Manage mobile devices and PCs from the cloud
Applies To: Microsoft Intune
How can this guide help you? As a small business IT professional, you can use this solution guide to understand the solution design and implementation steps that we recommend to manage mobile devices and computers via the cloud and let people in your company use the devices they choose to access applications and data.
This solution guide describes how a small business with no local servers can extend their current infrastructure to the cloud to support mobile device management and the "bring your own device (BYOD)" demand to use personal mobile devices and computers at work to access company resources. In addition to managing mobile devices and computers via the cloud, this solution also describes how you can let people in the company use the devices they choose to access applications and data while, at the same time, enforcing company policies on those devices.
In this solution guide:
Scenario, problem statement, and goals
Recommended design for this solution
Steps to implement this solution
The following diagram illustrates the problem that this solution guide is addressing.
Users accessing company data and applications by using unmanaged mobile devices and computers.
Scenario, problem statement, and goals
This section describes the scenario, current problem, and goals you might have. After reviewing this solution to the problem of users accessing company applications and data from unmanaged mobile devices and computers, you can decide whether it meets your needs, or if you need to adjust it for your particular business environment.
In this solution, a small business is looking for a cloud-only solution to manage mobile devices and computers. This solution is best for small businesses because they typically:
Have very small IT support teams.
Rely on free, web-based email for employee communications.
Have no on-premises servers.
Do not use management software for mobile devices or computers.
The overall problem to solve is:
Without on-premises servers, small businesses can struggle to manage mobile devices and PCs and protect company data. Small business employees are mobile and expect to be able to consistently and easily access the applications they need to get their jobs done. Additionally, they need to get their work done wherever they might be, on whatever device they might be using.
Based on the scenario and problem statement, a management solution for mobile devices and PCs is needed that meets the following goals:
Effectively manages employees’ mobile devices and computers from a single administration console regardless of whether they are company-owned or employee-owned. Managing mobile devices and computers includes setting security and compliance settings, gathering and maintaining a software and hardware inventory, and deploying software.
Helps prevent malware infections and potentially unwanted software from infecting computers that connect to company assets.
Helps protect company data by erasing company data stored on mobile devices when they are lost, stolen, or retired from use.
Provides a company portal to enable employees to enroll their own devices, access licensed applications, and contact support.
Eliminates the need for on-premises servers.
What is the recommended design for this solution?
The solution we recommend for companies such as the ones described earlier is to use Microsoft Intune to manage both company-owned and employee-owned mobile devices and PCs. Administrators can simply and easily meet their basic mobile device and PC management needs using the Microsoft Intune admin portal, and deploy applications or provide end-user self-service using the Microsoft Intune company portal.
Watch this demo video to learn how easy it is to get started with a free trial of Microsoft Intune and manage your first device:
Why are we recommending this design?
Microsoft Intune is a cloud-based management solution for computers and mobile devices that requires no on-premises hardware and it does not matter if those computers and mobile devices are employee-owned or company owned. Using Microsoft Intune, you can secure your company's information assets and manage user access to company resources and licensed software that they can install themselves using the company portal.
This solution describes how to use Microsoft Intune in the simplest scenario supported for a stand-alone, cloud-only configuration with no local servers. However, Microsoft Intune can also be used in conjunction with System Center 2012 Configuration Manager or in addition to Configuration Manager 2007 to provide unified device management for both on-premises and mobile device management needs.
The following diagram illustrates how to use Microsoft Intune to manage mobile devices and computers without an on-premises infrastructure.
Using Microsoft Intune to manage mobile devices and PCs
The following table lists the elements that are part of this solution design and describes why they’re included in the design. There is also additional planning information for implementing Microsoft Intune in the Documentation Library for Microsoft Intune on TechNet.
Solution design element
Why is it included in this solution?
Apps and data
What are the steps to implement this solution?
Use the steps in this section to implement the solution. Make sure to verify the correct deployment of each step before proceeding to the next step.
In the implementation steps for this solution, it is assumed that you are not already using Active Directory for identity management or Microsoft Online Services such as Microsoft Office 365. If you have one of those technologies, the following steps help you evaluate Microsoft Intune in a cloud-only configuration, but these steps might not all be applicable or lead to the best solution for your organization in production.
Sign up for a free, 30-day trial of Microsoft Intune. You can sign up for a free, 30-day trial of Microsoft Intune to manage up to 25 computers and mobile devices.
If your company already has a Microsoft Online Services work or school account, and you might continue with this Microsoft Intune subscription in production after the trial period ends, it is essential that you click the Sign in option on the trial sign-up page and authenticate by using the Global Administrator account for your company. This action ensures that your Microsoft Intune trial links to your existing Microsoft Online Services account.
Verification steps: Review the confirmation email from the Microsoft Online Services Team to ensure that all the information is correct and ensure that you can log in to the Microsoft Intune account portal with the User ID that is included in the email.
Familiarize yourself with the various Microsoft Intune portals, workspaces, and tasks. There are three Microsoft Intune portals that you should be aware of: two administration management portals that you can use to access the various features of your Microsoft Intune service, and one company portal that your end users use to connect to Microsoft Intune services.
Microsoft Intune account portal. Using the Microsoft Intune account portal, administrators can manage users, groups, and domains for all Microsoft Online Services, including Microsoft Intune and Office 365. You can use the account portal to check the status of your subscriptions, add new subscriptions, add new domain names, and activate new user accounts. It is also where you can set up and configure the link to your on-premises Active Directory Domain Services (AD DS) instance if you have one.
Ensure that you can log in to the Microsoft Intune account portal with your tenant administrator credentials.
Microsoft Intune administration console. The Microsoft Intune administration console is a web-based console that helps you to quickly access key information and Microsoft Intune management features. Here you can manage user and device groups, configure policy settings, view alerts and take action on them, review reports, and perform other service administrative tasks.
Ensure that you can log in to the Microsoft Intune administration console with your tenant administrator credentials.
Microsoft Intune Company Portal. To self-enroll a computer, the user must first access the Microsoft Intune company portal and log in by using their Microsoft Intune user ID. As an administrator, you configure Company Portal settings such as the company name, support contact information, and privacy statement links from within the Administration workspace of the administration console.
Don’t forget that you need to send instructions to users explaining what to expect when they go to the Company Portal. Make sure to include their user ID and temporary password, steps for connecting their computers and mobile devices to Microsoft Intune, and information about how to browse and install apps, and how to contact IT for help.
Ensure that you can log in to the Microsoft Intune Company Portal website with your tenant administrator credentials.
Add Microsoft Intune users and administrators.
A tenant administrator can use the account portal to assign subscription licenses to users by adding them to the Microsoft Intune Users Group. Adding users to the Microsoft Intune Users Group maintained in the account portal is also how you get those users to show up in the Microsoft Intune administration console.
Administrator accounts for your Microsoft Intune service are not created in the account portal the way regular user accounts are. Instead, you have the option to assign administrative rights to existing users. You do this by assigning either read-only access or full access administrative rights to users from within the administrator console in the Administration workspace under administration management. Service administrators that are assigned read-only access cannot modify Microsoft Intune settings, but they can view data and run reports. Service administrators with full access have all possible administrative rights.
You can view tenant administrator information by using the Microsoft Intune administration console, but you cannot create them there. By default, the subscription owner becomes a tenant administrator for your Microsoft Intune service and has full access to both the Microsoft Intune account portal and the Microsoft Intune administration console. We recommend that you create at least one extra tenant administrator account by using the account portal to help delegate tasks and ensure you don’t get locked out of your Microsoft Intune service administrator account if you forget your password.
Ensure that user accounts appear in the All Users group within the Microsoft Intune administration console after adding them to the Microsoft Intune group in the account portal.
Log out of the administration console, and then ensure that you can log back in to it with the newly assigned service administrator’s credentials.
Create groups to organize users and devices. In Microsoft Intune, groups are used to help you manage users, mobile devices, computers, and software deployments. Microsoft Intune uses two types of groups that you can create in the Microsoft Intune administrator console:
User Groups. User Groups are used to make licensed software available to users and target mobile device security policies.
Device Groups. Device Groups are used to deploy software and updates, and configure Microsoft Intune Agent Settings and Windows Firewall Settings policies.
Verification steps: As new groups are created, you should see them displayed in the Microsoft Intune administration console.
Set policies for mobile devices and computers. Microsoft Intune policies let you configure settings that help secure mobile devices, deploy computer updates, protect against malware, maintain firewall settings, and enhance the end-user experience.
You can configure and deploy Microsoft Intune policies to groups to manage settings for the Microsoft Intune client on computers and mobile device policy-based settings. After you add and deploy a new policy, all users or devices in the group to which you applied the policy inherit the settings as their baseline policy. You can always review and, if required, edit the details of these policies later from the Policy workspace.
Verification steps: As new policies are added, you should see them displayed in the Microsoft Intune administration console.
Install the Microsoft Intune client on computers. The Microsoft Intune client is used to manage computers and can be installed on both domain-joined computers in any domain and non-domain-joined computers. After the Microsoft Intune client is installed on a supported computer operating system, it provides application management, Endpoint Protection, hardware and software inventory, remote control through remote assistance requests, software updates, and compliance settings reporting.
You can enroll computers in Microsoft Intune without an on-premises infrastructure in one of the following ways:
You can manually deploy the Microsoft Intune client software. In this type of deployment, an administrator downloads the Microsoft Intune client software and manually installs it on each PC. To download the Microsoft Intune client software, open the Microsoft Intune administration console and, in the Client Software Download area, download the client software package. After the client software is installed, Microsoft Intune automatically installs additional software as necessary to manage the computer.
End-users can self-enroll each of their computers through the Microsoft Intune Company Portal. Each enrolled computer is then automatically linked to the user account that was used to install the Microsoft Intune client software.
You can deploy the Microsoft Intune client software to computers as part of an operating system deployment.
Microsoft Intune Endpoint Protection is installed by default during Microsoft Intune client installation on computers. Endpoint Protection helps enhance the security of computers in your organization by providing real-time protection against potential threats, keeping malicious software definitions up-to-date, and automatically running scheduled scans. For added security, you can also use Microsoft Intune policies to manage Windows Firewall settings on managed computers.
Ensure that you can see the Microsoft Intune client icon in the taskbar at the bottom of the Windows desktop and that you get the Tech Support and Company Portal options when you click it.
The Tech Support option should open the Microsoft Intune Center. From there, you can see the tech support contact information and other options such as checking for available applications or software updates and scanning your computer for malware by using Endpoint Protection.
The Company Portal option should open a web browser and display a Microsoft Intune log in page. After logging in with your work or school account, you should see your company portal website with options for contacting IT, adding a device, and all applications available for your device.
Prepare for mobile device management. Before you can enroll mobile devices, you must prepare the Microsoft Intune service by selecting the appropriate mobile device management authority setting on the Mobile Device Management page of the Administration workspace. The mobile device management authority setting determines whether you manage mobile devices with Microsoft Intune or System Center Configuration Manager with Microsoft Intune integration. In this solution, Microsoft Intune is used without System Center Configuration Manager integration so the setting should be set to Microsoft Intune.
Consider carefully whether you want to manage mobile devices by using Microsoft Intune only or System Center Configuration Manager with Microsoft Intune integration. After you set the mobile device management authority to either of these options, it cannot be changed again.
In addition to setting the mobile device management authority, there might be other tasks necessary to prepare to manage mobile devices in use by your company. For example, Windows RT and Windows Phone devices require access to an enrollment server during the enrollment process, and you need an Apple Push Notification service (APNs) certificate to manage iOS devices.
Verification steps: Ensure that the mobile device management authority is set to Microsoft Intune and that you have completed any additional tasks required to support the types of mobile devices you plan to support before you continue.
Enroll mobile devices. You do not need to install Microsoft Intune client software on supported mobile devices. Instead, they are enrolled in the Microsoft Intune service by using the company portal or the Company Apps Windows Phone setting.
After enrolling a mobile device in Microsoft Intune, device management capabilities are provided for application management, hardware and software inventory of managed applications, and compliance settings reporting. You can help protect company data by deploying security policies to user groups to help secure company data and by using the Microsoft Intune remote wipe feature to delete company data stored on mobile devices when they are lost, stolen, or retired from use.
Ensure that the Company Portal app has been successfully installed on the mobile device. If it has not been installed, you need to distribute it manually.
After logging in with your work or school account, you should see all apps that have been made available, and the devices that have been linked, to the user account you are logged in as.
Deploy applications to mobile devices and computers. You can perform two types of software installations by using Microsoft Intune: required install, which automatically installs or pushes the software to managed computers, or an available install which deploys the software, or a link to the software, to the Microsoft Intune Company Portal so that users can choose whether to install it on their computers or on their mobile devices.
Before using Microsoft Intune to deploy software, you should make sure that you have the appropriate licenses to publish, distribute, and use the software. The Licenses workspace lets you add and manage license agreement information for software that was purchased through Microsoft Volume Licensing agreements, and for Microsoft or non-Microsoft software that was purchased by other means. You can then create license reports that display managed license usage information throughout your company to stay informed of license usage activity.
Users must be linked to their computer before you can deploy software to them by using Microsoft Intune. If a user is not already automatically linked to a computer, you can use the administration console to link them. You can link a user to multiple computers, but each computer can be linked to only one user. Mobile device users are automatically linked to their devices during enrollment, and users are also automatically linked to any computers that they add to Microsoft Intune by using the company portal.
After you have ensured license compliance, and users are linked to devices, you can start the Microsoft Intune Software Publisher from the Software workspace in the Microsoft Intune administration console to publish and deploy software to mobile devices and computers. There are two ways to deploy published applications with the software publisher: external links and software installer packages.
External link: To use external links, you simply provide a link to the web address of an application in an online app store. The link that you provide is then made available to users in the company portal. The link lets users obtain the software from the online app store or be redirected to a web-based application that runs in the device’s web browser.
Software installer: You can also use the Microsoft Intune Software Publisher to upload a signed application package directly to the Microsoft Intune service for users to access from the company portal. Using the software publisher, you can publish any of the following installer types: Windows Installer (.exe and .msi files), app packages for Android (.apk file type), app packages for iOS (.ipa file type), Windows Phone app packages (.xap file type), and Windows app packages (.appx file type).
To make the process of deploying software to Windows Phone 8 devices easier during your trial evaluation period, you can use the support tool for Microsoft Intune trial management of Windows Phone 8, which provides the necessary enrollment token and example applications for you to deploy during the trial evaluation period. The sample Company Portal app only works with trial accounts, but additional help for deploying applications to Windows Phone 8 devices in production is available by downloading the Windows Phone 8 walkthrough guide.
Verification steps: Ensure that a published application is available from the company portal when logged in with a user account that is associated with a software deployment.
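The guide says that installer packages uploaded through the Software Publisher should be signed; the following PowerShell check is an added example (not part of Microsoft's guide or the Intune product) that an administrator can run over a staging folder before publishing. It assumes a staging folder path and a locally maintained allow-list of publisher certificate thumbprints (placeholder values below), and that Get-AuthenticodeSignature on the administrator's Windows version handles .appx packages.

```powershell
# Added example, not from the Intune solution guide: pre-publish check for packages
# staged for the Microsoft Intune Software Publisher. Rejects unsigned or untrusted
# Windows packages and flags platform-signed packages (.apk, .ipa, .xap) for a
# manual check with the platform's own tools.
function Test-IntunePackageSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Thumbprints of publisher certificates you have decided to trust.
        # Constructed placeholder; replace with your own allow-list.
        [string[]]$TrustedThumbprints = @('PLACEHOLDER-PUBLISHER-THUMBPRINT')
    )

    # Installer types the guide lists for the Software Publisher, split by how they are signed.
    # .appx support in Get-AuthenticodeSignature is an assumption for this example.
    $authenticodeTypes    = '.exe', '.msi', '.appx'
    $platformSignedTypes  = '.apk', '.ipa', '.xap'
    $ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Result = 'Missing'; Reason = 'File not found' }
    }
    if ($ext -in $platformSignedTypes) {
        return [pscustomobject]@{ Path = $Path; Result = 'ManualCheck'
                                  Reason = "$ext is signed by its platform tooling; verify there before publishing" }
    }
    if ($ext -notin $authenticodeTypes) {
        return [pscustomobject]@{ Path = $Path; Result = 'Reject'; Reason = "$ext is not a supported installer type" }
    }

    # Authenticode check: the signature must validate and the signer must be on the allow-list.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Result = 'Reject'; Reason = "Signature status: $($sig.Status)" }
    }
    if ($sig.SignerCertificate.Thumbprint -notin $TrustedThumbprints) {
        return [pscustomobject]@{ Path = $Path; Result = 'Reject'
                                  Reason = "Signer '$($sig.SignerCertificate.Subject)' is not on the trusted publisher list" }
    }
    [pscustomobject]@{ Path = $Path; Result = 'Publish'; Reason = "Signed by '$($sig.SignerCertificate.Subject)'" }
}

# Usage: review every staged package before opening the Software Publisher.
# 'C:\IntuneStaging' is an assumed folder name.
Get-ChildItem -Path 'C:\IntuneStaging' -File |
    ForEach-Object { Test-IntunePackageSignature -Path $_.FullName } |
    Format-Table -AutoSize
```

Only packages reported as Publish should be uploaded; a ManualCheck result means the file still needs verification with the Android, iOS, or Windows Phone signing tools.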
Manage software update approvals. You can approve and deploy Microsoft and non-Microsoft updates to Microsoft Intune clients from the Updates workspace in the Microsoft Intune administration console. If you want to closely manage individual update approvals, you can use the Approve or Decline options for each update in the Updates workspace. You can also automatically approve updates by using Microsoft Intune auto-approval rules.
Verification steps: As new updates are approved, you should see Yes displayed in the approved column for them in the Updates workspace in the administration console.
Configure alerts and notifications. Microsoft Intune alerts are used to monitor system and software performance or notify administrators when an action is required. You can configure and monitor alerts from the Alerts workspace or by having the service send the alerts directly to specific service administrator email addresses.
Verification steps: As alerts are generated, you should see them displayed in the Alerts workspace in the Microsoft Intune administration console. If notification rules have been configured, specified alert recipients should receive alert notifications.
Create reports to review organizational data. Microsoft Intune reports provide information about the status of software updates, detected software, computer inventory, mobile device inventory, license purchase, and license installation reports for managed mobile devices and computers.
Reports can help you answer a range of questions, such as how many computers have a particular application or update installed, information about the computer hardware and mobile devices in use, and even software license purchase and usage activities. Microsoft Intune provides a set of built-in report templates that can be used as-is, or you can create custom reports based on views within the Microsoft Intune workloads.
Verification steps: Ensure that expected information is returned when you view a report in the Reports workspace of the Microsoft Intune administration console. If you create a new report, it should be available from the Load list on the Report page that you created it on.
Cloud-only implementation complete. After completing the implementation steps, all of the goals as listed in this solution are met as follows:
Mobile devices and computers can effectively be managed from the cloud-based Microsoft Intune administration console to configure security and compliance settings, software and hardware inventory, and software deployment.
Microsoft Intune client computers are protected from malware infections and unwanted software installations by Microsoft Intune Endpoint Protection.
Microsoft Intune remote wipe functionality can protect company data by wiping company data stored on mobile devices when they are lost, stolen, or retired from use.
Employees can access the company portal to provide self-service functions such as enrolling their own devices, accessing applications, and contacting IT.
Because this is a cloud-only management solution without the need for on-premises hardware, server and site system role management are eliminated.
Do you need additional, step-by-step evaluation information? If so, you should review the Microsoft Intune Evaluation Guide in the Documentation Library for Microsoft Intune. That guide is designed to help you evaluate the main features of Microsoft Intune by providing step-by-step instructions for you to set up your new Microsoft Intune evaluation environment.
Buy a subscription to Microsoft Intune. After evaluating Microsoft Intune, you should be ready to move from the Microsoft Intune free trial to a paid subscription so that you can continue providing mobile device and PC management services to your organization.
You can easily convert your free trial subscription to a paid, full subscription on the Admin page of the account portal. The full subscription lets you continue using the Microsoft Intune service without any interruption or loss of data. Alternatively, you can let your initial trial Microsoft Intune subscription expire so that you can start a new trial subscription configured to match your production needs in preparation for purchasing a full subscription to Microsoft Intune.
Get technical help for Microsoft Intune. You can review the Microsoft Intune Knowledge Base for known issues. Additionally, you can get phone support and email support for both non-technical issues, such as billing or subscription issues, and technical questions about the Microsoft Intune cloud-based service by contacting Microsoft Intune Support.