You are browsing the archive for Windows Intune.

Enterprise Mobility : In the land of NDES – Where one eye is King and you need to watch your CRL Delta files

7:26 pm in 1702, certificates, CM12 R2 SP1, ConfigMgr 2012 R2 SP1, ConfigMgr CB, Configmgr Current Branch, CRL, EMS, Enterprise Mobility Suite, error 500, intune, Intune Standalone, ndes, NDES Connector, Windows Intune, Windws Intune by Kenny Buntinx [MVP]

I was doing a EMS POC and deployment of certificates on mobile devices was a requirement. So I needed to setup an NDES server with a separate Subordinate CA for MDM , NDES Server and SCCM Certificate Registration Point (CRP). Big deal I thought as I did it a already multiple times. At my customer we worked close with the server team and setup the infrastructure which was working fine at first sight.

After a reboot of the NDES server I was struggling to get the Network Device Enrollment Service (NDES) up and running again as it would throw me an error 500.

Image result for error 500 ndes

The event log of the NDES Server told me the following:

The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.
The Network Device Enrollment Service cannot be started (0x80070057). The parameter is incorrect.

When the service starts, it searches for two certificates that are used by the service :

1. The service searches in the machine MY store AND

2. The certificate must have the following extensions AND

For the Key Exchange certificate:

– ExtendedKeyUsage: “Certificate Request Agent”

– KeyUsage: Encryption (0x20)

For the enrollment agent certificate:

– ExtendedKeyUsage: “Certificate Request Agent”

– KeyUsage: Signature (0x80) 

3. The certificate must not be archived AND

4. The computer must have the private key for the certificate AND

5. The certificate must be issued by the same CA that the service is configured for AND

6. The certificate must have a valid chain AND

7. If there is more than one certificate for either of the certificates that meets the previous criteria, the service will select the most recent one (the latest that was issued)

Troubleshooting certificate issues will require you to enable the CryptoAPI 2.0 Event Logging :

The CryptoAPI 2.0 Diagnostics is a feature available from Windows Server 2008 that supports the trouble shooting of issues concerned with:

– Certificate Chain Validation

– Certificate Store Operations

– Signature Verification

Enable CAPI2 logging by opening the Event Viewer and navigating to the Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2 directory and expand it.  You should see a view named Operational.Next, right-click on the Operational view and click the Enable Log menu item.

Searching the right information under the capi2 operational log :

image

I was quite sure, that I was able to download the CRL (Certificate Revocation List) and I double checked that by browsing to the URL ‘.crl”>http://pki.xxx.be/CertEnroll/<NameOfYourSubCA>.crl’ and I was able to download the file. When digging deeper in the eventID’s , I found at EventID 42 , the following URL ‘.crl”>http://pki.xxx.be/CertEnroll/<NameOfYourSubCA+>.crl’ was shown. This means it was looking for the  availability of the Delta CRL, which was visible on the web site of my CRL:

image

When I finally tried to download this CRL Delta file, it failed. I remembered myself, that IIS is treating the + sign very differently in URL’s.

I needed to set the setting “Allow double escaping” in the web.config file as shown below :

clip_image002

After enabling this, NDES was able to retrieve the Delta CRL file and start the service gracefully.

So if your NDES Server is throwing “The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.”, do not only check your certificates on the Server, check also your CRLs and Delta CRLs!

Hope it Helps,

Kenny Buntinx

MVP Enterprise Mobility

images7T7SFLEG

ConfigMgr 2012 NDES Site Role not healthy anymore after R2 SP1 upgrade

8:06 am in configmgr 2012 R2, ConfigMgr 2012 R2 SP1, EMS, ndes, R2 SP1, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 R2 SP1, SP1, Windows Intune, windows inune by Kenny Buntinx [MVP]

 

A key feature of the mobile device management capabilities provided by System Center 2012 R2 Configuration Manager with Windows Intune is the ability to provision client certificates to managed devices.  Organizations that use an enterprise PKI for client authentication to resources like WiFi and VPN can use this feature to provision certificates to Windows, Windows Phone, iOS, and Android devices managed through Windows Intune.  This article provides an in-depth look at how this feature works, and where you can go to find out all of the information you need to get up and running.

For those customers that are using NDES and did an upgrade from System center Configuration Manager 2012 R2 to System center Configuration Manager 2012 R2 SP1  they will notice that their NDES Server hosting the NDES Site Server role will fail to reinstall as shown below in the screenshot :

image

Investigating the issue a little further and going to look at the logging (CRPSetup.log) on the NDES server hosting the NDES Site Server role , we got the error message “Enabling WCF 40 returned code 50. Please enable WCF HTTP Activation. “

image

The question is why it would complain now as it worked before . After investigation it turns out that System Center Configuration Manager 2012 R2 Sp1 supports now  the provisioning of  personal information exchange (.pfx) files to user’s devices including Windows 10, iOS, and Android devices. Devices can use PFX files to support encrypted data exchange.

In the Supported Configurations for Configuration Manager ( https://technet.microsoft.com/en-us/library/gg682077.aspx#BKMK_SiteSystemRolePrereqs ) , we found out that now “Http activation is required”

image

After enabling the feature , the role started to reinstall itself .

image

Looking at the log file it seems that is is installed :

image

Looks like the role installed itself and thus problem solved.

Hope it helps ,

Kenny Buntinx

MVP Enterprise Client Management

Windows Phone 8.1 Self Service Portal (SSP) changes with Windows Intune’s November Release

6:20 am in company portal, hybrid, intune, Intune Standalone, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, SSP, System Center, Windows Intune, windows inune, Windows Phone 8.1, WP 8.1, WP8.1 by Kenny Buntinx [MVP]

Hi ,

As you already probably knew , new Windows Intune capabilities are added as we speak for Windows Intune standalone thru the so called “November Release” as discussed here : http://blogs.technet.com/b/microsoftintune/archive/2014/11/17/new-microsoft-intune-capabilities-coming-this-week.aspx 

The Microsoft Intune Company Portal for Windows Phone app helps you search, browse and install apps made available to you by your company, through the Microsoft Intune standalone of Hybrid (Configmgr and Windows Intune). Apps can be installed without requiring a connection to your corporate network. You can also enroll your personal computers and devices in the service and locate contact information for your IT team.

One additional change that was not clearly communicated is a change to how the Intune Company Portal or Self Service Portal (SSP) app for Windows Phone 8.1 is offered and installed.

Before , If you wanted to manage and deploy applications on your Windows phone 8 and 8.1 , the Company Portal app was offered as a deployable download at Microsoft’s Download Center, sign it with a Symantec code signing Certificate and deploy it to the management system infrastructure to enable device enrollment for Windows Phone 8 and 8.1 devices. The download was infused with a Symantec certificate to ensure trustworthiness of the app and to help secure enrollments.

Microsoft has now updated the Windows Intune Company Portal app for Windows Phone 8.1. The Symantec certificate is no longer embedded and no longer required because the app is now only available through the Microsoft Store.

However , there are some things to take into account when doing hybrid or standalone implementations.

Starting this week for Windows Intune standalone only , Microsoft removed the requirement that a company have an AET (Application Enrollment Token) and signed Company Portal app before we let them enroll, but devices must be enrolled for management before they can install sideloaded apps from our MDM, and they must also have the AET.

In short this means that you do not longer need the Symantec certificate to enroll and manage WP8.1 devices ( not WP 8.0! ) , but you will still need the Symantec certificate to sideload any application that doesn’t come thru the app store .

Anything else still requires both cert and signed SSP.xap from download center –> so are Hybrid implementations still today.

My advise for now:

1. Admins who want to stay on the old school ssp.xap for now ( For hybrid deployment this is mandatory !!! )

    • Don’t tell users about store app
    • Add store app to blocked list, for extra insurance, so they can’t run it
    • Just keep doing what you’re doing

Hybrid users could still install the SSP from store if you do not blacklist the application. However , if the do install the SSP from the store , they can’t enroll unless a cert and signed ssp have been uploaded, but they can use the portal in the “unenrolled” scenario.

2. Admins who want to move to appx from app store ( Intune standalone only !! )

    • Create an app that uninstalls ssp.xap
    • Tell users to start by installing store app and using link in app to enroll just like android or IOS

Conclusion:

The only new thing you get with the App Store SSP version is the ability to show users “Terms and Conditions” . Period.

If companies want to sideload applications, there’s still no way around having the Symantec cert

The new App Store SSP is taking the version to 4.1.2777.2 and can be found over here :

http://www.windowsphone.com/s?appid=0b4016fc-d7b2-48a2-97a9-7de3b5ea7424

 

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

Windows Intune & ConfigMgr 2012 : Notes from the field around Compliance Settings and enrollment

4:00 pm in BYOD, Cloud, CM12, CM12 R2, configmgr 2012 R2, ConfigMgr 2012 SP1, ECM, email Profile, email Profiles, intune, iOS, ipa, Ipad, ITPROceed, MDM, OMA-DM, OMA-URI, personal, plist, policy, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, UDM, windows 8.1, Windows Intune, Windows Intune Extensions, Windows Phone 8.1, Windws Intune, Work Folders, WP 8.1 by Kenny Buntinx [MVP]

 

Today there isn’t much hands on information about managing mobile devices such as Windows Phone , iPhone or Android using the MDM solution with Windows Intune and System Center Configuration Manager 2012 R2. This blog post is intended to give you better knowledge and to consolidate the earlier blogs I have been writing. Troubleshoot MDM in Intune / ConfigMgr

The big challenge is troubleshooting mobile device management in general, but particularly using ConfigMgr and Intune because a current Configmgr is a product that is known for its extensive logging.

With Windows Intune connected to System Center Configuration Manager 2012 R2, you have 6 log files on premise where you can look into:

  • ConnectorSetup.log (Records details of connector role installation)
  • FeatureExtensionInstaller.log (Records information about the installation and removal of individual extensions when they are enabled or disabled in the Configuration Manager console)
  • CertMgr.log (Records certificate and proxy account information)
  • Cloudusersync.log (Records license enablement for users)
  • DMPuploader.log (Records details for uploading database changes to Windows Intune)
  • DMPdownloader.log (Records details on downloads from Windows Intune)

1. Enrolling the mobile devices

  • OMA-DM and OMA-URI:

First of all, you will need to know what OMA-DM is. OMA-DM is an open standard that Apple – Android and Microsoft are using. All MDM solutions use the OMA-DM API to manage those devices. More information on OMA-DM can be found here.

Microsoft has released together with WP 8.1, a comprehensive guide called; ‘Windows Phone 8.1 MDM protocol documentation’. You will need this guide as a reference to find all custom not-so-out-of-the-box OMA-URI’s. An OMA-URI can be seen as a registry setting or hive. You can download it here.

If enrollment does not work, please verify that the right platform is selected in your “windows Intune Subscription”, otherwise you will get these kind of errors:

ERROR: Service health log: User ‘******************************32ad82′ is not eligible to enroll a device of type ‘WindowsPhone’. Reason ‘DeviceTypeNotSupported’.

clip_image002[4]

  • Enrollment for Windows Phone 8 or 8.1:

Enrollment for Windows Phone happens does not have the same experience like IOS or Android. With Windows Phone 8 or 8.1 you will need to go to the settings page and search for either ‘company portal’ or ‘workplace join’. Don’t you love Microsoft’s consistency here?

  • Trouble enrolling your Windows Phone?

SSP portal software Certificate Signing :

Make sure that your SSP portal software is signed with either your personal ‘Symantec Certificate’ you need to buy or you use the “support tool for Windows Intune”. Download the company portal at Windows Intune Company Portal for Windows Phone.

If the SSP Portal is not signed correctly or the certificate expired, your phones will stop enrolling and you’ll never get any error message. It just shows you on the phone it can’t find the server…

Read the release notes for sure :

Read here: http://technet.microsoft.com/en-us/library/jj662694.aspx

Windows Phone 8.1 devices fail to enroll with Windows Intune when device authentication is enabled in AD FS 2012 R2 (aka 3.0) called ‘Workplace Join’.

Issue: When you enroll a Windows Phone 8.1 device, enrollment fails if the optional setting for device authentication is enabled as part of global authentication policy in Active Directory Federated Services (AD FS).

Workaround: Disable device authentication on the AD FS server by unchecking Enable device authentication in Edit Global Authentication Policy.

  • Your phone is enrolled and you want to protect it from enrollment?

You have corporate owned Windows Phones and you want the option when a ‘device owner’ in CM12 R2 is set to “corporate” , a user can’t un-enroll a “corporate” device and to prevent them from doing so , unless you are the ConfigMgr 2012 MDM admin.

As this seemed a logic to me, we couldn’t do it out of the box with windows phone 8 or 8.1 and Windows Intune. Missed opportunity, I would say. However with the launch of Windows Phone 8.1 at Build conference , there was a new set of OMA-DM management capabilities being added.

Read the complete blog post on how to do it here:

ConfigMgr 2012 R2 & Windows Intune UDM : How to prevent an “End-User” can un-enroll his “Corporate” Windows Phone 8.1 at http://scug.be/sccm/2014/04/24/configmgr-2012-r2-windows-intune-udm-how-to-prevent-an-end-user-can-un-enroll-his-corporate-windows-phone-8-1/

  • Enrollment for IOS or Android :

On an iOS device open the Apple App Store., search for Company Portal, select the Windows Intune Company Portal from the list of available apps. Once installed, open the application and ‘Click’ on Add Device, You will be presented with information about the portal, click on Add in the top right corner.

There are no specific requirements for enrolling Android devices except enrolling thru the Self Service Portal.

2. Debugging on the mobile devices

There really are not that much you can see in terms of what is going on between the Intune tenants in the cloud and the mobile device itself. There is no real interface to push or pull stuff so you are pretty much left in the dark many times.

However most of the changes made in ConfigMgr are replicated up to the Intune Cloud service every 5 minutes. Apart from that you just will have to wait for things to happen.

  • WP 8 / 8.1: Really nothing you can see on the device. No log file that you can find, retrieve or view. Microsoft should really do something about this.

 

  • IOS: Shake it, shake it hard! There is however one log file and that can be accessed from an iOS device by logging into the Company Portal app. After login, shake the iPhone or iPad. Shake the phone and you will see options to send the log file via email for further analysis.

Funny Note: The shake action is disable-able from iOS / Settings area.  For a fun practical joke on a colleague you can disable the shake action and see how long they shake the device before giving up!

  • Android: No specific experiences , but honestly , I don’t think there is something that Microsoft provides out of the box

If you get the UserLicenseTypeInvalid error message when trying to enroll an iOS/Andriod device , most likely this is due to users not being synced or having an issue with the Configmgr AD user discovery or if the ConfigMgr connector to the Intune service didn’t sync properly as than they are missing from the “Intune users” collection.

3. Targeting the mobile devices

Divide Mobile devices into different collections for Windows Phones, Windows RT, Android, iPads and iPhones if you for instance want to target different compliance settings to different sets of devices.

Create your collections based on the class “Mobile Device Computer System” where the “Device Model” is your key identifier.

  • The query to list all Windows Phone 8 in a collection:

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_G_System_DEVICE_OSINFORMATION on SMS_G_System_DEVICE_OSINFORMATION.ResourceID = SMS_R_System.ResourceId where SMS_G_System_DEVICE_OSINFORMATION.Platform like "Windows Phone" and SMS_G_System_DEVICE_OSINFORMATION.Version like "8.0%"

  • The query to list all Windows Phone 8.1 in a collection:

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_G_System_DEVICE_OSINFORMATION on SMS_G_System_DEVICE_OSINFORMATION.ResourceID = SMS_R_System.ResourceId where SMS_G_System_DEVICE_OSINFORMATION.Platform like "Windows Phone" and SMS_G_System_DEVICE_OSINFORMATION.Version like "8.1%"

  • The query to list all Windows Phone RT in a collection:

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.Model like "Surface%"

  • The query to list all iPhones in a collection:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_DEVICE_COMPUTERSYSTEM on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "%iphone%"

  • The query to list all iPads in a collection:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_DEVICE_COMPUTERSYSTEM on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "%ipad%"

  • The query to list all Android in a collection:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_DEVICE_COMPUTERSYSTEM on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "Android%"

4. Targeting Applications on the mobile devices

WP 8 / 8.1:

You first need to join the Windows Phone Dev Center before you can request a code-signing certificate from Symantec. Your Windows Phone Dev Center account is required to obtain a code signing certificate from Symantec. If you are not in a hurry and want to do a POC or for a trial certificate, see Support tool for Windows Phone trial management .

This Symantec certificate is needed to deploy the company portal app. Download the company portal at Windows Intune Company Portal for Windows Phone.

Windows Phone 8.1 can handle *.xap, *.appx, *.appxbundle while windows phone 8.0 can only handle *.xap

  • Deploy it as ‘Available’ to Users:

This will make the application published and available for install, but only in the SSP Portal.

  • Deploy it as ‘Required’ to Users:

This will install the app automatically for targeted users. It will silently install the application.

  • Deploy it as ‘Required’ to Devices:

This will install the app automatically for targeted devices. It will silently install the application.

  • Remote Uninstall for apps deployed to users and devices:

This will silently uninstall the app automatically for targeted devices.

Windows RT devices :

This post contains the steps which you, as an IT administrator, can perform to troubleshoot and investigate software distribution (download and install) issues on the Windows RT client

http://blogs.technet.com/b/configmgrteam/archive/2013/03/13/troubleshooting-windows-rt-client-software-distribution-issues.aspx

IOS:

To sideload an application *.ipa you need either to have developed it in-house or bought it from a developer who allows you to side load it and have a correct Apple developer account as well. https://developer.apple.com/programs/ios/

You cannot side load an app that you have downloaded and paid for in ITunes, which would be wrong in terms of license agreements. For those applications, you can create a link to the application in Appstore and distribute that link.

So if you want to side load an application that you bought from Appstore, I would suggest that you Contact that Company/developer and see if they are interested in selling the application to you that way instead of through the Appstore.

There are a number of ways of deploying apps to iOS devices throughout your enterprise. You can purchase and assign apps with MDM through the Volume Purchase Program (VPP), or create and deploy your own in-house apps by joining the iOS Developer Enterprise Program. Additionally, if you are in a shared-device deployment scenario you can install apps and content locally with Apple Configurator or your MDM solutions such as Windows Intune.

When deploying an IPA you have three options:

  • Deploy it as ‘Available’ to Users:

This will make the application published and available for install, but only in the SSP Portal.

  • Deploy it as ‘Required’ to Users:

This will install the app automatically for targeted users. A note will pop up on the screen of the iOS device asking if “Microsoft” is allowed to install the application. After clicking OK the app gets installed.

  • Deploy it as ‘Required’ to Devices:

This will install the app automatically for targeted devices. A note will pop up on the screen of the iOS device asking if “Microsoft” is allowed to install the application. After clicking OK the app gets installed.

I have written a blog post to clarify the support around CM12 and intune : Deploying Windows *.ipa IOS Applications requires a *.plist file at http://scug.be/sccm/2014/03/18/cm12-and-intune-deploying-windows-ipa-ios-applications-requires-a-plist-file/

  • Remote Uninstall for apps deployed to users and devices:

This will silently uninstall the app automatically for targeted devices.

Android:

As I have not deployed any software to android devices so far, I am going to exclude this section from any comment.

5. Providing Company Resource Access the mobile devices

When a user enrolls their device into Windows Intune, an organization’s certificates, Wi-Fi, VPN, and email profiles can automatically be configured on the device.   This will enable users to quickly access internal corporate resources with the appropriate security configurations set, without having to call the help desk.  Access to email and corporate data stored in OneDrive for Business can be automatically restricted if a user tries to access those resources on a device which is not enrolled for management.  Access can automatically be restricted if the device is de-enrolled from Windows Intune or falls out of the compliance policy set by the administrator.  For example, if someone jailbreaks their previously-enrolled iPad, access to Exchange and OneDrive for Business can be revoked until the problem is corrected.

As a cloud service, The ‘Extensions for Windows Intune’ feature provides frequent, dynamic feature updates to System Center 2012 R2 Configuration Manager without any on-premises infrastructure update roughly every quarter. The product team is currently rolling out those updates to ConfigMgr thru the so called “Windows Intune extensions or ‘W.E.A.V.E’ feature which provides additional support for additional released Windows Intune features for Unified Device Management.

I have written a blog post that explains it into detail about those so called CM12 Intune extensions:

CM12 Extensions for Windows Intune: Resources and gotcha’s at http://scug.be/sccm/2014/02/11/cm12-extensions-for-windows-intune-resources-and-gotchas/

On the other hand we have:

Email Profiles:

Extensions like email profile provisioning make it very easy for end users to connect to corporate email from their mobile devices while at the same time, it ensures that administrators can protect corporate data by having the ability to selectively wipe email from lost or stolen mobile devices

The ConfigMgr administrator can now configure email profiles that supply both email server information and related policies.However sometimes the profile doesn’t come down and therefore I have written the following blob that explains into detail:

Configmgr 2012 and Intune: Provisioning Email Profiles and the why the profile may not turn up on devices such as an Ipad at http://scug.be/sccm/2014/03/21/sysctr-configmgr-2012-and-intune-provisioning-email-profiles-and-the-why-the-profile-may-not-turn-up-on-devices-such-as-an-ipad/

TIP: Be aware that this profile can only be deployed to a ‘User based Collections’

Certificate Profiles:

Certificate profiles in System Center 2012 Configuration Manager works with Active Directory Certificate Services and the Network Device Enrollment Service (NDES) role to provision authentication certificates for managed devices so that users can seamlessly access company resources.

For example, you can create and deploy certificate profiles to provide the necessary certificates for users to initiate VPN and wireless connections.

Certificate profiles in Configuration Manager provide the following management capabilities:

  • Certificate enrollment and renewal from an enterprise certification authority (CA) for devices that run iOS, Windows 8.1, Windows RT 8.1, and Android, These certificates can then be used for Wi-Fi and VPN connections.
  • Deployment of trusted root CA certificates and intermediate CA certificates to configure a chain of trust on devices for VPN and Wi-Fi connections when server authentication is required.
  • Monitor and report about the installed certificates.

TIP: Be aware that this profile can be deployed to ‘User based Collections’ or ‘Device based Collections’

VPN Profiles:

VPN profiles in System Center 2012 Configuration Manager provide a set of tools and resources to help you create, deploy, and monitor VPN profiles. By deploying these settings, you reduce the end-user effort that is required to connect to resources on the company network.

When a VPN profile deployment is removed, the VPN profile is not removed from client devices. If you want to remove the profile from devices, you must manually remove it.

TIP: Be aware that this profile can only be deployed to a ‘User based Collections’

Wi-Fi Profiles:

Wi-Fi profiles in System Center 2012 Configuration Manager provide a set of tools and resources to help you create, deploy, and monitor wireless network settings to devices in your organization. By deploying these settings, you minimize the effort that end users require to connect to corporate wireless networks.

When a Wi-Fi profile deployment is removed, the Wi-Fi profile is not removed from client devices. If you want to remove the profile from devices, you must manually remove it.

TIP: Be aware that this profile can only be deployed to a ‘User based Collections’

6. Calling Microsoft (Intune) Support

Do not hesitate to contact the Intune technical support whenever you encounter a problem. As you have no insight into Intune contacting support is many times the only way to figure it what is or what is not going on with your mobile device management.  Support phone numbers for Intune specifically are listed at the Microsoft Support web site.

They will need the following information to help you solving the case swiftly, please collect that information before calling Microsoft PSS/CSS

Search criteria

  • LSU, MSU, account id, user id(last 6 digits)
  • email domain or other feature specific keyword
  • Time of incident (time zone)
  • Logs (DMPUploader.log, DMPDownloader.log, CloudUserSync.log)

Example

  • AccountId : 21c26ac1……29b40f
  • LsuId           : LSUA01
  • MsuId         : MSUA01
  • UserID : ……d7facc
  • Domain : contoso.onmicrosoft.com

Hope it Helps ,

Kenny Buntinx

MVP enterprise Client Management

ConfigMgr 2012 R2 & Windows Intune UDM : How to prevent an “End-User” can un-enroll his “Corporate” Windows Phone 8.1

8:30 pm in 2012R2, 8.1, Compliance Management, configmgr 2012 R2, intune, MDM, OMA-DM, OMA-URI, policy, sccm 2012 R2, UDM, Windows Intune, Windows Intune Extensions, windows inune, Windows Phone 8.1, Windws Intune, WP 8.1 by Kenny Buntinx [MVP]

 

Scenario :

Last week we had a discussion at a customer during a  Windows Intune UDM Proof of concept and the customer was willing to order about 3000 corporate owned Nokia Lumia 630 Windows Phones. He wanted us to provide the option when a ‘device owner’ in CM12 R2 is set to “corporate” , a user can’t un-enroll a “corporate” device and to prevent them from doing so , unless you are the ConfigMgr 2012 MDM admin.

As this seemed a logic request to me , we couldn’t do it out of the box with windows phone 8 or with Windows Intune. Missed opportunity , I would say. However with the launch of Windows Phone 8.1 at Build conference , there was a new set of OMA-DM management capabilities being added.

At this stage , the writing and the testing of the blog post  is being done with a developer edition of Windows Phone 8.1. I doubt that when being rolled out as RTM , these policies will be changed.

Solution to problem :

First of all , you will need to know what OMA-DM is . OMA-DM is an open standard that Apple – Android and Microsoft are using. All MDM solutions use the OMA-DM API to manage those devices. More information on OMA-DM can be found here .

Microsoft has released together with WP 8.1 , a comprehensive guide called ; ‘Windows Phone 8.1 MDM protocol documentation’ . You will need this guide as a reference to find all custom not-so-out-of-the-box OMA-URI’s. An OMA-URI can be seen as a registry setting or hive. You can download it here .

Panu Saukko , a good friend and fellow Enterprise Client Management MVP , pointed me in the right direction inside the document on how to reach the goal : Blocking a user from un-enrolling their device. Without the golden tip from Panu , we would never succeed as there is an Typo in the document.

Panu pointed out that according to the document, the OMA-URI should be according to page 133 & 143 inside the ‘Windows Phone 8.1 MDM protocol documentation’ :

./Vendor/MSFT/PolicyManager/My/Experience/AllowManulMDMUnenrollment

Again there is a typo in that document , it should be

./Vendor/MSFT/PolicyManager/My/Experience/AllowManualMDMUnenrollment

Now that we have found the error in the OMA-URI , Let’s show some magic with Compliance settings , Configuration Items and Configuration Baselines in CM 12 R2 :

Creating the ‘Configuration Item’ :

1. Go to “Asset & Compliance” , click on “Compliance Settings” , go to “Compliance Items” and create a New Configuration Item as shown below

image

2. Give the new Compliance item the following Name : ‘Deny WP8.1 MDM UnEnrollment’ and hit “next”

image

3. Select the checkbox : ‘Configure additional settings that are not in the default settings groups’ and click “next” to continue

SNAGHTMLa70f0d3

4. In the next window that opens , click the ‘Add’ button.

image

5. Hit the “Create Setting” tab.

image

6. Now comes the interesting stuff .

    • Give it a Name
    • 1. Settings Type : OMA-URI
    • 2. Data Type : Integer
    • 3. OMA-URI : ./Vendor/MSFT/PolicyManager/My/Experience/AllowManualMDMUnenrollment

image

7. Highlight your recently created ‘Deny MDM Unenrollment’ and hit the ‘Select’ button

image

8. Now comes the interesting stuff again

    • 1. Rule Type : Value
    • 2. Data Type : 0 (0 = un-enroll not allowed / 1 =  enroll allowed)
    • 3. Set ‘Remediate noncompliant rules when supported’
    • 4. Set Noncompliance severity for reports to ‘Warning’ 

SNAGHTMLa838aba

9. Click next to continue.

image

10. As this setting is only applicable for Windows Phone , we select only this platform and click ‘next’ to continue.

SNAGHTMLa8ee6fe

11. Click next to continue , until the end .

SNAGHTMLa901184

Once created , you will see something like this in the screenshot below . After creating the ‘Configuration Item’ , we are going to create and deploy the ‘Configuration Baseline’

image 

Creating the ‘Configuration Baseline’ :

1. Now go to baselines and create a new ‘Configuration Baseline’

image

2. Give the ‘Configuration Baseline’ a name and click “Add” to add your ‘’Configuration Item’’

SNAGHTMLa979112

3. Search for your previously created ‘Configuration Item’ and click add.

SNAGHTMLa996df0[5]

4. Hit OK , to continue

SNAGHTMLa9b28cf

5. Click ‘OK’ to continue

SNAGHTMLa9be549

When created , you will see something similar in your console as show below in the screenshot :

image

Deployment of the ‘Configuration Baseline’ ONLY to the ‘Corporate Owned’ devices :

As we only wanted to prevent un-enrollment when a ‘device owner’ in CM12 R2 is set to “corporate” , we first need to create a collection that contains only devices set to corporate as shown below . Devices enrolled using the ConfigMgr 2012/Windows Intune UDM solution can be assigned to be either "Company" or "Personal" devices. Note that a device is automatically assigned to be Personal by default.

image

image

Now that that is done , create a ‘Device collection’ that is only containing resources that are ‘Company’ devices. To do that , use the following query where ‘System Resource – Device Owner’ is set to ‘1’ for ‘Company’ . Value 2 is “personal”

image

Now deploy your ‘Compliance baseline – Deny wp8.1 UnEnrollment’ to the collection called ‘All Mobile Devices set as Corporate Owned Devices

The END Result ? :

As the policies come down from Configuration Manager 2012 R2 with Windows Intune on the WP8.1 device and the user tries to un-enroll , following message is shown :

clip_image002

images

Hope it  Helps ,

Kenny Buntinx

Enterprise Client Management MVP

Configmgr 2012 & Windows Intune SSO : Self- signed certificate for token signing is about to expire. Now What?

12:15 pm in ADFS, ADFS 2.1, ADFS 3.0, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, intune, SCCM 2012, SCCM 2012 R2, SCCM 2012 SP1, sso, Windows Intune, Windows Intune Extensions, windows inune by Kenny Buntinx [MVP]

 

This morning at a customer , I received the following mail in my mailbox , saying that my ADFS token would expire.

AD FS 2.0 or 2.1 and probably 3.0 generates each year by default a new self- signed certificate for token signing 20 days before the certificate expires . Rollover of the certificate , or generate a new certificate when the existing certificate is about to expire , and make them the primary certificate , applies only to self-signed certificates that are generated by AD FS 2.x . The token signing certificate is essential for the stability of the Federation Service . If this is changed, the change must be reported to Windows Azure AD . Otherwise fail applications for cloud services such as my Windows Intune Service.

image

When the token signing certificate of your home AD FS organization expires, then federation metadata between AD FS and Office 365 falls out of synch. Equally, when changes are made on the Office 365 or Windows Intune that require updating the metadata, a similar issue arises. The “Microsoft Office 365 Federation Metadata Update Automation Installation Tool” script provide by the AD FS team checks the that federation metadata is validated regularly and any changes replicated between the two federating parties.

You must have the Microsoft Federation Metadata Update Automation Installation Tool download and configure your primary federation server or another recordable federation server, the Windows Azure AD Federation Metadata regularly automatically checks and updates so that changes in the certificate token-signing in the AD FS 2.1 Federation service will be copied automatically onto Windows Azure AD.

You can download the script here : http://gallery.technet.microsoft.com/scriptcenter/Office-365-Federation-27410bdc

The script is called : O365-Fed-MetaData-Update-Task-Installation.ps1

To execute this tool successfully:

  • You must make sure that you have installed the latest version of the Microsoft Online Services Module for Windows PowerShell 
  • You need to have a functioning AD FS 2.0 Federation Service (execute this on your primary ADFS server)
  • You need to have access to Global Administrator credentials for your Office 365 tenant
  • You need to have at least one verified domain in the Office 365 tenant must be of type ‘Federated’
  • This tool must be executed on a writable Federation Server
  • The currently logged on user must be a member of the local Administrators group
  • The Microsoft Online Services Module for Windows PowerShell must be installed. You can download the module from http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652560.aspx0

When running the tool and you comply with the above prerequisites , the following screenshot appears as shown below :

image

It’s worth bearing in mind that the password policy will render the script unusable in the event of a password change on either the Windows Intune side with the MSOL account you specify and the Domain side with the user account used to initiate the scheduled task. It is possible to create service accounts to do this on both sides. However, I’d consider the security consequences of such a change before automatically doing so. This can be done on the O365 side with an Office 365 standard account via the Set-MSOLUser cmdlet.

For example:  Set-MSOLUser –identity user@MyPreciousChosenDomain.onmicrosoft.com –PasswordNeverExpires $true –StrongPasswordRequired $true

The account could also technically be a federated account, but I don’t believe that’s a good idea. In the event that the trust is broken, then a federated account won’t be able to connect to MSOL to update the federated domain information and you would be in trouble big time!

To verify the scheduled task is executed correctly , open task scheduler and verify that the task is there :

image;-

That’s again an automated task , without worrying that your infrastructure is in danger :-)

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

ConfigMgr 2012 SP1 R2 Intune: CloudUserSync – delta sync to cloud failed

5:14 am in CM12, CM12 R2, CM12 SP1, ConfigMgr, ConfigMgr 2012, intune, MDM, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, UDM, Windows Intune by Kenny Buntinx [MVP]

 

Hi,

After configuring a trial intune subscription I got a funny error in the CloudUserSync log:

ERROR: SetLicensedUsers exception The Dmp Connector cannot connect to Windows Intune. Verify that you are connected to the Internet,….
UserSync: Failed to perform delta sync. error = Unknown error 0x8013150C, 0x8013150C

further down in the log file :

ERROR: GetServiceAddresses – LSU cannot be reached: System.ServiceModel.ProtocolException: The content type text/html; charset=UTF-8 of the response message does not match the content type of the binding (application/soap+xml; charset=utf-8). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly

 

If you search for this error you can see this happening with other services as well (Azure) and it is where the binding from your local server doesn’t match the endpoint (in this case intune/Azure)

Turned out that the customer provide me with a demo lab environment and it was still sitting on System Center Configuration Manager R2 Preview Smile

#Notetomyself : Check all components on the correct versioning before you start . Never take it for granted Smile with tongue out

 

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

Windows Phone 8 not enrolling with the “Support Tool for Windows Intune Trial Management of Window Phone 8”

8:47 am in ADFS, Cloud, CM12, ConfigMgr 2012 SP1, intune, SCCM 2012 SP1, Windows Intune by Kenny Buntinx [MVP]

 

At a customer and integrating/managing Windows Phone 8 with Windows Intune and System Center Configuration Manager 2012 SP1 ? Using the Support Tool for Windows Intune Trial Management of Window Phone 8 (can be downloaded at http://www.microsoft.com/en-sg/download/details.aspx?id=39079) ?

The Support Tool for Windows Intune Trial Management of Window Phone 8 facilitates Microsoft System Center 2012 Configuration Manager admins to try out Windows Phone 8 software distribution scenarios during the Trial period.

However we couldn’t get our Windows phone 8 enrolled. It always came back with the following error on the phone : “We weren’t able to set up this company account on your phone”.

Verify the following before going forward :

  • If Are you using ADFS , check my previous blog post “Troubleshooting ADFS 2.1 Services for Windows Intune (WaveD)”.
  • Have you synced your AD accounts to Azure AD? Is dirsync working correctly ? Check from Azure AD that you see your local AD users there.
  • Make sure the UPN is set correctly to your Domain ( SCUG.be instead of scug.onmicrosoft.com)
  • Set CNAME to manage.microsoft.com

SNAGHTMLfb3cfe6

  • Reset your Users password. Because the user must reset the password after the first logon, logon to e.g. portal.manage.microsoft.com with the user account, before enrolling the device.
  • It is important that you first synchronize your AD users to Azure and after that add the user account to user collection that is allowed to enroll the devices. If you first add the user to the collection and the new user is not in Azure AD, you need to wait up to 24 h. (Tnx to my fellow MVP Panu Sauko!)
  • If you get the latter error message, change the language & regional settings of your mobile phone to en-US and try to enroll again. (Tnx to my fellow MVP Panu Sauko!)

Going down in the logs , by the way very difficult on a Windows phone 8 or Windows Intune side , the only option was to look into the System Center Configuration Manager Log files .

Looking in the dmpdownloader.log and found the following line appearing every time I tried to enroll the WP8 device . Strange .

ERROR: Service health log: WP appStoreURI is missing for account 73dab792-979c-40be-947b-b7c8040e725b and userId ******************************33d16d

image

Solution :

Apparently to that message , it seems that we have Certificate issues on the Company portal . After re-registering the steps below , it works . Before it executed also successfully ,and I thought everything was OK , but I was wrong. So if you have the above error message “ Service health log: WP appStoreURI is missing for account “ , it means there is something wrong with your company portal and signed certificates.

  • Step 1 : Disable the Windows Phone 8 support on the intune connector :

image

1.  Create your application “Company portal” that is included in the toolkit.

2. The first step to enable the management of Windows Phone 8 devices is to run the script that is included  cscript ConfigureWP8Settings.vbs <server> QuerySSPModelName . It is important to notate the Scope_ID<GUID> information as it will be used in the next step.

3.  Next we need to run the script again but this time in Save mode with the SSP name to populate the necessary certificate information that enables Windows Phone 8 Management.  The command will will use this time is: cscript ConfigureWP8Settings.vbs <server> SaveSettings <Company Portal name> where <Company Portal name> is the output for Model Name from the earlier step.

4.  After completion of the steps above, you can now verify that Windows Phone 8 device management is enabled.  

image

Now you can enroll your Windows Phone 8 devices in your Windows Intune Unified Trial Account. It works like a charm now .

image

Hope it Helps ,

Kenny Buntinx

MVP enterprise Client Management

Prepare to Install ADFS 2.1 Services to have SingleSignOn (SSO) in Windows Intune (WaveD) – Part 1

1:42 pm in ADFS, best practices, con, ConfigMgr 2012 SP1, intune, scc, SCCM 2012 SP1, Windows Intune by Kenny Buntinx [MVP]

 

With the SP1 release of System Center 2012 Configuration Manager, we now have the ability to connect to Windows Intune to manage mobile devices via the Internet. This allows you to use the Configuration Manager console to provision mobile devices, apply policy, and target apps to mobile devices even when those devices are not connected to the corporate network.

To provide users with an integrated sign-on experience (and reduce the need for administrators to manage two passwords for users) it is highly recommended that you deploy ADFS. ADFS provides the capability for a cloud server to leverage on-premise Active Directory credentials.

To deploy and configure ADFS 2.1 (server 2012) , follow the steps outlined below. This blog will cover the configuration and deployment work needed to successfully connect their device with corporate credentials . Before you install ADFS 2.1 on Windows Server 2012, you have to think through some of the requirements.

The benefits of implementing ADFS:

  • Improves user productivity by enabling true single sign-on to domain joined computers
  • Reduces usability issues by allowing users to use AD credentials to access all “Windows Intune" or “Office 365” services and not have to remember two identities and two passwords
  • Allows administrators the ability to enforce the organization’s password policies and account restrictions in both the on-premises and cloud-based organizations
  • Increases security of AD credentials since passwords are never synced to the cloud, all authentication happens on-premises
  • Reduces overall administration time and costs associated due to the above points

Based on a lot of TechNet articles , this was my design :

image

 

  • Will feature two ADFS farm servers (For redundancy reasons)
  • Will have two ADFS proxy servers (For redundancy reasons)
  • Will have one DirSync server (separate VM for preformance)
  • Will use a HW load balancer (Cisco , F5 , Citrix Netscaler) instead of Microsoft multicast NLB ( It doesn’t really work that well – or call it bad experiences) on both ADFS farm and ADFS proxy servers
  • Due to the size of the environment (Less than 50,000), WID (Windows Internal Database) server will have to be used
  • This WID SQL server will be running SQL Express edition.

In addition, we need to determine a few things upfront, as it will speed up the installation work. My personal experience is that you really need one of the internal Network guys from the customer to make this happen. We as “configmgr” guy’s are not familiar on how a customers network is organized and who is responsible for what part of the network)

  • External IP address of the federation service (In my example 212.x.x.x)
  • DMZ IP address of the federation service (which will be assigned to NLB as a shared virtual IP address , in my example 192.168.x.20)
  • DMZ server dedicated IP addresses (In my example 192.168.x.1 and 192.168.x.2) , they also reside in workgroup (not domain joined)
  • Internal ADFS farm shared virtual IP address assigned to the ADFS farm NLB (in my example 10.x.x.20)
  • Internal ADFS server dedicated IP addresses (in my example 10.x.x.1 and 10.x.x.2)
  • Fully qualified DNS name of the federation service, or ADFS FQDN (in my example Federation.SCUG.be) 
  • Service accounts used for various purposes in the setup
  • Public SSL certificate to secure traffic associated with ADFS. Certificates used for server authentication and token signing. Try to order a *.<yourdomainname> certificate.This will make your life much easier. (in my example *.SCUG.be) 
  • Necessary firewall ports are open from the Internet to ADFS Proxy server (port 443)
  • Necessary firewall ports are open from ADFS Proxy server to internal ADFS server (port 443)
  • Necessary firewall ports are open from the Internet to Dirsync server and visa versa (port 443)

This brings us to the end of this post. In the next few posts, we’ll cover additional configuration and installation steps and bring this Windows Intune SSO / ADFS 2.1 infrastructure on Windows Server 2012 to a usable state.

Stay Tuned !

 

Hope it Helps ,

Kenny Buntinx

Enterprise Client MVP