Alongside the announcement of down-level support for Windows 7 and Windows 8.1, there is more exciting news in regards to Windows Defender ATP. Since today Windows Defender ATP Security Analytics is extended with two new security controls; BitLocker and Firewall.
In a diptych I’m sharing my experiences, common practices and challenges of implementing Microsoft Intune PFX connector as certificate deployment mechanism in the enterprise.
In my first blog post I covered the basics of implementing a certificate deployment infrastructure based on Microsoft Intune PFX connector. Explained the differences and considerations whether to choose SCEP or PFX as your certificate deployment solution. And explained the certificate issuing workflow. In this second post I’ll go in more detail of the anatomy of the Intune Certificate Connector, setup. Explaining the renewal and revocation process(flow) works. And lastly I give you some pointers where to start your journey, in case of troubleshooting certificate deployment issues.
Part 2 – Deploying Microsoft Intune Connector in an Enterprise world: troubleshooting
May this year Microsoft announced a new capability of automatically enroll devices in Microsoft Intune as part of joining devices in to Azure AD (Premium). By joining a Windows 10 device to Azure AD it is extremely easy for end users to get the benefits of single sign-on, OS state roaming, and management capabilities.
This will work with both Microsoft Intune and with 3rd party MDM solutions. In this blog post I’ll show you how ease and transparent this process is and how powerful the integration is of Microsoft Online Services and Windows 10!
Today the Microsoft Intune product team announced next set of Intune features that will be released between May 19 and May 26. With this monthly release cadence, Microsoft continue to focus on providing customers with best-in-class experiences that help keep users productive while protecting company’s sensitive data. You can expect to see the following new Intune standalone (cloud only) features in this release:
- Ability to extend application protection to your existing line-of-business apps using the Intune App Wrapping Tool for Android (Intune App Wrapping Tool for iOS made available in December 2014)
- Ability to assign help desk permissions to Intune admins, filtering their view of the Intune admin console to only provide access to perform remote tasks (e.g. passcode reset and remote lock)
- RSS feed notification option added for Intune admin to subscribe to be alerted when new Intune service notifications are available for their service instance
- Improved end user experience in the Intune Company Portal app for iOS with step-by-step guidance added on how to access corporate email by enrolling for management and validating device compliance
- Updated Intune Company Portal app for Windows Phone 8.1 to provide enhanced status notifications for app installations
- New custom policy template for managing new Windows 10 features using OMA-URI
- New per-platform mobile device security policy templates for Android, iOS, Windows, and Windows Phone, in addition to new Exchange ActiveSync policy template
- Ability to deploy Google Play store apps that are required/mandatory to install on Android devices
This week the Azure AD Product Team did a great job by updating the Azure Application Proxy service to allow you to publish NDES using Azure Application Proxy, which is great news! Pieter Wigleven, Microsoft Technology Solution Professional on Enterprise Mobility has posted a great serie of posts on setting up certificate distribution to mobile devices. A must read!
Part 1 – First tips and tricks on how to troubleshoot and check existing ConfigMgr/SCEP/NDES infrastructures.
Part 2 – After many asks for clarity, a full guide on how to install and troubleshoot ConfigMgr/SCEP/NDES.
Part 3 – Using an additional reverse proxy in a DMZ in front of NDES. The reverse proxy of choice was Windows Server 2012 R2 with the Web Application Proxy role installed.
Part 4 – Protecting NDES with Azure AD Application Proxy
In part 4 Pieter will outlines the set up of publishing NDES by Azure Application Proxy service, a cool solution that just have been made possible!
Azure AD Application Proxy (Web Application Proxy from the Cloud) lets you publish applications, such as SharePoint sites, Outlook Web Access and other web application, inside your private network and provides secure access to users outside your network via Azure.
Azure AD Application Proxy is built on Azure and gives you a massive amount of network bandwidth and server infrastructure to have better protection against DDOS attacks and superb availability. Furthermore there is no need to open external firewall ports to your on premise network and no DMS server is required. All traffic is originated inbound. For a complete list of outbound ports take a look at this MSDN page.
Azure AD Application Proxy is a feature that is available only if you are using the Premium or Basic editions of Azure Active Directory. For more information, see Azure Active Directory Editions.
If you have Enterprise Mobility Suite (EMS) licenses you are eligible of using this solution. The Azure AD Application Proxy connector only installs on a Windows Server 2012 R2 Operating system, this is also a requirement of the NDES server anyway.
In the first two blog posts I covered the theory how deployment of certificates works to mobile devices using Microsoft Intune NDES connector followed by setup and configuring the connector.
- Part 1 – Deploy certificates to mobile devices using Microsoft Intune NDES – Overview
- Part 2 – Deploy certificates to mobile devices using Microsoft Intune NDES – Connector
- Part 3 – Deploy certificates to mobile devices using Microsoft Intune NDES – Deployment
- Part 4 – Deploy certificates to mobile devices using Microsoft Intune NDES – Troubleshooting
In this third blog – part 3 – I’ll outline the depoyment of both Trusted CA Certificate Profile and SCEP Certificate profiles to mobile devices.
At the moment there’re several scenario’s to manage and provisioning users to Windows Intune in order to enable Enterprise Mobility Management (EMM) or simply said – managing your mobile devices. As the process of provisioning users to Windows Intune in combination with Configuration Manager 2012 R2 is not always clear I’ll provide you some insights and tips where and how to troubleshoot.
As mentioned I’ll will focus in this post on a hybrid scenario using Configuration Manager 2012 R2, Windows Intune and on-premise Active Directory where Azure Active Directory Sync (aka DirSync) is used to syncronize on-premise users to Windows Intune (Azure Active Directory).
Process Overview Windows Intune User provisioning
John Doe is created in (on-premise) Active Directory
John Doe is synchronized by Azure Active Directory Sync to (off-premise) Azure Active Directory
John Doe is discovered by Configuration Manager 2012 R2
John Doe is add to Windows Intune collection in Configuration Manager 2012 R2
John Doe is synchronized by Windows Intune Connector
John Doe is enabled Windows Intune user
Today Microsoft released an updated version of the Windows Assessment and Deployment Kit. This release of Windows ADK includes new and updated functionality to improve assessment and deployment scenarios including support for Windows 8.1 Update.
To determine what version of the Windows ADK you have installed, go to Control Panel > Programs > Programs and Features. The versions are:
- Version 8.100.25984 is for the Windows ADK for Windows 8.1 RTM
- Version 8.100.26629 is for the Windows ADK for Windows 8.1 Update
Version increments between 25984 and 26629 are updated versions of the RTM release. Version increments higher than 26629 are for the Windows 8.1 Update.
For a complete list of changes, see the Windows ADK Release Notes.
For a list of new features included in the Windows ADK for Windows 8.1 Update, see What’s New in the Windows ADK for Windows 8.1.
Today Microsoft announced new enhancements of Windows Intune Service as per next week. These updates include:
- Ability for the administrator to configure email profiles, which can automatically configure the device with the appropriate email server information and related policies, as well as the ability to remove the profile along with the email itself via a remote wipe if needed.
- Support for new configuration settings in iOS 7, including the “Managed open in” capability to protect corporate data by controlling which apps and accounts are used to open documents and attachments, and disabling the fingerprint unlock feature.
- Ability for the administrator to remotely lock the device if it is lost or stolen, and reset the password if the user forgets it.
- In addition to our unified deployment mode and integration with System Center Configuration Manager, Windows Intune can now stand alone as a cloud-only MDM solution. This is a big win for organizations that want a cloud-only management solutions to manage both their mobile devices and PC’s.
Just before the release of System Center 2012 R2 which is expected half of October, Microsoft releases CU3 for System Center 2012 Configuration Manager SP1. This update adds support for Windows 8.1-based client computers in Microsoft System Center 2012 Configuration Manager Service Pack 1. Windows 8.1 is added to the supported platform list for the following features:
- Software distribution
- Software update management
- Compliance Settings
In addition to support for Windows 8.1 and Windows server 2012 R2 this cumulative update provides fixes for the following components:
- Operating System Deployment (OSD)
- Windows PowerShell
- Software Distribution
- Windows Intune
- Endpoint Protection
- Software Updates
For detailed information see KB article http://support.microsoft.com/kb/2882125
The cumulative updated can be downloaded here.
As mentioned it might worth considering to skip the installation of CU3 since R2 will be released October 18th 2013.