Elements of an MDM Strategy Part 5 – Management

Posted on Updated on

This post is part of a series. The previous posts in the series can be found here:

Elements of an MDM Strategy Part 1 – Defining the Problem Space

Elements of an MDM Strategy Part 2 – Applications

Elements of an MDM Strategy Part 3 – Users

Elements of an MDM Strategy Part 4 – Data Access and Protection

So far we have focused on elements of an MDM strategy that are more heavily weighted towards creating a high quality user experience while meeting enterprise policy requirements. Today’s post will focus on the management and manageability aspects of your MDM strategy. These are the elements that can make the implementation and operation of your strategy easier.

“Management” is part of the phrase “Mobile Device Management” but what does it mean in the mobile device context? Management refers to the services and capabilities that will enable IT to measure and meet the objectives of the strategy. These services and capabilities include (but are not limited to) the following:

  1. Monitoring (users, devices, compute, storage, etc.)
  2. Reporting
  3. Provisioning & Configuration

These services and capabilities can all be very complex depending on your use case scenario. In the following sections I will provide some key questions that should be answered for each of these services and capabilities.

Monitoring

  1. Do you have the legal ability to monitor the devices (consider BYOD)?
  2. Do you require agentless or agent-based monitoring capabilities? Perhaps a mix depending on use case? Are agents available for your devices?
  3. Will you enforce policies or simply monitor adherence?
  4. Will you require remote management capabilities (e.g. remote/selective wipe)?

Reporting

What are your reporting needs? Do you have specific compliance reports (regulatory or otherwise) that need to be available to auditors? Is your device ownership model (BYOD, CYOD, COPE, etc.) driving specific reporting requirements? Some examples of the types of reports that might be required include:

  1. Devices
    1. Device Hardware (make, model, firmware, memory, camera, IMEI, SIM, carrier, etc.)
    2. Device Software (OS version, apps installed, etc.)
    3. Device Configuration (PIN, encryption, certificates, jail broken, etc.)
  2. Users
    1. Which users are using which devices
    2. Which users use the most bandwidth (exceed quota, etc.)
    3. Which users are roaming regularly
  3. Security
    1. Last successful connection by device and user
    2. Failed connection attempts
    3. Device Locations
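As an added example (not part of the original post), the script below builds two of the reports listed above, the device configuration view (policy applied, access state) and the "last successful connection by device and user" security report, from Exchange ActiveSync, the first layer of the toolset discussed later on this page. It assumes an Exchange 2013 Management Shell session (Get-MobileDevice and Get-MobileDeviceStatistics; on Exchange 2010 the equivalents are Get-ActiveSyncDevice and Get-ActiveSyncDeviceStatistics), and the 30-day staleness threshold and output path are assumptions to adjust for your own estate.

```powershell
# Added example, not code from the original post. Assumes an Exchange 2013
# Management Shell session with permission to read mobile device partnerships.
# The 30-day threshold and the CSV path are assumptions.

$staleAfter = (Get-Date).AddDays(-30)

$report = foreach ($device in Get-MobileDevice -ResultSize Unlimited) {
    # Enumerate device partnerships first rather than mailboxes, so mailboxes
    # with no EAS device are skipped and each row maps one user to one device.
    $stats = Get-MobileDeviceStatistics -Identity $device.Identity -ErrorAction SilentlyContinue
    if (-not $stats) { continue }

    [pscustomobject]@{
        User            = $device.UserDisplayName
        DeviceId        = $device.DeviceId
        Model           = $device.DeviceModel
        OS              = $device.DeviceOS
        IMEI            = $device.DeviceImei
        # Allowed / Blocked / Quarantined, as decided by the EAS device access rules
        AccessState     = $device.DeviceAccessState
        # AppliedInFull / PartiallyApplied / NotApplied: did the device take the
        # mailbox policy (PIN, encryption, etc.) that the compliance report cares about
        PolicyApplied   = $stats.DevicePolicyApplicationStatus
        LastSuccessSync = $stats.LastSuccessSync
        Stale           = ($stats.LastSuccessSync -lt $staleAfter)
    }
}

# Full inventory for the auditors (user-to-device mapping, hardware, OS, policy state).
$report | Export-Csv -Path .\eas-device-report.csv -NoTypeInformation

# Exception view for IT: devices that have gone quiet or never fully applied policy.
$report |
    Where-Object { $_.Stale -or $_.PolicyApplied -ne 'AppliedInFull' } |
    Sort-Object User |
    Format-Table User, DeviceId, Model, AccessState, PolicyApplied, LastSuccessSync -AutoSize
```

The same device Identity that feeds Get-MobileDeviceStatistics is what Clear-MobileDevice takes for the remote wipe asked about in the monitoring questions, so the exception view doubles as the candidate list for retiring lost or abandoned devices. Note that EAS only records successful syncs per device; failed connection attempts are not in these statistics and have to come from the Client Access server logs or the MDM agent.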

Provisioning & Configuration

Provisioning deals with how devices will be delivered to users. It might be driven by your device ownership model and will involve answering some of the following questions:

  1. How will devices be delivered to end users?
  2. How will Applications be delivered to devices?
  3. Will it be different for different platforms?
  4. How will configurations be maintained over time?
  5. Will automation be required to make it more efficient and scalable?

Next Month

Now that we have covered Applications, Users, Data Access & Protection, and Management, on to the topic that I know you have all been waiting for: DEVICES. Stay tuned.


A great reference for BYOD with a Microsoft slant can be found on TechNet. I got many of my ideas from this guide.

Elements of an MDM Strategy Part 3 – Users


This post is part of a series. The previous posts in the series can be found here:

Elements of an MDM Strategy Part 1 – Defining the Problem Space

Elements of an MDM Strategy Part 2 – Applications

In my last post, I discussed the types of questions that need to be answered about your mobile applications. If you have any specific application requirements, answering the questions in last month’s post should have helped you to narrow the field of candidate devices. Notice that we haven’t really addressed devices yet. It seems counterintuitive, but it really makes more sense to address devices near the end of the strategy, as many of the device constraints will have been established by addressing the other elements of the strategy.

This month I’m going to address Users.

Understanding User Requirements

Many of the same techniques we would use as part of a standard workforce analysis are useful to build a mobile device user strategy. Typically we would create a series of personas that represent the user population. Personas are fictitious, specific, and concrete representations of target users. For an overview of workforce personas, please refer to Ted Schadler’s blog. Once personas are created, you will need to understand the use case scenarios that each persona will be presented with. In an organization with many personas and scenarios, it might make sense to prioritize both personas and scenarios to focus on the most important combinations. It is the combination of personas and use case scenarios that will lead to the solution design.

[Matrix: one row per persona; columns Scenario1, Scenario2, Scenario3]

Once the personas and use cases are defined, create a matrix similar to the one presented above. For each cell in the matrix, consider the following question and record the answer:

Which of the following does the Persona in this Scenario require?

  1. Access to web-based apps on-premises
  2. Access to web-based apps in the cloud
  3. Access to corporate mobile apps
  4. Access to files located on file servers on-premises
  5. Access to files located in the cloud
  6. Access to computers using Remote Desktop
  7. Access to other computers located on-premises

Do you need to link Users to Devices?

Although we are not addressing devices specifically at this time, it is also a good time to determine whether or not there is a requirement to map users to the devices that they use. This requirement may be driven by many factors including:

  1. Asset Management (SAM/ITAM)
  2. Compliance Requirements
  3. Auditing

Next Post

Now that we have a good understanding of our applications and users I plan to discuss Data Access and Protection. Stay tuned.


A great reference for BYOD with a Microsoft slant can be found on TechNet. I got a lot of my ideas from this guide.

Elements of an MDM Strategy Part 1 – Defining the Problem Space


I was organizing my thoughts about Mobile Device Management (MDM) for some presentations that I’m going to be delivering over the next few months. As I was structuring my presentation I realized that other people might be struggling with organizing their thoughts about MDM as well, so I thought I’d share. To that end, this is the first post in a series of posts that will deal with MDM. I will endeavour to provide a framework for thinking about MDM for different use cases. As this is a work in progress and still evolving, I can’t tell you exactly how many installments there will be, but at this point I envision somewhere around a dozen. I will cover various scenarios such as:

  1. BYOD
  2. Lifecycle Management
  3. Security
  4. User Management
  5. Application Management
  6. Policies and Compliance
  7. Profile Management

While I will deal with the business and technology challenges faced by organizations that have mobile devices in their estate, I will also deal with specific product-based solutions. More than likely they will focus on Microsoft technologies; however, I will share whatever I can about other products as well. So where to begin? Let’s start with understanding the problem space. This will serve as the context for the use cases that I will cover. Traditionally (can we say that yet in this space?), the MDM problem space is divided into five major segments:

  1. Applications
  2. Users
  3. Protection & Data Access
  4. Management
  5. Devices

Elements of an MDM Strategy

From a framework perspective, we can initially focus on each of these segments independently. This will avoid confusion and minimize the number of variables that we have to deal with. Once we have five independent segment frameworks, we will link them together. It may be useful to link some of these segments together to be able to develop more meaningful use cases. The most obvious linkages are between the following:

  1. Users and Devices
  2. Data Access and Protection

Next Post

In my next post we will explore some of the segments in more detail. We will start with a list of questions to answer to help build the various use case scenarios we will deal with. Have I whetted your appetite? Do you have any specific questions you’d like me to address? Let me know.

References

A great reference for BYOD with a Microsoft slant can be found on TechNet. I got a lot of my ideas from this guide.

What’s New in System Center 2012 Configuration Manager R2?


While Windows 8.1 and Windows Server 2012 R2 were released earlier this month, when nobody was looking, System Center 2012 Configuration Manager R2 came out. Did anybody notice? Aside from support for Windows 8.1 and Windows Server 2012 R2, there are quite a few new features. I understand that many organizations typically wait before deploying new versions of products, but what’s in store for those who are ready to install, if only for evaluation purposes? Here are the features that I’m most interested in exploring:

Profiles, Profiles, Profiles

A raft of new profile types can be managed including Remote Connection profiles, VPN profiles, Wi-Fi profiles, and Certificate profiles. This can really simplify the management of some complex settings across devices.

Client reassignment

Reassign clients to another site in the hierarchy. This will primarily be useful for large organizations with a CAS.

Mobile Devices

Many new features and enhancements, including user self-enrollment for Android and iOS using the company portal app. Another neat new feature that I’m excited about is support for distinguishing personal and corporate-owned devices. This feature will be useful in lifecycle management and BYOD scenarios, where a selective wipe of only the corporate data makes more sense than a full wipe when a personally owned device is lost. There are also some new compliance settings specifically targeted at mobile devices.

Software Distribution and Application Management

There’s a new Deployment Type for web based applications. This is really just a way to manage links to web based applications but it does help to simplify and centralize all software deployments. There are also some new features that are intended to help manage scenarios that include Windows Store Apps and the company portal.

Software Updates

There are some enhancements to ADRs (automatic deployment rules) as well as a new type of maintenance window specifically for software updates. I can see this being very useful for organizations that need to manage software updates on a different schedule than normal application deployments.

PowerShell

There are fifty new PowerShell cmdlets. My colleague Sean will be excited about this.

Check out fellow MVP Kent Agerlund’s TechEd New Zealand presentation for demos of some of the changes. For a full list of the changes and additions in Configuration Manager 2012 R2, check TechNet.

Microsoft’s MDM Toolset


I get a lot of questions about Microsoft’s mobile device management (MDM) strategy. It can be confusing because to achieve the full spectrum of management functionality, multiple Microsoft products are required:

  1. Exchange ActiveSync (EAS)
  2. System Center 2012 Configuration Manager
  3. Windows Intune

Can you do some MDM with only EAS? Of course. Can you do MDM with only Intune? Absolutely. So how do you explain this multi-product approach to MDM? Although not strictly true, the way I like to look at it is as a series of layers, with each layer adding additional functionality, and Configuration Manager bringing it all together.

Layers, from the base up: Exchange ActiveSync (EAS), then Configuration Manager, then Intune.
  • Configuration Manager, through the Exchange connector, exposes the policy objects in the Configuration Manager console to create collection specific policies.
  • Configuration Manager provides additional value in the form of asset inventory of devices connecting through EAS as well as reporting and compliance management of EAS policies on the devices.
  • Configuration Manager provides the single pane of glass for managing EAS and Intune enrolled devices.
  • Intune provides the bridge to the vendor specific application stores “App Stores” (E.g. iTunes, Google Play, Windows Phone Store, etc.)
  • Additional policies and enforcement
  • Intune provides application management and hardware lifecycle management (enroll, manage, retire).
  • Intune provides interesting options like selective wipe and application delivery.

Microsoft calls this approach Unified Device Management (UDM), since it goes beyond simply managing mobile devices. Using the MS approach, all devices including servers, desktops, laptops, tablets, and mobile phones can be managed with the same tool set. Some might consider this too confusing and prefer a point solution with fewer moving parts; however, consider the following:

  1. Many organizations already have Configuration Manager in place
  2. Many organizations already have Exchange or hosted Exchange in place
  3. Using an incremental approach allows you to start small using the pieces you already have without purchasing new software and tailor the solution to your specific needs while controlling costs

Start with Exchange and Configuration Manager and add Intune when and where it makes sense.