When you enroll mobile devices by using System Center 2012 Configuration Manager, this action installs the System Center 2012 Configuration Manager client to provide management capabilities that include hardware inventory, software deployment for required applications, settings, and remote wipe.

Mobile device clients are automatically assigned to the Configuration Manager site that enrolls them. These mobile device clients install as Internet-only clients, which means that they will communicate with the site system roles (management points and distribution points) in their assigned site when you configure these site system roles to allow client connections from the Internet. They do not communicate with site system roles outside their assigned site.

To enroll these mobile devices, you must use Microsoft Certificate Services with an enterprise certification authority (CA) and the Configuration Manager enrollment point and enrollment proxy point site system roles. During and after enrollment, public key infrastructure (PKI) certificates secure the communication between the mobile device and the Configuration Manager site. When the certificate on the mobile device is due for renewal, users are automatically prompted to renew their certificate. When they confirm the prompt, Configuration Manager automatically re-enrolls their mobile device.

Note
If you no longer want a mobile device to be enrolled for System Center 2012 Configuration Manager, you must wipe the mobile device. You can also block the client from communicating with the Configuration Manager hierarchy. If you remove the enrollment site system roles, any mobile devices that were enrolled continue to be managed by Configuration Manager, unless they are wiped.

Use the following steps and the supplemental procedures to install the client and enroll mobile devices in Configuration Manager. After you complete these steps, you can monitor the mobile devices that are enrolled by viewing the collections that display mobile devices, and by using the reports for mobile devices.

To manage the settings for these mobile devices, create mobile device configuration items and deploy them in a configuration baseline. For more information, see How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager.

Steps to Install the Client and Enroll Mobile Devices

Use the following table for the steps, details, and more information about how to install the client and enroll mobile devices.

Important
Before you perform these steps, make sure that you have all the prerequisites to install and enroll clients on mobile devices. For more information, see Prerequisites for Windows Client Deployment in Configuration Manager.

Steps Details More information

Step 1: Deploy a web server certificate to site system servers.

Deploy a web server certificate to the computers that host the following site system roles:

  • Management point

  • Distribution point

  • Enrollment point

  • Enrollment proxy point

Additionally, if you want to allow users to wipe their own mobile devices, configure Internet Information Services (IIS) with a web server certificate on the computers that host the Application Catalog website point and the Application Catalog web service point.

Important
The web server certificate must contain the Internet FQDN that is specified in the site system properties.

For information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager.

For an example deployment that creates and installs this web server certificate, see the Deploying the Web Server Certificate for Site Systems that Run IIS section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

Important
Make sure that you specify the Internet FQDN in the web server certificate for the management point, the distribution point, and the enrollment proxy point.

Step 2: Deploy a client authentication certificate to site system servers.

Deploy a client authentication certificate to the following computers that host the following site system roles:

  • Management point

  • Distribution point

For information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager.

For an example deployment that creates and installs the client certificate for management points, see the Deploying the Client Certificate for Computers section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

For an example deployment that creates and installs the client certificate for distribution points, see the Deploying the Client Certificate for Distribution Points section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

Step 3: Create and issue a certificate template for mobile device enrollment.

The certificate template must have Read and Enroll permissions for the users that have mobile devices to enroll.

See the Deploying the Enrollment Certificate for Mobile Devices section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

Step 4: Optional but recommended: Configure automatic discovery for the enrollment service.

Create a DNS alias (CNAME record) named configmgrenroll that references the site system server on which you will install the enrollment proxy point.

For more information about how to create a DNS alias, consult your DNS documentation.

Step 5: Configure the management point and distribution point.

Configure management points for the following options:

  • HTTPS

  • Allow client connections from the Internet

  • Allow mobile devices

Although distribution points are not required during the enrollment process, you must configure them to allow client connections from the Internet if you want to deploy software to these mobile devices after they are enrolled by Configuration Manager.

See the following procedure in this topic: Step 5: Configuring Management Points and Distribution Points for Mobile Devices.

Step 6: Configure the enrollment proxy point and the enrollment point.

You must install both these site system roles in the same site but you do not have to install them on the same site system server, or in the same Active Directory forest.

For more information about site system role placement and considerations, see the Planning Where to Install Sites System Roles in the Hierarchy section in the Planning for Site Systems in Configuration Manager topic.

To configure the enrollment proxy point and the enrollment point, see the following procedure in this topic: Step 6: Installing and Configuring the Enrollment Site Systems.

