Windows Phone 8    Device Management    with Windows IntuneThis white paper is part of a series of technical papers design...
Legal Disclaimer© 2012 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information andviews...
TTable of contents Windows Phone 8 Device Management with Windows Intune                              1  Introduction     ...
IntroductionWindows Intune provides a rich and flexible mobile device managementexperience for Windows Phone. With Windows...
Configuring Windows Intune to Manage DevicesSetting the Mobile Device Management AuthorityThe mobile device management aut...
Provisioning users in Windows IntuneTo manage users’ mobile devices, you must first provision the users in Windows        ...
Obtaining an enterprise mobile code-signing certificate fromSymantecIn order to distribute applications and external links...
resource record to redirect requests that arrive at                enterpriseenrollment.contoso.com to                ente...
Distributing Applications and External Links to Windows PhoneusersIn order to distribute applications and external web lin...
that is trusted by the users’ devices. To download and sign the app, complete thefollowing steps:            5.   Open the...
   Windows Intune and the device to exchange management         communications securely       Follow-up tasks, such as...
ResourcesFor more information about all the aspects of using Windows Phone in yourcompany, see, Windows Phone for Business...
Upcoming SlideShare
Loading in …5
×

Windows phone 8 device management with windows intune

1,659 views

Published on

This white paper is part of a series of technical papers designed to help IT professionals evaluate Windows Phone 8 and understand how it can play a role in their organizations. It discusses and contains information regarding Windows Phone 8 mobile device management via Windows Intune.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,659
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
16
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Windows phone 8 device management with windows intune

