Export (0) Print
Expand All
10 out of 16 rated this helpful - Rate this topic

How to Manage Mobile Devices by Using Configuration Manager and Windows Intune

Updated: February 1, 2014

Applies To: System Center 2012 Configuration Manager SP1, System Center 2012 R2 Configuration Manager

noteNote
The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager.

This walkthrough shows you step-by-step how to configure Configuration Manager so that you can manage Windows Phone 8, Windows RT, iOS, and Android devices by using the Windows Intune service over the Internet. Although you use the Windows Intune service, management tasks are completed by using the Windows Intune connector site system role available through the Configuration Manager console. System Center 2012 R2 Configuration Manager also gives you option of managing Windows 8.1 devices, in the same manner of mobile devices, that do not have the Configuration Manager client installed.

You can configure Configuration Manager to enable mobile device management to let users access company resources in a secure, managed way. By using device management, you protect company data while letting users enroll their personal or company-owned mobile devices and giving them access to company data. When you use Configuration Manager with Windows Intune, you have the following management capabilities:

  • You can retire and wipe devices.

  • You can configure compliance settings on devices. These include settings for passwords, security, roaming, encryption, and wireless communication.

  • You can deploy line of business apps to devices.

  • You can deploy apps from the store that the device connects to, Windows Store, Windows Phone Store, App Store, or Google Play.

  • You can collect hardware inventory.

  • You can collect software inventory by using built-in reports.

This document assumes that you are using Configuration Manager to manage computers, and that you are interested in extending the Configuration Manager console to manage mobile devices. After you complete this walkthrough, users will be able to enroll their devices for management.

We will show you:

  • How to configure the Windows Intune subscription for mobile device management.

  • How to install the Windows Intune connector site system role that lets you use Windows Intune in the Configuration Manager console.

Use the following sections to help you manage mobile devices by using the Windows Intune connector.

Use the following information to determine the prerequisites for managing mobile devices.

For a checklist about how to configure Configuration Manager to manage mobile devices, see Administrator Checklist: Configuring Configuration Manager to Manage Mobile Devices by Using Windows Intune.

 

External dependencies More information

Sign up for a Windows Intune organizational account.

You can sign up for an account at Windows Intune.

For more information, see Windows Intune organizational account and Acceptable Use Policy for Windows Intune in the Documentation Library for Windows Intune.

Add a public company domain.

All user accounts must have a publicly verifiable domain name that can be verified by Windows Intune.

Verify users have a public domain UPN.

Before you synchronize the Active Directory user account, you must verify that user accounts have a public domain UPN. For more information, see Add User Principal Name Suffixes in the Active Directory documentation library.

Deploy and configure directory synchronization.

Directory synchronization lets you populate Windows Intune with synchronized user accounts. The synchronized users and security groups are added to Windows Intune. For more information, see Configure directory synchronization in the Active Directory documentation library.

For single sign-on you must deploy AD FS. For more information, see Configure single sign-on in the Active Directory documentation library.

Create a DNS alias.

Create a DNS alias (CNAME record type). You have to configure a CNAME in DNS that redirects EnterpriseEnrollment.<company domain name>.com to manage.microsoft.com. For example, if Melissa's email address is Melissa@contoso.com, you have to create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to manage.microsoft.com.

The CNAME record is used as part of the enrollment process.

Obtain certificates or keys.

For more information, see Obtain Certificates or Keys to Meet Prerequisites per Platform in this topic.

The following table lists the certificates or keys that you must have to enroll mobile platforms.

 

Platform Certificates or keys How you obtain certificates or keys

Windows Phone 8

Code signing certificate: All sideloaded apps must be code-signed.

Buy a code signing certificate from Symantec.

Windows RT, Windows RT 8.1, or Windows 8.1 devices that are not joined to the domain.

Sideloading keys: Devices have to be provisioned with sideloading keys to enable the installation of sideloaded apps.

All sideloaded apps must be code-signed.

Buy sideloading keys from Microsoft.

All apps must be code-signed by using your company’s certification authority or an external certification authority.

iOS

Apple Push Notification service certificate.

Request an Apple Push Notification service certificate from Apple. For more information, see the Prerequisites for Enrolling iOS Devices in this topic.

Android

None.

Not applicable.

To manage Windows Phone 8 devices, you have to deploy the Windows Phone 8 company portal app. The company portal app must be code-signed with a Symantec certificate that is trusted by the Windows Phone 8 devices.

  1. Join the Windows Phone Dev Center by visiting the Windows Phone Dev Center. You must use a corporate account.

  2. Locate your Symantec ID by clicking Dashboard in the Windows Phone Dev Center and locate the numeric ID under Symantec Id.

