Work Folders app for Iphone finally released

April 10, 2015 at 1:15 pm in EMS, intune, iOS, Iphone, IT-Dev Connections, IT/Dev Connections, ITDevconnections, Work Folders, Workplace Join by Kenny Buntinx [MVP]

 

We are happy to announce that an iPhone app for Work Folders has been released into the Apple AppStore® and is available as a free download.

( There also is a Work Folders app for iPad released a few months ago.)

Overview

Work Folders is a Windows Server feature that allows individual employees to access their files securely from inside and outside the corporate environment. This app connects to it and enables file access on an Apple iPhone and iPad. Work Folders enables this while allowing the organization’s IT department to fully secure that data.

This app for iOS features an intuitive UI, selective sync, end-to-end encryption, search and in-app file viewing.
It also integrates well with Windows Intune to fully complete the most important mobile device management scenarios around corporate data on mobile devices.

You will learn more about it on our session “Securely Delivering Traditional Windows File Server Home Folders to BYOD Devices’ at

ITnDevConnections_logo_TylerOptimized_236x59

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

Enterprise Mobility Suite: Steps to add your O365 infrastructure when already using your hybrid Configmgr 2012 R2 and Windows Intune infrastructure at your company.

April 9, 2015 at 1:03 pm in 0365, azure, configmgr 2012 R2, ECM, EMS, Enterprise Mobility Suite, intune, Intune Standalone, o365, office 365, SCCM 2012, sccm 2012 R2, WAAD, Windows Azure Active Directory by Kenny Buntinx [MVP]

 

Enterprise Mobility Suite (EMS) is Microsoft’s new bundle that includes Azure Active Directory Premium, Windows Intune and Azure Rights Management.The Enterprise Mobility Suite is Microsoft’s answer for Mobile Device Management requirements.

For people that have already Configuration Manager 2012 R2 , you can connect your Windows Intune subscription to get a single pane of glass for management. In the so called hybrid mode you can manage all your assets, from one single console.

Most customers starting with EMS will likely already have an Office 365 infrastructure in place . From that direction it is easy to add your EMS components to the existing o365 WAAD (Windows Azure Active Directory) 

The most common way that WAAD directories where created before any O365 components existed was through the Windows Intune Sign Up process.

When setting up an Windows Intune subscription for the first time, you have to pick a tenant name (In our case demolabsbe.onmicrosoft.com). When you create the tenant name, a Windows Azure Active Directory (WAAD) account is created behind-the-scenes to store your users and groups, using the domain “demolabsbe.onmicrosoft.com” (you can add your domain names to this WAAD account later, but you will always have the original .onmicrosoft.com domain associated with it).

Windows Intune creates the WAAD accounts, but doesn’t let you manage it out of the box . You only can attach custom domains, configure users, groups & global administrators from the Windows Intune account management portal.

Attention: The WAAD account is not the same as a Windows Azure Subscription. A Windows Azure Subscription does not get automatically created or associated to your Windows Intune or Office 365 subscription or visa versa !

Scenario :

The customer has already the Windows Intune subscribtion in place and wants to add a fresh Office 365 tenant to it using the same (.onmicrosoft.com) name .

How ?:

SNAGHTML3dacbdf

1. Select “Free Trial”

image

2. Sign up for new account

image

3. <IMPORTANT> Login again with your administrator@demolabs.onmicrosoft.com account that you used for registering your previous Windows Intune account !!. <IMPORTANT>

image

4. Don’t forget to hit the try button :-)

image

 

5. When you click “Domains” (1) , you will see that your validated domain ( in our case Demolabs.be) is attached and validated (2) . Now the last step is to go thru the wizard “Complete Setup” (3) to complete it .

