Join David M. Franklyn for an in-depth discussion in this video Configuring Windows Intune Integration, part of Microsoft System Center Configuration Manager Essential Training.
- [Instructor] So on our third demo, we're going to go ahead and set up Windows Intune Integration with Configuration Manager 2016. And before we do that, let's take a very quick look at our Microsoft Intune infrastructure we have and we get to that by going to a web browser, because Microsoft Intune is cloud based and therefore, the console is an actual webpage. But we'll go ahead and type in the URL, https://www.office.com and then we're going to log in with the account that we have for this.
So I've made an account, just named after me and the password, I'll put in the password. I won't tell you what that is though. Because that is private. But in your case, your account is what you will use when you sign up for Intune and as you can see, this is Office 365. But Office 365 has the admin page and in the admin page, then on the right hand side, you'll have a console tree that shows you all the different things you can do in Office 365, including at the bottom, the admin centers for three important parts, security, compliance, Azure AD, for the Azure active directory, and Intune.
So I'm going to go to Intune, so this brings up the Intune console, or the main page console, and from here there's a variety of things you can do, from getting started to a system overview, mobile device management. We scroll a little bit to the left, there's the mobile app management. We really haven't done anything because the purpose of what we're doing now is the integration of this console and all the functionality that it has, into Configuration Manager current branch. So what we're going to do is just going to minimize this at this time and now go and complete the steps to get to the point where we're actually integrating.
And we do this from NorthAm-CFG2 and in the Configuration Manager console, and I believe this is the website we're in. Let's go ahead and close that. So we want to go to the Configuration Manager console, and in the administration workspace, we're going to go to our site configuration, and then Servers and Site System Roles. And there's our server right there. So at this point, we want to find the distribution point and add the certificate we've created for it to that distribution point.
So here we see is the distribution point, we can right click it and go to properties, we'll go to properties in the ribbon. So what we're going to do here is previously we had this just in HTTP, that we wouldn't have to worry about certificates, mobile devices or Mac computers. Now we're going to switch over to HTTPS. And once you do that, we need to change the type of connection to allow both intranet connections, as we've already had, and also internet. So, here is Allow Intranet and Internet Connections.
Now, if you ever check on this, and there's nothing in there except allow intranet only connections and the other two options are present, that is because you didn't put a fully qualified domain name when you installed the last role, so just go ahead and add another role and make sure you put in the fully qualified domain name of the system. Which you should have done anyways. Or, if you're not set up to native mode. But you should be in the case of how we've installed everything. But in any case, now that we're allowing intra and internet connections, we want to import the certificate.
So you notice here, create a self-signed certificate, no, we're going to import a certificate and we're going to browse for and find a certificate file we had before for the distribution point. So we click Browse. And if you remember these we put at the root of the D drive and there's the DPCert we want, right there, and we click on Open and it requires the password. The password we put in earlier, which is capital P, a, 5, 5, w, ., r, d, and then click OK and now we have set up that site system role to have a certificate.
Now we're going to set a similar functionality on the management point. So again, we've still selected NorthAm-CFG2 and down in the site system roles detail pane, click Management point, right click it, and then properties. And then we also want to make sure HTTPS is selected, rather than HTTP and we also want to allow intra and internet connections. So we select the bottom one there. And we're also going to select Allow mobile devices and Mac computers to use this management point.
Now, if you didn't have any mobile device or Mac computers, obviously you wouldn't need to select that. And in the case of our Windows Intune subscription, we don't actually have any at this time. But for many folks, in the past they've used Microsoft Intune to do mobile device management because Configuration Manager didn't, or wasn't able to do it. But now that we can integrate them, we can take the mobile devices that are being managed by Intune and also be able to manage them in the System Center Configuration Manager console.
