Microsoft Solves BYOD Using Microsoft System Center Configuration Manager and Windows Intune

  • Date posted: 14-Sep-2014
  • Category: Technology


Description

Microsoft IT enables employees to bring their own devices to work. IT distributes personal hardware budgets to internal departments. We have worked hard to make IT-standard devices be compelling and easy to acquire, but teams can buy what they want. We have clear practices related to support based on the device. We expanded our device support with the growth of tablets and smartphones. We believe internal users should opt into being managed by IT, where they give up some control in order to get more access to corporate resources. For example, if the device doesn't have TPM-enforced BitLocker and multi-factor authentication, the user can't get to sensitive data. We recommend Windows-based devices over others due to usability and security, and we provide guidance to employees with personal devices. That said, we have more than 10,000 iOS and Android devices on our network, and many more Macs (Microsoft has software for the Macintosh and a dedicated business group). Read this IT technical case study on unified device management for more details.

Transcript of Microsoft Solves BYOD Using Microsoft System Center Configuration Manager and Windows Intune

Page 1: Microsoft Solves BYOD Using Microsoft System Center Configuration Manager and Windows Intune

Microsoft Solves BYOD Using Microsoft System Center Configuration Manager and Windows Intune

Published November 2013

Microsoft IT uses Microsoft System Center 2012 Configuration Manager with Windows Intune as their enterprise tool to create a consistent, reliable, and secure work environment that allows users to be productive anytime, anywhere, on any device they choose, while meeting Microsoft compliance and security requirements and while simplifying administration across heterogeneous device platforms.

Situation

Microsoft Information Technology (Microsoft IT) needed to embrace and adapt to the rising bring your own device (BYOD) culture by enabling users to access corporate resources from personal devices without compromising corporate security, increasing infrastructure costs or complexity, or increasing administrative overhead.

Solution

To address the changes in the enterprise landscape, Microsoft IT enabled Unified Device Management (UDM). By adding a Windows Intune subscription and deploying the Intune connector to their Microsoft System Center 2012 Configuration Manager Service Pack 1 (SP1) environment, Microsoft IT brings all devices, company-owned and user-owned, into the scope of centralized management while providing users a flexible work environment across multiple device platforms.

Benefits

• Reduced costs by unifying IT management infrastructure.
• Simplified administration for managing all PCs and mobile devices.
• Increased user productivity while maintaining compliance and reducing risk.

Products and Technology

• System Center 2012 Configuration Manager SP1
• Windows Intune
• Active Directory
• Microsoft Online Directory Services


Situation

Microsoft IT, like many other enterprises, faces an explosion of heterogeneous devices and the growing challenges created by the bring your own device (BYOD) culture. Long gone are the days of managing a single user using a single corporate-owned device to access corporate resources. To keep pace with the need to allow users to work when, where, and with which device best suits them, Microsoft IT needed to find a new approach for managing the modern workplace. A solution that would:

• Deliver simplified, comprehensive management across device platforms, on-premises and in the cloud, using a single console for administration, deployment, and reporting.
• Integrate into the existing network design without additional investments in hardware or increase in complexity.
• Provide a consistent user experience across device platforms.
• Enable access to line of business (LOB) applications from the user’s device of choice without compromising corporate security.

Microsoft IT uses Microsoft System Center 2012 Configuration Manager to manage devices connected to its corporate network but was looking for a solution to also manage devices and applications in the cloud.

Solution

Microsoft IT enabled Unified Device Management (UDM) by leveraging Windows Intune and System Center 2012 Configuration Manager SP1. This solution retains the scalability and administrative functionality of Configuration Manager while extending its reach via Windows Intune to cloud-based device management. With UDM, Microsoft IT uses a single Configuration Manager–based administrative console to centrally manage both on-premises and cloud-connected computers, devices, and applications.

With UDM, Microsoft IT is able to:

• Extend Configuration Manager infrastructure with Windows Intune to support cloud management of mobile devices, enabling publication of corporate apps and services across multiple device types.
• Provide consistent access to corporate resources for a variety of devices, regardless of location.
• Offer and deploy LOB modern applications dynamically based on device type.
• Apply policies across various devices and platforms to meet Microsoft compliance and security requirements.
• Remove corporate data and applications if a device is lost, stolen, or retired from use.

As part of the solution, Microsoft IT implemented a self-service app store, the Company Portal, which gives Microsoft users the ability to install internal LOB apps on all their devices, virtually anytime or anywhere.

Deployment

The Microsoft IT UDM service offering focuses on four key areas: device enrollment, application provisioning, policy, and inventory of hardware and software. Before the deployment and configuration of UDM could begin, Microsoft IT needed to determine the type of devices they would support. Based on an analysis of device volume and native LOB apps, the initial scope of the UDM project was set to support Microsoft Surface RT, Windows Phone 8, and Apple iOS devices. While UDM supports Android devices, Microsoft IT did not include them in the initial scope due to the lack of internal LOB apps developed for the Android platform. Understanding the scope of devices enabled Microsoft IT to coordinate with the appropriate Microsoft teams to configure the Intune Connector, define security policies, and publish apps to the new Company Portal.


Architecture

UDM consists of a series of components working in concert:

• Configuration Manager provides the central administration console for administering both on-premises and cloud-based devices.
• Windows Intune Subscription establishes the connection between Configuration Manager and Intune. It specifies the configuration settings for the Windows Intune service, such as which users can enroll their devices and which mobile device platforms to manage.
• Windows Intune Connector, a Configuration Manager site role, acts as a gateway between Windows Intune and on-premises Configuration Manager, sending settings and software deployment information to Windows Intune and retrieving status and inventory messages from mobile devices.

Figure 1. Microsoft IT Unified Device Management infrastructure.

The following sections describe the various activities involved in Microsoft IT's UDM deployment.

Deployment Process

Microsoft IT took a five-step approach to deploying UDM into their existing Configuration Manager environment.

Step 1: Build Configuration Manager SP1 environment

Microsoft IT added a Configuration Manager SP1 primary site in the corporate domain hierarchy specifically for mobile device management. Server hardware consisted of:

• A primary site server using a virtual machine with 12 GB of RAM and four core processors.
• A Microsoft SQL Server server with 64 GB of RAM and six core processors.

Creating a separate site for mobile device management is not a UDM requirement—UDM is capable of scaling to large volumes of devices. For Microsoft IT, the decision to create a separate mobile device management site instead of incorporating UDM into an existing Configuration Manager site used for managing PCs and laptops was based around the anticipated volume of mobile devices. With approximately 180,000 users between full-time employees (FTEs) and vendors, Microsoft IT needed to ensure that the UDM environment could handle a very large number of enrolled mobile devices.

[Figure: Microsoft IT five-step UDM deployment process. Steps: Build CM SP1 environment; Provision users; Provision Intune services; Set up DNS redirection; Acquire device-specific certificates.]

Most small and medium size organizations will not require a separate site and can incorporate Unified Device Management into their existing site hierarchy.

Step 2: Provision users

Microsoft IT performed user discovery for the entire Microsoft corporate Active Directory forest using the existing production Configuration Manager environment. This process took a few hours due to the large user base in Microsoft IT and ensured that all users were added to a user collection before enabling UDM.

Your organization must determine the extent of your BYOD environment to see if performing a full user discovery is necessary or if you want to manually add the users allowed to enroll their mobile devices to Configuration Manager.

Step 3: Provision Windows Intune services

Microsoft IT worked with the Microsoft Online Directory Services (MSODS) team to provision Intune services for Microsoft IT organizational user (tenant) account and set up the UDM services Admin (the account used for authentication when creating the Intune Subscription in Configuration Manager). They also worked with the Active Directory team to configure Directory Sync (DirSync) and Active Directory Federation Services (ADFS) 2.0. DirSync ensured that all users were synchronized into the cloud, and ADFS allowed for users to use a single sign-on (SSO) to access all cloud services.

Microsoft had an existing tenant account as they already use Microsoft Office 365 and other cloud services and already had DirSync and ADFS in place to synchronize data into the cloud. If your company does not, you will need to:

• Sign up for a Windows Intune organizational (tenant) account.
• Deploy and configure DirSync to synchronize on-premises Active Directory users with the MSODS, creating the user ID used for cloud-based applications.
• Deploy ADFS to allow a single identity for each user across both on-premises and cloud-based applications.

Step 4: Set up DNS redirection

Most companies will benefit from creating a DNS alias (CNAME record type) to redirect enterpriseenrollment.<yourcompany>.com to allow for server auto discovery. This means users will not need to know the actual server name when they enroll their device.
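The following script is an added example and is not part of the Microsoft IT case study. It creates the enterpriseenrollment alias described in Step 4 on a Windows DNS server and then checks from a client that the alias resolves, which is the condition auto discovery depends on. The zone name contoso.com and the enrollment host manage.microsoft.com are assumptions to replace with your own values; the script also assumes the DnsServer module (Windows Server 2012 or later) on the DNS server and the DnsClient module on the client.

```powershell
# Added example, not part of the Microsoft IT case study.
# Creates the enterpriseenrollment CNAME from Step 4 and verifies it from a client.
$ZoneName       = 'contoso.com'            # placeholder: the DNS zone matching users' UPN suffix
$EnrollmentHost = 'manage.microsoft.com'   # assumption: the Windows Intune enrollment service host
$Alias          = 'enterpriseenrollment'
$Fqdn           = "$Alias.$ZoneName"

# On the DNS server: add the CNAME only if it does not already exist, so the
# script can be re-run safely.
$existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $Alias -RRType CName -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordCName -ZoneName $ZoneName -Name $Alias -HostNameAlias $EnrollmentHost
    Write-Output "Created CNAME $Fqdn -> $EnrollmentHost"
} else {
    Write-Output "CNAME $Fqdn already exists -> $($existing.RecordData.HostNameAlias)"
}

# On a client: the alias must resolve to the enrollment host. If it does not,
# auto discovery fails and users have to type the server name during enrollment.
$answer = Resolve-DnsName -Name $Fqdn -Type CNAME -ErrorAction Stop |
          Where-Object { $_.QueryType -eq 'CNAME' }
if (-not $answer) {
    throw "$Fqdn returned no CNAME record"
}
if ($answer.NameHost.TrimEnd('.') -ne $EnrollmentHost) {
    throw "$Fqdn points to '$($answer.NameHost)', expected '$EnrollmentHost'"
}
Write-Output "Verified: $Fqdn -> $($answer.NameHost)"
```

Run the first half on the DNS server and the verification half from a domain-joined client (or from the DNS server itself) once replication has completed; a throw from the verification step means enrollment will not auto discover the service for users in that UPN suffix.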

Step 5: Acquire device-specific certificates

Each device platform has different requirements for loading applications. Microsoft IT worked with the Microsoft App team to acquire the certificates required for the supported mobile devices.

At Microsoft, Configuration Manager Admins do not maintain certificates. The Product Release & Security Services (PRSS) team is the central authority for the signing process used to sign all Windows Phone 8 and Windows apps applicable to Windows RT devices at Microsoft.

For signing Windows RT and Windows 8 modern apps, Microsoft IT uses one of the child certificates of the Microsoft Root CA. They configure the Microsoft root certificate in the Windows Intune subscription page, enabling Windows RT devices to trust those signed apps.

Depending on the size of your organization, your model for managing and deploying certificates may be different. For more information on certificates and/or keys required for each mobile device platform and from where your company needs to obtain the certificate or key, see Obtain Certificates or Keys to Meet Prerequisites per Platform under the Prerequisites section of How to Manage Mobile Devices by Using Configuration Manager and Windows Intune.

UDM Configuration

Enabling UDM requires creating a Windows Intune Subscription and defining a Windows Intune Connector role in Configuration Manager. To set up and configure UDM, Microsoft IT:

1. Created a new Intune Subscription. In the Subscription Wizard, they selected Allow the Configuration Manager console to manage this subscription. This enabled Configuration Manager to become the authoritative source for managing all mobile devices, providing a single administration console for on-premises systems, cloud-connected devices, and application life cycle management.

2. Defined a user collection. Microsoft IT created a custom user collection for all Microsoft employees based on the users discovered after performing user discovery for the entire Microsoft corporate Active Directory forest. This ensured that members of this collection were licensed for enrollment in UDM.

3. Configured platform, certificates, and keys. The three platforms that were identified as in scope for UDM were enabled: Windows Phone 8, Windows RT, and iOS. For each platform, the required certificates were applied. For Windows Phone 8, they also deployed the Company Portal app to allow users to start using the Company Portal and installing applications almost immediately after enrolling their device.

4. Assigned connector role. Microsoft IT added the Windows Intune Connector site server role to the Central Administration Site (CAS) server. The Intune Connector server role communicates directly with Windows Intune and provides the communication gateway between Configuration Manager and Intune for all incoming and outgoing communication.

Cloud User Sync Monitoring

After UDM is configured, Cloud User Sync, a component in Configuration Manager, provides communication between Configuration Manager and Windows Intune. It monitors the collection of users for additions, synchronizes changes with Windows Intune to license users and enables them to enroll their devices. Microsoft IT makes the following recommendations.

• Use delta user discovery and incremental updates settings. By enabling delta discovery in your Active Directory User Discovery settings and selecting incremental updates on the collection settings, updates are synchronized on a more frequent schedule. This ensures licensing of new users and removal of licenses for disabled users happens quickly.

• Use the default Cloud User Sync setting. Cloud User Sync synchronizes changes—new users added to the collection are licensed and enabled for enrollment; users removed from the collection have their Windows Intune license revoked. By default, synchronization occurs every five (5) minutes and is a minimal burden on your Configuration Manager hierarchy and network.

• Monitor the following Intune Connector log files:
  o Dmpdownloader.log to monitor policy changes downloaded from Windows Intune to Configuration Manager.
  o Dmpuploader.log to monitor policy changes uploaded to Windows Intune from Configuration Manager.
  o Cloudusersync.log to monitor user licensing in Windows Intune.

• Use the CloudUserID field in the User_Disc table in Configuration Manager to identify if users are licensed.
  o Null indicates that user is not licensed to enroll devices.
  o All zero GUID indicates that user was previously licensed but is no longer a member of the user licensing collection.
  o Non-zero GUID indicates that the user is licensed to enroll devices.

Note: There is no need to license users separately for each device. When a user is licensed, they are licensed for up to 20 devices.
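The script below is an added example, not Microsoft IT's tooling. It reads the CloudUserID value for every discovered user from the site database and classifies each user into the three states listed above (not licensed, license revoked, licensed), so an administrator can confirm that Cloud User Sync is licensing the right users. The server name CMSQL01, the database name CM_PS1 and the function name Get-CloudLicenseState are assumptions; the table and column names are taken from the case study and should be checked against your own site database, since discovery table columns vary between versions. Invoke-Sqlcmd from the SqlServer (or SQLPS) module is assumed to be available.

```powershell
# Added example, not part of the Microsoft IT case study.
# Classifies CloudUserID for each discovered user into the three states the
# case study describes.
$SqlServer = 'CMSQL01'     # placeholder: site database server
$Database  = 'CM_PS1'      # placeholder: site database (CM_<sitecode>)

function Get-CloudLicenseState {
    # Maps a CloudUserID value to the licensing state it indicates.
    param($CloudUserID)
    if ($null -eq $CloudUserID -or $CloudUserID -is [System.DBNull]) {
        return 'NotLicensed'        # NULL: never licensed for enrollment
    }
    if ([Guid]$CloudUserID -eq [Guid]::Empty) {
        return 'LicenseRevoked'     # all-zero GUID: removed from the licensing collection
    }
    return 'Licensed'               # any other GUID: licensed to enroll devices
}

# Table and column names as given in the case study; verify against your schema.
$query = @"
SELECT Unique_User_Name0 AS UserName, CloudUserID
FROM   User_DISC
"@
$rows = Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -Query $query

$states = foreach ($row in $rows) {
    [pscustomobject]@{
        UserName = $row.UserName
        State    = Get-CloudLicenseState $row.CloudUserID
    }
}

# Summary by state, then the users whose license was revoked. The revoked list
# should match the users recently removed from the licensing collection; anyone
# unexpected there is worth checking in Cloudusersync.log.
$states | Group-Object State | Select-Object Name, Count
$states | Where-Object State -eq 'LicenseRevoked' | Sort-Object UserName
```

Because Cloud User Sync runs every five minutes by default, a user added to the collection should move from NotLicensed to Licensed within one cycle; a user who stays NotLicensed after that is a Cloudusersync.log question, not an enrollment one.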

Device Enrollment

Along with configuring the UDM architecture, Microsoft IT had to plan the user experience as part of their deployment. They wanted to ensure that enrolling devices:

• Provided a good user experience where users could enroll their devices, gain access to the Company Portal, and install LOB applications with minimum user intervention.
• Enabled users to become productive quickly with the LOB apps by providing a seamless single sign-on installation. ADFS enables Microsoft users to use the same credentials (their corporate user ID, email account, and network password) regardless of device.

When a user enrolls a device, Microsoft IT collects general information about the device, such as manufacturer and any LOB apps installed from the Company Portal (not the Microsoft Store). Enrollment installs the Company Portal application on the device, enabling users to install applications by showing them only the applications that are targeted to their user account.

Company Portal

Microsoft has provided their users with the ability to install business applications in the past. The Company Portal is the next generation, a Windows 8x modern application platform, which allows users to install internal business applications by showing them which applications they have permissions to install based on their role, language, and location. This included an iOS Self-Service Portal (‘Company Portal’) for users who needed to install enterprise iOS applications on their iPad and iPhone devices.

Microsoft IT tried to create an end user experience that was as similar as possible between all supported device platforms, but each device platform had some minor differences when deploying the Company Portal.

Windows Phone 8. The Company Portal is installed as part of the enrollment process. Installing the Company Portal during enrollment requires the user to select the Install company app or hub check box. This check box is selected by default. If the user clears this check box, they would need to unenroll the device and then re-enroll if the Company Portal was needed in the future.

Windows RT. The Company Portal is installed as a required app after the enrollment is completed. Microsoft IT deployed the Company Portal to all users as Required.

Apple iOS. Users must install the Company Portal app from the iOS Self Service Portal, then enroll their iOS devices.

Modern Application Publishing

Two types of apps are published via the Company Portal:

• Sideloaded apps—modern LOB applications developed and published to the Company Portal where the content is hosted and provided by the Configuration Manager and Windows Intune hierarchy.
• Deep link apps—link to an application in the Microsoft Store (or Apple Marketplace for iOS apps) stored in Configuration Manager, that users access via the Company Portal. Microsoft IT used these for apps that are likely to update often (such as Skype or Microsoft OneNote). It enabled them to reduce administrative overhead, redirecting users to the Microsoft Store for the latest version instead of having to manage and publish updates to the Company Portal.


While modern apps are not as resource intensive to provision and deploy, there is still a cost associated with developing and maintaining them. Microsoft IT applied the following business rules when determining what applications would be published through the Company Portal. They started by determining the target number of users for the app. The threshold was set at 1,000 users. While they did publish a few applications with a user population of 500 users, if the application was used by less than 1 percent of the company (less than 1,000 users), the application would not be available through the Company Portal and the LOB app would instead have to be published via Microsoft SharePoint or some other LOB-created site.

As discussed earlier, each platform has different requirements for signing and publishing apps, but there are some common areas that helped streamline the process for Microsoft IT. Before their users started to enroll their devices, Microsoft IT:

• Worked with the app provisioning team to sign both the Company Portal app and apps created by the internal Microsoft developers before publishing the apps.
• Signed all Windows RT apps with a child certificate from the Microsoft Root CA. As all child certificates of the Microsoft Root CA cert are trusted, Windows RT apps that are published are automatically trusted by Windows RT devices.
• Worked with the PRSS team and formulated a process for signing apps for Windows Phone 8.
• Categorized all apps per Microsoft IT App team standards to reduce the need for users to scroll through hundreds of apps. Users can use Search, but categories made locating apps easier—especially on mobile phone devices.
• Targeted most applications to the built-in All Users and User Groups collection as Available. This made the apps available in the Company Portal as soon as the user enrolled a device.
• Used custom collections based on Active Directory Security Groups to limit the targeted users for a few applications with specific access requirements, limiting which users could install them.

Troubleshooting Enrollment

Microsoft IT experienced enrollment failures due to a non-standard User Principal Name (UPN) for some users. The enrollment process is based on a user’s UPN. For some Microsoft users, their UPN deviated from the standard naming convention and was different from their user alias. Microsoft IT created a DNS redirection to resolve this issue.

As there are no client logs for enrollment troubleshooting, Microsoft IT needed to take a systematic approach to troubleshooting. For troubleshooting general device enrollment issues, Microsoft IT recommends that you verify the following:

o The Admin has configured mobile device management.
o The Admin has enabled enrollment for specific device types.
o The Admin provisioned the user for mobile device enrollment.
o The user is not trying to enroll several devices at the same time or does not have more than 20 mobile devices enrolled in the system.
o For Windows Phone 8 devices, the code signing certificate is configured properly.
o For iOS devices, the Apple Push Notification Service certificate is configured or hasn’t expired, and the device is running iOS v5.0 or later.

For troubleshooting Company Portal related issues, a good place to start the troubleshooting process is:

o For Windows RT devices, use the portal log c:\users\<useraccount>\appdata\Local\Packages\Microsoft.Companyportal\Localstate\SSPLOG_<number>.log.
o For Windows Phone 8 devices, a log can be retrieved from the portal itself and sent via email.

Enrollment Lessons Learned

Microsoft IT learned from a few issues that occurred during the enrollment process.

Microsoft IT discovered that both enrollment and re-enrollment of a Windows RT device consumed a sideloading key. During unenrollment, the sideloading key and assigned device ID are removed. Re-enrollment is treated as a new device, and a new device ID with sideloading key is provisioned.

User-initiated un-enrollment did not remove the Company Portal, only disconnected the Windows RT device from Windows Intune. This is due to the fact that the Company Portal provides other functions, such as the ability to manage other devices. Microsoft IT needed to educate both their users and IT admins that this was by design.

User education requirements were another area of learning for Microsoft IT.

o Users were concerned as to what type of information Microsoft IT could see and collect about their personal devices. They needed to reassure users that the only information Microsoft IT collects is general information about the device itself (such as the manufacturer) and any LOB apps installed from the Company Portal—and that no personal information, such as phone number, personal apps, or apps installed from the Microsoft Store is collected.

o There were delays in refreshing Windows RT policies due to the Windows RT maintenance window being set for every 24 hours. Microsoft IT needed to educate users that some changes were impacted by the default maintenance window. Microsoft IT used user communications and the company support website, ITWeb, to inform users of expected delays.

o Differences in the enrollment process for the various mobile device platforms. For example, the Windows Phone 8 enrollment user experience and user interfaces are different from Windows RT, and iOS device enrollment presents additional screens for adding management profiles on the device that are not seen on Windows Phone 8 or Windows RT devices. These differences were generating support requests. To address this, Microsoft IT documented the enrollment process for each device and made it available through the company support website, ITWeb.

Policy and Security Configuration

Making sure that corporate security was maintained as well as providing a good end user experience required that Microsoft IT coordinate with:

• The Microsoft Security team to define the policies that would enforce Microsoft corporate compliance settings, such as password policy and encryption settings, on mobile devices.
• The Exchange team to align policy settings between Exchange ActiveSync (EAS) and UDM.

Microsoft IT leveraged the default Compliance Rules built into Configuration Manager for mobile devices. They created new Configuration Items (CIs) for mobile devices (different CIs for each device type to make troubleshooting easier), added built-in compliance rules with values (see Table 1) based on Microsoft IT security requirements, then created a Configuration Baseline for those CIs and targeted the Configuration Baseline to the collection of mobile devices.

Table 1. Microsoft IT compliance settings for mobile devices.

Corporate Policy                 Windows Phone 8   Windows RT        iOS
Device Encryption                TRUE              Not Supported     Not Supported
Password Required                TRUE              Not Supported     TRUE
Allow Simple Password            Not set           Not Supported     TRUE
Min Password Length              4                 5 (local only)    4
Max inactive time to lock        15 minutes        15 minutes        15 minutes
Max failed attempts before wipe  5                 Not set           5
Password Expiration              Not Set           70 days (local)   Not Set
Password History                 Not Set           Not Set           0
Min Complex Characters           1                 1 (local only)    0
Removable Storage                TRUE              Not Supported     Not Supported
Allow Convenience Logon          Not Supported     TRUE              Not Supported
Allow Browser                    Not Supported     Not Supported     TRUE
Allow Camera                     Not Supported     Not Supported     TRUE

Microsoft IT’s goal is to develop a common set of policies that would scale across devices while providing a good end user experience. The one policy that created the most issues was the minimum password length; Windows Phone 8 was four (4) while Windows RT was six (6). Microsoft IT is working with the Security teams and the Exchange teams to see if they can find a common ground between their requirements that provides good corporate security without impacting the end user experience.

Microsoft IT makes the following recommendations for configuring your mobile device policies.

• Align your policies, such as password/PIN policies, across EAS and UDM to ensure the best end user experience. Note: Although the most restrictive policy will apply, different user experiences have the potential to increase support calls.

• If the policy is not applicable to a particular device platform, it will report back which platforms do not support the policy. Common policies will simplify administration. For example, if you set the same password requirements across all mobile device platforms, you will not require multiple CIs and different device collections to support various password policies.

• Create custom device collections when policies cannot be aligned across platforms. Use the Agent Edition attribute in the Configuration Manager console, which shows enrolled devices by device type, to create custom device collections and then target policy baselines to each collection.

• In both your Configuration Items and your Configuration Baselines, enable Remediate noncompliant settings to enforce compliance settings on the device. If Remediate noncompliant settings is not enabled on both your Configuration Items and your Configuration Baselines, your reports will only reflect the current compliance state of enrolled devices but not enforce compliance rules/settings on those devices.

Device Retirement

Organizations need a means to enforce security if the user leaves the company or loses their device. Microsoft IT used the Configuration Manager SP1 wipe and retire options to enforce device security for retiring enrolled devices.

Microsoft IT used role-based access control (RBAC) in Configuration Manager to limit which administrators had access to wipe or retire a device by restricting their view in the console.

Note: If you have finished conducting a UDM pilot in your test hierarchy and want to move to a production hierarchy, it is important to retire all devices from the Configuration Manager console so that the enrollment from devices is cleaned up and ready for enrollment into your production hierarchy.

Reporting

Configuration Manager includes many ready-to-use, built-in reports for UDM, including reports for apps, hardware inventory, and settings management. There is no need to create custom reports or separate reports for PC and mobile device management. The same report can be used to report on both environments.

Microsoft IT used built-in Configuration Manager reports to report on their UDM environment. Two built-in reports that provided Microsoft IT with insight into application install status and policy compliance status for UDM were:

Security policy compliance report. Home > ConfigMgr_<sitecode> > Compliance and Settings Management > Summary compliance by configuration baseline

Application compliance report. Home > ConfigMgr_<sitecode> > Software Distribution - Application Monitoring > Application compliance

Microsoft IT also used the Configuration Manager console monitoring to easily view and drill down to the asset level on the status of app deployment and security policy compliance.

While custom reports were not needed due to the built-in reporting capabilities of Configuration Manager, Microsoft IT did create a custom UDM dashboard specifically for Microsoft executive management using Microsoft SQL Server 2012 Reporting Services. It provided executive management visibility into enrollment count trends using graphs and a similar look and feel of other Microsoft IT dashboards.

Results

By creating a solution that streamlined administration and deployment of devices and applications, Microsoft IT was able to increase the scope of their centrally managed devices by 10 percent without adding additional resources or administrative overhead. They expect this number to continue to increase at a rapid pace with the potential of centrally managing more than 125,000 mobile devices. The following table provides a summary of the Microsoft IT UDM deployment.


                      Windows Phone 8   Windows RT   iOS
Devices enrolled      10,998            1,732        248
LOB apps published    74                124          0
Deep linked apps      36                2            16

Benefits

The Microsoft IT UDM solution provides the following benefits:

Low-cost, scalable solution. Windows Intune integrates into the existing Configuration Manager environment without the need to add new infrastructure, hardware, or network complexity to the Microsoft IT environment. It provides enterprise-level scalability, extending the reach of Configuration Manager to support management of Windows RT, Windows Phone 8, and iOS devices.

Simplified administration. The Configuration Manager console unifies device management, providing Microsoft IT administrators with a single console for administration, application management, and reporting across multiple device types.

Empowered users. Provide a consistent end user experience across device platforms. Microsoft users can enroll their personal devices, install internal business applications, and manage their mobile devices through the Company Portal, allowing them to be more productive from almost anywhere on almost any device.

Maintained compliance. Apply policies across multiple device platforms to meet Microsoft compliance and security requirements while providing a good end user experience for Microsoft users. Security risks for lost, stolen, or retired devices are reduced by removing corporate data and applications from the device by Microsoft IT administrators through Configuration Manager or Microsoft users through the Company Portal.

Best Practices

When implementing UDM, Microsoft IT recommends the following best practices:

Plan your deployment. Proper planning before deployment will increase deployment efficiency.

Review your Configuration Manager hierarchy to determine how you will integrate UDM. Remember, UDM does not require a separate site in your Configuration Manager hierarchy.

Understand which platforms your organization will support. This will help you determine what types of certificates are required for app deployment.

Acquire and deploy certificates and sideloading keys before enabling user enrollment. Coordinate with other teams to streamline the app certification process.

Identify and license specific users by using user discovery in Configuration Manager and then add users to a custom collection that will synchronize these user accounts with Windows Intune.

Enable Active Directory Federation Services (AD FS) so that users can use the same user name and password to access corporate resources.

Work with your security team and your Exchange team to align passwords and policies across device platforms to ensure a good user experience without compromising corporate security.

Promote collaboration among all teams involved. A number of different teams in your organization may need to be involved—including Security, Compliance, application developers, services, and infrastructure providers. It is important to ensure that all stakeholders can provide input at an early stage and can work together to allow for a smooth deployment.


Develop a detailed communication and readiness plan. A well-developed support plan and documentation for user and helpdesk readiness can reduce support costs.

Train helpdesk technicians before deployment. Have training and support content ready on modern device support, especially any differences in user experience across device platforms.

Educate users. Provide users with documentation on the enrollment steps for each supported device platform to reduce support calls. Set expectations for any delays between enrollment and when Company Portal apps are available for installation. Ensure users understand what is being inventoried on their device to reduce their concerns. Create FAQs for common questions and document any known issues.

Plan your enrollment process. To ensure a good user experience and to reduce support costs, consider how you will deploy the Company Portal and LOB apps.

Use categories to organize applications on the Company Portal to make them easier to find.

Use security groups to limit what apps users can see based on their role in the company.

Determine which apps to publish on the Company Portal based on business needs. Determine how long apps will be maintained on the Company Portal before retiring them.

Evaluate which apps might change frequently and consider using a deep link instead of deploying the full app.

Use the Windows Phone emulator in the Windows Phone SDK to test the Windows Phone enrollment experience.

Resources

How to Manage Mobile Devices by Using Configuration Manager and Windows Intune
System Center 2012 Configuration Manager Documentation Library
System Center 2012 Technical Documentation Library
Empower People-Centric IT
Directory Synchronization Roadmap
Microsoft SQL Server 2012 Reporting Services Features and Tasks (SSRS)
How Microsoft IT Deployed System Center 2012 Configuration Manager

Related videos

Microsoft System Center 2012 SP1 - Configuration Manager Overview

For More Information

For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Order Centre at (800) 933-4750. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information via the World Wide Web, go to:

http://www.microsoft.com
http://www.microsoft.com/microsoft-IT


© 2013 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Office 365, OneNote, SharePoint, Skype, SQL Server, Surface, Windows, and Windows Intune are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.