The Ultimate Intune Setup Guide – Stage 4: Enable ConfigMgr 2012 R2 Management


Now that we’ve setup our Intune cloud services, it’s time to integrate the service with our on-prem Configuration Manager 2012 R2 hierarchy.

In my lab environment, I’ve got a single Primary Site with all roles installed on the one site server. In a multi-tier hierarchy, the Intune connector roles can only be installed at the CAS site.

  1. The first thing we’ll want to do is ensure all of our prerequisites are met. If you’ve followed my previous three posts (here, here and here) you will already have Intune set up, public domains added and user accounts being synchronised. There are some outstanding steps to get our clients to work with ConfigMgr:

    Create required DNS entries

    Our enterprise Mobile Device Management (MDM) clients will automatically look for their management service via a public URL during registration. This URL is EnterpriseEnrollment.<Your Company>.com

    In my lab scenario, that would be EnterpriseEnrollment.mattslabs.com

    As we want these devices to speak via Intune for management, we need to redirect the DNS requests via a CNAME record to the Microsoft Intune management services.

    1. Open your public DNS management tools. In my example my domain is hosted with GoDaddy, so I’m using their DNS management console.

      You can see here I’ve got my ADFS A record defined and the TXT record required for domain verification from this post.

    2. Create a new CNAME record, name it EnterpriseEnrollment and target it at manage.microsoft.com (this was the original target; see the next step).

    3. Update: the CNAME record you create should now point to enterpriseenrollment-s.manage.microsoft.com rather than manage.microsoft.com. See /en-us/intune/deploy-use/set-up-windows-device-management-with-microsoft-intune for more information.

    4. Save your zone file and wait until the record has replicated.


    5. You should eventually be able to ping EnterpriseEnrollment.mattslabs.com, which will now resolve to enterpriseenrollment-s.manage.microsoft.com (or to manage.microsoft.com if you used the original target).
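    A ping only proves the name resolves to something. The following PowerShell function, added here as an example and not part of the original post, checks what enrolling devices on the Internet will actually see: that the EnterpriseEnrollment name is a CNAME (an A record at that name will not redirect enrolment), that it points at the current Intune target, and it warns if it still points at the older manage.microsoft.com target. The domain, the public resolver and the expected target are assumptions; replace them with your own.

```powershell
# Added example (not from the original post): validate the EnterpriseEnrollment CNAME
# for a public domain. Assumes Resolve-DnsName (DnsClient module, Windows 8 / Server 2012+).
function Test-EnrollmentCname {
    param(
        [Parameter(Mandatory)][string]$Domain,
        # Current Intune target per the linked Microsoft article (assumption: unchanged for your tenant)
        [string]$ExpectedTarget = "enterpriseenrollment-s.manage.microsoft.com",
        # Query a public resolver so we see the Internet view, not a cached or split-brain internal answer
        [string]$Resolver = "8.8.8.8"
    )

    $name = "EnterpriseEnrollment.$Domain"

    try {
        $answer = Resolve-DnsName -Name $name -Type CNAME -Server $Resolver -DnsOnly -ErrorAction Stop
    } catch {
        Write-Warning "$name did not resolve via $Resolver : $($_.Exception.Message)"
        return $false
    }

    # Resolve-DnsName may return the CNAME plus the records it chains to; keep only the CNAME itself.
    $cname = $answer | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if (-not $cname) {
        Write-Warning "$name exists but has no CNAME record; an A record here will not redirect enrolment"
        return $false
    }

    $target = $cname.NameHost.TrimEnd('.')
    if ($target -ieq $ExpectedTarget) {
        Write-Host "OK: $name -> $target"
        return $true
    }
    if ($target -ieq 'manage.microsoft.com') {
        Write-Warning "$name -> $target is the older target; current guidance is $ExpectedTarget"
        return $false
    }

    Write-Warning "$name -> $target, expected $ExpectedTarget"
    return $false
}

# Lab domain from this post; substitute your own public domain.
Test-EnrollmentCname -Domain 'mattslabs.com'
```

    Run it from any Windows machine with Internet access; it does not need to be the site server. Because the function returns a Boolean, it can be dropped into a scheduled check that alerts if someone later changes the record.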


  2. The second requirement is the certificates needed to push software to devices. In my lab I plan to manage Windows Phone, Android and iOS devices.

    1. Acquiring the Windows Phone certificate.

      To side-load software onto Windows Phone devices via Intune, a Symantec Code Signing Certificate is required. These certificates must be purchased directly from Symantec: https://www.symantec.com/en/au/code-signing/windows-phone/

      As I’m not willing to spend a few hundred dollars on my lab, there is a handy tool available for lab scenarios called Support Tool for Windows Intune Trial Management of Windows Phone. You can download it from https://www.microsoft.com/en-us/download/details.aspx?id=39079

      Download this MSI and leave it for later. In the next post (Stage 5), I’ll explain how to get the Support Tool working.

    2. Acquiring the iOS Apple Push Notification certificate

      To manage and deploy to iOS devices, you must have an Apple Push Notification (APN) certificate.

      Open your Configuration Manager Console, and browse to Administration > Overview > Cloud Services

      Right-click on Windows Intune Subscriptions and select Create APNs certificate request

      Set a path for the Certificate Request to be saved to


      When prompted, add your Intune Administrator credentials and press Sign in

      Once complete, close the window and browse to the location of the saved .csr file


      Browse to the Apple Push Certificates Portal: https://go.microsoft.com/fwlink/?LinkId=269844

      Sign in or create an Apple ID


      Click on Create a Certificate

      Accept the EULA

      On the Create a New Push Certificate page, select the Choose File button and select the .csr file previously generated


      Click Upload


      After the success confirmation dialog, click the Download button to download your APN Certificate


      Hold onto this file for later
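      The file Apple hands back is a PEM-encoded certificate, and Apple issues MDM push certificates for one year, so the expiry date is worth recording now rather than discovering later when iOS devices stop checking in. The function below is an added example, not part of the original post: it loads the downloaded certificate with the .NET X509Certificate2 class (which accepts PEM as well as DER) and reports issuer, validity window and days remaining. The file path is an assumption.

```powershell
# Added example (not from the original post): inspect the APN certificate downloaded from Apple.
function Get-ApnCertificateStatus {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Flag certificates within this many days of expiry so renewal can be scheduled
        [int]$WarnDays = 30
    )

    $fullPath = (Resolve-Path -Path $Path).Path
    # X509Certificate2 loads both DER (.cer) and Base64/PEM (.pem) encoded certificate files.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

    [pscustomobject]@{
        File       = $fullPath
        Subject    = $cert.Subject      # contains the push topic (UID=com.apple.mgmt.External...) that enrolled devices are bound to
        Issuer     = $cert.Issuer
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        Thumbprint = $cert.Thumbprint
        RenewSoon  = ($daysLeft -le $WarnDays)
    }
}

# Placeholder path: point this at the .pem file you just downloaded from the Apple portal.
Get-ApnCertificateStatus -Path 'C:\Intune\MDM_Microsoft_Corporation_Certificate.pem' | Format-List
```

      When the certificate does come up for renewal, renew the existing one from the same Apple ID rather than creating a new one: a new certificate carries a different push topic, and devices enrolled under the old topic would stop receiving push notifications.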


  3. Next, we can start to configure Configuration Manager. Open the Configuration Manager Console and browse to Administration > Overview > Cloud Services

    Right-click on Windows Intune Subscriptions and select Add Windows Intune Subscription

    You’ll be prompted with the Create Windows Intune Subscription Wizard

    1. Press Next to start the Wizard


    2. Click the sign-in button and enter your Intune Administrator credentials


      You’ll be prompted to confirm the ownership of the Intune MDM capabilities. Essentially, if you want to use Intune for MDM, the MDM authority has to be either the Intune web console or the Configuration Manager console. It is one or the other, never both.

      Tick the check-box and press OK

    3. In the General Configuration, configure the user Collection whose members you want to be able to enrol their devices, some Company Branding, and the Configuration Manager Site Code that any enrolled devices will become a member of


    4. Tick the Android and iOS support buttons, and if you have a Symantec Windows Phone certificate, select Windows Phone 8

      Note: For those who are going to use the Support Tool for Windows Intune Trial Management of Windows Phone to test Windows Phone management, don’t enable Windows Phone 8 management here. We’ll do this via the tool in my next blog post (Stage 5).

    5. Select the Apple APN certificate created earlier

    6. Provide some contact details for your users to see in the Intune Portal


    7. Add your Company Logo (if required)


    8. Complete the wizard


  4. To complete the installation process, we finally have to add the Windows Intune Connector site system role. To do this, open the Configuration Manager Console, browse to Administration > Overview > Site Configuration > Servers and Site System Roles


    Note here that we have a manage.microsoft.com server in the list. This is where your apps and other content will be stored for your MDM devices once they are synchronised later.

    Right-click on your Primary Site Server, and select Add Site System Roles


    You’ll be presented with the Add Site System Roles Wizard

    1. Leave the General and Proxy settings at their defaults (unless you need to go through a proxy to get Internet access)


    2. In the System Role Selection window, select the Windows Intune Connector and press Next

    3. Press Next on the Summary screen and wait for a successful completion screen


    4. After a few minutes the role should be up and running.

  5. Finally, let’s confirm that the integration and cloud sync are working. From the Configuration Manager Console, browse to Assets and Compliance > Overview > Users

    You should see all of your users listed


    Right-click on the column header row and add the column Cloud User ID

    This will add an extra column displaying the Cloud User IDs that have come from the Intune service. If the Cloud User ID is empty, that user will not be able to enrol their device or access any of the Intune services.
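    Scrolling the console for blank cells does not scale past a handful of users. The PowerShell below, added here as an example and not part of the original post, asks the SMS Provider for the same data and returns only the users whose Cloud User ID is still empty, so the list can be exported or checked on a schedule. It assumes the console’s Cloud User ID column is surfaced as the CloudUserId property of the SMS_R_User WMI class; the site code and provider server name are placeholders.

```powershell
# Added example (not from the original post): find ConfigMgr users with no Cloud User ID,
# i.e. users who will not be able to enrol via Intune. Run on, or against, the SMS Provider.
function Get-UserWithoutCloudId {
    param(
        [Parameter(Mandatory)][string]$SiteCode,                # placeholder: your primary/CAS site code
        [string]$ProviderServer = $env:COMPUTERNAME              # placeholder: server hosting the SMS Provider
    )

    $namespace = "root\SMS\site_$SiteCode"

    # Assumption: the console's "Cloud User ID" column maps to SMS_R_User.CloudUserId.
    # Request only the properties we need; SMS_R_User carries many more.
    $users = @(Get-WmiObject -ComputerName $ProviderServer -Namespace $namespace `
                             -Class SMS_R_User -Property UniqueUserName, FullUserName, CloudUserId)

    $missing = @($users | Where-Object { [string]::IsNullOrWhiteSpace($_.CloudUserId) })
    $synced  = $users.Count - $missing.Count

    Write-Host ("{0} users in ConfigMgr, {1} with a Cloud User ID, {2} without" -f `
                $users.Count, $synced, $missing.Count)

    # Return the users that still need attention as objects so the caller can filter or export them.
    $missing | Select-Object UniqueUserName, FullUserName
}

# 'PS1' is a constructed placeholder site code.
Get-UserWithoutCloudId -SiteCode 'PS1' | Format-Table -AutoSize
```

    A user appearing in this list is the same symptom the console shows as an empty cell: that account has not been matched to an Intune user, so check it against the directory synchronisation set up in the earlier posts before expecting the user to enrol a device.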


    Finally, browse to https://portal.manage.microsoft.com to view your ConfigMgr Intune branding


We’ve now successfully configured the Configuration Manager integration with Intune.