From his blog post, Björn Axéll walks through the improvements to Intune as a result of applying Cumulative Update 2 to System Center Configuration Manager 2012 R2.
Learn more at: http://blog.advisec.com/?p=694
In this article, I’ll walk you through each EMM component and illustrate the respective Microsoft capabilities.
Mobile Device Management (MDM) is the most general type of management: IT applies policies, configurations, provisioning and settings to mobile devices that are enrolled with an on-premises MDM server or a cloud-based service.
The Microsoft MDM solution interfaces with the management APIs exposed by the various mobile operating systems. As with all MDM offerings on the market, this means there are variations in management capabilities across operating systems since each exposes a different set.
Policy settings for enrolled devices include:
A comprehensive matrix of supported policies per device can be found on TechNet:
In addition to Remote Wipe, which resets the device and removes everything on it, we also have Selective Wipe, which removes company apps, data and management policies from the mobile device while leaving personal apps and data untouched. Keep in mind that a selective wipe can only remove what the management agent deployed or controls; data a user has already copied out of a managed app into a personal app or cloud service is not reached, which is why data protection matters alongside device management. Learn more on TechNet: http://technet.microsoft.com/en-us/library/jj884158.aspx#bkmk_dev
Mobile Application Management (MAM) is a more specific type of management. It focuses on delivering native apps from a corporate app catalog to an employee device while giving IT the power to selectively remove the downloaded apps and their associated data without touching personal apps and data.
Microsoft provides a Company Portal (Self Service Portal) that is downloadable from the Windows Store, Apple App Store, and Google Play. Windows 8/RT, Windows 8.1/RT/Pro/Enterprise, Windows Phone 8, Android 4 and higher as well as iOS 6 and higher are all supported. Users can download corporate apps to their device from the portal.
Corporate apps can also be pushed (user consent may be required) and remotely uninstalled from all devices except Windows Phone 8. Public apps made available by IT can be deep linked to their respective public stores via the portal. Remote apps can also be made available and accessed across mobile platforms via Remote Desktop Services (RDS) for high-security scenarios, since the application and its data stay in the datacenter and only screen output reaches the device. Administrators can view an inventory of the corporate apps installed on a device without seeing the personal apps.
Workplace Join is a new Identity and Access feature that makes a personal device known to your IT department: the device is registered as an object in Active Directory and receives a device certificate that identifies it to AD FS on later sign-ins. Employees can then access applications and data from that device wherever they are, and they get single sign-on when using browser applications or enterprise applications, while IT can make access decisions based on whether the device is registered.
Single Sign On (SSO) is delivered through the new Web Application Proxy, which publishes corporate web applications to mobile devices without the need for a VPN and pre-authenticates each request against AD FS before anything is forwarded to the internal server. Active Directory Federation Services (AD FS) simplifies access to systems and applications using claims-based authorization to maintain application security, and its Web SSO support helps IT organizations collaborate across organizational boundaries. AD FS policy can also require multifactor authentication, for example for requests that arrive from outside the corporate network or from devices that are not registered.
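As an added example (not code from the original post), here is how the pieces in the two paragraphs above fit together on Windows Server 2012 R2 from an elevated PowerShell session: the Device Registration Service is enabled so Workplace Join can register devices, a relying party trust is limited to registered devices, multifactor authentication is demanded for extranet requests, and the application is published through Web Application Proxy with AD FS pre-authentication. The service account, host names, application name and certificate thumbprint are placeholders, not values from the post.

```powershell
# Added example, not from the original post. Account, host names, app name and
# thumbprint are assumptions.

# --- On the AD FS server: enable the Device Registration Service so Workplace Join
#     can create device objects in AD and issue device certificates.
Initialize-ADDeviceRegistration -ServiceAccountName 'CONTOSO\svc_adfs$'
Enable-AdfsDeviceRegistration
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# --- Relying party for the internal app that WAP will publish.
Add-AdfsRelyingPartyTrust -Name 'Expenses' `
    -Identifier 'https://expenses.contoso.com/' `
    -WSFedEndpoint 'https://expenses.contoso.com/'

# Send the user's name and group memberships to the app.
$issuance = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send name and groups"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/claims/Group"), query = ";displayName,tokenGroups;{0}", param = c.Value);
'@

# Authorize only Workplace-joined devices: AD FS derives isregistereduser from the
# device certificate presented at sign-in; with no permit claim the request is denied.
$authz = @'
@RuleName = "Permit only registered devices"
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName 'Expenses' `
    -IssuanceTransformRules $issuance `
    -IssuanceAuthorizationRules $authz

# Global rule: require MFA when the request did not come from inside the corporate
# network (which is exactly the traffic that arrives through WAP).
$mfa = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfa

# --- On the Web Application Proxy server in the DMZ: publish the app with AD FS
#     pre-authentication, so unauthenticated traffic never reaches the backend.
Add-WebApplicationProxyApplication -Name 'Expenses' `
    -ExternalPreAuthentication ADFS `
    -ADFSRelyingPartyName 'Expenses' `
    -ExternalUrl 'https://expenses.contoso.com/' `
    -BackendServerUrl 'https://expenses.corp.contoso.local/' `
    -ExternalCertificateThumbprint 'REPLACE-WITH-PUBLIC-CERT-THUMBPRINT'

# Confirm what is published and how it is pre-authenticated.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalUrl, BackendServerUrl, ExternalPreAuthentication
```

The order matters in practice: the WAP server must already be installed with Install-WebApplicationProxy against the same federation service, and a device that is not Workplace joined will authenticate successfully at AD FS and then be refused by the authorization rule, which is the behaviour you want to test for first.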
This is the most granular type of management where IT policies are assigned directly to the data to ensure security no matter where it resides, flows to, or which app is using it.
Active Directory Rights Management Services protects documents and Exchange email by encrypting the content and binding a usage license to it that lists the rights a given user has (view, edit, print, forward and so on); RMS-aware applications then remove the options to perform actions outside those rights. Applied as a policy such as Do Not Forward, this keeps corporate email from being forwarded to external email accounts, and because the file itself is encrypted, uploading it to a 3rd party cloud file sharing provider yields nothing usable to anyone without a license. Two caveats a practitioner should keep in mind: the rights are enforced by the consuming application, so only RMS-aware clients can open protected content at all, and RMS cannot stop a user from photographing or retyping what is on screen. Within those limits, the protection travels with the data wherever it goes.
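An added example, not from the original post, of putting the paragraph above into practice: on the Exchange side the built-in Do Not Forward template is applied by transport rule to a group's internal mail, and on the file side the RMS Protection tool (a separate download that shipped after this post was written) applies a template to documents on a share and reports which files ended up protected. Addresses, server names, the group, the template name and the share path are assumptions.

```powershell
# Added example, not from the original post. Addresses, server names, the group,
# the template name and the share path are assumptions.

# --- Exchange 2013 Management Shell: enable IRM against the on-premises AD RMS
#     cluster and confirm Exchange can obtain licences on behalf of a sender.
Set-IRMConfiguration -InternalLicensingEnabled $true
Test-IRMConfiguration -Sender 'alice@contoso.com'

# Everything the finance group sends inside the organisation is sealed with the
# built-in "Do Not Forward" template. RMS-aware clients such as Outlook and OWA
# hide Forward, Copy and Print; a recipient who tries to relay the message to an
# external account has nothing readable to send.
New-TransportRule -Name 'Finance - Do Not Forward' `
    -FromMemberOf 'finance@contoso.com' `
    -SentToScope InOrganization `
    -ApplyRightsProtectionTemplate 'Do Not Forward'

# --- File side, with the RMS Protection tool (RMSProtection module): protect the
#     documents on a share with a custom template so the rights travel with the file
#     into Work Folders, e-mail attachments or a third-party cloud.
Import-Module RMSProtection
$template = Get-RMSTemplate -RMSServer 'rms.contoso.com' |
    Where-Object Name -eq 'Contoso Confidential - Read Only'   # assumed template name

Protect-RMSFile -Folder 'D:\Shares\Finance' -Recurse -InPlace `
    -TemplateId $template.TemplateId

# Check: list anything that is still not protected. Those are file types RMS cannot
# wrap, and they need a different control (share permissions, DLP) instead.
Get-ChildItem 'D:\Shares\Finance' -File -Recurse |
    ForEach-Object { Get-RMSFileStatus -File $_.FullName } |
    Where-Object Status -ne 'Protected'
```

Test-IRMConfiguration is the check to run first: if Exchange cannot reach the RMS licensing pipeline, the transport rule silently fails to protect and the message is delivered in the clear.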
Secure distribution and mobile access to documents for employees.
Secure mobile file synchronization is facilitated by Work Folders. This is a secure share on Windows Server 2012 R2 that is made available to individual mobile devices that are Workplace joined. In order to say “Goodbye” to Dropbox and “Hello” to corporate file sync, you’ll have to accept some security policies on your device. Your IT department can require that the Work Folders copy on your device is encrypted (with EFS under an enterprise key rather than your personal one), require a lock-screen password, and erase all the files in your Work Folders if you lose your device.
Our Dynamic Access Control technology can be used with the server share to classify documents automatically based on their content and apply protection accordingly. Using Work Folders is a great way to make your work files available to all your devices, even when you’re offline. You can even control whether files are synced over metered connections or while roaming.
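The server side of Work Folders and Dynamic Access Control, as an added example that is not part of the original post: a sync share with the encryption and lock-screen policies described above, and a File Server Resource Manager classification rule plus file management job that tags files by content and applies an AD RMS template to the ones that match, so the protection follows the file when it syncs to a device. Share paths, the group name, the regular expression, the resource property and the template name are assumptions.

```powershell
# Added example, not from the original post. Paths, group, regex, property and
# template names are assumptions.

Install-WindowsFeature FS-SyncShareService, FS-Resource-Manager -IncludeManagementTools

# --- Work Folders: one sync share for the Sales group. Devices that enrol must accept
#     the policies: the local copy is EFS-encrypted with the enterprise ID, and a
#     lock-screen password with auto-lock is required before syncing starts.
New-SyncShare -Name 'Sales' -Path 'D:\SyncShares\Sales' `
    -User 'CONTOSO\Sales' `
    -RequireEncryption $true `
    -RequirePasswordAutoLock $true

# Verify the policies clients will be told to enforce.
Get-SyncShare -Name 'Sales' |
    Format-List Name, Path, User, RequireEncryption, RequirePasswordAutoLock

# --- Dynamic Access Control / FCI: pull the resource properties (Impact_MS etc.)
#     from AD, then tag any file on the share whose content looks like a card number.
Update-FsrmClassificationPropertyDefinition
New-FsrmClassificationRule -Name 'Card number in content' `
    -Property 'Impact_MS' -PropertyValue 'High' `
    -Namespace @('D:\SyncShares\Sales') `
    -ClassificationMechanism 'Content Classifier' `
    -ContentRegularExpression @('\b(?:\d[ -]?){13,16}\b') `
    -ReevaluateProperty Overwrite

# A continuous file management job applies the RMS template to every High-impact
# file as soon as it is classified, so the file is encrypted before it syncs out.
$rms  = New-FsrmFmjAction -Type Rms -RmsTemplate 'Contoso Confidential - Read Only'
$cond = New-FsrmFmjCondition -Property 'Impact_MS' -Condition Equal -Value 'High'
New-FsrmFileManagementJob -Name 'Protect High impact files' `
    -Namespace @('D:\SyncShares\Sales') `
    -Action $rms -Condition $cond -Continuous

# Run classification now rather than waiting for the schedule.
Start-FsrmClassification -Confirm:$false
```

The regular expression is deliberately loose (it will match some phone and account numbers too); for production use the Content Classifier's string list or a tighter pattern with a checksum step, and review the classified set with Get-FsrmClassification before turning on the RMS job.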
With Exchange ActiveSync (EAS) support, Windows Phone 8 can be managed via Exchange Server on-premises and Office 365 in the cloud. As I’ve discussed in previous articles, EAS provides an enterprise with a baseline level of capabilities to manage BYOD scenarios that need to support a wide range of smartphones.
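As an added example (not from the original article) of the baseline EAS controls mentioned above, the following Exchange 2013 Management Shell session creates a mailbox policy with PIN, lockout and encryption requirements, quarantines unknown devices while allowing Windows Phone 8 explicitly, and wipes a lost device. The addresses, the device ID and the policy name are constructed for the example.

```powershell
# Added example, not from the original article. Addresses, device ID and policy name
# are constructed for illustration.

# 1. A mailbox policy every phone must honour before it receives mail: PIN, lockout,
#    inactivity lock, encryption, and no access for devices that cannot enforce it.
New-MobileDeviceMailboxPolicy -Name 'BYOD Baseline' `
    -PasswordEnabled $true `
    -AllowSimplePassword $false `
    -MinPasswordLength 6 `
    -MaxPasswordFailedAttempts 8 `
    -MaxInactivityTimeLock '00:05:00' `
    -PasswordExpiration '90.00:00:00' `
    -DeviceEncryptionEnabled $true `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

Set-CASMailbox -Identity 'alice@contoso.com' -ActiveSyncMailboxPolicy 'BYOD Baseline'

# 2. Organisation-wide access control: devices nobody has seen before are quarantined
#    (the admins get mail) instead of being let in, and Windows Phone 8 is allowed
#    explicitly. Check Get-MobileDeviceStatistics for the exact DeviceType string
#    your phones report before relying on it.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'mdm-admins@contoso.com'
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType `
    -QueryString 'WP8' -AccessLevel Allow

# 3. See what a user has paired, then wipe a lost device. Clear-MobileDevice queues a
#    full device wipe that runs on the next sync; the phone acknowledges it, which
#    shows up later in DeviceWipeAckTime.
Get-MobileDeviceStatistics -Mailbox 'alice@contoso.com' |
    Format-Table DeviceType, DeviceModel, DeviceId, LastSyncAttemptTime, `
                 DeviceAccessState, DeviceWipeRequestTime, DeviceWipeAckTime

$lost = Get-MobileDevice -Mailbox 'alice@contoso.com' |
    Where-Object DeviceId -eq 'APPL12345ABCDE'      # constructed device ID
Clear-MobileDevice -Identity $lost.Identity `
    -NotificationEmailAddresses 'alice@contoso.com' -Confirm:$false
```

Two practical notes: the wipe only executes when the device next connects, so block the device's access (Set-CASMailbox -ActiveSyncBlockedDeviceIDs) if you do not want it reading mail in the meantime, and on Exchange 2010 the same operations use the older ActiveSync-named cmdlets (Clear-ActiveSyncDevice, New-ActiveSyncMailboxPolicy).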
I’m also pleased to announce MDM support from leading 3rd party vendors including MobileIron, Symantec, Zenprise, and AirWatch. Here are a few of their press releases:
As an MDM veteran, I’m thrilled to see comprehensive management support for Windows Phone 8 and look forward to seeing new additions to our list of 3rd party vendor support for our amazing enterprise device.
In the Spring of 2006, I created a Mobile Device Management (MDM) package for Microsoft called Windows Mobile Provisioner. It was used by Microsoft IT (MSIT) to rapidly provision and manage Windows Mobile devices / smartphones for our employees in the years before we developed and shipped System Center Mobile Device Manager 2008. I drew on my experience in designing, developing, shipping, marketing, and selling the NetPerceptor MDM package for the cloud (Level 3) back in 2003 with my co-founder Darren. Of course, OMA DM and CSPs made creating an MDM system much easier in 2006.
Windows Mobile Provisioner fully integrated with Active Directory to allow the management of policies, settings, and over-the-air (OTA) software distribution based on Microsoft users and groups. As you might imagine, there was a Management and Reporting dashboard as well as a mobile client for user self-service.
The first image below shows the client app where a user could rapidly configure Exchange ActiveSync (EAS) from a single screen:
The second image below shows the client app’s ability to configure the data connections for different mobile operators globally:
The last image below shows how the client app allowed users to change the themes of their smartphone:
Of course, my MDM solution sent health metrics as well as device and app inventory to the server for analysis. Administrators could push out patches, anti-virus definitions, ROM packages, and other software to selected devices. Apps could also be remotely uninstalled. In addition to the features described in the images above, the rich client app that accompanied the MDM agent gave users the ability to view and download apps, ring tones, and other content made available to users and groups via Active Directory security. I certainly hope the MDM solution your company is using “at least” does all the stuff I just mentioned from a long time ago.
It was a great experience being an early pioneer in the Mobile Device Management (MDM) space; and the first to do it in the cloud at the beginning of the 21st century. Back then, I could count all the MDM competitors on my two hands. Fast-forward to 2012, I think there’s over 100 different players in this space. The majority of them are indistinguishable from each other as they all target the identical MDM APIs exposed by iOS and Android. As usual, differentiation will be invented by marketers.
The most notable item for me is the blacklisting of the Google Play app store on Android devices. In my view, no amount of PIN enforcement, device encryption, or VPN usage can protect devices and corporate networks from the potential malware and trojan horses that Android users may unwittingly download from Google Play. Cloud-based file and data repositories like Dropbox and Evernote are tempting data leakage destinations for users and are therefore finding themselves blacklisted more and more.
Of course, all this flies in the face of a BYOD world where many users would never consent to this level of heavy device management and control over their personal devices.