
Wednesday, 28 August 2013

System Center 2012 Configuration Manager SP1 and Windows Intune - Configuring the Exchange Connector

This is a post in a series of posts on Windows Intune and the new integration capabilities found in System Center 2012 SP1 Configuration Manager.  The other posts can be found here.

This post will show you how to establish a connection between Configuration Manager and your E-Mail Service.

For this example I’ve actually chosen to connect ConfigMgr into my Office 365 account as I made the decision not to have local infrastructure where possible in the lab.

Why would you want to connect ConfigMgr to your Exchange/Office 365 environment?  While iOS and Windows Phone use direct MDM management, Android has no native MDM capability for controlling settings (that is, until Intune Wave F is available later this year), but it does allow configuration via ActiveSync policies.

  • From within the ConfigMgr admin console, navigate to the Administration node | Expand Hierarchy Configuration | Click on Exchange Server Connectors
  • Click on Add Exchange Server on the Ribbon
  • Either choose On-premise Exchange Server or Hosted Exchange Server and supply the information of where to connect to.
    For an on-premise exchange this can be either the FQDN of the Exchange server or a URL to the PowerShell component.
    For Office365 (Hosted Exchange Server) use this URL - https://ps.outlook.com/PowerShell-LiveID
  • Click Next
  • On the Account section either select an existing account if you have one setup already with the relevant permissions, or create a new one.  Take a note of the PowerShell cmdlets the account is required to be able to run.

    The following Exchange Server management roles include these cmdlets: Recipient Management; View-Only Organization Management; and Server Management.

    If you try to install or use the Exchange Server connector without the required cmdlets, you will see an error logged with the message Invoking cmdlet <cmdlet> failed in the EasDisc.log log file on the site server computer.

    There is a script available on the TechNet Gallery by Stephan Schwarz that will help with granting these permissions - http://gallery.technet.microsoft.com/office/Configure-Exchange-cmdlet-c4f2affd
  • Click Next
  • Choose a schedule for how often you would like synchronisation to occur; as with everything, be mindful of the extra load you may place on both your site server and Exchange.
  • Choose to ignore inactive devices based on how long they have been inactive if you wish
  • If you’ve chosen an on-premise Exchange connection you can filter the discovery down further; if, like me, you’ve chosen Office 365 hosted Exchange then you cannot.
  • Click Next
  • On the Settings tab, you can choose at this point to either leave the policies that are applied to the mobile devices to be assigned by Exchange, or choose the Edit button for a relevant group of settings and modify the policy.

    Be aware that the settings applied through ConfigMgr will take precedence over the Exchange ActiveSync policies.
  • Click Next
  • Review the Exchange connector settings in the Summary tab and click Next
  • The connector should complete successfully and show the result.  Review and then click Next
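The account step above asks you to note the cmdlets the connector account must be able to run and points at EasDisc.log for failures. The script below is an added example, not part of the original post or of the ConfigMgr product, that checks the connector account's membership of the three role groups named above (plus a least-privilege check that it is not in Organization Management) over Exchange remote PowerShell, and then scans EasDisc.log for the "Invoking cmdlet ... failed" message. It assumes a hosted Exchange/Office 365 endpoint (the URL given above); $ConnectorUser is a placeholder for the connector account's SMTP address and $LogPath assumes the default ConfigMgr log directory on the site server.

```powershell
# Added example (not part of the original post): check the least-privilege fit of the
# account the Exchange Server connector runs as, then scan EasDisc.log for the
# "Invoking cmdlet <cmdlet> failed" message described above.
# Assumptions: hosted Exchange / Office 365 (endpoint is the URL given above);
# $ConnectorUser is a placeholder for the connector account's SMTP address;
# $LogPath assumes the default ConfigMgr log directory on the site server.
param(
    [Parameter(Mandatory)][string] $ConnectorUser,
    [string] $ConnectionUri = 'https://ps.outlook.com/PowerShell-LiveID',
    [string] $LogPath = 'C:\Program Files\Microsoft Configuration Manager\Logs\EasDisc.log'
)

# Role groups named in the post. 'Server Management' exists on-premises only, so a
# missing group is reported rather than treated as an error.
$requiredGroups = 'Recipient Management', 'View-Only Organization Management', 'Server Management'

$cred = Get-Credential -Message 'Exchange administrator (used only to read role-group membership)'
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ConnectionUri `
                         -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking -CommandName Get-RoleGroup, Get-RoleGroupMember | Out-Null

function Test-GroupMembership {
    param([string] $Group, [string] $User)
    if (-not (Get-RoleGroup -Identity $Group -ErrorAction SilentlyContinue)) {
        Write-Warning "Role group '$Group' not found in this organisation"
        return $null
    }
    $members = Get-RoleGroupMember -Identity $Group
    # Match on either the primary SMTP address or the account name
    [bool] ($members | Where-Object { "$($_.PrimarySmtpAddress)" -ieq $User -or $_.Name -ieq $User })
}

try {
    foreach ($g in $requiredGroups) {
        $isMember = Test-GroupMembership -Group $g -User $ConnectorUser
        if ($null -ne $isMember) { "{0,-40} member: {1}" -f $g, $isMember }
    }
    # Least privilege: the connector has no need of Organization Management.
    if (Test-GroupMembership -Group 'Organization Management' -User $ConnectorUser) {
        Write-Warning "$ConnectorUser is in Organization Management; remove it and rely on the role groups above"
    }
} finally {
    Remove-PSSession $session
}

# Failed cmdlet invocations logged by the connector (the log lives on the site server).
if (Test-Path $LogPath) {
    $failures = Select-String -Path $LogPath -Pattern 'Invoking cmdlet .* failed'
    if ($failures) { $failures | ForEach-Object { $_.Line } }
    else { "No failed cmdlet invocations found in $LogPath" }
} else {
    Write-Warning "$LogPath not found; run this on the site server to check the connector log"
}
```

Run it from the site server so that both the role-group check and the log scan can complete; a warning for Server Management is expected against Office 365, where that role group does not exist.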

Tuesday, 11 June 2013

Intune common logon without ADFS (Aka Password "sync")

Recently Microsoft released a new version of its DirSync tool that enables organisations to synchronise their Active Directory (AD) user accounts into the Azure Directory Services used by Intune, Office 365, CRM etc.

This has previously only enabled organisations to reduce the administrative burden of having to recreate all of their accounts for those users they wanted to access online services, but they then had to either issue separate passwords or implement Active Directory Federation Services (ADFS) to offer a truly seamless single sign-on experience for the users.

With this latest release, Microsoft has introduced the ability to also push passwords up into the Azure DS.  Notice the push aspect: this is not a true synchronisation, as the password cannot be changed in the cloud and replicated back into your AD.

While I wouldn't class this as true Single Sign-on (SSO), as you're still effectively authenticating against a different directory service, it's still a great option for Microsoft to have added, giving great flexibility for those organisations that want to take the first steps or who can't/don't know how to deploy ADFS.

Nothing has majorly changed during the install (New Azure logo and Install Directory), so rather than re-inventing the wheel, check out the post link below that I did for installing DirSync. I've then run through the differences in the new version below the other post link.

http://systemscentre.blogspot.co.uk/2013/01/system-center-2012-configuration_12.html

The first thing to note is that you cannot "upgrade" the client as you will be presented with a dialog blocking you from continuing if an older version is installed, so remove the old version first.


The main installation/configuration screen change is this one, which provides the option to push your passwords up along with your users.


Tick the option box to Enable Password Sync and that's it done!

The user account sync element still runs on a 3 hour schedule, but passwords are set to sync within minutes of a change in your local AD.

Intune users can find the new version of DirSync at this link (Requires sign on with an Intune Admin Account):
https://account.manage.microsoft.com/DirSync/DirectorySynchronization.aspx

The TechNet Library article on Implementing Password Sync can be found here:
http://technet.microsoft.com/en-us/library/dn246918.aspx

Friday, 31 May 2013

Testing Windows Phone 8 with System Center 2012 Configuration Manager and Windows Intune

On 30/05/2013 Microsoft released a package that allows administrators to test Windows Phone 8 management via System Center 2012 Configuration Manager (ConfigMgr) and Windows Intune.

Previously the only way to test this feature was to purchase a Windows Phone Dev certificate which involved signing up as a developer at $99 and then purchasing a Symantec certificate at a further $299.

Now you can download this package from Microsoft which includes a pre-signed Company Portal, a script to set the relevant settings in ConfigMgr with a temporary token and also a couple of sample applications.

You can download the package here: http://www.microsoft.com/en-us/download/details.aspx?id=39079

After downloading the MSI, run through the install which basically just extracts the files to a folder.  By default this is - C:\Program Files (x86)\Microsoft\Support Tool for Windows Intune Trial management of Windows Phone 8.






Create an Intune subscription in the System Center 2012 Configuration Manager SP1 console and leave WP8 disabled


Copy the SSP.XAP from the package extraction directory to a UNC available path.
 
Create an Application within the Configuration Manager console and deploy this application to cloud DP (manage.microsoft.com) targeting cloud managed users
 
 
Watch out for the default name of the application and ensure you rename it to something a bit more friendly. 



Run through the deploy wizard and select manage.microsoft.com as the distribution point
 


To enable management of WP8 devices open a command prompt and run the script ConfigureWP8Settings_Field.vbs (found in the package extraction directory) in query mode to get the Company Portal name:

cscript ConfigureWP8Settings_Field.vbs <server> QuerySSPModelName
 
Replace <server> with the server name of the top-level site (standalone site or CAS).
The result looks something like this "ScopeId_3C63FB50-0302-48CE-B076-5F93020AC548/Application_42291d36-6ffc-4d18-be78-9efdace3eef5".
 
 
This output will be used in the next step.

Run the script ConfigureWP8Settings_Field.vbs in save mode this time with the SSP name result.
This will populate the necessary certificate information to enable Windows Phone 8 device management.

cscript ConfigureWP8Settings_Field.vbs <server> SaveSettings <Company Portal name>
where <Company Portal name> is the output from the earlier step.
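The two cscript calls above are easy to chain by hand, but the value returned by QuerySSPModelName is pasted straight into SaveSettings, so it is worth validating it first. The wrapper below is an added example, not part of the Microsoft package or the original post: it runs query mode, accepts the output only if it has the ScopeId_<GUID>/Application_<GUID> shape shown above, and then runs save mode with that value. It assumes you run it from the package extraction directory; $SiteServer is a placeholder for your top-level site server.

```powershell
# Added example (not from the Microsoft package or the original post): run the
# QuerySSPModelName and SaveSettings modes of the package script in sequence,
# validating the Company Portal model name in between.
# Assumption: current directory is the package extraction directory;
# $SiteServer is a placeholder for the top-level site server (standalone site or CAS).
param([Parameter(Mandatory)][string] $SiteServer)

$script = 'ConfigureWP8Settings_Field.vbs'
if (-not (Test-Path $script)) {
    throw "Run this from the package extraction directory containing $script"
}

# Step 1: query mode. //nologo suppresses the cscript banner so only script output is captured.
$output = & cscript.exe //nologo $script $SiteServer QuerySSPModelName 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "QuerySSPModelName failed (exit code $LASTEXITCODE):`n$output"
}

# Accept only a value of the form ScopeId_<GUID>/Application_<GUID>, as in the sample above.
$guid    = '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
$pattern = "ScopeId_$guid/Application_$guid"
$match   = $output | Select-String -Pattern $pattern | Select-Object -First 1
if (-not $match) {
    throw "No Company Portal model name found in the script output:`n$output"
}
$modelName = $match.Matches[0].Value
Write-Host "Company Portal model name: $modelName"

# Step 2: save mode, passing back the validated name.
& cscript.exe //nologo $script $SiteServer SaveSettings $modelName
if ($LASTEXITCODE -ne 0) {
    throw "SaveSettings failed (exit code $LASTEXITCODE)"
}
Write-Host "WP8 settings saved; verify on the WP8 tab of the Intune subscription properties."
```

The exit-code checks matter because cscript prints its own errors to the console and carries on; without them a failed query would silently feed an empty value into SaveSettings.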



After completion of the steps above, verify that WP8 device management is enabled by checking the ConfigMgr console by going to the Intune subscription properties, WP8 tab.
WP8 should be enabled, certificate should be present, and company portal app should be populated with the name you gave the Company Portal app when you set it up.



Assuming you have users synced up to the Intune/Azure directory and the UPNs match the accounts known by ConfigMgr, you should now be able to enrol users on their Windows Phone 8 devices.

Also included in this new package are some sample apps so that you can import something straight away for testing!

Monday, 4 March 2013

Windows Phone 8 Company Portal 2.0

The Company Portal app for Windows Phone 8 has been updated to version 2.0 due to the problems found when using it with certain other languages.

The new v2.0 download can be found here:
http://www.microsoft.com/en-us/download/details.aspx?id=36060

According to MS Support the easiest way to get this out to devices will be:

If you are using this inside of System Center 2012 Configuration Manager you will need to turn off the Windows Phone Setting in the Windows Intune Connector, delete your existing SSP Package, Sign the XAP, Create a new SSP Package and redeploy, then add the setting for Windows Phone in the Windows Intune Connector. 
 
If you are using this inside of Windows Intune then you will need to sign the XAP, Upload the Package to Windows Intune, and then delete the old package as you cannot delete the old SSP until the new one is uploaded currently.

Saturday, 16 February 2013

System Center 2012 Configuration Manager SP1 and Windows Intune - Configuring Windows Phone 8 Management

This is a post in a series of posts on Windows Intune and the new integration capabilities found in System Center 2012 SP1 Configuration Manager.  The other posts can be found here.

This post was slightly delayed due to an issue with the app display name.  More info can be found here and worth checking if your Windows Phone 8 is running English[UK] or European Portuguese.

Preparing the Windows Intune – Windows Phone 8 Company Portal

Step 1 – Obtain the code signing certificate


Go to the Windows Phone Dev Center (https://dev.windowsphone.com/en-us), sign in using a Windows Live ID and register for an account.
The process will then begin with Symantec and Microsoft to verify your company details.  This may take between 2 – 10 days.



Once approved, and only once approved, make a note of your Symantec Id on the Account summary of the Dev Center and then go to this site to request and pay for your certificate: https://products.websecurity.symantec.com/orders/enrollment/microsoftCert.do

Symantec will send an e-mail with a URL to retrieve your new certificate and 2 URLs to install the root certificates in the chain.

Open a new MMC window (Windows Key + Run -> mmc), from the file menu choose Add/Remove Snapin, select Certificates and then choose Computer account.  Click Next, Finish and then OK.


Use this URL to download and save the Symantec Root CA Cert: https://knowledge.verisign.com/library/VERISIGN/ALL_OTHER/Symantec_Enterprise_Mobile_Root_for_Microsoft.cer

Use the open MMC console to import this certificate into the Trusted Root Certification Authorities store by expanding the nodes then right clicking, choosing All Tasks then Import.


Use this URL to download and save the Symantec Intermediate CA Cert: https://knowledge.verisign.com/library/VERISIGN/ALL_OTHER/Symantec_Enterprise_Mobile_CA_for_Microsoft_Cert.cer

Use the open MMC console to import this certificate into the Intermediate Certification Authorities store by expanding the nodes then right clicking, choosing All Tasks then Import.


Once this has been completed, use the Symantec supplied URL to retrieve your code signing certificate.  This should install the certificate into the Personal store of the currently logged on user.

Close the mmc window if still open and then reopen a new mmc console, use the Add/Remove snapins option and select Certificates, but this time choose “My user account”.


Navigate to the Personal > Certificates node, select the newly imported code signing certificate, right click on it, and choose All Tasks then Export.


Step through the wizard choosing to export the Private Key and to include all certificates in the chain and save the certificate to C:\Intune.

N.B. It is important that you select the option to include all certificates in the chain otherwise later the Company Portal app will fail to download to your device.

Step 2 – Signing the Portal App


To sign Windows Phone 8 applications you will need the Windows Phone 8 SDK installed.
This SDK also requires Windows 8 as the Operating System.

Download the SDK from here:
https://dev.windowsphone.com/en-us/downloadsdk

Once the SDK is installed, navigate to C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\XapSignTool and copy the contents to the C:\Intune folder created earlier.

Navigate to C:\Program Files (x86)\Windows Kits\8.0\bin\x86 and copy signtool.exe to the C:\Intune folder

At the Start Screen (Windows 8) search for VS2012 x86 to find the Native Tools command prompt and run it As an Administrator


In the command prompt type:
  • CD\
  • CD Intune
  • XapSignTool.exe sign /f C:\Intune\Certificate.pfx /p xXxXxXxXx C:\Intune\SSP.xap
    (xXxXxXxXx is the password you used for the exported certificate)

This will sign the Company Portal App with your code signing certificate ready for import into Intune/ConfigMgr.

If you want to double check the app has been signed, rename the extension to .zip again and extract one of the .dll files to the C:\Intune folder.  Open the properties of the file by right clicking it and choosing properties, then Digital Signatures.  You can keep checking deeper by choosing the relevant details options for the certificate.
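Two of the points above are easy to get wrong and only show up later on the device: the N.B. in Step 1 that the exported PFX must include the whole chain, and the manual rename-to-zip check of the signed app. The script below is an added example, not part of the original post or of the Windows Phone SDK, that automates both checks: it loads the PFX and counts the certificates in it, and it reads the DLLs out of the signed SSP.xap (a XAP is a ZIP container) and inspects their Authenticode signatures with Get-AuthenticodeSignature. It assumes the C:\Intune layout used above and prompts for the PFX password.

```powershell
# Added example (not from the original post or the Windows Phone SDK).
# 1. Test-PfxChain: confirm the PFX exported in Step 1 contains leaf + intermediate + root,
#    since a leaf-only PFX makes the Company Portal fail to download (see the N.B. above).
# 2. Test-XapSignature: extract each DLL from the signed XAP (a ZIP container) and check
#    its Authenticode signature, the scripted form of the manual check described above.
# Assumptions: files live under C:\Intune as in the guide; the CA certificates were
# imported into the machine stores as described in Step 1, so chains can be validated.

function Test-PfxChain {
    param([Parameter(Mandatory)][string] $PfxPath,
          [Parameter(Mandatory)][string] $Password)
    $coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $coll.Import($PfxPath, $Password,
        [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
    $leaf = $coll | Where-Object { $_.HasPrivateKey }
    "PFX contains $($coll.Count) certificate(s); signing certificate: $($leaf.Subject)"
    $coll | Where-Object { -not $_.HasPrivateKey } | ForEach-Object { "  chain: $($_.Subject)" }
    if ($coll.Count -lt 3) {
        Write-Warning "Expected leaf, intermediate and root; re-export with 'Include all certificates in the certification path'"
        return $false
    }
    return $true
}

function Test-XapSignature {
    param([Parameter(Mandatory)][string] $XapPath,
          [string] $WorkDir = 'C:\Intune\sigcheck')
    Add-Type -AssemblyName System.IO.Compression.FileSystem   # .NET 4.5, present on Windows 8
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $zip = [System.IO.Compression.ZipFile]::OpenRead($XapPath)
    try {
        $dlls = $zip.Entries | Where-Object { $_.FullName -like '*.dll' }
        if (-not $dlls) { throw "No .dll entries found in $XapPath" }
        $results = foreach ($entry in $dlls) {
            $target = Join-Path $WorkDir $entry.Name
            [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $target, $true)
            $sig = Get-AuthenticodeSignature -FilePath $target
            [pscustomobject]@{
                File   = $entry.Name
                Status = $sig.Status          # 'Valid' only if signed and the chain is trusted here
                Signer = $sig.SignerCertificate.Subject
            }
        }
    } finally {
        $zip.Dispose()
    }
    $results | Format-Table -AutoSize | Out-String | Write-Host
    $bad = $results | Where-Object { $_.Status -ne 'Valid' }
    if ($bad) { Write-Warning "$(@($bad).Count) DLL(s) are unsigned or chain to an untrusted root" }
    return -not $bad
}

# Usage against the paths used in the guide
$pfxPassword = Read-Host -Prompt 'Password of the exported PFX'
$chainOk = Test-PfxChain     -PfxPath 'C:\Intune\Certificate.pfx' -Password $pfxPassword
$sigOk   = Test-XapSignature -XapPath 'C:\Intune\SSP.xap'
"Chain complete: $chainOk; all DLLs validly signed: $sigOk"
```

A Status of NotSigned means XapSignTool did not touch that DLL; UnknownError with a populated Signer usually means the Symantec root or intermediate was not imported into the machine store in Step 1.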


Uploading the Windows Phone 8 Company Portal


At this point I've split the instructions into the steps for both direct management from Intune (Step 3a) and management from ConfigMgr SP1 with Intune (Step 3b).  Choose the relevant step for your management method.

Step 3a – Uploading the signed Company Portal to Windows Intune


Login to the Admin Console here: https://admin.manage.microsoft.com

Navigate in the console to Administration > Mobile Device Management > Windows Phone 8

Click the Upload Signed App File button


Follow the wizard through, specifying the signed xap file and certificate used from the previous steps.


At this point it’s worth waiting about 15 minutes before attempting to enrol a Windows Phone 8 device.

Step 3b – Uploading the signed Company Portal to Configuration Manager

  1. Navigate in the ConfigMgr console to Software Library>Overview>Application Management>Applications
  2. Click on the Create Application button on the ribbon
  3. Drop the selection list down and choose Windows Phone app package (*.xap file)
  4. Click Browse and navigate to the company portal xap file you signed earlier
  5. Step through the wizard to complete creating the application
  6. Deploy the application to the collection of users you are allowing to enrol mobile devices but ensure you choose the Intune cloud distribution point (manage.microsoft.com) during the wizard
  7. Navigate in the ConfigMgr console to Administration>Hierarchy Configuration>Windows Intune Subscriptions
  8. Click on the Windows Intune Subscription that you setup previously
  9. Click on Properties on the ribbon bar
  10. On the Windows Intune Subscription Properties screen that opens Click the Windows Phone 8 tab
  11. Tick the check box next to Enable Windows Phone 8 platform
  12. Click Browse next to the Code signing certificate box, navigate to your code-signing certificate and Click OK
  13. Enter the password for the certificate
  14. Click Browse next to the Company portal app box, select your company app from the list and Click OK


Sunday, 27 January 2013

System Center 2012 Configuration Manager SP1 and Windows Intune - Configuring Windows RT Management

This is a post in a series of posts on Windows Intune and the new integration capabilities found in System Center 2012 SP1 Configuration Manager.  The other posts can be found here.

System Center 2012 SP1 Configuration Manager when linked with an Intune subscription has the ability to manage Windows RT devices such as the Microsoft Surface or Asus Vivo Tab RT.

First up Windows RT Management/Enrolment requires enabling within ConfigMgr.

  1. Navigate in the ConfigMgr console to Administration>Hierarchy Configuration>Windows Intune Subscriptions
  2. Click on the Windows Intune Subscription that you setup previously
  3. Click on Properties on the ribbon bar
  4. On the Windows Intune Subscription Properties screen that opens Click the Windows RT tab
  5. Tick the check box next to Enable Windows RT platform
  6. Leave the Code signing certificate bit for now and Click OK


N.B. These next steps assume you've followed the previous guides and have setup the required accounts in Intune using DirSync and have the Intune Subscription in ConfigMgr pointed at a collection containing the users that are allowed to enrol devices.

Next we need to enrol the Windows RT device and download the "Company Portal".

  • On your Windows RT device (Surface RT in my case) navigate back to the Start Screen
  • On the Start Screen start typing Company App and then click on Settings

  • Click/Tap on Company Applications and accept the UAC elevation box that pops up
  • Enter your e-mail address and password for the account you synchronised to Intune
    (N.B. If you haven't setup ADFS then remember this will be a unique password for the Intune service.  You may need to go into the Intune account management portal and reset the password if you haven't already)
  • Click OK
  • If you haven't setup a DNS CNAME on your domain for enterpriseenrollment with the alias pointing to enterpriseenrollment-s.manage.microsoft.com you will be presented with a screen asking you to Try Again or Enter more information.

  • You could either:
  • I had to do the second option in my lab as my hosting provider for my domain moaned that the DNS alias was too long...
  • Click OK and wait while the device is registered with Intune/ConfigMgr
  • Once that's complete you'll be shown a screen informing you that before you can access company applications and resources that you will need to install a management application, a.k.a the Company Portal
  • Click the link shown on the screen to open Internet Explorer to show the Company Portal App Store information
  • Click the View in Windows Store button and when the Windows Store opens, Click Install
  • Once the app downloads and installs it should appear on the very right hand side of the Start Screen; move the Company Portal to whichever position best suits you
  • Click/Tap the Company Portal app to open it
  • You'll then be asked to Sign in again.  Use the credentials you used to enrol the Windows RT device

  • Once signed into the application you should then see your company name that you specified in the properties of the Intune Subscription in the ConfigMgr console, any devices you have enrolled and any applications that have recently been made available to you.
  • Click/Tap on New Apps to see which applications have been recently made available to you, or All Apps to just show everything.
  • Click/Tap on the app you would like to install
  • In my example, the application is a link to an application within the Windows store rather than a LoB app that I have the .appx file for so I have a link to View in the Windows Store

  • Click/Tap on the View in Windows Store link and then click/tap Buy or Try 
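The enrolment steps above hinge on the enterpriseenrollment CNAME: if it is missing or points somewhere other than enterpriseenrollment-s.manage.microsoft.com, every user hits the Try Again / Enter more information screen. The function below is an added example, not part of the original post, that resolves the record for a domain and compares the target with the expected alias, using Resolve-DnsName from the DnsClient module (Windows 8 / Server 2012 and later). $Domain is a placeholder for the e-mail domain your users sign in with.

```powershell
# Added example (not from the original post): confirm the enterpriseenrollment CNAME
# described above exists and points at the Intune enrolment endpoint before you walk
# users through enrolment. Requires the DnsClient module (Windows 8 / Server 2012+).

function Test-EnrollmentCname {
    param([Parameter(Mandatory)][string] $Domain,
          [string] $ExpectedTarget = 'enterpriseenrollment-s.manage.microsoft.com')
    $name = "enterpriseenrollment.$Domain"
    try {
        # -DnsOnly skips the local hosts file and cache so we see what the device will see
        $records = Resolve-DnsName -Name $name -Type CNAME -DnsOnly -ErrorAction Stop
    } catch {
        Write-Warning "No CNAME for ${name}: $($_.Exception.Message). Devices will show the 'Try Again / Enter more information' screen."
        return $false
    }
    $cnames = @($records | Where-Object { $_.Type -eq 'CNAME' })
    if ($cnames.Count -eq 0) {
        Write-Warning "$name resolves, but not as a CNAME; the record type must be CNAME"
        return $false
    }
    foreach ($r in $cnames) {
        if ($r.NameHost -ieq $ExpectedTarget) {
            "$name -> $($r.NameHost) (OK)"
            return $true
        }
        Write-Warning "$name points at $($r.NameHost); expected $ExpectedTarget"
    }
    return $false
}

# Usage: replace with the domain part of the UPNs you synchronised to Intune
Test-EnrollmentCname -Domain 'example.com'
```

Run it from a machine on the same network path the devices use; a record that only exists on an internal DNS zone will pass here but fail for a Surface on a home connection.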



 
Following this guide will allow you to register a device with Intune/ConfigMgr, ready for deploying applications to it and setting policies, which will be explained in more detail in another blog post.



Another two settings can also be setup for the management of Windows RT Devices, if you require the ability to push out Line of Business apps that don't exist in the Windows Store.

To do this you must supply an Enterprise Sideloading key, which can be obtained from your Microsoft Volume Licensing Service Center portal or if you require another key, from your Licensing LAR.
  • Once you have your key, navigate in the ConfigMgr console to Software Library>Windows RT Sideloading Keys
  • Click on Create Sideloading Key
  • Fill out the information in the Specify Sideloading Key window

If your applications are only signed with an internal PKI certificate and not one that is publicly trusted, then you will also need to add your certificate to Intune/ConfigMgr so that the certificate you sign apps with is trusted.
  • Navigate in the ConfigMgr console to Administration>Windows Intune Subscriptions
  • Click on the Windows Intune Subscription that you setup previously
  • Click on Properties on the ribbon bar
  • On the Windows Intune Subscription Properties screen that opens Click the Windows RT tab
  • Click Browse and navigate to your certificate, select it and Click OK
  • Click OK