Friday, March 1, 2013

[SCCM 2012 & Intune] Mobile management - Part 1: Configure Windows Intune connector in SCCM 2012 SP1


This article is the first part of a series concerning mobile management using SCCM 2012 and Windows Intune.



In the 1st part, I'm going to show you how to configure Windows Intune and System Center Configuration Manager 2012 SP1 to communicate.

PART 1 - CONFIGURE WINDOWS INTUNE CONNECTOR IN SCCM 2012 SP1


1. Prepare your Windows Intune environment
First of all, you need a Windows Intune environment. You can sign up for an account at Windows Intune.
For later sign-ins, you can open:
 -  https://account.manage.microsoft.com to access the Windows Intune administrator console
 -  https://admin.manage.microsoft.com to access the Windows Intune technical console

Select the Domains section and click on Add a domain


Add your domain name

Following the instructions, create a TXT record or an MX record on your public DNS.
Note: With some registrars (OVH in my case), you create a @ host simply by leaving the record "host" blank.

While you are modifying your DNS, create a DNS alias (CNAME record type) that redirects EnterpriseEnrollment.<company domain name> to manage.microsoft.com.


Here is what I get for my own domain.
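Before clicking Verify, the records can be checked from PowerShell against a public resolver, so that internal split DNS does not mask a missing public record. This is an added example, not part of the original article; the function name `Test-IntuneDnsRecords` and the resolver address are assumptions.

```powershell
# Added example (not from the original article).
# Requires Resolve-DnsName (Windows 8 / Windows Server 2012 or later).
function Test-IntuneDnsRecords {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,  # public domain added in Windows Intune
        [string]$Resolver = '8.8.8.8'                    # assumption: any public resolver works
    )

    $alias  = "EnterpriseEnrollment.$Domain"
    $target = 'manage.microsoft.com'

    # Enrollment alias: must be a CNAME pointing at manage.microsoft.com
    $cname = Resolve-DnsName -Name $alias -Type CNAME -Server $Resolver -DnsOnly `
                 -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'CNAME' }
    $cnameOk = [bool]($cname | Where-Object { $_.NameHost.TrimEnd('.') -eq $target })

    # Domain verification: list the TXT and MX records at the domain root so they
    # can be compared with the value shown in the Windows Intune console
    $txt = Resolve-DnsName -Name $Domain -Type TXT -Server $Resolver -DnsOnly `
               -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'TXT' }
    $mx  = Resolve-DnsName -Name $Domain -Type MX -Server $Resolver -DnsOnly `
               -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'MX' }

    [pscustomobject]@{
        Alias       = $alias
        CnameTarget = ($cname.NameHost -join ', ')
        CnameOk     = $cnameOk
        TxtRecords  = @($txt | ForEach-Object { $_.Strings -join '' })
        MxRecords   = @($mx  | ForEach-Object { $_.NameExchange })
    }
}

# nomizo.fr is the public domain used in this article
Test-IntuneDnsRecords -Domain 'nomizo.fr'
```

`CnameOk` is False both when the alias does not exist and when it points somewhere else; `CnameTarget` shows which of the two it is.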


Click on Verify


Your domain is now allowed in your console :o)



Note: You don't have a public domain or access to your DNS console?
In this case, don't add a domain in Windows Intune. However, in the next step, use your Azure domain (JTTLAB.onmicrosoft.com in my case) as the alternative UPN suffix. That's not great in production, but that works for a demo. :o)
In all cases, the user principal name in Azure must exactly match the one in SCCM.



2. Prepare your Active Directory

If your public domain name is not identical to your Active Directory domain, you must create an alternative UPN suffix. This step is not mandatory if you use Intune in Cloud only mode. However, if you want to connect SCCM 2012 and Intune (hybrid mode), that step is mandatory.
In my case, my public domain is nomizo.fr and my Active Directory domain is sc.lab.

Open the Active Directory Domains and Trusts Console

Select the root item and open properties


Add your public domain name





You now need to change the UPN of all your users.
In this lab, I use testUser1 and testUser2. To show you why it's so important to change the UPN suffix, I will intentionally leave testUser2's UPN suffix at its default value (Active Directory domain).


Open each user's properties and change the UPN in the Account tab.
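For more than a couple of users, the same change can be scripted. The following PowerShell is an added example, not part of the original article: it registers the suffix at forest level, then lists (and with `-WhatIf` removed, updates) every user in an OU whose UPN does not end with the public suffix. It assumes the ActiveDirectory module is installed; the function name `Set-PublicUpnSuffix` and the OU `OU=Staff,DC=sc,DC=lab` are hypothetical.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Set-PublicUpnSuffix {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$PublicSuffix,  # e.g. nomizo.fr
        [Parameter(Mandatory = $true)][string]$SearchBase     # OU to process
    )

    # The suffix must be registered at forest level before users can carry it.
    $forest = Get-ADForest
    if ($forest.UPNSuffixes -notcontains $PublicSuffix) {
        if ($PSCmdlet.ShouldProcess($forest.Name, "Add UPN suffix $PublicSuffix")) {
            Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $PublicSuffix }
        }
    }

    # Users whose UPN is empty or still ends with the internal domain (the testUser2 case).
    $users = Get-ADUser -SearchBase $SearchBase -Filter * -Properties UserPrincipalName |
             Where-Object { $_.UserPrincipalName -notlike "*@$PublicSuffix" }

    foreach ($user in $users) {
        # Keep the existing prefix; fall back to sAMAccountName when the UPN is empty.
        $prefix = $user.SamAccountName
        if ($user.UserPrincipalName) { $prefix = ($user.UserPrincipalName -split '@')[0] }
        $newUpn = '{0}@{1}' -f $prefix, $PublicSuffix

        # Skip and report if another account already holds the target UPN.
        $clash = Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'"
        if ($clash) {
            Write-Warning "$($user.SamAccountName): $newUpn is already used by $($clash.SamAccountName)"
            continue
        }

        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Set UPN to $newUpn")) {
            Set-ADUser -Identity $user -UserPrincipalName $newUpn
        }
        [pscustomobject]@{
            User   = $user.SamAccountName
            OldUpn = $user.UserPrincipalName
            NewUpn = $newUpn
        }
    }
}

# Dry run against a hypothetical OU in the article's lab domain (sc.lab)
Set-PublicUpnSuffix -PublicSuffix 'nomizo.fr' -SearchBase 'OU=Staff,DC=sc,DC=lab' -WhatIf
```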




3. Create Users in Windows Intune

You can synchronize your Active Directory (all your domain or only some OU) with the Azure Directory thanks to DirSync. http://technet.microsoft.com/en-us/library/hh967629.aspx
(Demo in an upcoming article)

For a demo, you can create users manually or with a bulk import.

Open the Windows Intune administrator console
Select the Users tab and Click on New > User


Provide Display Name and User Name
Specify your domain name as UPN suffix


You must specify the country of the user for licensing reasons. This doesn't prevent your users from traveling around the world.


In Windows Intune cloud-only mode, only users in the Windows Intune group are allowed to enroll and manage their mobile devices. In mixed mode (SCCM + Windows Intune), the list of allowed users is managed in an SCCM collection (see next chapter).


You can receive the user credentials by email.


Here is the temporary password of the user.


As in my own Active Directory, I now have two users in Windows Intune: testUser1 and testUser2.





4. Prepare SCCM environment

In the Assets and Compliance tab, create a new collection that will contain the users allowed to enroll (and to manage) their mobile devices.






Just remember that testUser1 is properly configured and testUser2 is not.





5. Create the Windows Intune subscription

In the Configuration Manager console, open the Administration workspace
Expand Hierarchy Configuration and select Windows Intune Subscriptions.
Click on Create Windows Intune Subscription

Click on Next

Click on Sign In

Provide your Windows Intune credentials
  
Select Allow the Configuration Manager console to manage this subscription

Specify the collection you previously created that contains users allowed to enroll their devices
Provide additional information
Specify the site code for device assignment (in SCCM console, mobile devices will appear with this site code)


Simply click on Next
Each platform will be detailed in other posts


Click on Next


Click on Close


You now have your Windows Intune Subscription!


In Servers and Site System Roles folder, notice that you've now got a new Distribution Point in the cloud (new feature in SCCM 2012 SP1) where you will deploy the application sources for mobile devices.




6. Create the Windows Intune Connector Site System Role

Now that your Windows Intune subscription is created, we just have to install the role in charge of communications with Windows Intune.

In the Administration workspace, expand Site Configuration and select Servers and Site System Roles
Select a server and click on Add Site System Roles


Click on Next

If needed, provide Proxy settings


Select Windows Intune Connector


Click on Next


Click on Close


In the Windows Intune technical console, under Administration > Administration Management > Mobile Device Management, you can see that:
 - Mobile device management authority is set to Configuration Manager
 - The task to set the authority is no longer available




7. Watch Logs
Among the logs in SCCM 2012 for Windows Intune (see http://technet.microsoft.com/en-us/library/hh427342.aspx#BKMK_WITLog), you can look at:

Sitecomp.log, which contains information about role installation (especially for the Intune connector)



 


cloudusersync.log, which contains information about the synchronization of the users allowed to enroll their mobile devices. That log file is located on the server with the Windows Intune connector.
Every 5 minutes, SCCM tries to update the allowed users list in Windows Intune.


This log file shows why testUser1 is authorized in Windows Intune and testUser2 is not.


You can also look at Dmpuploader.log for synchronization exchanges.



In my next post, I will show you how to configure SCCM 2012 for iOS devices.



See you soon
Julien

Monday, February 18, 2013

My latest Favorite Publications








*** Jump Start: About 6 hours of information about Windows 8 features. Great!!
*** Taste of Premier - How Windows To Go for Windows 8 can Work for You: full demo and recommendations for Windows To Go.
** Windows 8 Deployment: short demo of a migration from XP to Windows 8 with MDT.
* Windows 8 Demonstrations: short video of some key features. If you don't have enough time for the Jump Start videos.












*** What’s New in Configuration Manager SP1: Detailed article about what's new in SCCM 2012 SP1. If you don't want to read it or if you want a demo, I recommend watching the Site Hierarchy and Role Enhancements with System Center 2012 Configuration Manager Service Pack 1 and Supporting Windows 8 and Windows Server 2012 with System Center 2012 Configuration Manager Service Pack 1 videos.
*** Endpoint Protection in System Center 2012 SP1: New features of Endpoint protection in SCCM 2012 SP1
*** Business Hours vs. Maintenance Windows with System Center 2012 Configuration Manager: All is in the title !
** Managing App-V 5 Virtual Applications with System Center 2012 Configuration Manager SP1

**  TechNet Radio: Upgrading System Center 2012 Configuration Manager to Service Pack 1: Presentation of some new features in SP1 and demo of an upgrade.
** New Distribution Points in Configuration Manager SP1: first article of a series about the new DPs in SCCM 2012 SP1. In this article, Kerim Hanif tells us about DPs in Windows Azure. Really relevant!!




*** TechNet Radio: Cloud-Based Management with Windows Intune and System Center 2012 SP1:  Presentation of Intune with SCCM 2012 SP1, Intune Standalone and demo of new features in Wave D.
*** How to Manage Mobile Devices by Using the Windows Intune Connector in Configuration Manager: How to Guide from the technet library.
*** [FR] Video Showcases: how to add a computer running Windows 7, 8, RT... in Intune? How to synchronize my local Active Directory with Intune?...
** Managing Mobile Devices with System Center 2012 Configuration Manager SP1 and Windows Intune: Key features regarding Intune integration in SCCM 2012 SP1.
** Client Update Process: what happens during a Windows Intune upgrade? Should I restart?...
*** Policy Settings for Mandatory Updates: How to handle notifications and restarts when deploying a mandatory deployment or a Windows Intune upgrade.
** About Service Notifications: notifications concerning Microsoft's scheduled maintenance of the Windows Intune service
* Showcases: nothing special, except that these short videos can be useful before starting your own presentation... and the music is great :o)









*** Windows Server 2012 Test Lab Guides
** Windows Server 2012-New User Interface Options: How to manage Core servers and to Install/Remove Gui console.

Tuesday, February 12, 2013

Search in Technet


Finding the right article on the TechNet website can be a painful exercise.

Often, if you use the search engine at the top, you will get a lot of results, especially discussions from the TechNet forum (http://social.technet.microsoft.com/forums/...). If you do your research with Bing or Google, nobody knows what you might discover...


However, Microsoft has implemented and documented for us THE solution:

For SCCM 2012, you can use the following URL:
http://www.bing.com/search?q=%28%22My%20Search%22%29%20site:technet.microsoft.com/en-us/library%20meta:search.MSCategory%28gg682056%29

If Bing is already open, you just have to type
("My Search") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056)


Obviously, replace "My Search" with what you are looking for.
For example, if you are looking for a reference about application supersedence, you can use the following URL:
http://www.bing.com/search?q=%28%22Superseded%22%29%20site:technet.microsoft.com/en-us/library%20meta:search.MSCategory%28gg682056%29



To get more information and to get the search syntax for the other System Center products, just read Information and Support for System Center 2012.



See you soon!
Julien