Posts Tagged ‘Mobile Device Management’

Mobile Device Management in SCCM 2012 – Hands on (Part 2)

April 29, 2012

So, after connecting the SCCM 2012 server to Exchange and getting some info about devices through EAS, now it’s time to really get busy with Mobile Device Management.

In this posting I will show you how I set up Mobile Device Enrollment, and actually got my old Windows Mobile 6.5 phone enrolled. W00t!

The starting point is this 10-step program to get your mobile devices managed in SCCM 2012.

The basic steps are:

  • Set up a working Microsoft PKI infrastructure
  • Install and configure certificates to SCCM servers
  • Install Enrollment Point Roles
  • Publish the Enrollment point so devices can contact it
  • Allow users to enroll their device

The first step is a tricky one already. Setting up a single issuing Root CA in a test environment is no big deal. But setting up a PROPER PKI Infrastructure is a whole different ballgame.

Since this is way out of scope for this post, I’ll just assume you’ve got a working PKI infrastructure already. (hehe)

So, onto configuring the required certificates then.

I created a couple of new certificate templates:

An important note when creating and enabling these certificate templates: use the “Windows Server 2003, Enterprise Edition” template version. That is the only version ConfigMgr supports.

Oh, and don’t forget to configure a GPO for auto-enrollment of workstation certificates.

Well, after you get all the certificates created, enabled and installed, it’s time to configure them in ConfigMgr.

Yes, that’s step 5 of the 10 step program already 🙂

This involves first configuring the MP and DP to manage mobile devices, which basically means enabling HTTPS, allowing internet-based client access, and selecting certificates. And don’t forget to first configure the Site System on which these roles run with an external FQDN.

Then the Distribution Point:

and finally the MP:

Then, onto step 6, installing the Enrollment Point Role, and the Enrollment Proxy Point Roles.

When adding these roles it is important to keep in mind that you must use the external FQDN that you will use for Device Enrollment.

After this, you can already access the website containing the Device Enrollment Agents:

This very basic page (what, not even a nice System Center logo??) contains two links, to the Client Agent installers for Windows Mobile (.cab format) and for Nokia Symbian Belle (.sisx format).

Now, we fly to step 9, to configure the device settings for mobile devices.

Here you can set things like which user group you want to allow to enroll their devices.

This is done in the Mobile Device Enrollment Policy:

Now, that’s it. Now to get the old Windows Mobile device charged up, and see what we can do with it.

In the next posting that is.

Mobile Device Management in SCCM 2012 – Hands on (part 1)

April 28, 2012

In SCCM 2012 there is a completely revised version of the Mobile Device Management part.

Sure, this was already there in SCCM 2007, but hey, would YOU want to “manage” ancient Windows CE or Windows Mobile 5.0 devices? I didn’t think so either. Also, in the SCCM 2007 era, Bring Your Own Device (BYOD) wasn’t as hot as it is today, with everyone wanting to bring in and use their own tablets, smartphones and laptops.

Now with SCCM 2012, there is proper support for BYOD. Yeah! For a nice overview of this, see this video of Principal Program Manager Jeffrey Sutherland, talking about Mobile Device Management in SCCM 2012.


Light and Depth Management

We can define two types of device management in SCCM 2012:

-> Light Management <-

Working through Exchange ActiveSync, we leverage the existing Exchange device policies to do light management of the device (remote wipe, lockdown, etc.).

Why do we want this? It’s already in Exchange right?

Well, the Exchange admins might not be as concerned with individual end-user devices as they are with handling mail flow, so this task may fit better with the desktop/end-user/device management team in your organization. They are the ones working with SCCM 2012, and they are the ones most interested in gathering information about, and managing, the devices. Also, SCCM provides some very nice reporting on these devices.

-> In-Depth Management <-

The other type is the in-depth management of mobile devices.

This does not work through EAS, but through two new SCCM roles that have been introduced in SCCM 2012: the Enrollment Point and the Enrollment Proxy Point.

In-depth management can be done in two ways:

– Enroll the mobile devices into SCCM by installing the Mobile Device Client on them. Only on supported mobile OSes (currently Windows Mobile 6.1, 6.5 and Nokia Symbian Belle). Offers the most features.

– Enroll the mobile devices into SCCM by installing the Legacy Mobile Device Client on them. Only on supported mobile OSes, which currently are the ancient Windows CE 5, 6 and 7, and Windows Mobile 6.0. Fewer features, but still far more options than with EAS.

For a good comparison of all features in all three scenarios (EAS, Mobile Device Client on the device, and Legacy Mobile Device Client), see this page on TechNet.

Note that both in-depth solutions require a PKI infrastructure, because of the certificates that are used on the devices!

So, more on the in-depth part later; let’s first get EAS connected. (Yes, you can also choose hybrid solutions, i.e. managing both through EAS and through enrollment.)


Configuration of Mobile Device Management through Exchange

So, how do we set this up?

First the prereqs: an Exchange 2010 SP1 server (or Exchange Online (Office 365)), a working SCCM 2012 server (duh) and a network connection between them.

Then we have to establish a connection between the SCCM server and the Exchange (CAS) server.

We click Add Exchange Server and get the wizard:

Specify the name of the Exchange CAS server…

Hey, look at this screen. A precise listing of the Exchange permissions that the connector account requires. I’d say this calls for a new RBAC role in Exchange!

So, let’s first create a service account for this connection and assign the proper Exchange permissions to it.

Now I am going to assign read-only rights to this service account, ’cause I just want to get data from EAS about the devices, and not do any remote wiping. Which is, by the way, also how Microsoft IT did this (read here).


Then continue through the wizard:

I just set this to Weekly Full discovery, and Delta discovery twice a day.

So, after this wizard, the connection has been established with the CAS server.


As you can see, the path /powershell has been added to the target path of the Exchange server. Which makes sense, because all it really does is fire up PowerShell cmdlets against the CAS to get information from it.
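The read-only service account from the wizard step above, worked through as an added example (this is not code from the original post): it builds a custom Exchange RBAC role that keeps only Get-* cmdlets, assigns it to the connector account, and then verifies the result over the same https://<CAS>/powershell endpoint the connector itself talks to. The account name, the CAS FQDN and the choice of “Mail Recipients” as parent role are assumptions; the cmdlets the connector actually needs are the ones the wizard lists, and they may live under more than one parent role, so step 1 shows how to look that up.

```powershell
# Added example, not from the original post. Run in the Exchange Management
# Shell as a member of Organization Management.
# Assumed values: service account, CAS FQDN and parent role.
$svcAccount = 'contoso\svc-sccm-eas'   # assumed connector service account
$casFqdn    = 'cas01.contoso.com'      # assumed Client Access Server
$roleName   = 'SCCM EAS Connector (Read-Only)'

# 1. Find which built-in roles carry the device cmdlets the wizard lists,
#    so the custom role is derived from a parent that actually contains them.
Get-ManagementRoleEntry -Identity '*\Get-ActiveSyncDevice*' |
    Select-Object Role, Name

# 2. Clone the parent role (assumed: 'Mail Recipients') and strip every
#    entry that is not a Get-* cmdlet. The account can then read device
#    data but cannot wipe, block or change policies.
New-ManagementRole -Name $roleName -Parent 'Mail Recipients' | Out-Null
Get-ManagementRoleEntry -Identity "$roleName\*" |
    Where-Object { $_.Name -notlike 'Get-*' } |
    Remove-ManagementRoleEntry -Confirm:$false

# 3. Assign the trimmed role to the service account only (no group).
New-ManagementRoleAssignment -Role $roleName -User $svcAccount | Out-Null

# 4. Verify the effective rights the way the connector sees them: open a
#    remote session as the service account against /powershell on the CAS
#    and list the ActiveSync device cmdlets RBAC exposes to it.
$cred    = Get-Credential $svcAccount
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://$casFqdn/powershell" `
    -Authentication Kerberos -Credential $cred
$exposed = Invoke-Command -Session $session { Get-Command '*ActiveSyncDevice*' } |
    Select-Object -ExpandProperty Name
Remove-PSSession $session

'Cmdlets available to the connector account:'
$exposed
if ($exposed -contains 'Clear-ActiveSyncDevice') {
    Write-Warning 'Wipe cmdlet is still reachable; the role trimming did not take effect.'
}
```

If step 4 lists Get-ActiveSyncDevice and Get-ActiveSyncDeviceStatistics but no Clear-/Remove- cmdlets, the account matches the read-only intent described above.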

So, do we see any devices now?

First let’s kick off a discovery cycle:

And behold:


Well that device has my name written all over it (tee-hee)

So, what can we do with it then?

Well, not an awful lot:

Wipe, Block, and… hmm. Well.

Let’s have a look at those reports then:

Wow. That’s a lot of built-in reports. Very cool!


That’s all for this part, then.

Time to get really busy, and fire up an old Windows Mobile 6.5 phone, and start doing some real managing.

In the next post, that is.