Sysctr Enterprise Client Management : It will be a busy fall …

August 20, 2014 at 7:24 am in even, events, IT-Dev Connections, IT/Dev Connections, mms, MMS-2014, MMS2014, speak, speaking by Kenny Buntinx [MVP]

 

A lot of exciting things are happening in the System Center community these days with a lot of events around the corner.

IT-Dev Connections , SCU Europe , TechED Europe and Midland Management Summit 2014 are right around the corner and other local user group events are being planned as well.

I always enjoy being part of these events and meet old and new friends all with the same interest: System Center products and common technology’s

imagesNY3IY65Z

This blog post will be around my events I will attended and support from the community. It will list all sessions which I’m presenting and attending , both national and International.

Hope you will attend one of my sessions and if you do, make sure to take the time to meet up and have a beer !

Date Event Location Sessions
15-19 September IT/Dev Connections Las Vegas
1 October SCUG.BE Microsoft HQ Belgium To be determined , but hey , we will have a local CDM speaker and we have Jason Sandys in the house for ECM.
4 October App-V User Group UK 2014 London – Microsoft Attendee …
3-7 November MVP Summit Microsoft HQ Redmond NDA – What can I say Emoticon die tong uitsteekt :-P
10-12 November Midland Management Summit  2014 Minnesota

 

Hope it Helps,

Kenny Buntinx

Enterprise Client Management MVP

SCCM 2012 : “Another Installation is already in Progress” when deploying Applications thru OSD deployment.

August 18, 2014 at 11:26 am in agent, Application Model, applications, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, OSD, SCCM 2012, SCCM 2012 R2, SCCM 2012 SP1, Task Sequence by Kenny Buntinx [MVP]

 

At one of my current customers, I have been stuck for two days now, that one or two randomly selected applications where failing If we looked in the ‘Status Messages’ and dig al little deeper , we saw in there that :

‘Another installation is already in progress.Complete that installation before proceeding with this install.’

 image

Knowing this is a highly secured environment , my first guess would be policies. However I overruled this thinking strategy because during the OSD process , GPO’s aren’t applied …—> That is a fact , except for one scenario I already blogged about it as described here  ‘http://scug.be/sccm/2013/02/13/configmgr-2012-rtmsp1-applications-failed-to-install-during-osd-with-error-code-16389-and-denied-logon-for-domain-users-policy/’ , but that was not the issue…

Back to the drawing board and digging deeper in the smstslog file … Suddenly when hitting the F8 button a popup arrived that I needed a reboot to complete the “Kaspersky Antimalware Client”  … WTF is that doing in my task sequence.

Apparently someone at the customer decided to set a policy at the Kaspersky management server , to Push / Install a Kaspersky client when he detects and scans the network for computers that did not had a Kaspersky mgmt. agent installed. That little process hijacked my Task sequence installation process and jumped in the middle to install that Kaspersky agent .

Case Closed …My advise – before troubleshooting Configmgr , just start asking questions who did changes on other parts of the environment Emoticon die tong uitsteekt

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

MVP Award Renewal for 2014-2015: Enterprise Client Management

July 1, 2014 at 7:02 pm in ECM, MVP by Kenny Buntinx [MVP]

 

I’m very proud to inform you that my MVP award got renewed for the year 2014 – 2015 on Enterprise Client Management. This is certainly a great honor for me.

Thank you Microsoft, blog readers and all the community members that helped me out!

Thanks for the recognition. I am delighted.

Kenny Buntinx

Enterprise Client Management MVP

images7T7SFLEG

ITPROceed – Take home a signed copy of Jack Madden’s EMM Book!

June 10, 2014 at 7:27 pm in EMM, it, ITPROceed, MDM, UDM by Kenny Buntinx [MVP]

 

A few weeks ago Tim De Keukelaere and myself have had the honor to attend and present a session at BriForum in London.

During the event we have had the chance to network and meet up with some great people. One of them was Jack Madden (@jackmadden) who is an expert in the field of Enterprise Mobility Management. We brought home a few copies of his new book on Enterprise Mobility Management. Jack was kind enough to sign the books for us – which adds some extra uniqueness to them.

We will be raffling these books during the next session Tim and I are presenting, which will be at ITPROCeed in Antwerp this Thursday. If you have registered for the event then make sure to attend our session to have a chance on taking home a signed copy of the book.

See you at ITPROCeed!

Kenny Buntinx

Enterprise Client Management MVP

Windows Intune & ConfigMgr 2012 : Notes from the field around Compliance Settings and enrollment

June 8, 2014 at 4:00 pm in BYOD, Cloud, CM12, CM12 R2, configmgr 2012 R2, ConfigMgr 2012 SP1, ECM, email Profile, email Profiles, intune, iOS, ipa, Ipad, ITPROceed, MDM, OMA-DM, OMA-URI, personal, plist, policy, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, UDM, windows 8.1, Windows Intune, Windows Intune Extensions, Windows Phone 8.1, Windws Intune, Work Folders, WP 8.1 by Kenny Buntinx [MVP]

 

Today there isn’t much hands on information about managing mobile devices such as Windows Phone , iPhone or Android using the MDM solution with Windows Intune and System Center Configuration Manager 2012 R2. This blog post is intended to give you better knowledge and to consolidate the earlier blogs I have been writing. Troubleshoot MDM in Intune / ConfigMgr

The big challenge is troubleshooting mobile device management in general, but particularly using ConfigMgr and Intune because a current Configmgr is a product that is known for its extensive logging.

With Windows Intune connected to System Center Configuration Manager 2012 R2, you have 6 log files on premise where you can look into:

  • ConnectorSetup.log (Records details of connector role installation)
  • FeatureExtensionInstaller.log (Records information about the installation and removal of individual extensions when they are enabled or disabled in the Configuration Manager console)
  • CertMgr.log (Records certificate and proxy account information)
  • Cloudusersync.log (Records license enablement for users)
  • DMPuploader.log (Records details for uploading database changes to Windows Intune)
  • DMPdownloader.log (Records details on downloads from Windows Intune)

1. Enrolling the mobile devices

  • OMA-DM and OMA-URI:

First of all, you will need to know what OMA-DM is. OMA-DM is an open standard that Apple – Android and Microsoft are using. All MDM solutions use the OMA-DM API to manage those devices. More information on OMA-DM can be found here.

Microsoft has released together with WP 8.1, a comprehensive guide called; ‘Windows Phone 8.1 MDM protocol documentation’. You will need this guide as a reference to find all custom not-so-out-of-the-box OMA-URI’s. An OMA-URI can be seen as a registry setting or hive. You can download it here.

If enrollment does not work, please verify that the right platform is selected in your “windows Intune Subscription”, otherwise you will get these kind of errors:

ERROR: Service health log: User ‘******************************32ad82′ is not eligible to enroll a device of type ‘WindowsPhone’. Reason ‘DeviceTypeNotSupported’.

clip_image002[4]

  • Enrollment for Windows Phone 8 or 8.1:

Enrollment for Windows Phone happens does not have the same experience like IOS or Android. With Windows Phone 8 or 8.1 you will need to go to the settings page and search for either ‘company portal’ or ‘workplace join’. Don’t you love Microsoft’s consistency here?

  • Trouble enrolling your Windows Phone?

SSP portal software Certificate Signing :

Make sure that your SSP portal software is signed with either your personal ‘Symantec Certificate’ you need to buy or you use the “support tool for Windows Intune”. Download the company portal at Windows Intune Company Portal for Windows Phone.

If the SSP Portal is not signed correctly or the certificate expired, your phones will stop enrolling and you’ll never get any error message. It just shows you on the phone it can’t find the server…

Read the release notes for sure :

Read here: http://technet.microsoft.com/en-us/library/jj662694.aspx

Windows Phone 8.1 devices fail to enroll with Windows Intune when device authentication is enabled in AD FS 2012 R2 (aka 3.0) called ‘Workplace Join’.

Issue: When you enroll a Windows Phone 8.1 device, enrollment fails if the optional setting for device authentication is enabled as part of global authentication policy in Active Directory Federated Services (AD FS).

Workaround: Disable device authentication on the AD FS server by unchecking Enable device authentication in Edit Global Authentication Policy.

  • Your phone is enrolled and you want to protect it from enrollment?

You have corporate owned Windows Phones and you want the option when a ‘device owner’ in CM12 R2 is set to “corporate” , a user can’t un-enroll a “corporate” device and to prevent them from doing so , unless you are the ConfigMgr 2012 MDM admin.

As this seemed a logic to me, we couldn’t do it out of the box with windows phone 8 or 8.1 and Windows Intune. Missed opportunity, I would say. However with the launch of Windows Phone 8.1 at Build conference , there was a new set of OMA-DM management capabilities being added.

Read the complete blog post on how to do it here:

ConfigMgr 2012 R2 & Windows Intune UDM : How to prevent an “End-User” can un-enroll his “Corporate” Windows Phone 8.1 at http://scug.be/sccm/2014/04/24/configmgr-2012-r2-windows-intune-udm-how-to-prevent-an-end-user-can-un-enroll-his-corporate-windows-phone-8-1/

  • Enrollment for IOS or Android :

On an iOS device open the Apple App Store., search for Company Portal, select the Windows Intune Company Portal from the list of available apps. Once installed, open the application and ‘Click’ on Add Device, You will be presented with information about the portal, click on Add in the top right corner.

There are no specific requirements for enrolling Android devices except enrolling thru the Self Service Portal.

2. Debugging on the mobile devices

There really are not that much you can see in terms of what is going on between the Intune tenants in the cloud and the mobile device itself. There is no real interface to push or pull stuff so you are pretty much left in the dark many times.

However most of the changes made in ConfigMgr are replicated up to the Intune Cloud service every 5 minutes. Apart from that you just will have to wait for things to happen.

  • WP 8 / 8.1: Really nothing you can see on the device. No log file that you can find, retrieve or view. Microsoft should really do something about this.

 

  • IOS: Shake it, shake it hard! There is however one log file and that can be accessed from an iOS device by logging into the Company Portal app. After login, shake the iPhone or iPad. Shake the phone and you will see options to send the log file via email for further analysis.

Funny Note: The shake action is disable-able from iOS / Settings area.  For a fun practical joke on a colleague you can disable the shake action and see how long they shake the device before giving up!

  • Android: No specific experiences , but honestly , I don’t think there is something that Microsoft provides out of the box

If you get the UserLicenseTypeInvalid error message when trying to enroll an iOS/Andriod device , most likely this is due to users not being synced or having an issue with the Configmgr AD user discovery or if the ConfigMgr connector to the Intune service didn’t sync properly as than they are missing from the “Intune users” collection.

3. Targeting the mobile devices

Divide Mobile devices into different collections for Windows Phones, Windows RT, Android, iPads and iPhones if you for instance want to target different compliance settings to different sets of devices.

Create your collections based on the class “Mobile Device Computer System” where the “Device Model” is your key identifier.

  • The query to list all Windows Phone 8 in a collection:

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_G_System_DEVICE_OSINFORMATION on SMS_G_System_DEVICE_OSINFORMATION.ResourceID = SMS_R_System.ResourceId where SMS_G_System_DEVICE_OSINFORMATION.Platform like "Windows Phone" and SMS_G_System_DEVICE_OSINFORMATION.Version like "8.0%"

  • The query to list all Windows Phone 8.1 in a collection:

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_G_System_DEVICE_OSINFORMATION on SMS_G_System_DEVICE_OSINFORMATION.ResourceID = SMS_R_System.ResourceId where SMS_G_System_DEVICE_OSINFORMATION.Platform like "Windows Phone" and SMS_G_System_DEVICE_OSINFORMATION.Version like "8.1%"

  • The query to list all Windows Phone RT in a collection:

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.Model like "Surface%"

  • The query to list all iPhones in a collection:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_DEVICE_COMPUTERSYSTEM on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "%iphone%"

  • The query to list all iPads in a collection:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_DEVICE_COMPUTERSYSTEM on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "%ipad%"

  • The query to list all Android in a collection:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_DEVICE_COMPUTERSYSTEM on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "Android%"

4. Targeting Applications on the mobile devices

WP 8 / 8.1:

You first need to join the Windows Phone Dev Center before you can request a code-signing certificate from Symantec. Your Windows Phone Dev Center account is required to obtain a code signing certificate from Symantec. If you are not in a hurry and want to do a POC or for a trial certificate, see Support tool for Windows Phone trial management .

This Symantec certificate is needed to deploy the company portal app. Download the company portal at Windows Intune Company Portal for Windows Phone.

Windows Phone 8.1 can handle *.xap, *.appx, *.appxbundle while windows phone 8.0 can only handle *.xap

  • Deploy it as ‘Available’ to Users:

This will make the application published and available for install, but only in the SSP Portal.

  • Deploy it as ‘Required’ to Users:

This will install the app automatically for targeted users. It will silently install the application.

  • Deploy it as ‘Required’ to Devices:

This will install the app automatically for targeted devices. It will silently install the application.

  • Remote Uninstall for apps deployed to users and devices:

This will silently uninstall the app automatically for targeted devices.

Windows RT devices :

This post contains the steps which you, as an IT administrator, can perform to troubleshoot and investigate software distribution (download and install) issues on the Windows RT client

http://blogs.technet.com/b/configmgrteam/archive/2013/03/13/troubleshooting-windows-rt-client-software-distribution-issues.aspx

IOS:

To sideload an application *.ipa you need either to have developed it in-house or bought it from a developer who allows you to side load it and have a correct Apple developer account as well. https://developer.apple.com/programs/ios/

You cannot side load an app that you have downloaded and paid for in ITunes, which would be wrong in terms of license agreements. For those applications, you can create a link to the application in Appstore and distribute that link.

So if you want to side load an application that you bought from Appstore, I would suggest that you Contact that Company/developer and see if they are interested in selling the application to you that way instead of through the Appstore.

There are a number of ways of deploying apps to iOS devices throughout your enterprise. You can purchase and assign apps with MDM through the Volume Purchase Program (VPP), or create and deploy your own in-house apps by joining the iOS Developer Enterprise Program. Additionally, if you are in a shared-device deployment scenario you can install apps and content locally with Apple Configurator or your MDM solutions such as Windows Intune.

When deploying an IPA you have three options:

  • Deploy it as ‘Available’ to Users:

This will make the application published and available for install, but only in the SSP Portal.

  • Deploy it as ‘Required’ to Users:

This will install the app automatically for targeted users. A note will pop up on the screen of the iOS device asking if “Microsoft” is allowed to install the application. After clicking OK the app gets installed.

  • Deploy it as ‘Required’ to Devices:

This will install the app automatically for targeted devices. A note will pop up on the screen of the iOS device asking if “Microsoft” is allowed to install the application. After clicking OK the app gets installed.

I have written a blog post to clarify the support around CM12 and intune : Deploying Windows *.ipa IOS Applications requires a *.plist file at http://scug.be/sccm/2014/03/18/cm12-and-intune-deploying-windows-ipa-ios-applications-requires-a-plist-file/

  • Remote Uninstall for apps deployed to users and devices:

This will silently uninstall the app automatically for targeted devices.

Android:

As I have not deployed any software to android devices so far, I am going to exclude this section from any comment.

5. Providing Company Resource Access the mobile devices

When a user enrolls their device into Windows Intune, an organization’s certificates, Wi-Fi, VPN, and email profiles can automatically be configured on the device.   This will enable users to quickly access internal corporate resources with the appropriate security configurations set, without having to call the help desk.  Access to email and corporate data stored in OneDrive for Business can be automatically restricted if a user tries to access those resources on a device which is not enrolled for management.  Access can automatically be restricted if the device is de-enrolled from Windows Intune or falls out of the compliance policy set by the administrator.  For example, if someone jailbreaks their previously-enrolled iPad, access to Exchange and OneDrive for Business can be revoked until the problem is corrected.

As a cloud service, The ‘Extensions for Windows Intune’ feature provides frequent, dynamic feature updates to System Center 2012 R2 Configuration Manager without any on-premises infrastructure update roughly every quarter. The product team is currently rolling out those updates to ConfigMgr thru the so called “Windows Intune extensions or ‘W.E.A.V.E’ feature which provides additional support for additional released Windows Intune features for Unified Device Management.

I have written a blog post that explains it into detail about those so called CM12 Intune extensions:

CM12 Extensions for Windows Intune: Resources and gotcha’s at http://scug.be/sccm/2014/02/11/cm12-extensions-for-windows-intune-resources-and-gotchas/

On the other hand we have:

Email Profiles:

Extensions like email profile provisioning make it very easy for end users to connect to corporate email from their mobile devices while at the same time, it ensures that administrators can protect corporate data by having the ability to selectively wipe email from lost or stolen mobile devices

The ConfigMgr administrator can now configure email profiles that supply both email server information and related policies.However sometimes the profile doesn’t come down and therefore I have written the following blob that explains into detail:

Configmgr 2012 and Intune: Provisioning Email Profiles and the why the profile may not turn up on devices such as an Ipad at http://scug.be/sccm/2014/03/21/sysctr-configmgr-2012-and-intune-provisioning-email-profiles-and-the-why-the-profile-may-not-turn-up-on-devices-such-as-an-ipad/

TIP: Be aware that this profile can only be deployed to a ‘User based Collections’

Certificate Profiles:

Certificate profiles in System Center 2012 Configuration Manager works with Active Directory Certificate Services and the Network Device Enrollment Service (NDES) role to provision authentication certificates for managed devices so that users can seamlessly access company resources.

For example, you can create and deploy certificate profiles to provide the necessary certificates for users to initiate VPN and wireless connections.

Certificate profiles in Configuration Manager provide the following management capabilities:

  • Certificate enrollment and renewal from an enterprise certification authority (CA) for devices that run iOS, Windows 8.1, Windows RT 8.1, and Android, These certificates can then be used for Wi-Fi and VPN connections.
  • Deployment of trusted root CA certificates and intermediate CA certificates to configure a chain of trust on devices for VPN and Wi-Fi connections when server authentication is required.
  • Monitor and report about the installed certificates.

TIP: Be aware that this profile can be deployed to ‘User based Collections’ or ‘Device based Collections’

VPN Profiles:

VPN profiles in System Center 2012 Configuration Manager provide a set of tools and resources to help you create, deploy, and monitor VPN profiles. By deploying these settings, you reduce the end-user effort that is required to connect to resources on the company network.

When a VPN profile deployment is removed, the VPN profile is not removed from client devices. If you want to remove the profile from devices, you must manually remove it.

TIP: Be aware that this profile can only be deployed to a ‘User based Collections’

Wi-Fi Profiles:

Wi-Fi profiles in System Center 2012 Configuration Manager provide a set of tools and resources to help you create, deploy, and monitor wireless network settings to devices in your organization. By deploying these settings, you minimize the effort that end users require to connect to corporate wireless networks.

When a Wi-Fi profile deployment is removed, the Wi-Fi profile is not removed from client devices. If you want to remove the profile from devices, you must manually remove it.

TIP: Be aware that this profile can only be deployed to a ‘User based Collections’

6. Calling Microsoft (Intune) Support

Do not hesitate to contact the Intune technical support whenever you encounter a problem. As you have no insight into Intune contacting support is many times the only way to figure it what is or what is not going on with your mobile device management.  Support phone numbers for Intune specifically are listed at the Microsoft Support web site.

They will need the following information to help you solving the case swiftly, please collect that information before calling Microsoft PSS/CSS

Search criteria

  • LSU, MSU, account id, user id(last 6 digits)
  • email domain or other feature specific keyword
  • Time of incident (time zone)
  • Logs (DMPUploader.log, DMPDownloader.log, CloudUserSync.log)

Example

  • AccountId : 21c26ac1……29b40f
  • LsuId           : LSUA01
  • MsuId         : MSUA01
  • UserID : ……d7facc
  • Domain : contoso.onmicrosoft.com

Hope it Helps ,

Kenny Buntinx

MVP enterprise Client Management

ITPROceed , 12th of June ! Be there !

June 6, 2014 at 5:15 am in events, MDM, speaking, UDM by Kenny Buntinx [MVP]

 

Microsoft and the Belgian IT community to put a whole new ITPRO event on the agenda.

This event will also be your opportunity to socialize with fellow System Center administrators and ITPRO consultants to exchange knowledge, meet with one of the most popular Microsoft speakers of all time and have a nice lunch with the Belgian System Center MVP’s!

clip_image001

· Registration website

Tickets for this event sold out a while ago – I hope you were in time to grab yours so you can be part of what will be the biggest IT Pro event in Belgium this year. We really count on you to be there !! If you cannot attend this event , please make sure that your cancel reservation , so others can take you’re seat !

With a total of four tracks (SQL, System Center, Azure and Office Services) there will be a broad variety of content being offered by various speakers.

I am honored to be a speaker at this event. Together with my friend Tim De Keukelaere , I will be delivering a session on unified mobile device management with Configuration Manager and Windows Intune. It is entitled Managing your hybrid Mobile cloud Workforce Demystified

clip_image003

Hope to meet you there!

Kenny Buntinx

MVP enterprise Client Management

“Workplace Join” with ADFS 3.0 Device Registration Services and our ‘Workplace Join Hitman’ PowerShell App to the rescue !

May 20, 2014 at 5:00 pm in ADFS 3.0, BRIFORUM, ConfigMgr, configmgr 2012 R2, drs, intune, powershell, SCCM 2012, sccm 2012 R2, Workplace Join by Kenny Buntinx [MVP]

 

Domain Join is what we have had for a long time, tight admin control, group policy, managing the desktop in full glory and control. "Workplace Join is much lighter, and is about authenticating an unknown device like a Surface RT, iOS or Android device. We will put a certificate on the device, and can challenge the device for this as part of claims based authentication to applications or other resources such as data, plus there is no admin control of the device, it remains under the control of the end user.

When coupled with BYO device management with a solution like Windows Intune, you can apply policy, deploy apps and control access to resources on machines that you otherwise have no control over."

Through the new Workplace Join feature within R2, AD FS becomes a focal point for mobile access in the enterprise and an integral component in the Microsoft Bring Your Own Device (BYOD) vision with Windows Intune. Workplace Join allows unmanaged or untrusted operating systems such as Windows RT / Windows 8.1 and IOS to be moved into a more controlled access context, by allowing their registration and affiliation with Active Directory.

