With the SP1 release of System Center 2012 Configuration Manager, we now have the ability to connect to Windows Intune to manage mobile devices via the Internet. This allows you to use the Configuration Manager console to provision mobile devices, apply policy, and target apps to mobile devices even when those devices are not connected to the corporate network.
This blog will cover the configuration and deployment work needed to successfully connect Configuration Manager SP1 to the Windows Intune Service, resulting in the ability for users to connect and enroll their mobile devices.
Note: If you want to use Configuration Manager to manage these users and their mobile devices, DO NOT add them to the Windows Intune group in the Windows Intune administration portal. That group is used to enable users for PC management directly via the Windows Intune service.
In order for Configuration Manager to manage these devices in the same context as other devices, it is necessary to create a Windows Intune subscription and synchronize user accounts from Active Directory to Microsoft Online. In order to do that we need to perform the following tasks:
- Sign up for a Windows Intune organizational account
- Add a public company domain and CNAME DNS entry
- Verify users have public domain User Principal Names (UPNs)
- If you plan to use single sign-on, deploy and configure Active Directory Federated Services (ADFS)
- Deploy and Configure Active Directory Synchronization
- Reset users' Microsoft Online password – if not using ADFS*
- Configure Configuration Manager for mobile device management
- Create the Windows Intune Subscription in the Configuration Manager console
- Add the Windows Intune Connector Site System role
- Verify that Configuration Manager successfully connects to Windows Intune
* Additionally we recommend that customers deploy AD FS (Active Directory Federated Services) to allow users to have a single sign-on experience (using AD user account AND password). This makes user management simpler and easier and provides a better experience for users.
Creating the Windows Intune Subscription
The first order of business is to create a Windows Intune Subscription (if you are a Volume License customer, please see your Microsoft/Partner sales representative). If your company does not have a volume license agreement for Configuration Manager, you may create a Windows Intune Subscription directly from www.WindowsIntune.com.
Once this is complete log on with the admin account created to the Windows Intune Account Portal at admin.manage.microsoft.com
Add the Public Company Domain and CNAME DNS entry
After verifying that you are able to successfully connect to the above website, you’ll need to add your company’s public domain (for example <yourcompany>.com). Windows Intune must be able to verify this domain, which means it must be registered with a registrar such as Verisign or GoDaddy.
If this step is not performed, your users may end up with onmicrosoft.com UPNs. See this article from the O365 team on how this can be changed once a verified domain is created.
For device enrollment, ensure you have a public DNS CNAME record directing EnterpriseEnrollment to manage.microsoft.com.
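A quick way to confirm that CNAME record from a Windows machine is shown below. This is an added example and not part of the original post; contoso.com is a placeholder for your verified public domain, and querying a public resolver (8.8.8.8 here) is my choice so that an internal split-DNS zone cannot hide a missing public record.

```powershell
# Added example, not part of the original post. 'contoso.com' is a placeholder
# for the public domain you verified in the Windows Intune Account Portal.
$PublicDomain = 'contoso.com'
$Expected     = 'manage.microsoft.com'

function Test-EnrollmentCname {
    param([string]$Domain, [string]$Target)
    $name = "EnterpriseEnrollment.$Domain"
    try {
        # Ask a public resolver directly (assumed: 8.8.8.8) so an internal
        # split-DNS zone cannot mask a missing public record.
        $records = Resolve-DnsName -Name $name -Type CNAME -Server 8.8.8.8 -ErrorAction Stop
    } catch {
        Write-Warning "No CNAME record found for $name : $($_.Exception.Message)"
        return $false
    }
    # Resolve-DnsName may also return the A record of the target; keep only the CNAME.
    $cname = ($records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1).NameHost
    if ($cname -and $cname.TrimEnd('.') -ieq $Target) {
        Write-Host "$name -> $cname (OK)"
        return $true
    }
    Write-Warning "$name points to '$cname', expected '$Target'"
    return $false
}

Test-EnrollmentCname -Domain $PublicDomain -Target $Expected
```

Run it after the record has had time to propagate; a warning means devices will not find the enrollment endpoint even though everything else is configured correctly.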
Verify that Users have a Public Domain User Principal Name (UPN)
Next we need to prepare your on-premise Active Directory environment to synchronize with Microsoft Online. At this point we have NOT configured Active Directory Synchronization (DirSync). The O365 link above outlines the process to change the users UPN on Microsoft Online, if Dirsync has already been configured.
We also need to change or add the public domain UPN to every user that will enroll mobile devices into Configuration Manager in the on-premise Active Directory environment, if this hasn’t already been created. For example email@example.com.
I’ve provided a link to outline a scriptable way to set these, if they have not been set.
Or you can set these manually by following this article.
To summarize, at this point we have ensured that once we configure ADFS and Dirsync (the next steps), both Microsoft Online and the on-premise Active Directory environment will have the same UPN for each user. This is critical to allowing these users to enroll mobile devices. We use the users’ UPN as the identification key between Configuration Manager and Windows Intune.
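The following script reports the users in a given OU whose UPN suffix is not the verified public domain and, once you are satisfied with the report, sets it. This is an added example, not code from the original post: the domain and OU are placeholders, the ActiveDirectory module is assumed to be installed, and building the new UPN from sAMAccountName is my assumption (many organizations use the e-mail prefix instead).

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory
# module (RSAT). 'contoso.com' and the OU below are placeholders.
Import-Module ActiveDirectory

$PublicDomain = 'contoso.com'                          # verified domain from the Intune portal (placeholder)
$SearchBase   = 'OU=Mobile Users,DC=contoso,DC=local'  # OU holding users who will enroll (placeholder)

# A UPN suffix must be registered in the forest before it can be assigned to users.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $PublicDomain) {
    throw "Add '$PublicDomain' as an alternative UPN suffix in Active Directory Domains and Trusts first."
}

$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName

# Users whose UPN is empty or ends in a different suffix (e.g. the internal contoso.local).
$mismatched = $users | Where-Object {
    -not $_.UserPrincipalName -or ($_.UserPrincipalName.Split('@')[-1] -ne $PublicDomain)
}

Write-Host ("{0} of {1} users need a UPN change" -f @($mismatched).Count, @($users).Count)
$mismatched | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize

# Apply the change. -WhatIf only shows what would happen; remove it once the report looks right.
# Assumption: the new UPN prefix is the sAMAccountName.
foreach ($u in $mismatched) {
    $newUpn = '{0}@{1}' -f $u.SamAccountName, $PublicDomain
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
}
```

Do this before DirSync performs its first synchronization; if the internal suffix has already been synchronized, the UPN has to be corrected on the Microsoft Online side as well, as the O365 article linked above describes.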
Deploy and Configure Active Directory Federated Services (ADFS) to provide single sign-on
To provide users with an integrated sign-on experience (and reduce the need for administrators to manage two passwords for users), it is strongly recommended that you deploy ADFS. ADFS provides the capability for a cloud service to leverage on-premise Active Directory credentials. In layman’s terms the flow works as follows:
- User attempts to log on into website/service
- User is asked to provide domain credentials
- Credentials are passed to ADFS on-premise (and potentially through an ADFS Proxy server in the company’s DMZ)
- AD/ADFS then passes a token to the user’s device that allows him/her to connect to the website/server
Note: No Active Directory password is passed to the website or service.
To deploy and configure ADFS, follow the steps outlined under Single Sign-on, Learn more in the Windows Intune Account portal, under the Users node.
Additionally, here are some useful links on preparing for single sign-on and how to actually deploy and verify your ADFS installation:
- Preparing for Single Sign-on: http://technet.microsoft.com/en-us/library/jj151786
- Deploying ADFS 2.0: http://technet.microsoft.com/en-us/library/jj151794. This article fully details the requirements needed, the planning and deployment process, as well as how to verify that ADFS has been deployed and configured correctly.
Deploy and Configure Active Directory Synchronization
Now that the environment is prepared, we configure the on-premise Active Directory Synchronization with Microsoft Online. I won’t go into the details here, but here’s a link that outlines the entire set of steps needed.
Once you have successfully deployed and configured Active Directory Dirsync, log on to the Windows Intune Account Portal (http://account.manage.microsoft.com). Select Domain, and then select the option to activate Active Directory Dirsync. This will allow Intune to retrieve the user details from Microsoft Online. Think of this step as a similar process to adding a subscriber to a database replication.
This will trigger a full synchronization to Intune. In a short while, you should be able to see the users listed in the Users node of the Account Portal and then you can verify that they have your company’s public domain UPN.
Reset Users’ Microsoft Online password – If not using ADFS
Perform this step only if you will not be using ADFS (AD Federated Services) to provide single sign-on functionality to users, which is highly recommended. Otherwise, administrators will need to manage two passwords for each user: one for on-premise Active Directory and a second for AAD/MSODS (Azure Active Directory/Microsoft Online Directory Services).
In order for the users to be able to log on to the Windows Intune service (and Microsoft Online), they need a Microsoft Online/Azure AD password set.
You may perform these activities for an individual user or in bulk via the Windows Intune Account Portal, or leverage PowerShell to programmatically activate them. Details are in the link below.
Configuring Configuration Manager for Mobile Device Management
With both on-premise Active Directory and the Intune Account Portal now reflecting the same user, account management is complete. The next step is to get these users into Configuration Manager. This is done by using the existing AD User Discovery task.
With AD User Discovery complete, I recommend you create a custom report to verify that the UPN of the users discovered is consistent with the Intune Account Portal, using the following SQL query:
-- Counts discovered users per UPN suffix (the part after '@').
-- Every row should be your verified public domain; CM_EC1 is this site's database.
SELECT UpnSuffix, COUNT(*) AS NumOfOccurrences
FROM (
    SELECT RIGHT(User_Principal_Name0, LEN(User_Principal_Name0) - PATINDEX('%@%', User_Principal_Name0)) AS UpnSuffix
    FROM CM_EC1.dbo.v_R_User
) AS sub
GROUP BY UpnSuffix
Finally we are ready to connect Configuration Manager to the Windows Intune Service.
There are two steps we need to perform to complete this connection:
- Create a Windows Intune Subscription object in the Configuration Manager console.
- Create a Windows Intune Connector Site System Role, within the Configuration Manager console.
Creating a Windows Intune Subscription in the Configuration Manager Console
In the Administration workspace, expand Hierarchy Configuration, and then click Windows Intune Subscriptions.
Note: This node will only be available for a top most site, central administration site or a standalone primary site. A subscription can currently not be created from other sites in the hierarchy.
On the Home tab, in the Create group, click Create Windows Intune Subscription.
You will be presented with a welcome message that outlines what certificates, etc. will be needed for each of the mobile device Platforms supported.
Next you will be asked to log on to the Windows Intune Account Portal. This login will retrieve the certificate needed by the Windows Intune Connector Site System role we will create shortly.
Note: The certificate is requested as soon as the sign-in completes, not at the end of the wizard. Even more important, this will invalidate any existing connector that was created previously with the same admin account.
Additionally you’ll be asked to select Configuration Manager as the management console for managing these mobile devices. This is important, as it will determine where all mobile device management for your company will be performed from.
Next, complete the following tab:
This will define the user collection that you will use to enable users to enroll mobile devices, as well as how the users will see the various self-service portals.
Lastly you will select what primary site all mobile devices will be assigned to once they are enrolled.
Now we need to select which platforms your company wishes to support in their environment. On this Platforms tab we will again outline the requirements needed to enroll a mobile device of each platform type. These platforms can also be added and configured later, through the Windows Intune Subscription property pages.
For this release we support the following mobile device platforms:
- Windows RT
- Windows Phone 8
- iOS (5.x, 6.x)
- Android (2.1 and later)*
*Android features supported through the Exchange Connector only.
Important: We strongly recommend the Exchange Connector is also deployed on the infrastructure used to provide native mobile device management (MDM) support (in this case Configuration Manager). The Exchange Connector adds value to the native MDM capabilities of SP1, by allowing the discovery of devices in the company, and thus providing the potential pool of devices that could be supported via the native MDM solution. It also provides further remote wipe capabilities.
Although sideloaded applications do not have to be certified by the Windows Store or installed through the Windows Store, they can only be installed on sideloading-enabled devices. To enable a Windows RT device for sideloading, you must first obtain sideloading product activation keys. For information about how to obtain sideloading product activation keys, see Microsoft Volume Licensing.
To distribute line-of-business apps to Windows RT users, you must also ensure that the apps are signed with a certification authority that is trusted by the users’ devices. You can either obtain a non-Microsoft public certificate, or use a code-signing certificate from your organization’s certification authority. For information, see Acquire a Code Signing Certificate.
These are not required fields.
Windows Phone 8
Windows Phone 8 requires a code signing certificate to install applications.
To distribute applications and external links to users who have Windows Phone 8 devices, you must first distribute the Company Portal app to these users. Once you have created the application containing the Company Portal, it will automatically be deployed to manage.microsoft.com when WP8 is enabled for enrollment.
Users access the Company Portal app when they enroll their devices in Windows Intune. To complete the enrollment process, users must install the Company Portal app. When you distribute applications and external links to users, they can access the applications and links by visiting the Company Portal app.
Before you can distribute the Company Portal app to users, you must make sure that the app is signed by a mobile code-signing certificate that is trusted by users’ devices. To obtain the code-signing certificate, complete the following steps:
- Establish a Company Dev Center account on the Windows Phone Dev Center. As part of this process, you will receive a Publisher ID. For more information, see Registration Info.
- Visit the Symantec Enterprise Mobile Code Signing Certificate website to complete the required steps to obtain an enterprise mobile code-signing certificate. When this process is complete, Symantec will deliver a certificate that can be imported into the certificate store on a computer.
- In the Certificates snap-in on the computer where the certificate is imported, export the certificate in PFX format. Be sure to export the private key with the certificate. The .pfx file will be used to generate an application enrollment token (AET) and sign company apps. For more information about how to export the certificate in PFX format, see Export a Certificate with the Private Key.
In order for iOS devices to check for policy, they need to be contacted by the Apple Push Notification service (APNs). Each company needs an APNs certificate to allow Windows Intune to contact Apple to make this request. When a new policy is created, Intune then contacts Apple for those devices, the devices then check the Intune service for new policy.
Note there are a series of steps needed in order to retrieve a certificate from Apple.
- Use the Request APNs Certificate Service Request (CSR) action to retrieve from the Windows Intune Service a CSR file that can then be uploaded to Apple.
- Connect to Apple’s Push Notification Portal website to upload the CSR and retrieve an APN certificate.
- Upload the APN certificate to Configuration Manager (using the Windows Intune Subscription wizard).
Windows Intune Subscription Wizard Completion
Once each platform has been configured the Windows Intune Subscription is complete. The wizard will show all the details you’ve created, for confirmation. At this point, select Summary and then click Close. The subscription has now been created.
Creating the Windows Intune Connector Site System role
The final step is to create the site system role that will connect to the Windows Intune Service. This role can only be installed on a machine that belongs to the topmost site, either a standalone primary site or the CAS.
Under Site Configuration, Servers and Site System Roles, select Add Site System Roles (if using an existing site system).
New for SP1 is the ability to specify a proxy server for the site system, rather than having to define this for every site system role. Complete these proxy details, if needed.
Next select the role Windows Intune Connector.
Then, complete the wizard.
Note: in order for the connector to communicate with the Windows Intune Service, you may need to add the following sites to the connector server’s trusted sites list:
At this point all configuration is complete!
How to Verify that Configuration Manager is successfully connecting to the Windows Intune Service
Perform the following actions to verify successful configuration.
- Check cloudusersync.log to verify that users have successfully synced to Microsoft Online (and Windows Intune). This will confirm that the UPN names are consistent. If any users fail to sync, it is most likely due to UPN mismatches.
- Check Sitecomp.log to verify that the site role was created successfully.
- Check certmgr.log as well; it shows the connector certificate being shared with the machine hosting the role. This happens after the role install is complete, so the logs of the components (UserSync, DMP*Loader) might indicate at the beginning that they are waiting for the certificate.
- Check Dmpuploader.log to verify that the connector site system role is able to upload policy, etc., to the Windows Intune Service.
- Check Dmpdownloader.log to verify that the connector is able to download messages from Windows Intune. Note: this log might only show a ping at the beginning, as there might be no messages queued for download initially.
Cloudusersync.log, Dmpuploader.log and Dmpdownloader.log are all found on the Windows Intune Connector role server (%sms install dir%\Logs).
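Rather than scrolling each log in CMTrace, the warnings and errors can be pulled out of all three connector logs at once. The script below is an added example, not from the original post: it parses the standard Configuration Manager log line layout (message, time, date, component and a numeric type where 1 is info, 2 warning, 3 error), the log directory is a placeholder for %sms install dir%\Logs, and the sample lines are constructed for illustration, not copied from a real cloudusersync.log.

```powershell
# Added example, not part of the original post. Parses Configuration Manager
# (CMTrace-format) log lines and returns the entries flagged as warnings or errors.
$LogDir = 'C:\Program Files\Microsoft Configuration Manager\Logs'   # placeholder for %sms install dir%\Logs

$SeverityByType = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

function ConvertFrom-CMLog {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    begin {
        # One entry per line: <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" ...>
        $pattern = '<!\[LOG\[(?<Message>.*?)\]LOG\]!><time="(?<Time>[^"]*)" date="(?<Date>[^"]*)" component="(?<Component>[^"]*)" context="[^"]*" type="(?<Type>\d)"'
    }
    process {
        if ($Line -match $pattern) {
            $sev = $SeverityByType[$Matches.Type]
            if (-not $sev) { $sev = 'Unknown' }
            [pscustomobject]@{
                Date      = $Matches.Date
                Time      = $Matches.Time
                Component = $Matches.Component
                Severity  = $sev
                Message   = $Matches.Message
            }
        }
    }
}

# Constructed sample lines in the CMTrace layout; the message text is invented for
# illustration and is not copied from a real cloudusersync.log.
$sample = @'
<![LOG[Starting user sync cycle]LOG]!><time="09:00:01.000+000" date="01-15-2013" component="CLOUDUSERSYNC" context="" type="1" thread="1234" file="">
<![LOG[Waiting for connector certificate]LOG]!><time="09:00:02.000+000" date="01-15-2013" component="CLOUDUSERSYNC" context="" type="2" thread="1234" file="">
<![LOG[Failed to sync user, UPN does not match a verified domain]LOG]!><time="09:00:05.000+000" date="01-15-2013" component="CLOUDUSERSYNC" context="" type="3" thread="1234" file="">
'@ -split "`r?`n"

# Everything that is not plain information; on the sample this is the warning and the error.
$sample | ConvertFrom-CMLog | Where-Object { $_.Severity -ne 'Info' } | Format-Table -AutoSize

# Against the real connector logs named in the post (uncomment on the connector server):
# Get-Content (Join-Path $LogDir 'cloudusersync.log'), (Join-Path $LogDir 'dmpuploader.log'), (Join-Path $LogDir 'dmpdownloader.log') |
#     ConvertFrom-CMLog | Where-Object { $_.Severity -eq 'Error' } | Format-Table -AutoSize
```

An early "waiting for certificate" warning is expected, as noted above; an error in cloudusersync.log that names a user is the UPN mismatch case and should be fixed in Active Directory before that user tries to enroll.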
At this point the approved users (Users contained within the User Collection you selected), on the supported platforms, should be able to enroll the devices.
This posting is provided “AS IS” with no warranties and confers no rights.