In Part 1 of this mini series we integrated Windows Intune with System Center 2012 R2 Configuration Manager. In Part 2 we added Support for iOS devices (Iphone, iPad). In Part 3 we learned the difference between App Package for iOS (*.ipa file) and applications from the Apple App Store. We learned how to deploy them to iOS devices and configured the deployment type so that the applications were made available to the user based on the iPhone or Ipad operating system version, in addition we also checked device Ownership information and deployed the application based on those requirements.
In Part 4 we learned how to use and configure compliance settings in order to enable or disable certain configurable features on iOS devices. We enforced a Password requirement and enforced a minimum password length as this is a common requirement for organizations. In Part 5 we enabled support for Windows 8.1 devices (both Windows RT 8.1 and Windows 8.1 Enterprise) so that they could be managed via System Center 2012 R2 Configuration Manager integrated with Windows Intune. In Part 6 we deployed Windows 8.1 apps (appx) to Windows 8.1 devices. In Part 7 we looked at how to make Windows 8.1 store apps available in the Company Portal and how to make them featured apps with their own categories.
Now we will add support for Android and learn how to deploy mobile device settings to Android devices. As security of company data is so important these days, being able to encrypt files on a device is a great asset, and we will use mobile device settings (Compliance Settings) to enable File encryption on these Android devices. Users can download the Android company portal app from Google’s Android store (Google Play) and that allows them to enroll Android devices. With the Android company portal app, you can manage compliance settings, wipe or delete Android devices, deploy apps, and collect software and hardware inventory. If the Android company portal app is not installed on Android devices or if you are using Configuration Manager SP1, then you will not have all the management capabilities, such as inventory and compliance settings, but you can still deploy apps to Android devices.
Step 1. Enable Android support
In the System Center 2012 R2 Configuration Manager console, browse to Administration, expand Cloud Services and right click on the Windows Intune Subscriptions, select Properties like in the screenshot below
Select the Android tab, and place a checkmark in Enable Android Enrollment like in the screenshot below
click Apply, then ok, and that’s it, you are done.
Step 2. Create an All Android Devices Collection
Create a new collection called All Android Devices liimited to All Mobile Devices, we will use this collection to house our Android devices and to target them with Android specific deployments.
with a membership query for Android devices
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "Android%"
continue through to the end of the Create New Collection wizard.
Step 3. Create a Configruation Item to configure mobile device settings for Android
Next we will configure mobile device settings for Android. This is done in a few parts, first we create the configuration item containing the settings, next we add them to a configuration baseline, and finally we deploy the configuration baseline to our previously created All Android Devices collection.
The following page on Technet explains the settings available for Android (for devices with the Android company portal app installed) and other mobile platform types, but to summarize the following 9 settings are currently available for the Android Platform (as of March 2014).
In Assets and Compliance, select Configuration Items, right click on it and choose Create Configuration Item.
Give it a suitable name such as Android Mobile Device File Encryption Settings and create a new category called “All Android – Enable file encryption” like in the screenshot below.
As File encryption requires a passcode being set on the Android device, select Password and Encryption from the settings groups available
For the Password screen, select a Minimum Password Length of at least 6 characters (6 characters containing at least one letter), like in the screenshot below, making sure to sure to set a checkmark in Remediate noncompliant settings otherwise the Password setting won’t be forced
For the setting, File Encryption on Mobile Device change the drop down menu to On, make sure to set a checkmark in Remediate noncompliant settings otherwise it won’t Encrypt anything,
Note: The Storage Card Encryption option is not currently available for Android so don’t bother selecting it. In fact, the only option applicable to Android on this screen is File Encryption on Mobile device.
For Supported Platforms de-select All, and only select Android as in the screenshot below
If you did everything like I’ve shown above, then the Platform Availability screen will be blank, and that’s ok, if you selected an additional option previous to this that was not compatible with the Android platform you’ll see it here, if so click back and remove it,
continue the wizard through to completion.
