As part of the Community Evaluation Program (CEP), the 9th live meeting about System Center Configuration Manager 2012 was scheduled for today. The main subject was Mobile Device Management in SCCM 2012.
At this moment Microsoft has three major products for managing mobile phones: Mobile Device Manager (MDM) 2008, SCCM 2007 and Exchange 2007/2010. The functionality of MDM 2008 SP1 and SCCM 2007 was combined in SCCM 2007 R3. SCCM 2012 will offer the same functionality as SCCM 2007 R3 plus some nice enhancements and new features.
This blog is a summary of the CEP session about SCCM 2012 Mobile Device Management.
Mobile phones in the enterprise today
Today mobile devices in the enterprise form a heterogeneous environment; companies can no longer standardize on one platform. Employees bring their own mobile device to work and want to synchronize their email and calendar information. Half of all smartphones used in North American businesses are not company owned.
Exchange admins end up managing most mobile devices, because that management is done through Exchange ActiveSync policies.
Microsoft Mobile device management
There are two sorts of mobile device management in SCCM 2012: light mobile device management and depth mobile device management.
- Single “pane of glass” for managing desktops, servers and mobile devices
- Exchange connector
- Depth management of WinCE 6.0, WM 6.0/6.1, WP 6.5 and Nokia Symbian based devices
- Secure over the air enrollment
- Monitor and remediate non-compliant devices
- Deploy applications and configuration policies to users or devices
- Mobile VPN is not required anymore to connect to the Device Management environment
Exchange Connector for SCCM 2012
Light Mobile device management via Exchange connector:
- Provides a single pane of glass for all assets in the enterprise
- Transfers mobile device administration from Exchange to SCCM
- Rich inventory and reporting experience
- Define organization level ActiveSync Policy
- Device wipe
- Supports Exchange 2010 and hosted Exchange
- Supports all EAS capable devices, including WP7, Symbian, iOS, Android, Palm, etc.
Configuring Exchange Connector in SCCM 2012
Configuring the Exchange Connector in SCCM 2012 is easy: you only need to supply the address of the Exchange server (I think the Client Access Server) and a service account. The service account can be given limited access through RBAC (option: Mobile Device Management).
In SCCM 2012 you configure the EAS policy on the primary site, which deploys it to Exchange and Active Directory. The EAS policy offers the same settings as Exchange Server 2010; one of them is disabling POP3 and IMAP access.
Exchange Connector experience
The “All Mobile Devices” collection is the place to find all devices discovered in Exchange.
You can view information about discovered mobile devices through the Resource Explorer: hardware information, software settings, inventory and ActiveSync properties. You can also remotely wipe the mobile device (or cancel the request 😉).
The Exchange connector gives us basic reporting about the following:
- What mobile devices are in the enterprise?
- Exchange policy summarization (compliance)
- Which mobile devices are compliant?
- Which mobile devices are not compliant?
Discovery of mobile devices flows from Exchange/AD to SCCM.
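As an added example, not from the CEP session or from ConfigMgr itself, this is the Exchange 2010 Management Shell equivalent of what the connector drives: an organization-level ActiveSync policy that requires a device password and disables POP3/IMAP, its assignment to a mailbox, a compliance listing of discovered devices, and a remote wipe that only takes effect at the device's next synchronization. The policy name, mailbox address and device identity are constructed placeholders.

```powershell
# Added example: Exchange 2010 Management Shell equivalents of the EAS policy,
# compliance reporting and remote wipe that the SCCM 2012 Exchange connector
# exposes. All names below are constructed placeholders.

# 1. Organization-level ActiveSync policy: password required, lock after
#    15 minutes idle, wipe after 10 failed attempts, no POP3/IMAP from the
#    device, and refuse devices that cannot apply the policy at all.
$policy = New-ActiveSyncMailboxPolicy -Name "Corp-Mobile-Baseline" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock "00:15:00" `
    -MaxDevicePasswordFailedAttempts 10 `
    -AllowPOPIMAPEmail $false `
    -AllowNonProvisionableDevices $false

# 2. Assign the policy to a mailbox (loop over Get-Mailbox for the whole org).
Set-CASMailbox -Identity "user@contoso.example" -ActiveSyncMailboxPolicy $policy.Identity

# 3. Compliance view: devices that have NOT applied the policy in full.
#    This is the same data the connector summarizes as compliant / not compliant.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity -ErrorAction SilentlyContinue
} | Select-Object DeviceFriendlyName, DeviceType, DeviceOS,
        DevicePolicyApplied, DevicePolicyApplicationStatus, LastSuccessSync |
    Where-Object { $_.DevicePolicyApplicationStatus -ne "AppliedInFull" } |
    Format-Table -AutoSize

# 4. Remote wipe of one device. The command only queues the wipe; as the
#    session notes, a light-managed device is wiped at its next email sync.
Clear-ActiveSyncDevice -Identity "<device identity from Get-ActiveSyncDevice>" -Confirm:$false
```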
Depth vs Light Management
The difference between light management and depth management is shown in the following table.
Feature | Light: Exchange ActiveSync connected devices | Depth: WM 6.1, WP 6.5.x | Depth: Nokia Symbian | Depth: WM 6.0, CE 6.0
--- | --- | --- | --- | ---
Over the air enrolment | V | V | |
Inventory | V | V | V | V
Settings Management | V | V | V |
Software Distribution | V | V | V |
Remote Wipe | V | V | V |
Depth Device Management Topology
- Key server roles for Device Management in SCCM 2012:
  - Enrollment Web Proxy
  - Enrollment Service Point
  - Software Catalog roles (optional)
  - Management Point
  - Distribution Point
- Management is done over HTTPS
- A Microsoft Enterprise CA is required (SCCM native mode)
Mobile device enrollment
- Establishes mutual trusts between the device and the management server
- Windows Phone 6.5.x, WM 6.1 and Nokia devices are enrolled and provisioned securely (HTTPS) over the air
- WinCE 6.0 and WM 6.0 enrollment performed as in SCCM 2007
Prerequisite
The user-targeting client setting, assigned to collections, is used to allow those users to enroll mobile devices.
Installation process:
- The user downloads Configmgrenroll[1].cab to the mobile device
- The enrollment client is installed by the user
- The user supplies email address and password
- The enrollment client autodiscovers the server address
- The client polls for policies / registration
Registered mobile devices
- Are added to site
- More Inventory information
Once registered, the administrator has more reporting functionality, such as the following hardware information in the Resource Explorer:
- Device Client Agent Version
- Device Computer System
- Device Display
- Device Installed Applications
- Device Memory
- Device OS Information
- Device Password
- Device Power
- System
- Workstation Status
The Software Catalog also integrates with depth-managed mobile devices: users can wipe their own mobile devices from it. You are also able to bind a mobile device to a specific user.
Remote Device Wipe
- Admins can wipe a mobile device from the management console
- Users can wipe from the software catalog
- The wipe action is always scheduled:
  - Depth managed devices: the wipe is scheduled for the next DM session
  - Light managed devices: wiped at the next email synchronization
  - Dual managed devices: next DM session or email synchronization, whichever comes first
Mobile device settings management
- Fully integrated experience with non-mobile configuration and settings management
- Supports monitoring and enforcement
- Standard settings groups with simplified UI
- Supports admin defined settings via mobile registry or OMA-URI
- Evaluation is done on the server and remediation commands are sent to the client
- Baseline settings can be user or devices targeted
New Features for software distribution
As mentioned in an earlier blog, the Application Model has changed in SCCM 2012.
- Application Model
  - Incorporates all supported software types (MSI, script, App-V, mobile CAB)
  - Greatly improved dependency handling
  - Installation requirement rules
  - Installation detection methods
  - Application supersedence
  - Application uninstall
  - User device affinity
  - Unified monitoring experience
- Content Management
  - Distribution point groups
  - Content Library
  - Improved content monitoring experience
Application distribution / deployment process for mobile devices:
- Create an application with one or more deployment types
- Create / get the policy for required applications
- Only required apps are supported
- Get the source from the DP
- Install
- Report back to the MP
The next CEP session is about SCCM 2012 migration. In my opinion a very interesting session, because Microsoft announced at TechEd last year that migrating from SCCM 2007 to SCCM 2012 is very easy 🙂
I am able to connect my device with the Exchange connector in SCCM 2012 Beta 2, but I couldn’t deploy any application in it (xap file). Need a step by step documentation for the following concepts.
1.Password/Pin enforcement
2.Application deployment (Application deployment process for mobile devices)
3.Application update deployment
4.Remote data wipe
5.Policy enforcement
Mainly I need the steps to deploy an application in my mobile device via exchange connector in System Center Configuration Manager 2012.
Hi Saranya, you are not able to install apps via the Exchange connector. The Mobile device needs to support thick management because you will need to install the Configuration Manager 2012 client on the mobile device. See for instance this blog for more information: http://www.systemcenterblog.nl/2011/07/24/mobile-device-support-in-configuration-manager-2012/
Hi,
Thanks for the great write-up. I have the question about AD pwd change and manual re-type of new pwd on the activesync device.
Every company has a pwd expiration policy defined, so it comes to a day a user changes their AD pwd and of course, as the normal process, he’s required to update the new pwd on his ActiveSync device(s).
With SCCM 2012 mobile client management/registration/OTA enrollment, does it help to streamline the traditional pwd-change-update process? So SCCM 2012 Mobile client management server might become a Blackberry-Server like where it pulls and pushes the email to the user’s device (once the device is registered/enrolled to its device management database)
I hope/wish this can be done via SCCM 2012 mobile client management or something Microsoft might develop in the near future?
Thx,
jha
Hi, thanks for your message. It would indeed be very nice if there were such an option. But since no Mobile ConfigMgr Client is installed on the device, ConfigMgr communicates through the Exchange Server. The ability to change the password must come from the Exchange Server.
Cheers,
Peter