First published on CloudBlogs on Jul, 10 2013
This post is a part of the nine-part “ What’s New in Windows Server & System Center 2012 R2 ” series that is featured on Brad Anderson’s In the Cloud blog. Today’s blog post covers how System Center 2012 R2 Configuration Manager and Windows Intune allows and administrator to provide VPN, WiFi profiles, and Certificates to permit users to connect to company resources and how it applies to Brad’s larger topic of “People-centric IT.” To read that post and see the other technologies discussed, read today’s post: “ Making Device Users Productive and Protecting Corporate Information .”
As part of the People-centric IT pillar of System Center 2012 R2 and Windows Intune, the Enterprise Client Management team made significant investments in enabling enterprises to configure devices for connecting to company network resources and for managing additional PC and mobile device settings. Companies can now easily configure profiles for connecting to corporate VPN and Wi-Fi, can deploy certificates for authentication, and can establish policy baselines for controlling and auditing how devices are configured. These settings and profiles are managed for all device types directly by using unified device management and for mobile devices are delivered via native mobile device management protocols by using Windows Intune.
Mobile device settings
Dozens of new mobile device settings have been added to the mobile device settings flow of the Create Configuration Item Wizard.
First, the devices must be enrolled by using the Windows Intune connector, and then they are then visible from the Devices node in the Configuration Manager console, as shown in the following screenshot.
You can then create a new configuration item by running the Create Configuration Manager Wizard from the console under Assets and Compliance | Compliance Settings | Configuration Items. As you can see from the following screenshots, specify the type of the configuration item to be “Mobile device” and you can then specify the settings that you want to configure.
Finally, you can create a configuration baseline under Assets and Compliance | Compliance Settings | Configuration Baselines and add the mobile configuration item to it. The configuration baseline then needs to be deployed to the target collection to allow the policies to flow to the devices.
The list of supported settings is shown in the following table:
Compliance Settings Group |
Compliance Settings |
Windows 8.1 |
iOS 6.0 |
Android 4.0 |
Password |
Require password settings on mobile devices |
Not applicable |
Yes |
Yes |
Password |
Password complexity |
Yes |
Yes |
Not applicable |
Password |
Idle time before mobile device is locked (minutes) |
Yes |
Yes |
Yes |
Password |
Minimum password length (characters) |
Yes |
Yes |
Yes |
Password |
Number of passwords remembered |
Yes |
Yes |
Yes |
Password |
Password expiration in days |
Yes |
Yes |
Yes |
Password |
Number of failed logon attempts before device is wiped |
Yes |
Yes |
Yes |
Password |
Minimum complex characters |
Yes |
Yes |
Not applicable |
Password |
Allow simple password |
Not applicable |
Yes |
Not applicable |
Password |
Allow convenience logon |
Yes |
Not applicable |
No |
Password |
Maximum grace period |
Not applicable |
Yes |
No |
Password |
Password Quality |
Not applicable |
Not applicable |
Yes |
Device |
Voice Dialing |
Not applicable |
Yes |
Not applicable |
Device |
Voice Assistant |
Not applicable |
Yes |
Not applicable |
Device |
Voice Assistant while Locked |
Not applicable |
Yes |
Not applicable |
Device |
Screen Capture |
Not applicable |
Yes |
Not applicable |
Device |
Video Conferencing |
Not applicable |
Yes |
Not applicable |
Device |
Game Center |
Not applicable |
Yes |
Not applicable |
Device |
Add Game Center friends |
Not applicable |
Yes |
Not applicable |
Device |
Multiplayer Gaming |
Not applicable |
Yes |
Not applicable |
Device |
Personal wallet software While Locked |
Not applicable |
Yes |
Not applicable |
Device |
Diagnostic data Submission |
Yes |
Yes |
Not applicable |
Store |
Application Store |
No |
Yes |
Not applicable |
Store |
Force Application Store Password |
Not applicable |
Yes |
Not applicable |
Store |
In App Purchases |
Not applicable |
Yes |
Not applicable |
Browser |
Default browser |