So, by checking this, it just allows that to happen. And now we're going to click OK. So that part is done. Now, we're going to add a site system role. So, in the details pane on top, ensure NorthAm-CFG2 is selected, and you can go to the home tab and see this, or you can just simply right click it. What we're going to do is add site system roles and that brings up the add site system roles wizard. So what I was talking about before, when you only see the intranet connection and none of the others, you got to make sure that you have the fully qualified domain name to find things on the internet, added to this area when you're adding a site system role.
But in this case, we already have it so we click Next. We're not using a proxy server at this point, at least to connect to the internet, click Next. And we want to add the enrollment point and also the enrollment proxy point. The enrollment proxy point just facilitates at both ends of the connection, the outside client coming in and the inside, the firewall specification that you have for Configuration Manager. And then click Next on that. And now we get the specify enrollment point settings, so we can put this in.
And in the specify enrollment point settings, we're not really going to make any changes here, notice it's still HTTPS, and we're going to use the computer account of the enrollment point, rather than user account, so click Next. And really the same applies for the enrollment proxy point. We're using HTTPS; of course HTTPS uses port 443 by default, so we're not going to change that. You could, theoretically, to add to extra security, come up with a different port number, but all your client connections and everything in between will have to know that.
So you'd have to basically enable that new port number for HTTPS at both ends of your communication. We're not going to do that, we're going to click Next. And now we'll just confirm the settings. And those roles were added successfully, we can say Close. And now we're going to go up one to our sites and we see our site here and we want to go to the properties of our site, not the properties of the site system, but the properties of the site.
And in the properties of our site we want to go to the client computer communications tab, that's right here, and in this case we're going to add the certificate we had, so we're going to check the Use PKI client certificate (client authentication capability) when available, and then in the trusted root certificate authority, we're going to set up the certificate authority we're going to use, which is the root certificate authority. So click Set on that, and now it wants us to enable that root certificate authority.
So we're going to click the New button here. And in the New button we need to find the root certificate that was created on the domain controller. It was not created as part of this particular course. But when the certificate services were first installed and installed correctly, one of the tasks you do when just setting up an Active Directory certificate server is to go in and make a copy of the root certificate, so you can place it on other existing computers.
So we're going to type here in the URL of the open box, \\dc1\c$ and then we'll see the root Dave certificate that I made for this and say Open on that, and that is the certificate, that is the root certificate that we want to provide and then say OK and finally, OK again. And from here, we'd normally go on to add the Microsoft Intune subscription directly to our site.
And this requires us to go up to the cloud services node within administration and then go to Microsoft Intune subscriptions and add it. But you can see it's grayed out here. So why is that? Well, initially if you remember, we didn't install a service connection point on this site when it was a standalone because we knew that the CAS, the CIS on Central CFG1 would take over that role. So what that means is we need to do the adding of the Microsoft Intune subscription on the CAS.
So now let's go over to Central CFG1 and configure it. So here we are on the Central CFG1, we want to go to administration then cloud services, open cloud services if it's not already open. And then select Microsoft Intune subscription and then we click add Microsoft Intune subscription. And we get the create Microsoft Intune subscription wizard. So, we are going to do this. Note in the getting started, there's a lot of information about this.
You sign into it with the Microsoft Intune organizational account and password to complete the wizard and that's what I showed you earlier when I used the browser to log in to my Intune site. So you need the same credentials for yours. And then we click Next here and now we're going to sign in and if you don't have one, you can subscribe. If you click this link it will take you to a page where you can sign up for it and get it. Now I do want to mention that you can get a trial subscription of Microsoft Intune and it used to be, of course, this one that was part of Office 365.
But Microsoft is in the process now of moving Intune from Office 365 into Azure. And I really can't tell you what the process will be once that happens but I can probably assure you, or in most cases assure you, that they will still have a trial subscription you can try for even demonstration purposes or learning purposes here. I'm not sure where it will be. So here if you click this link you can get a trial or pay for one. I'm not sure that link would remain fresh.
But perhaps in another current branch version, they'll update it there as well. So in any case, I'm going to sign in and here's a very important message in this pop-up window. So, when you set this up, it's permanent. It says, are you sure you want to permanently use Configuration Manager to manage mobile devices? So if you set this up, you really can't go back. You cannot change the selection at a later time. So they make you click the box that says I understand that.
