
Apple Volume Purchase Program (VPP) expands but changes nothing around supportability for side loading within Configmgr & Intune hybrid or standalone.

10:40 am in Apple, EMM, EMS, intune, Intune Standalone, scc, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, VPP by Kenny Buntinx [MVP]


Great news for our customers!

There are a number of ways of deploying apps to iOS devices throughout your enterprise. You can purchase and assign apps with MDM through the Volume Purchase Program (VPP), or create and deploy your own in-house apps by joining the iOS Developer Enterprise Program. Additionally, if you are in a shared-device deployment scenario, you can install apps and content locally with Apple Configurator or with your MDM solution, such as Windows Intune.

More than half a year ago, I wrote the following SCUG article: “CM12 and intune : Deploying Windows *.ipa IOS Applications requires a *.plist file”, noting that Apple’s Volume Purchase Program (VPP) was only available in a limited number of countries, such as Germany and the UK. That caused challenges for side loading applications through your MDM solution, such as Configmgr 2012 R2 and Intune in the hybrid model.

Now Apple has expanded the Volume Purchase Program (VPP) to many more countries, as listed below:

Australia, Belgium, Canada, Denmark, Finland, France, Germany, Greece, Hong Kong, Ireland, Italy, Japan, Luxembourg, Mexico, Netherlands, New Zealand, Norway, Singapore, Spain, Sweden, Switzerland, Taiwan, Turkey, United Arab Emirates, United Kingdom, and United States.

This will certainly make our lives much easier, as we now have a “licensed way” of deploying volume-licensed apps on iOS and OS X.

Distributing the app with your MDM solution such as ConfigMgr with Intune

To distribute an iOS application, you must have a valid .ipa package and a manifest (plist) file. The manifest file is an XML .plist file that is used to find, download and install any iOS applications that are located outside the App Store. The manifest file cannot exceed 10 KB. For more information, see the relevant Apple documentation.

· The .ipa package must be valid. This means that the package was signed by Apple and the expiration date indicated in the provisioning profile is still valid.

· For iOS applications, Windows Intune can distribute enterprise certificate iOS applications. Not all Apple developer certificate applications are supported.

· Your enterprise must be registered for the iOS Developer Enterprise Program.

· Make sure that your organization’s firewall allows access to the iOS provisioning and certification web sites.
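To make the manifest requirement concrete, here is an added Python example (not code from the original post or from Microsoft) that builds an Apple OTA-style manifest plist for one .ipa package and checks it against the constraints above: the 10 KB size limit, the required metadata keys, and an https URL that points at the .ipa. The bundle identifier, title and URL are constructed placeholders.

```python
import plistlib
from urllib.parse import urlparse

# Limit quoted in the article for the manifest uploaded to Intune / ConfigMgr.
MAX_MANIFEST_BYTES = 10 * 1024
REQUIRED_METADATA = ("bundle-identifier", "bundle-version", "kind", "title")


def build_manifest(bundle_id, version, title, ipa_url):
    """Return an Apple OTA-style manifest plist (XML bytes) describing one .ipa package."""
    manifest = {"items": [{
        "assets": [{"kind": "software-package", "url": ipa_url}],
        "metadata": {"bundle-identifier": bundle_id, "bundle-version": version,
                     "kind": "software", "title": title},
    }]}
    return plistlib.dumps(manifest, fmt=plistlib.FMT_XML)


def validate_manifest(data):
    """Return a list of problems with a manifest plist; an empty list means it passes."""
    problems = []
    if len(data) > MAX_MANIFEST_BYTES:
        problems.append(f"manifest is {len(data)} bytes, limit is {MAX_MANIFEST_BYTES}")
    try:
        manifest = plistlib.loads(data)
    except Exception as exc:  # plistlib raises InvalidFileException or an XML parse error
        return problems + [f"not a valid plist: {exc}"]
    items = manifest.get("items") if isinstance(manifest, dict) else None
    if not items:
        return problems + ["no 'items' array at the top level"]
    for i, item in enumerate(items):
        packages = [a for a in item.get("assets", []) if a.get("kind") == "software-package"]
        if not packages:
            problems.append(f"item {i}: no 'software-package' asset")
        for asset in packages:
            url = urlparse(asset.get("url", ""))
            # iOS only installs over-the-air from an https URL that points at the .ipa
            if url.scheme != "https" or not url.path.endswith(".ipa"):
                problems.append(f"item {i}: asset url must be https and end in .ipa")
        meta = item.get("metadata", {})
        for key in REQUIRED_METADATA:
            if not meta.get(key):
                problems.append(f"item {i}: missing metadata '{key}'")
        if meta.get("kind", "software") != "software":
            problems.append(f"item {i}: metadata kind must be 'software'")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the URL is a placeholder, not a real distribution point.
    data = build_manifest("com.example.fieldapp", "1.4.0", "Field App",
                          "https://apps.example.com/ios/fieldapp.ipa")
    print(validate_manifest(data) or "manifest OK", len(data), "bytes")
```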

I saw many people in the forums and on the internet having difficulty uploading and deploying iOS applications, mainly because they did not have access to a VPP program from Apple, but that is now more or less history. I managed to upload the iOS (*.ipa) application into Configuration Manager 2012 R2, and also managed to download and install the uploaded iOS application on the iPad from the Company Portal. However:

GOTCHA: Not all applications have a plist file; it also depends on the Mac OS X version (the locations changed in 10.6 and again in 10.9.1). Check out this thread.

Currently, Configuration Manager 2012 R2 with Intune in hybrid mode does not yet support the full VPP program. Hopefully that will change soon!

Hope it Helps,

Kenny Buntinx

Prepare to Install ADFS 2.1 Services to have SingleSignOn (SSO) in Windows Intune (WaveD) – Part 1

1:42 pm in ADFS, best practices, con, ConfigMgr 2012 SP1, intune, scc, SCCM 2012 SP1, Windows Intune by Kenny Buntinx [MVP]


With the SP1 release of System Center 2012 Configuration Manager, we now have the ability to connect to Windows Intune to manage mobile devices via the Internet. This allows you to use the Configuration Manager console to provision mobile devices, apply policy, and target apps to mobile devices even when those devices are not connected to the corporate network.

To provide users with an integrated sign-on experience (and reduce the need for administrators to manage two passwords per user), it is highly recommended that you deploy ADFS. ADFS lets a cloud service authenticate users with their on-premises Active Directory credentials.

To deploy and configure ADFS 2.1 (Windows Server 2012), follow the steps outlined below. This blog series will cover the configuration and deployment work needed to let users connect their devices with corporate credentials. Before you install ADFS 2.1 on Windows Server 2012, you have to think through some of the requirements.

The benefits of implementing ADFS:

  • Improves user productivity by enabling true single sign-on to domain joined computers
  • Reduces usability issues by allowing users to use AD credentials to access all “Windows Intune” or “Office 365” services and not have to remember two identities and two passwords
  • Allows administrators the ability to enforce the organization’s password policies and account restrictions in both the on-premises and cloud-based organizations
  • Increases security of AD credentials since passwords are never synced to the cloud, all authentication happens on-premises
  • Reduces overall administration time and costs associated due to the above points

Based on a lot of TechNet articles , this was my design :



  • Will feature two ADFS farm servers (For redundancy reasons)
  • Will have two ADFS proxy servers (For redundancy reasons)
  • Will have one DirSync server (separate VM for performance)
  • Will use a HW load balancer (Cisco, F5, Citrix NetScaler) instead of Microsoft multicast NLB (it doesn’t really work that well, or call it bad experiences) on both the ADFS farm and the ADFS proxy servers
  • Due to the size of the environment (Less than 50,000), WID (Windows Internal Database) server will have to be used
  • This WID SQL server will be running SQL Express edition.

In addition, we need to determine a few things upfront, as it will speed up the installation work. My personal experience is that you really need one of the internal network guys from the customer to make this happen. We as “configmgr” guys are not familiar with how a customer’s network is organized and who is responsible for which part of the network.

  • External IP address of the federation service (In my example 212.x.x.x)
  • DMZ IP address of the federation service (which will be assigned to NLB as a shared virtual IP address , in my example 192.168.x.20)
  • DMZ server dedicated IP addresses (In my example 192.168.x.1 and 192.168.x.2) , they also reside in workgroup (not domain joined)
  • Internal ADFS farm shared virtual IP address assigned to the ADFS farm NLB (in my example 10.x.x.20)
  • Internal ADFS server dedicated IP addresses (in my example 10.x.x.1 and 10.x.x.2)
  • Fully qualified DNS name of the federation service, or ADFS FQDN (in my example 
  • Service accounts used for various purposes in the setup
  • Public SSL certificate to secure traffic associated with ADFS. Certificates are used for server authentication and token signing. Try to order a *.<yourdomainname> certificate. This will make your life much easier. (in my example * 
  • Necessary firewall ports are open from the Internet to ADFS Proxy server (port 443)
  • Necessary firewall ports are open from ADFS Proxy server to internal ADFS server (port 443)
  • Necessary firewall ports are open from the Internet to the DirSync server and vice versa (port 443)
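The checklist above can be turned into a pre-flight script that is run from the ADFS proxy (or any host that should reach the farm) once DNS, the firewall rules and the certificate are in place. The following is an added Python example, not code from the original post: it checks that the federation service FQDN resolves to one of the expected addresses, that port 443 is reachable, and that the certificate presented covers the FQDN (including the single-label wildcard rule for a *.<yourdomainname> certificate) and is not about to expire. The host name and IP addresses are constructed placeholders standing in for the article’s 212.x.x.x and 10.x.x.20 values.

```python
import socket
import ssl
from time import time

# Constructed stand-ins for the article's placeholders (ADFS FQDN, external IP, internal farm VIP).
CHECKLIST = {"fqdn": "sts.example.com", "expected_ips": {"212.0.2.10", "10.0.0.20"}, "port": 443}


def hostname_matches(fqdn, name):
    """True if a certificate name (CN or DNS SAN, possibly a wildcard) covers fqdn.
    A wildcard covers exactly one label: *.example.com covers sts.example.com, not a.sts.example.com."""
    fqdn, name = fqdn.lower().rstrip("."), name.lower().rstrip(".")
    if name.startswith("*."):
        return "." in fqdn and fqdn.split(".", 1)[1] == name[2:]
    return fqdn == name


def cert_covers(fqdn, subject_cn, sans=()):
    """True if either the subject CN or one of the DNS SANs covers the federation service name."""
    return any(hostname_matches(fqdn, n) for n in (subject_cn, *sans))


def days_left(not_after):
    """Days until expiry; not_after is the 'notAfter' string returned by getpeercert()."""
    return int((ssl.cert_time_to_seconds(not_after) - time()) // 86400)


def tcp_open(host, port, timeout=3.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(cfg):
    """Run the checklist against a live federation service name; returns {check: passed}."""
    try:
        ips = {ai[4][0] for ai in socket.getaddrinfo(cfg["fqdn"], None, socket.AF_INET)}
    except socket.gaierror:
        ips = set()
    results = {"dns_resolves_to_expected_ip": bool(ips & cfg["expected_ips"]),
               "tcp_443_reachable": tcp_open(cfg["fqdn"], cfg["port"])}
    if results["tcp_443_reachable"]:
        ctx = ssl.create_default_context()  # handshake raises ssl.SSLError if the chain is untrusted
        with socket.create_connection((cfg["fqdn"], cfg["port"]), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname=cfg["fqdn"]) as tls:
            cert = tls.getpeercert()
        cn = dict(pair[0] for pair in cert.get("subject", ())).get("commonName", "")
        sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
        results["cert_name_matches"] = cert_covers(cfg["fqdn"], cn, sans)
        results["cert_valid_over_30_days"] = days_left(cert["notAfter"]) > 30
    return results
```

Run `preflight(CHECKLIST)` from the DMZ proxy against the internal farm VIP name and from an internet host against the external address to confirm both firewall paths in the list above.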

This brings us to the end of this post. In the next few posts, we’ll cover additional configuration and installation steps and bring this Windows Intune SSO / ADFS 2.1 infrastructure on Windows Server 2012 to a usable state.

Stay Tuned !


Hope it Helps ,

Kenny Buntinx

Enterprise Client MVP