Which Mobile Device Management Settings are available in ConfigMgr 2012 SP1?

As with Mac OS X, Configuration Manager 2012 supports the management of Compliance Settings for mobile devices. Unfortunately, not all of the settings can be applied to every kind of mobile device. Since settings management in the mobile device world is very important, I would like to give you with this blog an overview of the configurable settings per supported platform. Settings can be applied via the Windows Intune integration, the Exchange Server Connector and direct management. The tables below describe the options for direct management, for mobile device management via Windows Intune and for the Exchange Server Connector.

This blog is divided into two sections: one for settings management via Compliance Baselines, which is supported via Windows Intune and direct management, and one that describes the options with the Exchange Server Connector.

Management via Compliance Settings
(Windows Intune & Direct Management)

Password

Synchronizing company email with a private or company-owned mobile device is always a risk. Therefore you definitely want to configure password protection for the mobile device. The following table lists the settings and the supported platforms per setting.

Feature Supported platforms
Require password settings on mobile devices (Not Configured/Required)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • All Nokia Symbian
  • All Windows Phone 8
  • iPhone or iPod Touch 5.x
  • iPhone or iPod Touch 6.x
  • iPad 5.x
  • iPad 6.x
Minimum password length (number)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • All Nokia Symbian
  • All Windows Phone 8
  • All Windows RT
  • iPhone or iPod Touch 5.x
  • iPhone or iPod Touch 6.x
  • iPad 5.x
  • iPad 6.x
Password expiration (number)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • All Nokia Symbian
  • All Windows Phone 8
  • All Windows RT
  • iPhone or iPod Touch 5.x
  • iPhone or iPod Touch 6.x
  • iPad 5.x
  • iPad 6.x
Number of passwords remembered (number)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • All Nokia Symbian
  • All Windows Phone 8
  • All Windows RT
  • iPhone or iPod Touch 5.x
  • iPhone or iPod Touch 6.x
  • iPad 5.x
  • iPad 6.x
Number of failed logon attempts before device is wiped (number)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • All Nokia Symbian
  • All Windows Phone 8
  • All Windows RT
  • iPhone or iPod Touch 5.x
  • iPhone or iPod Touch 6.x
  • iPad 5.x
  • iPad 6.x
Idle time before mobile phone is locked (between 1 minute – 12 hours)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • All Nokia Symbian
  • All Windows Phone 8
  • All Windows RT
  • iPhone or iPod Touch 5.x
  • iPhone or iPod Touch 6.x
  • iPad 5.x
  • iPad 6.x
Password complexity (PIN / Strong)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • All Nokia Symbian
  • All Windows Phone 8
  • iPhone or iPod Touch 5.x
  • iPhone or iPod Touch 6.x
  • iPad 5.x
  • iPad 6.x
Send password recovery PIN to Exchange Server (Enabled / disabled)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • iPhone or iPod Touch 6.x
  • iPad 6.x

 

Email Management

Get control over who is synchronizing and what is synchronized. The following table covers the settings for email management.

Feature Supported platforms
POP and IMAP email (allowed / prohibited)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • iPhone or iPod Touch 6.x
  • iPad 6.x
Maximum time to keep email (between 1 day – all)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • All Nokia Symbian
  • iPhone or iPod Touch 6.x
  • iPad 6.x
Allowed message format (plain, HTML or both)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • iPhone or iPod Touch 6.x
  • iPad 6.x
Maximum size for plain text email (automatically downloaded) (size)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • iPhone or iPod Touch 6.x
  • iPad 6.x
Maximum size for HTML email (automatically downloaded) (size)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • iPhone or iPod Touch 6.x
  • iPad 6.x
Maximum size of an attachment (automatically downloaded) (size)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • iPhone or iPod Touch 6.x
  • iPad 6.x
Calendar synchronization (allowed / prohibited)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • All Nokia Symbian
  • iPhone or iPod Touch 6.x
  • iPad 6.x

 

Security

 

Feature Supported platforms
Unsigned file installation (various options)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • iPhone or iPod Touch 6.x
  • iPad 6.x
Unsigned applications (allowed / prohibited)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • iPhone or iPod Touch 6.x
  • iPad 6.x
SMS and MMS messaging (allowed / prohibited)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • iPhone or iPod Touch 6.x
  • iPad 6.x
Removable storage (allowed / prohibited)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • All Windows Phone 8
  • iPhone or iPod Touch 6.x
  • iPad 6.x
Camera (allowed / prohibited)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • All Nokia Symbian
  • iPhone or iPod Touch 5.x
  • iPhone or iPod Touch 6.x
  • iPad 5.x
  • iPad 6.x
Bluetooth (allowed / prohibited)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • All Nokia Symbian
  • iPhone or iPod Touch 6.x
  • iPad 6.x
Windows RT VPN profile
  • All Windows RT

 

Peak Synchronization

If you allow your users to sync their corporate email, you can configure how often synchronization takes place during peak hours and outside peak hours.

Feature Supported platforms
Peak synchronization frequency (push, manual 15, 30, 60, 240 minutes)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • All Nokia Symbian
  • iPhone or iPod Touch 6.x
  • iPad 6.x
Peak start time (time)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • All Nokia Symbian
  • iPhone or iPod Touch 6.x
  • iPad 6.x
Peak end time (time)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • All Nokia Symbian
  • iPhone or iPod Touch 6.x
  • iPad 6.x
Peak days (sun-sat)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • All Nokia Symbian
  • iPhone or iPod Touch 6.x
  • iPad 6.x
Off-peak synchronization frequency (push, manual 15, 30, 60, 240 minutes)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • All Nokia Symbian
  • iPhone or iPod Touch 6.x
  • iPad 6.x

 

Roaming

You may want to control roaming of devices when your staff often travels to foreign countries.

Feature Supported platforms
Mobile device management while roaming (allowed / prohibited)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • All Nokia Symbian
  • iPhone or iPod Touch 6.x
  • iPad 6.x
Software download while roaming (allowed / prohibited)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • All Nokia Symbian
  • iPhone or iPod Touch 6.x
  • iPad 6.x
Email download while roaming (allowed / prohibited)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • iPhone or iPod Touch 6.x
  • iPad 6.x

 

Encryption

When receiving confidential information via email on your mobile device, it is wise to set up encryption on your device.

Feature Supported platforms
Storage card encryption (on / off)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • iPhone or iPod Touch 6.x
  • iPad 6.x
File encryption on mobile device (on / off)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • All Nokia Symbian
  • All Windows Phone 8
  • iPhone or iPod Touch 6.x
  • iPad 6.x
Require email signing (Yes / No)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • iPhone or iPod Touch 6.x
  • iPad 6.x
Signing algorithm (Default, SHA, MD5)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • iPhone or iPod Touch 6.x
  • iPad 6.x
Require email encryption (Yes / No)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • iPhone or iPod Touch 6.x
  • iPad 6.x
Encryption algorithm (Default, Triple DES, DES, RC2 128-bit, RC2 64-bit, RC2 40-bit)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • iPhone or iPod Touch 6.x
  • iPad 6.x

Wireless configuration

Deploy your wireless configuration profiles via Configuration Manager.

Feature Supported platforms
Wireless network connection (profile)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • All Nokia Symbian
  • iPhone or iPod Touch 6.x
  • iPad 6.x

Certificates

Deploy your root certificates or authentication certificates via Configuration Manager.

Feature Supported platforms
Certificates (root, CA, Normal, Privileged, SPC, Peer)
  • Windows Mobile 6.1
  • Windows Mobile 6.5
  • All Nokia Symbian
  • All Windows RT
  • iPhone or iPod Touch 6.x
  • iPad 6.x

 

In addition to the settings that are grouped by category, you can also configure custom settings or settings that are device specific. Be aware that if you modify a setting that has already been configured via the categories, a conflict of settings may occur, since a lot of settings can be configured in two ways. The following table describes the additional mobile device settings for the supported devices:

Additional mobile device settings:

Feature Supported platforms
Allow backup to iCloud (true/false)
  • All iOS
Allow browser (true/false)
  • All iOS
Allow documents to sync to iCloud (true/false)
  • All iOS
Allow photostream sync to iCloud (true/false)
  • All iOS
Maximum grace period (number)
  • All iOS
Mail synchronization conflict resolution (true/false)
  • All Nokia Symbian
Allow S/MIME software certificates (true/false)
  • All Windows Mobile
Allow specific unsigned applications to run as normal (Application list)
  • All Windows Mobile
Allow user to change storage card encryption (true/false)
  • All Windows Mobile
Allowed message formats (text)
  • All Windows Mobile
Code word (text)
  • All Windows Mobile
Code word frequency (number)
  • All Windows Mobile
Desktop PIM sync (true/false)
  • All Windows Mobile
Email download while roaming (true/false)
  • All Windows Mobile
Encryption algorithm (text)
  • All Windows Mobile
Exclude files from encryption (file list)
  • All Windows Mobile
Infrared (true/false)
  • All Windows Mobile
Management session reset reminder timeout (number)
  • All Windows Mobile
Manager role permission for user (number)
  • All Windows Mobile
Maximum size for HTML email (automatically downloaded) (number)
  • All Windows Mobile
Maximum size for plain text email (automatically downloaded) (number)
  • All Windows Mobile
Maximum size of an attachment (automatically downloaded) (number)
  • All Windows Mobile
Negotiate encryption algorithm (number)
  • All Windows Mobile
POP and IMAP email (true/false)
  • All Windows Mobile
Remote API access to ActiveSync (true/false)
  • All Windows Mobile
Require email encryption (true/false)
  • All Windows Mobile
Require email signing (true/false)
  • All Windows Mobile
Send email immediately (true/false)
  • All Windows Mobile
Send password recovery PIN to Exchange Server (true/false)
  • All Windows Mobile
Signing algorithm (number)
  • All Windows Mobile
SMS and MMS messaging (true/false)
  • All Windows Mobile
Specify file encryption list (file list)
  • All Windows Mobile
Storage card encryption (true/false)
  • All Windows Mobile
Unapproved in ROM application ID (application list)
  • All Windows Mobile
Unsigned applications (true/false)
  • All Windows Mobile
Unsigned file installation (number)
  • All Windows Mobile
User prompts on unsigned files (true/false)
  • All Windows Mobile
Bluetooth (true/false)
  • All Windows Mobile
  • All Nokia Symbian
Calendar history synchronization (number)
  • All Windows Mobile
  • All Nokia Symbian
Calendar synchronization (true/false)
  • All Windows Mobile
  • All Nokia Symbian
Maximum time to keep email (number)
  • All Windows Mobile
  • All Nokia Symbian
Mobile device management while roaming (true/false)
  • All Windows Mobile
  • All Nokia Symbian
Off-peak synchronization frequency (number)
  • All Windows Mobile
  • All Nokia Symbian
Peak days (number)
  • All Windows Mobile
  • All Nokia Symbian
Peak end time (number)
  • All Windows Mobile
  • All Nokia Symbian
Peak start time (number)
  • All Windows Mobile
  • All Nokia Symbian
Peak synchronization frequency (number)
  • All Windows Mobile
  • All Nokia Symbian
Software download while roaming (true/false)
  • All Windows Mobile
  • All Nokia Symbian
Synchronize calendar tasks (true/false)
  • All Windows Mobile
  • All Nokia Symbian
Synchronize contacts (true/false)
  • All Windows Mobile
  • All Nokia Symbian
Wireless LAN (true/false)
  • All Windows Mobile
  • All Nokia Symbian
Camera (true/false)
  • All Windows Mobile
  • All Nokia Symbian
  • All iOS
File encryption on mobile device (true/false)
  • All Windows Mobile
  • All Nokia Symbian
  • All Windows Phone
Password complexity (number)
  • All Windows Mobile
  • All Nokia Symbian
  • All Windows Phone
  • All iOS
Require password settings on mobile devices (true/false)
  • All Windows Mobile
  • All Nokia Symbian
  • All Windows Phone
  • All iOS
Idle time before mobile device is locked (minutes)
  • All Windows Mobile
  • All Nokia Symbian
  • All Windows Phone
  • All Windows RT
  • All iOS
Minimum password length (characters) (number)
  • All Windows Mobile
  • All Nokia Symbian
  • All Windows Phone
  • All Windows RT
  • All iOS
Number of failed logon attempts before device is wiped (number)
  • All Windows Mobile
  • All Nokia Symbian
  • All Windows Phone
  • All Windows RT
  • All iOS
Number of passwords remembered (number)
  • All Windows Mobile
  • All Nokia Symbian
  • All Windows Phone
  • All Windows RT
  • All iOS
Password expiration in days (number)
  • All Windows Mobile
  • All Nokia Symbian
  • All Windows Phone
  • All Windows RT
  • All iOS
Removable storage (true/false)
  • All Windows Mobile
  • All Windows Phone
Allow simple password (true/false)
  • All Windows Mobile
  • All Windows Phone
  • All iOS
Minimum complex characters (number)
  • All Windows Phone
  • All Windows RT
  • All iOS
Allow convenience logon (true/false)
  • All Windows RT

