Mobile device management in System Center 2012 Configuration Manager

 

Updated: July 27, 2015

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

You already have Configuration Manager to manage PCs and servers, and now you need a way to manage mobile devices. This topic provides information to help you to choose and implement the right mobile device management (MDM) option with Configuration Manager. If you don't have Configuration Manager, you can use either Microsoft Intune or built-in MDM for Office 365 to manage mobile devices.

MDM options in Configuration Manager

You will choose one or more MDM options based on the mobile device platforms that you have in your environment and the management functionality that you need. For example, you must use both Configuration Manager with Intune and the Exchange Server connector to configure conditional access policies for devices that connect to on-premises Exchange. System Center 2012 Configuration Manager provides the following options to help you manage the mobile devices in your environment:

MDM option

Use this option to:

Configuration Manager with Microsoft Intune

  • Manage Windows Phone, Windows RT, Android, and iOS devices.

  • Get the most advanced management functionality.

  • Manage mobile devices from any location.

  • Use a single management console to manage mobile devices and on-premises computers.

  • Manage computers that have Windows 8.1 or later operating systems as mobile devices.

Configuration Manager with Exchange ActiveSync

  • Get centralized management of your devices that can connect to Exchange ActiveSync.

  • Configure Exchange mobile device management features, such as remote device wipe and settings control for multiple Exchange servers, from the Configuration Manager console.

  • Add the Exchange Server connector with Configuration Manager and Intune to get conditional access for devices that connect to Exchange on-premises or Exchange Online dedicated.

Configuration Manager Mobile Device Enrollment

  • Manage mobile devices that have Windows Mobile or Nokia Symbian Belle operating systems.

Configuration Manager with the legacy client

  • Manage mobile devices that have Windows CE or Windows Mobile 6.0 operating systems.

If you still aren't sure which option is right for you, see Determine How to Manage Mobile Devices in Configuration Manager for the technical details. To review the supported hardware and operating systems for these options, see Mobile Device Requirements.

Configuration Manager with Microsoft Intune

When you extend Configuration Manager with Microsoft Intune, the hybrid option, you get the most advanced management functionality for the most popular mobile device platforms.

 

Extend Configuration Manager with Microsoft Intune to manage mobile devices

What's new for MDM

Check for recently released mobile device management features in the hybrid option. If you have Intune without Configuration Manager, see What's new in Microsoft Intune instead.

Prerequisites to manage mobile devices

Before you can manage mobile devices in the hybrid option, you must make sure all prerequisites are in place, configure the Microsoft Intune subscription, add the Microsoft Intune Connector site system role, and prepare for mobile device enrollment. For step-by-step instructions, see Manage Mobile Devices with Configuration Manager and Microsoft Intune. For a checklist of steps, see Administrator Checklist: Configuring Configuration Manager to Manage Mobile Devices by Using Microsoft Intune.

Enroll corporate-owned iOS Devices using the Apple Device Enrollment Program

Beginning with System Center 2012 Configuration Manager SP2, you can enroll corporate-owned iOS devices using the Apple Device Enrollment Program (DEP). This process automates MDM enrollment for corporate-owned iOS devices so the devices are already configured and ready to activate for your users.

Ways to protect corporate data

Because mobile devices can store sensitive corporate data and provide access to many corporate resources, protect your data with remote wipe, remote lock, or passcode reset using Configuration Manager. You can initiate a full wipe to restore the device to its factory settings or a selective wipe to remove only company data. Beginning with System Center 2012 Configuration Manager SP2, you can initiate a remote lock to help secure a device that might be lost and reset the device passcode.

Control device configurations with compliance settings

In the hybrid option, you can create configuration items to configure compliance settings for enrolled mobile devices. These settings include general security, kiosk mode, and app compliance.

Note

Be sure to review Introduction to Compliance Settings in Configuration Manager before you create compliance settings for mobile devices.

Deploy apps to mobile devices

In the hybrid option, you can create apps and deploy them to mobile devices, where they appear in the company portal.

Note

Be sure to review Introduction to Application Management in Configuration Manager before you create and deploy applications for mobile devices.

Control apps using mobile application management policies

Beginning with System Center 2012 Configuration Manager SP2, you can control apps using mobile application policies that let you modify the functionality of deployed apps to help bring them into line with your company compliance and security policies. For example, you can restrict cut, copy and paste operations within a restricted app, or configure an app to open all web links inside a managed browser.

Collect inventory for mobile devices

In the hybrid option, you can collect hardware inventory for iOS, Android, and Windows devices by enabling certain hardware inventory classes. You can also collect software inventory of the apps installed on mobile devices. The apps that are inventoried will depend on whether the device is company-owned or personal-owned. For personal devices, the only apps that are inventoried are apps that are managed by Microsoft Intune.

Use profiles to allow access to data and applications from remote locations

When you integrate Configuration Manager with Microsoft Intune, company resource access provides a set of tools and resources that enable you to give users in your organization access to data and applications from remote locations. Use the following to help you find information about company resource access. For more information, see Remote Connection Profiles in Configuration Manager.

  • Remote connection profiles in Configuration Manager: Use remote connection profiles to allow your users to remotely connect to work computers when they are not connected to the domain or if their personal computers are connected over the Internet. By deploying these settings, you minimize the effort that end users require to connect to their computers on the corporate network.

  • Certificate Profiles in Configuration Manager: Use certificate profiles to help you provision computers in your organization with the certificates that users require to connect to various company resources.

