The official blog of the Microsoft System Center Configuration Manager Product Group
This post is a part of the nine-part “What’s New in Windows Server & System Center 2012 R2” series that is featured on Brad Anderson’s In the Cloud blog. Today’s blog post covers how System Center 2012 R2 Configuration Manager and Windows Intune allows and administrator to provide VPN, WiFi profiles, and Certificates to permit users to connect to company resources and how it applies to Brad’s larger topic of “People-centric IT.” To read that post and see the other technologies discussed, read today’s post: “Making Device Users Productive and Protecting Corporate Information.”
As part of the People-centric IT pillar of System Center 2012 R2 and Windows Intune, the Enterprise Client Management team made significant investments in enabling enterprises to configure devices for connecting to company network resources and for managing additional PC and mobile device settings. Companies can now easily configure profiles for connecting to corporate VPN and Wi-Fi, can deploy certificates for authentication, and can establish policy baselines for controlling and auditing how devices are configured. These settings and profiles are managed for all device types directly by using unified device management and for mobile devices are delivered via native mobile device management protocols by using Windows Intune.
Dozens of new mobile device settings have been added to the mobile device settings flow of the Create Configuration Item Wizard.
First, the devices must be enrolled by using the Windows Intune connector, and then they are then visible from the Devices node in the Configuration Manager console, as shown in the following screenshot.
You can then create a new configuration item by running the Create Configuration Manager Wizard from the console under Assets and Compliance | Compliance Settings | Configuration Items. As you can see from the following screenshots, specify the type of the configuration item to be “Mobile device” and you can then specify the settings that you want to configure.
Finally, you can create a configuration baseline under Assets and Compliance | Compliance Settings | Configuration Baselines and add the mobile configuration item to it. The configuration baseline then needs to be deployed to the target collection to allow the policies to flow to the devices.
The list of supported settings is shown in the following table:
Compliance Settings Group
Require password settings on mobile devices
Idle time before mobile device is locked (minutes)
Minimum password length (characters)
Number of passwords remembered
Password expiration in days
Number of failed logon attempts before device is wiped
Minimum complex characters
Allow simple password
Allow convenience logon
Maximum grace period
Voice Assistant while Locked
Add Game Center friends
Personal wallet software While Locked
Diagnostic data Submission
Force Application Store Password
In App Purchases
Go to intranet site for single word entry
Always send Do Not Track header
Intranet security zone
Security level for internet zone
Yes (read only)
Security level for intranet zone
Security level for trusted sites zone
Security level for restricted sites zone
Namespace exists for browser security zone
Adult Content in media store
TV Show Rating
Synchronization over metered connection
Allow Voice Roaming
Allow Global Background Fetch When Roaming
Allow Data Roaming
File encryption on mobile device
User to accept untrusted TLS certificates
User Access Control
Virus Protection signatures are up-to-date
Windows Server Work Folders
Work Folders URL
Force automatic setup
This group of settings solves the problem of deploying profiles and certificates to mobile devices and PCs that are not managed through Group Policy. Users will receive policies containing VPN profiles that instruct the device on how to reach corporate VPN servers, and Wi-Fi profiles that will allow the device to automatically connect to corporate Wi-Fi hotspots. Users will also receive any necessary certificates for authenticating to those networks. All of this happens seamlessly, and avoids having users follow a series of complex instructions to setup their devices. For the Configuration Manager desktop administrator, deploying and monitoring these profiles is just like any other configuration baseline.
It begins with creating a new profile in the Assets and Compliance workspace of the Configuration Manager console. We have added a new Company Resource Access section with nodes for each of the new profile types.
Each node will launch a wizard to create a new profile, and will walk you through groups of settings that are relevant for any of the supported platforms. You can configure a profile once, and the relevant settings for each platform will be applied at the time of deployment. After a new profile is created, it is ready to be deployed to user and device collections. Note that these profiles are deployed directly, rather than being added to a configuration baseline. Reporting and monitoring works the same as for regular configuration items and configuration baselines, and will provide visibility into the device compliance.
You also have an option to import VPN and Wi-Fi profiles in XML format for Windows devices. Because these profiles contain fairly advanced network settings, organizations might want to grant access to network administrators to perform the configuration, so to support role-based administration, a new Resource Access security role for Network Administrators has been added to the Configuration Manager console.
The Create Wi-Fi Profile Wizard has settings for configuring the basic network display name and SSID, as well as security and advanced settings that are available for any of the supported client platforms. In the example below, an administrator has configured a profile to use WPA2-Enterprise with PEAP authentication.
Clicking the Configure button brings up the familiar Windows EAP control for configuring the server and client authentication methods. This control constructs the same EAP configuration XML as the control that is used on any given Windows client, and is used to configure both Windows and Android clients. Server and client authentication certificates for iOS are configured by using the Select buttons.
Other wizard pages expose advanced settings, such as fast roaming and proxy settings. Wi-Fi profiles can be deployed to Windows 8.1, iOS, and Android 4.
For Windows 8.1, Microsoft partnered with numerous VPN vendors to provide in-box support for their technologies. As part of this effort, Configuration Manager unified device management supports profile provisioning for each of these vendors as well as configuring new automatic VPN connections that automatically open whenever a user accesses a configured company application or network resource. More information about automatic VPN connections in Windows 8.1 can be found in http://blogs.technet.com/b/configmgrteam/archive/2013/07/10/user-centric-application-management.aspx. Profiles can also be created for each of the VPN vendors supported in iOS as well as VPN standards like PPTP and LT2P, as shown in the following screenshot.
The wizard exposes additional settings like authentication method, proxy settings and DNS-based automatic VPN. Automatic VPN connections can be configured through the Software Library workspace and will associate the Windows Store application’s ID with the VPN profile that has been deployed to the device.
VPN profiles can be deployed to Windows 8.1 and iOS clients.
A certificate profile can be one of two types:
Simple Certificate Enrollment Protocol
Simple Certificate Enrollment Protocol (SCEP) was adopted by Apple iOS as a means to deliver certificates to iPhones and iPads for client authentication. Configuration Manager now supports certificate enrollment through SCEP, and has collaborated with partner Microsoft teams to expand client support to Windows 8.1 and to provide a secure means of generating and validating SCEP challenges. Issuing certificates via certificate profiles requires integration with an enterprise Public Key Infrastructure through the Network Device Enrollment Service (NDES) role in Windows Server 2012 R2, and involves installing a policy module that integrates with Configuration Manager to validate SCEP challenges against the originally deployed properties to ensure its integrity.
Certificates can be issued via certificate profiles to Windows 8.1, iOS and Android 4.0 clients.
We’ve taken a look at some of the new features in System Center 2012 R2 Configuration Manager that help you to manage devices and enable seamless and secured access to company resources. For more information, see the following documentation on TechNet:
-- Heena Macwan and Chris Green
To see all of the posts in this series, check out the What’s New in Windows Server & System Center 2012 R2 archive.
This posting is provided "AS IS" with no warranties and confers no rights.
What about protecting users data from corporate spying when the user has their own device? What information/data can be captured? It's interesting that functionality can be disabled without the users knowledge or permission in the case of BYOD.