
Enterprise Mobility + Security


Author: Craig Morris, Principal Program Manager, Enterprise Client and Mobility.

As a Windows Intune customer, you have entrusted Microsoft to help protect your data. Microsoft values this trust, and the privacy and security of your data is one of our top concerns.

The information presented below is intended to provide additional details about the shared data that is transmitted between and stored in Configuration Manager and Windows Intune when using the Windows Intune connector.

The Windows Intune connector lets you use Configuration Manager to manage mobile devices with Windows Intune. The connector extends Configuration Manager by establishing a connection to the cloud-based Windows Intune service that manages mobile devices over the Internet. With this connection the IT Administrator is able to manage and provide services (such as application distribution) to the devices employees love to use. In order to accomplish this, the Windows Intune service needs a certain amount of information about the users, enrolled devices, security settings configured, and applications published through Windows Intune.

The goal from the outset of this integration was to minimize the data needed to provide Windows Intune services to users and devices, without compromising on the quality of those services.

The information below refers to the January 2014 releases of Windows Intune and System Center 2012 R2 Configuration Manager. You should read the System Center 2012 R2 Privacy Statement and the Windows Intune Privacy Statement in conjunction with this article.

Customer Data from Configuration Manager stored in Windows Intune

When Configuration Manager connects to the Windows Intune service, the following customer data is sent to and stored in Windows Intune.

Customer Data stored in Windows Intune, with Examples of each:

Compliance settings, app information, and profile information
  • Compliance settings and values, such as requiring a minimum password length of 4 characters.
  • E-mail profile information, such as email server name and time of day preferences.
  • Information to generate certificates for VPN profiles (but not the certificate itself).
  • Name, description, encrypted content, and icon for apps.
  • Any setting needed to onboard devices.

Settings and application assignments for users and devices
  • Software applications deployed to a user
  • Settings applied to devices

Basic information about enrolled users that is used for single sign-on
  • User Principal Name (UPN)
  • User Name
  • Email (if Email profiles are enabled and deployed)

User application request information (for display in the company portal)
  • Software applications requested
  • Installation state
  • Request history

Basic information about enrolled devices for use in the company portal
  • Device name
  • Device friendly name
  • Device Type
  • Device OS
  • Device Action (Wipe/Retire/Connect) state
  • Certificate expiry date
  • Primary user
  • Last connection time

Information used to distribute certs for Wi-Fi and VPN profiles
  • NDES server information
  • System Center Endpoint Protection challenge encryption certificate (public-key only)
  • Certificate provisioning information
  • Certificate assignment and status

Windows Intune Extension Installation status
  • Windows Phone 8.1 extension (V1) is installed

Configuration Manager Version Information
  • Connector Build Version 5.0.7958.1000

Encrypted Side-loading key and assignment information
  • N/A (this is encrypted data)

Remote Connection Profile information for licensed Windows Intune users
  • RD Gateway Server Settings
  • Machine names and Windows Intune users for which this feature is enabled


Customer Data retrieved from Windows Intune and stored in Configuration Manager

The table below lists the customer data that is retrieved from Windows Intune and stored in the Configuration Manager database.

This data is deleted from Windows Intune after it has been successfully downloaded by Configuration Manager.

Type of Customer Data, with the Information it contains:

Customer Data that Windows Intune relays from mobile devices
  • Software and Hardware Inventory
  • Compliance setting
  • Requested Application Installation Status
  • Device Status (enrollment, registration status, wipe/retire state)
  • Side-loading key assignment

End-user initiated commands
  • Device Wipe/Retire action information
  • Application Request information
  • User-generated device commands (rename, wipe, retire, connect now)

Tenant, User, and Device error messages
  • Apple APNS Certificate Expired
  • Side-loading key could not be applied

Windows Intune Extension Packages
  • N/A (this is binary data)

License status for Windows Intune Users
  • GUID (generated per user)

Application distribution status
  • “Application content could not be uploaded to Windows Intune.”


NOTE: For Windows Phone and Android devices, we maintain a cache of inventory data between device sessions to reduce bandwidth costs. It will be removed (within the 90-day data retention period described below under Data Retention) when the device is un-enrolled or the account is deleted.

Customer Data temporarily stored in Windows Intune

Commands sent to and received from mobile devices are temporarily stored in the Windows Intune service while the device is actively connected to the service. This data is subsequently deleted within an hour of the device’s active session expiring.

Microsoft’s commitment to customer data security and privacy

More information on Microsoft’s commitment can be found here:
Windows Intune Trust Center
Windows Intune’s privacy/security whitepaper

Data Security Area, with Microsoft’s commitment for each:

Data Location

Microsoft has a regionalized data center strategy. The customer’s country or region, which the customer’s administrator inputs during initial setup of the online services account, determines the primary storage location for customer data.

Data Retention

Microsoft believes that customers own their own data. When customers do not renew their Windows Intune subscriptions (i.e., they terminate or allow their subscriptions to expire), there is a 90-day data retention period with limited customer access. Thirty days after the end of the data retention period, customer data stored in the Windows Intune service is deleted.

Customers who actively cancel their subscription may choose to disable their accounts and request deletion of their subscriber data.


–Craig Morris

Configuration Manager Resources

Documentation Library for System Center 2012 Configuration Manager

Configuration Manager 2012 Forums

System Center 2012 Configuration Manager Survival Guide

System Center Configuration Manager Support

This posting is provided “AS IS” with no warranties and confers no rights.