CHAPTER 16
Integrating Intune Hybrid into Your Configuration Manager Environment

The past several years have seen dramatic changes in the information technology (IT) landscape. To meet the shift toward mobile devices, enterprises are recognizing the “consumerization of IT” and incorporating consumer devices into their IT infrastructure. This movement is being led by tech-savvy users demanding the ability to use the latest devices to access corporate resources from any location. To facilitate this access, employees must allow some control over their devices, and they must agree for their devices to be enrolled in a management solution.

Intune is Microsoft’s mobile device management (MDM, sometimes called modern device management) and mobile application management (MAM) solution. You can integrate Intune with System Center Configuration Manager (ConfigMgr) to provide hybrid management of on-premise and mobile devices using a single console.

Introducing Microsoft Intune

Microsoft Intune is a cloud-based device management solution. It can be deployed in a standalone or hybrid configuration (for more information, see the next section, “Hybrid Versus Standalone”). This chapter focuses on hybrid integration of Intune with ConfigMgr, which enables administrators to manage mobile devices (Android, iOS, Windows Phone, and Windows 8.1 and above) using the ConfigMgr console. This integration was introduced in ConfigMgr 2012 Service Pack (SP) 1 and enhanced with the 2012 Release 2 (R2) version. ConfigMgr previously provided MDM using the Exchange Connector. However, this capability was limited to the basic management features supported by Exchange ActiveSync.

Using Intune provides the following features:

• Secure management of personal and corporate-owned devices across popular mobile platforms

• Self-enrollment of devices

• Hardware and software inventory

• Mobile device configuration (for example, Wi-Fi profiles, email profiles, certificates, and virtual private networks [VPNs])

• MAM policies, including integration with Office mobile apps

• Application deployment (required or available via the Intune company portal)

• Conditional access, which prevents access to email and other services on devices that are not enrolled with Microsoft Intune

Hybrid Versus Standalone

There has been a considerable amount of debate on the subject of using Intune hybrid versus standalone since Intune was first integrated with ConfigMgr 2012 several years ago. Which approach should you use? Which one is better?

Intune standalone means that mobile device management is carried out using a cloud portal. A hybrid solution involves integrating Intune and ConfigMgr, which makes it possible to manage your mobile and on-premise devices using the ConfigMgr console. The best solution—and the one you should use—is the one that works best for your organization. Do note that, as of the time this book was published, Microsoft has stated that Intune standalone is their recommended deployment topology. Microsoft has also developed migration strategies for customers to migrate from Intune hybrid to Intune standalone. With that said, Microsoft has also committed to supporting customers using Intune hybrid.

Intune hybrid and standalone both have pros and cons; however, the rapid cadence of releases from Microsoft constantly changes the advantages of each solution, making it futile to even attempt to provide a comparison table in this book, as it would be obsolete before the book is even published. For more information on choosing between the models, see https://docs.microsoft.com/sccm/mdm/understand/choose-between-standalone-Intune-and-hybrid-mobile-device-management.

As ConfigMgr is the industry standard for computer management, it is great that you can now use it to manage all your devices through a single console. However, historically there was always one major disadvantage: Microsoft would regularly release new Intune features that could be immediately utilized by standalone users, while hybrid customers would have to wait for the changes to be integrated with ConfigMgr, as it was challenging to quickly add new features to this massive on-premise solution.

The wait was quite frustrating for customers, and they often chose to implement standalone Intune as a result. With the release of ConfigMgr Current Branch, Microsoft has committed to upgrading the entire ConfigMgr solution at a rapid rate, using the new servicing model. This makes it easier to add new features in a reasonable time frame.

Microsoft’s Enterprise Mobility + Security

The advent of mobile devices has blurred corporate security boundaries, increasing potential risks. An organization needs an effective strategy to manage the mobile workforce. It is not enough to manage devices; to adhere to strict security and compliance policies, you must adopt an end-to-end management strategy. Microsoft has identified this need and taken a holistic view with the introduction of Enterprise Mobility + Security (EMS). The EMS suite is a licensing bundle that consists of the following products:

• Azure Active Directory (AD) Premium: Enables user identity management

• Microsoft Intune: Provides mobile device and application management

• Azure Information Protection: Enables data protection

• Cloud App Security: Manages cloud app usage and shadow IT

• Advanced Threat Analytics: Provides breach and threat identification

While this book is concerned with Microsoft Intune, it is important to know about EMS and how it fits into the total solution.

Purchasing Microsoft Intune

Microsoft Intune is a subscription-based service, licensed on a per-user basis, with each user entitled to enroll 15 devices. While Intune can be licensed as a single product, purchasing EMS is a more cost-effective approach. The suite can be purchased through an Enterprise Agreement (EA) with Microsoft and became available for purchase through the open licensing model as of March 1, 2015.

If you are unsure whether the product is an appropriate fit for your organization, you can sign up for a trial in one of two ways. Note that you can transition your trial to production in each case:

• To sign up for a 30-day Intune trial, go to https://docs.microsoft.com/intune/free-trial-sign-up and click Try now.

Click Sign in if you wish to add the trial to an existing Office 365 subscription. Otherwise, enter your information to sign up.

To extend the trial an additional 30 days, contact Intune support. Local support telephone numbers are available in the TechNet documentation at https://technet.microsoft.com/jj839713.aspx.

NOTE: SELECTING AN AZURE DOMAIN NAME

During the sign-up process you must choose a new Azure domain name in the format mydomain.onmicrosoft.com.

Choose wisely, as this name cannot be changed later, and it is for all your Microsoft cloud services—Intune, Office 365, and so on. You are notified immediately if the domain name is available, and you can then continue the process by selecting a username. The username and domain name combine to generate a user ID for the first global administrator account, in the format admin@mydomain.onmicrosoft.com.

Use this account to sign in to the Office 365, Intune, and Azure portals.

• Existing Microsoft cloud customers can sign up for a 90-day EMS trial through the FastTrack program, at http://fasttrack.microsoft.com/ems. This program allows customers to explore new resources at their own pace. It helps with planning for successful rollouts and onboarding of new users.

Using the Management Portals

At the time this book was published, Intune was being migrated from a Silverlight-based portal to the Azure portal. The classic Intune admin portal was being discontinued, and Intune management is now available via the Azure portal. Currently the following can be used to manage the various configurations and features of Microsoft Intune:

• Office 365 Admin Center (https://portal.office.com): You can use the Office 365 admin center to carry out some preliminary configuration for the hybrid solution. Use it to add and verify a custom domain, as described in the “Preparing Your Environment for Intune” section, later in this chapter.

The admin center can also be used to access the Intune admin console. Navigate to Admin Centers -> Intune.

• Intune Admin Portal (https://manage.microsoft.com): The Intune admin portal is currently used only for day-to-day management of computers. Mobile device management using Intune standalone has been migrated to the Azure portal. In a hybrid environment, most management activities are performed using the Configuration Manager console. This is discussed further in Chapter 17, “Managing Mobile Devices.”

• Azure Portal (https://portal.azure.com): Intune management is carried out using the Azure portal. Navigate to More Services -> Monitoring and Management -> Intune to access the Intune tiles, as shown in Figure 16.1.

NOTE: SINGLE IDENTITY ACROSS MICROSOFT CLOUD SERVICES

Azure Active Directory (Azure AD) is the primary directory that provides access to Microsoft cloud services such as Office 365, Azure, and Intune. It is vitally important to link these services together correctly. For example, if you use Office 365, you already use Azure AD (even though you do not manage your users via the Azure portal). In this case, do not create a new tenant if you purchase Intune or Azure services.

A screenshot shows the Microsoft Azure Intune window.

FIGURE 16.1 Managing Intune via the Azure portal.

Using Intune Storage

When you create a paid Intune subscription, you are allocated 20GB of Azure cloud storage. This storage is only used for line-of-business applications to be deployed to mobile devices. It is not required for store apps or for compliance and configuration policies.

Use the Intune admin console to check how much storage you are using. Navigate to Admin -> Storage Use. You can purchase additional storage as needed.

A trial Intune subscription entitles you to 2GB of Azure storage.

User Identity Options

User accounts and groups are utilized to manage and secure access to corporate resources. Azure AD is a comprehensive identity and access management solution that Microsoft leverages for authentication to online services (including Intune and Office 365). Microsoft provides three user identity models:

• Cloud identity

• Synchronized identity

• Federated identity

Each model presents varying levels of complexity, and it is important to choose the model that works best for your business. The following sections discuss these models in more detail.

Cloud Identity

The cloud identity model is not commonly used in an enterprise environment. The model uses Azure AD to create and manage users. Azure AD verifies passwords, and on-premise identity configuration is not required.

This model is normally used only in small organizations that do not have on-premise AD.

Synchronized Identity (Password Synchronization)

In the synchronized model, user identity is managed on-premise using AD. Selected user accounts and password hashes are synchronized to Azure AD. Passwords are verified by Azure AD to provide a “same sign-on” experience.

Various tools are available to synchronize the user accounts and password hashes. Azure AD Connect was the recommended tool at the time this book was published, and it is the only tool currently undergoing Microsoft development. Azure AD Connect is discussed in the “Synchronizing Active Directory” section, later in this chapter.

Federated Identity

The federated identity model requires a synchronized identity model to be in place already. However, unlike with the synchronized identity model, the password hash is not synchronized to Azure AD, as passwords are verified by on-premise AD to provide a single sign-on experience.

This model typically uses Active Directory Federation Services (ADFS) and is the most complex model to implement. Additional network and server infrastructure is required to achieve high availability.

NOTE: THE IDENTITY MODEL USED IN THIS BOOK

This book uses the synchronized identity model. ADFS configuration is beyond the scope of the book.

You can easily switch from synchronized identity to federated identity at a later stage, if required.

Preparing Your Environment for Intune

After purchasing Intune (or EMS), there are a number of tasks required to prepare your on-premise and cloud environments:

• Adding and verifying a custom domain

• Creating Domain Name System (DNS) records

• Adding a user principal name (UPN)

• Synchronizing Active Directory

• Creating an alternate login ID (optional)

This work will already have occurred if you are using Office 365 services. The following sections describe these tasks in detail.

Adding and Verifying a Custom Domain

The first task in preparing your environment for Intune is to create a custom domain. For enterprise production environments, the authors recommend adding a custom domain name with which your users are familiar and comfortable. Add this custom domain prior to synchronizing your user accounts so that the users can receive a custom UPN and then can access resources using credentials they recognize. Typically, this will be their primary Simple Mail Transfer Protocol (SMTP) email address.

Follow these steps to add a custom domain:

1. Log in to the Office 365 portal (https://portal.office.com) using the global administrator account.

2. Navigate to Settings -> Domains. Initially you see only your onmicrosoft.com domain. Configuring the custom domain in advance simplifies management of user identities. (UPNs are discussed in the section “Adding a User Principal Name,” later in this chapter.)

NOTE: CUSTOM DOMAINS

Your custom domain must be an Internet-routable domain, and you need to verify your ownership of this domain. This custom domain is then added as an alternative UPN suffix in Active Directory.

3. Select Add Domain and enter your custom domain name. This book uses the domain EMSlab.ie.

4. The next screen of the wizard, shown in Figure 16.2, presents instructions to verify your ownership of this domain. You must add a specific record to the DNS records of the domain, and Microsoft verifies that new record. This action does not affect any existing DNS records.

A screenshot shows the emslab.ie dialog box.

FIGURE 16.2 Verifying the domain.

Two verification methods are available:

• Adding a TXT record (preferred)

• Adding an MX record (alternative)

Adding a TXT record is the easiest option. Follow the hyperlink in the wizard for additional information on this process with the various domain name registrars.

The DNS record can take up to 24 hours to propagate fully after being added, although it is normally available within an hour. Once the record is propagated, click Verify. You will receive the error “Verification DNS record not found” if you have not waited a sufficient amount of time before verification. Once the domain is verified, its status changes in the portal.

Creating DNS Records

The authors recommend that you create DNS records to assist with enrolling Windows devices. While doing so is optional, it provides a better support experience.

You create a CNAME record for your domain that redirects EnterpriseEnrollment-s.yourdomain.com to manage.microsoft.com. When the MDM agent in Windows starts the enrollment process, it examines the email address provided and searches the DNS records for that domain for this CNAME value.

• If the CNAME is found, the enrollment is redirected to Microsoft servers, and the process continues without any further user intervention.

• If the CNAME value is not found, you are prompted to enter the server name (manage.microsoft.com) to continue.

Creating a CNAME record helps ensure seamless enrollment of Windows devices in a production environment. You also could create a CNAME record that redirects to EnterpriseRegistration.windows.net to support Windows 8.1 and Windows 10 mobile devices that register with Azure AD.
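The following PowerShell function is an added example, not code from the book, that checks the DNS records discussed in the last two sections from an administrator's workstation: the ownership-verification TXT record (whose value begins with "MS=") and the two enrollment CNAMEs. It assumes the DnsClient module (Resolve-DnsName, built into Windows 8.1/Server 2012 R2 and later); the public resolver address and the domain name in the usage line are placeholders you substitute with your own.

```powershell
# Added example: verify the Intune DNS records for a custom domain.
# Assumes Resolve-DnsName (DnsClient module). Resolver and domain below are placeholders.

function Test-IntuneDnsRecords {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $DnsServer = '8.8.8.8'   # public resolver, so internal cache does not mask propagation delay
    )

    $results = @()

    # 1. Ownership verification: a TXT record at the domain apex whose value starts with "MS=".
    $txt = Resolve-DnsName -Name $Domain -Type TXT -Server $DnsServer -ErrorAction SilentlyContinue
    $msTxt = @($txt | ForEach-Object { $_.Strings } | Where-Object { $_ -match '^MS=' })
    $results += [pscustomobject]@{
        Record   = "$Domain (TXT)"
        Expected = 'MS=ms<number>'
        Actual   = ($msTxt -join ', ')
        Ok       = ($msTxt.Count -gt 0)
    }

    # 2. Enrollment CNAMEs. The hybrid (ConfigMgr) record uses the "-s" name;
    #    the Azure AD registration record is a separate CNAME.
    $cnames = @{
        "EnterpriseEnrollment-s.$Domain" = 'manage.microsoft.com'
        "EnterpriseRegistration.$Domain" = 'enterpriseregistration.windows.net'
    }
    foreach ($name in $cnames.Keys) {
        # Resolve-DnsName follows the alias, so keep only the CNAME answer itself.
        $answer = Resolve-DnsName -Name $name -Type CNAME -Server $DnsServer -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        $results += [pscustomobject]@{
            Record   = "$name (CNAME)"
            Expected = $cnames[$name]
            Actual   = $answer.NameHost
            Ok       = ($answer.NameHost -ieq $cnames[$name])
        }
    }
    return $results
}

# Usage: run after adding the records at your registrar and re-run until every row reports Ok = True.
Test-IntuneDnsRecords -Domain 'emslab.ie' | Format-Table -AutoSize
```

Querying a public resolver rather than the internal DNS server is deliberate: the "Verification DNS record not found" error described above is usually propagation delay, and an internal server that already answers for the zone would hide it.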

Adding a User Principal Name

A UPN is a login name for an Active Directory user, based on Internet standard RFC 822. The UPN usually maps to the user’s primary SMTP address.

The “Adding and Verifying a Custom Domain” section, earlier in this chapter, discusses adding to Intune a custom domain name that is verified by Microsoft. This section shows how to add that domain as a UPN suffix in Active Directory.

To add a UPN, log on to a domain controller (DC) and perform the following steps:

1. Open Active Directory Domains and Trusts. Right-click Active Directory Domains and Trusts and choose Properties.

2. Add an alternative UPN suffix (that is, a custom domain name), as shown in Figure 16.3.

A screenshot shows the Active Directory Domains and Trusts [Pantheon.Odyssey] dialog box.

FIGURE 16.3 Adding an alternative UPN suffix.

3. You can now change the UPN for your users so it matches the primary SMTP address. Using Active Directory Users and Computers, open the properties of a user account and then select the Account tab.

4. Using the dropdown arrow, select the alternate UPN suffix and ensure that the logon name matches the primary SMTP address, as shown in Figure 16.4.

It would be inefficient to perform this procedure manually for a large number of users. Community-developed scripts are available, and several tools exist to make bulk changes.

A screenshot shows the Gerry Properties dialog box.

FIGURE 16.4 Changing the user UPN.

TIP: THE ADMODIFY TOOL

ADModify is a recommended tool for making mass changes of UPNs in Active Directory. The Microsoft TechNet library has detailed instructions on the correct usage of this tool. See https://technet.microsoft.com/library/aa996216(v=exchg.65).aspx for additional information.
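As an added example (not from the book, and not the ADModify tool), the following PowerShell function performs the same bulk UPN change with the ActiveDirectory module from RSAT. It sets each user's UPN to the user's mail attribute, but only when the mail domain is a suffix registered in Active Directory Domains and Trusts, so a stray mail value cannot produce a UPN that users cannot sign in with. The OU path is a placeholder; run with -WhatIf first.

```powershell
# Added example: align user UPNs with the primary SMTP address in bulk.
# Assumes the ActiveDirectory module and an account permitted to modify the target users.

function Set-UpnFromMail {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # placeholder, e.g. 'OU=Staff,DC=pantheon,DC=odyssey'
        [switch] $WhatIf
    )
    Import-Module ActiveDirectory

    # Only registered alternative suffixes (plus the forest's own domain names) are usable as UPN suffixes.
    $forest = Get-ADForest
    $validSuffixes = @($forest.UPNSuffixes) + @($forest.Domains)

    $users = Get-ADUser -Filter 'mail -like "*"' -SearchBase $SearchBase -Properties mail, userPrincipalName
    $report = foreach ($u in $users) {
        $newUpn = $u.mail.Trim()
        $suffix = ($newUpn -split '@')[-1]

        if ($u.userPrincipalName -ieq $newUpn) {
            $status = 'AlreadyMatches'
        } elseif ($validSuffixes -notcontains $suffix) {
            $status = 'SuffixNotRegistered'          # skipped: add the suffix in Domains and Trusts first
        } else {
            Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf:$WhatIf
            $status = if ($WhatIf) { 'WouldUpdate' } else { 'Updated' }
        }

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            OldUpn         = $u.userPrincipalName
            NewUpn         = $newUpn
            Status         = $status
        }
    }
    return $report
}

# Usage: preview first, then apply.
Set-UpnFromMail -SearchBase 'OU=Staff,DC=pantheon,DC=odyssey' -WhatIf | Format-Table -AutoSize
# Set-UpnFromMail -SearchBase 'OU=Staff,DC=pantheon,DC=odyssey'      # commits the change
```

Keep the preview output: the SuffixNotRegistered rows are exactly the users who would fail to synchronize with a recognizable sign-in name, and the report is also useful input for the SQL UPN check after ConfigMgr user discovery.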

Synchronizing Active Directory

After adding the custom domain to both on-premise Active Directory and Azure Active Directory, you can synchronize your user accounts with Microsoft Azure.

This book uses the commonly implemented synchronized user identity model (password synchronization). Azure AD Connect is the recommended tool for integrating your on-premise AD with Azure AD; it replaces older directory synchronization tools such as DirSync and Azure AD Sync, both of which reached end-of-support in April 2017.

NOTE: ABOUT PASSWORD SYNCHRONIZATION

Password synchronization involves synchronizing the hashes of user passwords from your on-premise AD to Azure AD. It allows users to log on to Microsoft Online services using the same password they use to access local network resources. This is not a single sign-on solution, as there is no token sharing or exchange in the process.

At the time this book was published, Azure AD Connect 1.1 was the current version of the tool. This version has new and improved features, including the following:

• Automatic Upgrades: Previous upgrades of DirSync, Azure AD Sync, and Azure AD Connect were manual.

• More Frequent Synchronizations: Previous synchronization intervals were three hours. Azure AD Connect 1.1 supports synchronization intervals of 30 minutes.

• Multi-factor Authentication (MFA): Azure AD Connect 1.1 now natively supports MFA.

Table 16.1 shows the prerequisite requirements for Azure AD Connect.

TABLE 16.1 Azure AD Connect Software Prerequisites

Component                 | Prerequisite                                         | Details
--------------------------|------------------------------------------------------|------------------------------------------------------------------
Accounts                  | Azure User ID (Global Administrator)                 | Created when signing up for Microsoft Intune.
Accounts                  | Local Active Directory                               | Must be enterprise administrator.
Azure AD                  | Custom domain                                        | Added to Azure and verified.
On-premise infrastructure | Minimum AD schema and forest functional level        | Windows Server 2003.
On-premise infrastructure | For password writeback                               | DCs must be Windows Server 2008 (with SP 2) or later. Windows Server 2008 DCs must have KB2386717 applied.
On-premise infrastructure | Domain controller                                    | A writable DC must be available. Read-only DC is not supported.
Firewall ports            | Communication between Azure AD Connect and on-premise AD | 53 (TCP/UDP): DNS; 88 (TCP/UDP): Kerberos; 135 (TCP/UDP): RPC; 389 (TCP/UDP): LDAP; 636 (TCP/UDP): LDAP/SSL; 1024–65353 (TCP/UDP): Random high RPC port
Firewall ports            | Communication between Azure AD Connect and Azure AD  | 80 (TCP/UDP): HTTP; 443 (TCP/UDP): HTTPS
Azure AD Connect server   | In order to use password synchronization             | Windows Server 2008 R2 SP 1 Standard or later.
Azure AD Connect server   | .NET Framework                                       | 4.5.1 or later.
Azure AD Connect server   | Microsoft PowerShell                                 | 3.0 or later.
Database                  | SQL Server 2012 Express                              | Installed automatically with express installation. Supports approximately 100,000 objects. Full SQL Server version for more than 100,000 objects.

NOTE: USE THE LATEST VERSION OF WINDOWS SERVER

Table 16.1 lists the minimum requirements. However, the authors recommend installing Azure AD Connect on the latest available Windows Server operating system.

Table 16.2 lists the minimum hardware requirements for the Azure AD Connect server.

TABLE 16.2 Azure AD Connect Minimum Hardware Requirements

Number of Active Directory Objects | CPU (GHz) | RAM (GB) | Hard Disk (GB)
-----------------------------------|-----------|----------|---------------
Fewer than 50,000                  | 1.6       | 4        | 70
50,000–100,000                     | 1.6       | 16       | 100
100,000–300,000                    | 1.6       | 32       | 300
300,000–600,000                    | 1.6       | 32       | 450
More than 600,000                  | 1.6       | 32       | 500

Download AzureADConnect.msi from the Microsoft Download Center, at https://www.microsoft.com/download/details.aspx?id=47594.

Two installation methods exist for Azure AD Connect:

• Express: Supports the most common implementation scenarios

• Custom: For more advanced options (recommended by the authors, so that you can choose which organizational units [OUs] to synchronize to Azure)

This book assumes that you are using the most common topology, which is a single on-premise forest with one or more domains and a single Azure AD. This scenario is supported by the Azure AD Connect express installation.

Before installing Azure AD Connect, examine the official Microsoft Azure documentation to discover the differences and the details of each option. In particular, you should understand the expected behavior when you make specific choices.

TIP: USING A DEDICATED SERVER FOR AZURE AD CONNECT

In an enterprise environment, you should install Azure AD Connect on a dedicated server. Although it supports an express installation, the authors recommend choosing a custom installation for control over many important aspects of the implementation, including the following:

• Filtering to synchronize only the OUs you require

• Using a dedicated SQL instance (rather than SQL Server Express)

Follow these steps to install Azure AD Connect:

1. Log on to the server as a local administrator.

2. Launch the installer to start the Microsoft Azure Active Directory Connect installation wizard.

3. Check the box to agree to the license terms and privacy notice and click Continue.

4. Choose between an express or custom installation. Choose Customize if you want to make any changes to the default installation (such as selecting which user accounts to synchronize). This is the recommended option.

5. When you are presented with the choices for installing required components, choose whether to accept the default configuration. If you do, the wizard installs a local SQL Server 2012 Express instance. The wizard also creates the appropriate security groups and assigns the correct permissions. Remember that the authors recommend using an existing SQL Server instance for advanced management purposes. Click Install to continue. The required components are installed.

6. When prompted to do so, choose the single sign-on method you want for your users, as shown in Figure 16.5. If you are not federating with ADFS, choose Password Synchronization. Click Next to continue.

A screenshot shows the Microsoft Azure Active Directory Connect dialog box.

FIGURE 16.5 Selecting the user sign-in method.

7. Enter your Azure Active Directory credentials. (You must be a global administrator on the tenant; this process creates an Azure AD account that is used for subsequent synchronizations.) If this account has multi-factor authentication enabled, you need to complete the MFA challenge. Click Next to commence the Microsoft Online verification process.

8. Provide details for your on-premise Active Directory. (You must be an enterprise administrator.) Choose your forest and select Active Directory as the directory type. Enter your on-premise AD account and click Add Directory. After the directory is configured, click Next to continue.

9. By default, all domains and OUs are synchronized. This is not recommended. You should deselect domains and OUs as required. Click Next to continue.

10. When you are asked how your users should be uniquely identified, accept the default settings, which are appropriate for most scenarios, or change them. Click Next to continue.

11. On the next page, which gives you the option to filter users and devices, filter by AD group if this installation is part of a pilot project. If you wish to synchronize all user accounts in the selected OUs, accept the default and click Next to continue.

12. When you are presented with some optional features, check the box for any features you want and click Next. You are informed that you have completed the wizard and are ready to configure Azure AD Connect.

13. Choose to start the synchronization process as soon as the configuration completes and click Install to finish.

14. Verify that the users have synchronized to Azure AD. Log in to the Azure or Office 365 portal to view the synchronized accounts. Note that the user format matches the UPN configured in AD.

Although Azure AD Connect supports synchronization intervals of 30 minutes, you may want to use PowerShell to manually force the synchronization. Follow these steps:

1. Launch PowerShell as administrator.

2. Navigate to the %ProgramFiles%\Microsoft Azure AD Sync\Bin folder.

3. Execute DirectorySyncClientCmd.exe with the delta parameter.
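The three steps above, as an added example that is not from the book: a PowerShell function that checks the Azure AD Connect scheduler before launching the delta run, so a manual run is not started on top of a cycle already in progress. It assumes Azure AD Connect 1.1 (which installs the ADSync module alongside DirectorySyncClientCmd.exe) and an elevated session on the Azure AD Connect server.

```powershell
# Added example: force a delta synchronization from an elevated PowerShell session.
# Assumes Azure AD Connect 1.1 installed in the default location.

function Invoke-AadDeltaSync {
    $exe = Join-Path $env:ProgramFiles 'Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe'
    if (-not (Test-Path $exe)) { throw "DirectorySyncClientCmd.exe not found at $exe" }

    Import-Module ADSync
    $scheduler = Get-ADSyncScheduler          # built-in 30-minute scheduler state
    if ($scheduler.SyncCycleInProgress) {
        Write-Warning 'A sync cycle is already running; not starting another.'
        return $scheduler
    }

    & $exe delta                              # the command the book's step 3 runs by hand
    if ($LASTEXITCODE -ne 0) { throw "Delta sync exited with code $LASTEXITCODE" }

    # Start-ADSyncSyncCycle -PolicyType Delta is the cmdlet equivalent in 1.1 if you prefer it to the exe.
    return Get-ADSyncScheduler
}

Invoke-AadDeltaSync |
    Select-Object SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval, NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC
```

After the run, confirm the accounts in the Azure or Office 365 portal as in step 14 of the installation procedure; a completed delta run does not by itself prove that the users you expected were in scope of the OU and group filters you chose.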

Implementing an Alternate Login ID (Optional)

The “Adding a User Principal Name” section discusses the most common approach to enabling user account synchronization to Azure AD so that users can be authenticated for access to one of the associated services (for example, Intune, Office 365). As part of this process, you modified the UPN to use an Internet-routable domain name and configured it to match the user’s primary SMTP address. However, this is not always possible, as in some organizations you may not be allowed or able to alter the existing UPN.

This problem is resolved by implementing alternate login ID functionality, which enables you to configure the sign-in experience to use an alternative user attribute in Active Directory Domain Services rather than using the usual UPN.

TIP: USING THE MAIL ATTRIBUTE

The authors highly recommend using the mail attribute as the alternate login ID.

You can use the alternate login ID functionality in conjunction with each of the three user identity models. You must configure how your users are identified during Azure AD Connect installation. You cannot edit or repair this configuration afterward. More information on configuring an alternate login ID can be found at https://technet.microsoft.com/library/dn659436.aspx.

Integrating Intune with Configuration Manager

With the on-premise and cloud environments prepared and the on-premise user accounts synchronized with Azure AD, you can now integrate Microsoft Intune with ConfigMgr. This is achieved by adding an Intune subscription in the ConfigMgr console.

NOTE: LICENSING USERS

Microsoft Intune is a subscription cloud service. If Intune is deployed in a standalone model, you must assign Intune (or EMS) licenses to users via Azure or Office 365 portals. This entitles them to enroll up to 15 mobile devices.

When you integrate Intune with ConfigMgr, the behavior is different. You license users by adding them to the Configuration Manager collection configured in the Intune subscription. This is described in the “Creating a User Collection” section, later in this chapter.

A number of tasks are required to integrate Intune and Configuration Manager:

• Configure user discovery

• Create a user collection

• Add an Intune subscription

• Add the service connection point

These tasks are discussed in the following sections. After ConfigMgr and Intune are integrated, you will be able to manage mobile devices. This is described in detail in Chapter 17.

NOTE: DESKTOP COMPUTER MANAGEMENT WITH INTUNE

Microsoft Intune also allows you to manage desktop computers if you install and configure an Intune agent. However, when ConfigMgr and Intune are integrated, it is expected that the computer management is provided by ConfigMgr, which provides a much more comprehensive management solution.

Configuring User Discovery

ConfigMgr does not discover AD users by default; Active Directory User Discovery must be enabled. Follow these steps to enable Active Directory User Discovery:

1. In the console, navigate to Administration -> Discovery Methods -> Active Directory User Discovery.

2. Check the box Enable Active Directory User Discovery, as shown in Figure 16.6. Click the yellow starburst icon and select the OUs you require. Only users in these OUs will be discovered. If you selected specific OUs when configuring Azure AD Connect, remember to include them. Click Apply.

A screenshot shows the Active Directory User Discovery Properties dialog box.

FIGURE 16.6 Enabling Active Directory User Discovery.

3. When you are prompted to run full discovery as soon as possible, click Yes and monitor the progress by using the ADUSRDIS.LOG file.

The discovery agent contacts a DC to locate the user resources. It discovers user accounts from the specified OUs in Active Directory Domain Services and creates discovery data records (DDRs) when sufficient resource information can be found. The users are then available in the ConfigMgr console.

NOTE: VERIFYING THE UPN

Use the following SQL query to verify that the UPN of the discovered users is consistent with the custom domain added to Intune (replacing P01 with your site code):

-- Count discovered users by UPN suffix (the text after the @ sign).
-- Replace P01 with your site code. Users whose UPN contains no @ appear as a whole-UPN row.
SELECT UserPrincipalName,
       COUNT(*) AS NumOfOccurrences
FROM (
    SELECT RIGHT(User_Principal_Name0,
                 LEN(User_Principal_Name0) - PATINDEX('%@%', User_Principal_Name0)) AS UserPrincipalName
    FROM CM_P01.dbo.v_R_User
) AS sub
GROUP BY UserPrincipalName

Creating a User Collection

You should create a user collection before adding a Microsoft Intune subscription. You will be prompted to select this collection when adding the subscription. Users who will be entitled to enroll devices for management should be added to this collection.

TIP: INCREMENTAL USER COLLECTIONS

The authors recommend creating an incremental collection so that users are added as quickly as possible.

Adding an Intune Subscription

The Microsoft Intune subscription allows you to specify your configuration settings for the Microsoft Intune service. This includes specifying which collection of users can enroll their devices and defining the mobile device platforms to manage. You can also customize the look and feel of the Intune company portal by adding contact information and branding with a company logo.

The Intune subscription is responsible for the following:

• Retrieving the certificate needed to connect to Intune

• Enabling users to enroll devices

• Configuring the supported mobile platforms

NOTE: SERVER BROWSER ISSUES

The security restrictions on the browser of a server operating system can cause issues with connecting to or authenticating with the Intune service. Disable Internet Explorer Enhanced Security Configuration before adding the Intune subscription.

Figure 16.7 shows another typical issue. This particular issue can be solved by enabling scripting in the security settings of the Internet zone.

A screenshot shows the Subscription dialog box. The message states that JavaScript must be enabled and directs the reader to the browser’s online help to learn how to allow JavaScript and to check whether the browser supports it.

FIGURE 16.7 Server browser issues.

To add an Intune subscription to Configuration Manager, follow these steps:

1. In the ConfigMgr console, navigate to Administration -> Overview -> Hierarchy -> Cloud Services. Right-click Microsoft Intune Subscriptions, and choose Add Microsoft Intune Subscription, as shown in Figure 16.8.

A screenshot shows the navigation pane, with Microsoft Intune Subscriptions selected under Cloud Services.

FIGURE 16.8 Adding an Intune subscription.

2. In the first dialog of the Create Microsoft Intune Subscription Wizard that appears, read the steps to complete the wizard and the prerequisites for managing the following platforms, as shown in Figure 16.9:

• Windows: Sideloading keys

• Windows Phone 8: Code-signing certificate

• Windows Phone 8.1: Sideloading keys

• iOS: Apple Push Notification Service certificate

Click Next to continue.

A screenshot shows the Introduction page of the Create Microsoft Intune Subscription Wizard dialog box.

FIGURE 16.9 The Create Microsoft Intune Subscription Wizard.

3. Select Sign In to sign in to Microsoft Intune (see Figure 16.10).

A screenshot shows the Microsoft Intune sign-in page.

FIGURE 16.10 Signing in to Microsoft Intune.

4. Confirm that you want to set Configuration Manager to be the mobile device management authority, as shown in Figure 16.11.

NOTE: MICROSOFT MDM AUTHORITIES

A mobile device management authority is the management service that has permission to manage a set of devices. Microsoft has MDM authorities for the following:

• Intune

• Configuration Manager with Intune

• Office 365

Understand the consequences of setting this authority: If the MDM authority was previously set to Intune or Office 365, the ConfigMgr integration will fail.

A screenshot shows the "Set the Mobile Device Management Authority" dialog box.

FIGURE 16.11 Setting the mobile device management authority.

5. Enter your Intune credentials and click Sign In. This account must be a global administrator on the tenant. The account is authenticated and the Intune screen disappears.

6. Click Next to continue creating the subscription.

7. Complete the general configuration of the Intune Subscription, shown in Figure 16.12:

• Select the ConfigMgr collection configured earlier in this chapter, in the “Creating a User Collection” section. (Members of this collection are entitled to enroll devices.)

• Specify how you would like your company name to appear on the company portal on your managed mobile devices. You can also provide a URL to company privacy documentation.

• Choose the color scheme for the company portal. You can choose standard colors or customize the color using the palette.

• Verify the Configuration Manager site code.

• Use the dropdown to select a device enrollment limit, from 1 to 15. This limit defines the maximum number of devices a user can enroll and is optional. Note that an Intune license entitles a user to enroll a maximum of 15 devices.

Click Next to continue.

A screenshot shows the general configuration of the Create Microsoft Intune Subscription Wizard dialog box.

FIGURE 16.12 Intune subscription general configuration.

8. Specify the company contact information for the company portal, as shown in Figure 16.13. Enter the following information, which will be displayed to the user:

• IT department contact name

• IT department phone number

• IT department email address

• Website name

• Additional information

Click Next to continue.

9. Customize the company portal by adding the company logo (see Figure 16.14). Click Next to continue.

NOTE: COMPANY LOGO SPECIFICATIONS

The company logo can be added as a JPEG or PNG file type. The maximum allowed file size is 750KB, and the maximum resolution is 400 × 100 pixels.

The company contact information is specified in the Create Microsoft Intune Subscription Wizard dialog box.

FIGURE 16.13 Specifying company contact information.

The company logo is specified in the Create Microsoft Intune Subscription Wizard dialog box.

FIGURE 16.14 Specifying your company logo.

10. Add device enrollment managers, if required, and click Next to continue.

NOTE: DEVICE ENROLLMENT MANAGER

A standard user can enroll a maximum of 15 devices (depending on the device enrollment limit that is configured). A device enrollment manager does not have this limitation and can enroll more than this number. This is a special Intune account and is suitable when you want to enroll many shared user-less devices.

All of the device enrollment manager’s devices are enrolled as company owned. This is discussed in more detail in Chapter 17.

11. Check the box to enable multi-factor authentication, if required. (There are several methods of configuring MFA, but they are beyond the scope of this book. See https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication for more information.) Click Next to continue.

12. Review the configuration in the Summary dialog box and click Next to configure the Intune subscription.

13. Close the wizard.

The Intune Subscription is now added, and you can verify that a new site system is created (manage.microsoft.com). This is the cloud distribution point.

You can now configure management of the various platforms (see Figure 16.15), as discussed in Chapter 17.

Under Configure Platforms in a context menu, Android, iOS and Mac OS X (MDM), Windows, and Windows Phone are listed.

FIGURE 16.15 Configuring platforms.

Adding the Service Connection Point

In previous versions of ConfigMgr, when you added the Intune subscription, you were immediately informed that you were not finished with the Intune integration and still needed to add the Intune connector role. This connector was responsible for low-level communication with the Intune service.

The Intune connector role is not present in ConfigMgr Current Branch, and the service connection point (SCP) is now responsible for this functionality. This site system role is discussed in Chapter 6, “Installing and Updating System Center Configuration Manager.”

The authors recommend adding the SCP during ConfigMgr installation. This is actually the default action. If you skipped this step during installation, you must add the role now. The role can only be added on a central administration site (CAS) or standalone primary site. Follow these steps:

1. In the ConfigMgr console, navigate to Administration -> Site Configuration -> Servers and Site System Roles.

2. Right-click the server you require and select Add Site System Roles. The Add Site System Roles Wizard is launched.

3. Specify the service connection point role and click Next to continue.

4. Choose the device connection mode. Online is the recommended setting.

5. Click Next to continue.

6. Confirm your settings on the summary screen and click Next to add the role.

NOTE: SERVICE CONNECTION POINT MODES

Figure 16.16 shows the service connection point modes. Online mode is a persistent connection and the recommended setting. This mode is required if you configure an Intune subscription. If you create the Intune subscription while the service connection point is in Offline mode, it is automatically changed to Online.

A screenshot shows the Service connection point Properties dialog box.

FIGURE 16.16 Service connection point modes.

Removing an Intune Subscription

You can switch to a different Intune subscription. This may be necessary, for example, if you configured a trial subscription and want to move to a different paid subscription. Begin by performing the following steps to delete the subscription:

1. In the Configuration Manager console, navigate to Administration -> Overview -> Cloud Services and select Microsoft Intune Subscription.

2. Right-click Microsoft Intune Subscription and select Delete.

3. Navigate to Administration -> Overview -> Site Configuration and select Servers and Site System Roles.

4. Highlight the server with the service connection point.

5. Right-click Service connection point in the Site System Roles pane and select Remove Role.

6. Confirm that you wish to remove the role.

Now, create a new subscription. Follow these steps:

1. Create a new service connection point.

2. Add a new Intune subscription.

3. Set Configuration Manager to be the MDM authority.

CAUTION: DELETING A SUBSCRIPTION DELETES ALL ASSOCIATED INFORMATION

Enrollments, policies, and deployments associated with a deleted subscription are lost, and you must re-enroll all devices.

Removal of Intune Extensions

Earlier versions of ConfigMgr used Intune extensions to deliver new features out of band so they could be delivered at a more rapid cadence than service packs or cumulative updates. These extensions are no longer required in ConfigMgr Current Branch. New features are now delivered through regular Configuration Manager upgrades.

Troubleshooting Intune Hybrid

Configuration Manager is a very stable solution. However, sometimes things go wrong, and you need to be able to troubleshoot and resolve these issues. ConfigMgr administrators are generally very skilled at troubleshooting by analyzing the huge number of log files at their disposal. However, when you add and configure an Intune subscription, you add to the complexity of integration with a cloud service.

There are a number of tools available to troubleshoot Intune integration, discussed in the next sections.

Viewing Site and Component Status

To view site and component status, in the ConfigMgr console, navigate to Monitoring -> System Status. Using Site Status and Component Status provides a good overview of the health of the ConfigMgr servers and components. Figures 16.17 and 16.18 provide examples.

Right-click any component and choose Messages -> All to see detailed information, including errors and warnings.

Configuration Manager Site Status is displayed.

FIGURE 16.17 Configuration Manager Site Status.

Configuration Manager Component Status is displayed.

FIGURE 16.18 Configuration Manager Component Status.

For Intune integration, concentrate on the following components:

• SMS_Cloud_Services_Manager

• SMS_CloudUserSync

• SMS_DMP_Downloader

• SMS_DMP_Uploader

Using Log Files

ConfigMgr is well known for having extensive logging capabilities. Find the log files in the installation folder at %ProgramFiles%\Microsoft Configuration Manager\Logs.

Table 16.3 describes log files that are useful in troubleshooting Intune integration issues.

TABLE 16.3 Log Files for Intune Integration Troubleshooting

Log File                      Purpose

CloudUserSync.log             Records license enablement for users. (Figure 16.19 shows an example.) Ensure that Intune licensed user accounts have been synchronized.

Dmpdownloader.log             Records details on downloads from Microsoft Intune. Review it for communication errors.

Dmpuploader.log               Records details for uploading database changes to Microsoft Intune. Review it for communication errors.

Outgoingcontentmanager.log    Records content uploaded to Microsoft Intune. Review it for errors.

A screenshot shows the CloudUserSync.log file.

FIGURE 16.19 CloudUserSync.log file.
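Reviewing these files for errors is quicker when the warning and error entries are pulled out programmatically. The following is an added example, not code from the chapter: a small parser for the CMTrace entry format that the ConfigMgr logs use, run here over constructed sample lines shaped like Dmpdownloader.log output.

```powershell
# Added example, not from the chapter: extract warnings and errors from CMTrace-format
# logs such as CloudUserSync.log, Dmpdownloader.log and Dmpuploader.log. Each entry is
# one line of the form
#   <![LOG[message]LOG]!><time="HH:mm:ss.fff+000" date="MM-dd-yyyy" component="..." context="" type="N" thread="..." file="...">
# where type 1 = information, 2 = warning, 3 = error.
function Get-CMTraceEntry {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [AllowEmptyString()] [string] $Line,
        [int[]] $Type = @(2, 3)   # default: only warnings and errors
    )
    begin {
        $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"+-]+)[^"]*"\s+date="(?<date>[^"]+)"' +
                   '\s+component="(?<comp>[^"]*)"[^>]*?type="(?<type>\d)"[^>]*?thread="(?<thread>\d+)"'
    }
    process {
        $m = [regex]::Match($Line, $pattern)
        if (-not $m.Success) { return }        # continuation lines of multi-line entries are skipped
        $t = [int]$m.Groups['type'].Value
        if ($Type -notcontains $t) { return }
        $stamp = $m.Groups['date'].Value + ' ' + $m.Groups['time'].Value
        try {
            $when = [datetime]::ParseExact($stamp, 'MM-dd-yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
        } catch { $when = $stamp }             # keep the raw text if the format is unexpected
        [pscustomobject]@{
            Timestamp = $when
            Component = $m.Groups['comp'].Value
            Severity  = @{ 1 = 'Information'; 2 = 'Warning'; 3 = 'Error' }[$t]
            Thread    = [int]$m.Groups['thread'].Value
            Message   = $m.Groups['msg'].Value
        }
    }
}

# Constructed sample lines (not real log output) in the shape of Dmpdownloader.log.
$sampleLog = @(
    '<![LOG[Download of policy batch completed]LOG]!><time="08:15:02.431+000" date="03-14-2017" component="SMS_DMP_DOWNLOADER" context="" type="1" thread="4212" file="dmpdownloader.cpp:210">'
    '<![LOG[Retrying connection to the service endpoint (attempt 2 of 3)]LOG]!><time="08:15:07.118+000" date="03-14-2017" component="SMS_DMP_DOWNLOADER" context="" type="2" thread="4212" file="dmpdownloader.cpp:355">'
    '<![LOG[Failed to connect to the Intune service after 3 attempts]LOG]!><time="08:15:12.902+000" date="03-14-2017" component="SMS_DMP_DOWNLOADER" context="" type="3" thread="4212" file="dmpdownloader.cpp:360">'
)
# Prints two rows, the warning and the error; the information entry is filtered out.
$sampleLog | Get-CMTraceEntry | Format-Table Timestamp, Severity, Message -AutoSize

# Against the real files, in the log folder the chapter gives:
# Get-Content "$env:ProgramFiles\Microsoft Configuration Manager\Logs\Dmpdownloader.log" | Get-CMTraceEntry
```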

You can enable verbose logging for any of the components (but do not forget to turn it off again). Follow these steps:

1. Open the registry on the Configuration Manager server and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\COMPONENTS.

2. Select the subkey of the component for which you need to enable verbose logging.

3. If a DWORD value named Verbose Logging already exists, change its data to the required level.

4. If the value is not there, create it and set its data to the required level.

Table 16.4 lists verbose logging values.

TABLE 16.4 Verbose Logging Values

Value    Definition

0        Default value; displays errors and important information

1        Displays errors, important information, warnings, and general information

2        All logging
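Because a component left at level 2 keeps writing large logs, it helps to script both the change and an audit of what is still verbose. The following is an added example, not code from the chapter; it uses the registry path and the 0/1/2 levels given above and assumes the component subkey names match the component names shown in Component Status.

```powershell
# Added example, not from the chapter: audit and set the Verbose Logging value under the
# registry path and with the 0/1/2 levels the chapter lists. Run elevated on the site server.
# Assumption: component subkey names match the names shown under Monitoring -> System
# Status -> Component Status (for example SMS_DMP_Downloader).
$ComponentsKey = 'HKLM:\SOFTWARE\Microsoft\SMS\COMPONENTS'

# Report every component whose level is above the default, so nothing is left verbose
# once troubleshooting is finished.
function Get-CMVerboseLogging {
    $labels = @{ 0 = 'Default (errors and important information)'
                 1 = 'Errors, important information, warnings, general information'
                 2 = 'All logging' }
    Get-ChildItem -Path $ComponentsKey | ForEach-Object {
        $value = (Get-ItemProperty -Path $_.PSPath -Name 'Verbose Logging' -ErrorAction SilentlyContinue).'Verbose Logging'
        $level = if ($null -eq $value) { 0 } else { [int]$value }   # missing value means default level 0
        [pscustomobject]@{ Component = $_.PSChildName; Level = $level; Meaning = $labels[$level] }
    } | Where-Object { $_.Level -gt 0 }
}

# Create the DWORD value if it is missing, or change its data if it exists (steps 3 and 4).
function Set-CMVerboseLogging {
    param(
        [Parameter(Mandatory)] [string] $Component,
        [Parameter(Mandatory)] [ValidateRange(0, 2)] [int] $Level   # only the levels in Table 16.4
    )
    $path = Join-Path -Path $ComponentsKey -ChildPath $Component
    if (-not (Test-Path -Path $path)) { throw "No component subkey found at $path" }
    Set-ItemProperty -Path $path -Name 'Verbose Logging' -Value $Level -Type DWord
}

# Typical session: raise the level, reproduce the problem and review the log, then reset it.
Set-CMVerboseLogging -Component 'SMS_DMP_Downloader' -Level 2
Get-CMVerboseLogging | Format-Table -AutoSize      # shows which components are still verbose
Set-CMVerboseLogging -Component 'SMS_DMP_Downloader' -Level 0
```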

Viewing Intune Status

To view Intune status, open the Intune Subscription properties. Note the link in the bottom-left corner: Check service status. Clicking this link brings you to the Current Status page, shown in Figure 16.20, where you can see details of any current issues or outages on your tenant. You can access this page directly by using the URL https://status.manage.microsoft.com/StatusPage/ServiceDashboard.

A screenshot shows the Microsoft Intune current service status in a table with Status, Service Instance, and Details indicated as column headings.

FIGURE 16.20 Intune service current status.

NOTE: INTUNE SERVICE DASHBOARD

The Intune Service Dashboard has been migrated to the Office 365 management portal.

Troubleshooting Directory Synchronization

Directory synchronization can be a complex operation with many moving parts, many of which may be out of your control. It is difficult to troubleshoot an issue without full visibility of all the elements.

Several online documents are available to assist you, including the following:

• Troubleshoot Azure AD Connect Installation Issues: https://support.microsoft.com/kb/3121701

• Troubleshoot Connectivity Issues with Azure AD Connect: https://azure.microsoft.com/documentation/articles/active-directory-aadconnect-troubleshoot-connectivity/

Utilizing Microsoft Support for Intune

At the time this book was published, Microsoft offered free support for Intune-related issues—for both trial and production environments.

For urgent issues, you can contact Microsoft by telephone. You can find a full list of local numbers for Intune support in the TechNet library. Local language is supported in most locations, and English is supported in all locations. See https://technet.microsoft.com/library/jj839713.aspx for further information.

For a less urgent issue, you can create an online support request through the Office 365 admin center, at https://portal.office.com. Follow these steps:

1. Navigate to Support -> Service Requests.

2. In the Create a service request page, which presents a list of support options, click More to see more options.

3. Select Mobile Device Management. You are presented with two dropdown boxes to identify the issue.

4. Make a selection in the Feature box. You can choose Intune: Service Administration, for example.

5. Select a symptom. This is a dynamic portal, and different choices are available, depending on the feature you select. You can choose Subscriptions and licenses, for example.

6. In the Issue Summary box, summarize your issue in one sentence.

7. Enter further details in the Issue details box. Click Next to continue. Microsoft provides hyperlinks to some documentation that may assist you.

8. If you still need to create a service request, click Yes, continue.

9. Add further details about the service affected. You can attach log files or screenshots if you wish. Click Next to continue.

10. Confirm your contact details and click Submit request.

Accessing the Microsoft TechNet Forum

The Intune TechNet forum is a useful free troubleshooting tool. You can search for issues similar to yours to see if a solution already exists. Create a new thread if you cannot find a suitable answer. The Microsoft community is very strong in this area, and questions are typically answered very quickly. To use the forum, open an Internet browser and go to https://social.technet.microsoft.com/Forums/home?category=microsoftintune&filter=alltypes&sort=lastpostdesc.

Using the Configuration Manager Hybrid Diagnostics Tool

Microsoft’s System Center Configuration Manager Hybrid Diagnostics tool checks for a number of issues related to Intune integration; Figure 16.21 shows an example. Download the tool from https://www.microsoft.com/download/details.aspx?id=53306.

The current version of the tool performs the following checks:

• Verifies that the SMSExec service is running

• Verifies the service connection point certificate

• Checks for potential conflicts between service connection point certificates

• Verifies the DNS CNAME entry for the specified UPN

• Verifies device type enablement in Configuration Manager

• Looks for known errors in status messages

• Verifies UPN synchronization in Azure AD

• Verifies that the specified user is a member of the cloud user collection

A screenshot shows the System Center Configuration Manager Hybrid Diagnostics dialog box.

FIGURE 16.21 Hybrid Diagnostics tool.

Summary

This chapter described the tasks you need to perform to integrate Configuration Manager and Intune in a hybrid solution. It discussed a number of choices that need to be made during the process.

After providing an overview of Intune, this chapter introduced user identity, including a description of each method to assist with deciding which is right for your organization. The chapter discussed the preparation of AD and Azure AD prior to integration. Remember that Azure AD Connect is now the only recommended tool for directory synchronization.

The integration is relatively straightforward. This chapter showed how to add the service connection point and Intune subscription. Configuring the Intune subscription enables you to customize the Intune company portal on the clients.

Finally, this chapter looked at some useful troubleshooting techniques and showed the values in log files and the status in the Configuration Manager console.

Chapter 17 discusses managing mobile devices. It walks through the enrollment of each of the device types and then shows the management possibilities provided by the Intune-integrated hybrid solution.

Chapter 17 also focuses on Windows 10. Windows 10 mobile and desktop devices can be enrolled for MDM management using the Intune hybrid integration. Standalone Intune also provides computer management with the Intune client. However, if possible, the authors recommend managing Windows 10 desktops using the full ConfigMgr client, as it provides a more comprehensive management experience.
