
In this article by Martyn Coupland, author of the book, Microsoft System Center Configuration Manager Advanced Deployments, we will explore some of these options and look at how they can help you manage mobility in your workforce. We’ll cover the following topics:

  • Deploying company resource profiles
  • Managing roaming devices
  • Integrating the Microsoft Exchange connector
  • Using Windows Intune


Deploying company resource profiles

One of the improvements that shipped with the R2 release of Configuration Manager 2012 was the ability to deploy company resources such as Wi-Fi profiles, certificates, and VPN profiles. This functionality really opened up the management story for organizations that already have a large take-up of bring your own device or that have mobility in their long-term strategy.

You do not need Windows Intune to deploy company resource profiles.

The company resource profiles are really useful in extending some of the services that you provide to domain-based clients using Group Policy. Some examples of this include deploying VPN and Wi-Fi profiles to domain clients using Group Policy preferences.

As you cannot apply Group Policy to non-domain-joined devices, it becomes really useful to manage and deploy these settings via Configuration Manager.

Another great use case for company resource profiles is deploying certificates. Configuration Manager includes the functionality to allow managed clients to have certificates enrolled to them. This can include those resources that rarely or never contact the domain. This scenario is becoming more common, so it is important that we have the capability to deploy these settings to users without relying on the domain.

Managing Wi-Fi profiles with Configuration Manager

The deployment of Wi-Fi profiles in Configuration Manager is very similar to that of a manual setup. The wizard provides you with the same options that you would expect to see should you configure the network manually within Windows.

You can also configure a number of security settings, such as certificates for clients and server authentication. You can configure the following device types with Wi-Fi profiles:

  • Windows 8.1 32-bit
  • Windows 8.1 64-bit
  • Windows RT 8.1
  • Windows Phone 8.1
  • iOS 5, iOS 6, and iOS 7
  • Android devices that run Version 4

Configuring a Wi-Fi network profile in Configuration Manager is a simple process that is wizard-driven. First, in the Assets and Compliance workspace, expand Compliance Settings and Company Resource Access, and then click on Wi-Fi Profiles. Right-click on the node and select Create Wi-Fi Profile, or select this option from the home tab on the ribbon.


On the general page of the wizard, provide a name for the profile. If required, you can add a description here as well. If you have exported the settings from a Windows 8.1 device, you can import them here as well.


Click on Next. On the Wi-Fi Profile page, you need to provide information about the network you want to connect to. Network Name is what is displayed on the users' devices, so it should be friendly for them. You also need to enter the SSID of the network; make sure this is entered correctly, as clients will use it to attempt to connect to the network.

You can also specify other settings here, as you can in Windows, such as whether clients should connect even if the network is not broadcasting, or automatically whenever the network is in range. Click on Next to continue to the security configuration page.


Depending on the security, encryption, and Extensible Authentication Protocol (EAP) settings that you select, some items on this page of the wizard might not be available. As shown in the previous screenshot, the settings you configure here replicate those that you can configure in Windows when manually connecting to the network.


On the Advanced Settings page of Create Wi-Fi Profile Wizard, specify any additional settings for the Wi-Fi profile. This can be the authentication mode, single sign-on options, and Federal Information Processing Standards (FIPS) compliance.

If you require any proxy settings, you can also configure these on the next page as well as providing information on which platforms should process this profile. When the profile has been created, you can then right-click on the profile to deploy it to a collection.
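As an added example that is not part of the book, the following PowerShell script exports an existing profile from a reference Windows 8.1 device with netsh and checks its security settings before you import the XML into the Create Wi-Fi Profile Wizard; the profile name CorpNet is an assumption.

```powershell
# Added example, not from the book. Exports the Wi-Fi profile named $ProfileName
# (an assumed name) from the local Windows 8.1 device and flags weak settings
# before the XML is imported into the Create Wi-Fi Profile Wizard.
$ProfileName = 'CorpNet'
$ExportDir   = Join-Path $env:TEMP 'wlan-export'
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# Export without key=clear: an 802.1X profile carries no pre-shared key, and a
# PSK profile should never be written in clear text to a shared folder.
netsh wlan export profile name="$ProfileName" folder="$ExportDir" | Out-Null
$XmlFile = Get-ChildItem -Path $ExportDir -Filter '*.xml' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $XmlFile) { throw "Profile '$ProfileName' was not exported." }

[xml]$Profile = Get-Content -Path $XmlFile.FullName
$ns = New-Object System.Xml.XmlNamespaceManager($Profile.NameTable)
$ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')
$auth = $Profile.SelectSingleNode('//w:authEncryption/w:authentication', $ns).InnerText
$enc  = $Profile.SelectSingleNode('//w:authEncryption/w:encryption', $ns).InnerText
$oneX = $Profile.SelectSingleNode('//w:authEncryption/w:useOneX', $ns).InnerText
# EAP settings use their own namespaces, so match those elements by local name.
$noPrompt  = $Profile.SelectSingleNode("//*[local-name()='DisableUserPromptForServerValidation']")
$trustedCA = $Profile.SelectSingleNode("//*[local-name()='TrustedRootCA']")

$findings = @()
if ($auth -notin @('WPA2', 'WPA2PSK')) { $findings += "Authentication is '$auth'; expected WPA2 or WPA2PSK." }
if ($enc -ne 'AES') { $findings += "Encryption is '$enc'; expected AES." }
if ($auth -eq 'WPA2' -and $oneX -ne 'true') { $findings += 'WPA2 enterprise profile without 802.1X.' }
if ($oneX -eq 'true') {
    if ($noPrompt.InnerText -ne 'true') {
        $findings += 'Users may be prompted to accept an unknown RADIUS server certificate.'
    }
    if (-not $trustedCA -or [string]::IsNullOrWhiteSpace($trustedCA.InnerText)) {
        $findings += 'No TrustedRootCA pinned for server certificate validation.'
    }
}
if ($findings.Count -eq 0) { "OK: $($XmlFile.FullName) is ready to import." }
else { "Review before importing $($XmlFile.FullName):"; $findings | ForEach-Object { " - $_" } }
```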

Managing certificates with Configuration Manager

Deploying a certificate profile in Configuration Manager is actually a little quicker than creating a Wi-Fi profile. However, before you move on to deploying a certificate, you need some prerequisites in your environment.

First, you need to deploy the Network Device Enrollment Service (NDES), which is part of the Certificate Services functionality in Windows Server. You can find guidance on deploying NDES in the Active Directory TechNet library at http://bit.ly/1kjpgxD.

You must then install and configure at least one certificate registration point in the Configuration Manager hierarchy, and you can install this site system role in the central administration site or in a primary site.


In the preceding screenshot, you can see the wizard page used to configure the certificate registration point in Configuration Manager. For the URL, enter the address in the https://<FQDN>/certsrv/mscep/mscep.dll format, where <FQDN> is the server that runs NDES. For the root certificate, browse for the certificate file of your certificate authority. If you are already using PKI certificates in Configuration Manager, this is the same certificate that you imported on the Client Communication tab in Site Settings.

When NDES is configured, log on to the server that runs NDES as a domain administrator and copy the following files from the <ConfigMgrInstallationMedia>\SMSSETUP\POLICYMODULE\X64 folder on the Configuration Manager installation media to a folder on that server:

  • PolicyModule.msi
  • PolicyModuleSetup.exe

On the Certificate Registration Point page, specify the URL of the certificate registration point and the virtual application name. The default virtual application name is CMCertificateRegistration. For example, if the site system server has an FQDN of scep1.contoso.com and you used the default virtual application name, specify https://scep1.contoso.com/CMCertificateRegistration.
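As an added check that is not part of the book, this PowerShell script asks the NDES URL entered in the registration point configuration for its CA certificate via the SCEP GetCACert operation and confirms that the root certificate file you browsed for actually anchors the CA that NDES enrolls against; the URL, the certificate file path and the GetCACert message value are assumptions.

```powershell
# Added example, not from the book. Verifies that the NDES URL entered in the
# certificate registration point wizard answers SCEP and that the selected root
# certificate file anchors the CA that NDES enrolls against. Values are assumed.
Add-Type -AssemblyName System.Security
$ScepUrl      = 'https://ndes.contoso.com/certsrv/mscep/mscep.dll'
$RootCertPath = 'C:\Certs\ContosoRootCA.cer'

if ($ScepUrl -notmatch '^https://') { throw 'The NDES URL must use HTTPS.' }
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCertPath)
if ($root.Subject -ne $root.Issuer) { Write-Warning "'$($root.Subject)' is not self-signed, so it is not a root CA." }

# SCEP GetCACert (RFC 8894): NDES answers with a degenerate PKCS#7 that holds the
# CA and RA certificates, or a bare DER certificate when there is only one.
$tmp = Join-Path $env:TEMP 'scep-ca.bin'
Invoke-WebRequest -Uri "$ScepUrl?operation=GetCACert&message=ca" -OutFile $tmp -UseBasicParsing
$bytes = [System.IO.File]::ReadAllBytes($tmp)
$cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
try   { $cms.Decode($bytes); $certs = @($cms.Certificates) }
catch { $certs = @(New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)) }

# Build a chain for each returned certificate with the selected root in the extra
# store and check that the chain ends at that root's thumbprint (not merely at a
# cert with the same name). Revocation is skipped because only the anchor matters here.
$anchored = $false
foreach ($cert in $certs) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.Build($cert) | Out-Null
    $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "{0,-60} chain root: {1}" -f $cert.Subject, $last.Subject
    if ($last.Thumbprint -eq $root.Thumbprint) { $anchored = $true }
}
Remove-Item $tmp -ErrorAction SilentlyContinue
if ($anchored) { "OK: $ScepUrl chains to $($root.Subject)." }
else { Write-Warning "No certificate returned by NDES chains to $RootCertPath; check the root you selected." }
```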

Creating certificate profiles

Click on Certificate Profiles in the Assets and Compliance workspace under the Compliance Settings folder.


On the General page, provide the name and description of the profile, and then provide information about the type of certificate that you want to deploy. Select the trusted CA certificate profile type if you want to deploy a trusted root certification authority (CA) or intermediate CA certificate; for example, you might want to deploy your own internal CA certificate to workgroup devices managed by Configuration Manager.

Select the SCEP certificate profile type if you want to request a certificate for a user or device using the Simple Certificate Enrollment Protocol and the Network Device Enrollment Service role service.

You will be presented with different settings depending on the option that you select. If you select SCEP, you will be asked about the number of retries and the TPM key storage settings. You can find specific information about each of the settings in the TechNet library at http://bit.ly/1n5CtZF.

Configuring a trusted CA certificate is much simpler; provide the certificate settings and the destination store, as shown in the following screenshot:


When you have finished configuring information on your certificate profile, select the supported platforms for the profile and continue through the wizard to create the profile. When it has been created, you can right-click on the profile to deploy it to a collection.

Managing VPN profiles with Configuration Manager

At a high level, the process to create VPN profiles is the same as creating Wi-Fi profiles, and no prerequisites such as deploying certificates are required. Click on VPN Profiles in the Assets and Compliance workspace under the Compliance Settings folder. Create a new VPN profile, and on the initial screen, provide basic information about the profile.

The following table provides an overview of which profiles are supported on which device:

Connection type                 iOS   Windows 8.1   Windows RT   Windows RT 8.1   Windows Phone 8.1
Cisco AnyConnect                Yes   No            No           No               No
Juniper Pulse                   Yes   Yes           No           Yes              Yes
F5 Edge Client                  Yes   Yes           No           Yes              Yes
Dell SonicWALL Mobile Connect   Yes   Yes           No           Yes              Yes
Check Point Mobile VPN          Yes   Yes           No           Yes              Yes
Microsoft SSL (SSTP)            No    Yes           Yes          Yes              No
Microsoft Automatic             No    Yes           Yes          Yes              No
IKEv2                           No    Yes           Yes          Yes              Yes
PPTP                            Yes   Yes           Yes          Yes              No
L2TP                            Yes   Yes           Yes          Yes              No

Specific options will be required, depending on which connection type you choose from the drop-down list. Ensure that these settings are specified, and then move on to the authentication method for the profile.


If you require proxy settings with your VPN profile, then specify these settings on the Proxy Settings page of the wizard. See the following screenshot for an example of this screen:


Continue through the wizard and select the supported platforms for the profile. When the profile is created, you can right-click on it and select Deploy.

Managing Internet-based devices

We have already looked at deploying certain company resources to clients with which we have very little connectivity on a regular basis. We can also use Configuration Manager to manage these devices over the Internet, just like domain-based clients.

This scenario works really well when the clients do not use VPN or DirectAccess, or maybe when we do not deploy a remote access solution for our remote users. This is where we can use Configuration Manager to manage clients using Internet-based client management (IBCM).

How Internet-based client management works

We can manage Internet-based clients in Configuration Manager by deploying certain site system roles in a DMZ. By doing this, we make the management point, distribution point, and software update point Internet-facing and configure clients to connect to these roles while they are on the Internet.

With these measures in place, we now have the ability to manage clients that are on the Internet, extending our management capabilities.

Functionality in Internet-based client management

In general, functionality is not supported for Internet-based client management when it relies on network behaviour that is not appropriate on a public network, or on some kind of communication with Active Directory. The following is not supported for Internet-based clients:

  • Client push and software-update-based client deployment
  • Automatic site assignment
  • Network access protection
  • Wake-On-LAN
  • Operating system deployment
  • Remote control
  • Out-of-band management

Software distribution for users is only supported when the Internet-based management point can authenticate the user in Active Directory using Windows authentication.

Requirements for Internet-based client management

In terms of requirements, the list is fairly short but depending on your current setup, this might take a while to set up. The first seems fairly obvious, but any site system server or client must have Internet connectivity. This might mean some firewall configuration, depending on your configuration.

A public key infrastructure (PKI) is also required. It must be able to deploy and manage certificates to clients that are on the Internet and site systems that are Internet-based. This does not mean deploying certificates over the public Internet.

The following information can help you plan and deploy Internet-based client management in your environment:

Using Internet-based client management

As the administrator, you have no additional concerns and requirements in terms of how you manage your clients when they are based on the Internet and are reporting to an Internet-facing management point.

When you are administering clients that are Internet-based, the only visible difference is that they report to the Internet-facing management point and that the features listed earlier do not work.

The icon for the client in the list of devices does not change; this is one of the reasons the functionality is so powerful, as it gives you many of the management capabilities you already use for on-premises devices.

Many people implement DirectAccess to avoid setting up additional Configuration Manager infrastructure and provisioning certificates. DirectAccess with the Manage Out functionality is a viable alternative.
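Added example, not from the book: a PowerShell check to run on a managed client that reports whether the Configuration Manager client currently considers itself Internet-based, which management point it is using, and whether it holds a client authentication certificate with a private key, which Internet-based client management relies on. It reads the root\ccm WMI classes ClientInfo and SMS_Authority and assumes the client is installed.

```powershell
# Added example, not from the book. Run on a managed client to see whether the
# Configuration Manager client currently considers itself Internet-based, which
# management point it is talking to, and whether it holds the PKI client
# authentication certificate that IBCM requires.
$info = Get-WmiObject -Namespace 'root\ccm' -Class ClientInfo
$auth = Get-WmiObject -Namespace 'root\ccm' -Class SMS_Authority
"Assigned site (SMS:<code>) : $($auth.Name)"
"Current management point    : $($auth.CurrentManagementPoint)"
"Client on Internet          : $($info.InInternet)"

# IBCM needs a client authentication certificate with a private key in the
# computer store; list candidates and show whether each chains to a trusted root.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq $clientAuthOid })
}
if (-not $candidates) { Write-Warning 'No client authentication certificate with a private key was found.' }
foreach ($cert in $candidates) {
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)          # $false if the chain is untrusted or revoked
    $days    = ($cert.NotAfter - (Get-Date)).Days
    "{0,-45} expires in {1,4} days  trusted chain: {2}" -f $cert.Subject, $days, $trusted
}
```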

Summary

In this article, we explored a number of ways in which you can manage the growing popularity of bring your own device and also looked at how to manage mobility in your user estate. We explored the deployment of profiles that contain settings for Wi-Fi and VPN on Windows and other devices, as well as deploying certificates via Configuration Manager.
