A guide to Build Your Own Enterprise Mobility Lab


Build Your Own Enterprise Mobility Lab

The world is becoming mobile, and organizations need to adapt to stay relevant and competitive. When you start working with solutions for mobile devices you will quickly discover that they require new products that provide these mobile capabilities. This mobile infrastructure is not yet present in most organizations, and neither are the knowledge and skills needed to install and configure it.

As an IT Pro, where do you start to catch up on all these new technologies? In my experience the best way to learn is to get your hands "dirty" by building it yourself and playing with it. Don't have someone come in to build it for you, and don't rely on scripts and automation to build it for you; that will not help you understand the technology. Build it yourself, step by step!

The guide attached to this blog post provides step-by-step instructions for building your own Enterprise Mobility lab. It uses the available Microsoft solutions without the need for a physical lab, including Azure IaaS, Azure AD, Intune, ADFS, Web Application Proxy, NDES, and more.

It allows you to test mobile scenarios across Windows, iOS, and Android devices. The lab will also put you in great shape to start validating Windows 10 mobile scenarios such as Azure AD Join and Passport. Step-by-step guidance for these Windows 10 scenarios will be added later.

Choosing an MDM Setup

The guide covers two different setup options for the Mobile Device Management (MDM) solution. You will need to choose between a Microsoft Intune Only (Intune) setup and a Hybrid (CM+Intune) setup.

The choice between the two options depends on two factors:

  1. Re-use or expansion of an existing Configuration Manager 2012 R2 investment.

  2. Availability of capabilities.
     At the time of writing, Intune Stand Alone and the Hybrid Intune/Configuration Manager solution do not have full parity across all capabilities. If certain capabilities are absolutely required, this will influence the decision.

Note: I'm planning to update the guide for Configuration Manager vNext as soon as possible.

Intune Only Setup:

The Intune Only setup uses only Microsoft Intune for MDM and contains the servers, services and roles shown in the picture below.

[Figure: Intune Only setup - servers, services and roles]

Hybrid Setup:

The Hybrid setup uses System Center Configuration Manager 2012 R2 integrated with Microsoft Intune for MDM and contains the servers, services and roles shown in the picture below. The server running System Center Configuration Manager 2012 R2 (CM1) can be placed either in Azure IaaS or on an on-premises server.

[Figure: Hybrid setup - servers, services and roles]

What is included in the Lab

The first sections of the Build Your Own Enterprise Mobility Lab guide explain how to set up a lab containing the core components needed to test and validate most mobility scenarios. It includes several servers representing your on-premises infrastructure, plus Azure AD, Intune and Office 365, as shown in the figure below.

Future blog posts from us will add to this infrastructure and provide step-by-step instructions for further scenarios. For example, I am currently writing the sections for the Windows 10 mobility scenarios, following the inclusion of Configuration Manager vNext.

The Build Your Own Enterprise Mobility Lab guide has the following table of contents:

1 Introduction
  1.1 Lab objectives
  1.2 Lab activity flow
  1.3 Design decisions for lab setup
    1.3.1 Build Lab Servers On Premise or in Azure IaaS
    1.3.2 Microsoft Intune Only or Hybrid Setup
    1.3.3 Microsoft Azure IaaS Lab Setup
    1.3.4 Credentials
  1.4 Use of Document
  1.5 References and Credits
  1.6 Support and Questions about the Lab
  1.7 Support for Windows 10
2 Pre-Requisites (Certs, Subscriptions, and Domain)
  2.1 Obtain a Public Domain Name
  2.2 Request SSL Public (Wildcard) Certificate(s)
  2.3 Re-use or Create a Microsoft Azure Subscription
  2.4 Create and Setup an 'Azure AD'
  2.5 Setup Intune Trial Tenant
  2.6 Setup Office 365 Trial Tenant
3 Preparing Windows Azure for IaaS
  3.1 Create a Cloud Service
  3.2 Create a Storage Account
  3.3 Create a Virtual Network
4 DC1: Setup and Configure AD, DNS, CA and ADFS
  4.1 DC1: VM - Create the Virtual Machine
  4.2 DC1: VM - Install Azure PowerShell and Configure a Static IP
  4.3 DC1: AD - Configure Active Directory Domain Services
  4.4 DC1: DNS - Configure DC1 as DNS for Virtual Network
  4.5 DC1: DNS - Configure DC1 with DNS Forwarders
  4.6 DC1: DNS - Configure an Alternate User Principal Name Suffix
  4.7 DC1: DNS - Configure DNS for Federation Service, DRS and Enrollment
  4.8 DC1: AD - Create Organizational Unit Hierarchy
  4.9 DC1: AD - Create Users and Groups
  4.10 DC1: CA - Install and Configure Active Directory Certificate Services
  4.11 DC1: ADFS - Install the Public SSL Wild Card Certificate for ADFS
  4.12 DC1: ADFS - Install and Configure Active Directory Federation Services
  4.13 DC1: ADFS - Install Windows PowerShell for single sign-on with AD FS
  4.14 DC1: ADFS - Workaround for DC1 Hanging on Boot
5 WAP1: Setup Web Application Proxy
  5.1 WAP1: Create the Virtual Machine
  5.2 WAP1: VM - Configure and Join WAP1 to the CORP domain
  5.3 WAP1: VM - Install Azure PowerShell and Configure a Static IP
  5.4 WAP1: Export the Public SSL Wild Card Certificate from DC1
  5.5 WAP1: Import the SSL Wild Card Certificate to WAP1
  5.6 WAP1: Configure the Azure Endpoint and Public Domain
  5.7 WAP1: Install and Configure Web Application Proxy
  5.8 WAP1: Troubleshooting
6 Setup and Configure AADSync
  6.1 Add a Registered Domain to your Tenant
  6.2 Install and Configure Microsoft Azure Active Directory Sync Services
  6.3 Explore the AAD Sync Services Tool and Perform Initial Synchronization
7 Setup AAD Premium and Office 365
  7.1 Assign AAD Premium Licenses
  7.2 Create Test Groups in Azure AD
  7.3 Assign Office 365 Licenses
  7.4 Configure DNS for Office 365
8 Enable Multi-Factor Authentication
9 Integrate SaaS Applications
  9.1 Integrate with Twitter through Password SSO
  9.2 Integrate with Google Apps through Federation SSO
10 Using Self-Service Features (Azure AD Premium)
  10.1 Self-Service Password Reset
  10.2 Self-Service Group Management
  10.3 Group Approval Workflow
  10.4 Azure Reports
11 Protecting Data With Azure RMS
  11.1 Configure Azure RMS
  11.2 Creating and Consuming Protected Content
  11.3 Protecting Data in Motion With Exchange IRM
12 SP1: Claims-Based Access & Resource Publication
  12.1 SP1: Manually Create a SharePoint Virtual Machine
  12.2 DC1: Configure DNS
  12.3 DC1: Configure ADFS
  12.4 WAP1: Configure WAP
  12.5 SP1: Install SQL Server Express
  12.6 SP1: SharePoint Farm Initial Configuration
  12.7 SP1: Configure Claims Provider in SharePoint
13 CM1: Configure MDM with Hybrid Setup (CM+Intune)
  13.1 CM1: Create the Virtual Machine
  13.2 CM1: VM - Configure and Join CM1 to the CORP domain
  13.3 CM1: VM - Install Azure PowerShell and Configure a Static IP
  13.4 CM1: Install and Configure SCCM
  13.5 CM1: Install and Configure CM2012 R2 SP1
  13.6 CM1: Connect to Microsoft Intune Subscription in Configuration Manager
  13.7 CM1: Enable the Firewall for port 1433 and 4022
  13.8 CM1: Minimize SQL Resource Usage
14 Intune: Configure MDM with Intune Only
  14.1 Intune: Enable base device management for Intune Standalone
15 Setup SCEP - NDES1
  15.1 NDES1: Create the Virtual Machine
  15.2 NDES1: VM - Configure and Join NDES1 to the CORP domain
  15.3 NDES1: VM - Install Azure PowerShell and Configure a Static IP
  15.4 DC1: AD - Create the NDES Service Account and SPN
  15.5 DC1: Create and Publish the Certificate Templates for NDES
  15.6 NDES1: Install and Configure NDES
  15.7 DC1: Add External NDES address to Internal Split Brain DNS zone and External DNS zone
  15.8 CM1: Configure Certificate Registration Point
  15.9 NDES1: Install Policy Module
  15.10 NDES1: Configure NDES Connector
  15.11 WAP1: Publish NDES1 on WAP1
  15.12 Troubleshooting (Optional)
16 Setup SSTP and L2TP VPN - VPN1
  16.1 VPN1: Create the Virtual Machine
  16.2 VPN1: VM - Configure and Join VPN1 to the CORP domain
  16.3 VPN1: VM - Install Azure PowerShell
  16.4 VPN1: Import the SSL Wild Card Certificate to VPN1
  16.5 VPN1: Configure the Firewall for VPN1
  16.6 VPN1: Install and Configure SSTP and L2TP VPN
  16.7 DC1: DNS - Add External VPN address to internal Split Brain DNS zone and External DNS zone
  16.8 DC1: Provide Users access to VPN
17 Managing Windows Phone 8.1
  17.1 Intune: Configure Intune for Windows Phone
  17.2 CM1: Configure Configuration Manager/Intune for Windows Phone 8.1
  17.3 Hyper-V: WP8.1 - Enrollment
  17.4 CM1: WP8.1 - Adding the IMEI, Device Name and Phone Number to the Inventory
  17.5 Intune: WP8.1 - Configuring Policy Settings and Policies based on OMA-URI
  17.6 CM1: WP8.1 - Configuring Policy Settings and Policies based on OMA-URI
  17.7 Intune: WP8.1 - Configuring Allow and Deny Lists
  17.8 CM1: WP8.1 - Configuring Allow and Deny Lists
  17.9 Intune: WP8.1 - Configure Trusted Root and Certificate Deployment
  17.10 CM1: WP8.1 - Configure Trusted Root and Certificate Deployment
  17.11 Intune: WP8.1 - Configure Mail Profile
  17.12 CM1: WP8.1 - Configure Mail Profile
  17.13 Intune: WP8.1 - Configure a Custom VPN Profile
  17.14 CM1: WP8.1 - Configure Custom VPN Profile
  17.15 Intune: WP8.1 - Configure WiFi Profile
  17.16 CM1: WP8.1 - Configure WiFi Profile
  17.17 Intune: WP8.1 - Configuring S/MIME
  17.18 CM1: WP8.1 - Configuring S/MIME
  17.19 Device Retirement / Wipe
18 Enterprise Mobility for Android
  18.1 Setup Google Play Account
  18.2 Intune: Configure Intune for Android
  18.3 CM1: Configure Configuration Manager/Intune for Android
  18.4 Hyper-V: Android - Create an Android Virtual Machine
  18.5 Android: Enrollment and Company Portal
  18.6 Intune: Android - Configure Policies
  18.7 CM1: Android - Configuring Policies
  18.8 Intune: Android - Configure Trusted Root and Certificate Deployment
  18.9 CM1: Android - Configure Trusted Root and Certificate Deployment
  18.10 KNOX Configuration
19 Enterprise Mobility for iOS
  19.1 Prepare to Manage iOS
  19.2 Configure CM/Intune
  19.3 Enrollment
  19.4 Intune: iOS - Configure Policies
  19.5 CM1: iOS - Configuring Policies
20 Enterprise Mobility for Windows 10
21 Appendix
  21.1 PowerShell: Reserve a Public VIP Address for Cloud Service
  21.2 PowerShell: Stop or Start all Virtual Machines

Have Fun!

Roel Schellens

Attachment: BYO_Ent_Mob_LabGuide_v1_5.pdf
