System Center in Action

Discover System Center best practices and real-world experience in action. You’ll find collective experiences of a team that designs, operates, and showcases industry-standard, production implementations of System Center client and server management soluti

Configuration Manager 2012 Exchange Connector Implementation in Microsoft IT

Configuration Manager 2012 Exchange Connector Implementation in Microsoft IT

  • Comments 1
  • Likes

Hi all, I am Karthik Jayavel and I work in MPSD on Settings Management (Desired Configuration Management), Power Management and Mobile Device Management. In this blog entry we are going to walk through the implementation of Exchange Connector feature. Before System Center Configuration Manager (Configuration Manager) 2012, Microsoft IT did not manage mobile devices using Configuration Manager. With the addition of light management feature for mobile devices in Configuration Manager 2012, we now have the ability to manage mobile phones that are connected to the Exchange server using Active Sync.  In addition, enhancements to the traditional mobile device management feature enable Microsoft IT to start managing Windows Phone 6.1 and 6.5 devices.

 For those who are new to this feature in Configuration Manager 2012, here is quick run-down on Mobile Device management feature.

 Mobile device management provides the ability to collect basic inventory data on cell phones and few additional management options. Based on the compatibility, these are mainly broken down into to two management roles.

 Mobile device legacy client Management– Devices will be enrolled with Configuration Manager and an agent on the device will be used to manage devices for inventory collection, configure corporate policies using Desired Configuration Management and to distribute applications through software distribution. This requires PKI certificate on the mobile devices and also needs management points and distribution points to manage mobiles.

 Exchange Server connector – This option enables management of devices with all Exchange driven actions such as:

  1. Inventory collection
  2. Remote wipe
  3. Quarantine or block the device
  4. Change or manage Exchange ActiveSync mailbox policies

Now what is this Exchange Connector? Well, in its simplest form Exchange connector establishes the data feed between Configuration Manager and Exchange and extract the mobile device details from Exchange in to Configuration Manager Database. This data comes to the server as discovery record. Exchange Connector configuration is pretty simple; all that is required is a service account and the Exchange server name. To achieve this we use a service acct that has necessary rights to an exchange server to discover basic asset management information from devices connected to it.

The level of access at exchange server defines enablement of certain features. For example ‘Write’ access on exchange is required to set mobile policies or trigger ‘Device Wipe’ through Exchange. Device Wipe, as the name indicates, resets the phone in case if it is lost and if administrator chooses to do from Configuration Manager Console.Since most of all cell phones in Microsoft are owned by individuals, we have currently enabled only a READ ACCESS to exchange server and is used only for inventory reporting purposes.

Configuration Manager 2012 has a built-in wizard for Exchange Connector which allowed us to easily setup the connection to one Exchange server for discovery. The wizard also provides settings for discovery frequency and policies to manage. We have configured discovery at a primary site level. Due to global data replication, mobile discovery data is available across all sites in the hierarchy.

Here’s a screen shot of our configurations:

 

The settings used for device discovery in Microsoft are:

  • Separate service account for connection than site server computer account
  • Full discovery every 30 days
  • Delta discovery every 7 days
  • Used default Mobile settings configured in Exchange

 

 Around 125,000 mobile devices were discovered in 4 hours’ time in Microsoft IT during the initial full discovery. All discovered mobile devices were added to system discovery SQL table. One of the immediate challenge an administrator faces needs to handle after onboarding this service is to separate these mobile devices from bloating the machine count. We do filter mobile devices from our deployment collections and compliance reports. Mobile devices discovered from Exchange can be identified by “EAS_DeviceID”. 

EAS (Exchange Active Sync) device ID is a unique identifier assigned and stored in Exchange when Active Sync is used for connection. System based collections should be created with the filter “EAS_DeviceID is not null” to remove mobile phones.

Here is a sample of the collection builder to filter mobile devices:

 

The Exchange connector feature also comes with out-of-box SRS reports and one of the important reports is devices count by platform. This report shows the count of different device platforms in a graphical view along with the percentage.

Exchange Connector based mobile device management has provided a greater visibility to Microsoft IT on the count of mobile devices using Exchange and also their model and type. The rich reporting that comes out of the box has only paved way to a more structured representation of this data but also in getting rid of some of the old legacy/scripted solution that was in place.  Our stakeholders and partners in Microsoft IT truly appreciate the richness of these out of box reports coming through one authorized source which they are accustomed to.

Thanks for reading about how we implemented Exchange connector and how we manage mobile devices. Let us know your feedback and any other topics to share by our Configuration Manager client management team through this blog.

 

Comments
  • Quick question, If I have configured read only as you have, but an administrator tries to send a device block, this request appears to get stuck in retry as it doesnt have permissions to execute. How do I now clear this from retry?

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment