
How to Manage Mobile Devices by Using Configuration Manager and Windows Intune

Updated: June 30, 2014

Applies To: System Center 2012 Configuration Manager SP1, System Center 2012 R2 Configuration Manager

Note
The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager.

This walkthrough shows you step-by-step how to configure Configuration Manager so that you can manage iOS, Android (including Samsung KNOX), Windows Phone, and Windows devices by using the Windows Intune service over the Internet. Although you use the Windows Intune service, management tasks are completed by using the Windows Intune connector site system role, which is available through the Configuration Manager console. System Center 2012 R2 Configuration Manager also gives you the option of managing Windows 8.1 devices that do not have the Configuration Manager client installed, in the same manner as mobile devices.

You can configure Configuration Manager to enable mobile device management to let users access company resources in a secure, managed way. By using device management, you protect company data while letting users enroll their personal or company-owned mobile devices and giving them access to company data. When you use Configuration Manager with Windows Intune, you have the following management capabilities:

  • You can retire and wipe devices.

  • You can configure compliance settings on devices. These include settings for passwords, security, roaming, encryption, and wireless communication.

  • You can deploy line of business apps to devices.

  • You can deploy apps from the store that the device connects to: Windows Store, Windows Phone Store, App Store, or Google Play.

  • You can collect hardware inventory.

  • You can collect software inventory by using built-in reports.

This document assumes that you are using Configuration Manager to manage computers, and that you are interested in extending the Configuration Manager console to manage mobile devices. After you complete this walkthrough, users will be able to enroll their devices for management.

We will show you:

  • How to configure the Windows Intune subscription for mobile device management.

  • How to install the Windows Intune connector site system role that lets you use Windows Intune in the Configuration Manager console.

Use the following sections to help you manage mobile devices by using the Windows Intune connector.

Use the following information to determine the prerequisites for managing mobile devices.

For a checklist about how to configure Configuration Manager to manage mobile devices, see Administrator Checklist: Configuring Configuration Manager to Manage Mobile Devices by Using Windows Intune.

External dependencies:

External dependency: Sign up for a Windows Intune organizational account.

More information: When you sign up for Windows Intune, you subscribe to a trial subscription. You can convert the trial into a paid (full) subscription at any time from within the Windows Intune account portal.

You can sign up for an account at Windows Intune.

For more information, see Task 1: Subscribe to Windows Intune and Acceptable Use Policy for Windows Intune in the Documentation Library for Windows Intune.

External dependency: Add a public company domain.

More information: All user accounts must have a publicly verifiable domain name that can be verified by Windows Intune.

External dependency: Verify that users have a public domain UPN.

More information: Before you synchronize the Active Directory user account, you must verify that user accounts have a public domain UPN. For more information, see Add User Principal Name Suffixes in the Active Directory documentation library.

External dependency: Deploy and configure directory synchronization.

More information: There are several methods you can use for directory integration with Windows Intune. These methods are the same for all Azure AD tenants. Therefore, to learn about the available methods and to drill through to procedures for the method you select, start with the Directory integration topic.

External dependency: Create a DNS alias.

More information: Create a DNS alias (CNAME record type). You have to configure a CNAME in DNS that redirects EnterpriseEnrollment.<company domain name>.com to manage.microsoft.com. For example, if Melissa's email address is Melissa@contoso.com, you have to create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to manage.microsoft.com.

The CNAME record is used as part of the enrollment process.

External dependency: Obtain certificates or keys.

More information: For more information, see Obtain Certificates or Keys to Meet Prerequisites per Platform in this topic.

The following table lists the certificates or keys that you must have to enroll mobile platforms.

Platform: Windows Phone 8 and Windows Phone 8.1

Certificates or keys: Before you can configure mobile device management for Windows Phone, the company portal app must be code-signed with a Symantec certificate that is trusted by the Windows Phone devices, and you must create an application in the Software Library.

How you obtain them: Buy a code signing certificate from Symantec. If you are just testing this out in a trial version, you can use the Support tool for Windows Phone trial management.

Platform: Windows RT, Windows RT 8.1, or Windows 8.1 devices that are not joined to the domain

Certificates or keys: Sideloading keys. Devices have to be provisioned with sideloading keys to enable the installation of sideloaded apps. All sideloaded apps must be code-signed.

How you obtain them: Buy sideloading keys from Microsoft. All apps must be code-signed by using your company’s certification authority or an external certification authority.

Platform: iOS

Certificates or keys: Apple Push Notification service certificate.

How you obtain them: Request an Apple Push Notification service certificate from Apple. For more information, see the Prerequisites for enrolling iOS Devices in this topic.

Platform: Android 4.0+ and Samsung KNOX

Certificates or keys: None.

How you obtain them: Not applicable.

Important
For Windows Phone 8.1, you must enable the Windows Phone 8.1 extension in the Configuration Manager console. For more information, see How to Enable Extensions. The extension enables device management functionality that includes security settings, wipe, inventory, app management, VPN profiles, Wi-Fi profiles, certificate profiles, email profiles, and remote profiles.

The company portal app must be code-signed with a Symantec certificate that is trusted by the Windows Phone devices.

  1. Join the Windows Phone Dev Center by visiting the Windows Phone Dev Center. You must use a corporate account.

  2. Locate your Symantec ID by clicking Dashboard in the Windows Phone Dev Center and locate the numeric ID under Symantec Id.

  3. Purchase a certificate from the Symantec website by using your Symantec ID.

  4. After you purchase the certificate, the corporate approver that you designated in your Windows Phone Developer account will receive an email asking for approval of the certificate request. Once the request has been approved, you will receive an email that contains the instructions for importing the certificates.

  5. Read the instructions in the email carefully and import the certificates.

  6. To verify that the certificates have been imported correctly, go to the Certificates snap-in, right-click Certificates, and select Find Certificates. In the Contains field, enter “Symantec”, and click Find Now. The certificates that you imported should be listed as part of the results.

    [Screenshot: Certificate search]

  7. Now that you have verified that the certificates have been imported, you can export the .pfx file so that you can sign the company portal. Using the results from the previous step, you must select the Symantec certificate with the Intended purpose as “code-signing.” Then, right-click the code-signing certificate and select Export.

    [Screenshot: Certificate export]

    In the Certificate Export Wizard, select Yes, export the private key and click Next. Select Personal Information Exchange –PKCS #12 (.PFX) and check Include all the certificates in the certification path if possible. Complete the wizard. For more information, see How to Export a Certificate with the Private Key.

  8. Download the Windows Intune company portal for Windows Phone app.

  9. Before you can configure mobile device management for Windows Phone, the company portal app must be code-signed with a Symantec certificate that is trusted by the Windows Phone devices. Use the XAPSignTool app that comes with the Windows Phone SDK to sign the company portal with the .pfx file you created from the Symantec certificate. For more information, see How to sign a company app by using XapSignTool.

  10. Create an application using the signed company portal app. Select Automatically detect information about this application from installation files. In Type, select Windows Phone app package (*.xap) file. In Location, browse to a network share where you have copied the ssp.xap. On the General Information page, enter a name that will show up in the Configuration Manager console, but note that the application will always be displayed as Company Portal in the app list on Windows Phones.

  11. Use the Distribute Content wizard to distribute the Windows Intune company portal application to the manage.microsoft.com distribution point.

    Important
    Do not create a deployment for this application - the deployment will be automatically created when you complete the Windows Intune Subscription Wizard.
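Steps 6 and 7 above can also be done from PowerShell on the computer where the Symantec certificates were imported. The following script is an added example, not part of the original article or of the Windows Phone SDK: it searches the current user's Personal store for a Symantec-issued certificate that has the Code Signing enhanced key usage and a private key, and exports it with its chain to a PFX. The output path is an assumed placeholder; Export-PfxCertificate requires Windows 8 or Windows Server 2012 or later, and the private key must have been imported as exportable.

```powershell
# Added example (not from the original article): locate the imported Symantec
# code-signing certificate and export it with its chain as a PFX.
$OutFile        = 'C:\Certs\CompanyPortalSigning.pfx'   # assumed output path
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'                   # id-kp-codeSigning

function Get-SymantecCodeSigningCert {
    # Mirrors the "Find Certificates ... Contains: Symantec" search in the MMC
    # snap-in, then keeps only certificates that carry the Code Signing EKU
    # and have a private key (needed to sign the company portal XAP).
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object {
            ($_.Subject -like '*Symantec*' -or $_.Issuer -like '*Symantec*') -and
            $_.HasPrivateKey -and
            ($_.Extensions | Where-Object { $_ -is $ekuType } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                Where-Object { $_.Value -eq $CodeSigningOid })
        } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1      # if several match, prefer the one that expires last
}

$cert = Get-SymantecCodeSigningCert
if ($null -eq $cert) {
    Write-Warning 'No Symantec code-signing certificate with a private key was found in CurrentUser\My. Re-check the import instructions from the Symantec email.'
    exit 1
}
Write-Output "Using $($cert.Subject) (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"

if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning 'The certificate has expired; obtain a renewed certificate before signing the company portal.'
    exit 1
}

# Export the private key too (PFX) and build the chain, which is the same as
# "Include all the certificates in the certification path if possible" in the
# Certificate Export Wizard.
$password = Read-Host -Prompt 'Password to protect the PFX' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $password -ChainOption BuildChain | Out-Null
Write-Output "Exported $OutFile"
```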

To configure app management on a mobile device that runs Windows RT or on a Windows 8.1 device, you must follow these steps.

  1. Obtain sideloading keys. Before you can run sideloaded line-of-business apps on Windows RT, you must obtain and activate sideloading keys from Microsoft. For more information about sideloading product activation keys, see Microsoft Volume Licensing.

  2. Sign all apps. For sideloaded apps to run on Windows RT, you must use a certificate to sign all apps.

To enroll iOS devices, you must follow these steps.

  1. Download a certificate signing request from Windows Intune. This certificate signing request lets you apply for an Apple Push Notification service certificate from the Apple certification authority.

  2. Request an Apple Push Notification service certificate from the Apple website.

To download the certificate signing request from Windows Intune:

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Hierarchy Configuration, and click Windows Intune Subscriptions.

  3. On the Home tab, in the Create group, click Create APNs certificate request.

  4. In the Request Apple Push Notification Service Certificate Signing Request dialog box, click Browse to specify a location to download the Certificate Signing Request, specify your choice of file name, and then click Download.

  5. On the Windows Intune sign in page, enter your organizational account and password. After you sign in, the certificate signing request is downloaded to the location that you specified.

To request the Apple Push Notification service certificate from Apple:

  1. Connect to the Apple Push Certificates Portal.

  2. Sign in and complete the wizard.

    Note
    Make sure that you use a company account to obtain the Apple Push Notification service certificate. When you return to the Apple site to renew the certificate, make sure that you use the same account.

  3. Upload the Certificate Signing Request that you downloaded from Windows Intune.

For System Center 2012 R2 Configuration Manager, users can download the Android company portal app from Google Play, which lets them enroll Android (including Samsung KNOX) devices. With the Android company portal app, you can manage compliance settings, wipe or delete Android devices, deploy apps, and collect software and hardware inventory. If the Android company portal app is not installed on Android devices, or if you are using Configuration Manager SP1, you will not have all the management capabilities, such as inventory and compliance settings, but you can still deploy apps to Android devices.

Dependencies in Configuration Manager:

  • Create the Windows Intune subscription. For more information, see Configuring the Windows Intune Subscription in this topic.

  • Add the Windows Intune connector. For more information, see The Windows Intune Connector Site System Role in this topic.

The Windows Intune subscription lets you specify your configuration settings for the Windows Intune service. This includes specifying which users can enroll their devices and defining which mobile device platforms to manage. When you have created your subscription, you can then install the Windows Intune connector site system role that lets you connect to the Windows Intune service. This connector site system role will push settings and applications to the Windows Intune service. The Windows Intune subscription performs the following:

  • Retrieves the certificate that the Windows Intune connector requires to connect to the Windows Intune service.

  • Defines the user collection that enables users to enroll mobile devices.

  • Defines and configures the mobile platforms that you want to support.

To create the Windows Intune subscription:

  1. In the Configuration Manager console, click Administration.

  2. For System Center 2012 Configuration Manager SP1: In the Administration workspace, expand Hierarchy Configuration, and click Windows Intune Subscriptions.

    For System Center 2012 R2 Configuration Manager: In the Administration workspace, expand Cloud Services, and click Windows Intune Subscriptions.

  3. For System Center 2012 Configuration Manager SP1: On the Home tab, in the Create group, click Create Windows Intune Subscription.

    System Center 2012 R2 Configuration Manager: On the Home tab, click Add Windows Intune Subscription.

  4. On the Introduction page of the Create Windows Intune Subscription Wizard, review the text and click Next.

  5. On the Subscription page, click Sign in and sign in by using your Windows Intune organizational account. Select the Allow the Configuration Manager console to manage this subscription check box. When you select this setting, you will only be able to manage mobile devices by using the Configuration Manager console. To continue with your subscription, you must select this option.

    Important
    Once you select Configuration Manager as your management authority, you cannot change the management authority to Windows Intune in the future.

  6. Click the privacy links to review them, and then click Next.

  7. On the General page, specify the following options, and then click Next.

    • Collection: Specify a user collection that contains users who will enroll their mobile devices.

      Note
      If a user is removed from the collection, the user’s device continues to be managed for up to 24 hours, until the user record is removed from the user database.

    • Company name: Specify your company name.

    • URL to company privacy documentation: If you publish your company privacy information to a link that is accessible from the Internet, provide a link that users can access from the company portal. Privacy information can clarify what information users are sharing with your company.

    • Color scheme for company portal: Optionally, change the default color of blue for the company portals.

    • Configuration Manager site code: Specify a site code for a primary site to manage the mobile devices.

      Note
      Changing the site code affects only new enrollments and does not affect existing enrolled devices.

  8. On the Platforms page, select the device types that you want to manage and review the platform requirements, and then click Next.

For each device type that you selected, you must configure additional options. Use the procedures that follow for more information about those options. After you have configured these additional options, click Next and complete the wizard.

  • On the iOS page, click Browse to specify the Apple Push Notification service certificate that you received from Apple. For more information about how to obtain an Apple Push Notification service certificate, see the Prerequisites for enrolling iOS Devices section in this topic.

For Windows Phone 8 and Windows Phone 8.1:

  1. For Windows Phone 8.1, you must enable the Windows Phone 8.1 extension in the Configuration Manager console. For more information, see How to Enable Extensions.

  2. On the Windows Phone page, specify the .pfx file that you received when you satisfied the Windows Phone prerequisites in the prerequisites section of this walkthrough.

  3. Specify the name of the Windows Intune company portal application package that you created in the prerequisites section of this walkthrough.

For more information about how to obtain the certificate, see the Prerequisites for Enrolling Windows Phone 8 and Windows Phone 8.1 Devices section in this topic.

Windows RT, Windows RT 8.1 and Windows 8.1 devices require that all sideloaded apps be signed with a trusted code-signing certificate.

  1. On the Windows RT Configuration page, if you have a certificate from your company’s certification authority, click Browse to specify the code-signing certificate that you want to use for all Windows 8 apps.

    Note
    All apps must be code-signed. The certificate field is for your company’s certificate. If you have purchased a certificate from an external certification authority, you can leave this field blank.

  2. Click Add to enter your sideloading keys. For more information about how to obtain the certificate, see the Prerequisites for Enrolling Windows RT Devices, Windows RT 8.1, or Windows 8.1 devices section in this topic.

Android devices (including Samsung KNOX) have no prerequisites. For System Center 2012 R2 Configuration Manager, Android users can download the Android company portal app from Google Play that will allow them to enroll Android devices.

The Windows Intune connector sends settings and software deployment information to Windows Intune and retrieves status and inventory messages from mobile devices. The Windows Intune service acts as a gateway that communicates with mobile devices and stores settings.

Note
The Windows Intune connector site system role may only be installed on a central administration site or stand-alone primary site.

To install the Windows Intune connector site system role:

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles.

  3. Add the Windows Intune Connector role to a new or existing site system server by using the associated step:

    • New site system server: On the Home tab, in the Create group, click Create Site System Server to start the Create Site System Server Wizard.

    • Existing site system server: Click the server on which you want to install the Windows Intune connector role. Then, on the Home tab, in the Server group, click Add Site System Roles to start the Add Site System Roles Wizard.

  4. On the System Role Selection page, select Windows Intune Connector, and click Next.

  5. Complete the wizard.

Enrollment establishes a relationship between the user, the device, and the Windows Intune service. Users enroll their own mobile devices. The following table describes enrollment for enrolled devices.

Note
If your subscription to Windows Intune is going to expire, you must unenroll all devices prior to expiration in order to ensure company content is removed from devices.

Enrollment information by platform:

Windows Phone 8 and Windows Phone 8.1

For Windows Phone 8: Click system settings > company apps, and sign in using your user ID.

For Windows Phone 8.1: Click system settings > Workplace, and sign in using your user ID.

Users must select Install company app or Hub to be able to get company apps. If users do not select this option, they cannot download the company portal. If the company portal is not installed during enrollment, or if users uninstall the company portal, users must retire and then re-enroll their mobile device. You can make the company portal file available by sending users a link in an email.

If your Windows Intune account does not have a public domain and you are using a *.onmicrosoft.com account, you will need to type in the server address as “manage.microsoft.com” when you are prompted for it.

Windows 8.1 and Windows RT 8.1

Users download the Windows Intune Company Portal app that is available in the Windows Store. The following steps describe the enrollment process.

  1. Go to Settings > PC Settings > Network > Workplace.

  2. Enter the User ID and click Turn on.

  3. Check the Allow apps and services from IT admin dialog box, and click Turn on.

If your account does not have a public domain and you are using a *.onmicrosoft.com account, you must add the following registry information to enroll your Windows 8.1 computer:

  1. Create the MDM registry key if it is not already present: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM

  2. Under the MDM registry key, create a new REG_SZ value called DiscoveryService with the value data “manage.microsoft.com”.
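The CNAME prerequisite (EnterpriseEnrollment.<company domain> redirecting to manage.microsoft.com) and the registry workaround above for *.onmicrosoft.com accounts can be checked from one script. The following is an added example, not part of the original article or of the product: given a user principal name (Melissa@contoso.com is the article's sample value, used here as a placeholder), it verifies that the enrollment CNAME resolves correctly for a public domain, or, for an onmicrosoft.com account, sets the DiscoveryService value on a Windows 8.1 computer. Resolve-DnsName requires Windows 8 or Windows Server 2012 or later, and the registry branch must run in an elevated session.

```powershell
# Added example (not from the original article): enrollment readiness check
# for one user principal name. $Upn is a constructed sample value.
$Upn      = 'Melissa@contoso.com'
$Expected = 'manage.microsoft.com'
$MdmKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'

function Test-EnrollmentCname {
    # Confirms that EnterpriseEnrollment.<domain> is a CNAME to manage.microsoft.com.
    param([Parameter(Mandatory)][string]$Domain)

    $record = "EnterpriseEnrollment.$Domain"
    try {
        # -DnsOnly skips the hosts file and the local cache, so the answer
        # reflects what an Internet-connected device will actually see.
        $answers = Resolve-DnsName -Name $record -Type CNAME -DnsOnly -ErrorAction Stop
    } catch {
        Write-Warning "$record did not resolve: $($_.Exception.Message)"
        return $false
    }

    $cname = $answers | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if ($null -eq $cname) {
        Write-Warning "$record exists but is not a CNAME record."
        return $false
    }

    # Compare case-insensitively and ignore a trailing dot from the resolver.
    if ($cname.NameHost.TrimEnd('.') -ieq $Expected) {
        Write-Output "OK: $record -> $($cname.NameHost)"
        return $true
    }
    Write-Warning "$record points to $($cname.NameHost); expected $Expected."
    return $false
}

function Set-IntuneDiscoveryService {
    # With a *.onmicrosoft.com account there is no public domain to put the
    # CNAME on, so a Windows 8.1 computer is told where the enrollment service
    # lives through the DiscoveryService registry value.
    if (-not (Test-Path -Path $MdmKey)) {
        New-Item -Path $MdmKey -Force | Out-Null
    }
    New-ItemProperty -Path $MdmKey -Name 'DiscoveryService' -PropertyType String `
        -Value $Expected -Force | Out-Null

    # Read the value back so the script reports what the device will use.
    $actual = (Get-ItemProperty -Path $MdmKey -Name 'DiscoveryService').DiscoveryService
    Write-Output "DiscoveryService = $actual"
    return ($actual -eq $Expected)
}

$domain = ($Upn -split '@')[-1]
if ($domain -like '*.onmicrosoft.com') {
    # No public domain: Windows Phone and Windows RT users type the server
    # address when prompted; Windows 8.1 needs the registry value instead.
    $ok = Set-IntuneDiscoveryService
} else {
    $ok = Test-EnrollmentCname -Domain $domain
}
if (-not $ok) { exit 1 }
```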

Windows RT

Click Start, and type “System Configuration”, and click the dialog box to open the Company Apps.

If your Windows Intune account does not have a public domain and you are using a *.onmicrosoft.com account, you will need to type in the server address as “manage.microsoft.com” when you are prompted for it.

iOS

You can enroll iOS devices by using the iOS company portal app, Windows Intune Company Portal that is available in the App store. The company portal app can be installed on iOS devices running iOS 6 or later.

On the iOS device, open the Windows Intune Company Portal and enter your credentials. When prompted, click Install on the Management Profile screen.

Android

You can enroll Android devices by using the Android company portal app, Windows Intune Company Portal, that is available on Google Play. The company portal app can be installed on Android devices running Android 4 or later. On the Android device, open the Windows Intune Company Portal and enter your credentials.

You can do a full wipe on Windows Phone, iOS, and Android devices. A full wipe will restore the device to factory settings.

For System Center 2012 R2 Configuration Manager only: you have the option to do a selective wipe that only removes company content. For a selective wipe, you can use Retire/wipe and select the option Wipe company content and retire the mobile device from Configuration Manager to remove company content from devices. The following table lists what company content is wiped from devices.

Content removed when retiring a device, by platform:

Company apps and associated data installed by using Configuration Manager and Windows Intune

  • Windows 8.1 and Windows RT 8.1: Apps are uninstalled and sideloading keys are removed. Apps using Windows Selective Wipe will have the encryption key revoked and data will no longer be accessible.

  • Windows RT: Sideloading keys are removed but apps remain installed.

  • Windows Phone 8 and Windows Phone 8.1: Apps are uninstalled. Company app data is removed.

  • iOS: Apps are uninstalled. Company app data is removed.

  • Android: Apps and data remain installed.

  • Samsung KNOX: Apps are uninstalled.

VPN and Wi-Fi profiles

  • Windows 8.1 and Windows RT 8.1: Removed.

  • Windows RT: Not applicable.

  • Windows Phone 8 and Windows Phone 8.1: Removed for Windows Phone 8.1.

  • iOS: Removed.

  • Android: VPN: Not applicable. Wi-Fi: Not removed.

  • Samsung KNOX: Removed.

Certificates

  • Windows 8.1 and Windows RT 8.1: Removed and revoked.

  • Windows RT: Not applicable.

  • Windows Phone 8 and Windows Phone 8.1: Removed for Windows Phone 8.1.

  • iOS: Removed and revoked.

  • Android: Revoked.

  • Samsung KNOX: Revoked.

Settings

  • All platforms (Windows 8.1 and Windows RT 8.1, Windows RT, Windows Phone 8 and Windows Phone 8.1, iOS, Android, Samsung KNOX): Requirements removed.

Management Agent

  • Windows 8.1 and Windows RT 8.1: Not applicable. Management agent is built-in.

  • Windows RT: Not applicable. Management agent is built-in.

  • Windows Phone 8 and Windows Phone 8.1: Not applicable. Management agent is built-in.

  • iOS: Management profile is removed.

  • Android: Device Administrator privilege is revoked.

  • Samsung KNOX: Device Administrator privilege is revoked.

Email

  • Windows 8.1 and Windows RT 8.1: Removes email that is EFS enabled, which includes the Mail app for Windows email and attachments.

  • Windows RT: Not applicable.

  • Windows Phone 8 and Windows Phone 8.1: Windows Phone 8.1 only: For email profiles provisioned by Windows Intune, the email account and email are removed.

  • iOS: For email profiles provisioned by Windows Intune, the email account and email are removed.

  • Android: Not applicable.

  • Samsung KNOX: Not applicable.

Wiping EFS-enabled content

Selective wipe of EFS-encrypted content is supported by Windows 8.1 and Windows RT 8.1. The following apply to a selective wipe of EFS-enabled content:

  1. Only apps and data that are protected by EFS using the same Internet domain as the Windows Intune account are selectively wiped. For more information, see Windows Selective Wipe for Device Data.

  2. If any changes are made to the domain associated with EFS, it can take up to 48 hours before apps and data using the new domain can be selectively wiped.

  3. Every domain that is registered with Windows Intune is a domain that will be wiped.

The data and apps that are currently supported by EFS selective wipe are:

  1. Mail app for Windows

  2. Work Folders

  3. Files and folders encrypted by EFS. For more information, see Best practices for the Encrypting File System.

To retire or wipe a device:

  1. In the Configuration Manager console, click Assets and Compliance and select Devices.

  2. Select a device and then select the action that you want to take.

Best Practices for Selective Wipe

  • For successful wipe of email, provision email profiles to iOS and Windows Phone 8.1 devices.

  • For successful wipe of apps, make sure the apps are distributed through mobile device app management. For more information, see How to Create and Deploy Applications for Mobile Devices in Configuration Manager.

  • For iOS, configure the setting “Allow backup to iCloud” to “Disallow” so that users can’t restore content using iCloud.

  • If an account has been deactivated, then after one year, the account will be retired by Intune and a selective wipe will be performed.

For additional resources, see Information and Support for Configuration Manager.

Tip: Use this query to find online documentation in the TechNet Library for System Center 2012 Configuration Manager. For instructions and examples, see Search the Configuration Manager Documentation Library.
© 2014 Microsoft