Home
Microsoft

Compliance Settings and Company Resource Access in Configuration Manager

First published on CLOUDBLOGS on Jul 10, 2013

This post is a part of the nine-part “ What’s New in Windows Server & System Center 2012 R2 ” series that is featured on Brad Anderson’s In the Cloud blog.  Today’s blog post covers how System Center 2012 R2 Configuration Manager and Windows Intune allows and administrator to provide VPN, WiFi profiles, and Certificates to permit users to connect to company resources and how it applies to Brad’s larger topic of “People-centric IT.”  To read that post and see the other technologies discussed, read today’s post:  “ Making Device Users Productive and Protecting Corporate Information .”


As part of the People-centric IT pillar of System Center 2012 R2 and Windows Intune, the Enterprise Client Management team made significant investments in enabling enterprises to configure devices for connecting to company network resources and for managing additional PC and mobile device settings.  Companies can now easily configure profiles for connecting to corporate VPN and Wi-Fi, can deploy certificates for authentication, and can establish policy baselines for controlling and auditing how devices are configured.  These settings and profiles are managed for all device types directly by using unified device management and for mobile devices are delivered via native mobile device management protocols by using Windows Intune.


Mobile device settings


Dozens of new mobile device settings have been added to the mobile device settings flow of the Create Configuration Item Wizard.


First, the devices must be enrolled by using the Windows Intune connector, and then they are then visible from the Devices node in the Configuration Manager console, as shown in the following screenshot.



You can then create a new configuration item by running the Create Configuration Manager Wizard from the console under Assets and Compliance | Compliance Settings | Configuration Items. As you can see from the following screenshots, specify the type of the configuration item to be “Mobile device” and you can then specify the settings that you want to configure.





Finally, you can create a configuration baseline under Assets and Compliance | Compliance Settings | Configuration Baselines and add the mobile configuration item to it. The configuration baseline then needs to be deployed to the target collection to allow the policies to flow to the devices.


The list of supported settings is shown in the following table:



Compliance Settings Group



Compliance Settings



Windows 8.1



iOS 6.0



Android 4.0



Password



Require password settings on mobile devices



Not applicable



Yes



Yes



Password



Password complexity



Yes



Yes



Not applicable



Password



Idle time before mobile device is locked (minutes)



Yes



Yes



Yes



Password



Minimum password length (characters)



Yes



Yes



Yes



Password



Number of passwords remembered



Yes



Yes



Yes



Password



Password expiration in days



Yes



Yes



Yes



Password



Number of failed logon attempts before device is wiped



Yes



Yes



Yes



Password



Minimum complex characters



Yes



Yes



Not applicable



Password



Allow simple password



Not applicable



Yes



Not applicable



Password



Allow convenience logon



Yes



Not applicable



No



Password



Maximum grace period



Not applicable



Yes



No



Password



Password Quality



Not applicable



Not applicable



Yes



Device



Voice Dialing



Not applicable



Yes



Not applicable



Device



Voice Assistant



Not applicable



Yes



Not applicable



Device



Voice Assistant while Locked



Not applicable



Yes



Not applicable



Device



Screen Capture



Not applicable



Yes



Not applicable



Device



Video Conferencing



Not applicable



Yes



Not applicable



Device



Game Center



Not applicable



Yes



Not applicable



Device



Add Game Center friends



Not applicable



Yes



Not applicable



Device



Multiplayer Gaming



Not applicable



Yes



Not applicable



Device



Personal wallet software While Locked



Not applicable



Yes



Not applicable



Device



Diagnostic data Submission



Yes



Yes



Not applicable



Store



Application Store



No



Yes



Not applicable



Store



Force Application Store Password



Not applicable



Yes



Not applicable



Store



In App Purchases



Not applicable



Yes



Not applicable



Browser



Default browser



No



Yes



Not applicable



Browser



Autofill



Yes



Yes



Not applicable



Browser



Plug-ins



Yes





Not applicable



Browser



Active scripting



Yes



Yes



Not applicable



Browser



Pop-up Blocker



Yes



Yes



Not applicable



Browser



Fraud warning



Yes



Yes



Not applicable



Browser



Cookies



No



Yes



Not applicable



Internet Explorer



Go to intranet site for single word entry



Yes



Not applicable



Not applicable



Internet Explorer



Always send Do Not Track header



Yes



Not applicable



Not applicable



Internet Explorer



Intranet security zone



Yes



Not applicable



Not applicable



Internet Explorer



Security level for internet zone



Yes (read only)



Not applicable



Not applicable



Internet Explorer



Security level for intranet zone



Yes (read only)



Not applicable



Not applicable



Internet Explorer



Security level for trusted sites zone



Yes (read only)



Not applicable



Not applicable



Internet Explorer



Security level for restricted sites zone



Yes (read only)



Not applicable



Not applicable



Internet Explorer



Namespace exists for browser security zone



Yes



Not applicable



Not applicable



Content Rating



Adult Content in media store



Not applicable



Yes



Not applicable



Content Rating



Ratings Region



Not applicable



Yes



Not applicable



Content Rating



Movie Rating



Not applicable



Yes



Not applicable



Content Rating



TV Show Rating



Not applicable



Yes



Not applicable



Content Rating



App Rating



Not applicable



Yes



Not applicable



Cloud



Encrypted backup



Not applicable



Yes



Not applicable



Cloud



Document synchronization



No



Yes



Not applicable



Cloud



Photo synchronization



Not applicable



Yes



Not applicable



Cloud



Cloud backup



No



Yes



Not applicable



Cloud



Settings synchronization



Yes (read only)



Not applicable



Not applicable



Cloud



Credentials synchronization



Yes (read only)



Not applicable



Not applicable



Cloud



Synchronization over metered connection



Yes (read only)



Not applicable



Not applicable



Security



Removable storage



No



Not applicable



Yes



Security



Camera



No



Yes



Yes (4.1)



Security



Bluetooth



Yes (read only)



Not applicable



Not applicable



Roaming



Allow Voice Roaming



Not applicable



Yes



Not applicable



Roaming



Allow Global Background Fetch When Roaming



Not applicable



Yes



Not applicable



Roaming



Allow Data Roaming



Yes



Yes



Not applicable



Encryption



File encryption on mobile device



Yes (read only)



Not applicable



Yes



System Security



User to accept untrusted TLS certificates



Not applicable



Yes



Not applicable



System Security



User Access Control



Yes



Not applicable



Not applicable



System Security



Network Firewall



Yes (read only)



Not applicable



Not applicable



System Security



Updates



Yes



Not applicable



Not applicable



System Security



Virus Protection



Yes (read only)



Not applicable



Not applicable



System Security



Virus Protection signatures are up-to-date



Yes (read only)



Not applicable



Not applicable



System Security



SmartScreen



Yes



Not applicable



Not applicable



Windows Server Work Folders



Work Folders URL



Yes



Not applicable



Not applicable



Windows Server Work Folders



Force automatic setup



Yes



Not applicable



Not applicable



Company Resource Access Settings


This group of settings solves the problem of deploying profiles and certificates to mobile devices and PCs that are not managed through Group Policy.  Users will receive policies containing VPN profiles that instruct the device on how to reach corporate VPN servers, and Wi-Fi profiles that will allow the device to automatically connect to corporate Wi-Fi hotspots.  Users will also receive any necessary certificates for authenticating to those networks.  All of this happens seamlessly, and avoids having users follow a series of complex instructions to setup their devices.  For the Configuration Manager desktop administrator, deploying and monitoring these profiles is just like any other configuration baseline.


It begins with creating a new profile in the Assets and Compliance workspace of the Configuration Manager console.  We have added a new Company Resource Access section with nodes for each of the new profile types.



