IOS 8 support now available for System Center 2012 R2 Configuration Manager thru an extension for Windows Intune

September 30, 2014 at 4:18 am in ConfigMgr, configmgr 2012 R2, intune, MDM, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, System Center, UDM by Kenny Buntinx [MVP]

 

A new version of the iOS 7 Security Settings extension is now available for System Center 2012 R2 Configuration Manager environments that are configured with the Windows Intune connector. This updated extension adds support for iOS 8 devices. New features include: iOS 8 added to the supported platform list, configuration settings to manage and assess the compliance on iOS 8 devices, company resource access on iOS 8 devices and the ability to define an applicability rule for applications, allowing you to deploy applications to iOS 8 devices.

If you already have the iOS 7 Security Settings extension enabled, an updated extension called iOS 7 and iOS 8 Security Settings will appear as a new item in your Configuration Manager console in the Extensions for Windows Intune node. You will also be able to see other enabled extensions in this location.

To install the updated version, select the iOS 7 and iOS 8 Security Settings extension from the list and then click Enable. You do not need to disable the older version of the extension before you enable this updated version. As the updated version is installed, the configurations you previously made for the extension are retained. Once the installation is complete, only the most recent version of the extension will display in the console.

Read further at http://blogs.technet.com/b/configmgrteam/archive/2014/09/29/ios-8-support-now-available-for-sc-2012-r2-configmgr-via-extension-for-intune.aspx

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

ITDevconnections session wrap-up : Managing Your Hybrid Mobile Cloud Workforce with System Center 2012 R2 Configuration Manager

September 22, 2014 at 7:56 pm in ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, Devconnections, ECM, extensions, intune, profile, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, UDM by Kenny Buntinx [MVP]

 

A big thanks to all who attended at our sessions that where delivered by Tim De Keukelaere and myself. Below are the links to the blog posts we have made earlier and we referenced during the session! Hope to see you all again next year!

clip_image002

All blog posts where written when we encountered challenges or when we wanted to spread information. Some can be outdated, but there isn’t much changed. I’ll start updating them as soon as I find time for it :-) .

Find them here :

Windows Intune & ConfigMgr 2012 : Notes from the field around Compliance Settings and enrollment at http://scug.be/sccm/2014/06/08/windows-intune-configmgr-2012-notes-from-the-field-around-compliance-settings-and-enrollment/

ConfigMgr 2012 R2 & Windows Intune UDM : How to prevent an “End-User” can un-enroll his “Corporate” Windows Phone 8.1 at http://scug.be/sccm/2014/04/24/configmgr-2012-r2-windows-intune-udm-how-to-prevent-an-end-user-can-un-enroll-his-corporate-windows-phone-8-1/

CM12 Extensions for Windows Intune: Resources and gotcha’s at http://scug.be/sccm/2014/02/11/cm12-extensions-for-windows-intune-resources-and-gotchas/

Deny Windows Phone Apps with Configuration Manager \ Intune at http://scug.be/nico/2014/05/22/deny-windows-phone-apps-with-configuration-manager-intune/

Sysctr Configmgr 2012 and Intune : Provisioning Email Profiles and the why the profile may not turn up on devices such as an Ipad. At http://scug.be/sccm/2014/03/21/sysctr-configmgr-2012-and-intune-provisioning-email-profiles-and-the-why-the-profile-may-not-turn-up-on-devices-such-as-an-ipad/

How to Configure Hardware Inventory for Mobile Devices Enrolled by Windows Intune and Configuration Manager at http://technet.microsoft.com/en-us/library/dn469411.aspx

Collecting IMEI from devices enrolled in Windows Intune with System Center 2012 R2 Configuration Manager at http://blogs.technet.com/b/configmgrteam/archive/2014/07/30/collecting-imei-from-devices-enrolled-in-windows-intune-with-sc-2012-r2-configmgr.aspx

“Workplace Join” with ADFS 3.0 Device Registration Services and our ‘Workplace Join Hitman’ PowerShell App to the rescue ! at http://scug.be/sccm/2014/05/20/workplace-join-with-adfs-3-0-device-registration-services-and-our-workplace-join-hitman-powershell-app-to-the-rescue/

Windows Phone 8 not enrolling with the “Support Tool for Windows Intune Trial Management of Window Phone 8” at http://scug.be/sccm/2013/07/19/windows-phone-8-not-enrolling-with-the-support-tool-for-windows-intune-trial-management-of-window-phone-8/

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

ITDevconnections session wrap-up : System Center 2012 R2 Configuration Manager and Intune: Setup and Deployment Notes from the Field, with a Focus on Single Sign-On

September 22, 2014 at 1:24 pm in ADFS, ADFS 2.1, ADFS 3.0, CM12, CM12 R2, CM12 SP1, Devconnections, ECM, intune, ITDevconnections, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, UDM by Kenny Buntinx [MVP]

 

A big thanks to all who attended at our sessions that Tim De Keukelaere and myself presented. Below are the links to the blog posts we have made earlier and we referenced during the session! Hope to see you all again next year!

clip_image002

 

All blog posts where written when we encountered challenges or when we wanted to spread information. Some can be outdated, like the ADFS 2.1 blogs , but there isn’t much changed. I’ll start updating them as soon as I find time for it :-)

Find them here :

Conquering BYOD with Implementing ConfigMgr 2012 R2 and Windows Intune,“ADFS”, “WAP”, “Workplace Join” and “Work Folders”. Part I at http://scug.be/sccm/2014/01/09/conquering-byod-with-implementing-configmgr-2012-r2-and-windows-intuneadfs-wap-workplace-join-and-work-folders-part-i/

Prepare to Install ADFS 2.1 Services to have SingleSignOn (SSO) in Windows Intune (WaveD) – Part 1 at http://scug.be/sccm/2013/07/04/prepare-to-install-adfs-2-1-services-to-have-singlesignon-sso-in-windows-intune-waved/

Prepare to Install ADFS 2.1 Services to have SingleSignOn (SSO) in Windows Intune (WaveD) – Part 2 at http://scug.be/sccm/2013/07/08/prepare-to-install-adfs-2-1-services-to-have-singlesignon-sso-in-windows-intune-waved-part-2/

ADFS & Workplace Join & Intune : "Profile Installation Failed" error when iOS device is Workplace Joined by using DRS on a Windows Server 2012 R2-based server at http://scug.be/sccm/2014/08/21/adfs-workplace-join-intune-profile-installation-failed-error-when-ios-device-is-workplace-joined-by-using-drs-on-a-windows-server-2012-r2-based-server/

ADFS 2.1 in combo with windows Intune stops working with ‘Error: 15404, State: 19. Could not obtain information about Windows NT group/user ‘Domain\ADFS_srvc’, error code 0×5 at http://scug.be/sccm/2014/01/22/adfs-2-1-in-combo-with-windows-intune-stops-working-with-error-15404-state-19-could-not-obtain-information-about-windows-nt-groupuser-domainadfs_srvc-error-code-0×5/

ADFS 3.0 on Windows 2012 R2: adfssrv hangs in starting mode and makes you’re domain controller unusable after reboot at http://scug.be/sccm/2014/01/15/adfs-3-0-on-windows-2012-r2-adfssrv-hangs-in-starting-mode-and-makes-youre-domain-controller-unusable-after-reboot/

Windows Intune & ConfigMgr 2012 : Notes from the field around Compliance Settings and enrollment at http://scug.be/sccm/2014/06/08/windows-intune-configmgr-2012-notes-from-the-field-around-compliance-settings-and-enrollment/

“Workplace Join” with ADFS 3.0 Device Registration Services and our ‘Workplace Join Hitman’ PowerShell App to the rescue ! at http://scug.be/sccm/2014/05/20/workplace-join-with-adfs-3-0-device-registration-services-and-our-workplace-join-hitman-powershell-app-to-the-rescue/

