Windows Phone 8 Device Management




Windows Phone 8 Device Management with Windows Intune and System Center Configuration Manager SP1

This white paper is part of a series of technical papers designed to help IT professionals evaluate Windows Phone 8 and understand how it can play a role in their organizations. It discusses and contains information regarding Windows Phone 8 mobile device management via Windows Intune and System Center Configuration Manager SP1.

Version 1.1 - January 2013

Legal Disclaimer

2012 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

Published: January 2013

Table of contents

Windows Phone 8 Device Management with Windows Intune and System Center Configuration Manager SP1
Introduction
Using Windows Intune for Direct Management of Windows Phone devices
Configuring Windows Intune to Manage Devices
Setting up Windows Intune for Windows Phone 8
Enrolling Windows Phone Devices in Windows Intune
Using System Center Configuration Manager SP1 to manage Windows Phone Devices
Resources

Introduction

Windows Intune provides a rich and flexible mobile device management experience for Windows Phone. With Windows Intune, you can manage Windows Phone 8 devices directly or through Exchange ActiveSync. With System Center 2012 Configuration Manager deployed in your environment as well, you can use the Windows Intune service to manage mobile devices, while performing all management tasks in the System Center Configuration Manager console.

Using Windows Intune for Direct Management of Windows Phone devices

Windows Intune provides comprehensive mobile device management for Windows Phone 8. With Windows Intune, you can deploy policies to help secure corporate data on your phone, perform a hardware inventory, distribute applications and links to applications that users can choose to install on their phone, and retire and wipe phones.

In addition, Windows Intune direct management of mobile devices enables you to distribute applications to users in either of the following ways:

- External link: For Windows Phone 8 devices, you can provide a link address to an application on the Windows Phone Store. In addition, this web link can be to a web-based application that runs on the device through the device's web browser.
- Software installer: You can provide a signed application package that is uploaded to the Windows Intune service directly and then sideloaded onto managed devices. Sideloaded applications do not have to be certified by or installed through the Windows Phone Store.

Users benefit from an enrollment and application installation experience that is tailored for their Windows Phone, allowing users to choose the applications that they want to install and to maintain control of configuring their devices.

Configuring Windows Intune to Manage Devices

Setting the Mobile Device Management Authority

The mobile device management authority determines where you will perform phone device management tasks. You can set the mobile device management authority to Windows Intune by using the Windows Intune administrator console or to System Center Configuration Manager by using the System Center Configuration Manager console.

Note: If you also plan to use Exchange ActiveSync to manage mobile devices, we recommend that you only deploy the Exchange Connector in the same environment where you set the mobile device management authority and where you plan to configure Windows Intune direct management. For information about how to set up the Exchange Connector for mobile device management in Windows Intune environments, see Exchange Connector Host System Requirements.

Consider carefully whether you want to manage mobile devices by using Windows Intune only or System Center Configuration Manager with Windows Intune Integration. Once you set the mobile device management authority to either of these options, it cannot be changed. For information about how to set the mobile device management authority to System Center Configuration Manager, see the System Center Configuration Manager 2012 SP1 documentation.

To set the mobile device management authority for Windows Intune:

1. Open the Windows Intune administrator console.
2. In the workspace shortcuts pane, click the Administration icon.
3. In the navigation pane, click Mobile Device Management Setup.
4. In the Tasks list on the Policy Overview page, click Set Mobile Device Management Authority.
5. The Set Mobile Device Management Authority dialog box appears, and it prompts you to choose whether to use Windows Intune to manage the mobile devices in your account. Do one of the following:
   - Click Yes to use Windows Intune to manage mobile devices for your account. If you set Windows Intune as the management authority, you must manage mobile devices by using the Windows Intune administrator console.
   - Click No to exit the dialog box. This leaves the mobile device management authority as None specified.

Provisioning users in Windows Intune

To manage users' mobile devices, you must first provision the users in Windows Intune. The process of provisioning defines device owners as managed users in Windows Intune. After provisioning is complete, users appear and can be managed in the Windows Intune administrator console. You provision users by doing either of the following:

- If you have Active Directory Domain Services (AD DS) in your environment, you can configure Active Directory synchronization so that your local users and security groups are synchronized to the Windows Azure Active Directory and can appear in the Windows Intune administrator console. To configure Active Directory synchronization, you need to set up the Microsoft Directory Synchronization Tool. Doing this populates the Windows Intune account portal with synchronized users and security groups and enables Windows Intune to retrieve user information for mobile device users. To ensure that your AD DS infrastructure is properly prepared for Windows Intune, we strongly recommend that you review Active Directory Synchronization Roadmap.
- If you do not have AD DS in your environment, you can provision users in Windows Intune by manually adding the users to the Windows Intune account portal. For more information, see Adding Users and Security Groups to Windows Intune in the Windows Intune Getting Started Guide.

Enabling automatic detection of a Windows Intune enrollment

To be managed by Windows Intune, devices must first discover and enroll in the Windows Intune service. If you plan to enable automatic detection of a Windows Intune enrollment server, you must ensure that you have set up a verified domain name for your Windows Intune account and then create a CNAME resource record for the verified domain in the public DNS

Obtaining an enterprise mobile code-signing certificate from Symantec

In order to distribute applications and external links to users who have Windows Phone 8 devices, you must first distribute the Company Portal app to these users by making it available on the Windows Phone Store. Users access the Company Portal app and install the Company Portal when they enroll their devices in Windows Intune. When you distribute applications and external links to users, they can access the applications and links by visiting the Company Portal.

Before you can distribute the Company Portal app to users, you must ensure that it is signed by a mobile code-signing certificate that is trusted by users' devices. After you obtain an enterprise mobile code-signing certificate, additional steps are required to export the certificate in PFX format, and to generate an application enrollment token (AET).

Setting up Windows Intune for Windows Phone 8

Setting up mobile device management for Windows Phone 8 devices

In order to be managed by Windows Intune, Windows Phone 8 devices must first discover and enroll in the Windows Intune service. You can either enable automatic detection of a Windows Intune enrollment server, or provide the following enrollment server address to users: enterpriseenrollment-s.manage.microsoft.com.

To enable devices to automatically detect a Windows Intune enrollment server, complete the following steps:

1. Verify your domain in the Windows Intune account portal.
2. Create a CNAME resource record for the verified domain in the public DNS. If there is more than one verified domain, you must create a CNAME record for each domain. The CNAME resource record must contain the following information:
   - Alias name: enterpriseenrollment
   - Fully qualified domain name (FQDN) for the target DNS host: enterpriseenrollment.manage.microsoft.com

For example, if contoso.com and fabrikam.com are the verified domains, you would create two CNAME resource records: one resource record to redirect requests that arrive at enterpriseenrollment.contoso.com to enterpriseenrollment.manage.microsoft.com, and another record to redirect requests that arrive at enterpriseenrollment.fabrikam.com to enterpriseenrollment.manage.microsoft.com. For information about how to create a CNAME resource record, see Add an Alias (CNAME) Resource Record to a Zone.

If you have enabled automatic detection, confirm that you have set up automatic detection correctly by completing the following steps:

1. Open the Windows Intune administrator console.
2. In the workspace shortcuts pane, click the Administration icon.
3. In the navigation pane, under Mobile Device Management, click Windows Phone 8.
4. Under Step 1: Enrollment Server Address, type the name of the verified domain, and then click Test Auto-Detection.
5. If you have set up automatic detection correctly, a message appears to confirm that users can enroll their devices without manually specifying the address of the Windows Intune enrollment server.
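The following check is an added example, not part of the white paper: it audits exported zone-file text for each verified domain and confirms that the enterpriseenrollment alias points only at enterpriseenrollment.manage.microsoft.com, catching a missing record or a target written without its trailing dot. The zone contents and function names are constructed for illustration, and only basic RFC 1035 master-file syntax (numeric TTLs, $ORIGIN, ; comments) is assumed.

```python
"""Audit zone-file text for the Windows Intune enrollment CNAME (added example)."""

ALIAS = "enterpriseenrollment"                         # alias name given in the paper
TARGET = "enterpriseenrollment.manage.microsoft.com"   # target FQDN given in the paper


def _absolute(name, origin):
    """Lower-case FQDN without trailing dot; relative names get the origin appended."""
    name = name.strip().lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1]
    return f"{name}.{origin}"


def parse_cnames(zone_text, origin):
    """Return {owner: [targets]} for every CNAME record in master-file text."""
    origin = origin.strip().lower().rstrip(".")
    cnames, last_owner = {}, origin
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()           # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
            origin = fields[1].lower().rstrip(".")
            continue
        if fields[0].startswith("$"):                  # $TTL and other directives
            continue
        if line[0].isspace():                          # owner inherited from previous record
            owner = last_owner
        else:
            owner = last_owner = _absolute(fields[0], origin)
            fields = fields[1:]
        # Skip optional TTL and class fields in either order.
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields = fields[1:]
        if len(fields) >= 2 and fields[0].upper() == "CNAME":
            cnames.setdefault(owner, []).append(_absolute(fields[1], origin))
    return cnames


def audit_enrollment(verified_domains, zones):
    """Return {domain: status}; zones maps each domain to its exported zone text."""
    results = {}
    for domain in verified_domains:
        d = domain.strip().lower().rstrip(".")
        if d not in zones:
            results[d] = "no zone data"
            continue
        targets = parse_cnames(zones[d], d).get(f"{ALIAS}.{d}", [])
        if not targets:
            results[d] = "missing"
        elif targets == [TARGET]:
            results[d] = "ok"
        else:
            results[d] = "wrong target: " + ", ".join(targets)
    return results


# Constructed sample zones for the two example domains used in the paper.
SAMPLE_ZONES = {
    "contoso.com": """\
$ORIGIN contoso.com.
$TTL 3600
@   IN SOA ns1.contoso.com. hostmaster.contoso.com. (
        2013010101 3600 600 86400 3600 )
www                   IN A     192.0.2.10
enterpriseenrollment  3600 IN CNAME enterpriseenrollment.manage.microsoft.com.
""",
    # Target lacks the trailing dot, so it is relative to the zone origin.
    "fabrikam.com": """\
$ORIGIN fabrikam.com.
EnterpriseEnrollment IN CNAME enterpriseenrollment.manage.microsoft.com ; no trailing dot
""",
}

if __name__ == "__main__":
    for name, status in audit_enrollment(["contoso.com", "fabrikam.com"], SAMPLE_ZONES).items():
        print(f"{name}: {status}")
```

A zone that passes this audit should still be confirmed with Test Auto-Detection in the administrator console, since the audit only inspects the exported records.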

Distributing Applications and External Links to Windows Phone users

To distribute applications and external web links to users with Windows Phone 8 devices, be sure to complete the required steps that are listed here: http://technet.microsoft.com/en-us/library/jj662647.aspx

Distributing applications and external links to users with Windows Phone 8 devices requires that you first distribute the Company Portal app to these users. Users access the Company Portal app when they enroll their devices in Windows Intune. To complete the enrollment process, users must install the Company Portal app. When you distribute applications and external links to users, they can access the applications and links by using the Company Portal app.

Before you can distribute the Company Portal app to users, you must make sure that the app is signed by a mobile code-signing certificate that is trusted by users' devices. To obtain the code-signing certificate, complete the following steps:

1. Establish a Company Dev Center account on the Windows Phone Dev Center. As part of this process, you will receive a Publisher ID. For more information, see Registration Info.
2. Visit the Symantec Enterprise Mobile Code Signing Certificate website to complete the required steps to obtain an enterprise mobile code-signing certificate. When this process is complete, Symantec will deliver a certificate that can be imported into the certificate store on a computer.
3. In the Certificates snap-in on the computer where the certificate is imported, export the certificate in PFX format. Be sure to export the private key with the certificate. The .pfx file will be used to generate an application enrollment token (AET) and sign company apps. For more information about how to export the certificate in PFX format, see Export a Certificate with the Private Key.
4. Windows Intune generates an application enrollment token (AET) so that you can enroll phones in the company account. This is required so that users can install the Company Portal app.

To prepare the Company Portal app for distribution to users, you must first download the app, and then ensure that it is signed with a certification authority that is trusted by the users' devices. To download and sign the app, complete the following steps:

5. Open the Windows Intune administrator console.
6. In the workspace shortcuts pane, click the Administration icon.
7. In the navigation pane, under Mobile Device Management, click Windows Phone 8.
8. Under Step 3: Download the Company Portal app File, click the Download the App File hyperlink.
9. Download the XapSignTool tool from the Windows Phone 8 SDK.
10. To sign the Company Portal app, follow the instructions in the Signing the XAP by using the XapSignTool tool section in How to precompile managed assemblies and sign a company app. You must sign the Company Portal app with the Symantec enterprise mobile code-signing certificate that you obtained when you completed step 3b.

Before distributing the Company Portal app to users, you must upload the signed Company Portal app file to Windows Intune. During the upload process, you will be prompted to provide the code-signing certificate. The Company Portal app will then be automatically made available to members of the All Users group in Windows Intune, so that you do not have to explicitly create a deployment to make it available.

Enrolling Windows Phone Devices in Windows Intune

Enrollment establishes a relationship among a user who is provisioned in Windows Intune, the user's device, and the Windows Intune service. Users must enroll their devices in Windows Intune to access and install applications that you distribute. Enrollment enables the following:

- Windows Intune to identify the device
- Windows Intune to identify the user of the device
- The device to contact the Windows Intune service
- The Windows Intune service to contact the device through a notification service
- Windows Intune and the device to exchange management communications securely
- Follow-up tasks, such as hardware inventory and the application of security policies, to be triggered

The names of the devices that users enroll should appear in the Windows Intune administrator console within a few hours of enrollment.

To enroll a Windows Phone 8 Device

To enroll their devices, users must enter their Windows Intune user ID or their existing on-premises Active Directory credentials using the following steps:

1. On the Windows Phone 8 device, select Settings, then system, and select Company Apps.
2. Select add account, and enter your company credentials in the Company Apps dialog.

After the Windows Phone 8 device is enrolled, users will be prompted to install the Company Portal app, which users can then use to install apps provided by their administrator.

During enrollment, the Windows Intune service checks to confirm that:

- The account for the organization is active.
- The user is provisioned in Windows Intune.
- The user has not exceeded the maximum allowed number of devices per user. Each user who is provisioned in Windows Intune can enroll a maximum of five devices.

Using System Center Configuration Manager SP1 to manage Windows Phone Devices

System Center 2012 Configuration Manager SP1 lets you manage Windows Phone 8 devices by using the Windows Intune service over the Internet. Although you use the Windows Intune service, management tasks are completed by using the Configuration Manager console. You can use the Windows Intune connector site system role in the Configuration Manager console to connect to the Windows Intune service.

Users can manage their devices by using the company portal. The company portal is a self-service portal that lets users control what apps are installed on their devices.

The Windows Intune subscription lets you specify configuration settings for the Windows Intune service; this includes defining the user collection that enables users to enroll mobile devices and defining which mobile devices to manage. After you have created your subscription, you can install the Windows Intune connector site system role, which lets you connect to Windows Intune. This role pushes settings and applications to the Windows Intune service. Windows Intune then makes apps available to users on their mobile devices through an interface called the company portal.

To set up mobile device management for Windows Phone 8, you must create a Windows Intune subscription where you specify your configuration settings.

Create the Windows Intune Subscription in SCCM SP1

1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Hierarchy Configuration, and click Windows Intune Subscriptions.
3. On the Home tab in the Create group, click Create Windows Intune Subscription.
4. On the Introduction page of the Create Windows Intune Subscription Wizard, review the text and click Next.
5. On the Subscription page, click Sign in and sign in by using your Windows Intune organizational account. Select the Allow the Configuration Manager console to manage this subscription check box. When you select this setting, you will only be able to manage mobile devices by using the Configuration Manager console. In order to continue with your subscription, you must select this option.
6. Click the privacy links to review them, and then click Next.
7. On the General page, specify the following options, and then click Next.
   - Collection: Specify a user collection whose members will be enabled for using the service. These users will be able to enroll their mobile devices. If a user is removed from the collection, the user's device will continue to be managed for up to 24 hours until the user record is removed from the user database.
   - Company name: Specify your company name.
   - URL to company privacy documentation: If you publish your company privacy information to a link that is accessible from the Internet, provide the link so that users can access it from the company portal. Privacy information can clarify what information users are sharing with your company.
   - Color scheme for company portal: Optionally, change the default color of blue for the company portal.
   - Configuration Manager site code: Specify a site code for a primary site to manage the mobile devices. Although you can change the site code at any time, if you do change it, existing users will have to retire their mobile devices and then reenroll on the new site.
8. On the Platforms page, select the device types that you want to manage and review the platform requirements, and then click Next.
9. On the Windows Phone 8 page, specify the code-signing certificate to use for all Windows Phone apps and then specify the location of the signed Windows Phone 8 company portal app.

The Windows Intune Connector Site System Role

The Windows Intune connector sends settings and software deployment information to Windows Intune and retrieves status and inventory messages from clients. The Windows Intune service acts as a gateway to communicate with mobile devices and store the settings.

1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles.
3. Add the Windows Intune Connector role to a new or existing site system server by using the associated step:
   - New site system server: On the Home tab, in the Create group, click Create Site System Server to start the Create Site System Server Wizard.
   - Existing site system server: Click the server on which you want to install the Windows Intune Connector role. Then, on the Home tab, in the Server group, click Add Site System Roles to start the Add Site System Roles Wizard.
4. On the System Role Selection page, select Windows Intune Connector, and click Next.
5. Complete the wizard.

Enrolling Windows Phone 8 in SCCM SP1

Windows Phone 8 users must start enrollment from the Windows Phone 8 device by going to system settings and selecting company apps.

1. Users navigate to system settings and select company apps.
2. Users are prompted for their Active Directory credentials for authentication. When authentication is successful, Windows Intune establishes a relationship between the user and the Windows Phone 8 device.
3. Users must select Install company app or Hub to let their device be managed. If users do not select this option, they cannot download the company portal.

If the Windows Phone 8 company portal is not installed during enrollment, or if users uninstall the company portal, users must retire their mobile device and reenroll it. Or, you can make the company portal file available by sending users a link in email.

After the company portal is installed on the device, inventory is collected, management settings are applied, and users now have access to line-of-business apps that you make available to them.

Resources

For more information about all the aspects of using Windows Phone in your company, see Windows Phone for Business (http://www.windowsphone.com/en-US/business/for-business).

To learn more about Windows Phone 8 Device Management and Windows Intune, or for more complete guidance for managing Windows Phone and other mobile devices, additional information is available at:

- Using Windows Intune for Direct Management of Mobile Devices at http://technet.microsoft.com/en-us/library/jj733632.aspx
- Customizing the Windows Intune Company Portal at http://technet.microsoft.com/en-us/library/jj662649.aspx
- How to Manage Mobile Devices by Using the Windows Intune Connector in Configuration Manager at http://technet.microsoft.com/en-us/library/jj884158.aspx