anyweb, posted November 29, 2013

Introduction

In Part 1 of this mini series we integrated Windows Intune with System Center 2012 R2 Configuration Manager. In this part we will add support for iOS devices (iPhone, iPad). Many companies today have users with company-owned or personal iPhones and one or more iPads, so being able to manage these devices and offer them application choice via a Company Portal is a good thing.

In order for iOS devices to check for policy, they need to be contacted by the Apple Push Notification service (APNs). Each company needs an APNs certificate to allow Windows Intune to contact Apple to make this request. When a new policy is created, Intune contacts Apple on behalf of those devices, and the devices then check the Intune service for new policy.

Users can enroll iOS devices by using the iOS company portal app, which was made available in the App Store on November 19th 2013. The Windows Intune company portal app can be installed on iOS devices as of iOS 6. The company portal app allows users to perform the following actions:

- Change or reset passwords.
- Download and install company apps.
- Enroll, unenroll, or wipe company content from their devices.

Step 1. Create an APNs Certificate Request

Before adding iOS enrollment support we first need to complete a few steps to enable our iOS devices to talk to Windows Intune. In the console click on Create APNs certificate request. You'll be prompted where to store the Certificate Signing Request; give it an appropriate path and file name such as in the example below, then click on Download and enter your Windows Intune credentials when prompted. Once the download is complete click on Close.

Step 2. Submit the request to the Apple Push Notification service portal

In the Configuration Manager console, browse to Cloud Services in Administration, select your Windows Intune Subscription, right click it and choose Properties. This brings up the Windows Intune Subscription properties; click on the iOS tab. Place a checkmark in Enable iOS enrollment and then click on the Apple Push Certificate Portal link as shown in the example below.

Note: Please use something other than Internet Explorer for the steps below, otherwise you may have issues with the certificate PEM files from Apple. Instead use Firefox or Chrome for these steps. You have been warned!

Sign in with your (previously created) Apple ID to the Apple Push Certificates Portal. Once logged in to the Apple site, click on Create a Certificate. Agree to the terms and conditions if you want to continue and click on Accept. Browse to the certificate signing request file you saved in the steps above and click on Upload. Once it's done creating your certificate you should receive a confirmation like the example below; if you did not, make sure to read my note above about Internet Explorer.

Tip: Notice the expiration date: it is one year from the day you created the certificate. You'll have to repeat the process of creating a new certificate one year from now to continue managing iOS devices.

Click on Download to download the PEM file (if it's not a PEM file, read my note above) and then save the PEM file. Copy the newly downloaded PEM file to somewhere useful like D:\temp\iOS_New_Push_Certificate\.

Step 3. Add the APNs Certificate

Back in the Enable iOS Enrollment wizard, browse to the PEM file above and click on Apply, then OK. Close the wizard.

Step 4. Enroll an iOS device

On an iOS device open the Apple App Store, search for Company Portal and select the Windows Intune Company Portal from the list of available apps. Install it by clicking on Open/Install. Once installed, locate the app on your device and click on it. Enter your public domain Intune credentials (or Active Directory credentials if you set up ADFS). Click on Sign in and you will be presented with the company portal.

Notice the 'i' beside my phone device; that means it is not enrolled yet. Click on the device to start the enrollment procedure. Click on Add Device. You will be presented with information about the portal; click on Add in the top right corner. The device gets enrolled to Windows Intune. You'll get prompted to install the MDM Profile; click on Install, then click on Install Now... and off it goes... You'll again get prompted to click on Install (with a warning about what the administrator can do with your phone) and if all goes well your device will be successfully enrolled.

Tip: If you have any problems with the enrollment, shake the phone/iPad while the company portal is open and you'll see the following screen; this allows you to troubleshoot by viewing the log file, or you can email the log file.

Note: If you shake the device during enrollment (while Safari is open) nothing will happen. Simply click on the link at the bottom of the enrollment screen to go back to the company portal and shake the device then; the troubleshooting ability should then appear.

Once your iOS device has enrolled you can verify things on the server side. For example, open DDM.log to review details of the device DDR being created (see below): a file is spotted in the inbox, and shortly after some discovery information is sent, including the device name and the username used to enroll the device, and the discovery info is processed.

Step 5. A quick look at the features

In the company portal you can now review what features are available on this device by clicking on the device name. On the phone itself you can do the following from the portal:

- Reset
- Rename
- Remove

as shown below, and of course you can select to install apps from the app store (we haven't added any yet; that is coming in the next part of this series). In the Configuration Manager console browse to Assets and Compliance; your device should be listed there in the All Mobile Devices collection.

Right click the device and choose Start, Resource Explorer and you'll get to see what details have been captured from your iOS device. Cool! You can also define the ownership of the device, as there are new Global Conditions set up to allow you to target software/settings to devices based on ownership.

Note: All devices enrolled via Intune into Configuration Manager will have the device ownership set to Personal by default. Right click the device and choose Device Ownership, then choose Personal or Company from the options available.

We can also do a selective wipe/retire via the Retire/Wipe menu. This pops up a new menu describing the two choices available to you.

Related reading

- How can I manage modern devices using System Center 2012 R2 Configuration Manager? - Part 1
- James Bannan, an awesome Configuration Manager MVP - http://www.jamesbannanit.com/
- James and Peter demoing BYOD - Unifying BYOD Management with Windows Intune and Configuration Manager 2012 - http://channel9.msdn...and/2013/WCL309
- What's New in System Center 2012 R2 Configuration Manager - http://technet.micro...y/dn236351.aspx
- How to Manage Mobile Devices by Using Configuration Manager and Windows Intune - http://technet.micro...e10#BKMK_RTcert
- Support Tool for Windows Intune Trial Management of Windows Phone 8 - http://www.microsoft...s.aspx?id=39079
- Set up Windows Intune Direct Management for Windows Phone 8 Mobile Devices - http://technet.micro...y/jj733640.aspx
- How to: Edit DNS records - A, CNAME, MX, TXT, and SRV - https://help.hover.c...-MX-TXT-and-SRV
- Configuring Configuration Manager SP1 to manage mobile devices using Windows Intune - http://blogs.technet...ows-intune.aspx
- Deploying and Configuring Mobile Device Management Infrastructure - http://channel9.msdn...MS/2013/UD-B309
- Windows Intune Company Portal App - http://blogs.technet...-available.aspx

Summary

We've learned how to successfully enroll iOS devices using the Windows Intune Company Portal available from the Apple App Store. Once enrolled, the devices appear in Configuration Manager and can be managed. That's all for now. In our next part we will learn how to add applications for iOS devices in our Company Portal. Until next time, adios!

Downloads

You can download a Microsoft Word copy of this guide here: How can I manage modern devices in System Center 2012 R2 Configuration Manager Part 2 - Adding support for IOS devices.zip

cheers
niall
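Added example, not part of Niall's guide: a small POSIX shell check for the one-year expiry warned about in the tip in Step 2, run with openssl against the PEM file downloaded from the Apple portal. It builds a constructed self-signed stand-in certificate so it runs offline; the file names, the 30-day warning window and the subject layout (push topic in the UID attribute, as Apple's MDM push certificates carry it) are assumptions to verify against your own PEM file.

```shell
#!/bin/sh
# Added example (not from the guide): check the APNs push certificate before
# it expires, so iOS devices do not silently stop receiving policy.
# Requires openssl. The certificate generated below is a CONSTRUCTED
# self-signed stand-in for the PEM file downloaded from the Apple portal.
set -u

# Print the notAfter date of the certificate in the given PEM file.
apns_cert_enddate() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Return 0 if the certificate stays valid for at least DAYS more days,
# 1 if it expires (or has already expired) within that window.
# openssl's own -checkend does the date arithmetic.
apns_cert_valid_for_days() {
    pem="$1"; days="$2"
    openssl x509 -noout -checkend "$((days * 86400))" -in "$pem" >/dev/null
}

# Print the push topic, i.e. the UID attribute of the certificate subject
# (assumption: Apple's MDM push certificates put the topic there).
apns_cert_topic() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | grep -o 'UID=[^,]*' | sed 's/^UID=//'
}

# Constructed stand-in certificate with Apple's one-year validity.
APNS_DEMO_DIR=$(mktemp -d)
APNS_DEMO_CERT="$APNS_DEMO_DIR/apns_constructed.pem"
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$APNS_DEMO_DIR/key.pem" -out "$APNS_DEMO_CERT" \
    -subj "/UID=com.apple.mgmt.External.00000000-constructed/CN=APSP:constructed" \
    >/dev/null 2>&1

echo "Topic:   $(apns_cert_topic "$APNS_DEMO_CERT")"
echo "Expires: $(apns_cert_enddate "$APNS_DEMO_CERT")"
if apns_cert_valid_for_days "$APNS_DEMO_CERT" 30; then
    echo "OK: more than 30 days left, no renewal needed yet"
else
    echo "WARNING: renew the certificate in the Apple portal and re-upload the new PEM in the Intune subscription"
fi
```

Point the functions at the real PEM file (and schedule the 30-day check) to get a warning well before the date Apple showed you at creation time.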
Malik4u, posted December 2, 2013

God bless you Nial for this work, wonderful guide as always. We are looking forward to adding apps / the next part of this mini series. Have a nice day, bye.
Malik4u, posted December 4, 2013

Hi, when I try to enroll an iPad I get the following message: AccountNotOnBoard. The user account is synced with Windows Intune; how do I troubleshoot this?
Malik4u, posted December 12, 2013

Hi, I am trying to enroll iOS devices but the iOS enrolment process fails with "unanticipated error". I have double checked and verified that the UPN is OK. Has anyone faced the same issue? Here is the link to the TechNet forum thread with a screenshot: http://social.technet.microsoft.com/Forums/en-US/a2662744-3656-4938-bd11-d5032dcc9623/ios-device-failed-to-enroll-sccm2012-r2?forum=configmanagerdeployment#a2662744-3656-4938-bd11-d5032dcc9623
anyweb, posted December 12, 2013

Do you have internet access on that iOS device? It doesn't look like it in the screenshot. Have you tried shaking the iOS device and reading the logs?
Malik4u, posted December 12, 2013

Hi Nial, http://social.technet.microsoft.com/Forums/en-US/a2662744-3656-4938-bd11-d5032dcc9623/ios-device-failed-to-enroll-sccm2012-r2?forum=configmanagerdeployment#06c2309c-4883-47f8-ab34-f26d92a947a8 Could you please have a look at the screenshots available at the above link... I am connected to the internet and I can enroll an Android device, but not iOS.
anyweb, posted December 12, 2013

I've replied there. P.S. there are two 'L's in Niall.
Malik4u, posted December 12, 2013

Thanks, I am connected to the internet and the PEM file is also in place. For some reason I can't copy the URL here, so please have a look on TechNet to see the screenshot and log file.
anyweb, posted December 13, 2013

Did you follow all the steps in my guide above? What user account did you use, was it a user@yourpublicdomain.com account or a user@yourpublicdomain.onmicrosoft.com account?
Malik4u, posted December 13, 2013

> did you follow all the steps in my guide above ? what user account did you use, was it a user@yourpublicdomain.com account or a user@yourpublicdomain.onmicrosoft.com account ?

Hi Niall, I used your guide to set up the lab environment. I used user@yourpublicdomain.com, and I use the same user@yourpublicdomain.com in the case of Android.
anyweb, posted December 13, 2013

Hmm, OK. Did you try enrolling more than once? Have you tried signing out of the app and trying again?
Malik4u, posted December 14, 2013

Thanks for the reply. Yes, I have done this / tested this several times. I even restored the iPad to factory settings, installed the app again and tried the login; same result.
anyweb, posted December 14, 2013

OK, is the device managed by any other mobile device management solution (AirWatch for example)? If so then those MDM certificates need to be uninstalled first before trying the above. Also, have you tried using any other user? Have you verified the user you are testing with is in the Windows Intune Users collection?
Malik4u, posted December 15, 2013

> ok is the device managed by any other mobile device management solution (airwatch for example), if so then those MDM certificates need to be uninstalled first before trying the above, also have you tried using any other user ?? have you verified the user you are testing with is in the Windows Intune Users collection ?

Thanks for the reply.

1. This device has NOT been managed by other MDM solutions; in fact it was a brand new device, never used before.
2. user@yourpublicdomain.com is in the Windows Intune Users collection (limited to the All Users collection, for testing purposes).
3. Does the log file (available at: https://bth.itslearning.com/data/640/11518/CompanyPortal-Log.log) show something suspicious?

You mentioned the certificate. I have requested the APN certificates + PEM file more than once, but I am sure that I have used the correct APN with the correct PEM file. Does this make any difference? Or should I try to revoke the unused certificates?
anyweb, posted December 15, 2013

You didn't say if you tried any other user yet; if not, please do try. As regards your logs, I've had a look and it's hard to tell when the failure occurred, so can you please go through the login process again and when you see the failure take note of the exact time, then attach the new logs here stating WHEN the failure occurred, OK?
Malik4u, posted December 16, 2013

Hi, I have tested with a 2nd user as well, same results.

- Login with the first user -> Failed
- Clean Safari history + cache -> 2nd user -> login attempt -> Fail
- Restore the iPad to factory -> Test -> Fail

2nd iPad (untouched, brand new):

- Login with the first user -> Failed
- Clean Safari history + cache -> 2nd user -> login attempt -> Fail
- Restore the iPad to factory -> Test -> Fail

Log files are attached for both users and both devices, including the time the error appeared.

Besides iOS device enrolment, I noticed that when I select the App Store app, nothing appears, but when Android is selected, Google Play appears as usual. I have turned off the Windows firewall (for testing only) and I am NOT using any proxy.

1st-Device-Logs.zip
2nd-Device-Logs.zip
anyweb, posted December 16, 2013

Let's stick to one problem at a time please. OK, I asked you to state WHEN the problem occurred so I can reference it in your logs. Can you tell me when that was? (i.e. you signed in and then it failed at WHAT time?)
Malik4u, posted December 16, 2013

> let's stick to one problem at a time please - ok i asked you to state WHEN the problem occurred so I can reference it in your logs, can you tell me when that was ? (i.e. you signed in and then it failed at WHAT time) ?

Hi Niall, it's in the log file names:

1stUser2ndLoginAttempt_11.07_CompanyPortal-Log
2ndUser_1stLoginAttempt_11.09_CompanyPortal-Log
2ndUser_2ndLoginAttempt_11.11_CompanyPortal-Log
2nd-Dev-1stUserLogin_11.19-CompanyPortal-Log
2nd-Dev-2ndUser_1stLogin_11.22_CompanyPortal-Log
2nd-Dev-2ndUser_2ndLogin_11.24_CompanyPortal-Log

Please let me know if you are able to download the log files (1st-Device-Logs.zip) and (2nd-Device-Logs.zip).
Malik4u, posted December 16, 2013

And here come the SCCM 2012 R2 logs (maybe you need them as well?)

CloudMgr.log
cloudusersync.log
dmpdownloader.log
dmpuploader.log
anyweb, posted December 16, 2013

"MDMServer2012R2.konfig.local" <----- that might be your problem! I had to rebuild my lab and use a 'real' FQDN to get things flowing. So for example, my working Windows Intune + ConfigMgr lab has a CM12 server with an FQDN of CM12.windowsintunenoob.com; the non-working Windows Intune + ConfigMgr lab was sccm.server2008r2.lab.local. I think .local FQDNs will cause problems with iOS; I had no success with iOS and .local in my first lab.
Malik4u, posted December 16, 2013

> "MDMServer2012R2.konfig.local" <----- that might be your problem ! I had to rebuild my lab and use a 'real' FQDN to get things flowing so for example, my working Windows Intune+ConfigMgr lab has CM12 server has an FQDN of CM12.windowsintunenoob.com, the non-working Windows Intune+configmgr lab was sccm.server2008r2.lab.local I think .local FQDN's will cause problems with iOS, I had no success with iOS and .local in my first lab.

Hmmmm, thanks for your reply and support. That's odd then... because in my 1st lab environment I set up the ADDS with the public domain name with SPAM! suffix (NAMalikSPAM!). Then the ADDS FQDN ended up as "MDMServer2012R2.NAMalikSPAM!"... and I had the same error message for iOS.
Malik4u, posted December 16, 2013

Should I sign up for another Intune 30-day trial and build from scratch now and have a test? I can start de-synchronization for the current Intune subscription. Or try to rename the ADDS name?
anyweb, posted December 16, 2013

All I can recommend is you try another domain name. I'm not 100% sure it's the issue but I wanted to mention it at least; the log files don't really tell me enough to determine the source of the failure.
Malik4u, posted December 16, 2013 (edited)

OK, great. I will do that. Now I am going to unauthorize the domain and desync the ADDS replication with Intune. Of course I will sign up for a new Intune subscription.

----- CM12.windowsintunenoob.com ----- in your example, windowsintunenoob.com MUST NOT be a publicly available domain? Can I use example.com with ADDS and add a UPN suffix with my public SPAM! domain?

Edited December 16, 2013 by Malik4u
anyweb, posted December 16, 2013

In my example windowsintunenoob.com does match a public domain name with the same name, even though it's just a lab.