How can I manage modern devices using System Center 2012 R2 Configuration Manager ? – Part 4

Introduction

 

In Part 1 of this mini series we integrated Windows Intune with System Center 2012 R2 Configuration Manager. In Part 2 we added Support for iOS devices (Iphone, iPad). In Part 3 we learned the difference between App Package for iOS (*.ipa file) and applications from the Apple App Store. We learned how to deploy them to iOS devices and edited our deployment types to set requirements so that the applications were made available to the user based on the iPhone or Ipad operating system version, in addition we also checked device Ownership information and deployed the application based on those requirements.

System Center 2012 R2 Configuration Manager with Windows Intune integration provides new abilities (double the default settings groups that were offered in Configuration Manager 2012 Service Pack 1) for configuring settings for mobile device management. In this part we will learn how to use and configure compliance settings in order to enable or disable certain configurable features on iOS devices. We will enforce a Password requirement and make it a minimum password length, this is a common requirement for organizations.

 

The following lists the default settings groups (or headings) of the mobile device settings which are now available, each default settings group contains many configurable settings:

  • Password
  • Device
  • Email Management
  • Store
  • Browser
  • Internet Explorer
  • Content Rating
  • Cloud
  • Security
  • Peak synchronization
  • Roaming
  • Encryption
  • Wireless communications
  • Certificates
  • System Security
  • Windows Server Work folders

Note: In addition to the above, you can configure additional settings that are not listed by clicking on configure additional settings that are not listed in the default settings groups when creating your configuration item. There are many additional settings available so do take a look at them.

 

The following page on Technet explains the above settings in more detail and shows which settings are applicable by platform type.

 

table.png

 

Note: Although the list above is quite extensive and contains several configurable settings per heading, not all default settings groups apply to any one device type, the applicability of a setting is listed during Configuration Item creation.

 

Step 1. Create a new Mobile Device configuration item

Compliance Settings within Configuration Manager are used to control the settings on your mobile devices. In the Configuration Manager console, click on Assets and Compliance, and expand Compliance Settings. Locate Configuration Items, right click and choose Create Configuration Item.

 

Create Configuration Item.png

 

In the wizard that appears, give your configuration Item a suitable name which desribes the functionality of the Configuration Item such as Minimum Password Length, then from the drop down menu select Mobile Device as the type of Configuration Item you are going to create like in the example below

 

create configuration item - Name and configuration item type.png

 

and then click on Categories, then Create to create a new category, enter All iOS – Password. This will make it easier later to filter our configuration items for each platform and heading group.

 

create category called All iOS Password.png

 

so that it looks look the following example

 

General - create configuration item wizard.png

 

Place a checkmark in the Password default settings group.

 

Password default settings group.png

 

click on next and the Password default settings group settings are revealed, we will configure the minimum password length here, set it to a value that works in your organization and change the Require password settings on mobile devices dop down menu to Required and make sure that Remediate noncompliant settings checkbox is checked as shown in the screenshot below.

 

Password default settings group.png

 

Tip: Although there are many settings in each default settings group, to make it easier to track compliance for each setting you configure, consider creating one Configuration Item per setting.

 

On the Supported Platforms screen you can select the devices you want to support, for example iPhone as shown in the screenshot below, if you choose to select All Systems (default) then the next screen will be populated with those platforms that are not supported by the setting you have chosen.

 

supported platforms.png

 

In the Platform Applicability screen any platforms that are NOT supported by the settings you chose will be listed,

 

Platform Applicability.png

 

complete the wizard

 

wizard complete.png

 

Step 2. Create a Configuration Baseline

Now that we’ve created our Configuration Item, we will add it to a Configuration Baseline. To do that we need to create the baseline. In Configuration Baselines, right click and choose Create Configuration Baseline

 

Create Configuration Baseline.png

 

Give it a suitable name like All iOS Mobile Device Management baseline and click on Add, then add our previously created Configuration Item from Step 1.

 

All iOS configuration baseline.png

 

and don’t forget to add any assigned Categories to improve search filtering

 

assigned categories.png

 

Step 3. Create a new device collection

Create a new device collection called All iOS devices, limit it to All Mobile devices

 

All iOS devices collection.png

 

and setup a membership query to look for Operating Systems like iOS.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Clientfrom SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "iOS%"

membership query.png

 

And below is our collection populated with iOS devices after creation

 

all ios devices.png

 

Step 4. Deploy the Configuration Baseline

Now that we have created our configuration item which has compliance rules defined for Password minimum length, and added it to a configuration baseline we are ready to deploy it to a collection.

 

Note: You can deploy compliance settings for Mobile Devices to a user or device collection. If you deploy the baseline to a user collection, the compliance settings are applied to all the enrolled devices for those users.

 

In this example, we will deploy it to our previously created collection called All iOS Devices.

 

Right click on the All iOS Mobile Device Management baseline configuration baseline created above and choose Deploy.

 

deploy configuration baseline.png

 

Place a checkmark in Remediate noncompliant rules when supported and Generate an alert. Next select the browse button beside collection and specify the All iOS Devices collection, select the Schedule to Simple Schedule and set it to run every 1 days.

 

remediate noncompliant rules when supported.png

 

Step 5. Monitor Compliance using Reports.

Configuration Manager has several built-in reports including of course reports for Compliance. In the Monitoring node click on Reports, and expand to Compliance Settings Management.

 

compliance settings management reports.png

 

Select the following report, Summary Compliance by a configuration baseline and fill in the values requested

 

All iOS Mobile Device Management baseline compliance report.png

 

Click on View Report to get details of compliance

 

view report.png

 

and you can drill your way through the compliance reports to see how your Compliance Settings are taking shape !

In the screenshot below for example we can see that the compliance state was not applicable as we targeted our configuration item to iPhone IOS only (and excluded iPads).

 

not applicable to iPads.png

 

and below we can see a compliant device

 

phone is compliant.png

 

Step 6. Verify the settings change on a targeted mobile device

You will of course want to verify the settings change on a mobile device that you have targeted with these compliance settings.

 

Note: The screenshots below are only related to the change we enforced above (minimum password length) so obviously whatever setting you target to your modern devices will have to be verified accordingly.

 

In the first screenshot we can see that the device has received the policy and alerts the user, clicking on continue allows the user to make the change, or the user can delay it (within the deadline of 60 minutes) by clicking later.

 

IMG_5059.PNG

 

the user is prompted to enter the old password (4 chars in this case)

 

IMG_5061.PNG

 

and then the user must enter the new password with 6 characters (from our configured compliance settings)

 

IMG_5063.PNG

 

and re-enter it and click on save to confirm

 

IMG_5064.PNG

 

congratulations ! All done.

 

 

Recommended Reading

  • How to Create Configuration Items for Devices enrolled by Windows Intune and Configuration Manager – http://technet.micro…y/dn376523.aspx
  • Adding the Reporting Services Point role – http://www.windows-n…ces-point-role/
  • How can I manage modern devices using System Center 2012 R2 Configuration Manager ? – Part 1
  • How can I manage modern devices using System Center 2012 R2 Configuration Manager ? – Part 2
  • How can I manage modern devices using System Center 2012 R2 Configuration Manager ? – Part 3

 

Summary

In this part we’ve looked at how we can configure settings on mobile devices using Compliance Settings within Configuration Manager. We then saw how to report on the compliance and finally how to verify those settings were applied on targeted devices. Until next time, adios !

This entry was posted in Compliance Settings, ConfigMgr 2012, iOS. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.