Determine How to Manage Mobile Devices in Configuration Manager

 

Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

Use the information in this topic to help you decide how to manage mobile devices in System Center 2012 Configuration Manager. There are different options for you to choose from depending on the mobile device platforms that you have in your environment and the management functionality that you need. The following options are available:

  • Microsoft Intune enrollment supports all major mobile device operating systems, including Windows Phone, Windows RT, iOS, and Android. It also provides is the most advanced management functionality, allows you to manage any mobile device from any location, and provides a single management console to manage mobile devices and on-premises computers.

  • The Exchange Server connector enables Configuration Manager to connect to multiple Exchange servers, centralizing management of devices that can connect to Exchange ActiveSync. You can configure Exchange mobile device management features, such as remote device wipe and settings control for multiple Exchange servers, from the Configuration Manager console.

  • Configuration Manager mobile device enrollment provides robust management including software deployment and configuration baselines for Windows Mobile and Nokia Symbian Belle operating systems.

  • The mobile device legacy client provides software deployment, software inventory, and monitoring for Windows CE and Windows Mobile 6.0 operating systems.

General information to help you choose a mobile device management solution

Use the information in this section as general guidance to choose a mobile device management solution.

Enrollment by Microsoft Intune

Manage mobile devices by integrating Microsoft Intune with Configuration Manager to enroll mobile devices when the following conditions apply:

  • The mobile device platform is supported by Microsoft Intune mobile device enrollment.

  • You want additional management features or settings that are not supported by the other mobile device management options.

Enrollment by Configuration Manager

Use Configuration Manager to enroll mobile devices when the mobile operating system is supported by System Center 2012 Configuration Manager mobile device enrollment and when both of the following conditions apply:

  • You have a Microsoft enterprise CA to issue and manage the required certificates.

  • You want the additional management features or settings that are not supported by the Exchange Server connector, such as software installation and full hardware inventory.

    Important

    If the mobile device synchronizes with Exchange Server, set the Exchange flag AllowExternalDeviceManagement to ensure that the mobile device continues to receive email from Exchange after it is enrolled by Configuration Manager. If you install the Configuration Manager Exchange Server connector, you can set this flag by configuring the option External mobile device management in the Exchange Server connector properties. If you do not install the connector, you must set this flag by using the Exchange management tools. For example, use the PowerShell cmdlet Set-ActiveSyncMailPolicy with the parameter AllowExternalDeviceManagement.

Mobile device legacy client

Use the mobile device legacy client when the mobile operating system is not supported by Microsoft Intune or System Center 2012 Configuration Manager mobile device enrollment and when both of the following conditions apply:

  • You can install the required PKI certificates on the mobile device and the Configuration Manager site systems (management point and distribution point).

  • You want to install software packages on the mobile device and collect hardware inventory.

Exchange Server connector

Manage mobile devices by using the Exchange Server connector when the mobile device can connect to Exchange Server by using ActiveSync and when either of the following conditions applies:

  • You do not require the security that a PKI offers or you do not have a PKI.

  • You do not require all the management functions and settings that enrollment provides.

Choose a mobile device management solution based on supported mobile device platforms

Beginning with System Center 2012 Configuration Manager SP1, you can enroll devices that run Windows Phone 8, Windows RT, and iOS by using the Microsoft Intune connector. You can also use the Exchange Server connector, use Configuration Manager to enroll mobile devices and install the Configuration Manager client, or use the mobile device legacy client (for example, for Windows CE mobile operating systems).

Use the following table to help you decide what mobile device management methods support the mobile device platforms you have in your environment.

Note

Not all mobile device platforms are listed in this table. For more information about the mobile operating systems that System Center 2012 Configuration Manager supports, see Mobile Device Requirements.

Platform

Enrollment by Microsoft Intune1

Enrollment by Configuration Manager2

Mobile device legacy client3

Exchange Server connector4

iOS

Yes

Yes

Android

Yes

Yes5

Windows Phone 8.1

Yes

Yes

Windows Phone 8

Yes

Yes

Windows 8.1 RT

Yes

Yes

Windows 8 RT

Yes

Yes

Windows 8.1

Yes

Yes

Windows Phone 7

Yes

Nokia Symbian Belle

Yes

Yes

Windows Mobile 6.5

Yes

Yes

Windows Mobile 6.1

Yes

Yes

Windows CE 5.0 (Arm and x86 processors)

Yes

Yes

Windows CE 6.0 (Arm and x86 processors)

Yes

Yes

Windows CE 7.0 (Arm and x86 processors)

Yes

Yes

Windows Mobile 6.0

Yes

Yes

1 For details about what Configuration Manager versions support enrollment by Microsoft Intune, see Mobile Devices Enrolled by Microsoft Intune.

