
Wednesday, 28 August 2013

System Center 2012 Configuration Manager SP1 and Windows Intune - Configuring the Exchange Connector

This is a post in a series of posts on Windows Intune and the new integration capabilities found in System Center 2012 SP1 Configuration Manager.  The other posts can be found here.

This post will show you how to establish a connection between Configuration Manager and your E-Mail Service.

For this example I’ve actually chosen to connect ConfigMgr into my Office 365 account as I made the decision not to have local infrastructure where possible in the lab.

Why would you want to connect ConfigMgr to your Exchange/Office 365 environment?  Well while iOS and Windows Phone utilise direct MDM management, Android doesn’t have a native MDM capability for controlling settings (That is until Intune Wave F is available later this year), but it does allow configuration via ActiveSync policies.

  • From within the ConfigMgr admin console, navigate to the Administration node | Expand Hierarchy Configuration | Click on Exchange Server Connectors
  • Click on Add Exchange Server on the Ribbon
  • Either choose On-premise Exchange Server or Hosted Exchange Server and supply the information of where to connect to.
    For an on-premise exchange this can be either the FQDN of the Exchange server or a URL to the PowerShell component.
    For Office365 (Hosted Exchange Server) use this URL - https://ps.outlook.com/PowerShell-LiveID
  • Click Next
[Screenshot: Initial Setup]
  • On the Account section either select an existing account if you have one setup already with the relevant permissions, or create a new one.  Take a note of the PowerShell cmdlets the account is required to be able to run.

    The following Exchange Server management roles include these cmdlets: Recipient Management; View-Only Organization Management; and Server Management.

    If you try to install or use the Exchange Server connector without the required cmdlets, you will see an error logged with the message Invoking cmdlet <cmdlet> failed in the EasDisc.log log file on the site server computer.

    There is a script available on the TechNet Gallery by Stephan Schwarz that will help with granting these permissions - http://gallery.technet.microsoft.com/office/Configure-Exchange-cmdlet-c4f2affd
  • Click Next
[Screenshot: Account]
  • Choose a schedule for how often you would like synchronisation to occur. As with everything, be mindful of the extra load you may place on both your site server and Exchange.
  • Choose to ignore inactive devices based on how long they have been inactive if you wish
  • If you’ve chosen an on-premise Exchange connection you can filter the discovery down further; if, like me, you’ve chosen Office 365 hosted Exchange then you cannot.
  • Click Next
[Screenshot: Discovery]
  • On the Settings tab, you can choose at this point to either leave the policies that are applied to the mobile devices to be assigned by Exchange, or choose the Edit button for a relevant group of settings and modify the policy.

    Be aware that the settings applied through ConfigMgr will take precedence over the Exchange ActiveSync policies.
  • Click Next
[Screenshot: Configure Settings]
  • Review the Exchange connector settings in the Summary tab and click Next
[Screenshot: Confirm]
  • The connector should complete successfully and show the result.  Review and then click Next
[Screenshot: Complete]
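Two checks that go with the account step above, as an added example that is not part of the original post: confirm the connector account is in the role groups the post names, and pull any "Invoking cmdlet <cmdlet> failed" entries out of EasDisc.log on the site server. The account name and the log path are placeholders; the connection URI is the Office 365 endpoint quoted above. This uses the Basic-authentication remoting that the endpoint offered at the time of the post; current Exchange Online tenants have retired it, and there you would connect with Connect-ExchangeOnline from the ExchangeOnlineManagement module instead and run the same two functions.

```powershell
# Added example (not part of the original post): two checks for the Exchange Server
# connector, run from the site server.
#   1. Confirm the connector account sits in the role groups the post names.
#   2. Pull any "Invoking cmdlet <cmdlet> failed" entries out of EasDisc.log.
# Assumptions: the account name and log path below are placeholders; the
# connection URI is the Office 365 endpoint quoted in the post.
param(
    [string]$ConnectorAccount = 'svc-easconnector@contoso.onmicrosoft.com',   # placeholder
    [string]$ConnectionUri    = 'https://ps.outlook.com/PowerShell-LiveID',
    [string]$EasDiscLog       = 'C:\Program Files\Microsoft Configuration Manager\Logs\EasDisc.log'  # placeholder path
)

# Role groups that, per the post, include the cmdlets the connector needs.
# Server Management is an on-premises group and may not exist in a hosted tenant.
$RequiredRoleGroups = 'Recipient Management', 'View-Only Organization Management', 'Server Management'

function Connect-HostedExchange {
    param([string]$Uri)
    $cred = Get-Credential -Message 'Exchange administrator credentials (used only for this check)'
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $Uri `
                             -Credential $cred -Authentication Basic -AllowRedirection
    Import-PSSession -Session $session -DisableNameChecking | Out-Null
    return $session
}

function Test-ConnectorRoleGroups {
    param([string]$Account, [string[]]$RoleGroups)
    foreach ($group in $RoleGroups) {
        # A missing group (e.g. Server Management online) simply yields no members.
        $members  = @(Get-RoleGroupMember -Identity $group -ErrorAction SilentlyContinue)
        # Match on primary SMTP address or display name, whichever the tenant uses.
        $isMember = [bool]($members | Where-Object {
            "$($_.PrimarySmtpAddress)" -eq $Account -or $_.Name -eq $Account })
        [pscustomobject]@{ RoleGroup = $group; ConnectorAccountIsMember = $isMember }
    }
}

function Get-FailedConnectorCmdlets {
    param([string]$LogPath)
    if (-not (Test-Path -Path $LogPath)) {
        Write-Warning "Log not found: $LogPath"
        return @()
    }
    # ConfigMgr wraps each message as <![LOG[...]LOG]!>; the cmdlet name follows "Invoking cmdlet".
    Select-String -Path $LogPath -Pattern 'Invoking cmdlet (\S+) failed' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } |
        Sort-Object -Unique
}

$session = Connect-HostedExchange -Uri $ConnectionUri
try {
    Test-ConnectorRoleGroups -Account $ConnectorAccount -RoleGroups $RequiredRoleGroups | Format-Table -AutoSize
} finally {
    Remove-PSSession -Session $session
}

$failed = @(Get-FailedConnectorCmdlets -LogPath $EasDiscLog)
if ($failed.Count -gt 0) {
    Write-Warning ("EasDisc.log reports failed cmdlets: {0}" -f ($failed -join ', '))
} else {
    'No failed cmdlet invocations found in EasDisc.log'
}
```

Run it from an elevated PowerShell prompt on the site server; the role-group table tells you whether the connector account is missing a group, and any cmdlet names the log check returns are the ones the account still cannot run.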

Saturday, 16 February 2013

System Center 2012 Configuration Manager SP1 and Windows Intune - Configuring Windows Phone 8 Management

This is a post in a series of posts on Windows Intune and the new integration capabilities found in System Center 2012 SP1 Configuration Manager.  The other posts can be found here.

This post was slightly delayed due to an issue with the app display name.  More info can be found here; it is worth checking if your Windows Phone 8 is running English [UK] or European Portuguese.

Preparing the Windows Intune – Windows Phone 8 Company Portal

Step 1 – Obtain the code signing certificate


Go to the Windows Phone Dev Center (https://dev.windowsphone.com/en-us), sign-in using a Windows Live ID and register for an account.
The process will then begin with Symantec and Microsoft to verify your company details.  This may take between 2 – 10 days.



Once approved, and only once approved, make a note of your Symantec Id on the Account summary of the Dev Center and then go to this site to request and pay for your certificate: https://products.websecurity.symantec.com/orders/enrollment/microsoftCert.do

Symantec will send an e-mail with a URL to retrieve your new certificate and 2 URLs to install the root certificates in the chain.

Open a new MMC window (Windows Key + R, then type mmc), from the File menu choose Add/Remove Snap-in, select Certificates and then choose Computer account.  Click Next, Finish and then OK.


Use this URL to download and save the Symantec Root CA Cert: https://knowledge.verisign.com/library/VERISIGN/ALL_OTHER/Symantec_Enterprise_Mobile_Root_for_Microsoft.cer

Use the open MMC console to import this certificate into the Trusted Root Certification Authorities store by expanding the nodes then right clicking, choosing All Tasks then Import.


Use this URL to download and save the Symantec Intermediate CA Cert: https://knowledge.verisign.com/library/VERISIGN/ALL_OTHER/Symantec_Enterprise_Mobile_CA_for_Microsoft_Cert.cer

Use the open MMC console to import this certificate into the Intermediate Certification Authorities store by expanding the nodes then right clicking, choosing All Tasks then Import.


Once this has been completed, use the Symantec supplied URL to retrieve your code signing certificate.  This should install the certificate into the Personal store of the currently logged on user.

Close the mmc window if still open and then reopen a new mmc console, use the Add/Remove snapins option and select Certificates, but this time choose “My user account”.


Navigate to the Personal > Certificates node, select the newly imported code signing certificate, right click on it, and choose All Tasks then Export.


Step through the wizard choosing to export the Private Key and to include all certificates in the chain and save the certificate to C:\Intune.

N.B. It is important that you select the option to include all certificates in the chain otherwise later the Company Portal app will fail to download to your device.

Step 2 – Signing the Portal App


To sign Windows Phone 8 applications you will need the Windows Phone 8 SDK installed.
This SDK also requires Windows 8 as the operating system.

Download the SDK from here:
https://dev.windowsphone.com/en-us/downloadsdk

Once the SDK is installed, navigate to C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\XapSignTool and copy the contents to the C:\Intune folder created earlier.

Navigate to C:\Program Files (x86)\Windows Kits\8.0\bin\x86 and copy signtool.exe to the C:\Intune folder

At the Start Screen (Windows 8) search for VS2012 x86 to find the Native Tools command prompt and run it as an administrator.


In the command prompt type:
  • CD\
  • CD Intune
  • XapSignTool.exe sign /f C:\Intune\Certificate.pfx /p xXxXxXxXx C:\Intune\SSP.xap
    (xXxXxXxXx is the password you used for the exported certificate)

This will sign the Company Portal App with your code signing certificate ready for import into Intune/ConfigMgr.

If you want to double-check the app has been signed, rename the .xap extension to .zip and extract one of the .dll files to the C:\Intune folder.  Open the properties of the file by right-clicking it and choosing Properties, then Digital Signatures.  You can keep checking deeper by choosing the relevant Details options for the certificate.
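The same two checks done from PowerShell, as an added example that is not part of the original post: that the exported PFX really does carry the whole chain (the N.B. in Step 1), and that the assemblies inside the signed XAP verify with the certificate you exported. The file paths follow the post; the extraction directory is a placeholder. Get-AuthenticodeSignature reports Valid only when the Symantec root and intermediate imported in Step 1 are present on the machine running the script.

```powershell
# Added example (not part of the original post): confirm the exported PFX carries the
# whole certificate chain and that the signed Company Portal XAP's assemblies verify.
# Assumptions: paths follow the post (C:\Intune\Certificate.pfx, C:\Intune\SSP.xap);
# the extraction directory is a placeholder.
param(
    [string]$PfxPath = 'C:\Intune\Certificate.pfx',
    [string]$XapPath = 'C:\Intune\SSP.xap',
    [string]$WorkDir = (Join-Path $env:TEMP 'xapverify')   # placeholder extraction dir
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-PfxChainReport {
    param([string]$Path, [System.Security.SecureString]$Password)
    # Expose the password in clear only for the duration of the import.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
        $certs.Import($Path, $plain,
            [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    $leaf = $certs | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
    if (-not $leaf) { throw 'The PFX contains no certificate with a private key; re-export with the key.' }
    $eku = $leaf.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    # 1.3.6.1.5.5.7.3.3 is the Code Signing enhanced key usage.
    $codeSigning = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })
    [pscustomobject]@{
        CertificatesInPfx = $certs.Count
        LeafSubject       = $leaf.Subject
        LeafThumbprint    = $leaf.Thumbprint
        LeafIsCodeSigning = $codeSigning
        # Leaf + intermediate + root is what "include all certificates in the chain" produces.
        FullChainPresent  = ($certs.Count -ge 3)
        ChainSubjects     = @($certs | ForEach-Object { $_.Subject })
    }
}

function Test-XapSignatures {
    param([string]$Xap, [string]$Dir, [string]$ExpectedThumbprint)
    if (Test-Path -Path $Dir) { Remove-Item -Path $Dir -Recurse -Force }
    # A .xap is a zip container; extract it directly rather than renaming it.
    [System.IO.Compression.ZipFile]::ExtractToDirectory($Xap, $Dir)
    Get-ChildItem -Path $Dir -Recurse -Filter *.dll | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File                   = $_.Name
            Status                 = $sig.Status     # Valid, NotSigned, NotTrusted, HashMismatch ...
            Signer                 = $sig.SignerCertificate.Subject
            SignedWithExportedCert = ($sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint)
        }
    }
}

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$pfx = Get-PfxChainReport -Path $PfxPath -Password $pfxPassword
$pfx | Format-List
if (-not $pfx.FullChainPresent) {
    Write-Warning 'PFX does not contain the full chain; re-export with "Include all certificates in the certification path".'
}
Test-XapSignatures -Xap $XapPath -Dir $WorkDir -ExpectedThumbprint $pfx.LeafThumbprint | Format-Table -AutoSize
```

The PFX password is prompted for rather than passed on the command line, so it does not end up in the console history the way the XapSignTool /p switch above leaves it. A Status of NotTrusted on every DLL with SignedWithExportedCert true means the signature is fine and it is the root/intermediate import that was missed.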


Uploading the Windows Phone 8 Company Portal


At this point I've split the instructions into the steps for both direct management from Intune (Step 3a) and management from ConfigMgr SP1 with Intune (Step 3b).  Choose the relevant step for your management method.

Step 3a – Uploading the signed Company Portal to Windows Intune


Login to the Admin Console here: https://admin.manage.microsoft.com

Navigate in the console to Administration > Mobile Device Management > Windows Phone 8

Click the Upload Signed App File button


Follow the wizard through, specifying the signed xap file and certificate used from the previous steps.


At this point it’s worth waiting about 15 minutes before attempting to enrol a Windows Phone 8 device.

Step 3b – Uploading the signed Company Portal to Configuration Manager

  1. Navigate in the ConfigMgr console to Software Library>Overview>Application Management>Applications
  2. Click on the Create Application button on the ribbon
  3. Drop the selection list down and choose Windows Phone app package (*.xap file)
  4. Click Browse and navigate to the company portal xap file you signed earlier
  5. Step through the wizard to complete creating the application
  6. Deploy the application to the collection of users you are allowing to enrol mobile devices but ensure you choose the Intune cloud distribution point (manage.microsoft.com) during the wizard
  7. Navigate in the ConfigMgr console to Administration>Hierarchy Configuration>Windows Intune Subscriptions
  8. Click on the Windows Intune Subscription that you setup previously
  9. Click on Properties on the ribbon bar
  10. On the Windows Intune Subscription Properties screen that opens Click the Windows Phone 8 tab
  11. Tick the check box next to Enable Windows Phone 8 platform
  12. Click Browse next to the Code signing certificate box, navigate to your code-signing certificate and Click OK
  13. Enter the password for the certificate
  14. Click Browse next to the Company portal app box, select your company app from the list and Click OK


Sunday, 27 January 2013

System Center 2012 Configuration Manager SP1 and Windows Intune - Configuring Windows RT Management

This is a post in a series of posts on Windows Intune and the new integration capabilities found in System Center 2012 SP1 Configuration Manager.  The other posts can be found here.

System Center 2012 SP1 Configuration Manager when linked with an Intune subscription has the ability to manage Windows RT devices such as the Microsoft Surface or Asus Vivo Tab RT.

First up Windows RT Management/Enrolment requires enabling within ConfigMgr.

  1. Navigate in the ConfigMgr console to Administration>Hierarchy Configuration>Windows Intune Subscriptions
  2. Click on the Windows Intune Subscription that you setup previously
  3. Click on Properties on the ribbon bar
  4. On the Windows Intune Subscription Properties screen that opens Click the Windows RT tab
  5. Tick the check box next to Enable Windows RT platform
  6. Leave the Code signing certificate bit for now and Click OK


N.B. These next steps assume you've followed the previous guides and have setup the required accounts in Intune using DirSync and have the Intune Subscription in ConfigMgr pointed at a collection containing the users that are allowed to enrol devices.

Next we need to enrol the Windows RT device and download the "Company Portal".

  • On your Windows RT device (Surface RT in my case) navigate back to the Start Screen
  • On the Start Screen start typing Company App and then click on Settings

  • Click/Tap on Company Applications and accept the UAC elevation box that pops up
  • Enter your e-mail address and password for the account you synchronised to Intune
    (N.B. If you haven't setup ADFS then remember this will be a unique password for the Intune service.  You may need to go into the Intune account management portal and reset the password if you haven't already)
  • Click OK
  • If you haven't setup a DNS CNAME on your domain for enterpriseenrollment with the alias pointing to enterpriseenrollment-s.manage.microsoft.com you will be presented with a screen asking you to Try Again or Enter more information.

  • You could either:
  • I had to do the second option in my lab as my hosting provider for my domain moaned that the DNS alias was too long...
  • Click OK and wait while the device is registered with Intune/ConfigMgr
  • Once that's complete you'll be shown a screen informing you that before you can access company applications and resources that you will need to install a management application, a.k.a the Company Portal
  • Click the link shown on the screen to open Internet Explorer to show the Company Portal App Store information
  • Click the View in Windows Store button and when the Windows Store opens, Click Install
  • Once the app downloads and installs it should appear on the far right-hand side of the Start Screen; move the Company Portal to whichever position best suits you
  • Click/Tap the Company Portal app to open it
  • You'll then be asked to Sign in again.  Use the credentials you used to enrol the Windows RT device

  • Once signed into the application you should then see your company name that you specified in the properties of the Intune Subscription in the ConfigMgr console, any devices you have enrolled and any applications that have recently been made available to you.
  • Click/Tap on New Apps to see which applications have been recently made available to you, or All Apps to just show everything.
  • Click/Tap on the app you would like to install
  • In my example, the application is a link to an application within the Windows store rather than a LoB app that I have the .appx file for so I have a link to View in the Windows Store

  • Click/Tap on the View in Windows Store link and then click/tap Buy or Try

Following this guide will allow you to register a device with Intune/ConfigMgr, ready for deploying applications to it and setting policies, which will be explained in more detail in another blog post.



Two further settings can also be set up for the management of Windows RT devices, if you require the ability to push out Line of Business apps that don't exist in the Windows Store.

To do this you must supply an Enterprise Sideloading key, which can be obtained from your Microsoft Volume Licensing Service Center portal or if you require another key, from your Licensing LAR.
  • Once you have your key, navigate in the ConfigMgr console to Software Library>Windows RT Sideloading Keys
  • Click on Create Sideloading Key
  • Fill out the information in the Specify Sideloading Key window

If your applications are only signed with an internal PKI certificate and not one that is publicly trusted, then you will also need to add your certificate to Intune/ConfigMgr so that the certificate you sign apps with is trusted.
  • Navigate in the ConfigMgr console to Administration>Windows Intune Subscriptions
  • Click on the Windows Intune Subscription that you setup previously
  • Click on Properties on the ribbon bar
  • On the Windows Intune Subscription Properties screen that opens Click the Windows RT tab
  • Click Browse and navigate to your certificate, select it and Click OK
  • Click OK

Saturday, 12 January 2013

System Center 2012 Configuration Manager SP1 and Windows Intune - Configuring and Installing Active Directory Synchronisation (DirSync)

This is a post in a series of posts on Windows Intune and the new integration capabilities found in System Center 2012 SP1 Configuration Manager.  The other posts can be found here.


This post will explain how to setup the DirSync tool that will synchronise your internal AD accounts across to the Windows Azure AD platform for usage by Intune and other online services such as Office 365.  It's important to note that if you already have this setup for an O365 subscription you don't need to do this again just for Intune and vice versa for a new O365 if you already have Intune.

As a bit of background, you may want to read this link to see just what a Windows Azure AD tenant is:
http://technet.microsoft.com/en-us/library/jj573650.aspx

This link will give you some idea of what preparing for AD Sync involves:
http://technet.microsoft.com/en-us/library/hh967642.aspx

This link will allow you to download the DirSync Prep Tool which will perform a series of checks across your domain to find any potential problems.
http://technet.microsoft.com/en-us/library/jj151831.aspx

  • Running the Prep Tool will start the analysis for Office 365, but 99% of the rules apply to Intune in terms of Directory Synchronisation.
  • When it's complete, review the report and correct anything that might cause a problem.



  • Once you're happy that you're ready to go, log in to the Intune account portal at https://account.manage.microsoft.com and click on the Users link on the left under the Management grouping.
  • Look for the Active Directory synchronisation wording above the users and Click Setup
  • A 6 step guide page will open, Click the Activate button at step 3
  • On step 4, Choose the relevant OS platform, in this example I've chosen 64 bit as I'm installing it on Windows Server 2012
  • Click Download to get the DirSync tool 
  • Back on the main users page, the Setup link next to the Active Directory synchronisation text should now say Deactivate. If not it may still be setting up in the background.
  • To allow your users to log on to the Company Portal later on, they will need an account that matches the User Principal Name (UPN) of the accounts that ConfigMgr knows about.

    This requires you to add a domain to the Intune portal and then verify it to ensure that you do indeed own the domain name.
  • Click on the Domains link under the Management heading on the left hand side of the account management portal
  • Click Add a domain
 
  • Enter the name of your domain and Click Next
 
  • You'll then be presented with some methods of verifying your domain, usually by adding a TXT entry to the DNS records or by changing your MX record. 
  • Walk through the instructions to complete this and when ready click verify next to your domain name back on the Domain page

  • All things being good, you should then see your domain as verified.
 
  • However, sometimes things don't go smoothly.  Certain domain registrars such as 1&1 don't accept the MX record method as it's not a registered TLD.  They also don't allow you to add TXT records to your DNS.

    Thankfully Todd Douglas across on the O365 forums posted an alternative method.
  • Using this method you basically create a subdomain within the 1&1 control panel, using the ID ringed in the screenshot as the subdomain name.  You then add to this subdomain a CNAME that points to ps.microsoftonline.com, and when done you can verify your domain fine.

  • Once your domain is verified, it's time to install the DirSync tool.
  • This tool has some specific requirements for the account running it.
    • The account installing it must be a local admin on the server (obviously)
    • The account installing it must be in the Enterprise Admins group.

      The Enterprise Admins group membership is temporary only and is just used during setup to create a service account in AD to be used by the sync tool going forwards to read AD.
  • Another thing to watch out for: even if the account you are logged onto the server with has local admin rights, you may be told by the installer that it doesn't.  This is because you must right-click the installer and choose Run as administrator.
 
 
  • Step through the installer, there's nothing really in the way of configuration options to worry about.
 

  • When the installer completes, either leave the option to Start Configuration Wizard now ticked or untick it and then find the Configuration Wizard on your Start Screen/Menu
 
  • Review the Welcome screen and then Click Next. 
  • Supply the credentials for an account in Intune that has permissions to create accounts.
    N.B. I would advise manually creating a dedicated account for this in the Intune accounts management portal.  Don't be tempted to use your account or the one created when you first setup the service.
 
  • If at this point you get a Configuration error message, check in the account management portal that AD Synchronisation has finished setting up and then retry. 

  • Supply the credentials for the account in your AD that has admin rights.  The documentation says it needs Enterprise admins rights, but you might get away with just domain admin rights.

  • This step allows you to start setting up an Exchange hybrid deployment.  I'm only interested in getting Intune working at the moment, so I'll skip this bit.
  • Configuration doesn't take long, Click Next when it completes. 
  • Leave the option to Synchronise directories now ticked (unless you're aware of the advanced PowerShell options to scope the synchronisations down) and Click Next 

  • A message box will pop up with a link to some online information regarding verifying the sync is working. Click OK. 
 
 
  • To quickly check if the Sync Tool is working, browse in explorer to: C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell
  • Find the miisclient.exe file and right click and Run as Administrator 
  • This will open a console (look familiar?) and you can easily check the status of the sync. 

  • After a little while, depending on the size of your AD, spec of the sync server and speed of your Internet connection, you should see some accounts start to appear. 


  • That should complete the setup of users within Intune.  Which users are allowed to enrol mobile devices is controlled within ConfigMgr by the properties of the Intune Subscription and selecting a collection.



Troubleshooting a lab environment scenario

One of the first problems I ran into when setting this up in a lab environment that I hadn't hit elsewhere, was the fact that my internal domain name didn't relate to anything externally verifiable.

So while I do own an external domain name, my lab is using trustlab.local as its domain name, which bears no relevance to my external name. This also meant my user accounts' User Principal Names (UPNs) didn't match the accounts created in Windows Azure AD.

This meant that after setting up my Subscription and the DirSync, none of my test users could access the company portal on a mobile device (https://m.manage.microsoft.com), just getting a message that an error had occurred.

Checking the cloudusersync.log file in the ConfigMgr logs directory showed this:

That's because the UPNs for those accounts don't match the accounts within Intune.

Consider the account for Mark.Harrison
  • Without a verified domain in Intune, the DirSync tool will create this as mark.harrison@trustmarque.onmicrosoft.com
  • With a verified domain in Intune, but no matching UPN, the DirSync tool will do the same as above.
The only way around this is to have added an additional UPN suffix to the forest/domain and then changed those accounts to use the new UPN BEFORE you set up the DirSync tool.

This would then create the account as mark.harrison@mycorrectdomainname.com

If you've already set up the sync tool, then you won't be able to delete the account from Intune; you will either need to deactivate the AD sync, manually remove the accounts from Intune and then re-activate the sync, or delete the account in AD, let it sync and be removed, then re-add the account with the matching UPN.

In short, your domain UPN MUST match a verified domain that has been added to Intune.
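The pre-DirSync fix described above, as an added example that is not part of the original post: add the verified domain as a UPN suffix on the forest, list the users whose UPN suffix does not match it, and (only with -Fix) move them to it, so that mark.harrison ends up as mark.harrison@mycorrectdomainname.com before the sync tool ever runs. It assumes the ActiveDirectory module (RSAT) is installed, that the new UPN prefix is the account's SamAccountName, and that the OU path is a placeholder for your own; mycorrectdomainname.com is the post's placeholder domain.

```powershell
# Added example (not part of the original post): find AD users whose UPN suffix does not
# match the domain verified in Intune and, with -Fix, move them to it before DirSync runs.
# Assumptions: the ActiveDirectory module is installed; mycorrectdomainname.com and the
# OU path are placeholders modelled on the post; the new UPN prefix is the SamAccountName.
param(
    [string]$VerifiedDomain = 'mycorrectdomainname.com',            # placeholder (post's example)
    [string]$SearchBase     = 'OU=Lab Users,DC=trustlab,DC=local',  # placeholder OU
    [switch]$Fix
)
Import-Module ActiveDirectory

function Add-ForestUpnSuffix {
    # Adds the verified domain as an alternative UPN suffix if the forest lacks it.
    # Needs Enterprise Admin rights, the same temporary membership the DirSync install needs.
    param([string]$Suffix)
    $forest = Get-ADForest
    if ($forest.UPNSuffixes -notcontains $Suffix) {
        Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $Suffix }
        return $true
    }
    return $false
}

function Get-UpnMismatch {
    # Returns users under $Base whose current UPN suffix is not the verified domain.
    param([string]$Suffix, [string]$Base)
    Get-ADUser -Filter * -SearchBase $Base -Properties UserPrincipalName |
        Where-Object { ("$($_.UserPrincipalName)" -split '@')[-1] -ne $Suffix } |
        Select-Object SamAccountName, UserPrincipalName,
            @{ Name = 'ProposedUpn'; Expression = { '{0}@{1}' -f $_.SamAccountName, $Suffix } }
}

function Set-UpnToVerifiedDomain {
    # Dry run by default; -Apply actually rewrites the UPN.
    param([object[]]$Users, [switch]$Apply)
    foreach ($u in $Users) {
        if ($Apply) {
            Set-ADUser -Identity $u.SamAccountName -UserPrincipalName $u.ProposedUpn
            $action = 'changed'
        } else {
            $action = 'would change (run with -Fix)'
        }
        [pscustomobject]@{
            User   = $u.SamAccountName
            From   = $u.UserPrincipalName
            To     = $u.ProposedUpn
            Action = $action
        }
    }
}

if (Add-ForestUpnSuffix -Suffix $VerifiedDomain) { "Added UPN suffix $VerifiedDomain to the forest" }
$mismatched = @(Get-UpnMismatch -Suffix $VerifiedDomain -Base $SearchBase)
if ($mismatched.Count -eq 0) {
    "All UPNs under $SearchBase already use $VerifiedDomain"
    return
}
Set-UpnToVerifiedDomain -Users $mismatched -Apply:$Fix | Format-Table -AutoSize
```

Run it once without -Fix to review the From/To list, then with -Fix. Users who sign in with the UPN form of their name will need to use the new suffix afterwards, and anything else keyed on the old UPN (certificate mappings, application identities) should be checked before the change is applied.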



Thanks must also go to Craig Morris at Microsoft for confirming my thought process on the UPN mismatch issue on this one.  Keep an eye out for some blog posts from him also coming soon on this subject.