configmgr 2012 r2 & intune -...

ConfigMgr 2012 R2 & IntuneStep by Step explained from setting it up, to identity control

(ADFS , DRS and Workplace Join)

Tim De KeukelaereKenny Buntinx

#MMSMinnesota#MMSCMIntune

CM12 & INTUNE: STEP BY STEP EXPLAINED

About Kenny

Kenny Buntinx

Managing Consultant

[email protected]

# MMSMinnesota

@KennyBuntinx

http://be.linkedin.com/KennyBuntinx

http://scug.be/blogs/sccm

http://be.linkedin.com/KennyBuntinx

http://scug.be/blogs/sccm


About Tim

Tim De Keukelaere

Managing Consultant

[email protected]

#MMSMinnesota

@Tim_DK

http://be.linkedin.com/in/timdekeukelaere/

http://scug.be/tim/

http://be.linkedin.com/in/timdekeukelaere/

http://scug.be/tim/


Key Takeaways

#MMSMinnesota

• ADFS with SSO

• Workplace join and DRS

• DirSync

• UDM Integration with CM12

Understanding these concepts:

• Knowing how to implement them

Hands-on:


Assumptions

# MMSMinnesota

• Practical experience with System Center Configuration Manager 2012 SP1/R2

• Knowledge of Windows Server 2012 R2

About our audience

• Not the ADFS, Certificate or Identity Specialists, but we had our share in “challenges”

• Not aiming to explain in detail “How to enroll all possible devices”

About us

WARNINGPERMITTING FANCY GADGETS TO BE BROUGHT TO WORK

MAKE YOUR LIFE AS AN IT PROFESSIONAL HARDER


#MMSMinnesota

Users can work from anywhere on their device with access to their corporate resources.

Users can register devices for single sign-on and access to corporate data with Workplace Join

Users can enroll devices for access to the Company Portal for easy access to corporate applications

IT can publish access to resources with the Web Application Proxy based on device awareness and the users identity


SETTING UP CM12 AND

WINDOWS INTUNE FOR UDM


Requirements for UDM technologies

#MMSMinnesota

Windows Intune UDM

• ConfigMgr 2012 SP1 or R2

• Domain Controller OS = minimumW2K3 SP2

• Minimal Forest Schema = W2K3 SP2

• Optional : ADFS 2.0 - 2.1 – 3.0

• Optional : ADFS Proxy Server

• Internal and external DNS A / Cname Records

• Certificates

• Dirsync with optional password sync

Workplace Join (Optional)

• Forest Functional Level = 2003

• Domain Controller OS = minimumW2K8R2

• Minimal Forest Schema = W2K12R2

• ADFS 3.0

• Web Application Proxy (WAP)

• Internal and external DNS A / Cname Records

• Certificates


Process Overview

# MMSMinnesota

Create Windows Intune Subscription

•Purchase from windowsintune.com

•Purchase Volume License agreement

Add Public DNS details for enrollment redirection

Verify Users have Public Domain UPNs

and perform AD User Discovery

Deploy and Configure

AD Directory Synchronization

Deploy and Configure

AD Federation Services

(Not required but strongly recommended!)

Reset User Password

or use password sync if not using ADFS

Configuring Configuration Manager for Mobile

Device Management

•Creating a Windows Intune Subscription in the Configuration

Manager console

•Creating the Windows Intune Connector site system role

Verification of Configuration Manager successfully connecting

to Windows Intune service


Create Windows Intune Subscription

First order of business: create a Windows Intune subscription.

This can be performed as a Volume License agreement, through

those normal channels.

If you do not have a VL Agreement for Configuration Manager you may create a Windows Intune subscription directly from www.WindowsIntune.com .

Once complete, login to the Windows Intune Account Portal

account.manage.microsoft.com (with Tenant Account)

# MMSMinnesota


Create Verifiable Public Domain

To ensure users are synchronized correctly, create a verified public

domain within Windows Intune Account Portal. This is a public domain for the company, something like demolabs.be

This domain must be able to be verified as a registered domain by an external source

Next, configure the on-premise AD Directory Synchronization with

Microsoft Online.

For device enrollment ensure you have a public DNS CNAME record

directing EnterpriseEnrollment to manage.microsoft.com

# MMSMinnesota

#MMSMinnesota#MMSMinnesota

Demo

Adding Domain / Activate Dirsync


Verify User Details and Perform AD User Discovery

Ensure users that will be managed have this Public Domain as their

primary Universal Principal Name (UPN) in Active Directory.

To add UPNs for each user, either edit via ADSI or script, similar to that

shown in here:

http://blogs.technet.com/b/heyscriptingguy/archive/2004/12/06/ho

w-can-i-assign-a-new-upn-to-all-my-users.aspx

Once confirmed perform AD User Discovery in Configuration

Manager 2012 SP1


Demo

Schema Verification / Adding UPN’s


DIRSYNC


# MMSMinnesota

Dirsync

with

Password Sync

ADFS


Dirsync - Purpose

Sync users/groups

from your on-

premise AD into the

cloud

Schedule based

# MMSMinnesota


DirSync Requirements 64-bit Edition of Windows Server

Windows Server 2008 Datacenter

Windows Server 2008 R2 Standard or Enterprise, Windows Server 2008 R2

Datacenter

Windows Server 2012 Standard or Datacenter

Windows Server 2012 R2 Standard or Datacenter

.Net Framework 3.5 SP1 and .Net Framework 4.0 or 4.5

Powershell 3.0

Latest version supports DirSync to run on a DC

# MMSMinnesota


DirSync - Tips

Before sync , check your that your UPN suffix matches !

Filtering:

OU Based

Domain Based

User Attribute Based

To control the sync with custom attributes , see:

http://ronnydejong.com/2013/05/01/windows-intune-selective-active-directory-synchronization/

# MMSMinnesota

http://ronnydejong.com/2013/05/01/windows-intune-selective-active-directory-synchronization/


Password Sync – What it is

Feature of DirSync that synchronizes user password hashes

from on-premises AD to Windows Azure AD (WAAD)

Enables users to log to WAAD services using the same

username/password as on-premise AD

Part of DirSync– No additional software

– No changes to domain controllers, no reboots

# MMSMinnesota


Password Sync – What it is

Easier, less-expensive alternative to AD FS Single Sign-On, but

certainly not the same thing

No redirection to on premise authentication

No token exchange between the on-premises environment and the cloud

Authentication takes place in the cloud

Only for single-forest scenario

# MMSMinnesota


Password Sync – How it works

Security considerations

Synchronizes hashes from on-premises AD to Azure AD

Never see or store plaintext passwords

Password Policy considerations

Defer to on-premises password policies

On-premises complexity policies override cloud policies for synchronized users

Passwords of synchronized users “never expire” in the cloud

# MMSMinnesota


Password Sync – How it works Checks for password updates every 2 minutes

DirSync of other attributes still runs every 3 hours

Only sync passwords for users scoped for DirSync Won’t sync password hash if “user must change Password at next logon”

Retries failed password syncs Retries every hour for up to 1 day

Full Password Sync Available via PowerShell (Set-FullPasswordSync)

# MMSMinnesota


Steps to successfully install DirSync

# MMSMinnesota


New: Azure Ad Sync

• Now supports password sync

• Multi-Forest support

• Advanced filtering capabilities– Objects & Attributes

• Available here:– http://www.microsoft.com/en-us/download/details.aspx?id=44225

#MMSMinnesota


Time to decide: Sync vs Federation

User attributes are synchronized including the password hash, Authentication can be completed against either Azure or Windows Server Active Directory

User attributes are synchronized , authentication is passed back through federation and completed against Windows Server Active Directory

Synchronization

Federation

AD FS provides conditional access to resources, Work Place Join for device registration and integrated Multi-Factor Authentication


# MMSMinnesota

Dirsync

with

Password Sync

ADFS


SSO, DRS

AND WORKPLACE JOIN


ADFS 3.0 new features AD FS has become the Swiss Army Knife of Microsoft authentication

AD workplace join

Single Sign On

Work from anywhere

Multifactor Authentication

Multifactor Access Control

Not based on IIS anymore , but on the http.sys

Highly customizable !

Much more authentication possibilities then in ADFS 2.0/2.1

# MMSMinnesota


Identity capabilities for BYOD with ADFS 3.0

# MMSMinnesota

•Users join their device to their workplace, making the device known to the company’s Active Directory

AD Workplace Join

•Users sign-in once to their company from any application and are not prompted for credentials by every company application when using workplace joined devices

Single Sign On (SSO)

•Businesses enable users to work from anywhere while adhering to their IT governance policies around risk management

Work From Anywhere

•Businesses require additional factors of authentication when business critical resources are accessed or when there is perceived risk

Multi-factor Authentication

•Businesses set conditional access control to resources based on four core pivots: the user, the device used, the user’s network location and use of additional auth factors

Multi-factor Access Control


Certificate Requirements for ADFS 3.0

# MMSMinnesota

*.D

om

ain

.co

m

•No additional Subject Alternate Names (SAN) are required

•Works with Sub-domains

•Simple Management – less expensive in the end

“N

am

ed

Ce

rtific

ate

s”

(mo

re s

ec

ure

)

•More Management – more expensive in the end

•Additional Subject Alternate Names are required for

•Workplace Join ( SAN = …)

•Device Registration service (SAN …)


Requirements for ADFS 3.0

Forest Schema must be 2012 R2 for DRS

Service account:

Group Managed Service Accounts (Gmsa) is recommended but not a requirement !

Group Managed Service Accounts are not available by default because the KDS Root Key has

not been set. Use the following PowerShell command to create the key:

• "Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)“

If ADFS is installed on DC with use of Gmsa , read http://scug.be/sccm/2014/01/15/adfs-3-0-on-

windows-2012-r2-adfssrv-hangs-in-starting-mode-and-makes-youre-domain-controller-unusable-

after-reboot/

# MMSMinnesota

http://scug.be/sccm/2014/01/15/adfs-3-0-on-windows-2012-r2-adfssrv-hangs-in-starting-mode-and-makes-youre-domain-controller-unusable-after-reboot/


Other requirements for ADFS 3.0

Federation name

E.g. federation.demolabs.be

SQL version WID or SQL

Load balance or not Use F5 or equivalent

Foresee A-Record on :

Internal DNS server Federation.

demolabs.be 192.168.0.x

External DNS Server Federation.

demolabs.be 81.x.x.x

# MMSMinnesota


STEPS TO INSTALL ADFS 3.0


Lab Setup

# MMSMinnesota

Cloud

Intune Wave x IntegrationExternal DNS Registration

A-Record: Federation.Demolabs.BeA-Record: EnterpriseRegistration.Demolabs.Be

A-Record: Workfolders.Demolabs.bePublic IP: 82.x.x.xFederation Trust

*.Demolabs.beSSL Cert 2048 Bits



FirewallNAT

FirewallNAT

Web Appl Proxy(Not domain joined)

Workfolders Server

Domain ControllerDemolabs.be

ADFS / DirSync

HTT

PS

- 40

3

HTTPS - 403HTTPS - 403HTTPS - 403


Steps to install ADFS 3.0

# MMSMinnesota


Steps to install ADFS 3.0 Validate if your ADFS server works successfully internally

https://federation.demolabs.be/adfs/ls/idpinitiatedsignon.aspx

Customize your ADFS server to your needs :

E.g: Change logo with powershell : Set-AdfsWebTheme -TargetName

default -Logo @{path="c:\admin\ADFS\Demolabs-Logo-1.png"}

But there is much more: http://technet.microsoft.com/en-

us/library/dn280950.aspx

# MMSMinnesota

https://federation.vnextdemo.be/adfs/ls/idpinitiatedsignon.aspx

http://technet.microsoft.com/en-us/library/dn280950.aspx


Demo

ADFS Check / Customization


STEPS TO INSTALL THE WEB

APPLICATION PROXY (WAP)


Steps to install WAP

# MMSMinnesota


Steps to install WAP

Validate if your ADFS server works successfully through the

WAP externally (internet)

https://federation.demolabs.be/adfs/ls/idpinitiatedsignon.aspx

Configuration through the Remote Access Management

snap-in.