6. You’re done . Now you can start to assign O365 licenses to your users and play with “Conditional access” as explained in this nice blog post from our colleague MVP Peter Daalmans

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

Speaker at IT/Dev Connections – September 14-17

April 9, 2015 at 8:55 am in Devconnections, meetthebelgians, speaking, vegas by Kenny Buntinx [MVP]

 

clip_image001

 

I am proud to announce that the magic duo on mobility “Tim De Keukelaere”  and myself, will be delivering two sessions entitled :

-  “Armoring your mobile workforce for the 21st century”.

– “Securely Delivering Traditional Windows File Server Home Folders to BYOD Devices”

Together with “Peter Daalmans” , I will deliver a session about managing Citrix with CM12 :

– “How to Extend the App Model to Support Your User-Centric XenDesktop in the Data Center”

During this event we are joined by other top quality speakers who will be delivering multiple sessions on a wide range of topics , but also be prepared to #meetthebelgians

More information and registration details can be found here.

Something to look forward to as it also is in the warm and sunny Vegas . Make sure to join us if you are around!

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

Deploying IE11 the right way with Enterprise mode & Site Discovery thru Configmgr 2012

January 22, 2015 at 10:37 am in CM12, CM12 R2, CM12 SP1, ConfigMgr, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, enterprise mode, IE11, internet explorer, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1 by Kenny Buntinx [MVP]

Deploy Internet Explorer 11 today as from January 2016 only the latest version of IE will be supported on the currently supported OS’s such as Windows 7 – 8.1 – 10. You should really deploy IE11 today and start working with compatibility testing for your web applications.

 

For deploying IE11 you will need a lot of prerequisites fulfilled and you will need to do a lot of work to get it deployed successfully. More or less you will need to do it in four steps:

1. Deploy about 9 prerequisites! You must deploy KB2834140, KB2670838, KB2639308, KB2533623, KB2731771, KB2729094, KB2786081, KB2888049, KB2882822 to be able to install IE11 without any issues. Make sure you download the latest updates!

2. Reboot

3. Deploy IE11 itself. If you need the Google search provider, the only way is to repackage IE11 with IEAK.To customize Internet Explorer 11, first things first: download the Internet Explorer Administration Kit 11 here.

4. Force a reboot here

5. Make sure if you want to use IE11 Enterprise mode, you will need to deploy KB 2929437 after the installation of IE11.

6. Reboot

7. Deploy all security updates thru CM12/WSUS

8. Reboot

Luckily for us we have ConfigMgr 2012 and the fantastic Application model to handle that.

IE11 Enterprise Mode?

Enterprise Mode in IE11 is a compatibility mode that runs web apps in IE8 mode to make them work on IE11. Enterprise Mode is turned on by IT Pro using Group Policy settings for specific domains or pages. It’s much like the compatibility view settings, but provides Internet Explorer 8 compatibility. WebPages that work in Internet Explorer 8 work seamlessly in Enterprise Mode.

More on IE11 Enterprise Mode and Enterprise Mode Site List Manager.

Using the Internet Explorer Site Discovery Tool?

What do you say ??

Not so long ago Microsoft released a little tool that will inventory all the web sites a user visits to provide means to get a grip on web app compatibility. The inventory can be used for all or only some specific clients. The data is collected via WMI and inventoried with System Center Configuration Manager. There are pre-made reports included that can be imported and used in ConfigMgr.

You will find more information here on Enterprise Site Discovery Toolkit for Internet Explorer 11.

 

Collect data using Internet Explorer Site Discovery

Internet Explorer Site Discovery overview

You can use Internet Explorer to collect data on computers running Internet Explorer 11 on either Windows 8.1 or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your Internet Explorer deployments, including figuring out which sites might be at risk or require overhauls during future upgrades.

By default, Internet Explorer doesn’t collect data; you have to turn this feature on if you want to use it. You must make sure that using this feature complies with all applicable local laws and regulatory requirements.

What data is collected?

Data is collected on the configuration characteristics of Internet Explorer and the sites it browses, as shown here.

Data point

Description

URL

URL of the browsed site, including any parameters included in the URL.

Domain

Top-level domain of the browsed site.

ActiveX GUID

The GUID of the ActiveX controls loaded by the site.

Document mode

Document mode used by Internet Explorer for a site, based on page characteristics.

Document mode reason

The reason why a document mode was set by Internet Explorer.

Browser state reason

Additional information about why the browser is in its current state. Also called, browser mode.

Hang count

Number of visits to the URL when the browser hung.

Crash count

Number of visits to the URL when the browser crashed.

Most recent navigation failure (and count)

Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened.

Number of visits

The number of times a site has been visited.

Zone

Zone used by Internet Explorer to browse sites, based on browser settings.

Where is the data stored and how do I collect it?

The data is stored locally, in an industry-standard WMI class, Managed Object Format (.MOF) file. This file remains on the client computer until it’s collected. To collect the file from your client computers, we recommend using Microsoft System Center 2012 R2 Configuration Manager. However, if you don’t use System Center, you can collect the file using any agent that can read the contents of a WMI class on your computer.

Requirements

Before you start, you need to make sure you have the following:

Setup and configuration package, including:

    • Configuration-related PowerShell scripts
    • IETelemetry.mof file
    • Sample System Center 2012 report templates

Both the PowerShell script and .mof file need to be copied to the same location on the client computer, before you run the scripts.

Setting up your client computers for data collection

On your test computer, run the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file, update security privileges for the new WMI classes, and to set the registry key.

To set up your computers:

  1. Create a Package/Program in Configmgr 2012 that runs the IETElemetrySetUp.ps1
  2. Restart your computer to start collecting your WMI data.

Using System Center 2012 R2 Configuration Manager to collect your data

After you’ve collected all of the data, you’ll need to get the local files off of your computers. To do this, use the hardware inventory process in System Center Configuration Manager, in one of the following ways.

Collect your hardware inventory using the MOF Editor while connecting to a computer

You can collect your hardware inventory using the MOF Editor, while you’re connected to your client computers.

To collect your inventory

1. From the System Center Configuration Manager, click Administration, click Client Settings, double-click Default Client Settings, click Hardware Inventory, and then click Set Classes.

clip_image002

2. Click Add, click Connect, and connect to a computer that has completed the setup process and has already existing classes.

3. Change the WMI Namespace to root\cimv2\IETelemetry, and click Connect

clip_image004

4. Select the check boxes next to the following classes, and then click OK:

· IESystemInfo

· IEURLInfo

· IECountInfo

5. Click OK to close the default windows.

Your environment is now ready to collect your hardware inventory and review the sample reports.

Collect your hardware inventory using the MOF Editor with a MOF import file

You can collect your hardware inventory using the MOF Editor and a MOF import file.

To collect your inventory:

1. From the System Center Configuration Manager, click Administration, click Client Settings, double-click Default Client Settings, click Hardware Inventory, and then click Set Classes.

2. Click Import, choose the MOF file from the downloaded package we provided, and click Open.

3. Pick the inventory items to install, and then click Import.

4. Click OK to close the default windows.

Your environment is now ready to collect your hardware inventory and review the sample reports.

Collect your hardware inventory using the SMS_DEF.MOF file

You can collect your hardware inventory using the using the Systems Management Server (SMS_DEF.MOF) file.

To collect your inventory:

1. Using a text editor like Notepad, open the SMS_DEF.MOF file, located in your <Config_Manager_install_location>\inboxes\clifiles.src\hinv directory.

