Mobile device management in System Center 2012 Configuration Manager
Updated: July 27, 2015
Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1
You already have Configuration Manager to manage PCs and servers, and now you need a way to manage mobile devices. This topic provides information to help you to choose and implement the right mobile device management (MDM) option with Configuration Manager. If you don't have Configuration Manager, you can use either Microsoft Intune or built-in MDM for Office 365 to manage mobile devices.
MDM options in Configuration Manager
You will choose one or more MDM options based on the mobile device platforms that you have in your environment and the management functionality that you need. For example, you must use both Configuration Manager with Intune and the Exchange Server connector to configure conditional access policies for devices that connect to on-premises Exchange. System Center 2012 Configuration Manager provides the following options to help you manage the mobile devices in your environment:
MDM option | Use this option to:
---|---
Configuration Manager with Microsoft Intune |
Configuration Manager with Exchange Active Sync |
Configuration Manager Mobile Device Enrollment |
Configuration Manager with the legacy client |
If you still aren't sure which option is right for you, see Determine How to Manage Mobile Devices in Configuration Manager for the technical details. To review the supported hardware and operating systems for these options, see Mobile Device Requirements.
Configuration Manager with Microsoft Intune
When you extend Configuration Manager with Microsoft Intune, the hybrid option, you get the most advanced management functionality for the most popular mobile device platforms.
Extend Configuration Manager with Microsoft Intune to manage mobile devices
What's new for MDM
Check for recently released mobile device management features in the hybrid option. If you have Intune without Configuration Manager, see What's new in Microsoft Intune instead.
Prerequisites to manage mobile devices
Before you can manage mobile devices in the hybrid option, you must make sure all prerequisites are in place, configure the Microsoft Intune subscription, add the Microsoft Intune Connector site system role, and prepare for mobile device enrollment. For step-by-step instructions, see Manage Mobile Devices with Configuration Manager and Microsoft Intune. For a checklist of steps, see Administrator Checklist: Configuring Configuration Manager to Manage Mobile Devices by Using Microsoft Intune.
Enroll corporate-owned iOS Devices using the Apple Device Enrollment Program
Beginning with System Center 2012 Configuration Manager SP2, you can enroll corporate-owned iOS devices using the Apple Device Enrollment Program (DEP). This process automates MDM enrollment for corporate-owned iOS devices so the devices are already configured and ready to activate for your users.
Ways to protect corporate data
Because mobile devices can store sensitive corporate data and provide access to many corporate resources, protect your data with remote wipe, remote lock, or passcode reset using Configuration Manager. You can initiate a full wipe to restore the device to its factory settings or a selective wipe to remove only company data. Beginning with System Center 2012 Configuration Manager SP2, you can initiate a remote lock to help secure a device that might be lost and reset the device passcode.
Control device configurations with compliance settings
In the hybrid option, you can create configuration items to configure compliance settings for enrolled mobile devices. These settings include general security, kiosk mode, and app compliance.
Note
Be sure to review Introduction to Compliance Settings in Configuration Manager before you create compliance settings for mobile devices.
Deploy apps to mobile devices
In the hybrid option, you can create and deploy apps to mobile devices. The apps appear in the company portal on the devices.
Note
Be sure to review Introduction to Application Management in Configuration Manager before you create and deploy applications for mobile devices.
Control apps using mobile application management policies
Beginning with System Center 2012 Configuration Manager SP2, you can control apps using mobile application policies that let you modify the functionality of deployed apps to help bring them into line with your company compliance and security policies. For example, you can restrict cut, copy and paste operations within a restricted app, or configure an app to open all web links inside a managed browser.
Collect inventory for mobile devices
In the hybrid option, you can collect hardware inventory for iOS, Android, and Windows devices by enabling certain hardware inventory classes. You can also collect software inventory of the apps installed on mobile devices. The apps that are inventoried will depend on whether the device is company-owned or personal-owned. For personal devices, the only apps that are inventoried are apps that are managed by Microsoft Intune.
Use profiles to allow access to data and applications from remote locations
When you integrate Configuration Manager with Microsoft Intune, company resource access provides a set of tools and resources that enable you to give users in your organization access to data and applications from remote locations. Use the following to help you find information about company resource access. For more information, see Remote Connection Profiles in Configuration Manager.
Remote connection profiles in Configuration Manager: Use remote connection profiles to allow your users to remotely connect to work computers when they are not connected to the domain or if their personal computers are connected over the Internet. By deploying these settings, you minimize the effort that end users require to connect to their computers on the corporate network.
Certificate Profiles in Configuration Manager: Use certificate profiles to help you provision computers in your organization with the certificates that users require to connect to various company resources.
VPN Profiles in Configuration Manager: Use VPN profiles to help you create, deploy, and monitor VPN profiles. By deploying these settings, you reduce the end-user effort that is required to connect to resources on the company network.
Wi-Fi Profiles in Configuration Manager: Use Wi-Fi profiles to help you create, deploy, and monitor wireless network settings to devices in your organization. By deploying these settings, you minimize the effort that end users require to connect to corporate wireless networks.
