When communication is a matter of life or death: A mobile device solution for a city ambulance service

Using Microsoft Intune, together with System Center Configuration Manager (SCCM), Kocho designed a unified hybrid solution.

Results

Difficulties tracking a growing number of mobile devices

The ambulance service needed a way to manage the hundreds of mobile devices being used by their staff, as they had lost track of how many devices were being used. They needed a new system that gave them visibility of exactly who was using what and when.

Sophisticated telecommunications systems are already in place for emergency procedures. What the ambulance service needed to manage were the devices used by staff for routine and regular business interactions.

Their long-term plan was to standardise on the Windows platform and, in the future, offer a bring-your-own-device (BYOD) option – but their immediate need was to manage the ambulance service devices that were already out there.

They were referred to Kocho by Microsoft, who recommended us as the technical partner with the right skills and experience. We sent Mat Richards, Head of Enterprise Mobility and Security at Kocho, to find out more.

Upgrading the old server, and migrating to the new version of SCCM 2012

“They were using System Center Configuration Manager (SCCM) to manage their on-premises devices; their desktops, laptops, and servers,” reveals Mat Richards. “We identified a big hurdle almost immediately, which could have been a show-stopper. Their existing implementation of SCCM was very old; they were running version 2007 and they needed 2012 R2.”

This was concerning, as SCCM was deeply embedded within their policies, profiles, and processes. It wasn’t going to be a case of simply upgrading the SCCM server.

We recommended a brand-new SCCM 2012 R2 server with all the latest patches and updates. This was to be used in isolation of their existing installation to manage their mobile devices.

This server would be the target for future migration. This allowed for a controlled migration of settings and configuration from the old platform onto the platform already managing their mobile devices.

They were gradually able to introduce their on-premises desktops, laptops, and servers to the platform and then decommission their 2007 version.

Integrating the new server with Microsoft Intune and providing profiles for secure access to email and Wi-Fi

The next project was integrating the new SCCM 2012 R2 server into the Microsoft Intune service. We configured it to manage only Windows phone devices, as they had no requirement for Android or iOS.

They could potentially deploy native applications to the Windows Phone platform, so we helped them procure the necessary certificates from Symantec.

We developed a baseline of security policies to control things like power-on passwords, the complexity of passwords (alpha-numeric, lengths), PINs, and so on.

We deployed email and Wi-Fi profiles to the devices, allowing users to enrol into Microsoft Intune and automatically get access to their email. This made it nice and simple for users. Similarly, with Wi-Fi access, we pre-configured it to allow users immediate access.

The Microsoft Intune deployment took about seven days. The client also wanted to use federation, allowing users to be authenticated against an on-premises Active Directory (AD) when they enrolled their devices and used company data.

We used Active Directory Federation Services on-premises which we federated with the Azure Active Directory. Whenever users accessed any Azure-based resource (including Intune), it would be redirected for authentication to the on-premises AD.