IT Pro Talk: Mobile device management and Windows Phone 8


Last month I introduced you to the business hub for Windows Phone 8, a site where IT professionals can find white papers and info for deploying Windows Phones in the workplace.

In this post, I’ll drill in a little and detail some of the mobile device management (MDM) capabilities of Windows Phone 8, highlighting related IT pro content and service offerings.

Businesses use mobile device management software to provide mobile access to email and deploy policies to help protect corporate data. Typical policies include turning on device encryption and mandating the use of a PIN or password to unlock the phone.

Windows Phone 8 offers several choices for mobile device management including Exchange ActiveSync support, Windows Intune, and Microsoft System Center Configuration Manager Service Pack 1 along with Windows Intune.

Exchange ActiveSync protocol (EAS) support allows Windows Phone 8 to synchronize email, calendar, task, and contact information with Exchange Server (Exchange Server 2003 SP2 and later) or Microsoft Office 365.

Similar to Group Policy settings for PC operating systems, EAS provides the ability to manage Windows Phones using security-related policies configured by an organization’s IT department. EAS security-related policy settings that can be managed using Exchange Server are:

| Policy setting | Description |
| --- | --- |
| AllowSimpleDevicePassword | Specifies whether a simple device password is allowed. |
| AlphanumericDevicePasswordRequired | Specifies whether the password must be alphanumeric. |
| DevicePasswordEnabled | Specifies whether a password is required. |
| DevicePasswordExpiration | Specifies the length of time that a password can be used. |
| DevicePasswordHistory | Specifies the number of previously used passwords to store. The user is not allowed to reuse these stored passwords when creating a new password. |
| IrmEnabled | Specifies whether IRM is enabled for the mailbox policy. |
| MaxDevicePasswordFailedAttempts | Specifies the number of attempts a user can make to enter the correct password for the mobile phone before a device reset to factory settings is initiated. |
| MaxInactivityTimeDeviceLock | Specifies the length of time that the phone can be inactive before the password is required to reactivate it. |
| MinDevicePasswordComplexCharacters | Specifies the number of character groups that are required to be present in the password. (Character groups include lower case alphabetical characters, upper case alphabetical characters, numbers, and non-alphanumeric characters.) |
| MinDevicePasswordLength | Specifies the minimum number of characters in the device password. |
| RequireDeviceEncryption | Specifies whether encryption is required on the device. (Once set, BitLocker conversion automatically starts encrypting the internal storage of the phone.) |
| RemoteWipe | Deletes data on the user data partition and resets the phone to factory settings. |
| AllowNonProvisionableDevices | A server-enforced setting that specifies whether all mobile phones can synchronize with the server running Exchange. When set to $true, this setting enables all mobile phones to synchronize with the Exchange server, regardless of whether the phone can enforce all the specific settings established in the EAS policy. This also includes mobile phones managed by a separate device management system. When set to $false, this setting blocks mobile phones that aren't provisioned from synchronizing with the Exchange server. |
| AllowStorageCard | Specifies whether the mobile phone can access information stored on a storage card. |
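As an added example (not from the original post), the settings above can be applied as one mailbox policy from the Exchange Management Shell and then read back to confirm what the server will enforce. It assumes the Exchange Server 2010 cmdlet New-ActiveSyncMailboxPolicy, whose parameter names match the table; the policy name, the values chosen, and the mailbox address are illustrative assumptions.

```powershell
# Added example; run in the Exchange Management Shell (Exchange Server 2010).
# Policy name, values and mailbox identity are assumptions for illustration.
$policyName = 'WP8-Baseline'   # hypothetical policy name

# Parameter names are the policy settings listed in the table above.
$settings = @{
    DevicePasswordEnabled              = $true
    AllowSimpleDevicePassword          = $false
    AlphanumericDevicePasswordRequired = $true
    MinDevicePasswordLength            = 6
    MinDevicePasswordComplexCharacters = 2
    DevicePasswordExpiration           = '90.00:00:00'   # 90 days
    DevicePasswordHistory              = 5
    MaxDevicePasswordFailedAttempts    = 8               # factory reset after 8 misses
    MaxInactivityTimeDeviceLock        = '00:05:00'      # lock after 5 minutes
    RequireDeviceEncryption            = $true
    AllowStorageCard                   = $true
    # $false blocks phones that cannot enforce every setting in this policy.
    AllowNonProvisionableDevices       = $false
}

New-ActiveSyncMailboxPolicy -Name $policyName @settings

# Read the policy back and flag any setting that differs from what was requested.
$policy = Get-ActiveSyncMailboxPolicy -Identity $policyName
foreach ($name in $settings.Keys) {
    if ("$($policy.$name)" -ne "$($settings[$name])") {
        Write-Warning "$name is '$($policy.$name)', expected '$($settings[$name])'"
    }
}

# Assign the policy to a pilot mailbox before rolling it out more widely.
Set-CASMailbox -Identity 'pilot.user@example.com' -ActiveSyncMailboxPolicy $policyName
```

With AllowNonProvisionableDevices set to $false, a phone that cannot enforce one of these settings is refused synchronization instead of silently ignoring the policy, so test against each device model before broad assignment.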

In addition to device management capabilities offered with EAS, Windows Intune offers device enrollment, configuration and reporting. With Windows Intune, businesses can manage their Windows Phone 8 devices (as well as existing iOS and Android devices) either directly or through Exchange ActiveSync from their admin console at https://admin.manage.microsoft.com/.


If Microsoft System Center 2013 Configuration Manager Service Pack 1 is deployed in your server environment, you can use the Windows Intune service to manage mobile devices while performing all management tasks from the System Center Configuration Manager Console rather than the Windows Intune admin console. More information about Windows Intune and Microsoft System Center 2013 Configuration Manager Service Pack 1 can be found at http://www.microsoft.com/en-us/windows/windowsintune/ and http://www.microsoft.com/en-us/server-cloud/system-center/configuration-manager-2012.aspx.

In addition to the Microsoft offerings mentioned here, Windows Phone 8 also supports popular third-party mobile device management offerings such as AirWatch, MobileIron, and others.

For more info on Windows Phone 8's mobile device management capabilities, check out these technical resources.

And if you’re an IT pro with comments about specific business-related topics you’d like to see me cover here, or you want to provide feedback on our white papers, please leave a comment or email me at WPITPro@microsoft.com.

6 Comments
  • I agree with mtstream99 & Nathan. I am using a Nokia Lumia 920 which doesn't even have SD card storage, but due to a Windows Phone 8 bug, it is reporting as having SD card storage (see link: support.microsoft.com/.../2464593). Windows Phone 8 sets storage card encryption to "no", and it will not allow the phone to sync (error code 85010013). This is a major letdown.

    The Microsoft workaround, which is basically asking your IT dept to create a customised security policy not requiring encryption on your device, is a lazy way of fixing issues. No IT dept in big corporations will take that extra effort to do that, and the fact that Windows Phone 8 adoption is low does not justify the extra effort.

    Microsoft, your effort to push into enterprise adoption will never bear fruit. When will you wake up and fix this? At least give the user the option to encrypt the SD card or fix the bug for misreporting of SD card presence when there is none in the first place.

  • Nathan, Msstream, if the storage card is restricted to media files, is encryption necessary? You can't put email or attachments there. Better to make an MDM for WP8 devices that don't have a storage card than try to force encryption of an SD that isn't present and will therefore fail. (Instructions for your IT team at support.microsoft.com/.../2464593.) It might be easier for admins if WP did what iPhone does and just ignored that policy, but it's better for it not to become accepted for devices to accept and ignore EAS policies ;-)

  • Can you please clarify if Windows Intune is necessary to be used or the management is possible with just SCCM SP1 in case the devices are all domain joined and company owned?

  • Nathan

    Agreed with mtstream99. This issue was reported and is being discussed on MS community website answers.microsoft.com/.../cf059499-3ce3-49e4-8069-ecdccd55a5f9.

    All concerned are eager to have input from WP team. Please relax this issue.

  • You forgot to mention that Windows Phone 8 doesn't support all the common Exchange ActiveSync security settings. WP8 sets storage card encryption to "no" and can't be changed. This lack of security support, by default, eliminates WP8 phones from any security-conscious enterprise. Any users who try to sync get error 85010013 and the choice of not syncing with Exchange or taking their WP8 phone back and exchanging for iPhone or Android.

    I'd love to know when MS plans on fixing this.

  • ADskg

    Pandora is the great management feature available to WP 8 users; more, we can get more management tools via WP 8.