Mobile Device Management Design Considerations Guide
Mobile Device Management
Design Considerations Guide
Published August, 2015
Version 2.0
Copyright
This guide is provided “as-is”. Information and views expressed in this guide, including URL and other Internet Web site references, may change without notice. Some examples
depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.
This guide does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this guide for your internal, reference
purposes.
© 2015 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Microsoft Intune, Microsoft System Center 2012 R2 Configuration Manager, Mobile Device Management for Office 365, Office 365, Windows, and
Windows Server are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.
Contents

Introduction
Design considerations overview
Step 1 - Identify your mobile device management requirements
  Task 1: Identify your business needs
  Task 2: Specify your mobile device management location requirements
  Task 3: Develop your mobile device management adoption strategy
Step 2 - Plan for mobile device management tasks
  Task 1: Understanding the mobile device management lifecycle
  Task 2: Gather monitoring requirements
  Task 3: Determine network resource requirements
  Task 4: Define your mobile device management lifecycle strategy
Step 3 - Plan for enhancing mobile devices protection
  Task 1: Gather your data protection requirements
  Task 2: Specify your privacy requirements
  Task 3: Specify your access requirements
  Task 4: Develop your incident response requirements
  Task 5: Plan your mobile device security strategy
Step 4 - Plan for Software as a Service (SaaS) mobile device management
  Task 1: Identify your SaaS requirements
  Task 2: Identify your SaaS solution / on-premises infrastructure integration needs
  Task 3: Develop your SaaS mobile device management adoption strategy
Next steps and resources
  Mobile device management solutions
  Mobile device management documentation
  Mobile device management resources
Mobile Device Management Design Considerations 1
Introduction

With all of the different design and configuration options for mobile device management (MDM), it's sometimes difficult to determine which combination will best meet the needs of your organization. This design considerations guide will help you to understand mobile device management design requirements and will detail a series of steps and tasks that you can follow to design a solution that best fits the business and technology needs for your organization.
Throughout the steps and tasks, this guide will present the relevant technologies and feature
options available to organizations to meet functional and service quality (such as availability,
scalability, performance, manageability, and security) level requirements.
Specifically, the goals of this guide are to help you answer the following questions:
What questions do I need to answer to drive a MDM-specific design for a technology or
problem domain that best meets my requirements?
What is the sequence of activities I should complete to design a MDM solution for the
technology or problem domain?
What MDM technology and configuration options are available to help me meet my
requirements, and what are the trade-offs between those options so that I can select the
best option for my MDM requirements?
Who is this guide intended for? Information technology architects and professionals
responsible for designing a mobile device management solution for medium or large
organizations.
How can this guide help you? You can use this guide to understand how to design a mobile
device management solution that is able to manage company-owned devices as well as user-
owned devices in different form factors.
Figure 1 - Example of a hybrid Intune and System Center 2012 R2 Configuration Manager
MDM solution
Figure 1 is an example of a hybrid solution that leverages cloud services to integrate with on-premises capabilities in order to manage all types of devices, regardless of their location. Although this is a very common scenario, every organization's MDM design might differ from the example because of each organization's unique management requirements.
This guide details a series of steps and tasks that you should follow to assist you in designing a
customized MDM solution that meets your organization’s unique requirements. Throughout the
following steps and tasks, this guide covers the relevant technologies and feature options
available to you to meet the functional and service quality level requirements for MDM.
Though this guide can help you design a MDM solution, it does not discuss specific
implementation or operations options for the management solutions. You can find detailed
deployment and configuration steps for Microsoft Intune, Mobile Device Management for Office
365, and Microsoft System Center in the TechNet Library using the links available in the Next
Steps section located at the end of this guide.
Assumptions: You have some experience with Intune, System Center 2012 R2 Configuration
Manager (ConfigMgr), Windows Server 2012 R2, and mobile devices running Android, iOS, and
Windows Phone. You may have even deployed one of these solutions in an initial MDM test or
limited production environment. In this guide, we assume you are looking for how these
solutions can best meet your business needs on their own or in an integrated solution.
Design considerations overview

This guide covers a set of steps and tasks that you can follow to design a solution that best meets your requirements. The steps are presented in an ordered sequence. However, design considerations you learn in later steps may prompt you to change decisions you made in earlier steps as your design matures or due to conflicting design choices. We'll alert you to potential design conflicts throughout this guide.
You will develop a mobile device management design that best meets your requirements only
after iterating through the following steps as many times as necessary to incorporate all of the
considerations within this guide:
Step 1 – Identify your device management requirements
Step 2 - Plan for mobile device management
Step 3 - Plan for secure mobile devices
Step 4 - Plan for SaaS mobile device management
Step 1 - Identify your mobile device management requirements

The first step in designing a mobile device management solution is to determine the management platform requirements that will be used to support your mobile devices. Overall mobile device adoption for your company will dictate the platform requirements. If you decide to adopt a single management solution to manage all your mobile devices, you may disregard the multi-platform requirements for your solution. You'll need to go over your company's business strategy to fully understand your current and future business requirements. If you don't have a long-term strategy for mobile device adoption, chances are that your solution won't be scalable as your business needs grow and change.
Task 1: Identify your business needs

Each company has different requirements. Even companies in the same industry may have different real business requirements. You can still leverage best practices from the industry, but ultimately it's the company's business needs that will identify the requirements for the mobile device management solution.
To help identify your business needs, answer the following questions:
Device ownership: You must understand the device ownership policy for your company.
o Who owns the mobile device?
The employee?
The company?
Both?
Platforms: Understanding which mobile device operating systems will be used by the
company is very important for adoption and supportability decisions.
o Which mobile device operating systems will be supported?
Android?
iOS?
Windows?
Windows Phone?
All of them?
A mix of the above options?
o Which mobile OS version will be supported?
Only the latest?
Current -1 (current version plus the previous version)?
Applications: Since the main reason to embrace mobility is to increase productivity, the applications (apps) used by employees must be able to run on all the mobile device operating systems used in your organization. This is an important point to consider, because while some companies might have their most important apps fully portable to run in a mobile environment, others might need to understand what options are available that can help them to deploy their apps to mobile devices. To assist you in identifying individual app requirements, ask yourself the following questions.
o Do the apps require Internet access from users’ devices?
o Do the apps collect any user personal information?
If so, do the apps inform users about privacy issues and data collection
while being installed?
o Do the apps require integration with cloud services?
o Were the apps developed to run on a specific operating system, or are they
capable of running on any operating system?
o Do you plan to enable users to use apps via remote desktop from their own
devices?
o Do the apps require full-time access to corporate resources, or can they run in
offline mode?
o Do the apps have any integration with social networks?
o Will all apps be available to BYOD users?
o How do you plan to deploy these apps to users’ devices?
o What are the deployment options for these apps?
o Does the installation requirement vary according to the target device, or is it the
same?
o How much space in a target device is necessary in order to install each app?
o Do the apps encrypt the data before transmitting it through the network from the
users’ devices to the app server on the back end?
o Can the apps be remotely uninstalled via the network, or do they need to be
uninstalled via the devices’ consoles?
o Do the apps work in a low-latency network?
o Do the apps provide authentication capabilities?
If so, which authentication method do the apps use?
Users: One of the main points in embracing mobility is to put the user at the center of the mobility solution and enable the user to be more productive, while keeping company data secure and available. It is important to understand what the users' requirements are.
o Will the user be able to bring their own device and access company’s resources?
If yes, what are the requirements to access company’s resources?
o Does your company have different user needs?
If yes, how will each user profile impact the mobility strategy?
o Will users be able to access all apps that they have access to in the on-premises
environment via their mobile device?
If not, which apps will be available for the users?
Are those apps available for all supported mobile device
platforms?
Will it be necessary to modify or update any apps in order to run them on all supported mobile device platforms?
o Do your users only need basic access to email (including calendar, contacts, and
tasks) features?
During this task, you should also evaluate if the company has existing management and
compliance policies in place for mobile devices and how these policies might affect the mobile
device management solution selection.
Note
Make sure to take notes of each answer and understand the rationale behind the answer.
Task 3 will go over the available options and advantages/disadvantages of each option. By
having answered these questions, you’ll be able to select which solution best suits your
business needs.
Task 2: Specify your mobile device management location requirements
Location requirements are one of the many factors that you should take in consideration when
designing your mobile device management strategy. Location is important from the mobile
device management solution perspective as well as from the device itself. Answer the following
questions:
Track users: For some kinds of mobile device control, you might need to implement
policies that can restrict access to company resources based on a user’s location.
o Does the company need to implement mechanisms to cover geo-fencing, or the
ability to enforce policies based on the geographic location of the device?
o Does the company need to keep track of where the user was geographically
located when they accessed a company resource?
Administration model: Depending on the mobile device management solution that you
deploy, administration can be distributed in different sites (locations) or centralized in a
single location. A central administration site is suitable for large-scale deployments and
provides a central point of administration and the flexibility to support devices that are
distributed across a global network infrastructure. A primary site is suitable for smaller
deployments, though it has fewer options to accommodate future growth. Determine if
MDM control should be centralized or distributed.
o Does your company need a centralized administration model?
Does the device management solution need to be located on-premises?
If not, can it be located in the cloud?
If not, can it be hybrid?
o Does your company need a decentralized model where different locations should
have autonomy over the device management administration?
Note
Make sure to take notes of each answer and understand the rationale behind the answer.
Task 3 will go over the available options and advantages/disadvantages of each option.
By having answered these questions, you’ll be able to select which solution best suits
your business needs.
Task 3: Develop your mobile device management adoption strategy
In this task, you’ll develop the mobile device management adoption strategy that will meet the
business requirements that you identified in Tasks 1 and 2.
Task 3a: Device ownership

After reviewing your organization's current policy and strategy to manage devices, you should have a list of scenarios that your organization plans to implement. Table 1 will help you understand the advantages and disadvantages of each scenario:
Table 1 - Device ownership scenarios

Scenario: Employee owns the device (BYOD)
  Advantages:
    - Your company does not need to buy mobile devices for the employees
    - Usually allows employees to be more productive since they will be using the mobile device of their choice
    - Support costs may decrease since the organization will have limited support over the mobile devices
  Disadvantages:
    - Increases the amount of security considerations to protect company data located on personal devices
    - Increases likelihood of data leakage, especially when appropriate security controls aren't in place
    - Limited management capability due to privacy restrictions

Scenario: Company-owned device
  Advantages:
    - Full management capability, including device hardening and security controls
    - More control over mobile devices
    - Capability of defining which mobile devices will be used by employees
  Disadvantages:
    - Potential increases in support costs, since the organization will maintain the mobile devices
    - Less flexibility for end users, which may affect their productivity
    - Cost increases, since the organization will have to buy mobile devices
Your organization might need to implement a mixture of elements from these scenarios. In that
case, the device management platform must be able to manage multiple platforms while
integrating with current on-premises infrastructure.
Task 3b: Supported mobile device platforms

The decision you made regarding device ownership will help you identify which mobile device platforms you'll support. The mobile device management solution that you choose will have to accommodate this decision. In a single mobile device platform scenario, the platform choice will not be as relevant as in the multi-platform scenario. Use Table 2 to help you choose the mobile device management solution for a multi-platform scenario:
Table 2 - MDM options for a multi-platform scenario

MDM option: Intune (standalone)
  Advantages:
    - Always-on cloud service that supports the latest MDM features and updates
    - Supports provisioning all major mobile device operating systems (Android, iOS, Windows 8, Windows 10, and Windows Phone)
    - Allows you to manage any mobile device from any location
    - More advanced management options for mobile devices
    - Mobile application management capability
  Disadvantages:
    - Lack of integration with a current on-premises device management solution will introduce an additional management interface for you to use
    - Policies created using the on-premises MDM solution are not replicated to the cloud service

MDM option: MDM for Office 365
  Advantages:
    - Integrated with Office 365
    - If you're already using Office 365, the MDM capabilities are easily leveraged to manage mobile devices
    - If you're already using Office 365, you won't need to use another console to manage mobile devices
  Disadvantages:
    - Limited set of capabilities (see the note that follows this table) to manage mobile devices
    - Lack of integration with a current on-premises device management solution will introduce an additional management interface for you to use

MDM option: Hybrid (Intune with ConfigMgr)
  Advantages:
    - Native integration between Intune and ConfigMgr
    - Allows you to use a centralized console to deploy policies and manage on-premises PCs, servers, and mobile devices
  Disadvantages:
    - Requires additional configuration steps to connect Intune and ConfigMgr
    - If the organization does not have a current ConfigMgr infrastructure on-premises, it will need to plan, install, and configure this platform prior to the integration
If you only need to manage access to work email, calendar, contacts, and tasks from mobile
devices, learn about the Exchange ActiveSync device management capabilities available in Office
365.
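For the email-only case just mentioned, the Exchange ActiveSync controls live in Exchange Online PowerShell. The following is an added example, not part of the original guide, that builds a baseline mobile device mailbox policy, applies it, quarantines unknown devices, and then checks what each device actually reports back. The policy name, mailbox address and admin alias are placeholders, and the script assumes an Exchange Online PowerShell session is already open (in 2015 this was a remote session to outlook.office365.com; current tenants use Connect-ExchangeOnline from the ExchangeOnlineManagement module).

```powershell
# Added example, not from the guide. Assumes an Exchange Online PowerShell
# session is already open. 'Corp-EAS-Baseline', the mailbox and the admin
# alias are placeholders.

# 1. Baseline policy for devices that only sync mail, calendar, contacts and
#    tasks. AllowNonProvisionableDevices $false is the important one: EAS
#    policy is enforced by the client, so a client that cannot accept
#    provisioning must be refused rather than let in with no policy at all.
$policyName = 'Corp-EAS-Baseline'
New-MobileDeviceMailboxPolicy -Name $policyName `
    -PasswordEnabled $true `
    -AlphanumericPasswordRequired $true `
    -AllowSimplePassword $false `
    -MinPasswordLength 8 `
    -MaxPasswordFailedAttempts 10 `
    -MaxInactivityTimeLock '00:05:00' `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# 2. Make it the default so new mailboxes inherit it, and pin it explicitly
#    to an existing mailbox.
Set-MobileDeviceMailboxPolicy -Identity $policyName -IsDefault $true
Set-CASMailbox -Identity 'alice@contoso.com' -ActiveSyncMailboxPolicy $policyName

# 3. Devices the organization has never seen are quarantined instead of
#    allowed; an admin is notified and approves or blocks by device ID.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'mdm-admins@contoso.com'

# 4. The check: a policy being assigned to the mailbox is not the same as the
#    device having applied it. Look at what the device last reported.
Get-MobileDeviceStatistics -Mailbox 'alice@contoso.com' |
    Select-Object DeviceModel, DeviceOS, DeviceAccessState,
                  DevicePolicyApplied, DevicePolicyApplicationStatus,
                  LastPolicyUpdateTime |
    Format-Table -AutoSize

# 5. Anything other than AppliedInFull is blocked for this mailbox until the
#    device complies (PartiallyApplied is common on clients that ignore the
#    encryption requirement).
Get-MobileDeviceStatistics -Mailbox 'alice@contoso.com' |
    Where-Object { $_.DevicePolicyApplicationStatus -ne 'AppliedInFull' } |
    ForEach-Object {
        Set-CASMailbox -Identity 'alice@contoso.com' `
            -ActiveSyncBlockedDeviceIDs @{ Add = $_.DeviceID }
    }
```

Two caveats a practitioner should keep in mind when relying on this path: the policy is only as strong as the mail client's willingness to honor it, which is why the non-provisionable block and the per-device status check matter more than the password settings themselves; and EAS policy controls the mail profile only, so it offers none of the app-level restrictions (copy and paste, backup, data transfer between apps) that Table 3 attributes to Intune.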
Task 3c: Application requirements

Based on the requirements that were defined in Task 1, you can choose which mobile device management solution best fits your organization. Use Table 3 to compare the MDM options, and the advantages and disadvantages of each option.
Table 3 - MDM options compared on application requirements

MDM option: Intune (standalone)
  Advantages:
    - Allows you to manage mobile apps through their lifecycle, including app deployment from installation files and app stores, detailed monitoring of app status, and app removal. Read Deploy software to mobile devices in Microsoft Intune for more information.
    - Allows you to specify a list of compliant apps that users are allowed to install and noncompliant apps, which must not be installed by users. Read Manage devices using configuration policies with Microsoft Intune for more information.
    - Allows you to set restrictions for apps by using a mobile application management policy. This helps you to increase the security of your company data by restricting operations such as copy and paste, external data backup, and the transfer of data between apps. Read Control apps using mobile application management policies with Microsoft Intune for more information.
  Disadvantages:
    - Lacks integration with on-premises device management solutions, which introduces an additional management interface for you to use when managing mobile devices if you have an on-premises solution. Policies created using an on-premises MDM platform aren't replicated to the cloud service, requiring two sets of management and compliance policies (if you have an on-premises MDM solution).

MDM option: MDM for Office 365
  Advantages:
    - Provides MDM capabilities across OS platforms such as password requirements
  Disadvantages:
    - Limited set of capabilities to control apps
    - Lacks integration with on-premises device management solutions, which introduces an additional management interface for you to use when managing mobile devices if you have an on-premises solution.
    - No ability to deploy apps and apply mobile application management capabilities
    - No advanced MDM capabilities

MDM option: Hybrid (Intune with ConfigMgr)
  Advantages:
    - Inherits app control settings from Intune standalone
    - Provides an integrated management experience (between Intune and ConfigMgr)
    - Leverages Configuration Manager App management capabilities. Read Application Management in Configuration Manager for more information.
    - Allows you to use a single console to deploy policies and manage application policies for on-premises PCs, servers, and mobile devices
  Disadvantages:
    - Requires additional steps to set up the integration
    - If your organization does not have a current on-premises ConfigMgr infrastructure, you must plan, install, and configure the ConfigMgr platform first
Task 3d: Track requirements

Understanding user behavior and being able to identify their location are important factors to include in your mobile device management strategy. How devices will be tracked will vary according to your business requirements and needs. Different tracking capabilities are available in each mobile operating system, so the mobile device platforms you choose to support will impact your options. For example, compliance requirements may influence you to prioritize adopting mobile device platforms that allow you to track users' location and use geofencing.
Note
Geofencing allows you to monitor a mobile device's geographic location and enable/disable device and network resources based on that location. For example, Windows 8.1 allows an app to define a geographical region and have the system alert the app when the device it's running on enters or exits that area. For more information about this feature in Windows 8.1, read Geofencing, start to finish (XAML).
The MDM authority must also be geolocation-aware and communicate with the mobile device
to obtain information that allows enforcing geofencing restrictions. Table 4 compares the
advantages and disadvantages of MDM options.
Table 4 - MDM options compared on location tracking

MDM option: Intune (standalone)
  Advantages:
    - Allows you to enable or disable whether applications can use location information on mobile devices. Read Use policies to manage computers and mobile devices with Microsoft Intune for more information.
  Disadvantages:
    - Does not provide full geolocation setting capabilities for apps that use this feature
    - Lacks integration with on-premises device management solutions, which introduces an additional management interface for you to use when managing mobile devices if you have an on-premises solution.

MDM option: MDM for Office 365
  Advantages:
    - Not available
  Disadvantages:
    - Not available

MDM option: Hybrid (Intune with ConfigMgr)
  Advantages:
    - Allows you to enable or disable whether applications can use location information on mobile devices. Read the article Compliance Settings for Mobile Devices in Configuration Manager for more information.
  Disadvantages:
    - Does not provide full geolocation setting capabilities for apps that use this feature
    - If your organization doesn't have a current on-premises ConfigMgr infrastructure, you must plan, install, and configure the ConfigMgr platform first
Task 3e: Administration model

The administration model that you choose will vary according to your business requirements. If the mobile device management solution needs to be located on-premises, you must evaluate what capabilities are available in your current infrastructure to accommodate management of devices that can be located in the cloud or on-premises. After evaluating this, you might decide that you should keep the core management on-premises and integrate with a cloud mobile device management solution, which leads you to choose the hybrid scenario. Review Table 2 to see the advantages and disadvantages of using a standalone, cloud, or hybrid MDM solution.
Note
Be aware that Intune standalone has limited capabilities for delegated administration. ConfigMgr in a hybrid scenario provides greater control and finer-grained delegation.
One strategic aspect of how an organization will manage their mobile devices is to understand
the current management platform capabilities and the administration model in place. For
example, organizations that have a headquarters and multiple branch offices might be using a
distributed administration model where each branch office has control over the management
platform for that location.
Most of the time, an administration model is already in place when a company decides to
embrace mobility by deploying a mobile device management solution. However, you must
ensure that the current infrastructure will be able to handle the requirements introduced by the
adoption of a mobile device management solution.
Figure 2 is an example of an organization with a central administration site, with multiple
primary sites and multiple secondary sites:
Figure 2: Example of a central administration site hierarchy
The administration model shown here describes an on-premises infrastructure. In this case, the
company already has a device management solution in place for managing their on-premises
devices.
With an administration model like the one shown in Figure 2, you have the following
advantages:
You can schedule and throttle network traffic when you distribute deployment content to
distribution points.
Discovery data records (DDRs) for unknown resources transfer by using file-based replication
from a primary site to the central administration site for processing.
Role-based administration provides a central security model for the hierarchy, and you do
not have to install sites to provide a security boundary. Instead, you use security scopes,
security roles, and collections to define what administrators can see and manage in the
hierarchy.
Note
For more information on how to plan for ConfigMgr Sites and Hierarchy, read Planning
for Configuration Manager Sites and Hierarchy.
You can deploy ConfigMgr using a single stand-alone primary site, or as multiple sites in a
hierarchy. When you plan your initial deployment, consider a design that can scale for future
growth in your organization. Planning for expansion is important because the changes from
previous versions of the product mean that ConfigMgr can now support more clients with fewer
sites.
High availability factors should also be considered when designing your management hierarchy.
At each site that will have ConfigMgr installed, you deploy site system roles to provide the
services that you want clients to use at that site. The site database contains the configuration
information for the site and for all clients. This allows you to provide high availability of the site
database, and the recovery of the site and site database if needed.
Note
For more information on how to plan for ConfigMgr high availability, read the article
Planning for High Availability with Configuration Manager
Another important point to consider regarding the administration model is how you will delegate administration to your resources. Ideally the management platform will be able to use role-based access control (RBAC). While this is one method of restricting and managing what users, operators, and administrators can manage, it is not the only method and it might not be required for your business. Step 3 of this document will cover RBAC in more detail and how to identify if you need this capability.
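The security scopes, security roles and collections described above are what make delegation in a ConfigMgr hierarchy work without standing up extra sites as security boundaries. The following is an added example, not part of the original guide, that delegates remote-tools access over one branch's mobile devices to a helpdesk group, using the ConfigMgr PowerShell cmdlets. The site code PS1, the server name, the domain group, and the scope and collection names are placeholders; it assumes the ConfigMgr console (which ships the module) is installed and the account running it is a Full Administrator.

```powershell
# Added example, not from the guide. Assumes the ConfigMgr console is
# installed locally. Site code, server, group and object names are placeholders.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
$siteCode = 'PS1'
if (-not (Get-PSDrive -Name $siteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $siteCode -PSProvider CMSite -Root 'CM01.corp.contoso.com' | Out-Null
}
Set-Location "$($siteCode):"

# 1. A security scope bounds WHICH OBJECTS a delegated admin can see; a
#    collection bounds WHICH DEVICES they can act on. Both are needed.
New-CMSecurityScope -Name 'London Branch' `
    -Description 'Objects managed by the London branch office' | Out-Null

$coll = New-CMDeviceCollection -Name 'London Mobile Devices' `
    -LimitingCollectionName 'All Mobile Devices'
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $coll.Name `
    -RuleName 'London device names' `
    -QueryExpression "select SMS_R_System.ResourceID from SMS_R_System where SMS_R_System.Name like 'LON-%'"

# New objects land in the built-in Default scope. The collection itself must
# carry the branch scope or the delegated admin will not even see it.
Add-CMObjectSecurityScope -InputObject $coll -Name 'London Branch'

# 2. Bind the group to a built-in low-privilege role, limited to the scope
#    and the collection. Members get remote tools on London devices, nothing
#    else, and no rights over the rest of the hierarchy.
New-CMAdministrativeUser -Name 'CORP\London-Helpdesk' `
    -RoleName 'Remote Tools Operator' `
    -SecurityScopeName 'London Branch' `
    -CollectionName 'London Mobile Devices' | Out-Null

# 3. Checks. First, the binding carries only what was intended.
Get-CMAdministrativeUser -Name 'CORP\London-Helpdesk' |
    Select-Object LogonName, RoleNames, CategoryNames, CollectionNames |
    Format-List

# Second, nobody has quietly been granted Full Administrator over 'All' scope;
# this list should be short and every entry should be expected.
Get-CMAdministrativeUser |
    Where-Object { $_.RoleNames -contains 'Full Administrator' } |
    Select-Object LogonName, CategoryNames
```

The point of the two checks is that delegation in ConfigMgr is additive across role, scope and collection assignments: a group that is also a member of a broader administrative user entry inherits that broader access regardless of how tightly the new entry is scoped, so the review has to look at every binding for the principal, not just the one being created.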
Step 2 - Plan for mobile device management tasks

Managing mobile devices, both company-owned and user-owned, includes several important lifecycle management decisions. After you've determined the mobile device platforms, applications, and user requirements for your organization, you'll also need to identify how to manage each of these areas in a way that aligns your overall MDM strategy with other management and support policies.
In this step, we’ll examine MDM enrollment, management, monitoring, and reporting lifecycle
requirements.
Task 1: Understanding the mobile device management lifecycle

Understanding the different areas of managing mobile devices is important when designing your mobile device management solution. Figure 3 outlines the overall mobile device management lifecycle stages. Each stage has unique requirements and questions for you to consider when planning your solution.
We’ll start with the enrollment stage in this section, and the other stages will be covered in more
detail throughout this guide.
Figure 3 – Mobile device management lifecycle stages
Device enrollment and configuration

Mobile device management starts with the initial enrollment and configuration of devices into your mobile device management solution. Simplicity, ease of registration, and enrollment are the key factors for success in the mobile device management lifecycle. If initial device enrollment is difficult or overly confusing, both you and your users may be reluctant to go ahead with a mobile device management solution, which means you can't leverage the features, benefits, and protections that the mobile device management solution can deliver.
Mobile device enrollment in mobile device management solutions is typically initiated in two ways:
Administrator-managed enrollment
User/owner self-enrollment
Administrator-managed enrollment offers a centrally managed enrollment experience, and
typically is centered on bulk enrollment of multiple devices using a single directory account. This
is useful if you need to enroll many company-owned devices into your mobile device
management solution.
With self-enrollment, the device user/owner enrolls their own device in the mobile device
management solution. This is typically used in “bring your own device” (BYOD) scenarios,
although it can also be used when the company owns the device. This type of enrollment
typically uses a “push-based” model: the device is prompted to enroll in the mobile device
management solution when the user first tries to connect to the corporate network or a
network resource from it. Users can sometimes also elect to enroll their devices before
connecting to an organization's network or resources.
Enrolling and configuring mobile devices includes the following:
Deploying, accessing, and managing internal and external applications and services
Enforcing device security and access configurations
Protecting devices from security threats
In most cases, when a mobile device is enrolled in a mobile device management solution, the
device is automatically assigned policies and permissions that you have associated with the
device user’s directory account and/or the group the device itself is associated with in directory
services. Depending on the mobile device management solution, most of the configuring and
provisioning of device policies and permissions is done before device enrollment. Then policy
and compliance settings take effect as soon as the devices enroll, avoiding gaps between
enrollment and compliance.
Device enrollment and configuration planning questions
To plan for MDM lifecycle management, answer the following planning questions about device
enrollment and configuration:
Will mobile devices be enrolled by you, by users, or both?
Do you need the ability to bulk-enroll mobile devices?
What is the maximum number of devices you’ll need to bulk-enroll?
Do the mobile operating system platforms in your organization require different bulk
enrollment requirements and resources?
How many devices will each user typically use and need to enroll?
Does the mobile device management solution have a per-user device enrollment limit?
What are the requirements (connectivity, application, management agent, company
portal, support) for users to self-enroll devices?
Is this different from the requirements for administrator-managed enrollment?
What are the enrollment requirements for each device operating system you need to
support?
Do the mobile device operating systems in your organization require special or unique
enrollment requirements?
Does the mobile device management solution support both connected and over-the-air
enrollments?
What are the hardware requirements (if any) for supporting device enrollments?
What are the network connectivity and network security requirements for supporting
device enrollments?
Do you need specific device compliance policies applied to devices upon initial
enrollment?
Do you need specific device security policies applied to devices upon initial enrollment?
Do you need the ability to configure or set a maximum or minimum time limit for
provisioning device policies after initial enrollment?
Do you require special provisioning policies to be automatically triggered in the event of
enrollment failures?
Device management
How mobile devices are managed, both from your perspective and the device user's perspective,
is a key component of a mobile device management solution.
For example, you may want to integrate the way mobile devices are managed with how non-
mobile devices (servers, desktops, other networked devices) are managed. Depending on the
organization, non-mobile device management solutions may have been in place long before
mobile devices were introduced to the organization. This may have been at considerable cost
and may include long-term investments in these management solutions.
Thoroughly understanding how your organization can integrate mobile device management
solutions with existing non-mobile device management solutions is likely one of the most
important activities to complete when designing a mobile device management solution that
meets the needs of your organization.
Mobile device management typically involves several administrative areas:
Device security and configuration: Mobile device security includes a wide range of
settings that you can deploy to managed devices in your organization. Settings can
include specifying the timing, expiration, and required characteristics for device passcode
access, device encryption, and erasing data from lost or stolen devices. More details
about security and configuration are in the Plan for secure mobile devices section.
Application management: This area includes managing application deployment,
installation, updating and managing status, and application removal. You can also
manage restrictions on certain non-compliant applications, which can be central to an
overall compliance and security strategy.
Company resource access: MDM can also help manage access to on-premises network
resources, such as email servers, Wi-Fi networks, and VPN-enabled resources. This serves
a dual purpose of helping to ensure security compliance and making it easier for mobile
device users to access company resources according to company policy. If accessing
organization resources is overly complex or difficult for mobile device users, they may
opt to store company data in non-approved services because it's easier.
Inventory and reporting: When you manage mobile devices, you'll want to record and
analyze mobile device and platform events to track compliance with the management
policies in your organization. Detailed reporting can also provide you with real-time
statistics and data so that you can make faster, better decisions based on the status of
mobile devices and mobile device users. More details about inventory and reporting are
included in a later section.
Device management planning questions
For now, focus only on the key administration aspects, as you are still defining the
requirements. You can refine these requirements as you iterate on your plan and better
understand the overall needs of your organization.
Answer the following planning questions about device management:
Do you need specific management policies applied to groups of users, groups of devices,
and/or groups of device operating systems?
Do you need specific management policies for different types of devices? For example,
separate policies for user-owned or company-owned devices, or mobile devices and
non-mobile devices?
Do you need to separate device management rights and permissions among several IT
roles or positions? If so:
o What separation of permission levels is required?
o Do the permission levels supported by the solution need to be customizable?
o Do the permissions need to be integrated into your existing account directory
services?
Do you need the ability to both manually and automatically deploy the mobile device
management solution agents or software?
Do you want to integrate managing mobile devices with an existing non-mobile device
management solution? If so:
o Do you want to manage all devices from a unified management console or
portal?
o What are the integration requirements for your existing non-mobile device
management solution?
o How does your existing non-mobile device management solution support
required management roles and permissions?
o Are there hardware or networking requirements to connect management services
between the mobile device management and the non-mobile device
management solutions?
o Do both solutions have separate or integrated inventory and reporting systems?
Does the mobile device management solution have a company portal for users to install
their apps?
Does the mobile device management solution meet your company’s scalability
requirements?
Does the mobile device management solution support remote administration?
Does the mobile device management solution support automation?
Device retirement/unenrollment
When users leave your organization or mobile devices are retired or replaced, you need to make
sure that corporate data isn't lost or compromised. Typically, mobile device management
solutions support both IT-managed and user-managed device resets and unenrollment. With
most mobile devices, unenrollment starts with resetting the device to factory defaults or
performing a selective wipe of all corporate data and applications. Then the device enrollment
connection to the management solution is removed. However, the process varies between
mobile device manufacturers and device operating system platforms.
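As an added example that is not part of the original guide, the following Windows PowerShell script shows one way to handle the email side of retirement and to verify it: it issues an account-only (selective) wipe for every Exchange ActiveSync partnership on a mailbox, reads back the wipe request/sent/acknowledged timestamps that Exchange records, and removes the partnership only once each device has acknowledged the wipe. It assumes an established remote PowerShell session to Exchange Online or Exchange Server 2013 SP1 or later (where Clear-MobileDevice -AccountOnly is available); the mailbox address is a placeholder.

```powershell
# Added example (not from the guide): retire a user's mobile devices by issuing an
# account-only (selective) wipe of Exchange data, confirming that each device
# acknowledged it, and only then removing the device partnership.
# Assumes an existing Exchange Online / Exchange 2013 SP1+ remote PowerShell session.
# The mailbox address below is a placeholder.

function Invoke-MailboxDeviceRetirement {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        [switch] $FullWipe            # default is an account-only (selective) wipe
    )

    $devices = Get-MobileDevice -Mailbox $Mailbox
    foreach ($device in $devices) {
        if ($FullWipe) {
            # Factory reset: appropriate for company-owned devices only.
            Clear-MobileDevice -Identity $device.Identity -Confirm:$false
        } else {
            # Removes only the Exchange account data; personal data stays (BYOD).
            Clear-MobileDevice -Identity $device.Identity -AccountOnly -Confirm:$false
        }
    }
    return $devices
}

function Test-DeviceWipeAcknowledged {
    # One object per device with the wipe lifecycle timestamps Exchange records.
    # A wipe is verified only when the device has acknowledged it (DeviceWipeAckTime
    # set); "sent but not acknowledged" means the device has not connected since.
    param([Parameter(Mandatory)] [string] $Mailbox)

    Get-MobileDeviceStatistics -Mailbox $Mailbox | ForEach-Object {
        [pscustomobject]@{
            DeviceId         = $_.DeviceId
            DeviceType       = $_.DeviceType
            LastSuccessSync  = $_.LastSuccessSync
            WipeRequested    = $_.DeviceWipeRequestTime
            WipeSent         = $_.DeviceWipeSentTime
            WipeAcknowledged = $_.DeviceWipeAckTime
            Verified         = [bool] $_.DeviceWipeAckTime
        }
    }
}

# Usage: request the selective wipe, then re-run the check until every device
# reports Verified before removing the partnership (the device must still be
# able to connect to receive the wipe command).
$user = 'jane.doe@contoso.com'   # placeholder
Invoke-MailboxDeviceRetirement -Mailbox $user | Out-Null
$status = Test-DeviceWipeAcknowledged -Mailbox $user
$status | Format-Table -AutoSize
if ($status | Where-Object { -not $_.Verified }) {
    Write-Warning 'One or more devices have not acknowledged the wipe yet; keep the partnership until they do.'
} else {
    Get-MobileDevice -Mailbox $user | Remove-MobileDevice -Confirm:$false
}
```

The server can only confirm what the device acknowledged, so keep the returned status objects as the audit record; for MDM-enrolled devices the management solution's own retire/wipe status is the second record to check, and the two should agree before the device is considered clean.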
Device retirement/unenrollment planning questions
Answer the following planning questions about device retirement and unenrollment.
Do you need the ability for both IT and users to unenroll mobile devices?
If a device is selectively wiped, should it be automatically unenrolled from the mobile
device management solution?
If mobile device users can unenroll their mobile devices, how will the removal of
corporate data and applications be verified?
o Is this different for devices that are selectively wiped and devices that are reset to
the factory default setting?
Note
Make sure to take notes of each answer and understand the rationale behind the answer.
Task 4 will go over the options available and advantages/disadvantages of each option.
Answering these questions will help you select the option that best suits your business
needs.
Task 2: Gather monitoring requirements
Monitoring and capturing status and event information for mobile devices is vital to ensuring
that users and devices are in compliance with your corporate policies and security strategy. This
is especially important for organizations that must comply with governmental regulatory
requirements and industry compliance guidelines.
Reporting can also provide valuable information about software, hardware, and software
licenses in your organization to assist with inventory management.
Be aware of the importance of user privacy when you're establishing monitoring and reporting
guidelines, especially when users can enroll personally-owned devices in your organization's
mobile device management solution. Your organization should not be able to capture, monitor,
report, or share any personal activity or information.
In general, mobile device management solutions divide monitoring into two general areas:
Logging: Capturing and storing mobile device and mobile device application status and
information.
Reporting: Displaying reports or notifications, including standard and customizable
reports that can be created on-demand, and automatic summary and dashboard status
reports.
Monitoring planning questions
Answer the following planning questions about device monitoring.
What types of regular reports for mobile devices will you need?
o Device inventory?
o Device usage?
o Device access?
o Device applications?
Will reports need to be shared?
o Between IT roles?
o Outside of the IT organization?
o Accessed remotely (outside of the corporate network)?
What types of issues or problems with devices will you need to identify?
What types of events captured in monitoring will need to be acted upon? In what time
frame?
Will you need customized, on-demand reports?
When a device is de-enrolled, should specific inventory and reporting events be
captured?
After a device is de-enrolled, should legacy inventory and reporting events be
archived/maintained?
Note
Make sure to take notes of each answer and understand the rationale behind the answer.
Task 4 will go over the options available and the advantages/disadvantages of each option.
Answering these questions will help you select the option that best suits your business
needs.
Task 3: Determine network resource requirements
Enabling secure, managed access to a wide variety of corporate resources from mobile devices is
an important feature of a mobile device management solution. While these resources have
typically been located in on-premises networks, it's now common for resources to be hosted
on cloud-based web services and external networks as well.
How mobile devices connect to corporate email platforms, virtual private networks (VPNs), and
corporate wireless (Wi-Fi) networks all play an important role in keeping corporate data and
other resources protected from unauthorized access. Equally important is making it convenient
and easy for mobile device users to access these resources securely, so that users don't find a
more convenient but insecure way of storing or accessing them.
Email management
Corporate email is typically the primary data resource most users need access to on a corporate
network, whether from a personally-owned or a company-owned mobile device. Access to
email is also typically the connection that triggers initial mobile device enrollment. Being able to
manage email access for mobile devices across both your existing non-mobile device
management solution and the mobile device management solution helps avoid device coverage
gaps and increases the protection for data stored on email servers.
Most mobile device management solutions provide email access protection by using one or
both of the following features:
Email profiles: By setting up and deploying email profiles, administrators can
automatically configure mobile devices with appropriate email server information for
users to connect to their email mailboxes. This helps users connect to the correct email
server without having to remember the right email server endpoint names or network
addresses. In addition, by removing an email profile, administrators can remove email
from devices as part of a device reset or selective wipe process. Email profile management
can be a feature of a non-mobile device management solution, or can be integrated with a
mobile device management solution.
Conditional email access: Conditional email access, or “managed” email access, typically
focuses on security and compliance for accessing email on a mobile device rather than
which endpoint the mobile device connects to. With conditional email access, a
compliance policy is defined and assigned to individual users or devices or groups of
users and/or devices. The policy outlines the prerequisites that have to be in place before
a mobile device can connect to an email resource; for example, a PIN might be required
on the device. The policy is typically enforced when the device first enrolls, but remains
in place and active as long as the mobile device is enrolled in the mobile device
management system.
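As an added example that is not part of the original guide, the following Windows PowerShell script shows the Exchange-side enforcement point behind conditional email access: devices not matched by a rule are quarantined by default, approved device types are allowed by explicit rules, and the devices currently held in quarantine are listed for review. It assumes an established remote PowerShell session to Exchange Online or Exchange Server 2013 or later; the notification address and the approved device-type strings are placeholders.

```powershell
# Added example (not from the guide): enforce conditional Exchange ActiveSync
# access by quarantining unknown devices and allowing only approved device types.
# Assumes an existing Exchange Online / Exchange 2013+ remote PowerShell session.
# The recipient address and device-type strings below are placeholders.

$adminRecipients    = 'mdm-admins@contoso.com'                         # placeholder
$allowedDeviceTypes = @('iPhone', 'iPad', 'WindowsPhone', 'Android')   # placeholder

# 1. Default posture: any device not matched by an access rule is quarantined,
#    the user sees an explanation, and administrators are notified.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients $adminRecipients `
    -UserMailInsert 'Your device must be enrolled in device management before it can sync mail.'

# 2. Allow-list rules for approved device types. Existing rules are reused so the
#    script is safe to re-run.
foreach ($type in $allowedDeviceTypes) {
    $existing = Get-ActiveSyncDeviceAccessRule | Where-Object {
        $_.Characteristic -eq 'DeviceType' -and $_.QueryString -eq $type
    }
    if (-not $existing) {
        New-ActiveSyncDeviceAccessRule -QueryString $type -Characteristic DeviceType -AccessLevel Allow | Out-Null
    }
}

# 3. Review: devices currently held in quarantine. After confirming a device is
#    enrolled and compliant, release it per mailbox with
#    Set-CASMailbox -Identity <user> -ActiveSyncAllowedDeviceIDs @{add='<DeviceId>'}.
function Get-QuarantinedMobileDevice {
    Get-MobileDevice -ResultSize Unlimited |
        Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
        Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS, DeviceId,
                      DeviceAccessStateReason, FirstSyncTime
}

Get-QuarantinedMobileDevice | Format-Table -AutoSize
```

Note the limitation: DeviceType is a string reported by the client, so these rules gate which clients may sync but do not check device health. The compliance policies described above require the MDM solution's view of device state (for example Intune or ConfigMgr conditional access integrated with Exchange), which sets the device access state automatically; the quarantine default still matters as the safety net for devices that never enroll.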
Email management planning questions
Answer the following planning questions about email management.
How will mobile devices connect to your existing on-premises or cloud-hosted email
system?
If mobile devices are already connecting to your existing email system, what connection
type or protocol are the devices using to connect?
Will administrators or users (or a combination of both) be responsible for connecting
mobile devices to your email system? If users will be connecting mobile devices to the
email system, how will they:
o Choose the proper connection point to access their email mailbox?
o Choose the proper connection protocol or connection method?
Will mobile devices need to meet certain security and compliance standards before and
while remaining connected to your email system?
Do you need the ability to create custom email security and compliance connection
policies? If so, what are the specific requirements?
Will you need the ability to import or export email security and compliance connection
policies?
How do you need to manage connections to your email system?
o By device user?
o By device type?
o By device OS?
o By user group or role?
When a mobile device needs to be disconnected from your email system, how will email
data be deleted from the mobile device?
Will both administrators and users need the ability to delete email data or the
connection to the email system?
How will confirmation of email data deletion be verified or confirmed?
If you’re currently managing mobile device connections to email resources with an
existing protocol or management method, how does it integrate with the mobile device
management solution?
If you’re using both an on-premises and a cloud-based email system, how do they
integrate with the mobile device management solution? Are email profiles or managed
access policies administered the same or differently from the IT perspective? Is the user
email connection experience the same or different depending on where their mailbox is
hosted?
Network connectivity management
Mobile devices typically connect to corporate networks and resources by using the following
access technologies:
Wi-Fi: Wireless access to corporate resources is typically provided as an on-premises
network extension service for devices that are in close physical proximity to the on-
premises network. This usually involves allowing mobile devices to connect to network
resources as users roam from location-to-location in an on-premises office, such as
conference and meeting rooms, different offices, or other on-premises areas. It can also
include wireless access from remote locations over non-corporate managed wireless
network access points, such as the user’s home network or a public wireless access point.
To simplify connections to wireless networks, administrators usually manage these
connections using wireless profiles that outline the specific settings mobile devices must
have in place before they can connect to the wireless network. This may include
automatically configuring a custom network name, network Service Set Identifier (SSID),
security settings, network proxy, and whether or not the device should automatically
connect to the wireless network when the device is in range.
Virtual Private Network (VPN): Secure remote access to corporate resources often
includes using a defined VPN connection type from the mobile device. This is often
vendor-specific and includes the installation of a VPN application on the mobile device.
Additionally, these VPN applications often use either digital certificates or separately
managed user account credentials to authenticate the VPN connection. To simplify
connections to VPNs, administrators can usually manage these connections using VPN
profiles or the VPN management tools included with the VPN solution. Depending on
integration support, managing VPN connections with the mobile device management
solution may or may not be an option with certain VPN platforms.
Note
You may have other web-based resources, such as SharePoint, that leverage secure
access via Secure Socket Layer (SSL) or Transport Layer Security (TLS). Be sure you
understand how mobile devices will access these resources or resources with separate
VPN or secure access methods.
Network connectivity management planning questions
Answer the following planning questions about network connectivity management.
How will the Internet be accessed via the mobile device?
o By using Wi-Fi? If so, is access via a proxy required? Proxy authentication?
Will your Wi-Fi infrastructure require updating to accommodate increased device
connections and increased bandwidth demands?
How will mobile devices connect to your existing on-premises wireless or VPN platform?
If mobile devices are already connecting to your existing wireless or VPN platform, what
connection type or protocol are the devices using to connect?
Will changes to these connections be needed if the devices are enrolled in a mobile
device management solution?
Will administrators or users (or a combination of both) be responsible for connecting
mobile devices to your wireless or VPN platform? If users will be connecting mobile
devices to the wireless or VPN platform, how will they:
o Choose the proper connection point to access the corporate network?
o Choose the proper connection protocol or connection method?
o Choose the proper digital certificate for the connection method?
Do you want to automatically configure wireless and VPN connection properties and
settings on user’s mobile devices?
Do you need to provide different wireless network configuration or security settings to
different types of users, devices, device operating systems, or user groups and roles?
Will you need the ability to import or export wireless and/or VPN configuration or
security connection policies?
Which of the following wireless security protocols do you need to support?
o WPA-Personal
o WPA2-Personal
o WPA-Enterprise
o WPA2-Enterprise
o WEP
If you need to support WPA-Enterprise or WPA2-Enterprise, which of the following
Extensible Authentication Protocol (EAP) types do you need to support?
o EAP-TLS
o PEAP
o EAP-FAST
o LEAP
o EAP-SIM
Which type of non-EAP authentication connection do you need to support?
o Unencrypted passwords (PAP)
o Challenge Handshake Authentication Protocol (CHAP)
o Microsoft CHAP (MS-CHAP)
o Microsoft CHAP Version 2 (MS-CHAP v2)
What type of VPN platform do you have deployed in your on-premises network?
Is the VPN platform supported or able to be integrated with the mobile device
management solution?
If the VPN platform is already integrated with or supported by an existing non-mobile device
management solution – does the mobile device management solution integrate with
both systems?
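As an added example that is not part of the original guide, the following Windows PowerShell script audits Wi-Fi profiles of the kind described above against the wireless security choices in the question list: it flags WEP, WPA/WPA2-Personal (shared key), TKIP and WPA (pre-WPA2) enterprise profiles, and reports the EAP method for enterprise profiles. It reads the XML that `netsh wlan export profile` writes (element names follow the Windows WLAN profile schema); a constructed sample profile is embedded so the check runs without a live export, and the SSID in it is fictitious.

```powershell
# Added example (not from the guide): audit deployed Windows Wi-Fi profiles
# against the wireless security options listed in the planning questions.
# Input is the XML written by "netsh wlan export profile"; the element names
# used below are those of the WLAN profile v1 schema (MSM/security/authEncryption).

function Test-WlanProfileSecurity {
    param([Parameter(Mandatory)] [xml] $ProfileXml)

    $sec  = $ProfileXml.WLANProfile.MSM.security
    $auth = $sec.authEncryption.authentication   # open, shared, WPA, WPAPSK, WPA2, WPA2PSK
    $enc  = $sec.authEncryption.encryption       # none, WEP, TKIP, AES
    $findings = @()

    switch ($auth) {
        'open'    { if ($enc -eq 'none') { $findings += 'Open network: no authentication or encryption' } }
        'shared'  { $findings += 'WEP shared-key authentication: broken, do not deploy' }
        'WPAPSK'  { $findings += 'WPA-Personal: one shared key, cannot be revoked per user or device' }
        'WPA2PSK' { $findings += 'WPA2-Personal: one shared key, cannot be revoked per user or device' }
        'WPA'     { $findings += 'WPA-Enterprise (pre-WPA2): prefer WPA2-Enterprise' }
    }
    if ($enc -eq 'WEP')  { $findings += 'WEP encryption: broken, do not deploy' }
    if ($enc -eq 'TKIP') { $findings += 'TKIP encryption: deprecated, use AES' }

    # Enterprise profiles carry 802.1X (OneX) configuration; surface the EAP method
    # so EAP-TLS versus PEAP choices are visible in the report.
    $eapType = $null
    if ($auth -in 'WPA', 'WPA2') {
        $eapType = $sec.OneX.EAPConfig.EapHostConfig.EapMethod.Type   # 13 = EAP-TLS, 25 = PEAP
        if ($eapType -eq '25') { $findings += 'PEAP: confirm server certificate validation is enforced' }
    }

    [pscustomobject]@{
        Name       = $ProfileXml.WLANProfile.name
        Auth       = $auth
        Encryption = $enc
        EapType    = $eapType
        Compliant  = ($findings.Count -eq 0)
        Findings   = ($findings -join '; ')
    }
}

# Constructed sample (fictitious SSID): a WPA2-Personal profile, which the check flags.
$sample = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Contoso-Guest</name>
  <SSIDConfig><SSID><name>Contoso-Guest</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2PSK</authentication>
      <encryption>AES</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
  </security></MSM>
</WLANProfile>
'@
Test-WlanProfileSecurity -ProfileXml ([xml] $sample) | Format-List

# Live audit of every profile on a Windows machine with the WLAN service:
#   netsh wlan export profile folder=$env:TEMP key=clear
#   Get-ChildItem "$env:TEMP\Wi-Fi-*.xml" |
#       ForEach-Object { Test-WlanProfileSecurity ([xml](Get-Content $_ -Raw)) } | Format-Table
```

Run the live audit from a representative managed device before and after a profile deployment; a profile that still shows WPA2PSK or TKIP after the MDM profile was pushed usually means the device kept a user-created profile for the same SSID.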
Certificate management
Digital certificates, issued either from your own enterprise CA or from a third-party Certification
Authority (CA), may be used to authenticate mobile devices to network connections or specific
network resources. To simplify managing digital certificates, administrators usually manage
certificates using certificate profiles. This allows a uniform, centralized method for managing
certificates, including how they are created, issued, and renewed. This also helps users connect to
corporate resources without having to request and install certificates manually or by using a
non-approved security process.
However, using certificates for this type of authentication often requires additional on-premises
infrastructure requirements. This may include all or some of the following network components,
depending on the level of integration supported by the mobile device management solution:
Directory services: Directory services, such as Microsoft Active Directory, are usually
required to securely connect and manage all other network components.
Certification Authority (CA) server: If you’re issuing certificates from your own PKI rather
than purchasing them from a third-party CA, you’ll need a certification authority to create,
issue, manage and renew digital certificates.
Network Device Enrollment Service (NDES) server: This server allows software and
mobile devices to obtain certificates based on the Simple Certificate Enrollment Protocol
(SCEP).
Proxy server: Depending on your on-premises network configuration, you may require a
proxy server that allows mobile devices to receive certificates using an Internet
connection and without directly connecting to your internal corporate network.
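As an added example that is not part of the original guide, the following Windows PowerShell script checks the NDES piece of the infrastructure above from the network that devices enroll from: it queries the SCEP endpoint's capabilities (GetCACaps) and downloads the CA and RA certificates it publishes (GetCACert), reporting expiry, since an expired NDES registration authority certificate silently breaks certificate profile deployment. The hostname is a placeholder and the HTTPS scheme is an assumption (a proxy may front NDES); the URL path is the standard NDES SCEP endpoint. It requires Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the guide): verify that an NDES (SCEP) endpoint is
# reachable and inspect the CA/RA certificates it hands out.
# Hostname and scheme are placeholders; the path is the standard NDES SCEP endpoint.

Add-Type -AssemblyName System.Security

function Get-ScepEndpointInfo {
    param(
        [Parameter(Mandatory)] [string] $NdesHost,
        [int] $ExpiryWarningDays = 30
    )

    $base = "https://$NdesHost/certsrv/mscep/mscep.dll/pkiclient.exe"

    # GetCACaps: plain-text list of capabilities, one per line (e.g. POSTPKIOperation, SHA-256).
    $capsResponse = Invoke-WebRequest -Uri "${base}?operation=GetCACaps" -UseBasicParsing
    $caps = @($capsResponse.Content -split "`r?`n" | Where-Object { $_.Trim() })

    # GetCACert: either a single DER certificate (application/x-x509-ca-cert) or a
    # degenerate PKCS#7 holding CA plus RA certificates (application/x-x509-ca-ra-cert).
    $tmp = [IO.Path]::GetTempFileName()
    try {
        Invoke-WebRequest -Uri "${base}?operation=GetCACert" -UseBasicParsing -OutFile $tmp
        $bytes = [IO.File]::ReadAllBytes($tmp)
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }

    try {
        $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
        $cms.Decode($bytes)                      # throws if the body is a bare certificate
        $certs = @($cms.Certificates)
    } catch {
        $certs = @(New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes))
    }

    $now = Get-Date
    $certInfo = foreach ($c in $certs) {
        [pscustomobject]@{
            Subject     = $c.Subject
            Issuer      = $c.Issuer
            NotAfter    = $c.NotAfter
            Thumbprint  = $c.Thumbprint           # SHA-1 thumbprint, to match against the CA console
            ExpiresSoon = (($c.NotAfter - $now).TotalDays -lt $ExpiryWarningDays)
        }
    }

    [pscustomobject]@{
        Endpoint       = $base
        Capabilities   = $caps
        SupportsPost   = ($caps -contains 'POSTPKIOperation')
        SupportsSha256 = ($caps -contains 'SHA-256')
        Certificates   = $certInfo
    }
}

# Usage (placeholder host). Run from a network segment that mobile devices enroll
# from, not only from the NDES server itself, so proxy and firewall paths are exercised.
$info = Get-ScepEndpointInfo -NdesHost 'ndes.contoso.com'
$info | Select-Object Endpoint, SupportsPost, SupportsSha256 | Format-List
$info.Certificates | Format-Table Subject, NotAfter, ExpiresSoon -AutoSize
if ($info.Certificates | Where-Object ExpiresSoon) {
    Write-Warning 'A CA or RA certificate expires soon; renew it before certificate profile deployments start failing.'
}
```

An endpoint that answers GetCACaps but fails GetCACert, or returns certificates whose issuer is not your expected CA, is the symptom to investigate before blaming the mobile device management solution's certificate profile.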
Certificate management planning questions
Answer the following planning questions about certificate management.
Does your organization already require or use digital certificates to authenticate access
to network resources?
Do you have an existing enterprise public key infrastructure (PKI)?
Do you need to automatically issue digital certificates to mobile devices?
How are digital certificates created, issued, renewed, or revoked from mobile devices?
Are digital certificates centrally managed by an on-premises or third party Certification
Authority (CA)?
Do you need to have different certificates assigned for access to different network
services? Is this dependent on the type of mobile device accessing the network?
Note
Make sure to take notes of each answer and understand the rationale behind the answer.
Task 4 will go over the options available and the advantages/disadvantages of each option.
Answering these questions will help you select the option that best suits your business
needs.
Task 4: Define your mobile device management lifecycle strategy
In this task, you’ll refine the mobile device management lifecycle strategy to meet the
management requirements you identified in Tasks 1-3.
Task 4a: Device enrollment options
Enrolling devices in Intune, whether standalone or connected to System Center 2012
Configuration Manager (ConfigMgr), requires that you prepare the service for the devices.
Enrolling mobile devices in MDM for Office 365 also requires that you activate MDM, configure
basic settings, and include each user in a security policy; those users then respond to an
enrollment message the next time they sign in to Office 365 on their mobile device. They must
complete the enrollment and activation steps on each mobile device they will use to access
Office 365 email and documents.
Intune standalone needs to be configured with a Mobile Device Management Authority, which
can be either Intune itself or an on-premises ConfigMgr infrastructure. This simply means
“which management platform do you want to use to manage Intune-enrolled devices: Intune or
ConfigMgr?” It’s very important to choose the right option for your organization, because the
management authority cannot easily be changed once set. If you need to change this
configuration later, you’ll have to contact Microsoft Support for assistance.
For most organizations that are already using ConfigMgr to manage PCs, servers, and other
devices, connecting the on-premises solution to Intune and managing devices from ConfigMgr
is usually the best choice. To assign the mobile device management authority to ConfigMgr,
you create an Intune subscription from within the ConfigMgr console and select the option to
allow ConfigMgr to manage the Intune subscription and Intune-enrolled devices.
Additionally, before you can enroll certain types of mobile devices running different types of
mobile operating systems, you’ll need to prepare the Intune service or MDM for Office 365 with
specific configuration requirements. For example, if you plan to enroll Apple iOS-based devices,
you’ll need to configure Intune with an Apple Push Notification service (APNs) certificate prior to
enrolling iOS-based devices. If this isn’t configured, Intune can’t communicate with APNs and
therefore can’t reach iOS-based devices. Mobile devices running Android or Windows Phone operating
systems have separate enrollment requirements.
Your answers to the questions in Task 1 will help you decide how you want devices to be
enrolled in your mobile device management solution. Table 5 below compares the advantages
and disadvantages of each enrollment scenario.
Table 5
Enrollment scenario: Administrators enroll all mobile devices
Advantages:
o Administrators closely control the enrollment of all devices, effectively pre-screening any
device or user at the beginning of the enrollment process
o Each device is enrolled without any user interaction, reducing device enrollment errors
o Easier to support more complex, automated, bulk, or highly customized device enrollment
processes
o Support/help desk costs may decrease since experienced administrators are performing the
device enrollments
Disadvantages:
o If supporting a BYOD strategy, increased likelihood that administrators may see or expose
sensitive user personal information if appropriate security controls are not in place
o Users may have to arrange times with you to drop off and pick up mobile devices, requiring
device enrollment scheduling and tracking
o Modern mobile device users may feel that this centralization is cumbersome and
inconvenient, leading to user-defined workarounds that may compromise enrollment security
and compliance processes
Enrollment scenario: User self-enrolls mobile devices
Advantages:
o More convenient and flexible for device owners/users
o Quicker device enrollment than a centralized enrollment process in most cases
o Offloads relatively simple administration tasks from you to your users, saving time,
scheduling, tracking, and administration overhead costs
Disadvantages:
o Potential increase in support costs or help desk calls; less-experienced users may need
personal help with enrollment
Your organization might want to allow both of these enrollment scenarios, taking a flexible
approach to permit different methods for different departments or situations. If so, your mobile
device management solution must be able to support both scenarios.
Task 4b: Device enrollment and provisioning options
When users can enroll their own devices, the requirements on both the user and IT increase,
and several areas are affected. For example, Figure 4 shows an overview of the enrollment
process for an organization using both Intune and ConfigMgr. This example outlines the
certificate, web application, and synchronization considerations that you’ll need to take into
account when planning your solution:
Figure 4 - Overview of the enrollment process for mobile devices using hybrid Intune and
ConfigMgr
1. With Windows Server 2012 R2, a new concept known as device registration was
introduced. Users can register their devices for single sign-on and access to corporate
data using Workplace Join. As part of this registration process, a certificate is installed
on the device. In return for registering their device and making it known to the device
management solution, the user gains access to corporate resources that were previously
available only from their domain-joined PC.
2. Users can enroll devices for management with Microsoft Intune using the Company
Portal, and then use the Company Portal for easy access to corporate applications and
data and to manage their own devices, for example by remotely wiping a device that is
lost, stolen or replaced.
3. You can publish access to corporate resources with the built-in Web Application Proxy
role in Windows Server 2012 R2, based on device awareness (whether the device is
registered) and the user’s identity. Multi-factor authentication can be added through
Azure Active Authentication (since renamed Azure Multi-Factor Authentication).
4. In order to provide administrators with a unified view of their entire environment, the
data from Intune is synchronized with ConfigMgr which provides unified management
across both on-premises and in the cloud.
5. As part of the enrollment process, a new device object is created in Active Directory. This
device object establishes a link between the user and their device, making it known to
the device management solution, and allowing the device to be authenticated, effectively
a seamless two-factor authentication.
Depending on how you answered the questions in Task 1, you should be able to determine how
you want devices to be managed in the mobile device management solution. Table 6 below
shows the advantages and disadvantages of each provisioning option.
Table 6
Enrollment and provisioning option: Intune (standalone)
Advantages:
o Supports enrolling and provisioning all major mobile device operating systems (Android, iOS,
Windows 10, Windows 8.x, and Windows Phone)
o A cloud-based service; mobile devices can be enrolled from any location with Internet access
o Devices may be enrolled via a centralized, customizable Company Portal
o Advanced device provisioning options for mobile devices
Disadvantages:
o Additional management interface for provisioning mobile devices (only) if using an
on-premises management platform for non-mobile devices
o Separate device compliance and security policies for the cloud-based service and the
on-premises management platform
Enrollment and provisioning option: MDM for Office 365
Advantages:
o Integrated with Office 365 tenants, providing a single management console for mobile
devices and Office 365 tenant services (Exchange Online, SharePoint Online, and Lync Online)
o Supports enrolling and provisioning all major mobile device operating systems (Android, iOS,
Windows 10, Windows 8.1, and Windows Phone)
o Basic device provisioning options for mobile devices
Disadvantages:
o Additional management interface for provisioning mobile devices (only) if using an
on-premises management platform for non-mobile devices
o Separate device compliance and security policies for the cloud-based service and the
on-premises management platform
o Less advanced device provisioning options
Enrollment and provisioning option: Hybrid (Intune with ConfigMgr)
Advantages:
o Native integration between Intune (cloud-based device management service) and System
Center 2012 and System Center 2012 R2 Configuration Manager (on-premises device
management platforms)
o Supports enrolling and provisioning all major mobile device operating systems (Android, iOS,
and Windows Phone), and includes provisioning for all major non-mobile device operating
systems
o Supports advanced device provisioning options for mobile devices via Intune connectivity
Disadvantages:
o Requires additional configuration to connect Intune with the on-premises ConfigMgr
infrastructure
o For organizations that don’t have a current ConfigMgr infrastructure configured, it will need
to be planned, installed and configured prior to integrating with Intune
For more details about mobile device enrollment and provisioning options, make sure to review
how to enable mobile device enrollments in Microsoft Intune and compare these requirements
and procedures to enable mobile device enrollments in ConfigMgr and MDM for Office 365.
Task 4c: Device management options
Managing mobile devices with Intune and ConfigMgr centers around management policies.
Policies define groups of settings for mobile devices and can be either created from templates
or customized for specific devices, users, or groups. The best management practice is to create
management policies before mobile devices are enrolled in the management solution. This
ensures that the devices are immediately managed in accordance with the policies and processes
defined in your IT strategy. Both solutions allow for configuring the following policy types:
- Configuration policies: Configuration policies are used to define the general organizational
  settings for each enrolled mobile device. This may include device password, application,
  cloud policy, and encryption settings, but can include many other device settings for
  different management areas. Additionally, configuration policies are applied and configured
  differently for different types of mobile device operating systems by using device enrollment
  profiles.
Tip
When creating different policies for different types of devices, users, or groups – it’s easy to
have conflicting policy settings applied to the same device. Be sure that you understand how
conflicting policy settings are applied.
- Compliance policies: Compliance policies enforce your organization’s requirements for
  mobile devices to access (or be denied access to) company resources or services. This can
  also include device password and encryption settings, as well as determining if the mobile
  device is rooted (“jail-broken”). As with configuration policies, Intune and ConfigMgr
  compliance policy options also vary by mobile device operating system type. If you’re
  creating compliance policies in ConfigMgr, it’s important to note that increased granularity
  can be configured as part of a multi-part process:
  1. Creating configuration items
  2. Creating configuration baselines
  3. Deploying the configuration baselines to ConfigMgr user or device collections
- Conditional access policies: Conditional access policies define how access to email is
  managed and can be used separately or in conjunction with compliance policies.
  Connections to your Exchange Server or Exchange Online service must be configured in
  Intune or in ConfigMgr before conditional access policies can be deployed. Conditional
  access can also be configured for Office 365 and SharePoint Online services.
Your answers to the questions in Task 1 can help you determine how you want devices to be
enrolled in the mobile device management solution. Table 7 below will help you understand the
advantages and disadvantages of each management scenario.
Table 7
Management options: advantages and disadvantages

Intune (standalone)
  Advantages:
  - Supports simplified policy control for managing users and devices, now separated by device platform. Supports Android, iOS, Windows 10, Windows 8.x, and Windows Phone platforms, as well as support for Exchange ActiveSync.
  - Provides a simple, web-based administration & management console that is accessible from any location
  - Supports group-based policies, making it easier to manage large numbers and diverse types of mobile devices
  - Supports advanced mobile device compliance features and functionality, including device root and jailbreak detection
  - Allows for selective wipe or full factory reset for all mobile devices
  - Includes a customizable Company portal, allowing the managed and secure distribution of internal and 3rd party mobile applications
  - Deploy certificates to mobile devices
  - Allows organizations to prevent cut/copy/paste functions in mobile applications
  - Supports enforcing the use of managed browsers
  Disadvantages:
  - Additional licensing requirements and costs for user accounts enrolling devices in the Intune service

MDM for Office 365
  Advantages:
  - Integrated web-based administration and management console within Office 365 tenants
  - Supports group-based policies, making it easier to manage large numbers and diverse types of mobile devices
  - Supports advanced mobile device compliance features and functionality, including device root and jailbreak detection
  - Allows selective wipe or full factory reset for all mobile devices
  Disadvantages:
  - Advanced mobile device management features aren’t supported, including:
    o Provisioning and managing certificates, email, VPN, wireless profiles
    o Enrolling and managing collections of devices
  - Some mobile application management features and functionality aren’t supported:
    o Deploying line of business applications to mobile devices
    o Enabling secure data access to Office mobile applications
    o Extending corporate data securely to line of business apps for mobile devices
    o Managed browsers or other content viewing applications

Hybrid (Intune with ConfigMgr)
  Advantages:
  - All the advantages of Intune standalone, plus the following:
    o Provides a single pane of glass view for managing the corporate estate, including flexibility for role-based administration and scripting (through PowerShell)
  Disadvantages:
  - Requires additional configuration to connect Intune with the on-premises ConfigMgr infrastructure
  - For organizations that don’t have a current ConfigMgr infrastructure configured, it will need to be planned, installed and configured prior to integrating with Intune
  - VPN and email profiles for Android devices aren’t currently supported
  - Managed browser support isn’t currently supported
Task 4d: Device monitoring options
Monitoring and understanding the status and configuration of all mobile devices managed by
your organization helps you discover problems and non-compliance, and manage device
inventory. Without detailed reports on hardware, software, and compliance status, it’s
impossible to make sure that your device policies are actually in place and working correctly.
Proactive monitoring helps mitigate small problems before they become larger and more costly.
Intune, MDM for Office 365, and a hybrid deployment of Intune and ConfigMgr all include
monitoring and reporting to help manage devices, users, and compliance with your
organization’s policies and procedures. Using built-in reports together with customized reports,
you can monitor mobile device management in areas such as:
- Update reports for software
- Software inventory reports
- Hardware inventory reports
- Licensing reports
- Non-compliance reports
Depending on how your infrastructure is set up, you may be able to create a variety of reports to
help you monitor your organization. Intune-based monitoring and reporting capabilities are the
backbone for reports in MDM for Office 365, as well as Intune standalone deployments. These
reports can also be tightly integrated with the reporting capabilities of ConfigMgr when it’s
connected to Intune in a hybrid deployment. Each product, as shown below, has different but
complementary reporting capabilities. It’s important to explore the nuances of the reporting
capabilities of each mobile device management solution to help make sure you choose a
solution that has the reports that you need.
Figure 5 – Integrated mobile device monitoring and reporting
The answers you gave to the questions in Task 2 can help you determine your monitoring and
reporting needs for your mobile devices. Table 8 below shows the advantages and
disadvantages of the monitoring and reporting features in each MDM solution.
Table 8
Monitoring options: advantages and disadvantages

Intune (standalone)
  Advantages:
  - Monitoring overview/dashboard
  - Alerts when errors are detected on direct managed network devices
  - An Intune service RSS feed can notify you about problems with the service and upcoming maintenance
  - Three levels of alerts (critical, warning, informational) with thresholds and email alert notifications
  - Can filter alerts by device type
  - Can review the status of any managed device
  - Can monitor details in the following areas:
    o System
    o OS
    o Storage
    o Exchange ActiveSync
    o System enclosure
    o Network
    o Service
  Disadvantages:
  - Email alerts only, no text-based or voice alerts

MDM for Office 365
  Advantages:
  - Monitoring overview/dashboard
  - Three levels of alerts (critical, warning, informational) with thresholds and email alert notifications
  - Can filter alerts by device type
  - Can review the status of any managed device
  Disadvantages:
  - Mobile device compliance status reports only

Hybrid (Intune with ConfigMgr)
  Advantages:
  - All the monitoring and reporting features of Intune standalone, plus the following:
    o Comprehensive, threshold-based, consolidated monitoring and reporting for all your organization’s devices, including non-mobile and non-Intune enrolled devices
    o Advanced reporting capabilities of SQL Server Reporting Services (SSRS) and the rich authoring experience provided by Reporting Services Report Builder
  Disadvantages:
  - Requires additional configuration to connect Intune with the on-premises ConfigMgr infrastructure
  - For organizations that don’t have a current ConfigMgr infrastructure configured, it will need to be planned, installed and configured prior to integrating with Intune
Explore the details about mobile device monitoring options by reviewing the following:
- Intune: How to monitor mobile devices and Manage reporting
- ConfigMgr: Monitoring mobile devices and Manage reporting
- MDM for Office 365: Overview and device management tasks
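The threshold-based alerting and per-device-type filtering that Table 8 lists, worked through as an added example. This is Go code written for this discussion, not code from Intune, ConfigMgr or MDM for Office 365; the inventory rows, the field names, the thresholds and the rule that maps a non-compliance ratio to an alert level are all constructed assumptions for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Severity mirrors the three alert levels the guide lists.
type Severity int

const (
	Informational Severity = iota
	Warning
	Critical
)

var severityNames = [...]string{"informational", "warning", "critical"}

func (s Severity) String() string { return severityNames[s] }

// InventoryRecord is one row of a compliance status report (hypothetical
// fields, not an Intune or ConfigMgr report schema).
type InventoryRecord struct {
	DeviceID  string
	Platform  string
	Compliant bool
}

// Thresholds are the non-compliance ratios per platform at which alerts escalate.
type Thresholds struct {
	Warning, Critical float64
}

// Alert is one notification to send (the products described send these by email).
type Alert struct {
	Platform     string
	Severity     Severity
	NonCompliant int
	Total        int
}

// NonComplianceAlerts aggregates the report by platform and raises at most one
// alert per platform: critical or warning when the non-compliance ratio crosses
// a threshold, informational when any device is non-compliant, none otherwise.
func NonComplianceAlerts(records []InventoryRecord, th Thresholds) []Alert {
	type counts struct{ total, bad int }
	byPlatform := map[string]*counts{}
	for _, r := range records {
		c := byPlatform[r.Platform]
		if c == nil {
			c = &counts{}
			byPlatform[r.Platform] = c
		}
		c.total++
		if !r.Compliant {
			c.bad++
		}
	}
	var alerts []Alert
	for platform, c := range byPlatform {
		ratio := float64(c.bad) / float64(c.total)
		a := Alert{Platform: platform, NonCompliant: c.bad, Total: c.total}
		switch {
		case ratio >= th.Critical:
			a.Severity = Critical
		case ratio >= th.Warning:
			a.Severity = Warning
		case c.bad > 0:
			a.Severity = Informational
		default:
			continue // fully compliant platform: nothing to notify
		}
		alerts = append(alerts, a)
	}
	// Map iteration order is random; sort so reports are stable.
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Platform < alerts[j].Platform })
	return alerts
}

// FilterByPlatform keeps the alerts for one device type, as the console lets you do.
func FilterByPlatform(alerts []Alert, platform string) []Alert {
	var out []Alert
	for _, a := range alerts {
		if a.Platform == platform {
			out = append(out, a)
		}
	}
	return out
}

// SampleReport builds constructed inventory rows for the example.
func SampleReport() []InventoryRecord {
	records := []InventoryRecord{
		{"android-01", "Android", true}, {"android-02", "Android", false},
		{"android-03", "Android", true}, {"android-04", "Android", false},
		{"ios-01", "iOS", true}, {"ios-02", "iOS", true}, {"ios-03", "iOS", true},
		{"wp-01", "Windows Phone", false}, {"wp-02", "Windows Phone", true}, {"wp-03", "Windows Phone", true},
	}
	for i := 1; i <= 10; i++ { // ten Windows 10 devices, one of them non-compliant
		records = append(records, InventoryRecord{fmt.Sprintf("win10-%02d", i), "Windows 10", i != 7})
	}
	return records
}

func main() {
	for _, a := range NonComplianceAlerts(SampleReport(), Thresholds{Warning: 0.25, Critical: 0.5}) {
		fmt.Printf("[%s] %s: %d of %d devices non-compliant\n", a.Severity, a.Platform, a.NonCompliant, a.Total)
	}
}
```

With the sample rows and thresholds above, Android (2 of 4 non-compliant) fires a critical alert, Windows Phone (1 of 3) a warning, Windows 10 (1 of 10) an informational alert, and iOS fires nothing.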
Task 4e: Email management options
The main reason for implementing a mobile device management solution is usually to provide
managed access to corporate email from mobile devices. For example, in MDM for Office 365,
you can create a security policy that provides basic managed access to email mailboxes hosted in
Exchange Online or access through Office apps (on iOS and Android). This policy enforces basic
mobile device compliance settings, such as requiring a device password and device encryption,
before the device is allowed to connect to a user mailbox.
You follow a similar process to configure email management options in Intune and in hybrid
Intune and ConfigMgr deployments. The primary difference is that you can implement more
advanced email management options than you can in MDM for Office 365. For example, using
Intune standalone, you can configure conditional email access to allow access to mailboxes hosted
on both Exchange Online and Exchange on-premises, as well as configure customized email
profiles. Intune enables these features by using configuration and compliance policies. Hybrid
Intune and ConfigMgr deployments also support conditional email access, but only for
mailboxes hosted on Exchange Online.
In the scenario shown below in Figure 6, the user has enrolled their device in Intune and is now
trying to access their corporate email using Office 365 or Exchange on-premises. Based on the
settings defined by the IT administrator at their company, Intune runs a policy verification
process. In this scenario, the user’s access is granted if the device is encrypted, a passcode is set,
and the device isn’t jailbroken or rooted. If a user tries to access corporate email and their
device is not enrolled, or not compliant based upon settings defined by the IT admin, the user
will receive an email explaining why their access has been blocked along with steps for how to
resolve the issue.
Figure 6 – Conditional email access
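The policy verification in Figure 6, together with the caution in Task 4c about conflicting policy settings reaching the same device, worked through as an added example. This is illustrative Go code written for this guide's discussion, not code from Intune or ConfigMgr; the device fields, the strictest-setting-wins merge rule and the remediation wording are assumptions made for the example, so check how your own platform resolves conflicting settings before relying on that rule.

```go
package main

import (
	"fmt"
	"strings"
)

// DeviceState is a constructed snapshot of what an enrolled device reports.
// Field names are hypothetical; they are not an Intune or ConfigMgr schema.
type DeviceState struct {
	ID             string
	Platform       string
	Enrolled       bool
	Encrypted      bool
	PasscodeSet    bool
	PasscodeLength int
	Jailbroken     bool // rooted (Android) or jailbroken (iOS)
}

// CompliancePolicy carries the settings the guide names for compliance
// policies: encryption, passcode requirements and rooted/jailbroken detection.
type CompliancePolicy struct {
	Name              string
	RequireEncryption bool
	RequirePasscode   bool
	MinPasscodeLength int
	BlockJailbroken   bool
}

// Merge resolves two policies that target the same device. The example assumes
// a strictest-setting-wins rule: a requirement set by either policy stays set,
// and the longer minimum passcode length is kept.
func Merge(a, b CompliancePolicy) CompliancePolicy {
	merged := CompliancePolicy{
		Name:              a.Name + "+" + b.Name,
		RequireEncryption: a.RequireEncryption || b.RequireEncryption,
		RequirePasscode:   a.RequirePasscode || b.RequirePasscode,
		BlockJailbroken:   a.BlockJailbroken || b.BlockJailbroken,
		MinPasscodeLength: a.MinPasscodeLength,
	}
	if b.MinPasscodeLength > merged.MinPasscodeLength {
		merged.MinPasscodeLength = b.MinPasscodeLength
	}
	return merged
}

// Evaluate returns one entry per failed compliance check, each paired with the
// remediation step the user would be told about. An empty slice means compliant.
func Evaluate(d DeviceState, p CompliancePolicy) []string {
	var failures []string
	if p.RequireEncryption && !d.Encrypted {
		failures = append(failures, "storage is not encrypted: turn on device encryption")
	}
	if p.RequirePasscode {
		switch {
		case !d.PasscodeSet:
			failures = append(failures, "no passcode is set: set a device passcode")
		case d.PasscodeLength < p.MinPasscodeLength:
			failures = append(failures, fmt.Sprintf("passcode is shorter than %d characters: choose a longer passcode", p.MinPasscodeLength))
		}
	}
	if p.BlockJailbroken && d.Jailbroken {
		failures = append(failures, "device is rooted or jailbroken: restore a supported OS image")
	}
	return failures
}

// Decision is the conditional access outcome for one mailbox access attempt.
type Decision struct {
	Allowed bool
	Message string // sent to the user when access is blocked
}

// ConditionalAccess applies the gate the guide describes: the device must be
// enrolled and compliant, otherwise the user gets the reasons and next steps.
func ConditionalAccess(d DeviceState, p CompliancePolicy) Decision {
	if !d.Enrolled {
		return Decision{Allowed: false, Message: "device " + d.ID + " is not enrolled: enroll it through the Company Portal and try again"}
	}
	failures := Evaluate(d, p)
	if len(failures) == 0 {
		return Decision{Allowed: true}
	}
	return Decision{Allowed: false, Message: "access to email from " + d.ID + " is blocked:\n- " + strings.Join(failures, "\n- ")}
}

func main() {
	// Two policies apply to the same device (constructed sample data).
	base := CompliancePolicy{Name: "all-users", RequireEncryption: true, RequirePasscode: true, MinPasscodeLength: 4}
	finance := CompliancePolicy{Name: "finance", RequirePasscode: true, MinPasscodeLength: 6, BlockJailbroken: true}
	policy := Merge(base, finance)

	devices := []DeviceState{
		{ID: "ios-001", Platform: "iOS", Enrolled: true, Encrypted: true, PasscodeSet: true, PasscodeLength: 6},
		{ID: "android-002", Platform: "Android", Enrolled: true, PasscodeSet: true, PasscodeLength: 4, Jailbroken: true},
		{ID: "wp-003", Platform: "Windows Phone", Enrolled: false},
	}
	for _, d := range devices {
		dec := ConditionalAccess(d, policy)
		fmt.Printf("%s allowed=%v\n%s\n\n", d.ID, dec.Allowed, dec.Message)
	}
}
```

The merged policy requires encryption, a six-character passcode and no jailbreak, so the first sample device is allowed, the second is blocked with three remediation lines (unencrypted storage, short passcode, jailbroken), and the unenrolled third device is told to enroll before any compliance check runs.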
Your answers to the questions in Task 1 can help you determine how you want devices to be
managed in the mobile device management solution. Table 9 below lists the advantages and
disadvantages of email management in each MDM solution.
Table 9
Email management options: advantages and disadvantages

Intune (standalone)
  Advantages:
  - Supports email management for all major mobile device operating systems (Android, iOS, Windows 10, Windows 8.x, and Windows Phone)
  - Can leverage native mobile device email applications via integration with Exchange ActiveSync
  - Integration with Exchange Online via the Service-to-Service connector to allow cross-platform monitoring and reporting between Intune and Office 365
  - Supports configuration of email profiles for managing Exchange ActiveSync-based settings on mobile devices
  - Conditional email access to resources
  Disadvantages:
  - Email profiles aren’t supported for Android-based mobile devices

MDM for Office 365
  Advantages:
  - Allows Exchange ActiveSync support for password, encryption, rooted device compliance
  - Allows device management policies and requiring device enrollment before access is granted to Office and OneDrive for Business apps (iOS and Android)
  - Conditional email access to resources
  Disadvantages:
  - Some advanced email management options aren’t supported
  - Deploying email profiles isn’t supported (except iOS)

Hybrid (Intune with ConfigMgr)
  Advantages:
  - Intune on-premises connector for hybrid connectivity with Exchange Online
  - Integration with Exchange ActiveSync (most strict policy setting is enforced)
  - Email profiles
  - Conditional access to restrict email access to Exchange Online
  - Compliance policies to define the rules and settings the device must comply with in order to be allowed access to the services
  - Conditional access policies for each service, defining rules for security groups, Intune groups, or how unenrolled devices are managed
  Disadvantages:
  - Managed access to email only available for mailboxes hosted on Exchange Online, not mailboxes hosted on Exchange on-premises
  - The service-to-service connector should not be configured if you enable conditional access for both Exchange Online and Exchange on-premises
Explore the details about mobile device email configuration management options by reviewing
the following:
- Intune: How to enable email profiles and conditional email access
- ConfigMgr: Enabling email profiles and conditional email access
- MDM for Office 365: Capabilities of mobile device management
Task 4f: Network connectivity management options
Depending on your infrastructure, mobile devices might be able to connect to corporate
resources from a variety of Internet connectivity services, which are often secured by
VPN-protected endpoints.
By using Intune or a hybrid deployment with ConfigMgr, you can deploy Wi-Fi profiles to
provision Wi-Fi networks, so a device can auto-connect to the network when it is in range. For
example, mobile devices can be configured to connect to a Wi-Fi network segmented to a
conference room, but then switch to a different Wi-Fi network segment when roaming to a
different location. Users don’t have to enter passwords or choose a network; the connection
works automatically.
Intune and ConfigMgr can also deploy VPN profiles directly to mobile devices, to let users access
internal corporate resources without extra configuration or manual work. Additionally, Intune
can configure mobile devices to automatically start a VPN connection based on the type of
resource or method of access. Be aware, however, that there are different configuration
requirements for doing this for different types of mobile device operating systems.
Your answers to the questions in Task 3 can help you determine how you want devices to
connect to corporate resources. Be aware that currently, MDM for Office 365 doesn’t support
managing wireless and VPN network resources for mobile devices.
Table 10 below lists the advantages and disadvantages of managing wireless and VPN networks
using Intune standalone and hybrid Intune with ConfigMgr.
Table 10
Network management options: advantages and disadvantages

Intune (standalone)
  Advantages:
  - Supports wireless and VPN profiles on all major mobile device operating systems (Android, iOS, Windows 10, Windows 8.x, and Windows Phone)
  - Supports industry leading VPN connection types, including Cisco, Juniper, Dell SonicWall, Checkpoint, and others
  - Wireless and VPN profiles can be integrated with SCEP certificate profiles for increased security
  - Supports configuring customized wireless and VPN profiles for different types of users, devices, device operating systems, or user groups and roles
  - DNS name-based initiation support for Windows 10, Windows 8.1, Windows Phone 8.1, and iOS
  - Application ID based initiation support for Windows 10 and Windows 8.1
  Disadvantages:
  - To support VPN profiles, you’ll need to deploy and maintain an on-premises VPN infrastructure

MDM for Office 365
  Advantages: Not available
  Disadvantages: Not available

Hybrid (Intune with ConfigMgr)
  Advantages:
  - All the advantages of Intune standalone, plus the following:
    o VPN profiles are supported by your existing on-premises enterprise VPN infrastructure
  Disadvantages:
  - To support VPN profiles, you’ll need to deploy and maintain an on-premises VPN infrastructure
  - Specific security permissions must be granted to manage Wi-Fi profiles and VPN profiles in ConfigMgr
Explore the details about mobile device network connectivity management options by reviewing
the following:
- Intune: Enable wireless and VPN profiles
- ConfigMgr: Enabling wireless and VPN profiles
Task 4g: Certificate management options
Using digital certificate management and certificate profiles is supported both by Intune
standalone and hybrid Intune and ConfigMgr deployment scenarios. These features allow you to
deploy trusted root certificates to mobile devices, as well as Simple Certificate Enrollment
Protocol (SCEP) based profiles that instruct mobile devices to get additional certificates from an
NDES server in your organization.
Since SCEP is natively supported by iOS, Windows 10 and 8.1, and Windows Phone 10 and 8.1,
and is also supported through the Windows Intune Company Portal app for Android, using this
enrollment protocol has the advantage of having the private key generated directly on the
mobile device. The private key is never generated, cached, or stored by either ConfigMgr or
Intune, which helps to keep the mobile device secure.
Figure 7 shows how Intune and ConfigMgr use the NDES to provide secure certificate
provisioning to mobile devices using SCEP:
Figure 7 – Secure certificate provisioning
1. A policy that includes the properties of the certificate for SCEP enrollment is created on the
Intune service.
2. Intune converts the policy to a platform mobile device management protocol (like OMA-DM
for Windows 10 and Windows 8.1) and sends it to the device.
3. The mobile device receives the policy and initiates an enrollment request to NDES.
4. NDES forwards the request to ConfigMgr.
5. ConfigMgr compares the request attributes of the SCEP request for an authentication match
and sends confirmation back to NDES.
6. NDES sends a certificate issuance request to the CA, and the CA sends the certificate to the
NDES role.
7. The NDES role sends the certificate to the device.
Depending on how you answered the questions in Task 3, you should be able to determine how
you want certificates managed in the mobile device management solution. Currently, MDM for
Office 365 doesn’t support managing certificate profiles for mobile devices.
Table 11 below will help you understand the advantages and disadvantages of the certificate
profile management for Intune and the hybrid Intune with ConfigMgr deployment scenario:
Table 11
Certificate management options: advantages and disadvantages

Intune (standalone)
  Advantages:
  - Supports certificate profiles on all major mobile device operating systems (Android, iOS, Windows 10, Windows 8.x, and Windows Phone)
  - Platform supports the Simple Certificate Enrollment Protocol (SCEP)
  - Certificate profiles can automatically configure mobile devices so that company resources can be accessed without having to install certificates manually or use a non-approved security process
  - Certificates can be automatically revoked when the device is retired from management, selectively wiped, or blocked from the management hierarchy
  Disadvantages:
  - To use certificate profiles, some existing on-premises infrastructure must be in place. You must integrate the following on-premises infrastructure with Microsoft Intune:
    o A server that runs the Network Device Enrollment Service
    o An Enterprise Certification Authority
    o The Intune NDES Connector, which installs on the server that runs NDES

MDM for Office 365
  Advantages: Not available
  Disadvantages: Not available

Hybrid (Intune with ConfigMgr)
  Advantages:
  - All the advantages of Intune standalone, plus the following:
    o Also supports managing certificates for non-mobile devices
  Disadvantages:
  - To use certificate profiles, some existing on-premises infrastructure must be in place. You must integrate the following on-premises infrastructure with Microsoft Intune:
    o A server that runs the Network Device Enrollment Service
    o An Enterprise Certification Authority
    o The Intune NDES Connector, which installs on the server that runs NDES
For more details about mobile device certificate management options, read how to enable
certificate profiles in Intune and compare these requirements and procedures to enabling
certificate profiles in System Center 2012.
Step 3 - Plan for enhancing mobile device protection
While on-premises and remote users can be more productive by accessing company resources
on their mobile devices, letting them do so also increases security threats that you’ll need to
mitigate in order to help protect your company’s data and maintain user privacy. Your company
might have specific requirements about how to balance these needs. For example, compliance
rules can vary depending on the industry in which your company operates, which may lead to
different design decisions.
However, there are some general aspects of security in mobile device management to explore
and conform to, regardless of the industry. These are shown in Figure 8.
Figure 8 – Security capabilities in a MDM solution
This diagram shows the core security capabilities required in any MDM solution. The key areas
to consider are the following:
1. Considerations for data protection at the mobile device level:
   o Data encryption
   o Data classification
   o Client privacy
   o Containerization
   o Policy enforcement
   o Hardening
2. Considerations for data protection while in transit:
   o Data encryption
   o Authentication
   o Authorization
3. Considerations for data protection while at rest in your on-premises organization:
   o Data encryption
   o Authentication
   o Authorization
4. Considerations for data protection while at rest in the cloud:
   o Data encryption
   o Authentication
   o Authorization
The following tasks can help you understand how your specific security needs will influence your
decision about the best MDM solution for your business requirements.
Task 1: Gather your data protection requirements
To help define your organization’s data protection requirements for mobile devices, it helps to
first think about data protection requirements that your organization already has in place. For
example, perhaps your company has to comply with specific regulations, or you might already
have a policy regarding data protection.
Make note of these high-level requirements first, and then you’ll have a basis for asking more
granular questions that will help lead you to better design decisions for your MDM solution.
When defining these requirements, consider the following:
- Data encryption at rest: As shown in Figure 8, company data will be stored on the
  user’s mobile device. Consider if the following is important to your company:
  o Does the MDM solution support encrypting the entire mobile device disk and SD cards?
    - If yes, for which operating systems?
  o Does the MDM solution support app data encryption?
    - If yes, for which operating systems?
    - If yes, for which apps?
- Data encryption in transit: Regardless of who owns the data, at some point during data
  communication, the data is in transit between the mobile device and a company server
  (or web service). You must understand what capabilities the MDM solution has in order
  to protect data in transit. Consider if the following is important to your company:
  o Does the MDM solution support data encryption in transit?
    - If yes, for which operating systems?
    - If yes, which capabilities are available?
  o What options does the MDM solution have to protect data while in transit?
- Data segregation: It’s also important to understand if your company’s data should be
  treated differently from the user’s data. Segregation, separation, or isolation are some
  terms that can be used to describe this capability. When designing your MDM solution,
  consider:
  o Does the MDM solution support data separation?
    - If yes, is it possible to erase your company’s data, while preserving the mobile device user’s data?
  o Does the MDM data separation capability ensure that only trusted apps can access data located on the mobile device?
  o Does the MDM solution support data separation according to the user’s identity?
  o Does the MDM solution support containerization?
    - If so, is it possible to encrypt data located in a particular container?
- Hardening mobile devices: Since there might be different mobile device platforms used
  in your organization, you should understand what hardening capabilities are available in
  each mobile device platform. Each mobile device platform may control and harden
  devices using different methods and at different levels of granularity. If one set of mobile
  devices has a more granular set of configuration than others, you’ll need a common set
  of options to harden the devices while using custom policies to enhance the security for
  each mobile device platform that your organization supports.
  The list below includes common options that should be supported by the MDM solution
  to harden mobile devices:
  o Requiring a password to unlock mobile devices
  o Requiring a password type – minimum number of characters and character types
  o Minimum password length
  o Number of repeated sign-in failures to allow before the mobile device is wiped
  o Minutes of inactivity before the device screen turns off
  o Remembering password history – preventing the reuse of previous passwords
  o Password expiration (days)
  o Requiring encryption on the mobile device
  o Requiring encryption on storage cards
  o Allowing idle return without a password
Note
In Windows Phone 8.1, the policy Allow idle return without password can be configured
using Windows Phone 8.1 Enterprise Device Management Protocol.
Task 2: Specify your privacy requirements
While Task 1 focused on data protection and how to enhance the overall security of mobile
devices to help keep company data protected, the second task of this step focuses on
understanding your organizational requirements for privacy.
In the previous step, you defined device management tasks, including device management and
content distribution management. In this task, the goal is to define the privacy requirements for
company content that will reside on the mobile device.
Note
Read the solution Streamlined management for mobile devices and computers in a
hybrid environment for more information about content distribution for mobile devices
An organization’s privacy requirements will vary according to the industry, applicable
regulations, and type of business. For example, you may want your MDM solution to allow you
to perform basic hardware inventories, software inventories, file collections, and software
distribution on mobile devices. Hardware inventory and software distribution are usually
supported by default.
Keep in mind that privacy concerns that apply to your client computers for inventory and
software distribution also apply to mobile devices.
Before choosing a mobile device management solution, consider your unique privacy
requirements. For example, consider the following:
- Client Privacy: Allowing users to use their mobile devices to connect to and use
  company resources also means that they must understand your organization’s privacy
  policy and how this will affect their privacy.
  o Are you required to provide users with your company privacy policy, and what should it include?
    - If yes, does the MDM solution include the ability to easily provide a privacy policy to users?
  o Does the MDM solution store user’s mobile device information or data in the cloud?
    - If yes, how is user’s privacy maintained in the cloud?
    - Who has access to their data?
    - How is their data kept private?
- Data Classification: It’s important to define what constitutes company data, and how it
  will be protected. Having policies and mechanisms in place to classify data should be
  part of the plan to ensure privacy when managing mobile devices.
  o Can you identify or classify company documents or data that will reside on the mobile device?
    - If yes, what type of data or document rights or permissions are supported?
  o Will this classification travel with the data or document, regardless of the mobile device that the user is using?
  o What type of data or documents can (or can’t) be classified?
Tip
Read the Microsoft Online Services Privacy Statement to better understand how Microsoft
Cloud services, including Intune, maintain users’ privacy.
Task 3: Specify your access requirements
A mobile device that can’t use apps or access company data that is needed to perform work
isn’t useful for your employees. So it’s critical to understand how the data will travel from the
source location (on-premises or cloud) to the mobile device.
Look back at Figure 8 to see the potential paths that the data will travel to and from mobile
devices, and the considerations that should be in place for each path. Many companies that
have security policies in place haven’t considered how mobile devices can increase the
likelihood that corporate data might be leaked. So review your current company policies to
ensure that the requirements you develop for authentication, authorization, and access control
are aligned with your business requirements.
Answer the following questions to help determine the access requirements for mobile devices:
Authentication and authorization: As part of the strategy to allow your users to access company data from mobile devices, you must identify which users are eligible for access. Some companies initially allow data access for only a portion of their users, and then grant access to other employees as they request it, based on business need. To restrict access, your solution must authenticate users (verify that the user is who they claim to be) and authorize them (evaluate whether the user should have access to the data they are requesting) according to your company's policy.
When designing your MDM solution, consider the following:
o Does your organization have a current directory service that is used for
authentication and authorization?
If yes, does the MDM solution integrate with your directory service to
authenticate and authorize access to resources?
o Does your organization need to have centralized authentication, or can it be
hybrid?
o Does your organization plan to have multi-factor authentication for mobile users?
o Does your organization use an on-premises Public Key Infrastructure (PKI) to
issue certificates?
If yes, does the MDM solution have the capability to perform
authentication using digital certificates?
If yes, does the MDM solution have the capability to integrate with
an existing on-premises PKI?
o Does your organization need to use the current directory services to authenticate
users accessing third party apps?
If yes, does the MDM solution allow users to use single sign-on (SSO) to
authenticate against third party apps?
Access control: Once a user is authenticated and authorized, each request for a resource must be validated against the level of access that user has. The requested resource can be data or an app. When designing your solution, consider the following:
o Does your company need different levels of administrative control over the mobile devices and the MDM solution itself?
If yes, does the MDM solution support role-based access control (RBAC)?
o Does your company need different levels of access according to the user's location?
If yes, does the MDM solution allow you to create access control restrictions according to the user's location?
o Does your company need to control access to apps?
If yes, does the MDM solution allow you to control access to apps installed on the mobile device?
o Does your company need to control access according to a set of conditions?
If yes, does the MDM solution allow you to apply conditional access control?
If yes, does the MDM solution allow you to enable or disable application features according to the user's identity?
Tip
Read the Secure access to company resources from any location on any device to better
understand how to leverage built in Windows Server 2012 R2 capabilities in conjunction with
ConfigMgr to provide access to your company resources.
Task 4: Develop your incident response requirements

While many organizations already have an incident response (IR) plan in place, check that the plan includes mobile devices and the steps to take if an incident is reported on one of those devices. If your company is only now adding a mobility solution, it's likely that the current IR plan doesn't cover mobile devices.
If your organization doesn’t have an IR plan, it is important to work closely with your security
team to understand the requirements as you develop one, so you’ll know the right questions to
ask when you’re choosing the best MDM solution for your needs.
Tip
Read Responding to IT Security Incidents to better understand the minimum requirements
for an IR plan.
When designing your MDM solution, ask the following questions to confirm that mobile devices can be managed if there's an incident.
Does your organization have an existing Incident Response Plan?
o If yes, does it include processes and procedures for handling compromised
mobile devices?
Does the incident response policy cover scenarios where an end user reports that they’ve
lost their mobile device?
o Is it permissible to erase the entire device to avoid data leakage?
If it is, does your company have a backup policy in place for data that resides on mobile devices?
Does your organization have different procedures for company-owned devices and
personally-owned devices in case they are lost?
o If yes, what are those procedures?
o Will those procedures affect the selection of the MDM solution?
If a user loses their personally-owned mobile device but they don’t authorize your
company to erase the entire device, does the MDM solution allow selective device
wipes?
When a mobile device is compromised and you need to prevent that device from
spreading malicious apps to the corporate network, does the MDM solution allow you to
enforce policies that can rapidly contain the compromised device?
Does the MDM solution allow you to plan for potential attacks so you can take proactive
actions to address problems?
Does the MDM solution allow you to identify when a file is infected with malware, by
using a management console?
Task 5: Plan your mobile device security strategy

In this task, you will define the mobile device management security strategy that meets the business requirements you defined in Tasks 1-4.

Task 5a: Data encryption

Now that you've answered the questions in Task 1 regarding the requirements for data encryption at rest and in transit, you'll evaluate the options available to address each requirement. Even when data is at rest, it can be encrypted at different levels, as shown in Figure 9.
Figure 9 – Different levels of encryption
You can use full disk encryption or encryption of the data handled by an app. ConfigMgr allows you to enforce policies that require file encryption on mobile devices. Some mobile devices, like Windows Phone 8, are encrypted automatically; others only encrypt data when another setting is enabled. On iOS devices, for example, the data protection that ties file encryption keys to the user's passcode is only effective once you require a passcode on the device, so a device encryption requirement should always be paired with a passcode requirement.
Note
For more information about the mobile devices that can have encryption enabled using
ConfigMgr, read Compliance Settings for Mobile Devices in Configuration Manager.
For apps that are associated with an Intune mobile application management policy, encryption is provided by Microsoft. Data is encrypted synchronously during file I/O operations according to the setting in the mobile application management policy. On Android devices, managed apps use AES-128 encryption in Cipher Block Chaining (CBC) mode using the platform cryptography libraries, which are not FIPS 140-2 validated; if your organization has a FIPS requirement, account for this when deciding which platforms to allow.
This option allows you to specify that all data associated with a particular app will be encrypted, including data stored on external media, such as SD cards. The same capability is also available with MDM for Office 365.
Public cloud storage services, such as OneDrive for Business, can also be integrated with Intune Standalone and with System Center 2012 R2 Configuration Manager SP1. You can deploy the OneDrive for Business app to the user's device under a management policy, and the documents from the user's OneDrive for Business account that the app stores on the device will then be encrypted.
Most MDM solutions use TLS (often still referred to as SSL) to protect data in transit, so the main decision is whether you will use an existing PKI to issue the server certificates or a third-party certificate authority (CA). The advantage of a well-known public CA is that users accessing company resources from their own devices already trust it. A certificate issued by an internal PKI is trusted only on devices where you have distributed the internal root certificate, which in a BYOD scenario means delivering it through an MDM profile first; this is why enrollment endpoints are usually given publicly trusted certificates. Whichever CA you choose, the clients must validate the full certificate chain, because a client that accepts any certificate provides no protection in transit.
Table 12 compares the encryption features of the MDM solutions so you can see which one best
fits your organization’s security requirements.
Table 12 – Encryption features by MDM option

Intune (standalone)
Advantages:
o Encrypts data associated with apps controlled by an Intune mobile application management policy
Disadvantages:
o Does not include native encryption for mobile device storage
o No integration with a current on-premises MDM platform, which means an additional management interface for you to use

MDM for Office 365
Advantages:
o Encrypts data based on the mobile device platform's own capability
Disadvantages:
o No integration with a current on-premises MDM platform, which means an additional management interface for you to use

Hybrid (Intune with ConfigMgr)
Advantages:
o Encrypts data associated with apps controlled by an Intune mobile application management policy
o Encrypts mobile device storage
o Provides more granular control of what is encrypted on mobile devices and how the encryption is done, including selection of the encryption algorithm
o Centralized management of mobile device configuration settings for cloud-based and on-premises devices
Disadvantages:
o If the organization does not have a current on-premises ConfigMgr infrastructure, it will need to plan, install and configure that platform before the integration
Note
For more information about how to combine Intune and ConfigMgr’s capabilities to
increase data protection and configure encryption, read Managing Encryption on Mobile
Devices with Configuration Manager and Intune.
Task 5b: Data segregation

Data segregation is important, not only for your organization, but also for keeping your users' personal information private. Data segregation lets you remove all company apps and data from a device that belongs to a user without affecting the user's personal data (see Figure 10).
Figure 10 – User’s personal data is isolated from company’s data
Because the apps, company data, and policies deployed by the MDM solution are kept separate from everything else on the device, a selective wipe can remove them when necessary without affecting the user's personal content and apps.
Tip
Read Help protect your data with remote wipe, remote lock, or passcode reset using Microsoft Intune for more about how remote wipe behaves on other platforms, such as iOS and Android.
Selective wipe for mobile device data management is included in Windows Server 2012 R2 and Windows 8.1. Enterprise data on the device is encrypted with a key tied to the organization's enterprise ID, and a selective wipe revokes that key, so the company data becomes inaccessible while personal data is untouched. Exchange Server and Microsoft Intune administrators can trigger this to manage enterprise data on devices, and developers can build apps that use the Windows Selective Wipe capabilities. Windows Phone 8 and later supports separating data in the internal storage.
Figure 11 – Core architecture of Windows Phone 8.x
Tip
Read more about Windows Phone 8.1 security capabilities by downloading the Windows
Phone 8.1 Security Overview
Data segregation can be challenging if users switch between personal accounts and corporate
accounts on their mobile devices. In a BYOD scenario, it’s common for users to use multiple
credentials to perform different tasks on their device.
When a user installs and signs in to an app that supports multiple identities (multi-identity) on
an Intune-managed device, such as Outlook, Intune checks to see if the account they’re using
matches the managed account on the device. If the account is managed, and there is also a
policy for the app and the user, then the policy settings protect data in that account. When the
user adds personal accounts to the app, those accounts are outside of Intune management and
protection. This allows personal use of the application without compromising corporate
protection. Read Protect data using mobile application management policies with Microsoft
Intune for more information about multi-identity capability in Intune.
Table 13 compares selective wipe features available with different MDM solutions to help you
choose the MDM solution that best fits your organization’s data segregation requirements.
Table 13 – Selective wipe features by MDM option

Intune (standalone)
Advantages:
o Allows you to perform selective wipes that remove only company data from mobile devices
o Allows you to perform factory resets and fully wipe mobile devices
o Supports multi-identity apps
Disadvantages:
o Does not include native encryption for mobile device storage
o No integration with a current on-premises MDM platform, which means an additional management interface for you to use

Office 365 with MDM
Advantages:
o Allows you to perform factory resets and fully wipe Android, Windows Phone, and iOS devices
o Allows you to perform selective wipes on Android, Windows Phone, and iOS devices to remove only company data from the device
Disadvantages:
o No integration with a current on-premises MDM platform, which means an additional management interface for you to use

Hybrid (Intune with ConfigMgr)
Advantages:
o Allows you to perform selective wipes that remove only company data from mobile devices
o Allows you to perform factory resets and fully wipe mobile devices
o Supports multi-identity apps
o Single management console to manage cloud-based and on-premises mobile devices
Disadvantages:
o If the organization does not have a current on-premises ConfigMgr infrastructure, it will need to plan, install and configure that platform before the integration
Make sure to read the article Help protect your data with remote wipe, remote lock, or passcode
reset using Microsoft Intune to understand how data is removed and retained after a selective
wipe for each mobile device platform. If you have a hybrid environment, consult the article How
to remote wipe mobile devices using Configuration Manager to understand how ConfigMgr can
be used to accomplish this task.
Task 5c: Hardening mobile devices

When creating a configuration baseline that hardens mobile devices according to your business needs, make sure that you balance usability with security. A very strict hardening template can cause usability and access problems for your employees, which defeats the purpose of helping users be productive by accessing company resources with their devices.
Also keep in mind that not all security policies are available for all mobile device platforms. You may need to balance the priority of allowing a given mobile device platform in your organization against your security compliance requirements for hardening devices, and you should record which baseline settings each allowed platform cannot enforce, so that those gaps are a conscious decision rather than a surprise.
One way to approach mobile device hardening is to have different layers of security. The settings available for each layer can also vary, depending on your MDM solution. Figure 12 shows an example of how this layered approach can be set up.
Figure 12 – Different areas of mobile device hardening
Each layer groups areas that must be compliant with your business security requirements. For example, you can configure Intune to deploy security policies for devices that specifically harden system settings and enable encryption. The policies can also help ensure that only compliant apps can be installed on mobile devices, by creating an app allow list.
Another area that should be controlled is users’ mobile browsing experience. A managed
browser policy includes an allow or block list that restricts the websites that users of the
managed browser can visit. Read Manage Internet access using managed browser policies with
Microsoft Intune for more information on how to configure these policies in Intune.
In a hybrid environment with ConfigMgr on-premises, you can create a configuration baseline to
set a basic hardening state for managed mobile devices. You can customize this baseline to
include all required settings, and then deploy it to your mobile devices. Compliance settings
options vary according to the mobile device platform, so read Compliance Settings for Mobile
Devices in Configuration Manager for more information about the options available for each
device.
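The two points above, that a baseline is evaluated per device and that not every setting exists on every platform, can be made concrete with a small evaluator. This is an added example written for this guide, not ConfigMgr or Intune code; the setting names, the per-platform capability matrix and the device reports are assumptions constructed for illustration. It treats a baseline setting the platform cannot enforce as not applicable rather than as a failure, but fails closed when a platform that does support the setting omits it from its report.

```python
"""Evaluate constructed device posture reports against a hardening baseline (added example)."""
from __future__ import annotations

from enum import Enum


class Result(Enum):
    COMPLIANT = "compliant"
    NONCOMPLIANT = "non-compliant"
    NOT_APPLICABLE = "not applicable"


# Hardening baseline. Setting names are invented for this example and are
# not Intune or ConfigMgr policy names. Settings listed in MINIMUM_SETTINGS
# are numeric minimums; everything else must match exactly.
BASELINE = {
    "storage_encrypted": True,
    "passcode_length": 6,
    "jailbroken": False,
    "allow_removable_storage": False,
}
MINIMUM_SETTINGS = {"passcode_length"}

# Assumed capability matrix: which baseline settings each platform can report
# and enforce. In a real design this comes from the MDM vendor's per-platform
# settings reference, not from guesswork.
CAPABILITIES = {
    "ios": {"storage_encrypted", "passcode_length", "jailbroken"},
    "android": set(BASELINE),
    "windows_phone": {"storage_encrypted", "passcode_length", "allow_removable_storage"},
}


def check_setting(name: str, required, reported) -> Result:
    """Compare one reported value against the baseline requirement."""
    if reported is None:
        # The platform supports the setting but the device did not report it:
        # fail closed instead of assuming compliance.
        return Result.NONCOMPLIANT
    if name in MINIMUM_SETTINGS:
        return Result.COMPLIANT if reported >= required else Result.NONCOMPLIANT
    return Result.COMPLIANT if reported == required else Result.NONCOMPLIANT


def evaluate(platform: str, report: dict) -> dict[str, Result]:
    """Return a per-setting result for one device report."""
    if platform not in CAPABILITIES:
        raise ValueError(f"unknown platform: {platform}")
    supported = CAPABILITIES[platform]
    results = {}
    for name, required in BASELINE.items():
        if name not in supported:
            results[name] = Result.NOT_APPLICABLE
        else:
            results[name] = check_setting(name, required, report.get(name))
    return results


def is_compliant(results: dict[str, Result]) -> bool:
    return Result.NONCOMPLIANT not in results.values()


def failures(results: dict[str, Result]) -> list[str]:
    return sorted(name for name, r in results.items() if r is Result.NONCOMPLIANT)


# Constructed device reports (platform, reported settings).
SAMPLE_REPORTS = {
    "ios-sales-01": ("ios", {"storage_encrypted": True, "passcode_length": 4, "jailbroken": False}),
    "android-field-07": ("android", {"storage_encrypted": True, "passcode_length": 6,
                                     "jailbroken": True, "allow_removable_storage": False}),
    "wp-exec-02": ("windows_phone", {"storage_encrypted": True, "passcode_length": 8,
                                     "allow_removable_storage": False}),
    # Android can report removable storage but this device omitted it.
    "android-new-12": ("android", {"storage_encrypted": True, "passcode_length": 6, "jailbroken": False}),
}


def evaluate_fleet(reports=SAMPLE_REPORTS) -> dict[str, dict[str, Result]]:
    return {device: evaluate(platform, report) for device, (platform, report) in reports.items()}


if __name__ == "__main__":
    for device, results in evaluate_fleet().items():
        status = "OK  " if is_compliant(results) else "FAIL"
        detail = ", ".join(f"{name}={r.value}" for name, r in results.items())
        print(f"{status} {device}: {detail}")
```

The distinction matters when you report compliance: a Windows Phone device that cannot report a jailbreak state is not "non-compliant" on that setting, but the gap should still be visible in the baseline so the platform decision in Task 5c is made knowingly.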
MDM for Office 365 also has a set of capabilities to assist you in hardening mobile devices for
the following categories:
Security
Encryption
Jailbroken
Managed email profile
Read the article Capabilities of built-in Mobile Device Management for Office 365 for more
information on how to set up security policies for enforcing these options.
Hardening the mobile device platform plays an important role in keeping your company data protected while letting users work from their mobile devices without compromising security. Use Table 14 as a reference to choose the MDM option that best fits your organization's device hardening requirements.
Table 14 – Hardening features by MDM option

Intune (standalone)
Advantages:
o Allows you to enforce policies for enrolled devices in these areas: encryption, malware, apps, email, email profile, jailbroken devices, system, and security
o Supports policy deployment for the major mobile device platforms (Android, iOS, Windows 10, Windows 8.x, and Windows Phone)
Disadvantages:
o Lacks integration with a current on-premises MDM platform, which introduces an additional management interface for you to use when managing mobile devices
o Some policies may not be available for some mobile platforms

MDM for Office 365
Advantages:
o Allows you to enforce policies for enrolled devices in these areas: encryption, apps, jailbroken devices, and security
o Supports policy deployment for the major mobile device platforms (Android, iOS, Windows 10, Windows 8.x, and Windows Phone)
Disadvantages:
o Lacks integration with a current on-premises MDM platform, which introduces an additional management interface for you to use when managing mobile devices
o Some policies may not be available for some mobile platforms
o Doesn't allow as much granularity as Intune

Hybrid (Intune with ConfigMgr)
Advantages:
o Allows you to enforce policies for enrolled devices in these areas: encryption, malware, apps, email, system, security, and jailbroken devices
o Supports policy deployment for the major mobile device platforms (Android, iOS, Windows 10, Windows 8.x, and Windows Phone)
o Single management console for mobile devices registered from the cloud and on-premises devices
Disadvantages:
o If your company doesn't have a current on-premises ConfigMgr infrastructure, it will require resources to plan, install and configure ConfigMgr prior to integration
Tip
Read more about mobile device management settings that you can configure in a Microsoft
Intune mobile device security policy at Mobile device management policy settings for
Microsoft Intune.
Task 5d: Client privacy

When your company rolls out mobile device management, it's important to be aware of the boundaries between user privacy and organization privacy. Ideally, your organization should already have a clear privacy policy stating what's expected from users regarding data privacy. Since mobile devices might store company data and travel around with the user, it's important that boundaries are well defined and that your users know upfront what their role is in maintaining privacy for your organization.
Another consideration is how you will make sure users are aware of what to expect when they
enroll their devices in your organization’s MDM solution. Using Microsoft Intune Company
Portal, you can customize your company’s privacy statement to include a URL that has the
description of what will be collected from users when they use managed devices.
You can also publish terms and conditions that your users will see when they first use the
company portal from their devices, whether or not the device is enrolled in the MDM solution.
Users must accept the terms before they can access the company portal. When you update the
terms and conditions and want users to see and accept the new terms, you can mark the new
terms and conditions as a new version, and users will go through the same acceptance process
the next time they visit the company portal.
The same capability for requiring acceptance of terms and conditions is also available when you
have a hybrid environment with ConfigMgr connected with Intune. In addition, ConfigMgr can
use compliance settings to determine whether devices comply with configuration items that you
deployed using configuration baselines. Some settings can be automatically fixed if they’re out
of compliance.
Compliance information is sent to the site server by the management point and stored in the site database. This information is encrypted when devices send it to the management point, but it's not stored in an encrypted format in the site database, so the database itself must be protected with the same access controls you apply to other sensitive ConfigMgr data. Information is retained in the database until the site maintenance task Delete Aged Configuration Management Data deletes it, by default every 90 days; you can configure the deletion interval. This compliance information is not sent to Microsoft.
Since Intune and Office 365 are cloud-based services, users might also want to be aware of how
Microsoft handles user privacy for these services. You can provide pointers to privacy
information about these services, such as the following:
Office 365 Trust Center
Microsoft Intune Trust Center
Privacy is important for both users and your organization, and the MDM solution that you use
must appropriately balance privacy needs as well as inform users about your organization’s
privacy policy and expectations. Table 15 compares options for assisting with privacy
requirements in different MDM solutions to assist you choosing the MDM option that best fits
your organization’s privacy requirements.
Table 15 – Privacy features by MDM option

Intune (standalone)
Advantages:
o Uses the Intune Company Portal to publish your organization's privacy statement
Disadvantages:
o Doesn't provide a template for a privacy policy; it assumes your organization already has a privacy policy in place, and the Company Portal only advertises that policy, which is stored in another location

Office 365 with MDM
Advantages:
o None for this requirement (no features for publishing privacy statements)
Disadvantages:
o No features for publishing privacy statements

Hybrid (Intune with ConfigMgr)
Advantages:
o Uses the Intune Company Portal to publish your organization's privacy statement
o Single management console for mobile devices registered from the cloud and on-premises devices
Disadvantages:
o If the organization does not have a current on-premises ConfigMgr infrastructure, it will need to plan, install and configure that platform before the integration
Task 5e: Data classification

Most companies already have a data classification policy in place, and you'll need to understand how deploying a mobile device management solution will affect this policy. If your company does not have a current data classification policy, you should introduce this capability in conjunction with planning your mobile device management solution. Some organizations perform on-premises data classification at the file server level using Active Directory Rights Management Services (AD RMS). Another tool some companies use is the Microsoft Data Classification Toolkit, which helps organizations identify, classify, and protect data on their file servers.
Office 365 provides some automatic data classification of email that can help surface sensitive
information that should be protected. Office 365 uses transport rules, incorporated into mail
flow processing, to detect sensitive information. Then the DLP feature performs deep content
analysis through keyword matches, dictionary matches, regular expression evaluation, internal
functions such as validate checksum on credit card numbers, and other content examination to
detect specific content types within the message body or attachments.
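The detection pipeline described above (regular-expression candidates, a keyword dictionary, and a checksum on anything that looks like a card number) can be seen end to end in a small scanner. This is an added example written for this guide's topic, not Office 365 or Exchange code; the messages, the keyword list and the confidence levels are constructed for illustration, and the checksum is the Luhn algorithm, the standard check for payment card numbers. The card numbers in the samples are publicly documented test numbers.

```python
"""Toy DLP scanner for payment card data in message text (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample messages. The card numbers are public test numbers,
# not real accounts.
SAMPLE_MESSAGES = {
    "invoice": "Please charge the order to my card number 4111 1111 1111 1111, CVV 123, exp 09/27.",
    "order": "Your order 1234567890123456 has shipped; tracking 4111111111111112.",
    "memo": "Reminder: never email a credit card number; use the payment portal.",
    "export": "Customer export attached. Row 7: 5500-0000-0000-0004",
}

# Dictionary component: terms that usually accompany card data. The word
# boundaries stop "exp" from matching inside "export".
CARD_TERMS = re.compile(
    r"\b(?:credit card|card number|cvv|expiration|exp|visa|mastercard)\b", re.IGNORECASE
)

# Regex component: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 from
    any doubled value above 9, and require the total to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits in any report or log line."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class Verdict:
    sensitive: bool
    confidence: str            # "high", "medium", "low" or "none"
    card_numbers: list[str]    # candidates that passed the checksum
    rejected: list[str]        # digit runs that looked like cards but failed it
    keywords: list[str]        # dictionary terms found, lower-cased


def classify(text: str) -> Verdict:
    candidates = [re.sub(r"[ -]", "", m.group()) for m in CARD_CANDIDATE.finditer(text)]
    valid = [c for c in candidates if luhn_valid(c)]
    rejected = [c for c in candidates if not luhn_valid(c)]
    keywords = sorted({m.group().lower() for m in CARD_TERMS.finditer(text)})
    if valid and keywords:
        confidence = "high"      # checksum-valid number next to card vocabulary
    elif valid:
        confidence = "medium"    # number alone; a reviewer may want to confirm
    elif keywords:
        confidence = "low"       # vocabulary only, nothing to protect
    else:
        confidence = "none"
    return Verdict(bool(valid), confidence, valid, rejected, keywords)


def scan_all(messages=SAMPLE_MESSAGES) -> dict[str, Verdict]:
    return {name: classify(text) for name, text in messages.items()}


if __name__ == "__main__":
    for name, v in scan_all().items():
        cards = [mask_pan(c) for c in v.card_numbers]
        print(f"{name:8} sensitive={str(v.sensitive):5} confidence={v.confidence:6} "
              f"cards={cards} rejected={len(v.rejected)} keywords={v.keywords}")
```

The checksum is what keeps the false-positive rate usable: the "order" message contains two 16-digit runs that a regex alone would flag, and both fail Luhn. The masking helper is there because a DLP report that echoes the full card number back into a log or an alert e-mail is itself a leak.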
Intune and ConfigMgr don’t have data classification built in, so they rely on cloud-based
classification using Azure RMS or on-premises using ADRMS. Another option is to use the
Enterprise Mobility Suite (EMS) as your MDM solution. With EMS, you’ll have access to Azure AD
Premium and Azure RMS, which can be used to classify data. Data classification using Azure
RMS can be integrated with an on-premises management solution in a hybrid environment.
Use Table 16 as a reference to assist you choosing the MDM option that best fits your
organization’s data classification requirements.
Table 16 – Data classification features by MDM option

Intune (standalone)
Advantages:
o Not available
Disadvantages:
o Not available

MDM for Office 365
Advantages:
o Exchange transport rules can be used to detect sensitive information
Disadvantages:
o Data classification is not carried with the file itself; once the file is on the mobile device, it can be used without restrictions

Hybrid (Intune with ConfigMgr)
Advantages:
o Not available
Disadvantages:
o Not available

Enterprise Mobility Suite
Advantages:
o Leverages Azure RMS to perform data classification
o Azure RMS subscription is included with EMS
o Doesn't require an on-premises infrastructure for data classification
o Can be integrated with an existing on-premises AD RMS solution
o Protection is located in the file itself, so the file keeps its classification even when it is saved to a different location
Disadvantages:
o Not available for customers that are not adopting a cloud-based solution
Task 5f: Authentication and authorization

Before you can properly protect your company data, you must identify who your users are, and then verify that they're authorized to access the resource they're requesting. Organizations that already have on-premises Active Directory should leverage it to authenticate and authorize mobile users. All Microsoft mobile device management solutions can use an existing Active Directory infrastructure to do this.
Another decision point for authentication and authorization is where the directory services will
be located. While most organizations have on-premises Active Directory services, some
organizations might be considering extending their on-premises directory services with a cloud-
based directory service such as Azure AD.
For a hybrid scenario, integrating both directories is a good alternative to leverage Azure AD
capabilities, such as the following:
Self-service group management: Allows users to create groups, request access to other
groups, delegate group ownership so others can approve requests, and maintain their
group memberships.
Enterprise SLA of 99.9%: Microsoft guarantees at least 99.9% availability of the Azure
Active Directory Premium service.
Password reset with write-back: Self-service password reset can be written back to on-
premises directories.
Read more about the different options and capabilities at Azure Active Directory.
Requiring two or more independent factors (multi-factor authentication, or MFA) is another strategy to consider when planning a mobile device management solution. Intune can integrate directory services with MFA, which adds another layer of protection to the authentication process.
If your organization has an on-premises IT infrastructure that includes an Active Directory
domain with Active Directory Federation Services (AD FS), you can configure MFA on your
federation server and then enable MFA for enrollment in Intune. If you configure MFA on your
federation server, but you don’t enable MFA for enrollment in Intune, users will need to use MFA
each time that they access corporate resources from any device.
You can also use Azure AD MFA to require MFA each time that users access your corporate
resources, enabled on a per-user basis. Azure AD MFA is a cloud service that doesn’t require any
on-premises IT infrastructure.
Use Table 17 as a reference to assist you choosing the MDM option that best fits your
organization’s authentication and authorization requirements.
Table 17 – Authentication and authorization features by MDM option

Intune (standalone)
Advantages:
o Can use on-premises directory services, such as Active Directory, for authentication
o Can use cloud-based directory services, such as Azure AD, for authentication
o Can integrate with multi-factor authentication
Disadvantages:
o The Azure AD cloud service is not included when you purchase an Intune subscription

MDM for Office 365
Advantages:
o Can use an on-premises directory, such as Active Directory, for authentication
o Can use a cloud-based directory, such as Azure AD, for authentication
o Can integrate with multi-factor authentication
Disadvantages:
o The Azure AD cloud service is not included when you purchase an Office 365 subscription

Hybrid (Intune with ConfigMgr)
Advantages:
o Can use an on-premises directory, such as Active Directory, for authentication
o Can use a cloud-based directory, such as Azure AD, for authentication
o Can integrate with multi-factor authentication
Disadvantages:
o The Azure AD cloud service is not included when you purchase an Intune subscription

Enterprise Mobility Suite
Advantages:
o Leverages Azure AD Premium to provide access control
o Azure AD Premium license is already included with EMS
o Does not require on-premises directory services
o Can synchronize with on-premises Active Directory services
o MFA is natively available with EMS
Disadvantages:
o Not available for customers that are not adopting a cloud-based solution
Task 5g: Access control to resources

Organizations that use Active Directory to authenticate and authorize users already manage access control to specific resources by using Active Directory groups to segment and control access.
To manage control to specific resources, you first authenticate and authorize access for the user,
and then validate the type of control the user has on the target resource. In Figure 13, this is
shown for user Bob accessing a folder.
Figure 13 – Basic authentication and authorization flow
The traditional access control list (ACL) is limited and doesn't take into account other aspects of the user's state, such as where the user is located when trying to access the resource. If your organization needs to include more variables before granting access to a resource, you can use Dynamic Access Control, which is natively available in Windows Server 2012.
With many companies acting as a cloud provider themselves by using technologies that allow
them to have a private cloud, another option is to use Role Based Access Control (RBAC). Azure
AD allows IT to use RBAC to control access to resources. And since Azure AD can be integrated
with your Active Directory on-premises, you can use them together to determine how users
access resources.
A resource can also be an app, which means that to implement access control to resources, your
MDM solution must also be able to control how apps are installed and accessed. Mobile
application management policies in Intune let you modify the functionality of apps that you
deploy to help make sure that they comply with your company compliance and security policies.
Use Table 18 as a reference to assist you choosing the MDM option that best fits your
organization’s access control requirements.
Table 18 – Access control features by MDM option

Intune (standalone)
Advantages:
o Access control (installation and management) for apps
Disadvantages:
o Lack of integration with a current on-premises MDM platform will introduce an additional management interface for you to use
o Some policies may not be available for some mobile platforms

MDM for Office 365
Advantages:
o Access control to email, Office Mobile, Office apps, and OneDrive for Business
Disadvantages:
o Only allows a small subset of access control to resources
o Lack of integration with a current on-premises MDM platform will introduce an additional management interface for you to use
o Some policies may not be available for some mobile platforms

Hybrid (Intune with ConfigMgr)
Advantages:
o Access control (installation and management) for apps
Disadvantages:
o The Azure AD cloud service is not included when you purchase an Intune subscription

Enterprise Mobility Suite
Advantages:
o Access control (installation and management) for apps
o Leverages Azure AD Premium to provide RBAC-based access control
Disadvantages:
o If the organization does not have a current on-premises ConfigMgr infrastructure, it will need to plan, install and configure that platform before the integration
Task 5h: Incident responses

A good mobile device management solution must allow you to respond rapidly to an incident, such as a lost mobile device, by taking actions that mitigate the potential threat. The MDM system is the tool that executes the procedures established in the incident response plan.
Privacy is always important to consider as well when there has been an incident, especially in a
BYOD scenario. When the user owns the mobile device, you must maintain a balance between
keeping your company data secure and preserving the user’s privacy.
There are many levels of response in a scenario where a user has lost their device, for example,
as shown in Figure 14. Your company’s security policy will dictate what should be done,
including, in some circumstances, completely wiping the device.
Figure 14 – Incident response process for a compromised device
Intune provides selective wipe, full wipe, remote lock, and passcode reset capabilities. If a mobile
device is lost or stolen, you can issue a remote device wipe command from the Intune
administrator console. Intune also lets users issue remote device wipe commands from the
Intune company portal themselves.
If you have only ConfigMgr, you can only do a selective wipe to remove company content. In a
hybrid scenario that includes Intune, you can use both options.
MDM for Office 365 also allows you to perform both options: a selective wipe to remove only organizational data, or a full wipe to delete all information from a device and restore it to its factory settings.
Policies can also be used to take actions to mitigate a threat. You can use ConfigMgr to create
compliance policies that enforce restrictions for the device that was compromised. For example,
if the mobile device that was compromised is an iOS 7 or iOS 8 device, you can use a security
settings extension to require a fingerprint to unlock the device. (This specific capability is also
available with Intune.) As you design your MDM solution to comply with your incident response
plan, ensure that all of the mobile device platforms that your company uses are covered, since
they don’t all include the same options.
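As an added example (not from the guide or from any Microsoft product), the following Python encodes the response capabilities the guide lists per MDM option (Intune and hybrid: selective wipe, full wipe, remote lock, passcode reset; ConfigMgr alone: selective wipe; MDM for Office 365: selective and full wipe, remote lock), chooses the least invasive actions that satisfy an incident policy while withholding a full wipe on user-owned devices unless the policy permits it, and reports platform/MDM combinations that cannot perform a required action. The escalation policy, the `legacy-os` platform restriction, the option names and the sample devices are constructed assumptions.

```python
"""Incident-response action planner for an MDM design (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple

class Action(str, Enum):
    REMOTE_LOCK = "remote_lock"
    PASSCODE_RESET = "passcode_reset"
    SELECTIVE_WIPE = "selective_wipe"   # removes company content only
    FULL_WIPE = "full_wipe"             # factory reset of the whole device

ALL = {Action.REMOTE_LOCK, Action.PASSCODE_RESET, Action.SELECTIVE_WIPE, Action.FULL_WIPE}

# Response capabilities per MDM option as the guide lists them (Task 5h, Table 19).
MDM_CAPABILITIES: Dict[str, Set[Action]] = {
    "intune": ALL,
    "configmgr": {Action.SELECTIVE_WIPE},   # ConfigMgr without Intune
    "hybrid": ALL,
    "mdm_o365": {Action.REMOTE_LOCK, Action.SELECTIVE_WIPE, Action.FULL_WIPE},
}

# Constructed, hypothetical per-platform restrictions: the guide says not every
# mobile platform offers every option but does not list them.
PLATFORM_UNSUPPORTED: Dict[str, Set[Action]] = {"legacy-os": {Action.PASSCODE_RESET}}

# When a wanted action cannot be issued, degrade to the next less invasive one.
FALLBACK: Dict[Action, Optional[Action]] = {
    Action.FULL_WIPE: Action.SELECTIVE_WIPE,
    Action.SELECTIVE_WIPE: Action.REMOTE_LOCK,
    Action.PASSCODE_RESET: Action.REMOTE_LOCK,
    Action.REMOTE_LOCK: None,
}

@dataclass(frozen=True)
class Device:
    device_id: str
    platform: str
    mdm_option: str
    user_owned: bool   # True for BYOD devices

@dataclass(frozen=True)
class Policy:
    escalation: Dict[str, Tuple[Action, ...]]   # incident -> actions, least invasive first
    byod_full_wipe_allowed: bool = False

# Constructed escalation policy; a real one comes from the company security policy.
DEFAULT_POLICY = Policy(escalation={
    "misplaced": (Action.REMOTE_LOCK,),
    "lost": (Action.REMOTE_LOCK, Action.SELECTIVE_WIPE),
    "stolen": (Action.REMOTE_LOCK, Action.FULL_WIPE),
})

def supported_actions(device: Device) -> Set[Action]:
    """Actions the device's MDM option can issue on the device's platform."""
    return MDM_CAPABILITIES[device.mdm_option] - PLATFORM_UNSUPPORTED.get(device.platform, set())

def plan_response(device: Device, incident: str,
                  policy: Policy = DEFAULT_POLICY) -> Tuple[List[Action], List[str]]:
    """Return the actions to issue for the incident and a note for each substitution."""
    available = supported_actions(device)
    actions: List[Action] = []
    notes: List[str] = []
    for wanted in policy.escalation[incident]:
        act: Optional[Action] = wanted
        # Privacy constraint: a full wipe also destroys the user's personal data,
        # so on a user-owned device it needs explicit policy approval.
        if act is Action.FULL_WIPE and device.user_owned and not policy.byod_full_wipe_allowed:
            notes.append(f"{device.device_id}: full wipe withheld on user-owned device")
            act = Action.SELECTIVE_WIPE
        # Capability gap: degrade until an action the MDM option can issue is found.
        while act is not None and act not in available:
            notes.append(f"{device.device_id}: {act.value} not available via "
                         f"{device.mdm_option} on {device.platform}")
            act = FALLBACK[act]
        if act is not None and act not in actions:
            actions.append(act)
    return actions, notes

def coverage_gaps(fleet: List[Device],
                  policy: Policy = DEFAULT_POLICY) -> Dict[Tuple[str, str], Set[Action]]:
    """Per (platform, MDM option) in the fleet, the policy actions that cannot be issued."""
    required: Set[Action] = set()
    for steps in policy.escalation.values():
        required.update(steps)
    gaps: Dict[Tuple[str, str], Set[Action]] = {}
    for dev in fleet:
        missing = required - supported_actions(dev)
        if missing:
            gaps[(dev.platform, dev.mdm_option)] = missing
    return gaps

if __name__ == "__main__":   # constructed sample: a BYOD Intune device reported stolen
    dev = Device("byod-ios-2", "ios", "intune", user_owned=True)
    print(plan_response(dev, "stolen"))
    print(coverage_gaps([dev, Device("corp-android-3", "android", "configmgr", False)]))
```

Running `coverage_gaps` over a device inventory before an incident occurs is the design-time check the guide asks for: it lists every platform and MDM combination for which the response plan cannot actually be executed.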
Other important aspects of incident response are how you proactively act on trends, and how you react to an incident that was not reported by a user but that your MDM monitoring system detected. To help with these, Intune allows you to identify the recent detection paths on devices that have Microsoft Intune Endpoint Protection. With this capability, you can identify the most recently detected instances of malware on a device. Read Help secure computers with Endpoint Protection for Microsoft Intune to see how to access this capability using the Microsoft Intune administration console.
Tip
For more information about incident responses, see the Determine incident response
requirements task.
Use Table 19 as a reference to assist you in choosing the MDM option that best fits your organization’s incident response requirements.
Table 19

MDM option: Intune (standalone)
Advantages:
• Allows you to remotely wipe, remote lock, and password lock a mobile device
• Allows you to create restrictive security policies to mitigate threats
• Allows you to create alerts and custom notifications based on those alerts
• Allows you to identify files (and paths) infected by malware
Disadvantages:
• Lack of integration with current on-premises MDM platform will introduce an additional management interface for you to use
• Some policies may not be available for some mobile platforms

MDM option: MDM for Office 365
Advantages:
• Allows you to remotely wipe and remote lock a mobile device
Disadvantages:
• Only allows a small subset of security policies
• No integration with current on-premises MDM platform means an additional management interface for you to use
• Some policies may not be available for some mobile platforms

MDM option: Hybrid (Intune with ConfigMgr)
Advantages:
• Allows you to remote wipe, remote lock, and password lock a mobile device
• Allows you to create restrictive security policies to mitigate threats
• Single management for cloud and on-premises devices
• Easier
• Allows you to identify files (and paths) infected by malware
Disadvantages:
• Azure AD cloud service is not included when you purchase Intune subscription

MDM option: Enterprise Mobility Suite
Advantages:
• Allows you to remote wipe, remote lock, and password lock a device
• Allows you to create restrictive security policies to mitigate threats
• Allows you to track user’s behavior by leveraging Azure AD Reports
• Allows you to track user rights assignment that can be used in some incident response scenarios
• Allows you to identify files (and paths) infected by malware
Disadvantages:
• Lack of integration with current on-premises MDM platform will introduce an additional management interface for you to use
• Some policies may not be available for some mobile platforms
Step 4 - Plan for Software as a Service (SaaS) mobile device management
The last step in designing a complete mobile device management strategy is to determine the requirements for the Software as a Service (SaaS) device management solution that you’ll use to support mobile devices in your organization. In this step, we’ll examine SaaS platform types, characteristics such as scalability and accessibility, mobile device management connectivity, and integration with your on-premises infrastructure.
More and more, organizations are starting to take advantage of the features and power of cloud
computing infrastructure solutions to deliver services and applications to users. Software as a
Service (SaaS) allows user and device services, applications, and activities to be centrally
managed from a single location, regardless of the location of the user or device. If your
organization is currently using (or planning to implement) SaaS services, it’s important to define
how the solution will deliver these services to mobile devices in your organization and integrate
with (or even replace) your on-premises mobile device management platform. In some cases,
SaaS solution decisions may be completely separate or just a small part of how mobile devices
will be managed in your organization. However, understanding the overall impact of the SaaS solution as it relates to managing mobile devices is an important part of deploying a complete mobile device management solution.
You need to go over these key aspects of the SaaS solution to understand what is a current requirement and what your organization plans for the future. If you don’t have the vision to define a long-term strategy for managing mobile devices and integration with cloud services adoption, your mobile device management solution may not be scalable as your organization’s business needs change.
Task 1: Identify your SaaS requirements
Each SaaS solution will have different requirements, mobile device management features, and levels of integration with on-premises networks and platforms. Many SaaS solutions offer trial tenants or services for you to evaluate their features and functionality, which is an important part of determining which solution actually meets your needs. However, many SaaS solutions may have subtle differences in features and functionality, depending on the platform type.
The majority of SaaS solutions are based on three cloud types:
• Multi-tenant (public)
• Private (dedicated)
• Hybrid
Before making decisions on how you’ll use a SaaS solution to manage your mobile devices,
you’ll also need to examine the differences between these types of cloud platform architectures
and choose the one that best fits the overall needs of your organization. Individual SaaS
solutions have differing levels of support for areas such as customization, feature configuration,
integration, and collaborative functionality.
SaaS cloud types
Multi-tenant SaaS solutions are what are typically called “public” cloud infrastructures. This is when the software architecture of the service is in a single instance, but serves multiple tenants or organizations. The solution is designed to provide every tenant a reserved share of its services, such as user or device management, configuration, and data support. The tenant accounts and services are separated virtually, with each tenant accessing the platform infrastructure in separate instances. Multi-tenant SaaS solutions also typically offer cost savings earned from sharing the infrastructure and distributing the overhead costs amongst multiple tenants. Most mobile device management platforms are offered in a multi-tenant SaaS platform infrastructure.
Private, or dedicated, cloud services are instances of SaaS solutions that are operated for a single organization or tenant. These can either be private cloud services hosted by the organization or private cloud services hosted by a 3rd party provider. Private cloud solutions also typically offer greater opportunities for customization, both in the areas of services and security. Some dedicated SaaS solutions offer mobile device management services as a part of larger private cloud tenant options.
Hybrid SaaS solutions can offer a combination of either multi-tenant and private cloud
infrastructures, or a combination of hosted (either multi-tenant or private) and on-premises
cloud infrastructures. A hybrid infrastructure may also include leveraging an external cloud SaaS
solution for delivering certain types of services (such as applications), but leveraging internal
resources for other types of services. Most SaaS solutions offer the ability to support a hybrid
cloud configuration, but may vary significantly on the depth and completeness of integration
with on-premises or other hosted cloud platforms.
SaaS cloud type questions: As part of SaaS management lifecycle planning, you’ll want to answer the following planning questions about cloud types:
• What level of security do I need for mobile device data stored in my SaaS solution?
• How does the SaaS solution address intrusion detection and data loss prevention for mobile devices?
• Does your organization have to comply with any regulatory, certification, or compliance requirements for mobile devices or data stored on mobile devices? If so, do these require a specific level of security, customization, scalability, or resiliency? How is compliance audited and reported?
• Does the SaaS solution need connectivity with other cloud services or platforms that will manage mobile devices? If so, is this connectivity:
  o Pre-configured or standardized?
  o Customizable?
  o Supported by the platforms you need to connect to?
• Do you need to connect your SaaS solution with an existing on-premises device management infrastructure? If so, is this connectivity:
  o Supported by your on-premises device management platform?
  o Supported by the SaaS solution?
  o Supported without the need for additional on-premises physical resources?
• Will your cloud-based services, applications, and processes for mobile devices require different levels of security, customization, scalability, and resiliency?
Scalability
Ease of scalability is one of the primary reasons for considering or deploying a SaaS solution for managing mobile devices in your organization. By definition, public SaaS solutions typically offer a virtually limitless ability to support any number of users or mobile devices. Private and hybrid SaaS solutions may be subject to scaling limits, based on available organization resources. Scaling up or down to support a greater or lesser number of users or devices usually depends on a specific licensing model or per user/device pricing package for public clouds.
Scalability questions: As part of SaaS management lifecycle planning, you’ll want to answer the following planning questions about cloud scalability:
• What type of short and long-term plans does your organization have for growth or contraction in mobile device and application support infrastructure?
• How rapidly will your organization need to scale mobile device management support services upward or downward?
• What is the initial number of mobile devices and/or users that need support in the SaaS solution? How likely is this number to change in the next year? The next 3 years? The next 5 years?
• Does the number of mobile devices needing SaaS solution support change on a regular pattern (such as seasonally)? Does it change according to the number of active or inactive organization projects?
• Does SaaS solution performance change depending on the scale of supported mobile devices and users? If so, in what areas (nodes, data, processing, etc.)? How is the scaling performance measured, reported, and audited?
Accessibility
Easy access to the SaaS solution is another key component of the SaaS architecture. Because the SaaS solution is hosted on a cloud-based infrastructure, it’s accessible by administrators, users, and devices from any location that has access to the Internet. Administration of mobile devices is done via a browser. Because many SaaS solution providers operate geographically diverse datacenters, users and devices can access the platform “locally”, often avoiding latency and delays that can be associated with connecting to geographically distant endpoints. Accessibility can also typically be expanded by integrating the SaaS solution with on-premises device management platforms.
Accessibility questions: As part of SaaS management lifecycle planning, you’ll want to answer the following planning questions about cloud accessibility:
• Are there specific mobile device browser requirements in your organization? If so, does the SaaS solution support the required browser(s)?
• Do mobile device users have any special accessibility requirements for applications or services?
• Does your organization need to access SaaS infrastructure located in the same geographic region as the user devices or your on-premises infrastructure? Are there legal ramifications if mobile device data is stored or moved across international borders?
Resiliency
Since the SaaS infrastructure is cloud-based and hosted across multiple datacenters, it is typically subject to less instability and fewer outages than traditional on-premises hosted services. Multi-location service hosts offer protection against geographic-based outages and service interruptions by using fail-over infrastructure and processes to replicate data across multiple datacenter nodes. Depending on the SaaS solution, access to the service may or may not remain in the original geographic area during a fail-over.
Resiliency questions: As part of SaaS management lifecycle planning, you’ll want to answer the following planning questions about cloud resiliency:
• In the event of primary SaaS solution fail-over, how will mobile device management services be impacted?
• How will mobile device data stored on the SaaS solution be shared in the cloud-based infrastructure?
• If the primary mobile device SaaS datacenter isn’t available, are the fail-over datacenters in the same geographic region as the primary datacenter? Is it OK for fail-over datacenters to be located outside the international borders from which the mobile devices are operating?
• Does the SaaS solution have a defined service level agreement (SLA) outlining support for mobile device management?
Up-to-date services
SaaS solutions are also able to keep the applications and services up-to-date with the latest application version, features, security updates, and bug fixes. Often these updates are published very quickly, sometimes even on a daily basis. Depending on the SaaS solution, updates may be instantly available to all customers or released in a phased approach to smaller groups of customers. One of the biggest benefits is that when a bug is fixed for one customer, the fix can be easily applied to all customers using the service.
Services questions: As part of SaaS management lifecycle planning, you’ll want to answer the following planning questions about cloud services:
• How often are mobile device management features and functionality updated in the SaaS service?
• What impact will feature and functionality updates have on your mission-critical mobile device applications and services?
• Are SaaS solution feature and functionality updates deployed to customers on an ad hoc or planned schedule?
• Does the SaaS solution support exemptions from service-wide updates for individual organizations?
• Does the SaaS solution have different service update schedules for mobile device application and mobile device management features and functionality?
Task 2: Identify your SaaS solution / on-premises infrastructure integration needs
Two primary decisions need to be made when considering managing mobile devices with a SaaS solution:
• How will your existing user and device on-premises directory accounts integrate with the SaaS solution?
• Do you need to integrate the SaaS solution with existing on-premises client management platforms?
The decisions you make in these two areas will significantly impact the overall deployment,
administration, and end-user experiences for your mobile device management solution.
Identity and directory connectivity
Connecting and synchronizing your on-premises user and device account directory with the SaaS solution is really the glue that truly connects users, mobile devices, mobile applications, and mobile device management. Knowing who a user is (identity) and associating the identity to specific mobile devices is critical in managing access to company resources and data from the mobile device. In many ways, maximizing how these areas are connected to the SaaS solution determines the overall value to both you and your mobile device users. Ubiquitous connectivity means that people can use devices and applications anywhere, and it’s essential that user identity management keeps pace with the demands of this connectivity. It can’t be stressed enough that how you manage identity and user authentication is critical to the success of your mobile device management solution.
Synchronizing on-premises directory services to the SaaS solution is another key area to
consider when defining your mobile device management strategy. Most organizations prefer to
maintain an on-premises user and device directory infrastructure, but need to extend these
accounts to a variety of cloud-based services. This may include only a SaaS-based mobile device
management solution, but in most scenarios organizations need to integrate user and device
accounts into several different types of cloud-based services. This may include cloud-based
applications, data, or 3rd party web services. Keeping your user and device directory accounts
synchronized is the cornerstone of a well-designed identity management solution. Once you
integrate your on-premises directory with cloud directory, you can also enable single sign-on
(SSO) to allow users to sign into all services using their on-premises credentials. Both Intune and
Office 365 can take advantage of this integration to enable SSO with SaaS apps that the
organization might want to use.
Identity and directory connectivity questions: As part of SaaS management lifecycle planning, you’ll want to answer the following planning questions about identity management and directory connectivity:
• Does the SaaS solution support integrated user authentication services? If so, does it support the type of directory services you’re using in your on-premises infrastructure?
• Do you need to support user and mobile device authentication for on-premises and/or internal applications or services?
• Does the SaaS solution support user and mobile device authentication for 3rd party or other external SaaS-based applications or services?
• How does the SaaS solution manage identity-related threats and abnormalities?
• Does the SaaS solution support implementing and managing multi-factor authentication (MFA)?
• What types of directory services objects do you need to extend to the SaaS solution? Does the SaaS solution have any restrictions for certain object types?
• What on-premises requirements are needed to extend your directory services to the SaaS solution?
• Once connected to the SaaS solution, how are user and mobile device directory objects replicated or synchronized with the cloud service? Are synchronization settings customizable or fixed?
• Are all directory object attributes synchronized with the SaaS solution? Do you need to synchronize custom directory object attributes?
• Are on-premises directory services hosted in a single location or logical grouping? If not, does the SaaS solution support synchronizing multiple directory services from multiple locations and logical groupings?
Connecting with existing client management platforms
Most organizations have an existing on-premises client management platform to manage desktop computers and servers. How you integrate the management of mobile devices into this system is likely to have a substantial impact on IT infrastructure costs, device management administration processes, device inventory and reporting support, and overall integration with other business-critical applications and services. By connecting these two platforms, organizations are able to leverage the economies of scale of a single, unified management platform.
Connecting existing client management platforms questions: As part of SaaS management lifecycle planning, you’ll want to answer the following planning questions about connecting the SaaS solution with existing client management platforms:
• Does your on-premises client management platform support integration with a SaaS solution? If so, are there:
  o Limitations on the type of SaaS solution?
  o Limitations on the types of supported devices?
• What are the requirements to connect your on-premises client management platform to the SaaS solution? Specifically, are there:
  o Physical server or device requirements?
  o Directory services or directory schema requirements?
  o Domain Name Services (DNS) requirements?
  o Identity requirements?
  o Client management platform upgrades or configuration requirements?
  o Network connectivity and/or network security configuration requirements?
• Can existing client or device configuration information (policies, profiles, and settings) be shared or leveraged in the SaaS solution? Will this information have to be recreated?
• After the two platforms are connected, how are clients managed? Are different types of clients managed in a unified administration system or are they managed separately?
• How are updates and changes in the SaaS solution integrated with the on-premises client management platform? Is this an automatic or manual configuration process?
Task 3: Develop your SaaS mobile device management adoption strategy
In this task you will define the mobile device management SaaS strategy to meet the requirements that you defined in Tasks 1 and 2.
Task 3a: Identify your SaaS solution requirements
Depending on how you answered the questions in Task 1, you should be able to determine what the SaaS solution needs to support in your mobile device management solution. Table 20 below will help you understand the advantages and disadvantages of each SaaS solution scenario:
Table 20

MDM option: Intune (standalone)
Advantages:
• Offered as a multi-tenant, public cloud architecture
• Scales to support up to 50,000 mobile devices
• Doesn’t require any additional investments in on-premises infrastructure, hardware or software
• Updates and feature improvements are made on a daily basis. Major feature and functionality enhancements are made on a monthly basis
• Services can be assigned to datacenters in specific geographic locations
• Datacenter fail-overs can be restricted to specific geographic locations
• Certified and compliant with most industry and governmental standards
• Service Level Agreement (SLA) is financially backed: if the service or features aren’t available, monthly charges are waived
Disadvantages:
• Private cloud instances aren’t supported
• If you need to support more than 50,000 mobile devices, you’ll need to connect Intune to System Center 2012 R2 Configuration Manager (ConfigMgr) to manage the additional devices

MDM option: MDM for Office 365
Advantages:
• Tightly integrated with Office 365 commercial tenants, providing a single management console for mobile devices and Office 365 tenant services (Exchange Online, SharePoint Online, and Skype for Business Online)
• Offered in Office 365 multi-tenant (public) or private (dedicated) platform types
• No additional user or device licensing costs; included by default in Office 365 commercial (Business, Enterprise, Education, and Government) plans
Disadvantages:
• Doesn’t support managing non-mobile operating systems
• Additional management interface for provisioning mobile devices (only) if using an on-premises management platform for non-mobile devices

MDM option: Hybrid (Intune with ConfigMgr)
Advantages:
• All the advantages of Intune standalone, plus the following:
  o Native integration between Intune (cloud-based device management service) and System Center 2012 and System Center 2012 R2 Configuration Manager (on-premises device management platforms)
  o Supports advanced device provisioning options for mobile devices via Intune connectivity
  o New Intune service features and functionality extended to the on-premises ConfigMgr infrastructure via platform extensions, either automatically or customized
Disadvantages:
• Requires additional configuration to connect Intune with the on-premises ConfigMgr infrastructure
• For organizations that don’t have a current ConfigMgr infrastructure configured, it will need to be planned, installed and configured prior to integrating with Intune
Make sure to read the article Help protect your data with remote wipe, remote lock, or passcode
reset using Microsoft Intune to understand what data is removed and the effect on data that
remains on the device after a selective wipe per platform. If you have a hybrid environment,
consult the article How to remote wipe mobile devices using Configuration Manager to
understand how ConfigMgr can be used to accomplish this task.
For more details about SaaS solution functionality and requirements, make sure to review the
service description for Microsoft Intune to understand the differences in SaaS support versus
MDM for Office 365 and in a hybrid Intune and ConfigMgr infrastructure.
Task 3b: Identify your SaaS solution connectivity requirements
How you connect your on-premises infrastructure will impact how user and device identity is managed with all MDM solutions: Intune, MDM for Office 365, and hybrid Intune and ConfigMgr deployments. Both Intune and MDM for Office 365 leverage the directory services architecture provided by Azure Active Directory Services. This integration with Azure gives you a lot of flexibility when you’re designing identity management support in your mobile device management solution.
As shown in Figure 15 below, connecting your on-premises directory services with Azure is
the key requirement for enabling single sign-on and unified directory account management.
Single sign-on makes it much easier for your users to connect to company resources that are
on-premises and in the cloud. Having a single place to manage accounts makes it easier for
administrators. For mobile access, synchronizing directory account attributes and credentials
between Azure and on-premises directory services allows users to authenticate on their mobile
devices for accessing resources that are managed by either MDM for Office 365 or Intune.
Figure 15 – Overview of integrated identity management
Depending on how you answered the questions in Task 2, you should be able to determine how
the SaaS solution needs to connect to your on-premises client management platform for your
mobile device management solution. Table 21 below will help you understand the advantages
and disadvantages of connecting your on-premises infrastructure with a SaaS solution:
Table 21

Connectivity option: Intune (standalone)
Advantages:
• Tightly integrated with Azure Active Directory for managing user and device identity and authentication
• Supports user credential self-management and single sign-on experiences that can leverage existing on-premises account credentials
• Supports single sign-on access to thousands of pre-integrated SaaS applications
• Supports application access security by enforcing rules-based multifactor authentication (MFA) for both on-premises and cloud applications
Disadvantages:
• Advanced directory services connectivity features and functionality require pairing with Azure Active Directory Premium

Connectivity option: MDM for Office 365
Advantages:
• Integrated with Office 365 tenants, which use the Azure Active Directory backbone for managing user and device identity and authentication
• On-premises directory services can be connected as a part of connecting services with Office 365
• Supports user self-management and single sign-on experiences that can leverage existing on-premises account credentials
Disadvantages:
• Doesn’t support mobile application management integration with other SaaS solutions or applications
• Doesn’t support multi-factor authentication

Connectivity option: Hybrid (Intune with ConfigMgr)
Advantages:
• All the advantages of Intune standalone, plus the following:
  o Direct integration with on-premises directory services through ConfigMgr infrastructure
Disadvantages:
• For organizations that don’t have a current ConfigMgr infrastructure configured, it will need to be planned, installed and configured prior to integrating with Intune
• Requires additional on-premises deployment and configuration changes for organizations with ConfigMgr
Next steps and resources
Now that you’ve completed defining your requirements and examining all the options for your mobile device management solution, you’re ready to take the next steps for deploying the supporting infrastructure that’s right for you and your organization.
Mobile device management solutions
Leveraging specific solution scenarios that fit your needs is a great way to review and plan for the details of deploying a mobile device management infrastructure. The following solutions outline several of the most common mobile device management scenarios:
• The manage mobile devices and PCs in enterprise environments solution helps you manage mobile devices by extending your on-premises System Center 2012 R2 Configuration Manager infrastructure into the cloud with Microsoft Intune. This hybrid infrastructure helps medium and large companies enable BYOD and remote access while reducing administration complexity.
• The managing mobile devices for Configuration Manager 2007 solution helps you manage mobile devices when your infrastructure rests on System Center Configuration Manager 2007. This solution shows you how to set up a single server running System Center 2012 R2 Configuration Manager so you can then run Microsoft Intune and take advantage of its MDM capabilities.
• The managing mobile devices in small environments solution is intended for small businesses that need to support MDM. It explains how to use Microsoft Intune to extend your current infrastructure to support mobile device management and BYOD. This solution describes the simplest scenario supported for using Microsoft Intune in a standalone, cloud-only configuration without local servers.
Mobile device management documentation
Conceptual and procedural planning, deployment, and administration content are useful when implementing your mobile device management solution:
• Microsoft System Center solutions can help you capture and aggregate knowledge about your infrastructure, policies, processes, and best practices so that your IT staff can build manageable systems and automate operations.
• Microsoft Intune is a cloud-based device management service that helps you to manage your computers and mobile devices and to secure your company’s information.
• MDM for Office 365 allows you to manage and secure mobile devices when they’re connected to your Office 365 organization. You can use MDM for Office 365 to set device security policies and access rules, and to wipe mobile devices if they’re lost or stolen. Get an overview of the features and setup steps for MDM in Office 365 in Explore the built-in Mobile Device Management (MDM) feature for Office 365.
Mobile device management resources
Monitoring the following resources provides the latest news and updates on our mobile device management solutions:
• Microsoft Enterprise Mobility blog
• Microsoft In The Cloud blog
• Microsoft Intune blog
• Microsoft System Center Configuration Manager blog
• Microsoft System Center Configuration Manager Team blog
• Microsoft Office 365 blog