In Part 1 of this mini series we integrated Windows Intune with System Center 2012 R2 Configuration Manager. In Part 2 we added support for iOS devices (iPhone, iPad). In Part 3 we learned the difference between App Package for iOS (*.ipa file) and applications from the Apple App Store. We learned how to deploy them to iOS devices and configured the deployment type so that the applications were made available to the user based on the iPhone or iPad operating system version. In addition, we checked device ownership information and deployed the application based on those requirements.
In Part 4 we learned how to use and configure compliance settings in order to enable or disable certain configurable features on iOS devices. We enforced a Password requirement and enforced a minimum password length as this is a common requirement for organizations. In Part 5 we enabled support for Windows 8.1 devices (both Windows RT 8.1 and Windows 8.1 Enterprise) so that they could be managed via System Center 2012 R2 Configuration Manager integrated with Windows Intune. In Part 6 we deployed Windows 8.1 apps (appx) to Windows 8.1 devices. In Part 7 we looked at how to make Windows 8.1 store apps available in the Company Portal and how to make them featured apps with their own categories.
Now we will add support for Android and learn how to deploy mobile device settings to Android devices. As security of company data is so important these days, being able to encrypt files on a device is a great asset, and we will use mobile device settings (Compliance Settings) to enable File encryption on these Android devices. Users can download the Android company portal app from Google’s Android store (Google Play) and that allows them to enroll Android devices. With the Android company portal app, you can manage compliance settings, wipe or delete Android devices, deploy apps, and collect software and hardware inventory. If the Android company portal app is not installed on Android devices or if you are using Configuration Manager SP1, then you will not have all the management capabilities, such as inventory and compliance settings, but you can still deploy apps to Android devices.
Step 1. Enable Android support
In the System Center 2012 R2 Configuration Manager console, browse to Administration, expand Cloud Services, right click on Windows Intune Subscriptions and select Properties, like in the screenshot below.
Select the Android tab, and place a checkmark in Enable Android Enrollment like in the screenshot below.
Click Apply, then OK, and that’s it, you are done.
Step 2. Create an All Android Devices Collection
Create a new collection called All Android Devices, limited to All Mobile Devices. We will use this collection to house our Android devices and to target them with Android-specific deployments.
Give it a membership query for Android devices:
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "Android%"
Continue through to the end of the Create New Collection wizard.
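The same collection can be created from PowerShell instead of the wizard. This is an added example, not part of the original guide; it assumes the Configuration Manager console (and its PowerShell module) is installed, and the site code PS1 and the rule name are placeholders.

```powershell
# Added example. Assumptions: the Configuration Manager console is installed on
# this machine, and 'PS1' is a placeholder site code to replace with your own.
$SiteCode       = 'PS1'
$CollectionName = 'All Android Devices'
$LimitingName   = 'All Mobile Devices'
$RuleName       = 'Android devices'   # hypothetical rule name

# The membership query from Step 2, unchanged (WQL).
$Query = 'select SMS_R_System.ResourceId, SMS_R_System.ResourceType, ' +
         'SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, ' +
         'SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client ' +
         'from SMS_R_System ' +
         'where SMS_R_System.OperatingSystemNameandVersion like "Android%"'

# Load the module that ships with the console and switch to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "${SiteCode}:"

# Create the collection only if it does not exist yet, so the script can be re-run.
if (-not (Get-CMDeviceCollection -Name $CollectionName)) {
    New-CMDeviceCollection -Name $CollectionName `
                           -LimitingCollectionName $LimitingName | Out-Null
}

# Add the query rule only if it is not already present.
$existingRule = Get-CMDeviceCollectionQueryMembershipRule `
                    -CollectionName $CollectionName -RuleName $RuleName
if (-not $existingRule) {
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName `
                                              -RuleName $RuleName `
                                              -QueryExpression $Query
}

# Equivalent of Update Membership in the console. Evaluation is asynchronous,
# so the member list below can be empty until it completes and devices enroll.
Invoke-CMDeviceCollectionUpdate -Name $CollectionName
Get-CMDevice -CollectionName $CollectionName | Select-Object Name, ResourceId
```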
Step 3. Create a Configuration Item to configure mobile device settings for Android
Next we will configure mobile device settings for Android. This is done in a few parts, first we create the configuration item containing the settings, next we add them to a configuration baseline, and finally we deploy the configuration baseline to our previously created All Android Devices collection.
The following page on Technet explains the settings available for Android (for devices with the Android company portal app installed) and other mobile platform types, but to summarize the following 9 settings are currently available for the Android Platform (as of March 2014).
In Assets and Compliance, select Configuration Items, right click on it and choose Create Configuration Item.
Give it a suitable name such as Android Mobile Device File Encryption Settings and create a new category called “All Android – Enable file encryption” like in the screenshot below.
As File encryption requires a passcode being set on the Android device, select Password and Encryption from the settings groups available
For the Password screen, select a Minimum Password Length of at least 6 characters (6 characters containing at least one letter), like in the screenshot below, making sure to set a checkmark in Remediate noncompliant settings, otherwise the Password setting won’t be forced.
For the setting File Encryption on Mobile Device, change the drop down menu to On, and make sure to set a checkmark in Remediate noncompliant settings, otherwise it won’t encrypt anything.
Note: The Storage Card Encryption option is not currently available for Android so don’t bother selecting it. In fact, the only option applicable to Android on this screen is File Encryption on Mobile device.
For Supported Platforms, de-select All and only select Android, as in the screenshot below.
If you did everything like I’ve shown above, then the Platform Availability screen will be blank, and that’s OK. If you previously selected an additional option that is not compatible with the Android platform, you’ll see it here; if so, click Back and remove it.
Continue the wizard through to completion.
Step 4. Create a Configuration Baseline
Right click on Configuration Baselines and choose Create Configuration Baseline. A Configuration Baseline can contain one or more Configuration Items.
Give the baseline a useful name like All Android Mobile Device Management Baseline and click on Add, select the previously created Android Mobile Device Encryption Settings CI like in the screenshot below, and then select the All Android – Enable File Encryption category.
Step 5. Deploy the Configuration Baseline
Now we are ready to deploy our mobile device settings for Android to a collection. In this example, we will deploy it to our previously created collection called All Android Devices.
Note: You can deploy compliance settings for Mobile Devices to a user or device collection. If you deploy the baseline to a user collection, the compliance settings are applied to all the enrolled devices for those users.
Right click on the All Android Mobile Device Management baseline configuration baseline created above and choose Deploy.
Select the option to Remediate and browse to the device collection called All Android Devices, then select your desired compliance evaluation schedule. Every 1 day is sufficient in a lab; perhaps every 7 days is better in production.
Step 6. Enroll an Android Device
On an Android 4.0, 4.1 or 4.2 device start up Google Play (Play Store)
and search for Company Portal, you should see Windows Intune Company Portal listed,
select it and choose Install
click Accept to the App Permissions
and click Open once installed,
you’ll be prompted to sign in using your organizational account, do so by clicking on Add this device
enter your credentials and click on Sign In,
it should say adding your device….
and after a delay you should be prompted to Activate device administrator, click on Activate
and then it continues adding your device,
after which you’ll be presented with the Company Portal.
Step 7. Check the status of your Android devices in the console
In the Configuration Manager console, check All Mobile Devices; your Android devices should appear here first (once they have enrolled successfully).
You should also check the All Android Devices collection next. If your device doesn’t appear here yet, try Update Membership.
After hardware inventory data has been uploaded, you can start Resource Explorer and see what details it provides, including whether or not the device is jailbroken or rooted.
Lastly you can monitor the Deployment status of your Configuration Baseline by clicking on View Status to see how compliant your Android devices are for the deployed baseline. To view status, click on the Configuration Baseline, select Deployments, and right click on the deployment, then select View Status like in the screenshot below.
Step 8. Verify the settings on an enrolled device
Now everything is in place for your changes to take effect. On a targeted Android device you should see notifications arrive for the two major changes we initiated, namely:
- Device Passcode
- File Encryption
The following screenshot shows what the notification will look like on a Samsung Galaxy 4.
When entering the new Password you’ll be prompted to enter at least 6 characters
and you’ll be reminded that it must contain at least one number, exactly as we set in the Mobile Device Compliance Settings.
I’ll post a screenshot of the Encrypted settings taking effect as soon as I can.
That’s it, job done!
Thanks to my eldest son Christopher for lending me his Samsung for this guide.
Recommended Reading
- CM12 in a Lab – How can I manage modern devices using System Center 2012 R2 Configuration Manager ? – Part 1
- CM12 in a Lab – How can I manage modern devices using System Center 2012 R2 Configuration Manager ? – Part 2
- CM12 in a Lab – How can I manage modern devices using System Center 2012 R2 Configuration Manager ? – Part 3
- CM12 in a Lab – How can I manage modern devices using System Center 2012 R2 Configuration Manager ? – Part 4
- CM12 in a Lab – How can I manage modern devices using System Center 2012 R2 Configuration Manager ? – Part 5
- CM12 in a Lab – How can I manage modern devices using System Center 2012 R2 Configuration Manager ? – Part 6
- CM12 in a Lab – How can I manage modern devices using System Center 2012 R2 Configuration Manager ? – Part 7
Summary
Android devices are becoming commonplace in our workplaces and homes. From sophisticated phones to feature-rich tablets, they are gaining market share rapidly. In this post we learned how to enable support for Android devices in System Center 2012 R2 Configuration Manager with Windows Intune integration. We also saw how to enroll those devices, and how to deploy Mobile Device Settings to control up to 9 different settings on these devices. We also looked at the Company Portal, and in our next post we’ll look in more detail at its features and how to deploy apps.
Downloads
For Offline reading you can download a Microsoft Word copy of this guide below.
How can I manage modern devices using System Center 2012 R2 Configuration Manager Part 8.zip