Workplace Join is made possible by the Device Registration Service (DRS) that is included with the Active Directory Federation Role in Windows Server 2012 R2. When a device is Workplace Joined, the DRS provisions a device object in Active Directory and sets a certificate on the consumer device that is used to represent the device identity. The DRS is meant to be both internal and external facing. Companies that deploy both DRS and the Web Application Proxy will be able to Workplace Join devices from any internet connected location. To further secure this process, additional factors can be also used with Windows Azure Active Authentication (Phone Factor).

Lost Device Protection

As covered earlier, devices registered via ‘Workplace Join’ are registered within Active Directory in the following container ;

CN=<Device ID>,CN=RegisteredDevices,DC=mydomain,DC=com.

Lost devices can be denied access by disabling or deleting the appropriate object within AD (I moved the device objects to another OU to test this). Access through AD FS is immediately revoked for the workplace joined client.

From testing thus far, devices joined, left and re-registered via Workplace Join are currently not cleaned up within the ‘RegisteredDevices’ container. Some PowerShell scripting is currently required to enforce this. Later in this blog post we will explain you what we made available thru powershell.

image

This is question comes up all the time … how do I map a user to the devices that they have registered ?

1. The first attempt of Microsoft can be found here as this blog post is provided by Adam Hall . This is the output if you run the original script :

image

2. The second attempt to optimize the readout was done by a colleague Stijn Callebaut and it was already an improvement

image  

The optimized code could be found below :

#user is provide by argument
if ($args.count -ne 1)
{        
    Write-Host "Usage: GetRegisteredDeviceForUser.ps1 <user name>"
    exit 1 
}

#get user's sid
$domain = Get-ADDomain
$userName = $args[0]
$userSid = (New-Object System.Security.Principal.NTAccount($domain.NetBIOSName, $userName)).Translate([System.Security.Principal.SecurityIdentifier]).value

#search device object when registeredUser = user sid
$objDefaultNC = New-Object System.DirectoryServices.DirectoryEntry

$ldapPath = "LDAP://CN=RegisteredDevices," + $objDefaultNC.distinguishedName 
$objDeviceContainer = New-Object System.DirectoryServices.DirectoryEntry($ldapPath)
$strFilter = "(&(objectClass=msDS-Device)(msDS-RegisteredOwner=$userSid))"

$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDeviceContainer 
$objSearcher.PageSize = 100
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Onelevel"
$colResults = $objSearcher.FindAll()

foreach ($objResult in $colResults){
    $props = @{
        cn=$objResult.Properties['cn']
        whencreated=$objResult.Properties['whencreated']
        whenchanged=$objResult.Properties['whenchanged']
        displayname=$objResult.Properties['displayname']
        }
    new-object PSObject -Property $props
            
}

3. But weren’t quite there yet. We wanted three things :

  • Easy browsing and easily find devices registered to a user
  • Easy selection of the devices needed
  • Delete the devices properly

A colleague working with me on a project and good friend Kurt Depre , learned to use Powershell Xaml thru MVP Kaido Jarvemets for our customer project and said he would make a great interface for my issue. After some days of testing we finally can show you the result of our powershell tool.

The tool is called Workplace Join Hitman and can let you do easy searching for devices that are workplace joined by a single user and revoke access by deleting the object .

image

You can download it and please rate the tool if you like it. It’s downloadable on Technet Gallery here : http://gallery.technet.microsoft.com/WorkPlace-Join-Hitman-8c691238

It is not perfect , but it is intended to give you some idea’s to further automate the process when a device is stolen , lost or just discontinued. Next idea is to do that in a kind of Orchestrator workflow.

Hope it Helps , 

Kenny Buntinx

Enterprise Client Management MVP

Excited : Speaking at Briforum London this year

April 28, 2014 at 2:13 pm in BRIFORUM, speaking by Kenny Buntinx [MVP]

This year is my first and therefore also special BRIFORUM event for me and my dear friend “Tim De Keukelaere” as we are presenting “ConfigMgr 2012 R2 and Intune: Setup and Deployment Notes from the Field (with focus on Single Sign-on & ADFS)” on 20-21 May 2014 . It’s so special as it is  the 10th occurrence of this event for the past ten years in London !

4296_625292

This conference has great International speakers and I think this is one of the few events where they are presenting “vendor independent” and makes this conference unique.

BriForum_London_RegisterNow_030414_300x250

I will be not to late to join these magnificent sessions ! So if you haven’t already registered , do so on Briforum Website!

