Intune for the Education Sector€¦ · Microsoft Intune delivers powerful capabilities for...

A guide to planning and implementing a Microsoft Intune deployment that delivers strategic value to your school district, brought to you by:

Microsoft IntuneArchitecture & Planning for Education

For more info, contact your Microsoft representative or visit https://lumagatena.com/edu

We Drive Business & Education Evolution Forward

MAKING MOBILE DEVICE MANAGEMENT WORK FOR THE EDUCATION SECTOR

Charting your course

B egin with the end in mind. These words, penned more than 25 years ago by Steven Covey,

author of “The 7 Habits of Highly Effective People”, are perhaps some of the most

broadly applicable to technology projects across any industry. However, they hold special meaning

when planning Mobile Device Management (MDM) for the Education sector, where these devices have

become essential in delivering a high-quality education.

Planning mobile device management for the Education sector goes beyond the typical

discussions of device configuration and process automation. Your students and your educators are

two unique audiences who require special attention when envisioning the user experience. While your

IT operations team has insight into the desired user experience, mapping delivery of that user

experience to a new tool can be a challenge. Microsoft Intune delivers powerful capabilities for

modernizing and transforming mobile device management in the Education sector, but as with any

enterprise technology, successful implementation must “begin with the end in mind”.

Charting your course begins with identifying your deployment objectives. Deployment

objectives are the actions your organization can take to reach its Intune deployment goals. There are a

few objectives typical across most organizations, such as:

❖ Reduce the number of device management solutions

❖ Enable easy access to cloud services

❖ Provide secure access to Exchange and SharePoint Online

❖ Prevent corporate data from being stored or forwarded to unmanaged apps on mobile devices

❖ Provide capability to wipe corporate data from the device

And a few more common objectives specific to the Education sector, including:

❖ Preparing a group of tablets for a new class

❖ Enabling quick rollout of a newly released version of an app or cloud service

❖ Securing classroom iPads to prevent student from making unwanted changes

And how about implementing a solution that puts these capabilities in the hands of your teachers?

This guide is intended to serve as a practical reference for educational institutions seeking to

implement a modern, efficient, and secure mobile device management strategy or devices in the

classroom. In the pages that follow, you’ll find insights for technology architects and decision makers

alike to help guide your journey to a successful Microsoft Intune implementation that goes beyond

efficient deployment, configuration, and management of your mobile devices, to one that delivers

strategic advantage to both your IT organization and the educators they support.


Challenges


in the Education sector

Dprevious projects that you would like to avoid, or new issues related to the current deployment

effort. As with deployment objectives, there are several avoidable challenges we see across

implementations of any enterprise mobile device management solution and the problems that

result:

❖ Support readiness and end-user experience are not included in an initial project scope.

This leads to poor end-user adoption and challenges for your support organization.

❖ Lack of clearly-defined goals and success metrics leads to intangible results. It may also

shift your organization into a reactive mode when issues arise.

❖ You neglect to create, validate, and aggressively share a clear value proposition that

resonates for your organization. This often leads to limited adoption and a lack of return

on investment (ROI).

Then, there are the challenges specific to the Education sector that should be considered from

the outset:

❖ Quantifying the impact of a technology rollout to the IT Support organization on a per-

classroom basis.

❖ Identifying and triaging issues affecting the classroom user experience.

❖ Developing a strategy to quickly resolve common and urgent requests to avoid

interruption to the learning process.

❖ Implementing processes and procedures for request and issue reporting new teachers can

easily digest.

Once you have identified your challenges, it’s time to develop mitigation strategies.

eployment challenges are issues that are top of mind for an organization that also may have a

negative impact on deployment. Sometimes they are related to past issues from

Don’t develop your mitigation strategies in a bubble, especially those centered on the user experience for teachers and students.


Challenge Mitigation strategy

You neglect to create, validate, and aggressively

share a clear value proposition that resonates for

your organization. This often leads to limited

adoption and a lack of return on investment

(ROI).

Lack of clearly-defined goals and success metrics

leads to intangible results. It may also shift your

organization into a reactive mode when issues

arise.

