
Get Started with Mobile Device Management by using Windows Intune: Walkthrough Guide

Updated: January 1, 2014

This walkthrough will help you configure Windows Intune so that users can enroll their Android, iOS, Windows Phone 8, Windows RT, Windows RT 8.1, and Windows 8.1 devices. If you are planning to use Windows Intune with Configuration Manager to manage devices, see How to Manage Mobile Devices by Using Configuration Manager and Windows Intune.

This document assumes that you have a Windows Intune subscription and plan to use the Windows Intune as a stand-alone console to manage mobile devices.

You'll learn:

  • How to set up Windows Intune for mobile device enrollment.

  • How to enroll mobile devices.

Get help from others or provide feedback

If you have questions or feedback regarding the content of this document, you can post a message to the Windows Intune Forums.

Walkthrough steps

Prerequisites

Before users can enroll their devices, there are steps that need to be completed outside of the Windows Intune console. Each mobile platform has its own external dependencies to configure; the following sections include information on external dependencies.

External dependencies for enrolling Windows Phone 8 devices

To manage Windows Phone 8 devices, you must deploy the Windows Phone 8 company portal app to the devices. The company portal app must be code-signed with a certificate that is trusted by Windows Phone 8 devices. The following steps will help you get the required certificates and sign the company portal app. You will need a Windows Phone Dev center account and then you will need to purchase a Symantec certificate.

  1. Join the Windows Phone Dev Center by going to the Windows Phone Dev Center website. You must use a corporate account.

  2. Locate your Symantec ID by clicking Dashboard in the Windows Phone Dev Center; the numeric ID is listed under Symantec Id.

  3. Purchase a certificate from the Symantec website by using your Symantec ID.

  4. After you purchase the certificate, the corporate approver that you designated in your Windows Phone Developer account will receive an email asking for approval of the certificate request. Once the request has been approved, you will receive an email that contains the instructions for importing the certificates.

  5. Read the instructions in the email carefully and import the certificates.

  6. To verify that the certificates have been imported correctly, go to the Certificates snap-in, right-click Certificates, and select Find Certificates. In the Contains field, enter “Symantec”, and click Find Now. The certificates you imported should be listed as part of the results.

    [Screenshot: Certificate search]

  7. Now that you have verified that the certificates have been imported, you can export the .pfx file so that you can sign the company portal. Using the results from the previous step, you must select the Symantec certificate with the Intended purpose as “code-signing.” Then, right-click the code-signing certificate and select Export.

    [Screenshot: Certificate export]

    In the Certificate Export Wizard, select Yes, export the private key and click Next. Select Personal Information Exchange –PKCS #12 (.PFX) and check Include all the certificates in the certification path if possible. Complete the wizard. For more information, see How to Export a Certificate with the Private Key.

  8. Download the Windows Phone 8 company portal app.

  9. Before you can deploy the company portal app, it must be signed by a certification authority that is trusted by Windows Phone 8 devices. Use the XapSignTool app that comes with the Windows Phone 8 SDK to sign the company portal with the .pfx file you created from the Symantec certificate. For more information, see How to sign a company app by using XapSignTool.

As soon as you have successfully signed the company portal, you are ready to move to the next step. You will use the signed company portal app and certificate in step 2 of this walkthrough.
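The certificate check, PFX export and signing in steps 6 to 9 can also be done from PowerShell, which makes it easier to confirm that the certificate you are about to export really carries the code-signing purpose and a private key. The script below is an added example, not part of this walkthrough or of the Windows Phone SDK: the certificate store location, the output paths, the password prompt and the XapSignTool install path are assumptions, and the XapSignTool command line follows the SDK topic the walkthrough links to. Export-PfxCertificate needs the PKI module (Windows 8 or Windows Server 2012 and later).

```powershell
# Added example (not from the walkthrough): find the imported Symantec
# code-signing certificate, confirm it is usable, export it as a PFX with
# its chain, and sign the company portal XAP with XapSignTool.
# Paths, the password prompt and the XapSignTool location are assumptions.

# Enhanced key usage OID for "Code Signing" (the "Intended purpose" column in the snap-in).
$codeSigningOid = '1.3.6.1.5.5.7.3.3'

# 1. Certificates issued by Symantec in the current user's Personal store
#    that carry the Code Signing purpose (same result as the snap-in search).
$candidates = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object {
        $_.Issuer -like '*Symantec*' -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $codeSigningOid })
    }

if (-not $candidates) {
    throw 'No Symantec code-signing certificate found in Cert:\CurrentUser\My. Re-check the import instructions from the approval email.'
}

# Only a certificate with its private key can be exported as a PFX and used to sign;
# take the one that is valid for the longest.
$cert = $candidates |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw 'A Symantec code-signing certificate was found, but it has no private key or has expired.'
}

"Using certificate: $($cert.Subject) (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"

# 2. Export to PFX, including the certification path (the wizard's
#    "Include all the certificates in the certification path if possible").
$pfxPath     = 'C:\IntuneSigning\SymantecCodeSigning.pfx'   # assumed output path
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
New-Item -ItemType Directory -Path (Split-Path $pfxPath) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null

# 3. Sign the downloaded company portal app. XapSignTool ships with the
#    Windows Phone 8 SDK; the install path and the .xap file name are assumptions.
$xapSignTool = 'C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\XapSignTool\XapSignTool.exe'
$xap         = 'C:\IntuneSigning\CompanyPortal.xap'
$plainPassword = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pfxPassword))
& $xapSignTool sign /f $pfxPath /p $plainPassword $xap
if ($LASTEXITCODE -ne 0) { throw "XapSignTool failed with exit code $LASTEXITCODE" }
```

The exported .pfx contains the private key that Windows Phone 8 devices will trust for company apps, so keep the output directory to the accounts that need it and delete working copies once the signed app has been uploaded in step 2 of the walkthrough.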

External dependencies for enrolling Windows devices

The external dependencies for Windows RT, Windows RT 8.1, and Windows 8.1 are only necessary for app management. If you are not considering app management, you can skip this section. If you are considering app management on a Windows RT device, follow these steps:

  1. Obtain sideloading keys. Before you can sideload line-of-business apps on Windows RT, you must obtain and activate sideloading keys from Microsoft. For more information about sideloading product activation keys, see Microsoft Volume Licensing.

  2. Sign all apps. For sideloaded apps to run on Windows RT, you must use a certificate to sign all apps. You can use a third party certificate or your own company’s certification authority to sign the apps.

You are now ready to move to the next step of the walkthrough.

External dependencies for enrolling iOS devices

To enroll iOS devices, you must follow these steps to obtain an Apple Push Notification service certificate which enables Windows Intune to securely communicate with the Apple Push Notification service.

  1. Download a Certificate Signing Request from Windows Intune. This certificate signing request lets you apply to the Apple certification authority for an Apple Push Notification service certificate.

  2. Request an Apple Push Notification service certificate from the Apple website.

To download a Certificate Signing Request from Windows Intune

  1. In the Windows Intune administrator console, click Administration, click Mobile Device Management Setup, and then click iOS. Click the link to Upload an APNs Certificate.

    [Screenshot: iOS request certificate]

  2. Click Download the APNs certificate request. When the Save As dialog box opens, save the CSR (Certificate Signing Request) file. You will be using the .CSR file to request an APNs certificate in the next procedure.

To request an Apple Push Notification Service Certificate

  1. Connect to the Apple Push Certificates Portal.

  2. Sign in by using your corporate credentials and complete the wizard by uploading the Certificate Signing Request you downloaded in the previous procedure.

    Note
    Make sure that you use a company account to obtain the Apple Push Notification service certificate. In the future, when you go back to the site to renew the certificate, make sure that you use the same account.

    Important
    If you use Internet Explorer to download the APNs certificate, you will receive an error saying that the file is not valid when you try to upload it in the Windows Intune administrator console. In order to download the file properly with Internet Explorer:

    1. After you create the certificate and are prompted to save or open the file, click Cancel.

    2. Sign out of the Apple Push Certificates Portal and sign in again.

    3. On the Certificates for Third-Party Servers page, download the most recent APNs certificate that was created.

    4. In the Windows Intune administrator console, click Upload the APNs certificate and browse to the MDM_Microsoft_Corporation_Certificate.pem file that you downloaded previously.

    We recommend that you enter your Apple ID when prompted. Doing so saves the Apple ID that you used to create the certificate in Windows Intune, so that upon annual renewal, Windows Intune can remind you which Apple ID you used.

As soon as you have obtained the APNs certificate, you have fulfilled the prerequisites for managing iOS devices. In step 2 of this walkthrough you will be using the APNs certificate to set up iOS management.

External dependencies for enrolling Android devices

For Windows Intune, users must download the Android company portal app from Google Play which will let them enroll Android devices for direct management.

Create a DNS alias

Creating a DNS alias (CNAME record type) is optional for all device platforms except for Windows 8.1 and Windows RT 8.1. A DNS Alias makes it easier for users to enroll their devices by not asking users for the server name during enrollment. You have to configure a CNAME in DNS that redirects EnterpriseEnrollment.<company domain name>.com to manage.microsoft.com. For example, if your company’s name is Contoso, you have to create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to manage.microsoft.com.

  1. Verify your domain in the Windows Intune account portal.

  2. Create a CNAME resource record for the verified domain in the public DNS; this lets users enroll their devices without manually specifying the address of the Windows Intune enrollment server. If there is more than one verified domain, you must create a CNAME record for each domain. The CNAME resource record must contain the following information:

    • Alias name: enterpriseenrollment

    • Fully qualified domain name (FQDN) for the target DNS host: manage.microsoft.com

    For information about how to create a CNAME resource record, see Add an Alias (CNAME) Resource Record to a Zone.
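Creating and then checking the record from PowerShell, as an added example that is not part of this walkthrough: the domain names are constructed samples and the DNS server name is an assumption. Add-DnsServerResourceRecordCName (DnsServer module) applies only when a Windows DNS Server hosts the public zone; the Resolve-DnsName check works from any Windows 8 or later client and is the part worth running regardless of where the zone lives, once per verified domain.

```powershell
# Added example (not from the walkthrough): create the enterpriseenrollment
# CNAME for each verified domain and verify that each alias resolves to
# manage.microsoft.com. Domain names are constructed; the server is assumed.

$verifiedDomains = @('contoso.com', 'fabrikam.com')   # constructed sample domains
$dnsServer       = 'dns01.contoso.com'                # assumed authoritative Windows DNS Server
$target          = 'manage.microsoft.com'

foreach ($zone in $verifiedDomains) {
    # Equivalent zone-file record when the public zone is hosted elsewhere:
    #   enterpriseenrollment.<zone>.   IN   CNAME   manage.microsoft.com.
    Add-DnsServerResourceRecordCName -ComputerName $dnsServer -ZoneName $zone `
        -Name 'enterpriseenrollment' -HostNameAlias $target
}

function Test-EnrollmentCname {
    # Returns one row per domain: the alias name, what it points at, and whether
    # that matches the required target. -DnsOnly bypasses the local resolver cache.
    param(
        [string[]]$Domains,
        [string]$Target = 'manage.microsoft.com'
    )
    foreach ($d in $Domains) {
        $name  = "enterpriseenrollment.$d"
        $cname = $null
        try {
            $cname = Resolve-DnsName -Name $name -Type CNAME -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
            $ok = [bool]$cname -and ($cname.NameHost.TrimEnd('.') -ieq $Target)
        } catch {
            $ok = $false
        }
        [pscustomobject]@{ Name = $name; PointsTo = $cname.NameHost; Ok = $ok }
    }
}

Test-EnrollmentCname -Domains $verifiedDomains | Format-Table -AutoSize
```

A domain whose row shows Ok = False is one whose Windows 8.1 or Windows RT 8.1 users will be asked for the server address during enrollment, or will fail to enroll if the alias points somewhere other than manage.microsoft.com.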

Step 1: Set the Mobile Device Management Authority for Windows Intune

You must first decide if you will be using the Windows Intune console for managing mobile devices. Your other option is to use the Configuration Manager console.

Important
This setting cannot be changed in the future so think carefully on which console you will be using to manage your mobile devices.

To set the mobile device management authority for Windows Intune

  1. Open the Windows Intune administrator console.

  2. In the workspace shortcuts pane, click the Administration icon.

  3. In the navigation pane, click Mobile Device Management Setup.

  4. In the Tasks list on the Policy Overview page, click Set Mobile Device Management Authority.

    [Screenshot: Management authority]

  5. The Set MDM Authority dialog box appears. This selection cannot be changed later. If you want to use the Windows Intune console to manage mobile devices, check the box and click Yes.

    [Screenshot: Management authority warning]

Now that you have set Windows Intune as the mobile device management authority, you can configure Windows Intune for direct management of mobile devices.

Step 2: Set up direct management for mobile devices

You must enable each mobile device platform for users to be able to enroll their devices.

Set up direct management for Windows Phone 8

Before setting up direct management for Windows Phone 8, you must have completed the Prerequisites. At this point you must have the Windows Phone 8 company portal app signed with your certificate from Symantec.

To set up direct management for Windows Phone 8

  1. Open the Windows Intune administrator console.

  2. In the workspace shortcuts pane, click the Administration icon.

  3. In the navigation pane, under Mobile Device Management, click Windows Phone 8.

  4. Under Step 1: Enrollment Server Address, type the name of the verified domain, and then click Test Auto-Detection.

  5. Click Upload Signed App File and sign in to the Windows Intune Software Publisher Wizard.

  6. On the Software setup page for Specify the location of the software setup files, browse to the signed Windows Phone 8 company portal app that you generated when you completed the prerequisites.

  7. Add the .pfx file that you exported in the Windows Phone 8 prerequisites to Code-signing certificate and create a password for the certificate.

  8. On the Software description page, complete the fields and keep in mind that users will see this information on their devices.

  9. Complete the wizard.

The company portal can now be automatically deployed to all users who enroll.

Set up direct management for Windows Devices

If you are planning to manage apps for Windows RT, Windows® RT 8.1, and Windows 8.1 you will need to get sideloading keys and be able to code-sign the apps. For more information, see the Prerequisites.

To set up direct management for Windows Devices

  1. Open the Windows Intune administrator console.

  2. In the workspace shortcuts pane, click the Administration icon.

  3. In the navigation pane, under Mobile Device Management, click Windows.

  4. Under Step 1: Enrollment Server Address, type the name of the verified domain, and then click Test Auto-Detection.

If you are planning to sideload apps, you will need to add the sideloading keys. Although sideloaded apps do not have to be certified by the Windows Store or installed through the Windows Store, they can only be installed on sideloading-enabled devices. To enable a Windows device for sideloading, you must first obtain sideloading product activation keys. For information about how to obtain sideloading product activation keys, see Microsoft Volume Licensing. After you obtain sideloading product activation keys, complete these steps in the Windows Intune administrator console to add the keys:

Add sideloading keys

  1. On the Set Up Mobile Device Management for Windows page under Step 2: Add Sideloading keys, click Add Sideloading Key.

  2. In the Add Sideloading Key dialog box, enter a name, the sideloading product activation key, the number of total activations, and an optional description, and then click OK.

To distribute line-of-business apps to Windows users, you must also ensure that the apps are signed with a certification authority that is trusted by the users’ devices. You can either obtain a non-Microsoft public certificate, or use a code-signing certificate from your organization’s certification authority. For information, see Acquire a Code Signing Certificate. If you use a code-signing certificate from your organization’s certification authority, you must upload a code-signing certificate to Windows Intune so that it can be distributed to Windows devices:

Note
Windows Intune only retains one copy of the code-signing certificate. You cannot uninstall a code-signing certificate that was previously installed through Windows Intune.

To upload a code-signing certificate, complete these steps in the Windows Intune administrator console:

  1. On the Windows RT Mobile Device Management Setup page under Step 3: Upload Code-Signing Certificate (Optional), click Modify Code-Signing Certificate.

  2. In the Upload a Code-Signing Certificate dialog box, click Browse, specify the code-signing certificate file to use, and then click Upload.

Set up direct management for iOS

Before setting up direct management for iOS, you must have completed the Prerequisites. At this point, you must have the APNs certificate from Apple.

To set up direct management for iOS

  1. In the Windows Intune administrator console, click Administration, click Mobile Device Management Setup, and then click iOS.

    [Screenshot: iOS upload APNs certificate]

  2. Click the link to Upload an APNs Certificate and select the APNs Certificate that you downloaded as part of the iOS prerequisites.

    Note
    If you use Internet Explorer to download the APNs certificate, you will receive an error saying that the file is not valid when you try to upload it in the Windows Intune administrator console. In order to download the file properly with Internet Explorer:

    1. After you create the certificate and are prompted to save or open the file, click Cancel.

    2. Sign out of the Apple Push Certificates Portal and sign in again.

    3. On the Certificates for Third-Party Servers page, download the most recent APNs certificate that was created.

    4. In the Windows Intune administrator console, click Upload the APNs certificate and browse to the MDM_Microsoft_Corporation_Certificate.pem file that you downloaded previously.

  3. We recommend that you enter your Apple ID when prompted. Doing so saves the Apple ID that you used to create the certificate in Windows Intune, so that upon annual renewal, Windows Intune can remind you which Apple ID you used.

Now that you have set up direct management for mobile devices, you can proceed to step 3.

Step 3: Provision users for device enrollment

Before users are able to enroll their devices, they must be members of the Windows Intune user group.

To manage users’ mobile devices, you must first provision the users in Windows Intune. The process of provisioning defines device owners as managed users in Windows Intune. After provisioning is complete, users appear and can be managed in the Windows Intune administrator console. You provision users by doing either of the following:

  • If you have Active Directory Domain Services (AD DS) in your environment: You can configure Active Directory synchronization so that your local users and security groups are synchronized to the Windows Azure Active Directory and can appear in the Windows Intune administrator console. To configure Active Directory synchronization, you need to set up the Microsoft Directory Synchronization tool. When you set up the Microsoft Directory Synchronization tool, the tool populates the Windows Intune account portal with synchronized users and security groups and enables Windows Intune to retrieve user information for mobile device users.

    Important
    To ensure that your AD DS infrastructure is properly prepared for Windows Intune, we strongly recommend that you review Active Directory Synchronization Roadmap.

    After you synchronize your local users and security groups to the Windows Azure Active Directory, you must activate the synchronized users and assign them membership in the Windows Intune user group to provision them in Windows Intune. You do not need to activate the synchronized security groups. For more information, see the “Adding Users and Security Groups to Windows Intune” section in the Windows Intune Getting Started Guide.

  • If you do not have AD DS in your environment: You can provision users in Windows Intune by manually adding the users to the Windows Intune account portal.

To add users manually to the Windows Intune account portal

  1. Open the Windows Intune account portal.

  2. In the header, click Admin.

  3. In the left pane, under Management, click Users.

  4. On the Users page, click New, and then click User.

  5. On the Details page, complete the user information. Click the arrow next to Additional details to add optional user information such as job title or department, and then click Next.

  6. On the Settings page, if you want the user to have an administrator role, select Yes, and select an administrator role from the list.

  7. Under Set user location, select the user’s work location, and then click Next.

  8. On the Group page, under Windows Intune user group, ensure that the name of the user is selected.

  9. On the Send results in email page, select Send email to send the new user's user name and temporary password, which Windows Intune creates automatically, to yourself and to the recipients of your choice. Enter email addresses separated by semicolons (;), and then click Create. You can enter a maximum of five email addresses.

  10. On the Results page, the new user name and a temporary password are displayed. After you review the results, click Finish.

Now that you have provisioned users for device enrollment you can move to the next step.

Step 4: Enroll devices

Enrollment establishes a relationship between the user, the device, and the Windows Intune service. Users enroll their own mobile devices. The following sections describe enrollment for Windows Phone 8, Windows RT, and iOS.

Note
If your subscription to Windows Intune is going to expire, you must unenroll all devices prior to expiration in order to ensure company content is removed from devices.

Windows Phone 8 Enrollment

For Windows Phone 8, users start enrollment from the Windows Phone 8 device by going to system settings and selecting company apps. The process for enrollment is:

  1. Users enroll their own mobile devices. Users are asked to provide their credentials. When authentication is successful, Windows Intune establishes a relationship between the user and the Windows Phone 8 device.

    Warning
    If you have not set up the DNS alias as documented in the prerequisites, users are prompted to provide the server address during enrollment. The server address is enterpriseenrollment.manage.microsoft.com.

  2. A certificate is installed on the device for authentication between the device and the Windows Intune service.

  3. Users must select Install company app or Hub to let their device be managed.

    Important
    If users do not select this option, they cannot download the company portal. If the Windows Phone 8 company portal is not installed during enrollment, or if users uninstall the company portal, users must retire and then re-enroll their mobile device. You can make the company portal file available by sending users a link in an email.

  4. As soon as the company portal is installed on the device, inventory is collected; management settings are applied, and users now have access to line-of-business apps that you make available to them.

Windows RT, Windows RT 8.1, and Windows 8.1 Enrollment

For Windows RT, users start enrollment from the Windows RT device. The process for enrollment is:

  1. On the Windows RT device, users select Start, type System Configuration, and open the Company Apps dialog box.

    Warning
    If you have not set up the DNS alias as documented in the prerequisites, users are prompted to provide the server address during enrollment. The server address is enterpriseenrollment.manage.microsoft.com.

  2. The users enter their company credentials and are authenticated. A relationship between the user, the Windows RT device and the Windows Intune service is established.

  3. Windows Intune collects inventory and applies management settings. Users now have access to line-of-business apps and direct links to the app store through the company portal.

For Windows RT 8.1, the user enrolls through the device.

  1. On the Windows RT 8.1 device, the user selects Settings, clicks PC Settings, Network, and Workplace.

  2. The user enters their user ID.

  3. The user clicks Turn on and provides their password.

  4. The user agrees to the Allow apps and services from IT admin dialog box, and clicks Turn on.

iOS Enrollment

For iOS, enrollment is as follows:

Users can enroll iOS devices by using the iOS company portal app, Windows Intune Company Portal, available in the App store. The company portal app can be installed on iOS devices running iOS 6 or later.

  1. Users can also enroll by entering their credentials at m.manage.microsoft.com. As soon as authentication is successful, a relationship between the user, the iOS device, and the Windows Intune service is established.

  2. On the Company apps page, click Install. At the Install Profile prompt, click Install Now.

  3. Windows Intune collects inventory and applies management settings. The user now has access to line-of-business apps and direct links to the app store through the company portal.

Now that users can enroll their devices, you can move to the next steps.

Android Enrollment

For Windows Intune, users enroll Android devices by downloading the Android company portal app, Windows Intune Company Portal, available on Google Play. Once the Android company portal app is downloaded to a user’s device, the user must enroll by using the company portal. Once enrolled, you can manage compliance settings, wipe or delete Android devices, deploy apps, and collect software and hardware inventory.

Next steps

You are now ready to manage mobile devices. The following list pairs common management tasks with the topic that describes each one.

  • Manage mobile devices by using retire, wipe, lock, or passcode reset: see Protect your data with Remote Wipe, Remote Lock, or Passcode Reset Using Windows Intune.

  • Deploy apps on mobile devices: see Adding and Deploying Software in Windows Intune.

  • Secure your company’s data by enforcing security policy on mobile devices: see Checklist for Managing Device Security with Windows Intune.

  • Monitor devices that are directly managed by Windows Intune: see Monitoring Devices That Are Directly Managed by Windows Intune.

© 2014 Microsoft. All rights reserved.