Export (0) Print
Expand All

Manage mobile devices with Microsoft Intune

 

Updated: July 2, 2015

Applies To: Microsoft Intune

Intune can help you protect and manage devices while allowing users to access company email, data and apps. Because it is cloud-based, you can administer devices from any supported web browser. You can use Intune to manage mobile devices including phones and tablets running Android, iOS, Windows Phone, and Windows RT operating systems. Computers running Windows 8.1 can be managed as mobile devices or as computers using the Intune client software.

Intune can manage mobile devices in a number of ways:

This topic assumes that Intune manages mobile devices alone without System Center Configuration Manager integration or Exchange ActiveSync. Office 365 can also be used to manage mobile devices. Choose between Microsoft Intune and Built-in MDM for Office 365.

Intune mobile device management supports the following operating systems:

  • Apple iOS 7.1 and later (previously enrolled iOS 6.0 and 7.0 devices remain enrolled but new devices cannot enroll)

  • Google Android 2.3.4 and later (includes Samsung KNOX)

  • Windows Phone 8.0 and later

  • Windows RT and later

  • Windows 8.1 computers and later

For a list of features, see Mobile device management capabilities in Microsoft Intune.

Set mobile device management authority
Before you can enroll mobile devices, you must prepare the Intune service by selecting the appropriate mobile device management authority setting. The mobile device management authority setting determines whether you manage mobile devices with Intune or System Center Configuration Manager with Intune integration. This guidance assumes Intune is used without System Center Configuration Manager integration so the setting should be set to Microsoft Intune.

System_CAPS_importantImportant

Consider carefully whether you want to manage mobile devices using Intune only or System Center Configuration Manager with Intune integration. After you set the mobile device management authority to either of these options, it cannot be changed again. For more information, see Microsoft Intune and System Center 2012 Configuration Manager.

Set mobile device management authority

  1. In the Microsoft Intune administration console click Admin > Mobile Device Management.

  2. In the Tasks list, click Set Mobile Device Management Authority. The Set MDM Authority dialog box opens.

  3. Check the box and then click Yes to use Microsoft Intune to manage mobile devices.

Direct a domain URL to support BYOD (optional)
To make Windows device enrollment easier for users in BYOD scenarios you can create CNAME entries in your company's public DNS record to point to Intune servers. If you do not configure the CNAME records, users must enter the Intune server address into the Company Portal app on their device to register their devices.

Create a domain CNAME for Intune management servers

  1. Access or request additions to your company's public DNS record to create new CNAME entries. See Add an Alias (CNAME) Resource Record to a Zone for information about making the change in Internet Information Services (IIS).

  2. Create CNAME resource records for your company’s domain as follows:

    TYPE

    Host Name

    Points to

    TTL

    CNAME

    enterpriseenrollment.company_domain.com

    manage.microsoft.com

    1 Hour

    CNAME

    enterpriseregistration.company_domain.com

    enterpriseregistration.windows.net

    1 Hour

    For example, if your company’s website is contoso.com, you would create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to manage.microsoft.com.

    • manage.microsoft.com – Supports a redirect to the Intune service with domain recognition from the email’s domain name

    • enterpriseregistration.windows.net – Supports workplace join for mobile devices. It also supports conditional access for Windows 8.1

Each mobile device operating system (for example Windows, iOS or Android) requires its own setup procedure. For example, to manage iOS devices, you need an Apple Push Notification service certificate to connect iOS devices with your Intune account. Similarly, to manage apps for a Windows RT 8.1 device, your company must get side-loading keys and a code-signing certificate. Other devices, such as Android, have no requirements.

Platform

Certificates or keys

How you obtain certificates or keys

Windows Phone 8

Company Portal (ssp.xap) and any line-of-business apps must be signed by an enterprise mobile code-signing certificate from Symantec.

Buy an enterprise mobile code signing certificate from Symantec.

If you are just testing this out in a trial version, you can use the Support tool for Windows Phone trial management.

Frequently asked questions about mobile device management for Microsoft Intune including management with Configuration Manager 2012

Windows Phone 8.1

Line-of-business apps must be signed with an enterprise mobile code-signing certificate from Symantec

Buy an enterprise mobile code signing certificate from Symantec.

If users only install apps from the Store, including the Company Portal app, no Symantec certificate is required.

Windows RT, Windows RT 8.1, or Windows 8.1 devices that are not joined to the domain.

Sideloading keys: Devices must be provisioned with sideloading keys to install sideloaded apps.

All sideloaded apps must be code-signed.

Buy sideloading keys from Microsoft.

iOS

Apple Push Notification service certificate.

Request an Apple Push Notification service certificate from Apple. For more information, see Start managing iOS devices with Microsoft Intune   

Android 4.0+ and Samsung KNOX

None.

Not applicable.

For instructions to start managing mobile devices, see the following:

After the Intune device management infrastructure is in place, devices must be enrolled to allow management and access to company resources:

  • Bring Your Own Device (BYOD) – Users enroll their personal devices using a Company Portal app or setting. An administrator must add users to Intune and assign licenses to allow device management. Each user can have up to five devices managed by Intune.

  • Corporate-owned Device (COD) – (iOS only) The company provides one or more devices for employees to choose from while retaining administrative control of the devices. These devices are owned and managed by the company and can be preconfigured with company policy from their initial setup. Currently this is supported for Apple’s Device Enrollment Program (DEP) iOS devices.

  • Corporate-owned shared devices – Corporate-owned shared devices meet the need for devices such as point-of-sale machines, kiosks, or tablets shared by multiple students in a classroom. Shared devices can be user-less or assigned to a device enrollment manager.

    • Device enrollment manager devices – A special user account allows the administrator or her designate to enroll more than 5 devices. The admin or manager takes ownership and can manage the device, its policy and apps.

    • User-less devices (iOS only) –The administrator enrolls the device with a device certificate which restricts day-to-day users from modifying the device.

Enrollment type

BYOD

CYOD

Shared device with manager account

Shared device without a user account

Description

Personal device enrolled using Microsoft Intune

Corporate-owned device for single user

Corporate-owned device managed using a manager account shared by many users

Corporate-owned user-less device used by many users.

Device’s user

Owner

Assigned user

No user-specific account

No specific user

Who enrolls

Owner

Administrator

Device Manager

Anyone

Who un-enrolls

Owner or administrator

Administrator

Administrator

Administrator

Who can reset

Owner or administrator

Administrator

Administrator

Administrator

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2015 Microsoft