Mobile device management with Microsoft System Center 2012 R2

Professional Cleanup

Client Certificates

Depending on which platform you are using, the most complex process now starts before you can finally manage mobile endpoints with Windows Intune and SCC (Figure 2). For the iOS platform you need to request an Apple Push Notification certificate from Apple; for Windows Phone 8 you need to purchase a code signature certificate from Verisign. Windows Tablets with RT and RT 8.1 and Windows 8.1 devices that do not belong to the domain require a sideload key if you want access to apps other than those in the Windows App Store and if you want to set up your own app store.

Figure 2: After completing the install, the Windows Intune Connector is available in the SCCM management console.

Companies with an Enterprise Software license can acquire a sideload key, and Microsoft recently loosened the requirements and restrictions for getting one. Administrators still need to note that all apps transferred by means of a sideload must be digitally signed. You can use public signature certificates or your internal public key infrastructure for this. Fortunately, you don't need to fulfill any additional requirements to manage Android devices [6].

After successfully setting up the Intune subscription and fulfilling all the requirements for Intune/SCCM integration, you can now start configuring System Center 2012 SP1 or newer (Figure 3). In the SCCM management console, you first need to add the Windows Intune Subscription to the Administration | Cloud Services node and log in to the Intune Portal with your Intune enterprise account. Later in the Intune integration wizard sequence, you will be prompted to state which mobile endpoint platforms you want to support. The choices are Windows Phone 8.0/8.1, Windows RT/8.1, Android, and Apple iOS.

Figure 3: Following Intune integration, administrators can configure policies for mobile endpoints in System Center.

SCCM uses "Collections" of users and devices as the basis for distributing software and other SCCM activities. At this point, it makes sense to add all device owners activated in Windows Intune as the userbase for a new user Collection in SCCM. The Windows Intune Connector then uses this Collection as an additional authorization mechanism for users who will be able to roll out mobile devices in Intune. In additional subscription configuration steps, you can modify the look and feel of the Intune enterprise portal, adding, for example, your company logo and contact information.

Installing the Intune Connector

After setting up the Windows Intune subscription in the SCCM management console, your next step is to install the Windows Intune Connector Site System role. SCCM uses a concept with location roles that handle specific functions in SCCM management [7]. You need to add the Windows Intune Connector in the SCCM management console to the Administration | Overview | Site Configuration | Servers and Site System Roles node.

There is no need to modify the Intune Connector configuration. During the connector install, an additional Site System Role (Site System Server) named manage.microsoft.com is added; this is not configurable. Proceed by checking that the Site System role has installed correctly by checking the Monitoring | Overview | System Status | Site Status node in the SCCM management console [8].

Managing Mobile Devices

After installing the Intune Connector, you now have the matching extensions in the SCCM management console. They include support for Windows Phone 8.1, Apple iOS security setting, and email profile extensions to configure Exchange ActiveSync accounts on managed Apple iOS devices and support remote reset. To enable the extensions for Windows Intune, you need to terminate the SCCM management console and then launch it again.

Nothing should stop you from enrolling a mobile client now. Depending on the endpoint's platform and version, enrolling the device involves different activities. For example, you can download, register, and install the Intune enterprise portal application on Google Play for an Android device with version 4.0 or newer.

After installing the app, the device owner needs to log in with their Intune account and confirm the message on management through enterprise device policies. Then, the enrollment process in Intune starts, and the enrolled endpoint should immediately appear in the Intune management console and in the SCCM management console after a brief delay.

SCCM uses the Windows Intune Subscription to communicate with cloud services. SCCM administrators can now draw on many of the well-known SCCM technologies and management tasks to manage mobile devices, access hardware and software inventory features, or distribute apps to the endpoints. Additionally, policies for mobile devices can be created in the Intune management console and assigned to devices and device groups. The configuration options in the Intune policies go well beyond those for creating mobile device policies in Exchange Server 2013 and are easily on a par with many other commercial mobile device management offerings.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Smartphone management with Microsoft products
    Managing mobile devices is quickly becoming part of the administrator's daily grind. System Center Configuration Manager and Intune can help with this in Microsoft environments.
  • System Center 2012 SP1: What's new?
    Service Pack 1 expands System Center 2012 primarily in terms of features for virtualization and cloud computing. We provide the details in this article.
  • Endpoint Security for Windows 10
    Windows 10, build 21H1, has numerous protection mechanisms out of the box. We look at the option for delaying updates, the components and features of Microsoft Defender, and recommendations for hardening the operating system.
  • Azure AD with Conditional Access
    Trust is good, but controls are better. As more flexible working models become widespread, the boundaries of the classic perimeter are blurring and softening existing models of trust for adopting cloud software and data storage or running domain controllers or core applications in the cloud.
  • Advanced Windows security using EMET
    Although attacks on computers are numerous and varied, they are predominantly based on the same techniques. Microsoft closes these vulnerabilities on Windows computers using the Enhanced Mitigation Experience Toolkit (EMET).
comments powered by Disqus