Mobile Device Management Features

With the December 2012 release of Windows Intune, the fourth release in less than 2 years, Microsoft shifted heavily into mobile device management. By integrating with Configuration Manager 2012 SP 1, organizations could now see mobile devices natively inside of the ConfigMgr console, and not just those devices discovered via the Exchange connector. The key features delivered in Configuration Manager are listed here, followed by an explanation of each feature:

  • Device management
  • Device inventory
  • Policy settings management
  • Application distribution
  • Device retirement and remote wipe

For a detailed explanation of the use of the new features within ConfigMgr 2012 R2, see Chapter 8, “Mobile Device Management in Configuration Manager 2012 R2.”

Device Management

One of the exciting features supported within Intune is the ability to perform direct device management of modern smartphone platforms such as Windows Phone 8 and iOS. This over-the-air enrollment and management process no longer requires Exchange ActiveSync policies to manage settings on the devices.

The December 2012 release of Intune and the January 2013 release of ConfigMgr 2012 SP 1 accomplished mobile device management by leveraging a management channel that exists within the mobile OS, versus deploying a management agent (app) to the device to perform all the management functions. Therefore Intune did not support Android devices, and only supported Windows 8 RT (RTM). The Android operating system platform did not include an embedded management channel to deliver the functionality wanted by Microsoft. For Android policy and settings management, Microsoft still required the use of Exchange ActiveSync (EAS). Configuration Manager administrators could still see Android devices within the console; however, this required using the Exchange connector, and the Android device had to have Exchange ActiveSync configured.

With the release of Configuration Manager 2012 R2, a new version of Windows Intune, and the Windows 8.1 client OS, there are new options available to manage mobile devices. Android 4.x devices and Windows 8.1 (both x86 and ARM) can now be managed directly using the Intune management channel. To manage Android 4.x devices, users would install the new company portal application available for free in the Google Play Store, and enroll their device into Intune with this application. Windows 8.1 builds on the mobile management capabilities first added to Windows 8 RT. Using the embedded MDM agent, based on the Open Mobile Alliance–Device Management (OMA–DM) protocol, Windows 8.1 Intel x86-based machines can now be managed as mobile devices even though they are running a full Windows 8.1 OS. This is critical for Microsoft to expose since many BYOD scenarios include new full OS 8.1 devices. Without this option, companies would have to install the traditional ConfigMgr agent to manage the device. iOS and Windows Phone 8.x also added new enhancements to improve management functionality.

Device Inventory

Windows Intune supports gathering hardware inventory from the mobile device depending on mobile operating system support and settings defined within the ConfigMgr console. For devices that enrolled via Intune, Table A.1 identifies the attributes that are queried for and those devices that return the values.

TABLE A.1 Hardware Inventory Attributes from ConfigMgr R2 and Intune

Platform columns: WP8, Windows 8.1, iOS, Android (Using the Company Portal App)

Hardware Inventory Class:

  • Name
  • Unique Device ID
  • Serial Number
  • Email Address
  • Operating System Type
  • Operating System Version
  • Build Version
  • Service Pack Major Version
  • Service Pack Minor Version
  • Operating System Language
  • Total Storage Space
  • Free Storage Space
  • International Mobile Equipment Identity (IMEI)
  • Mobile Equipment Identifier (MEID)
  • Manufacturer
  • Model
  • Phone Number
  • Subscriber Carrier
  • Cellular Technology
  • Wi-Fi MAC

For those devices managed using EAS, the attributes are first returned to Exchange, and then they are placed into the ConfigMgr database if the ConfigMgr Exchange connector is configured. Without installing the Exchange connector role in ConfigMgr, the information only resides within Exchange. Mobile devices that are managed using Windows Intune and EAS would have duplicate information returned to ConfigMgr. In those instances, ConfigMgr merges the two data records together into the device object.

Prior to ConfigMgr 2012 R2, mobile device software inventory was limited to the line-of-business (LOB) applications that were installed on the devices. ConfigMgr could then be used to query and report the users and devices that installed various LOB applications. Windows Intune did not support querying for all the installed software in the ConfigMgr 2012 SP 1 release. Microsoft added support for full software device inventory in ConfigMgr 2012 R2 by adding a device setting that defines whether the device is company-owned or personally owned. Any mobile device that the ConfigMgr administrator defined as “company-owned” reports full software inventory to the extent that the device platform supports it. Currently, only iOS and Android support a full software inventory, which is returned during the hardware inventory cycle timeframe.

Policy Settings Management

Microsoft’s vision of “people-centric IT” and unifying all device management inside of ConfigMgr is extremely attractive for organizations. A benefit of this approach is seen within mobile device policy settings. ConfigMgr administrators use similar skills and tasks for creating mobile device policies as for creating PC compliance items and baselines. Table A.2 enumerates the mobile device settings provided for unified device management in ConfigMgr 2012 R2.

Expect ConfigMgr to release mobile device features as rapidly as possible, as seen with the February 2014 release of new iOS 7 security and data-retention policies, the new Exchange email profile configuration capability, and the May 2014 Windows Phone 8.1 policies.

For the latest policy and feature support list, review http://technet.microsoft.com/en-us/library/dn376523.aspx. To support the release of MDM features without requiring large architecture changes and system upgrades, Configuration Manager R2 includes a new node under Cloud Services called Extensions for Windows Intune. Chapter 7 includes additional information on how to receive and enable new MDM feature updates.

Application Distribution and the Windows Intune Company Portal

Windows Intune application distribution for mobile devices is a user-friendly approach to self-service provisioning. In ConfigMgr 2012 R2, Windows Intune added additional application delivery options, building on the SP 1 features, which now support the following:

  • Internal LOB apps written by the company.
  • External public store applications. Also called deep links, these are shortcuts to applications that reside in the public marketplaces of the device platform, such as the Windows Phone Store or Apple App Store.
  • Web links for users to access web-based applications.
  • Device-targeted application “push” deployments.

TABLE A.2 ConfigMgr R2 Unified Device Management Policy Settings

Platform columns: Windows Phone 8.x, Windows 8.1 Enrolled via Intune, iOS, Android (Using the Company Portal App)

| Device Setting Group | Settings | Values | Platform notes |
|---|---|---|---|
| Browser | Default browser | Allowed/Prohibited | Windows Phone 8.1 only |
| Browser | Autofill | Allowed/Prohibited | |
| Browser | Plug-ins | Allowed/Prohibited | |
| Browser | Active scripting | Allowed/Prohibited | |
| Browser | Pop-ups | Allowed/Prohibited | |
| Browser | Fraud warning | Allowed/Prohibited | |
| Browser | Cookies | Allowed/Prohibited | |
| Cloud | Encrypted backup | Allowed/Prohibited | |
| Cloud | Document synchronization | Allowed/Prohibited | |
| Cloud | Photo synchronization | Allowed/Prohibited | |
| Cloud | Cloud backup | Allowed/Prohibited | |
| Cloud | Settings synchronization | Allowed/Prohibited | Windows Phone 8.1 only; ✓ (GET only) |
| Cloud | Credentials synchronization | Allowed/Prohibited | ✓ (GET only) |
| Cloud | Synchronization over metered connection | Allowed/Prohibited | ✓ (GET only) |
| Cloud | Microsoft Account | Enabled/Disabled | Windows Phone 8.1 only |
| Content Rating | Adult content in media store | Allowed/Prohibited | |
| Content Rating | Ratings region | Country of choice | |
| Content Rating | Movie rating | Rating | |
| Content Rating | TV show rating | Rating | |
| Content Rating | App rating | Rating | |
| Device | Voice dialing | Allowed/Prohibited | |
| Device | Voice assistant | Allowed/Prohibited | |
| Device | Voice assistant while locked | Allowed/Prohibited | |
| Device | Screen capture | Enabled/Disabled | Windows Phone 8.1 only |
| Device | Video conferencing | Enabled/Disabled | |
| Device | Add game center friends | Allowed/Prohibited | |
| Device | Multiplayer gaming | Allowed/Prohibited | |
| Device | Personal wallet software while locked | Allowed/Prohibited | |
| Device | Diagnostic data submission | Enabled/Disabled | Windows Phone 8.1 only |
| Device | Geolocation | Enabled/Disabled | Windows Phone 8.1 only |
| Device | Copy and Paste | Enabled/Disabled | Windows Phone 8.1 only |
| Encryption | File encryption on mobile device | On/Off | ✓ (GET only); ✓, for Android 4 |
| Internet Explorer | Go to intranet site for single word entry | Allowed/Prohibited | |
| Internet Explorer | Always send Do Not Track header | Allowed/Prohibited | |
| Internet Explorer | Intranet security zone | Allowed/Prohibited | |
| Internet Explorer | Security level for Internet zone | High, Medium-high, Medium | ✓ (GET only) |
| Internet Explorer | Security level for intranet zone | High, Medium-high, Medium, Medium-low, Low | ✓ (GET only) |
| Internet Explorer | Security level for trusted sites zone | High, Medium-high, Medium, Medium-low, Low | ✓ (GET only) |
| Internet Explorer | Security level for restricted sites zone | High | ✓ (GET only) |
| Internet Explorer | Namespace exists for browser security zone | Sites | |
| Password | Require password settings on mobile devices | Required | ✓, for Android 4 |
| Password | Password complexity | PIN, Strong | |
| Password | Idle time before mobile device is locked (minutes) | 1 minute - 12 hours | ✓, for Android 4 |
| Password | Minimum password length (characters) | 4–18 | ✓, for Android 4 |
| Password | Number of passwords remembered | 0-50 | ✓, for Android 4 |
| Password | Password expiration in days | 1-365 | ✓, for Android 4 |
| Password | Number of failed logon attempts before device is wiped | 0-100 | ✓, for Android 4 |
| Password | Password quality | Low security biometric, Required, At least numeric, At least alphabetic, Alphanumeric with symbols | ✓, for Android 4 |
| Roaming | Allow voice roaming | Allowed/Prohibited | |
| Roaming | Allow data roaming | Allowed/Prohibited | |
| Security | Removable storage | Allowed/Prohibited | |
| Security | Camera | Allowed/Prohibited | Windows Phone 8.1 only; ✓, for Android 4.1 |
| Security | Bluetooth | Allowed/Prohibited | Windows Phone 8.1 only; ✓ (GET only) |
| Security | Allow app installation | Allowed/Prohibited | |
| Security | Near field communication (NFC) | Enabled/Disabled | Windows Phone 8.1 only |
| Store | Application store | Allowed/Prohibited | Windows Phone 8.1 only |
| Store | Force application store password | Enabled/Disabled | ✓, this setting applies to iTunes only |
| Store | In-app purchases | Allowed/Prohibited | |
| System Security | User to accept untrusted TLS certificates | Allowed/Prohibited | |
| System Security | User access control | Always notify, Notify app changes, Notify app changes (do not dim desktop), Never notify | |
| System Security | Network firewall | Required | ✓ (GET only) |
| System Security | Updates | Automatic updates is required | |
| System Security | Virus protection | Required | ✓ (GET only) |
| System Security | Virus protection signatures are up-to-date | Required | ✓ (GET only) |
| System Security | SmartScreen | Enabled/Disabled | |
| System Security | Lock screen control center | Enabled/Disabled | ✓ (iOS 7) |
| System Security | Lock screen notification view | Enabled/Disabled | ✓ (iOS 7) |
| System Security | Lock screen today view | Enabled/Disabled | ✓ (iOS 7) |
| System Security | Fingerprint for unlocking | Allowed/Prohibited | ✓ (iOS 7) |
| Data Protection | Open managed documents in other unmanaged apps | Allowed/Prohibited | ✓ (iOS 7) |
| Data Protection | Open unmanaged documents in other managed apps | Allowed/Prohibited | ✓ (iOS 7) |
| Windows Server Work Folders | Work folders URL | URL | |
| Email Management | Custom Email account | Enabled/Disabled | Windows Phone 8.1 only; ✓ (iOS 7) |
| Wireless Communication | Wi-Fi Tethering | Enabled/Disabled | Windows Phone 8.1 only |
| Wireless Communication | Offload data to Wi-Fi when possible | Enabled/Disabled | Windows Phone 8.1 only |
| Wireless Communication | Wi-Fi hotspot reporting | Enabled/Disabled | Windows Phone 8.1 only |
| Wireless Communication | Wireless network connection | Enabled/Disabled | Windows Phone 8.1 only |

To install the available self-service applications, users leverage a company portal application on their mobile device. In ConfigMgr 2012 R2, Microsoft shows their commitment to a consistent user experience by releasing updated company portal applications for Windows Phone 8 and Windows 8.1, along with new company portal applications for iOS and Android that bring parity to functionality and appearance. However, the company portal is used for more than just application delivery; it is designed to allow a user to have control over their devices and is tailored to each device platform. In addition to accessing applications that were published to that user, the company portal is used to enroll iOS and Android devices, and even control aspects of other devices linked to that user account. The exact functionality in the Company Portal depends on the device platform. Table A.3 lists company portal features.

TABLE A.3 Company Portal Features

Platform columns: Windows 8.1, Windows Phone 8.x, iOS, Android

Action Taken:

  • Enroll local device
  • Rename devices
  • Retire local device
  • Wipe other devices remotely
  • Install company line of business apps
  • Install deep-linked apps from Public Stores
  • Install or launch web-based application links

Device Retirement and Remote Wipe

Windows Intune provides two distinct functions for a mobile device that is either lost/stolen or at end-of-life for management. Mobile devices can be retired from management, which breaks the management channel so that the device no longer receives management policies. Both administrators and users have the ability to perform this action, which could also be considered a “selective wipe” procedure, as it removes company applications, data, and management policies. Mobile devices can also be remotely wiped; for those devices that support that command, it is a factory reset of the device.