Step 4. Create a Configuration Baseline
Right click on Configuration Baselines and choose Create Configuration Baseline. A Configuration Baseline can contain one or more Configuration Items.
give the baseline a useful name like All Android Mobile Device Management Baseline and click on Add, select the previously created Android Mobile Device Encryption Settings CI like in the screenshot below, and then select the All Android – Enable File Encryption category
Step 5. Deploy the Configuration Baseline
Now we are ready to deploy our mobile device settings for Android to a collection. In this example, we will deploy it to our previously created collection called All Android Devices.
Note: You can deploy compliance settings for Mobile Devices to a user or device collection. If you deploy the baseline to a user collection, the compliance settings are applied to all the enrolled devices for those users.
Right click on the All Android Mobile Device Management baseline configuration baseline created above and choose Deploy.
select the option to Remediate and browse to the device collection called All Android Devices, select your desired compliance evaluation schedule, every 1 day is sufficient in a lab, perhaps every 7 days in production is better.
Step 6. Enroll an Android Device
On an Android 4.0, 4.1 or 4.2 device start up Google Play (Play Store)
and search for Company Portal, you should see Windows Intune Company Portal listed,
select it and choose Install
click Accept to the App Permissions
and click Open once installed,
you’ll be prompted to sign in using your organizational account, do so by clicking on Add this device
enter your credentials and click on Sign In,
it should say adding your device….
and after a delay you should be prompted to Active device administrator, click on Activate
and then it continues adding your device,
after which you’ll be displayed with the Company Portal
Step 7. Check the status of your Android devices in the console
In the Configuration Manager console, check All Mobile devices, your Android devices should appear here first (once they have enrolled successfully)
You should also check the All Android Devices collection next, if your device doesn’t appear here yet try Update Membership
After hardware inventory data has been uploaded you can start Resource Explorer and see what details it provides, including if the device is a Jailbroken or rooted device or not
Lastly you can monitor the Deployment status of your Configuration Baseline by clicking on View Status to see how compliant your Android devices are for the deployed baseline. To view status, click on the Configuration Baseline, select Deployments, and right click on the deployment, then select View Status like in the screenshot below.
Step 8. Verify the settings on an enrolled device
Now everything is in place for your changes to take place, on a targeted Android you should see that notifications arrive for the two major changes we initiated namely
- Device Passcode
- File Encryption
The following screenshot shows what the notification will look like on a Samsung Galaxy 4
when entering the new Password you’ll be prompted to enter at least 6 characters
and you’ll be reminded that it must contain at least one number, exactly as we set in the Mobile Device Compliance Settings
I’ll post a screenshot of the Encrypted settings taking effect as soon as I can.
That’s it, Job done !
Thanks to my eldest son Christopher for lending me his Samsung for this guide.
- CM12 in a Lab – How can I manage modern devices using System Center 2012 R2 Configuration Manager ? – Part 1
- CM12 in a Lab – How can I manage modern devices using System Center 2012 R2 Configuration Manager ? – Part 2
- CM12 in a Lab – How can I manage modern devices using System Center 2012 R2 Configuration Manager ? – Part 3
- CM12 in a Lab – How can I manage modern devices using System Center 2012 R2 Configuration Manager ? – Part 4
- CM12 in a Lab – How can I manage modern devices using System Center 2012 R2 Configuration Manager ? – Part 5
- CM12 in a Lab – How can I manage modern devices using System Center 2012 R2 Configuration Manager ? – Part 6
- CM12 in a Lab – How can I manage modern devices using System Center 2012 R2 Configuration Manager ? – Part 7
Android devices are becoming common place in our workplaces and homes, from sophisticated phones to feature rich tablets, they are gaining market share rapidly. In this post we learned how to enable support for Android devices in System Center 2012 R2 Configuration Manager with Windows Intune integration. We also saw how to enroll those devices, and how to deploy Mobile Device Settings to control up to 9 different settings on these devices. We also looked at the Company Portal and in our next post we’ll look in more detail at it’s features and how to deploy Apps.
For Offline reading you can download a Microsoft Word copy of this guide below.