
Managing BYOD with Intune and System Center


Published on Oct 18, 2013

In Bring Your Own Device - BYOD, we looked at how Bring Your Own Device (BYOD) is quickly becoming a growing trend in business and how it can actually benefit a company. But while many employees are happy to bring their own device and use it for work, it has also become a headache for some IT departments. As soon as users begin working on their own devices, which are not managed or supported by IT, it becomes hard to retain control of sensitive organizational information and to respond to incidents where the device is lost or stolen.

In this article we take a look at two options that make managing BYOD much simpler.

Some solutions are available through Windows System Center 2012 SP1 and Windows Intune. Windows Configuration Manager also helps manage BYOD devices on-site through the existing infrastructure, and these devices can even be serviced through the Cloud. Together these tools provide enterprise management for mobile devices running Windows RT, Windows Phone, Android, and Apple operating systems.

System Center 2012 R2 is Microsoft’s solution for building and operating Cloud services, providing inclusive Cloud and data center management across hosting service providers, on-site environments, and Windows Azure. System Center 2012 R2 enables scaled management of the main Windows Server 2012 R2 capabilities. It also extends software-defined networking with management support for multitenant VPN gateways that seamlessly extend data centers.

System Center 2012 R2 Configuration Manager can configure applications to initiate a VPN connection when the application is opened. Configuration Manager provides a unified console that gives administrators awareness of where data is stored across the various devices, maintaining flexibility within a controlled environment. The VPN is triggered when a BYOD user opens an application that requires access to the organization’s resources. Traditional VPNs are initiated by users and provide an on-demand connection to organization resources; without the automatic VPN connection, the user cannot originate the VPN connection to the organization’s intranet and will not be able to get through the firewall.

An automatic VPN connection is a new feature that allows VPN connections to be opened automatically under limited conditions. In Configuration Manager and Windows Intune, users can run the dashboard application, configured to open a VPN connection. The device’s platform detects that the company app needs a VPN connection and automatically opens one to the organization’s network. These actions run in the background, so the user does not see them and will not realize a VPN connection was initiated.

In order to perform the automatic VPN, a VPN profile must be created and deployed on the device. The organization’s IT administrator performs this setup. When the user installs the organization’s applications, Configuration Manager connects them to the VPN profile automatically. Support varies by operating system: this option is only supported on Windows 8.1 devices that are not domain joined.
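To make the app-triggered VPN concrete, here is an added example (not code from the article or from Microsoft) that configures the same kind of profile on a single Windows 8.1 client with the built-in VpnClient cmdlets, which is what a VPN profile deployed from Configuration Manager or Intune ends up configuring on the device. The server name, DNS suffix, DNS server address, application path and package family name are placeholders, not values from the article.

```powershell
# Added example: app-triggered VPN profile on one Windows 8.1 client.
# Placeholders (assumptions): vpn.example.com, corp.example.com, 10.0.0.10,
# the line-of-business app path and the Store app package family name.

$ConnectionName = "Contoso Corp VPN"   # placeholder profile name

# 1. Base profile. IKEv2 with EAP keeps passwords out of the profile itself;
#    split tunneling stays off so all traffic from the device goes through the
#    tunnel while a company app has it open.
Add-VpnConnection -Name $ConnectionName `
    -ServerAddress "vpn.example.com" `
    -TunnelType Ikev2 `
    -AuthenticationMethod Eap `
    -EncryptionLevel Required `
    -RememberCredential `
    -SplitTunneling:$false `
    -Force

# 2. Application triggers: launching either app brings the tunnel up in the
#    background, which is the behaviour the article describes. Desktop apps
#    are identified by full path, Store apps by package family name.
Add-VpnConnectionTriggerApplication -ConnectionName $ConnectionName `
    -ApplicationID "C:\Program Files\Contoso\ExpenseReports.exe" `
    -Force

Add-VpnConnectionTriggerApplication -ConnectionName $ConnectionName `
    -ApplicationID "Contoso.Expenses_placeholderpfn" `
    -Force

# 3. Name-based trigger: only lookups under the internal suffix are sent to
#    the internal DNS server over the tunnel, so unrelated personal traffic on
#    the device is not what brings the VPN up.
Add-VpnConnectionTriggerDnsConfiguration -ConnectionName $ConnectionName `
    -DnsSuffix "corp.example.com" `
    -DnsIPAddress "10.0.0.10" `
    -Force

# 4. Trusted-network detection: when the device already sees the internal
#    DNS suffix (on-site Wi-Fi), the triggers are suppressed.
Add-VpnConnectionTriggerTrustedNetwork -ConnectionName $ConnectionName `
    -DnsSuffix "corp.example.com" `
    -Force

# 5. Drop the tunnel after five idle minutes so a forgotten app does not keep
#    a path into the intranet open indefinitely.
Set-VpnConnection -Name $ConnectionName -IdleDisconnectSeconds 300 -Force

# Verify what will trigger the connection.
Get-VpnConnectionTrigger -ConnectionName $ConnectionName
```

Run this in an elevated PowerShell session on the client. The trusted-network trigger in step 4 is the check worth keeping in any deployed profile: without it the tunnel is also raised when the device is already on the internal network, which wastes gateway capacity and makes VPN logs harder to read.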

If a user has lost the device or reported it stolen, a full wipe is available to reset the mobile device to its original factory settings. All data that was saved or loaded on the device will be erased, including apps the end user installed from the public store. Users must be responsible for backing up their own personal data on their devices; after all, it is their device.

The full wipe can be performed remotely from the Configuration Manager console: navigate to the Devices node in the Assets and Compliance workspace, where there is an option to retire or wipe the device. This option is ideal for lost or stolen devices; a “selective wipe” is also available.

The selective wipe option is for administrators who wish to remove only organization data from a device through Configuration Manager, for example when an employee has left the organization. A full wipe also deletes personal information stored on the device, which is intrusive to the employee. An option to “wipe company content” is available in Configuration Manager to perform this action. The specifics of selective wipe vary with the operating system the mobile device is running.

Android-based devices seem the most difficult to manage through remote wipe. Certificates, settings, and device administrator privileges can be revoked; however, apps and data stay installed and the Wi-Fi profile is not removed. This can cause problems if company apps are not password protected. Proper security must be implemented to protect company apps and data used and stored on BYOD devices.

Users can also perform a remote wipe of their own devices if they are not able to do so through the IT administrator. In the company portal they can view a list of the devices they have tied to the company and see how to contact the administrator for support. Users can click on a device and initiate their own selective wipe, or choose to reset the phone to factory settings through a full wipe.

BYOD users can access their organization’s resources from wherever they are; they are not limited to using the device only within the office building. Windows Web Application Proxy and Work Folders enable internal resources to be published, with the option to require Multi-Factor Authentication at the edge. After a BYOD user registers their device and enrolls for management they are given access to the Company Portal app. From there the user installs a line-of-business app and launches it; the app then contacts the Web Application Proxy to reach the backend web service it needs.

When the user accesses the web service, the Web Application Proxy directs authentication to AD FS, which is configured to challenge the user’s device for the certificate it acquired through Workplace Join. Once AD FS verifies that the user is authorized to access the organization’s resources from that specific device, the user is granted access. AD FS can also challenge the user for extra authentication factors when they are connecting from the Internet.
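The publishing and authentication flow in the two paragraphs above, as an added example (not code from the article or from Microsoft) using the Windows Server 2012 R2 AD FS and Web Application Proxy cmdlets. It assumes the Device Registration Service behind Workplace Join is already enabled on the AD FS farm; the application name, URLs and certificate thumbprint are placeholders.

```powershell
# Added example: publish an internal line-of-business web app through
# Web Application Proxy with AD FS pre-authentication, permit only
# Workplace-Joined devices, and require a second factor from the Internet.
# Placeholders (assumptions): "Contoso Expenses", the URLs, the thumbprint.

# ---------- On the AD FS server (Windows Server 2012 R2) ----------

# Make AD FS challenge for the Workplace Join device certificate.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# Extra factor only when the request does not originate inside the corporate
# network. The insidecorporatenetwork claim is set by AD FS / the proxy, not
# by the client, so it cannot simply be asserted by the device.
$extranetMfaRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $extranetMfaRule

# Register the app as a relying party and authorize only registered devices.
# Any request that lacks a valid device certificate gets no "permit" claim
# and is denied, which is the "from the specific device" check in the text.
$registeredDeviceOnly = @'
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Add-AdfsRelyingPartyTrust -Name "Contoso Expenses" `
    -Identifier "https://expenses.example.com/" `
    -WSFedEndpoint "https://expenses.example.com/" `
    -IssuanceAuthorizationRules $registeredDeviceOnly

# ---------- On the Web Application Proxy server ----------

# Publish the backend service. ExternalPreauthentication ADFS means the proxy
# sends the user to AD FS first and only forwards traffic that carries a token
# for the relying party created above.
Add-WebApplicationProxyApplication -Name "Contoso Expenses" `
    -ExternalPreauthentication ADFS `
    -ExternalUrl "https://expenses.example.com/" `
    -BackendServerUrl "https://expenses.corp.example.com/" `
    -ExternalCertificateThumbprint "0000000000000000000000000000000000000000" `
    -ADFSRelyingPartyName "Contoso Expenses"

# Confirm the published application and its pre-authentication mode.
Get-WebApplicationProxyApplication -Name "Contoso Expenses"
```

The order matters: the relying party trust must exist on AD FS before `Add-WebApplicationProxyApplication` references it by name. When reviewing such a setup, the two rules to read carefully are the issuance authorization rule (does anything other than a registered device get a permit claim?) and the additional authentication rule (is the extranet condition actually present, or is MFA being applied everywhere or nowhere?).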

Work Folders is another tool in Windows Server 2012 R2 that lets administrators give BYOD employees the ability to sync their work data to their devices while remaining compliant with the organization’s policies. User data is synced from their devices to on-site file servers. This alleviates some of the network administration headache of managing BYOD users.

Integrating Windows Intune and Configuration Manager reduces the cost and complexity of managing a network that includes BYOD users. User management and security features are available in a unified solution, with Configuration Manager managing applications and BYOD devices. To add Windows Intune for Cloud-based management, you place an Intune connector in your System Center 2012 Configuration Manager deployment and you are good to go. From a single admin console in Windows Intune and Configuration Manager, a system administrator can then manage the full range of settings across the various OS platforms, including VPNs, certificates, and network profiles, as well as the lifecycle of the applications delivered to users.

Productivity of BYOD users is ensured by delivering organization applications to their devices in an optimal and efficient way with Configuration Manager and Windows Intune. With Configuration Manager, the systems administrator configures an application once and deploys those settings to users or groups. The device type and network connection are evaluated, and the appropriate installation method is selected and sent out. Whether a user is working on a mobile phone, tablet, or other wireless handheld device, the application is delivered with the most seamless experience possible. These applications can include remote applications that use Microsoft virtualization, web links, public applications from the Windows Store or Google Play, or other Windows-based applications.

Security settings and policies can be deployed across mobile devices and operating systems to meet compliance requirements, to the level of detail that the capabilities exposed by those platforms allow; this extends management to Android, Apple, and Windows RT. System administrators can provision certificates and Wi-Fi and VPN profiles on mobile devices, gather a full inventory of applications, and push installs to organization-owned devices. Admins can also provide this functionality to BYOD devices.

Administrators must be able to provide single sign-on to all network users, whether they are traditional on-site users or BYOD users relying on Cloud-based solutions. Users can be given a common identity across Cloud-based and on-site services by leveraging the existing Windows Server Active Directory and connecting it to Windows Azure Active Directory. Active Directory Federation Services is used to join these two types of Windows Active Directory. Users are more productive when they have a single sign-on for their resources and can use their Windows Azure Active Directory accounts to access Office 365, Windows Azure, and third-party services and applications.

With Windows Intune and System Center, administrators can give BYOD users quick and easy access to their organization’s resources. These methods can increase the productivity of BYOD users and establish a user-friendly, secure environment. BYOD may come with risks, but they can be handled and mitigated through the combined use of Windows System Center Configuration Manager and Windows Intune.

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.
