
OFFICIAL MICROSOFT LEARNING PRODUCT

20703-2A
Integrating MDM and Cloud Services with
System Center Configuration Manager
Companion Content
ii Integrating MDM and Cloud Services with System Center Configuration Manager

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.

© 2017 Microsoft Corporation. All rights reserved.


Microsoft and the trademarks listed at https://www.microsoft.com/en-us/legal/intellectualproperty/Trademarks/Usage/General.aspx
are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Product Number: 20703-2A


Released: 10/2017
MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE

These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.

BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.

If you comply with these license terms, you have the rights below for each license you acquire.

1. DEFINITIONS.

a. “Authorized Learning Center” means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.

b. “Authorized Training Session” means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.

c. “Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center’s training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.

d. “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.

e. “Licensed Content” means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.

f. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.

g. “Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.

h. “Microsoft IT Academy Program Member” means an active member of the Microsoft IT Academy
Program.

i. “Microsoft Learning Competency Member” means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.

j. “MOC” means the “Official Microsoft Learning Product” instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.

k. “MPN Member” means an active Microsoft Partner Network program member in good standing.
l. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.

m. “Private Training Session” means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.

n. “Trainer” means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) a MCT.

o. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers’ use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Pre-
release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.

2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.

2.1 Below are five separate sets of use rights. Only one set of rights applies to you.

a. If you are a Microsoft IT Academy Program Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User who is enrolled in the Authorized Training Session, and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can
access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can
access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training
Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-
Led Courseware will be presented with a copy of this agreement and each End User will agree that
their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement
prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required
to denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for
all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.

b. If you are a Microsoft Learning Competency Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Authorized Training Session and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption
code and instructions on how they can access one (1) digital version of the Microsoft Instructor-
Led Courseware, or
3. you will provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized
Training Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training
Sessions,
viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is
the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.
c. If you are a MPN Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Private Training Session, and only immediately prior to the commencement
of the Private Training Session that is the subject matter of the Microsoft Instructor-Led
Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique
redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending a Private Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching a Private Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training
Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the
subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.

d. If you are an End User:


For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your
personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the
Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the
training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to
three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

e. If you are a Trainer:


i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the
form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized
Training Session or Private Training Session, and install one (1) additional copy on another Personal
Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not
install or use a copy of the Trainer Content on a device you do not own or control. You may also
print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training
Session or Private Training Session.
ii. You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement.
If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private Training
Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of
“customize” refers only to changing the order of slides and content, and/or not using all the slides or
content, it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate their components and install them on different devices.

2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.

2.4 Third Party Notices. The Licensed Content may include third party code/content that Microsoft, not the
third party, licenses to you under this agreement. Notices, if any, for the third party code/content are included
for your information only.

2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplements the terms described in this agreement.

3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content’s subject
matter is based on a pre-release version of Microsoft technology (“Pre-release”), then in addition to the
other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback.
You will not give feedback that is subject to a license that requires Microsoft to license its technology,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.

c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest (“Pre-release term”).
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
• access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
• alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
• modify or create a derivative work of any Licensed Content,
• publicly display, or make the Licensed Content available for others to access or use,
• copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
• work around any technical limitations in the Licensed Content, or
• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.

5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.

6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.

7. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services for it.

8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.

9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.

10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.

11. APPLICABLE LAW.


a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.

12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.

13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to
o anything related to the Licensed Content, services, content (including code) on third party Internet
sites or third-party programs; and
o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are also provided in French. They are given below in English translation.

DISCLAIMER OF WARRANTY. The licensed content is provided "as is". Any use of this licensed content is at
your sole risk. Microsoft gives no other express warranty. You may have additional rights under local consumer
protection law, which this agreement cannot change. Where permitted by local law, the implied warranties of
merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION ON AND EXCLUSION OF LIABILITY FOR DAMAGES. You can recover from Microsoft and its
suppliers compensation for direct damages only, up to US$5.00. You cannot claim compensation for any other
damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
• anything related to the licensed content, services or content (including code) on third-party Internet
sites or in third-party programs; and
• claims for breach of contract or warranty, or for strict liability, negligence or other tort, to the extent
permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of such damage. If your
country does not allow the exclusion or limitation of liability for indirect, incidental or other damages, the
above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. This agreement does not change your rights under the laws of your country if those laws do not
permit it to do so.

Revised July 2013


Extending the Configuration Manager infrastructure to support Internet-based and mobile devices 1-1

Module 1
Extending the Configuration Manager infrastructure to
support Internet-based and mobile devices
Contents:
Module Review and Takeaways 2
Lab Review Questions and Answers 3

Module Review and Takeaways


Review Question
Question: What’s the biggest challenge for your organization when it comes to device management?

Answer: Answers will vary depending on student experience.



Lab Review Questions and Answers


Lab A: Preparing for cloud integration
Question and Answers

Question: You need to configure directory syncing between your local Active Directory Domain Services
(AD DS) and Azure AD. Which tool would you use to perform this task?
( ) Active Directory Users and Computers

( ) Active Directory Domains and Trusts

( ) DirSync
( ) Azure AD Connect

( ) Active Directory Sites and Services

Answer:
( ) Active Directory Users and Computers

( ) Active Directory Domains and Trusts

( ) DirSync

(√) Azure AD Connect

( ) Active Directory Sites and Services

Question: After a trial run of using Azure AD, users state that they find it difficult to remember their
onmicrosoft.com account. What can you do to address this concern?

Answer: You can add a custom domain to Azure AD that matches your AD DS domain name. You also need
to configure the appropriate external Domain Name System (DNS) records, and you need to validate
the custom domain from Azure. Users can then sign in with the same user principal name (UPN) that
they use in the internal domain, provided their AD DS UPN suffix matches the verified custom domain.
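The following PowerShell script is an added example; it is not part of the course. Before you add the custom domain and start synchronizing with Azure AD Connect, it lists the enabled AD DS users whose UPN suffix is not one of the domains you will verify in Azure AD. After synchronization those users would still get a sign-in name in the default tenant.onmicrosoft.com domain. The domain name and the search base are assumptions for illustration.

```powershell
# Added example (not from the course): find users whose UPN suffix will not map to a
# verified Azure AD custom domain. Domain name and OU below are assumptions.
Import-Module ActiveDirectory

function Get-UsersWithUnroutableUpn {
    param(
        [Parameter(Mandatory)] [string[]] $VerifiedDomain,            # e.g. 'adatum.com'
        [string] $SearchBase = 'OU=Corp Users,DC=adatum,DC=com'       # assumed OU
    )
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties UserPrincipalName |
        Where-Object {
            # A missing UPN, or a suffix outside the verified list, falls back to onmicrosoft.com.
            $suffix = ($_.UserPrincipalName -split '@')[-1]
            (-not $_.UserPrincipalName) -or ($VerifiedDomain -notcontains $suffix)
        } |
        Select-Object SamAccountName, UserPrincipalName
}

$mismatched = @(Get-UsersWithUnroutableUpn -VerifiedDomain 'adatum.com')
$mismatched | Format-Table -AutoSize
if ($mismatched.Count -gt 0) {
    Write-Warning "$($mismatched.Count) user(s) will sign in as @<tenant>.onmicrosoft.com unless their UPN suffix is changed."
}
```

Run it on a domain-joined computer that has the Active Directory module (RSAT). If the intended suffix is not yet an alternative UPN suffix of the forest, add it in Active Directory Domains and Trusts first, then correct the affected accounts with Set-ADUser -UserPrincipalName and re-run the script until the list is empty.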

Lab B: Implementing PKI for Configuration Manager site systems and


clients

Question and Answers

Question: On which existing certificate template is the Distribution Point certificate template based?
Why do you need to create a new certificate template?
Answer: The Configuration Manager distribution point certificate template is based on the
Workstation Authentication template, which is the same template that the Configuration
Manager client certificate uses. However, the distribution point template must allow the private
key to be exported, because for computers that are not members of AD DS you must import the
certificate, together with its private key, from a file. You cannot select it from the certificate store.
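As an added example (not course content), the following PowerShell script performs the export the answer refers to: it locates the certificate issued from the distribution point template in the computer's personal store and exports it, with its private key, to a .pfx file that you then specify in the distribution point properties. The template display name and the output path are assumptions; the export fails if the template was created without allowing the private key to be exported.

```powershell
# Added example (not from the course): export the distribution point certificate with its
# private key to a .pfx file. Template display name and output path are assumptions.
$templateName = 'ConfigMgr Distribution Point'
$pfxPath      = 'C:\Certs\ConfigMgrDP.pfx'
$pfxPassword  = Read-Host -Prompt 'PFX password' -AsSecureString

# The Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7) of a v2
# template certificate formats as "Template=<display name>(<template OID>), Major ...".
function Get-CertificateTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    if ($ext) {
        ($ext.Format($false) -split ',')[0] -replace '^Template=', '' -replace '\(.*$', ''
    }
}

# Newest certificate from the template that still has a private key on this computer.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and (Get-CertificateTemplateName -Cert $_) -eq $templateName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No certificate issued from template '$templateName' with a private key was found."
}

try {
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ErrorAction Stop | Out-Null
    Write-Host "Exported $($cert.Subject) ($($cert.Thumbprint)) to $pfxPath"
}
catch {
    # Typical cause: the template was created without "Allow private key to be exported",
    # so the key is marked non-exportable and the certificate must be re-enrolled.
    throw "Export failed for $($cert.Thumbprint): $($_.Exception.Message)"
}
```

Treat the resulting .pfx file like any other private key material: protect it with a strong password, copy it only to the distribution point that needs it, and delete the working copy after import.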

Question: Which Configuration Manager functionality could you use to deploy a partner organization’s
enterprise root certification authority (CA) certificate to Configuration Manager clients that are members
of your organization’s Active Directory forest?
Answer: You can use the certificate profiles functionality to deploy trusted root CA certificates to
Configuration Manager clients. Because the Configuration Manager client applies the profile, rather than
AD DS distributing the certificate, this works for clients that are members of your forest and for clients
that are not domain members, and it does not require the partner’s CA to be published in your own AD DS.

Lab C: Configuring cloud-based distribution points

Question and Answers

Question: You have configured a cloud-based distribution point; however, your clients can’t seem to
resolve the name of the cloud-based service. What should you do?

Answer: Before clients can access a cloud-based distribution point, they must be able to resolve
the name of the cloud-based distribution point to an IP address that Azure manages. To resolve
the service name that you provided with the cloud-based distribution point service certificate (for
example, clouddp1.adatum.com) to your Azure service FQDN (for example,
d1594d4527614a09b934d470.cloudapp.net), DNS servers on the Internet must have a DNS alias
(CNAME) resource record. Your clients will then be able to resolve the Azure service fully
qualified domain name (FQDN) to the IP address by using DNS servers on the Internet.

Question: To keep the cost of a cloud-based distribution point manageable, you need to ensure that no
more than 100 GB is stored on the cloud service. How can you ensure this?
Answer: You can configure and specify a storage alert threshold set to 100 GB.
Managing clients on the Internet 2-1

Module 2
Managing clients on the Internet
Contents:
Lesson 1: Methods for managing Internet-based clients 2

Lesson 2: Planning and implementing Internet-based client management 4


Lesson 3: Planning and implementing the Cloud Management Gateway 6

Module Review and Takeaways 8

Lab Review Questions and Answers 9



Lesson 1
Methods for managing Internet-based clients
Contents:
Question and Answers 3
Resources 3

Question and Answers


Question: Which of the following are typical considerations when implementing IBCM? (Choose all that
apply.)

( ) It requires a public key infrastructure (PKI).

( ) It requires a Microsoft Azure subscription.

( ) It requires a cloud-based distribution point.

( ) It doesn’t support client deployment.

( ) It supports only the management point and software update point site system roles.

Answer:
(√) It requires a public key infrastructure (PKI).

( ) It requires a Microsoft Azure subscription.

( ) It requires a cloud-based distribution point.


(√) It doesn’t support client deployment.

( ) It supports only the management point and software update point site system roles.

Resources

Methods for managing Internet-connected client devices

Additional Reading: For more information, refer to “Manage clients on the Internet with
Configuration Manager” at https://aka.ms/kajvjb

Lesson 2
Planning and implementing Internet-based client
management
Contents:
Question and Answers 5

Question and Answers


Question: You have several Configuration Manager clients that are currently managed with Configuration
Manager. You decide to reconfigure these clients to support IBCM in an Internet-only configuration. You
have already installed the necessary certificates on the clients, but the clients don’t change to the
Internet-only option. What do you do to ensure that the clients are configured to be Internet-only?

( ) Reinstall the Configuration Manager client with the DNSSUFFIX property.

( ) Reinstall the Configuration Manager client with the CCMALWAYSINF=1 property.

( ) Configure a fallback status point.

( ) Enable the Enable user policy requests from Internet clients client policy setting.

( ) Configure the management point to support HTTPS.

Answer:
( ) Reinstall the Configuration Manager client with the DNSSUFFIX property.

(√) Reinstall the Configuration Manager client with the CCMALWAYSINF=1 property.

( ) Configure a fallback status point.

( ) Enable the Enable user policy requests from Internet clients client policy setting.

( ) Configure the management point to support HTTPS.

Lesson 3
Planning and implementing the Cloud Management
Gateway
Contents:
Question and Answers 7
Resources 7

Question and Answers


Question: As of version 1702, which of the following site system roles are supported for use with the
Cloud Management Gateway service? (Choose all that apply.)

( ) Fallback status point

( ) Management point

( ) Application Catalog website point

( ) Software update point

( ) Enrollment point

Answer:
( ) Fallback status point

(√) Management point

( ) Application Catalog website point

(√) Software update point

( ) Enrollment point

Resources

Resources and costs associated with the Cloud Management Gateway

Additional Reading: Use the Azure pricing calculator and the Azure bandwidth calculator
to help determine the potential costs. For the calculators, refer to “Pricing calculator” at
https://aka.ms/jutfbp and “Bandwidth Pricing Details” at https://aka.ms/bqyzn4

Module Review and Takeaways


Best Practices
Take note of the following takeaways from this module:

• IBCM does not require a cloud subscription. However, it does require that you expose corporate
network services to the Internet.
• The Cloud Management Gateway does not directly expose internal network services to the
Internet. However, you incur a subscription cost for this service.
• Both solutions require a PKI and custom certificate templates.

Review Questions
Question: You decide to implement IBCM to manage Configuration Manager clients on the Internet.
Describe the ways that you might design the network infrastructure to provide access to the Internet.

Answer: A common design involves creating a new forest in a perimeter network. This new forest
then contains any services that are needed on the Internet, such as a management point or
distribution point. If you want to take advantage of user-based policies, you must ensure that the
perimeter network forest trusts the internal corporate forests.
You can also publish the internal services by using a web proxy server and configure SSL bridging
or SSL tunneling.

Question: Your Internet-based solution requires that you apply user policies over the Internet. Will you
implement IBCM or the Cloud Management Gateway?

Answer: The Cloud Management Gateway does not currently support user-based policies. You
must implement IBCM. Note that user authentication must take place, so the management point
must have access to the domain controller.
Question: You have just configured the Cloud Management Gateway. You want to deploy software to a
client on the Internet; however, you don’t understand how to enable the distribution points to use the
Cloud Management Gateway. What do you do?

Answer: Currently, the Cloud Management Gateway supports only cloud-based distribution
points. You must configure a cloud-based distribution point to support software deployments.

Common Issues and Troubleshooting Tips


Common Issue: Internet-based Configuration Manager clients can’t communicate with the
management point.
Troubleshooting Tip: Verify that the client and server certificates are correctly configured and
that DNS name resolution is in place. It’s common that the name on the certificate isn’t the same
name that is registered in DNS. Be sure that the names match.

Common Issue: After setting up the Cloud Management Gateway, Internet clients can’t connect.
Troubleshooting Tip: All clients must initially be on the corporate network to receive location
information for the Cloud Management Gateway service. Be sure to have the client devices
connect to the internal environment before being placed on the Internet.
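The troubleshooting tip above (certificate name must match the name registered in DNS) and the Lab C answer in Module 1 (a public CNAME from the cloud-based distribution point service name to the Azure service FQDN, which then resolves to an IP address) describe two checks an administrator can script. The following PowerShell is an added example written for this companion; it is not part of the course or of Configuration Manager. It assumes the DnsClient module (Windows 8 / Windows Server 2012 or later) and, for the certificate check, that it runs on the site system whose computer store holds the HTTPS certificate. The names clouddp1.adatum.com and d1594d4527614a09b934d470.cloudapp.net are the course's sample values; mp1.adatum.com is an assumed management point name for this example only.

```powershell
# Added example (not from the course): DNS-chain and certificate-name checks for an
# HTTPS site system. Requires Resolve-DnsName from the DnsClient module.

function Test-SiteSystemDnsChain {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,   # name clients use; must also be on the certificate
        [string] $ExpectedCnameTarget                   # Azure service FQDN if the name is an alias
    )
    $result = [ordered]@{ Name = $ServiceName; Cname = $null; Addresses = @(); Problems = @() }

    # An A query for an aliased name returns the CNAME record followed by the target's A records.
    $records = @(Resolve-DnsName -Name $ServiceName -Type A -ErrorAction SilentlyContinue)
    if ($records.Count -eq 0) {
        $result.Problems += "no DNS answer for $ServiceName"
        return [pscustomobject]$result
    }

    $cname = $records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if ($cname) {
        $result.Cname = $cname.NameHost
        if ($ExpectedCnameTarget -and $cname.NameHost -ne $ExpectedCnameTarget) {
            $result.Problems += "CNAME points to $($cname.NameHost), expected $ExpectedCnameTarget"
        }
    } elseif ($ExpectedCnameTarget) {
        $result.Problems += "$ServiceName has no CNAME record (expected alias to $ExpectedCnameTarget)"
    }

    $result.Addresses = @($records | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    if ($result.Addresses.Count -eq 0) {
        $result.Problems += "$ServiceName does not resolve to an IPv4 address"
    }
    [pscustomobject]$result
}

function Get-CertificateDnsNames {
    param([Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    # Collect the Subject CN and every entry of the Subject Alternative Name extension (OID 2.5.29.17).
    $names = @()
    if ($Certificate.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) yields text such as "DNS Name=mp1.adatum.com, DNS Name=mp1"; keep the values.
        $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[-1].Trim() })
    }
    @($names | Select-Object -Unique)
}

function Test-SiteSystemCertificateName {
    param([Parameter(Mandatory)] [string] $ServiceName)
    # A usable HTTPS site-system certificate is in the computer store, unexpired, has its private
    # key, and carries the DNS name that clients resolve. Anything else is the "names don't match" case.
    $candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ((Get-CertificateDnsNames -Certificate $_) -contains $ServiceName)
    })
    [pscustomobject]@{
        Name        = $ServiceName
        Matched     = ($candidates.Count -gt 0)
        Thumbprints = @($candidates | ForEach-Object { $_.Thumbprint })
    }
}

# Cloud-based distribution point (course sample values): the alias must lead to the Azure FQDN.
Test-SiteSystemDnsChain -ServiceName 'clouddp1.adatum.com' `
    -ExpectedCnameTarget 'd1594d4527614a09b934d470.cloudapp.net' | Format-List

# Internet-facing management point (name assumed for this example): DNS and certificate must agree.
Test-SiteSystemDnsChain -ServiceName 'mp1.adatum.com' | Format-List
Test-SiteSystemCertificateName -ServiceName 'mp1.adatum.com' | Format-List
```

An empty Problems list together with Matched = True is the healthy state; a populated Problems list points at the DNS side, and Matched = False with a resolving name points at the certificate (wrong name, expired, or private key missing), which is the mismatch the tip warns about.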

Lab Review Questions and Answers


Lab A: Configuring IBCM
Question and Answers
Question: List the three types of certificates that you need to configure to support IBCM in Configuration
Manager.

Answer: You need to configure a Web Server certificate, a distribution point client certificate,
and a client certificate.
Question: You add a new distribution point to the Configuration Manager environment. What do you
need to do to make it accessible to both intranet and Internet clients?

Answer: Import the .pfx certificate file that has been exported for distribution points, and then
configure HTTPS. Also, configure the Allow intranet and Internet connections option.

Question: You want to make sure that a new distribution point is accessible only from Internet clients.
What should you do?
Answer: Configure the distribution point to allow only Internet-only connections. You configure
this on the General tab of the Distribution point Properties dialog box.

Lab B: Configuring the Cloud Management Gateway for managing clients on the Internet

Question and Answers


Question: You attempt to turn on the Cloud Management Gateway feature, but the button is unavailable.
What do you have to do first?

Answer: You need to first open the hierarchy settings and select the check box to consent to use
pre-release features.

Question: What is the purpose of exporting the Azure management certificate twice?

Answer: You need to export the certificate in both .pfx and .cer file formats. You use the .cer
format when uploading the management certificate to Azure. You use the .pfx format when
configuring the service in Configuration Manager.

Question: What do you need to do to ensure that clients can resolve the cloudmgw.cloudapp.net DNS
name to the Cloud Management Gateway service?

Answer: You need to register this name in the public Domain Name System (DNS) so that client
devices can resolve and find the service in Azure.
Managing Microsoft Store for Business apps by using Configuration Manager 3-1

Module 3
Managing Microsoft Store for Business apps by using
Configuration Manager
Contents:
Lesson 1: Overview of Microsoft Store for Business 2
Lesson 2: Managing Microsoft Store for Business apps by using Configuration Manager 6

Module Review and Takeaways 10

Lab Review Questions and Answers 11



Lesson 1
Overview of Microsoft Store for Business
Contents:
Question and Answers 3
Resources 5

Question and Answers


Question: On which devices can you install an app from Microsoft Store for Business? (Select all that
apply.)

( ) Windows 7 PC

( ) Windows 8.1 tablet

( ) Windows 8.1 Update PC

( ) Windows 10 tablet

( ) Android 7 tablet

Answer:
( ) Windows 7 PC

( ) Windows 8.1 tablet

( ) Windows 8.1 Update PC

(√) Windows 10 tablet

( ) Android 7 tablet

Feedback: You can install apps from Microsoft Store for Business only on Windows 10 devices.

Question: Users can install offline licensed apps only if they have an Azure AD account.

( ) True

( ) False

Answer:

( ) True

(√) False
Feedback: Offline licensed apps can install on a device even if the device does not have Internet
connectivity and the user does not have an Azure AD account.

Question: An organization must pay a monthly fee for using Microsoft Store for Business.

( ) True

( ) False

Answer:

( ) True

(√) False
Feedback: Microsoft Store for Business is a cloud service that is available for free. However, an
organization must be using Azure AD to be able to use Microsoft Store for Business.

Benefits and features of Microsoft Store for Business


Question: What is the main difference between Windows Store and Microsoft Store for Business?

Answer: The main difference is that Windows Store is for general audiences, while Microsoft
Store for Business is aimed at organizations. Hence, in Windows Store, users can find all types of
apps, including games, books, music, and TV shows. In Microsoft Store for Business, you can find
business-related modern Windows 10 apps and line-of-business (LOB) apps.

Question: Can you sign in to Microsoft Store for Business with a Microsoft account?

Answer: A Microsoft account is necessary only to install an app from Windows Store. However,
you cannot use a Microsoft account to sign in to Microsoft Store for Business; you must use a
Microsoft Azure Active Directory (Azure AD) account to sign in to it.

Prerequisites for Microsoft Store for Business


Question: Can you install an app from Microsoft Store for Business on a device that is running Windows
8.1 Update?

Answer: No, you can’t install an app from Microsoft Store for Business on a device that is
running Windows 8.1 Update. Apps from Microsoft Store for Business can install only on
Windows 10 devices.

Question: Is an Azure AD account necessary if you want to browse Microsoft Store for Business and not
install any apps from it?
Answer: Yes, an Azure AD account is necessary even if you only want to browse Microsoft Store
for Business. Users must authenticate before they can access Microsoft Store for Business. This is
different than with the public Windows Store, where users can browse the store but must
authenticate with a Microsoft account before installing an app.

Process for implementing Microsoft Store for Business


Question: In which app can you sign up for Microsoft Store for Business? Do users utilize the same app
for browsing it?

Answer: You can sign up for Microsoft Store for Business in a web browser, for example, in
Internet Explorer 11 or in Microsoft Edge. You can use a web browser both for managing
Microsoft Store for Business and for browsing the available apps in a private store, and for
installing apps from Microsoft Store for Business. Company users would probably use the Store
app for browsing Microsoft Store for Business and for installing apps from the store.

Question: Do you need to add company users to a role to be able to browse Microsoft Store for
Business?
Answer: No. After you set up Microsoft Store for Business, all company users who have Azure AD
accounts can access and browse it. If you want to delegate permissions to some users—for
example, to purchase apps and to add them to the private store—you must add them to a role.

What is the app licensing model?


Question: Should a user have an Azure AD account if you want to deploy an offline licensed app to that
user?
Answer: Microsoft Store for Business requires that users have an Azure AD account if you want
to deploy online licensed apps to them or if they want to connect to Microsoft Store for Business.
You can deploy an offline licensed app to any user regardless of whether they have an Azure AD
account.

Question: Can you include an online licensed app from a private store in an image that you plan to
deploy on a new Windows 10 computer?

Answer: Online licensed apps require that a user first connects and authenticates to Microsoft
Store for Business, and only then can the user install the app. Online licensed apps can’t be
downloaded and included in an image.

Methods to distribute and manage apps


Question: In which ways can you distribute an online licensed app from Microsoft Store for Business?

Answer: An online licensed app requires that users connect and authenticate to Microsoft Store
for Business before they can install the app. For distributing online licensed apps, you can use a
private store, assign apps to users, or you can use an MDM management tool such as
Configuration Manager or Microsoft Intune.

Question: Can you assign an app from Microsoft Store for Business to a Windows 10 device?

Answer: No, you can assign apps from Microsoft Store for Business only to company users. You
can’t assign apps from Microsoft Store for Business to groups or devices.

Resources

Benefits and features of Microsoft Store for Business

Additional Reading: For an overview of Microsoft Store for Business, refer to
https://aka.ms/s6ik04

Prerequisites for Microsoft Store for Business

Additional Reading: For a list of URLs that must be allowed on the firewall or proxy server
to be able to access Windows Store and Microsoft Store for Business, refer to
https://aka.ms/p0db8f

What is the app licensing model?

Additional Reading: For additional information on offline licensing in Microsoft Store for
Business, refer to https://aka.ms/lhidy7
Additional Reading: For more information about working with LOB apps in Microsoft
Store for Business, refer to https://aka.ms/wwf42z

Methods to distribute and manage apps

Additional Reading: For additional information on distributing offline licensed apps, refer
to https://aka.ms/oaj2fm

Lesson 2
Managing Microsoft Store for Business apps by using
Configuration Manager
Contents:
Question and Answers 7
Resources 9

Question and Answers


Question: You can deploy only offline licensed Microsoft Store for Business apps by using Configuration
Manager.

( ) True

( ) False

Answer:

( ) True

(√) False

Feedback: You can deploy online and offline licensed Microsoft Store for Business apps by using
Configuration Manager. Online licensed apps are installed from Microsoft Store for Business even
when you deploy them by using Configuration Manager, while offline licensed apps are
downloaded and installed from a Configuration Manager distribution point.
Question: You are planning to implement Microsoft Store for Business syncing with Configuration
Manager. Where can you find the client ID and client secret key?

Answer: You can find the client ID and client secret key in Azure AD. Both are generated when
you register Configuration Manager as a web app in Azure AD.

Question: If you deploy an online licensed Microsoft Store for Business app by using Configuration
Manager, a user must still authenticate to Azure AD.

( ) True

( ) False

Answer:
(√) True

( ) False
Feedback: When you deploy an online licensed Microsoft Store for Business app by using
Configuration Manager, the app is installed from Microsoft Store for Business, and users must
authenticate to Microsoft Store for Business with their Azure AD accounts.

How does Configuration Manager work with Microsoft Store for Business?
Question: What must you do in Configuration Manager before you can start using Configuration
Manager to deploy apps that you obtained in Microsoft Store for Business?
Answer: Before you can start using Configuration Manager to deploy apps that you obtain in
Microsoft Store for Business, you must add the Microsoft Store for Business account in
Configuration Manager. You must also perform some additional preparation steps before adding
a Microsoft Store for Business account in Configuration Manager, but they are done in Azure
Portal and in Microsoft Store for Business.

Question: Can you use Configuration Manager to deploy apps from Microsoft Store for Business to
computers that are running Windows 10 Anniversary Update (version 1607)?

Answer: Yes, you can use Configuration Manager to deploy apps from Microsoft Store for
Business to computers that are running Windows 10 Anniversary Update (version 1607).
However, if you deploy the apps to computers that are running Windows 10 prior to Creators
Update (version 1703), some limitations exist, such as that users will have to install apps from
Microsoft Store for Business manually, even when apps are deployed by using Configuration
Manager.

Configuration Manager support for offline and online apps


Question: Can you deploy online licensed Microsoft Store for Business apps by using Configuration
Manager?

Answer: Yes, you can deploy online licensed Microsoft Store for Business apps and offline
licensed Microsoft Store for Business apps by using Configuration Manager.
Question: Can you deploy paid offline licensed Microsoft Store for Business apps with Configuration
Manager?

Answer: No, you can’t deploy paid offline licensed Microsoft Store for Business apps with
Configuration Manager. This is the only type of Microsoft Store for Business app that you can’t
deploy with Configuration Manager.

Configuring Microsoft Store for Business synchronization


Question: What must you do before you can add a Microsoft Store for Business account to Configuration
Manager?
Answer: Before adding a Microsoft Store for Business account to Configuration Manager, ensure
that Microsoft Store for Business exists. You must also create an application registration for
Configuration Manager, which will provide you with client ID and client secret key information.
These details are required when creating a Microsoft Store for Business account in Configuration
Manager.

Question: Can you use Configuration Manager to manage Microsoft Store for Business?
Answer: No. You can connect Configuration Manager with Microsoft Store for Business.
Configuration Manager can synchronize inventory data, and you can use it for deploying
Microsoft Store for Business apps. However, you can’t use Configuration Manager to manage
Microsoft Store for Business. You manage it through a web browser even after you connect
Microsoft Store for Business with Configuration Manager.

Deploying apps from Microsoft Store for Business by using Configuration Manager
Question: Can you deploy apps from Microsoft Store for Business to users or devices by using
Configuration Manager?

Answer: By using Microsoft Store for Business, you can assign apps only to individual users.
When you use Configuration Manager to deploy Microsoft Store for Business apps, you can
deploy them to a user collection or a device collection. This means that you can deploy an app to
multiple users at one time, or you can deploy the app to all users that are using a certain device.

Question: After syncing license information, what must you do to deploy Microsoft Store for Business
apps by using Configuration Manager?

Answer: To deploy Microsoft Store for Business apps by using Configuration Manager, you must
first create applications from the synced licensing information, and then you must deploy the
applications to a user or device collection.

Monitoring Microsoft Store for Business apps


Question: Does Configuration Manager show you the users who have licenses to run a Microsoft Store for
Business app?

Answer: No, you can’t see that information in Configuration Manager. Configuration Manager
synchronizes only information such as the list of purchased apps, the number of purchased
licenses, and the number of available licenses. It does not synchronize which users have licenses
to run specific Microsoft Store for Business apps. Microsoft Store for Business tracks licensing
information for online licensed apps.

Question: You want to view the users who installed a certain Microsoft Store for Business app that was
deployed by using Configuration Manager. How can you view this list in Configuration Manager?
Answer: You can see the list of users who installed a Microsoft Store for Business app in the
Monitoring workspace of Configuration Manager. Expand Deployments, and then double-click
the app that was used to deploy the Microsoft Store for Business app.

Resources

How does Configuration Manager work with Microsoft Store for Business?

Additional Reading: For more information on the limitations of Windows 10 prior to
Creators Update (version 1703) when deploying apps from Microsoft Store for Business by using
Configuration Manager, refer to https://aka.ms/h3v7zs

Monitoring Microsoft Store for Business apps

Additional Reading: For more information on monitoring applications in Configuration
Manager, refer to https://aka.ms/nmoars. This link is not specific to Microsoft Store for Business.

Module Review and Takeaways


Review Questions
Question: Which role must a user have in Azure AD to be able to sign up for Microsoft Store for Business?

Answer: The user must be a global administrator in an Azure AD tenant to be able to sign up for
Microsoft Store for Business.
Question: You want to add a payable app to Microsoft Store for Business. Will company users have to pay
when they want to install the app from the private store?

Answer: No. If you want to add a payable app to Microsoft Store for Business, you need to buy
and pay for the required number of copies of the app. Then, company users will be able to install
the app from Microsoft Store for Business without paying for it. You should be aware that only as
many company users will be able to install the app as the number of app copies that you
purchased.

Question: You need to create a Microsoft Store for Business account for every company user who will
access the store.
( ) True

( ) False
Answer:
( ) True

(√) False
Feedback: Users utilize Azure AD accounts for accessing Microsoft Store for Business. You don’t
need to create any additional account for them to access Microsoft Store for Business.

Question: The built-in administrator can run the Store app.


( ) True
( ) False

Answer:

( ) True

(√) False

Feedback: Company users can run the Store app on their Windows 10 devices. However, a
built-in administrator can’t run the Store app. If they try to run it, they will receive a message
stating that this app can’t open.

Lab Review Questions and Answers


Lab A: Setting up and managing Microsoft Store for Business
Question and Answers

Question: Can you sign up for Microsoft Store for Business by using the Store app?

Answer: Windows 10 includes the Store app, and you can use it to access, browse, and install
available apps from the Windows Store and from Microsoft Store for Business. However, you
can’t sign up for Microsoft Store for Business in the Store app; you must use a web browser to
sign up for Microsoft Store for Business.

Question: You used the Sync account to sign up for Microsoft Store for Business. Which permissions does
this account have in Azure AD?

Answer: The Sync account is a global administrator for the Azure AD tenant. This account was
created when you set up synchronization with on-premises Active Directory Domain Services (AD
DS) in the lab from Module 1, “Extending the Configuration Manager infrastructure to support
Internet-based and mobile devices.”
Question: Do you need to add a user to the Basic purchaser role to be able to browse and install apps
from Microsoft Store for Business?

Answer: No, you don’t need to add users to any role to be able to browse and install apps from
Microsoft Store for Business. All company users can perform this action by default.
Question: Why were you unable to view any apps in the private store even though you had several apps
there?
Answer: The private store updates every 24 hours. Even after you add apps to the private store, it
takes up to 24 hours before added apps appear in the private store, regardless of whether you
access the store by using the Store app or a web browser.

Lab B: Deploying Microsoft Store for Business apps by using Configuration Manager

Question and Answers


Question: Why did you copy the private key value from Azure Portal to Notepad?
Answer: The private key value generates when you add the private key to the registered web
app in Azure AD. This value is required when you want to create a Microsoft Store for Business
account in Configuration Manager. You copied the private key value to Notepad to have this
information handy when you needed it later in the lab.

Question: In which tool did you activate synchronization with Configuration Manager?

Answer: You activated synchronization with Configuration Manager in Microsoft Store for
Business. You manage Microsoft Store for Business in a web browser, so you activated
synchronization with Configuration Manager in Internet Explorer.

Question: Do installation files for online licensed Microsoft Store for Business apps download to
Configuration Manager when you synchronize Configuration Manager with Microsoft Store for Business?

Answer: No. When you synchronize Microsoft Store for Business with Configuration Manager,
only licensing information syncs. After synchronization, you can see the Microsoft Store for
Business apps that are available and how they are licensed, but their installation files do not
download to Configuration Manager.

Question: Can you deploy Microsoft Store for Business apps to multiple users and groups when you are
using Configuration Manager?
Answer: Yes. One of the reasons for synchronizing Microsoft Store for Business with
Configuration Manager and using Configuration Manager to deploy Microsoft Store for Business
apps is additional flexibility, which includes deployment to collections.
Managing Office 365 apps by using Configuration Manager 4-1

Module 4
Managing Office 365 apps by using Configuration Manager
Contents:
Lesson 1: Overview of Office 365 ProPlus 2

Lesson 2: Deploying Office 365 client applications by using Configuration Manager 4


Lesson 3: Managing and updating an Office 365 client deployment 6

Module Review and Takeaways 8

Lab Review Questions and Answers 9



Lesson 1
Overview of Office 365 ProPlus
Contents:
Question and Answers 3
Resources 3

Question and Answers


Question: A single Office 365 ProPlus license allows a user to install the applications on how many
devices? Choose all that apply.

( ) Up to five different computers per client

( ) Up to 10 different computers per client

( ) Up to five phones per client

( ) One computer per client

( ) Up to five tablets per client

Answer:
(√) Up to five different computers per client

( ) Up to 10 different computers per client

(√) Up to five phones per client

( ) One computer per client

(√) Up to five tablets per client

Resources

What is Office 365 ProPlus?

Reference Links: For the full system requirements of Office 365, refer to “System
requirements for Office” at https://aka.ms/qopby2.

Planning an Office 365 ProPlus deployment

Additional Reading: For more information about modifying the configuration.xml file,
refer to “Configuration options for the Office 2016 Deployment Tool” at https://aka.ms/mrm8hy.

Lesson 2
Deploying Office 365 client applications by using
Configuration Manager
Contents:
Question and Answers 5
Resources 5

Question and Answers


Question: You want to enable the Office 365 Client Management dashboard to monitor your Office
365 software deployment. Which option must you enable?

( ) Software Inventory

( ) Hardware Inventory

( ) Software Metering

( ) Asset Intelligence

( ) App Configuration Policies

Answer:
( ) Software Inventory

(√) Hardware Inventory

( ) Software Metering
( ) Asset Intelligence

( ) App Configuration Policies

Feedback: The Hardware Inventory feature needs to be enabled before Configuration Manager
can determine which workstations have the software installed. By default, Hardware Inventory
should be enabled unless it has been purposefully turned off in the client settings.

Resources

The Office 365 Client Management dashboard

Additional Reading: For additional information about version and build numbers for
Office 365 ProPlus, refer to “Version and build numbers of update channel releases” at
https://aka.ms/veqaw2.

Lesson 3
Managing and updating an Office 365 client
deployment
Contents:
Question and Answers 7

Question and Answers


Question: Which of the following software update point classifications do you need to select to support
Office 365 client updates?

( ) Critical Updates

( ) Definition Updates

( ) Updates

( ) Upgrades

( ) Security Updates

Answer:
( ) Critical Updates

( ) Definition Updates

(√) Updates

( ) Upgrades

( ) Security Updates

Feedback: The Updates classification is needed to download updates related to an Office 365
client.

Module Review and Takeaways


Question: You decide to exclude Microsoft Access from a specific Office 365 ProPlus deployment. What
can you do to begin the process?

Answer: You can modify the configuration.xml file and add the exclusion by using the
ExcludeApp section.
Question: You have a specific workstation that two people share during opposite work shifts. What can
you do to ensure that each person has a valid license for Office 365?

Answer: Be sure to include the SharedComputerLicensing property and have it set to True in
the Configuration.xml file.
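The two configuration.xml changes described in the answers above, combined in one file and applied with the Office Deployment Tool. This is an added example, not course material or a Microsoft deployment script: the share \\FILESERVER\Office365 and the file locations are placeholders, and the script assumes the ODT setup.exe and the downloaded Office source files are already on that share. Note that the ODT writes the enabled state of SharedComputerLicensing as Value="1".

```powershell
# Added example (not from the course): writes an Office Deployment Tool
# configuration.xml that excludes Access and turns on shared computer
# activation, validates it, then runs setup.exe /configure against it.
# Hypothetical inputs: \\FILESERVER\Office365 is a placeholder share that
# holds the ODT setup.exe and the downloaded Office source files.

$OdtRoot    = '\\FILESERVER\Office365'
$ConfigPath = Join-Path $OdtRoot 'configuration.xml'

$configXml = @"
<Configuration>
  <!-- Deferred Channel, 32-bit build, installed from the share -->
  <Add OfficeClientEdition="32" Channel="Deferred" SourcePath="$OdtRoot">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <!-- ExcludeApp keeps Access out of this deployment -->
      <ExcludeApp ID="Access" />
    </Product>
  </Add>
  <!-- Shared computer activation for the two-shift workstation;
       the ODT expresses the enabled value as 1 -->
  <Property Name="SharedComputerLicensing" Value="1" />
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
"@

# Parse before writing so a malformed file fails here, not on every client
[xml]$parsed = $configXml
$excluded = @($parsed.Configuration.Add.Product.ExcludeApp | ForEach-Object { $_.ID })
$shared   = ($parsed.Configuration.Property |
             Where-Object { $_.Name -eq 'SharedComputerLicensing' }).Value
if ($excluded -notcontains 'Access' -or $shared -ne '1') {
    throw 'configuration.xml does not contain the expected settings'
}

Set-Content -Path $ConfigPath -Value $configXml -Encoding UTF8

# /configure installs according to the XML; exit code 0 means success
$proc = Start-Process -FilePath (Join-Path $OdtRoot 'setup.exe') `
    -ArgumentList "/configure `"$ConfigPath`"" -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Office Deployment Tool failed with exit code $($proc.ExitCode)"
}
"Deployed Office 365 ProPlus without Access; shared computer activation enabled."
```

The parse step is the part worth keeping: a configuration.xml that is not well-formed is only discovered when setup.exe runs, so validating it once where the file is authored is cheaper than troubleshooting failed installations on every targeted workstation.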

Lab Review Questions and Answers


Lab A: Preparing Office 365 for application deployment
Question and Answers
Question: Ada Russel is a user in your organization. She signs in to the Office 365 portal and attempts to
download and install Office 365 ProPlus applications manually. However, she cannot see any available
applications. What do you need to do?

Answer: You need to ensure that Ada Russel has been assigned a license for the Office 365
applications. You can assign the license from the user account object in the Office 365 admin
center.
Question: What is the default update channel for Office 365 applications that you download from the
Office 365 portal?

Answer: The default channel is the Deferred Channel (Semi-annual Channel (Broad)) that
provides updates every four months.

Question: You want to prevent users from using the Office 365 portal to install applications. What should
you do?
Answer: Configure software download settings and turn off all options in the Office 365 portal.

Lab B: Deploying and managing Office 365 client applications by using
Configuration Manager

Question and Answers


Question: You deployed the Office 365 ProPlus client to Configuration Manager workstations. However,
the Office 365 Client Management dashboard does not show the status of the deployment. What do
you need to do?
Answer: You need to verify that hardware inventory is being collected from the clients. Also,
verify that the hardware inventory classes include the Office 365 classes. Finally, make sure that
the client device settings are configured to enable Office 365 client agent management.
Question: You want to enable the management of the Office 365 client agent only on specific
workstations. What should you do?

Answer: You should create a custom client device setting and deploy it to the specific collections
that contain the workstations.

Module 5
Mobile device management by using Configuration
Manager
Contents:
Lesson 1: Overview of mobile device management 2
Lesson 2: Configuring the Exchange Server connector for mobile device management 4

Module Review and Takeaways 6

Lab Review Questions and Answers 7



Lesson 1
Overview of mobile device management
Contents:
Question and Answers 3
Resources 3

Question and Answers


Question: Your organization does not use Office 365, but does use Exchange Server 2013 and
Configuration Manager in its on-premises deployment. You want to manage Android and iOS devices that
employees are using to check organizational email. However, you do not want to deploy client software
on those devices. Which mobile device management solution might you use in this instance?

Answer: If you want to manage Android and iOS devices that employees are using to check
organizational email, without deploying client software on those devices, use Exchange Server
Connector with your Configuration Manager deployment.

Resources

What is OMA DM?

Additional Reading: For more information on OMA DM, refer to “OMA DM protocol
support” at http://aka.ms/Lb6evj.

Lesson 2
Configuring the Exchange Server connector for
mobile device management
Contents:
Question and Answers 5
Resources 5

Question and Answers


Question: Which versions of Exchange support the Exchange Server Connector?

Answer: The following versions of Exchange support Exchange Server Connector:

• Exchange Server 2010 with Service Pack 1 (SP1)

• Exchange Server 2010 with SP2

• Exchange Server 2013

• Exchange Server 2016

• Exchange Online (Office 365)

Resources

Managing access to Exchange by using conditional access

Additional Reading: For more information on conditional access, refer to “Manage access
to services in System Center Configuration Manager” at https://aka.ms/tkn3y8.

Module Review and Takeaways


Review Question
Question: In what scenarios would you use the Exchange Server connector over another mobile device
management solution?

Answer: Answers will vary, but will often include a requirement that the organization wants to
perform some form of device management that only interacts with organizational infrastructure
through Exchange messaging. It could also be necessary to perform some level of management
without deploying client software on the device to be managed.

Lab Review Questions and Answers


Lab: Managing mobile devices by using the Exchange Server connector
Question and Answers
Question: You manage mobile devices by using the Exchange Server connector. Which management
tasks can you perform on synchronized devices? (Choose all that apply)

( ) Retire/Wipe

( ) Deploy applications

( ) Install the Configuration Manager client

( ) Allow/Block Exchange ActiveSync Access

( ) Disable the camera

Answer:
(√) Retire/Wipe

( ) Deploy applications

( ) Install the Configuration Manager client

( ) Allow/Block Exchange ActiveSync Access

(√) Disable the camera

Question: You need to be sure that any mobile devices that have not been active for 30 days are not
synchronized into Configuration Manager from Exchange Server. What should you do?
Answer: Modify the Exchange Server Connector Properties, enable the Ignore mobile devices
that are inactive for more than (days) option, and set the value to 30.

Module 6
Hybrid MDM with Configuration Manager and Intune
Contents:
Lesson 1: Planning and preparing for hybrid MDM 2

Lesson 2: Configuring hybrid MDM with Configuration Manager and Intune 4


Module Review and Takeaways 6

Lab Review Questions and Answers 7



Lesson 1
Planning and preparing for hybrid MDM
Contents:
Question and Answers 3
Resources 3

Question and Answers


Question: Which of the following enrollment methods performs a factory reset of the device? (Select all
that apply)

( ) BYOD

( ) DEP

( ) Device enrollment manager

( ) Apple Configurator

( ) Azure AD autoenrollment

Answer:
( ) BYOD

(√) DEP

( ) Device enrollment manager

(√) Apple Configurator

( ) Azure AD autoenrollment

Resources

Differences between Intune stand-alone and hybrid MDM

Reference Links: As of July 2017, Intune stand-alone has moved many of its features to the
Microsoft Azure cloud platform. This provides Intune with enhanced scalability, role-based access
through the Azure Portal, custom reporting, and programmatic access using a software
development kit (SDK) and Windows PowerShell management options.

Lesson 2
Configuring hybrid MDM with Configuration
Manager and Intune
Contents:
Question and Answers 5
Resources 5

Question and Answers


Question: Which of the following components are used to configure the Mobile Device Management
Authority for a hybrid MDM solution?

( ) Company Portal

( ) Service connection point

( ) Azure

( ) Intune subscription

( ) Office 365

Answer:
( ) Company Portal

( ) Service connection point

( ) Azure

(√) Intune subscription

( ) Office 365

Feedback:
When you configure the subscription settings to Intune from within the Configuration Manager
console, you are prompted to set the Mobile Device Management Authority.

Resources

Overview of the service connection point site system role

Additional Reading: For more information about the Service Connection Tool, refer to “Use
the Service Connection Tool for System Center Configuration Manager” at
https://aka.ms/h5d7df.

Module Review and Takeaways


Review Questions
Question: How will your organization enroll devices into your MDM environment?

Answer: Answers will vary, but might include the Apple Device Enrollment Program (DEP), Apple
Configurator, manual enrollment using Company Portal, automatic enrollment using Azure, or
bulk enrollment using the device enrollment manager.

Question: What are the uses of the service connection point?

Answer: Uses for the service connection point include:

• Download Configuration Manager service and feature updates.

• Upload usage data from the Configuration Manager infrastructure.

• Provide the connection and authentication to Intune for both hybrid and on-
premises MDM.

Lab Review Questions and Answers


Lab: Configuring hybrid MDM
Question and Answers
Question: You decide to allow users to enroll up to three devices each. Where would you go to configure
this setting?

Answer: This setting can be configured by opening the Microsoft Intune Subscription Properties
and then changing the Device Enrollment Limit value. This value is also configured when you add
the new subscription.

Question: During the subscription configuration, you need to specify a collection. What is the purpose of
this collection?

Answer: The user collection specified in the Intune subscription contains the list of users that are
enabled to enroll devices for management.

Module 7
Device platform enrollment by using Configuration Manager
MDM
Contents:
Lesson 1: Enrolling Windows devices into MDM 2
Lesson 2: Enrolling Android devices into MDM 4

Lesson 3: Enrolling iOS devices into MDM 6

Lesson 4: Managing mobile devices in Configuration Manager 8


Module Review and Takeaways 10

Lab Review Questions and Answers 11



Lesson 1
Enrolling Windows devices into MDM
Contents:
Question and Answers 3
Resources 3

Question and Answers


Question: Which of the following information can an administrator access on a managed device? (Choose
all that apply)

( ) Passwords

( ) Personal email

( ) Contacts

( ) Phone number of the device

( ) Model and manufacturer of the device

Answer:
( ) Passwords

( ) Personal email

( ) Contacts

(√) Phone number of the device

(√) Model and manufacturer of the device

Resources

Enabling Windows Device Management for PCs and mobile devices

Additional Reading: For more information, refer to “Windows Hello for business settings
in System Center Configuration Manager (hybrid)” at https://aka.ms/pdu2gh.

User-based enrollment for Windows 10 devices

Additional Reading: For information on enrolling Windows 8.1 devices, refer to “Enroll
your Windows device in Intune” at https://aka.ms/o0ghrd.

Lesson 2
Enrolling Android devices into MDM
Contents:
Question and Answers 5
Resources 5

Question and Answers


Question: You need to configure Android for Work settings for your hybrid MDM solution. Which of the
following will you use to configure the settings?

( ) The Company Portal app

( ) Configuration Manager

( ) Microsoft Azure

( ) The Intune classic portal

( ) The Office 365 portal

Answer:
( ) The Company Portal app

( ) Configuration Manager

( ) Microsoft Azure

(√) The Intune classic portal

( ) The Office 365 portal

Feedback:
To configure Android for Work settings, you need to access the Intune classic portal.

Resources

Enabling Android for Work enrollment

Additional Reading: You can create a Google account at https://aka.ms/alfnj1.



Lesson 3
Enrolling iOS devices into MDM
Contents:
Question and Answers 7
Resources 7

Question and Answers


Question: Approximately one month ago, you exported an enrollment profile URL for Apple Configurator
enrollment. You attempt to use the enrollment profile, and you receive an error. What do you need to do?

( ) Configure the device to be in unsupervised mode.

( ) Create a DEP token request.

( ) Configure the device to be in supervised mode.

( ) Enable user device affinity.

( ) Export a new enrollment profile URL.

Answer:
( ) Configure the device to be in unsupervised mode.

( ) Create a DEP token request.

( ) Configure the device to be in supervised mode.

( ) Enable user device affinity.

(√) Export a new enrollment profile URL.

Feedback:
An exported enrollment profile URL expires after two weeks. You will need to regenerate the
enrollment profile URL.

Resources

Apple Configurator enrollment

Additional Reading: For more information about creating a CSV file for predeclared
devices, refer to “Predeclare devices with IMEI or iOS serial numbers” at https://aka.ms/qxwk4s.

Managing iOS Activation Lock

Additional Reading: For more information about the Find My iPhone Activation Lock
feature, refer to “Find My iPhone Activation Lock” at https://aka.ms/a8klqv.
Additional Reading: For more information on creating configuration items for iOS and
Mac OS X devices, refer to “How to create configuration items for iOS and Mac OS X devices
managed with Intune” at https://aka.ms/xeta3j.

Lesson 4
Managing mobile devices in Configuration Manager
Contents:
Question and Answers 9
Resources 9

Question and Answers


Question: You decide to apply a policy to specify rules for connecting to Exchange Online. Which types
of policies are needed to support this task? (Select all that apply)

( ) Group Policy

( ) Compliance policies

( ) Application management policies

( ) App configuration policies

( ) Conditional access policy

Answer:
( ) Group Policy

(√) Compliance policies

( ) Application management policies

( ) App configuration policies

(√) Conditional access policy

Feedback:
To apply rules for connecting to Exchange Online, you need to configure conditional access
policy settings and associated compliance policies.

Resources

Managing applications for mobile devices

Additional Reading: For more information on managing volume-purchased apps, refer to:

• “Manage volume-purchased iOS apps with System Center Configuration Manager” at
https://aka.ms/oxksbx.

• “Manage apps from the Windows Store for Business with System Center Configuration Manager”
at https://aka.ms/b5k6m5.

• “Create Android applications with System Center Configuration Manager” at
https://aka.ms/as3evb.

Protecting company data by using mobile application management
policies

Additional Reading: For a list of managed apps that support application management
policies, refer to “Offer security and familiarity with Intune-managed apps” at
https://aka.ms/y5av86.

Module Review and Takeaways


Question: Which types of configuration policies do you think you will use in your organization for your
MDM environment?

Answer: Answers will vary, but might include password policies and feature restrictions.

Question: Which bulk mobile device enrollment methods will you use in your organization?

Answer: Answers will vary, but should include Apple Configurator for iOS.

Lab Review Questions and Answers


Lab A: Enrolling Windows devices into a hybrid mobile device
management (MDM) environment

Question and Answers


Question: Your manager is wondering if you need to obtain an application enrollment token for your
Windows 10 mobile phones. What do you tell your manager?

Answer: Explain to your manager that you do not need to obtain the tokens. An application
enrollment token is required only for Windows Phone 8.0 devices. However, because you are
managing only Windows 10 devices, you do not need to configure the application enrollment
token settings.

Question: During the lab, you installed the Company Portal app by using the Windows Store. What are
some alternative ways to deploy and install the app on devices?

Answer: You can install the Company Portal app from Microsoft Store for Business, or you can
sideload the app and deploy it by using standard Configuration Manager application deployment
tasks.

Lab B: Enrolling Android devices into a hybrid MDM environment

Question and Answers


Question: During the Android for Work configuration, you had to bind a Google account to Intune. What
was the purpose of this binding process?
Answer: The binding process connects Google’s Play for Work service to Intune. This
provides managed application deployment and more granular management and separation of
profiles on the Android device.

Question: In the lab, when you configured the Android for Work binding, a synchronization error
displayed in Configuration Manager. How can you fix this error?
Answer: The synchronization error appeared because you did not publish any application from
the Google Play for Work website. This error will disappear as soon as you publish an application
from the Google Play for Work website.

Lab C: Managing mobile devices in hybrid MDM

Question and Answers


Question: You need to create a configuration item setting for a specific mobile device. How can you be
sure that the setting is compatible with the targeted mobile device?

Answer: When you create the configuration item, the Supported Platforms page will display
any compatibility issues with the configuration item.

Question: In the lab, after you configured apps to be available to the mobile device user, where would
the user find the available apps?
Answer: The user can view the published apps in the Company Portal app.

Module 8
On-premises mobile device management using
Configuration Manager
Contents:
Lesson 1: Overview of On-premises mobile device management 2
Lesson 2: Configuring On-premises MDM using Configuration Manager 6

Module Review and Takeaways 10

Lab Review Questions and Answers 11



Lesson 1
Overview of On-premises mobile device management
Contents:
Question and Answers 3
Resources 5

Question and Answers


Question: Which of the following devices can you manage by using On-premises MDM?

( ) Windows 10 Home

( ) Windows 10 Team

( ) Windows 10 Pro

( ) Android 6 (“Marshmallow”)

( ) Android 7 (“Nougat”)

Answer:
( ) Windows 10 Home

(√) Windows 10 Team

(√) Windows 10 Pro

( ) Android 6 (“Marshmallow”)

( ) Android 7 (“Nougat”)

Feedback:
You can only use On-premises MDM for managing modern Windows 10 devices. This includes
Windows 10 Team and Windows 10 Pro devices. You cannot enroll Windows 10 Home for On-
premises MDM.
Question: Which of the following Configuration Manager site system roles does On-premises MDM
require?

( ) Configuration Manager site database server

( ) Certificate registration point

( ) Distribution point

( ) Enrollment point

( ) Exchange Server connector

Answer:
(√) Configuration Manager site database server

( ) Certificate registration point

(√) Distribution point

(√) Enrollment point

( ) Exchange Server connector


Feedback:

From the listed site system roles, On-premises MDM requires only the Configuration Manager
site database server, distribution point, and enrollment point.

What is On-premises MDM?


Question: Can you implement On-premises MDM in an environment that does not have Internet
connectivity?

Answer: If you want to implement On-premises MDM, you must add the Microsoft Intune
subscription to Configuration Manager. In such a scenario, Intune is used only for tracking device
licensing, and not for device management. However, an Intune subscription is mandatory.
Because Intune is a cloud service, you cannot use it in an environment without Internet
connectivity, which means that you cannot implement On-premises MDM in an environment
without Internet connectivity.

Question: Can you implement On-premises MDM in an environment without PKI?

Answer: No. All communication between managed mobile devices and the On-premises MDM
infrastructure is encrypted with Secure Sockets Layer (SSL), which requires that Configuration
Manager servers have certificates. Modern devices that are managed by On-premises MDM must
trust the certification authority that signed those certificates and must be able to access the CRL
distribution point.

Advantages and disadvantages of On-premises MDM


Question: Do you need to deploy an agent to devices that you want to manage by using On-premises
MDM?

Answer: No. Management of devices by using On-premises MDM is based on the OMA DM
standard, and modern devices already implement support for this standard in their operating
systems. Therefore, you do not need to deploy any agent to devices that you want to manage by
using On-premises MDM.
Question: Do you have the same management options for client devices that have the Configuration
Manager agent installed and for devices that On-premises MDM manages?

Answer: No, On-premises MDM management provides less extensive client management
functionality compared to devices that have the Configuration Manager agent installed. For
example, with On-premises MDM-managed devices, you cannot perform software inventory and
discovery.

Supported devices for On-premises MDM


Question: Can you use On-premises MDM for managing Android 7 Nougat devices?
Answer: You can enroll and manage only Windows 10 devices by using On-premises MDM. You
cannot use On-premises MDM for managing Android or Apple iOS devices. If you want to
manage an Android 7 device, you should implement Hybrid MDM.
Question: Your company has recently purchased the Microsoft Surface Hub device. Can you enroll and
manage the device by using On-premises MDM?

Answer: Surface Hub is a conferencing and presentation device that runs on the Windows 10
Team operating system. Because you can enroll the Windows 10 Team operating system for On-
premises MDM, you can manage the Surface Hub device by using On-premises MDM.

Planning for On-premises MDM


Question: To implement On-premises MDM, do you need to have the System Health Validator Point site
system role in your Configuration Manager deployment?

Answer: No, the System Health Validator Point site system role is not needed for On-premises
MDM. If you want to implement On-premises MDM, you must make sure that the Configuration
Manager deployment includes the enrollment point, proxy enrollment point, management point,
and distribution point site system roles.
Question: Which protocol do modern Windows 10 devices use for communicating with the On-premises
MDM infrastructure?

Answer: Modern Windows 10 devices use the HTTPS protocol for communicating with On-
premises MDM infrastructure.

Resources
Advantages and disadvantages of On-premises MDM

Additional Reading: For more information on how to select a device management
solution and which features are supported by various management solutions, refer to “Choose a
device management solution for System Center Configuration Manager” at
https://aka.ms/goz6op.

Supported devices for On-premises MDM

Additional Reading: For more information on Windows 10 Team and how it compares to
Windows 10 Enterprise, refer to “Differences between Surface Hub and Windows 10 Enterprise” at
https://aka.ms/anvb6i.
Additional Reading: For a complete list of supported platforms that can be managed by
Configuration Manager, refer to “Supported operating systems for clients and devices for System
Center Configuration Manager” at https://aka.ms/joz2l0.

Lesson 2
Configuring On-premises MDM using Configuration
Manager
Contents:
Question and Answers 7
Resources 9

Question and Answers


Question: You recently created a new user in AD DS. The user complained that he is not able to enroll his
device for On-premises MDM, even though all other users are able to enroll their devices for On-premises
MDM. What should you do?

Answer: The user can enroll devices for On-premises MDM only after he is discovered by
Configuration Manager through the Active Directory discovery method and added to the user
collection that can enroll devices. You should verify if the user is already in the Configuration
Manager collection, and if he is not, you should run discovery for Active Directory users.
Question: How many modern devices can a user enroll for On-premises MDM by default?

( ) 1

( ) 5

( ) 15

( ) 25

( ) 255

Answer:
( ) 1

( ) 5

(√) 15

( ) 25

( ) 255

Feedback:
By default, a user can enroll 15 modern devices for On-premises MDM. You can view and modify
this setting on the properties of the Microsoft Intune subscription in the Configuration Manager
console.

Setting up the Intune subscription for On-premises MDM


Question: Do you need to use Microsoft Intune for managing modern devices in an On-premises MDM
implementation?

Answer: No, you only need Configuration Manager for managing modern devices in an On-
premises MDM implementation. You still require Microsoft Intune for tracking licenses and for
notifying Internet-connected modern devices that an updated policy is available on the
management point.

Question: When you add the Microsoft Intune subscription to Configuration Manager, you specify that
users in Collection1 will be able to enroll their devices for management. Later, you discover that users who
are not in Collection1 are also able to enroll their devices for On-premises MDM. What might be the
reason for such behavior?
Answer: You can specify the user collection whose members will be able to enroll their devices
for management in the Create Microsoft Intune Subscription Wizard. This setting is used only
with Hybrid MDM; it is ignored for On-premises MDM. For On-premises MDM, you configure the
enrollment settings in Default or Custom Client Settings.

Setting up site system roles for On-premises MDM


Question: You are using Configuration Manager for managing company PCs on a company network by
using client agents. You plan to implement On-premises MDM for your company. Do you need to deploy
a management point site system role on company network?

Answer: Because you are managing PCs, the Configuration Manager deployment already has
management point(s). Therefore, you don’t need to deploy a new management point for
managing modern devices. You just need to make sure that the management point is configured
properly for managing modern devices.
Question: Can you manage a Windows 10 modern device that is connected to the Internet by using On-
premises MDM?

Answer: No. Configuration Manager (Current Branch) only supports intranet connections from
modern devices to the distribution points and management points for On-premises MDM. If a
Windows 10 modern device is connected to the Internet, you cannot manage it by using On-
premises MDM.

Certificate requirements for On-premises MDM


Question: Do modern devices that are managed by On-premises MDM require a device certificate?
Answer: No. Devices that are managed by On-premises MDM do not need any certificate. But
they must trust the CA that issued certificates for the On-premises MDM infrastructure.

Question: Why is the default AD CS configuration not appropriate if you want to manage workgroup
devices?
Answer: By default, AD CS publishes the CRL in AD DS. Domain devices can access it, but if a
device is not a domain member, it cannot access the CRL. If you want to use On-premises MDM to
manage workgroup devices, you must make sure that the CA publishes the CRL to a location that
is accessible to these devices. Therefore, you should configure AD CS to publish the CRL to a location
where it can be accessed by using HTTP.

Enabling modern device enrollment in On-premises MDM


Question: Where do you configure the Management site code that is used for managing On-premises
MDM clients?
Answer: You configure the Management site code that is used for managing On-premises MDM
clients in the enrollment profile in the Configuration Manager client settings. You also can
configure the Configuration Manager site code in the wizard when adding a Microsoft Intune
subscription to Configuration Manager. But the code in Intune subscription is used only for
Hybrid MDM, and it is ignored for On-premises MDM.
Question: What must you install on modern Windows 10 devices that are not domain members if you
want to manage them by using On-premises MDM?

Answer: If you want to manage modern Windows 10 devices that are not domain members by
using On-premises MDM, you must install a root CA certificate on these devices. The certificate is
installed in the trusted root CAs certificate store.

Configuration Manager client settings for On-premises MDM


Question: How can you limit the number of users who can enroll their modern devices for On-premises
MDM?

Answer: You need to create custom client settings, configure enrollment in these client settings,
and then deploy the custom client settings to a user collection that contains users who should be
able to enroll their modern devices.

Question: Which three client settings does Configuration Manager support for On-premises MDM?

Answer: For On-premises MDM, Configuration Manager supports only the enrollment, client
policy, and software deployment client settings.

Enrolling devices for On-premises MDM


Question: Your company has purchased 20 Windows 10 devices. You need to enroll the devices for On-
premises MDM with minimal effort. What should you do?

Answer: If you want to enroll multiple devices for On-premises MDM with minimal effort, you
should create an enrollment package and run it on the devices. You can create an enrollment
package in the Configuration Manager console.

Question: You have a Windows 10 tablet that is in a workgroup. What must you do on the tablet before
you can manually enroll it for On-premises MDM?
Answer: Before you can enroll a modern Windows 10 device for On-premises MDM, the device
must trust the CA that signed the certificate used by the enrollment point. Because the tablet is in
a workgroup, you must add the CA to the trusted root CAs before you can manually enroll the
device for On-premises MDM.

Resources

Setting up site system roles for On-premises MDM

Additional Reading: For more information on the Configuration Manager site
system roles, refer to “Plan for site system servers and site system roles for System Center
Configuration Manager” at https://aka.ms/u84i7c.

Configuration Manager client settings for On-premises MDM

Additional Reading: For more information on the Configuration Manager client settings,
refer to “About client settings in System Center Configuration Manager” at https://aka.ms/ac4x5t.

Module Review and Takeaways


Review Questions
Question: You need to decide whether to deploy On-premises MDM or Hybrid MDM, in which you would
integrate Configuration Manager with Microsoft Intune. At present, users only have modern Windows 10
devices, but your company might purchase Apple iPhones to complement corporate-owned offerings.
What should you choose, and why?

Answer: You should choose to deploy a Hybrid MDM solution. By using On-premises MDM, you
can manage only modern Windows 10 devices. If some users were to obtain iOS devices later,
you would not be able to manage these devices by using On-premises MDM. You can use Hybrid
MDM for managing modern Windows 10, iOS, and Android devices.
Question: What are modern devices? Can you manage all modern devices by using On-premises MDM?

Answer: Modern devices are devices that include support for the OMA DM standard. This
standard specifies how you can manage a device, and devices that support this standard don’t
need an additional agent for you to manage them. On-premises MDM uses the OMA DM
standard for managing devices, but only Windows 10 devices can be enrolled and managed by
On-premises MDM. Other modern devices cannot be managed by On-premises MDM.

Question: Do you use Microsoft Intune for managing devices that are enrolled for On-premises MDM?

Answer: No. Although a Microsoft Intune subscription is required for On-premises MDM, you do not
use Intune for managing devices in such an environment. You use Intune only for tracking licenses
for the enrolled devices, not for managing the devices. If devices have Internet connectivity, Intune
can also notify a device to check for a policy update on the management point.

Lab Review Questions and Answers


Lab: Managing mobile devices with an On-premises infrastructure
Question and Answers
Question: Why do you need to add a CDP that can be accessed over HTTP?

Answer: By default, an enterprise CA publishes its CRL to AD DS, and the CDP in the issued
certificates points to that LDAP location, which only domain members can read. However, many
devices that you want to manage by using On-premises MDM, including LON-BYOD1-B and
LON-BYOD2-B, are in a workgroup and cannot access the CRL in AD DS. Without a reachable CRL,
revocation checking of the enrollment point's certificate fails on those devices. Therefore, you need
to add a CDP that is accessible over the HTTP protocol.

Question: Why do you need to import the AdatumCA root CA certificate into the trusted root CAs store
on LON-BYOD1-B to be able to enroll it for On-premises MDM? Why did you not need to import the
root CA certificate on LON-BYOD2-B?

Answer: The root CA certificate must be in the trusted root store of a modern Windows 10 device
before you can enroll the device for On-premises MDM. Initially, neither LON-BYOD1-B nor
LON-BYOD2-B trusted the AdatumCA CA. On LON-BYOD1-B, you imported the certificate
manually, whereas on LON-BYOD2-B the root CA certificate was included in the enrollment
package and was imported when you ran the enrollment package.
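The manual preparation of a workgroup device described in the enrollment question above and in this lab answer (trusting the root CA, and needing an HTTP-reachable CRL), as an added example that is not part of the course material: the script imports the root CA on the device, retrieves the certificate the enrollment point presents, lists its CDP URLs, and then builds the chain with online revocation checking, which is the check that fails when only an LDAP CDP exists. The certificate file path and the enrollment point name and port are assumptions for illustration.

```powershell
# Added example (not from the course). Run elevated on the workgroup Windows 10 device
# before manual enrollment. Assumed (hypothetical) values: the exported root CA at
# C:\Temp\AdatumCA.cer and the enrollment point LON-CM1.adatum.com on port 443.
param(
    [string]$RootCerPath     = 'C:\Temp\AdatumCA.cer',
    [string]$EnrollmentPoint = 'LON-CM1.adatum.com',
    [int]$Port               = 443
)

# 1. Import the root CA into the machine-wide Trusted Root store.
$root = Import-Certificate -FilePath $RootCerPath -CertStoreLocation 'Cert:\LocalMachine\Root'
"Imported root CA: $($root.Subject)"

# 2. Retrieve the certificate the enrollment point presents. The callback accepts any
#    certificate here only so that validation is done explicitly in step 4.
$tcp = [System.Net.Sockets.TcpClient]::new($EnrollmentPoint, $Port)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { param($s, $c, $ch, $e) $true })
$ssl.AuthenticateAsClient($EnrollmentPoint)
$serverCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# 3. Inspect the CRL Distribution Points extension (OID 2.5.29.31). An ldap:/// CDP is
#    readable only by domain members; a workgroup device needs an http:// CDP.
$cdp  = $serverCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$urls = @()
if ($cdp) {
    $urls = [regex]::Matches($cdp.Format($true), '(?i)\b(ldap|http)://[^\s]+') | ForEach-Object { $_.Value }
}
$urls | ForEach-Object { "CDP: $_" }
if (-not ($urls | Where-Object { $_ -like 'http://*' })) {
    Write-Warning 'No http:// CDP on the enrollment point certificate; revocation checking will fail on workgroup devices.'
}

# 4. Build the chain with online revocation checking of the entire chain, as the MDM
#    client does. A failure here is what blocks enrollment, and ChainStatus says why.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
if ($chain.Build($serverCert)) {
    'Chain builds and the CRL is reachable: the device can be enrolled for On-premises MDM.'
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning ('{0}: {1}' -f $_.Status, $_.StatusInformation.Trim()) }
}
```

A device that trusts the root but cannot fetch the CRL reports RevocationStatusUnknown or OfflineRevocation in step 4; adding the HTTP CDP on the CA and reissuing the enrollment point's certificate, as the lab does, is what turns that into a clean chain.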

Question: How can you differentiate devices that are managed by On-premises MDM from devices that
are managed by the Configuration Manager agent in the Configuration Manager console?
Answer: In the Configuration Manager console, devices that are managed by On-premises MDM
are represented by a different icon compared to devices that are managed by the Configuration
Manager agent. If a device is managed by the installed agent, it is represented by a computer
icon. If the device is managed by On-premises MDM, it is represented by a mobile device icon.