2. Add this text to the end of the file:

[SMS_Report (TRUE), SMS_Group_Name ("IESystemInfo"), SMS_Class_ID ("MICROSOFT|IESystemInfo|1.0"), Namespace ("root\\\\cimv2\\\\IETelemetry") ] Class IESystemInfo: SMS_Class_Template { [SMS_Report (TRUE), Key ] String SystemKey; [SMS_Report (TRUE) ] String IEVer; }; [SMS_Report (TRUE), SMS_Group_Name ("IEURLInfo"), SMS_Class_ID ("MICROSOFT|IEURLInfo|1.0"), Namespace ("root\\\\cimv2\\\\IETelemetry") ] Class IEURLInfo: SMS_Class_Template { [SMS_Report (TRUE), Key ] String URL; [SMS_Report (TRUE) ] String Domain; [SMS_Report (TRUE) ] UInt32 DocMode; [SMS_Report (TRUE) ] UInt32 DocModeReason; [SMS_Report (TRUE) ] UInt32 Zone; [SMS_Report (TRUE) ] UInt32 BrowserStateReason; [SMS_Report (TRUE) ] String ActiveXGUID[]; [SMS_Report (TRUE) ] UInt32 CrashCount; [SMS_Report (TRUE) ] UInt32 HangCount; [SMS_Report (TRUE) ] UInt32 NavigationFailureCount; [SMS_Report (TRUE) ] UInt32 NumberOfVisits; [SMS_Report (TRUE) ] UInt32 MostRecentNavigationFailure; }; [SMS_Report (TRUE), SMS_Group_Name ("IECountInfo"), SMS_Class_ID ("MICROSOFT|IECountInfo|1.0"), Namespace ("root\\\\cimv2\\\\IETelemetry") ] Class IECountInfo: SMS_Class_Template { [SMS_Report (TRUE), Key ] String CountKey; [SMS_Report (TRUE) ] UInt32 CrashCount; [SMS_Report (TRUE) ] UInt32 HangCount; [SMS_Report (TRUE) ] UInt32 NavigationFailureCount; };

3. Save the file and close it to the same location.

Your environment is now ready to collect your hardware inventory and review the sample reports.

Viewing the sample reports

The sample reports, SCCM Report Sample – ActiveX.rdll and SCCM Report Sample – Site Discovery.rdl, work with System Center 2012, so you can review your collected data.

SCCM Report Sample – ActiveX.rdl

Gives you a list of all of the ActiveX-related sites visited by the client computer.

clip_image006

SCCM Report Sample – Site Discovery.rdl

Gives you a list of all of the sites visited by the client computer.

clip_image008

Turning off data collection on your client computers

After you’ve collected all of your data, you’ll need to turn this functionality off.

To stop collecting data:

On your test computer, start PowerShell in elevated mode and run IETElemetrySetUp.ps1 using this command: powershell .\IETElemetrySetUp.ps1 -IEFeatureOff. clip_image009

Turning off data collection only disables the Internet Explorer Site Discovery feature – all data already written to WMI stays on the client computer.

Deleting already stored data from client computers

You can completely remove the data stored on your client computers.

To delete existing data:

On the client computer, start PowerShell in elevated mode (using admin privileges) and run these commands:

    1. Remove-WmiObject -Namespace root/cimv2/IETelemetry IEURLInfo
    2. Remove-WmiObject -Namespace root/cimv2/IETelemetry IESystemInfo
    3. Remove-WmiObject -Namespace root/cimv2/IETelemetry IECountInfo
    4. Remove-Item -Path 'HKCU:\Software\Microsoft\Internet Explorer\WMITelemetry'

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

Swiss 09/02/2015: CMCE R2 Community Event Speaker

January 21, 2015 at 9:52 pm in CMCE, speak, speaking, Swiss by Kenny Buntinx [MVP]

 

I am proud to announce that I received an invitation to talk in Zurich at the 9th of February 2015 in Zurich at a community event called CMCE

image

The magic duo on mobility “Tim De keukelaere”  and myself, will be delivering two sessions entitled “Armoring your mobile workforce for the 21st century”. Focus for both sessions will be on Unified Device Management with Configuration Manager and Microsoft Intune. The first session will be a general overview and during the second session we will deep-dive further into the technical details and demonstrate some more advanced scenarios around managing and deploying Certificates , WIFI and VPN profiles and not so out of the box technical solutions.

