This article is the fourth in a series on Mobile Management with SCCM 2012 SP1 and Windows Intune.
- Part 1: Configure Windows Intune connector in SCCM 2012 SP1
- Part 2: Configure SCCM 2012 for iOS devices
- Part 3: Deploy an application on iOS devices with SCCM 2012 SP1
- Part 4: Managing Mobile device configuration with SCCM 2012 SP1
- Part 5: Getting reports on Mobile devices with SCCM 2012 SP1
In this part, I show how to audit and secure the mobile device configuration.
PART 4 - MANAGING MOBILE DEVICE CONFIGURATION WITH SCCM 2012 SP1
1. What can be configured on a mobile device?
That depends mainly on the device.
Here is a table that gives you a first view of what can and can't be managed. Later in this article, I'll show you how to know precisely whether a setting is available on a device or not.
Compliance setting | Windows Phone 8 | Windows RT | iOS |
---|---|---|---|
Require password settings on mobile devices | Yes | No | Yes |
Minimum password length (characters) | Yes | Yes | Yes |
Idle time before mobile device is locked | Yes | Yes | Yes |
Number of passwords remembered | Yes | Yes | Yes |
Password expiration in days | Yes | Yes | Yes |
Password complexity | Yes | No | Yes |
Number of failed logon attempts before device is wiped | Yes | Yes | Yes |
Removable storage | Yes | No | No |
Camera | No | No | Yes |
File encryption on mobile device | Yes | No | No |
2. Creating a Configuration Item
In the Configuration Manager console, open the Assets and Compliance workspace.
Expand Compliance Settings and select Configuration Items.
Click on Create Configuration Item.
Specify a name.
Select Mobile Device as the type of configuration item.
Select the setting groups that you want to configure.
For this demo, I select all groups.
Password Management:
- In the upper part of the window, you can specify the settings.
- In the lower part, you can specify whether you only want to audit devices or whether you want to remediate the settings.
You can also specify the non-compliance severity for reports.
Note that in Windows Intune cloud-only mode, you can only set settings and never audit them.
For this demo, I specify that a password is required on devices and that this setting is audit-only.
Email management:
Device Security Settings:
You can provide VPN profiles for Windows RT devices
Peak times and frequency for mobile device synchronization:
Roaming settings:
Encryption settings:
For this demo, I select a value that is not supported on iOS devices, to show you later how the wizard helps you.
Wireless communication settings:
This window is really useful to deploy a Wi-Fi configuration on devices without having to distribute the connection password to people.
Certificates settings:
Specify the platforms supported by your configuration item.
As you probably know, not all settings are supported on all platforms. The wizard reminds you which of the selected settings won't be applied on each of your mobile device platforms.
Click on Next
Click on Close
3. Configuration Item: Properties and Revisions
Before creating a Configuration Baseline, I would like to show you some great features with Configuration Items.
Open the properties of your configuration item.
Select the Compliance Rules tab.
Click on New.
You get the list of all available settings together with the list of platforms that support each one.
Useful, isn't it?
For this demo, I add a new setting: "Number of failed logon attempts before device is wiped".
Note that the configuration item revision rises to 2.
You can easily get the time and the person responsible for the last change.
Click on Revision History
You get the revision history. You can compare an older version to the current version, delete a version... and restore a version, for example if you run into issues.
In this demo, SCCM 2012 informs us that a new rule has been created in the second version.
4. Create Configuration Baseline
Select Configuration Items
Click on Create Configuration Baselines
Specify a name.
Click on Add and select Configuration Items
Select the configuration Item
Click on Add
Click on OK to add configuration item(s)
Click on OK again to finish Configuration Baseline creation
5. Deploy Configuration Baseline
Select your configuration Baseline
Click on Deploy
Verify the Configuration Baseline selected
Specify the target collection and click on OK
Note that you need to check Remediate noncompliant rules when supported if you want to apply settings and not only audit settings.
6. Compliance Reports
The easiest way to get compliance information is to look directly at the Configuration Baseline. You immediately get the number of compliant and non-compliant devices.
To get more information, you need to use reports:
Open the Monitoring workspace
Expand Reporting > Reports and open the Compliance and Security folder.
Select the "Summary compliance by configuration baseline" report and click on Run.
You get detailed information about all Configuration baselines
To get more information about a specific configuration baseline, click on it
For each device and each Configuration Item, you get compliance information
7. My recommendations
As you can see on the previous screenshot, you can't get more information about what is wrong in your configuration item. You simply know whether your device is compliant with your configuration item or not.
On a Windows device, you can get more information in the log files (see DCMAgent.log and CIAgent.log), but on an iOS device it is quite impossible to troubleshoot.
So my recommendation is to create several Configuration Items, each as simple as possible.
For this demo, I create one Configuration Item for each setting.
Note:
- Even if "Remediate noncompliant settings" is enabled in my configuration items, the settings are not remediated, because the option is not enabled in the Configuration Baseline deployment.
- Unsupported settings are reported as "Compliant".
For each configuration item and each population, you can get detailed information.
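The evaluation behaviour described above (per-platform support from the table in section 1, the audit-versus-remediate choice at the Configuration Item level in section 2, the "Remediate noncompliant rules when supported" option on the deployment in section 5, unsupported settings reporting as Compliant, and the one-Configuration-Item-per-setting recommendation) as an added Python model. This is example code written for this article, not SCCM code and not the author's; the Rule, ConfigurationItem, Baseline and Device classes, the setting keys and the sample device state are assumptions made for the illustration, and only the support matrix is taken from the table above. It also goes a bit beyond the post by showing the same policy evaluated on a Windows RT device.

```python
import operator
from dataclasses import dataclass

# Added example: a model of how a mobile-device Configuration Baseline is
# evaluated and reported, written to illustrate the post. Not SCCM code; the
# class names, setting keys and device data below are assumptions for the demo.

PLATFORMS = ("Windows Phone 8", "Windows RT", "iOS")

# Support matrix transcribed from the table in section 1 (Yes -> True),
# columns in PLATFORMS order.
SUPPORT = {
    "require_password":         (True,  False, True),
    "min_password_length":      (True,  True,  True),
    "idle_lock_minutes":        (True,  True,  True),
    "passwords_remembered":     (True,  True,  True),
    "password_expiry_days":     (True,  True,  True),
    "password_complexity":      (True,  False, True),
    "wipe_after_failed_logons": (True,  True,  True),
    "removable_storage":        (True,  False, False),
    "camera":                   (False, False, True),
    "file_encryption":          (True,  False, False),
}

OPS = {"==": operator.eq, ">=": operator.ge, "<=": operator.le}


def is_supported(setting: str, platform: str) -> bool:
    return SUPPORT[setting][PLATFORMS.index(platform)]


@dataclass(frozen=True)
class Rule:
    setting: str
    op: str
    expected: object
    remediate: bool = False  # the CI's "Remediate noncompliant settings" box


@dataclass(frozen=True)
class ConfigurationItem:
    name: str
    rules: tuple


@dataclass(frozen=True)
class Baseline:
    name: str
    items: tuple
    # "Remediate noncompliant rules when supported", set on the deployment
    remediate_when_supported: bool = False


@dataclass
class Device:
    name: str
    platform: str
    settings: dict  # current device state; mutated when remediation applies


def evaluate_rule(rule: Rule, device: Device, baseline: Baseline) -> str:
    """Evaluate one rule, remediating only when both the CI and the deployment
    allow it. Unsupported settings report Compliant, as noted in section 7."""
    if not is_supported(rule.setting, device.platform):
        return "Compliant"
    current = device.settings.get(rule.setting)
    if current is not None and OPS[rule.op](current, rule.expected):
        return "Compliant"
    if rule.remediate and baseline.remediate_when_supported:
        device.settings[rule.setting] = rule.expected
        return "Remediated"
    return "Non-compliant"


def evaluate_item(item: ConfigurationItem, device: Device, baseline: Baseline) -> str:
    """A CI is Non-compliant as soon as any of its rules is; the report does not
    say which one, which is the troubleshooting gap the post points out."""
    statuses = [evaluate_rule(r, device, baseline) for r in item.rules]
    if "Non-compliant" in statuses:
        return "Non-compliant"
    if "Remediated" in statuses:
        return "Remediated"
    return "Compliant"


def evaluate_baseline(baseline: Baseline, device: Device) -> dict:
    return {item.name: evaluate_item(item, device, baseline) for item in baseline.items}


def split_per_setting(item: ConfigurationItem) -> tuple:
    """The post's recommendation: one Configuration Item per setting."""
    return tuple(ConfigurationItem(f"{item.name} / {r.setting}", (r,)) for r in item.rules)


# Constructed policy: four rules in a single CI, two of them set to remediate.
POLICY = ConfigurationItem("Mobile security", (
    Rule("require_password", "==", True, remediate=True),
    Rule("min_password_length", ">=", 6, remediate=True),
    Rule("idle_lock_minutes", "<=", 15),
    Rule("file_encryption", "==", True),
))


def sample_ipad() -> Device:
    # Constructed device state, not real inventory data.
    return Device("ipad-01", "iOS", {"require_password": False,
                                     "min_password_length": 4,
                                     "idle_lock_minutes": 30})


def compare_granularity(remediate: bool = False) -> tuple:
    """Return (coarse report, granular report), each on a fresh sample device."""
    coarse = Baseline("Coarse baseline", (POLICY,), remediate)
    granular = Baseline("Granular baseline", split_per_setting(POLICY), remediate)
    return evaluate_baseline(coarse, sample_ipad()), evaluate_baseline(granular, sample_ipad())


if __name__ == "__main__":
    for label, report in zip(("coarse", "granular"), compare_granularity()):
        print(label)
        for ci, status in report.items():
            print(f"  {ci}: {status}")
```

Running it shows the coarse baseline reporting a single "Non-compliant" for the whole CI, while the granular baseline reports one status per setting, with the unsupported file encryption setting showing as "Compliant" on iOS; calling compare_granularity(remediate=True) shows that only rules with remediation enabled at both levels get corrected.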
In my next post, I will show you how to generate reports about Mobile devices.
See you soon
Julien
Yet again another strong guide. Thanks!
Just one question about these password restrictions: are they for logging on to the company portal, or for other things?
Password restrictions don't concern the company portal, but the password of the device itself.
For example, with these settings, users have to use a password to unlock the device, and the device is automatically wiped if there are more than 10 failed logins.
Could you describe the capabilities of certificate compliance?
Hi,
To my mind, there is no "Certificate compliance" feature. However, you can deploy certificates on your devices thanks to the compliance features.
Regards,
Julien
After deploying the baseline settings, does the mobile device user need to do anything to receive the configuration items, or are they applied automatically? Does the user need to log onto the portal before the settings are applied? The reason I ask is that I have deployed a config item to prohibit the use of the camera on an iOS device. The settings have not been applied.
Also, are these configuration items deployed to users or devices?
With mobile devices, all configurations are applied to users.
The configuration is deployed automatically to the device, if the device is attached to the user and correctly initialized.
However, note that it can take some time to be deployed on the device: I noticed that configurations and reports were deployed/received during the night. So be patient...