Note: The information in this topic applies only to System Center
2012 Configuration Manager SP1.
System Center 2012 Configuration Manager SP1
lets you manage Windows Phone 8, Windows RT, iOS,
and Android devices by using the Windows Intune service over
the Internet. Although you use the Windows Intune service,
management tasks are completed by using the Configuration Manager
console. You can use the Windows Intune connector site system
role in the Configuration Manager console to connect to the
Windows Intune service.
Many employees do work-related tasks, such as viewing their
email, on their personal mobile devices. This scenario is referred
to as Bring Your Own Device (BYOD). Companies that embrace BYOD
can provide more than just email for mobile devices.
Companies can now provide and manage mobile apps to let employees
perform work-related tasks. While providing apps to user-owned
devices, companies can protect company data by exercising control
over mobile device enrollment and security settings. With
Configuration Manager SP1, you have control over which users
can enroll their mobile devices and which users can access your
company’s data and apps.
Use the following sections to help you manage mobile devices by
using the Windows Intune connector.
For a checklist about how to configure Configuration Manager to
manage mobile devices, see Administrator Checklist:
Configuring Configuration Manager to Manage Mobile Devices by Using
Windows Intune.
Actions Available to Users
When employees use their own devices, they expect to
have some control over the apps they download, in addition to
privacy for their personal data. The Bring Your Own Device scenario
lets you balance employee concerns with company constraints. Users
can manage their devices by using the company portal. The company
portal is a self-service portal that lets users control what apps
are installed on their devices. Also, the company portal is
customized for each platform so that users will only see apps
available for their device type. The following table lists what
actions users can control on their devices by using the company
portal.
Company portal actions available to users | From Windows RT | From Windows Phone 8 | From iOS | From Android
Enroll device. | Yes | Yes | Yes | No
Retire local device. | Yes | Yes | No | No
Wipe mobile devices remotely. | Yes | No | No | No
Install line-of-business apps. | Yes | Yes | Yes | Yes
Install apps from the store that the device connects to for Windows Store, Windows Phone Store, App Store, or Google Play. | Yes | Yes | Yes | Yes
Management Options Available to
Administrators
The Windows Intune connector gives administrators
the ability to manage apps, compliance settings, and device life
cycle.
Before you can install the Windows Intune
connector, you first have to subscribe to the Windows Intune
service and configure your Windows Intune subscription. Your
subscription lets you choose which user collection can enroll
mobile devices. Also, your subscription lets you configure a portal
that will host your company apps and then lets users manage their
devices. You use the subscription to publish your privacy statement
so that your employees understand what is being monitored on their
mobile devices. The company portal lets users view and download the
apps that your company provides.
After you have configured the subscription, you can
install the Windows Intune connector. The Windows Intune
connector lets you deploy apps to mobile devices by using a
distribution point hosted by the Windows Intune service. This
distribution point, manage.microsoft.com, is available after you
install the Windows Intune connector. When you deploy an app
by using the Windows Intune connector, the app appears in the
company portal where users can view and download the app. You can
either deploy a link to an app that exists in an app store or you
can deploy a line-of-business app by using sideloading. Sideloading
lets you distribute an app directly to a device without using the
Windows Store, Windows Phone Store, App Store, or Google Play. You
can sideload an app for Windows Phone 8, Windows RT,
iOS, and Android.
The Windows Intune connector also lets you manage
compliance settings and collect inventory on
Windows Phone 8, Windows RT, and iOS devices. You
can manage the life cycle of mobile devices, which includes actions
such as wipe, retire, and block. The Windows Intune service
uses the management client that is built into the Windows RT
and Windows Phone 8 platforms. For mobile devices that
run iOS, Windows Intune uses the iOS APIs for management. The
following table lists the kinds of management tasks that are
available for each mobile device platform.
Management tasks | Windows RT | Windows Phone 8 | iOS | Android
Device life cycle management such as the ability to retire, wipe, remote wipe, remove, and block devices. | Yes | Yes | Yes | No
Compliance settings that include settings for password settings, email management, security, roaming, encryption, and wireless communication. | Yes | Yes | Yes | No
Line-of-business app management. | Yes | Yes | Yes | Yes
App installation from the store that the device connects to (Windows Store, Windows Phone Store, App Store, Google Play). | Yes | Yes | Yes | Yes
Hardware inventory. | Yes | Yes | Yes | No
Prerequisites
Use the following information to determine the
prerequisites for managing mobile devices.
Dependencies External to
Configuration Manager
External dependencies | More information
Sign up for a Windows Intune organizational account. | Sign up for an account at Windows Intune. For more information, see Windows Intune organizational account and Acceptable Use Policy for Windows Intune in the Documentation Library for Windows Intune.
Add a public company domain. | All user accounts must have a publicly registered UPN that can be verified by Windows Intune.
Verify users have a public domain UPN. | Before you synchronize the Active Directory user account, you must verify that user accounts have a public domain UPN. For more information, see Add User Principal Name Suffixes in the Active Directory documentation library.
Deploy and configure directory synchronization. | Directory synchronization lets you populate Windows Intune with synchronized user accounts. The synchronized users and security groups are added to Windows Intune. For more information, see Configure directory synchronization in the Active Directory documentation library. For single sign-on you must deploy AD FS. For more information, see Configure single sign-on in the Active Directory documentation library.
Create a DNS alias. | Create a DNS alias (CNAME record type). You have to configure a CNAME in DNS that redirects EnterpriseEnrollment.<company domain name>.com to manage.microsoft.com. For example, if Melissa's email address is Melissa@contoso.com, you have to create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to manage.microsoft.com. The CNAME record is used as part of the enrollment process.
Obtain certificates or keys. | For more information, see Obtain Certificates or Keys to Meet Prerequisites per Platform in this topic.
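The public-domain UPN and CNAME prerequisites listed above can be checked before enrollment starts. The following PowerShell is an added example, not part of the original topic; the function names, the contoso.local suffix, and the sample UPNs are constructed for illustration, and Resolve-DnsName assumes Windows 8 or Windows Server 2012 or later.

```powershell
# Added example, not from the original topic. contoso.com comes from the
# topic's own example; contoso.local and the sample UPNs are constructed.

function Get-NonPublicUpn {
    # Emits every UPN whose suffix is missing or is not one of the public
    # domains that have been verified for the organization.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string] $UserPrincipalName,

        [Parameter(Mandatory)]
        [string[]] $VerifiedDomain
    )
    process {
        $parts  = @($UserPrincipalName -split '@', 2)
        $suffix = if ($parts.Count -eq 2) { $parts[1] } else { $null }

        # -notcontains compares case-insensitively, which matches DNS names.
        if (-not $suffix -or $VerifiedDomain -notcontains $suffix) {
            [pscustomobject]@{
                UserPrincipalName = $UserPrincipalName
                Suffix            = $suffix
                Problem           = if ($suffix) { 'Suffix is not a verified public domain' }
                                    else         { 'No UPN suffix' }
            }
        }
    }
}

function Test-EnrollmentCname {
    # Checks that EnterpriseEnrollment.<company domain> is a CNAME that
    # points to the enrollment endpoint named in the topic.
    param(
        [Parameter(Mandatory)]
        [string] $CompanyDomain,

        [string] $Target = 'manage.microsoft.com'
    )
    $name = "EnterpriseEnrollment.$CompanyDomain"

    # A name without a CNAME can still return SOA or A records, so keep only
    # the CNAME record that belongs to the queried name.
    $cname = Resolve-DnsName -Name $name -Type CNAME -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'CNAME' -and $_.Name -eq $name } |
        Select-Object -First 1

    $pointsTo = if ($cname) { $cname.NameHost.TrimEnd('.') } else { $null }

    [pscustomobject]@{
        Name     = $name
        PointsTo = $pointsTo
        Ok       = ($pointsTo -eq $Target)
    }
}

# Constructed sample input. Against a real directory, feed the UPNs from the
# ActiveDirectory module instead:
#   Get-ADUser -Filter * | ForEach-Object { "$($_.UserPrincipalName)" }
$sampleUpns = 'melissa@contoso.com', 'adam@contoso.local', 'svc-backup'

# Reports adam@contoso.local (non-public suffix) and svc-backup (no suffix).
$sampleUpns | Get-NonPublicUpn -VerifiedDomain 'contoso.com' | Format-Table -AutoSize

# Requires DNS resolution; Ok is False when the record is absent or wrong.
Test-EnrollmentCname -CompanyDomain 'contoso.com' | Format-List
```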
Obtain Certificates or Keys to Meet
Prerequisites per Platform
The following table lists the certificates or keys that
you must have to enroll mobile platforms.
Platform | Certificates or keys | How you obtain certificates or keys
Windows Phone 8 | Code signing certificate: All sideloaded apps must be code-signed. | Buy a code signing certificate from Symantec.
Windows RT | Sideloading keys: Windows RT devices have to be provisioned with sideloading keys to enable the installation of sideloaded apps. All sideloaded apps must be code-signed. | Buy sideloading keys from Microsoft. All apps must be code-signed by using your company’s certification authority or an external certification authority.
iOS | Apple Push Notification service certificate. | Request an Apple Push Notification service certificate from Apple. For more information, see the Prerequisites for Enrolling iOS Devices in this topic.
Android | None. | Not applicable.
Prerequisites for Enrolling
Windows Phone 8 Devices
To manage Windows Phone 8 devices, you have
to deploy the Windows Phone 8 company portal app. The
company portal app must be code-signed with a certificate that is
trusted by the Windows Phone 8 devices.
- Obtain a Windows Phone Dev Center Publisher ID from the
Windows Phone Dev Center.
- Retrieve a certificate from the Symantec website by using your
Publisher ID.
- Download the Windows Phone 8 company portal app.
- Download the SignTool app from the Windows Phone 8 SDK. To deploy an app
to users, the app must be signed by a certification authority that
is trusted by Windows Phone 8 devices. Use the SignTool
app to sign your apps with the Symantec certificate.
- Sign the company portal app by using the SignTool app and the
certificate that you downloaded from Symantec.
- Deploy the Windows Phone 8 company portal app to the
manage.microsoft.com distribution point.
For more information, see To deploy an
application to mobile devices in this topic.
- Sign all apps that you plan to deploy to
Windows Phone 8.
Prerequisites for Enrolling
Windows RT Devices
To configure app management on a mobile device that
runs Windows RT, you must follow these steps.
- Obtain sideloading keys. Before you can run sideloaded
line-of-business apps on Windows RT, you must obtain and
activate sideloading keys from Microsoft. For more information
about sideloading product activation keys, see Microsoft Volume Licensing.
- Sign all apps. For sideloaded apps to run on Windows RT,
you must use a certificate to sign all apps.
Prerequisites for Enrolling iOS
Devices
To enroll iOS devices, you must follow these steps.
- Download a Certificate Signing Request from
Windows Intune. This certificate signing request lets you
apply to Apple’s certification authority for an Apple Push
Notification service certificate.
- Request an Apple Push Notification service certificate from the
Apple website.
To Download a Certificate Signing
Request from Windows Intune
- In the Configuration Manager console, click Administration.
- In the Administration workspace, expand Hierarchy Configuration,
and click Windows Intune Subscriptions.
- On the Home tab, in the Create group, click Create APNs
certificate request.
- In the Request Apple Push Notification Service Certificate
Signing Request dialog box, click Browse to specify a location to
download the Certificate Signing Request, specify your choice of
file name, and then click Download.
- On the Windows Intune sign in page, enter your organizational
account and password. After you sign in, the certificate signing
request is downloaded to the location that you specified.
To Request an Apple Push
Notification Service Certificate
- Connect to the Apple Push Certificates Portal.
- Sign in and complete the wizard.
Note: Make sure that you use a company account to obtain the Apple
Push Notification service certificate. When you have to go back to
the site to renew the certificate, make sure that you use the same
account.
- Upload the Certificate Signing Request that you downloaded from
Windows Intune.
Dependencies in
Configuration Manager
The Windows Intune Subscription
The Windows Intune subscription lets you specify
your configuration settings for the Windows Intune service;
this includes specifying which users can enroll their devices and
defining which mobile device platforms to manage. When you have
created your subscription, you can then install the
Windows Intune connector site system role, which lets you
connect to the Windows Intune service. This connector site
system role will push settings and applications to the
Windows Intune service. Windows Intune will then make
apps available to users on their mobile devices by using the
company portal. The Windows Intune subscription performs the
following actions:
- Retrieves the certificate that the
Windows Intune connector requires to connect to the
Windows Intune service.
- Defines the user collection that enables
users to enroll mobile devices.
- Defines and configures the mobile platforms
that you want to support.
To create the Windows Intune
subscription
- In the Configuration Manager console, click Administration.
- In the Administration workspace, expand Hierarchy Configuration,
and click Windows Intune Subscriptions.
- On the Home tab, in the Create group, click Create
Windows Intune Subscription.
- On the Introduction page of the Create Windows Intune
Subscription Wizard, review the text and click Next.
- On the Subscription page, click Sign in and sign in by using
your Windows Intune organizational account. Select the Allow the
Configuration Manager console to manage this subscription check
box. When you select this setting, you will only be able to manage
mobile devices by using the Configuration Manager console. To
continue with your subscription, you must select this option.
- Click the privacy links to review them, and then click Next.
- On the General page, specify the following options, and then
click Next.
  - Collection: Specify a user collection that contains users who
    will enroll their mobile devices.
    Note: If a user is removed from the collection, the user’s
    device will continue to be managed for up to 24 hours until the
    user record is removed from the user database.
  - Company name: Specify your company name.
  - URL to company privacy documentation: If you publish your
    company privacy information to a link that is accessible from
    the Internet, provide the link so that users can access it from
    the company portal. Privacy information can clarify what
    information users are sharing with your company.
  - Color scheme for company portal: Optionally, change the default
    color of blue for the company portals.
  - Configuration Manager site code: Specify a site code for a
    primary site to manage the mobile devices. Although you can
    change the site code at any time, if you do this, existing users
    will have to retire their mobile devices and then re-enroll them
    to the new site.
- On the Platforms page, select the device types that you want to
manage and review the platform requirements, and then click Next.
For each device type that you selected, you must configure
additional options. Use the following procedures for more
information. After you have configured these additional options,
click Next and complete the wizard.
iOS Devices
- On the iOS page, click Browse
to specify the Apple Push Notification service certificate that you
received from Apple. For more information about how to obtain an
Apple Push Notification service certificate, see the Prerequisites for Enrolling iOS Devices section
in this topic.
Windows Phone 8 Devices
- On the Windows Phone 8 page, specify
the code-signing certificate to use for all Windows Phone apps and
then specify the location of the signed
Windows Phone 8 company portal app.
For more information about how to obtain the
certificate, see the Prerequisites for
Enrolling Windows Phone 8 Devices section in this
topic.
Windows RT Devices
Windows RT devices require that all sideloaded apps be
signed with a trusted code-signing certificate.
- On the Windows RT Configuration page, if you have a
certificate from your company’s certification authority, click
Browse to specify the code-signing certificate that you want
to use for all Windows 8 apps.
Note: All apps must be code-signed. This field is for your company’s
certificate. If you have purchased a certificate from an external
certification authority, you can leave this field blank.
- Click Add to enter your sideloading keys. For more
information about how to obtain the certificate, see the Prerequisites for Enrolling Windows RT
Devices section in this topic.
The Windows Intune Connector Site System
Role
The Windows Intune connector sends settings and
software deployment information to Windows Intune and
retrieves status and inventory messages from mobile devices. The
Windows Intune service acts as a gateway that communicates
with mobile devices and stores settings.
To configure the Windows Intune
Connector role
- In the Configuration Manager console, click Administration.
- In the Administration workspace, expand Site Configuration, and
then click Servers and Site System Roles.
- Add the Windows Intune Connector role to a new or existing site
system server by using the associated step:
  - New site system server: On the Home tab, in the Create group,
    click Create Site System Server to start the Create Site System
    Server Wizard.
  - Existing site system server: Click the server on which you want
    to install the Windows Intune connector role. Then, on the Home
    tab, in the Server group, click Add Site System Roles to start
    the Add Site system Roles Wizard.
- On the System Role Selection page, select Windows Intune
Connector, and click Next.
- Complete the wizard.
Mobile Device Enrollment
Enrollment establishes a relationship between the user,
the device, and the Windows Intune service. Users enroll their
own mobile devices. Android devices are not enrolled, but can be
managed by using the Exchange Server connector. The following
sections describe enrollment for Windows Phone 8,
Windows RT, and iOS.
Windows Phone 8
Enrollment
For Windows Phone 8, users start enrollment
from the Windows Phone 8 device by going to system
settings and selecting company apps. The following
processes then occur:
- Users are asked to provide their Active Directory credentials
for authentication. When authentication is successful,
Windows Intune establishes a relationship between the user and
the Windows Phone 8 device.
- A certificate is installed on the device for authentication
between the device and the Windows Intune service.
- Users must select Install company app or Hub to let
their device be managed.
Important: If users do not select this option, they cannot download
the company portal. If the Windows Phone 8 company portal is
not installed during enrollment, or if users uninstall the company
portal, users must retire their mobile device and re-enroll it. Or,
you can make the company portal file available by sending users a
link in an email.
- The company portal is installed on the device. Inventory is
collected; management settings are applied, and users now have
access to line-of-business apps that you make available to
them.
Windows RT Enrollment
For Windows RT, users start enrollment from the
Windows RT device. The following processes occur:
- On the Windows RT device, users select Start, and
type System Configuration, and open the Company Apps
dialog box.
- The users enter their company credentials and are
authenticated. A relationship between the users, the
Windows RT device and the Windows Intune service is
established.
- Windows Intune collects inventory and applies management
settings. Users now have access to line-of-business apps and direct
links to the app store through the company portal.
iOS Enrollment
For iOS, enrollment is as follows:
- You begin enrollment by sending an email invitation to the
user. The email invitation includes a link to the enrollment
portal, manage.microsoft.com.
- The users are asked for their company credentials to begin the
enrollment process.
- As soon as authentication is successful, a relationship between
the user, the iOS device and the Windows Intune service is
established.
- Windows Intune collects inventory and applies management
settings. The user now has access to line-of-business apps and
direct links to the app store through the company portal.
Device Life-cycle Management
You can retire, block, wipe, or delete devices. The
following table lists the management functions for each platform
and compares these to the management functions that the Exchange
Server connector supports. Because you cannot enroll Android
devices by using the Windows Intune connector, you must use
the Exchange Server connector to remove, block, wipe, or delete
these devices.
For more information about how to manage mobile devices
by using the Exchange Server connector, see How to Manage Mobile
Devices by Using the Exchange Server Connector in Configuration
Manager.
Management function | Windows Phone 8 | Windows RT | iOS | Exchange Server connector
Retire: Removes the device from Configuration Manager and leaves personal settings and data unchanged on the device. | Yes. Line-of-business apps are uninstalled, which includes the company portal app. User settings are retained. | Yes. Removes the Windows RT sideloading keys. Without the sideloading keys, sideloaded apps will no longer run. User settings are retained. Note: When an RT device is retired, users can still use company apps until the next update. The update occurs every 24 hours for Windows RT devices. | Yes. Installed apps will still run. | Yes. Installed apps will still run. User settings are removed.
Block: Blocks the client from communicating with the hierarchy. Clients can be unblocked. | Yes | Yes | Yes | Not available
Wipe: Deletes all data, and reverts to the manufacturer’s defaults. You can issue a remote wipe command by using the Configuration Manager console. Or, the user can wipe the device by using the Application Catalog or any company portal except the Windows Phone 8 company portal. | Yes | Not available | Yes | Exchange ActiveSync mailbox removal only
Delete: Deletes the mobile device permanently from the hierarchy so that the device is no longer managed. No data is removed from the device. After the device is deleted, the user has to re-enroll. | Yes | Yes | Yes | Not available
To retire, block, or wipe a
mobile device
- In the Configuration Manager console, click Assets and Compliance
and select Devices.
- Select a device and then select the action that you want to take.
Compliance Settings for Mobile
Devices
You can control compliance settings, such as password
policy, for mobile devices by using the Windows Intune
connector.
Applying Compliance Settings by
Using the Windows Intune Connector
Create configuration items to define configurations
that you want to manage and assess for compliance on mobile
devices. The steps you have to take to manage compliance settings
are as follows.
Compliance Settings for Devices That
Are Enrolled by the Windows Intune Connector
You can ensure that users comply with basic security
settings by using compliance settings. The following table lists
the compliance settings available to Windows Phone 8,
Windows RT, and iOS devices. For Android devices, you can use
the Exchange server connector for basic security settings.
Compliance setting | Windows Phone 8 | Windows RT | iOS
Require password settings on mobile devices | Yes | No | Yes
Minimum password length (characters) | Yes | Yes | Yes
Idle time before mobile device is locked | Yes | Yes | Yes
Number of passwords remembered | Yes | Yes | Yes
Password expiration in days | Yes | Yes | Yes
Password complexity | Yes | No | Yes
Number of failed logon attempts before device is wiped | Yes | Yes | Yes
Removable storage | Yes | No | No
Camera | No | No | Yes
File encryption on mobile device | Yes | No | No
App Management for Mobile Devices
Mobile apps that you deploy appear in the company
portal. Users can decide whether to download the apps to their
devices. Use the information in the following sections to help you
create and deploy applications to mobile devices.
Create an application for
Windows Phone 8 devices
For Windows Phone 8 devices, you can deploy
apps or you can deploy links to apps in the Windows Phone Store. To
deploy apps to Windows Phone 8, you must select
Windows Phone 8 devices when you configure the
Windows Intune subscription.
To create an application for a
line-of-business app for Windows Phone 8 devices
- In the Configuration Manager console, click Software Library.
- In the Software Library workspace, expand Application Management,
and then click Applications.
- In the Home tab, in the Create group, click Create Application.
- On the General page of the Create Application Wizard, select
Automatically detect information about this application from
installation files.
- In the Type drop-down list, select Windows Phone app package
(*.xap file).
- Click Browse to select the Windows Phone app package you want to
import, and then click Next.
- On the General Information page of the wizard, enter the
descriptive text and category information that you want users to
see in the company portal.
- Complete the wizard.
The new application is displayed in the
Applications node of the Software Library
workspace.
To create an application containing a
link to the Windows Phone Store for Windows Phone 8
devices
- In the Configuration Manager console, click Software Library.
- In the Software Library workspace, expand Application Management,
and then click Applications.
- In the Home tab, in the Create group, click Create Application.
- On the General page of the Create Application Wizard, select
Automatically detect information about this application from
installation files.
- In the Type drop-down, select Windows Phone app package (in the
Windows Phone Store).
- Click Browse to open the Windows Phone Store, select the app you
want to include, and then click Next.
- On the General Information page, enter the descriptive text and
category information that you want users to see in the company
portal.
- Complete the wizard.
The new application is displayed in the
Applications node of the Software Library
workspace.
Create an application for Windows RT
devices
For Windows RT devices, you can deploy
line-of-business apps or you can deploy links to apps in the
Windows Store. To deploy apps to Windows RT devices, you must
specify Windows RT devices in the Create
Windows Intune Subscription Wizard.
To create an application for
sideloading a line-of-business app for Windows RT
- In the Configuration Manager console, click Software Library.
- In the Software Library workspace, expand Application Management,
and then click Applications.
- In the Home tab, in the Create group, click Create Application.
- On the General page of the Create Application Wizard, select
Automatically detect information about this application from
installation files.
- In the Type drop-down, select Windows app package (*.appx file).
- Click Browse, select the signed .appx program file that you want
to include, and then click Next.
- On the General Information page, enter the descriptive text and
category information that you want users to see in the company
portal.
- Complete the wizard.
The new application is displayed in the
Applications node of the Software Library
workspace.
Create an application containing a link
to the Windows Store for Windows RT devices
To create a link to the Windows Store for Windows RT,
the app must be installed on a Windows 8 computer. You must first
configure WinRM for HTTPS on the Windows 8 computer.
Configure WinRM for HTTPS for the
Windows 8 computer that has the app installed
- Create an HTTPS-based listener by running winrm qc -Transport:HTTPS.
- Run the command enable-psremoting to allow PowerShell remoting.
- Run the command
winrm delete winrm/config/Listener?Address=*+Transport=HTTP
to remove the HTTP-based listener that was automatically created by
the enable-psremoting command.
- Open Windows Firewall and add an inbound rule for port 5986, which
is the default HTTPS port for Windows Remote Management (WinRM).
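After the four steps above, the computer should expose WinRM over HTTPS only. The following PowerShell is an added example, not part of the original topic, that audits that end state; the function name is hypothetical, and the script assumes an elevated session and the NetSecurity module (Windows 8 or Windows Server 2012 and later).

```powershell
# Added example, not from the original topic. Run from an elevated PowerShell
# session on the Windows 8 computer that has the app installed.

function Get-WinRmHttpsAudit {
    $listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener)

    # Each listener's Keys property holds strings such as 'Transport=HTTPS'.
    # -contains is an equality test, so 'Transport=HTTP' does not match HTTPS.
    $http  = @($listeners | Where-Object { $_.Keys -contains 'Transport=HTTP' })
    $https = @($listeners | Where-Object { $_.Keys -contains 'Transport=HTTPS' })

    # Find the certificate bound to the first HTTPS listener, if there is one.
    $cert = $null
    if ($https.Count -gt 0) {
        $leaf  = Get-Item -Path "WSMan:\localhost\Listener\$($https[0].Name)\CertificateThumbprint"
        $thumb = $leaf.Value -replace '\s', ''
        if ($thumb) {
            $cert = Get-Item -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
        }
    }
    $certValid = [bool]($cert -and $cert.NotAfter -gt (Get-Date))

    # Enabled inbound allow rules whose TCP port filter names 5986 explicitly.
    # Rules that cover 5986 only through a port range or 'Any' are not counted.
    $rules = @(Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { @($_.LocalPort) -contains '5986' } |
        Get-NetFirewallRule |
        Where-Object {
            $_.Direction -eq 'Inbound' -and
            $_.Enabled   -eq 'True'    -and
            $_.Action    -eq 'Allow'
        })

    [pscustomobject]@{
        HttpListenerCount  = $http.Count      # expected 0 after the winrm delete step
        HttpsListenerCount = $https.Count     # expected 1 or more
        CertSubject        = $cert.Subject    # empty when no certificate was found
        CertNotAfter       = $cert.NotAfter
        CertValid          = $certValid
        FirewallRules5986  = ($rules | ForEach-Object { $_.DisplayName }) -join '; '
        Compliant          = ($http.Count -eq 0) -and ($https.Count -gt 0) -and
                             $certValid -and ($rules.Count -gt 0)
    }
}

Get-WinRmHttpsAudit | Format-List
```

A remaining HTTP listener shows up as a nonzero HttpListenerCount, which means the winrm delete step did not take effect or remoting was re-enabled afterward.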
To create an application containing a
link to the Windows Store for Windows RT
- In the Configuration Manager console, click Software Library.
- In the Software Library workspace, expand Application Management,
and then click Applications.
- In the Home tab, in the Create group, click Create Application.
- On the General page of the Create Application Wizard, select
Automatically detect information about this application from
installation files.
- In the Type dropdown, select Windows app package (in the Windows
Store).
- Click Browse and then, in the Browse Windows App Packages dialog
box, connect to a computer that runs Windows 8 and that has the
required app installed, select the app, and then click Next.
- On the General Information page, enter the descriptive text and
category information that you want users to see in the company
portal.
- Complete the wizard.
The new application is displayed in the
Applications node of the Software Library
workspace.
Create an application for iOS
devices
For devices that run iOS, you can deploy
line-of-business apps or you can deploy links to apps on the App
store.
To create an application for
sideloading a line-of-business app for iOS devices
- In the Configuration Manager console, click Software Library.
- In the Software Library workspace, expand Application Management,
and then click Applications.
- In the Home tab, select Create group, and then click Create
Application.
- On the General page of the Create Application Wizard, select
Automatically detect information about this application from
installation files.
- In the Type drop-down list, select App Package for iOS (*.ipa
file).
- Click Browse, select the signed application (*.ipa) file that you
want to include, and then click Next.
- On the General Information page, enter the descriptive text and
category information that you want users to see in the company
portal.
- Complete the wizard.
The new application is displayed in the
Applications node of the Software Library
workspace.
To create an application containing a
link to the App Store for iOS devices
- In the Configuration Manager console, click Software Library.
- In the Software Library workspace, expand Application Management,
and then click Applications.
- In the Home tab, in the Create group, click Create Application.
- On the General page of the Create Application Wizard, select
Automatically detect information about this application from
installation files.
- In the Type dropdown, select App Package for iOS from App Store.
- Click Browse, select the app you want to include, and then click
Next.
- On the General Information page, enter the descriptive text and
category information that you want users to see in the company
portal.
- Complete the wizard.
The new application is displayed in the
Applications node of the Software Library
workspace.
Create an application for Android
devices
For Android devices, you can deploy apps or you can
deploy links to Google Play by using the company portal.
To create an application for
sideloading a line-of-business app for Android devices
- In the Configuration Manager console, click Software Library.
- In the Software Library workspace, expand Application Management,
and then click Applications.
- In the Home tab, in the Create group, click Create Application.
- On the General page of the Create Application Wizard, select
Automatically detect information about this application from
installation files.
- In the Type drop-down, select App Package for Android (*.apk
file).
- Click Browse, select the .apk program file you want to include,
and then click Next.
- On the General Information page, enter the descriptive text and
category information that you want users to see in the company
portal.
Note: If you create more than one deployment type for the same app,
only the deployment type with the highest priority will be
displayed in the company portal.
- Complete the wizard.
The new application is displayed in the
Applications node of the Software Library
workspace.
To create an application
containing a link to Google Play
- In the Configuration Manager console, click Software Library.
- In the Software Library workspace, expand Application Management,
and then click Applications.
- In the Home tab, in the Create group, click Create Application.
- On the General page of the Create Application Wizard, select
Automatically detect information about this application from
installation files.
- In the Type drop-down, select App Package for Android in Google
Play.
- Click Browse, select the app you want to include, and then click
Next.
- On the General Information page, enter the descriptive text and
category information that you want users to see in the company
portal.
- Complete the wizard.
The new application is displayed in the
Applications node of the Software Library
workspace.
Supersedence
Supersedence works the same for mobile apps as it does
for other apps.
For more information about superseding applications,
see How to Use
Application Supersedence in Configuration Manager.
Note |
For Windows Phone 8 devices, if you update the
company portal app, you must update to the most recent company
portal app in the Windows Subscription Wizard after you supersede
the older version of the company portal with a new version. |
Approval for Apps
A user can only request approval to download an app
from a Windows-based computer or a Windows RT device. If you
deploy an app that requires approval from an administrative user,
the user must request approval from the Application Catalog on a
Windows-based computer. As soon as the user requests approval, the
app appears in the company portal.
Requirement Rules
Requirement rules specify conditions that must be met
before a deployment type can be installed on a client device. The
requirements that are specific to mobile devices are listed in the
following table:
Platform | Requirements available
Windows Phone 8 | Not available
Windows RT | Windows 8 operating system version and language requirements are supported. Important: If you create a deployment type for a Windows app package (*.appx file) with any additional requirements, you will not be able to deploy the app to Windows RT devices.
iOS | iOS operating system, language requirements, and chassis (iPad or iPhone) are supported.
Android | Not available
For more information about requirements, see the Step 6: Specify
Requirements for the Deployment Type section in the How to Create
Deployment Types in Configuration Manager topic.
Deploying an Application to Mobile Devices
After you have created a deployment type, you can
deploy the app to mobile devices. Deploying the app will make the
app available to users on the company portal.
To deploy an application to mobile devices
- In the Configuration Manager console, click Software Library.
- In the Software Library workspace, expand Application Management, and then click Applications.
- In the Applications list, select the application that you want to deploy, and then on the Home tab, in the Deployment group, click Deploy.
- On the General page of the Deploy Software Wizard, specify the following information:
  - Software – Displays the application that you want to deploy. You can click Browse to select a different application to deploy.
  - Collection – Click Browse and select the collection that you selected for enablement in the Windows Intune Subscription Wizard.
Important |
Selecting the device collection All Mobile Devices will
not deploy apps to iOS, Android, Windows Phone 8, or
Windows RT. You must select the same user collection or a
subset of the user collection that you selected in the
Windows Intune Subscription Wizard. |
- Click Next.
- On the Content page of the wizard, select Manage.Microsoft.com as your distribution point. Click Next.
- On the Deployment Settings page of the Deploy Software Wizard, specify the following information:
  - Action – From the drop-down list, select Install to install the application.
  - Purpose – From the drop-down list, select Available. When you manage mobile devices by using the Windows Intune connector, apps must be configured as Available and do not support Required.
- Complete the wizard by specifying your preferred setting for the alerts and scheduling pages. The User Experience page is not relevant to mobile devices.
Expired Certificates for Mobile Device Apps
On iOS, Windows Phone 8, and Windows RT,
if the certificate that is used to sign apps expires, apps are no
longer available for users to download.
Platform | Expired certificate consequences | Resolution
iOS | Users can no longer install apps | Renew the APNs certificate and locate the Windows Intune Subscription iOS page to upload the new certificate. The new certificate must be created by using the same ID as the original certificate or devices have to be enrolled again.
Windows Phone 8 | Users can no longer install apps | Renew the code signing certificate and go to the Windows Intune Subscription page to upload the certificate. All apps signed with the previous certificate and the new certificate will run.
Windows RT | Users can no longer install apps | Renew the code signing certificate and open the Windows Intune Subscription Wizard Windows RT page to upload the new certificate.
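A pre-expiry check for the certificates discussed in this section, as an added example that is not part of the Configuration Manager documentation: the first function reports the days remaining on an exported signing or APNs certificate, and the second compares an original and a renewed APNs certificate before upload. The file paths, the 30-day warning window, the function names, and the reading of "same ID" as an unchanged UID attribute in the APNs certificate subject are assumptions.

```powershell
# Added example, not Configuration Manager code. Assumed: the file paths,
# the 30-day warning window, and both function names.

function Get-AppSigningCertStatus {
    param(
        [Parameter(Mandatory = $true)][string]$Path,   # exported public certificate
        [Parameter(Mandatory = $true)]
        [ValidateSet('iOS', 'Windows Phone 8', 'Windows RT')][string]$Platform,
        [int]$WarnDays = 30,
        [datetime]$Now = (Get-Date)
    )
    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
    # NotAfter and Get-Date are both local time; a negative value means expired.
    $daysLeft = [int][math]::Floor(($cert.NotAfter - $Now).TotalDays)
    if ($daysLeft -lt 0) { $state = 'Expired' } elseif ($daysLeft -le $WarnDays) { $state = 'RenewNow' } else { $state = 'OK' }
    [pscustomobject]@{
        Platform   = $Platform
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        State      = $state
    }
}

function Test-ApnsRenewalKeepsId {
    param(
        [Parameter(Mandatory = $true)][string]$OldPath,
        [Parameter(Mandatory = $true)][string]$NewPath
    )
    # Assumption: the ID that must not change is the UID attribute of the
    # certificate subject. Windows renders UID as OID.0.9.2342.19200300.100.1.1.
    $pattern = '(?:UID|OID\.0\.9\.2342\.19200300\.100\.1\.1)=([^,]+)'
    $ids = foreach ($p in $OldPath, $NewPath) {
        $file = (Resolve-Path -LiteralPath $p).ProviderPath
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
        if ($cert.Subject -match $pattern) { $Matches[1].Trim() }
        else { throw "No UID attribute in the subject of $p" }
    }
    # $true: same ID, upload the renewed certificate.
    # $false: per the table above, devices would have to be enrolled again.
    $ids[0] -eq $ids[1]
}

# Usage (constructed paths):
#   Get-AppSigningCertStatus -Path .\apns-current.cer -Platform iOS
#   Test-ApnsRenewalKeepsId -OldPath .\apns-current.cer -NewPath .\apns-renewed.cer
```

Run the status check on a schedule for each platform's certificate so that a renewal happens before users lose the ability to install apps.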
Hardware Inventory
You can inventory the following hardware properties by
using the Windows Intune connector. For information about how
to configure hardware inventory, see How to Configure
Hardware Inventory in Configuration Manager.
Hardware Inventory Class | Windows Phone 8 | Windows RT | iOS | Available by using the Exchange Server connector
Name | Device_ComputerSystem.DeviceName | Device_ComputerSystem.DeviceName | Device_ComputerSystem.DeviceName | Yes
Unique Device ID | Device_ComputerSystem.DeviceClientID | Device_ComputerSystem.DeviceName | Device_ComputerSystem.UDID | Yes
Serial Number | Not applicable | Not applicable | Device_ComputerSystem.SerialNumber | No
Email Address | Device_Email.OwnerEmailAddress | Device_Email.OwnerEmailAddress | Device_Email.OwnerEmailAddress | Yes
Operating System Type | Device_OSInformation.Platform | CCM_OperatingSystem.SystemType | Not applicable | Yes
Operating System Version | Device_ComputerSystem.SoftwareVersion | Win32_OperatingSystem.Version | Device_OSInformation.OSVersion | Yes
Build Version | Not applicable | Win32_OperatingSystem.BuildNumber | Not applicable | No
Service Pack Major Version | Not applicable | Win32_OperatingSystem.ServicePackMajorVersion | Not applicable | No
Service Pack Minor Version | Not applicable | Win32_OperatingSystem.ServicePackMinorVersion | Not applicable | Yes
Operating System Language | Device_OSInformation.Language | Not applicable | Not applicable | No
Total Storage Space | Not applicable | Win32_PhysicalMemory.Capacity | Device_Memory.DeviceCapacity | No
Free Storage Space | Not applicable | Win32_OperatingSystem.FreePhysicalMemory | Device_Memory.AvailableDeviceCapacity | No
International Mobile Equipment Identity (IMEI) | Not applicable | Not applicable | Device_ComputerSystem.IMEI | Yes
Mobile Equipment Identifier (MEID) | Not applicable | Not applicable | Device_ComputerSystem.MEID | No
Manufacturer | Device_ComputerSystem.DeviceManufacturer | Win32_ComputerSystem.Manufacturer | Not applicable | No
Model | Device_ComputerSystem.DeviceModel | Win32_ComputerSystem.Model | ModelName | Yes
Phone Number | Not applicable | Not applicable | Device_ComputerSystem.PhoneNumber | Yes
Subscriber Carrier | Not applicable | Not applicable | Device_ComputerSystem.SubscriberCarrierNetwork | Yes
Cellular Technology | Not applicable | Not applicable | Device_ComputerSystem.CellularTechnology | No
Wi-Fi MAC | Not applicable | Win32_NetworkAdapter.MACAddress | Device_WLAN.WiFiMAC | No
See Also