If you would like to read the other parts of this article series please go to:
- Getting to Know the Enterprise Mobility Suite (Part 1)
- Getting to Know the Enterprise Mobility Suite (Part 3)
- Getting to Know the Enterprise Mobility Suite (Part 4)
- Getting to Know the Enterprise Mobility Suite (Part 5)
In Part 1 of this series, we talked about how EMS – Microsoft’s new mobile device management solution – offers organizations a more mobile, cloud-centric way of doing business. We discussed the components of EMS: Microsoft Active Directory Premium, Microsoft Intune and Microsoft Azure Rights Management and we provided an overview of what each one is and does and how it fits into the solution.
Deploying Azure AD Premium
Azure AD provides your organization with an Active Directory that lives in the cloud, offering the same services that your on-premises Active Directory does, and in fact you can synchronize your on-premises AD with Azure AD and even set up a federated trust between the AD that runs on your local domain controllers and the AD that runs on the Azure DCs.
Office 365 and some of Microsoft’s other cloud services work with Azure AD. The user account that you use to sign into Office 365 is an Azure AD account. Each organization that has an Office 365 account has an Azure AD that is set up for it. The administrator of the Office 365 account can add users to its AD, manage their passwords, assign roles and set permissions for them, as a domain admin does for users through the local AD. Users get single sign-on (SSO) across all of the Office 365 applications through their Azure AD accounts. Note that the Azure AD included with Office 365 does not have to be purchased or deployed separately; it’s part of the Office 365 subscription.
So what else can you do with Azure AD? You can extend your existing on-premises Active Directory into the cloud, by synchronizing it with the Azure AD using the DirSync tool. This allows Active Directory to work in a hybrid cloud environment so that you can use cloud based applications and services without affecting the user experience for accessing on-premises resources. When you set up a federated trust between the two directories and use Active Directory Federated Services (AD FS), the user accounts are still created and managed via your on-premises domain controllers.
Although the Azure AD can easily integrate with your on-premises AD, the two are not identical; that is, Azure AD isn’t just a Windows Server AD that’s running on a machine in the cloud. Microsoft made a number of changes to ensure that Azure AD would be more scalable and highly available. Azure AD was redesigned to be able to connect to many external applications that are managed by third parties and the new directory graph interface allows developers to create applications that integrate with Azure AD. Azure AD was designed early in its existence to integrate with the Microsoft account service, Google, Yahoo and Facebook.
If you’re familiar with cloud services and multi-tenancy, you already know that it’s an architectural term that is used to describe one software application or service that is used by multiple customers, but with each instance isolated from the others. The tenant is the group of users that share access.
The first step in deploying Azure AD is to obtain a tenant, which in the context of Azure AD refers to your company’s dedicated instance of the Active Directory that you get when you subscribe to Azure, Office 365, Intune, etc. and is of course one of the three components of Microsoft Enterprise Mobility Suite. The tenant is where all of your users’ information (such as their user names, passwords, profile information and access permissions) are stored. Users within a tenant can access the applications that are registered and published there.
You’ll need to assign licenses to your users when you add them to the directory. If it’s your first time to purchase a license plan, you may need to activate the license plan by following the instructions in the email that you receive after the purchase of the first license plan. This will involve completing a profile to up Microsoft Online Services.
You get another email message after the licenses have been provisioned to your Active Directory. If you already have an Azure account, go to the management portal and sign in. If not, you’ll need to go through the link on the email or the Access to Azure Active Directory activation page. This will walk you through the necessary steps to access your directory.
You’ll be asked to provide a mobile phone number to be used for multi-factor authentication. You can choose to have Azure send you a text message or call you to validate the phone number. The access will then be activated and you can go to the management portal to configure and manage your Azure AD.
Now you’ll need to assign each of the users in your organization a license for them to use the Premium features of Azure AD. This is done by signing into the portal as a global admin, selecting Active Directory and the directory in which you want to assign licenses to users, and then select the Licenses tab. Here you select Enterprise Mobility Suite and click Assign. You can select multiple users by checkmarking them. Now you’re ready to use AD Premium.
Deploying Microsoft Intune
Intune is Microsoft’s solution for cloud-based mobile device management (MDM) and computer management, combined in one service. Intune uses the Azure AD, which houses users’ accounts and account information, as do other Microsoft services. Not only can you manage Windows devices with Intune, but also iOS and Android mobile devices. It is configured and managed through a web portal.
Intune can also be integrated with Configuration Manager. If you go this route, you will have to manage mobile devices from the Configuration Manager console rather than through Intune’s management portal. There are advantages and disadvantages to integrating with Configuration Manager. We will assume here that you are deploying Intune as a standalone solution rather than integrating with Configuration Manager.
Your first step is to sign into Intune with your company account and then set Intune to be your mobile device management authority. Only one management service can be set to be the authority. To set Intune as the MDM authority, in the console go to Admin and then Mobile Device Management, and in the Tasks list, click Set Mobile Device Management Authority and check the box for Microsoft Intune, then click Yes.
Next you have to enable mobile device enrollment for whichever operating systems run on the devices that your users will be using. You can set up Windows computers, Windows Phone OS, Android and iOS devices. Many of the steps are the same, but they do differ depending on the OS. We’re going to look at how to set up Windows computers and I’ll provide links for setting up enrollment for other operating systems.
You might want to set up a DNS alias for the address of the enrollment server to make it easier for users to enroll their devices, but this is optional. To do this, you verify and create a DNS CNAME. You also might or might not want to enable sideloading of apps (installing apps from sources other than the Windows Store).
Before any devices can be enrolled, you have to add users to Intune. This is done through the Add Users option in the Intune management portal. You can add one user at a time or you can do a bulk add, by creating a comma separated values (.csv) file and importing it. You can also use the DirSync tool to synchronize your on-premises Active Directory with the Azure AD.
You then have several options. You can create groups if you want, add polices for devices to control their features, and set a limit on how many devices each user can enroll through the Enrollment Rules in the MDM Management section of the admin portal. You can also customize the portal with your company’s name and additional information such as the contact info for the IT department, the organization’s privacy statement, web site name and so forth. You can publish terms and conditions to which your users have to agree when they initially sign into the company portal.
Now users can enroll their own devices through the company portal web site or company portal app, and you can enroll corporate devices using the Device Enrollment Manager that’s in Intune. After the devices are enrolled, you will be able to utilize Intune’s features to get device inventory information, deploy apps to mobile devices, manage the settings and features on devices, control access to your organization’s resources and use remote wipe and remote lock to protect the devices and the company network if a device is lost, stolen or the user leaves the company.
In this, Part 2 of our article series about getting to know Microsoft Enterprise Mobility Suite, we went deeper into specifics of how to deploy the first two of its three services: Azure Active Directory and Microsoft Intune. We’ll wrap up the series in Part 3 with a look at how to deploy Microsoft Azure Rights Management.
If you would like to read the other parts of this article series please go to: