Streamlined management for mobile devices and computers in a hybrid environment
Updated: August 15, 2014
Who is this guide intended for? Companies that need to manage on-premises and remote mobile devices and PCs by using their existing Configuration Manager infrastructure, so that they can support employee demand to access corporate resources from these devices.
How can this guide help you? This guide provides a prescriptive, tested design that explains how to:
Upgrade your existing on-premises Configuration Manager infrastructure and extend it to the cloud to let your users work remotely from the device of their choice.
Unify PC and mobile device management into a single infrastructure.
Maintain corporate compliance for all devices.
Protect corporate data.
In this solution:
The following diagram illustrates the problem that this solution guide is addressing.
Diagram 1: High-level overview of the problem.
This section describes the scenario, problem, and goals for an example organization.
This solution uses an example company that employs more than 5,000 people who bring their Windows Phone 8, Windows RT, iOS, and Android personal devices to work. Currently, they have no way to access company resources from these devices.
The company uses Microsoft System Center Configuration Manager 2007 SP2 to manage PCs for users who are on-premises and who remotely connect to the corporate network by VPN. The company can’t manage mobile devices.
The infrastructure of the company’s environment contains:
Windows Server 2008 R2
Windows Server 2008 R2 Active Directory
Configuration Manager 2007 SP2
PCs that are joined to the domain and managed by Configuration Manager
The following diagram illustrates the current environment for the company.
Diagram 2: High-level overview of the current environment
The current device management infrastructure does not support the example company’s growing needs:
They manage PCs in their current environment, but can’t manage mobile devices.
They provide some employees with corporate-owned mobile devices. Other employees want to use their personal devices at work.
The company is also concerned about the resources required to manage all these devices. It is expensive to support many PCs, devices, and applications, and device management can tie up IT 24/7.
The company needs to manage risk and make sure all devices, both corporate and personal, comply with security guidelines.
Device management is a security risk to corporate assets and information. As soon as employees work on a device that IT doesn’t manage (or even know about), it becomes very difficult to retain control of sensitive corporate information.
IT can’t do anything if the device is sold, lost, or stolen.
The example company is looking for a solution that allows them to do the following:
Use their existing Configuration Manager infrastructure. IT has invested a lot of resources into their current infrastructure and doesn’t want to start over.
Let employees use personal devices as well as company devices to access corporate applications and data. These include PCs and mobile devices.
Manage PCs and personal devices from a single administrator console. Managing devices includes setting security and compliance settings, gathering software and hardware inventory, or deploying software.
Deploy applications or web links based on device type, and whether the device is personal or owned by the company.
Protect the company by wiping corporate data stored on the mobile device when it is lost, stolen, or retired from use.
To solve their business problem and meet their organization goals, the company needs to:
Install a new System Center 2012 R2 Configuration Manager stand-alone primary site at their headquarters and install distribution points at remote locations.
Migrate objects and distribution points from their existing Configuration Manager 2007 SP2 infrastructure to System Center 2012 R2 Configuration Manager.
Subscribe to Windows Intune and configure the Windows Intune connector in Configuration Manager to integrate with Windows Intune.
Synchronize their domain user accounts to Windows Azure, since Windows Intune is a cloud service. This allows them to manage the users who can access company resources from their mobile devices.
Use Password Sync to allow users to use their on-premises domain user name and password for cloud services.
The following diagram illustrates how the elements in this solution communicate with each other.
Diagram 3: High-level overview of the solution
Solution design elements and why each is included in this solution:
System Center 2012 R2 Configuration Manager: Provides secure and scalable software deployment, compliance settings management, and comprehensive asset management of servers, desktops, laptops, and mobile devices (when Windows Intune is integrated).
Windows Intune: Manages mobile devices over the internet. When integrated with System Center 2012 R2 Configuration Manager, you can manage both PCs and mobile devices from the Configuration Manager console.
Windows Azure Active Directory (AD): A service that provides identity and access capabilities for on-premises and cloud applications.
Windows Azure directory synchronization (DirSync): Synchronizes on-premises AD users with Windows Azure AD.
Password Sync: Allows users to use the same user name and password for on-premises and cloud services.
System Center 2012 R2 Configuration Manager can extend the company’s ability to manage PCs on-premises to the cloud by integrating Windows Intune. And, by using Configuration Manager with Windows Intune, the company can manage both their on-premises PCs and mobile devices from a single console. They also want to reduce IT overhead.
So, the company will install a System Center 2012 R2 Configuration Manager stand-alone primary site located at their headquarters and distribution points at remote locations.
Then, they will migrate objects from their Configuration Manager 2007 SP2 environment to System Center 2012 R2 Configuration Manager.
The company chose to migrate for the following reasons:
Integrated solution: The company wants an integrated solution that lets them manage both PCs and mobile devices from a single console. System Center 2012 R2 Configuration Manager with Windows Intune provides this integrated solution.
Simplified hierarchy: With System Center 2012 R2 Configuration Manager, they determined that they no longer need a secondary site at each remote location as shown in the following diagrams.
Diagram 3: Existing hierarchy, Configuration Manager 2007
Diagram 4: New hierarchy, System Center 2012 R2 Configuration Manager
Key drivers for the simplified hierarchy:
Role-based administration: In System Center 2012 R2 Configuration Manager, role-based administration lets the company design and implement administrative security for the System Center 2012 R2 Configuration Manager hierarchy by using any or all of the following:
These settings combine to define an administrative scope for an administrative user. The administrative scope controls the objects that an administrative user can view in the Configuration Manager console and the permissions that user has on those objects. See Planning for Role-Based Administration.
Content management: In System Center 2012 R2 Configuration Manager, the company can configure the network bandwidth used to transfer content to distribution points and prestage content on distribution points at remote locations. See Network Bandwidth Considerations for Distribution Points.
Migrated objects: The company can use migration tools to migrate objects from Configuration Manager 2007 SP2 to the System Center 2012 R2 Configuration Manager hierarchy. The company’s IT has invested a significant amount of time creating Configuration Manager objects, such as collections, task sequences, configuration items, and so on. By using migration, they will continue to benefit from this investment.
Latest features: The company is also interested in new features in System Center 2012 R2 Configuration Manager that are not directly related to this solution. See What’s New in System Center 2012 R2 Configuration Manager.
The Windows Intune service provides cloud-based management of mobile devices. The company will subscribe to Windows Intune, and then integrate Windows Intune with System Center 2012 R2 Configuration Manager to manage both PCs and mobile devices from the Configuration Manager console.
A subscription to Windows Intune supports the company’s goal for an integrated solution to manage both PCs and mobile devices.
The company considered third-party mobile device management solutions. None of these solutions provide the integrated experience they want. Nor do they want to switch products and incur training and implementation costs.
As an additional benefit, the company can use the user account from their Windows Intune subscription when they subscribe to Microsoft Office 365 a few months later.
If your company is already using Microsoft Online Services for services such as Microsoft Office 365, use the same user account when you subscribe to Windows Intune. This allows you to use the same group of users across all the services in your organization’s Windows Azure AD tenant. If you do not select the option to sign in using your existing user account, a new Windows Azure AD tenant is created for you. You will then need to add users to the new tenant.
Windows Intune uses Windows Azure AD to store user accounts. Microsoft cloud services, such as Windows Intune and Office 365, rely on the identity management capabilities provided by Windows Azure AD.
The company will use Windows Azure directory synchronization (DirSync) to synchronize on-premises Windows Server AD users with Windows Azure AD. Directory synchronization is intended as an ongoing relationship between on-premises AD and cloud-based Windows Azure AD. The company chose DirSync to:
Reduce administration costs: Without DirSync, the company would have had to manually add their user and group accounts to Windows Azure AD. DirSync synchronizes the user accounts from on-premises Windows Server AD to Windows Azure AD. After you activate directory synchronization, you can edit synchronized objects in your on-premises environment and these edits will synchronize with your Windows Intune subscription, which reduces administrative costs.
Improve productivity: By automating the process of synchronizing user and group accounts, the company can significantly reduce the amount of time it takes to make cloud-based services accessible for their employees.
When planning for directory synchronization, the company considered hardware requirements, administrator permissions, performance considerations, and so on. These requirements are documented in Prepare for directory synchronization.
User authentication must be configured, or the company’s employees will have to use a different user name and separate passwords to access cloud and on-premises services. The company decided that they must have user authentication to avoid the additional administrative overhead of managing initial and ongoing password changes, and to provide a better user experience. They decided to use Password Sync for user authentication.
The company considered the following authentication methods for employee access to cloud and on-premises resources with the same credentials:
Password Sync is a lightweight option that provides users with an experience that is similar to single sign-on and is very easy to deploy. Password Sync is an option that you can select within DirSync that allows DirSync to store a hash of the password in Windows Azure AD. When password sync is enabled on your directory sync computer, your users will be able to sign in to Microsoft cloud services, such as Office 365, Dynamics CRM, and Windows Intune, using the same password that they use when logging in to your on-premises network. When your users change their passwords in your corporate network, those changes are synchronized to the cloud.
However, Password Sync does not provide the single sign-on (SSO) solution that you get when using AD FS. Users will need to re-enter their credentials each time they access a cloud service. See:
Active Directory Federation Services (AD FS) provides a true single sign-on (SSO) experience working together with Active Directory authentication protocols. The on-premises Active Directory and AD FS interact with the Windows Azure AD identity platform to provide access to one or more Microsoft cloud services. When SSO is configured, a federated trust is created between the domain and the Windows Azure AD authentication system. Users can authenticate with cloud services and on-premises services by using the same user name and password for both. After a user is authenticated, they are not prompted again for credentials when they access a cloud service.
The company decided to use Password Sync for user authentication for a couple of reasons. Password Sync is very easy to configure in DirSync, which they already plan to use to synchronize their on-premises user accounts. They also plan to upgrade their domain controllers to Windows Server 2012 R2 within the next six months. AD FS is a site role in Windows Server 2012 R2 and has a lot of new features. The company plans to implement AD FS when they upgrade their domain controllers. For more information about implementing AD FS in Windows Server 2012 R2, see:
The company decided to use Password Sync for user authentication. However, you might decide to implement AD FS for SSO in your environment. See:
AD FS design considerations: AD FS 2.0 Design Guide
Using AD FS for SSO: Checklist: Use AD FS to implement and manage single sign-on
The company decided not to upgrade their on-premises AD as part of this solution, but plans to upgrade in the next 6 months.
The company’s IT proposed that their on-premises AD be upgraded as part of the solution. In Windows Server 2012 R2, AD has been enhanced with the following functionality:
Device registration. IT administrators can allow a device to be registered, which associates the device with the company’s Active Directory. This association can be used as a seamless second-factor authentication.
Single sign-on (SSO) from devices that are associated with the company’s Active Directory.
Web Application Proxy, which allows users to connect to applications and services from anywhere.
Multi-Factor Access Control and Multi-Factor Authentication (MFA), which manage the risk of users working from anywhere and accessing protected data from their devices.
Work folders, which provide users a location to store and access work files on PCs and devices.
While the company’s management team agreed that the new features were valuable, they couldn’t approve the resources to upgrade AD as part of this solution. The management team wants to upgrade their on-premises AD in the next six months.
When you are ready to upgrade your on-premises AD and implement AD FS, see Secure access to company resources from any location on any device.
This section provides the steps that the company took to implement the solution. If you follow these steps, make sure to verify the correct deployment of each step before proceeding to the next step.
Subscribe to Windows Intune.
Create a Windows Intune subscription on the Windows Intune web site.
If you already have a user account for another cloud service, such as Office 365, you can click Sign in to enter the account credentials. This allows you to share the same group of users across all the services in your organization’s Windows Azure AD tenant.
Verification steps: After you complete the sign-up process, an email is sent to the email address that you provided. Click the link that is included in that email or go to the Windows Intune account portal at https://account.manage.microsoft.com and verify that you can sign in.
Configure your public domain.
Get a public domain. To use the Windows Intune service you also need a public organization domain name that is verifiable through a domain name registration service. Add and verify your public domain in the Windows Intune account portal at https://account.manage.microsoft.com under the Domains node.
Ensure the public domain has been added as an alternate UPN suffix in on-premises Active Directory. Users must have the same public domain User Principal Name (UPN) in the cloud and the on-premises Active Directory to enroll mobile devices. You must verify that your users have a public domain UPN before you configure directory synchronization. If you skip this step, users may get “onmicrosoft.com” appended to their cloud UPN, which will cause a mismatch with on-premises Active Directory user names. See Add User Principal Name Suffixes.
Add a CNAME record in DNS that points enterpriseenrollment.<publicdomain> to manage.microsoft.com. The CNAME record is used later as part of the enrollment process. See Add an Alias (CNAME) Resource Record to a Zone.
Check the Domains page of the Windows Intune account portal to make sure the public domain is listed and verified.
Look at the properties of a user account in your on-premises Active Directory to ensure the UPN is listed with the public domain name.
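The three checks above (UPN suffix present in the forest, every user carrying a public-domain UPN, and the enrollment CNAME in place) can be scripted. The following PowerShell is an added example, not code from the original guide or from Microsoft; it assumes RSAT with the ActiveDirectory and DnsClient modules on the admin workstation, and the `$PublicDomain` value is a placeholder you replace with your own verified domain.

```powershell
# Added example (not part of the original guide): pre-DirSync checks for the public domain.
# Assumes RSAT (ActiveDirectory and DnsClient modules) on the workstation it runs from.
param(
    [string]$PublicDomain = 'contoso.example'   # placeholder: replace with your verified public domain
)
Import-Module ActiveDirectory

# 1. The public domain must be registered as an alternate UPN suffix in the forest.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $PublicDomain) {
    Write-Warning "'$PublicDomain' is not an alternate UPN suffix in forest $($forest.Name). Add it before configuring directory synchronization."
}

# 2. Every enabled user to be synchronized needs a UPN in the public domain. Any other
#    suffix gets 'onmicrosoft.com' appended in the cloud, which will not match on-premises.
$mismatched = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -notlike "*@$PublicDomain" }
if ($mismatched) {
    Write-Warning "$(@($mismatched).Count) enabled user(s) do not have an @$PublicDomain UPN:"
    $mismatched | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize
}

# 3. The enrollment CNAME must resolve to manage.microsoft.com.
$cname = Resolve-DnsName -Name "enterpriseenrollment.$PublicDomain" -Type CNAME -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'CNAME' }
if (-not $cname -or $cname.NameHost -ne 'manage.microsoft.com') {
    Write-Warning "CNAME enterpriseenrollment.$PublicDomain does not point to manage.microsoft.com (found: '$($cname.NameHost)')."
}
else {
    "CNAME enterpriseenrollment.$PublicDomain -> $($cname.NameHost) OK"
}
```

Run it before the DirSync configuration wizard; the UPN report is the one to act on first, because a mismatch found after the initial sync shows up as "onmicrosoft.com" cloud names that must be corrected on-premises (Set-ADUser -UserPrincipalName) and re-synchronized.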
Provide secure easy access for users by using DirSync with Password Sync.
You can configure Password Sync from your Windows Intune Account portal at https://account.manage.microsoft.com. In the Users node of the portal, click Active Directory synchronization: Set up, and then follow the steps outlined in Set up and manage Active Directory synchronization. You enable Password Sync when running the Directory Sync tool Configuration Wizard by selecting Enable Password Synchronization.
Verification steps: Check in the Windows Intune Account portal at https://account.manage.microsoft.com to view user accounts.
Install your System Center 2012 R2 Configuration Manager site or hierarchy.
After planning for their System Center 2012 R2 Configuration Manager hierarchy, the company decided they will install a stand-alone primary site at their headquarters and install distribution points at their remote locations. You might determine that your hierarchy requires a different configuration. Use the following steps to install your System Center 2012 R2 Configuration Manager site or hierarchy:
Identify a server that meets both the software and hardware prerequisites to host a Configuration Manager primary site. See Planning for Hardware Configurations for Configuration Manager.
Review the required software and supported operating systems for hosting a Configuration Manager site. See Site System Requirements.
Configure your Windows environment to support System Center 2012 R2 Configuration Manager. See Prepare the Windows Environment for Configuration Manager.
Install a System Center 2012 R2 Configuration Manager site. See Install Sites and Create a Hierarchy for Configuration Manager. For this solution, the company will install a stand-alone primary site and will skip steps to install a central administration site or secondary site. As you go through the topic, choose sites appropriate for your environment.
Install a distribution point at remote locations. The example company has determined that they can use a distribution point at each of their remote locations instead of using a secondary site at each location. For details about installing and configuring a distribution point, see Configuring Content Management in Configuration Manager.
On the primary site server computer, monitor progress in the Setup wizard. The Configuration Manager Setup wizard displays the result of each site installation task. After all installation tasks are complete, you can close the wizard. However, after the site installation is complete, the Setup wizard continues to display information about ongoing configurations for the site, which you can monitor if you do not close the wizard. Closing the Setup wizard does not affect these ongoing configurations, which continue to run in the background after the wizard is closed. Review the ConfigMgrSetup.log to verify that the site installed successfully.
Configure management features and functions.
After you install your site or hierarchy, configure the site to support the management features and functions of System Center 2012 R2 Configuration Manager you want to use. You must configure Active Directory User Discovery before you configure the Windows Intune subscription or install the Windows Intune Connector site system role in step 8. See:
Migrate to System Center 2012 R2 Configuration Manager.
When you migrate objects from your Configuration Manager 2007 source hierarchy, you access data from the site databases that you identify in the source infrastructure and then copy that data to the System Center 2012 R2 Configuration Manager hierarchy. Migration does not change the data in the source hierarchy. It discovers the data and stores a copy in the database of the destination hierarchy. See Migrating Hierarchies in System Center 2012 Configuration Manager.
To migrate your Configuration Manager 2007 data to System Center 2012 R2 Configuration Manager:
Specify your Configuration Manager 2007 SP2 hierarchy as the source hierarchy for migration. By default, the top-level site of that hierarchy becomes a source site of the source hierarchy. After data is gathered from the initial source site, you can then configure additional source sites for migration.
Configuration Manager starts to gather data from the source site immediately after you specify a source hierarchy, configure credentials for each additional source site in a source hierarchy, or share the distribution points for a source site. By default, the data gathering process repeats every four hours so that Configuration Manager can identify changes to data in the source hierarchy that you might want to migrate. Data gathering is also necessary to share distribution points from the source hierarchy to the destination hierarchy. See Configuring Source Hierarchies and Source Sites for Migration to System Center 2012 Configuration Manager.
Create migration jobs to migrate data between the source and destination hierarchy. Use migration jobs to configure the specific data that you want to migrate to your System Center 2012 R2 Configuration Manager environment. Migration jobs identify the objects that you plan to migrate, and they run at the top-level site in your hierarchy. See Create and Edit Migration Jobs for System Center 2012 Configuration Manager.
Monitor migration jobs. Monitor the progress of migration jobs in the System Center 2012 R2 Configuration Manager console. See Monitor Migration Activity in the Migration Workspace.
Upgrade shared distribution points. You can upgrade a supported distribution point that is shared from your Configuration Manager 2007 source site to be a distribution point in the destination hierarchy. See Upgrade or Reassign a Shared Distribution Point in System Center 2012 Configuration Manager.
Migrate Configuration Manager 2007 clients to System Center 2012 R2 Configuration Manager. After you migrate data for clients between hierarchies but before you complete migration, plan to migrate clients to the destination hierarchy. To migrate clients between hierarchies, install the Configuration Manager client software from the destination hierarchy. The Configuration Manager client is uninstalled, and the System Center 2012 R2 Configuration Manager client is installed and assigned to the primary site. See Planning a Client Migration Strategy in System Center 2012 Configuration Manager.
Complete the migration process: When your Configuration Manager 2007 hierarchy no longer contains data that you want to migrate to your destination hierarchy, you can complete the migration process. To do so:
Make sure that you have successfully migrated all of the resources from the source hierarchy that you require in the destination hierarchy. This can include data and clients.
Stop gathering data from each source site in your Configuration Manager 2007 hierarchy. To do so, run the Stop Gathering Data action on the bottom tier source sites, and then repeat the process at each parent site. The top-level site of the source hierarchy must be the last site on which you stop gathering data. You must stop data gathering at each child site before performing this action on a parent site. After you stop gathering data, you can no longer share distribution points between the source and destination hierarchies.
Clean up migration data. To do so, use the Clean Up Migration Data action. This optional action removes data about the current source hierarchy from the database of the destination hierarchy. Until you clean up migration data, each migration job that has run or that is scheduled to run remains accessible in the Configuration Manager console. When you clean up migration data, most data about the migration is removed from the database of the destination hierarchy. See Complete Migration in System Center 2012 Configuration Manager.
Verification steps: Migration consists of several distinct actions or phases, and extends over a period of time until you decide to complete the migration process. Therefore, there is no single verification step or process you can review to confirm that migration is complete. Instead, you can verify results as they display in the System Center 2012 R2 Configuration Manager console when actions for each phase run or complete.
Decommission your Configuration Manager 2007 hierarchy: After you complete migration from a source hierarchy and that hierarchy no longer contains resources that you manage, you can decommission the sites in the source hierarchy and remove the related infrastructure from your environment. See Configuration Manager Tasks for Decommissioning Sites and Hierarchies.
Get certificates or keys for mobile devices
The company must have certificates or sideloading keys before they can enroll mobile devices. The types of mobile devices that you have in your environment will determine what certificates or sideloading keys you will need. See Obtain Certificates or Keys to Meet Prerequisites per Platform.
Configure the Windows Intune subscription and install the Windows Intune Connector site system role on the top-level site.
Before the company can use Configuration Manager to manage mobile devices, they must configure their Windows Intune subscription and install the Windows Intune connector site system role on their top-level site server. They will configure their stand-alone primary site. If you have a more complex hierarchy, configure your central administration site.
Configure your Windows Intune subscription. See Configuring the Windows Intune Subscription.
Install the Windows Intune connector. See The Windows Connector Site System Role.
On the primary site server computer, review the sitecomp.log to verify that the Windows Intune connector site system role installed successfully.
On the computer where you install the Windows Intune connector, review the cloudusersync.log to verify that users from your domain have successfully synchronized to Windows Intune.
On the primary site server computer, review the CertMgr.log to confirm that the computer where you installed the Windows Intune connector shares the connector certificate. The certificate is shared after the installation of the Windows Intune connector site system role is complete.
On the computer where you install the Windows Intune connector, review the dmpuploader.log to verify that the connector site system role can upload policy and configuration changes to the Windows Intune service.
On the computer where you install the Windows Intune connector, review the dmpdownloader.log to verify that the Windows Intune connector is able to download messages from Windows Intune. This log might only show a ping at the beginning of the download process and it might take some time before entries related to downloads are logged.
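The five log reviews above all read Configuration Manager logs in the same CMTrace entry format, where each entry carries a `type` attribute (1 = informational, 2 = warning, 3 = error). The following PowerShell is an added example, not code from the original guide or from Microsoft: it parses that format, shows the parser on a constructed sample entry, and then summarizes each of the named logs when it is present. The log folder path is an assumption (the default site server Logs folder); adjust `$LogDir` for the computer you are checking.

```powershell
# Added example (not part of the original guide): parse CMTrace-format Configuration Manager
# logs and report error entries for the Windows Intune connector verification steps.
function Get-CMTraceEntry {
    param(
        [Parameter(Mandatory = $true)][string]$Text,
        [string]$Source = ''
    )
    # One entry looks like:
    # <![LOG[message]LOG]!><time="..." date="..." component="..." context="..." type="N" thread="..." file="...">
    # Entries can span several lines, so match across the whole text with Singleline.
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)"'
    foreach ($m in [regex]::Matches($Text, $pattern, 'Singleline')) {
        $severity = switch ([int]$m.Groups['type'].Value) {
            1 { 'Info' }
            2 { 'Warning' }
            3 { 'Error' }
            default { 'Unknown' }
        }
        [pscustomobject]@{
            Source    = $Source
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['comp'].Value
            Severity  = $severity
            Message   = $m.Groups['msg'].Value.Trim()
        }
    }
}

# Constructed sample entries (not a real log) so the parser can be exercised offline.
$sample = @'
<![LOG[Starting component SMS_CLOUD_USERSYNC.]LOG]!><time="10:15:32.123+000" date="08-15-2014" component="SMS_SITE_COMPONENT_MANAGER" context="" type="1" thread="1234" file="sitecomp.cpp:100">
<![LOG[Failed to install component SMS_DMP_UPLOADER (placeholder error text).]LOG]!><time="10:15:40.456+000" date="08-15-2014" component="SMS_SITE_COMPONENT_MANAGER" context="" type="3" thread="1234" file="sitecomp.cpp:200">
'@
'Errors in the constructed sample:'
Get-CMTraceEntry -Text $sample -Source 'sample' |
    Where-Object { $_.Severity -eq 'Error' } |
    Format-Table Source, Date, Time, Component, Message -AutoSize

# Summarize the real logs named in the verification steps, when they exist on this computer.
$LogDir = 'C:\Program Files\Microsoft Configuration Manager\Logs'   # assumption: default log folder
foreach ($name in 'sitecomp.log', 'cloudusersync.log', 'CertMgr.log', 'dmpuploader.log', 'dmpdownloader.log') {
    $path = Join-Path -Path $LogDir -ChildPath $name
    if (-not (Test-Path -Path $path)) { "$name not found under $LogDir"; continue }
    $entries = @(Get-CMTraceEntry -Text (Get-Content -Path $path -Raw) -Source $name)
    $errors  = @($entries | Where-Object { $_.Severity -eq 'Error' })
    $last    = $entries | Select-Object -Last 1
    '{0}: {1} entries, {2} errors, last entry {3} {4}' -f $name, $entries.Count, $errors.Count, $last.Date, $last.Time
    $errors | Format-Table Date, Time, Component, Message -AutoSize
}
```

The per-log summary line is the quick check: a recent last-entry timestamp on dmpdownloader.log with zero errors is what you expect once the connector is polling the service, keeping in mind the guide's note that this log may show only a ping for some time before download entries appear.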
Enroll mobile devices.
Enrollment establishes a relationship between the user, the mobile device, and the Windows Intune service. Users enroll their own mobile devices. Android devices are not enrolled, but can be managed by using the Exchange Server connector. See Mobile Device Enrollment.
Install the System Center 2012 R2 Configuration Manager console.
By default, when you install a primary site, the Configuration Manager console also installs on the primary site server computer. After the site installs, you can install additional System Center 2012 R2 Configuration Manager consoles on computers to manage the site. See Install a Configuration Manager Console.
Manage your PCs and mobile devices.
After you install and make the basic configurations for your site, you can begin to configure management of your PCs and mobile devices. The following are typical features or functionality that you might configure:
Use hardware inventory to collect information about the hardware configuration of client devices in your organization.
Use software inventory to collect information about files that are contained on client devices in your organization. Additionally, software inventory can collect files from client devices and store these on the site server.
Use Asset Intelligence to inventory and manage software license usage throughout your enterprise and improve the breadth of information that is collected about hardware and software.
Use compliance settings to manage the configuration and compliance of servers, laptops, desktop computers, and mobile devices in your organization.
Use company resource access to provide users in your organization access to data and applications from remote locations by configuring the following:
Use remote connection profiles to allow your users to remotely connect to work computers when they are not connected to the domain or if their personal computers are connected over the Internet.
Use application management to manage applications in your enterprise for both Configuration Manager administrative users and client device users.
Use software updates to monitor compliance and deploy software updates to computers in your enterprise.
Use this walkthrough for the steps to let you manage Windows Phone 8, Windows RT, iOS, and Android devices by using the Windows Intune service over the Internet.
You can do a full wipe on Windows Phone 8, iOS, and Android devices to restore the device to factory settings. Or, you can do a selective wipe that only removes company content.