Enterprise Mobility and Security Blog



When you think about how broad and diverse the scenarios for PC and mobility management have become, it is pretty amazing. These scenarios range from light-weight management (where the user is in charge of the device) to scenarios where the device needs to be locked down tight (where the IT team has control). The majority of the cases that require heavy management fall into what we refer to as “task worker scenarios.”

In task worker scenarios, the device user is usually performing a limited set of actions, and they are often only working within a single or a small number of apps. Examples of this include a PC that is running on an assembly line to monitor the production on that specific line. In this scenario, management is done with SCCM and Group Policy – and that PC is locked down super tight. Another task worker scenario is the Point of Sale (POS) device (PC or tablet) at a hair salon, or the tablet at the front of a restaurant that is being used for reservations and seating. Scenarios like the salon and restaurant are where we’re seeing a huge amount of Windows Intune and Enterprise Mobility Suite adoption.

There are a lot of real world examples of Intune in a task worker scenario that are already up and running. Toyota uses Intune to manage more than 3,000 PCs in their dealerships across Europe (read the case study here). We’ve also spent the last year working with a salon that uses Intune to manage more than 15,000 POS devices in their franchises all over the US.

Another interesting example is the British restaurant chain Mitchells & Butlers who use Intune to manage the iPods used by the wait staff to take orders, as well as the Android tablets used to assign seating and make reservations (check out the case study here). M&B will soon be managing more than 15,000 mobile devices – and all of that management is done by two IT Pros who are also using SCCM to manage the PCs at M&B headquarters. To see all of this in action check out this quick video:

I think M&B is a great example of how SCCM administrators can dramatically increase their impact and their role in an organization (as discussed before). This powerful combination of SCCM + Intune is the model for what an SCCM admin's future deployments can and should look like.

We have learned a lot working with thousands of organizations like the three noted above, and, as a learning organization, we have worked hard to add and improve features that address the specific scenarios and requirements IT Pros commonly encounter when setting up and operating the devices used in task-worker scenarios.

In an upcoming update to Intune, we’re providing new features that address the task-worker, corporate-owned device scenario. In this post, I’ll discuss these new features, the scenarios they cover, and how you can hit the ground running with these new tools.

Service-account Enrollment

This is the first big scenario we addressed: IT can define a special account (or several of them) called a Device Enrollment Manager that is not constrained by the current limit of five devices per user. A Device Enrollment Manager account can enroll up to 1,000 devices, on any (or across all) of the platforms Intune supports.

Consider a restaurant chain whose IT team sets up host-desk devices in 1,000 restaurants. A single enrollment manager account and password is used for all of those devices, and a device enrolled with this account cannot be un-enrolled from the management service by the person holding it, so it stays managed after enrollment and never leaves the control of IT.

To set this up, IT admins specify a user ID as a Device Enrollment Manager in the Intune Admin console. End users of these devices then use that ID and password to enroll the device, unconstrained by the existing limit of five devices per user. The high limit on this type of account allows it to be shared across hundreds of devices, or across multiple enrollment owners such as store managers. Because that one credential is shared across sites, handle it like any other privileged secret: give it only to the people who actually enroll devices, and change it in AAD if it is ever exposed. The process is streamlined every step of the way: all certificates needed for enrollment come down as part of the authentication of that service account, so IT doesn't have to worry about the certificate management overhead that might otherwise be required for device enrollment. Through AAD integration, account and password management for this account is done in one place. AAD really makes for a great unified experience across all Microsoft services.

Another scenario is that an IT team (also in the restaurant business) wants to use different Device Enrollment Manager accounts for different use-cases. Doing this provides a great way to target those devices with specific policies and apps by targeting each account – and, by extension, all devices enrolled through that account. In this scenario, an IT admin can enroll host devices with the HOSTDESK account, and store manager devices with STOREMANAGER. IT is then able to easily target host-specific policies by targeting the HOSTDESK user, and store manager policies by targeting the STOREMANAGER user. However, if customers prefer to target by device, we’re also enabling device targeting.

Support for iOS Device Enrollment through Apple Configurator

Apple has built and delivered tools to help with configuration and service enrollment, and I touched on some of these when I wrote about our Day Zero support for iOS 8. That Day Zero functionality is the result of the deep, careful integration we've built between Apple and Intune. With Apple Configurator support, iOS devices can be enrolled into Intune directly as devices (with no user attached), or they can prompt the user for AAD credentials at first boot so that the device is enrolled to that specific user.

The Configurator model we support is Setup Assistant, which also lets us support the lockdown settings of iOS supervised mode. On supervised devices managed by Intune, admins can configure an iOS device to run only a specific app (such as a POS app) and disable a variety of things (e.g. device rotation or the volume buttons).
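The supervised-mode lockdown described above, as an added example (not code from the original post, from Microsoft or from Apple): a Python script that builds the Single App Mode payload pinning a supervised device to one POS app, with rotation and the volume buttons disabled, and then audits the resulting .mobileconfig before it is staged with Configurator. The payload keys (com.apple.app.lock, App/Identifier, Options, PayloadRemovalDisallowed) are from Apple's Configuration Profile Reference; the bundle ID, organization and profile identifiers are placeholders, and the option choices beyond rotation and volume buttons are assumptions.

```python
"""
Added example (not from the original post, Microsoft or Apple): build and
audit a Single App Mode configuration profile for a supervised iOS device.
Bundle ID, organization and identifiers below are placeholders.
"""
import plistlib
import uuid

APP_LOCK_PAYLOAD_TYPE = "com.apple.app.lock"

# Device behaviours to switch off while the device is locked to one app.
# Keys not listed keep their default (False) on the device.
DEFAULT_OPTIONS = {
    "DisableDeviceRotation": True,    # the post's first example
    "DisableVolumeButtons": True,     # the post's second example
    "DisableAutoLock": True,          # assumption: keep the screen on between transactions
    "DisableSleepWakeButton": False,  # assumption: staff can still lock the screen
}


def build_single_app_profile(bundle_id, organization, identifier, options=None):
    """Return a configuration profile (as a dict) that pins the device to bundle_id.
    PayloadRemovalDisallowed stops the user deleting the profile from Settings;
    the app lock itself is only enforced on supervised devices."""
    opts = dict(DEFAULT_OPTIONS)
    if options:
        opts.update(options)
    app_lock = {
        "PayloadType": APP_LOCK_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".applock",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Single App Mode",
        "App": {"Identifier": bundle_id},
        "Options": opts,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "POS kiosk lockdown",
        "PayloadOrganization": organization,
        "PayloadRemovalDisallowed": True,
        "PayloadContent": [app_lock],
    }


def to_mobileconfig(profile):
    """Serialise the profile to the XML plist bytes a .mobileconfig file holds."""
    return plistlib.dumps(profile)


def audit_mobileconfig(data):
    """Parse .mobileconfig bytes and confirm the lockdown is really there.
    Returns a summary of what the device would enforce; raises ValueError on
    anything that would leave the device open (removable profile, no app lock,
    or an app lock that names no app)."""
    profile = plistlib.loads(data)
    if not profile.get("PayloadRemovalDisallowed"):
        raise ValueError("profile is user-removable")
    locks = [p for p in profile.get("PayloadContent", [])
             if p.get("PayloadType") == APP_LOCK_PAYLOAD_TYPE]
    if len(locks) != 1:
        raise ValueError("expected exactly one app lock payload, found %d" % len(locks))
    bundle_id = locks[0].get("App", {}).get("Identifier")
    if not bundle_id:
        raise ValueError("app lock payload names no app")
    options = locks[0].get("Options", {})
    return {
        "bundle_id": bundle_id,
        "rotation_disabled": bool(options.get("DisableDeviceRotation")),
        "volume_buttons_disabled": bool(options.get("DisableVolumeButtons")),
        "enabled_options": sorted(k for k, v in options.items() if v),
    }


if __name__ == "__main__":
    profile = build_single_app_profile(
        bundle_id="com.example.salon.pos",        # placeholder bundle ID
        organization="Example Salon Franchise",   # placeholder
        identifier="com.example.salon.kiosk")     # placeholder
    print(audit_mobileconfig(to_mobileconfig(profile)))
```

The audit step is the part worth keeping in a deployment pipeline: a profile that is accidentally user-removable, or whose app lock was dropped during editing, installs without complaint and leaves the device usable as a general-purpose tablet.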

Like the service account model, iOS Configurator-based enrollment also prevents users from un-enrolling and exposing the device (and the infrastructure behind it) to threats.

This model makes devices task-worker ready on first boot. They are either enrolled (and targetable) as devices on first boot, or the user is required to enter their credentials and enroll the device before it can be used. Either way, IT has a simple, user-friendly way to ensure that iOS devices are enrolled into Intune immediately after being turned on by the task worker.

IT can also prefix the name of the device so that, when it shows up in Intune, its use case is easily identifiable by name. As an additional security measure, IT Pros can pre-load the serial numbers of the devices into Intune to ensure that only devices with those specific serial numbers can enroll. IT can preconfigure which groups the device is put into based on the profile it uses – thus the device instantly gets the right policy and apps upon enrollment without any manual overhead by the IT admin.

Going back to our restaurant example, with iOS Configurator support the IT team at corporate headquarters can push a configuration profile to all their devices, then ship the devices to each restaurant, where the store manager turns them on. Simply by turning on the device, the Wi-Fi configuration is handled by the configuration profile and the device automatically enrolls itself into Intune. Once enrolled, the device begins receiving the policy and apps targeted to it. The device is ready for business on first boot, all by itself.

This feature is huge. Only trusted devices (called out by serial number) can enroll and receive the Wi-Fi configuration, policy and apps that follow, and because the profile already names the groups a device belongs to, each device lands in the right groups automatically without any IT overhead.

Additional Functionality

Last but not least: in the next few months we will add support for Apple's Device Enrollment Program. This means that our fictional restaurant chain can order devices directly from Apple, import all of the serial numbers through a CSV, and have the devices shipped directly to the restaurants, all without IT intervention or profile staging. The first time a device boots, it runs the configuration the customer defined in the Device Enrollment Program and enrolls directly into Intune.
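The serial-number allow-list pre-loaded into Intune (described in the Configurator section) and the CSV of serial numbers imported for the Device Enrollment Program above both rest on the same list, so here is one added example for both (not code from the original post or from Microsoft): a Python script that turns a purchase-order export into a clean allow-list. The list is the control that decides which hardware may enroll at all, so it should come from an authoritative source and be checked before import: a duplicated, blank or mistyped serial does not open the door to anything, but it does leave a legitimate device stuck at first boot in a restaurant with no IT on site. The sample export, the serial-number pattern and the headerless "serial,details" output layout are assumptions for illustration; confirm the import format your Intune tenant expects.

```python
"""
Added example (not from the original post or from Microsoft): clean an
inventory export of iOS serial numbers into an enrollment allow-list.
Input layout, serial pattern and output layout are assumptions.
"""
import csv
import io
import re

# Assumption: 10 to 12 upper-case alphanumerics covers the Apple serials of
# the era; tighten this to match your own fleet.
SERIAL_RE = re.compile(r"^[A-Z0-9]{10,12}$")

# Constructed sample export: header row, mixed case, stray whitespace,
# one duplicate, one blank and one malformed entry.
SAMPLE_EXPORT = """\
Store,Serial,Model
Boston 12,c02lx1abc123,iPad
Boston 12, C02LX1ABC123 ,iPad
Austin 03,F9FQ9ABCDEFG,iPad
Austin 03,,iPad
Denver 07,F9FQ9-ZZZ,iPad
Denver 07,dmpq9abc0xyz,iPad
"""


def normalize(serial):
    """Trim and upper-case so one device cannot appear twice in two spellings."""
    return serial.strip().upper()


def build_allowlist(export_text):
    """Return (accepted, rejected).
    accepted: list of (serial, details) rows in first-seen order.
    rejected: list of (line_no, raw_value, reason) for a human to chase up."""
    accepted, rejected, seen = [], [], set()
    reader = csv.DictReader(io.StringIO(export_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        raw = row.get("Serial") or ""
        serial = normalize(raw)
        if not serial:
            rejected.append((line_no, raw, "blank serial"))
        elif not SERIAL_RE.match(serial):
            rejected.append((line_no, raw, "unexpected format"))
        elif serial in seen:
            rejected.append((line_no, raw, "duplicate"))
        else:
            seen.add(serial)
            accepted.append((serial, "%s %s" % (row["Store"], row["Model"])))
    return accepted, rejected


def to_import_csv(accepted):
    """Write the allow-list as headerless 'serial,details' rows (assumed layout)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for serial, details in accepted:
        writer.writerow([serial, details])
    return out.getvalue()


if __name__ == "__main__":
    ok, bad = build_allowlist(SAMPLE_EXPORT)
    print(to_import_csv(ok))
    for line_no, raw, reason in bad:
        print("line %d rejected (%s): %r" % (line_no, reason, raw))
```

Keep the rejected list, not just the accepted one: a serial that fails the format check is usually a transcription error on the purchase order, and it is far cheaper to fix it at headquarters than after the device has shipped.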

A lot of painfully boring, manual tasks just got swept away – allowing IT Pros to work on the big picture projects they love.

As the task-specific market keeps booming, we will continue to invest heavily and preemptively to make Intune the best management option for all devices. The goal of our work is simple: Empower device users, IT Pros, and the devices they need – quickly and easily.