Compliance Settings for Mobile Devices in SCCM

Benoit Lecours

Download and own all parts of the blog series in a single PDF file. Use our products page or use the download button below. This blog post won’t be updated, only the document will be.

 

In Part 1 of this series, we prepared the Intune environment for mobile device management. We also made sure we had the Intune subscription account.

In Part 2, we configured Active Directory and created users in Intune.

In Part 3, we prepared our Configuration Manager server in order to link it to Intune using the SCCM connector.

In Part 4, we enrolled an Apple iOS device in SCCM.

In Part 5, we enrolled an Android device in SCCM.

In Part 6, we enrolled a Windows Phone device in SCCM.

In Part 7, we will create a compliance setting on a mobile device.

Now that our devices are enrolled, we can begin the fun management stuff. The first topic we will cover is how to configure compliance settings for your mobile devices. Compliance settings define the configurations that you want to manage and assess for compliance on mobile devices. In this post, I will block a Windows Phone 8.1 device from accessing the Application Store.

What can be managed by compliance settings depends on your device OS. Use the following links to see all available settings:

Create Configuration Items

The first step is to create a Configuration Item (CI) that will block the Application Store.

  • Open your SCCM Console
  • Go to Assets and Compliance / Overview / Compliance Settings / Configuration Items
  • Right-Click Configuration Item and select Create Configuration Items

  • Name your CI and select Mobile device in the Specify the type of configuration item that you want to create drop-down list, then click Next

  • From the Mobile device setting groups, select Store and click Next

  • In the Application Store drop-down list, select Prohibited and click Next

  • Specify that you want to apply the CI on Windows Phone

  • Review the platform exclusion. In this example, the wizard is warning us that my CI is unsupported on Windows Phone 8.0. I’m using a Windows Phone 8.1, so we’re good to proceed. See the link provided at the beginning of the post to view all supported CIs.
  • Click Next

  • Review the CI wizard and click Next

  • Wait for the process to complete

  • Click Close once it’s finished

Create Configuration Baseline

Once our CI is created we must add it to a Configuration Baseline before we can deploy it to our users.

  • Open your SCCM Console
  • Go to Assets and Compliance / Overview / Compliance Settings / Configuration Baselines
  • Right-Click Configuration Baselines and select Create Configuration Baseline

  • Name your Configuration Baseline and click Add / Configuration Items

  • Select your CI that you created in the previous step and click Add
  • The CI will appear in the bottom window
  • Click OK

  • Confirm that your CI has been added and click OK

  • Everything is created; we must now deploy the Baseline to our users
  • Right-click the Baseline you just created and select Deploy

  • Your baseline will appear on the right. You could add more CIs to the same Baseline if needed
  • Check the Remediate noncompliant rules when supported and Allow remediation outside the maintenance window check boxes. If you do not select the Allow remediation outside the maintenance window check box, the remediation will wait for the next maintenance window before applying the settings.
  • Select the collection on which you want to apply the Baseline
  • Click OK

Initiate compliance check on device

Before the Baseline can be applied on the device, it must check for compliance. We’ll force a compliance check on the device.

  • Take your Windows Phone and open the Company Portal App
  • Swipe to the left and select your device

  • Select the 3 little dots on the bottom right
  • Select Check Compliance

  • Wait for the compliance check to complete

  • Done

Verify

Now that the compliance check has been made, we’ll verify that our Store is locked.

On the device

  • Find the Store tile
  • The tile is grayed out, good job!

  • If you try to open it, the App disabled notification appears

In the SCCM Console

  • Open the SCCM Console
  • Go to Assets and Compliance / Overview / Compliance Settings / Configuration Baselines
  • You can see the compliance count

  • Go to Monitoring / Overview / Reporting / Reports / Compliance and Settings Management
  • You can run reports to see your compliance status

Troubleshooting

Troubleshooting compliance settings on a mobile device is a bit complicated. On a Windows computer you can get information from the log files (DCMAgent.log and CIAgent.log), but a mobile device has no such logs. The only information you have is whether your device is compliant or not.
I would recommend creating many simple Configuration Items and testing them as you roll them out.
You’re done! Experiment with other Configuration Items. This is the key to success before implementing a BYOD company policy.

2 Comments on “Compliance Settings for Mobile Devices in SCCM”

  1. I just tried this feature out; instead I used the security feature Camera and made it “Prohibited” for all Android operating systems. I deployed it to the user’s phone but it’s not blocking the camera app. Perhaps this doesn’t work on rooted Android devices running a custom ROM of Lollipop?

    1. Never mind… it took 15 minutes for it to be applied to the Android device (even after forcing compliancy check). Thanks guys!
