What's new for MDM in System Center 2012 Configuration Manager

 

Updated: February 23, 2016

Review this topic if you are using Microsoft System Center 2012 Configuration Manager integrated with Microsoft Intune to check for recently released mobile device management features. If you have Intune without Configuration Manager, see What's new in Microsoft Intune instead.

  • Take advantage of iOS "Open-in" management for devices that are enrolled in a third-party MDM solution

    You can use your third-party mobile device management (MDM) vendor to take advantage of iOS "Open-In" management. You can set the restrictions in the configuration profile settings and deploy the app using your MDM software. When the user installs the managed app, the restrictions are applied. Read the details: Microsoft Intune mobile app management policies and iOS Open In.

    1. Users are required to log in with their work account before they get access to any corporate data from Cloud Services or other apps. This ensures that mobile app management (MAM) policies are in place when the data is accessed.

    2. Managed email profiles and other managed apps deployed through a third-party MDM solution can share files and data with the apps that have Intune MAM policies.

  • Microsoft apps that support MAM

    The list of Microsoft apps you can use with Intune mobile application management policies has been updated to include the latest apps (for devices that are enrolled with Intune only).

  • Mobile app configuration policies give you more flexibility to specify user details for iOS apps

    You can supply user settings that an iOS app might need when it is opened. For example, you can supply a network port, or a user name. For details, see Configure apps with mobile app configuration policies.

  • Deploy Adobe Reader for Microsoft Intune to Intune-managed iOS devices in your enterprise

    The Adobe Reader app for iOS can now be managed on enrolled devices with the Intune mobile application management policy.

  • Ensure deployed web clips are opened in the managed browser

    You can deploy targeted web clips that can only be opened using the managed browser on iOS and Android devices. For example, you deploy links to corporate resources through the Company Portal, and when users navigate to the links, they open directly into the managed browser where they can be protected by MAM policy. For details, see Deploy apps to mobile devices.

  • Find, manage, and distribute Windows Store for Business apps for Windows 10 devices from the Intune administrator console

    Support for Windows Store for Business is available in Intune to help you find, manage, and distribute apps to the Windows 10 devices you’re managing. Windows Store for Business lets you manage the process of deploying and monitoring these apps from the Intune administrator console—the same console you use to manage your other apps. Specifically, Windows Store for Business manages the content and licensing of “online licensed apps”. For details, see Manage apps you purchased from the Windows Store for Business.

  • PFX certificates distribution for iOS devices

    Intune administrators can create and deploy iOS PFX certificates for Wi-Fi, email, and VPN authentication on iOS devices. This feature is already available for Android and Windows 10 devices. For details, see Enable access to company resources using certificate profiles.

  • Apply apps and policies to different device groups based on user category selection

    Intune administrators can now define custom device categories for users to select from during enrollment. For example, administrators might want their users to specify if they're enrolling a device used for the "Cash Register" or "Delivery Truck" or "Inventory Room." The category selected will cause the device to become a member of an Intune device group, which can be used for deploying different apps and policies to the enrolled device. For details, see Categorize devices with device group mapping.

The following changes have been made to the Company Portal in this release:

Android Company Portal app

  • New screens have been added to guide users through the enrollment process and provide more information about why users should enroll and what IT administrators can and can’t see on their enrolled devices. See the enrollment instructions for details.

  • Enrollment error messages are now displayed in the Company Portal app. Previously, these messages appeared in the Company Portal website. Making this change means that all error messages now appear in just one place instead of two different places.

iOS Company Portal app

  • New screens have been added to guide users through the enrollment process and provide more information about why users should enroll and what IT administrators can and can’t see on their enrolled devices. See the enrollment instructions for details.

  • Enrollment error messages are now displayed in the Company Portal app. Previously, these messages appeared in the Company Portal website. Making this change means that all error messages now appear in just one place instead of two different places.

The following changes have been made to the Company Portal in this release:

Android Company Portal app

  • The following changes have been made to comply with new Google requirements. On Android 6.0 and above devices, two new messages are displayed to users, asking them to allow or deny permission to the Company Portal app to read their device phone number and IMEI and to write data logs to their device's SD card. See the following table for details about these two messages.

    | Message text | Allow Company Portal to make and manage phone calls? | Allow Company Portal to access photos, media, and files on your device? |
    | --- | --- | --- |
    | Meaning of message | Enables the user's device phone number and IMEI to be sent to the Intune service and appear in the Admin console on the Hardware page. Note: The Company Portal app never makes or manages phone calls! The message text is controlled by Google and cannot be changed. To see the Hardware page, go to Groups > All mobile devices > Devices. Select the user's device, and go to View Properties > Hardware. | Enables the device to write data logs to the device's SD card, which enables logs to be moved by using a USB cable. Note: The Company Portal app never accesses users' photos, media, and files. The message text is controlled by Google and cannot be changed. |
    | When and where the message appears | The message appears when users sign in to the Company Portal app for the first time to start enrolling their device. | The message appears when users tap Send Data to send data logs to their IT admin. |
    | If users allow access | The device's phone number and IMEI will appear on the Hardware page in the Admin console. | The logs will be copied to the SD card. |
    | If users deny access | They can continue to use the Company Portal app and enroll their device, but the user's device phone number and IMEI will be blank on the Hardware page in the Admin console. The second time that users sign in to the Company Portal app after denying access, the message displays a Never ask again check box that users can select so that the message never shows again. If users allow but then later deny access, the message appears the next time users sign in to the Company Portal app after enrollment. If users later decide to allow access, they can go to Settings > Apps > Company Portal > Permissions > Phone, and then turn on the permission. | They can still send data logs, but the logs won't be copied to the device's SD card. The second time that users sign in to the Company Portal app after denying access, the message displays a Never ask again check box that users can select so that the message never shows again. If users allow but then later deny access, the message appears the next time users try to send logs. If users later decide to allow access, they can go to Settings > Apps > Company Portal > Permissions > Storage, and then turn on the permission. |
    | More information | For your users: Sign in to the Company Portal app. For IT Pros: The information in this table is also in Helping your users understand Company Portal app messages. | For your users: Send diagnostic data logs to your IT admin using email. For IT Pros: The information in this table is also in Helping your users understand Company Portal app messages. |

iOS

  • Users can now use Microsoft Outlook or other mail apps to send diagnostic logs to the IT administrator. Previously, only the native app could be used.

  • Support has been improved for Apple's Device Enrollment Program (DEP) and corporate-enrolled devices. For details, see You are asked to identify your device when you're trying to enroll.

  • In the user's list of enrolled devices, a green check mark now appears next to the device that the user is currently using. Before this check mark was added, users couldn't tell which enrolled device they were using.

Windows Company Portal app

  • Microsoft automatically collects anonymous data about the performance and use of the company portal to improve Microsoft products and services. End users can turn off data collection by using the Usage Data setting on their device, but administrators have no control over the data collection and cannot change the end user’s selection for this setting.

In addition to managed devices, mobile app management policies can be used to protect apps on devices that are not managed by Intune. Using this new capability, you can apply mobile app management policies for apps connecting to Office 365 services. This is not supported for apps connecting to on-premises Exchange or SharePoint.

To use this new capability, you must use the Azure preview portal. The following topics can help you get started:

You can create new compliance rules to set minimum and maximum OS version requirements. This allows you to ensure that your end-users are using devices that have the OS versions that are compliant with your requirements.

Once you set and deploy these rules, devices that are used to access your company resources must run at least the minimum OS version and no later than the maximum OS version that you specify. On devices that do not meet the minimum version requirement, a message is displayed asking the user to upgrade, with a link to information on how to upgrade. On devices that have an OS version later than the maximum OS version you specified, users are asked to contact the IT admin. Until the rule is changed to allow the OS version, the device cannot be used to access company resources.

How to set the OS version rules and the extension requirements are described in detail in the Compliance Policies in Configuration Manager topic.

The following changes have been made to the Company Portal in this release:

iOS

Company Portal website

  • Users who have enrolled their device in Intune can now reset their passcode by using the Reset Passcode option on the Company Portal website. Previously, only IT administrators could reset users' passcodes. The Reset Passcode option is not supported on Windows 8.1 and Windows RT devices, and the option appears only when devices are enrolled in mobile device management (MDM) or MDM with Exchange ActiveSync. For user instructions, see Reset your passcode.

The following changes have been made to the company portal apps in this release:

iOS

  • New buttons have been added to the Company Portal app to make it easier for users to send diagnostic logs to their IT admins:

    Button name

    Where it appears

    Report

    Error alert messages

    Send Diagnostic Report

    About screen of the Company Portal app

New one-click quarantine experience

We have simplified the quarantine email experience to allow one-click enrollment. With this service update, end users can click a single link in the quarantine email to complete the enrollment process within the company portal app.

Note

To see this update, you must install a hotfix to System Center 2012 Configuration Manager Service Pack 2 and Cumulative Update 1.

A new extension for Intune has been released to add support for iOS 9 in the Configuration Manager console. This updates the list of supported platforms to include iOS 9, and lets you deploy items like apps and configuration items to iOS 9 devices. For details, see Planning to Use Extensions in Configuration Manager.

In this release, you can bring already-deployed apps under Intune management for iOS 9 users. For earlier versions of iOS, when you deploy an app and an unmanaged version of the app is already installed on a device, you still have to ask the user to uninstall the app manually before Intune can install the managed app.

But starting with this release of Intune, you can now prompt users of iOS 9 devices to allow Intune to take over management of the app and apply any relevant mobile application management policies.

The following changes have been made to the company portal apps in this release:

iOS

  • Microsoft automatically collects anonymous data about the performance and use of the company portal to improve Microsoft products and services. End users can turn off data collection by using the Usage Data setting on their device, but administrators have no control over the data collection and cannot change the end user’s selection for this setting.

  • Full screen resolution support on iPhone 6 and 6 Plus

  • Bug fixes to improve security

The following updates have been made to mobile device and app management:

Applies to System Center 2012 R2 Configuration Manager with the Conditional Access extension for Microsoft Intune, or System Center 2012 R2 Configuration Manager SP1 and later.

You can now configure conditional access policies for PCs. This allows Office desktop apps to access Exchange Online and SharePoint Online services. To enable conditional access policy for PCs, the PC must either be domain joined or be compliant.

The following changes have been made to the company portal apps in this release:

Android

  • Users will now see device enrollment instructions after signing in if they have not yet enrolled their device for management.

  • Microsoft automatically collects anonymous data about the performance and use of the company portal to improve Microsoft products and services. End users can turn off data collection by using the Usage Data setting on their device, but administrators have no control over the data collection and cannot change the end user’s selection for this setting.
