ConfigMgr 2012 R2 & Intune


ConfigMgr 2012 R2 & Intune: step by step explained, from setting it up to identity control (ADFS, DRS and Workplace Join)
Tim De Keukelaere, Kenny Buntinx
#MMSMinnesota #MMSCMIntune

About Kenny
Kenny Buntinx, Managing Consultant, Kenny.Buntinx@kbsolutions.be
Twitter: @KennyBuntinx | LinkedIn: http://be.linkedin.com/kennybuntinx | Blog: http://scug.be/blogs/sccm

About Tim
Tim De Keukelaere, Managing Consultant, Tim.De.Keukelaere@IT-Essence.be
Twitter: @Tim_DK | LinkedIn: http://be.linkedin.com/in/timdekeukelaere/ | Blog: http://scug.be/tim/

Key Takeaways
Understanding these concepts:
- ADFS with SSO
- Workplace Join and DRS
- DirSync
- UDM integration with CM12
Hands-on: knowing how to implement them

About our audience
Assumptions:
- Practical experience with System Center Configuration Manager 2012 SP1/R2
- Knowledge of Windows Server 2012 R2
About us:
- Not ADFS, certificate or identity specialists, but we have had our share of challenges
- Not aiming to explain in detail how to enroll every possible device

WARNING: PERMITTING FANCY GADGETS TO BE BROUGHT TO WORK MAKES YOUR LIFE AS AN IT PROFESSIONAL HARDER

- Users can work from anywhere on their device with access to their corporate resources.
- Users can enroll devices for access to the Company Portal, for easy access to corporate applications.
- IT can publish access to resources with the Web Application Proxy, based on device awareness and the user's identity.
- Users can register devices for single sign-on and access to corporate data with Workplace Join.

SETTING UP CM12 AND WINDOWS INTUNE FOR UDM

Requirements for UDM technologies
Windows Intune UDM:
- ConfigMgr 2012 SP1 or R2
- Domain Controller OS = minimum W2K3 SP2
- Minimal forest schema = W2K3 SP2
- Optional: ADFS 2.0-2.1 / 3.0
- Optional: ADFS Proxy Server
- Internal and external DNS A / CNAME records
- Certificates
- DirSync with optional password sync
Workplace Join (optional):
- Forest functional level = 2003
- Domain Controller OS = minimum W2K8R2
- Minimal forest schema = W2K12R2
- ADFS 3.0
- Web Application Proxy (WAP)
- Internal and external DNS A / CNAME records
- Certificates

Process Overview
1. Create a Windows Intune subscription: purchase from windowsintune.com or through a Volume License agreement
2. Add public DNS details for enrollment redirection
3. Verify users have public-domain UPNs and perform AD User Discovery
4. Deploy and configure AD Directory Synchronization
5. Deploy and configure AD Federation Services (not required but strongly recommended!)
6. Reset user passwords, or use password sync if not using ADFS
7. Configure Configuration Manager for mobile device management:
   - Create the Windows Intune subscription in the Configuration Manager console
   - Create the Windows Intune Connector site system role
   - Verify that Configuration Manager connects successfully to the Windows Intune service

Create Windows Intune Subscription
First order of business: create a Windows Intune subscription. This can be done as a Volume License agreement through the normal channels. If you do not have a VL agreement for Configuration Manager, you can create a Windows Intune subscription directly from www.windowsintune.com. Once complete, log in to the Windows Intune Account Portal at account.manage.microsoft.com with the tenant account.

Create Verifiable Public Domain
To ensure users are synchronized correctly, create a verified public domain within the Windows Intune Account Portal. This is the company's public domain, something like demolabs.be; it must be verifiable as a registered domain by an external source. Next, configure on-premises AD Directory Synchronization with Microsoft Online. For device enrollment, ensure you have a public DNS CNAME record directing EnterpriseEnrollment to manage.microsoft.com.

Demo: Adding Domain / Activate DirSync

Verify User Details and Perform AD User Discovery
Ensure users that will be managed have this public domain as their primary User Principal Name (UPN) suffix in Active Directory. To add UPNs for each user, either edit via ADSI or script it, similar to: http://blogs.technet.com/b/heyscriptingguy/archive/2004/12/06/how-can-i-assign-a-new-upn-to-all-my-users.aspx
Once confirmed, perform AD User Discovery in Configuration Manager 2012 SP1.

Demo: Schema Verification / Adding UPNs

DIRSYNC CM12 & INTUNE: STEP BY STEP EXPLAINED

DirSync with Password Sync / ADFS (overview diagram)

DirSync - Purpose
- Sync users/groups from your on-premises AD into the cloud
- Schedule based

DirSync Requirements
- 64-bit edition of Windows Server: Windows Server 2008 Datacenter; Windows Server 2008 R2 Standard, Enterprise or Datacenter; Windows Server 2012 Standard or Datacenter; Windows Server 2012 R2 Standard or Datacenter
- .NET Framework 3.5 SP1 and .NET Framework 4.0 or 4.5
- PowerShell 3.0
- The latest version supports running DirSync on a DC

DirSync - Tips
- Before syncing, check that your UPN suffix matches!
- Filtering: OU based, domain based, or user attribute based
- To control the sync with custom attributes, see: http://ronnydejong.com/2013/05/01/windows-intune-selective-active-directory-synchronization/
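The UPN check from the tips above and the "verify user details" step earlier, as an added example that is not part of the slide deck: it reports enabled users whose UPN suffix is not a verified tenant domain and rewrites them with -WhatIf first. The ActiveDirectory module is assumed; the OU and domain names are constructed.

```powershell
# Added example, not from the slide deck: audit enabled AD users whose UPN
# suffix is not one of the tenant's verified domains, and optionally rewrite it.
# Assumes the ActiveDirectory module; the OU and domain names are constructed.
Import-Module ActiveDirectory

$VerifiedSuffixes = @('demolabs.be')                 # verified in the account portal (constructed)
$SearchBase       = 'OU=Staff,DC=demolabs,DC=local'  # constructed sync scope
$TargetSuffix     = 'demolabs.be'

function Get-UpnMismatch {
    # Returns enabled users whose UPN is empty or whose suffix is not verified.
    param([string]$SearchBase, [string[]]$VerifiedSuffixes)
    Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
        Where-Object {
            $upn = $_.UserPrincipalName
            [string]::IsNullOrEmpty($upn) -or ($VerifiedSuffixes -notcontains ($upn -split '@')[-1])
        }
}

function Set-UpnSuffix {
    # Rewrites one user's UPN to samAccountName@$Suffix, refusing duplicates.
    param([Microsoft.ActiveDirectory.Management.ADUser]$User, [string]$Suffix, [switch]$WhatIf)

    # The suffix must be registered on the forest or AD rejects the write.
    if ((Get-ADForest).UPNSuffixes -notcontains $Suffix) {
        throw "UPN suffix '$Suffix' is not registered on the forest (Set-ADForest -UPNSuffixes @{Add='$Suffix'})"
    }
    $newUpn = '{0}@{1}' -f $User.SamAccountName, $Suffix
    # UPNs must be unique; a clash here would also collide in Azure AD after sync.
    if (Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'") {
        Write-Warning "$newUpn is already in use; skipping $($User.SamAccountName)"
        return
    }
    Set-ADUser -Identity $User -UserPrincipalName $newUpn -WhatIf:$WhatIf
    Write-Verbose "$($User.SamAccountName): '$($User.UserPrincipalName)' -> '$newUpn'"
}

# Report first, then run the same loop without -WhatIf once the list looks right.
$mismatched = Get-UpnMismatch -SearchBase $SearchBase -VerifiedSuffixes $VerifiedSuffixes
$mismatched | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize
foreach ($u in $mismatched) { Set-UpnSuffix -User $u -Suffix $TargetSuffix -WhatIf }
```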

Password Sync - What it is
- Feature of DirSync that synchronizes user password hashes from on-premises AD to Windows Azure AD (WAAD)
- Enables users to log in to WAAD services using the same username/password as on-premises AD
- Part of DirSync: no additional software
- No changes to domain controllers, no reboots

Password Sync - What it is
- Easier, less expensive alternative to AD FS single sign-on, but certainly not the same thing
- No redirection to on-premises authentication
- No token exchange between the on-premises environment and the cloud
- Authentication takes place in the cloud
- Only for single-forest scenarios

Password Sync - How it works
Security considerations:
- Synchronizes hashes from on-premises AD to Azure AD
- Never sees or stores plaintext passwords
Password policy considerations:
- Defers to on-premises password policies
- On-premises complexity policies override cloud policies for synchronized users
- Passwords of synchronized users never expire in the cloud

Password Sync - How it works
- Checks for password updates every 2 minutes; DirSync of other attributes still runs every 3 hours
- Only syncs passwords for users scoped for DirSync
- Won't sync the password hash if the user must change password at next logon
- Retries failed password syncs every hour for up to 1 day
- Full password sync available via PowerShell (Set-FullPasswordSync)

Steps to successfully install DirSync

New: Azure AD Sync
- Now supports password sync
- Multi-forest support
- Advanced filtering capabilities (objects and attributes)
- Available here: http://www.microsoft.com/en-us/download/details.aspx?id=44225

Time to decide: Sync vs Federation
Synchronization:
- User attributes are synchronized, including the password hash
- Authentication can be completed against either Azure AD or Windows Server Active Directory
Federation:
- User attributes are synchronized; authentication is passed back through federation and completed against Windows Server Active Directory
- AD FS provides conditional access to resources, Workplace Join for device registration and integrated Multi-Factor Authentication

DirSync with Password Sync / ADFS (overview diagram)

SSO, DRS AND WORKPLACE JOIN

ADFS 3.0 new features
AD FS has become the Swiss Army Knife of Microsoft authentication:
- AD Workplace Join
- Single Sign On
- Work from anywhere
- Multi-factor Authentication
- Multi-factor Access Control
- No longer based on IIS, but on http.sys
- Highly customizable!
- Many more authentication possibilities than in ADFS 2.0/2.1

Identity capabilities for BYOD with ADFS 3.0
- AD Workplace Join: users join their device to their workplace, making the device known to the company's Active Directory
- Single Sign On (SSO): users sign in once to their company from any application and are not prompted for credentials by every company application when using workplace-joined devices
- Work From Anywhere: businesses enable users to work from anywhere while adhering to their IT governance policies around risk management
- Multi-factor Authentication: businesses require additional factors of authentication when business-critical resources are accessed or when there is perceived risk
- Multi-factor Access Control: businesses set conditional access control to resources based on four core pivots: the user, the device used, the user's network location and the use of additional authentication factors

Certificate Requirements for ADFS 3.0
*.Domain.com (wildcard):
- No additional Subject Alternative Names (SAN) are required
- Works with sub-domains
- Simple management, less expensive in the end
Named certificates (more secure):
- More management, more expensive in the end
- Additional Subject Alternative Names are required for Workplace Join and the Device Registration Service

Requirements for ADFS 3.0
- Forest schema must be 2012 R2 for DRS
- Service account: a Group Managed Service Account (gMSA) is recommended but not a requirement!
- Group Managed Service Accounts are not available by default because the KDS Root Key has not been set. Use the following PowerShell command to create the key:
  Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
- If ADFS is installed on a DC using a gMSA, read http://scug.be/sccm/2014/01/15/adfs-3-0-onwindows-2012-r2-adfssrv-hangs-in-starting-mode-and-makes-youre-domain-controller-unusableafter-reboot/

Other requirements for ADFS 3.0
- Federation name, e.g. federation.demolabs.be
- SQL version: WID or SQL
- Load balanced or not: use F5 or equivalent
- Foresee A records on:
  Internal DNS server: federation.demolabs.be -> 192.168.0.x
  External DNS server: federation.demolabs.be -> 81.x.x.x

STEPS TO INSTALL ADFS 3.0

Cloud Lab Setup (diagram)
- Domain controller: Demolabs.be
- ADFS / DirSync server with a federation trust to Intune (Wave x integration)
- Web Application Proxy (not domain joined) behind a firewall with NAT
- Workfolders server behind a firewall with NAT
- External DNS registration on public IP 82.x.x.x: A-Record Federation.Demolabs.be, A-Record EnterpriseRegistration.Demolabs.be, A-Record Workfolders.Demolabs.be
- *.Demolabs.be SSL certificate (2048 bits) on each server
- HTTPS - 403 on each hop

Steps to install ADFS 3.0

Steps to install ADFS 3.0
- Validate that your ADFS server works internally: https://federation.demolabs.be/adfs/ls/idpinitiatedsignon.aspx
- Customize your ADFS server to your needs, e.g. change the logo with PowerShell:
  Set-AdfsWebTheme -TargetName default -Logo @{path="c:\admin\adfs\demolabs-logo-1.png"}
- But there is much more: http://technet.microsoft.com/en-us/library/dn280950.aspx

Demo: ADFS Check / Customization

STEPS TO INSTALL THE WEB APPLICATION PROXY (WAP)

Steps to install WAP

Steps to install WAP
- Validate that your ADFS server works externally (from the internet) through the WAP: https://federation.demolabs.be/adfs/ls/idpinitiatedsignon.aspx
- Configuration is done through the Remote Access Management snap-in.

Deploy and Configure AD Federation Services
Install the Windows Azure Active Directory Module on the ADFS server. To set up SSO by using the Windows Azure Active Directory Module for Windows PowerShell, use the following commands:
1. Connect-MsolService -Credential:(Get-Credential)
2. Use one of the following commands, as appropriate for your situation:
   Convert-MsolDomainToFederated -DomainName:<federated domain name>
   Update-MsolFederatedDomain -DomainName:<federated domain name>
To make sure your DirSync tenant account's password doesn't expire:
   Set-MsolUser -UserPrincipalName user@mydomain.com -PasswordNeverExpires $true -StrongPasswordRequired $true
Prevent your self-signed certificate for token signing in Azure from expiring unnoticed. See: http://scug.be/sccm/2014/04/23/configmgr-2012-windows-intune-sso-self-signed-certificate-for-tokensigning-is-about-to-expire-now-what/
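The token-signing expiry problem mentioned above, as an added check that is not part of the slide deck: it reports the remaining lifetime of each ADFS token-signing certificate and verifies that Azure AD still records the same primary thumbprint for the federated domain. It assumes the ADFS and MSOnline modules on the federation server, a prior Connect-MsolService, and a constructed domain name.

```powershell
# Added example, not from the slide deck: check the ADFS token-signing
# certificate's remaining lifetime and confirm Azure AD holds the same
# thumbprint. Assumes the ADFS and MSOnline modules on the federation server
# and a prior Connect-MsolService; the domain name is constructed.
Import-Module ADFS
Import-Module MSOnline

$FederatedDomain = 'demolabs.be'   # constructed
$WarnDays        = 30

function Get-AdfsTokenSigningStatus {
    # One row per token-signing certificate known to ADFS (primary plus any rollover cert).
    param([int]$WarnDays = 30)
    Get-AdfsCertificate -CertificateType Token-Signing | ForEach-Object {
        $cert = $_.Certificate
        $left = ($cert.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            IsPrimary  = $_.IsPrimary
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]$left
            Expiring   = $left -lt $WarnDays
        }
    }
}

function Test-FederationCertMatch {
    # Compares the primary ADFS token-signing thumbprint with what Azure AD has
    # recorded for the domain. Get-MsolFederationProperty returns one entry
    # sourced from the ADFS server and one from Office 365; we want the latter.
    param([string]$DomainName, [string]$LocalPrimaryThumbprint)
    $cloud = Get-MsolFederationProperty -DomainName $DomainName |
             Where-Object { $_.Source -like 'Microsoft*' }
    $cloudThumb = $cloud.TokenSigningCertificate.Thumbprint
    [pscustomobject]@{
        Domain          = $DomainName
        AdfsThumbprint  = $LocalPrimaryThumbprint
        CloudThumbprint = $cloudThumb
        InSync          = ($cloudThumb -eq $LocalPrimaryThumbprint)
    }
}

$status  = Get-AdfsTokenSigningStatus -WarnDays $WarnDays
$status | Format-Table -AutoSize
$primary = ($status | Where-Object IsPrimary).Thumbprint
$match   = Test-FederationCertMatch -DomainName $FederatedDomain -LocalPrimaryThumbprint $primary
$match | Format-List

if (-not $match.InSync) {
    # Azure AD still trusts a different certificate: push the current one with
    # Update-MsolFederatedDomain -DomainName $FederatedDomain (the command from the slide).
    Write-Warning "Token-signing certificate differs between ADFS and Azure AD for $FederatedDomain"
}
if ($status | Where-Object Expiring) {
    Write-Warning "A token-signing certificate expires within $WarnDays days; check AutoCertificateRollover in Get-AdfsProperties"
}
```

Run it on a schedule well before the certificate's NotAfter date, because a rollover on the ADFS side that is never pushed to Azure AD breaks federated sign-in the moment the old certificate expires.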

WHAT IS WORKPLACE JOIN?

Expanding device support with DRS (diagram)
Spectrum from "Not Joined to AD" (limited access, no IT control), through "Workplace Joined", to "Domain Joined" (Active Directory)

STEPS TO ENABLE DEVICE REGISTRATION SERVICE (DRS) FOR WORKPLACE JOIN

Workplace Join Requirements
- ADFS 3.0 with DRS enabled and a Web Application Proxy (WAP)
- A *.Domain.com certificate, or custom certificates with SANs defined: for DRS, your SSL certificate needs to contain SAN (Subject Alternative Name) entries for enterpriseregistration plus each distinct UPN suffix in use by users in your forest(s). For example:
  Enterpriseregistration.Demolabs.be
  Enterpriseregistration.Demolabs.com
  Enterpriseregistration.corp.Demolabs.be
- If you plan to use client certificate authentication, you must also configure the firewall to allow traffic on port 49443
- The necessary Host A / CNAME records in both internal and external DNS servers

Steps to enable Workplace Join
- Create a Host A record on the public DNS called enterpriseregistration.demolabs.be
- Create a CNAME (alias) record in the internal DNS called enterpriseregistration.demolabs.be; this record points to the host (A) record of the AD FS federation service internally
- Configure the WAP proxy to publish enterpriseregistration.demolabs.be

Steps to enable DRS
Remember: the new Device class requires a schema change to Active Directory (R2)!
- Open a Windows PowerShell command window and type: Initialize-ADDeviceRegistration
- When prompted for a service account, type your gMSA account, e.g. Demolabs\svc.adfs
- Now run the Windows PowerShell cmdlet: Enable-AdfsDeviceRegistration
- On the ADFS server, edit the Global Primary Authentication Policy and select the check box next to "Enable Device Authentication"

Troubleshooting Workplace Join - Back end
- Look up enterpriseregistration.demolabs.be; it should resolve to the IP of your Web Application Proxy (WAP)
- If no IP is resolved, check your public domain's DNS zone and validate that the enterpriseregistration CNAME points to your Web Application Proxy
- Type in a browser: https://enterpriseregistration.demolabs.be/enrollmentserver/contract?api-version=1.0
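The back-end checks above scripted so they can be repeated from outside the network, as an added example that is not part of the slide deck: it resolves the enterpriseregistration name against a public resolver, fetches the DRS discovery contract through the WAP, and tests port 49443 for the client-certificate case. It assumes the DnsClient and NetTCPIP modules (Windows 8.1 / Server 2012 R2 and later); the domain, WAP IP and resolver are constructed.

```powershell
# Added example, not from the slide deck: run the back-end Workplace Join checks
# from a machine outside the network. Assumes the DnsClient and NetTCPIP modules;
# the domain, expected WAP IP and resolver address are constructed.
$Domain        = 'demolabs.be'
$ExpectedWapIp = '82.0.0.10'   # constructed public IP of the WAP
$Resolver      = '8.8.8.8'     # a public resolver, so the answer comes from the public zone

function Test-DrsEndpoint {
    param([string]$Domain, [string]$ExpectedWapIp, [string]$Resolver)
    $fqdn   = "enterpriseregistration.$Domain"
    $result = [ordered]@{ Fqdn = $fqdn; ResolvedIp = $null; DnsOk = $false;
                          ContractOk = $false; ContractStatus = $null; Port49443 = $false }

    # 1. Public DNS: enterpriseregistration must resolve to the WAP, not to ADFS directly.
    $dns = Resolve-DnsName -Name $fqdn -Type A -Server $Resolver -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' }
    if ($dns) {
        $result.ResolvedIp = $dns.IPAddress -join ','
        $result.DnsOk      = $dns.IPAddress -contains $ExpectedWapIp
    }

    # 2. The DRS discovery contract must be reachable through the WAP over HTTPS.
    $url = "https://$fqdn/enrollmentserver/contract?api-version=1.0"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        $result.ContractStatus = $resp.StatusCode
        $result.ContractOk     = ($resp.StatusCode -eq 200)
    } catch {
        # A TLS name mismatch (missing SAN) or a WAP publishing error lands here.
        $result.ContractStatus = $_.Exception.Message
    }

    # 3. Port 49443 only matters when client certificate authentication is used.
    $result.Port49443 = Test-NetConnection -ComputerName $fqdn -Port 49443 `
                            -InformationLevel Quiet -WarningAction SilentlyContinue

    [pscustomobject]$result
}

Test-DrsEndpoint -Domain $Domain -ExpectedWapIp $ExpectedWapIp -Resolver $Resolver | Format-List
```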

Troubleshooting Workplace Join - Client
- Event Viewer is still your best friend: use the Microsoft Workplace Join event log to troubleshoot!
- Typical error: "URL (enterpriseregistration.xxxx.yyyy) cannot be resolved or reached."

Lost Device Protection
Devices registered via Workplace Join are registered within Active Directory in the container CN=<Device ID>,CN=RegisteredDevices,DC=mydomain,DC=com. Lost devices can be denied access by disabling or deleting the appropriate object within AD; access through AD FS is immediately revoked for the workplace-joined client. From testing thus far, devices that are joined, left and re-registered via Workplace Join are not currently cleaned up within the RegisteredDevices container. Some PowerShell scripting is currently required to enforce this.
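The revocation and clean-up described above, as an added example that is not part of the slide deck: it lists the objects in RegisteredDevices, disables one by its device ID to revoke AD FS access, and finds the duplicate and silent registrations left behind by join/leave/re-join. It assumes the ActiveDirectory module; the msDS-Device attribute names are an assumption based on the 2012 R2 schema, and all writes default to -WhatIf.

```powershell
# Added example, not from the slide deck: list Workplace Joined devices in the
# RegisteredDevices container, disable one to revoke its AD FS access, and find
# the stale/duplicate objects the slide says are not cleaned up. Assumes the
# ActiveDirectory module; the msDS-Device attribute names are an assumption
# based on the 2012 R2 schema. All writes default to -WhatIf.
Import-Module ActiveDirectory

$Container = 'CN=RegisteredDevices,' + (Get-ADDomain).DistinguishedName
$Attrs     = 'displayName', 'msDS-IsEnabled', 'msDS-ApproximateLastLogonTimeStamp', 'whenCreated'

function ConvertTo-DateTime($value) {
    # Assumption: the last-logon attribute is stored as a large integer (FILETIME).
    if ($null -eq $value) { return $null }
    if ($value -is [datetime]) { return $value }
    [datetime]::FromFileTimeUtc([int64]$value)
}

function Get-WorkplaceJoinedDevice {
    Get-ADObject -SearchBase $Container -LDAPFilter '(objectClass=msDS-Device)' -Properties $Attrs |
        ForEach-Object {
            [pscustomobject]@{
                DeviceId  = $_.Name        # CN=<Device ID> per the slide
                Display   = $_.displayName
                Enabled   = $_.'msDS-IsEnabled'
                LastLogon = ConvertTo-DateTime $_.'msDS-ApproximateLastLogonTimeStamp'
                Created   = $_.whenCreated
                DN        = $_.DistinguishedName
            }
        }
}

function Disable-WorkplaceJoinedDevice {
    # Lost device: clearing msDS-IsEnabled revokes AD FS device authentication
    # immediately and keeps the object for investigation, unlike deleting it.
    param([string]$DeviceId, [switch]$Commit)
    Set-ADObject -Identity "CN=$DeviceId,$Container" -Replace @{ 'msDS-IsEnabled' = $false } -WhatIf:(-not $Commit)
}

function Get-StaleWorkplaceJoinedDevice {
    # Orphans left by join/leave/re-join: the same displayName registered more
    # than once (keep the newest), plus anything silent for longer than $MaxAgeDays.
    param([int]$MaxAgeDays = 90)
    $devices = Get-WorkplaceJoinedDevice
    $cutoff  = (Get-Date).AddDays(-$MaxAgeDays)
    $dupes   = $devices | Group-Object Display | Where-Object Count -gt 1 |
               ForEach-Object { $_.Group | Sort-Object Created -Descending | Select-Object -Skip 1 }
    $silent  = $devices | Where-Object {
        $last = if ($_.LastLogon) { $_.LastLogon } else { $_.Created }
        $last -lt $cutoff
    }
    @($dupes) + @($silent) | Sort-Object DN -Unique
}

# Review the output first; remove confirmed orphans with Remove-ADObject -Identity $_.DN.
Get-WorkplaceJoinedDevice | Format-Table DeviceId, Display, Enabled, LastLogon -AutoSize
Get-StaleWorkplaceJoinedDevice -MaxAgeDays 90 | Format-Table DeviceId, Display, LastLogon, Created -AutoSize
```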

Demo: Workplace Join / Lost Devices

Workplace Join Hitman tool
Beta available via TechNet Galleries: http://gallery.technet.microsoft.com/workplace-join-hitman-8c691238#content

ENABLE WINDOWS INTUNE THROUGH CONFIGMGR 2012 R2

Prep your ConfigMgr environment
- Implement Cumulative Update 3: https://support.microsoft.com/kb/2994331
- Hotfix: https://support.microsoft.com/kb/2990658

Intune Subscription Prerequisites
- Intune user collection (licenses)
- Company logo, 400 x 100 pixels (optional)
- (Optional) Create an APNs certificate for iOS
- (Optional) Supply Windows RT sideloading keys
- (Optional) Request/buy a Windows Phone 8 code signing certificate and code-sign the Windows Phone 8 Company Portal app
- (Optional) Enable the Android platform

Demo: Intune Subscription Onboarding

Modern Platforms vs Features integrated into CfgMgr
Platforms:
- Windows 8 RT
- Windows Phone 8
- iOS (5.x, 6.x, 7.x)
- Android (2.3+ via EAS)
- Android (4.0+ via native agent)
- Windows 8.1 (x86/x64 and RT)
Features (not all on ConfigMgr R2 yet):
- Over-the-air device enrollment
- Available user-targeted applications
- User and device settings management
- Device inventory
- Remote device retirement
- Remote device wipe (full and selective)
- Company branding
- Web apps and remote apps
- Required application deployment
- VPN/Wi-Fi/certificate profiles
- Additional settings

On-premises connector setup troubleshooting
- Intune subscription: AdminUILog\SmsAdminUI.log
- Connector setup: sitecomp.log and ConnectorSetup.log
- Connector certificate: certmgr.log

User sync troubleshooting
- Cloudusersync.log
- Cloud user collection in the Admin Console
- Cloud user ID

Demo: Device Enrollments

Enrollment Support Info
Search criteria:
- LSU, MSU, account id, user id (last 6 digits), email domain or another feature-specific keyword
- Time of incident (with time zone)
- Logs (DMPUploader.log, DMPDownloader.log, CloudUserSync.log)
Example: AccountId: 21c26ac1 29b40f; LsuId: LSUA01; MsuId: MSUA01; UserID: d7facc; Domain: contoso.onmicrosoft.com

Q & A

Evaluations
Please provide session feedback by clicking the Eval button in the scheduler app. One lucky winner will get a free ticket to the next MMS!
Tim De Keukelaere, Kenny Buntinx
Visit all of our sponsors in the expo area and online! MMS Minnesota 2014