Fundamentals of Configuration Manager


Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

If you are new to Configuration Manager, you can use the following information to learn about the basic concepts for Microsoft System Center 2012 Configuration Manager before you run Setup or read more detailed information. If you are familiar with Configuration Manager 2007, see What's New in System Center 2012 Configuration Manager.

For information about supported operating systems and supported environments, hardware requirements, and capacity information, see Supported Configurations for Configuration Manager.

Sites

When you install System Center 2012 Configuration Manager for the first time, you create a Configuration Manager site that is the foundation from which to manage devices and users in your enterprise. This site is either a central administration site or a primary site. A central administration site is suitable for large-scale deployments and provides a central point of administration and the flexibility to support devices that are distributed across a global network infrastructure. A primary site is suitable for smaller deployments and it has fewer options to accommodate any future growth of your enterprise.

When you install a central administration site, you must also install at least one primary site to manage users and devices. With this design, you can install additional primary sites to manage more devices and to control network bandwidth when devices are in different geographical locations. You can also install another type of site that is named a secondary site. Secondary sites extend a primary site to manage a few devices that have a slow network connection to the primary site.

If you do not install a central administration site, the first site that you install is a stand-alone primary site. By default, you cannot install additional primary sites that can communicate with one another. However, you can still install one or more secondary sites to extend this primary site when you have to manage a few devices that have a slow network connection to the primary site.

If you have installed a stand-alone primary site and you later decide to use a central administration site design, Configuration Manager SP1 lets you do this. Configuration Manager without a service pack does not support this design change until you upgrade the site to Configuration Manager SP1. This design change is known as site expansion.

When you have more than one site that communicates with one another, you have an arrangement of sites that is known as a hierarchy. The following diagrams show some example site designs.

[Diagram: Site designs]
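The site-design rules in the preceding paragraphs can be checked mechanically before Setup is run. The following validator is an added example and is not part of this documentation or of Configuration Manager itself; the site codes (CAS, PS1, SS1 and so on) and the dictionary layout are constructed for illustration.

```python
"""Validator for the Configuration Manager site-design rules described above.

Added example, not Microsoft's code. The site codes and the dictionary layout
are constructed for illustration.
"""

CAS = "central administration site"
PRIMARY = "primary site"
SECONDARY = "secondary site"


def validate_hierarchy(sites):
    """Return a list of rule violations for a proposed site design.

    `sites` maps a site code to {"type": <CAS|PRIMARY|SECONDARY>, "parent": <site code or None>}.
    Rules encoded from the text above:
      1. At most one central administration site, and it has no parent.
      2. A central administration site requires at least one primary site.
      3. Without a central administration site, only one primary site is allowed
         (a stand-alone primary), because primary sites cannot otherwise communicate.
      4. A primary site's parent, when a central administration site exists, is that site.
      5. A secondary site must attach to a primary site.
    """
    problems = []
    by_type = {}
    for code, info in sites.items():
        by_type.setdefault(info["type"], []).append(code)

    cas_sites = by_type.get(CAS, [])
    primaries = by_type.get(PRIMARY, [])
    secondaries = by_type.get(SECONDARY, [])

    if len(cas_sites) > 1:
        problems.append("more than one central administration site")
    if cas_sites and not primaries:
        problems.append("central administration site requires at least one primary site")
    if not cas_sites and len(primaries) > 1:
        problems.append("multiple primary sites require a central administration site")

    for code in cas_sites:
        if sites[code]["parent"] is not None:
            problems.append(f"{code}: central administration site cannot have a parent")
    for code in primaries:
        parent = sites[code]["parent"]
        if cas_sites and parent not in cas_sites:
            problems.append(f"{code}: primary site must attach to the central administration site")
        if not cas_sites and parent is not None:
            problems.append(f"{code}: stand-alone primary site cannot have a parent")
    for code in secondaries:
        if sites[code]["parent"] not in primaries:
            problems.append(f"{code}: secondary site must attach to a primary site")
    return problems


# Constructed sample designs.
STANDALONE_DESIGN = {
    "PS1": {"type": PRIMARY, "parent": None},
    "SS1": {"type": SECONDARY, "parent": "PS1"},
}
CAS_DESIGN = {
    "CAS": {"type": CAS, "parent": None},
    "PS1": {"type": PRIMARY, "parent": "CAS"},
    "PS2": {"type": PRIMARY, "parent": "CAS"},
    "SS1": {"type": SECONDARY, "parent": "PS2"},
}
TWO_PRIMARIES_NO_CAS = {
    "PS1": {"type": PRIMARY, "parent": None},
    "PS2": {"type": PRIMARY, "parent": None},
}
CAS_WITHOUT_PRIMARY = {
    "CAS": {"type": CAS, "parent": None},
    "SS1": {"type": SECONDARY, "parent": "CAS"},
}

if __name__ == "__main__":
    for name, design in [("stand-alone", STANDALONE_DESIGN), ("hierarchy", CAS_DESIGN),
                         ("two primaries", TWO_PRIMARIES_NO_CAS), ("CAS only", CAS_WITHOUT_PRIMARY)]:
        print(name, "->", validate_hierarchy(design) or "OK")
```

The two valid designs correspond to the stand-alone primary site and the central administration site hierarchy described above; the two invalid ones show the errors a reviewer would raise for a design that tries to run two primary sites without a central administration site, or that attaches a secondary site directly to the central administration site.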

For more information, see the following topics in the Site Administration for System Center 2012 Configuration Manager guide:

Publishing Site Information to Active Directory Domain Services

If you extend the Active Directory schema for System Center 2012 Configuration Manager, you can publish System Center 2012 Configuration Manager sites to Active Directory Domain Services so that Active Directory computers can securely retrieve System Center 2012 Configuration Manager site information from a trusted source. Although publishing site information to Active Directory Domain Services is not required for basic Configuration Manager functionality, this configuration improves the security of your System Center 2012 Configuration Manager hierarchy and reduces administrative overhead.

You can extend the Active Directory schema before or after you install System Center 2012 Configuration Manager. Before you can publish site information, you must also create an Active Directory container named System Management in each domain that contains a System Center 2012 Configuration Manager site. You must also configure the Active Directory permissions so that the site can publish its information to this Active Directory container. As with all schema extensions, you extend the schema for System Center 2012 Configuration Manager one time only per forest.

For more information, see the following topics in the Site Administration for System Center 2012 Configuration Manager guide:

Site System Servers and Site System Roles

Configuration Manager uses site system roles to support management operations at each site. When you install a Configuration Manager site, some site system roles are automatically installed and assigned to the server on which Configuration Manager Setup has run successfully. One of these site system roles is the site server, which you cannot transfer to another server or remove without uninstalling the site. You can use other servers to run additional site system roles or to transfer some site system roles from the site server by installing and configuring Configuration Manager site system servers.

Each site system role supports different management functions. The site system roles that provide basic management functionality are described in the following table.

Site system role | Description
Site server | A computer from which you run Configuration Manager Setup and that provides the core functionality for the site.
Site database server | A server that hosts the SQL Server database, which stores information about Configuration Manager assets and site data.
Component server | A server that runs Configuration Manager services. When you install any site system role except the distribution point role, Configuration Manager automatically installs the component server.
Management point | A site system role that provides policy and service location information to clients and receives configuration data from clients.
Distribution point | A site system role that contains source files for clients to download, such as application content, software packages, software updates, operating system images, and boot images.
Reporting services point | A site system role that integrates with SQL Server Reporting Services to create and manage reports for Configuration Manager.

When companies first deploy Configuration Manager in a production environment, they typically run multiple site system roles on the site server and have additional site system servers for distribution points. Then they install additional site system servers and add new site system roles, according to their business requirements and network infrastructure.

The additional site system roles that you might need for specific functionality are listed in the following table.

Site system role | Description
Application Catalog web service point | A site system role that provides software information to the Application Catalog website from the Software Library.
Application Catalog website point | A site system role that provides users with a list of available software from the Application Catalog.
Asset Intelligence synchronization point | A site system role that connects to Microsoft to download Asset Intelligence catalog information and upload uncategorized titles so that they can be considered for future inclusion in the catalog.
Certificate registration point | A site system role that communicates with a server that runs the Network Device Enrollment Service to manage device certificate requests that use the Simple Certificate Enrollment Protocol (SCEP).
Endpoint Protection point | A site system role that Configuration Manager uses to accept the Endpoint Protection license terms and to configure the default membership for Microsoft Active Protection Service.
Enrollment point | A site system role that uses PKI certificates for Configuration Manager to enroll mobile devices and Mac computers, and to provision Intel AMT-based computers.
Enrollment proxy point | A site system role that manages Configuration Manager enrollment requests from mobile devices and Mac computers.
Fallback status point | A site system role that helps you monitor client installation and identify the clients that are unmanaged because they cannot communicate with their management point.
Out of band service point | A site system role that provisions and configures Intel AMT-based computers for out of band management.
Software update point | A site system role that integrates with Windows Server Update Services (WSUS) to provide software updates to Configuration Manager clients.
State migration point | A site system role that stores user state data when a computer is migrated to a new operating system.
System Health Validator point | A site system role that validates Configuration Manager Network Access Protection (NAP) policies. It must be installed on a NAP health policy server.
Microsoft Intune connector | A site system role in Configuration Manager SP1 that uses Microsoft Intune to manage mobile devices in the Configuration Manager console.

The following diagram shows these basic and additional site system roles that you can add to the site server computer or distribute by installing additional site system servers.

[Diagram: Site roles]

For more information, see the following topics in the Site Administration for System Center 2012 Configuration Manager guide:

Clients

System Center 2012 Configuration Manager clients are devices such as workstations, laptops, servers, and mobile devices that have the Configuration Manager client software installed so that you can manage them. Management includes operations such as reporting hardware and software inventory information, installing software, and configuring settings that are needed for compliance. Configuration Manager has discovery methods that you can use to find devices on the network to help you install the client software on those devices.

Configuration Manager has several options to install the client software on devices. These options include client push installation, software update-based installation, Group Policy, and manual installation. You can also include the client when you deploy an operating system image.

Configuration Manager uses collections to group devices so that you can perform management tasks on multiple devices that share a common set of criteria. For example, you might want to install a mobile device application on all mobile devices that are enrolled by Configuration Manager. If this is the case, you could use the All Mobile Devices collection, which automatically excludes computers. You can create your own collections to logically group the devices that you manage, according to your business requirements.

For more information, see the following topics in the Deploying Clients for System Center 2012 Configuration Manager guide and the Assets and Compliance in System Center 2012 Configuration Manager guide:

User-Centric Management

In addition to the collections for devices, there are also user collections that contain users from Active Directory Domain Services. User collections let you install software on all computers that the user logs into, or you can configure user device affinity so that the software installs on only the main devices that the user uses. These main devices are called primary devices. A user can have one or more primary devices.

One of the ways in which users can control their software deployment experience is by using the new computer client interface, Software Center. Software Center is automatically installed on client computers and accessed from the users’ Start menu. This client interface lets users manage their own software, as well as perform the following:

  • Install software

  • Schedule software to automatically install outside working hours

  • Configure when Configuration Manager can install software on their device

  • Configure access settings for remote control, if remote control is enabled in Configuration Manager

  • Configure options for power management if an administrative user has enabled this

A link in Software Center lets users connect to the Application Catalog, where they can browse for, install, and request software. In addition, the Application Catalog lets users configure some preference settings and wipe their mobile devices. Because Application Catalog is a website that is hosted in IIS, users can also access the Application Catalog directly from a browser, from the intranet, or from the Internet.

Users can also specify their primary devices from the Application Catalog, if you allow this configuration. Other methods of configuring the user device affinity information include importing the information from a file and automatic generation from usage data.

For more information, see the following topics in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide:

Client Settings

When you first install System Center 2012 Configuration Manager, all clients in the hierarchy are configured by using default client settings that you can change. These client settings include configuration options such as how frequently devices communicate with the site, whether the client is enabled for software updates and other management operations, and whether users can enroll their mobile devices to be managed by Configuration Manager. If you need different client settings for groups of users or devices, you can create custom client settings and then assign them to collections. Users or devices that are in the collection are configured with the custom settings. You can create multiple custom client settings, and each one has an order number that you specify. When more than one custom client setting applies to a client, the settings are applied according to their order number, and if any settings conflict, the setting that has the lowest order number overrides the others.

The following diagram shows an example of how you could create and apply custom client settings.

[Diagram: Client settings]
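The precedence rule for custom client settings is easy to get wrong when a device belongs to several collections, so the following resolver works it through on constructed data. It is an added example, not code from this documentation or from Configuration Manager; the setting names, collection names and order numbers are assumptions chosen for illustration.

```python
"""Resolver for the client-settings precedence described above.

Added example, not Microsoft's code. Setting names, collection names and order
numbers are constructed for illustration.
"""

# Default client settings apply to every client in the hierarchy.
DEFAULT_SETTINGS = {
    "policy_polling_minutes": 60,
    "software_updates_enabled": True,
    "mobile_device_enrollment": False,
}

# Custom client settings: each carries an order number and the collections it is
# assigned to. On conflict, the lowest order number wins.
CUSTOM_SETTINGS = [
    {"name": "Servers", "order": 2, "collections": {"All Servers"},
     "values": {"software_updates_enabled": False, "policy_polling_minutes": 120}},
    {"name": "Finance Workstations", "order": 1, "collections": {"Finance"},
     "values": {"policy_polling_minutes": 15}},
    {"name": "Mobile Pilot", "order": 3, "collections": {"Pilot Users"},
     "values": {"mobile_device_enrollment": True}},
]


def effective_settings(memberships, defaults=DEFAULT_SETTINGS, customs=CUSTOM_SETTINGS):
    """Compute the settings a client ends up with.

    memberships: set of collection names the client (or its user) belongs to.
    Start from the defaults, then apply every custom setting that targets one of
    the client's collections in descending order number, so that the lowest order
    number is applied last and therefore overrides the others.
    """
    result = dict(defaults)
    applicable = [c for c in customs if c["collections"] & memberships]
    for custom in sorted(applicable, key=lambda c: c["order"], reverse=True):
        result.update(custom["values"])
    return result


def winning_source(memberships, setting, defaults=DEFAULT_SETTINGS, customs=CUSTOM_SETTINGS):
    """Name the custom client setting (or 'Default') that decides one value.

    Useful when troubleshooting why a client is not behaving as the console suggests.
    """
    applicable = [c for c in customs
                  if c["collections"] & memberships and setting in c["values"]]
    if not applicable:
        return "Default"
    return min(applicable, key=lambda c: c["order"])["name"]


if __name__ == "__main__":
    # A server that is also a member of the Finance collection.
    memberships = {"All Servers", "Finance"}
    for key, value in effective_settings(memberships).items():
        print(f"{key} = {value}  (from {winning_source(memberships, key)})")
```

For a device in both the All Servers and Finance collections, the polling interval comes from Finance Workstations (order 1) even though Servers (order 2) also sets it, while the software updates setting comes from Servers because no lower-numbered setting touches it.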

For more information, see the following topics in the Deploying Clients for System Center 2012 Configuration Manager guide:

Limited Management without Clients

The System Center 2012 Configuration Manager client software provides full management capability for users and devices. However, there are also two scenarios in which you can manage devices independently from the client software: out of band management, which uses Intel Active Management Technology (AMT), and mobile devices that are connected to an Exchange service, such as an on-premises Exchange Server or Exchange Online (Office 365).

Configuration Manager uses the client software to provision and configure computers for AMT, but when you perform AMT management operations, the client software is not used. Instead, Configuration Manager connects directly to the AMT management controller. This means that you continue to have some management control over computers that are not started or are not responding at the operating system level. For example, you could restart these computers, re-image them, or run diagnostic utilities to help troubleshoot them.

When you cannot install the Configuration Manager client software on mobile devices, you can still manage them by using the Exchange Server connector. The connector lets you configure the settings in the Exchange Default ActiveSync mailbox policy. Any settings that are defined in this policy can be configured by Configuration Manager, and this connector also supports remote wipe and Exchange access rules for block and quarantine. Any mobile device that you manage by using the Exchange Server connector appears in the All Mobile Devices collection, even though the device does not have the System Center 2012 Configuration Manager client installed. Because the client is not installed, you cannot deploy software to these devices.

For more information, see the following topics in the Assets and Compliance in System Center 2012 Configuration Manager guide and the Deploying Clients for System Center 2012 Configuration Manager guide:

Client Management Tasks

After you have installed Configuration Manager clients, you can perform various client management tasks, which include the following:

  • Deploy applications, software updates, maintenance scripts, and operating systems. You can configure these to be installed by a specified date and time, or make them available for users to install when they are requested, and you can configure applications to be uninstalled.

  • Help protect computers from malware and security threats, and notify you when problems are detected.

  • Define client configuration settings that you want to monitor and remediate if they are out of compliance.

  • Collect hardware and software inventory information, which includes monitoring and reconciling license information from Microsoft.

  • Troubleshoot computers by using remote control or by using AMT operations for AMT-based computers that are not responding.

  • Implement power management settings to manage and monitor the power consumption of computers.

You can use the Configuration Manager console to monitor these operations in near real-time, by using alerts and status information. For capturing data and historical trending, you can use the integrated reporting capabilities of SQL Reporting Services.

To help ensure that you continue to manage the System Center 2012 Configuration Manager clients, use the client status information that provides data about the health of the client and client activity. This data helps identify computers that are not responding and in some cases, problems can be automatically remediated.

For more information, see the following topics in the Deploying Clients for System Center 2012 Configuration Manager guide and the Site Administration for System Center 2012 Configuration Manager guide:

Configuration Manager (Windows Control Panel)

When you install the Configuration Manager client, the Configuration Manager client application is also installed in Control Panel. Unlike Software Center, this application is designed for the help desk rather than for end users. Some configuration options require local administrative permissions, and most options require technical knowledge about how Configuration Manager works. You can use this application to perform the following tasks on a client:

  • View properties about the client, such as the build number, its assigned site, the management point it is communicating with, and whether the client is using a PKI certificate or a self-signed certificate.

  • Confirm that the client has successfully downloaded client policy after the client is installed for the first time and that client settings are enabled or disabled as expected, according to the client settings that are configured in the Configuration Manager console.

  • Start client actions, such as downloading the client policy after a recent configuration change in the Configuration Manager console when you do not want to wait until the next scheduled time.

  • Manually assign a client to a Configuration Manager site or try to find a site, and specify the DNS suffix for management points that publish to DNS.

  • Configure the client cache that temporarily stores files, and delete files in the cache if you require more disk space to install software.

  • Configure settings for Internet-based client management.

  • View configuration baselines that were deployed to the client, initiate compliance evaluation, and view compliance reports.

Security

Security for System Center 2012 Configuration Manager consists of several layers. First, Windows provides many security features for both the operating system and the network, such as the following:

  • File sharing to transfer files between System Center 2012 Configuration Manager components

  • Access Control Lists (ACLs) to help secure files and registry keys

  • IPsec for securing communications

  • Group Policy for setting security policy

  • DCOM permissions for distributed applications, such as the Configuration Manager console

  • Active Directory Domain Services to store security principals

  • Windows account security, including some groups that are created during System Center 2012 Configuration Manager Setup

Then, additional security components, such as firewalls and intrusion detection, help provide defense in depth for the whole environment. Certificates issued by industry standard PKI implementations help provide authentication, signing, and encryption.

System Center 2012 Configuration Manager controls access to the Configuration Manager console in several ways. By default, only local Administrators have rights to the files and registry keys required to run the Configuration Manager console on computers where it is installed.

The next layer of security is based on access through Windows Management Instrumentation (WMI), specifically the SMS Provider. The SMS Provider is restricted by default to members of the local SMS Admins group. This group at first contains only the user who installed System Center 2012 Configuration Manager. To grant other accounts permission to the Common Information Model (CIM) repository and the SMS Provider, add the other accounts to the SMS Admins group.

The final layer of security is based on permissions to objects in the site database. By default, the Local System account and the user account that you used to install System Center 2012 Configuration Manager can administer all objects in the site database. You can grant and restrict permissions to additional administrative users in the Configuration Manager console by using role-based administration.

For more information, see the Security and Privacy for System Center 2012 Configuration Manager guide.

Role-Based Administration

System Center 2012 Configuration Manager uses role-based administration to help secure objects such as collections, deployments, and sites. This administration model centrally defines and manages hierarchy-wide security access settings for all sites and site settings. Security roles are assigned to administrative users and group permissions to different Configuration Manager object types, such as the permissions to create or change client settings. Security scopes group specific instances of objects that an administrative user is responsible for managing, such as an application that installs Microsoft Office 2010. The combination of security roles, security scopes, and collections defines which objects an administrative user can view and manage. System Center 2012 Configuration Manager installs some default security roles for typical management tasks. However, you can create your own security roles to support your specific business requirements.
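The interaction of security roles, security scopes and collections is easier to reason about in code. The following is an added, simplified model written for this page; it is not Configuration Manager's own permission logic, which is more detailed. The role names, permissions, scope names, collections and objects are all constructed for illustration.

```python
"""Simplified model of role-based administration as described above.

Added example, not Microsoft's code. Role definitions, scope names, collections
and objects are constructed; the product's real permission model is richer.
"""

# Security roles: object type -> permissions granted on that type.
ROLES = {
    "Application Administrator": {
        "Application": {"Read", "Modify", "Deploy"},
        "Collection": {"Read"},
    },
    "Read-only Analyst": {
        "Application": {"Read"},
        "Collection": {"Read"},
        "Site": {"Read"},
    },
}

# Objects carry a type and a security scope; collections are matched by name.
OBJECTS = {
    "Office 2010": {"type": "Application", "scope": "Desktop Apps"},
    "Payroll Client": {"type": "Application", "scope": "Finance Apps"},
    "All Workstations": {"type": "Collection", "scope": "Default"},
    "Finance": {"type": "Collection", "scope": "Default"},
    "PS1": {"type": "Site", "scope": "Default"},
}


def is_allowed(admin, permission, obj_name, roles=ROLES, objects=OBJECTS):
    """Return True if any of the admin's assignments grants the permission.

    admin: {"assignments": [{"role": ..., "scopes": {...}, "collections": {...}}]}
    Each assignment is evaluated on its own: the role must grant the permission
    for the object's type, the object's scope must be among the assignment's
    scopes, and a collection must be one of the assignment's collections.
    Rights from one assignment never combine with scopes from another, which is
    what keeps a narrowly scoped role from leaking into other scopes.
    """
    obj = objects[obj_name]
    for a in admin["assignments"]:
        granted = roles.get(a["role"], {}).get(obj["type"], set())
        if permission not in granted:
            continue
        if obj["scope"] not in a["scopes"]:
            continue
        if obj["type"] == "Collection" and obj_name not in a["collections"]:
            continue
        return True
    return False


def visible_objects(admin, roles=ROLES, objects=OBJECTS):
    """Objects the admin can at least read; this is what the console would show."""
    return sorted(name for name in objects
                  if is_allowed(admin, "Read", name, roles, objects))


# Constructed administrative user: manages desktop applications for workstations only.
DESKTOP_ADMIN = {"assignments": [
    {"role": "Application Administrator",
     "scopes": {"Desktop Apps", "Default"},
     "collections": {"All Workstations"}},
]}

if __name__ == "__main__":
    print("visible:", visible_objects(DESKTOP_ADMIN))
    print("deploy Office 2010:", is_allowed(DESKTOP_ADMIN, "Deploy", "Office 2010"))
    print("read Payroll Client:", is_allowed(DESKTOP_ADMIN, "Read", "Payroll Client"))
```

The desktop administrator can deploy Office 2010 but cannot even see the Payroll Client application, because that object sits in a security scope the assignment does not include, and cannot see the Finance collection, because it is not among the assigned collections.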

For more information, see the following topics in the Site Administration for System Center 2012 Configuration Manager guide:

Securing Client Endpoints

Client communication to site system roles is secured by using either self-signed certificates or public key infrastructure (PKI) certificates. Computer clients that Configuration Manager detects to be on the Internet, and all mobile device clients, must use PKI certificates so that the client endpoints can be secured by using HTTPS. The site system roles that clients connect to can be configured for either HTTPS or HTTP client communication. Client computers always communicate by using the most secure method that is available and fall back to the less secure HTTP method only on the intranet, and only if you have site system roles that allow HTTP communication.
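The selection rule above, and the audit question that follows from it (which roles still accept the HTTP fallback?), is shown below as an added example. It is a model of the behaviour the paragraph describes, not Configuration Manager code; the role names and their configured protocols are constructed.

```python
"""Model of the client-to-role protocol selection described above.

Added example, not Microsoft's code. The role names and their configured
protocol sets are constructed for illustration.
"""


def choose_client_protocol(location, client_cert, role_accepts):
    """Decide how a client connects to a site system role, or None if it cannot.

    location:     "intranet", "internet", or "mobile"
    client_cert:  "pki" or "self-signed"
    role_accepts: set of protocols the role is configured for, e.g. {"HTTPS", "HTTP"}
    """
    # Internet-based computer clients and mobile devices must use PKI certificates
    # over HTTPS; there is no HTTP fallback for them.
    if location in ("internet", "mobile"):
        if client_cert == "pki" and "HTTPS" in role_accepts:
            return "HTTPS"
        return None
    # Intranet: use the most secure method available to both sides.
    if client_cert == "pki" and "HTTPS" in role_accepts:
        return "HTTPS"
    # Fall back to HTTP only when the role has been configured to allow it.
    if "HTTP" in role_accepts:
        return "HTTP"
    return None


def roles_allowing_http_fallback(roles):
    """Audit helper: list the roles that would accept an intranet client over plain HTTP."""
    return sorted(name for name, accepts in roles.items() if "HTTP" in accepts)


def unreachable_roles(roles, location, client_cert):
    """Roles a client with the given location and certificate could not connect to at all."""
    return sorted(name for name, accepts in roles.items()
                  if choose_client_protocol(location, client_cert, accepts) is None)


# Constructed role configuration.
ROLE_CONFIG = {
    "MP01 (management point)": {"HTTPS", "HTTP"},
    "DP01 (distribution point)": {"HTTPS"},
    "DP02 (distribution point)": {"HTTP"},
}

if __name__ == "__main__":
    print("HTTP fallback allowed on:", roles_allowing_http_fallback(ROLE_CONFIG))
    print("Internet clients cannot reach:", unreachable_roles(ROLE_CONFIG, "internet", "pki"))
    print("Self-signed intranet clients cannot reach:",
          unreachable_roles(ROLE_CONFIG, "intranet", "self-signed"))
```

Two consequences fall out of the model: an Internet-based client can never reach a role that is configured for HTTP only, and an intranet client with a self-signed certificate can never reach a role that is configured for HTTPS only, so tightening roles to HTTPS has to go hand in hand with issuing PKI certificates to the clients that use them.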

For more information, see the following topics in the Site Administration for System Center 2012 Configuration Manager guide:

Configuration Manager Accounts and Groups

System Center 2012 Configuration Manager uses the Local System account for most site operations. However, some management tasks might require creating and maintaining additional accounts. Several default groups and SQL Server roles are created during Setup. However, you might have to manually add computer or user accounts to these default groups and roles.

For more information, see Technical Reference for Accounts Used in Configuration Manager in the Site Administration for System Center 2012 Configuration Manager guide.

Privacy

Although enterprise management products offer many advantages because they can effectively manage large numbers of clients, you must also be aware of how this software might affect the privacy of users in your organization. System Center 2012 Configuration Manager includes many tools to collect data and monitor devices, some of which could raise privacy concerns.

For example, when you install the System Center 2012 Configuration Manager client, many management settings are enabled by default. This results in the client software sending information to the Configuration Manager site. Client information is stored in the Configuration Manager database and the information is not sent to Microsoft. Before you implement System Center 2012 Configuration Manager, consider your privacy requirements.

For more information, see the Security and Privacy for System Center 2012 Configuration Manager guide.