While you may be excited to jump into your

project, ensure you have clearly defined your

goals and objectives. Include these in all

awareness and training activities to ensure users

understand why your org selected Intune.

Define your goals and success metrics early in

your project scope, and use these data points to

flesh out your other rollout phases.

A few challenge/mitigation examples…

Now that you have identified your deployment goals, objectives, and potential challenges, it’s time

to identify your use-case scenarios.

dentifying your use-case scenarios is an important part of the planning process for a successful

Intune deployment. Use-case scenarios are helpful because they let you

Identifying

You can begin identifying your use-case scenarios by referring to your Intune deployment

objectives. In addition to managing your shared classroom devices, you’ll want to consider whether you

intend to support the personally owned devices of teachers, other faculty, and staff (bring-your-own-

device, or BYOD).

Leveraging Microsoft 365, you have

the power to enable your users to use the

full Office Mobile suite, with full deployment

and management capability provided via

Intune while protecting the privacy and

security of student data. You’ll quite possibly

find specialized use cases in each scenario,

particularly with faculty and staff with

varying responsibilities and data access

privileges. These distinctions will help you

identify where to apply different device

management policies.

Intune uses Azure Active Directory (AAD) groups to manage devices and users. To facilitate

application of management policies with enough granularity to meet your use cases, you’ll want to

create organizational groups that are associated with each use case. Then, you should identify the

mobile device platforms associated with each scenario. Are your users strictly iOS? Is Android support

a need? BYOD may bring a broader range of mobile device platforms, including additional Android

distributions and Windows 10 Mobile.

Take advantage of Azure AD dynamic

groups to minimize the manual effort in Intune policy application and

enforcement.


your use cases

Isegment your users into manageable groups by user type or role, and the ownership of the

user's device (for example, company or personal).

Let’s discuss a few examples to help your organization identify Intune use-case scenarios, as

well as organizational groups, and mobile device platforms associated with each use case.

Dynamic user and device groups and bulk

device import make Intune device policies

and app deployment even more

compelling. Making the most of Intune

means spending time identifying the

needs of your educators and their

classrooms, and where their needs

overlap. Implement dynamic group

population based on user properties (such

as job title or grade level). If your teachers

can maintain a list of serial numbers for

classrooms and other devices, your Intune

administrator can make short work of

group population.


Talk to your teachers to learn where app needs

overlap to maximize Intune policy reuse across classrooms

Creating

Gap analysis is another import step when preparing your design. Reviewing the requirements within

your use cases to identify any areas where customization may be necessary and identifying the need

for customizations as early in the process as possible will minimize deployment delays. For more on

gaps common to education, see “Extending Intune for the Education sector” in this document.


your Intune design

our current environment can influence design decisions and should be documented and

referenced when you make other Intune design decisions. Having documentation on hand forYyour current environment, including existing MDM, Identity, Email, Public Key Infrastructure

(PKI), and System Management will prove important. Make sure to note any projects in motion

that could change the state of your existing environments.

Then, it’s important to identify requirements for any external dependencies and how to

configure them, like Azure Active Directory (the identity provider for Intune and Office 365),

user and device groups to support the use-cases you identified earlier, as well as PKI, which

supplies certificates to devices to securely authenticate to Intune and other services.

For schools with classroom devices targeted for management with Intune, you'll want to

prepare for bulk enrollment. You can enroll devices in bulk in different ways depending on the

platform. With iOS devices, your bulk enrollment options will be influenced by how you purchased the

devices.

To meet your use cases, you’ll leverage these

five key Intune capabilities, mapped to the user

and device groups you defined previously:

❖ Policies. You should plan to create at least

one configuration policy per platform.

❖ Profiles. Enable configuration of resources,

including certificates, Wi-Fi settings, VPN,

and e-mail.

❖ Apps. In addition to individual apps, you

can manage and deploy volume-purchased

apps common in classroom scenarios

❖ Seamless access. You can federate your

cloud services to Azure AD, providing a

Single Sign On experience while allowing

you to get away from maintaining on-

premises ADFS infrastructure.