2 For details about what Configuration Manager versions support enrollment by Configuration Manager, see Mobile Devices Enrolled by Configuration Manager.

3 For details about what Configuration Manager versions support enrollment by using the mobile device legacy client, see Mobile Device Legacy Client.

4 Configuration Manager offers limited management for mobile devices when you use the Exchange Server connector for Exchange Active Sync (EAS) capable devices that connect to a server running Exchange Server or Exchange Online. For details about what Configuration Manager versions support enrollment by using the Exchange Server Connector, see Mobile Device Support by Using the Exchange Server Connector.

5 Many mobile phones and tablets with the Android operating system support Exchange ActiveSync. However, these mobile devices may not support all available mobile device mailbox policies.

Choose a mobile device management solution based on management functionality

After you narrow down the mobile device management methods that you can use for the mobile device platforms you have in your environment, use the following table to decide what management method provides the management functionality that you need in your environment.

Management functionality

Enrollment by Microsoft Intune 

Enrollment by Configuration Manager

Mobile device legacy client

Exchange Server connector

Public key infrastructure (PKI) security between the mobile device and Configuration Manager by using mutual authentication and SSL to encrypt data transfers

Yes

Yes

More information: Requires Active Directory Certificate Services and an enterprise certification authority (CA). The mobile device certificates are installed automatically by Configuration Manager during the enrollment process.

Yes

More information: Any PKI that meets the certificate requirements. The mobile device certificates must be installed independently from Configuration Manager.

No

Client installation

No

More information: Instead of a client the user installs or connects to a company portal.

Yes

More information: Installed by the user from the browser on the mobile device.

Yes

More information: Installed by an administrative user by deploying a package and program.

No

Support over the Internet

Yes

Yes

Yes

Yes

Discovery

No

No

No

Yes

Hardware inventory

Yes

Yes

More information: You can collect default information and create your own customized hardware inventory.

Yes

Yes

More information: Limited by what Exchange Server collects.

Software inventory

No

No

Yes

More information: List of installed software only; you cannot inventory all files and you cannot collect files.

No

Settings

Yes

Yes

More information: Deploy configuration baselines that contain mobile device configuration items. You can configure default settings and create your own customized settings.

No

Yes

More information: Limited by the settings in the default Exchange ActiveSync mailbox policies.

Software deployment

Yes

More information: You can deploy available apps that users can download from the company portal.

Yes

More information: You can deploy required applications (install and uninstall), but not packages or software updates. Available applications, which users request from the Application Catalog, are not supported for mobile devices. Mobile devices also do not support simulated deployments.

Yes

More information: You can deploy packages, but not applications or software updates.

No

Monitor with the fallback status point

No

No

Yes

No

Connections to management points

No

Yes

More information: A single management point in the client’s assigned (primary) site.

Yes

More information: A single management point in primary sites and secondary sites.

No

Connections to distribution points

Yes

More information: manage.microsoft.com is the only distribution point that is used.

Yes

More information: Distribution points in the assigned (primary) site.

Yes

More information: Distribution points in primary sites and secondary sites.

No

Block from Configuration Manager

Yes

Yes

Yes

No

Quarantine and block from Exchange Server (and Configuration Manager)

No

No

No

Yes

Remote wipe

Yes

Yes

More information: By Configuration Manager and by a user from the Configuration Manager Application Catalog.

No

Yes

More information: By Configuration Manager and by a user if supported by Exchange.

For more information about the mobile operating systems that System Center 2012 Configuration Manager supports, see Supported Configurations for Configuration Manager.

Dual Management: Enrolled by Configuration Manager and Managed by Using the Exchange Server Connector

You can enroll a mobile device by using Configuration Manager and also manage it by using the Exchange Server connector. In this scenario, although you see only one mobile device in the Configuration Manager console, you have dual management for a mobile device and the following consequences:

  • No settings are applied from the Exchange Server connector; you must configure the mobile device settings by deploying a configuration baseline.

  • If you collect hardware inventory by enabling the client setting for hardware inventory and by using the Exchange Server connector, the hardware inventory information from the mobile device is consolidated by Configuration Manager.