ConfigMgr 2012 R2 & Intune Step by Step explained: from setting it up to identity control (ADFS, DRS and Workplace Join)
Tim De Keukelaere, Kenny Buntinx
#MMSMinnesota #MMSCMIntune
About Kenny
Kenny Buntinx, Managing Consultant, Kenny.Buntinx@kbsolutions.be
@KennyBuntinx, http://be.linkedin.com/kennybuntinx, http://scug.be/blogs/sccm

About Tim
Tim De Keukelaere, Managing Consultant, Tim.De.Keukelaere@IT-Essence.be
@Tim_DK, http://be.linkedin.com/in/timdekeukelaere/, http://scug.be/tim/
Key Takeaways
Understanding these concepts:
- ADFS with SSO
- Workplace Join and DRS
- DirSync
- UDM integration with CM12
Hands-on: knowing how to implement them

About our audience
Assumptions:
- Practical experience with System Center Configuration Manager 2012 SP1/R2
- Knowledge of Windows Server 2012 R2
About us:
- Not the ADFS, certificate or identity specialists, but we had our share of challenges
- Not aiming to explain in detail how to enroll all possible devices
WARNING: PERMITTING FANCY GADGETS TO BE BROUGHT TO WORK MAKES YOUR LIFE AS AN IT PROFESSIONAL HARDER
Users can work from anywhere on their own device with access to their corporate resources:
- Users can enroll devices to get the Company Portal, for easy access to corporate applications
- IT can publish access to resources through the Web Application Proxy, based on device awareness and the user's identity
- Users can register devices with Workplace Join for single sign-on and access to corporate data
SETTING UP CM12 AND WINDOWS INTUNE FOR UDM
Requirements for UDM technologies

Windows Intune UDM:
- ConfigMgr 2012 SP1 or R2
- Domain controller OS: minimum Windows Server 2003 SP2
- Minimal forest schema: Windows Server 2003 SP2
- Optional: ADFS 2.0/2.1 or 3.0
- Optional: ADFS Proxy server
- Internal and external DNS A/CNAME records
- Certificates
- DirSync, with optional password sync

Workplace Join (optional):
- Forest functional level: 2003
- Domain controller OS: minimum Windows Server 2008 R2
- Minimal forest schema: Windows Server 2012 R2
- ADFS 3.0
- Web Application Proxy (WAP)
- Internal and external DNS A/CNAME records
- Certificates

Process Overview
1. Create a Windows Intune subscription: purchase from windowsintune.com, or through a Volume License agreement
2. Add public DNS details for enrollment redirection
3. Verify that users have public-domain UPNs and perform AD User Discovery
4. Deploy and configure AD Directory Synchronization
5. Deploy and configure AD Federation Services (not required, but strongly recommended!)
6. Reset user passwords, or use password sync, if not using ADFS
7. Configure Configuration Manager for mobile device management:
   - Create the Windows Intune subscription in the Configuration Manager console
   - Create the Windows Intune Connector site system role
   - Verify that Configuration Manager connects successfully to the Windows Intune service
Create Windows Intune Subscription
First order of business: create a Windows Intune subscription. This can be done as part of a Volume License agreement, through the normal channels. If you do not have a VL agreement for Configuration Manager, you can create a Windows Intune subscription directly at www.windowsintune.com. Once complete, log in to the Windows Intune Account Portal at account.manage.microsoft.com with the tenant account.

Create Verifiable Public Domain
To ensure users are synchronized correctly, add a verified public domain in the Windows Intune Account Portal. This is the company's public domain, something like demolabs.be, and it must be verifiable as a registered domain by an external source (the portal gives you a DNS TXT or MX record to publish as proof of ownership). Next, configure the on-premises AD Directory Synchronization with Microsoft Online. For device enrollment, make sure you have a public DNS CNAME record pointing EnterpriseEnrollment (EnterpriseEnrollment.demolabs.be in this example) at manage.microsoft.com.
Demo: adding the domain / activating DirSync
Verify User Details and Perform AD User Discovery
Ensure that the users who will be managed have this public domain as their primary User Principal Name (UPN) suffix in Active Directory. To add UPNs for each user, either edit them via ADSI Edit or script it, similar to what is shown here: http://blogs.technet.com/b/heyscriptingguy/archive/2004/12/06/how-can-i-assign-a-new-upn-to-all-my-users.aspx
Once confirmed, run AD User Discovery in Configuration Manager 2012 SP1/R2 so the users (with their new UPNs) are available for the Intune user collection.
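The UPN change above, scripted the way we would do it before the first sync. This is an added example and not code from the session or the linked post; the OU path, the demolabs.be suffix and the forest name are assumed lab values. It registers the suffix on the forest if it is missing, then dry-runs the change with -WhatIf so you can review the list first:

```powershell
# Added example (not from the deck): give every enabled user in one OU the verified
# public UPN suffix before the first DirSync run.
# Assumed lab values: suffix demolabs.be, OU 'OU=Users,OU=Demolabs,DC=demolabs,DC=be'.
Import-Module ActiveDirectory

$NewSuffix  = 'demolabs.be'                              # verified domain in the Intune account portal
$SearchBase = 'OU=Users,OU=Demolabs,DC=demolabs,DC=be'  # assumed; narrow it to the users you will license

# The suffix must be registered on the forest (the GUI only offers those) AND be a verified
# domain in the tenant; otherwise DirSync gives the user a <tenant>.onmicrosoft.com UPN.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $NewSuffix }
}

$changed = 0
$users = Get-ADUser -SearchBase $SearchBase -Filter "Enabled -eq 'True'" -Properties UserPrincipalName
foreach ($u in $users) {
    # Keep the existing prefix; fall back to sAMAccountName for users that have no UPN at all.
    $prefix = if ($u.UserPrincipalName) { ($u.UserPrincipalName -split '@')[0] } else { $u.SamAccountName }
    $newUpn = "$prefix@$NewSuffix"
    if ($u.UserPrincipalName -ne $newUpn) {
        # Dry run: drop -WhatIf once the console output looks right.
        Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
        Write-Host "$($u.SamAccountName): '$($u.UserPrincipalName)' -> '$newUpn'"
        $changed++
    }
}
"$changed user(s) need a new UPN"
```

Run it once with -WhatIf, check that no two users collapse onto the same prefix, then remove -WhatIf and run AD User Discovery in the ConfigMgr console afterwards.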
Demo: schema verification / adding UPNs
DIRSYNC CM12 & INTUNE: STEP BY STEP EXPLAINED
[Diagram: DirSync with password sync versus ADFS]

DirSync - Purpose
Sync users and groups from your on-premises AD into the cloud, on a schedule.
DirSync Requirements
- 64-bit edition of Windows Server: 2008 Datacenter; 2008 R2 Standard, Enterprise or Datacenter; 2012 Standard or Datacenter; 2012 R2 Standard or Datacenter
- .NET Framework 3.5 SP1 and .NET Framework 4.0 or 4.5
- PowerShell 3.0
- The latest version supports running DirSync on a domain controller

DirSync - Tips
- Before you sync, check that your UPN suffix matches!
- Filtering: OU based, domain based, user attribute based
- To control the sync with custom attributes, see: http://ronnydejong.com/2013/05/01/windows-intune-selective-active-directory-synchronization/
Password Sync - What it is
- A feature of DirSync that synchronizes user password hashes from on-premises AD to Windows Azure AD (WAAD)
- Enables users to log in to WAAD services with the same username/password as on-premises AD
- Part of DirSync: no additional software, no changes to domain controllers, no reboots
- An easier, less expensive alternative to AD FS single sign-on, but certainly not the same thing: no redirection to on-premises authentication, no token exchange between the on-premises environment and the cloud; authentication takes place in the cloud
- Only for the single-forest scenario

Password Sync - How it works
Security considerations:
- Synchronizes hashes (a hash of the on-premises hash, not the NT hash itself) from on-premises AD to Azure AD
- Never sees or stores plaintext passwords
Password policy considerations:
- Defers to the on-premises password policy: on-premises complexity policies override cloud policies for synchronized users
- Passwords of synchronized users never expire in the cloud
Timing:
- Checks for password updates every 2 minutes; DirSync of other attributes still runs every 3 hours
- Only syncs passwords for users in scope for DirSync
- Will not sync the hash if the user must change the password at next logon
- Retries failed password syncs every hour, for up to 1 day
- A full password sync is available via PowerShell (Set-FullPasswordSync)
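Two of the points above are worth checking rather than remembering: users flagged "must change password at next logon" get no cloud password, and a full password sync can be forced. The script below is an added example, not from the deck or the DirSync product; the OU filter is an assumed lab value, and the second half must run on the DirSync server itself:

```powershell
# Added example (not from the deck): find in-scope users whose password hash will NOT be
# synchronized, then force a full password sync.
# Assumed lab value: the DirSync OU filter below. First part runs anywhere with RSAT,
# second part on the DirSync server.
Import-Module ActiveDirectory

$SyncScope = 'OU=Users,OU=Demolabs,DC=demolabs,DC=be'

# pwdLastSet = 0 means "User must change password at next logon": DirSync skips the hash,
# so the user cannot sign in to the cloud until the password is changed on-premises.
$noHash = Get-ADUser -SearchBase $SyncScope -Filter "Enabled -eq 'True'" -Properties pwdLastSet |
    Where-Object { $_.pwdLastSet -eq 0 }

if ($noHash) {
    Write-Warning "$(@($noHash).Count) user(s) will have no cloud password until they change it:"
    $noHash | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize
}

# On the DirSync server: flag every in-scope user for a fresh hash sync (the 2-minute delta
# cycle only picks up changes it has observed); the FIM service must restart to act on it.
Import-Module DirSync            # the DirSync installer registers this module path
Set-FullPasswordSync
Restart-Service FIMSynchronizationService -Force
# Progress is logged to the Application event log under the "Directory Synchronization" source.
```

Fix the flagged users first (have them change their password, or clear the flag if it was set by a bulk import), then trigger the full sync; otherwise the full sync simply skips them again.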
Steps to successfully install DirSync

New: Azure AD Sync
- Now supports password sync
- Multi-forest support
- Advanced filtering capabilities (objects and attributes)
Available here: http://www.microsoft.com/en-us/download/details.aspx?id=44225
Time to decide: Sync vs Federation

Synchronization: user attributes are synchronized, including the password hash. Authentication can be completed against either Azure AD or Windows Server Active Directory.

Federation: user attributes are synchronized, but authentication is passed back through federation and completed against Windows Server Active Directory. AD FS adds conditional access to resources, Workplace Join for device registration and integrated multi-factor authentication.
SSO, DRS AND WORKPLACE JOIN
ADFS 3.0 new features
AD FS has become the Swiss Army knife of Microsoft authentication:
- AD Workplace Join
- Single sign-on
- Work from anywhere
- Multi-factor authentication
- Multi-factor access control
- No longer hosted in IIS, but directly on http.sys
- Highly customizable!
- Many more authentication options than in ADFS 2.0/2.1

Identity capabilities for BYOD with ADFS 3.0
- AD Workplace Join: users join their device to their workplace, making the device known to the company's Active Directory
- Single sign-on (SSO): users sign in once to their company from any application and are not prompted for credentials by every company application when using workplace-joined devices
- Work from anywhere: businesses let users work from anywhere while adhering to their IT governance policies around risk management
- Multi-factor authentication: businesses require additional factors of authentication when business-critical resources are accessed or when there is perceived risk
- Multi-factor access control: businesses set conditional access control on resources based on four core pivots: the user, the device used, the user's network location and the use of additional authentication factors
Certificate Requirements for ADFS 3.0

Wildcard certificate (*.domain.com):
- No additional Subject Alternative Names (SAN) are required
- Works with sub-domains
- Simple management; less expensive in the end

Named certificates (more secure):
- More management; more expensive in the end
- Additional Subject Alternative Names are required for Workplace Join and the Device Registration Service (the enterpriseregistration name per UPN suffix, see the Workplace Join requirements below)
Requirements for ADFS 3.0
- Forest schema must be 2012 R2 for DRS
- Service account: a Group Managed Service Account (gMSA) is recommended, but not a requirement
- gMSAs are not available by default because the KDS root key has not been created. Create it with:
  Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
  The backdated -EffectiveTime skips the 10-hour wait for the key to replicate to all domain controllers; that is fine in a single-DC lab. In production run Add-KdsRootKey -EffectiveImmediately and wait the 10 hours before creating the gMSA.
- If ADFS is installed on a DC with a gMSA, read: http://scug.be/sccm/2014/01/15/adfs-3-0-on-windows-2012-r2-adfssrv-hangs-in-starting-mode-and-makes-youre-domain-controller-unusable-after-reboot/
Other requirements for ADFS 3.0
- Federation service name, e.g. federation.demolabs.be
- SQL version: WID or SQL Server
- Load balanced or not: use F5 or equivalent
- Foresee an A record on both DNS servers:
  Internal DNS server: federation.demolabs.be -> 192.168.0.x (the ADFS server)
  External DNS server: federation.demolabs.be -> 81.x.x.x (the Web Application Proxy)
STEPS TO INSTALL ADFS 3.0
Cloud Lab Setup (diagram)
- Internal network: domain controller for demolabs.be; one server running ADFS and DirSync, with a federation trust to Intune (wave x integration); a Work Folders server
- DMZ: Web Application Proxy (not domain joined), behind firewall/NAT on both the internet and the internal side
- External DNS registration, public IP 82.x.x.x: A records for Federation.Demolabs.be, EnterpriseRegistration.Demolabs.be and Workfolders.Demolabs.be
- All published endpoints use HTTPS with a single *.Demolabs.be SSL certificate (2048-bit)

Steps to install ADFS 3.0

Validate that your ADFS server works internally: https://federation.demolabs.be/adfs/ls/idpinitiatedsignon.aspx
Customize your ADFS server to your needs, e.g. change the logo with PowerShell:
Set-AdfsWebTheme -TargetName default -Logo @{path="c:\admin\adfs\demolabs-logo-1.png"}
But there is much more: http://technet.microsoft.com/en-us/library/dn280950.aspx
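The install steps on the preceding slides, scripted as we would run them on the first farm member. This is an added example and not the deck's own procedure; the host name adfs01, the gMSA svc.adfs, the display name and the assumption that the *.demolabs.be certificate is already in the machine store are lab values. The -EffectiveTime shortcut is the lab-only one from the requirements slide:

```powershell
# Added example (not from the deck): first ADFS 3.0 server in a farm, using a gMSA.
# Assumed lab values: federation name federation.demolabs.be, ADFS host adfs01,
# gMSA DEMOLABS\svc.adfs, wildcard cert *.demolabs.be already in Cert:\LocalMachine\My.
Import-Module ActiveDirectory

# 1. KDS root key, once per forest. Backdating skips the 10-hour replication safety window:
#    acceptable on a single-DC lab, not in production (use -EffectiveImmediately and wait).
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
}

# 2. The gMSA; only the ADFS hosts may retrieve its password (add 'adfs02$' etc. for a farm).
New-ADServiceAccount -Name 'svc.adfs' -DNSHostName 'federation.demolabs.be' `
    -PrincipalsAllowedToRetrieveManagedPassword 'adfs01$'

# 3. Role and farm, run on adfs01 as a domain admin.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like 'CN=*.demolabs.be*' }
if (-not $cert) { throw 'Wildcard certificate not found in LocalMachine\My; import it (with private key) first.' }

Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName 'federation.demolabs.be' `
    -FederationServiceDisplayName 'Demolabs Federation' `
    -GroupServiceAccountIdentifier 'DEMOLABS\svc.adfs$'

# 4. Smoke test with the deck's URL; anything but 200 means the service or the binding is wrong.
$r = Invoke-WebRequest -Uri 'https://federation.demolabs.be/adfs/ls/idpinitiatedsignon.aspx' -UseBasicParsing
"HTTP $($r.StatusCode) from $($r.Headers['Server'])"
```

Install-AdfsFarm without a database parameter creates the farm on the Windows Internal Database (the "WID or SQL" choice from the requirements slide); add -SQLConnectionString for a SQL Server backed farm.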
Demo: ADFS check / customization
STEPS TO INSTALL THE WEB APPLICATION PROXY (WAP)
Steps to install WAP

Validate that your ADFS server works through the WAP from the outside (internet): https://federation.demolabs.be/adfs/ls/idpinitiatedsignon.aspx
Configuration is done through the Remote Access Management snap-in (or the WebApplicationProxy PowerShell module).
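The same WAP setup done from PowerShell instead of the snap-in, as an added example that is not part of the deck. Assumed lab values: the WAP is a workgroup machine, the *.demolabs.be certificate has been imported into its machine store, and the DMZ name resolution for federation.demolabs.be points at the internal ADFS server (it must never point at the proxy itself, or the trust setup loops). The Work Folders server from the lab diagram is published as a pass-through application, assuming it uses Windows authentication:

```powershell
# Added example (not from the deck): Web Application Proxy in the DMZ, plus one published app.
# Assumed lab values: non-domain-joined WAP host, wildcard cert *.demolabs.be in
# Cert:\LocalMachine\My, federation.demolabs.be resolving to the INTERNAL ADFS address from the DMZ.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like 'CN=*.demolabs.be*' }
if (-not $cert) { throw 'Wildcard certificate not found in LocalMachine\My on the proxy.' }

# The trust credential is an account that is local admin on the ADFS servers; it is used once
# to establish the proxy trust certificate and is not stored on the WAP.
Install-WebApplicationProxy -FederationServiceName 'federation.demolabs.be' `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceTrustCredential (Get-Credential -Message 'ADFS administrator')

# Publish the Work Folders server from the lab diagram. Pass-through (no ADFS pre-authentication)
# is assumed because the lab server uses Windows authentication; the SSL name must be in the cert.
Add-WebApplicationProxyApplication -Name 'Work Folders' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl 'https://workfolders.demolabs.be/' `
    -BackendServerUrl 'https://workfolders.demolabs.be/' `
    -ExternalCertificateThumbprint $cert.Thumbprint

# What is published now; the ADFS endpoints themselves are proxied automatically.
Get-WebApplicationProxyApplication | Format-Table Name, ExternalUrl, ExternalPreauthentication -AutoSize
```

After this, the deck's external check (the idpinitiatedsignon.aspx page from the internet) should answer through the proxy; if it does not, the proxy trust is the first thing to re-check in the Remote Access Management console.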
Deploy and Configure AD Federation Services
Install the Windows Azure Active Directory Module for Windows PowerShell on the ADFS server. To set up SSO, use the following commands:
1. Connect-MsolService -Credential (Get-Credential)
2. One of the following, as appropriate for your situation:
   Convert-MsolDomainToFederated -DomainName <federated domain name>   (first conversion of a managed domain to federated)
   Update-MsolFederatedDomain -DomainName <federated domain name>      (refresh the settings and certificates of an already federated domain)
Make sure the password of your DirSync tenant account does not expire:
Set-MsolUser -UserPrincipalName user@mydomain.com -PasswordNeverExpires $true -StrongPasswordRequired $true
Keep an eye on the self-signed token-signing certificate that Azure AD trusts before it expires. See: http://scug.be/sccm/2014/04/23/configmgr-2012-windows-intune-sso-self-signed-certificate-for-token-signing-is-about-to-expire-now-what/
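The expiry problem from the linked post is easy to catch early: compare the token-signing certificate ADFS is actually using with the one Azure AD has on file for the federated domain, and push an update when they differ. The script is an added example, not from the deck or the post; demolabs.be is the assumed federated domain, and it assumes you run it on the primary ADFS server with the Azure AD module installed. The Source value used to pick the tenant-side entry of Get-MsolFederationProperty is the label the cmdlet prints for the Azure AD copy:

```powershell
# Added example (not from the deck): does Azure AD still trust the token-signing certificate
# ADFS is using? If not, refresh the federated domain before sign-ins break.
# Assumed lab value: federated domain demolabs.be; run on the primary ADFS server.
Import-Module ADFS
Import-Module MSOnline

Connect-MsolService -Credential (Get-Credential -Message 'Azure AD global admin')
Set-MsolADFSContext -Computer $env:COMPUTERNAME     # point the MSOL cmdlets at this farm

$local = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
# The cmdlet returns two entries, one read from ADFS and one from the tenant; we want the tenant copy.
$cloud = Get-MsolFederationProperty -DomainName 'demolabs.be' |
    Where-Object { $_.Source -like '*Office 365*' }

"ADFS primary token-signing cert : $($local.Thumbprint) (expires $($local.Certificate.NotAfter))"
"Trusted by Azure AD             : $($cloud.TokenSigningCertificate.Thumbprint)"

if ($local.Thumbprint -ne $cloud.TokenSigningCertificate.Thumbprint) {
    Write-Warning 'Thumbprints differ: federated sign-in will fail once the old certificate is gone.'
    # Re-reads the federation metadata from this farm and updates the domain in Azure AD.
    Update-MsolFederatedDomain -DomainName 'demolabs.be'
}
elseif ($local.Certificate.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning 'Expires within 30 days: ADFS AutoCertificateRollover will promote a new cert; rerun this check once it has.'
}
else {
    'OK: Azure AD trusts the current token-signing certificate.'
}
```

Schedule it to run monthly; ADFS rolls the self-signed certificate over on its own, Azure AD only learns about the new one when you (or a scheduled Update-MsolFederatedDomain) tell it.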
WHAT IS WORKPLACE JOIN?
Expanding device support with DRS (diagram): a spectrum from "Not joined to AD" (limited access, no IT control), through "Workplace joined", to "Domain joined" Active Directory devices.
STEPS TO ENABLE DEVICE REGISTRATION SERVICE (DRS) FOR WORKPLACE JOIN
Workplace Join Requirements
- ADFS 3.0 with DRS enabled and a Web Application Proxy (WAP)
- A *.domain.com certificate, or custom certificates with the SANs defined: for DRS, your SSL certificate needs to contain Subject Alternative Name entries for enterpriseregistration plus each distinct UPN suffix in use by users in your forest(s). For example:
  enterpriseregistration.demolabs.be
  enterpriseregistration.demolabs.com
  enterpriseregistration.corp.demolabs.be
- If you plan to use client certificate authentication, you must also configure the firewall to allow traffic on port 49443
- The necessary host (A) / CNAME records on both the internal and the external DNS servers

Steps to enable Workplace Join
- Create a host (A) record in the public DNS zone called enterpriseregistration.demolabs.be, pointing at the public address of the WAP
- Create a CNAME (alias) record in the internal DNS called enterpriseregistration.demolabs.be; this record points to the host (A) record of the AD FS federation service internally
- Make sure the WAP can resolve enterpriseregistration.demolabs.be (and that its certificate covers the name)

Steps to enable DRS
Remember: the new device class requires a schema change to Active Directory (2012 R2)!
- Open a Windows PowerShell window and run: Initialize-ADDeviceRegistration
  When prompted for a service account, type your gMSA account, e.g. Demolabs\svc.adfs$
- Then run: Enable-AdfsDeviceRegistration
- On the ADFS server, edit the Global Primary Authentication policy and select the check box "Enable device authentication"
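The Workplace Join and DRS steps above as one script, added here as an example and not taken from the deck. Assumed lab values: the internal DNS zone demolabs.be is hosted on a DC named dc01, the federation A record already exists, and the gMSA is DEMOLABS\svc.adfs. The public DNS record is left out because it lives at the registrar. The schema check uses the objectVersion value of the 2012 R2 schema (69):

```powershell
# Added example (not from the deck): Workplace Join DNS + DRS enablement, end to end.
# Assumed lab values: internal zone demolabs.be on DC dc01, A record federation.demolabs.be
# in place, gMSA DEMOLABS\svc.adfs. DNS part runs on the DC, the rest on the primary ADFS server.

# 1. Internal DNS: alias the DRS name to the federation service, clients inside go straight to ADFS.
#    (On the public zone the same name points at the WAP's public address instead.)
Add-DnsServerResourceRecordCName -ComputerName 'dc01' -ZoneName 'demolabs.be' `
    -Name 'enterpriseregistration' -HostNameAlias 'federation.demolabs.be'

# 2. Schema check: the msDS-Device class only exists from the 2012 R2 schema (objectVersion 69).
$schema = Get-ADObject -Identity (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
if ($schema.objectVersion -lt 69) {
    throw "Schema version is $($schema.objectVersion); run adprep /forestprep from 2012 R2 media first."
}

# 3. Create the DRS configuration and the RegisteredDevices container in AD and grant the
#    ADFS service account write access to it (the deck's interactive prompt, answered inline).
Initialize-ADDeviceRegistration -ServiceAccountName 'DEMOLABS\svc.adfs$'

# 4. Switch DRS on in the farm and require device authentication in the global policy
#    (the "Enable device authentication" check box from the slide).
Enable-AdfsDeviceRegistration
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# 5. Hygiene knobs worth setting from day one: registrations per user and when an inactive
#    device object stops being valid. Parameter names as in the 2012 R2 ADFS module.
Set-AdfsDeviceRegistration -DevicesPerUser 5 -MaximumInactiveDays 90
Get-AdfsDeviceRegistration
```

Step 5 limits how many stale objects pile up in RegisteredDevices (see the lost-device slide further on), but it does not delete them; that still needs the scripting mentioned there.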
Troubleshooting Workplace Join - Back end
Look up enterpriseregistration.demolabs.be: from the internet it should resolve to the IP of your Web Application Proxy (WAP). If no IP is resolved, check your public DNS zone and validate that the enterpriseregistration record (A or CNAME) points to the WAP.
Then type in a browser: https://enterpriseregistration.demolabs.be/enrollmentserver/contract?api-version=1.0
This is the discovery document a client fetches first; you should get a JSON answer back, not a certificate warning or a 404.
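The three back-end checks from this slide (name resolution, certificate, discovery document) as one script you can run from an outside machine. Added example, not from the deck; the host name is the lab value. It pulls the server certificate itself so it can verify the SAN list without trusting it, which is exactly where a named (non-wildcard) certificate usually goes wrong:

```powershell
# Added example (not from the deck): the Workplace Join back-end checks, scripted.
# Assumed lab value: DRS host enterpriseregistration.demolabs.be. Run from outside the network
# to test the WAP path, from inside to test the internal CNAME.
$drsHost = 'enterpriseregistration.demolabs.be'

# 1. Name resolution: WAP public address from the internet, the ADFS server from the inside.
$ip = (Resolve-DnsName -Name $drsHost -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }).IPAddress
"$drsHost -> $ip"

# 2. TLS certificate: the DRS name must be in the SAN list (or be covered by the wildcard),
#    otherwise the client fails before it ever talks HTTP to the service.
$tcp = New-Object System.Net.Sockets.TcpClient($drsHost, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })  # we inspect it ourselves
$ssl.AuthenticateAsClient($drsHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$tcp.Close()

$san  = ($cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }).Format($true)
$wild = '*.' + ($drsHost -replace '^[^.]+\.', '')
"Subject: $($cert.Subject); expires $($cert.NotAfter)"
if ($san -notmatch [regex]::Escape($drsHost) -and $san -notmatch [regex]::Escape($wild)) {
    Write-Warning "Certificate has no SAN for $drsHost (nor for $wild); clients will reject it."
}

# 3. The discovery document Windows fetches first during Workplace Join.
$contract = Invoke-RestMethod -Uri "https://$drsHost/enrollmentserver/contract?api-version=1.0" -UseBasicParsing
$contract | ConvertTo-Json -Depth 5
```

If step 1 and 2 pass but step 3 returns an HTTP error, the WAP is not forwarding the DRS path; the proxy trust or the DRS enablement on the farm is the next thing to check.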
Troubleshooting Workplace Join - Client
Event Viewer is still your best friend: Applications and Services Logs > Microsoft > Windows > Workplace Join. A typical entry when DNS or the proxy is wrong:
"URL (enterpriseregistration.xxxx.yyyy) cannot be resolved or reached."

Lost Device Protection
Devices registered via Workplace Join are stored in Active Directory in the container CN=<Device ID>,CN=RegisteredDevices,DC=mydomain,DC=com.
Lost devices can be denied access by disabling or deleting the corresponding object in AD; access through AD FS is revoked immediately for that workplace-joined client.
From our testing so far, devices that are joined, leave and re-register via Workplace Join are not cleaned up in the RegisteredDevices container. Some PowerShell scripting is currently required to enforce this.
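The "some PowerShell scripting" from this slide, written out. This is an added example, not the deck's script; demolabs.be is the assumed domain, the device ID is a placeholder to be taken from the device's Workplace Join event log or the listing the script prints, and the attribute names are those of the msDS-Device class. Disabling is preferred over deleting for the lost-device case because it is reversible:

```powershell
# Added example (not from the deck): revoke a lost device and list stale registrations.
# Assumed lab values: domain demolabs.be; $lostDeviceId is a placeholder GUID.
Import-Module ActiveDirectory

$container = 'CN=RegisteredDevices,DC=demolabs,DC=be'
$props = 'msDS-IsEnabled', 'msDS-RegisteredOwner', 'msDS-DeviceOSType',
         'msDS-ApproximateLastLogonTimeStamp', 'whenCreated'

function Get-WorkplaceJoinedDevice {
    # Every registration is an msDS-Device object whose CN is the device ID.
    Get-ADObject -SearchBase $container -LDAPFilter '(objectClass=msDS-Device)' -Properties $props
}

# 1. Lost device: disable rather than delete. ADFS stops accepting its device certificate at the
#    next sign-in, and the object can be re-enabled if the device turns up again.
$lostDeviceId = '00000000-0000-0000-0000-000000000000'   # placeholder, not a real registration
Get-WorkplaceJoinedDevice | Where-Object { $_.Name -eq $lostDeviceId } |
    Set-ADObject -Replace @{ 'msDS-IsEnabled' = $false }

# 2. Stale registrations: a re-join creates a new object and leaves the old one behind.
$cutoff = (Get-Date).AddDays(-90)
$stale  = Get-WorkplaceJoinedDevice | Where-Object {
    $_.'msDS-ApproximateLastLogonTimeStamp' -lt $cutoff
}
$stale | Select-Object Name, 'msDS-DeviceOSType', whenCreated, 'msDS-ApproximateLastLogonTimeStamp' |
    Format-Table -AutoSize

# 3. Review the list, then drop -WhatIf to actually remove them.
$stale | Remove-ADObject -Confirm:$false -WhatIf
```

Run the cleanup part on a schedule with a cut-off that matches the MaximumInactiveDays you configured on the farm, so AD and ADFS agree on what "stale" means.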
Demo: Workplace Join / lost devices
Workplace Join Hitman tool Beta available via TechNet Galleries: http://gallery.technet.microsoft.com/workplace-join-hitman-8c691238#content
ENABLE WINDOWS INTUNE THROUGH CONFIGMGR 2012 R2
Prep your ConfigMgr environment
- Implement Cumulative Update 3: https://support.microsoft.com/kb/2994331
- Hotfix: https://support.microsoft.com/kb/2990658

Intune Subscription Prerequisites
- Intune user collection (licenses)
- Company logo, 400 x 100 pixels (optional)
- (Optional) Create an APNs certificate for iOS
- (Optional) Supply Windows RT sideloading keys
- (Optional) Request/buy a Windows Phone 8 code-signing certificate and code-sign the Windows Phone 8 Company Portal app
- (Optional) Enable the Android platform
Demo: Intune subscription onboarding
Modern platforms vs features integrated into ConfigMgr (matrix; the per-platform cells are not recoverable here)
Platforms: Windows 8 RT; Windows Phone 8; iOS (5.x, 6.x, 7.x); Android (2.3+ via EAS); Android (4.0+ via native agent); Windows 8.1 (x86/x64 and RT); "Not on ConfigMgr R2 yet?"
Features: over-the-air device enrollment; available (user-targeted) applications; user and device settings management; device inventory; remote device retirement; remote device wipe (full and selective); company branding; web apps and remote apps; required application deployment; VPN/Wi-Fi/certificate profiles; additional settings

On-premises connector setup - Troubleshooting
- Intune subscription: AdminUILog\SmsAdminUI.log
- Connector setup: sitecomp.log and ConnectorSetup.log
- Connector certificate: certmgr.log

User sync - Troubleshooting
- Cloudusersync.log
- The cloud user collection in the admin console
- The cloud user ID
Demo: device enrollments
Enrollment Support Info
When you open a support case, have this ready:
- Search criteria: LSU, MSU, account ID, user ID (last 6 digits), e-mail domain or another feature-specific keyword
- Time of the incident (with time zone)
- Logs: DMPUploader.log, DMPDownloader.log, CloudUserSync.log
Example:
AccountId: 21c26ac1 29b40f
LsuId: LSUA01
MsuId: MSUA01
UserID: d7facc
Domain: contoso.onmicrosoft.com

Q & A

Evaluations
Please provide session feedback by clicking the Eval button in the scheduler app. One lucky winner will get a free ticket to the next MMS!
Tim De Keukelaere, Kenny Buntinx
MMS Minnesota 2014