Unified Device Management with Configuration Manager 2012 R2 - Part 2. Adding Support for iOS devices

[anyweb 412]

Introduction

 

In Part 1 of this mini series we integrated Windows Intune with System Center 2012 R2 Configuration Manager. In this part we will add Support for iOS devices (Iphone, iPad). Many companies today have users with company or personal owned iPhones with one or more iPads so being able to manage these devices and offer them application choice via a Company Portal is a good thing.

 

In order for iOS devices to check for policy, they need to be contacted by the Apple Push Notification service (APNs). Each company needs an APNs certificate to allow Windows Intune to contact Apple to make this request. When a new policy is created, Intune then contacts Apple for those devices, the devices then check the Intune service for new policy.

 

Users can enroll iOS devices by using the iOS company portal app which was made available in the App store on November 19^th 2013. The Windows Intune company portal app can be installed on iOS devices as of iOS 6. The company portal app will allow users to perform the following actions:

• Change or reset passwords.
• Download and install company apps.
• Enroll, unenroll, or wipe company content from their devices.

Step 1. Create an APNs Certificate Request

Before adding iOS enrollment support we first need to complete a few steps to enable our iOS devices to talk to Windows Intune. In the console click on Create APNs certificate request.

 

 

You’ll be prompted where to store the Certificate Signing Request, give it an appropriate path and file name such as in the example below,

 

 

then click on Download and enter your Windows Intune credentials when prompted. Once the download is complete click on close.

 

 

Step 2. Submit the request to the Apple Push Notification service portal.

In the Configuration Manager console, browse to Cloud services in Administration, select your Windows Intune Subscription and right click it, choose properties.

 

 

the brings up the Windows Intune Subscription properties, click on the iOS tab.

 

 

Place a checkmark in Enable iOS enrollment and then click on the Apple Push Certificate Portal link as shown in the example below:

 

 

Note: Please use something other than Internet Explorer for the steps below otherwise you may have issues with the certificate PEM files from Apple. Instead use FireFox or Chrome for these steps. You have been warned !

 

sign in with your (previously created) Apple ID to the Apple Push Certificates Portal,

 

 

once logged in to the Apple site, click on Create a Certificate

 

 

Agree to the terms and conditions if you want to continue and click on Accept

 

 

Browse to the certificate signing request file you saved in the steps above and click on Upload

 

 

Once it’s done creating your certificate you should receive a confirmation like the example below, however if you did not – make sure to read my note above about Internet Explorer.

 

 

Tip: Notice the expiration date, it is one year from the day you created the certificate. You’ll have to repeat the process of creating a new certificate one year from now to continue managing iOS devices.

 

Click on Download to download the PEM file (if it’s not a PEM file read my NOTE above) and then save the PEM file

 

 

Copy the newly downloaded PEM file to somewhere useful like D:\temp\iOS_New_Push_Certificate\.

 

Step 3. Add the APNs Certificate

Back in the Enable iOS Enrollment Wizard, browse to the PEM file above

 

 

and click on Apply then OK. Close the wizard.

 

Step 4. Enroll an iOS device

On an iOS device open the Apple App Store., search for Company Portal, select the Windows Intune Company Portal from the list of available apps

 

 

Install it by clicking on Open/Install.

 

Once installed locate the app on your device and click on it.

 

 

Enter your public domain Intune credentials (or Active Directory credentials if you setup ADFS)

 

 

Click on sign in and you will be presented with the company portal.

 

 

Notice the 'i' beside my phone device, that means it is not enrolled yet. Click on the device to start the enrollment procedure

 

 

Click on Add Device, You will be presented with information about the portal, click on Add in the top right corner.

 

 

the device get's enrolled to Windows Intune.

 

 

You'll get prompted to install the MDM Profile, click on Install

 

 

then click on Install Now...

 

 

and off it goes...

 

 

you'll again get prompted to click on Install (with a warning about what the administrator can do with your phone)

 

 

and if all goes well your device will be successfully enrolled.

