Enterprise Mobility End to End // Part 1 – Introduction

This blog series is intended to document our learnings during the setup of all the infrastructure components you need to build a modern mobility-enabled workplace. During the series we will explain all the building blocks you need to put in place to implement an "Enterprise Mobility Solution". We will only focus on Intune + System Center Configuration Manager (Build 1606) in hybrid mode. All Android and iOS phones have the latest updates installed, and for Windows we only use Windows 10 (Build 1511) and Redstone 1 (Windows Insider Ring, Build 14380 or higher), also known as the Windows 10 Anniversary Update. This series is the outcome of an 8-month customer project. The goal was to enable BYOD and CYOD scenarios with the highest level of security. In other words, we need to manage and configure every device before it can access any corporate service. Everything should be possible from home or on the road, with no requirement to perform any enrollment activity on your device in the office. OK, that's a big goal, so we went to the drawing board for the overall architecture. Here is the list of technologies we planned to implement:

  • System Center Configuration Manager
  • Microsoft Intune
  • Mobile Device Management (aka. MDM) for iOS, Android, Windows
  • Network Device Enrollment Service (aka. NDES)
  • AAD Automatic Device Registration to support BYOD
  • Microsoft Passport for Work for Biometric Authentication
  • Conditional Access
  • Mobile Application Management (aka. MAM)
  • Azure Rights Management Service (aka. ARMS)
  • Azure Multi Factor Authentication (aka. MFA)
  • Device Health Attestation (aka. DHA)
  • Enterprise State Roaming (aka. ESR)
  • Windows Store for Business (aka. WSfB)
  • Windows Information Protection (aka. WIP, formerly known as Enterprise Data Protection or EDP)

But where to start? Where do we have dependencies? Is there a good logical implementation order? We looked at TechNet and other blogs for dependency information or setup instructions. Unfortunately, we were unable to find good or detailed enough documentation. We asked ourselves, "Are we really the first to implement everything in a single project?". Frankly speaking, we learned a lot over the last 9 months, so we decided to document each step and configuration item so that others do not repeat our mistakes. During the blog series you will see a lot of cross-references to other information sources for more details. We tried not to replicate others' work as long as there were no gaps or missing information; where there were, we consolidated the different sources into a single set of instructions. Over this series we will cover:

  1. Introduction
  2. Basic Mobile Device Management (here)
  3. Elevate Security using Certificates (here)
  4. Enable BYOD and Passport for Work (here)
  5. Define Access Conditions (here)
  6. Information and Access Protection (here)
  7. Enterprise State Roaming and Windows Store for Business (here)

The authors, Lutz Seidemann (Solution Architect) and Raymond Michael Sy Guan (Consultant), are with Microsoft Consulting Services – Worldwide Enterprise Mobility Center of Excellence (CoE). The customer we worked with was part of a program called FirstWave, which assists market-leading, innovative and forward-thinking enterprise companies in fast adoption and deployment of the latest Microsoft technologies. A customer case study and video was created as part of this engagement, go HERE. For older case studies around our past projects go here.


Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use.