Working with Intune and RMS
Enterprise Mobility Suite
In Chapter 9, you were introduced to Azure Active Directory Premium (AADP). It is part of an Azure SKU called the Enterprise Mobility Suite (EMS). This suite also includes Microsoft Intune and Rights Management Services (RMS). These technologies can also be purchased individually, but you get better value when purchasing the entire suite.
This chapter introduces you to Microsoft Intune and RMS. These technologies give you a greater level of control over your company’s data, and they help prevent accidental leakage of your sensitive data.
Managing Mobile Devices with Microsoft Intune
Microsoft Intune is designed to help you protect and manage devices while, at the same time, allowing users to access company e-mail, data, and apps remotely. Because it is cloud-based, you can administer devices from any supported web browser. You can use Intune to manage many devices, including phones and tablets running the Android, iOS, Windows Phone, and Windows RT operating systems. Computers running Windows 8.1 can be managed as mobile devices or as computers using the Intune client software. To manage devices with Intune, open a web browser and browse to https://manage.microsoft.com.
Intune can manage mobile devices a number of ways:
Important This chapter assumes that Intune is managing devices alone, without System Center Configuration Manager (SCCM) integration or Exchange ActiveSync.
Supported Devices and Features
Intune mobile device management supports the following OSs:
For a list of features, see https://technet.microsoft.com/en-us/library/dn600287.aspx.
Preparing for Mobile Device Management
Before you can enroll mobile devices in Microsoft Intune, you need to prepare the Intune service by selecting the appropriate Mobile Device Management Authority setting on the Mobile Device Management page of the Administration workspace. The Mobile Device Management Authority setting determines whether you manage the devices with Intune or SCCM with Intune integration. This chapter assumes that Intune is used without SCCM, so the option should be set to Microsoft Intune, as shown in the example in Figure 16-1.
Important Consider carefully whether you want to manage mobile devices using Intune only or by using SCCM with Intune integration. After you set Mobile Device Management Authority to either of these options, it cannot easily be changed later, so choose the option that matches how you intend to manage devices for the long term.
SETTING THE MOBILE DEVICE MANAGEMENT AUTHORITY OPTION
Figure 16-1. Setting the Mobile Device Management Authority
Figure 16-2. Confirming the mobile device management authority
Important Pay careful attention to the warning. Once the Mobile Device Management Authority option is set, it cannot easily be changed.
Configuring the Mobile Device Management Infrastructure
After setting the Mobile Device Management Authority, you are ready to start managing devices. As shown in Figure 16-3, some devices can be managed right away without requiring additional configuration. Windows, Windows Phone 8.1, and Android devices don’t require additional configuration. iOS and Windows Phone 8 devices, however, require additional configuration before they can be managed.
Figure 16-3. Managing mobile devices
Enabling iOS Mobile Devices Management
Each mobile device OS requires its own setup procedure. For example, to manage iOS devices, such as iPhones or iPads, you first need to install an Apple Push Notification service certificate from the Apple Push Certificate portal to connect iOS devices with your Intune account. Similarly, to manage apps for a Windows RT 8.1 device, you need to obtain side-loading keys and a code-signing certificate.
Note The Apple Push Notification certificate requires an Apple ID in order to complete the installation. If you don’t have an Apple ID, create one before proceeding with the steps in the following exercise. The certificate is valid for one year, and this same Apple ID must also be used to renew it; renewing with a different Apple ID produces a new certificate that existing enrolled iOS devices do not trust, so they have to be re-enrolled. It is recommended that you create a corporate Apple ID for managing these certificates, rather than a personal ID, and that you record which Apple ID was used and when the certificate expires.
ENABLING IOS MANAGEMENT
To enable iOS management, follow these steps:
Figure 16-4. Enable The iOS Platform link
Figure 16-5. Downloading Apple Network certificate requests
Figure 16-6. Saving the certificate request file
Figure 16-7. Uploading an APNs Certificate
Figure 16-8. Logging in to the Apple certificates portal
Figure 16-9. Creating the certificate
Figure 16-10. Accepting the terms of use
Figure 16-11. Uploading the certificate request file
Figure 16-12. Uploading the certificate
Figure 16-13. Completing the certificate upload
Figure 16-14. iOS mobile devices are now ready to be managed using Microsoft Intune
Enrolling Mobile Devices in Intune
When the Intune device-management infrastructure is in place, devices must be enrolled to enable device management and access to company resources. There are multiple options for device enrollment, as detailed next and in Table 16-1:
Table 16-1. Mobile device management
Now that the Intune management environment is set up, you can begin enrolling devices. However, to do so, you first need to perform a few tasks.
The first task you need to complete is to add your user accounts. Microsoft Intune can use an existing Azure Active Directory (AAD) tenant domain for user accounts, making adding accounts to Intune a simple process. To get your user accounts to appear in Intune when using directory synchronization, as in this chapter, you only need to assign a Microsoft Intune license (or the suite license that includes it) to your users. Once they are licensed, they show up in Intune, and you can begin to enroll their devices.
Creating Enrollment Profiles
The next step is to create enrollment profiles. Profiles specify whether devices have user affinity (a user and device association) and assign a group for device management. At least one profile must be specified before company-owned devices can be enrolled in Intune.
CREATING ENROLLMENT PROFILES
Specifying Company Portal Settings
You can customize the Intune Company Portal for your company.
CUSTOMIZING THE INTUNE COMPANY PROFILE
Optionally, you can publish terms and conditions that users see the first time they use the company portal. Once enrollment is set up, inform your users that device enrollment is now available. Instruct them to go to the device store and install the Company Portal, or go to Company Apps (Windows Phone 8.0 only). Users can enroll and manage their mobile devices with the Company Portal app. They can also use a Company Portal web site. Each device OS has its own Company Portal app:
When users open the Company Portal, they are asked for their credentials. The first time in the portal, users are asked to accept the terms—it doesn’t matter whether the device is enrolled. The user either accepts or declines the terms. Upon accepting, they continue to the portal. If they decline, they are asked to confirm that they want to decline and are then given a link that instructs them on how to unenroll. Users are not automatically unenrolled, and until they unenroll, you can still manage the device.
At this point, the process is different for devices that have not yet been enrolled, depending on the OS of the device:
Getting Started with Azure Rights Management
Azure Rights Management Services (Azure RMS) is the security-control feature in Microsoft Azure that is used to protect company information, whether on a corporate device or a personal device. Azure RMS uses a combination of encryption, identity, and authorization policies to secure files and e-mail. When users share documents or e-mails that are protected with Azure RMS, the protection stays with the protected item.
In Figure 16-15, you can see how Azure RMS works as a rights-management solution for Office 365 as well as for your on-premises servers and services. You can also see that it supports most devices that run Windows, Mac OS, iOS, Android, and Windows Phone.
Figure 16-15. Azure RMS
Configuring Azure Rights Management
By default, RMS is disabled when you first sign up for Office 365 or AAD. To enable RMS for your tenant, you first need to activate it.
ACTIVATING RMS
To activate RMS from the Azure Management Portal, follow these steps:
Figure 16-16. Activating Azure RMS
The Rights Management Status now displays as Active, and the Activate option is replaced with Deactivate.
After activating Azure RMS, you can begin using the two default templates to apply policies to sensitive files that restrict access to authorized users in the organization. These two templates have the following rights policy restrictions:
The default templates may be sufficient for most users, but if you want to create your own custom rights-policy templates, you can do that as well. Some of the reasons for creating custom templates are as follows:
Before users can select a custom template that contains settings such as those listed here, you first need to create and configure it and then publish it to your tenant.
Creating, Configuring, and Publishing a Custom Template
You create and manage custom templates through the Azure Management Portal. You can sign in directly from the Azure Management Portal, or you can sign in to the Office 365 admin center and choose advanced features for Rights Management, which then redirects you to the Azure Management Portal.
CREATING A CUSTOM TEMPLATE
To create, configure, or publish custom templates for RMS, use the following procedures. Begin in the Azure Management Portal:
After the template has been created, on the Get Started With Rights Management quick-start page, click Manage Your Rights Policy Templates. The template you just created is in the list of available templates, showing a status of Archived. At this point, the template is created but not configured, and it is not yet visible to users. The next step is to configure the template.
CONFIGURING AND PUBLISHING A CUSTOM TEMPLATE
On the Templates page, select the newly created template:
Note As a best practice, use groups rather than users, which simplifies management of templates.
Note You don’t have to select one of the default rights to grant to your users or groups. Selecting Custom allows you to choose any of the following rights:
Tip You can make templates visible to a subset of users when they see a list of templates in applications. To do so, click Scope, which is currently in Preview, to configure a template as a departmental template, and follow the same steps as in the “Configuring and Publishing a Custom Template” exercise to add a group or groups.
If you wish to configure additional options with your template, click the Configure link. On this page, you can add languages and the name and description of this template in each language. When you have users who speak multiple languages, it’s important to add each language they use and supply a name and description in that language. Users then see the name and description of the template in the same language as their client OS, which ensures that they understand the policy applied to a document or e-mail message. If there is no match with their client OS, the name and description they see fall back to the ones you defined in the default language when you first created the template.
Additionally, you can set the template expiration to one of the following options:
You can also configure offline access to the files protected by your templates. The configurable offline settings are as follows:
This setting can be used to control how users can access protected files. For example, if you specify that content is not available without an Internet connection, or that content is only available for a specified number of days, then when that threshold is reached, users must be re-authenticated, and their access is logged. When this happens, if their credentials are not cached, users are prompted to sign in before they can open the file.
In addition to re-authenticating, the policy and the user group membership are reevaluated. This means users could experience different access results for the same file if there are changes in the policy or group membership from when they last accessed the file.
Updating Templates
When RMS templates are updated, the updates first need to be downloaded before they can be used. Template updates must be downloaded for Exchange Online (EOL) and for Microsoft Office.
Forcing Exchange Online to Download Changed Custom Templates
If you’ve already configured Information Rights Management (IRM) for Exchange Online, custom templates will not download for users until you make the following changes with Windows PowerShell in Exchange Online.
Note You must perform this procedure each time you change a template.
UPDATING TEMPLATES FOR EXCHANGE ONLINE
To update templates for Exchange Online, follow these steps:
Use the Import-RMSTrustedPublishingDomain cmdlet to reimport your trusted publishing domain (TPD) from Azure RMS; the -RefreshTemplates switch also pulls in the changed templates. For example, if your TPD name is Cloud Protection, enter
Import-RMSTrustedPublishingDomain -Name "Cloud Protection" -RefreshTemplates -RMSOnline
Next, list every template in the TPD, including archived ones, so that you can see which templates still need to be published:
Get-RMSTemplate -TrustedPublishingDomain "Cloud Protection" -Type All
Finally, publish each template that users should see. The -Identity value is the template name (or ID) shown by Get-RMSTemplate, not the TPD name:
Set-RMSTemplate -Identity "<template name>" -Type Distributed
After you archive a template when using Exchange Online with Office 365, users will continue to see the archived template in the Outlook Web App and on mobile devices that use the Exchange ActiveSync protocol. To stop users from seeing these templates, connect to Exchange Online with remote PowerShell (the same session used for the preceding steps) and then use the Set-RMSTemplate cmdlet as follows:
Set-RMSTemplate -Identity "RMS Online: 1" -Type Archived
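The following script, added here as an example and not taken from the book, wraps the two Exchange Online procedures above (refreshing the TPD and publishing templates, and archiving templates) and adds the verification step a practitioner wants: after Set-RMSTemplate runs, it re-reads the template list and fails if any template did not end up in the requested state. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds the Exchange administrator role; the TPD name "Cloud Protection" is the chapter's example name, the UPN is a placeholder, and the Name and Type properties read from Get-RMSTemplate output are assumed to match the cmdlet's -Type parameter values (Distributed or Archived).

```powershell
# Added example (not from the book): refresh Azure RMS templates in Exchange Online
# and verify that each requested template reached the intended state.
# Assumptions: ExchangeOnlineManagement module installed; Exchange admin account;
# template objects expose Name and Type, with Type being Distributed or Archived.
param(
    [string]$TpdName = "Cloud Protection",                 # chapter's example TPD name
    [string[]]$TemplatesToDistribute = @(),                # template names to publish
    [string[]]$TemplatesToArchive = @(),                   # template names to hide
    [string]$AdminUpn = "admin@contoso.onmicrosoft.com"    # placeholder UPN
)

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false
try {
    # Fail early if the TPD name is wrong rather than importing into the wrong TPD.
    Get-RMSTrustedPublishingDomain -Identity $TpdName -ErrorAction Stop | Out-Null

    # Step 1: reimport the TPD from Azure RMS, pulling in changed templates.
    Import-RMSTrustedPublishingDomain -Name $TpdName -RefreshTemplates -RMSOnline | Out-Null

    # Step 2: show every template, archived ones included, before making changes.
    Write-Host "Templates before:"
    Get-RMSTemplate -TrustedPublishingDomain $TpdName -Type All |
        Select-Object Name, Type | Format-Table -AutoSize | Out-String | Write-Host

    # Build one name -> desired-state map so a name is not both published and archived.
    $wanted = @{}
    foreach ($n in $TemplatesToDistribute) { $wanted[$n] = 'Distributed' }
    foreach ($n in $TemplatesToArchive) {
        if ($wanted.ContainsKey($n)) { throw "Template '$n' listed for both distribute and archive." }
        $wanted[$n] = 'Archived'
    }

    # Step 3: apply the requested state; -Identity is the template name, not the TPD.
    foreach ($n in $wanted.Keys) {
        Set-RMSTemplate -Identity $n -Type $wanted[$n]
    }

    # Step 4: verify. A template that is missing or still in the old state is an error,
    # because Outlook Web App and ActiveSync clients keep showing archived templates
    # until the change really takes effect.
    $after = Get-RMSTemplate -TrustedPublishingDomain $TpdName -Type All
    $missing = $wanted.Keys | Where-Object { $after.Name -notcontains $_ }
    $wrong   = $after | Where-Object { $wanted.ContainsKey($_.Name) -and "$($_.Type)" -ne $wanted[$_.Name] }
    if ($missing) { Write-Error ("Templates not found in TPD '$TpdName': " + ($missing -join ', ')) }
    if ($wrong)   { Write-Error ("Templates not in requested state: " + ($wrong.Name -join ', ')) }
    if (-not $missing -and -not $wrong) { Write-Host "All requested templates are in the requested state." }
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Run it once with no template names to see the current Name/Type list, then again with -TemplatesToDistribute or -TemplatesToArchive. Because Exchange Online caches templates per TPD, rerun the script every time a template is changed in the Azure portal, as the note above requires.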
Forcing Microsoft Office to Refresh Updated RMS Custom Templates
By default, RMS templates are refreshed by Microsoft Office every seven days. By editing the local computer’s Registry, you can change the automatic schedule so that changed RMS templates are refreshed more frequently. You can also force an immediate refresh by deleting the templates folder on a computer.
CHANGING THE AUTOMATIC RMS TEMPLATE REFRESH SCHEDULE
To change the automatic refresh schedule, follow these steps:
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\MSIPC
You can also force the RMS templates to update immediately by deleting the local templates folder on disk, %localappdata%\Microsoft\MSIPC\Templates; the RMS client downloads the templates again the next time an Office application needs them.
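The script below, an added example that is not part of the book, does both client-side tasks from this section for the current user: it sets the refresh interval under the registry key named above and clears the local template cache to force an immediate refresh. The registry key is the one the chapter gives; the value name TemplateUpdateFrequency (REG_DWORD, number of days) is the name Microsoft documents for Office's RMS template refresh interval and is assumed here to be the value the chapter's steps set. The check that Office is closed is added because an open Office process can hold the cache files and recreate them from memory.

```powershell
# Added example (not from the book): tune the RMS client's template refresh
# interval and force an immediate refresh for the current user.
# Assumption: TemplateUpdateFrequency (REG_DWORD, days) under the chapter's MSIPC
# key is the value that controls the seven-day default.
$MsipcKey      = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\MSIPC'
$TemplateCache = Join-Path $env:LOCALAPPDATA 'Microsoft\MSIPC\Templates'

function Set-RmsTemplateRefreshDays {
    # Returns the value now stored in the registry so the caller can confirm it.
    param([Parameter(Mandatory)][ValidateRange(1, 365)][int]$Days)
    if (-not (Test-Path $MsipcKey)) {
        New-Item -Path $MsipcKey -Force | Out-Null
    }
    New-ItemProperty -Path $MsipcKey -Name TemplateUpdateFrequency `
        -PropertyType DWord -Value $Days -Force | Out-Null
    return (Get-ItemProperty -Path $MsipcKey -Name TemplateUpdateFrequency).TemplateUpdateFrequency
}

function Reset-RmsTemplateCache {
    # Deletes the cached templates; the RMS client re-downloads them the next time an
    # Office application loads protection templates. Returns $true if anything was removed.
    $office = Get-Process -Name WINWORD, EXCEL, POWERPNT, OUTLOOK -ErrorAction SilentlyContinue
    if ($office) {
        $names = ($office.Name | Sort-Object -Unique) -join ', '
        throw "Close Office before clearing the template cache (running: $names)."
    }
    if (Test-Path $TemplateCache) {
        Remove-Item -Path $TemplateCache -Recurse -Force
        return $true
    }
    return $false
}

# Example: refresh daily instead of every seven days, then force a refresh now.
$configured = Set-RmsTemplateRefreshDays -Days 1
Write-Host "TemplateUpdateFrequency is now $configured day(s)."
if (Reset-RmsTemplateCache) {
    Write-Host "Template cache cleared; open an Office application to re-download templates."
} else {
    Write-Host "No template cache present for this user."
}
```

Both settings are per user (HKCU and %localappdata%), so run the script in the context of the user whose Office installation needs the new templates, not from an elevated administrator session for a different account.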
Summary
In this chapter, you stepped through the process of preparing Microsoft Intune without integration with System Center Configuration Manager or Exchange ActiveSync, and of setting up the rest of the Intune device-management environment for your Intune subscription. You also worked through the process of enrolling mobile devices. After completing these steps, you should be able to begin managing your users’ devices.
You also navigated the process of activating and configuring Azure RMS. With these two technologies activated and configured, you can confidently deploy mobile devices to your users with the knowledge that your corporate information is protected.