Q. How can I publish corporate applications to an iOS device using Configuration Manager via Intune?
Dept - Intune
A. Intune enables full management of mobile devices including iOS, Android and Windows Phone. Organizations often want to deploy applications to these devices while ensuring corporate data stays within the corporate applications and cannot leak into personal applications on the same device. This walkthrough covers every step required to achieve that for iOS using Intune, with the actual configuration performed in Configuration Manager (which connects to Intune).
First make sure you have connected Intune to your Configuration Manager instance via the Administration workspace - Cloud Services - Microsoft Intune Subscription. As part of this connection you can configure logos and contact details. Once the connection is established, select the Intune subscription and from the Home tab select Create APNs certificate request, which generates a certificate signing request and saves it to a file. Upload this file to the Apple Push Certificates Portal and download the resulting certificate (a .pem file). There is no charge for this certificate; it is what allows Intune to push to iOS devices. Note that the certificate is valid for one year and must be renewed from the same Apple ID before it expires, otherwise enrolled devices lose management and have to be re-enrolled.
With the Intune subscription still selected, select Configure Platforms from the Home tab and then iOS. Check the box to enable iOS enrollment and select the certificate you downloaded from the Apple portal. Android and other platforms can be enabled for enrollment in the same dialog.
The next step is to create a Configuration Item and Configuration Baseline for iOS which block corporate data from being opened in personal (unmanaged) applications.
- Select the Assets and Compliance workspace
- Select Compliance Settings - Configuration Items
- Select Create Configuration Item. Enter a name, set the target device type to iOS and Mac OS X from the list of device types and click Next
- For the platforms select iPhone and iPad and click Next
- For the list of device settings select Data Protection and click Next
- Set "Open documents in managed apps in other unmanaged apps" to Disabled and, optionally, "Unmanaged apps to open data in managed apps" to Enabled (data flowing into managed apps is not a leak, so this inbound direction can stay open). Make sure Remediate noncompliant settings is checked and click Next
- Click Next to all remaining questions
- Select Compliance Settings - Configuration Baselines
- Select Create Configuration Baseline
- Enter a name for the baseline and add the configuration item that was created and click OK
- Right click the new baseline and select Deploy. Select the target collection (e.g. All Mobile Devices) and check the Remediate noncompliant rules when supported. Click OK
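The two Data Protection settings in the configuration item above are delivered to the device as iOS "managed open-in" restrictions (the allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged keys of an Apple com.apple.applicationaccess payload). The following Python script is an added example, not code from the article or from Configuration Manager: it builds a restrictions profile in both the weak and the hardened form and audits a profile for the leak path, treating an absent key as Apple's default (allowed). The payload identifiers and the org name are placeholders; that Configuration Manager maps the CI onto exactly these keys is an assumption.

```python
import plistlib
import uuid
from typing import Optional


def build_restrictions_profile(allow_managed_to_unmanaged: Optional[bool],
                               allow_unmanaged_to_managed: Optional[bool],
                               org: str = "Example Corp") -> bytes:
    """Return a .mobileconfig (XML plist) carrying the managed open-in keys.

    None omits the key, which lets Apple's default (True = allowed) apply.
    Identifiers below are hypothetical placeholders for this example.
    """
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions.openin",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Managed Open-In",
    }
    if allow_managed_to_unmanaged is not None:
        # False: documents in managed apps only open in other managed apps
        payload["allowOpenFromManagedToUnmanaged"] = allow_managed_to_unmanaged
    if allow_unmanaged_to_managed is not None:
        # False: unmanaged apps may not hand documents to managed apps
        payload["allowOpenFromUnmanagedToManaged"] = allow_unmanaged_to_managed
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.openin",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": f"{org} data protection",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def audit_open_in(profile_bytes: bytes) -> dict:
    """Report whether corporate documents can leave managed apps.

    A profile with no restrictions payload, or one that omits the key,
    is just as weak as one that explicitly sets the key to True.
    """
    profile = plistlib.loads(profile_bytes)
    result = {
        "restrictions_payload_present": False,
        "managed_to_unmanaged_blocked": False,
        "unmanaged_to_managed_blocked": False,
    }
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        result["restrictions_payload_present"] = True
        if payload.get("allowOpenFromManagedToUnmanaged", True) is False:
            result["managed_to_unmanaged_blocked"] = True
        if payload.get("allowOpenFromUnmanagedToManaged", True) is False:
            result["unmanaged_to_managed_blocked"] = True
    return result


# Constructed sample profiles for the three cases a reviewer meets in practice.
WEAK_PROFILE = build_restrictions_profile(True, True)        # explicitly allowed
DEFAULT_PROFILE = build_restrictions_profile(None, None)     # keys absent: still allowed
HARDENED_PROFILE = build_restrictions_profile(False, True)   # the article's recommended CI
EMPTY_PROFILE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": []})

if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("default", DEFAULT_PROFILE),
                       ("hardened", HARDENED_PROFILE), ("empty", EMPTY_PROFILE)):
        print(f"{name:9s} {audit_open_in(prof)}")
```

The audit deliberately defaults a missing key to allowed: when reviewing a profile exported from a device (for example via Apple Configurator), the absence of allowOpenFromManagedToUnmanaged means the leak path is open, which is easy to misread as "nothing configured, so nothing wrong".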
You are now ready to publish the applications themselves, which are sourced from the Apple App Store.
- Open the Software Library workspace
- Open Application Management - Application Management Policies
- Select Create Application Management Policy
- Enter a name and click Next
- Select the Platform as iOS and the policy type as General, then click Next
- Configure all required settings. These are enforced inside the app itself, so they only apply to apps that support Intune app management (apps built with the Intune App SDK or wrapped with the Intune App Wrapping Tool, which includes the Microsoft mobile apps such as Outlook). Critical settings are:
  - Allow app to transfer data to other apps: Policy Managed Apps
  - Prevent "Save As": Yes
  - Require simple PIN for access:
- Click Next
- Once complete click Close. You may choose to create different policies for different applications
- Select Application Management - Applications
- Select Create Application
- For the application type select App Package for iOS from App Store and enter the URL for Outlook, e.g. https://itunes.apple.com/us/app/microsoft-outlook-email-calendar/id951937596?mt=8. Click Next
- Click Next and enter any specific details then click Next until complete
- Repeat the process for additional applications
- Right click on the application and select Deploy
- Specify a collection, e.g. All Mobile Devices under Device Collections and click Next
- Click next to all the sections until you get to Application Management. Select the application management policy previously created
- Click Next to all other dialogs until complete
Once enrolled, iOS devices will see the applications in the Company Portal application, and data (including the clipboard, when the policy's cut, copy and paste restriction is set) will not be able to leave the corporate-deployed applications for personal applications. Note that the protection is applied at two layers: the configuration baseline is a device-level MDM restriction that requires the device to be enrolled, while the application management policy is enforced by the managed app itself.
I have a video walking through this at https://youtu.be/wfWoLLx8WeA.
For more details on device enrollment see https://technet.microsoft.com/en-us/library/jj884158.aspx.