Microsoft Intune Connector site system role, which is a Configuration Manager site role, acts as a gateway between Intune and on-premises Configuration Manager, sending settings and software deployment information to Intune, and retrieving status and inventory messages from mobile devices. Server hardware consisted of the following:. A primary site server that uses a virtual machine with 12 gigabytes GB of RAM and four core processors. A separate site for MDM is not required.

Because MDM can scale to large volumes of devices, most small and medium organizations will not need a separate site and can incorporate MDM into their existing site hierarchy. CSE performed user discovery for the entire Microsoft corporate Active Directory forest by using the existing production Configuration Manager environment. This process took a few hours because of the large user base in Microsoft, but it ensured that all users were added to a user collection before MDM was enabled.

Organizations must consider the extent of their BYOD environment to determine if they need to perform a full user discovery, or whether the users who are allowed to enroll their mobile devices should be added manually to Configuration Manager. Microsoft had an existing tenant account because it already used Microsoft Office and other cloud services; it also had Azure AD Connect and AD FS in place to synchronize data into the cloud. Companies that do not have these services in place will need to complete these tasks:.

Deploy AD FS to allow for a single identity for each user across both on-premises and cloud-based applications. This means that users will not need to know the actual server name when they enroll their device. Each device platform has different requirements for loading applications. CSE worked with the Microsoft App team to acquire the certificates that are required for the supported mobile devices. Create a new Intune subscription.

TouchXperience for Windows Phone features

This enabled Configuration Manager to become the authoritative source for managing all mobile devices, providing a single administration console for on-premises systems, cloud-connected devices, and application life cycle management. Define a user collection.

CSE created a custom user collection for all Microsoft employees, based on the users who were discovered during user discovery for the entire Microsoft corporate Active Directory forest. This ensured that members of this collection were licensed for enrollment in MDM. Configure the platform, certificates, and keys. For each platform, CSE applied the required certificates.

Assign a connector role. The Intune Connector server role communicates directly with Intune and provides the communication gateway between Configuration Manager and Intune for all incoming and outgoing communication. It monitors the collection of users for additions, synchronizes changes with Intune to license users, and enables users to enroll their devices.

Use delta user discovery and incremental updates. When delta discovery is enabled in AD User Discovery settings, and incremental updates are selected in the collection settings, updates are synchronized more often. This ensures that licensing new users and removing licenses for disabled users occur quickly. Use default Cloud User Sync settings. Cloud User Sync synchronizes changes, such as when new users who have been added to the collection are licensed and enabled for enrollment or when the Intune license is revoked for users who have been removed from the collection. By default, synchronization occurs every five minutes and is a minimal burden on the Configuration Manager hierarchy and network.

Users do not have to be licensed separately for each device. When a user is licensed, he or she is licensed for up to 20 devices. It wanted to ensure that the process for enrolling devices had these characteristics:. It provides a good user experience, where users can enroll their devices, gain access to the Company Portal, and install LOB applications with minimal user intervention. AD FS enables Microsoft users to use the same credentials their corporate user ID, email account, and network password , regardless of device.

When a user enrolls a device, CSE collects general information about the device, such as the manufacturer and any LOB apps that are installed from the Company Portal but not from the Microsoft Store. The Company Portal is a required app for every newly enrolled device.

Because there are no client logs for enrollment troubleshooting, CSE needed to take a systematic approach to troubleshooting. CSE recommends that the following issues be verified when troubleshooting general device enrollment issues:. The user is not trying to enroll several devices at the same time and has not enrolled more than 20 mobile devices in the system.

CSE learned lessons from a few issues that occurred during the enrollment process, particularly regarding user education requirements:.

Related Posts

Users were concerned about the type of information that CSE could see and collect about their personal devices. CSE needed to reassure users that it collects only general information about the device itself such as the manufacturer and any LOB apps that are installed from the Company Portal—and that it collects no personal information, such as phone numbers, personal apps, or apps that are installed from the Microsoft Store. Users were sometimes confused about differences in the enrollment process for the various mobile devices platforms for example, one platform might have additional screens for adding management profiles on the device.

To address this issue, CSE documented the enrollment process for each device and made this documentation available through the company support website, ITWeb. To help ensure that corporate security was maintained while also providing a good end-user experience, CSE had to coordinate with the following Microsoft teams:. The Microsoft Security team, to define the policies that would enforce Microsoft corporate compliance settings on mobile devices, such as password policy and encryption settings.

CSE took advantage of default compliance rules for mobile devices that are built into Configuration Manager. It created new configuration items CIs for mobile devices different CIs for each device type, to make troubleshooting easier and added built-in compliance rules whose values are based on CSE security requirements see Table 1.

It then created a configuration baseline for those CIs and targeted the configuration baseline to the collection of mobile devices. Although the most restrictive policy will apply, different user experiences have the potential to increase support calls. If a policy does not apply to a particular device platform, the policy will report which platforms do not support it. Use common policies to simplify administration.

1. mobile tower radiation effects ppt!
2. alice in wonderland movie free download for mobile.
3. Enterprise Mobile Device Security & Management, MDM | Trend Micro.

For example, set the same password requirements across all mobile device platforms so that multiple CIs and different device collections are not required to support various password policies. Create custom device collections when policies cannot be aligned across platforms. The Configuration Manager console shows enrolled devices by device type. Like other organizations, Microsoft needs a way to enforce security if users leave the company or lose a device.

To help secure a lost device or retire a device from active use, CSE issues a wipe command to the device. This removes all company and user data and settings. The specific data that a selective wipe removes and the effect on data that remains on the device vary by device platform. To limit which administrators can wipe or retire a device, CSE used role-based access control RBAC in Configuration Manager to restrict the view in the console for some administrators.

After an MDM pilot has been conducted in a test hierarchy, it is important to retire all devices from the Configuration Manager console before the move to a production hierarchy. Configuration Manager includes many ready-to-use, built-in reports for MDM, including reports for apps, hardware inventory, and settings management, so it is not necessary to create custom reports. It is also not necessary to create separate reports for desktop device and mobile device management: the same report can be used to report on both types of environment.

In particular, two built-in reports provided CSE with insight into the application installation status and policy compliance status for MDM:. CSE also used Configuration Manager console monitoring to easily view and drill down to the asset level for the status of app deployment and security policy compliance.

This dashboard provides executive management with visibility into enrollment count trends through graphs, and also has a look and feel that are similar to other CSE dashboards. By creating a solution that streamlined the administration and deployment of devices and applications, CSE was able to increase the scope of its centrally managed devices by 10 percent at initial implementation, without having to add resources or administrative overhead. CSE expects this number to continue to increase at a rapid pace and sees potential for centrally managing more than , mobile devices.

Low-cost, scalable solution.

Intune integrates into the existing Configuration Manager environment without requiring new infrastructure, hardware, or network complexity in the CSE environment. It provides enterprise-level scalability, extending the reach of Configuration Manager to support management across device platforms. Simplified administration. The Configuration Manager console unifies device management, providing CSE administrators with a single console for administration, application management, and reporting across multiple device types.

IBM clients and Business Partners explain the important role, in the cloud and digital era, of a proactive cybersecurity approach.

MaaS360 Mobility Solutions

Watch the video. Find out how. Unlock answers. Solve your challenges.

Definition of Mobile Device Management

Through the intersection of AI, intelligent orchestration, the agility of the cloud, and collaboration with each other, we can tackle the cybersecurity challenges ahead of us. Consider AI. Be ready.