❖ Compliance policies determine whether a

device conforms to certain requirements,

enabling protection of confidential faculty

information.

Conditional access policies in Intune work

with EMS to allow only compliant devices

to access school resources

Your app deployment strategy will take on

an additional dimension over typical

corporate Intune deployments: classroom

deployment strategy. Leverage the

overlapping classroom app and device

configuration needs you identified earlier

in the planning process to reduce policy

configuration effort and complexity.

To better understand the communication

flow in device policy delivery with Intune,

see the Intune Service Architecture

diagram on the next page.


Identifying common needs across classrooms

can help minimize Intune configuration effort to implement

your use cases


Microsoft Intune

Protect data Azure Active Directory

Microsoft Azure

Office 365Office 365

Network Access

Control partner

Device

compliance

policies

App protection

policies

Mobile Threat

Defense connector

Conditional access

Custom Web

appsLOB appsLOB appsCustom Web

appsLOB apps

Web consoleWeb console

SaaS appsSaaS apps

App StoreApp Store

Graph

API

Graph

API

Telecom expense

management

Configuration

policies

Configure devices

Profiles

Manage apps

Apps App

configuration

policies

On-premises

network

Apps, Policy and

Reporting Data

Authentication

& authorization

Device

compliance

results

Group

targeting

Read device

compliance

information

Data for

compliance

calculation

Data from

telco on usage

Mobile threat

assessment

Device

settings

assignment

App install status

and inventory

Data usage

and alerts

RESTful API calls

Intune Service Architecture

Gaps requiring customizationA few features often requested in the

Education sector not native to Intune:

❖ No self-service GUI for teachers,

forcing all requests to flow through IT

❖ App deployment delays of up to

several hours on iOS by default

❖ No feature to maintain up-to-date

lists of currently approved apps

❖ Request process to have new apps

added to the catalog

The EDU App Catalog for Intune from

Lumagate leverages the power of the

Microsoft Graph API and Microsoft Azure

to bridge these gaps, delivering:


Lumagate® presents the

EDU App Catalogfor Microsoft Intune®

Extending Intune for the Education sector

❖ A simple, web-based portal that enables teachers to select & assign of a list of apps to an iPad or

group of iPads

❖ Approval workflow automation for deployment of apps requiring administrative approval

❖ Automatically requests iOS device check-in to decrease deployment time from hours to minutes

❖ An automated procurement request form & workflow that allows educators to view the org’s

current app & request purchase approval in just a few keystrokes

hile Intune is a powerful mobile device management platform, the special use cases, staffing,

and budget limitations of today’s school districts present unique challenges Wthat can only be met through customization. Fortunately, the Intune APIs in Microsoft Graph

enable programmatic access to Intune device management and application deployment

capabilities. When coupled with the rich PaaS capabilities of the Microsoft cloud, the

possibilities are truly impressive.


Solution Architecture

Office 365 Intune

Azure

Teacher requests app deployment to student iPads

App is deployed and app checks in to report status

EDU App Catalog processes request & executes accelerated

app deployment in Intune

Request is captured in a custom SharePoint portal

Intune deploys app to targeted classroom iPads

EDU App Catalog updates request status & emails requestor

1

2

3

4

5

6

About the EDU App CatalogThe EDU App Catalog for Intune is a cloud-based service, leveraging Microsoft Platform-as-a-

Service (PaaS), so it requires no server infrastructure. It’s hosted in your Azure tenant, ensuring

no outside organizations can access your data. And because it’s 100% Azure PaaS, its very

inexpensive to operate.

Lumagate can help your organization implement the EDU App Catalog as part of guided Intune

pilot deployment.

EDU App Catalog

Developing

Break these down in a logical way based on previous experience, such as by grade, or by school.

Plan to start small and gauge the support load generated after each wave before increasing the

number of users and devices in a single move. Larger groups may need to be logically divided.

Now that you have determined the

targeted groups and time frames for your

Intune rollout, the next step is to choose

the most appropriate Intune enrollment

approach. While your classroom devices

should be bulk enrolled, personal devices

of your faculty can be handled via self-

service (for tech-savvy individuals), assisted

enrollment, or even via a group

walkthrough via video conference. You can

refine this process based on your results,

starting with the pilot.