# MMSMinnesota

https://federation.vnextdemo.be/adfs/ls/idpinitiatedsignon.aspx


Deploy and Configure AD Federation Services

Install the Windows Azure Active Directory Module on the ADFS server

To set up SSO by using the Windows Azure Active Directory Module for Windows PowerShell, use the

following commands:

1. Connect-MsolService -Credential:(get-credential)

2. Use one of the following commands, as appropriate for your situation:

Convert-MSOLDomainToFederated -DomainName:<federated domain name>

Update-MSOLFederatedDomain -DomainName:<federated domain name>

To make sure you’re dirsync tenant accounts password doesn’t expire :

Set-MSOLUser –identity [email protected] –PasswordNeverExpires $true –StrongPasswordRequired $true

Prevent that your Self- signed certificate for token signing in Azure is about to expire. See :

http://scug.be/sccm/2014/04/23/configmgr-2012-windows-intune-sso-self-signed-certificate-for-token-signing-is-about-to-expire-now-what/

# MMSMinnesota

mailto:[email protected]


WHAT IS WORKPLACE JOIN ?


Expanding device support with DRS

# MMSMinnesota

Limited access

No IT Control

Active Directory

Not Joined to AD Workplace Joined Domain Joined


STEPS TO ENABLE DEVICE

REGISTRATION SERVICE (DRS)

FOR WORKPLACE JOIN


Workplace join Requirements

ADFS 3.0 with DRS enabled and a Web Authentication proxy (WAP) *.Domain.com certificate or custom certificates with SAN defined :

for DRS, your SSL cert needs to contain SAN (subject alternative name) entries for

“enterpriseregistration” + each distinct UPN suffix in use by users in your forest(s).

So for example:

Enterpriseregistration.Demolabs.be

Enterpriseregistration.Demolabs.com

Enterpriseregistration.corp. Demolabs.be

If you plan to use client certificate authentication, you must also configure the firewall to allow traffic on port 49443

Necessary Host A / Cname records in both internal/external DNS Servers

# MMSMinnesota


Steps to enable workplace join

Create Host A Record on Public DNS called enterpriseregistration.

demolabs.be

Create CNAME (Alias) record in the internal DNS called enterpriseregistration.

demolabs.be This record points to the host (A) record of the AD FS federation

service internally.

Configure the WAP Proxy to find the enterpriseregistration.demolabs.be

#MMSMinnesota


Steps to enable DRS

Remember : New Device class requires a schema change to Active Directory (R2)!

Open a Windows PowerShell command window and type: Initialize-ADDeviceRegistration

When prompted for a service account, type your gmsa account - Demolabs\svc.adfs

Now run the Windows PowerShell cmdlet. Enable-AdfsDeviceRegistration

On the ADFS server , Edit the Global Primary Authentication Policy and select the check box next to Enable Device Authentication.

#MMSMinnesota


Troubleshooting Workplace Join - BackEnd

Lookup “enterpriseregistration.demolabs.be”

It should resolve to the IP of your Web Application Proxy (WAP)

In case no IP is resolved, check your public domains DNS zone and validate

CNAME “enterpriseregistration” is pointing to your Web Application Proxy.

Type in a browser: https://enterpriseregistration.demolabs.be/EnrollmentServer/contract?api-version=1.0

#MMSMinnesota


Troubleshooting Workplace Join - Client

Event viewer is still your best friend !

