Chapter 5. Device management

Enterprise companies today are more than ever facing the challenges presented by the BYOD trend and searching for ways to support users who bring their own devices to work while at the same time struggling with how to protect company data. To do this, employees must allow company IT departments to manage some aspects of their personal devices to ensure the security of corporate data and compliance with company policies. In general, more and more employees are beginning to use their personal devices to perform some aspects of their daily jobs with the awareness that the company they work for will need to perform certain actions to safeguard company data, including applying security policies, installing software, and performing basic hardware and software inventories of their devices.

As the device management component of EMS, Microsoft Intune is a cloud-based management solution that enables organizations to provide their employees access to business apps and d ata from almost anywhere on almost any device, while also helping to keep company information secure. Using Microsoft Intune you can manage Windows computers and mobile devices including iOS, Android, Windows RT, and Windows Phones. You can deploy policies to help secure corporate data on phones and tablets, perform hardware and software inventories, distribute software, and retire or wipe mobile devices.

Microsoft Intune provides you with a wide range of general PC and device management capabilities as well as functions specific to each. This chapter focuses on preparing you to enroll devices into management with Microsoft Intune and then introduces you to the following device management features of the service: policies, inventory, and selective wipe functionality.

This section describes several key elements of the Microsoft Intune service that you should be familiar with and that you should plan for as you begin preparing to enroll devices into management, including setting the Mobile Device Management (MDM) authority, understanding the device-specific enrollment prerequisites that must be met before your users begin enrolling devices, understanding how to create device enrollment profiles, learning about the Company Portal and how to customize it to create a seamless experience for your users, and finally, understanding how to write and publish custom terms and conditions for use of the service to your users.

The Mobile Device Management authority setting determines whether you will manage mobile devices with Microsoft Intune or by using System Center 2012 Configuration Manager with Microsoft Intune integration.

Many organizations already use System Center Configuration Manager 2012 on-premises to manage servers, PCs, and other devices. In this situation, most organizations simply integrate Microsoft Intune with their existing Configuration Manager infrastructure to create a robust hybrid management solution for servers, PCs, and mobile devices when they purchase EMS or standalone Microsoft Intune subscription licenses. While the focus of this book is on using Microsoft Intune standalone, because that technology is included with EMS, you should also know that Microsoft Intune licensing provides non-perpetual use rights for on-premises use of System Center 2012 Configuration Manager and Endpoint Protection (SCEP) to manage as many as five devices per Microsoft Intune-licensed user. This means that you are entitled to install and use System Center 2012 Configuration Manager integrated with Microsoft Intune in a unified device management scenario for the duration of your valid Microsoft Intune subscription. However, if your Microsoft Intune subscription is not renewed in this licensing model, you will need to either stop using the on-premises software or purchase System Center 2012 Configuration Manager licenses.

There are other code-signing and key requirements that must be met when uploading signed application packages to deploy to devices using Microsoft Intune. This process, called sideloading, enables you to deploy line of business (LOB) apps to devices without having to go through a public application store. However, sideloading applications requires that you have the necessary code-signing certificate as well as sideloading keys obtained from the Microsoft Volume Licensing Service Center (VLSC) previously uploaded into the Microsoft Intune Admin Portal.

The information in this section will help you understand the requirements for iOS and Windows Phone devices as well as how to prepare the Microsoft Intune service to support and manage the mobile device types that your users are bringing to work.

Before you begin this process, you need an Apple ID associated with an email account from your company. Make sure that you will be able to access this account even if the person originally requesting the APNs certificate leaves the company. You will need that account ID and password not only when you first request the certificate but also when the APNs certificate needs to be renewed.

When your users try to enroll their devices, they will be prompted for their credentials and their devices must be able to access the enrollment server. Technically, they could manually enter their user names, passwords, and manage.microsoft.com to enroll their devices, but that will require all of your users to know the enrollment server name and how to use that name to enroll their devices. A better option is to simply create a CNAME DNS record with your domain registrar for the domain that you registered and that was previously verified in the Microsoft Azure administrator console, for use with your cloud services. Once that is completed, your users will need only their user names and passwords to enroll their Windows devices.

To prepare for enrolling Windows Phone 8.0 devices, you need to download the Windows Phone 8.0 Company Portal app from the Microsoft download center, install the Windows Phone 8.0 SDK, code-sign the Company Portal app with SignTool.exe included with the SDK, and then upload the signed Company Portal app to the Microsoft Intune Admin Portal before enrolling any Windows Phone 8.0 devices.