  • VPN Profiles in Configuration Manager: Use VPN profiles to help you create, deploy, and monitor VPN profiles. By deploying these settings, you reduce the end-user effort that is required to connect to resources on the company network.

  • Wi-Fi Profiles in Configuration Manager: Use Wi-Fi profiles to help you create, deploy, and monitor wireless network settings to devices in your organization. By deploying these settings, you minimize the effort that end users require to connect to corporate wireless networks.

  • Email Profiles in Configuration Manager: Use email profiles to help you create, deploy and monitor email settings on devices. This enables users to access corporate email on their personal devices without any required setup on their part.

  • Conditional Access in Configuration Manager: Use conditional access to help you secure email and other services depending on conditions you specify. When devices do not meet the conditions, the user is guided through the process of enrolling the device and fixing the issue that is preventing the device from being compliant. To use conditional access for devices that connect to Exchange Online dedicated or Exchange on-premises, you must install the Exchange Server connector.

  • Manage Internet access using managed browser policies: Beginning with System Center 2012 Configuration Manager SP2, deploy the Intune Managed Browser, a web browsing application, and associate the application with a managed browser policy. The managed browser policy configures an allow list or a block list that restricts the web sites that users of the managed browser can visit.

Configuration Manager with Exchange ActiveSync

Use the Exchange Server connector in System Center 2012 Configuration Manager when you want to manage mobile devices that connect to Exchange Server (on-premises or online) by using the Microsoft Exchange ActiveSync protocol. You can configure Exchange mobile device management features, such as remote device wipe and settings control for multiple Exchange servers, from the Configuration Manager console. To use conditional access for devices that connect to Exchange Online dedicated or Exchange on-premises, you must install the Exchange Server connector with Configuration Manager and Intune.

 

Connect to Exchange to manage mobile device settings

Prerequisites to manage mobile devices that connect to Exchange Server

Before you can manage mobile devices by using Configuration Manager and Exchange, you must install the Exchange Server connector site system role. For step-by-step instructions, see How to Manage Mobile Devices by Using Configuration Manager and Exchange.

Configure general settings for mobile devices that connect to Exchange Server

You can create configuration items to configure settings for mobile devices that connect to Exchange Server. These settings are configured in the default Exchange ActiveSync mailbox policies. You can configure general settings for mobile devices in the password, browser, security, and encryption groups. For example, in the password group setting, you can configure whether mobile devices require a password, the minimum password length, password complexity, and whether password recovery is allowed.

Note

Be sure to review Introduction to Compliance Settings in Configuration Manager before you create compliance settings for mobile devices.

Configuration Manager Mobile Device Enrollment

You can manage Windows Mobile and Nokia Symbian Belle mobile devices when they are enrolled with Configuration Manager. This enables hardware inventory, software deployment for required applications, settings, and remote wipe on these devices.

Prerequisites to manage Windows Mobile and Nokia Symbian mobile devices

When you enroll Windows Mobile and Nokia Symbian mobile devices by using System Center 2012 Configuration Manager, the Configuration Manager client is installed on the devices to provide management capabilities. For step-by-step instructions, see How to Install Clients on Windows Mobile and Nokia Symbian Devices Using Configuration Manager.

Deploy apps to Windows Mobile and Nokia Symbian mobile devices

After Windows Mobile and Nokia Symbian Belle mobile devices are enrolled with Configuration Manager, you can create and deploy required applications to these mobile devices.

Note

Be sure to review Introduction to Application Management in Configuration Manager before you create and deploy applications for mobile devices.

Configure compliance settings for Windows Mobile and Nokia Symbian Belle mobile devices

You can create configuration items to configure settings for Windows Mobile and Nokia Symbian Belle mobile devices. You can configure general settings for mobile devices in the password, email management, security, peak synchronization, roaming, encryption, and wireless communications groups. For example, in the password group setting, you can configure whether mobile devices require a password, the minimum password length, password complexity, and whether password recovery is allowed.

Note

Be sure to review Introduction to Compliance Settings in Configuration Manager before you create compliance settings for mobile devices.

Configuration Manager with the legacy client

You can manage mobile devices that run Windows CE or Windows Mobile 6.0 operating systems by using the Configuration Manager legacy client. This enables hardware and software inventory and lets you collect files, manage configurations, and distribute packages and programs.

Prerequisites to manage Windows CE or Windows Mobile 6.0 mobile devices

When you enroll Windows CE or Windows Mobile 6.0 mobile devices by using the legacy client, the Configuration Manager client is installed on the devices to provide management capabilities. For step-by-step instructions, see Mobile Device Management in Configuration Manager in the Configuration Manager 2007 documentation library.

Collect inventory for Windows CE or Windows Mobile 6.0 mobile devices

When you use the legacy client, Configuration Manager collects hardware inventory and software inventory for Windows CE or Windows Mobile 6.0 mobile devices.

Deploy packages and programs to Windows CE or Windows Mobile 6.0 mobile devices

You can deploy packages and programs to mobile devices that run the legacy client, but not applications or software updates.

Configure compliance settings for Windows CE or Windows Mobile 6.0 mobile devices

You can create configuration items to configure settings for Windows CE or Windows Mobile 6.0 mobile devices. You can configure general settings for mobile devices in the password, email management, security, peak synchronization, roaming, encryption, and wireless communications groups. For example, in the password group setting, you can configure whether mobile devices require a password, the minimum password length, password complexity, and whether password recovery is allowed.

Note

Be sure to review Introduction to Compliance Settings in Configuration Manager before you create compliance settings for mobile devices.