Management via Exchange Server Connector

Another way of managing mobile device settings is via the Exchange Server Connector. The following settings can be configured via Exchange Server 2010/2013 or Configuration Manager 2012 and are applied via Microsoft ActiveSync. In this blog you did not see any reference to Android devices; these devices can use Microsoft ActiveSync to receive one or more of the settings below (if supported).

Setting Value
Allow sharing Allowed / Prohibited
Computer Synchronization Allowed / Prohibited
Allow mobile device that cannot be provisioned Allowed / Prohibited
Refresh interval Hours
Require password settings on mobile devices Optional / required
Idle time before mobile device is locked Number
Minimum password length (characters) Number
Number of failed logon attempts before device is wiped Number
Number of passwords remembered Number
Password expiration in days Number
POP and IMAP email Allowed / Prohibited
Maximum time to keep email between 2 weeks – all
Maximum time to keep calendar items between 2 weeks – all
Direct Push when roaming Allowed / Prohibited
Allowed message format plain, HTML or both
Maximum size for plain text email (automatically downloaded) Number
Maximum size for HTML email (automatically downloaded) Number
Maximum size of an attachment (automatically downloaded) Number
Remote Desktop Allowed / Prohibited
Removable Storage Allowed / Prohibited
Camera Allowed / Prohibited
Bluetooth Allowed / Prohibited
Wireless network connections Allowed / Prohibited
Infrared Allowed / Prohibited
Browser Allowed / Prohibited
Storage card encryption Required / optional
File encryption on mobile device Required / optional
SMS and MMS messaging Allowed / Prohibited
Applications List of unsigned applications

Mobile Device Management and the support of all kinds of devices with different operating systems can be very messy. I hope that this blog gives you some clarification on what can be done for which device with which component of Configuration Manager 2012 SP1. More on Windows Intune and Mobile Device Management in later blog posts.

Comments

Hello, thanks for the detailed post. One question, I noticed that there is an option to send a recovery PIN to iOS devices. Does the device have to be enrolled in Windows Intune, or can it just be enrolled in SCCM 2012? Thanks!

Hi, all iOS devices that are enrolled in ConfigMgr via Windows Intune.

Do you know if you can reset device passwords on Windows 8 phones with the device only enrolled in SCCM 2012?
