Export (0) Print
Expand All

Manage Mobile Devices with Configuration Manager and Microsoft Intune

Updated: May 14, 2015

Applies To: Microsoft Intune, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

noteNote
The information in this topic applies to System Center 2012 Configuration Manager SP1 or later, and System Center 2012 R2 Configuration Manager or later.

This walkthrough shows you step-by-step how to configure Configuration Manager so that you can manage iOS, Android (including Samsung KNOX), Windows Phone, and Windows devices by using the Microsoft Intune service over the Internet. Although you use the Microsoft Intune service, management tasks are completed by using the Microsoft Intune connector site system role available through the Configuration Manager console. System Center 2012 R2 Configuration Manager also gives you option of managing Windows 8.1 devices, in the same manner of mobile devices, that do not have the Configuration Manager client installed.

You can configure Configuration Manager to enable mobile device management to let users access company resources in a secure, managed way. By using device management, you protect company data while letting users enroll their personal or company-owned mobile devices and giving them access to company data. When you use Configuration Manager with Intune, you have the following management capabilities:

  • You can retire and wipe devices.

  • You can configure compliance settings on devices. These include settings for passwords, security, roaming, encryption, and wireless communication.

  • You can deploy line of business apps to devices.

  • You can deploy apps from the store that the device connects to, Windows Store, Windows Phone Store, App Store, or Google Play.

  • You can collect hardware inventory.

  • You can collect software inventory by using built-in reports.

This document assumes that you are using Configuration Manager to manage computers, and that you are interested in extending the Configuration Manager console with Microsoft Intune to manage mobile devices. After extending Configuration Manager with Microsoft Intune you can give users permission to enroll their personal devices or enroll corporate-owned devices to be managed.

Use the following sections to help you manage mobile devices by using the Microsoft Intune connector.

  1. Prerequisites

  2. Configuring the Microsoft Intune Subscription

  3. The Microsoft Intune Connector Site System Role

  4. Prepare for Mobile Device Enrollment

  5. Next Steps

Use the following information to determine the prerequisites for managing mobile devices.

For a checklist about how to configure Configuration Manager to manage mobile devices, see Administrator Checklist: Configuring Configuration Manager to Manage Mobile Devices by Using Microsoft Intune.

 

External dependencies More information

Sign up for a Microsoft Intune subscription and account

When you sign-up for Intune you subscribe to a trial subscription. You can convert the trial into a paid (full) subscription at any time from within the Microsoft Intune account portal.

You can sign up for a subscription at Microsoft Intune.

For more information, see Task 1: Subscribe to Microsoft Intune and Acceptable Use Policy for Microsoft Intune in the Documentation Library for Intune.

Add a public company domain.

All user accounts must have a publicly verifiable domain name that can be verified by Intune.

Verify users have a public domain UPN.

Before you synchronize the Active Directory user account, you must verify that user accounts have a public domain UPN. For more information, see Add User Principal Name Suffixes in the Active Directory documentation library.

Deploy and configure directory synchronization.

There are several methods you can use for directory integration with Intune. These methods are the same for all Azure AD tenants. Therefore, to learn about the available methods and to drill through to procedures for the method you select, start with the Directory integration topic.

Create a DNS alias.

Create a DNS alias (CNAME record type). You have to configure a CNAME in DNS that redirects EnterpriseEnrollment.<company domain name>.com to manage.microsoft.com. For example, if Melissa's email address is Melissa@contoso.com, you have to create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to manage.microsoft.com.

The CNAME record is used as part of the enrollment process.

The Microsoft Intune subscription lets you specify your configuration settings for the Intune service. This includes specifying which users can enroll their devices and defining which mobile device platforms to manage. When you have created your subscription, you can then install the Microsoft Intune connector site system role that lets you connect to the Microsoft Intune service. This connector site system role will push settings and applications to the Intune service. The Intune subscription performs the following:

  • Retrieves the certificate that the Microsoft Intune connector requires to connect to the Intune service.

  • Defines the user collection that enables users to enroll mobile devices.

  • Defines and configures the mobile platforms that you want to support.

  1. In the Configuration Manager console, click Administration.

  2. For System Center 2012 Configuration Manager SP1: In the Administration workspace, expand Hierarchy Configuration, and click Microsoft Intune Subscriptions.

    Beginning with System Center 2012 R2 Configuration Manager: In the Administration workspace, expand Cloud Services, and click Microsoft Intune Subscriptions.

  3. For System Center 2012 Configuration Manager SP1: On the Home tab, in the Create group, click Create Microsoft Intune Subscription.

