
How to Manage Mobile Devices by Using the Windows Intune Connector in Configuration Manager

Updated: January 2013

Applies To: System Center 2012 Configuration Manager SP1


System Center 2012 Configuration Manager SP1 lets you manage Windows Phone 8, Windows RT, iOS, and Android devices by using the Windows Intune service. Although you will be using the Windows Intune service, all the management will be done through the Configuration Manager console, which lets you manage all devices through one interface.

You can help employees access their workplace apps from any location and at any time by using System Center 2012 Configuration Manager SP1 with Windows Intune. You can also control settings such as password settings and device life cycle to help protect your company’s data. Employees are still able to control their own devices by choosing whether to enroll and which apps they want to install and use on their devices.

For Windows Phone 8, Windows RT, and iOS, you can manage device life cycle, device settings, apps, and also collect hardware inventory. Windows Intune takes advantage of the management client that is built directly into the Windows RT and Windows Phone 8 platforms. For iOS, the iOS APIs are used for management. For Android devices, you can manage apps. Windows Intune uses a per-user licensing model that allows each user up to 5 active managed devices.

 

| Capability | Windows RT | Windows Phone 8 | iOS | Android |
| --- | --- | --- | --- | --- |
| Device life cycle management including the ability to retire, wipe, remove, and block devices | Yes | Yes | Yes | No |
| User settings or configuration items that could include settings for password settings, email management, security, roaming, encryption, wireless communication, and certificates | Yes | Yes | Yes | No |
| Line of business app management | Yes | Yes | Yes | Yes |
| Install apps from the store that the device connects to (Windows Store, Windows Phone Store, App Store, Google Play) | Yes | Yes | Yes | Yes |
| Hardware inventory | Yes | Yes | Yes | No |

Company portals are portals that let users control their devices. The company portals are customized for devices, and they are where users can view and download sideloaded apps. Windows RT and Windows Phone 8 have company portal apps that let users manage line of business apps on their devices. For iOS and Android devices, the company portal is a web portal that lets users manage line of business apps on their devices.

The company portal gives users control in configuring their devices. Users can:

 

| Action user can take through the company portal | Windows RT | Windows Phone 8 | iOS | Android |
| --- | --- | --- | --- | --- |
| Enroll local device | Yes | Yes | Yes | No |
| Rename devices | Yes | No | No | No |
| Retire local device | Yes | Yes | No | No |
| Wipe other devices remotely | Yes | No | No | No |
| Install line of business apps | Yes | Yes | Yes | Yes |
| Install apps from the store that the device connects to (Windows Store, Windows Phone Store, App Store, Google Play) | Yes | Yes | Yes | Yes |

Using Configuration Manager and Windows Intune, you can manage user settings, hardware inventory, and device life cycle on Windows RT, Windows Phone 8, and iOS. To manage user settings, hardware inventory, and device life cycle for Android, you can manage user settings that use Exchange ActiveSync by using the Exchange connector in Configuration Manager.

When a device is receiving security settings from both Exchange ActiveSync and Windows Intune, the most restrictive settings apply.

 

| Management Functionality | Windows Intune connector | Exchange Server connector |
| --- | --- | --- |
| App management/deployment | Yes | No |
| Public key infrastructure (PKI) security between the mobile device and Configuration Manager | Yes | No |
| Discovery | Yes | Yes |
| Hardware inventory | Yes | Yes |
| Settings management | Yes | Yes |

You can deploy line of business apps. Users can view and download available apps to their devices through the company portal. There are two ways to deploy apps:

  • You can link to an app available in any of the stores for all the devices. You can set up links to the Windows Store, Windows Phone Store, App Store, and Google Play by using the Configuration Manager console.

  • You can “sideload” a line of business app. Sideloading an app lets you distribute an app directly to a device without going through the Windows Store, Windows Phone Store, App Store, or Google Play. You can sideload an app for Windows Phone 8, Windows RT, iOS, and Android, although there are usually other requirements for an app, depending on the platform.

In order to manage devices, you will need a Windows Intune organizational account. Using your organizational account, you will create a Windows Intune subscription. You will need certificates or keys depending on what platforms you want to enable. The following steps are necessary before you can create the Windows Intune subscription.

  1. Synchronize your Active Directory with Microsoft Azure Active Directory. This lets you set up users so that they can enroll their devices. You will also need to deploy Active Directory Federation Services (AD FS) to enable single sign-on for users.

  2. Obtain a Windows Intune organization account.

  3. Obtain certificates or keys to meet prerequisites per device. Without the required certificates or keys, you cannot manage devices.

  4. Create a DNS alias (CNAME record type). You have to configure a CNAME in the DNS that redirects EnterpriseEnrollment.<company domain name>.com to EnterpriseEnrollment.manage.microsoft.com. For example, if Melissa's email address is Meliss@contoso.com, the admin has to create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to EnterpriseEnrollment.manage.microsoft.com.
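
One way to verify step 4, as an added PowerShell example that is not part of the original documentation: it checks that EnterpriseEnrollment.<domain> is a CNAME to EnterpriseEnrollment.manage.microsoft.com for each domain that appears in user sign-in names. The function name, the injectable resolver, and the fabrikam.example and unset.example records are assumptions constructed for illustration.

```powershell
function Test-EnrollmentCname {
    param(
        [Parameter(Mandatory)][string[]]$Domain,
        [string]$ExpectedTarget = 'EnterpriseEnrollment.manage.microsoft.com',
        # Injectable resolver (an assumption of this example) so the check can
        # also run against constructed records; the default queries DNS.
        [scriptblock]$Resolver = {
            param($Name)
            Resolve-DnsName -Name $Name -Type CNAME -DnsOnly -ErrorAction Stop
        }
    )
    foreach ($d in $Domain) {
        $alias  = "EnterpriseEnrollment.$d"
        $result = [pscustomobject]@{ Alias = $alias; Target = $null; Status = 'Missing' }
        try {
            # Keep only a CNAME answer for the alias itself (ignores SOA/authority rows).
            $cname = & $Resolver $alias |
                Where-Object { $_.Type -eq 'CNAME' -and $_.Name -eq $alias } |
                Select-Object -First 1
            if ($cname) {
                $result.Target = $cname.NameHost.TrimEnd('.')
                $result.Status = if ($result.Target -eq $ExpectedTarget) { 'OK' } else { 'WrongTarget' }
            }
        } catch {
            # NXDOMAIN or a failed lookup leaves Status as 'Missing'.
        }
        $result
    }
}

# Constructed records for an offline run; fabrikam.example and its target are made up.
$records = @{
    'EnterpriseEnrollment.contoso.com' = [pscustomobject]@{
        Name = 'EnterpriseEnrollment.contoso.com'; Type = 'CNAME'
        NameHost = 'EnterpriseEnrollment.manage.microsoft.com' }
    'EnterpriseEnrollment.fabrikam.example' = [pscustomobject]@{
        Name = 'EnterpriseEnrollment.fabrikam.example'; Type = 'CNAME'
        NameHost = 'portal.fabrikam.example' }
}
$offline = {
    param($Name)
    if ($records.ContainsKey($Name)) { $records[$Name] } else { throw 'no record' }
}

Test-EnrollmentCname -Domain 'contoso.com', 'fabrikam.example', 'unset.example' -Resolver $offline |
    Format-Table -AutoSize

# Live check against DNS (Windows 8 / Windows Server 2012 or later):
# Test-EnrollmentCname -Domain 'contoso.com'
```

A WrongTarget result should be resolved before enrollment is opened to users, because enrolling devices contact whatever host the alias resolves to.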

Before you set up your Windows Intune subscription, you have to have synchronized your Active Directory with Azure Active Directory in order to set up users for device management.

  1. Use directory synchronization to populate the account portal with synchronized users and security groups. The synchronized users and security groups are added to Windows Intune. In the Windows Intune Subscription wizard, you will specify the user collection whose users can enroll their devices for management. For more information, see Configure directory synchronization.

  2. For single sign-on, you must deploy AD FS. See Configure single sign-on.

The following table lists the certificates or keys you will need in order to enable mobile platforms.

 

| Platform | Certificates or keys | Where you can get it |
| --- | --- | --- |
| Windows Phone 8 | Code signing certificate: All sideloaded apps must be code-signed. | Buy a code signing certificate from Symantec |
| Windows RT | Sideloading keys: Windows RT devices have to be provisioned with sideloading keys to enable installation of sideloaded apps. All sideloaded apps must be code-signed. | Buy sideloading keys from Microsoft |
| iOS | Apple Push Notification service certificate | Request an Apple Push Notification service certificate from Apple. For more information, see the “How to get an Apple Push Notification service certificate” section. |
| Android | None | |

In order to manage Windows Phone 8 devices, you have to deploy the Windows Phone 8 Company Portal app. In order to deploy the company portal, you have to code-sign it with a certificate that is trusted by the Windows Phone 8 devices.

 

| Step | Description |
| --- | --- |
| (Step 1) Get a Windows Phone Dev Center Publisher ID | Go to the Windows Phone Dev Center to get a Publisher ID. |
| (Step 2) Get a certificate from Symantec | Using your Publisher ID, you can retrieve a certificate from the Symantec website. |
| (Step 3) Download the Windows Phone 8 Company Portal app | Download the Windows Phone 8 company portal app. |
| (Step 4) Obtain the Signtool app from the Windows Phone 8 SDK | Download the Signtool from the Windows Phone 8 SDK. To deploy an app to end users, it must be signed by a certification authority that is trusted by the target Windows Phone 8 devices. Use the Signtool app to sign your apps with the Symantec certificate. |
| (Step 5) Sign the Windows Phone 8 Company Portal app | Use the Signtool and the certificate that you downloaded from Symantec to sign the company portal app. |
| (Step 6) Deploy the Windows Phone 8 company portal app to the manage.microsoft.com distribution point | After you install the connector, you have to deploy the Windows Phone 8 company portal app. See “To Deploy an Application to Mobile Devices”. |
| (Step 7) Sign all apps you plan to deploy to Windows Phone 8 | You must sign all apps you want to deploy to Windows Phone 8 devices by using the same certificate. |

In order to set up app management on Windows RT, you must:

| Requirement | Description |
| --- | --- |
| Obtain sideloading keys | Before you can run sideloaded line of business apps on Windows RT, you must obtain and activate sideloading keys from Microsoft. For more information about sideloading product activation keys, see Microsoft Volume Licensing. |
| Sign all apps | For sideloaded apps to run on Windows RT, you must use a certificate to sign all apps. |

In order to set up app management on iOS, you must:

  1. Download a Certificate Signing Request from Windows Intune. This certificate signing request lets you apply to Apple’s certification authority for an Apple Push Notification service certificate.

  2. Request an Apple Push Notification service certificate from the Apple website.

  1. In the Configuration Manager console, click Administration.

  2. In the Hierarchy Configuration, right-click Windows Intune Subscriptions and select Create APNs certificate request.

  3. Select a location and then click Download.

  4. In the sign in page enter your organizational account and password. Once you sign in, the certificate signing request will be downloaded to the location you specified.

  1. Connect to the Apple Push Certificates Portal.

  2. Sign in and continue through the wizard.

    Note:
    Make sure that you use a company account to obtain the Apple Push Notification service certificate. If you have to go back to the site to renew the certificate, make sure that you use the same credentials.

  3. Upload the Certificate Signing Request that you downloaded from Windows Intune.

The subscription lets you specify your configuration settings for the Windows Intune service. This includes defining the user collection that enables users to enroll devices and defining which devices to manage. As soon as you have created your subscription, you can install the connector site system role, which lets you connect to Windows Intune. The connector site system role will push settings and applications to the service. Windows Intune will then make apps available to users on their devices through an interface called the company portal. To set up mobile device management for Windows Phone 8, Windows RT, iOS, and Android devices, you can follow these steps.

  1. Create a Windows Intune Subscription where you will specify your configuration settings. The Windows Intune Subscription:

    • Retrieves the certificate needed by the connector to connect to the Windows Intune Service.

    • Defines the User Collection that enables members to enroll mobile devices.

    • Defines and configures the mobile platforms you want to support.

  2. Configure a Windows Intune connector site system role, which will connect you to the Windows Intune service. The connector:

    • Connects to the Windows Intune service.

    • Sends setting values and apps.

    • Receives status messages back from devices.

  1. In the Configuration Manager console, click Administration.

  2. In the Hierarchy Configuration, on the Home tab, select Create Windows Intune Subscription.

  3. Click Sign in and sign in by using your Windows Intune organizational account. Check the Allow the Configuration Manager console to manage this subscription check box. As soon as you have selected this setting, you will only be able to manage mobile devices by using the Configuration Manager console. In order to continue with your subscription, you must check this option. Click Next.

  4. Specify the user collection, company preferences, the links to privacy information, and the site code.

    • Specify the user collection whose members will be enabled for using the service. These users will be able to enroll their mobile devices.

      Note:
      If a user is removed from the collection, the user’s device will continue to be managed for up to 24 hours until the user record is removed from the user database.

    • Specify company preferences including company name and color of the company portal. The company portal is what users on devices will be interacting with.

    • Add a link to your company’s privacy documentation. It is important for employees to understand what information they are sharing with your company.

    • Specify the site code. All mobile devices will be assigned to this site. Although you can change the site code at any time, if you do this, existing users will have to be unenrolled and then re-enrolled to the new site. Click Next.

  5. Check the Device types that you want to manage. By selecting a device, you will enable the platform for management. Click Next.

On the Platforms page of the wizard, check the Android option to enable Android.

Browse to specify the Apple Push Notification service certificate that you received from Apple. For more information about how to obtain an Apple Push Notification service certificate, see the “How to get an Apple Push Notification Certificate” section.

Specify the code-signing certificate that you want to use for all Windows Phone apps. All apps must be code-signed. Specify the location of the signed Windows Phone 8 company portal app. For more information about obtaining the certificate, see the “Prerequisites for Enabling Windows Phone 8 Devices” section in this document.

Windows RT devices require that all sideloaded apps be signed with a client trusted code-signing certificate.

  1. If you have a certificate from your company’s certification authority, browse to specify the code-signing certificate that you want to use for all Windows 8 apps. All apps must be code-signed. If you are using a certificate from a third party, you can leave this field blank.

  2. Click Add to enter your sideloading keys. For more information about how to obtain the certificate, see the “Prerequisites for Enabling Windows RT Devices” section in this document.

The connector sends settings and software distribution information to Windows Intune and retrieves status and inventory messages from clients. The Windows Intune service acts as a gateway to communicate with mobile devices and store the settings.

  1. In the Configuration Manager console, click Administration.

  2. Right-click Servers and Site System Roles, right-click the primary site, and select Add Site System Role.

  3. In the wizard, select the setting that you want and then click Next until you reach the Specify Roles for Users page.

  4. Check Windows Intune Connector and then click Next and complete the wizard.

You have the ability to remove, block, wipe, or delete devices. The following table lists the functions for each platform and compares life cycle functions to the same functions that the Exchange connector enables. Because you can’t manage these functions with the Windows Intune connector, you can use the Exchange connector to manage these functions for Android devices.

 

| Function | Windows Phone 8 | Windows RT | iOS | Exchange Connector |
| --- | --- | --- | --- | --- |
| Retire: removes the device from Configuration Manager while leaving personal settings and data intact on the device. | Yes. Line of business apps are uninstalled including the company portal app. User settings are retained. | Yes. Removes the Windows RT sideloading keys. Without the sideloading keys, sideloaded apps will no longer run. User settings are retained. Note: When an RT device is retired, users can still use company apps until the next update. The update occurs every 24 hours for RT devices. | Yes. Installed apps will still run. | Yes. Installed apps will still run. User settings are removed. |
| Block: blocks the client from communicating with the hierarchy. You can also unblock. | Yes | Yes | Yes | Not available |
| Wipe: deletes all data, sets back to manufacturer's defaults. | Yes | Not available | Yes | Exchange ActiveSync mailbox removal only |
| Delete: deletes the mobile device permanently from the hierarchy so that it will no longer be managed. No data from the device is removed. After the device is deleted, the user has to unenroll and re-enroll again. | Yes | Yes | Yes | Not available |

  1. In the Configuration Manager console, click Assets and Compliance. Select Devices.

  2. Select a device and select the action that you want to take.

You can manage app deployment for mobile devices. Apps will appear in the company portal and users can decide whether to download the apps to their devices.

You can deploy line of business apps or you can deploy links to apps in the Windows Phone Store. In order to deploy apps to Windows Phone 8 devices, you must enable Windows Phone 8 devices in the Windows Intune subscription.

  1. In the Configuration Manager console, click Software Library.

  2. In the Software Library workspace, expand Application Management, and then click Applications.

  3. In the Home tab, in the Create group, click Create Application.

  4. In the Type drop-down, select Windows Phone app package (in the Windows Phone Store).

  5. Browse to the store app and then click Next.

  6. On the General Information page, enter the text and category information that you want users to see in the company portal. Complete the wizard.

  1. In the Configuration Manager console, click Software Library.

  2. In the Software Library workspace, expand Application Management, and then click Applications.

  3. In the Home tab, in the Create group, click Create Application.

  4. In the Type drop-down, select Windows Phone app package (*.xap file).

  5. Browse to the application and then click Next.

  6. On the General Information page, enter the text and category information that you want users to see in the company portal. Complete the wizard.

You can deploy line of business apps or you can deploy links to apps in the Windows Store. In order to deploy apps to Windows RT devices, you must enable Windows RT devices in the Windows Intune subscription wizard or property pages.

  1. In the Configuration Manager console, click Software Library.

  2. In the Software Library workspace, expand Application Management, and then click Applications.

  3. In the Home tab, in the Create group, click Create Application.

  4. In the Type dropdown, select Windows app package (*.appx file).

  5. Browse to the signed .appx program file and on the General Information page complete the text and category information that you want users to see in the company portal.

To create a link to the Windows Store for Windows RT, the app must be installed on a Windows 8 computer. You must first configure HTTPS on the Windows 8 computer.

  1. Create an HTTPS-based listener by running winrm qc -Transport:HTTPS.

  2. Run the command enable-psremoting to allow PowerShell remoting.

  3. Run the command winrm delete winrm/config/Listener?Address=*+Transport=HTTP to remove the HTTP-based listener created by the enable-psremoting command.

  4. Open Windows Firewall and add an inbound rule for port 5986, the WinRM default HTTPS port.
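
A check for the result of steps 1 to 3, as an added PowerShell example that is not part of the original documentation: it parses the text printed by winrm enumerate winrm/config/listener and reports whether an HTTP listener is still enabled next to the HTTPS one. The function names, the host name WIN8-01, the addresses, and the sample output are constructed for illustration, and English-language winrm output is assumed.

```powershell
# Parse "winrm enumerate winrm/config/listener" output into one object per listener.
function ConvertFrom-WinrmListenerText {
    param([string[]]$Line)
    $listeners = @()
    $current = $null
    foreach ($l in $Line) {
        if ($l -match '^\s*Listener\s*$') {
            # A bare "Listener" line starts a new block.
            if ($current) { $listeners += [pscustomobject]$current }
            $current = [ordered]@{ Transport = $null; Port = $null; Enabled = $null }
        } elseif ($current -and $l -match '^\s+(\w+)\s*=\s*(.*)$') {
            # Keep only the fields this check needs.
            if ($current.Contains($Matches[1])) { $current[$Matches[1]] = $Matches[2].Trim() }
        }
    }
    if ($current) { $listeners += [pscustomobject]$current }
    $listeners
}

# Report whether only HTTPS remains, and whether it uses the port opened in step 4.
function Test-WinrmHttpsOnly {
    param([object[]]$Listener)
    $http  = @($Listener | Where-Object { $_.Transport -eq 'HTTP'  -and $_.Enabled -eq 'true' })
    $https = @($Listener | Where-Object { $_.Transport -eq 'HTTPS' -and $_.Enabled -eq 'true' })
    [pscustomobject]@{
        HttpListenerRemoved  = ($http.Count -eq 0)
        HttpsListenerPresent = ($https.Count -gt 0)
        HttpsOnPort5986      = (@($https | Where-Object { $_.Port -eq '5986' }).Count -gt 0)
        Compliant            = ($http.Count -eq 0 -and $https.Count -gt 0)
    }
}

# Constructed sample: the state after steps 1 and 2 but before step 3,
# so the HTTP listener created by enable-psremoting is still present.
$sample = @'
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 192.0.2.10

Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = WIN8-01
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = <thumbprint placeholder>
    ListeningOn = 127.0.0.1, 192.0.2.10
'@ -split '\r?\n'

Test-WinrmHttpsOnly -Listener (ConvertFrom-WinrmListenerText -Line $sample) | Format-List

# Live check on the Windows 8 computer (elevated session):
# Test-WinrmHttpsOnly -Listener (ConvertFrom-WinrmListenerText -Line (winrm enumerate winrm/config/listener))
```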

  1. In the Configuration Manager console, click Software Library.

  2. In the Software Library workspace, expand Application Management, and then click Applications.

  3. In the Home tab, in the Create group, click Create Application.

  4. In the Type dropdown, select Windows app package (in the Windows Store).

  5. Browse to the app on a Windows 8 device and then click Next.

  6. On the General Information page complete the text and category information that you want users to see in the company portal. Complete the wizard.

You can deploy line of business apps or you can deploy links to apps on the App Store. In order to deploy apps to iOS devices, you must enable iOS devices in the Windows Intune subscription wizard.

  1. In the Configuration Manager console, click Software Library.

  2. In the Software Library workspace, expand Application Management, and then click Applications.

  3. In the Home tab, in the Create group, click Create Application.

  4. In the Type dropdown, select App Package for iOS from App Store.

  5. Browse to the app and then click Next.

  6. On the General Information page, complete the text and category information that you want users to see in the company portal.

  1. In the Configuration Manager console, click Software Library.

  2. In the Software Library workspace, expand Application Management, and then click Applications.

  3. In the Home tab, in the Create group, click Create Application. In the Type drop-down list, select App Package for iOS (*.ipa file).

  4. Browse to the application and on the General Information page complete the text and category information that you want users to see in the company portal.

You can deploy line of business apps or you can deploy links to Google Play through the company portal. In order to deploy apps to Android devices, you must enable Android devices in the Windows Intune subscription wizard.

  1. In the Configuration Manager console, click Software Library.

  2. In the Software Library workspace, expand Application Management, and then click Applications.

  3. In the Home tab, in the Create group, click Create Application.

  4. In the Type dropdown, select App Package for Android (*.apk file).

  5. Browse to the application and then click Next.

  6. On the General Information page, complete the text and category information that you want users to see in the company portal.

    Note:
    If you create more than one deployment type for the same app, only the deployment type with the highest priority will be available in the company portal.

-----
For additional resources, see Information and Support for Configuration Manager.

Tip: Use this query to find online documentation in the TechNet Library for System Center 2012 Configuration Manager. For instructions and examples, see Search the Configuration Manager Documentation Library.