Determine How to Manage Mobile Devices in Configuration Manager

Use the following information to help you decide how to manage mobile devices in System Center 2012 Configuration Manager. You can use Configuration Manager to enroll mobile devices and install the Configuration Manager client, you can use the mobile device legacy client (for example, for Windows CE mobile operating systems), and you can use the Exchange Server connector. In addition, in Configuration Manager SP1, you can enroll devices that run Windows Phone 8, Windows RT, and iOS by using the Windows Intune connector.

The following table lists these four mobile device management methods and provides information about the management functions that each method supports.

Management functionality	Enrollment by Windows Intune	Enrollment by Configuration Manager	Mobile device legacy client	Exchange Server connector
Public key infrastructure (PKI) security between the mobile device and Configuration Manager by using mutual authentication and SSL to encrypt data transfers	Yes	Yes More information: Requires Active Directory Certificate Services and an enterprise certification authority (CA). The mobile device certificates are installed automatically by Configuration Manager during the enrollment process.	Yes More information: Any PKI that meets the certificate requirements. The mobile device certificates must be installed independently from Configuration Manager.	No
Client installation	No More information: Instead of a client the user installs or connects to a company portal.	Yes More information: Installed by the user from the browser on the mobile device.	Yes More information: Installed by an administrative user by deploying a package and program.	No
Support over the Internet	Yes	Yes	Yes	Yes
Discovery	No	No	No	Yes
Hardware inventory	Yes	Yes More information: You can collect default information and create your own customized hardware inventory.	Yes	Yes More information: Limited by what Exchange Server collects.
Software inventory	No	No	Yes More information: List of installed software only; you cannot inventory all files and you cannot collect files.	No
Settings	Yes More information: Deploy configuration baselines that contain mobile device configuration items on Windows Phone 8, Windows RT, and iOS. You can configure default settings and create your own customized settings.	Yes More information: Deploy configuration baselines that contain mobile device configuration items. You can configure default settings and create your own customized settings.	No	Yes More information: Limited by the settings in the default Exchange ActiveSync mailbox policies.
Software deployment	Yes More information: You can deploy available apps that users can download from the company portal.	Yes More information: You can deploy required applications (install and uninstall), but not packages or software updates. Available applications, which users request from the Application Catalog, are not supported for mobile devices. Mobile devices also do not support simulated deployments.	Yes More information: You can deploy packages, but not applications or software updates.	No
Monitor with the fallback status point	No	No	Yes	No
Connections to management points	No	Yes More information: A single management point in the client’s assigned (primary) site.	Yes More information: A single management point in primary sites and secondary sites.	No
Connections to distribution points	Yes More information: manage.microsoft.com is the only distribution point that is used.	Yes More information: Distribution points in the assigned (primary) site.	Yes More information: Distribution points in primary sites and secondary sites.	No
Block from Configuration Manager	Yes	Yes	Yes	No
Quarantine and block from Exchange Server (and Configuration Manager)	No	No	No	Yes
Remote wipe	Yes	Yes More information: By Configuration Manager and by a user from the Configuration Manager Application Catalog.	No	Yes More information: By Configuration Manager and by a user if supported by Exchange.

For more information about the mobile operating systems that System Center 2012 Configuration Manager supports, see Supported Configurations for Configuration Manager.

Use Configuration Manager to enroll mobile devices when the mobile operating system is supported by System Center 2012 Configuration Manager mobile device enrollment and when both of the following conditions apply:

You have a Microsoft enterprise CA to issue and manage the required certificates.

You want the additional management features or settings that are not supported by the Exchange Server connector, such as software installation and full hardware inventory.

Important
If the mobile device synchronizes with Exchange Server, set the Exchange flag AllowExternalDeviceManagement to ensure that the mobile device continues to receive email from Exchange after it is enrolled by Configuration Manager. If you install the Configuration Manager Exchange Server connector, you can set this flag by configuring the option External mobile device management in the Exchange Server connector properties. If you do not install the connector, you must set this flag by using the Exchange management tools. For example, use the PowerShell cmdlet Set-ActiveSyncMailPolicy with the parameter AllowExternalDeviceManagement.

Important

If the mobile device synchronizes with Exchange Server, set the Exchange flag AllowExternalDeviceManagement to ensure that the mobile device continues to receive email from Exchange after it is enrolled by Configuration Manager. If you install the Configuration Manager Exchange Server connector, you can set this flag by configuring the option External mobile device management in the Exchange Server connector properties. If you do not install the connector, you must set this flag by using the Exchange management tools. For example, use the PowerShell cmdlet Set-ActiveSyncMailPolicy with the parameter AllowExternalDeviceManagement.

Use the mobile device legacy client when the mobile operating system is not supported by System Center 2012 Configuration Manager mobile device enrollment and when both of the following conditions apply:

You can install the required PKI certificates on the mobile device and the Configuration Manager site systems (management point and distribution point).
You want to install software packages on the mobile device and collect hardware inventory.

Manage mobile devices by using the Exchange Server connector when the mobile device can connect to Exchange Server by using ActiveSync and when either of the following conditions applies:

You do not require the security that a PKI offers or you do not have a PKI.
You do not require all the management functions and settings that enrollment provides.

Dual Management: Enrolled by Configuration Manager and Managed by Using the Exchange Server Connector

You can enroll a mobile device by using Configuration Manager and also manage it by using the Exchange Server connector. In this scenario, although you see only one mobile device in the Configuration Manager console, you have dual management for a mobile device and the following consequences:

No settings are applied from the Exchange Server connector; you must configure the mobile device settings by deploying a configuration baseline.
If you collect hardware inventory by enabling the client setting for hardware inventory and by using the Exchange Server connector, the hardware inventory information from the mobile device is consolidated by Configuration Manager.

Dual Management: Enrolled by Configuration Manager and Managed by Using the Exchange Server Connector

See Also

Concepts