System Center 2012 R2 Configuration Manager, the market-leading client management product, can integrate with Windows Intune to be a powerful solution which manages PCs and mobile devices both on-premises and in the cloud, all in one infrastructure and administrative console – what we call Unified Device Management. Historically Microsoft shipped a major release of Configuration Manager every 1 – 2 years. However with rapid releases of the Windows Intune service to address the emerging trends in the Mobile Device Management (MDM) market, it is essential to provide a very simple way for our customers to be able to adopt these new MDM features without going through expensive deployment upgrades to their on premises Configuration Manager infrastructure. We are excited to demonstrate a feature of System Center 2012 R2 Configuration Manager called “Extensions for Windows Intune”. This capability enables new features in Windows Intune to be available within your Configuration Manager console alongside the existing features without any on premises upgrade.
One of the first features to be available as an extension for Windows Intune is the ability to provision Exchange ActiveSync email profiles to mobile devices. This feature allows enterprises to deploy email profiles and restrictions so that workers can access corporate email on their personal devices without any required setup.
In this blog post, I’ll provide:
- An overview of the ‘Extensions for Windows Intune’ feature
- A drill-down into the email profiles extension.
Installing and enabling an extension for Windows Intune
Once Microsoft ships a new extension feature through the Windows Intune service, it is immediately made available to administrators within the Configuration Manager console that is connected to Windows Intune service. They will be provided with a message that notifies them about the availability of the new extension. They can then navigate to the ‘Administration workspace’ > Cloud services and select the new ‘Extensions for Windows Intune’ node. The list of available and installed Windows Intune extensions is provided there.
The administrator can view details about each extension. Before installing an extension, they are prompted to review and accept a license agreement. A key deployment aspect to note is that, once the administrator enables an extension, that feature is automatically replicated and enabled on all site servers in their Configuration Manager hierarchy of servers.
The process of enabling an extension triggers a connection to the Windows Intune service to download and install the extension. In just a few minutes, the extensions are installed and the administrator will be provided with a confirmation dialog that will prompt for a restart of the Configuration Manager console.
After the Configuration Manager console restarts, the new features are available. In this example, the ‘Email Profiles’ feature is available in the ‘Company Resource Access’ node in the ‘Assets and Compliance’ workspace.
As you can see, with just 3 simple easy steps we have made it super easy for a System Center 2012 R2 Configuration Manager administrator who has a Windows Intune subscription to dynamically add new capabilities without any of the upgrade steps typically associated with getting access to new Configuration Manager features.
Deploying an ActiveSync email profile
Despite millions of applications now being available on different mobile stores, email is still the number 1 killer app being used on mobile devices. A key incentive for enterprises to adopt Bring Your Own Device (BYOD) strategies is to enable workers to become more productive with their personally owned devices. This involves enabling them to access corporate email in order to stay in constant communication with colleagues. But setting up email can require special knowledge or can otherwise be a time sink for workers and a support liability for IT groups.
The new ‘Email Profiles’ feature enables enterprises to provision ‘Exchange ActiveSync’ email profiles to iOS and Windows Phone 8 devices. By creating and targeting an email profile to users, the email profile can be automatically setup by Windows Intune shortly after the users enroll their mobile devices with the Intune service. This eliminates the need for any manual configuration on the email client mobile device. It also allows the enforcement of email-related restrictions. Let us now take a look at how to provision an email profile using the simple ‘Email Profiles’ wizard. In the first step, provide a profile name and description.
The key features in Exchange ActiveSync email profile configuration are:
- The Exchange ActiveSync host can either be an on premises Exchange server or an Office 365 service.
- User accounts can be auto populated with the User Principal Name (UPN) or Active Directory domain user namealias. Both options are supported for enterprise (aka on-premises) Exchange. Only UPN is supported for Exchange services hosted in the Office 365 service.
- There are two options supported for authenticating users to Exchange ActiveSync:
- Certificates: An identity certificate will be used to authenticate the Exchange ActiveSync connection. This feature is currently supported in iOS, but not Windows Phone.
- Username and Password: The device user must supply a password to connect to Exchange ActiveSync (The user name is configured as part of the email profile). If the user’s email address is the same as their UPN, then the email address and password are sufficient for credentials. If the user’s email address is not the same as their UPN, then domainusername and password are required as their credentials. When domainusername is required for credentials, the username corresponds to the Active Directory “sAMAccountName.”
- Configure S/MIME signing certificate for iOS devices with a Simple Certificate Enrollment Protocol (SCEP) profile. (Users on Windows Phone devices can select S/MIME certificates on a per-message basis or for all messages.)
In addition to configuring the basic email profile details, administrators can also configure some of the email client settings. The key capabilities specific to Windows Phone 8 devices are:
- Content type to synchronize: Email, contacts, calendar or tasks
The following settings are applicable only to iOS devices:
- Allow messages to be moved to other email accounts: This allows users to move email messages between different accounts they have configured on their device.
- Allow email to be sent from third-party applications: This option allows users to send email from a non-default, third-party email application.
- Synchronize recently used email addresses: This feature allows users to synchronize the list of email addresses that have been recently used on the device.
The following settings are applicable to both Windows Phone and iOS7.
- Schedule: This provides the ability to select the schedule by which devices will synchronize data from the Exchange Server.
And that is it. With a few simple clicks, an administrator can create an email profile and deploy it to thousands of users who automatically get their corporate email setup on their mobile devices.
Selective wipe of email
When a user’s mobile device is lost or stolen, the administrator or the end user can initiate a ‘selective wipe’ of corporate data including their corporate email. This is currently supported by the iOS native email client app, but not the Windows Phone 8 EAS mail app. Administrators should ensure that the EAS email profile on iOS devices was provisioned through the Windows Intune MDM channel and not manually created by the end user in order for the selective wipe capability to be effective. The corporate email profile is also removed when the user unenrolls from the Windows Intune management service or deletes the MDM profile.
The ‘Extensions for Windows Intune’ feature provides frequent, dynamic feature updates to System Center 2012 R2 Configuration Manager without any on-premises infrastructure update. New extensions like email profile provisioning make it very easy for end users to connect to corporate email from their mobile devices while at the same time, it ensures that administrators can protect corporate data by having the ability to selectively wipe email from lost or stolen mobile devices.
This posting is provided "AS IS" with no warranties and confers no rights.