System Center 2012 R2 Configuration Manager: Integrate Windows Intune

Mobile devices are a big problem for every company because a smartphone is not a computer on which the IT admin can create policies and limit the “power range” of users and devices. With System Center 2012 Configuration Manager it is possible to manage mobile devices thanks to Windows Intune, Microsoft’s MDM.

Windows Intune is a standalone solution, so you can use it without installing SCCM, but if you have Configuration Manager and the requirement is to manage smartphones and tablets as well, you must connect it with Intune.

The procedure is not too complicated, but there are many steps. The first one is to enable the connection between Intune and SCCM; this is done from the Administration pane -> Cloud Services -> Windows Intune Subscriptions. From the ribbon bar, click Add Windows Intune Subscriptions as shown in figure 1.

Figure 1 – Add New Windows Intune Subscriptions

Note: in my case I have already added the subscription; remember that it is not possible to add more than one subscription. Another important detail: you must have a subscription in Windows Intune.

Insert your credentials and accept the conditions. Be careful: once you accept the conditions, the Intune subscription will be enabled only to accept connections from Configuration Manager. This means that you will not be able to use Windows Intune as a standalone solution if you later plan to remove the connection with SCCM!

Insert the name of your organization and the source site code, then close the wizard. Before opening the subscription properties, it is necessary to request a new APN certificate from Apple if you want to manage iOS-based devices. The request is free and requires only an Apple ID; after downloading the certificate, re-open the subscription properties, as shown in figure 2.

Figure 2 – Subscription Details

Here you can enable the OS platforms you want to manage. For Android it is very easy because you only need to check a box; for iOS you need to add the certificate downloaded from Apple’s web site. It is a little more difficult for Windows Phone and Windows RT because, to publish and manage those devices, a certificate from Symantec is required (300$ per year!). I think this is a big limitation, because not every company wants to pay 300 dollars every year only to manage a device.

For those who want to try managing Windows Phone, there is a Support Tool for Windows Intune, downloadable from this link: , where you can generate a trial certificate.

The second step is to add the Windows Intune Connector from the Site Roles section, as shown in figure 3.

Figure 3 – Add Windows Intune Connector Role

Now it’s time to move into your Windows Intune subscription! In order to use SCCM and Intune correctly, it is necessary to integrate your Active Directory structure with Azure Active Directory: this is a requirement because the Company Portal app authenticates users against Intune, so your internal accounts must also exist in Azure AD.

From the Admin Portal, go to the Users section and enable Active Directory integration. Synchronization is provided by Microsoft Azure DirSync (based on Forefront Identity Manager), so you must download and install the software, preferably on a dedicated machine, as shown in figure 4. Setup is fast: you only have to insert the Azure credentials and the Domain Admin credentials. By default all objects are synchronized, but there is an unofficial way to restrict which containers are analyzed.

Figure 4 – DirSync Setup

After 24 hours, more or less, you will see your users in Azure AD as well, as shown in figure 5. As you can see, synchronized users have a different icon next to the name.

Figure 5 – Users List

One of the last steps is to add the public UPN domain to your Active Directory. This operation is required only if your local domain is different from the public one: in my case my internal domain is insidetechnologies.lcl and my public domain is

To add the new UPN suffix, open Active Directory Domains and Trusts as shown in figure 6.

Figure 6 – New UPN Domain

After adding the UPN domain, it is very important to also change the UPN of the users who need to use the Intune service.
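The same two operations (registering the public UPN suffix in the forest and moving the Intune users' UPN onto it) can be scripted instead of clicking through Active Directory Domains and Trusts and each user's properties. The following PowerShell is an added example, not part of the original post or of any Microsoft tooling; it uses the ActiveDirectory module from RSAT and assumes that the users who will enrol with Intune are members of a group named "Intune Users" and that the public domain (cut off in the post) is replaced with your own verified domain:

```powershell
# Added example (not from the original post): register a public UPN suffix in the
# forest and switch the Intune users' UPN to it. Needs the ActiveDirectory module
# (RSAT) and Enterprise Admin rights for the forest-level change.
Import-Module ActiveDirectory

# The post's internal domain is insidetechnologies.lcl; the public domain is a
# placeholder (assumption) and must be replaced with your own verified domain.
$InternalSuffix = 'insidetechnologies.lcl'
$PublicSuffix   = 'PUBLIC-DOMAIN-PLACEHOLDER.example'

# Assumption: the users to move are members of this group.
$IntuneGroup = 'Intune Users'

# Step 1: add the public suffix to the forest if it is not already registered
# (this is what figure 6 does through the GUI).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $PublicSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $PublicSuffix}
    Write-Host "Added UPN suffix $PublicSuffix to forest $($forest.Name)"
}

# Step 2: change the UPN only for the users who need Intune, leaving everyone
# else on the internal suffix. SamAccountName is kept as the UPN prefix.
$intuneUsers = Get-ADGroupMember -Identity $IntuneGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties UserPrincipalName

foreach ($user in $intuneUsers) {
    $newUpn = '{0}@{1}' -f $user.SamAccountName, $PublicSuffix
    if ($user.UserPrincipalName -ne $newUpn) {
        Set-ADUser -Identity $user -UserPrincipalName $newUpn
        Write-Host ('{0}: {1} -> {2}' -f $user.SamAccountName, $user.UserPrincipalName, $newUpn)
    }
}

# Step 3: verification - list any group member still on the internal suffix.
# An empty result means every Intune user now carries the public UPN.
Get-ADGroupMember -Identity $IntuneGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -like "*@$InternalSuffix" } |
    Select-Object SamAccountName, UserPrincipalName
```

Run it first with `-WhatIf` appended to the `Set-ADForest` and `Set-ADUser` calls to review the changes, since a UPN change alters the name users sign in with and will be carried to Azure AD by the next DirSync cycle.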

Last step: enable the users from the Intune web site! To do this, click on the user and check Windows Intune, as shown in figure 7.

Figure 7 – Enable User in Windows Intune

It’s time to test it! Take an Android or iOS device, download the Company Portal app from the store, insert the domain credentials and wait a few seconds; if everything is right you will receive a message asking you to accept the new rules provided by Intune. On iOS you will also be required to install the Management Portal.

Go back to the SCCM console and open the Device List to see the new devices, as shown in figure 8.

Figure 8 – Mobile Devices Available

Finished! Now it is possible to deploy software to your devices and create specific configuration rules, like Email Profiles (only for iOS and WP), VPN Profiles, WiFi Profiles and much more!

Try Windows Intune for 30 days:

Try System Center 2012 R2 Configuration Manager: