ConfigMgr 2012 R2 & Intune: Step by Step explained from setting it up

Post on 19-Jul-2018


  • ConfigMgr 2012 R2 & Intune: Step by Step explained from setting it up, to identity control (ADFS, DRS and Workplace Join)

    Tim De Keukelaere, Kenny Buntinx

    #MMSMinnesota #MMSCMIntune

  • CM12 & INTUNE: STEP BY STEP EXPLAINED

    About Kenny

    Kenny Buntinx

    Managing Consultant

    Kenny.Buntinx@kbsolutions.be

    @KennyBuntinx

    http://be.linkedin.com/KennyBuntinx

    http://scug.be/blogs/sccm

  • About Tim

    Tim De Keukelaere

    Managing Consultant

    Tim.De.Keukelaere@IT-Essence.be

    @Tim_DK

    http://be.linkedin.com/in/timdekeukelaere/

    http://scug.be/tim/

  • Key Takeaways

    Understanding these concepts:

    ADFS with SSO

    Workplace join and DRS

    DirSync

    UDM Integration with CM12

    Hands-on:

    Knowing how to implement them

  • Assumptions

    About our audience:

    Practical experience with System Center Configuration Manager 2012 SP1/R2

    Knowledge of Windows Server 2012 R2

    About us:

    Not the ADFS, Certificate or Identity Specialists, but we had our share of challenges

    Not aiming to explain in detail how to enroll all possible devices

  • WARNING: PERMITTING FANCY GADGETS TO BE BROUGHT TO WORK MAKES YOUR LIFE AS AN IT PROFESSIONAL HARDER

  • Users can work from anywhere on their device with access to their corporate resources.

    Users can register devices for single sign-on and access to corporate data with Workplace Join

    Users can enroll devices for access to the Company Portal for easy access to corporate applications

    IT can publish access to resources with the Web Application Proxy based on device awareness and the user's identity

  • SETTING UP CM12 AND WINDOWS INTUNE FOR UDM

  • Requirements for UDM technologies

    Windows Intune UDM:

    ConfigMgr 2012 SP1 or R2

    Domain Controller OS = minimum W2K3 SP2

    Minimal Forest Schema = W2K3 SP2

    Optional: ADFS 2.0, 2.1 or 3.0

    Optional: ADFS Proxy Server

    Internal and external DNS A / CNAME records

    Certificates

    Dirsync with optional password sync

    Workplace Join (Optional):

    Forest Functional Level = 2003

    Domain Controller OS = minimum W2K8R2

    Minimal Forest Schema = W2K12R2

    ADFS 3.0

    Web Application Proxy (WAP)

    Internal and external DNS A / CNAME records

    Certificates

  • Process Overview

    Create Windows Intune Subscription: purchase from windowsintune.com or purchase a Volume License agreement

    Add Public DNS details for enrollment redirection

    Verify users have Public Domain UPNs and perform AD User Discovery

    Deploy and configure AD Directory Synchronization

    Deploy and configure AD Federation Services (not required but strongly recommended!)

    Reset user password, or use password sync if not using ADFS

    Configuring Configuration Manager for Mobile Device Management:

    Creating a Windows Intune Subscription in the Configuration Manager console

    Creating the Windows Intune Connector site system role

    Verification of Configuration Manager successfully connecting to the Windows Intune service

  • Create Windows Intune Subscription

    First order of business: create a Windows Intune subscription. This can be performed as a Volume License agreement, through the normal channels.

    If you do not have a VL Agreement for Configuration Manager, you may create a Windows Intune subscription directly from www.WindowsIntune.com.

    Once complete, log in to the Windows Intune Account Portal at account.manage.microsoft.com (with the Tenant Account).

  • Create Verifiable Public Domain

    To ensure users are synchronized correctly, create a verified public domain within the Windows Intune Account Portal. This is a public domain for the company, something like demolabs.be.

    This domain must be able to be verified as a registered domain by an external source.

    Next, configure the on-premises AD Directory Synchronization with Microsoft Online.

    For device enrollment, ensure you have a public DNS CNAME record directing EnterpriseEnrollment to manage.microsoft.com.

  • Demo: Adding Domain / Activate Dirsync

  • Verify User Details and Perform AD User Discovery

    Ensure users that will be managed have this Public Domain as their primary User Principal Name (UPN) suffix in Active Directory.

    To add UPNs for each user, either edit via ADSI or script, similar to that shown here:

    http://blogs.technet.com/b/heyscriptingguy/archive/2004/12/06/how-can-i-assign-a-new-upn-to-all-my-users.aspx

    Once confirmed, perform AD User Discovery in Configuration Manager 2012 SP1.
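The two pre-flight checks from the last two slides (the EnterpriseEnrollment CNAME and the public-domain UPN suffix) as a script. This is an added example, not the presenters' code; it assumes the RSAT ActiveDirectory module, Resolve-DnsName (Windows Server 2012 or later), and uses demolabs.be from the slides as a placeholder public domain.

```powershell
# Added example (not from the presentation). Assumes RSAT ActiveDirectory and the DnsClient
# module (Resolve-DnsName). 'demolabs.be' is the placeholder public domain from the slides.
Import-Module ActiveDirectory

function Test-EnrollmentCname {
    # Enrollment redirection: EnterpriseEnrollment.<domain> must CNAME to manage.microsoft.com
    param([Parameter(Mandatory)][string]$PublicDomain)
    $name = "EnterpriseEnrollment.$PublicDomain"
    try {
        $rec = Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop |
               Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        $target = $rec.NameHost
    } catch { $target = $null }   # NXDOMAIN or no CNAME at all: the record is missing
    [pscustomobject]@{ Record = $name; Target = $target
                       Ok = [bool]($target -and $target.TrimEnd('.') -ieq 'manage.microsoft.com') }
}

function Get-UpnMismatch {
    # Enabled users whose UPN suffix is not the verified public domain. After DirSync these
    # would not line up with their cloud identity, so fix them before AD User Discovery.
    param([Parameter(Mandatory)][string]$PublicDomain,
          [string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $forest = Get-ADForest   # forest DNS names are implicit suffixes; others must be registered
    if (($forest.UPNSuffixes + $forest.Domains) -notcontains $PublicDomain) {
        Write-Warning "$PublicDomain is not registered as a UPN suffix in the forest"
    }
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties UserPrincipalName |
        Where-Object { -not $_.UserPrincipalName -or
                       $_.UserPrincipalName.Split('@')[-1] -ine $PublicDomain } |
        Select-Object SamAccountName, UserPrincipalName,
            @{ n = 'ProposedUpn'; e = { "$($_.SamAccountName)@$PublicDomain" } }
}

function Set-PublicUpn {
    # Rewrites mismatching UPNs. Dry run unless -Apply: a UPN change alters how the user
    # signs in everywhere, not only for Intune, so review the list first.
    param([Parameter(Mandatory)][string]$PublicDomain,
          [string]$SearchBase = (Get-ADDomain).DistinguishedName,
          [switch]$Apply)
    foreach ($u in Get-UpnMismatch -PublicDomain $PublicDomain -SearchBase $SearchBase) {
        if ($Apply) { Set-ADUser -Identity $u.SamAccountName -UserPrincipalName $u.ProposedUpn }
        '{0}: {1} -> {2}{3}' -f $u.SamAccountName, $u.UserPrincipalName, $u.ProposedUpn,
            $(if ($Apply) { '' } else { ' (dry run)' })
    }
}

Test-EnrollmentCname -PublicDomain 'demolabs.be'
Set-PublicUpn -PublicDomain 'demolabs.be'   # dry run; add -Apply to write the new UPNs
```

Run it from a workstation with RSAT as an account that can read (and, with -Apply, write) the user objects in the chosen SearchBase; the DNS check queries the resolver the workstation uses, so run it from outside the corporate network if you want to confirm the public record.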

  • Demo: Schema Verification / Adding UPNs

  • DIRSYNC

  • Dirsync with Password Sync / ADFS

  • Dirsync - Purpose

    Sync users/groups from your on-premises AD into the cloud

    Schedule based

  • DirSync Requirements

    64-bit edition of Windows Server:

    Windows Server 2008 Datacenter

    Windows Server 2008 R2 Standard or Enterprise, Windows Server 2008 R2 Datacenter

    Windows Server 2012 Standard or Datacenter

    Windows Server 2012 R2 Standard or Datacenter

    .NET Framework 3.5 SP1 and .NET Framework 4.0 or 4.5

    PowerShell 3.0

    Latest version supports DirSync running on a DC

  • DirSync - Tips

    Before sync, check that your UPN suffix matches!

    Filtering:

    OU based

    Domain based

    User attribute based

    To control the sync with custom attributes, see:

    http://ronnydejong.com/2013/05/01/windows-intune-selective-active-directory-synchronization/

  • Password Sync - What it is

    Feature of DirSync that synchronizes user password hashes from on-premises AD to Windows Azure AD (WAAD)

    Enables users to log in to WAAD services using the same username/password as on-premises AD

    Part of DirSync, no additional software

    No changes to domain controllers, no reboots

  • Password Sync - What it is

    Easier, less-expensive alternative to AD FS Single Sign-On, but certainly not the same thing

    No redirection to on-premises authentication

    No token exchange between the on-premises environment and the cloud

    Authentication takes place in the cloud

    Only for single-forest scenarios

  • Password Sync - How it works

    Security considerations:

    Synchronizes hashes from on-premises AD to Azure AD

    Never sees or stores plaintext passwords

    Password policy considerations:

    Defers to on-premises password policies

    On-premises complexity policies override cloud policies for synchronized users

    Passwords of synchronized users never expire in the cloud

  • Password Sync - How it works

    Checks for password updates every 2 minutes

    DirSync of other attributes still runs every 3 hours

    Only syncs passwords for users scoped for DirSync

    Won't sync the password hash if the user must change password at next logon

    Retries failed password syncs: retries every hour for up to 1 day

    Full Password Sync available via PowerShell (Set-FullPasswordSync)

  • Steps to successfully install DirSync

  • New: Azure AD Sync

    Now supports password sync

    Multi-forest support

    Advanced filtering capabilities: objects & attributes

    Available here: http://www.microsoft.com/en-us/download/details.aspx?id=44225

  • Time to decide: Sync vs Federation

    User attributes are synchronized including the password hash; authentication can be completed against either Azure or Windows Server Active Directory

    User attributes are synchronized, authentication is passed bac