

anyweb

Unified Device Management with Configuration Manager 2012 R2 - Part 2. Adding Support for iOS devices


Introduction

 

In Part 1 of this mini series we integrated Windows Intune with System Center 2012 R2 Configuration Manager. In this part we will add support for iOS devices (iPhone, iPad). Many companies today have users with company or personal owned iPhones with one or more iPads so being able to manage these devices and offer them application choice via a Company Portal is a good thing.

 

In order for iOS devices to check for policy, they need to be contacted by the Apple Push Notification service (APNs). Each company needs an APNs certificate to allow Windows Intune to contact Apple to make this request. When a new policy is created, Intune then contacts Apple for those devices, the devices then check the Intune service for new policy.

 

Users can enroll iOS devices by using the iOS company portal app which was made available in the App store on November 19th 2013. The Windows Intune company portal app can be installed on iOS devices as of iOS 6. The company portal app will allow users to perform the following actions:

  • Change or reset passwords.
  • Download and install company apps.
  • Enroll, unenroll, or wipe company content from their devices.

Step 1. Create an APNs Certificate Request

Before adding iOS enrollment support we first need to complete a few steps to enable our iOS devices to talk to Windows Intune. In the console click on Create APNs certificate request.

 

Create APNs certificate request.png

 

You’ll be prompted where to store the Certificate Signing Request, give it an appropriate path and file name such as in the example below,

 

where to store the certificate signing request.png

 

then click on Download and enter your Windows Intune credentials when prompted. Once the download is complete click on close.

 

csr download complete.png

 

Step 2. Submit the request to the Apple Push Notification service portal.

In the Configuration Manager console, browse to Cloud services in Administration, select your Windows Intune Subscription and right click it, choose properties.

 

windows intune properties.png

 

This brings up the Windows Intune Subscription properties, click on the iOS tab.

 

add iOS support.png

 

Place a checkmark in Enable iOS enrollment and then click on the Apple Push Certificate Portal link as shown in the example below:

 

enable iOS enrollment.png

 

Note: Please use something other than Internet Explorer for the steps below otherwise you may have issues with the certificate PEM files from Apple. Instead use Firefox or Chrome for these steps. You have been warned!

 

sign in with your (previously created) Apple ID to the Apple Push Certificates Portal,

 

sign in with your Apple ID to the Apple Push Certificates Portal with FireFox.png

 

once logged in to the Apple site, click on Create a Certificate

 

create a certificate.png

 

Agree to the terms and conditions if you want to continue and click on Accept

 

agree to the terms.png

 

Browse to the certificate signing request file you saved in the steps above and click on Upload

 

upload CSR using FireFox.png

 

Once it’s done creating your certificate you should receive a confirmation like the example below, however if you did not – make sure to read my note above about Internet Explorer.

 

you have successfully created a new push certificate with the following information.png

 

Tip: Notice the expiration date, it is one year from the day you created the certificate. You’ll have to repeat the process of creating a new certificate one year from now to continue managing iOS devices.

 

Click on Download to download the PEM file (if it’s not a PEM file read my NOTE above) and then save the PEM file

 

save the PEM file.png

 

Copy the newly downloaded PEM file to somewhere useful like D:\temp\iOS_New_Push_Certificate\.

 

Step 3. Add the APNs Certificate

Back in the Enable iOS Enrollment Wizard, browse to the PEM file above

 

APNs certificate is in place.png

 

and click on Apply then OK. Close the wizard.

 

Step 4. Enroll an iOS device

On an iOS device open the Apple App Store, search for Company Portal, select the Windows Intune Company Portal from the list of available apps

 

IMG_4973.PNG

 

Install it by clicking on Open/Install.

 

Once installed locate the app on your device and click on it.

 

IMG_5027.PNG

 

Enter your public domain Intune credentials (or Active Directory credentials if you setup ADFS)

 

IMG_5032.PNG

 

Click on sign in and you will be presented with the company portal.

 

IMG_4958.PNG

 

Notice the 'i' beside my phone device, that means it is not enrolled yet. Click on the device to start the enrollment procedure

 

IMG_4959.PNG

 

Click on Add Device. You will be presented with information about the portal, click on Add in the top right corner.

 

IMG_4960.PNG

 

The device gets enrolled to Windows Intune.

 

IMG_4961.PNG

 

You'll get prompted to install the MDM Profile, click on Install

 

IMG_4962.PNG

 

then click on Install Now...

 

IMG_4963.PNG

 

and off it goes...

 

IMG_4964.PNG

 

you'll again get prompted to click on Install (with a warning about what the administrator can do with your phone)

 

IMG_4965.PNG

 

and if all goes well your device will be successfully enrolled.

 

IMG_4966.PNG

 

Tip: If you have any problems with the enrollment, shake the phone/iPad while the company portal is open and you'll see the following screen, this allows you to troubleshoot via viewing the log file or you can email the log file.

 

IMG_5030.PNG

 

Note: if you shake the device during enrollment (while Safari is open) nothing will happen, simply click on the link at the bottom of the enrollment screen to go back to the company portal and shake the device then, the troubleshooting ability should then appear.

 

Once your iOS device has enrolled you can verify things on the server side, for example open the DDM.Log to review details of the device DDR being created (see below), a file is spotted in the inbox

 

processing file.png

 

and shortly after some discovery information is sent including the device name

 

nialls iphone.png

 

and the username used to enroll the device

 

username used to enroll the device listed in DDM LOG.png

 

and discovery info being processed

 

discovery.png

 

 

Step 5. A quick look at the features.

In the company portal you can now review what features are available on this device by clicking on the device name. On the phone itself you can do the following from the portal

  • reset
  • rename
  • remove

as shown below

 

IMG_4977.PNG

 

and of course you can select to install apps from the app store (we haven't added any yet, that is coming in the next part of this series).

 

In the Configuration Manager console browse to Assets and Compliance, your device should be listed there in the All Mobile Devices collection.

 

all mobile devices.png

 

right click the device and choose Start, Resource Explorer

 

resource explorer.png

 

and you'll get to see what details have been captured from your iOS device, cool!

 

resource explorer opened.png

 

you can also define the ownership of the device as there are new Global Conditions set up to allow you to target software/settings to devices based on ownership.

 

Note: All devices enrolled via Intune into Configuration Manager will have the device ownership set to Personal by default.

 

Right click the device and choose Device Ownership

 

change ownership.png

 

choose Personal or Company from the options available.

 

personal or company.png

 

And we can also do selective wipe/retire via the Retire/Wipe menu

 

retire wipe.png

 

This pops up a new menu describing the two choices available to you.

 

retire from configuration manager.png

 

Summary

We've learned how to successfully enroll iOS devices using the Windows Intune Company Portal available from the Apple App Store. Once enrolled the devices appear in Configuration Manager and can be managed.

 

That's all for now. In our next part we will learn how to add applications for iOS devices in our Company Portal. Until next time, adios!

 

Downloads

You can download a Microsoft Word copy of this guide here:

 

How can I manage modern devices in System Center 2012 R2 Configuration Manager Part 2 - Adding support for IOS devices.zip

 

 

 

cheers

niall
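
An added PowerShell check, not part of the original post, for the two things the guide warns about in Step 2: a download that is not really a PEM file, and the one-year expiry of the APNs certificate. The function name Test-ApnsPem and the 30-day warning window are assumptions made for this example; the folder is the one used in the guide.

```powershell
# Added example: inspect the downloaded APNs PEM before importing it in Step 3.
function Test-ApnsPem {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [int]$WarnDays = 30   # assumed renewal warning window, not from the guide
    )

    # Read the whole file as one string (an empty file becomes an empty string).
    $text    = [string](Get-Content -LiteralPath $Path -Raw)
    $pattern = '-----BEGIN CERTIFICATE-----(?<b64>[A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----'
    $match   = [regex]::Match($text, $pattern)

    if (-not $match.Success) {
        # No PEM certificate block found: the browser saved something else.
        return [pscustomobject]@{ Path = $Path; Status = 'NotPem' }
    }

    try {
        # Decode the Base64 body to DER and let .NET parse the certificate.
        $der  = [Convert]::FromBase64String(($match.Groups['b64'].Value -replace '\s', ''))
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    }
    catch {
        return [pscustomobject]@{ Path = $Path; Status = 'Unparseable' }
    }

    # NotAfter and Get-Date are both local time.
    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    $status = 'Ok'
    if ($daysLeft -le $WarnDays) { $status = 'RenewSoon' }
    if ($daysLeft -lt 0)         { $status = 'Expired' }

    [pscustomobject]@{
        Path       = $Path
        Status     = $status
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        Thumbprint = $cert.Thumbprint
    }
}

# Check every PEM file in the folder used in the guide.
Get-ChildItem -Path 'D:\temp\iOS_New_Push_Certificate\' -Filter *.pem |
    ForEach-Object { Test-ApnsPem -Path $_.FullName }
```

Run as a scheduled task, the same function gives early notice before the certificate lapses and iOS devices stop checking in for policy.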


Hi,

I am trying to enroll iOS devices but the iOS enrolment process failed with "unanticipated error". I have double checked and verified that UPN is OK. Has anyone faced the same issue?

Here is the link on TechNet forum with screenshot.

http://social.technet.microsoft.com/Forums/en-US/a2662744-3656-4938-bd11-d5032dcc9623/ios-device-failed-to-enroll-sccm2012-r2?forum=configmanagerdeployment#a2662744-3656-4938-bd11-d5032dcc9623


Do you have internet access on that iOS device? It doesn't look like it in the screenshot. Have you tried shaking the iOS device and reading the logs?


Hi Niall,

http://social.technet.microsoft.com/Forums/en-US/a2662744-3656-4938-bd11-d5032dcc9623/ios-device-failed-to-enroll-sccm2012-r2?forum=configmanagerdeployment#06c2309c-4883-47f8-ab34-f26d92a947a8

Could you please have a look at the screenshots available at the above link ... I am connected to the internet + I can enroll an Android device, not iOS.


Did you follow all the steps in my guide above? What user account did you use, was it a user@yourpublicdomain.com account or a user@yourpublicdomain.onmicrosoft.com account?


did you follow all the steps in my guide above ? what user account did you use, was it a user@yourpublicdomain.com account or a user@yourpublicdomain.onmicrosoft.com account ?

Hi Niall

I used your guide to set up the LAB env.

I used user@yourpublicdomain.com

And I use the same user@yourpublicdomain.com in case of Android.
