This article is the 4th of a series concerning Mobile Management with SCCM 2012 SP1 and Windows Intune.
- Part 1: Configure Windows Intune connector in SCCM 2012 SP1
- Part 2: Configure SCCM 2012 for iOS devices
- Part 3: Deploy an application on iOS devices with SCCM 2012 SP1
- Part 4: Managing Mobile device configuration with SCCM 2012 SP1
- Part 5: Getting reports on Mobile devices with SCCM 2012 SP1
I propose now to audit and to secure the mobile device configuration.
PART 4 - MANAGING MOBILE DEVICE CONFIGURATION WITH SCCM 2012 SP1
1. What can be configured on a mobile device ?
That depends especially on the device !!
Here is a table that provide you a first view of what can be and can't be managed. Latter in that article, I'll show you how you can know precisely if a settings is available or not on a device.
|Compliance setting||Windows Phone 8||Windows RT||iOS|
|Require password settings on mobile devices||Yes||No||Yes|
|Minimum password length (characters)||Yes||Yes||Yes|
|Idle time before mobile device is locked||Yes||Yes||Yes|
|Number of passwords remembered||Yes||Yes||Yes|
|Password expiration in days||Yes||Yes||Yes|
|Number of failed logon attempts before device is wiped||Yes||Yes||Yes|
|File encryption on mobile device||Yes||No||No|
2. Creating Configuration Item
In the Configuration Manager console, open the Asset and Compliance workspace
Expand Compliance Settings and select Configuration Items
Click on Create Configuration Item
Specify a name.
Select Mobile Device in the type of configuration item
Select the groups that you want to specify
For this demo, I select all groups
- On the higher part of the windows, you can specify settings.
- In lower part, you can specify if you only want to audit devices or if you want to remediate settings.
You can also specify the non-compliance severity for reports.
Note that in Windows Intune Cloud only mode, you can only set settings and never audit them.
For this demo, I specify that password is required on devices and that settings is only for audit.
Device Security Settings:
You can provide VPN profiles for Windows RT devices
Peak times and frequency for mobile device synchronization:
For this demo, I select a value that is not supported on iOS devices to show you latter how wizard help you.
Wireless communication settings:
This window is really useful to deploy wifi configuration on devices without having to distribute connection password to people
Specify the platform supported by your configuration item
Click on Next
Click on Close
3. Configuration Item : Properties and Revisions
Before creating a Configuration Baseline, I would like to show you some great features with Configuration Items.
Open properties of your configuration item
Select the Compliance Rules tab
Click on New
You get the list of all available settings and the list of the associated supported platforms.
Useful, isn't it ?!?
For that demo, I add a new setting: "Number of failed logon attempts before device is wiped"
Note that Mobile configuration revision rises to 2
You can easily get the time and the person responsible for the last change.
Click on Revision History
You get the revision history. You can compare an older version to the current version, delete a version... and restore a version, for example if you experiment some issues.
In that demo, SCCM 2012 informs us that in the second version, a new rules have been created...
4. Create Configuration Baseline
Select Configuration Items
Click on Create Configuration Baselines
Specify a name.
Click on Add and select Configuration Items
Select the configuration Item
Click on Add
Click on OK to add configuration item(s)
Click on OK again to finish Configuration Baseline creation
5. Deploy Configuration Baseline
Select your configuration Baseline
Click on Deploy
Verify the Configuration Baseline selected
Specify the target collection and click on OK
Note that you need to check Remediate noncompliant rules when supported if you want to apply settings and not only audit settings.
6. Compliance Reports
The easiest way to get compliance information is to watch directly the Configuration Baseline. You get directly the number of compliant and not-compliant devices.
To get more information, you need to use reports:
Open the Monitoring workspace
Expand Reportings>Reports and Open the Compliance and Security folder
Select the Summary compliance by configuration baseline and Click on Run
You get detailed information about all Configuration baselines
To get more information about a specific configuration baseline, click on it
For each device and each Configuration Item, you get compliance information
7. My recommendations
As you can see on the previous screen shot, you can't get more information about what's wrong in your configuration item. You simply know that your device is compliant or not to your configuration item.
On a Windows device, you can get more information in the log files (see DCMAgent.log and CIAgent.log) but on an iOS device, it's quiet impossible to troubleshoot.
So, My recommendation is to create several Configuration Items as simple as possible.
For this demo, I create one Configuration Item for each setting.
- Even if Remediate noncompliant settings is enabled in my configuration items, settings are not remediated because option is not enabled in the Configuration Baseline deployment
- Not supported settings are reported as "Compliant"
For each configuration Item and each population, you can get detailed information
In my next post, I will show you how to generate reports about Mobile devices.
See you soon
Yet again another strong guide. Thanks!RépondreSupprimer
Just one question, these password restrictions. Are they for logging on to the company portal, or for other things?
Password restrictions doesn't concern company portal, but the password of your device itself.Supprimer
For example, with that settings, users have to use a password to unlock device and device is automatically wiped if there are more that 10 failed logins.
Could you define the capabilities with Certificate compliance.RépondreSupprimer
On my mind, there is no "Certificate compliance" feature. However you can deploy certificates on your devices thanks to compliances features.
After deploying the baseline settings does the mobile device user need to do anything to receive the configuration items?? or are they applied automatically. Does the user need to log onto the portal before settings are applied??. The reason i ask is that i have deployed a config item to prohibit the use of the camera on an IOS device. Settings have not been applied??RépondreSupprimer
Also Are these configuration items deployed to users or devicesRépondreSupprimer
With mobile device, all configuration are applied on Users.Supprimer
The configuration is deployed automatically on device, if device is attached to the user and correctly initialized.
However, note that it can take some time to be deployed on device: I noticed that configurations and reports were deployed/received during the night. So be patient...