Each node will launch a wizard to create a new profile, and will walk you through groups of settings that are relevant for any of the supported platforms.  You can configure a profile once, and the relevant settings for each platform will be applied at the time of deployment.  After a new profile is created, it is ready to be deployed to user and device collections.  Note that these profiles are deployed directly, rather than being added to a configuration baseline.  Reporting and monitoring works the same as for regular configuration items and configuration baselines, and will provide visibility into the device compliance.


You also have an option to import VPN and Wi-Fi profiles in XML format for Windows devices.  Because these profiles contain fairly advanced network settings, organizations might want to grant access to network administrators to perform the configuration, so to support role-based administration, a new Resource Access security role for Network Administrators has been added to the Configuration Manager console.


Wi-Fi Profiles


The Create Wi-Fi Profile Wizard has settings for configuring the basic network display name and SSID, as well as security and advanced settings that are available for any of the supported client platforms.  In the example below, an administrator has configured a profile to use WPA2-Enterprise with PEAP authentication.



Clicking the Configure button brings up the familiar Windows EAP control for configuring the server and client authentication methods.  This control constructs the same EAP configuration XML as the control that is used on any given Windows client, and is used to configure both Windows and Android clients.  Server and client authentication certificates for iOS are configured by using the Select buttons.


Other wizard pages expose advanced settings, such as fast roaming and proxy settings.  Wi-Fi profiles can be deployed to Windows 8.1, iOS, and Android 4.


VPN Profiles


For Windows 8.1, Microsoft partnered with numerous VPN vendors to provide in-box support for their technologies.  As part of this effort, Configuration Manager unified device management supports profile provisioning for each of these vendors as well as configuring new automatic VPN connections that automatically open whenever a user accesses a configured company application or network resource.  More information about automatic VPN connections in Windows 8.1 can be found in http://blogs.technet.com/b/configmgrteam/archive/2013/07/10/user-centric-application-management... Profiles can also be created for each of the VPN vendors supported in iOS as well as VPN standards like PPTP and LT2P, as shown in the following screenshot.



The wizard exposes additional settings like authentication method, proxy settings and DNS-based automatic VPN.  Automatic VPN connections can be configured through the Software Library workspace and will associate the Windows Store application’s ID with the VPN profile that has been deployed to the device.


VPN profiles can be deployed to Windows 8.1 and iOS clients.


Certificates


A certificate profile can be one of two types:



  • Trusted CA certificate profile - Trusted CA certificate profiles can be used to deploy root CA certificates for establishing trust for certificates presented to a device from Wi-Fi and VPN servers.  The certificate file is included as part of the policy that is deployed to client devices, and is installed as a trusted CA certificate.

  • SCEP settings profile - This profile contains settings for enrolling for client certificates using Simple Certificate Enrollment Protocol (SCEP).  When devices receive this profile they will have all the necessary instructions for which Registration Authority server to contact, and which certificate properties should be used.  More information about SCEP support is in the next section.


Simple Certificate Enrollment Protocol


Simple Certificate Enrollment Protocol (SCEP) was adopted by Apple iOS as a means to deliver certificates to iPhones and iPads for client authentication.  Configuration Manager now supports certificate enrollment through SCEP, and has collaborated with partner Microsoft teams to expand client support to Windows 8.1 and to provide a secure means of generating and validating SCEP challenges.  Issuing certificates via certificate profiles requires integration with an enterprise Public Key Infrastructure through the Network Device Enrollment Service (NDES) role in Windows Server 2012 R2, and involves installing a policy module that integrates with Configuration Manager to validate SCEP challenges against the originally deployed properties to ensure its integrity.


Certificates can be issued via certificate profiles to Windows 8.1, iOS and Android 4.0 clients.


Summary


We’ve taken a look at some of the new features in System Center 2012 R2 Configuration Manager that help you to manage devices and enable seamless and secured access to company resources. For more information, see the following documentation on TechNet:




-- Heena Macwan and Chris Green


To see all of the posts in this series, check out the What’s New in Windows Server & System Center 2012 R2 archive.


This posting is provided "AS IS" with no warranties and confers no rights.