Configmgr 2012 & Windows Intune SSO : Self- signed certificate for token signing is about to expire. Now What? At http://scug.be/sccm/2014/04/23/configmgr-2012-windows-intune-sso-self-signed-certificate-for-token-signing-is-about-to-expire-now-what/

Windows Phone 8 not enrolling with the “Support Tool for Windows Intune Trial Management of Window Phone 8” at http://scug.be/sccm/2013/07/19/windows-phone-8-not-enrolling-with-the-support-tool-for-windows-intune-trial-management-of-window-phone-8/

Windows Intune & Dirsync : Error message “stopped-server-down” (FIM Synchronization Service Manager) at http://scug.be/sccm/2013/07/18/windows-intune-dirsync-error-message-stopped-server-down-fim-synchronization-service-manager/

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

ADFS & Workplace Join & Intune : "Profile Installation Failed" error when iOS device is Workplace Joined by using DRS on a Windows Server 2012 R2-based server

August 21, 2014 at 4:59 am in ADFS, ADFS 3.0, CM12, CM12 R2, CM12 SP1, intune, MDM, SCCM 2012, SCCM 2012 R2, SCCM 2012 SP1, UDM, Workplace Join by Kenny Buntinx [MVP]

Hi,

We’ve got in our lab environment our 2012 R2 Workplace Join environment up & running with one Windows 8.1 client successfully browsing the claims app. When we tried to workplace join an IPAD device, it could go as far as the Workplace Join screen.

If you want to know what ‘Workplace join’ is and how to manage it, please visit my earlier blog post at  http://scug.be/sccm/2014/05/20/workplace-join-with-adfs-3-0-device-registration-services-and-our-workplace-join-hitman-powershell-app-to-the-rescue/

Attempt to install the profile resulted in two different errors:

- On the Ipad you should see the profile install fail on the iPad. Assuming that the Apple iOS device is configured by using the over-the-air enrollment. An Apple certificate for the IOS device is expired. In this situation, you receive an error message that resembles the following: ‘Profile Installation Failed the server certificate for federation server name/otaprofile/profile?operation=enroll is invalid.’

- If I look on the ADFS WAP server , I see the following issue in the eventvwr

clip_image001

There are two main places you can start when troubleshooting an iOS-specific issue. 

1) The DRS event logs on the AD FS server.  May shed some light as to what is wrong.
2) The iOS device logs.  You’ll need to download the iPhone Configuration Utility (works with iPads as well).  http://support.apple.com/kb/DL1466

Microsoft has released a Hotfix for this http://support.microsoft.com/kb/2970746. Make sure to download and install it !

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

Sysctr Enterprise Client Management : It will be a busy fall …

August 20, 2014 at 7:24 am in even, events, IT-Dev Connections, IT/Dev Connections, mms, MMS-2014, MMS2014, speak, speaking by Kenny Buntinx [MVP]

 

A lot of exciting things are happening in the System Center community these days with a lot of events around the corner.

IT-Dev Connections , SCU Europe , TechED Europe and Midland Management Summit 2014 are right around the corner and other local user group events are being planned as well.

I always enjoy being part of these events and meet old and new friends all with the same interest: System Center products and common technology’s

imagesNY3IY65Z

This blog post will be around my events I will attended and support from the community. It will list all sessions which I’m presenting and attending , both national and International.

Hope you will attend one of my sessions and if you do, make sure to take the time to meet up and have a beer !

Date Event Location Sessions
15-19 September IT/Dev Connections Las Vegas
1 October SCUG.BE Microsoft HQ Belgium To be determined , but hey , we will have a local CDM speaker and we have Jason Sandys in the house for ECM.
4 October App-V User Group UK 2014 London – Microsoft Attendee …
3-7 November MVP Summit Microsoft HQ Redmond NDA – What can I say Emoticon die tong uitsteekt :-P
10-12 November Midland Management Summit  2014 Minnesota

 

Hope it Helps,

Kenny Buntinx

Enterprise Client Management MVP

SCCM 2012 : “Another Installation is already in Progress” when deploying Applications thru OSD deployment.

August 18, 2014 at 11:26 am in agent, Application Model, applications, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, OSD, SCCM 2012, SCCM 2012 R2, SCCM 2012 SP1, Task Sequence by Kenny Buntinx [MVP]

 

At one of my current customers, I have been stuck for two days now, that one or two randomly selected applications where failing If we looked in the ‘Status Messages’ and dig al little deeper , we saw in there that :

‘Another installation is already in progress.Complete that installation before proceeding with this install.’

 image

Knowing this is a highly secured environment , my first guess would be policies. However I overruled this thinking strategy because during the OSD process , GPO’s aren’t applied …—> That is a fact , except for one scenario I already blogged about it as described here  ‘http://scug.be/sccm/2013/02/13/configmgr-2012-rtmsp1-applications-failed-to-install-during-osd-with-error-code-16389-and-denied-logon-for-domain-users-policy/’ , but that was not the issue…

Back to the drawing board and digging deeper in the smstslog file … Suddenly when hitting the F8 button a popup arrived that I needed a reboot to complete the “Kaspersky Antimalware Client”  … WTF is that doing in my task sequence.

Apparently someone at the customer decided to set a policy at the Kaspersky management server , to Push / Install a Kaspersky client when he detects and scans the network for computers that did not had a Kaspersky mgmt. agent installed. That little process hijacked my Task sequence installation process and jumped in the middle to install that Kaspersky agent .

Case Closed …My advise – before troubleshooting Configmgr , just start asking questions who did changes on other parts of the environment Emoticon die tong uitsteekt

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

MVP Award Renewal for 2014-2015: Enterprise Client Management

July 1, 2014 at 7:02 pm in ECM, MVP by Kenny Buntinx [MVP]

 

I’m very proud to inform you that my MVP award got renewed for the year 2014 – 2015 on Enterprise Client Management. This is certainly a great honor for me.

Thank you Microsoft, blog readers and all the community members that helped me out!

Thanks for the recognition. I am delighted.

Kenny Buntinx

Enterprise Client Management MVP

images7T7SFLEG

ITPROceed – Take home a signed copy of Jack Madden’s EMM Book!

June 10, 2014 at 7:27 pm in EMM, it, ITPROceed, MDM, UDM by Kenny Buntinx [MVP]

 

A few weeks ago Tim De Keukelaere and myself have had the honor to attend and present a session at BriForum in London.

During the event we have had the chance to network and meet up with some great people. One of them was Jack Madden (@jackmadden) who is an expert in the field of Enterprise Mobility Management. We brought home a few copies of his new book on Enterprise Mobility Management. Jack was kind enough to sign the books for us – which adds some extra uniqueness to them.

We will be raffling these books during the next session Tim and I are presenting, which will be at ITPROCeed in Antwerp this Thursday. If you have registered for the event then make sure to attend our session to have a chance on taking home a signed copy of the book.

See you at ITPROCeed!

Kenny Buntinx

Enterprise Client Management MVP

Windows Intune & ConfigMgr 2012 : Notes from the field around Compliance Settings and enrollment

June 8, 2014 at 4:00 pm in BYOD, Cloud, CM12, CM12 R2, configmgr 2012 R2, ConfigMgr 2012 SP1, ECM, email Profile, email Profiles, intune, iOS, ipa, Ipad, ITPROceed, MDM, OMA-DM, OMA-URI, personal, plist, policy, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, UDM, windows 8.1, Windows Intune, Windows Intune Extensions, Windows Phone 8.1, Windws Intune, Work Folders, WP 8.1 by Kenny Buntinx [MVP]

 

Today there isn’t much hands on information about managing mobile devices such as Windows Phone , iPhone or Android using the MDM solution with Windows Intune and System Center Configuration Manager 2012 R2. This blog post is intended to give you better knowledge and to consolidate the earlier blogs I have been writing. Troubleshoot MDM in Intune / ConfigMgr

The big challenge is troubleshooting mobile device management in general, but particularly using ConfigMgr and Intune because a current Configmgr is a product that is known for its extensive logging.

With Windows Intune connected to System Center Configuration Manager 2012 R2, you have 6 log files on premise where you can look into:

  • ConnectorSetup.log (Records details of connector role installation)
  • FeatureExtensionInstaller.log (Records information about the installation and removal of individual extensions when they are enabled or disabled in the Configuration Manager console)
  • CertMgr.log (Records certificate and proxy account information)
  • Cloudusersync.log (Records license enablement for users)
  • DMPuploader.log (Records details for uploading database changes to Windows Intune)
  • DMPdownloader.log (Records details on downloads from Windows Intune)

1. Enrolling the mobile devices

  • OMA-DM and OMA-URI:

First of all, you will need to know what OMA-DM is. OMA-DM is an open standard that Apple – Android and Microsoft are using. All MDM solutions use the OMA-DM API to manage those devices. More information on OMA-DM can be found here.

Microsoft has released together with WP 8.1, a comprehensive guide called; ‘Windows Phone 8.1 MDM protocol documentation’. You will need this guide as a reference to find all custom not-so-out-of-the-box OMA-URI’s. An OMA-URI can be seen as a registry setting or hive. You can download it here.

If enrollment does not work, please verify that the right platform is selected in your “windows Intune Subscription”, otherwise you will get these kind of errors:

ERROR: Service health log: User ‘******************************32ad82′ is not eligible to enroll a device of type ‘WindowsPhone’. Reason ‘DeviceTypeNotSupported’.

clip_image002[4]

  • Enrollment for Windows Phone 8 or 8.1:

Enrollment for Windows Phone happens does not have the same experience like IOS or Android. With Windows Phone 8 or 8.1 you will need to go to the settings page and search for either ‘company portal’ or ‘workplace join’. Don’t you love Microsoft’s consistency here?

  • Trouble enrolling your Windows Phone?

SSP portal software Certificate Signing :

Make sure that your SSP portal software is signed with either your personal ‘Symantec Certificate’ you need to buy or you use the “support tool for Windows Intune”. Download the company portal at Windows Intune Company Portal for Windows Phone.

If the SSP Portal is not signed correctly or the certificate expired, your phones will stop enrolling and you’ll never get any error message. It just shows you on the phone it can’t find the server…

Read the release notes for sure :

Read here: http://technet.microsoft.com/en-us/library/jj662694.aspx

Windows Phone 8.1 devices fail to enroll with Windows Intune when device authentication is enabled in AD FS 2012 R2 (aka 3.0) called ‘Workplace Join’.

Issue: When you enroll a Windows Phone 8.1 device, enrollment fails if the optional setting for device authentication is enabled as part of global authentication policy in Active Directory Federated Services (AD FS).

Workaround: Disable device authentication on the AD FS server by unchecking Enable device authentication in Edit Global Authentication Policy.

  • Your phone is enrolled and you want to protect it from enrollment?

You have corporate owned Windows Phones and you want the option when a ‘device owner’ in CM12 R2 is set to “corporate” , a user can’t un-enroll a “corporate” device and to prevent them from doing so , unless you are the ConfigMgr 2012 MDM admin.

As this seemed a logic to me, we couldn’t do it out of the box with windows phone 8 or 8.1 and Windows Intune. Missed opportunity, I would say. However with the launch of Windows Phone 8.1 at Build conference , there was a new set of OMA-DM management capabilities being added.

Read the complete blog post on how to do it here:

ConfigMgr 2012 R2 & Windows Intune UDM : How to prevent an “End-User” can un-enroll his “Corporate” Windows Phone 8.1 at http://scug.be/sccm/2014/04/24/configmgr-2012-r2-windows-intune-udm-how-to-prevent-an-end-user-can-un-enroll-his-corporate-windows-phone-8-1/

  • Enrollment for IOS or Android :

On an iOS device open the Apple App Store., search for Company Portal, select the Windows Intune Company Portal from the list of available apps. Once installed, open the application and ‘Click’ on Add Device, You will be presented with information about the portal, click on Add in the top right corner.

There are no specific requirements for enrolling Android devices except enrolling thru the Self Service Portal.

2. Debugging on the mobile devices

There really are not that much you can see in terms of what is going on between the Intune tenants in the cloud and the mobile device itself. There is no real interface to push or pull stuff so you are pretty much left in the dark many times.

However most of the changes made in ConfigMgr are replicated up to the Intune Cloud service every 5 minutes. Apart from that you just will have to wait for things to happen.

  • WP 8 / 8.1: Really nothing you can see on the device. No log file that you can find, retrieve or view. Microsoft should really do something about this.

 

  • IOS: Shake it, shake it hard! There is however one log file and that can be accessed from an iOS device by logging into the Company Portal app. After login, shake the iPhone or iPad. Shake the phone and you will see options to send the log file via email for further analysis.

Funny Note: The shake action is disable-able from iOS / Settings area.  For a fun practical joke on a colleague you can disable the shake action and see how long they shake the device before giving up!

  • Android: No specific experiences , but honestly , I don’t think there is something that Microsoft provides out of the box

If you get the UserLicenseTypeInvalid error message when trying to enroll an iOS/Andriod device , most likely this is due to users not being synced or having an issue with the Configmgr AD user discovery or if the ConfigMgr connector to the Intune service didn’t sync properly as than they are missing from the “Intune users” collection.

3. Targeting the mobile devices

Divide Mobile devices into different collections for Windows Phones, Windows RT, Android, iPads and iPhones if you for instance want to target different compliance settings to different sets of devices.

Create your collections based on the class “Mobile Device Computer System” where the “Device Model” is your key identifier.

  • The query to list all Windows Phone 8 in a collection:

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_G_System_DEVICE_OSINFORMATION on SMS_G_System_DEVICE_OSINFORMATION.ResourceID = SMS_R_System.ResourceId where SMS_G_System_DEVICE_OSINFORMATION.Platform like "Windows Phone" and SMS_G_System_DEVICE_OSINFORMATION.Version like "8.0%"

  • The query to list all Windows Phone 8.1 in a collection:

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_G_System_DEVICE_OSINFORMATION on SMS_G_System_DEVICE_OSINFORMATION.ResourceID = SMS_R_System.ResourceId where SMS_G_System_DEVICE_OSINFORMATION.Platform like "Windows Phone" and SMS_G_System_DEVICE_OSINFORMATION.Version like "8.1%"

  • The query to list all Windows Phone RT in a collection:

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.Model like "Surface%"

  • The query to list all iPhones in a collection:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_DEVICE_COMPUTERSYSTEM on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "%iphone%"

  • The query to list all iPads in a collection:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_DEVICE_COMPUTERSYSTEM on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "%ipad%"

  • The query to list all Android in a collection:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_DEVICE_COMPUTERSYSTEM on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "Android%"

4. Targeting Applications on the mobile devices

WP 8 / 8.1:

You first need to join the Windows Phone Dev Center before you can request a code-signing certificate from Symantec. Your Windows Phone Dev Center account is required to obtain a code signing certificate from Symantec. If you are not in a hurry and want to do a POC or for a trial certificate, see Support tool for Windows Phone trial management .

This Symantec certificate is needed to deploy the company portal app. Download the company portal at Windows Intune Company Portal for Windows Phone.

Windows Phone 8.1 can handle *.xap, *.appx, *.appxbundle while windows phone 8.0 can only handle *.xap

  • Deploy it as ‘Available’ to Users:

This will make the application published and available for install, but only in the SSP Portal.

  • Deploy it as ‘Required’ to Users:

This will install the app automatically for targeted users. It will silently install the application.

  • Deploy it as ‘Required’ to Devices:

This will install the app automatically for targeted devices. It will silently install the application.

  • Remote Uninstall for apps deployed to users and devices:

This will silently uninstall the app automatically for targeted devices.

Windows RT devices :

This post contains the steps which you, as an IT administrator, can perform to troubleshoot and investigate software distribution (download and install) issues on the Windows RT client

http://blogs.technet.com/b/configmgrteam/archive/2013/03/13/troubleshooting-windows-rt-client-software-distribution-issues.aspx

IOS:

To sideload an application *.ipa you need either to have developed it in-house or bought it from a developer who allows you to side load it and have a correct Apple developer account as well. https://developer.apple.com/programs/ios/

You cannot side load an app that you have downloaded and paid for in ITunes, which would be wrong in terms of license agreements. For those applications, you can create a link to the application in Appstore and distribute that link.

So if you want to side load an application that you bought from Appstore, I would suggest that you Contact that Company/developer and see if they are interested in selling the application to you that way instead of through the Appstore.

There are a number of ways of deploying apps to iOS devices throughout your enterprise. You can purchase and assign apps with MDM through the Volume Purchase Program (VPP), or create and deploy your own in-house apps by joining the iOS Developer Enterprise Program. Additionally, if you are in a shared-device deployment scenario you can install apps and content locally with Apple Configurator or your MDM solutions such as Windows Intune.

When deploying an IPA you have three options:

  • Deploy it as ‘Available’ to Users:

This will make the application published and available for install, but only in the SSP Portal.

  • Deploy it as ‘Required’ to Users:

This will install the app automatically for targeted users. A note will pop up on the screen of the iOS device asking if “Microsoft” is allowed to install the application. After clicking OK the app gets installed.

  • Deploy it as ‘Required’ to Devices:

This will install the app automatically for targeted devices. A note will pop up on the screen of the iOS device asking if “Microsoft” is allowed to install the application. After clicking OK the app gets installed.

I have written a blog post to clarify the support around CM12 and intune : Deploying Windows *.ipa IOS Applications requires a *.plist file at http://scug.be/sccm/2014/03/18/cm12-and-intune-deploying-windows-ipa-ios-applications-requires-a-plist-file/

  • Remote Uninstall for apps deployed to users and devices:

This will silently uninstall the app automatically for targeted devices.

Android:

As I have not deployed any software to android devices so far, I am going to exclude this section from any comment.

5. Providing Company Resource Access the mobile devices

When a user enrolls their device into Windows Intune, an organization’s certificates, Wi-Fi, VPN, and email profiles can automatically be configured on the device.   This will enable users to quickly access internal corporate resources with the appropriate security configurations set, without having to call the help desk.  Access to email and corporate data stored in OneDrive for Business can be automatically restricted if a user tries to access those resources on a device which is not enrolled for management.  Access can automatically be restricted if the device is de-enrolled from Windows Intune or falls out of the compliance policy set by the administrator.  For example, if someone jailbreaks their previously-enrolled iPad, access to Exchange and OneDrive for Business can be revoked until the problem is corrected.

As a cloud service, The ‘Extensions for Windows Intune’ feature provides frequent, dynamic feature updates to System Center 2012 R2 Configuration Manager without any on-premises infrastructure update roughly every quarter. The product team is currently rolling out those updates to ConfigMgr thru the so called “Windows Intune extensions or ‘W.E.A.V.E’ feature which provides additional support for additional released Windows Intune features for Unified Device Management.

I have written a blog post that explains it into detail about those so called CM12 Intune extensions:

CM12 Extensions for Windows Intune: Resources and gotcha’s at http://scug.be/sccm/2014/02/11/cm12-extensions-for-windows-intune-resources-and-gotchas/

On the other hand we have:

Email Profiles:

Extensions like email profile provisioning make it very easy for end users to connect to corporate email from their mobile devices while at the same time, it ensures that administrators can protect corporate data by having the ability to selectively wipe email from lost or stolen mobile devices

The ConfigMgr administrator can now configure email profiles that supply both email server information and related policies.However sometimes the profile doesn’t come down and therefore I have written the following blob that explains into detail:

Configmgr 2012 and Intune: Provisioning Email Profiles and the why the profile may not turn up on devices such as an Ipad at http://scug.be/sccm/2014/03/21/sysctr-configmgr-2012-and-intune-provisioning-email-profiles-and-the-why-the-profile-may-not-turn-up-on-devices-such-as-an-ipad/

TIP: Be aware that this profile can only be deployed to a ‘User based Collections’

Certificate Profiles:

Certificate profiles in System Center 2012 Configuration Manager works with Active Directory Certificate Services and the Network Device Enrollment Service (NDES) role to provision authentication certificates for managed devices so that users can seamlessly access company resources.

For example, you can create and deploy certificate profiles to provide the necessary certificates for users to initiate VPN and wireless connections.

Certificate profiles in Configuration Manager provide the following management capabilities:

  • Certificate enrollment and renewal from an enterprise certification authority (CA) for devices that run iOS, Windows 8.1, Windows RT 8.1, and Android, These certificates can then be used for Wi-Fi and VPN connections.
  • Deployment of trusted root CA certificates and intermediate CA certificates to configure a chain of trust on devices for VPN and Wi-Fi connections when server authentication is required.
  • Monitor and report about the installed certificates.

TIP: Be aware that this profile can be deployed to ‘User based Collections’ or ‘Device based Collections’

VPN Profiles:

VPN profiles in System Center 2012 Configuration Manager provide a set of tools and resources to help you create, deploy, and monitor VPN profiles. By deploying these settings, you reduce the end-user effort that is required to connect to resources on the company network.

When a VPN profile deployment is removed, the VPN profile is not removed from client devices. If you want to remove the profile from devices, you must manually remove it.

TIP: Be aware that this profile can only be deployed to a ‘User based Collections’

Wi-Fi Profiles:

Wi-Fi profiles in System Center 2012 Configuration Manager provide a set of tools and resources to help you create, deploy, and monitor wireless network settings to devices in your organization. By deploying these settings, you minimize the effort that end users require to connect to corporate wireless networks.

When a Wi-Fi profile deployment is removed, the Wi-Fi profile is not removed from client devices. If you want to remove the profile from devices, you must manually remove it.

TIP: Be aware that this profile can only be deployed to a ‘User based Collections’

6. Calling Microsoft (Intune) Support

Do not hesitate to contact the Intune technical support whenever you encounter a problem. As you have no insight into Intune contacting support is many times the only way to figure it what is or what is not going on with your mobile device management.  Support phone numbers for Intune specifically are listed at the Microsoft Support web site.

They will need the following information to help you solving the case swiftly, please collect that information before calling Microsoft PSS/CSS

Search criteria

  • LSU, MSU, account id, user id(last 6 digits)
  • email domain or other feature specific keyword
  • Time of incident (time zone)
  • Logs (DMPUploader.log, DMPDownloader.log, CloudUserSync.log)

Example

  • AccountId : 21c26ac1……29b40f
  • LsuId           : LSUA01
  • MsuId         : MSUA01
  • UserID : ……d7facc
  • Domain : contoso.onmicrosoft.com

Hope it Helps ,

Kenny Buntinx

MVP enterprise Client Management

ITPROceed , 12th of June ! Be there !

June 6, 2014 at 5:15 am in events, MDM, speaking, UDM by Kenny Buntinx [MVP]

 

Microsoft and the Belgian IT community to put a whole new ITPRO event on the agenda.

This event will also be your opportunity to socialize with fellow System Center administrators and ITPRO consultants to exchange knowledge, meet with one of the most popular Microsoft speakers of all time and have a nice lunch with the Belgian System Center MVP’s!

clip_image001

· Registration website

Tickets for this event sold out a while ago – I hope you were in time to grab yours so you can be part of what will be the biggest IT Pro event in Belgium this year. We really count on you to be there !! If you cannot attend this event , please make sure that your cancel reservation , so others can take you’re seat !

With a total of four tracks (SQL, System Center, Azure and Office Services) there will be a broad variety of content being offered by various speakers.

I am honored to be a speaker at this event. Together with my friend Tim De Keukelaere , I will be delivering a session on unified mobile device management with Configuration Manager and Windows Intune. It is entitled Managing your hybrid Mobile cloud Workforce Demystified

clip_image003

Hope to meet you there!

Kenny Buntinx

MVP enterprise Client Management