Jump to content




anyweb

Unified Device Management with Configuration Manager 2012 R2 - Part 2. Adding Support for iOS devices



Recommended Posts

Introduction

 

In Part 1 of this mini series we integrated Windows Intune with System Center 2012 R2 Configuration Manager. In this part we will add Support for iOS devices (Iphone, iPad). Many companies today have users with company or personal owned iPhones with one or more iPads so being able to manage these devices and offer them application choice via a Company Portal is a good thing.

 

In order for iOS devices to check for policy, they need to be contacted by the Apple Push Notification service (APNs). Each company needs an APNs certificate to allow Windows Intune to contact Apple to make this request. When a new policy is created, Intune then contacts Apple for those devices, the devices then check the Intune service for new policy.

 

Users can enroll iOS devices by using the iOS company portal app which was made available in the App store on November 19th 2013. The Windows Intune company portal app can be installed on iOS devices as of iOS 6. The company portal app will allow users to perform the following actions:

  • Change or reset passwords.
  • Download and install company apps.
  • Enroll, unenroll, or wipe company content from their devices.

Step 1. Create an APNs Certificate Request

Before adding iOS enrollment support we first need to complete a few steps to enable our iOS devices to talk to Windows Intune. In the console click on Create APNs certificate request.

 

Create APNs certificate request.png

 

You’ll be prompted where to store the Certificate Signing Request, give it an appropriate path and file name such as in the example below,

 

where to store the certificate signing request.png

 

then click on Download and enter your Windows Intune credentials when prompted. Once the download is complete click on close.

 

csr download complete.png

 

Step 2. Submit the request to the Apple Push Notification service portal.

In the Configuration Manager console, browse to Cloud services in Administration, select your Windows Intune Subscription and right click it, choose properties.

 

windows intune properties.png

 

the brings up the Windows Intune Subscription properties, click on the iOS tab.

 

add iOS support.png

 

Place a checkmark in Enable iOS enrollment and then click on the Apple Push Certificate Portal link as shown in the example below:

 

enable iOS enrollment.png

 

Note: Please use something other than Internet Explorer for the steps below otherwise you may have issues with the certificate PEM files from Apple. Instead use FireFox or Chrome for these steps. You have been warned !

 

sign in with your (previously created) Apple ID to the Apple Push Certificates Portal,

 

sign in with your Apple ID to the Apple Push Certificates Portal with FireFox.png

 

once logged in to the Apple site, click on Create a Certificate

 

create a certificate.png

 

Agree to the terms and conditions if you want to continue and click on Accept

 

agree to the terms.png

 

Browse to the certificate signing request file you saved in the steps above and click on Upload

 

upload CSR using FireFox.png

 

Once it’s done creating your certificate you should receive a confirmation like the example below, however if you did not – make sure to read my note above about Internet Explorer.

 

you have successfully created a new push certificate with the following information.png

 

Tip: Notice the expiration date, it is one year from the day you created the certificate. You’ll have to repeat the process of creating a new certificate one year from now to continue managing iOS devices.

 

Click on Download to download the PEM file (if it’s not a PEM file read my NOTE above) and then save the PEM file

 

save the PEM file.png

 

Copy the newly downloaded PEM file to somewhere useful like D:\temp\iOS_New_Push_Certificate\.

 

Step 3. Add the APNs Certificate

Back in the Enable iOS Enrollment Wizard, browse to the PEM file above

 

APNs certificate is in place.png

 

and click on Apply then OK. Close the wizard.

 

Step 4. Enroll an iOS device

On an iOS device open the Apple App Store., search for Company Portal, select the Windows Intune Company Portal from the list of available apps

 

IMG_4973.PNG

 

Install it by clicking on Open/Install.

 

Once installed locate the app on your device and click on it.

 

IMG_5027.PNG

 

Enter your public domain Intune credentials (or Active Directory credentials if you setup ADFS)

 

IMG_5032.PNG

 

Click on sign in and you will be presented with the company portal.

 

IMG_4958.PNG

 

Notice the 'i' beside my phone device, that means it is not enrolled yet. Click on the device to start the enrollment procedure

 

IMG_4959.PNG

 

Click on Add Device, You will be presented with information about the portal, click on Add in the top right corner.

 

IMG_4960.PNG

 

the device get's enrolled to Windows Intune.

 

IMG_4961.PNG

 

You'll get prompted to install the MDM Profile, click on Install

 

IMG_4962.PNG

 

then click on Install Now...

 

IMG_4963.PNG

 

and off it goes...

 

IMG_4964.PNG

 

you'll again get prompted to click on Install (with a warning about what the administrator can do with your phone)

 

IMG_4965.PNG

 

and if all goes well your device will be successfully enrolled.

 

IMG_4966.PNG

 

Tip: If you have any problems with the enrollment, shake the phone/ipad while the company portal is open and you'll see the following screen, this allows you to troubleshoot via viewing the log file or you can email the log file.

 

IMG_5030.PNG

 

Note: if you shake the device during enrollment (while safari is open) nothing will happen, simply click on the link at the bottom of the enrollment screen to go back to the company portal and Shake the device then, the troubleshooting ability should then appear.

 

Once your iOS device has enrolled you can verify things on the server side, for example open the DDM.Log to review details of the device DDR being created (see below), a file is spotted in the inbox

 

processing file.png

 

and shortly after some discovery information is sent including the device name

 

nialls iphone.png

 

and the username used to enroll the device

 

username used to enroll the device listed in DDM LOG.png

 

and discovery info being processed

 

discovery.png

 

 

Step 5. A quick look at the features.

In the company portal you can now review what features are available on this device by clicking on the device name , on the phone itself you can do the following from the portal

  • reset
  • rename
  • remove

as shown below

 

IMG_4977.PNG

 

and of course you can select to install apps from the app store (we havn't added any yet, that is coming in the next part of this series).

 

In the Configuration Manager console browse to Assets and Compliance, your device should be listed there in the All Mobile Devices collection.

 

all mobile devices.png

 

right click the device and choose Start, Resource Explorer

 

resource explorer.png

 

and you'll get to see what details have been captured from your iOS device, cool !

 

resource explorer opened.png

 

you can also define the ownership of the device as there are new Global Conditions set up to allow you to target software/settings to devices based on ownership.

 

Note: All devices enrolled via Intune into Configuration Manager will have the device ownership set to Personal by default.

 

Right click the device and choose Device Ownership

 

change ownership.png

 

choose Personal or Company from the options available.

 

personal or company.png

 

And we can also do selective wipe/retire via the Retire/Wipe menu

 

retire wipe.png

 

This pops up a new menu describing the two choices available to you.

 

retire from configuration manager.png

 

Related reading

Summary

We've learned how to successfully enroll iOS devices using the Windows Intune Company Portal available from the Apple App Store. Once enrolled the devices appear in Configuration Manager and can be managed.

 

That's all for now, In our next part we will learn how to add applications for iOS devices in our Company Portal. Until next time, adios!

 

Downloads

You can download a Microsoft Word copy of this guide here:

 

How can I manage modern devices in System Center 2012 R2 Configuration Manager Part 2 - Adding support for IOS devices.zip

 

 

 

cheers

niall

Share this post


Link to post
Share on other sites


God Bless You Nial for this work, wonderful guide as always :)

We are looking forward to add apps /next part of this mini series :)

Have a nice day, bye.

Share this post


Link to post
Share on other sites

Hi,

When I try to enroll iPad I got the following message:

 

AccountNotOnBoard

 

The user account is synced with Windows Intune, how to troubleshoot?

Share this post


Link to post
Share on other sites

Hi,

I am trying to enroll iOS devices but the iOS enrolment process failed with "unanticipated error"' I have double checked and verified that UPN is OK, someone faced the same issue?