 

 

Tip: If you have any problems with the enrollment, shake the phone/ipad while the company portal is open and you'll see the following screen, this allows you to troubleshoot via viewing the log file or you can email the log file.

 

 

Note: if you shake the device during enrollment (while safari is open) nothing will happen, simply click on the link at the bottom of the enrollment screen to go back to the company portal and Shake the device then, the troubleshooting ability should then appear.

 

Once your iOS device has enrolled you can verify things on the server side, for example open the DDM.Log to review details of the device DDR being created (see below), a file is spotted in the inbox

 

 

and shortly after some discovery information is sent including the device name

 

 

and the username used to enroll the device

 

 

and discovery info being processed

 

 

 

Step 5. A quick look at the features.

In the company portal you can now review what features are available on this device by clicking on the device name , on the phone itself you can do the following from the portal

• reset
• rename
• remove

as shown below

 

 

and of course you can select to install apps from the app store (we havn't added any yet, that is coming in the next part of this series).

 

In the Configuration Manager console browse to Assets and Compliance, your device should be listed there in the All Mobile Devices collection.

 

 

right click the device and choose Start, Resource Explorer

 

 

and you'll get to see what details have been captured from your iOS device, cool !

 

 

you can also define the ownership of the device as there are new Global Conditions set up to allow you to target software/settings to devices based on ownership.

 

Note: All devices enrolled via Intune into Configuration Manager will have the device ownership set to Personal by default.

 

Right click the device and choose Device Ownership

 

 

choose Personal or Company from the options available.

 

 

And we can also do selective wipe/retire via the Retire/Wipe menu

 

 

This pops up a new menu describing the two choices available to you.

 

 

Related reading

• How can I manage modern devices using System Center 2012 R2 Configuration Manager ? - Part 1
• James Bannan, an awesome Configuration Manager MVP - http://www.jamesbannanit.com/
• James and Peter demoing BYOD - Unifying BYOD Management with Windows Intune and Configuration Manager 2012 - http://channel9.msdn...and/2013/WCL309
• What’s New in System Center 2012 R2 Configuration Manager - http://technet.micro...y/dn236351.aspx
• How to Manage Mobile Devices by Using Configuration Manager and Windows Intune http://technet.micro...e10#BKMK_RTcert
• Support Tool for Windows Intune Trial Management of Window Phone 8 - http://www.microsoft...s.aspx?id=39079
• Set up Windows Intune Direct Management for Windows Phone 8 Mobile Devices - http://technet.micro...y/jj733640.aspx
• How to: Edit DNS records - A, CNAME, MX, TXT, and SRV https://help.hover.c...-MX-TXT-and-SRV
• Configuring Configuration Manager SP1 to manage mobile devices using Windows Intune- http://blogs.technet...ows-intune.aspx
• Deploying and Configuring Mobile Device Management Infrastructure - http://channel9.msdn...MS/2013/UD-B309
• Windows Intune Company Portal App - http://blogs.technet...-available.aspx

Summary

We've learned how to successfully enroll iOS devices using the Windows Intune Company Portal available from the Apple App Store. Once enrolled the devices appear in Configuration Manager and can be managed.

 

That's all for now, In our next part we will learn how to add applications for iOS devices in our Company Portal. Until next time, adios!

 

Downloads

You can download a Microsoft Word copy of this guide here:

 

How can I manage modern devices in System Center 2012 R2 Configuration Manager Part 2 - Adding support for IOS devices.zip

 

 

 

cheers

niall

[Malik4u 0]

God Bless You Nial for this work, wonderful guide as always

We are looking forward to add apps /next part of this mini series

Have a nice day, bye.

[Malik4u 0]

Hi,

When I try to enroll iPad I got the following message:

 

AccountNotOnBoard

 

The user account is synced with Windows Intune, how to troubleshoot?

