How to Enroll Mobile Device Clients in Configuration Manager 2012

Updated: May 1, 2011

Applies To: System Center Configuration Manager 2012

When you enroll mobile devices in Configuration Manager 2012, the Configuration Manager client is installed on them, which gives Configuration Manager 2012 full management capability for those devices. To enroll mobile devices in Configuration Manager 2012, you must use Microsoft Certificate Services with an enterprise certification authority (CA) and the Configuration Manager enrollment point and enrollment proxy point site system roles. During and after enrollment, public key infrastructure (PKI) certificates secure the communication between the mobile device and the Configuration Manager site.

When the certificate on the mobile device is due for renewal, users are automatically prompted to accept the new certificate. When they confirm the prompt, Configuration Manager automatically re-enrolls their mobile device.

Note
If you no longer want a mobile device to be enrolled for Configuration Manager 2012, you must wipe the mobile device.

Use the following steps and the supplemental procedures in this topic to enroll mobile devices in Configuration Manager 2012. After you complete these steps, you can monitor the mobile devices that are enrolled by viewing the collections that display mobile devices, and by using the reports for mobile devices.

Use the following table for the steps, details, and more information about how to enroll mobile devices.

 

Steps Details More Information

Step 1: Deploy a web server certificate to site system servers.

Deploy a web server certificate to the computers that hold the following site system roles:

  • Management point

  • Distribution point

  • Enrollment point

  • Enrollment proxy point

Additionally, if you want to allow users to wipe their own mobile devices, configure IIS with a web server certificate on the computers that hold the Application Catalog website point and the Application Catalog web service point.

For information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager 2012.

For an example deployment that creates and installs this web server certificate, see .

Step 2: Deploy a client authentication certificate to site system servers.

Deploy a client authentication certificate to the computers that hold the following site system roles:

  • Management point

  • Distribution point

  • Application Catalog website point

  • Application Catalog web service point

For information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager 2012.

For an example deployment that creates and installs this client certificate, see .

Step 3: Create and issue a certificate template for mobile device enrollment.

The certificate template must have Read and Enroll permissions for the users that have mobile devices to enroll.

See .

Step 4: Optional but recommended: Configure automatic discovery for the enrollment service.

Create a DNS alias (CNAME record) named ConfigMgrEnroll that references the site system server on which you will install the enrollment proxy point.

For more information about how to create a DNS alias, consult your DNS documentation.

Step 5: Configure the management point and distribution point.

Configure the management point and distribution point for client connections over HTTPS and configure the management point to support mobile devices.

See the following procedure in this topic: Configuring Management Points and Distribution Points for Mobile Devices.

Step 6: Configure the enrollment proxy point and the enrollment point.

You must install both of these site system roles in the same site, but you do not have to install them on the same site system server.

For more information about site system role placement, see .

To configure the enrollment proxy point and the enrollment point, see the following procedure in this topic: Installing and Configuring the Enrollment Site Systems.

Step 7: Optional: Install the Application Catalog web service point and the Application Catalog website point.

Install the Application Catalog web service point and the Application Catalog website point if you want to allow users to wipe their own mobile devices.

Step 8: Optional: Install the reporting services point.

Install the reporting services point if you want to run reports for mobile devices.

Step 9: Configure client settings for mobile device enrollment.

Configure the default client settings if you want all users to be able to enroll mobile devices. Or, as a best practice, configure custom client settings to restrict the users who can enroll mobile devices.

For more information about client settings, see About Client Settings in Configuration Manager 2012.

For information about how to configure these client settings, see the following procedure in this topic: Configuring the Client Settings for Mobile Device Enrollment.

Step 10: Enroll mobile devices.

Use the browser on the mobile device to start enrollment.

See the following procedure in this topic: Enrolling Mobile Devices.

Use the following procedures for steps in the preceding table.

Configuring Management Points and Distribution Points for Mobile Devices

Note
Use the following procedure for step 5 in the preceding table.

This procedure configures existing management points and distribution points to support mobile devices.

How to Configure Management Points and Distribution Points for Mobile Devices

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Operations, select Servers and Site System Roles, and then select the server that holds the site system roles to configure.

  3. In the details pane, right-click Management point, click Role Properties, and in the Management Point Properties dialog box, configure the following and then click OK:

    1. Select HTTPS.

    2. If the mobile devices will connect over the Internet, select Allow Internet-only client connections or Allow intranet and Internet client connections. These options require that an Internet FQDN is specified in the site system properties.

    3. Select Allow mobile devices to use this management point.

  4. In the details pane, right-click Distribution point, click Role Properties, and in the Distribution Point Properties dialog box, configure the following and then click OK:

    1. Select HTTPS.

    2. If the mobile devices will connect over the Internet, select Allow Internet-only client connections or Allow intranet and Internet client connections. These options require that an Internet FQDN is specified in the site system properties.

  5. Repeat steps 2 through 4 in this procedure for all management points and distribution points that you will use with mobile devices.

Installing and Configuring the Enrollment Site Systems

Note
Use the following procedures for step 6 in the preceding table.

These procedures configure the site system roles for mobile device enrollment. Choose one of these procedures according to whether you will install a new site system server for mobile device enrollment or use an existing site system server:

How to Install and Configure the Enrollment Site Systems: New Site System Server

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Operations, and click Servers and Site System Roles.

  3. On the Home tab, in the Create group, click Create Site System Server.

  4. On the General page, specify the general settings for the site system, and then click Next.

    Tip
    If you want to manage mobile devices over the Internet, specify the Internet FQDN.
  5. On the System Role Selection page, select Enrollment proxy point and Enrollment point from the list of available roles, and then click Next.

  6. On the Enrollment Proxy Point page, review the settings and make any changes that you require, and then click Next.

  7. On the Enrollment Point Settings page, review the settings and make any changes that you require, and then click Next.

  8. Complete the wizard.

How to Install and Configure the Enrollment Site Systems: Existing Site System Server

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Operations, select Servers and Site System Roles, and then select the server that you want to use for mobile device enrollment.

  3. On the Home tab, in the Create group, click Add Site System Roles.

  4. On the General page, specify the general settings for the site system, and then click Next.

    Tip
    If you want to manage mobile devices over the Internet, specify the Internet FQDN.
  5. On the System Role Selection page, select Enrollment proxy point and Enrollment point from the list of available roles, and then click Next.

  6. On the Enrollment Proxy Point page, review the settings and make any changes that you require, and then click Next.

  7. On the Enrollment Point Settings page, review the settings and make any changes that you require, and then click Next.

  8. Complete the wizard.

Configuring the Client Settings for Mobile Device Enrollment

Note
Use the following procedure for step 9 in the preceding table.

This procedure configures the default client settings for mobile device enrollment and will apply to all users in the hierarchy. If you want these settings to apply to only some users, create a custom user setting and assign it to a collection that contains the users who you will allow to enroll their mobile devices. For more information about how to create a custom user setting, see .

How to Configure the Default Client Settings for Mobile Device Enrollment

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, click Client Settings.

  3. Click Default Client Settings.

  4. On the Home tab, in the Properties group, click Properties.

  5. Select the Mobile Devices section, and then configure the following user settings:

    1. Allow users to enroll mobile devices: True

    2. Mobile device enrollment profile: Click Set Profile.

  6. In the Mobile Device Enrollment Profile dialog box, click Create.

  7. In the Create Mobile Device Enrollment Profile dialog box, enter a name for this mobile device enrollment profile, and then configure the Management Site. Select the Configuration Manager 2012 primary site that contains the management points that will manage these mobile devices.

    Note
    If you cannot select the site, check that at least one management point in the site is configured to support mobile devices.
  8. Click Add.

  9. In the Add Certification Authority for Mobile Devices dialog box, select the certification authority (CA) server that will issue certificates to mobile devices, and then click OK.

  10. In the Create Mobile Device Enrollment Profile dialog box, select the mobile device certificate template that you created in Step 3, and then click OK.

  11. Click OK to close the Mobile Device Enrollment Profile dialog box, and then click OK to close the client settings dialog box.

Enrolling Mobile Devices

Note
Use the following procedure for step 10 in the preceding table.

This procedure enrolls mobile devices in Configuration Manager 2012.

How to Enroll Mobile Devices

  • To enroll a mobile device, start the mobile device browser, type https://<FQDN>/ClientCabs/ConfigMgrEnroll.Cab to download and open the file, and then follow the instructions. If you have not configured a DNS alias, you must specify the FQDN of the site system server that holds the enrollment proxy point.
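
A pre-enrollment check, added here as an example and not part of the original topic or of Configuration Manager: it applies the certificate and role requirements from steps 1, 2, 5, 6 and 7 to a site inventory before devices are pointed at the enrollment URL. The inventory format, its field names (`web_cert`, `client_cert`, `https`, `allow_mobile`) and the sample servers are assumptions constructed for illustration.

```python
# Added example. The inventory format and its field names are hypothetical.
WEB_CERT_ROLES = {"management point", "distribution point",
                  "enrollment point", "enrollment proxy point"}   # step 1
CATALOG_ROLES = {"application catalog website point",
                 "application catalog web service point"}         # steps 1, 7
CLIENT_CERT_ROLES = {"management point", "distribution point"} | CATALOG_ROLES  # step 2
HTTPS_ROLES = {"management point", "distribution point"}          # step 5

def check_enrollment_prereqs(servers, self_wipe=False):
    """Return sorted findings; an empty list means the inventory passes."""
    findings, sites_by_role = [], {}
    for s in servers:
        roles = set(s["roles"])
        for role in roles:
            sites_by_role.setdefault(role, set()).add(s["site"])
        # Catalog roles need the web server certificate only when self-wipe is wanted.
        web_roles = WEB_CERT_ROLES | (CATALOG_ROLES if self_wipe else set())
        if roles & web_roles and not s.get("web_cert"):
            findings.append(f"{s['name']}: no web server certificate")
        if roles & CLIENT_CERT_ROLES and not s.get("client_cert"):
            findings.append(f"{s['name']}: no client authentication certificate")
        for role in sorted(roles & HTTPS_ROLES):
            if not s.get("https"):
                findings.append(f"{s['name']}: {role} is not set to HTTPS")
        if "management point" in roles and not s.get("allow_mobile"):
            findings.append(f"{s['name']}: management point does not allow mobile devices")
    # Step 6: both enrollment roles must exist in one site (not necessarily one server).
    shared = sites_by_role.get("enrollment point", set()) & \
        sites_by_role.get("enrollment proxy point", set())
    if not shared:
        findings.append("enrollment point and enrollment proxy point are not in the same site")
    if self_wipe:
        for role in sorted(CATALOG_ROLES - set(sites_by_role)):
            findings.append(f"self-wipe wanted but no {role} is installed")
    return sorted(findings)

SAMPLE = [  # constructed inventory, not real servers
    {"name": "mp1.example.test", "site": "P01",
     "roles": ["management point", "distribution point"],
     "web_cert": True, "client_cert": True, "https": True, "allow_mobile": False},
    {"name": "enroll1.example.test", "site": "P01",
     "roles": ["enrollment point"], "web_cert": True},
    {"name": "proxy1.example.test", "site": "P02",
     "roles": ["enrollment proxy point"], "web_cert": False},
]

if __name__ == "__main__":
    for finding in check_enrollment_prereqs(SAMPLE):
        print(finding)
```

Pass `self_wipe=True` when users should be able to wipe their own devices; the check then also requires both Application Catalog roles and their web server certificates.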
