Our client, a city ambulance service, provides free 24/7 emergency healthcare to millions of people within an urban area of 600 square miles. Its 4,500 staff, stationed at 70 sites, offer scheduled patient transport and emergency healthcare, and work closely with other services on major incidents. When every second saved could be a matter of life or death, swift and secure communication systems are essential.
Speed and communications save lives. The city ambulance service has, by definition, a mobile workforce, as well as office-based employees. It was vital that the service found a way to securely manage the ever-increasing number of mobile devices their employees used to do their jobs.
Using Microsoft Intune together with System Center Configuration Manager (SCCM), ThirdSpace designed a unified hybrid solution.
“We developed a baseline of security policies to control things like: power-on passwords, complexity of passwords (alpha-numeric, lengths), PINs and so on.” (Head of Enterprise Mobility and Security, ThirdSpace)
The ambulance service needed to find a way to manage the hundreds of mobile devices being used by their staff, to access email and other organisational information. They had actually lost track of how many devices were being used, and immediately needed a new system to give them visibility of exactly who was using what and when.
Sophisticated telecommunications systems are, of course, already in place for emergency procedures. What the ambulance service needed to manage were the devices, predominantly smartphones, used day-to-day by staff for routine and regular business interactions.
Their long-term plan was to standardise on the Windows platform, and in the future offer a bring-your-own-device (BYOD) option, but their immediate need was to manage those ambulance-service-owned devices that were already out there.
They were referred to ThirdSpace by Microsoft, who, having understood what they were trying to achieve, recommended us as the technical partner with the right skills and experience to help. We sent our consultant, Mat Richards, to find out more.
“They were using System Center Configuration Manager (SCCM) to manage their on-premises devices; their desktops, laptops and servers,” said Mat Richards. “SCCM could manage mobile devices for iOS, Android and Windows platforms and we could take advantage of the native integration between the Microsoft Intune cloud service and on-premises SCCM. There was a connector between the two which meant that you ‘see’ mobile devices in the same way as you would see desktops, laptops and servers. Operationally they worked in the same way. That’s one of its main strengths. But we identified a big hurdle almost immediately which could have been a show-stopper. Their existing implementation of SCCM was very old; they were running version 2007 and they needed 2012 R2.”
The client was very concerned about this, as the ways in which they were using SCCM were deeply embedded within their policies, profiles and processes. So it was more than a simple case of upgrading that server. It could be another complete project in its own right to get SCCM up to the right level. And it wasn’t going to be easy. It might have taken months. But their need was urgent; they had to get some level of management on their mobile devices. The risks of not doing so were too great.
We suggested we stand up a brand-new instance of SCCM 2012 R2 with all the latest patches and updates, and use it in isolation of their existing installation to manage their mobile devices. They agreed. So, we deployed it in a way that allowed them to use it as the target for future migration onto the new platform.
Now, when they were ready to upgrade from SCCM 2007, they had an instance of SCCM 2012 R2 waiting, so a controlled migration of settings and configuration could take place onto the platform already managing their mobile devices. Slowly but surely they were able to introduce their on-premises desktops, laptops and servers, and then decommission their 2007 version.
Having solved the SCCM conundrum, we moved on to the main project: integrating the new SCCM 2012 R2 server into the Microsoft Intune service. We configured it to manage only Windows Phone devices, as they had no requirement for Android or iOS at that moment.
They had the potential to deploy native applications to the Windows Phone platform, so we helped them procure the necessary code-signing certificates from Symantec. After that was set up, we turned to their requirements for security policy. This is common to all instances of Intune. We developed a baseline of security policies to control things like: power-on passwords, complexity of passwords (alpha-numeric, lengths), PINs and so on.
Next, we deployed email and Wi-Fi profiles to the devices, enabling users to enrol into Microsoft Intune and automatically get access to their email without having to configure specific Exchange ActiveSync URLs. This made it nice and simple for users. Similarly, with Wi-Fi access, we pre-configured it to allow users immediate access.
The Microsoft Intune deployment took about seven days. It might have taken fewer, but the client wanted to use federation, so that when users enrolled their devices and used company data they were authenticated against an on-premises Active Directory (AD) rather than Azure AD. To enable that, we used Active Directory Federation Services on-premises, which we federated with Azure Active Directory. This meant that when users tried to access any Azure-based resource, including Intune, they would be redirected back to the on-premises AD to be authenticated.
“The client was very happy with the solution,” said Mat Richards. “And Microsoft are introducing new features and capabilities to Intune virtually every month now, so our client can take advantage of that fast.”