Step 7: Optional: Install the Application Catalog web service point and the Application Catalog website point.

Install the Application Catalog web service point and the Application Catalog website point if you want to allow users to wipe their own mobile devices.

For more information about how to install and configure these site system roles, see Configuring the Application Catalog and Software Center in Configuration Manager.

Step 8: Optional: Install the reporting services point.

Install the reporting services point if you want to run reports for mobile devices.

For more information about how to install and configure the reporting services point, see Configuring Reporting in Configuration Manager.

Step 9: Configure client settings for mobile device enrollment.

Configure the default client settings if you want all users to be able to enroll mobile devices. Or, as a best practice, configure custom client settings to restrict the users who can enroll mobile devices.

If required, change the default values for the client polling schedule and hardware inventory client settings.

For more information about client settings, see About Client Settings in Configuration Manager.

For information about how to configure these client settings, see the following procedure in this topic: Step 9: Configuring the Client Settings for Mobile Device Enrollment.

Step 10: Enroll mobile devices.

Use the web browser on the mobile device to start enrollment.

See the following procedure in this topic: Step 10: Enrolling Mobile Devices.

Supplemental Procedures to Install the Client and Enroll Mobile Devices

Use the following information when the steps in the preceding table require supplemental procedures.

Step 5: Configuring Management Points and Distribution Points for Mobile Devices

This procedure configures existing management points and distribution points to support mobile devices that are enrolled by Configuration Manager. Before you start this procedure, make sure that the site system server that runs the management point and distribution point is configured with an Internet FQDN. In addition, these site system roles must be in a primary site.

To configure management points and distribution points for mobile devices

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, select Servers and Site System Roles, and then select the server that hosts the site system roles to configure.

  3. In the details pane, right-click Management point, click Role Properties, and in the Management Point Properties dialog box, configure the following options, and then click OK:

    1. Select HTTPS.

    2. Select Allow Internet-only client connections or Allow intranet and Internet client connections. These options require that an Internet FQDN is specified in the site system properties.

    3. Select Allow mobile devices to use this management point (Configuration Manager with no service pack) or Allow mobile devices and Mac computers to use this management point (Configuration Manager SP1).

  4. In the details pane, right-click Distribution point, click Role Properties, and in the Distribution Point Properties dialog box, configure the following options, and then click OK:

    1. Select HTTPS.

    2. Select Allow Internet-only client connections or Allow intranet and Internet client connections. These options require that an Internet FQDN is specified in the site system properties.

    3. Click Import certificate, browse to the exported client distribution point certificate file, and then specify the password.

  5. Repeat steps 2 through 4 in this procedure for all management points and distribution points in primary sites that you will use with mobile devices.

Step 6: Installing and Configuring the Enrollment Site Systems

These procedures configure the site system roles for mobile device enrollment. Choose one of these procedures, depending on whether you will install a new site system server for mobile device enrollment or use an existing site system server:

To install and configure the enrollment site systems: New site system server

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, and click Servers and Site System Roles

  3. On the Home tab, in the Create group, click Create Site System Server.

  4. On the General page, specify the general settings for the site system, and then click Next.

    Important
    Make sure that you specify the Internet FQDN, even if it is the same value as the intranet FQDN. Mobile devices that are enrolled by Configuration Manager always connect to the Internet FQDN, even when they are on the intranet.
  5. On the System Role Selection page, select Enrollment proxy point and Enrollment point from the list of available roles, and then click Next.

  6. On the Enrollment Proxy Point page, review the settings and make any changes that you require, and then click Next.

  7. On the Enrollment Point Settings page, review the settings and make any changes that you require, and then click Next.

  8. Complete the wizard.

To install and configure the enrollment site systems: Existing site system server

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, select Servers and Site System Roles, and then select the server that you want to use for mobile device enrollment.

  3. On the Home tab, in the Create group, click Add Site System Roles.

  4. On the General page, specify the general settings for the site system, and then click Next.

    Important
    Make sure that you specify the Internet FQDN, even if it is the same value as the intranet FQDN. Mobile devices that are enrolled by Configuration Manager always connect to the Internet FQDN, even when they are on the intranet.
  5. On the System Role Selection page, select Enrollment proxy point and Enrollment point from the list of available roles, and then click Next.

  6. On the Enrollment Proxy Point page, review the settings and make any changes that you require, and then click Next.

  7. On the Enrollment Point Settings page, review the settings and make any changes that you require, and then click Next.