During this one day event we are joined by other top quality speakers who will be delivering multiple sessions on a wide range of topics.

More information and registration details can be found here.

Something to look forward to. Make sure to join us if you are around!

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

Windows 7 Configmgr 2012 Balloon tips : Setting it more then 5 sec to display.

January 20, 2015 at 7:06 am in CM12, CM12 R2, CM12 SP1, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, Portal, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, Software Center by Kenny Buntinx [MVP]

 

The balloon tip when System Center configuration manager 2012 SP1 / R2 wants to install  your software is only shown for a few seconds. Often users complain that they can’t read the balloon tip that fast. So we have to increase the display time of the balloon.

image

Right click and choose New, Registry Item

Key Path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify
Value name: Balloontip
Value type: REG_DWORD
Value Data (dec): 00000020

Click OK and you’re all set!

This changes the display time to 20 seconds.

You can handle this with creating a Configuration Item and deploying it thru a Configuration Baseline . Below you will find the steps :

1. Create a configuration Item called “ RegSetting BalloonTip “

image 

image

2. In the settings , create the regkey to check as specified above in the first section of this blog post .

image

3. Create the compliance Rule and enter the value you want . In this case it will be 20 seconds.

image

4. Save your configuration Item. Create a Configuration baseline that contains you Configuration Item and deploy it to your workstations. Make sure to select “Remediate non complaint rules when supported” in your deployment.

image

Hope it Helps ,

Kenny Buntinx

MVP enterprise Client Management

The Enterprise Mobility Suite and the 10 reasons why you’re company needs it

January 14, 2015 at 10:58 am in azure, CM12, CM12 R2, ConfigMgr, EMS, hybrid, intune, Intune Standalone, RMS, sccm, sccm 2012 R2, System Center by Kenny Buntinx [MVP]

 

Together, Windows Server 2012 R2, System Center 2012 R2 Configuration Manager, Microsoft Azure AD Premium , Microsoft Azure RMS and Microsoft Intune , also called the Enterprise Mobility Suite (EMS) help organizations address the consumerization of IT. With Microsoft’s people-centric IT solution, organizations can empower their users, unify their environment, and protect their data, ultimately helping to embrace consumerization and a people- centric IT model, while maintaining corporate compliance.

What can the Microsoft Enterprise Mobility Suite (EMS) bring for you :

· Enabling your end users to work on the device or devices they love and providing them with consistent and secure access to corporate resources from those devices. Part of the way we do that is by providing a hybrid identity solution, enabled by Azure Active Directory Premium.

· Delivering comprehensive application and mobile device management from both your existing on-premises infrastructure, including Microsoft System Center Configuration Manager, Windows Server, and Active Directory, as well as cloud-based services, including Windows Intune and Windows Azure. This helps to unify your environment. EMS provides mobile device management, enabled by Windows Intune

· Helping protect your data by protecting corporate information and managing risk. EMS provides data protection, enabled by Azure Rights Management service

Here are the 10 reasons why to consider EMS:

10. The ability to protect corporate information by selectively wiping apps and data. With System Center Configuration Manager 2012 and/or Microsoft Intune, IT can selectively and remotely wipe any device, including applications and sensitive company data, management policies and networking profiles.

9. Identification of compromised mobile devices. Jailbreak and root detection enables IT to determine which devices accessing corporate resources are at-risk, so that IT can choose to take appropriate action on those devices, including removing them from the management system and selectively wiping the devices.

8. Comprehensive settings management across platforms, including certificates, virtual private networks (VPNs), and wireless network and email profiles. With System Center Configuration Manager 2012 and/or Microsoft Intune, IT can provision certificates, VPN’s, and wi-fi profiles on personal devices within a single administration console.

7. Access on-premises and in-the-cloud resources with common identity. IT can better protect corporate information, manage and control resource access, and mitigate risk by being able to manage a single identity for each user across both on-premises and cloud-based applications. IT can better protect corporate information and mitigate risk by being able to restrict access to corporate resources based on user, device, and location.

