Windows Phone 8 Device Management with Windows Intune

December 2012

This white paper is part of a series of technical papers designed to help IT professionals evaluate Windows Phone 8 and understand how it can play a role in their organizations. It discusses and contains information regarding Windows Phone 8 mobile device management via Windows Intune.

Legal Disclaimer

© 2012 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

Published: December 2012

Table of contents

Windows Phone 8 Device Management with Windows Intune
Introduction
Using Windows Intune for Direct Management of Windows Phone devices
Configuring Windows Intune to Manage Devices
Setting up Windows Intune for Windows Phone 8
Enrolling Windows Phone Devices in Windows Intune
Resources

Introduction

Windows Intune provides a rich and flexible mobile device management experience for Windows Phone. With Windows Intune, you can manage Windows Phone 8 devices directly or through Exchange ActiveSync. With System Center 2012 Configuration Manager deployed in your environment as well, you can use the Windows Intune service to manage mobile devices, while performing all management tasks in the System Center Configuration Manager console.

Using Windows Intune for Direct Management of Windows Phone devices

Windows Intune provides comprehensive mobile device management for Windows Phone 8. With Windows Intune, you can deploy policies to help secure corporate data on your phone, perform a hardware inventory, distribute applications and links to applications that users can choose to install on their phone, and retire and wipe phones. In addition, Windows Intune direct management of mobile devices enables you to distribute applications to users in either of the following ways:

• External link: For Windows Phone 8 devices, you can provide a link address to an application on the Windows Phone Store. In addition, this web link can be to a web-based application that runs on the device through the device’s web browser.

• Software installer: You can provide a signed application package that is uploaded to the Windows Intune service directly and then sideloaded onto managed devices. Sideloaded applications do not have to be certified by or installed through the Windows Phone Store.

Users benefit from an enrollment and application installation experience that is tailored for their Windows Phone, allowing users to choose the applications that they want to install, and maintain control of configuring their devices.

Configuring Windows Intune to Manage Devices

Setting the Mobile Device Management Authority

The mobile device management authority determines where you will perform phone device management tasks. You can set the mobile device management authority to Windows Intune by using the Windows Intune administrator console or to System Center Configuration Manager by using the System Center Configuration Manager console.

Note: If you also plan to use Exchange ActiveSync to manage mobile devices, we recommend that you only deploy the Exchange Connector in the same environment where you set the mobile device management authority and where you plan to configure Windows Intune direct management. For information about how to set up the Exchange Connector for mobile device management in Windows Intune environments, see Exchange Connector Host System Requirements.

Consider carefully whether you want to manage mobile devices by using Windows Intune only or System Center Configuration Manager with Windows Intune Integration. Once you set the mobile device management authority to either of these options, it cannot be changed.

For information about how to set the mobile device management authority to System Center Configuration Manager, see the System Center Configuration Manager 2012 SP1 documentation.

To set the mobile device management authority for Windows Intune:

1. Open the Windows Intune administrator console.

2. In the workspace shortcuts pane, click the Administration icon.

3. In the navigation pane, click Mobile Device Management Setup.

4. In the Tasks list on the Policy Overview page, click Set Mobile Device Management Authority.

5. The Set Mobile Device Management Authority dialog box appears, and it prompts you to choose whether to use Windows Intune to manage the mobile devices in your account. Do one of the following:

   • Click Yes to use Windows Intune to manage mobile devices for your account. If you set Windows Intune as the management authority, you must manage mobile devices by using the Windows Intune administrator console.

   • Click No to exit the dialog box. This leaves the mobile device management authority as None specified.

Provisioning users in Windows Intune

To manage users’ mobile devices, you must first provision the users in Windows Intune. The process of provisioning defines device owners as managed users in Windows Intune. After provisioning is complete, users appear and can be managed in the Windows Intune administrator console. You provision users by doing either of the following:

• If you have Active Directory Domain Services (AD DS) in your environment, you can configure Active Directory synchronization so that your local users and security groups are synchronized to the Windows Azure Active Directory and can appear in the Windows Intune administrator console. To configure Active Directory synchronization, you need to set up the Microsoft Directory Synchronization Tool. Doing this populates the Windows Intune account portal with synchronized users and security groups and enables Windows Intune to retrieve user information for mobile device users. To ensure that your AD DS infrastructure is properly prepared for Windows Intune, we strongly recommend that you review Active Directory Synchronization Roadmap.

• If you do not have AD DS in your environment, you can provision users in Windows Intune by manually adding the users to the Windows Intune account portal. For more information, see “Adding Users and Security Groups to Windows Intune” in the Windows Intune Getting Started Guide.

Enabling automatic detection of a Windows Intune enrollment

To be managed by Windows Intune, devices must first discover and enroll in the Windows Intune service. If you plan to enable automatic detection of a Windows Intune enrollment server, you must ensure that you have set up a verified domain name for your Windows Intune account and then create a CNAME resource record for the verified domain in the public DNS.

Obtaining an enterprise mobile code-signing certificate from Symantec

In order to distribute applications and external links to users who have Windows Phone 8 devices, you must first distribute the Company Portal app to these users by making it available on the Windows Phone Store. Users access the Company Portal app and install the Company Portal when they enroll their devices in Windows Intune. When you distribute applications and external links to users, they can access the applications and links by visiting the Company Portal.

Before you can distribute the Company Portal app to users, you must ensure that it is signed by a mobile code-signing certificate that is trusted by users’ devices. After you obtain an enterprise mobile code-signing certificate, additional steps are required to export the certificate in PFX format, and to generate an application enrollment token (AET).

Setting up Windows Intune for Windows Phone 8

Setting up mobile device management for Windows Phone 8 devices

In order to be managed by Windows Intune, Windows Phone 8 devices must first discover and enroll in the Windows Intune service. You can either enable automatic detection of a Windows Intune enrollment server, or provide the following enrollment server address to users: enterpriseenrollment-s.manage.microsoft.com.

To enable devices to automatically detect a Windows Intune enrollment server, complete the following steps:

1. Verify your domain in the Windows Intune account portal.

2. Create a CNAME resource record for the verified domain in the public DNS. If there is more than one verified domain, you must create a CNAME record for each domain. The CNAME resource record must contain the following information:

   • Alias name: enterpriseenrollment

   • Fully qualified domain name (FQDN) for the target DNS host: enterpriseenrollment.manage.microsoft.com

   For example, if contoso.com and fabrikam.com are the verified domains, you would create two CNAME resource records: One resource record to redirect requests that arrive at enterpriseenrollment.contoso.com to enterpriseenrollment.manage.microsoft.com, and another record to redirect requests that arrive at enterpriseenrollment.fabrikam.com to enterpriseenrollment.manage.microsoft.com. For information about how to create a CNAME resource record, see Add an Alias (CNAME) Resource Record to a Zone.

If you have enabled automatic detection, confirm that you have set up automatic detection correctly by completing the following steps:

1. Open the Windows Intune administrator console.

2. In the workspace shortcuts pane, click the Administration icon.

3. In the navigation pane, under Mobile Device Management, click Windows Phone 8.

4. Under Step 1: Enrollment Server Address, type the name of the verified domain, and then click Test Auto-Detection.

5. If you have set up automatic detection correctly, a message appears to confirm that users can enroll their devices without manually specifying the address of the Windows Intune enrollment server.
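The CNAME requirement described above can also be checked against a zone export before users start entering company credentials on their phones. The following is an added example, not part of the white paper or any Microsoft tool; the zone text, the example.org and example.net domains, and the function names are constructed for illustration.

```python
# Added example: audit the auto-detection CNAME for each verified domain.
# The alias and target names come from the white paper; everything else is assumed.
ALIAS = "enterpriseenrollment"
TARGET = "enterpriseenrollment.manage.microsoft.com"

# Constructed zone export in "owner ttl IN type rdata" form (sample data only).
SAMPLE_ZONE = """\
; constructed records for illustration
enterpriseenrollment.contoso.com.   3600 IN CNAME enterpriseenrollment.manage.microsoft.com.
enterpriseenrollment.fabrikam.com.  3600 IN CNAME enterpriseenrolment.manage.microsoft.com.
enterpriseenrollment.example.org.   3600 IN A     192.0.2.10
www.contoso.com.                    3600 IN A     192.0.2.20
"""


def norm(name):
    """DNS names are case-insensitive; drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def parse_records(zone_text):
    """Return {owner: (record_type, rdata)} for well-formed five-field lines."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # strip comments, then tokenize
        if len(fields) == 5 and fields[2].upper() == "IN":
            records[norm(fields[0])] = (fields[3].upper(), norm(fields[4]))
    return records


def audit(verified_domains, zone_text):
    """Classify each verified domain as ok, missing, wrong type or wrong target."""
    records = parse_records(zone_text)
    findings = {}
    for domain in verified_domains:
        rtype, rdata = records.get(f"{ALIAS}.{norm(domain)}", (None, None))
        if rtype is None:
            findings[domain] = "missing"
        elif rtype != "CNAME":
            findings[domain] = f"wrong type {rtype}"
        elif rdata != TARGET:
            # A near-miss target sends enrollment traffic to a host you do not control.
            findings[domain] = f"wrong target {rdata}"
        else:
            findings[domain] = "ok"
    return findings


if __name__ == "__main__":
    domains = ["contoso.com", "fabrikam.com", "example.org", "example.net"]
    for domain, status in audit(domains, SAMPLE_ZONE).items():
        print(f"{domain}: {status}")
```

Any result other than "ok" means devices in that domain will not auto-detect the enrollment server, and a "wrong target" result deserves immediate correction because enrollment involves users' company credentials.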

Distributing Applications and External Links to Windows Phone users

To distribute applications and external web links to users with Windows Phone 8 devices, be sure to complete the required steps that are listed here: http://technet.microsoft.com/en-us/library/jj662647.aspx

Distributing applications and external links to users with Windows Phone 8 devices requires that you first distribute the Company Portal app to these users. Users access the Company Portal app when they enroll their devices in Windows Intune. To complete the enrollment process, users must install the Company Portal app. When you distribute applications and external links to users, they can access the applications and links by using the Company Portal app.

Before you can distribute the Company Portal app to users, you must make sure that the app is signed by a mobile code-signing certificate that is trusted by users’ devices. To obtain the code-signing certificate, complete the following steps:

1. Establish a Company Dev Center account on the Windows Phone Dev Center. As part of this process, you will receive a Publisher ID. For more information, see Registration Info.

2. Visit the Symantec Enterprise Mobile Code Signing Certificate website to complete the required steps to obtain an enterprise mobile code-signing certificate. When this process is complete, Symantec will deliver a certificate that can be imported into the certificate store on a computer.

3. In the Certificates snap-in on the computer where the certificate is imported, export the certificate in PFX format. Be sure to export the private key with the certificate. The .pfx file will be used to generate an application enrollment token (AET) and sign company apps. For more information about how to export the certificate in PFX format, see Export a Certificate with the Private Key.

4. Windows Intune generates an application enrollment token (AET) so that you can enroll phones in the company account. This is required so that users can install the Company Portal app.

To prepare the Company Portal app for distribution to users, you must first download the app, and then ensure that it is signed with a certification authority that is trusted by the users’ devices. To download and sign the app, complete the following steps:

5. Open the Windows Intune administrator console.

6. In the workspace shortcuts pane, click the Administration icon.

7. In the navigation pane, under Mobile Device Management, click Windows Phone 8.

8. Under Step 3: Download the Company Portal app File, click the Download the App File hyperlink.

9. Download the XapSignTool tool from the Windows Phone 8 SDK.

10. To sign the Company Portal app, follow the instructions in the “Signing the XAP by using the XapSignTool tool” section in How to precompile managed assemblies and sign a company app. You must sign the Company Portal app with the Symantec enterprise mobile code-signing certificate that you obtained when you completed step 3b.

Before distributing the Company Portal app to users, you must upload the signed Company Portal app file to Windows Intune. During the upload process, you will be prompted to provide the code-signing certificate. The Company Portal app will then be automatically made available to members of the All Users group in Windows Intune, so that you do not have to explicitly create a deployment to make it available.

Enrolling Windows Phone Devices in Windows Intune

Enrollment establishes a relationship among a user who is provisioned in Windows Intune, the user’s device, and the Windows Intune service. Users must enroll their devices in Windows Intune to access and install applications that you distribute. Enrollment enables the following:

• Windows Intune to identify the device

• Windows Intune to identify the user of the device

• The device to contact the Windows Intune service

• The Windows Intune service to contact the device through a notification service

• Windows Intune and the device to exchange management communications securely

• Follow-up tasks, such as hardware inventory and the application of security policies, to be triggered

The names of the devices that users enroll should appear in the Windows Intune administrator console within a few hours of enrollment.

To enroll a Windows Phone 8 Device

To enroll their devices, users must enter their Windows Intune user ID or their existing on-premises Active Directory credentials using the following steps:

1. On the Windows Phone 8 device select Settings, then system, and select Company Apps.

2. Select add account, and enter your company credentials in the Company Apps dialog.

After the Windows Phone 8 device is enrolled, users will be prompted to install the Company Portal app, which users can then use to install apps provided by their administrator.

During enrollment, the Windows Intune service checks to confirm that:

• The account for the organization is active.

• The user is provisioned in Windows Intune.

• The user has not exceeded the maximum allowed number of devices per user. Each user who is provisioned in Windows Intune can enroll a maximum of five devices.

Resources

For more information about all the aspects of using Windows Phone in your company, see Windows Phone for Business (http://www.windowsphone.com/en-US/business/for-business).

To learn more about Windows Phone 8 Device Management and Windows Intune, or for more complete guidance for managing Windows Phone and other mobile devices, additional information is available at:

• “Using Windows Intune for Direct Management of Mobile Devices” at http://technet.microsoft.com/en-us/library/jj733632.aspx

• “Customizing the Windows Intune Company Portal” at http://technet.microsoft.com/en-us/library/jj662649.aspx