[Malik4u 0]

Hi,

I am trying to enroll iOS devices but the iOS enrolment process failed with "unanticipated error"' I have double checked and verified that UPN is OK, someone faced the same issue?

Here is the link on TechNet forum with screenshot.

http://social.technet.microsoft.com/Forums/en-US/a2662744-3656-4938-bd11-d5032dcc9623/ios-device-failed-to-enroll-sccm2012-r2?forum=configmanagerdeployment#a2662744-3656-4938-bd11-d5032dcc9623

[anyweb 412]

do you have internet access on that ios device ? it doesnt look like it in the screenshot, have you tried shaking the ios device and reading the logs ?

[Malik4u 0]

Hi Nial,

http://social.technet.microsoft.com/Forums/en-US/a2662744-3656-4938-bd11-d5032dcc9623/ios-device-failed-to-enroll-sccm2012-r2?forum=configmanagerdeployment#06c2309c-4883-47f8-ab34-f26d92a947a8

Could you please have a look on screenshots available on above link ... I am connected to internet + I can enroll Android device, not iOS.

[anyweb 412]

i've replied there, p.s. there are two 'L' s in Niall.

[Malik4u 0]

Thanks,

 

I am connected to internet + PEM file is also on Place.

 

Due to some reasons I cant copy the URL here, so please have a look on the TechNet to see the Screensport + Log File.

[anyweb 412]

did you follow all the steps in my guide above ? what user account did you use, was it a user@yourpublicdomain.com account or a user@yourpublicdomain.onmicrosoft.com account ?

[Malik4u 0]

did you follow all the steps in my guide above ? what user account did you use, was it a user@yourpublicdomain.com account or a user@yourpublicdomain.onmicrosoft.com account ?

Hi Niall

I used your guide to set up the LAB env.

I used user@yourpublicdomain.com

And I use the same user@yourpublicdomain.com in case of Android.

[anyweb 412]

hmm ok, did you try enrolling more than once ? have you tried signing out of the app and trying again ?

[Malik4u 0]

Thanks for reply, YES I have done this /tested this several times. Even I restored the iPad to factory settings, installed the app again, and try the login, same result

[anyweb 412]

ok is the device managed by any other mobile device management solution (airwatch for example), if so then those MDM certificates need to be uninstalled first before trying the above, also have you tried using any other user ?? have you verified the user you are testing with is in the Windows Intune Users collection ?

[Malik4u 0]

ok is the device managed by any other mobile device management solution (airwatch for example), if so then those MDM certificates need to be uninstalled first before trying the above, also have you tried using any other user ?? have you verified the user you are testing with is in the Windows Intune Users collection ?

Thanks for reply.

1. This device has NOT been managed by other MDM Solutions, in fact it was brand new device never used before.

2. user@yourpublicdomain.com is in Windows intune User Collection (limiting to all users collection, for testing purposes).

3. Does the log file (available at: https://bth.itslearning.com/data/640/11518/CompanyPortal-Log.log ) shows something suspecios?

 

.... You mentioned about the certificate, I have requested the APN certificaes + PEM file more then once but sure that have used the correct APN to correct PEM file ,.... does this make any diffirence?

OR Should I try to revoke the unused certificates?

[anyweb 412]

you didn't say if you tried any other user yet, if not please do try, as regards your logs i've had a look and it's hard to tell when the failure occured so can you please go through the login process again and when you see the failure take note of the exact time, then attach the new logs here stating WHEN the failure occured ok ?

[Malik4u 0]

Hi,
I have tested with 2nd user as well, same results.
⦁ Login with the first user -> Failed
⦁ Clean Safari History + Cache -> 2ndUser -> Login Attempt ->Fail
⦁ Restore the iPad to factory ->Test -> Fail
2nd iPad (untouched, brand new)
⦁ Login with the first user -> Failed
⦁ Clean Safari History + Cache -> 2ndUser -> Login Attempt ->Fail
⦁ Restore the iPad to factory ->Test -> Fail

---- Log Files are attached also for both uses , both devices including error appear time ---


Besides iOS device enrolment, I noticed that when I select AppStore app, nothing appear,
But when Android is selected, Google Play appears as usual.
I have turned off Windows firewall (for testing only) + I am NOT using any proxy .

1st-Device-Logs.zip

2nd-Device-Logs.zip

[anyweb 412]

let's stick to one problem at a time please - ok i asked you to state WHEN the problem occurred so I can reference it in your logs, can you tell me when that was ? (i.e. you signed in and then it failed at WHAT time) ?

[Malik4u 0]

let's stick to one problem at a time please - ok i asked you to state WHEN the problem occurred so I can reference it in your logs, can you tell me when that was ? (i.e. you signed in and then it failed at WHAT time) ?

Hi Niall,

Its in the Log File Name as:

1stUser2ndLoginAttempt_11.07_CompanyPortal-Log

2ndUser_1stLoginAttempt_11.09_CompanyPortal-Log

2ndUser_2ndLoginAttempt_11.11_CompanyPortal-Log

 

2nd-Dev-1stUserLogin_11.19-CompanyPortal-Log

2nd-Dev-2ndUser_1stLogin_11.22_CompanyPortal-Log

2nd-Dev-2ndUser_2ndLogin_11.24_CompanyPortal-Log

 

Please let me know if are able to download the log files (1st-Device-Logs.zip) and (2nd-Device-Logs.zip)

[Malik4u 0]

And here comes the SCCM 2012 R2 logs (maybe you needed them as well?)

 

CloudMgr.log

cloudusersync.log

dmpdownloader.log

dmpuploader.log

[anyweb 412]

"MDMServer2012R2.konfig.local" <----- that might be your problem !

 

I had to rebuild my lab and use a 'real' FQDN to get things flowing

 

so for example, my working Windows Intune+ConfigMgr lab has CM12 server has an FQDN of CM12.windowsintunenoob.com, the non-working Windows Intune+configmgr lab was sccm.server2008r2.lab.local

 

 

I think .local FQDN's will cause problems with iOS, I had no success with iOS and .local in my first lab.

[Malik4u 0]

"MDMServer2012R2.konfig.local" <----- that might be your problem !

 

I had to rebuild my lab and use a 'real' FQDN to get things flowing

 

so for example, my working Windows Intune+ConfigMgr lab has CM12 server has an FQDN of CM12.windowsintunenoob.com, the non-working Windows Intune+configmgr lab was sccm.server2008r2.lab.local

 

 

I think .local FQDN's will cause problems with iOS, I had no success with iOS and .local in my first lab.

Hmmmm,

Thanks for your reply and support.

Thats odd then ... because in my 1st LAB env. I set up the ADDS with the public domain name with SPAM&#33; suffix.

(NAMalikSPAM&#33;)

Then ADDS FQDN was ending up "MDMServer2012R2.NAMalikSPAM&#33;"

.... and I had the same error message for iOS.

[Malik4u 0]

Should I sign up for the another intune 30 days trial and build from scratch now and have a test ?

I can start de-syncronization for the current IntuneSubscription.

OR try to rename the ADDS name ?

[anyweb 412]

all i can recommend is you try another domain name, i'm not 100% sure it's the issue but i wanted to mention it at least, the log files don't really tell me enough to determine the source of the failure

[Malik4u 0]

Ok, greate.

I will do that , now I am going to unauthorize the domain + desync the ADDS replication with Intune.

Of course will sign up for the new Intune Subscription.

 

----- CM12.windowsintunenoob.com ----- in your example , windowsintunenoob.com MUST NOT be publicly available domain ?

Can I use example.com with ADDS and add UPN Suffix with my public SPAM&#33; domain?

Edited December 16, 2013 by Malik4u

[anyweb 412]

in my example windowsintunenoob.com does match a public domain name with the same name even though it's just a lab