Managing Encryption on Mobile Devices with Configuration Manager and Intune

Managing Mobile Devices Encryption with Configuration Manager and Windows Intune

In this blog I will detail the steps (with screenshots) on how to implement and monitor Mobile Device Encryption using Configuration Manager 2012 R2 and Windows Intune.  I will outline the following:

  1. Enroll a Windows Phone 8.1 Device to be managed by Configuration Manager and Windows Intune
  2. Create Windows Intune Collections (Users and Devices)
  3. Create Compliance Settings - Configuration Item with Encryption Policy
  4. Create Compliance Settings - Configuration Baseline with Configuration Item
  5. Deploy Configuration Baseline to Collections
  6. Monitor Configuration Baseline Deployment

This blog post assumes that you already have Configuration Manager and Windows Intune up and running and are knowledgeable in operating and managing devices with Configuration Manager.


Enroll a Device

These are the steps to enroll a Windows Phone 8.1 Device to be managed by Configuration Manager and Windows Intune.

Go into Settings on Windows Phone 8.1 Device and select Workplace. Click on Add Account and then enter your email address and select Sign In.

Enter your Password and click Sign In to Enroll.  Finally, select Install Company App and click Done.

Once you Enroll your phone, you can expect policy and changes to take effect within an hour.  You can also force a policy refresh by clicking on the Refresh Button.


Create Configuration Manager Collections

I created User and Device Collections.  I have a User Collection called All Windows Intune Users and multiple Device Collections.  I will focus on creating the Device Collections below:

All Mobile Devices

Built-In Collection.  All Mobile Device Collections below are limited to this Collection.

All Mobile Windows Phone Devices

Criteria: System Resource.Agent Edition is equal to 4

All Mobile iPhone Devices

Criteria: System Resource.Agent Edition is equal to 8

All Mobile Android Devices

Criteria: System Resource.Agent Edition is equal to 11

I only have one Windows Intune Users Collection that queries an AD Group.  This collection defines which users will be able to enroll their devices for management.

All Windows Intune Users

Criteria: User Resource.User Group Name is equal to "CONTOSO\Windows Intune Users"
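The same collections, built with the Configuration Manager 2012 R2 PowerShell cmdlets and the WQL the console's query rule editor generates for the criteria above. This is an added example, not from the original post; it assumes a placeholder site code PS1, that the user collection is limited to the built-in All Users collection, and the Agent Edition values and AD group name quoted above.

```powershell
# Added example (not from the original post). Assumptions: site code "PS1" is a
# placeholder, the user collection is limited to the built-in "All Users" collection.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "PS1:"   # replace with your site code

# Agent Edition values as quoted in the post; every device collection is limited
# to the built-in "All Mobile Devices" collection.
$mobileCollections = @(
    @{ Name = 'All Mobile Windows Phone Devices'; AgentEdition = 4  }
    @{ Name = 'All Mobile iPhone Devices';        AgentEdition = 8  }
    @{ Name = 'All Mobile Android Devices';       AgentEdition = 11 }
)

foreach ($c in $mobileCollections) {
    # WQL equivalent of "System Resource.Agent Edition is equal to N"
    $wql = @"
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.AgentEdition = $($c.AgentEdition)
"@
    New-CMDeviceCollection -Name $c.Name -LimitingCollectionName 'All Mobile Devices' | Out-Null
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $c.Name `
        -QueryExpression $wql -RuleName "AgentEdition $($c.AgentEdition)"
}

# User collection that gates who may enroll: members of the AD group.
# The domain separator is doubled because WQL string literals escape backslashes.
$userWql = @"
select SMS_R_USER.ResourceID, SMS_R_USER.ResourceType, SMS_R_USER.UserName,
       SMS_R_USER.UniqueUserName, SMS_R_USER.WindowsNTDomain
from SMS_R_User
where SMS_R_User.UserGroupName = "CONTOSO\\Windows Intune Users"
"@
New-CMUserCollection -Name 'All Windows Intune Users' -LimitingCollectionName 'All Users' | Out-Null
Add-CMUserCollectionQueryMembershipRule -CollectionName 'All Windows Intune Users' `
    -QueryExpression $userWql -RuleName 'Windows Intune Users AD group'
```

Run it from a console PowerShell session on a machine with the Configuration Manager console installed; the Agent Edition values apply as stated in the post for this environment and should be checked against your own site before reuse.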


Create Configuration Item - Encryption Policy

From the Configuration Manager Console, navigate to the Assets and Compliance Node.  Select Configuration Items, right-click and select Create Configuration Item.

Select Encryption under the Select the mobile device setting groups to configure. Click Next.

Change File encryption on mobile device from Not Configured to On.   You can select Remediate noncompliant settings to force Encryption on devices that support that feature.  I changed Noncompliance severity for reports to Critical.

Under the Supported Platforms screen, uncheck Select All and then only select Windows Phone 8.1.

The following page is Platform Applicability.  If any of the selected settings are not supported by all selected platforms, they are listed on this screen.  Encryption is supported on Windows Phone 8.1, so there is nothing to show here; I just clicked Next.

Next is the Summary Page.

Completion Page.


Create and Deploy Configuration Baseline

Navigate to the Assets and Compliance Node in the Configuration Manager Admin Console.  Select Configuration Baselines, right-click and select Create Configuration Baseline.

Enter a Name: All Windows Phone 8.1 Encryption Baseline, and a Description if desired.

From the Configuration Data section, click on Add and Choose Configuration Items.

Select the All Windows Phone 8.1 Encryption Policy Configuration Item that was created in the previous step, click Add, then OK. You can add multiple Configuration Items if desired.

Now that the Configuration Baseline is created, the next step is to deploy the Baseline to a Collection.

Right-click the Configuration Baseline and select Deploy. You can select multiple options for Remediation and Generating an Alert.  I chose the All Windows Intune Users Collection and a Simple Schedule to run every 4 hours.

Click OK to Complete the Deployment.


Monitoring Baseline Deployment

There are multiple ways to monitor and report on the Encryption Status of the devices in our Deployment.  Navigate to Monitoring Node in Configuration Manager Console.  From here, we can utilize Alerts Node, Reporting Node and Deployments Node to monitor and track Encryption Status of the devices.

Here are screenshots from the Deployment Status:

Each Deployment Status will show Compliant, Error (if a Configuration Item does not apply), Non-Compliant and Unknown (if a device has not yet received the policy).

This screen shows that Andrew's Windows Phone is Encrypted and therefore Compliant.

The Non-Compliant Tab shows that Dawn and Madison's Windows Phones are not Encrypted and therefore Non-Compliant.

There are also 17 Built-In Compliance and Settings Reports.

And finally, we have Alerts that can be configured when deploying each Baseline.

This concludes a high-level overview of how to monitor the Encryption Status (or any other Mobile Device Setting).