A guide to planning and implementing a Microsoft Intune deployment that delivers strategic value to your school district, brought to you by:
Microsoft Intune Architecture & Planning for Education
For more info, contact your Microsoft representative or visit https://lumagatena.com/edu
We Drive Business & Education Evolution Forward
MAKING MOBILE DEVICE MANAGEMENT WORK FOR THE EDUCATION SECTOR
Contents
2 Intune Planning & Architecture for Education
| Charting your course
| Challenges in the Education sector
| Identifying your use cases
| Creating your Intune design
| Extending Intune for the Education sector
| Developing your rollout plan
| Implementing Intune
| Next steps
Charting your course
Begin with the end in mind. These words, penned more than 25 years ago by Stephen Covey,
author of “The 7 Habits of Highly Effective People”, are perhaps some of the most
broadly applicable to technology projects across any industry. However, they hold special meaning
when planning Mobile Device Management (MDM) for the Education sector, where these devices have
become essential in delivering a high-quality education.
Planning mobile device management for the Education sector goes beyond the typical
discussions of device configuration and process automation. Your students and your educators are
two unique audiences who require special attention when envisioning the user experience. While your
IT operations team has insight into the desired user experience, mapping delivery of that user
experience to a new tool can be a challenge. Microsoft Intune delivers powerful capabilities for
modernizing and transforming mobile device management in the Education sector, but as with any
enterprise technology, successful implementation must “begin with the end in mind”.
Charting your course begins with identifying your deployment objectives. Deployment
objectives are the actions your organization can take to reach its Intune deployment goals. There are a
few objectives typical across most organizations, such as:
❖ Reduce the number of device management solutions
❖ Enable easy access to cloud services
❖ Provide secure access to Exchange and SharePoint Online
❖ Prevent corporate data from being stored or forwarded to unmanaged apps on mobile devices
❖ Provide capability to wipe corporate data from the device
And a few more common objectives specific to the Education sector, including:
❖ Preparing a group of tablets for a new class
❖ Enabling quick rollout of a newly released version of an app or cloud service
❖ Securing classroom iPads to prevent students from making unwanted changes
And how about implementing a solution that puts these capabilities in the hands of your teachers?
This guide is intended to serve as a practical reference for educational institutions seeking to
implement a modern, efficient, and secure mobile device management strategy for devices in the
classroom. In the pages that follow, you’ll find insights for technology architects and decision makers
alike to help guide your journey to a successful Microsoft Intune implementation that goes beyond
efficient deployment, configuration, and management of your mobile devices, to one that delivers
strategic advantage to both your IT organization and the educators they support.
Challenges in the Education sector
Deployment challenges are issues that are top of mind for an organization that also may have a
negative impact on deployment. Sometimes they are related to past issues from
previous projects that you would like to avoid, or new issues related to the current deployment
effort. As with deployment objectives, there are several avoidable challenges we see across
implementations of any enterprise mobile device management solution and the problems that
result:
❖ Support readiness and end-user experience are not included in an initial project scope.
This leads to poor end-user adoption and challenges for your support organization.
❖ Lack of clearly-defined goals and success metrics leads to intangible results. It may also
shift your organization into a reactive mode when issues arise.
❖ You neglect to create, validate, and aggressively share a clear value proposition that
resonates for your organization. This often leads to limited adoption and a lack of return
on investment (ROI).
Then, there are the challenges specific to the Education sector that should be considered from
the outset:
❖ Quantifying the impact of a technology rollout to the IT Support organization on a per-
classroom basis.
❖ Identifying and triaging issues affecting the classroom user experience.
❖ Developing a strategy to quickly resolve common and urgent requests to avoid
interruption to the learning process.
❖ Implementing processes and procedures for request and issue reporting that new teachers can
easily digest.
Once you have identified your challenges, it’s time to develop mitigation strategies.
Don’t develop your mitigation strategies in a bubble, especially those centered on the user experience for teachers and students.
A few challenge/mitigation examples…
Challenge: You neglect to create, validate, and aggressively share a clear value proposition
that resonates for your organization. This often leads to limited adoption and a lack of
return on investment (ROI).
Mitigation strategy: While you may be excited to jump into your project, ensure you have
clearly defined your goals and objectives. Include these in all awareness and training
activities to ensure users understand why your org selected Intune.
Challenge: Lack of clearly-defined goals and success metrics leads to intangible results. It
may also shift your organization into a reactive mode when issues arise.
Mitigation strategy: Define your goals and success metrics early in your project scope, and
use these data points to flesh out your other rollout phases.
Now that you have identified your deployment goals, objectives, and potential challenges, it’s time
to identify your use-case scenarios.
Identifying your use cases
Identifying your use-case scenarios is an important part of the planning process for a successful
Intune deployment. Use-case scenarios are helpful because they let you
segment your users into manageable groups by user type or role, and the ownership of the
user's device (for example, company or personal).
You can begin identifying your use-case scenarios by referring to your Intune deployment
objectives. In addition to managing your shared classroom devices, you’ll want to consider whether you
intend to support the personally owned devices of teachers, other faculty, and staff (bring-your-own-
device, or BYOD).
Leveraging Microsoft 365, you have the power to enable your users to use the
full Office Mobile suite, with full deployment and management capability provided via
Intune while protecting the privacy and security of student data. You’ll quite possibly
find specialized use cases in each scenario, particularly with faculty and staff with
varying responsibilities and data access privileges. These distinctions will help you
identify where to apply different device management policies.
Intune uses Azure Active Directory (AAD) groups to manage devices and users. To facilitate
application of management policies with enough granularity to meet your use cases, you’ll want to
create organizational groups that are associated with each use case. Then, you should identify the
mobile device platforms associated with each scenario. Are your users strictly iOS? Is Android support
a need? BYOD may bring a broader range of mobile device platforms, including additional Android
distributions and Windows 10 Mobile.
Take advantage of Azure AD dynamic
groups to minimize the manual effort in Intune policy application and
enforcement.
Let’s discuss a few examples to help your organization identify Intune use-case scenarios, as
well as organizational groups, and mobile device platforms associated with each use case.
Dynamic user and device groups and bulk
device import make Intune device policies
and app deployment even more
compelling. Making the most of Intune
means spending time identifying the
needs of your educators and their
classrooms, and where their needs
overlap. Implement dynamic group
population based on user properties (such
as job title or grade level). If your teachers
can maintain a list of serial numbers for
classrooms and other devices, your Intune
administrator can make short work of
group population.
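One way to turn the use-case groups described above into Azure AD dynamic group definitions, as an added example that is not part of the original guide or of Lumagate's product: it builds the request body for Microsoft Graph `POST /groups` and validates rule inputs so that a value taken from a request form cannot alter the membership rule. The group names, the sample use cases, and the choice to store grade level in `user.department` are assumptions.

```python
import json
import re

# Properties this example accepts in a rule. All four are supported by Azure AD
# dynamic membership; restricting rules to this allowlist is the example's choice.
ALLOWED_PROPERTIES = {
    "user.jobTitle", "user.department",
    "device.deviceOSType", "device.deviceOwnership",
}
# Conservative value pattern: no quotes or backticks, so a supplied value
# cannot close the string literal and append its own clause to the rule.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")


def membership_rule(conditions):
    """Join (property, value) pairs into one '-and' membership rule string."""
    if not conditions:
        raise ValueError("a dynamic group needs at least one condition")
    clauses = []
    for prop, value in conditions:
        if prop not in ALLOWED_PROPERTIES:
            raise ValueError(f"property not allowed: {prop}")
        if not SAFE_VALUE.match(value):
            raise ValueError(f"unsafe value: {value!r}")
        clauses.append(f'({prop} -eq "{value}")')
    # A dynamic group holds users or devices, never both.
    if len({prop.split(".")[0] for prop, _ in conditions}) > 1:
        raise ValueError("rule mixes user and device properties")
    return " -and ".join(clauses)


def group_payload(display_name, conditions):
    """Request body for POST https://graph.microsoft.com/v1.0/groups."""
    nickname = re.sub(r"[^A-Za-z0-9]", "", display_name)
    if not nickname:
        raise ValueError("display name has no usable characters")
    return {
        "displayName": display_name,
        "mailNickname": nickname,
        "mailEnabled": False,
        "securityEnabled": True,
        "groupTypes": ["DynamicMembership"],
        "membershipRule": membership_rule(conditions),
        "membershipRuleProcessingState": "On",
    }


# Constructed sample use cases (assumption: grade level lives in user.department).
USE_CASES = [
    ("Grade 5 Teachers",
     [("user.jobTitle", "Teacher"), ("user.department", "Grade 5")]),
    ("Classroom iPads",
     [("device.deviceOSType", "iPad"), ("device.deviceOwnership", "Company")]),
    ("Faculty BYOD Android",
     [("device.deviceOSType", "Android"), ("device.deviceOwnership", "Personal")]),
]


def build_all(use_cases=USE_CASES):
    """Return one Graph request body per use case."""
    return [group_payload(name, conds) for name, conds in use_cases]


if __name__ == "__main__":
    print(json.dumps(build_all(), indent=2))
```

Keeping company-owned and personal devices in separate groups, as the last two sample entries do, is what lets stricter configuration policies target classroom iPads without touching faculty BYOD devices.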
Talk to your teachers to learn where app needs
overlap to maximize Intune policy reuse across classrooms
Creating your Intune design
Your current environment can influence design decisions and should be documented and
referenced when you make other Intune design decisions. Having documentation on hand for
your current environment, including existing MDM, Identity, Email, Public Key Infrastructure
(PKI), and System Management will prove important. Make sure to note any projects in motion
that could change the state of your existing environments.
Gap analysis is another important step when preparing your design. Reviewing the requirements within
your use cases to identify any areas where customization may be necessary and identifying the need
for customizations as early in the process as possible will minimize deployment delays. For more on
gaps common to education, see “Extending Intune for the Education sector” in this document.
Then, it’s important to identify requirements for any external dependencies and how to
configure them, like Azure Active Directory (the identity provider for Intune and Office 365),
user and device groups to support the use-cases you identified earlier, as well as PKI, which
supplies certificates to devices to securely authenticate to Intune and other services.
For schools with classroom devices targeted for management with Intune, you'll want to
prepare for bulk enrollment. You can enroll devices in bulk in different ways depending on the
platform. With iOS devices, your bulk enrollment options will be influenced by how you purchased the
devices.
To meet your use cases, you’ll leverage these
five key Intune capabilities, mapped to the user
and device groups you defined previously:
❖ Policies. You should plan to create at least
one configuration policy per platform.
❖ Profiles. Enable configuration of resources,
including certificates, Wi-Fi settings, VPN,
and e-mail.
❖ Apps. In addition to individual apps, you
can manage and deploy volume-purchased
apps common in classroom scenarios
❖ Seamless access. You can federate your
cloud services to Azure AD, providing a
Single Sign On experience while allowing
you to get away from maintaining on-
premises ADFS infrastructure.
❖ Compliance policies determine whether a
device conforms to certain requirements,
enabling protection of confidential faculty
information.
Conditional access policies in Intune work
with EMS to allow only compliant devices
to access school resources
Your app deployment strategy will take on
an additional dimension over typical
corporate Intune deployments: classroom
deployment strategy. Leverage the
overlapping classroom app and device
configuration needs you identified earlier
in the planning process to reduce policy
configuration effort and complexity.
To better understand the communication
flow in device policy delivery with Intune,
see the Intune Service Architecture
diagram on the next page.
Identifying common needs across classrooms
can help minimize Intune configuration effort to implement
your use cases
[Figure: Intune Service Architecture. The diagram shows Microsoft Intune (configuring devices, protecting data, and managing apps) exchanging data through RESTful API calls with Azure Active Directory, Office 365, the Graph API, the web console, app sources, the on-premises network, and partner services (Network Access Control partner, Mobile Threat Defense connector, telecom expense management).]
Extending Intune for the Education sector
Lumagate® presents the EDU App Catalog for Microsoft Intune®
While Intune is a powerful mobile device management platform, the special use cases, staffing,
and budget limitations of today’s school districts present unique challenges
that can only be met through customization. Fortunately, the Intune APIs in Microsoft Graph
enable programmatic access to Intune device management and application deployment
capabilities. When coupled with the rich PaaS capabilities of the Microsoft cloud, the
possibilities are truly impressive.
Gaps requiring customization
A few features often requested in the Education sector not native to Intune:
❖ No self-service GUI for teachers, forcing all requests to flow through IT
❖ App deployment delays of up to several hours on iOS by default
❖ No feature to maintain up-to-date lists of currently approved apps
❖ Request process to have new apps added to the catalog
The EDU App Catalog for Intune from Lumagate leverages the power of the
Microsoft Graph API and Microsoft Azure to bridge these gaps, delivering:
❖ A simple, web-based portal that enables teachers to select & assign a list of apps to an iPad or
group of iPads
❖ Approval workflow automation for deployment of apps requiring administrative approval
❖ Automatically requests iOS device check-in to decrease deployment time from hours to minutes
❖ An automated procurement request form & workflow that allows educators to view the org’s
current app & request purchase approval in just a few keystrokes
Solution Architecture
[Figure: EDU App Catalog solution architecture spanning Office 365, Intune, and Azure, with six numbered steps. Step labels shown in the diagram:]
❖ Teacher requests app deployment to student iPads
❖ App is deployed and app checks in to report status
❖ EDU App Catalog processes request & executes accelerated app deployment in Intune
❖ Request is captured in a custom SharePoint portal
❖ Intune deploys app to targeted classroom iPads
❖ EDU App Catalog updates request status & emails requestor
About the EDU App Catalog
The EDU App Catalog for Intune is a cloud-based service, leveraging Microsoft Platform-as-a-
Service (PaaS), so it requires no server infrastructure. It’s hosted in your Azure tenant, ensuring
no outside organizations can access your data. And because it’s 100% Azure PaaS, it’s very
inexpensive to operate.
Lumagate can help your organization implement the EDU App Catalog as part of a guided Intune
pilot deployment.
Developing your rollout plan
Your rollout plan identifies the organizational groups you want to target for your Intune rollout,
the rollout timeframe for each group, and the enrollment approaches you will use. First, review
the groups that are targeted with your Intune rollout and that you identified in your use-case
scenarios. The first phase to roll out should be to pilot users. The pilot users should understand
they are the first users in a new solution and that their feedback will help improve configuration,
documentation, notifications, and ease the way for all other users in later rollout phases.
After a successful pilot, you're ready to start a full production rollout, targeting the rest of your
organization’s groups.
Break these down in a logical way based on previous experience, such as by grade, or by school.
Plan to start small and gauge the support load generated after each wave before increasing the
number of users and devices in a single move. Larger groups may need to be logically divided.
Now that you have determined the targeted groups and time frames for your
Intune rollout, the next step is to choose the most appropriate Intune enrollment
approach. While your classroom devices should be bulk enrolled, personal devices
of your faculty can be handled via self-service (for tech-savvy individuals), assisted
enrollment, or even via a group walkthrough via video conference. You can
refine this process based on your results, starting with the pilot.
Finally, a successful Intune rollout relies on clear and helpful communications, delivered in waves (3-5
installments) in the weeks preceding the pilot. This is the last, and perhaps most crucial item, in the
rollout plan.
Run your rollout communication in
phases, and sell the value of coming
changes, so users are invested in the move.
Start with broad communications that introduce
the Intune project itself, and in later waves
include additional information about Intune and
complementary offerings, user resources, and
specific timelines for when organization groups
and users are scheduled to receive Intune. The
week before the move, the first groups
scheduled receive the enrollment
announcement. Post-enrollment communication
should include a survey to the group just
enrolled, enabling the implementation team to
incorporate user feedback into their own lessons
learned to ensure the process improves with
each subsequent wave of enrollment.
Well-planned messaging and cadence of rollout
communications are key to an Intune deployment users and stakeholders
view as successful
Implementing Intune in your environment
During the onboarding phase, you deploy Intune into your production environment. The
implementation process consists of setting up and configuring Intune and external
dependencies (if required) based on your use-case requirements. Microsoft guidance details
more than a dozen discrete tasks for implementing an Intune deployment. You may have
already completed some of these tasks, such as:
❖ Getting an Intune subscription
❖ Adding an Office 365 subscription
Then, there are sets of configuration tasks to implement settings for your use cases before
enrollment begins.
❖ Add user groups in Azure AD mapping to your use cases
❖ Assign Intune and Office 365 user licenses
❖ Set mobile device management authority to Intune
❖ Add terms and conditions policies
❖ Add and deploy configuration policies
❖ Configure and deploy resource profiles, such as Wi-Fi settings
❖ Add and deploy apps. For classroom devices, this often means integrating with Apple DEP
and VPP services.
❖ Add and deploy compliance policies
❖ Enable Conditional Access policies to implement access controls
Finally, enroll devices in your Intune deployment based on your rollout plan. Once
you’ve handled the post-enrollment support, deliver your final user survey and compile
learnings to pass on to future projects. Congratulations, your Intune implementation is
complete!
Well-planned use cases, consistent user communication, and a solid pilot are critical to a successful Intune deployment
To learn more about the EDU App Catalog for Intune, visit https://lumagatena.com/edu
Next Steps in your Intune journey
We hope you found this guide to planning your Microsoft Intune deployment helpful. Intune is
a powerful platform for user and device management, and for the education
sector, brings not only valuable management capabilities, but tremendous total-cost-of-
ownership (TCO) advantages, enabling school districts to reduce spending on IT operations and
redirect funds where they are needed most - delivering a high quality education to our
children!
What’s next? That depends on where you are in your evaluation journey with Microsoft Intune.
If you’d like to see Intune in action, a live demo or proof-of-concept may be the best next step.
Already convinced of Intune’s compelling value? A guided pilot implementation is a great
option to enable your IT staff to gain hands-on exposure and see that value first hand.
Whatever your next step, we wish you much success in your Intune journey!
Unsure who your Microsoft Education representative is? Contact Lumagate and we’ll connect
you to the right person at Microsoft to help you with those next steps. Our contact info is listed
below.
email: [email protected]
website: https://lumagatena.com/edu