Windows Phone 8.1 MDM protocol documentation

One of the best pieces of documentation that I have used when developing content for Windows Intune for Windows Phone 8.1 is the MDM protocol guide.


Windows Phone 8.1 provides an enterprise management solution to help IT administrators manage company security policies and business applications while avoiding compromise of the users’ privacy on their personal phones. A built-in management component in Windows Phone 8.1 can communicate with the device management server. There are two parts to the Windows Phone management component, the enrollment client, which enrolls and configures the phone to communicate with the enterprise management server and the phone management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by an IT administrator. Third-party MDM servers can manage Windows Phone 8.1 by using the Enterprise Device Management protocol. The built-in Windows Phone 8.1 management client is able to communicate with a third-party server proxy that supports the protocols outlined in this downloadable document to perform enterprise management tasks.

Windows Phone 8.1 MDM protocol documentation : http://msdn.microsoft.com/en-us/library/dn499787.aspx 

Direct link to document : Windows Phone 8.1 MDM protocol documentation

Let's take this example:

You want to understand how to block or allow an application to run on Windows Phone 8.1. Currently in Windows Intune this cannot be achieved via the GUI from Configuration Manager.

The Windows Phone 8.1 MDM Protocol document will enable you to understand the structure of the OMA URI string that needs to be created as a setting in Configuration Manager.

You can then find the relevant setting and craft a string / setting to be deployed into Configuration Manager that is then targeted at your Windows Phone 8.1 users.

You also get examples of the XML that you may require to set that policy.

There are a whole number of configurations and capabilities that you can look to set.

This document is extremely powerful and can really help you deliver some great customisations/controls for your Windows Phone 8.1 platform using OMA URI in Configuration Manager with Windows Intune.
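To make the block/allow example above concrete, here is an added sketch (not from the original post or from Microsoft's guide) that builds and lints the application allow/deny policy XML before it is pasted into a Configuration Manager OMA-URI setting. The OMA-URI path, the `AppPolicy` namespace and the element names are assumptions recalled from Microsoft's PolicyManager documentation and should be checked against the MDM protocol guide; the product GUIDs used with it are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Assumptions (not stated on this page): setting path and XML namespace as
# published in Microsoft's PolicyManager documentation. Verify before use.
OMA_URI = "./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions"
NS = "http://schemas.microsoft.com/phone/2013/policy"
GUID = re.compile(r"^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")

def build_app_policy(allow=(), deny=()):
    """Return (oma_uri, xml_string) for lists of braced product GUIDs."""
    allow = [a.lower() for a in allow]
    deny = [d.lower() for d in deny]
    for pid in allow + deny:
        if not GUID.match(pid):
            raise ValueError(f"not a braced product GUID: {pid!r}")
    both = set(allow) & set(deny)
    if both:  # a contradictory policy is an authoring error, fail early
        raise ValueError(f"listed as both allowed and denied: {sorted(both)}")
    if not allow and not deny:
        raise ValueError("policy lists no applications")
    ET.register_namespace("", NS)  # serialise with a default namespace
    root = ET.Element(f"{{{NS}}}AppPolicy", {"Version": "1"})
    for tag, ids in (("Allow", allow), ("Deny", deny)):
        if ids:
            section = ET.SubElement(root, f"{{{NS}}}{tag}")
            for pid in sorted(set(ids)):
                ET.SubElement(section, f"{{{NS}}}App", {"ProductId": pid})
    return OMA_URI, ET.tostring(root, encoding="unicode")

def lint_app_policy(xml_text):
    """Return a list of problems found in a hand-written policy string."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != f"{{{NS}}}AppPolicy":
        problems.append(f"unexpected root element {root.tag}")
    seen = {}  # product id -> section it first appeared in
    for section in root:
        kind = section.tag.rsplit("}", 1)[-1]
        for app in section.iter(f"{{{NS}}}App"):
            pid = app.get("ProductId", "")
            if not GUID.match(pid):
                problems.append(f"{kind}: bad ProductId {pid!r}")
            elif seen.setdefault(pid.lower(), kind) != kind:
                problems.append(f"{pid} appears under both Allow and Deny")
    return problems
```

Running `lint_app_policy` over a hand-edited string before deployment catches a malformed GUID or an app listed in both sections before the setting is targeted at users.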

Reference :

Windows Phone 8 MDM protocol documentation PDF : Windows Phone 8 Enterprise Device Management Protocol 

Windows Phone 8.1 MDM protocol documentation : http://msdn.microsoft.com/en-us/library/dn499787.aspx 

Windows Phone 8.1 MDM protocol documentation PDF : Windows Phone 8.1 MDM protocol documentation

Black or Whitelist applications on Windows Phone 8.1 with Windows Intune : http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2014/06/04/black-or-whitelist-applications-on-windows-phone-8-1-with-windows-intune.aspx

Windows Intune and EMS at TechEd North America 2014

Back in May there was a small show called TechEd. TechEd featured some amazing new announcements as well as some insightful looks at our core technologies.

TechEd North America provides technical education, product evaluation, and community resources to plan, architect, deploy, manage and secure a connected enterprise. The brightest and most skilled technology professions meet to increase their technical expertise through deep hands-on technical learning, sharing of best practices and interaction with Microsoft and a variety of industry experts and their peers.

Our team of fun-loving devs, program managers and product managers attended to give some great insight into Windows Intune and what’s coming next. See all the sessions where Windows Intune gets a mention below:

TechEd Keynote

Join us for the TechEd 2014 opening Keynote with Microsoft’s Brad Anderson, Corporate Vice President, Windows Server and System Center Program Management.

Enabling Enterprise Mobility with Windows Intune, Microsoft Azure, and Windows Server

Presenter : Andrew Conway : Senior Director Product Marketing

People want to choose their own devices and be productive in a way that best suits them. IT is responsible for managing corporate assets and resources. Once users are working on mobile devices across the various platforms of Windows, iOS, and Android (i.e., BYOD not joined to a domain) IT needs a way to manage all personal and corporate devices, enforce corporate data protection and have a way to securely publish access to these resources with strong authentication, such as conditional claims-based access and multi-factor authentication. Microsoft provides a unified management environment for all these platforms, a rich desktop virtualization experience for Windows, Mac OS, iOS, Android, information protection, and a hybrid identity for users across existing on-premises investments and connected to new cloud services in Microsoft Azure Active Directory. We call this approach People-centric IT (PCIT). In this session, we cover the scenarios we deliver in PCIT through Microsoft System Center Configuration Manager, Windows Intune, Windows Server, and Azure Active Directory, and showcase with demos how they come together in real-world implementations so customers can have productive users working on the device and platform of their choice.

What’s New in Enterprise Management with Microsoft System Center Configuration Manager and Windows Intune

Presenters : Craig Morris and Dave Randall : Senior Program Managers Enterprise Client

Come hear about the latest in enterprise mobility management using Windows Intune and System Center 2012 R2 Configuration Manager. See the newest Windows Intune enhancements for managing Windows Phone, iOS and Android systems in action and learn about the newest features in Configuration Manager. We’ll demonstrate how Configuration Manager and Windows Intune work together to offer a single, seamless cross platform device management solution.

Infrastructure Deployment for Mobile Device Management with Microsoft System Center Configuration Manager and Windows Intune

Presenter : Jim Dempsey

This session dives into what you’ll do at the server level to drive Configuration Manager and Windows Intune integration for mobile device management. The session includes subscription, connectors, certificates, Active Directory Federation Services (AD FS), DirSync, among other server configurations that enable Mobile Device Management.

Enrollment and Management of Mobile Devices with Microsoft System Center Configuration Manager and Windows Intune

Presenters : Joey Glocke and Chris Green

System Center Configuration Manager and Windows Intune provide a unified approach for device management on-premise and through the cloud. Come and learn how this can help organizations address the complex issues raised by Bring Your Own Device scenarios. Go deep into settings management scenarios, security considerations, deployment options, and how these will enable single pane of glass management of Windows, Mac OS X, Windows RT, Windows Phone 8, iOS, and Android devices.

Application Management with Microsoft System Center Configuration Manager and Windows Intune

Presenters : Craig Morris and Heidi Cheng : Senior Program Managers

Configuration Manager gives users access to business applications on a wide array of platforms. In this session we provide a deep technical overview of the application model and demonstrate how an IT Admin configures applications for a variety of devices. This session includes Windows 8 app delivery to Windows 8 and 8.1, Microsoft Application Virtualization (App-V), Mac, Linux, Windows RT, Windows Phone 8, iOS, and Android inclusive of new functionality enabled by R2 and Windows Intune.

Protecting Your Corporate Data with Microsoft System Center Configuration Manager and Windows Intune

Presenters : Dilip Radhakrishan : Lead Program Manager and Assem Kohil : Senior Program Manager

This session takes you through the capabilities provided by System Center 2012 R2 Configuration Manager and Windows Intune to help protect your corporate data. From mobile device compliance settings, wrapping applications with specific policies, to our data center certifications and privacy controls, find out how Configuration Manager and Windows Intune can help provide the governance and control that your high priority business information requires.

Deploying and Managing Enterprise Apps on Windows and Windows Phone

Presenters : Michael Niehaus and Matthijs Hoekstra

Learn how companies can publish their line-of-business apps for deployment to Windows and Windows Phone, and then manage the lifecycles of those apps. The two platforms haven’t yet converged on a single mechanism for doing this, and this session helps you navigate the differences. This session provides overviews of each platform as well as what’s new for 8.1, including policy allowing only certain apps to run on Windows Phone, the ability to remotely install and uninstall apps from a Windows Phone, changes to sideloading and sideloaded apps in Windows 8.1, and more.  Also, see how MDM vendors such as Windows Intune choose to abstract many of the differences and service both platforms in a unified way.

How Microsoft IT Solves BYOD Using Microsoft System Center 2012 R2 Configuration Manager and Windows Intune

Presenters : Karthik Jayavel and Marc Hurley

Join this session to learn how Microsoft IT is successfully running Unified Device Management by leveraging Windows Intune and System Center 2012 R2 Configuration Manager to embrace BYOD scenarios across 15K heterogeneous devices. This session provides a deep technical overview of how Microsoft IT automates LOB application publishing, manages Company Portal deployments, and enforces device security settings for Windows 8.1 PCs, Windows RT, Windows Phone 8, and iOS. This session also covers how Microsoft IT has configured certificate services to deploy VPN, Wi-Fi, and Remote connection profiles on devices to enhance user productivity

I hope this collection of the North America TechEd 2014 Windows Intune sessions is useful.

References :

Windows Intune TechEd 2014 Sessions : http://channel9.msdn.com/events/TechEd/NorthAmerica/2014?sort=sequential&direction=desc&term=intune#fbid=

TechEd Keynote : http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/KEY01#fbid=

Enabling Enterprise Mobility with Windows Intune, Microsoft Azure, and Windows Server : http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/FDN02#fbid=

What’s New in Enterprise Management with Microsoft System Center Configuration Manager and Windows Intune : http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/PCIT-B311#fbid=

Infrastructure Deployment for Mobile Device Management with Microsoft System Center Configuration Manager and Windows Intune : http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/PCIT-B216#fbid=

Enrollment and Management of Mobile Devices with Microsoft System Center Configuration Manager and Windows Intune : http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/PCIT-B317#fbid=

Application Management with Microsoft System Center Configuration Manager and Windows Intune : http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/PCIT-B323#fbid=

Protecting Your Corporate Data with Microsoft System Center Configuration Manager and Windows Intune : http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/PCIT-B325#fbid=

Deploying and Managing Enterprise Apps on Windows and Windows Phone : http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/WIN-B217#fbid=

How Microsoft IT Solves BYOD Using Microsoft System Center 2012 R2 Configuration Manager and Windows Intune : http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/PCIT-B333#fbid=

 

Windows Intune for IT Professionals Jump Start

Customers are always looking for some good training material to help them with readiness for on-boarding onto Windows Intune. The Microsoft Virtual Academy is a great starting point for customers big and small that want to understand and develop to a Mobile Device Management solution.

Instructors

This course features Technical Evangelist David Tesar and IT Security and Infrastructure Architect Richard Harrison delivering an engaging, demo-rich, live learning experience.

Modules

There are 12 modules and the course takes you from the beginner steps of setting up the environment to end user enrolment.

All the courses and details can be found at http://www.microsoftvirtualacademy.com/training-courses/windows-intune-for-it-professionals-jump-start 

Reference :

Windows Intune for IT Professionals Jump Start : http://www.microsoftvirtualacademy.com/training-courses/windows-intune-for-it-professionals-jump-start

How to delegate administrative rights to a partner

Scenario:

You are a Microsoft partner and want to support and assist your customers with deploying Windows Intune in their organisation to help them grow as a business. With this deployment you also want to be able to administer the management portal for Windows Intune and help create policy and deploy applications.

How to:

Once you establish your Microsoft partner account, and have this configured for your Office365/Intune tenant, it will give you the ability to create offers to sell packages of Office365/Intune to your customers.

It also gives you the ability to offer delegated administration rights to their environment. This blog will walk you through the process of making an offer for delegated access.

Microsoft Partner Section

The Microsoft partner that wants to manage the service has to log in with their partner account: https://account.manage.microsoft.com/admin/default.aspx

Now select Partner at the top of the screen.

Select Offer delegated administration; this gives you the option to administer other organisations' Intune environments.

A new dialogue will appear with either custom text that you can copy into a mail or an option to open it directly in a mail client, which you would then forward to the prospective customer whose environment you wish to administer.

“{PartnerName} has offered to provide delegated administration for your online services.

Authorize access to administer your online services here:

https://account.manage.microsoft.com/partner/partnersignup.aspx?type=Administration&id=

Additional partner information:”

Customer Section

The customer will receive this invite and, once they click on the link, they will be asked to log in using their tenant administrative credentials.

When they sign in this will authorise the delegated access.

The customer will then see the following and delegated rights have been distributed.

 

Microsoft Partner Section

Now that your partner account has delegated access to administer your customers' tenants, do the following to help them.

Click Partner, then click Lookup user or domain under Find and Assist.

You can then search using the username or the domain for the company that you support and then click Next.

You are then presented with the option to administer on behalf of or create a service request. To administer the Intune environment, select “administer on behalf of”.

When you click on administer on behalf of, this will take you to the account portal for the delegated customer.

From here the admin can open up the admin console and the option will be presented based on the access for the tenants.

As we can see, the delegated admin has access to both their own Intune environment and that of the customer. You can then have a single high-level view of your customers' health for the cloud-only version of Intune.

Now you can select the customer's domain and assist.

References :
Configure Your Windows Intune Environment : http://technet.microsoft.com/en-us/library/hh441722.aspx
December 2012 Getting Started Guide : http://download.microsoft.com/download/6/8/D/68D655DE-F42E-4D89-9705-A84917867F6E/Windows%20Intune%20Getting%20Started%20Guide%20PDF_June%2012%202012.pdf

How to sign up for Windows Intune if you already have an Office365 tenant

If you have an Office365 account already and have yet to establish a Windows Intune tenant to manage the devices in your organisation, this is a really easy setup.

Go to https://account.manage.microsoft.com/Signup/MainSignUp.aspx?OfferId=A77BE827-FC8B-4EF2-A0F5-7CD6C813AA65&ali=1 and click on the Sign In button.

Sign in with your Office365 details and complete the setup of Windows Intune.

Reference :
Set up Windows Intune : http://technet.microsoft.com/en-us/library/dn646983.aspx

Getting Started with the Windows Management Portals

There are two Administrator management portals that you can use to access the various features of your Windows Intune service: the Account Portal and the Admin Portal.

Account Portal: https://account.manage.microsoft.com

Windows Intune Account Console

The Account Portal is a common configuration interface that administrators can use to manage users, groups, and domains for all Microsoft Online services, including Windows Intune and Office 365. With this online portal, you can check the status of your subscriptions, add new subscriptions, and activate new user accounts. It is also where you can set up and configure the link to your on-premise Active Directory Domain Service (ADDS) instance. In addition, end users can use the portal to change their passwords.

Admin Portal: https://admin.manage.microsoft.com

Windows Intune Administration Console System Overview Screen

In the above, you can see the three main information panels for Windows Intune. On the left is the Navigation panel, which contains links to Windows Intune workspaces. (Note that each feature in Windows Intune has a workspace.) In the middle of the screen is the main information panel that provides the detailed view for the workspace, which in this example is the Systems Overview workspace. Finally, on the right is the Tasks panel, which generates a context sensitive list of available tasks for the selected workspace.

If you are in the process of setting up your Windows Intune solution, you may not have much information to display. However, you can start to familiarize yourself with the workspaces and tasks available in each area until you start enrolling computers.

References :
Windows Intune Getting Started Guide : http://technet.microsoft.com/en-us/library/hh441719.aspx