This article is the first part of a series concerning mobile management using SCCM 2012 and Windows Intune.
- Part 1: Configure Windows Intune connector in SCCM 2012 SP1
- Part 2: Configure SCCM 2012 for iOS devices
- Part 3: Deploy an application on iOS devices with SCCM 2012 SP1
- Part 4: Managing Mobile device configuration with SCCM 2012 SP1
- Part 5: Getting reports on Mobile devices with SCCM 2012 SP1
In this first part, I'm going to show you how to configure Windows Intune and System Center Configuration Manager 2012 SP1 to communicate with each other.
PART 1 - CONFIGURE WINDOWS INTUNE CONNECTOR IN SCCM 2012 SP1
1. Prepare your Windows Intune environment
First of all, you need a Windows Intune environment. You can sign up for an account at Windows Intune.
For later sessions, you can open:
- https://account.manage.microsoft.com to access the Windows Intune administrator console
- https://admin.manage.microsoft.com to access the Windows Intune technical console
Select the Domains section and click on Add a domain
Add your domain name
Following the instructions, create a TXT record or an MX record on your public DNS.
Note: with some registrars (OVH in my case), you create the @ host simply by leaving the record "host" field blank.
While you are modifying your DNS, also create a DNS alias (CNAME record) that redirects EnterpriseEnrollment.<company domain name> to manage.microsoft.com.
Here is what I get for my own domain.
Click on Verify
Your domain is now allowed in your console :o)
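Before clicking Verify, it is worth checking from the outside that the records have actually propagated. The script below is an added example, not part of the original post: it uses Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later) with the post's own domain and CNAME target; the TXT verification value is a placeholder you must replace with the value the Intune portal displayed for your domain, and the MX check only confirms that a record exists, since the exact MX value is not given in the post.

```powershell
# Added example (not from the original post): verify the public DNS records this step
# requires. Assumes Resolve-DnsName (DnsClient module) and Internet access.
$Domain         = 'nomizo.fr'                       # the post's public domain
$ExpectedTarget = 'manage.microsoft.com'            # CNAME target required by Intune
$VerifyTxt      = 'MS=<value-from-intune-portal>'   # placeholder: copy the real value from the portal

$results = [ordered]@{}

# 1. EnterpriseEnrollment.<domain> must be a CNAME pointing at manage.microsoft.com
try {
    $cname = Resolve-DnsName -Name "EnterpriseEnrollment.$Domain" -Type CNAME -ErrorAction Stop |
             Where-Object { $_.Type -eq 'CNAME' }
    $results['EnterpriseEnrollment CNAME'] = ($cname.NameHost -contains $ExpectedTarget)
} catch {
    $results['EnterpriseEnrollment CNAME'] = $false
}

# 2a. Domain-verification record, TXT method: a TXT record at the zone apex (the "@" host)
try {
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
           Where-Object { $_.Type -eq 'TXT' }
    $results['Verification TXT'] = [bool]($txt | Where-Object { $_.Strings -contains $VerifyTxt })
} catch {
    $results['Verification TXT'] = $false
}

# 2b. Domain-verification record, MX method: only checks that an MX record exists at the apex
try {
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
          Where-Object { $_.Type -eq 'MX' }
    $results['Verification MX present'] = (@($mx).Count -gt 0)
} catch {
    $results['Verification MX present'] = $false
}

# Print the check list; Verify in the Intune portal only succeeds once the rows it needs are True.
$results.GetEnumerator() | ForEach-Object { '{0,-28} {1}' -f $_.Key, $_.Value }
```

Run it from a machine that uses public resolvers rather than your internal DNS, otherwise you may be looking at an internal zone that Intune never sees.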
Note: no public domain, or no access to your DNS console?
In this case, don't add a domain in Windows Intune. Instead, in the next step, use your Azure domain (JTTLAB.onmicrosoft.com in my case) as the alternative UPN suffix. That's not great in production, but it works for a demo. :o)
In all cases, the user principal name (UPN) in Azure must exactly match the one in SCCM.
2. Prepare your Active Directory
If your public domain name is not identical to your Active Directory domain, you must create an alternative UPN suffix. This step is not mandatory if you use Intune in cloud-only mode. However, if you want to connect SCCM 2012 and Intune (hybrid mode), this step is mandatory.
In my case, my public domain is nomizo.fr and my Active Directory domain is sc.lab.
Open the Active Directory Domains and Trusts Console
Select the root item and open properties
Add your public domain name
You now need to change the UPN of all your users.
In this lab, I use testUser1 and testUser2. To show you why it's so important to change the UPN suffix, I will intentionally leave the testUser2 UPN suffix at its default value (the Active Directory domain).
Open the user's properties and change the UPN in the Account tab.
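Doing this by hand works for two lab users; for a real population you want it scripted, and above all you want a report of every account still on the default suffix, because each of them will silently fail to match in Intune exactly as testUser2 is about to. The script below is an added example, not part of the original post: it assumes the ActiveDirectory RSAT module, Enterprise Admins rights for the forest-level suffix change, and uses the post's values (forest sc.lab, public domain nomizo.fr, accounts testUser1 and testUser2).

```powershell
# Added example (not from the original post): register the public domain as an alternative
# UPN suffix, move the selected users onto it, then report every enabled user still on a
# different suffix. Assumes the ActiveDirectory module and Enterprise Admins rights.
Import-Module ActiveDirectory

$ForestName   = 'sc.lab'         # Active Directory forest root (from the post)
$PublicSuffix = 'nomizo.fr'      # public domain verified in Windows Intune (from the post)
$LabUsers     = @('testUser1')   # testUser2 is deliberately left on sc.lab, as in the post

# 1. Register the alternative UPN suffix at the forest level
#    (same result as AD Domains and Trusts > root item > Properties).
$forest = Get-ADForest -Identity $ForestName
if ($forest.UPNSuffixes -notcontains $PublicSuffix) {
    Set-ADForest -Identity $ForestName -UPNSuffixes @{Add = $PublicSuffix}
}

# 2. Rewrite the UPN of the selected users as <sAMAccountName>@<public suffix>.
foreach ($sam in $LabUsers) {
    $user   = Get-ADUser -Identity $sam -Properties UserPrincipalName
    $newUpn = '{0}@{1}' -f $user.SamAccountName, $PublicSuffix
    if ($user.UserPrincipalName -ne $newUpn) {
        Set-ADUser -Identity $user -UserPrincipalName $newUpn
    }
}

# 3. Audit: every enabled user whose UPN suffix is not the public one.
#    These are the accounts Intune will not match against SCCM's allowed-users collection.
Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object {
        -not $_.UserPrincipalName -or
        ($_.UserPrincipalName -split '@')[1] -ne $PublicSuffix
    } |
    Select-Object SamAccountName, UserPrincipalName |
    Format-Table -AutoSize
```

In this lab the audit lists testUser2, which is the expected result; in production, an empty audit is what you want before you create the subscription.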
3. Create Users in Windows Intune
You can synchronize your Active Directory (your whole domain or only some OUs) with the Azure directory thanks to DirSync: http://technet.microsoft.com/en-us/library/hh967629.aspx
(Demo in a next article)
For a demo, you can create users manually or with a bulk import.
Open the Windows Intune administrator console
Select the Users tab and click on New > User
Provide the Display Name and User Name
Specify your domain name as the UPN suffix
You must specify the user's country for licensing reasons. This doesn't prevent your users from travelling around the world.
In Windows Intune cloud-only mode, only users in the Windows Intune group are allowed to manage and enroll their mobile devices. In mixed mode (SCCM + Windows Intune), the list of allowed users is managed in an SCCM collection (see next chapter).
You can have the user credentials sent to you by email.
Here is the temporary password of the user.
As in my own Active Directory, I now have two users in Windows Intune: testUser1 and testUser2.
4. Prepare SCCM environment
In the Assets and Compliance workspace, create a new collection that will contain the users allowed to enroll (and manage) their mobile devices.
Just remember that testUser1 is properly configured and testUser2 is not.
5. Create the Windows Intune subscription
In the Configuration Manager console, open the Administration workspace
Expand Hierarchy Configuration and select Windows Intune Subscriptions.
Click on Create Windows Intune Subscription
Click on Next
Provide your Windows Intune credentials
Select Allow the Configuration Manager console to manage this subscription
Specify the collection you previously created that contains users allowed to enroll their devices
Provide additional information
Specify the site code for device assignment (in SCCM console, mobile devices will appear with this site code)
Simply click on Next
Each platform will be detailed in other posts
Click on Next
Click on Close
You now have your Windows Intune subscription!
In the Servers and Site System Roles folder, notice that you now have a new Distribution Point in the cloud (a new feature in SCCM 2012 SP1), where you will deploy the application sources for mobile devices.
6. Create the Windows Intune Connector Site System Role
Now that your Windows Intune subscription is created, we just have to install the role in charge of communications with Windows Intune.
In the Administration workspace, expand Site Configuration and select Servers and Site System Roles
Select a server and click on Add Site System Roles
Click on Next
If needed, provide Proxy settings
Select Windows Intune Connector
Click on Next
Click on Close
In the Windows Intune technical console, under Administration > Administration Management > Mobile Device Management, notice that:
- the mobile device management authority is set to Configuration Manager
- the task to set the authority is no longer available
7. Watch Logs
Among the SCCM 2012 logs for Windows Intune (see http://technet.microsoft.com/en-us/library/hh427342.aspx#BKMK_WITLog), you can look at:
Sitecomp.log, which contains information about role installation (especially the Intune connector)
cloudusersync.log, which contains information about the synchronization of the users allowed to enroll their mobile devices. That log file is located on the server hosting the Windows Intune connector.
Every 5 minutes, SCCM tries to update the allowed users list in Windows Intune.
In this log file, we can understand why testUser1 is authorized in Windows Intune and testUser2 is not.
You can also look at Dmpuploader.log for the synchronization exchanges.
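Reading these logs in CMTrace is fine interactively, but when you are chasing one user through a log that rotates every five minutes it helps to parse the lines. The script below is an added example, not part of the original post: it parses the CMTrace line layout that SCCM writes (`<![LOG[message]LOG]!><time=... date=... component=... type=...>`) and filters entries mentioning the post's two users. The three sample lines are constructed for this example; only their layout matches the real format, the message text in your cloudusersync.log will differ, and the log path at the end is a placeholder.

```powershell
# Added example (not from the original post): parse CMTrace-format log lines and pull the
# entries that mention a given user. The sample lines are constructed; real messages differ.
$SampleLog = @'
<![LOG[Starting user sync cycle]LOG]!><time="10:05:01.123+000" date="03-12-2013" component="CloudUserSync" context="" type="1" thread="4120" file="sample.cpp:1">
<![LOG[User testUser1@nomizo.fr added to cloud user list]LOG]!><time="10:05:02.456+000" date="03-12-2013" component="CloudUserSync" context="" type="1" thread="4120" file="sample.cpp:2">
<![LOG[User testUser2@sc.lab skipped: UPN suffix not verified in cloud]LOG]!><time="10:05:02.789+000" date="03-12-2013" component="CloudUserSync" context="" type="2" thread="4120" file="sample.cpp:3">
'@

# One regex for the CMTrace layout: <![LOG[message]LOG]!><time=".." date=".." component=".." ... type="N" ...>
$CmTracePattern = '<!\[LOG\[(?<message>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<component>[^"]+)"[^>]*type="(?<type>\d)"'

function ConvertFrom-CmTraceLine {
    param([string]$Line)
    if ($Line -match $CmTracePattern) {
        [pscustomobject]@{
            Date      = $Matches.date
            Time      = ($Matches.time -split '\+|-')[0]   # drop the UTC offset suffix
            Component = $Matches.component
            Severity  = switch ($Matches.type) { '1' { 'Info' } '2' { 'Warning' } '3' { 'Error' } default { 'Unknown' } }
            Message   = $Matches.message
        }
    }
}

# Parse every line of the sample, then filter on the users from the post.
$entries = $SampleLog -split "`r?`n" | Where-Object { $_ } | ForEach-Object { ConvertFrom-CmTraceLine $_ }

foreach ($user in 'testUser1', 'testUser2') {
    "--- entries mentioning $user ---"
    $entries | Where-Object { $_.Message -match [regex]::Escape($user) } |
        Format-Table Date, Time, Severity, Message -AutoSize
}

# Against the real file on the connector site system (placeholder path, adjust to your install):
# $entries = Get-Content '<SCCM install dir>\Logs\cloudusersync.log' | ForEach-Object { ConvertFrom-CmTraceLine $_ }
```

Filtering on severity (type 2 and 3 entries) rather than on a user name is the quickest way to spot a connector that is failing every cycle.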
In my next post, I will show you how to configure SCCM 2012 for iOS devices.
See you soon
Julien