Smartphone management with Microsoft products
On a Leash
Companies that want to integrate their users' smartphones into their existing infrastructure can do so with various Microsoft products. One example is System Center Configuration Manager (SCCM) 2012. However, this product only does a reasonably good job of managing Apple iPhones and Android devices [1] as of Service Pack 1 (SP1). Windows Phone and Windows 8 RT also require SCCM 2012 SP1. Companies that use Exchange Server 2010 can specify settings for smartphones without this management software.
Parallel to or as a substitute for SCCM and Exchange ActiveSync policies, administrators can also use Windows Intune for cloud-based management of mobile devices and smartphones. As of SP1 for SCCM 2012, Windows Intune and SCCM 2012 work together. Microsoft updated the cloud application to do this. To manage smartphones optimally, parallel use of both products makes sense – preferably in combination with Exchange Server 2010/2013.
System Center Configuration Manager 2012 is the most important product in the new System Center. Microsoft fully integrates the functions of the System Center Mobile Device Manager 2008 in SCCM. However, this offering was not very comprehensive without the service pack, and it only gave admins the possibility of managing devices with Windows Phone 7 and other systems.
Teamwork
As an integrated solution, Windows Intune and System Center Configuration Manager improve the ability to secure and manage Windows 8 PCs, Windows RT tablets, and Windows Phone 8 smartphones. Even devices from Apple and Android-based platforms can be integrated into the management setup. If you use Windows Intune and System Center Configuration Manager 2012 SP1, you can apply the settings from Windows Intune via the management console of System Center Configuration Manager 2012.
Windows Intune lets admins centrally monitor not only computers and laptops, but also smartphones and tablets (Figure 1). In particular, businesses that rely on Windows Server 2012, Windows 8 and Windows Phone 8, or Windows RT can thus consistently ensure that all devices that use business data are hardened against attacks.
Another mainstay in the integration of mobile devices is compliance with security settings in the operating system. With Windows Intune, you can centrally define policies, for example, to manage password security. Administrators can define central settings, thus ensuring that all connected devices are configured as securely as possible.
Settings on the Web
If you use Windows Intune, you can define specific settings for Windows RT smartphones, as well as for iOS devices (e.g., iPhones and iPads) and Android devices, in the web-based management console. The web interface has special subsections for all types of smartphones (Figure 2). The Management | Mobile Device Management link takes you to the administration section where you can integrate various devices.
It is not surprising that Windows Phone 8 and Windows RT work best with Windows Intune, which explains why there is also an enterprise app for Windows Phone [2] that gives you the best option for integrating the smartphones with Windows Intune and System Center Configuration Manager 2012 SP1. Unlike Android or Apple devices, you can use this approach to install applications on smartphones with Windows Phone 8.
You can at least register iOS devices with a certificate in the Windows Intune/SCCM portal and manage them in this way; for Android, however, the only management option is via Exchange ActiveSync policies, which I describe below.
Although SCCM 2012 can also configure settings for smartphones, again, integration with Windows Intune is better suited for managing mobile devices as of SP1 for SCCM 2012. Both systems are best used in parallel. However, this does not give you the options provided by third-party products. Basically, the server mainly distributes policies, for example, if you use Exchange.
Exchange ActiveSync Mailbox Policies
In Exchange Server 2010 or in Office 365, you can use policies to define which devices are allowed to synchronize with the server and which settings must be set for the devices. Smartphones and tablets can be protected and configured here. Once a device connects to the mailbox, the server transmits the settings. Users are only allowed to synchronize their mailboxes if they have accepted the policies. That is, when using their own devices, users can decide whether they want to connect.
Exchange ActiveSync mailbox policies control the security settings on the devices. This does not help you with inventory work, but it does give you a secure configuration of the endpoints. The function is integrated into all Exchange ActiveSync-compatible devices, that is, not only Windows Phone, but also iPhone, Android, and BlackBerry.
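The following Exchange Management Shell commands are an added example, not part of the original article. They show one way to audit existing ActiveSync mailbox policies in Exchange Server 2010, create a stricter one, assign it, and check that devices applied it. The policy name, the mailbox, and all threshold values are assumptions chosen for illustration.

```powershell
# Run in the Exchange Management Shell (Exchange Server 2010).
# Names and thresholds below are assumptions for this example.
$policyName = 'Smartphone-Baseline'   # hypothetical policy name
$mailbox    = 'jdoe@example.com'      # hypothetical mailbox

# 1. Audit: show policies that allow sync without a device password, or that
#    admit devices unable to enforce the policy (non-provisionable devices).
Get-ActiveSyncMailboxPolicy |
    Where-Object { -not $_.DevicePasswordEnabled -or $_.AllowNonProvisionableDevices } |
    Format-Table Name, DevicePasswordEnabled, AllowNonProvisionableDevices -AutoSize

# 2. Create a baseline policy. With AllowNonProvisionableDevices set to $false,
#    a device that cannot enforce every setting is refused synchronization,
#    so test RequireDeviceEncryption against the device models in use.
$settings = @{
    Name                            = $policyName
    AllowNonProvisionableDevices    = $false
    DevicePasswordEnabled           = $true
    AllowSimpleDevicePassword       = $false
    MinDevicePasswordLength         = 6
    MaxInactivityTimeDeviceLock     = '00:05:00'   # lock after 5 minutes idle
    MaxDevicePasswordFailedAttempts = 8            # device wipes itself afterwards
    RequireDeviceEncryption         = $true
}
New-ActiveSyncMailboxPolicy @settings

# 3. Assign the policy to a mailbox; the server transmits the settings
#    the next time the device connects.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# 4. Verify: list the devices tied to the mailbox and whether each one
#    reported the policy as applied.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Format-Table DeviceType, DeviceModel, DevicePolicyApplied,
                 DevicePolicyApplicationStatus, LastSuccessSync -AutoSize
```

In a rollout, step 1 is worth repeating after every policy change, because any mailbox without an explicitly assigned policy receives the organization's default policy.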