Mobile Device Management (MDM) is a hot industry segment. MDM sits at the intersection of the Bring Your Own Device (BYOD) megatrend and traditional IT responsibilities such as security and identity management. Organizations large and small need to deliver on employee expectations for device freedom while protecting corporate data by all reasonable means. Example MDM features are enforcing policies such as whether the device’s camera may be used, or the number of failed login attempts allowed before the device is remotely wiped. A key concept of effective MDM is that the same policies apply regardless of whether, for example, the employee has an Apple iOS or an Android mobile device.

From a risk-assessment standpoint, indiscriminately allowing employees to download sensitive documents to any device of their choosing invites business disaster or worse. Large organizations have rapidly invested in vertical MDM solutions like Airwatch and MobileIron to maintain control over information while allowing employees to use their preferred devices. Microsoft has long offered basic MDM features (such as command-directed remote wipe of a lost or stolen device) in its Exchange product.

Microsoft is late to the market with a comprehensive MDM solution, but has fairly quietly and quickly realigned its client device management applications, System Center 2012 Configuration Manager (SCCM) and Windows Intune. Following a recent upgrade wave to the System Center and Intune products, organizations of all sizes now have a good-value, solid MDM solution from Microsoft for managing client devices such as PCs, smartphones, and tablets. Figure A shows a possible hybrid SCCM and Intune architecture in which a managed PC can download software both from on-premises repositories and from Windows Azure public-cloud repositories provided by Windows Intune.

Figure A

A Hybrid SCCM and Intune architecture works inside and outside the corporate network.

Appealing to the SMB

Smaller companies may be challenged to select, deploy, operate, and support MDM software in a cost-effective manner. There is no reason a start-up’s data should be more exposed than that of their larger competitors. The chance of a business loss due to missing or compromised data does not diminish with a company’s size. For the Small and Medium Business (SMB), having an effective MDM solution is a critical insurance policy.

The SMB space is especially attractive for a good cloud-based MDM solution, because the expense of deploying an on-premises or private-cloud MDM solution is a barrier to the SMB. Windows Intune lets the SMB owner apply enterprise-class MDM device policies at a very reasonable cost. With Windows Intune alone, you can manage Windows PCs, Apple iOS, Android, Windows RT, and Windows Phone 8 devices with no on-premises infrastructure to set up.

Figure B shows the web-based Windows Intune console, open to the Create Policy page. It is a simple matter to create a policy that applies to multiple device platforms, such as iOS or Windows RT, and to apply that policy to an Intune user group. All the devices of each group member will receive and use the same policy.

Figure B

“Allow Documents to Sync to iCloud” is an available Windows Intune MDM setting for iOS devices.

Scalable feature-rich solution for the enterprise

What is significant for the larger organization is that Windows Intune now includes System Center Configuration Manager (SCCM). This really changes the pricing dynamic and makes Intune features available more economically. If you just need the MDM and client management features of SCCM, you can get the best of both Intune and SCCM for 33% less cost than under previous license terms. Figure A demonstrates an SCCM “plus” Intune topology that can be deployed just by subscribing to Windows Intune.

Using System Center to manage client PCs and mobile devices requires a System Center Client Management License, which costs about $108 per year per user and includes all the System Center components such as Operations Manager (SCOM) and Data Protection Manager (DPM), but not Windows Intune. The news is that a Windows Intune subscription, which starts at $6 per month, includes SCCM. As an Intune customer, you now pay no license cost (other than for the Windows Server OS on which SCCM is installed) to host an SCCM instance on-premises to augment your Intune subscription.

When you integrate SCCM with Intune, you make a one-time, irreversible decision to either (1) use the Intune console to author and deploy MDM policies (as seen in Figure B), or (2) use the SCCM console for MDM policy management. A main difference between the Intune and SCCM consoles regarding MDM policies is that SCCM, being the larger and more feature-rich product, includes the concept of Configuration Baselines. Whereas Intune policies are applied directly to Intune groups, SCCM policies (Configuration Items) are added to SCCM Configuration Baselines, which are in turn deployed to SCCM collections.

There are three steps to deploy MDM settings to devices managed by SCCM behind Windows Intune:

  1. Create a Configuration Item for the device (see Figure C).
  2. Create a Configuration Baseline that includes the Configuration Item, any desired Software Updates, and/or any other Configuration Baselines.
  3. Deploy the Configuration Baseline to a collection.
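The same three steps can be scripted from the Configuration Manager PowerShell module instead of the console wizards. This is an added example, not code from the original article or from Microsoft; it assumes the module is loaded through the console's "Connect via Windows PowerShell" option (which maps the site drive), and the site code, CI, baseline and collection names are placeholders. The cmdlet and parameter names are assumed from the SCCM 2012 R2 module and should be verified with Get-Help in your own version.

```powershell
# Added example (not from the original article): scripting the
# Configuration Item -> Configuration Baseline -> Collection chain.
# Site code, names and collection below are placeholders.

# Assumption: the ConfigMgr module is already loaded and "PS1:" is the
# mapped site drive for a placeholder site code.
Set-Location "PS1:"

$ciName       = "Mobile - Block iCloud Document Sync"   # placeholder
$baselineName = "Mobile Device Security Baseline"       # placeholder
$collection   = "All Mobile Devices"                    # placeholder

# Step 1: create a mobile-device Configuration Item. The individual
# settings (camera, failed-logon wipe threshold, iCloud sync) are then
# defined on this CI; this example leaves that to the console wizard.
$ci = New-CMConfigurationItem -Name $ciName -CreationType MobileDevice

# Step 2: create a baseline and add the CI to it. Assumed parameter name;
# older module versions use the plural form -AddOSConfigurationItems.
$baseline = New-CMBaseline -Name $baselineName -Description "MDM settings"
Set-CMBaseline -Name $baselineName -AddOSConfigurationItem $ci.CI_ID

# Step 3: deploy the baseline to the target collection. Devices in the
# collection evaluate it and report compliance back to the site.
Start-CMBaselineDeployment -BaselineName $baselineName -CollectionName $collection

# Check: confirm the baseline exists and note its CI_ID for reporting.
Get-CMBaseline -Name $baselineName | Select-Object LocalizedDisplayName, CI_ID
```

Compliance results for the deployment then appear under Monitoring > Deployments in the SCCM console, which is where non-compliant devices should be reviewed before remediation.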

Figure C

In SCCM, settings for MDM are added as Configuration Items, which form part of Configuration Baselines.