X

Intune and Exchange ActiveSync (Part 2)

If you would like to read the other parts in this article series please go to:

Preparing to Manage Windows Phone Devices

Windows Phone devices are the ones that require more Intune preparation work so they can be enrolled and managed. Before we can use Intune to manage Windows devices, we must establish a trust relationship between the device and Intune. Certificates allow Intune to establish an accredited and encrypted IP connection as well as app-signing to help protect devices from malware.

To support the Company Portal app for Windows Phone 8.0 and to deploy company apps to Windows Phone 8.1 we must get a Symantec Enterprise Mobile Code Signing Certificate. We cannot use a certificate issued by our own certification authority because only the Symantec certificate is trusted by Windows Phone devices. This certificate is used to:

  1. Sign a company portal app for deployment to Windows Phone 8.0 for enrollment and phone management;
  2. Sign company apps so Intune can deploy them to Windows Phones 8.0 or 8.1.

To do this, we need a developer account, a Symantec code signing certificate plus a few other bits and pieces. The entire process is very well documented on the Internet, so I will not cover this in here and will skip to Windows Phone 8.1 devices. For these, we only need the above if we want to deploy line-of-business applications to the devices. As we simply want to manage the devices themselves, the process is much easier.

First we need to configure a DNS CNAME to help users connect to the Intune company portal. A DNS alias (CNAME record type) makes it easier for Windows Phone and Windows device users to enroll their devices by not asking users to provide the server name during enrollment. To achieve this we need the following two records:

TYPE

Host Name

Points to

TTL

CNAME

enterpriseenrollment.company_domain.com

manage.microsoft.com

1 Hour

CNAME

enterpriseregistration.company_domain.com

enterpriseregistration.windows.net

1 Hour

In my case I have created these records for my nunomota.pt domain as follows:


Figure 1

Because I signed in using my Office 365 credentials, Intune is using the same Azure AD and my Office 365 tenant. As such, I already have my nunomota.pt domain added and verified in the Intune Account Portal:


Figure 2

If you do not, you can easily add your domain by clicking on Add a domain and then following the easy step-by-step instructions. Once you have added and verified your domain, go back to the Intune administration console, click ADMIN > Mobile Device Management > Windows Phone. Type the verified domain in Step 1: Enrollment Server Address box and then click Test Auto-Detection:


Figure 3

If all the DNS records are in place, the test will be successful:


Figure 4

As we can see from the screenshot below, we can now start managing Windows Phone 8.1 devices without the need for the code signing certificate as long as we do not want to deploy apps to these devices:


Figure 5

Preparing to Manage iOS Devices

Let us move on to iOS mobile devices now. Before we can use Intune to manage these devices, we need to get an Apple Push Notification service (APNs) certificate. This certificate allows Intune to manage iOS and establish an accredited and encrypted IP connection with the mobile device management authority service (Intune in this case).

To get such certificate:

  1. As an administrative user open the Microsoft Intune administration console and go to ADMIN > Mobile Device Management > iOS:


Figure 6

  1. Click on Enable the iOS platform which will take you to the Upload an APNs Certificate screen:


Figure 7

  1. Click Download the APNs Certificate Request. Save the certificate signing request (.csr) file locally. The .csr file is used to request a trust relationship certificate from the Apple Push Certificates Portal;
  2. Go to the Apple Push Certificates Portal and sign in with your company Apple ID to create the APNs certificate. This Apple ID must be used in future to renew the APNs certificate.


Figure 8

  1. Once you login, click on Create a Certificate:


Figure 9

  1. Accept the terms and conditions and click Accept;
  2. Upload the APNs certificate request created earlier by using the Browse... button and click Upload:


Figure 10

  1. Next, download the APNs certificate and save the file locally. This APNs certificate (.pem) file is used to establish a trust relationship between the Apple Push Notification server and Intune’s mobile device management authority. Notice that it is only valid for 1 year so we will have to manually renew it every year:


Figure 11

  1. Back in the Microsoft Intune administration console, click Upload the APNs Certificate. Browse to the certificate (.pem) file and click Open. You can enter the Apple ID used to create the certificate if you want Intune to remember which Apple ID you should use for annual certificate renewal. With the APNs certificate, Intune can enroll and manage iOS devices by pushing policy to enrolled mobile devices. Click Upload:


Figure 12

  1. We are now ready to enroll and manage iOS devices:


Figure 13

Preparing to Manage Android Devices

Last but not least, we get to Android devices. The good news is that Intune management of Android mobile devices does not require any additional configuration! We can verify this by going to ADMIN > Mobile Device Management. Here we should see Ready for enrollment under Android:


Figure 14

So now we are ready to start enrolling and managing Windows Phone, iOS and Android devices. But before we do so, we need to add users to Intune and assign them an Intune license.

