

The Ultimate Intune Setup Guide – Stage 4: Enable ConfigMgr 2012 R2 Management


Now that we’ve setup our Intune cloud services, it’s time to integrate the service with our on-prem Configuration Manager 2012 R2 hierarchy.

In my lab environment, I’ve got a single Primary Site with all roles installed on the one site server. In a multi-tier hierarchy, the Intune connector roles can only be installed at the CAS site.

  1. The first thing we’ll want to do is ensure all of our prerequisites are met. If you’ve followed my previous three posts (here, here and here) you will already have Intune set up, public domains added and user accounts being synchronized. There are still some outstanding steps to get our clients working with ConfigMgr:

    Create required DNS entries

    Our enterprise Mobile Device Management (MDM) clients will automatically look for their management services via a public URL during registration. This URL is EnterpriseEnrollment.<Your Company>.com

    In my lab scenario, that would be EnterpriseEnrollment.mattslabs.com

    As we want these devices to speak via Intune for management, we need to redirect the DNS requests via a CNAME record to the Microsoft Intune management services.

    1. Open your public DNS management tools. In my example my domain is hosted with GoDaddy, so I’m using their DNS management console

      You can see here I’ve got my ADFS A record defined and the TXT record required for domain verification from this post.

    2. Create a new CNAME record, name it EnterpriseEnrollment and target it at manage.microsoft.com

    3. Note: the CNAME record you create should now point to enterpriseenrollment-s.manage.microsoft.com rather than manage.microsoft.com. See /en-us/intune/deploy-use/set-up-windows-device-management-with-microsoft-intune for more information.

    4. Save your zone file and wait until the record is replicated


    5. You should eventually be able to ping EnterpriseEnrollment.mattslabs.com, which will now resolve to manage.microsoft.com (or to enterpriseenrollment-s.manage.microsoft.com if you created the record with the updated target).

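As an added check that is not part of the original post, the PowerShell below verifies the EnterpriseEnrollment CNAME against a public resolver instead of relying on ping, which can succeed against a cached or internal answer while the public record is wrong or points somewhere unintended. It assumes the DnsClient module (Resolve-DnsName) on Windows 8 / Server 2012 or later; mattslabs.com is the post's lab domain, substitute your own.

```powershell
# Added verification script (not from the original post). Assumes Windows with the
# DnsClient module (Resolve-DnsName). mattslabs.com is the post's lab domain.
$Domain   = 'mattslabs.com'        # substitute your public domain
$Resolver = '8.8.8.8'              # any public resolver; avoids internal split-brain answers

# Both targets the post mentions: the original one and the updated guidance.
$ExpectedTargets = @('manage.microsoft.com', 'enterpriseenrollment-s.manage.microsoft.com')

function Test-EnrollmentCname {
    param([string]$Domain, [string[]]$Expected, [string]$Server)

    $name  = "EnterpriseEnrollment.$Domain"
    $cname = Resolve-DnsName -Name $name -Type CNAME -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1

    if (-not $cname) {
        return [pscustomobject]@{ Name = $name; Target = $null; Status = 'NoCnameRecord' }
    }

    # Normalise the target before comparing: trailing dot and case are not significant in DNS.
    $target = $cname.NameHost.TrimEnd('.').ToLower()
    $status = if ($Expected -contains $target) { 'OK' } else { 'UnexpectedTarget' }

    # A correct CNAME is useless if its target does not resolve to an address.
    if ($status -eq 'OK') {
        $addr = Resolve-DnsName -Name $target -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue
        if (-not $addr) { $status = 'TargetDoesNotResolve' }
    }

    [pscustomobject]@{ Name = $name; Target = $target; Status = $status }
}

$result = Test-EnrollmentCname -Domain $Domain -Expected $ExpectedTargets -Server $Resolver
$result | Format-List

if ($result.Status -ne 'OK') {
    Write-Warning "Enrollment discovery check failed ($($result.Status)); devices will not reach the Intune enrollment service."
}
```

Run it again after the zone change has replicated; an UnexpectedTarget result means the record points at a host other than the Intune service and should be corrected before any device enrols.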

  2. The second requirement is the certificates needed to push software to devices. In my lab I plan to manage Windows Phone, Android and iOS devices.

    1. Acquiring the Windows Phone certificate.

      To side-load software onto Windows Phone devices via Intune, a Symantec Code Signing Certificate is required. These certificates must be purchased directly from Symantec: https://www.symantec.com/en/au/code-signing/windows-phone/

      As I’m not willing to spend a few hundred dollars on my lab, there is a handy tool available for lab scenarios called Support Tool for Windows Intune Trial Management of Windows Phone. You can download it from https://www.microsoft.com/en-us/download/details.aspx?id=39079

      Download this MSI and leave it for later. In the next post (Stage 5), I’ll explain how to get the Support Tool working.

    2. Acquiring the iOS Apple Push Notification certificate

      To manage and deploy to iOS devices, you must have an Apple Push Notification (APN) certificate.

      Open your Configuration Manager Console, and browse to Administration > Overview > Cloud Services

      Right-click on Windows Intune Subscriptions and select Create APNs certificate request

      Set a path for the Certificate Request to be saved to


      When prompted, add your Intune Administrator credentials and press Sign in

      Once complete, close the window and browse to the location of the saved .csr file


      Browse to the Apple Push Certificates Portal https://go.microsoft.com/fwlink/?LinkId=269844

      Sign-in or create an Apple ID


      Click on Create a Certificate

      Accept the EULA

      On the Create a New Push Certificate page, select the Choose File button and select the .csr file previously generated


      Click Upload


      After the success confirmation dialog, click the Download button to download your APN Certificate


      Hold onto this file for later


  3. Next, we can start to configure Configuration Manager. Open the Configuration Manager Console, browse to Administration > Overview > Cloud Services

    Right-click on Windows Intune Subscriptions and select Add Windows Intune Subscription

    You’ll be prompted with the Create Windows Intune Subscription Wizard

    1. Press Next to start the Wizard


    2. Click the sign-in button and enter your Intune Administrator credentials


      You’ll be prompted to confirm the ownership of the Intune MDM capabilities. Essentially, if you want to use Intune for MDM, it either has to be via the Intune Web console, or via the Configuration Manager console. It is one or the other, never both.

      Tick the check-box and press OK

    3. In General Configuration, choose the user Collection whose members will be allowed to enrol their devices, set some Company Branding, and choose the Configuration Manager Site Code that any enrolled devices will be assigned to


    4. Tick the Android and iOS support buttons, and if you have a Symantec Windows Phone certificate, select Windows Phone 8

      Note: For those who are going to use the Support Tool for Windows Intune Trial Management of Windows Phone to test the Windows Phone management, don’t enable the Windows Phone 8 management. We’ll do this via the tool in my next blog post (Stage 5)

    5. Select the Apple APN certificate created earlier

    6. Provide some contact details for your users to see in the Intune Portal


    7. Add your Company Logo (if required)


    8. Complete the wizard


  4. To complete the installation process, we finally have to add the Windows Intune Connector site system role. To do this, open the Configuration Manager Console, browse to Administration > Overview > Site Configuration > Servers and Site System Roles


    Note here we have a manage.microsoft.com server in the list. This is where your apps and other content will be stored for your MDM devices when they are synchronized later

    Right-click on your Primary Site Server, and select Add Site System Roles


    You’ll be presented with the Add Site System Roles Wizard

    1. Leave the General and Proxy settings default (unless you need to go through the proxy to get Internet access)


    2. In the System Role Selection window, select the Windows Intune Connector and press Next

    3. Press Next on the Summary screen and wait for a successful completion screen


    4. After a few minutes the role should be up and running.

  5. Finally, let’s confirm that the integration and cloud sync is working. From the Configuration Manager Console, browse to Assets and Compliance > Overview > Users

    You should see all of your users listed


    Right-click on the title column, and add the column Cloud User ID

    This adds an extra column displaying the Cloud User IDs that have come from the Intune service. If the Cloud User ID is empty, that user will not be able to enrol their device or access any of the Intune services.


    Finally, browse to https://portal.manage.microsoft.com to view your ConfigMgr Intune Branding

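Because later ConfigMgr builds removed the Cloud User ID column from the console (as raised in the comments below), here is an added PowerShell example, not from the original post, that pulls the same check from the site database and lists the users who cannot enrol yet. It assumes the SqlServer module (Invoke-Sqlcmd), read access to the site database, and that the value is exposed as the CloudUserId0 column of v_R_User (verify against your schema); the server and database names are placeholders.

```powershell
# Added example (not from the original post): find users the Intune cloud sync has not
# yet given a Cloud User ID. Assumptions: Invoke-Sqlcmd is available, you can read the
# site database, and the column is CloudUserId0 in v_R_User (check your schema).
$SqlServer = 'CM01'      # placeholder: your site database server
$SiteDb    = 'CM_PS1'    # placeholder: CM_<SiteCode>

$Query = @"
SELECT u.User_Principal_Name0 AS UPN,
       u.Mail0                AS Mail,
       u.CloudUserId0         AS CloudUserId
FROM   v_R_User AS u
"@

function Get-CloudUserSyncState {
    param([string]$ServerInstance, [string]$Database, [string]$Sql)

    $rows = @(Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $Sql)

    # SQL NULL comes back as DBNull; treat NULL, empty and whitespace-only values as "not synced".
    $missing = @($rows | Where-Object {
        $id = $_.CloudUserId
        ($null -eq $id) -or ($id -is [System.DBNull]) -or ("$id".Trim() -eq '')
    })

    [pscustomobject]@{
        TotalUsers   = $rows.Count
        SyncedUsers  = $rows.Count - $missing.Count
        MissingUsers = $missing | Select-Object UPN, Mail
    }
}

$state = Get-CloudUserSyncState -ServerInstance $SqlServer -Database $SiteDb -Sql $Query
'{0} of {1} users have a Cloud User ID' -f $state.SyncedUsers, $state.TotalUsers
# Users listed here will not be able to enrol a device or reach Intune services until the sync catches up.
$state.MissingUsers | Format-Table -AutoSize
```

If a user is missing here, check the account is in scope for directory synchronization and licensed in Intune before looking at the CloudUserSync log.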

We’ve now successfully configured the Configuration Manager integration with Intune.

Comments

  • Anonymous
    January 01, 2003
    Thanks a lot for all your posts
  • Anonymous
    September 09, 2015
    Hi Matt,
    Really fantastic blog series you have here, it's been very helpful. I've followed through with a lot in these series but there's one thing I'm wondering;
    When I go to Users under Assets and Compliance and right click on the title bar, I don't see an option for "Cloud User ID". Was this removed in 2012 R2 SP1? I've checked my cloudusersync.log and everything looks fine, I just don't have that column available, which of course makes me question if I've done something wrong...
  • Anonymous
    September 28, 2015
    Hey @JonRohrich. You're right, the column has been removed. If you want to confirm the CloudUserID is syncing correctly, you'll need to query SQL.

    select * from v_R_User
  • Anonymous
    October 09, 2015
    Thanks for the posts, very handy. Do you know if it is possible to manage more than one Intune tenant with a single SCCM environment? Once you've added your first Windows Intune subscription, will it allow you to add another?
  • Anonymous
    October 12, 2015
    Hey @Mike Elliott. No, you can only have one Intune tenant per ConfigMgr hierarchy.
  • Anonymous
    November 11, 2015
    Great article Matt. Do you have an article on Conditional Access with an On-Premise Exchange? Is the Exchange Connector really mandatory for Conditional Access to work? Thanks!
  • Anonymous
    November 11, 2015
    Hey @BSR1979at. A post on Conditional Access would be great. I'll add it to my list of to-do's.
    Yes, the Exchange Connector is mandatory. We use it to sync the EAS (Exchange Active Sync) ID's to Intune.
  • Anonymous
    November 12, 2015
    Hey Matt, thanks for your quick response. Can you point me to a way how to handle the transition for active ActiveSync devices ? Compliance policy on the SCCM is active (mandatory password, email must be enrolled with Intune, etc.) If I enable the Exchange Connector that will override the ActiveSync policy on the Exchange right? (currently all devices must be approved from an admin). Do we need to remove the active email profile on the active EAS devices an then enroll with Intune (email Profile will be pushed). Thanks!
  • Anonymous
    November 25, 2015
    Hi BSR1979at. If you want to use Intune Conditional Access, you need to disable all the Exchange Allow/Block/Quarantine rules.
  • Anonymous
    January 12, 2016
    Hi Matt, very useful posts, thank you. however, I'm not seeing the "Windows Intune Connector" in the System Role Selection window. I have one site code, I have one server and it's primary, I've successfully added my Intune Subscription, but still no connector! Any ideas?
  • Anonymous
    June 07, 2016
    Hi, I've SCCM 1602 for one of my customers and we've added the Intune subscription without any issue, but when I run "Add System Role Wizard" on the primary SCCM Server, I don't have any option to select "Windows Intune Connector" in my Wizard. Am I missing anything? Any help in this regard will be highly appreciated. Thanks.
    • Anonymous
      June 07, 2016
      Hi, The Windows Intune Connector has been renamed from 1511 to the Connection Service Point. Matt
      • Anonymous
        June 08, 2016
        I am having the same problem. I don't see 'Connection Service Point' either.
        • Anonymous
          June 14, 2016
          There's no 'Service Connection Point'?
  • Anonymous
    July 28, 2016
    Hi. I have a problem. I connected a trial Intune tenant to SCCM. MDM works correctly, but the customer bought 50 EMS licences in a new tenant. Can I delete the old subscription and add the new one? Many thanks. Sorry for my English. Jiri
    • Anonymous
      July 31, 2016
      Hi Jiri. Yes you can, however remember you can only have ONE Intune subscription assigned per Configuration Manager hierarchy, and that ALL devices will need to re-enroll once you've changed Intune subscription. Matt
  • Anonymous
    November 21, 2016
    Hi, thanks, it's very helpful. A doubt: is it possible to enroll devices with a cloud ID (created in Azure AD, not an on-premise Active Directory user)? I tried to login and am getting an error that this user is not licensed to use Company Portal. Is it possible to allow Cloud Users to enroll devices when SCCM is integrated with Intune?
    • Anonymous
      November 21, 2016
      Hi Nagameena. No, it's not possible to use Intune hybrid without onprem identities. In this scenario, you should be using Intune standalone. Matt
      • Anonymous
        December 02, 2016
        Thanks Matt... it was very helpful. A few questions: 1. Every time I create a new user in on-premise Active Directory, it gets populated in cloud Azure AD properly within the defined time. But the CloudUserID is not getting generated automatically. The SMS_Executive service has to be restarted and CloudUserSync has to be restarted in regedit. This is annoying, please help.
        • Anonymous
          December 04, 2016
          That definitely shouldn't be happening. I suggest raising a case - it should be pretty obvious from the CloudUserSync logs as to what the cause is.