SCCM 2012 Mobile Device Management

Update 2018/08/14

Microsoft has announced that on September 1, 2019, they will retire the hybrid MDM service offering. If you have SCCM in Hybrid mode, plan your migration to Intune Standalone. If you’re planning to do Mobile Device Management, please see our new post on that topic.

Managing mobile devices is a challenge that all SCCM admins will face in the near future. With the rise of BYOD (Bring Your Own Device), businesses need to have control over every asset used by their employees. With the various mobile operating systems (iOS, Windows Phone, Windows RT, Android), this task can be overwhelming, but it’s not as complicated as it looks. You just need to understand the main concepts and apply the right method to each operating system.

Mobile Device Management has been introduced with SCCM 2012 SP1 and many enhancements have been made with the R2 release. Microsoft has also released new features in the past weeks which make the solution even better. It’s simply the most complete solution if you manage your devices through SCCM 2012 and have to manage mobile devices. We’ve compiled the full list of features in the Features List section of this post.

A Microsoft Intune subscription is needed in order to enroll mobile devices, which then sync data with Configuration Manager. Operational tasks occur in the SCCM console, which provides unified management across both on-premises and cloud devices.

The blog post series will describe everything about SCCM 2012 Mobile Device Management with Intune, from the beginning of the implementation to the various operational tasks.

This blog post will continue to grow so be sure to come back often.

Download and own part 1 to 8 of the blog series in a single PDF file. Use our products page or use the download button below. This blog post won’t be updated, only the document will be.

SCCM 2012 Mobile Device Management blog series

Features List

SCCM 2012 SP1

  • The client settings group to configure mobile device enrollment settings is no longer named Mobile Devices but Enrollment
  • Mobile devices that are enrolled by Configuration Manager SP1 now use the client policy polling interval setting in the Client Policy client setting group and no longer use the polling interval in the renamed Enrollment client setting group
  • You can enroll mobile devices that run Windows Phone 8, Windows RT, and iOS when you use the Windows Intune connector
  • Users who have mobile devices that are enrolled with Intune and Android devices that are managed by the Exchange Server connector can install apps from the company portal. The company portal is the Application Catalog equivalent for these mobile devices
  • The new Retire option for mobile devices in the Configuration Manager console is supported only for mobile devices that are enrolled by Microsoft Intune

SCCM 2012 R2

  • Users can enroll Android devices by using the company portal app which will be available on Google Play. The management agent gives you more management capabilities (SCCM 2012 R2)
  • Users can enroll iOS devices by using the iOS company portal app which will be available in the App store. The company portal app will allow users to perform more actions
  • Devices that run Windows RT, iOS and Android now support a deployment purpose of Required
  • Wipe and retire functions now include the option to only remove company content from devices
  • You can configure enrolled devices as company-owned or personal-owned. Company-owned allows you to get software inventory on all mobile devices
  • You can use Microsoft Intune to manage Windows 8.1 devices that are not joined to the domain and do not have the Configuration Manager client installed
  • Extensions for Intune allow you to integrate new mobile device management capabilities into the Configuration Manager console

Intune Standalone Update – November 19th, 2014

  • Enhanced user interface for Intune administration console
  • Ability to restrict access to Exchange on-premises email based upon device enrollment
  • Bulk enrollment of devices using a single service account
  • Lockdown of Supervised iOS devices and devices using Samsung KNOX with Kiosk mode
  • Targeting of policies and apps by device groups
  • Ability to report on and allow or block a specific set of applications
  • Enforcement of application install or uninstall
  • Deployment of certificates, email, VPN and WiFi profiles
  • Ability to push free store apps to iOS devices
  • More convenient access to internal corporate resources using per-app VPN configurations for iOS devices
  • Remote PIN reset for Windows Phone 8.1 devices
  • Multi-factor authentication at enrollment for Windows 8.1 and Windows Phone 8.1 devices
  • Ability to restrict administrator access to a specific set of user and device groups
  • Updated Intune Company Portal apps to support customizable terms and conditions
  • Enhanced user interface for Intune Company Portal website

Intune Standalone Update – December 9th, 2014

  • Mobile Application Management
  • Conditional Access to Exchange Online
  • Deep Management of the Office Mobile Apps on iOS and Android
  • Managed Browser
  • Managed PDF Viewer, AV Player and Image Viewer apps
  • Bulk enrollment of iOS devices using Apple Configurator




Comments (10)


02.15.2018 AT 01:37 PM
Is there an updated version of this guide?


07.08.2016 AT 03:19 AM
Thanks for the guides. I have just one question. On an enrolled iOS device, how can you get the S/MIME email signing and encryption to work? It doesn't seem to work no matter how much we try. Some of the SCCM settings even render other email accounts unable to sign/encrypt messages, but none of the configuration items we tried actually made it possible to use an imported certificate for signing.

Nicolas Pilon

07.09.2016 AT 10:39 PM
Hello, when you talk about email signing and encryption, do you mean SSL? You can set the SSL through the email profile. Do you have an email profile? Thanks


07.11.2016 AT 01:04 AM
Hi, yes, we have an email profile. The profile itself is working but switching on SSL doesn't work at all. We have an imported cert on the iPhone, we have the management profile active with SSL switched on, but on the advanced mail settings for signature or encryption no certificate is found. Thanks

Cassie Rott

07.06.2016 AT 04:27 AM
Your guides are lifesavers for the first time user trying to teach myself everything about SCCM and Intune... I am currently stuck trying to lock down iPhones like I have Windows Phones lockdowns. Configuration Baselines do not work and we are using DEP - I have a support ticket with Microsoft and get a different answer every week. Is there anything you can do to help me - I work for a county government and our Sheriff department wants iPhones, we are going to order 150 if we can get it to work. Thank you

Nicolas Pilon

07.07.2016 AT 11:22 PM
Hello Cassie, thanks for the comment. When you say lockdown, are you saying in kiosk mode? Have you configured a deployment profile for DEP? Thanks

Charles Edge

01.15.2015 AT 01:38 PM
Thank you for putting together such a comprehensive list! Do you have any thoughts around Intune compared to third-party MDMs and various OS-centric features?

Todd Hamlin

01.14.2015 AT 01:24 PM
Thank you for compiling this information. Knowing that "You can use Microsoft Intune to manage Windows 8.1 devices that are not joined to the domain and do not have the Configuration Manager client installed" was a key point for our organization.