Finally, a successful Intune rollout relies on clear and helpful communications, delivered in waves (3-5

installments) in the weeks proceeding the pilot. This is the last, and perhaps most crucial item, in the

rollout plan.

Run your rollout communication in

phases, and sell the value of coming

changes, so users are invested in the move.


your rollout plan

Your rollout plan identifies the organizational groups you want to target for your Intune rollout,

the rollout timeframe for each group, and the enrollment approaches you will use. First, review

the groups that are targeted with your Intune rollout and that you identified in your use-case

scenarios. The first phase to rollout should be to pilot users. The pilot users should understand

they are the first users in a new solution and that their feedback to help improve configuration,

documentation, notifications, and ease the way for all other users in later rollout phases.

After a successful pilot, you're ready to start a full production rollout, targeting the rest of your

organization’s groups.


Start with broad communications that introduce

the Intune project itself, and in later waves

include additional information about Intune and

complementary offerings, user resources, and

specific timelines for when organization groups

and users are scheduled to receive Intune. The

week before the move, the first groups

scheduled receive the enrollment

announcement. Post-enrollment communication

should include a survey to the group just

enrolled, enabling the implementation team to

incorporate user feedback into their own lessons

learned to ensure the process improves with

each subsequent wave of enrollment.

Well-planned messaging and cadence of rollout

communications are key to an Intune deployment users and stakeholders

view as successful


Ddependencies (if required) based on your use-case requirements. Microsoft guidance details

more than a dozen discrete tasks for implementing an Intune deployment. You may have

already completed some of these tasks, such as:

❖ Getting an Intune subscription

❖ Adding an Office 365 subscription

Then, there are sets of configuration tasks to implement settings for your use cases before

enrollment begins.

❖ Add user groups in Azure AD mapping to your use cases

❖ Assign Intune and Office 365 user licenses

❖ Set mobile device management authority to Intune

❖ Add terms and conditions policies

❖ Add and deploy configuration policies

❖ Configure and deploy resource profiles, such as Wi-Fi settings

❖ Add and deploy apps. For classroom devices, this often means integrating with Apple DEP

and VPP services.

❖ Add and deploy compliance policies

❖ Enable Conditional Access policies to implement access controls

Finally, enroll devices based on your Intune deployment based on your rollout plan. Once

you’ve handled the post-enrollment support, deliver your final user survey and compile

learnings to pass on to future projects. Congratulations, your Intune implementation is

complete!

uring the onboarding phase, you deploy Intune into your production environment. The

implementation process consists of setting up and configuring Intune and external

Well-planned use cases, consistent user communication, and a solid pilot are the critical in a successful Intune deployment

Implementing Intune in your environment

To learn more about the EDU App Catalog for Intune, visit https://lumagatena.com/edu

We Drive Business & Education Evolution Forward

Next Steps in your Intune journey

e hope you found this guide to planning in your Microsoft Intune deployment helpful. Intune is

a powerful platform for user and device management, and for the education

sector, brings not only valuable management capabilities, but tremendous total-cost-of-

ownership (TCO) advantages, enabling school districts to reduce spending on IT operations and

redirect funds where they are needed most - delivering a high quality education to our

children!

What’s next? That depends on where you are in your evaluation journey with Microsoft Intune.

If you’d like to see Intune in action, a live demo or proof-of-concept may be the best next step.

Already convinced of Intune’s compelling value? A guided pilot implementation is a great

option to enable your IT staff to gain hands-on exposure and see that value first hand.

Whatever your next step, we wish you much success in your Intune journey!

Unsure who your Microsoft Education representative is? Contact Lumagate and we’ll connect

you to the right person at Microsoft to help you with those next steps. Our contact info is listed

below.

W

email: [email protected]

website: https://lumagatena.com/edu

Intune for the Education Sector€¦ · Microsoft Intune delivers powerful capabilities for...

Documents

Transcript of Intune for the Education Sector€¦ · Microsoft Intune delivers powerful capabilities for...