Clients are no longer configured for mixed mode or native mode, but instead use HTTPS with PKI certificates or HTTP with self-signed certificates, depending on the configuration of the site system roles that the clients connect to and whether the clients have a valid PKI certificate that includes client authentication capability. Review the Client certificate value in the General tab of the Configuration Manager client properties to determine the current client communication method. This value displays PKI certificate when the client is communicating with a management point over HTTPS and Self signed when the client communicates with a management point over HTTP. Just as the client property value for the Connection type updates, depending on the current network status of the client, so the Client certificate client property value updates, depending on which management point the client communicates with.

Because Configuration Manager 2012 does not use mixed mode and native mode, the client installation property, /native: [<native mode option>], is no longer used. Instead, use /UsePKICert to use a PKI certificate that has client authentication capability, if it is available, but fall back to an HTTP connection if no certificate is available. If /UsePKICert is not specified, the client does not attempt to communicate by using a PKI certificate, but communicates by using HTTP only. Additionally, use the new command /NoCRLCheck if you do not want a client to check the CRL before it establishes an HTTPS communication.

The client.msi property SMSSIGNCERT is still used but requires the exported self-signed certificate of the site server. This certificate is stored in the SMS certificate store and has the Subject name Site Server and the friendly name Site Server Signing Certificate.

The following are new for mobile devices in Configuration Manager 2012:

• Enrollment for mobile devices in Configuration Manager 2012 is now natively supported by using the two new enrollment site system roles (the mobile device enrollment proxy point and the mobile device and AMT enrollment point) and a Microsoft enterprise certification authority. For Configuration Manager to enroll and manage mobile devices, you must configure IIS with a web server certificate on the computers that hold the following site system roles: the management point, the distribution point, the mobile device and AMT enrollment point, and the mobile device enrollment proxy point. Additionally, if you want to allow users to wipe their own mobile devices, configure IIS with a web server certificate on the computers that hold the Application Catalog web service point and the Application Catalog website point. For more information about how to deploy this certificate, see . You must also create and issue a certificate template for mobile device enrollment. For more information about how to deploy this certificate template, see .
  
  After the certificates are configured, use the following steps to enroll mobile devices:
  
  
  1. Optional but recommended to support automatic discovery for the enrollment service: Create a DNS alias (CNAME) named ConfigMgrEnroll that points to the site system server on which you will install the mobile device enrollment proxy point.
     
     
  2. Configure the management point and distribution point site system roles for client connections over HTTPS and configure the management point to allow mobile devices.
     
     
  3. Install the mobile device enrollment proxy point and the mobile device and AMT enrollment point. If you want to allow users to wipe their own mobile devices, install the Application Catalog web service point and the Application Catalog website point. Optionally, install the reporting services point if you want to run reports for mobile devices.
     
     
  4. Edit the default client settings (for all users) or create custom client settings that are assigned to a collection that contains users who you will allow to enroll their mobile devices. Configure the client user setting option for mobile devices to allow users to enroll their mobile devices, and then create a mobile device enrollment profile that is configured to use the certificate template that you created for mobile device enrollment. In the profile, specify the Configuration Manager site that contains the enrollment site system roles for the Site Code and specify the Configuration Manager site that will manage the mobile device for the Assigned Site Code.
     
     
  5. To enroll a mobile device, start the mobile device browser, type https://<FQDN>/ClientCabs/ConfigMgrEnroll.Cab to download and open the file, and then follow the instructions. If you have not configured a DNS alias, you must specify the FQDN of the site system server that holds the mobile device enrollment proxy point.
     
     
• New in Configuration Manager 2012, the Exchange Server connector allows you to find and manage devices that connect to Exchange Server (on-premise or hosted) by using the Exchange ActiveSync protocol. Use this mobile device management process when you cannot install the Configuration Manager client on the mobile device. When you use the Exchange Server connector, the mobile devices are managed by the settings that you define in Configuration Manager 2012 instead of being managed by the default Exchange ActiveSync mailbox policies. Any Exchange ActiveSync mailbox policies that are configured on the Exchange Server and assigned to users will still be applied. Both Configuration Manager and Exchange Server can remotely wipe a mobile device.
  
  The account that connects to the Exchange Client Access server to manage mobile devices for Configuration Manager must be able to run the following cmdlets:
  
  
  • Set-ADServerSettings
    
    
  • Get-ActiveSyncOrganizationSettings
    
    
  • Get-ActiveSyncDeviceStatistics
    
    
  • Get-ActiveSyncDevice
    
    
  • Get-ExchangeServer
    
    
  • Get-Recipient
    
    
  • Get-ActiveSyncMailboxPolicy
    
    
  • Set-ActiveSyncMailboxPolicy
    
    
  • New-ActiveSyncMailboxPolicy
    
    
  • Remove-ActiveSyncDevice
    
    
  • Clear-ActiveSyncDevice