How to Manage Mobile Devices by Using Configuration Manager and Windows Intune

Note
The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager.

Note
This topic appears in the Deploying Clients for System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide.

This walkthrough shows you step-by-step how to configure Configuration Manager so that you can manage Windows Phone 8, Windows RT, iOS, and Android devices by using the Windows Intune service over the Internet. Although you use the Windows Intune service, management tasks are completed by using the Windows Intune connector site system role available through the Configuration Manager console. System Center 2012 R2 Configuration Manager also gives you option of managing Windows 8.1 devices, in the same manner of mobile devices, that do not have the Configuration Manager client installed.

You can configure Configuration Manager to enable mobile device management to let users access company resources in a secure, managed way. By using device management, you protect company data while letting users enroll their personal or company-owned mobile devices and giving them access to company data. When you use Configuration Manager with Windows Intune, you have the following management capabilities:

You can retire and wipe devices.
You can configure compliance settings on devices. These include settings for passwords, security, roaming, encryption, and wireless communication.
You can deploy line of business apps to devices.
You can deploy apps from the store that the device connects to, Windows Store, Windows Phone Store, App Store, or Google Play.
You can collect hardware inventory.
You can collect software inventory by using built-in reports.

This document assumes that you are using Configuration Manager to manage computers, and that you are interested in extending the Configuration Manager console to manage mobile devices. After you complete this walkthrough, users will be able to enroll their devices for management.

We will show you:

How to configure the Windows Intune subscription for mobile device management.
How to install the Windows Intune connector site system role that lets you use Windows Intune in the Configuration Manager console.

Use the following sections to help you manage mobile devices by using the Windows Intune connector.

Prerequisites
Configuring the Windows Intune Subscription
The Windows Intune Connector Site System Role
Mobile Device Enrollment
Next Steps
Wiping Company Content from Mobile Devices

Prerequisites

Use the following information to determine the prerequisites for managing mobile devices.

Dependencies External to Configuration Manager

For a checklist about how to configure Configuration Manager to manage mobile devices, see Administrator Checklist: Configuring Configuration Manager to Manage Mobile Devices by Using Windows Intune.

External dependencies	More information
Sign up for a Windows Intune organizational account.	You can sign up for an account at Windows Intune. For more information, see Windows Intune organizational account and Acceptable Use Policy for Windows Intune in the Documentation Library for Windows Intune.
Add a public company domain.	All user accounts must have a publicly verifiable domain name that can be verified by Windows Intune.
Verify users have a public domain UPN.	Before you synchronize the Active Directory user account, you must verify that user accounts have a public domain UPN. For more information, see Add User Principal Name Suffixes in the Active Directory documentation library.
Deploy and configure directory synchronization.	Directory synchronization lets you populate Windows Intune with synchronized user accounts. The synchronized users and security groups are added to Windows Intune. For more information, see Configure directory synchronization in the Active Directory documentation library. For single sign-on you must deploy AD FS. For more information, see Configure single sign-on in the Active Directory documentation library.
Create a DNS alias.	Create a DNS alias (CNAME record type). You have to configure a CNAME in DNS that redirects EnterpriseEnrollment.<company domain name>.com to manage.microsoft.com. For example, if Melissa's email address is Melissa@contoso.com, you have to create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to manage.microsoft.com. The CNAME record is used as part of the enrollment process.
Obtain certificates or keys.	For more information, see Obtain Certificates or Keys to Meet Prerequisites per Platform in this topic.

Obtain Certificates or Keys to Meet Prerequisites per Platform

The following table lists the certificates or keys that you must have to enroll mobile platforms.

Platform	Certificates or keys	How you obtain certificates or keys
Windows Phone 8	Code signing certificate: All sideloaded apps must be code-signed.	Buy a code signing certificate from Symantec.
Windows RT, Windows RT 8.1, or Windows 8.1 devices that are not joined to the domain.	Sideloading keys: Devices have to be provisioned with sideloading keys to enable the installation of sideloaded apps. All sideloaded apps must be code-signed.	Buy sideloading keys from Microsoft. All apps must be code-signed by using your company’s certification authority or an external certification authority.
iOS	Apple Push Notification service certificate.	Request an Apple Push Notification service certificate from Apple. For more information, see the Prerequisites for Enrolling iOS Devices in this topic.
Android	None.	Not applicable.

Prerequisites for Enrolling Windows Phone 8 Devices

To manage Windows Phone 8 devices, you have to deploy the Windows Phone 8 company portal app. The company portal app must be code-signed with a Symantec certificate that is trusted by the Windows Phone 8 devices.

Join the Windows Phone Dev Center by visiting the Windows Phone Dev Center. You must use a corporate account.
Locate your Symantec ID by clicking Dashboard in the Windows Phone Dev Center and locate the numeric ID under Symantec Id.
Purchase a certificate from the Symantec website by using your Symantec ID.
After you purchase the certificate, the corporate approver that you designated in your Windows Phone Developer account will receive an email asking for approval of the certificate request. Once the request has been approved, you will receive an email that contains the instructions for importing the certificates.
Read the instructions in the email carefully and import the certificates.
To verify that the certificates have been imported correctly, go to the Certificates snap-in, right-click Certificates, and select Find Certificates. In the Contains field, enter “Symantec”, and click Find Now. The certificates that you imported should be listed as part of the results.
Now that you have verified that the certificates have been imported, you can export the .pfx file so that you can sign the company portal. Using the results from the previous step, you must select the Symantec certificate with the Intended purpose as “code-signing.” Then, right-click the code-signing certificate and select Export.

In the Certificate Export Wizard, select Yes, export the private key and click Next. Select Personal Information Exchange –PKCS #12 (.PFX) and check Include all the certificates in the certification path if possible. Complete the wizard. For more information, see How to Export a Certificate with the Private Key.
Download the Windows Phone 8 company portal app.
Before you can deploy the company portal app, it must be signed by a certification authority that is trusted by Windows Phone 8 devices. Use the XAPSignTool app that comes with the Windows Phone 8 SDK to sign the company portal with the .pfx file you created from the Symantec certificate. For more information, see How to sign a company app by using XapSignTool
Create an application using the signed company portal app, for more information, see Create an application for Windows Phone 8 devices.

Deploy the Windows Phone 8 company portal application to the manage.microsoft.com distribution point.

For more information, see How to deploy an application to mobile devices.

Note
If you have already deployed the company portal app and want to deploy the latest version see the Supercedence section in How to Create and Deploy Applications for Mobile Devices in Configuration Manager.

Prerequisites for Enrolling Windows RT Devices, Windows RT 8.1, or Windows 8.1 devices

Prerequisites for Enrolling iOS Devices

Note
Make sure that you use a company account to obtain the Apple Push Notification service certificate. When you return to the Apple site to renew the certificate, make sure that you use the same account.

Prerequisites for Enrolling Android devices

Dependencies within Configuration Manager

Dependencies in Configuration Manager	More information
Create the Windows Intune subscription.	For more information, see Configuring the Windows Intune Subscription in this topic.
Add the Windows Intune connector.	For more information, see The Windows Intune Connector Site System Role in this topic.

Configuring the Windows Intune Subscription

The Windows Intune subscription lets you specify your configuration settings for the Windows Intune service. This includes specifying which users can enroll their devices and defining which mobile device platforms to manage. When you have created your subscription, you can then install the Windows Intune connector site system role that lets you connect to the Windows Intune service. This connector site system role will push settings and applications to the Windows Intune service. The Windows Intune subscription performs the following:

Retrieves the certificate that the Windows Intune connector requires to connect to the Windows Intune service.
Defines the user collection that enables users to enroll mobile devices.
Defines and configures the mobile platforms that you want to support.

To create the Windows Intune subscription

In the Configuration Manager console, click Administration.
For System Center 2012 Configuration Manager SP1: In the Administration workspace, expand Hierarchy Configuration, and click Windows Intune Subscriptions.

For System Center 2012 R2 Configuration Manager: In the Administration workspace, expand Cloud Services, and click Windows Intune Subscriptions.
For System Center 2012 Configuration Manager SP1: On the Home tab, in the Create group, click Create Windows Intune Subscription.

System Center 2012 R2 Configuration Manager: On the Home tab, click Add Windows Intune Subscription.
On the Introduction page of the Create Windows Intune Subscription Wizard, review the text and click Next.
On the Subscription page, click Sign in and sign in by using your Windows Intune organizational account. Select the Allow the Configuration Manager console to manage this subscription check box. When you select this setting, you will only be able to manage mobile devices by using the Configuration Manager console. To continue with your subscription, you must select this option.

Important

Once you select Configuration Manager as your management authority, you cannot change the management authority to Windows Intune in the future.
Click the privacy links to review them, and then click Next.
On the General page, specify the following options, and then click Next.
- Collection: Specify a user collection that contains users who will enroll their mobile devices.
  
  Note
  
  If a user is removed from the collection, the user’s device will continue to be managed for up to 24 hours when the user record is removed from the user database.
- Company name: Specify your company name.
- URL to company privacy documentation: If you publish your company privacy information to a link that is accessible from the Internet, provide a link that users can access from the company portal. Privacy information can clarify what information users are sharing with your company.
- Color scheme for company portal: Optionally, change the default color of blue for the company portals.
- Configuration Manager site code: Specify a site code for a primary site to manage the mobile devices.
  
  Note
  
  Changing the site code affects only new enrollments and does not affect existing enrolled devices.
On the Platforms page, select the device types that you want to manage and review the platform requirements, and then click Next.

Important
Once you select Configuration Manager as your management authority, you cannot change the management authority to Windows Intune in the future.

Note
If a user is removed from the collection, the user’s device will continue to be managed for up to 24 hours when the user record is removed from the user database.

Note
Changing the site code affects only new enrollments and does not affect existing enrolled devices.

For each device type that you selected, you must configure additional options. Use the procedures that follow for more information about those options. After you have configured these additional options, click Next and complete the wizard.

iOS Devices

On the iOS page, click Browse to specify the Apple Push Notification service certificate that you received from Apple. For more information about how to obtain an Apple Push Notification service certificate, see the Prerequisites for Enrolling iOS Devices section in this topic.

Windows Phone 8 Devices

On the Windows Phone 8 Configuration page, specify the .pfx file or Application Enrollment token that you received when you satisfied the Windows Phone 8 prerequisites in the prerequisites section of this walkthrough.
Specify the location of the signed Windows Phone 8 company portal app that you created in the prerequisites section of this walkthrough.

For more information about how to obtain the certificate, see the Prerequisites for Enrolling Windows Phone 8 Devices section in this topic.

Windows Devices

Windows RT, Windows RT 8.1 and Windows 8.1 devices require that all sideloaded apps be signed with a trusted code-signing certificate.

On the Windows RT Configuration page, if you have a certificate from your company’s certification authority, click Browse to specify the code-signing certificate that you want to use for all Windows 8 apps.

Note
All apps must be code-signed. The certificate field is for your company’s certificate. If you have purchased a certificate from an external certification authority, you can leave this field blank.

Click Add to enter your sideloading keys. For more information about how to obtain the certificate, see the Prerequisites for Enrolling Windows RT Devices, Windows RT 8.1, or Windows 8.1 devices section in this topic.

Android Devices

Android devices have no prerequisites. For System Center 2012 R2 Configuration Manager, Android users can download the Android company portal app from Google Play that will allow them to enroll Android devices.

The Windows Intune Connector Site System Role

The Windows Intune connector sends settings and software deployment information to Windows Intune and retrieves status and inventory messages from mobile devices. The Windows Intune service acts as a gateway that communicates with mobile devices and stores settings.

Note
The Windows Intune connector site system role may only be installed on a central administration site or stand-alone primary site.

To configure the Windows Intune Connector role

Mobile Device Enrollment

Enrollment establishes a relationship between the user, the device, and the Windows Intune service. Users enroll their own mobile devices. Android devices are not enrolled, but can be managed by using the Exchange Server connector. The following sections describe enrollment for Windows Phone 8, Windows RT, and iOS.

Note
If your subscription to Windows Intune is going to expire, you must unenroll all devices prior to expiration in order to ensure company content is removed from devices.

Windows Phone 8 Enrollment

For Windows Phone 8, users start enrollment from the Windows Phone 8 device by going to system settings and selecting company apps. The following processes then occur when users enroll their own mobile devices.

Users are asked to provide their credentials. When authentication is successful, Windows Intune establishes a relationship between the user and the Windows Phone 8 device.
A certificate is installed on the device for authentication between the device and the Windows Intune service.

Users must select Install company app or Hub to let their device be managed.