Adding Intune Users and Assigning Licenses

Before a user can access Intune or enroll a device, an administrator must complete the following tasks:

  1. Add user accounts: each user account we add to our subscription is stored in our instance of Azure AD, which provides identity and directory services for our subscription. When we use other cloud services with the same account, such as Office 365, some user accounts might already be available in the account portal. In this case, all we have to do is assign a license for Intune to those user accounts. There are three ways to add new user accounts to the account portal (we can use any combination of these): manually add users, import multiple users from a CSV file or synchronize user accounts from our on-premises AD.
  2. Set the sign-in status: before a user can sign in to Intune, the user account must have a sign-in status of Allowed. When we add user accounts to our subscription by using any method, Intune assigns the user account a sign-in status of Allowed. When we add user accounts by bulk-import using a CSV file, we can change the sign-in status to Blocked. We can also change the sign-in status for a user at a later time when we edit the settings of that user account.
  3. Assign a license to user accounts to use Intune: before a user can access resources for Intune, the user account must have a license to use the subscription. By default, when we manually add or bulk import user accounts to our subscription, Intune assigns an available license to the user account. Similarly, we can edit a user account to add or revoke the license at a later time. When we use bulk-import to add multiple user accounts, the choice to assign a license applies to each user account we import at that time. User accounts that are added to our Azure AD from an AD synchronization are not automatically assigned a license by Intune.

In my case, as I signed in to Intune using my Office 365 credentials, Intune will use the same Azure AD as my Office 365 tenant. This means that through Intune I should see all the users I added or created in Office 365. Because I had already set up directory synchronization using Azure Active Directory Synchronization tool (AADSync), all I need to do is assign an Intune license to my users. To do so, in the Intune Account Portal go to Users:


Figure 15

As I mentioned, all my Office 365 users are already listed:


Figure 16

If we check any of them, we will see that they do not have an Intune license assigned. To assign an individual user a license, all we need to do is select the Microsoft Intune box and click Save:


Figure 17

We can easily apply a variety of filters to our user list. For this scenario, the most useful one is the Not Microsoft Intune users which will list all the users that do not currently have an Intune license assigned:


Figure 18

If you need to add individual users:

  1. In the Intune account portal, click New > User to start the New user wizard:


Figure 19

  1. On the Details page, complete the required fields:


Figure 20

  1. On the Settings page decide if the user will have any administrative permissions and set its location:


Figure 21

  1. On the Group page, click Next to accept the default and assign a license for Intune to the user’s account. This will count against the set of 100 licenses that we have available as part of our free trial:


Figure 22

  1. On the Email page, specify up to five email addresses that will receive notification of the user name and temporary password for the account. Separate multiple email addresses by semicolons (;). When ready, click Create to add the user to your subscription.


Figure 23

  1. On the Results page we can view the new account name and its temporary password (Intune automatically creates the temporary password):


Figure 24

The new user now appears in the Users node of the account portal.

To bulk-add users we upload a comma-separated values (CSV) file that contains our user data. The CSV file we upload requires that the first row contains in correct sequence each of the user data column labels. These can be First Name, Last Name, Job Title, City, etc., but the only two that are required are User Name and Display Name. Then, for each user in the CSV file, we must include the user name (such john@nunomota.pt) and a display name (like John Doe).

We can also use the CSV template provided in the Bulk add users wizard:


Figure 25

The whole process is very straightforward so I will not be covering it as it is not the main objective of this article series.

Conclusion

In this part of this article series, we had a look at what needs to be done before we can start managing Windows Phone, iOS and Android devices. We also looked at how we can add users and assign Intune licenses. In the next part we will look and Intune groups and Intune Mobile Device Security Policies.

If you would like to read the other parts in this article series please go to: