ConfigMgr 2012 R2 & Intune: Step by Step explained from setting it up, to identity control (ADFS, DRS and Workplace Join)
Tim De Keukelaere, Kenny Buntinx
#MMSMinnesota #MMSCMIntune
CM12 & INTUNE: STEP BY STEP EXPLAINED
About Kenny
Kenny Buntinx
Managing Consultant
@KennyBuntinx
http://be.linkedin.com/KennyBuntinx
http://scug.be/blogs/sccm
About Tim
Tim De Keukelaere
Managing Consultant
@Tim_DK
http://be.linkedin.com/in/timdekeukelaere/
http://scug.be/tim/
Key Takeaways
Understanding these concepts:
• ADFS with SSO
• Workplace join and DRS
• DirSync
• UDM Integration with CM12
Hands-on:
• Knowing how to implement them
Assumptions
About our audience
• Practical experience with System Center Configuration Manager 2012 SP1/R2
• Knowledge of Windows Server 2012 R2
About us
• Not the ADFS, Certificate or Identity Specialists, but we had our share in “challenges”
• Not aiming to explain in detail “How to enroll all possible devices”
WARNING: PERMITTING FANCY GADGETS TO BE BROUGHT TO WORK MAKES YOUR LIFE AS AN IT PROFESSIONAL HARDER
Users can work from anywhere on their device with access to their corporate resources.
Users can register devices for single sign-on and access to corporate data with Workplace Join
Users can enroll devices for access to the Company Portal for easy access to corporate applications
IT can publish access to resources with the Web Application Proxy based on device awareness and the user's identity
SETTING UP CM12 AND WINDOWS INTUNE FOR UDM
Requirements for UDM technologies
Windows Intune UDM
• ConfigMgr 2012 SP1 or R2
• Domain Controller OS = minimum W2K3 SP2
• Minimal Forest Schema = W2K3 SP2
• Optional: ADFS 2.0 / 2.1 / 3.0
• Optional: ADFS Proxy Server
• Internal and external DNS A / CNAME Records
• Certificates
• DirSync with optional password sync
Workplace Join (Optional)
• Forest Functional Level = 2003
• Domain Controller OS = minimum W2K8R2
• Minimal Forest Schema = W2K12R2
• ADFS 3.0
• Web Application Proxy (WAP)
• Internal and external DNS A / CNAME Records
• Certificates
Process Overview
1. Create Windows Intune Subscription
• Purchase from windowsintune.com
• Purchase Volume License agreement
2. Add Public DNS details for enrollment redirection
3. Verify Users have Public Domain UPNs and perform AD User Discovery
4. Deploy and Configure AD Directory Synchronization
5. Deploy and Configure AD Federation Services (Not required but strongly recommended!)
6. Reset User Password, or use password sync if not using ADFS
7. Configuring Configuration Manager for Mobile Device Management
• Creating a Windows Intune Subscription in the Configuration Manager console
• Creating the Windows Intune Connector site system role
8. Verification of Configuration Manager successfully connecting to the Windows Intune service
Create Windows Intune Subscription
First order of business: create a Windows Intune subscription. This can be performed as a Volume License agreement, through those normal channels.
If you do not have a VL Agreement for Configuration Manager you may create a Windows Intune subscription directly from www.WindowsIntune.com.
Once complete, log in to the Windows Intune Account Portal at account.manage.microsoft.com (with the Tenant Account).
Create Verifiable Public Domain
To ensure users are synchronized correctly, create a verified public domain within the Windows Intune Account Portal. This is a public domain for the company, something like demolabs.be.
This domain must be verifiable as a registered domain by an external source.
Next, configure the on-premise AD Directory Synchronization with Microsoft Online.
For device enrollment ensure you have a public DNS CNAME record directing EnterpriseEnrollment to manage.microsoft.com.
Demo: Adding Domain / Activate Dirsync
Verify User Details and Perform AD User Discovery
Ensure users that will be managed have this Public Domain as their primary User Principal Name (UPN) in Active Directory.
To add UPNs for each user, either edit via ADSI or script, similar to that shown here:
http://blogs.technet.com/b/heyscriptingguy/archive/2004/12/06/how-can-i-assign-a-new-upn-to-all-my-users.aspx
Once confirmed, perform AD User Discovery in Configuration Manager 2012 SP1.
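Scripted UPN assignment for the step above, as an added example that is not from the session deck or the linked Scripting Guy post: it assumes the RSAT ActiveDirectory module, the lab domain demolabs.be used throughout the session, and a constructed OU path.

```powershell
# Added example (not from the deck): give every user in a scoped OU a UPN on the
# verified public domain, then report anyone still carrying another suffix.
# Assumes the RSAT ActiveDirectory module; the OU path below is constructed.
Import-Module ActiveDirectory

$PublicSuffix = 'demolabs.be'                            # verified domain in the Intune Account Portal
$SearchBase   = 'OU=Intune Users,DC=demolabs,DC=local'   # constructed OU path (assumption)

# Register the public suffix in the forest if it is not known yet, so it is a
# recognised UPN suffix (and shows up in ADUC) before users are rewritten.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $PublicSuffix -and $forest.RootDomain -ne $PublicSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add = $PublicSuffix}
}

function Set-PublicUpn {
    # Rewrites each user's UPN to sAMAccountName@<public suffix>; -WhatIf previews, -Apply commits.
    param([switch]$Apply)
    Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' | ForEach-Object {
        $newUpn = '{0}@{1}' -f $_.sAMAccountName, $PublicSuffix
        if ($_.UserPrincipalName -ne $newUpn) {
            Set-ADUser -Identity $_ -UserPrincipalName $newUpn -WhatIf:(-not $Apply)
            [pscustomobject]@{ User = $_.sAMAccountName; OldUpn = $_.UserPrincipalName; NewUpn = $newUpn }
        }
    }
}

function Get-UpnMismatch {
    # Users left with a different suffix will not match their cloud identity after DirSync.
    Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' |
        Where-Object { $_.UserPrincipalName -notlike "*@$PublicSuffix" } |
        Select-Object sAMAccountName, UserPrincipalName
}

Set-PublicUpn | Format-Table            # dry run: review the planned changes first
# Set-PublicUpn -Apply | Format-Table   # then commit, and re-run Get-UpnMismatch until it is empty
Get-UpnMismatch
```

Run the dry run before the first DirSync cycle, since the UPN is what ties the on-premises user to the cloud identity.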
Demo: Schema Verification / Adding UPNs
DIRSYNC
Dirsync with Password Sync vs. ADFS
Dirsync - Purpose
• Sync users/groups from your on-premise AD into the cloud
• Schedule based
DirSync Requirements
• 64-bit Edition of Windows Server:
– Windows Server 2008 Datacenter
– Windows Server 2008 R2 Standard or Enterprise, Windows Server 2008 R2 Datacenter
– Windows Server 2012 Standard or Datacenter
– Windows Server 2012 R2 Standard or Datacenter
• .Net Framework 3.5 SP1 and .Net Framework 4.0 or 4.5
• PowerShell 3.0
• Latest version supports DirSync to run on a DC
DirSync - Tips
Before syncing, check that your UPN suffix matches!
Filtering:
• OU Based
• Domain Based
• User Attribute Based
To control the sync with custom attributes, see:
http://ronnydejong.com/2013/05/01/windows-intune-selective-active-directory-synchronization/
Password Sync – What it is
• Feature of DirSync that synchronizes user password hashes from on-premises AD to Windows Azure AD (WAAD)
• Enables users to log on to WAAD services using the same username/password as on-premise AD
• Part of DirSync – no additional software
• No changes to domain controllers, no reboots
Password Sync – What it is
• Easier, less-expensive alternative to AD FS Single Sign-On, but certainly not the same thing
• No redirection to on-premise authentication
• No token exchange between the on-premises environment and the cloud
• Authentication takes place in the cloud
• Only for single-forest scenario
Password Sync – How it works
Security considerations
• Synchronizes hashes from on-premises AD to Azure AD
• Never sees or stores plaintext passwords
Password Policy considerations
• Defers to on-premises password policies
• On-premises complexity policies override cloud policies for synchronized users
• Passwords of synchronized users “never expire” in the cloud
Password Sync – How it works
• Checks for password updates every 2 minutes
• DirSync of other attributes still runs every 3 hours
• Only syncs passwords for users scoped for DirSync
• Won’t sync the password hash if “user must change password at next logon” is set
• Retries failed password syncs every hour for up to 1 day
• Full Password Sync available via PowerShell (Set-FullPasswordSync)
Steps to successfully install DirSync
New: Azure AD Sync
• Now supports password sync
• Multi-Forest support
• Advanced filtering capabilities – Objects & Attributes
• Available here: http://www.microsoft.com/en-us/download/details.aspx?id=44225
Time to decide: Sync vs Federation
Synchronization: User attributes are synchronized including the password hash. Authentication can be completed against either Azure or Windows Server Active Directory.
Federation: User attributes are synchronized; authentication is passed back through federation and completed against Windows Server Active Directory. AD FS provides conditional access to resources, Workplace Join for device registration and integrated Multi-Factor Authentication.
SSO, DRS AND WORKPLACE JOIN
ADFS 3.0 new features
AD FS has become the Swiss Army Knife of Microsoft authentication:
• AD workplace join
• Single Sign On
• Work from anywhere
• Multifactor Authentication
• Multifactor Access Control
Not based on IIS anymore, but on http.sys
Highly customizable!
Many more authentication possibilities than in ADFS 2.0/2.1
Identity capabilities for BYOD with ADFS 3.0
• AD Workplace Join: Users join their device to their workplace, making the device known to the company’s Active Directory
• Single Sign On (SSO): Users sign in once to their company from any application and are not prompted for credentials by every company application when using workplace joined devices
• Work From Anywhere: Businesses enable users to work from anywhere while adhering to their IT governance policies around risk management
• Multi-factor Authentication: Businesses require additional factors of authentication when business critical resources are accessed or when there is perceived risk
• Multi-factor Access Control: Businesses set conditional access control to resources based on four core pivots: the user, the device used, the user’s network location and use of additional auth factors
Certificate Requirements for ADFS 3.0
*.Domain.com (wildcard certificate)
• No additional Subject Alternate Names (SAN) are required
• Works with Sub-domains
• Simple Management – less expensive in the end
“Named Certificates” (more secure)
• More Management – more expensive in the end
• Additional Subject Alternate Names are required for:
– Workplace Join (SAN = …)
– Device Registration service (SAN …)
Requirements for ADFS 3.0
Forest Schema must be 2012 R2 for DRS
Service account:
Group Managed Service Accounts (gMSA) are recommended but not a requirement!
Group Managed Service Accounts are not available by default because the KDS Root Key has not been set. Use the following PowerShell command to create the key:
• Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
If ADFS is installed on a DC with use of a gMSA, read http://scug.be/sccm/2014/01/15/adfs-3-0-on-windows-2012-r2-adfssrv-hangs-in-starting-mode-and-makes-youre-domain-controller-unusable-after-reboot/
Other requirements for ADFS 3.0
• Federation name: e.g. federation.demolabs.be
• SQL version: WID or SQL
• Load balance or not: use F5 or equivalent
• Foresee an A-Record on:
– Internal DNS server: federation.demolabs.be 192.168.0.x
– External DNS server: federation.demolabs.be 81.x.x.x
STEPS TO INSTALL ADFS 3.0
Lab Setup (diagram)
• Cloud: Intune Wave x Integration, Federation Trust
• External DNS Registration: A-Record Federation.Demolabs.Be, A-Record EnterpriseRegistration.Demolabs.Be, A-Record Workfolders.Demolabs.be, Public IP 82.x.x.x
• Firewall / NAT in front of the Web Application Proxy (not domain joined)
• Internal: Workfolders Server, Domain Controller Demolabs.be, ADFS / DirSync
• *.Demolabs.be SSL Cert 2048 Bits on the WAP, the Workfolders server and the ADFS server
• Links between the tiers are labelled HTTPS - 403 in the diagram
Steps to install ADFS 3.0
Validate if your ADFS server works successfully internally:
https://federation.demolabs.be/adfs/ls/idpinitiatedsignon.aspx
Customize your ADFS server to your needs. E.g. change the logo with PowerShell:
Set-AdfsWebTheme -TargetName default -Logo @{path="c:\admin\ADFS\Demolabs-Logo-1.png"}
But there is much more: http://technet.microsoft.com/en-us/library/dn280950.aspx
Demo: ADFS Check / Customization
STEPS TO INSTALL THE WEB APPLICATION PROXY (WAP)
Steps to install WAP
Validate if your ADFS server works successfully through the WAP externally (internet):
https://federation.demolabs.be/adfs/ls/idpinitiatedsignon.aspx
Configuration is done through the Remote Access Management snap-in.
Deploy and Configure AD Federation Services
Install the Windows Azure Active Directory Module on the ADFS server.
To set up SSO by using the Windows Azure Active Directory Module for Windows PowerShell, use the following commands:
1. Connect-MsolService -Credential:(Get-Credential)
2. Use one of the following commands, as appropriate for your situation:
Convert-MsolDomainToFederated -DomainName:<federated domain name>
Update-MsolFederatedDomain -DomainName:<federated domain name>
To make sure your DirSync tenant account's password doesn't expire (Set-MsolUser identifies the account by -UserPrincipalName):
Set-MsolUser -UserPrincipalName [email protected] -PasswordNeverExpires $true -StrongPasswordRequired $true
Prevent your self-signed certificate for token signing in Azure from expiring unnoticed. See:
http://scug.be/sccm/2014/04/23/configmgr-2012-windows-intune-sso-self-signed-certificate-for-token-signing-is-about-to-expire-now-what/
WHAT IS WORKPLACE JOIN?
Expanding device support with DRS (diagram): a spectrum from Not Joined to AD (limited access, no IT control), through Workplace Joined, to Domain Joined (Active Directory).
STEPS TO ENABLE DEVICE REGISTRATION SERVICE (DRS) FOR WORKPLACE JOIN
Workplace join Requirements
• ADFS 3.0 with DRS enabled and a Web Application Proxy (WAP)
• A *.Domain.com certificate, or custom certificates with SANs defined: for DRS, your SSL cert needs to contain SAN (subject alternative name) entries for “enterpriseregistration” + each distinct UPN suffix in use by users in your forest(s). So for example:
– Enterpriseregistration.Demolabs.be
– Enterpriseregistration.Demolabs.com
– Enterpriseregistration.corp.Demolabs.be
• If you plan to use client certificate authentication, you must also configure the firewall to allow traffic on port 49443
• Necessary Host A / CNAME records in both internal/external DNS Servers
Steps to enable workplace join
• Create a Host A Record on the Public DNS called enterpriseregistration.demolabs.be
• Create a CNAME (Alias) record in the internal DNS called enterpriseregistration.demolabs.be. This record points to the host (A) record of the AD FS federation service internally.
• Configure the WAP proxy so it can find enterpriseregistration.demolabs.be
Steps to enable DRS
Remember: the new Device class requires a schema change to Active Directory (R2)!
1. Open a Windows PowerShell command window and type: Initialize-ADDeviceRegistration
2. When prompted for a service account, type your gMSA account, e.g. Demolabs\svc.adfs
3. Now run the Windows PowerShell cmdlet: Enable-AdfsDeviceRegistration
4. On the ADFS server, edit the Global Primary Authentication Policy and select the check box next to Enable Device Authentication.
Troubleshooting Workplace Join - BackEnd
• Look up “enterpriseregistration.demolabs.be”. It should resolve to the IP of your Web Application Proxy (WAP).
• In case no IP is resolved, check your public domain's DNS zone and validate that the CNAME “enterpriseregistration” is pointing to your Web Application Proxy.
• Type in a browser: https://enterpriseregistration.demolabs.be/EnrollmentServer/contract?api-version=1.0
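The external validation of the federation endpoint (the idpinitiatedsignon check through the WAP) and the back-end DRS checks above, scripted as one added example that is not from the session deck: it assumes the lab domain demolabs.be, a constructed placeholder for the WAP's public address, and that the DRS contract endpoint returns a JSON document.

```powershell
# Added example (not from the deck): check from outside the network that the names used in the
# session resolve to the Web Application Proxy and that the published ADFS and DRS endpoints answer.
# Assumes the lab domain demolabs.be; the WAP public address is a constructed placeholder.
$Domain      = 'demolabs.be'
$WapPublicIp = '82.0.0.1'   # constructed; use the NAT address of your WAP

$Endpoints = @(
    @{ Host = "federation.$Domain";             Path = '/adfs/ls/idpinitiatedsignon.aspx';        Json = $false }
    @{ Host = "enterpriseregistration.$Domain"; Path = '/EnrollmentServer/contract?api-version=1.0'; Json = $true }
)

function Test-PublishedEndpoint {
    param([hashtable]$Endpoint)
    $r = [ordered]@{ Host = $Endpoint.Host; Resolves = $false; HitsWap = $false; Http = $null; Problem = $null }

    # Step 1: DNS. A CNAME is followed automatically; only the final A records matter.
    try {
        $ips = @(Resolve-DnsName -Name $Endpoint.Host -Type A -ErrorAction Stop |
                 Where-Object Type -eq 'A' | ForEach-Object IPAddress)
    } catch { $r.Problem = "DNS: $($_.Exception.Message)"; return [pscustomobject]$r }
    $r.Resolves = $ips.Count -gt 0
    $r.HitsWap  = $ips -contains $WapPublicIp
    if (-not $r.HitsWap) { $r.Problem = "resolves to '$($ips -join ',')', not the WAP: fix the public A/CNAME record" }

    # Step 2: HTTPS through the WAP. A TLS name mismatch (missing SAN) surfaces here as an exception.
    try {
        $resp = Invoke-WebRequest -Uri "https://$($Endpoint.Host)$($Endpoint.Path)" -UseBasicParsing -ErrorAction Stop
        $r.Http = $resp.StatusCode
        if ($Endpoint.Json) {
            # Assumption: the DRS contract endpoint returns JSON; anything else means the WAP
            # published the wrong backend (e.g. a generic IIS page or an ADFS error page).
            try { $null = $resp.Content | ConvertFrom-Json } catch { $r.Problem = 'reachable, but the DRS contract is not JSON' }
        }
    } catch { $r.Problem = "HTTPS: $($_.Exception.Message)" }
    [pscustomobject]$r
}

$Endpoints | ForEach-Object { Test-PublishedEndpoint -Endpoint $_ } | Format-Table -AutoSize
```

Run it from a machine outside the corporate network so it exercises the public DNS zone and the WAP, not the internal CNAME.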
Troubleshooting Workplace Join - Client
Event viewer is still your best friend! Use the Microsoft | Workplace Join event log to troubleshoot.
E.g. URL (enterpriseregistration.xxxx.yyyy) cannot be resolved or reached.
Lost Device Protection
Devices registered via Workplace Join are registered within Active Directory in the container:
– CN=<Device ID>,CN=RegisteredDevices,DC=mydomain,DC=com
Lost devices can be denied access by disabling or deleting the appropriate object within AD. Access through AD FS is immediately revoked for the workplace joined client.
From testing thus far, devices joined, left and re-registered via Workplace Join are not currently cleaned up within the RegisteredDevices container. Some PowerShell scripting is currently required to enforce this.
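Lost-device revocation and stale-registration cleanup for the slide above, as an added example that is not from the session deck or the Hitman tool: it assumes the ActiveDirectory module, the lab domain demolabs.be, and that msDS-Device objects expose the msDS-IsEnabled and msDS-DeviceOSType attributes (assumed attribute names).

```powershell
# Added example (not from the deck): revoke a lost workplace-joined device by disabling its
# msDS-Device object, and list the duplicate registrations the deck says DRS does not clean up.
# Assumes the ActiveDirectory module and the attribute names msDS-IsEnabled / msDS-DeviceOSType.
Import-Module ActiveDirectory

$DomainDn  = 'DC=demolabs,DC=be'                      # lab domain from the session
$Container = "CN=RegisteredDevices,$DomainDn"
$Props     = 'displayName','msDS-IsEnabled','msDS-DeviceOSType','whenCreated'

function Get-WorkplaceJoinedDevice {
    # Every Workplace Join creates one msDS-Device object directly under the container.
    Get-ADObject -SearchBase $Container -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msDS-Device)' -Properties $Props |
        ForEach-Object {
            [pscustomobject]@{
                Name       = $_.displayName
                Enabled    = $_.'msDS-IsEnabled'
                OS         = $_.'msDS-DeviceOSType'
                Registered = $_.whenCreated
                DN         = $_.DistinguishedName
            }
        }
}

function Disable-LostDevice {
    # Disabling (rather than deleting) keeps the object for later review while AD FS stops
    # issuing tokens for it; -Delete removes it outright, as the slide also allows.
    param([Parameter(Mandatory)][string]$DeviceName, [switch]$Delete)
    $found = Get-WorkplaceJoinedDevice | Where-Object Name -eq $DeviceName
    if (-not $found) { throw "No registered device named '$DeviceName'" }
    foreach ($d in $found) {
        if ($Delete) { Remove-ADObject -Identity $d.DN -Confirm:$false }
        else { Set-ADObject -Identity $d.DN -Replace @{'msDS-IsEnabled' = $false} }
    }
}

function Get-StaleDeviceRegistration {
    # Same device name registered more than once: keep the newest, return the older copies for cleanup.
    Get-WorkplaceJoinedDevice | Group-Object Name | Where-Object Count -gt 1 | ForEach-Object {
        $_.Group | Sort-Object Registered -Descending | Select-Object -Skip 1
    }
}

# Usage: list, revoke a lost laptop, then review leftovers before removing them.
Get-WorkplaceJoinedDevice | Format-Table Name, Enabled, OS, Registered
Disable-LostDevice -DeviceName 'LAPTOP-TIM01'                        # constructed device name
Get-StaleDeviceRegistration | ForEach-Object { Remove-ADObject -Identity $_.DN -WhatIf }
```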
Demo: Workplace Join / Lost Devices
Workplace Join Hitman tool: Beta available via TechNet Galleries:
http://gallery.technet.microsoft.com/WorkPlace-Join-Hitman-8c691238#content
ENABLE WINDOWS INTUNE THROUGH CONFIGMGR 2012 R2
Prep your ConfigMgr environment
• Implement Cumulative Update 3: https://support.microsoft.com/kb/2994331
• Hotfix: https://support.microsoft.com/kb/2990658
Intune Subscription Prerequisites
• Intune User Collection (Licenses)
• Company logo 400 x 100 pixels (optional)
• (Optional) Create an APNs certificate for iOS
• (Optional) Supply Windows RT Sideloading Keys
• (Optional) Request/Buy a Windows Phone 8 Code Signing certificate and code-sign the Windows Phone 8 Company Portal App
• (Optional) Enable the Android platform
Demo: Intune Subscription Onboarding
“Modern” Platforms vs “Features” integrated into CfgMgr
Platforms:
• Windows 8 RT
• Windows Phone 8
• iOS (5.x, 6.x, 7.x)
• Android (2.3+ via EAS)
• Android (4.0+ via native agent)
• Windows 8.1 (x86/x64 and RT)
Features:
• Over the air device enrollment
• Available user targeted applications
• User and device settings management
• Device inventory
• Remote device retirement
• Remote device wipe (full and selective)
• Company branding
• Web apps and remote apps
• Required application deployment
• VPN/Wi-Fi/certificate profiles
• Additional settings (Not on ConfigMgr R2 yet?)
On-premises connector Setup Troubleshooting
• Intune subscription: AdminUILog\SmsAdminUI.log
• Connector setup: sitecomp.log and ConnectorSetup.log
• Connector certificate: certmgr.log
User Sync Troubleshooting
• Cloudusersync.log
• Cloud user collection in Admin Console
• Cloud user ID
Demo: Device Enrollments
Enrollment Support Info
Search Criteria:
• LSU, MSU, account id, user id (last 6 digits)
• Email domain or other feature-specific keyword
• Time of incident (time zone)
• Logs (DMPUploader.log, DMPDownloader.log, CloudUserSync.log)
Example:
• AccountId: 21c26ac1……29b40f
• LsuId: LSUA01
• MsuId: MSUA01
• UserID: ……d7facc
• Domain: contoso.onmicrosoft.com
Q & A
Evaluations: Please provide session feedback by clicking the Eval button in the scheduler app. One lucky winner will get a free ticket to the next MMS!
Visit all of our sponsors in the expo area and online!
MMS Minnesota 2014
Tim De Keukelaere, Kenny Buntinx
#MMSMinnesota #MMSCMIntune