As part of the Community Evaluation Community the 9th live meeting about System Center Configuration Manager 2012 was scheduled for today. The main subject was Mobile Device Management in SCCM 2012.
At this moment Microsoft has three major products for managing Mobile phones, Mobile Devices Management (MDM) 2008, SCCM 2007 and Exchange 2007/2010. The functionality of MDM 2008 SP1 and SCCM 2007 is combined in SCCM 2007 R3. The same functionality of SCCM 2007 R3 and some nice enhancements and new features will be available in SCCM 2012.
This blog is a summary of the CEP session about SCCM 2012 Mobile Device Management.
Mobile phones in the enterprise today
Today the mobile devices in the enterprise is a heterogeneous environment, the companies can no longer standardize on one platform. The employees bring their own mobile device to their work and want to synchronize their email and calendar information. Half of all smartphones in use in North America business are not company owned.
Exchange admins end up managing most mobile devices due to use of Exchange Activesync policies
Microsoft Mobile device management
There are two sorts of mobile device management in SCCM, light mobile device management and depth mobile device management.
- Single “pane of glass” for managing desktops, servers, mobile devices;
- Exchange connector
- Depth management of WinCE 6.0, WM 6.0/6.1, WP 6.5 and Nokia Symbian based devices
- Secure over the air enrollment
- Monitor and remediate non-compliant devices
- Deploy applications and configuration policies to users or devices
- Mobile VPN is not required anymore to connect to the Device Management environment
Exchange Connector for SCCM 2012
Light Mobile device management via Exchange connector:
- Provides a single pane of glass for all assets in the enterprise
- Transfers mobile device administrator from exchange to SCCM
- Rich inventory and reporting experience
- Define organization level ActiveSync Policy
- Device wipe
- Supports Exchange 2010 and hosted Exchange
- Supports all EAS capable devices including WP7, Symbian, IOS, Android, Palm, etc.
Configuring Exchange Connector in SCCM 2012
Configuring the Exchange Connector in SCCM 2012 is easy, you just need to supply the server address of the Exchange (I think the CAS) server and a service account. You can give the service account limited access through RBAC. (Option; Mobile Device Management)
In SCCM 2012 you must configure the EAS policy on the Primary Site, it will deploy it to Exchange and Active Directory. In the EAS Policy you can assign the same things like in Exchange Server 2010, one of the settings is disabling POP3 and IMAP access.
Exchange Connector experience
“All mobile device” collection is the place to find all the in Exchange discovered devices
You can see information of discovered mobile devices through the resource explorer, things like hardware information, software settings, inventory and ActiveSync properties. You also can remotely wipe the mobile device. (or cancel the request )
The Exchange connector gives us basic reporting about the following things;
- What mobile devices are in the enterprise?
- Exchange policy summarization (compliancy)
- What mobile devices are compliant
- What mobile devices are not compliant
The discovery of the mobile devices goes from Exchange/AD to SCCM.
Depth vs Light Management
You will find the difference between light management and depth management in the following table.
||Exchange ActiveSync Connected Devices
||WM 6.1, WP 6.5.x
||WM 6.0, CE 6.0
|Over the air enrolment
Depth Device Management Topology
- Key server roles for Device Management in SCCM 2012
- Enrollment Web Proxy
- Enrollment Service Point
- Software catalog roles (option)
- Management Point
- Distribution Point
- Management is done over HTTPS
- Microsoft Enterprise CA is required (SCCM Native Mode)
Mobile device enrollment
- Establishes mutual trusts between the device and the management server
- Windows Phone 6.5.x, WM 6.1 abd Nokia devices enrolled and provision securely (HTTPS) over the air
- WinCE 6.0 and WM 6.0 enrollment performed as in SCCM 2007
User targeting Client setting is used to allow users to enroll mobile devices assigned to collections.
- User download Configmgrenroll.cab to the mobile device
- Enrollment client is installed by user
- User supplies email and password
- Autodiscovery server address in Enrolment client
- Client will poll for the policies / registration
Registered mobile devices
- Are added to site
- More Inventory information
When registered, the administrator have more reporting functionality. Like in the Resource Explorer, the following hardware information:
- Device Client Agent Version
- Device Computer System
- Device Display
- Device Installed Applications
- Device Memory
- Device OS Information
- Device Password
- Device Power
- Workstation Status
The Software Catalog also integrates with depth managed mobile devices, and can wipe their mobile devices. You are also able to bind a mobile device to a specific user.
Remote Device Wipe
- Admins can wipe a mobile device from the management console
- Users can wipe from the software catalog
- The wipe action is always scheduled
- Depth managed devices : wipe is scheduled for the next DM session
- Light managed devices are wiped at next email synchronization
- Dual managed devices: next DM session or email synchronization or whichever is first.
Mobile device settings management
- Fully integrated experience with non-mobile configuration and settings mangement
- Supports monitoring and enforcement
- Standard settings groups with simplified UI
- Supports admin defined settings via mobile registry or OMA-URI
- Evaluation is done on the server and remediate commands to sent to client
- Baseline settings can be user or devices targeted
New Features for software distribution
Like mentioned in an earlier blog, the Application Model is changed in SCCM 2012.
- Application Model
- Incorporates all supported software types (MSI, Script, App-v, Mobile Cab)
- Greatly improved dependency handling
- Installation requirements rules
- Installation detection methods
- Application supersedence
- Application uninstall
- User devices affinity
- Unified monitoring experience
- Content Management
- Distribution Points Groups
- Content Library
- Improved content monitoring experience
Application distribution/ deployment process for mobile devices:
- Create Application with more deployment types.
- Create / get policy for application required apps
- Only required apps are supported
- Get source from DP
- Report back to MP
Next CEP session is about SCCM 2012 Migration. In my opinion a very interesting session, because Microsoft announced at TechEd last year that migrating from SCCM 2007 to SCCM 2012 is very easy