Monthly Archives: November 2016

Intune Conditional Access with Exchange Online for Windows PC’s – User Experience

This post will show the end user experience for when Conditional Access is configured to prevent non-domain joined Windows 7 and Windows 10 PC’s from accessing Exchange Online either from the Outlook client, or OWA web mail.If you would like more information on how to configure Conditional Access and for different scenario’s, see Use conditional access with Intune and Configuration Manager

In a ConfigMgr Current Branch 1610 Intune Hybrid environment, I have configured the Conditional Access in the ConfigMgr console which will then open up the Intune admin console

condacc1

I have enabled conditional access policy.

condacc3

Now on a non-domain joined Windows 7 machine when trying to access OWA, the user is presented with the “You can’t get there from here” screen below

nondomainjoined

And on the same Windows 7 machine, if a user tries to configure their Exchange Online account in Outlook application, they will get the same “You can’t get there from here” screen

nondomainjoined2

This looks the same on Windows 10

nondomainjoined3

The same screen when accessing OWA on a Windows 10 machine

nondomainjoined4

What happens if a machine had Outlook configured and working before the Conditional Access policies were put in place? In my testing, when opening the Outlook app, the same screen was displayed when it tried to connect to Exchange Online

condacc2

Advertisements

Adding Intune subscription to ConfigMgr for Hyrbid MDM

This post will show you how to add an Intune subscription to ConfigMgr  for Hybrid MDM and enable enrollment for iOS devices.

To see the benefits of using Intune with ConfigMgr rather than standalone, Microsoft has a good post Choose between Microsoft Intune standalone and hybrid mobile device management with System Center Configuration Manager

My current on-prem environment looks like this:

  • ConfigMgr Current Branch version 1606.
  • User collection created with users whose devices can be enrolled
  • Custom domain add and verified in Office 365 admin portal
  • Azure AD Connect set up to synchronize my user accounts to Azure AD. Steps to set this up are here
  • Intune subscription (You can get a 30 day trial subscription here)

First step to add the Intune subscription is to go into Cloud Services then right click Microsoft Intune Subscriptions and select Add Microsoft Intune Subscription

intune1

Have a read of the Getting Started and click Next.

intune2

Sign in with your Intune account

intune3

Have a read and if you agree, click the checkbox. Note that you can’t change this back unless you contact Microsoft Support.

intune4

Enter in your Intune username and password

intune5

Once you’re signed in, click on Next

intune6

Select the user collection with users whose devices can be enrolled. You can configure your company name and any other settings you like and click Next

intune7

Fill in any other information you would like and click Next

intune8

Specify a company logo if you like and click Next.

intune9

Select the user that you would like to be the Device Enrollment Manager. You can see more info here

intune10

If you would like to use MFA, select the enable checkbox and Next.

intune11

Confirm your settings and click Next.

intune12

Once its finished click Close. You can view the Cloudusersync.log to make sure the role was set up successfully and look out for any errors.

intune13

Next we will create an APN. The Apple Push Notification service (APNs) certificate is used to establish a trust relationship between the management service, Intune, and enrolled iOS mobile devices

intune14

intune15

intune16

Next we will login to the APN certificate portal with an Apple ID. The link is here

intune17

Click on Create Certificate

intune18

Click Accept if you accept the terms and conditions.

intune19

Upload the certificate you created earlier.

intune20

Now Download the certificate

intune21

Now we will configure the iOS platform.

intune22

Click Enable and browse to the certificate you downloaded before and click Ok.

intune23

ConfigMgr CB 1610 -Cloud Management Gateway

One of the features in the newly released 1610 update for ConfigMgr Current Branch is the pre-release Cloud Management Gateway. This is similar to the Azure Cloud Proxy feature released in the Technical Preview 1606. I wrote a post on this here.

One thing to note that seems to be different from the TP, is that the on-prem distribution point isn’t supported for cloud management gateway traffic. You will need to set up an Azure cloud based distribution point for clients to download content (applications etc). However, you can enable the Management Point and Software Update Point to receive cloud management gateway traffic.

You can see the limitations of the Cloud Management Gateway here

This post will show you how I set up the Cloud Management Gateway in a lab. I won’t dive into the certificates part but information can be found at Step-by-step example deployment of the PKI certificates for System Center Configuration Manager: Windows Server 2008 Certification Authority and

A bit of info about my setup:

  • Azure subscription (you can get a trial here)
  • ConfigMgr Current Branch 1610 environment
  • Azure Management certificate uploaded to manage.windowsazure.com
  • Cloud management gateway certificate for <name>.cloudapp.net. Info for that can be found here Note: this name needs to be unique and cannot exist in Azure
  • Workstation certificate installed on clients and exported as the root certificate
  • Management Point and SUP configured for HTTPS
  • Windows 10 client with Workstation Certificate enrolled to test 

As this is a pre-release feature, I enabled it when installing the 1610 update

clouggw01

Now you will see the Cloud Management Gateway under the Cloud Services section. Click Create.

clouggw02

Enter in your Azure Subscription ID which can be found from portal.azure.com or manage.windowsazure.com and select the Management Certificate (which needs to already be uploaded to Azure)

clouggw04

When the cloud service PKI certificate is selected from the Browse button, the service name and FQDN will automatically be filled in (this is the common name from when the certificate was requested). Make sure a unique name was chosen earlier for the certificate as it will create a cloud service in Azure with <name>.cloudapp.net

Also specify the client certificate root. You can see instructions here. Make sure this is done properly as the client will get certificate issues when trying to connect to the Management Point.

clouggw05

You have the ability to set thresholds to create alerts regarding the outbound traffic as Azure charges you based on the Outbound traffic.

clouggw06

clouggw07

You can watch the provisioning status. Or even better, examine the  CloudMgr.log so you can see exactly what is going on and look out for any issues or errors.

clouggw08

Enable the site to use PKI certificate. The workstations that communicate with the Cloud Management Gateway need a Workstation certificate enrolled. Workstation Certificates are covered here.

clouggw09

Next the Cloud Management Gateway connection point role will be added.

clouggw10

The information is filled in automatically

clouggw11

Once the role has been added, the Management Point and Software Update Point need to allow Cloud Management Gateway traffic. Make sure the Web Server certificate for the MP/WSUS is configured in IIS. There is a guide on that here 

clouggw11_2clouggw11_3

On the client, while it has a connection to the Internal network, you can restart SMS Agent Host service so it picks up the new Internet management point.

Once that is done on my client, I have given the machine only Internet access and no internal network access. I have restarted SMS Agent Host and you can see in LocationServices.log it is using the Cloud Management Gateway and the ConfigMgr client connection type is set to Internet.

clouggw12

If you’re curious about what it looks like in Azure, if you go to portal.azure.com and go to Cloud Services (classic), you can see it created a ProxyService role which is meant to be running on an A2 VM.

clouggw13

ConfigMgr Intune enrolled device – send sync request

One of the new features of the recently released 1610 update for ConfigMgr current branch is the ability for an admin to initiate a policy sync from the ConfigMgr console for an Intune enrolled device. Previously this had to be done from the Company Portal on the device.

This can be done by right clicking on the device, in my example an enrolled iPhone, clicking on Remote Device Actions, then Send Sync Request.

intunesyncrequest

ConfigMgr CB 1610 Software updates dashboard

One of the nice new enhancements that came with the recently released 1610 update for ConfigMgr current branch is the Software Updates Dashboard. This dashboard is available in the Monitoring > Overview > Security section in the ConfigMgr console

If you haven’t installed update 1610 yet, here is what the dashboard looks like:

sudashboard01

Update 1610 available for ConfigMgr Current Branch

Update 1610 is available for ConfigMgr Current Branch. The update will be rolled out globally in the next few weeks. You can run a script to enable fast ring to get the update now. ConfigMgr 1610: Enable Early Update Ring

Some of the new features include:

Windows 10 Upgrade Analytics integration allows you to assess and analyze device readiness and compatibility with Windows 10 to allow smoother upgrades.

Office 365 Servicing Dashboard and app deployment to clients features help you to deploy Office 365 apps to clients as well as track Office 365 usage and update deployments.

Software Updates Compliance Dashboard allows you to view the current compliance status of devices in your organization and quickly analyze the data to see which devices are at risk.

Cloud Management Gateway provides a simpler way to manage Configuration Manager clients on the Internet. You can use the ConfigMgr console to deploy the service in Microsoft Azure and configure the supported roles to allow cloud management gateway traffic.

Client Peer Cache is a new built-in solution in Configuration Manager that allows clients to share content with other clients directly from their local cache with monitoring and troubleshooting capabilities.

Enhancements in Software Center including customizable branding in more dialogs, notifications of new software, improvements to the notification experience for high-impact task sequence deployments, and ability for users to request applications and view request history directly in Software Center.

New remote control features including performance optimization for remote control sessions and keyboard translation.

This release also includes new features for customers using Configuration Manager connected with Microsoft Intune. Some of the new feature include:

New configuration item settings and improvements now only show settings that apply to the selected platform. We also added lots of new settings for Android (23), iOS (4), Mac (4), Windows 10 desktop and mobile (37), Windows 10 Team (7), Windows 8.1 (11), and Windows Phone 8.1 (3).

Lookout integration allows to check device’s compliance status based on its compliance with Lookout rules.

Request a sync from the admin console improvement allows you to request a policy sync on an enrolled mobile device from the Configuration Manager console.

Support for paid apps in Windows Store for Business allows you to add and deploy online-licensed paid apps in addition to the free apps in Windows Store for Business.

For more info see What’s new in version 1610 of System Center Configuration Manager

1610