Remember that you will not be able to deploy (sideload) LOB applications to any of the Windows devices without first using a Symantec code-signing certificate to sign the application to be deployed and then using the sideloading keys as previously discussed. However, you can still enroll these Windows devices into management and deploy apps from the various app stores to them.

The first device enrollment profile you create automatically becomes the default policy applied to BYOD devices. Otherwise, you will need to specify which device enrollment profile to apply to devices enrolling in the service. The default profile will always be assigned to mobile devices enrolled in Microsoft Intune that don’t have another profile specified. Figure 5-2 shows an example Device Enrollment Policy configured to assign newly enrolled devices into the custom All BYOD Devices group.

The Company Portal app is available for Windows, Android, or iOS devices in each of the respective company’s app stores. Users must download and install the applicable version on their BYOD devices to self-enroll as many as five devices each into the Microsoft Intune management service and gain access to company-managed applications.

Regardless of the device type, or whether the portal is seen on the website or a mobile device app, the Company Portal is composed of three major sections, as shown in Figure 5-3:

Apps In this section of the Company Portal, users can browse the apps that have been made available to them by their Microsoft Intune administrator. Apps can be sorted by new, by category, or they can simply view all available apps.

My Devices This section of the Company Portal displays all of the devices that are currently enrolled into the Microsoft Intune service by the logged on user. As a logged on user, you can review the properties of each device, change the display name so that it is easier for you to recognize, perform a factory reset, remove the device from management, or force a policy synchronization to ensure your device has the most recent policy settings applied. You can also perform a remote wipe on certain device types.

Contact IT In this section of the Company Portal, users can get helpdesk information so that they know whom to contact and how. This information includes not only the tech support person’s name but also their phone number, email links, and website information. You can also include additional tech support text to keep users informed of their troubleshooting options.

While the default Company Portal experience provides basic access to apps, device settings, and IT contact information, it is very basic and without any company branding. To avoid confusing your users and to provide a more seamless and branded experience, you can customize many aspects of the Company Portal, including additional information that will assist your users to get their jobs done and reduce the number of helpdesk calls they might otherwise make.

On the Microsoft Intune Admin Portal page at Admin, Company Portal, you can find the following sections and options for customizing the Company Portal experience for your Microsoft Intune service as described below:

Specify Company Name, Company Contact Information And Privacy Statement. This section of the Company Portal settings allows you to customize the user experience by displaying the company name (displayed as the title of the Company Portal), IT Department Contact Name, IT Department Phone Number, IT Department Email Address, any additional tech support information you would like displayed (shown when a user clicks the Contact IT option in the top-right corner of the Company Portal), and a company privacy statement URL (this target URL will be opened when users click the Privacy link at the bottom of the Company Portal).

Specify A Website That Users Can Contact For Support. This section of the customization page allows you to enter both an URL for a custom support website that is hidden from users as well as a website name title that is shown to them. Users can utilize this link to find ways to access online support without calling the helpdesk.

Customization. This section contains customization options similar to those used to customize the Microsoft Azure Access Panel in Azure AD. Here you can customize the Company Portal with your company logo (and the company name next to the logo if you want it there), a theme color, and either the default or white background for the Windows 8 Company Portal app.

Microsoft Intune Company Portal URLs. The last section of the Company Portal customization page displays the read-only Company Portal URLs that can be used to review your customizations in either the full Company Portal website (https://portal.manage.microsoft.com/) or the mobile Company Portal website (https://m.manage.microsoft.com/).

You can choose whether to force your users to accept the terms and conditions in order to access the Company Portal. If enforced, they will need to accept the terms to gain access regardless of whether the device they are using is already enrolled in management, but they will need to accept the terms and conditions only once regardless of how many devices they have enrolled into the Microsoft Intune service. If you require users to accept company terms and conditions, but they do not accept them, they will be denied access to the Company Portal and the apps and capabilities available there. They will also need to unenroll all of their devices in management, as shown in Figure 5-4.

You can easily update the terms and conditions to make a new version available at any time from within the Microsoft Intune Admin Console and require that users agree to the updated terms and conditions in order to continue accessing the Company Portal.

By using the built-in Terms and Conditions Report made available in the Reports workspace of the Admin Console, it is very easy to see which users have agreed to the terms and conditions, which version they agreed to, and when they agreed to them. If you need to keep a record of this information, you can also easily export it as either a .csv or .html file.

