Microsoft Intune Announcements #TEE2014

Microsoft has announced new capabilities coming to Microsoft Intune for mobile device and application management.

Microsoft Intune helps organizations provide their employees with access to corporate applications, data, and resources from virtually anywhere on almost any device, while helping secure corporate information. As a cloud service, we continue to rapidly add new capabilities to Intune. Over the next few months we will roll out:

  • Intune-managed Office mobile apps that enable your workforce to securely access corporate data using the apps they know and love while preventing data leakage by restricting actions such as copy/cut/paste/save as and ‘open-in’ between apps in your managed app ecosystem
  • App wrapping capabilities that help secure your existing line-of-business applications, integrating these apps into your managed app ecosystem without further development or code changes
  • Managed browser, PDF viewer, AV player, and Image viewer apps for Intune that allow users to securely view content on their devices within the managed app ecosystem
  • Grant access to corporate resources, including access to Exchange email, based upon device enrollment and compliance policies set by the administrator
  • Bulk enrollment of devices using Apple Configurator or service account, simplifying administration and enabling policies and applications to be deployed at a large scale

These are just a few of the great features coming to Intune over the next two months.

This is part of a blog post from Microsoft Enterprise Mobility: http://blogs.technet.com/b/enterprisemobility/archive/2014/10/28/enterprise-mobility-teched-announcements.aspx?WT.mc_id=Blog_Intune_Announce_PCIT

Windows Intune – How to enroll a Windows Device and deploy a Windows App

It has been a long time since I last worked with Windows Intune. My most recent blog about Windows Intune was in January this year. I had a day off today; for me, that means it's time for Intune! I was curious about Direct Management, deploying Windows apps to a Windows device and how to register an Android mobile device via the Company Portal. So, I began with Windows device enrollment, Windows app deployment and Direct Management.

First you have to know about sideloading and deploying Windows apps to the different versions of Windows 8.1. There are different ways to deploy or install a Windows app: you can use the Windows Store, or you can use a deployment tool like ConfigMgr, MDT or Windows Intune. Apps that are available in the Windows Store are automatically signed and validated as trusted by Microsoft and can be deployed by Windows Intune directly from the Windows Store to the devices. When you have to distribute a line-of-business (LOB) app directly to users without using the Windows Store, you have to sideload the app. Sideloading bypasses the validation and signing requirements of the Windows Store and makes you responsible for validating and signing the apps yourself. You cannot sideload an app that has been downloaded from the Windows Store. Because of corporate policy, a company usually doesn't want to make its LOB apps available in the Windows Store; for them, sideloading is the only option to deploy Windows Store apps, and they are also responsible for delivering app updates to users. For sideloading you need sideloading keys, which are available from Microsoft Volume Licensing. For more information about sideloading, check this URL: http://technet.microsoft.com/en-us/library/dn613831.aspx

Which Windows versions require sideloading for the apps?

NOTE: Unfortunately, I can't test sideloading, because I don't have the sideloading keys. Because of that, I could only test a domain-joined Windows 8.1 Enterprise Update 1 device.

NOTE: Follow this blog if you don't have a Windows Store app yet: https://albertneef.wordpress.com/2014/05/07/create-a-windows-store-app/

UPDATE: Microsoft has changed its sideloading process for all Windows 8.1 devices. For Windows Phone 8.1 you can download the .XAP from the Windows Store and put it on the external disk of your mobile device; from the external memory/disk you can install the app. Sideloading is also available (via PowerShell, SCCM or Windows Intune) if your Windows 8.1 Pro and Enterprise devices are domain joined. For devices that are not domain joined (like Windows RT) you have to use sideloading activation keys. To obtain a sideloading activation key, see the Windows 8 Volume Licensing Guide. Read more about this process on TechNet: http://technet.microsoft.com/en-us/library/dn613831.aspx How to use a Sideloading Product Activation Key, see this website: http://technet.microsoft.com/en-us/library/dn613835.aspx

Let's begin with a group policy. We have to enable Allow all trusted apps to install in Computer Configuration -> Administrative Templates -> Windows Components -> App Package Deployment, or you can set this registry value: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps = 1.
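The policy above is only the first half of what a sideloaded package needs: Windows also has to trust the certificate the appx was signed with, and you want to confirm the package is actually signed by that certificate before installing it. The script below is an added example (not code from the original post) that sets the same registry value as the GPO, imports the developer's .cer into the Trusted People store, checks the package signature and installs it. The file paths and the package identity name TestApp are assumptions for a lab.

```powershell
# Added example, not code from the original post: set the registry value the
# GPO 'Allow all trusted apps to install' writes, trust the app's signing
# certificate, verify the package signature, and install the package.
$AppxPath = 'C:\AppPackages\TestApp_1.0.0.0_AnyCPU.appx'   # ASSUMED path
$CerPath  = 'C:\AppPackages\TestApp_1.0.0.0_AnyCPU.cer'    # ASSUMED path
$PkgName  = 'TestApp'                                       # ASSUMED package identity name

# 1. Policy: HKLM\Software\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps = 1
$PolicyKey = 'HKLM:\Software\Policies\Microsoft\Windows\Appx'
if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
Set-ItemProperty -Path $PolicyKey -Name AllowAllTrustedApps -Value 1 -Type DWord
if ((Get-ItemProperty -Path $PolicyKey).AllowAllTrustedApps -ne 1) {
    throw 'AllowAllTrustedApps is not set; Windows will refuse to sideload.'
}

# 2. Trust: a sideloaded package only installs when its signing chain is trusted
#    by the machine. Import the developer's .cer into Trusted People, which is a
#    narrow store; do not put an app-signing certificate into Trusted Root.
$trusted = Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\TrustedPeople

# 3. Verify the package really is signed by that certificate before installing it
$sig = Get-AuthenticodeSignature -FilePath $AppxPath
if ($sig.Status -ne 'Valid') {
    throw "Package signature status is '$($sig.Status)'; refusing to install."
}
if ($sig.SignerCertificate.Thumbprint -ne $trusted.Thumbprint) {
    throw 'Package is signed by a different certificate than the imported .cer.'
}

# 4. Install for the current user and confirm the package is registered
Add-AppxPackage -Path $AppxPath
$installed = Get-AppxPackage -Name $PkgName
if (-not $installed) { throw "$PkgName did not register." }
$installed | Select-Object Name, Version, Publisher, PackageFullName
```

Run it in an elevated PowerShell on the Windows 8.1 client. The thumbprint comparison in step 3 is the part worth keeping in your own tooling: it stops a package signed by some other trusted certificate from riding in on the trust you just granted.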

Prerequisites:

  • Enterprise PKI server
  • Certificate for ADFS
  • Active Directory
  • AD Federation Service
  • Windows Intune subscription
  • Windows 8.1 update 1

Direct Management Setup:

Step 1 ) https://albertneef.wordpress.com/2014/05/05/installing-and-configuring-an-enterprise-pkiadcs-environment/

Step 2 ) https://albertneef.wordpress.com/2014/05/07/installing-and-configuring-adfsdirsync-for-windows-intune/

Step 3 ) From Technet:

Users download the Windows Intune Company Portal app that is available in the Windows Store. The following steps describe the enrollment process.

  1. Go to Settings > PC Settings > Network > Workplace.
  2. Enter the User ID and click Turn on.
  3. Check the Allow apps and services from IT admin dialog box, and click Turn on.

Enable Direct Management on the client:

Go to Change PC Settings

Go to Network

Go to Workplace and click Join. If the device has joined the Workplace successfully, click on the Turn On button. The user needs local administrator permission to turn on device management.

You can check Event Viewer for errors or warnings. Go to Applications and Services Logs\Microsoft\Windows\Workplace Join\Admin. You will see a few events.

After a few minutes the device is added in Windows Intune, ready to be managed.

Ok, now we have to upload a Windows app. If you don't have an app yet, follow this blog to make a simple test app without content: https://albertneef.wordpress.com/2014/05/07/create-a-windows-store-app/

Go to Software -> Overview –> Step 1: Add Software

Click Add Software in the menu.

If you get this message, click Run.

You will get this window. Follow the screenshots/figures.


Right click on the app -> Manage deployment…

I don’t have any groups, so I have to select All Users. Click Next.

Select Available Install. Click Finish.

Check the app again. Deployed has changed to Yes.

We have to import the app certificate into Windows Intune. Go to Administration -> Mobile Device Management and select Windows. Click Modify Code-Signing Certificates.

Go to the AppPackages directory, where you have the appx (app file), and select the *.cer.


Verify the imported certificate.

It’s time to deploy the app to a Windows Device.

Download the Company Portal from the Windows Store.

The device is ready. You can install your test app from the Company Portal.

That's all folks. You have a device that is directly managed by Windows Intune and it is ready to deploy Windows Store apps. If you have any questions or comments about this configuration or about deploying, don't hesitate to leave a message!

Installing and configuring ADFS/DirSync for Windows Intune

This blog post is all about Active Directory Federation Services (ADFS) and DirSync. To activate Single Sign-On in Microsoft Azure, an on-premise ADFS in combination with DirSync is required. DirSync syncs your on-premise Active Directory with Microsoft Azure Active Directory. ADFS will be used for handling the on-premise login credentials to activate SSO.

ADFS is also required to register your (mobile) device for management. This feature is available in Windows RT/8 and is called Workplace.

In this blog post I describe the installation and configuration of ADFS and DirSync. I also tell you about device registration and how to prepare ADFS for Windows Intune.

For this blog you will need one server based on Windows Server 2012 R2 Update 1.

NOTE: I have used an Enterprise PKI to create a certificate for ADFS. Read this blog for installing and configuring an Enterprise PKI environment.

NOTE: This ADFS environment is only accessible inside the network. If you want to use it outside your internal network, you have to change the FQDN to your public domain name when making a new certificate. Don't forget to add the necessary DNS records and configure the firewall(s).

Good luck!

Create a group Managed Service Account (gMSA). Run this on the domain controller.

  • Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
  • New-ADServiceAccount FsGmsa -DNSHostName w12r2adfs001.systemcenter.local -ServicePrincipalNames http/w12r2adfs001.systemcenter.local

Request a certificate from the PKI server.

MMC -> Certificates – Local Computer

Click on the link More information is required to enroll for this certificate….

Add:

  • Common Name: FQDN of your ADFS server, like: w12r2adfs001.systemcenter.local
  • DNS: FQDN of your adfs server
  • DNS: enterpriseregistration.systemcenter.local

Click Ok.

Click Enroll

Verify that it is listed in the Certificates (Local Computer) MMC:

Installing ADFS Role:

Configure the ADFS role:

NOTE: Ignore the last warning. You will get this warning if you have installed ADFS on another server before. I have reinstalled ADFS on a fresh, clean Windows Server 2012 R2 server 😉

Enable Device Registration in ADFS:

Initialize-ADDeviceRegistration

When prompted for a service account, type <domain>\fsgmsa$

Enable-AdfsDeviceRegistration

Via Server Manager open ADFS management console.

Enable Device Authentication

Install Windows PowerShell for single sign-on with AD FS

It's time to configure the synchronization between on-premise and Microsoft Azure/Windows Intune.


Windows Azure AD Module:

http://technet.microsoft.com/library/jj151815.aspx

Set up a trust between AD FS and Azure AD

  • Connect-MsolService -Credential $cred
  • Set-MsolAdfscontext -Computer <AD FS primary server> (if you run this on the primary ADFS server, you don't need to run this command)
  • New-MsolFederatedDomain -DomainName <domain> or
  • Convert-MsolDomainToFederated -DomainName <domain>
  • To verify: Get-MsolFederationProperty -DomainName <domain>
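The gMSA commands, the Device Registration commands and the Azure AD trust commands above are spread over several steps of this post; the script below is an added example (not the post's own script) that runs them in order on the future AD FS server with the checks a practitioner would want in between. It uses the post's lab names (w12r2adfs001.systemcenter.local, FsGmsa); the federated public domain $PublicDomain is an assumption where the post writes <domain>.

```powershell
# Added example, not code from the original post: gMSA, AD FS farm, Device
# Registration Service and Azure AD federation in one script. Run as a domain
# admin on the AD FS server after the certificate has been enrolled.
$AdfsHost     = 'w12r2adfs001.systemcenter.local'   # from the post
$GmsaName     = 'FsGmsa'                            # from the post
$PublicDomain = 'contoso.example'                   # ASSUMED federated UPN suffix

Import-Module ActiveDirectory

# 1. KDS root key. The -10 hours trick only suits a single-DC lab: it skips the
#    replication wait so the key is usable immediately. In production use
#    -EffectiveImmediately and wait the ~10 hours before creating the gMSA.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
}

# 2. gMSA for the AD FS service. Restrict password retrieval to the AD FS
#    computer account: a gMSA nobody may read cannot start the service, and one
#    everybody may read is a credential leak.
$adfsComputer = Get-ADComputer -Identity ($AdfsHost.Split('.')[0])
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName -DNSHostName $AdfsHost `
        -ServicePrincipalNames "http/$AdfsHost" `
        -PrincipalsAllowedToRetrieveManagedPassword $adfsComputer
}
# Proves this host can actually retrieve the gMSA password before AD FS needs it
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "This computer cannot use $GmsaName; check PrincipalsAllowedToRetrieveManagedPassword."
}

# 3. AD FS role and farm. The certificate is matched by subject and expiry;
#    pin its thumbprint in your own script once you know it.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$AdfsHost*" -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate for CN=$AdfsHost in LocalMachine\My." }
$netbios = (Get-ADDomain).NetBIOSName
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $AdfsHost `
    -GroupServiceAccountIdentifier "$netbios\$GmsaName`$"

# 4. Device Registration Service (Workplace Join) and device authentication
Initialize-ADDeviceRegistration -ServiceAccountName "$netbios\$GmsaName`$"
Enable-AdfsDeviceRegistration
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# 5. Federate the public domain with Azure AD (needs the Windows Azure AD Module)
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message 'Azure AD global admin')
Set-MsolAdfscontext -Computer $AdfsHost
if (Get-MsolDomain -DomainName $PublicDomain -ErrorAction SilentlyContinue) {
    Convert-MsolDomainToFederated -DomainName $PublicDomain   # domain already added
} else {
    New-MsolFederatedDomain -DomainName $PublicDomain          # adds it as federated
}
Get-MsolFederationProperty -DomainName $PublicDomain          # verify the trust
```

The two extra checks are the ones that save time later: Test-ADServiceAccount fails early when the gMSA permissions are wrong (the symptom otherwise is an AD FS service that will not start), and Get-MsolFederationProperty shows the signing certificate and endpoints Azure AD has recorded, so a mismatch with the local AD FS configuration is visible before anyone tries to sign in.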

Add UPN for DirSync:


Installing DirSync:

DirSync needs .NET Framework 3.5 or 4.0.
To check the sync status, you can open Synchronization Service Manager tool located in: C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miiclient.exe

And check the Azure admin web console: you will see the on-premise users in the web console.

The only thing you have to do is change the accounts to your newly created UPN suffix.
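Adding the UPN suffix and moving the accounts to it, as an added example that is not part of the original post. The lab domain systemcenter.local is the post's; the public suffix and the OU are assumptions. The script refuses to create a duplicate UPN, because that is exactly the object DirSync would later fail on.

```powershell
# Added example, not code from the original post: register a public UPN suffix
# in the forest and move users from the internal suffix to it so DirSync can
# match them to Azure AD / Windows Intune accounts.
Import-Module ActiveDirectory
$OldSuffix  = 'systemcenter.local'                          # lab domain from the post
$NewSuffix  = 'contoso.example'                             # ASSUMED: your verified public domain
$SearchBase = 'OU=IntuneUsers,DC=systemcenter,DC=local'     # ASSUMED OU holding the users to sync

# 1. Add the suffix once at forest level (safe to re-run)
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $NewSuffix }
}

# 2. Rewrite only users still on the internal suffix; never create a duplicate
$users = Get-ADUser -SearchBase $SearchBase -Filter "UserPrincipalName -like '*@$OldSuffix'"
foreach ($u in $users) {
    $newUpn = '{0}@{1}' -f $u.SamAccountName, $NewSuffix
    if (Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'") {
        Write-Warning "Skipping $($u.SamAccountName): $newUpn is already in use"
        continue
    }
    Set-ADUser -Identity $u -UserPrincipalName $newUpn
    Write-Verbose "Changed $($u.UserPrincipalName) to $newUpn"
}

# 3. Report what is still on the internal suffix; those users cannot sign in to
#    manage.microsoft.com through the federated domain until fixed
Get-ADUser -SearchBase $SearchBase -Filter "UserPrincipalName -like '*@$OldSuffix'" |
    Select-Object SamAccountName, UserPrincipalName
```

After this, force or wait for the next DirSync cycle and confirm in the Azure admin web console that the users show up with the new suffix.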

Also, in the account web console you have to edit the synchronized on-premise accounts. You need to give them access to Windows Intune, otherwise they can't register a device or install an app from the Company Portal.


Add records in DNS:

An A record for the hostname (if it doesn't exist yet), <your adfs hostname>, pointing to an IP address.

A CNAME record for enterpriseregistration:

If your environment has multiple UPN suffixes, you must create multiple CNAME records in DNS, one for each of those UPN suffixes.

Also one for enterpriseenrollment. This one targets manage.microsoft.com.
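The three records above as a script, an added example that is not from the original post. It uses the DnsServer module on a Windows Server 2012 DNS server; the zone and AD FS hostname are the post's lab values, while the IP address and the list of UPN-suffix zones are assumptions. Each record is only created if it does not already exist, and the result is checked the way a client would see it.

```powershell
# Added example, not code from the original post: create and verify the DNS
# records Workplace Join and Intune enrollment look up.
Import-Module DnsServer
$Zone           = 'systemcenter.local'                         # from the post
$AdfsHost       = 'w12r2adfs001'                               # from the post
$AdfsIp         = '192.0.2.10'                                 # ASSUMED (documentation range)
$UpnSuffixZones = @('systemcenter.local', 'contoso.example')   # ASSUMED: one entry per UPN suffix

function Test-DnsRecordExists($ZoneName, $Name, $Type) {
    [bool](Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $Name -RRType $Type -ErrorAction SilentlyContinue)
}

# A record for the AD FS server
if (-not (Test-DnsRecordExists $Zone $AdfsHost 'A')) {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $AdfsHost -IPv4Address $AdfsIp
}

# enterpriseregistration CNAME in every UPN-suffix zone, all pointing to the AD FS FQDN.
# Device registration resolves enterpriseregistration.<upn suffix of the user>.
foreach ($z in $UpnSuffixZones) {
    if (-not (Test-DnsRecordExists $z 'enterpriseregistration' 'CName')) {
        Add-DnsServerResourceRecordCName -ZoneName $z -Name 'enterpriseregistration' -HostNameAlias "$AdfsHost.$Zone"
    }
}

# enterpriseenrollment CNAME for Intune MDM discovery, target manage.microsoft.com
if (-not (Test-DnsRecordExists $Zone 'enterpriseenrollment' 'CName')) {
    Add-DnsServerResourceRecordCName -ZoneName $Zone -Name 'enterpriseenrollment' -HostNameAlias 'manage.microsoft.com'
}

# Verify from a client's point of view
Resolve-DnsName "$AdfsHost.$Zone" -Type A
foreach ($z in $UpnSuffixZones) { Resolve-DnsName "enterpriseregistration.$z" -Type CNAME }
Resolve-DnsName "enterpriseenrollment.$Zone" -Type CNAME
```

If a UPN suffix is a public domain, the same enterpriseregistration CNAME has to exist in the public zone as well, otherwise devices outside the network cannot find the AD FS server.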

Test:

You can test whether SSO is working. Go to http://manage.microsoft.com or http://portal.manage.microsoft.com and use your on-premise username with the UPN suffix. The website checks your UPN suffix and automatically forwards you to the on-premise ADFS website to log in. After that you are automatically logged in to Windows Intune and you are in the console.

That's all folks. If you have any questions or comments about this blog, please don't hesitate to leave a message or send me a mail.

Windows Intune update, Q2/Q3 2014

How you doing, how you been? It's a long time since I wrote a blog on my blog site. I have been very busy at work and also at home. With 2 little children it's a little bit messy at home, haha. But, this will change today. My blog site has a higher priority for the coming few months. I have to (must) blog more about Windows Intune and System Center, especially the integration of Windows Intune with SCCM 2012 R2 (MDM/UDM feature). Besides that, I'm working on a corporate image for a company I work with. A blog about this experience, with DaRT and MDT 2013 integrated, will be coming soon.

This blog is not really that great, but I have to start with something 😉

Windows Intune update, Q2/Q3 2014 

Microsoft has introduced a new update policy for Windows Intune. The old one that Microsoft managed was releasing a big update of Windows Intune once or twice a year, mostly in Q1 or Q4. The new one splits the updates up into months, to speed up the release of features.

The new features coming in Q2/Q3 2014 are:

Flexible Deployment: 

  • Full MDM parity in Windows Intune standalone
  • Email/Wi-Fi Profiles, VPN and Certificates
  • Bulk IT enrollment of devices and devices targeting
  • Cloud-only scalability

Device Configuration Management: 

  • Windows Phone Enterprise Feature Pack support
  • Application Whitelist/Blacklist
  • Customizable IT  Terms of Use
  • Start Screen in Windows 8.1
  • Microsoft Azure AD Premium integration in Company Portal

Email Configuration and Protection: 

  • Access to email only if device is managed

Safety: 

  • Family Safety in Windows 8.1
  • URL Filtering

Device Data Protection:

  • Application restriction policies for iOS
  • Enterprise Wipe of Email (iOS) and access controls via certs
  • TPM cert enrollment
  • MFA support for Intune enrollment

I got this information from Henk’s blog. Thanks to Henk Hoogendoorn: http://henkhoogendoorn.blogspot.nl/2014/03/windows-intune-roadmap-partner-session.html


Deploy APK (Android) app in SCCM 2012 with Windows Intune Connector

A new blog about deploying apps via SCCM. This blog is not for all platforms, but only about Android, because I only have an Android smartphone to test with. The way to manage an Android device is not the same as for iOS or Windows RT/8. Windows Intune doesn't support direct management for Android, only for iOS and Windows RT/8. This means you have to connect your Android device to Exchange ActiveSync (EAS) to manage the device. It could be an on-premise Exchange or a cloud Exchange like Office 365.

But the good part of this blog is that you don't need EAS for deploying apps to your Android device(s). The only things you need are DirSync from your corporate Active Directory to the cloud (Windows Azure Active Directory), and the users must be known in Windows Intune so they can log in to the Company Portal.

For iOS and Windows 8/RT it is not that easy, because for a Windows Modern (Metro) app you have to contact the developer for the APPX file. This is called sideloading: deploying/installing Windows apps without the Windows Store. For iOS you need 2 files for the app: the IPA (the app) and the PLIST (a manifest file). For these files you also have to contact the developer.

For configuring the Windows Intune Connector in SCCM, please read this blog: Windows Intune: Wave D and SCCM 2012 Service Pack 1 integration

For configuring the DirSync, please read this blog: System Center 2012 Configuration Manager SP1 and Windows Intune – Configuring and Installing Active Directory Synchronisation (DirSync)

So, let's begin by downloading an APK file from the Internet. I'm using "Quick Search Widget.apk" for testing. I'm downloading the file to E:\Resource\Apps\Android\ and the folder Resource is shared.

Go to the console and go to the Software Library in the menu. Right click on Applications and choose Create Application.

Change the type in the wizard to App Package for Android (*.apk file).

The location is where you downloaded the apk file. Don't forget to use the UNC path and not the local path, like this: \\SERVERNAME\Resource\Apps\Android\name.apk

Click Next

Click Next or add some information about the app.

Click Next

Click Close

Ok, we have added the app in SCCM. Now we have to make a User Collection.

Go to Assets and Compliance and right click on User Collections. Choose Create User Collection.

In the wizard add some information about the collection. Give it a name; the limiting collection is All Users.

Click on Direct Rule. It opens a new screen. Click Next

We have to find the users who are allowed to download the app from the Company Portal. I have 1 user and that is Pietje Puk.

Resource class is User Resource, Attribute name is User Name and Value is pietje% (% is a wildcard). You can also use SQL queries for a dynamic source, but because this is a lab environment I'm using direct membership.

Select the user.

Click Next

Click Close

The user(s) are added. Click Next.

Click next.

The collection is created and ready for use.

Like this:

Now, we have to go back to Software Library and click on Applications. You will see in the right panel your Android App.

Right click on the app and choose for Deploy.

Collection is the new collection, Google, that we made earlier in this blog.

Click Add for adding a Distribution point.

You will get 2 distribution points if you are using 1 primary site and Windows Intune integration. Select the Cloud one here (manage.microsoft.com). That is Windows Intune.

Click Next.

This is default. Click Next.

No schedule today, so leave it default.

Also default

Also default. If you use SCOM you could enable SCOM alerts.

Click Next.

Click Close

Ok, this can take a while. See the result of the app.

Ok, after a minute the status is success (green).

Now we have to test it. Get your device and go to https://m.manage.microsoft.com

Log in with the user that you added to the Google User Collection. Sorry about the language; this is Dutch.

Click on the blue tile, Download Apps.

You will see the app, in my case Quick Search Widget. Click on the app.

You get some information about the app. Click on the button Download App.

And again click on the link Download App now.

Check the notification bar for the status.

Click on the notification. Choose the location for installing.

That’s all, you have installed a “corporate” approved application from Windows Intune and SCCM 2012.

#1 Troubleshoot: Windows Intune Connector / Subscription

I start with some small blogs about the problems that I have met during the installation or configuration of System Center products, like SCCM and SCOM. These may be handy if you have some trouble with apps, roles, the portal, updates or distribution.

Here is an error you can get when you want to distribute an app to the Cloud (Windows Intune).

The error is:

Cannot access registry keys on server manage.microsoft.com. The operating system reported error: 53

Check the log distmgr.log in C:\Program Files\Microsoft Configuration Manager\Logs\

This happens if you want to distribute an app to the Cloud (manage.microsoft.com). I don't know why it didn't work, but I had to reinstall the Windows Intune Connector by deleting the subscription in Administration. After that I rebooted the server, and then added the subscription and the Windows Intune Connector again.

Now, I can distribute the Apps to the Cloud, check the log.
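distmgr.log, like the other ConfigMgr logs, is written in the CMTrace format, where each line carries the message, a timestamp, the component and a severity type (1 info, 2 warning, 3 error). Reading it in CMTrace works, but filtering it in PowerShell makes the errors stand out. The parser below is an added example, not from the original post; the two sample lines are constructed for the example in the shape of distmgr.log (the error text is the one quoted above; timestamps and thread numbers are invented). The Win32 error code in the message is looked up as well: 53 is ERROR_BAD_NETPATH, "The network path was not found".

```powershell
# Added example, not code from the original post: parse CMTrace-format log
# lines (distmgr.log and other ConfigMgr logs) and pull out the errors.
function ConvertFrom-CMTraceLog {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    begin {
        # Win32 error codes that commonly appear after "reported error:"
        $win32 = @{ 5 = 'ERROR_ACCESS_DENIED'; 53 = 'ERROR_BAD_NETPATH (network path not found)';
                    67 = 'ERROR_BAD_NET_NAME'; 1326 = 'ERROR_LOGON_FAILURE' }
        $sev = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
        $rx = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)"[^>]*type="(?<type>\d)"'
    }
    process {
        if ($Line -notmatch $rx) { return }        # skip lines that are not CMTrace records
        $m = $Matches                              # keep this match; the next -match replaces $Matches
        $code = $null
        if ($m.msg -match 'reported error: (\d+)') { $code = [int]$Matches[1] }
        [pscustomobject]@{
            Date      = $m.date
            Time      = $m.time
            Component = $m.comp
            Severity  = $sev[$m.type]
            Win32     = if ($code) { "$code $($win32[$code])" } else { '' }
            Message   = $m.msg
        }
    }
}

# Constructed sample lines in distmgr.log shape (not a real capture)
$sample = @'
<![LOG[Start updating the package on server ["Display=\\manage.microsoft.com\"]MSWNET:["SMS_SITE=P01"]\\manage.microsoft.com\]LOG]!><time="10:15:01.123+000" date="10-28-2014" component="SMS_DISTRIBUTION_MANAGER" context="" type="1" thread="4812" file="distmgr.cpp:1234">
<![LOG[Cannot access registry keys on server manage.microsoft.com. The operating system reported error: 53]LOG]!><time="10:15:02.456+000" date="10-28-2014" component="SMS_DISTRIBUTION_MANAGER" context="" type="3" thread="4812" file="distmgr.cpp:5678">
'@ -split "`r?`n"

$sample | ConvertFrom-CMTraceLog | Where-Object { $_.Severity -eq 'Error' } | Format-List

# On the site server, run it over the real log instead:
# Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\distmgr.log' |
#     ConvertFrom-CMTraceLog | Where-Object { $_.Severity -eq 'Error' }
```

The output for the sample is one record: Severity Error, Win32 "53 ERROR_BAD_NETPATH (network path not found)", and the message from the post. Seeing that code tells you the site server tried to reach manage.microsoft.com as if it were an ordinary SMB distribution point, which points at the connector and subscription state rather than at the package itself, and matches the fix the post describes.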

Good luck!

Windows Intune v4 Getting Started Guide

Microsoft released a new version of Windows Intune in December 2012. This update supports Microsoft's new operating systems, such as Windows Phone 8, Windows RT and Windows 8 (Ent/Pro). The most important feature is the integration with SCCM 2012 (SP1).

This integration helps you support the Windows Intune clients, such as mobile devices and notebooks outside the corporate network, from a single location. You run the scheduled tasks or distributions from the SCCM 2012 console to the managed Windows Intune clients.

Microsoft made a tutorial for the newest version. 1355761715-WindowsIntuneGettingStartedGuide-Dec2012Release (download PDF)

I'm busy with a new blog to show you the details of the integration with SCCM 2012. But first I have to configure my lab environment to support mobile devices over ActiveSync and maybe the Windows Intune Exchange Connector.