Introduction to Unified Device Management with Intune and System Center Configuration Manager

Most IT pros and the IT organizations they work for have the challenge of supporting a wide diversity of apps, operating systems, and devices for their users. Although each app, operating system, or device might have its own management solution, IT pros need a unified management solution. This demonstration shows how Microsoft System Center 2012 R2 Configuration Manager provides a comprehensive, unified management solution that can handle the ever-increasing diversity of apps, operating systems, and devices. This demonstration also shows how organizations can support Bring Your Own Device (BYOD) initiatives and manage devices that are not domain joined, regardless of whether they are owned by the organization or the users.


Post on 05-Jun-2020


Page 1: Introduction to Unified Device Management with Intune and …video.ch9.ms/sessions/teched/eu/2014/Labs/EM-IL302.pdf · 2014-11-20 · Introduction to Unified Device Management with


Information in this document, including URLs and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links are provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Copyright © 2014 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveSync, Azure, Forefront, Internet Explorer, Silverlight, Windows, Windows Intune, Windows PowerShell, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Overview

Getting started

For these demonstrations, use the following virtual machines (VMs):

CM

DC

PC

SYNC

BYOD


Unified management with System Center 2012 R2 Configuration Manager and Windows Intune

Create a Free 30 day Microsoft Intune Trial

Talking point Action

We now need to get you a Microsoft Intune tenant to use for testing purposes in our lab.

Note that you don’t need to provide any credit card information and will not be charged.

Perform the following steps on DC logged on as CORP\Administrator with the password Passw0rd:

1. Go to the Desktop and launch Internet Explorer from the taskbar

2. Enter http://aka.ms/tryintune into the address bar

3. On the website select the Try tab

4. Select Signup for a Microsoft Intune free 30-day-trial

5. Complete the details on the Signup screen. DO NOT use your own organization’s real name in the New Domain Name field; use a variation such as contosolab1, where Contoso is your company name.

6. Click Check availability

7. Enter Admin in New user ID and provide a password.

8. Enter the verification code as seen on screen.

9. Click I accept and continue. Your account will now be created, continue when prompted to do so.

10. On the Don’t lose access to your account page click the Remind me later link.


Configuring alternate UPN suffixes in AD

Talking point Action

The first step in integrating System Center 2012 R2 Configuration Manager and Windows Intune is to configure alternate user principal name (UPN) suffixes in Active Directory. Alternate UPN suffixes allow us to log in to Windows Intune by using the Windows Intune domain name assigned to us when we subscribed (such as xxxxx.onmicrosoft.com). You can also do this in production when your AD DNS name does not match your public DNS name, for example, corp.contoso.com internally and contosocorp.com externally.

We add alternate UPN suffixes in Active Directory by using the Active Directory Domains and Trusts console. We start the console; then, in the console tree, we right-click Active Directory Domains and Trusts, and then click Properties.

Now, we can enter the Windows Intune domain name assigned to us, click Add, and then click OK. All our user accounts in the existing Active Directory forest can now be given the same UPN suffix as our Windows Intune subscription.

Perform the following steps on DC logged on as CORP\Administrator with the password Passw0rd:

1. Start the Active Directory Domains and Trusts console from the Tools menu in Server Manager

2. In the Active Directory Domains and Trusts console, in the console tree, right-click Active Directory Domains and Trusts, and then click Properties.

The Active Directory Domains and Trusts Properties dialog box appears.

3. In the Active Directory Domains and Trusts Properties dialog box, in Alternate UPN suffixes, type IntuneDomain (where IntuneDomain is the domain name for the Windows Intune subscription, such as xxxxx.onmicrosoft.com), and then click Add and OK.

4. Close the Active Directory Domains and Trusts console.

Now, we need to configure the UPN suffix for a user. We can do so for an individual user in the Active Directory Users and Computers console. In the real world, outside this lab, you’d need to make sure the UPN matches up for every user who will be able to enroll devices into Intune. Of course, you can script that with PowerShell.

If we go to the properties of one of the users (Lori Penor), we can see that @corp.contoso.com is the current UPN suffix. We will change the UPN suffix to the domain name for our Windows Intune subscription, and then save the changes.

5. Start the Active Directory Users and Computers console.

6. In the Active Directory Users and Computers console, in the console tree, go to corp.contoso.com/Accounts/Users.

7. In the details pane, right-click Lori Penor, and then click Properties.

The Lori Penor Properties dialog box appears.

8. In the Lori Penor Properties dialog box, on the Account tab, in User logon name, select IntuneDomain (where IntuneDomain is the domain name for the Windows Intune subscription, such as xxxxx.onmicrosoft.com), and then click OK.


9. Close the Active Directory Users and Computers console.
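The bulk UPN change mentioned above ("you can script that with PowerShell"), as an added example that is not part of the original lab content: it registers the alternate suffix on the forest and re-suffixes only the members of one group, skipping any user whose new UPN would collide with an existing one. It assumes the ActiveDirectory module is available and that the Windows_Intune_Users group used later in this lab holds the users allowed to enroll; the parameter names are illustrative.

```powershell
# Added example, not the lab's own script. Run with -WhatIf first to preview changes.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Placeholder from the lab text: replace with your Intune subscription domain.
    [string]$IntuneDomain = 'xxxxx.onmicrosoft.com',
    # Current on-premises suffix shown in the lab.
    [string]$OldSuffix    = 'corp.contoso.com',
    # Assumption: only members of this group are allowed to enroll devices.
    [string]$GroupName    = 'Windows_Intune_Users'
)

Import-Module ActiveDirectory

# 1. Register the alternate UPN suffix on the forest if it is not there yet
#    (the scripted equivalent of the Domains and Trusts Properties dialog).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $IntuneDomain) {
    if ($PSCmdlet.ShouldProcess($forest.Name, "Add UPN suffix $IntuneDomain")) {
        Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $IntuneDomain }
    }
}

# 2. Change the suffix only for users in the enrollment group, so accounts
#    that will never sign in to Intune keep their existing logon name.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

foreach ($member in $members) {
    $user = Get-ADUser -Identity $member.DistinguishedName -Properties UserPrincipalName

    # Leave accounts alone that have no UPN or already use another suffix.
    if ($user.UserPrincipalName -notlike "*@$OldSuffix") { continue }

    $prefix = ($user.UserPrincipalName -split '@')[0]
    $newUpn = '{0}@{1}' -f $prefix, $IntuneDomain

    # A UPN must be unique in the forest; report a clash instead of overwriting.
    $escaped = $newUpn.Replace("'", "''")
    $clash = Get-ADUser -Filter "UserPrincipalName -eq '$escaped'"
    if ($clash) {
        Write-Warning "Skipping $($user.SamAccountName): $newUpn is already used by $($clash.SamAccountName)"
        continue
    }

    if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Set UPN to $newUpn")) {
        Set-ADUser -Identity $user -UserPrincipalName $newUpn
        # Emit a record of each change for the change log.
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            OldUpn         = $user.UserPrincipalName
            NewUpn         = $newUpn
        }
    }
}
```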

Configuring Windows Intune Active Directory account synchronization

Talking point Action

The next step in integrating System Center 2012 R2 Configuration Manager and Windows Intune is to configure synchronization between our Active Directory domain and Windows Intune. Doing so allows our users to log in to Windows Intune with the credentials that they already have. In our case, that sync could take some time, so we will use the temporary credentials for this lab. We configure Windows Intune Active Directory account synchronization by using the Windows Intune administration portal.

We use our credentials to sign in to the Windows Intune administration portal. Then, we click Users to take us to the user management section of the administration portal. Notice that you only see one user because she’s our only Intune user.

On the Users page, under Active Directory synchronization, we click the Set up link. This takes us to the Set up and manage Active Directory Synchronization page.

Perform the following steps on SYNC logged on as CORP\Administrator with the password Passw0rd:

1. Open https://account.manage.microsoft.com in Internet Explorer.

2. On the Windows Intune sign in web page, type IntuneAdmin (where IntuneAdmin is the administrative credential for the Windows Intune subscription), and then click Sign in.

The Windows Intune administration portal is displayed. If you are prompted to provide a phone number click Remind me later.

3. In the navigation pane, under Management, click Users.

The Users page is displayed.

4. On the Users page, under Active Directory synchronization, click the Set up link.

Tip The Active Directory synchronization area is toward the upper portion of the page below Active | Deleted and Single sign-on.

The Set up and manage Active Directory Synchronization page is displayed.

On the Set up and manage Active Directory Synchronization page, we can see the six steps that we must perform to set up Active Directory synchronization.


In step 1, we prepare for directory synchronization. We ensure that our on-premises environment meets the software and system resource requirements. There is a hyperlink that takes us to content that describes the software and system resource requirements for performing directory synchronization. For this demonstration, we have already verified that our environment meets the necessary prerequisites.

In step 2, we verify that the appropriate domains have been added to Windows Intune. The domains could be the domain provided to us by Windows Intune (our xxxxx.onmicrosoft.com domain) or a domain that we already own (such as contoso.com). For the purposes of this demonstration, we will be using the xxxxx.onmicrosoft.com domain.

In step 3, we activate Active Directory synchronization. Doing so enables Windows Intune to synchronize with our on-premises Active Directory infrastructure. To perform the activation, we simply click Activate.

This process of activating Active Directory synchronization is a one-way process and cannot be changed after it is enabled. So, we will receive a window asking us to confirm that we want to activate the synchronization. We do want to activate, so we click Activate.

When we do, we can see that the status Active Directory synchronization is enabled is displayed beneath 3 Activate Active Directory synchronization.

5. On the Set up and manage Active Directory Synchronization page, under 3 Activate Active Directory synchronization, click Activate.

The Do you want to activate Active Directory synchronization window appears.

6. In the Do you want to activate Active Directory synchronization window, click Activate.

On the Set up and manage Active Directory Synchronization page, under 3 Activate Active Directory synchronization, the status Active Directory synchronization is activated is displayed.

In step 4, we are to download, install, and run the Directory Synchronization tool. The Directory Synchronization tool runs on a server in our on-premises environment on any system that meets the requirements. We have already downloaded and installed the tool on our server. Now, we need to configure Azure Active Directory synchronization by using the Microsoft Azure Active Directory Sync Tool Configuration Wizard.

7. On the desktop, right-click Directory Sync Configuration, and then click Run as administrator.

The User Account Control dialog box is displayed.

8. In the User Account Control dialog box, click Yes.

The Azure Active Directory Sync Tool Configuration Wizard starts.


We will need to run the wizard as an administrator, so when the User Account Control dialog box appears, we click Yes, and the Azure Active Directory Sync Tool Configuration Wizard starts.

Now, we need to complete the Azure Active Directory Sync Tool Configuration Wizard. We don’t have anything to change on the Welcome page, so we click Next and move on to the next page.

9. In the Azure Active Directory Sync Tool Configuration Wizard, on the Welcome page, click Next.

On this wizard page, we enter the credentials for a user who is an admin in our Windows Intune subscription. We enter the user name in UPN format, provide the password, and then continue to the next wizard page.

10. On the Azure Active Directory Credentials page, perform the following steps, and then click Next:

a. In User name, type IntuneAdmin (where IntuneAdmin is the user account for the Windows Intune administrator account in UPN format).

b. In Password, type IntuneAdminPassword (where IntuneAdminPassword is the password for the Windows Intune administrator account specified in User name).

On this wizard page, we enter the credentials for a user who has administrator permission in our Active Directory domain. We enter the credentials, and then move on to the next wizard page.

11. On the Active Directory Credentials page, perform the following steps, and then click Next:

a. In User name, type CORP\Administrator.

b. In Password, type Passw0rd.

On this wizard page, we need to enable the tool to synchronize information from Azure Active Directory to our on-premises Active Directory infrastructure. We select the Enable Hybrid Deployment check box, and then continue to the next wizard page.

12. On the Hybrid Deployment page, select the Enable Hybrid Deployment check box, and then click Next.

On this wizard page, we need to enable password synchronization between Azure Active Directory and our on-premises Active Directory infrastructure. This helps users by requiring them to remember just one password instead of two: their on-prem AD password. Note that we don’t synchronize the actual passwords, just a hash of the passwords.

13. On the Password Synchronization page, select the Enable Password Sync check box, and then click Next.


On the Configuration page, we can see the progress of the Azure Active Directory Sync tool configuration. When configuration is complete, we click Next to continue to the next wizard page.

On the Configuration page, we can see the configuration progress. This process can take a few minutes. After the necessary period of time, the configuration is complete.

14. Click Next.

On the Finished page, we review the completion status. Note that the synchronization starts immediately (based on the Synchronize your directories now check box). Click Finish.

15. On the Finished page, hover the mouse pointer over the Synchronize your directories now check box, and then click Finish.

The Azure Active Directory Sync Tool Configuration Wizard dialog box appears.

16. In the Azure Active Directory Sync Tool Configuration Wizard dialog box, click OK.

17. Close Internet Explorer.

18. Close File Explorer.

Verifying directory synchronization

Talking point Action

The Directory Synchronization tool doesn’t take long to synchronize our on-premises Active Directory user accounts. In practice, this can take a while, but it will happen every 60 minutes, with passwords syncing every two minutes. Let’s go to the administration portal in Windows Intune to see if the user accounts have been synchronized yet.

If we go to the Users page, we can see that the users from our on-premises Active Directory infrastructure have been synchronized.

Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:

1. Open https://account.manage.microsoft.com in Internet Explorer.

2. In the navigation pane, under Management, click Users.

The Users page is displayed, which contains the list of users.

3. On the Users page, move the mouse pointer over the users who have been synchronized from the on-premises Active Directory infrastructure.


Now that we have verified directory synchronization, we’re ready to proceed to the next step in integrating System Center 2012 R2 Configuration Manager and Windows Intune.

Creating a user collection for Windows Intune device enrollment

Talking point Action

The next step in integrating System Center 2012 R2 Configuration Manager and Windows Intune is to create a user collection for users who will be managed through Windows Intune. This user collection is used to identify the users who can enroll devices in Windows Intune, which will subsequently be managed by System Center 2012 R2 Configuration Manager.

The quickest way to create our user collection is to use the Configuration Manager Windows PowerShell cmdlets. I’ll open a Windows PowerShell script in the Windows PowerShell ISE that contains the Windows PowerShell commands we need to run to create our user collection.

First, we need to load the ConfigurationManager Windows PowerShell module by using the Import-Module cmdlet, which we can see in line 1.

Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:

1. Start the Windows PowerShell ISE as an administrator.

2. In the Windows PowerShell ISE, open the Add_CM_Windows_Intune_User_Collection.ps1 script, which is stored in C:\DemoContent.

3. In Windows PowerShell ISE, highlight line 1 in the script, and then press F8 or click Run Selection on the toolbar at the top of the console.

The ConfigurationManager Windows PowerShell module is loaded.

The Configuration Manager cmdlets assume that we are working from the Configuration Manager Windows PowerShell provider. So, we will use the cd command to change to the provider. The Configuration Manager Windows PowerShell provider has the same name as our Configuration Manager site (NYC).

4. In Windows PowerShell ISE, highlight line 3 in the script, and then press F8 or click Run Selection on the toolbar at the top of the console.

The default directory is changed to the Configuration Manager provider (NYC).

The next step is to create the user collection by using the New-CMUserCollection cmdlet. The Name parameter provides the name of the new user collection (Windows Intune Users), and the LimitingCollectionName provides the parent collection that will limit the users who can be added to our collection (All Users and User Groups). For our purposes, we are including all users and user groups.

5. In the Windows PowerShell ISE, highlight line 5 in the script, move the mouse pointer over the parameters when discussed in the speaker notes, and then press F8 or click Run Selection on the toolbar at the top of the console.

The Windows Intune Users user collection is created.

Every user collection needs to have a way to determine the users who will belong to the collection, which are called membership rules. We need to create a membership rule for our new user collection by using the Add-CMUserCollectionQueryMembershipRule cmdlet. We specify the membership rule name in the RuleName parameter. We specify the user collection name to which the rule will be applied in the CollectionName parameter (which will be our Windows Intune Users collection). And finally, we create a rule based on a query of the Configuration Manager database, which is specified in the QueryExpression parameter. Our query will select all the users who are members of the Windows_Intune_Users Active Directory global security group (as you can see in the WHERE clause in the query).

6. In the Windows PowerShell ISE, highlight line 7 in the script, move the mouse pointer over the parameters when discussed in the speaker notes, and then press F8 or click Run Selection on the toolbar at the top of the console.

The Windows Intune Users user collection membership rule is created.

Now, let’s see what our new user collection looks like in the Configuration Manager console. If we go to the User Collections node in the Assets and Compliance workspace, we can see our Windows Intune Users user collection.

7. On the taskbar, click Configuration Manager Console.

The User Account Control dialog box opens.

8. In the User Account Control dialog box, click Yes.

The Configuration Manager console starts.

9. In the navigation pane of the Configuration Manager console, click Assets and Compliance.

10. In the Assets and Compliance workspace, go to Overview/User Collections.

11. In the details pane, click Windows Intune Users.

If we look at the properties of the Windows Intune Users user collection, we can also see the membership rule that we created in Windows PowerShell.

12. On the ribbon, click Properties in the properties group.

The Windows Intune Users Properties dialog box opens.


13. In the Windows Intune Users Properties, click the Membership Rules tab.

14. In the Windows Intune Users Properties, click Cancel.

Now, let’s see which users are members of the Windows Intune Users user collection. If we double-click the Windows Intune Users user collection, the list of members is automatically displayed in the details pane. We can see that Dan Park and Lori Penor are members of the collection.

Now that we’ve created our user collection, let’s configure the Windows Intune subscription for System Center 2012 R2 Configuration Manager.

15. In the details pane, double-click Windows Intune Users.

The users who are members of the Windows Intune Users user collection are displayed.
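The lab's Add_CM_Windows_Intune_User_Collection.ps1 is not reproduced on this page. The following added example (not the lab's script) performs the same operations with the cmdlets and parameters named above, written so it can be re-run without creating duplicates. The rule name, the module path derived from SMS_ADMIN_UI_PATH, and the WQL query against SMS_R_User.UserGroupName are assumptions.

```powershell
# Added example, not the lab's own script. Run on a machine with the
# Configuration Manager console installed (it ships the PowerShell module).

# Load the ConfigurationManager module. SMS_ADMIN_UI_PATH points at the console's
# bin\i386 folder; the module manifest sits one level up.
$modulePath = Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1'
Import-Module $modulePath

# The provider drive is named after the site code (NYC in this lab).
Set-Location 'NYC:'

$collectionName = 'Windows Intune Users'
$limitingName   = 'All Users and User Groups'
$ruleName       = 'Members of Windows_Intune_Users'   # assumed rule name

# WQL treats the backslash as an escape character inside string literals,
# so the DOMAIN\Group separator is doubled. PowerShell single quotes keep it as typed.
$groupForWql = 'CORP\\Windows_Intune_Users'
$query = "select * from SMS_R_User where SMS_R_User.UserGroupName = '$groupForWql'"

# Create the collection only if it does not exist yet.
if (-not (Get-CMUserCollection -Name $collectionName)) {
    New-CMUserCollection -Name $collectionName -LimitingCollectionName $limitingName | Out-Null
}

# Add the query rule only if a rule with this name is not already present.
# Membership is driven by the AD security group, so enrollment rights are
# granted or revoked by changing group membership, not by editing the collection.
$existingRule = Get-CMUserCollectionQueryMembershipRule -CollectionName $collectionName -RuleName $ruleName
if (-not $existingRule) {
    Add-CMUserCollectionQueryMembershipRule -CollectionName $collectionName `
        -RuleName $ruleName -QueryExpression $query
}

# List current members. The list can be empty until the site has evaluated
# the collection and discovered the group's users.
Get-CMUser -CollectionName $collectionName | Select-Object Name, ResourceID
```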

Configure the Windows Intune subscription

Talking point Action

Configuring the integration between System Center 2012 R2 Configuration Manager and Windows Intune is easy. The Create Windows Intune Subscription Wizard walks us through the process of collecting all the information necessary to integrate System Center 2012 R2 Configuration Manager and Windows Intune.

In the Configuration Manager console, we go to the Windows Intune Subscriptions node in the Administration workspace. On the ribbon, we click Add Windows Intune Subscription, which starts the Create Windows Intune Subscription Wizard.

We don’t need to provide any information on the Introduction wizard page, so we’ll just click Next.

Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:

1. In the navigation pane of the Configuration Manager console, click Administration.

2. In the Administration workspace, go to Overview/Cloud Services/Windows Intune Subscriptions.

3. On the ribbon, click Add Windows Intune Subscription in the Create group.

The Create Windows Intune Subscription Wizard starts.

4. In the Create Windows Intune Subscription Wizard, on the Introduction page, click Next.


On the Subscription page, we configure the account used to integrate with Windows Intune. This account must be a Windows Intune administrator account.

Note that configuring a Windows Intune subscription to be integrated with System Center 2012 R2 Configuration Manager is a permanent change and cannot be reversed. When this process is completed, you cannot interactively manage the Windows Intune subscription by using the Windows Intune administration portal.

We provide the credentials for the Windows Intune administrator account, and then sign in to Windows Intune. System Center 2012 R2 Configuration Manager will provide one more warning, and we click Yes to confirm the process. As we can tell, they want us to be certain, because this change cannot be reversed.

5. On the Subscription page, click Sign In.

The Set the Mobile Device Management Authority dialog box is displayed.

6. In the Set the Mobile Device Management Authority dialog box, select the I understand that after I complete the sign-in process, the mobile device management authority is permanently set to Configuration Manager and cannot be changed check box, and then click OK.

The Subscription dialog box is displayed.

7. In the Subscription dialog box, enter IntuneAdmin (where IntuneAdmin are the credentials for the Windows Intune administrator account), and then click Sign in.

The Configuration Manager dialog box is displayed.

8. In the Configuration Manager dialog box, click Yes.

9. On the Subscription page, click Next.

On this wizard page, we select the user collection (Windows Intune Users) that we created earlier in the demonstration. Again, users in this collection will be able to enroll their devices for management.

We also specify the company name (Contoso LTD) and our Configuration Manager site code (NYC).

We could also provide a URL for any company-specific privacy documentation and select a specific color scheme for our Company Portal. However, we’ll just accept the default values for these settings and move on to the next wizard page.

10. On the General page, click Browse.

The Select Collection dialog box is displayed.

11. In the Select Collection dialog box, click Windows Intune Users, and then click OK.

12. In Company name, type Contoso LTD.

13. In Configuration Manager site code, select NYC.

14. Click Next.

On the Platforms page, we select the device types that we want to support through Windows Intune. If we select all the check boxes for all the platforms (Android, iOS, Windows, and Windows Phone 8), we can see the requirements for each type of device.

15. On the Platforms page, select all the check boxes.

16. In Platform requirements, move the mouse pointer over the requirements for each type of device.


Android devices do not have any requirements; iOS devices require that we have an Apple Push Notification Service certificate.

Windows devices (including Windows 8.1, Windows RT 8.1, Windows 8, and Windows RT) require sideloading keys and a code-signing certificate. Windows Phone 8 devices require a code-signing certificate, as well.

We’ll clear the check boxes for iOS and Android, and then continue to the next wizard page.

17. Clear all check boxes.

18. Click Next.

On this wizard page, we provide contact information for the Windows Intune Company Portal. This information should provide users with contact information and additional help using the Windows Intune Company Portal.

For this demonstration, we will enter some fictitious information, and then continue to the next wizard page.

19. On the Company Contact Information page, perform the following steps, and then click Next:

a. In IT department contact name, type Mark Hassall.

b. In IT department phone number, type 1 555-555-5555.

c. In IT department email address, type [email protected].

d. In Support website URL, type https://support.contoso.com.

e. In Website name, type Contoso IT Support.

The Company Logo page lets us upload a company logo, which is shown on the Windows Intune Company Portal. For this demonstration, we don’t have a logo, so we will proceed to the next wizard page.

20. On the Company Logo page, click Next.

On the Summary page, we can see all the information collected during the wizard. All of this information is correct, so we click Next to configure our Windows Intune subscription.

21. On the Summary page, review the information the wizard has collected.

22. Click Next.

On the Progress page, we see the progress for configuring our Windows Intune subscription. This operation primarily works locally, so it doesn’t take too long.

23. On the Progress page, view the progress for creating the Windows Intune subscription.

On the Completion page, we see that our Windows Intune subscription has been successfully created. Most of the information here is a repeat of the information we saw earlier on the Summary page.

24. On the Completion page, review the information in Details, and then click Close.


However, we notice that we need to add the Windows Intune Connector site system role to our System Center 2012 R2 Configuration Manager environment. We will do that in the next demonstration. Everything looks good on this page, so we can click Close and move on to creating the Windows Intune Connector site system role.

Adding the Windows Intune Connector site system role

Talking point Action

Now that the Windows Intune subscription is complete (and our manage.microsoft.com DP has been added), we need to complete the System Center 2012 R2 Configuration Manager–Windows Intune integration by adding the Windows Intune Connector site system role. We do this by using the Add Site System Roles Wizard. This wizard walks us through the process of collecting all the information necessary to add the Windows Intune site system role.

In the Configuration Manager console, we go to the Windows Intune Subscriptions node in the Administration workspace. On the ribbon, we click Add Windows Intune Subscription, which starts the Create Windows Intune Subscription Wizard.

Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:

1. In the navigation pane of the Configuration Manager console, click Administration.

2. In the Administration workspace, go to Overview/Site Configuration/Servers and Site System Roles.

3. In the details pane, click \\CM.corp.contoso.com.

4. On the ribbon, click Add Site System Roles in the Server group, on the Home tab.

The Add Site System Roles Wizard starts.

On the General page, we can select the server to which we want to add the site system role. There is other information (like the site system account to be used when installing the site system role), but for our simplistic environment (one site server), we can accept the default values and move on to the next wizard page.

5. In the Add Site System Roles Wizard, on the General page, click Next.

The Proxy page is used when we want to specify a web proxy server that provides Internet connectivity. Again, for this simple environment, we don’t have a web proxy server, so we can accept the default values and move on to the next page.

6. On the Proxy page, click Next.

This wizard page is where we select the Windows Intune Connector site system role. We select the check box next to the role, and then move on to the next wizard page.

7. On the System Role Selection page, select the Windows Intune Connector check box, and then click Next.

On the Summary page, we can see all the information collected during the wizard. All of this information is correct, so we click Next to install the Windows Intune Connector site system role.

8. On the Summary page, review the information the wizard has collected.

9. Click Next.

On the Progress page, we see the progress for installing the Windows Intune Connector site system role. This operation primarily works locally, so it doesn’t take too long.

10. On the Progress page, view the progress for installing the Windows Intune Connector site system role.

On the Completion page, we see that our Windows Intune Connector has been successfully installed. Most of the information here is a repeat of the information we saw earlier on the Summary page.

Everything looks good on this page, so we can click Close and see whether our Windows Intune Integration is working.

11. On the Completion page, review the information in Details, and then click Close.

Verifying System Center 2012 R2 Configuration Manager–Windows Intune integration

Talking point Action

Now that the System Center 2012 R2 Configuration Manager–Windows Intune integration is configured, let’s go to Windows Intune and verify that the integration was successful. We can verify the integration by ensuring that the Mobile Device Management Authority for Windows Intune is set to Configuration Manager.

First, we log in to the Windows Intune administration portal by using our Windows Intune administrative credentials.

Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:

1. In Internet Explorer, go to https://manage.microsoft.com.

The Windows Intune sign-in web page appears.


2. On the Windows Intune sign-in web page, type IntuneAdmin (where IntuneAdmin is the administrative credentials for the Windows Intune subscription), and then click Sign in.

The Windows Intune administration portal is displayed.

We can view the configuration of the Mobile Device Management Authority in the Mobile Device Management node in the Administration workspace. If we look immediately beneath the Mobile Device Management Authority section, we see the status Mobile device management authority: Set to Configuration Manager. This status tells us that Windows Intune mobile device management is managed by System Center 2012 R2 Configuration Manager and that our integration was successful.

3. In the Windows Intune administration portal, in the navigation pane, click Administration.

4. In the Administration workspace, click Mobile Device Management.

5. In the details pane, notice the text immediately beneath the Mobile Device Management Authority section (which indicates that System Center 2012 R2 Configuration Manager is the authority). You should no longer manage Windows Intune from the management portal. It is fine to manage the accounts from http://account.manage.microsoft.com.

6. Close this Internet Explorer tab.

As you can see, integration of System Center 2012 R2 Configuration Manager with Windows Intune is easy to configure. This integration extends the management capabilities of System Center 2012 R2 Configuration Manager to include devices that are not domain members or that are never attached to an organization’s intranet. System Center 2012 R2 Configuration Manager and Windows Intune provide a unified management solution for a broad range of users and their devices.


Authorizing users in Windows Intune

Talking point Action

Now that System Center 2012 R2 Configuration Manager–Windows Intune integration is configured, let’s go to Windows Intune and verify that the integration was successful. We can verify the integration by ensuring that the Mobile Device Management Authority for Windows Intune is set to Configuration Manager.

First, we log in to the Windows Intune administration portal by using our Windows Intune administrative credentials.

Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:

1. In Internet Explorer, go to https://account.manage.microsoft.com.

The Windows Intune sign-in web page appears.

2. On the Windows Intune sign-in web page, type IntuneAdmin (where IntuneAdmin is the administrative credentials for the Windows Intune subscription), and then click Sign in.

The Windows Intune administration portal is displayed.

Now, let’s select some of our synchronized users who are members of the Windows Intune Users collection in System Center 2012 R2 Configuration Manager, which we created earlier in the demonstration. If you remember, Dan Park and Lori Penor were the users who were members of that collection. Users in the Windows Intune Users collection are authorized to enroll devices to Windows Intune.

First, we select Dan Park and Lori Penor, and then click the Activate synched users link to start the Activate Synced Users Wizard. This wizard walks us through the process of activating our synched users.

3. In the navigation pane, under Management, click Users.

The Users page is displayed.

4. On the Users page, select the check boxes next to Dan Park and Lori Penor.

5. From the Actions menu, click the Activate synched users link.

Tip: The Actions menu is immediately above the list of users.

The Activate Synced Users Wizard starts.

On the Windows Intune user group page, we select the primary country in which the user will reside from the list.

Note that the users will automatically be made members of the Windows Intune user group in Windows Intune. This means that Windows Intune can manage the users.

Let’s move on to the next wizard page.

6. In the Activate Synced Users Wizard, on the Windows Intune user group page, in Set user location, select location (where location is the location of the user, such as United States or Canada), and then click Next.


On this wizard page, we verify that the email address listed is correct. An email message will be sent to this address that contains the new user passwords for the users that we are activating. The email address looks correct, so we click Activate to activate the users.

7. On the Send results in email page, verify that the email address is correct, and then click Activate.

On this wizard page, we see the temporary passwords that have been created for our users. We start Notepad and save these passwords for later in the demonstration. The users will be asked to change their password the first time they log on to Windows Intune. The passwords are sent by email in case the users forget them before they log on for the first time.

Now that we have saved the passwords, we can finish the wizard and move on to enrolling a device with Windows Intune.

8. Start Notepad.

9. On the Results page, copy and paste the temporary passwords for Dan Park and Lori Penor into Notepad.

10. Click Finish.

Creating a virtual private network profile

Talking point Action

Before we focus on the Windows 8.1 and Windows Phone 8 / 8.1 device side of management, let's create a virtual private network (VPN) profile that we can use to determine whether we are successful. If successful, all managed devices should receive the VPN profile we are going to create.

We create VPN profiles in the VPN profiles node in the Assets and Compliance workspace by completing the Create VPN Profile Wizard.

Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:

1. In the navigation pane of the Configuration Manager console, click Assets and Compliance.

2. In the Assets and Compliance workspace, go to Overview/Compliance Settings/Company Resource Access/VPN Profiles.

3. On the ribbon, click Create VPN Profile in the Create group, on the Home tab.

The Create VPN Profile Wizard starts.


On this wizard page, we type the user-friendly name for our VPN profile. This name appears in the Configuration Manager console only, not on the devices. We enter our VPN profile name, and then continue to the next wizard page.

4. In the Create VPN Profile Wizard, on the General page, in Name, type Contoso VPN Profile, and then click Next.

On this page, we select the type of VPN connection we want to make. Many VPN server vendors are supported. For our purposes, we select the Microsoft Automatic connection type.

Next, we add a VPN server (or VPN server farm) to the VPN connection. In the Add or Edit VPN Server dialog box, we enter a friendly name and the fully qualified domain name (FQDN) for our VPN server farm.

Finally, we configure the connection-specific Domain Name System (DNS) suffix for our VPN connection (corp.contoso.com).

Now that we've set those values, let's move on to the next wizard page.

5. On the General: Connection page, in Connection type, select Microsoft SSL (SSTP).

6. In Server list, select Add.

The Add or Edit VPN Server dialog box appears.

7. In the Add or Edit VPN Server dialog box, complete the following steps:

a. In Friendly name, type Contoso VPN Server Farm.
b. In IP address or FQDN, type remote.contoso.com.
c. Click OK.

8. In Connection specific DNS suffix, type corp.contoso.com.

9. Click Next.

On this page, we select the authentication method our VPN connection will use. A variety of authentication methods (protocols) are supported, but for our purposes, we select an authentication method that Windows 8.1 and Windows Phone 8.1 support (MSCHAP v2). After we have selected the appropriate authentication method, we will move on to the next wizard page.

10. On the General: Authentication Method page, in Authentication method, select MSCHAP v2, and then click Next.

On this page, we can configure any proxy settings required for our VPN connection. Again, we don't need to configure these settings, so we will go on to the next wizard page.

11. On the General: Proxy Settings page, click Next.

On this page, we can configure whether we want the VPN to connect automatically based on a DNS domain suffix. For example, we could automatically establish the VPN connection anytime the user referenced the domain name corp.contoso.com. So, if the user used corp.contoso.com in a URL or in a Universal Naming Convention path, Windows 8.1 would automatically establish the VPN connection.

We don't need to automatically start the VPN connection, so let's move on to the next wizard page.

12. On the General: Automatic VPN page, click Next.

On this page, we select the applicable operating system platforms for our VPN profile. For our purposes, we want to select all Windows 8.1 platforms and all Windows Phone platforms.

After we have selected the appropriate platforms, we’re ready to move on to the next wizard page.

13. On the General: Supported Platforms page, select the following check boxes:

Windows 8.1 and all sub-check boxes

14. Click Next.

On this wizard page, we review all the information collected during the wizard. After we have reviewed the information, we click Next to create our VPN profile.

15. On the Summary page, review the information collected during the wizard, and then click Next.

On this wizard page, the progress for creating our VPN profile is displayed. After the VPN profile has been created, the Completion wizard page is displayed.

16. On the Progress page, monitor the progress for creating the VPN profile.

On this wizard page, we review the completion status of the wizard. We can see that everything worked properly, so we click Close to finish the wizard.

We can see that Contoso VPN Profile appears in the list of available VPN profiles.

17. On the Completion page, review the completion status of the wizard, and then click Close.

Contoso VPN Profile appears in the list of VPN profiles.

18. Keep the Configuration Manager console open.

Deploying a VPN Profile

Talking point Action

After we have created our VPN profile, we need to deploy it to our users. We deploy VPN profiles by using the Deploy VPN Profile dialog box in the Configuration Manager console. Let's open the dialog box and deploy our Contoso VPN Profile.

Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:

1. In the navigation pane of the Configuration Manager console, click Assets and Compliance.

2. In the Assets and Compliance workspace, go to Overview/Compliance Settings/Company Resource Access/VPN Profiles.

3. In the details pane, click Contoso VPN Profile.

4. On the ribbon, click Deploy in the Deployment group, on the Home tab.

The Deploy VPN Profile dialog box appears.

In the Deploy VPN Profile dialog box, we need to select the user collection to which we will deploy our VPN profile. In our scenario, we select our Windows Intune Users user collection.

Other settings in this dialog box affect the generation of alerts and schedule-related settings. We could customize these settings based on our organization's requirements, but for now, we don't need to configure anything other than the targeted collection, so click OK to deploy our VPN profile.

We've seen how easy it is to integrate System Center 2012 R2 Configuration Manager and Windows Intune. Now, let's look at how to enroll devices and deploy the VPN profile that we created.

5. In the Deploy VPN Profile dialog box, click Browse.

The Select Collection dialog box appears.

6. In the Select Collection dialog box, click Windows Intune Users, and then click OK.

The Deploy VPN Profile dialog box gains focus.

7. In the Deploy VPN Profile dialog box, click OK.

The Contoso VPN Profile shows Yes in the Deployed column.

8. Minimize the Configuration Manager console.

Enabling Windows 8.1 device management for the Windows Intune subscription

Talking point Action

We configure the Windows Intune subscription that we added earlier in the process in the Configuration Manager console. We go to the Windows Intune Subscriptions node in the Administration workspace. On the ribbon, we click Properties, which opens the Windows Intune Subscription Property dialog box. Because we are configuring Windows 8.1 device management, we go to the Windows tab.

Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:

1. In the navigation pane of the Configuration Manager console, click Administration.

2. In the Administration workspace, go to Overview/Cloud Services/Windows Intune Subscriptions.

3. In the details pane, click Windows Intune Subscription.

4. On the ribbon, click Properties in the Properties group.

The Windows Intune Subscription Property dialog box opens.

5. In the Windows Intune Subscription Property dialog box, click the Windows tab.

On the Windows tab, we provide the necessary items to support Windows devices, which means we configure a code-signing certificate.

For this demonstration, we will use a certificate that was used to code-sign a Windows Store app, which is located on DC.

6. On the Windows tab, select the Enable Windows enrollment check box.

7. Click Browse.

The Open dialog box is displayed.

8. In the Open dialog box, go to \\DC\Source$\SampleApps, select Tiles_Sample.cer, and then click Open.

9. Click OK.

We also need to provide a sideloading key. We enter the sideloading key in the Software Library workspace.

We would typically obtain a sideloading key from Microsoft licensing for our organization, but for the purposes of these steps, we’ll enter a fictitious sideloading key.

10. In the navigation pane of the Configuration Manager console, click Software Library.

11. In the Software Library workspace, go to Overview/Application Management/Windows Sideloading Keys.

12. On the ribbon, click Create Sideloading Key in the Create group.

The Specify Sideloading Key dialog box opens.

13. Complete the Specify Sideloading Key dialog box by performing the following steps:

a. In Name, type Contoso Sideloading Key.
b. In Key, type 12345-12345-12345-12345-12345.
c. Provide 5 activations.
d. Click OK.


The new sideloading key appears in the details pane.

After entering the code-signing certificate and the sideloading key, we have successfully configured the Windows Intune subscription in System Center 2012 R2 Configuration Manager to manage Windows 8.1 devices. Now, let's enroll our Windows 8.1 device with Windows Intune.

14. Minimize the Configuration Manager console.

Associating Microsoft account with local user account

Talking point Action

As the first step, we need to associate a Microsoft account with the CORP\Lori domain account. We will do that by using the Connect to a Microsoft account on this PC wizard.

Perform the following steps on BYOD logged on as Lori Penor with the password Passw0rd:

15. Press Win + I, and then click Change PC settings.

16. Tap or click Accounts.

17. Tap or click Connect to a Microsoft account.

18. The Connect to a Microsoft account on this PC wizard starts.

19. Enter Lori’s password: Passw0rd

20. Select the link Create a new account; be sure to note your password.

21. Fill out the requested details, and then click Next.

22. On the Add security info page, enter at least a Birthdate (16 or older), a Gender, and one alternate email address, and then click Next.

23. On the Communication Preferences page, enter the characters shown, and then click Next.

24. On the Help us protect your info page, click the I can’t do this right now link.

25. Click Next, and then click Switch.

Enrolling Windows 8.1 device with Windows Intune

Talking point Action

Now that we've configured System Center 2012 R2 Configuration Manager and Windows Intune to support Windows 8.1, let's enroll our Windows 8.1 device.

To enroll their Windows 8.1 devices, users provide their email address. Windows 8.1 takes the domain portion of their email address and performs auto-discovery by looking for a DNS record named EnterpriseEnrollment. For example, if the user's email account is [email protected], then Windows 8.1 automatically looks for EnterpriseEnrollment.contoso.com (which points to manage.microsoft.com).

The problem is that in our environment, we do not have a public-facing DNS where we could add the EnterpriseEnrollment.contoso.com DNS record. Instead, we will use a workaround by making a registry modification.

Again, although this works for our evaluation environment, we should never do this in a production environment. Instead, we should add the EnterpriseEnrollment DNS record to our public-facing DNS.
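A production check for the discovery record described above, as an added example that is not part of the lab or of any Microsoft script. It derives the EnterpriseEnrollment name from a user ID and confirms that the CNAME points to the expected service, because a record that points anywhere else would send users' enrollment sign-ins to the wrong host. The function name Test-EnrollmentDiscovery, the injectable resolver, and the sample domains are assumptions made for this example.

```powershell
# Added example: verify the EnterpriseEnrollment auto-discovery record for a user ID.
function Test-EnrollmentDiscovery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        # Target named on this page; override if your service uses another host.
        [string] $ExpectedTarget = 'manage.microsoft.com',
        # The resolver is injectable so the logic can be exercised without network access.
        [scriptblock] $Resolver = {
            param($Name)
            Resolve-DnsName -Name $Name -Type CNAME -DnsOnly -ErrorAction Stop
        }
    )

    # A user ID must be local-part@domain with exactly one '@'.
    $parts = $UserPrincipalName.Trim().Split('@')
    if ($parts.Count -ne 2 -or -not $parts[0] -or -not $parts[1]) {
        throw "Not a valid user ID: '$UserPrincipalName'"
    }
    $lookup = 'EnterpriseEnrollment.{0}' -f $parts[1].ToLowerInvariant()

    $result = [ordered]@{
        LookupName = $lookup
        Target     = $null
        Status     = 'NotFound'
    }

    try {
        # Keep only the CNAME answer for the name we asked about
        # (a response can also carry SOA or chained records).
        $cname = & $Resolver $lookup |
            Where-Object { $_.Type -eq 'CNAME' -and $_.Name.TrimEnd('.') -eq $lookup } |
            Select-Object -First 1
    }
    catch {
        # NXDOMAIN, timeout, or no DNS server reachable: discovery would fail.
        return [pscustomobject]$result
    }

    if (-not $cname) {
        # The name exists but is not a CNAME (for example, only an A record).
        $result.Status = 'NoCname'
        return [pscustomobject]$result
    }

    $result.Target = $cname.NameHost.TrimEnd('.')
    $result.Status = if ($result.Target -eq $ExpectedTarget) { 'Ok' } else { 'WrongTarget' }
    [pscustomobject]$result
}

# Constructed sample records (not real DNS data) covering each outcome offline.
$constructedResolver = {
    param($Name)
    switch ($Name) {
        'EnterpriseEnrollment.contoso.com' {
            [pscustomobject]@{ Name = $Name; Type = 'CNAME'; NameHost = 'manage.microsoft.com' }
        }
        'EnterpriseEnrollment.fabrikam.example' {
            [pscustomobject]@{ Name = $Name; Type = 'CNAME'; NameHost = 'mdm.other.example' }
        }
        default { throw "DNS name does not exist: $Name" }
    }
}

'user@contoso.com', 'user@fabrikam.example', 'user@unknown.example' |
    ForEach-Object { Test-EnrollmentDiscovery -UserPrincipalName $_ -Resolver $constructedResolver } |
    Format-Table -AutoSize
```

Omit the -Resolver argument to query live DNS with Resolve-DnsName.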

Perform the following steps on BYOD logged on as the Microsoft account that was associated with the BYOD\Lori account earlier in the process:

1. Start the Windows PowerShell integrated scripting environment (ISE) as an administrator.

2. In the Windows PowerShell ISE, open the Contoso_BYOD_WindowsIntune_Override_Enrollment_UPN.ps1 script, which is stored in the C:\DemoContent folder.

3. In Windows PowerShell ISE, highlight the entire script, and then press F8 or click Run Selection on the toolbar at the top of the console.

Tip: You can highlight the entire script by pressing Ctrl+A.

The registry is updated.

4. Minimize the Windows PowerShell ISE.

We enroll our device on the Workplace panel, in the Network panel, in PC settings.

5. In the notification area (system tray), click the network icon.

The Networks panel is displayed.

6. On the Networks panel, select View Connection Settings.

PC settings opens and displays the Network panel.

7. In PC settings, in the Network panel, select Workplace.


The Workplace panel opens.

Users only need their email account to enroll their device, so we enter our Lori Penor email address, and then click Turn on. This allows System Center 2012 R2 Configuration Manager and Windows Intune to manage our device.

8. In the Workplace panel, in Enter your user ID to get workplace access or turn on device management, type [email protected] (where xxx is the domain for the Windows Intune subscription), and then click Turn on.

Windows 8.1 locates the Windows Intune servers. The Windows Intune sign in page is displayed.

We need to enter the password for our Windows Intune account and sign in to Windows Intune.

9. On the Windows Intune sign in page, in Password, type the password for [email protected] (where xxx is the domain for the Windows Intune subscription) that you noted in Notepad on the CM server, and then click Sign in.

10. When prompted, change the password to Passw0rd. Directory Sync will eventually update this password with the on-prem AD password for this account.

The Allow apps and services from IT admin page is displayed.

After we are signed in to Windows Intune, Windows 8.1 displays a notification about apps and services being provided by the organization's IT admin. This notification makes the user aware that some features of their device will now be managed by the IT department. This is especially critical in BYOD scenarios, where the user owns the device. Let's agree to allow our organization to manage our device. When we have connected to the workplace, we can close PC settings.

11. On the Allow apps and services from IT admin page, review the information, select I agree, and then click Turn on.

Windows 8.1 connects to the workplace.

12. Close PC settings.

Now, let's install the Company Portal app. We can do this by searching for the app on the Start screen. When we find the Company Portal Install app entry, we select it and are taken to the Company Portal app page in the Windows Store app.

13. On the Start screen, type Company Portal.

The list of search results is displayed.

14. In the list of search results, select Company Portal Install app.

The Windows Store app opens to the Company Portal app.


Let's install the Company Portal app. It only takes a few minutes for the installation process to finish, and we are notified that the Company Portal app was successfully installed.

15. On the Company Portal app page, click Install.

Company Portal app installation begins. After a few moments, you are notified that installation is complete.

16. Close the Windows Store app.

Now, let's run the Company Portal app. Again, we search for the app, and then select it from the list of search results.

17. On the Start screen, type Company Portal.

The list of search results is displayed.

18. In the list of search results, select Company Portal.

The Company Portal app starts, and the Windows Intune sign-in page appears.

We need to sign in to Windows Intune, so we provide Lori Penor's Windows Intune credentials. The Company Portal app opens.

19. On the Windows Intune sign-in page, in Password, type the password for [email protected] (where xxx is the domain for the Windows Intune subscription), and then click Sign in.

The Company Portal information is displayed.

In the Company Portal app, our BYOD device is listed under My Devices.

20. In the Company Portal app, under My Devices, view the list of devices.

If we scroll to the right, we can see the contact information for the Contoso IT department. We entered this information when configuring our Windows Intune subscription. We can see the contact name, phone number, and other information that we provided.

21. In the Company Portal app, scroll to the right.

22. Under Contact IT, view the contact information for the IT department.

Now, let's see if our VPN profile was deployed to our Windows 8.1 device.

23. Close the Company Portal app.


Verifying VPN profile is deployed to Windows 8.1 device

Talking point Action

Now, let's see if the VPN profile that we deployed earlier has been deployed to our Windows 8.1 device. To ensure that our Windows Phone device has the most recent settings, we will sync our device with our Contoso LTD workplace (Windows Intune). We can do this by running the MDMAgent.exe command from an elevated command prompt.

Perform the following steps on BYOD logged on as the Microsoft account that is associated with the BYOD\Lori account created earlier in the process:

1. Press Windows logo key+X, and then click Command Prompt (Admin).

The User Account Control dialog box is displayed.

2. In the User Account Control dialog box, click Yes.

If we run the MDMAgent.exe command, Windows 8.1 immediately starts syncing with our Windows Intune subscription. After a few moments, the synchronization process is complete and our device has the most current settings.

3. At the command prompt, type the following command, and then press Enter:

MDMAgent.exe

The command runs successfully, but no status message is displayed.

4. Minimize the command prompt.

Now, let's click the network icon in the notification area to open the Networks panel. As we can see, the Contoso VPN Profile VPN connection that we created earlier is listed, which confirms that we were successful.

5. In the notification area (system tray), click the network icon.

The Networks panel opens.

6. The Contoso VPN Profile VPN connection is listed in the Networks panel.

Note: It can take up to five minutes for the connection profile to show up in the Networks panel.

Let's go back to the desktop on our device.

As we have seen, it is easy to configure System Center 2012 R2 Configuration Manager and Windows Intune to support Windows 8.1. And it is also easy for users to enroll their devices in the workplace (Windows Intune subscription) that we create.

7. Click anywhere on the desktop.

The Networks panel closes.


We have also seen how configuration settings (such as VPN profiles) are pushed to devices, which helps ensure that all of our devices are compliant with organizational and regulatory agency standards.

Of course, this is but a small sample of the management potential, but we can see how easy it is to perform mobile device management by using System Center 2012 R2 Configuration Manager and Windows Intune.

You have completed this lab. Congratulations!
