Part 2 – Deploying Microsoft Intune Connector in an Enterprise world: troubleshooting

In a diptych I’m sharing my experiences, common practices and challenges of implementing Microsoft Intune PFX connector as certificate deployment mechanism in the enterprise.

IntunePFX

In my first blog post I covered the basics of implementing a certificate deployment infrastructure based on Microsoft Intune PFX connector. Explained the differences and considerations whether to choose SCEP or PFX as your certificate deployment solution. And explained the certificate issuing workflow. In this second post I’ll go in more detail of the anatomy of the Intune Certificate Connector, setup. Explaining the renewal and revocation process(flow) works. And lastly I give you some pointers where to start your journey, in case of troubleshooting certificate deployment issues.

Part 1 – Deploying Microsoft Intune Connector in an Enterprise world: common practices

Part 2 – Deploying Microsoft Intune Connector in an Enterprise world: troubleshooting

Continue reading “Part 2 – Deploying Microsoft Intune Connector in an Enterprise world: troubleshooting”

Advertisements

Integrate your Microsoft Intune device enrollment with Azure AD!

May this year Microsoft announced a new capability of automatically enroll devices in Microsoft Intune as part of joining devices in to Azure AD (Premium). By joining a Windows 10 device to Azure AD it is extremely easy for end users to get the benefits of single sign-on, OS state roaming, and management capabilities.

image

This will work with both Microsoft Intune and with 3rd party MDM solutions. In this blog post I’ll show you how ease and transparent this process is and how powerful the integration is of Microsoft Online Services and Windows 10!

Continue reading “Integrate your Microsoft Intune device enrollment with Azure AD!”

What’s new in Microsoft Intune Service Update – May 2015

Latest-UpdatesToday the Microsoft Intune product team announced next set of Intune features that will be released between May 19 and May 26.  With this monthly release cadence, Microsoft continue to focus on providing customers with best-in-class experiences that help keep users productive while protecting company’s sensitive data. You can expect to see the following new Intune standalone (cloud only) features in this release:

  • Ability to extend application protection to your existing line-of-business apps using the Intune App Wrapping Tool for Android (Intune App Wrapping Tool for iOS made available in December 2014)
  • Ability to assign help desk permissions to Intune admins, filtering their view of the Intune admin console to only provide access to perform remote tasks (e.g. passcode reset and remote lock)
  • RSS feed notification option added for Intune admin to subscribe to be alerted when new Intune service notifications are available for their service instance
  • Improved end user experience in the Intune Company Portal app for iOS with step-by-step guidance added on how to access corporate email by enrolling for management and validating device compliance
  • Updated Intune Company Portal app for Windows Phone 8.1 to provide enhanced status notifications for app installations
  • New custom policy template for managing new Windows 10 features using OMA-URI
  • New per-platform mobile device security policy templates for Android, iOS, Windows, and Windows Phone, in addition to new Exchange ActiveSync policy template
  • Ability to deploy Google Play store apps that are required/mandatory to install on Android devices

Continue reading “What’s new in Microsoft Intune Service Update – May 2015”

Deploy *.appx files to Windows Phone 8.1 with the upcoming Microsoft Intune March service update

The Microsoft Intune Team announced the next service update for Microsoft Intune will become available between March 4, 2015 and March 7, 2015.

With notable attention with the new service update you’re able to deploy *.appx files to Windows Phone 8.1 devices. The *.appx extension – aka as Metro App – is normally only available for the Windows 8.1 platform. By enabling *.appx support for Windows Phone 8.1 Microsoft is taking the next step into the universal app erea.

New Intune standalone (cloud only) features that will be released as part of this service update include:

  • Ability to streamline the enrollment of iOS devices purchased directly from Apple or an authorized reseller with the Device Enrollment Program (DEP). The Device Enrollment Program (DEP) provides a fast, streamlined way to deploy your corporate-owned Mac or iOS devices, whether purchased directly from Apple or through participating Apple Authorized Resellers
  • Ability to restrict access to SharePoint Online and OneDrive for Business based upon device enrollment and compliance policies
  • Management of OneDrive apps for iOS and Android devices
  • Ability to deploy .appx files to Windows Phone 8.1 devices
  • Ability to restrict the number of devices a user can enroll in Intune

Further, as part of this service update, we Microsoft will be providing hybrid customers with the ability to create custom WiFi profiles with pre-shared keys (PSK) for Android devices. This will be expected to be alvailable in the next service update for Intune standalone (cloud only).

For more detailed information see the Microsoft Intune Team Blog

Publish NDES by Azure AD Application Proxy

This week the Azure AD Product Team did a great job by updating the Azure Application Proxy service to allow you to publish NDES using Azure Application Proxy, which is great news! Pieter Wigleven, Microsoft Technology Solution Professional on Enterprise Mobility has posted a great serie of posts on setting up certificate distribution to mobile devices. A must read!

Part 1 – First tips and tricks on how to troubleshoot and check existing ConfigMgr/SCEP/NDES infrastructures.
Part 2 – After many asks for clarity, a full guide on how to install and troubleshoot ConfigMgr/SCEP/NDES.
Part 3 – Using an additional reverse proxy in a DMZ in front of NDES. The reverse proxy of choice was Windows Server 2012 R2 with the Web Application Proxy role installed.
Part 4 – Protecting NDES with Azure AD Application Proxy

ndes_azure_application_proxy

In part 4 Pieter will outlines the set up of publishing NDES by Azure Application Proxy service, a cool solution that just have been made possible!

—————————————————————————————-

Azure AD Application Proxy (Web Application Proxy from the Cloud) lets you publish applications, such as SharePoint sites, Outlook Web Access and other web application, inside your private network and provides secure access to users outside your network via Azure.

Azure AD Application Proxy is built on Azure and gives you a massive amount of network bandwidth and server infrastructure to have better protection against DDOS attacks and superb availability. Furthermore there is no need to open external firewall ports to your on premise network and no DMS server is required. All traffic is originated inbound. For a complete list of outbound ports take a look at this MSDN page.

Important notes:

Azure AD Application Proxy is a feature that is available only if you are using the Premium or Basic editions of Azure Active Directory. For more information, see Azure Active Directory Editions.
If you have
Enterprise Mobility Suite (EMS) licenses you are eligible of using this solution. The Azure AD Application Proxy connector only installs on a Windows Server 2012 R2 Operating system, this is also a requirement of the NDES server anyway.

Read more…

Get in touch with the Microsoft Enterprise Mobility Suite ‘blackbelt’s’ and drop your feedback!

we-started-our-day-at-building-33-which-is-next-to-building-34-which-is-where-ceo-steve-ballmer-works

I’m very excited having the opportunity to meet the product teams on Enterprise Mobility Suite (EMS) during a 4-day stay in Redmond (WA) next week! As my employer Inovativ is participating in the Red Carpet Program we’re invited to join the Enterprise Mobility airlift. An airlift is an event which outlines new features being released in a new wave/product release. This airlift includes deep dive sessions on Azure AD Premium, Microsoft Intune and Azure RMS. As Microsoft Partner we’ll be lined up with the latest technology and have the chance to discuss and provide feedback on the components involved with the Enterprise Mobility Suite.

Further I’m looking foward to meet some community friends in person like Mr. ‘IoT’ and ‘Enterprise Mobility’ Rob Tiffany. I let me assure that the coffee is ready at Satya’s office ;-)

So I challenge you to collect your best feedback and questions on Azure AD Premium, Microsoft Intune, Azure Rights Management and bring it on, I’ll forward them to the PG’s! You can drop me a line by Twitter, Facebook or by e-mail

Continue reading “Get in touch with the Microsoft Enterprise Mobility Suite ‘blackbelt’s’ and drop your feedback!”

Block un-enrollment Windows Phone devices by Microsoft Intune

With the December update of Microsoft Intune a cool feature OMA-URI support has been added. This seemingly small feature introduces ‘endless’ management capabilities and scenario’s which allows you to take full advantage of managing Windows Phone devices with Microsoft Intune. This is useful when the setting you need is not configurable in a mobile device security policy.

image

A good example is to block the removal of Workplace of your managed Windows Phones. By default users are able to un-enroll their devices and thus become unmanaged.  In this blog I’ll show you how to prevent un-enrollement and the ability to factory reset Windows Phone device by an OMA-URI policy template. Continue reading “Block un-enrollment Windows Phone devices by Microsoft Intune”