Windows Intune is the cloud solution from which you can manage your PCs and/or mobile devices. In this series we focus on mobile device management, so we will skip the PC side of Windows Intune. Mobile device management via Windows Intune lets you manage your devices from anywhere and at any time without needing an infrastructure of your own. Let's see what Mobile Device Management options Windows Intune as a standalone solution is able to offer you.

Architecture Overview

Windows Intune is a multi-tenant management platform that allows multiple tenants (customers) to manage their devices without having to build their own complete management infrastructure. The "enterprise client" administrator connects via the web console to Windows Intune and can manage both the PCs that connect to the Windows Intune platform via the Windows-based client agent and the mobile devices that are enrolled into Windows Intune via the Direct Management channel.


Architecture overview

Via the Direct Management channel you can pull hardware inventory, push settings, publish line-of-business applications, publish deep links to the Windows Phone Store, Apple App Store and Google Play Store, and publish web links to websites that you want to make available to your users. Enabling Mobile Device Management in Windows Intune also lets you remotely wipe a device if it is lost, remotely reset its passcode, or remotely lock it.

Windows Intune MDM features

In addition to the Direct Management channel, Windows Intune also supports connecting to an on-premises Exchange 2010 (or later) environment or an Office 365 environment. To connect your on-premises Exchange environment you need to download and install the On-Premises Connector.

MDM Options in Windows Intune

Connecting to Exchange Server (on premise or in the cloud)

Enabling the Exchange connection with the hosted Exchange solution (Office 365) is easy when you use the same organizational account: click Set Up Service to Service Connector and you are all set. If you have an on-premises Active Directory you will probably want to let your users log on to the Windows Intune Company Portal with their email address and their Active Directory password. This can be accomplished in two ways:

  • Via the Windows Azure Active Directory Sync tool (DirSync) with password synchronization
    • Password hashes (not the clear-text passwords) are synced to Azure Active Directory
    • Authentication is done in Azure Active Directory
  • DirSync combined with Active Directory Federation Services (AD FS)
    • No passwords or password hashes are stored in the cloud (as long as password synchronization is not also enabled)
    • Authentication happens on your on-premises Active Directory

More on Single Sign On in a later blog post in this series.
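As an added example (not from the original post), the following PowerShell reports which of the two sign-on models a tenant actually uses. It relies on the MSOnline (Windows Azure Active Directory) module and assumes that module is installed and that you sign in with a tenant administrator account. It also flags the combination the list above does not cover: a federated domain with password synchronization still switched on, in which case password hashes do end up in the cloud despite AD FS.

```powershell
# Added example, not part of the original post. Requires the MSOnline module
# (Windows Azure Active Directory Module for Windows PowerShell) and a tenant
# administrator account; Connect-MsolService prompts for those credentials.
Import-Module MSOnline
Connect-MsolService

# Tenant-wide view: is DirSync running, and is password synchronization on?
$company      = Get-MsolCompanyInformation
$dirSync      = [bool]$company.DirectorySynchronizationEnabled
$passwordSync = [bool]$company.PasswordSynchronizationEnabled

[PSCustomObject]@{
    DirectorySyncEnabled = $dirSync
    LastDirSync          = $company.LastDirSyncTime
    PasswordSyncEnabled  = $passwordSync
    LastPasswordSync     = $company.LastPasswordSyncTime
} | Format-List

# Per verified domain: 'Managed' means Azure AD verifies the password itself
# (so it must hold a synced hash); 'Federated' means the logon is redirected
# to the AD FS endpoint and the on-premises AD verifies it.
Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' } | ForEach-Object {
    $domain = $_
    $note   = ''
    $logon  = $null

    if ($domain.Authentication -eq 'Federated') {
        $fed   = Get-MsolDomainFederationSettings -DomainName $domain.Name
        $logon = $fed.PassiveLogOnUri
        if ($passwordSync) {
            # Federation alone keeps hashes out of the cloud; with password
            # sync also enabled they are synced anyway, so the "no passwords in
            # the cloud" property of the AD FS option no longer holds.
            $note = 'WARNING: federated, but password hashes are synced to the cloud'
        }
    } elseif ($dirSync -and -not $passwordSync) {
        # Synced users in a managed domain without password sync have no
        # usable cloud password, so Company Portal logons with the AD
        # password will fail until one of the two options above is set up.
        $note = 'WARNING: managed domain without password sync; AD passwords will not work'
    }

    [PSCustomObject]@{
        Domain         = $domain.Name
        Authentication = $domain.Authentication
        AdfsLogonUrl   = $logon
        Note           = $note
    }
} | Format-Table -AutoSize
```

Run it once before and once after configuring DirSync or AD FS: the second column tells you where each domain's password is verified, and a non-empty Note column means the tenant is not in either of the two clean states described above.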

Over-the-air enrollment of devices

Windows Intune currently supports four mobile device platforms:

  • Apple iOS
  • Microsoft Windows Phone
  • Android
  • Microsoft Windows RT

These platforms can be enrolled over the air into Windows Intune. The user is responsible for enrolling their own device; currently there is no way for an administrator to enroll a device on a user's behalf. Enrollment can be done in two ways.

Enrollment via the Company Portal app:

  • Android devices
  • iPhone / iPad devices

Enrollment via the built-in OMA-DM (Open Mobile Alliance – Device Management) agent:

  • Windows RT devices
  • Windows Phone devices

Policy Support

Windows Intune offers a large set of mobile device policies that can be deployed to enrolled mobile devices. Depending on the operating system of the device and its manageability options, some settings will not apply to every operating system. In a later blog I will describe the policy deployment process in depth.

Application Distribution Support

Currently you can deploy the following applications via Windows Intune:

  • Windows applications (.appx files)
  • iOS applications (.ipa files)
  • Windows Phone applications (.xap files)
  • Android applications (.apk files)
  • Links to applications in the Windows Store, Windows Phone Store, Apple App Store and Google Play Store
  • Web links (deep links and websites)

In a later blog I will describe the application deployment process in depth.


Windows Intune offers a basic inventory of your enrolled devices; no software inventory is offered. Depending on the platform, more or less information is gathered.

In the next blog we will look at how to set up a Windows Intune environment very quickly. Earlier and upcoming subjects in this series are:

  • MDM via Exchange ActiveSync – overview / intro
  • MDM via Windows Intune – overview
  • MDM via Windows Intune – setting up the environment
  • MDM via Windows Intune – setting up policies
  • MDM via Windows Intune – deploying applications
  • MDM via Windows Intune – remote tasks
  • MDM via Windows Intune – troubleshooting
  • MDM via ConfigMgr 2012 R2, Windows Intune & Exchange ActiveSync – overview
  • MDM via ConfigMgr 2012 R2, Windows Intune & Exchange ActiveSync – setting up the environment
  • MDM via ConfigMgr 2012 R2, Windows Intune & Exchange ActiveSync – setting up policies
  • MDM via ConfigMgr 2012 R2, Windows Intune & Exchange ActiveSync – deploying applications
  • MDM via ConfigMgr 2012 R2, Windows Intune & Exchange ActiveSync – remote tasks
  • MDM via ConfigMgr 2012 R2, Windows Intune & Exchange ActiveSync – troubleshooting
  • The complete MDM solution with Exchange 2013, ConfigMgr 2012 R2 and Windows Intune

Earlier blogs in the Mobile Device Management space were: