
Enterprise Mobility : In the land of NDES – Where one eye is King and you need to watch your CRL Delta files

7:26 pm in 1702, certificates, CM12 R2 SP1, ConfigMgr 2012 R2 SP1, ConfigMgr CB, Configmgr Current Branch, CRL, EMS, Enterprise Mobility Suite, error 500, intune, Intune Standalone, ndes, NDES Connector, Windows Intune, Windws Intune by Kenny Buntinx [MVP]

I was doing an EMS POC, and deployment of certificates to mobile devices was a requirement, so I needed to set up an NDES server with a separate Subordinate CA for MDM, an NDES server and an SCCM Certificate Registration Point (CRP). No big deal, I thought, as I had already done it multiple times. At my customer we worked closely with the server team and set up the infrastructure, which was working fine at first sight.

After a reboot of the NDES server I was struggling to get the Network Device Enrollment Service (NDES) up and running again, as it would throw an error 500.


The event log of the NDES Server told me the following:

The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.
The Network Device Enrollment Service cannot be started (0x80070057). The parameter is incorrect.

When the service starts, it searches for two certificates that are used by the service:

1. The service searches in the machine MY store, AND

2. The certificate must have the following extensions, AND

For the Key Exchange certificate:

– ExtendedKeyUsage: “Certificate Request Agent”

– KeyUsage: Encryption (0x20)

For the enrollment agent certificate:

– ExtendedKeyUsage: “Certificate Request Agent”

– KeyUsage: Signature (0x80)

3. The certificate must not be archived, AND

4. The computer must have the private key for the certificate, AND

5. The certificate must be issued by the same CA that the service is configured for, AND

6. The certificate must have a valid chain, AND

7. If more than one certificate for either role meets the previous criteria, the service selects the most recent one (the latest that was issued).
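As an added example (not code from the original post), this PowerShell script walks the local machine MY store and reports, for each of the two roles, which certificates satisfy the seven rules above and which one NDES would end up using. The CA common name in $IssuerCN is a placeholder; the EKU OID for Certificate Request Agent and the key usage bit values are the standard ones.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell on the NDES server.
# $IssuerCN is a placeholder: the common name of the CA that NDES is configured for.
param(
    [string]$IssuerCN = 'NameOfYourSubCA'
)

$RequestAgentEku = '1.3.6.1.4.1.311.20.2.1'   # EKU "Certificate Request Agent"

function Test-NdesCertificate {
    # Returns the list of rules the certificate violates; an empty list means "usable".
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]$RequiredKeyUsage
    )
    $problems = @()

    # Rule 5: issued by the CA that NDES is configured for (checked first because it is cheap)
    $issuerCn = $Cert.GetNameInfo('SimpleName', $true)
    if ($issuerCn -ne $IssuerCN) { return ,@("issued by '$issuerCn', not '$IssuerCN'") }

    # Rule 2: EKU must contain Certificate Request Agent and KeyUsage the required bit
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $RequestAgentEku })) {
        $problems += 'missing Certificate Request Agent EKU'
    }
    $ku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if (-not $ku -or (($ku.KeyUsages -band $RequiredKeyUsage) -eq 0)) {
        $problems += "KeyUsage lacks $RequiredKeyUsage"
    }

    # Rule 3: not archived; rule 4: private key present on this computer
    if ($Cert.Archived)           { $problems += 'certificate is archived' }
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }

    # Rule 6: the chain must build, with online revocation checking for the whole chain.
    # This is the step that fails when the CRL or the Delta CRL cannot be downloaded.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems += "chain error: $status"
    }
    return ,$problems
}

$store = Get-ChildItem Cert:\LocalMachine\My
$roles = @(
    @{ Name = 'Key Exchange';     Usage = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment }   # Encryption (0x20)
    @{ Name = 'Enrollment Agent'; Usage = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature }  # Signature (0x80)
)
foreach ($role in $roles) {
    Write-Host "== $($role.Name) certificate =="
    $usable = @()
    foreach ($cert in $store) {
        $problems = Test-NdesCertificate -Cert $cert -RequiredKeyUsage $role.Usage
        if ($problems.Count -eq 0) { $usable += $cert }
        else { Write-Host ("  skip {0} ({1}): {2}" -f $cert.Thumbprint, $cert.Subject, ($problems -join ', ')) }
    }
    # Rule 7: with several usable certificates NDES takes the most recently issued one
    $chosen = $usable | Sort-Object NotBefore -Descending | Select-Object -First 1
    if ($chosen) { Write-Host "  NDES would use $($chosen.Thumbprint), issued $($chosen.NotBefore)" }
    else         { Write-Host '  no usable certificate: expect 0x80070057 when the service starts' }
}
```

The chain error text for a skipped certificate is the same information CAPI2 logging gives you, so a "revocation" status here points straight at the CRL problem described further down.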

Troubleshooting certificate issues requires you to enable CryptoAPI 2.0 event logging:

CryptoAPI 2.0 Diagnostics is a feature available from Windows Server 2008 onwards that supports the troubleshooting of issues concerned with:

– Certificate Chain Validation

– Certificate Store Operations

– Signature Verification

Enable CAPI2 logging by opening the Event Viewer, navigating to Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2 and expanding it. You should see a view named Operational. Next, right-click on the Operational view and click the Enable Log menu item.

Then search for the right information in the CAPI2 Operational log.

I was quite sure that I was able to download the CRL (Certificate Revocation List), and I double-checked that by browsing to the URL http://pki.xxx.be/CertEnroll/<NameOfYourSubCA>.crl, where I was able to download the file. When digging deeper into the event IDs, I found at EventID 42 that the following URL was shown: http://pki.xxx.be/CertEnroll/<NameOfYourSubCA+>.crl. This means it was looking for the availability of the Delta CRL, which was visible on the web site of my CRL.

When I finally tried to download this Delta CRL file, it failed. I remembered that IIS treats the + sign very differently in URLs.

I needed to enable the “Allow double escaping” setting in the web.config file.

After enabling this, NDES was able to retrieve the Delta CRL file and start the service gracefully.
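As an added example (not code from the original post), the following PowerShell fetches both the base CRL and the Delta CRL the way NDES would, and, when only the Delta CRL fails, turns on the IIS request filtering setting described above for the CertEnroll directory. The CDP base URL, the CA name and the IIS site name are placeholders; the fix part must run on the IIS server that hosts the CDP and needs the WebAdministration module.

```powershell
# Added example, not code from the original post. The download check runs anywhere;
# the web.config change must run on the IIS server that hosts the CertEnroll directory.
# All three parameters are placeholders to replace with your own values.
param(
    [string]$CdpBase  = 'http://pki.xxx.be/CertEnroll',
    [string]$CaName   = 'NameOfYourSubCA',
    [string]$SiteName = 'Default Web Site'
)

function Test-CrlUrl {
    # Downloads one CRL and reports whether it arrived and looks like a DER-encoded CRL.
    param([string]$Url)
    $wc = New-Object System.Net.WebClient
    try {
        [byte[]]$data = $wc.DownloadData($Url)
        # A CRL is DER encoded: the first byte is the ASN.1 SEQUENCE tag 0x30
        return [pscustomobject]@{ Url = $Url; Ok = $true; HttpStatus = 200; Bytes = $data.Length;
                                  LooksLikeCrl = ($data.Length -gt 0 -and $data[0] -eq 0x30) }
    } catch {
        # WebClient errors arrive wrapped; dig down to the WebException for the HTTP status
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        $code = if ($ex -and $ex.Response) { [int]$ex.Response.StatusCode } else { -1 }
        return [pscustomobject]@{ Url = $Url; Ok = $false; HttpStatus = $code; Bytes = 0; LooksLikeCrl = $false }
    }
}

$base  = Test-CrlUrl "$CdpBase/$CaName.crl"
$delta = Test-CrlUrl "$CdpBase/$CaName+.crl"   # the '+' in the Delta CRL name is what request filtering rejects
$base, $delta | Format-Table -AutoSize

if ($base.Ok -and -not $delta.Ok) {
    Write-Host 'Base CRL downloads but the Delta CRL does not: checking "Allow double escaping" on CertEnroll.'
    Import-Module WebAdministration
    $path   = "IIS:\Sites\$SiteName\CertEnroll"
    $filter = 'system.webServer/security/requestFiltering'
    $current = (Get-WebConfigurationProperty -PSPath $path -Filter $filter -Name allowDoubleEscaping).Value
    Write-Host "allowDoubleEscaping is currently: $current"
    if (-not $current) {
        # Writes <requestFiltering allowDoubleEscaping="true" /> into the CertEnroll web.config
        Set-WebConfigurationProperty -PSPath $path -Filter $filter -Name allowDoubleEscaping -Value $true
        Write-Host 'Enabled allowDoubleEscaping in web.config; re-run to confirm the Delta CRL downloads.'
    }
}
```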

So if your NDES Server is throwing “The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.”, do not only check your certificates on the Server, check also your CRLs and Delta CRLs!

Hope it Helps,

Kenny Buntinx

MVP Enterprise Mobility


Ignite keynote summary from an ECM perspective

7:27 pm in ConfigMgr, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr V.next, EMS, Enterprise Mobility Suite, hybrid, Ignite, intune, Intune Standalone, SCCM 2012, sccm 2012 R2, SCCM v.Next, System Center, System Center 2016 by Kenny Buntinx [MVP]

For me this was the best keynote ever of all the Microsoft events I’ve been at, virtually or physically. Wrapped up after three hours, I want to give you guys a heads-up on what is happening in my area of expertise, Enterprise Client Management.

The conference is being held in Chicago and has over 20K people in the house. If you want, you can watch a replay of this morning’s keynote on demand at http://news.microsoft.com/ignite2015/

Most important Ignite keynote announcements from an Enterprise Client Management perspective

Windows Update for Business – This is an advanced version of what you already know today as WSUS. Together with Windows 10 it will allow you to control which machines get Windows updates or even feature updates, with integration into your existing tools like System Center and the Enterprise Mobility Suite, so that these tools can continue to be the ‘single pane of glass’ for all of your systems management.

Office 2016 Public Preview – Available for Office 365 subscribers and those who want to run the full standalone install. This version will really push the EMS offering forward on iOS, Android or Windows. Office will be the key in the whole mobility story.

Windows Server 2016 – A second technical preview is now available for download and testing, and will allow you to unlock some additional hybrid functionality, such as updates for Hyper-V, ADFS, Work Folders, etc.

System Center 2016 – Has new provisioning, monitoring and automation abilities for your data center. A new preview will be available online soon.

· New technical preview for ConfigMgr 2016 for Windows 10, available for trial at http://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview

New features in today’s Technical Preview include:

          • Support for Windows 10 upgrade with an OS deployment task sequence
          • Support for installing Configuration Manager on Azure Virtual Machines
          • Ability to manage Windows 10 mobile devices via MDM with on-premises Configuration Manager infrastructure

· New service packs for Configuration Manager 2012 and 2012 R2 (they will be released sometime next week)

These will deliver full compatibility with existing features for Windows 10 deployment and management as well as several other features, including:

          • App-V publishing performance
          • Scalability improvements
          • Content distribution improvements
          • Native support for SQL Server 2014
          • Hybrid Parity (Intune) and new features

Microsoft Advanced Threat Analytics – Brings Azure AD-level security monitoring and threat detection on premises. This software/service is the result of Microsoft’s acquisition of Aorato last November, and it’s a great add-on for EMS and AD Premium. The preview is available now.

During Brad Anderson’s piece of the keynote, his team showed 11 different technologies on stage and here are links to all of those services and programs:

I hope that you are as thrilled and excited as I am, that we can show you all these cool things in our own lab, and that we see you at one of our SCUG.be events.

Hope it helps,

Kenny Buntinx

MVP Enterprise Client Management

Work Folders app for iPhone finally released

1:15 pm in EMS, intune, iOS, Iphone, IT-Dev Connections, IT/Dev Connections, ITDevconnections, Work Folders, Workplace Join by Kenny Buntinx [MVP]

We are happy to announce that an iPhone app for Work Folders has been released into the Apple AppStore® and is available as a free download.

( There also is a Work Folders app for iPad released a few months ago.)

Overview

Work Folders is a Windows Server feature that allows individual employees to access their files securely from inside and outside the corporate environment. This app connects to it and enables file access on an Apple iPhone and iPad. Work Folders enables this while allowing the organization’s IT department to fully secure that data.

This app for iOS features an intuitive UI, selective sync, end-to-end encryption, search and in-app file viewing.
It also integrates well with Windows Intune to fully complete the most important mobile device management scenarios around corporate data on mobile devices.

You will learn more about it in our session “Securely Delivering Traditional Windows File Server Home Folders to BYOD Devices” at IT/Dev Connections.

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

Enterprise Mobility Suite: Steps to add your O365 infrastructure when already using your hybrid Configmgr 2012 R2 and Windows Intune infrastructure at your company.

1:03 pm in 0365, azure, configmgr 2012 R2, ECM, EMS, Enterprise Mobility Suite, intune, Intune Standalone, o365, office 365, SCCM 2012, sccm 2012 R2, WAAD, Windows Azure Active Directory by Kenny Buntinx [MVP]

Enterprise Mobility Suite (EMS) is Microsoft’s new bundle that includes Azure Active Directory Premium, Windows Intune and Azure Rights Management. The Enterprise Mobility Suite is Microsoft’s answer to Mobile Device Management requirements.

If you already have Configuration Manager 2012 R2, you can connect your Windows Intune subscription to get a single pane of glass for management. In the so-called hybrid mode you can manage all your assets from one single console.

Most customers starting with EMS will likely already have an Office 365 infrastructure in place. From there it is easy to add your EMS components to the existing O365 WAAD (Windows Azure Active Directory).

The most common way that WAAD directories were created before any O365 components existed was through the Windows Intune sign-up process.

When setting up a Windows Intune subscription for the first time, you have to pick a tenant name (in our case demolabsbe.onmicrosoft.com). When you create the tenant name, a Windows Azure Active Directory (WAAD) account is created behind the scenes to store your users and groups, using the domain “demolabsbe.onmicrosoft.com” (you can add your own domain names to this WAAD account later, but you will always have the original .onmicrosoft.com domain associated with it).

Windows Intune creates the WAAD account, but doesn’t let you manage it out of the box. You can only attach custom domains and configure users, groups and global administrators from the Windows Intune account management portal.

Attention: The WAAD account is not the same as a Windows Azure Subscription. A Windows Azure Subscription does not get automatically created or associated with your Windows Intune or Office 365 subscription, or vice versa!

Scenario :

The customer already has the Windows Intune subscription in place and wants to add a fresh Office 365 tenant to it using the same (.onmicrosoft.com) name.

How?

1. Select “Free Trial”.

2. Sign up for a new account.

3. IMPORTANT: Log in again with the administrator@demolabs.onmicrosoft.com account that you used for registering your previous Windows Intune account!

4. Don’t forget to hit the “Try” button :-)

5. When you click “Domains” (1), you will see that your validated domain (in our case Demolabs.be) is attached and validated (2). Now the last step is to go through the “Complete Setup” wizard (3) to complete it.

6. You’re done. Now you can start to assign O365 licenses to your users and play with “Conditional access”, as explained in this nice blog post from our colleague MVP Peter Daalmans.

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

The Enterprise Mobility Suite and the 10 reasons why your company needs it

10:58 am in azure, CM12, CM12 R2, ConfigMgr, EMS, hybrid, intune, Intune Standalone, RMS, sccm, sccm 2012 R2, System Center by Kenny Buntinx [MVP]

Together, Windows Server 2012 R2, System Center 2012 R2 Configuration Manager, Microsoft Azure AD Premium, Microsoft Azure RMS and Microsoft Intune, together called the Enterprise Mobility Suite (EMS), help organizations address the consumerization of IT. With Microsoft’s people-centric IT solution, organizations can empower their users, unify their environment, and protect their data, ultimately helping them embrace consumerization and a people-centric IT model while maintaining corporate compliance.

What can the Microsoft Enterprise Mobility Suite (EMS) bring you?

· Enabling your end users to work on the device or devices they love and providing them with consistent and secure access to corporate resources from those devices. Part of the way we do that is by providing a hybrid identity solution, enabled by Azure Active Directory Premium.

· Delivering comprehensive application and mobile device management from both your existing on-premises infrastructure, including Microsoft System Center Configuration Manager, Windows Server, and Active Directory, and cloud-based services, including Windows Intune and Windows Azure. This helps to unify your environment. EMS provides mobile device management, enabled by Windows Intune.

· Helping protect your data by protecting corporate information and managing risk. EMS provides data protection, enabled by the Azure Rights Management service.

Here are the 10 reasons why to consider EMS:

10. The ability to protect corporate information by selectively wiping apps and data. With System Center Configuration Manager 2012 and/or Microsoft Intune, IT can selectively and remotely wipe any device, including applications and sensitive company data, management policies and networking profiles.

9. Identification of compromised mobile devices. Jailbreak and root detection enables IT to determine which devices accessing corporate resources are at-risk, so that IT can choose to take appropriate action on those devices, including removing them from the management system and selectively wiping the devices.

8. Comprehensive settings management across platforms, including certificates, virtual private networks (VPNs), and wireless network and email profiles. With System Center Configuration Manager 2012 and/or Microsoft Intune, IT can provision certificates, VPN’s, and wi-fi profiles on personal devices within a single administration console.

7. Access on-premises and in-the-cloud resources with common identity. IT can better protect corporate information, manage and control resource access, and mitigate risk by being able to manage a single identity for each user across both on-premises and cloud-based applications. IT can better protect corporate information and mitigate risk by being able to restrict access to corporate resources based on user, device, and location.

6. Simplified, user-centric application management across devices. IT gains efficiency with a single management console, where policies and applications can be applied across groups (user and device types).

5. Enhance end-user productivity with self-service and Single-Sign-On (SSO) experiences. Help users be more productive by providing each with a single identity to use no matter what they access, whether they are working in the office, working remotely, or connecting to a cloud-based Software-as-a-Service (SaaS) application. Access company resources consistently across devices. Users can work from the device of their choice to access corporate resources regardless of location.

4. Protect information anywhere with Microsoft Azure RMS. Protecting information at rest and in transit requires authentication and preventing alteration, both key requirements for protecting sensitive corporate information.

The Microsoft Azure Rights Management Solution (RMS) can help enterprises transition from a device-centric to a people-centric, consumerized IT environment without compromising compliance on document protection.

3. Single Pane of Glass Mobile device management of on-premises and cloud-based mobile devices. IT can manage mobile devices completely through the cloud with Microsoft Intune or extend its System Center Configuration Manager infrastructure with Microsoft Intune to manage their devices (PCs, Macs, or servers) and publish corporate apps and services, regardless of whether they’re corporate-connected or cloud-based.

2. Simplified registration and enrollment for BYOD. Users can register their devices for access to corporate resources and enroll in the Microsoft Intune management service to manage their devices and install corporate apps through a consistent company portal.

And… Number 1 if you ask me for the Microsoft Enterprise Mobility Suite…

1. Enable users to work on the device of their choice and from where they want. Give your users access to applications, data and resources from any device from virtually everywhere, while ensuring documents are secured and your mobile devices are compliant.

Hope it Helps ,

Kenny Buntinx

Enterprise Mobility Suite: Steps to get to Azure AD Premium when already using your hybrid Configmgr 2012 R2 and Windows Intune infrastructure.

9:32 am in azure, CM12, CM12 R2, ConfigMgr, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, EMS, Enterprise Mobility Suite, intune, Intune Standalone, Mobility, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, WAAD, Windws Intune by Kenny Buntinx [MVP]

Enterprise Mobility Suite (EMS) is Microsoft’s new bundle that includes Azure Active Directory Premium, Windows Intune and Azure Rights Management. The Enterprise Mobility Suite is Microsoft’s answer to Mobile Device Management requirements.

If you already have Configuration Manager 2012 R2, you can connect your Windows Intune subscription to get a single pane of glass for management. In the so-called hybrid mode you can manage all your assets from one single console.

While you can create a new WAAD (Windows Azure Active Directory) account directly from the Windows Azure Management Portal, the most common way that WAAD directories were created before EMS existed was through the Windows Intune sign-up process.

When setting up a Windows Intune subscription for the first time, you have to pick a tenant name (in our case demolabsbe.onmicrosoft.com). When you create the tenant name, a Windows Azure Active Directory (WAAD) account is created behind the scenes to store your users and groups, using the domain “demolabsbe.onmicrosoft.com” (you can add your own domain names to this WAAD account later, but you will always have the original .onmicrosoft.com domain associated with it).

Windows Intune creates the WAAD account, but doesn’t let you manage it out of the box. You can only attach custom domains and configure users, groups and global administrators from the Windows Intune account management portal.

Attention: The WAAD account is not the same as a Windows Azure Subscription. A Windows Azure Subscription does not get automatically created or associated with your Windows Intune or Office 365 subscription, or vice versa!

When you log in with your Windows Intune tenant account into the Windows Azure Management Portal (https://manage.windowsazure.com) you will see a message that there are no associated Azure Subscriptions.

Windows Azure, however, lets you manage all the advanced settings of WAAD accounts, including names, premium features, apps, SSO access, multi-factor authentication, etc. The Enterprise Mobility Suite (EMS) feature Windows Azure AD Premium can only be managed properly when you link your Windows Intune WAAD to your organizational Windows Azure Subscription.

Step 1: How to add your existing Windows Azure Active Directories to your Windows Azure Subscription

The process to add a WAAD account to your Windows Azure subscription used to be pretty painful, but now you can easily do this by adding an “Existing WAAD account”. The process is as follows:

1. Log in to the Windows Azure Management Portal with your Microsoft Account.

2. Click on the Active Directory category on the left, and then click the New button.

3. Choose New > App Services > Active Directory > Directory > Custom Create.

4. On the Add Directory dialog, click the Directory dropdown and choose Use Existing Directory.

5. The dialog will switch and inform you that you will be signed out and need to sign in with a Global Administrator for the existing WAAD account. Check the box and click Sign Out.

6. Log in with a Global Administrator for the WAAD account.

7. Once you log in, you’ll be asked to confirm the link. Linking will make the Microsoft Account a Global Administrator in the WAAD account. Proceed through this, and you will be asked to Sign Out.

8. After signing out and signing back in with your Microsoft Account, you’ll now see the WAAD account in the list of Active Directory accounts in the Windows Azure Management Portal!

Step 2: Activate Azure AD Premium and assign licenses to your users

Now that the Windows Azure Active Directories previously created from Windows Intune are visible within your Azure subscription, you can add the Azure AD Premium features to them.

For a WAAD newly created from the Azure portal (in our case called EMSExperts), Azure AD Premium can be found under the Licenses tab by default, and you can assign licenses to users.

For the WAAD previously created from Windows Intune (and added to the Azure subscription later), called MSCloudExperts, only the Windows Intune licenses can be found by default; Azure AD Premium is not listed under the Licenses tab.

To add the “Azure AD Premium” licenses, you must go to the bottom of the page and hit “Activate Trial” or “Purchase”.

Now you will see that there are 2 license plans added to your WAAD: one for Windows Intune and one for Azure AD Premium. You can now assign licenses to your users accordingly.

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

Hybrid scenarios with System Center Configuration Manager 2012 R2 – Windows Intune – ADFS – WAP – NDES – Workplace Join: Hotfixes you really need in your environment.

8:26 pm in ADFS, ADFS 3.0, CM12, CM12 R2, CM12 SP1, ConfigMgr, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, EMS, hybrid, intune, Intune Standalone, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, WAP by Kenny Buntinx [MVP]

To make the most of your lab or production environment when implementing the several features that are combined when using System Center Configuration Manager 2012 R2 and Intune for mobile workforce deployment, I advise you to install the following hotfixes:

For your System Center Configuration Manager 2012 R2 environment and Windows Intune connector:

1. Install CU3 (KB2994331). A lot of things are fixed in each CU, but not every fix is noted in the release notes. It is therefore very important that you install the latest cumulative updates in general!

Why CUs matter (again!) –> Pre-CU3 NDES templates need to be recreated; re-targeting from device to user is not sufficient, as no proper migration happens when upgrading from CU1 or CU2!

2. Install KB article 2990658. This hotfix greatly reduces the time required to execute a successful retire or wipe of an MDM device by using a notification to "push" these tasks. Without this hotfix, retire and wipe operations could require 24 hours to run successfully, because they relied on a "pull" mechanism of that frequency. This hotfix will probably be included when the next Cumulative Update is released.

3. Install KB article 3002291. This hotfix fixes the issue where, when a user becomes a cloud-managed user in Microsoft System Center 2012 R2 Configuration Manager, a settings policy may not target the assignment for the user.

For your ADFS and WAP (Web Application Proxy) with Server 2012 R2 environment:

1. To fix the "Profile Installation Failed" error when an iOS device is workplace-joined by using DRS on a Windows Server 2012 R2-based server, look at Knowledge Base article 2970746 and make sure you deploy KB2967917 on your WAP server, which is the July 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2.

2. To fix the “Large URI request in Web Application Proxy fails in Windows Server 2012 R2” issue when deploying an NDES server through the Web Application Proxy (WAP), look at Knowledge Base article 3011135 (issue found and resolved by Pieter Wigleven) and make sure you deploy KB3013769 on your WAP server, which is the December 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2.

For your CA (Certificate Authority) infrastructure when you want to use NDES:

1. The issuing CA needs to be Windows Server 2008 R2 (with KB2483564) or, preferably, Windows Server 2012 R2.

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

Apple Volume Purchase Program (VPP) expands but changes nothing around supportability for side loading within Configmgr & Intune hybrid or standalone.

10:40 am in Apple, EMM, EMS, intune, Intune Standalone, scc, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, VPP by Kenny Buntinx [MVP]

Great news for our customers!

There are a number of ways of deploying apps to iOS devices throughout your enterprise. You can purchase and assign apps with MDM through the Volume Purchase Program (VPP), or create and deploy your own in-house apps by joining the iOS Developer Enterprise Program. Additionally, if you are in a shared-device deployment scenario, you can install apps and content locally with Apple Configurator or your MDM solution, such as Windows Intune.

More than half a year ago I wrote the following SCUG article: “CM12 and intune : Deploying Windows *.ipa IOS Applications requires a *.plist file”, about Apple’s Volume Purchase Program (VPP) only being available in a limited number of countries, such as Germany and the UK. That caused challenges for side-loading applications through your MDM solution, such as ConfigMgr 2012 R2 and Intune in the hybrid model.

Now Apple has expanded the Volume Purchase Program (VPP) (http://www.apple.com/business/vpp/) to many more countries, as shown below:

Australia, Belgium, Canada, Denmark, Finland, France, Germany, Greece, Hong Kong, Ireland, Italy, Japan, Luxembourg, Mexico, Netherlands, New Zealand, Norway, Singapore, Spain, Sweden, Switzerland, Taiwan, Turkey, United Arab Emirates, United Kingdom, and United States.

This will certainly make our life much easier, as we now have a “licensed way” of deploying volume-licensed apps on iOS and OS X.

Distributing the app with your MDM solution such as ConfigMgr with Intune

To distribute an iOS application, you must have a valid .ipa package and a manifest (plist) file. The manifest file is an XML .plist file that is used to find, download and install any iOS applications that are located outside the App Store. The manifest file cannot exceed 10 KB. For more information, see the relevant Apple documentation.

· The .ipa package must be valid. This means that the package was signed by Apple and the expiration date indicated in the provisioning profile is still valid.

· For iOS applications, Windows Intune can distribute enterprise certificate iOS applications. Not all Apple developer certificate applications are supported.

· Your enterprise must be registered for the iOS Developer Enterprise Program.

· Make sure that your organization’s firewall allows access to the iOS provisioning and certification web sites.
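As an added example (not code from the original post or from Microsoft/Apple), this PowerShell builds the manifest .plist that has to accompany an enterprise-signed .ipa and checks it against the requirements stated above: the 10 KB size limit, an HTTPS package URL and the mandatory metadata keys. The bundle identifier, version, title and URL are constructed placeholders.

```powershell
# Added example, not code from the original post. Builds and checks the .ipa manifest plist.
function New-IpaManifest {
    param(
        [Parameter(Mandatory = $true)][string]$IpaUrl,         # where the .ipa is hosted (HTTPS)
        [Parameter(Mandatory = $true)][string]$BundleId,       # CFBundleIdentifier of the app
        [Parameter(Mandatory = $true)][string]$BundleVersion,  # CFBundleVersion of the app
        [Parameter(Mandatory = $true)][string]$Title           # name shown to the user
    )
    # Escape the characters that are special in XML text nodes
    $e = { param($s) [System.Security.SecurityElement]::Escape($s) }
@"
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>items</key>
  <array>
    <dict>
      <key>assets</key>
      <array>
        <dict>
          <key>kind</key><string>software-package</string>
          <key>url</key><string>$(& $e $IpaUrl)</string>
        </dict>
      </array>
      <key>metadata</key>
      <dict>
        <key>bundle-identifier</key><string>$(& $e $BundleId)</string>
        <key>bundle-version</key><string>$(& $e $BundleVersion)</string>
        <key>kind</key><string>software</string>
        <key>title</key><string>$(& $e $Title)</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"@
}

function Test-IpaManifest {
    # Returns the problems found; an empty list means the manifest passes the checks.
    param([string]$ManifestXml)
    $problems = @()
    $bytes = [System.Text.Encoding]::UTF8.GetByteCount($ManifestXml)
    if ($bytes -gt 10KB) { $problems += "manifest is $bytes bytes, the limit is 10 KB" }
    [xml]$doc = $ManifestXml
    # In a plist every <string> follows its <key>; pick values by key name with XPath
    $value = { param($k) $doc.SelectSingleNode("//key[text()='$k']/following-sibling::string[1]").InnerText }
    if ((& $value 'kind') -ne 'software-package') { $problems += 'asset kind must be software-package' }
    $url = & $value 'url'
    if (-not $url -or -not $url.StartsWith('https://')) { $problems += 'the .ipa URL must be served over HTTPS' }
    if ($url -and -not $url.EndsWith('.ipa'))          { $problems += 'the asset URL should point at the .ipa package' }
    foreach ($k in 'bundle-identifier', 'bundle-version', 'title') {
        if (-not (& $value $k)) { $problems += "metadata key '$k' is missing or empty" }
    }
    return ,$problems
}

# Constructed sample values (placeholders, not a real app)
$manifest = New-IpaManifest -IpaUrl 'https://apps.example.be/ios/ExpenseApp.ipa' `
                            -BundleId 'be.example.expenseapp' -BundleVersion '1.0.3' -Title 'Expense App'
$manifest | Set-Content -Path .\ExpenseApp.plist -Encoding UTF8
Test-IpaManifest $manifest   # prints nothing when the manifest passes all checks
```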

I saw many people in the forums and on the internet having difficulty uploading and deploying iOS applications, mainly because they did not have access to a VPP program from Apple, but that is now more or less history. I managed to upload the iOS (*.ipa) application into Configuration Manager 2012 R2, and also managed to download and install the uploaded iOS application on the iPad from the Company Portal. However:

GOTCHA: Not all applications have a plist file; it also depends on the Mac OS X version (they have been changing the locations in 10.6 and again in 10.9.1). Check out this thread: http://hints.macworld.com/article.php?story=20121101064200135

Currently Configuration Manager 2012 R2 with Intune hybrid is not supporting the whole VPP Program yet. Hopefully they will change that soon!

Hope it Helps,

Kenny Buntinx

Windows Phone 8.1 Self Service Portal (SSP) changes with Windows Intune’s November Release

6:20 am in company portal, hybrid, intune, Intune Standalone, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, SSP, System Center, Windows Intune, windows inune, Windows Phone 8.1, WP 8.1, WP8.1 by Kenny Buntinx [MVP]

Hi,

As you probably already know, new Windows Intune capabilities are being added as we speak for Windows Intune standalone through the so-called “November Release”, as discussed here: http://blogs.technet.com/b/microsoftintune/archive/2014/11/17/new-microsoft-intune-capabilities-coming-this-week.aspx

The Microsoft Intune Company Portal app for Windows Phone helps you search, browse and install apps made available to you by your company through Microsoft Intune standalone or Hybrid (ConfigMgr and Windows Intune). Apps can be installed without requiring a connection to your corporate network. You can also enroll your personal computers and devices in the service and locate contact information for your IT team.

One additional change that was not clearly communicated is a change to how the Intune Company Portal or Self Service Portal (SSP) app for Windows Phone 8.1 is offered and installed.

Before, if you wanted to manage and deploy applications on your Windows Phone 8 and 8.1 devices, the Company Portal app was offered as a deployable download at Microsoft’s Download Center; you had to sign it with a Symantec code signing certificate and deploy it to the management system infrastructure to enable device enrollment for Windows Phone 8 and 8.1 devices. The download was signed with a Symantec certificate to ensure the trustworthiness of the app and to help secure enrollments.

Microsoft has now updated the Windows Intune Company Portal app for Windows Phone 8.1. The Symantec certificate is no longer embedded and no longer required because the app is now only available through the Microsoft Store.

However , there are some things to take into account when doing hybrid or standalone implementations.

Starting this week, for Windows Intune standalone only, Microsoft removed the requirement that a company have an AET (Application Enrollment Token) and a signed Company Portal app before it can enroll devices. Devices must still be enrolled for management before they can install sideloaded apps from the MDM, and they must also have the AET.

In short, this means that you no longer need the Symantec certificate to enroll and manage WP8.1 devices (not WP 8.0!), but you will still need the Symantec certificate to sideload any application that doesn’t come through the app store.

Anything else still requires both the certificate and the signed SSP.xap from the Download Center, and so do Hybrid implementations, still today.

My advice for now:

1. Admins who want to stay on the old-school ssp.xap for now (for hybrid deployments this is mandatory!!!):

    • Don’t tell users about the store app
    • Add the store app to the blocked list, for extra insurance, so they can’t run it
    • Just keep doing what you’re doing

Hybrid users could still install the SSP from the store if you do not blacklist the application. However, if they do install the SSP from the store, they can’t enroll unless a certificate and signed SSP have been uploaded, but they can use the portal in the “unenrolled” scenario.

2. Admins who want to move to the appx from the app store (Intune standalone only!!):

    • Create an app that uninstalls ssp.xap
    • Tell users to start by installing the store app and using the link in the app to enroll, just like Android or iOS

Conclusion:

The only new thing you get with the App Store SSP version is the ability to show users “Terms and Conditions” . Period.

If companies want to sideload applications, there’s still no way around having the Symantec certificate.

The new App Store SSP takes the version to 4.1.2777.2 and can be found here:

http://www.windowsphone.com/s?appid=0b4016fc-d7b2-48a2-97a9-7de3b5ea7424

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

iOS 8 support now available for System Center 2012 R2 Configuration Manager through an extension for Windows Intune

4:18 am in ConfigMgr, configmgr 2012 R2, intune, MDM, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, System Center, UDM by Kenny Buntinx [MVP]

A new version of the iOS 7 Security Settings extension is now available for System Center 2012 R2 Configuration Manager environments that are configured with the Windows Intune connector. This updated extension adds support for iOS 8 devices. New features include: iOS 8 added to the supported platform list, configuration settings to manage and assess the compliance on iOS 8 devices, company resource access on iOS 8 devices and the ability to define an applicability rule for applications, allowing you to deploy applications to iOS 8 devices.

If you already have the iOS 7 Security Settings extension enabled, an updated extension called iOS 7 and iOS 8 Security Settings will appear as a new item in your Configuration Manager console in the Extensions for Windows Intune node. You will also be able to see other enabled extensions in this location.

To install the updated version, select the iOS 7 and iOS 8 Security Settings extension from the list and then click Enable. You do not need to disable the older version of the extension before you enable this updated version. As the updated version is installed, the configurations you previously made for the extension are retained. Once the installation is complete, only the most recent version of the extension will display in the console.

Read further at http://blogs.technet.com/b/configmgrteam/archive/2014/09/29/ios-8-support-now-available-for-sc-2012-r2-configmgr-via-extension-for-intune.aspx

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management