Email Profiles in Configuration Manager: Use email profiles to help you create, deploy and monitor email settings on devices. This enables users to access corporate email on their personal devices without any required setup on their part.
Conditional Access in Configuration Manager: Use conditional access to help you secure email and other services depending on conditions you specify. When devices do not meet the conditions, the user is guided through the process of enrolling the device and fixing the issue that is preventing the device from being compliant. To use conditional access for devices that connect to Exchange Online dedicated or Exchange on-premises, you must install the Exchange Server connector.
Manage Internet access using managed browser policies: Beginning with System Center 2012 Configuration Manager SP2, deploy the Intune Managed Browser, a web browsing application, and associate the application with a managed browser policy. The managed browser policy configures an allow list or a block list that restricts the web sites that users of the managed browser can visit.
Configuration Manager with Exchange Active Sync
Use the Exchange Server connector in System Center 2012 Configuration Manager when you want to manage mobile devices that connect to Exchange Server (on-premises or online) by using the Microsoft Exchange ActiveSync protocol. You can configure Exchange mobile device management features, such as remote device wipe and settings control for multiple Exchange servers, from the Configuration Manager console. To use conditional access for devices that connect to Exchange Online dedicated or Exchange on-premises, you must install the Exchange Server connector with Configuration Manager and Intune.
Connect to Exchange to manage mobile device settings
Prerequisites to manage mobile devices that connect to Exchange Server
Before you can manage mobile devices by using Configuration Manager and Exchange, you must install the Exchange Server connector site system role. For step-by-step instructions, see How to Manage Mobile Devices by Using Configuration Manager and Exchange.
Configure general settings for mobile devices that connect to Exchange Server
You can create configuration items to configure settings for mobile devices that connect to Exchange Server. These are the settings in the default Exchange ActiveSync mailbox policies. You can configure general settings for mobile devices in the password, browser, security, and encryption groups. For example, in the password group setting, you can configure whether mobile devices require a password, the minimum password length, password complexity, and whether password recovery is allowed.
Note
Be sure to review Introduction to Compliance Settings in Configuration Manager before you create compliance settings for mobile devices.
Configuration Manager Mobile Device Enrollment
You can manage Windows Mobile and Nokia Symbian Belle mobile devices when they are enrolled with Configuration Manager. This enables hardware inventory, software deployment for required applications, settings, and remote wipe on these devices.
Prerequisites to manage Windows Mobile and Nokia Symbian mobile devices
When you enroll Windows Mobile and Nokia Symbian mobile devices by using System Center 2012 Configuration Manager, the Configuration Manager client is installed on the devices to provide management capabilities. For step-by-step instructions, see How to Install Clients on Windows Mobile and Nokia Symbian Devices Using Configuration Manager.
Deploy apps to Windows Mobile and Nokia Symbian mobile devices
After Windows Mobile and Nokia Symbian Belle mobile devices are enrolled with Configuration Manager, you can create and deploy required applications to these mobile devices.
Note
Be sure to review Introduction to Application Management in Configuration Manager before you create and deploy applications for mobile devices.
Configure compliance settings for Windows Mobile and Nokia Symbian Belle mobile devices
You can create configuration items to configure settings for Windows Mobile and Nokia Symbian Belle mobile devices. You can configure general settings for mobile devices in the password, email management, security, peak synchronization, roaming, encryption, and wireless communications groups. For example, in the password group setting, you can configure whether mobile devices require a password, the minimum password length, password complexity, and whether password recovery is allowed.
Note
Be sure to review Introduction to Compliance Settings in Configuration Manager before you create compliance settings for mobile devices.
Configuration Manager with the legacy client
You can manage mobile devices that run Windows CE or Windows Mobile 6.0 operating systems by using the Configuration Manager legacy client. This enables hardware and software inventory and lets you collect files, manage configurations, and distribute packages and programs.
Prerequisites to manage Windows CE or Windows Mobile 6.0 mobile devices
When you enroll Windows CE or Windows Mobile 6.0 mobile devices by using the legacy client, the Configuration Manager client is installed on the devices to provide management capabilities. For step-by-step instructions, see Mobile Device Management in Configuration Manager in the Configuration Manager 2007 documentation library.
Collect inventory for Windows CE or Windows Mobile 6.0 mobile devices
When you use the legacy client, Configuration Manager collects hardware inventory and software inventory for Windows CE or Windows Mobile 6.0 mobile devices.
Deploy packages and programs to Windows CE or Windows Mobile 6.0 mobile devices
You can deploy packages and programs to mobile devices that run the legacy client, but not applications or software updates.
Configure compliance settings for Windows CE or Windows Mobile 6.0 mobile devices
You can create configuration items to configure settings for Windows CE or Windows Mobile 6.0 mobile devices. You can configure general settings for mobile devices in the password, email management, security, peak synchronization, roaming, encryption, and wireless communications groups. For example, in the password group setting, you can configure whether mobile devices require a password, the minimum password length, password complexity, and whether password recovery is allowed.
Note
Be sure to review Introduction to Compliance Settings in Configuration Manager before you create compliance settings for mobile devices.