  3. Purchase a certificate from the Symantec website by using your Symantec ID.

  4. After you purchase the certificate, the corporate approver that you designated in your Windows Phone Developer account will receive an email asking for approval of the certificate request. Once the request has been approved, you will receive an email that contains the instructions for importing the certificates.

  5. Read the instructions in the email carefully and import the certificates.

  6. To verify that the certificates have been imported correctly, go to the Certificates snap-in, right-click Certificates, and select Find Certificates. In the Contains field, enter “Symantec”, and click Find Now. The certificates that you imported should be listed as part of the results.

    Certificate search

  7. Now that you have verified that the certificates have been imported, you can export the .pfx file so that you can sign the company portal. Using the results from the previous step, you must select the Symantec certificate with the Intended purpose as “code-signing.” Then, right-click the code-signing certificate and select Export.

    Certificate export

    In the Certificate Export Wizard, select Yes, export the private key and click Next. Select Personal Information Exchange –PKCS #12 (.PFX) and check Include all the certificates in the certification path if possible. Complete the wizard. For more information, see How to Export a Certificate with the Private Key.

  8. Download the Windows Phone 8 company portal app.

  9. Before you can deploy the company portal app, it must be signed by a certification authority that is trusted by Windows Phone 8 devices. Use the XAPSignTool app that comes with the Windows Phone 8 SDK to sign the company portal with the .pfx file you created from the Symantec certificate. For more information, see How to sign a company app by using XapSignTool

  10. Create an application using the signed company portal app, for more information, see Create an application for Windows Phone 8 devices.

  11. Deploy the Windows Phone 8 company portal application to the manage.microsoft.com distribution point.

    For more information, see How to deploy an application to mobile devices.

    noteNote
    If you have already deployed the company portal app and want to deploy the latest version see the Supercedence section in How to Create and Deploy Applications for Mobile Devices in Configuration Manager.

To configure app management on a mobile device that runs Windows RT or on a Windows 8.1 device, you must follow these steps.

  1. Obtain sideloading keys. Before you can run sideloaded line-of-business apps on Windows RT, you must obtain and activate sideloading keys from Microsoft. For more information about sideloading product activation keys, see Microsoft Volume Licensing.

  2. Sign all apps. For sideloaded apps to run on Windows RT, you must use a certificate to sign all apps.

To enroll iOS devices, you must follow these steps.

  1. Download a certificate signing request from Windows Intune. This certificate signing request lets you apply to for an Apple Push Notification service certificate from the Apple certification authority.

  2. Request an Apple Push Notification service certificate from the Apple website.

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Hierarchy Configuration, and click Windows Intune Subscriptions.

  3. On the Home tab, in the Create group, click Create APNs certificate request.

  4. In the Request Apple Push Notification Service Certificate Signing Request dialog box, click Browse to specify a location to download the Certificate Signing Request, specify your choice of file name, and then click Download.

  5. On the Windows Intune sign in page, enter your organizational account and password. After you sign in, the certificate signing request is downloaded to the location that you specified.

  1. Connect to the Apple Push Certificates Portal.

  2. Sign in and complete the wizard.

    noteNote
    Make sure that you use a company account to obtain the Apple Push Notification service certificate. When you return to the Apple site to renew the certificate, make sure that you use the same account.

  3. Upload the Certificate Signing Request that you downloaded from Windows Intune.

For System Center 2012 R2 Configuration Manager, users can download the Android company portal app from Google Play that lets them enroll Android devices. With the Android company portal app, you can manage compliance setting, wipe or delete Android devices, deploy apps, and collect software and hardware inventory. If the Android company portal app is not installed on Android devices or if you are using Configuration Manager SP1, then you will not have all the management capabilities, such as inventory and compliance settings, but you can still deploy apps to Android devices.

 

Dependencies in Configuration Manager More information

Create the Windows Intune subscription.

For more information, see Configuring the Windows Intune Subscription in this topic.

Add the Windows Intune connector.

For more information, see The Windows Intune Connector Site System Role in this topic.

The Windows Intune subscription lets you specify your configuration settings for the Windows Intune service. This includes specifying which users can enroll their devices and defining which mobile device platforms to manage. When you have created your subscription, you can then install the Windows Intune connector site system role that lets you connect to the Windows Intune service. This connector site system role will push settings and applications to the Windows Intune service. The Windows Intune subscription performs the following:

  • Retrieves the certificate that the Windows Intune connector requires to connect to the Windows Intune service.

  • Defines the user collection that enables users to enroll mobile devices.

  • Defines and configures the mobile platforms that you want to support.

