
Prepare and set up to manage mobile devices by using Windows Intune

Updated: June 30, 2014

Applies To: Windows Intune

This walkthrough will help you configure Windows Intune so that users can enroll their Android, iOS, and Windows devices. Using this walkthrough, you also have the option of configuring Windows Intune so that Windows 8.1 devices are enrolled as mobile devices.

This document assumes that you have a Windows Intune subscription and plan to use Windows Intune as a stand-alone service. In this configuration you use the Windows Intune administrator console to manage mobile devices. If you are planning to use Configuration Manager with the Windows Intune connector to manage devices, see How to Manage Mobile Devices by Using Configuration Manager and Windows Intune.

Get help from others or provide feedback

If you have questions or feedback regarding the content of this document, you can post a message to the Windows Intune Forums.

Walkthrough steps

The following table lists the supported devices you can enroll:

 

Platform More information

Windows Phone 8 and Windows Phone 8.1

Supported for enrollment.

Windows RT and Windows RT 8.1

Supported for enrollment.

Windows 8.1

Supported for enrollment.

  • This topic covers enrolling Windows 8.1 as a mobile device. You can also manage Windows 8.1 by installing the Windows Intune client software.

iOS

Supported for enrollment.

  • The Windows Intune company portal app, which is available in the App Store, can be installed on iOS devices running iOS 6 or later.

  • You can also enroll an iOS device for management by using the m.manage.microsoft.com portal.

Android

Supported for enrollment.

  • Android devices must download the Windows Intune company portal app in order to enroll. The Windows Intune company portal app is available on Google Play.

  • Samsung KNOX is supported.

Before users can enroll their devices, configurations to support those devices must be completed outside of the Windows Intune administration console. Each mobile platform has its own external dependencies and the following sections include information for each.

Certificates and Requirements

You must have the appropriate certificates or sideloading keys to manage different mobile device platforms. The following table describes these requirements and is followed by more in-depth details for each platform.

 

Platform Requirements

Windows Phone 8 and Windows Phone 8.1

Obtain a code-signing certificate from Symantec. For a trial certificate, see Support tool for Windows Phone trial management.

  1. Join the Windows Phone Dev Center.

    1. Your Windows Phone Dev Center account is required to obtain a code signing certificate from Symantec.

    2. This certificate is needed to deploy the company portal app.

  2. Download the company portal at Windows Intune Company Portal for Windows Phone.

Windows RT, Windows RT 8.1, or Windows 8.1 devices that are not joined to the domain

There are no requirements for enrolling Windows RT and Windows devices.

However, to manage apps, you must have sideloading keys and a code-signing certificate:

  • Sideloading keys: You buy sideloading keys from Microsoft.

  • Code-signing certificate: You can use your company’s certification authority or an external certification authority.

iOS

Request an Apple Push Notification service certificate from Apple. For more information, see the “To request an Apple Push Notification Service Certificate” section in this topic.

Android

There are no requirements for enrolling Android devices.

To manage Windows Phone 8 and Windows Phone 8.1 devices, you must deploy the Windows Phone company portal app to the devices. The company portal app must be code-signed with a certificate that is trusted by Windows Phone devices. The following steps will help you get the required certificates and sign the company portal app. You will need a Windows Phone Dev Center account, and then you will need to purchase a Symantec certificate.

  1. Join the Windows Phone Dev Center. You must use a corporate account.

  2. Locate your Symantec ID by clicking Dashboard in the Windows Phone Dev Center and locate the numeric ID under Symantec Id.

  3. Purchase a certificate from the Symantec website by using your Symantec ID.

  4. After you purchase the certificate, the corporate approver that you designated in your Windows Phone Developer account will receive an email asking for approval of the certificate request. Once the request has been approved, you will receive an email that contains the instructions for importing the certificates.

  5. Read the instructions in the email carefully and import the certificates.

  6. To verify that the certificates have been imported correctly, go to the Certificates snap-in, right-click Certificates, and select Find Certificates. In the Contains field, enter “Symantec”, and click Find Now. The certificates you imported should be listed as part of the results.

    Certificate search

  7. Now that you have verified that the certificates have been imported, you can export the .pfx file so that you can sign the company portal. Using the results from the previous step, you must select the Symantec certificate with the Intended purpose as “code-signing.” Then, right-click the code-signing certificate and select Export.

    Certificate export

    In the Certificate Export Wizard, select Yes, export the private key and then click Next. Select Personal Information Exchange - PKCS #12 (.PFX) and check Include all the certificates in the certification path if possible. Complete the wizard. For more information, see How to Export a Certificate with the Private Key.

  8. Download the Windows Intune Company Portal for Windows Phone.

  9. Before you can deploy the company portal app, it must be signed by a certification authority that is trusted by Windows Phone devices. Use the XAPSignTool app that comes with the Windows Phone SDK to sign the company portal with the .pfx file you created from the Symantec certificate. For more information, see How to sign a company app by using XapSignTool.

After you successfully sign the company portal, you are ready to move to the next step. You will use the signed company portal app and certificate in the “Set up direct management of mobile devices” section of this walkthrough.
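The check in steps 6 and 7 can also be scripted before you export the .pfx file. The following PowerShell is an added example, not part of the original walkthrough; the function name Test-SigningCertificate, the store path Cert:\CurrentUser\My, and the issuer filter are assumptions. It lists the imported Symantec certificates and reports which one carries the Code Signing purpose and a private key.

```powershell
# Added example, not part of the original walkthrough.
# Assumption: the Symantec certificates were imported into the current user's
# Personal store (Cert:\CurrentUser\My); pass -StorePath if you used another store.
function Test-SigningCertificate {
    param(
        [string] $StorePath     = 'Cert:\CurrentUser\My',
        [string] $IssuerPattern = '*Symantec*',   # mirrors the "Symantec" search in step 6
        [int]    $WarnDays      = 30
    )
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage: Code Signing
    $now = Get-Date

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Issuer -like $IssuerPattern } |
        ForEach-Object {
            $cert = $_
            # Collect the Enhanced Key Usage OIDs from the certificate's extensions.
            $ekuOids = @(
                $cert.Extensions |
                    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                    ForEach-Object { $_.EnhancedKeyUsages } |
                    ForEach-Object { $_.Value }
            )
            $isCodeSigning = $ekuOids -contains $codeSigningOid
            $inValidity    = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

            [pscustomobject]@{
                Subject        = $cert.Subject
                Thumbprint     = $cert.Thumbprint
                CodeSigningEku = $isCodeSigning
                HasPrivateKey  = $cert.HasPrivateKey
                NotAfter       = $cert.NotAfter
                ExpiresSoon    = ($cert.NotAfter -lt $now.AddDays($WarnDays))
                # Only a valid code-signing certificate with its private key can sign the app.
                ReadyToExport  = $isCodeSigning -and $cert.HasPrivateKey -and $inValidity
            }
        }
}

Test-SigningCertificate | Format-List
```

Intermediate certificates from the same issuer appear in the output with ReadyToExport set to False. The exported .pfx file contains the private key, so store it and its password as you would any signing credential.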

The external dependencies for Windows RT, Windows RT 8.1, and Windows 8.1 are only necessary for app management. If you are not considering app management, you can skip this section. If you are considering app management, follow these steps:

  1. Obtain sideloading keys. Before you can sideload line-of-business apps on Windows RT, you must obtain and activate sideloading keys from Microsoft. For more information about sideloading product activation keys, see Microsoft Volume Licensing.

  2. Sign all apps. For sideloaded apps to run on Windows RT, you must use a certificate to sign all apps. You can use a third party certificate or your own company’s certification authority to sign the apps.

To enroll iOS devices, you must follow these steps to obtain an Apple Push Notification service certificate, which enables Windows Intune to securely communicate with the Apple Push Notification service.

  1. Download a Certificate Signing Request from Windows Intune. This certificate signing request lets you apply to the Apple certification authority for an Apple Push Notification service certificate.

  2. Request an Apple Push Notification service certificate from the Apple website.

  1. In the Windows Intune administration console, click Administration > Mobile Device Management > iOS. Then click the link to Upload an APNs Certificate.

  2. Click Download the APNs certificate request. When the Save As dialog box opens, save the CSR (Certificate Signing Request) file. You will be using the .CSR file to request an APNs certificate in the next procedure.

  1. Connect to the Apple Push Certificates Portal.

  2. Sign in by using your corporate credentials and complete the wizard by uploading the Certificate Signing Request you downloaded in the previous procedure.

    Important
    Make sure that you use a company account to obtain the Apple Push Notification service certificate. In the future, when you go back to the site to renew the certificate, make sure that you use the same account or you will have to unenroll and then re-enroll devices.

    Tip
    If you use Internet Explorer to download the APNs certificate, you may receive an error saying that the file is not valid when you try to upload it in the Windows Intune administrator console. In order to download the file properly with Internet Explorer:

    • After you create the certificate and are prompted to save or open the file, click Cancel.

    • Sign out of the Apple Push Certificates Portal and sign in again.

    • On the Certificates for Third-Party Servers page, download the most recent APNs certificate that was created.

    • In the Windows Intune administrator console, click Upload the APNs certificate and browse to the MDM_Microsoft_Corporation_Certificate.pem file that you downloaded previously.

    We recommend that you enter your Apple ID when prompted. Doing so saves the Apple ID that you used to create the certificate in Windows Intune, so that upon annual renewal, Windows Intune can remind you which Apple ID you used.

After you obtain the APNs certificate, you have fulfilled the prerequisites for managing iOS devices.

For Android devices, users must download the Windows Intune Company Portal from Google Play, which lets them enroll Android devices for direct management.

To manage users’ mobile devices, you must first provision the users in Windows Intune. The process of provisioning adds users to your subscription and assigns Windows Intune licenses to users. If you do not assign licenses to users, you will not be able to manage their devices. To add users, see Task 3: Add users and assign licenses for your subscription. To assign licenses, see “To assign or revoke a license” at Task 4: Manage Windows Intune licenses for users.

A DNS alias (CNAME record type) is required for Windows 8.1 and Windows RT 8.1 and optional for all other device platforms. A DNS Alias makes it easier for users to enroll their devices by not asking users for the server name during enrollment. When you configure a CNAME in DNS, it must redirect EnterpriseEnrollment.<company domain name>.com to manage.microsoft.com. For example, if your company’s name is Contoso, you have to create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to manage.microsoft.com.

  1. Verify your domain in the Windows Intune account portal.

  2. Create a CNAME resource record for the verified domain in the public DNS; this lets users enroll their devices without manually specifying the address of the Windows Intune enrollment server. If there is more than one verified domain, you must create a CNAME record for each domain. The CNAME resource record must contain the following information:

    • Alias name: enterpriseenrollment

    • Fully qualified domain name (FQDN) for the target DNS host: manage.microsoft.com

    For information about how to create a CNAME resource record, see Add an Alias (CNAME) Resource Record to a Zone.
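Because devices locate the enrollment server through this alias, it is worth confirming that every verified domain resolves to the expected target and nothing else. The following PowerShell is an added example, not part of the original walkthrough; the function name Test-EnrollmentCname and the second domain in the sample list are constructed for illustration.

```powershell
# Added example, not part of the original walkthrough.
# Checks that enterpriseenrollment.<domain> is a CNAME to manage.microsoft.com.
function Test-EnrollmentCname {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $ExpectedTarget = 'manage.microsoft.com',
        [string] $Server   # optional: query a specific (for example, public) resolver
    )
    $alias = "enterpriseenrollment.$Domain"
    # -DnsOnly keeps LLMNR and NetBIOS out of the answer, so only DNS is consulted.
    $query = @{ Name = $alias; Type = 'CNAME'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $query.Server = $Server }

    try {
        $records = @(Resolve-DnsName @query)
    } catch {
        # The name does not exist or the query failed.
        return [pscustomobject]@{ Alias = $alias; Target = $null; Status = 'NoRecord' }
    }

    # A name without a CNAME returns only authority data (SOA), which has no NameHost.
    $cname = $records |
        Where-Object { $_.Section -eq 'Answer' -and $_.NameHost } |
        Select-Object -First 1
    if (-not $cname) {
        return [pscustomobject]@{ Alias = $alias; Target = $null; Status = 'NoCname' }
    }

    $target = $cname.NameHost.TrimEnd('.')
    # String comparison with -eq is case-insensitive, as DNS names are.
    $status = if ($target -eq $ExpectedTarget) { 'OK' } else { 'Mismatch' }
    [pscustomobject]@{ Alias = $alias; Target = $target; Status = $status }
}

# Constructed sample list: replace with your own verified domains.
$verifiedDomains = 'contoso.com', 'fabrikam.example'
$verifiedDomains | ForEach-Object { Test-EnrollmentCname -Domain $_ } | Format-Table -AutoSize
```

A Mismatch result means enrollment requests for that domain are being directed to a host other than the Windows Intune enrollment server, so correct the record before asking users to enroll.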

You can set up policy for mobile devices before the devices enroll so that policy is applied shortly after they enroll. For more information, see Configure policy for mobile devices in Windows Intune.

Windows Intune provides a common service infrastructure that supports multiple configurations. The mobile device management authority specifies which configuration you use to manage mobile devices.

Important
After it is set, the mobile device management authority cannot be changed.

 

| Configuration | Where to set the authority | More information |
| --- | --- | --- |
| Windows Intune stand-alone | Windows Intune administrator console | Continue with the next step, “To set the mobile device management authority for Windows Intune” |
| System Center 2012 Configuration Manager | Configuration Manager console | How to Manage Mobile Devices by Using Configuration Manager and Windows Intune |

  1. In the Windows Intune administration console, click Administration > Mobile Device Management.

  2. In the Tasks list, click Set Mobile Device Management Authority.

  3. The Set MDM Authority dialog box appears. You cannot change this selection at a later time. If you want to use the Windows Intune console to manage mobile devices, select the check box and click Yes.

Now that you have set Windows Intune as the mobile device management authority, you can configure Windows Intune for direct management of mobile devices.

You must enable each mobile device platform before users can enroll their devices.

Before setting up direct management for Windows Phone 8 and Windows Phone 8.1, you must have completed the Prerequisites. At this point you must have the Windows Intune company portal app signed with your certificate from Symantec.

  1. In the Windows Intune administration console, click Administration > Mobile Device Management > Windows Phone.

  2. Under Step 1: Enrollment Server Address, type the name of the verified domain, and then click Test Auto-Detection.

  3. Click Upload Signed App File and sign in to the Windows Intune Software Publisher Wizard.

  4. On the Software setup page for Specify the location of the software setup files, browse to the signed Windows Intune company portal app that you signed when you completed the prerequisites.

  5. Add the .pfx file that you exported in the Windows Phone prerequisites to Code-signing certificate and create a password for the certificate.

  6. On the Software description page, complete the fields and keep in mind that users will see this information on their devices.

  7. Complete the wizard.

All users who enroll will now get the company portal app on their devices.

If you are planning to manage apps for Windows RT, Windows RT 8.1, and Windows 8.1, you will need sideloading keys and must be able to code-sign the apps. For more information, see the Prerequisites.

  1. In the Windows Intune administration console, click Administration > Mobile Device Management > Windows.

  2. Under Step 1: Enrollment Server Address, type the name of the verified domain, and then click Test Auto-Detection.

Sideloading keys for app deployment
If you plan to sideload apps, you must add sideloading keys to Windows Intune. Although sideloaded apps do not have to be certified by the Windows Store or installed through the Windows Store, they can only be installed on sideloading-enabled devices.

To enable a Windows device for sideloading, you must first obtain sideloading product activation keys. For information about how to obtain sideloading product activation keys, see Microsoft Volume Licensing. After you obtain sideloading product activation keys, complete these steps in the Windows Intune administrator console to add the keys:

  1. In the Windows Intune administration console, click Administration > Mobile Device Management > Windows.

  2. Under Step 2: Add Sideloading keys, click Add Sideloading Key.

  3. In the Add Sideloading Key dialog box, enter a name, the sideloading product activation key, the number of total activations, and an optional description, and then click OK.

Line-of-business apps you will distribute to Windows users must be signed with a certification authority that is trusted by the users’ devices:

  • You can obtain a non-Microsoft public certificate.

  • You can use a code-signing certificate from your organization’s certification authority.

For information, see Acquire a Code Signing Certificate. If you use a code-signing certificate from your organization’s certification authority, you must upload a code-signing certificate to Windows Intune so that it can be distributed to Windows devices:

Note
Windows Intune only retains one copy of the code-signing certificate. You cannot uninstall a code-signing certificate that was previously installed through Windows Intune.

  1. In the Windows Intune administration console, click Administration > Mobile Device Management > Windows.

  2. Under Step 3: Upload Code-Signing Certificate (Optional), click Modify Code-Signing Certificate.

  3. In the Upload a Code-Signing Certificate dialog box, click Browse, specify the code-signing certificate file to use, and then click Upload.

Before you set up direct management for iOS, you must have completed the Prerequisites. After you complete the prerequisites, you will have the APNs certificate from Apple.

  1. In the Windows Intune administration console, click Administration > Mobile Device Management > iOS.

  2. Click the task Upload an APNs Certificate and select the APNs Certificate that you downloaded as part of the iOS prerequisites.

Now that you have set up direct management for mobile devices, you can start enrolling devices.

No further configuration in Windows Intune is necessary. Users will need to download the Android Windows Intune company portal app to enroll their devices.

You are now ready to enroll and manage mobile devices. The first action you take is to have your users enroll their devices using the company portal. For more information, see Enroll mobile devices using the Windows Intune Company Portal.

In the table that follows, we have included links to common tasks that you will use to manage devices.

 

| Action | More information |
| --- | --- |
| Enroll devices | Enroll mobile devices using the Windows Intune Company Portal |
| Manage stolen or lost mobile devices by using retire, wipe, lock, or passcode reset. | Help protect your data with Remote Wipe, Remote Lock, or Passcode Reset Using Windows Intune |
| Deploy apps on mobile devices | Deploy software to mobile devices in Windows Intune |
| Secure your company’s data by enforcing security policy on mobile devices. | Configure policy for mobile devices in Windows Intune |
| Monitor devices that are directly managed by Windows Intune | Monitoring mobile devices by using Windows Intune |

© 2014 Microsoft