Friday, 1 March 2013

[SCCM 2012 & Intune] Mobile management - Part 1: Configure Windows Intune connector in SCCM 2012 SP1


This article is the first part of a series concerning mobile management using SCCM 2012 and Windows Intune.



In this first part, I'm going to show you how to configure Windows Intune and System Center Configuration Manager 2012 SP1 to communicate with each other.

PART 1 - CONFIGURE WINDOWS INTUNE CONNECTOR IN SCCM 2012 SP1


1. Prepare your Windows Intune environment
First of all, you need a Windows Intune environment. You can sign up for an account at Windows Intune.
For subsequent logins, you can open:
 -  https://account.manage.microsoft.com to access the Windows Intune administrator console
 -  https://admin.manage.microsoft.com to access the Windows Intune technical console

Select the Domains section and click on Add a domain


Add your domain name

Following the instructions, create a TXT record or an MX record on your public DNS.
Note: With some registrars (OVH in my case), you create the @ host simply by leaving the "host" field of the record blank.

While you are modifying your DNS, create a DNS alias (CNAME record) that points EnterpriseEnrollment.<company domain name> to manage.microsoft.com.


Here is what I get for my own domain.


Click on Verify


Your domain is now allowed in your console :o)
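Here is an added example (not part of the original post) that checks the two DNS records above from PowerShell before you click Verify. The $Domain and $ExpectedTxt parameters are assumptions; $ExpectedTxt is a placeholder for the value your own Intune Domains page shows, and the machine must use a resolver that sees public DNS.

```powershell
# Added example, not from the original post. Checks the public DNS records Windows
# Intune relies on: the TXT (or MX) ownership proof at the zone apex and the
# EnterpriseEnrollment CNAME used by device enrollment. Requires the DnsClient
# module (Windows 8 / Server 2012 or later) and a resolver that sees public DNS.
param(
    [Parameter(Mandatory = $true)] [string] $Domain,   # your public domain, e.g. nomizo.fr
    [string] $ExpectedTxt = 'PLACEHOLDER-value-from-your-Intune-Domains-page'
)

$ExpectedEnrollTarget = 'manage.microsoft.com'
$problems = @()

# 1. Ownership proof at the apex ("@" host). TXT is compared to the expected value;
#    if you chose the MX variant instead, the MX records are listed for manual comparison.
$txt = Resolve-DnsName -Name $Domain -Type TXT -DnsOnly -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'TXT' }
$txtMatch = $txt | Where-Object { ($_.Strings -join '') -eq $ExpectedTxt }
if (-not $txtMatch) {
    $problems += "No TXT record with the expected value found at $Domain."
    Resolve-DnsName -Name $Domain -Type MX -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'MX' } |
        ForEach-Object { Write-Output ("MX found: {0} (pref {1})" -f $_.NameExchange, $_.Preference) }
}

# 2. Enrollment alias: EnterpriseEnrollment.<domain> must be a CNAME to manage.microsoft.com.
$enrollName = "EnterpriseEnrollment.$Domain"
$cname = Resolve-DnsName -Name $enrollName -Type CNAME -DnsOnly -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
if (-not $cname) {
    $problems += "$enrollName has no CNAME record."
} elseif ($cname.NameHost.TrimEnd('.') -ne $ExpectedEnrollTarget) {
    $problems += "$enrollName points to '$($cname.NameHost)' instead of $ExpectedEnrollTarget."
}

# 3. Report. A freshly created record may not have propagated yet, so re-run after
#    the zone's TTL before concluding that the record itself is wrong.
if ($problems.Count -eq 0) {
    Write-Output "DNS looks good for $Domain; you can click Verify in the Intune console."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```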



Note: No public domain, or no access to your DNS console?
In that case, don't add a domain in Windows Intune. Instead, in the next step, use your Azure domain (JTTLAB.onmicrosoft.com in my case) as the alternative UPN suffix. That's not great for production, but it works for a demo. :o)
In all cases, the user principal name in Azure must exactly match the one in SCCM.



2. Prepare your Active Directory

If your public domain name is not identical to your Active Directory domain, you must create an alternative UPN suffix. This step is not mandatory if you use Intune in cloud-only mode. However, if you want to connect SCCM 2012 and Intune (hybrid mode), it is mandatory.
In my case, my public domain is nomizo.fr and my Active Directory domain is sc.lab.

Open the Active Directory Domains and Trusts console

Select the root item and open its Properties


Add your public domain name





You now need to change the UPN of all your users.
In this lab, I use testUser1 and testUser2. To show you why changing the UPN suffix matters so much, I will intentionally leave testUser2's UPN suffix at its default value (the Active Directory domain).


Open the user's properties and change the UPN in the Account tab.
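The same two steps (forest UPN suffix, then per-user UPN) scripted in PowerShell, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module, uses the author's domain names (public nomizo.fr, AD domain sc.lab), and the OU in $SearchBase and the -Apply switch are placeholders of mine; without -Apply it only shows what it would change.

```powershell
# Added example, not from the original post. Registers the public domain as an
# alternative UPN suffix on the forest and rewrites users' UPNs to use it, which is
# what the Domains and Trusts and user properties dialogs do by hand.
# Assumes the RSAT ActiveDirectory module; the OU below is a placeholder to adapt.
param(
    [string] $PublicSuffix = 'nomizo.fr',               # the author's public domain
    [string] $SearchBase   = 'OU=LabUsers,DC=sc,DC=lab', # placeholder OU in the sc.lab domain
    [switch] $Apply                                      # without it, everything runs with -WhatIf
)
Import-Module ActiveDirectory

# Step 1: add the alternative UPN suffix to the forest if it is not already there.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $PublicSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $PublicSuffix } -WhatIf:(-not $Apply)
}

# Step 2: give every user in the OU a UPN of <sAMAccountName>@<public suffix>.
# The UPN is the identity matched against the user in Azure, so it must be identical on both sides.
$users = Get-ADUser -Filter * -SearchBase $SearchBase
foreach ($u in $users) {
    $newUpn = '{0}@{1}' -f $u.SamAccountName, $PublicSuffix
    if ($u.UserPrincipalName -ne $newUpn) {
        Write-Output ("{0}: {1} -> {2}" -f $u.SamAccountName, $u.UserPrincipalName, $newUpn)
        Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf:(-not $Apply)
    }
}

# Step 3: report accounts whose suffix still differs from the Intune domain (the AD
# domain by default). In what-if mode this is the list step 2 would fix; an account
# left like this on purpose, as testUser2 is in this lab, will be refused by the user sync.
Get-ADUser -Filter * -SearchBase $SearchBase |
    Where-Object { ($_.UserPrincipalName -split '@')[-1] -ne $PublicSuffix } |
    Select-Object SamAccountName, UserPrincipalName
```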




3. Create Users in Windows Intune

You can synchronize your Active Directory (your whole domain or only some OUs) with the Azure directory using DirSync: http://technet.microsoft.com/en-us/library/hh967629.aspx
(Demo in a future article)

For a demo, you can create users manually or with a bulk import.

Open the Windows Intune administrator console
Select the Users tab and click on New > User


Provide a Display Name and a User Name
Specify your domain name as the UPN suffix


You must specify the user's country for licensing reasons. This doesn't prevent your users from travelling around the world.


In Windows Intune cloud-only mode, only users in the Windows Intune group are allowed to enroll and manage their mobile devices. In mixed mode (SCCM + Windows Intune), the list of allowed users is managed in an SCCM collection (see next section).


You can have the user's credentials sent to you by email.


Here is the temporary password of the user.


As in my own Active Directory, I now have two users in Windows Intune: testUser1 and testUser2.





4. Prepare SCCM environment

In the Assets and Compliance workspace, create a new user collection that will contain the users allowed to enroll (and manage) their mobile devices.






Just remember that testUser1 is properly configured (public UPN suffix) and testUser2 is not.





5. Create the Windows Intune subscription

In the Configuration Manager console, open the Administration workspace.
Expand Hierarchy Configuration and select Windows Intune Subscriptions.
Click on Create Windows Intune Subscription.

Click on Next

Click on Sign In

Provide your Windows Intune credentials

Select Allow the Configuration Manager console to manage this subscription

Specify the collection you previously created, which contains the users allowed to enroll their devices
Provide the additional information
Specify the site code for device assignment (in the SCCM console, mobile devices will appear under this site code)


Simply click on Next
Each platform will be detailed in later posts


Click on Next


Click on Close


You now have your Windows Intune subscription!


In the Servers and Site System Roles node, notice that you now have a new cloud distribution point (a new feature in SCCM 2012 SP1), to which you will deploy the application sources for mobile devices.




6. Create the Windows Intune Connector Site System Role

Now that your Windows Intune subscription is created, we just have to install the site system role in charge of communication with Windows Intune.

In the Administration workspace, expand Site Configuration and select Servers and Site System Roles.
Select a server and click on Add Site System Roles.


Click on Next

If needed, provide the proxy settings


Select Windows Intune Connector


Click on Next


Click on Close


In the Windows Intune technical console, under Administration > Administration Management > Mobile Device Management, you can notice that:
 - the mobile device management authority is set to Configuration Manager
 - the task to set the authority is no longer available




7. Watch Logs
Among the SCCM 2012 logs related to Windows Intune (see http://technet.microsoft.com/en-us/library/hh427342.aspx#BKMK_WITLog), you can look at:

Sitecomp.log, which contains information about role installation (in particular the Windows Intune connector)



cloudusersync.log, which contains information about the synchronization of the users allowed to enroll their mobile devices. That log file is located on the server hosting the Windows Intune connector.
Every 5 minutes, SCCM tries to update the allowed users list in Windows Intune.


In this log file, we can see why testUser1 is authorized in Windows Intune and testUser2 is not (its UPN suffix does not match the Intune domain).


You can also look at Dmpuploader.log for synchronization exchanges.



In my next post, I will show you how to configure SCCM 2012 for iOS devices.



See you soon
Julien
