Managing BYOD with Intune and System Center

, we looked at how Bring Your Own Device (BYOD) is quickly becoming a growing trend in business, and how it can actually benefit a company. But while many employees are happy to bring their own device and use it for work it, it has also become a headache for some IT departments. As soon as users begin working on their own devices that are not managed or supported by IT management it becomes hard to retain control of sensitive organizational information and to respond to incidents of the device being lost or stolen.

In this article we take a look at two options to make managing BYOD  much simpler. 

Some solutions are available through Windows System Center 2012 SP1 and Windows Intune. Windows Configuration Manager also helps manage BYOD devices on-site through the current infrastructure. These devices can even get service through the Cloud. These solutions can present enterprise management solutions for mobile devices that use Windows RT, Windows Phone, Android, and Apple operating systems.

System Center 2012 R2 is Microsoft’s solution to building and operating Cloud services to provide an inclusive Cloud and data center management across host service providers, on site environments, and Windows Azure. System Center 2012 R2 enables scaled management of the main Windows Server 2012 R2 capabilities. This tool will extend on software defined networking with management support for multitenant VPN gateways that provide seamless extension to data centers.

System Center 2012 R2 Configuration Manager allows the ability to configure applications to initiate a VPN connection when an application is opened. Configuration Manager provides a unified console that helps bring awareness of where data is stored on various devices to maintain flexibility with a controlled environment. This takes place when a BYOD user opens their application that requires access to an organization’s resources. Traditional VPNs are initiated by users and provide an on-demand connection to organization resources. Without the auto VPN connection, the user cannot originate the VPN admin connection to the organization’s intranet and they will not be able to get through the firewall.

An automatic VPN connection is a new feature that allows VPN connections to be opened automatically under limited conditions. In Configuration Manager and Windows Intune users can run and configure the dashboard application to open a VPN connection. The device’s platform will auto detect the company app needs a VPN connection and automatically opens a VPN connection to the organization’s network. The user doesn’t see these actions taking place and won’t realize a VPN connection was initiated as it runs in the background.

In order to perform the automatic VPN, a VPN profile must be created and deployed on the device. The organization’s IT administrator performs this setup. When the user installs the organization’s applications, Configuration Manager connects it to the VPN profile automatically. Going back to the statement that this varies per operating system, this option is only supported on Windows 8.1 devices that are non-domain joined.

If a user has lost the device or reported it stolen, a full wipe is available to reset the mobile device back to its original factory settings. All data that was saved or loaded on the device will be erased and uninstalled from the public store by the end user. Users must be responsible for backing up their own personal data on their devices, after all it is their device.

The full wipe can be performed remotely using the Configuration Manager console to route to the Devices node in Compliance workspace and Assets. There is an option to retire or wipe the device. This option is great for lost or stolen devices however a “selective wipe” is also available.

The selective wipe option works for administrators who wish to remove organization data only from a device through Configuration Manager. This would be used where an employee has left the organization. Conducting a full wipe also deletes personal information stored on the device which is intrusive to the employee. An option to “wipe company content” is available through Configuration Manager to perform this action. The specifics of selective wipe vary by which operating system the mobile device is running.

Android based devices seem the most difficult to manage through remote wipe. Certificates, settings, and device administrator privileges can be revoked however; apps and data stay installed and Wi-Fi is not removable. This can cause problems if company apps are not password protected. Proper security must be implemented in order to ensure the security of company apps and data used and stored on BYOD devices.

Users can also perform a remote wipe of their own devices if they are not able to do so through the IT administrator. This can be done through the company’s portal by viewing a list of the devices they have tied to the company and see how to contact the administrator for support. Users can click on their devices and initiate their own selective wipe on the device as well as choosing to reset their phone to factory settings through a full wipe.

BYOD users can use their device regardless of where they are at to access their organization’s resources, they are not limited to using the device only when they are located in their office building. Windows Web Application Proxy and Work folders enable the publication of access to internal resources and the option to require Multi-Factor Authentication at the edge. After a BYOD user registers their device and enrolls for management they are provided access to the Company Portal app. From there the user installs a line of business app and launches it which then contacts the Web Application Proxy to gain access to the backend web service needed.

Once the user accesses the web service the Web Application Proxy directs the authentication with AD FS which is configured to challenge the user’s device for the certificate they acquired through Workplace Join. Once the verification recognizes the user is authorized to access the organization’s resources from the specific device the user can gain access. AD FS can challenge the user for extra authentication factors when they are connecting from the Internet.

Work Folders is another tool on Windows Server 2012 R2 that allows administrators to provide BYOD employees the ability to sync their devices with their work information while remaining compliant with the organizations policies. User data is synched from their devices to on-site file servers. This helps alleviate some of the headache of network administration to manage BYOD users.

Management of the network with integrated BYOD users helps reduce costs to manage the infrastructure and reduces complexity by integrating Windows Intune and Configuration Manager. Managing users and security features are available in a unified solution with Configuration Manager to manage applications and BYOD devices. When you add Windows Intune for Cloud-based management you can position an Intune connector to your System Center 2012 Configuration Manager deployment and you are good to go. A system administrator can manage the comprehensive settings across the various OS platforms including VPNs, certificates, and network profiles from a single admin console through Windows Intune and Configuration manager as well as the lifecycle of the applications to the user.

Productivity of BYOD users is ensured through delivering organization applications for their devices in an optimal and efficient method with Configuration Manager and Windows Intune. With Configuration Manager, the systems administrator can configure an application one time and deploy these settings to users or groups. The device types and network connection are evaluated and the appropriate installation method is selected and sent out. Whether a user is working on a mobile phone, tablet, or other wireless handheld device, the application is delivered to each user with the most seamless experience possible. These applications can include remote applications that use Microsoft virtualization, web links, public applications from the Windows Store, Google Play, or other applications that are Windows based.

Security and policies can be deployed across various mobile devices and OS to match compliance requirements to the level of detail that the capabilities exposed on hose operating system platforms extend management for Android, Apple, and Windows RT. System administrators can provide certificates or Wi-Fi and VPN profiles on mobile devices and gather a full inventory of applications and push installs for organization owned devices. Admin can also provide this functionality to BYOD devices.

Administrators must be able to provide a single sign-on to all network users whether they are traditional on-site users or BYOD users using Cloud-based solutions. Users can be provided with a common identity across Cloud-based or on-site services leveraging current Windows Server Active Directory and then connecting to Windows Azure Active Directory. Active Directory Federation Services can be used to perform the combination of these two types of Windows Active Directory. Users are more productive if they have a single sign-on for their resources and can access their accounts in Windows Azure Active Directory to Office 365, Windows Azure, and third party services and applications.

With Windows Intune and System Center, administrators can provide quick and easy access for BYOD users to access their organization’s resources. These methods can increase productivity in BYOD users and establish a user friendly secure environment. BYOD may come with risks but they can be easily handled and mitigated through the combined use of Windows System Center Configuration Manager and Windows Intune.