Mobile device management for Configuration Manager 2007 customers planning to migrate to System Center 2012 R2 Configuration Manager
How can this guide help you?
This guide provides a prescriptive, tested design that you can use to understand the design and implementation steps that we recommend to enable mobile device management for iOS, Android, Windows Phone 8, Windows RT, and Windows 8.1 devices when you have an existing Configuration Manager 2007 hierarchy and plan to migrate to System Center 2012 R2 Configuration Manager.
While you plan to migrate to System Center 2012 R2 Configuration Manager, you need a solution that allows you to manage the devices in your organization. This solution guide describes how you can run a System Center 2012 R2 Configuration Manager stand-alone primary site server alongside your Configuration Manager 2007 environment to enable mobile device management.
The following diagram illustrates the problem and scenario that this solution guide is addressing.
Configuration Manager and mobile device management
In this solution guide:
Scenario, problem statement, and goals
What is the recommended design for this solution?
What are the high-level steps to implement this solution?
Scenario, problem statement, and goals
This section describes the scenario, current problem, and goals that you might have.
There’s a growing demand from your company’s employees for the ability to access company data from their personal devices. You want to meet this demand by providing the employees with the flexibility to use their own devices over the internet from any location to accomplish work related tasks.
Your organization is a large enterprise consisting of more than 5,000 users who bring their personal devices to the workplace. Your infrastructure supports the management of computers for users that are on premises and who remotely connect to the corporate network by using VPN. Currently, you manage these computers using Configuration Manager 2007 and are not ready to do a full deployment of System Center 2012 R2 Configuration Manager.
In summary, the current technologies used by your organization:
A domain and directory service, specifically, Active Directory.
PC management software, specifically, System Center Configuration Manager 2007.
PCs that are joined to the domain and managed by Configuration Manager 2007.
Personal mobile devices owned by employees, as well as personal PCs not joined to the domain.
Today you use Configuration Manager 2007 to manage devices in your organization but this solution does not manage iOS, Android, Windows Phone 8, Windows RT, and personally-owned Windows 8.1 devices. However, the latest version of Configuration Manager and Windows Intune does provide support for these devices. Because you are planning to migrate to System Center 2012 R2 Configuration Manager, you want to use it as your mobile device management solution to avoid the cost and effort of integrating a third-party solution. You would like to implement System Center 2012 R2 Configuration Manager as a management solution even though you are neither ready to fully deploy this version nor migrate your full infrastructure from Configuration Manager 2007.
You can manage today’s mobile devices, specifically, Windows Phone 8, Windows RT, iOS, Android, and personally-owned Windows 8.1 devices. Managing devices can mean security and compliance settings, gathering software and hardware inventory, or deploying mobile apps.
You can protect company data with the ability to wipe company data from mobile devices over the internet.
You can scale up to managing 100,000 mobile devices.
You want a solution that you are familiar with and with minimal learning curve.
You can implement a solution that is compatible with your current environment and can be leveraged for future use.
What is the recommended design for this solution?
In an environment where you are managing on-premises devices using Configuration Manager 2007, you want to be able to manage mobile devices as well. Your main constraint is that you are not ready to migrate to the latest version of Configuration Manager but you want to use its mobile device management capabilities. Since you are planning to migrate to the latest version of Configuration Manager, you would like the interim solution for mobile device management to be relevant after migration.
System Center 2012 R2 Configuration Manager works with Windows Intune to manage mobile devices. Through the Configuration Manager console, you can manage mobile devices much like you would manage other devices. The main difference with the mobile devices as compared to computers in your domain is that they are managed over the internet. The Configuration Manager console interfaces with the Windows Intune service which does the actual management of the mobile devices over the internet. When you use System Center 2012 R2 Configuration Manager with Windows Intune for mobile device management, you can:
Protect your company data with security settings and the ability to wipe company data from retired devices. You can use compliance settings to enforce security policy on mobile device users. These settings can include attributes such as password, camera, system, and security settings. You can also run reports to identify rooted Android devices and modified iOS devices.
Manage devices through compliance settings. Compliance settings can include anything from roaming, store, or device settings. For a full list of settings, see Compliance Settings for Mobile Devices in Configuration Manager.
Collect hardware and software inventory. You can run reports to view hardware inventory that describes the types of devices that are enrolled and software inventory can report on what apps are installed on the devices.
Manage apps either by sideloading apps to mobile devices or by deploying links to apps available in device stores such as Windows Store, Windows Phone store, App Store and Google Play.
Create a consistent experience for accessing company data using the company portal. The company portal is an interface where users can view company data and install apps.
In this solution, mobile device management will be enabled by a System Center 2012 R2 Configuration Manager stand-alone primary site and a Windows Intune connector. Windows Intune is a cloud service so, to let users enroll their devices, you need to synchronize your domain user accounts to Windows Azure. This will allow you to manage which users can access company resources with their mobile devices. Once users can access company resources over the internet with their mobile devices, you can use Active Directory Federation Service (AD FS) to enable a single sign-on experience.
The following diagram shows how the components of a System Center 2012 R2 Configuration Manager stand-alone primary site server communicate side-by-side with a Configuration Manager 2007 environment. The AD FS portion of the diagram is optional.
System Center 2012 R2 Configuration Manager stand-alone primary server runs side-by-side with a Configuration Manager 2007 environment.
The following table lists the elements that are part of this solution design and describes the reason for the design choice.
Solution design element | Why is it included in this solution?
------------------------|--------------------------------------
System Center 2012 R2 Configuration Manager | Manages mobile devices by using the Windows Intune service. Manages mobile devices over the internet.
Windows Azure Active Directory | Provisions users in the cloud. Synchronizes on-premises Active Directory users with Windows Azure Active Directory.
Active Directory Federation Services (AD FS) | Enables a single sign-on experience.
System Center 2012 R2 Configuration Manager and the Windows Intune Connector
You will be running System Center 2012 R2 Configuration Manager side-by-side with Configuration Manager 2007. The System Center 2012 R2 Configuration Manager site will only be used for mobile device management until you migrate your entire Configuration Manager environment to System Center 2012. Because you can install the System Center 2012 R2 Configuration Manager console on the same computer where you install a Configuration Manager 2007 console, you can manage devices from a single computer.
When you run both products side-by-side, you must take some precautions to prevent devices that should be managed by Configuration Manager 2007 from discovering your System Center 2012 R2 Configuration Manager deployment. For example, you should make sure that the two products do not configure boundaries for site assignment where those boundaries include the same network locations. This is referred to as overlapping boundaries. Fortunately, overlapping boundaries are easy to avoid because they are not configured by default and you do not need to configure any boundaries for System Center 2012 R2 Configuration Manager to enable management of mobile devices when you use Windows Intune.
You will install a Windows Intune Connector site system role to the System Center 2012 R2 Configuration Manager site, which connects you to the Windows Intune service.
Windows Azure Active Directory and directory synchronization (DirSync)
Windows Intune uses Windows Azure Active Directory to store user accounts. You will need to sync your Active Directory users to the Windows Azure Active Directory. Directory synchronization is intended as an ongoing relationship between your on-premises environment and cloud. After you have activated directory synchronization, you can edit synchronized objects in your on-premises environment and these edits will synchronize with your Windows Intune subscription.
Options for user authentication
Once you’ve populated Windows Azure AD with your user accounts, you have a few options as to how to authenticate users. Your options are AD FS, Password Synchronization, or neither.
AD FS provides a true single sign-on experience working together with Active Directory authentication protocols. AD FS is the more secure solution because it never shares password information with the cloud service, Windows Azure AD. Your on-premises Active Directory and AD FS interact with the Windows Azure AD identity platform to provide access to one or more Microsoft cloud services. When you set up single sign-on, you establish a federated trust between your domain and the Windows Azure AD authentication system. This allows your users to seamlessly access the Microsoft cloud services without needing to sign in with different credentials.
With AD FS you will need at least one federation server or server farm and a federation proxy server. The federation server authenticates clients, while the federation server proxy provides a layer of security and redirects client authentication requests coming from outside your corporate network to your federation servers. As a Windows Intune customer, deploying a federation server proxy to your existing AD FS infrastructure is necessary to enable mobile device users to authenticate from the internet.
Password Sync is a lightweight option that provides users with an experience that is similar to single sign-on and very easy to deploy. While not a true single sign-on capability, Password Sync is a selectable option within DirSync that allows DirSync to store a hash of the password in Windows Azure AD. Users can authenticate with cloud services and on-premises services by using the same user name and password for both.
If you choose not to implement AD FS or Password Sync, users will have to manually update the passwords to keep them in sync or simply remember more than one password, depending on whether they are accessing cloud or on-premises services. This approach is not recommended, as it requires additional administrative overhead to manage initial and ongoing password changes, and results in a less friendly user experience.
The company portal is an easy way for users to access all their corporate apps from one place. You can populate the company portal with internal line-of-business applications, as well as with links to apps available in the public application stores (Microsoft Windows Store, Windows Phone Store, Apple App Store, and Google Play). From within the company portal, users can manage their devices and perform various actions, such as wiping a lost or replaced device.
Users enroll through the company portal on their mobile device. During enrollment the mobile device communicates with the federation proxy which authenticates the user for enrollment.
When you are ready to migrate your Configuration Manager 2007 infrastructure to System Center 2012 R2 Configuration Manager, you can use your existing stand-alone primary site as the starting point. System Center 2012 R2 Configuration Manager supports migrating data and clients from your Configuration Manager 2007 infrastructure to System Center 2012 R2 Configuration Manager. Then, after your data and clients have migrated, you can decommission your Configuration Manager 2007 sites and infrastructure.
When your Configuration Manager 2007 infrastructure includes more devices than you can manage with a single System Center 2012 R2 Configuration Manager stand-alone primary site, you can use the option to expand that stand-alone primary site into a larger hierarchy that includes a central administration site and additional primary sites. This option enables you to maintain your current primary site to manage your mobile devices, while adding more primary sites to your hierarchy, which increases the total capacity of devices the hierarchy can support.
What are the high-level steps to implement this solution?
You can use the steps in this section to implement the solution. Make sure to verify the correct deployment of each step before proceeding to the next step.
Get a Windows Intune subscription.
Before you can install the Windows Intune connector, you need to create a Windows Intune subscription. You can sign up for an account at Windows Intune.
Configure your public domain.
To use the Windows Intune service you also need a public organization domain name that is verifiable through services like GoDaddy. Add and verify your public domain in the Windows Intune account portal at https://account.manage.microsoft.com under the Domains node.
Ensure the public domain has been added as an alternate UPN suffix in on-premises Active Directory. Users must have the same public domain User Principal Name (UPN) in the cloud and the on-premises Active Directory to enroll mobile devices. You must verify that your users have a public domain UPN before you configure directory synchronization and AD FS. If you skip this step, you may end up with users automatically getting “onmicrosoft.com” appended to their cloud UPN which will result in a mismatch with on-premises Active Directory user names. For information on how to change the UPN, see Add User Principal Name Suffixes in the Active Directory documentation library.
Add a CNAME record in DNS pointing enterpriseenrollment.<publicdomain> to manage.microsoft.com. The CNAME record is used later as part of the enrollment process.
Check the Domains page of the Windows Intune Account Portal to make sure the public domain is listed and verified.
Look at the properties of a user account in on-premises Active Directory to ensure the UPN is listed with the public domain name.
Ping enterpriseenrollment.<publicdomain> and ensure it resolves to the IP address of manage.microsoft.com; the CNAME record is used as part of the enrollment process.
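The three verification steps above can be scripted so they are repeatable before every DirSync run. The following PowerShell is an added example, not part of the original guide: it assumes the ActiveDirectory and DnsClient modules are available (RSAT on Windows 8 / Windows Server 2012 or later), that it is run from a domain-joined administration workstation, and that $PublicDomain is the domain you verified in the Windows Intune account portal (the value 'contoso.com' is a placeholder). It reports accounts whose UPN would be rewritten to onmicrosoft.com in the cloud; it does not change them.

```powershell
# Added verification script (not from the original guide). Assumes the
# ActiveDirectory and DnsClient modules; $PublicDomain is a placeholder.
param(
    [string] $PublicDomain = 'contoso.com'   # replace with your verified public domain
)
Import-Module ActiveDirectory

# 1. Is the public domain registered as an alternate UPN suffix in the forest?
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $PublicDomain) {
    Write-Warning "'$PublicDomain' is not an alternate UPN suffix in forest $($forest.Name)."
}

# 2. Which enabled users still carry a UPN that does not end in the public domain?
#    These accounts would receive a '<tenant>.onmicrosoft.com' UPN in the cloud
#    and then fail enrollment because the cloud and on-premises names differ.
$mismatched = @(
    Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
        Where-Object { $_.UserPrincipalName -notlike "*@$PublicDomain" }
)
$mismatched | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize
Write-Host ("{0} enabled user(s) need a UPN in {1} before directory synchronization runs." -f $mismatched.Count, $PublicDomain)

# 3. Does enterpriseenrollment.<publicdomain> have a CNAME to manage.microsoft.com?
#    Resolve-DnsName is used instead of ping so the check sees the CNAME itself,
#    not just whichever address the service currently answers on.
$record = Resolve-DnsName -Name "enterpriseenrollment.$PublicDomain" -Type CNAME -ErrorAction SilentlyContinue
if ($record -and $record.NameHost -eq 'manage.microsoft.com') {
    Write-Host "CNAME OK: enterpriseenrollment.$PublicDomain -> $($record.NameHost)"
} else {
    Write-Warning "enterpriseenrollment.$PublicDomain does not resolve through a CNAME to manage.microsoft.com."
}
```

Run it once before configuring directory synchronization and again after any UPN changes; an empty mismatch list and a CNAME hit are the conditions the guide asks you to confirm.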
Configure User Authentication.
You can configure AD FS from your Windows Intune Account portal at https://account.manage.microsoft.com. In the User node of the portal, click Single sign-on: Set up and then follow the steps to Set up and manage single sign-on. For more information, see Checklist: Use AD FS to implement and manage single sign-on in the Active Directory documentation library. That article fully details the requirements, the planning and deployment process, and how to verify that AD FS has been deployed and configured correctly.
Alternatively, you can consider implementing Password Synchronization depending on your security considerations. Password Synchronization is a feature of the Windows Azure Active Directory Synchronization tool that synchronizes user passwords from your on-premises Active Directory to Windows Azure Active Directory. You can implement Password Sync as part of configuring directory synchronization. To understand the security considerations and whether this is the right decision for your organization, see Implement Password Synchronization.
Provision users by configuring directory synchronization.
In the Users node of the Windows Intune Account portal at https://account.manage.microsoft.com, click Active Directory synchronization: Setup, and then follow the steps outlined in Set up and manage Active Directory synchronization. For more information, see Configure directory synchronization in the Active Directory documentation library. You can install DirSync on any computer as long as it is not a domain controller.
Verification steps: Check in the Windows Intune Account portal at https://account.manage.microsoft.com to view user accounts.
Plan your stand-alone primary site server.
Identify a server that meets both the software and hardware prerequisites to host a Configuration Manager primary site. By default, when you install a primary site for Configuration Manager, the management point and distribution point site system roles are also installed. Because you will only manage mobile devices for this scenario, the management point and distribution point are not used. However, their presence does not affect the performance of your site. Therefore, we recommend leaving these site system roles installed.
For hardware sizing information for the primary site, see Planning for Hardware Configurations for Configuration Manager. The details provided for a stand-alone primary site will give you the basics for running a primary site that can support the Windows Intune connector and up to 100,000 mobile devices.
For information on required software and supported operating systems for hosting a Configuration Manager site, see Site System Requirements. Specifically, review the applicable section for the prerequisites that apply to the operating system you use to host the stand-alone primary site. The site system roles installed by default are the site server, database server, SMS Provider server, management point, and distribution point.
Deploy a stand-alone primary site server.
Install and configure a System Center 2012 R2 Configuration Manager stand-alone primary site, which will allow you to manage mobile devices. For information, see Install a Primary Site Server.
After the site installation completes, confirm or set the following common configurations for Configuration Manager primary sites:
Do not configure site boundaries. By default, no site boundaries are created for a new site. Site boundaries are used by new Configuration Manager clients to identify a site to join, and to locate content that you deploy. For this scenario, neither activity applies.
Configure and run Active Directory User Discovery on your domain to discover users for future enrollment.
Ensure that Client Push Installation is not enabled. This is only used when you are ready to install the Configuration Manager client on Windows devices, and is not used to manage mobile devices.
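The boundary and user discovery checks above can be confirmed from the Configuration Manager PowerShell module that installs with the System Center 2012 R2 Configuration Manager console. The script below is an added example and not part of the original guide. It assumes the console is installed on the computer where it runs, that $SiteCode is your stand-alone primary site code (the value 'PS1' is a placeholder), and that the Get-CMBoundary and Get-CMDiscoveryMethod cmdlets are available; reading the discovery method's enabled state from the 'SETTINGS' entry in its Props array is an assumption about the SMS Provider object layout. The Client Push Installation setting is not checked here and should be confirmed in the console as the guide describes.

```powershell
# Added configuration check (not from the original guide). Assumes the
# System Center 2012 R2 Configuration Manager console and its PowerShell module
# are installed locally; $SiteCode 'PS1' is a placeholder.
param([string] $SiteCode = 'PS1')

# The module ships beside the console; $env:SMS_ADMIN_UI_PATH points at its bin folder.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

$problems = @()

# 1. No boundaries. A site that only manages mobile devices through Windows Intune
#    needs none, and any boundary here risks overlapping with Configuration Manager 2007.
$boundaries = @(Get-CMBoundary)
if ($boundaries.Count -gt 0) {
    $problems += "Found $($boundaries.Count) boundary(ies); remove them to avoid overlap with Configuration Manager 2007."
    $boundaries | Select-Object DisplayName, Value | Format-Table -AutoSize
}

# 2. Active Directory User Discovery must be enabled so user objects exist for enrollment.
#    Assumption: the component's Props array holds a 'SETTINGS' entry whose Value1 is
#    'Active' when the method is enabled.
$userDiscovery = Get-CMDiscoveryMethod -Name ActiveDirectoryUserDiscovery -SiteCode $SiteCode
$settings = $userDiscovery.Props | Where-Object { $_.PropertyName -eq 'SETTINGS' }
if (-not $settings -or $settings.Value1 -ne 'Active') {
    $problems += 'Active Directory User Discovery is not enabled on this site.'
}

if ($problems.Count -eq 0) {
    'Site configuration checks passed: no boundaries, user discovery enabled.'
} else {
    $problems
}
```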
Configure the Windows Intune subscription and install the Windows Intune Connector site system role on your stand-alone primary site server.
Before you can use Configuration Manager to manage mobile devices, you must configure your Windows Intune subscription and install the Windows Intune connector site system role on the stand-alone primary site server. For more information, see How to Manage Mobile Devices by Using Configuration Manager and Windows Intune.
On the primary site server computer, review the Sitecomp.log to verify that the Windows Intune connector site system role installed successfully.
On the computer where you install the Windows Intune connector, review the Cloudusersync.log to verify that users from your domain have successfully synchronized to Windows Intune. The log file will confirm that the UPNs are consistent between Windows Azure AD and on-premises AD. If any users fail to sync, it is most likely due to UPN mismatches.
On the primary site server computer, review the Certmgr.log to confirm that the computer where you installed the Windows Intune connector shares the connector certificate. The certificate is shared after the installation of the Windows Intune connector site system role is complete.
On the computer where you install the Windows Intune connector, review the Dmpuploader.log to verify that the connector site system role can upload policy and configuration changes to the Windows Intune service.
On the computer where you install the Windows Intune connector, review the Dmpdownloader.log to verify that the Windows Intune connector is able to download messages from Windows Intune. This log might only show a ping at the beginning of the download process and it might take some time before entries related to downloads are logged.
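Each of the five logs listed above is written in the Configuration Manager (CMTrace) line format, so one parser can triage all of them for recent warnings, errors, and UPN-related messages. The script below is an added example and not code from the original guide. It assumes the logs are in the default site system log folder given by $LogRoot (a placeholder path you should adjust), and that the entries follow the documented layout `<![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" thread="N" file="...">` where type 1 is informational, 2 is a warning, and 3 is an error.

```powershell
# Added log-triage script (not from the original guide). Assumes the connector
# logs are under $LogRoot (placeholder) in CMTrace format.
param(
    [string]   $LogRoot  = 'C:\Program Files\Microsoft Configuration Manager\Logs',
    [string[]] $LogNames = @('Sitecomp.log', 'Cloudusersync.log', 'Certmgr.log',
                             'Dmpuploader.log', 'Dmpdownloader.log'),
    [int]      $Hours    = 24
)

function ConvertFrom-CMTraceLine {
    # Parses one CMTrace line into an object; returns nothing for lines that do not match.
    param([string] $Line)
    $pattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"[^>]*\stype="(?<type>\d)"'
    if ($Line -notmatch $pattern) { return }
    # time is HH:mm:ss.fff followed by a UTC offset in minutes (e.g. +420); drop the offset.
    $clock = [timespan]($Matches.time -replace '[+-]\d+$', '')
    $day   = [datetime]::ParseExact($Matches.date, 'MM-dd-yyyy', $null)
    [pscustomobject]@{
        Time      = $day.Add($clock)
        Component = $Matches.comp
        Type      = [int]$Matches.type     # 1 = info, 2 = warning, 3 = error
        Message   = $Matches.msg
    }
}

$since = (Get-Date).AddHours(-$Hours)
$findings = foreach ($name in $LogNames) {
    $path = Join-Path $LogRoot $name
    if (-not (Test-Path $path)) { Write-Warning "Missing log: $path"; continue }
    Get-Content $path |
        ForEach-Object { ConvertFrom-CMTraceLine $_ } |
        Where-Object { $_.Time -ge $since -and ($_.Type -ge 2 -or $_.Message -match 'UPN') } |
        Select-Object @{ n = 'Log'; e = { $name } }, Time, Component, Type, Message
}

if (-not $findings) {
    "No warnings, errors, or UPN messages in the last $Hours hour(s)."
} else {
    $findings | Sort-Object Time | Format-Table -AutoSize -Wrap
}
```

A quiet Dmpdownloader.log is expected early on, as the guide notes, so an empty result for that file alone is not a failure; errors in Cloudusersync.log that mention UPN are the mismatch case the guide points at.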
Install the System Center 2012 R2 Configuration Manager console.
By default, when you install a primary site, the Configuration Manager console also installs on the primary site server computer. After the site installs, you can install additional System Center 2012 R2 Configuration Manager consoles on additional computers to manage the site. Installing a console from both Configuration Manager 2007 and System Center 2012 R2 Configuration Manager on the same computer is supported. This side-by-side installation allows you to use a single computer to manage both your existing Configuration Manager 2007 infrastructure and the mobile devices you manage using Windows Intune with System Center 2012 R2 Configuration Manager. However, you cannot use the management console from System Center 2012 R2 Configuration Manager to manage your Configuration Manager 2007 site, and vice versa. For more information, see Install a Configuration Manager Console.
Enroll mobile devices.
For information on how to enroll mobile devices, see Mobile Device Enrollment.
Manage mobile devices.
After you install and make the basic configurations for your stand-alone primary site, you can begin to configure management of mobile devices. The following are typical actions you might configure:
To apply compliance settings to mobile devices, see Compliance Settings for Mobile Devices in Configuration Manager.
To create and deploy applications to mobile devices, see How to Create and Deploy Applications for Mobile Devices in Configuration Manager.
To configure Hardware Inventory, see How to Configure Hardware Inventory for Mobile Devices Enrolled by Windows Intune and Configuration Manager.
To configure Software Inventory, see Introduction to Software Inventory in Configuration Manager.
To wipe content from mobile devices, see Wiping Company Content from Mobile Devices.
Migrate to System Center 2012 R2 Configuration Manager.
For information on migrating to System Center 2012 R2 Configuration Manager, see Migrating Hierarchies in System Center 2012 Configuration Manager.
If you will be managing more than 100,000 devices, you will need to expand your stand-alone primary site into a hierarchy. For more information, see Planning to Expand a Stand-Alone Primary Site.