Friday, December 19, 2014

Did You Know: Securing Mobile Devices with Microsoft Intune & Configuration Manager Part II #MSExchange, #Intune

There are several prerequisites that need to be configured before Microsoft Intune can manage mobile devices or connect to an on-premises SCCM instance. Here are the high-level steps required before you can start configuring Microsoft Intune with your on-premises SCCM instance.
  1. First, you need to create a Microsoft Intune account by enrolling for a free 30-day trial.
  2. Next, you must go through several steps to verify ownership of your public domain name.
  3. All of your on-premises users must be configured with a UPN whose suffix matches the verified public domain (not the internal forest name).
  4. Microsoft Azure Active Directory Sync Services must be downloaded and installed on an on-premises server. This software synchronizes your on-premises Active Directory users to the cloud for single sign-on. Synchronization is also needed so that SCCM can deploy software to your mobile users.
  5. A new CNAME record for enterprise enrollment will need to be added to your public DNS zone, so that devices can locate the MDM service from the user's UPN suffix.
  6. Certificates and keys are needed to securely deliver software packages to mobile devices managed via Microsoft Intune (for example, an Apple Push Notification service certificate for iOS devices). These steps are different for each mobile operating system.
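Steps 3 and 5 are the ones that most often go wrong in practice, and both can be checked before you touch the Intune console. The following PowerShell script is an added example, not code from the original post or from Microsoft: it audits the on-premises users for UPN suffixes outside the verified domain (optionally rewriting them) and confirms that the enterprise enrollment CNAME resolves to Intune. `contoso.com`, the `OU=Users,DC=contoso,DC=local` search base and the `-Fix` switch are placeholders and assumptions for illustration; the expected CNAME target `enterpriseenrollment.manage.microsoft.com` is the one the Intune enrollment documentation specifies. Run it from a domain-joined machine with the ActiveDirectory RSAT module.

```powershell
# Added example (not from the original post): audit two Intune prerequisites
#   (3) every user to be synced has a UPN suffix in the verified public domain
#   (5) enterpriseenrollment.<domain> is a CNAME to Intune's enrollment endpoint
# "contoso.com" and the search base below are placeholders for your environment.
param(
    [string]$PublicDomain = "contoso.com",
    [string]$SearchBase   = "OU=Users,DC=contoso,DC=local",
    [switch]$Fix
)

Import-Module ActiveDirectory

# --- Prerequisite 3: UPN suffix -----------------------------------------------
# A UPN such as jdoe@contoso.local will not match a verified domain after
# synchronization, so that user cannot sign in to the Company Portal or enroll.
$users = @(Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName)
$bad   = @($users | Where-Object { $_.UserPrincipalName -notlike "*@$PublicDomain" })

Write-Host ("{0} of {1} users have a UPN outside @{2}" -f $bad.Count, $users.Count, $PublicDomain)
$bad | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize

if ($Fix) {
    # Only the suffix is rewritten; the prefix is kept so the UPN stays aligned
    # with the existing logon name. Run without -Fix first and review the list.
    foreach ($u in $bad) {
        $prefix = ($u.UserPrincipalName -split "@")[0]
        if (-not $prefix) { $prefix = $u.SamAccountName }
        Set-ADUser -Identity $u -UserPrincipalName "$prefix@$PublicDomain"
    }
}

# --- Prerequisite 5: enrollment CNAME -----------------------------------------
# Devices derive enterpriseenrollment.<UPN suffix> from the user's sign-in name
# and follow it to find the MDM server; the record must point at Intune.
$expected = "enterpriseenrollment.manage.microsoft.com"
try {
    $cname = Resolve-DnsName -Name "enterpriseenrollment.$PublicDomain" -Type CNAME -ErrorAction Stop |
             Where-Object { $_.Type -eq "CNAME" } | Select-Object -First 1
    if ($cname -and ($cname.NameHost -ieq $expected)) {
        Write-Host "CNAME OK: enterpriseenrollment.$PublicDomain -> $($cname.NameHost)"
    } else {
        Write-Warning "CNAME for enterpriseenrollment.$PublicDomain points at '$($cname.NameHost)', expected '$expected'"
    }
} catch {
    Write-Warning "No CNAME found for enterpriseenrollment.$PublicDomain : $($_.Exception.Message)"
}
```

Before the `-Fix` pass can succeed, the public domain has to be registered as a UPN suffix on the forest (`Set-ADForest -UPNSuffixes @{Add="contoso.com"}`); Set-ADUser rejects a suffix the forest does not know. Review the audit output first, because changing a UPN also changes the name users type to sign in.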
Based on your business requirements for an MDM solution, there are several installation options you can take advantage of. Some customers may want to keep the solution simple, with minimal configuration required on the part of their administrators. Other customers may have a large pool of enterprise users and require a lot of flexibility in how devices are provisioned and managed, and in how software is delivered.

Smaller customers that want a simpler approach can configure Microsoft Intune in the cloud only. This method stores all the user accounts and device policies within Microsoft Intune and does not need any synchronization of user accounts or access to on-premises equipment.

Some customers may want to gain the advantages of extending Microsoft Intune to their on-premises environment, but want to limit the amount of SCCM configuration. These customers can leverage the Exchange connector within SCCM. This on-premises option lets SCCM discover and manage the company's mobile devices through the ActiveSync policies that Exchange already applies to them, giving you a single pane of glass for device management in SCCM. You can optionally keep controlling settings via ActiveSync mailbox policies within Exchange, but that limits what can be done in SCCM. Because this method does not install the SCCM client on mobile devices, you cannot push software, and management is limited to what ActiveSync policies support (for example, PIN requirements, encryption and remote wipe).

The most complex, but most feature-rich, approach is to fully integrate SCCM with Intune. This method requires an SCCM site system role (the Intune connector) that communicates with Microsoft Intune and opens a two-way communication channel between the cloud and on-premises assets. The connector initiates that channel outbound over HTTPS, so no inbound port needs to be opened to the site server.

In order for mobile devices to be managed by Microsoft Intune, users must enroll their mobile devices into the MDM service. Installing a mobile application, called the Microsoft Intune Company Portal, allows devices to be enrolled and managed according to company policy.

The Microsoft Intune Company Portal application allows the mobile device to download the company management profile, install new apps, and enroll in or remove itself from corporate management. The Microsoft Intune Company Portal can be downloaded from the main application stores, such as the Apple App Store (iTunes) and Google Play.

The Microsoft Intune Company Portal presents a central location where organizations can make internal applications available for users to download and use on their mobile devices. The Company Portal can also be leveraged to provide deep-linked applications.

Deep linking allows you to take an application from a public store such as the App Store and recommend it to users via the Company Portal application. An icon for each deep-linked application is present in the Company Portal so users can tap it and install the app from the store.

There are several different URLs that will be required to install, manage and configure Microsoft Intune. At first, this was a source of confusion for me as I was never sure where I needed to go for each task!

Portal.manage.microsoft.com – Users log in to this site to manage their installed applications or even to wipe their own devices.

Account.manage.microsoft.com – Administrators who take care of the Microsoft Intune subscription, add users, or set up new domains use this portal.

Manage.microsoft.com – Microsoft Intune administrators use this portal to create and manage groups, policies, reports, and software.

In the next article, we are going to jump into starting the configuration of Microsoft Intune.
