Mobile Device Management
Design Considerations Guide
Published May, 2015
Version 1.1
Copyright
This guide is provided “as-is”. Information and views expressed in this guide, including URL and other Internet Web site references, may change without notice. Some examples
depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.
This guide does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this guide for your internal, reference
Microsoft, Active Directory, Microsoft Intune, Microsoft System Center 2012 R2 Configuration Manager, Mobile Device Management for Office 365, Office 365, Windows, and
Windows Server are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.
Task 3: Develop your SaaS mobile device management adoption strategy ... 67
Next steps and resources ... 71
Mobile device management solutions ... 71
Mobile device management documentation ... 71
Mobile device management resources ... 72
Mobile Device Management Design Considerations 1
Introduction
With all of the different design and configuration options for mobile device management
(MDM), it’s difficult to determine which combination will best meet the needs of your
organization. This design considerations guide will help you to understand mobile device
management design requirements and will detail a series of steps and tasks that you can follow
to design a solution that best fits the business and technology needs for your organization.
Throughout the steps and tasks, this guide will present the relevant technologies and feature
options available to organizations to meet functional and service quality (such as availability,
scalability, performance, manageability, and security) level requirements.
Specifically, the goals of this guide are to help you answer the following questions:
What questions do I need to answer to drive an MDM-specific design for a technology or
problem domain that best meets my requirements?
What is the sequence of activities I should complete to design an MDM solution for the
technology or problem domain?
What MDM technology and configuration options are available to help me meet my
requirements, and what are the trade-offs between those options so that I can select the
best option for my MDM requirements?
Who is this guide intended for? Information technology architects and professionals
responsible for designing a mobile device management solution for medium or large
organizations.
How can this guide help you? You can use this guide to understand how to design a mobile
device management solution that is able to manage company-owned devices as well as user-
owned devices in different form factors.
Figure 1 - Example of a hybrid Intune and System Center 2012 R2 Configuration Manager
MDM solution
Figure 1 is an example of a hybrid solution that leverages cloud services to integrate with
on-premises capabilities in order to manage all types of devices, regardless of their location.
Although this is a very common scenario, every organization’s MDM design might be different
than the example due to each organization’s unique management requirements.
This guide details a series of steps and tasks that you should follow to assist you in designing a
customized MDM solution that meets your organization’s unique requirements. Throughout the
following steps and tasks, this guide covers the relevant technologies and feature options
available to you to meet the functional and service quality level requirements for MDM.
Though this guide can help you design an MDM solution, it does not discuss specific
implementation or operations options for the management solutions. You can find detailed
deployment and configuration steps for Microsoft Intune, Mobile Device Management for Office
365, and Microsoft System Center in the TechNet Library using the links available in the Next
Steps section located at the end of this guide.
Assumptions: You have some experience with Intune, System Center 2012 R2 Configuration
Manager, Windows Server 2012 R2, and mobile devices running Android, iOS, and Windows
Phone. You may have even deployed one of these solutions in an initial MDM test or limited
production environment. In this guide, we assume you are looking for how these solutions can
best meet your business needs on their own or in an integrated solution.
support policies. In this step, we’ll examine the MDM enrollment, management, monitoring, and
reporting lifecycle requirements.
Task 1: Understanding the mobile device management lifecycle
Understanding the different areas of managing mobile devices is important when designing
your mobile device management solution. Figure 3 outlines the overall mobile device
management lifecycle stages. Each stage has unique requirements and questions for you to
consider when planning your solution. We’ll start with the enrollment stage in this section, and
the other stages will be covered in more detail throughout this guide.
Figure 3 – Mobile device management lifecycle stages
Device enrollment and provisioning
Mobile device management starts with the initial enrollment and provisioning of devices into
your mobile device management solution. Simplicity, ease of registration, and enrollment are
the key factors for success in the mobile device management lifecycle. If initial device enrollment
is difficult or overly confusing, both you and your users will be reluctant to leverage the features,
benefits, and protections that the mobile device management solution is intended to deliver.
Mobile device enrollment in mobile device management solutions is typically initiated in two
ways:
Administrator-managed enrollment
User/owner self-enrollment
Administrator-managed enrollment offers a centrally managed enrollment experience, and
typically is centered on enabling the bulk enrollment of multiple devices using a single directory
account. This is useful when enrolling many company-owned devices into the mobile device
management solution.
Self-enrollment offers the device user/owner the option of enrolling in the mobile device
management solution and is typically used in “bring your own device” (BYOD) scenarios,
although it can also be used in scenarios where the company owns the device. This type of
enrollment typically leverages features of a “push-based” enrollment model, where devices are
automatically triggered to enroll in the mobile device management solution upon attempting to
connect to the corporate network or network resource. Users can also elect to enroll their
devices before connecting to an organization’s network or resources.
Enrollment and the provisioning of mobile devices encompasses several different areas:
Deploying, accessing, and managing internal and external applications and services
Enforcing device security and access configurations
Protecting devices from security threats
In most cases, when a mobile device is enrolled in a mobile device management solution the
device is automatically assigned policies and permissions associated with the device user’s
directory account and/or the group the device itself is associated with in directory services.
Depending on the mobile device management solution, most of the configuration for provisioning
these policies and permissions is usually done before devices are actually enrolled. This allows
any configuration settings to take effect immediately when the devices are
enrolled and avoids the possibility of a gap between enrollment and provisioning.
Device enrollment and provisioning planning questions: As part of mobile device
management lifecycle planning, you’ll want to answer the following planning questions about
device enrollments and provisioning:
Will mobile devices be enrolled by you, by users, or both?
Do you need the ability to bulk enroll mobile devices?
What is the maximum number of devices you’ll need to bulk enroll?
Do the mobile operating system platforms in your organization require different bulk
enrollment requirements and resources?
How many devices will each user typically use and need to enroll?
Does the mobile device management solution have a per-user device enrollment limit?
What are the requirements (connectivity, application, management agent, company
portal) for users to self-enroll devices?
Is this different from the administrator-managed enrollment experience?
What are the enrollment requirements for each device operating system you need to
support?
Do the mobile device operating systems in your organization require special or unique
enrollment requirements?
Does the mobile device management solution support both connected and over-the-air
enrollments?
What are the hardware requirements (if any) for supporting device enrollments?
What are the network connectivity and network security requirements for supporting
device enrollments?
Do you need specific device compliance policies applied to devices upon initial
enrollment?
Do you need specific device security policies applied to devices upon initial enrollment?
Do you need the ability to configure or set a maximum or minimum time limit for
provisioning device policies after initial enrollment?
Do you require special provisioning policies to be automatically triggered in the event of
enrollment failures?
Device management
How mobile devices are managed, both from your perspective and the device user’s perspective,
is a key component of a mobile device management solution. Often, the method by which
mobile devices are managed is highly dependent on how non-mobile devices (servers,
desktops, other networked devices) are managed. Depending on the organization, non-mobile
device management solutions may have been in place long before mobile devices were
introduced to the organization. This may have been at considerable cost and may include long-
term investments in these management solutions. Thoroughly understanding how your
organization can integrate mobile device management solutions with existing non-mobile
device management solutions is likely one of the most important activities you’ll need to
complete when designing a mobile device management solution that meets the needs of your
organization.
Mobile device management typically involves activities in several administrative areas:
Device security and configuration: Configuring mobile device security allows you to
configure a wide range of settings that you can deploy to managed devices in your
organization. These settings can be used to control the overall functionality and security
of mobile devices. This may include setting and configuration of device passcode access,
device encryption, and erasing data from lost or stolen devices. More details about
security and configuration will be covered in the Plan for secure mobile devices section.
Application management: Configuring mobile device applications spans several
important areas, including managing application deployment, installation, updating and
managing status, and application removal. Additionally, managing restrictions on certain
non-compliant applications is central to an overall compliance and security strategy.
Company resource access: Managing access to on-premises network resources, such as
email servers, Wi-Fi networks, and VPN-enabled resources serve a dual purpose of
ensuring both security compliance and making it easier for mobile device users to access
company resources according to company policy. If accessing organization resources is
overly complex or difficult for mobile device users, non-approved company resources
may be used to bypass approved company resources for the storage of company data.
Inventory and reporting: Managing mobile devices requires recording and analyzing
mobile device and platform events to ensure compliance with management policies.
Detailed reporting also provides you with real-time statistics and data so that you can
make timely, actionable decisions based on the status of mobile devices and mobile
device users. More details about inventory and reporting will be covered in a later
section.
Device management planning questions: Understanding your organization’s requirements will
lead you to determine the core administration tasks that the mobile device management
solution must be able to support. For now, focus only on the key administration aspects, as you
are still defining the requirements, by ensuring that the following questions are answered. As
part of mobile device management lifecycle planning, you’ll want to answer the following
planning questions about device management:
Do you need specific management policies applied to groups of users, groups of devices,
and/or groups of device operating systems?
Do you need specific management policies for different types of devices? For example,
separate policies for user-owned or company-owned devices, or mobile devices and
non-mobile devices?
Do you need to separate device management rights and permissions among several IT
roles or positions? If so:
o What separation of permission levels is required?
o Do the permission levels supported by the solution need to be customizable?
o Do the permissions need to be integrated into your existing account directory
services?
Do you need the ability to both manually and automatically deploy the mobile device
management solution agents or software?
Do you want to integrate managing mobile devices with an existing non-mobile device
management solution? If so:
o Do you want to manage all devices from a unified management console or
portal?
o What are the integration requirements for your existing non-mobile device
management solution?
o How does your existing non-mobile device management solution support
required management roles and permissions?
o Are there hardware or networking requirements to connect management services
between the mobile device management and the non-mobile device
management solutions?
o Do both solutions have separate or integrated inventory and reporting systems?
Does the mobile device management solution have a company portal for users to install
their apps?
Does the mobile device management solution meet your company’s scalability
requirements?
Does the mobile device management solution support remote administration?
Does the mobile device management solution support automation?
Device retirement/unenrollment
When users leave your organization or mobile devices are retired or replaced, it’s important to
ensure that corporate data isn’t lost or compromised. Typically, mobile device management
solutions support both IT-managed and user-managed device resets and unenrollment. With
most mobile devices, the unenrollment starts with resetting the device to factory defaults or
performing a selective wipe of all corporate data and applications, followed by removing the
device enrollment connection to the management solution. Often this process differs between
mobile device manufacturers and device operating system platforms.
Device retirement/unenrollment planning questions: As part of mobile device management
lifecycle planning, you’ll want to answer the following planning questions about device
retirement and unenrollment:
Do you need the ability for both IT and users to unenroll mobile devices?
If a device is selectively wiped, will it be automatically unenrolled from the mobile device
management solution?
If mobile device users can unenroll their mobile devices, how will the removal of
corporate data and applications be verified?
o Is this different for devices that are selectively wiped and devices that are reset to
the factory default setting?
Note
Make sure to take notes of each answer and understand the rationale behind it.
Task 4 will go over the options available and the advantages/disadvantages of each option.
Having answered these questions, you will be able to select the option that best suits your
business needs.
Task 2: Gather monitoring requirements
Monitoring and capturing status and event information for mobile devices is vital to ensuring
that users and devices are maintaining compliance with your corporate policies and security
strategy. This is especially important for organizations that must comply with governmental
regulatory requirements and industry compliance guidelines. Reporting can also provide
valuable information about software, hardware, and software licenses in your organization to
assist with inventory management. It is also important to note that user privacy issues
impact monitoring and reporting, especially in cases where users are enrolling personally-owned
devices in your organization’s mobile device management solution. Your organization should
not be able to capture, monitor, report or share any personal activity or information.
In general, mobile device management solutions split this area into two general areas:
Logging: Capturing and storing mobile device and mobile device application status and
information.
Reporting: Displaying reports or notifications, ranging from standard and customizable
reports that can be created on demand to automatically generated summary and dashboard
status reports.
Monitoring planning questions: As part of mobile device management lifecycle planning,
you’ll want to answer the following planning questions about device monitoring:
What types of regular reports for mobile devices will you need?
o Device inventory?
o Device usage?
o Device access?
o Device applications?
Will reports need to be shared?
o Between IT roles?
o Outside of the IT organization?
o Accessed remotely (outside of the corporate network)?
What types of issues or problems with devices will you need to identify?
What types of events captured in monitoring will need to be acted upon? In what time
frame?
Will you need customized reports?
When a device is de-enrolled, should specific inventory and reporting events be
captured?
After a device is de-enrolled, should legacy inventory and reporting events be
archived/maintained?
Note
Make sure to take notes of each answer and understand the rationale behind it.
Task 4 will go over the options available and the advantages/disadvantages of each option.
Having answered these questions, you will be able to select the option that best suits your
business needs.
Task 3: Determine network resource requirements
Enabling secure, managed access to a wide variety of corporate resources by mobile devices is
one of the primary features of a mobile device management solution. While these resources
have typically been located in on-premises networks in the past, more and more they are also
starting to be hosted on cloud-based web services and external networks. How mobile devices
connect to corporate email platforms, virtual private networks (VPNs), and corporate wireless
(Wi-Fi) networks all play an important role in keeping corporate data and other resources
protected from unauthorized access. Equally important is making it convenient and easy for
mobile device users to securely access these resources, to avoid users finding a more
convenient, unprotected method of accessing resources.
Email management
Accessing corporate email, whether on a personally-owned mobile device or a company-owned
mobile device, is typically the primary data resource most users need access to on a corporate
network. It is also typically the connection that can trigger initial mobile device enrollment to the
mobile device management solution. Having the ability to manage email access for mobile
devices across both your existing non-mobile device management solution and the mobile
device management solution helps avoid device coverage gaps and increases the protection level
for data stored on email servers.
Most mobile device management solutions provide email access protection by using one or
both of the following features:
Email profiles: Email profiles provide administrators with the ability to create and deploy
profiles that can automatically configure mobile devices with the appropriate email server
information so that users can connect to their email mailbox. This helps ensure that users
connect to the correct email server and removes the need for users to remember
email server endpoint names or network addresses. Removing these email
profiles also provides administrators with the ability to remove email from devices as part
of device reset or selective wipe process. Email profile management can be included as a
feature in non-mobile device management solutions, or can often be configured as part
of the integration of a mobile device management solution.
Managed email access: Managed email access, sometimes referred to as conditional
email access, is different from email profiles in that it typically focuses on the security
and compliance area of the mobile device rather than which endpoint the mobile device
connects to for email access. With managed email access, a compliance policy that
outlines the device prerequisites needed before a mobile device can connect to an email
resource is defined and assigned to individual users or devices or groups of users and/or
devices. This compliance policy for managed access is typically first enforced upon initial
device enrollment, but should remain in place and active as long as the mobile device is
enrolled in the mobile device management system.
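The managed email access model above, as an added illustration that is not code from this guide, Intune, or Configuration Manager: a compliance policy lists device prerequisites, assignments target it at user groups or device platforms, and the access decision is re-run on every sync rather than only at enrollment. Policy names, group names and device values are constructed for the example.

```python
# Added illustration of managed (conditional) email access.  Constructed
# example; not code from Intune, ConfigMgr or Office 365 MDM.
from dataclasses import dataclass, field, replace
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class CompliancePolicy:
    """Device prerequisites a mobile device must meet before it may reach email."""
    name: str
    min_passcode_length: int = 6
    require_encryption: bool = True
    block_jailbroken: bool = True
    # platform -> lowest acceptable (major, minor) OS version
    min_os_version: Dict[str, Tuple[int, int]] = field(default_factory=dict)
    max_days_since_checkin: int = 7


@dataclass(frozen=True)
class DeviceState:
    """What the MDM service knows about one device at evaluation time."""
    device_id: str
    user: str
    platform: str                 # "ios", "android", "windowsphone"
    os_version: Tuple[int, int]
    enrolled: bool
    passcode_length: int          # 0 means no passcode is set
    encrypted: bool
    jailbroken: bool
    days_since_checkin: int


@dataclass(frozen=True)
class Assignment:
    """Targets a policy at user groups and/or device platforms."""
    policy: CompliancePolicy
    user_groups: FrozenSet[str] = frozenset()
    platforms: FrozenSet[str] = frozenset()


def evaluate(policy: CompliancePolicy, device: DeviceState) -> List[str]:
    """Return the unmet prerequisites; an empty list means the device is compliant."""
    failures: List[str] = []
    if not device.enrolled:
        failures.append("not enrolled")
    if device.passcode_length < policy.min_passcode_length:
        failures.append(f"passcode shorter than {policy.min_passcode_length}")
    if policy.require_encryption and not device.encrypted:
        failures.append("storage not encrypted")
    if policy.block_jailbroken and device.jailbroken:
        failures.append("jailbroken or rooted")
    floor = policy.min_os_version.get(device.platform)
    if floor is not None and device.os_version < floor:
        failures.append(f"{device.platform} older than {floor[0]}.{floor[1]}")
    if device.days_since_checkin > policy.max_days_since_checkin:
        failures.append("no check-in within the policy window")
    return failures


def applicable_policies(assignments: List[Assignment], device: DeviceState,
                        user_groups: Set[str]) -> List[CompliancePolicy]:
    """A policy applies when it targets one of the user's groups or the device platform."""
    return [a.policy for a in assignments
            if (a.user_groups & user_groups) or (device.platform in a.platforms)]


def email_access_decision(assignments: List[Assignment], device: DeviceState,
                          user_groups: Set[str]) -> Tuple[str, List[str]]:
    """Gate email on every applicable policy.  Run this at enrollment and again on
    each sync: a device that was compliant yesterday may have drifted.  A user
    or device that no assignment targets is allowed through, which is why a
    baseline policy should be assigned to every mobile user."""
    reasons = [f"{p.name}: {f}"
               for p in applicable_policies(assignments, device, user_groups)
               for f in evaluate(p, device)]
    return ("block" if reasons else "allow", reasons)


# Constructed sample policies, assignments, groups and device (illustrative values).
BASELINE = CompliancePolicy("baseline", min_os_version={"ios": (8, 0), "android": (4, 4)})
FINANCE = CompliancePolicy("finance", min_passcode_length=8, max_days_since_checkin=3)
ASSIGNMENTS = [
    Assignment(BASELINE, user_groups=frozenset({"all-mobile-users"})),
    Assignment(FINANCE, user_groups=frozenset({"finance"})),
]
ALICE_GROUPS = {"all-mobile-users"}
BOB_GROUPS = {"all-mobile-users", "finance"}
ALICE_PHONE = DeviceState("dev-001", "alice", "ios", (8, 3), True, 6, True, False, 1)


def demo() -> None:
    print(email_access_decision(ASSIGNMENTS, ALICE_PHONE, ALICE_GROUPS))
    # Same device state, but a finance user: the stricter policy also applies.
    bob_phone = replace(ALICE_PHONE, device_id="dev-002", user="bob")
    print(email_access_decision(ASSIGNMENTS, bob_phone, BOB_GROUPS))
    # Compliance drift after enrollment: passcode removed, device jailbroken.
    drifted = replace(ALICE_PHONE, passcode_length=0, jailbroken=True)
    print(email_access_decision(ASSIGNMENTS, drifted, ALICE_GROUPS))


if __name__ == "__main__":
    demo()
```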
Email management planning questions: As part of mobile device management lifecycle
planning, you’ll want to answer the following planning questions about email management:
How will mobile devices connect to your existing on-premises or cloud-hosted email
system?
If mobile devices are already connecting to your existing email system, what connection
type or protocol are the devices using to connect?
Will administrators or users (or a combination of both) be responsible for connecting
mobile devices to your email system? If users will be connecting mobile devices to the
email system, how will they:
o Choose the proper connection point to access their email mailbox?
o Choose the proper connection protocol or connection method?
Will mobile devices need to meet certain security and compliance standards before and
while remaining connected to your email system?
Do you need the ability to create custom email security and compliance connection
policies? If so, what are the specific requirements?
Will you need the ability to import or export email security and compliance connection
policies?
How do you need to manage connections to your email system?
o By device user?
o By device type?
o By device OS?
o By user group or role?
When a mobile device needs to be disconnected from your email system, how will email
data be deleted from the mobile device?
Will both administrators and users need the ability to delete email data or the
connection to the email system?
How will confirmation of email data deletion be verified or confirmed?
If you’re currently managing mobile device connections to email resources with an
existing protocol or management method, how does it integrate with the mobile device
management solution?
If you’re using both an on-premises and cloud-based email system, how do they
integrate with the mobile device management solution? Are email profiles or managed
access policies administered the same or differently from the IT perspective? Is the user
email connection experience the same or different depending on where their mailbox is
hosted?
Network connectivity management
When connecting to the corporate network and corporate resources, mobile devices typically
use one of the following access technologies:
Wi-Fi: Wireless access to corporate resources is typically provided as an on-premises
network extension service while devices are in close physical proximity to the on-
premises network. This usually involves allowing mobile devices to connect to network
resources as users roam from location-to-location in an on-premises office, such as
conference and meeting rooms, different offices, or other on-premises areas. It can also
include wireless access from remote locations over non-corporate managed wireless
network access points, such as the user’s home network or a public wireless access point.
To simplify connections to wireless networks, administrators can usually manage these
connections using wireless profiles that outline the specific settings mobile devices need
to configure in order to connect to the wireless network. This may include automatically
configuring a custom network name, network Service Set Identifier (SSID), security
settings, network proxy, and whether or not the device should automatically connect to
the wireless network when the device is in range.
Virtual Private Network (VPN): Secure remote access to corporate resources often
includes using a defined VPN connection type from the mobile device. This is often
vendor-specific and includes the installation of a VPN application on the mobile device.
Additionally, these VPN applications often use either digital certificates or separately
managed user account credentials to authenticate the VPN connection. To simplify
connections to VPNs, administrators can usually manage these connections using VPN
profiles or the VPN management tools included with the VPN solution. Depending on
integration support, managing VPN connections with the mobile device management
solution may or may not be an option with certain VPN platforms.
Note
You may have other web-based resources, such as SharePoint, that leverage secure
access via Secure Sockets Layer (SSL) or Transport Layer Security (TLS). Be sure you
understand how mobile devices will access these resources or resources with separate
VPN or secure access methods.
Network connectivity management planning questions: As part of mobile device
management lifecycle planning, you’ll want to answer the following planning questions about
network connectivity management:
How will internet be accessed via the mobile device?
o Is it via Wi-Fi? If it is, do the devices require access via a proxy? Proxy authentication?
How will mobile devices connect to your existing on-premises wireless or VPN platform?
If mobile devices are already connecting to your existing wireless or VPN platform, what
connection type or protocol are the devices using to connect?
Will changes to these connections be needed if the devices are enrolled in a mobile
device management solution?
Will administrators or users (or a combination of both) be responsible for connecting
mobile devices to your wireless or VPN platform? If users will be connecting mobile
devices to the wireless or VPN platform, how will they:
o Choose the proper connection point to access the corporate network?
o Choose the proper connection protocol or connection method?
o Choose the proper digital certificate for the connection method?
Do you want to automatically configure wireless and VPN connection properties and
settings on user’s mobile devices?
Do you need to provide different wireless network configuration or security settings to
different types of users, devices, device operating systems, or user groups and roles?
Will you need the ability to import or export wireless and/or VPN configuration or
security connection policies?
Which of the following wireless security protocols do you need to support?
o WPA-Personal
o WPA2-Personal
o WPA-Enterprise
o WPA2-Enterprise
o WEP
If you need to support WPA-Enterprise or WPA2-Enterprise, which of the following
Extensible Authentication Protocol (EAP) types do you need to support?
o EAP-TLS
o PEAP
o EAP-FAST
o LEAP
o EAP-SIM
Which type of non-EAP authentication connection do you need to support?
o Unencrypted passwords (PAP)
o Challenge Handshake Authentication Protocol (CHAP)
o Microsoft CHAP (MS-CHAP)
o Microsoft CHAP Version 2 (MS-CHAP v2)
What type of VPN platform do you have deployed in your on-premises network?
Is the VPN platform supported or able to be integrated with the mobile device
management solution?
If the VPN platform is already integrated or supported by an existing non-mobile device
management solution – does the mobile device management solution integrate with
both systems?
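The wireless profile settings and the security, EAP and non-EAP choices listed above, as an added illustration that is not from this guide and not a Microsoft profile format: a validator that rejects inconsistent profiles (for example a pre-shared-key profile carrying EAP settings) and flags the weaker options a reviewer should question before rollout. Profile names, SSIDs, the certificate profile name and the proxy address are constructed.

```python
# Added illustration: consistency and risk checks for wireless profiles that
# carry SSID, security protocol, EAP type, inner (non-EAP) authentication,
# certificate profile, proxy and auto-connect settings.  Constructed example;
# not Intune/ConfigMgr code and not a real profile schema.
from dataclasses import dataclass
from typing import List, Optional, Tuple

PERSONAL = {"WEP", "WPA-Personal", "WPA2-Personal"}
ENTERPRISE = {"WPA-Enterprise", "WPA2-Enterprise"}
EAP_TYPES = {"EAP-TLS", "PEAP", "EAP-FAST", "LEAP", "EAP-SIM"}
TUNNELLED = {"PEAP", "EAP-FAST"}              # carry a non-EAP inner method
INNER_AUTH = {"PAP", "CHAP", "MS-CHAP", "MS-CHAP v2"}


@dataclass(frozen=True)
class WifiProfile:
    name: str
    ssid: str
    security: str
    psk: Optional[str] = None                  # personal modes only
    eap_type: Optional[str] = None             # enterprise modes only
    inner_auth: Optional[str] = None           # PEAP / EAP-FAST inner method
    client_cert_profile: Optional[str] = None  # certificate profile for EAP-TLS
    proxy: Optional[str] = None                # "host:port"
    auto_connect: bool = True


def validate(p: WifiProfile) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings).  Errors make the profile undeployable;
    warnings flag choices a reviewer should question before rollout."""
    errors: List[str] = []
    warnings: List[str] = []
    if not p.ssid or len(p.ssid.encode()) > 32:
        errors.append("SSID must be 1..32 bytes")
    if p.security in PERSONAL:
        if not p.psk:
            errors.append(f"{p.security} requires a pre-shared key")
        if p.eap_type or p.inner_auth or p.client_cert_profile:
            errors.append("EAP settings are not valid for a personal (PSK) profile")
    elif p.security in ENTERPRISE:
        if p.eap_type not in EAP_TYPES:
            errors.append(f"{p.security} requires one of {sorted(EAP_TYPES)}")
        elif p.eap_type == "EAP-TLS":
            if not p.client_cert_profile:
                errors.append("EAP-TLS requires a client certificate profile")
            if p.inner_auth:
                errors.append("EAP-TLS does not use an inner authentication method")
        elif p.eap_type in TUNNELLED:
            if p.inner_auth not in INNER_AUTH:
                errors.append(f"{p.eap_type} requires an inner method from {sorted(INNER_AUTH)}")
        elif p.inner_auth:
            errors.append(f"{p.eap_type} does not use an inner authentication method")
        if p.psk:
            errors.append("a pre-shared key is not valid for an enterprise profile")
    else:
        errors.append(f"unknown security protocol {p.security!r}")
    if p.proxy is not None:
        host, sep, port = p.proxy.rpartition(":")
        if not (sep and host and port.isdigit() and 0 < int(port) < 65536):
            errors.append("proxy must be host:port")

    # Risk findings: these options appear in the lists above but are weak choices.
    if p.security == "WEP":
        warnings.append("WEP is broken; migrate the network to WPA2")
    elif p.security in {"WPA-Personal", "WPA-Enterprise"}:
        warnings.append("WPA is superseded; prefer WPA2")
    if p.eap_type == "LEAP":
        warnings.append("LEAP is known to be weak; prefer EAP-TLS or PEAP with MS-CHAP v2")
    if p.inner_auth == "PAP":
        warnings.append("PAP carries the password unencrypted; prefer MS-CHAP v2 or EAP-TLS")
    elif p.inner_auth in {"CHAP", "MS-CHAP"}:
        warnings.append(f"{p.inner_auth} is weak; prefer MS-CHAP v2 or EAP-TLS")
    return errors, warnings


def report(profiles: List[WifiProfile]) -> List[str]:
    """One line per profile: OK, WARN or FAIL, followed by the findings."""
    lines = []
    for p in profiles:
        errors, warnings = validate(p)
        status = "FAIL" if errors else ("WARN" if warnings else "OK")
        lines.append(f"{status} {p.name}: " + "; ".join(errors + warnings))
    return lines


# Constructed sample profiles (names, SSIDs, key and proxy are illustrative).
CORP = WifiProfile("corp", "CORP-WLAN", "WPA2-Enterprise", eap_type="EAP-TLS",
                   client_cert_profile="corp-device-cert", proxy="proxy.corp.example:8080")
GUEST = WifiProfile("guest", "CORP-GUEST", "WPA2-Personal", psk="constructed-psk",
                    auto_connect=False)
LEGACY = WifiProfile("legacy", "OLD-WLAN", "WPA-Enterprise", eap_type="PEAP", inner_auth="PAP")
BROKEN = WifiProfile("broken", "X", "WPA2-Personal", eap_type="PEAP")

if __name__ == "__main__":
    print("\n".join(report([CORP, GUEST, LEGACY, BROKEN])))
```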
Certificate management
Digital certificates, either self-signed or issued from third-party certification authorities (CAs),
may be used to authenticate mobile devices to network connections or specific network
resources. To simplify managing digital certificates, administrators can usually manage
certificates using certificate profiles. This allows a uniform, centralized method for managing
certificates, including how they are created, issued and renewed. This also helps users connect to
corporate resources without having to request and install certificates manually or by using a
non-approved security process. However, using certificates for this type of authentication often
requires additional on-premises infrastructure. This may include all or some of the
following network components, depending on the level of integration supported by the mobile
device management solution:
Directory services: Directory services, such as Microsoft Active Directory, are usually
required to securely connect and manage all other network components.
Certification Authority (CA) server: If you’re issuing self-signed certificates for your
organization, you’ll need a certification authority to create, issue, manage and renew
digital certificates.
Network Device Enrollment Service (NDES) server: This server allows software and
mobile devices to obtain certificates based on the Simple Certificate Enrollment Protocol
(SCEP).
Proxy server: Depending on your on-premises network configuration, you may require a
proxy server that allows mobile devices to receive certificates using an Internet
connection and without directly connecting to your internal corporate network.
Certificate management planning questions: As part of mobile device management lifecycle
planning, you’ll want to answer the following planning questions about certificate management:
Does your organization already require or use digital certificates to authenticate access
to network resources?
Do you have an existing enterprise public key infrastructure (PKI)?
Do you need to automatically issue digital certificates to mobile devices?
How are digital certificates created, issued, renewed, or revoked from mobile devices?
Are digital certificates centrally managed by an on-premises or third party Certification
Authority (CA)?
Do you need to have different certificates assigned for access to different network
services? Is this dependent on the type of mobile device accessing the network?
Note
Make sure to take note of each answer and understand the rationale behind it.
Task 4 will go over the options available and the advantages/disadvantages of each option.
Having answered these questions, you will be able to select the option that best suits your
business needs.
Task 4: Define your mobile device management lifecycle strategy
In this task, you’ll refine the mobile device management lifecycle strategy to meet the
management requirements you identified in Tasks 1-3.
Task 4a: Device enrollment options
Enrolling devices in Intune, whether standalone or when connected to System Center 2012,
requires that you prepare the service for the devices. Enrolling mobile devices in MDM for Office
365 only requires that each user included in a security policy respond to an enrollment message
the next time they sign in to Office 365 on their mobile device. They must complete the
enrollment and activation steps on each mobile device they will use to access Office 365 email
and documents.
Intune standalone needs to be configured to define the Mobile Device Management Authority,
which can be either Intune or an on-premises System Center 2012 R2 Configuration
Manager infrastructure. This simply means “which management platform do you want to use to
manage Intune-enrolled devices – Intune OR System Center?” It’s very important to understand
the impact of this choice for your organization, because the management authority
cannot be easily changed once chosen. If you need to change this configuration, you’ll have to
contact Microsoft Support for assistance. For most organizations that are already using System
Center 2012 R2 Configuration Manager to manage PCs, servers, and other devices, connecting the
on-premises solution with Intune and managing devices with System Center 2012 R2
Configuration Manager (ConfigMgr) is usually the best choice. To assign the mobile device
management authority to ConfigMgr, you’ll create an Intune subscription from within the
ConfigMgr console and select the option to allow ConfigMgr to manage the Intune subscription
and Intune-enrolled devices.
Additionally, before you can enroll certain types of mobile devices running different
mobile operating systems, you’ll need to prepare the Intune service with specific configuration
requirements. For example, if you plan to enroll Apple iOS-based devices, you’ll need to
configure Intune with an Apple Push Notification (APN) service certificate prior to enrolling iOS-
based devices. If this isn’t configured, Intune can’t communicate with the APN service or with iOS-
based devices. Other mobile devices, such as devices running Android or Windows Phone
operating systems, have their own separate enrollment requirements.
Depending on how you answered the questions in Task 1, you should be able to determine how
you want devices to be enrolled in the mobile device management solution. Table 5 below will
help you understand the advantages and disadvantages of each enrollment scenario:
Step 4 - Plan for Software as a Service (SaaS) mobile device management
The last step in designing a complete mobile device management strategy is to determine the
requirements for the Software as a Service device management solution that will be used to
support mobile devices within your organization. In this step, we’ll examine SaaS platform types,
characteristics such as scalability and accessibility, mobile device management connectivity, and
integration with your on-premises infrastructure.
More and more, organizations are starting to leverage the features and power of cloud
computing infrastructure solutions to deliver services and applications to users. Software as a
Service (SaaS) allows user and device services, applications, and activities to be centrally
managed from a single location, regardless of the location of the user or device. If your
organization is currently using (or planning to implement) SaaS services, it’s important to define
how the solution will deliver these services to mobile devices in your organization and integrate
with (or even replace) your on-premises mobile device management platform. In some cases,
SaaS solution decisions may be completely separate from, or just a small part of, how mobile devices
will be managed in your organization. However, understanding the overall impact of the SaaS
solution as it relates to managing mobile devices is an important part of deploying a complete
mobile device management solution.
You need to go over these key aspects of the SaaS solution to understand what is a current
requirement and what your organization plans for the future. If you don’t have the vision to
define a long-term strategy for managing mobile devices and integrating with cloud services,
your mobile device management solution may not scale as your organization’s
business needs change.
Task 1: Identify your SaaS requirements
Each SaaS solution will have different requirements, mobile device management features, and
levels of integration with on-premises networks and platforms. Many SaaS solutions offer trial
tenants or services for you to evaluate their features and functionality, which is an important
part of determining which solution actually meets your needs. However, many SaaS solutions
may have subtle differences in features and functionality, depending on the platform type.
The majority of SaaS solutions are based on three cloud types:
• Multi-tenant (public)
• Private (dedicated)
• Hybrid
Before making decisions on how you’ll use a SaaS solution to manage your mobile devices,
you’ll also need to examine the differences between these types of cloud platform architectures
and choose the one that best fits the overall needs of your organization. Individual SaaS
solutions have differing levels of support for areas such as customization, feature configuration,
integration, and collaborative functionality.
SaaS cloud types
Multi-tenant SaaS solutions are what are typically called “public” cloud infrastructures. This is
when the software architecture of the service is in a single instance, but serves multiple tenants
or organizations. The solution is designed to provide every tenant a reserved share of its
services, such as user or device management, configuration, and data support. The tenant
accounts and services are separated virtually, with each tenant accessing the platform
infrastructure in separate instances. Multi-tenant SaaS solutions also typically offer cost savings
earned from sharing the infrastructure and distributing the overhead costs amongst multiple
tenants. Most mobile device management platforms are offered in a multi-tenant SaaS platform
infrastructure.
Private, or dedicated, cloud services are instances of SaaS solutions that are operated for a
single organization or tenant. These can either be private cloud services hosted by the
organization or private cloud services hosted by a third-party provider. Private cloud solutions also
typically offer greater opportunities for customization, both in the areas of services and security.
Scalability questions: As part of SaaS management lifecycle planning, you’ll want to answer the
following planning questions about cloud scalability:
• What type of short- and long-term plans does your organization have for growth or contraction in mobile device and application support infrastructure?
• How rapidly will your organization need to scale mobile device management support services upward or downward?
• What is the initial number of mobile devices and/or users that need support in the SaaS solution? How likely is this number to change in the next year? The next 3 years? The next 5 years?
• Does the number of mobile devices needing SaaS solution support change on a regular pattern (such as seasonally)? Does it change according to the number of active or inactive organization projects?
• Does SaaS solution performance change depending on the scale of supported mobile devices and users? If so, in what areas (nodes, data, processing, etc.)? How is the scaling performance measured, reported, and audited?
Accessibility
Easy access to the SaaS solution is another key component of the SaaS architecture. Because the
SaaS solution is hosted on a cloud-based infrastructure, it’s accessible by administrators, users,
and devices from any location that has access to the Internet. Administration of mobile devices
is done via a browser. Because many SaaS solution providers operate geographically diverse
datacenters, users and devices can access the platform “locally”, often avoiding latency and
delays that can be associated with connecting to geographically distant endpoints. Accessibility
can also typically be expanded by integrating the SaaS solution with on-premises device
management platforms.
Accessibility questions: As part of SaaS management lifecycle planning, you’ll want to answer
the following planning questions about cloud accessibility:
• Are there specific mobile device browser requirements in your organization? If so, does the SaaS solution support the required browser(s)?
• Do mobile device users have any special accessibility requirements for applications or services?
• Does your organization need to access SaaS infrastructure located in the same geographic region as the user devices or your on-premises infrastructure? Are there legal ramifications if mobile device data is stored or moved across international borders?
Resiliency
Since the SaaS infrastructure is cloud-based and hosted across multiple datacenters, it is
typically subject to less instability and fewer outages than traditional on-premises hosted services.
Multi-location service hosts offer protection against geographic-based outages and service
interruptions by using fail-over infrastructure and processes to replicate data across multiple
datacenter nodes. Depending on the SaaS solution, access to the service may or may not remain
in the original geographic area during a fail-over.
Resiliency questions: As part of SaaS management lifecycle planning, you’ll want to answer the
following planning questions about cloud resiliency:
• In the event of primary SaaS solution fail-over, how will mobile device management services be impacted?
• How will mobile device data stored on the SaaS solution be shared in the cloud-based infrastructure?
• If the primary mobile device SaaS datacenter isn’t available, are the fail-over datacenters in the same geographic region as the primary datacenter? Is it OK for fail-over datacenters to be located outside the international borders from which the mobile devices are operating?
• Does the SaaS solution have a defined service level agreement (SLA) outlining support for mobile device management?
Up-to-date services
SaaS solutions are also able to keep the applications and services up to date with the latest
application version, features, security updates, and bug fixes. Often these updates are published
very quickly, sometimes even on a daily basis. Depending on the SaaS solution, updates may be
instantly available to all customers or released in a phased approach to smaller groups of
customers. One of the biggest benefits is that when a bug is fixed for one customer, the fix can
be easily applied to all customers using the service.
Services questions: As part of SaaS management lifecycle planning, you’ll want to answer the
following planning questions about cloud services:
• How often are mobile device management features and functionality updated in the SaaS service?
• What impact will feature and functionality updates have on your mission-critical mobile device applications and services?
• Are SaaS solution feature and functionality updates deployed to customers on an ad hoc or planned schedule?
• Does the SaaS solution support exemptions from service-wide updates for individual organizations?
• Does the SaaS solution have different service update schedules for mobile device application and mobile device management features and functionality?
Task 2: Identify your SaaS solution / on-premises infrastructure integration needs
The primary decisions that need to be made when considering managing mobile devices
with a SaaS solution are:
• How will your existing user and device on-premises directory accounts integrate with the SaaS solution?
• Do you need to integrate the SaaS solution with existing on-premises client management platforms?
The decisions you make in these two areas will significantly impact the overall deployment,
administration, and end-user experiences for your mobile device management solution.
Identity and directory connectivity
Connecting and synchronizing your on-premises user and device account directory with the
SaaS solution is the glue that connects users, mobile devices, mobile applications,
and mobile device management. Knowing who a user is (identity) and associating the identity with
specific mobile devices is critical in managing access to company resources and data from the
mobile device. In many ways, how well these areas are connected to the SaaS solution
determines the overall value to both you and your mobile device users. Ubiquitous connectivity
means that people can use devices and applications anywhere, and it’s essential
that user identity management keeps pace with the demands of this connectivity. It can’t be
stressed enough that how you manage identity and user authentication is critical to the success
of your mobile device management solution.
Synchronizing on-premises directory services to the SaaS solution is another key area to
consider when defining your mobile device management strategy. Most organizations prefer to
maintain an on-premises user and device directory infrastructure, but need to extend these
accounts to a variety of cloud-based services. This may include only a SaaS-based mobile device
management solution, but in most scenarios organizations need to integrate user and device
accounts into several different types of cloud-based services. This may include cloud-based
applications, data, or third-party web services. Keeping your user and device directory accounts
synchronized is the cornerstone of a well-designed identity management solution. Once you
integrate your on-premises directory with the cloud directory, you can also enable single sign-on
(SSO) to allow users to sign in to all services using their on-premises credentials. Both Intune and
Office 365 can take advantage of this integration to enable SSO with SaaS apps that the
organization might want to use.
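The paragraph above calls synchronized directory accounts the cornerstone of identity management, and the planning questions that follow ask which objects and attributes are synchronized. The following script is an added example, not part of this guide or of any Microsoft product, showing the kind of reconciliation check an administrator can run between an on-premises directory export and a cloud directory export. It assumes a simplified export format (a list of records keyed by userPrincipalName with a handful of attributes); the users and attribute values are constructed sample data, and the attribute names are assumptions rather than the schema of any real directory. The check flags the cases that matter most to security: on-premises accounts that never reached the cloud, cloud-only accounts with no on-premises lifecycle behind them, accounts disabled on-premises but still enabled in the cloud, and attribute drift between the two copies.

```python
"""Reconcile an on-premises directory export with a cloud directory export.

Added example (not from the guide). Both exports below are constructed
sample data in a simplified, assumed format; real exports carry many more
attributes and are obtained from the directory tooling itself.
"""
from dataclasses import dataclass, field

# Attributes whose values are expected to match in both directories
# (assumed names, not a real directory schema).
SYNCED_ATTRIBUTES = ("displayName", "mail", "department")

# Constructed sample export from the on-premises directory.
ONPREM_USERS = [
    {"userPrincipalName": "alice@example.com", "displayName": "Alice Adams",
     "mail": "alice@example.com", "department": "Sales", "accountEnabled": True},
    {"userPrincipalName": "bob@example.com", "displayName": "Bob Brown",
     "mail": "bob@example.com", "department": "Finance", "accountEnabled": False},
    {"userPrincipalName": "carol@example.com", "displayName": "Carol Clark",
     "mail": "carol@example.com", "department": "Engineering", "accountEnabled": True},
]

# Constructed sample export from the cloud directory. Note the mixed-case UPN
# for Alice, the department change, Bob still enabled, and Dave cloud-only.
CLOUD_USERS = [
    {"userPrincipalName": "Alice@Example.com", "displayName": "Alice Adams",
     "mail": "alice@example.com", "department": "Marketing", "accountEnabled": True},
    {"userPrincipalName": "bob@example.com", "displayName": "Bob Brown",
     "mail": "bob@example.com", "department": "Finance", "accountEnabled": True},
    {"userPrincipalName": "dave@example.com", "displayName": "Dave Davis",
     "mail": "dave@example.com", "department": "Contractors", "accountEnabled": True},
]


@dataclass
class ReconciliationReport:
    not_in_cloud: list = field(default_factory=list)       # on-prem users never synchronized
    orphaned_in_cloud: list = field(default_factory=list)  # cloud users with no on-prem source
    still_enabled: list = field(default_factory=list)      # disabled on-prem, enabled in cloud
    drift: dict = field(default_factory=dict)              # upn -> {attr: (onprem, cloud)}

    def is_clean(self) -> bool:
        return not (self.not_in_cloud or self.orphaned_in_cloud
                    or self.still_enabled or self.drift)


def reconcile(onprem, cloud, attributes=SYNCED_ATTRIBUTES) -> ReconciliationReport:
    """Compare two user lists keyed by userPrincipalName (case-insensitive)."""
    onprem_by_upn = {u["userPrincipalName"].lower(): u for u in onprem}
    cloud_by_upn = {u["userPrincipalName"].lower(): u for u in cloud}
    report = ReconciliationReport()

    for upn, src in onprem_by_upn.items():
        dst = cloud_by_upn.get(upn)
        if dst is None:
            report.not_in_cloud.append(upn)
            continue
        # An account disabled on-premises but still enabled in the cloud keeps
        # working against every connected SaaS service, which defeats the
        # purpose of disabling it (for example, after an employee leaves).
        if not src["accountEnabled"] and dst["accountEnabled"]:
            report.still_enabled.append(upn)
        diffs = {a: (src.get(a), dst.get(a))
                 for a in attributes if src.get(a) != dst.get(a)}
        if diffs:
            report.drift[upn] = diffs

    # Cloud-only accounts are not governed by the on-premises joiner/mover/leaver
    # process; each needs an identified owner or should be removed.
    report.orphaned_in_cloud = sorted(set(cloud_by_upn) - set(onprem_by_upn))
    return report


def run_sample() -> ReconciliationReport:
    """Run the reconciliation over the constructed sample exports."""
    return reconcile(ONPREM_USERS, CLOUD_USERS)


if __name__ == "__main__":
    rep = run_sample()
    print("Not synchronized to cloud:", rep.not_in_cloud)
    print("Cloud-only (orphaned):     ", rep.orphaned_in_cloud)
    print("Disabled on-prem, enabled in cloud:", rep.still_enabled)
    print("Attribute drift:", rep.drift)
```

On the sample data the script reports carol as never synchronized, dave as cloud-only, bob as disabled on-premises but still enabled in the cloud, and a department mismatch for alice. The "still enabled" case is the one to treat as urgent, because it means a deprovisioned user retains access to every service that trusts the cloud directory; the other findings feed the attribute and object-type questions in the list that follows.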
Identity and directory connectivity questions: As part of SaaS management lifecycle planning,
you’ll want to answer the following planning questions about identity management and
directory connectivity:
• Does the SaaS solution support integrated user authentication services? If so, does it support the type of directory services you’re using in your on-premises infrastructure?
• Do you need to support user and mobile device authentication for on-premises and/or internal applications or services?
• Does the SaaS solution support user and mobile device authentication for third-party or other external SaaS-based applications or services?
• How does the SaaS solution manage identity-related threats and abnormalities?
• Does the SaaS solution support implementing and managing multi-factor authentication (MFA)?
• What types of directory services objects do you need to extend to the SaaS solution? Does the SaaS solution have any restrictions for certain object types?
• What on-premises requirements are needed to extend your directory services to the SaaS solution?
• Once connected to the SaaS solution, how are user and mobile device directory objects replicated or synchronized with the cloud service? Are synchronization settings customizable or fixed?
• Are all directory object attributes synchronized with the SaaS solution? Do you need to synchronize custom directory object attributes?
• Are on-premises directory services hosted in a single location or logical grouping? If not, does the SaaS solution support synchronizing multiple directory services from multiple locations and logical groupings?
Connecting with existing client management platforms
Most organizations have an existing on-premises client management platform to manage
desktop computers and servers. How you integrate the management of mobile devices into this
system is likely to have a substantial impact on IT infrastructure costs, device management
administration processes, device inventory and reporting support, and overall integration with
other business-critical applications and services. By connecting these two platforms,
organizations are able to leverage the economies of scale of a single, unified management
platform.
Connecting existing client management platforms questions: As part of SaaS management
lifecycle planning, you’ll want to answer the following planning questions about connecting the
SaaS solution with existing client management platforms:
• Does your on-premises client management platform support integration with the SaaS solution? If so, are there:
  o Limitations on the type of SaaS solution?
  o Limitations on the types of supported devices?
• What are the requirements to connect your on-premises client management platform to the SaaS solution? Specifically, are there:
  o Physical server or device requirements?
  o Directory services or directory schema requirements?
  o Domain Name Services (DNS) requirements?
  o Identity requirements?
  o Client management platform upgrades or configuration requirements?
  o Network connectivity and/or network security configuration requirements?
• Can existing client or device configuration information (policies, profiles, and settings) be shared or leveraged in the SaaS solution? Will this information have to be recreated?
• After the two platforms are connected, how are clients managed? Are different types of clients managed in a unified administration system or are they managed separately?
• How are updates and changes in the SaaS solution integrated with the on-premises client management platform? Is this an automatic or manual configuration process?
Task 3: Develop your SaaS mobile device management adoption strategy
In this task you will define the mobile device management SaaS strategy to meet the
requirements that you defined in Tasks 1 and 2.
Task 3a: Identify your SaaS solution requirements
Depending on how you answered the questions in Task 1, you should be able to determine what
the SaaS solution needs to support in your mobile device management solution. Table 20 below
will help you understand the advantages and disadvantages of each SaaS solution scenario:
Table 20: MDM options, advantages and disadvantages

MDM option: Intune (standalone)
Advantages:
• Offered as a multi-tenant, public cloud architecture
• Scales to support up to 50,000 mobile devices
• Doesn’t require any additional investments in on-premises infrastructure, hardware or software
• Updates and feature improvements are made on a daily basis; major feature and functionality enhancements are made on a monthly basis
• Services can be assigned to datacenters in specific geographic locations
• Datacenter fail-overs can be restricted to specific geographic locations
• Certified and compliant with most industry and governmental standards
• Service Level Agreement (SLA) is financially backed: if the service or features aren’t available, monthly charges are waived
Disadvantages:
• Private cloud instances aren’t supported
• If you need to support more than 50,000 mobile devices, you’ll need to connect Intune to System Center 2012 R2 Configuration Manager to manage the additional devices

MDM option: MDM for Office 365
Advantages:
• Tightly integrated with Office 365 commercial tenants, providing a single management console for mobile devices and Office 365 tenant services (Exchange Online, SharePoint Online, and Lync Online)
• Offered in Office 365 multi-tenant (public) or private (dedicated) platform types
• No additional user or device licensing costs; included by default in Office 365 commercial (Business, Enterprise, Education, and Government) plans
Disadvantages:
• Doesn’t support managing non-mobile operating systems
• Additional management interface for provisioning mobile devices (only) if using an on-premises management platform for non-mobile devices

MDM option: Hybrid (Intune with System Center)
Advantages:
• All the advantages of Intune standalone, plus the following:
  o Native integration between Intune (cloud-based device management service) and System Center 2012 and System Center 2012 R2 Configuration Manager (on-premises device management platforms)
  o Supports advanced device provisioning options for mobile devices via Intune connectivity
  o New Intune service features and functionality extended to the on-premises System Center infrastructure via platform extensions, either automatically or customized
Disadvantages:
• Requires additional configuration to connect Intune with the on-premises System Center infrastructure
• For organizations that don’t have a current System Center infrastructure configured, it will need to be planned, installed and configured prior to integrating with Intune
Make sure to read the article Help protect your data with remote wipe, remote lock, or passcode
reset using Microsoft Intune to understand what data is removed and the effect on data that
remains on the device after a selective wipe per platform. If you have a hybrid environment,