Manage mobile devices and PCs without an on-premises infrastructure

Updated: April 23, 2014

Applies To: Azure, Windows Intune

Who is this guide intended for? Small businesses that need to extend their current infrastructure by using Windows Intune to support mobile device management and the "bring your own device (BYOD)" demand to use personal mobile devices and computers at work to access company resources.

In this solution, Windows Intune is described in the simplest scenario supported for a stand-alone, cloud-only configuration with no local servers. However, Windows Intune can also be used in conjunction with Configuration Manager 2012 or in addition to Configuration Manager 2007 to provide unified device management for both on-premises and mobile device management needs.

How can this guide help you? You can follow the steps in this solution to use Windows Intune to manage mobile devices and computers via the cloud and let people in the company use the devices they choose to access applications and data while, at the same time, enforcing company policies on those devices.

The problem: Users access company data and applications by using unmanaged mobile devices and computers

Figure: Before implementing Windows Intune.

This solution covers:

  • Business scenario, problem statement, and goals

  • Recommended design approach and planning considerations for this solution

  • Steps to implement Windows Intune for this cloud-only solution

This section describes the business scenario, problem statement, and goals for a typical small business with no on-premises servers. After reviewing this solution to the problem of users accessing company applications and data from unmanaged mobile devices and computers, you can check whether it meets your needs, or whether you need to adjust it for your particular business environment.

Business scenario

In this solution, a small business is looking for a cloud-only solution to manage mobile devices and computers. This solution is best for small businesses because they typically:

  • Have very small IT support teams.

  • Rely on free, web-based email for employee communications.

  • Have no on-premises servers.

  • Do not use management software for mobile devices or computers.

Problem statement

Small business employees are mobile and expect to be able to access the applications they need to get their jobs done consistently and easily, wherever they are and on whatever device they happen to be using. Because of these employee demands, the business needs a solution that:

  • Manages both company-owned and employee-owned mobile devices and computers to ensure secure access to company applications and data.

  • Provides license inventory and software deployment functionality so that users get the applications they need on the device of their choice.

  • Protects devices connecting to company resources against malware (malicious software).

Goals

Based on the business scenario and problem statement, a management solution for mobile devices and computers is needed that meets the following goals:

  • Effectively manages employees’ mobile devices and computers from a single administration console. Managing mobile devices and computers includes setting security and compliance settings, gathering and maintaining a software and hardware inventory, and deploying software.

  • Helps prevent malware infections and potentially unwanted software from infecting computers that connect to company assets.

  • Helps protect company data by erasing company data stored on mobile devices when they are lost, stolen, or retired from use.

  • Provides a company portal to enable employees to enroll their own devices, access applications, and contact support.

  • Eliminates the need for on-premises servers.

To meet these goals and to solve this business problem, you should implement Windows Intune in a cloud-only configuration. This option is well suited to small to midsize businesses that have no local servers to support users, applications, and data, or to manage mobile devices and computers.

The recommended solution: Use Windows Intune to manage mobile devices and computers without an on-premises infrastructure

Figure: After implementing Windows Intune Standalone.

In the implementation steps for this solution, it is assumed that you are not already using Active Directory for identity management or Microsoft Online Services such as Microsoft Office 365. If you have one of those technologies, the following steps help you evaluate Windows Intune in a cloud-only configuration, but these steps might not all be applicable or lead to the best solution for your organization in production.

Review the following table to gain an understanding of the planning considerations for each of the elements described in this solution. There is also additional planning information for implementing Windows Intune in the Documentation Library for Windows Intune on TechNet.

Planning considerations, by solution element:

Users

  • You can easily manage license usage and access to resources by creating Windows Intune users.

  • You can also assign administrative rights to users in the Windows Intune administration console.

  • Users can enroll their mobile devices and computers to enable them to work from anywhere on their devices to access company applications and data more securely.

All devices

  • The web-based Windows Intune administration console provides simplified management of computers in your company, including computers running Windows 7 and Windows 8 Enterprise.

  • Not every Windows operating system is supported for Windows Intune management; Windows XP Home Edition, for example, is not. Review the computer requirements before you plan to manage Windows-based computers with Windows Intune.

  • Company-owned or employee-owned mobile devices including Windows RT, Windows Phone 8, iOS, and Android devices can also be managed by Windows Intune.

  • Windows Intune direct management of mobile devices has different requirements and capabilities than managing Windows-based computers. You should review the mobile device requirements for more information to help you plan for managing mobile devices with Windows Intune.

Apps and data

  • Using Windows Intune, you can publish software to the Windows Intune Company Portal. Users can then access and install the software on their managed computers and devices.

  • There are several device-specific requirements that must be planned for, and set up correctly, before you can deploy software to mobile devices. These can include obtaining sideloading keys for Windows RT devices, obtaining code-signing certificates, and deploying the Company Portal application where necessary.

  • In addition to deploying software, you can set up and deploy policies for the Windows Intune Agent settings on computers, manage mobile device policies, and collect hardware and software inventory from computers. You can see the data collected during your evaluation period by reviewing the reports available in the Reports workspace of the Windows Intune administration console.

The following implementation steps provide an overview of setting up Windows Intune in a cloud-only configuration to manage mobile devices and computers. These are the recommended steps for a small to midsize company without an on-premises infrastructure.

  1. Sign up for a free, 30-day trial of Windows Intune. You can sign up for a free, 30-day trial of Windows Intune to manage up to 25 computers and mobile devices.

    Warning
    If your company already has a Microsoft Online Services organizational account and you might keep this Windows Intune subscription in production after the trial period ends, you must click Sign in on the sign-in page and authenticate with your company's Global Administrator account. This links the Windows Intune trial to your existing Microsoft Online Services account; signing up with a new account instead creates a second, separate tenant.

    Verification steps: Review the confirmation email from the Microsoft Online Services Team to ensure that all the information is correct and ensure that you can log in to the Windows Intune account portal with the User ID that is included in the email.



  2. Familiarize yourself with the various Windows Intune portals, workspaces, and tasks. There are three Windows Intune portals that you should be aware of: two administration management portals that you can use to access the various features of your Windows Intune service, and one company portal that your end users use to connect to Windows Intune services.

    Windows Intune portals, each with a verification step:

    Windows Intune account portal. Using the Windows Intune account portal, administrators can manage users, groups, and domains for all Microsoft Online Services, including Windows Intune and Office 365. You can use the account portal to check the status of your subscriptions, add new subscriptions, add new domain names, and activate new user accounts. It is also where you can set up and configure the link to your on-premises Active Directory Domain Services (AD DS) instance if you have one.

    Ensure that you can log in to the Windows Intune account portal with your tenant administrator credentials.

    Windows Intune administration console. The Windows Intune administration console is a web-based console that helps you to quickly access key information and Windows Intune management features. Here you can manage user and device groups, configure policy settings, view alerts and take action on them, review reports, and perform other service administrative tasks.

    Ensure that you can log in to the Windows Intune administration console with your tenant administrator credentials.

    Windows Intune Company Portal. To self-enroll a computer, the user must first access the Windows Intune company portal and log in by using their Windows Intune user ID. As an administrator, you configure Company Portal settings such as the company name, support contact information, and privacy statement links from within the Administration workspace of the administration console.

    Don’t forget that you need to send instructions to users explaining what to expect when they go to the Company Portal. Include their user ID and temporary password (send the password through a separate channel from the user ID, and require a password change at first sign-in), steps for connecting their computers and mobile devices to Windows Intune, information about how to browse and install apps, and how to contact IT for help.

    Ensure that you can log in to the Windows Intune Company Portal website with your tenant administrator credentials.



  3. Add Windows Intune users and administrators.

    A tenant administrator can use the account portal to assign subscription licenses to users by adding them to the Windows Intune Users Group. Adding users to the Windows Intune Users Group maintained in the account portal is also how you get those users to show up in the Windows Intune administration console.

    Administrator accounts for your Windows Intune service are not created in the account portal the way regular user accounts are. Instead, you assign administrative rights to existing users: in the administration console, open the Administration workspace, go to Administrator Management, and grant either read-only access or full access. Service administrators with read-only access cannot modify Windows Intune settings, but they can view data and run reports. Service administrators with full access have all possible administrative rights. Grant read-only access to anyone who only needs to view data and reports, and reserve full access for the few people who actually change settings.

    You can view tenant administrator information by using the Windows Intune administration console, but you cannot create tenant administrators there. By default, the subscription owner becomes a tenant administrator for your Windows Intune service and has full access to both the Windows Intune account portal and the Windows Intune administration console. We recommend that you create at least one extra tenant administrator account by using the account portal, to help delegate tasks and to ensure that you are not locked out of your Windows Intune service if you forget the password of the original administrator account.

    Verification steps:

    • Ensure that user accounts appear in the All Users group within the Windows Intune administration console after adding them to the Windows Intune group in the account portal.

    • Log out of the administration console, and then ensure that you can log back in to it with the newly assigned service administrator’s credentials.
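    As an added example, which is not part of the original article and not Microsoft's own procedure, the user, license and administrator setup in this step can be scripted with the Microsoft Online Services module for Windows PowerShell (MSOnline) instead of clicking through the account portal. The tenant domain contoso.onmicrosoft.com, the user names, the backup administrator alias and the INTUNE_A SKU part number are assumptions; confirm the SKU with Get-MsolAccountSku in your own tenant before relying on it.

```powershell
# Added example (not from the original article): create Windows Intune users, assign
# the Intune license, and add a second tenant (Global) administrator with the
# MSOnline PowerShell module. Assumed: MSOnline module installed, Intune SKU part
# number INTUNE_A, hypothetical tenant domain contoso.onmicrosoft.com.
Import-Module MSOnline
Connect-MsolService            # prompts for the existing Global Administrator credentials

$domain = 'contoso.onmicrosoft.com'

# Locate the Windows Intune subscription and check how many seats are still free
# (a trial has 25). Fail early instead of half-licensing the user list.
$sku = Get-MsolAccountSku | Where-Object { $_.SkuPartNumber -eq 'INTUNE_A' }
if (-not $sku) { throw 'No Windows Intune SKU found in this tenant.' }
$free = $sku.ActiveUnits - $sku.ConsumedUnits

# Constructed sample user list; in practice import this from a CSV export of HR data.
$people = @(
    @{ First = 'Alice'; Last = 'Anders'; Alias = 'alice' },
    @{ First = 'Bao';   Last = 'Nguyen'; Alias = 'bao'   },
    @{ First = 'Chidi'; Last = 'Okafor'; Alias = 'chidi' }
)
if ($people.Count -gt $free) { throw "Only $free Intune licenses free for $($people.Count) users." }

foreach ($p in $people) {
    $upn = "$($p.Alias)@$domain"
    if (Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue) {
        Write-Host "$upn already exists; skipping creation"
    } else {
        # UsageLocation is required before a license can be assigned.
        # ForceChangePassword makes the generated temporary password single-use.
        $u = New-MsolUser -UserPrincipalName $upn -DisplayName "$($p.First) $($p.Last)" `
                -FirstName $p.First -LastName $p.Last -UsageLocation 'US' `
                -ForceChangePassword $true
        Write-Host "Created $upn; temporary password: $($u.Password) (deliver out of band)"
    }
    # Adding the license is what makes the user appear in the administration console.
    Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $sku.AccountSkuId
}

# Second tenant administrator, as the article recommends, so a forgotten password on
# the original account cannot lock you out of the service. 'Company Administrator'
# is the MSOnline name of the Global Administrator role.
$backupAdmin = "itadmin@$domain"
if (-not (Get-MsolUser -UserPrincipalName $backupAdmin -ErrorAction SilentlyContinue)) {
    New-MsolUser -UserPrincipalName $backupAdmin -DisplayName 'IT Admin (backup)' `
        -UsageLocation 'US' -ForceChangePassword $true | Out-Null
}
Add-MsolRoleMember -RoleName 'Company Administrator' -RoleMemberEmailAddress $backupAdmin

# Verification: list who holds the Global Administrator role now. Anything beyond
# the owner and the backup account deserves a second look.
$roleId = (Get-MsolRole -RoleName 'Company Administrator').ObjectId
Get-MsolRoleMember -RoleObjectId $roleId | Select-Object EmailAddress, DisplayName
```

    The final listing doubles as the verification step above: after running the script, sign out of the administration console and sign back in as the new backup administrator to confirm the role took effect.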



  4. Create groups to organize users and devices. In Windows Intune, groups are used to help you manage users, mobile devices, computers, and software deployments. Windows Intune uses two types of groups that you can create in the Windows Intune administration console:

    • User Groups. User Groups are used to make licensed software available to users and target mobile device security policies.

    • Device Groups. Device Groups are used to deploy software and updates, and configure Windows Intune Agent Settings and Windows Firewall Settings policies.

    Verification steps: As new groups are created, you should see them displayed in the Windows Intune administration console.



  5. Set policies for mobile devices and computers. Windows Intune policies let you configure settings that help secure mobile devices, deploy computer updates, protect against malware, maintain firewall settings, and enhance the end-user experience.

    You can configure and deploy Windows Intune policies to groups to manage settings for the Windows Intune client on computers and mobile device policy-based settings. After you add and deploy a new policy, all users or devices in the group to which you applied the policy inherit the settings as their baseline policy. You can always review and, if required, edit the details of these policies later from the Policy workspace.

    Verification steps: As new policies are added, you should see them displayed in the Windows Intune administration console.



  6. Install the Windows Intune client on computers. The Windows Intune client is used to manage computers and can be installed on domain-joined computers in any domain as well as on non-domain-joined computers. After the Windows Intune client is installed on a supported computer operating system, it provides application management, Endpoint Protection, hardware and software inventory, remote control through remote assistance requests, software updates, and compliance settings reporting.

    You can enroll computers in Windows Intune without an on-premises infrastructure in one of the following ways:

    • You can manually deploy the Windows Intune client software. In this type of deployment, an administrator downloads the Windows Intune client software and manually installs it on each PC. To download the Windows Intune client software, open the Windows Intune administration console and, in the Client Software Download area, download the client software package. After the client software is installed, Windows Intune automatically installs additional software as necessary to manage the computer.

    • End-users can self-enroll each of their computers through the Windows Intune Company Portal. Each enrolled computer is then automatically linked to the user account that was used to install the Windows Intune client software.

    • You can deploy the Windows Intune client software to computers as part of an operating system deployment.

    Windows Intune Endpoint Protection is installed by default during Windows Intune client installation on computers. Endpoint Protection helps enhance the security of computers in your organization by providing real-time protection against potential threats, keeping malicious software definitions up-to-date, and automatically running scheduled scans. For added security, you can also use Windows Intune policies to manage Windows Firewall settings on managed computers.

    Verification steps:

    • Ensure that you can see the Windows Intune client icon in the taskbar at the bottom of the Windows desktop and that you get the Tech Support and Company Portal options when you click it.

      • The Tech Support option should open the Windows Intune Center. From there, you can see the tech support contact information and other options such as checking for available applications or software updates and scanning your computer for malware by using Endpoint Protection.

      • The Company Portal option should open a web browser and display a Windows Intune login page. After logging in with your organizational account, you should see your company portal website with options for contacting IT, adding a device, and all applications available for your device.
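    The manual deployment path in this step can be scripted. The following added example is not code from the original article or from Microsoft: it stages the downloaded client package, performs the checks an administrator would otherwise do by eye (elevation, supported edition, account certificate present, Authenticode signature valid), runs the installer silently or prepares an image, and then waits for the agent services to register. It assumes the package was saved as C:\IntuneClient\Windows_Intune_Setup.zip, that the zip contains Windows_Intune_Setup.exe and WindowsIntune.accountcert, and that the agent services register with display names starting with "Microsoft Online Management" or "Windows Intune"; adjust those if your environment differs. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): scripted install of the Windows Intune
# client with pre- and post-checks. Assumptions: the package downloaded from the
# administration console sits at $PackageZip and contains Windows_Intune_Setup.exe plus
# WindowsIntune.accountcert; agent service display names match the wildcards in step 6.
param(
    [string]$PackageZip = 'C:\IntuneClient\Windows_Intune_Setup.zip',
    [string]$StageDir   = 'C:\IntuneClient\Stage',
    [switch]$PrepareForImage   # building an OS image: use /PrepareEnroll instead of /Quiet
)
$ErrorActionPreference = 'Stop'

# 1. The installer needs elevation; fail clearly instead of half-installing.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell prompt.'
}

# 2. Reject editions the service does not manage. The article names Windows XP Home as
#    unsupported; Home and Starter editions are excluded here, and XP must be at SP3
#    (assumed minimum).
$os = Get-WmiObject Win32_OperatingSystem
if ($os.Caption -match 'Home|Starter') { throw "Unsupported edition: $($os.Caption)" }
if ([version]$os.Version -lt [version]'5.1' -or
    ([version]$os.Version -lt [version]'6.0' -and [int]$os.ServicePackMajorVersion -lt 3)) {
    throw "Unsupported OS: $($os.Caption) $($os.Version) SP$($os.ServicePackMajorVersion)"
}

# 3. Stage the package. Setup only enrolls the computer into your tenant if
#    WindowsIntune.accountcert sits beside the executable, so a missing certificate
#    is a hard stop, not a warning. Shell.Application keeps this PowerShell 2.0 friendly.
if (-not (Test-Path $StageDir)) { New-Item -ItemType Directory -Path $StageDir | Out-Null }
$shell = New-Object -ComObject Shell.Application
$shell.NameSpace($StageDir).CopyHere($shell.NameSpace($PackageZip).Items(), 0x14)
$setup = Join-Path $StageDir 'Windows_Intune_Setup.exe'
$cert  = Join-Path $StageDir 'WindowsIntune.accountcert'
$wait = 0
while (-not ((Test-Path $setup) -and (Test-Path $cert)) -and $wait -lt 60) { Start-Sleep 2; $wait += 2 }
foreach ($f in $setup, $cert) { if (-not (Test-Path $f)) { throw "Missing from package: $f" } }

# 4. Supply-chain check: the package came over the web, so only run an installer whose
#    Authenticode signature is valid and whose signer is Microsoft.
$sig = Get-AuthenticodeSignature $setup
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Refusing to run installer: signature status $($sig.Status), signer $($sig.SignerCertificate.Subject)"
}

# 5. Install silently, or prepare an image that enrolls at first boot, and wait for setup.
$setupArgs = if ($PrepareForImage) { '/PrepareEnroll' } else { '/Quiet' }
$proc = Start-Process -FilePath $setup -ArgumentList $setupArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "Setup exited with code $($proc.ExitCode)" }
if ($PrepareForImage) { Write-Host 'Image prepared; deployed PCs enroll at first boot.'; return }

# 6. The client downloads and installs its remaining components itself, which takes
#    several minutes. Poll until the agent services exist and run, or give up after 15.
$deadline = (Get-Date).AddMinutes(15)
do {
    $svc = @(Get-Service | Where-Object {
        $_.DisplayName -like 'Microsoft Online Management*' -or $_.DisplayName -like 'Windows Intune*' })
    $notRunning = @($svc | Where-Object { $_.Status -ne 'Running' })
    if ($svc.Count -gt 0 -and $notRunning.Count -eq 0) { break }
    Start-Sleep -Seconds 30
} while ((Get-Date) -lt $deadline)
if ($svc.Count -eq 0) { throw 'No Windows Intune agent services found after install.' }
$svc | Select-Object DisplayName, Status | Format-Table -AutoSize
```

    Once the services show as Running, the taskbar icon and Windows Intune Center described in the verification steps above should be available, and the computer should appear in the administration console within its next inventory cycle.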



  7. Prepare for mobile device management. Before you can enroll mobile devices, you must prepare the Windows Intune service by selecting the appropriate mobile device management authority setting on the Mobile Device Management page of the Administration workspace. The mobile device management authority setting determines whether you manage mobile devices with Windows Intune or System Center Configuration Manager with Windows Intune integration. In this solution, Windows Intune is used without System Center Configuration Manager integration so the setting should be set to Windows Intune.

    Important
    Consider carefully whether you want to manage mobile devices by using Windows Intune only or System Center Configuration Manager with Windows Intune integration. After you set the mobile device management authority to either of these options, it cannot be changed again.

    In addition to setting the mobile device management authority, there might be other tasks necessary to prepare to manage mobile devices in use by your company. For example, Windows RT and Windows Phone devices require access to an enrollment server during the enrollment process, and you need an Apple Push Notification service (APNs) certificate to manage iOS devices.

    Verification steps: Ensure that the mobile device management authority is set to Windows Intune and that you have completed any additional tasks required to support the types of mobile devices you plan to support before you continue.



  8. Enroll mobile devices. You do not need to install Windows Intune client software on supported mobile devices. Instead, they are enrolled in the Windows Intune service by using the company portal or the Company Apps Windows Phone setting.

    After enrolling a mobile device in Windows Intune, device management capabilities are provided for application management, hardware and software inventory of managed applications, and compliance settings reporting. You can help protect company data by deploying security policies to user groups to help secure company data and by using the Windows Intune remote wipe feature to delete company data stored on mobile devices when they are lost, stolen, or retired from use.

    Verification steps:

    • Ensure that the Company Portal app has been successfully installed on the mobile device. If it has not been installed, you need to distribute it manually.

    • After logging in with your organizational account, you should see all apps that have been made available, and the devices that have been linked, to the user account you are logged in as.



  9. Deploy applications to mobile devices and computers. You can perform two types of software installation by using Windows Intune: a required install, which automatically pushes the software to managed computers, and an available install, which publishes the software, or a link to it, to the Windows Intune Company Portal so that users can choose whether to install it on their computers or mobile devices.

    • Before using Windows Intune to deploy software, you should make sure that you have the appropriate licenses to publish, distribute, and use the software. The Licenses workspace lets you add and manage license agreement information for software that was purchased through Microsoft Volume Licensing agreements, and for Microsoft or non-Microsoft software that was purchased by other means. You can then create license reports that display managed license usage information throughout your company to stay informed of license usage activity.

    • Users must be linked to their computer before you can deploy software to them by using Windows Intune. However, if a user is not already automatically linked to a computer, you can use the administration console to link them. You can link a user to multiple computers, but each computer can be linked to only one user. Mobile device users are automatically linked to their devices during enrollment, and users are also automatically linked to any computers that they add to Windows Intune by using the company portal.

    • After you have ensured license compliance, and users are linked to devices, you can start the Windows Intune Software Publisher from the Software workspace in the Windows Intune administration console to publish and deploy software to mobile devices and computers. There are two ways to deploy published applications with the software publisher: external links and software installer packages.

      • External link: To use external links, you simply provide a link to the web address of an application in an online app store. The link that you provide is then made available to users in the company portal. The link lets users obtain the software from the online app store or be redirected to a web-based application that runs in the device’s web browser.

      • Software installer: You can also use the Windows Intune Software Publisher to upload a signed application package directly to the Windows Intune service for users to access from the company portal. Using the software publisher, you can publish any of the following installer types: Windows Installer (.exe and .msi files), app packages for Android (.apk file type), app packages for iOS (.ipa file type), Windows Phone app packages (.xap file type), and Windows app packages (.appx file type).

        Tip
        To make the process of deploying software to Windows Phone 8 devices easier during your trial evaluation period, you can use the support tool for Windows Intune trial management of Windows Phone 8, which provides the necessary enrollment token and example applications for you to deploy during the trial evaluation period. The sample Company Portal app only works with trial accounts, but additional help for deploying applications to Windows Phone 8 devices in production is available by downloading the Windows Phone 8 walkthrough guide.

    Verification steps: Ensure that a published application is available from the company portal when logged in with a user account that is associated with a software deployment.



  10. Manage software update approvals. You can approve and deploy Microsoft and non-Microsoft updates to Windows Intune clients from the Updates workspace in the Windows Intune administration console. If you want to closely manage individual update approvals, you can use the Approve or Decline options for each update in the Updates workspace. You can also automatically approve updates by using Windows Intune auto-approval rules.

    Verification steps: As new updates are approved, you should see Yes displayed in the approved column for them in the Updates workspace in the administration console.



  11. Configure alerts and notifications. Windows Intune alerts are used to monitor system and software performance or notify administrators when an action is required. You can configure and monitor alerts from the Alerts workspace or by having the service send the alerts directly to specific service administrator email addresses.

    Verification steps: As alerts are generated, you should see them displayed in the Alerts workspace in the Windows Intune administration console. If notification rules have been configured, specified alert recipients should receive alert notifications.



  12. Create reports to review organizational data. Windows Intune reports provide information about the status of software updates, detected software, computer inventory, mobile device inventory, license purchases, and license installations for managed mobile devices and computers.

    Reports can help you answer a range of questions, such as how many computers have a particular application or update installed, information about the computer hardware and mobile devices in use, and even software license purchase and usage activities. Windows Intune provides a set of built-in report templates that can be used as-is, or you can create custom reports based on views within the Windows Intune workloads.

    Verification steps: Ensure that expected information is returned when you view a report in the Reports workspace of the Windows Intune administration console. If you create a new report, it should be available from the Load list on the Report page that you created it on.



Cloud-only implementation complete. After completing the implementation steps, all of the goals as listed in this solution are met as follows:

  • Mobile devices and computers can effectively be managed from the cloud-based Windows Intune administration console to configure security and compliance settings, software and hardware inventory, and software deployment.

  • Windows Intune client computers are protected from malware infections and unwanted software installations by Windows Intune Endpoint Protection.

  • Windows Intune remote wipe functionality can protect company data by wiping company data stored on mobile devices when they are lost, stolen, or retired from use.

  • Employees can access the company portal to provide self-service functions such as enrolling their own devices, accessing applications, and contacting IT.

  • Because this is a cloud-only management solution without the need for on-premises hardware, server and site system role management are eliminated.

Do you need additional, step-by-step evaluation information? If so, you should review the Windows Intune Evaluation Guide in the Documentation Library for Windows Intune. That guide is designed to help you evaluate the main features of Windows Intune by providing step-by-step instructions for you to set up your new Windows Intune evaluation environment.

Buy a subscription to Windows Intune. After evaluating Windows Intune, you should be ready to move from the free trial to a paid subscription so that you can continue providing mobile device and PC management services to your organization.

You can easily convert your free trial subscription to a paid, full subscription on the Admin page of the account portal. The full subscription lets you continue using the Windows Intune service without any interruption or loss of data. Alternatively, you can let your initial trial Windows Intune subscription expire so that you can start a new trial subscription configured to match your production needs in preparation for purchasing a full subscription to Windows Intune.

Get technical help for Windows Intune. You can review the Windows Intune Knowledge Base for known issues. Additionally, you can get phone support and email support for both non-technical issues, such as billing or subscription issues, or technical questions about the Windows Intune cloud-based service by contacting Windows Intune Support.

© 2014 Microsoft