Mobile Device Management - Best Practices from Microsoft IT

It will not surprise you that Microsoft also has internal infrastructure, devices, applications and content to manage in its own corporate environment. Customers often ask, "How does Microsoft do IT?" Here is a technical case study from Microsoft IT with some genuinely useful insights into how the Microsoft corporate Mobile Device Management (MDM) infrastructure was set up.

Bring your own device (BYOD) is no longer just a trend; it is arguably the dominant workplace culture. More employees are using personal devices for work, creating a unique set of challenges for IT teams that must balance user convenience against data security. Microsoft IT uses the Enterprise Mobility Suite and other services to manage identity, devices, and applications. Simplified and integrated IT solutions enable employees to be productive on any device.

Microsoft IT MDM Infrastructure Fast Facts

Let's start with some basic facts:

  • Initial setup with 12,000 devices to be managed
  • System Center Configuration Manager 1511 site specifically for MDM
  • Device enrollment through Microsoft Intune, integrated into System Center Configuration Manager
  • Approx. 30,000 app installations per month
  • Identity and access management: single sign-on and user self-service with Azure Active Directory
  • Hybrid identity infrastructure: on-premises Active Directory federated with Azure Active Directory through AD FS (Active Directory Federation Services)
  • Multi-factor authentication through Azure Active Directory as an additional layer of security
  • MDM configuration and compliance policies (for example, minimum password length) for Windows, Android and iOS devices

This is what the Microsoft corporate MDM infrastructure looks like:

[Figure: Mobile Device Management Infrastructure at Microsoft IT]

Please find additional insights into the infrastructure setup in the case studies listed below.

Best Practices

Microsoft IT recommends the following best practices for implementing MDM (to mention just a few):

  • Plan the deployment. Proper planning before deployment will increase deployment efficiency.
  • Review the Configuration Manager hierarchy to determine how best to integrate MDM. Remember that MDM does not require a separate site in the Configuration Manager hierarchy; Microsoft IT chose to run one, but it is optional.
  • Understand which platforms the organization will support. This determines which certificates are required for device management and app deployment (for example, an Apple Push Notification service certificate for iOS, or code-signing certificates and sideloading keys for Windows).
  • Acquire and deploy certificates and sideloading keys before user enrollment is enabled. Coordinate with other teams to streamline the app certification process.
  • Identify and license specific users by using user discovery in Configuration Manager, and then add those users to a custom collection that synchronizes these user accounts with Intune. Only members of that collection can enroll devices, so whoever controls its membership controls who can enroll.
  • Enable AD FS so that users can access corporate resources with the same user name and password they use on-premises (single sign-on).
  • Work with the security and Exchange teams to align passwords and policies across device platforms to ensure a good user experience without compromising corporate security.
  • Promote collaboration among all teams involved. Several different teams in the organization might need to be involved, including security, compliance, application developers, services, and infrastructure providers. It is important to ensure that all stakeholders can provide input at an early stage and that they work together to ensure a smooth deployment.
  • Develop a detailed communication and readiness plan. A well-developed support plan and documentation for user and helpdesk readiness can reduce support costs.
  • Train help desk technicians before deployment. Have training and support content ready for modern device support, especially for any differences in the user experience across device platforms.
  • Educate users. Provide users with documentation about the enrollment steps for each supported device platform to reduce support calls. Set expectations for any delays between enrollment and when Company Portal apps are available for installation. To reduce user concerns, make sure that users understand what is being inventoried on their devices. Create frequently asked questions (FAQs) for common questions, and document any known issues.
  • Plan the enrollment process. To ensure a good user experience and reduce support costs, consider how the Company Portal and line-of-business (LOB) apps will be deployed.
  • Use categories to organize applications on the Company Portal and make them easier to find.
  • Use security groups to limit what apps users can see, based on their role in the company.
  • Determine which apps to publish on the Company Portal, based on business needs. Determine how long apps will be maintained on the Company Portal before they are retired.
  • Evaluate which apps might change often, and consider publishing a deep link (to a store listing or web app) instead of deploying the full app package.
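The user-licensing step described above (user discovery, then a custom user collection that is selected in the Intune subscription so that its members synchronize to Intune) can be scripted against the site with the ConfigurationManager PowerShell module that ships with the admin console. The following is an added example, not code from the Microsoft IT case study: the site code P01, the AD security group CONTOSO\MDM Licensed Users and the collection name are placeholders, and it assumes the script runs on a machine with the Configuration Manager console installed.

```powershell
# Added example; not part of the Microsoft IT case study.
# Assumptions (placeholders): site code P01, an AD security group
# "CONTOSO\MDM Licensed Users" that holds the users who may enroll devices,
# and a console installation so that $env:SMS_ADMIN_UI_PATH is set.
$SiteCode   = 'P01'
$GroupName  = 'CONTOSO\\MDM Licensed Users'   # WQL string literals escape the backslash
$Collection = 'Intune Licensed Users'
$RuleName   = 'MDM licensed AD group'

# Load the module from the console's bin folder and switch to the site drive;
# every CM cmdlet must run from the site's PSDrive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# Create the collection once, limited to "All Users" so that only accounts
# already known to Active Directory user discovery can ever become members.
if (-not (Get-CMUserCollection -Name $Collection)) {
    New-CMUserCollection -Name $Collection -LimitingCollectionName 'All Users' | Out-Null
}

# Membership is driven by a query rule on the AD group. Licensing a user for
# Intune then means adding them to that group, so the group must be treated as
# a privileged object: its owners decide who can enroll devices.
$Query = @"
select SMS_R_User.ResourceId, SMS_R_User.ResourceType, SMS_R_User.Name,
       SMS_R_User.UniqueUserName, SMS_R_User.WindowsNTDomain
from   SMS_R_User
where  SMS_R_User.UserGroupName = "$GroupName"
"@

if (-not (Get-CMUserCollectionQueryMembershipRule -CollectionName $Collection -RuleName $RuleName)) {
    Add-CMUserCollectionQueryMembershipRule -CollectionName $Collection `
        -RuleName $RuleName -QueryExpression $Query
}

# Evaluate membership now rather than waiting for the scheduled refresh, then
# list the users that will be licensed on the next Intune synchronization.
Invoke-CMCollectionUpdate -Name $Collection
Get-CMUser -CollectionName $Collection | Select-Object Name, UniqueUserName
```

The collection created here is the one to select in the Microsoft Intune subscription properties in the console; from then on, users become licensed (and able to enroll) by being added to the AD group, and are de-licensed by being removed from it, which keeps enrollment authorization in the same place as the rest of the organization's access control.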

Please find additional details and recommendations in the technical case study (1) Mobile Device Management at Microsoft, listed below.

The following technical case studies from the Enterprise Mobility field, Mobile Application Management (MAM) included, might also be of interest:

(1) Mobile Device Management at Microsoft

(2) Microsoft IT prepares LOB apps for Windows

(3) Standardized certification for internal apps improves security, privacy, and productivity

(4) Microsoft IT improves LOB application testing, ensuring readiness for Windows

The above and many more can be found in the Microsoft IT Showcase.


Technical Evangelist Windows Client and Enterprise Mobility at Microsoft Germany


Follow me on Twitter: @seklenk.

Free eBook: Windows 10 Deployment