As with Mac OS X, Configuration Manager 2012 supports the management of Compliance Settings for mobile devices; unfortunately, not all of the settings can be applied to every kind of mobile device. Since settings management is very important in the mobile device world, this blog gives you an overview of the configurable settings per supported platform. Settings can be applied via the Windows Intune integration, via the Exchange Server Connector and via direct management; the tables below describe the options for direct management, for mobile device management via Windows Intune and for the Exchange Server Connector.
This blog is divided into two sections: one for settings management via Compliance Baselines, which is supported via Windows Intune and direct management, and one that describes the options with the Exchange Server Connector.
Management via Compliance Settings
(Windows Intune & Direct Management)
Password
Synchronizing company email with a private or company-owned mobile device is always a risk; therefore you definitely want to configure password protection for the mobile device. The following table lists the settings and the supported platforms per setting.
Feature | Supported platforms |
Require password settings on mobile devices (Not Configured/Required) | |
Minimum password length (number) | |
Password expiration (number) | |
Number of passwords remembered (number) | |
Number of failed logon attempts before device is wiped (number) | |
Idle time before mobile phone is locked (between 1 minute – 12 hours) | |
Password complexity (PIN / Strong) | |
Send password recovery PIN to Exchange Server (Enabled / disabled) | |
Email Management
Get control over who is synchronizing and what is synchronized; the following table covers the settings for email management.
Feature | Supported platforms |
POP and IMAP email (allowed / prohibited) | |
Maximum time to keep email (between 1 day – all) | |
Allowed message format (plain, HTML or both) | |
Maximum size for plain text email (automatically downloaded) (size) | |
Maximum size for HTML email (automatically downloaded) (size) | |
Maximum size of an attachment (automatically downloaded) (size) | |
Calendar synchronization (allowed / prohibited) | |
Security
Feature | Supported platforms |
Unsigned file installation (various options) | |
Unsigned applications (allowed / prohibited) | |
SMS and MMS messaging (allowed / prohibited) | |
Removable storage (allowed / prohibited) | |
Camera (allowed / prohibited) | |
Bluetooth (allowed / prohibited) | |
Windows RT VPN profile | |
Peak Synchronization
If you allow your users to sync their corporate email, you can configure when synchronization takes place within peak hours and outside peak hours.
Feature | Supported platforms |
Peak synchronization frequency (push, manual, 15, 30, 60, 240 minutes) | |
Peak start time (time) | |
Peak end time (time) | |
Peak days (sun-sat) | |
Off-peak synchronization frequency (push, manual, 15, 30, 60, 240 minutes) | |
Roaming
You may want to control roaming of devices when your staff travels often to foreign countries.
Feature | Supported platforms |
Mobile device management while roaming (allowed / prohibited) | |
Software download while roaming (allowed / prohibited) | |
Email download while roaming (allowed / prohibited) | |
Encryption
When receiving confidential information via email on your mobile device, it is wise to set up encryption of your device.
Feature | Supported platforms |
Storage card encryption (on / off) | |
File encryption on mobile device (on / off) | |
Require email signing (Yes / No) | |
Signing algorithm (Default, SHA, MD5) | |
Require email encryption (Yes / No) | |
Encryption algorithm (Default, Triple DES, DES, RC2 128-bit, RC2 64-bit, RC2 40-bit) | |
Wireless configuration
Deploy your wireless configuration profiles via Configuration Manager.
Feature | Supported platforms |
Wireless network connection (profile) | |
Certificates
Deploy your root certificates or authentication certificates via Configuration Manager.
Feature | Supported platforms |
Certificates (root, CA, Normal, Privileged, SPC, Peer) | |
Next to the settings grouped by category, you can also configure custom settings or settings that are device specific. Be aware that if you modify a setting that has already been configured via the categories, a conflict of settings may occur, since many settings can be configured in two ways. The following table describes the additional mobile device settings for the supported devices:
Additional mobile device settings:
Feature | Supported platforms |
Allow backup to iCloud (true/false) | |
Allow browser (true/false) | |
Allow documents to sync to iCloud (true/false) | |
Allow photostream sync to iCloud (true/false) | |
Maximum grace period (number) | |
Mail synchronization conflict resolution (true/false) | |
Allow S/MIME software certificates (true/false) | |
Allow specific unsigned applications to run as normal (Application list) | |
Allow user to change storage card encryption (true/false) | |
Allowed message formats (text) | |
Code word (text) | |
Code word frequency (number) | |
Desktop PIM sync (true/false) | |
Email download while roaming (true/false) | |
Encryption algorithm (text) | |
Exclude files from encryption (file list) | |
Infrared (true/false) | |
Management session reset reminder timeout (number) | |
Manager role permission for user (number) | |
Maximum size for HTML email (automatically downloaded) (number) | |
Maximum size for plain text email (automatically downloaded) (number) | |
Maximum size of an attachment (automatically downloaded) (number) | |
Negotiate encryption algorithm (number) | |
POP and IMAP email (true/false) | |
Remote API access to ActiveSync (true/false) | |
Require email encryption (true/false) | |
Require email signing (true/false) | |
Send email immediately (true/false) | |
Send password recovery PIN to Exchange Server (true/false) | |
Signing algorithm (number) | |
SMS and MMS messaging (true/false) | |
Specify file encryption list (file list) | |
Storage card encryption (true/false) | |
Unapproved in ROM application ID (application list) | |
Unsigned applications (true/false) | |
Unsigned file installation (number) | |
User prompts on unsigned files (true/false) | |
Bluetooth (true/false) | |
Calendar history synchronization (number) | |
Calendar synchronization (true/false) | |
Maximum time to keep email (number) | |
Mobile device management while roaming (true/false) | |
Off-peak synchronization frequency (number) | |
Peak days (number) | |
Peak end time (number) | |
Peak start time (number) | |
Peak synchronization frequency (number) | |
Software download while roaming (true/false) | |
Synchronize calendar tasks (true/false) | |
Synchronize contacts (true/false) | |
Wireless LAN (true/false) | |
Camera (true/false) | |
File encryption on mobile device (true/false) | |
Password complexity (number) | |
Require password settings on mobile devices (true/false) | |
Idle time before mobile device is locked (minutes) | |
Minimum password length (characters) (number) | |
Number of failed logon attempts before device is wiped (number) | |
Number of passwords remembered (number) | |
Password expiration in days (number) | |
Removable storage (true/false) | |
Allow simple password (true/false) | |
Minimum complex characters (number) | |
Allow convenience logon (true/false) | |
Management via Exchange Server Connector
Another way of managing mobile device settings is via the Exchange Server Connector. The following settings can be configured via Exchange Server 2010/2013 or Configuration Manager 2012 and are applied via Microsoft ActiveSync. This blog has not mentioned Android devices so far; these devices can use Microsoft ActiveSync to receive one or more of the settings beneath (if supported).
Setting | Values |
Allow sharing | Allowed / Prohibited |
Computer Synchronization | Allowed / Prohibited |
Allow mobile device that cannot be provisioned | Allowed / Prohibited |
Refresh interval | Hours |
Require password settings on mobile devices | Optional / required |
Idle time before mobile device is locked | Number |
Minimum password length (characters) | Number |
Number of failed logon attempts before device is wiped | Number |
Number of passwords remembered | Number |
Password expiration in days | Number |
POP and IMAP email | Allowed / Prohibited |
Maximum time to keep email | between 2 weeks – all |
Maximum time to keep calendar items | between 2 weeks – all |
Direct Push when roaming | Allowed / Prohibited |
Allowed message format | plain, HTML or both |
Maximum size for plain text email (automatically downloaded) | Number |
Maximum size for HTML email (automatically downloaded) | Number |
Maximum size of an attachment (automatically downloaded) | Number |
Remote Desktop | Allowed / Prohibited |
Removable Storage | Allowed / Prohibited |
Camera | Allowed / Prohibited |
Bluetooth | Allowed / Prohibited |
Wireless network connections | Allowed / Prohibited |
Infrared | Allowed / Prohibited |
Browser | Allowed / Prohibited |
Storage card encryption | Required / optional |
File encryption on mobile device | Required / optional |
SMS and MMS messaging | Allowed / Prohibited |
Applications | List of unsigned applications |
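The settings in the table above correspond to an Exchange ActiveSync mailbox policy; as an added example that is not part of the original post, the following Exchange 2010 Management Shell script builds such a policy directly with the password, encryption, email and device-feature settings from the table and assigns it to a mailbox. The policy name and the mailbox identity are placeholders, and it is assumed the shell has an Exchange organization admin session; Exchange 2013 exposes the same settings through the renamed MobileDeviceMailboxPolicy cmdlets.

```powershell
# Added example (not from the original post): an Exchange 2010 ActiveSync mailbox
# policy enforcing the Exchange Server Connector settings listed above.
# Run in the Exchange Management Shell. Policy name and mailbox are placeholders.
$PolicyName = 'Corp-Mobile-Baseline'

$policy = @{
    Name                               = $PolicyName
    # Password: "Require password settings" = required, no simple PIN
    DevicePasswordEnabled              = $true
    AllowSimpleDevicePassword          = $false
    AlphanumericDevicePasswordRequired = $true
    MinDevicePasswordLength            = 6        # minimum password length (characters)
    MinDevicePasswordComplexCharacters = 2
    MaxDevicePasswordFailedAttempts    = 10       # failed logons before device is wiped
    MaxInactivityTimeDeviceLock        = '00:15:00'   # idle time before device is locked
    DevicePasswordExpiration           = '90.00:00:00' # password expiration in days
    DevicePasswordHistory              = 5        # number of passwords remembered
    PasswordRecoveryEnabled            = $true    # recovery PIN escrowed to Exchange
    # Encryption
    RequireDeviceEncryption            = $true    # file encryption on mobile device
    RequireStorageCardEncryption       = $true    # storage card encryption
    # Email
    AllowPOPIMAPEmail                  = $false   # POP and IMAP email prohibited
    MaxEmailAgeFilter                  = 'TwoWeeks'  # maximum time to keep email
    MaxCalendarAgeFilter               = 'OneMonth'  # maximum time to keep calendar items
    AllowHTMLEmail                     = $true    # allowed message format: plain and HTML
    RequireManualSyncWhenRoaming       = $true    # Direct Push when roaming prohibited
    # Device features
    AllowNonProvisionableDevices       = $false   # block devices that cannot apply the policy
    AllowStorageCard                   = $false   # removable storage prohibited
    AllowCamera                        = $true
    AllowBluetooth                     = 'HandsfreeOnly'
    DevicePolicyRefreshInterval        = '24:00:00'  # refresh interval in hours
}

# Create the policy, or update the existing one so the script can be re-run safely
if (Get-ActiveSyncMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue) {
    $policy.Remove('Name')
    Set-ActiveSyncMailboxPolicy -Identity $PolicyName @policy
} else {
    New-ActiveSyncMailboxPolicy @policy
}

# Assign the policy to a mailbox (placeholder identity) and confirm the assignment
Set-CASMailbox -Identity 'user@contoso.example' -ActiveSyncMailboxPolicy $PolicyName
Get-CASMailbox -Identity 'user@contoso.example' | Format-List ActiveSyncMailboxPolicy
```

Because AllowNonProvisionableDevices is set to false, a device that cannot enforce the full policy is refused synchronization rather than silently synchronizing without the password and encryption requirements.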
Mobile device management and support for all the different kinds of devices with different operating systems can be very messy. I hope that this blog gives you some clarification of what can be done for which device with which component of Configuration Manager 2012 SP1. More on Windows Intune and Mobile Device Management in later blog posts.
Hello, thanks for the detailed post. One question: I noticed that there is an option to send a recovery PIN to iOS devices. Does the device have to be enrolled in Windows Intune, or can it just be enrolled in SCCM 2012? Thanks!
Hi, all iOS devices that are enrolled in ConfigMgr via Windows Intune.
Do you know if you can reset device passwords on Windows 8 phones with the device only enrolled in SCCM 2012?