Microsoft|Workplace Join to troubleshoot!

URL (enterpriseregistration.xxxx.yyyy) cannot be resolved or reached.

#MMSMinnesota

http://ipsts.files.wordpress.com/2013/09/clip_image011.png

http://ipsts.files.wordpress.com/2013/09/clip_image011.png


Lost Device Protection

Devices registered via Workplace Join are registered within Active Directory in the container :

– CN=<Device ID>,CN=RegisteredDevices,DC=mydomain,DC=com.

Lost devices can be denied access by disabling or deleting the appropriate object within AD. Access through AD FS is immediately revoked for the workplace joined client.

From testing thus far, devices joined, left and re-registered via Workplace Join are not currently cleaned up within the RegisteredDevices container. Some PowerShell scripting is currently required to enforce this.

#MMSMinnesota


Demo

Workplace Join / Lost Devices


Workplace Join Hitman toolBeta available via TechNet Galleries:

http://gallery.technet.microsoft.com/WorkPlace-Join-Hitman-8c691238#content


ENABLE WINDOWS INTUNE

THROUGH

CONFIGMGR 2012 R2


Prep your ConfigMgr environment

• Implement Cumulative Update 3– https://support.microsoft.com/kb/2994331

• Hotfix:– https://support.microsoft.com/kb/2990658

#MMSMinnesota

https://support.microsoft.com/kb/2994331

https://support.microsoft.com/kb/2990658


Intune Subscription Prerequisites

Intune User Collection (Licenses)

Company logo 400 x 100 pixels (optional)

(Optional) Create a APNs certificate for iOS

(Optional) Supply Windows RT Sideloading Keys

(Optional) Request/Buy a Windows Phone 8 Code Signing

certificate and code-sign the Windows Phone 8 Company Portal App.

(Optional) Enable the Android platform

#MMSMinnesota

http://www.symantec.com/verisign/code-signing/windows-phone

http://www.microsoft.com/en-us/download/details.aspx?id=36060


Demo

Intune Subscription Onboarding


“Modern” Platforms vs “Features” integrated into CfgMgr

#MMSMinnesota

• Windows 8 RT• Windows Phone 8• iOS (5.x, 6.x, 7.x)• Android (2.3+ via EAS)• Android (4.0+ via native agent)• Windows 8.1 (x86/x64 and RT)

• Over the air device enrollment

• Available user targeted applications

• User and device settings management

• Device inventory

• Remote device retirement

• Remote device wipe

(full and selective)

• Company branding

• Web apps and remote apps

• Required application deployment

• VPN/Wi-Fi/certificate profiles

• Additional settingsNot on ConfigMgr R2 yet ?


On-premises connector Setup Troubleshooting

• Intune subscription: AdminUILog\SmsAdminUI.log

• Connector setup: sitecomp.log and ConnectorSetup.log

• Connector certificate: certmgr.log

#MMSMinnesota


User Sync Troubleshooting

• Cloudusersync.log

• Cloud user collection in Admin Console

• Cloud user ID

#MMSMinnesota


Demo

Device Enrollments


Enrollment Support Info

•LSU, MSU, account id, user id(last 6 digits)

•email domain or other feature specific keyword

•Time of incident (time zone)

•Logs (DMPUploader.log, DMPDownloader.log, CloudUserSync.log)

Search Criteria

•AccountId : 21c26ac1……29b40f

•LsuId : LSUA01

•MsuId : MSUA01

•UserID : ……d7facc

•Domain : contoso.onmicrosoft.com

Example


Q & A

EvaluationsPlease provide session feedback by

clicking the Eval button in the

scheduler app. One lucky winner will

get a free ticket to the next MMS!

Visit all of our sponsors in the expo area and online!

Platinum Sponsors:

Gold Sponsors:

MMS Minnesota 2014

Tim De Keukelaere

Kenny Buntinx

#MMSMinnesota

#MMSCMIntune

configmgr 2012 r2 & intune -...

Documents