Posts Tagged ‘BYOD’

Mobile Device Management in SCCM 2012 – Hands on (part 1)

April 28, 2012

In SCCM 2012 there is a completely revised version of the Mobile Device Management part.

Sure, this was already there in SCCM 2007, but hey, would YOU want to “manage” ancient Windows CE or Windows Mobile 5.0 devices? I didn’t think so too. Also, in the SCCM 2007 era, Bring Your Own Device (BYOD) wasn’t as hot as it is today, with everyone wanting to bring in and use their own Tablets, Smarphones and laptops.

Now with SCCM 2012, there is proper support for BYOD. Yeah! For a nice overview of this, see this video of Principal Program manager Jeffrey Sutherland, talking about Mobile Device Management in SCCM 2012.


Light and Depth Management

We can define two types of device management in SCCM 2012:

-> Light Management <

Working through Exchange ActiveSync, we leverage on the existing Exchange Device Policies, to do light management of the device (remote wipe, lockdown etc)

Why do we want this? It’s already in Exchange right?

Well, the Exchange admins might not be very concerned with specific end-users devices as they are with handling the mailflow, so this task may better fit with the desktop/enduser/device management team in your organization. They are the ones working with SCCM 2012, and they are the ones most interested in gathering information about, and managing the devices. Also, SCCM provides some very nice Reporting on these devices.

->In-Depth Management <-

The other type is the In-Depth Management of Mobile Devices

This does not work through EAS, but through two new SCCM Roles that have been introduced in SCCM 2012; the Enrollment Point and the Enrollment Proxy point.

In-depth management can be done in two ways;

– Enroll the mobile devices into SCCM by installing the Mobile Device Client on them. Only on supported mobile OS’s.(Currently WinMobile 6.1, 6.5 and Nokia Symbian Belle) .Offers most features.

– Enroll the mobile devices into SCCM by installing the Legacy Mobile Device Client on it. Only on supported mobile OS’s, which currently are ancient WinCE 5, 6 and 7, and WinMo 6.0. Less features, but still way more options than with EAS.

For a good comparison of all features on all three scenarios( EAS, Mobile Device Client on device, and Legacy Mobile device client), see this page on Technet.

Note that both in-depth solutions require a PKI Infrastructure, because of the Certificates that are used on the devices!

So, more on the In-Depth part later, let’s first get the EAS connected. (Yes, you can also choose hybrid solutions, ie. managing with both EAS and through the Enrollment)


Configuration of Mobile Device Management through Exchange

So, how do we set this up?

First the prereqs: an Exchange 2010 SP1 server (or Exchange Online(office365),and a working SCCM 2012 server (duh) and a network connection between them.

Then we have to establish a connection between the SCCM server and the Exchange (CAS) server.

We click Add exchange server and get the wizard:

Specifiy the name of the exchange CAS server…

Hey, look at this screen. A precise listing of the exchange permissions that the connector account requires. I’d say this calls for a new RBACĀ  Role in Exchange!

So, lets first create a serviceaccount for this connection and assign the proper exchange permissions to it.

Now i am going to be assigning Read-Only rights to this service account, ’cause i just want to get data from EAS about the devices, and not do any remote wiping. Which is by the way also how Microsoft IT did this (read here )


Then continue through the wizard:

I just set this to Weekly Full discovery, and Delta discovery twice a day.

So, after this wizard, the connection has been established with the CAS server.


As you can see, the path /powershell has been added to the targetpath of the Exchange server. Which makes sense, because all it really does is fire up PowerShell cmdlets against the CAS, to get information from it.

So, do we see any devices now?

First lets kick off a discovery cycle:

And behold:


Well that device has my name written all over it (tee-hee)

So, what can we do with it then?

Well, not an awfull lot:

Wipe, Block, and.. hmm. well.

Lets have a look at those Reports then:

Wow. That’s a lot of Reports Built-in. Very cool!


So far for this then.

Time to get really busy, and fire up an old Windows Mobile 6.5 phone, and start doing some real managing.

In the Next post that is.