  1. In the Configuration Manager console, click Administration.

  2. For System Center 2012 Configuration Manager SP1: In the Administration workspace, expand Hierarchy Configuration, and click Windows Intune Subscriptions.

    For System Center 2012 R2 Configuration Manager: In the Administration workspace, expand Cloud Services, and click Windows Intune Subscriptions.

  3. For System Center 2012 Configuration Manager SP1: On the Home tab, in the Create group, click Create Windows Intune Subscription.

    System Center 2012 R2 Configuration Manager: On the Home tab, click Add Windows Intune Subscription.

  4. On the Introduction page of the Create Windows Intune Subscription Wizard, review the text and click Next.

  5. On the Subscription page, click Sign in and sign in by using your Windows Intune organizational account. Select the Allow the Configuration Manager console to manage this subscription check box. When you select this setting, you will only be able to manage mobile devices by using the Configuration Manager console. To continue with your subscription, you must select this option.

    ImportantImportant
    Once you select Configuration Manager as your management authority, you cannot change the management authority to Windows Intune in the future.

  6. Click the privacy links to review them, and then click Next.

  7. On the General page, specify the following options, and then click Next.

    • Collection: Specify a user collection that contains users who will enroll their mobile devices.

      noteNote
      If a user is removed from the collection, the user’s device will continue to be managed for up to 24 hours when the user record is removed from the user database.

    • Company name: Specify your company name.

    • URL to company privacy documentation: If you publish your company privacy information to a link that is accessible from the Internet, provide a link that users can access from the company portal. Privacy information can clarify what information users are sharing with your company.

    • Color scheme for company portal: Optionally, change the default color of blue for the company portals.

    • Configuration Manager site code: Specify a site code for a primary site to manage the mobile devices.

      noteNote
      Changing the site code affects only new enrollments and does not affect existing enrolled devices.

  8. On the Platforms page, select the device types that you want to manage and review the platform requirements, and then click Next.

For each device type that you selected, you must configure additional options. Use the procedures that follow for more information about those options. After you have configured these additional options, click Next and complete the wizard.

  • On the iOS page, click Browse to specify the Apple Push Notification service certificate that you received from Apple. For more information about how to obtain an Apple Push Notification service certificate, see the Prerequisites for Enrolling iOS Devices section in this topic.

  • On the Windows Phone 8 Configuration page, specify the .pfx file or Application Enrollment token that you received when you satisfied the Windows Phone 8 prerequisites in the prerequisites section of this walkthrough.

  • Specify the location of the signed Windows Phone 8 company portal app that you created in the prerequisites section of this walkthrough.

For more information about how to obtain the certificate, see the Prerequisites for Enrolling Windows Phone 8 Devices section in this topic.

Windows RT, Windows RT 8.1 and Windows 8.1 devices require that all sideloaded apps be signed with a trusted code-signing certificate.

  1. On the Windows RT Configuration page, if you have a certificate from your company’s certification authority, click Browse to specify the code-signing certificate that you want to use for all Windows 8 apps.

    noteNote
    All apps must be code-signed. The certificate field is for your company’s certificate. If you have purchased a certificate from an external certification authority, you can leave this field blank.

  2. Click Add to enter your sideloading keys. For more information about how to obtain the certificate, see the Prerequisites for Enrolling Windows RT Devices, Windows RT 8.1, or Windows 8.1 devices section in this topic.

Android devices have no prerequisites. For System Center 2012 R2 Configuration Manager, Android users can download the Android company portal app from Google Play that will allow them to enroll Android devices.

The Windows Intune connector sends settings and software deployment information to Windows Intune and retrieves status and inventory messages from mobile devices. The Windows Intune service acts as a gateway that communicates with mobile devices and stores settings.

noteNote
The Windows Intune connector site system role may only be installed on a central administration site or stand-alone primary site.

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles.

  3. Add the Windows Intune Connector role to a new or existing site system server by using the associated step:

    • New site system server: On the Home tab, in the Create group, click Create Site System Server to start the Create Site System Server Wizard.

    • Existing site system server: Click the server on which you want to install the Windows Intune connector role. Then, on the Home tab, in the Server group, click Add Site System Roles to start the Add Site system Roles Wizard.

  4. On the System Role Selection page, select Windows Intune Connector, and click Next.

  5. Complete the wizard.

Enrollment establishes a relationship between the user, the device, and the Windows Intune service. Users enroll their own mobile devices. Android devices are not enrolled, but can be managed by using the Exchange Server connector. The following sections describe enrollment for Windows Phone 8, Windows RT, and iOS.

noteNote
If your subscription to Windows Intune is going to expire, you must unenroll all devices prior to expiration in order to ensure company content is removed from devices.