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

ConfigMgr 2012 R2 & Windows Intune UDM : How to prevent an “End-User” can un-enroll his “Corporate” Windows Phone 8.1

April 24, 2014 at 8:30 pm in 2012R2, 8.1, Compliance Management, configmgr 2012 R2, intune, MDM, OMA-DM, OMA-URI, policy, sccm 2012 R2, UDM, Windows Intune, Windows Intune Extensions, windows inune, Windows Phone 8.1, Windws Intune, WP 8.1 by Kenny Buntinx [MVP]

 

Scenario :

Last week we had a discussion at a customer during a  Windows Intune UDM Proof of concept and the customer was willing to order about 3000 corporate owned Nokia Lumia 630 Windows Phones. He wanted us to provide the option when a ‘device owner’ in CM12 R2 is set to “corporate” , a user can’t un-enroll a “corporate” device and to prevent them from doing so , unless you are the ConfigMgr 2012 MDM admin.

As this seemed a logic request to me , we couldn’t do it out of the box with windows phone 8 or with Windows Intune. Missed opportunity , I would say. However with the launch of Windows Phone 8.1 at Build conference , there was a new set of OMA-DM management capabilities being added.

At this stage , the writing and the testing of the blog post  is being done with a developer edition of Windows Phone 8.1. I doubt that when being rolled out as RTM , these policies will be changed.

Solution to problem :

First of all , you will need to know what OMA-DM is . OMA-DM is an open standard that Apple – Android and Microsoft are using. All MDM solutions use the OMA-DM API to manage those devices. More information on OMA-DM can be found here .

Microsoft has released together with WP 8.1 , a comprehensive guide called ; ‘Windows Phone 8.1 MDM protocol documentation’ . You will need this guide as a reference to find all custom not-so-out-of-the-box OMA-URI’s. An OMA-URI can be seen as a registry setting or hive. You can download it here .

Panu Saukko , a good friend and fellow Enterprise Client Management MVP , pointed me in the right direction inside the document on how to reach the goal : Blocking a user from un-enrolling their device. Without the golden tip from Panu , we would never succeed as there is an Typo in the document.

Panu pointed out that according to the document, the OMA-URI should be according to page 133 & 143 inside the ‘Windows Phone 8.1 MDM protocol documentation’ :

./Vendor/MSFT/PolicyManager/My/Experience/AllowManulMDMUnenrollment

Again there is a typo in that document , it should be

./Vendor/MSFT/PolicyManager/My/Experience/AllowManualMDMUnenrollment

Now that we have found the error in the OMA-URI , Let’s show some magic with Compliance settings , Configuration Items and Configuration Baselines in CM 12 R2 :

Creating the ‘Configuration Item’ :

1. Go to “Asset & Compliance” , click on “Compliance Settings” , go to “Compliance Items” and create a New Configuration Item as shown below

image

2. Give the new Compliance item the following Name : ‘Deny WP8.1 MDM UnEnrollment’ and hit “next”

image

3. Select the checkbox : ‘Configure additional settings that are not in the default settings groups’ and click “next” to continue

SNAGHTMLa70f0d3

4. In the next window that opens , click the ‘Add’ button.

image

5. Hit the “Create Setting” tab.

image

6. Now comes the interesting stuff .

    • Give it a Name
    • 1. Settings Type : OMA-URI
    • 2. Data Type : Integer
    • 3. OMA-URI : ./Vendor/MSFT/PolicyManager/My/Experience/AllowManualMDMUnenrollment

image

7. Highlight your recently created ‘Deny MDM Unenrollment’ and hit the ‘Select’ button

image

8. Now comes the interesting stuff again

    • 1. Rule Type : Value
    • 2. Data Type : 0 (0 = un-enroll not allowed / 1 =  enroll allowed)
    • 3. Set ‘Remediate noncompliant rules when supported’
    • 4. Set Noncompliance severity for reports to ‘Warning’ 

SNAGHTMLa838aba

9. Click next to continue.

image

10. As this setting is only applicable for Windows Phone , we select only this platform and click ‘next’ to continue.

SNAGHTMLa8ee6fe

11. Click next to continue , until the end .

SNAGHTMLa901184

Once created , you will see something like this in the screenshot below . After creating the ‘Configuration Item’ , we are going to create and deploy the ‘Configuration Baseline’

image 

Creating the ‘Configuration Baseline’ :

1. Now go to baselines and create a new ‘Configuration Baseline’

image

2. Give the ‘Configuration Baseline’ a name and click “Add” to add your ‘’Configuration Item’’

SNAGHTMLa979112

3. Search for your previously created ‘Configuration Item’ and click add.

SNAGHTMLa996df0[5]

4. Hit OK , to continue

SNAGHTMLa9b28cf

5. Click ‘OK’ to continue

SNAGHTMLa9be549

When created , you will see something similar in your console as show below in the screenshot :

image

Deployment of the ‘Configuration Baseline’ ONLY to the ‘Corporate Owned’ devices :

