Hybrid mobile device management (MDM) with System Center Configuration Manager and Microsoft Intune
3/6/2017 • 1 min to read
New in Microsoft Intune
In general, all the features listed under this category should work with all Configuration Manager releases, including System Center 2012 R2 Configuration Manager releases, since these features only require the Intune service and do not require additional functionality in Configuration Manager.
New in Configuration Manager Technical Preview
All the features listed under this category only work with the specified Technical Preview release. To try out these features, you must install the Technical Preview version specified in the feature description. For more information, see Technical Preview for System Center Configuration Manager.
New in Configuration Manager (current branch)
All the features listed under this category only work with the specified version of Configuration Manager (current branch), such as version 1511 or 1602. If you're using an older version of Configuration Manager for your hybrid deployment, you must upgrade to the Configuration Manager (current branch) version specified in the feature description. For more information, see Upgrade to System Center Configuration Manager.
The table of remote device actions did not survive extraction (its column headers are lost). The actions it listed are: Retire/wipe (remove all data); Remove a remote device; Remove device (local and remote); New or updated app deployments; Install available line-of-business apps; Device passcode reset; Remote lock; Passcode reset.
Notices
System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager (RTM): Support for hybrid mobile device management ending on April 10, 2017
January 11, 2017
Support for System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager
RTM ended on July 12, 2016. Subsequently, support for these releases connecting to the Microsoft Intune service
for hybrid MDM ends on April 10, 2017. After this date, hybrid MDM will stop functioning with these releases.
Managed devices will essentially become unmanaged as the Intune Connector will no longer connect to the Intune
service. Configuration Manager data (such as policies and applications) will not flow up to Intune and managed
device data will not flow down to Configuration Manager until an upgrade takes place.
If you're running a hybrid deployment with Configuration Manager 2012 SP1 or R2 RTM, we recommend that
before April 10, 2017 you upgrade to Configuration Manager (current branch) or the latest supported service pack
for Configuration Manager 2012 (either R2 SP1 or SP2) to avoid disruption of service.
Additional resources:
Upgrade to System Center Configuration Manager (current branch)
Planning to upgrade to System Center 2012 R2 Configuration Manager SP1
Planning to upgrade to System Center 2012 Configuration Manager SP2
Windows Phone 8 Company Portal upload deprecated
October 25, 2016
The ability to upload a signed Company Portal app has been removed from the Configuration Manager console, as
Intune support is being deprecated for Windows 8, Windows Phone 8, and Windows RT, and support for the
Windows Phone 8 Company Portal is ending in November. Windows 8, Windows Phone 8, and Windows RT
devices that are already enrolled will continue to be supported, but enrolling additional devices with these
platforms will not be supported.
See Also
Past hybrid MDM features
What's new for MDM in System Center 2012 Configuration Manager
Plan for hybrid mobile device management (MDM) with System Center Configuration Manager and Microsoft Intune
3/6/2017 • 1 min to read
For a series of questions that help you find the right method, see Choose how to enroll devices.
BYOD
"Bring your own device" (BYOD) users install the Company Portal app and enroll their device. This can let users connect to the company network, joining the domain or Azure Active Directory. Enabling BYOD enrollment is a prerequisite for many COD scenarios on most platforms. See Set up hybrid MDM. (Back to the table)
Corporate-owned devices
Corporate-owned devices (COD) can be managed with the Configuration Manager console. iOS devices can be
enrolled directly through tools provided by Apple. All device types can be enrolled by an admin or manager using
the device enrollment manager. Devices with an IMEI number can also be identified and tagged as company-
owned to enable COD scenarios.
Enroll corporate-owned devices
DEM
Device enrollment manager is a special user account used to enroll and manage multiple corporate-owned devices.
Managers can install the Company Portal and enroll many user-less devices. Learn more about DEM. (Back to the
table)
DEP
Apple Device Enrollment Program (DEP) management lets you create and deploy policy “over the air” to iOS
devices purchased and managed with DEP. The device is enrolled when the user turns on the device for the first
time and runs the iOS Setup Assistant. This method supports iOS Supervised mode which in turn enables:
Locked enrollment
Conditional access
Jailbreak detection
Mobile application management
Learn more about DEP. (Back to the table)
USB-SA
USB-connected, Setup Assistant enrollment. The admin creates a policy and exports it to Apple Configurator. USB-
connected, corporate-owned devices are prepared with policy. The admin must enroll each device by hand. Users
receive their devices and run Setup Assistant, enrolling their device. This method supports iOS Supervised mode
which in turn enables:
Conditional access
Jailbreak detection
Mobile application management
Learn more about Setup Assistant enrollment with Apple Configurator. (Back to the table)
STEPS - DETAILS
Step 1: Create an MDM collection - Create a Configuration Manager user collection with users whose devices can be enrolled.
Step 2: Domain name requirements - Confirm that your organization's domain name service (DNS) and Active Directory user management meet MDM requirements.
Step 3: Configure Intune Subscription - The Intune service lets you manage devices over the Internet.
Step 4: Add terms and conditions - Create terms and conditions to which users must agree before they can use the Company Portal app.
Step 5: Create service connection point - The service connection point sends settings and software deployment information to Configuration Manager and retrieves status and inventory messages from mobile devices.
Step 6: Enable platform enrollment - MDM enrollment for iOS and Windows devices requires additional steps for communication between the service and devices. Android requires no additional configuration.
Step 7: Set up additional management (Optional) - Set up configuration items and conditional access for enrolled devices.
Step 8: Verify MDM configuration - View log files to confirm that the service connection point was created successfully and user accounts are synchronizing.
Enroll devices
After hybrid setup is complete, devices can be enrolled in Configuration Manager in a number of ways:
Company-owned (COD) devices: Enroll company-owned devices provides guidance on different platform-
specific ways to enroll company-owned devices.
User-owned (BYOD) devices: Enroll user-owned (BYOD) devices provides guidance on ways to enroll user-
owned devices.
Create an MDM collection with System Center Configuration Manager and Microsoft Intune
3/6/2017 • 1 min to read
NOTE
To enroll devices with Intune, you do not need to assign licenses to users in the Office 365 portal or Azure Active Directory
portal. Including the users in a collection that gets associated with the Intune subscription (in a later step) is all that's
required.
For testing purposes you can set up a Direct rule and add the specific users who may enroll devices. In the Configuration Manager console, choose Assets and Compliance > User Collections; on the Home tab, in the Create group, click Create User Collection. For broader distribution you should use Query rules to define users, so membership follows the directory rather than a hand-maintained list. For more information about collections, see How to create collections.
Confirm domain name requirements with System Center Configuration Manager and Microsoft Intune
3/6/2017 • 1 min to read
IMPORTANT
Creating a subscription for Microsoft Intune in Configuration Manager will put your site's service connection point in "online
mode." See About the service connection point in System Center Configuration Manager.
IMPORTANT
Once you select Configuration Manager as your management authority, you cannot change the management
authority to Microsoft Intune in the future.
3. Click the privacy links to review them, and then click Next.
4. On the General page, specify the following options, and then click Next.
Collection: Specify a user collection that contains users who will enroll their mobile devices.
NOTE
If a user is removed from the collection, the user's device will continue to be managed for up to 24 hours, until the user record is removed from the user database.
NOTE
Changing the site code affects only new enrollments and does not affect existing enrolled devices.
5. On the Company Contact Information page, specify the company contact information that is displayed to
users under Contact IT in the Company Portal app. Provide contact information for your company, and
then click Next.
6. On the Company Logo page, you can choose whether to display logos in the company portal, and then
click Next.
7. Complete the wizard.
Add Terms and Conditions with System Center Configuration Manager
3/6/2017 • 4 min to read
NOTE
If you deploy a set of terms to multiple user collections to which a user belongs, that user will see multiple copies of
identical terms when opening Company Portal. Since users can only accept or decline all terms, there is no danger of
being in an ambiguous acceptance state where the user has both accepted and rejected the terms. The Terms and
Conditions acceptance report will include only one row for each set of terms for each user, so there is no error in the
report.
NOTE
The service connection point site system role may only be installed on a central administration site or stand-alone primary
site. The service connection point must have Internet access.
How does the service connection point authenticate with the Microsoft
Intune service?
The service connection point extends Configuration Manager by establishing a connection to the cloud-based
Intune service that manages mobile devices over the Internet. The service connection point authenticates with the
Intune service as follows:
1. When you create an Intune subscription in the Configuration Manager console, the Configuration Manager
admin is authenticated by connecting to Azure Active Directory, which redirects to the respective ADFS
server to prompt for user name and password. Then, Intune issues a certificate to the tenant.
2. The certificate from step 1 is installed on the service connection point site role and is used to authenticate
and authorize all further communication with the Microsoft Intune service.
Enable platform enrollment with System Center Configuration Manager and Microsoft Intune
3/6/2017 • 1 min to read
NOTE
Do not upload the Apple Push Notification service (APNs) certificate until you enable iOS enrollment in the
Configuration Manager console.
c. In the Microsoft Intune Subscription Properties dialog box, select the iOS tab and click to select
the Enable iOS enrollment checkbox.
d. Click Browse, and go to the APNs certificate (.cer) file downloaded from Apple. Configuration
Manager displays the APNs certificate information. Click OK to save the APNs certificate to Intune.
Once you're set up, you'll need to let your users know how to enroll their devices. See What to tell users
about enrolling their devices. This information applies to both Microsoft Intune and Configuration
Manager-managed mobile devices.
Set up Windows hybrid device management with System Center Configuration Manager and Microsoft Intune
3/14/2017 • 4 min to read
Automatic enrollment
Automatic enrollment lets users enroll either company-owned or personal Windows 10 devices by adding a work
or school account and agreeing to be managed. In the background, the user's device registers and connects with
Azure Active Directory. Once registered, the device can be managed with Intune. Managed devices can still use the
Company Portal for tasks, but don't have to install it to become enrolled.
Prerequisites
Azure Active Directory Premium subscription (trial subscription)
Microsoft Intune subscription
Configure automatic enrollment
1. Sign in to the Azure portal, navigate to the Active Directory node in the left pane, and select your directory.
2. Select the Configure tab and scroll to the section called Devices.
3. Select All for Users may workplace join devices.
4. Select the maximum number of devices you want to authorize per user.
By default, two-factor authentication is not enabled for the service. However, two-factor authentication is
recommended when registering a device. Before requiring two-factor authentication for this service, you must
configure a two-factor authentication provider in Azure Active Directory and configure your user accounts for
multi-factor authentication. See Getting started with the Azure Multi-Factor Authentication Server.
NOTE
DEP with user affinity requires ADFS WS-Trust 1.3 Username/Mixed endpoint to be enabled to
request user token.
No user affinity: The device is not affiliated with a user. Use this affiliation for devices that
perform tasks without accessing local user data. Apps requiring user affiliation won’t work.
b. On the Device Enrollment Program page, specify the following information, and then click Next.
Department: This information appears when users tap "About Configuration" during
activation.
Support phone number: Displayed when the user clicks the Need Help button during
activation.
Preparation mode: This state is set during activation and cannot be changed without factory
resetting the device:
Unsupervised - Limited management capabilities
Supervised - Enables more management options and disables Activation Lock by
default
Lock enrollment profile to device: This state is set during activation and cannot be changed
without a factory reset.
Disable - Allows the management profile to be removed from the Settings menu
Enable - (Requires Preparation Mode = Supervised) Disables iOS settings that
could allow removal of the management profile
c. On the Setup Assistant page, configure the settings that customize the iOS Setup Assistant that
starts when the device is first powered on, and then click Next. These settings include:
Passcode - Prompt for passcode during activation. Always require a passcode unless the device will be secured or have access controlled in some other manner (for example, a kiosk mode that restricts the device to one app).
Location Services - If enabled, Setup Assistant prompts for the service during activation
Restore - If enabled, Setup Assistant prompts for iCloud backup during activation
Apple ID - An Apple ID is required to download iOS App Store apps, including those installed by
Intune. If enabled, iOS will prompt users for an Apple ID when Intune attempts to install an app
without an ID.
Terms and Conditions - If enabled, Setup Assistant prompts users to accept Apple's terms and
conditions during activation
Touch ID - If enabled, Setup Assistant prompts for this service during activation
Apple Pay - If enabled, Setup Assistant prompts for this service during activation
Zoom - If enabled, Setup Assistant prompts for this service during activation
Siri - If enabled, Setup Assistant prompts for this service during activation
Send diagnostic data to Apple - If enabled, Setup Assistant prompts for this service during
activation
d. On the Additional Management page, specify whether a USB connection can be used for
additional management settings. When you select Require certificate, you must import an Apple
Configurator management certificate to use for this profile. Set to Disallow to prevent syncing files
with iTunes or management via Apple Configurator. Microsoft recommends you set to Disallow,
export any further configuration from Apple Configurator, and then deploy as a Custom iOS
configuration profile, rather than use this setting to allow manual deployment with or without a
certificate.
Disallow - Prevents the device from communicating via USB (disables pairing)
Allow - Allows device communicate via USB connection with any PC or Mac
Require certificate - Allows pairing with a Mac with a certificate imported to the enrollment profile
2. Assign DEP Devices for management
Go to the Device Enrollment Program portal (https://deploy.apple.com) and sign in with your company
Apple ID. Go to Deployment Program > Device Enrollment Program > Manage Devices. Specify how
you will Choose Devices, provide device information and specify details by device Serial Number, Order
Number, or Upload CSV File. Next, select Assign to Server and select the <ServerName> that you
specified in step 3, and then click OK.
3. Synchronize DEP-managed devices
In the Assets and Compliance workspace, go to All Corporate-owned Devices > iOS > Device
Information. On the Home tab, click DEP Sync. A sync request is sent to Apple. After synchronization
completes, the DEP-managed devices are displayed. The Enrollment Status for managed devices reads
Not contacted until the device is powered on and runs the Setup Assistant to enroll the device.
4. Distribute devices to users
You can now give your corporate-owned devices to users. When an iOS device is turned on it will be
enrolled for management by Intune.
iOS hybrid enrollment using Apple Configurator with Configuration Manager
3/6/2017 • 4 min to read
Prerequisites
Physical access to iOS devices
Device serial numbers - How to get an iOS serial number
Mac computer with Apple Configurator 2.0
USB cables for connecting devices to your Mac computer
4. In the exported profile URL, replace https://manage.microsoft.com/EnrollmentServer/Discovery.svc/iOS/ESProxy?id= with https://appleconfigurator2.manage.microsoft.com/MDMServiceConfig?id= and leave the id value that follows unchanged.
5. Save the edited profile URL. You will use it to add the enrollment profile URL in Apple Configurator in the
next section.
NOTE
The enrollment profile URL is valid for two weeks from when it is exported. After two weeks, you must export a new URL to
enroll iOS devices.
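As an added example (not code from the original page or from Configuration Manager), the following Python performs the URL edit from the steps above and tracks the two-week validity window from the note. The two URL prefixes are the ones the page gives; the profile id value used at the bottom is a constructed placeholder, and the export date is assumed. The point of the function is the exact-prefix check: an unrelated or already-edited URL is rejected instead of silently mangled, and the id parameter is compared before and after the rewrite.

```python
"""Rewrite an exported hybrid-MDM iOS enrollment profile URL for Apple Configurator 2
and track its two-week validity.

Added example, not from the original page. The two URL prefixes are the ones the
page gives; the id value used below is a constructed placeholder, not a real token.
"""
from datetime import date, timedelta
from urllib.parse import urlsplit, parse_qs

DISCOVERY_PREFIX = "https://manage.microsoft.com/EnrollmentServer/Discovery.svc/iOS/ESProxy?id="
CONFIGURATOR_PREFIX = "https://appleconfigurator2.manage.microsoft.com/MDMServiceConfig?id="
VALID_FOR = timedelta(days=14)   # the page: an exported URL is valid for two weeks


def rewrite_enrollment_url(exported_url: str) -> str:
    """Swap the discovery prefix for the Apple Configurator 2 prefix, keeping the id intact.

    Refuses anything that is not exactly the expected exported URL, so an unrelated or
    already-edited URL is not silently rewritten into something Apple Configurator
    will accept but Intune will not recognise.
    """
    if not exported_url.startswith(DISCOVERY_PREFIX):
        raise ValueError("not an exported Configuration Manager enrollment profile URL")
    profile_id = exported_url[len(DISCOVERY_PREFIX):]
    if not profile_id:
        raise ValueError("exported URL carries no id value")
    rewritten = CONFIGURATOR_PREFIX + profile_id
    # Sanity check: the id query parameter must survive the edit unchanged.
    before = parse_qs(urlsplit(exported_url).query).get("id")
    after = parse_qs(urlsplit(rewritten).query).get("id")
    if before != after:
        raise ValueError("id parameter changed during rewrite")
    return rewritten


def profile_url_expired(exported_on: date, today: date) -> bool:
    """True once the two-week validity window of the exported URL has passed."""
    return today > exported_on + VALID_FOR


if __name__ == "__main__":
    sample = DISCOVERY_PREFIX + "EXAMPLE-PROFILE-ID-0001"   # constructed placeholder id
    print(rewrite_enrollment_url(sample))
    # assumed export date; on 21 March the URL from 6 March is no longer usable
    print(profile_url_expired(date(2017, 3, 6), date(2017, 3, 21)))
```

Record the export date alongside the edited URL; when profile_url_expired returns True, export a new URL from the console rather than retrying the old one.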
WARNING
Apple Configurator wipes and resets devices to factory configurations.
WARNING
This process resets devices to factory configurations. Prior to connecting the device, reset the device and power it on.
As a best practice, the device should be at the Hello screen before continuing.
7. Click Prepare. On the Prepare iOS Device pane, select Manual, and then click Next.
8. On the Enroll in MDM Server pane, select the server name you created, and then click Next.
9. On the Create an Organization pane, choose the Organization or create a new organization, and then
click Next.
10. On the Configure iOS Setup Assistant pane, choose the steps to present to the user, and then click
Prepare. If prompted, authenticate to update trust settings.
11. When finished, you can disconnect the USB cable.
Repeat these steps for all the devices you want to prepare for enrollment.
Do not include a header row in your .csv file. Each row has the following columns, in this order: IMEI number without spaces; iOS serial number; platform (IOS, WINDOWS, or ANDROID); optional device details (1024 character limit).
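The following Python, an added example rather than code from the original page or from Configuration Manager, builds and validates a hardware-ID .csv in the four-column, header-less layout described above. It checks what the console would otherwise reject or silently misfile: spaces in the IMEI, a wrong IMEI length or check digit (the Luhn check is the standard IMEI check digit), an unknown platform name, and details beyond the 1024-character limit. The device values in SAMPLE_ROWS are constructed; 490154203237518 is the well-known Luhn-valid example IMEI, not a real device.

```python
"""Build and validate the header-less hardware-ID .csv that Configuration Manager
imports for predeclared corporate-owned devices.

Added example, not from the original page. Column order follows the page:
IMEI (no spaces), iOS serial number, platform (IOS, WINDOWS or ANDROID), optional
details (1024-character limit). The Luhn check is the standard IMEI check digit;
the sample device values below are constructed, not real devices.
"""
import csv
import io

PLATFORMS = {"IOS", "WINDOWS", "ANDROID"}
DETAILS_LIMIT = 1024
IMEI_LENGTH = 15


def luhn_valid(digits: str) -> bool:
    """Return True if digits pass the Luhn check used for the IMEI check digit."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_row(imei: str, serial: str, platform: str, details: str = "") -> list:
    """Return a list of problems with one row; an empty list means the row is usable."""
    errors = []
    if not imei and not serial:
        errors.append("row needs an IMEI or a serial number")
    if imei:
        if " " in imei:
            errors.append("IMEI must not contain spaces")
        elif len(imei) != IMEI_LENGTH or not imei.isdigit():
            errors.append("IMEI must be exactly 15 digits")
        elif not luhn_valid(imei):
            errors.append("IMEI fails the Luhn check digit")
    if serial and not serial.isalnum():
        errors.append("serial number must be alphanumeric")
    if platform not in PLATFORMS:
        errors.append("platform must be one of IOS, WINDOWS, ANDROID")
    if len(details) > DETAILS_LIMIT:
        errors.append("details exceed the 1024-character limit")
    return errors


def build_csv(rows) -> str:
    """Serialize (imei, serial, platform, details) tuples to CSV text with no header row.

    Raises ValueError on the first invalid row so a bad file is never produced.
    """
    for n, row in enumerate(rows, start=1):
        problems = validate_row(*row)
        if problems:
            raise ValueError(f"row {n}: " + "; ".join(problems))
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample data (not real devices). 490154203237518 is the well-known
# Luhn-valid example IMEI; the serial numbers are made up.
SAMPLE_ROWS = [
    ("490154203237518", "", "ANDROID", "Warehouse scanner Berlin"),
    ("", "C02ABC123DEF", "IOS", "Sales iPad"),
    ("", "0123456789", "WINDOWS", ""),
]

if __name__ == "__main__":
    print(build_csv(SAMPLE_ROWS), end="")
```

Write the returned text to a file with a .csv extension and import it with Predeclare hardware ID; because build_csv refuses the whole batch on the first bad row, fix the reported row and rerun rather than importing a partial file.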
Manage iOS Activation Lock with System Center Configuration Manager
3/6/2017 • 3 min to read
TIP
Supervised mode for iOS devices lets you use the Apple Configurator Tool to lock down a device to limit functionality to
specific business purposes. Supervised mode is generally only for corporate-owned devices.
While Activation Lock helps secure iOS devices and improves the chances of recovery if they are lost or stolen, this capability can present you, as an IT admin, with a number of challenges. For example:
One of your users sets up Activation Lock on a device. The user then leaves the company and returns the device.
Without the user's Apple ID and password, there is no way to reactivate the device, even if you wipe it.
You need a report of all devices that have Activation Lock enabled.
During a device refresh in your organization, you want to reassign some devices to a different department. You
can only reassign devices that do not have Activation Lock enabled.
To help solve these problems, Apple introduced Activation Lock bypass in iOS 7.1. This lets you remove the
Activation Lock from supervised devices without the user's Apple ID and password. Supervised devices can
generate a device-specific Activation Lock bypass code, which is stored on Apple's activation server.
You can read more about Activation Lock here.
IMPORTANT
You cannot bypass Activation Lock on unsupervised devices.
IMPORTANT
Ensure you are in physical possession of the device before you follow this procedure. If you do not, the Activation Lock will
be bypassed and whoever is in possession of the device will have full access to it, allowing them to turn off Find My iPhone,
erase the device, or reactivate it.
You can only bypass Activation Lock or retrieve the Activation Lock bypass code on supervised devices; trying to
bypass activation lock on an unsupervised device or view the bypass code results in an error.
Full Wipe
You might issue a wipe command to a device when you need to secure a lost device or when you retire a device
from active use.
Issue a full wipe to a device to restore the device to its factory defaults. This removes all company and user data
and settings. You can do a full wipe on Windows Phone, iOS, Android, and Windows 10 devices.
NOTE
Wiping Windows 10 devices on versions earlier than version 1511 with less than 4 GB of RAM might leave the device
unresponsive. Learn more.
Selective Wipe
Issue a selective wipe to a device to remove only company data. The following table describes by platform what
data is removed and the effect on data that remains on the device after a selective wipe.
iOS
Content removed when retiring a device - Effect
Company apps and associated data installed by using Configuration Manager and Intune - Apps are uninstalled. Company app data is removed.
Email profiles - For email profiles provisioned by Intune, the email account and email are removed.
(The platform column headers for the following row were lost in extraction; the two columns are given in order, separated by |.)
Company apps and associated data installed by using Configuration Manager and Intune - Apps and data remain installed. | Apps are uninstalled.
Windows 10, Windows 8.1 and Windows RT 8.1 | Windows RT
Company apps and associated data installed by using Configuration Manager and Intune - Apps are uninstalled and sideloading keys are removed. Apps using Windows Selective Wipe will have the encryption key revoked and data will no longer be accessible. | Sideloading keys are removed but apps remain installed.
Management agent - Not applicable. Management agent is built-in. | Not applicable. Management agent is built-in.
Windows 10 Mobile and Windows Phone 8.1
Company apps and associated data installed by using Configuration Manager and Intune - Apps are uninstalled. Company app data is removed.
VPN and Wi-Fi profiles - Removed for Windows 10 Mobile and Windows Phone 8.1
The following settings are also removed from Windows 10 Mobile and Windows Phone 8.1 devices:
Require a password to unlock mobile devices
Allow simple passwords
Minimum password length
Required password type
Password expiration (days)
Remember password history
Number of repeated sign-in failures to allow before the device is wiped
Minutes of inactivity before password is required
Required password type – minimum number of character sets
Allow camera
Require encryption on mobile device
Allow removable storage
Allow web browser
Allow application store
Allow screen capture
Allow geolocation
Allow Microsoft Account
Allow copy and paste
Allow Wi-Fi tethering
Allow automatic connection to free Wi-Fi hotspots
Allow Wi-Fi hotspot reporting
Allow factory reset
Allow Bluetooth
Allow NFC
Allow Wi-Fi
To initiate a remote wipe from the Configuration Manager console
1. In the Configuration Manager console, click Assets and Compliance and select Devices. Alternatively, you
can click Device Collections and select a collection.
2. Select the device that you want to retire/wipe.
3. Click Remote Device Actions in the Device Group, and then select Retire/Wipe.
Passcode Reset
If a user forgets their passcode, you can help them by removing the passcode from a device or by forcing a new
temporary passcode on a device. The table below lists how passcode reset works on different mobile platforms.
iOS - Supported for clearing the passcode from a device. Does not create a new temporary passcode.
Remote Lock
If a user loses their device you can lock the device remotely. The following table lists how remote lock works on
different mobile platforms.
iOS - Supported
Android - Supported
Windows RT 8.1 and Windows RT - Supported if the current user of the device is the same user who enrolled the device.
Windows 8.1 - Supported if the current user of the device is the same user who enrolled the device.
(Platform heading lost in extraction)
Name - Device_ComputerSystem.DeviceName
Model - ModelName
Android
NOTE
Android inventory classes are available when using the Android Company Portal app.
Manufacturer - Device_Info.Manufacturer
Model - Device_Info.Model
(Platform heading lost in extraction)
Name - Device_ComputerSystem.DeviceName
Manufacturer - Device_ComputerSystem.DeviceManufacturer
Model - Device_ComputerSystem.DeviceModel
Windows RT
Name - Device_ComputerSystem.DeviceName
Manufacturer - Win32_ComputerSystem.Manufacturer
Model - Win32_ComputerSystem.Model
1 The phone number is masked with * except for the last 4 digits.
For inventory to collect the phone number, the device must have a SIM card inserted, and a phone number provisioned by the carrier to that SIM.
Software inventory for mobile devices enrolled with Microsoft Intune
3/6/2017 • 1 min to read
NOTE
Inventory on the apps installed on mobile devices is collected as part of the hardware inventory process.
Here are the apps that are inventoried for personal-owned or company-owned devices.
Platform - Personal-owned devices | Company-owned devices
Windows 10 (without the Configuration Manager client) - Only managed apps | Only managed apps
Windows 8.1 (without the Configuration Manager client) - Only managed apps | Only managed apps
See Introduction to software inventory and How to configure software inventory for detailed information about
using software inventory to collect file information on client devices.
Managing compliance on devices managed with Intune
3/6/2017 • 4 min to read
TIP
If the setting that you want is not listed, select the Configure additional settings that are not in the default
setting groups check box.
8. On each settings page, configure the settings you require, and whether you want to remediate them when
they are not compliant on devices (when this is supported).
9. For each settings group, you can also configure the severity that will be reported (in Configuration Manager
reports) when a configuration item is found to be noncompliant from:
None - Devices that fail this compliance rule do not report a failure severity.
Information - Devices that fail this compliance rule report a failure severity of Information.
Warning - Devices that fail this compliance rule report a failure severity of Warning.
Critical - Devices that fail this compliance rule report a failure severity of Critical.
Critical with event - Devices that fail this compliance rule report a failure severity of Critical. This severity level is also logged as a Windows event in the application event log.
10. On the Platform Applicability page, review any settings that are not compatible with the supported
platforms you selected earlier. You can go back and remove these settings, or you can continue.
TIP
Unsupported settings are not assessed for compliance.
Minimum password length (characters) - The minimum length for the password.
Password expiration in days - The number of days before a password must be changed.
Number of failed logon attempts before device is wiped - Wipes the device if this number of login attempts fail.
Idle time before device is locked - Specify the amount of time a device can be idle (have no user input) before it is locked.
Password complexity (Windows 10 only) - Choose whether you can specify a PIN such as ‘1234’, or whether you must supply a strong password.
Password complexity - Number of complex character sets required in password (Windows 10 only) - If you selected a Strong password, use this setting to configure the number of complex character sets required. For a strong password, this should be set to at least 3, which means both letters and numbers are required. Select 4 if you want to enforce a password that additionally requires special characters such as (%$.
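To make the character-set setting concrete, here is an added Python example (not code from the original page or from Configuration Manager) that evaluates a passcode against the Password settings above. It treats the four character sets as accumulating in the order digits, lowercase letters, uppercase letters, special characters, so that a requirement of 3 means letters and numbers and 4 adds special characters, as the table describes; that ordering is an assumption consistent with the Windows 10 DeviceLock policy, not something the page spells out. The policy values and sample passcodes are constructed.

```python
"""Evaluate a passcode against the Password settings of a compliance configuration item.

Added example, not from the original page. It models the settings the page lists
(minimum length, PIN-or-Strong complexity, number of required character sets) as a
plain dict. Configuration Manager evaluates these on the device; this only shows the
rule logic. Sample policies and passcodes are constructed.
"""
import string

# Character sets in the order in which the complexity count adds them: a requirement
# of n sets means each of the first n sets below must appear in the passcode.
# (Assumed ordering, consistent with the Windows 10 DeviceLock policy.)
CHARACTER_SETS = (
    ("digits", set(string.digits)),
    ("lowercase letters", set(string.ascii_lowercase)),
    ("uppercase letters", set(string.ascii_uppercase)),
    ("special characters", set(string.punctuation)),
)


def missing_character_sets(passcode: str, required: int) -> list:
    """Names of the required character sets that the passcode does not use."""
    chars = set(passcode)
    return [name for name, members in CHARACTER_SETS[:required] if not chars & members]


def evaluate_passcode(passcode: str, policy: dict) -> list:
    """Return the policy rules the passcode violates; an empty list means compliant.

    policy keys (all optional):
      min_length    - 'Minimum password length (characters)'
      complexity    - 'PIN' or 'Strong' ('Password complexity'); PIN permits digits-only
      required_sets - 'Number of complex character sets required' (Strong only, 1..4)
    """
    violations = []
    min_length = policy.get("min_length", 0)
    if len(passcode) < min_length:
        violations.append(f"shorter than minimum length {min_length}")
    if policy.get("complexity", "PIN") == "Strong":
        required = max(1, min(policy.get("required_sets", 3), len(CHARACTER_SETS)))
        missing = missing_character_sets(passcode, required)
        if missing:
            violations.append("missing required character sets: " + ", ".join(missing))
    return violations


if __name__ == "__main__":
    # Constructed policy: 8 characters, Strong, letters and numbers (3 sets).
    policy = {"min_length": 8, "complexity": "Strong", "required_sets": 3}
    for candidate in ("1234", "Winter2017", "Winter2017!"):
        print(candidate, evaluate_passcode(candidate, policy) or "compliant")
```

With required_sets set to 4 the same passcode "Winter2017" becomes non-compliant until a special character is added, which is the behaviour the table describes for that value.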
Device
SETTING NAME - DETAILS
Diagnostic data submission (Windows 10 only) - Allow submission of app log files.
Copy and Paste (Windows 10 only) - Use copy and paste to transfer data between apps.
Factory reset - Controls whether the user can factory reset their device.
Bluetooth discoverable mode (Windows 10 only) - Allow the device to be discovered by other Bluetooth devices.
Voice recording (Windows 10 only) - Allow the use of the voice recording features of the device.
Email management
SETTING - DETAILS
POP and IMAP email - Allows connection to email accounts that use the POP and IMAP standards.
Maximum time to keep email - How long to keep email before it is deleted from the server.
Allowed message formats - Specify whether user emails can be HTML, or plain text only.
Maximum size for plain text email (automatically downloaded) - Controls the maximum size of plain text emails when automatically downloaded.
Maximum size for HTML email (automatically downloaded) - Controls the maximum size of HTML emails when automatically downloaded.
Maximum size of an attachment (automatically downloaded) - Controls the maximum size of an attachment that will be automatically downloaded.
Make Microsoft Account optional in Windows Mail app - Configure this to remove the requirement for a Microsoft account in Windows Mail.
Store
These settings are for devices running Windows 10 and later only.
SETTING DETAILS
Enter a password to access the application store Users must enter a password to access the app store.
Browser
SETTING DETAILS
Allow web browser Allow the use of the web browser on the device.
(Windows 10 only)
Internet Explorer
These settings are only for devices running Windows 8.1.
Always send Do Not Track header Sends the Do Not Track header with every request, asking websites not to track the user. Sites are not obliged to honor it, so this is a preference signal, not a control that stops browsing information from being sent to third-party sites.
Intranet security zone Assign a security level to the Intranet security zone.
Security level for Internet zone Configure the security level for the Internet zone.
Security level for intranet zone Configure the security level for the intranet zone.
Security level for trusted sites zone Configure the security level for the trusted sites zone.
Security level for restricted sites zone Configure the security level for the restricted sites zone.
Namespaces for intranet zone Configure websites that will be added or removed from the
intranet zone.
Go to intranet site for single word entry Enables or disables the setting that allows Internet Explorer to
automatically go to an Intranet site if a valid site name is
entered without a preceding HTTP:
Enterprise Mode menu option Allow users to activate and deactivate Enterprise Mode from
the Internet Explorer Tools menu.
Logging report location (URL) Specify a URL where visited websites will be logged when
Enterprise Mode is active.
Enterprise Mode site list location (URL) Specify the location of the list of websites that will use
Enterprise Mode when it is active.
Microsoft Edge
These settings are for devices running Windows 10 and later.
Allow search suggestions in address bar Lets your search engine suggest sites as you type search
phrases.
Allow sending intranet traffic to Internet Explorer Lets users open intranet websites in Internet Explorer.
Allow do not track Lets the browser send the Do Not Track header, which informs websites that the user does not want the visit tracked; honoring it is voluntary on the site's part.
Enable SmartScreen Use SmartScreen to check downloaded files and visited sites against Microsoft's reputation service, and to warn users about or block content that is reported as malicious.
Allow Autofill Allow the use of the Autofill feature of the Edge browser.
Allow Password Manager Allow the use of the password manager feature of the Edge
browser.
Enterprise Mode site list location Specifies where to find the list of web sites that will open in
Enterprise mode. Users cannot edit this list.
Windows Defender
These settings are for devices running Windows 10 November Update (1511) and later.
Allow real-time monitoring Enables real-time scanning for malware, spyware, and other
unwanted software.
Allow behavior monitoring Lets Defender check for certain known patterns of suspicious
activity on devices.
Enable Network Inspection System The Network Inspection System (NIS) helps to protect devices
against network-based exploits by using the signatures of
known vulnerabilities from the Microsoft Endpoint Protection
Center to help detect and block malicious traffic.
Scan all downloads Controls whether Defender scans all files downloaded from
the Internet.
Allow script scanning Lets Defender scan scripts that are used in Internet Explorer.
Monitor file and program activity Enable this setting to allow Defender to monitor file and
program activity on devices.
Files monitored If you enabled Monitor file and program activity, you can
then select whether to monitor incoming files, outgoing files,
or all files.
Days to track resolved malware Lets Defender continue to track resolved malware for the
number of days you specify so that you can manually check
previously affected devices. If you set the number of days to
0, malware remains in the Quarantine folder and is not
automatically removed.
Allow client UI access Controls whether the Windows Defender user interface is
hidden from end users. When this setting is changed, it will
take effect the next time the end user's PC is restarted.
Schedule a system scan Lets you schedule a full or quick system scan that occurs
regularly on the day and time you select.
Schedule a quick daily scan Lets you schedule a quick scan that occurs daily at the time
you select.
Limit CPU usage during a scan Lets you limit the amount of CPU that scans are allowed to
use (from 1 to 100)
Scan archive files Allows Defender to scan archived files such as Zip or Cab files.
Scan email messages Allows Defender to scan email messages as they arrive on the
device.
Scan removable drives Lets Defender scan removable drives like USB sticks.
Scan mapped drives Lets Defender scan files on mapped network drive.
If the files on the drive are read-only, Defender will be unable
to remove any malware found in them.
Scan files opened from network shared folders Lets Defender scan files on shared network drives (for instance, those accessed from a UNC path).
If the files on the drive are read-only, Defender will be unable
to remove any malware found in them.
Signature update interval Specify the interval at which Defender will check for new
signature files.
Allow cloud protection Allow or block the Microsoft Active Protection Service from
receiving information about malware activity from devices you
manage. This information is used to improve the service in the
future.
Prompt users for samples submission Controls whether files that might require further analysis by
Microsoft to determine if they are malicious are automatically
sent to Microsoft.
Potentially Unwanted Application detection This setting can be used to protect enrolled Windows desktop
devices against running software classified by Windows
Defender as potentially unwanted. You can protect against
these applications running, or use audit mode to report when
a potentially unwanted application is installed.
File and folder exclusions Add one or more files and folders like C:\Path or
%ProgramFiles%\Path\filename.exe to the exclusions list.
These files and folders will not be included in any real-time, or
scheduled scans.
File extension exclusions Add one or more file extensions like jpg or txt to the
exclusions list. Any files with these extensions will not be
included in any real-time, or scheduled scans.
Process exclusions Add one or more processes of the type .exe, .com, or .scr to
the exclusions list. These processes will not be included in any
real-time, or scheduled scans.
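The three exclusion settings above deserve a review step before the configuration item is deployed: every excluded path, extension or process is a place where Defender never looks, and broad or user-writable exclusions are a common way for an attacker who has learned the configuration to run unscanned. The Python below is an added example, not code from the original page or from Configuration Manager, that audits a proposed exclusion list in the three forms the table describes (paths such as C:\Path or %ProgramFiles%\Path\filename.exe, extensions such as jpg, and .exe/.com/.scr process names). The risk classes it flags and the sample list it runs on are this example's own assumptions.

```python
"""Audit a proposed Windows Defender exclusion list before it goes into a
configuration item.  Added example; not code from the original page or from
Configuration Manager.  The risk classes flagged here (user-writable paths,
executable extensions, bare process names) are this example's assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Locations an unprivileged user can normally write to on Windows (assumed list).
USER_WRITABLE_MARKERS = (
    "\\users\\", "%userprofile%", "%appdata%", "%localappdata%",
    "%temp%", "%tmp%", "\\temp\\", "\\downloads\\", "%public%",
)
# File types that carry code; excluding one by extension stops scanning for
# every such file on the device.
EXECUTABLE_EXTENSIONS = {
    "exe", "dll", "com", "scr", "ps1", "vbs", "vbe", "js", "jse",
    "bat", "cmd", "msi", "hta", "wsf",
}
PROCESS_TYPES = (".exe", ".com", ".scr")  # the types the setting accepts, per the page


@dataclass
class Finding:
    kind: str       # "path", "extension" or "process"
    entry: str
    severity: str   # "critical" or "warning"
    reason: str


def audit_path(entry: str) -> Optional[Finding]:
    e = entry.strip().lower()
    # A drive root or %SystemDrive% turns off scanning for everything on it.
    if re.fullmatch(r"[a-z]:\\?", e) or e.rstrip("\\") == "%systemdrive%":
        return Finding("path", entry, "critical", "excludes an entire drive")
    # Anything a standard user can write to is a place malware can be staged.
    if any(m in e for m in USER_WRITABLE_MARKERS):
        return Finding("path", entry, "critical", "user-writable location")
    if "*" in e or "?" in e:
        return Finding("path", entry, "warning", "wildcard; confirm what it matches")
    return None


def audit_extension(entry: str) -> Optional[Finding]:
    ext = entry.strip().lower().lstrip("*.")
    if ext in EXECUTABLE_EXTENSIONS:
        return Finding("extension", entry, "critical", "executable file type excluded everywhere")
    return None


def audit_process(entry: str) -> Optional[Finding]:
    e = entry.strip().lower()
    if not e.endswith(PROCESS_TYPES):
        return Finding("process", entry, "warning", "not an .exe/.com/.scr process")
    if "\\" not in e:
        # A bare name matches any process with that name, including a copy an
        # attacker drops in a user-writable folder.
        return Finding("process", entry, "warning", "bare process name matches any copy")
    if any(m in e for m in USER_WRITABLE_MARKERS):
        return Finding("process", entry, "critical", "process runs from a user-writable path")
    return None


def audit_exclusions(paths, extensions, processes) -> List[Finding]:
    """Run all three audits and return every finding, in list order."""
    findings: List[Finding] = []
    for check, entries in ((audit_path, paths), (audit_extension, extensions), (audit_process, processes)):
        for entry in entries:
            finding = check(entry)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample exclusion list for this example, not from any real deployment.
SAMPLE_PATHS = [
    r"%ProgramFiles%\LineOfBusiness\lob.exe",   # the page's own pattern; acceptable
    r"C:\Users\Public\Downloads",
    "D:\\",
]
SAMPLE_EXTENSIONS = ["jpg", "txt", "ps1"]
SAMPLE_PROCESSES = [r"%ProgramFiles%\Backup\agent.exe", "svchost.exe", r"%TEMP%\updater.exe"]

if __name__ == "__main__":
    for f in audit_exclusions(SAMPLE_PATHS, SAMPLE_EXTENSIONS, SAMPLE_PROCESSES):
        print(f"{f.severity.upper():8} {f.kind:9} {f.entry}: {f.reason}")
```

Anything reported as critical is worth pushing back on before the configuration item ships; a warning usually needs a narrower entry (a full path instead of a bare process name, for example) rather than removal.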
Cloud
SETTING NAME DETAILS
Settings synchronization over metered connections Allow settings to be synchronized when the Internet
connection is metered.
Security
SETTING NAME DETAILS
SMS and MMS messaging Allow SMS and MMS messaging from the device.
(Windows 10 only)
Removable storage Allow use of removable storage, like an SD card on the device.
(Windows 10 only)
Near field communication (NFC) Allow communication using NFC on the device.
(Windows 10 only)
Allow USB connection Controls whether devices can access external storage devices
through a USB connection.
(Windows 10 only)
Profile for all users Provisions a VPN profile for Windows RT devices.
(Windows 8 only)
Peak synchronization
These settings are for devices running Windows 10 and later only.
Specify peak time Configure the peak time for mobile device synchronization.
Peak synchronization frequency Configure how often synchronization occurs during the peak
hours you configured.
Off-peak synchronization frequency Configure how often synchronization occurs outside of the
peak hours you configured.
Roaming
SETTING NAME DETAILS
Device management while roaming Allows the device to be managed by Configuration Manager
when it is roaming.
(Windows 10 only)
Software download while roaming Allows the download of apps and software when roaming.
(Windows 10 only)
VPN over cellular Controls whether the device can access VPN connections
when connected to a cellular network.
(Windows 10 only)
VPN roaming over cellular Controls whether the device can access VPN connections
when roaming on a cellular network.
(Windows 10 only)
Encryption
SETTING NAME DETAILS
Storage card encryption Require any storage cards used with the device to be
encrypted.
(Windows 10 only)
File encryption on device Requires that files on the device are encrypted.
Require email signing Requires that emails are signed before they are sent.
(Windows 10 only)
Require email encryption Requires that emails are encrypted before they are sent.
(Windows 10 only)
Wireless communications
These settings are for devices running Windows 10 and later only.
Offload data to Wi-Fi when possible Configure this to use the Wi-Fi connection on the device
when possible.
Wi-Fi hotspot reporting Sends information about Wi-Fi connections to help the user
discover nearby connections.
Manual Wi-Fi configuration Controls whether the user can configure their own Wi-Fi
connections, or whether they can only use connections
configured by a Wi-Fi profile.
Data encryption Choose the encryption method used by this connection. The values you can select will differ depending on the Authentication method you selected:
- Disabled
- WEP
- TKIP
- AES
Prefer AES (the cipher used with WPA2); WEP and TKIP are deprecated and have practical attacks against them, so select them only for a legacy access point you cannot replace.
Key index Select a key index from 1 to 4 that will be used with a Data encryption setting of WEP.
This network connects to the Internet Select this option if you want to supply proxy settings that let
mobile devices on a wireless connection connect to the
Internet.
Proxy server settings Specify, as required, the server and port settings for HTTP, WAP and Sockets.
Enable 802.1X network access Select this option if you want to secure the connection by
specifying an EAP type.
Certificates
Lets you import certificates to install on mobile devices.
Click Import, and then specify the following values:
Certificate file – Click Browse and then select the certificate file with the extension .cer that you want to
import.
Destination store – Choose one or more destination stores where the imported certificate will be added on
the mobile device from:
Root
CA
Normal
Privileged
SPC
Peer
Role – If SPC (Software Publisher Certificate) is selected as the destination store, choose the role that will be
associated with the certificate from:
Mobile Operator
Manager
User Authenticated
IT Administrator
User Unauthenticated
Trusted Provisioning Server
System security
SETTING DETAILS
User Account Control Enables or disables Windows User Account Control on the
device.
Updates (Windows 8.1 and earlier) Choose how Windows software updates will be downloaded
to computers. For example, you can automatically download
updates, but let the user choose when to install them.
Minimum classification of updates Choose the minimum classification of updates that will be
downloaded to Windows computers, None, Important, or
Recommended.
Updates (Windows 10) Choose how Windows software updates will be downloaded
to computers. For example, you can automatically download
updates, but let the user choose when to install them.
(Windows 10 only)
Virus protection signatures are up to date Select to ensure that the antivirus signature files are up to
date.
Allow manual unenrollment Lets the user manually delete the workplace account from the
device.
(Windows 10 only)
Work Folders URL Configures the location of a Windows Server work folder that
users can connect to from their device.
Windows 10 Team
These settings are for devices running Windows 10 Team only.
Allow screen to wake automatically when sensors detect Allows the device to wake automatically when its sensor
someone in the room detects someone in the room.
Required PIN for wireless projection Specifies whether you must enter a PIN before you can use
the wireless projection capabilities of the device.
Maintenance Window Configures the window when updates can take place to the
device. You can configure the start time of the window and
the duration (from 1-5 hours).
Azure Operational Insights Azure Operational Insights, part of the Microsoft Operations Management Suite, collects, stores, and analyzes log file data from Windows 10 Team devices.
To connect to Azure Operational Insights, you must specify a Workspace ID and a Workspace Key.
Miracast wireless projection Enable this option if you want to let the Windows 10 Team
device use Miracast enabled devices to project.
If you enable this option, from Choose Miracast channel
select the Miracast channel used to project content.
Meeting information displayed on welcome screen If you enable this option, you can choose the information that
will be displayed on the Meetings tile of the Welcome screen.
You can:
- Show organizer and time only
- Show organizer, time and subject (subject hidden for
private meetings)
Lockscreen background image URL Enable this setting to display a custom background on the
Welcome screen of Windows 10 Team devices from the URL
you specify.
The image must be in PNG format and the URL must begin
with https://.
Blocked apps list Select this option if you want to specify a list of apps that
users are not allowed to install.
Allowed apps list Select this option if you want to specify a list of apps that
users are allowed to install. Any other apps will be blocked
from installing.
To specify the URL, from the Windows Store, search for the
app you want to use.
Open the app’s page, and copy the URL to the clipboard. You
can now use this as the URL in either the allowed or blocked
apps list.
Example: Search the store for the Skype app. The URL you use will be http://www.windowsphone.com/store/app/skype/c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51.
Edit Lets you edit the name, publisher and URL of the selected
app.
TIP
If the setting that you want is not listed, select the Configure additional settings that are not in the default
setting groups check box.
8. On each settings page, configure the settings you require, and whether you want to remediate them when
they are not compliant on devices (when this is supported).
9. For each settings group, you can also configure the severity that will be reported (in Configuration Manager
reports) when a configuration item is found to be noncompliant from:
None - Devices that fail this compliance rule do not report a failure severity.
Information - Devices that fail this compliance rule report a failure severity of Information.
Warning - Devices that fail this compliance rule report a failure severity of Warning.
Critical - Devices that fail this compliance rule report a failure severity of Critical.
Critical with event - Devices that fail this compliance rule report a failure severity of Critical, and the failure is also logged as a Windows event in the application event log.
10. On the Platform Applicability page, review any settings that are not compatible with the supported
platforms you selected earlier. You can go back and remove these settings, or you can continue.
TIP
Unsupported settings are not assessed for compliance.
SETTING DETAILS
Minimum password length (characters) The minimum length for the password.
Password expiration in days The number of days before a password must be changed.
Number of failed logon attempts before device is wiped Wipes the device if this number of login attempts fail.
Idle time before device is locked Specifies the amount of time a device must remain idle before
the screen is automatically locked.
Password complexity Choose whether you can specify a PIN such as ‘1234’, or
whether you must supply a strong password.
Allow simple passwords Specifies that simple passwords such as ‘0000’ and ‘1234’ can
be used.
Device
SETTING DETAILS
Screen capture Allow the user to take a screenshot of the device display.
Copy and Paste Use copy and paste to transfer data between apps.
Email management
These settings apply to both Windows Phone 8 and Windows Phone 8.1.
SETTING DETAILS
POP and IMAP email Allows connection to email accounts that use the POP and
IMAP standards.
Maximum time to keep email How long to keep email before it is deleted from the server.
Allowed message formats Specify whether user emails can be HTML, or plain text only.
Maximum size for plain text email (automatically downloaded) – Controls the maximum size of plain text emails when automatically downloaded.
Maximum size for HTML email (automatically downloaded) – Controls the maximum size of HTML emails when automatically downloaded.
Maximum size of an attachment (automatically downloaded) – Configures the maximum size of attachment that will be automatically downloaded.
Store
These settings apply to Windows Phone 8.1 devices only.
SETTING DETAILS
Browser
These settings apply to both Windows Phone 8 and Windows Phone 8.1.
SETTING DETAILS
Allow web browser User can change the default Internet browser.
Internet Explorer
These settings apply to both Windows Phone 8 and Windows Phone 8.1.
SETTING DETAILS
Always send Do Not Track header Prevents browsing information from being sent to third-party
sites.
Security level for Internet zone Configure the security level for the Internet zone.
Security level for intranet zone Configure the security level for the intranet zone.
Security level for trusted sites zone Configure the security level for the trusted sites zone.
Security level for restricted sites zone Configure the security level for the restricted sites zone.
Go to intranet site for single word entry Enables or disables the setting that allows Internet Explorer to
automatically go to an Intranet site if a valid site name is
entered without a preceding HTTP:
Enterprise mode menu option Allow users to activate and deactivate Enterprise Mode from
the Internet Explorer Tools menu.
Logging report location (URL) Specify a URL where visited websites will be logged when
Enterprise Mode is active.
Enterprise Mode site list location (URL) Specify the location of the list of websites that will use
Enterprise Mode when it is active.
Cloud
SETTING DETAILS
Settings synchronization over metered connections Allow settings to be synchronized when the Internet
connection is metered.
Security
SETTING DETAILS
SMS and MMS messaging Allow SMS and MMS messaging from the device.
Removable storage Allow use of removable storage, like an SD card on the device.
Near field communication (NFC) Allow communication using NFC on the device.
Allow USB connection Controls whether devices can access external storage devices
through a USB connection.
Peak synchronization
These settings apply to both Windows Phone 8 and Windows Phone 8.1.
SETTING DETAILS
Specify peak time Configure the peak time for mobile device synchronization.
Peak synchronization frequency Configure how often synchronization occurs during the peak
hours you configured.
Off-peak synchronization frequency Configure how often synchronization occurs outside of the
peak hours you configured.
Roaming
These settings apply to both Windows Phone 8 and Windows Phone 8.1.
SETTING DETAILS
Device management while roaming Allows the device to be managed by Configuration Manager
when it is roaming.
Software download while roaming Allows the download of apps and software when roaming.
Encryption
These settings apply to both Windows Phone 8 and Windows Phone 8.1.
SETTING DETAILS
Storage card encryption Require any storage cards used with the device to be
encrypted.
File encryption on device Requires that files on the mobile device are encrypted.
Require email signing Require emails to be signed before they are sent.
Require email encryption Require emails to be encrypted before they are sent.
Wireless communications
These settings apply to both Windows Phone 8 and Windows Phone 8.1.
Offload data to Wi-Fi when possible Configure this to use the Wi-Fi connection on the device
when possible.
Wi-Fi hotspot reporting Sends information about Wi-Fi connections to help the user
discover nearby connections.
Authentication The authentication method used by this connection. Choose from:
- Open
- Shared
- WPA
- WPA-PSK
- WPA2
- WPA2-PSK
Data encryption Choose the encryption method used by this connection. The values you can select will differ depending on the Authentication method you selected:
- Disabled
- WEP
- TKIP
- AES
Prefer WPA2 or WPA2-PSK with AES; WEP (and the Shared authentication that depends on it) and TKIP are deprecated and have practical attacks against them.
Key index Select a key index from 1 to 4 that will be used with a Data encryption setting of WEP.
This network connects to the Internet Select this option if you want to supply proxy settings that let
mobile devices on a wireless connection connect to the
Internet.
Proxy server settings Specify, as required, the server and port settings for HTTP, WAP and Sockets.
Enable 802.1X network access Select this option if you want to secure the connection by specifying an EAP type:
- PEAP
- Smart card or certificate
Certificates
Lets you import certificates to install on mobile devices.
Click Import, and then specify the following values:
Certificate file – Click Browse and then select the certificate file with the extension .cer that you want to
import.
Destination store – Choose one or more destination stores where the imported certificate will be added on
the mobile device from:
Root
CA
Normal
Privileged
SPC
Peer
Role – If SPC (Software Publisher Certificate) is selected as the destination store, choose the role that will be
associated with the certificate from:
Mobile Operator
Manager
User Authenticated
IT Administrator
User Unauthenticated
Trusted Provisioning Server
System security
These settings apply to both Windows Phone 8 and Windows Phone 8.1.
SETTING DETAILS
User Account Control Enables or disables Windows User Account Control on the
device.
Minimum classification of updates Choose the minimum classification of updates that will be
downloaded to Windows computers, None, Important, or
Recommended.
Virus protection signatures are up to date Ensure that the antivirus software signatures are up to date.
Work Folders URL Configures the location of a Windows Server work folder that
users can connect to from their device.
Windows Phone allowed and blocked apps list (Windows Phone 8.1 only)
Lets you specify a list of Windows Phone apps that are compliant, or not compliant, in your company. Apps that you specify as blocked cannot be installed by users. If you specify a list of allowed apps, users can only install apps in the list.
You cannot specify both allowed and blocked apps in the same configuration item.
IMPORTANT
If you specify a list of allowed apps, you must ensure that the company portal app, and any apps you have deployed to
Windows Phone 8.1 devices are in the Allowed apps list.
Blocked apps list Select this option if you want to specify a list of apps that
users will not be allowed to install.
Allowed apps list Select this option if you want to specify a list of apps that
users are allowed to install.
Example: Search the store for the Skype app. The URL you use will be http://www.windowsphone.com/en-us/store/app/skype/c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51.
Edit Lets you edit the name, publisher and URL of the selected app.
TIP
If the setting that you want is not listed, select the Configure additional settings that are not in the default
setting groups check box.
8. On each settings page, configure the settings you require, and whether you want to remediate them when
they are not compliant on devices (when this is supported).
9. For each settings group, you can also configure the severity that will be reported (in Configuration Manager
reports) when a configuration item is found to be noncompliant from:
None - Devices that fail this compliance rule do not report a failure severity.
Information - Devices that fail this compliance rule report a failure severity of Information.
Warning - Devices that fail this compliance rule report a failure severity of Warning.
Critical - Devices that fail this compliance rule report a failure severity of Critical.
Critical with event - Devices that fail this compliance rule report a failure severity of Critical, and the failure is also logged as a Windows event in the application event log.
10. On the Platform Applicability page, review any settings that are not compatible with the supported
platforms you selected earlier. You can go back and remove these settings, or you can continue.
TIP
Unsupported settings are not assessed for compliance.
Minimum password length (characters) The minimum length for the password.
Password expiration in days The number of days before a password must be changed.
Number of failed logon attempts before device is wiped Wipes the device if this number of login attempts fail.
(iOS only)
Idle time before device is locked Specifies the number of minutes of inactivity before the device
automatically locks.
Password complexity Choose whether you can specify a PIN such as '1234', or
whether you must supply a strong password.
Allow simple passwords Specifies that simple passwords such as ‘0000’ and ‘1234’ can
be used.
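The password rows above (minimum length, PIN versus strong password, and the Allow simple passwords switch), together with the Windows 10 setting earlier on this page that counts complex character sets, describe a policy without showing how a candidate passcode is judged against it. The Python below is an added example, not code from the original page or from Configuration Manager, that evaluates a passcode against such a policy and reports which rule it would trip. The PasswordPolicy fields and the definition of a "simple" password used here (all characters the same, or a straight run such as 1234 or zyxw) are this example's assumptions; the product's own definition is not given on the page.

```python
"""Evaluate a candidate passcode against the password-policy settings the
compliance tables describe.  Added example; not code from the original page
or from Configuration Manager.  The policy fields and the 'simple password'
rule below are this example's assumptions."""
from dataclasses import dataclass
from typing import List


@dataclass
class PasswordPolicy:
    minimum_length: int = 6
    require_strong: bool = False      # "Password complexity": PIN allowed, or strong password required
    complex_sets_required: int = 3    # Windows 10 "Number of complex character sets required"
    allow_simple: bool = False        # "Allow simple passwords" such as 0000 or 1234


def character_sets(pw: str) -> int:
    """Count the distinct character classes present: lower, upper, digit, other.
    (Assumed classification; check which classes your platform counts.)"""
    classes = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for in_class in classes if any(in_class(c) for c in pw))


def is_simple(pw: str) -> bool:
    """'0000' or '1234' style: every character the same, or a straight run of
    consecutive code points in either direction (assumed definition)."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def evaluate(pw: str, policy: PasswordPolicy) -> List[str]:
    """Return the policy rules the passcode fails; an empty list means compliant."""
    failures: List[str] = []
    if len(pw) < policy.minimum_length:
        failures.append(f"shorter than {policy.minimum_length} characters")
    if not policy.allow_simple and is_simple(pw):
        failures.append("simple password (repeated or sequential characters)")
    if policy.require_strong:
        have = character_sets(pw)
        if have < policy.complex_sets_required:
            failures.append(f"{have} character set(s), policy requires {policy.complex_sets_required}")
    return failures


if __name__ == "__main__":
    # Constructed sample policies and passcodes for this example.
    pin_policy = PasswordPolicy(minimum_length=4)
    strong_policy = PasswordPolicy(minimum_length=8, require_strong=True, complex_sets_required=4)
    for candidate, policy in (("1234", pin_policy), ("2580", pin_policy),
                              ("Contoso1", strong_policy), ("Contoso1!", strong_policy)):
        result = evaluate(candidate, policy)
        print(f"{candidate!r}: {'compliant' if not result else '; '.join(result)}")
```

The example counts four classes (lower, upper, digit, other); the page does not say which classes a given platform counts toward the "complex character sets" number, so confirm the behaviour on a test device before relying on a specific value.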
Device
These settings apply to both iOS and Mac OS X devices.
Voice dialing Allows use of the voice dialing feature on the device.
Voice assistant while locked Allows use of a voice assistance app like Siri when the device is
locked.
Video chat client Allows use of video chat apps like Facetime.
Add game center friends Allows you to add friends in the game center app.
Multiplayer gaming Allows you to play games with other players on the Internet.
Personal wallet software while locked Allows use of personal wallet software like Passbook.
Store
These settings apply to iOS devices only.
Enter a password to access the application store Users must enter a password to access the app store.
Browser
These settings apply to iOS devices only.
Allow web browser User can use the default device web browser.
Content rating
These settings apply to iOS devices only.
Explicit content in media store Specify if you want to allow adult content to be accessed from
the app store.
Ratings region Specifies the country for which you want to apply ratings
restrictions.
Movie rating Specify the maximum rating of movie content you want to
allow.
TV show rating Specify the maximum rating of TV show content you want to
allow.
App rating Specify the maximum rating of app content you want to allow.
NOTE
The ratings you can select will vary depending on the Ratings region you selected.
Cloud
These settings apply to iOS devices only.
Security
These settings apply to iOS devices only.
Roaming
These settings apply to iOS devices only.
Automatic synchronization while roaming Allows the device to automatically synchronize when roaming.
System security
These settings apply to iOS devices only.
User to accept untrusted TLS certificates If Allowed, lets the user accept certificates the device does not trust; if Prohibited, the device automatically rejects untrusted certificates. Allowing this lets a user click through the certificate presented by a man-in-the-middle attacker, so prohibit it unless a specific app on the device requires it.
Allow Activation Lock (supervised mode only) Use this setting to enable iOS Activation Lock on supervised
iOS devices that you manage. For more information about
Activation Lock, see Manage iOS Activation Lock.
Lock screen control center Controls whether the control center app can be accessed
when the device is locked.
Lock screen notification view Controls whether notifications can be viewed when the device
is locked.
Lock screen today view Controls whether the Today view can be seen when the device
is locked.
Data protection
These settings apply to iOS devices only.
Open documents in managed apps in other unmanaged apps For use with apps managed by Configuration Manager application management policies.
Open documents in unmanaged apps in other managed apps For use with apps managed by Configuration Manager application management policies.
TIP
To find the bundle ID of an app, use the following steps on a Mac computer that has the app installed:
1. Open the folder in which the app is installed (for example, /Applications)
a. Select the .app bundle, and choose Show Package Contents
b. Open the Info.plist file
c. Check the value associated with the key CFBundleIdentifier
The format for Bundle ID is com.contoso.appname
Edit - Lets you edit the name, publisher and bundle ID of the selected app.
Remove - Deletes the selected app from the list.
Import - Imports a list of apps you have specified in a comma-separated values file. Use the format,
app name, publisher, app bundle ID in the file.
2. When you are finished, click Next. Configuration items containing compliant and noncompliant app
settings must be deployed to collections of users.
You can use one of the following reports to monitor compliant and noncompliant apps:
List of noncompliant Apps and Devices for a specified user - Displays information about users and
devices that have apps installed that are not compliant with a policy you specified.
Summary of Users who have Noncompliant Apps - Displays information about users that have apps
installed that are not compliant with a policy you specified.
For information about how to use reports, see Reporting in System Center Configuration Manager.
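The tip above reads CFBundleIdentifier out of Info.plist by hand, and the Import option expects a comma-separated file in the order app name, publisher, app bundle ID. The Python below is an added example, not code from the original page or from Apple or Configuration Manager, that does the same lookup programmatically (plistlib reads both the XML and the binary plist form that Show Package Contents exposes) and writes the import rows. The publisher is not stored in Info.plist, so the caller supplies it; the bundle-ID pattern check and the sample plist are this example's assumptions.

```python
"""Build the comma-separated import file for a compliant/noncompliant apps
configuration item from an app bundle's Info.plist.  Added example; not code
from the original page or from Apple or Configuration Manager.  The bundle-ID
pattern check and the sample plist are this example's assumptions."""
import csv
import io
import plistlib
import re
from typing import List, Tuple

# Reverse-DNS form the page gives (com.contoso.appname): dot-separated labels.
BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def read_bundle_info(info_plist: bytes) -> Tuple[str, str]:
    """Return (app name, bundle identifier) from Info.plist data.
    plistlib.loads accepts XML and binary plists alike."""
    info = plistlib.loads(info_plist)
    bundle_id = info["CFBundleIdentifier"]
    if not BUNDLE_ID_RE.match(bundle_id):
        raise ValueError(f"unexpected bundle ID format: {bundle_id!r}")
    # Display name is preferred; fall back to the bundle name, then the ID itself.
    name = info.get("CFBundleDisplayName") or info.get("CFBundleName") or bundle_id
    return name, bundle_id


def build_import_csv(apps: List[Tuple[bytes, str]]) -> str:
    """apps: (Info.plist bytes, publisher) pairs.  Returns CSV text in the
    'app name, publisher, app bundle ID' column order the import expects,
    one row per distinct bundle ID."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    seen = set()
    for plist_bytes, publisher in apps:
        name, bundle_id = read_bundle_info(plist_bytes)
        if bundle_id in seen:
            continue
        seen.add(bundle_id)
        writer.writerow([name, publisher, bundle_id])
    return out.getvalue()


# Constructed sample Info.plist (XML form) for this example only.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleName</key><string>Contoso Expenses</string>
  <key>CFBundleIdentifier</key><string>com.contoso.expenses</string>
  <key>CFBundleShortVersionString</key><string>2.1</string>
</dict></plist>
"""
# The same bundle information in binary plist form, which macOS apps often ship.
SAMPLE_BINARY_PLIST = plistlib.dumps(plistlib.loads(SAMPLE_PLIST), fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    print(build_import_csv([(SAMPLE_PLIST, "Contoso Ltd")]), end="")
```

On a Mac the bytes passed in would come from reading Contents/Info.plist inside the .app bundle; the CSV it produces is what the Import button in the configuration item consumes.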
iOS and Mac OS X custom profile settings
Use iOS and Mac OS X Custom Profiles to deploy settings that you created using the Apple Configurator tool to
iOS and Mac OS X devices. This tool lets you create many settings that control the operation of these devices and
export them to a configuration profile. You can then import this configuration profile into an iOS and Mac OS X
custom profile and deploy the settings to users and devices in your organization.
NOTE
Ensure that the settings you export from the Apple Configurator tool are compatible with the version of iOS or Mac OS X on
the devices to which you deploy the profile. For information about how incompatible settings are resolved, search for
Configuration Profile Reference and Mobile Device Management Protocol Reference on the Apple Developer web site.
NOTE
When a Mac OS X device is in Sleep mode, policies and profiles cannot be delivered or inventoried. As a
result, the Configuration Manager console might temporarily display the status Policy settings in error until
the next time the device wakes from Sleep mode.
None Devices that fail this compliance rule do not report a failure severity for Configuration
Manager reports.
Information Devices that fail this compliance rule report a failure severity of Information for
Configuration Manager reports.
Warning Devices that fail this compliance rule report a failure severity of Warning for
Configuration Manager reports.
Critical Devices that fail this compliance rule report a failure severity of Critical for
Configuration Manager reports.
Critical with event Devices that fail this compliance rule report a failure severity of Critical for Configuration Manager reports. This severity level is also logged as a Windows event in the application event log.
TIP
If the setting that you want is not listed, select the Configure additional settings that are not in the default
setting groups check box.
8. On each settings page, configure the settings you require, and whether you want to remediate them when
they are not compliant on devices (when this is supported).
9. For each settings group, you can also configure the severity that will be reported (in Configuration Manager
reports) when a configuration item is found to be noncompliant from:
None - Devices that fail this compliance rule do not report a failure severity.
Information - Devices that fail this compliance rule report a failure severity of Information.
Warning - Devices that fail this compliance rule report a failure severity of Warning.
Critical - Devices that fail this compliance rule report a failure severity of Critical.
Critical with event - Devices that fail this compliance rule report a failure severity of Critical, and the failure is also logged as a Windows event in the application event log.
10. On the Platform Applicability page, review any settings that are not compatible with the supported
platforms you selected earlier. You can go back and remove these settings, or you can continue.
TIP
Unsupported settings are not assessed for compliance.
Minimum password length (characters): The minimum length for the password.
Password expiration in days: The number of days before a password must be changed.
Number of failed logon attempts before device is wiped: Wipes the device if this number of logon attempts fail.
Idle time before device is locked: Select the amount of time before the device is locked when it is not being used.
Password quality: Select the required password complexity level and whether biometric devices can be used.
Allow Smart Lock and other trust agents: Lets you control the Smart Lock feature on compatible Android devices. This phone capability, sometimes known as trust agents, lets you disable or bypass the device lock screen password if the device is in a trusted location, such as when it is connected to a specific Bluetooth device or when it is near an NFC tag. You can use this setting to prevent end users from configuring Smart Lock.
Fingerprint for unlocking (KNOX 5.0+): Lets users use a fingerprint to unlock compatible devices.
Device
These settings apply to Samsung KNOX Standard devices only.
Voice dialing: Enables or disables the voice dialing feature on the device.
Voice assistant: Allows the use of voice assistant software on the device.
Screen capture: Lets the user capture the screen contents as an image.
Diagnostic data submission: Allows the device to submit diagnostic information to Google.
Copy and Paste: Allows copy and paste functions on the device.
Factory reset: Allows the user to perform a factory reset on the device.
Clipboard share between applications: Allows use of the clipboard to copy and paste between apps.
Store
Application store: Allows access to the Google Play Store app on the device.
Browser
Allow web browser: Specifies whether the device's default web browser can be used.
Active scripting: Allows the device web browser to use active scripting.
Pop-up blocker: Allows the use of the pop-up blocker in the web browser.
Cloud
These settings apply to Samsung KNOX Standard devices only.
Security
SMS and MMS messaging: Allows the use of SMS and MMS messaging on the device.
Removable storage: Allows the device to use removable storage, like an SD card.
Near field communication (NFC): Allows operations that use near field communication if the device supports it.
Roaming
Voice roaming: Allows voice roaming when the device is on a cellular network.
Data roaming: Allows data roaming when the device is on a cellular network.
Encryption
These settings apply to both Android and Samsung KNOX Standard devices.
Storage card encryption: Specifies whether the device storage card must be encrypted.
File encryption on device: Requires that files on the mobile device are encrypted.
Wireless communications
Wireless network connection: Allows the use of the Wi-Fi capabilities of the device.
Noncompliant apps list: Select this option if you want to specify a list of apps that will be reported as noncompliant if installed by users.
Compliant apps list: Select this option if you want to specify a list of apps that users are allowed to install. Any other installed apps will be reported as noncompliant.
Open the app's page, and copy the URL to the clipboard. You can now use this as the URL in either the compliant or noncompliant apps list.
Edit: Lets you edit the name, publisher, and URL of the selected app.
2. When you are finished, click Next. Configuration items containing compliant and noncompliant app
settings must be deployed to collections of users.
You can use one of the following reports to monitor compliant and noncompliant apps:
List of noncompliant Apps and Devices for a specified user - Displays information about users and
devices that have apps installed that are not compliant with a policy you specified.
Summary of Users who have Noncompliant Apps - Displays information about users that have apps
installed that are not compliant with a policy you specified.
For information about how to use reports, see Reporting in System Center Configuration Manager.
Remotely synchronize policy on Intune-enrolled
devices from the Configuration Manager console
3/6/2017
General considerations
Configuration Manager supports the deployment of the following app types:
iOS: *.ipa
IMPORTANT
Currently, end-users cannot install corporate apps from the Microsoft Intune Company Portal app for iOS. This is because
there are restrictions that are placed on apps that are published in the iOS App Store (see App Store Review Guidelines,
Section 2). Users can install corporate apps (including managed App Store apps and line-of-business app packages) by
browsing to the Intune Web Portal on their device (portal.manage.microsoft.com). For more information about the mobile
management capabilities that are enabled by the Intune Company Portal app, see Enrolled device management capabilities in
Microsoft Intune.
Apply settings to iOS apps with app configuration
policies in System Center Configuration Manager
3/6/2017
<integer>
<real>
<string>
<array>
<dict>
<true /> or <false />
For more information about data types, see About Property Lists in the iOS Developer Library.
Intune also supports the following token types in the property list:
The {{ and }} characters are used by token types only and must not be used for other
purposes.
b. To import an XML file that you created earlier, choose Select file.
5. Choose Next. If there are errors in the XML code, you'll have to correct them before you continue.
6. Finish the steps shown in the wizard.
The new app configuration policy is shown in the Software Library workspace, in the App Configuration
Policies node.
<dict>
<key>userprincipalname</key>
<string>{{userprincipalname}}</string>
<key>mail</key>
<string>{{mail}}</string>
<key>partialupn</key>
<string>{{partialupn}}</string>
<key>accountid</key>
<string>{{accountid}}</string>
<key>deviceid</key>
<string>{{deviceid}}</string>
<key>userid</key>
<string>{{userid}}</string>
<key>username</key>
<string>{{username}}</string>
<key>serialnumber</key>
<string>{{serialnumber}}</string>
<key>serialnumberlast4digits</key>
<string>{{serialnumberlast4digits}}</string>
<key>udidlast4digits</key>
<string>{{udidlast4digits}}</string>
</dict>
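Because the wizard rejects a property list with errors before it can be saved (step 5 above), it helps to check the XML before import. The following Python check is an added example and not Configuration Manager or Intune code: it parses the plist, confirms that every string that looks like a {{token}} is one of the token types listed in the sample dictionary above, and flags any other use of the {{ and }} characters, which the page says must be reserved for tokens. The sample plists, the key names retries/servers/secret/greeting and the host mdm.example.test are constructed for the example.

```python
"""Pre-import check for an iOS app configuration property list (added example,
not Configuration Manager code): every string that looks like a {{token}} must
be one of the supported token types, and the {{ }} characters must not appear
anywhere else."""
import plistlib
import re

# Token types shown in the property list above.
SUPPORTED_TOKENS = {
    "userprincipalname", "mail", "partialupn", "accountid", "deviceid",
    "userid", "username", "serialnumber", "serialnumberlast4digits",
    "udidlast4digits",
}
TOKEN_RE = re.compile(r"^\{\{([A-Za-z0-9]+)\}\}$")   # the whole value is a token


def find_token_problems(plist_xml: bytes) -> list:
    """Return [(key_path, reason), ...]; an empty list means the plist is OK.
    Malformed XML raises plistlib.InvalidFileException or an ExpatError."""
    data = plistlib.loads(plist_xml.lstrip())
    problems = []

    def walk(node, path):
        if isinstance(node, dict):                # <dict>
            for key, value in node.items():
                walk(value, path + "/" + key)
        elif isinstance(node, list):              # <array>
            for index, value in enumerate(node):
                walk(value, "%s[%d]" % (path, index))
        elif isinstance(node, str):               # <string>; other types carry no tokens
            match = TOKEN_RE.match(node)
            if match and match.group(1).lower() not in SUPPORTED_TOKENS:
                problems.append((path, "unsupported token " + node))
            elif not match and ("{{" in node or "}}" in node):
                problems.append((path, "{{ }} used outside a token"))

    walk(data, "")
    return problems


# Constructed sample built from the page's dictionary; it should pass cleanly.
GOOD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>userprincipalname</key><string>{{userprincipalname}}</string>
  <key>mail</key><string>{{mail}}</string>
  <key>serialnumberlast4digits</key><string>{{serialnumberlast4digits}}</string>
  <key>retries</key><integer>3</integer>
  <key>servers</key><array><string>https://mdm.example.test</string></array>
</dict>
</plist>"""

# Constructed sample with two mistakes: a token Intune does not know, and
# braces embedded in ordinary text.
BAD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>mail</key><string>{{mail}}</string>
  <key>secret</key><string>{{password}}</string>
  <key>greeting</key><string>Hello {{mail}}</string>
</dict>
</plist>"""

if __name__ == "__main__":
    print(find_token_problems(GOOD_PLIST))   # []
    for path, reason in find_token_problems(BAD_PLIST):
        print(path, reason)
```

Run it against the XML file you intend to import (read it as bytes and pass it to find_token_problems); each returned tuple names the dictionary key path and the reason, which is the same kind of error the wizard would make you correct before continuing.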
Manage volume-purchased iOS apps with System
Center Configuration Manager
3/6/2017
Additionally, you must have imported a valid Apple Push Notification service (APNs) certificate from Apple to let you manage iOS devices, including app deployment. For more information, see Set up iOS hybrid device management.
IMPORTANT
You must choose a deployment purpose of Required. Available installations are not currently supported.
When you deploy the app, a license is used by each user who installs the app.
To reclaim a license, you must change the deployment action to Uninstall. The license will be reclaimed
after the app uninstalls.
General considerations
Configuration Manager supports deploying the following app file types:
Windows Phone 8, Windows Phone 8.1, and Windows 10 Mobile: Available, Required, Uninstall
Steps to deploy the latest Windows Phone company portal app with
supersedence
The following table provides the steps, details, and more information for creating and deploying the latest
Windows Phone 8 company portal app.
Step 1: Get the latest company portal app. More information: Download the Windows Phone 8 company portal app.
Step 2: Sign the company portal app with your Symantec certificate. More information: For information on how to sign the company portal app, see Set up Windows Phone and Windows 10 Mobile hybrid device management with System Center Configuration Manager and Microsoft Intune.
Step 3: Create a new application with the latest version of the company portal app, and specify a supersedence relationship. More information: For more information, see Create applications and Revise and supersede applications.
Step 4: Add the application to the Microsoft Intune Subscription Wizard. More information: For more information, see Set up Windows Phone and Windows 10 Mobile hybrid device management with System Center Configuration Manager and Microsoft Intune.
Step 5: Delete the deployment that is automatically created when you added the company portal app to the Microsoft Intune Subscription Wizard. More information: The Microsoft Intune subscription has created an automatic deployment of this app, and this deployment will not support supersedence.
Step 6: Create a new deployment of the application. On the Deployment Settings page of the Deploy Software Wizard, check Automatically upgrade any superseded versions of this application. More information: Create a new deployment with supersedence using the application you created with the supersedence relationship.
If you set this value to a lower value than the default, it might
negatively affect the performance of your network and client
computers.
Create Android applications with System Center
Configuration Manager
3/6/2017
General considerations
Configuration Manager supports the deployment of the following app types for Android:
Android: .apk
Restrict web content to display in a corporate managed browser: Enables all links in the app to open in the Managed Browser. You must have deployed this app to devices in order for this option to work.
Prevent Android backups or Prevent iTunes and iCloud backups: Disables the backup of any information from the app.
Allow app to transfer data to other apps: Specifies the apps that this app can send data to. You can choose to not allow data transfer to any app, to only allow transfer to other restricted apps, or to allow transfer to any app.
Allow app to receive data from other apps: Specifies the apps that this app can receive data from. You can choose to not allow data transfer from any app, to only allow transfer from other restricted apps, or to allow transfer from any app.
Prevent "Save As": Disables the use of the Save As option in any app that uses this policy.
Restrict cut, copy and paste with other apps: Specifies how cut, copy, and paste operations can be used with the app. Choose from:
Require simple PIN for access: Requires the user to enter a PIN that they specify to use this app. The user is asked to set this up the first time they run the app.
Number of attempts before PIN reset: Specifies the number of PIN entry attempts that can be made before the user must reset the PIN.
Require corporate credentials for access: Requires that the user enter their corporate sign-in information before they can access the app.
Require device compliance with corporate policy for access: Allows the app to be used only when the device is not jailbroken or rooted.
Recheck the access requirements after (minutes): Specifies the time period before the access requirements for the app are rechecked after the app is launched (in the Timeout field).
Encrypt app data: Specifies that all data that is associated with this app is encrypted, including data that's stored externally, such as data stored on SD cards.
Block screen capture (Android devices only): Specifies that the screen capture capabilities of the device are blocked when using this app.
6) On the Managed Browser page, select whether the managed browser is allowed to open only URLs in the list
or to block the managed browser from opening the URLs in the list, and then choose Next.
For more information, see Manage Internet access using managed browser policies.
7) Complete the wizard.
The new policy is displayed in the Application Management Policies node of the Software Library workspace.
IMPORTANT
If the application is already deployed, then the deployment for the new deployment type fails until this association is made.
You can make the association in Properties for the application, on the Application Management tab.
IMPORTANT
For devices that run operating systems earlier than iOS 7.1, associated policies aren't removed when the app is uninstalled.
If the device is unenrolled from Configuration Manager, policies are not removed from the apps. Apps that had policies
applied retain the policy settings even after the app is uninstalled and reinstalled.
IMPORTANT
If users install the managed browser themselves, it will not be managed by any policies you specify. To ensure that the
browser is managed by Configuration Manager, they must uninstall the app before you can deploy it to them as a managed
app.
You can create managed browser policies for the following device types:
Devices that run Android 4 and later
Devices that run iOS 7 and later
NOTE
For more information and to download the Intune Managed Browser app, see iTunes for iOS and Google Play for Android.
For more about the URL formats you can specify, see URL format for allowed and blocked URLs in this
article.
NOTE
The General policy type lets you change the functionality of apps that you deploy to help bring them into line with
your company compliance and security policies. For example, you can restrict cut, copy, and paste operations within a
restricted app. For more about the General policy type, see Protect apps using mobile application management
policies.
Reference information
URL format for allowed and blocked URLs
Use the following information to learn about the allowed formats and wildcards you can use when specifying URLs
in the allowed and blocked lists.
You can use the wildcard symbol '*' according to the rules in the permitted patterns list below.
Ensure that you prefix all URLs with http or https when entering them into the list.
You can specify port numbers in the address. If you do not specify a port number, the values used will be:
Port 80 for http
Port 443 for https
Using wildcards for the port number is not supported, for example, http://www.contoso.com:* and http://www.contoso.com: /*
Use the following table to learn about the permitted patterns you can use when you specify URLs:
contoso.com/
www.contoso.com
http://www.contoso.com:80 http://www.contoso.com:80
The following are examples of some of the inputs you cannot specify:
*.com
.contoso/\
www.contoso.com/*images
www.contoso.com/images\pigs
www.contoso.com/page*
IP addresses
https://*
http://*
http://www.contoso.com:*
http://www.contoso.com: /*
NOTE
*.microsoft.com is always allowed.
How conflicts between the allow and block list are resolved
If multiple managed browser policies are deployed to a device and the settings conflict, both the mode (allow or
block) and the URL lists are evaluated for conflicts. In case of a conflict, the following behavior applies:
If the modes in each policy are the same but the URL lists are different, the URLs will not be enforced on the
device.
If the modes in each policy are different but the URL lists are the same, the URLs will not be enforced on the
device.
If a device is receiving managed browser policies for the first time and two policies conflict, the URLs will not
be enforced on the device. Use the Policy Conflicts node of the Policy workspace to view the conflicts.
If a device has already received a managed browser policy and a second policy is deployed with conflicting
settings, the original settings remain on the device. Use the Policy Conflicts node of the Policy workspace
to view the conflicts.
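The URL format rules and the conflict rules above are easy to get wrong when lists are assembled by hand, so the following Python helper is an added example (not Configuration Manager or Intune code) that pre-checks list entries and predicts which policy a device will enforce. check_url_entry rejects each kind of input the page says you cannot specify (missing http/https prefix, backslashes, partial wildcards such as *images or page*, IP addresses, bare https://* and http://*, and wildcard ports); its assumption, which generalises those examples, is that '*' may only stand in for a complete host label or a complete path segment. normalize fills in the default ports 80 and 443 named on the page, and resolve applies the four conflict bullets, generalised to any number of policies. Sample URLs reuse the page's contoso.com examples plus a constructed 192.168.1.10 address.

```python
"""Checks for managed browser allowed/blocked URL lists and the allow/block
conflict rules (added example, not Configuration Manager code). How the
product itself matches a pattern at browse time is not reproduced here."""
import ipaddress
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}   # defaults named on the page


def _split_netloc(netloc: str) -> tuple:
    """Return (host, port_text); port_text is '' when no port was given."""
    host, sep, port = netloc.rpartition(":")
    return (host, port) if sep else (port, "")


def check_url_entry(entry: str) -> str:
    """Return 'ok', or a short reason why the list entry is not acceptable."""
    if not re.match(r"^https?://", entry):
        return "must start with http or https"
    if "\\" in entry:
        return "backslash is not a valid separator"
    parts = urlsplit(entry)
    host, port = _split_netloc(parts.netloc)
    if port and not port.strip().isdigit():
        return "wildcard or empty port is not supported"
    if host in ("", "*"):
        return "a bare wildcard host is not allowed"
    try:
        ipaddress.ip_address(host)
        return "IP addresses are not allowed"
    except ValueError:
        pass
    # Assumption: '*' may stand in only for a complete host label or a
    # complete path segment, so '*images' and 'page*' are rejected.
    if any("*" in label and label != "*" for label in host.split(".")):
        return "wildcard must replace a whole host label"
    if any("*" in seg and seg != "*" for seg in parts.path.split("/")):
        return "wildcard must replace a whole path segment"
    return "ok"


def normalize(entry: str) -> tuple:
    """(scheme, host, port, path) with the default port filled in, so entries
    that differ only by an explicit default port compare equal."""
    parts = urlsplit(entry)
    host, port = _split_netloc(parts.netloc)
    scheme = parts.scheme.lower()
    return (scheme, host.lower(),
            int(port) if port else DEFAULT_PORTS[scheme],
            parts.path or "/")


def resolve(existing, incoming):
    """Apply the conflict rules. existing: the (mode, urls) policy the device
    already holds, or None on first receipt; incoming: the (mode, urls)
    policies now deployed. Returns the policy that is enforced, or None.
    Policies agree only if every mode and every normalised URL list match."""
    candidates = ([] if existing is None else [existing]) + list(incoming)
    modes = {mode for mode, _ in candidates}
    lists = {frozenset(normalize(u) for u in urls) for _, urls in candidates}
    if len(modes) == 1 and len(lists) == 1:
        return candidates[0]
    return existing   # conflict: nothing enforced if new, else original stays


if __name__ == "__main__":
    for sample in ("http://www.contoso.com:80", "*.com",
                   "http://www.contoso.com/*images", "http://www.contoso.com:*"):
        print(sample, "->", check_url_entry(sample))
```

Run check_url_entry over every line of a list before you paste it into the wizard; resolve is useful when several policies target overlapping collections, because a device that receives two disagreeing policies for the first time ends up with no URL filtering at all.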
WSfB in System Center Configuration Manager
3/6/2017
NOTE
You can configure only one Intune subscription at a time in hybrid mobile device management.
1. In the Configuration Manager console, go to Administration > Overview > Cloud Services > Microsoft
Intune Subscriptions.
2. Right-click the listed Microsoft Intune Subscription, and then click Delete.
3. In the wizard, click Remove Microsoft Intune Subscription from Configuration Manager, click Next,
and then click Next again to remove the subscription.
IMPORTANT
To deploy profiles to Android, iOS, Windows Phone, and enrolled Windows 8.1 or later devices, these devices must be
enrolled in Microsoft Intune. For information about how to get your devices enrolled, see Enroll devices for management in
Intune.
Create a Wi-Fi profile provides general information about how to use Wi-Fi profiles in Configuration Manager to
deploy wireless network settings to users.
See Deploy Wi-Fi, VPN, email, and certificate profiles for information about deploying Wi-Fi profiles.
How to create PFX certificate profiles in System
Center Configuration Manager
3/6/2017
# Sample values: replace the encrypted PFX blob, password, profile name,
# and user name with your own before running.
$EncryptedPfxBlob = "<blob>"
$Password = "abc"
$ProfileName = "PFX_Profile_Name"
$UserName = "ComputerName\Administrator"
#New pfx
# Connect to the SMS_ClientPfxCertificate WMI class on the site server
# (site server "nksccm", site code "MDM" in this sample) and call its
# ImportForUser method with the values above.
$WMIConnection = ([WMIClass]"\\nksccm\root\SMS\Site_MDM:SMS_ClientPfxCertificate")
$NewEntry = $WMIConnection.psbase.GetMethodParameters("ImportForUser")
$NewEntry.EncryptedPfxBlob = $EncryptedPfxBlob
$NewEntry.Password = $Password
$NewEntry.ProfileName = $ProfileName
$NewEntry.UserName = $UserName
$Resource = $WMIConnection.psbase.InvokeMethod("ImportForUser",$NewEntry,$null)
Connection type | iOS and Mac OS X | Android | Windows 8.1 | Windows RT | Windows RT 8.1 | Windows Phone 8.1 | Windows 10 desktop and mobile
NOTE
The name of a VPN profile that uses Windows 10 VPN features cannot contain Unicode or special characters.
Bypass VPN when connected to company Wi-Fi network: The VPN connection will not be used when the device is connected to the company Wi-Fi network. Enter the trusted network name, used to determine if the device is connected to the company network. Platforms: All.
Network traffic rules: Set which protocols, local and remote port and address ranges will be enabled for the VPN connection. Platforms: All.
DNS servers: Which DNS servers are used by the VPN connection once the connection has been established. Platforms: All.
Apps that automatically connect to the VPN: You can add apps, or import lists of apps, that will automatically use the VPN connection. The type of app will determine the app identifier. For a desktop app, provide the file path of the app. For a universal app, provide the package family name (PFN). To learn how to find the PFN for an app, see Find a package family name for per-app VPN. Platforms: All.
IMPORTANT
We recommend that you secure all lists of associated apps that you compile for use in configuration of per-app VPN. If an
unauthorized user modifies your list and you import it into the per-app VPN app list, you will potentially authorize VPN
access to apps that should not have access. One way you can secure app lists is by using an access control list (ACL).
Certificates: Note: If the client certificate is used to authenticate to a RADIUS server, such as a Network Policy Server, the Subject Alternative Name in the certificate must be set to the User Principal Name.
Connection types (one list per platform):
- Cisco AnyConnect
- Pulse Secure
- F5 Edge Client

- F5 Edge Client

- Microsoft Automatic
- PPTP
- IKEv2
- L2TP

- Microsoft Automatic
- IKEv2
- PPTP
- L2TP

- Microsoft Automatic
- IKEv2
- PPTP
- L2TP

- Microsoft Automatic
- IKEv2
- PPTP
- L2TP

- Microsoft Automatic
- IKEv2
- PPTP
- L2TP

- Microsoft Automatic
- PPTP
- L2TP
NOTE
For iOS devices, the SCEP profile you select will be embedded in the VPN profile. For other platforms,
an applicability rule is added to ensure that the VPN profile is not installed if the certificate is not
present, or not compliant.
If the SCEP certificate you specify is not compliant, or has not been deployed, then the VPN profile will
not be installed on the device.
Devices that run iOS support only RSA SecurID and MSCHAP v2 for the authentication method when
the connection type is PPTP. To avoid reporting errors, deploy a separate PPTP VPN profile to devices
that run iOS.
Conditional access
Choose Enable conditional access for this VPN connection to ensure that devices that
connect to the VPN are tested for conditional access compliance before connecting.
Compliance policies are described in Device compliance policies in System Center
Configuration Manager
Choose Enable single sign-on (SSO) with alternate certificate to choose a certificate
other than the VPN Authentication cert for device compliance. If you choose this option,
provide the EKU (comma-separated list) and Issuer Hash, for the correct certificate that the
VPN Client should locate.
Windows Information Protection - provide the enterprise-managed corporate identity,
which is usually your organization's primary domain, for example, contoso.com. You can
specify multiple domains owned by your organization by separating them with the "|"
character. For example, contoso.com|newcontoso.com.
For information about Windows Information Protection, see Create a Windows Information
Protection (WIP) policy using Microsoft Intune.
NOTE
For some authentication methods, you can click Configure to open the Windows properties dialog box (if the version of
Windows on which you are running the Configuration Manager console supports this authentication method) where you can
configure the authentication method properties.
1. On the Proxy Settings page of the Create VPN Profile Wizard, select the Configure proxy settings for
this VPN profile check box if your VPN connection uses a proxy server. Then, provide the proxy server
information. For more information, see the Windows Server documentation.
NOTE
On Windows 8.1 computers, the VPN profile will not display the proxy information until you connect to the VPN with
that computer.
NOTE
For Windows Phone 8.1 devices only
If the Send all network traffic through the VPN connection option is selected, and the VPN connection is
using full tunneling, for the first profile provisioned on the device, the VPN connection will automatically open.
If you want a different profile to automatically open a connection, you must make it the default profile on the
device.
If the Send all network traffic through the VPN connection option is not selected, and the VPN
connection is using split-tunneling, a VPN connection can automatically be opened if you configure routes, or
a connection specific DNS suffix.
3. On the Supported Platforms page of the Create VPN Profile Wizard, select the operating systems on
which the VPN profile will be installed, or click Select all to install the VPN profile on all available operating
systems.
4. Complete the wizard. The new VPN profile is displayed in the VPN Profiles node in the Assets and
Compliance workspace.
Deploy: See Deploy Wi-Fi, VPN, email, and certificate profiles for information about deploying VPN profiles.
Next steps
Use the following topics to help you plan for, configure, operate, and maintain VPN profiles in Configuration
Manager.
Prerequisites for VPN profiles in System Center Configuration Manager
Security and privacy for VPN profiles in System Center Configuration Manager
Exchange ActiveSync email profiles in System Center
Configuration Manager
3/6/2017
IMPORTANT
To deploy profiles to iOS, Android Samsung KNOX Standard, Windows Phone, and Windows 8.1 or Windows 10 devices,
these devices must be enrolled into Intune. For information about how to get your devices enrolled, see Manage mobile
devices with Microsoft Intune.
In addition to configuring an email account on the device, you can also configure synchronization settings for
contacts, calendars and tasks.
When you create an email profile, you can include a wide range of security settings, including certificates for
identity, encryption and signing that have been provisioned by using System Center Configuration Manager
certificate profiles. For more information about certificate profiles, see Certificate profiles in System Center
Configuration Manager.
NOTE
Before you can select the identity certificate, you must first configure it as a Simple Certificate Enrollment
Protocol (SCEP) certificate profile. For more information about certificate profiles, see Certificate profiles in
System Center Configuration Manager.
This option is only available if you selected Certificates under Authentication method.
Use S/MIME Send outgoing email using S/MIME encryption. This option is applicable to iOS devices
only.
Encryption certificates: Click Select and then select a certificate to use for encryption. This option is
applicable to iOS devices only.
NOTE
Before you can select the encryption certificate, you must first configure it as a Simple Certificate Enrollment
Protocol (SCEP) certificate profile. For more information about certificate profiles, see Certificate profiles in
System Center Configuration Manager.
This option is only available if you selected Use S/MIME.
Signing certificates: Click Select and then select a certificate to use for signing. This option is
applicable to iOS devices only.
NOTE
Before you can select the signing certificate, you must first configure it as a Simple Certificate Enrollment
Protocol (SCEP) certificate profile. For more information about certificate profiles, see Certificate profiles in
System Center Configuration Manager.
AAD DRS will be activated automatically for Intune and Office 365 customers. Customers who have already
deployed the ADFS Device Registration Service will not see registered devices in their on-premises Active
Directory.
You must use an Office 365 subscription that includes Exchange Online (such as E3) and users must be licensed
for Exchange Online.
The optional Exchange Server connector connects Configuration Manager to Microsoft Exchange Online and helps you monitor device information through the Configuration Manager console (see Manage mobile devices with System Center Configuration Manager and Exchange). You do not need to use the connector to use compliance policies or conditional access policies, but it is required to run reports that help evaluate the impact of conditional access.
TIP
If your Exchange environment is in a CAS server configuration, then you must configure the on-premises Exchange connector
to point to one of the CAS servers.
You must use the Exchange Server connector which connects Configuration Manager to Microsoft Exchange On-
premises. This lets you manage mobile devices and enables conditional access (see Manage mobile devices with System
Center Configuration Manager and Exchange).
Make sure that you are using the latest version of the on-premises Exchange connector. The on-premises
Exchange connector should be configured through the Configuration Manager console. For a detailed
walkthrough, see Manage mobile devices with System Center Configuration Manager and Exchange.
The connector must be configured only on the System Center Configuration Manager primary site.
This connector supports Exchange CAS environments.
When configuring the connector, you must set it so it talks to one of the Exchange CAS servers.
Exchange ActiveSync can be configured with certificate-based authentication or user credential entry.
Next Steps
Read the following topics to learn how to configure compliance policies and conditional access policies for your
required scenario:
Manage device compliance policies in System Center Configuration Manager
Manage email access in System Center Configuration Manager
Manage SharePoint Online access in System Center Configuration Manager
Manage Skype for Business Online access
See also
Get started with compliance settings in System Center Configuration Manager
Device compliance policies in System Center
Configuration Manager
3/9/2017
IMPORTANT
This article describes the compliance policies for devices managed by Microsoft Intune. The compliance policies for PCs managed by System Center Configuration Manager are described in Manage access to O365 services for PCs managed by System Center Configuration Manager.
Windows 10 and Windows 10 Mobile are Quarantined.
Remediated = Compliance is enforced by the device operating system (for example, the user is forced to set a
PIN). There is never a case when the setting will be noncompliant.
Quarantined = The device operating system does not enforce compliance (for example, Android devices do not
force the user to encrypt the device). In this case:
The device will be blocked if the user is targeted by a conditional access policy.
The company portal or web portal will notify the user about any compliance issues.
Next Steps
Create and deploy a device compliance policy
See also
Manage access to services in System Center Configuration Manager
Create and deploy a device compliance policy
3/9/2017
For devices managed by Intune, choose the Compliance rules for devices managed without
configuration manager client option. When you select this option you can also select the type of
platform you want this policy to apply to.
Noncompliance severity for reports: Specify the severity level that is reported if this compliance
policy is evaluated as noncompliant. The available severity levels are the following:
None - devices that fail this compliance rule do not report a failure severity for Configuration
Manager reports.
Information - devices that fail this compliance rule report a failure severity of Information for
Configuration Manager reports.
Warning - devices that fail this compliance rule report a failure severity of Warning for
Configuration Manager reports.
Critical - devices that fail this compliance rule report a failure severity of Critical for
Configuration Manager reports.
Critical with event - devices that fail this compliance rule report a failure severity of Critical for Configuration Manager reports. This severity level is also logged as a Windows event in the application event log.
5. On the Supported Platforms page, choose the device platforms that this compliance policy will be
evaluated on, or click Select all to choose all device platforms.
6. On the Rules page, you define one or more rules that define the configuration that devices must have in
order to be evaluated as compliant. When you create a compliance policy, some rules are enabled by default,
but you can edit or delete these. For a full list of all the rules see the Compliance policy rules section later
in this topic.
NOTE
On Windows PCs, Windows operating system version 8.1 is reported as 6.3 instead of 8.1. If the OS version rule is set to Windows 8.1 for Windows, then the device will be reported as noncompliant even if the device has Windows OS 8.1. Make sure you set the correct reported version of Windows for the Minimum and Maximum OS rules. The version number must match the version returned by the winver command. Windows Phones do not have this issue; the version is reported as 8.1 as expected.
For Windows PCs with the Windows 10 operating system, the version should be set as "10.0." + the OS build number returned by the winver command. For example, it could be something like 10.0.10586.
Windows 10 Mobile does not have this issue.
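To see why the note matters, the following Python snippet (an added example, not Configuration Manager code) evaluates a minimum/maximum OS version rule the way a numeric version comparison does, against the version strings the note says each device type reports. The device labels pc-win81, phone-win81 and pc-win10 are constructed; the reported values 6.3, 8.1 and 10.0.10586 come from the note.

```python
"""Minimum/maximum OS version rule evaluation against the version a device
actually reports (added example, not Configuration Manager code). Dotted
version strings are compared numerically, so 6.3 (what a Windows 8.1 PC
reports) sorts below a rule written as 8.1."""


def parse_version(text: str) -> tuple:
    """'10.0.10586' -> (10, 0, 10586). Raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))


def version_rule_compliant(reported: str, minimum: str = None,
                           maximum: str = None) -> bool:
    """True when the reported version lies within [minimum, maximum].
    A shorter version compares as a prefix, so '10.0' < '10.0.10586'."""
    value = parse_version(reported)
    if minimum is not None and value < parse_version(minimum):
        return False
    if maximum is not None and value > parse_version(maximum):
        return False
    return True


# Constructed inventory: the winver value each device type reports (values
# from the note above; the device names are sample labels).
REPORTED = {
    "pc-win81": "6.3",            # Windows 8.1 PC reports 6.3
    "phone-win81": "8.1",         # Windows Phone 8.1 reports 8.1
    "pc-win10": "10.0.10586",     # Windows 10 PC: "10.0." + build number
}


def evaluate_minimum_rule(minimum: str, inventory: dict = REPORTED) -> dict:
    """Map each device to its compliance result for a minimum-OS rule."""
    return {name: version_rule_compliant(ver, minimum=minimum)
            for name, ver in inventory.items()}


if __name__ == "__main__":
    # A rule written as "8.1" marks every Windows 8.1 PC noncompliant.
    print(evaluate_minimum_rule("8.1"))
    # Writing the reported value, "6.3", gives the intended result.
    print(evaluate_minimum_rule("6.3"))
```

The practical consequence: keep separate rules for Windows PCs and Windows Phones, and type the value winver shows rather than the marketing version.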
1. On the Summary page of the wizard, review the settings you made, and then complete the wizard.
The new policy displays in the Compliance Policies node of the Assets and Compliance workspace.
NOTE
PCs should be domain joined or be compliant with the policies set in Intune.
Device requirements
If you configure conditional access, before a user can connect to their email, the device they use must:
Be enrolled with Intune or a domain joined PC.
Register the device in Azure Active Directory (this happens automatically when the device is enrolled with
Intune (for Exchange Online only). Additionally, the client Exchange ActiveSync ID must be registered with
Azure Active Directory (does not apply to Windows and Windows Phone devices connecting to Exchange
On-premises).
For a domain joined PC, you must set it to automatically register with Azure Active Directory. Conditional
Access for PCs section in the Manage access to services in System Center Configuration Manager topic lists
the full set of requirements to enable conditional access for PCs.
Be compliant with any Configuration Manager compliance policies deployed to that device
If a conditional access condition is not met, the user is presented with one of the following messages when
they log in:
If the device is not enrolled with Intune, or is not registered in Azure Active Directory, a message is displayed
with instructions about how to install the company portal app, enroll the device, and (for Android and iOS
devices), activate email, which associates the device's Exchange ActiveSync ID with the device record in
Azure Active Directory.
If the device is not compliant, a message is displayed that directs the user to the Intune web portal where
they can find information about the problem and how to remediate it.
For mobile devices:
You can restrict access to Outlook Web Access (OWA) on Exchange Online when accessed from a browser on
iOS and Android devices. Access is allowed only from supported browsers on compliant devices:
Safari (iOS)
Chrome (Android)
Managed Browser (iOS and Android)
Unsupported browsers will be blocked. The OWA apps for iOS and Android are not supported. They should be
blocked through ADFS claims rules:
Set up ADFS claims rules to block non-modern authentication protocols. Detailed instructions are provided
in scenario 3 - block all access to O365 except browser based applications.
For PCs:
If the conditional access policy requirement is to allow domain joined or compliant devices, a message with
instructions about how to enroll the device is displayed. If the PC does not meet either of the requirements,
the user will be asked to enroll the device with Intune.
If the conditional access policy requirement is set to allow only domain joined Windows devices, the device is
blocked and a message to contact the IT admin is displayed.
You can block access to Exchange email from the device's built-in Exchange ActiveSync email client on the
following platforms:
Android 4.0 and later, Samsung KNOX Standard 4.0 and later
iOS 7.1 and later
Windows Phone 8.1 and later
The Mail application on Windows 8.1 and later
The Outlook app for iOS and Android, and Outlook desktop 2013 and later, are supported only for Exchange
Online.
The on-premises Exchange connector between Configuration Manager and Exchange is required for
conditional access to work.
You can configure a conditional access policy for Exchange On-premises from the Configuration Manager
console. When you configure a conditional access policy for Exchange Online, you can begin the process in
the Configuration Manager console, which launches the Intune console where you can complete the process.
NOTE
Windows Phone devices always display a value in this column.
Devices that are part of a targeted group or collection will be blocked from accessing Exchange unless the
column values match those listed in the following table:
MANAGEMENT CHANNEL | AAD REGISTERED | COMPLIANT | EAS ACTIVATED | RESULTING ACTION
You can export the contents of the report and use the Email Address column to help you inform users that they
will be blocked.
Step 2: Configure user groups or collections for the conditional access policy
You target conditional access policies to different groups or collections of users depending on the policy type.
These groups contain the users that are targeted by, or exempt from, the policy. When a user is targeted by a policy,
each device they use must be compliant in order to access email.
The Exchange Online policy is targeted to Azure Active Directory security user groups. You can configure these
groups in the Office 365 admin center, or the Intune account portal.
The Exchange On-premises policy is targeted to Configuration Manager user collections. You can configure
these in the Assets and Compliance workspace.
You can specify two group types in each policy:
Targeted groups - User groups or collections to which the policy is applied
Exempted groups - User groups or collections that are exempt from the policy (optional)
If a user is in both, they will be exempt from the policy.
Only the groups or collections which are targeted by the conditional access policy are evaluated for
Exchange access.
Step 3: Configure and deploy a compliance policy
Ensure that you have created and deployed a compliance policy to all devices that the Exchange conditional access
policy will be targeted to.
For details about how to configure the compliance policy, see Manage device compliance policies in System Center
Configuration Manager.
IMPORTANT
If you have not deployed a compliance policy and then enable an Exchange conditional access policy, all targeted devices will
be allowed access.
NOTE
You can also create conditional access policy in the Azure AD management console. Azure AD management console allows
you to create the Intune device conditional access policies (referred to as the device-based conditional access policy in Azure
AD) in addition to other conditional access policies like multi-factor authentication. You can also set conditional access
policies for third-party Enterprise apps like Salesforce and Box that Azure AD supports. For more details, see How to set
Azure Active Directory device-based conditional access policy for access control to Azure Active Directory connected
applications.
The following flow is used by conditional access policies for Exchange Online to evaluate whether to allow or block
devices.
To access email, the device must:
Enroll with Intune
PCs must either be domain joined or be enrolled and compliant with the policies set in Intune.
Register the device in Azure Active Directory (this happens automatically when the device is enrolled with
Intune).
For domain joined PCs, you must set it up to automatically register the device with Azure Active Directory.
Have activated email, which associates the device's Exchange ActiveSync ID with the device record in Azure
Active Directory (applies to iOS and Android devices only).
Be compliant with any deployed compliance policies
The device state is stored in Azure Active Directory which grants or blocks access to email, based on the
evaluated conditions.
If a condition is not met, the user will be presented with one of the following messages when they log in:
If the device is not enrolled, or registered in Azure Active Directory, a message is displayed with instructions
about how to install the company portal app and enroll
If the device is not compliant, a message is displayed that directs the user to the Intune Company Portal
website or the Company Portal app where they can find information about the problem and how to
remediate it.
For a PC:
If the policy is set to require domain join, and the PC is not domain joined, a message is displayed to
contact the IT admin.
If the policy is set to require domain join or compliant, and the PC does not meet either requirement,
a message is displayed with instructions about how to install the company portal app and enroll.
The message is displayed on the device for Exchange Online users and tenants in the new Exchange Online
Dedicated environment, and is delivered to the users email inbox for Exchange On-premises and legacy
Exchange Online Dedicated devices.
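The evaluation flow above, as an added example that is not part of the documentation: a small model of the Exchange Online decision (targeted/exempted groups, then enrolled, registered in Azure AD, email activated, compliant, and the three PC requirement options) that returns the allow/block result together with the message the text says the user sees. The field names, the strings for the three PC options and the group names in the demo are assumptions made for this illustration.

```python
"""Added example (not the documentation's own code): model the allow/block flow
for Exchange Online conditional access described on this page."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple

MOBILE = {"ios", "android", "windows_phone"}
ALLOW, BLOCK = "allow", "block"

# Messages the page says are shown for each failed condition (paraphrased).
ENROLL_MSG = "install the Company Portal app and enroll the device"
ACTIVATE_MSG = "activate email so the Exchange ActiveSync ID is registered in Azure AD"
REMEDIATE_MSG = "open the Company Portal to see why the device is non-compliant and remediate it"
CONTACT_MSG = "contact your IT admin"


@dataclass(frozen=True)
class Device:
    platform: str                 # "ios", "android", "windows_phone" or "windows_pc" (assumed names)
    enrolled: bool = False        # enrolled with Intune
    aad_registered: bool = False  # registered in Azure Active Directory
    eas_activated: bool = False   # email activated (iOS and Android only)
    compliant: bool = False       # compliant with deployed compliance policies
    domain_joined: bool = False   # PCs only


@dataclass(frozen=True)
class Policy:
    targeted: FrozenSet[str]
    exempted: FrozenSet[str] = frozenset()
    # Assumed encoding of the three PC options the page lists:
    # "domain_joined_or_compliant", "domain_joined", "compliant"
    pc_requirement: str = "domain_joined_or_compliant"
    compliance_policy_deployed: bool = True


def evaluate(user_groups: Iterable[str], device: Device, policy: Policy) -> Tuple[str, str]:
    """Return (action, message) for one user/device pair under the policy."""
    groups = set(user_groups)
    # Only targeted users are evaluated; a user in both lists is exempt.
    if not groups & policy.targeted or groups & policy.exempted:
        return ALLOW, "user not evaluated by the policy (Exchange rules apply instead)"
    # With no compliance policy deployed, targeted devices are treated as compliant.
    compliant = device.compliant or not policy.compliance_policy_deployed
    if device.platform == "windows_pc":
        return _evaluate_pc(device, compliant, policy.pc_requirement)
    if device.platform not in MOBILE:
        raise ValueError(f"unknown platform {device.platform!r}")
    if not device.enrolled or not device.aad_registered:
        extra = " and activate email" if device.platform in {"ios", "android"} else ""
        return BLOCK, ENROLL_MSG + extra
    if device.platform in {"ios", "android"} and not device.eas_activated:
        return BLOCK, ACTIVATE_MSG
    if not compliant:
        return BLOCK, REMEDIATE_MSG
    return ALLOW, "device is enrolled, registered and compliant"


def _evaluate_pc(device: Device, compliant: bool, requirement: str) -> Tuple[str, str]:
    """Apply one of the three PC requirement options from the page."""
    managed_ok = device.enrolled and compliant
    if requirement == "domain_joined":
        return (ALLOW, "PC is domain joined") if device.domain_joined else (BLOCK, CONTACT_MSG)
    if requirement == "domain_joined_or_compliant":
        if device.domain_joined:
            return ALLOW, "PC is domain joined"
        return (ALLOW, "PC is enrolled and compliant") if managed_ok else (BLOCK, ENROLL_MSG)
    if requirement == "compliant":
        if not device.enrolled:
            return BLOCK, ENROLL_MSG
        return (ALLOW, "PC is enrolled and compliant") if compliant else (BLOCK, REMEDIATE_MSG)
    raise ValueError(f"unknown PC requirement {requirement!r}")


if __name__ == "__main__":
    # Constructed demo: "sales" is targeted, "execs" exempted.
    policy = Policy(targeted=frozenset({"sales"}), exempted=frozenset({"execs"}))
    cases = [
        ({"sales"}, Device("ios")),
        ({"sales"}, Device("ios", enrolled=True, aad_registered=True)),
        ({"sales"}, Device("ios", True, True, True, True)),
        ({"sales"}, Device("windows_pc")),
        ({"sales", "execs"}, Device("windows_pc")),
    ]
    for groups, dev in cases:
        print(groups, dev.platform, "->", evaluate(groups, dev, policy))
```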
NOTE
Configuration Manager conditional access rules override the allow, block and quarantine rules that are defined in the Exchange
Online admin console.
NOTE
Conditional access policy must be configured in the Intune console. The following steps begin by accessing the Intune
console through Configuration Manager. If prompted, log in using the same credentials that were used to set up the service
connection point between Configuration Manager and Intune.
To enable the Exchange Online policy
5. On the Exchange Online Policy page, select Enable conditional access policy for Exchange Online. If
you check this, the device must be compliant. If this is not checked then conditional access is not applied.
NOTE
If you have not deployed a compliance policy and then enable the Exchange Online policy, all targeted devices are
reported as compliant.
Regardless of the compliance state, all users who are targeted by the policy will be required to enroll their devices
with Intune.
6. Under Application access, for Outlook and other apps using modern authentication, you can choose to
restrict access only to devices that are compliant for each platform. Windows devices must either be domain
joined, or be enrolled in Intune and compliant.
TIP
Modern authentication brings Active Directory Authentication Library (ADAL)-based sign in to Office clients.
The ADAL based authentication enables Office clients to engage in browser-based authentication (also known
as passive authentication). To authenticate, the user is directed to a sign-in web page.
This new sign-in method enables new scenarios such as conditional access based on device compliance
and on whether multi-factor authentication was performed.
This article has more detailed information on how modern authentication works.
Using Exchange Online with Configuration Manager and Intune, you can manage not only mobile devices
but also desktop computers with conditional access. PCs must either be domain joined, or be
enrolled in Intune and compliant. You can set the following requirements:
Devices must be domain joined or compliant. PCs must either be domain joined or compliant
with the policies. If a PC does not meet either of these requirements, the user is prompted to enroll
the device with Intune.
Devices must be domain joined. PCs must be domain joined to access Exchange Online. If a PC is
not domain joined, access to email is blocked and the user is prompted to contact the IT admin.
Devices must be compliant. PCs must be enrolled in Intune and compliant. If a PC is not enrolled, a
message with instructions on how to enroll is displayed.
7. Under Outlook web access (OWA), you can choose to allow access to Exchange Online only through the
supported browsers: Safari (iOS), and Chrome (Android). Access from other browsers will be blocked. The
same platform restrictions you selected for Application access for Outlook also apply here.
On Android devices, users must enable the browser access. To do this the end-user must enable the "Enable
Browser Access" option on the enrolled device as follows:
a. Launch the Company Portal app.
b. Go to the Settings page from the triple dots (...) or the hardware menu button.
c. Press the Enable Browser Access button.
d. In the Chrome browser, sign out of Office 365 and restart Chrome.
On iOS and Android platforms, to identify the device that is used to access the service, Azure Active
Directory will issue a Transport Layer Security (TLS) certificate to the device. The device displays the
certificate with a prompt to the end-user to select the certificate, as seen in the screenshots below. The
end-user must select this certificate before they can continue to use the browser.
(Screenshots: iOS, Android)
8. For Exchange ActiveSync mail apps, you can choose to block email from accessing Exchange Online if the
device is noncompliant, and select whether to allow or block access to email when Intune cannot manage
the device.
9. Under Targeted Groups, select the Active Directory security groups of users to which the policy will apply.
NOTE
For users that are in the Targeted groups, the Intune policies will replace Exchange rules and policies.
Exchange will only enforce Exchange allow, block and quarantine rules, and Exchange policies if:
The user is not licensed for Intune.
The user is licensed for Intune, but the user does not belong to any security groups targeted in the
conditional access policy.
10. Under Exempted Groups, select the Active Directory security groups of users that are exempt from this
policy. If a user is in both the targeted and exempted groups, they will be exempt from the policy and will
have access to their email.
11. When you are finished, click Save.
You do not have to deploy the conditional access policy; it takes effect immediately.
After a user creates an email account, the device is blocked immediately.
If a blocked user enrolls the device with Intune (or remediates noncompliance), email access is unblocked
within 2 minutes.
If the user un-enrolls their device, email is blocked after about 6 hours.
For Exchange on-premises (and tenants in the legacy Exchange Online Dedicated environment)
The following flow is used by conditional access policies for Exchange on-premises and tenants in the legacy
Exchange Online Dedicated environment to evaluate whether to allow or block devices.
To enable the Exchange On-premises policy
NOTE
There is an issue with the default override for Android devices. If the default access rule of the Exchange server is set
to Block and the Exchange conditional access policy is enabled with the default rule override option, then the
Android devices of the targeted users may not get unblocked even after the devices are Intune enrolled and
compliant. To work around this issue, set the Exchange default access rule to Quarantine. The device does not get
access to Exchange by default, and the administrator can get a report from the Exchange server on the list of devices
that are being quarantined.
If you have not set up a notification email account when you set up the Exchange connector, you will see a
warning on this page, and the Next button is disabled. Before you can proceed, you must first configure the
notification email settings in the Exchange Connector and then come back to the Configure Conditional
Access Policy Wizard to complete the process.
Click Next.
5. On the Targeted Collections page, add one or more user collections. In order to access Exchange, users in
these collections must enroll their devices with Intune and also be compliant with any compliance policies
you deployed.
Click Next.
6. On the Exempted Collections page, add any user collections that you want to be exempt from the
conditional access policy. Users in these groups do not need to enroll their devices with Intune and do not
need to be compliant with any deployed compliance policies in order to access Exchange.
If a user appears in both the targeted and exempted lists, they will be exempt from the conditional access
policy.
Click Next.
7. On the Edit User Notification page, configure the email that Intune sends to users with instructions about
how to unblock their device (in addition to the email that Exchange sends).
You can edit the default message and use HTML tags to format how the text appears. You can also send an
email in advance to your employees notifying them of the upcoming changes and providing them with
instructions about enrolling their devices.
NOTE
Because the Intune notification email containing remediation instructions is delivered to the user's Exchange mailbox,
in the event that the user's device gets blocked before they receive the email message, they can use an unblocked
device or other method to access Exchange and view the message.
NOTE
In order for Exchange to be able to send the notification email, you must configure the account that will be used to
send the notification email. You do this when you configure the properties of the Exchange Server connector.
For details, see Manage mobile devices with System Center Configuration Manager and Exchange.
Click Next.
8. On the Summary page, review your settings, and then complete the wizard.
You do not have to deploy the conditional access policy; it takes effect immediately.
After a user sets up an Exchange ActiveSync profile, it might take from 1-3 hours for the device to be
blocked (if it is not managed by Intune).
If a blocked user then enrolls the device with Intune (or remediates noncompliance), email access will be
unblocked within 2 minutes.
If the user un-enrolls from Intune it might take from 1-3 hours for the device to be blocked.
See also
Manage access to services in System Center Configuration Manager
Manage SharePoint Online access in System Center Configuration Manager
3/9/2017 • 7 min to read
NOTE
PCs should be domain joined or be compliant with the policies set in Intune.
When a targeted user attempts to connect to a file using a supported app such as OneDrive on their device, the
following evaluation occurs:
NOTE
While compliance policies are deployed to Intune groups, or Configuration Manager collections, conditional access policies
are targeted to Azure Active Directory security groups.
For details about how to configure the compliance policy, see Manage device compliance policies in System Center
Configuration Manager.
IMPORTANT
If you have not deployed a compliance policy and then enable the SharePoint Online policy, all targeted devices will be
allowed access.
NOTE
You can also create conditional access policy in the Azure AD management console. Azure AD management console allows
you to create the Intune device conditional access policies (referred to as the device-based conditional access policy in Azure
AD) in addition to other conditional access policies like multi-factor authentication. You can also set conditional access
policies for third-party Enterprise apps like Salesforce and Box that Azure AD supports. For more details, see How to set
Azure Active Directory device-based conditional access policy for access control to Azure Active Directory connected
applications.
TIP
Modern authentication brings Active Directory Authentication Library (ADAL)-based sign in to Office clients.
The ADAL based authentication enables Office clients to engage in browser-based authentication (also known
as passive authentication). To authenticate, the user is directed to a sign-in web page.
This new sign-in method enables new scenarios such as conditional access based on device compliance
and on whether multi-factor authentication was performed.
This article has more detailed information on how modern authentication works.
For Windows PCs, the PC must either be domain joined, or enrolled with Intune and compliant. You can set
the following requirements:
Devices must be domain joined or compliant. This means that the PCs must either be domain
joined or compliant with the policies set in Intune. If the PC does not meet either of these
requirements, the user is prompted to enroll the device with Intune.
Devices must be domain joined. This means that the PCs must be domain joined to access
Exchange Online. If the PC is not domain joined access to email is blocked and the user is prompted
to contact the IT admin.
Devices must be compliant. This means that the PCs must be enrolled in Intune and compliant. If
the PC is not enrolled, a message with instructions on how to enroll is displayed.
4. Under Browser access to SharePoint Online and OneDrive for Business, you can choose to allow access to
Exchange Online only through the supported browsers: Safari (iOS), and Chrome (Android). Access from
other browsers will be blocked. The same platform restrictions you selected for Application access for
OneDrive also apply here.
On Android devices, users must enable the browser access. To do this the end-user must enable the
"Enable Browser Access" option on the enrolled device as follows:
a. Launch the Company Portal app.
b. Go to the Settings page from the triple dots (...) or the hardware menu button.
c. Press the Enable Browser Access button.
d. In the Chrome browser, sign out of Office 365 and restart Chrome.
On iOS and Android platforms, to identify the device that is used to access the service, Azure Active
Directory will issue a Transport Layer Security (TLS) certificate to the device. The device displays the
certificate with a prompt to the end-user to select the certificate, as seen in the screenshots below. The end-
user must select this certificate before they can continue to use the browser.
(Screenshots: iOS, Android)
5. On the Home tab, in the Links group, click Configure Conditional Access Policy in the Intune Console.
You might need to supply the user name and password of the account used to connect Configuration
Manager with Intune.
The Intune admin console will open.
6. In the Microsoft Intune administration console, click Policy > Conditional Access > SharePoint Online
Policy.
7. Select Block apps from accessing SharePoint Online if the device is noncompliant.
8. Under Targeted Groups, click Modify to select the Azure Active Directory security groups to which the
policy will apply.
9. Under Exempted Groups, optionally, click Modify to select the Azure Active Directory security groups that
are exempt from this policy.
10. When you are done, click Save.
You do not have to deploy the conditional access policy; it takes effect immediately.
See Manage SharePoint Online access with Microsoft Intune for information about how you can monitor the
policy from the Intune console.
See also
Manage access to services in System Center Configuration Manager
Manage Skype for Business Online access
3/9/2017 • 3 min to read
Prerequisites
Enable modern authentication for Skype for Business Online. Fill in this Connect form to be enrolled in the
modern authentication program.
All your end-users must be using Skype for Business Online. If you have a deployment with both Skype for
Business Online and Skype for Business on-premises, conditional access policy will not be applied to end-
users.
The device that needs access to Skype for Business Online must:
Be an Android or iOS device.
Be enrolled with Intune.
Be compliant with any deployed Intune compliance policies.
The device state is stored in Azure Active Directory which grants or blocks access, based on the conditions
you specify.
If a condition is not met, the user is presented with one of the following messages when they log in:
If the device is not enrolled with Intune, or is not registered in Azure Active Directory, a message is displayed
with instructions about how to install the company portal app and enroll.
If the device is not compliant, a message is displayed that directs the user to the Intune Company Portal
website or Company Portal app where they can find information about the problem, and how to remediate
it.
NOTE
If you have not deployed a compliance policy and then enable the Skype for Business Online policy, all targeted devices will
be allowed access if they are enrolled in Intune.
NOTE
While compliance policies are deployed to Microsoft Intune groups, conditional access policies are targeted to Azure Active
Directory security groups.
IMPORTANT
If you have not deployed a compliance policy, the devices will be treated as compliant.
IMPORTANT
This is a pre-release feature available in update 1602, update 1606, and update 1610. Pre-release features are included in the
product for early testing in a production environment, but should not be considered production ready. For more information,
see Use pre-release features from updates.
After you install update 1602, the feature type displays as released even though it is pre-release.
If you then update from 1602 to 1606, the feature type displays as released even though it remains pre-release.
If you update from version 1511 directly to 1606, the feature type displays as pre-release.
If you are looking for information on how to configure conditional access for devices enrolled and managed by
Intune, or PCs that are domain joined and are not evaluated for compliance, see Manage access to services in
System Center Configuration Manager.
Supported Services
Exchange Online
SharePoint Online
Supported PCs
Windows 7
Windows 8.1
Windows 10 is not yet fully supported. If you try to set up conditional access for Windows 10 PCs, you may
encounter some issues. See Known issues for more details.
NOTE
The same security user group should be used for deploying the compliance policy and as the Targeted Group for the conditional
access policy.
Under Exempted Groups, optionally, click Modify to select the Azure Active Directory security groups that
are exempt from this policy.
7. Click Save to create and save the policy.
End-users who are blocked due to noncompliance can view compliance information in the System Center
Configuration Manager Software Center and can initiate a new policy evaluation when compliance issues are
remediated.
Known issues
You may see the following issues when using this feature:
In the 1602 update, the 5-day compliance requirement is not enforced. Even if the compliance check on the end-user's device
happened more than 5 days ago, users can still access Office 365 and SharePoint Online.
When a device is not compliant with the compliance policy, the reason is not automatically displayed. The
end-user must go to the new Software Center to find the reason for non-compliance. The reason is
displayed in the Device compliance section of the Software Center.
Windows 10 users may see multiple access failures when trying to reach O365 and/or SharePoint online
resources. Note that conditional access is not fully supported for Windows 10.
See also
Protect data and site infrastructure with System Center Configuration Manager
Manage access to company resources based on device, network, and application risk
3/6/2017 • 3 min to read
Supported platforms:
Android 4.1 and later, and enrolled in Microsoft Intune.
iOS 8 and later, and enrolled in Microsoft Intune. For information about platforms and languages that Lookout
supports, see this article.
Prerequisites:
Hybrid MDM deployment
A subscription to Microsoft Intune, and Azure Active Directory.
An enterprise subscription to Lookout Mobile Endpoint Security. For more information, see Lookout Mobile
Endpoint Security.
Example scenarios
Following are some common scenarios:
Control access based on threat from malicious apps:
When malicious apps such as malware are detected on the device, you can block such devices from:
Connecting to corporate e-mail before resolving the threat.
Synchronizing corporate files using the OneDrive for Work app.
Accessing business-critical apps.
Access blocked when malicious apps are detected:
Device unblocked and is able to access company resources when the threat is remediated:
IMPORTANT
An existing Lookout Mobile Endpoint Security tenant that is not already associated with your Azure AD tenant cannot be
used for the integration with Azure AD and Intune. Contact Lookout support to create a new Lookout Mobile Endpoint
Security tenant. Use the new tenant to onboard your Azure AD users.
Use the following section to gather the information you need to give to the Lookout support team.
When you choose the name of your subscription, the resulting URL includes the subscription ID. If you have any
issues finding your subscription ID, see this Microsoft support article for tips on finding your subscription ID.
Azure AD Group ID
The Lookout console supports two levels of access:
Full Access: The Azure AD admin can create a group for users that will have Full Access and optionally create a
group for users that will have Restricted Access. Only users in these groups will be able to log in to the Lookout
console.
Restricted Access: The users in this group will have no access to several configuration and enrollment related
modules of the Lookout console, and have read-only access to the Security Policy module of the Lookout
console.
For more details on the permissions, read this article on the Lookout website.
The Group Object ID is on the Properties page of the group in the Azure AD management console.
Once you have gathered this information, contact Lookout support (email: enterprisesupport@lookout.com).
Lookout Support will work with your primary contact to onboard your subscription and create your Lookout
Enterprise account, using the information that you collected.
2. In the connection settings option, configure the heartbeat frequency in minutes. Your Intune connector is
now ready.
Step 3: Configure enrollment groups
On the Enrollment Management option, define a set of users whose devices should be enrolled with Lookout.
The best practice is to start with a small group of users to test and become familiar with how the integration works.
Once you are satisfied with your test results, you can extend the enrollment to additional groups of users.
To get started with enrollment groups, first define an Azure AD security group that would be a good first set of
users to enroll in Lookout device threat protection. Once you have created the group in Azure AD, in the Lookout
Console, go to the Enrollment Management option and add the Azure AD security group Display Name(s) for
enrollment.
When a user is in an enrollment group, any of their devices that are identified and supported in Azure AD are
enrolled and eligible for activation in Lookout device threat protection. The first time they open the Lookout for
Work app on their supported device, the device is activated in Lookout.
The best practice is to use the default (5 minutes) for the increment of time to check for new devices.
IMPORTANT
The display name is case sensitive. Use the Display Name as shown in the Properties page of the security group in the
Azure portal. Note in the picture below that on the Properties page of the security group, the Display Name is in camel case. The
title, however, is displayed in all lower case and should not be used when entering the name into the Lookout console.
If you no longer want to receive email notifications, set the notifications to OFF and save your changes.
Step 8: Configure threat classification
Lookout device threat protection classifies mobile threats of various types. The Lookout threat classifications have
default risk levels associated with them. These can be changed at any time to suit your company requirements.
IMPORTANT
The risk levels specified here are an important aspect of device threat protection because the Intune integration calculates
device compliance according to these risk levels at runtime. In other words, the Intune administrator sets a rule in policy to
identify a device as non-compliant if the device has an active threat with a minimum level of: high, medium, or low. The
threat classification policy in Lookout device threat protection directly drives the device compliance calculation in Intune.
Watching enrollment
Once the setup is complete, Lookout device threat protection starts to poll Azure AD for devices that correspond to
the specified enrollment groups. You can find information about the devices enrolled on the Devices module. The
initial status for devices is shown as pending. The device status changes once the Lookout for Work app is
installed, opened, and activated on the device. For details on how to get the Lookout for Work app pushed to the
device, see the Configure and deploy Lookout for Work apps topic.
Next steps
Enable Lookout MTP connection in Intune
Enable Lookout MTP connection in the Intune admin console
3/6/2017 • 1 min to read
This completes the setup of the Lookout and Intune integration in the Intune administrator console. The next few
steps to implement this solution involve deploying the Lookout for Work apps and setting up the compliance
policy.
IMPORTANT
You must configure the Lookout for Work app before creating compliance policy rules and configuring conditional access.
This ensures that the app is ready and available for end users to install before they can get access to email or other company
resources.
Next steps
Configure Lookout for Work app
Configure and deploy Lookout for Work apps
3/6/2017 • 3 min to read
IMPORTANT
You must select the same users that were added to the Enrollment Management option in the Lookout MTP console.
Choose the Required Install option to require that the Lookout app be installed on the user’s device.
Next steps
Enable device threat protection rule in the compliance policy
Enable device threat protection rule in the compliance policy
3/6/2017 • 2 min to read
To resolve this issue, the global admin user must log in to https://aad.lookout.com/les?action=consent and accept
the prompt to initiate the setup. More detailed information can be found in the Set up your subscription with Lookout
MTP topic.
On-premises Mobile Device Management differs from Microsoft Intune, which also relies on built-in OMA DM
capabilities but delivers all of the management functions through cloud services. On-premises Mobile Device
Management also differs from the client-based management solution traditionally offered by Configuration
Manager: it relies on similar enterprise infrastructure but does not use separately installed client software on
the computers and devices it manages.
The table below lists the advantages and disadvantages of On-premises Mobile Device Management as compared
to traditional client-based management:
ADVANTAGES
Simplified infrastructure - Fewer site system roles are required.
Easier to maintain - Because management functionality is built in to the device operating system, new versions of the client software are not required when new management features are introduced to the Configuration Manager system.
DISADVANTAGES
Less client management functionality - No orchestration, software metering, third-party integration, task sequencing, or software center support.
Limited device support - Currently On-premises Mobile Device Management only supports devices running Windows 10 and Windows 10 Mobile.
The following topics provide information you can use to plan, prepare, and enroll devices for On-premises Mobile
Device Management:
Plan for On-premises Mobile Device Management in System Center Configuration Manager
Learn about what to consider when setting up the Configuration Manager infrastructure and planning for
device enrollment in On-premises Mobile Device Management.
Preparation steps for On-premises Mobile Device Management in System Center Configuration Manager
Learn about how to get the Configuration Manager system ready for On-premises Mobile Device
Management by setting up the Microsoft Intune subscription, setting up certificates, installing site system
roles, and setting up device enrollment.
Enroll devices for On-premises Mobile Device Management in System Center Configuration Manager
Learn about how enrollment occurs, how users can enroll their own devices, and how to bulk-enroll devices
with an enrollment package.
Plan for On-premises Mobile Device Management in System Center Configuration Manager
3/6/2017
Supported devices
On-premises Mobile Device Management allows you to manage mobile devices using the management
capabilities built into the device operating systems. The management capability is based on the Open Mobile
Alliance (OMA) Device Management (DM) standard, and many device platforms use this standard to allow the
devices to be managed. We call these modern devices (in the documentation and the Configuration Manager
console user interface) to distinguish them from other devices that require the Configuration Manager client to
manage them.
NOTE
The current branch of Configuration Manager supports enrollment in On-premises Mobile Device Management for devices
running the following operating systems:
Windows 10 Enterprise
Windows 10 Pro
Windows 10 Team (beginning in Configuration Manager version 1602)
Windows 10 Mobile
Windows 10 Mobile Enterprise
NOTE
Beginning in version 1610, Configuration Manager supports managing mobile devices using both Microsoft Intune and on-
premises Configuration Manager infrastructure at the same time.
If your site has devices with internet connectivity, the Intune service can be used to notify devices to check the
device management point for policy updates. In this configuration Intune is used strictly to notify internet-facing
devices. Devices without internet connections (which cannot be contacted by Intune) rely on the configured polling
interval to check in with site system roles for management functions.
TIP
We recommend that you set up the Intune subscription before you set up the required site system roles to minimize the time required for
the site system roles to become functional.
For information on how to set up the Intune subscription, see Set up a Microsoft Intune subscription for On-
premises Mobile Device Management in System Center Configuration Manager.
Enrollment considerations
To enable device enrollment for On-premises Mobile Device Management, users must be granted permission to
enroll and their devices must be able to have trusted communications with the site system servers hosting the
required site system roles.
Granting user enrollment permission can be accomplished through setting up an enrollment profile in
Configuration Manager client settings. You can use the default client settings to push the enrollment profile to all
discovered users or you can set up the enrollment profile in custom client settings and push the settings to one or
more user collections.
With user enrollment permission granted, users can enroll their own devices. To get enrolled, the user's device
must have the root certificate of the certification authority (CA) that issued the web server certificate used on the
site system servers hosting the required site system roles.
As an alternative to user-initiated enrollment, you can set up a bulk enrollment package that allows the device to be
enrolled without user intervention. This package can be delivered to the device before it is initially provisioned for
use or after the device goes through its OOBE process.
For more information on how to set up and enroll devices, see
Set up device enrollment for On-premises Mobile Device Management in System Center Configuration
Manager
Enroll devices for On-premises Mobile Device Management in System Center Configuration Manager
Preparation steps for On-premises Mobile Device Management in System Center Configuration Manager
3/6/2017
NOTE
Beginning in version 1610, Configuration Manager supports using both Microsoft Intune and on-premises Configuration
Manager infrastructure to manage mobile devices at the same time.
TIP
We recommend that you set up the Intune subscription for On-premises Mobile Device Management before you install the
required site system roles to minimize the time required for the newly installed site system roles to become functional.
NOTE
When adding the Intune subscription, keep the following in mind:
The collection specified in the Add Microsoft Intune Subscription Wizard is not used for On-premises Mobile Device
Management user right delegation. It is only used for mobile device management with Intune. However, you are required
to specify a collection for the wizard to proceed.
The site code setting specified in the wizard is ignored for On-premises Mobile Device Management. The site code
that is used is the one you specify in the enrollment profile that grants users permission to enroll devices.
Do not enable multi-factor authentication. It is not supported in On-premises Mobile Device Management.
NOTE
By clicking this check box, you configure the Intune subscription to keep all management information on-
premises and not replicate data to the cloud.
If you plan to have devices managed by both Intune and Configuration Manager on-premises, leave
the box unchecked.
3. If you plan to manage Windows 10 Mobile devices, right-click the Microsoft Intune Subscription, click
Configure Platforms, and then click Windows Phone.
4. Click the check box next to Windows Phone 8.1 and Windows 10 Mobile, and then click OK.
5. If you plan to manage Windows 10 desktop computers, right-click the Microsoft Intune Subscription,
click Configure Platforms, and then click Enable Windows Enrollment.
6. Click the check box next to Enable Windows enrollment, and then click OK.
Install site system roles for On-premises Mobile Device Management in System Center Configuration Manager
3/6/2017
NOTE
If you use database replicas with your device management point site system role, newly enrolled devices will initially fail to
connect to the device management point until the database replica synchronizes with it. This connection failure occurs
because the database replica does not have the information about the newly enrolled device necessary for a successful
connection. Replicas synchronize every 5 minutes, so devices will fail to connect for the first 5 minutes after enrollment
(usually 2 connection attempts), after which the device will connect successfully.
Whether you are using existing site system roles or adding new ones, you must configure them to be used to
manage modern devices. Follow the steps below to configure the distribution point and device management point
to function correctly for On-premises Mobile Device Management:
NOTE
The current branch of Configuration Manager only supports intranet connections from devices to the distribution points and
device management points for On-premises Mobile Device Management. However, if you are also managing Mac OS X
computers, those clients require internet connections to those site system roles. In that case, when you configure the
properties of the distribution point and the device management point, you should use the Allow intranet and internet
connections setting instead.
NOTE
Distribution points configured for intranet connections require site boundaries to be configured for them. The current
branch of Configuration Manager only supports IPv4 range boundaries for On-premises Mobile Device
Management. For more information on configuring site boundaries, see Define site boundaries and boundary groups
for System Center Configuration Manager.
4. Click the check box next to Allow mobile devices to connect to this distribution point, and then click
OK.
5. Open properties for the management point site system role. On the General tab, make sure HTTPS is
selected, and select Allow intranet-only connections.
If you're also separately managing Mac computers with the Configuration Manager client, use Allow
intranet and internet connections instead.
6. Click the check box next to Allow mobile devices and Mac Computer to use this management point.
Click OK.
This effectively turns the management point into a device management point.
Once the site system roles have been added and configured for managing modern devices, you then need
to configure the servers hosting the roles as trusted endpoints for enrolling and communicating with
managed devices. See Set up certificates for trusted communications for On-premises Mobile Device
Management in System Center Configuration Manager for more information.
Set up certificates for trusted communications for On-premises Mobile Device Management in System Center Configuration Manager
3/6/2017
IMPORTANT
There are many ways to set up the certificates for trusted communications between devices and the site system servers for
On-premises Mobile Device Management. The information provided in this article is given as an example of one way to do it.
This method requires you to be running a server in your site with Active Directory Certificate Services role and the
Certification Authority and Certification Authority Web Enrollment role services installed. See Active Directory Certificate
Services for more information and guidance on this Windows Server role.
To set up the Configuration Manager site for the SSL communications required for On-premises Mobile Device
Management, follow these high-level steps:
Configure the certification authority (CA) for CRL publishing
Create the web server certificate template on the CA
Request the web server certificate for each site system role
Bind the certificate to the web server
Export the certificate with the same root as the web server certificate
Configure the certification authority (CA) for CRL publishing
By default, the certification authority (CA) uses LDAP-based certificate revocation lists (CRLs), which allow
connections only for domain-joined devices. You must add HTTP-based CRLs to the CA to make it possible for non-
domain-joined devices to trust certificates issued from the CA. These certificates are required for SSL
communications between the servers hosting the Configuration Manager site system roles and the devices
enrolled for On-premises Mobile Device Management.
Follow the steps below to configure the CA to autopublish CRL information for issuing certificates that allow
trusted connections for domain-joined and non-domain-joined devices:
1. On the server running the certification authority for your site, click Start > Administrative Tools >
Certification Authority.
2. In the Certification Authority console, right-click CertificateAuthority, and then click Properties.
3. In CertificateAuthority properties, click the Extensions tab, and make sure that Select extension is set to CRL
Distribution Point (CDP).
4. Select http:///CertEnroll/.crl, and then select the three options below:
Include in CRLs. Clients use this to find Delta CRL locations.
Include in CDP extension of issued certificates.
Include in the IDP extension of issued CRLs.
5. Click the Exit Module tab, click Properties..., then select Allow certificates to be published to the file
system.
6. Click OK when notified that Active Directory Certificate Services must be restarted.
7. Right-click Revoked Certificates, click All Tasks, and then click Publish.
8. In Publish CRL dialog, select Delta CRL only, and then click OK.
NOTE
If the CA you are using is on Windows Server 2012, you are not prompted for the certificate template version when
you click Duplicate Template. Instead, specify this on the Compatibility tab of the template properties, as follows:
Certification Authority: Windows Server 2003
Certificate recipient: Windows XP / Server 2003
5. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the
web certificates that will be used on Configuration Manager site systems, such as ConfigMgr MDM Web
Server.
6. Click the Subject Name tab, select Build from Active Directory information, and for subject name
format, specify DNS name. Clear the alternate subject name check box if User Principal Name
(UPN) is selected.
7. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and
Enterprise Admins.
8. Click Add, enter ConfigMgr MDM Servers in the text box, and then click OK.
9. Select the Enroll permission for this group, and do not clear the Read permission.
10. Click OK, and close the Certificate Templates console.
11. In the Certification Authority console, right-click Certificate Templates, click New, and then click
Certificate Template to Issue.
12. In the Enable Certificate Templates dialog box, select the new template that you have just created,
ConfigMgr MDM Web Server, and then click OK.
Request the web server certificate for each site system role
Devices enrolled for On-premises Mobile Device Management must trust SSL endpoints hosting the enrollment
point, enrollment proxy point, distribution point, and device management point. The steps below describe how to
request the web server certificate for IIS. You must do this for each server (SSL endpoint) hosting one of the
required site system roles for On-premises Mobile Device Management.
1. On the primary site server, open a command prompt with administrator permissions, type MMC, and press
Enter.
2. In the MMC, click File > Add/Remove Snap-in.
3. In the Certificates snap-in, select Certificates, click Add, select Computer account, click Next, click Finish,
and then click OK to exit the Add or Remove Snap-in window.
4. Right-click Personal, and then click All Tasks > Request New Certificate.
5. In the Certificate Enrollment wizard, click Next, select Active Directory Enrollment Policy and click Next.
6. Select the checkbox next to the web server certificate (ConfigMgr MDM Web Server), and then click
Enroll.
7. Once the certificate is enrolled, click Finish.
Because each server will need a unique web server certificate, you need to repeat this process for every
server hosting one of the required site system roles for On-premises Mobile Device Management. If one
server hosts all the site system roles, you just need to request one web server certificate.
Export the certificate with the same root as the web server certificate
Active Directory Certificate Services typically installs the required certificate from the CA on all domain-joined
devices. But non-domain-joined devices will not be able to communicate with the site system roles without the
root CA certificate. To get the certificate required for devices to communicate with the site system roles,
you can export it from the certificate bound to the web server.
Follow these steps to export the root certificate of the web server's certificate.
1. In IIS Manager, click Default Web Site, and then in the right Action panel, click Bindings...
2. In the Site Bindings dialog, click https, and then click Edit...
3. Make sure the web server certificate is selected, and click View...
4. In properties of the web server certificate, click Certification Path, click the root at the top of the
certification path, and click View Certificate.
5. In the properties of the root certificate, click Details, and then click Copy to File...
6. In the Certificate Export Wizard, click Next.
7. Make sure DER encoded binary X.509 (.CER) is selected for format, and click Next.
8. For the file name, click Browse..., choose a location to save the certificate file, name the file, and click Save.
Devices to be enrolled will need access to this file to import the root certificate, so choose a common
location that most computers and devices can access, or save it to a convenient location now (like
the C drive) and move it to a common location later.
Click Next.
9. Review the settings, and click Finish .
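As an added example (not part of the original article or of Configuration Manager), the following PowerShell script checks that the certificate bound to IIS on a site system server meets the requirements from the steps above (a DNS subject name, the ConfigMgr MDM Web Server template, the Server Authentication EKU, and an HTTP CRL distribution point so that non-domain-joined devices can check revocation) and then exports its root CA certificate as a DER .cer file. The IIS site name, template name and output path are assumed placeholders; run it in an elevated PowerShell session on the server hosting the site system role.

```powershell
# Added example, not from the original article. Verifies the IIS web server
# certificate on a site system server and exports its root CA certificate.
Import-Module WebAdministration   # Get-WebBinding
Import-Module PKI                 # Export-Certificate

$siteName     = 'Default Web Site'            # IIS site carrying the HTTPS binding (assumption)
$templateName = 'ConfigMgr MDM Web Server'    # template name used in the article
$outFile      = 'C:\Temp\MdmRootCA.cer'       # placeholder export path

function Test-MdmWebServerCertificate {
    param([string]$Site, [string]$Template)

    $binding = Get-WebBinding -Name $Site -Protocol https
    if (-not $binding) { throw "No HTTPS binding on '$Site'. Bind the web server certificate first." }

    $thumb = ($binding | Select-Object -First 1).certificateHash
    $cert  = Get-Item -Path "Cert:\LocalMachine\My\$thumb"
    $fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    # Text form of an extension (by OID), or an empty string when it is absent.
    $ext = { param($oid)
        $e = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($e) { $e.Format($true) } else { '' } }

    $checks = [ordered]@{
        # Subject was built from AD with the DNS name format (template step 6).
        'Subject DNS name matches server FQDN' =
            ($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false) -eq $fqdn)
        # Template information extension (v1 OID 1.3.6.1.4.1.311.20.2 or v2 OID 1.3.6.1.4.1.311.21.7).
        'Issued from the MDM web server template' =
            (((& $ext '1.3.6.1.4.1.311.20.2') + (& $ext '1.3.6.1.4.1.311.21.7')) -match [regex]::Escape($Template))
        # Extended Key Usage (2.5.29.37) must list Server Authentication (1.3.6.1.5.5.7.3.1).
        'Server Authentication EKU present' = ((& $ext '2.5.29.37') -match '1\.3\.6\.1\.5\.5\.7\.3\.1')
        # CRL Distribution Points (2.5.29.31) must include an HTTP URL: non-domain-joined
        # devices cannot reach the default LDAP CRL location, so this is what the CDP step adds.
        'HTTP CRL distribution point present' = ((& $ext '2.5.29.31') -match 'http://')
        # IIS needs the private key to terminate SSL.
        'Private key available' = $cert.HasPrivateKey
    }
    foreach ($name in $checks.Keys) {
        $state = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Host ("[{0}] {1}" -f $state, $name)
    }
    if ($checks.Values -contains $false) { throw 'Web server certificate does not meet the On-premises MDM requirements.' }
    return $cert
}

function Export-MdmRootCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Path)

    # Walk the chain as the Certification Path tab does and take the top element (the root CA).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) { throw 'Certificate chain could not be built on this server.' }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    # -Type CERT writes DER encoded binary X.509, the format chosen in step 7.
    Export-Certificate -Cert $root -FilePath $Path -Type CERT | Out-Null
    Write-Host ("Root CA '{0}' exported to {1}" -f $root.Subject, $Path)
    return $root
}

$serverCert = Test-MdmWebServerCertificate -Site $siteName -Template $templateName
$rootCert   = Export-MdmRootCertificate -Cert $serverCert -Path $outFile

# Optional: confirm that the CRL named in the certificate's CDP is reachable over HTTP
# from this host, which is what a non-domain-joined device will attempt.
$leafFile = Join-Path (Split-Path $outFile) 'MdmWebServerLeaf.cer'
Export-Certificate -Cert $serverCert -FilePath $leafFile -Type CERT | Out-Null
& certutil.exe -urlfetch -verify $leafFile | Out-Null
Write-Host ("CRL/AIA fetch check: {0}" -f ($(if ($LASTEXITCODE -eq 0) { 'OK' } else { 'FAILED (see certutil -urlfetch -verify output)' })))
```

A FAIL on the HTTP CDP check means the CA's CRL publishing was not reconfigured before the certificate was issued; reissue the web server certificate after fixing the CDP extension.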
Set up device enrollment for On-premises Mobile Device Management in System Center Configuration Manager
3/6/2017
NOTE
If you want to deploy the enrollment profile to a subset of discovered users, you can use a user collection, and create custom
client settings to deploy to that collection. For information on creating custom client settings, see How to configure client
settings in System Center Configuration Manager.
NOTE
For On-premises Mobile Device Management, software deployment settings can only be used as default client
settings. Software deployment settings cannot be used with custom client settings in the current branch of
Configuration Manager.
NOTE
The current branch of Configuration Manager supports enrollment in On-premises Mobile Device Management for
devices running the following operating systems:
Windows 10 Enterprise
Windows 10 Pro
Windows 10 Team (beginning in Configuration Manager version 1602)
Windows 10 Mobile
Windows 10 Mobile Enterprise
How users enroll devices with On-premises Mobile Device Management in System Center Configuration Manager
3/6/2017
NOTE
The current branch of Configuration Manager supports enrollment in On-premises Mobile Device Management for devices
running the following operating systems:
Windows 10 Enterprise
Windows 10 Pro
Windows 10 Team (beginning in Configuration Manager version 1602)
Windows 10 Mobile
Windows 10 Mobile Enterprise
The following tasks explain how to enroll and verify enrollment of computers and devices for On-premises Mobile
Device Management:
Enroll a Windows 10 computer
Enroll a Windows 10 Mobile device
Verify device enrollment
NOTE
The current branch of Configuration Manager supports enrollment in On-premises Mobile Device Management for devices
running the following operating systems:
Windows 10 Enterprise
Windows 10 Pro
Windows 10 Team (beginning in Configuration Manager version 1602)
Windows 10 Mobile
Windows 10 Mobile Enterprise
The following tasks explain how to bulk-enroll computers and devices for On-premises Mobile Device
Management:
Create a certificate profile
Create a Wi-Fi profile
Create an enrollment profile
Create an enrollment package (ppkg) file
Use the package to bulk-enroll a device
Verify enrollment of device
IMPORTANT
Keep the following two issues in mind when creating a Wi-Fi profile for bulk enrollment:
The current branch of Configuration Manager only supports the following Wi-Fi security configurations for On-
premises Mobile Device Management:
Security types: WPA2 Enterprise or WPA2 Personal
Encryption types: AES or TKIP
EAP types: Smart Card or other certificate or PEAP
Although Configuration Manager has a setting for proxy server information in the Wi-Fi profile, it does not configure
the proxy when the device is enrolled. If you need to set up a proxy server for your enrolled devices, you can deploy
the settings using configuration items once devices are enrolled, or create a second package using the Windows
Imaging and Configuration Designer (ICD) to deploy alongside the bulk enrollment package.
8. Confirm the settings for the enrollment profile, and click Next. Click Close to exit the wizard.
TIP
If you remove an enrollment package from the Configuration Manager console, it cannot be used to enroll devices. You can
use package removal as a way to manage packages that you no longer want used for bulk-enrolling devices.
NOTE
If you encrypted the package, Configuration Manager provides a message with the decrypted password in it. Make
sure you save the password information because you will need it to provision the package on devices.
4. Click OK.
When you manage mobile devices by using the Exchange Server connector, this does not install the
Configuration Manager client on the mobile devices. Some management functions are therefore limited. For
example, you cannot install software on these devices or use configuration items to configure these devices. For
more information about the various management capabilities that you can use with Configuration Manager for
mobile devices, see Choose a device management solution for System Center Configuration Manager.
IMPORTANT
Before you install the Exchange Server connector, confirm that Configuration Manager supports the version of Microsoft
Exchange that you are using. For more information, see "Exchange Server connector" in Supported operating systems for
sites and clients for System Center Configuration Manager.
When you use the Exchange Server connector, the mobile devices can be managed by the settings that you
configure in Configuration Manager instead of being managed by the default Exchange ActiveSync mailbox
policies. Define the settings that you want to use in the following group settings: General, Password, Email
Management, Security, and Application. For example, in the Password group setting, you can configure
whether mobile devices require a password, the minimum password length, password complexity, and whether
password recovery is allowed.
When you configure at least one setting in the group, Configuration Manager manages all settings in the group
for mobile devices. If you do not configure any setting in a group, Exchange continues to manage the mobile
devices for those settings. Any Exchange ActiveSync mailbox policies that are configured on the Exchange Server
and assigned to users will still be applied.
You can also configure the Exchange Server connector to manage the Exchange access rules and allow, block, or
quarantine mobile devices. You can remotely wipe mobile devices by using the Configuration Manager console,
and users can remotely wipe their mobile devices by using the Application Catalog.
A user's mobile device appears in the Application Catalog automatically when the Exchange Server connector
manages it and the Exchange Server is on-premises. When you configure the Exchange Server connector for
Microsoft Exchange Online, you must manually configure user device affinity for the user's mobile device to
appear in the Application Catalog. For more information about how to manually configure user device affinity,
see Link users and devices with user device affinity in System Center Configuration Manager.
TIP
If you manage a mobile device by using the Exchange Server connector and the mobile device is transferred to another
user, delete the mobile device from the Configuration Manager console before the new owner of the mobile device
configures his or her Exchange account on this transferred mobile device.
NOTE
The following Exchange Server management roles include these cmdlets: Recipient Management, View-Only
Organization Management, and Server Management. For more information about management role groups in
Microsoft Exchange Server 2010, see Understanding Management Role Groups.
TIP
If you try to install or use the Exchange Server connector without the required cmdlets, you will see an error logged
with the message Invoking cmdlet <cmdlet> failed in the EasDisc.log file on the site server computer.