Tools Mobile Device Management Lead image: Lead Image © konstantynov,
Lead Image © konstantynov,

Mobile device management with Microsoft System Center 2012 R2

Professional Cleanup

Integrating the Windows Intune management tool and Microsoft System Center Configuration Manager for centralized management of mobile devices. By Marc Grote

With System Center Configuration Manager 2012 SP1 and newer in combination with Windows Intune, Microsoft supports the integration of Android, Apple iOS, Windows Phone 8/8.1, and Windows RT for holistic client management. The system thus supports uniform management of various features, such as software distribution on mobile endpoints, and the establishment of device policies for centralized control over device features to ensure compliance with centralized IT requirements. In this article, I cover the integration of Intune and SCCM and centralized client management.

To be able to manage mobile endpoints with System Center Configuration Manager (SCCM) [1], enterprises need to have a Windows Intune subscription and connect this with SCCM. Windows Intune [2] is a cloud-based management tool for Windows computers and mobile endpoints. A Windows Intune client is installed on the endpoints you want to manage, and it handles communication with Windows Intune.

Administrators can used the web-based Intune management console to install applications on managed Windows endpoints, set up centralized antivirus protection in the form of Intune Endpoint Protection (this is System Center Endpoint Protection and Microsoft Security Essentials in another guise), distribute Windows Updates (this is already supported by the Windows Server Update Server – WSUS), manage mobile endpoints with Apple iOS, Android, Windows Phone 8/8.1, and Windows RT, and manage policies to ensure compliance.

Windows Intune is primarily aimed at small to medium-sized companies with a limited IT staff or at companies that do not want to invest in System Center products, such as SCCM or System Center Endpoint Protection (SCEP) [3].

SCCM and Intune Join Forces

For enterprises that already use System Center Configuration Manager 2012 SP1 and newer, Microsoft offers a Windows Intune Connector for SCCM. Its purpose is to manage all the mobile endpoints in SCCM. Thanks to SCCM/Windows Intune integration, IT departments can use SCCM to manage all their computers; Windows Intune is required for one-off setup and management of the mobile endpoints. After successfully registering a device with Windows Intune, it appears in the SCCM management console and can be managed using SCCM.

The management options for mobile endpoints with SCCM include:

Integrating Intune with SCCM

After setting up your Windows Intune subscription (Figure 1), you can use Intune to manage Windows endpoints if you do not want to use SCCM exclusively for this task. If you want to use the Windows endpoint management options in Windows Intune but also manage mobile endpoints in SCCM, it is important not to assign mobile endpoint management authorization to Intune before connecting with SCCM. The background is that when you install the Windows Intune Connector, this authorization is assigned to SCCM, and a retrospective change to Windows Intune is not possible.

The Windows Intune Portal lets you modify the look and feel.
Figure 1: The Windows Intune Portal lets you modify the look and feel.

The next step is to integrate the public DNS domain name of your enterprise into your Intune subscription. Each user account in Intune must have a publicly verifiable DNS domain name. Microsoft requires a validation of the domain name by adding a TXT entry to the customer's DNS Forward Lookup zone. The Intune management console provides information on how to do this. After doing so, it can take up to 72 hours for the public DNS infrastructure to allow a successful validation of the domain name in the Windows Intune console, although the validation is typically quicker.

You then need to add the DNS domain name you created to your local Active Directory infrastructure as the User Principal Name (UPN) suffix. To do so, launch the MMC Active Directory Domains and Trusts [4] snap-in. In larger, distributed Active Directory environments with many locations, make sure you allow enough time for the new UPN suffix to replicate before you set up Active Directory synchronization between your local Active Directory and Windows Intune.

Syncing User Data

To manage mobile endpoints in Intune and SCCM, you need to have user accounts that are managed by Windows Intune; the accounts are uniquely assigned as the device owners. If you have a smaller number of users, you can create the Intune user accounts manually in the Intune console. If you have a larger number of users or want to use features such as bidirectional synchronization of directories or password synchronization, Microsoft recommends setting up the directory synchronization tool to sync your local Active Directory with Windows Intune.

The DirSync Tool [5], which incidentally comes from the Forefront Identity Manager, can be downloaded from the Microsoft website and installed on a member server in the local Active Directory environment. When you set this up, you need to supply the user credentials of the Intune enterprise account and of a local Active Directory domain administrator. Bidirectional directory replication between Windows Intune and your local Active Directory is possible, as is password replication. Both options require additional configuration steps.

After setting up DirSync and completing an initial sync of the user objects in Windows Intune, you can convert the users to Windows Intune users in the Intune management console and complete other settings.