As we only wanted to prevent un-enrollment when a ‘device owner’ in CM12 R2 is set to “corporate” , we first need to create a collection that contains only devices set to corporate as shown below . Devices enrolled using the ConfigMgr 2012/Windows Intune UDM solution can be assigned to be either "Company" or "Personal" devices. Note that a device is automatically assigned to be Personal by default.

image

image

Now that that is done , create a ‘Device collection’ that is only containing resources that are ‘Company’ devices. To do that , use the following query where ‘System Resource – Device Owner’ is set to ‘1’ for ‘Company’ . Value 2 is “personal”

image

Now deploy your ‘Compliance baseline – Deny wp8.1 UnEnrollment’ to the collection called ‘All Mobile Devices set as Corporate Owned Devices

The END Result ? :

As the policies come down from Configuration Manager 2012 R2 with Windows Intune on the WP8.1 device and the user tries to un-enroll , following message is shown :

clip_image002

images

Hope it  Helps ,

Kenny Buntinx

Enterprise Client Management MVP

Configmgr 2012 & Windows Intune SSO : Self- signed certificate for token signing is about to expire. Now What?

April 23, 2014 at 12:15 pm in ADFS, ADFS 2.1, ADFS 3.0, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, intune, SCCM 2012, SCCM 2012 R2, SCCM 2012 SP1, sso, Windows Intune, Windows Intune Extensions, windows inune by Kenny Buntinx [MVP]

 

This morning at a customer , I received the following mail in my mailbox , saying that my ADFS token would expire.

AD FS 2.0 or 2.1 and probably 3.0 generates each year by default a new self- signed certificate for token signing 20 days before the certificate expires . Rollover of the certificate , or generate a new certificate when the existing certificate is about to expire , and make them the primary certificate , applies only to self-signed certificates that are generated by AD FS 2.x . The token signing certificate is essential for the stability of the Federation Service . If this is changed, the change must be reported to Windows Azure AD . Otherwise fail applications for cloud services such as my Windows Intune Service.

image

When the token signing certificate of your home AD FS organization expires, then federation metadata between AD FS and Office 365 falls out of synch. Equally, when changes are made on the Office 365 or Windows Intune that require updating the metadata, a similar issue arises. The “Microsoft Office 365 Federation Metadata Update Automation Installation Tool” script provide by the AD FS team checks the that federation metadata is validated regularly and any changes replicated between the two federating parties.

You must have the Microsoft Federation Metadata Update Automation Installation Tool download and configure your primary federation server or another recordable federation server, the Windows Azure AD Federation Metadata regularly automatically checks and updates so that changes in the certificate token-signing in the AD FS 2.1 Federation service will be copied automatically onto Windows Azure AD.

You can download the script here : http://gallery.technet.microsoft.com/scriptcenter/Office-365-Federation-27410bdc

The script is called : O365-Fed-MetaData-Update-Task-Installation.ps1

To execute this tool successfully:

  • You must make sure that you have installed the latest version of the Microsoft Online Services Module for Windows PowerShell 
  • You need to have a functioning AD FS 2.0 Federation Service (execute this on your primary ADFS server)
  • You need to have access to Global Administrator credentials for your Office 365 tenant
  • You need to have at least one verified domain in the Office 365 tenant must be of type ‘Federated’
  • This tool must be executed on a writable Federation Server
  • The currently logged on user must be a member of the local Administrators group
  • The Microsoft Online Services Module for Windows PowerShell must be installed. You can download the module from http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652560.aspx0

When running the tool and you comply with the above prerequisites , the following screenshot appears as shown below :

image

It’s worth bearing in mind that the password policy will render the script unusable in the event of a password change on either the Windows Intune side with the MSOL account you specify and the Domain side with the user account used to initiate the scheduled task. It is possible to create service accounts to do this on both sides. However, I’d consider the security consequences of such a change before automatically doing so. This can be done on the O365 side with an Office 365 standard account via the Set-MSOLUser cmdlet.

For example:  Set-MSOLUser –identity user@MyPreciousChosenDomain.onmicrosoft.com –PasswordNeverExpires $true –StrongPasswordRequired $true

The account could also technically be a federated account, but I don’t believe that’s a good idea. In the event that the trust is broken, then a federated account won’t be able to connect to MSOL to update the federated domain information and you would be in trouble big time!

To verify the scheduled task is executed correctly , open task scheduler and verify that the task is there :

image;-

That’s again an automated task , without worrying that your infrastructure is in danger :-)

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP