Apple Volume Purchase Program (VPP) expands but changes nothing around supportability for side loading within Configmgr & Intune hybrid or standalone.

December 18, 2014 at 10:40 am in Apple, EMM, EMS, intune, Intune Standalone, scc, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, VPP by Kenny Buntinx [MVP]

 

Great news for our customers!

There are a number of ways of deploying apps to iOS devices throughout your enterprise. You can purchase and assign apps with MDM through the Volume Purchase Program (VPP), or create and deploy your own in-house apps by joining the iOS Developer Enterprise Program. Additionally, if you are in a shared-device deployment scenario, you can install apps and content locally with Apple Configurator or with your MDM solution, such as Windows Intune.

More than half a year ago I wrote the following SCUG article: “CM12 and intune : Deploying Windows *.ipa IOS Applications requires a *.plist file”. At that time Apple’s Volume Purchase Program (VPP) was only available in a limited number of countries, such as Germany and the UK. That caused challenges for side loading applications through your MDM solution, such as ConfigMgr 2012 R2 and Intune in the hybrid model.

Now Apple has expanded the Volume Purchase Program (VPP) (http://www.apple.com/business/vpp/) to many more countries, as listed below:

Australia, Belgium, Canada, Denmark, Finland, France, Germany, Greece, Hong Kong, Ireland, Italy, Japan, Luxembourg, Mexico, Netherlands, New Zealand, Norway, Singapore, Spain, Sweden, Switzerland, Taiwan, Turkey, United Arab Emirates, United Kingdom, and United States.

This will certainly make our lives much easier, as we now have a “licensed way” of deploying volume-licensed apps on iOS and OS X.

Distributing the app with your MDM solution such as ConfigMgr with Intune

To distribute an iOS application, you must have a valid .ipa package and a manifest (plist) file. The manifest file is an XML .plist file that is used to find, download and install any iOS applications that are located outside the App Store. The manifest file cannot exceed 10 KB. For more information, see the relevant Apple documentation.

· The .ipa package must be valid. This means that the package was signed by Apple and the expiration date indicated in the provisioning profile is still valid.

· For iOS applications, Windows Intune can distribute enterprise certificate iOS applications. Not all Apple developer certificate applications are supported.

· Your enterprise must be registered for the iOS Developer Enterprise Program.

· Make sure that your organization’s firewall allows access to the iOS provisioning and certification web sites.
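
Added example (not from the original post, and not Microsoft or Apple tooling): a Python pre-flight check for the two requirements above, run before the package is uploaded. It checks the manifest against the 10 KB limit and the keys the device needs to find the package, and reads the expiration date from the provisioning profile inside the .ipa. The HTTPS check, the sample URL, the bundle identifier and the constructed .ipa are assumptions made for the illustration.

```python
import io
import plistlib
import zipfile
from datetime import datetime, timezone

MAX_MANIFEST_BYTES = 10 * 1024  # size limit stated in the post
REQUIRED_METADATA = ("bundle-identifier", "bundle-version", "kind", "title")


def check_manifest(raw):
    """Return a list of problems found in an iOS manifest (.plist)."""
    problems = []
    if len(raw) > MAX_MANIFEST_BYTES:
        problems.append(f"manifest is {len(raw)} bytes, limit is {MAX_MANIFEST_BYTES}")
    try:
        manifest = plistlib.loads(raw)
    except Exception as exc:  # malformed XML, or not a plist at all
        return problems + [f"not a valid plist: {exc}"]
    items = manifest.get("items") if isinstance(manifest, dict) else None
    if not items:
        return problems + ["no 'items' array"]
    for n, item in enumerate(items):
        packages = [a for a in item.get("assets", []) if a.get("kind") == "software-package"]
        if not packages:
            problems.append(f"item {n}: no software-package asset")
        for asset in packages:
            # Added hardening check (assumption): fetch the .ipa over TLS only.
            if not str(asset.get("url", "")).lower().startswith("https://"):
                problems.append(f"item {n}: package url is not https")
        metadata = item.get("metadata", {})
        for key in REQUIRED_METADATA:
            if not metadata.get(key):
                problems.append(f"item {n}: metadata missing '{key}'")
    return problems


def profile_expiry(ipa):
    """Read ExpirationDate (naive UTC) from the embedded provisioning profile."""
    with zipfile.ZipFile(io.BytesIO(ipa)) as archive:
        name = next(n for n in archive.namelist()
                    if n.startswith("Payload/") and n.endswith(".app/embedded.mobileprovision"))
        blob = archive.read(name)
    # The profile is a CMS envelope around an XML plist. Slicing the plist out
    # reads the date only; it does not verify the signature.
    start = blob.index(b"<?xml")
    end = blob.index(b"</plist>") + len(b"</plist>")
    return plistlib.loads(blob[start:end])["ExpirationDate"]


def profile_is_current(ipa, now=None):
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    return profile_expiry(ipa) > now


def sample_manifest(url="https://apps.example.test/demo.ipa", title="Demo"):
    """Constructed manifest; the URL and bundle values are placeholders."""
    return plistlib.dumps({"items": [{
        "assets": [{"kind": "software-package", "url": url}],
        "metadata": {"bundle-identifier": "test.example.demo",
                     "bundle-version": "1.0", "kind": "software", "title": title},
    }]})


def sample_ipa(expires):
    """Constructed .ipa: a zip holding a fake CMS-wrapped provisioning profile."""
    profile = b"\x30\x82" + plistlib.dumps({"ExpirationDate": expires}) + b"\x00sig"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Payload/Demo.app/embedded.mobileprovision", profile)
    return buf.getvalue()


if __name__ == "__main__":
    print(check_manifest(sample_manifest(url="http://apps.example.test/demo.ipa")),
          profile_is_current(sample_ipa(datetime(2015, 12, 18))))
```

An empty list from check_manifest means the manifest passed these checks; whether the package's signing certificate is one the device will accept still has to be confirmed separately.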

I saw many people on the forums and the internet having difficulty uploading and deploying the iOS application, mainly because they do not have access to a VPP program from Apple, but that is now more or less history. I managed to upload the iOS (*.ipa) application into Configuration Manager 2012 R2, and also managed to download and install the uploaded iOS application on the iPad from the Company Portal, however:

GOTCHA: Not all applications have a plist file; it also depends on the Mac OS X version (they changed the locations in 10.6 and again in 10.9.1). Check out this thread: http://hints.macworld.com/article.php?story=20121101064200135

Currently Configuration Manager 2012 R2 with Intune hybrid does not support the whole VPP program yet. Hopefully they will change that soon!

Hope it Helps,

Kenny Buntinx

Windows Phone 8.1 Self Service Portal (SSP) changes with Windows Intune’s November Release

November 20, 2014 at 6:20 am in company portal, hybrid, intune, Intune Standalone, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, SSP, System Center, Windows Intune, windows inune, Windows Phone 8.1, WP 8.1, WP8.1 by Kenny Buntinx [MVP]

Hi,

As you probably already know, new Windows Intune capabilities are being added as we speak for Windows Intune standalone through the so-called “November Release”, as discussed here: http://blogs.technet.com/b/microsoftintune/archive/2014/11/17/new-microsoft-intune-capabilities-coming-this-week.aspx

The Microsoft Intune Company Portal for Windows Phone app helps you search, browse and install apps made available to you by your company, through Microsoft Intune standalone or Hybrid (Configmgr and Windows Intune). Apps can be installed without requiring a connection to your corporate network. You can also enroll your personal computers and devices in the service and locate contact information for your IT team.

One additional change that was not clearly communicated is a change to how the Intune Company Portal or Self Service Portal (SSP) app for Windows Phone 8.1 is offered and installed.

Before, if you wanted to manage and deploy applications on your Windows Phone 8 and 8.1 devices, the Company Portal app was offered as a deployable download at Microsoft’s Download Center; you had to sign it with a Symantec code-signing certificate and deploy it to the management infrastructure to enable device enrollment for Windows Phone 8 and 8.1 devices. The download was infused with a Symantec certificate to ensure trustworthiness of the app and to help secure enrollments.

Microsoft has now updated the Windows Intune Company Portal app for Windows Phone 8.1. The Symantec certificate is no longer embedded and no longer required because the app is now only available through the Microsoft Store.

However, there are some things to take into account when doing hybrid or standalone implementations.

Starting this week, for Windows Intune standalone only, Microsoft removed the requirement that a company have an AET (Application Enrollment Token) and a signed Company Portal app before devices are allowed to enroll. However, devices must be enrolled for management before they can install sideloaded apps from the MDM, and they must also have the AET.

In short, this means that you no longer need the Symantec certificate to enroll and manage WP8.1 devices (not WP 8.0!), but you will still need the Symantec certificate to sideload any application that doesn’t come through the app store.

Anything else still requires both the certificate and the signed SSP.xap from the Download Center, and that still includes hybrid implementations today.

My advice for now:

1. Admins who want to stay on the old school ssp.xap for now (for hybrid deployments this is mandatory!!!)

    • Don’t tell users about store app
    • Add store app to blocked list, for extra insurance, so they can’t run it
    • Just keep doing what you’re doing

Hybrid users could still install the SSP from the store if you do not blacklist the application. However, if they do install the SSP from the store, they can’t enroll unless a cert and signed SSP have been uploaded, but they can use the portal in the “unenrolled” scenario.

2. Admins who want to move to appx from the app store (Intune standalone only!!)

    • Create an app that uninstalls ssp.xap
    • Tell users to start by installing store app and using link in app to enroll just like android or IOS

Conclusion:

The only new thing you get with the App Store SSP version is the ability to show users “Terms and Conditions” . Period.

If companies want to sideload applications, there’s still no way around having the Symantec cert.

The new App Store SSP is taking the version to 4.1.2777.2 and can be found over here :

http://www.windowsphone.com/s?appid=0b4016fc-d7b2-48a2-97a9-7de3b5ea7424

 

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

CM12 OSD : HP Zbook 17 is failing during OSD and is giving bluescreens all the way.

October 16, 2014 at 8:45 am in CM12, CM12 R2, CM12 SP1, OSD, wdf, Windows 7, Windows 7 SP1, Windows7 by Kenny Buntinx [MVP]

 

Today we had a failing HP Zbook 17 and we were not able to do OSD staging on it. It reminded me of a blog post from 6 months ago about an update called KB2685811 at http://support.microsoft.com/kb/2685811 to update the Kernel-Mode Driver Framework to v1.11.

What it is – The Windows Driver Frameworks (WDF) is a set of libraries that you can use to write device drivers that run on the Windows operating system. WDF defines a single driver model that is supported by two frameworks: Kernel-Mode Driver Framework (KMDF) and User-Mode Driver Framework (UMDF). KMDF\UMDF are provided by Microsoft so that component drivers can leverage the framework and minimize what needs to be included with the driver. This is great for the IT professional until a driver is written to a specific version of KMDF\UMDF that your system may not currently support. This happened previously with Windows Vista and is now being seen on some Windows 7 systems that do not have the 1.11 version of KMDF and the 1.11 version of UMDF.

Why you need them – Without these there is a potential of experiencing a failure in your Windows 7 OS deployment process, or of seeing devices in Device Manager that you know have drivers available but that aren’t properly installed. To ensure this does not happen, you should update your base image with KMDF 1.11 and UMDF 1.11 to make sure that current and future drivers will be installed properly. Dell, HP and Lenovo are delivering more and more drivers built on the latest WDF framework!

Now here is the “gotcha”: in order for this to work for OS deployments, you have 2 options, based on Dustin Hedges’ blog at http://deploymentramblings.wordpress.com

- Build a brand new WIM file and inject the hotfix (using DISM). Then import that WIM back into SCCM for deployment, test, retest, retest, deploy to production. Apply the update using DISM:

    cmd.exe /c X:\windows\system32\dism.exe /ScratchDir:%OSDisk%\Scratch /Image:%OSDisk%\ /Add-Package /PackagePath:%_SMSTSMDataPath%\Packages\\Windows6.1-KB2685811-x64.cab

- Package it up and inject it offline during your existing deployments, see the following blog post at  http://deploymentramblings.wordpress.com/2013/10/24/osd-injecting-the-windows-7-kernel-mode-driver-framework-kmdf/

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client management

IOS 8 support now available for System Center 2012 R2 Configuration Manager thru an extension for Windows Intune

September 30, 2014 at 4:18 am in ConfigMgr, configmgr 2012 R2, intune, MDM, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, System Center, UDM by Kenny Buntinx [MVP]

 

A new version of the iOS 7 Security Settings extension is now available for System Center 2012 R2 Configuration Manager environments that are configured with the Windows Intune connector. This updated extension adds support for iOS 8 devices. New features include: iOS 8 added to the supported platform list, configuration settings to manage and assess the compliance on iOS 8 devices, company resource access on iOS 8 devices and the ability to define an applicability rule for applications, allowing you to deploy applications to iOS 8 devices.

If you already have the iOS 7 Security Settings extension enabled, an updated extension called iOS 7 and iOS 8 Security Settings will appear as a new item in your Configuration Manager console in the Extensions for Windows Intune node. You will also be able to see other enabled extensions in this location.

To install the updated version, select the iOS 7 and iOS 8 Security Settings extension from the list and then click Enable. You do not need to disable the older version of the extension before you enable this updated version. As the updated version is installed, the configurations you previously made for the extension are retained. Once the installation is complete, only the most recent version of the extension will display in the console.

Read further at http://blogs.technet.com/b/configmgrteam/archive/2014/09/29/ios-8-support-now-available-for-sc-2012-r2-configmgr-via-extension-for-intune.aspx

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

ITDevconnections session wrap-up : Managing Your Hybrid Mobile Cloud Workforce with System Center 2012 R2 Configuration Manager

September 22, 2014 at 7:56 pm in ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, Devconnections, ECM, extensions, intune, profile, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, UDM by Kenny Buntinx [MVP]

 

A big thanks to all who attended our sessions, which were delivered by Tim De Keukelaere and myself. Below are the links to the blog posts we made earlier and referenced during the session! Hope to see you all again next year!

All blog posts were written when we encountered challenges or when we wanted to spread information. Some may be outdated, but not much has changed. I’ll start updating them as soon as I find time for it :-) .

Find them here :

Windows Intune & ConfigMgr 2012 : Notes from the field around Compliance Settings and enrollment at http://scug.be/sccm/2014/06/08/windows-intune-configmgr-2012-notes-from-the-field-around-compliance-settings-and-enrollment/

ConfigMgr 2012 R2 & Windows Intune UDM : How to prevent an “End-User” can un-enroll his “Corporate” Windows Phone 8.1 at http://scug.be/sccm/2014/04/24/configmgr-2012-r2-windows-intune-udm-how-to-prevent-an-end-user-can-un-enroll-his-corporate-windows-phone-8-1/

CM12 Extensions for Windows Intune: Resources and gotcha’s at http://scug.be/sccm/2014/02/11/cm12-extensions-for-windows-intune-resources-and-gotchas/

Deny Windows Phone Apps with Configuration Manager \ Intune at http://scug.be/nico/2014/05/22/deny-windows-phone-apps-with-configuration-manager-intune/

Sysctr Configmgr 2012 and Intune : Provisioning Email Profiles and the why the profile may not turn up on devices such as an Ipad at http://scug.be/sccm/2014/03/21/sysctr-configmgr-2012-and-intune-provisioning-email-profiles-and-the-why-the-profile-may-not-turn-up-on-devices-such-as-an-ipad/

How to Configure Hardware Inventory for Mobile Devices Enrolled by Windows Intune and Configuration Manager at http://technet.microsoft.com/en-us/library/dn469411.aspx

Collecting IMEI from devices enrolled in Windows Intune with System Center 2012 R2 Configuration Manager at http://blogs.technet.com/b/configmgrteam/archive/2014/07/30/collecting-imei-from-devices-enrolled-in-windows-intune-with-sc-2012-r2-configmgr.aspx

“Workplace Join” with ADFS 3.0 Device Registration Services and our ‘Workplace Join Hitman’ PowerShell App to the rescue ! at http://scug.be/sccm/2014/05/20/workplace-join-with-adfs-3-0-device-registration-services-and-our-workplace-join-hitman-powershell-app-to-the-rescue/

Windows Phone 8 not enrolling with the “Support Tool for Windows Intune Trial Management of Window Phone 8” at http://scug.be/sccm/2013/07/19/windows-phone-8-not-enrolling-with-the-support-tool-for-windows-intune-trial-management-of-window-phone-8/

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

ITDevconnections session wrap-up : System Center 2012 R2 Configuration Manager and Intune: Setup and Deployment Notes from the Field, with a Focus on Single Sign-On

September 22, 2014 at 1:24 pm in ADFS, ADFS 2.1, ADFS 3.0, CM12, CM12 R2, CM12 SP1, Devconnections, ECM, intune, ITDevconnections, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, UDM by Kenny Buntinx [MVP]

 

A big thanks to all who attended our sessions, which Tim De Keukelaere and myself presented. Below are the links to the blog posts we made earlier and referenced during the session! Hope to see you all again next year!

All blog posts were written when we encountered challenges or when we wanted to spread information. Some may be outdated, like the ADFS 2.1 blogs, but not much has changed. I’ll start updating them as soon as I find time for it :-)

Find them here :

Conquering BYOD with Implementing ConfigMgr 2012 R2 and Windows Intune,“ADFS”, “WAP”, “Workplace Join” and “Work Folders”. Part I at http://scug.be/sccm/2014/01/09/conquering-byod-with-implementing-configmgr-2012-r2-and-windows-intuneadfs-wap-workplace-join-and-work-folders-part-i/

Prepare to Install ADFS 2.1 Services to have SingleSignOn (SSO) in Windows Intune (WaveD) – Part 1 at http://scug.be/sccm/2013/07/04/prepare-to-install-adfs-2-1-services-to-have-singlesignon-sso-in-windows-intune-waved/

Prepare to Install ADFS 2.1 Services to have SingleSignOn (SSO) in Windows Intune (WaveD) – Part 2 at http://scug.be/sccm/2013/07/08/prepare-to-install-adfs-2-1-services-to-have-singlesignon-sso-in-windows-intune-waved-part-2/

ADFS & Workplace Join & Intune : "Profile Installation Failed" error when iOS device is Workplace Joined by using DRS on a Windows Server 2012 R2-based server at http://scug.be/sccm/2014/08/21/adfs-workplace-join-intune-profile-installation-failed-error-when-ios-device-is-workplace-joined-by-using-drs-on-a-windows-server-2012-r2-based-server/

ADFS 2.1 in combo with windows Intune stops working with ‘Error: 15404, State: 19. Could not obtain information about Windows NT group/user ‘Domain\ADFS_srvc’, error code 0×5 at http://scug.be/sccm/2014/01/22/adfs-2-1-in-combo-with-windows-intune-stops-working-with-error-15404-state-19-could-not-obtain-information-about-windows-nt-groupuser-domainadfs_srvc-error-code-0×5/

ADFS 3.0 on Windows 2012 R2: adfssrv hangs in starting mode and makes you’re domain controller unusable after reboot at http://scug.be/sccm/2014/01/15/adfs-3-0-on-windows-2012-r2-adfssrv-hangs-in-starting-mode-and-makes-youre-domain-controller-unusable-after-reboot/

Windows Intune & ConfigMgr 2012 : Notes from the field around Compliance Settings and enrollment at http://scug.be/sccm/2014/06/08/windows-intune-configmgr-2012-notes-from-the-field-around-compliance-settings-and-enrollment/

“Workplace Join” with ADFS 3.0 Device Registration Services and our ‘Workplace Join Hitman’ PowerShell App to the rescue ! at http://scug.be/sccm/2014/05/20/workplace-join-with-adfs-3-0-device-registration-services-and-our-workplace-join-hitman-powershell-app-to-the-rescue/

Configmgr 2012 & Windows Intune SSO : Self- signed certificate for token signing is about to expire. Now What? at http://scug.be/sccm/2014/04/23/configmgr-2012-windows-intune-sso-self-signed-certificate-for-token-signing-is-about-to-expire-now-what/

Windows Phone 8 not enrolling with the “Support Tool for Windows Intune Trial Management of Window Phone 8” at http://scug.be/sccm/2013/07/19/windows-phone-8-not-enrolling-with-the-support-tool-for-windows-intune-trial-management-of-window-phone-8/

Windows Intune & Dirsync : Error message “stopped-server-down” (FIM Synchronization Service Manager) at http://scug.be/sccm/2013/07/18/windows-intune-dirsync-error-message-stopped-server-down-fim-synchronization-service-manager/

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

ADFS & Workplace Join & Intune : "Profile Installation Failed" error when iOS device is Workplace Joined by using DRS on a Windows Server 2012 R2-based server

August 21, 2014 at 4:59 am in ADFS, ADFS 3.0, CM12, CM12 R2, CM12 SP1, intune, MDM, SCCM 2012, SCCM 2012 R2, SCCM 2012 SP1, UDM, Workplace Join by Kenny Buntinx [MVP]

Hi,

In our lab environment we’ve got our 2012 R2 Workplace Join environment up and running, with one Windows 8.1 client successfully browsing the claims app. When we tried to Workplace Join an iPad device, it got only as far as the Workplace Join screen.

If you want to know what ‘Workplace join’ is and how to manage it, please visit my earlier blog post at  http://scug.be/sccm/2014/05/20/workplace-join-with-adfs-3-0-device-registration-services-and-our-workplace-join-hitman-powershell-app-to-the-rescue/

The attempt to install the profile resulted in two different errors:

- On the iPad you should see the profile installation fail, assuming that the Apple iOS device is configured by using over-the-air enrollment and an Apple certificate for the iOS device is expired. In this situation, you receive an error message that resembles the following: ‘Profile Installation Failed the server certificate for federation server name/otaprofile/profile?operation=enroll is invalid.’

- If I look on the ADFS WAP server, I see the following issue in the Event Viewer:

[Screenshot: Event Viewer entry on the ADFS WAP server]

There are two main places you can start when troubleshooting an iOS-specific issue. 

1) The DRS event logs on the AD FS server, which may shed some light on what is wrong.
2) The iOS device logs.  You’ll need to download the iPhone Configuration Utility (works with iPads as well).  http://support.apple.com/kb/DL1466

Microsoft has released a hotfix for this: http://support.microsoft.com/kb/2970746. Make sure to download and install it!

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

Sysctr Enterprise Client Management : It will be a busy fall …

August 20, 2014 at 7:24 am in even, events, IT-Dev Connections, IT/Dev Connections, mms, MMS-2014, MMS2014, speak, speaking by Kenny Buntinx [MVP]

 

A lot of exciting things are happening in the System Center community these days with a lot of events around the corner.

IT-Dev Connections , SCU Europe , TechED Europe and Midland Management Summit 2014 are right around the corner and other local user group events are being planned as well.

I always enjoy being part of these events and meeting old and new friends, all with the same interest: System Center products and common technologies.

This blog post is about the events I will attend and support in the community. It lists all the sessions I’m presenting and attending, both national and international.

Hope you will attend one of my sessions and if you do, make sure to take the time to meet up and have a beer !

| Date | Event | Location | Sessions |
| --- | --- | --- | --- |
| 15-19 September | IT/Dev Connections | Las Vegas | |
| 1 October | SCUG.BE | Microsoft HQ Belgium | To be determined, but hey, we will have a local CDM speaker and we have Jason Sandys in the house for ECM. |
| 4 October | App-V User Group UK 2014 | London – Microsoft | Attendee … |
| 3-7 November | MVP Summit | Microsoft HQ Redmond | NDA – What can I say :-P |
| 10-12 November | Midland Management Summit 2014 | Minnesota | |

 

Hope it Helps,

Kenny Buntinx

Enterprise Client Management MVP

SCCM 2012 : “Another Installation is already in Progress” when deploying Applications thru OSD deployment.

August 18, 2014 at 11:26 am in agent, Application Model, applications, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, OSD, SCCM 2012, SCCM 2012 R2, SCCM 2012 SP1, Task Sequence by Kenny Buntinx [MVP]

 

At one of my current customers, I have been stuck for two days now because one or two randomly selected applications were failing. When we looked in the ‘Status Messages’ and dug a little deeper, we saw in there that:

‘Another installation is already in progress.Complete that installation before proceeding with this install.’


Knowing this is a highly secured environment, my first guess would be policies. However, I ruled out this line of thinking because during the OSD process GPOs aren’t applied. That is a fact, except for one scenario I already blogged about, as described here: ‘http://scug.be/sccm/2013/02/13/configmgr-2012-rtmsp1-applications-failed-to-install-during-osd-with-error-code-16389-and-denied-logon-for-domain-users-policy/’, but that was not the issue…

Back to the drawing board and digging deeper in the smstslog file… Suddenly, when hitting the F8 button, a popup appeared saying that I needed a reboot to complete the “Kaspersky Antimalware Client”… WTF is that doing in my task sequence?

Apparently someone at the customer had decided to set a policy on the Kaspersky management server to push-install a Kaspersky client when it scans the network and detects computers that do not have a Kaspersky management agent installed. That little process hijacked my task sequence installation process and jumped in the middle to install that Kaspersky agent.

Case closed… My advice: before troubleshooting ConfigMgr, just start asking who made changes to other parts of the environment :-P

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

MVP Award Renewal for 2014-2015: Enterprise Client Management

July 1, 2014 at 7:02 pm in ECM, MVP by Kenny Buntinx [MVP]

 

I’m very proud to inform you that my MVP award got renewed for the year 2014 – 2015 on Enterprise Client Management. This is certainly a great honor for me.

Thank you Microsoft, blog readers and all the community members that helped me out!

Thanks for the recognition. I am delighted.

Kenny Buntinx

Enterprise Client Management MVP
