Mobile device windows phone

Перед прочтением темы настоятельно рекомендую ознакомиться со Справками и инструкциями Microsoft.

Если какие-то пункты FAQ’a совместимы только с WP7 или WP8, дайте знать об этом в QMS gavrila

Сообщение отредактировал zheka_x — 23.11.13, 14:40

Сообщение отредактировал gavrila — 31.07.15, 14:40

Как устанавливать приложения и игры из XAP?

alex
Для установки приложения из XAP, на Вашем смартфоне должен быть сделан джейлбрейк. Подробности можно узнать здесь.

Способ №1:

1. Установите Windows Phone Developer Tools
2. Откройте Application Deployment tool (Пуск-> Windows Phone Developer Tools -> Application Deployment) и следуете инструкциям.

Способ №2:
1 этап:

1. Установите Windows Phone Developer Tools
2. Скачайте и распакуйте архив с последней версией Tom XAP Installer
3. Запустите Tom XAP Installer.exe
4. Поставьте галочку около «Enable Tom XAP Installer» и закройте окно
   

Примечание: действия описанные в 1 этапе нужно выполнить только один раз. Желательно не удалять и не перемещать Tom XAP Installer.exe

2 этап:

1. Подключите устройство к ПК
2. Запустите Zune
3. Проверьте, что устройство не заблокировано (т.е. открыт начальный экран)
4. Скачайте приложение в .xap
5. Откройте его
6. Нажмите Install и дождитесь окончания установки
   

Способ №3:

1. Скачайте и распакуйте архив с последней версией Homebrew Windows Phone 7 Market
2. Откройте XAPDeployX.exe
3. Выберите куда вам необходимо установить XAP (Windows Phone 7 Device — Устройство, Windows Phone 7 Emulator — Эмулятор)
   
4. Нажмите Browse и выберите XAP, который вам необходимо установить и нажмите Открыть. Также вы можете просто перетащить XAP на программу, не нажимая кнопку Browse.
   

   

5. Нажмите кнопку Deploy
   

Преимуществом третьего способа можно считать отсутствие необходимости устанавливать Windows Phone 7 Developers Tools. Также, есть альтернативный вариант выполнения третьего шага — в Homebrew Windows Phone 7 Market нажмите Options и выберите «Register filehandler». После данной операции вы можете просто открывать XAP файлы в проводнике, Homebrew Windows Phone 7 Market будет запускаться автоматически.

Список возможных ошибок при установке приложений и их решение:

Сообщение отредактировал Alex — 04.02.12, 22:57

Как устанавливать приложения и игры из Marketplace?

alex
Загружайте приложения и игры с телефона или на ПК, где бы Вы ни находились.
Загляните в Marketplace – виртуальный магазин Microsoft, предлагающий приложения, игры и другие развлечения для Вашего телефона. Многие приложения и игры в Marketplace бесплатны, остальные можно опробовать до покупки.

Прежде, чем Вы опробуете или купите приложение или игру
— Используя Ваш Windows Live ID, войдите в службу Windows Live для получения доступа к сервисам Windows Live, Zune и Xbox LIVE.
— Установите программное обеспечение Zune для синхронизации приложений и игр между Вашим ПК и телефоном.

Загружайте приложения в Ваш телефон

1. Чтобы начать, нажмите на значок Marketplace
2. Нажимайте значки приложений.
3. Двигайте экран влево или вправо, чтобы увидеть наиболее популярные, новые или связанные приложения, а также для доступа к категориям. Когда Вы найдете нужное приложение или игру, нажмите на нее.
4. Если Вы хотите установить бесплатное приложение или игру, нажмите Установить (Install) дважды, чтобы подтвердить установку и скачать его на Ваш телефон.
5. Если Вы хотите приобрести приложение или игру:
   1. Нажмите Купить (Buy) для приобретения платного приложения.
   2. Или нажмите Попробовать (Try) (если это доступно) для установки пробной версии приложения.

   Выполните одно из перечисленных действий:

   • Если Вы скачиваете пробную версию приложения, нажмите Установить (Install).
   • Если Вы приобретаете приложение, нажмите Купить (Buy), выберите удобный Вам способ платежа (Вы можете оплачивать приложения кредитной картой или со своего мобильного счета) и нажмите Купить (Buy) еще раз.

   Памятка
   По умолчанию плата за покупки списывается с Вашего мобильного счета или включается в счет, если у Вас постоплатный тариф (данная услуга должна поддерживаться Вашим мобильным оператором, в России этот метод недоступен). Или Вы можете использовать Вашу кредитную карту: в диалоге Подтверждения покупки (Purchase screen) нажмите Изменить способ оплаты (Change payment method) и выберите Добавить кредитную карту (Add a credit card) (или сразу нажмите Добавить кредитную карту (Add a credit card)). Далее следуйте инструкциям на экране Вашего телефона.
   
   
   Скачивание и установка приложения или игры займет несколько минут, в зависимости от объема загружаемых данных. Прогресс загрузки виден на экране.

   Советы

   • Чтобы проверить прогресс установки приложения или игры, которые Вы в данный момент загружаете, нажмите Проверить установку (Check install)
   • Чтобы приостановить загрузку приложения, нажмите и удерживайте его иконку на экране загрузки Marketplace (нажмите Проверить установку (Check install) или ссылку на загрузку в нижней части хаба Marketplace), затем нажмите паузу. Для возобновления загрузки приложения, нажмите и удерживайте его иконку, затем нажмите Продолжить (Resume).

   Вы найдете Ваши новые приложения в Списке программ (App list) (сдвиньте экран влево от Начального экрана (Start)). Вы найдете Ваши новые игры в хабе Игры (Games) (на Начальном экране (Start) нажмите Игры (Games) и сдвиньте экран влево к коллекции).

   Совет
   Ищете определенное приложение или игру? Войдите в Marketplace и нажмите Поиск (Search).
   

Загрузите приложения на Ваш ПК

1. Подключите Ваш телефон к ПК используя usb-кабель.
2. На Начальном экране (Start), нажмите Все программы (All programs), затем нажмите Zune.
3. Если Вы не вошли, нажмите Войти (Sign In), затем войдите, используя тот же идентификатор Windows Live ID, который Вы используете на Вашем телефоне.
4. Нажмите Marketplace > Apps. В Устройствах (Devices) нажмите Windows Phone.
   
5. Ищите приложения или игры по жанру или используя Поиск (Search box).
6. Нажмите на заинтересовавшее Вас приложение, затем нажмите Опробовать бесплатно (Free trial) или Купить (Buy), чтобы опробовать или купить приложение или игру. Или нажмите Бесплатно (Free) для установки бесплатного приложения. Следуйте инструкциям на экране. Если Вы хотите добавить в Ваш аккаунт информацию о новой кредитной карте, Вы можете добавить ее из программного обеспечения Zune, установленного на Вашем ПК (нажмите Установки > Аккаунт > Добавить кредитную карту (Settings > Account > Add a credit card) или перейдите по ссылке в Zune Account Center.
   
7. Чтобы увидеть приложения и игры на Вашем телефоне, отсоедините его от ПК. Вы найдете:
   • Приложения – в Списке программ (Apps list) сдвиньте экран влево от начального экрана (Start).
   • Игры — в хабе Игры (Games) (на Начальном экране (Start) нажмите Игры (Games) и сдвиньте экран влево к коллекции).

Примечание

• Приложения синхронизируются напрямую с Вашим телефоном и не добавляются в коллекцию Zune на Вашем ПК.
• Если Вы приобрели Ваше приложение в Zune в то время, как Ваш телефон не был соединен с ПК, приложение будет загружено по беспроводному соединению в течение 24 часов. Если Вы впоследствии подключите Ваш телефон к Вашему ПК, загрузка будет продолжена по беспроводному соединению.
• Marketplace может быть недоступен в Вашей стране или регионе.

Сообщение отредактировал gavrila — 02.04.12, 14:34

С помощью каких программ можно подключить смартфон к компьютеру?

Скачать Windows Phone Device Manager 1.10.0.0

На этой странице вы можете скачать Windows Phone Device Manager 1.10.0.0 для Windows 10 Mobile и Windows Phone бесплатно, программа совместима со всеми смартфонами на этих платформах по системным требованиям, но в некоторых случаях может не работать.

Windows Phone Device Manager — это неофициальный менеджер для телефонов на Windows Phone 7. Программа дает возможность использовать телефон как накопитель, устанавливать свои мелодии на звонок, сохранять скриншоты с экрана, делать синхронизацию Windows Phone и многое другое. При подключении смартфона к ПК он должен определить его автоматически и установить на него приложение TouchXperience.

Особенности Windows Phone Device Manager:

• просмотр, установка/удаление и обновление приложений.
• обмен файлами.
• подробная информация о телефоне.
• подробная информация о накопителе.
• добавление и удаление своих мелодий.
• отправка СМС и емэйл прямо с ПК.
• возможность сделать скриншот с экрана телефона.
• резервирование данных и управление резервными копиями (восстановление).
• полный доступ к установленным приложениям.
• общий буфер обмена ПК со смартфоном.
• интеграция с Internet Explorer.
• интеграция с панелью управления.
• детальный просмотр XAP файлов в проводнике Windows.
• возможность инициировать подключение и с ПК и со смартфона.
• поддержка WI-Fi подключения.
• оповещение об обновлении установленных приложений.
• отображение информации об аккумуляторе, и оповещение о его разряде.
• перезагрузка смартфона.

Особенности приложения TouchExperience:

• создание пользовательского меню
• добавляет папки, приложения, контакты, веб-сайты, карты, документы и многое другое в виджеты
• прикрепляет приложения, игры, папки на стартовый экран
• файловый менеджер
• поддержка многозадачности
• настройки фоновых изображений
• менеджер контактов
• менеджер подключений

• разблокированное устройство на Windows Phone.
• Windows Vista или Windows 7 32/64-bit.
• . NET Framework 4.0.
• Zune Software 4.8 или более поздний.
• Zune WMDU (опционально).
• Windows Phone SDK 7.1 или более поздний (скачать).

Windows Phone Device Manager должен работать на любой версии WP7.

PLACEHOLDER DATA FOR PI — DO NOT DELETE

Bring your own device is no longer just a trend—it is arguably the dominant workplace culture. More employees are using personal devices for work, creating a unique set of challenges for IT teams that must balance user convenience and data security. Microsoft uses Enterprise Mobility Suite and other services to manage identity, devices, and applications. Now, simplified and integrated IT solutions enable employees to be productive on any device.

Situation

In a bring your own device (BYOD) work environment, users expect to be able to work from any location at any time, on the device of their choice. Moreover, users now typically have several identities, meaning that they use their devices in both work-related and non-work-related contexts. For example, they might bring a personal tablet to a business meeting and expect to access files on a team’s Microsoft SharePoint site, or they might present a Microsoft PowerPoint presentation over Microsoft Skype for Business. They’re likely to check both work and personal email accounts on their phone, and may use their phone camera to take photos of whiteboard sessions to help them remember what a work group collaborated on during a meeting. On both types of device, they’re likely to have a mix of apps, some for personal use and some for work.

But as the traditional boundaries between work and personal life blur the use of these devices, it’s critical that devices be managed in a way that is acceptable to the entire business. Data policies, such as encryption, password length, password complexity, and password duration, must provide corporate data security on all devices while maintaining the privacy of workers’ personal information.

IT must be able to identify, with certainty, who a user is and if a device should have access to corporate resources. Current trends suggest that workers change jobs and companies several times over the course of a career, so IT needs a way to account for this flux of people and devices. What should IT do if a device is lost or an employee leaves the company? What is the best way to ensure that corporate resources are wiped from a personal device that should no longer have access to them?

In short, the situation for IT is about managing data, managing access to that data, and handling the use of multiple accounts and identities on a device.

Solution

Microsoft Digital has been involved in mobile device management (MDM) for several years and is evolving strategies and best practices to ensure the proper balance between convenience and security as BYOD becomes the norm in organizations of all sizes.

Microsoft Digital approaches MDM a bit differently today than it did in the past. Even as recently as 2013, the focus was much more on providing access to applications. Now, however, the focus is on access as defined by certificate and profile provisioning. In the future, the focus will be on conditional access that is based on the state of the device as interpreted through the MDM system and Microsoft Azure Active Directory.

The Microsoft Intune and Microsoft Azure teams are working together to provide solutions so that Microsoft Digital can address a range of related issues: identity and access management, mobile device and app management, and information protection. The first step is to make Microsoft Digital cloud-based and enable a mobile workforce.

Identity and access management

For employees who use multiple devices for work, a key convenience—a requirement, even—is to have single sign-on (SSO) and a common identity, so that they can get their work done on whatever device suits them at the moment. A common identity enables application access management, regardless of whether those applications are on the device or in the cloud. This ensures that the user can have a consistent experience across devices and remain as productive as possible.

Microsoft Digital is delivering identity and access management by providing that SSO experience, using federation to manage access to external resources, and consistently managing identities across on-premises and cloud-based identity domains. This helps Microsoft Digital address the matter of managing access.

The following are some specific features:

Microsoft Digital provides users with a common identity across on-premises and cloud-based services through Microsoft Windows Server Active Directory and by connecting to Azure Active Directory.

Microsoft Digital uses Active Directory Federation Services (AD FS) to connect with Azure for a consistent, cloud-based identity.

Through their accounts in Azure Active Directory, users have a common identity across Azure, Microsoft Office 365, and third-party applications.

Developers can build applications that use the common identity model, integrating applications either with Active Directory Domain Services for on-premises applications or with Azure for cloud-based applications.

Azure Active Directory syncs with on-premises Active Directory Domain Services through Azure AD Connect. Azure Active Directory enables self-service password changes and resets, and self-service group management for internal users. It also supports multifactor authentication, so that internal users don’t have to carry around their smart cards.

Multifactor authentication provides an additional layer of security in case a device falls into the wrong hands or is used improperly. When a user attempts to log on or perform an action that is subject to multifactor authentication, the application or service confirms the user’s identity by sending a text, making a phone call, or using a mobile app. Typically, this additional authentication factor is a numeric code, such as a personal identification number (PIN), and may only be intended for a single use. The user must respond (usually within a limited period, such as 10 minutes) before the application or service allows him or her to proceed.

Credential caching enables enterprises to determine how long credentials can be cached on a device. This allows the enterprises to customize the user experience when users access applications and resources on devices. For example, enterprises can specify how long credentials pass through during logon or device registration, so that users do not have to enter their credentials so many times.

Mobile device management

Users prefer a consistent experience when they access and work with their line-of-business (LOB) apps, no matter what device they use, how often they use it, and what platform it runs. Device enrollment should be simple, and the process for finding and working with apps and other internal resources should be familiar. In addition, policies should help users feel secure that their personal data is protected on devices that they also use for work, and it should be possible to remove devices that users no longer want included in a managed environment.

Device enrollment

Users can enroll a device relatively quickly in Intune. Notably, the process is opt-in rather than opt-out. This sets a friendlier tone for the experience, because it doesn’t feel like a mandate. Users recognize the value of being able to use personal devices for work, and voluntarily enroll them.

Similarly, when users no longer want to use a device for work, they can easily remove it by using the Intune console (the web portal for information workers). For example, if a device has been lost or stolen, the user can either remove it for himself or herself, or request that Microsoft Digital do so. When a device is removed, corporate assets are automatically removed from it. Devices can be completely wiped or just selectively wiped. See the “Device retirement/wiping” section later in this document.

Intune provides a single administrative console that it can use to manage all enrolled devices. One administrative advantage of this solution is the ability to create reports, such as security and audit reports.

Provisioning of the Company Portal

For users who connect to corporate resources on mobile devices, Microsoft Digital now relies on its Company Portal to provide a kind of “one-stop shopping” experience for installing and using the Microsoft Windows or LOB apps that they need. Currently, users on iOS or Android platforms install the Company Portal from a separate site. For users on Windows or Windows Phone platforms, the Intune service pushes the Company Portal out to the device.

The Company Portal includes approximately 350 apps—and the number is growing at a rate of 10 to 15 new apps per month. Provisioning also includes updates of existing apps—as many as 35 to 40 are updated per month. Each month, there are approximately 30,000 application installations, and availability of the service has been more than 99 percent.

One goal that Microsoft Digital has for the Company Portal is to create apps that package streams of content and functionality for specific roles and use cases. For example, for users in field sales and marketing, the GearUp app provides a quick reference to every product that Microsoft sells, including value propositions and competitive differentiation. For users who do a lot of business travel, an app is available to instantly track expenses while they are on the go, helping users complete expense reports more quickly for improved compliance.

Policies across mobile devices

Whether they are related to encryption, passwords, security, email management, or another fundamental issue, policies are the cornerstones of MDM in an organization. In Intune, users see a dialog box that informs them about policies. They can then select to allow apps and services from Microsoft Digital, or they can cancel device enrollment.

Although users do not always fully appreciate this fact, policies are a form of protection for them too. Their own personal data on the devices that they use for work is more secure when other users and devices in the same environment are managed by policies. For more information about compliance settings for mobile devices, see the “Policy and security configuration” section.

Mobile application management

From an application standpoint, user and device provisioning is an important piece of the mobility landscape in organizations. For example, after app deployment, the app owner can use tools such as Operations Manager in Microsoft System Center to discover issues such as application dependencies, monitor application components, and isolate the cause of issues that are found during monitoring. They can even triage and remediate in Microsoft Visual Studio to fix any issues in the code. From an IT perspective, apps must be managed securely within the overall MDM service. LOB apps should be signed and should be accessed only by managed users.

Information protection

Microsoft Digital has several goals for information protection, such as keeping corporate data secure, managing data rather than the user, and providing access to data on any trusted device. Techniques for achieving these goals include encryption and policies, as mentioned earlier.

Additionally, Intune enables access to company resources through certificate profiles. When certificate profiles are used to configure managed devices with the certificates that they need, device users can connect to on-premises company resources by using connections such as Wi-Fi or a virtual private network (VPN). When Microsoft Digital deploys certificate profiles, it provisions devices with a trusted root certificate for the company’s public key infrastructure (PKI) and configures them to request device-specific certificates.

Microsoft Digital will be offering conditional access features to help improve the precision of access and protection. For example, users who require just read-only access to a file or resource will be restricted from editing, printing, or forwarding it. One of the most significant scenarios for conditional access is email provisioning, but other scenarios include certificate provisioning and profile provisioning. Taken together, these techniques help address data management.

Deployment

Although Microsoft Digital is evolving its approach to MDM, it’s important to consider, from a tactical perspective, how exactly it performs MDM. The information in this section describes, in detail, a deployment solution for a hybrid environment that includes both System Center Configuration Manager and Intune. Although smaller organizations might need only Intune (a stand-alone rather than hybrid environment), most medium to large organizations, including Microsoft, already have Configuration Manager and use it in combination with Intune.

Architecture

MDM consists of a series of components that work in concert:

Configuration Manager provides the central administration console for administering both on-premises and cloud-based devices.

The Intune subscription establishes the connection between Configuration Manager and Intune. It specifies the configuration settings for the Intune service, such as which users can enroll their devices and which mobile device platforms should be managed.

Microsoft Intune Connector site system role, which is a Configuration Manager site role, acts as a gateway between Intune and on-premises Configuration Manager, sending settings and software deployment information to Intune, and retrieving status and inventory messages from mobile devices.

Figure 1. Microsoft Digital MDM infrastructure

The following sections describe the various activities that are involved in the Microsoft Digital MDM deployment.

Deployment process

Microsoft Digital took a five-step approach to deploying MDM in its existing Configuration Manager environment.

Step 1: Build a Configuration Manager 1511 or SP1 environment

Microsoft Digital added a Configuration Manager 1511 primary site that is specifically for MDM to the corporate domain hierarchy. Server hardware consisted of the following:

A primary site server that uses a virtual machine with 12 gigabytes (GB) of RAM and four core processors

A Microsoft SQL Server with 64 GB of RAM and six core processors

A separate site for MDM is not required. Because MDM can scale to large volumes of devices, most small and medium organizations will not need a separate site and can incorporate MDM into their existing site hierarchy.

Step 2: Provision users

Microsoft Digital performed user discovery for the entire Microsoft corporate Active Directory forest by using the existing production Configuration Manager environment. This process took a few hours because of the large user base in Microsoft, but it ensured that all users were added to a user collection before MDM was enabled.

Organizations must consider the extent of their BYOD environment to determine if they need to perform a full user discovery, or whether the users who are allowed to enroll their mobile devices should be added manually to Configuration Manager.

Step 3: Provision Intune services

Microsoft Digital worked with the Azure Active Directory team to provision Intune services for the Microsoft IT organizational user (tenant) account and set up the MDM services Admin (the account that is used for authentication when the Intune subscription is created in Configuration Manager). Microsoft IT also worked with the Active Directory team to configure Azure AD Connect and Active Directory Federation Services Windows Server 2012 R2. Azure AD Connect ensured that all users were synchronized into the cloud, and AD FS enabled users to use SSO to access all cloud services.

Microsoft had an existing tenant account because it already used Microsoft Office 365 and other cloud services; it also had Azure AD Connect and AD FS in place to synchronize data into the cloud. Companies that do not have these services in place will need to complete these tasks:

Sign up for an Intune organizational (tenant) account.

Deploy and configure Azure AD Connect to synchronize on-premises Active Directory users with the Azure AD Connect, creating the user ID that is used for cloud-based applications.

Deploy AD FS to allow for a single identity for each user across both on-premises and cloud-based applications.

Step 4: Set up DNS redirection

Most companies will benefit from creating a Domain Name System (DNS) alias (CNAME record type) to redirect enterprise enrollment to .com to allow for server auto discovery. This means that users will not need to know the actual server name when they enroll their device.

Step 5: Acquire device-specific certificates

Each device platform has different requirements for loading applications. Microsoft Digital worked with the Microsoft App team to acquire the certificates that are required for the supported mobile devices.

MDM configuration

Enabling MDM requires creating an Intune subscription and defining an Intune Connector role in Configuration Manager. MDM is now equipped to work with any device platform, including iOS, Android, and Windows Phone. To set up and configure MDM, Microsoft Digital completed these steps:

Create a new Intune subscription. In the Subscription Wizard, Microsoft Digital selected Allow the Configuration Manager console to manage this subscription. This enabled Configuration Manager to become the authoritative source for managing all mobile devices, providing a single administration console for on-premises systems, cloud-connected devices, and application life cycle management.

Define a user collection. Microsoft Digital created a custom user collection for all Microsoft employees, based on the users who were discovered during user discovery for the entire Microsoft corporate Active Directory forest. This ensured that members of this collection were licensed for enrollment in MDM.

Configure the platform, certificates, and keys. For each platform, Microsoft Digital applied the required certificates.

Assign a connector role. Microsoft Digital added the Intune Connector site server role to the Central Administration Site (CAS) server. The Intune Connector server role communicates directly with Intune and provides the communication gateway between Configuration Manager and Intune for all incoming and outgoing communication.

Cloud User Sync monitoring

After MDM is configured, a Configuration Manager component named Cloud User Sync provides communication between Configuration Manager and Intune. It monitors the collection of users for additions, synchronizes changes with Intune to license users, and enables users to enroll their devices.

Microsoft Digital makes the following recommendations for Cloud User Sync monitoring:

Use delta user discovery and incremental updates. When delta discovery is enabled in AD User Discovery settings, and incremental updates are selected in the collection settings, updates are synchronized more often. This ensures that licensing new users and removing licenses for disabled users occur quickly.

Use default Cloud User Sync settings. Cloud User Sync synchronizes changes, such as when new users who have been added to the collection are licensed and enabled for enrollment or when the Intune license is revoked for users who have been removed from the collection. By default, synchronization occurs every five minutes and is a minimal burden on the Configuration Manager hierarchy and network.

Monitor the following Intune Connector log files:

Dmpdownloader.log to monitor policy changes that are downloaded from Intune to Configuration Manager

Dmpuploader.log to monitor policy changes that are uploaded to Intune from Configuration Manager

Cloudusersync.log to monitor user licensing in Intune

Use the CloudUserID field in the User_Disc table in Configuration Manager to identify whether users are licensed:

Null indicates that a user is not licensed to enroll devices.

All zero GUID indicates that a user was previously licensed but is no longer a member of the user licensing collection.

Non-zero GUID indicates that a user is licensed to enroll devices.

Users do not have to be licensed separately for each device. When a user is licensed, he or she is licensed for up to 20 devices.

Device enrollment

In addition to configuring the MDM architecture, Microsoft Digital had to plan the user experience as part of its deployment. It wanted to ensure that the process for enrolling devices had these characteristics:

It provides a good user experience, where users can enroll their devices, gain access to the Company Portal, and install LOB applications with minimal user intervention.

It enables users to become productive quickly with LOB apps by providing a seamless SSO installation. AD FS enables Microsoft users to use the same credentials (their corporate user ID, email account, and network password), regardless of device.

When a user enrolls a device, Microsoft Digital collects general information about the device, such as the manufacturer and any LOB apps that are installed from the Company Portal (but not from the Microsoft Store). The Company Portal is a required app for every newly enrolled device.

Troubleshooting enrollment

Microsoft Digital experienced enrollment failures because some users had a non-standard User Principle Name (UPN). The enrollment process is based on a user’s UPN, but the UPN of some Microsoft users deviated from the standard naming convention and also differed from their user alias. To resolve this issue, Microsoft Digital created a DNS redirection.

Because there are no client logs for enrollment troubleshooting, Microsoft Digital needed to take a systematic approach to troubleshooting.

Microsoft Digital recommends that the following issues be verified when troubleshooting general device enrollment issues:

The Admin has configured MDM.

The Admin has enabled enrollment for specific device types.

The Admin has provisioned the user for mobile device enrollment.

The user is not trying to enroll several devices at the same time and has not enrolled more than 20 mobile devices in the system.

For Windows Phone 8.1 devices, the code signing certificate is configured properly.

For iOS devices, the Apple Push Notification Service certificate is configured and hasn’t expired, and the device is running iOS v5.0 or later.

Enrollment lessons learned

Microsoft Digital learned lessons from a few issues that occurred during the enrollment process, particularly regarding user education requirements:

Users were concerned about the type of information that Microsoft Digital could see and collect about their personal devices. Microsoft Digital needed to reassure users that it collects only general information about the device itself (such as the manufacturer) and any LOB apps that are installed from the Company Portal—and that it collects no personal information, such as phone numbers, personal apps, or apps that are installed from the Microsoft Store.

Users were sometimes confused about differences in the enrollment process for the various mobile devices platforms (for example, one platform might have additional screens for adding management profiles on the device). To address this issue, Microsoft Digital documented the enrollment process for each device and made this documentation available through the company support website, ITWeb.

Policy and security configuration

To help ensure that corporate security was maintained while also providing a good end-user experience, Microsoft Digital had to coordinate with the following Microsoft teams:

The Microsoft Security team, to define the policies that would enforce Microsoft corporate compliance settings on mobile devices, such as password policy and encryption settings.

The Exchange team, to align policy settings between Exchange ActiveSync (EAS) and MDM.

Microsoft Digital took advantage of default compliance rules for mobile devices that are built into Configuration Manager. It created new configuration items (CIs) for mobile devices (different CIs for each device type, to make troubleshooting easier) and added built-in compliance rules whose values are based on Microsoft Digital security requirements (see Table 1). It then created a configuration baseline for those CIs and targeted the configuration baseline to the collection of mobile devices.