Compliance Settings and Company Resource Access in Configuration Manager

Compliance Settings and Company Resource Access in Configuration Manager

  • Comments 2
  • Likes

This post is a part of the nine-part “What’s New in Windows Server & System Center 2012 R2” series that is featured on Brad Anderson’s In the Cloud blog.  Today’s blog post covers how System Center 2012 R2 Configuration Manager and Windows Intune allows and administrator to provide VPN, WiFi profiles, and Certificates to permit users to connect to company resources and how it applies to Brad’s larger topic of “People-centric IT.”  To read that post and see the other technologies discussed, read today’s post:  “Making Device Users Productive and Protecting Corporate Information.”

As part of the People-centric IT pillar of System Center 2012 R2 and Windows Intune, the Enterprise Client Management team made significant investments in enabling enterprises to configure devices for connecting to company network resources and for managing additional PC and mobile device settings.  Companies can now easily configure profiles for connecting to corporate VPN and Wi-Fi, can deploy certificates for authentication, and can establish policy baselines for controlling and auditing how devices are configured.  These settings and profiles are managed for all device types directly by using unified device management and for mobile devices are delivered via native mobile device management protocols by using Windows Intune.

Mobile device settings

Dozens of new mobile device settings have been added to the mobile device settings flow of the Create Configuration Item Wizard.

First, the devices must be enrolled by using the Windows Intune connector, and then they are then visible from the Devices node in the Configuration Manager console, as shown in the following screenshot.

                

 You can then create a new configuration item by running the Create Configuration Manager Wizard from the console under Assets and Compliance | Compliance Settings | Configuration Items. As you can see from the following screenshots, specify the type of the configuration item to be “Mobile device” and you can then specify the settings that you want to configure.

                  

 

Finally, you can create a configuration baseline under Assets and Compliance | Compliance Settings | Configuration Baselines and add the mobile configuration item to it. The configuration baseline then needs to be deployed to the target collection to allow the policies to flow to the devices.

The list of supported settings is shown in the following table:

Compliance Settings Group

Compliance Settings

Windows 8.1

iOS 6.0

Android 4.0

Password

Require password settings on mobile devices

Not applicable

Yes

Yes

Password

Password complexity

Yes

Yes

Not applicable

Password

Idle time before mobile device is locked (minutes)

Yes

Yes

Yes

Password

Minimum password length (characters)

Yes

Yes

Yes

Password

Number of passwords remembered

Yes

Yes

Yes

Password

Password expiration in days

Yes

Yes

Yes

Password

Number of failed logon attempts before device is wiped

Yes

Yes

Yes

Password

Minimum complex characters

Yes

Yes

Not applicable

Password

Allow simple password

Not applicable

Yes

Not applicable

Password

Allow convenience logon

Yes

Not applicable

No

Password

Maximum grace period

Not applicable

Yes

No

Password

Password Quality

Not applicable

Not applicable

Yes

Device

Voice Dialing

Not applicable

Yes

Not applicable

Device

Voice Assistant

Not applicable

Yes

Not applicable

Device

Voice Assistant while Locked

Not applicable

Yes

Not applicable

Device

Screen Capture

Not applicable

Yes

Not applicable

Device

Video Conferencing

Not applicable

Yes

Not applicable

Device

Game Center

Not applicable

Yes

Not applicable

Device

Add Game Center friends

Not applicable

Yes

Not applicable

Device

Multiplayer Gaming

Not applicable

Yes

Not applicable

Device

Personal wallet software While Locked

Not applicable

Yes

Not applicable

Device

Diagnostic data Submission

Yes

Yes

Not applicable

Store

Application Store

No

Yes

Not applicable

Store

Force Application Store Password

Not applicable

Yes

Not applicable

Store

In App Purchases

Not applicable

Yes

Not applicable

Browser

Default browser

No

Yes

Not applicable

Browser

Autofill

Yes

Yes

Not applicable

Browser

Plug-ins

Yes

 

Not applicable

Browser

Active scripting

Yes

Yes

Not applicable

Browser

Pop-up Blocker

Yes

Yes

Not applicable

Browser

Fraud warning

Yes

Yes

Not applicable

Browser

Cookies

No

Yes

Not applicable

Internet Explorer

Go to intranet site for single word entry

Yes

Not applicable

Not applicable

Internet Explorer

Always send Do Not Track header

Yes

Not applicable

Not applicable

Internet Explorer

Intranet security zone

Yes

Not applicable

Not applicable

Internet Explorer

Security level for internet zone

Yes (read only)

Not applicable

Not applicable

Internet Explorer

Security level for intranet zone

Yes (read only)

Not applicable

Not applicable

Internet Explorer

Security level for trusted sites zone

Yes (read only)

Not applicable

Not applicable

Internet Explorer

Security level for restricted sites zone

Yes (read only)

Not applicable

Not applicable

Internet Explorer

Namespace exists for browser security zone

Yes

Not applicable

Not applicable

Content Rating

Adult Content in media store

Not applicable

Yes

Not applicable

Content Rating

Ratings Region

Not applicable

Yes

Not applicable

Content Rating

Movie Rating

Not applicable

Yes

Not applicable

Content Rating

TV Show Rating

Not applicable

Yes

Not applicable

Content Rating

App Rating

Not applicable

Yes

Not applicable

Cloud

Encrypted backup

Not applicable

Yes

Not applicable

Cloud

Document synchronization

No

Yes

Not applicable

Cloud

Photo synchronization

Not applicable

Yes

Not applicable

Cloud

Cloud backup

No

Yes

Not applicable

Cloud

Settings synchronization

Yes (read only)

Not applicable

Not applicable

Cloud

Credentials synchronization

Yes (read only)

Not applicable

Not applicable

Cloud

Synchronization over metered connection

Yes (read only)

Not applicable

Not applicable

Security

Removable storage

No

Not applicable

Yes

Security

Camera

No

Yes

Yes (4.1)

Security

Bluetooth

Yes (read only)

Not applicable

Not applicable

Roaming

Allow Voice Roaming

Not applicable

Yes

Not applicable

Roaming

Allow Global Background Fetch When Roaming

Not applicable

Yes

Not applicable

Roaming

Allow Data Roaming

Yes

Yes

Not applicable

Encryption

File encryption on mobile device

Yes (read only)

Not applicable

Yes

System Security

User to accept untrusted TLS certificates

Not applicable

Yes

Not applicable

System Security

User Access Control

Yes

Not applicable

Not applicable

System Security

Network Firewall

Yes (read only)

Not applicable

Not applicable

System Security

Updates

Yes

Not applicable

Not applicable

System Security

Virus Protection

Yes (read only)

Not applicable

Not applicable

System Security

Virus Protection signatures are up-to-date

Yes (read only)

Not applicable

Not applicable

System Security

SmartScreen

Yes

Not applicable

Not applicable

Windows Server Work Folders

Work Folders URL

Yes

Not applicable

Not applicable

Windows Server Work Folders

Force automatic setup

Yes

Not applicable

Not applicable

 Company Resource Access Settings

This group of settings solves the problem of deploying profiles and certificates to mobile devices and PCs that are not managed through Group Policy.  Users will receive policies containing VPN profiles that instruct the device on how to reach corporate VPN servers, and Wi-Fi profiles that will allow the device to automatically connect to corporate Wi-Fi hotspots.  Users will also receive any necessary certificates for authenticating to those networks.  All of this happens seamlessly, and avoids having users follow a series of complex instructions to setup their devices.  For the Configuration Manager desktop administrator, deploying and monitoring these profiles is just like any other configuration baseline. 

It begins with creating a new profile in the Assets and Compliance workspace of the Configuration Manager console.  We have added a new Company Resource Access section with nodes for each of the new profile types.

 

Each node will launch a wizard to create a new profile, and will walk you through groups of settings that are relevant for any of the supported platforms.  You can configure a profile once, and the relevant settings for each platform will be applied at the time of deployment.  After a new profile is created, it is ready to be deployed to user and device collections.  Note that these profiles are deployed directly, rather than being added to a configuration baseline.  Reporting and monitoring works the same as for regular configuration items and configuration baselines, and will provide visibility into the device compliance.

