
Manage mobile devices and PCs by migrating to Configuration Manager with Windows Intune

Updated: January 13, 2014

Applies To: System Center 2012 R2 Configuration Manager, Windows Azure, Windows Intune

Audience: IT pros who need to extend their current Configuration Manager infrastructure to support employee demand to use PCs and Windows Phone 8, Windows RT, iOS, and Android mobile devices to access corporate resources.

How can this guide help you? This guide explains how to:

  • Extend your infrastructure to let your users work remotely from the device of their choice.

  • Unify PC and mobile device management into a single infrastructure.

  • Maintain corporate compliance for all devices.

  • Protect corporate data.

In this solution:

Your company is a medium to large enterprise and you are looking for a way to manage both PCs and mobile devices. To help you find a way to solve this problem, we will show how Contoso, a company similar to your own, solved the problem. After we review Contoso’s solution, you can determine if it meets your needs or whether you need to adjust it for your environment.

Contoso is a company that employs more than 5,000 people who bring their Windows Phone 8, Windows RT, iOS, and Android personal devices to work. Currently, they have no way to access company resources from these devices.

Contoso uses Microsoft System Center Configuration Manager 2007 SP2 to manage PCs for users who are on-premises and who remotely connect to the corporate network by VPN. Contoso can’t manage mobile devices.

The infrastructure of Contoso’s environment contains:

  • Windows Server 2008 R2

  • Windows Server 2008 R2 Active Directory

  • Configuration Manager 2007 SP2

  • PCs that are joined to the domain and managed by Configuration Manager

Diagram 1 provides a high-level overview of Contoso’s current environment:

Diagram 1: High-level overview of Contoso’s environment

Contoso’s current device management infrastructure does not support the company’s growing needs:

  • They manage PCs in their current environment, but can’t manage mobile devices.

  • They provide some employees with corporate-owned mobile devices. Other employees want to use their personal devices at work.

Contoso is also concerned about the resources required to manage all these devices. It is expensive to support many PCs, devices, and applications, and device management can tie up IT 24/7.

Contoso needs to manage risk and make sure all devices, both corporate and personal, comply with security guidelines.

  • Devices that IT does not manage are a security risk to corporate assets and information. As soon as employees work on a device that IT doesn’t manage (or even know about), it becomes very difficult to retain control of sensitive corporate information.

  • IT can’t do anything if the device is sold, lost, or stolen.

Contoso is looking for a solution that allows them to do the following:

  • Use their existing Configuration Manager infrastructure. Contoso’s IT has invested a lot of resources into their current infrastructure and doesn’t want to start over.

  • Let employees use personal devices as well as company devices to access corporate applications and data. These include PCs and mobile devices.

  • Manage PCs and personal devices from a single administrator console. Managing devices includes setting security and compliance settings, gathering software and hardware inventory, or deploying software.

  • Deploy applications or web links based on device type, and whether the device is personal or owned by the company.

  • Protect the company by wiping corporate data stored on the mobile device when it is lost, stolen, or retired from use.

To solve their business problem and meet their goals, Contoso needs to:

  • Install a new System Center 2012 R2 Configuration Manager stand-alone primary site at their headquarters and install distribution points at remote locations.

  • Migrate objects and distribution points from their existing Configuration Manager 2007 SP2 infrastructure to System Center 2012 R2 Configuration Manager.

  • Subscribe to Windows Intune and configure the Windows Intune connector in Configuration Manager to integrate with Windows Intune.

  • Synchronize their domain user accounts to Windows Azure, since Windows Intune is a cloud service. This allows them to manage the users who can access company resources from their mobile devices.

  • Use Password Sync to allow users to use their on-premises domain user name and password for cloud services.

Diagram 2 shows how the elements in this solution communicate with each other.

Diagram 2: High-level overview of Contoso’s solution

Solution design elements and why each is included in this solution:

  • System Center 2012 R2 Configuration Manager: Provides secure and scalable software deployment, compliance settings management, and comprehensive asset management of servers, desktops, laptops, and mobile devices (when Windows Intune is integrated).

  • Windows Intune: Manages mobile devices over the internet. When integrated with System Center 2012 R2 Configuration Manager, you can manage both PCs and mobile devices from the Configuration Manager console.

  • Windows Azure Active Directory (AD): A service that provides identity and access capabilities for on-premises and cloud applications.

  • Windows Azure directory synchronization (DirSync): Synchronizes on-premises AD users with Windows Azure AD.

  • Password Sync: Allows users to use the same user name and password for on-premises and cloud services.

System Center 2012 R2 Configuration Manager can extend Contoso’s ability to manage PCs on-premises to the cloud by integrating Windows Intune. And, by using Configuration Manager with Windows Intune, Contoso can manage both their on-premises PCs and mobile devices from a single console. They also want to reduce IT overhead.

So, Contoso will install a System Center 2012 R2 Configuration Manager stand-alone primary site located at their headquarters and distribution points at remote locations.

Then, Contoso will migrate objects from their Configuration Manager 2007 SP2 environment to System Center 2012 R2 Configuration Manager.

Integrated solution: Contoso wants an integrated solution that lets them manage both PCs and mobile devices from a single console. System Center 2012 R2 Configuration Manager with Windows Intune provides this integrated solution.

Simplified hierarchy: With System Center 2012 R2 Configuration Manager, Contoso determined that they no longer need a secondary site at each remote location as shown in the following diagrams.

 

Diagram 3: Existing hierarchy, Configuration Manager 2007

Diagram 4: New hierarchy, System Center 2012 R2 Configuration Manager

Key drivers for the simplified hierarchy:

  • Role-based administration: In System Center 2012 R2 Configuration Manager, role-based administration lets Contoso design and implement administrative security for the System Center 2012 R2 Configuration Manager hierarchy by using any or all of the following:

    • Security roles

    • Collections

    • Security scopes

    These settings combine to define an administrative scope for an administrative user. The administrative scope controls the objects that an administrative user can view in the Configuration Manager console and the permissions that user has on those objects. See Planning for Role-Based Administration.

  • Content management: In System Center 2012 R2 Configuration Manager, Contoso can configure the network bandwidth used to transfer content to distribution points and can prestage content on distribution points at remote locations. See Network Bandwidth Considerations for Distribution Points.

Migrated objects: Contoso can use migration tools to migrate objects from Configuration Manager 2007 SP2 to the System Center 2012 R2 Configuration Manager hierarchy. Contoso IT has invested a significant amount of time creating Configuration Manager objects, such as collections, task sequences, configuration items, and so on. By using migration, they will continue to benefit from this investment.

Latest features: Contoso is also interested in new features in System Center 2012 R2 Configuration Manager that are not directly related to this solution. See What’s New in System Center 2012 R2 Configuration Manager.

In System Center 2012 R2 Configuration Manager, the built-in migration functionality replaces in-place upgrades of the existing Configuration Manager infrastructure by providing a process that copies objects from active Configuration Manager 2007 SP2 sites. When Contoso planned for their migration, they first planned the installation of the System Center 2012 R2 Configuration Manager hierarchy and then the migration of objects to the new hierarchy.

External dependencies: When planning for System Center 2012 R2 Configuration Manager, Contoso considered the external dependencies of Configuration Manager. They also evaluated whether they needed to manage resources in untrusted forests or resources that are on the Internet, and determined how Configuration Manager will support these scenarios.

You must decide what is appropriate for your environment. These external dependencies and other considerations can influence your hierarchy design and site system role placement. See:

Hierarchy design: During the planning phase, Contoso identified the number and type of System Center 2012 R2 Configuration Manager sites, and the location where they planned to deploy them.

You must decide what your plan is for each site and identify where to install site system roles at each site. See:

Manage bandwidth with distribution points: Configuration Manager uses distribution points to store files that are required for software to run on client computers. Clients must have access to at least one distribution point from which they can download the files. System Center 2012 R2 Configuration Manager provides new functionality to manage the network bandwidth used when files are copied from a site server to a remote distribution point.

Contoso decided to add distribution points in remote locations instead of installing secondary sites as they currently have with Configuration Manager 2007 SP2. Contoso can use new functionality in System Center 2012 R2 Configuration Manager to configure bandwidth settings, throttling settings, and create a schedule for content distribution between the site server and distribution point to reduce required network bandwidth used during business hours. They can also prestage large content files, such as Microsoft Office, on distribution points in the remote locations. See:

Plan management features and functions: Contoso planned for the management features and functions that they wanted to use in their System Center 2012 R2 Configuration Manager hierarchy, which they will implement before they start the migration process.

You must decide what management features and functions are appropriate for your environment. At a minimum, you must configure Active Directory User Discovery before you subscribe to Windows Intune. See:

Contoso will use migration to transfer most of their objects from Configuration Manager 2007 SP2 to their new System Center 2012 R2 Configuration Manager primary site. Contoso is using this as an opportunity to clean out old objects that they no longer need. They will manually re-create some objects that migration does not migrate.

Contoso does not want to redistribute all of the content that is on their Configuration Manager 2007 distribution points after they migrate to System Center 2012 R2 Configuration Manager. When Contoso migrates from Configuration Manager 2007, they will share their Configuration Manager 2007 distribution points to make them System Center 2012 R2 Configuration Manager distribution points.

When a distribution point is upgraded, the distribution point server and the content on that distribution point are available in the System Center 2012 R2 Configuration Manager hierarchy. Contoso will not need to redistribute that migrated content to those upgraded distribution points. This will eliminate significant network bandwidth that would have been required if they had to redistribute the content. And, it will save them a lot of time. See Planning to Upgrade Configuration Manager 2007 Shared Distribution Points.

If you are not ready to migrate to System Center 2012 R2 Configuration Manager, but you plan to migrate in the future and you need to manage mobile devices right away, an interim approach is described in Mobile Device Management for Configuration Manager 2007 Customers Planning to Migrate to System Center 2012 R2 Configuration Manager.

This interim approach explains how you can install a System Center 2012 R2 Configuration Manager stand-alone primary site server to manage mobile devices alongside your Configuration Manager 2007 environment, which manages PCs. You manage PCs from the Configuration Manager 2007 console and mobile devices from the System Center 2012 R2 Configuration Manager console. You can run both consoles on the same computer.

The Windows Intune service provides cloud-based management of mobile devices. Contoso will subscribe to Windows Intune, and then integrate Windows Intune with System Center 2012 R2 Configuration Manager to manage both PCs and mobile devices from the Configuration Manager console.

A subscription to Windows Intune supports Contoso’s goal for an integrated solution to manage both PCs and mobile devices.

Contoso considered third-party mobile device management solutions. None of these solutions provide the integrated experience they want. Nor do they want to switch products and incur training and implementation costs.

As an additional benefit, Contoso can use the user account from their Windows Intune subscription when they subscribe to Microsoft Office 365 a few months later.

Tip
If your company is already using Microsoft Online Services for services such as Microsoft Office 365, use the same user account when you subscribe to Windows Intune. This allows you to use the same group of users across all the services in your organization’s Windows Azure AD tenant. If you do not select the option to sign in using your existing user account, a new Windows Azure AD tenant is created for you. You will then need to add users to the new tenant.

Windows Intune uses Windows Azure AD to store user accounts. Microsoft cloud services, such as Windows Intune and Office 365, rely on the identity management capabilities provided by Windows Azure AD.

Contoso will use Windows Azure directory synchronization (DirSync) to synchronize on-premises Windows Server AD users with Windows Azure AD. Directory synchronization is intended as an ongoing relationship between on-premises AD and cloud-based Windows Azure AD.

Reduced administration costs: Without DirSync, Contoso would have had to manually add their user and group accounts to Windows Azure AD. DirSync synchronizes the user accounts from Contoso’s on-premises Windows Server AD to Windows Azure AD. After you activate directory synchronization, you can edit synchronized objects in your on-premises environment and these edits will synchronize with your Windows Intune subscription, which reduces administrative costs.

Improved productivity: By automating the process of synchronizing user and group accounts, Contoso can significantly reduce the amount of time it takes to make cloud-based services accessible for their employees.

When planning for directory synchronization, Contoso considered hardware requirements, administrator permissions, performance considerations, and so on. These requirements are documented in Prepare for directory synchronization.

User authentication must be configured or Contoso’s employees will have to use a different user name and separate passwords to access cloud and on-premises services. Contoso decided that they must have user authentication to avoid additional administrative overhead to manage initial and ongoing password changes and to provide a better user experience. Contoso decided to use Password Sync for user authentication.

Contoso considered the following authentication methods for employee access to cloud and on-premises resources with the same credentials:

  • Password Sync is a lightweight option that is very easy to deploy and provides users with an experience that is similar to single sign-on. Password Sync is an option that you can select within DirSync that allows DirSync to store a hash of the password in Windows Azure AD. When Password Sync is enabled on your directory sync computer, your users will be able to sign in to Microsoft cloud services, such as Office 365, Dynamics CRM, and Windows Intune, using the same password that they use when logging on to your on-premises network. When your users change their passwords in your corporate network, those changes are synchronized to the cloud.

    However, Password Sync does not provide the Single Sign-On (SSO) solution that you get when using AD FS. Users will need to re-enter their credentials each time they access a cloud service. See:

  • Active Directory Federation Services (AD FS) provides a true single sign-on (SSO) experience working together with Active Directory authentication protocols. The on-premises Active Directory and AD FS interact with the Windows Azure AD identity platform to provide access to one or more Microsoft cloud services. When SSO is configured, a federated trust is created between the domain and the Windows Azure AD authentication system. Users can authenticate with cloud services and on-premises services by using the same user name and password for both. After a user is authenticated, they are not prompted again for credentials when they access a cloud service.

Contoso decided to use Password Sync for user authentication for a couple of reasons. Password Sync is very easy to configure in DirSync, which they already plan to use to synchronize their on-premises user accounts. They also plan to upgrade their domain controllers to Windows Server 2012 R2 within the next six months. AD FS is a site role in Windows Server 2012 R2 and has a lot of new features. Contoso plans to implement AD FS when they upgrade their domain controllers. For more information about implementing AD FS in Windows Server 2012 R2, see:

Contoso decided to use Password Sync for user authentication. However, you might decide to implement AD FS for SSO in your environment. See:

Contoso decided not to upgrade their on-premises AD as part of this solution, but plans to upgrade in the next 6 months.

Contoso’s IT proposed that their on-premises AD be upgraded as part of the solution. In Windows Server 2012 R2, AD has been enhanced with the following functionality:

  • Device registration. IT administrators can allow a device to be registered, which associates the device with the company’s Active Directory. This association can be used as a seamless second factor authentication.

  • Single sign-on (SSO) from devices that are associated with the company’s Active Directory.

  • Web Application Proxy, which allows users to connect to applications and services from anywhere.

  • Multi-Factor Access Control and Multi-Factor Authentication (MFA), which manage the risk of users working from anywhere and accessing protected data from their devices.

  • Work folders, which provide users a location to store and access work files on PCs and devices.

See Active Directory Services.

While Contoso’s management team agreed that the new features were valuable, they couldn’t approve the resources to upgrade AD as part of this solution. The management team wants to upgrade their on-premises AD in the next six months.

When you are ready to upgrade your on-premises AD and implement AD FS, see Secure access to company resources from any location on any device.

This section provides the steps that Contoso took to implement the solution. If you follow these steps, make sure to verify the correct deployment of each step before proceeding to the next step.

  1. Subscribe to Windows Intune.

    Create a Windows Intune subscription on the Windows Intune web site.

    • If you already have a user account for another cloud service, such as Office 365, you can click Sign in to enter the account credentials. This allows you to share the same group of users across all the services in your organization’s Windows Azure AD tenant.

    Verification steps: After you complete the sign-up process, an email is sent to the email address that you provided. Click the link that is included in that email or go to the Windows Intune account portal at https://account.manage.microsoft.com and verify that you can sign in.

  2. Configure your public domain.

    1. Get a public domain. To use the Windows Intune service you also need a public organization domain name that is verifiable through a domain name registration service. Add and verify your public domain in the Windows Intune account portal at https://account.manage.microsoft.com under the Domains node.

    2. Ensure the public domain has been added as an alternate UPN suffix in on-premises Active Directory. Users must have the same public domain User Principal Name (UPN) in the cloud and the on-premises Active Directory to enroll mobile devices. You must verify that your users have a public domain UPN before you configure directory synchronization. If you skip this step, users may get “onmicrosoft.com” appended to their cloud UPN, which will cause a mismatch with on-premises Active Directory user names. See Add User Principal Name Suffixes.

    3. Add a CNAME record in DNS that points enterpriseenrollment.<publicdomain> to manage.microsoft.com. The CNAME record is used later as part of the enrollment process. See Add an Alias (CNAME) Resource Record to a Zone.

    Verification steps:

    • Check the Domains page of the Windows Intune account portal to make sure the public domain is listed and verified.

    • Look at the properties of a user account in your on-premises Active Directory to ensure the UPN is listed with the public domain name.

  3. Provide secure easy access for users by using DirSync with Password Sync.

    You can configure Password Sync from your Windows Intune Account portal at https://account.manage.microsoft.com. In the Users node of the portal, click Active Directory synchronization: Set up, and then follow the steps outlined in Set up and manage Active Directory synchronization. You enable Password Sync when running the Directory Sync tool Configuration Wizard by selecting Enable Password Synchronization.

    See:

    Verification steps: Check in the Windows Intune Account portal at https://account.manage.microsoft.com to view user accounts.

  4. Install your System Center 2012 R2 Configuration Manager site or hierarchy.

    After planning for their System Center 2012 R2 Configuration Manager hierarchy, Contoso decided they will install a stand-alone primary site at their headquarters and install distribution points at their remote locations. You might determine that your hierarchy requires a different configuration. Use the following steps to install your System Center 2012 R2 Configuration Manager site or hierarchy:

    1. Identify a server that meets both the software and hardware prerequisites to host a Configuration Manager primary site. See Planning for Hardware Configurations for Configuration Manager.

    2. Review the required software and supported operating systems for hosting a Configuration Manager site. See Site System Requirements.

    3. Configure your Windows environment to support System Center 2012 R2 Configuration Manager. See Prepare the Windows Environment for Configuration Manager.

    4. Install a System Center 2012 R2 Configuration Manager site. See Install Sites and Create a Hierarchy for Configuration Manager. For this solution, Contoso will install a stand-alone primary site and will skip steps to install a central administration site or secondary site. As you go through the topic, choose sites appropriate for your environment.

    5. Install a distribution point at remote locations. Contoso has determined that they can use a distribution point at each of their remote locations instead of using a secondary site at each location. For details about installing and configuring a distribution point, see Configuring Content Management in Configuration Manager.

    Verification steps

    On the primary site server computer, monitor progress in the Setup wizard. The Configuration Manager Setup wizard displays the result of each site installation task. After all installation tasks are complete, you can close the wizard. However, after the site installation is complete, the Setup wizard continues to display information about ongoing configurations for the site, which you can monitor if you do not close the wizard. Closing the Setup wizard does not affect these ongoing configurations, which continue to run in the background after the wizard is closed. Review the ConfigMgrSetup.log to verify that the site installed successfully.

  5. Configure management features and functions.

    After you install your site or hierarchy, configure the site to support the management features and functions of System Center 2012 R2 Configuration Manager you want to use. You must configure Active Directory User Discovery before you configure the Windows Intune subscription or install the Windows Intune Connector site system role in step 8. See:

    1. Configure Sites and the Hierarchy in Configuration Manager

    2. Configure Active Directory Discovery for Computers, Users, or Groups

  6. Migrate to System Center 2012 R2 Configuration Manager.

    When you migrate objects from your Configuration Manager 2007 source hierarchy, you access data from the site databases that you identify in the source infrastructure and then copy that data to the System Center 2012 R2 Configuration Manager hierarchy. Migration does not change the data in the source hierarchy. It discovers the data and stores a copy in the database of the destination hierarchy. See Migrating Hierarchies in System Center 2012 Configuration Manager.

    To migrate your Configuration Manager 2007 data to System Center 2012 R2 Configuration Manager:

    1. Specify your Configuration Manager 2007 SP2 hierarchy as the source hierarchy for migration. By default, the top-level site of that hierarchy becomes a source site of the source hierarchy. After data is gathered from the initial source site, you can then configure additional source sites for migration.

      Configuration Manager starts to gather data from the source site immediately after you specify a source hierarchy, configure credentials for each additional source site in a source hierarchy, or share the distribution points for a source site. By default, the data gathering process repeats every four hours so that Configuration Manager can identify changes to data in the source hierarchy that you might want to migrate. Data gathering is also necessary to share distribution points from the source hierarchy to the destination hierarchy. See Configuring Source Hierarchies and Source Sites for Migration to System Center 2012 Configuration Manager.

    2. Create migration jobs to migrate data between the source and destination hierarchy. Use migration jobs to configure the specific data that you want to migrate to your System Center 2012 R2 Configuration Manager environment. Migration jobs identify the objects that you plan to migrate, and they run at the top-level site in your hierarchy. See Create and Edit Migration Jobs for System Center 2012 Configuration Manager.

    3. Monitor migration jobs. Monitor the progress of migration jobs in the System Center 2012 R2 Configuration Manager console. See Monitor Migration Activity in the Migration Workspace.

    4. Upgrade shared distribution points. You can upgrade a supported distribution point that is shared from your Configuration Manager 2007 source site to be a distribution point in the destination hierarchy. See Upgrade or Reassign a Shared Distribution Point in System Center 2012 Configuration Manager.

    5. Migrate Configuration Manager 2007 clients to System Center 2012 R2 Configuration Manager. After you migrate data for clients between hierarchies but before you complete migration, plan to migrate clients to the destination hierarchy. To migrate clients between hierarchies, install the Configuration Manager client software from the destination hierarchy. The Configuration Manager client is uninstalled, and the System Center 2012 R2 Configuration Manager client is installed and assigned to the primary site. See Planning a Client Migration Strategy in System Center 2012 Configuration Manager.

    6. Complete the migration process: When your Configuration Manager 2007 hierarchy no longer contains data that you want to migrate to your destination hierarchy, you can complete the migration process. To do so:

      1. Make sure that you have successfully migrated all of the resources from the source hierarchy that you require in the destination hierarchy. This can include data and clients.

      2. Stop gathering data from each source site in your Configuration Manager 2007 hierarchy. To do so, run the Stop Gathering Data action on the bottom tier source sites, and then repeat the process at each parent site. The top-level site of the source hierarchy must be the last site on which you stop gathering data. You must stop data gathering at each child site before performing this action on a parent site. After you stop gathering data, you can no longer share distribution points between the source and destination hierarchies.

      3. Clean up migration data. To do so, use the Clean Up Migration Data action. This optional action removes data about the current source hierarchy from the database of the destination hierarchy. Until you clean up migration data, each migration job that has run or that is scheduled to run remains accessible in the Configuration Manager console. When you clean up migration data, most data about the migration is removed from the database of the destination hierarchy. See Complete Migration in System Center 2012 Configuration Manager.

      Verification steps: Migration consists of several distinct actions or phases, and extends over a period of time until you decide to complete the migration process. Therefore, there is no single verification step or process you can review to confirm that migration is complete. Instead, you can verify results as they display in the System Center 2012 R2 Configuration Manager console when actions for each phase run or complete.

    7. Decommission your Configuration Manager 2007 hierarchy: After you complete migration from a source hierarchy and that hierarchy no longer contains resources that you manage, you can decommission the sites in the source hierarchy and remove the related infrastructure from your environment. See Configuration Manager Tasks for Decommissioning Sites and Hierarchies.

  7. Get certificates or keys for mobile devices

    Contoso must have certificates or sideloading keys before they can enroll mobile devices. The types of mobile devices that you have in your environment will determine what certificates or sideloading keys you will need. See Obtain Certificates or Keys to Meet Prerequisites per Platform.

  8. Configure the Windows Intune subscription and install the Windows Intune Connector site system role on the top-level site.

    Before Contoso can use Configuration Manager to manage mobile devices, they must configure their Windows Intune subscription and install the Windows Intune connector site system role on their top-level site server. Contoso will configure their stand-alone primary site. If you have a more complex hierarchy, configure your central administration site.

    1. Configure your Windows Intune subscription. See Configuring the Windows Intune Subscription.

    2. Install the Windows Intune connector. See The Windows Connector Site System Role.



    Verification steps:

    • On the primary site server computer, review the sitecomp.log to verify that the Windows Intune connector site system role installed successfully.

    • On the computer where you install the Windows Intune connector, review the cloudusersync.log to verify that users from your domain have successfully synchronized to Windows Intune.

    • On the primary site server computer, review the CertMgr.log to confirm that the computer where you installed the Windows Intune connector shares the connector certificate. The certificate is shared after the installation of the Windows Intune connector site system role is complete.

    • On the computer where you install the Windows Intune connector, review the dmpuploader.log to verify that the connector site system role can upload policy and configuration changes to the Windows Intune service.

    • On the computer where you install the Windows Intune connector, review the dmpdownloader.log to verify that the Windows Intune connector is able to download messages from Windows Intune. This log might only show a ping at the beginning of the download process and it might take some time before entries related to downloads are logged.
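The log review above can be triaged with a short script. This is an added example, not part of the original guide or a Microsoft tool: it reports, for each of the five logs, whether the file is present on the current computer, whether it was written recently, and how many warning or error entries it holds. The `$LogDir` default, the 24-hour freshness window, and the keyword heuristic for untyped entries are assumptions to adjust.

```powershell
# Added example, not Microsoft's tooling. Run on each computer named above.
# Assumptions: $LogDir is a placeholder for that computer's Configuration
# Manager Logs folder; entries are single-line, in either layout CMTrace reads.
param(
    [string]$LogDir = 'C:\Program Files\Microsoft Configuration Manager\Logs',
    [int]$MaxAgeHours = 24
)

$logs = 'sitecomp.log', 'cloudusersync.log', 'CertMgr.log',
        'dmpuploader.log', 'dmpdownloader.log'

function Get-LogProblem {
    param([string[]]$Line)
    foreach ($l in $Line) {
        if ($l -match '^<!\[LOG\[(?<msg>.*)\]LOG\]!>.*\btype="(?<type>\d)"') {
            # Typed layout: type 2 is a warning, type 3 is an error.
            if ([int]$Matches['type'] -ge 2) { $Matches['msg'] }
        }
        elseif ($l -match '^(?<msg>.*?)\s*\$\$<') {
            # Untyped layout: fall back to a keyword heuristic.
            $msg = $Matches['msg']
            if ($msg -match 'error|fail') { $msg }
        }
    }
}

foreach ($name in $logs) {
    $path = Join-Path $LogDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Log = $name; Status = 'not on this computer'
                           Problems = 0; LastProblem = $null }
        continue
    }
    $problems = @(Get-LogProblem -Line @(Get-Content -LiteralPath $path))
    $age = (Get-Date) - (Get-Item -LiteralPath $path).LastWriteTime
    $status = if ($age.TotalHours -gt $MaxAgeHours) { 'stale' } else { 'recent' }
    [pscustomobject]@{
        Log         = $name
        Status      = $status
        Problems    = $problems.Count
        LastProblem = $problems | Select-Object -Last 1
    }
}
```

A clean result only shows that no warnings or errors were flagged; the success entries described in each verification step still need to be read in the log itself.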

  9. Enroll mobile devices.

    Enrollment establishes a relationship between the user, the mobile device, and the Windows Intune service. Users enroll their own mobile devices. Android devices are not enrolled, but can be managed by using the Exchange Server connector. See Mobile Device Enrollment.

  10. Install the System Center 2012 R2 Configuration Manager console.

    By default, when you install a primary site, the Configuration Manager console also installs on the primary site server computer. After the site installs, you can install additional System Center 2012 R2 Configuration Manager consoles on computers to manage the site. See Install a Configuration Manager Console.

  11. Manage your PCs and mobile devices.

    After you install and make the basic configurations for your site, you can begin to configure management of your PCs and mobile devices. The following are typical features or functionality that you might configure:

     

    Feature: Details

    • Hardware inventory: Use hardware inventory to collect information about the hardware configuration of client devices in your organization.

    • Software inventory: Use software inventory to collect information about files that are contained on client devices in your organization. Additionally, software inventory can collect files from client devices and store these on the site server.

    • Asset Intelligence: Use Asset Intelligence to inventory and manage software license usage throughout your enterprise and improve the breadth of information that is collected about hardware and software.

    • Compliance settings: Use compliance settings to manage the configuration and compliance of servers, laptops, desktop computers, and mobile devices in your organization.

    • Company resource access: Use company resource access to provide users in your organization access to data and applications from remote locations by configuring the following:

        • Certificate profiles

        • VPN profiles

        • Wi-Fi profiles

    • Remote connection profiles: Use remote connection profiles to allow your users to remotely connect to work computers when they are not connected to the domain or if their personal computers are connected over the Internet.

    • Application management: Use application management to manage applications in your enterprise for both Configuration Manager administrative users and client device users.

    • Software updates: Use software updates to monitor compliance and deploy software updates to computers in your enterprise.

    • Manage mobile devices: Use this walkthrough for the steps to let you manage Windows Phone 8, Windows RT, iOS, and Android devices by using the Windows Intune service over the Internet.

    • Wiping company content from mobile devices: You can do a full wipe on Windows Phone 8, iOS, and Android devices to restore the device to factory settings. Or, you can do a selective wipe that only removes company content.
