Microsoft Solves BYOD Using Microsoft System Center Configuration Manager and Windows Intune
Published November 2013

Microsoft IT uses Microsoft System Center 2012 Configuration Manager with
Windows Intune as their enterprise tool to create a consistent, reliable, and
secure work environment that allows users to be productive anytime,
anywhere, on any device they choose, while meeting Microsoft compliance
and security requirements and while simplifying administration across
heterogeneous device platforms.
Situation
Microsoft Information Technology (Microsoft IT) needed to embrace and adapt to the rising bring
your own device (BYOD) culture by enabling users to access corporate resources from personal
devices without compromising corporate security, increasing infrastructure costs or complexity, or
increasing administrative overhead.
Solution
To address the changes in the enterprise landscape, Microsoft IT enabled Unified Device
Management (UDM). By adding a Windows Intune subscription and deploying the Intune
connector to their Microsoft System Center 2012 Configuration Manager Service Pack 1 (SP1)
environment, Microsoft IT brings all devices, company-owned and user-owned, into the scope of
centralized management while providing users a flexible work environment across multiple device
platforms.
Benefits
• Reduced costs by unifying IT management infrastructure.
• Simplified administration for managing all PCs and mobile devices.
• Increased user productivity while maintaining compliance and reducing risk.
Products and Technology
• System Center 2012 Configuration Manager SP1
• Windows Intune
• Active Directory
• Microsoft Online Directory Services
Situation
Microsoft IT, like many other enterprises, faces an explosion of heterogeneous devices and the
growing challenges created by the bring your own device (BYOD) culture. Long gone are the days of
managing a single user using a single corporate-owned device to access corporate resources. To keep
pace with the need to allow users to work when, where, and with which device best suits them,
Microsoft IT needed to find a new approach for managing the modern workplace. A solution that
would:
• Deliver simplified, comprehensive management across device platforms, on-premises and in the cloud, using a single console for administration, deployment, and reporting.
• Integrate into the existing network design without additional investments in hardware or increase in complexity.
• Provide a consistent user experience across device platforms.
• Enable access to line of business (LOB) applications from the user's device of choice without compromising corporate security.
Microsoft IT uses Microsoft System Center 2012 Configuration Manager to manage devices
connected to its corporate network but was looking for a solution to also manage devices and
applications in the cloud.

Solution
Microsoft IT enabled Unified Device Management (UDM) by leveraging Windows Intune and System
Center 2012 Configuration Manager SP1. This solution retains the scalability and administrative
functionality of Configuration Manager while extending its reach via Windows Intune to cloud-based
device management. With UDM, Microsoft IT uses a single Configuration Manager–based
administrative console to centrally manage both on-premises and cloud-connected computers,
devices, and applications.
With UDM, Microsoft IT is able to:
• Extend the Configuration Manager infrastructure with Windows Intune to support cloud management of mobile devices, enabling publication of corporate apps and services across multiple device types.
• Provide consistent access to corporate resources for a variety of devices, regardless of location.
• Offer and deploy LOB modern applications dynamically based on device type.
• Apply policies across various devices and platforms to meet Microsoft compliance and security requirements.
• Remove corporate data and applications if a device is lost, stolen, or retired from use.
As part of the solution, Microsoft IT implemented a self-service app store, the Company Portal, which
gives Microsoft users the ability to install internal LOB apps on all their devices, virtually anytime or
anywhere.

Deployment
The Microsoft IT UDM service offering focuses on four key areas: device enrollment, application
provisioning, policy, and inventory of hardware and software. Before the deployment and
configuration of UDM could begin, Microsoft IT needed to determine the type of devices they would
support. Based on an analysis of device volume and native LOB apps, the initial scope of the UDM
project was set to support Microsoft Surface RT, Windows Phone 8, and Apple iOS devices. While UDM
supports Android devices, Microsoft IT did not include them in the initial scope due to the lack of internal
LOB apps developed for the Android platform. Understanding the scope of devices enabled Microsoft IT
to coordinate with the appropriate Microsoft teams to configure the Intune Connector, define security
policies, and publish apps to the new Company Portal.

Architecture
UDM consists of a series of components working in concert:
• Configuration Manager provides the central administration console for administering both on-premises and cloud-based devices.
• Windows Intune Subscription establishes the connection between Configuration Manager and Intune. It specifies the configuration settings for the Windows Intune service, such as which users can enroll their devices and which mobile device platforms to manage.
• Windows Intune Connector, a Configuration Manager site role, acts as a gateway between Windows Intune and on-premises Configuration Manager, sending settings and software deployment information to Windows Intune and retrieving status and inventory messages from mobile devices.

Figure 1.Microsoft IT Unified Device Management infrastructure.

The following sections describe the various activities involved in Microsoft IT's UDM deployment.
Deployment Process
Microsoft IT took a five-step approach to deploying UDM into their existing Configuration Manager
environment: (1) build the Configuration Manager SP1 environment, (2) provision users, (3) provision
Windows Intune services, (4) set up DNS redirection, and (5) acquire device-specific certificates.
Step 1: Build Configuration Manager SP1 environment
Microsoft IT added a Configuration Manager SP1 primary site in the corporate domain hierarchy
specifically for mobile device management. Server hardware consisted of:
• A primary site server using a virtual machine with 12 GB of RAM and four processor cores.
• A Microsoft SQL Server server with 64 GB of RAM and six processor cores.
Creating a separate site for mobile device management is not a UDM requirement; UDM is capable
of scaling to large volumes of devices. For Microsoft IT, the decision to create a separate mobile
device management site instead of incorporating UDM into an existing Configuration Manager site
used for managing PCs and laptops was based on the anticipated volume of mobile devices. With
approximately 180,000 users between full time employees (FTEs) and vendors, Microsoft IT needed to
ensure that the UDM environment could handle a very large number of enrolled mobile devices.
Most small and medium size organizations will not require a separate site and can incorporate Unified
Device Management into their existing site hierarchy.
Step 2: Provision users
Microsoft IT performed user discovery for the entire Microsoft corporate Active Directory forest using
the existing production Configuration Manager environment. This process took a few hours due to
the large user base in Microsoft IT and ensured that all users were added to a user collection before
enabling UDM.
Your organization must determine the extent of your BYOD environment to see if performing a full
user discovery is necessary or if you want to manually add the users allowed to enroll their mobile
devices to Configuration Manager.
Step 3: Provision Windows Intune services
Microsoft IT worked with the Microsoft Online Directory Services (MSODS) team to provision Intune
services for Microsoft IT organizational user (tenant) account and set up the UDM services Admin (the
account used for authentication when creating the Intune Subscription in Configuration Manager).
They also worked with the Active Directory team to configure Directory Sync (DirSync) and Active
Directory Federation Services (ADFS) 2.0. DirSync ensured that all users were synchronized into the
cloud, and ADFS allowed users to use single sign-on (SSO) to access all cloud services.
Microsoft had an existing tenant account as they already use Microsoft Office 365 and other cloud
services and already had DirSync and ADFS in place to synchronize data into the cloud. If your
company does not, you will need to:
• Sign up for a Windows Intune organizational (tenant) account.
• Deploy and configure DirSync to synchronize on-premises Active Directory users with MSODS, creating the user ID used for cloud-based applications.
• Deploy ADFS to allow a single identity for each user across both on-premises and cloud-based applications.
Step 4: Set up DNS redirection
Most companies will benefit from creating a DNS alias (CNAME record) for
enterpriseenrollment.<yourcompany>.com that points at the enrollment service, so that devices can
auto-discover the enrollment server. This means users will not need to know the actual server name
when they enroll their device.
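The auto-discovery record is the one piece of this step an attacker or a misconfiguration can quietly redirect, so it is worth creating it idempotently and then checking what the alias actually resolves to rather than trusting that "enrollment works". The script below is an added example, not code from the Microsoft IT paper. It assumes a DNS zone of contoso.com, a DNS server named dns01.contoso.com, the DnsServer and DnsClient PowerShell modules, and an alias target of manage.microsoft.com (substitute the target your Windows Intune tenant documentation specifies). Because the paper later notes that enrollment is driven by the user's UPN, the script takes a list of zones so you can run the check once per UPN suffix users enroll with.

```powershell
# Added example, not code from the Microsoft IT paper: create the
# enterpriseenrollment CNAME that enrollment auto-discovery relies on, and
# verify what the record actually resolves to. Assumptions: the zone is
# 'contoso.com', the DNS server is 'dns01.contoso.com', the alias target is
# 'manage.microsoft.com' (use the target your Windows Intune tenant
# documentation specifies), and the DnsServer and DnsClient modules are present.
#Requires -Modules DnsServer, DnsClient
param(
    [string[]]$Zones   = @('contoso.com'),        # one entry per UPN suffix users enroll with
    [string]$DnsServer = 'dns01.contoso.com',
    [string]$Target    = 'manage.microsoft.com'
)

function Add-EnrollmentCname {
    param([string]$Zone, [string]$DnsServer, [string]$Target)
    # Idempotent: only create the alias when no CNAME exists yet.
    $existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name 'enterpriseenrollment' `
        -RRType CName -ComputerName $DnsServer -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordCName -ZoneName $Zone -Name 'enterpriseenrollment' `
            -HostNameAlias $Target -ComputerName $DnsServer
    }
}

function Test-EnrollmentCname {
    param([string]$Zone, [string]$Target)
    $fqdn = "enterpriseenrollment.$Zone"
    # Ask for the CNAME explicitly so the check reports where the alias points,
    # not merely that some address came back.
    $cname = Resolve-DnsName -Name $fqdn -Type CNAME -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if (-not $cname) {
        return [pscustomobject]@{ Name = $fqdn; Alias = $null; Ok = $false; Reason = 'no CNAME record returned' }
    }
    $alias  = $cname.NameHost.TrimEnd('.')
    $ok     = ($alias -ieq $Target)
    $reason = if ($ok) { 'alias matches expected target' } else { 'alias points somewhere else; fix before enabling enrollment' }
    [pscustomobject]@{ Name = $fqdn; Alias = $alias; Ok = $ok; Reason = $reason }
}

foreach ($zone in $Zones) {
    Add-EnrollmentCname  -Zone $zone -DnsServer $DnsServer -Target $Target
    Test-EnrollmentCname -Zone $zone -Target $Target
}
```

Run the check from the network the devices enroll from, since the record must be resolvable wherever enrollment happens, not only inside the corporate DNS.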
Step 5: Acquire device-specific certificates
Each device platform has different requirements for loading applications. Microsoft IT worked with the
Microsoft App team to acquire the certificates required for the supported mobile devices.
At Microsoft, Configuration Manager Admins do not maintain certificates. The Product Release &
Security Services (PRSS) team is the central authority for the signing process used to sign all Windows
Phone 8 and Windows apps applicable to Windows RT devices at Microsoft.
For signing Windows RT and Windows 8 modern apps, Microsoft IT uses one of the child certificates of
the Microsoft Root CA. They configure the Microsoft root certificate in the Windows Intune
subscription page, enabling Windows RT devices to trust those signed apps.

Depending on the size of your organization, your model for managing and deploying certificates may
be different. For more information on certificates and/or keys required for each mobile device
platform and from where your company needs to obtain the certificate or key, see Obtain Certificates
or Keys to Meet Prerequisites per Platform under the Prerequisites section of How to Manage Mobile
Devices by Using Configuration Manager and Windows Intune.
UDM Configuration
Enabling UDM requires creating a Windows Intune Subscription and defining a Windows Intune
Connector role in Configuration Manager. To set up and configure UDM, Microsoft IT:
1. Created a new Intune Subscription. In the Subscription Wizard, they selected Allow the Configuration Manager console to manage this subscription. This enabled Configuration Manager to become the authoritative source for managing all mobile devices, providing a single administration console for on-premises systems, cloud-connected devices, and application life cycle management.
2. Defined a user collection. Microsoft IT created a custom user collection for all Microsoft employees based on the users discovered after performing user discovery for the entire Microsoft corporate Active Directory forest. This ensured that members of this collection were licensed for enrollment in UDM.
3. Configured platforms, certificates, and keys. The three platforms identified as in scope for UDM were enabled: Windows Phone 8, Windows RT, and iOS. For each platform, the required certificates were applied. For Windows Phone 8, they also deployed the Company Portal app to allow users to start using the Company Portal and installing applications almost immediately after enrolling their device.
4. Assigned the connector role. Microsoft IT added the Windows Intune Connector site server role to the Central Administration Site (CAS) server. The Intune Connector server role communicates directly with Windows Intune and provides the communication gateway between Configuration Manager and Intune for all incoming and outgoing communication.
Cloud User Sync Monitoring
After UDM is configured, Cloud User Sync, a component in Configuration Manager, provides
communication between Configuration Manager and Windows Intune. It monitors the collection of
users for additions, synchronizes changes with Windows Intune to license users and enables them to
enroll their devices. Microsoft IT makes the following recommendations.
• Use delta user discovery and incremental updates settings. By enabling delta discovery in your Active Directory User Discovery settings and selecting incremental updates on the collection settings, updates are synchronized on a more frequent schedule. This ensures that licensing of new users and removal of licenses for disabled users happens quickly.
• Use the default Cloud User Sync setting. Cloud User Sync synchronizes changes: new users added to the collection are licensed and enabled for enrollment; users removed from the collection have their Windows Intune license revoked. By default, synchronization occurs every five (5) minutes and is a minimal burden on your Configuration Manager hierarchy and network.
• Monitor the following Intune Connector log files:
  o Dmpdownloader.log to monitor policy changes downloaded from Windows Intune to Configuration Manager.
  o Dmpuploader.log to monitor policy changes uploaded to Windows Intune from Configuration Manager.
  o Cloudusersync.log to monitor user licensing in Windows Intune.
• Use the CloudUserID field in the User_Disc table in Configuration Manager to identify whether users are licensed:
  o Null indicates that the user is not licensed to enroll devices.
  o An all-zero GUID indicates that the user was previously licensed but is no longer a member of the user licensing collection.
  o A non-zero GUID indicates that the user is licensed to enroll devices.
Note: There is no need to license users separately for each device. When a user is licensed, they are
licensed for up to 20 devices.
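Reading the three connector logs by hand does not scale once the connector is running every five minutes, so the usual approach is to parse the standard ConfigMgr log line format and surface only the warning and error entries. The script below is an added example, not code from the Microsoft IT paper. It assumes the connector logs use the normal ConfigMgr log format (type 1 is information, 2 warning, 3 error), that the log folder path shown is a placeholder for your site server's Logs folder, and the two sample lines are constructed for illustration rather than real connector output.

```powershell
# Added example, not code from the Microsoft IT paper: parse the Windows Intune
# Connector logs the paper says to monitor (Dmpdownloader.log, Dmpuploader.log,
# Cloudusersync.log) and surface warning/error entries. Assumptions: the lines
# are in the standard ConfigMgr log format (type 1=info, 2=warning, 3=error),
# the log folder path is a placeholder, and the sample lines below are
# constructed for illustration rather than real connector output.
$cmLogLine = [regex]'^<!\[LOG\[(?<Message>.*)\]LOG\]!><time="(?<Time>[^"]+)" date="(?<Date>[^"]+)" component="(?<Component>[^"]*)" context="[^"]*" type="(?<Type>\d)" thread="(?<Thread>\d+)" file="(?<File>[^"]*)">\s*$'
$severity  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

function ConvertFrom-CMLogLine {
    param([string]$Line, [string]$Source)
    $m = $cmLogLine.Match($Line)
    # Continuation lines of multi-line messages do not match and are skipped.
    if (-not $m.Success) { return $null }
    # Time looks like 10:22:31.123+000; drop the UTC offset before parsing.
    $time = $m.Groups['Time'].Value -replace '[+-]\d+$', ''
    [pscustomobject]@{
        Source    = $Source
        Timestamp = [datetime]::ParseExact("$($m.Groups['Date'].Value) $time", 'MM-dd-yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
        Severity  = $severity[$m.Groups['Type'].Value]
        Component = $m.Groups['Component'].Value
        Thread    = [int]$m.Groups['Thread'].Value
        Message   = $m.Groups['Message'].Value
    }
}

function Get-CMLogIssues {
    param([string[]]$Lines, [string]$Source)
    foreach ($line in $Lines) {
        $entry = ConvertFrom-CMLogLine -Line $line -Source $Source
        if ($entry -and $entry.Severity -ne 'Info') { $entry }
    }
}

# Constructed sample lines (not real log output) to exercise the parser offline.
$sample = @(
    '<![LOG[Cloud user sync completed: 3 users licensed, 1 license revoked.]LOG]!><time="10:22:31.123+000" date="11-04-2013" component="CLOUDUSERSYNC" context="" type="1" thread="4812" file="cloudusersync.cpp:120">',
    '<![LOG[Failed to obtain an authentication token for the service account (HTTP 401).]LOG]!><time="10:27:31.456+000" date="11-04-2013" component="CLOUDUSERSYNC" context="" type="3" thread="4812" file="cloudusersync.cpp:233">'
)
Get-CMLogIssues -Lines $sample -Source 'cloudusersync.log' | Format-Table Timestamp, Severity, Component, Message -AutoSize

# Live use on the site server hosting the connector (placeholder path).
$logDir = 'D:\Program Files\Microsoft Configuration Manager\Logs'
foreach ($name in 'Dmpdownloader.log', 'Dmpuploader.log', 'Cloudusersync.log') {
    $path = Join-Path $logDir $name
    if (Test-Path $path) { Get-CMLogIssues -Lines (Get-Content $path) -Source $name }
}
```

Against the constructed sample only the second line is returned, since the first is informational. Scheduling this against the three logs and forwarding the output to your monitoring system is a cheap way to notice when the connector stops licensing users or pushing policy.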
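The CloudUserID states above are easy to misread in the raw table, and a user whose license has been revoked may still hold corporate data on an enrolled device, so it helps to turn the column into an explicit report. The script below is an added example, not code from the Microsoft IT paper. It assumes a SQL Server instance named cmsql01, a site database named CM_MDM, the Invoke-Sqlcmd cmdlet (SQLPS or SqlServer module), and that the UPN column in User_Disc is User_Principal_Name0 (check this against your site database); the sample rows are constructed so the classification can be run without a site database.

```powershell
# Added example, not code from the Microsoft IT paper: report UDM user licensing
# state from the CloudUserID column of User_Disc, using the three states the
# paper describes (NULL, all-zero GUID, non-zero GUID).
# Assumptions: SQL Server instance 'cmsql01', site database 'CM_MDM', the
# Invoke-Sqlcmd cmdlet (SQLPS/SqlServer module), and that the UPN column is
# User_Principal_Name0 (check against your schema).
param(
    [string]$ServerInstance = 'cmsql01',
    [string]$Database       = 'CM_MDM',
    [switch]$UseSampleData
)

function Get-UdmLicenseState {
    param($CloudUserId)
    # Invoke-Sqlcmd returns SQL NULL as [System.DBNull], not $null.
    if ($null -eq $CloudUserId -or $CloudUserId -is [System.DBNull]) { return 'NotLicensed' }
    # Accept uniqueidentifier or string storage, with or without braces.
    if ("$CloudUserId" -match '^\{?0{8}-0{4}-0{4}-0{4}-0{12}\}?$') { return 'LicenseRevoked' }
    return 'Licensed'
}

function Get-UdmLicenseReport {
    param([object[]]$Rows)
    foreach ($row in $Rows) {
        [pscustomobject]@{
            UPN         = $row.User_Principal_Name0
            CloudUserID = $row.CloudUserID
            State       = Get-UdmLicenseState -CloudUserId $row.CloudUserID
        }
    }
}

if ($UseSampleData) {
    # Constructed rows so the classification can be exercised without a site database.
    $rows = @(
        [pscustomobject]@{ User_Principal_Name0 = 'alice@contoso.com'; CloudUserID = [guid]::NewGuid() }
        [pscustomobject]@{ User_Principal_Name0 = 'bob@contoso.com';   CloudUserID = [guid]::Empty }
        [pscustomobject]@{ User_Principal_Name0 = 'carol@contoso.com'; CloudUserID = $null }
    )
} else {
    $query = 'SELECT User_Principal_Name0, CloudUserID FROM dbo.User_Disc'
    $rows  = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $query
}

$report = Get-UdmLicenseReport -Rows $rows
$report | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
# Users whose license was revoked: confirm their enrolled devices have been retired or wiped.
$report | Where-Object { $_.State -eq 'LicenseRevoked' } | Format-Table UPN, CloudUserID -AutoSize
```

With -UseSampleData the report classifies alice as Licensed, bob as LicenseRevoked and carol as NotLicensed. The LicenseRevoked list is the one to reconcile against enrolled devices, because removal from the licensing collection revokes the license but does not by itself remove corporate data from the user's devices.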

Device Enrollment
Along with configuring the UDM architecture, Microsoft IT had to plan the user experience as part of
their deployment. They wanted to ensure that enrolling devices:
• Provided a good user experience where users could enroll their devices, gain access to the Company Portal, and install LOB applications with minimum user intervention.
• Enabled users to become productive quickly with the LOB apps by providing a seamless single sign-on installation. ADFS enables Microsoft users to use the same credentials (their corporate user ID, email account, and network password) regardless of device.
When a user enrolls a device, Microsoft IT collects general information about the device, such as
manufacturer and any LOB apps installed from the Company Portal (not the Microsoft Store).
Enrollment installs the Company Portal application on the device, enabling users to install applications
by showing them only the applications that are targeted to their user account.
Company Portal
Microsoft has provided their users with the ability to install business applications in the past. The
Company Portal is the next generation, a Windows 8.x modern application platform, which allows users
to install internal business applications by showing them which applications they have permission to
install based on their role, language, and location. This included an iOS Self-Service Portal ('Company
Portal') for users who needed to install enterprise iOS applications on their iPad and iPhone devices.
Microsoft IT tried to create an end user experience that was as similar as possible between all
supported device platforms, but each device platform had some minor differences when deploying
the Company Portal.
• Windows Phone 8. The Company Portal is installed as part of the enrollment process. Installing the Company Portal during enrollment requires the user to select the Install company app or hub check box. This check box is selected by default. If the user clears this check box, they would need to unenroll the device and then re-enroll if the Company Portal was needed in the future.
• Windows RT. The Company Portal is installed as a required app after the enrollment is completed. Microsoft IT deployed the Company Portal to all users as Required.
• Apple iOS. Users must install the Company Portal app from the iOS Self Service Portal, then enroll their iOS devices.
Modern Application Publishing
Two types of apps are published via the Company Portal:
• Sideloaded apps: modern LOB applications developed and published to the Company Portal where the content is hosted and provided by the Configuration Manager and Windows Intune hierarchy.
• Deep link apps: links to an application in the Microsoft Store (or the Apple App Store for iOS apps) stored in Configuration Manager, that users access via the Company Portal. Microsoft IT used these for apps that are likely to update often (such as Skype or Microsoft OneNote). It enabled them to reduce administrative overhead, redirecting users to the Microsoft Store for the latest version instead of having to manage and publish updates to the Company Portal.
While modern apps are not as resource intensive to provision and deploy, there is still a cost
associated with developing and maintaining them. Microsoft IT applied the following business rules
when determining what applications would be published through the Company Portal. They started
by determining the target number of users for the app. The threshold was set at 1,000 users. While
they did publish a few applications with a user population of 500 users, if the application was used by
less than 1 percent of the company (fewer than 1,000 users), the application would not be available
through the Company Portal and the LOB app would instead be published via Microsoft SharePoint or
some other LOB-created site.
As discussed earlier, each platform has different requirements for signing and publishing apps, but
there are some common areas that helped streamline the process for Microsoft IT. Before their users
started to enroll their devices, Microsoft IT:
• Worked with the app provisioning team to sign both the Company Portal app and apps created by the internal Microsoft developers before publishing the apps.
• Signed all Windows RT apps with a child certificate from the Microsoft Root CA. As all child certificates of the Microsoft Root CA cert are trusted, Windows RT apps that are published are automatically trusted by Windows RT devices.
• Worked with the PRSS team and formulated a process for signing apps for Windows Phone 8.
• Categorized all apps per Microsoft IT App team standards to reduce the need for users to scroll through hundreds of apps. Users can use Search, but categories made locating apps easier, especially on mobile phone devices.
• Targeted most applications to the built-in All Users and User Groups collection as Available. This made the apps available in the Company Portal as soon as the user enrolled a device.
• Used custom collections based on Active Directory Security Groups to limit the targeted users for a few applications with specific access requirements, limiting which users could install them.
Troubleshooting Enrollment
• Microsoft IT experienced enrollment failures due to a non-standard User Principal Name (UPN) for some users. The enrollment process is based on a user's UPN. For some Microsoft users, their UPN deviated from the standard naming convention and was different from their user alias. Microsoft IT created a DNS redirection to resolve this issue.
• As there are no client logs for enrollment troubleshooting, Microsoft IT needed to take a systematic approach to troubleshooting.
• For troubleshooting general device enrollment issues, Microsoft IT recommends that you verify the following:
  o The Admin has configured mobile device management.
  o The Admin has enabled enrollment for specific device types.
  o The Admin has provisioned the user for mobile device enrollment.
  o The user is not trying to enroll several devices at the same time and does not have more than 20 mobile devices enrolled in the system.
  o For Windows Phone 8 devices, the code signing certificate is configured properly.
  o For iOS devices, the Apple Push Notification Service certificate is configured and has not expired, and the device is running iOS v5.0 or later.
• For troubleshooting Company Portal related issues, a good place to start the troubleshooting process is:
  o For Windows RT devices, use the portal log C:\Users\<useraccount>\AppData\Local\Packages\Microsoft.CompanyPortal\LocalState\SSPLOG_<number>.log.
  o For Windows Phone 8 devices, a log can be retrieved from the portal itself and sent via email.
Enrollment Lessons Learned
Microsoft IT learned from a few issues that occurred during the enrollment process.
• Microsoft IT discovered that both enrollment and re-enrollment of a Windows RT device consumed a sideloading key. During unenrollment, the sideloading key and assigned device ID are removed. Re-enrollment is treated as a new device, and a new device ID with sideloading key is provisioned.
• User-initiated un-enrollment did not remove the Company Portal; it only disconnected the Windows RT device from Windows Intune. This is because the Company Portal provides other functions, such as the ability to manage other devices. Microsoft IT needed to educate both their users and IT admins that this was by design.
• User education requirements were another area of learning for Microsoft IT.
  o Users were concerned about what type of information Microsoft IT could see and collect about their personal devices. Microsoft IT needed to reassure users that the only information it collects is general information about the device itself (such as the manufacturer) and any LOB apps installed from the Company Portal, and that no personal information, such as phone number, personal apps, or apps installed from the Microsoft Store, is collected.
  o There were delays in refreshing Windows RT policies due to the Windows RT maintenance window being set for every 24 hours. Microsoft IT needed to educate users that some changes were impacted by the default maintenance window. Microsoft IT used user communications and the company support website, ITWeb, to inform users of expected delays.
  o The enrollment process differs across the mobile device platforms. For example, the Windows Phone 8 enrollment user experience and user interfaces are different from Windows RT, and iOS device enrollment presents additional screens for adding management profiles on the device that are not seen on Windows Phone 8 or Windows RT devices. These differences were generating support requests. To address this, Microsoft IT documented the enrollment process for each device and made it available through the company support website, ITWeb.

Policy and Security Configuration
Making sure that corporate security was maintained as well as providing a good end user experience
required that Microsoft IT coordinate with:
• The Microsoft Security team to define the policies that would enforce Microsoft corporate compliance settings, such as password policy and encryption settings, on mobile devices.
• The Exchange team to align policy settings between Exchange ActiveSync (EAS) and UDM.
Microsoft IT leveraged the default compliance rules built into Configuration Manager for mobile
devices. They created new Configuration Items (CIs) for mobile devices (different CIs for each device
type to make troubleshooting easier), added built-in compliance rules with values (see Table 1) based
on Microsoft IT security requirements, then created a Configuration Baseline for those CIs and
targeted the Configuration Baseline to the collection of mobile devices.
Table 1.Microsoft IT compliance settings for mobile devices.
Corporate Policy                  Windows Phone 8   Windows RT         iOS
Device Encryption                 TRUE              Not Supported      Not Supported
Password Required                 TRUE              Not Supported      TRUE
Allow Simple Password             Not set           Not Supported      TRUE
Min Password Length               4                 5 (local only)     4
Max inactive time to lock         15 minutes        15 minutes         15 minutes
Max failed attempts before wipe   5                 Not set            5
Password Expiration               Not Set           70 days (local)    Not Set
Password History                  Not Set           Not Set            0
Min Complex Characters            1                 1 (local only)     0
Removable Storage                 TRUE              Not Supported      Not Supported
Allow Convenience Logon           Not Supported     TRUE               Not Supported
Allow Browser                     Not Supported     Not Supported      TRUE
Allow Camera                      Not Supported     Not Supported      TRUE


Microsoft IT’s goal is to develop a common set of policies that would scale across devices while
providing a good end user experience. The one policy that created the most issues was the minimum
password length; Windows Phone 8 was four (4) while Windows RT was six (6). Microsoft IT is working
with the Security teams and the Exchange teams to see if they can find a common ground between
their requirements that provides good corporate security without impacting the end user experience.
Microsoft IT makes the following recommendations for configuring your mobile device policies.
• Align your policies, such as password/PIN policies, across EAS and UDM to ensure the best end user experience. Note: Although the most restrictive policy will apply, different user experiences have the potential to increase support calls.
• If a policy is not applicable to a particular device platform, it will report back which platforms do not support the policy. Common policies will simplify administration. For example, if you set the same password requirements across all mobile device platforms, you will not require multiple CIs and different device collections to support various password policies.
• Create custom device collections when policies cannot be aligned across platforms. Use the Agent Edition attribute in the Configuration Manager console, which shows enrolled devices by device type, to create custom device collections and then target policy baselines to each collection.
• In both your Configuration Items and your Configuration Baselines, enable Remediate noncompliant settings to enforce compliance settings on the device. If Remediate noncompliant settings is not enabled on both your Configuration Items and your Configuration Baselines, your reports will only reflect the current compliance state of enrolled devices and will not enforce compliance rules/settings on those devices.
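The "most restrictive policy applies" rule means the password policy a user actually experiences is the combination of the EAS mailbox policy and the UDM Configuration Item, and the two are easy to let drift apart. The script below is an added example, not code from the Microsoft IT paper: it takes the UDM values from Table 1, a constructed EAS policy (on a real Exchange server the values would come from Get-ActiveSyncMailboxPolicy, whose property names differ from the short names used here), computes the effective value per platform and setting, and lists only the settings where the two enforcement points disagree. 'NotSet' and 'NotSupported' are treated as "not enforced by that side".

```powershell
# Added example, not code from the Microsoft IT paper: compare the Exchange
# ActiveSync (EAS) password policy with the UDM Configuration Item values per
# platform, compute the effective value (the paper notes the most restrictive
# policy applies), and flag mismatches that produce an inconsistent user
# experience. UDM values are taken from Table 1; the EAS values are a
# constructed sample (on a real Exchange server they would come from
# Get-ActiveSyncMailboxPolicy). 'NotSet' and 'NotSupported' mean not enforced.

# Direction of "more restrictive" for each setting.
$rules = @{
    PasswordRequired            = 'TrueIsStricter'
    AllowSimplePassword         = 'FalseIsStricter'
    MinPasswordLength           = 'HigherIsStricter'
    MaxInactivityMinutes        = 'LowerIsStricter'
    MaxFailedAttemptsBeforeWipe = 'LowerIsStricter'
}

# Constructed EAS mailbox policy (assumed values).
$eas = @{
    PasswordRequired            = $true
    AllowSimplePassword         = $false
    MinPasswordLength           = 6
    MaxInactivityMinutes        = 15
    MaxFailedAttemptsBeforeWipe = 10
}

# UDM Configuration Item values per platform, from Table 1 of the paper.
$udm = @{
    'Windows Phone 8' = @{ PasswordRequired = $true;          AllowSimplePassword = 'NotSet';       MinPasswordLength = 4; MaxInactivityMinutes = 15; MaxFailedAttemptsBeforeWipe = 5 }
    'Windows RT'      = @{ PasswordRequired = 'NotSupported'; AllowSimplePassword = 'NotSupported'; MinPasswordLength = 5; MaxInactivityMinutes = 15; MaxFailedAttemptsBeforeWipe = 'NotSet' }
    'iOS'             = @{ PasswordRequired = $true;          AllowSimplePassword = $true;          MinPasswordLength = 4; MaxInactivityMinutes = 15; MaxFailedAttemptsBeforeWipe = 5 }
}

function Test-Enforced {
    param($Value)
    # Compare as strings: with a bool on the left, PowerShell would coerce 'NotSet' to $true.
    ($null -ne $Value) -and ("$Value" -notin @('NotSet', 'NotSupported'))
}

function Get-EffectiveValue {
    param($EasValue, $UdmValue, [string]$Rule)
    $easOn = Test-Enforced $EasValue
    $udmOn = Test-Enforced $UdmValue
    if (-not $easOn -and -not $udmOn) { return 'NotEnforced' }
    if (-not $easOn) { return $UdmValue }
    if (-not $udmOn) { return $EasValue }
    switch ($Rule) {
        'HigherIsStricter' { [Math]::Max([int]$EasValue, [int]$UdmValue) }
        'LowerIsStricter'  { [Math]::Min([int]$EasValue, [int]$UdmValue) }
        'TrueIsStricter'   { [bool]$EasValue -or  [bool]$UdmValue }
        'FalseIsStricter'  { [bool]$EasValue -and [bool]$UdmValue }
    }
}

function Compare-DevicePolicy {
    param([hashtable]$Eas, [hashtable]$UdmByPlatform, [hashtable]$Rules)
    foreach ($platform in ($UdmByPlatform.Keys | Sort-Object)) {
        foreach ($setting in ($Rules.Keys | Sort-Object)) {
            $e = $Eas[$setting]
            $u = $UdmByPlatform[$platform][$setting]
            [pscustomobject]@{
                Platform  = $platform
                Setting   = $setting
                EAS       = $e
                UDM       = $u
                Effective = Get-EffectiveValue -EasValue $e -UdmValue $u -Rule $Rules[$setting]
                Aligned   = ("$e" -eq "$u")
            }
        }
    }
}

# Only the rows where EAS and UDM disagree need attention.
Compare-DevicePolicy -Eas $eas -UdmByPlatform $udm -Rules $rules |
    Where-Object { -not $_.Aligned } | Format-Table -AutoSize
```

With the assumed EAS values, the report shows for example that Windows Phone 8 and iOS users get an effective minimum length of 6 from EAS even though the UDM CI says 4, and that iOS users are denied simple passcodes by EAS although the CI allows them. Those are precisely the rows where the user sees a requirement the Company Portal never told them about.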

Device Retirement

Organizations need a means to enforce security if the user leaves the company or loses their device.
Microsoft IT used the Configuration Manager SP1 wipe and retire options to enforce device security
for retiring enrolled devices.
Microsoft IT used role-based access control (RBAC) in Configuration Manager to limit which
administrators had access to wipe or retire a device by restricting their view in the console.
Note: If you have finished conducting a UDM pilot in your test hierarchy and want to move to a
production hierarchy, it is important to retire all devices from the Configuration Manager console
so that the enrollment state on the devices is cleaned up and they are ready for enrollment into your
production hierarchy.

Reporting
Configuration Manager includes many ready-to-use, built-in reports for UDM, including reports for
apps, hardware inventory, and settings management. There is no need to create custom reports or
separate reports for PC and mobile device management. The same report can be used to report on
both environments.
Microsoft IT used built-in Configuration Manager reports to report on their UDM environment. Two
built-in reports that provided Microsoft IT with insight into application install status and policy
compliance status for UDM were:
• Security policy compliance report: Home > ConfigMgr_<sitecode> > Compliance and Settings Management > Summary compliance by configuration baseline
• Application compliance report: Home > ConfigMgr_<sitecode> > Software Distribution - Application Monitoring > Application compliance
Microsoft IT also used the Configuration Manager console monitoring to easily view and drill down to
the asset level on the status of app deployment and security policy compliance.

While custom reports were not needed due to the built-in reporting capabilities of Configuration
Manager, Microsoft IT did create a custom UDM dashboard specifically for Microsoft executive
management using Microsoft SQL Server 2012 Reporting Services. It provided executive management
visibility into enrollment count trends using graphs and a similar look and feel of other Microsoft IT
dashboards.

Results

By creating a solution that streamlined administration and deployment of devices and applications,
Microsoft IT was able to increase the scope of their centrally managed devices by 10 percent without
adding additional resources or administrative overhead. They expect this number to continue to
increase at a rapid pace with the potential of centrally managing more than 125,000 mobile devices.
The following table provides a summary of the Microsoft IT UDM deployment.

                      Windows Phone 8   Windows RT   iOS
Devices enrolled      10,998            1,732        248
LOB apps published    74                124          0
Deep linked apps      36                2            16


Benefits
The Microsoft IT UDM solution provides the following benefits:
• Low-cost, scalable solution. Windows Intune integrates into the existing Configuration Manager environment without the need to add new infrastructure, hardware, or network complexity to the Microsoft IT environment. It provides enterprise-level scalability, extending the reach of Configuration Manager to support management of Windows RT, Windows Phone 8, and iOS devices.
• Simplified administration. The Configuration Manager console unifies device management, providing Microsoft IT administrators with a single console for administration, application management, and reporting across multiple device types.
• Empowered users. Provides a consistent end user experience across device platforms. Microsoft users can enroll their personal devices, install internal business applications, and manage their mobile devices through the Company Portal, allowing them to be more productive from almost anywhere on almost any device.
• Maintained compliance. Applies policies across multiple device platforms to meet Microsoft compliance and security requirements while providing a good end user experience for Microsoft users. Security risks for lost, stolen, or retired devices are reduced by removing corporate data and applications from the device, either by Microsoft IT administrators through Configuration Manager or by Microsoft users through the Company Portal.

Best Practices
When implementing UDM, Microsoft IT recommends the following best practices:
Plan your deployment. Proper planning before deployment will increase deployment efficiency.
Review your Configuration Manager hierarchy to determine how you will integrate UDM.
Remember, UDM does not require a separate site in your Configuration Manager hierarchy.
Understand which platforms your organization will support. This will help you determine what
types of certificates are required for app deployment.
Acquire and deploy certificates and sideloading keys before enabling user enrollment.
Coordinate with other teams to streamline the app certification process.
Identify and license specific users by using user discovery in Configuration Manager and then
add those users to a custom collection; Cloud User Sync synchronizes the members of that
collection with Windows Intune and licenses them for enrollment.
Enable ADFS to allow users to use the same user name and password to access corporate
resources.

Work with your security team and your Exchange team to align passwords and policies across
device platforms to ensure a good user experience without compromising corporate security.
Promote collaboration among all teams involved. A number of different teams in your organization
may need to be involved, including Security, Compliance, application developers, services, and
infrastructure providers. It is important to ensure that all stakeholders can provide input at an early
stage and can work together to allow for a smooth deployment.
Develop a detailed communication and readiness plan. A well-developed support plan and
documentation for user and helpdesk readiness can reduce support costs.
Train helpdesk technicians before deployment. Have training and support content ready on
modern device support, especially any differences in user experience across device platforms.
Educate users. Provide users with documentation on the enrollment steps for each supported
device platform to reduce support calls. Set expectations for any delays between enrollment and
when Company Portal apps are available for installation. Ensure users understand what is being
inventoried on their device to reduce their concerns. Create FAQs for common questions and
document any known issues.
Plan your enrollment process. To ensure a good user experience and to reduce support costs,
consider how you will deploy the Company Portal and LOB apps.
Use categories to organize applications on the Company Portal to make them easier to find.
Use security groups to limit what apps users can see based on their role in the company.
Determine which apps to publish on the Company Portal based on business needs. Determine
how long apps will be maintained on the Company Portal before retiring them.
Evaluate which apps might change frequently and consider using a deep link instead of
deploying the full app.
Use the Windows Phone emulator in the Windows Phone SDK to test the Windows Phone
enrollment experience.
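Two of the practices above can be scripted rather than clicked through in the console: licensing only the users you intend to enroll (discover them, then place them in a custom collection that Cloud User Sync licenses in Windows Intune), and limiting which apps users see in the Company Portal by role (security groups). The script below is an added example written for this page; it is not Microsoft IT's script and is not part of the original paper. It assumes the Configuration Manager console and its PowerShell module are installed on the machine running it, that the running account has rights on a site with the placeholder site code PS1, and that the security groups CONTOSO\UDM-Enrollment and CONTOSO\Sales, the collection names, and the application name Contoso Expense are all placeholders you would replace with your own.

```powershell
# Added example, not from the original paper. Assumes the Configuration Manager
# console (and so the ConfigurationManager PowerShell module) is installed here and
# the account has rights on site PS1. Site code, AD group names, collection names
# and the application name are placeholders.

# Load the module from the console install path and switch to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location 'PS1:'

# 1. Enrollment collection. Membership is driven by an AD security group that user
#    discovery already brought into the site, so Cloud User Sync licenses exactly the
#    users the security team approved and revokes the license when they are removed
#    from the group. Backslashes in the WQL string are doubled because WQL escapes
#    them; the PowerShell string is single-quoted so they reach WQL unchanged.
$enrollColl = 'UDM - Licensed for Windows Intune'
$enrollWql  = 'select SMS_R_User.ResourceId, SMS_R_User.ResourceType, SMS_R_User.Name, ' +
              'SMS_R_User.UniqueUserName, SMS_R_User.WindowsNTDomain from SMS_R_User ' +
              'where SMS_R_User.UserGroupName = "CONTOSO\\UDM-Enrollment"'

if (-not (Get-CMUserCollection -Name $enrollColl)) {
    New-CMUserCollection -Name $enrollColl -LimitingCollectionName 'All Users' | Out-Null
}
Add-CMUserCollectionQueryMembershipRule -CollectionName $enrollColl `
    -RuleName 'Members of CONTOSO\UDM-Enrollment' -QueryExpression $enrollWql

# Incremental updates plus the scheduled full evaluation, so a user added to (or
# removed from) the group is picked up within minutes rather than at the next
# full update; this is what keeps license grant and revocation prompt.
Set-CMUserCollection -Name $enrollColl -RefreshType Both

# 2. Role-scoped app visibility. A second collection is built from a role group and
#    is LIMITED to the enrollment collection, so nobody outside the licensed set can
#    ever be targeted by mistake. The LOB app is deployed to it as "Available": only
#    members see it in the Company Portal, everyone else never receives the policy.
$roleColl = 'UDM - Sales'
$roleWql  = 'select SMS_R_User.ResourceId, SMS_R_User.ResourceType, SMS_R_User.Name, ' +
            'SMS_R_User.UniqueUserName, SMS_R_User.WindowsNTDomain from SMS_R_User ' +
            'where SMS_R_User.UserGroupName = "CONTOSO\\Sales"'

if (-not (Get-CMUserCollection -Name $roleColl)) {
    New-CMUserCollection -Name $roleColl -LimitingCollectionName $enrollColl | Out-Null
}
Add-CMUserCollectionQueryMembershipRule -CollectionName $roleColl `
    -RuleName 'Members of CONTOSO\Sales' -QueryExpression $roleWql
Set-CMUserCollection -Name $roleColl -RefreshType Both

# Publish the app to the role collection only. "Available" (not "Required") is what
# makes it a self-service Company Portal install rather than a forced push.
Start-CMApplicationDeployment -CollectionName $roleColl -Name 'Contoso Expense' `
    -DeployAction Install -DeployPurpose Available
```

Limiting the role collection to the enrollment collection rather than to All Users is the least-privilege point of this layout: the set of people who can ever see a LOB app in the Company Portal is bounded by the set the security team licensed, and removing someone from CONTOSO\UDM-Enrollment both revokes their Windows Intune license and drops them out of every role collection beneath it on the next incremental update.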

Resources
How to Manage Mobile Devices by Using Configuration Manager and Windows Intune
System Center 2012 Configuration Manager Documentation Library
System Center 2012 Technical Documentation Library
Empower People-Centric IT
Directory Synchronization Roadmap
Microsoft SQL Server 2012 Reporting Services Features and Tasks (SSRS)
How Microsoft IT Deployed System Center 2012 Configuration Manager

Related videos
Microsoft System Center 2012 SP1 - Configuration Manager Overview

For More Information

For more information about Microsoft products or services, call the Microsoft Sales Information
Center at (800) 426-9400. In Canada, call the Microsoft Canada Order Centre at (800) 933-4750.
Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access
information via the World Wide Web, go to:
http://www.microsoft.com
http://www.microsoft.com/microsoft-IT

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Office 365, OneNote,
SharePoint, Skype, SQL Server, Surface, Windows, and Windows Intune are either registered trademarks
or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual
companies and products mentioned herein may be the trademarks of their respective owners. This
document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR
IMPLIED, IN THIS SUMMARY.

Más contenido relacionado

La actualidad más candente

Cloud vs.data center
Cloud vs.data centerCloud vs.data center
Cloud vs.data center
APEX Global
 

La actualidad más candente (20)

Azure Cloud PPT
Azure Cloud PPTAzure Cloud PPT
Azure Cloud PPT
 
Get started with Windows AutoPilot Deployment
Get started  with Windows AutoPilot DeploymentGet started  with Windows AutoPilot Deployment
Get started with Windows AutoPilot Deployment
 
Microsoft 365 UG Windows Autopilot 1st May 2019
Microsoft 365 UG Windows Autopilot 1st May 2019Microsoft 365 UG Windows Autopilot 1st May 2019
Microsoft 365 UG Windows Autopilot 1st May 2019
 
Microsoft azure
Microsoft azureMicrosoft azure
Microsoft azure
 
Microsoft Azure Cloud Services
Microsoft Azure Cloud ServicesMicrosoft Azure Cloud Services
Microsoft Azure Cloud Services
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
Eucalyptus cloud computing
Eucalyptus cloud computingEucalyptus cloud computing
Eucalyptus cloud computing
 
Aws seminar report
Aws seminar report Aws seminar report
Aws seminar report
 
Microsoft Windows Intune getting started guide dec 2012 release
Microsoft Windows Intune getting started guide   dec 2012 releaseMicrosoft Windows Intune getting started guide   dec 2012 release
Microsoft Windows Intune getting started guide dec 2012 release
 
Azure Fundamentals || AZ-900
Azure Fundamentals || AZ-900Azure Fundamentals || AZ-900
Azure Fundamentals || AZ-900
 
Disaster Recovery in the Cloud
Disaster Recovery in the CloudDisaster Recovery in the Cloud
Disaster Recovery in the Cloud
 
Azure Fundamentals Part 1
Azure Fundamentals Part 1Azure Fundamentals Part 1
Azure Fundamentals Part 1
 
Cloud computing presentation.pdf
Cloud computing presentation.pdfCloud computing presentation.pdf
Cloud computing presentation.pdf
 
cloud computing
cloud computingcloud computing
cloud computing
 
PRESENTATION ON CLOUD COMPUTING
PRESENTATION ON CLOUD COMPUTINGPRESENTATION ON CLOUD COMPUTING
PRESENTATION ON CLOUD COMPUTING
 
Cloud Computing and Services | PPT
Cloud Computing and Services | PPTCloud Computing and Services | PPT
Cloud Computing and Services | PPT
 
Modernise your Windows 10 deployment with Windows Autopilot
Modernise your Windows 10 deployment with Windows AutopilotModernise your Windows 10 deployment with Windows Autopilot
Modernise your Windows 10 deployment with Windows Autopilot
 
Cloud vs.data center
Cloud vs.data centerCloud vs.data center
Cloud vs.data center
 
SCCM 2012 Presentation
SCCM 2012 PresentationSCCM 2012 Presentation
SCCM 2012 Presentation
 
AWS Concepts - Internship Presentation - week 10
AWS Concepts - Internship Presentation - week 10AWS Concepts - Internship Presentation - week 10
AWS Concepts - Internship Presentation - week 10
 

Similar a Microsoft Solves BYOD Using Microsoft System Center Configuration Manager and Windows Intune

Enabling People Centric Processes - a Microsoft IT Preview Guide
Enabling People Centric Processes  - a Microsoft IT Preview GuideEnabling People Centric Processes  - a Microsoft IT Preview Guide
Enabling People Centric Processes - a Microsoft IT Preview Guide
David J Rosenthal
 
Wally Mead - Deploying a system center 2012 r2 configuration manager environm...
Wally Mead - Deploying a system center 2012 r2 configuration manager environm...Wally Mead - Deploying a system center 2012 r2 configuration manager environm...
Wally Mead - Deploying a system center 2012 r2 configuration manager environm...
Nordic Infrastructure Conference
 
Wally Mead - Managing mobile devices with system center 2012 r2 configuration...
Wally Mead - Managing mobile devices with system center 2012 r2 configuration...Wally Mead - Managing mobile devices with system center 2012 r2 configuration...
Wally Mead - Managing mobile devices with system center 2012 r2 configuration...
Nordic Infrastructure Conference
 

Similar a Microsoft Solves BYOD Using Microsoft System Center Configuration Manager and Windows Intune (20)

Sysctr Track: Managing your hybrid Mobile cloud Workforce Demystified with Sy...
Sysctr Track: Managing your hybrid Mobile cloud Workforce Demystified with Sy...Sysctr Track: Managing your hybrid Mobile cloud Workforce Demystified with Sy...
Sysctr Track: Managing your hybrid Mobile cloud Workforce Demystified with Sy...
 
Enabling People Centric Processes - a Microsoft IT Preview Guide
Enabling People Centric Processes  - a Microsoft IT Preview GuideEnabling People Centric Processes  - a Microsoft IT Preview Guide
Enabling People Centric Processes - a Microsoft IT Preview Guide
 
Wally Mead - Deploying a system center 2012 r2 configuration manager environm...
Wally Mead - Deploying a system center 2012 r2 configuration manager environm...Wally Mead - Deploying a system center 2012 r2 configuration manager environm...
Wally Mead - Deploying a system center 2012 r2 configuration manager environm...
 
Wally Mead - Managing mobile devices with system center 2012 r2 configuration...
Wally Mead - Managing mobile devices with system center 2012 r2 configuration...Wally Mead - Managing mobile devices with system center 2012 r2 configuration...
Wally Mead - Managing mobile devices with system center 2012 r2 configuration...
 
4 Ways to Ensure a Smooth Windows 10 Migration
4 Ways to Ensure a Smooth Windows 10 Migration4 Ways to Ensure a Smooth Windows 10 Migration
4 Ways to Ensure a Smooth Windows 10 Migration
 
Unified Endpoint Management: Security & Productivity for the Mobile Enterprise
Unified Endpoint Management: Security & Productivity for the Mobile EnterpriseUnified Endpoint Management: Security & Productivity for the Mobile Enterprise
Unified Endpoint Management: Security & Productivity for the Mobile Enterprise
 
System Center 2012 R2 Configuration Manager (SCCM) with Windows Intune
System Center 2012 R2 Configuration Manager (SCCM) with Windows IntuneSystem Center 2012 R2 Configuration Manager (SCCM) with Windows Intune
System Center 2012 R2 Configuration Manager (SCCM) with Windows Intune
 
Enterprise Mobility (Admin)
Enterprise Mobility (Admin)Enterprise Mobility (Admin)
Enterprise Mobility (Admin)
 
Tres formas de modernizar la TI del dispositivo y mejorar la productividad
Tres formas de modernizar la TI del dispositivo y mejorar la productividadTres formas de modernizar la TI del dispositivo y mejorar la productividad
Tres formas de modernizar la TI del dispositivo y mejorar la productividad
 
Mobile Convention Amsterdam 2014 - Microsoft - Maarten Sonneveld
Mobile Convention Amsterdam 2014 - Microsoft - Maarten SonneveldMobile Convention Amsterdam 2014 - Microsoft - Maarten Sonneveld
Mobile Convention Amsterdam 2014 - Microsoft - Maarten Sonneveld
 
IBM Endpoint Manager for Mobile Devices (Overview)
IBM Endpoint Manager for Mobile Devices (Overview)IBM Endpoint Manager for Mobile Devices (Overview)
IBM Endpoint Manager for Mobile Devices (Overview)
 
Beyond BYOD
Beyond BYODBeyond BYOD
Beyond BYOD
 
Webinar: Securing Remote Workforce on the Microsoft Cloud
Webinar: Securing Remote Workforce on the Microsoft CloudWebinar: Securing Remote Workforce on the Microsoft Cloud
Webinar: Securing Remote Workforce on the Microsoft Cloud
 
Lab 14
Lab 14Lab 14
Lab 14
 
One Step Ahead 2014 Samlet formiddag
One Step Ahead 2014 Samlet formiddagOne Step Ahead 2014 Samlet formiddag
One Step Ahead 2014 Samlet formiddag
 
What's new in the windows intune dec 2012 release
What's new in the windows intune dec 2012 releaseWhat's new in the windows intune dec 2012 release
What's new in the windows intune dec 2012 release
 
EPC Group Intune Practice and Capabilities Overview
EPC Group Intune Practice and Capabilities OverviewEPC Group Intune Practice and Capabilities Overview
EPC Group Intune Practice and Capabilities Overview
 
Bsm mw10
Bsm mw10Bsm mw10
Bsm mw10
 
Hexnode Unified Endpoint Management
Hexnode Unified Endpoint ManagementHexnode Unified Endpoint Management
Hexnode Unified Endpoint Management
 
GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...
GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...
GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...
 

Más de Microsoft

Más de Microsoft (20)

Modern Finance at Microsoft US
Modern Finance at Microsoft USModern Finance at Microsoft US
Modern Finance at Microsoft US
 
Modern Marketing: The Case of Microsoft US
Modern Marketing: The Case of Microsoft USModern Marketing: The Case of Microsoft US
Modern Marketing: The Case of Microsoft US
 
Cybersecurity threats you should know about in 2018
Cybersecurity threats you should know about in 2018Cybersecurity threats you should know about in 2018
Cybersecurity threats you should know about in 2018
 
Norwegian Refugee Council
Norwegian Refugee CouncilNorwegian Refugee Council
Norwegian Refugee Council
 
Millennials and the Next Generation of IT
Millennials and the Next Generation of ITMillennials and the Next Generation of IT
Millennials and the Next Generation of IT
 
7 Steps to Better Cybersecurity Hygiene
7 Steps to Better Cybersecurity Hygiene  7 Steps to Better Cybersecurity Hygiene
7 Steps to Better Cybersecurity Hygiene
 
Microsoft to Acquire LinkedIn: Overview for Investors
Microsoft to Acquire LinkedIn: Overview for InvestorsMicrosoft to Acquire LinkedIn: Overview for Investors
Microsoft to Acquire LinkedIn: Overview for Investors
 
Reimagining Business Operations
Reimagining Business OperationsReimagining Business Operations
Reimagining Business Operations
 
Bring Your Own Device
Bring Your Own DeviceBring Your Own Device
Bring Your Own Device
 
Office365 Security Task Force
Office365 Security Task ForceOffice365 Security Task Force
Office365 Security Task Force
 
5 Ways Affordable Innovation Can Revolutionize your Business
5 Ways Affordable Innovation Can Revolutionize your Business5 Ways Affordable Innovation Can Revolutionize your Business
5 Ways Affordable Innovation Can Revolutionize your Business
 
Top 5 Note Taking Tips from Future Innovators
Top 5 Note Taking Tips from Future InnovatorsTop 5 Note Taking Tips from Future Innovators
Top 5 Note Taking Tips from Future Innovators
 
Empowering Employee Engagement: Creating an Engaged Workforce through Afforda...
Empowering Employee Engagement: Creating an Engaged Workforce through Afforda...Empowering Employee Engagement: Creating an Engaged Workforce through Afforda...
Empowering Employee Engagement: Creating an Engaged Workforce through Afforda...
 
Media in Transformation: A Technology Perspective
Media in Transformation: A Technology PerspectiveMedia in Transformation: A Technology Perspective
Media in Transformation: A Technology Perspective
 
Total Economic Impact of Microsoft Office 365 Forrester Study
Total Economic Impact of Microsoft Office 365 Forrester StudyTotal Economic Impact of Microsoft Office 365 Forrester Study
Total Economic Impact of Microsoft Office 365 Forrester Study
 
Integrated Customer Service Maximization Experience Vision Demonstrator
Integrated Customer Service Maximization Experience Vision DemonstratorIntegrated Customer Service Maximization Experience Vision Demonstrator
Integrated Customer Service Maximization Experience Vision Demonstrator
 
Ignite Theater: Microsoft Enterprise Services Connected Collaboration Approach
Ignite Theater: Microsoft Enterprise Services Connected Collaboration ApproachIgnite Theater: Microsoft Enterprise Services Connected Collaboration Approach
Ignite Theater: Microsoft Enterprise Services Connected Collaboration Approach
 
The Digital Airline
The Digital AirlineThe Digital Airline
The Digital Airline
 
Driving results through a connected omni-channel retail sales experience
Driving results through a connected omni-channel retail sales experienceDriving results through a connected omni-channel retail sales experience
Driving results through a connected omni-channel retail sales experience
 
Making Your Marketing More Effective
Making Your Marketing More Effective Making Your Marketing More Effective
Making Your Marketing More Effective
 

Último

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 

Último (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

Microsoft Solves BYOD Using Microsoft System Center Configuration Manager and Windows Intune

  • 1. Microsoft Solves BYOD Using Microsoft System Center Configuration Manager and Windows Intune Published November 2013 Microsoft IT uses Microsoft System Center 2012 Configuration Manager with Windows Intune as their enterprise tool to create a consistent, reliable, and secure work environment that allows users to be productive anytime, anywhere, on any device they choose, while meeting Microsoft compliance and security requirements and while simplifying administration across heterogeneous device platforms. Situation Microsoft Information Technology (Microsoft IT) needed to embrace and adapt to the rising bring your own device (BYOD) culture by enabling users to access corporate resources from personal devices without compromising corporate security, increasing infrastructure costs or complexity, or increasing administrative overhead. Solution To address the changes in the enterprise landscape, Microsoft IT enabled Unified Device Management (UDM). By adding a Windows Intune subscription and deploying the Intune connector to their Microsoft System Center 2012 Configuration Manager Service Pack 1 (SP1) environment, Microsoft IT brings all devices, company-owned and user-owned, into the scope of centralized management while providing users a flexible work environment across multiple device platforms. Benefits • Reduced costs by unifying IT management infrastructure. • Simplified administration for managing all PCs and mobile devices. Products and Technology • Increased user productivity while maintaining compliance and reducing risk.
  • 2. 2 | Microsoft Solves BYOD Using Microsoft System Center Configuration Manager and Windows Intune • System Center 2012 Configuration Manager SP1 • Windows Intune • Active Directory • Microsoft Online Directory Services
  • 3. 3 | Microsoft Solves BYOD Using Microsoft System Center Configuration Manager and Windows Intune Situation Microsoft IT, like many other enterprises, faces an explosion of heterogeneous devices and the growing challenges created by the bring your own device (BYOD) culture. Long gone are the days of managing a single user using a single corporate-owned device to access corporate resources. To keep pace with the need to allow users to work when, where, and with which device best suits them, Microsoft IT needed to find a new approach for managing the modern workplace. A solution that would: Deliver simplified, comprehensive management across device platforms, on-premises and in the cloud, using a single console for administration, deployment, and reporting. Integrate into the existing network design without additional investments in hardware or increase in complexity. Provide a consistent user experience across device platforms. Enable access to line of business (LOB) applications from the user’s device of choice without compromising corporate security. Microsoft IT uses Microsoft System Center 2012 Configuration Manager to manage devices connected to its corporate network but was looking for a solution to also manage devices and applications in the cloud. Solution Microsoft IT enabled Unified Device Management (UDM) by leveraging Windows Intune and System Center 2012 Configuration Manager SP1. This solution retains the scalability and administrative functionality of Configuration Manager while extending its reach via Windows Intune to cloud-based device management. With UDM, Microsoft IT uses a single Configuration Manager–based administrative console to centrally manage both on-premises and cloud-connected computers, devices, and applications. 
With UDM, Microsoft IT is able to: Extend Configuration Manager infrastructure with Windows Intune to support cloud management of mobile devices, enabling publication of corporate apps and services across multiple device types. Provide consistent access to corporate resources for a variety of devices, regardless of location. Offer and deploy LOB modern applications dynamically based on device type. Apply policies across various devices and platforms to meet Microsoft compliance and security requirements. Remove corporate data and applications if a device is lost, stolen, or retired from use. As part of the solution, Microsoft IT implementeda self-service app store, the Company Portal,which gives Microsoft users the ability to install internal LOB apps on all their devices, virtually anytime or anywhere. Deployment The Microsoft IT UDM service offering focuses on four key areas: device enrollment, application provisioning, policy, and inventory of hardware and software. Before the deployment and configuration of UDM could begin, Microsoft IT needed to determine the type of devices they would support. Based on an analysis of device volume and native LOB apps, the initial scope of the UDM project was set to support Microsoft Surface RT, Windows Phone 8, and Apple iOSdevices. While UDM supports Android devices, Microsoft IT did not include them in the initial scope due to lack of internal LOB apps developed for Android platform. Understanding the scope of devices enabled Microsoft IT
  • 4. 4 | Microsoft Solves BYOD Using Microsoft System Center Configuration Manager and Windows Intune to coordinate with the appropriate Microsoft teams to configure the Intune Connector, define security policies, and publish apps to the new Company Portal. Architecture UDM consists of a series of components working in concert: Configuration Manager provides the central administration console for administering both onpremises and cloud-based devices. Windows Intune Subscription establishes the connection between Configuration Manager and Intune. It specifies the configuration settings for the Windows Intune service, such as which users can enroll their devices and which mobile device platforms to manage. Windows Intune Connector, a Configuration Manager site role, acts as a gateway between Windows Intune and on-premises Configuration Manager, sending settings and software deployment information to WindowsIntune and retrieving status and inventory messages from mobile devices. Figure 1.Microsoft IT Unified Device Management infrastructure. The following sections describe the various activities involved in Microsoft IT'sUDM deployment. Deployment Process Microsoft IT took a five-step approach to deploying UDM into their existing Configuration Manager environment. Build CM SP1 environment Provision users Provision Intune services Set up DNS redirection Acquire device specific certificates Step 1: Build Configuration Manager SP1 environment Microsoft IT added a Configuration Manager SP1 primary site in the corporate domain hierarchy specifically for mobile device management. Server hardware consisted of: A primary site server using a virtual machine with 12 GB of RAM and four core processors. A Microsoft SQL Server server with 64 GB of RAM and six core processors. Creating a separate site for mobile device management is not a UDM requirement—UDM is capable of scaling to large volumes of devices. For Microsoft IT, the decision to create a separate mobile
  • 5. 5 | Microsoft Solves BYOD Using Microsoft System Center Configuration Manager and Windows Intune device management site instead of incorporating UDM into an existing Configuration Manager site used for managing PCs and laptops was based around the anticipated volume of mobile devices. With approximately 180,000 users between full time employees (FTEs) and vendors, Microsoft IT needed to ensure that the UDM environment could handle a very large number of enrolled mobile devices. Most small and medium size organizations will not require a separate site and can incorporate Unified Device Management into their existing site hierarchy. Step 2: Provision users Microsoft IT performed user discovery for the entire Microsoft corporate Active Directory forest using the existing production Configuration Manager environment. This process took a few hours due to the large user base in Microsoft IT and ensured that all users were added to a user collection before enabling UDM. Your organization must determine the extent of your BYOD environment to see if performing a full user discovery is necessary or if you want to manually add the users allowed to enroll their mobile devices to Configuration Manager. Step 3: Provision Windows Intune services Microsoft IT worked with the Microsoft Online Directory Services (MSODS) team to provision Intune services for Microsoft IT organizational user (tenant) account and set up the UDM services Admin (the account used for authentication when creating the Intune Subscription in Configuration Manager). They also worked with the Active Directory team to configure Directory Sync (DirSync) and Active Directory Federation Services (ADFS) 2.0.DirSync ensured that all users were synchronized into the cloud, and ADFS allowed for users to use a single sign-on (SSO) to access all cloud services. 
Microsoft had an existing tenant account as they already use Microsoft Office 365 and other cloud services and already had DirSync and ADFS in place to synchronize data into the cloud. If your company does not, you will need to: Sign up for a Windows Intune organizational (tenant) account. Deploy and configure DirSync to synchronize on-premises Activity Directory users with the MSODS, creating the user ID used for cloud-based applications. Deploy ADFS to allow a single identity for each user across both on-premises and cloud-based applications. Step 4: Set up DNS redirection Most companies will benefit from creating a DNS alias (CNAME record type) to redirect enterpriseenrollment.<yourcompany>.com to allow for server auto discovery. This means users will not need to know the actual server name when they enroll their device. Step 5: Acquire device-specific certificates Each device platform has different requirements for loading applications. Microsoft IT worked with the Microsoft App team to acquire the certificates required for the supported mobile devices. At Microsoft, Configuration Manager Admins do not maintain certificates. The Product Release & Security Services (PRSS) team is the central authority for the signing process used to sign all Windows Phone 8 and Windows apps applicable to Windows RT devices at Microsoft. For signing Windows RT and Windows 8 modern apps,Microsoft IT uses one of the child certificates of the Microsoft Root CA. They configure the Microsoft root certificate in the WindowsIntune subscription page, enabling Windows RT devices to trust those signed apps.
Depending on the size of your organization, your model for managing and deploying certificates may be different. For more information on the certificates and keys required for each mobile device platform, and where your company needs to obtain them, see Obtain Certificates or Keys to Meet Prerequisites per Platform under the Prerequisites section of How to Manage Mobile Devices by Using Configuration Manager and Windows Intune.

UDM Configuration

Enabling UDM requires creating a Windows Intune subscription and defining a Windows Intune Connector role in Configuration Manager. To set up and configure UDM, Microsoft IT:
1. Created a new Intune subscription. In the Subscription Wizard, they selected Allow the Configuration Manager console to manage this subscription. This made Configuration Manager the authoritative source for managing all mobile devices, providing a single administration console for on-premises systems, cloud-connected devices, and application life cycle management.
2. Defined a user collection. Microsoft IT created a custom user collection for all Microsoft employees based on the users discovered by running user discovery for the entire Microsoft corporate Active Directory forest. Membership in this collection is what licenses users for enrollment in UDM.
3. Configured platforms, certificates, and keys. The three platforms identified as in scope for UDM were enabled: Windows Phone 8, Windows RT, and iOS. For each platform, the required certificates were applied. For Windows Phone 8, they also deployed the Company Portal app so that users could start using the Company Portal and installing applications almost immediately after enrolling their device.
4. Assigned the connector role. Microsoft IT added the Windows Intune Connector site system role to the Central Administration Site (CAS) server.
The Intune Connector role communicates directly with Windows Intune and provides the communication gateway between Configuration Manager and Intune for all incoming and outgoing traffic.

Cloud User Sync Monitoring

After UDM is configured, Cloud User Sync, a component of Configuration Manager, handles communication between Configuration Manager and Windows Intune. It monitors the user collection for additions, synchronizes the changes with Windows Intune to license users, and enables them to enroll their devices. Microsoft IT makes the following recommendations.
• Use delta user discovery and incremental collection updates. By enabling delta discovery in your Active Directory User Discovery settings and selecting incremental updates in the collection settings, updates are synchronized on a more frequent schedule. This ensures that licensing of new users and removal of licenses for disabled users happen quickly.
• Use the default Cloud User Sync setting. Cloud User Sync synchronizes changes: new users added to the collection are licensed and enabled for enrollment; users removed from the collection have their Windows Intune license revoked. By default, synchronization occurs every five (5) minutes and places minimal load on your Configuration Manager hierarchy and network.
• Monitor the following Intune Connector log files:
o Dmpdownloader.log, to monitor policy changes downloaded from Windows Intune to Configuration Manager.
o Dmpuploader.log, to monitor policy changes uploaded from Configuration Manager to Windows Intune.
o Cloudusersync.log, to monitor user licensing in Windows Intune.
• Use the CloudUserID field in the User_Disc table in Configuration Manager to identify whether users are licensed.
o NULL indicates that the user is not licensed to enroll devices.
o An all-zero GUID indicates that the user was previously licensed but is no longer a member of the user licensing collection.
o A non-zero GUID indicates that the user is licensed to enroll devices.
Note: There is no need to license users separately for each device. When a user is licensed, they are licensed for up to 20 devices.

Device Enrollment

Along with configuring the UDM architecture, Microsoft IT had to plan the user experience as part of their deployment. They wanted to ensure that enrolling devices:
• Provided a good user experience, where users could enroll their devices, gain access to the Company Portal, and install LOB applications with minimal user intervention.
• Enabled users to become productive quickly with the LOB apps by providing a seamless single sign-on experience.
ADFS enables Microsoft users to use the same credentials (their corporate user ID, email account, and network password) regardless of device. When a user enrolls a device, Microsoft IT collects general information about the device, such as the manufacturer and any LOB apps installed from the Company Portal (not from the Microsoft Store). Enrollment installs the Company Portal application on the device, which lets users install applications by showing them only the applications that are targeted to their user account.

Company Portal

Microsoft has provided its users with the ability to install business applications in the past. The Company Portal is the next generation: a Windows 8.x modern application that lets users install internal business applications by showing them only the applications they have permission to install based on their role, language, and location.
This included an iOS Self-Service Portal (the iOS "Company Portal") for users who needed to install enterprise iOS applications on their iPad and iPhone devices. Microsoft IT tried to create an end-user experience that was as similar as possible across all supported device platforms, but each platform had some minor differences when deploying the Company Portal.
• Windows Phone 8. The Company Portal is installed as part of the enrollment process. Installing the Company Portal during enrollment requires the user to select the Install company app or hub check box. This check box is selected by default. If the user clears this check box, they need to unenroll the device and then re-enroll if the Company Portal is needed in the future.
• Windows RT. The Company Portal is installed as a required app after enrollment is completed. Microsoft IT deployed the Company Portal to all users as Required.
• Apple iOS. Users must install the Company Portal app from the iOS Self-Service Portal, then enroll their iOS devices.

Modern Application Publishing

Two types of apps are published via the Company Portal:
• Sideloaded apps: modern LOB applications developed and published to the Company Portal, where the content is hosted and provided by the Configuration Manager and Windows Intune hierarchy.
• Deep link apps: links to an application in the Microsoft Store (or the Apple App Store for iOS apps), stored in Configuration Manager, that users access via the Company Portal. Microsoft IT
used these for apps that are likely to update often (such as Skype or Microsoft OneNote). It enabled them to reduce administrative overhead by redirecting users to the Microsoft Store for the latest version instead of having to manage and publish updates to the Company Portal.
While modern apps are not as resource-intensive to provision and deploy, there is still a cost associated with developing and maintaining them. Microsoft IT applied the following business rules when determining which applications would be published through the Company Portal. They started by determining the target number of users for the app. The threshold was set at 1,000 users. While they did publish a few applications with a user population of 500 users, if an application was used by less than 1 percent of the company (fewer than 1,000 users), the application would not be made available through the Company Portal, and the LOB app would have to be published via Microsoft SharePoint or some other LOB-created site.
As discussed earlier, each platform has different requirements for signing and publishing apps, but there are some common areas that helped streamline the process for Microsoft IT. Before their users started to enroll their devices, Microsoft IT:
• Worked with the app provisioning team to sign both the Company Portal app and the apps created by internal Microsoft developers before publishing them.
• Signed all Windows RT apps with a child certificate of the Microsoft Root CA. Because all child certificates of the Microsoft Root CA are trusted, published Windows RT apps are automatically trusted by Windows RT devices.
• Worked with the PRSS team to formulate a process for signing apps for Windows Phone 8.
• Categorized all apps per Microsoft IT App team standards to reduce the need for users to scroll through hundreds of apps.
Users can use Search, but categories made locating apps easier, especially on mobile phones.
• Targeted most applications to the built-in All Users and User Groups collection as Available. This made the apps available in the Company Portal as soon as the user enrolled a device.
• Used custom collections based on Active Directory security groups to limit the targeted users for a few applications with specific access requirements, restricting which users could install them.

Troubleshooting Enrollment

Microsoft IT experienced enrollment failures caused by a non-standard User Principal Name (UPN) for some users. The enrollment process is based on a user's UPN. For some Microsoft users, the UPN deviated from the standard naming convention and was different from their user alias. Microsoft IT created a DNS redirection to resolve this issue.
Because there are no client logs for enrollment troubleshooting, Microsoft IT needed to take a systematic approach. For troubleshooting general device enrollment issues, Microsoft IT recommends that you verify the following:
o The admin has configured mobile device management.
o The admin has enabled enrollment for the specific device types.
o The admin has provisioned the user for mobile device enrollment.
o The user is not trying to enroll several devices at the same time and does not have more than 20 mobile devices enrolled in the system.
o For Windows Phone 8 devices, the code-signing certificate is configured properly.
o For iOS devices, the Apple Push Notification Service certificate is configured and has not expired, and the device is running iOS 5.0 or later.
For troubleshooting Company Portal related issues, a good place to start is:
o For Windows RT devices, use the portal log C:\Users\<useraccount>\AppData\Local\Packages\Microsoft.CompanyPortal\LocalState\SSPLOG_<number>.log.
o For Windows Phone 8 devices, a log can be retrieved from the portal itself and sent via email.

Enrollment Lessons Learned

Microsoft IT learned from a few issues that occurred during the enrollment process.
• Microsoft IT discovered that both enrollment and re-enrollment of a Windows RT device consume a sideloading key. During unenrollment, the sideloading key and the assigned device ID are removed. Re-enrollment is treated as a new device, and a new device ID with a sideloading key is provisioned.
• User-initiated unenrollment did not remove the Company Portal; it only disconnected the Windows RT device from Windows Intune. This is because the Company Portal provides other functions, such as the ability to manage other devices. Microsoft IT needed to educate both their users and IT admins that this was by design.
• User education requirements were another area of learning for Microsoft IT.
o Users were concerned about what type of information Microsoft IT could see and collect about their personal devices. Microsoft IT needed to reassure users that the only information collected is general information about the device itself (such as the manufacturer) and any LOB apps installed from the Company Portal, and that no personal information, such as phone number, personal apps, or apps installed from the Microsoft Store, is collected.
o There were delays in refreshing Windows RT policies because the Windows RT maintenance window is set to every 24 hours. Microsoft IT needed to educate users that some changes were affected by the default maintenance window. Microsoft IT used user communications and the company support website, ITWeb, to inform users of expected delays.
o Differences in the enrollment process across mobile device platforms. For example, the Windows Phone 8 enrollment user experience and user interface differ from Windows RT, and iOS device enrollment presents additional screens for adding management profiles on the device that are not seen on Windows Phone 8 or Windows RT devices. These differences were generating support requests. To address this, Microsoft IT documented the enrollment process for each device and made it available through the company support website, ITWeb.

Policy and Security Configuration

Making sure that corporate security was maintained while providing a good end-user experience required Microsoft IT to coordinate with:
• The Microsoft Security team, to define the policies that would enforce Microsoft corporate compliance settings, such as password policy and encryption settings, on mobile devices.
• The Exchange team, to align policy settings between Exchange ActiveSync (EAS) and UDM.
Microsoft IT used the default compliance rules built into Configuration Manager for mobile devices. They created new Configuration Items (CIs) for mobile devices (a different CI for each device type, to make troubleshooting easier), added built-in compliance rules with values (see Table 1) based on Microsoft IT security requirements, then created a Configuration Baseline for those CIs and targeted the Configuration Baseline to the collection of mobile devices.

Table 1. Microsoft IT compliance settings for mobile devices.
Corporate Policy                  Windows Phone 8   Windows RT        iOS
Device Encryption                 TRUE              Not Supported     Not Supported
Password Required                 TRUE              Not Supported     TRUE
Allow Simple Password             Not set           Not Supported     TRUE
Min Password Length               4                 5 (local only)    4
Max inactive time to lock         15 minutes        15 minutes        15 minutes
Max failed attempts before wipe   5                 Not set           5
Password Expiration               Not set           70 days (local)   Not set
Password History                  Not set           Not set           0
Min Complex Characters            1                 1 (local only)    0
Removable Storage                 TRUE              Not Supported     Not Supported
Allow Convenience Logon           Not Supported     TRUE              Not Supported
Allow Browser                     Not Supported     Not Supported     TRUE
Allow Camera                      Not Supported     Not Supported     TRUE

Microsoft IT's goal is to develop a common set of policies that scale across devices while providing a good end-user experience. The one policy that created the most issues was the minimum password length: Windows Phone 8 required four (4) characters while Windows RT required six (6). Microsoft IT is working with the Security and Exchange teams to find common ground between their requirements that provides good corporate security without impacting the end-user experience.
Microsoft IT makes the following recommendations for configuring your mobile device policies.
• Align your policies, such as password/PIN policies, across EAS and UDM to ensure the best end-user experience. Note: Although the most restrictive policy will apply, differing user experiences have the potential to increase support calls. If a policy is not applicable to a particular device platform, the report will show which platforms do not support the policy.
• Common policies will simplify administration. For example, if you set the same password requirements across all mobile device platforms, you will not need multiple CIs and different device collections to support different password policies.
• Create custom device collections when policies cannot be aligned across platforms. Use the Agent Edition attribute in the Configuration Manager console, which shows enrolled devices by device type, to create custom device collections, and then target policy baselines to each collection.
• In both your Configuration Items and your Configuration Baselines, enable Remediate noncompliant settings to enforce compliance settings on the device. If Remediate noncompliant settings is not enabled on both the Configuration Items and the Configuration Baselines, your reports will only reflect the current compliance state of enrolled devices and will not enforce the compliance rules/settings on those devices.

Device Retirement
Organizations need a means to enforce security if a user leaves the company or loses their device. Microsoft IT used the Configuration Manager SP1 wipe and retire options to enforce device security when retiring enrolled devices. Microsoft IT used role-based access control (RBAC) in Configuration Manager to limit which administrators could wipe or retire a device, by restricting their view in the console.
Note: If you have finished conducting a UDM pilot in your test hierarchy and want to move to a production hierarchy, it is important to retire all devices from the Configuration Manager console so that device enrollment is cleaned up and the devices are ready for enrollment into your production hierarchy.

Reporting

Configuration Manager includes many ready-to-use, built-in reports for UDM, including reports for apps, hardware inventory, and settings management. There is no need to create custom reports or separate reports for PC and mobile device management; the same report can be used for both environments. Microsoft IT used built-in Configuration Manager reports to report on their UDM environment. Two built-in reports that gave Microsoft IT insight into application install status and policy compliance status for UDM were:
• Security policy compliance report: Home > ConfigMgr_<sitecode> > Compliance and Settings Management > Summary compliance by configuration baseline
• Application compliance report: Home > ConfigMgr_<sitecode> > Software Distribution - Application Monitoring > Application compliance
Microsoft IT also used the Configuration Manager console monitoring views to easily view and drill down to the asset level on the status of app deployment and security policy compliance.
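The built-in reports cover app and baseline compliance, but neither the reports nor the console show the Windows Intune licensing state of each discovered user directly; the paper says to read it from the CloudUserID field of User_Disc and to watch Cloudusersync.log (see Cloud User Sync Monitoring). The PowerShell below is an added example and not code from the Microsoft IT paper: it classifies every discovered user using the CloudUserID semantics given earlier (NULL, all-zero GUID, other GUID) and parses the Configuration Manager log line format to surface warnings and errors from cloudusersync.log. Assumed and not taken from the paper: the SQL instance SQL01 and site database CM_P01, the User_Disc columns Unique_User_Name0 and User_Principal_Name0, the default log path, and the availability of Invoke-Sqlcmd (SqlServer or SQLPS module). The sample log lines are constructed to show the format and are not real output.

```powershell
# Added example, not from the Microsoft IT paper: report Windows Intune licensing
# state per discovered user from the site database (CloudUserID semantics from the
# Cloud User Sync Monitoring section) and pull warnings/errors out of
# cloudusersync.log on the server hosting the Windows Intune Connector role.
#
# Assumptions (not stated in the paper): Invoke-Sqlcmd is available, the site
# database is CM_P01 on SQL01, User_Disc has the columns Unique_User_Name0 and
# User_Principal_Name0, and the log lives in the default ConfigMgr Logs folder.

$SiteServerSql = 'SQL01'
$SiteDatabase  = 'CM_P01'
$ConnectorLog  = 'C:\Program Files\Microsoft Configuration Manager\Logs\cloudusersync.log'

function Get-CloudLicenseState {
    # Classifies one CloudUserID value. SQL NULL arrives as [System.DBNull].
    param($CloudUserId)
    if ($null -eq $CloudUserId -or $CloudUserId -is [System.DBNull]) { return 'NotLicensed' }
    $guid = [guid]::Empty
    if (-not [guid]::TryParse([string]$CloudUserId, [ref]$guid)) { return 'Invalid' }
    if ($guid -eq [guid]::Empty) { return 'Revoked' }   # was licensed, no longer in the licensing collection
    return 'Licensed'
}

function Get-UdmLicensingReport {
    param([string]$ServerInstance = $SiteServerSql, [string]$Database = $SiteDatabase)
    $query = @'
SELECT Unique_User_Name0 AS UserName, User_Principal_Name0 AS Upn, CloudUserID
FROM   User_Disc
'@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $query |
        ForEach-Object {
            [pscustomobject]@{
                UserName = $_.UserName
                Upn      = $_.Upn
                State    = Get-CloudLicenseState $_.CloudUserID
            }
        }
}

function Get-CmLogEntry {
    # Parses the Configuration Manager log entry format:
    #   <![LOG[message]LOG]!><time="hh:mm:ss.fff+offset" date="MM-dd-yyyy" component="..." ... type="N" ...>
    # type 1 = informational, 2 = warning, 3 = error. Lines are joined first
    # because a single entry's message may span several physical lines.
    param([Parameter(Mandatory)][string[]]$Lines, [int]$MinType = 2)
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"[^>]*?\btype="(?<type>\d)"'
    $text = $Lines -join "`n"
    foreach ($m in [regex]::Matches($text, $pattern, 'Singleline')) {
        $type = [int]$m.Groups['type'].Value
        if ($type -lt $MinType) { continue }
        [pscustomobject]@{
            Date     = $m.Groups['date'].Value
            Time     = $m.Groups['time'].Value
            Severity = @{ 1 = 'Info'; 2 = 'Warning'; 3 = 'Error' }[$type]
            Message  = $m.Groups['msg'].Value
        }
    }
}

# Constructed sample entries in the ConfigMgr log format (not real log output),
# so the parser can be exercised without a site server. MinType 2 keeps warnings and errors.
$SampleLog = @(
    '<![LOG[Syncing user collection membership]LOG]!><time="10:05:01.123+420" date="11-04-2013" component="CloudUserSync" context="" type="1" thread="1234" file="cloudusersync.cpp:100">',
    '<![LOG[Failed to license user CONTOSO\jdoe]LOG]!><time="10:05:02.456+420" date="11-04-2013" component="CloudUserSync" context="" type="3" thread="1234" file="cloudusersync.cpp:200">'
)
Get-CmLogEntry -Lines $SampleLog | Format-Table -AutoSize

# Usage against a real hierarchy: licensing summary first, then the connector log.
Get-UdmLicensingReport | Group-Object State | Select-Object Name, Count
Get-CmLogEntry -Lines (Get-Content -Path $ConnectorLog) | Format-Table -AutoSize
```

Run the licensing report a sync cycle after a collection change: Cloud User Sync runs every five minutes by default, so a user still NotLicensed well after being added to the collection, or Revoked while still a member, points at the connector rather than at discovery, and cloudusersync.log is where that failure is recorded. Use Get-Content -Wait on the log to follow a sync cycle live.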
While custom reports were not needed because of the built-in reporting capabilities of Configuration Manager, Microsoft IT did create a custom UDM dashboard for Microsoft executive management using Microsoft SQL Server 2012 Reporting Services. It gave executive management visibility into enrollment count trends using graphs, with a look and feel similar to other Microsoft IT dashboards.

Results
By creating a solution that streamlined administration and deployment of devices and applications, Microsoft IT was able to increase the scope of their centrally managed devices by 10 percent without adding resources or administrative overhead. They expect this number to continue to increase at a rapid pace, with the potential of centrally managing more than 125,000 mobile devices. The following table summarizes the Microsoft IT UDM deployment.

                      Windows Phone 8   Windows RT   iOS
Devices enrolled      10,998            1,732        248
LOB apps published    74                124          0
Deep linked apps      36                2            16

Benefits

The Microsoft IT UDM solution provides the following benefits:
• Low-cost, scalable solution. Windows Intune integrates into the existing Configuration Manager environment without the need to add new infrastructure, hardware, or network complexity to the Microsoft IT environment. It provides enterprise-level scalability, extending the reach of Configuration Manager to support management of Windows RT, Windows Phone 8, and iOS devices.
• Simplified administration. The Configuration Manager console unifies device management, providing Microsoft IT administrators with a single console for administration, application management, and reporting across multiple device types.
• Empowered users. Provides a consistent end-user experience across device platforms. Microsoft users can enroll their personal devices, install internal business applications, and manage their mobile devices through the Company Portal, allowing them to be more productive from almost anywhere on almost any device.
• Maintained compliance. Applies policies across multiple device platforms to meet Microsoft compliance and security requirements while providing a good end-user experience for Microsoft users.
Security risks for lost, stolen, or retired devices are reduced by removing corporate data and applications from the device, either by Microsoft IT administrators through Configuration Manager or by Microsoft users through the Company Portal.

Best Practices

When implementing UDM, Microsoft IT recommends the following best practices:
• Plan your deployment. Proper planning before deployment will increase deployment efficiency.
o Review your Configuration Manager hierarchy to determine how you will integrate UDM. Remember, UDM does not require a separate site in your Configuration Manager hierarchy.
o Understand which platforms your organization will support. This will help you determine which types of certificates are required for app deployment.
o Acquire and deploy certificates and sideloading keys before enabling user enrollment.
o Coordinate with other teams to streamline the app certification process.
o Identify and license specific users by using user discovery in Configuration Manager, and then add the users to a custom collection that will synchronize these user accounts with Windows Intune.
o Enable ADFS to allow users to use the same user name and password to access corporate resources.
o Work with your security team and your Exchange team to align password and other policies across device platforms to ensure a good user experience without compromising corporate security.
• Promote collaboration among all teams involved. A number of different teams in your organization may need to be involved, including Security, Compliance, application developers, services, and infrastructure providers. It is important to ensure that all stakeholders can provide input at an early stage and can work together to allow for a smooth deployment.
• Develop a detailed communication and readiness plan. A well-developed support plan and documentation for user and helpdesk readiness can reduce support costs.
o Train helpdesk technicians before deployment. Have training and support content ready on modern device support, especially any differences in user experience across device platforms.
o Educate users. Provide users with documentation on the enrollment steps for each supported device platform to reduce support calls. Set expectations for any delays between enrollment and when Company Portal apps are available for installation. Ensure users understand what is being inventoried on their device to reduce their concerns. Create FAQs for common questions and document any known issues.
• Plan your enrollment process. To ensure a good user experience and to reduce support costs, consider how you will deploy the Company Portal and LOB apps.
o Use categories to organize applications on the Company Portal to make them easier to find.
o Use security groups to limit which apps users can see based on their role in the company.
o Determine which apps to publish on the Company Portal based on business needs.
o Determine how long apps will be maintained on the Company Portal before retiring them.
o Evaluate which apps might change frequently and consider using a deep link instead of deploying the full app.
o Use the Windows Phone emulator in the Windows Phone SDK to test the Windows Phone enrollment experience.

Resources

• How to Manage Mobile Devices by Using Configuration Manager and Windows Intune
• System Center 2012 Configuration Manager Documentation Library
• System Center 2012 Technical Documentation Library
• Empower People-Centric IT
• Directory Synchronization Roadmap
• Microsoft SQL Server 2012 Reporting Services Features and Tasks (SSRS)
• How Microsoft IT Deployed System Center 2012 Configuration Manager

Related videos
• Microsoft System Center 2012 SP1 - Configuration Manager Overview

For More Information
For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Order Centre at (800) 933-4750. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information via the World Wide Web, go to:
http://www.microsoft.com
http://www.microsoft.com/microsoft-IT

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Office 365, OneNote, SharePoint, Skype, SQL Server, Surface, Windows, and Windows Intune are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.