It is a good idea to create and deploy Microsoft Intune policies before your users begin enrolling their devices to ensure the process is as smooth as possible and they are not surprised when settings change after they enroll their devices into management. Read the following policy sections carefully and plan for the settings and policies that you will need to implement before you begin enrolling devices.

It’s probably a good idea to begin with this policy template as you start to plan how you will manage mobile devices in your enterprise. It covers most of the basic configuration requirements that enterprises want and need and it will apply to all mobile device types without the need to make separate configuration policies for each device type.

When you create and deploy a default Mobile Device Security Policy to your users, the following settings are enabled and applied by default:

A password is required to unlock the mobile device. It can be either numeric or alphanumeric. If alphanumeric, it must include a minimum of one character set used (from the four available: uppercase, lowercase, symbols, or numbers).

The minimum password length is four characters.

Simple passwords are not allowed (for example, passwords such as 1234 or 1111).

The number of times an incorrect password can be entered before the device is automatically wiped is set to four.

The time, in minutes, of inactivity that will be allowed before the screen turns off is set to 15.

Encryption is enforced on mobile devices.

Devices that do not fully support the configured settings can still access Exchange ActiveSync. This should not be a problem with the default mobile device settings, but if you configure additional settings beyond the default settings, this setting might be necessary.

These are certainly not the only settings available to be configured in the default Mobile Device Security Policy, but they are the only ones that are enabled by default. These should be used as a baseline as you begin planning what policy settings you will need to configure to fully support the device types your users are bringing to work and what additional, device-specific configuration policies you will need to implement to meet your organizational goals and company security policy requirements.

Various profile options are also available to be configured for Android devices that make connecting to Exchange ActiveSync email (for Samsung KNOX 4.0 and later devices) possible without user interaction and enabling access to corporate resources via configurable trusted certificate, SCEP, VPN, and Wi-Fi profile policy options.

Similar to the available Android settings, you can use iOS configuration policies to configure email profiles for Exchange ActiveSync settings and you can configure network access with trusted certificate and SCEP profiles as well as configure VPN and Wi-Fi profile settings centrally without the need for users to configure these settings themselves.

iOS device configuration policies also include an option to deploy configuration profiles that you create using the Apple Configurator tool. This capability is useful when you want to set a configuration setting for iOS that is not included in the default options for configuration policy settings within Microsoft Intune. You can use the Apple Configurator to easily capture settings that you can then deploy to iPhone, iPad, and iPod touch devices.

The same email, trusted certificate, SCEP, and VPN profile configurations are available for Windows devices as for Android and iOS devices when creating a Windows device configuration policy.

Additionally, with Windows devices, you can create Windows Phone OMA-URI¹ (Open Mobile Alliance Uniform Resource Identifier) policies to control functionality of Windows Phone devices. By using OMA-URI settings, you can set Windows Phone settings that are unavailable in the default configuration settings similar to the way you can use the Apple Configurator to set configuration settings on iOS for settings unavailable in the default configuration setting options for that device type.

¹ You can learn more about OMA-URI settings for Windows Phones on TechNet at http://technet.microsoft.com/en-us/library/dn499787.aspx.

The Microsoft Intune Center runs in the system tray and allows users to request remote assistance, run anti-malware scans, and manage software updates for their computers. The configuration policy settings for the Microsoft Intune Center also include options for providing tech support or helpdesk information to users on managed computers similar to the support information displayed on the Company Portal.

Other Microsoft Intune computer agent settings are used to configure Endpoint Protection scans to help protect computers from malware infections, to exclude folders from virus scans, and to set the frequency for updating both Endpoint Protection and Windows updates.

The final computer configuration policy template setting is used to manage Windows Firewall settings on Microsoft Intune computer clients. The settings available in this template allow you to turn on Windows Firewall, block incoming connections, manage user notifications, and configure exceptions for specific network profiles.

You can configure compliance rules that include advanced password settings, encryption, whether the device is jail-broken or rooted, and whether email on the device is managed by a Microsoft Intune policy. If a device is determined to be non-compliant with any of the compliance policy settings configured by the administrator, the device will be denied access to company resources, as shown in Figure 5-7.

To use conditional access policies with Exchange on-premises, you must first deploy the on-premises Exchange connector that connects Microsoft Intune service to Microsoft Exchange on-premises to allow you to manage devices through the Microsoft Intune console. Then, to control access to Exchange on-premises for devices not managed by Microsoft Intune, enable the rules that block access by the users in the Microsoft Intune user groups that are specified in the Conditional Access Policy.

