Wednesday, 20 March 2013

[SCCM 2012 & Intune] Mobile management - Part 4: Managing Mobile device configuration with SCCM 2012 SP1

This article is the 4th of a series concerning Mobile Management with SCCM 2012 SP1 and Windows Intune.

In this part, I show how to audit and secure the mobile device configuration.


1. What can be configured on a mobile device?

That depends mostly on the device.
Here is a table that gives you a first view of what can and cannot be managed. Later in this article, I will show you how to know precisely whether a setting is available on a given platform.

Compliance setting                                     | Windows Phone 8 | Windows RT | iOS
-------------------------------------------------------|-----------------|------------|----
Require password settings on mobile devices            | Yes             | No         | Yes
Minimum password length (characters)                   | Yes             | Yes        | Yes
Idle time before mobile device is locked               | Yes             | Yes        | Yes
Number of passwords remembered                         | Yes             | Yes        | Yes
Password expiration in days                            | Yes             | Yes        | Yes
Password complexity                                    | Yes             | No         | Yes
Number of failed logon attempts before device is wiped | Yes             | Yes        | Yes
Removable storage                                      | Yes             | No         | No
File encryption on mobile device                       | Yes             | No         | No

2. Creating Configuration Item

In the Configuration Manager console, open the Asset and Compliance workspace
Expand Compliance Settings and select Configuration Items
Click on Create Configuration Item

Specify a name.
Select Mobile Device in the type of configuration item

Select the setting groups that you want to configure.
For this demo, I select all groups.

Password Management:
 - In the upper part of the window, you specify the settings.
 - In the lower part, you specify whether you only want to audit devices or also remediate the settings.
You can also specify the non-compliance severity used in reports.
Note that in Windows Intune cloud-only mode, you can only apply settings; audit only is not available.

For this demo, I specify that a password is required on devices, and that the setting is audit only.

Email management:

Device Security Settings:
You can provide VPN profiles for Windows RT devices

Peak times and frequency for mobile device synchronization:

Roaming settings:

Encryption settings:
For this demo, I select a value that is not supported on iOS devices, to show you later how the wizard helps you.

Wireless communication settings:
This page is really useful for deploying Wi-Fi configuration to devices without having to give the connection password to users: the key travels inside the profile, so users never need to know it (it is still stored on the device, of course).

Certificates settings:

Specify the platforms supported by your configuration item.

As you probably know, not all settings are supported on all platforms. The wizard reminds you which of the settings you selected will not be applied on each mobile platform.

Click on Next

Click on Close

3. Configuration Item : Properties and Revisions

Before creating a Configuration Baseline, I would like to show you some great features of Configuration Items.

Open properties of your configuration item
Select the Compliance Rules tab
Click on New

You get the list of all available settings, with the platforms that support each one.
Useful, isn't it?

For this demo, I add a new setting: "Number of failed logon attempts before device is wiped".

Note that the configuration item revision rises to 2.
You can easily see when the last change was made and by whom.
Click on Revision History

You get the revision history. You can compare an older version with the current one, delete a version... and restore a version, for example if you run into issues.

In this demo, SCCM 2012 shows that a new rule was created in the second revision.

4. Create Configuration Baseline

Select Configuration Baselines
Click on Create Configuration Baseline

Specify a name.
Click on Add and select Configuration Items

Select the configuration Item
Click on Add

Click on OK to add configuration item(s)
Click on OK again to finish Configuration Baseline creation


5. Deploy Configuration Baseline

Select your configuration Baseline
Click on Deploy

Verify the Configuration Baseline selected
Specify the target collection and click on OK
Note that you need to check "Remediate noncompliant rules when supported" if you want to apply the settings and not only audit them. If you leave it unchecked, the deployment stays audit only, whatever remediation option is set inside the configuration items.
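As an added example that is not part of the original article, here is the baseline creation and deployment of sections 4 and 5 scripted with the Configuration Manager PowerShell module that ships with the SP1 console. The mobile device configuration items themselves are still created in the console as in section 2; the script assumes they already exist under the names used below. The site code, the CI names and the collection name are assumptions, and the cmdlet parameters are those of the SP1 module as I know them (in particular -AddOSConfigurationItem for attaching the CI, and -EnableEnforcement as the scripted equivalent of "Remediate noncompliant rules when supported"); check them with Get-Command -Module ConfigurationManager before running.

```powershell
# Added example (not from the original article): build and deploy a baseline
# for mobile device CIs with the ConfigMgr 2012 SP1 PowerShell module.
# Assumptions (not in the article): site code "P01", the CIs were created in
# the console as in section 2 and are named as in $ciNames, and the target
# user collection is "All Mobile Users". Cmdlet parameter names are those of
# the SP1 module as I know them; verify them on your site before use.

# The module sits one level above the console's bin\i386 folder.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location 'P01:'

$baselineName   = 'Mobile security - audit'
$collectionName = 'All Mobile Users'
$ciNames        = @('Mobile - Require password',
                    'Mobile - Wipe after failed logons')

# One CI per setting (section 7) keeps the per-CI compliance report readable:
# a non-compliant result then points at exactly one setting.
[int[]]$ciIds = @(foreach ($name in $ciNames) {
    $ci = Get-CMConfigurationItem -Name $name
    if (-not $ci) { throw "Configuration item '$name' not found" }
    $ci.CI_ID
})

if (-not (Get-CMBaseline -Name $baselineName)) {
    New-CMBaseline -Name $baselineName `
                   -Description 'Mobile device password settings (audit)' | Out-Null
}

# Assumption: -AddOSConfigurationItem is the parameter that attaches these CIs
# (it takes CI_ID values). It is idempotent for IDs already in the baseline.
Set-CMBaseline -Name $baselineName -AddOSConfigurationItem $ciIds

# -EnableEnforcement is the "Remediate noncompliant rules when supported" box
# of section 5. $false keeps the deployment audit only, even when remediation
# is enabled inside the CI (see the note in section 7). Switch it to $true
# once the audit reports look sane and you want the settings enforced.
Start-CMBaselineDeployment -Name $baselineName `
                           -CollectionName $collectionName `
                           -EnableEnforcement $false `
                           -GenerateAlert $false
```

Run it from a console that has the ConfigMgr console installed (the SMS_ADMIN_UI_PATH variable is set by the console installer); mobile device CIs are targeted at user collections, so $collectionName must be a user collection, as the comment thread below also points out.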

6. Compliance Reports

The easiest way to get compliance information is to look directly at the Configuration Baseline: it shows the number of compliant and non-compliant devices.

To get more information, you need to use the reports:
Open the Monitoring workspace
Expand Reporting > Reports and open the Compliance and Security folder
Select "Summary compliance by configuration baseline" and click on Run

You get detailed information about all Configuration Baselines.
To get more information about a specific Configuration Baseline, click on it.

For each device and each Configuration Item, you get compliance information.

7. My recommendations

As you can see on the previous screenshot, you cannot see what is wrong inside your configuration item. You only know whether a device is compliant with the configuration item as a whole.
On a Windows device, you can get more details from the log files (see DCMAgent.log and CIAgent.log), but on an iOS device, it is nearly impossible to troubleshoot.

So my recommendation is to create several Configuration Items, each as simple as possible.

For this demo, I create one Configuration Item per setting, so that a non-compliant result points directly at the setting concerned.

Note:
 - Even if "Remediate noncompliant settings" is enabled in my configuration items, the settings are not remediated, because the option is not enabled in the Configuration Baseline deployment.
 - Unsupported settings are reported as "Compliant". A device can therefore appear compliant with a setting that its platform cannot enforce at all, so check the platform support table of section 1 before trusting a green report.

For each Configuration Item and each collection, you get detailed information.
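To make the second note usable in practice, here is an added example (not code from the original article) that takes the platform support table of section 1 and a per-device, per-configuration-item compliance result, and downgrades every "Compliant" result for a setting the platform does not support to NotEnforced. It assumes one configuration item per setting, as recommended above, so that the configuration item name identifies the setting; the device records are constructed sample data, not a real report, and the function and column names are my own.

```powershell
# Added example (not from the original article): separate real compliance
# from "compliant because the platform cannot evaluate the setting".
# $Support is the table of section 1. The records are constructed sample
# data in the shape of the per-device, per-CI report, assuming one CI per
# setting so the CI name is the setting name.

# Setting -> platforms on which ConfigMgr 2012 SP1 can actually evaluate it
$Support = @{
    'Require password settings on mobile devices'            = @('Windows Phone 8', 'iOS')
    'Minimum password length (characters)'                   = @('Windows Phone 8', 'Windows RT', 'iOS')
    'Idle time before mobile device is locked'               = @('Windows Phone 8', 'Windows RT', 'iOS')
    'Number of passwords remembered'                         = @('Windows Phone 8', 'Windows RT', 'iOS')
    'Password expiration in days'                            = @('Windows Phone 8', 'Windows RT', 'iOS')
    'Password complexity'                                    = @('Windows Phone 8', 'iOS')
    'Number of failed logon attempts before device is wiped' = @('Windows Phone 8', 'Windows RT', 'iOS')
    'Removable storage'                                      = @('Windows Phone 8')
    'File encryption on mobile device'                       = @('Windows Phone 8')
}

function Get-EffectiveCompliance {
    param(
        [Parameter(Mandatory)][hashtable]$SupportTable,
        # Each record carries Device, Platform, Setting (= CI name) and Status
        [Parameter(Mandatory)][object[]]$Records
    )
    foreach ($r in $Records) {
        # A missing key yields $null, and $null -contains X is $false,
        # so an unknown setting is treated as unsupported rather than trusted.
        $supported = $SupportTable[$r.Setting] -contains $r.Platform
        $effective = if (-not $supported) {
            # Section 7: unsupported settings are reported as "Compliant".
            # Do not count them as enforced.
            'NotEnforced'
        } else {
            $r.Status
        }
        [pscustomobject]@{
            Device    = $r.Device
            Platform  = $r.Platform
            Setting   = $r.Setting
            Reported  = $r.Status
            Effective = $effective
        }
    }
}

# Constructed sample report: one line per device and per (single-setting) CI
$sample = @(
    [pscustomobject]@{ Device = 'iPad-01';    Platform = 'iOS';             Setting = 'File encryption on mobile device';            Status = 'Compliant' }
    [pscustomobject]@{ Device = 'iPad-01';    Platform = 'iOS';             Setting = 'Password complexity';                         Status = 'Non-compliant' }
    [pscustomobject]@{ Device = 'Surface-07'; Platform = 'Windows RT';      Setting = 'Require password settings on mobile devices'; Status = 'Compliant' }
    [pscustomobject]@{ Device = 'Lumia-03';   Platform = 'Windows Phone 8'; Setting = 'File encryption on mobile device';            Status = 'Compliant' }
)

$result = Get-EffectiveCompliance -SupportTable $Support -Records $sample
$result | Format-Table -AutoSize

# Settings that look green in the console but are not enforced anywhere
$result | Where-Object Effective -eq 'NotEnforced' |
    Group-Object Setting |
    Select-Object Name, Count
```

With the sample data, the two iOS and Windows RT "Compliant" lines for encryption and password requirement come out as NotEnforced, while the Lumia line stays Compliant: that is the difference between "the report is green" and "the control is in place". Feed the function the real per-CI results once you have them, and review the NotEnforced list whenever a new platform joins the collection.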

In my next post, I will show you how to generate reports about Mobile devices.

See you soon

7 comments:

  1. Yet again another strong guide. Thanks!

    Just one question, these password restrictions. Are they for logging on to the company portal, or for other things?

    1. Password restrictions don't concern the company portal, but the password of the device itself.

      For example, with these settings, users have to use a password to unlock the device, and the device is automatically wiped if there are more than 10 failed logins.

  2. Could you define the capabilities with Certificate compliance.

    1. Hi,
      In my opinion, there is no "Certificate compliance" feature. However, you can deploy certificates to your devices thanks to the compliance features.


  3. After deploying the baseline settings, does the mobile device user need to do anything to receive the configuration items, or are they applied automatically? Does the user need to log on to the portal before settings are applied? The reason I ask is that I have deployed a config item to prohibit the use of the camera on an iOS device. Settings have not been applied.

  4. Also, are these configuration items deployed to users or devices?

    1. With mobile devices, all configurations are applied to users.

      The configuration is deployed automatically to the device, if the device is attached to the user and correctly initialized.
      However, note that it can take some time to be deployed to the device: I noticed that configurations and reports were deployed/received during the night. So be patient...

