Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Success with Enterprise Mobility: Integration into Broader Systems
Published Sep 08 2018 04:17 AM 624 Views
Iron Contributor
First published on CloudBlogs on Jun, 05 2014

The long-term success of any Enterprise Mobility strategy hinges on how well you can make your mobile devices integrate into your larger strategies for management, identity, access, and data protection throughout your entire IT infrastructure. Ideally, all this should be done together so that you’re not faced with multiple consoles/dashboards/platforms/headaches.

You may be thinking that this is all much easier said than done, but it’s really not that difficult – and this post will identify the challenges and solutions for removing that unnecessary barrier between a mobile strategy and a strategy for the rest of your infrastructure.

Managing and maintaining your Enterprise Mobility strategy is a mandatory part of the IT profession now, and there is no shortage of point-solution options for device management. What makes Microsoft’s solution unique is the power it gives IT Pros to offer unified-device management by offering three critical things:

  • Integration with System Center Configuration Manager
  • Integration with Active Directory & Azure Active Directory
  • Integration with Office

Integration with System Center Configuration Manager

End-users want a simple, rich and consistent experience across all their devices.  To deliver this we have created a way to enable the use of all devices within the IT infrastructure – whether that device is on your desk (PC’s, servers), at your house (tablets), or in your pocket (phones). These devices are not just easily integrated into your infrastructure, they also deliver a single user experience for IT, and a single user experience for the workforce using them.

Our goal is straightforward: We want to make it simple and easy for end-users to move across these transitions between home, work, and personal devices.

If IT Pros consider what they need to do in order to deliver a consistent experience across all these devices, the need for a unified backend solution that brings all these devices under a unified management experience (i.e. a single pane of glass) becomes obvious. This is exactly what SCCM + Intune delivers .

With more than 2 out of 3 enterprise PC’s around the world already managed by SCCM, it is the most commonly used tool for managing Windows desktops and laptops. Windows Intune extends SCCM management power to the cloud and provides a single pane of glass in the SCCM console for you to manage all the devices your users want to use.

The reason (and value) for the combination of SCCM and Intune is simple : If you don’t have a unified management solution you cannot deliver a unified experience to your end-users.

With just a few mouse clicks you can establish this Intune-SCCM connection and immediately start using the MDM/MAM capabilities you need to securely enable your users appear in the SCCM console – and all of this administration/reporting can be done in the familiar SCCM console.

It’s important to note that to build this connection you’ll first need to have SCCM 2012 R2 deployed. We recently completed some research into the SCCM install base, and more than two-thirds of the massive SCCM customer base has already upgraded to SCCM 2012 R2. The data also showed that nearly every company not on R2 was planning to upgrade this year.

Once this connection is made, the workflow is really exciting . For example, when you start to configure settings (e.g. power-on password, or the wireless settings on mobile devices) this can be done in the SCCM console and these settings are then saved and synchronized with the Intune service in the cloud.   Once these settings are in the cloud, Intune updates all the appropriate devices around the world with the updated policy.  At no point in the process do these users or devices need to be physically or virtually behind the firewall – they can all get updated policy anywhere in the world with a connection.  As your devices report their status back to Intune, Intune then passes that information to SCCM (the data is stored in SCCM, not in Intune). Intune gives you a global reach through the Microsoft cloud that is always available for your mobile devices.

In a Mobile-First, Cloud-First world this is the kind of solution you need . The expectations of your workforce mean that you need to have efficiency and responsiveness that can enable users anywhere and everywhere – and this is great news for long-time SCCM administrators .  Previously, we worked very hard to enable these “internet-facing” scenarios in SCCM 2007, but, after a herculean effort, trying to get SCCM servers to become accessible through a variety of corporate firewalls was (let’s face it) a challenge.  We learned from SCCM 2007 and have now created a cloud service with global presence and seamless integration with your rich SCCM environment. This is the absolute best way to create a unified PC and mobile device management environment.