Exchange Online conditional access policies are used to block email apps from accessing Exchange Online when devices are either noncompliant with Microsoft Intune compliance policies or not managed by Microsoft Intune and belong to users who are in the Active Directory security groups targeted by the policy.

However, before you can configure the conditional access policies for Exchange Online, you must first configure the Microsoft Intune service-to-service connector. To configure this connector, you must be signed in to the Microsoft Intune Admin Console with an account that has Exchange Online administrative rights. The email address of the currently logged-on user will be used to complete the hosted connection between Microsoft Intune and Exchange Online.

Once the connection is established to either Exchange on-premises or Exchange Online, Microsoft Intune will synchronize new mobile devices and device management status and display those in the Groups workspace in the Microsoft Intune Admin Console. The management status is displayed in the Management Channel column and will define one of the following for each device accessing Exchange email:

Managed By Exchange ActiveSync These devices are accessing Exchange email but they are not managed by Microsoft Intune.

Managed By Microsoft Intune These devices are managed by Microsoft Intune but they are not accessing Exchange email.

Managed By Microsoft Intune And Exchange ActiveSync These devices are both managed by Microsoft Intune and accessing Exchange email.

When a device is a member of a group to which a Conditional Access Policy is targeted, devices that display Managed By Exchange ActiveSync will be blocked unless they are in a group that has been marked exempt from the policy. To avoid blocking Exchange email access without notifying them first, you can run a mobile device inventory report to find email addresses for users with devices that are managed by Exchange ActiveSync who will soon be blocked so that you can notify them before enabling the Conditional Access Policy.

After you enable a Conditional Access Policy, you can easily see which devices have been blocked from accessing Exchange email from the Microsoft Intune dashboard. There, the Blocked Devices From Exchange tile shows the number of blocked devices and links to more information.

When users are blocked from accessing Exchange due to a Conditional Access Policy, they will receive an email that provides instructions about how to enroll their devices. You can customize that email by defining a custom user notification message using HTML text that will be included in an email sent to users whose access to email has been blocked, as shown in Figure 5-8.

When policy settings have been configured for groups that conflict, and a user is in both groups, the policy applied to the group that is the deepest in the group structure as defined in the Groups workspace in the Microsoft Intune Admin Console wins and is applied. However, if two or more conflicting policies are applied to the same group, the policy that was updated last (and thus has the most recent Last Modified Time) will apply.

You can also use the inventory information collected about computers and mobile devices in use for your organization to understand the hardware needs of your users and to plan for future hardware upgrades and replacement device purchases. Additional detected software reports can help you to better understand what software is installed on computers in your organization, including the software versions.

Chassis type

Operating system

TPM version

Disk space information (total, used, free, and OS disk name)

Physical memory installed

Processor information (name, architecture, and CPU speed)

IP address

Serial number

Last user to log on

Last updated time stamp

Device operating system and version

Manufacturer

Management channel

If the device is registered in Azure AD

If the device is compliant or not

Email address for the user who enrolled the device

Exchange ActiveSync ID

If the device is jail-broken or rooted

Unique Device ID

Serial number

Storage space (total and free)

The last four digits of the telephone number for the device (if applicable)

IMEI (International Mobile Station Equipment Identity)

MEID (Mobile Equipment Identifier)

Wi-Fi MAC address

Subscriber (mobile phone carrier name)

Cellular technology (CDMA, GSM, and so on)

When the device was enrolled

When the inventory was last updated

However, by far the most powerful data protection feature that Microsoft Intune makes available to you and your users is the ability to remotely wipe a mobile device to remove company data or even just factory-reset the device. This feature can be very useful when you need to retire a device from use, either when you need to replace it or when a person leaves the company. If a device is lost or stolen, you will also want to be sure to get all company information off of the device as soon as possible and the data-wipe commands usually take only about 15 minutes or so to reach the device. Administrators can perform remote wipe functions from the Microsoft Intune Admin Console and users can perform wipes on their enrolled devices from the Company Portal to reset them to factory condition.

Microsoft Intune administrators can perform a selective wipe on a device simply by right-clicking a device name in the Admin Console and selecting the Retire/Wipe action. At that point, a dialog box similar to the one shown in Figure 5-9 is displayed, confirming the decision to wipe the device.

If there is a need to perform a full device wipe, then select the Wipe The Device Before Retiring check box before continuing. Otherwise, click Yes; a selective wipe of company data will occur, removing all company data from the device.