Here is the link on TechNet forum with screenshot.

http://social.technet.microsoft.com/Forums/en-US/a2662744-3656-4938-bd11-d5032dcc9623/ios-device-failed-to-enroll-sccm2012-r2?forum=configmanagerdeployment#a2662744-3656-4938-bd11-d5032dcc9623

Share this post


Link to post
Share on other sites

do you have internet access on that ios device ? it doesnt look like it in the screenshot, have you tried shaking the ios device and reading the logs ?

Share this post


Link to post
Share on other sites

Hi Nial,

http://social.technet.microsoft.com/Forums/en-US/a2662744-3656-4938-bd11-d5032dcc9623/ios-device-failed-to-enroll-sccm2012-r2?forum=configmanagerdeployment#06c2309c-4883-47f8-ab34-f26d92a947a8

Could you please have a look on screenshots available on above link ... I am connected to internet + I can enroll Android device, not iOS.

Share this post


Link to post
Share on other sites

i've replied there, p.s. there are two 'L' s in Niall.

Share this post


Link to post
Share on other sites

Thanks,

 

I am connected to internet + PEM file is also on Place.

 

Due to some reasons I cant copy the URL here, so please have a look on the TechNet to see the Screensport + Log File.

Share this post


Link to post
Share on other sites

did you follow all the steps in my guide above ? what user account did you use, was it a user@yourpublicdomain.com account or a user@yourpublicdomain.onmicrosoft.com account ?

Share this post


Link to post
Share on other sites

did you follow all the steps in my guide above ? what user account did you use, was it a user@yourpublicdomain.com account or a user@yourpublicdomain.onmicrosoft.com account ?

Hi Niall

I used your guide to set up the LAB env.

I used user@yourpublicdomain.com

And I use the same user@yourpublicdomain.com in case of Android.

Share this post


Link to post
Share on other sites

hmm ok, did you try enrolling more than once ? have you tried signing out of the app and trying again ?

Share this post


Link to post
Share on other sites

Thanks for reply, YES I have done this /tested this several times. Even I restored the iPad to factory settings, installed the app again, and try the login, same result :(

Share this post


Link to post
Share on other sites

ok is the device managed by any other mobile device management solution (airwatch for example), if so then those MDM certificates need to be uninstalled first before trying the above, also have you tried using any other user ?? have you verified the user you are testing with is in the Windows Intune Users collection ?

Share this post


Link to post
Share on other sites

ok is the device managed by any other mobile device management solution (airwatch for example), if so then those MDM certificates need to be uninstalled first before trying the above, also have you tried using any other user ?? have you verified the user you are testing with is in the Windows Intune Users collection ?

Thanks for reply.

1. This device has NOT been managed by other MDM Solutions, in fact it was brand new device never used before.

2. user@yourpublicdomain.com is in Windows intune User Collection (limiting to all users collection, for testing purposes).

3. Does the log file (available at: https://bth.itslearning.com/data/640/11518/CompanyPortal-Log.log ) shows something suspecios?

 

.... You mentioned about the certificate, I have requested the APN certificaes + PEM file more then once but sure that have used the correct APN to correct PEM file ,.... does this make any diffirence?

OR Should I try to revoke the unused certificates?

Share this post


Link to post
Share on other sites

you didn't say if you tried any other user yet, if not please do try, as regards your logs i've had a look and it's hard to tell when the failure occured so can you please go through the login process again and when you see the failure take note of the exact time, then attach the new logs here stating WHEN the failure occured ok ?

Share this post


Link to post
Share on other sites

Hi,
I have tested with 2nd user as well, same results.
⦁ Login with the first user -> Failed
⦁ Clean Safari History + Cache -> 2ndUser -> Login Attempt ->Fail
⦁ Restore the iPad to factory ->Test -> Fail
2nd iPad (untouched, brand new)
⦁ Login with the first user -> Failed
⦁ Clean Safari History + Cache -> 2ndUser -> Login Attempt ->Fail
⦁ Restore the iPad to factory ->Test -> Fail

---- Log Files are attached also for both uses , both devices including error appear time ---


Besides iOS device enrolment, I noticed that when I select AppStore app, nothing appear,
But when Android is selected, Google Play appears as usual.
I have turned off Windows firewall (for testing only) + I am NOT using any proxy .

post-4293-0-87993600-1387193530_thumb.png

post-4293-0-95235600-1387193538_thumb.png

1st-Device-Logs.zip

2nd-Device-Logs.zip

Share this post


Link to post
Share on other sites

let's stick to one problem at a time please - ok i asked you to state WHEN the problem occurred so I can reference it in your logs, can you tell me when that was ? (i.e. you signed in and then it failed at WHAT time) ?

Share this post


Link to post
Share on other sites

let's stick to one problem at a time please - ok i asked you to state WHEN the problem occurred so I can reference it in your logs, can you tell me when that was ? (i.e. you signed in and then it failed at WHAT time) ?

Hi Niall,

Its in the Log File Name as:

1stUser2ndLoginAttempt_11.07_CompanyPortal-Log

2ndUser_1stLoginAttempt_11.09_CompanyPortal-Log

2ndUser_2ndLoginAttempt_11.11_CompanyPortal-Log

 

2nd-Dev-1stUserLogin_11.19-CompanyPortal-Log

2nd-Dev-2ndUser_1stLogin_11.22_CompanyPortal-Log

2nd-Dev-2ndUser_2ndLogin_11.24_CompanyPortal-Log

 

Please let me know if are able to download the log files (1st-Device-Logs.zip) and (2nd-Device-Logs.zip)

Share this post


Link to post
Share on other sites

"MDMServer2012R2.konfig.local" <----- that might be your problem !

 

I had to rebuild my lab and use a 'real' FQDN to get things flowing

 

so for example, my working Windows Intune+ConfigMgr lab has CM12 server has an FQDN of CM12.windowsintunenoob.com, the non-working Windows Intune+configmgr lab was sccm.server2008r2.lab.local

 

 

I think .local FQDN's will cause problems with iOS, I had no success with iOS and .local in my first lab.

Share this post


Link to post
Share on other sites

"MDMServer2012R2.konfig.local" <----- that might be your problem !

 

I had to rebuild my lab and use a 'real' FQDN to get things flowing

 

so for example, my working Windows Intune+ConfigMgr lab has CM12 server has an FQDN of CM12.windowsintunenoob.com, the non-working Windows Intune+configmgr lab was sccm.server2008r2.lab.local

 

 

I think .local FQDN's will cause problems with iOS, I had no success with iOS and .local in my first lab.

Hmmmm,

Thanks for your reply and support.

Thats odd then ... because in my 1st LAB env. I set up the ADDS with the public domain name with SPAM&#33; suffix.

(NAMalikSPAM&#33;)

Then ADDS FQDN was ending up "MDMServer2012R2.NAMalikSPAM&#33;"

.... and I had the same error message for iOS.

Share this post


Link to post
Share on other sites

Should I sign up for the another intune 30 days trial and build from scratch now and have a test ?

I can start de-syncronization for the current IntuneSubscription.

OR try to rename the ADDS name ?

Share this post


Link to post
Share on other sites

all i can recommend is you try another domain name, i'm not 100% sure it's the issue but i wanted to mention it at least, the log files don't really tell me enough to determine the source of the failure

Share this post


Link to post
Share on other sites

Ok, greate.

I will do that , now I am going to unauthorize the domain + desync the ADDS replication with Intune.

Of course will sign up for the new Intune Subscription.

 

----- CM12.windowsintunenoob.com ----- in your example , windowsintunenoob.com MUST NOT be publicly available domain ?

Can I use example.com with ADDS and add UPN Suffix with my public SPAM&#33; domain?

Edited by Malik4u

Share this post


Link to post
Share on other sites

in my example windowsintunenoob.com does match a public domain name with the same name even though it's just a lab

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


×