Client deployment in Configuration Manager 2012 refers to the planning, installation and management of Configuration Manager 2012 client computers and mobile devices in your enterprise. The methods used to manage computers and mobile devices are different. This book contains information about how to plan, configure, manage and monitor client deployment in Configuration Manager 2012.
Deploying the Configuration Manager Client to Windows-based Computers
The following table lists the various methods that you can use to install the Configuration Manager 2012 client software. For information about deciding which client installation method to use, see Determine the Client Installation Method to Use in Configuration Manager 2012. For more information about installing the client, see How to Install Clients in Configuration Manager 2012.
Client Installation Method | Description |
---|---|
Client push installation | Use this method to automatically install the client to assigned resources and to manually install the client to resources that are not assigned. |
Software update point installation | Used to install the client using the Configuration Manager 2012 software updates feature. |
Group Policy installation | Used to install the client using Windows Group Policy. |
Logon script installation | Used to install the client by means of a logon script. |
Manual installation | Used to manually install the client software. |
Upgrade installation | Uses Configuration Manager 2012 application management to upgrade clients to a newer version. You can also use Configuration Manager 2007 software distribution to upgrade clients to Configuration Manager 2012. |
Client Imaging | Used to pre-stage the client installation in an operating system image. |
After the client has installed successfully, it will attempt to assign to a site and find that site's management point to download policy. For more information about site assignment, see How to Assign Clients to a Site in Configuration Manager 2012.
The client's success or failure for these processes can be captured with the fallback status point if this role has been defined for the site, and the client is configured to use it. For more information about the fallback status point, see Determine the Site System Roles You Need for Clients in Configuration Manager 2012.
What’s New in Configuration Manager 2012
Clients are no longer configured for mixed mode or native mode, but instead use HTTPS with PKI certificates or HTTP with self-signed certificates, depending on the configuration of the site system roles that the clients connect to and whether the clients have a valid PKI certificate that includes client authentication capability. Review the Client certificate value in the General tab of the Configuration Manager client properties to determine the current client communication method. This value displays PKI certificate when the client is communicating with a management point over HTTPS and Self signed when the client communicates with a management point over HTTP. Just as the client property value for the Connection type updates, depending on the current network status of the client, so the Client certificate client property value updates, depending on which management point the client communicates with.
Because Configuration Manager 2012 does not use mixed mode and native mode, the client installation property, /native: [<native mode option>], is no longer used. Instead, use /UsePKICert to use a PKI certificate that has client authentication capability, if it is available, but fall back to an HTTP connection if no certificate is available. If /UsePKICert is not specified, the client does not attempt to communicate by using a PKI certificate, but communicates by using HTTP only. Additionally, use the new command /NoCRLCheck if you do not want a client to check the CRL before it establishes an HTTPS communication.
The client.msi property SMSSIGNCERT is still used but requires the exported self-signed certificate of the site server. This certificate is stored in the SMS certificate store and has the Subject name Site Server and the friendly name Site Server Signing Certificate.
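As an added example (not part of the original documentation), the PowerShell function below reviews CCMSetup command lines, such as those kept in logon scripts or Group Policy, for the properties described above. The function name, the sample command lines, the site code ABC and the certificate path are assumptions made for illustration.

```powershell
# Added example: flag CCMSetup command lines that weaken client communication.
function Test-CcmSetupCommandLine {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$CommandLine)
    process {
        # Split on whitespace but keep double-quoted values (paths with spaces) whole.
        $tokens = [regex]::Matches($CommandLine, '(?:[^\s"]+|"[^"]*")+') |
            ForEach-Object { $_.Value }

        # CCMSetup properties start with '/'; client.msi properties are NAME=value.
        $switches = @($tokens | Where-Object { $_ -like '/*' } | ForEach-Object {
            ($_ -split ':', 2)[0].TrimStart('/').ToLowerInvariant() })
        $signCert = $null
        foreach ($t in $tokens) {
            if ($t -match '^SMSSIGNCERT=(.*)$') { $signCert = $Matches[1].Trim('"') }
        }

        $usesPki  = $switches -contains 'usepkicert'
        $findings = @()
        if ($switches -contains 'native') {
            $findings += '/native is no longer used in Configuration Manager 2012'
        }
        if (-not $usesPki) {
            $findings += 'No /UsePKICert: the client communicates by using HTTP only'
        }
        if ($switches -contains 'nocrlcheck') {
            $findings += '/NoCRLCheck: the CRL is not checked before HTTPS communication'
        }

        [pscustomobject]@{
            CommandLine = $CommandLine
            Transport   = if ($usesPki) { 'HTTPS with PKI certificate, HTTP fallback' } else { 'HTTP only' }
            SignCert    = $signCert
            Findings    = $findings
        }
    }
}

# Constructed sample command lines; ABC and the certificate path are placeholders.
@(
    'ccmsetup.exe /native:FALLBACK SMSSITECODE=ABC',
    'ccmsetup.exe SMSSITECODE=ABC',
    'ccmsetup.exe /UsePKICert /NoCRLCheck SMSSITECODE=ABC',
    'ccmsetup.exe /UsePKICert SMSSITECODE=ABC SMSSIGNCERT="C:\Certs\SiteServer.cer"'
) | Test-CcmSetupCommandLine | Format-List
```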
Managing Mobile Devices in Configuration Manager 2012
Configuration Manager 2012 enables you to manage mobile devices in the enterprise. Administrative users can use the following Configuration Manager 2012 features to administer mobile devices that run supported operating systems:
- Hardware inventory
- Asset Intelligence
- File collection
- Application management
- Compliance settings
When you cannot install the Configuration Manager 2012 client on mobile devices, you can use the Exchange Server connector to find and manage mobile devices that connect to Exchange Server. This allows you to define settings in Configuration Manager 2012 that manage mobile device settings instead of being managed by the default Exchange mailbox policies.
What’s New in Configuration Manager 2012
The following are new for mobile devices in Configuration Manager 2012:
- Enrollment for mobile devices in Configuration Manager 2012 is now natively supported by using the two new enrollment site system roles (the mobile device enrollment proxy point and the mobile device and AMT enrollment point) and a Microsoft enterprise certification authority. For Configuration Manager to enroll and manage mobile devices, you must configure IIS with a web server certificate on the computers that hold the following site system roles: the management point, the distribution point, the mobile device and AMT enrollment point, and the mobile device enrollment proxy point. Additionally, if you want to allow users to wipe their own mobile devices, configure IIS with a web server certificate on the computers that hold the Application Catalog web service point and the Application Catalog website point. For more information about how to deploy this certificate, see . You must also create and issue a certificate template for mobile device enrollment. For more information about how to deploy this certificate template, see .
After the certificates are configured, use the following steps to enroll mobile devices:
- Optional but recommended to support automatic discovery for the enrollment service: Create a DNS alias (CNAME) named ConfigMgrEnroll that points to the site system server on which you will install the mobile device enrollment proxy point.
- Configure the management point and distribution point site system roles for client connections over HTTPS and configure the management point to allow mobile devices.
- Install the mobile device enrollment proxy point and the mobile device and AMT enrollment point. If you want to allow users to wipe their own mobile devices, install the Application Catalog web service point and the Application Catalog website point. Optionally, install the reporting services point if you want to run reports for mobile devices.
- Edit the default client settings (for all users) or create custom client settings that are assigned to a collection that contains users who you will allow to enroll their mobile devices. Configure the client user setting option for mobile devices to allow users to enroll their mobile devices, and then create a mobile device enrollment profile that is configured to use the certificate template that you created for mobile device enrollment. In the profile, specify the Configuration Manager site that contains the enrollment site system roles for the Site Code and specify the Configuration Manager site that will manage the mobile device for the Assigned Site Code.
- To enroll a mobile device, start the mobile device browser, type https://<FQDN>/ClientCabs/ConfigMgrEnroll.Cab to download and open the file, and then follow the instructions. If you have not configured a DNS alias, you must specify the FQDN of the site system server that holds the mobile device enrollment proxy point.
- New in Configuration Manager 2012, the Exchange Server connector allows you to find and manage devices that connect to Exchange Server (on-premise or hosted) by using the Exchange ActiveSync protocol. Use this mobile device management process when you cannot install the Configuration Manager client on the mobile device. When you use the Exchange Server connector, the mobile devices are managed by the settings that you define in Configuration Manager 2012 instead of being managed by the default Exchange ActiveSync mailbox policies. Any Exchange ActiveSync mailbox policies that are configured on the Exchange Server and assigned to users will still be applied. Both Configuration Manager and Exchange Server can remotely wipe a mobile device.
The account that connects to the Exchange Client Access server to manage mobile devices for Configuration Manager must be able to run the following cmdlets:
- Set-ADServerSettings
- Get-ActiveSyncOrganizationSettings
- Get-ActiveSyncDeviceStatistics
- Get-ActiveSyncDevice
- Get-ExchangeServer
- Get-Recipient
- Get-ActiveSyncMailboxPolicy
- Set-ActiveSyncMailboxPolicy
- New-ActiveSyncMailboxPolicy
- Remove-ActiveSyncDevice
- Clear-ActiveSyncDevice