Integration with Active Directory & Azure Active Directory

A key part of this management and integration is identity, and I believe that this is an area where our products really shine. It is critical to extend your organization’s directory services into the cloud in order to enable users to authenticate and access resources which are either cloud- or corporate-based.  To make this possible (and easy to use) we’re using several existing investments and connecting them to cloud-based services.

The result of our successful development of enterprise-grade hybrid identity is a workforce that is measurably more productive because they have a single sign-on to all corporate resources. This is possible because IT can provide users with a common identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory . With this in place, users can leverage their common identity through accounts in Azure Active Directory to Azure, Office 365 , and third-party applications .

From our perspective at Microsoft, we are working to address these challenges by providing users with a single sign-on experience when accessing all resources, regardless of location. This means that users do not have to remember multiple sets of credentials. For identity management, users and IT can leverage their common identity for access to external resources through federation. But this is the short answer – here’s a deeper look at how Microsoft has approached delivering on these solutions:

On the development side, devs can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Windows Azure for cloud-based applications.

This opportunity for cloud-based and cloud-scalable device management is where the Enterprise Mobility Suite becomes hyper valuable.

To make EMS optimally valuable to your IT operations, we’ve built it as a single solution that includes Intune, Active Directory, Azure Active Directory, and Azure Rights Management (RMS). This combination of solutions scales dramatically beyond MAM to provide data protection across the device, app, and data layers.

For organizations interested in adding EMS to their operation , it is simple to add the Windows Intune cloud-based management to SCCM (to be clear, SCCM is not a prerequisite for EMs). To learn more about how to do this, check out this overview .

This pivot to cloud-based management can be done with your existing SCCM server infrastructure via a logical connection to Intune. To do this, input your Intune admin credentials to setup the logical connector – and, once this is done, all your mobile devices that talk to Intune will show up in the SCCM console. To see something really impressive, check out Extensions for Windows Intune which allows Intune to send down new features to SCCM without requiring a huge upgrade process.

Integration with Office

When it comes to MAM, not all solutions are created equal – not even close . There are a lot of solutions that provide “containers” to help protect corporate data, and these containers are usually delivered in the form of unique, proprietary apps that govern e-mail, file access, web connectivity, etc. These containers also include a variety of SDKs or wrappers that allow other apps to populate and participate inside the container. The major downside of this approach is that all of this technology is proprietary and incompatible with other apps on your device.

The first app that every company wants to protect is e-mail. To do this, others in industry have created their own e-mail applications to protect mail content. I’m not exaggerating when I say that I have never spoken with an executive at an organization who is happy with the user experience of the e-mail app from other EMM vendors. Without fail, these execs ask, “Can you deliver us Outlook on these devices so I can have a better, richer, and more complete experience for my end-users?”

Microsoft believes there’s a better way – a very different way. We recognize that what end-users want is the same e-mail apps and productivity apps they’re already using.

To make this happen, Office is being instrumented to be natively manageable by Windows Intune – a component of the Enterprise Mobility Suite. Last month at TechEd North America , we announced that we will be releasing updates to the Office for iPad applications later this calendar year and that these updates will be instrumented to be manageable through Intune. This is huge . This means that you will be able to deliver the wonderful, familiar Office experience across all your devices and manage them through SCCM/Intune. This is a topic I’ll be writing about a lot in upcoming posts. I’m sincere when I say that this will deliver the absolute best experience for your end-users; nothing other EMM vendors deliver will compare to the beautiful Office experience being managed by Intune/SCCM.

* * *

Ultimately, the scale of what EMS offers is really exciting:

  • Active Directory provides identity and conditional access to services from IT as well as 3rd party SaaS apps.
  • Intune takes care of the device and app management requirements.
  • RMS protects data natively.
  • And all of these solutions seamlessly integrate and connect to the experiences you’ll need to support (and end-users expect) from Office .

This takes the guesswork out of constructing an infrastructure from a variety of questionably compatible raw materials, and it ensures the end-users get what they need simply and safely.

Version history
Last update:
‎Sep 08 2018 04:17 AM
Updated by: