How can I manage modern devices using System Center 2012 R2 Configuration Manager? – Part 8

In Part 1 of this mini series we integrated Windows Intune with System Center 2012 R2 Configuration Manager. In Part 2 we added support for iOS devices (iPhone, iPad). In Part 3 we learned the difference between App Package for iOS (*.ipa file) and applications from the Apple App Store. We learned how to deploy them to iOS devices and configured the deployment type so that the applications were made available to the user based on the iPhone or iPad operating system version. In addition, we checked device ownership information and deployed the application based on those requirements.

In Part 4 we learned how to use and configure compliance settings in order to enable or disable certain configurable features on iOS devices. We enforced a password requirement and a minimum password length, as this is a common requirement for organizations. In Part 5 we enabled support for Windows 8.1 devices (both Windows RT 8.1 and Windows 8.1 Enterprise) so that they could be managed via System Center 2012 R2 Configuration Manager integrated with Windows Intune. In Part 6 we deployed Windows 8.1 apps (appx) to Windows 8.1 devices. In Part 7 we looked at how to make Windows 8.1 store apps available in the Company Portal and how to make them featured apps with their own categories.

Now we will add support for Android and learn how to deploy mobile device settings to Android devices. As security of company data is so important these days, being able to encrypt files on a device is a great asset, and we will use mobile device settings (Compliance Settings) to enable File encryption on these Android devices. Users can download the Android company portal app from Google’s Android store (Google Play) and that allows them to enroll Android devices. With the Android company portal app, you can manage compliance settings, wipe or delete Android devices, deploy apps, and collect software and hardware inventory. If the Android company portal app is not installed on Android devices or if you are using Configuration Manager SP1, then you will not have all the management capabilities, such as inventory and compliance settings, but you can still deploy apps to Android devices.

Step 1. Enable Android support

In the System Center 2012 R2 Configuration Manager console, browse to Administration, expand Cloud Services, right click on Windows Intune Subscriptions and select Properties, like in the screenshot below.


windows intune subscription properties.png


Select the Android tab, and place a checkmark in Enable Android Enrollment like in the screenshot below


enable android enrollment.png


Click Apply, then OK, and that’s it, you are done.


Step 2. Create an All Android Devices Collection

Create a new collection called All Android Devices, limited to All Mobile Devices. We will use this collection to house our Android devices and to target them with Android-specific deployments.


All Android Devices.png


with a membership query for Android devices

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "Android%"

membership query.png


continue through to the end of the Create New Collection wizard.



Step 3. Create a Configuration Item to configure mobile device settings for Android

Next we will configure mobile device settings for Android. This is done in a few parts: first we create the configuration item containing the settings, next we add it to a configuration baseline, and finally we deploy the configuration baseline to our previously created All Android Devices collection.


The following page on TechNet explains the settings available for Android (for devices with the Android company portal app installed) and other mobile platform types, but to summarize, the following 9 settings are currently available for the Android platform (as of March 2014).


Android Settings available.png


In Assets and Compliance, select Configuration Items, right click on it and choose Create Configuration Item.


Create Configuration Item.png


Give it a suitable name such as Android Mobile Device File Encryption Settings and create a new category called “All Android – Enable file encryption” like in the screenshot below.


android mobile device settings.png


As File encryption requires a passcode to be set on the Android device, select Password and Encryption from the settings groups available.


Password and Encryption settings groups.png


For the Password screen, select a Minimum Password Length of at least 6 characters (6 characters containing at least one letter), like in the screenshot below, making sure to set a checkmark in Remediate noncompliant settings, otherwise the Password setting won’t be forced.


Minimum Password Length (characters) 6.png


For the setting File Encryption on Mobile Device, change the drop down menu to On, and make sure to set a checkmark in Remediate noncompliant settings, otherwise it won’t encrypt anything.


Note: The Storage Card Encryption option is not currently available for Android so don’t bother selecting it. In fact, the only option applicable to Android on this screen is File Encryption on Mobile device.


turn on file encryption.png


For Supported Platforms de-select All, and only select Android as in the screenshot below


supported platforms.png


If you did everything like I’ve shown above, then the Platform Availability screen will be blank, and that’s ok. If you selected an additional option previous to this that was not compatible with the Android platform, you’ll see it here; if so, click Back and remove it.


platform applicability.png


continue the wizard through to completion.


wizard is complete.png


Step 4. Create a Configuration Baseline

Right click on Configuration Baselines and choose Create Configuration Baseline. A Configuration Baseline can contain one or more Configuration Items.


create configuration baseline.png


give the baseline a useful name like All Android Mobile Device Management Baseline and click on Add, select the previously created Android Mobile Device Encryption Settings CI like in the screenshot below, and then select the All Android – Enable File Encryption category


create configuration baseline with CI and category.png


Step 5. Deploy the Configuration Baseline

Now we are ready to deploy our mobile device settings for Android to a collection. In this example, we will deploy it to our previously created collection called All Android Devices.


Note: You can deploy compliance settings for Mobile Devices to a user or device collection. If you deploy the baseline to a user collection, the compliance settings are applied to all the enrolled devices for those users.


Right click on the All Android Mobile Device Management Baseline configuration baseline created above and choose Deploy.


Deploy Configuration Baseline.png


Select the option to Remediate and browse to the device collection called All Android Devices, then select your desired compliance evaluation schedule. Every 1 day is sufficient in a lab; perhaps every 7 days is better in production.


deploy cb settings.png
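
If you prefer to script Step 2 and Step 5 rather than click through the wizards, the following is an added example (not part of the original guide) using the ConfigurationManager PowerShell module that installs with the console. It assumes the baseline from Step 4 already exists; the site code PS1, the rule name and the schedule values are placeholders to adjust for your environment.

```powershell
# Added example: scripts Step 2 (collection) and Step 5 (baseline deployment).
$SiteCode       = 'PS1'   # placeholder: replace with your own site code
$CollectionName = 'All Android Devices'
$BaselineName   = 'All Android Mobile Device Management Baseline'
$EvalEveryDays  = 7       # 1 is fine in a lab, 7 suggested for production

# Load the module that ships with the admin console and switch to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# Same WQL membership query as entered in the Create New Collection wizard.
$Query = @'
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "Android%"
'@

# Step 2: create the collection only if it is missing, so the script can be re-run.
if (-not (Get-CMDeviceCollection -Name $CollectionName)) {
    $Refresh = New-CMSchedule -Start (Get-Date) -RecurInterval Days -RecurCount 1
    New-CMDeviceCollection -Name $CollectionName `
        -LimitingCollectionName 'All Mobile Devices' `
        -RefreshType Periodic -RefreshSchedule $Refresh | Out-Null
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName `
        -RuleName 'Android devices' -QueryExpression $Query
}

# Step 5: refuse to continue if the baseline from Step 4 has not been created yet.
if (-not (Get-CMBaseline -Name $BaselineName)) {
    throw "Baseline '$BaselineName' not found; complete Steps 3 and 4 in the console first."
}

# Deploy with remediation enabled; without it the settings are only reported, not enforced.
# (Newer ConfigMgr releases rename this cmdlet to New-CMBaselineDeployment.)
$Eval = New-CMSchedule -Start (Get-Date) -RecurInterval Days -RecurCount $EvalEveryDays
Start-CMBaselineDeployment -Name $BaselineName -CollectionName $CollectionName `
    -EnableEnforcement $true -Schedule $Eval
```

Run it from a machine with the Configuration Manager console installed, under an account that has rights to create collections and deploy baselines.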


Step 6. Enroll an Android Device

On an Android 4.0, 4.1 or 4.2 device start up Google Play (Play Store)




and search for Company Portal, you should see Windows Intune Company Portal listed,




select it and choose Install




click Accept to the App Permissions




and click Open once installed,




you’ll be prompted to sign in using your organizational account, do so by clicking on Add this device




enter your credentials and click on Sign In,




it should say adding your device….




and after a delay you should be prompted to Activate device administrator, click on Activate




and then it continues adding your device,




after which you’ll be presented with the Company Portal





Step 7. Check the status of your Android devices in the console

In the Configuration Manager console, check All Mobile Devices; your Android devices should appear here first (once they have enrolled successfully).


android enrolled.png


You should also check the All Android Devices collection next. If your device doesn’t appear here yet, try Update Membership.


All Android Devices now with an enrolled device.png


After hardware inventory data has been uploaded, you can start Resource Explorer and see what details it provides, including whether or not the device is a Jailbroken or rooted device.


Jailbroken or rooted device.png


Lastly you can monitor the Deployment status of your Configuration Baseline by clicking on View Status to see how compliant your Android devices are for the deployed baseline. To view status, click on the Configuration Baseline, select Deployments, and right click on the deployment, then select View Status like in the screenshot below.


View Status of Deployments.png


Step 8. Verify the settings on an enrolled device

Now everything is in place for your changes to take effect. On a targeted Android device you should see notifications arrive for the two major changes we initiated, namely

  • Device Passcode
  • File Encryption

The following screenshot shows what the notification will look like on a Samsung Galaxy 4




when entering the new Password you’ll be prompted to enter at least 6 characters




and you’ll be reminded that it must contain at least one number, exactly as we set in the Mobile Device Compliance Settings




I’ll post a screenshot of the Encrypted settings taking effect as soon as I can.


That’s it, Job done !


Thanks to my eldest son Christopher for lending me his Samsung for this guide.






Android devices are becoming commonplace in our workplaces and homes; from sophisticated phones to feature-rich tablets, they are gaining market share rapidly. In this post we learned how to enable support for Android devices in System Center 2012 R2 Configuration Manager with Windows Intune integration. We also saw how to enroll those devices, and how to deploy Mobile Device Settings to control up to 9 different settings on these devices. We also looked at the Company Portal, and in our next post we’ll look in more detail at its features and how to deploy Apps.



