Prerequisites for Remote Connection Profiles in Configuration Manager

 

Updated: May 14, 2015

Applies To: Microsoft Intune, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

Note

The information in this topic applies only to System Center 2012 R2 Configuration Manager versions only.

Remote connection profiles in System Center 2012 Configuration Manager have external dependencies and dependencies in the product.

Dependencies external to Configuration Manager

Dependency

More Information

Remote Desktop Gateway server

If you want to enable users to connect on the Internet from outside the company domain, you must install and configure a Remote Desktop Gateway server.

Important

If Remote Desktop or Terminal Services settings are managed by another application or Group Policy settings, remote connection profiles might not work correctly. When you deploy remote connection profiles from the Configuration Manager console, its settings are stored in the local policy of the client computer. These settings might override Remote Desktop settings that are configured by another application. Additionally, if you use Group Policy settings to configure Remote Desktop settings, the settings that are specified in the Group Policy settings override the settings that are configured by Configuration Manager.

For more information about how to install and configure a Remote Desktop Gateway server, see the Windows Server documentation.

If client computers run a host-based firewall, it must enable the Mstsc.exe program.

When you configure a remote connection profile, you must enable the Allow Windows Firewall exception for connections on Windows domains and on private networks setting. When this setting is enabled, Configuration Manager automatically configures Windows Firewall to enable the Mstsc.exe program. However, if client computers run a different host-based firewall, you must manually configure this firewall dependency.

Warning

Group Policy settings to configure Windows Firewall can override the configuration that you set in Configuration Manager. If you use Group Policy to configure Windows Firewall, ensure that Group Policy settings do not block the Mstsc.exe program.

Configuration Manager Dependencies

Dependency

More information

Configuration Manager must have a configured connection to Microsoft Intune by using the Microsoft Intune connector site system role.

For more information about connecting Configuration Manager to Microsoft Intune, see Manage Mobile Devices with Configuration Manager and Microsoft Intune.

In order for a user to connect to a work computer on the company network, that computer must be a primary device of the user.

For more information about user device affinity in Configuration Manager, see How to Manage User Device Affinity in Configuration Manager.

Specific security permissions must have been granted to manage remote connection profiles.

You must have the following security permissions to manage remote connection profiles:

  • To view and manage alerts and reports for compliance settings: Create, Delete, Modify, Modify Report, Read, and Run Report for the Alerts object.

  • To manage configuration baseline deployments: Deploy Configuration Items, Modify Client Status Alert, Modify, Read, and Read Resource for the Collection object.

  • To create and manage configuration baselines and configuration items: Create, Delete, Modify, Modify Folder, Modify Report, Move Object, Read, Run Report, and Set Security Scope permission for the Configuration Item object.

  • To run queries that are related to compliance settings: Read permission for the Query object.

  • To view compliance settings information in the Configuration Manager console: Read permission for the Site object.

  • To select software updates to be used in configuration baselines: Read permission for the Software Updates object.

  • To view status messages for compliance settings: Read permission for the Status Messages object.

The Compliance Settings Manager security role includes these permissions that are required to manage remote connection profiles and compliance settings in Configuration Manager. For more information, see the Configure Role-Based Administration section in the Configuring Security for Configuration Manager topic.