

Unified Device Management with Configuration Manager 2012 R2 - Part 4. Configuring compliance on iOS devices




In Part 1 of this mini series we integrated Windows Intune with System Center 2012 R2 Configuration Manager. In Part 2 we added support for iOS devices (iPhone, iPad). In Part 3 we learned the difference between an App Package for iOS (*.ipa file) and applications from the Apple App Store. We learned how to deploy them to iOS devices and configured the deployment type so that the applications were made available to the user based on the iPhone or iPad operating system version. In addition, we checked device ownership information and deployed the application based on those requirements.


System Center 2012 R2 Configuration Manager with Windows Intune integration provides new abilities (double the default settings groups that were offered in Configuration Manager 2012 Service Pack 1) for configuring settings for mobile device management. In this part we will learn how to use and configure compliance settings in order to enable or disable certain configurable features on iOS devices. We will require a password and enforce a minimum password length, which is a common requirement for organizations.


The following list shows the default settings groups (or headings) of the mobile device settings which are now available. Each default settings group contains many configurable settings:

  • Password
  • Device
  • Email Management
  • Store
  • Browser
  • Internet Explorer
  • Content Rating
  • Cloud
  • Security
  • Peak synchronization
  • Roaming
  • Encryption
  • Wireless communications
  • Certificates
  • System Security
  • Windows Server Work folders

Note: In addition to the above, you can configure settings that are not in the default settings groups by selecting "Configure additional settings that are not in the default settings groups" when creating your configuration item. There are many additional settings available, so do take a look at them.


The following page on TechNet explains the above settings in more detail and shows which settings are applicable by platform type.




Note: Although the list above is quite extensive and contains several configurable settings per heading, not all default settings groups apply to any one device type. The applicability of a setting is listed during Configuration Item creation.


Step 1. Create a new Mobile Device configuration item

Compliance Settings within Configuration Manager are used to control the settings on your mobile devices. In the Configuration Manager console, click on Assets and Compliance, and expand Compliance Settings. Locate Configuration Items, right click and choose Create Configuration Item.


Create Configuration Item.png


In the wizard that appears, give your Configuration Item a suitable name which describes the functionality of the Configuration Item, such as Minimum Password Length. Then, from the drop down menu, select Mobile Device as the type of Configuration Item you are going to create, as in the example below


create configuration item - Name and configuration item type.png


and then click on Categories, then Create to create a new category, enter All iOS - Password. This will make it easier later to filter our configuration items for each platform and heading group.


create category called All iOS Password.png


so that it looks like the following example


General - create configuration item wizard.png


Place a checkmark in the Password default settings group.


Password default settings group.png


Click on Next and the Password default settings group settings are revealed. We will configure the minimum password length here: set it to a value that works in your organization, change the Require password settings on mobile devices drop down menu to Required, and make sure that the Remediate noncompliant settings checkbox is checked as shown in the screenshot below.


minimum password length.png


Tip: Although there are many settings in each default settings group, to make it easier to track compliance for each setting you configure, consider creating one Configuration Item per setting.


On the Supported Platforms screen you can select the devices you want to support, for example iPhone as shown in the screenshot below. If you choose to select All Systems (default) then the next screen will be populated with those platforms that are not supported by the setting you have chosen.


supported platforms.png


In the Platform Applicability screen any platforms that are NOT supported by the settings you chose will be listed,


Platform Applicability.png


complete the wizard


wizard complete.png


Step 2. Create a Configuration Baseline

Now that we've created our Configuration Item, we will add it to a Configuration Baseline. To do that we need to create the baseline. In Configuration Baselines, right click and choose Create Configuration Baseline


Create Configuration Baseline.png


Give it a suitable name like All iOS Mobile Device Management baseline and click on Add, then add our previously created Configuration Item from Step 1.


All iOS configuration baseline.png


and don't forget to add any assigned Categories to improve search filtering


assigned categories.png


Step 3. Create a new device collection

Create a new device collection called All iOS devices and limit it to All Mobile devices


All iOS devices collection.png


and set up a membership query to look for Operating Systems like iOS.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "iOS%"

membership query.png


And below is our collection populated with iOS devices after creation


all ios devices.png
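
The same collection can also be created from the Configuration Manager PowerShell module instead of the console. This is an added example, not part of the original guide: the site code XYZ and the rule name are placeholders, and it assumes the Configuration Manager console is installed on the machine running it.

```powershell
# Added example. Assumes the ConfigMgr console (and its PowerShell module) is installed.
$SiteCode = 'XYZ'   # placeholder: replace with your own site code

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

$CollectionName = 'All iOS devices'

# Same WQL as the membership query shown in this step (kept on one line).
$Query = @'
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "iOS%"
'@

# Only create the collection if it does not exist yet, so the script can be re-run.
if (-not (Get-CMDeviceCollection -Name $CollectionName)) {
    New-CMDeviceCollection -Name $CollectionName `
        -LimitingCollectionName 'All Mobile Devices' | Out-Null

    # 'iOS operating systems' is a hypothetical rule name chosen for this example.
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName `
        -RuleName 'iOS operating systems' `
        -QueryExpression $Query
}

# Trigger a membership evaluation, then list what the query picked up.
Invoke-CMDeviceCollectionUpdate -Name $CollectionName
Get-CMDevice -CollectionName $CollectionName | Select-Object Name, ResourceID
```

Membership evaluation is asynchronous, so the final listing may be empty until the collection has finished updating.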


Step 4. Deploy the Configuration Baseline

Now that we have created our configuration item, which has compliance rules defined for minimum password length, and added it to a configuration baseline, we are ready to deploy it to a collection.


Note: You can deploy compliance settings for Mobile Devices to a user or device collection. If you deploy the baseline to a user collection, the compliance settings are applied to all the enrolled devices for those users.


In this example, we will deploy it to our previously created collection called All iOS Devices.


Right click on the All iOS Mobile Device Management baseline configuration baseline created above and choose Deploy.


deploy configuration baseline.png


Place a checkmark in Remediate noncompliant rules when supported and in Generate an alert. Next, select the Browse button beside Collection and specify the All iOS Devices collection, then set the Schedule to Simple Schedule and set it to run every 1 day.


remediate noncompliant rules when supported.png


Step 5. Monitor Compliance using Reports.

Configuration Manager has several built-in reports, including reports for compliance. In the Monitoring node click on Reports, and expand to Compliance Settings Management.


compliance settings management reports.png


Select the report named Summary Compliance by a configuration baseline and fill in the values requested


All iOS Mobile Device Management baseline compliance report.png


Click on View Report to get details of compliance


view report.png


and you can drill your way through the compliance reports to see how your Compliance Settings are taking shape!

In the screenshot below, for example, we can see that the compliance state was not applicable, as we targeted our configuration item to iPhone iOS only (and excluded iPads).


not applicable to iPads.png


and below we can see a compliant device


phone is compliant.png


Step 6. Verify the settings change on a targeted mobile device

You will of course want to verify the settings change on a mobile device that you have targeted with these compliance settings.


Tip: It can take up to 24 hours for the policy to arrive, so patience is important.


Note: The screenshots below relate only to the change we enforced above (minimum password length), so whatever setting you target to your modern devices will have to be verified accordingly.


In the first screenshot we can see that the device has received the policy and alerts the user. Clicking on Continue allows the user to make the change, or the user can delay it (within the deadline of 60 minutes) by clicking Later.




the user is prompted to enter the old password (4 chars in this case)




and then the user must enter the new password with 6 characters (from our configured compliance settings)




and re-enter it and click on save to confirm




Congratulations! All done.



Recommended Reading



In this part we've looked at how we can configure settings on mobile devices using Compliance Settings within Configuration Manager. We then saw how to report on the compliance and finally how to verify those settings were applied on targeted devices. Until next time, adios!


Continue on to Part 5.



You can download a Microsoft Word copy of this guide here:


How can I manage modern devices in System Center 2012 R2 Configuration Manager Part 4 configuring compliance on iOS devices.zip