6. Simplified, user-centric application management across devices. IT gains efficiency with a single management console, where policies and applications can be applied across groups (user and device types).

5. Enhance end-user productivity with self-service and Single-Sign-On (SSO) experiences. Help users be more productive by providing each with a single identity to use no matter what they access, whether they are working in the office, working remotely, or connecting to a cloud-based Software-as-a-Service (SaaS) application. Access company resources consistently across devices. Users can work from the device of their choice to access corporate resources regardless of location.

4. Protect information anywhere with Microsoft Azure RMS. Protecting information at rest and in transit requires authentication and preventing alteration, both key requirements for protecting sensitive corporate information.

The Microsoft Azure Rights Management Solution (RMS) that can help enterprises transition from a device-centric to a people-centric, consumerized IT environment without compromising compliance on document protection.

3. Single Pane of Glass Mobile device management of on-premises and cloud-based mobile devices. IT can manage mobile devices completely through the cloud with Microsoft Intune or extend its System Center Configuration Manager infrastructure with Microsoft Intune to manage their devices (PCs, Macs, or servers) and publish corporate apps and services, regardless of whether they’re corporate-connected or cloud-based.

2. Simplified registration and enrollment for BYOD. Users can register their devices for access to corporate resources and enroll in the Microsoft Intune management service to manage their devices and install corporate apps through a consistent company portal.

And… Number 1 if you ask me for the Microsoft Enterprise Mobility Suite…

1. Enable users to work on the device of their choice and from where they want. Give your users access to applications, data and resources from any device from virtually everywhere, while ensuring documents are secured and your mobile devices are compliant.

Hope it Helps ,

Kenny Buntinx

Enterprise Mobility Suite: Steps to get to Azure AD Premium when already using your hybrid Configmgr 2012 R2 and Windows Intune infrastructure.

December 30, 2014 at 9:32 am in azure, CM12, CM12 R2, ConfigMgr, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, EMS, Enterprise Mobility Suite, intune, Intune Standalone, Mobility, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, WAAD, Windws Intune by Kenny Buntinx [MVP]

 

Enterprise Mobility Suite (EMS) is Microsoft’s new bundle that includes Azure Active Directory Premium, Windows Intune and Azure Rights Management.The Enterprise Mobility Suite is Microsoft’s answer for Mobile Device Management requirements.

For people that have already Configuration Manager 2012 R2 , you can connect your Windows Intune subscription to get a single pane of glass for management. In the so called hybrid mode you can manage all your assets, from one single console.

While you can create a new WAAD (Windows Azure Active Directory) account directly from the Windows Azure Management Portal, but the most common way that WAAD directories where created before EMS existed was through the Windows Intune Sign Up process.

When setting up an Windows Intune subscription for the first time, you have to pick a tenant name (In our case demolabsbe.onmicrosoft.com). When you create the tenant name, a Windows Azure Active Directory (WAAD) account is created behind-the-scenes to store your users and groups, using the domain “demolabsbe.onmicrosoft.com” (you can add your domain names to this WAAD account later, but you will always have the original .onmicrosoft.com domain associated with it).

Windows Intune creates the WAAD accounts, but doesn’t let you manage it out of the box . You only can attach custom domains, configure users, groups & global administrators from the Windows Intune account management portal.

Attention: The WAAD account is not the same as a Windows Azure Subscription. A Windows Azure Subscription does not get automatically created or associated to your Windows Intune or Office 365 subscription or visa versa !

When you log in with your Windows Intune tenant account into the Windows Azure Management Portal (https://manage.windowsazure.com) you will see a message that there are no associated Azure Subscriptions.

Windows Azure however lets you manage all the advanced settings of WAAD accounts, including names, premium features, Apps, SSO access, multi-factor authentication, etc. The Enterprise Mobility Suite (EMS) feature , Windows Azure AD Premium can only be managed properly when you link your Windows Intune WAAD to your organizational Windows Azure Subscription.

 
Step 1: How to add your  Existing Windows Azure Active Directories to your Windows Azure Subscription ?

 

The process to add a WAAD account to your Windows Azure subscription used to be pretty painful , but now you can easily do this by adding an “Existing WAAD account”. The process is as follows:

1. Login to Windows Azure Management Portal with your Microsoft Account.

2. Click on the Active Directory category on the left, and then click the New button.

clip_image002

3. Choose New > App Services > Active Directory > Directory > Custom Create.

4. On the Add Directory dialog, click the Directory dropdown, and choose Use Existing Directory.

clip_image004

5. The dialog will switch, and inform you that you will be signed out, and need to sign in with a Global Administrator for the existing WAAD account. Check the box and click Sign Out.

clip_image006

6. Login with a Global Administrator for the WAAD account.

7. Once you login, you’ll be asked to confirm the link. Linking will make the Microsoft Account a Global Administrator in the WAAD account. Proceed through this, and you will be asked to Sign Out.

image

image

8. After Signing Out, and signing back in with your Microsoft Account, you’ll now see the WAAD account in the list of Active Directory accounts in the Windows Azure Management Portal!

image

 

Step 2 : Activate Azure AD Premium  and assign licenses to your users

 

Now that your previous created Windows Azure Active Directories from Windows Intune are visible within our Azure subscription , we can add the Azure AD Premium features to it .

In the picture below , you will see a newly created WAAD called EMSExperts from the Azure portal . By default the Azure AD Premium  can be found under the licenses tab. Now you can assign licenses to users.

image

In the other picture below , you will see the previously created WAAD from Windows intune ( added to the azure subscription later ) called MSCloudExperts. By default only the Windows Intune licenses can be found but the Azure AD Premium cannot be found under the licenses tab.

image

To add the “Azure AD Premium” licenses , you must go to the bottom of the page and hit the “Activate Trial” or “Purchase”  .

image

Now you will see that there are 2 license plans added to your WAAD . One for Windows Intune and one for Azure AD Premium. Now you can assign licenses to your users accordingly

image

 

 

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

Hybrid scenarios with System Center Configuration Manager 2012 R2 – Windows Intune – ADFS – WAP – NDES – Workplace Join: Hotfixes you really need in your environment.

December 29, 2014 at 8:26 pm in ADFS, ADFS 3.0, CM12, CM12 R2, CM12 SP1, ConfigMgr, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, EMS, hybrid, intune, Intune Standalone, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, WAP by Kenny Buntinx [MVP]

 

To make the most out of you’re lab or production environment when going to implement several features that are combined when using System Center Configuration Manager 2012 R2 and Intune for mobile workforce deployment, I will advise you to install the following hotfixes :

For your System Center Configuration manager 2012 R2 environment and Windows Intune connector:

 

1. Install Cu3 KB2994331 . A lot of things are fixed in each Cu , but not every fix is noted down in the release notes. It is therefore very important that you install the latest cumulative updates in general !

Why CU’s Matter (again ! ) –> Pre CU3 NDES templates need to be recreated > Re-targeting from device to user is not sufficient as there no good migration happening when upgrading from Cu1 or Cu2 !

2. Install KB article 2990658 . This hotfix greatly reduces the time that’s required to execute a successful retire or wipe of an MDM device by using a notification to "push" these tasks. Without this hotfix, retire and wipe operations could require 24 hours to run successfully, because they relied on a "pull" mechanism of this frequency . This hotfix will probably included when the next Cumulative Update will be released.

3. Install KB article 3002291 . This hotfix will fix when a user becomes a cloud-managed user In Microsoft SystemCenter 2012 R2 Configuration Manager, a settings policy may not target the assignment for the user.

For your ADFS and WAP (Web Application Proxy) with Server 2012 R2 environment:

 

1. To fix the "Profile Installation Failed" error when iOS device is workplace-joined by using DRS on a Windows Server 2012 R2-based server , look at Knowledgebase article 2970746 and make sure you deploy KB2967917 on your WAP Server , which is the July 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 .

2.  To fix the “Large URI request in Web Application Proxy fails in Windows Server 2012 R2” when deploying and NDES server thru the Web Application Proxy (WAP) , look at Knowledgebase article 3011135 (Issue found and resolved by Pieter Wigleven) and make sure you deploy KB3013769 on your WAP Server , which is the December 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2

For your CA (certificate Authority) infrastructure when you want to use NDES:

 

1. The issuing CA needs to be Windows Server 2008R2 (with KB2483564) or preferable with a Windows Server 2012 R2 OS.

 

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

Apple Volume Purchase Program (VPP) expands but changes nothing around supportability for side loading within Configmgr & Intune hybrid or standalone.

December 18, 2014 at 10:40 am in Apple, EMM, EMS, intune, Intune Standalone, scc, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, VPP by Kenny Buntinx [MVP]

 

Great news for our customers!

There are a number of ways of deploying apps to iOS devices throughout your enterprise. You can purchase and assign apps with MDM through the Volume Purchase Program (VPP), or create and deploy your own in-house apps by joining the iOS Developer Enterprise Program. Additionally, if you are in a shared-device deployment scenario you can install apps and content locally with Apple Configurator or your MDM solutions such as Windows Intune.

As more than an half year ago, when I wrote about the following SCUG acticle : “CM12 and intune : Deploying Windows *.ipa IOS Applications requires a *.plist file” , regarding that Apple’s Volume Purchase Program (VPP) was only available in limited countries as Germany and UK . That caused challenges for side loading applications thru your MDM solution such as Configmgr 2012 R2 and Intune on the Hybrid model.

Now Apple has expanded the Volume Purchase Program (VPP) (http://www.apple.com/business/vpp/ ) to a lot of more countries as shown below :

Australia, Belgium, Canada, Denmark, Finland, France, Germany, Greece, Hong Kong, Ireland, Italy, Japan, Luxembourg, Mexico, Netherlands, New Zealand, Norway, Singapore, Spain, Sweden, Switzerland, Taiwan, Turkey, United Arab Emirates, United Kingdom, and United States.

This will make our life certainly much easier as we have a “Licensed way” of deploying volume licensed apps on IOS and OSX.

Distributing the app with your MDM solution such as ConfigMgr with Intune

To distribute an iOS application, you must have a valid .ipa package and a manifest (plist) file. The manifest file is an XML .plist file that is used to find, download and install any iOS applications that are located outside the App Store. The manifest file cannot exceed 10 KB. For more information, see the relevant Apple documentation.

· The .ipa package must be valid. This means that the package was signed by Apple and the expiration date indicated in the provisioning profile is still valid.

· For iOS applications, Windows Intune can distribute enterprise certificate iOS applications. Not all Apple developer certificate applications are supported.

· Your enterprise must be registered for the iOS Developer Enterprise Program.

· Make sure that your organization’s firewall allows access to the iOS provisioning and certification web sites.

I saw many people having difficulty to upload and deploy the IOS application in the forums and internet. Mainly because they do not have access to a VPP program from Apple, but that is now more or less history. I managed to upload the IOS (*.ipa) application into Configuration Manager 2012 R2, and also manage to download and install the uploaded IOS application to the IPad from the Company Portal however :

GOTCHA: Not all applications have a plist file, it also depends on the MAC OSX (they have been changing the locations in 10.6 and again in 10.9.1. – checkout this thread http://hints.macworld.com/article.php?story=20121101064200135

Currently Configuration Manager 2012 R2 with Intune hybrid is not supporting the whole VPP Program yet. Hopefully they will change that soon!

Hope it Helps,

Kenny Buntinx