  8. Complete the wizard.

Step 9: Configuring the Client Settings for Mobile Device Enrollment

The first procedure in this step configures the default client settings for mobile device enrollment and will apply to all users in hierarchy. If you want these settings to apply to only some users, create a custom user setting and assign it to a collection that contains users who you will allow to enroll their mobile devices.

The second procedure in this step configures the default client settings for the mobile device polling interval and hardware inventory to apply to all mobile devices in the hierarchy that Configuration Manager enrolls. The hardware inventory settings also apply to client computers. If you want these settings to apply to only mobile devices or to selected mobile devices, create a custom device setting and assign it to a collection that contains the enrolled mobile devices that you want to configure with these settings.

For more information about how to create custom client settings, see How to Create and Assign Custom Client Settings.

To configure the default client settings for mobile device enrollment

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, click Client Settings.

  3. Click Default Client Settings.

  4. On the Home tab, in the Properties group, click Properties.

  5. Select the Mobile Devices (Configuration Manager with no service pack) or Enrollment (Configuration Manager SP1) section, and then configure the following user settings:

    • For Configuration Manager with no service pack:

      1. Allow users to enroll mobile devices: True

      2. Mobile device enrollment profile: Click Set Profile.

    • For Configuration Manager SP1:

      1. Allow users to enroll mobile devices and Mac computers: Yes

      2. Enrollment profile: Click Set Profile.

  6. In the Mobile Device Enrollment Profile dialog box, click Create.

  7. In the dialog box, enter a name for this mobile device enrollment profile, and then configure the Management site code. Select the System Center 2012 Configuration Manager primary site that contains the management points that will manage these mobile devices.

    Note
    If you cannot select the site, check that at least one management point in the site is configured to support mobile devices.
  8. Click Add.

  9. In the Add Certification Authority for Mobile Devices dialog box, select the certification authority (CA) server that will issue certificates to mobile devices, and then click OK.

  10. In the Create Mobile Device Enrollment Profile dialog box (Configuration Manager with no service pack) or Create Enrollment Profile dialog box (Configuration Manager SP1), select the mobile device certificate template that you created in Step 3, and then click OK.

  11. Click OK to close the dialog box, and then click OK to close the Default Client Settings dialog box.

Devices will be configured with these user settings when they next download client policy. To initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic.

To configure the default client settings for the mobile device polling interval and hardware inventory

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, click Client Settings.

  3. Click Default Client Settings.

  4. On the Home tab, in the Properties group, click Properties.

  5. To configure the client polling interval:

    • For Configuration Manager with no service pack: Select the Mobile Devices section, and configure the device setting for the polling interval.

    • For Configuration Manager SP1: Select the Client Policy section, and configure the device setting for the client policy polling interval.

  6. Select the Hardware Inventory section, and then configure the following device settings that apply to mobile devices that are enrolled by Configuration Manager:

    1. Enable hardware inventory on clients

    2. Hardware inventory schedule

    3. Hardware inventory classes

    Note
    For more information about hardware inventory, see Hardware Inventory in Configuration Manager
  7. Click OK to close the Default Client Settings dialog box.

Step 10: Enrolling Mobile Devices

This procedure installs the Configuration Manager client on a mobile device, requests and installs a certificate for the mobile device, and assigns the client to the enrollment site in Configuration Manager.

To enroll mobile devices

  • To install the client and enroll a mobile device, open a web browser on the mobile device, and then type the following, where the FQDN is the Internet FQDN of a site system server that runs the enrollment proxy point: https://<FQDN>/EnrollmentServer

    Note
    You can provide this hyperlink to users in an email message or on a web page.If you have created the DNS alias of configmgrenroll, you can use this in your link instead of the server name. The benefit of using the alias in the link is that if the server changes, you must only update DNS rather than the link that you provided to users, and when you have more than one enrollment proxy server, DNS round robin provides some fault tolerance and load balancing.

    The mobile device enrollment process prompts to enter a company email address and password. These credentials are required to authenticate the user to Active Directory Domain Services, which then authorizes the user to access the mobile device enrollment certificate template.

    Tip
    If the user does not have a company email account that is integrated with Active Directory Domain Services (for example, in a test environment), you can enter the UPN for the email address (or use domain\user name) format, and enter the password for the Active Directory account. However, the initial page does not accept the domain\user name format. To use this format, enter any value that is in the user@domain.com format, wait for this to fail the validation check, and then you can use the domain\user name format.

To verify that enrollment succeeded, update and view the collections that display mobile devices in the Assets and Compliance workspace, and view the reports for mobile devices.

See Also