No |
Yes |
Not applicable |
Browser |
Autofill |
Yes |
Yes |
Not applicable |
Browser |
Plug-ins |
Yes |
|
Not applicable |
Browser |
Active scripting |
Yes |
Yes |
Not applicable |
Browser |
Pop-up Blocker |
Yes |
Yes |
Not applicable |
Browser |
Fraud warning |
Yes |
Yes |
Not applicable |
Browser |
Cookies |
No |
Yes |
Not applicable |
Internet Explorer |
Go to intranet site for single word entry |
Yes |
Not applicable |
Not applicable |
Internet Explorer |
Always send Do Not Track header |
Yes |
Not applicable |
Not applicable |
Internet Explorer |
Intranet security zone |
Yes |
Not applicable |
Not applicable |
Internet Explorer |
Security level for internet zone |
Yes (read only) |
Not applicable |
Not applicable |
Internet Explorer |
Security level for intranet zone |
Yes (read only) |
Not applicable |
Not applicable |
Internet Explorer |
Security level for trusted sites zone |
Yes (read only) |
Not applicable |
Not applicable |
Internet Explorer |
Security level for restricted sites zone |
Yes (read only) |
Not applicable |
Not applicable |
Internet Explorer |
Namespace exists for browser security zone |
Yes |
Not applicable |
Not applicable |
Content Rating |
Adult Content in media store |
Not applicable |
Yes |
Not applicable |
Content Rating |
Ratings Region |
Not applicable |
Yes |
Not applicable |
Content Rating |
Movie Rating |
Not applicable |
Yes |
Not applicable |
Content Rating |
TV Show Rating |
Not applicable |
Yes |
Not applicable |
Content Rating |
App Rating |
Not applicable |
Yes |
Not applicable |
Cloud |
Encrypted backup |
Not applicable |
Yes |
Not applicable |
Cloud |
Document synchronization |
No |
Yes |
Not applicable |
Cloud |
Photo synchronization |
Not applicable |
Yes |
Not applicable |
Cloud |
Cloud backup |
No |
Yes |
Not applicable |
Cloud |
Settings synchronization |
Yes (read only) |
Not applicable |
Not applicable |
Cloud |
Credentials synchronization |
Yes (read only) |
Not applicable |
Not applicable |
Cloud |
Synchronization over metered connection |
Yes (read only) |
Not applicable |
Not applicable |
Security |
Removable storage |
No |
Not applicable |
Yes |
Security |
Camera |
No |
Yes |
Yes (4.1) |
Security |
Bluetooth |
Yes (read only) |
Not applicable |
Not applicable |
Roaming |
Allow Voice Roaming |
Not applicable |
Yes |
Not applicable |
Roaming |
Allow Global Background Fetch When Roaming |
Not applicable |
Yes |
Not applicable |
Roaming |
Allow Data Roaming |
Yes |
Yes |
Not applicable |
Encryption |
File encryption on mobile device |
Yes (read only) |
Not applicable |
Yes |
System Security |
User to accept untrusted TLS certificates |
Not applicable |
Yes |
Not applicable |
System Security |
User Access Control |
Yes |
Not applicable |
Not applicable |
System Security |
Network Firewall |
Yes (read only) |
Not applicable |
Not applicable |
System Security |
Updates |
Yes |
Not applicable |
Not applicable |
System Security |
Virus Protection |
Yes (read only) |
Not applicable |
Not applicable |
System Security |
Virus Protection signatures are up-to-date |
Yes (read only) |
Not applicable |
Not applicable |
System Security |
SmartScreen |
Yes |
Not applicable |
Not applicable |
Windows Server Work Folders |
Work Folders URL |
Yes |
Not applicable |
Not applicable |
Windows Server Work Folders |
Force automatic setup |
Yes |
Not applicable |
Not applicable |
Company Resource Access Settings
This group of settings solves the problem of deploying profiles and certificates to mobile devices and PCs that are not managed through Group Policy. Users will receive policies containing VPN profiles that instruct the device on how to reach corporate VPN servers, and Wi-Fi profiles that will allow the device to automatically connect to corporate Wi-Fi hotspots. Users will also receive any necessary certificates for authenticating to those networks. All of this happens seamlessly, and avoids having users follow a series of complex instructions to setup their devices. For the Configuration Manager desktop administrator, deploying and monitoring these profiles is just like any other configuration baseline.
It begins with creating a new profile in the Assets and Compliance workspace of the Configuration Manager console. We have added a new Company Resource Access section with nodes for each of the new profile types.
Each node will launch a wizard to create a new profile, and will walk you through groups of settings that are relevant for any of the supported platforms. You can configure a profile once, and the relevant settings for each platform will be applied at the time of deployment. After a new profile is created, it is ready to be deployed to user and device collections. Note that these profiles are deployed directly, rather than being added to a configuration baseline. Reporting and monitoring works the same as for regular configuration items and configuration baselines, and will provide visibility into the device compliance.
You also have an option to import VPN and Wi-Fi profiles in XML format for Windows devices. Because these profiles contain fairly advanced network settings, organizations might want to grant access to network administrators to perform the configuration, so to support role-based administration, a new Resource Access security role for Network Administrators has been added to the Configuration Manager console.
Wi-Fi Profiles
The Create Wi-Fi Profile Wizard has settings for configuring the basic network display name and SSID, as well as security and advanced settings that are available for any of the supported client platforms. In the example below, an administrator has configured a profile to use WPA2-Enterprise with PEAP authentication.
Clicking the Configure button brings up the familiar Windows EAP control for configuring the server and client authentication methods. This control constructs the same EAP configuration XML as the control that is used on any given Windows client, and is used to configure both Windows and Android clients. Server and client authentication certificates for iOS are configured by using the Select buttons.
Other wizard pages expose advanced settings, such as fast roaming and proxy settings. Wi-Fi profiles can be deployed to Windows 8.1, iOS, and Android 4.
VPN Profiles
For Windows 8.1, Microsoft partnered with numerous VPN vendors to provide in-box support for their technologies. As part of this effort, Configuration Manager unified device management supports profile provisioning for each of these vendors as well as configuring new automatic VPN connections that automatically open whenever a user accesses a configured company application or network resource. More information about automatic VPN connections in Windows 8.1 can be found in http://blogs.technet.com/b/configmgrteam/archive/2013/07/10/user-centric-application-management.aspx. Profiles can also be created for each of the VPN vendors supported in iOS as well as VPN standards like PPTP and LT2P, as shown in the following screenshot.
The wizard exposes additional settings like authentication method, proxy settings and DNS-based automatic VPN. Automatic VPN connections can be configured through the Software Library workspace and will associate the Windows Store application’s ID with the VPN profile that has been deployed to the device.
VPN profiles can be deployed to Windows 8.1 and iOS clients.
Certificates
A certificate profile can be one of two types:
- Trusted CA certificate profile - Trusted CA certificate profiles can be used to deploy root CA certificates for establishing trust for certificates presented to a device from Wi-Fi and VPN servers. The certificate file is included as part of the policy that is deployed to client devices, and is installed as a trusted CA certificate.
- SCEP settings profile - This profile contains settings for enrolling for client certificates using Simple Certificate Enrollment Protocol (SCEP). When devices receive this profile they will have all the necessary instructions for which Registration Authority server to contact, and which certificate properties should be used. More information about SCEP support is in the next section.
Simple Certificate Enrollment Protocol
Simple Certificate Enrollment Protocol (SCEP) was adopted by Apple iOS as a means to deliver certificates to iPhones and iPads for client authentication. Configuration Manager now supports certificate enrollment through SCEP, and has collaborated with partner Microsoft teams to expand client support to Windows 8.1 and to provide a secure means of generating and validating SCEP challenges. Issuing certificates via certificate profiles requires integration with an enterprise Public Key Infrastructure through the Network Device Enrollment Service (NDES) role in Windows Server 2012 R2, and involves installing a policy module that integrates with Configuration Manager to validate SCEP challenges against the originally deployed properties to ensure its integrity.
Certificates can be issued via certificate profiles to Windows 8.1, iOS and Android 4.0 clients.
Summary
We’ve taken a look at some of the new features in System Center 2012 R2 Configuration Manager that help you to manage devices and enable seamless and secured access to company resources. For more information, see the following documentation on TechNet:
--
Heena Macwan
and
Chris Green
To see all of the posts in this series, check out the What’s New in Windows Server & System Center 2012 R2 archive.
This posting is provided "AS IS" with no warranties and confers no rights.
Published Sep 08, 2018
Version 1.0yvetteomeally
Microsoft
Joined August 30, 2016
Microsoft Security Blog
Follow this blog board to get notified when there's new activity