    Beginning with System Center 2012 R2 Configuration Manager: On the Home tab, click Add Microsoft Intune Subscription.

  4. On the Introduction page of the Create Microsoft Intune Subscription Wizard, review the text and click Next.

  5. On the Subscription page, click Sign in and sign in by using your work or school account. In the Set the Mobile Device Management Authority dialog, select the check box to only manage mobile devices by using Intune through the Configuration Manager console. To continue with your subscription, you must select this option.

    ImportantImportant
    Once you select Configuration Manager as your management authority, you cannot change the management authority to Microsoft Intune in the future.

  6. Click the privacy links to review them, and then click Next.

  7. On the General page, specify the following options, and then click Next.

    • Collection: Specify a user collection that contains users who will enroll their mobile devices.

      noteNote
      If a user is removed from the collection, the user’s device will continue to be managed for up to 24 hours when the user record is removed from the user database.

    • Company name: Specify your company name.

    • URL to company privacy documentation: If you publish your company privacy information to a link that is accessible from the Internet, provide a link that users can access from the company portal. Privacy information can clarify what information users are sharing with your company.

    • Color scheme for company portal: Optionally, change the default color of blue for the company portals.

    • Configuration Manager site code: Specify a site code for a primary site to manage the mobile devices.

      noteNote
      Changing the site code affects only new enrollments and does not affect existing enrolled devices.

  8. On the Company Contact Information page, specify the company contact information that is displayed in the company portal, and then click Next.

  9. On the Company Logo page, choose whether to display a logo in the company portal, and then click Next.

  10. Prior to Configuration Manager SP2, on the Platforms page, select the device types that you want to manage and review the platform requirements, and then click Next. For each device type that you select, you must configure additional options. Use the procedures that follow for more information about those options. After you have configured these additional options, click Next.

  11. Complete the wizard.

The Microsoft Intune connector sends settings and software deployment information to Microsoft Intune and retrieves status and inventory messages from mobile devices. The Intune service acts as a gateway that communicates with mobile devices and stores settings.

noteNote
The Microsoft Intune connector site system role may only be installed on a central administration site or stand-alone primary site.

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles.

  3. Add the Microsoft Intune connector role to a new or existing site system server by using the associated step:

    • New site system server: On the Home tab, in the Create group, click Create Site System Server to start the Create Site System Server Wizard.

    • Existing site system server: Click the server on which you want to install the Microsoft Intune connector role. Then, on the Home tab, in the Server group, click Add Site System Roles to start the Add Site system Roles Wizard.

  4. On the System Role Selection page, select Microsoft Intune Connector, and click Next.

  5. Complete the wizard.

The Microsoft Intune Connector extends Configuration Manager by establishing a connection to the cloud-based Microsoft Intune service that manages mobile devices over the Internet. The Microsoft Intune Connection authenticates with the Microsoft Intune service as follows:

  1. When you create a Microsoft Intune subscription in the Configuration Manager console, the Intune admin is authenticated by connecting to Azure Active Directory, which redirects to the respective ADFS server to prompt for user name and password. Then, Microsoft Intune issues a certificate to the tenant.

  2. The certificate from step 1 is installed on the Microsoft Intune Connector site role and is used to authenticate and authorize all further communication with the Microsoft Intune service.

Before device can be enrolled you must establish a trust relationship between the management solution and the managed mobile devices. This relationship is platform-specific so if, for example, you want to manage both iOS devices and Windows Phone devices you must complete the prerequisites for both platforms. The following table lists the certificates or keys that you must have to enroll mobile platforms.

 

Platform Certificates or keys How you obtain certificates or keys

Windows Phone 8

Before you can configure mobile device management for Windows Phone 8.0, the company portal app must be code-signed with a Symantec certificate that is trusted by the Windows Phone devices and you must create an application in the Software Library.

Buy a code signing certificate from Symantec.

If you are just testing this out in a trial version, you can use the Support tool for Windows Phone trial management.

Frequently asked questions about Windows Phone mobile device management

Windows Phone 8.1 and Windows RT, Windows RT 8.1, or Windows 8.1 devices that are not joined to the domain.

Sideloading keys: Devices have to be provisioned with sideloading keys to enable the installation of sideloaded apps.

All sideloaded apps must be code-signed.

Buy sideloading keys from Microsoft.

All apps must be code-signed by using your company’s certification authority or an external certification authority.

iOS

Apple Push Notification service certificate.

Request an Apple Push Notification service certificate from Apple. For more information, see the Prepare to enroll iOS Devices in this topic.

Android 4.0+ and Samsung KNOX

None.

Not applicable.

To support enrollment of iOS devices, you must follow these steps:

  1. Download a certificate signing request
    A certificate signing request lets you apply for an Apple Push Notification service (APNs) certificate from the Apple certification authority.

    1. In the Configuration Manager console in the Administration workspace, go to Cloud Services > Microsoft Intune Subscriptions.

      WarningWarning
      If other Configuration Manager dialog boxes are open, close them before continuing with this procedure.

    2. On the Home tab, click Create APNs certificate request. The Request Apple Push Notification Service Certificate Signing Request dialog box opens.

    3. Browse to the path to save the new certificate signing request (.csr) file. Save the certificate signing request (.csr) file locally.

    4. Click Download. The new Microsoft Intune .csr file downloads and is saved by Configuration Manager. The .csr file is used to request a trust relationship certificate from the Apple Push Certificates Portal.

  2. Request an Apple Push Notification service certificate from the Apple website

    1. Connect to the Apple Push Certificates Portal and sign in with your company Apple ID to create the APNs certificate. This Apple ID must be used in future to renew your APNs certificate.

    2. Sign in and complete the wizard. Download the APNs certificate and save the file locally. This APNs certificate (.pem) file is used to establish a trust relationship between the Apple Push Notification server and Intune’s mobile device management authority.

  3. Enable iOS enrollment

    1. In the Configuration Manager console in the Administration workspace, go Cloud Services > Microsoft Intune Subscription.

    2. On the Home tab in the Subscription group, click Configure Platforms, and then click IOS.

    3. In the Microsoft Intune Subscription Properties dialog box, select the iOS tab and mark the Enable iOS enrollment checkbox.

    1. In the Configuration Manager console in the Administration workspace, go to Cloud Services > Microsoft Intune Subscription.

    2. In the Microsoft Intune Subscription Properties dialog box, select the iOS tab and mark the Enable iOS enrollment checkbox.

  4. Upload the Apple Push Notification service certificate

    Click Browse and go to the APNs certificate (.cer) file downloaded from Apple. Configuration Manager displays the APNs certificate information. Click OK to save the APNs certificate to Intune.

    ImportantImportant
    Do not upload the Apple Push Notification service (APNS) certificate until you enable iOS enrollment in the Configuration Manager console.

To support the Company Portal app for Windows Phone 8.0 and to deploy company apps to Windows Phone 8.1 you must get a Symantec Enterprise Mobile Code Signing Certificate. You cannot use a certificate issued by your own certification authority because only the Symantec certificate is trusted by Windows Phone devices. This certificate is used to:

  • Sign a company portal app for deployment to Windows Phone 8 for enrollment and phone management

  • Sign company apps so Configuration Manager can deploy them to Windows Phones

The steps below will help you get the required certificates and sign the company portal app. You will need a Windows Phone Dev Center account and then you will need to purchase a Symantec certificate.

  1. Join the Windows Phone Dev Center
    Join the Windows Phone Dev Center using corporate account information when logging in to purchase your company account. This request will need to be authorized by a company officer before you receive a code-signing certificate.

  2. Get a company Symantec certificate
    Purchase a certificate from the Symantec website using your Symantec ID. After you purchase the certificate, the corporate approver whom you designated in your Windows Phone Dev Center account will receive an email asking for approval of the certificate request. For more information about the Symantec certificate requirement, see Why does Windows Phone require a Symantec certificate for management?.

  3. Import certificates
    Once the request has been approved, you will receive an email containing instructions for importing certificates. Follow the instructions in the email to import the certificates.

  4. Verify certificates imported
    To verify that the certificates have been imported correctly, go to the Certificates snap-in, right-click Certificates, and select Find Certificates. In the Contains field, enter “Symantec”, and click Find Now. The certificates you imported should appear in the results.

    Certificate search

  5. Export a signing certificate
    Having verified that the certificates are present, you can export the .pfx file to sign the company portal. Select the Symantec certificate with Intended purpose “code-signing.” Right-click the code-signing certificate and select Export.

    Certificate export

    In the Certificate Export Wizard, select Yes, export the private key and then click Next. Select Personal Information Exchange –PKCS #12 (.PFX) and check Include all the certificates in the certification path if possible. Complete the wizard. For more information, see How to Export a Certificate with the Private Key.

  6. Download the Company Portal
    Download the Intune Company Portal for Windows Phone from the Download Center. The default installation location is C:\Program Files (x86)\Microsoft Corporation\Windows Intune Company Portal for Windows Phone.

  7. Download the SDK
    Download the Windows Phone SDK.

  8. Code-sign the Company Portal app
    Use the XAPSignTool app downloaded with the SDK to sign the company portal with the .pfx file you created from the Symantec certificate. For more information, see How to sign a company app by using XapSignTool.

  9. Create an application for distribution
    Create an application to deploy that contains the signed company portal app. Select Automatically detect information about this application from installation files. In Type, select Windows Phone app package (*.xap) file. In Location, browse to a network share where you have copied the ssp.xap. On the General Information page, enter a name that will show up in the Configuration Manager console, but note that the application will always be displayed as Company Portal in the app list on Windows Phones.

  10. Enable management by Configuration Manager

    Complete the following steps for the Windows devices you will manage.

    1. In the Configuration Manager console in the Administration workspace, go to Cloud Services > Microsoft Intune Subscriptions.

      WarningWarning
      If other Configuration Manager dialog boxes are open, close them before continuing with this procedure.

    2. On the Home tab, click Configure Platforms, and then click Windows Phone.

    3. On the General tab, choose the Windows Phone platforms that you will use, and then click Next. The Windows Phone 8.0 and Windows Phone 8.1 and later options are used to determine the requirements that are needed for those platforms. For example, when you select Windows Phone 8.0, you are required to specify the Company Portal app on the Company Portal App tab. If you only select Windows Phone 8.1 and later, the options are disabled on the Company Portal App tab because the Company Portal app installation is not associated with device enrollment with Windows Phone 8.1 or later devices.

    4. Add the certificate (.pfx) file that you exported to .pfx file. Or choose Application enrollment token and browse to the location of the files.

    5. On the Company Portal App tab, click Browse and select the application package that contains the signed Company Portal app. This option is only available when you select Windows Phone 8.0 on the General tab. For Windows Phone 8.1 and later, deploy the application that contains the Company Portal app with a deployment purpose of Required. For details, see How to Create and Deploy Applications for Mobile Devices in Configuration Manager.

    1. For Windows Phone 8.1, you must enable the Windows Phone 8.1 extension in the Configuration Manager console. For more information, see How to Enable Extensions.

    2. On the Windows Phone page of the Create Microsoft Intune Subscription Wizard or in the properties for the subscription, specify the .pfx file that you received.

    3. Specify the name of the Microsoft Intune company portal application package that you created.

    1. In the Configuration Manager console in the Administration workspace, go to Cloud Services > Microsoft Intune Subscriptions.

      WarningWarning
      If other Configuration Manager dialog boxes are open, close them before continuing with this procedure.

    2. On the Home tab, click Configure Platforms, and then click Windows.

    3. On the General tab, select Enable Windows enrollment, and if you have a certificate from your company’s certification authority, click Browse to specify the code-signing certificate that you want to use for all Windows 8 apps.

      noteNote
      All apps must be code-signed. The certificate field is for your company’s certificate. If you have purchased a certificate from an external certification authority, you can leave this field blank.

    1. On the Windows RT Configuration page of the Create Microsoft Intune Subscription Wizard or in the properties for the subscription, if you have a certificate from your company’s certification authority, click Browse to specify the code-signing certificate that you want to use for all Windows 8 apps.

      noteNote
      All apps must be code-signed. The certificate field is for your company’s certificate. If you have purchased a certificate from an external certification authority, you can leave this field blank.

    2. Click Add to enter your sideloading keys.

  11. Distribute the application
    Use the Distribute Content wizard to distribute the Microsoft Intune company portal application to the manage.microsoft.com distribution point.

    ImportantImportant
    Do not create a deployment for this application - the deployment will be automatically created when you complete the Microsoft Intune Subscription Wizard.

For System Center 2012 R2 Configuration Manager, users can download the Android company portal app from Google Play that lets them enroll Android (including Samsung KNOX) devices. With the Android company portal app, you can manage compliance setting, wipe or delete Android devices, deploy apps, and collect software and hardware inventory. If the Android company portal app is not installed on Android devices or if you are using Configuration Manager SP1, then you will not have all the management capabilities, such as inventory and compliance settings, but you can still deploy apps to Android devices.

-----
For additional resources, see Information and Support for Configuration Manager.

Tip: Use this query to find online documentation in the TechNet Library for System Center 2012 Configuration Manager. For instructions and examples, see Search the Configuration Manager Documentation Library.
-----
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2015 Microsoft