
Windows Phone 8 Device Management

with Windows Intune and System Center Configuration Manager SP1


This white paper is part of a series of technical papers designed to help IT professionals evaluate Windows Phone 8 and understand how it can play a role in their organizations. It covers Windows Phone 8 mobile device management via Windows Intune and System Center Configuration Manager SP1.

Version 1.1 - January 2013

Legal Disclaimer

2012 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

Published: January 2013

Windows Phone 8 Mobile Device Management with Windows Intune and SCCM SP1

Table of contents
Windows Phone 8 Device Management with Windows Intune and System Center Configuration Manager SP1
Introduction
Using Windows Intune for Direct Management of Windows Phone devices
Configuring Windows Intune to Manage Devices
Setting up Windows Intune for Windows Phone 8
Enrolling Windows Phone Devices in Windows Intune
Using System Center Configuration Manager SP1 to manage Windows Phone Devices
Resources


Introduction
Windows Intune provides a rich and flexible mobile device management experience for Windows Phone. With Windows Intune, you can manage Windows Phone 8 devices directly or through Exchange ActiveSync. With System Center 2012 Configuration Manager deployed in your environment as well, you can use the Windows Intune service to manage mobile devices, while performing all management tasks in the System Center Configuration Manager console.

Using Windows Intune for Direct Management of Windows Phone devices


Windows Intune provides comprehensive mobile device management for Windows Phone 8. With Windows Intune, you can deploy policies to help secure corporate data on your phone, perform a hardware inventory, distribute applications and links to applications that users can choose to install on their phone, and retire and wipe phones. In addition, Windows Intune direct management of mobile devices enables you to distribute applications to users in either of the following ways:

External link: For Windows Phone 8 devices, you can provide a link address to an application on the Windows Phone Store. In addition, this web link can be to a web-based application that runs on the device through the device's web browser.

Software installer: You can provide a signed application package that is uploaded to the Windows Intune service directly and then sideloaded onto managed devices. Sideloaded applications do not have to be certified by or installed through the Windows Phone Store.

Users benefit from an enrollment and application installation experience that is tailored for their Windows Phone, allowing them to choose the applications that they want to install and to maintain control of configuring their devices.


Configuring Windows Intune to Manage Devices


Setting the Mobile Device Management Authority
The mobile device management authority determines where you will perform phone device management tasks. You can set the mobile device management authority to Windows Intune by using the Windows Intune administrator console or to System Center Configuration Manager by using the System Center Configuration Manager console.

Note: If you also plan to use Exchange ActiveSync to manage mobile devices, we recommend that you only deploy the Exchange Connector in the same environment where you set the mobile device management authority and where you plan to configure Windows Intune direct management. For information about how to set up the Exchange Connector for mobile device management in Windows Intune environments, see Exchange Connector Host System Requirements.

Consider carefully whether you want to manage mobile devices by using Windows Intune only or System Center Configuration Manager with Windows Intune Integration. Once you set the mobile device management authority to either of these options, it cannot be changed. For information about how to set the mobile device management authority to System Center Configuration Manager, see the System Center Configuration Manager 2012 SP1 documentation.

To set the mobile device management authority for Windows Intune:

1. Open the Windows Intune administrator console.
2. In the workspace shortcuts pane, click the Administration icon.
3. In the navigation pane, click Mobile Device Management Setup.
4. In the Tasks list on the Policy Overview page, click Set Mobile Device Management Authority. The Set Mobile Device Management Authority dialog box appears, and it prompts you to choose whether to use Windows Intune to manage the mobile devices in your account.
5. Do one of the following:
   - Click Yes to use Windows Intune to manage mobile devices for your account. If you set Windows Intune as the management authority, you must manage mobile devices by using the Windows Intune administrator console.
   - Click No to exit the dialog box. This leaves the mobile device management authority as None specified.


Provisioning users in Windows Intune


To manage users' mobile devices, you must first provision the users in Windows Intune. The process of provisioning defines device owners as managed users in Windows Intune. After provisioning is complete, users appear and can be managed in the Windows Intune administrator console. You provision users by doing either of the following:

- If you have Active Directory Domain Services (AD DS) in your environment, you can configure Active Directory synchronization so that your local users and security groups are synchronized to the Windows Azure Active Directory and can appear in the Windows Intune administrator console. To configure Active Directory synchronization, you need to set up the Microsoft Directory Synchronization Tool. Doing this populates the Windows Intune account portal with synchronized users and security groups and enables Windows Intune to retrieve user information for mobile device users. To ensure that your AD DS infrastructure is properly prepared for Windows Intune, we strongly recommend that you review Active Directory Synchronization Roadmap.
- If you do not have AD DS in your environment, you can provision users in Windows Intune by manually adding the users to the Windows Intune account portal. For more information, see Adding Users and Security Groups to Windows Intune in the Windows Intune Getting Started Guide.

Enabling automatic detection of a Windows Intune enrollment


To be managed by Windows Intune, devices must first discover and enroll in the Windows Intune service. If you plan to enable automatic detection of a Windows Intune enrollment server, you must ensure that you have set up a verified domain name for your Windows Intune account and then create a CNAME resource record for the verified domain in the public DNS.


Obtaining an enterprise mobile code-signing certificate from Symantec


In order to distribute applications and external links to users who have Windows Phone 8 devices, you must first distribute the Company Portal app to these users by making it available on the Windows Phone Store. Users access the Company Portal app and install the Company Portal when they enroll their devices in Windows Intune. When you distribute applications and external links to users, they can access the applications and links by visiting the Company Portal. Before you can distribute the Company Portal app to users, you must ensure that it is signed by a mobile code-signing certificate that is trusted by users' devices. After you obtain an enterprise mobile code-signing certificate, additional steps are required to export the certificate in PFX format and to generate an application enrollment token (AET).

Setting up Windows Intune for Windows Phone 8


Setting up mobile device management for Windows Phone 8 devices
In order to be managed by Windows Intune, Windows Phone 8 devices must first discover and enroll in the Windows Intune service. You can either enable automatic detection of a Windows Intune enrollment server, or provide the following enrollment server address to users: enterpriseenrollment-s.manage.microsoft.com.

To enable devices to automatically detect a Windows Intune enrollment server, complete the following steps:

1. Verify your domain in the Windows Intune account portal.
2. Create a CNAME resource record for the verified domain in the public DNS. If there is more than one verified domain, you must create a CNAME record for each domain.

The CNAME resource record must contain the following information:

- Alias name: enterpriseenrollment
- Fully qualified domain name (FQDN) for the target DNS host: enterpriseenrollment.manage.microsoft.com

For example, if contoso.com and fabrikam.com are the verified domains, you would create two CNAME resource records: one resource record to redirect requests that arrive at enterpriseenrollment.contoso.com to enterpriseenrollment.manage.microsoft.com, and another record to redirect requests that arrive at enterpriseenrollment.fabrikam.com to enterpriseenrollment.manage.microsoft.com. For information about how to create a CNAME resource record, see Add an Alias (CNAME) Resource Record to a Zone.

If you have enabled automatic detection, confirm that you have set up automatic detection correctly by completing the following steps:

1. Open the Windows Intune administrator console.
2. In the workspace shortcuts pane, click the Administration icon.
3. In the navigation pane, under Mobile Device Management, click Windows Phone 8.
4. Under Step 1: Enrollment Server Address, type the name of the verified domain, and then click Test Auto-Detection.
5. If you have set up automatic detection correctly, a message appears to confirm that users can enroll their devices without manually specifying the address of the Windows Intune enrollment server.
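The CNAME requirement above can also be checked offline against exported zone data before relying on the console test. The following is an added example, not part of the original paper: the zone snippets are constructed, the function names are hypothetical, and the parser assumes simple single-line records with an explicit owner name.

```python
# Added example: audit exported zone data for the enrollment auto-detection CNAME.
ALIAS = "enterpriseenrollment"                        # alias name from the paper
TARGET = "enterpriseenrollment.manage.microsoft.com"  # CNAME target from the paper

# Constructed sample zones (not real DNS data).
CONTOSO_ZONE = """\
$ORIGIN contoso.com.
www                   IN A     192.0.2.10
enterpriseenrollment  3600 IN CNAME enterpriseenrollment.manage.microsoft.com.
"""
# Constructed mistake: target lacks the trailing dot, so it is relative to the zone.
FABRIKAM_ZONE = """\
$ORIGIN fabrikam.com.
enterpriseenrollment  IN CNAME enterpriseenrollment.manage.microsoft.com ; no dot
"""


def _fqdn(name, origin):
    """Expand a zone-file name to a lowercase FQDN without the trailing dot."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1]
    return f"{name}.{origin}"  # relative names are completed with the origin


def parse_cnames(zone_text, origin):
    """Return {owner_fqdn: target_fqdn} for each CNAME line in simple zone text."""
    origin = origin.lower().rstrip(".")
    records = {}
    for raw in zone_text.splitlines():
        if raw[:1].isspace():
            continue  # owner-less continuation lines are not supported here
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
            origin = fields[1].lower().rstrip(".")
            continue
        upper = [f.upper() for f in fields]
        if "CNAME" not in upper:
            continue
        idx = upper.index("CNAME")
        if idx == 0 or idx + 1 >= len(fields):
            continue  # malformed: no owner or no target
        records[_fqdn(fields[0], origin)] = _fqdn(fields[idx + 1], origin)
    return records


def audit(verified_domains):
    """Map each verified domain to 'ok', 'missing' or 'wrong target: <fqdn>'."""
    result = {}
    for domain, zone_text in verified_domains.items():
        domain = domain.lower().rstrip(".")
        found = parse_cnames(zone_text, domain).get(f"{ALIAS}.{domain}")
        if found is None:
            result[domain] = "missing"
        elif found == TARGET:
            result[domain] = "ok"
        else:
            result[domain] = f"wrong target: {found}"
    return result


if __name__ == "__main__":
    zones = {"contoso.com": CONTOSO_ZONE, "fabrikam.com": FABRIKAM_ZONE}
    for domain, status in audit(zones).items():
        print(f"{ALIAS}.{domain}: {status}")
```

A "wrong target" result means enrollment discovery for that domain would be directed to a host other than the one the paper specifies, so it should be corrected before users are told to enroll.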


Distributing Applications and External Links to Windows Phone users


To distribute applications and external web links to users with Windows Phone 8 devices, complete the steps that are listed here: http://technet.microsoft.com/en-us/library/jj662647.aspx

Distributing applications and external links to users with Windows Phone 8 devices requires that you first distribute the Company Portal app to these users. Users access the Company Portal app when they enroll their devices in Windows Intune. To complete the enrollment process, users must install the Company Portal app. When you distribute applications and external links to users, they can access the applications and links by using the Company Portal app. Before you can distribute the Company Portal app to users, you must make sure that the app is signed by a mobile code-signing certificate that is trusted by users' devices.

To obtain the code-signing certificate, complete the following steps:

1. Establish a Company Dev Center account on the Windows Phone Dev Center. As part of this process, you will receive a Publisher ID. For more information, see Registration Info.
2. Visit the Symantec Enterprise Mobile Code Signing Certificate website to complete the required steps to obtain an enterprise mobile code-signing certificate. When this process is complete, Symantec will deliver a certificate that can be imported into the certificate store on a computer.
3. In the Certificates snap-in on the computer where the certificate is imported, export the certificate in PFX format. Be sure to export the private key with the certificate. The .pfx file will be used to generate an application enrollment token (AET) and sign company apps. For more information about how to export the certificate in PFX format, see Export a Certificate with the Private Key.
4. Windows Intune generates an application enrollment token (AET) so that you can enroll phones in the company account. This is required so that users can install the Company Portal app.
To prepare the Company Portal app for distribution to users, you must first download the app, and then ensure that it is signed with a certification authority that is trusted by the users' devices. To download and sign the app, complete the following steps:

5. Open the Windows Intune administrator console.
6. In the workspace shortcuts pane, click the Administration icon.
7. In the navigation pane, under Mobile Device Management, click Windows Phone 8.
8. Under Step 3: Download the Company Portal app File, click the Download the App File hyperlink.
9. Download the XapSignTool tool from the Windows Phone 8 SDK.
10. To sign the Company Portal app, follow the instructions in the Signing the XAP by using the XapSignTool tool section in How to precompile managed assemblies and sign a company app. You must sign the Company Portal app with the Symantec enterprise mobile code-signing certificate that you obtained when you completed step 3b.

Before distributing the Company Portal app to users, you must upload the signed Company Portal app file to Windows Intune. During the upload process, you will be prompted to provide the code-signing certificate. The Company Portal app will then be automatically made available to members of the All Users group in Windows Intune, so that you do not have to explicitly create a deployment to make it available.

Enrolling Windows Phone Devices in Windows Intune


Enrollment establishes a relationship among a user who is provisioned in Windows Intune, the user's device, and the Windows Intune service. Users must enroll their devices in Windows Intune to access and install applications that you distribute. Enrollment enables the following:

- Windows Intune to identify the device
- Windows Intune to identify the user of the device
- The device to contact the Windows Intune service
- The Windows Intune service to contact the device through a notification service
- Windows Intune and the device to exchange management communications securely
- Follow-up tasks, such as hardware inventory and the application of security policies, to be triggered

The names of the devices that users enroll should appear in the Windows Intune administrator console within a few hours of enrollment.

To enroll a Windows Phone 8 Device


To enroll their devices, users must enter their Windows Intune user ID or their existing on-premises Active Directory credentials using the following steps:

1. On the Windows Phone 8 device, select Settings, then system, and select Company Apps.
2. Select add account, and enter your company credentials in the Company Apps dialog.

After the Windows Phone 8 device is enrolled, users will be prompted to install the Company Portal app, which users can then use to install apps provided by their administrator. During enrollment, the Windows Intune service checks to confirm that:

- The account for the organization is active.
- The user is provisioned in Windows Intune.
- The user has not exceeded the maximum allowed number of devices per user. Each user who is provisioned in Windows Intune can enroll a maximum of five devices.


Using System Center Configuration Manager SP1 to manage Windows Phone Devices
System Center 2012 Configuration Manager SP1 lets you manage Windows Phone 8 devices by using the Windows Intune service over the Internet. Although you use the Windows Intune service, management tasks are completed by using the Configuration Manager console. You can use the Windows Intune connector site system role in the Configuration Manager console to connect to the Windows Intune service. Users can manage their devices by using the company portal. The company portal is a self-service portal that lets users control what apps are installed on their devices. The Windows Intune subscription lets you specify configuration settings for the Windows Intune service; this includes defining the user collection that enables users to enroll mobile devices and defining which mobile devices to manage. After you have created your subscription, you can install the Windows Intune connector site system role, which lets you connect to Windows Intune. This role pushes settings and applications to the Windows Intune service. Windows Intune then makes apps available to users on their mobile devices through an interface called the company portal. To set up mobile device management for Windows Phone 8, you must create a Windows Intune subscription where you specify your configuration settings.

Create the Windows Intune Subscription in SCCM SP1

1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Hierarchy Configuration, and click Windows Intune Subscriptions.
3. On the Home tab in the Create group, click Create Windows Intune Subscription.
4. On the Introduction page of the Create Windows Intune Subscription Wizard, review the text and click Next.
5. On the Subscription page, click Sign in and sign in by using your Windows Intune organizational account. Select the Allow the Configuration Manager console to manage this subscription check box. When you select this setting, you will only be able to manage mobile devices by using the Configuration Manager console. In order to continue with your subscription, you must select this option.
6. Click the privacy links to review them, and then click Next.
7. On the General page, specify the following options, and then click Next.
   - Collection: Specify a user collection whose members will be enabled for using the service. These users will be able to enroll their mobile devices. If a user is removed from the collection, the user's device will continue to be managed for up to 24 hours until the user record is removed from the user database.
   - Company name: Specify your company name.
   - URL to company privacy documentation: If you publish your company privacy information to a link that is accessible from the Internet, provide the link so that users can access it from the company portal. Privacy information can clarify what information users are sharing with your company.
   - Color scheme for company portal: Optionally, change the default color of blue for the company portal.
   - Configuration Manager site code: Specify a site code for a primary site to manage the mobile devices. Although you can change the site code at any time, if you do change it, existing users will have to retire their mobile devices and then reenroll on the new site.
8. On the Platforms page, select the device types that you want to manage and review the platform requirements, and then click Next.
9. On the Windows Phone 8 page, specify the code-signing certificate to use for all Windows Phone apps and then specify the location of the signed Windows Phone 8 company portal app.

The Windows Intune Connector Site System Role


The Windows Intune connector sends settings and software deployment information to Windows Intune and retrieves status and inventory messages from clients. The Windows Intune service acts as a gateway to communicate with mobile devices and store the settings.

1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles.
3. Add the Windows Intune Connector role to a new or existing site system server by using the associated step:
   - New site system server: On the Home tab, in the Create group, click Create Site System Server to start the Create Site System Server Wizard.
   - Existing site system server: Click the server on which you want to install the Windows Intune Connector role. Then, on the Home tab, in the Server group, click Add Site System Roles to start the Add Site System Roles Wizard.
4. On the System Role Selection page, select Windows Intune Connector, and click Next.
5. Complete the wizard.

Enrolling Windows Phone 8 in SCCM SP1


Windows Phone 8 users must start enrollment from the Windows Phone 8 device by going to system settings and selecting company apps.

1. Users navigate to system settings and select company apps.
2. Users are prompted for their Active Directory credentials for authentication. When authentication is successful, Windows Intune establishes a relationship between the user and the Windows Phone 8 device.
3. Users must select Install company app or Hub to let their device be managed. If users do not select this option, they cannot download the company portal. If the Windows Phone 8 company portal is not installed during enrollment, or if users uninstall the company portal, users must retire their mobile device and reenroll it. Or, you can make the company portal file available by sending users a link in email.

After the company portal is installed on the device, inventory is collected, management settings are applied, and users now have access to line-of-business apps that you make available to them.

Resources
For more information about all the aspects of using Windows Phone in your company, see Windows Phone for Business (http://www.windowsphone.com/enUS/business/for-business).


To learn more about Windows Phone 8 Device Management and Windows Intune, or for more complete guidance for managing Windows Phone and other mobile devices, additional information is available at:

Using Windows Intune for Direct Management of Mobile Devices at http://technet.microsoft.com/en-us/library/jj733632.aspx


Customizing the Windows Intune Company Portal at http://technet.microsoft.com/en-us/library/jj662649.aspx

How to Manage Mobile Devices by Using the Windows Intune Connector in Configuration Manager at http://technet.microsoft.com/en-us/library/jj884158.aspx
