Manage Mobile Devices with Configuration Manager and Microsoft Intune

Updated: February 8, 2017

Applies To: Microsoft Intune, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

Note

The information in this topic applies to System Center 2012 Configuration Manager SP1 or later, and System Center 2012 R2 Configuration Manager or later.

Important

Support for System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager RTM ended on July 12, 2016. Subsequently, support for these releases connecting to the Microsoft Intune service for hybrid mobile device management (MDM) ends on April 10, 2017. After this date, hybrid MDM will stop functioning with these releases. Managed devices will essentially become unmanaged as the Intune Connector will no longer connect to the Intune service. Configuration Manager data (such as policies and applications) will not flow up to Intune and managed device data will not flow down to Configuration Manager until an upgrade takes place.

If you're running a hybrid deployment with Configuration Manager 2012 SP1 or R2 RTM, we recommend that before April 10, 2017 you upgrade to Configuration Manager (current branch) or the latest supported service pack for Configuration Manager 2012 (either SP2 or R2 SP1) to avoid disruption of service.

Additional resources about upgrading:

This walkthrough shows you how to configure Configuration Manager to manage iOS, Android (including Samsung KNOX), Windows Phone, and Windows devices with the Intune service over the Internet. Although you use the Intune service, management tasks are done using the Microsoft Intune connector site system role in the Configuration Manager console. System Center 2012 R2 Configuration Manager also lets you manage Windows 8.1 PCs and laptops as mobile devices, without installing the Configuration Manager client.

You can configure Configuration Manager to let users access company resources on their devices in a secure, managed way. By using device management, you protect company data while letting users enroll their personal or company-owned mobile devices and giving them access to company data. When you use Configuration Manager with Intune, you have the following management capabilities on devices:

  • Retire and wipe devices

  • Configure compliance settings such as passwords, security, roaming, encryption, and wireless communication

  • Deploy line of business apps to devices

  • Deploy apps to devices that connect to Windows Store, Windows Phone Store, App Store, or Google Play

  • Collect hardware inventory

  • Collect software inventory by using built-in reports

This document assumes that you are using Configuration Manager to manage computers, and that you are interested in extending the Configuration Manager console with Microsoft Intune to manage mobile devices. After extending Configuration Manager with Intune you can give users permission to enroll their personal devices or enroll corporate-owned devices to be managed.

Use the following sections to help you manage mobile devices by using the Microsoft Intune connector.

  1. Prerequisites

  2. Configuring the Microsoft Intune Subscription

  3. The Microsoft Intune Connector Site System Role

  4. Prepare for Mobile Device Enrollment

  5. Next Steps

Prerequisites

Use the following information to determine the prerequisites for managing mobile devices.

Dependencies External to Configuration Manager

For a checklist about how to configure Configuration Manager to manage mobile devices, see Administrator Checklist: Configuring Configuration Manager to Manage Mobile Devices by Using Microsoft Intune.

The following list gives each external dependency, followed by more information about it.

Sign up for a Microsoft Intune subscription and account

Sign up for a subscription at Microsoft Intune. When you sign up for Intune you subscribe to a trial subscription. You can convert the trial into a paid (full) subscription at any time from within the Microsoft Intune account portal.

For more information, see Set up Microsoft Intune.

Add a public company domain.

All user accounts must have a publicly verifiable domain name that can be verified by Intune.

Verify users have a public domain UPN.

Before you synchronize the Active Directory user account, you must verify that user accounts have a public domain UPN. For more information, see Add User Principal Name Suffixes in the Active Directory documentation library.

Deploy and configure directory synchronization.

There are several methods you can use for directory integration with Intune. These methods are the same for all Azure AD tenants. Therefore, to learn about the available methods and to drill through to procedures for the method you select, start with the Directory integration topic.

Create a DNS alias.
(Windows devices only)

Create a DNS alias (CNAME record type). You have to configure a CNAME in DNS that redirects EnterpriseEnrollment.<company domain name>.com to enterpriseenrollment-s.manage.microsoft.com. For example, if Melissa's email address is Melissa@contoso.com, you have to create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to enterpriseenrollment-s.manage.microsoft.com.

The CNAME record is used as part of the enrollment process for Windows devices.
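The following PowerShell is an added example, not part of this topic or of Configuration Manager itself. It checks two of the dependencies above together: that every user's UPN suffix is one of the domains you verified in Intune (a user with an unverified or non-routable suffix such as .local cannot be matched to the tenant), and that each verified suffix has the EnterpriseEnrollment CNAME pointing at enterpriseenrollment-s.manage.microsoft.com. The sample UPNs, the verified-domain list and the stub resolver are constructed so the check runs offline; Get-ADUser (ActiveDirectory module) and Resolve-DnsName (DnsClient module) are the real cmdlets you would substitute.

```powershell
# Added example, not from the original topic. Checks (1) that every UPN suffix is a
# domain verified in Intune and (2) that the suffix has the EnterpriseEnrollment CNAME
# the Windows enrollment client looks up. All sample data below is constructed.

$ExpectedTarget = 'enterpriseenrollment-s.manage.microsoft.com'

function Get-UpnSuffix {
    param([Parameter(Mandatory)][string]$Upn)
    # The UPN suffix is everything after the last '@'.
    return $Upn.Substring($Upn.LastIndexOf('@') + 1).ToLowerInvariant()
}

function Resolve-CnameTarget {
    # Default resolver: returns the CNAME target of $Name via Resolve-DnsName
    # (DnsClient module, Windows 8 / Windows Server 2012 and later), or $null if absent.
    param([Parameter(Mandatory)][string]$Name)
    $answer = Resolve-DnsName -Name $Name -Type CNAME -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if ($answer) { return $answer.NameHost } else { return $null }
}

function Test-EnrollmentPrerequisites {
    param(
        [Parameter(Mandatory)][string[]]$Upns,
        [Parameter(Mandatory)][string[]]$VerifiedDomains,
        # Swappable so the logic can be exercised without DNS; defaults to a live lookup.
        [scriptblock]$Resolver = ${function:Resolve-CnameTarget}
    )
    $verified = $VerifiedDomains | ForEach-Object { $_.ToLowerInvariant() }
    $results  = @()

    # UPNs without '@' cannot be synchronized as users at all; report them once.
    $malformed = @($Upns | Where-Object { $_ -notmatch '@' })
    if ($malformed.Count -gt 0) {
        $results += [pscustomobject]@{ Suffix = '(none)'; Users = $malformed.Count; Status = 'Malformed UPN'; CnameTarget = $null }
    }

    $wellFormed = @($Upns | Where-Object { $_ -match '@' })
    foreach ($suffix in ($wellFormed | ForEach-Object { Get-UpnSuffix $_ } | Sort-Object -Unique)) {
        $users = @($wellFormed | Where-Object { (Get-UpnSuffix $_) -eq $suffix }).Count

        if ($verified -notcontains $suffix) {
            # Intune will not accept these users: the suffix is not a verified public domain.
            $results += [pscustomobject]@{ Suffix = $suffix; Users = $users; Status = 'Suffix not verified in Intune'; CnameTarget = $null }
            continue
        }

        $record = "enterpriseenrollment.$suffix"
        $target = & $Resolver $record
        $status = if (-not $target) { 'CNAME missing' }
                  elseif ($target.TrimEnd('.').ToLowerInvariant() -ne $ExpectedTarget) { 'CNAME points to wrong target' }
                  else { 'OK' }
        $results += [pscustomobject]@{ Suffix = $suffix; Users = $users; Status = $status; CnameTarget = $target }
    }
    return $results
}

# --- Constructed sample data (replace with real inputs) ---------------------------------
# Live alternative: $upns = (Get-ADUser -Filter * -Properties UserPrincipalName).UserPrincipalName
$upns            = 'melissa@contoso.com', 'jeff@contoso.com', 'ops@fabrikam.com', 'svc@corp.contoso.local', 'broken-upn'
$verifiedDomains = 'contoso.com', 'fabrikam.com'

# Stub resolver standing in for DNS: contoso.com is configured correctly,
# fabrikam.com's CNAME points somewhere else, anything else has no record.
$stubResolver = {
    param($Name)
    switch ($Name) {
        'enterpriseenrollment.contoso.com'  { 'enterpriseenrollment-s.manage.microsoft.com.' }
        'enterpriseenrollment.fabrikam.com' { 'mdm.fabrikam.com' }
        default                             { $null }
    }
}

Test-EnrollmentPrerequisites -Upns $upns -VerifiedDomains $verifiedDomains -Resolver $stubResolver | Format-Table -AutoSize
# Against real DNS, omit -Resolver:
# Test-EnrollmentPrerequisites -Upns $upns -VerifiedDomains $verifiedDomains | Format-Table -AutoSize
```

With the stub data, contoso.com reports OK, fabrikam.com reports a wrong CNAME target, corp.contoso.local is flagged as an unverified suffix, and the malformed entry is counted separately. Run it against real DNS from a client on the same network path your devices use, because a split-brain internal zone can hide a missing public record.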

Configuring the Microsoft Intune Subscription

The Microsoft Intune subscription lets you specify your configuration settings for the Intune service. This includes specifying which users can enroll their devices and defining which mobile device platforms to manage. When you have created your subscription, you can then install the Microsoft Intune connector site system role that lets you connect to the Intune service. This connector site system role will push settings and applications to the Intune service. The Intune subscription performs the following:

  • Retrieves the certificate that the Microsoft Intune connector requires to connect to the Intune service.

  • Defines the user collection that enables users to enroll mobile devices.

  • Defines and configures the mobile platforms that you want to support.

To create the Microsoft Intune subscription

  1. In the Configuration Manager console, click Administration.

  2. Choose the steps that are appropriate for your version of Configuration Manager:

    For System Center 2012 Configuration Manager SP1:

    1. In the Administration workspace, expand Hierarchy Configuration, and click Microsoft Intune Subscriptions.

    2. On the Home tab, click Create Microsoft Intune Subscription.

    For Microsoft System Center 2012 Configuration Manager SP2 and System Center 2012 R2 Configuration Manager SP1:

    1. In the Administration workspace, expand Cloud Services, and click Microsoft Intune Subscriptions.

    2. On the Home tab, click Add Microsoft Intune Subscription.
  3. On the Introduction page of the Create Microsoft Intune Subscription Wizard, review the text and click Next.

  4. On the Subscription page, click Sign in and sign in by using your work or school account. In the Set the Mobile Device Management Authority dialog, select the check box to only manage mobile devices by using Intune through the Configuration Manager console. To continue with your subscription, you must select this option.

    Important

    Once you select Configuration Manager as your management authority, you cannot change the management authority to Microsoft Intune in the future.

  5. Click the privacy links to review them, and then click Next.

  6. On the General page, specify the following options, and then click Next.

    - Collection: Specify a user collection that contains users who will enroll their mobile devices.

      Note

      If a user is removed from the collection, the user's device will continue to be managed for up to 24 hours when the user record is removed from the user database.

    - Company name: Specify your company name.

    - URL to company privacy documentation: If you publish your company privacy information to a link that is accessible from the Internet, provide a link that users can access from the company portal, for example https://www.contoso.com/CP_privacy.html. Privacy information can clarify what information users are sharing with your company.

    - Color scheme for company portal: Optionally, change the default color of blue for the company portals.

    - Configuration Manager site code: Specify a site code for a primary site to manage the mobile devices.

      Note

      Changing the site code affects only new enrollments and does not affect existing enrolled devices.
    
  7. On the Company Contact Information page, specify the company contact information that is displayed in the company portal, and then click Next.

  8. On the Company Logo page, choose whether to display a logo in the company portal, and then click Next.

  9. Prior to Configuration Manager SP2, on the Platforms page, select the device types that you want to manage and review the platform requirements, and then click Next. For each device type that you select, you must configure additional options. Use the procedures that follow for more information about those options. After you have configured these additional options, click Next.

  10. Complete the wizard.

The Microsoft Intune Connector Site System Role

The Microsoft Intune connector sends settings and software deployment information to Microsoft Intune and retrieves status and inventory messages from mobile devices. The Intune service acts as a gateway that communicates with mobile devices and stores settings.

Note

The Microsoft Intune connector site system role may only be installed on a central administration site or stand-alone primary site.

To configure the Microsoft Intune Connector role

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles.

  3. Add the Microsoft Intune connector role to a new or existing site system server by using the associated step:

    - New site system server: On the Home tab, in the Create group, click Create Site System Server to start the Create Site System Server Wizard.

    - Existing site system server: Click the server on which you want to install the Microsoft Intune connector role. Then, on the Home tab, in the Server group, click Add Site System Roles to start the Add Site System Roles Wizard.
    
  4. On the System Role Selection page, select Microsoft Intune Connector, and click Next.

  5. Complete the wizard.

How does the Microsoft Intune Connector Authenticate with the Microsoft Intune Service?

The Microsoft Intune Connector extends Configuration Manager by establishing a connection to the cloud-based Microsoft Intune service that manages mobile devices over the Internet. The Microsoft Intune Connector authenticates with the Microsoft Intune service as follows:

  1. When you create a Microsoft Intune subscription in the Configuration Manager console, the Intune admin is authenticated by connecting to Azure Active Directory, which redirects to the respective ADFS server to prompt for user name and password. Then, Microsoft Intune issues a certificate to the tenant.

  2. The certificate from step 1 is installed on the Microsoft Intune Connector site role and is used to authenticate and authorize all further communication with the Microsoft Intune service.

    If the account used to authenticate the Intune Connector has not completed first-time login in the Intune portal, go through the first-time login experience in the Company Portal at https://manage.microsoft.com.

Prepare for Mobile Device Enrollment

Before devices can be enrolled you must establish a trust relationship between the management solution and the managed mobile devices. This relationship is platform-specific, so if, for example, you want to manage both iOS devices and Windows Phone devices you must complete the prerequisites for both platforms. The following list gives, for each platform, the certificates or keys that you must have to enroll it and how you obtain them.

Windows Phone 8

  Certificates or keys: The Company Portal (ssp.xap) and any line-of-business apps must be signed by an enterprise mobile code-signing certificate from Symantec.

  How you obtain them: Buy an enterprise mobile code-signing certificate from Symantec. If you are using a trial version of Intune, you can use the Support tool for Windows Phone trial management. See also Frequently asked questions about mobile device management.

Windows Phone 8.1

  Certificates or keys: Line-of-business apps must be signed with an enterprise mobile code-signing certificate from Symantec.

  How you obtain them: Buy an enterprise mobile code-signing certificate from Symantec. If users only install apps from the Store, including the Company Portal app, no additional certificate is required.

Windows RT, Windows RT 8.1, or Windows 8.1 devices that are not joined to the domain

  Certificates or keys: Sideloading keys. Devices must be provisioned with sideloading keys to install sideloaded apps. All sideloaded apps must be code-signed.

  How you obtain them: Buy sideloading keys from Microsoft.

iOS

  Certificates or keys: Apple Push Notification service certificate.

  How you obtain them: Request an Apple Push Notification service certificate from Apple. For more information, see Prepare to enroll iOS Devices in this topic.

Android 4.0+ and Samsung KNOX

  Certificates or keys: None.

  How you obtain them: Not applicable.

Prepare to enroll iOS Devices

To support enrollment of iOS devices, you must follow these steps:

  1. Download a certificate signing request
    A certificate signing request lets you apply for an Apple Push Notification service (APNs) certificate from the Apple certification authority.

    To download a certificate signing request

    1. In the Configuration Manager console in the Administration workspace, go to Cloud Services > Microsoft Intune Subscriptions.

      Warning

      If other Configuration Manager dialog boxes are open, close them before continuing with this procedure.

    2. On the Home tab, click Create APNs certificate request. The Request Apple Push Notification Service Certificate Signing Request dialog box opens.

    3. Browse to the path to save the new certificate signing request (.csr) file. Save the certificate signing request (.csr) file locally.

    4. Click Download. The new Microsoft Intune .csr file downloads and is saved by Configuration Manager. The .csr file is used to request a trust relationship certificate from the Apple Push Certificates Portal.

  2. Request an Apple Push Notification service certificate from the Apple website

    To request an Apple Push Notification service certificate

    1. Connect to the Apple Push Certificates Portal and sign in with your company Apple ID to create the APNs certificate. This Apple ID must be used in future to renew your APNs certificate.

    2. Sign in and complete the wizard. Download the APNs certificate and save the file locally. This APNs certificate (.pem) file is used to establish a trust relationship between the Apple Push Notification server and Intune’s mobile device management authority.

  3. Enable iOS enrollment

    To enable iOS enrollment beginning in Configuration Manager SP2

    1. In the Configuration Manager console in the Administration workspace, go to Cloud Services > Microsoft Intune Subscription.

    2. On the Home tab in the Subscription group, click Configure Platforms, and then click iOS.

    3. In the Microsoft Intune Subscription Properties dialog box, select the iOS tab and mark the Enable iOS enrollment checkbox.

    To enable iOS enrollment prior to Configuration Manager SP2

    1. In the Configuration Manager console in the Administration workspace, go to Cloud Services > Microsoft Intune Subscription.

    2. In the Microsoft Intune Subscription Properties dialog box, select the iOS tab and mark the Enable iOS enrollment checkbox.

  4. Upload the Apple Push Notification service certificate

    Click Browse and go to the APNs certificate (.cer) file downloaded from Apple. Configuration Manager displays the APNs certificate information. Click OK to save the APNs certificate to Intune.

    Important

    Do not upload the Apple Push Notification service (APNS) certificate until you enable iOS enrollment in the Configuration Manager console.

Prepare to enroll Windows and Windows Phone mobile devices

To support the Company Portal app for Windows Phone 8.0 and to deploy company apps to Windows Phone 8.1 you must get a Symantec Enterprise Mobile Code Signing Certificate. You cannot use a certificate issued by your own certification authority because only the Symantec certificate is trusted by Windows Phone devices. If users will only enroll Windows Phone 8.1 devices and you won't deploy line-of-business apps to Windows devices, instruct users to install the Company Portal app from the Windows Phone Store and skip the following steps. This certificate is used to:

  • Sign a company portal app for deployment to Windows Phone 8 for enrollment and phone management

  • Sign company apps so Configuration Manager can deploy them to Windows Phones

The steps below will help you get the required certificates and sign the company portal app. You will need a Windows Phone Dev Center account and then you will need to purchase a Symantec certificate.

To prepare to enroll Windows and Windows Phone mobile devices

  1. Join the Windows Phone Dev Center 
    Join the Windows Phone Dev Center using corporate account information when logging in to purchase your company account. This request will need to be authorized by a company officer before you receive a code-signing certificate.

  2. Get a company Symantec certificate 
    Purchase a certificate from the Symantec website using your Symantec ID. After you purchase the certificate, the corporate approver whom you designated in your Windows Phone Dev Center account will receive an email asking for approval of the certificate request. For more information about the Symantec certificate requirement, see Why does Windows Phone require a Symantec certificate for management?.

  3. Import certificates 
    Once the request has been approved, you will receive an email containing instructions for importing certificates. Follow the instructions in the email to import the certificates.

  4. Verify certificates imported 
    To verify that the certificates have been imported correctly, go to the Certificates snap-in, right-click Certificates, and select Find Certificates. In the Contains field, enter “Symantec”, and click Find Now. The certificates you imported should appear in the results.

    (Screenshot: Certificate search)

  5. Export a signing certificate 
    Having verified that the certificates are present, you can export the .pfx file to sign the company portal. Select the Symantec certificate with Intended purpose “code-signing.” Right-click the code-signing certificate and select Export.

    (Screenshot: Certificate export)

    In the Certificate Export Wizard, select Yes, export the private key and then click Next. Select Personal Information Exchange - PKCS #12 (.PFX) and check Include all the certificates in the certification path if possible. Complete the wizard. For more information, see How to Export a Certificate with the Private Key.

  6. Download the Company Portal 
    Download the Intune Company Portal for Windows Phone from the Download Center. The default installation location is C:\Program Files (x86)\Microsoft Corporation\Windows Intune Company Portal for Windows Phone.

  7. Download the SDK
    Download the Windows Phone SDK.

  8. Code-sign the Company Portal app 
    Use the XAPSignTool app downloaded with the SDK to sign the company portal with the .pfx file you created from the Symantec certificate. For more information, see How to sign a company app by using XapSignTool.

  9. Create an application for distribution 
    Create an application to deploy that contains the signed company portal app. Select Automatically detect information about this application from installation files. In Type, select Windows Phone app package (*.xap) file. In Location, browse to a network share where you have copied the ssp.xap. On the General Information page, enter a name that will show up in the Configuration Manager console, but note that the application will always be displayed as Company Portal in the app list on Windows Phones.

  10. Enable management by Configuration Manager

    Complete the following steps for the Windows devices you will manage.

    To enable Windows Phone enrollment beginning in System Center 2012 Configuration Manager SP2

    1. In the Configuration Manager console in the Administration workspace, go to Cloud Services > Microsoft Intune Subscriptions.

      Warning

      If other Configuration Manager dialog boxes are open, close them before continuing with this procedure.

    2. On the Home tab, click Configure Platforms, and then click Windows Phone.

    3. On the General tab, choose the Windows Phone platforms that you will use, and then click Next. The Windows Phone 8.0 and Windows Phone 8.1 and later options are used to determine the requirements that are needed for those platforms. For example, when you select Windows Phone 8.0, you are required to specify the Company Portal app on the Company Portal App tab. If you only select Windows Phone 8.1 and later, the options are disabled on the Company Portal App tab because the Company Portal app installation is not associated with device enrollment with Windows Phone 8.1 or later devices.

    4. Add the certificate (.pfx) file that you exported, or choose Application enrollment token and browse to the location of the file.

    5. On the Company Portal App tab, click Browse and select the application package that contains the signed Company Portal app. This option is only available when you select Windows Phone 8.0 on the General tab. For Windows Phone 8.1 and later, deploy the application that contains the Company Portal app with a deployment purpose of Required. For details, see How to Create and Deploy Applications for Mobile Devices in Configuration Manager.

    To enable Windows Phone enrollment prior to System Center 2012 Configuration Manager SP2

    1. For Windows Phone 8.1, you must enable the Windows Phone 8.1 extension in the Configuration Manager console. For more information, see How to Enable Extensions.

    2. On the Windows Phone page of the Create Microsoft Intune Subscription Wizard or in the properties for the subscription, specify the .pfx file that you received.

    3. Specify the name of the Microsoft Intune company portal application package that you created.

    To enable Windows Device enrollment beginning in System Center 2012 Configuration Manager SP2

    1. In the Configuration Manager console in the Administration workspace, go to Cloud Services > Microsoft Intune Subscriptions.

      Warning

      If other Configuration Manager dialog boxes are open, close them before continuing with this procedure.

    2. On the Home tab, click Configure Platforms, and then click Windows.

    3. On the General tab, select Enable Windows enrollment, and if you have a certificate from your company’s certification authority, click Browse to specify the code-signing certificate that you want to use for all Windows 8 apps.

      Note

      All apps must be code-signed. The certificate field is for your company’s certificate. If you have purchased a certificate from an external certification authority, you can leave this field blank.

    To enable Windows Device enrollment prior to System Center 2012 Configuration Manager SP2

    1. On the Windows RT Configuration page of the Create Microsoft Intune Subscription Wizard or in the properties for the subscription, if you have a certificate from your company’s certification authority, click Browse to specify the code-signing certificate that you want to use for all Windows 8 apps.

      Note

      All apps must be code-signed. The certificate field is for your company’s certificate. If you have purchased a certificate from an external certification authority, you can leave this field blank.

    2. Click Add to enter your sideloading keys.

  11. Distribute the application 
    Use the Distribute Content wizard to distribute the Microsoft Intune company portal application to the manage.microsoft.com distribution point.

    Important

    Do not create a deployment for this application - the deployment will be automatically created when you complete the Microsoft Intune Subscription Wizard.
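The following PowerShell is an added example, not part of this topic or of the Configuration Manager product; it scripts steps 4 and 5 of the procedure above. It finds the Symantec code-signing certificate in the current user's Personal store, checks the properties the walkthrough depends on (private key present, code-signing Enhanced Key Usage, not expired), flags a certificate that is inside the 14-day renewal window described under Renew your Symantec enterprise code-signing certificate later in this topic, and exports it with its chain as a PKCS #12 (.pfx), reading the file back to confirm it holds the same key pair. The issuer pattern "Symantec", the store location and the output path are assumptions.

```powershell
# Added example, not from the original topic or product. Scripts the "verify certificates
# imported" and "export a signing certificate" steps for the Symantec enterprise mobile
# code-signing certificate. Assumptions: the certificate is in Cert:\CurrentUser\My, its
# issuer name contains "Symantec", and the .pfx is written under the user's Documents folder.

using namespace System.Security.Cryptography.X509Certificates

$CodeSigningEku    = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
$RenewalWindowDays = 14                    # Symantec sends its renewal notice about 14 days before expiry

function Find-MobileCodeSigningCert {
    param(
        [string]$IssuerPattern = 'Symantec',
        [string]$StorePath     = 'Cert:\CurrentUser\My'
    )
    # Same filter the topic applies interactively in the Certificates snap-in (Find
    # Certificates, Contains "Symantec"), restricted to certificates that carry a private key.
    Get-ChildItem -Path $StorePath | Where-Object { $_.Issuer -match $IssuerPattern -and $_.HasPrivateKey }
}

function Test-CodeSigningCert {
    param([Parameter(Mandatory)][X509Certificate2]$Cert)
    # Read the Enhanced Key Usage extension from the certificate itself rather than the
    # snap-in's "Intended purpose" column, which can be overridden per store.
    $hasCodeSigning = $false
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $CodeSigningEku) { $hasCodeSigning = $true }
            }
        }
    }
    $daysLeft = [math]::Floor(($Cert.NotAfter - (Get-Date)).TotalDays)
    [pscustomobject]@{
        Thumbprint      = $Cert.Thumbprint
        Subject         = $Cert.Subject
        Issuer          = $Cert.Issuer
        HasPrivateKey   = $Cert.HasPrivateKey
        CodeSigningEku  = $hasCodeSigning
        DaysUntilExpiry = $daysLeft
        RenewNow        = $daysLeft -le $RenewalWindowDays
        Usable          = $Cert.HasPrivateKey -and $hasCodeSigning -and $daysLeft -gt 0
    }
}

function Export-CodeSigningPfx {
    param(
        [Parameter(Mandatory)][X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$OutFile,
        [Parameter(Mandatory)][securestring]$Password
    )
    # Export-PfxCertificate (PKI module) with -ChainOption BuildChain is the scripted
    # equivalent of "Include all the certificates in the certification path if possible".
    Export-PfxCertificate -Cert $Cert -FilePath $OutFile -Password $Password -ChainOption BuildChain | Out-Null

    # Read the file back and confirm it holds the same certificate and its private key
    # before handing it to XapSignTool.
    $readBack = [X509Certificate2]::new($OutFile, $Password)
    if ($readBack.Thumbprint -ne $Cert.Thumbprint -or -not $readBack.HasPrivateKey) {
        throw "Exported file $OutFile does not contain the expected certificate and private key."
    }
    return $OutFile
}

# --- Usage --------------------------------------------------------------------------------
$certs = @(Find-MobileCodeSigningCert)
$certs | ForEach-Object { Test-CodeSigningCert -Cert $_ } | Format-List

if ($certs.Count -ne 1) {
    Write-Warning "Expected exactly one Symantec code-signing certificate with a private key; found $($certs.Count)."
} elseif ((Test-CodeSigningCert -Cert $certs[0]).Usable) {
    $pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the exported .pfx'
    Export-CodeSigningPfx -Cert $certs[0] -OutFile (Join-Path $env:USERPROFILE 'Documents\symantec-codesign.pfx') -Password $pfxPassword
}
```

The export is refused unless exactly one matching certificate is found and it is usable, so a store that still holds an expired predecessor next to the renewed certificate is reported rather than silently exported. Treat the resulting .pfx as the signing key it is: keep it off shared locations and delete working copies once the Company Portal and line-of-business apps are signed.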

Renew your Symantec enterprise code-signing certificate for Windows devices

The Symantec certificate used to manage certain Windows and Windows Phone mobile devices must be renewed periodically. For Windows Phone 8.0 devices, a signed Company Portal app and the code-signing certificate are needed for device enrollment. Later Windows Phone devices can use the Company Portal app downloaded from the store. A code-signing certificate is also required for deploying line-of-business apps.

How to renew the Symantec enterprise code-signing certificate

  1. Look for a renewal email sent from Symantec approximately 14 days prior to certificate expiration. This email contains directions from Symantec about renewing your enterprise certificate.

    For additional information about Symantec certificates, visit www.symantec.com or call 1-877-438-8776 or 1-650-426-3400.

  2. Go to the website (example: https://products.websecurity.symantec.com/orders/enrollment/microsoftCert.do) and log in with the Symantec Publisher ID and email address associated with the certificate. Remember to use the same machine for starting the renewal that you'll use to download the certificate.

  3. Once the renewal is approved and paid for, download the certificate.

How to install the updated Symantec certificate for Windows Phone 8.0

  1. Download and sign the latest Windows Phone Company Portal located here: https://www.microsoft.com/en-us/download/details.aspx?id=36060.

  2. In the Configuration Manager console locate the Windows Phone workspace and then click Upload Signed App.

  3. Upload the newly signed Company Portal. You’ll need the newly signed SSP.xap and the new .PFX file you received from Symantec or the application enrollment token that was created with this new .PFX file.

  4. When the upload is complete, remove the old Company Portal version in the Software workspace in the Intune Management Console.

  5. Sign all enterprise line-of-business apps again using the same certificate and upload and replace existing applications.

Providing a signed SSP.xap file is currently the only way to provide the updated code signing certificate. To support signed line-of-business apps, you must sign and upload a Company Portal app even though your users will install the Company Portal app from the store.

How to install the updated certificate for Windows Phone 8.1 and later devices

  1. Download and sign the latest Windows Phone Company Portal from the Download Center located here: https://www.microsoft.com/en-us/download/details.aspx?id=36060.

  2. In the Configuration Manager console locate the Windows Phone workspace and then click Upload Signed App.

  3. Upload the newly signed Company Portal. You’ll need the newly signed SSP.xap and the new .PFX file you received from Symantec or the Application enrollment token that was created with this new .PFX file.

  4. When the upload is complete, remove the old Company Portal version in the Software workspace.

  5. Sign all new and any updated enterprise line-of-business apps using the new certificate. Existing applications do not need to be resigned and redeployed.

Next Steps