You also have an option to import VPN and Wi-Fi profiles in XML format for Windows devices.  Because these profiles contain fairly advanced network settings, organizations might want to grant access to network administrators to perform the configuration, so to support role-based administration, a new Resource Access security role for Network Administrators has been added to the Configuration Manager console. 

Wi-Fi Profiles

The Create Wi-Fi Profile Wizard has settings for configuring the basic network display name and SSID, as well as security and advanced settings that are available for any of the supported client platforms.  In the example below, an administrator has configured a profile to use WPA2-Enterprise with PEAP authentication.

Clicking the Configure button brings up the familiar Windows EAP control for configuring the server and client authentication methods.  This control constructs the same EAP configuration XML as the control that is used on any given Windows client, and is used to configure both Windows and Android clients.  Server and client authentication certificates for iOS are configured by using the Select buttons.

Other wizard pages expose advanced settings, such as fast roaming and proxy settings.  Wi-Fi profiles can be deployed to Windows 8.1, iOS, and Android 4.

VPN Profiles

For Windows 8.1, Microsoft partnered with numerous VPN vendors to provide in-box support for their technologies.  As part of this effort, Configuration Manager unified device management supports profile provisioning for each of these vendors as well as configuring new automatic VPN connections that automatically open whenever a user accesses a configured company application or network resource.  More information about automatic VPN connections in Windows 8.1 can be found in http://blogs.technet.com/b/configmgrteam/archive/2013/07/10/user-centric-application-management.aspx. Profiles can also be created for each of the VPN vendors supported in iOS as well as VPN standards like PPTP and LT2P, as shown in the following screenshot. 

The wizard exposes additional settings like authentication method, proxy settings and DNS-based automatic VPN.  Automatic VPN connections can be configured through the Software Library workspace and will associate the Windows Store application’s ID with the VPN profile that has been deployed to the device.

VPN profiles can be deployed to Windows 8.1 and iOS clients.

Certificates

A certificate profile can be one of two types:

  • Trusted CA certificate profile - Trusted CA certificate profiles can be used to deploy root CA certificates for establishing trust for certificates presented to a device from Wi-Fi and VPN servers.  The certificate file is included as part of the policy that is deployed to client devices, and is installed as a trusted CA certificate.
  • SCEP settings profile - This profile contains settings for enrolling for client certificates using Simple Certificate Enrollment Protocol (SCEP).  When devices receive this profile they will have all the necessary instructions for which Registration Authority server to contact, and which certificate properties should be used.  More information about SCEP support is in the next section.

Simple Certificate Enrollment Protocol

Simple Certificate Enrollment Protocol (SCEP) was adopted by Apple iOS as a means to deliver certificates to iPhones and iPads for client authentication.  Configuration Manager now supports certificate enrollment through SCEP, and has collaborated with partner Microsoft teams to expand client support to Windows 8.1 and to provide a secure means of generating and validating SCEP challenges.  Issuing certificates via certificate profiles requires integration with an enterprise Public Key Infrastructure through the Network Device Enrollment Service (NDES) role in Windows Server 2012 R2, and involves installing a policy module that integrates with Configuration Manager to validate SCEP challenges against the originally deployed properties to ensure its integrity. 

Certificates can be issued via certificate profiles to Windows 8.1, iOS and Android 4.0 clients.

Summary

We’ve taken a look at some of the new features in System Center 2012 R2 Configuration Manager that help you to manage devices and enable seamless and secured access to company resources. For more information, see the following documentation on TechNet:


-- Heena Macwan and Chris Green

To see all of the posts in this series, check out the What’s New in Windows Server & System Center 2012 R2 archive.

This posting is provided "AS IS" with no warranties and confers no rights.

 

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • What about protecting users data from corporate spying when the user has their own device?  What information/data can be captured?  It's interesting that functionality can be disabled without the users knowledge or permission in the case of BYOD.

  • Hello, Is there any way to enable VPN profiles for Windows 7? [At least] 95% of enterprise machines still use Win 7 or even XP. Thanks