Part 1 – Deploy certificates to mobile devices using Microsoft Intune NDES – Overview

With the recent updates to Microsoft Intune it is now possible to deploy certificate profiles to mobile devices using the Network Device Enrollment Service (NDES).

In this blog series I'll cover the different aspects of the certificate enrollment process using Microsoft Intune (standalone).

Overview

Before going into the details of NDES, here is a brief overview of how the NDES process works in relation to Microsoft Intune.

Microsoft Intune Standalone NDES


Updated Windows Phone 8.1 Enterprise Device Management Protocol

As of the latest update release (currently rolling out) of Microsoft Intune, it now provides full support for OMA-URI. This seemingly small feature introduces 'endless' capabilities and opens a new era of Enterprise Mobility! The new possibilities and scenarios allow you to take full advantage of all the existing and new features that Microsoft Intune and Windows Phone 8.1 offer.

According to the December Microsoft Intune update, the Windows Phone 8.1 Enterprise Device Management Protocol guide has been updated: it documents improvements to the current feature set and introduces new capabilities such as managing Wi-Fi profile configuration for Windows Phone 8.1.


Here is an overview of the updated and new Windows Phone 8.1 capabilities:

New in Windows Phone 8.1

  • Enterprise application restrictions
  • EnterpriseAssignedAccess configuration service provider
  • Logging support for Enterprise server creation
  • PolicyManager configuration service provider
  • RemoteLock configuration service provider
  • RemoteRing configuration service provider
  • VPN configuration service provider
  • Web Authentication Broker Support in enrollment process
  • Wi-Fi configuration service provider

Updated in Windows Phone 8.1

  • Certificate configuration
  • CertificateStore configuration service provider
  • Discovery web service
  • DMClient configuration service provider
  • Enterprise application install, update, uninstall

The updated Windows Phone 8.1 Enterprise Device Management Protocol document can be downloaded here.

Create DNS records for Microsoft Intune including Workplace Join & Work Folders

In order to take advantage of all services related to Microsoft Intune and the attached Enterprise Mobility Suite (EMS) services, a number of DNS records must be added to your public DNS namespace. Here is an overview of the required DNS records and their associated services.

To be clear, yourdomain.com is used as a fictitious placeholder and must be replaced with your own organization's public namespace.

Entry | Type | Address | Purpose
enterpriseenrollment.yourdomain.com | CNAME | manage.microsoft.com | Eases the enrollment process of mobile devices
sts | A | (your AD FS address) | Required for single sign-on (SSO); points to your AD FS server(s)
enterpriseregistration | A | sts.yourdomain.com | Required for Workplace Join (device registration discovery)
enterpriseregistration.yourdomain.com | CNAME | enterpriseregistration.windows.net | Required for Azure Workplace Join (device registration discovery)
enterpriseregistration.region.yourdomain.com | CNAME | enterpriseregistration.windows.net | Required for Azure Workplace Join (device registration discovery)
workfolders | CNAME | workfolders.yourdomain.com | Points to your Work Folders enabled file server(s)
discovery | A | discovery.yourdomain.com | Required for the Work Folders discovery URL
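A quick way to confirm the records from the table above actually resolve the way the services expect, as an added example (this is not code from the original post): it queries each name with Resolve-DnsName and compares CNAME targets against the values listed. The yourdomain.com placeholder is the post's own; the AD FS, Work Folders and discovery targets are organisation-specific, so for those only the existence of a record of the right type is checked. Run it on a Windows 8.1 / Server 2012 R2 or later machine with the DnsClient module available.

```powershell
# Added example, not part of the original post: verify the public DNS records
# listed in the table. Replace $Domain with your own public namespace.
$Domain = 'yourdomain.com'

# Expected records, taken from the table. Target = $null means "any answer of
# this type is fine" because the value depends on your own environment.
$Expected = @(
    @{ Name = "enterpriseenrollment.$Domain";        Type = 'CNAME'; Target = 'manage.microsoft.com' }
    @{ Name = "enterpriseregistration.$Domain";      Type = 'CNAME'; Target = 'enterpriseregistration.windows.net' }
    @{ Name = "enterpriseregistration.region.$Domain"; Type = 'CNAME'; Target = 'enterpriseregistration.windows.net' }
    @{ Name = "sts.$Domain";                         Type = 'A';     Target = $null }   # your AD FS / WAP address
    @{ Name = "workfolders.$Domain";                 Type = 'CNAME'; Target = $null }   # your Work Folders server(s)
    @{ Name = "discovery.$Domain";                   Type = 'A';     Target = $null }   # Work Folders discovery URL
)

$results = foreach ($rec in $Expected) {
    $status = 'MISSING'
    $actual = $null
    try {
        # -DnsOnly bypasses the hosts file and local cache so we see the public answer.
        $answers = Resolve-DnsName -Name $rec.Name -Type $rec.Type -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq $rec.Type }

        # CNAME answers expose the target in NameHost, A answers in IPAddress.
        if ($rec.Type -eq 'CNAME') { $actual = $answers.NameHost }
        else                        { $actual = $answers.IPAddress }

        if ($actual) {
            # -eq is case-insensitive; Resolve-DnsName returns names without a trailing dot.
            if ($null -eq $rec.Target -or $actual -eq $rec.Target) { $status = 'OK' }
            else                                                   { $status = 'WRONG TARGET' }
        }
    }
    catch {
        # NXDOMAIN, or no record of the requested type, lands here.
        $status = 'MISSING'
    }

    [pscustomobject]@{
        Record   = $rec.Name
        Type     = $rec.Type
        Expected = $rec.Target
        Actual   = ($actual -join ', ')
        Status   = $status
    }
}

$results | Format-Table -AutoSize
```

Any row reporting MISSING or WRONG TARGET is a record that still has to be created or corrected in your public zone before enrollment, Workplace Join or Work Folders discovery will succeed.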

Use Alternate Login ID when implementing Enterprise Mobility Suite in a multi-forest scenario

Last week I came across a scenario where the Alternate Login ID feature of Active Directory Federation Services (AD FS) was at its best.

Scenario

As part of an Enterprise Mobility Suite (EMS) implementation we were facing a challenge to overcome. In this scenario the customer has a multi-forest AD structure (fictitious contoso.local & adatum.local) with a two-way forest trust relationship. The user resources are currently located in the fabrikam.local domain (blue), whereas all server resources, including AD FS, are part of the contoso.local domain (grey).

ADFS cross forest Microsoft Intune Infrastructure

As fabrikam.com is the public domain namespace in use, we added a UPN suffix for the fabrikam.local domain to make sure the user objects synced from the on-premises Active Directory – by Azure Active Directory Sync – match the public User Principal Name (UPN) domain namespace.
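The UPN suffix step described above, as an added example (not the blog's own code): it registers the public namespace as an allowed UPN suffix in the user forest, moves the users still carrying the internal suffix onto it, and counts what is left so nothing is synced with a non-matching UPN. It assumes the user forest is fabrikam.local and the public namespace is fabrikam.com, as in the post's scenario, and that the ActiveDirectory module is run with sufficient rights in fabrikam.local; Set-ADUser is called with -WhatIf so the script only previews the rename until you remove that switch.

```powershell
# Added example, not part of the original post: make the fabrikam.local users
# carry the public UPN suffix fabrikam.com before Azure AD Sync picks them up.
Import-Module ActiveDirectory

$OldSuffix = 'fabrikam.local'   # internal (user forest) suffix, from the post's scenario
$NewSuffix = 'fabrikam.com'     # public namespace, from the post's scenario
$Server    = 'fabrikam.local'   # target the user forest explicitly, not contoso.local

# 1. Register the public namespace as an allowed UPN suffix in the user forest.
$forest = Get-ADForest -Server $Server
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest -Server $Server -UPNSuffixes @{ Add = $NewSuffix }
}

# 2. Rewrite the UPN of every user still using the internal suffix.
#    The filter string is expanded by PowerShell before AD evaluates it.
$users = Get-ADUser -Server $Server -Filter "UserPrincipalName -like '*@$OldSuffix'" `
                    -Properties UserPrincipalName

foreach ($u in $users) {
    $prefix = $u.UserPrincipalName.Split('@')[0]
    $newUpn = '{0}@{1}' -f $prefix, $NewSuffix
    # Remove -WhatIf to apply the change for real.
    Set-ADUser -Identity $u -Server $Server -UserPrincipalName $newUpn -WhatIf
}

# 3. Verify: any user left on the old suffix will not match the public
#    namespace after synchronisation and will not sign in through AD FS as expected.
$remaining = @(Get-ADUser -Server $Server -Filter "UserPrincipalName -like '*@$OldSuffix'")
'{0} user(s) still using @{1}' -f $remaining.Count, $OldSuffix
```

Run step 3 again after the sync cycle; the count should be zero before you rely on the federated sign-in for these users.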


Experience the power of Enterprise Mobility during Experts Live 2014!

With one week to go, it is almost time... Experts Live 2014! The largest Microsoft Community event in the Netherlands, with 7 tracks, more than 40 sessions and top speakers from home and abroad. In addition, the organisation has once again managed to secure an inspiring keynote speaker this year... none other than Tom Coronel!



KB3002291: MDM settings are not applied to cloud-managed users in Configuration Manager 2012 R2

Just a quick line to let you know that a new hotfix for Configuration Manager 2012 R2 has been released which improves the process of getting policies applied to mobile devices. When a user becomes a cloud-managed user (CloudUserID), a settings policy may not target the assignment for that user because different users share the same CloudUserID. This behavior was introduced by CU2 and CU3.

  • This problem affects only environments that use the Intune Connector together with Configuration Manager 2012 R2.
  • This problem occurs only when Cumulative Update 2 or Cumulative Update 3 for Configuration Manager is installed.

To apply this hotfix, you must have Cumulative Update 2 or Cumulative Update 3 for System Center 2012 R2 Configuration Manager installed.

For more details and the download, see http://support2.microsoft.com/kb/3002291

For a complete list of all available hotfixes and updates, please consult the List of Public Microsoft Support Knowledge Base Articles wiki page.

Update: Hotfix solves issue publishing Network Device Enrollment Service (NDES) through Web Application Proxy (WAP) KB3013769

UPDATE! A quick note that you no longer have to contact support: the fix is available in the December Windows Update. Just install the latest Windows Update on your Windows Server 2012 R2 and you should be good to go. December 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2: http://support.microsoft.com/kb/3013769

UPDATE! A private hotfix (for now) is available that fixes the URL length issue with Web Application Proxy (applicable to NDES deployments), KB523052. This hotfix can be requested through a PSS case. For more details click here.

Those who are using Web Application Proxy (WAP) and intend to publish, or have already published, the Network Device Enrollment Service (NDES) may have noticed that this isn't working, even when pass-through preauthentication is configured. This post goes into the details of how NDES works, including a brief explanation of the issue.

The Network Device Enrollment Service (NDES) allows mobile devices that have no domain credentials to obtain certificates using the Simple Certificate Enrollment Protocol (SCEP). These user certificates can be used to control access to company resources (e-mail, Wi-Fi and VPN profiles) instead of a user name and password. This long-standing technique has recently regained prominence through its use in mobile device management for BYOD scenarios.
