Fundamentals of Configuration Manager 2012

Updated: May 1, 2011

Applies To: System Center Configuration Manager 2012

If you are new to Configuration Manager, use the following information to learn about the basic concepts for Microsoft System Center Configuration Manager 2012 before you run Setup or read more detailed information. If you are familiar with Configuration Manager 2007, see What’s New in Configuration Manager 2012.

Sites

When you install Configuration Manager 2012 for the first time, you create a Configuration Manager site that is the foundation from which to manage devices and users in your enterprise. This site is either a central administration site or a primary site. A central administration site is suitable for large-scale deployments and provides a central point of administration and flexibility for you to support a global network infrastructure. A primary site is suitable for smaller deployments and it has fewer options to accommodate any future growth of your enterprise.

When you install a central administration site, you must also install at least one primary site to manage users and devices. With this design, you can install additional primary sites to manage more devices and to control network bandwidth when devices are in different geographical locations. You can also install another type of site that is named a secondary site. Secondary sites extend a primary site to manage a few devices that have a slow network connection to the primary site.

When the first site that you install is a primary site instead of a central administration site, you cannot install additional primary sites. However, you can still install one or more secondary sites to extend the primary site when you need to manage a few devices that have a slow network connection to the primary site. If you do not install any secondary sites from this single primary site, the site is referred to as a standalone site.

When you have more than one site that communicates with each other, you have an arrangement of sites that is referred to as a hierarchy.

Publishing Site Information to Active Directory Domain Services

If you extend the Active Directory schema for Configuration Manager 2012, you can publish Configuration Manager 2012 sites to Active Directory Domain Services so that Active Directory computers can securely retrieve Configuration Manager 2012 site information from a trusted source. Although publishing site information to Active Directory Domain Services is not required for basic Configuration Manager functionality, this configuration increases the security of your Configuration Manager 2012 hierarchy and reduces administrative overhead.

You can extend the Active Directory schema before or after you install Configuration Manager 2012. Before you can publish site information, you must also create an Active Directory container named System Management in each domain that contains a Configuration Manager 2012 site. You must also configure the Active Directory permissions so that the site can publish its information to this Active Directory container. As with all schema extensions, you extend the schema for Configuration Manager 2012 one time only per forest.

Site System Servers and Site System Roles

Configuration Manager uses site system roles to support management operations at each site. When you install a Configuration Manager site, some site system roles are automatically installed and assigned to the server on which Configuration Manager Setup has run successfully. One of these site system roles is the site server, which you cannot transfer to another server or remove without uninstalling the site. You can use other servers to run additional site system roles or to transfer some site system roles from the site server by installing and configuring Configuration Manager site system servers.

Each site system role supports different management functions. The site system roles that provide basic management functionality are described in the following table.

Site System Role: Description

Site server: A site server is the computer on which you run Configuration Manager 2012 Setup and it provides the core functionality for the site.

Site database server: A site database server hosts the SQL Server database to store information about assets and site data.

Component server: A component server runs Configuration Manager services and it is automatically installed with all site systems except the distribution point.

Management point: A management point provides policy and content location information to clients. It also receives configuration data from clients.

Distribution point: A distribution point contains source files for clients to download, such as application content, software packages, software updates, operating system images, and boot images. You can control content distribution by using bandwidth, throttling, and scheduling options.

Reporting services point: A reporting services point integrates with SQL Server Reporting Services to create and manage reports for Configuration Manager.

When companies first deploy Configuration Manager in a production environment, they often run multiple site system roles on the site server and have additional site system servers for distribution points. Then they install additional site system servers and add new site system roles, according to their business requirements and network infrastructure.

The additional site system roles that you might need for specific functionality are listed in the following table.

Site System Role: Description

Server locator point: A server locator point completes site assignment for clients that cannot retrieve site information from Active Directory Domain Services. It also provides management point information to clients when they cannot retrieve the information from Active Directory Domain Services or from other sources.

State migration point: A state migration point stores user state data when a computer is migrated to a new operating system.

Software update point: A software update point integrates with Windows Server Update Services (WSUS) to provide software updates to Configuration Manager clients.

System Health Validator point: A System Health Validator point validates Configuration Manager Network Access Protection (NAP) policies. It must be installed on a NAP health policy server.

Fallback status point: A fallback status point helps you monitor client installation and identify the clients that are unmanaged because they cannot communicate with their management point.

Out of band service point: An out of band service point provisions and configures AMT-based computers for out of band management.

Asset Intelligence synchronization point: An Asset Intelligence synchronization point connects to System Center Online to download Asset Intelligence catalog information and upload uncategorized titles so that they can be considered for future inclusion in the catalog.

Application Catalog web service point: An Application Catalog web service point provides software information to the Application Catalog website from the Software Library.

Application Catalog website point: An Application Catalog website point provides users with a list of available software.

Mobile device enrollment proxy point: A mobile device enrollment proxy point manages enrollment requests from mobile devices so that they can be managed by Configuration Manager.

Mobile device and AMT enrollment point: A mobile device and AMT enrollment point uses PKI certificates to complete mobile device enrollment and provision AMT-based computers.

Clients

Configuration Manager 2012 clients are devices (such as workstations, laptops, servers, and mobile devices) that have the Configuration Manager client software installed so that you can manage them. Management includes operations such as reporting hardware and software inventory information, installing software, and configuring settings that are needed for compliance. Configuration Manager has discovery methods that you can use to find devices on your network to help you to install the client software on them.

Configuration Manager has a number of options to install the client software on devices. These options include client push installation, software update-based installation, group policy, and manual installation. You can also include the client when you deploy an operating system image.

Configuration Manager uses collections to group devices so that you can perform management tasks on multiple devices that share a common set of criteria. For example, you might want to install a mobile device application on all mobile devices, in which case you could use the All Mobile Devices collection, which automatically excludes computers. You can create your own collections to logically group the devices that you manage, according to your business requirements.

User-Centric Management

In addition to the collections for devices, there are also user collections that contain users from Active Directory Domain Services. User collections allow you to install software on all computers that the user logs into, or you can configure user device affinity so that the software installs on only the main devices that the user uses. These main devices are called primary devices and a user can have one or more primary devices.

Users can manage their software and request new applications by using the client application, named Software Center. This application installs when the Configuration Manager 2012 client installs and allows users to browse the Application Catalog to find and request applications. Users can also specify their primary devices from the Application Catalog, if you allow this configuration. Other methods of configuring the user device affinity information include importing the information from a file and using tracking data.

Client Settings

When you first install Configuration Manager 2012, all clients in the hierarchy are configured with default client settings, which you can modify. These client settings include configuration options such as how often devices communicate with the site, whether the client is enabled for software updates and other management operations, and whether users can enroll their mobile devices to be managed by Configuration Manager. If you need different client settings for groups of users or devices, you can create custom client settings and then assign them to collections. Users or devices that are in the collection will be configured with the custom settings. You can create multiple custom client settings and they are applied in the order that you specify. If there is a conflict between settings on a device or user, similar to Group Policy behavior, the final configuration for the device or user will be the last custom setting that is applied.
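The precedence rule in the paragraph above, as an added example (not code from the Microsoft documentation): default settings are overlaid by each custom client settings object that targets one of the device's collections, in the order the administrator applies them, so the last one applied wins a conflict. The setting names, default values, and collection names are constructed for illustration and are not Configuration Manager's own names.

```python
# Added example (not from the Microsoft documentation): a model of how custom
# client settings override the default client settings, as the text describes.
# Setting names, default values and collection names below are constructed.
from dataclasses import dataclass

# Constructed stand-ins for the default client settings every client starts with.
DEFAULT_CLIENT_SETTINGS = {
    "policy_polling_interval_minutes": 60,
    "software_updates_enabled": True,
    "mobile_device_enrollment_allowed": False,
}


@dataclass(frozen=True)
class CustomClientSettings:
    """A custom client settings object assigned to one or more collections."""
    name: str
    collections: frozenset   # collections the custom settings are assigned to
    overrides: dict          # only the options this object changes


def effective_client_settings(device_collections, custom_settings_in_order):
    """Resolve the settings a device ends up with.

    custom_settings_in_order lists the custom client settings in the order the
    administrator applies them. Each object that targets a collection the device
    belongs to overlays the running result, so on a conflict the last one
    applied wins (the Group Policy-like behaviour described above).
    Returns (effective_settings, names_of_applied_objects).
    """
    effective = dict(DEFAULT_CLIENT_SETTINGS)
    applied = []
    for custom in custom_settings_in_order:
        if custom.collections & device_collections:
            effective.update(custom.overrides)
            applied.append(custom.name)
    return effective, applied


# Constructed custom client settings that conflict on the polling interval.
BRANCH_OFFICES = CustomClientSettings(
    "Branch offices", frozenset({"Branch Workstations"}),
    {"policy_polling_interval_minutes": 240},
)
PILOT_GROUP = CustomClientSettings(
    "Pilot group", frozenset({"Pilot Devices"}),
    {"policy_polling_interval_minutes": 15, "mobile_device_enrollment_allowed": True},
)
APPLY_ORDER = [BRANCH_OFFICES, PILOT_GROUP]


if __name__ == "__main__":
    # A device in both collections: the pilot settings are applied last and win.
    settings, applied = effective_client_settings(
        frozenset({"Branch Workstations", "Pilot Devices"}), APPLY_ORDER)
    print(applied, settings)
```

Reversing the list passed as `custom_settings_in_order` reverses the outcome of the conflict while leaving non-conflicting overrides in place, which is the point to check when a device unexpectedly reports a setting you thought you had overridden.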

Limited Management without Clients

The Configuration Manager 2012 client software provides full management capability for users and devices but there are also two scenarios in which you can manage devices independently from the client software: out of band management, which uses Intel Active Management Technology (AMT), and mobile devices that are connected to an Exchange Server computer.

Configuration Manager uses the client software to provision and configure computers for AMT, but when you perform AMT management operations, the client software is not used. Instead, Configuration Manager connects directly to the AMT management controller. This means that you continue to have some management control over computers that are not started or are not responding at the operating system level. For example, you could restart these computers, re-image them, or run diagnostic utilities to help troubleshoot them.

When you cannot install the Configuration Manager client software on mobile devices, you can still manage them by using the Exchange Server connector. The connector allows you to configure the settings in the Exchange Default ActiveSync mailbox policy. Any settings that are defined in this policy can be configured by Configuration Manager, and this connector also supports remote wipe. Any mobile device that you manage by using the Exchange Server connector displays in the All Mobile Devices collection, even though the device does not have the Configuration Manager 2012 client installed on it. Because the client is not installed, you cannot deploy software to these devices.

Client Management Tasks

After you have installed Configuration Manager clients, you can perform various client management tasks, which include the following:

  • Deploy applications, software updates, maintenance scripts, and operating systems. You can configure these to install by a specified date and time, or make them available for users to install when they are requested, and you can configure applications to be uninstalled.

  • Define client configuration settings that you want to monitor and remediate if they are out of compliance.

  • Collect hardware and software inventory information, which includes monitoring and reconciling license information from System Center Online.

  • Troubleshoot computers by using remote control or by using AMT operations for AMT-based computers that are not responding.

  • Implement power management settings to manage and monitor the power consumption of computers.

You can use the Configuration Manager console to monitor these operations in near real-time, by using alerts and status information. For capturing data and historical trending, you can use the integrated reporting capabilities of SQL Reporting Services.

To help ensure that you continue to manage the Configuration Manager 2012 clients, use the client status information, which provides data about client health and client activity. This data helps you identify computers that are not responding, and in some cases problems can be remediated automatically.

Configuration Manager (Windows Control Panel)

When you install the Configuration Manager client, the Configuration Manager client application is also installed in Control Panel. Unlike Software Center, this application is not intended to be used by end users, but rather by the help desk. Some configuration options require local administrative permissions. You can use this application to perform the following tasks on an individual client:

  • View properties about the client, such as the build number, its assigned site, which management point it is communicating with, and whether it is using a PKI certificate or a self-signed certificate.

  • Confirm that the client has successfully downloaded client policy after it is installed for the first time and that client settings are enabled or disabled as expected, according to the client settings that are configured in the Configuration Manager console.

  • Initiate client actions, such as downloading the client policy when the configuration has recently changed in the Configuration Manager console and you do not want to wait until the next scheduled time.

  • Manually assign a client to a Configuration Manager site or try to find a site, and specify the DNS suffix for management points that publish to DNS.

  • Configure the client cache that temporarily stores files, and delete files in the cache if you need more disk space to install software.

  • Configure settings for Internet-based client management.

  • View configuration baselines that have been deployed to the client, initiate compliance evaluation, and view compliance reports.

Security

Security for Configuration Manager 2012 consists of several layers. First, Windows provides many security features for both the operating system and the network, such as the following:

  • File sharing to transfer files between Configuration Manager 2012 components

  • Access Control Lists (ACLs) to secure files and registry keys

  • IPsec for securing communications

  • Group Policy for setting security policy

  • DCOM permissions for distributed applications, such as the Configuration Manager console

  • Active Directory Domain Services to store security principals

  • Windows account security, including some groups that are created during Configuration Manager 2012 Setup

Additional security components, such as firewalls and intrusion detection, help provide defense in depth for the entire environment. Certificates issued by industry standard PKI implementations help provide authentication, signing, and encryption.

Configuration Manager 2012 controls access to the Configuration Manager console in several ways. By default, only local Administrators have rights to the files and registry keys that are required to run the Configuration Manager console on the computers where it is installed.

The next layer of security is based on access through Windows Management Instrumentation (WMI), specifically the SMS Provider. The SMS Provider is restricted by default to members of the local SMS Admins group. This group initially contains only the user who installed Configuration Manager 2012. To grant other accounts permission to the Common Information Model (CIM) repository and the SMS Provider, add the other accounts to the SMS Admins group.

The final layer of security is based on permissions to objects in the site database. By default, the Local System account and the user account that you used to install Configuration Manager 2012 have access to administer all objects in the site database. You can grant and restrict permissions to additional administrative users in the Configuration Manager console by using role-based administration.

Role-Based Administration

Configuration Manager 2012 uses role-based administration to secure objects such as collections, deployments, and sites. This administration model centrally defines and manages hierarchy-wide security access settings for all sites and site settings. Security roles group typical administrative tasks that are assigned to administrative users, and security scopes group the permissions that are applied to site objects, such as deployments. The combination of security roles, security scopes, and collections define what objects an administrative user can view and manage. Configuration Manager 2012 installs some default security roles for typical management tasks, but you can create your own security roles to support your specific business requirements.
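A simplified model of the authorization rule described above, added here as an example (it is not code from the Microsoft documentation and not the product's actual implementation): an administrative user may perform an operation on an object only if one of their security roles grants that operation on the object's type, the object is in a security scope assigned to the user, and, for a deployment, the targeted collection is assigned to the user. Role names, permission names, scope names, collection names, and the sample objects are constructed.

```python
# Added example (not from the Microsoft documentation): a simplified model of
# role-based administration as the text describes it. Role names, permission
# names, scope names and collection names are constructed for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SecurityRole:
    """Groups administrative tasks as (object type, operation) permissions."""
    name: str
    permissions: frozenset


@dataclass(frozen=True)
class SiteObject:
    """An object in the site database, tagged with its security scopes.

    A deployment also carries the collection it targets, so the collections
    assigned to a user limit which deployments that user can see or manage.
    """
    name: str
    object_type: str
    scopes: frozenset
    collection: Optional[str] = None


@dataclass(frozen=True)
class AdministrativeUser:
    name: str
    roles: tuple
    scopes: frozenset        # security scopes assigned to the user
    collections: frozenset   # collections assigned to the user


def is_authorized(user, operation, obj):
    """All three checks must pass: a role grants the operation on this object
    type, the object is in a scope assigned to the user, and (for deployments)
    the targeted collection is assigned to the user."""
    role_ok = any((obj.object_type, operation) in r.permissions for r in user.roles)
    scope_ok = bool(obj.scopes & user.scopes)
    collection_ok = obj.collection is None or obj.collection in user.collections
    return role_ok and scope_ok and collection_ok


def authorized_objects(user, operation, objects):
    """Names of the objects the user may perform the operation on."""
    return [o.name for o in objects if is_authorized(user, operation, o)]


# Constructed roles: a read-only role and a fuller application-management role.
READ_ONLY = SecurityRole("Read-only (constructed)", frozenset({
    ("application", "read"), ("deployment", "read"), ("collection", "read")}))
APP_ADMIN = SecurityRole("Application admin (constructed)", frozenset({
    ("application", "read"), ("application", "modify"),
    ("deployment", "read"), ("deployment", "create"), ("collection", "read")}))

# Constructed site objects in two security scopes.
OBJECTS = [
    SiteObject("7-Zip", "application", frozenset({"Default"})),
    SiteObject("Payroll Tool", "application", frozenset({"Finance"})),
    SiteObject("7-Zip to Workstations", "deployment", frozenset({"Default"}),
               collection="All Workstations"),
    SiteObject("Payroll Tool to Finance", "deployment", frozenset({"Finance"}),
               collection="Finance PCs"),
]

# Constructed administrative users with different roles, scopes and collections.
HELP_DESK = AdministrativeUser(
    "helpdesk", (READ_ONLY,), frozenset({"Default"}), frozenset({"All Workstations"}))
FINANCE_ADMIN = AdministrativeUser(
    "finadmin", (APP_ADMIN,), frozenset({"Finance"}), frozenset({"Finance PCs"}))


if __name__ == "__main__":
    for user in (HELP_DESK, FINANCE_ADMIN):
        print(user.name, "can read:", authorized_objects(user, "read", OBJECTS))
        print(user.name, "can modify:", authorized_objects(user, "modify", OBJECTS))
```

The useful property to notice is that widening any single dimension on its own does not widen access: giving the help desk user the application-admin role still exposes nothing in the Finance scope, and adding the Finance scope without the Finance collection still hides the Finance deployment.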

Securing Client Endpoints

Client communication to site system roles is secured by using either self-signed certificates or public key infrastructure (PKI) certificates. Mobile devices and clients that Configuration Manager detects to be on the Internet must use PKI certificates, and the client endpoints are secured by using HTTPS. The site system roles that clients connect to can be configured for HTTPS or HTTP client communication. Client computers always communicate by using the most secure method available and fall back to the less secure HTTP method on the intranet only if you have site system roles that are configured for HTTP communication and the client cannot establish an HTTPS connection.
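The selection rule in the paragraph above, as an added example (not code from the Microsoft documentation): HTTPS is chosen whenever it can be established, Internet clients and mobile devices get no HTTP fallback, and intranet clients fall back to HTTP only when the role is configured for it. The example assumes, as a simplification, that an HTTPS connection can be established only when the role accepts HTTPS and the client holds a PKI certificate; the client and role names are constructed.

```python
# Added example (not from the Microsoft documentation): a model of the rule in
# the text for which protocol a client uses to reach a site system role.
# Client and role names are constructed; the HTTPS condition is a simplification.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ClientEndpoint:
    name: str
    on_internet: bool    # Configuration Manager detected the client on the Internet
    is_mobile: bool
    has_pki_cert: bool   # PKI client certificate; otherwise self-signed only


@dataclass(frozen=True)
class SiteSystemRole:
    name: str
    https_enabled: bool  # role configured for HTTPS client communication
    http_enabled: bool   # role configured for HTTP client communication


def choose_protocol(client: ClientEndpoint, role: SiteSystemRole) -> Optional[str]:
    """Return "https", "http", or None when the client cannot connect at all.

    Assumption: an HTTPS connection can be established only when the role is
    configured for HTTPS and the client holds a PKI certificate.
    """
    # Most secure method available comes first.
    if role.https_enabled and client.has_pki_cert:
        return "https"
    # Internet clients and mobile devices must use PKI certificates over
    # HTTPS, so there is no HTTP fallback for them.
    if client.on_internet or client.is_mobile:
        return None
    # Intranet fallback: only if the role is configured for HTTP.
    return "http" if role.http_enabled else None


def audit(clients, role):
    """Map each client to the protocol it would use against one role. Clients
    mapped to "http" are the ones that silently fell back; clients mapped to
    None cannot be managed through this role at all."""
    return {c.name: choose_protocol(c, role) for c in clients}


# Constructed clients covering the cases the rule distinguishes.
CLIENTS = [
    ClientEndpoint("intranet-pki", on_internet=False, is_mobile=False, has_pki_cert=True),
    ClientEndpoint("intranet-selfsigned", on_internet=False, is_mobile=False, has_pki_cert=False),
    ClientEndpoint("internet-pki", on_internet=True, is_mobile=False, has_pki_cert=True),
    ClientEndpoint("internet-selfsigned", on_internet=True, is_mobile=False, has_pki_cert=False),
    ClientEndpoint("mobile-pki", on_internet=False, is_mobile=True, has_pki_cert=True),
]

# Constructed management points: one accepting both protocols, one HTTPS only.
MP_MIXED = SiteSystemRole("MP01 (constructed)", https_enabled=True, http_enabled=True)
MP_HTTPS_ONLY = SiteSystemRole("MP02 (constructed)", https_enabled=True, http_enabled=False)
MP_HTTP_ONLY = SiteSystemRole("MP03 (constructed)", https_enabled=False, http_enabled=True)


if __name__ == "__main__":
    for role in (MP_MIXED, MP_HTTPS_ONLY, MP_HTTP_ONLY):
        print(role.name, audit(CLIENTS, role))
```

Running the audit against the HTTP-only role shows the cost of leaving a role on HTTP: every Internet client and every mobile device is unreachable, and even PKI-equipped intranet clients drop to HTTP. Running it against the HTTPS-only role shows the opposite trade-off: nothing falls back, but intranet clients without a PKI certificate cannot connect.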

Configuration Manager Accounts and Groups

Configuration Manager 2012 uses the Local System account for most site operations. However, some management tasks might require creating and maintaining additional accounts. Several default groups and SQL Server roles are created during Setup, but you might have to manually add computer or user accounts to these default groups and roles.

Privacy

Although network management products offer many advantages because they can effectively manage large numbers of clients, you must also be aware of how this software might affect the privacy of users in your organization. Configuration Manager 2012 includes many tools to gather data and monitor devices, some of which could raise privacy concerns.

For example, when you install the Configuration Manager 2012 client, many management settings are enabled by default, which result in the client software sending information to the Configuration Manager site. Client information is stored in the Configuration Manager database and it is not sent to Microsoft. Before you implement Configuration Manager 2012, consider your privacy requirements.