  1. 1. Windows Phone 8 Device Management with Windows IntuneThis white paper is part of a series of technical papers designed to help IT professionals evaluateWindows Phone 8 and understand how it can play a role in their organizations. It discusses andcontains information regarding Windows Phone 8 mobile device management via WindowsIntune. December 2012
  2. 2. Legal Disclaimer© 2012 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information andviews expressed in this document, including URL and other Internet Web site references, may changewithout notice. You bear the risk of using it.This document does not provide you with any legal rights to any intellectual property in any Microsoftproduct. You may copy and use this document for your internal, reference purposes.Published: December 2012 Windows Phone 8 Mobile Device Management with Windows Intune
  3. 3. TTable of contents Windows Phone 8 Device Management with Windows Intune 1 Introduction 1 Using Windows Intune for Direct Management of Windows Phone devices 1 Configuring Windows Intune to Manage Devices 2 Setting up Windows Intune for Windows Phone 8 4 Enrolling Windows Phone Devices in Windows Intune 7 Resources 9 Windows Phone 8 Mobile Device Management with Windows Intune
  4. 4. IntroductionWindows Intune provides a rich and flexible mobile device managementexperience for Windows Phone. With Windows Intune, you can manage WindowsPhone 8 devices directly or through Exchange ActiveSync. With System Center 12012 Configuration Manager deployed in your environment as well, you can usethe Windows Intune service to manage mobile devices, while performing allmanagement tasks in the System Center Configuration Manager console.Using Windows Intune for Direct Management ofWindows Phone devicesWindows Intune provides comprehensive mobile device management for WindowsPhone 8. With Windows Intune, you can deploy policies to help secure corporatedata on your phone, perform a hardware inventory, and distribute applications andlinks to applications that users can choose to install on their phone, and retire andwipe phones. In addition, Windows Intune direct management of mobile devicesenables you to distribute applications to users in either of the following ways:  External link: For Windows Phone 8 devices, you can provide a link address to an application on the Windows Phone Store. In addition, this web link can be to a web-based application that runs on the device through the device’s web browser.  Software installer: You can provide a signed application package that is uploaded to the Windows Intune service directly and then sideloaded onto managed devices. Sideloaded applications do not have to be certified by or installed through the Windows Phone Store.Users benefit from an enrollment and application installation experience that istailored for their Windows Phone allowing users to choose the applications thatthey want to install, and maintain control of configuring their devices. Windows Phone 8 Mobile Device Management with Windows Intune
  5. 5. Configuring Windows Intune to Manage DevicesSetting the Mobile Device Management AuthorityThe mobile device management authority determines where you will performphone device management tasks. You can set the mobile device managementauthority to Windows Intune by using the Windows Intune administrator console 2or to System Center Configuration Manager by using the System CenterConfiguration Manager console. Note: If you also plan to use Exchange ActiveSync to manage mobile devices, we recommend that you only deploy the Exchange Connector in the same environment where you set the mobile device management authority and where you plan to configure Windows Intune direct management. For information about how to set up the Exchange Connector for mobile device management in Windows Intune environments, see Exchange Connector Host System Requirements.Consider carefully whether you want to manage mobile devices by using WindowsIntune only or System Center Configuration Manager with Windows IntuneIntegration. Once you set the mobile device management authority to either ofthese options, it cannot be changed.For information about how to set the mobile device management authority toSystem Center Configuration Manager, see the System Center ConfigurationManager 2012 SP1 documentation.To set the mobile device management authority for Windows Intune: 1. Open the Windows Intune administrator console. 2. In the workspace shortcuts pane, click the Administration icon. 3. In the navigation pane, click Mobile Device Management Setup. 4. In the Tasks list on the Policy Overview page, click Set Mobile Device Management Authority. 5. The Set Mobile Device Management Authority dialog box appears, and it prompts you to choose whether to use Windows Intune to manage the mobile devices in your account. Do one of the following:  Click Yes to use Windows Intune to manage mobile devices for your account. If you set Windows Intune as the management authority, you must manage mobile devices by using the Windows Intune administrator console.  Click No to exit the dialog box. This leaves the mobile device management authority as None specified. Windows Phone 8 Mobile Device Management with Windows Intune
  6. 6. Provisioning users in Windows IntuneTo manage users’ mobile devices, you must first provision the users in Windows 3Intune. The process of provisioning defines device owners as managed users inWindows Intune. After provisioning is complete, users appear and can be managedin the Windows Intune administrator console. You provision by users doing eitherof the following:  If you have Active Directory Domain Services (AD DS) in your environment you can configure Active Directory synchronization so that your local users and security groups are synchronized to the Windows Azure Active Directory and can appear in the Windows Intune administrator console. To configure Active Directory synchronization, you need to set up the Microsoft Directory Synchronization Tool. Doing this populates the Windows Intune account portal with synchronized users and security groups and enables Windows Intune to retrieve user information for mobile device users. To ensure that your AD DS infrastructure is properly prepared for Windows Intune, we strongly recommend that you review Active Directory Synchronization Roadmap.  If you do not have AD DS in your environment you can provision users in Windows Intune by manually adding the users to the Windows Intune account portal. For more information, see “Adding Users and Security Groups to Windows Intune” in the Windows Intune Getting Started Guide.Enabling automatic detection of a Windows Intune enrollmentTo be managed by Windows Intune, devices must first discover and enroll in theWindows Intune service. If you plan to enable automatic detection of a WindowsIntune enrollment server, you must ensure that you have set up a verified domainname for your Windows Intune account and then create a CNAME resource recordfor the verified domain in the public DNS Windows Phone 8 Mobile Device Management with Windows Intune
  7. 7. Obtaining an enterprise mobile code-signing certificate fromSymantecIn order to distribute applications and external links to users who have WindowsPhone 8 devices, you must first distribute the Company Portal app to these usersby making it available on the Windows Phone Store. Users access the CompanyPortal app and install the Company Portal when they enroll their devices in 4Windows Intune. When you distribute applications and external links to users, theycan access the applications and links by visiting the Company Portal.Before you can distribute the Company Portal app to users, you must ensure that itis signed by a mobile code-signing certificate that is trusted by users’ devices. Afteryou obtain an enterprise mobile code-signing certificate, additional steps arerequired to export the certificate in PFX format, and to generate an applicationenrollment token (AET).Setting up Windows Intune for Windows Phone 8Setting up mobile device management for Windows Phone 8devicesIn order to be managed by Windows Intune, Windows Phone 8 devices must firstdiscover and enroll in the Windows Intune service. You can either enable automaticdetection of a Windows Intune enrollment server, or provide the followingenrollment server address to users: enterpriseenrollment-s.manage.microsoft.com.To enable devices to automatically detect a Windows Intune enrollment server,complete the following steps: 1. Verify your domain in the Windows Intune account portal. 2. Create a CNAME resource record for the verified domain in the public DNS. If there is more than one verified domain, you must create a CNAME record for each domain. The CNAME resource record must contain the following information:  Alias name: enterpriseenrollment  Fully qualified domain name (FQDN) for the target DNS host: enterpriseenrollment.manage.microsoft.com For example, if contoso.com and fabrikam.com are the verified domains, you would create two CNAME resource records: One Windows Phone 8 Mobile Device Management with Windows Intune
  8. 8. resource record to redirect requests that arrive at enterpriseenrollment.contoso.com to enterpriseenrollment.manage.microsoft.com, and another record to redirect requests that arrive at enterpriseenrollment.fabrikam.com to enterpriseenrollment.manage.microsoft.com. For information 5 about how to create a CNAME resource record, see Add an Alias (CNAME) Resource Record to a Zone.If you have enabled automatic detection, confirm that you have set up automaticdetection correctly by completing the following steps: 1. Open the Windows Intune administrator console. 2. In the workspace shortcuts pane, click the Administration icon. 3. In the navigation pane, under Mobile Device Management , click Windows Phone 8 . 4. Under Step 1: Enrollment Server Address , type the name of the verified domain, and then click Test Auto-Detection. 5. If you have set up automatic detection correctly, a message appears to confirm that users can enroll their devices without manually specifying the address of the Windows Intune enrollment server. Windows Phone 8 Mobile Device Management with Windows Intune
  9. 9. Distributing Applications and External Links to Windows PhoneusersIn order to distribute applications and external web links to users with WindowsPhone 8 devices be sure to complete the steps required for distributing 6applications and external web links to users with Windows Phone 8 devices that arelisted here: http://technet.microsoft.com/en-us/library/jj662647.aspxDistributing applications and external links to users with Windows Phone 8 devicesrequires that you first distribute the Company Portal app to these users. Usersaccess the Company Portal app when they enroll their devices in Windows Intune.To complete the enrollment process, users must install the Company Portal app.When you distribute applications and external links to users, they can access theapplications and links by using the Company Portal app.Before you can distribute the Company Portal app to users, you must make surethat the app is signed by a mobile code-signing certificate that is trusted by users’devices. To obtain the code-signing certificate, complete the following steps: 1. Establish a Company Dev Center account on the Windows Phone Dev Center. As part of this process, you will receive a Publisher ID. For more information, see Registration Info. 2. Visit the Symantec Enterprise Mobile Code Signing Certificate website to complete the required steps to obtain an enterprise mobile code-signing certificate. When this process is complete, Symantec will deliver a certificate that can be imported into the certificate store on a computer. 3. In the Certificates snap-in on the computer where the certificate is imported, export the certificate in PFX format. Be sure to export the private key with the certificate. The .pfx file will be used to generate an application enrollment token (AET) and sign company apps. For more information about how to export the certificate in PFX format, see Export a Certificate with the Private Key. 4. Windows Intune generates an application enrollment token (AET) so that you can enroll phones in the company account. This is required so that users can install the Company Portal app.To prepare the Company Portal app for distribution to users, you must firstdownload the app, and then ensure that it is signed with a certification authority Windows Phone 8 Mobile Device Management with Windows Intune
  10. 10. that is trusted by the users’ devices. To download and sign the app, complete thefollowing steps: 5. Open the Windows Intune administrator console. 6. In the workspace shortcuts pane, click the Administration icon. 7. In the navigation pane, under Mobile Device Management , click 7 Windows Phone 8 . 8. Under Step 3: Download the Company Portal app File , click the Download the App File hyperlink. 9. Download the XapSignTool tool from the Windows Phone 8 SDK. 10. To sign the Company Portal app, follow the instructions in the “Signing the XAP by using the XapSignTool tool” section in How to precompile managed assemblies and sign a company app. You must sign the Company Portal app with the Symantec enterprise mobile code-signing certificate that you obtained when you completed step 3b.Before distributing the Company Portal app to users, you must upload the signedCompany Portal app file to Windows Intune. During the upload process, you will beprompted to provide the code-signing certificate. The Company Portal app willthen be automatically made available to members of the All Users group inWindows Intune, so that you do not have to explicitly create a deployment to makeit available.Enrolling Windows Phone Devices in Windows IntuneEnrollment establishes a relationship among a user who is provisioned inWindows Intune, the user’s device, and the Windows Intune service. Users mustenroll their devices in Windows Intune to access and install applications that youdistribute. Enrollment enables the following:  Windows Intune to identify the device  Windows Intune to identify the user of the device  The device to contact the Windows Intune service  The Windows Intune service to contact the device through a notification service Windows Phone 8 Mobile Device Management with Windows Intune
  11. 11.  Windows Intune and the device to exchange management communications securely  Follow-up tasks, such as hardware inventory and the application of security policies, to be triggeredThe names of the devices that users enroll should appear in the Windows Intune 8administrator console within a few hours of enrollment.To enroll a Windows Phone 8 DeviceTo enroll their devices, users must enter their Windows Intune user ID or theirexisting on-premises Active Directory credentials using the following steps: 1. On the Windows Phone 8 device select Settings , then system , and select Company Apps . 2. Select add account , and enter your company credentials in the Company Apps dialog.After the Windows Phone 8 device is enrolled, users will be prompted to install theCompany Portal app, which users can then use to install apps provided by theiradministrator.During enrollment, the Windows Intune service checks to confirm that:  The account for the organization is active.  The user is provisioned in Windows Intune.  The user has not exceeded the maximum allowed number of devices per user. Each user who is provisioned in Windows Intune can enroll a maximum of five devices. Windows Phone 8 Mobile Device Management with Windows Intune
  12. 12. ResourcesFor more information about all the aspects of using Windows Phone in yourcompany, see, Windows Phone for Business (http://www.windowsphone.com/en- 9US/business/for-business).To learn more about Windows Phone 8 Device Management and Windows Intune,or for more complete guidance for managing Windows Phone and other mobiledevices additional information is available at: “Using Windows Intune for Direct Management of Mobile Devices” at http://technet.microsoft.com/en-us/library/jj733632.aspx “Customizing the Windows Intune Company Portal” at http://technet.microsoft.com/en-us/library/jj662649.aspx Windows Phone 8 Mobile Device Management with Windows Intune

×