Microsoft Adds MDM Feature to System Center 2012 R2 Configuration Manager

It's now possible to use System Center 2012 R2 Configuration Manager to enforce conditional access policies for mobile devices accessing Exchange Online, Microsoft announced on Thursday.

Conditional access is a feature of the Microsoft Intune mobile device management (MDM) service that checks whether a device is managed and compliant before permitting it to access an organization's applications and data. While conditional access is an Intune capability, Microsoft recently explained that it plans to bring "100 percent" of its Intune capabilities to its System Center Configuration Manager (SCCM) PC management solution. That's enabled using Intune connector software, which permits SCCM to be used as a "single pane of glass" for managing both PCs and mobile devices.

So far, Microsoft has announced various new Intune features, which now arrive on a monthly frequency. These Intune product updates have mostly been for the "standalone" Intune product, meaning that they don't yet work with SCCM via Intune connector technology. Thursday's announcement is an exception to that general trend.

Microsoft's announcement was very specific about the new conditional access capability applying just to Exchange Online. The standalone version of Intune has broader capabilities. It's capable of enforcing conditional access for premises-based Exchange Server, as well as SharePoint Online and dedicated versions of Microsoft Office 365, according to Microsoft's TechNet documentation. It's possible that SCCM will one day get those capabilities, too. However, Microsoft currently has a warning in its TechNet documentation not to use the Intune connector "if you intend to use conditional access for both Exchange Online and Exchange On-premises."

Organizations need to carry out a few setup steps to use SCCM with the new conditional access capability. It gets enabled through an extension, called "Conditional Access," which shows up in the SCCM console. IT pros need to enable it through the console before it will work, as Microsoft describes in a TechNet article.

The devices managed under Microsoft's conditional access scheme are required to use the Exchange ActiveSync client protocol. For Exchange Online, supported devices include those running Windows 8.1 and later, Windows Phone 8.1 and later, iOS 6.0 and later, and Android 4.2 and later.

The devices also need to be enrolled via "workplace join" (which is a Windows Server 2012 R2-associated technology for non-domain-controlled devices) to work with the conditional access feature. Microsoft's Azure Active Directory (AD) service is used to enable the workplace join operation.

Conditional access checks to see if a device is registered with Azure AD and also if it's compliant with the policies set up for the device by IT pros, according to a blog post by Chris Green, a senior program manager at Microsoft. The compliance policy gets set up using the Intune console. It's also possible to set compliance policies using SCCM via the "Assets and Compliance" interface, Green noted.

A typical compliance policy might only allow a device access to resources if it is password protected, encrypted and not jailbroken. However, the policies that can be enforced depend on the device's operating system. For instance, on Android-based devices the policy does not force the user to encrypt the device, according to Microsoft's documentation.

If a device fails a conditional access check, the system sends a message to the end user describing how the device can be brought into a compliant state. IT pros using Intune can see a list of the noncompliant devices ahead of time by running the Mobile Device Inventory Report in Intune. Green said that this reporting capability will arrive later for "hybrid" users of SCCM with the Intune connector, but it's not available with this current extension release.
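The decision flow described in the last few paragraphs (registration with Azure AD, then a per-platform compliance check, then a remediation message or an inventory of noncompliant devices) can be modelled in a few dozen lines. The following is an added illustration, not Intune or SCCM code: the `Device` and `CompliancePolicy` types, the minimum-OS table, and the assumption that an encryption rule is simply not evaluated on a platform that cannot enforce it are all constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed model of the conditional access decision described in the
# article. Hypothetical types and rules; not Microsoft's implementation.


@dataclass
class Device:
    device_id: str
    os: str                    # "Windows", "WindowsPhone", "iOS" or "Android"
    os_version: tuple          # e.g. (8, 1) for 8.1
    registered_in_azure_ad: bool   # result of workplace join
    has_password: bool
    encrypted: bool
    jailbroken: bool


# Minimum OS versions for Exchange Online conditional access, as listed in
# the article.
MIN_OS = {
    "Windows": (8, 1),
    "WindowsPhone": (8, 1),
    "iOS": (6, 0),
    "Android": (4, 2),
}


@dataclass
class CompliancePolicy:
    require_password: bool = True
    require_encryption: bool = True
    block_jailbroken: bool = True
    # Assumption for this example: platforms where the encryption setting
    # cannot be forced on the user are exempted from that rule instead of
    # being marked noncompliant for it.
    encryption_not_enforced: frozenset = field(
        default_factory=lambda: frozenset({"Android"}))


def evaluate(device, policy):
    """Return (allowed, reasons). `reasons` lists every failed check so the
    user message can explain how to become compliant."""
    reasons = []
    if device.os not in MIN_OS or device.os_version < MIN_OS[device.os]:
        reasons.append("platform or OS version is not supported")
    if not device.registered_in_azure_ad:
        reasons.append("device is not registered with Azure AD (workplace join required)")
    if policy.require_password and not device.has_password:
        reasons.append("set a device password or PIN")
    if (policy.require_encryption and not device.encrypted
            and device.os not in policy.encryption_not_enforced):
        reasons.append("enable device encryption")
    if policy.block_jailbroken and device.jailbroken:
        reasons.append("device is jailbroken or rooted")
    return (not reasons, reasons)


def remediation_message(device, policy):
    """The text a blocked user would see, built from the failed checks."""
    allowed, reasons = evaluate(device, policy)
    if allowed:
        return "Access granted."
    return "Access blocked. To regain access:\n" + "\n".join(
        f"- {r}" for r in reasons)


def noncompliant_devices(devices, policy):
    """Inventory-style view: IDs of devices that would be blocked."""
    return [d.device_id for d in devices if not evaluate(d, policy)[0]]


if __name__ == "__main__":
    # Constructed sample fleet.
    fleet = [
        Device("pc-01", "Windows", (8, 1), True, True, True, False),
        Device("ios-01", "iOS", (5, 1), True, True, True, False),
        Device("and-01", "Android", (4, 4), True, True, False, False),
        Device("and-02", "Android", (4, 4), False, True, False, True),
    ]
    policy = CompliancePolicy()
    print("Noncompliant:", noncompliant_devices(fleet, policy))
    print(remediation_message(fleet[3], policy))
```

Note that the Android device that is unencrypted but otherwise compliant is allowed under this model, which mirrors the article's point that the enforceable policy set varies by operating system; a fleet report built this way should therefore be read together with the per-platform rule table, not as an absolute measure of device encryption.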

Microsoft first added this conditional access feature in its December Intune update, according to Green. Microsoft's March Intune update also extended the conditional access capability to Microsoft's OneDrive for Business and SharePoint Online services. Microsoft's various conditional access components seem to be rolling out in a gradual fashion, though. For instance, Microsoft also announced this month that its Azure AD service now supports conditional access for premises-installed apps, in addition to SaaS apps.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
