Introduction to Client Deployment in Configuration Manager 2012

Updated: March 15, 2011

Applies To: System Center Configuration Manager 2012

Client deployment in Configuration Manager 2012 refers to the planning, installation and management of Configuration Manager 2012 client computers and mobile devices in your enterprise. The methods used to manage computers and mobile devices are different. This book contains information about how to plan, configure, manage and monitor client deployment in Configuration Manager 2012.

Deploying the Configuration Manager Client to Windows-based Computers

The following table lists the various methods that you can use to install the Configuration Manager 2012 client software. For information about deciding which client installation method to use, see Determine the Client Installation Method to Use in Configuration Manager 2012. For more information about installing the client, see How to Install Clients in Configuration Manager 2012.

 

| Client Installation Method | Description |
| --- | --- |
| Client push installation | Use this method to automatically install the client to assigned resources and to manually install the client to resources that are not assigned. |
| Software update point installation | Used to install the client using the Configuration Manager 2012 software updates feature. |
| Group Policy installation | Used to install the client using Windows Group Policy. |
| Logon script installation | Used to install the client by means of a logon script. |
| Manual installation | Used to manually install the client software. |
| Upgrade installation | Uses Configuration Manager 2012 application management to upgrade clients to a newer version. You can also use Configuration Manager 2007 software distribution to upgrade clients to Configuration Manager 2012. |
| Client Imaging | Used to pre-stage the client installation in an operating system image. |

After the client has installed successfully, it will attempt to assign to a site and find that site's management point to download policy. For more information about site assignment, see How to Assign Clients to a Site in Configuration Manager 2012.

The client's success or failure for these processes can be captured with the fallback status point if this role has been defined for the site, and the client is configured to use it. For more information about the fallback status point, see Determine the Site System Roles You Need for Clients in Configuration Manager 2012.

What’s New in Configuration Manager 2012

Clients are no longer configured for mixed mode or native mode, but instead use HTTPS with PKI certificates or HTTP with self-signed certificates, depending on the configuration of the site system roles that the clients connect to and whether the clients have a valid PKI certificate that includes client authentication capability. Review the Client certificate value in the General tab of the Configuration Manager client properties to determine the current client communication method. This value displays PKI certificate when the client is communicating with a management point over HTTPS and Self signed when the client communicates with a management point over HTTP. Just as the client property value for the Connection type updates, depending on the current network status of the client, so the Client certificate client property value updates, depending on which management point the client communicates with.

Because Configuration Manager 2012 does not use mixed mode and native mode, the client installation property, /native: [<native mode option>], is no longer used. Instead, use /UsePKICert to use a PKI certificate that has client authentication capability, if it is available, but fall back to an HTTP connection if no certificate is available. If /UsePKICert is not specified, the client does not attempt to communicate by using a PKI certificate, but communicates by using HTTP only. Additionally, use the new command /NoCRLCheck if you do not want a client to check the CRL before it establishes an HTTPS communication.
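The switch behavior described above can be checked against existing deployment scripts before they are reused. The following PowerShell is an added example, not part of the original documentation; the function name, server name, site code and sample command lines are constructed for illustration.

```powershell
# Added example: audit CCMSetup command lines against the switch behavior described above.
function Test-CcmSetupCommandLine {
    param([Parameter(Mandatory = $true)][string]$CommandLine)

    # Keep only "/switch" tokens, lower-cased, with any ":value" suffix removed
    # (for example "/native:FALLBACK" becomes "/native").
    $switches = @($CommandLine -split '\s+' |
        Where-Object { $_ -like '/*' } |
        ForEach-Object { ($_ -split ':', 2)[0].ToLowerInvariant() })

    $findings = @()
    if ($switches -contains '/native') {
        $findings += '/native: is no longer used in Configuration Manager 2012'
    }
    if ($switches -notcontains '/usepkicert') {
        $findings += 'No /UsePKICert: the client communicates by using HTTP only'
    }
    if ($switches -contains '/nocrlcheck') {
        $findings += '/NoCRLCheck: the CRL is not checked before HTTPS communication'
    }

    [pscustomobject]@{
        CommandLine = $CommandLine
        Findings    = $findings
        Clean       = ($findings.Count -eq 0)
    }
}

# Constructed sample command lines (server name and site code are placeholders).
$samples = @(
    'ccmsetup.exe /mp:mp01.contoso.example /native:FALLBACK SMSSITECODE=P01',
    'ccmsetup.exe /mp:mp01.contoso.example SMSSITECODE=P01',
    'ccmsetup.exe /UsePKICert /NoCRLCheck SMSSITECODE=P01',
    'ccmsetup.exe /UsePKICert SMSSITECODE=P01'
)
$samples | ForEach-Object { Test-CcmSetupCommandLine -CommandLine $_ } | Format-List
```

Only the last sample reports no findings: it requests a PKI certificate and leaves CRL checking enabled.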

The client.msi property SMSSIGNCERT is still used but requires the exported self-signed certificate of the site server. This certificate is stored in the SMS certificate store and has the Subject name Site Server and the friendly name Site Server Signing Certificate.

Managing Mobile Devices in Configuration Manager 2012

Configuration Manager 2012 enables you to manage mobile devices in the enterprise. Administrative users can use the following Configuration Manager 2012 features to administer mobile devices that run supported operating systems:

  • Hardware inventory

  • Asset Intelligence

  • File collection

  • Application management

  • Compliance settings

When you cannot install the Configuration Manager 2012 client on mobile devices, you can use the Exchange Server connector to find and manage mobile devices that connect to Exchange Server. The mobile devices are then managed by the settings that you define in Configuration Manager 2012 instead of by the default Exchange mailbox policies.

What’s New in Configuration Manager 2012

The following are new for mobile devices in Configuration Manager 2012:

  • Enrollment for mobile devices in Configuration Manager 2012 is now natively supported by using the two new enrollment site system roles (the mobile device enrollment proxy point and the mobile device and AMT enrollment point) and a Microsoft enterprise certification authority. For Configuration Manager to enroll and manage mobile devices, you must configure IIS with a web server certificate on the computers that hold the following site system roles: the management point, the distribution point, the mobile device and AMT enrollment point, and the mobile device enrollment proxy point. Additionally, if you want to allow users to wipe their own mobile devices, configure IIS with a web server certificate on the computers that hold the Application Catalog web service point and the Application Catalog website point. For more information about how to deploy this certificate, see . You must also create and issue a certificate template for mobile device enrollment. For more information about how to deploy this certificate template, see .

    After the certificates are configured, use the following steps to enroll mobile devices:

    1. Optional but recommended to support automatic discovery for the enrollment service: Create a DNS alias (CNAME) named ConfigMgrEnroll that points to the site system server on which you will install the mobile device enrollment proxy point.

    2. Configure the management point and distribution point site system roles for client connections over HTTPS and configure the management point to allow mobile devices.

    3. Install the mobile device enrollment proxy point and the mobile device and AMT enrollment point. If you want to allow users to wipe their own mobile devices, install the Application Catalog web service point and the Application Catalog website point. Optionally, install the reporting services point if you want to run reports for mobile devices.

    4. Edit the default client settings (for all users) or create custom client settings that are assigned to a collection that contains users who you will allow to enroll their mobile devices. Configure the client user setting option for mobile devices to allow users to enroll their mobile devices, and then create a mobile device enrollment profile that is configured to use the certificate template that you created for mobile device enrollment. In the profile, specify the Configuration Manager site that contains the enrollment site system roles for the Site Code and specify the Configuration Manager site that will manage the mobile device for the Assigned Site Code.

    5. To enroll a mobile device, start the mobile device browser, type https://<FQDN>/ClientCabs/ConfigMgrEnroll.Cab to download and open the file, and then follow the instructions. If you have not configured a DNS alias, you must specify the FQDN of the site system server that holds the mobile device enrollment proxy point.

  • New in Configuration Manager 2012, the Exchange Server connector allows you to find and manage devices that connect to Exchange Server (on-premises or hosted) by using the Exchange ActiveSync protocol. Use this mobile device management process when you cannot install the Configuration Manager client on the mobile device. When you use the Exchange Server connector, the mobile devices are managed by the settings that you define in Configuration Manager 2012 instead of being managed by the default Exchange ActiveSync mailbox policies. Any Exchange ActiveSync mailbox policies that are configured on the Exchange Server and assigned to users will still be applied. Both Configuration Manager and Exchange Server can remotely wipe a mobile device.

    The account that connects to the Exchange Client Access server to manage mobile devices for Configuration Manager must be able to run the following cmdlets:

    • Set-ADServerSettings

    • Get-ActiveSyncOrganizationSettings

    • Get-ActiveSyncDeviceStatistics

    • Get-ActiveSyncDevice

    • Get-ExchangeServer

    • Get-Recipient

    • Get-ActiveSyncMailboxPolicy

    • Set-ActiveSyncMailboxPolicy

    • New-ActiveSyncMailboxPolicy

    • Remove-ActiveSyncDevice

    • Clear-ActiveSyncDevice
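One way to confirm that the connector account can run the cmdlets listed above, and to see which other state-changing commands it holds, is to compare the list with the commands visible to that account. This PowerShell is an added example, not part of the original documentation; the function name and sample data are constructed, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: compare the documented cmdlet list with what an account can run.
$RequiredConnectorCmdlets = @(
    'Set-ADServerSettings', 'Get-ActiveSyncOrganizationSettings',
    'Get-ActiveSyncDeviceStatistics', 'Get-ActiveSyncDevice',
    'Get-ExchangeServer', 'Get-Recipient',
    'Get-ActiveSyncMailboxPolicy', 'Set-ActiveSyncMailboxPolicy',
    'New-ActiveSyncMailboxPolicy', 'Remove-ActiveSyncDevice',
    'Clear-ActiveSyncDevice'
)

function Compare-ConnectorCmdlets {
    param(
        # Names of the commands visible to the connector account.
        [Parameter(Mandatory = $true)][string[]]$AvailableCmdlets
    )
    # -in and -notin compare case-insensitively, like PowerShell command lookup.
    $missing = @($RequiredConnectorCmdlets |
        Where-Object { $_ -notin $AvailableCmdlets })
    # State-changing commands outside the documented list, for least-privilege review.
    $extra = @($AvailableCmdlets | Where-Object {
        $_ -notin $RequiredConnectorCmdlets -and $_ -match '^(Set|New|Remove|Clear)-'
    })

    [pscustomobject]@{
        Missing            = $missing
        ExtraStateChanging = $extra
        MeetsRequirement   = ($missing.Count -eq 0)
    }
}

# Constructed sample: an account that lacks the wipe cmdlet and holds one extra write cmdlet.
$sample = $RequiredConnectorCmdlets | Where-Object { $_ -ne 'Clear-ActiveSyncDevice' }
$sample += 'Set-Mailbox'   # constructed extra entry
Compare-ConnectorCmdlets -AvailableCmdlets $sample
```

To run it against a real account, open an Exchange Management Shell session as the connector account and pass (Get-Command).Name as -AvailableCmdlets; this assumes the session exposes only the commands that the account's assigned roles allow.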
