Microsoft

System Center Configuration Manager Feedback


Deploy SCEP profile to mobile devices without User Affinity

Deploying SCEP profiles to mobile devices without user affinity is not possible, and here is why that feature is needed. My customer has a conference room solution that involves an iPad to display booking details and the schedule outside every conference room.

This tablet needs access to the internal 802.1X-protected Wi-Fi as well as a VPP app to display the booking details and so on.

The idea here is to enrol the devices in Apple DEP and assign a DEP profile that does not involve user affinity. Then some sort of mechanism is set up that adds enrolled devices, matched by pre-registered serial numbers, to certain collections right after they appear in Configuration Manager.

On these collections we deploy the VPP app with a per-device license as well as the Wi-Fi and SCEP profiles. In addition, the VPP app is configured to run in kiosk mode.

If that is achieved, we can in most cases reset these devices from the Servicedesk with very little help from users, since there is no need to supply an enrolment account during the first-run wizard.

For example, after a wipe has been initiated and the device is up again, the user gets instructions to choose a language and pick an open Wi-Fi network to get access to the Internet. After that the enrolment is automated and completes within about 20 minutes. The device receives the SCEP profile and the Wi-Fi profile to get access to the internal network. Then the VPP app is installed automatically without an Apple ID and auto-configured to contact the web service for the conference room details.

If we don’t achieve this, we must use Enrolment Manager accounts to configure the devices automatically. That will involve an onsite technician every time a device needs to be reset or set up. And since this solution involves more than 1000 iPads, the support cost will be high compared to a situation where most resets can be done without involving the onsite technicians.

Also, having Enrolment Manager accounts known to many technicians is somewhat of a security risk, since these accounts can be used to enrol any device and get access to the internal network quite easily if the credentials are compromised.

25 votes
Daniel Persson shared this idea
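As an added illustration of the "mechanism that adds enrolled devices based on pre-registered serial numbers to collections" described in the post above (example code written for this page, not the poster's, a customer's or Microsoft's own), the following PowerShell script reconciles a collection's direct membership rules against an allowlist CSV of iPad serial numbers using the Configuration Manager console cmdlets. The site code, collection name and CSV path are placeholder assumptions, as is the assumption that the device objects returned by Get-CMDevice carry a SerialNumber value for the DEP-enrolled iPads. Devices whose serial number is not on the list are removed from the collection, so a device enrolled by mistake or without pre-registration does not receive the SCEP and 802.1X Wi-Fi profiles that are deployed to it.

```powershell
<#
  Added example (not from the original post): keep a Configuration Manager device
  collection in sync with an allowlist of pre-registered iPad serial numbers, so that
  only those devices receive the SCEP and Wi-Fi profiles deployed to the collection.
  Assumptions (placeholders, not from the page): site code, collection name, CSV path,
  and that Get-CMDevice objects carry a SerialNumber value for the DEP-enrolled iPads.
#>
param(
    [string]$SiteCode       = 'P01',                      # assumed site code
    [string]$CollectionName = 'Conference Room iPads',    # assumed collection name
    [string]$SerialListPath = 'C:\ConfRooms\serials.csv'  # assumed CSV with a SerialNumber column
)

# Load the Configuration Manager cmdlets from the installed console and switch to the site drive.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1" -ErrorAction Stop
Set-Location "$SiteCode`:" -ErrorAction Stop

# 1. Read the allowlist. Normalise case and whitespace and drop blanks so a sloppy CSV
#    cannot silently produce a serial that never matches.
$allowed = @(Import-Csv -Path $SerialListPath |
    ForEach-Object { "$($_.SerialNumber)".Trim().ToUpperInvariant() } |
    Where-Object { $_ -ne '' } |
    Sort-Object -Unique)
if ($allowed.Count -eq 0) { throw "No serial numbers found in $SerialListPath; refusing to empty the collection." }

# 2. Index enrolled devices by serial number. Two records with the same serial is a
#    conflict (stale record or a spoofed inventory value); such serials are skipped
#    rather than guessed, so an ambiguous device never receives the certificate profile.
$bySerial  = @{}
$conflicts = @{}
foreach ($dev in (Get-CMDevice | Where-Object { $_.SerialNumber })) {
    $serial = "$($dev.SerialNumber)".Trim().ToUpperInvariant()
    if ($bySerial.ContainsKey($serial)) { $conflicts[$serial] = $true } else { $bySerial[$serial] = $dev }
}
foreach ($serial in @($conflicts.Keys)) {
    Write-Warning "Serial $serial matches more than one device record; skipping it."
    $bySerial.Remove($serial)
}

# 3. Current direct membership rules of the collection.
$rules     = @(Get-CMDeviceCollectionDirectMembershipRule -CollectionName $CollectionName)
$memberIds = @($rules | ForEach-Object { [int]$_.ResourceID })

# 4. Add every pre-registered device that has enrolled but is not yet a member.
foreach ($serial in $allowed) {
    if (-not $bySerial.ContainsKey($serial)) {
        Write-Verbose "Serial $serial is pre-registered but has not enrolled yet."
        continue
    }
    $dev = $bySerial[$serial]
    if ($memberIds -notcontains [int]$dev.ResourceID) {
        Add-CMDeviceCollectionDirectMembershipRule -CollectionName $CollectionName -ResourceId $dev.ResourceID
        Write-Output "Added $($dev.Name) (serial $serial) to '$CollectionName'."
    }
}

# 5. Remove members whose serial number is no longer on the allowlist (or whose record
#    vanished), so a retired, re-used or mistakenly enrolled device loses the profiles.
foreach ($rule in $rules) {
    $dev    = Get-CMDevice -ResourceId ([int]$rule.ResourceID)
    $serial = if ($dev -and $dev.SerialNumber) { "$($dev.SerialNumber)".Trim().ToUpperInvariant() } else { $null }
    if (-not $serial -or $allowed -notcontains $serial) {
        Remove-CMDeviceCollectionDirectMembershipRule -CollectionName $CollectionName -ResourceId $rule.ResourceID -Force
        Write-Output "Removed resource $($rule.ResourceID) (serial '$serial') from '$CollectionName'."
    }
}

# 6. Trigger a membership evaluation so the deployments targeting the collection apply promptly.
Invoke-CMCollectionUpdate -Name $CollectionName
```

Run it on a schedule (for instance a scheduled task on the site server under a service account with rights to that collection) so that an iPad that re-enrols after a wipe is picked up and re-added; after a wipe the device gets a fresh Configuration Manager record with a new ResourceID, which is why membership is keyed on the serial number rather than on the resource. In this design the serial allowlist replaces the Enrolment Manager credentials as the gate to the 802.1X network, so the CSV and the account running the script need the same protection the post asks for those credentials.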

    1 comment

Anonymous commented

        Have you got any update on this? Any workarounds you figured to overcome the limitation?
