Via InTune, SCCM 2012 SP1 adds MDM for the following new platforms: Windows RT, Windows Phone 8, iOS 5/6, and Android 2.1 and later (Android management is provided through the Exchange Connector).
- Over the air device enrollment
- User-targeted available app deployment (not demonstrated here)
- User and device settings management
- Device inventory
- Remote device retirement (removing management bits)
- Remote device wipe
Mobile Device Enrollment
Enrollment establishes mutual trust between the device and the management server. I attended another session where this was covered in depth for each platform, but such instructions are well documented online.
As an admin, you control which users are authorized to enroll devices.
There is a maximum of 20 active device enrollments per user account. When that limit is reached, the user needs to remove a device from their account in order to add a new one.
Most of the troubleshooting tips were focused on misconfiguration and challenges with certificates. Each platform has its own process for enrollment, which for security reasons is not as simple as one might hope.
A demo was provided for enrolling Windows Phone, RT and iOS. For iOS there is no management client; you have to visit a website to enroll. Likewise, there is no self-service portal application for iOS—this too is a website link. In this case they do create a shortcut to the website on the home screen, but seem to have given it a long name so it looks pretty terrible.
Inventory of apps is provided only for applications installed by the management portal; anything installed outside the management portal is not reported in inventory. Inventory is not extensible for mobile devices: in this release you cannot define your own additional details for inventory.
Some more reports have been added with the InTune connector so you can see things like count of mobile devices by operating system.
A single security policy template is used to manage settings on all managed mobile devices (the system figures out what is applicable to each platform). The most restrictive policy will be enforced if a device is getting policy from more than one authority.
There are naturally different settings available for each platform. Allow camera, for example, is controllable on iOS but not WinRT. When creating a new configuration in SCCM, you can choose mobile and walk through a simple wizard to select the settings you wish to specify.
Retire and Wipe options
Retirement can be user- or admin-initiated. It removes the record of the device from the system and disables further MDM app installations and settings management on the device. MDM-installed applications are removed on Windows Phone (in the current release iOS apps are left behind even though Apple supports automatic removal). The sideloading key is removed on Windows RT, disabling side-loaded apps.
For wiping devices, iOS and WP8 do a complete wipe and factory reset, but Android does an EAS mailbox removal only. Windows 7 and below don’t support the wipe feature.