To enroll a mobile endpoint in Intune successfully, your next step is to make another change to the public DNS zone configuration and create a CNAME entry in the Forward Lookup zone. This entry forwards the Enterpriseenrollment.<PublicDNSDomainname>.<tld> DNS FQDN to The enrollment process for an endpoint uses this DNS FQDN to connect the endpoint with the Windows Intune Portal.

Client Certificates

Depending on which platform you are using, the most complex process now starts before you can finally manage mobile endpoints with Windows Intune and SCC (Figure 2). For the iOS platform you need to request an Apple Push Notification certificate from Apple; for Windows Phone 8 you need to purchase a code signature certificate from Verisign. Windows Tablets with RT and RT 8.1 and Windows 8.1 devices that do not belong to the domain require a sideload key if you want access to apps other than those in the Windows App Store and if you want to set up your own app store.

After completing the install, the Windows Intune Connector is available in the SCCM management console.
Figure 2: After completing the install, the Windows Intune Connector is available in the SCCM management console.

Companies with an Enterprise Software license can acquire a sideload key, and Microsoft recently loosened the requirements and restrictions for getting one. Administrators still need to note that all apps transferred by means of a sideload must be digitally signed. You can use public signature certificates or your internal public key infrastructure for this. Fortunately, you don't need to fulfill any additional requirements to manage Android devices [6].

After successfully setting up the Intune subscription and fulfilling all the requirements for Intune/SCCM integration, you can now start configuring System Center 2012 SP1 or newer (Figure 3). In the SCCM management console, you first need to add the Windows Intune Subscription to the Administration | Cloud Services node and log in to the Intune Portal with your Intune enterprise account. Later in the Intune integration wizard sequence, you will be prompted to state which mobile endpoint platforms you want to support. The choices are Windows Phone 8.0/8.1, Windows RT/8.1, Android, and Apple iOS.

Following Intune integration, administrators can configure policies for mobile endpoints in System Center.
Figure 3: Following Intune integration, administrators can configure policies for mobile endpoints in System Center.

SCCM uses "Collections" of users and devices as the basis for distributing software and other SCCM activities. At this point, it makes sense to add all device owners activated in Windows Intune as the userbase for a new user Collection in SCCM. The Windows Intune Connector then uses this Collection as an additional authorization mechanism for users who will be able to roll out mobile devices in Intune. In additional subscription configuration steps, you can modify the look and feel of the Intune enterprise portal, adding, for example, your company logo and contact information.

Installing the Intune Connector

After setting up the Windows Intune subscription in the SCCM management console, your next step is to install the Windows Intune Connector Site System role. SCCM uses a concept with location roles that handle specific functions in SCCM management [7]. You need to add the Windows Intune Connector in the SCCM management console to the Administration | Overview | Site Configuration | Servers and Site System Roles node.

There is no need to modify the Intune Connector configuration. During the connector install, an additional Site System Role (Site System Server) named is added; this is not configurable. Proceed by checking that the Site System role has installed correctly by checking the Monitoring | Overview | System Status | Site Status node in the SCCM management console [8].

Managing Mobile Devices

After installing the Intune Connector, you now have the matching extensions in the SCCM management console. They include support for Windows Phone 8.1, Apple iOS security setting, and email profile extensions to configure Exchange ActiveSync accounts on managed Apple iOS devices and support remote reset. To enable the extensions for Windows Intune, you need to terminate the SCCM management console and then launch it again.

Nothing should stop you from enrolling a mobile client now. Depending on the endpoint's platform and version, enrolling the device involves different activities. For example, you can download, register, and install the Intune enterprise portal application on Google Play for an Android device with version 4.0 or newer.

After installing the app, the device owner needs to log in with their Intune account and confirm the message on management through enterprise device policies. Then, the enrollment process in Intune starts, and the enrolled endpoint should immediately appear in the Intune management console and in the SCCM management console after a brief delay.

SCCM uses the Windows Intune Subscription to communicate with cloud services. SCCM administrators can now draw on many of the well-known SCCM technologies and management tasks to manage mobile devices, access hardware and software inventory features, or distribute apps to the endpoints. Additionally, policies for mobile devices can be created in the Intune management console and assigned to devices and device groups. The configuration options in the Intune policies go well beyond those for creating mobile device policies in Exchange Server 2013 and are easily on a par with many other commercial mobile device management offerings.


Thanks to the integration of Windows Intune and System Center Configuration Manager, admins can anticipate uniform and holistic management of mobile devices; the use of policies means many mobile device features can be managed centrally, improving security in enterprise use. The drawbacks include the considerable effort involved in the initial Windows Intune and SCCM setup and the requirements you need to satisfy before you can fully leverage the potential of Windows Intune and SCCM integration.