Determine How to Manage Mobile Devices in Configuration Manager
Updated: May 14, 2015
Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1
Use the information in this topic to help you decide how to manage mobile devices in System Center 2012 Configuration Manager. There are different options for you to choose from depending on the mobile device platforms that you have in your environment and the management functionality that you need. The following options are available:
Microsoft Intune enrollment supports all major mobile device operating systems, including Windows Phone, Windows RT, iOS, and Android. It also provides the most advanced management functionality, allows you to manage any mobile device from any location, and provides a single management console to manage mobile devices and on-premises computers.
The Exchange Server connector enables Configuration Manager to connect to multiple Exchange servers, centralizing management of devices that can connect to Exchange ActiveSync. You can configure Exchange mobile device management features, such as remote device wipe and settings control for multiple Exchange servers, from the Configuration Manager console.
Configuration Manager mobile device enrollment provides robust management including software deployment and configuration baselines for Windows Mobile and Nokia Symbian Belle operating systems.
The mobile device legacy client provides software deployment, software inventory, and monitoring for Windows CE and Windows Mobile 6.0 operating systems.
General information to help you choose a mobile device management solution
Use the information in this section as general guidance to choose a mobile device management solution.
Enrollment by Microsoft Intune
Manage mobile devices by integrating Microsoft Intune with Configuration Manager to enroll mobile devices when the following conditions apply:
The mobile device platform is supported by Microsoft Intune mobile device enrollment.
You want additional management features or settings that are not supported by the other mobile device management options.
Enrollment by Configuration Manager
Use Configuration Manager to enroll mobile devices when the mobile operating system is supported by System Center 2012 Configuration Manager mobile device enrollment and when both of the following conditions apply:
You have a Microsoft enterprise CA to issue and manage the required certificates.
You want the additional management features or settings that are not supported by the Exchange Server connector, such as software installation and full hardware inventory.
Important
If the mobile device synchronizes with Exchange Server, set the Exchange flag AllowExternalDeviceManagement to ensure that the mobile device continues to receive email from Exchange after it is enrolled by Configuration Manager. If you install the Configuration Manager Exchange Server connector, you can set this flag by configuring the option External mobile device management in the Exchange Server connector properties. If you do not install the connector, you must set this flag by using the Exchange management tools. For example, use the PowerShell cmdlet Set-ActiveSyncMailboxPolicy with the parameter AllowExternalDeviceManagement.
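The following is an added example, not part of the original topic, of checking and setting the AllowExternalDeviceManagement flag from the Exchange Management Shell with Get-ActiveSyncMailboxPolicy and Set-ActiveSyncMailboxPolicy. The function name and its parameters are hypothetical, and the sketch assumes that the Exchange cmdlets are already loaded in the session.

```powershell
# Added example. Assumption: run in the Exchange Management Shell, where
# Get-ActiveSyncMailboxPolicy and Set-ActiveSyncMailboxPolicy are available.
# Invoke-ExternalDeviceManagementAudit is a hypothetical helper name.
function Invoke-ExternalDeviceManagementAudit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Optional: limit the check to these policy names (default: all policies).
        [string[]]$PolicyName,
        # Without this switch the function only reports; nothing is changed.
        [switch]$Remediate
    )

    # @() keeps the result an array, so an empty result is not iterated.
    $policies = @(Get-ActiveSyncMailboxPolicy)
    if ($PolicyName) {
        $policies = @($policies | Where-Object { $PolicyName -contains $_.Name })
    }

    foreach ($policy in $policies) {
        $enabled = [bool]$policy.AllowExternalDeviceManagement

        # Change only policies that have the flag off, and honor -WhatIf.
        if (-not $enabled -and $Remediate -and
            $PSCmdlet.ShouldProcess($policy.Name, 'Enable AllowExternalDeviceManagement')) {
            Set-ActiveSyncMailboxPolicy -Identity $policy.Identity `
                -AllowExternalDeviceManagement $true -Confirm:$false
            $enabled = $true
        }

        # One output object per policy, showing the state after any change.
        New-Object PSObject -Property @{
            Policy                        = $policy.Name
            AllowExternalDeviceManagement = $enabled
        }
    }
}

# Report the current state of every policy.
Invoke-ExternalDeviceManagementAudit | Format-Table -AutoSize

# Preview which policies would be changed, without changing them.
Invoke-ExternalDeviceManagementAudit -Remediate -WhatIf | Out-Null
```

Pass -PolicyName to restrict the change to the mailbox policies that are assigned to users whose devices are enrolled by Configuration Manager, rather than enabling the flag on every policy.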
Mobile device legacy client
Use the mobile device legacy client when the mobile operating system is not supported by Microsoft Intune or System Center 2012 Configuration Manager mobile device enrollment and when both of the following conditions apply:
You can install the required PKI certificates on the mobile device and the Configuration Manager site systems (management point and distribution point).
You want to install software packages on the mobile device and collect hardware inventory.
Exchange Server connector
Manage mobile devices by using the Exchange Server connector when the mobile device can connect to Exchange Server by using ActiveSync and when either of the following conditions applies:
You do not require the security that a PKI offers or you do not have a PKI.
You do not require all the management functions and settings that enrollment provides.
Choose a mobile device management solution based on supported mobile device platforms
Beginning with System Center 2012 Configuration Manager SP1, you can enroll devices that run Windows Phone 8, Windows RT, and iOS by using the Microsoft Intune connector. You can also use the Exchange Server connector, use Configuration Manager to enroll mobile devices and install the Configuration Manager client, or use the mobile device legacy client (for example, for Windows CE mobile operating systems).
Use the following table to help you decide which mobile device management methods support the mobile device platforms you have in your environment.
Note
Not all mobile device platforms are listed in this table. For more information about the mobile operating systems that System Center 2012 Configuration Manager supports, see Mobile Device Requirements.
Platform |
Enrollment by Microsoft Intune1 |
Enrollment by Configuration Manager2 |
Mobile device legacy client3 |
Exchange Server connector4 |
---|---|---|---|---|
iOS |
Yes |
Yes |
||
Android |
Yes |
Yes5 |
||
Windows Phone 8.1 |
Yes |
Yes |
||
Windows Phone 8 |
Yes |
Yes |
||
Windows 8.1 RT |
Yes |
Yes |
||
Windows 8 RT |
Yes |
Yes |
||
Windows 8.1 |
Yes |
Yes |
||
Windows Phone 7 |
Yes |
|||
Nokia Symbian Belle |
Yes |
Yes |
||
Windows Mobile 6.5 |
Yes |
Yes |
||
Windows Mobile 6.1 |
Yes |
Yes |
||
Windows CE 5.0 (Arm and x86 processors) |
Yes |
Yes |
||
Windows CE 6.0 (Arm and x86 processors) |
Yes |
Yes |
||
Windows CE 7.0 (Arm and x86 processors) |
Yes |
Yes |
||
Windows Mobile 6.0 |
Yes |
Yes |
1 For details about what Configuration Manager versions support enrollment by Microsoft Intune, see Mobile Devices Enrolled by Microsoft Intune.
2 For details about what Configuration Manager versions support enrollment by Configuration Manager, see Mobile Devices Enrolled by Configuration Manager.
3 For details about what Configuration Manager versions support enrollment by using the mobile device legacy client, see Mobile Device Legacy Client.
4 Configuration Manager offers limited management for mobile devices when you use the Exchange Server connector for Exchange ActiveSync (EAS) capable devices that connect to a server running Exchange Server or Exchange Online. For details about what Configuration Manager versions support enrollment by using the Exchange Server connector, see Mobile Device Support by Using the Exchange Server Connector.
5 Many mobile phones and tablets with the Android operating system support Exchange ActiveSync. However, these mobile devices may not support all available mobile device mailbox policies.
Choose a mobile device management solution based on management functionality
After you narrow down the mobile device management methods that you can use for the mobile device platforms you have in your environment, use the following table to decide which management method provides the management functionality that you need.
Management functionality | Enrollment by Microsoft Intune | Enrollment by Configuration Manager | Mobile device legacy client | Exchange Server connector |
---|---|---|---|---|
Public key infrastructure (PKI) security between the mobile device and Configuration Manager by using mutual authentication and SSL to encrypt data transfers | Yes | Yes. More information: Requires Active Directory Certificate Services and an enterprise certification authority (CA). The mobile device certificates are installed automatically by Configuration Manager during the enrollment process. | Yes. More information: Any PKI that meets the certificate requirements. The mobile device certificates must be installed independently from Configuration Manager. | No |
Client installation | No. More information: Instead of a client, the user installs or connects to a company portal. | Yes. More information: Installed by the user from the browser on the mobile device. | Yes. More information: Installed by an administrative user by deploying a package and program. | No |
Support over the Internet | Yes | Yes | Yes | Yes |
Discovery | No | No | No | Yes |
Hardware inventory | Yes | Yes. More information: You can collect default information and create your own customized hardware inventory. | Yes | Yes. More information: Limited by what Exchange Server collects. |
Software inventory | No | No | Yes. More information: List of installed software only; you cannot inventory all files and you cannot collect files. | No |
Settings | Yes | Yes. More information: Deploy configuration baselines that contain mobile device configuration items. You can configure default settings and create your own customized settings. | No | Yes. More information: Limited by the settings in the default Exchange ActiveSync mailbox policies. |
Software deployment | Yes. More information: You can deploy available apps that users can download from the company portal. | Yes. More information: You can deploy required applications (install and uninstall), but not packages or software updates. Available applications, which users request from the Application Catalog, are not supported for mobile devices. Mobile devices also do not support simulated deployments. | Yes. More information: You can deploy packages, but not applications or software updates. | No |
Monitor with the fallback status point | No | No | Yes | No |
Connections to management points | No | Yes. More information: A single management point in the client’s assigned (primary) site. | Yes. More information: A single management point in primary sites and secondary sites. | No |
Connections to distribution points | Yes. More information: manage.microsoft.com is the only distribution point that is used. | Yes. More information: Distribution points in the assigned (primary) site. | Yes. More information: Distribution points in primary sites and secondary sites. | No |
Block from Configuration Manager | Yes | Yes | Yes | No |
Quarantine and block from Exchange Server (and Configuration Manager) | No | No | No | Yes |
Remote wipe | Yes | Yes. More information: By Configuration Manager and by a user from the Configuration Manager Application Catalog. | No | Yes. More information: By Configuration Manager and by a user if supported by Exchange. |
For more information about the mobile operating systems that System Center 2012 Configuration Manager supports, see Supported Configurations for Configuration Manager.
Dual Management: Enrolled by Configuration Manager and Managed by Using the Exchange Server Connector
You can enroll a mobile device by using Configuration Manager and also manage it by using the Exchange Server connector. In this scenario, although you see only one mobile device in the Configuration Manager console, the mobile device is under dual management, which has the following consequences:
No settings are applied from the Exchange Server connector; you must configure the mobile device settings by deploying a configuration baseline.
If you collect hardware inventory by enabling the client setting for hardware inventory and by using the Exchange Server connector, the hardware inventory information from the mobile device is consolidated by Configuration Manager.