For Windows Phone 8, users start enrollment from the Windows Phone 8 device by going to system settings and selecting company apps. The following processes then occur when users enroll their own mobile devices.

  1. Users are asked to provide their credentials. When authentication is successful, Windows Intune establishes a relationship between the user and the Windows Phone 8 device.

  2. A certificate is installed on the device for authentication between the device and the Windows Intune service.

  3. Users must select Install company app or Hub to let their device be managed.

    ImportantImportant
    If users do not select this option to install the company app or hub, they cannot download the company portal. If the Windows Phone 8 company portal is not installed during enrollment, or if users uninstall the company portal, users must retire their mobile device and enroll again. Or, you can make the company portal file available by sending users a link in an email.

  4. The company portal is installed on the device. Inventory is collected; management settings are applied, and users now have access to line-of-business apps that you make available to them.

For Windows RT, users start enrollment from the Windows RT device. The users must complete the following tasks:

  1. On the Windows RT device, users select Start, and type “System Configuration”, and click the dialog box to open the Company Apps.

  2. The users enter their company credentials and are authenticated. This establishes a relationship between the user, the Windows RT device, and the Windows Intune service.

  3. Windows Intune collects inventory and applies management settings. Users now have access to line-of-business apps and direct links to the app store through the company portal.

For Windows 8.1 and Windows RT 8.1, the user enrolls through the device.

  1. On the Windows 8.1 device, the user selects Settings, clicks PC Settings, then clicks Network, and finally, clicks Workplace.

  2. The user enters their user ID in the (ID) field.

  3. The user clicks Turn on and provides their password.

  4. The user agrees to the Allow apps and services from IT admin dialog box, and clicks Turn on.

For System Center 2012 R2 Configuration Manager only: Users can enroll iOS devices by using the iOS company portal app, Windows Intune Company Portal, available in the App store. The company portal app can be installed on iOS devices running iOS 6 or later.

For System Center 2012 Configuration Manager SP1 iOS enrollment, users must complete the following tasks:

  1. The user begins enrollment by going to m.manage.microsoft.com.

  2. The users are asked for their company credentials to begin the enrollment process.

  3. As soon as authentication is successful, a relationship is established between the user, the iOS device and the Windows Intune service.

  4. Windows Intune collects inventory and applies management settings. The user now has access to line-of-business apps and direct links to the app store through the company portal.

For System Center 2012 R2 Configuration Manager only: Users can enroll iOS devices by using the iOS company portal app that is available in the App store. The company portal app can be installed on iOS devices running iOS 6 or later.

For System Center 2012 R2 Configuration Manager only: Android devices can be enrolled by using the Android company portal app, Windows Intune Company Portal, available on Google Play.

You can do a full wipe on Windows Phone 8, iOS, and Android devices with the Android company portal app installed on them. A full wipe will restore the device to factory settings.

For System Center 2012 R2 Configuration Manager only: you have the option to do a selective wipe that only removes company content. For a selective wipe, you can use Retire/wipe and select the option Wipe company content and retire the mobile device from Configuration Manager to remove company content from devices. The following table lists what company content is wiped from devices.

 

Content removed when retiring a device Windows 8.1 and Windows RT 8.1 Windows RT Windows Phone 8 iOS Android

Company apps and associated data installed by using Configuration Manager and Windows Intune.

Apps are uninstalled and sideloading keys are removed. Apps using Windows Selective Wipe will have the encryption key revoked and data will no longer be accessible.

Sideloading keys are removed but apps remain installed.

Apps are uninstalled. Company app data is removed.

Apps are uninstalled. Company app data is removed.

Apps and data remain installed.

VPN and Wifi profiles

Removed.

Not applicable.

Not applicable.

Removed.

VPN: Not applicable.

Wi-Fi: Not removed

Certificates

Removed and revoked.

Not applicable.

Not applicable.

Removed and revoked.

Revoked.

Settings

Requirements removed.

Requirements removed.

Requirements removed.

Requirements removed.

Requirements removed.

Management Agent

Not applicable. Management agent is built-in.

Not applicable. Management agent is built-in.

Not applicable. Management agent is built-in.

Management profile is removed.

Device Administrator privilege is revoked.

Email

Not applicable.

Not applicable.

Not applicable.

For email profiles provisioned by Windows Intune, the email account and email are removed.

Not applicable.

  1. In the Configuration Manager console, click Assets and Compliance and select Devices.

  2. Select a device and then select the action that you want to take.

-----
For additional resources, see Information and Support for Configuration Manager.

Tip: Use this query to find online documentation in the TechNet Library for System Center 2012 Configuration Manager. For instructions and examples, see Search the Configuration Manager Documentation Library.
-----
Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.