Microsoft Intune for Beginners

Learning Microsoft's vision for MDM can be tricky at first. There are different considerations for personally owned and company-owned devices, and a different approach for a standalone MDM solution (Microsoft Intune) than for Unified Device Management (ConfigMgr + Intune). Below is a collection of resources for those starting their MDM journey.

When we plan a PKI infrastructure for customers, a big part of the work is defining security policies aligned with the business strategy. When we plan ITSM for companies, the first phase is to validate or define process management according to ITIL/MOF, aligned with the customer's business needs. BYOD has the same requirement: without a good BYOD policy the project may, and likely will, fail.

I recommend getting familiar with the technology-agnostic Microsoft guide:

Bring Your Own Device (BYOD) Design Considerations Guide

Different industries face different challenges when implementing BYOD. Microsoft published a great document based on its experience with school environments:

BYOD Devices – A Deployment Guide for Education

Sooner or later we need to know the capabilities of Microsoft Intune standalone versus Unified Device Management:

| Scenario | System Center 2012 R2 Configuration Manager only | Microsoft Intune only | System Center 2012 R2 Configuration Manager and Microsoft Intune |
|---|---|---|---|
| Microsoft Windows | Yes | Yes | Yes |
| Microsoft Windows Server | Yes | No | Yes |
| Windows Phone | No | Yes | Yes |
| Windows RT | No | Yes | Yes |
| iOS | No | Yes | Yes |
| Android | No | Yes | Yes |
| Mac OS X | Yes | No | Yes |
| Unix/Linux Servers | Yes | No | Yes |
| Extensible Windows PC Device Configuration Settings (e.g. WMI, Registry) | Yes | No | Yes |
| Extensible Mac OS X Configuration Settings | Yes | No | Yes |
| Mobile Device Configuration Settings | No | Yes | Yes |
| Application Deployment | Yes | Yes | Yes |
| Windows Operating System Deployment (no deployment over Intune) | Yes | No | Yes |
| Software Updates | Yes | Yes | Yes |
| Endpoint Protection | Yes | Yes | Yes |
| Software Metering | Yes | No | Yes |
| Hardware and Software Inventory | Yes | Yes | Yes |
| Custom hardware and software inventory | Yes | No | Yes |
| Role-based Administration and Reporting | Yes | No | Yes |
| Unified Reporting for Cloud- and Corporate-connected Devices | No | No | Yes |
| Cloud-based Reporting | No | Yes | No |
| Security Settings | Yes | Yes | Yes |
| Remote Wipe | Yes | Yes | Yes |
| Remote Lock | No | Yes | No |
| Passcode Reset | No | Yes | No |

Suppose we are familiar with the documents above and start the implementation. The first step in managing a device is enrolling it, and the "how to" for this phase differs by platform:

Windows Phone 8 and Windows Phone 8.1
  • Windows Phone 8: open System settings > company apps and sign in with your user ID.
  • Windows Phone 8.1: open System settings > Workplace and sign in with your user ID.
  • Note: you must select "Install company app" (or "Hub") to be able to get company apps.
  • If your Windows Intune account has no public domain and you are using a *.onmicrosoft.com account, type "manage.microsoft.com" as the server address when you are prompted for it.

Windows RT, Windows RT 8.1, or Windows 8.1 devices that are not joined to a domain
  1. Go to Settings > PC Settings > Network > Workplace.
  2. Enter the user ID and click Turn on.
  3. Check the "Allow apps and services from IT admin" box and click Turn on.
  If the account has no public domain and you are using a *.onmicrosoft.com account, you must add the following registry information before enrolling the Windows 8.1 computer:
  1. Create the MDM registry key if it is not already present: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM
  2. Under the MDM key create a new REG_SZ value named DiscoveryService with the value data "manage.microsoft.com".

Windows RT
  • Click Start, type "System Configuration", and click the dialog box to open Company Apps.

iOS
  • Enroll iOS devices with the iOS company portal app, Windows Intune Company Portal, available in the App Store. The app can be installed on devices running iOS 6 or later.
  • On the iOS device, open the Windows Intune Company Portal and enter your credentials. When prompted, click Install on the Management Profile screen.

Android
  • Enroll Android devices with the Android company portal app, Windows Intune Company Portal, available on Google Play. The app can be installed on devices running Android 4 or later.
  • On the Android device, open the Windows Intune Company Portal and enter your credentials.
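The registry step for *.onmicrosoft.com tenants is easy to get subtly wrong (wrong hive, wrong value type, typo in the host name), and a wrong DiscoveryService value simply makes enrollment fail with no useful error. The following PowerShell script is an added example, not part of the original post or of any Microsoft tooling: it stages the key and value quoted in the steps above, refuses to run silently on a domain-joined machine (the steps apply to non-domain-joined devices), and reads the value back to confirm it is a REG_SZ with the expected data. The key path, value name and value data come from the enrollment steps; the checks around them are this example's own.

```powershell
# Added example, not part of the original post: pre-stage the MDM discovery
# endpoint on a Windows 8.1 device that is not domain-joined, for tenants that
# sign in with a *.onmicrosoft.com account and have no public domain.
# Key path, value name and value data are the ones from the enrollment steps;
# the surrounding checks are this example's own.
# Run from an elevated PowerShell prompt (HKLM\SOFTWARE\Policies is admin-only).

$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$ValueName = 'DiscoveryService'
$Expected  = 'manage.microsoft.com'

# The documented steps are for devices that are NOT joined to a domain;
# warn instead of silently configuring a domain member.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    Write-Warning "$($cs.Name) is joined to domain '$($cs.Domain)'; the workplace-join steps are for non-domain-joined devices."
}

# Create the MDM key only if it is missing (idempotent, safe to re-run).
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Write DiscoveryService as REG_SZ only when it is absent or differs.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($current -ne $Expected) {
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Expected -PropertyType String -Force | Out-Null
}

# Verify type and data before handing the device to the user for enrollment.
$key   = Get-Item -Path $KeyPath
$kind  = $key.GetValueKind($ValueName)      # REG_SZ is reported as 'String'
$value = $key.GetValue($ValueName)
if ($kind -ne [Microsoft.Win32.RegistryValueKind]::String -or $value -ne $Expected) {
    throw "DiscoveryService is '$value' of kind '$kind'; expected REG_SZ '$Expected'"
}
Write-Output "DiscoveryService = $value (REG_SZ) under $KeyPath"
```

Note that this value only tells the Workplace client where to look for the MDM service; the user still signs in with their account and the service still authenticates them, so the script removes the manual prompt rather than any security check. Because the value sits under a Policies key, it can also be delivered by a local-policy script or an imaging task sequence for fleets of such devices.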

Application inventory on company-owned devices (a Unified Device Management feature) versus personally owned devices (Intune standalone), i.e. which installed apps are visible to the administrator:

| Platform | Personally owned devices | Company-owned devices |
|---|---|---|
| Windows 8.1 (without the Configuration Manager client) | Only managed apps | Only managed apps |
| Windows Phone 8 | Only managed apps | Only managed apps |
| Windows RT | Only managed apps | Only managed apps |
| iOS | Only managed apps | All apps |
| Android | Only managed apps | All apps |

Hardware inventory details for the supported platforms:

| Hardware inventory class | WP 8 and WP 8.1 | Windows RT | iOS | Android (available when using the Android company portal app) |
|---|---|---|---|---|
| Name | Device_ComputerSystem.DeviceName | Device_ComputerSystem.DeviceName | Device_ComputerSystem.DeviceName | Not applicable |
| Unique Device ID | Device_ComputerSystem.DeviceClientID | Device_ComputerSystem.DeviceName | Device_ComputerSystem.UDID | Not applicable |
| Serial Number | Not applicable | Not applicable | Device_ComputerSystem.SerialNumber | Device_ComputerSystem.SerialNumber |
| Email Address | Device_Email.OwnerEmailAddress | Device_Email.OwnerEmailAddress | Device_Email.OwnerEmailAddress | Not applicable |
| Operating System Type | Device_OSInformation.Platform | CCM_OperatingSystem.SystemType | Not applicable | Device_OSInformation.Platform |
| Operating System Version | Device_ComputerSystem.SoftwareVersion | Win32_OperatingSystem.Version | Device_OSInformation.OSVersion | Device_OSInformation.Version |
| Build Version | Not applicable | Win32_OperatingSystem.BuildNumber | Not applicable | Not applicable |
| Service Pack Major Version | Not applicable | Win32_OperatingSystem.ServicePackMajorVersion | Not applicable | Not applicable |
| Service Pack Minor Version | Not applicable | Win32_OperatingSystem.ServicePackMinorVersion | Not applicable | Not applicable |
| Operating System Language | Device_OSInformation.Language | Not applicable | Not applicable | Not applicable |
| Total Storage Space | Not applicable | Win32_PhysicalMemory.Capacity | Device_Memory.DeviceCapacity | Device_Memory.StorageTotal |
| Free Storage Space | Not applicable | Win32_OperatingSystem.FreePhysicalMemory | Device_Memory.AvailableDeviceCapacity | Device_Memory.StorageFree |
| IMEI (International Mobile Equipment Identity) | Not applicable | Not applicable | Device_ComputerSystem.IMEI | Device_ComputerSystem.IMEI |
| MEID (Mobile Equipment Identifier) | Not applicable | Not applicable | Device_ComputerSystem.MEID | Not applicable |
| Manufacturer | Device_ComputerSystem.DeviceManufacturer | Win32_ComputerSystem.Manufacturer | Not applicable | Device_Info.Manufacturer |
| Model | Device_ComputerSystem.DeviceModel | Win32_ComputerSystem.Model | ModelName | Device_Info.Model |
| Phone Number | Not applicable | Not applicable | Device_ComputerSystem.PhoneNumber | Device_ComputerSystem.PhoneNumber |
| Subscriber Carrier | Not applicable | Not applicable | Device_ComputerSystem.SubscriberCarrierNetwork | Device_ComputerSystem.SubscriberCarrierNetwork |
| Cellular Technology | Not applicable | Not applicable | Device_ComputerSystem.CellularTechnology | Device_ComputerSystem.CellularTechnology |
| Wi-Fi MAC | Not applicable | Win32_NetworkAdapter.MACAddress | Device_WLAN.WiFiMAC | Device_WLAN.WiFiMAC |
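The Windows RT column maps straight onto standard WMI classes, so you can see on a Windows client exactly what the inventory will carry before the device is enrolled. The script below is an added example, not from the original post or from the Configuration Manager client: it reads the listed Win32_* properties with Get-CimInstance (PowerShell 3.0 or later) and returns them as one object. CCM_OperatingSystem.SystemType is a Configuration Manager client class that does not exist without the client installed, so Win32_ComputerSystem.SystemType is substituted here; that substitution and the Wi-Fi adapter selection are this example's assumptions. One caveat worth knowing: Win32_PhysicalMemory.Capacity and Win32_OperatingSystem.FreePhysicalMemory describe RAM, not disk, even though the table lists them under storage space.

```powershell
# Added example, not part of the original post: read, on a Windows device, the
# WMI properties the Windows RT column of the inventory table maps to, so the
# data a Windows client will report can be inspected locally.
# Assumes PowerShell 3.0+ (Get-CimInstance). CCM_OperatingSystem.SystemType is
# a ConfigMgr client class and is absent without the client, so
# Win32_ComputerSystem.SystemType stands in for it (this example's assumption).

function Get-WindowsInventorySnapshot {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Win32_PhysicalMemory.Capacity and Win32_OperatingSystem.FreePhysicalMemory
    # report RAM, not disk, although the inventory table files them under
    # "storage space". Several memory modules are summed into one figure.
    $ramBytes = (Get-CimInstance -ClassName Win32_PhysicalMemory |
        Measure-Object -Property Capacity -Sum).Sum

    # Win32_NetworkAdapter.MACAddress: the table wants the Wi-Fi MAC, and a
    # laptop usually also has wired and virtual NICs, so pick the 802.11 one.
    $wifi = Get-CimInstance -ClassName Win32_NetworkAdapter -Filter 'PhysicalAdapter = TRUE' |
        Where-Object { $_.MACAddress -and $_.Name -match 'Wi-?Fi|Wireless|802\.11' } |
        Select-Object -First 1

    [PSCustomObject]@{
        Name                    = $cs.Name
        OperatingSystemType     = $cs.SystemType          # stand-in for CCM_OperatingSystem.SystemType
        OperatingSystemVersion  = $os.Version
        BuildVersion            = $os.BuildNumber
        ServicePackMajorVersion = $os.ServicePackMajorVersion
        ServicePackMinorVersion = $os.ServicePackMinorVersion
        TotalPhysicalMemoryGB   = [math]::Round($ramBytes / 1GB, 2)
        FreePhysicalMemoryGB    = [math]::Round(([int64]$os.FreePhysicalMemory * 1KB) / 1GB, 2)  # WMI reports KB
        Manufacturer            = $cs.Manufacturer
        Model                   = $cs.Model
        WiFiMAC                 = if ($wifi) { $wifi.MACAddress } else { $null }
    }
}

Get-WindowsInventorySnapshot | Format-List
```

Seen from the security side, every field this returns (host name, model, Wi-Fi MAC, OS build) is data the management channel ships to the admin console, which is why the data-flow tables further down matter when you write the BYOD policy: users should know that this is what the organisation sees about a personally owned device.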

Information sent from Configuration Manager to Microsoft Intune

The following table shows the customer information and data that Configuration Manager sends to Microsoft Intune, grouped by the purpose it serves.

Information and data sent to Microsoft Intune | Examples
To help the admin manage enrolled devices and deploy the company's software to users' devices
  • Compliance settings and values, such as requiring a minimum password length of 4 characters
  • E-mail profile information, such as email server name and time of day preferences
  • Information to generate certificates for VPN profiles (but not the certificate itself)
  • Software name, description, encrypted content, and icon for apps
  • Any setting needed to enroll devices
To manage their users’ experience
  • Settings applied to user’s devices
  • Whether the company portal has been installed
  • What software applications are displayed as available in the company portals
  • What software the user has requested and installed
  • User’s software request history
To help enrolled users use single sign-on
  • User Principal Name (UPN)
  • User Name
  • Email (if email profiles are enabled and deployed)
To quickly view relevant information about enrolled devices
  • Device name
  • Device friendly name
  • Device Type
  • Device OS
  • Device Action (Wipe/Retire/Connect) state
  • Certificate expiry date
  • Primary user
  • Last connection time
To distribute certs for Wi-Fi and VPN profiles
  • NDES server information
  • SCEP (NDES) challenge encryption certificate (public key only)
  • Certificate provisioning information
  • Certificate assignment and status
To quickly assess current status and versions
  • Microsoft Intune Connector Installation status e.g. “Windows Phone 8.1 extension (V1) is installed”
  • Configuration Manager Version Information e.g. “Connector Build Version 5.0.7958.1000”
To connect authorized users remotely
  • RD Gateway Server Settings
  • Machine names and Microsoft Intune users for which this feature is enabled

Information sent by Microsoft Intune to Configuration Manager

The following table shows information that is generated by Microsoft Intune and shared with Configuration Manager. This information is deleted from Microsoft Intune after it has been successfully downloaded by Configuration Manager.

Type of information | Examples
End-user initiated commands
  • Device Wipe/Retire action information
  • Application Request information
  • User-generated device commands (rename, wipe, retire, connect now)
Tenant, user, and device error messages
  • “Apple APNs Certificate Expired”
  • “Side-loading key could not be applied”

Customer commands temporarily stored in Microsoft Intune

Commands sent to and received from mobile devices are temporarily stored in the Microsoft Intune service while the device is actively connected to the service. This data is subsequently deleted after the device’s active session ends.

The best document I could find on security planning for Windows Phone is written by Paweł Pławiak and Marcin Ostrowski; you can find it here:

Przewodnik Zabezpieczeń dla Windows Phone 8.1 (Security Guide for Windows Phone 8.1, in Polish)

For English readers there is also a great ebook which you might find useful:

Windows Phone 8.1 Field Guide

Enjoy!

/Tomasz Gościmiński