Important
If users do not select this option to install the company app or hub, they cannot download the company portal. If the Windows Phone 8 company portal is not installed during enrollment, or if users uninstall the company portal, users must retire their mobile device and enroll again. Or, you can make the company portal file available by sending users a link in an email.

The company portal is installed on the device. Inventory is collected; management settings are applied, and users now have access to line-of-business apps that you make available to them.

Windows RT, Windows RT 8.1, and Windows 8.1 Enrollment

For Windows RT, users start enrollment from the Windows RT device. The users must complete the following tasks:

On the Windows RT device, users select Start, and type “System Configuration”, and click the dialog box to open the Company Apps.
The users enter their company credentials and are authenticated. This establishes a relationship between the user, the Windows RT device, and the Windows Intune service.
Windows Intune collects inventory and applies management settings. Users now have access to line-of-business apps and direct links to the app store through the company portal.

For Windows 8.1 and Windows RT 8.1, the user enrolls through the device.

On the Windows 8.1 device, the user selects Settings, clicks PC Settings, then clicks Network, and finally, clicks Workplace.
The user enters their user ID in the (ID) field.
The user clicks Turn on and provides their password.
The user agrees to the Allow apps and services from IT admin dialog box, and clicks Turn on.

iOS Enrollment

For System Center 2012 R2 Configuration Manager only: Users can enroll iOS devices by using the iOS company portal app, Windows Intune Company Portal, available in the App store. The company portal app can be installed on iOS devices running iOS 6 or later.

For System Center 2012 Configuration Manager SP1 iOS enrollment, users must complete the following tasks:

The user begins enrollment by going to m.manage.microsoft.com.
The users are asked for their company credentials to begin the enrollment process.
As soon as authentication is successful, a relationship is established between the user, the iOS device and the Windows Intune service.
Windows Intune collects inventory and applies management settings. The user now has access to line-of-business apps and direct links to the app store through the company portal.

For System Center 2012 R2 Configuration Manager only: Users can enroll iOS devices by using the iOS company portal app that is available in the App store. The company portal app can be installed on iOS devices running iOS 6 or later.

Android Enrollment

For System Center 2012 R2 Configuration Manager only: Android devices can be enrolled by using the Android company portal app, Windows Intune Company Portal, available on Google Play.

Next Steps

Now that you have configured Configuration Manager for mobile device management and users can enroll their devices, use the following links to manage devices.

Wiping Company Content from Mobile Devices

You can do a full wipe on Windows Phone 8, iOS, and Android devices with the Android company portal app installed on them. A full wipe will restore the device to factory settings.

For System Center 2012 R2 Configuration Manager only: you have the option to do a selective wipe that only removes company content. For a selective wipe, you can use Retire/wipe and select the option Wipe company content and retire the mobile device from Configuration Manager to remove company content from devices. The following table lists what company content is wiped from devices.

Content removed when retiring a device	Windows 8.1 and Windows RT 8.1	Windows RT	Windows Phone 8	iOS	Android company portal app
Company apps and associated data installed by using Configuration Manager and Windows Intune.	Apps are uninstalled and sideloading keys are removed. Apps using Windows Selective Wipe will have the encryption key revoked and data will no longer be accessible.	Sideloading keys are removed but apps remain installed.	Apps are uninstalled. Company app data is removed.	Apps are uninstalled. Company app data is removed.	Apps and data remain installed.
VPN and Wifi profiles	Removed.	Not applicable.	Not applicable.	Removed.	VPN: Not applicable. Wi-Fi: Not removed
Certificates	Removed and revoked.	Not applicable.	Not applicable.	Removed and revoked.	Revoked.
Settings	Requirements removed.	Requirements removed.	Requirements removed.	Requirements removed.	Requirements removed.
Management Agent	Not applicable. Management agent is built-in.	Not applicable. Management agent is built-in.	Not applicable. Management agent is built-in.	Management profile is removed.	Device Administrator privilege is revoked.
Email	Exchange email removed from device.	Exchange email removed from device.	Not applicable.	Not applicable.	Not applicable.
Email profiles	Not applicable.	Not applicable.	Not applicable.	Removed	Not applicable.

To retire or wipe a mobile device

In the Configuration Manager console, click Assets and Compliance and select Devices.
Select a device and then select the action that you want to take.