
Table of Contents

Overview
What is hybrid MDM
Choose Intune standalone or hybrid MDM
What's new in hybrid MDM
Plan and design
Supported device platforms
Device enrollment methods
Get started
Create an MDM collection
Confirm domain name requirements
Configure Intune subscription
Add terms and conditions
Create service connection point
Enable platform enrollment
iOS and MAC
Windows
Android
Set up additional management
Verify MDM configuration
How to
Enroll user-owned (BYOD) devices
Enroll corporate-owned devices
iOS DEP enrollment
Apple Configurator enrollment
Device enrollment manager
Predeclare hardware ID
Manage iOS activation lock
User device affinity
Retire/wipe, lock, reset devices
Configure hardware inventory
Configure software inventory
Manage compliance settings
Windows 8.1 and Windows 10
Windows Phone
iOS and Mac OS X
Android and Samsung KNOX Standard
Sync Intune-enrolled devices
Manage applications
Create iOS applications
iOS app configuration policies
iOS volume-purchased apps
Create Windows Phone applications
Create Android applications
Mobile application management policies
Managed browser policies
Windows Store for Business apps
Manage an Intune subscription
Manage resource access
Create Wi-Fi profiles
Create PFX certificate profiles
VPN profiles
Create email profiles
Windows Hello for Business settings
Manage conditional access
Device compliance policies
Create a device compliance policy
Manage email access
Manage SharePoint Online access
Manage Skype for Business Online access
Manage Dynamics CRM Online access
Manage PC access to O365 services
Manage access based on risk
Set up Lookout device threat protection
Enable Lookout in Intune
Deploy Lookout for Work apps
Enable device threat protection policy
Troubleshoot Lookout integration
On-premises mobile device management (MDM)
What is On-premises MDM
Plan for on-premises MDM
Setup steps
Set up the Intune subscription
Install on-prem roles
Set up certificates
Set up for enrollment
Enroll devices for on-premises MDM
User enrollment
Bulk enrollment
Manage devices
Manage applications
Protect data and devices
Device management with Exchange

Hybrid mobile device management (MDM) with System Center Configuration Manager and Microsoft Intune
3/6/2017 • 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


You can manage iOS, Windows, and Android devices with Configuration Manager and Microsoft Intune. All
management tasks are handled from the Configuration Manager console where you perform the rest of your
management tasks seamlessly integrated with Microsoft Intune's online service over the internet. You can use
Configuration Manager to let users access company resources on their devices in a secure, managed way. By using
device management, you protect company data while letting users enroll their personal or company-owned devices
to access company data. Management capabilities on devices:
Retire and wipe devices
Configure compliance settings such as passwords, security, roaming, encryption, and wireless communication
Deploy line-of-business (LOB) apps to devices
Deploy apps to devices that connect to Windows Store, Windows Phone Store, App Store, or Google Play
Collect hardware inventory
Collect software inventory by using built-in reports
To read about what new features are available for hybrid MDM, see What's new in hybrid mobile device
management.
This document assumes that you are using Configuration Manager to manage computers, and that you are
interested in extending the Configuration Manager console with Intune to manage mobile devices. To understand
the differences between Intune and hybrid mobile device management, see Choose between Microsoft Intune
standalone and hybrid mobile device management with System Center Configuration Manager.
After extending Configuration Manager with Intune, you can enroll and manage corporate-owned devices or give
users permission to enroll their personal devices. You can also manage company-owned devices with Intune using
Configuration Manager.

Hybrid MDM Enrollment


To bring devices into hybrid management, those devices must be enrolled with the service. How a device enrolls depends on the device type, ownership, and the level of management needed.
"Bring your own device" (BYOD) enrollment lets users enroll their personal phones, tablets, or PCs.
Corporate-owned device (COD) enrollment enables management scenarios like remote wipe, shared devices, or
user affinity for a device.
If you use Exchange ActiveSync, either on-premises or hosted in the cloud, you can enable simple Intune
management without enrollment. Windows PCs can also be managed using Intune client software.
Choose between Microsoft Intune standalone and hybrid mobile device management with System Center Configuration Manager
3/6/2017 • 2 min to read

Applies to: System Center Configuration Manager (Current Branch)


One of the most commonly asked questions regarding mobile device management (MDM) with Microsoft Intune is
"Should I integrate Intune with Configuration Manager (hybrid MDM) or run Intune standalone in the cloud only
configuration?" To answer that question, you should carefully compare the two options and consider updates
coming in early 2017 to Intune standalone.

What is Intune standalone?


Intune standalone is a cloud-only MDM solution that involves no on-premises resources and is managed using a
web console that can be accessed from anywhere in the world. Intune datacenters are hosted in North America,
Europe, and Asia. Because Intune is a cloud service, you can deploy Intune management to your devices in a
relatively short timeframe. You may also choose Intune standalone if your organization is moving to the cloud.

What is hybrid MDM with Configuration Manager?


Hybrid MDM is a solution that uses Intune as the delivery channel for policies, profiles, and applications to devices
but uses Configuration Manager on-premises infrastructure to store and administer content and manage the
devices. You may choose hybrid MDM if you already have a significant investment in Configuration Manager and
want to extend it to manage mobile devices. A hybrid implementation gives you “single pane of glass” control,
which means you can use the same on-premises infrastructure and administrative console to manage mobile
devices with Intune as well as PCs and servers with the traditional Configuration Manager client.

What’s coming to Intune standalone in early 2017


If you are choosing between standalone and hybrid, you should take into consideration features that are coming to
Intune standalone in early 2017. Today, hybrid MDM has several advanced features that have historically been why
some customers choose to manage their devices with hybrid MDM instead of Intune standalone:
Programmatic access (API) – SDK and PowerShell management options.
Custom reporting – create customized reports.
Role-based Access Control – restrict access to administrative functions based on assigned roles.
Scale – deploy and manage over 100,000 mobile devices.
Single pane of glass – manage both traditional PC clients and Intune-managed devices using the same console.
If you are beginning to plan your Intune deployment today and have a several-month window for piloting,
acceptance testing, and deployment, you might consider choosing Intune standalone now with the understanding
that updates coming to the cloud service will include more functionality. Throughout the first half of the 2017
calendar year, Intune standalone will receive updates that provide much of the advanced functionality of a hybrid
deployment with Configuration Manager. Intune standalone will soon be moving to the Microsoft Azure cloud
platform and with it will have enhanced scalability, role-based access through the Azure Portal, custom reporting,
and programmatic access through the Azure Graph API.
You can switch from hybrid to Intune standalone, or from standalone to hybrid, but it requires help from Microsoft
support and operations. It also requires unenrolling and re-enrolling all of the devices after the management
authority is changed. Microsoft is working on improving the experience of switching configurations in a future
service update.
What's new in hybrid mobile device management with System Center Configuration Manager and Microsoft Intune
3/6/2017 • 8 min to read

Applies to: System Center Configuration Manager (Current Branch)


This article provides details on the new mobile device management (MDM) features available for hybrid
deployments with System Center Configuration Manager and Microsoft Intune.

Compatibility with Configuration Manager versions


Each section of this article lists hybrid features under 3 different categories. Use the following guidance to
determine compatibility of the features in each category with different versions of Configuration Manager:

Feature categories:

New in Microsoft Intune: In general, all the features listed under this category should work with all Configuration Manager releases, including System Center 2012 R2 Configuration Manager releases, since these features only require the Intune service and do not require additional functionality in Configuration Manager.

New in Configuration Manager Technical Preview: All the features listed under this category only work with the specified Technical Preview release. To try out these features, you must install the Technical Preview version specified in the feature description. For more information, see Technical Preview for System Center Configuration Manager.

New in Configuration Manager (current branch): All the features listed under this category only work with the specified version of Configuration Manager (current branch), such as version 1511 or 1602. If you're using an older version of Configuration Manager for your hybrid deployment, you must upgrade to the Configuration Manager (current branch) version specified in the feature description. For more information, see Upgrade to System Center Configuration Manager.

New hybrid features in February 2017


New in Microsoft Intune
The following Intune features introduced in February 2017 work in hybrid deployments:
Modernizing the Company Portal website
The Company Portal website supports apps that are targeted to users who do not have managed devices.
The website aligns with other Microsoft products and services by using a new contrasting color scheme,
dynamic illustrations, and a "hamburger menu," which contains helpdesk contact details and information on
existing managed devices. The landing page is rearranged to emphasize apps that are available to users,
with carousels for Featured and Recently Updated apps. You can find before-and-after images available on
the UI updates page.
New MDM server address for Windows devices
The MDM server address for enrolling Windows and Windows Phone devices has changed from manage.microsoft.com to enrollment.manage.microsoft.com. Notify your users to use enrollment.manage.microsoft.com as the MDM server address if prompted for it while enrolling a Windows or Windows Phone device. This update also requires any CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to manage.microsoft.com to be replaced with a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to EnterpriseEnrollment-s.manage.microsoft.com. For additional information about this change, visit http://aka.ms/intuneenrollsvrchange.
New in Configuration Manager Technical Preview 1702
Android for Work Support
You can now manage Android devices using Android for Work in hybrid MDM environments using
Configuration Manager Technical Preview 1702. Supported Android devices can now be enrolled as Android
for Work devices, which creates a work profile on the device to which apps approved in Play for Work can
be deployed. You can also configure and deploy configuration items, compliance policies, and resource
access profiles for these devices.
Non-Compliant Apps Compliance Settings
You can now create non-compliant apps rules for Android and iOS apps in compliance policies. If devices
have the specified applications installed, they will be marked “non-compliant” and will lose access to
company resources according to conditional access policies in place.
PFX Certificate Creation and Distribution and S/MIME Support
You can now create and deploy PFX certificates to users in a hybrid environment. These certificates can then
be used for S/MIME email encryption and decryption by devices that the user has enrolled.

New hybrid features in January 2017


New in Microsoft Intune
The following Intune features introduced in January 2017 work in hybrid deployments:
Android 7.1.1 support
Intune now fully supports and manages Android 7.1.1.
Resolve issue where iOS devices are inactive, or the admin console cannot communicate with them
When users’ devices lose contact with Intune, you can give them new troubleshooting steps to help them
regain access to company resources. See Devices are inactive, or the admin console cannot communicate
with them.
New in Configuration Manager Technical Preview 1701
Android and iOS versions are no longer targetable in creation wizards for hybrid MDM
Beginning in Technical Preview 1701 for hybrid mobile device management (MDM), you no longer need to
target specific versions of Android and iOS when creating new policies and profiles for Intune-managed
devices. With this change, hybrid deployments can provide support more quickly for new Android and iOS
versions without needing a new Configuration Manager release or extension. To learn more, see Android
and iOS versions are no longer targetable in creation wizards.

New hybrid features in December 2016


New in Microsoft Intune
The following Intune features introduced in December 2016 work in hybrid deployments:
Multi-Factor authentication (MFA) on enrollment is moving to the Azure portal
Previously, you would go to either the Intune console or the Configuration Manager console to set MFA for
Intune enrollments. With this updated feature, you now login to the Microsoft Azure portal using your
Intune credentials and configure MFA settings through Azure AD. To learn more, see Multi-factor
authentication for Microsoft Intune.
Company Portal app for Android now available in China
The Company Portal app for Android is now available in China. Due to the absence of Google Play Store in
China, Android devices must obtain apps from Chinese app marketplaces. The Company Portal app for
Android is available for download on the following stores:
Baidu
Huawei
Tencent
Wandoujia
Xiaomi
The Company Portal app for Android uses Google Play Services to communicate with the Microsoft Intune
service. Since Google Play Services are not yet available in China, performing any of the following tasks can
take up to 8 hours to complete.

Configuration Manager admin console:
  Retire/wipe (remove all data)
  Retire/wipe (remove company data)
  New or updated app deployments
  Remote lock
  Passcode reset

Intune Company Portal app for Android:
  Remove a remote device
  Reset device
  Install available line-of-business apps

Intune Company Portal website:
  Remove device (local and remote)
  Reset device
  Device passcode reset

New hybrid features in November 2016


New in Microsoft Intune
The following Intune features introduced in November 2016 work in hybrid deployments:
New Microsoft Intune Company Portal available for Windows 10 devices
Microsoft has released a new Company Portal app for Windows 10 devices. This app, which leverages the
new Windows 10 Universal format, provides an updated user experience that is identical across all Windows
10 devices, PC and Mobile alike, while still enabling all the same functionality provided by previous
Company Portal apps.
The new app leverages platform features like single sign-on (SSO) and certificate-based authentication on
Windows 10 devices. The app is available as an upgrade to the existing Windows 8.1 Company Portal and
Windows Phone 8.1 Company Portal installs from the Windows Store. For more details, go to the Intune
Support Team Blog.
The new Company Portal app also displays any Windows Store for Business applications marked Available
in the Configuration Manager console.
New in Configuration Manager (current branch)
The following features that were previously available in Configuration Manager Technical Preview releases are now
available in hybrid deployments with Intune and Configuration Manager (current branch) version 1610.
Additional settings and improved experience for Configuration items
Additional settings for DEP profiles
Paid apps in Windows Store for Business
Native connection types for Windows 10 VPN profiles
Intune compliance charts
Request to policy sync from console
Windows Defender configuration settings
The following additional hybrid features are also included in version 1610 of Configuration Manager (current
branch):
Increased number of enrolled devices
You can now enable users to enroll up to 15 devices. The previous limit was 5 devices per user.
Additional security support
In addition to Full Administrator, the following built-in security roles now have full access to items in the All
Corporate-owned Devices node, including Predeclared Devices, iOS Enrollment Profiles, and Windows
Enrollment Profiles:
Asset Manager
Company Resource Access Manager
Read-only access to these areas of the Configuration Manager console is still granted to the Read-only
Analyst role.
Auto-trigger VPN access from Windows Information Protection apps
You can add a Windows Information Protection primary domain to Windows 10 VPN profiles that causes all
associated apps to automatically trigger a VPN connection when they are run on the device. This option is
only available when choosing a native connection type.
Conditional access for Windows 10 VPN profiles
You can now require Windows 10 devices enrolled in Azure Active Directory to be compliant in order to
have VPN access through Windows 10 VPN profiles created in the Configuration Manager console. This is
possible through the new Enable conditional access for this VPN connection checkbox on the
Authentication Method page in the VPN profile wizard and VPN profile properties for Windows 10 VPN
profiles. This option is only available when choosing a native connection type.
You can also specify a separate certificate for single sign-on authentication if you enable conditional access
for the profile.

Notices
System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager (RTM): Support for hybrid mobile device management ending on April 10, 2017
January 11, 2017
Support for System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager
RTM ended on July 12, 2016. Subsequently, support for these releases connecting to the Microsoft Intune service
for hybrid MDM ends on April 10, 2017. After this date, hybrid MDM will stop functioning with these releases.
Managed devices will essentially become unmanaged as the Intune Connector will no longer connect to the Intune
service. Configuration Manager data (such as policies and applications) will not flow up to Intune and managed
device data will not flow down to Configuration Manager until an upgrade takes place.
If you're running a hybrid deployment with Configuration Manager 2012 SP1 or R2 RTM, we recommend that
before April 10, 2017 you upgrade to Configuration Manager (current branch) or the latest supported service pack
for Configuration Manager 2012 (either R2 SP1 or SP2) to avoid disruption of service.
Additional resources:
Upgrade to System Center Configuration Manager (current branch)
Planning to upgrade to System Center 2012 R2 Configuration Manager SP1
Planning to upgrade to System Center 2012 Configuration Manager SP2
Windows Phone 8 Company Portal upload deprecated
October 25, 2016
The ability to upload a signed Company Portal app has been removed from the Configuration Manager console, as
Intune support is being deprecated for Windows 8, Windows Phone 8, and Windows RT, and support for the
Windows Phone 8 Company Portal is ending in November. Windows 8, Windows Phone 8, and Windows RT
devices that are already enrolled will continue to be supported, but enrolling additional devices with these
platforms will not be supported.
See Also
Past hybrid MDM features
What's new for MDM in System Center 2012 Configuration Manager
Plan for hybrid mobile device management (MDM) with System Center Configuration Manager and Microsoft Intune
3/6/2017 • 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


You can only use one management solution, the mobile device management authority, to manage your mobile
devices. Before making this setting you should choose between Microsoft Intune standalone and hybrid mobile
device management with Configuration Manager.
In addition, the Intune Deployment Planning, Design and Implementation Guide provides a great deal of
information about the process of developing a deployment plan, creating a design, onboarding Intune, and
conducting a production rollout.
Supported Device Platforms shows the mobile device platforms that are supported by Configuration
Manager using Microsoft Intune.
Device Enrollment Methods provides information about how to enroll corporate-owned and user-owned
devices and their supported capabilities.
Next steps
Setup hybrid MDM
Supported Device Platforms for hybrid MDM
3/6/2017 • 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


Mobile device management with Configuration Manager using Microsoft Intune supports the following mobile
device platforms:
Apple iOS 8.0 and later
Google Android 4.0 and later (including Samsung KNOX Standard 4.0 and higher)*
Windows Phone 8.1
Windows 10 Mobile
Windows 8.1 RT
PCs running Windows 8.1
PCs running Windows 10 (Home, Pro, Education, and Enterprise versions)
Devices running Windows 10 IoT Enterprise (x86, x64)
Devices running Windows 10 IoT Mobile Enterprise
Windows Holographic & Windows Holographic Enterprise
Mac OS X 10.9 and later
*The following models of the Samsung Galaxy Ace phone cannot be managed by Intune as Samsung KNOX
Standard devices: SM-G313HU, SM-G313HY, SM-G313M, SM-G313MY, and SM-G313U. When you enroll these
devices with Intune, they are managed as standard Android devices. See the Samsung KNOX website for more
information.
You can only use one management solution, the mobile device management authority, to manage your mobile
devices. Before making this setting you should choose between Microsoft Intune standalone and hybrid mobile
device management with Configuration Manager
Overview of device enrollment methods
3/6/2017 • 2 min to read

Applies to: System Center Configuration Manager (Current Branch)


After you extend Configuration Manager with Intune, you can enroll and manage corporate-owned devices or give
users permission to enroll their personal devices. You can also manage company-owned devices with Intune using
Configuration Manager.
The following tables show enrollment methods with their supported capabilities. These capabilities include:
Wipe: Factory reset the device, removing all data. See Retire devices.
Affinity: Associates devices with users. Required for mobile application management (MAM) and conditional access to company data. See User affinity.
Lock: Prevents users from removing the device from management. iOS devices require Supervised mode for Lock. See Remote lock.

iOS enrollment methods

METHOD   WIPE   AFFINITY   LOCK
BYOD     No     Yes        No
DEM      No     No         No
DEP      Yes    Optional   Optional
USB-SA   Yes    Optional   No

Windows and Android enrollment methods

METHOD   WIPE   AFFINITY   LOCK
BYOD     No     Yes        No
DEM      No     No         No

For a series of questions that help you find the right method, see Choose how to enroll devices.

BYOD
"Bring your own device" (BYOD) users install the Company Portal app and enroll their device. This can let users
connect to the company network, joining the domain or Azure Active Directory. Enabling BYOD enrollment is a
prerequisite for many COD scenarios for most platforms. See Setup hybrid MDM. (Back to the table)

Corporate-owned devices
Corporate-owned devices (COD) can be managed with the Configuration Manager console. iOS devices can be
enrolled directly through tools provided by Apple. All device types can be enrolled by an admin or manager using
the device enrollment manager. Devices with an IMEI number can also be identified and tagged as company-
owned to enable COD scenarios.
Enroll corporate-owned devices
DEM
Device enrollment manager is a special user account used to enroll and manage multiple corporate-owned devices.
Managers can install the Company Portal and enroll many user-less devices. Learn more about DEM. (Back to the
table)
DEP
Apple Device Enrollment Program (DEP) management lets you create and deploy policy “over the air” to iOS
devices purchased and managed with DEP. The device is enrolled when the user turns on the device for the first
time and runs the iOS Setup Assistant. This method supports iOS Supervised mode which in turn enables:
Locked enrollment
Conditional access
Jailbreak detection
Mobile application management
Learn more about DEP. (Back to the table)
USB-SA
USB-connected, Setup Assistant enrollment. The admin creates a policy and exports it to Apple Configurator. USB-
connected, corporate-owned devices are prepared with policy. The admin must enroll each device by hand. Users
receive their devices and run Setup Assistant, enrolling their device. This method supports iOS Supervised mode
which in turn enables:
Conditional access
Jailbreak detection
Mobile application management
Learn more about Setup Assistant enrollment with Apple Configurator. (Back to the table)

Mobile device management with Exchange ActiveSync and Configuration Manager
Mobile devices that aren't enrolled but that connect to Exchange ActiveSync (EAS) can be managed by Intune using EAS MDM policy. Intune uses an Exchange Connector to communicate with EAS, either on-premises or cloud-hosted.
Mobile device management with Exchange ActiveSync and Intune
Setup hybrid mobile device management (MDM) with System Center Configuration Manager and Microsoft Intune
3/6/2017 • 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


Before you can manage iOS, Windows, and Android devices with Configuration Manager, they must be enrolled with Intune. Use the following steps to set up hybrid device enrollment with Configuration Manager using Intune. By completing the following steps you will enable "bring your own device" (BYOD) enrollment for your users. These steps are also prerequisites for enrolling BYOD devices and enrolling company-owned devices.

Step 1: Create an MDM collection. Create a Configuration Manager user collection with users whose devices can be enrolled.
Step 2: Domain name requirements. Confirm that your organization's domain name service (DNS) and Active Directory user management meet MDM requirements.
Step 3: Configure Intune subscription. The Intune service lets you manage devices over the Internet.
Step 4: Add terms and conditions. Create terms and conditions to which users must agree before they can use the Company Portal app.
Step 5: Create service connection point. The service connection point sends settings and software deployment information to Configuration Manager and retrieves status and inventory messages from mobile devices.
Step 6: Enable platform enrollment. MDM enrollment for iOS and Windows devices requires additional steps for communication between the service and devices. Android requires no additional configuration.
Step 7: Set up additional management (Optional). Set up configuration items and conditional access for enrolled devices.
Step 8: Verify MDM configuration. View log files to confirm that the service connection point was created successfully and user accounts are synchronizing.

Enroll devices
After hybrid setup is complete, devices can be enrolled in Configuration Manager in a number of ways:
Company-owned (COD) devices: Enroll company-owned devices provides guidance on different platform-
specific ways to enroll company-owned devices.
User-owned (BYOD) devices: Enroll user-owned (BYOD) devices provides guidance on ways to enroll user-
owned devices.
Create an MDM collection with System Center Configuration Manager and Microsoft Intune
3/6/2017 • 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


A Configuration Manager user collection is required to specify the users who can enroll devices into management.
You can only use user collections (instead of device collections) because Intune licenses are assigned by user.

NOTE
To enroll devices with Intune, you do not need to assign licenses to users in the Office 365 portal or Azure Active Directory
portal. Including the users in a collection that gets associated with the Intune subscription (in a later step) is all that's
required.

For testing purposes you can set up a Direct rule and add specific users who can enroll devices. In the Configuration Manager console, choose Assets and Compliance > User Collections, click the Home tab > Create group, and then click Create User Collection. For broader distribution you should use Query rules to define users. For more information about collections, see How to create collections.
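The following script is an added example, not part of the Microsoft documentation, showing the query-rule approach to this collection from the Configuration Manager PowerShell module: a user collection (device collections cannot be associated with the subscription) whose membership follows an Active Directory security group. The site code PS1 and the group name CONTOSO\MDM Enrollment Users are constructed placeholders; it assumes the Configuration Manager console is installed on the machine where it runs.

```powershell
# Added example (not from the Microsoft docs). Creates the user collection that
# will later be associated with the Intune subscription, using a query rule so
# that membership is re-evaluated from AD group membership on the collection
# schedule instead of being maintained by hand with direct rules.

$siteCode       = 'PS1'                           # constructed placeholder
$collectionName = 'MDM Enrollment Users'          # constructed placeholder
$adGroup        = 'CONTOSO\\MDM Enrollment Users' # constructed placeholder; WQL needs the backslash doubled

# The module ships with the console; SMS_ADMIN_UI_PATH points at ...\AdminConsole\bin\i386.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "$siteCode`:"

# Intune licenses are assigned per user, so only a *user* collection is valid here.
if (-not (Get-CMUserCollection -Name $collectionName)) {
    New-CMUserCollection -Name $collectionName -LimitingCollectionName 'All Users' | Out-Null
}

# Query rule: all discovered users who are members of the AD security group.
$wql = @"
select SMS_R_USER.ResourceID, SMS_R_USER.ResourceType, SMS_R_USER.Name,
       SMS_R_USER.UniqueUserName, SMS_R_USER.WindowsNTDomain
from SMS_R_User
where SMS_R_User.UserGroupName = "$adGroup"
"@

Add-CMUserCollectionQueryMembershipRule -CollectionName $collectionName `
    -RuleName "Members of $adGroup" -QueryExpression $wql

# Show the result; MemberCount populates after the next collection evaluation.
Get-CMUserCollection -Name $collectionName |
    Select-Object Name, LimitToCollectionName, MemberCount
```

Users added to the AD group later appear in the collection automatically, which is what makes the query rule the better fit for a production rollout than the direct rule suggested for testing.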

Confirm domain name requirements with System Center Configuration Manager and Microsoft Intune
3/6/2017 • 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


If necessary, take the following steps to satisfy any dependencies external to Configuration Manager:
1. Each user must have an Intune license assigned to enroll devices. To associate Intune licenses to users, each user must have a user principal name (UPN) that can be publicly resolved (for example, johndoe@contoso.com) or an alternate login ID configured in Azure Active Directory. Configuring an alternate login ID allows users to sign in with an email address, for example, even if their UPN is in a NetBIOS format (for example, CONTOSO\johndoe).
   If your company uses publicly resolvable UPNs (for example, johndoe@contoso.com), no further configuration is required.
   If your company uses a non-resolvable UPN (for example, CONTOSO\johndoe), you must configure an alternate ID in Azure Active Directory.
2. Deploy and configure Active Directory Federation Services (AD FS). (Optional)
When you set up single sign-on, your users can sign in with their corporate credentials to access the
services in Intune.
For more information, see the following topics:
Prepare for single sign-on
Plan for and deploy AD FS 2.0 for use with single sign-on
3. Deploy and configure directory synchronization.
Directory synchronization lets you populate Intune with synchronized user accounts. The synchronized user
accounts and security groups are added to Intune. Failure to enable Directory Synchronization is a common
cause of devices not being able to enroll when setting up Configuration Manager MDM with Microsoft
Intune.
For more information, see Directory integration in the Active Directory documentation library.
4. Optional, not recommended: If you are not using Active Directory Federation Services, reset users' Microsoft
Online passwords.
If you are not using AD FS, you must set a Microsoft Online password for each user.
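As an added check, not part of the Microsoft documentation, the script below covers two DNS-side prerequisites on this page at once: the publicly resolvable UPN suffix required in step 1 above, and the EnterpriseEnrollment CNAME whose target changed to EnterpriseEnrollment-s.manage.microsoft.com (described under the February 2017 features). It assumes a Windows machine with the DnsClient module (Resolve-DnsName) and outbound DNS; the suffix list is a constructed sample.

```powershell
# Added example (not from the Microsoft docs). For each UPN suffix, report
# whether the suffix resolves in public DNS (a proxy for "publicly resolvable
# UPN"; a .local suffix will not) and whether the Windows auto-discovery CNAME
# EnterpriseEnrollment.<suffix> points at the current Intune target.

# Constructed sample list; in a real forest use (Get-ADForest).UPNSuffixes
# plus the forest root domain name.
$upnSuffixes = @('contoso.com', 'corp.contoso.local')

$expectedCname   = 'EnterpriseEnrollment-s.manage.microsoft.com'   # current target
$deprecatedCname = 'manage.microsoft.com'                          # stopped working Feb 2017

function Test-MdmDomainPrerequisites {
    param([string[]]$Suffixes)

    foreach ($suffix in $Suffixes) {
        $result = [ordered]@{
            Suffix             = $suffix
            PubliclyResolvable = $false
            EnrollmentCname    = $null
            CnameStatus        = 'Missing (Windows users must type the server address by hand)'
        }

        # 1. UPN suffix must exist in public DNS; otherwise an alternate login ID
        #    is needed in Azure AD before licenses can be assigned.
        try {
            $null = Resolve-DnsName -Name $suffix -Type NS -DnsOnly -ErrorAction Stop
            $result.PubliclyResolvable = $true
        } catch { }

        # 2. Auto-discovery CNAME for Windows / Windows Phone enrollment.
        try {
            $cname = Resolve-DnsName -Name "EnterpriseEnrollment.$suffix" -Type CNAME -DnsOnly -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
            if ($cname) {
                $target = $cname.NameHost.TrimEnd('.')
                $result.EnrollmentCname = $target
                $result.CnameStatus = switch ($target) {
                    $expectedCname   { 'OK' }
                    $deprecatedCname { "Deprecated target; repoint to $expectedCname" }
                    default          { 'Unexpected target; verify the record' }
                }
            }
        } catch { }

        [pscustomobject]$result
    }
}

Test-MdmDomainPrerequisites -Suffixes $upnSuffixes | Format-Table -AutoSize
```

A suffix that shows PubliclyResolvable = False is the case for which the alternate login ID in step 1 is required; a Deprecated CNAME status is the record the February 2017 change asks you to replace.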
Configure your Intune subscription with System Center Configuration Manager and Microsoft Intune
3/6/2017 • 2 min to read

Applies to: System Center Configuration Manager (Current Branch)


The Intune subscription lets you manage devices over the internet. This includes specifying which user collection
can enroll devices and defining information presented to users. While creating the Intune subscription, you can
also add company branding to the Intune company portal with your company logo and custom color schemes.
The Intune subscription does the following:
Retrieves the certificate that the service connection point requires to connect to the Intune service
Defines the user collection that enables users to enroll mobile devices
Defines and configures the mobile platforms that you want to support

IMPORTANT
Creating a subscription for Microsoft Intune in Configuration Manager will put your site's service connection point in "online
mode." See About the service connection point in System Center Configuration Manager.

To create the Microsoft Intune subscription


1. If you haven't already, sign up for a Microsoft Intune account at Microsoft Intune. After creating your Intune
account, you do not need to add any users to the Intune account or perform additional settings
configurations.
2. In the Configuration Manager console, click Administration.
3. In the Administration workspace, expand Cloud Services, and click Microsoft Intune Subscriptions. On
the Home tab, click Add Microsoft Intune Subscription.
1. On the Introduction page of the Create Microsoft Intune Subscription Wizard, review the text and click
Next.
2. On the Subscription page, click Sign in and sign in by using your work or school account. In the Set the
Mobile Device Management Authority dialog, select the check box to only manage mobile devices by
using Configuration Manager through the Configuration Manager console. To continue with your
subscription, you must select this option.

IMPORTANT
Once you select Configuration Manager as your management authority, you cannot change the management
authority to Microsoft Intune in the future.

3. Click the privacy links to review them, and then click Next.
4. On the General page, specify the following options, and then click Next.
Collection: Specify a user collection that contains users who will enroll their mobile devices.

NOTE
If a user is removed from the collection, the user's device will continue to be managed for up to 24 hours,
at which point the user record is removed from the user database.

Company name: Specify your company name.


URL to company privacy documentation: If you publish your company privacy information to a
link that is accessible from the Internet, provide a link that users can access from the company portal,
for example http://www.contoso.com/CP_privacy.html. Privacy information can clarify what
information users are sharing with your company.
Color scheme for company portal: Optionally, change the default color of blue for the company
portals.
Configuration Manager site code: Specify a site code for a primary site to manage the mobile
devices.

NOTE
Changing the site code affects only new enrollments and does not affect existing enrolled devices.

5. On the Company Contact Information page, specify the company contact information that is displayed to
users under Contact IT in the Company Portal app. Provide contact information for your company, and
then click Next.
6. On the Company Logo page, you can choose whether to display logos in the company portal, and then
click Next.
7. Complete the wizard.
Add Terms and Conditions with System Center
Configuration Manager
3/6/2017 • 4 min to read

Applies to: System Center Configuration Manager (Current Branch)


You can deploy System Center Configuration Manager terms and conditions to user groups to explain how device
enrollment, access to work resources, and using the Company Portal affect devices and users. Users must accept
the terms and conditions before they can use the Company Portal to enroll and access their work.

Working with terms and conditions policies in System Center Configuration Manager
You can create and deploy multiple sets of terms and conditions. You can also produce versions of the same terms
and conditions in different languages and then deploy them to the appropriate groups.

To create terms and conditions


1. In the Configuration Manager console, go to Assets and Compliance > Overview > Compliance Settings
> Terms and Conditions.
2. Click Create Terms and Conditions to create new terms and conditions.
3. On the General page, specify the following information:
Name - A unique name displayed in the Configuration Manager console
Description - Details that help you identify the terms and conditions in the Configuration Manager
console
And then click Next.
4. On the Terms page, specify the following information:
Title - The title displayed to users in the Company Portal
Text for terms - The terms and conditions displayed to users in the Company Portal
Text to explain what it means if the user accepts - Label users see regarding acceptance.
Example: "I agree to the terms and conditions."
And then click Next.
5. Complete the wizard to create the new terms and conditions. The new terms and conditions are displayed in
the Terms and Conditions node of the Assets and Compliance workspace.

To deploy terms and conditions


1. In the Configuration Manager console, go to Assets and Compliance > Overview > Compliance
Settings > Terms and Conditions.
2. In the Terms and Conditions list, select the item you want to deploy, and then click Deploy.
3. Browse to the collection you want to deploy the terms and conditions to, and then click OK.
When targeted devices access the Company Portal app, it displays the terms and conditions you deployed.
Users must accept these terms before they can gain access to company resources.

NOTE
If you deploy a set of terms to multiple user collections to which a user belongs, that user will see multiple copies of
identical terms when opening Company Portal. Since users can only accept or decline all terms, there is no danger of
being in an ambiguous acceptance state where the user has both accepted and rejected the terms. The Terms and
Conditions acceptance report will include only one row for each set of terms for each user, so there is no error in the
report.

To monitor terms and conditions


1. Beginning in version 1602, you can monitor terms and conditions deployments in the Configuration
Manager console. In the Configuration Manager console, go to Monitoring > Overview > Deployments.
2. Select the terms and conditions deployment from the list of deployments.
The summary area will show the following statistics:
Compliant - Users have accepted the latest version of the terms and conditions
Error
Noncompliant - Users have accepted a version of the terms and conditions, but not the latest
version
Unknown - Users have never accepted the terms and conditions, including those without an
enrolled device
3. Select a terms and conditions deployment and then select Run Summarization to see individual users'
Deployment Status.
On the Deployment Status screen you can select the status tabs to view users with that status. You can click
Run Summarization to update the data throughout the hierarchy. Click Refresh to update the data in the
console.

To view a terms and conditions report


1. In the Configuration Manager console, go to Monitoring > Overview > Reporting > Report.
2. Select Terms and conditions acceptance and then click Run. The Terms and conditions acceptance report
opens. The report displays each user to whom terms and conditions have been deployed. Fields include:
Name of terms and conditions
User name
Accepted version
Date accepted
Accepted latest

Updates and version control for terms and conditions


When you edit existing terms and conditions, you can choose the behavior when you deploy the terms and
conditions. Use the following procedure to help you update existing terms and conditions.
How to work with multiple versions of terms and conditions
1. In the Configuration Manager console, go to Assets and Compliance > Overview > Compliance Settings
> Terms and Conditions.
2. Select the terms and conditions instance that you want to edit, and double-click to open it.
3. You can modify content on the General or the Terms page to make any required edits.
4. On the Terms page you can then specify whether this new version requires all users to accept the terms
and conditions, or if only new users will see the new version.
We recommend you increase the version number and require acceptance any time you make significant
changes to your terms and conditions. Keep the current version number if you are fixing typos or changing
formatting, for example.
Create a service connection point with System
Center Configuration Manager and Microsoft Intune
3/6/2017 • 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


When you have created your subscription, you can then install the service connection point site system role that
lets you connect to the Intune service. This site system role will push settings and applications to the Intune service.
The service connection point sends settings and software deployment information to Configuration Manager and
retrieves status and inventory messages from mobile devices. The Configuration Manager service acts as a
gateway that communicates with mobile devices and stores settings.

NOTE
The service connection point site system role may only be installed on a central administration site or stand-alone primary
site. The service connection point must have Internet access.

Configure the service connection point role


1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Sites, and then click Servers and Site System Roles.
3. Add the Service connection point role to a new or existing site system server by using the associated
step:
New site system server: On the Home tab, in the Create group, click Create Site System Server to
start the Create Site System Server Wizard.
Existing site system server: Click the server on which you want to install the service connection point
role. Then, on the Home tab, in the Server group, click Add Site System Roles to start the Add Site
system Roles Wizard.
4. On the System Role Selection page, select Service connection point, and click Next.
Complete the wizard.

How does the service connection point authenticate with the Microsoft
Intune service?
The service connection point extends Configuration Manager by establishing a connection to the cloud-based
Intune service that manages mobile devices over the Internet. The service connection point authenticates with the
Intune service as follows:
1. When you create an Intune subscription in the Configuration Manager console, the Configuration Manager
admin is authenticated by connecting to Azure Active Directory, which redirects to the respective ADFS
server to prompt for user name and password. Then, Intune issues a certificate to the tenant.
2. The certificate from step 1 is installed on the service connection point site role and is used to authenticate
and authorize all further communication with the Microsoft Intune service.
Enable platform enrollment with System Center
Configuration Manager and Microsoft Intune
3/6/2017 • 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


Different device platforms require additional configuration to enable device enrollment.
iOS and Mac enrollment setup: Get an Apple MDM Push certificate
Windows enrollment setup: Configure DNS and enable enrollment for Windows PCs, Windows 10 Mobile, and
Windows Phone devices
Android: Android devices require no additional steps to enable enrollment
Once you enable MDM management, you can specify the number of devices each user can enroll, up to 15 devices
per user.
Set up iOS hybrid device management with System
Center Configuration Manager and Microsoft Intune
3/6/2017 • 2 min to read

Applies to: System Center Configuration Manager (Current Branch)


With Configuration Manager and Intune, you can enable BYOD ("bring your own device") iOS and Mac OS X
device enrollment to give access to company email and resources to iPhone, iPad and Mac users. Once users
install the Intune company portal app, their devices can be targeted with policy. Before you can manage iOS and
Mac devices, you must import an Apple Push Notification service (APNs) certificate from Apple. This certificate
allows Intune to manage iOS and Mac devices and establishes an accredited and encrypted IP connection with the
mobile device management authority services.
You can also enroll corporate-owned iOS devices. See Enroll company-owned devices.

Enable iOS device enrollment


To support enrollment of iOS devices, you must follow these steps:
Set up iOS device enrollment in Configuration Manager
1. Prerequisites - Before you can set up enrollment for any platform, complete the prerequisites and
procedures in Setup hybrid MDM.
2. Download a certificate signing request - A certificate signing request file (.csr) is required to request an
APNs certificate from Apple.
a. In the Configuration Manager console in the Administration workspace, go to Cloud Services >
Microsoft Intune Subscriptions.
b. On the Home tab, click Create APNs certificate request. The Request Apple Push Notification
Service Certificate Signing Request dialog box opens.
c. Browse to the path to save the new certificate signing request (.csr) file. Save the certificate signing
request (.csr) file locally.
d. Click Download. The new Microsoft Intune .csr file downloads and is saved by Configuration
Manager. The .csr file is used to request a trust relationship certificate from the Apple Push
Certificates Portal.
3. Request an APNs certificate from Apple - The Apple Push Notification service (APNs) certificate is used
to establish a trust relationship between the management service, Intune, and enrolled iOS mobile devices.
a. In a browser, go to the Apple Push Certificates Portal and sign in with your company Apple ID. This
Apple ID must be used in the future to renew your APNs certificate.
b. Complete the wizard using the certificate signing request (.csr) file. Download the APNs certificate
and save the .pem file locally. This APNs certificate (.pem) file is used to establish a trust relationship
between the Apple Push Notification server and Intune's mobile device management authority.
4. Enable enrollment and upload the APNs certificate - To enable iOS enrollment, upload the APNs
certificate.
a. In the Configuration Manager console in the Administration workspace, go to Cloud Services >
Microsoft Intune Subscription.
b. On the Home tab in the Subscription group, click Configure Platforms > iOS.

NOTE
Do not upload the Apple Push Notification service (APNs) certificate until you enable iOS enrollment in the
Configuration Manager console.

c. In the Microsoft Intune Subscription Properties dialog box, select the iOS tab and click to select
the Enable iOS enrollment checkbox.
d. Click Browse, and go to the APNs certificate (.cer) file downloaded from Apple. Configuration
Manager displays the APNs certificate information. Click OK to save the APNs certificate to Intune.
Once you're set up, you'll need to let your users know how to enroll their devices. See What to tell users
about enrolling their devices. This information applies to both Microsoft Intune and Configuration
Manager-managed mobile devices.
Set up Windows hybrid device management with
System Center Configuration Manager and Microsoft
Intune
3/14/2017 • 4 min to read

Applies to: System Center Configuration Manager (Current Branch)


This topic tells IT admins how they can enable their users to bring Windows PCs and mobile devices into
management using Configuration Manager and Microsoft Intune. Two enrollment methods are available:
Azure Active Directory (AD) automatic enrollment when users connect their account to a device
Enrollment by installing and signing in with the Company Portal app

Choose how to enroll Windows devices


Two factors determine how you'll enroll Windows devices:
Do you use Azure Active Directory Premium?
Azure AD Premium is included with Enterprise Mobility + Security and other licensing plans.
What versions of Windows clients will enroll?
Windows 10 devices can automatically enroll by adding a work or school account. Earlier versions must enroll
using the Company Portal app.

                            AZURE AD PREMIUM            OTHER AD
Windows 10                  Automatic enrollment        Company Portal enrollment
Earlier Windows versions    Company Portal enrollment   Company Portal enrollment

Automatic enrollment
Automatic enrollment lets users enroll either company-owned or personal Windows 10 devices by adding a work
or school account and agreeing to be managed. In the background, the user's device registers and connects with
Azure Active Directory. Once registered, the device can be managed with Intune. Managed devices can still use the
Company Portal for tasks, but don't have to install it to become enrolled.
Prerequisites
Azure Active Directory Premium subscription (trial subscription)
Microsoft Intune subscription
Configure automatic enrollment
1. Sign in to the Azure portal, navigate to the Active Directory node in the left pane, and select your directory.
2. Select the Configure tab and scroll to the section called Devices.
3. Select All for Users may workplace join devices.
4. Select the maximum number of devices you want to authorize per user.
By default, two-factor authentication is not enabled for the service. However, two-factor authentication is
recommended when registering a device. Before requiring two-factor authentication for this service, you must
configure a two-factor authentication provider in Azure Active Directory and configure your user accounts for
multi-factor authentication. See Getting started with the Azure Multi-Factor Authentication Server.

Company Portal enrollment


Your end users or a device enrollment manager can enroll Windows devices by installing the Company Portal app
and then signing in with their work credentials. To simplify enrollment for your end users, you should add a
CNAME to your DNS registration.
Enable Windows device management
To enable Windows device management for either PCs or mobile devices, use the following steps:
1. Before you set up enrollment for any platform, complete the prerequisites and procedures in Setup hybrid
MDM.
2. In the Configuration Manager console in the Administration workspace, go to Overview > Cloud Services >
Microsoft Intune Subscriptions.
3. In the ribbon, click Configure Platforms, and then select the Windows platform:
Windows for Windows PCs and laptops, then perform the following steps:
a. In the General tab, click the Enable Windows enrollment checkbox.
b. If you use a certificate to code-sign and deploy the Company Portal app, browse to the Code-signing
certificate. Device users can also install the Company Portal app from the Windows Store, or you
can deploy the app from the Windows Store for Business without code-signing.
c. You can also configure Windows Hello for Business settings.
Windows Phone for Windows phones and tablets, then perform the following steps:
a. In the General tab, click the Windows Phone 8.1 and Windows 10 Mobile checkbox. Windows
Phone 8.0 is no longer supported.
b. If your organization needs to sideload company apps, you can upload the required token or file.
For more information about sideloading apps, see Create Windows apps.
Application enrollment token
.pfx file
None
If you use a Symantec certificate, you can specify Show an alert before Symantec certificates expire.
4. Click OK to close the dialog box. To simplify the enrollment process using the Company Portal, you should
create a DNS alias for device enrollment. You can then tell users how to enroll their devices.
Create DNS alias for device enrollment
A DNS alias (CNAME record type) makes it easier for users to enroll their devices by connecting to the service
without requiring the user to enter a server address. To create a DNS alias (CNAME record type), you have to
configure a CNAME in your company's DNS records that redirects requests sent to a URL in your company's
domain to Microsoft's cloud service servers. For example, if your company's domain is contoso.com, you should
create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to
EnterpriseEnrollment-s.manage.microsoft.com.
Although creating CNAME DNS entries is optional, CNAME records make enrollment easier for users. If no
enrollment CNAME record is found, users are prompted to manually enter the MDM server name,
enrollment.manage.microsoft.com.

TYPE    HOST NAME                                 POINTS TO                                     TTL
CNAME   EnterpriseEnrollment.company_domain.com   EnterpriseEnrollment-s.manage.microsoft.com   1 hour
If you have more than one UPN suffix, you need to create one CNAME for each domain name and point each one
to EnterpriseEnrollment-s.manage.microsoft.com. For example, if users at Contoso use name@contoso.com, but
also use name@us.contoso.com and name@eu.contoso.com as their email/UPN, the Contoso DNS admin would
need to create the following CNAMEs.

TYPE    HOST NAME                            POINTS TO                                     TTL
CNAME   EnterpriseEnrollment.contoso.com     EnterpriseEnrollment-s.manage.microsoft.com   1 hour
CNAME   EnterpriseEnrollment.us.contoso.com  EnterpriseEnrollment-s.manage.microsoft.com   1 hour
CNAME   EnterpriseEnrollment.eu.contoso.com  EnterpriseEnrollment-s.manage.microsoft.com   1 hour
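The two requirements above (one enrollment CNAME per UPN suffix, and a publicly resolvable UPN rather than a NetBIOS-style logon name as described under the domain name requirements) can be checked together before users are told to enroll. The following checker is an added example, not Microsoft's code; the user list and zone records it runs against are constructed for illustration.

```python
"""Check enrollment CNAMEs for every UPN suffix in use.

Windows auto-discovery looks up EnterpriseEnrollment.<upn-suffix> and expects
it to be a CNAME for EnterpriseEnrollment-s.manage.microsoft.com. This added
example derives the required records from a user list and compares them with
the CNAMEs present in the zone. All input data below is constructed.
"""

ENROLLMENT_HOST = "EnterpriseEnrollment"
ENROLLMENT_TARGET = "enterpriseenrollment-s.manage.microsoft.com"


def upn_suffix(upn):
    """Return the DNS suffix of a publicly resolvable UPN (user@domain),
    or None for a NetBIOS-style name such as CONTOSO\\johndoe, which cannot
    be licensed for Intune without an alternate login ID."""
    if "\\" in upn or "@" not in upn:
        return None
    suffix = upn.rsplit("@", 1)[1].strip().lower().rstrip(".")
    return suffix or None


def required_cnames(upns):
    """Map each required CNAME name (lower-cased) to the UPN suffix it serves."""
    suffixes = {s for s in (upn_suffix(u) for u in upns) if s}
    return {f"{ENROLLMENT_HOST}.{s}".lower(): s for s in suffixes}


def check_enrollment_cnames(upns, zone_records):
    """zone_records: iterable of (type, name, target) tuples as read from the
    zone. Returns which required CNAMEs are present, missing, or pointing at
    the wrong target, plus users whose UPN needs an alternate login ID."""
    cnames = {}
    for rtype, name, target in zone_records:
        if rtype.upper() == "CNAME":
            cnames[name.lower().rstrip(".")] = target.lower().rstrip(".")

    result = {"ok": [], "missing": [], "wrong_target": {}, "needs_alternate_id": []}
    for upn in upns:
        if upn_suffix(upn) is None:
            result["needs_alternate_id"].append(upn)
    for name in sorted(required_cnames(upns)):
        target = cnames.get(name)
        if target is None:
            result["missing"].append(name)
        elif target != ENROLLMENT_TARGET:
            result["wrong_target"][name] = target
        else:
            result["ok"].append(name)
    return result


# Constructed sample data: three UPN suffixes plus one NetBIOS-style logon name.
SAMPLE_UPNS = [
    "alice@contoso.com",
    "bob@us.contoso.com",
    "carol@eu.contoso.com",
    "CONTOSO\\dave",
]

# Constructed zone: contoso.com is correct, us.contoso.com points at the
# interactive MDM server name instead of the discovery alias, eu is absent.
SAMPLE_ZONE = [
    ("CNAME", "enterpriseenrollment.contoso.com", "EnterpriseEnrollment-s.manage.microsoft.com."),
    ("CNAME", "EnterpriseEnrollment.us.contoso.com", "enrollment.manage.microsoft.com"),
    ("MX", "contoso.com", "mail.contoso.com"),
]


if __name__ == "__main__":
    report = check_enrollment_cnames(SAMPLE_UPNS, SAMPLE_ZONE)
    for key, value in report.items():
        print(f"{key}: {value}")
```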

Tell users how to enroll devices


Once you're set up, you'll need to let your users know how to enroll their devices. See What to tell users about
enrolling their devices for guidance. You can direct users to Enroll your Windows device in Intune. This information
applies to both Microsoft Intune and Configuration Manager-managed mobile devices.
Set up Android hybrid device management with
System Center Configuration Manager and Microsoft
Intune
3/6/2017 • 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


For System Center Configuration Manager, users can download the Android company portal app from Google Play
that lets them enroll Android (including Samsung KNOX Standard) devices. With the Android company portal app,
you can manage compliance settings, wipe or delete Android devices, deploy apps, and collect software and
hardware inventory. If the Android company portal app is not installed on Android devices, then you will not have
all the management capabilities, such as inventory and compliance settings, but you can still deploy apps to
Android devices.

Prepare to manage Android mobile devices with Configuration Manager and Intune
The following steps allow Configuration Manager to manage Android devices.
To enable Android enrollment
1. Prerequisites - Before you can set up enrollment for any platform, complete the prerequisites and
procedures in Setup hybrid MDM.
2. In the Configuration Manager console in the Administration workspace, go to Cloud Services >
Microsoft Intune Subscription.
3. On the Home tab in the Subscription group, click Configure Platforms > Android.
4. In the Microsoft Intune Subscription Properties dialog box, select the Android tab and click to select the
Enable Android enrollment checkbox.
Once you're set up, you'll need to let your users know how to enroll their devices. See What to tell users
about enrolling their devices. This information applies to both Microsoft Intune and Configuration Manager-
managed mobile devices.
Set up additional management with System Center
Configuration Manager
3/6/2017 • 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


(Optional) You can set up additional management before devices are enrolled. These management solutions can
be created and deployed after devices are enrolled, although many organizations prefer to deploy them as devices
are brought into management.
Configuration items let you manage settings such as requiring a PIN or requiring encryption on enrolled devices
based on device platform:
Windows 10 and Windows 8.1 devices
Windows Phone devices
iOS and Mac devices
Android and Samsung KNOX Standard devices
Applications can be deployed to managed devices:
iOS applications
Mac applications
Windows PC applications
Windows Phone applications
Android applications
Conditional access lets you manage access to company resources including:
Email access
SharePoint access
Skype for Business access
Dynamics CRM Online
Multi-factor Authentication (MFA) lets you require more than one verification method, which adds a critical
second layer of security to user sign-ins and transactions. Previously, you would go to either the Intune console or
the Configuration Manager console to set MFA for Intune enrollments. Now, you log in to the Microsoft Azure
portal using your Intune credentials and configure MFA settings through Azure AD. To learn more, see Multi-factor
authentication for Microsoft Intune.
Verify MDM configuration with System Center
Configuration Manager
3/6/2017 • 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


You can verify certain device management components by checking the following log files:
Check the Cloudusersync.log to verify that user accounts are successfully synchronized.
Check the Sitecomp.log to verify that the service connection point was created successfully.
You can review Log files in System Center Configuration Manager for more information about these specific log
files and how to view them.
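Both log files use the CMTrace entry format, in which each entry carries a type attribute (1 = informational, 2 = warning, 3 = error). The following scanner, an added example rather than a Microsoft tool, parses that format and surfaces the warning and error entries; the log lines it runs on are constructed to illustrate the format and are not taken from a real site.

```python
"""Scan Configuration Manager logs (CMTrace format) for warnings and errors.

Added example, not part of the documentation. A CMTrace entry looks like
  <![LOG[message]LOG]!><time="..." date="..." component="..." context=""
  type="N" thread="N" file="...">
where type 1 is informational, 2 is a warning and 3 is an error. The sample
log text at the bottom is constructed for illustration.
"""
import re

_ENTRY = re.compile(
    r'<!\[LOG\[(?P<message>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"'
    r'\s+component="(?P<component>[^"]*)"\s+context="[^"]*"'
    r'\s+type="(?P<type>\d)"\s+thread="\d+"\s+file="[^"]*">',
    re.DOTALL,
)

SEVERITY = {"1": "info", "2": "warning", "3": "error"}


def parse_cmtrace(text):
    """Return the entries in a CMTrace-format log as a list of dicts.
    Messages may span several lines, so the whole text is scanned at once."""
    entries = []
    for match in _ENTRY.finditer(text):
        entries.append({
            "date": match.group("date"),
            "time": match.group("time"),
            "component": match.group("component"),
            "severity": SEVERITY.get(match.group("type"), "unknown"),
            "message": match.group("message").strip(),
        })
    return entries


def find_problems(text):
    """Entries an admin verifying MDM setup should look at first."""
    return [e for e in parse_cmtrace(text) if e["severity"] in ("warning", "error")]


def severity_counts(text):
    """Count entries per severity, e.g. to confirm a sync ran without errors."""
    counts = {"info": 0, "warning": 0, "error": 0, "unknown": 0}
    for entry in parse_cmtrace(text):
        counts[entry["severity"]] += 1
    return counts


# Constructed sample in the shape of Cloudusersync.log; component and file
# names are illustrative, not copied from a real log.
SAMPLE_CLOUDUSERSYNC_LOG = (
    '<![LOG[Starting user sync for collection SMS00001]LOG]!>'
    '<time="10:15:02.123+000" date="03-06-2017" component="CloudUserSync" '
    'context="" type="1" thread="1234" file="cloudusersync.cpp:100">\n'
    '<![LOG[User john@contoso.com has no UPN suffix verified in the tenant; skipping]LOG]!>'
    '<time="10:15:03.456+000" date="03-06-2017" component="CloudUserSync" '
    'context="" type="2" thread="1234" file="cloudusersync.cpp:210">\n'
    '<![LOG[Failed to sync collection SMS00001:\nconnection to the service timed out]LOG]!>'
    '<time="10:15:40.789+000" date="03-06-2017" component="CloudUserSync" '
    'context="" type="3" thread="1234" file="cloudusersync.cpp:220">\n'
)


if __name__ == "__main__":
    for problem in find_problems(SAMPLE_CLOUDUSERSYNC_LOG):
        print(f'{problem["date"]} {problem["time"]} {problem["severity"].upper()}: {problem["message"]}')
    print(severity_counts(SAMPLE_CLOUDUSERSYNC_LOG))
```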
Enroll user-owned devices for hybrid deployments
with Configuration Manager
3/6/2017 • 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


User-owned devices (BYOD) can be brought into management in a variety of ways depending upon the device and
how it was purchased.
Once enrollment is enabled, user-owned devices can be enrolled via the company portal app.
Resources about the end-user experience with Microsoft Intune reviews some of the steps that end users take to do
different tasks in Intune after they enroll their devices.
Enroll company-owned devices for hybrid
deployments with Configuration Manager
3/6/2017 • 2 min to read

Applies to: System Center Configuration Manager (Current Branch)


Organization or corporate-owned devices (COD) can be brought into management in a variety of ways depending
upon the device and how it was purchased.

Enroll Device Enrollment Program iOS devices


Deploys an enrollment profile “over the air” to devices purchased through Apple's Device Enrollment Program.
When the user runs Setup Assistant on the device, the device is enrolled in Intune. Devices enrolled through DEP
cannot be un-enrolled by users. See iOS Device Enrollment Program (DEP) enrollment for hybrid deployments
with Configuration Manager.

Enroll iOS devices with Apple Configurator


This method requires the administrator to USB connect the iOS device to a Mac computer running Apple
Configurator to preconfigure the enrollment. Devices are then delivered to their users who run the Setup Assistant
process, configuring the device with their work or school credentials and completing the enrollment process. See
iOS hybrid enrollment using Apple Configurator with Configuration Manager.

Device Enrollment Manager


Organizations can use Intune to manage large numbers of mobile devices with a single user account called a
device enrollment manager account. After creating a device enrollment manager account, that account can be
used by a manager to enroll more than the standard five devices allowed by default to normal users. Enrolling
devices with a device enrollment manager only works for devices that aren't used by a specific user. These devices
are good for point-of-sale or utility apps, for example, but bad for users who need access to email or company
resources. See Enroll devices with device enrollment manager with Configuration Manager.

User affinity for managed devices


When configuring profiles for corporate-owned devices, the administrator can specify whether the managed
devices support user affinity which identifies a specific user with the device. Devices configured with user affinity
can install and run the Company Portal app to download apps and manage devices. See User affinity for hybrid
managed devices in Configuration Manager.

Manage devices with Activation Lock


Microsoft Intune can help you manage iOS Activation Lock, a feature of the Find My iPhone app for iOS 7.1 and
later devices. Activation Lock is enabled automatically when the Find My iPhone app is used on a device. See
Manage iOS Activation Lock with System Center Configuration Manager.

Predeclare devices with IMEI or iOS serial numbers


You can identify corporate-owned devices by importing their International Mobile Equipment Identity (IMEI)
numbers or iOS serial numbers. You can upload a comma-separated values (.csv) file containing device IMEI
numbers, or you can manually enter device information. See Predeclare devices with hardware ID numbers.
iOS Device Enrollment Program (DEP) enrollment for
hybrid deployments with Configuration Manager
3/6/2017 • 6 min to read

Applies to: System Center Configuration Manager (Current Branch)


Companies can purchase iOS devices through Apple's device enrollment program and then manage them using
Microsoft Intune. To manage corporate-owned iOS devices with the Apple Device Enrollment Program (DEP),
companies must complete the steps with Apple to participate in the program and acquire devices through that
program. Details of that process are available at: https://deploy.apple.com. Advantages of the program include
hands-free set up of devices without USB-connecting each device to a computer.
Before you can enroll corporate-owned iOS devices with the DEP, you need a DEP token from Apple. This token
allows Intune to sync information about DEP-participating devices owned by your corporation. It also lets Intune
upload enrollment profiles to Apple and assign devices to those profiles.

Apple DEP enrollment for iOS devices


The following procedures describe how to specify iOS devices purchased through Apple DEP as Intune-managed
company-owned devices. When the user first powers up the device, it receives the DEP management profile, runs
the Setup Assistant, and is brought into management.
Enable DEP enrollment in Configuration Manager with Intune
1. Start managing iOS devices with Configuration Manager
Before you can enroll iOS Device Enrollment Program (DEP) devices, you must complete steps to Set up
Hybrid mobile device management including steps to support iOS enrollment.
2. Create a DEP token request
In the Configuration Manager console, in the Administration workspace, expand Hierarchy
Configuration, expand Cloud Services, and click Windows Intune Subscriptions. Click Create DEP
Token Request on the Home tab, click Browse to specify the download location for the DEP token request,
and then click Download. Save the DEP token request (.pem) file locally. The .pem file is used to request a
trusted token (.p7m) from the Apple Device Enrollment Program portal.
3. Get a Device Enrollment Program token
Go to the Device Enrollment Program portal (https://deploy.apple.com) and sign in with your company
Apple ID. This Apple ID must be used in the future to renew your DEP token.
a. In the Device Enrollment Program portal, go to Device Enrollment Program > Manage Servers,
and then click Add MDM Server.
b. Enter the MDM Server Name, and then click Next. The server name is for your reference to identify
the MDM server. It is not the name or URL of the Intune or Configuration Manager server.
c. The Add dialog box opens. Click Choose File… to upload the .pem file that you created in the
previous step, and then click Next.
d. The Add dialog box displays a Your Server Token link. Download the server token (.p7m) file to
your computer, and then click Done.
This certificate (.p7m) file is used to establish a trust relationship between Intune and Apple’s Device
Enrollment Program servers.
4. Add the DEP token to Configuration Manager
In the Configuration Manager console, in the Administration workspace, expand Hierarchy
Configuration and click Windows Intune Subscriptions. Click Configure Platforms on the Home tab
and click iOS. Select Enable Device Enrollment Program, browse to the certificate (.p7m) file, click Open,
click Upload, and then click OK.
Set up enrollment for Apple Device Enrollment Program (DEP) iOS devices
1. Add a Corporate Device Enrollment policy
In the Configuration Manager console, in the Assets and Compliance workspace, expand Overview,
expand All Corporate-owned Devices, expand iOS, and click Enrollment Profiles. Click Create Profile
on the Home tab to open the Create Profile wizard. Configure the settings on the following pages:
a. On the General page, specify the following information, and then click Next.
Name – Name of the device enrollment profile. (Not visible to users)
Description - Description of the device enrollment profile. (Not visible to users)
User affinity – Specifies how devices are enrolled. See User affinity for hybrid managed
devices in Configuration Manager.
Prompt for user affinity: The device must be affiliated with a user during initial setup and
could then be permitted to access company data and email as that user. User affinity
should be configured for DEP-managed devices that belong to users and need to use the
company portal (i.e. to install apps).

NOTE
DEP with user affinity requires ADFS WS-Trust 1.3 Username/Mixed endpoint to be enabled to
request user token.

No user affinity: The device is not affiliated with a user. Use this affiliation for devices that
perform tasks without accessing local user data. Apps requiring user affiliation won’t work.
b. On the Device Enrollment Program page, specify the following information, and then click Next.
Department: This information appears when users tap "About Configuration" during
activation.
Support phone number: Displayed when the user clicks the Need Help button during
activation.
Preparation mode: This state is set during activation and cannot be changed without factory
resetting the device:
Unsupervised - Limited management capabilities
Supervised - Enables more management options and disables Activation Lock by
default
Lock enrollment profile to device: This state is set during activation and cannot be changed
without a factory reset.
Disable - Allows the management profile to be removed from the Settings menu
Enable - (Requires Preparation Mode = Supervised) Disables iOS settings that
could allow removal of the management profile
c. On the Setup Assistant page, configure the settings that customize the iOS Setup Assistant that
starts when the device is first powered on, and then click Next. These settings include:
Passcode - Prompt for passcode during activation. Always require a passcode unless the device
will be secured or have access controlled in some other manner (e.g., kiosk mode that restricts the
device to one app).
Location Services - If enabled, Setup Assistant prompts for the service during activation
Restore - If enabled, Setup Assistant prompts for iCloud backup during activation
Apple ID - An Apple ID is required to download iOS App Store apps, including those installed by
Intune. If enabled, iOS will prompt users for an Apple ID when Intune attempts to install an app
without an ID.
Terms and Conditions - If enabled, Setup Assistant prompts users to accept Apple's terms and
conditions during activation
Touch ID - If enabled, Setup Assistant prompts for this service during activation
Apple Pay - If enabled, Setup Assistant prompts for this service during activation
Zoom - If enabled, Setup Assistant prompts for this service during activation
Siri - If enabled, Setup Assistant prompts for this service during activation
Send diagnostic data to Apple - If enabled, Setup Assistant prompts for this service during
activation
d. On the Additional Management page, specify whether a USB connection can be used for
additional management settings. When you select Require certificate, you must import an Apple
Configurator management certificate to use for this profile. Set to Disallow to prevent syncing files
with iTunes or management via Apple Configurator. Microsoft recommends you set to Disallow,
export any further configuration from Apple Configurator, and then deploy as a Custom iOS
configuration profile, rather than use this setting to allow manual deployment with or without a
certificate.
Disallow - Prevents the device from communicating via USB (disables pairing)
Allow - Allows the device to communicate via USB connection with any PC or Mac
Require certificate - Allows pairing with a Mac with a certificate imported to the enrollment
profile
2. Assign DEP Devices for management
Go to the Device Enrollment Program portal (https://deploy.apple.com) and sign in with your company
Apple ID. Go to Deployment Program > Device Enrollment Program > Manage Devices. Specify how
you will Choose Devices, provide device information and specify details by device Serial Number, Order
Number, or Upload CSV File. Next, select Assign to Server and select the <ServerName> that you
specified in step 3, and then click OK.
3. Synchronize DEP-managed devices
In the Assets and Compliance workspace, go to All Corporate-owned Devices > iOS > Device
Information. On the Home tab, click DEP Sync. A sync request is sent to Apple. After synchronization
completes, the DEP-managed devices are displayed. The Enrollment Status for managed devices reads
Not contacted until the device is powered on and runs the Setup Assistant to enroll the device.
4. Distribute devices to users
You can now give your corporate-owned devices to users. When an iOS device is turned on it will be
enrolled for management by Intune.
iOS hybrid enrollment using Apple Configurator with
Configuration Manager
3/6/2017 • 4 min to read

Applies to: System Center Configuration Manager (Current Branch)


Companies that buy iOS devices to be used by employees can manage them using Microsoft Intune. To prepare
corporate-owned iOS devices for enrollment, you configure an enrollment profile in the Configuration Manager
console and then export the profile URL for use by Apple Configurator. You prepare the iOS device for enrollment
by connecting it to a Mac computer with a USB cable and using Apple Configurator to set it up. Apple Configurator
factory resets the device and adds the enrollment profile so that the device can be enrolled when the user first
powers it up and goes through the Setup Assistant process.
The following procedure is recommended for dedicated iOS devices that will have a single user who uses the
device to access company email and company resources such as apps and data.

Prerequisites
Physical access to iOS devices
Device serial numbers - How to get an iOS serial number
Mac computer with Apple Configurator 2.0
USB cables for connecting devices to your Mac computer

Step 1: Add a corporate-owned device enrollment profile


1. In the Configuration Manager console, go to Assets and Compliance > Overview > All Corporate-owned
Devices > iOS > Enrollment Profiles. Click Create Profile to open the Create Profile wizard.
Configure the settings on the following pages:
2. On the General page, specify the following information:
Name (Not visible to users)
Description (Not visible to users)
User affinity – Specifies how devices are enrolled. For most Setup Assistant scenarios, use Prompt
for user affinity.
Prompt for user affinity: The device must be affiliated with a user during initial setup and
could then be permitted to access company data and email as that user.
No user affinity: The device is not affiliated with a user. Use this affiliation for devices that
perform tasks without accessing local user data. Apps requiring user affiliation won’t work.
Click Next to continue.
3. On the Device Enrollment Program page, leave the Configure Device Enrollment Program settings
for this profile checkbox unchecked, and click Next.
4. Review the summary, and then click Next to create the enrollment profile. Click Close to finish the wizard.
You're now ready to add IMEI numbers or serial numbers for the devices you want to enroll.
Step 2: Predeclare devices to enroll with Setup Assistant
In this step, you predeclare devices as corporate-owned by providing a list of hardware identifiers (IMEI or serial
numbers).
For more information, see Predeclare devices with IMEI and iOS serial number. When you're done with that task,
return to this page to continue with the next step.

Step 3: Export the profile to deploy to iOS devices


1. In the Configuration Manager console, go to Assets and Compliance > Overview > All Corporate-owned
Devices > iOS > Enrollment Profiles.
2. Select the enrollment profile to deploy to mobile devices and click Export….
3. Copy and save the Profile URL in a file you can edit.
4. To support Apple Configurator 2, the 2.0 Profile URL must be edited. Replace the following portion of the
URL:

https://manage.microsoft.com/EnrollmentServer/Discovery.svc/iOS/ESProxy?id=

with

https://appleconfigurator2.manage.microsoft.com/MDMServiceConfig?id=

5. Save the edited profile URL. You will use it to add the enrollment profile URL in Apple Configurator in the
next section.

NOTE
The enrollment profile URL is valid for two weeks from when it is exported. After two weeks, you must export a new URL to
enroll iOS devices.

Step 4: Prepare the device with Apple Configurator


To prepare iOS devices for enrollment, you connect each device to a Mac computer and upload the enrollment
profile to it.

WARNING
Apple Configurator wipes and resets devices to factory configurations.

1. On a Mac computer, open Apple Configurator 2.


2. In the menu bar, click Apple Configurator 2 > Preferences.
3. In the preferences pane, select Servers and click the "+" symbol below the left pane to launch the MDM
Server wizard. Click Next.
4. Enter the Name and Enrollment URL you saved earlier. Click Next.
NOTE
If you receive a warning about trust profile requirements for Apple TV, you can safely cancel the Trust Profile option
by clicking the grey "X". You can also safely disregard any Anchor certificate warning.

To continue, click Next until the wizard is complete.


5. On the Servers pane, click “Edit” beside the new server’s profile. Ensure that the Enrollment URL exactly
matches the URL you entered earlier. Reenter the URL if it is different, and click Save.
6. With a USB cable, connect an iOS device to the Mac computer.

WARNING
This process resets devices to factory configurations. Prior to connecting the device, reset the device and power it on.
As a best practice, the device should be at the Hello screen before continuing.

7. Click Prepare. On the Prepare iOS Device pane, select Manual, and then click Next.
8. On the Enroll in MDM Server pane, select the server name you created, and then click Next.
9. On the Create an Organization pane, choose the Organization or create a new organization, and then
click Next.
10. On the Configure iOS Setup Assistant pane, choose the steps to present to the user, and then click
Prepare. If prompted, authenticate to update trust settings.
11. When finished, you can disconnect the USB cable.
Repeat these steps for all the devices you want to prepare for enrollment.

Step 5: Distribute devices


The devices are now ready for corporate enrollment. Power down the devices and distribute them to users. When
the device is turned on, Setup Assistant will start and prompt the user for their work or school account to begin
enrollment.
Enroll devices with device enrollment manager with
Configuration Manager
3/6/2017 • 3 min to read

Applies to: System Center Configuration Manager (Current Branch)


Organizations can use System Center Configuration Manager and Intune to manage large numbers of mobile
devices with a single user account. The device enrollment manager account is a special Intune account with
permission to enroll more than five devices.

Enroll corporate-owned devices with the device enrollment manager


You can assign a device enrollment manager user account to a store manager or supervisor, for example, to
allow that person to do the following:
Enroll devices for management
Use Company Portal app to install company apps
Install and uninstall software
Configure access to company data
The following limitations apply to devices managed using a device enrollment manager account:
The store manager cannot reset the device from the company portal.
Devices cannot be workplace joined or Azure Active Directory joined. This prevents these devices from using
conditional access.
To deploy company apps to devices managed with the device enrollment manager, deploy Company Portal
app as a Required Install to the device enrollment manager's user account. The device enrollment manager
can then launch the Company Portal app to install additional apps.
To improve performance, the Company Portal app only shows the local device. Remote management of other
DEM devices can only be done from the Configuration Manager console by an administrator.
The Company Portal website is not available for device enrollment manager accounts. Use the Company
Portal app.
Example device enrollment manager scenario:
A restaurant wants point-of-sale tablets for its wait staff and order-monitors for its kitchen staff. The
employees never need access to company data or to log on as a user. The Intune administrator creates a
device enrollment manager account and enrolls the company-owned devices using that account.
Alternatively, the administrator could give the device enrollment manager credentials to a restaurant
manager, allowing him or her to enroll and manage the devices.
The administrator or manager can deploy role-specific apps to the restaurant devices. An administrator can
also select a device in the console and retire it from mobile device management.
Add a device enrollment manager
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Cloud Services, and click Microsoft Intune Subscriptions.
Select the Microsoft Intune subscription to which you'll add a device enrollment manager, and then click
Properties.
3. In the Microsoft Intune Subscription Properties dialog box, click the Device Enrollment Manager tab.
4. Click Add/Remove.
5. In the Device Enrollment Manager dialog, type the user name of the user you want to add as a device
enrollment manager and then click Search. Select the user you'd like to add as a Device Enrollment
Manager and click Add.
6. Confirm the user account that will be a device enrollment manager and click Add/Remove. A subscription
license is required for each user that accesses the service and the device enrollment manager cannot be an
Intune administrator. Determine whether you need to add more licenses before you use this feature.
7. The device enrollment manager can now enroll mobile devices using the same procedure an end user uses
for a bring-your-own-device (BYOD) scenario in the company portal.
Delete a device enrollment manager from Intune
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Cloud Services, and click Microsoft Intune Subscriptions.
Select the Microsoft Intune subscription that contains the device enrollment manager you want to delete, and
then click Properties.
3. In the Microsoft Intune Subscription Properties dialog box, click the Device Enrollment Manager tab.
4. Search for the device enrollment manager you'd like to delete and click Remove, then OK.
Deleting a device enrollment manager does not affect enrolled devices. When a device enrollment manager
is deleted:
No enrolled devices are affected
Enrolled devices continue to be fully managed
The deleted device enrollment manager account credentials remain valid to log on to the company portal
to access apps
The deleted device enrollment manager account credentials still cannot wipe or retire devices
The deleted device enrollment manager account’s relationship to enrolled devices remains but no
additional devices can be enrolled
Predeclare devices with IMEI or iOS serial numbers
3/6/2017 • 2 min to read

Applies to: System Center Configuration Manager (Current Branch)


You can identify corporate-owned devices by importing their international mobile equipment identity (IMEI)
numbers or iOS serial numbers. You can upload a comma-separated values (.csv) file containing device IMEI
numbers or serial numbers, or you can manually enter device information. Imported information sets the
Ownership of the devices that enroll to Corporate in lists of devices. An Intune license is still required for each
user that accesses the service.

How to predeclare corporate-owned devices


1. In the Configuration Manager console, go to Assets and Compliance > Overview > All Corporate-owned
devices > Predeclared devices.
2. Click Create Predeclared Devices. The Create Predeclared Devices wizard opens.
3. Choose how you want to add device information:
Upload a CSV file containing IMEI or serial numbers and details
For this option, click Browse to specify the .csv file containing information to predeclare corporate-
owned devices. The .csv file must be formatted correctly. For more information, see Format for
uploading .csv files.
Manually add IMEI or serial numbers and details
To manually enter information, type the IMEI number or iOS serial number and details for the
devices. Correct any error or warnings before continuing.
Click Next.
4. If you uploaded a .csv file, review the results of the file import. If a device number was previously imported,
Configuration Manager displays those devices and the replacement Details. Select the devices whose
details you want to overwrite. Device details can only be modified by reimporting the device identification
or serial number.
If you chose to manually enter numbers, complete the form for the devices you want to predeclare.
Click Next to continue.
5. If your list includes iOS serial numbers, select the Enrollment Profile to Assign from the list of available
profiles, and then click Next.
6. Click Next to review the details, and then click Next again to upload the data.
7. Click Close to finish.

Format for uploading .csv files


The .csv file you use to identify devices by IMEI or serial number must have the following format, excluding the top
row, which is provided for guidance only. Each row must contain either an IMEI number or an iOS serial number. Only
the serial numbers of iOS devices can be predeclared; use the IMEI number for other device platforms. This table
contains sample data:
IMEI # | IOS SERIAL # | OS | DETAILS
123456789012345 | | WINDOWS | Company-owned Windows device
| A1B2C3D4E5C6 | IOS | Company-owned iOS device
223456789012345 | E6D5C4B3A210 | IOS | Another iOS device
323456789012345 | | IOS | A third iOS device
123456789012346 | | ANDROID | Company-owned Android device

Do not include a header row in your .csv file. The following example shows the same sample data in CSV format:

123456789012345,,WINDOWS,Company-owned Windows device
,A1B2C3D4E5C6,IOS,Company-owned iOS device
223456789012345,E6D5C4B3A210,IOS,Another iOS device
323456789012345,,IOS,A third iOS device
123456789012346,,ANDROID,Company-owned Android device

The columns in the .csv file accept the following values:

COLUMN 1 | COLUMN 2 | COLUMN 3 | COLUMN 4
IMEI number without spaces | iOS serial number | IOS, WINDOWS, or ANDROID | Optional device details (1024 character limit)
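The rules above (one identifier per row, 15-digit IMEI without spaces, serial numbers only for IOS, three allowed OS values, a 1024-character details limit, and no header row) are easy to get wrong in a hand-built file, and the wizard only reports problems after upload. The following validator, an added example rather than Configuration Manager or Intune code, checks a .csv file against those rules before you import it; the serial-number pattern and the sample rows are assumptions constructed for the example.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values the four columns accept, per the table above.
ALLOWED_OS = {"IOS", "WINDOWS", "ANDROID"}
IMEI_RE = re.compile(r"^[0-9]{15}$")            # 15 digits, no spaces
SERIAL_RE = re.compile(r"^[A-Za-z0-9]{1,20}$")  # assumption: alphanumeric; the page fixes no length
MAX_DETAILS = 1024


@dataclass
class PredeclaredDevice:
    imei: Optional[str]
    serial: Optional[str]
    os_name: str
    details: str


def looks_like_header(fields: List[str]) -> bool:
    """A header row is not allowed in the upload; detect the obvious one."""
    upper = [f.strip().upper() for f in fields]
    return bool(upper) and (upper[0].startswith("IMEI") or (len(upper) > 2 and upper[2] == "OS"))


def validate_row(fields: List[str], line_no: int) -> Tuple[Optional[PredeclaredDevice], List[str]]:
    """Validate one CSV row; returns (device, []) on success or (None, errors)."""
    if len(fields) != 4:
        return None, [f"line {line_no}: expected 4 columns, found {len(fields)}"]
    imei, serial, os_name, details = (f.strip() for f in fields)
    os_name = os_name.upper()
    errors = []
    if not imei and not serial:
        errors.append(f"line {line_no}: row needs an IMEI number or an iOS serial number")
    if imei and not IMEI_RE.match(imei):
        errors.append(f"line {line_no}: IMEI must be exactly 15 digits without spaces: {imei!r}")
    if serial and not SERIAL_RE.match(serial):
        errors.append(f"line {line_no}: serial number has unexpected characters: {serial!r}")
    if os_name not in ALLOWED_OS:
        errors.append(f"line {line_no}: OS must be one of {sorted(ALLOWED_OS)}: {os_name!r}")
    if serial and os_name != "IOS":
        errors.append(f"line {line_no}: only iOS devices can be predeclared by serial number; "
                      f"use the IMEI for {os_name or 'this platform'}")
    if len(details) > MAX_DETAILS:
        errors.append(f"line {line_no}: details exceed {MAX_DETAILS} characters ({len(details)})")
    if errors:
        return None, errors
    return PredeclaredDevice(imei or None, serial or None, os_name, details), []


def validate_csv(text: str) -> Tuple[List[PredeclaredDevice], List[str]]:
    """Validate a whole file; blank lines are skipped, every other row must pass."""
    devices, errors = [], []
    for line_no, fields in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(f.strip() for f in fields):
            continue
        if line_no == 1 and looks_like_header(fields):
            errors.append("line 1: do not include a header row in the .csv file")
            continue
        device, row_errors = validate_row(fields, line_no)
        if device is not None:
            devices.append(device)
        errors.extend(row_errors)
    return devices, errors


# The sample rows shown above (constructed sample data, not real devices).
SAMPLE_CSV = """\
123456789012345,,WINDOWS,Company-owned Windows device
,A1B2C3D4E5C6,IOS,Company-owned iOS device
223456789012345,E6D5C4B3A210,IOS,Another iOS device
323456789012345,,IOS,A third iOS device
123456789012346,,ANDROID,Company-owned Android device
"""

# Constructed rows that each break one rule.
BAD_CSV = """\
IMEI #,IOS SERIAL #,OS,DETAILS
1234 5678 9012 345,,WINDOWS,IMEI contains spaces
,A1B2C3D4E5C6,ANDROID,serial number on a non-iOS platform
,,IOS,no identifier at all
123456789012347,,LINUX,unsupported platform
"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CSV), ("bad", BAD_CSV)):
        devices, errors = validate_csv(text)
        print(f"{label}: {len(devices)} valid device(s), {len(errors)} error(s)")
        for err in errors:
            print("  " + err)
```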
Manage iOS Activation Lock with System Center
Configuration Manager
3/6/2017 • 3 min to read

Applies to: System Center Configuration Manager (Current Branch)


System Center Configuration Manager can help you manage iOS Activation Lock, a feature of the Find My iPhone
app for iOS 7.1 and later devices. When Activation Lock is enabled, the user's Apple ID and password must be
entered before anyone can:
Turn off Find My iPhone
Erase the device
Reactivate the device
On unsupervised devices, Activation Lock is enabled automatically when the Find My iPhone app is used.
On supervised devices, you must activate Activation Lock by using Configuration Manager compliance settings.

TIP
Supervised mode for iOS devices lets you use the Apple Configurator Tool to lock down a device to limit functionality to
specific business purposes. Supervised mode is generally only for corporate-owned devices.

While Activation Lock helps secure iOS devices and improves the chances of recovery if they are lost or stolen,
this capability can present you, as an IT admin, with a number of challenges. For example:
One of your users sets up Activation Lock on a device. The user then leaves the company and returns the device.
Without the user's Apple ID and password, there is no way to reactivate the device, even if you wipe it.
You need a report of all devices that have Activation Lock enabled.
During a device refresh in your organization, you want to reassign some devices to a different department. You
can only reassign devices that do not have Activation Lock enabled.
To help solve these problems, Apple introduced Activation Lock bypass in iOS 7.1. This lets you remove the
Activation Lock from supervised devices without the user's Apple ID and password. Supervised devices can
generate a device-specific Activation Lock bypass code, which is stored on Apple's activation server.
You can read more about Activation Lock here.

How Configuration Manager helps you manage Activation Lock


Configuration Manager can help you manage Activation Lock in two ways:
1. Enable Activation Lock on supervised devices.
2. Bypass Activation Lock on supervised devices.

IMPORTANT
You cannot bypass Activation Lock on unsupervised devices.

The business benefits of this for corporate-owned devices are:


The user gets the security benefits of the Find My iPhone app
You can enable the user to do their work knowing that when the device needs to be repurposed, you can retire
or unlock it

Enable Activation Lock on supervised devices


You use Configuration Manager compliance settings to create and deploy a configuration item of the type iOS and
Mac OS X to enable Activation Lock on supervised devices:
1. Use the information in the topic How to create configuration items for iOS and Mac OS X devices managed
without the System Center Configuration Manager client to create a configuration item of the type iOS and
Mac OS X.
2. On the System Security page of the Create Configuration Item Wizard, configure the setting Allow Activation
Lock (supervised mode only) to Allowed.
3. Add the configuration item to a configuration baseline.
4. Deploy this configuration baseline to a collection containing the iOS devices for which you want to enable
Activation Lock.

IMPORTANT
Ensure you are in physical possession of the device before you follow this procedure. If you do not, the Activation Lock will
be bypassed and whoever is in possession of the device will have full access to it, allowing them to turn off Find My iPhone,
erase the device, or reactivate it.

You can only bypass Activation Lock or retrieve the Activation Lock bypass code on supervised devices; trying to
bypass activation lock on an unsupervised device or view the bypass code results in an error.

View the Activation Lock bypass code


1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, click Devices.
3. Select an enrolled device that is in supervised mode that has Activation Lock enabled.
4. On the Home tab, in the Device group, click Remote Device Actions > View Activation Lock Bypass Code.
5. The Activation Lock Bypass Code dialog box displays the bypass code for the selected device.

Bypass Activation Lock


1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, click Devices.
3. Select an enrolled device that is in supervised mode that has Activation Lock enabled.
4. On the Home tab, in the Devices group, click Remote Device Actions > Bypass Activation Lock.
5. Read the messages in the warning dialog box, and click Yes when you are ready to proceed.
6. You can examine the status of the unlock request from:
The discovery data for the device in the device properties dialog box.
The Activation Lock Bypass State column in the Devices view (this column is hidden by default).
The Remote Device Actions Information section in the Summary tab of the details pane (when a
device is selected).
User affinity for hybrid managed devices in
Configuration Manager
3/6/2017 • 2 min to read

Applies to: System Center Configuration Manager (Current Branch)


When configuring profiles for corporate-owned devices, the administrator can specify whether the managed
devices can have user affinity which identifies a specific user with the device.

Managed devices with user affinity


Devices configured with user affinity can install and run the Company Portal app to download apps and manage
devices. Once users receive their devices they must complete a number of additional steps to complete the Setup
Assistant and install the Company Portal app.
How to enroll iOS devices with user affinity
1. When users first power on their new devices, they are prompted to complete the Setup Assistant. The
enrollment profile can specify to prompt for credentials during setup. Users must use the credentials (i.e.
the user principal name, or UPN) associated with their subscription in Intune.
2. During setup, users can also be prompted for an Apple ID. An Apple ID must be provided before the device
can install the Company Portal. Users can provide an Apple ID after setup is complete from the iOS
Settings menu.
3. After completing setup, the user must install the Company Portal app on the iOS device from the App
Store.
4. The user can now login to the Company Portal with the UPN used when setting up the device.
5. After logging in, the user is prompted to enroll their device. The first step is to Identify their device. The
app presents a list of iOS devices that are corporate-enrolled and assigned to the end-user’s Intune account.
Choose the matching device.
If this device is not already corporate-enrolled, select “new device” to continue with the standard enrollment
flow.
6. On the next screen, the user must confirm the serial of the new device. The user can tap on the link “confirm
the Serial Number” to launch the Settings app to verify the serial number. The user must then enter the last
4 characters of the serial number into the Company Portal app.
This step verifies that the device is the corporate device enrolled in Intune. If the serial number on the device
does not match, the wrong device was selected. Go back to the previous screen and select a different device.
7. After the serial number is verified, the Company Portal app redirects to the Company Portal website to
finalize enrollment, and then prompts the user to return to the app.
8. Enrollment is now complete. You can now use this device with the full set of capabilities.

Managed devices without user affinity


Devices configured with no user affinity do not support the Company Portal and should not install the app. The
Company Portal is designed for users who have corporate credentials and require access to personalized
corporate resources (e.g. email). Devices enrolled with no user affinity are not intended to have a dedicated user
sign in. Kiosk, point of sale (POS), or shared utility devices are typical use cases for devices enrolled with no user
affinity. If user affinity is required, be sure the device’s enrollment profile has User Affinity selected prior to
enrolling the device. To change the affinity status on a device, you must retire and re-enroll the device.
Protect data with remote wipe, lock, or passcode
reset using System Center Configuration Manager
3/6/2017 • 7 min to read

Applies to: System Center Configuration Manager (Current Branch)


Configuration Manager provides selective wipe, full wipe, remote lock, and passcode reset capabilities. Mobile
devices can store sensitive corporate data and provide access to many corporate resources. To protect devices you
can issue:
A full wipe to restore the device to its factory settings.
A selective wipe to remove only company data.
A remote lock to help secure a device that might be lost.
Reset the device passcode.

Full Wipe
You might issue a wipe command to a device when you need to secure a lost device or when you retire a device
from active use.
Issue a full wipe to a device to restore the device to its factory defaults. This removes all company and user data
and settings. You can do a full wipe on Windows Phone, iOS, Android, and Windows 10 devices.

NOTE
Wiping Windows 10 devices on versions earlier than version 1511 with less than 4 GB of RAM might leave the device
unresponsive. Learn more.

To initiate a remote wipe from the Configuration Manager console


1. In the Configuration Manager console, click Assets and Compliance and select Devices. Alternatively, you
can click Device Collections and select a collection.
2. Select the device that you want to retire/wipe.
3. Click Remote Device Actions in the Device Group, and then select Retire/Wipe.

Selective Wipe
Issue a selective wipe to a device to remove only company data. The following table describes by platform what
data is removed and the effect on data that remains on the device after a selective wipe.
iOS

CONTENT REMOVED WHEN RETIRING A DEVICE | IOS
Company apps and associated data installed by using Configuration Manager and Intune. | Apps are uninstalled. Company app data is removed.
VPN and Wi-Fi profiles | Removed.
Certificates | Removed and revoked.
Settings | Removed, except for: Allow voice roaming, Allow data roaming, and Allow automatic synchronization while roaming.
Management agent | Management profile is removed.
Email profiles | For email profiles provisioned by Intune, the email account and email are removed.


Android and Android Samsung KNOX Standard

CONTENT REMOVED WHEN RETIRING A DEVICE | ANDROID | SAMSUNG KNOX STANDARD
Company apps and associated data installed by using Configuration Manager and Intune. | Apps and data remain installed. | Apps are uninstalled.
VPN and Wi-Fi profiles | Removed. | Removed.
Certificates | Revoked. | Revoked.
Settings | Requirements removed. | Requirements removed.
Management agent | Device Administrator privilege is revoked. | Device Administrator privilege is revoked.
Email profiles | Not applicable. | For email profiles provisioned by Intune, the email account and email are removed.


Windows 10, Windows 8.1, Windows RT 8.1, and Windows RT

CONTENT REMOVED WHEN RETIRING A DEVICE | WINDOWS 10, WINDOWS 8.1 AND WINDOWS RT 8.1 | WINDOWS RT
Company apps and associated data installed by using Configuration Manager and Intune. | Apps are uninstalled and sideloading keys are removed. Apps using Windows Selective Wipe will have the encryption key revoked and data will no longer be accessible. | Sideloading keys are removed but apps remain installed.
VPN and Wi-Fi profiles | Removed. | Not applicable.
Certificates | Removed and revoked. | Not applicable.
Settings | Requirements removed. |
Management agent | Not applicable. Management agent is built-in. | Not applicable. Management agent is built-in.
Email profiles | Removes email that is EFS-enabled, which includes the Mail app for Windows email and attachments. | Not applicable.


Windows 10 Mobile, Windows Phone 8.0 and Windows Phone 8.1

CONTENT REMOVED WHEN RETIRING A DEVICE | WINDOWS 10 MOBILE, WINDOWS PHONE 8 AND WINDOWS PHONE 8.1
Company apps and associated data installed by using Configuration Manager and Intune | Apps are uninstalled. Company app data is removed.
VPN and Wi-Fi profiles | Removed for Windows 10 Mobile and Windows Phone 8.1.
Certificates | Removed for Windows Phone 8.1.
Management agent | Not applicable. Management agent is built-in.
Email profiles | Removed (except Windows Phone 8.0).

The following settings are also removed from Windows 10 Mobile and Windows Phone 8.1 devices:
Require a password to unlock mobile devices
Allow simple passwords
Minimum password length
Required password type
Password expiration (days)
Remember password history
Number of repeated sign-in failures to allow before the device is wiped
Minutes of inactivity before password is required
Required password type – minimum number of character sets
Allow camera
Require encryption on mobile device
Allow removable storage
Allow web browser
Allow application store
Allow screen capture
Allow geolocation
Allow Microsoft Account
Allow copy and paste
Allow Wi-Fi tethering
Allow automatic connection to free Wi-Fi hotspots
Allow Wi-Fi hotspot reporting
Allow factory reset
Allow Bluetooth
Allow NFC
Allow Wi-Fi

To initiate a remote wipe from the Configuration Manager console
1. In the Configuration Manager console, click Assets and Compliance and select Devices. Alternatively, you
can click Device Collections and select a collection.
2. Select the device that you want to retire/wipe.
3. Click Remote Device Actions in the Device Group, and then select Retire/Wipe.

Wiping Encrypting File System (EFS)-enabled content


Selective wipe of EFS-encrypted content is supported on Windows 8.1 and Windows RT 8.1. The following apply to
a selective wipe of EFS-enabled content:
Only apps and data that are protected by EFS using the same Internet domain as the Intune account are
selectively wiped. For more information, see Windows Selective Wipe for Device Data Management.
If any changes are made to the domain associated with EFS, the changes can take up to 48 hours before apps
and data using the new domain can be selectively wiped.
Every domain that is registered with Intune is a domain that will be wiped.
The data and apps that are currently supported by EFS selective wipe are:
Mail app for Windows
Work Folders
Files and folders encrypted by EFS. For more information, see Best practices for the Encrypting File System.
Best Practices for Selective Wipe
For a successful wipe of email, provision email profiles to iOS and Windows Phone 8.1 devices.
For a successful wipe of apps, make sure the apps are distributed through mobile device app management.
For iOS, set "Allow backup to iCloud" to "Disallow" so that users can't restore wiped content from an iCloud
backup.
If an account has been deactivated, then after one year the account will be retired by Intune and a selective
wipe will be performed.
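The two rules above that decide what a selective wipe actually removes, the domain match against the domains registered with Intune and the 48-hour propagation window after a domain change, are easy to get wrong when planning a wipe. The following is an added example, not code from this page or from Microsoft: it models those rules over a constructed list of EFS-protected items. The item records, their protecting domains and the timestamps are constructed for the demonstration; treating an item whose domain association changed less than 48 hours ago as "pending" rather than wiped, and matching domains exactly (no subdomain inheritance), are my reading of the caveats, not something the page states.

```python
"""Added example (mine, not Microsoft's): plan which EFS-protected items a
selective wipe removes, following the domain-match and 48-hour rules above."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The page says a domain change can take up to 48 hours to become wipeable.
PROPAGATION_WINDOW = timedelta(hours=48)

# The three content types the page lists as supported by EFS selective wipe.
SUPPORTED_KINDS = {"mail", "work-folder", "efs-file"}


@dataclass(frozen=True)
class ProtectedItem:
    path: str
    kind: str                 # "mail", "work-folder", "efs-file" or something else
    domain: str               # Internet domain EFS used to protect the item (assumed field)
    domain_set_at: datetime   # when that domain association was last changed (assumed field)


def _normalize(domain: str) -> str:
    """Case-insensitive compare, ignoring surrounding whitespace and a trailing dot."""
    return domain.strip().rstrip(".").lower()


def plan_selective_wipe(registered_domains, items, now):
    """Return (wipe, pending, skip).
    wipe:    protected under a domain registered with Intune, past the 48h window
    pending: registered domain, but the association changed less than 48h ago
    skip:    domain not registered with Intune, or an unsupported content kind"""
    registered = {_normalize(d) for d in registered_domains}
    wipe, pending, skip = [], [], []
    for item in items:
        if item.kind not in SUPPORTED_KINDS or _normalize(item.domain) not in registered:
            skip.append(item)
        elif now - item.domain_set_at < PROPAGATION_WINDOW:
            pending.append(item)
        else:
            wipe.append(item)
    return wipe, pending, skip


# Constructed sample data for the demonstration (not real device inventory).
NOW = datetime(2017, 3, 6, 12, 0, tzinfo=timezone.utc)
SAMPLE_ITEMS = [
    ProtectedItem("C:\\Users\\alice\\Mail", "mail", "Contoso.com", NOW - timedelta(days=30)),
    ProtectedItem("C:\\Users\\alice\\Work Folders", "work-folder", "contoso.com", NOW - timedelta(hours=12)),
    ProtectedItem("C:\\Users\\alice\\Documents\\plan.docx", "efs-file", "fabrikam.com", NOW - timedelta(days=2)),
    ProtectedItem("C:\\Users\\alice\\Pictures\\cat.jpg", "unencrypted", "contoso.com", NOW - timedelta(days=2)),
]


def demo():
    """Run the planner against the sample data; returns three lists of paths."""
    wipe, pending, skip = plan_selective_wipe(["contoso.com", "sub.contoso.com"], SAMPLE_ITEMS, NOW)
    return [i.path for i in wipe], [i.path for i in pending], [i.path for i in skip]


if __name__ == "__main__":
    for label, paths in zip(("wipe", "pending", "skip"), demo()):
        print(f"{label}: {paths}")
```

The "pending" bucket is the one to watch operationally: a wipe issued inside the 48-hour window after a domain change silently leaves that content on the device, so re-issue the wipe once the window has passed.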

Passcode Reset
If a user forgets their passcode, you can help them by removing the passcode from a device or by forcing a new
temporary passcode on a device. The table below lists how passcode reset works on different mobile platforms.

PLATFORM | PASSCODE RESET
iOS | Supported for clearing the passcode from a device. Does not create a new temporary passcode.
Android | Supported, and a temporary passcode is created.
Windows 10 | Not supported at this time.
Windows Phone 8 and Windows Phone 8.1 | Supported
Windows RT 8.1 and Windows RT | Not supported
Windows 8.1 | Not supported

To reset the passcode on a mobile device remotely in Configuration Manager


1. In the Configuration Manager console, click Assets and Compliance and select Devices. Alternatively, you
can click Device Collections and select a collection.
2. Select the device or devices on which to reset the passcode.
3. Click Remote Device Actions in the Device Group, and then select Passcode Reset.
To show the state of the passcode reset
1. In the Configuration Manager console, click Assets and Compliance and select Devices. Alternatively, you
can click Device Collections and select a collection.
2. Select the device or devices on which to show the state of the passcode reset.
3. Click Remote Device Actions in the Device Group, and then select Show Passcode State.

Remote Lock
If a user loses their device you can lock the device remotely. The following table lists how remote lock works on
different mobile platforms.

PLATFORM | REMOTE LOCK
iOS | Supported
Android | Supported
Windows 10 | Not supported at this time.
Windows Phone 8 and Windows Phone 8.1 | Supported
Windows RT 8.1 and Windows RT | Supported if the current user of the device is the same user who enrolled the device.
Windows 8.1 | Supported if the current user of the device is the same user who enrolled the device.

To lock a mobile device remotely through the Configuration Manager console


1. In the Configuration Manager console, click Assets and Compliance and select Devices. Alternatively, you
can click Device Collections and select a collection.
2. Select the device or devices to lock.
3. Click Remote Device Actions in the Device Group, and then select Remote Lock.
To show the state of the remote lock
1. In the Configuration Manager console, click Assets and Compliance and select Devices. Alternatively, you
can click Device Collections and select a collection.
2. Select the device on which to show the state of the remote lock.
3. Click Remote Device Actions in the Device Group, and then select Show Remote Lock State.
See Also
Windows Selective Wipe for Device Data Management
How to configure hardware inventory for mobile devices enrolled by Microsoft Intune and System Center Configuration Manager
3/6/2017

Applies to: System Center Configuration Manager (Current Branch)


In Configuration Manager, you can collect the hardware inventory on iOS, Android, and Windows devices by using
the Microsoft Intune connector. For information about how to configure hardware inventory, see How to extend
hardware inventory in System Center Configuration Manager.
For information about how to enroll devices in Microsoft Intune, see Manage mobile devices with Microsoft Intune.

Hardware inventory for mobile devices


The following tables list the inventory classes available for hardware inventory across commonly used mobile
platforms.
iOS

HARDWARE INVENTORY CLASS | IOS
Name | Device_ComputerSystem.DeviceName
Unique Device ID | Device_ComputerSystem.UDID
Serial Number | Device_ComputerSystem.SerialNumber
Email Address | Device_Email.OwnerEmailAddress
Operating System Type | Not applicable
Operating System Version | Device_OSInformation.OSVersion
Build Version | Not applicable
Service Pack Major Version | Not applicable
Service Pack Minor Version | Not applicable
Operating System Language | Not applicable
Total Storage Space | Device_Memory.DeviceCapacity
Free Storage Space | Device_Memory.AvailableDeviceCapacity
International Mobile Equipment Identity (IMEI) | Device_ComputerSystem.IMEI
Mobile Equipment Identifier (MEID) | Device_ComputerSystem.MEID
Manufacturer | Not applicable
Model | ModelName
Phone Number (1) | Device_ComputerSystem.PhoneNumber
Subscriber Carrier | Device_ComputerSystem.SubscriberCarrierNetwork
Cellular Technology | Device_ComputerSystem.CellularTechnology
Wi-Fi MAC | Device_WLAN.WiFiMAC

Android

NOTE
Android inventory classes are available when using the Android Company Portal app.

HARDWARE INVENTORY CLASS | ANDROID
Name | Not applicable
Unique Device ID | Not applicable
Serial Number | Device_ComputerSystem.SerialNumber
Email Address | Not applicable
Operating System Type | Device_OSInformation.Platform
Operating System Version | Device_OSInformation.Version
Build Version | Not applicable
Service Pack Major Version | Not applicable
Service Pack Minor Version | Not applicable
Operating System Language | Not applicable
Total Storage Space | Device_Memory.StorageTotal
Free Storage Space | Device_Memory.StorageFree
International Mobile Equipment Identity (IMEI) | Device_ComputerSystem.IMEI
Mobile Equipment Identifier (MEID) | Not applicable
Manufacturer | Device_Info.Manufacturer
Model | Device_Info.Model
Phone Number (1) | Device_ComputerSystem.PhoneNumber
Subscriber Carrier | Device_ComputerSystem.SubscriberCarrierNetwork
Cellular Technology | Device_ComputerSystem.CellularTechnology
Wi-Fi MAC | Device_WLAN.WiFiMAC

Windows Phone 8/8.1

HARDWARE INVENTORY CLASS | WINDOWS PHONE 8 AND WINDOWS PHONE 8.1
Name | Device_ComputerSystem.DeviceName
Unique Device ID | Device_ComputerSystem.DeviceClientID
Serial Number | Not applicable
Email Address | Device_Email.OwnerEmailAddress
Operating System Type | Device_OSInformation.Platform
Operating System Version | Device_ComputerSystem.SoftwareVersion
Build Version | Not applicable
Service Pack Major Version | Not applicable
Service Pack Minor Version | Not applicable
Operating System Language | Device_OSInformation.Language
Total Storage Space | Not applicable
Free Storage Space | Not applicable
International Mobile Equipment Identity (IMEI) | Not applicable
Mobile Equipment Identifier (MEID) | Not applicable
Manufacturer | Device_ComputerSystem.DeviceManufacturer
Model | Device_ComputerSystem.DeviceModel
Phone Number (1) | Not applicable
Subscriber Carrier | Not applicable
Cellular Technology | Not applicable
Wi-Fi MAC | Not applicable

Windows RT

HARDWARE INVENTORY CLASS | WINDOWS RT
Name | Device_ComputerSystem.DeviceName
Unique Device ID | Device_ComputerSystem.DeviceName
Serial Number | Not applicable
Email Address | Device_Email.OwnerEmailAddress
Operating System Type | CCM_OperatingSystem.SystemType
Operating System Version | Win32_OperatingSystem.Version
Build Version | Win32_OperatingSystem.BuildNumber
Service Pack Major Version | Win32_OperatingSystem.ServicePackMajorVersion
Service Pack Minor Version | Win32_OperatingSystem.ServicePackMinorVersion
Operating System Language | Not applicable
Total Storage Space | Win32_PhysicalMemory.Capacity
Free Storage Space | Win32_OperatingSystem.FreePhysicalMemory
International Mobile Equipment Identity (IMEI) | Not applicable
Mobile Equipment Identifier (MEID) | Not applicable
Manufacturer | Win32_ComputerSystem.Manufacturer
Model | Win32_ComputerSystem.Model
Phone Number (1) | Not applicable
Subscriber Carrier | Not applicable
Cellular Technology | Not applicable
Wi-Fi MAC | Win32_NetworkAdapter.MACAddress

(1) The phone number is masked with * except for the last 4 digits. For inventory to collect the phone number,
the device must have a SIM card inserted, and a phone number provisioned by the carrier to that SIM.
Software inventory for mobile devices enrolled with Microsoft Intune
3/6/2017

Applies to: System Center Configuration Manager (Current Branch)


You can collect inventory for apps installed on mobile devices. The apps that are inventoried will depend on
whether the device is company-owned or personal-owned. For personal devices, the only apps that are inventoried
are apps that are managed by Microsoft Intune.

NOTE
Inventory on the apps installed on mobile devices is collected as part of the hardware inventory process.

Here are the apps that are inventoried for personal-owned or company-owned devices.

PLATFORM | FOR PERSONAL-OWNED DEVICES | FOR COMPANY-OWNED DEVICES
Windows 10 (without the Configuration Manager client) | Only managed apps | Only managed apps
Windows 8.1 (without the Configuration Manager client) | Only managed apps | Only managed apps
Windows Phone 8 | Only managed apps | Only managed apps
Windows RT | Only managed apps | Only managed apps
iOS | Only managed apps | All apps installed on the device
Android | Only managed apps | All apps installed on the device

See Introduction to software inventory and How to configure software inventory for detailed information about
using software inventory to collect file information on client devices.
Managing compliance on devices managed with Intune
3/6/2017

Applies to: System Center Configuration Manager (Current Branch)


These scenarios give you an introduction to using System Center Configuration Manager compliance settings by
working through some common scenarios you might encounter.
If you are already familiar with compliance settings, detailed documentation about all the features you use can be
found in the Configuration items for devices managed with Intune section.
Get started with compliance settings provides the basics about compliance settings and Plan for and configure
compliance settings will help you implement any necessary prerequisites.

General information for each scenario


In each scenario, you'll create a configuration item that performs a specific task. To open the Create
Configuration Item Wizard, use the following steps:
1. In the Configuration Manager console, click Assets and Compliance > Compliance Settings >
Configuration Items.
2. On the Home tab, in the Create group, click Create Configuration Item.
3. On the General tab of the Create Configuration Item Wizard as shown below, specify a name and
description for the configuration item, then choose the appropriate configuration item type for each scenario
in this topic.
Scenarios for Windows 8.1 and Windows 10 devices managed with
Intune
Scenario: Restrict access to the app store on all Windows PCs
In this scenario, you are the IT admin for a company that deals with highly sensitive information. Because of this,
you restrict the apps that users can install. You want to stop users of all Windows 10 PCs from downloading apps
from the Windows Store, so you take the following actions.
1. On the General page of the Create Configuration Item wizard, select the Windows 8.1 and Windows 10
configuration item type, then click Next.
2. On the Supported Platforms page, select all of the Windows 10 platforms.
3. On the Device Settings page, select Store, then click Next.
4. On the Store page, select Prohibited as the value for Application store.
5. Select Remediate noncompliant settings to ensure the change is applied to all PCs.
6. Complete the wizard to create the configuration item.
You can now use the information in the Common tasks for creating and deploying configuration baselines
topic to help you deploy the configuration you have created to devices.

Scenarios for Windows Phone devices managed with Intune


Scenario: Disable the use of screen capture on a Windows Phone
In this scenario, you use Windows Phone 8.1 devices in your company. These devices run a sales app that contains
sensitive information. To protect your company, you want to disable the use of screen capture on the device which
could potentially be used to transmit sensitive information outside of your company.
1. On the General page of the Create Configuration Item wizard, select the Windows Phone configuration
item type, then click Next.
2. On the Supported Platforms page, select All Windows Phone 8.1 platforms.
3. On the Device Settings page, select Device, then click Next.
4. On the Device page, select Disabled as the value for Screen capture.
5. Select Remediate noncompliant settings to ensure the change is applied to all Windows Phone 8.1
devices.
6. Complete the wizard to create the configuration item.
You can now use the information in the Common tasks for creating and deploying configuration baselines
with System Center Configuration Manager topic to help you deploy the configuration you have created to
devices.

Scenarios for iOS and Mac OS X devices managed with Intune


Scenario: Disable the camera on iOS devices
In this scenario, your company produces blueprints for new product designs. These contain sensitive information
that must not be leaked. As your company issues iPhones or iPads to all employees, you want to disable the use of
the camera on these devices to prevent them being used to photograph the blueprints.
1. On the General page of the Create Configuration Item wizard, select the iOS and Mac OS X configuration
item type, then click Next.
2. On the Supported Platforms page, select all iPhone and all iPad device platforms.
3. On the Device Settings page, select Security, then click Next.
4. On the Security page, select Prohibited as the value for Camera.
5. Select Remediate noncompliant settings to ensure the change is applied to all iOS devices.
6. Complete the wizard to create the configuration item.
You can now use the information in the Common tasks for creating and deploying configuration baselines
with System Center Configuration Manager topic to help you deploy the configuration you have created to
devices.

Scenarios for Android and Samsung KNOX Standard devices managed


with Intune
Scenario: Require a password on all Android 5 devices
In this scenario, you'll create a configuration item for Android 5 devices only that requires users to configure a
password of at least 6 characters on their devices. Additionally, if a user enters an incorrect password 5 times, then
the device will be wiped.
1. On the General page of the Create Configuration Item wizard, select the Android and Samsung KNOX
configuration item type, then click Next.
2. On the Supported Platforms page, select only Android 5 (to ensure that the settings only get applied to
that platform).
3. On the Device Settings page, select Password, then click Next.
4. On the Password page, configure the following settings:
Require password settings on devices > Required
Minimum password length (characters) > 6
Number of failed logon attempts before device is wiped > 5
5. Complete the wizard to create the configuration item.
You can now use the information in the Common tasks for creating and deploying configuration baselines
topic to help you deploy the configuration you have created to devices.

Configuration items for devices managed with Intune


The following System Center Configuration Manager configuration item types are available for devices that are not
managed by the Configuration Manager client, for example, devices that are enrolled with Microsoft Intune.
How to create configuration items for Windows 8.1 and Windows 10 devices managed with Intune
How to create configuration items for Windows Phone devices managed with Intune
How to create configuration items for iOS and Mac OS X devices managed with Intune
How to create configuration items for Android and Samsung KNOX Standard devices managed with Intune
Create configuration items for Windows 8.1 and Windows 10 devices managed with Intune
3/6/2017

Applies to: System Center Configuration Manager (Current Branch)


Use the System Center Configuration Manager Windows 8.1 and Windows 10 configuration item to manage
settings for Windows 8.1, and Windows 10 devices that are enrolled in Microsoft Intune or managed on-premises
by Configuration Manager.

Create a Windows 8.1 and Windows 10 configuration item


1. In the Configuration Manager console, click Assets and compliance > Compliance Settings >
Configuration Items.
2. On the Home tab, in the Create group, click Create Configuration Item.
3. On the General page of the Create Configuration Item Wizard, specify a name, and optional description
for the configuration item.
4. Under Specify the type of configuration item that you want to create, select Windows 8.1 and
Windows 10.
5. Click Categories if you create and assign categories to help you search and filter configuration items in the
Configuration Manager console.
6. On the Supported Platforms page, select the specific Windows platforms that will evaluate the
configuration item.
7. On the Device Settings page, select the settings group that you want to configure. See Windows 8.1 and
Windows 10 configuration item settings reference in this topic for details, and then click Next.

TIP
If the setting that you want is not listed, select the Configure additional settings that are not in the default
setting groups check box.

8. On each settings page, configure the settings you require, and whether you want to remediate them when
they are not compliant on devices (when this is supported).
9. For each settings group, you can also configure the severity that will be reported (in Configuration Manager
reports) when a configuration item is found to be noncompliant from:
None - Devices that fail this compliance rule do not report a failure severity.
Information - Devices that fail this compliance rule report a failure severity of Information.
Warning - Devices that fail this compliance rule report a failure severity of Warning.
Critical - Devices that fail this compliance rule report a failure severity of Critical.
Critical with event - Devices that fail this compliance rule report a failure severity of Critical. This
severity level is also logged as a Windows event in the application event log.
10. On the Platform Applicability page, review any settings that are not compatible with the supported
platforms you selected earlier. You can go back and remove these settings, or you can continue.

TIP
Unsupported settings are not assessed for compliance.

11. Complete the wizard.


You can view the new configuration item in the Configuration Items node of the Assets and Compliance
workspace.

Windows 8.1 and Windows 10 configuration item settings reference


Password
SETTING | DETAILS
Require password settings on devices | Require a password on supported devices.
Minimum password length (characters) | The minimum length for the password.
Password expiration in days | The number of days before a password must be changed.
Number of passwords remembered | Prevents re-using previously used passwords.
Number of failed logon attempts before device is wiped | Wipes the device if this number of login attempts fail.
Idle time before device is locked | Specify the amount of time a device can be idle (have no user input) before it is locked.
Password complexity | Choose whether you can specify a PIN such as '1234', or whether you must supply a strong password. (Windows 10 only)
Password complexity - Number of complex character sets required in password | If you selected a Strong password, use this setting to configure the number of complex character sets required. For a strong password, this should be set to at least 3, which means both letters and numbers are required. Select 4 if you want to enforce a password that additionally requires special characters such as (%$. (Windows 10 only)
Send password recovery PIN to Exchange Server | Set to Enabled or Disabled. (Windows 10 only)
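The Password settings group above, and the Android scenario earlier on this page (6-character minimum, wipe after 5 failed attempts), both describe rules the device enforces locally. The following is an added example, not code from this page or from Microsoft, that evaluates a candidate password against those settings and applies the failed-attempt counter, so you can see what "number of complex character sets" actually admits or rejects. The policy values are constructed; the four character sets (lowercase, uppercase, digits, everything else) are my assumption about what the setting counts, since the page does not enumerate them, and the plaintext history list is for the demonstration only.

```python
"""Added example (mine, not Microsoft's): evaluate a password against the
Password settings group and apply the wipe-after-N-failures counter."""
from dataclasses import dataclass
import string


@dataclass
class PasswordPolicy:
    # Field names follow the Password settings group in the table above.
    required: bool = True            # Require password settings on devices
    min_length: int = 6              # Minimum password length (characters)
    complex_sets_required: int = 1   # Number of complex character sets required (1-4)
    passwords_remembered: int = 0    # Number of passwords remembered; 0 disables history
    wipe_after_failures: int = 0     # Failed logon attempts before device is wiped; 0 disables


_ALNUM = set(string.ascii_letters + string.digits)


def character_sets(password: str) -> int:
    """Count the distinct character sets present: lowercase, uppercase, digits, other.
    Assumption (mine): these four classes are what the setting counts."""
    present = [
        any(c in string.ascii_lowercase for c in password),
        any(c in string.ascii_uppercase for c in password),
        any(c in string.digits for c in password),
        any(c not in _ALNUM for c in password),
    ]
    return sum(present)


def evaluate_password(policy: PasswordPolicy, password: str, history=()) -> list:
    """Return the rules the candidate violates; an empty list means compliant.
    history holds the user's previous passwords, oldest first (plaintext only for the demo)."""
    problems = []
    if not policy.required:
        return problems
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if character_sets(password) < policy.complex_sets_required:
        problems.append(f"fewer than {policy.complex_sets_required} character sets")
    if policy.passwords_remembered:
        remembered = list(history)[-policy.passwords_remembered:]
        if password in remembered:
            problems.append("reuses one of the remembered passwords")
    return problems


class LockoutCounter:
    """Applies 'Number of failed logon attempts before device is wiped'."""

    def __init__(self, policy: PasswordPolicy):
        self.policy = policy
        self.failures = 0

    def record(self, success: bool) -> str:
        """Record one unlock attempt; returns 'unlocked', 'locked' or 'wipe'."""
        if success:
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.policy.wipe_after_failures and self.failures >= self.policy.wipe_after_failures:
            return "wipe"
        return "locked"


if __name__ == "__main__":
    # Constructed policy: the Android scenario's 6-character minimum and wipe after
    # 5 failures, plus the 3 character sets the table recommends for Windows 10.
    policy = PasswordPolicy(min_length=6, complex_sets_required=3,
                            passwords_remembered=5, wipe_after_failures=5)
    for candidate in ("1234", "Passw0rd", "Pa$$w0rd"):
        print(candidate, "->", evaluate_password(policy, candidate) or "compliant")
    counter = LockoutCounter(policy)
    print([counter.record(False) for _ in range(5)])
```

Note that with three character sets required, "Passw0rd" passes: the setting counts sets, not strength, so pair it with a sensible minimum length rather than relying on it alone.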

Device
SETTING NAME | DETAILS
Screen capture | Allows you to take a screenshot of the device display. (Windows 10 only)
Diagnostic data submission | Allow submission of app log files. (Windows 8.1 only)
Diagnostic data submission (Windows 10) | Allow submission of app log files. (Windows 10 only)
Geolocation | Allow the device to use location services information. (Windows 10 only)
Copy and Paste | Use copy and paste to transfer data between apps. (Windows 10 only)
Factory reset | Controls whether the user can factory reset their device.
Bluetooth | Allow use of the device's Bluetooth capability.
Bluetooth discoverable mode | Allow the device to be discovered by other Bluetooth devices. (Windows 10 only)
Bluetooth advertising | Allow the use of Bluetooth advertising. (Windows 10 only)
Voice recording | Allow the use of the voice recording features of the device. (Windows 10 only)
Cortana | Enable or disable the Cortana voice assistant.

Email management
SETTING | DETAILS
POP and IMAP email | Allows connection to email accounts that use the POP and IMAP standards.
Maximum time to keep email | How long to keep email before it is deleted from the server.
Allowed message formats | Specify whether user emails can be HTML, or plain text only.
Maximum size for plain text email (automatically downloaded) | Controls the maximum size of plain text emails when automatically downloaded.
Maximum size for HTML email (automatically downloaded) | Controls the maximum size of HTML emails when automatically downloaded.
Maximum size of an attachment (automatically downloaded) | Configures the maximum size of an attachment that will be automatically downloaded.
Calendar synchronization | Allow synchronization of calendars to the device.
Custom email account | Allow using a non-Microsoft account on the device.
Make Microsoft Account optional in Windows Mail app | Configure this to remove the requirement for a Microsoft account in Windows Mail.

Store
These settings are for devices running Windows 10 and later only.
SETTING | DETAILS
Application store | Allows access to the app store on the device.
Enter a password to access the application store | Users must enter a password to access the app store.
In-app purchases | Allows users to make in-app purchases.

Browser
SETTING | DETAILS
Allow web browser | Allow the use of the web browser on the device. (Windows 10 only)
Autofill | User can change autocomplete settings in the browser.
Active scripting | Browser can run scripts, such as ActiveX scripts.
Plug-ins | User can add plug-ins to Internet Explorer.
Pop-up blocker | Enables or disables the browser pop-up blocker.
Cookies | Allow cookies to be saved on the device.
Fraud warning | Enable or disable warnings of potentially fraudulent websites.

Internet Explorer
These settings are only for devices running Windows 8.1.

SETTING NAME | DETAILS
Always send Do Not Track header | Sends the Do Not Track header, which asks third-party sites not to track browsing; sites are not obliged to honor the request.
Intranet security zone | Assign a security level to the Intranet security zone.
Security level for Internet zone | Configure the security level for the Internet zone.
Security level for intranet zone | Configure the security level for the intranet zone.
Security level for trusted sites zone | Configure the security level for the trusted sites zone.
Security level for restricted sites zone | Configure the security level for the restricted sites zone.
Namespaces for intranet zone | Configure websites that will be added or removed from the intranet zone.
Go to intranet site for single word entry | Enables or disables the setting that allows Internet Explorer to automatically go to an intranet site if a valid site name is entered without a preceding HTTP:
Enterprise Mode menu option | Allow users to activate and deactivate Enterprise Mode from the Internet Explorer Tools menu.
Logging report location (URL) | Specify a URL where visited websites will be logged when Enterprise Mode is active.
Enterprise Mode site list location (URL) | Specify the location of the list of websites that will use Enterprise Mode when it is active.

Microsoft Edge
These settings are for devices running Windows 10 and later.

SETTING NAME | DETAILS
Allow search suggestions in address bar | Lets your search engine suggest sites as you type search phrases.
Allow sending intranet traffic to Internet Explorer | Lets users open intranet websites in Internet Explorer.
Allow do not track | Do not track informs websites that you do not want them to track your visit to a site.
Enable SmartScreen | Use SmartScreen to check that files your users download do not contain malicious code.
Allow pop-ups | Allow or disable browser pop-ups.
Allow cookies | Allow or disable cookies.
Allow Autofill | Allow the use of the Autofill feature of the Edge browser.
Allow Password Manager | Allow the use of the password manager feature of the Edge browser.
Enterprise Mode site list location | Specifies where to find the list of web sites that will open in Enterprise Mode. Users cannot edit this list.

Windows Defender
These settings are for devices running Windows 10 November Update (1511) and later.

SETTING NAME | DETAILS
Allow real-time monitoring | Enables real-time scanning for malware, spyware, and other unwanted software.
Allow behavior monitoring | Lets Defender check for certain known patterns of suspicious activity on devices.
Enable Network Inspection System | The Network Inspection System (NIS) helps to protect devices against network-based exploits by using the signatures of known vulnerabilities from the Microsoft Endpoint Protection Center to help detect and block malicious traffic.
Scan all downloads | Controls whether Defender scans all files downloaded from the Internet.
Allow script scanning | Lets Defender scan scripts that are used in Internet Explorer.
Monitor file and program activity | Enable this setting to allow Defender to monitor file and program activity on devices.
Files monitored | If you enabled Monitor file and program activity, you can then select whether to monitor incoming files, outgoing files, or all files.
Days to track resolved malware | Lets Defender continue to track resolved malware for the number of days you specify so that you can manually check previously affected devices. If you set the number of days to 0, malware remains in the Quarantine folder and is not automatically removed.
Allow client UI access | Controls whether the Windows Defender user interface is hidden from end users. When this setting is changed, it will take effect the next time the end user's PC is restarted.
Schedule a system scan | Lets you schedule a full or quick system scan that occurs regularly on the day and time you select.
Schedule a quick daily scan | Lets you schedule a quick scan that occurs daily at the time you select.
Limit CPU usage during a scan | Lets you limit the amount of CPU that scans are allowed to use (from 1 to 100).
Scan archive files | Allows Defender to scan archived files such as Zip or Cab files.
Scan email messages | Allows Defender to scan email messages as they arrive on the device.
Scan removable drives | Lets Defender scan removable drives like USB sticks.
Scan mapped drives | Lets Defender scan files on mapped network drives. If the files on the drive are read-only, Defender will be unable to remove any malware found in them.
Scan files opened from network shared folders | Lets Defender scan files on shared network drives (for instance, those accessed from a UNC path). If the files on the drive are read-only, Defender will be unable to remove any malware found in them.
Signature update interval | Specify the interval at which Defender will check for new signature files.
Allow cloud protection | Allow or block the Microsoft Active Protection Service from receiving information about malware activity from devices you manage. This information is used to improve the service in the future.
Prompt users for samples submission | Controls whether files that might require further analysis by Microsoft to determine if they are malicious are automatically sent to Microsoft.
Potentially Unwanted Application detection | This setting can be used to protect enrolled Windows desktop devices against running software classified by Windows Defender as potentially unwanted. You can block these applications from running, or use audit mode to report when a potentially unwanted application is installed.
File and folder exclusions | Add one or more files and folders like C:\Path or %ProgramFiles%\Path\filename.exe to the exclusions list. These files and folders will not be included in any real-time or scheduled scans.
File extension exclusions | Add one or more file extensions like jpg or txt to the exclusions list. Any files with these extensions will not be included in any real-time or scheduled scans.
Process exclusions | Add one or more processes of the type .exe, .com, or .scr to the exclusions list. These processes will not be included in any real-time or scheduled scans.
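The three exclusion settings above are the part of this configuration item most likely to weaken the device rather than harden it: an exclusion is a permanent blind spot for real-time and scheduled scans, and a broad one (a drive root, a user-writable folder, an executable extension, a script host) hands attackers a place to run unscanned. The following is an added example, not code from this page or from Microsoft, that checks a proposed exclusion list against the formats the table describes (C:\Path or %ProgramFiles%\Path\filename.exe for paths, bare extensions like jpg, process names ending in .exe, .com or .scr) and flags entries that are too broad. The sample list is constructed; which entries count as "risky" is my own recommendation, not a rule on this page. One caveat the table does not spell out: in Defender, a process exclusion exempts the files that process opens from real-time scanning, not just the process image itself, which is why general-purpose script hosts are flagged below.

```python
"""Added example (mine, not Microsoft's): sanity-check Windows Defender exclusion
entries before they go into a configuration item."""
import re

# Formats taken from the table above: paths rooted at a drive letter or an
# environment variable, bare extensions, and process names ending .exe/.com/.scr.
_DRIVE_ROOT = re.compile(r'^[A-Za-z]:\\?$')
_PATH = re.compile(r'^(?:[A-Za-z]:\\|%[A-Za-z0-9_()]+%\\?)'
                   r'(?:[^<>:"/\\|?*]+(?:\\[^<>:"/\\|?*]+)*\\?)?$')
_EXTENSION = re.compile(r'^[A-Za-z0-9]{1,10}$')
_PROCESS = re.compile(r'^(?:.*\\)?[^<>:"/\\|?*]+\.(?:exe|com|scr)$', re.IGNORECASE)

# Risk lists below are my recommendations, not the page's.
_RISKY_EXTENSIONS = {"exe", "dll", "com", "scr", "ps1", "vbs", "js", "bat", "cmd", "msi"}
_USER_WRITABLE = ("%temp%", "%tmp%", "%userprofile%", "%appdata%", "%localappdata%",
                  "\\users\\", "\\temp\\", "\\downloads\\")
_SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                 "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def check_exclusion(kind: str, value: str):
    """Return (ok, reason) for one entry; kind is 'path', 'extension' or 'process'."""
    v = value.strip()
    if kind == "path":
        if _DRIVE_ROOT.match(v):
            return False, "excludes an entire drive"
        if not _PATH.match(v):
            return False, "not a drive-rooted or environment-variable-rooted Windows path"
        if any(marker in v.lower() for marker in _USER_WRITABLE):
            return False, "user-writable location; anything dropped there would go unscanned"
        return True, ""
    if kind == "extension":
        ext = v.lstrip(".").lower()
        if not _EXTENSION.match(ext):
            return False, "extension must be a bare name such as jpg or txt"
        if ext in _RISKY_EXTENSIONS:
            return False, "executable or script extension; would exempt payloads from scanning"
        return True, ""
    if kind == "process":
        if not _PROCESS.match(v):
            return False, "process exclusions must name a .exe, .com or .scr"
        if v.lower().rsplit("\\", 1)[-1] in _SCRIPT_HOSTS:
            return False, "general-purpose script host; files it opens would be unscanned"
        return True, ""
    return False, f"unknown exclusion kind {kind!r}"


def validate_exclusions(entries):
    """entries: iterable of (kind, value); returns the (kind, value, reason) tuples to reject."""
    rejected = []
    for kind, value in entries:
        ok, reason = check_exclusion(kind, value)
        if not ok:
            rejected.append((kind, value, reason))
    return rejected


# Constructed sample list for the demonstration.
SAMPLE_EXCLUSIONS = [
    ("path", "C:\\Program Files\\Contoso\\Agent"),
    ("path", "%ProgramFiles%\\Contoso\\agent.exe"),
    ("path", "C:\\"),
    ("path", "%TEMP%\\build"),
    ("extension", "jpg"),
    ("extension", ".exe"),
    ("process", "ContosoAgent.exe"),
    ("process", "powershell.exe"),
    ("process", "agent"),
]

if __name__ == "__main__":
    for kind, value, reason in validate_exclusions(SAMPLE_EXCLUSIONS):
        print(f"REJECT {kind:9} {value!r}: {reason}")
```

Run this over the list before it goes into the configuration item, and treat every rejection as a question for whoever requested the exclusion: a vendor that needs its own install folder excluded rarely needs the whole drive.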

Cloud
SETTING NAME | DETAILS
Settings synchronization | Allows synchronization of settings between devices.
Credentials synchronization | Allows synchronization of credentials between devices.
Microsoft Account | Allow the use of a Microsoft account on the device. (Windows 10 only)
Settings synchronization over metered connections | Allow settings to be synchronized when the Internet connection is metered.

Security
SETTING NAME DETAILS

Unsigned file installation – Allows the loading of unsigned files. (Windows 10 only)

Unsigned applications – Allows the loading of unsigned apps. (Windows 10 only)

SMS and MMS messaging – Allow SMS and MMS messaging from the device. (Windows 10 only)

Removable storage – Allow use of removable storage, like an SD card, on the device. (Windows 10 only)

Camera – Allow use of the device camera. (Windows 10 only)

Near field communication (NFC) – Allow communication using NFC on the device. (Windows 10 only)

AntiTheft mode – Controls whether Windows 10 AntiTheft mode is enabled. (Windows 10 only)

Allow USB connection – Controls whether devices can access external storage devices through a USB
connection. (Windows 10 only)

Profile file – Provisions a VPN profile for Windows RT devices. (Windows 8 only)

Profile name – Provisions a VPN profile for Windows RT devices. (Windows 8 only)

Profile for all users – Provisions a VPN profile for Windows RT devices. (Windows 8 only)

Peak synchronization
These settings are for devices running Windows 10 and later only.

SETTING NAME DETAILS

Specify peak time – Configure the peak time for mobile device synchronization.

Peak synchronization frequency – Configure how often synchronization occurs during the peak hours you
configured.

Off-peak synchronization frequency – Configure how often synchronization occurs outside of the peak hours
you configured.

Roaming
SETTING NAME DETAILS

Device management while roaming – Allows the device to be managed by Configuration Manager when it is
roaming. (Windows 10 only)

Software download while roaming – Allows the download of apps and software when roaming. (Windows 10 only)

Email download while roaming – Allows email downloads when roaming. (Windows 10 only)

Data roaming – Allow roaming between networks when accessing data.

VPN over cellular – Controls whether the device can access VPN connections when connected to a cellular
network. (Windows 10 only)

VPN roaming over cellular – Controls whether the device can access VPN connections when roaming on a
cellular network. (Windows 10 only)

Encryption
SETTING NAME DETAILS

Storage card encryption – Require any storage cards used with the device to be encrypted. (Windows 10 only)

File encryption on device – Requires that files on the device are encrypted.

Require email signing – Requires that emails are signed before they are sent. (Windows 10 only)

Signing algorithm – Select the signing algorithm for signed emails. (Windows 10 only)

Require email encryption – Requires that emails are encrypted before they are sent. (Windows 10 only)

Encryption algorithm – Select the algorithm for encrypting emails. (Windows 10 only)

Wireless communications
These settings are for devices running Windows 10 and later only.

SETTING NAME DETAILS

Wireless network connection – Enable or disable the device's Wi-Fi capability.

Wi-Fi tethering – Lets users use their device as a mobile hotspot.

Offload data to Wi-Fi when possible – Configure this to use the Wi-Fi connection on the device when possible.

Wi-Fi hotspot reporting – Sends information about Wi-Fi connections to help the user discover nearby
connections.

Manual Wi-Fi configuration – Controls whether the user can configure their own Wi-Fi connections, or whether
they can only use connections configured by a Wi-Fi profile.

To configure a wireless network connection

1. On the Configure mobile device wireless communication settings page, click Add.
2. In the Wireless Network Connection dialog box, specify the following information about the wireless
connection that will be provisioned on mobile devices:

SETTING MORE INFORMATION

Network name (SSID) – Enter the name of the Wi-Fi network.

Network connection – Choose from Internet or Work.

Authentication – Choose the authentication method for the wireless connection from:
- Open
- Shared
- WPA
- WPA-PSK
- WPA2
- WPA2-PSK

Data encryption – Choose the encryption method used by this connection. The values you can select will differ
depending on the Authentication method you selected:
- Disabled
- WEP
- TKIP
- AES
Open (no encryption), Shared, WEP and TKIP are legacy options that do not protect traffic against a nearby
attacker; for new profiles use WPA2 with AES, and 802.1X rather than a pre-shared key where the network
supports it.

Key index – Select a key index from 1 to 4 that will be used with a Data encryption setting of WEP.

This network connects to the Internet – Select this option if you want to supply proxy settings that let
mobile devices on a wireless connection connect to the Internet.

Proxy server settings – Specify, as required, Server and Port settings for HTTP, WAP and Sockets.

Enable 802.1X network access – Select this option if you want to secure the connection by specifying an EAP
type.

EAP type – Choose the EAP type to use from:
- PEAP
- Smart card or certificate

Certificates
Lets you import certificates to install on mobile devices.
Click Import, and then specify the following values:
Certificate file – Click Browse and then select the certificate file with the extension .cer that you want to
import.
Destination store – Choose one or more destination stores where the imported certificate will be added on
the mobile device from: Root, CA, Normal, Privileged, SPC, Peer.
Role – If SPC (Software Publisher Certificate) is selected as the destination store, choose the role that will be
associated with the certificate from: Mobile Operator, Manager, User Authenticated, IT Administrator, User
Unauthenticated, Trusted Provisioning Server.
A certificate added to the Root store becomes a trust anchor on every device that receives the configuration
item, so confirm the file's thumbprint with the issuing team out of band before importing it, and only import
CA certificates into the Root or CA stores.
System security
SETTING DETAILS

User Account Control – Enables or disables Windows User Account Control on the device.

Network firewall – Enables or disables Windows Firewall. (Windows 8.1 only)

Updates (Windows 8.1 and earlier) – Choose how Windows software updates will be downloaded to computers.
For example, you can automatically download updates, but let the user choose when to install them.

Minimum classification of updates – Choose the minimum classification of updates that will be downloaded
to Windows computers: None, Important, or Recommended.

Updates (Windows 10) – Choose how Windows software updates will be downloaded to computers. For example,
you can automatically download updates, but let the user choose when to install them. (Windows 10 only)

Install day – Choose the day when updates will be installed. (Windows 10 only)

Install time – Choose the time when updates will be installed. (Windows 10 only)

SmartScreen – Enable or disable Windows SmartScreen.

Virus protection – Select to ensure that antivirus software is installed on the device.

Virus protection signatures are up to date – Select to ensure that the antivirus signature files are up to
date.

Pre-release features – Allows Microsoft to deploy pre-release settings and features to the device.
(Windows 10 only)

Manual root certificate installation (Windows 10 only)

Allow manual unenrollment – Lets the user manually delete the workplace account from the device.
(Windows 10 only)

Windows Server Work Folders
These settings are for devices running Windows 8.1 and Windows 10.

SETTING NAME DETAILS

Work Folders URL – Configures the location of a Windows Server work folder that users can connect to from
their device.

Windows 10 Team
These settings are for devices running Windows 10 Team only.

SETTING NAME DETAILS

Allow screen to wake automatically when sensors detect someone in the room – Allows the device to wake
automatically when its sensor detects someone in the room.

Required PIN for wireless projection – Specifies whether you must enter a PIN before you can use the
wireless projection capabilities of the device.

Maintenance Window – Configures the window when updates can take place on the device. You can configure the
start time of the window and the duration (from 1-5 hours).

Azure Operational Insights – Azure Operational Insights, part of the Microsoft Operations Management Suite,
collects, stores, and analyzes log file data from Windows 10 Team devices.
To connect to Azure Operational Insights, you must specify a Workspace ID and a Workspace Key.

Miracast wireless projection – Enable this option if you want to let the Windows 10 Team device use
Miracast-enabled devices to project.
If you enable this option, from Choose Miracast channel select the Miracast channel used to project content.

Meeting information displayed on welcome screen – If you enable this option, you can choose the information
that will be displayed on the Meetings tile of the Welcome screen. You can:
- Show organizer and time only
- Show organizer, time and subject (subject hidden for private meetings)

Lockscreen background image URL – Enable this setting to display a custom background on the Welcome screen
of Windows 10 Team devices from the URL you specify.
The image must be in PNG format and the URL must begin with https://.

Windows Information Protection


These settings are for devices running Windows 10 only.
With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data
leaks through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s
control. For example, when an employee sends the latest engineering pictures from their personal email account,
copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise
interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental
data leaks on enterprise-owned devices and personal devices that employees bring to work without requiring
changes to your environment or other apps.
Configuration Manager WIP configuration items manage the list of apps protected by WIP, enterprise network
locations, protection level, and encryption settings.
For information about how to configure Windows Information Protection with Configuration Manager, see Protect
your enterprise data using Windows Information Protection (WIP).
Allowed and blocked apps (Windows Phone only)
Lets you specify a list of Intune managed apps that are compliant, or not compliant, in your company. Windows
Phone can allow, or block, the installation of these apps.
You cannot specify both compliant and noncompliant apps in the same configuration item.
To specify apps that will be allowed or blocked
1. On the Allowed and Blocked Apps list page, specify the following information:

SETTING MORE INFORMATION

Blocked apps list – Select this option if you want to specify a list of apps that users are not allowed to
install.

Allowed apps list – Select this option if you want to specify a list of apps that users are allowed to
install. Any other apps will be blocked from installing.

Add – Adds an app to the selected list. Specify a name of your choice, optionally the app publisher, and the
URL to the app in the app store.
To specify the URL, from the Windows Store, search for the app you want to use. Open the app's page, and copy
the URL to the clipboard. You can now use this as the URL in either the allowed or blocked apps list.
Example: Search the store for the Skype app. The URL you use will be
http://www.windowsphone.com/store/app/skype/c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51.

Edit – Lets you edit the name, publisher and URL of the selected app.

Remove – Deletes the selected app from the list.

Import – Imports a list of apps you have specified in a comma-separated values file. Use the format
"application name, publisher, app URL" in the file.
How to create configuration items for Windows Phone devices managed with Intune
3/6/2017

Applies to: System Center Configuration Manager (Current Branch)


Use the System Center Configuration Manager Windows Phone configuration item to manage settings for
Windows Phone devices that are enrolled in Microsoft Intune or managed on-premises by Configuration Manager.

Create a Windows Phone configuration item


1. In the Configuration Manager console, click Assets and compliance > Compliance Settings >
Configuration Items.
2. On the Home tab, in the Create group, click Create Configuration Item.
3. On the General page of the Create Configuration Item Wizard, specify a name, and optional description
for the configuration item.
4. Under Specify the type of configuration item that you want to create, select Windows Phone.
5. Click Categories if you create and assign categories to help you search and filter configuration items in the
Configuration Manager console.
6. On the Supported Platforms page, select the specific Windows Phone platforms that will evaluate the
configuration item.
7. On the Device Settings page, select the settings group that you want to configure. See Windows Phone
configuration item settings reference in this topic for details, and then click Next.

TIP
If the setting that you want is not listed, select the Configure additional settings that are not in the default
setting groups check box.

8. On each settings page, configure the settings you require, and whether you want to remediate them when
they are not compliant on devices (when this is supported).
9. For each settings group, you can also configure the severity that will be reported (in Configuration Manager
reports) when a configuration item is found to be noncompliant from:
None - Devices that fail this compliance rule do not report a failure severity.
Information - Devices that fail this compliance rule report a failure severity of Information.
Warning - Devices that fail this compliance rule report a failure severity of Warning.
Critical - Devices that fail this compliance rule report a failure severity of Critical.
Critical with event - Devices that fail this compliance rule report a failure severity of Critical. This
severity level is also logged as a Windows event in the application event log.
10. On the Platform Applicability page, review any settings that are not compatible with the supported
platforms you selected earlier. You can go back and remove these settings, or you can continue.
TIP
Unsupported settings are not assessed for compliance.

11. Complete the wizard.


You can view the new configuration item in the Configuration Items node of the Assets and Compliance
workspace.

Windows Phone configuration item settings reference


Password
These settings apply to both Windows Phone 8 and Windows Phone 8.1.

SETTING DETAILS

Require password settings on devices – Require a password on supported devices.

Minimum password length (characters) – The minimum length for the password.

Password expiration in days – The number of days before a password must be changed.

Number of passwords remembered – Prevents re-using previously used passwords.

Number of failed logon attempts before device is wiped – Wipes the device if this number of login attempts
fail.

Idle time before device is locked – Specifies the amount of time a device must remain idle before the screen
is automatically locked.

Password complexity – Choose whether you can specify a PIN such as '1234', or whether you must supply a
strong password.

Allow simple passwords – Specifies that simple passwords such as '0000' and '1234' can be used.

Send password recovery PIN to Exchange Server –

Device
SETTING DETAILS

Screen capture – Allow the user to take a screenshot of the device display. (Windows Phone 8.1 only)

Diagnostic data submission – Allow submission of app log files.

Geolocation – Allow the device to use location services information. (Windows Phone 8.1 only)

Copy and Paste – Use copy and paste to transfer data between apps. (Windows Phone 8.1 only)

Bluetooth – Allows use of the Bluetooth capability of the device.

Email management
These settings apply to both Windows Phone 8 and Windows Phone 8.1.

SETTING DETAILS

POP and IMAP email – Allows connection to email accounts that use the POP and IMAP standards.

Maximum time to keep email – How long to keep email before it is deleted from the server.

Allowed message formats – Specify whether user emails can be HTML, or plain text only.

Maximum size for plain text email (automatically downloaded) – Controls the maximum size of plain text
emails when automatically downloaded.

Maximum size for HTML email (automatically downloaded) – Controls the maximum size of HTML emails when
automatically downloaded.

Maximum size of an attachment (automatically downloaded) – Controls the maximum size of an email attachment
that will be automatically downloaded.

Calendar synchronization – Lets users synchronize calendar appointments in addition to email.

Custom email account – Allow using a non-Microsoft account on the device.

Make Microsoft Account optional in Windows Mail app –

Store
These settings apply to Windows Phone 8.1 devices only.

SETTING DETAILS

Application store – Allows access to the app store on the device.

Browser
These settings apply to both Windows Phone 8 and Windows Phone 8.1.

SETTING DETAILS

Allow web browser – User can change the default Internet browser.

Autofill – User can change autocomplete settings in the browser.

Active scripting – Browser can run scripts, such as JavaScript.

Plug-ins – User can add plug-ins to Internet Explorer.

Pop-up blocker – Enables or disables the browser pop-up blocker.

Cookies – Allow cookies to be saved on the device.

Fraud warning – Enable or disable warnings of potentially fraudulent websites.

Internet Explorer
These settings apply to both Windows Phone 8 and Windows Phone 8.1.

SETTING DETAILS

Always send Do Not Track header – Sends the Do Not Track header with every request, asking sites not to
track the browsing session. Sites are not obliged to honor it, so it is a preference signal, not a control.

Intranet security zone –

Security level for Internet zone – Configure the security level for the Internet zone.

Security level for intranet zone – Configure the security level for the intranet zone.

Security level for trusted sites zone – Configure the security level for the trusted sites zone.

Security level for restricted sites zone – Configure the security level for the restricted sites zone.

Namespaces for intranet zone –

Go to intranet site for single word entry – Enables or disables the setting that allows Internet Explorer to
automatically go to an intranet site if a valid site name is entered without a preceding http:.

Enterprise mode menu option – Allow users to activate and deactivate Enterprise Mode from the Internet
Explorer Tools menu.

Logging report location (URL) – Specify a URL where visited websites will be logged when Enterprise Mode is
active.

Enterprise Mode site list location (URL) – Specify the location of the list of websites that will use
Enterprise Mode when it is active.

Cloud
SETTING DETAILS

Settings synchronization – Allows synchronization of settings between devices.

Credentials synchronization – Allows synchronization of credentials between devices.

Microsoft Account – Allow the use of a Microsoft account on the device. (Windows Phone 8.1 only)

Settings synchronization over metered connections – Allow settings to be synchronized when the Internet
connection is metered.

Security
SETTING DETAILS

Unsigned file installation – Allows the loading of unsigned files.

Unsigned applications – Allows the loading of unsigned apps.

SMS and MMS messaging – Allow SMS and MMS messaging from the device.

Removable storage – Allow use of removable storage, like an SD card, on the device.

Camera – Allow use of the device camera.

Near field communication (NFC) – Allow communication using NFC on the device. (Windows Phone 8.1 only)

Allow USB connection – Controls whether devices can access external storage devices through a USB
connection.

Peak synchronization
These settings apply to both Windows Phone 8 and Windows Phone 8.1.

SETTING DETAILS

Specify peak time – Configure the peak time for mobile device synchronization.

Peak synchronization frequency – Configure how often synchronization occurs during the peak hours you
configured.

Off-peak synchronization frequency – Configure how often synchronization occurs outside of the peak hours
you configured.

Roaming
These settings apply to both Windows Phone 8 and Windows Phone 8.1.

SETTING DETAILS

Device management while roaming – Allows the device to be managed by Configuration Manager when it is
roaming.

Software download while roaming – Allows the download of apps and software when roaming.

Email download while roaming – Allows email downloads when roaming.

Data roaming – Allow roaming between networks when accessing data.

Encryption
These settings apply to both Windows Phone 8 and Windows Phone 8.1.

SETTING DETAILS

Storage card encryption – Require any storage cards used with the device to be encrypted.

File encryption on device – Requires that files on the mobile device are encrypted.

Require email signing – Require emails to be signed before they are sent.

Signing algorithm – Select the algorithm used to sign emails.

Require email encryption – Require emails to be encrypted before they are sent.

Encryption algorithm – Select the algorithm used to encrypt emails.

Wireless communications
These settings apply to both Windows Phone 8 and Windows Phone 8.1.

SETTING NAME DETAILS

Wireless network connection – Enable or disable the device's Wi-Fi capability.

Wi-Fi tethering – Lets users use their device as a mobile hotspot.

Offload data to Wi-Fi when possible – Configure this to use the Wi-Fi connection on the device when possible.

Wi-Fi hotspot reporting – Sends information about Wi-Fi connections to help the user discover nearby
connections.

To configure a wireless network connection

1. On the Configure mobile device wireless communication settings page, click Add.
2. In the Wireless Network Connection dialog box, specify the following information about the wireless
connection that will be provisioned on mobile devices, then click OK:

SETTING MORE INFORMATION

Network name (SSID) – Enter the name of the Wi-Fi network.

Network connection – Choose from Internet or Work.

Authentication – Choose the authentication method for the wireless connection from:
- Open
- Shared
- WPA
- WPA-PSK
- WPA2
- WPA2-PSK

Data encryption – Choose the encryption method used by this connection. The values you can select will differ
depending on the Authentication method you selected:
- Disabled
- WEP
- TKIP
- AES

Key index – Select a key index from 1 to 4 that will be used with a Data encryption setting of WEP.

This network connects to the Internet – Select this option if you want to supply proxy settings that let
mobile devices on a wireless connection connect to the Internet.

Proxy server settings – Specify, as required, Server and Port settings for HTTP, WAP and Sockets.

Enable 802.1X network access – Select this option if you want to secure the connection by specifying an EAP
type.

EAP type – Choose the EAP type to use from:
- PEAP
- Smart card or certificate
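The two Wireless Network Connection dialogs on this page (the Windows 8.1/Windows 10 one earlier and this Windows Phone one) offer the same authentication and data encryption choices, and the page only says that the valid encryption values depend on the authentication method. The PowerShell below is an added example, not from the Configuration Manager documentation or the product, that checks a planned profile against the standard WLAN pairings (Open or Shared with WEP or no encryption, WPA/WPA2 variants with TKIP or AES), applies the 802.1X rule for the enterprise variants, and flags the legacy choices a reviewer would reject. The pairing table, the 802.1X rule and the two sample profiles are this example's assumptions.

```powershell
# Added example: sanity-check the values planned for the Wireless Network Connection dialog before provisioning.
# The allowed authentication/encryption pairings follow the standard WLAN profile rules and are this example's
# assumption; the dialog itself only offers the values it considers valid for the chosen authentication.

function Test-WifiProfileSettings {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Ssid,
        [Parameter(Mandatory)][ValidateSet('Open','Shared','WPA','WPA-PSK','WPA2','WPA2-PSK')][string]$Authentication,
        [Parameter(Mandatory)][ValidateSet('Disabled','WEP','TKIP','AES')][string]$DataEncryption,
        [ValidateRange(1,4)][int]$KeyIndex = 1,        # only meaningful with WEP
        [switch]$Enable8021X,
        [ValidateSet('PEAP','Smart card or certificate')][string]$EapType
    )

    # Which data encryption values go with which authentication method.
    $allowed = @{
        'Open'     = 'Disabled','WEP'
        'Shared'   = 'WEP'
        'WPA'      = 'TKIP','AES'
        'WPA-PSK'  = 'TKIP','AES'
        'WPA2'     = 'TKIP','AES'
        'WPA2-PSK' = 'TKIP','AES'
    }
    $enterprise = 'WPA','WPA2'   # these authenticate each user/device via 802.1X and need an EAP type
    $errors   = New-Object System.Collections.Generic.List[string]
    $warnings = New-Object System.Collections.Generic.List[string]

    if ($allowed[$Authentication] -notcontains $DataEncryption) {
        $errors.Add("Data encryption '$DataEncryption' is not valid with authentication '$Authentication'")
    }
    if ($Authentication -in $enterprise) {
        if (-not $Enable8021X -or -not $EapType) { $errors.Add("$Authentication requires 802.1X with an EAP type") }
    }
    elseif ($Enable8021X) {
        $warnings.Add("802.1X is ignored for $Authentication; the profile authenticates with a shared key or not at all")
    }
    if ($PSBoundParameters.ContainsKey('KeyIndex') -and $DataEncryption -ne 'WEP') {
        $warnings.Add('Key index only applies to WEP and will be ignored')
    }

    # Security findings: valid combinations that still leave traffic readable or the network spoofable.
    switch ($Authentication) {
        'Open'    { $warnings.Add('Open authentication: user traffic on this SSID is not encrypted') }
        'Shared'  { $warnings.Add('Shared-key authentication exposes the WEP key to an offline attack') }
        'WPA'     { $warnings.Add('WPA (version 1) is deprecated; prefer WPA2') }
        'WPA-PSK' { $warnings.Add('WPA (version 1) is deprecated; prefer WPA2-PSK') }
    }
    switch ($DataEncryption) {
        'WEP'  { $warnings.Add('WEP is broken; keys are recoverable from captured traffic') }
        'TKIP' { $warnings.Add('TKIP is deprecated; use AES') }
    }
    if ($Authentication -like '*-PSK') {
        $warnings.Add('The pre-shared key is identical on every device; one lost device means rotating it everywhere. Prefer 802.1X')
    }

    [pscustomobject]@{
        Ssid           = $Ssid
        Authentication = $Authentication
        DataEncryption = $DataEncryption
        Valid          = ($errors.Count -eq 0)
        Errors         = $errors.ToArray()
        Warnings       = $warnings.ToArray()
    }
}

# Constructed examples: a legacy profile as it is often found, and the replacement a reviewer would ask for.
Test-WifiProfileSettings -Ssid 'CORP-LEGACY' -Authentication 'WPA-PSK' -DataEncryption 'TKIP' -KeyIndex 2
Test-WifiProfileSettings -Ssid 'CORP' -Authentication 'WPA2' -DataEncryption 'AES' -Enable8021X -EapType 'Smart card or certificate'
```

The first call is valid as far as the dialog is concerned but comes back with four warnings (ignored key index, WPA version 1, TKIP, shared key); the second comes back clean. Run it over every profile in the configuration item before deployment, since a legacy profile pushed to all devices is hard to withdraw once users have joined the network.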

Certificates
Lets you import certificates to install on mobile devices.
Click Import, and then specify the following values:
Certificate file – Click Browse and then select the certificate file with the extension .cer that you want to
import.
Destination store – Choose one or more destination stores where the imported certificate will be added on
the mobile device from: Root, CA, Normal, Privileged, SPC, Peer.
Role – If SPC (Software Publisher Certificate) is selected as the destination store, choose the role that will be
associated with the certificate from: Mobile Operator, Manager, User Authenticated, IT Administrator, User
Unauthenticated, Trusted Provisioning Server.
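Both Certificates sections on this page (the Windows 8.1/Windows 10 one earlier, and this Windows Phone one) import a .cer into a chosen destination store without saying what to check first, and a certificate that lands in Root is trusted for every purpose by every device that receives the configuration item. The PowerShell below is an added example, not part of the Configuration Manager documentation, that inspects the file before import and reports what is wrong with it for the chosen store. The thresholds (2048-bit RSA, 20-year validity, MD5/SHA-1 signatures) are this example's choices, and the demonstration at the end creates and then removes a throwaway self-signed certificate with New-SelfSignedCertificate, which needs Windows 10 or Windows Server 2016.

```powershell
# Added example: inspect a .cer before adding it to a configuration item, with the destination store in mind.
# The checks and thresholds below are this example's own choices, not a documented Configuration Manager rule.

function Test-CertificateForDestinationStore {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('Root','CA','Normal','Privileged','SPC','Peer')][string]$DestinationStore
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $findings = New-Object System.Collections.Generic.List[string]

    # BasicConstraints says whether this certificate may issue others; Subject == Issuer marks a self-signed anchor.
    $bc   = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $isCa = ($null -ne $bc) -and $bc.CertificateAuthority
    $selfSigned = ($cert.Subject -eq $cert.Issuer)

    if (($DestinationStore -in 'Root','CA') -and -not $isCa) {
        $findings.Add('Not a CA certificate (BasicConstraints CA=false or absent); do not place it in Root or CA')
    }
    if ($DestinationStore -eq 'Root' -and -not $selfSigned) {
        $findings.Add("Root store expects a self-signed trust anchor; this certificate is issued by '$($cert.Issuer)'")
    }
    if (($DestinationStore -in 'Normal','Peer') -and $isCa) {
        $findings.Add("CA certificate targeted at the $DestinationStore store; confirm this is intended")
    }
    if ($DestinationStore -eq 'Root') {
        $findings.Add('Root store: every device will trust anything chained to this key. Verify the thumbprint out of band and confirm the private key is held offline')
    }

    $now = Get-Date
    if ($cert.NotAfter  -lt $now) { $findings.Add("Expired on $($cert.NotAfter)") }
    if ($cert.NotBefore -gt $now) { $findings.Add("Not valid until $($cert.NotBefore)") }
    if ($cert.NotAfter -gt $now.AddYears(20)) { $findings.Add('Validity longer than 20 years; plan for rotation instead') }
    if ($cert.SignatureAlgorithm.FriendlyName -match 'md5|sha1') {
        $findings.Add("Weak signature algorithm $($cert.SignatureAlgorithm.FriendlyName)")
    }
    # GetRSAPublicKey returns $null for non-RSA keys, so ECC certificates simply skip the size check.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($null -ne $rsa -and $rsa.KeySize -lt 2048) { $findings.Add("RSA key size $($rsa.KeySize) is below 2048 bits") }

    [pscustomobject]@{
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        Thumbprint       = $cert.Thumbprint
        IsCA             = $isCa
        SelfSigned       = $selfSigned
        NotAfter         = $cert.NotAfter
        DestinationStore = $DestinationStore
        Findings         = $findings.ToArray()
    }
}

# Constructed demonstration (Windows 10 / PowerShell 5.1): create a throwaway self-signed *leaf* certificate,
# export it as .cer, and check it as if it were about to be pushed to the Root store. Nothing here is a real
# corporate certificate, and the temporary certificate is removed from the user store again.
$tmpCert = New-SelfSignedCertificate -Subject 'CN=Demo leaf, not a CA' -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddDays(1)
$cerPath = Join-Path $env:TEMP 'demo-leaf.cer'
try {
    Export-Certificate -Cert $tmpCert -FilePath $cerPath | Out-Null
    Test-CertificateForDestinationStore -Path $cerPath -DestinationStore Root | Format-List
}
finally {
    Remove-Item -Path "Cert:\CurrentUser\My\$($tmpCert.Thumbprint)" -ErrorAction SilentlyContinue
    Remove-Item -Path $cerPath -ErrorAction SilentlyContinue
}
```

For the demo certificate the report lists two findings: it is not a CA, and the Root-store reminder. For a real import, compare the Thumbprint the function prints with the value the issuing team gives you over a separate channel; a .cer received by email or downloaded from a share is exactly the artifact an attacker would substitute.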
System security
These settings apply to both Windows Phone 8 and Windows Phone 8.1.

SETTING DETAILS

User Account Control – Enables or disables Windows User Account Control on the device.

Network firewall – Enables or disables Windows Firewall.

Updates – Choose how Windows software updates will be downloaded to computers. For example, you can
automatically download updates, but let the user choose when to install them.

Minimum classification of updates – Choose the minimum classification of updates that will be downloaded
to Windows computers: None, Important, or Recommended.

SmartScreen – Enable or disable Windows SmartScreen.

Virus protection – Ensure that the device is protected by antivirus software.

Virus protection signatures are up to date – Ensure that the antivirus software signatures are up to date.

Allow manual unenrollment –

Windows Server Work Folders
These settings apply to both Windows Phone 8 and Windows Phone 8.1.

SETTING DETAILS

Work Folders URL – Configures the location of a Windows Server work folder that users can connect to from
their device.

Windows Phone allowed and blocked apps list (Windows Phone 8.1 only)
Lets you specify a list of Windows Phone apps that are compliant, or not compliant, in your company. Apps that
you specify as blocked cannot be installed by users. If you specify a list of allowed apps, users can only install
apps in the list.
You cannot specify both allowed and blocked apps in the same configuration item.

IMPORTANT
If you specify a list of allowed apps, you must ensure that the company portal app, and any apps you have deployed to
Windows Phone 8.1 devices, are in the Allowed apps list.

To specify an allowed or blocked apps list

1. On the Allowed and Blocked Apps list (Windows Phone 8.1) page, specify the following information:

SETTING MORE INFORMATION

Blocked apps list – Select this option if you want to specify a list of apps that users will not be allowed
to install.

Allowed apps list – Select this option if you want to specify a list of apps that users are allowed to
install.

Add – Adds an app to the selected list. Specify a name of your choice, optionally the app publisher, and the
URL to the app in the app store.
To specify the URL, from the Windows Phone Store page, search for the app you want to use.
Example: Search the store for the Skype app. The URL you use will be
http://www.windowsphone.com/en-us/store/app/skype/c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51.
For the company portal app, or line of business apps, you do not have to specify a full URL, only the app
GUID.

Edit – Lets you edit the name, publisher and URL of the selected app.

Remove – Deletes the selected app from the list.

Import – Imports a list of apps you have specified in a comma-separated values file. Use the format
"application name, publisher, app URL" in the file.
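Both allowed/blocked list tables on this page (the Windows 8.1/Windows 10 one earlier, and this Windows Phone 8.1 one) accept an Import from a comma-separated file in the format application name, publisher, app URL, and identify an app by the GUID at the end of its store URL. The PowerShell below is an added example, not part of the Configuration Manager documentation, that validates such a file before import: it extracts the GUID from each URL, accepts a bare GUID for the Company Portal or a line of business app, flags rows whose URL is neither, flags duplicates that differ only in locale or letter case, and for an allowed list checks that the apps you say must be present actually are. The URL pattern, the constructed sample rows and the placeholder GUIDs are this example's assumptions; the Skype URL is the one quoted on this page, and the Company Portal GUID for your tenant is something you look up yourself.

```powershell
# Added example: validate an allowed/blocked apps list before importing it with the Import button.
# The Import format on this page is: application name, publisher, app URL (no header row).
# The store URL pattern and the required-app handling are this example's assumptions.

function Test-AppListCsv {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$CsvText,
        [ValidateSet('Allowed','Blocked')][string]$ListType = 'Blocked',
        # App GUIDs that must be present on an *allowed* list (the Company Portal and any deployed LOB apps).
        # Look them up in your own tenant; none are given here.
        [string[]]$RequiredAppIds = @()
    )

    $guidPattern = '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'
    # Store page URLs look like http://www.windowsphone.com/<locale>/store/app/<name>/<guid>; the GUID is the identity.
    $storeUrl = "^https?://www\.windowsphone\.com/(?:[a-z]{2}-[a-z]{2}/)?store/app/[^/]+/($guidPattern)$"

    $rows = $CsvText | ConvertFrom-Csv -Header 'Name','Publisher','Url'
    $problems = New-Object System.Collections.Generic.List[string]
    $seen = @{}   # app GUID -> first row name, for duplicate detection

    $entries = foreach ($r in $rows) {
        $id = $null
        if ([string]::IsNullOrWhiteSpace($r.Name)) { $problems.Add("Row with URL '$($r.Url)': application name is empty") }
        if ($r.Url -match $storeUrl)            { $id = $Matches[1] }
        elseif ($r.Url -match "^$guidPattern$") { $id = $r.Url }       # bare GUID: Company Portal or LOB app
        else { $problems.Add("'$($r.Name)': URL '$($r.Url)' is neither a Windows Phone Store app URL nor an app GUID") }
        if ($id) {
            $id = $id.ToLowerInvariant()
            if ($seen.ContainsKey($id)) { $problems.Add("'$($r.Name)': duplicate of '$($seen[$id])' (same app GUID $id)") }
            else { $seen[$id] = $r.Name }
        }
        [pscustomobject]@{ Name = $r.Name; Publisher = $r.Publisher; Url = $r.Url; AppId = $id }
    }

    if ($ListType -eq 'Allowed') {
        foreach ($req in $RequiredAppIds) {
            if (-not $seen.ContainsKey($req.ToLowerInvariant())) {
                $problems.Add("Allowed list is missing required app $req; devices would be unable to install it")
            }
        }
    }

    [pscustomobject]@{
        ListType = $ListType
        Entries  = @($entries)
        Problems = $problems.ToArray()
        Valid    = ($problems.Count -eq 0)
    }
}

# Constructed sample list: the Skype URL is the one quoted on this page; the other GUIDs are placeholders.
$sample = @'
Skype,Microsoft,http://www.windowsphone.com/en-us/store/app/skype/c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51
Company Portal,Microsoft,00000000-0000-0000-0000-000000000001
Skype (duplicate),Microsoft,http://www.windowsphone.com/store/app/skype/C3F8E570-68B3-4D6A-BDBB-C0A3F4360A51
Some tool,Contoso,https://example.com/not-a-store-link
'@
$result = Test-AppListCsv -CsvText $sample -ListType Allowed -RequiredAppIds '00000000-0000-0000-0000-000000000001','00000000-0000-0000-0000-0000000000aa'
$result.Entries | Format-Table -AutoSize
$result.Problems
```

With the sample input the function reports three problems: the duplicate Skype row, the row whose URL is not a store link, and the second required GUID that is absent from the allowed list. The last check matters most for an allowed list, because the IMPORTANT note above is easy to get wrong: omit the Company Portal and the devices lose the app they need to stay managed.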
Create configuration items for iOS and Mac OS X devices managed with Intune
3/6/2017

Applies to: System Center Configuration Manager (Current Branch)


Use the System Center Configuration Manager iOS and Mac OS X configuration item to manage settings for iOS
and Mac OS X devices that are enrolled in Microsoft Intune or managed on-premises by Configuration Manager.

To create an iOS and Mac OS X configuration item


1. In the Configuration Manager console, click Assets and compliance > Compliance Settings >
Configuration Items.
2. On the Home tab, in the Create group, click Create Configuration Item.
3. On the General page of the Create Configuration Item Wizard, specify a name, and optional description
for the configuration item.
4. Under Specify the type of configuration item that you want to create, select iOS and Mac OS X.
5. Click Categories if you create and assign categories to help you search and filter configuration items in the
Configuration Manager console.
6. On the Supported Platforms page, select the specific iOS, or Mac OS X platforms that will evaluate the
configuration item.
7. On the Device Settings page, select the settings group that you want to configure. See iOS and Mac OS X
configuration item settings reference in this topic for details, and then click Next.

TIP
If the setting that you want is not listed, select the Configure additional settings that are not in the default
setting groups check box.

8. On each settings page, configure the settings you require, and whether you want to remediate them when
they are not compliant on devices (when this is supported).
9. For each settings group, you can also configure the severity that will be reported (in Configuration Manager
reports) when a configuration item is found to be noncompliant from:
None - Devices that fail this compliance rule do not report a failure severity.
Information - Devices that fail this compliance rule report a failure severity of Information.
Warning - Devices that fail this compliance rule report a failure severity of Warning.
Critical - Devices that fail this compliance rule report a failure severity of Critical.
Critical with event - Devices that fail this compliance rule report a failure severity of Critical. This
severity level is also logged as a Windows event in the application event log.
10. On the Platform Applicability page, review any settings that are not compatible with the supported
platforms you selected earlier. You can go back and remove these settings, or you can continue.
TIP
Unsupported settings are not assessed for compliance.

11. Complete the wizard.


You can view the new configuration item in the Configuration Items node of the Assets and Compliance
workspace.

iOS and Mac OS X configuration item settings reference


Password
SETTING NAME DETAILS

Require password settings on mobile devices – Require a password on supported devices.

Minimum password length (characters) – The minimum length for the password.

Password expiration in days – The number of days before a password must be changed.

Number of passwords remembered – Prevents re-using previously used passwords.

Number of failed logon attempts before device is wiped – Wipes the device if this number of login attempts
fail. (iOS only)

Idle time before device is locked – Specifies the number of minutes of inactivity before the device
automatically locks.

Password complexity – Choose whether you can specify a PIN such as '1234', or whether you must supply a
strong password.

Allow simple passwords – Specifies that simple passwords such as '0000' and '1234' can be used.

Fingerprint for unlocking – Allow using a fingerprint to unlock the device.

Device
These settings apply to both iOS and Mac OS X devices.

SETTING NAME DETAILS

Voice dialing – Allows use of the voice dialing feature on the device.

Voice assistant – Allows use of a voice assistant app like Siri.

Voice assistant while locked – Allows use of a voice assistant app like Siri when the device is locked.

Screen capture – Allows you to take a screenshot of the device display.

Video chat client – Allows use of video chat apps like FaceTime.

Add game center friends – Allows you to add friends in the Game Center app.

Multiplayer gaming – Allows you to play games with other players on the Internet.

Personal wallet software while locked – Allows use of personal wallet software like Passbook while the
device is locked.

Diagnostic data submission – Allow submission of app log files.

Store
These settings apply to iOS devices only.

SETTING NAME DETAILS

Application store – Allows access to the app store on the device.

Enter a password to access the application store – Users must enter a password to access the app store.

In-app purchases – Allows users to make in-app purchases.

Browser
These settings apply to iOS devices only.

SETTING NAME DETAILS

Allow web browser – User can use the default device web browser.

Autofill – User can change autocomplete settings in the browser.

Active scripting – Browser can run scripts, such as JavaScript.

Pop-up blocker – Enables or disables the browser pop-up blocker.

Cookies – Allow cookies to be saved on the device.

Fraud warning – Enable or disable warnings of potentially fraudulent websites.

Content rating
These settings apply to iOS devices only.

SETTING NAME DETAILS

Explicit content in media store – Specify if you want to allow adult content to be accessed from the app
store.

Ratings region – Specifies the country for which you want to apply ratings restrictions.

Movie rating – Specify the maximum rating of movie content you want to allow.

TV show rating – Specify the maximum rating of TV show content you want to allow.

App rating – Specify the maximum rating of app content you want to allow.

NOTE
The ratings you can select will vary depending on the Ratings region you selected.

Cloud
These settings apply to iOS devices only.

SETTING NAME DETAILS

Cloud backup Allow backup to a cloud service like iCloud.

Encrypted backup Allow the backup to a cloud service to be encrypted.

Document synchronization Allow document synchronization to a cloud service.

Photo synchronization Allow photo synchronization to a cloud service.

Security
These settings apply to iOS devices only.

SETTING NAME DETAILS

Camera Allow use of the device camera.

Roaming
These settings apply to iOS devices only.

SETTING NAME DETAILS

Voice roaming Allows voice calls when roaming.

Automatic synchronization while roaming Allows the device to automatically synchronize when roaming.

Data roaming Allow roaming between networks when accessing data.

System security
These settings apply to iOS devices only.

SETTING NAME DETAILS

User to accept untrusted TLS certificates If Allowed, lets the user accept these certificates. If
Prohibited, automatically rejects untrusted certificates.

Allow Activation Lock (supervised mode only) Use this setting to enable iOS Activation Lock on supervised
iOS devices that you manage. For more information about
Activation Lock, see Manage iOS Activation Lock.

Lock screen control center Controls whether the control center app can be accessed
when the device is locked.

Lock screen notification view Controls whether notifications can be viewed when the device
is locked.

Lock screen today view Controls whether the Today view can be seen when the device
is locked.

Data protection
These settings apply to iOS devices only.

SETTING NAME DETAILS

Open documents in managed apps in other unmanaged apps For use with apps managed by Configuration Manager application management policies.

Open documents in unmanaged apps in other managed apps For use with apps managed by Configuration Manager application management policies.

Compliant and noncompliant apps (iOS)


Lets you specify a list of iOS apps that are compliant, or not compliant in your company. You can then use reports
to display devices that have noncompliant apps installed, and the associated user.
You cannot specify both compliant and noncompliant apps in the same configuration item.
To specify the compliant or noncompliant apps list
1. On the Compliant and Noncompliant Apps (iOS) page, specify the following information:
Noncompliant apps list - Select this option if you want to specify a list of apps that will be reported
as noncompliant if installed by users.
Compliant apps list - Select this option if you want to specify a list of apps that users are allowed to
install. Any other installed apps will be reported as noncompliant.
Add - Adds an app to the selected list. Specify a name of your choice, optionally the app publisher,
and the URL to the app in the app store.
To specify the URL, from the iTunes App Store, search for the app you want to use.
Open the app’s page, and copy the URL to the clipboard. You can now use this as the URL in either
the compliant or noncompliant apps list.
Example: Search the store for the Microsoft Word for iPad app. The URL you use will be
https://itunes.apple.com/us/app/microsoft-word-for-ipad/id586447913?mt=8.
Edit - Lets you edit the name, publisher and URL of the selected app.
Remove - Deletes the selected app from the list.
Import - Imports a list of apps you have specified in a comma-separated values file. Use the format,
application name, publisher, app URL in the file.
2. When you are finished, click Next.
You can use one of the following reports to monitor compliant and noncompliant apps:
List of noncompliant Apps and Devices for a specified user - Displays information about users and
devices that have apps installed that are not compliant with a policy you specified.
Summary of Users who have Noncompliant Apps - Displays information about users that have apps
installed that are not compliant with a policy you specified.
For information about how to use reports, see Reporting in System Center Configuration Manager.
Compliant and noncompliant apps (Mac OS X)
Lets you specify a list of Mac OS X apps that are compliant, or not compliant in your company. You can then use
reports to display devices that have noncompliant apps installed, and the associated user.
You cannot specify both compliant and noncompliant apps in the same configuration item.
To specify the compliant or noncompliant apps list
1. On the Compliant and Noncompliant Apps (Mac OS X) page, specify the following information:
Noncompliant apps list - Select this option if you want to specify a list of apps that will be reported
as noncompliant if installed by users.
Compliant apps list - Select this option if you want to specify a list of apps that users are allowed to
install. Any other installed apps will be reported as noncompliant.
Add - Adds an app to the selected list. Specify a name of your choice, optionally the app publisher,
and the bundle ID of the app.

TIP
To find the bundle ID of an app, use the following steps on a Mac computer that has the app installed:
1. Open the folder in which the app is installed (for example, /Applications)
a. Select the .app bundle, and choose Show Package Contents
b. Open the Info.plist file
c. Check the value associated with the key CFBundleIdentifier
The format for Bundle ID is com.contoso.appname

Edit - Lets you edit the name, publisher and bundle ID of the selected app.
Remove - Deletes the selected app from the list.
Import - Imports a list of apps you have specified in a comma-separated values file. Use the format,
app name, publisher, app bundle ID in the file.
2. When you are finished, click Next. Configuration items containing compliant and noncompliant app
settings must be deployed to collections of users.
You can use one of the following reports to monitor compliant and noncompliant apps:
List of noncompliant Apps and Devices for a specified user - Displays information about users and
devices that have apps installed that are not compliant with a policy you specified.
Summary of Users who have Noncompliant Apps - Displays information about users that have apps
installed that are not compliant with a policy you specified.
For information about how to use reports, see Reporting in System Center Configuration Manager.
iOS and Mac OS X custom profile settings
Use iOS and Mac OS X Custom Profiles to deploy settings that you created using the Apple Configurator tool to
iOS and Mac OS X devices. This tool lets you create many settings that control the operation of these devices and
export them to a configuration profile. You can then import this configuration profile into an iOS and Mac OS X
custom profile and deploy the settings to users and devices in your organization.

NOTE
Ensure that the settings you export from the Apple Configurator tool are compatible with the version of iOS or Mac OS X on
the devices to which you deploy the profile. For information about how incompatible settings are resolved, search for
Configuration Profile Reference and Mobile Device Management Protocol Reference on the Apple Developer web site.

To create an iOS and Mac OS X custom profile


1. On the Configure iOS and Mac OS X custom profile settings page of the Create Configuration Item
Wizard, specify the following information:
Custom configuration profile name (displayed to users) - Provide a name for the policy as it will
be displayed on the device, and in Configuration Manager reports.
Import - Choose a file that you exported from the Apple Configurator tool.
Configuration profile details - Displays the file that you imported.
Remediate noncompliant settings -
Select if you want to remediate noncompliant configuration settings (when supported).
Noncompliance severity for reports - Specify the severity level that is reported if this compliance
policy is evaluated as noncompliant. The available severity levels are the following:

NOTE
When a Mac OS X device is in Sleep mode, policies and profiles cannot be delivered or inventoried. As a
result, the Configuration Manager console might temporarily display the status Policy settings in error until
the next time the device wakes from Sleep mode.

None Devices that fail this compliance rule do not report a failure severity for Configuration
Manager reports.
Information Devices that fail this compliance rule report a failure severity of Information for
Configuration Manager reports.
Warning Devices that fail this compliance rule report a failure severity of Warning for
Configuration Manager reports.
Critical Devices that fail this compliance rule report a failure severity of Critical for
Configuration Manager reports.
Critical with event Devices that fail this compliance rule report a failure severity of Critical
for Configuration Manager reports. This severity level is also logged as a Windows event in
the application event log.

How to create a configuration profile file


You can create the configuration profile file used by the custom policy in two ways:
Export the file (with the extension .mobileconfig) from the Apple Configurator tool.
Author the file yourself using the appropriate schema from the Apple Configuration Profile Key Reference.
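The following is an added example of authoring a profile file yourself, not output from Apple Configurator or Configuration Manager. It builds a minimal Restrictions payload with Python's plistlib; the payload keys are Apple's (Configuration Profile Reference, com.apple.applicationaccess), the mapping from this topic's setting names to those keys and all identifiers are constructed here, and the structural check runs before the file is imported.

```python
"""Author a minimal iOS/Mac OS X restrictions .mobileconfig with plistlib.

Added example, not Apple Configurator or Configuration Manager output. The
payload keys come from Apple's Configuration Profile Reference (Restrictions
payload, com.apple.applicationaccess); the setting-name mapping, identifiers
and display names below are constructed placeholders.
"""
import plistlib
import uuid

# Our own mapping from configuration item settings in this topic to Apple's
# Restrictions payload keys. True means "allowed" (or "forced on" for forceEncryptedBackup).
SETTING_TO_KEY = {
    "Camera": "allowCamera",
    "Screen capture": "allowScreenShot",
    "Cloud backup": "allowCloudBackup",
    "Encrypted backup": "forceEncryptedBackup",
    "Diagnostic data submission": "allowDiagnosticSubmission",
    "User to accept untrusted TLS certificates": "allowUntrustedTLSPrompt",
    "Allow web browser": "allowSafari",
}

REQUIRED_PAYLOAD_KEYS = {"PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion"}


def restrictions_payload(settings, identifier):
    """Build one Restrictions payload dict from {setting name: bool}."""
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Restrictions",
    }
    for name, allowed in settings.items():
        if name not in SETTING_TO_KEY:
            raise ValueError("no Restrictions key mapped for setting %r" % name)
        payload[SETTING_TO_KEY[name]] = bool(allowed)
    return payload


def build_profile(display_name, org, identifier, payloads):
    """Wrap the payloads in the top-level Configuration profile dictionary."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "PayloadOrganization": org,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadRemovalDisallowed": False,
        "PayloadContent": payloads,
    }


def validate_profile(profile):
    """Check the structural keys every payload needs before the file is imported."""
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("top-level PayloadType must be Configuration")
    for p in [profile] + profile.get("PayloadContent", []):
        missing = REQUIRED_PAYLOAD_KEYS - set(p)
        if missing:
            raise ValueError("payload %s missing %s" % (p.get("PayloadType"), sorted(missing)))
    ids = [p["PayloadIdentifier"] for p in profile["PayloadContent"]]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate PayloadIdentifier in PayloadContent")
    return True


def write_mobileconfig(profile):
    """Serialise the profile to the XML plist form a .mobileconfig file uses."""
    validate_profile(profile)
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def example_profile():
    """Constructed example: block camera, screenshots and untrusted TLS prompts,
    and force encrypted backups. Identifiers are placeholders."""
    settings = {
        "Camera": False,
        "Screen capture": False,
        "User to accept untrusted TLS certificates": False,
        "Encrypted backup": True,
    }
    payload = restrictions_payload(settings, "com.contoso.restrictions.example")
    return build_profile("Contoso device restrictions", "Contoso",
                         "com.contoso.profile.example", [payload])


if __name__ == "__main__":
    print(write_mobileconfig(example_profile()).decode())
```

Write the returned bytes to a file with the .mobileconfig extension and import it on the custom profile page as you would an Apple Configurator export.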
Kiosk mode (iOS)
Kiosk mode allows you to lock a device to only allow certain features to work. For example, you can allow a device
to only run one managed app that you specify, or you can disable the volume buttons on a device. These settings
might be used for a demonstration model of a device, or a device that is dedicated to performing only one
function, such as a point of sale device.
To configure kiosk mode for iOS devices
1. On the Configure Kiosk Mode Settings for iOS Devices page of the Create Configuration Item
Wizard, specify the following information:
Select App - Select the app that will be allowed to run when the device is in kiosk mode. No other
apps will be allowed to run on the device. Choose from:
Managed App – Click Browse, then select a managed app.
Store App – specify the URL to an app on the app store then click Get App ID to populate the
App ID field.
To find the app URL:
Using a search engine, find the app you want to use in the iTunes App Store and open the
page for the app.
Copy the URL of the page and use this as the URL to specify the app you want to run in kiosk
mode.
Example: Search for Microsoft Word for iPad. The URL you use will be
https://itunes.apple.com/us/app/microsoft-word-for-ipad/id586447913?mt=8.
Touch - Enables or disables the touch screen on the device.
Screen rotation - Enables or disables changing the screen orientation when you rotate the device.
Volume buttons - Enables or disables the use of the volume buttons on the device.
Ringer switch - Enables or disables the ringer (mute) switch on the device.
Screen sleep and wake button - Enables or disables the screen sleep wake button on the device.
Auto lock - Enables or disables automatic locking of the device.
Mono audio - Enables or disables the accessibility setting Mono audio.
Voice over - Enables or disables the accessibility setting VoiceOver which reads aloud text on the
device display.
Voice over adjustments - Enables or disables voiceover adjustments which let you adjust the
VoiceOver function (for example, how fast on-screen text is read aloud).
Zoom - Enables or disables the Zoom accessibility setting which lets you use touch to zoom into the
device display.
Zoom adjustments - Enables or disables zoom adjustments which let you adjust the zoom function.
Invert colors - Enables or disables the Invert Colors accessibility setting which adjusts the display
to help users with visual impairments.
Invert colors adjustments - Enables or disables invert colors adjustments which let you adjust the
invert colors function.
Assistive touch - Enables or disables the Assistive Touch accessibility setting which helps users
perform on screen gestures which might be difficult for them to perform.
Assistive touch adjustments - Enables or disables assistive touch adjustments which let you adjust
the assistive touch function.
Speech selection - Enables or disables the Speak Selection accessibility settings which can read
aloud the text you select.
Remediate noncompliant settings - Select if you want to remediate noncompliant configuration
settings (when supported).
Noncompliance severity for reports - Specify the severity level that is reported (in Configuration
Manager reports) if this compliance policy is evaluated as noncompliant. The available severity levels
are:
None Devices that fail this compliance rule do not report a failure severity.
Information Devices that fail this compliance rule report a failure severity of Information.
Warning Devices that fail this compliance rule report a failure severity of Warning.
Critical Devices that fail this compliance rule report a failure severity of Critical.
Critical with event Devices that fail this compliance rule report a failure severity of Critical.
Create configuration items for Android and Samsung
KNOX Standard devices managed with Intune
3/6/2017 • 7 min to read

Applies to: System Center Configuration Manager (Current Branch)


Use the System Center Configuration Manager Android and Samsung KNOX configuration item to manage
settings for Android and Samsung KNOX Standard devices that are enrolled in Microsoft Intune or managed
on-premises by Configuration Manager.

Create an Android and Samsung KNOX Standard configuration item


1. In the Configuration Manager console, click Assets and compliance > Compliance Settings >
Configuration Items.
2. On the Home tab, in the Create group, click Create Configuration Item.
3. On the General page of the Create Configuration Item Wizard, specify a name, and optional description
for the configuration item.
4. Under Specify the type of configuration item that you want to create, select Android and Samsung
KNOX.
5. Click Categories if you want to create and assign categories to help you search for and filter configuration items
in the Configuration Manager console.
6. On the Supported Platforms page, select the specific Android or Samsung KNOX Standard platforms that
will evaluate the configuration item.
7. On the Device Settings page, select the settings group that you want to configure. See Android and
Samsung KNOX Standard configuration item settings reference in this topic for details, and then click Next.

TIP
If the setting that you want is not listed, select the Configure additional settings that are not in the default
setting groups check box.

8. On each settings page, configure the settings you require, and whether you want to remediate them when
they are not compliant on devices (when this is supported).
9. For each settings group, you can also configure the severity that will be reported (in Configuration Manager
reports) when a configuration item is found to be noncompliant from:
None - Devices that fail this compliance rule do not report a failure severity.
Information - Devices that fail this compliance rule report a failure severity of Information.
Warning - Devices that fail this compliance rule report a failure severity of Warning.
Critical - Devices that fail this compliance rule report a failure severity of Critical.
Critical with event - Devices that fail this compliance rule report a failure severity of Critical.
10. On the Platform Applicability page, review any settings that are not compatible with the supported
platforms you selected earlier. You can go back and remove these settings, or you can continue.

TIP
Unsupported settings are not assessed for compliance.

11. Complete the wizard.


You can view the new configuration item in the Configuration Items node of the Assets and Compliance
workspace.

Android and Samsung KNOX Standard configuration item settings reference

Password
These settings apply to both Android and Samsung KNOX Standard devices.

SETTING DETAILS

Require password settings on devices Require a password on supported devices.

Minimum password length (characters) The minimum length for the password.

Password expiration in days The number of days before a password must be changed.

Number of passwords remembered Prevents re-using previously used passwords.

Number of failed logon attempts before device is wiped Wipes the device if this number of login attempts fail.

Idle time before device is locked Select the amount of time before the device will be locked if it
is not being used.

Password quality Select the password complexity level required and also
whether biometric devices can be used.

Allow Smart Lock and other trust agents Lets you control the Smart Lock feature on compatible
Android devices. This phone capability, sometimes known as
trust agents lets you disable or bypass the device lock screen
password if the device is in a trusted location such as when it
is connected to a specific Bluetooth device, or when it is near
to an NFC tag. You can use this setting to prevent end users
from configuring Smart Lock.

Fingerprint for unlocking (KNOX 5.0+) Lets users use a fingerprint for unlocking compatible devices.

Device
These settings apply to Samsung KNOX Standard devices only.

SETTING NAME DETAILS

Voice dialing Enables or disables the voice dialing feature on the device.

Voice assistant Allows the use of voice assistant software on the device.

Screen capture Lets the user capture the screen contents as an image.

Diagnostic data submission Allows the device to submit diagnostic information to Google.

Geolocation Allows the device to utilize location information.

Copy and Paste Allows copy and paste functions on the device.

Factory reset Allow the user to perform a factory reset on the device.

Clipboard share between applications Use the clipboard to copy and paste between apps.

Bluetooth Allows the Bluetooth capability of the device to be used.

Store
SETTING DETAILS

Application store Allows access to the Google Play Store app on the device.

Browser
SETTING DETAILS

Allow web browser Specifies whether the device's default web browser can be
used.

Autofill Allows the autofill function of the web browser to be used.

Active scripting Allows the device web browser to use active scripting.

Pop-up blocker Allows the use of the pop-up blocker in the web browser.

Cookies Allows the device web browser to use cookies.

Cloud
These settings apply to Samsung KNOX Standard devices only.

SETTING DETAILS

Google backup Allows use of Google backup.

Google account auto sync Allows Google account settings to be automatically synchronized.

Security
SETTING DETAILS

SMS and MMS messaging Allows the use of SMS and MMS messaging on the device.

Removable storage Allows the device to use removable storage, like an SD card.

Camera Allows the use of the device camera.

Applies to Android and Samsung KNOX Standard devices.

Near field communication (NFC) Allows operations that use near field communication if the
device supports it.

YouTube Allows use of the YouTube app on the device.

Applies to Samsung KNOX Standard devices only.

Power off Allows the device to be powered off.

Applies to Samsung KNOX Standard devices only.

Roaming
SETTING DETAILS

Voice roaming Allows voice roaming when the device is on a cellular network.

Data roaming Allows data roaming when the device is on a cellular network.

Encryption
These settings apply to both Android and Samsung KNOX Standard devices.

SETTING DETAILS

Storage card encryption Specifies whether the device storage card must be encrypted.

File encryption on device Requires that files on the mobile device are encrypted.

Wireless communications
SETTING DETAILS

Wireless network connection Allows the use of the Wi-Fi capabilities of the device.

Wi-Fi Tethering Allows the use of Wi-Fi tethering on the device.

Kiosk mode (Samsung KNOX Standard only)


Kiosk mode allows you to lock a device to only allow certain features to work. For example, you can allow a device
to only run one managed app that you specify, or you can disable the volume buttons on a device. These settings
might be used for a demonstration model of a device, or a device that is dedicated to performing only one
function, such as a point of sale device.
To configure kiosk mode for a Samsung KNOX Standard device
On the Configure Kiosk Mode Settings for Samsung KNOX Devices page of the Create Configuration Item
Wizard, specify the following information:
Select app - Click Browse to select a Configuration Manager Android application (with the extension .apk) that
will be allowed to run when the device is in kiosk mode. No other apps will be allowed to run on the device.
Volume buttons - Enables or disables the use of the volume buttons on the device.
Screen sleep and wake button - Enables or disables the screen sleep wake button on the device.
Compliant and noncompliant apps (Android)
Lets you specify a list of Android apps that are compliant, or not compliant in your company. You can then use
reports to display devices that have noncompliant apps installed, and the associated user.
You cannot specify both compliant and noncompliant apps in the same configuration item.
To specify the compliant or noncompliant apps list
1. On the Compliant and Noncompliant Apps (Android) page, specify the following information:

SETTING MORE INFORMATION

Noncompliant apps list Select this option if you want to specify a list of apps that
will be reported as noncompliant if installed by users.

Compliant apps list Select this option if you want to specify a list of apps that
users are allowed to install. Any other installed apps will be
reported as noncompliant.

Add Adds an app to the selected list. Specify a name of your choice, optionally the app publisher, and the URL
to the app in the app store.

To specify the URL, from the apps section of Google Play, search for the app you want to use.

Open the app’s page, and copy the URL to the clipboard. You can now use this as the URL in either the
compliant or noncompliant apps list.

Example: Search Google Play for Microsoft Office Mobile. The URL you use will be
https://play.google.com/store/apps/details?id=com.microsoft.office.officehub.

Edit Lets you edit the name, publisher and URL of the selected app.

Remove Deletes the selected app from the list.

Import Imports a list of apps you have specified in a comma-separated values file. Use the format,
application name, publisher, app URL in the file.

2. When you are finished, click Next. Configuration items containing compliant and noncompliant app
settings must be deployed to collections of users.
You can use one of the following reports to monitor compliant and noncompliant apps:
List of noncompliant Apps and Devices for a specified user - Displays information about users and
devices that have apps installed that are not compliant with a policy you specified.
Summary of Users who have Noncompliant Apps - Displays information about users that have apps
installed that are not compliant with a policy you specified.
For information about how to use reports, see Reporting in System Center Configuration Manager.
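The following added example (not Configuration Manager code) shows how the compliant and noncompliant apps lists for iOS, Mac OS X and Android described above resolve to a compliance result: it parses the documented import format (name, publisher, identifier), normalises App Store URLs, Google Play URLs and bundle IDs, reads CFBundleIdentifier from an Info.plist as the Mac OS X TIP describes, and reports which installed apps would be flagged. The CSV rows and the Info.plist are constructed samples.

```python
"""Evaluate installed apps against a compliant or noncompliant apps list.

Added example, not Configuration Manager code. The identifier column may be an
App Store URL (iOS), a Google Play URL (Android) or a bundle ID (Mac OS X).
"""
import csv
import io
import plistlib
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample in the documented import format: name, publisher, identifier.
SAMPLE_CSV = """\
Microsoft Word for iPad,Microsoft,https://itunes.apple.com/us/app/microsoft-word-for-ipad/id586447913?mt=8
Microsoft Office Mobile,Microsoft,https://play.google.com/store/apps/details?id=com.microsoft.office.officehub
Contoso Notes,Contoso,com.contoso.appname
"""

# Constructed Info.plist, as found inside an .app bundle's Contents folder.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.contoso.appname</string>
<key>CFBundleName</key><string>Contoso Notes</string>
</dict></plist>
"""

APP_STORE_ID = re.compile(r"/id(\d+)(?:[/?]|$)")
BUNDLE_ID = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def canonical_id(identifier):
    """Reduce an App Store URL, Google Play URL or bundle ID to a comparable key."""
    identifier = identifier.strip()
    if identifier.startswith(("http://", "https://")):
        url = urlparse(identifier)
        if url.netloc.endswith("apple.com"):
            m = APP_STORE_ID.search(url.path)
            if m:
                return ("ios", m.group(1))
        if url.netloc == "play.google.com":
            pkg = parse_qs(url.query).get("id")
            if pkg:
                return ("android", pkg[0])
        raise ValueError("unrecognised app store URL: %s" % identifier)
    if BUNDLE_ID.fullmatch(identifier):   # reverse-DNS form, e.g. com.contoso.appname
        return ("bundle", identifier)
    raise ValueError("unrecognised app identifier: %s" % identifier)


def parse_app_list(text):
    """Parse 'name, publisher, identifier' rows; the publisher may be empty."""
    apps = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip():
            continue
        if len(row) != 3:
            raise ValueError("expected 3 fields, got %d: %r" % (len(row), row))
        name, publisher, identifier = (field.strip() for field in row)
        apps[canonical_id(identifier)] = (name, publisher)
    return apps


def bundle_id_from_info_plist(plist_bytes):
    """Return CFBundleIdentifier from an app bundle's Info.plist (the Mac OS X TIP)."""
    return plistlib.loads(plist_bytes)["CFBundleIdentifier"]


def evaluate(installed, app_list, mode):
    """Return the installed canonical ids that would be reported as noncompliant.

    mode 'noncompliant': only listed apps are flagged.
    mode 'compliant': any installed app that is not listed is flagged.
    """
    installed, listed = set(installed), set(app_list)
    if mode == "noncompliant":
        return installed & listed
    if mode == "compliant":
        return installed - listed
    raise ValueError("mode must be 'compliant' or 'noncompliant'")
```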
Remotely synchronize policy on Intune-enrolled
devices from the Configuration Manager console
3/6/2017 • 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


You can request a policy sync for a device that is enrolled with Intune from the Configuration Manager console
instead of having to request a sync from the Company Portal app on the device itself.
To do this:
1. Select a device under Assets and Compliance > Overview > Devices.
2. Click Send Sync Request in the Remote Device Actions menu.
After five to ten minutes, any changes in policy will be synced to the device. You can view sync request state
information in a new column in device views, called Remote Sync State, as well as in the discovery data section of
the Properties dialog box for each device.
Manage Applications in System Center Configuration
Manager
3/6/2017 • 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


When you manage devices through Microsoft Intune or Configuration Manager on-premises device management,
you can manage these additional application types:
Windows Phone app package (*.xap file)
App Package for iOS (*.ipa file)
App Package for Android (*.apk file)
App Package for Android on Google Play
Windows Phone app package (in the Windows Phone Store)
Windows Installer through MDM
Web Application
This section provides detailed information about creating and managing applications using hybrid MDM or
on-premises MDM.
Management tasks for System Center Configuration Manager applications provides more general information
about managing System Center Configuration Manager applications and deployment types.

Deploying and monitoring apps


Deploying and monitoring applications in System Center Configuration Manager are the same processes for
mobile devices as they are for onsite devices, such as laptops and desktops. You can read through the following
topics for general information about deploying and monitoring applications:
Deploy applications in System Center Configuration Manager
Monitor applications in System Center Configuration Manager
Here are some considerations to keep in mind when deploying and monitoring applications, specific to mobile
device management.
MDM-enrolled devices do not support simulated deployments, user experience, or scheduling settings.
You can associate the deployment with an iOS app configuration policy if you have already configured one.
See Configure iOS apps with app configuration policies.
Next Steps
You might eventually want to make changes to an application, uninstall an application, or replace an already
deployed application with a new application. Read through Update and retire applications with System Center
Configuration Manager to understand these capabilities.
Create iOS applications with System Center
Configuration Manager
3/6/2017 • 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


A System Center Configuration Manager application has one or more deployment types that comprise the
installation files and information that are required to deploy software to a device. A deployment type also has rules
that specify when and how the software is deployed.
You can create applications by using the following methods:
Automatically create the application and deployment types by reading the application installation files.
Manually create the application and then add deployment types later.
Import an application from a file.
See Start the create application wizard for the steps required to create Configuration Manager applications and
deployment types. Also, keep the following considerations in mind when you create and deploy applications for
iOS devices.

General considerations
Configuration Manager supports the deployment of the following app types:

DEVICE TYPE SUPPORTED FILES

iOS *.ipa

In System Center Configuration Manager, you do not need to specify a property list (.plist) file when importing an iOS app.

The following deployment actions are supported:

DEVICE TYPE SUPPORTED ACTIONS

iOS Available, Required. The user must consent to both installation and uninstallation.

IMPORTANT
Currently, end-users cannot install corporate apps from the Microsoft Intune Company Portal app for iOS. This is because
there are restrictions that are placed on apps that are published in the iOS App Store (see App Store Review Guidelines,
Section 2). Users can install corporate apps (including managed App Store apps and line-of-business app packages) by
browsing to the Intune Web Portal on their device (portal.manage.microsoft.com). For more information about the mobile
management capabilities that are enabled by the Intune Company Portal app, see Enrolled device management capabilities in
Microsoft Intune.
Apply settings to iOS apps with app configuration
policies in System Center Configuration Manager
3/6/2017 • 4 min to read

Applies to: System Center Configuration Manager (Current Branch)


You can use app configuration policies in System Center Configuration Manager (Configuration Manager) to
distribute settings that might be required when a user runs an app. For example, an app might require a user to
specify these details:
A custom port number
Language settings
Security settings
Branding settings, like a company logo
If the user enters the settings incorrectly, the burden to fix them falls on your help desk, and app deployment is
slow. To help you prevent these problems, you can use app configuration policies to deploy required settings to
users before they run the app. The settings are associated with a user automatically. The user doesn't need to take
any action. To use an app configuration policy in Configuration Manager, instead of deploying the configuration
policies directly to users and devices, you associate a policy with a deployment type when you deploy the app. The
policy settings are applied whenever the app checks for them (typically, the first time the app runs).
Currently, app configuration policies are available only on devices running iOS 8 and later, and for these
application types:
app package for iOS (*.ipa file)
app package for iOS from App Store
For more information about app installation types, see the introduction to application management.

Create an app configuration policy


1. In the Configuration Manager console, choose Software Library > Application Management > App
Configuration Policies.
2. On the Home tab, in the App Configuration Policies group, choose Create new Application Configuration
Policy.
3. In the Create App Configuration Policy Wizard, on the General page, set this policy information:
Name. Enter a unique name for the policy.
Description. (Optional) To make it easier to identify the policy, you can add a description.
Assigned categories to improve searching and filtering. (Optional) To create and assign categories
to the policy, choose Categories. Categories make it easier for you to sort and find items in the
Configuration Manager console.
4. On the iOS Policy page, choose how to set the configuration policy information:
Specify name and value pairs. You can use this option for property list files that do not use nesting.
To specify a name and value pair
a. To add a new pair, choose New.
b. In the Add Name/Value Pair dialog box, specify the following:
Type. From the list, select the type of value that you want to specify.
Name. Enter the name of the property list key for which you want to specify a value.
Value. Enter the value that will be applied to the key you entered.
Browse to a property list file. Use this option if you already have an app configuration XML file, or
for more complex files that use nesting.
To browse to a property list file
a. In the App configuration policy field, enter the property list information in the correct XML
format.
To find out more about XML property lists, see Understanding XML Property Lists in the iOS
Developer Library.
The format of the XML property list varies depending on the app you are configuring. Contact
the app supplier for details about the format to use. Intune supports the following data types
in a property list:

<integer>
<real>
<string>
<array>
<dict>
<true /> or <false />

For more information about data types, see About Property Lists in the iOS Developer Library.
Intune also supports the following token types in the property list:

{{userprincipalname}} - (Example: John@contoso.com)
{{mail}} - (Example: John@contoso.com)
{{partialupn}} - (Example: John)
{{accountid}} - (Example: fc0dc142-71d8-4b12-bbea-bae2a8514c81)
{{deviceid}} - (Example: b9841cd9-9843-405f-be28-b2265c59ef97)
{{userid}} - (Example: 3ec2c00f-b125-4519-acf0-302ac3761822)
{{username}} - (Example: John Doe)
{{serialnumber}} - (Example: F4KN99ZUG5V2) for iOS devices
{{serialnumberlast4digits}} - (Example: G5V2) for iOS devices

The {{ and }} characters are used by token types only and must not be used for other
purposes.

b. To import an XML file that you created earlier, choose Select file.
5. Choose Next. If there are errors in the XML code, you'll have to correct them before you continue.
6. Finish the steps shown in the wizard.
The new app configuration policy is shown in the Software Library workspace, in the App Configuration
Policies node.

Associate an app configuration policy with a Configuration Manager application

To associate an app configuration policy with the deployment of an iOS app, deploy the application as you
normally would by using the procedure in the Deploy applications topic.
In the Deploy Software Wizard, on the App Configuration Policies page, choose New. In the Select App
Configuration Policy dialog box, choose an application deployment type and the app configuration policy that
you want to associate with it. When the deployment type is installed, the app configuration policy settings are
applied automatically.

Example format for the mobile app configuration XML file

When you create a mobile app configuration file, you can use this format to specify one or more of the following
values:

<dict>
    <key>userprincipalname</key>
    <string>{{userprincipalname}}</string>
    <key>mail</key>
    <string>{{mail}}</string>
    <key>partialupn</key>
    <string>{{partialupn}}</string>
    <key>accountid</key>
    <string>{{accountid}}</string>
    <key>deviceid</key>
    <string>{{deviceid}}</string>
    <key>userid</key>
    <string>{{userid}}</string>
    <key>username</key>
    <string>{{username}}</string>
    <key>serialnumber</key>
    <string>{{serialnumber}}</string>
    <key>serialnumberlast4digits</key>
    <string>{{serialnumberlast4digits}}</string>
    <key>udidlast4digits</key>
    <string>{{udidlast4digits}}</string>
</dict>

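
The wizard only reports XML errors after you choose Next. The following validator is an added example (it is not
Configuration Manager or Intune code) that applies the rules stated above to a payload before it is pasted into the
App configuration policy field: the XML must parse, only the listed plist data types may appear, every <dict> child
must be a <key>/value pair, every {{token}} must be one of the listed token types, and the {{ and }} characters may
appear nowhere else. The token set is the one listed above; note that the sample XML on this page also uses
{{udidlast4digits}}, which the token list does not include, so the validator flags it unless you add it to
SUPPORTED_TOKENS. The two sample payloads are constructed for the example.

```python
"""Offline validator for an iOS app configuration property list.

Added example, not Configuration Manager or Intune code. It applies the
rules the page states for the App configuration policy field: the XML
parses, only the listed plist data types appear, every <dict> child is a
<key>/value pair, every {{token}} is a documented token type, and '{{' or
'}}' appear nowhere except inside a token.
"""
import re
import xml.etree.ElementTree as ET
from typing import List

# Token types listed on the page. {{udidlast4digits}} appears in the page's
# sample XML but not in its token list, so it is flagged unless added here.
SUPPORTED_TOKENS = {
    "userprincipalname", "mail", "partialupn", "accountid", "deviceid",
    "userid", "username", "serialnumber", "serialnumberlast4digits",
}
SCALAR_TYPES = {"integer", "real", "string", "true", "false"}
_TOKEN = re.compile(r"\{\{([^{}]*)\}\}")


def _check_tokens(text: str, path: str, errors: List[str]) -> None:
    for m in _TOKEN.finditer(text):
        if m.group(1) not in SUPPORTED_TOKENS:
            errors.append(path + ": unknown token {{" + m.group(1) + "}}")
    leftover = _TOKEN.sub("", text)           # anything left with braces is a stray use
    if "{{" in leftover or "}}" in leftover:
        errors.append(path + ": '{{' and '}}' are reserved for token types")


def _check_value(node: ET.Element, path: str, errors: List[str]) -> None:
    tag = node.tag
    if tag == "dict":
        children = list(node)
        if len(children) % 2:
            errors.append(path + ": <dict> has a <key> without a value")
        for i in range(0, len(children) - 1, 2):
            key, value = children[i], children[i + 1]
            if key.tag != "key":
                errors.append(f"{path}: expected <key>, found <{key.tag}>")
                continue
            _check_value(value, f"{path}/{key.text}", errors)
    elif tag == "array":
        for i, child in enumerate(node):
            _check_value(child, f"{path}[{i}]", errors)
    elif tag in SCALAR_TYPES:
        text = (node.text or "").strip()
        _check_tokens(text, path, errors)
        if tag == "integer" and not re.fullmatch(r"-?\d+", text):
            errors.append(f"{path}: <integer> must hold a whole number, got {text!r}")
        elif tag == "real":
            try:
                float(text)
            except ValueError:
                errors.append(f"{path}: <real> must hold a number, got {text!r}")
        elif tag in ("true", "false") and text:
            errors.append(f"{path}: <{tag}/> must be empty")
    else:
        errors.append(f"{path}: unsupported plist type <{tag}>")


def validate_plist(xml_text: str) -> List[str]:
    """Return a list of problems; an empty list means the payload is acceptable."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"XML parse error: {exc}"]
    if root.tag == "plist":                   # a full <plist> wrapper is tolerated
        if len(root) != 1:
            return ["<plist> must contain exactly one root value"]
        root = root[0]
    errors: List[str] = []
    _check_value(root, "", errors)
    return errors


# Constructed sample: listed tokens plus a nested array, an integer and a bool.
SAMPLE_OK = """<dict>
  <key>userprincipalname</key><string>{{userprincipalname}}</string>
  <key>serialnumberlast4digits</key><string>{{serialnumberlast4digits}}</string>
  <key>servers</key><array><string>https://mdm.contoso.example</string></array>
  <key>retries</key><integer>3</integer>
  <key>pinRequired</key><true/>
</dict>"""

# Constructed sample with an unlisted token, an unsupported type, a stray '{{'
# and a <key> that has no value.
SAMPLE_BAD = """<plist version="1.0"><dict>
  <key>udid</key><string>{{udidlast4digits}}</string>
  <key>issued</key><date>2017-03-06</date>
  <key>owner</key><string>{{ not a token</string>
  <key>orphan</key>
</dict></plist>"""

if __name__ == "__main__":
    for name, payload in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, validate_plist(payload) or "no problems")
```

Run it against the payload you intend to paste; each reported path names the <key> under which the problem sits, so
nested <dict> and <array> entries can be located directly in the file.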
Manage volume-purchased iOS apps with System Center Configuration Manager
3/6/2017

Applies to: System Center Configuration Manager (Current Branch)


The iOS app store lets you buy multiple licenses for an app that you want to run in your company. This helps you
reduce the administrative overhead of tracking multiple copies of apps that you bought.
System Center Configuration Manager helps you deploy and manage iOS apps that you bought through the
program by importing the license information from the app store and tracking the number of the licenses that you
have used.

Manage volume-purchased apps for iOS devices


You buy multiple licenses for iOS apps through the Apple Volume Purchase Program (VPP). This involves setting up
an Apple VPP account from the Apple web site and uploading the Apple VPP token to Configuration Manager,
which provides the following capabilities:
Sync your volume purchase information with Configuration Manager.
Apps that you bought are displayed in the Configuration Manager console.
You can deploy apps, monitor these apps, and track the number of licenses for each app that has been used.
Configuration Manager can help you reclaim licenses when required by uninstalling volume-purchased apps
that you deployed to users.

Before you start


Before you begin, you'll need to get a VPP token from Apple and upload this to Configuration Manager.
IMPORTANT
Currently, each organization can have only one VPP account and token.
Only the Apple Volume Purchase Program for Business is supported.
After you associate an Apple VPP account to Intune, you cannot subsequently associate a different account. For
this reason, make sure that more than one person has the details of the account that you use.
If you previously used a VPP token with a different MDM product in your existing Apple VPP account, you must
generate a new one to use with Configuration Manager.
Each token is valid for one year.
By default, Configuration Manager syncs with the Apple VPP service twice a day to ensure that your licenses are
synced with Configuration Manager.
Only changes to your licenses are synced. But, once every seven days, a full sync will be performed.
When you choose Sync to do a manual sync, this will always do a full sync.
If you need to recover or restore your Configuration Manager database, we recommend that you do a manual sync
afterwards to ensure that your synced license data is up to date.
Although you can deploy iOS volume-purchased apps to user or device collections, VPP apps that you deploy to a
device without a user (for instance, a device you enrolled without user affinity using the Device Enrollment
Program (DEP) or Apple Configurator) will not be installed.

Additionally, you must have imported a valid Apple Push Notification service (APNs) certificate from Apple to let
you manage iOS devices, including app deployment. For more information, see Set up iOS hybrid device
management.

Step 1 - To get and upload an Apple VPP token


1. In the Configuration Manager console, choose Administration > Cloud Services > Apple Volume
Purchase Program Tokens.
2. On the Home tab, in the Apple Volume Purchase Program Tokens group, choose Add Apple Volume
Purchase Program Token.
3. On the General page of the Add Apple Volume Purchase Program Token wizard, configure the
following:
Name - Enter a name for this token as it will be displayed in the Configuration Manager console.
Token - Choose Browse, and then choose the VPP token that you downloaded from the Apple web
site.
Choose the See Apple VPP account link, and if you haven't already, sign up for the business or
education volume purchase program. After you are signed up, download the Apple VPP token for
your account.
Description - Optionally, enter a description that will help you identify this VPP token in the
Configuration Manager console.
Assigned categories to improve searching and filtering - Optionally, you can assign categories
to the VPP token to make it easier to search for in the Configuration Manager console.
4. Choose Next, and then finish the wizard.
From the Apple Volume Purchase Program Tokens node, you can now view information about the Apple VPP
token including when it was last updated, when it will expire, and when it was last synced.
You can fully sync the data held by Apple with Configuration Manager at any time by choosing Sync on the Home
tab in the Sync group.

Step 2 - Deploy a volume-purchased app


1. In the Configuration Manager console, choose Software Library > Application Management > License
Information for Store Apps.
2. Choose the app that you want to deploy, and then, in the Home tab, in the Create group, choose Create
Application. Configuration Manager creates an application for the volume-purchased iOS app. You can then
deploy and monitor this application as you would any other Configuration Manager application.

IMPORTANT
You must choose a deployment purpose of Required. Available installations are not currently supported.

When you deploy the app, a license is used by each user who installs the app.
To reclaim a license, you must change the deployment action to Uninstall. The license will be reclaimed
after the app uninstalls.

Step 3 - Monitor iOS VPP apps


The License Information for Store Apps node of the Software Library workspace displays information about
your volume-purchased iOS apps. The information includes the total number of licenses that you own for each app
and the number that have been deployed.
You can also monitor the license usage of all VPP apps that you bought by using the Apple Volume Purchase
Program apps for iOS with license counts report.
This report shows the name of each application together with the total number of licenses that you bought, the
number of licenses available, and more.
For help with running Configuration Manager reports, see Reporting in System Center Configuration Manager.
Create Windows Phone applications with System Center Configuration Manager
3/6/2017

Applies to: System Center Configuration Manager (Current Branch)


A System Center Configuration Manager application has one or more deployment types that comprise the
installation files and information that are required to deploy software to a device. A deployment type also has rules
that specify when and how the software is deployed.
You can create applications by using the following methods:
Automatically create the application and deployment types by reading the application installation files.
Manually create the application and then add deployment types later.
Import an application from a file.
See Start the create application wizard for the steps required to create Configuration Manager applications and
deployment types. Also, keep the following considerations in mind when you create and deploy applications for
Windows Phone devices.

General considerations
Configuration Manager supports deploying the following app file types:

DEVICE TYPE: SUPPORTED FILE TYPES

Windows Phone 8: .xap

Windows Phone 8.1: .xap, .appx, .appxbundle

Windows 10 Mobile: .xap, .appx, .appxbundle

The following deployment actions are supported:

DEVICE TYPE: SUPPORTED ACTIONS

Windows Phone 8, Windows Phone 8.1, and Windows 10 Mobile: Available, Required, Uninstall


Steps to deploy the latest Windows Phone company portal app with supersedence
The following table provides the steps, details, and more information for creating and deploying the latest
Windows Phone 8 company portal app.

STEP: MORE INFORMATION

Step 1: Get the latest company portal app.
Download the Windows Phone 8 company portal app.

Step 2: Sign the company portal app with your Symantec certificate.
For information on how to sign the company portal app, see Set up Windows Phone and Windows 10 Mobile hybrid
device management with System Center Configuration Manager and Microsoft Intune.

Step 3: Create a new application with the latest version of the company portal app, and specify a supersedence
relationship.
For more information, see Create applications and Revise and supersede applications.

Step 4: Add the application to the Microsoft Intune Subscription Wizard.
For more information, see Set up Windows Phone and Windows 10 Mobile hybrid device management with System
Center Configuration Manager and Microsoft Intune.

Step 5: Delete the deployment that was automatically created when you added the company portal app to the
Microsoft Intune Subscription Wizard.
The Microsoft Intune subscription creates an automatic deployment of this app, and that deployment does not
support supersedence.

Step 6: Create a new deployment of the application. On the Deployment Settings page of the Deploy Software
Wizard, check Automatically upgrade any superseded versions of this application.
Create a new deployment with supersedence using the application you created with the supersedence relationship.

Step 7 (Optional): By default, the superseding app installs on devices after 7 days. To deploy the company portal
app sooner to previously enrolled devices, change the schedule re-evaluation for deployments setting to a lower
value. If you set this value lower than the default, it might negatively affect the performance of your network and
client computers.
No additional information.
Create Android applications with System Center Configuration Manager
3/6/2017

Applies to: System Center Configuration Manager (Current Branch)


A System Center Configuration Manager application has one or more deployment types that comprise the
installation files and information that are required to deploy software to a device. A deployment type also has rules
that specify when and how the software is deployed.
You can create applications by using the following methods:
Automatically create the application and deployment types by reading the application installation files.
Manually create the application and then add deployment types later.
Import an application from a file.
See Start the create application wizard for the steps required to create Configuration Manager applications and
deployment types. Also, keep the following considerations in mind when you create and deploy applications for
Android devices.

General considerations
Configuration Manager supports the deployment of the following app types for Android:

DEVICE TYPE SUPPORTED FILES

Android .apk

The following deployment actions are supported:

DEVICE TYPE: SUPPORTED ACTIONS

Android: Available, Required. The user must consent to both installation and uninstallation.

Protect apps using mobile application management policies in System Center Configuration Manager
3/6/2017

Applies to: System Center Configuration Manager (Current Branch)


System Center Configuration Manager application management policies let you modify the functionality of apps
that you deploy to help bring them in line with your company compliance and security policies. For example, you
can restrict cut, copy, and paste operations within a restricted app, or configure an app to open all URLs inside a
managed browser. App management policies support:
Devices that run Android 4 and later
Devices that run iOS 7 and later
You can also use mobile app management policies to protect apps on devices that are not managed by Intune.
Using this new capability, you can apply mobile app management policies to apps that connect to Office 365
services. This is not supported for apps that connect to on-premises Exchange or SharePoint.
To use this new capability, you need to use the Azure preview portal. The following topics can help you get started:
Get started with mobile app management policies in the Azure portal
Create and deploy mobile app management policies with Microsoft Intune
You don't deploy an application management policy directly as you do with configuration items and
baselines in Configuration Manager. Instead, you associate the policy with the application deployment type
that you want to restrict. When the app deployment type is deployed and installed on devices, the settings
you specify take effect.
To apply restrictions to an app, the app must incorporate the Microsoft Intune App Software Development Kit
(SDK). There are two methods of obtaining this type of app:
Use a policy managed app (Android and iOS): These apps have the App SDK built in. To add this type of
app, you specify a link to the app from an app store such as the iTunes store or Google Play. No further
processing is required for this type of app. For a list of the policy managed apps that are available for iOS
and Android devices, see Managed apps for Microsoft Intune mobile application management policies.
Use a "wrapped" app (Android and iOS): These apps are repackaged to include the App SDK by using the
Microsoft Intune App Wrapping Tool. This tool is typically used to process company apps that were
created in-house. It cannot be used to process apps that were downloaded from the app store. See the
following articles for more information:
Prepare iOS apps for mobile application management with the Microsoft Intune App Wrapping Tool
Prepare Android apps for mobile application management with the Microsoft Intune App Wrapping
Tool

Create and deploy an app with a mobile application management policy

Step 1: Obtain the link to a policy managed app or create a wrapped app
To obtain a link to a policy managed app: From the app store, find, and note the URL of the policy
managed app you want to deploy.
For example, the URL of the Microsoft Word for iPad app is https://itunes.apple.com/us/app/microsoft-
word-for-ipad/id586447913?mt=8
To create a wrapped app: Use the information in the topics Prepare iOS apps for mobile application
management with the Microsoft Intune App Wrapping Tool and Prepare Android apps for mobile
application management with the Microsoft Intune App Wrapping Tool to create a wrapped app.
The tool creates a processed app and an associated manifest file. You use these files when you create a
Configuration Manager application that contains the app.

Step 2: Create a Configuration Manager application that contains an app

The procedure to create the Configuration Manager application differs depending on whether you are using a
policy managed app (external link) or an app that was created by using the Microsoft Intune App Wrapping Tool
for iOS (App package for iOS). Use one of the following procedures to create the Configuration Manager
application.
Create an application that contains a wrapped app
1. In the Configuration Manager console, choose Software Library > Application Management >
Applications.
2. In the Home tab, in the Create group, choose Create Application to open the Create Application Wizard.
3. On the General page, select Automatically detect information about this application from
installation files.
4. In the Type drop-down list, select App package for iOS (*.ipa file).
5. Choose Browse to select the app package you want to import, and then choose Next.
6. On the General Information page, enter the descriptive text and category information that you want users
to see in the company portal.
7. Complete the wizard.
The new application is displayed in the Applications node of the Software Library workspace.
Create an application that contains a link to a policy managed app
1. In the Configuration Manager console, choose Software Library > Application Management >
Applications.
2. In the Home tab, in the Create group, choose Create Application to open the Create Application Wizard.
3. On the General page, select Automatically detect information about this application from
installation files.
4. In the Type drop-down, select one of the following:
For iOS: App Package for iOS from App Store
For Android: App Package for Android on Google Play
5. Enter the URL for the app (from step 1), and then choose Next.
6. On the General Information page, enter the descriptive text and category information that you want users
to see in the company portal.
7. Complete the wizard.
The new application is displayed in the Applications node of the Software Library workspace.

Step 3: Create an application management policy


Next, create an application management policy that you associate with the application. You can create a general or
managed browser policy.
1) In the Configuration Manager console, choose Software Library > Application Management > Application
Management Policies.
2) In the Home tab, in the Create group, choose Create Application Management Policy.
3) On the General page, enter the name and description for the policy, and then choose Next.
4) On the Policy Type page, select the platform and the policy type for this policy, and then choose Next. The
following policy types are available:
General: The General policy type lets you modify the functionality of apps that you deploy to help bring
them in line with your company compliance and security policies. For example, you can restrict cut, copy,
and paste operations within a restricted app.
Managed Browser: The Managed Browser policy lets you decide whether to allow or block the managed
browser from opening a list of URLs. The Managed Browser policy type lets you modify the functionality of
the Intune Managed Browser app. This is a web browser that lets you manage the actions that users can
perform, including the sites they can visit, and how links to content within the browser are opened. Learn
more about the Intune Managed Browser app for iOS and the Intune Managed Browser app for Android.
5) On the iOS Policy or Android Policy page, configure the following values as required, and then choose Next.
The options might differ depending on the device type for which you are configuring the policy.

VALUE: MORE INFORMATION

Restrict web content to display in a corporate managed browser: Enables all links in the app to open in the
Managed Browser. You must have deployed this app to devices in order for this option to work.

Prevent Android backups or Prevent iTunes and iCloud backups: Disables the backup of any information from the
app.

Allow app to transfer data to other apps: Specifies the apps that this app can send data to. You can choose to not
allow data transfer to any app, to only allow transfer to other restricted apps, or to allow transfer to any app.
For iOS devices, to prevent document transfer between managed and unmanaged apps, you must also configure and
deploy a mobile device security policy that disables the setting Allow managed documents in other unmanaged
apps.
If you select to only allow transfer to other restricted apps, the Intune PDF and image viewers (if deployed) are
used to open content of the respective types.

Allow app to receive data from other apps: Specifies the apps that this app can receive data from. You can choose
to not allow data transfer from any app, to only allow transfer from other restricted apps, or to allow transfer
from any app.

Prevent “Save As”: Disables the use of the Save As option in any app that uses this policy.

Restrict cut, copy and paste with other apps: Specifies how cut, copy, and paste operations can be used with the
app. Choose from:
Blocked: Doesn't allow cut, copy, and paste operations between this app and other apps.
Policy Managed Apps: Allows cut, copy, and paste operations between only this app and other restricted apps.
Policy Managed Apps with Paste In: Allows data that's cut or copied from this app to be pasted only into other
restricted apps. Allows data that is cut or copied from any app to be pasted into this app.
Any App: No restrictions on cut, copy, and paste operations to or from this app.

Require simple PIN for access: Requires the user to enter a PIN that they specify to use this app. The user is asked
to set this up the first time they run the app.

Number of attempts before PIN reset: Specifies the number of PIN entry attempts that can be made before the user
must reset the PIN.

Require corporate credentials for access: Requires that the user enter their corporate sign-in information before
they can access the app.

Require device compliance with corporate policy for access: Allows the app to be used only when the device is not
jailbroken or rooted.

Recheck the access requirements after (minutes): Specifies the time period before the access requirements for
the app are rechecked after the app is launched (in the Timeout field). In the Offline grace period field, if the
device is offline, specifies the time period before the access requirements for the app are rechecked.

Encrypt app data: Specifies that all data that is associated with this app is encrypted, including data that's stored
externally, such as data stored on SD cards.
Encryption for iOS: For apps that are associated with a Configuration Manager mobile application management
policy, data is encrypted at rest using device-level encryption that's provided by the OS. This is enabled through a
device PIN policy that must be set by the IT admin. When a PIN is required, the data is encrypted per the settings
in the mobile application management policy. As stated in Apple documentation, the modules that are used by
iOS 7 are FIPS 140-2 certified.
Encryption for Android: For apps that are associated with a Configuration Manager mobile application
management policy, encryption is provided by Microsoft. Data is encrypted synchronously during file I/O
operations according to the setting in the mobile application management policy. Managed apps on Android use
AES-128 encryption in CBC mode utilizing the platform cryptography libraries. The encryption method is not
FIPS 140-2 certified. Content on the device storage is always encrypted.

Block screen capture (Android devices only): Specifies that the screen capture capabilities of the device are
blocked when using this app.

6) On the Managed Browser page, select whether the managed browser is allowed to open only URLs in the list
or to block the managed browser from opening the URLs in the list, and then choose Next.
For more information, see Manage Internet access using managed browser policies.
7) Complete the wizard.
The new policy is displayed in the Application Management Policies node of the Software Library workspace.

Step 4: Associate the application management policy with a deployment type

When a deployment type is created for an app that requires an application management policy, Configuration
Manager recognizes this and prompts you to associate an app management policy. For the Managed Browser, you
are required to associate both a General and Managed Browser policy. For more information, see Create
applications.

IMPORTANT
If the application is already deployed, then the deployment for the new deployment type fails until this association is made.
You can make the association in Properties for the application, on the Application Management tab.
IMPORTANT
For devices that run operating systems earlier than iOS 7.1, associated policies aren't removed when the app is uninstalled.
If the device is unenrolled from Configuration Manager, policies are not removed from the apps. Apps that had policies
applied retain the policy settings even after the app is uninstalled and reinstalled.

Step 5: Monitor the app deployment


Once you have created and deployed an app that's associated with a mobile application management policy, you
can monitor the app and resolve any policy conflicts.
1. In the Configuration Manager console, choose Software Library > Overview > Deployments.
2. Select the deployment that you created. Then, on the Home tab, choose Properties.
3. In the details pane for the deployment, under Related Objects, choose Application Management
Policies.
For more information about monitoring applications, see Monitor applications.

Learn how policy conflicts are resolved


When there is a mobile application management policy conflict on the first deployment to the user or device, the
specific setting value that's in conflict is removed from the policy that's deployed to the app. Then the app uses a
built-in conflict value.
When there is a mobile app management policy conflict on later deployments to the app or user, the specific
setting value that's in conflict is not updated on the mobile app management policy that's deployed to the app, and
the app uses the existing value for that setting.
In cases where the device or user receives two conflicting policies, the following behavior applies:
If a policy has already been deployed to the device, the existing policy settings are not overwritten.
If no policy has already been deployed to the device, and two conflicting settings are deployed, the default
setting that's built into the device is used.

See a list of available policy managed apps


For a list of the policy managed apps that are available for iOS and Android devices, see Microsoft Intune
application partners.
Manage Internet access using managed browser policies with System Center Configuration Manager
3/6/2017

Applies to: System Center Configuration Manager (Current Branch)


In System Center Configuration Manager, you can deploy the Intune Managed Browser (a web browsing
application) and associate the application with a managed browser policy. The managed browser policy sets up an
allow list or a block list that restricts the websites that users of the managed browser can go to.
Because this app is a managed app, you can also apply mobile application management policies to it, such as
controlling the use of cut, copy, and paste, preventing screen captures, and ensuring that links to content open
only in other managed apps. For details, see Protect apps using mobile application management policies.

IMPORTANT
If users install the managed browser themselves, it will not be managed by any policies you specify. To ensure that the
browser is managed by Configuration Manager, they must uninstall the app before you can deploy it to them as a managed
app.

You can create managed browser policies for the following device types:
Devices that run Android 4 and later
Devices that run iOS 7 and later

NOTE
For more information and to download the Intune Managed Browser app, see iTunes for iOS and Google Play for Android.

Create a managed browser policy


1. In the Configuration Manager console, choose Software Library > Application Management >
Application Management Policies.
2. On the Home tab, in the Create group, choose Create Application Management Policy.
3. On the General page, enter the name and description for the policy, and then choose Next.
4. On the Policy Type page, select the platform, select Managed Browser for the policy type, and then
choose Next.
On the Managed Browser page, select one of the following options:
Allow the managed browser to open only the URLs listed below–Specify a list of URLs that the
managed browser can open.
Block the managed browser from opening the URLs listed below–Specify a list of URLs that the
managed browser will be blocked from opening.
NOTE
You cannot include both allowed and blocked URLs in the same managed browser policy.

For more about the URL formats you can specify, see URL format for allowed and blocked URLs in this
article.

NOTE
The General policy type lets you change the functionality of apps that you deploy to help bring them into line with
your company compliance and security policies. For example, you can restrict cut, copy, and paste operations within a
restricted app. For more about the General policy type, see Protect apps using mobile application management
policies.

5. Finish the wizard.


The new policy is displayed in the Application Management Policies node of the Software Library workspace.

Create a software deployment for the managed browser app


After you have created the managed browser policy, you can then create a software deployment type for the
managed browser app. You must associate both a general and managed browser policy for the managed browser
app.
For more information, see Create applications.

Security and privacy for the managed browser


On iOS devices, websites that have expired or untrusted certificates cannot be opened.
Settings that users make for the built-in browser on their devices are not used by the managed browser. The
managed browser does not have access to these settings.
If you set up the options Require simple PIN for access or Require corporate credentials for access in
a mobile application management policy associated with the managed browser, a user can choose Help on the
authentication page and then browse to any site, including one on the block list of the managed browser policy.
The managed browser can only block access to sites when they are accessed directly. It cannot block access
when intermediate services (such as a translation service) are used to reach the site.

Reference information
URL format for allowed and blocked URLs
Use the following information to learn about the allowed formats and wildcards you can use when specifying URLs
in the allowed and blocked lists.
You can use the wildcard symbol '*' according to the rules in the permitted patterns list below.
Ensure that you prefix all URLs with http or https when entering them into the list.
You can specify port numbers in the address. If you do not specify a port number, the values used will be:
Port 80 for http
Port 443 for https
Using wildcards for the port number is not supported, for example, http://www.contoso.com:*
and http://www.contoso.com: /*
Use the following table to learn about the permitted patterns you can use when you specify URLs:

URL: MATCHES / DOES NOT MATCH

http://www.contoso.com (matches a single page)
Matches: www.contoso.com
Does not match: host.contoso.com, www.contoso.com/images, contoso.com/

http://contoso.com (matches a single page)
Matches: contoso.com/
Does not match: host.contoso.com, www.contoso.com/images, www.contoso.com

http://www.contoso.com/* (matches all URLs beginning with www.contoso.com)
Matches: www.contoso.com, www.contoso.com/images, www.contoso.com/videos/tvshows
Does not match: host.contoso.com, host.contoso.com/images

http://*.contoso.com/* (matches all sub-domains under contoso.com)
Matches: developer.contoso.com/resources, news.contoso.com/images, news.contoso.com/videos
Does not match: contoso.host.com

http://www.contoso.com/images (matches a single folder)
Matches: www.contoso.com/images
Does not match: www.contoso.com/images/dogs

http://www.contoso.com:80 (matches a single page, using a port number)
Matches: http://www.contoso.com:80

https://www.contoso.com (matches a single, secure page)
Matches: https://www.contoso.com
Does not match: http://www.contoso.com

http://www.contoso.com/images/* (matches a single folder and all subfolders)
Matches: www.contoso.com/images/dogs, www.contoso.com/images/cats
Does not match: www.contoso.com/videos

The following are examples of some of the inputs you cannot specify:
*.com
*.contoso/*
www.contoso.com/*images
www.contoso.com/images*pigs
www.contoso.com/page*
IP addresses
https://*
http://*
http://www.contoso.com:*
http://www.contoso.com: /*

NOTE
*.microsoft.com is always allowed.
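The pattern rules and the table above, worked through in code as an added example (it is not part of the Configuration Manager documentation nor the Managed Browser's own implementation): a parser that accepts only the permitted pattern shapes, a matcher that applies the scheme, default-port, sub-domain wildcard and path wildcard rules, and an allow-list or block-list evaluator that honours the always-allowed *.microsoft.com note. The grammar itself, the treatment of scheme-less inputs (as the table writes them) as http, the strict sub-domain reading of "*.", and the hosts fabrikam.com and intranet.contoso.com used when exercising the policy are assumptions made here; 10.0.0.1 is a constructed stand-in for the article's "IP addresses" entry.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import urlsplit

# Assumed grammar for the permitted patterns (the article gives rules and examples,
# not a grammar): http/https scheme, optional "*." sub-domain wildcard, a host of at
# least two labels, an optional numeric port, and a path whose segments contain no
# "*" but which may end in "/*".
_PATTERN_RE = re.compile(
    r"^(?P<scheme>https?)://(?P<wild>\*\.)?"
    r"(?P<host>[a-z0-9-]+(?:\.[a-z0-9-]+)+)"
    r"(?::(?P<port>\d{1,5}))?"
    r"(?P<path>/(?:[^/*]+/)*(?:[^/*]+|\*)?)?$",
    re.IGNORECASE,
)
_DEFAULT_PORTS = {"http": 80, "https": 443}  # defaults stated in the article

def _norm_path(path: str) -> str:
    return path.rstrip("/") or "/"  # "/images/" and "/images" are one page; "" is the root

@dataclass(frozen=True)
class UrlPattern:
    scheme: str
    host: str             # lower-case, without any "*." prefix
    wildcard_host: bool   # pattern began with "*." (sub-domains only)
    port: int
    path: str             # exact page/folder, or the prefix that precedes "*"
    wildcard_path: bool   # pattern ended with "/*"

    @classmethod
    def parse(cls, text: str) -> "UrlPattern":
        m = _PATTERN_RE.match(text.strip())
        if not m:
            raise ValueError(f"not a permitted URL pattern: {text!r}")
        host = m.group("host").lower()
        if re.fullmatch(r"[\d.]+", host):  # digits-and-dots host is an IPv4 literal
            raise ValueError(f"IP addresses are not permitted: {text!r}")
        scheme = m.group("scheme").lower()
        port = int(m.group("port")) if m.group("port") else _DEFAULT_PORTS[scheme]
        raw = m.group("path") or "/"
        wild_path = raw.endswith("*")
        path = raw[:-1] if wild_path else _norm_path(raw)  # "/images/*" -> prefix "/images/"
        return cls(scheme, host, bool(m.group("wild")), port, path, wild_path)

    def matches(self, url: str) -> bool:
        if "://" not in url:  # assumption: scheme-less input, as in the table, is http
            url = "http://" + url
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        try:
            port = parts.port or _DEFAULT_PORTS.get(scheme)
        except ValueError:  # non-numeric port in the candidate URL
            return False
        if scheme != self.scheme or port != self.port:
            return False
        host = (parts.hostname or "").lower()
        if self.wildcard_host:
            if not host.endswith("." + self.host):  # strict sub-domain (assumption)
                return False
        elif host != self.host:
            return False
        cand = parts.path or "/"
        if self.wildcard_path:
            return cand.startswith(self.path)
        return _norm_path(cand) == self.path

# The article's NOTE: *.microsoft.com is always allowed (assumed to cover both schemes).
_ALWAYS_ALLOWED = [UrlPattern.parse("http://*.microsoft.com/*"),
                   UrlPattern.parse("https://*.microsoft.com/*")]

class ManagedBrowserPolicy:
    """One allow-list or block-list policy, evaluated as the article describes."""
    def __init__(self, mode: str, urls: Iterable[str]):
        if mode not in ("allow", "block"):
            raise ValueError("mode must be 'allow' or 'block'")
        self.mode = mode
        self.patterns = [UrlPattern.parse(u) for u in urls]

    def is_allowed(self, url: str) -> bool:
        if any(p.matches(url) for p in _ALWAYS_ALLOWED):
            return True
        hit = any(p.matches(url) for p in self.patterns)
        return hit if self.mode == "allow" else not hit

def rejected_patterns(urls: Iterable[str]) -> List[str]:
    """Entries the grammar refuses; run this over a list before importing it."""
    bad = []
    for u in urls:
        try:
            UrlPattern.parse(u)
        except ValueError:
            bad.append(u)
    return bad

# The article's "cannot specify" list (10.0.0.1 stands in for "IP addresses"), plus
# scheme-prefixed variants so the wildcard-placement rules are exercised too.
INVALID_EXAMPLES = (
    "*.com", "*.contoso/*", "www.contoso.com/*images", "www.contoso.com/images*pigs",
    "www.contoso.com/page*", "10.0.0.1", "https://*", "http://*",
    "http://www.contoso.com:*", "http://www.contoso.com:/*", "http://10.0.0.1",
    "http://www.contoso.com/*images", "http://www.contoso.com/page*",
)
```

Running rejected_patterns over a list before it is entered into a policy catches a malformed entry up front; a pattern that was never accepted blocks nothing, which is the failure mode that matters for a block list.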

How conflicts between the allow and block list are resolved
If multiple managed browser policies are deployed to a device and the settings conflict, both the mode (allow or
block) and the URL lists are evaluated for conflicts. In case of a conflict, the following behavior applies:
If the modes in each policy are the same but the URL lists are different, the URLs will not be enforced on the
device.
If the modes in each policy are different but the URL lists are the same, the URLs will not be enforced on the
device.
If a device is receiving managed browser policies for the first time and two policies conflict, the URLs will not
be enforced on the device. Use the Policy Conflicts node of the Policy workspace to view the conflicts.
If a device has already received a managed browser policy and a second policy is deployed with conflicting
settings, the original settings remain on the device. Use the Policy Conflicts node of the Policy workspace
to view the conflicts.
WSfB in System Center Configuration Manager
3/6/2017 • 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


Configuration Manager supports managing Windows Store for Business apps on Windows 10 devices that are
enrolled with Microsoft Intune (hybrid configuration) in addition to Windows 10 devices running the Configuration
Manager client.
To see the capabilities Configuration Manager offers for online and offline apps, and to set up Windows Store for
Business synchronization, see Manage apps from the Windows Store for Business with System Center
Configuration Manager.
Manage an Intune subscription associated with
System Center Configuration Manager
3/6/2017 • 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


If you add a Microsoft Intune (either a trial subscription or paid subscription) to Configuration Manager, and then
need to switch to a different Intune subscription, you must delete both the Microsoft Intune Subscription and the
Service connection point from the Configuration Manager console before you can add a new subscription.

NOTE
You can configure only one Intune subscription at a time in hybrid mobile device management.

How to delete an Intune subscription from Configuration Manager


IMPORTANT
All content including user enrollments, policies, and app deployments configured for devices managed by the Intune
subscription are removed when you delete the subscription.

1. In the Configuration Manager console, go to Administration > Overview > Cloud Services > Microsoft
Intune Subscriptions.
2. Right-click the listed Microsoft Intune Subscription, and then click Delete.
3. In the wizard, click Remove Microsoft Intune Subscription from Configuration Manager, click Next,
and then click Next again to remove the subscription.

How to remove the service connection point role


1. Go to Administration > Overview > Site Configuration > Servers and Site System Roles.
2. Select the server that hosts the Service connection point role.
3. In the Site System Roles list, select Service connection point and then click Remove Role in the ribbon.
Confirm you want to remove the role. The service connection point is deleted.
You can now create a new service connection point, add a new Intune subscription to Configuration Manager, and
set Configuration Manager as the MDM Authority.

How to change MDM authority to Intune


Beginning in version 1610, you can switch the MDM authority from Configuration Manager to Intune.
Information about this feature is coming soon.
How to create Wi-Fi profiles for mobile devices in
System Center Configuration Manager
3/6/2017 • 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


Use Wi-Fi profiles in System Center Configuration Manager to deploy wireless network settings to mobile device
users in your organization. By deploying these settings, you make it easier for your users to connect to Wi-Fi.
You can configure the following mobile device types with Wi-Fi profiles:
Devices that run Windows Phone 8.1
Devices that run Windows 10 Desktop or Mobile
iPhone devices that run iOS 5, iOS 6, iOS 7 and iOS 8
iPad devices that run iOS 5, iOS 6, iOS 7 and iOS 8
Android devices that run version 4 or later

IMPORTANT
To deploy profiles to Android, iOS, Windows Phone, and enrolled Windows 8.1 or later devices, these devices must be
enrolled in Microsoft Intune. For information about how to get your devices enrolled, see Enroll devices for management in
Intune.

Create a Wi-Fi profile provides general information about how to use Wi-Fi profiles in Configuration Manager to
deploy wireless network settings to users.
See Deploy Wi-Fi, VPN, email, and certificate profiles for information about deploying Wi-Fi profiles.
How to create PFX certificate profiles in System
Center Configuration Manager
3/6/2017 • 4 min to read

Applies to: System Center Configuration Manager (Current Branch)


Certificate profiles work with Active Directory Certificate Services and the Network Device Enrollment Service role
to provision authentication certificates for managed devices so that users can seamlessly access company
resources. For example, you can create and deploy certificate profiles to provide the necessary certificates for users
to initiate VPN and wireless connections.
Certificate profiles provides general information about creating and configuring certificate profiles. This topic
highlights some specific information about certificate profiles related to mobile device management.
Certificate profiles provide certificate enrollment and renewal from an enterprise certification authority (CA)
for devices that run iOS, Windows 8.1, Windows RT 8.1, Windows 10 Desktop and Mobile, and Android.
These certificates can then be used for Wi-Fi and VPN connections.
To deploy certificate profiles that use the SCEP, you must install a policy module for NDES on a server that
runs Windows Server 2012 R2 with the Active Directory Certificate Services role and a working NDES that is
accessible to the devices that require the certificates. For devices that are enrolled by Microsoft Intune, this
requires the NDES to be accessible from the Internet, for example, in a screened subnet (also known as a
DMZ).
Configuration Manager supports deploying certificates to different certificate stores, depending on the
requirements, the device type, and the operating system. The following devices and operating systems are
supported:
Windows RT 8.1
Windows 8.1
Windows Phone 8.1
Windows 10 Desktop and Mobile
iOS
Android
IMPORTANT
To deploy profiles to Android, iOS, Windows Phone, and enrolled Windows 8.1 or later devices, these
devices must be enrolled in Microsoft Intune.
For other prerequisites, see Certificate profile prerequisites.

PFX certificate profiles


System Center Configuration Manager allows you to provision personal information exchange (.pfx) files to user
devices. PFX files can be used to generate user-specific certificates to support encrypted data exchange. PFX
certificates can be created within Configuration Manager or imported. With System Center Configuration Manager,
imported or new PFX certificates can be deployed to iOS, Android, and Windows 10 devices. These files can then be
deployed to multiple devices to support user-based PKI communication.
TIP
A step-by-step walkthrough describing this process is available in How to Create and Deploy PFX Certificate Profiles in
Configuration Manager.

Create and deploy a Personal Information Exchange (PFX) certificate profile


1. In the System Center Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Compliance Settings, expand Company Resource
Access, and then click Certificate Profiles.
3. On the Home tab, in the Create group, click Create Certificate Profile. The Create Certificate Profile
wizard opens.
4. On the General page of the Create Certificate Profile Wizard, specify the following information:
Name: Enter a unique name for the certificate profile. You can use a maximum of 256 characters.
Description: Provide a description that gives an overview of the certificate profile and other relevant
information that helps to identify it in the System Center Configuration Manager console. You can use
a maximum of 256 characters.
Specify the type of certificate profile that you want to create: Choose one of the following
certificate profile types:
Trusted CA certificate: Select this certificate profile type if you want to deploy a trusted root
certification authority (CA) or intermediate CA certificate to form a certificate chain of trust
when the user or device must authenticate another device. For example, the device might be a
Remote Authentication Dial-In User Service (RADIUS) server or a virtual private network (VPN)
server. You must also configure a trusted CA certificate profile before you can create a SCEP
certificate profile. In this case, the trusted CA certificate must be the trusted root certificate for
the CA that will issue the certificate to the user or device.
Simple Certificate Enrollment Protocol (SCEP) settings: Select this certificate profile type
if you want to request a certificate for a user or device, by using the Simple Certificate
Enrollment Protocol and the Network Device Enrollment Service role service.
Personal Information Exchange PKCS #12 (PFX) settings import: Select this to import a
PFX certificate.
5. In the Certificate Properties window of the Create Certificate Profile wizard, specify where the PFX
certificate will be stored on targeted devices.
Install to Trusted Platform Module (TPM) if present
Install to Trusted Platform Module (TPM), otherwise fail
Install to Software Key Storage Provider
Click Next.
6. In the Supported Platforms window of the Create Certificate Profile wizard, specify which operating
systems or platforms that can receive the imported PFX file.
Windows 10
iPhone
iPad
Android
7. Click Next, review the Summary page, and then close the wizard.
8. The certificate profile containing the PFX file is now available from the Certificate Profiles workspace. In
the Assets and Compliance workspace, go to Compliance Settings > Company Resource Access >
Certificate Profiles and right-click to deploy the new certificate to User collections.
9. Using the SDK for Windows 8.1 available from the Download Center (http://go.microsoft.com/fwlink/?
LinkId=613525), deploy a Create PFX Script. The Create PFX Script added in Configuration Manager 2012
SP2 adds an SMS_ClientPfxCertificate class to the SDK. This class includes the following methods:
ImportForUser
DeleteForUser
Sample script:

# Values to replace before running (see the list that follows the script).
$EncryptedPfxBlob = "<blob>"
$Password = "abc"
$ProfileName = "PFX_Profile_Name"
$UserName = "ComputerName\Administrator"

# Import a new PFX for the user through the SMS_ClientPfxCertificate WMI class.
# The WMI path names the site server (nksccm) and the site code (MDM) used in this example.
$WMIConnection = ([WMIClass]"\\nksccm\root\SMS\Site_MDM:SMS_ClientPfxCertificate")
$NewEntry = $WMIConnection.psbase.GetMethodParameters("ImportForUser")
$NewEntry.EncryptedPfxBlob = $EncryptedPfxBlob
$NewEntry.Password = $Password
$NewEntry.ProfileName = $ProfileName
$NewEntry.UserName = $UserName
$Resource = $WMIConnection.psbase.InvokeMethod("ImportForUser",$NewEntry,$null)

The following script variables must be modified for your script:

$EncryptedPfxBlob = The PFX base64-encrypted blob
$Password = The password for the PFX file
$ProfileName = The name of the PFX profile
ComputerName = Name of host computer
See also
Create a new certificate profile walks you through the Create Certificate Profile Wizard.
Deploy Wi-Fi, VPN, email, and certificate profiles provides information about deploying certificate profiles.
VPN Profiles on mobile devices in System Center
Configuration Manager
3/6/2017 • 8 min to read

Applies to: System Center Configuration Manager (Current Branch)


Use VPN profiles in System Center Configuration Manager to deploy VPN settings to mobile device users in your
organization. By deploying these settings, you minimize the end-user effort required to connect to resources on the
company network.
For example, you want to provision all devices that run the iOS operating system with the settings required to
connect to a file share on the corporate network. You can create a VPN profile containing the settings necessary to
connect to the corporate network and then deploy this profile to all users that have devices that run iOS in your
hierarchy. Users of iOS devices see the VPN connection in the list of available networks and can connect to this
network with the minimum of effort.
When you create a VPN profile, you can include a wide range of security settings, including certificates for server
validation and client authentication that have been provisioned by using System Center Configuration Manager
certificate profiles. For more information about certificate profiles, see Certificate profiles in System Center
Configuration Manager.

VPN profiles when using Configuration Manager together with Intune


To deploy profiles to iOS, Android, Windows Phone, and Windows 8.1 devices, these devices must be enrolled into
Microsoft Intune. Devices on other platforms can also be enrolled to Intune. For information about how to enroll,
see Manage mobile devices with Microsoft Intune. This table shows which connection type is supported for each
device platform:

Connection type | iOS and Mac OS X | Android | Windows 8.1 | Windows RT | Windows RT 8.1 | Windows Phone 8.1 | Windows 10 Desktop and Mobile
Cisco AnyConnect | Yes | Yes | No | No | No | No | Yes (OMA-URI)
Pulse Secure | Yes | Yes | Yes | No | Yes | Yes | Yes
F5 Edge Client | Yes | Yes | Yes | No | Yes | Yes | Yes
Dell SonicWALL Mobile Connect | Yes | Yes | Yes | No | Yes | Yes | Yes
Check Point Mobile VPN | Yes | Yes | Yes | No | Yes | Yes | Yes
Microsoft SSL (SSTP) | No | No | Yes | Yes | Yes | No | No
Microsoft Automatic | No | No | Yes | Yes | Yes | No | Yes (OMA-URI)
IKEv2 (Custom policy) | Yes | No | Yes | Yes | Yes | Yes | Yes (OMA-URI)
PPTP | Yes | No | Yes | Yes | Yes | No | Yes (OMA-URI)
L2TP | Yes | No | Yes | Yes | Yes | No | Yes (OMA-URI)

Create VPN Profiles


How to Create VPN profiles in System Center Configuration Manager provides general information about creating
VPN profiles.
Windows 10 VPN features, available when using Configuration Manager with Intune

NOTE
The name of a VPN profile that uses Windows 10 VPN features cannot be in unicode or include special characters.

Option: Bypass VPN when connected to company Wi-Fi network (connection type: All)
The VPN connection will not be used when the device is connected to the company Wi-Fi network. Enter the
trusted network name, used to determine if the device is connected to the company network.

Option: Network traffic rules (connection type: All)
Set which protocols, local and remote port and address ranges will be enabled for the VPN connection.
Note: If you do not create a network traffic rule, all protocols, ports and address ranges are enabled. Once you
create a rule, only the protocols, ports and address ranges that you specify in that rule or in additional rules will
be used by the VPN connection.

Option: Routes (connection type: All)
Which routes will use the VPN connection. Note that creation of more than 60 routes may cause the policy to
fail.

Option: DNS servers (connection type: All)
Which DNS servers are used by the VPN connection once the connection has been established.

Option: Apps that automatically connect to the VPN (connection type: All)
You can add apps, or import lists of apps, that will automatically use the VPN connection. The type of app will
determine the app identifier. For a desktop app, provide the file path of the app. For a universal app, provide the
package family name (PFN). To learn how to find the PFN for an app, see Find a package family name for per-app
VPN.

IMPORTANT
We recommend that you secure all lists of associated apps that you compile for use in configuration of per-app VPN. If an
unauthorized user modifies your list and you import it into the per-app VPN app list, you will potentially authorize VPN
access to apps that should not have access. One way you can secure app lists is by using an access control list (ACL).

1. On the Authentication Method page of the wizard, specify:


Authentication method: Select the authentication method that the VPN connection will use.
Available methods depend on the connection type as shown in this table.

Authentication method: Certificates
Supported connection types: Cisco AnyConnect, Pulse Secure, F5 Edge Client, Dell SonicWALL Mobile Connect,
Check Point Mobile VPN
Note: If the client certificate is used to authenticate to a RADIUS server, such as a Network Policy Server, the
Subject Alternative Name in the certificate must be set to the User Principal Name.

Authentication method: Username and Password
Supported connection types: Pulse Secure, F5 Edge Client, Dell SonicWALL Mobile Connect, Check Point Mobile VPN

Authentication method: Microsoft EAP-TTLS
Supported connection types: Microsoft SSL (SSTP), Microsoft Automatic, PPTP, IKEv2, L2TP

Authentication method: Microsoft protected EAP (PEAP)
Supported connection types: Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, PPTP, L2TP

Authentication method: Microsoft secured password (EAP-MSCHAP v2)
Supported connection types: Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, PPTP, L2TP

Authentication method: Smart Card or other certificate
Supported connection types: Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, PPTP, L2TP

Authentication method: MSCHAP v2
Supported connection types: Microsoft SSL (SSTP), Microsoft Automatic, IKEv2, PPTP, L2TP

Authentication method: RSA SecurID (iOS only)
Supported connection types: Microsoft SSL (SSTP), Microsoft Automatic, PPTP, L2TP

Authentication method: Use machine certificates
Supported connection types: IKEv2


Depending on the options you select, you might be asked to specify further information, such as:
Remember the user credentials at each logon: User credentials are remembered so that
the user does not have to enter them each time they connect.
Select a client certificate for client authentication - Select the client SCEP certificate that
you previously created that will be used to authenticate the VPN connection.

NOTE
For iOS devices, the SCEP profile you select will be embedded in the VPN profile. For other platforms,
an applicability rule is added to ensure that the VPN profile is not installed if the certificate is not
present, or not compliant.
If the SCEP certificate you specify is not compliant, or has not been deployed, then the VPN profile will
not be installed on the device.
Devices that run iOS support only RSA SecurID and MSCHAP v2 for the authentication method when
the connection type is PPTP. To avoid reporting errors, deploy a separate PPTP VPN profile to devices
that run iOS.

Conditional access
Choose Enable conditional access for this VPN connection to ensure that devices that
connect to the VPN are tested for conditional access compliance before connecting.
Compliance policies are described in Device compliance policies in System Center
Configuration Manager
Choose Enable single sign-on (SSO) with alternate certificate to choose a certificate
other than the VPN Authentication cert for device compliance. If you choose this option,
provide the EKU (comma-separated list) and Issuer Hash, for the correct certificate that the
VPN Client should locate.
Windows Information Protection - provide the enterprise-managed corporate identity,
which is usually your organization's primary domain, for example, contoso.com. You can
specify multiple domains owned by your organization by separating them with the "|"
character. For example, contoso.com|newcontoso.com.
For information about Windows Information Protection, see Create a Windows Information
Protection (WIP) policy using Microsoft Intune.
NOTE
For some authentication methods, you can click Configure to open the Windows properties dialog box (if the version of
Windows on which you are running the Configuration Manager console supports this authentication method) where you can
configure the authentication method properties.

1. On the Proxy Settings page of the Create VPN Profile Wizard, select the Configure proxy settings for
this VPN profile check box if your VPN connection uses a proxy server. Then, provide the proxy server
information. For more information, see the Windows Server documentation.

NOTE
On Windows 8.1 computers, the VPN profile will not display the proxy information until you connect to the VPN with
that computer.

2. Configure Further DNS Settings (if required)


On the Configure Automatic VPN connection page, you can configure the following:
Enable VPN on-demand Use if you want to configure further DNS settings for Windows Phone 8.1
devices. This setting applies only to Windows Phone 8.1 devices and should only be enabled on VPN
profiles that are going to be deployed to Windows Phone 8.1 devices.
DNS Suffix list (Windows Phone 8.1 devices only) - Configures domains that will establish a VPN
connection. For each domain you specify, add the DNS suffix, the DNS server address, and one of the
following on-demand actions:
Never establish - Never open a VPN connection
Establish if needed - Only open a VPN connection if the device needs to connect to resources
Always establish - Always open the VPN connection
Merge - Copies any DNS suffixes you configured into the Trusted network list.
Trusted network list (Windows Phone 8.1 devices only) - Specify one DNS suffix on each line. If the
device is in a trusted network, the VPN connection will not be opened.
Suffix search list (Windows Phone 8.1 devices only) - Specify one DNS suffix on each line. Each DNS
suffix will be searched when connecting to a website using a short name.
For example, you specify the DNS suffixes domain1.contoso.com and domain2.contoso.com and
then visit the URL http://mywebsite. The following addresses will be searched:
http://mywebsite.domain1.contoso.com
http://mywebsite.domain2.contoso.com

NOTE
For Windows Phone 8.1 devices only
If the Send all network traffic through the VPN connection option is selected, and the VPN connection is
using full tunneling, for the first profile provisioned on the device, the VPN connection will automatically open.
If you want a different profile to automatically open a connection, you must make it the default profile on the
device.
If the Send all network traffic through the VPN connection option is not selected, and the VPN
connection is using split-tunneling, a VPN connection can automatically be opened if you configure routes, or
a connection specific DNS suffix.

3. On the Supported Platforms page of the Create VPN Profile Wizard, select the operating systems on
which the VPN profile will be installed, or click Select all to install the VPN profile on all available operating
systems.
4. Complete the wizard. The new VPN profile is displayed in the VPN Profiles node in the Assets and
Compliance workspace.
Deploy: See Deploy Wi-Fi, VPN, email, and certificate profiles for information about deploying VPN profiles.
Next steps
Use the following topics to help you plan for, configure, operate, and maintain VPN profiles in Configuration
Manager.
Prerequisites for VPN profiles in System Center Configuration Manager
Security and privacy for VPN profiles in System Center Configuration Manager
Exchange ActiveSync email profiles in System Center
Configuration Manager
3/6/2017 • 5 min to read

Applies to: System Center Configuration Manager (Current Branch)


Email profiles work with Microsoft Intune to enable you to provision devices with email profiles and restrictions by
using Exchange ActiveSync. This enables your users to access corporate email on their devices with minimal setup
required on their part.
You can configure the following device types with email profiles:
Devices that run Windows Phone 8
Devices that run Windows Phone 8.1
Devices that run Windows 10 Mobile
iPhone devices that run iOS 5, iOS 6, iOS 7 and iOS 8
iPad devices that run iOS 5, iOS 6, iOS 7 and iOS 8

IMPORTANT
To deploy profiles to iOS, Android (Samsung KNOX Standard), Windows Phone, and Windows 8.1 or Windows 10 devices,
these devices must be enrolled into Intune. For information about how to get your devices enrolled, see Manage mobile
devices with Microsoft Intune.

In addition to configuring an email account on the device, you can also configure synchronization settings for
contacts, calendars and tasks.
When you create an email profile, you can include a wide range of security settings, including certificates for
identity, encryption and signing that have been provisioned by using System Center Configuration Manager
certificate profiles. For more information about certificate profiles, see Certificate profiles in System Center
Configuration Manager.

Create a New Exchange ActiveSync Email Profile


Start the Create Exchange ActiveSync Email Profile Wizard
1. In the System Center Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Compliance Settings, expand Company Resource
Access, and then click Email Profiles.
3. On the Home tab, in the Create group, click Create Exchange ActiveSync Profile.
4. Follow the wizard instructions
To configure Exchange ActiveSync settings for the Exchange ActiveSync email profile
1. On the Exchange ActiveSync page of the Create Exchange ActiveSync Email Profile Wizard, specify the
following information:
Exchange ActiveSync host: Specify the hostname of your company Exchange Server that hosts
Exchange ActiveSync services.
Account name: Specify the display name for the email account as it will be displayed to users on
their devices.
Account user name: Select how the email account user name is configured on client devices. You
can select one of the following options from the drop-down list:
User Principal Name Use the full user principal name to log onto Exchange.
sAMAccountName Use
Primary SMTP Address Use the user's primary SMTP address to log onto Exchange.
Email address: Select how the email address for the user on each client device is generated. You can
select one of the following options from the drop-down list:
Primary SMTP Address Use the user's primary SMTP address to log onto Exchange.
User Principal Name Use the full user principal name as the email address.
Account domain: Choose one of the following options:
Obtain from Active Directory
Custom
This field is only applicable if sAMAccountName is selected in the Account user name drop-
down list.
Authentication method: Choose one of the following authentication methods that will be used to
authenticate the connection to Exchange ActiveSync:
Certificates An identity certificate will be used to authenticate the Exchange ActiveSync
connection.
Username and Password The device user must supply a password to connect to Exchange
ActiveSync (the user name is configured as part of the email profile).
Identity certificate: Click Select and then select a certificate to use for identity.

NOTE
Before you can select the identity certificate, you must first configure it as a Simple Certificate Enrollment
Protocol (SCEP) certificate profile. For more information about certificate profiles, see Certificate profiles in
System Center Configuration Manager.

This option is only available if you selected Certificates under Authentication method.
Use S/MIME Send outgoing email using S/MIME encryption. This option is applicable to iOS devices
only.
Encryption certificates: Click Select and then select a certificate to use for encryption. This option is
applicable to iOS devices only.

NOTE
Before you can select the encryption certificate, you must first configure it as a Simple Certificate Enrollment
Protocol (SCEP) certificate profile. For more information about certificate profiles, see Certificate profiles in
System Center Configuration Manager.
This option is only available if you selected Use S/MIME.
Signing certificates: Click Select and then select a certificate to use for signing. This option is
applicable to iOS devices only.

NOTE
Before you can select the signing certificate, you must first configure it as a Simple Certificate Enrollment
Protocol (SCEP) certificate profile. For more information about certificate profiles, see Certificate profiles in
System Center Configuration Manager.

This option is only available if you selected Use S/MIME.


Configure Synchronization Settings for the Exchange ActiveSync Email Profile.
1. On the Configure synchronization settings page of the Create Exchange ActiveSync Email Profile Wizard,
specify the following information:
Schedule: Select the schedule by which devices will synchronize data from the Exchange Server. This
option is applicable to Windows Phone devices only. Choose from:
Not Configured A synchronization schedule is not enforced. This allows users to configure
their own synchronization schedule.
As messages arrive Data such as emails and calendar items will be automatically
synchronized when they arrive.
15 minutes Data such as emails and calendar items will be automatically synchronized every
15 minutes.
30 minutes Data such as emails and calendar items will be automatically synchronized every
30 minutes.
60 minutes Data such as emails and calendar items will be automatically synchronized every
60 minutes.
Manual Synchronization must be initiated manually by the device user.
Number of days of email to synchronize: From the drop-down list, select the number of days of
email that you want to synchronize. Choose one of the following values:
Not Configured The setting is not enforced. This allows users to configure how much email is
downloaded to their device.
Unlimited Synchronize all available email.
1 day
3 days
1 week
2 weeks
1 month
Allow messages to be moved to other email accounts Select this option to allow users to move
email messages between different accounts they have configured on their device. This option is
applicable to iOS devices only.
Allow email to be sent from third-party applications Select this option to allow users to send
email from certain non-default, third-party email applications. This option is applicable to iOS devices
only.
Synchronize recently used email addresses Select this option to synchronize the list of email
addresses that have been recently used on the device. This option is applicable to iOS devices only.
Use SSL Select this option to use Secure Sockets Layer (SSL) communication when sending emails,
receiving emails, and communicating with the Exchange Server.
Content type to synchronize: Select the content types that you want to synchronize to devices. This
option is applicable to Windows Phone devices only. Choose from:
Email
Contacts
Calendar
Tasks
Specify Supported Platforms for the Exchange ActiveSync Email Profile.
1. On the Supported Platforms page of the Create Exchange ActiveSync Email Profile Wizard, select the
operating systems on which the email profile will be installed, or click Select all to install the email profile
on all available operating systems.
2. Complete the wizard.
For information about how to deploy the Exchange ActiveSync email profiles, see How to deploy profiles in System
Center Configuration Manager.
Windows Hello for Business settings in System Center Configuration Manager (hybrid)
3/6/2017 • 4 min to read

Applies to: System Center Configuration Manager (Current Branch)


System Center Configuration Manager lets you integrate with Windows Hello for Business (formerly Microsoft
Passport for Windows), which is an alternative sign-in method for Windows 10 devices. Hello for Business uses an
Active Directory or an Azure Active Directory account to replace a password, smart card, or virtual smart card.
Hello for Business lets you use a user gesture to log in instead of a password. A user gesture might be a simple
PIN, biometric authentication, or an external device such as a fingerprint reader.
Configuration Manager integrates with Windows Hello for Business in two ways:
You can use Configuration Manager to control which gestures users can and cannot use to sign in.
You can store authentication certificates in the Windows Hello for Business key storage provider (KSP). For
more information, see Certificate profiles.
You can deploy Windows Hello for Business policies to domain-joined Windows 10 devices that run the
Configuration Manager client. This configuration is described in Configure Windows Hello for Business on
domain-joined Windows 10 devices. When you are using Configuration Manager with Intune (hybrid), you
can configure these settings on Windows 10, and Windows 10 Mobile devices, but not on domain-joined
devices that run the Configuration Manager client.
For general information about configuring Windows Hello for Business settings, see Windows Hello for Business
settings in System Center Configuration Manager.

Configure Windows Hello for Business settings (hybrid)


1. In the Configuration Manager console, click Administration > Cloud Services > Microsoft Intune
Subscriptions.
2. From the list, select your Microsoft Intune subscription and then, in the Home tab, in the Subscription
group, click Configure Platforms > Windows (MDM).
3. On the Windows Hello for Business tab of the Microsoft Intune Subscription Properties dialog box,
choose from the following values that will affect all enrolled Windows 10 and Windows 10 Mobile devices:
Disable Windows Hello for Business on enrolled devices or Enable Windows Hello for
Business on enrolled devices - Enables or disables the use of Windows Hello for Business on all
enrolled Windows 10 and Windows 10 Mobile devices.
Use a Trusted Platform Module (TPM) - A Trusted Platform Module (TPM) chip provides an
additional layer of data security. Choose one of the following values:
Required (default) - Only devices with an accessible TPM can provision Windows Hello for
Business.
Preferred - Devices first attempt to use a TPM. If this is not available, they can use software
encryption.
Require minimum PIN length - Specify the minimum number of characters required for the
Windows Hello for Business PIN. You must use at least 4 characters (the default value is 6 characters).
Require maximum PIN length - Specify the maximum number of characters allowed for the
Windows Hello for Business PIN. You can use up to 127 characters.
Require lowercase letters in PIN - Specifies whether lowercase letters must be used in the
Windows Hello for Business PIN. Choose from:
Allowed - Users can use lowercase characters in their PIN.
Required - Users must include at least one lowercase character in their PIN.
Not allowed (default) - Users must not use lowercase characters in their PIN.
Require uppercase letters in PIN - Specifies whether uppercase letters must be used in the
Windows Hello for Business PIN. Choose from:
Allowed - Users can use uppercase characters in their PIN.
Required - Users must include at least one uppercase character in their PIN.
Not allowed (default) - Users must not use uppercase characters in their PIN.
Require special characters - Specifies the use of special characters in the PIN. Choose from:
Allowed - Users can use special characters in their PIN.
Required - Users must include at least one special character in their PIN.
Not allowed (default) - Users must not use special characters in their PIN (this is also the
behavior if the setting is not configured).
Special characters include: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~.
Require PIN expiration (days) - Specifies the number of days before the device PIN must be
changed. The default is 41 days.
Prevent reuse of previous PINs - Use this setting to restrict the re-use of previously used PINs. The
default is that the last 5 PINs used cannot be reused.
Enable biometric gestures - Enables biometric authentication such as facial recognition or
fingerprint as an alternative to a PIN for Windows Hello for Business. Users must still configure a
work PIN in case biometric authentication fails.
If set to Enabled, Windows Hello for Business allows biometric authentication. If set to Disabled,
Windows Hello for Business prevents biometric authentication (for all account types).
Use enhanced anti-spoofing, when available - Configures whether enhanced anti-spoofing is
used on devices that support it.
If set to Enabled, Windows requires all users to use anti-spoofing for facial features when supported.
Use Remote Passport - If this option is set to Enabled, users can use a remote Hello for Business to
serve as a portable companion device for desktop computer authentication. The desktop computer
must be Azure Active Directory joined, and the companion device must be configured with a
Windows Hello for Business PIN.
4. When you are finished, click OK.
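As an added illustration (a constructed example, not Configuration Manager or Windows code), the following Python models how the PIN settings above combine when a candidate PIN is checked against a policy, using the documented defaults: minimum 6 characters (floor 4), maximum 127, lowercase, uppercase and special characters Not allowed, and the last 5 PINs not reusable. That digits are always permitted, and that characters outside digits, letters and the listed special set are rejected, are assumptions of the example rather than statements from this page; Windows itself performs the real enforcement during provisioning.

```python
"""Model of the Windows Hello for Business PIN complexity settings described
above, as a constructed example (not Configuration Manager or Windows code).
It applies the documented defaults and returns the list of rules a candidate
PIN violates, so an administrator can see how the settings combine."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Sequence

# The special characters listed in the settings page.
SPECIAL_CHARS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


class Rule(Enum):
    ALLOWED = "Allowed"
    REQUIRED = "Required"
    NOT_ALLOWED = "Not allowed"


@dataclass
class HelloPinPolicy:
    # Defaults follow the page: minimum 6 (floor 4), maximum 127, letters and
    # special characters not allowed, last 5 PINs cannot be reused.
    min_length: int = 6
    max_length: int = 127
    lowercase: Rule = Rule.NOT_ALLOWED
    uppercase: Rule = Rule.NOT_ALLOWED
    special: Rule = Rule.NOT_ALLOWED
    history_depth: int = 5

    def __post_init__(self) -> None:
        # The console allows a minimum of at least 4 and a maximum of up to 127.
        if not 4 <= self.min_length <= self.max_length <= 127:
            raise ValueError("min length must be >= 4 and <= max length <= 127")


def _check_class(rule: Rule, present: bool, name: str) -> List[str]:
    """Translate one Allowed/Required/Not allowed setting into a violation."""
    if rule is Rule.REQUIRED and not present:
        return [f"{name} required"]
    if rule is Rule.NOT_ALLOWED and present:
        return [f"{name} not allowed"]
    return []


def validate_pin(pin: str, policy: HelloPinPolicy, history: Sequence[str] = ()) -> List[str]:
    """Return every policy rule the PIN violates (an empty list means acceptable).

    Assumption (not stated on the page): digits are always permitted, and any
    character outside digits, letters and the listed special set is rejected.
    """
    problems: List[str] = []
    if len(pin) < policy.min_length:
        problems.append(f"shorter than minimum length {policy.min_length}")
    if len(pin) > policy.max_length:
        problems.append(f"longer than maximum length {policy.max_length}")

    has_lower = any(c.islower() for c in pin)
    has_upper = any(c.isupper() for c in pin)
    has_special = any(c in SPECIAL_CHARS for c in pin)
    if any(not (c.isdigit() or c.isalpha() or c in SPECIAL_CHARS) for c in pin):
        problems.append("contains characters outside digits, letters and the special set")

    problems += _check_class(policy.lowercase, has_lower, "lowercase letters")
    problems += _check_class(policy.uppercase, has_upper, "uppercase letters")
    problems += _check_class(policy.special, has_special, "special characters")

    # "Prevent reuse of previous PINs": the last N PINs cannot be reused.
    if policy.history_depth and pin in list(history)[-policy.history_depth:]:
        problems.append(f"reuses one of the last {policy.history_depth} PINs")
    return problems


if __name__ == "__main__":
    default = HelloPinPolicy()
    print(validate_pin("123456", default))   # []
    print(validate_pin("12ab", default))     # too short, lowercase not allowed
    strict = HelloPinPolicy(min_length=8, lowercase=Rule.REQUIRED, special=Rule.REQUIRED)
    print(validate_pin("abc123!x", strict))  # []
```

The three Allowed/Required/Not allowed settings are independent, so a policy that requires lowercase letters while leaving uppercase and special characters Not allowed is valid and yields digit-plus-lowercase PINs; the validator makes such combinations easy to check before the policy is pushed to enrolled devices.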
See also
Protect data and site infrastructure with System Center Configuration Manager
Manage identity verification using Windows Hello for Business.
Manage access to services in System Center Configuration Manager
3/9/2017 • 6 min to read

Applies to: System Center Configuration Manager (Current Branch)

Conditional access in System Center Configuration Manager


Use conditional access to help secure email and other services on devices that are enrolled with Microsoft Intune,
depending on conditions you specify.
For information about conditional access on PCs that are managed with System Center Configuration
Manager and evaluated for compliance, see Manage access to O365 services for PCs managed by System Center
Configuration Manager.
A typical flow for conditional access might look as follows:

Use conditional access to manage access to the following services:


Microsoft Exchange On-premises
Microsoft Exchange Online
Exchange Online Dedicated
SharePoint Online
Skype for Business Online
Dynamics CRM Online
To implement conditional access, you configure two policy types in Configuration Manager:
Compliance policies are optional policies you can deploy to user collections and evaluate settings like:
Passcode
Encryption
Whether the device is jailbroken or rooted
Whether email on the device is managed by a Configuration Manager or Intune policy
If no compliance policy is deployed to a device, then any applicable conditional access
policies will treat the device as compliant.
Conditional access policies are configured for a particular service, and define rules such as which Azure
Active Directory security user groups or Configuration Manager user collections will be targeted, or exempt.
You configure the On-Premises Exchange conditional access policy from the Configuration Manager console.
However, when you configure an Exchange Online or SharePoint Online policy, this opens the Intune admin
console where you configure the policy.
Unlike other Intune or Configuration Manager policies, you do not deploy conditional access policies.
Instead, you configure these once, and they apply to all targeted users.
When devices do not meet the conditions you configure, the user is guided through the process of enrolling
the device and fixing the issue that prevents the device from being compliant.
Before you start using conditional access, ensure that you have the correct requirements in place:

Requirements for Exchange Online (using the shared multi-tenant environment)
Conditional access to Exchange Online supports devices that run:
Windows 8.1 and later (when enrolled with Intune)
Windows 7.0 or Windows 8.1 (when domain joined)
Windows Phone 8.1 and later
iOS 7.1 and later
Android 4.0 and later, Samsung KNOX Standard 4.0 and later
Additionally:
Devices must be workplace joined, which registers the device with the Azure Active Directory Device
Registration Service (AAD DRS).
Domain joined PCs must be automatically registered with Azure Active Directory through group policy or
MSI.
The Conditional access for PCs section in this topic describes all the requirements for enabling conditional
access for a PC.

AAD DRS will be activated automatically for Intune and Office 365 customers. Customers who have already
deployed the ADFS Device Registration Service will not see registered devices in their on-premises Active
Directory.
You must use an Office 365 subscription that includes Exchange Online (such as E3) and users must be licensed
for Exchange Online.
The Exchange Server connector is optional. It connects Configuration Manager to Microsoft Exchange Online and
helps you monitor device information through the Configuration Manager console (see Manage mobile devices
with System Center Configuration Manager and Exchange). You do not need to use the connector to use compliance
policies or conditional access policies, but it is required to run reports that help evaluate the impact of
conditional access.

Requirements for Exchange Online Dedicated


Conditional access to Exchange Online Dedicated supports devices that run:
Windows 8 and later (when enrolled with Intune)
Windows 7.0 or Windows 8.1 (when domain joined)
Conditional access for domain joined PCs is available only to tenants in the new Exchange Online Dedicated environment.
Windows Phone 8 and later
Any iOS device that uses an Exchange ActiveSync (EAS) email client
Android 4 and later.
For tenants in the legacy Exchange Online Dedicated environment:
You must use the Exchange Server connector which connects Configuration Manager to Microsoft
Exchange On-premises. This lets you manage mobile devices and enables conditional access (see Manage
mobile devices with System Center Configuration Manager and Exchange).
For tenants in the new Exchange Online Dedicated environment:
The optional Exchange Server connector connects Configuration Manager to Microsoft Exchange Online and
helps you manage device information (see Manage mobile devices with System Center Configuration Manager
and Exchange). You do not need to use the connector to use compliance policies or conditional access policies,
but it is required to run reports that help evaluate the impact of conditional access.

Requirements for Exchange On-premises


Conditional access to Exchange On-premises supports:
Windows 8 and later (when enrolled with Intune)
Windows Phone 8 and later
Native email app on iOS
Native email app on Android 4 or later
Microsoft Outlook app is not supported (Android and iOS).
Additionally:
The Exchange version must be Exchange 2010 or later. An Exchange Client Access Server (CAS) array is
supported.

TIP
If your Exchange environment is in a CAS server configuration, then you must configure the on-premises Exchange connector
to point to one of the CAS servers.
You must use the Exchange Server connector which connects Configuration Manager to Microsoft Exchange On-
premises. This lets you manage mobile devices and enables conditional access (see Manage mobile devices with System
Center Configuration Manager and Exchange).
Make sure that you are using the latest version of the on-premises Exchange connector. The on-premises
Exchange connector should be configured through the Configuration Manager console. For a detailed
walkthrough, see Manage mobile devices with System Center Configuration Manager and Exchange.
The connector must be configured only on the System Center Configuration Manager Primary Site.
This connector supports an Exchange CAS environment.
When configuring the connector, you must set it to talk to one of the Exchange CAS servers.

Exchange ActiveSync can be configured with certificate based authentication or user credential entry.

Requirements for Skype for Business Online


Conditional access to SharePoint Online supports devices that run:
iOS 7.1 and later
Android 4.0 and later
Samsung KNOX Standard 4.0 or later
Additionally, you must enable modern authentication for Skype for Business Online. Fill in this connect form to be
enrolled in the modern authentication program.
All your end-users must be using Skype for Business Online. If you have a deployment with both Skype for
Business Online and Skype for Business on-premises, the conditional access policy will not be applied to end-users
who are in the on-premises deployment.

Requirements for SharePoint Online


Conditional access to SharePoint Online supports devices that run:
Windows 8.1 and later (when enrolled with Intune)
Windows 7.0 or Windows 8.1 (when domain joined)
Windows Phone 8.1 and later
iOS 7.1 and later
Android 4.0 and later, Samsung KNOX Standard 4.0 and later
Additionally:
Devices must be workplace joined, which registers the device with the Azure Active Directory Device
Registration Service (AAD DRS).
Domain joined PCs must be automatically registered with Azure Active Directory through group policy or
MSI. The Conditional access for PCs section in this topic describes all the requirements for enabling
conditional access for a PC.
AAD DRS will be activated automatically for Intune and Office 365 customers. Customers who have already
deployed the ADFS Device Registration Service will not see registered devices in their on-premises Active
Directory.
A SharePoint Online subscription is required and users must be licensed for SharePoint Online.
Conditional access for PCs
You can set up conditional access for PCs that run Office desktop applications to access Exchange Online
and SharePoint Online for PCs that meet the following requirements:
The PC must be running Windows 7.0 or Windows 8.1.
The PC must either be domain joined or compliant.
In order to be compliant, the PC must be enrolled in Intune and comply with the policies.
For domain joined PCs, you must set them up to automatically register the device with Azure Active Directory.
Office 365 modern authentication must be enabled, and the PC must have all the latest Office updates.
Modern authentication brings Active Directory Authentication Library (ADAL) based sign-in to Office 2013
Windows clients and enables better security like multi-factor authentication and certificate-based
authentication.
Set up ADFS claims rules to block non-modern authentication protocols.

Next Steps
Read the following topics to learn how to configure compliance policies and conditional access policies for your
required scenario:
Manage device compliance policies in System Center Configuration Manager
Manage email access in System Center Configuration Manager
Manage SharePoint Online access in System Center Configuration Manager
Manage Skype for Business Online access
See also
Get started with compliance settings in System Center Configuration Manager
Device compliance policies in System Center Configuration Manager
3/9/2017 • 2 min to read

Applies to: System Center Configuration Manager (Current Branch)


Compliance policies in System Center Configuration Manager define the rules and settings that a device must
comply with in order to be considered compliant by conditional access policies. You can also use compliance
policies to monitor and remediate compliance issues with devices independently of conditional access.

IMPORTANT
This article describes the compliance policies for devices managed by Microsoft Intune. The compliance policies for PCs
managed by System Center Configuration Manager are described in Manage access to O365 services for PCs managed by
System Center Configuration Manager.

These rules include requirements like:


PIN and passwords to access a device
Encryption of data stored on the device
Whether the device is jailbroken or rooted
Whether email on the device is managed by an Intune policy, or if the device is reported as unhealthy by the
Windows device health attestation service.
You deploy compliance policies to user collections. When a compliance policy is deployed to a user, all of the
user's devices are checked for compliance.
The following table lists the device types supported by compliance policies and how noncompliant settings are
managed when the policy is used with a conditional access policy.

RULE                            WINDOWS 8.1+       WINDOWS PHONE 8.1+   IOS 6.0+                      ANDROID 4.0+, SAMSUNG KNOX STANDARD 4.0+
PIN or password configuration   Remediated         Remediated           Remediated                    Quarantined
Device encryption               N/A                Remediated           Remediated (by setting PIN)   Quarantined
Jailbroken or rooted device     N/A                N/A                  Quarantined (not a setting)   Quarantined (not a setting)
Email profile                   N/A                N/A                  Quarantined                   N/A
Minimum OS version              Quarantined        Quarantined          Quarantined                   Quarantined
Maximum OS version              Quarantined        Quarantined          Quarantined                   Quarantined
Device Health Attestation       Not applicable     N/A                  N/A                           N/A
(1602 update)                   to Windows 8.1;
                                Windows 10 and
                                Windows 10 Mobile
                                are Quarantined

Remediated = Compliance is enforced by the device operating system (for example, the user is forced to set a
PIN). There is never a case when the setting will be noncompliant.
Quarantined = The device operating system does not enforce compliance (for example, Android devices do not
force the user to encrypt the device). In this case:
The device will be blocked if the user is targeted by a conditional access policy.
The company portal or web portal will notify the user about any compliance issues.
Next Steps
Create and deploy a device compliance policy
See also
Manage access to services in System Center Configuration Manager
Create and deploy a device compliance policy
3/9/2017 • 11 min to read

Applies to: System Center Configuration Manager (Current Branch)

Create a compliance policy


1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Compliance Settings, and then click Compliance
Policies.
3. On the Home tab, in the Create group, click Create Compliance Policy.
4. On the General page of the Create Compliance Policy Wizard, specify the following information:
Name: Enter a unique name for the compliance policy. You can use a maximum of 256 characters.
Description: Enter a description that gives an overview of the VPN profile and helps identify it in the
Configuration Manager console. You can use a maximum of 256 characters.
Type of compliance policy: Select the type of policy you want to create depending on whether the
device is managed by Configuration Manager. This applies to version or later.

For devices managed by Intune, choose the Compliance rules for devices managed without
configuration manager client option. When you select this option you can also select the type of
platform you want this policy to apply to.
Noncompliance severity for reports: Specify the severity level that is reported if this compliance
policy is evaluated as noncompliant. The available severity levels are the following:

None - devices that fail this compliance rule do not report a failure severity for Configuration
Manager reports.
Information - devices that fail this compliance rule report a failure severity of Information for
Configuration Manager reports.
Warning - devices that fail this compliance rule report a failure severity of Warning for
Configuration Manager reports.
Critical - devices that fail this compliance rule report a failure severity of Critical for
Configuration Manager reports.
Critical with event - devices that fail this compliance rule report a failure severity of Critical for
Configuration Manager reports. This severity level is also logged as a Windows event in the
application event log.
5. On the Supported Platforms page, choose the device platforms that this compliance policy will be
evaluated on, or click Select all to choose all device platforms.
6. On the Rules page, you define one or more rules that define the configuration that devices must have in
order to be evaluated as compliant. When you create a compliance policy, some rules are enabled by default,
but you can edit or delete these. For a full list of all the rules see the Compliance policy rules section later
in this topic.
NOTE
On Windows PCs, Windows operating system version 8.1 is reported as 6.3 instead of 8.1. If the OS version rule is set to
Windows 8.1 for Windows, the device will be reported as non-compliant even if it has Windows 8.1. Make sure you set
the correct reported version of Windows for the Minimum and Maximum OS rules: the version number must match the
version returned by the winver command. Windows Phones do not have this issue; the version is reported as 8.1 as
expected.
For Windows PCs with the Windows 10 operating system, set the version as "10.0" + the OS build number returned by the
winver command. For example, it could be something like 10.0.10586.
Windows 10 Mobile does not have this issue.

7. On the Summary page of the wizard, review the settings you made, and then complete the wizard.
The new policy displays in the Compliance Policies node of the Assets and Compliance workspace.

Deploy a compliance policy


1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, expand Compliance Settings, and then click Compliance
Policies.
3. On the Home tab, in the Deployment group, click Deploy.
4. In the Deploy Compliance Policy dialog box, click Browse to select the user collection to which to deploy
the policy.
Additionally, you can select options to generate alerts when the policy is not compliant, and also to
configure the schedule by which this policy will be evaluated for compliance.
5. When you are done, click OK.

Monitor the compliance policy


To view compliance results in the Configuration Manager console
1. In the Configuration Manager console, click Monitoring.
2. In the Monitoring workspace, click Deployments.
3. In the Deployments list, select the compliance policy deployment for which you want to review compliance
information.
4. You can review summary information about the compliance of the policy deployment on the main page. To
view more detailed information, select the deployment, and then on the Home tab, in the Deployment
group, click View Status to open the Deployment Status page.
The Deployment Status page contains the following tabs:
Compliant: Displays the compliance of the policy based on the number of assets affected. You can
click a rule to create a temporary node under the Users or Devices node that are in the Assets and
Compliance workspace, which contains all users or devices that are compliant with this rule. The
Asset Details pane displays the users or devices that are compliant with the policy. Double-click a
user or device in the list to display additional information.
Error: Displays a list of all errors for the selected policy deployment based on number of assets
affected. You can click a rule to create a temporary node under the Users or Devices node of the
Assets and Compliance workspace, which contains all users or devices that generated errors with
this rule. When you select a user or device, the Asset Details pane displays the users or devices that
are affected by the selected issue. Double-click a user or device in the list to display additional
information about the issue.
Non-Compliant: Displays a list of all noncompliant rules within the policy based on number of
assets affected. You can click a rule to create a temporary node under the Users or Devices node of
the Assets and Compliance workspace, which contains all users or devices that are not compliant
with this rule. When you select a user or device, the Asset Details pane displays the users or devices
that are affected by the selected issue. Double-click a user or device in the list to display further
information about the issue.
Unknown: Displays a list of all users and devices that did not report compliance for the selected
policy deployment together with the current client status of devices.
To view Intune compliance policies charts
1. Beginning in version 1610 of Configuration Manager, in the Configuration Manager console, click Monitoring.
2. In the Monitoring workspace, go to Overview > Compliance Settings > Compliance Policies.
3. The following charts are displayed:
Overall Device Compliance: Display the overall compliance of devices for all compliance policies.
Top Non-Compliance Reasons: Displays the top policies for which devices are non-compliant.
4. Click a section in either chart to drill-down to a list of the devices within that category.
To view a Health Attestation Report
1. Beginning in version 1602 of Configuration Manager, in the Configuration Manager console, click
Monitoring.
2. To view a summary report of the current status of devices by their compliance status, click Security, and
then click Health Attestation.
3. To view a report that lists all devices and all the health attestation attributes, click Security, and then click
Health Attestation.

Compliance policy rules


Require password settings on mobile devices: Require users to enter a password before they can access
their device.
Supported on:
Windows Phone 8+
iOS 6+
Android 4.0+
Samsung KNOX Standard 4.0+
Require a password to unlock an idle device (1602 update): Require users to enter a password to
access device that is locked.
Supported on:
Windows Phone 8+
iOS 6+
Android 4.0+
Samsung KNOX Standard 4.0+
Minutes of inactivity before password is required (1602 update): Specifies the idle time before the
user must re-enter their password. Set the value to one of the available options: 1 minute, 5 minutes, 15
minutes, 30 minutes, 1 hour.
This rule must be used together with Require a password to unlock an idle device. The value set here
determines when the device is considered idle and is locked; when Require a password to unlock an idle
device is set to True, the user must then enter a password in order to access the locked device.
Supported on:
Windows Phone 8+
Windows RT/8.1
iOS 6+
Android 4.0+
Samsung KNOX Standard 4.0+
Require automatic updates (1602 update): You can require devices with Windows 8.1 or later to
automatically install updates, and specify the class of updates.
The value should be set to None to prevent automatic installation, to Recommended to automatically
install all recommended updates, or to Important to only install updates classified as important.
Supported on:
Windows Phone 8+
Allow simple passwords: Let users create simple passwords such as "1234" or "1111". This setting is
disabled by default.
Supported on:
Windows Phone 8+
iOS 6+
Minimum password length: Specifies the minimum number of digits or characters that the user's
password must contain (6 by default).
Supported on:
Windows Phone 8+
Windows 8.1
iOS 6+
Android 4.0+
Samsung KNOX Standard 4.0+
NOTE
For devices that run Windows and are secured with a Microsoft Account, the compliance policy will fail to evaluate
correctly if Minimum password length is greater than 8 characters or if Minimum number of character sets is more
than 2.
File encryption on mobile device: Requires the device to be encrypted in order to connect to
resources. Devices that run Windows Phone 8 are automatically encrypted. Devices that run iOS are
encrypted when you configure the setting Require password settings on mobile devices (Enabled by
default).
Supported on:
Windows Phone 8+
Windows 8.1
iOS 6+
Android 4.0+
Samsung KNOX Standard 4.0+
Device must not be jailbroken or rooted: If enabled, jailbroken (iOS) or rooted (Android) devices will not
be compliant (Disabled by default).
Supported on:
iOS 6+
Android 4.0+
Samsung KNOX Standard 4.0+
Email profile must be managed by Intune: When this option is set to Yes, the device must use the email
profile deployed to the device. The device is considered noncompliant if the email profile is not deployed to
the same user group as the user group targeted by the compliance policy.
It is also noncompliant if the user has already set up an email account on the device that matches the Intune
email profile that is deployed to the device. In this case, Intune cannot overwrite the user-provisioned profile
and therefore cannot manage it. The user can bring the device into compliance by removing the existing
email settings, which allows Intune to install the managed email profile.
For details about email profiles, see Enable access to corporate email using email profiles with Microsoft
Intune. This setting is disabled by default.
Supported on:
iOS 6+
Email profile: If Email account must be managed by Intune is selected, click Select to choose the email
profile that devices must be managed by. The email profile must be present on the device.
Supported on:
iOS 6+
Minimum OS required: When a device does not meet the minimum OS version requirement, it will be
reported as non-compliant. A link with information on how to upgrade will be displayed. The end-user can
choose to upgrade their device after which they will be able to access company resources.
Supported on:
Windows Phone 8+
Windows 8.1
iOS 6+
Android 4.0+
Samsung KNOX Standard 4.0+
Maximum OS version allowed: When a device is using an OS version later than the one specified in the
rule, access to company resources is blocked and the user is asked to contact their IT admin. Until there is a
change in rule to allow the OS version, this device cannot be used to access company resources.
Supported on:
Windows Phone 8+
Windows 8.1
iOS 6+
Android 4.0+
Samsung KNOX Standard 4.0+
Require devices to be reported as healthy (1602 update): You can set a rule to require that Windows
10 devices must be reported as healthy in new or existing Compliance Policies. If this setting is enabled,
Windows 10 devices will be evaluated via the Health Attestation Service (HAS) for the following data points:
BitLocker is enabled: When BitLocker is on, the device is able to protect data that is stored on the
drive from unauthorized access when the system is turned off or goes into hibernation.
Windows BitLocker Drive Encryption encrypts all data stored on the Windows operating system
volume. BitLocker uses the TPM to help protect the Windows operating system and user data and
helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.
If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption
keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state
of the computer.
Code integrity is enabled: Code integrity is a feature that validates the integrity of a driver or system
file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file
is being loaded into the kernel, or whether a system file has been modified by malicious software that is
being run by a user account with administrator privileges.
Secure boot is enabled: When Secure Boot is enabled, the system is forced to boot to a factory trusted
state. Also, when Secure Boot is enabled, the core components used to boot the machine must have
correct cryptographic signatures that are trusted by the organization that manufactured the device. The
UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking
their signature, the system will not boot.
Early-launch antimalware is enabled (this setting only applies to PCs): Early launch anti-malware
(ELAM) provides protection for the computers in your network when they start up and before third-party
drivers initialize.
This rule is turned off by default.
For information on how the HAS service works, see Health Attestation CSP. Supported on:
Windows 10 and Windows 10 Mobile
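The evaluation the rule above performs can be modelled in a few lines. The following is an added example, not Intune or Configuration Manager code: it takes the four data points the text lists, applies the platform rule (early-launch antimalware is checked on PCs only, so a Windows 10 Mobile device is not failed for it), treats a data point missing from the report as failed rather than healthy, and respects the rule being off by default. The report keys and platform names are assumed names for this example, not Health Attestation CSP node names.

```python
"""Evaluate the 'Require devices to be reported as healthy' rule against the four
Health Attestation Service data points listed above.

Constructed example, not Intune or Configuration Manager code. The report keys
below are assumed names for this example, not Health Attestation CSP node names.
"""
from __future__ import annotations

# Data points the rule checks on every Windows 10 device.
COMMON_POINTS = ("bitlocker_enabled", "code_integrity_enabled", "secure_boot_enabled")
# Early-launch antimalware is evaluated on PCs only, not on Windows 10 Mobile.
PC_ONLY_POINTS = ("early_launch_antimalware_enabled",)

SUPPORTED_PLATFORMS = {
    "windows_10": COMMON_POINTS + PC_ONLY_POINTS,
    "windows_10_mobile": COMMON_POINTS,
}


def required_points(platform: str) -> tuple[str, ...]:
    """Data points a device of this platform must report as true."""
    try:
        return SUPPORTED_PLATFORMS[platform]
    except KeyError:
        raise ValueError(f"health attestation rule is not supported on {platform!r}") from None


def evaluate_health(platform: str, has_report: dict[str, bool],
                    rule_enabled: bool = False) -> tuple[bool, list[str]]:
    """Return (passes, failed_points).

    The rule is off by default, so a disabled rule never fails a device.
    A data point missing from the report is treated as failed (fail closed)
    rather than assumed healthy.
    """
    if not rule_enabled:
        return True, []
    failed = [p for p in required_points(platform) if not has_report.get(p, False)]
    return not failed, failed


if __name__ == "__main__":
    # Constructed sample report: a PC whose Secure Boot status came back false.
    sample = {"bitlocker_enabled": True, "code_integrity_enabled": True,
              "secure_boot_enabled": False, "early_launch_antimalware_enabled": True}
    print(evaluate_health("windows_10", sample, rule_enabled=True))
```

The fail-closed choice on a missing data point is deliberate: a device whose attestation report omits a field has not proven that protection is on, and the rule is meant to admit only devices that have.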
Manage email access in System Center Configuration Manager
3/9/2017 • 16 min to read

Applies to: System Center Configuration Manager (Current Branch)


Use System Center Configuration Manager conditional access to manage access to Exchange email based on
conditions you specify.
You can manage access to:
Microsoft Exchange On-premises
Microsoft Exchange Online
Exchange Online Dedicated
You can control access to Exchange Online and Exchange On-premises from the built-in email client on the
following platforms:
Android 4.0 and later, Samsung KNOX Standard 4.0 and later
iOS 7.1 and later
Windows Phone 8.1 and later
Mail application on Windows 8.1 and later
Office desktop applications can access Exchange Online on PCs running:
Office desktop 2013 and later with modern authentication enabled.
Windows 7.0 or Windows 8.1

NOTE
PCs should be domain joined or be compliant with the policies set in Intune.

Device requirements
If you configure conditional access, before a user can connect to their email, the device they use must:
Be enrolled with Intune, or be a domain joined PC.
Be registered in Azure Active Directory (this happens automatically when the device is enrolled with
Intune; for Exchange Online only). Additionally, the client Exchange ActiveSync ID must be registered with
Azure Active Directory (this does not apply to Windows and Windows Phone devices connecting to Exchange
On-premises).
For a domain joined PC, you must set it to automatically register with Azure Active Directory. The Conditional
Access for PCs section in the Manage access to services in System Center Configuration Manager topic lists
the full set of requirements to enable conditional access for PCs.
Be compliant with any Configuration Manager compliance policies deployed to that device.
If a conditional access condition is not met, the user is presented with one of the following messages when
they log in:
If the device is not enrolled with Intune, or is not registered in Azure Active Directory, a message is displayed
with instructions about how to install the company portal app, enroll the device, and (for Android and iOS
devices), activate email, which associates the device's Exchange ActiveSync ID with the device record in
Azure Active Directory.
If the device is not compliant, a message is displayed that directs the user to the Intune web portal where
they can find information about the problem and how to remediate it.
For mobile devices:
You can restrict access to Outlook Web Access (OWA) on Exchange Online when it is accessed from a browser on
iOS and Android devices. Access is allowed only from supported browsers on compliant devices:
Safari (iOS)
Chrome (Android)
Managed Browser (iOS and Android)
Unsupported browsers will be blocked. The OWA apps for iOS and Android are not supported. They should be
blocked through ADFS claims rules:
Set up ADFS claims rules to block non-modern authentication protocols. Detailed instructions are provided
in scenario 3 - block all access to O365 except browser based applications.
For PCs:
If the conditional access policy requirement is set to allow domain joined or compliant devices and the PC
meets neither requirement, a message with instructions about how to enroll the device with Intune is
displayed.
If the conditional access policy requirement is set to allow only domain joined Windows devices, the device is
blocked and a message to contact the IT admin is displayed.
You can block access to Exchange email from the device's built-in Exchange ActiveSync email client on the
following platforms:
Android 4.0 and later, Samsung KNOX Standard 4.0 and later
iOS 7.1 and later
Windows Phone 8.1 and later
The Mail application on Windows 8.1 and later
The Outlook app for iOS and Android, and Outlook desktop 2013 and later, are supported for Exchange
Online only.
The on-premises Exchange connector between Configuration Manager and Exchange is required for
conditional access to work.
You can configure a conditional access policy for Exchange On-premises from the Configuration Manager
console. When you configure a conditional access policy for Exchange Online, you can begin the process in
the Configuration Manager console, which launches the Intune console where you can complete the process.

Configure conditional access


Step 1: Evaluate the effect of the conditional access policy
Once you have configured the on-premises Exchange connector, you can use the Configuration Manager List of
devices by Conditional Access State report to identify devices that will be blocked from accessing Exchange
after you configure the conditional access policy. This report also requires:
A subscription to Intune
A configured and deployed service connection point
In the report parameters, select the Intune group you want to evaluate and, if required, the device platforms
to which the policy will apply.
For more information about how to run reports, see Reporting in System Center Configuration Manager.
After you run the report, examine these four columns to determine whether a user will be blocked:
Management Channel - Indicates whether the device is managed by Intune, Exchange ActiveSync, or both.
Registered with AAD - Indicates whether the device is registered with Azure Active Directory (known as
Workplace Join).
Compliant - Indicates whether the device is compliant with any compliance policies you deployed.
EAS Activated - iOS and Android devices are required to have their Exchange ActiveSync ID associated with
the device registration record in Azure Active Directory. This happens when the user clicks the Activate
Email link in the quarantine email.

NOTE
Windows Phone devices always display a value in this column.

Devices that are part of a targeted group or collection will be blocked from accessing Exchange unless the
column values match those listed in the following table:

MANAGEMENT CHANNEL                                  | AAD REGISTERED | COMPLIANT | EAS ACTIVATED          | RESULTING ACTION
Managed by Microsoft Intune and Exchange ActiveSync | Yes            | Yes       | Yes or No is displayed | Email access allowed
Any other value                                     | No             | No        | No value is displayed  | Email access blocked

You can export the contents of the report and use the Email Address column to help you inform users that they
will be blocked.
Step 2: Configure user groups or collections for the conditional access policy
You target conditional access policies to different groups or collections of users depending on the policy type.
These groups contain the users that are targeted by, or exempt from, the policy. When a user is targeted by a policy,
each device they use must be compliant in order to access email.
For the Exchange Online policy - target Azure Active Directory security user groups. You can configure these
groups in the Office 365 admin center or the Intune account portal.
For the Exchange On-premises policy - target Configuration Manager user collections. You can configure
these in the Assets and Compliance workspace.
You can specify two group types in each policy:
Targeted groups - User groups or collections to which the policy is applied
Exempted groups - User groups or collections that are exempt from the policy (optional)
If a user is in both, they will be exempt from the policy.
Only the groups or collections that are targeted by the conditional access policy are evaluated for
Exchange access.
Step 3: Configure and deploy a compliance policy
Ensure that you have created and deployed a compliance policy to all devices that the Exchange conditional access
policy will be targeted to.
For details about how to configure the compliance policy, see Manage device compliance policies in System Center
Configuration Manager.

IMPORTANT
If you have not deployed a compliance policy and then enable an Exchange conditional access policy, all targeted devices will
be allowed access.

When you are ready, continue to Step 4.


Step 4: Configure the conditional access policy
For Exchange Online (and tenants in the new Exchange Online Dedicated environment)

NOTE
You can also create a conditional access policy in the Azure AD management console. The Azure AD management console
allows you to create the Intune device conditional access policies (referred to as device-based conditional access policies
in Azure AD) in addition to other conditional access policies, such as multi-factor authentication. You can also set
conditional access policies for third-party enterprise apps that Azure AD supports, like Salesforce and Box. For more
details, see How to set Azure Active Directory device-based conditional access policy for access control to Azure Active
Directory connected applications.

The following flow is used by conditional access policies for Exchange Online to evaluate whether to allow or block
devices.
To access email, the device must:
Be enrolled with Intune.
PCs must either be domain joined, or be enrolled and compliant with the policies set in Intune.
Be registered in Azure Active Directory (this happens automatically when the device is enrolled with
Intune).
For domain joined PCs, you must set them up to automatically register with Azure Active Directory.
Have activated email, which associates the device's Exchange ActiveSync ID with the device record in Azure
Active Directory (applies to iOS and Android devices only).
Be compliant with any deployed compliance policies.
The device state is stored in Azure Active Directory, which grants or blocks access to email based on the
evaluated conditions.
If a condition is not met, the user is presented with one of the following messages when they log in:
If the device is not enrolled, or is not registered in Azure Active Directory, a message is displayed with
instructions about how to install the company portal app and enroll.
If the device is not compliant, a message is displayed that directs the user to the Intune Company Portal
website or the Company Portal app, where they can find information about the problem and how to
remediate it.
For a PC:
If the policy is set to require domain join, and the PC is not domain joined, a message is displayed to
contact the IT admin.
If the policy is set to require domain join or compliance, and the PC meets neither requirement,
a message is displayed with instructions about how to install the company portal app and enroll.
The message is displayed on the device for Exchange Online users and tenants in the new Exchange Online
Dedicated environment, and is delivered to the user's email inbox for Exchange On-premises and legacy
Exchange Online Dedicated devices.

NOTE
Configuration Manager conditional access rules override the allow, block, and quarantine rules that are defined in the
Exchange Online admin console.

NOTE
Conditional access policy must be configured in the Intune console. The following steps begin by accessing the Intune
console through Configuration Manager. If prompted, log in using the same credentials that were used to set up the service
connection point between Configuration Manager and Intune.

To enable the Exchange Online policy

1. In the Configuration Manager console, click Assets and Compliance.


2. Expand Compliance Settings, expand Conditional Access, and then click Exchange Online.
3. On the Home tab, in the Links group, click Configure Conditional Access Policy in the Intune Console.
You might need to provide the user name and password of the account used to connect Configuration
Manager with Intune, or of any global administrator account for the Intune service.
The Intune admin console opens.
4. In the Microsoft Intune administration console, click Policy > Conditional Access > Exchange Online
Policy.

5. On the Exchange Online Policy page, select Enable conditional access policy for Exchange Online. If
you select this option, the device must be compliant; if it is not selected, conditional access is not applied.

NOTE
If you have not deployed a compliance policy and then enable the Exchange Online policy, all targeted devices are
reported as compliant.
Regardless of the compliance state, all users who are targeted by the policy will be required to enroll their devices
with Intune.

6. Under Application access, for Outlook and other apps using modern authentication, you can choose to
restrict access only to devices that are compliant, for each platform. Windows devices must either be domain
joined, or be enrolled in Intune and compliant.

TIP
Modern authentication brings Active Directory Authentication Library (ADAL)-based sign-in to Office clients.
ADAL-based authentication enables Office clients to engage in browser-based authentication (also known
as passive authentication). To authenticate, the user is directed to a sign-in web page.
This new sign-in method enables new scenarios, such as conditional access based on device compliance
and on whether multi-factor authentication was performed.
This article has more detailed information on how modern authentication works.

Using Exchange Online with Configuration Manager and Intune, you can manage not only mobile devices
with conditional access, but desktop computers as well. PCs must either be domain joined, or be
enrolled in Intune and compliant. You can set the following requirements:
Devices must be domain joined or compliant. PCs must either be domain joined or compliant
with the policies. If a PC does not meet either of these requirements, the user is prompted to enroll
the device with Intune.
Devices must be domain joined. PCs must be domain joined to access Exchange Online. If a PC is
not domain joined, access to email is blocked and the user is prompted to contact the IT admin.
Devices must be compliant. PCs must be enrolled in Intune and compliant. If a PC is not enrolled, a
message with instructions on how to enroll is displayed.
7. Under Outlook web access (OWA), you can choose to allow access to Exchange Online only through the
supported browsers: Safari (iOS), and Chrome (Android). Access from other browsers will be blocked. The
same platform restrictions you selected for Application access for Outlook also apply here.
On Android devices, users must enable browser access. To do this, the end user must enable the "Enable
Browser Access" option on the enrolled device as follows:
a. Launch the Company Portal app.
b. Go to the Settings page from the triple dots (...) or the hardware menu button.
c. Press the Enable Browser Access button.
d. In the Chrome browser, sign out of Office 365 and restart Chrome.
On iOS and Android platforms, to identify the device that is used to access the service, Azure Active
Directory issues a Transport Layer Security (TLS) certificate to the device. The device displays the
certificate with a prompt to the end user to select the certificate, as seen in the screenshots below. The
end user must select this certificate before they can continue to use the browser.
iOS (screenshot of the certificate prompt)
Android (screenshot of the certificate prompt)
8. For Exchange ActiveSync mail apps, you can choose to block email access to Exchange Online if the
device is noncompliant, and select whether to allow or block access to email when Intune cannot manage
the device.
9. Under Targeted Groups, select the Active Directory security groups of users to which the policy will apply.

NOTE
For users that are in the Targeted groups, the Intune policies will replace Exchange rules and policies.
Exchange will only enforce Exchange allow, block and quarantine rules, and Exchange policies if:
The user is not licensed for Intune.
The user is licensed for Intune, but the user does not belong to any security groups targeted in the
conditional access policy.

10. Under Exempted Groups, select the Active Directory security groups of users that are exempt from this
policy. If a user is in both the targeted and exempted groups, they will be exempt from the policy and will
have access to their email.
11. When you are finished, click Save.
You do not have to deploy the conditional access policy; it takes effect immediately.
After a user creates an email account, the device is blocked immediately.
If a blocked user enrolls the device with Intune (or remediates noncompliance), email access is unblocked
within 2 minutes.
If the user un-enrolls their device, email is blocked after about 6 hours.
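The decision the Exchange Online policy makes for each device can be modelled so that an administrator can predict, from the columns of the Step 1 report, which users will be blocked before the policy is enabled. The following is an added example, not Configuration Manager or Intune code. It reproduces the rules stated above: a user in both a targeted and an exempted group is exempt; untargeted users stay under Exchange's own rules; mobile devices must be enrolled, registered in Azure AD and compliant, and iOS and Android devices must also have activated email; and PCs are judged by the selected requirement (domain joined or compliant, domain joined only, or compliant only), with a domain joined PC counting only once it has auto-registered with Azure AD. The platform strings, group names and Device fields are assumptions chosen for this example.

```python
"""Model of the Exchange Online conditional access decision described in this section.

Constructed example, not Configuration Manager or Intune code. It reproduces the
rules the text states (targeted and exempted groups, the mobile-device checks,
and the three 'Windows devices must ...' settings). Platform names, group names
and the Device fields are assumptions chosen for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

ALLOW = "allow"
BLOCK = "block"


class PcRequirement(Enum):
    """The Application access setting for Windows PCs."""
    DOMAIN_JOINED_OR_COMPLIANT = "domain joined or compliant"
    DOMAIN_JOINED = "domain joined"
    COMPLIANT = "compliant"


@dataclass(frozen=True)
class Policy:
    enabled: bool
    targeted_groups: frozenset[str]
    exempted_groups: frozenset[str]
    pc_requirement: PcRequirement = PcRequirement.DOMAIN_JOINED_OR_COMPLIANT


@dataclass(frozen=True)
class Device:
    """Fields mirror the columns of the 'List of devices by Conditional Access State' report."""
    platform: str                 # "ios", "android", "windows_phone" or "windows_pc"
    intune_enrolled: bool         # Management Channel includes Microsoft Intune
    aad_registered: bool          # Registered with AAD (Workplace Join)
    compliant: bool               # Compliant with deployed compliance policies
    eas_activated: bool = False   # EAS Activated; only required on iOS and Android
    domain_joined: bool = False   # PCs only


def user_is_targeted(policy: Policy, user_groups: frozenset[str]) -> bool:
    """A user in both a targeted and an exempted group is exempt."""
    if user_groups & policy.exempted_groups:
        return False
    return bool(user_groups & policy.targeted_groups)


def evaluate_pc(policy: Policy, device: Device) -> tuple[str, str]:
    # A domain joined PC only counts once it has auto-registered with Azure AD.
    domain_ok = device.domain_joined and device.aad_registered
    compliant_ok = device.intune_enrolled and device.aad_registered and device.compliant
    req = policy.pc_requirement
    if req is PcRequirement.DOMAIN_JOINED:
        return (ALLOW, "domain joined PC") if domain_ok else (BLOCK, "contact your IT admin")
    if req is PcRequirement.DOMAIN_JOINED_OR_COMPLIANT and domain_ok:
        return ALLOW, "domain joined PC"
    if compliant_ok:
        return ALLOW, "enrolled and compliant PC"
    if device.intune_enrolled and not device.compliant:
        return BLOCK, "noncompliant: see the Company Portal for remediation steps"
    return BLOCK, "install the Company Portal app and enroll the PC with Intune"


def evaluate_mobile(device: Device) -> tuple[str, str]:
    if not (device.intune_enrolled and device.aad_registered):
        return BLOCK, "install the Company Portal app and enroll the device"
    # Only iOS and Android must link their Exchange ActiveSync ID to the AAD record.
    if device.platform in ("ios", "android") and not device.eas_activated:
        return BLOCK, "activate email from the quarantine message"
    if not device.compliant:
        return BLOCK, "noncompliant: see the Company Portal for remediation steps"
    return ALLOW, "enrolled, registered and compliant"


def evaluate(policy: Policy, device: Device, user_groups: frozenset[str]) -> tuple[str, str]:
    """Return (action, reason) for one user's device under the policy."""
    if not policy.enabled:
        return ALLOW, "conditional access policy not enabled"
    if not user_is_targeted(policy, user_groups):
        return ALLOW, "user not targeted; Exchange rules and policies apply"
    if device.platform == "windows_pc":
        return evaluate_pc(policy, device)
    return evaluate_mobile(device)


if __name__ == "__main__":
    # Constructed sample: group names are placeholders.
    policy = Policy(True, frozenset({"CA-Targeted"}), frozenset({"CA-Exempt"}))
    iphone = Device("ios", intune_enrolled=True, aad_registered=True, compliant=True)
    print(evaluate(policy, iphone, frozenset({"CA-Targeted"})))  # blocked until email is activated
```

Feeding each row of the exported Step 1 report through evaluate, with the user's group membership, gives the same allow or block outcome the table above summarizes, and the reason string tells you which of the quarantine messages that user will receive.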
For Exchange on-premises (and tenants in the legacy Exchange Online Dedicated environment)
The following flow is used by conditional access policies for Exchange on-premises and tenants in the legacy
Exchange Online Dedicated environment to evaluate whether to allow or block devices.
To enable the Exchange On-premises policy

1. In the Configuration Manager console, click Assets and Compliance.


2. Expand Compliance Settings, expand Conditional Access, and then click On-Premises Exchange.
3. On the Home tab, in the On-Premises Exchange group, click Configure Conditional Access Policy.
4. Beginning in version 1602 of Configuration Manager, on the General page of the Configure
Conditional Access Policy Wizard, specify whether you want to override the Exchange ActiveSync default
rule. Select this option if you want enrolled and compliant devices to always have access to email, even when
the default rule is set to quarantine or block access.

NOTE
There is an issue with the default override for Android devices. If the default access rule of the Exchange server is set
to Block and the Exchange conditional access policy is enabled with the default rule override option, then the
Android devices of the targeted users may not get unblocked even after the devices are Intune enrolled and
compliant. To work around this issue, set the Exchange default access rule to Quarantine. The device does not get
access to Exchange by default, and the administrator can get a report from the Exchange server on the list of devices
that are being quarantined.

If you have not set up a notification email account when you set up the Exchange connector, you will see a
warning on this page, and the Next button is disabled. Before you can proceed, you must first configure the
notification email settings in the Exchange Connector and then come back to the Configure Conditional
Access Policy Wizard to complete the process.
Click Next.
5. On the Targeted Collections page, add one or more user collections. In order to access Exchange, users in
these collections must enroll their devices with Intune and also be compliant with any compliance policies
you deployed.
Click Next.
6. On the Exempted Collections page, add any user collections that you want to be exempt from the
conditional access policy. Users in these collections do not need to enroll their devices with Intune and do not
need to be compliant with any deployed compliance policies in order to access Exchange.
If a user appears in both the targeted and exempted lists, they will be exempt from the conditional access
policy.
Click Next.
7. On the Edit User Notification page, configure the email that Intune sends to users with instructions about
how to unblock their device (in addition to the email that Exchange sends).
You can edit the default message and use HTML tags to format how the text appears. You can also send an
email in advance to your employees notifying them of the upcoming changes and providing them with
instructions about enrolling their devices.

NOTE
The Intune notification email containing remediation instructions is delivered to the user's Exchange mailbox. If the
user's device is blocked before they receive the message, they can use an unblocked device or another method to
access Exchange and read it.

NOTE
In order for Exchange to be able to send the notification email, you must configure the account that will be used to
send the notification email. You do this when you configure the properties of the Exchange Server connector.
For details, see Manage mobile devices with System Center Configuration Manager and Exchange.

Click Next.
8. On the Summary page, review your settings, and then complete the wizard.
You do not have to deploy the conditional access policy; it takes effect immediately.
After a user sets up an Exchange ActiveSync profile, it might take from 1-3 hours for the device to be
blocked (if it is not managed by Intune).
If a blocked user then enrolls the device with Intune (or remediates noncompliance), email access will be
unblocked within 2 minutes.
If the user un-enrolls from Intune it might take from 1-3 hours for the device to be blocked.
See also
Manage access to services in System Center Configuration Manager
Manage SharePoint Online access in System Center Configuration Manager
3/9/2017 • 7 min to read

Applies to: System Center Configuration Manager (Current Branch)


Use the System Center Configuration Manager SharePoint Online conditional access policy to manage access to
OneDrive for Business files located on SharePoint Online, based on conditions you specify. You can control access
to SharePoint Online from the following apps for the listed platforms:
Microsoft Office Mobile (Android)
Microsoft OneDrive (Android and iOS)
Microsoft Word (Android and iOS)
Microsoft Excel (Android and iOS)
Microsoft PowerPoint (Android and iOS)
Microsoft OneNote (Android and iOS)
Office desktop applications can access SharePoint Online on PCs running:
Office desktop 2013 and later with modern authentication enabled.
Windows 7.0 or Windows 8.1

NOTE
PCs should be domain joined or be compliant with the policies set in Intune.

When a targeted user attempts to connect to a file using a supported app such as OneDrive on their device, the
following evaluation occurs:

To connect to the required files, the device running OneDrive must:


Be enrolled with Microsoft Intune, or be a domain joined PC.
Be registered in Azure Active Directory (this happens automatically when the device is enrolled with
Intune).
For domain joined PCs, you must set them up to automatically register with Azure Active Directory.
Be compliant with any deployed Configuration Manager compliance policies.
The device state is stored in Azure Active Directory, which grants or blocks access to the files based on the
conditions you specify.
If a condition is not met, the user is presented with one of the following messages when they log in:
If the device is not enrolled with Intune, or is not registered in Azure Active Directory, a message is displayed
with instructions about how to install the company portal app and enroll.
If the device is not compliant, a message is displayed that directs the user to the Intune web portal where
they can find information about the problem, and how to remediate it.
For mobile devices:
You can restrict access to SharePoint Online when it is accessed from a browser on iOS and Android devices.
Access is allowed only from supported browsers on compliant devices:
Safari (iOS)
Chrome (Android)
Managed Browser (iOS and Android)
Unsupported browsers will be blocked.
For a PC:
If the policy is set to require domain join, and the PC is not domain joined, a message is displayed to
contact the IT admin.
If the policy is set to require domain join or compliance, and the PC meets neither requirement,
a message is displayed with instructions about how to install the company portal app and enroll.
You can block access to SharePoint Online from the following apps:
Microsoft Office Mobile (Android)
Microsoft OneDrive (Android and iOS)
Microsoft Word (Android and iOS)
Microsoft Excel (Android and iOS)
Microsoft PowerPoint (Android and iOS)
Microsoft OneNote (Android and iOS)

Configure conditional access for SharePoint Online


Step 1: Configure Active Directory security groups
Before you start, configure Azure Active Directory security groups for the conditional access policy. You can
configure these groups in the Office 365 admin center, or the Intune account portal. These groups contain the
users that will be targeted, or exempt from the policy. When a user is targeted by a policy, each device they use
must be compliant in order to access resources.
You can specify two group types in a SharePoint Online policy:
Targeted groups – Contains groups of users to which the policy will apply
Exempted groups – Contains groups of users that are exempt from the policy (optional)
If a user is in both groups, they will be exempt from the policy.
Step 2: Configure and deploy a compliance policy
Ensure that you create and deploy a compliance policy to all devices that the SharePoint Online policy will be
targeted to.

NOTE
While compliance policies are deployed to Intune groups, or Configuration Manager collections, conditional access policies
are targeted to Azure Active Directory security groups.

For details about how to configure the compliance policy, see Manage device compliance policies in System Center
Configuration Manager.

IMPORTANT
If you have not deployed a compliance policy and then enable the SharePoint Online policy, all targeted devices will be
allowed access.

When you are ready, continue to Step 3.


Step 3: Configure the SharePoint Online policy
Next, configure the policy to require that only managed and compliant devices can access SharePoint Online. This
policy will be stored in Azure Active Directory.

NOTE
You can also create a conditional access policy in the Azure AD management console. The Azure AD management console
allows you to create the Intune device conditional access policies (referred to as device-based conditional access policies
in Azure AD) in addition to other conditional access policies, such as multi-factor authentication. You can also set
conditional access policies for third-party enterprise apps that Azure AD supports, like Salesforce and Box. For more
details, see How to set Azure Active Directory device-based conditional access policy for access control to Azure Active
Directory connected applications.

1. In the Configuration Manager console, click Assets and Compliance.


2. Select Enable conditional access policy for SharePoint Online.
3. Under Application access for Outlook and apps that use modern authentication, you can choose to restrict
access to only devices that are compliant for each platform.

TIP
Modern authentication brings Active Directory Authentication Library (ADAL)-based sign-in to Office clients.
ADAL-based authentication enables Office clients to engage in browser-based authentication (also known
as passive authentication). To authenticate, the user is directed to a sign-in web page.
This new sign-in method enables new scenarios, such as conditional access based on device compliance
and on whether multi-factor authentication was performed.
This article has more detailed information on how modern authentication works.

For Windows PCs, the PC must either be domain joined, or be enrolled with Intune and compliant. You can set
the following requirements:
Devices must be domain joined or compliant. This means that the PCs must either be domain
joined or compliant with the policies set in Intune. If the PC does not meet either of these
requirements, the user is prompted to enroll the device with Intune.
Devices must be domain joined. This means that the PCs must be domain joined to access
Exchange Online. If the PC is not domain joined, access to email is blocked and the user is prompted
to contact the IT admin.
Devices must be compliant. This means that the PCs must be enrolled in Intune and compliant. If
the PC is not enrolled, a message with instructions on how to enroll is displayed.
4. Under Browser access to SharePoint Online and OneDrive for Business, you can choose to allow access to
Exchange Online only through the supported browsers: Safari (iOS), and Chrome (Android). Access from
other browsers will be blocked. The same platform restrictions you selected for Application access for
OneDrive also apply here.
On Android devices, users must enable browser access. To do this, the end user must enable the
"Enable Browser Access" option on the enrolled device as follows:
a. Launch the Company Portal app.
b. Go to the Settings page from the triple dots (...) or the hardware menu button.
c. Press the Enable Browser Access button.
d. In the Chrome browser, sign out of Office 365 and restart Chrome.
On iOS and Android platforms, to identify the device that is used to access the service, Azure Active
Directory issues a Transport Layer Security (TLS) certificate to the device. The device displays the
certificate with a prompt to the end user to select the certificate, as seen in the screenshots below. The end
user must select this certificate before they can continue to use the browser.
iOS (screenshot of the certificate prompt)
Android (screenshot of the certificate prompt)

5. On the Home tab, in the Links group, click Configure Conditional Access Policy in the Intune Console.
You might need to supply the user name and password of the account used to connect Configuration
Manager with Intune.
The Intune admin console will open.
6. In the Microsoft Intune administration console, click Policy > Conditional Access > SharePoint Online
Policy.
7. Select Block apps from accessing SharePoint Online if the device is noncompliant.
8. Under Targeted Groups, click Modify to select the Azure Active Directory security groups to which the
policy will apply.
9. Under Exempted Groups, optionally, click Modify to select the Azure Active Directory security groups that
are exempt from this policy.
10. When you are done, click Save.
You do not have to deploy the conditional access policy; it takes effect immediately.
See Manage SharePoint Online access with Microsoft Intune for information about how you can monitor the
policy from the Intune console.
See also
Manage access to services in System Center Configuration Manager
Manage Skype for Business Online access
3/9/2017 • 3 min to read

Applies to: System Center Configuration Manager (Current Branch)


Use conditional access policy for Skype for Business Online to manage access to Skype for Business Online,
based on conditions you specify.
When a targeted user attempts to use Skype for Business Online on their device, the following evaluation occurs:

Prerequisites
Enable modern authentication for Skype for Business Online. Fill in this Connect form to be enrolled in the
modern authentication program.
All your end-users must be using Skype for Business Online. If you have a deployment with both Skype for
Business Online and Skype for Business on-premises, conditional access policy will not be applied to end-
users.
The device that needs access to Skype for Business Online must:
Be an Android or iOS device.
Be enrolled with Intune.
Be compliant with any deployed Intune compliance policies.
The device state is stored in Azure Active Directory, which grants or blocks access based on the conditions
you specify.
If a condition is not met, the user is presented with one of the following messages when they log in:
If the device is not enrolled with Intune, or is not registered in Azure Active Directory, a message is displayed
with instructions about how to install the company portal app and enroll.
If the device is not compliant, a message is displayed that directs the user to the Intune Company Portal
website or Company Portal app where they can find information about the problem, and how to remediate
it.

Configure conditional access for Skype for Business Online


Step 1: Configure Active Directory security groups
Before you start, configure Azure Active Directory security groups for the conditional access policy. You can
configure these groups in the Office 365 admin center. These groups contain the users that will be targeted, or
exempt from the policy. When a user is targeted by a policy, each device they use must be compliant in order to
access resources.
You can specify two group types to use for the Skype for Business policy:
Targeted groups – Contains groups of users to which the policy will apply
Exempted groups – Contains groups of users that are exempt from the policy (optional)
If a user is in both groups, they will be exempt from the policy.
Step 2: Configure and deploy a compliance policy
Ensure that you create and deploy a compliance policy to all devices that the Skype for Business Online policy will
be targeted to.
For details about how to configure the compliance policy, see Manage device compliance policies in System Center
Configuration Manager.

NOTE
If you have not deployed a compliance policy and then enable the Skype for Business Online policy, all targeted devices will
be allowed access if they are enrolled in Intune.

When you are ready, continue to Step 3.


Step 3: Configure the Skype for Business Online policy
Next, configure the policy to require that only managed and compliant devices can access Skype for Business
Online. This policy is stored in Azure Active Directory.
1. In the Microsoft Intune administration console, click Policy > Conditional Access > Skype for Business
Online Policy.

2. Select Enable conditional access policy.


3. Under Application access, you can choose to apply conditional access policy to:
iOS
Android
4. Under Targeted Groups, click Modify to select the Azure Active Directory security groups to which the
policy will apply. You can choose to target this to all users or just a select group of users.
5. Under Exempted Groups, optionally, click Modify to select the Azure Active Directory security groups that
are exempt from this policy.
6. When you are done, click Save.
You have now configured conditional access for Skype for Business Online. You do not have to deploy the
conditional access policy; it takes effect immediately.

Monitor the compliance and conditional access policies


In the Groups workspace, you can view the conditional access status of your devices.
Select any mobile device group and then, on the Devices tab, select one of the following Filters:
Devices that are not registered with AAD – These devices are blocked from Skype for Business Online.
Devices that are not compliant – These devices are blocked from Skype for Business Online.
Devices that are registered with AAD and compliant – These devices can access Skype for Business
Online.
See also
Manage device compliance policies in System Center Configuration Manager
Manage Dynamics CRM Online access in System Center Configuration Manager
3/9/2017

Applies to: System Center Configuration Manager (Current Branch)


You can control access to Microsoft Dynamics CRM Online from iOS and Android devices with Microsoft Intune
conditional access. Intune conditional access has two components:
Device compliance policy, with which the device must comply in order to be considered compliant.
Conditional access policy, where you specify the conditions that the device must meet in order to access the
service.
To learn more about how conditional access works, read the Manage access to services article.
When a targeted user attempts to use the Dynamics CRM app on their device, the device is evaluated against the
following conditions.
The device that needs access to Dynamics CRM Online must:
Be an Android or iOS device.
Be enrolled with Microsoft Intune.
Be compliant with any deployed Microsoft Intune compliance policies.
The device state is stored in Azure Active Directory which grants or blocks access, based on the conditions you
specify.
If a condition is not met, the user is presented with one of the following messages when they log in:
If the device is not enrolled with Microsoft Intune, or is not registered in Azure Active Directory, a message is
displayed with instructions about how to install the company portal app and enroll.
If the device is not compliant, a message is displayed that directs the user to the Microsoft Intune Company
Portal website or Company Portal app where they can find information about the problem, and how to
remediate it.

Configure conditional access for Dynamics CRM Online


Step 1: Configure Active Directory security groups
Before you start, configure Azure Active Directory security groups for the conditional access policy. You can
configure these groups in the Office 365 admin center. These groups will be used to target, or exempt users from
the policy. When a user is targeted by a policy, each device they use must be compliant in order to access
resources.
You can specify two group types to use for the Dynamics CRM policy:
Targeted groups – Contains groups of users to which the policy will apply.
Exempted groups – Contains groups of users that are exempt from the policy.
If a user is in both groups, they will be exempt from the policy.
Step 2: Configure and deploy a compliance policy
Create and deploy a compliance policy to all devices that will be affected by the policy. These would be all the
devices that are used by the users in the Targeted groups.

NOTE
While compliance policies are deployed to Microsoft Intune groups, conditional access policies are targeted to Azure Active
Directory security groups.

IMPORTANT
If you have not deployed a compliance policy, the devices will be treated as compliant.

When you are ready, continue to Step 3.


Step 3: Configure the Dynamics CRM policy
Next, configure the policy to require that only managed and compliant devices can access Dynamics CRM. This
policy is stored in Azure Active Directory.
1. In the Microsoft Intune administration console, choose Policy > Conditional Access > Dynamics CRM
Online Policy.

2. Select Enable conditional access policy.


3. Under Application access, you can choose to apply conditional access policy to:
iOS
Android
4. Under Targeted Groups, choose Modify to select the Azure Active Directory security groups to which the
policy will apply. You can choose to target this to all users or just a select group of users.
5. Under Exempted Groups, optionally, choose Modify to select the Azure Active Directory security groups that
are exempt from this policy.
6. When you are done, choose Save.
You have now configured conditional access for Dynamics CRM. You do not have to deploy the conditional access
policy; it takes effect immediately.
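The evaluation that both the Skype for Business Online and the Dynamics CRM Online sections describe (targeted and exempted groups, Intune enrollment and Azure AD registration, compliance, and the two sign-in messages) can be written down as one small decision function. The following is an added example, not Intune or Azure AD code; the group names, device fields, and message texts are assumptions, and it treats a platform that is not selected under Application access as outside the policy's scope.

```python
"""Added example (not Intune or Azure AD code): a model of the conditional
access evaluation this page describes for Skype for Business Online and
Dynamics CRM Online. Group names, device fields and the message texts are
assumptions chosen to make the decision flow explicit."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    BLOCK_NOT_REGISTERED = "blocked: not enrolled in Intune / not registered in Azure AD"
    BLOCK_NOT_COMPLIANT = "blocked: device not compliant"


@dataclass
class Device:
    platform: str                      # "iOS", "Android", "Windows", ...
    enrolled_in_intune: bool
    registered_in_aad: bool
    compliant: bool                    # result of the deployed compliance policy
    compliance_policy_deployed: bool = True


@dataclass
class ConditionalAccessPolicy:
    enabled: bool = True
    platforms: frozenset = frozenset({"iOS", "Android"})   # the "Application access" choices
    all_users: bool = False                                # target all users, or only targeted_groups
    targeted_groups: frozenset = frozenset()               # Azure AD security group names (assumed)
    exempted_groups: frozenset = frozenset()


# Sign-in messages, paraphrased from the page.
MSG_ENROLL = "Install the Company Portal app and enroll this device to continue."
MSG_REMEDIATE = "This device is not compliant. Open the Company Portal to see why and how to fix it."


def user_is_targeted(user_groups, policy):
    """A user who is in both a targeted and an exempted group is exempt."""
    groups = frozenset(user_groups)
    if groups & policy.exempted_groups:
        return False
    return policy.all_users or bool(groups & policy.targeted_groups)


def evaluate(user_groups, device, policy):
    """Return (Decision, message) for one attempt to use the service from a device."""
    if not policy.enabled or not user_is_targeted(user_groups, policy):
        return Decision.ALLOW, None
    if device.platform not in policy.platforms:
        # Assumption: a platform not selected under Application access is not gated by this policy.
        return Decision.ALLOW, None
    if not (device.enrolled_in_intune and device.registered_in_aad):
        return Decision.BLOCK_NOT_REGISTERED, MSG_ENROLL
    if not device.compliance_policy_deployed:
        # Per the NOTE on the page: with no compliance policy deployed, enrolled devices are let through.
        return Decision.ALLOW, None
    if not device.compliant:
        return Decision.BLOCK_NOT_COMPLIANT, MSG_REMEDIATE
    return Decision.ALLOW, None


if __name__ == "__main__":
    policy = ConditionalAccessPolicy(targeted_groups=frozenset({"Sales"}),
                                     exempted_groups=frozenset({"CA-Exempt"}))
    phone = Device("iOS", enrolled_in_intune=True, registered_in_aad=True, compliant=False)
    print(evaluate({"Sales"}, phone, policy))
```

The branch worth checking against your own deployment is the one for a missing compliance policy: an enrolled but never-evaluated device is allowed through, which is why Step 2 has to be completed before Step 3 is enabled.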

Monitor the compliance and conditional access policies


In the Groups workspace, you can view the conditional access status of your devices.
Select any mobile device group and then, on the Devices tab, select one of the following Filters:
Devices that are not registered with AAD – These devices are blocked from Dynamics CRM.
Devices that are not compliant – These devices are blocked from Dynamics CRM.
Devices that are registered with AAD and compliant – These devices can access Dynamics CRM.
See also
Manage access to email
Manage access to SharePoint Online
Manage access to Skype for Business Online
Manage access to O365 services for PCs managed by System Center Configuration Manager
3/9/2017

Applies to: System Center Configuration Manager (Current Branch)


Beginning with version 1602 of Configuration Manager, you can configure conditional access for PCs managed by
System Center Configuration Manager.

IMPORTANT
This is a pre-release feature available in update 1602, update 1606, and update 1610. Pre-release features are included in the
product for early testing in a production environment, but should not be considered production ready. For more information,
see Use pre-release features from updates.
After you install update 1602, the feature type displays as released even though it is pre-release.
If you then update from 1602 to 1606, the feature type displays as released even though it remains pre-release.
If you update from version 1511 directly to 1606, the feature type displays as pre-release.

If you are looking for information on how to configure conditional access for devices enrolled and managed by
Intune, or PCs that are domain joined and are not evaluated for compliance, see Manage access to services in
System Center Configuration Manager.

Supported Services
Exchange Online
SharePoint Online

Supported PCs
Windows 7
Windows 8.1
Windows 10 is not yet fully supported. If you try to set up conditional access for Windows 10 PCs, you may
encounter some issues. See Known issues for more details.

Configure conditional access


To set up conditional access, you must first create a compliance policy and then configure a conditional access policy.
When you configure conditional access policies for PCs, you can require that the PCs be compliant with the
compliance policy in order to access the Exchange Online and SharePoint Online services.
Prerequisites
AD FS, directory sync, and an O365 subscription. The O365 subscription is for setting up Exchange Online and
SharePoint Online.
A Microsoft Intune subscription, configured in the Configuration Manager console. This still requires that you
have a hybrid deployment.
The PCs must meet the following requirements:
Prerequisites for automatic device registration with Azure Active Directory. You can register PCs with Azure AD
through the compliance policy.
For Windows 8.1 and Windows 10 PCs, you can use an Active Directory Group Policy to configure your devices to
register automatically with Azure AD.
For Windows 7 PCs, you must deploy the device registration software package to the Windows 7 PC through
System Center Configuration Manager. The Automatic device registration with Azure Active Directory for Windows
Domain-Joined Devices topic has more details.
Must use Office 2013 or Office 2016 with modern authentication enabled.
The steps described below apply to both Exchange Online and SharePoint Online.
Step 1. Configure compliance policy
In the Configuration Manager Console, create a compliance policy with the following rules:
Require registration in Azure Active Directory: This rule checks whether the user's device is workplace joined to
Azure AD, and if not, the device is automatically registered in Azure AD. Automatic registration is only
supported on Windows 8.1. For Windows 7 PCs, deploy an MSI to perform the registration. For more
details, see Automatic device registration with Azure Active Directory.
All required updates installed with a deadline older than a certain number of days: This rule checks
whether the user's device has installed all required updates (specified in the Required automatic updates rule) within
the deadline and grace period you specify, and automatically installs any pending required updates.
Require BitLocker drive encryption: This rule checks whether the primary drive (for example, C:\) on the device is
BitLocker encrypted. If BitLocker encryption is not enabled on the primary drive, access to email and
SharePoint services is blocked.
Require Antimalware: This rule checks whether the antimalware software (System Center Endpoint
Protection or Windows Defender only) is enabled and running. If it is not, access to email and
SharePoint services is blocked.
Step 2. Evaluate the effect of conditional access
Run the Conditional Access Compliance Report, found in the Monitoring workspace under Reports > Compliance
and Settings Management. It displays the compliance status for all devices. Devices that are reported as not
compliant will be blocked from accessing Exchange Online and SharePoint Online.
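The four rules above, together with the 5-day evaluation window mentioned under Known issues, amount to a compliance check that is worth reasoning through before the policy is deployed, because every failing rule blocks mail and SharePoint at once. The following is an added example that models that check; it is not Configuration Manager code, and the field names, the sample PC state, the update names, and the way the deadline and grace period are combined are assumptions.

```python
"""Added example (not Configuration Manager code): a model of the four PC
compliance rules this page lists, plus the 5-day evaluation window mentioned
under Known issues. Field names, the sample PC state, the update names and the
way the deadline and grace period combine are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# The only antimalware products the page says the rule accepts.
SUPPORTED_ANTIMALWARE = {"System Center Endpoint Protection", "Windows Defender"}


@dataclass
class RequiredUpdate:
    name: str
    deadline: datetime
    installed: bool


@dataclass
class PcState:
    aad_registered: bool               # workplace joined / registered in Azure AD
    bitlocker_on_primary_drive: bool   # e.g. C:\ is BitLocker encrypted
    antimalware_product: str
    antimalware_running: bool
    required_updates: list
    last_evaluation: datetime          # when the client last reported compliance


@dataclass
class PcCompliancePolicy:
    require_aad_registration: bool = True
    updates_deadline_older_than_days: int = 7   # "deadline older than a certain number of days"
    update_grace_days: int = 0
    require_bitlocker: bool = True
    require_antimalware: bool = True
    max_evaluation_age_days: int = 5            # the 5-day window from Known issues (not enforced in 1602)


def evaluate_pc(state, policy, now):
    """Return (compliant, reasons). Every failing rule is reported, because the
    Software Center is where the user has to look for the reason."""
    reasons = []
    if policy.require_aad_registration and not state.aad_registered:
        reasons.append("Device is not registered in Azure Active Directory")
    if policy.require_bitlocker and not state.bitlocker_on_primary_drive:
        reasons.append("BitLocker is not enabled on the primary drive")
    if policy.require_antimalware and not (
            state.antimalware_product in SUPPORTED_ANTIMALWARE and state.antimalware_running):
        reasons.append("Supported antimalware is not enabled and running")
    # Assumption: an update counts against compliance once its deadline is more
    # than (N days + grace period) in the past and it is still not installed.
    cutoff = now - timedelta(days=policy.updates_deadline_older_than_days + policy.update_grace_days)
    overdue = sorted(u.name for u in state.required_updates if not u.installed and u.deadline <= cutoff)
    if overdue:
        reasons.append("Required updates past deadline: " + ", ".join(overdue))
    if now - state.last_evaluation > timedelta(days=policy.max_evaluation_age_days):
        reasons.append("Last compliance evaluation is older than %d days" % policy.max_evaluation_age_days)
    return (not reasons, reasons)


def sample_pc(now):
    """Constructed Windows 8.1 PC: registered, Defender running, but no BitLocker
    and one required update ten days past its deadline."""
    return PcState(
        aad_registered=True,
        bitlocker_on_primary_drive=False,
        antimalware_product="Windows Defender",
        antimalware_running=True,
        required_updates=[
            RequiredUpdate("KB-A", now - timedelta(days=10), installed=False),
            RequiredUpdate("KB-B", now - timedelta(days=1), installed=False),   # deadline too recent to count
            RequiredUpdate("KB-C", now - timedelta(days=30), installed=True),
        ],
        last_evaluation=now - timedelta(days=2),
    )


if __name__ == "__main__":
    now = datetime(2017, 3, 9)
    compliant, why = evaluate_pc(sample_pc(now), PcCompliancePolicy(), now)
    print(compliant, why)
```

Run with the constructed PC, the check fails on BitLocker and on KB-A only; KB-B is past its deadline but not yet past the configured number of days, and a grace period of five days would clear KB-A as well.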

Configure Active Directory Security Groups


You target conditional access policies to groups of users, depending on the policy type. These groups contain the
users that are targeted by, or exempt from, the policy. When a user is targeted by a policy, each device they use
must be compliant in order to be able to access the service.
Use Active Directory security user groups. These user groups should be synchronized to Azure Active Directory. You can
also configure these groups in the Office 365 admin center or the Intune account portal.
You can specify two group types in each policy:
Targeted groups - User groups to which the policy is applied. The same group should be used for both the
compliance policy and the conditional access policy.
Exempted groups - User groups that are exempt from the policy (optional)
If a user is in both, they will be exempt from the policy.
Only the groups that are targeted by the conditional access policy are evaluated.
Step 3. Create a conditional access policy, for Exchange Online and SharePoint Online
1. In the Configuration Manager console, click Assets and Compliance.
2. To create a policy for Exchange Online, select Enable conditional access policy for Exchange Online.
To create a policy for SharePoint Online, select Enable conditional access policy for SharePoint Online.
3. On the Home tab, in the Links group, click Configure Conditional Access Policy in the Intune Console.
You might need to supply the user name and password of the account used to connect Configuration
Manager with Intune.
The Intune admin console will open.
4. For Exchange Online, in the Microsoft Intune administration console, click Policy > Conditional Access >
Exchange Online Policy.
For SharePoint Online, in the Microsoft Intune administration console, click Policy > Conditional Access >
SharePoint Online Policy.
5. Set the Windows PC requirement to the Devices must be compliant option.
6. Under Targeted Groups, click Modify to select the Azure Active Directory security groups to which the
policy will apply.

NOTE
The same security user group should be used for deploying the compliance policy and as the Targeted Group for the
conditional access policy.

Under Exempted Groups, optionally, click Modify to select the Azure Active Directory security groups that
are exempt from this policy.
7. Click Save to create and save the policy
End users who are blocked due to noncompliance can view compliance information in the System Center
Configuration Manager Software Center and can initiate a new policy evaluation after the compliance issues have been
remediated.

Known issues
You may see the following issues when using this feature:
In the 1602 update, the 5-day compliance window is not enforced. Even if the last compliance check on the end user's
device happened more than 5 days ago, the user can still access Office 365 and SharePoint Online.
When a device is not compliant with the compliance policy, the reason is not automatically displayed. The
end user must go to the new Software Center to find the reason for noncompliance. The reason is
displayed in the Device compliance section of the Software Center.
Windows 10 users may see multiple access failures when trying to reach O365 and/or SharePoint Online
resources. Conditional access is not fully supported for Windows 10.
See also
Protect data and site infrastructure with System Center Configuration Manager
Manage access to company resources based on device, network, and application risk
3/6/2017

Applies to: System Center Configuration Manager (Current Branch)


You can control access from mobile devices to corporate resources based on a risk assessment conducted by
Lookout, a device threat protection solution that is integrated with Microsoft Intune. The risk is based on telemetry
that the Lookout service collects from devices about operating system (OS) vulnerabilities, installed malicious apps,
and malicious network profiles.
Based on Lookout's reported risk assessment, surfaced through System Center Configuration Manager (SCCM)
compliance policies, you can configure conditional access policies that allow or block devices that have been
determined to be noncompliant because of threats detected on those devices.

What problem does this solve?


Companies and organizations need to protect sensitive data from emerging threats that include physical, app-based,
and network-based threats, as well as OS vulnerabilities.
Historically, companies and organizations have taken an active position of protecting PCs against malicious attacks.
Mobile is an emerging area that often goes unprotected. Although the mobile platforms have built-in protection of
the OS using techniques such as app isolation and vetted consumer app stores, these platforms continue to be
vulnerable to sophisticated attacks. As mobile devices are increasingly used by employees to do work and need
access to information that can be sensitive and valuable, these devices need to be protected from a variety of
sophisticated attacks.
The hybrid MDM deployment (SCCM with Intune) gives you the ability to control access to company resources
and data based on the risk assessment that device threat protection solutions like Lookout provide.

How do the hybrid MDM deployment and Lookout device threat protection help protect company resources?
Lookout's mobile app (Lookout for Work), running on mobile devices, captures file system, network stack, device
and application telemetry (where available) and sends it to the Lookout device threat protection cloud service to
calculate an aggregate device risk for mobile threats. You can also change the classification of the risk level for the
threats in the Lookout console to suit your requirements.
The compliance policy in SCCM now includes a new rule for Lookout mobile threat protection that is based on the
Lookout device threat risk assessment. When this rule is enabled, the device is evaluated for compliance against it.
If the device is determined to be noncompliant with the compliance policy, access to resources like Exchange Online
and SharePoint Online can be blocked using conditional access policies. When access is blocked, end users are
provided with a walkthrough to help resolve the issue and regain access to company resources. This walkthrough is
launched through the Lookout for Work app.

Supported platforms:
Android 4.1 and later, and enrolled in Microsoft Intune.
iOS 8 and later, and enrolled in Microsoft Intune. For information about platforms and languages that Lookout
supports, see this article.

Prerequisites:
Hybrid MDM deployment
A subscription to Microsoft Intune, and Azure Active Directory.
An enterprise subscription to Lookout Mobile Endpoint Security. For more information, see Lookout Mobile
Endpoint Security.

Example scenarios
Following are some common scenarios:
Control access based on threat from malicious apps:
When malicious apps such as malware are detected on the device, you can block such devices from:
Connecting to corporate e-mail before resolving the threat.
Synchronizing corporate files using the OneDrive for Work app.
Accessing business-critical apps.
Access blocked when malicious apps are detected:

Device unblocked and is able to access company resources when the threat is remediated:

Control access based on threat to network:


Detect threats to your network such as Man-in-the-middle attacks and restrict access to WiFi networks based on
the device risk.
Access to network through WiFi blocked:

Access granted on remediation:

Control access to SharePoint Online based on threat to network:


Detect threats to your network such as Man-in-the-middle attacks, and prevent synchronization of corporate files
based on the device risk.
Access blocked SharePoint Online based on network threat detected on the device:

Access granted on remediation:


Next steps
Here are the main steps you must do to implement this solution:
1. Set up your subscription with Lookout mobile threat protection
2. Enable Lookout MTP connection in Intune
3. Configure and deploy Lookout for work application
4. Configure compliance policy
5. Troubleshoot Lookout integration
Set up your subscription for Lookout device threat protection
3/6/2017

Applies to: System Center Configuration Manager (Current Branch)


To get your subscription ready for the Lookout device threat protection service, Lookout support
(enterprisesupport@lookout.com) needs the following information about your Azure Active Directory (Azure AD)
subscription. Your Lookout Mobile Endpoint Security tenant will be associated with your Azure AD subscription to
integrate Lookout with Intune.
Azure AD Tenant ID
Azure AD Group Object ID for full Lookout console access
Azure AD Group Object ID for restricted Lookout console access (optional)

IMPORTANT
An existing Lookout Mobile Endpoint Security tenant that is not already associated with your Azure AD tenant cannot be
used for the integration with Azure AD and Intune. Contact Lookout support to create a new Lookout Mobile Endpoint
Security tenant. Use the new tenant to onboard your Azure AD users.

Use the following section to gather the information you need to give to the Lookout support team.

Get your Azure AD information


Azure AD tenant ID
Sign in to the Azure AD management portal and select your subscription.

When you choose the name of your subscription, the resulting URL includes the subscription ID. If you have any
issues finding your subscription ID, see this Microsoft support article for tips on finding your subscription ID.
Azure AD Group ID
The Lookout console supports two levels of access:
Full Access: The Azure AD admin can create a group for users that will have Full Access and optionally create a
group for users that will have Restricted Access. Only users in these groups will be able to log in to the Lookout
console.
Restricted Access: The users in this group have no access to several configuration and enrollment related
modules of the Lookout console, and have read-only access to the Security Policy module of the Lookout
console.
For more details on the permissions, read this article on the Lookout website.
The Group Object ID is on the Properties page of the group in the Azure AD management console.

Once you have gathered this information, contact Lookout support (email: enterprisesupport@lookout.com).
Lookout Support will work with your primary contact to onboard your subscription and create your Lookout
Enterprise account, using the information that you collected.

Configure your subscription with Lookout device threat protection


Step 1: Set up your device threat protection
After Lookout support creates your Lookout Enterprise account, you can sign in to the Lookout console. An email
from Lookout is sent to the primary contact for your company with a link to the login URL:
https://aad.lookout.com/les?action=consent
You must use a user account that holds the Azure AD Global Admin role when you first log in to the Lookout console,
because Lookout needs that privilege to register your Azure AD tenant. Subsequent sign-ins do not require this level of
Azure AD privilege. At this first login, a consent page is displayed; review the permissions it requests for your tenant,
then choose Accept to complete the registration.
Once you have accepted and consented, you are redirected to the Lookout console. Subsequent logins after the
initial registration can be done using the URL: https://aad.lookout.com
See the troubleshooting article if you run into login issues.
The next steps outline the tasks that you must do to complete the Lookout set up within the Lookout Console.
Step 2: Configure the Intune connector
1. In the Lookout console, from the System module, choose the Connectors tab, and select Intune.

2. In the connection settings option, configure the heartbeat frequency in minutes. Your Intune connector is
now ready.
Step 3: Configure enrollment groups
On the Enrollment Management option, define a set of users whose devices should be enrolled with Lookout.
The best practice is to start with a small group of users to test and become familiar with how the integration works.
Once you are satisfied with your test results, you can extend the enrollment to additional groups of users.
To get started with enrollment groups, first define an Azure AD security group that would be a good first set of
users to enroll in Lookout device threat protection. Once you have created the group in Azure AD, in the Lookout
console, go to the Enrollment Management option and add the Azure AD security group Display Name(s) for
enrollment.
When a user is in an enrollment group, any of their devices that are identified and supported in Azure AD are
enrolled and eligible for activation in Lookout device threat protection. The first time they open the Lookout for
Work app on their supported device, the device is activated in Lookout.
The best practice is to use the default (5 minutes) for the increment of time to check for new devices.

IMPORTANT
The display name is case sensitive. Use the Display Name as shown on the Properties page of the security group in the
Azure portal. Note in the picture below that on the Properties page of the security group, the Display Name is in mixed case.
The title, however, is displayed in all lower case and should not be entered into the Lookout console.

The current release has the following limitations:


There is no validation for the group display names. Make sure to use the value in the DISPLAY NAME field
shown in the Azure portal for the Azure AD security group.
Creating groups within groups is not currently supported. Azure AD security groups specified may only contain
users and not nested groups.
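Because the Lookout console does not validate group display names, a case slip or a nested group silently enrolls nobody, and the first sign that something is wrong is devices that never leave the pending state. The following added example (not Lookout code) is a pre-flight check of the names you intend to enter, run against a constructed snapshot of Azure AD security groups; in practice the snapshot would come from your own group list.

```python
"""Added example (not Lookout code): a pre-flight check for the enrollment group
names typed into the Lookout console, covering the two limitations above (no
validation of the case-sensitive display name, and no nested groups). The
directory snapshot below is constructed; build it from your Azure AD group list."""

# Constructed snapshot of Azure AD security groups: exact display name -> member object types.
AAD_GROUPS = {
    "Lookout Pilot Users": ["user", "user", "user"],
    "Mobile Sales": ["user", "group"],          # contains a nested group: not supported
    "Field Engineers": ["user"],
}


def check_enrollment_group(name, directory=AAD_GROUPS):
    """Return 'ok' or an error string for one name as it would be entered in the console."""
    if name != name.strip():
        return "error: leading or trailing whitespace will not match the display name"
    if name in directory:
        if "group" in directory[name]:
            return "error: group contains nested groups, which enrollment groups do not support"
        return "ok"
    # Lookout does not validate the name, so a case slip silently enrolls nobody.
    same_ignoring_case = [g for g in directory if g.casefold() == name.casefold()]
    if same_ignoring_case:
        return "error: case mismatch, the Azure AD display name is '%s'" % same_ignoring_case[0]
    return "error: no Azure AD security group has this display name"


def check_enrollment_groups(names, directory=AAD_GROUPS):
    """Check every name you plan to enter and return {name: result}."""
    return {n: check_enrollment_group(n, directory) for n in names}


if __name__ == "__main__":
    names = ["Lookout Pilot Users", "lookout pilot users", "Mobile Sales", "Contractors"]
    for name, result in check_enrollment_groups(names).items():
        print("%-22s %s" % (name, result))
```

The lower-case variant is the exact failure the IMPORTANT note warns about: the portal's page title shows the name in lower case, and entering that form matches nothing.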
Step 4: Configure state sync
In the State Sync option, specify the type of data that should be sent to Intune. Currently, you must enable both
device status and threat status in order for the Lookout Intune integration to work correctly. These are enabled by
default.
Step 5: Configure error report email recipient information
In the Error Management option, enter the email address that should receive the error reports.

Step 6. Configure enrollment settings


In the System module, on the Connectors page, specify the number of days before a device is considered as
disconnected. Disconnected devices are considered as non-compliant and will be blocked from accessing your
company applications based on the SCCM conditional access policies. You can specify values between 1 and 90
days.

Step 7: Configure email notifications


If you want to receive email alerts for threats, sign in to the Lookout console with the user account that should
receive the notifications. On the Preferences tab of the System module, choose the desired notifications and set
them to ON. Save your changes.

If you no longer want to receive email notifications, set the notifications to OFF and save your changes.
Step 8: Configure threat classification
Lookout device threat protection classifies mobile threats of various types. The Lookout threat classifications have
default risk levels associated with them. These can be changed at any time to suit your company requirements.

IMPORTANT
The risk levels specified here are an important aspect of device threat protection because the Intune integration calculates
device compliance according to these risk levels at runtime. In other words, the Intune administrator sets a rule in policy to
identify a device as non-compliant if the device has an active threat with a minimum level of: high, medium, or low. The
threat classification policy in Lookout device threat protection directly drives the device compliance calculation in Intune.
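The way the Lookout classification and the compliance rule combine, as the note above describes, together with the disconnected-device limit from Step 6, can be modeled as follows. This is an added example, not Lookout or Intune code; the classification names, their default risk levels, and the sample device are assumptions, and the real defaults are the ones set in the Lookout console.

```python
"""Added example (not Lookout or Intune code): a model of how the Lookout risk
classification and the SCCM device threat protection rule combine, plus the
disconnected-device limit from Step 6. Classification names, their default risk
levels and the sample device are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

RISK_ORDER = {"low": 1, "medium": 2, "high": 3}

# Assumed default risk level per threat classification (adjustable in the Lookout console).
DEFAULT_CLASSIFICATION_RISK = {
    "malware": "high",
    "man-in-the-middle network": "high",
    "sideloaded app": "medium",
    "out-of-date OS": "low",
}


@dataclass
class Threat:
    classification: str
    active: bool          # resolved threats no longer count


@dataclass
class LookoutDevice:
    threats: list
    last_seen: datetime   # last check-in with the Lookout service


def device_risk(threats, classification_risk):
    """Highest risk level among active threats, or None if there is none."""
    levels = [classification_risk[t.classification] for t in threats if t.active]
    return max(levels, key=RISK_ORDER.__getitem__) if levels else None


def threat_rule_compliant(device, minimum_level, disconnected_days, now,
                          classification_risk=DEFAULT_CLASSIFICATION_RISK):
    """Return (compliant, reason). minimum_level is the 'active threat with a
    minimum level of' setting in the compliance rule; disconnected_days is the
    Step 6 connector setting (1 to 90)."""
    if minimum_level not in RISK_ORDER:
        raise ValueError("minimum_level must be low, medium or high")
    if not 1 <= disconnected_days <= 90:
        raise ValueError("disconnected_days must be between 1 and 90")
    if now - device.last_seen > timedelta(days=disconnected_days):
        return False, "device disconnected from Lookout for more than %d days" % disconnected_days
    risk = device_risk(device.threats, classification_risk)
    if risk is not None and RISK_ORDER[risk] >= RISK_ORDER[minimum_level]:
        return False, "active threat at risk level %s (rule minimum: %s)" % (risk, minimum_level)
    return True, None


if __name__ == "__main__":
    now = datetime(2017, 3, 6)
    phone = LookoutDevice([Threat("sideloaded app", True), Threat("malware", False)],
                          last_seen=now - timedelta(hours=3))
    print(threat_rule_compliant(phone, "medium", 30, now))
```

The point the note makes shows up in the second test case below: raising the classification of "sideloaded app" in the Lookout console changes the compliance result without touching the SCCM rule at all.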

Watching enrollment
Once the setup is complete, Lookout device threat protection starts to poll Azure AD for devices that correspond to
the specified enrollment groups. You can find information about the devices enrolled on the Devices module. The
initial status for devices is shown as pending. The device status changes once the Lookout for Work app is
installed, opened, and activated on the device. For details on how to get the Lookout for Work app pushed to the
device, see the Configure and deploy Lookout for Work apps topic.
Next steps
Enable Lookout MTP connection in Intune
Enable Lookout MTP connection in the Intune admin console
3/6/2017

Applies to: System Center Configuration Manager (Current Branch)


This topic shows you how to enable the Lookout MTP connection in Intune. You should have already configured
the Intune Connector in the Lookout console before doing this step. If you have not already done so, do the steps
described in Set up your subscription with Lookout mobile threat protection.
To enable the Lookout MTP connection in Intune, on the Administration page in the Microsoft Intune
administrator console, choose Third Party Service Integration. Choose Lookout status and enable
Synchronization with MTP using the toggle button.

This completes the setup of the Lookout and Intune integration in the Intune administrator console. The next few
steps to implement this solution involve deploying the Lookout for Work apps and setting up the compliance
policy.

IMPORTANT
You must configure the Lookout for Work app before creating compliance policy rules and configuring conditional access.
This ensures that the app is ready and available for end users to install before they can get access to email or other company
resources.
Next steps
Configure Lookout for Work app
Configure and deploy Lookout for Work apps
3/6/2017

Applies to: System Center Configuration Manager (Current Branch)


This article explains how to configure and deploy the Lookout for Work app for Android and iOS devices.

Android (Google Play Store app)


1. In the Configuration Manager console, click Software Library > Application Management >
Applications.
2. On the General page of the Deploy Software Wizard, specify the following information:
Type: select App package for Android on Google Play.
Location: copy the Lookout for Work app link from the Google Play store and paste it here.
Publisher: Lookout Mobile Security
Name: Lookout for Work
Description: Lookout offers the best protection against mobile threats to keep your device safe. When
the Lookout app is installed on the device, the app protects your device from threats and will alert you,
and your company administrator, if any are found.
Administrative category: Computer Management
Upon successful completion, you will see the Lookout for Work app in your list of applications.
3. On the Home tab, in the Deployment group, choose Deploy to deploy the Lookout for Work app to
users.

IMPORTANT
You must select the same users added in to the Enrollment Management option in the Lookout MTP console.

Choose the Required Install option to require that the Lookout app be installed on the user’s device.

iOS (Enterprise-signed version of Lookout app)


Step 1: Make sure iOS management is set up on your device. For instructions on how to set up your device
for iOS management, see Set up iOS and Mac device management.
Step 2: Re-sign the Lookout for Work iOS app. Lookout distributes its Lookout for Work iOS app outside
of the iOS App Store. Before distributing the app, you must re-sign the app with your iOS Enterprise
Developer Certificate. For detailed instructions to re-sign the Lookout for Work iOS apps, see Lookout for
Work iOS app re-signing process on the Lookout site.
Step 3: Enable Azure Active Directory authentication for the iOS users by doing the following:
1. Sign in to the Azure Active Directory management portal, and navigate to the application page.
2. Add the Lookout for Work iOS app as a native client application.
3. Replace com.lookout.enterprise.yourcompanyname with the bundle ID you selected when you
re-signed the IPA.
4. Add an additional redirect URI: companyportal://code/ followed by a URL-encoded version of your
original redirect URI.
5. Add delegated permissions to your app.
For more details, see Configure a native client application.
Step 4: Upload the re-signed .ipa file as described in the Create iOS applications in System Center
Configuration Manager topic. Set the minimum OS version to iOS 8.0 or later.
Step 5: Create the managed app configuration policy as described in the Configure iOS apps with mobile
app configuration policies in System Center Configuration Manager topic.
Step 6: To deploy the app to users, select the Lookout for Work app on the Applications page. Then, on the
Home tab, in the Deployment group, choose Deploy.
You must select the same users that were added to the Enrollment Management option in the Lookout
console.
Choose the Required Install option to require that the Lookout app be installed on the user’s device.

What happens when the deployed app is opened on the device


When the user opens Lookout for Work on the device, they are prompted to activate the app and to choose the
Sign in with Azure Active Directory option. Detailed walkthroughs of the end-user flow can be found in the
following topics:
You are prompted to install Lookout for Work on your Android device
You need to resolve a threat that Lookout for Work found on your Android device

Next steps
Enable device threat protection rule in the compliance policy
Enable device threat protection rule in the compliance policy
3/6/2017 • 2 min to read

Applies to: System Center Configuration Manager (Current Branch)


Intune with Lookout mobile threat protection gives you the ability to detect mobile threats and make a risk
assessment on the device. You can create a compliance policy rule in Configuration Manager that includes the risk
assessment when determining whether the device is compliant. You can then use a conditional access policy to allow or
block access to Exchange, SharePoint, and other services based on device compliance.
To have Lookout device threat detection influence the compliance policy for the device:
The Device Threat Protection rule must be enabled on the compliance policy.
The Lookout Status page in the Intune administrator console must show as Active. See the Enable
Lookout MTP connection in Intune topic for more details and instructions on how to activate Lookout
integration.
Before creating the device threat protection rule in the compliance policy, we recommend that you set up your
subscription with Lookout device threat protection, enable the Lookout connection in Intune, and configure the
Lookout for Work app. The compliance rule is enforced only after the setup is completed.
To enable the device threat protection rule, you can either use an existing compliance policy or create a new one.
As part of the Lookout device threat protection setup, in the Lookout console, you created a policy that classifies
various threats into high, medium and low levels. In the Intune compliance policy you will use the threat level to
set the maximum allowed threat level.
On the Rules page of the compliance policy wizard, define a new rule with the following information:
Condition: Device threat protection maximum risk level.
Value: The value can be one of the following:
None (secured): This is the most secure. This means that the device cannot have any threats. If threats of any
level are found, the device is evaluated as non-compliant.
Low: The device is evaluated as compliant if only low level threats are present. Anything higher puts the
device in a non-compliant status.
Medium: The device is evaluated as compliant if the threats found on the device are low or medium
level. If high level threats are detected, the device is determined as non-compliant.
High: This is the least secure. Essentially, this allows all threat levels, and is probably only useful if you are
using this solution purely for reporting purposes.
If you create conditional access policies for Office 365 and other services, the above compliance evaluation is taken
into consideration and non-compliant devices are blocked from accessing company resources until the threat is
resolved.
The device threat protection status is displayed on the Security node in the Monitoring workspace. A summary
of the status at the various threat levels is displayed in a visual chart. You can click on the individual sections of the
chart to see more information, such as the number of devices reporting as non-compliant by platform, and any errors
that are reported. You can also see the individual device status in the Assets and Compliance workspace, under
Devices. You can add the Device threat compliance and the Device threat level columns to see the status.
These columns are not displayed by default.
Troubleshoot Lookout Integration with Intune
3/6/2017 • 3 min to read

Applies to: System Center Configuration Manager (Current Branch)

Troubleshoot login errors


403 errors
You may see a 403 error when you log in to the Lookout MTP console: "you are not authorized to access the
service". This can happen when the username you specified is not a member of the Azure Active Directory (Azure
AD) group that is configured to access Lookout MTP.
Lookout MTP is configured to allow access only to users from a configured Azure AD group. If you are unsure
which group is configured with access to Lookout MTP, contact Lookout Support.
You can contact Lookout Support through one of the following methods:
Email: enterprisesupport@lookout.com
Log in to the MTP Console, and navigate to the Support module.
Go to https://enterprise.support.lookout.com/hc/en-us/requests and make a support request.
Unable to sign in
You may see the following error when the Azure AD global admin user has not accepted the initial Lookout setup.

To resolve this issue, the global admin user must log in to https://aad.lookout.com/les?action=consent and accept
the prompt to initiate the setup. More detailed information can be found in the Set up your subscription with Lookout
MTP topic.

Troubleshoot device status issues


Device not showing up in the Lookout MTP console device list
This could happen in either of the following scenarios:
The user who owns this device is not in the Enrollment Group specified in the Lookout MTP
Console. From the System module, go to the Intune Connector tab and look at the Enrollment
Management settings. You should see one or more Azure AD groups configured for enrollment. Verify that
the user who owns the missing device is part of one of the specified Azure AD groups. Once a new user is
added to the enrollment group it will take up to the configured polling interval (5 minutes is the default) to
see the device show up in the Devices module of the Lookout MTP Console.
The device is unsupported by Lookout MTP. Unsupported devices appear in the Managed
Devices section of the connector settings in the Lookout MTP Console.
Device continues to be reported as pending
A device showing Pending means that the end user has not opened the Lookout for Work app and tapped the
Activate button. For more details on device activation with the Lookout for Work app, read the following topic:
You are prompted to install Lookout for Work on your Android device
In the Lookout MTP console, a device is showing as active, but does not have a device ID.
This means that the user who owns this device is not in the enrollment group specified in the Lookout MTP
Console. A device can get into this state if the user who owns the device has been removed from the enrollment
group, or if the enrollment group that the user belongs to has been removed.
From the System module on the Lookout MTP console, go to the Intune Connector tab, and review the
Enrollment settings. You should see one or more Azure AD groups configured for enrollment. Verify that the user
who owns the device is part of one of the Azure AD groups specified.
While a device is in this state, Lookout will continue to notify the user of any threats detected, but will not send any
threat information to Intune.
Device shows disconnected state
Disconnected means that Lookout MTP has not heard from the device for over a preconfigured time interval
(default is 30 days with a minimum of 7 days). This means that either the Company Portal app or the Lookout for
Work app is not installed on the device or has been uninstalled. Reinstalling the apps should resolve this issue.
When the user opens Lookout for Work and activates the app, the device resyncs with Lookout MTP and Intune.
Forcing a resync on the device
From the Devices module of the Lookout MTP console, the administrator can select the device and choose to
delete it. The next time the device owner opens the Lookout for Work app and taps Activate, the device state will
do a full resync.
The owner of the device is no longer using this device
You must wipe the device and ask the new user to enroll as described in this topic.
You can also go to the Devices module of the Lookout MTP Console and choose Delete.
As long as the new user is in one of the enrollment groups specified in the Lookout MTP console, the device will
appear once Azure AD associates the device to the new user.

Compliance remediation workflows


You are prompted to install Lookout for Work on your Android device
You need to resolve a threat that Lookout for Work found on your Android device
On-premises Mobile Device Management (MDM) in System Center Configuration Manager
3/6/2017 • 2 min to read

Applies to: System Center Configuration Manager (Current Branch)


System Center Configuration Manager On-premises Mobile Device Management is a device management solution
that relies on the built-in management capabilities of device operating systems (based on the Open Mobile Alliance
Device Management or OMA DM standard) while using an enterprise's Configuration Manager infrastructure to
manage and maintain the devices. On-premises Mobile Device Management requires Microsoft Intune to set up the
management capability, but Intune is only needed for the subscription (and at times to help notify devices to check in for
policy changes); it is not used to manage devices or store data about them.

On-premises Mobile Device Management differs from Microsoft Intune, which also relies on built-in OMA DM
capabilities but delivers all of the management functions through cloud services. On-premises Mobile Device
Management also differs from the client-based management solution traditionally offered by Configuration
Manager in that it relies on similar enterprise infrastructure but does not use separately installed client software on
the computers and devices it manages.
The table below lists the advantages and disadvantages of On-premises Mobile Device Management as compared
to traditional client-based management:

ADVANTAGES
Simplified infrastructure - Fewer site system roles are required.
Easier to maintain - Because management functionality is built in to the device operating system, new versions of
the client software are not required when new management features are introduced to the Configuration Manager
system.
On-premises - All management and data are kept on-premises.

DISADVANTAGES
Less client management functionality - No orchestration, software metering, third-party integration, task
sequencing, or Software Center support.
Limited device support - Currently, On-premises Mobile Device Management only supports devices running
Windows 10 and Windows 10 Mobile.

The following topics provide information you can use to plan, prepare, and enroll devices for On-premises Mobile
Device Management:
Plan for On-premises Mobile Device Management in System Center Configuration Manager
Learn about what to consider when setting up the Configuration Manager infrastructure and planning for
device enrollment in On-premises Mobile Device Management.
Preparation steps for On-premises Mobile Device Management in System Center Configuration Manager
Learn about how to get the Configuration Manager system ready for On-premises Mobile Device
Management by setting up the Microsoft Intune subscription, setting up certificates, installing site system
roles, and setting up device enrollment.
Enroll devices for On-premises Mobile Device Management in System Center Configuration Manager
Learn about how enrollment occurs, how users can enroll their own devices, and how to bulk-enroll devices
with an enrollment package.
Plan for On-premises Mobile Device Management in System Center Configuration Manager
3/6/2017 • 5 min to read

Applies to: System Center Configuration Manager (Current Branch)


Consider the following requirements before preparing the Configuration Manager infrastructure to handle
On-premises Mobile Device Management.

Supported devices
On-premises Mobile Device Management allows you to manage mobile devices using the management
capabilities built into the device operating systems. The management capability is based on the Open Mobile
Alliance (OMA) Device Management (DM) standard, and many device platforms use this standard to allow the
devices to be managed. We call these modern devices (in the documentation and the Configuration Manager
console user interface) to distinguish them from other devices that require the Configuration Manager client to
manage them.

NOTE
The current branch of Configuration Manager supports enrollment in On-premises Mobile Device Management for devices
running the following operating systems:
Windows 10 Enterprise
Windows 10 Pro
Windows 10 Team (beginning in Configuration Manager version 1602)
Windows 10 Mobile
Windows 10 Mobile Enterprise

Use of the Microsoft Intune subscription


To start using On-premises Mobile Device Management, you will need a Microsoft Intune subscription. The
subscription is only required to track licensing of the devices and is not used to manage or store management
information for the devices. All management is handled in your organization's enterprise using the on-premises
Configuration Manager infrastructure.

NOTE
Beginning in version 1610, Configuration Manager supports managing mobile devices using both Microsoft Intune and
on-premises Configuration Manager infrastructure at the same time.

If your site has devices with internet connectivity, the Intune service can be used to notify those devices to check the
device management point for policy updates. This use of Intune is strictly for notifying internet-facing devices.
Devices without internet connections (which therefore cannot be contacted by Intune) rely on the configured polling
interval to check in with site system roles for management functions.
TIP
We recommend that you set up the Intune subscription before you set up the required site system roles to minimize the
time required for the site system roles to become functional.

For information on how to set up the Intune subscription, see Set up a Microsoft Intune subscription for
On-premises Mobile Device Management in System Center Configuration Manager.

Required site system roles


On-premises Mobile Device Management requires at least one of each of the following site system roles:
Enrollment proxy point to support enrollment requests.
Enrollment point to support device enrollment.
Device management point for policy delivery. This site system role is a variation of the management
point role that has been configured to allow for mobile device management.
Distribution point for content delivery.
Service connection point for connecting to Intune to notify devices outside the firewall.
These site system roles can be installed on a single site system server or can be run separately on different
servers, depending on the needs of your organization. Each site system server used for On-premises Mobile
Device Management must be configured as an HTTPS endpoint for communicating with trusted devices. For
more information, see Required trusted communications.
For more information on planning for site system roles, see Plan for site system servers and site system
roles for System Center Configuration Manager.
For more information on how to add the required site system roles, see Install site system roles for
On-premises Mobile Device Management in System Center Configuration Manager.

Required trusted communications


On-premises Mobile Device Management requires site system roles to be enabled for HTTPS communications.
Depending on your needs, you can use your enterprise's certificate authority (CA) to establish the trusted
connections between servers and devices or you could use a publicly available CA to be the trusted authority. Either
way, you will need a web server certificate to be configured with IIS on the site system servers hosting the required
site system roles, and you will need the root certificate of that CA installed on the devices that need to connect to
those servers.
If you use your enterprise's CA to establish trusted communications, you need to do the following tasks:
Create and issue the web server certificate template on the CA.
Request a web server certificate for each site system server hosting a required site system role.
Configure IIS on the site system server to use the requested web server certificate.
For devices joined to the corporate Active Directory domain, the root certificate of the enterprise CA is
already available on the device for trusted connections. This means that domain-joined devices (like desktop
computers) will automatically be trusted for HTTPS connections with the site system servers. However,
non-domain-joined devices (typically mobile) will not have the required root certificate installed. Those devices
will require the root certificate to be manually installed on them to successfully communicate with site
system servers supporting On-premises Mobile Device Management.
You must export the root certificate of the issuing CA for use by individual devices. To get the root certificate
file, you can export it using the CA, or, as a simpler method, use the web server certificate issued by the CA
to extract the root and create a root certificate file. Then, the root certificate must be delivered to the device.
Some example delivery methods include:
File system
Email attachment
Memory card
Tethered device
Cloud storage (such as OneDrive)
Near field communication (NFC) connection
Barcode scanner
Out of box experience (OOBE) provisioning package
For more information, see Set up certificates for trusted communications for On-premises Mobile Device
Management in System Center Configuration Manager.

Enrollment considerations
To enable device enrollment for On-premises Mobile Device Management, users must be granted permission to
enroll and their devices must be able to have trusted communications with the site system servers hosting the
required site system roles.
Granting user enrollment permission can be accomplished through setting up an enrollment profile in
Configuration Manager client settings. You can use the default client settings to push the enrollment profile to all
discovered users or you can set up the enrollment profile in custom client settings and push the settings to one or
more user collections.
With user enrollment permission granted, users can enroll their own devices. To get enrolled, the user's device
must have the root certificate of the certification authority (CA) that issued the web server certificate used on the
site system servers hosting the required site system roles.
As an alternative to user-initiated enrollment, you can set up a bulk enrollment package that allows the device to be
enrolled without user intervention. This package can be delivered to the device before it is initially provisioned for
use or after the device goes through its OOBE process.
For more information on how to set up and enroll devices, see
Set up device enrollment for On-premises Mobile Device Management in System Center Configuration
Manager
Enroll devices for On-premises Mobile Device Management in System Center Configuration Manager
Preparation steps for On-premises Mobile Device Management in System Center Configuration Manager
3/6/2017 • 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


Managing devices with System Center Configuration Manager On-premises Mobile Device Management requires
the Configuration Manager infrastructure to be set up so that the required site system roles (enrollment proxy
point, enrollment point, device management point, and distribution point) can communicate across a trusted
channel with the mobile devices to be managed.
The following high-level tasks are required to prepare the Configuration Manager system for On-premises Mobile
Device Management:
Set up a Microsoft Intune subscription for On-premises Mobile Device Management in System Center
Configuration Manager
In this task, you sign up for Microsoft Intune, and then add the subscription to Configuration Manager
through the Configuration Manager console. This step is required for licensing purposes only. Intune is not
used to manage the devices or store management information. All coordination and management of devices
is with your organization's enterprise using the on-premises Configuration Manager infrastructure.
Install site system roles for On-premises Mobile Device Management in System Center Configuration
Manager
In this task, you install and configure the site system roles required to manage devices with on-premises
Configuration Manager infrastructure. On-premises Mobile Device Management minimally requires the
enrollment proxy point, enrollment point, device management point, and distribution point site system roles.
Set up certificates for trusted communications for On-premises Mobile Device Management in System
Center Configuration Manager
In this task, you configure the on-premises Configuration Manager infrastructure to allow trusted
communications (HTTPS) between managed devices and the servers hosting the required site system roles.
Set up device enrollment for On-premises Mobile Device Management in System Center Configuration
Manager
In this task, you grant permission to users to enroll computers and devices and you install the trusted root
certificate on devices (typically ones that are not domain-joined) to permit HTTPS connections to the site
system servers.
Set up a Microsoft Intune subscription for On-premises Mobile Device Management in System Center
Configuration Manager
3/6/2017 • 2 min to read

Applies to: System Center Configuration Manager (Current Branch)


System Center Configuration Manager On-premises Mobile Device Management requires a Microsoft Intune
subscription to track licensing. The Intune service is not used to manage the devices or to store management
information. For On-premises Mobile Device Management, all device management is handled by the Configuration
Manager infrastructure.

NOTE
Beginning in version 1610, Configuration Manager supports using both Microsoft Intune and on-premises Configuration
Manager infrastructure to manage mobile devices at the same time.

TIP
We recommend that you set up the Intune subscription for On-premises Mobile Device Management before you install the
required site system roles to minimize the time required for the newly installed site system roles to become functional.

Sign up for Microsoft Intune


Intune is required to make On-premises Mobile Device Management functional. Simply sign up for a trial or paid
subscription and go to the next step to add the subscription to Configuration Manager.

Add the Intune subscription to Configuration Manager


To add the subscription to Configuration Manager, you follow the same basic steps as you would when adding the
subscription for mobile device management with Intune. Read the notes below for specific differences, and then
use the instructions in To create the Microsoft Intune subscription.

NOTE
When adding the Intune subscription, keep the following in mind:
The collection specified in the Add Microsoft Intune Subscription Wizard is not used for On-premises Mobile Device
Management user right delegation. It is only used for mobile device management with Intune. However, you are required
to specify a collection for the wizard to proceed.
The site code setting specified in the wizard is ignored for On-premises Mobile Device Management. The site code
that is used is the one you specify in the enrollment profile that grants users permission to enroll devices.
Do not enable multi factor authentication. It is not supported in On-premises Mobile Device Management.

Configure the Intune subscription for On-premises Mobile Device Management
1. In the Configuration Manager console, right-click the Microsoft Intune Subscription, and click
Properties.
2. In the On Premises Mobile Device Management box, choose one of the following:
If you plan to only have devices managed on-premises, click the check box next to Only manage
devices on-premises, and click OK.

NOTE
By clicking this check box, you configure the Intune subscription to keep all management information
on-premises and not replicate data to the cloud.

If you plan to have devices managed by both Intune and Configuration Manager on-premises, leave
the box unchecked.
3. If you plan to manage Windows 10 Mobile devices, right-click the Microsoft Intune Subscription, click
Configure Platforms, and then click Windows Phone.
4. Click the check box next to Windows Phone 8.1 and Windows 10 Mobile, and then click OK.
5. If you plan to manage Windows 10 desktop computers, right-click the Microsoft Intune Subscription,
click Configure Platforms, and then click Enable Windows Enrollment.
6. Click the check box next to Enable Windows enrollment, and then click OK.
Install site system roles for On-premises Mobile Device Management in System Center Configuration Manager
3/6/2017 • 3 min to read

Applies to: System Center Configuration Manager (Current Branch)


System Center Configuration Manager On-premises Mobile Device Management requires the following site
system roles in your Configuration Manager site infrastructure:
Enrollment point
Enrollment proxy point
Distribution point
Device management point
Service connection point
If you are adding On-premises Mobile Device Management to an organization that has most PCs and
devices managed using the Configuration Manager client software, you might already have most of the site system
roles installed as part of your existing infrastructure. If not, see Add site system roles for System
Center Configuration Manager for complete information on how to add them to your site.

NOTE
If you use database replicas with your device management point site system role, newly enrolled devices will initially fail to
connect to the device management point until the database replica synchronizes with it. This connection failure occurs
because the database replica does not have the information about the newly enrolled device necessary for a successful
connection. Replicas synchronize every 5 minutes, so devices will fail to connect for the first 5 minutes after enrollment
(usually 2 connection attempts), after which the device will connect successfully.

Whether you are using existing site system roles or adding new ones, you must configure them to be used to
manage modern devices. Follow the steps below to configure the distribution point and device management point
to function correctly for On-premises Mobile Device Management:

NOTE
The current branch of Configuration Manager only supports intranet connections from devices to the distribution points and
device management points for On-premises Mobile Device Management. However, if you are also managing Mac OS X
computers, those clients require internet connections to those site system roles. In that case, when you configure the
properties of the distribution point and the device management point, you should use the Allow intranet and internet
connections setting instead.

To configure site system roles to manage modern devices:


1. In the Configuration Manager console, click Administration > Overview > Site Configuration > Servers
and Site System Roles.
2. Select the site system server with the distribution point or device management point that you want to configure,
open the properties for Site System, and make sure it has an FQDN specified. Click OK.
3. Open properties for the distribution point site system role. On the General tab, make sure HTTPS is selected
and select Allow intranet-only connections.
If you're also separately managing Mac computers with the Configuration Manager client, use Allow
intranet and internet connections instead.

NOTE
Distribution points configured for intranet connections require site boundaries to be configured for them. The current
branch of Configuration Manager only supports IPv4 range boundaries for On-premises Mobile Device
Management. For more information on configuring site boundaries, see Define site boundaries and boundary groups
for System Center Configuration Manager.

4. Click the check box next to Allow mobile devices to connect to this distribution point, and then click
OK.
5. Open properties for the management point site system role. On the General tab, make sure HTTPS is
selected, and select Allow intranet-only connections.
If you're also separately managing Mac computers with the Configuration Manager client, use Allow
intranet and internet connections instead.
6. Click the check box next to Allow mobile devices and Mac Computer to use this management point.
Click OK.
This effectively turns the management point into a device management point.
Once the site system roles have been added and configured for managing modern devices, you then need
to configure the servers hosting the roles as trusted endpoints for enrolling and communicating with
managed devices. See Set up certificates for trusted communications for On-premises Mobile Device
Management in System Center Configuration Manager for more information.
Set up certificates for trusted communications for On-premises Mobile Device Management in System
Center Configuration Manager
3/6/2017 • 8 min to read

Applies to: System Center Configuration Manager (Current Branch)


System Center Configuration Manager On-premises Mobile Device Management requires the enrollment point,
enrollment proxy point, distribution point, and device management point site system roles to be set up for trusted
communications with managed devices. Any site system server hosting one or more of those roles must have a
unique PKI certificate bound to the web server on that system. A certificate with the same root as the certificate on
the servers must also be stored on managed devices to establish trusted communication with them.
For domain-joined devices, Active Directory Certificate Services installs the needed certificate with the trusted root
on all devices automatically. For non-domain-joined devices, you must obtain a valid certificate with a trusted root
by some other means. If you use the site CA as your trusted root (which is the same one Active Directory uses for
domain-joined devices), the site system servers for the enrollment point and enrollment proxy point must have a
certificate issued by that CA bound to them.
Each device to be managed will also need to have a certificate with the same root installed on them to support
trusted communications with the site system roles. For bulk-enrolled devices, you can include the certificate in the
enrollment package that is added to the device for enrolling it when the device is started for the first time by a
user. For user-enrolled devices, you need to add the certificate through email, web download, or some other
method.
As an alternative for non-domain-joined devices, you can use the root of a well-known public CA (like Verisign or
GoDaddy) to issue the server certificate, which avoids having to manually install a certificate on the device,
because most devices natively trust connections to servers that chain to the same public CA root. This is a useful
alternative for user-enrolled devices where it is not feasible to install the certificates trusted through the site CA
on each device.

IMPORTANT
There are many ways to set up the certificates for trusted communications between devices and the site system servers for
On-premises Mobile Device Management. The information provided in this article is given as an example of one way to do it.
This method requires you to be running a server in your site with Active Directory Certificate Services role and the
Certification Authority and Certification Authority Web Enrollment role services installed. See Active Directory Certificate
Services for more information and guidance on this Windows Server role.

To set up the Configuration Manager site for the SSL communications required for On-premises Mobile Device
Management, follow these high-level steps:
Configure the certification authority (CA) for CRL publishing
Create the web server certificate template on the CA
Request the web server certificate for each site system role
Bind the certificate to the web server
Export the certificate with the same root as the web server certificate
Configure the certification authority (CA) for CRL publishing
By default, the certification authority (CA) uses LDAP-based certificate revocation lists (CRLs), which allow
connections for domain-joined devices only. You must add HTTP-based CRLs to the CA to make it possible for non-
domain-joined devices to trust certificates issued by the CA. These certificates are required for SSL
communications between the servers hosting the Configuration Manager site system roles and the devices
enrolled for On-premises Mobile Device Management.
Follow the steps below to configure the CA to autopublish CRL information for issuing certificates that allow
trusted connections for domain-joined and non-domain-joined devices:
1. On the server running the certification authority for your site, click Start > Administrative Tools >
Certification Authority.
2. In the Certification Authority console, right-click CertificateAuthority, and then click Properties.
3. In CertificateAuthority properties, click the Extensions tab, and make sure that Select extension is set to CRL
Distribution Point (CDP).
4. Select http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl, and then select the three options below:
Include in CRLs. Clients use this to find Delta CRL locations.
Include in CDP extension of issued certificates.
Include in the IDP extension of issued CRLs
5. Click the Exit Module tab, click Properties..., then select Allow certificates to be published to the file
system.
6. Click OK when notified that Active Directory Certificate Services must be restarted.
7. Right-click Revoked Certificates, click All Tasks, and then click Publish.
8. In Publish CRL dialog, select Delta CRL only, and then click OK.

Create the web server certificate template on the CA


After publishing the new CRL on the CA, the next step is to create a web server certificate template. This template is
required for issuing certificates for the servers hosting the enrollment point, enrollment proxy point, distribution
point, and device management point site system roles. These servers will be SSL endpoints for trusted
communications between the site system roles and enrolled devices. Follow the steps below to create the
certificate template:
1. Create a security group named ConfigMgr MDM Servers that contains the servers running the site
systems that require trusted communications with enrolled devices.
2. In the Certification Authority console, right-click Certificate Templates and click Manage to load the
Certificate Templates console.
3. In the results pane, right-click the entry that displays Web Server in the column Template Display Name,
and then click Duplicate Template.
4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected,
and then click OK.
IMPORTANT
Do not select Windows 2008 Server, Enterprise Edition. Configuration Manager does not support Windows
Server 2008 certificate templates for trusted communications using HTTPS.

NOTE
If the CA you are using is on Windows Server 2012, you are not prompted for the certificate template version when
you click Duplicate Template. Instead, specify this on the Compatibility tab of the template properties, as follows:
Certification Authority: Windows Server 2003
Certificate recipient: Windows XP / Server 2003

5. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the
web certificates that will be used on Configuration Manager site systems, such as ConfigMgr MDM Web
Server.
6. Click the Subject Name tab, select Build from Active Directory information, and for subject name
format, specify DNS name. Clear the check box from alternate subject name, if User Principal Name
(UPN) is selected.
7. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and
Enterprise Admins.
8. Click Add, enter ConfigMgr MDM Servers in the text box, and then click OK.
9. Select the Enroll permission for this group, and do not clear the Read permission.
10. Click OK, and close the Certificate Templates console.
11. In the Certification Authority console, right-click Certificate Templates, click New, and then click
Certificate Template to Issue.
12. In the Enable Certificate Templates dialog box, select the new template that you have just created,
ConfigMgr MDM Web Server, and then click OK.

Request the web server certificate for each site system role
Devices enrolled for On-premises Mobile Device Management must trust SSL endpoints hosting the enrollment
point, enrollment proxy point, distribution point, and device management point. The steps below describe how to
request the web server certificate for IIS. You must do this for each server (SSL endpoint) hosting one of the
required site system roles for On-premises Mobile Device Management.
1. On the primary site server, open command prompt with administrator permission, type MMC and press
Enter.
2. In the MMC, click File > Add/Remove Snap-in.
3. In the Certificates snap-in, select Certificates, click Add, select Computer account, click Next, click Finish,
and then click OK to exit the Add or Remove Snap-in window.
4. Right-click Personal, and then click All Tasks > Request New Certificate.
5. In the Certificate Enrollment wizard, click Next, select Active Directory Enrollment Policy and click Next.
6. Select the checkbox next to the web server certificate (ConfigMgr MDM Web Server), and then click
Enroll.
7. Once certificate is enrolled, click Finish.
Because each server will need a unique web server certificate, you need to repeat this process for every
server hosting one of the required site system roles for On-premises Mobile Device Management. If one
server hosts all the site system roles, you just need to request one web server certificate.

Bind the certificate to the web server


The new certificate now needs to be bound to the web server of each site system server hosting the required site
system roles for On-premises Mobile Device Management. Follow the steps below for each server hosting the
enrollment point and enrollment proxy point site system roles. If one server hosts all the site system roles, you
only need to follow these steps once. You do not have to do this task for the distribution point and device
management point site system roles since they automatically receive the required certificate during enrollment.
1. On the server hosting the enrollment point, enrollment proxy point, distribution point, or device
management point, click Start > Administrative Tools > IIS Manager.
2. Under Connections, navigate to and right-click Default Web Site, and then click Edit Bindings...
3. In Site Bindings dialog, click https, and then click Edit...
4. In the Edit Site Binding dialog, select the certificate you just enrolled for the SSL certificate, click OK, and
then click Close.
5. In IIS Manager console, under Connections, select the web server, and then in the right Actions panel, click
Restart.

Export the certificate with the same root as the web server certificate
Active Directory Certificate Services typically installs the required certificate from the CA on all domain-joined
devices. But non-domain-joined devices will not be able to communicate with the site system roles without
certificate from the root CA. To get the certificate required for devices to communicate with the site system roles,
you can export it from the certificate bound to the web server.
Follow these steps to export the root certificate of the web server's certificate.
1. In IIS Manager, click Default Web Site, and then in the right Action panel, click Bindings...
2. In the Site Bindings dialog, click https, and then click Edit...
3. Make sure the web server certificate is selected, and click View...
4. In properties of the web server certificate, click Certification Path, click the root at the top of the
certification path, and click View Certificate.
5. In the properties of the root certificate, click Details, and then click Copy to File...
6. In the Certificate Export Wizard, click Next.
7. Make sure DER encoded binary X.509 (.CER) is selected for format, and click Next.
8. For the file name, click Browse..., choose a location to save the certificate file, name the file, and click Save.
Devices to be enrolled will need access to this file to import the root certificate, so choose a common
location that most computers and devices can access, or save it to a convenient location now (like
the C drive) and move it to a common location later. Click Next.
9. Review the settings, and click Finish.
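As an added example (not part of the original article), the following PowerShell script checks the outcome of the steps above on a site system server: it finds the certificate bound to the HTTPS binding, confirms an HTTP CRL Distribution Point was published into it (the reason for the CRL publishing step), builds the chain with online revocation checking, and exports the root as a DER .cer file. It assumes the IIS site is Default Web Site, as in the steps; the export path is a placeholder.

```powershell
# Added example, not from the original article. Run elevated on a server hosting
# the enrollment point or enrollment proxy point after binding the certificate.
# Assumptions: IIS site 'Default Web Site'; the export path is a placeholder.
#Requires -RunAsAdministrator
Import-Module WebAdministration
Import-Module PKI

$siteName   = 'Default Web Site'
$exportPath = 'C:\Temp\ConfigMgrMdmRoot.cer'   # placeholder location, change as needed

# 1. Locate the certificate bound to the HTTPS binding (step "Bind the certificate").
$binding = Get-WebBinding -Name $siteName -Protocol 'https' | Select-Object -First 1
if (-not $binding) { throw "No HTTPS binding found on '$siteName'." }
$thumbprint = $binding.certificateHash
$storeName  = $binding.certificateStoreName   # normally 'My'
$cert = Get-Item "Cert:\LocalMachine\$storeName\$thumbprint"
Write-Host "Bound certificate: $($cert.Subject) (expires $($cert.NotAfter))"

# 2. Non-domain-joined devices cannot follow ldap:/// CDP URLs, so the issued
#    certificate must carry an http:// CRL Distribution Point (OID 2.5.29.31).
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { throw 'Certificate has no CRL Distribution Point extension.' }
$cdpText  = $cdp.Format($true)
$httpUrls = [regex]::Matches($cdpText, 'http://\S+')  | ForEach-Object { $_.Value }
$ldapUrls = [regex]::Matches($cdpText, 'ldap:///\S+') | ForEach-Object { $_.Value }
Write-Host "CDP entries: $($ldapUrls.Count) LDAP, $($httpUrls.Count) HTTP"
if ($httpUrls.Count -eq 0) {
    Write-Warning 'No HTTP CDP URL: non-domain-joined devices will fail revocation checks.'
}
# Fetch each HTTP CRL the way a device would, proving the CA publishes to the file system/IIS.
foreach ($url in $httpUrls) {
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        Write-Host "  OK   $url ($($resp.RawContentLength) bytes)"
    } catch {
        Write-Warning "  FAIL $url : $($_.Exception.Message)"
    }
}

# 3. Build the chain with online revocation checking, as a TLS client does.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object {
        Write-Warning "Chain: $($_.Status) - $($_.StatusInformation.Trim())"
    }
}
if ($chain.ChainElements.Count -eq 0) { throw 'Could not build any chain for the bound certificate.' }

# 4. Export the root (last chain element) as DER-encoded X.509, the same format
#    the Certificate Export Wizard steps above produce (.CER).
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Write-Host "Root CA: $($root.Subject) thumbprint $($root.Thumbprint)"
New-Item -ItemType Directory -Path (Split-Path $exportPath) -Force | Out-Null
Export-Certificate -Cert $root -FilePath $exportPath -Type CERT | Out-Null
Write-Host "Exported root certificate to $exportPath"
```

A FAIL on an HTTP CRL URL or a RevocationStatusUnknown chain status means the CRL publishing step did not take effect, and non-domain-joined devices will not be able to validate the server certificate.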
Set up device enrollment for On-premises Mobile
Device Management in System Center Configuration
Manager
3/6/2017 • 3 min to read

Applies to: System Center Configuration Manager (Current Branch)


Enabling users to enroll their devices for System Center Configuration Manager On-premises Mobile Device
Management requires you to grant them permission to do so. To grant users permission to enroll devices, follow
the tasks below.
Create an enrollment profile that allows users to enroll modern devices
Set up additional client settings for enrolled devices
Enable users to receive the modern device enrollment profile
Store the root certificate on devices to be enrolled

Create an enrollment profile that allows users to enroll modern devices


To push the settings required to allow users to enroll modern devices, you can add a new enrollment profile to the
default client settings, which gets applied to all discovered users in the Configuration Manager site.
1. In the Configuration Manager console, click Administration > Overview > Client Settings, open Default
Client Settings and select Enrollment.
2. Under Device Settings, specify the polling interval for modern devices.
3. Under User Settings, select Yes for Allow users to enroll modern devices.
4. Next to Modern device enrollment profile, click Set Profile... and then click Create...
5. In Create Enrollment Profile, type a name for the enrollment profile, and choose the management site code
you want users with the enrollment profile to use. Click OK several times to exit the Default Settings page.

NOTE
If you want to deploy the enrollment profile to a subset of discovered users, you can use a user collection, and create custom
client settings to deploy to that collection. For information on creating custom client settings, see How to configure client
settings in System Center Configuration Manager

Set up additional client settings for enrolled devices


In addition to setting up the enrollment profile for modern devices, you can set up additional client settings for
configuring devices when they're enrolled. For information on setting up client settings, see How to configure
client settings in System Center Configuration Manager.
Not all client settings are available for On-premises Mobile Device Management. The current branch of
Configuration Manager supports the following client settings for On-premises Mobile Device Management:
Enrollment - these settings specify the enrollment profile for managed devices. For more information on
how to set up an enrollment profile, see Create an enrollment profile that allows users to enroll modern
devices.
Client policy - these settings specify the frequency for downloading client policy to the device. You can also
enable settings for targeting users with policy polling. For more information on client policy settings, see
the Client Policy section in About client settings in System Center Configuration Manager.
Software deployment - this setting sets the interval for evaluating client devices for software deployments.
For more information on software deployment settings, see the Software Deployment section in About client
settings in System Center Configuration Manager.

NOTE
For On-premises Mobile Device Management, software deployment settings can only be used as default client
settings. Software deployment settings cannot be used with custom client settings in the current branch of
Configuration Manager.

Enable users to receive the modern device enrollment profile


For users to receive the modified client settings with the enrollment profile for On-premises Mobile Device
Management, they must be discovered through the Active Directory discovery method. To make sure everyone
that needs the enrollment profile gets it, run discovery for Active Directory users. For instructions on how to
discover users, see Run discovery for System Center Configuration Manager.

Store the root certificate on devices to be enrolled


Users with domain-joined devices will likely already have the required root certificate for trusted communication
with the servers hosting the site system roles because the root was issued as part of the domain-joining process
with Active Directory. Non-domain joined computers and mobile devices will need the root certificate manually
installed on the device to allow for enrollment to take place. These devices will not automatically have the required
root certificate.
The exported certificate file must be provided to the device for manual installation. This can be done using email,
OneDrive, SD card, USB thumbdrive, or whatever method works best for your needs.
The root certificate you want to use on the devices is the one you exported in Export the certificate with the same
root as the web server certificate.
1. On the device to be enrolled, locate the root certificate file and double-click it.
2. In Certificate window, click Install Certificate...
3. In the Certificate Import Wizard, select Local Machine, and click Next.
4. In the User Account Control window, click Yes.
5. Select Place all certificates in the following store, and click Browse.
6. Click Trusted Root Certification Authorities, click OK, and then click Next.
7. Click Finish.
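As an added example (not from the original article), this PowerShell script does the same as the steps above on a non-domain-joined Windows 10 device, then confirms the result by opening a TLS connection to the enrollment proxy point and evaluating the server chain, including the online CRL check. The .cer path and the enrollment proxy point FQDN are placeholders.

```powershell
# Added example, not from the original article. Run elevated on the non-domain-joined
# device before enrolling it. Placeholders: the .cer path and the enrollment proxy FQDN.
#Requires -RunAsAdministrator
Import-Module PKI

$rootCerPath = 'C:\Temp\ConfigMgrMdmRoot.cer'       # placeholder: file exported from the site server
$proxyFqdn   = 'enrollproxy.corp.example.com'       # placeholder: enrollment proxy point FQDN

# 1. Sanity-check the file: a root certificate is self-signed (Issuer equals Subject).
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootCerPath
if ($root.Subject -ne $root.Issuer) {
    throw "'$rootCerPath' is not a root certificate (issuer differs from subject)."
}

# 2. Install into the machine-wide Trusted Root Certification Authorities store,
#    which is what choosing Local Machine in the Certificate Import Wizard does.
$present = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if (-not $present) {
    Import-Certificate -FilePath $rootCerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Write-Host "Installed root '$($root.Subject)' into LocalMachine\Root."
} else {
    Write-Host "Root '$($root.Subject)' is already in LocalMachine\Root."
}

# 3. Handshake with the enrollment proxy point and evaluate its chain explicitly.
function Test-MdmServerTrust {
    param([string]$HostName, [int]$Port = 443)
    # Accept any certificate during the handshake only so we can inspect it;
    # trust is evaluated explicitly below with online revocation checking.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    } finally { $tcp.Close() }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'      # forces the HTTP CRL download a device must be able to do
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chainOk = $chain.Build($server)
    # Test-Certificate with the SSL policy also checks that the name matches the FQDN we connected to.
    $nameOk = [bool](Test-Certificate -Cert $server -Policy SSL -DNSName $HostName -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Server      = $server.Subject
        Issuer      = $server.Issuer
        ChainBuilds = $chainOk
        NameMatches = $nameOk
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

Test-MdmServerTrust -HostName $proxyFqdn | Format-List
```

ChainBuilds and NameMatches must both be True before user enrollment will succeed; UntrustedRoot in ChainStatus means the wrong root was installed, and RevocationStatusUnknown means the HTTP CRL is not reachable from the device.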
Enroll devices for On-premises Mobile Device
Management in System Center Configuration
Manager
3/6/2017 • 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


To manage computers and devices with System Center Configuration Manager On-premises Mobile Device
Management, the devices need to be enrolled so that Configuration Manager can communicate with the devices
for management tasks. Configuration Manager provides two methods for enrolling devices:
User enrollment - In this method, users initiate the enrollment process on their devices. For user
enrollment to be successful, the device must have a trusted root certificate installed on it, and the user must
be provisioned for enrollment by Configuration Manager. To enroll a device, the user simply provides work
credentials, and the device is enrolled to be managed.
For more information, see How users enroll devices with On-premises Mobile Device Management in
System Center Configuration Manager
Bulk enrollment - In this method, the user of the device is not required to initiate enrollment. Instead, a
bulk enrollment package is created in Configuration Manager, put on the device, and opened.
When opened, the package provides the information required to enroll the device.
For more information, see How to bulk-enroll devices with On-premises Mobile Device Management in
System Center Configuration Manager

NOTE
The current branch of Configuration Manager supports enrollment in On-premises Mobile Device Management for
devices running the following operating systems:
Windows 10 Enterprise
Windows 10 Pro
Windows 10 Team (beginning in Configuration Manager version 1602)
Windows 10 Mobile
Windows 10 Mobile Enterprise
How users enroll devices with On-premises Mobile
Device Management in System Center Configuration
Manager
3/6/2017 • 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


With System Center Configuration Manager On-premises Mobile Device Management, users can enroll devices if
they have been granted enrollment permission (by way of updated client settings), and their devices have the
required root certificate installed to have trusted communications with the servers hosting the required site system
roles. For more information on how to set up enrollment, see Set up device enrollment for On-premises Mobile
Device Management in System Center Configuration Manager.

NOTE
The current branch of Configuration Manager supports enrollment in On-premises Mobile Device Management for devices
running the following operating systems:
Windows 10 Enterprise
Windows 10 Pro
Windows 10 Team (beginning in Configuration Manager version 1602)
Windows 10 Mobile
Windows 10 Mobile Enterprise

The following tasks explain how to enroll and verify enrollment of computers and devices for On-premises Mobile
Device Management:
Enroll a Windows 10 computer
Enroll a Windows 10 Mobile device
Verify device enrollment

Enroll a Windows 10 computer


1. On a Windows 10 computer, go to Settings.
2. Click Accounts, and then click Work access.
3. In Work Access under Connect to work or school, click Connect, enter your work email address, and click
Continue.
4. Enter the FQDN of the server hosting the enrollment proxy point site system role, and click Continue.
5. In Connecting to a service, enter your work email password, and click Sign in.
6. Click Skip for remembering the sign-in info, and after a short time the device is connected.

Enroll a Windows 10 Mobile device


1. On a Windows 10 Mobile device, go to Settings.
2. Click Accounts, and then click Work access.
3. Click Connect.
4. Enter your work email address and the FQDN of the server hosting the enrollment proxy point site system
role. Click Connect.
5. On the next screen, enter your work email address and password, and then click Sign-in. After a short time,
the device is enrolled. Click Done.

Verify device enrollment


You can verify that devices have been successfully enrolled in the Configuration Manager console.
1. Start the Configuration Manager console.
2. Click Assets and Compliance > Overview > Devices. The enrolled device appears in the list.
How to bulk-enroll devices with On-premises Mobile
Device Management in System Center Configuration
Manager
3/6/2017 • 6 min to read

Applies to: System Center Configuration Manager (Current Branch)


Bulk enrollment in System Center Configuration Manager On-premises Mobile Device Management is a more
automated means for enrolling devices, as compared to user enrollment, which requires users to enter their
credentials to enroll the device. Bulk enrollment uses an enrollment package to authenticate the device during
enrollment. The package (a .ppkg file) contains a certificate profile and optionally a Wi-Fi profile if the device needs
intranet connectivity to support enrollment.

NOTE
The current branch of Configuration Manager supports enrollment in On-premises Mobile Device Management for devices
running the following operating systems:
Windows 10 Enterprise
Windows 10 Pro
Windows 10 Team (beginning in Configuration Manager version 1602)
Windows 10 Mobile
Windows 10 Mobile Enterprise

The following tasks explain how to bulk-enroll computers and devices for On-premises Mobile Device
Management:
Create a certificate profile
Create a Wi-Fi profile
Create an enrollment profile
Create an enrollment package (ppkg) file
Use the package to bulk-enroll a device
Verify enrollment of device

Create a certificate profile


The main component of the enrollment package is a certificate profile, which is used to automatically provision a
trusted root certificate to the device being enrolled. This root certificate is required for trusted communication
between the devices and the site system roles needed for On-premises Mobile Device Management. Without the
root certificate, the device would not be trusted in HTTPS connections between it and the servers hosting the
enrollment point, enrollment proxy point, distribution point, and device management point site system roles.
As part of preparing the system for On-premises Mobile Device Management, you export a root certificate that you
can use in the enrollment package's certificate profile. For instructions on how to get the trusted root certificate, see
Export the certificate with the same root as the web server certificate.
Use the exported root certificate to create a certificate profile. For instructions, see How to create certificate profiles
in System Center Configuration Manager.

Create a Wi-Fi profile


The other component of the package used for bulk enrollment is a Wi-Fi profile. Some devices might not have the
network connectivity needed to support enrollment until network settings are provisioned. Including a Wi-Fi
profile in the enrollment package provides a means for establishing network connectivity for the device.
To create a Wi-Fi profile in Configuration Manager, follow the instructions in How to create Wi-Fi profiles in System
Center Configuration Manager.

IMPORTANT
Keep the following two issues in mind when creating a Wi-Fi profile for bulk enrollment:
The current branch of Configuration Manager only supports the following Wi-Fi security configurations for On-
premises Mobile Device Management:
Security types: WPA2 Enterprise or WPA2 Personal
Encryption types: AES or TKIP
EAP types: Smart Card or other certificate or PEAP
Although Configuration Manager has a setting for proxy server information in the Wi-Fi profile, it does not configure
the proxy when the device is enrolled. If you need to set up a proxy server with your enrolled devices, you can deploy
the settings using configuration items once devices are enrolled, or create a second package using the Windows
Image and Configuration Designer (ICD) to deploy alongside the bulk enrollment package.

Create an enrollment profile


The enrollment profile allows you to specify settings required for device enrollment, including a certificate profile
that will dynamically provision a trusted root certificate to the device and a Wi-Fi profile that will provision network
settings if required.
Before creating an enrollment profile, make sure you have a certificate profile and Wi-Fi profile (if needed) created.
For more information, see Create a certificate profile and Create a Wi-Fi profile.
To create an enrollment profile:
1. In the Configuration Manager console, click Assets and Compliance > Overview > All Corporate-owned
Device > Windows > Enrollment Profiles.
2. Right-click Enrollment Profile and then click Create Profile.
3. In the Create Enrollment Profile wizard, enter a name for the profile, make sure On-Premises is selected for
Management Authority, and then click Next.
4. Select site code, and click Next.
5. Select Intranet Only, select the enrollment proxy points the device will use to initiate the enrollment process, and
then click Next.
6. Select the certificate profile containing the trusted root certificate (this is the profile you created in Create a
certificate profile), click Next.
7. Select the Wi-Fi profile containing the necessary network settings for devices to connect to the intranet (this
is the profile you created in Create a Wi-Fi profile) and click Next.
NOTE
If you are not using a Wi-Fi profile for your enrollment package, skip this step.

8. Confirm the settings for the enrollment profile, and click Next. Click Close to exit the wizard.

Create an enrollment package (ppkg) file


The enrollment package is the file you use to bulk-enroll devices for On-premises Mobile Device Management. This
file must be created with Configuration Manager. You can create similar types of packages with Windows Image
and Configuration Designer (ICD), but only packages you create in Configuration Manager can be used to enroll
devices for On-premises Mobile Device Management from start to finish. Packages created with Windows ICD can
only provide the user principal name (UPN) needed for enrollment, but not execute the actual enrollment process.
The process to create the enrollment package requires the Windows Assessment and Deployment Toolkit (ADK) for
Windows 10. On the server running the Configuration Manager console, make sure you have version 1511 of the
Windows ADK installed. For more information, see the ADK section of Download kits and tools for Windows 10.

TIP
If you remove an enrollment package from the Configuration Manager console, it cannot be used to enroll devices. You can
use package removal as a way to manage packages that you no longer want used for bulk-enrolling devices.

To create an enrollment package (ppkg) file:


1. Right-click the profile just created (in Create an enrollment profile), and click Export.
2. Click Browse, find a location you want to save the .ppkg file to, enter a name for the package, and then click
Save.
3. If you want to password-protect the package, click the check box next to Encrypt Package, then click
Export and wait for about 10 seconds for export to complete.

NOTE
If you encrypted the package, Configuration Manager provides a message with the decrypted password in it. Make
sure you save the password information because you will need it to provision the package on devices.

4. Click OK.

Use the package to bulk-enroll a device


You can use the package to enroll devices before or after the device has been provisioned through the out-of-box
experience (OOBE) process. The enrollment package can also be included as part of an original equipment
manufacturer's (OEM's) provisioning package.
The package has to be physically delivered to the device to use it for bulk enrollment. You can deliver the
enrollment package to the device in various ways depending on your needs, including:
Copy from file system
Attach to email
Copy across near field communication (NFC) connection
Copy from memory card
Scan barcode
Copy from a tethered device
Include in OEM provisioning package
To bulk-enroll a device:
1. On the device to be enrolled, find the enrollment package (using File Explorer) and double-click the .ppkg file.
2. Click Yes in the User Account Control message.
3. In the dialog asking you if the package is from a source you trust, click Yes, add it.
The enrollment process starts and takes about 5 minutes.
4. Open Settings.
5. Click Accounts > Work access. When enrollment is successful, you see an account under CompanyApps.
6. Click the account, and then click Sync, which starts management with Configuration Manager.

Verify enrollment of device


You can verify that devices have been successfully enrolled in the Configuration Manager console.
1. Start the Configuration Manager console.
2. Click Assets and Compliance > Overview > Devices. The enrolled device appears in the list.
Manage devices for On-premises Mobile Device
Management
3/6/2017 • 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


You can manage computers and devices with System Center Configuration Manager On-premises Mobile Device
Management (MDM). To do so, the devices need to be enrolled so that Configuration Manager can communicate
with the devices for management tasks.
Managing devices in on-premises MDM is the same as managing devices in a hybrid MDM environment. Manage
devices in hybrid MDM provides detailed information about device management.
Manage applications for On-premises Mobile Device
Management
3/6/2017 • 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


When you manage devices through On-premises Mobile Device Management (MDM) in Configuration Manager,
you can manage certain additional application types. Managing applications in on-premises MDM is the same as
managing apps in a hybrid MDM environment.
Manage mobile applications provides detailed information about creating and managing applications using hybrid
MDM or on-premises MDM.
Protect data and devices in On-premises Mobile
Device Management
3/6/2017 • 1 min to read

Applies to: System Center Configuration Manager (Current Branch)


You want your users to be able to securely access your organization's resources, so that both your infrastructure
and your data are protected from exposure or malicious attack.
Follow the same guidance for hybrid MDM deployments (listed below) to help protect your organization's
resources:
Create Wi-Fi profiles
Create PFX certificate profiles
Create VPN profiles
Create email profiles
Manage mobile devices with System Center
Configuration Manager and Exchange
3/14/2017 • 6 min to read

Applies to: System Center Configuration Manager (Current Branch)


Use the Exchange Server connector in System Center Configuration Manager when you want to manage mobile
devices that connect to Exchange Server (on-premises or online) by using the Microsoft Exchange ActiveSync
protocol, and you cannot enroll them by using Configuration Manager. You can configure Exchange mobile
device management features, such as remote device wipe and settings control for multiple Exchange servers,
from the Configuration Manager console.

When you manage mobile devices by using the Exchange Server connector, this does not install the
Configuration Manager client on the mobile devices. Some management functions are therefore limited. For
example, you cannot install software on these devices or use configuration items to configure these devices. For
more information about the various management capabilities that you can use with Configuration Manager for
mobile devices, see Choose a device management solution for System Center Configuration Manager.

IMPORTANT
Before you install the Exchange Server connector, confirm that Configuration Manager supports the version of Microsoft
Exchange that you are using. For more information, see "Exchange Server connector" in Supported operating systems for
sites and clients for System Center Configuration Manager.

When you use the Exchange Server connector, mobile devices are managed by the settings that you
configure in Configuration Manager instead of by the default Exchange ActiveSync mailbox policies. Define
the settings that you want to manage in the following settings groups: General, Password, Email
Management, Security, and Application. For example, in the Password group you can configure whether
mobile devices require a password, the minimum password length, password complexity, and whether
password recovery is allowed.

When you configure at least one setting in a group, Configuration Manager manages all settings in that group
for mobile devices. If you do not configure any setting in a group, Exchange continues to manage the mobile
devices for those settings. Any Exchange ActiveSync mailbox policies that are configured on the Exchange Server
and assigned to users are still applied.

You can also configure the Exchange Server connector to manage the Exchange access rules and to allow, block, or
quarantine mobile devices. You can remotely wipe mobile devices from the Configuration Manager console,
and users can remotely wipe their own mobile devices from the Application Catalog.

A user's mobile device appears in the Application Catalog automatically when the Exchange Server connector
manages it and the Exchange Server is on-premises. When you configure the Exchange Server connector for
Microsoft Exchange Online, you must manually configure user device affinity for the user's mobile device to
appear in the Application Catalog. For more information about how to manually configure user device affinity,
see Link users and devices with user device affinity in System Center Configuration Manager.

TIP
If you manage a mobile device by using the Exchange Server connector and the mobile device is transferred to another
user, delete the mobile device from the Configuration Manager console before the new owner of the mobile device
configures his or her Exchange account on this transferred mobile device.

Required Security Permissions


You must have the following security permissions to configure the Exchange Server connector:
To add, modify, and delete the Exchange Server connector: Modify permission for the Site object.
To configure the mobile device settings: ModifyConnectorPolicy permission for the Site object.
The Full Administrator security role includes the required permissions to configure the Exchange Server
connector.
You must have the following security permissions to manage mobile devices:
To wipe a mobile device: Delete resource for the Collection object.
To cancel a wipe command: Modify resource for the Collection object.
To allow and block mobile devices: Modify resource for the Collection object.
The Operations Administrator security role includes the required permissions to manage mobile devices
by using the Exchange Server connector.
For more information about how to configure security permissions, see Configure role-based
administration for System Center Configuration Manager.

Installing and Configuring an Exchange Server Connector


Use the following procedure to install and configure an Exchange Server connector to manage mobile devices.
Configuration Manager supports only one connector in an Exchange organization. After you complete these
steps, you can monitor the mobile devices that are found and managed by the connector when you view the
collections that display mobile devices, and by using the reports for mobile devices.
NOTE
Configuration Manager generates names for the mobile devices that it finds by using the format UserName_DeviceType. If
a user has more than one mobile device that has the same device type, Configuration Manager displays the same name for
these mobile devices in the console and in reports.

To install and configure an Exchange Server connector


1. Decide which account will connect to the Exchange Client Access server to manage the mobile devices. The
account can be the computer account of the site server or a Windows user account. Then, configure this
account to run the following Exchange Server cmdlets:
Clear-ActiveSyncDevice
Get-ActiveSyncDevice
Get-ActiveSyncDeviceAccessRule
Get-ActiveSyncDeviceStatistics
Get-ActiveSyncMailboxPolicy
Get-ActiveSyncOrganizationSettings
Get-ExchangeServer
Get-Recipient
Set-ADServerSettings
Set-ActiveSyncDeviceAccessRule
Set-ActiveSyncMailboxPolicy
Set-CASMailbox
New-ActiveSyncDeviceAccessRule
New-ActiveSyncMailboxPolicy
Remove-ActiveSyncDevice

NOTE
The following Exchange Server management role groups include these cmdlets: Recipient Management, View-Only
Organization Management, and Server Management. Each of these role groups grants considerably more than the listed
cmdlets, so protect the connector account as you would any privileged Exchange account. For more information about
management role groups in Microsoft Exchange Server 2010, see Understanding Management Role Groups.

TIP
If you try to install or use the Exchange Server connector without the required cmdlets, you will see an error logged
with the message Invoking cmdlet <cmdlet> failed in the EasDisc.log file on the site server computer.
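The following check is an added example and is not part of the Configuration Manager documentation or product. Run in the Exchange Management Shell on an on-premises Exchange server before you install the connector, it confirms that the account chosen in step 1 holds management roles covering every cmdlet listed above, and names the built-in roles that would supply any cmdlet that is missing. It assumes the connector runs as a Windows user account rather than the site server's computer account, that `CONTOSO\svc-cmexchange` is a placeholder for that account, and that `EffectiveUserName` on a role assignment matches the user object's `Name`.

```powershell
# Added example, not from the Configuration Manager documentation or product.
# Run in the Exchange Management Shell (on-premises Exchange) before installing the connector.
# Assumptions: the connector runs as a Windows user account (not the site server's computer
# account); 'CONTOSO\svc-cmexchange' is a placeholder for that account.

# The cmdlets the connector account must be able to run, exactly as listed in step 1.
$RequiredCmdlets = @(
    'Clear-ActiveSyncDevice', 'Get-ActiveSyncDevice', 'Get-ActiveSyncDeviceAccessRule',
    'Get-ActiveSyncDeviceStatistics', 'Get-ActiveSyncMailboxPolicy',
    'Get-ActiveSyncOrganizationSettings', 'Get-ExchangeServer', 'Get-Recipient',
    'Set-ADServerSettings', 'Set-ActiveSyncDeviceAccessRule', 'Set-ActiveSyncMailboxPolicy',
    'Set-CASMailbox', 'New-ActiveSyncDeviceAccessRule', 'New-ActiveSyncMailboxPolicy',
    'Remove-ActiveSyncDevice'
)

function Test-ConnectorAccountCmdlets {
    param(
        [Parameter(Mandatory)][string]$Account,
        [string[]]$Cmdlets = $RequiredCmdlets
    )

    # Resolve the account once. Assumption: the connector talks to Exchange over remote
    # PowerShell (the "Failed to open runspace" messages in EasDisc.log suggest this), so the
    # account also needs remote PowerShell enabled.
    $user = Get-User -Identity $Account -ErrorAction Stop
    if (-not $user.RemotePowerShellEnabled) {
        Write-Warning "$Account has remote PowerShell disabled (Set-User -RemotePowerShellEnabled `$true)."
    }

    # Roles the account holds directly or through role groups / USGs. -GetEffectiveUsers expands
    # group membership; only enabled, non-delegating assignments actually grant cmdlet access.
    # Assumption: EffectiveUserName carries the user object's Name as returned by Get-User.
    $roles = Get-ManagementRoleAssignment -GetEffectiveUsers -Enabled $true -Delegating $false |
        Where-Object { $_.EffectiveUserName -eq $user.Name } |
        ForEach-Object { $_.Role.ToString() } |
        Sort-Object -Unique

    foreach ($cmdlet in $Cmdlets) {
        # A role grants a cmdlet when it contains the role entry "<Role>\<Cmdlet>".
        $grantedBy = foreach ($role in $roles) {
            if (Get-ManagementRoleEntry -Identity "$role\$cmdlet" -ErrorAction SilentlyContinue) { $role }
        }
        [pscustomobject]@{
            Cmdlet         = $cmdlet
            Granted        = [bool]$grantedBy
            GrantedBy      = (@($grantedBy) -join ', ')
            # Built-in roles containing the cmdlet, listed only when the account lacks it.
            CandidateRoles = $(if ($grantedBy) { '' }
                               else { @(Get-ManagementRole -Cmdlet $cmdlet | Select-Object -ExpandProperty Name) -join ', ' })
        }
    }
}

$report = Test-ConnectorAccountCmdlets -Account 'CONTOSO\svc-cmexchange'
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Granted }) {
    Write-Warning 'Missing cmdlets: the connector will log "Invoking cmdlet <cmdlet> failed" in EasDisc.log.'
}
```

The role groups named in the note grant far more than these fifteen cmdlets. Exchange RBAC lets you build a narrower role instead (New-ManagementRole with a parent role, Remove-ManagementRoleEntry to trim it, New-ManagementRoleAssignment to assign it), but because the cmdlets span several parent roles, re-run this check after any such change so the connector does not fail on the first cmdlet you trimmed away.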

2. In the Configuration Manager console, click Administration.


3. In the Administration workspace, expand Hierarchy Configuration, and then click Exchange Server
Connectors.
4. On the Home tab, in the Create group, click Add Exchange Server.
5. Complete the Add Exchange Server wizard:
If you use an on-premises instance of Exchange Server and specify a Client Access Server, you can
specify a single server or a Client Access Server array for each Active Directory site. If the server or
the array is offline, Configuration Manager tries to discover a Client Access Server to use. If that
fails, Configuration Manager falls back to using a mailbox server to make a connection to a Client
Access Server. Retries are logged as warnings in the EasDisc.log file on the site server computer; for
example, search for Failed to open runspace for site <site_name>.
For the Exchange Server Connector Account, specify the account that you configured in step 1.
If you also enroll mobile devices by using Configuration Manager, enable the option External
mobile device management so that these mobile devices continue to receive email from
Exchange after Configuration Manager enrolls them.
On the Account page of the wizard, you can configure the account used to send email notifications
to users whose devices are blocked by Configuration Manager conditional access. The account you specify
must have a valid mailbox on the Exchange server.
For more information, see Manage access to services in System Center Configuration Manager.
6. You can verify the installation of the Exchange Server connector by using status messages and by
reviewing the log files:
To confirm that Site Component Manager successfully installed the Exchange Server connector, look
for the status ID 1015 for the SMS_EXCHANGE_CONNECTOR component. If Configuration
Manager cannot successfully install the connector (for example, because the specified Client Access
Server computer is offline), Configuration Manager retries the installation every 60 minutes until
the installation succeeds or you remove the Exchange Server connector.
On the site server computer, open the SiteComp.log file and search for
Component SMS_EXCHANGE_CONNECTOR flagged for installation. A successful installation is then logged
with the following text: STATMSG: ID=1015.
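The script below is an added example, not part of the Configuration Manager documentation or product. It parses the two site server logs this procedure refers to (SiteComp.log in step 6, EasDisc.log in step 5 and in the tip under step 1) and reports whether the markers named on this page are present: the component flagged for installation, status message 1015, the Failed to open runspace retries, and any Invoking cmdlet <cmdlet> failed errors. It assumes the logs use the CMTrace entry format shown in the comments; the sample log text is constructed and abbreviated for the example, not copied from a real site server, and the file path in the closing comment is the default installation location, which you should adjust for your site.

```powershell
# Added example, not from the Configuration Manager documentation or product: check the
# site server logs named in steps 5 and 6 for the markers the page says to search for.
# Assumption: entries use the CMTrace format
#   <![LOG[message]LOG]!><time="hh:mm:ss.fff+zzz" date="mm-dd-yyyy" component="..." context="" type="N" thread="..." file="...">
# where type 1 = informational, 2 = warning, 3 = error. Messages can span lines, so the whole
# file is matched at once in Singleline mode.
function Get-CMLogEntry {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Content)
    $pattern = '<!\[LOG\[(?<Message>.*?)\]LOG\]!><time="(?<Time>[^"]*)"\s+date="(?<Date>[^"]*)"\s+component="(?<Component>[^"]*)"\s+context="[^"]*"\s+type="(?<Type>\d)"'
    foreach ($m in [regex]::Matches($Content, $pattern, 'Singleline')) {
        [pscustomobject]@{
            Date      = $m.Groups['Date'].Value
            Time      = $m.Groups['Time'].Value
            Component = $m.Groups['Component'].Value
            Severity  = switch ($m.Groups['Type'].Value) { '2' { 'Warning' } '3' { 'Error' } default { 'Info' } }
            Message   = $m.Groups['Message'].Value
        }
    }
}

function Test-ExchangeConnectorLogs {
    param(
        [Parameter(Mandatory)][string]$SiteCompLog,   # contents of SiteComp.log
        [Parameter(Mandatory)][string]$EasDiscLog     # contents of EasDisc.log
    )
    $siteComp = @(Get-CMLogEntry -Content $SiteCompLog)
    $easDisc  = @(Get-CMLogEntry -Content $EasDiscLog)

    # Step 6: Site Component Manager flags the component, then logs status message 1015 on success.
    $flagged   = @($siteComp | Where-Object { $_.Message -like 'Component SMS_EXCHANGE_CONNECTOR flagged for installation*' })
    $installed = @($siteComp | Where-Object { $_.Message -like '*STATMSG: ID=1015*' })

    # Step 5: connection retries are logged as warnings that name the Active Directory site.
    $retrySites = foreach ($e in $easDisc) {
        if ($e.Message -match '^Failed to open runspace for site (\S+)') { $Matches[1] }
    }
    # Tip under step 1: the connector account lacks a cmdlet it needs.
    $failedCmdlets = foreach ($e in $easDisc) {
        if ($e.Message -match '^Invoking cmdlet (\S+) failed') { $Matches[1] }
    }

    [pscustomobject]@{
        FlaggedForInstall  = [bool]$flagged
        InstallSucceeded   = [bool]$installed
        InstalledAt        = $(if ($installed) { "$($installed[-1].Date) $($installed[-1].Time)" } else { $null })
        RunspaceRetrySites = @($retrySites | Sort-Object -Unique)
        FailedCmdlets      = @($failedCmdlets | Sort-Object -Unique)
        EasDiscErrorCount  = @($easDisc | Where-Object { $_.Severity -eq 'Error' }).Count
    }
}

# Constructed, abbreviated sample log text (not from a real site server) so the example runs offline.
$sampleSiteComp = @'
<![LOG[Component SMS_EXCHANGE_CONNECTOR flagged for installation.]LOG]!><time="09:01:02.117+300" date="03-21-2016" component="SMS_SITE_COMPONENT_MANAGER" context="" type="1" thread="4120" file="sitecomp.cpp:1234">
<![LOG[STATMSG: ID=1015 SEV=I LEV=M SOURCE="SMS Server" ...]LOG]!><time="09:01:09.440+300" date="03-21-2016" component="SMS_SITE_COMPONENT_MANAGER" context="" type="1" thread="4120" file="sitecomp.cpp:1250">
'@
$sampleEasDisc = @'
<![LOG[Failed to open runspace for site CONTOSO-HQ]LOG]!><time="09:05:31.002+300" date="03-21-2016" component="SMS_EXCHANGE_CONNECTOR" context="" type="2" thread="5012" file="easdisc.cpp:410">
<![LOG[Invoking cmdlet Get-ActiveSyncDevice failed]LOG]!><time="09:05:33.518+300" date="03-21-2016" component="SMS_EXCHANGE_CONNECTOR" context="" type="3" thread="5012" file="easdisc.cpp:655">
'@

Test-ExchangeConnectorLogs -SiteCompLog $sampleSiteComp -EasDiscLog $sampleEasDisc | Format-List
# Against a live site server pass the real file contents, for example (default install path, adjust as needed):
#   -SiteCompLog (Get-Content -Raw 'C:\Program Files\Microsoft Configuration Manager\Logs\SiteComp.log')
```

On the constructed sample the result shows FlaggedForInstall and InstallSucceeded true, one retry site (CONTOSO-HQ) and one failed cmdlet (Get-ActiveSyncDevice), which is the combination you would see when the connector installed but its account lacks a required role entry. A non-empty FailedCmdlets list points back to the permissions in step 1; a growing RunspaceRetrySites list points to the Client Access Server or array specified in step 5.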