And once you've completed the whole task, then it's too late, so keep that in mind as well. I'm going to click OK now and it will take me to my subscription page. And I'll go ahead and sign in. So it's on microsoft.com and put in my correct password and then sign in. Okay, and so it's found it. Once this is grayed out you can click Next and now you can specify the user collection whose members will be able to enroll their devices for management and if you click browse, it will take you to the user collections.
Now in the case of what I have here, I don't have any user collections at this time. I just didn't make one for purposes of concentrating on the hierarchy rather than the actual collection tasks. So I'm just going to use the All Users here and in the real world you'll have one that you'll create that you want to designate for this. You'll probably have users in a variety of different collections depending on how your company is set up, how your infrastructure is set up. You might have geographically related users.
For example, I could put in Seoul, Korea users and then the Charlotte IT team, or perhaps the Atlanta Executives, things like that that I might put in my company, but at this point we don't have any, so we're just going to use All Users. Say OK and we can put in things like the company name, and a URL to company privacy documentation if you have that, because what we're saying is, okay someone's got a smartphone and they're going to use that smartphone to connect to the company and maybe peruse different folders and shares and maybe open up documents and work on them, even when they're not in the office and that's fine, but should they expect privacy for their device and the private things they have on it, and should the company expect a segregation of the company corporate data from anything you're doing privately, like Facebook or something.
Notice the device enrollment limit. At first, it doesn't seem like much but this is the maximum numbers that a single user can enroll. So now we're going to click Next and now we can put in specific company contact information. So I'm just going to put here, Veteran IT Person that we created earlier and we can put in a phone number and then an email address, and remember we added the VetITP@DaveMCT.com email address into the active directory properties.
And a support website. So you can have a support website URL, where you could have, perhaps links to help pages for those who are trying to enroll their device or connect to the company with their device and it's not working and tell them what to do or who further to call. We can also have a specific website that the user will see upon entering through the portal and any additional information we could have and that could include help desk numbers, 24/7 help desk numbers et cetera.
Click Next. We can even include a company logo if we have one. It doesn't have to be the default. In our case, we're not going to do it, so it's just going to be the default. It will be this color scheme. Click Next. The device enrollment manager. So here we can actually add a person who can enroll devices for others. So we're going to click Next on that, since we don't have a device enrollment manager set in this very small number of user domain. And then in multi-factor authentication, you can set this up.
Now this can only be used with Windows products, or in this case, Windows 8.1 or Windows Phone 8.1 and above. So that would also include Windows 10, it would also include Windows 10 mobile, which is an actual operating system for a phone. But in this case we're not actually setting it up for this, so we're not going to turn it on. We'll just say Next and in the summary we'll say Next. And there you go. Now we can say Close. And now we see our Microsoft Intune subscription.
Within it we can go to configure platforms and the platforms, of course, are listed here. We have Android, iOS, and Mac OS X through mobile device management that was previously in Intune. And Windows and Windows phone. Windows includes Windows 10 and Windows mobile. So when we talk about Windows phone, more specifically we're talking about Windows phone 8 or 8.1. So at this point we have now added our Microsoft Intune subscription.
So now we're going to enroll and configure an actual Windows 10 device. So we're going to add a Windows work group computer into the device enrollment. So we need to do this from the NA1 primary site. We're still in central, so let's go ahead and switch over to it. And here we are back on NorthAm-CFG2. So we're going to go to the administration workspace in the console, and then we're going to go up to client settings, or down as the case may be.
And in client settings, in the default client settings, we're going to double click it, and go to the enrollment page. So here in enrollment, we have our various settings, and under user settings, we're going to allow users to enroll modern devices. We're going to say yes to that. And in the set profile, we're going to create one, and we will click in the enrollment profile pop-up window, Create, and we're going to name this the DaveMCT Mobile Enrollment and the management site code will be NA1 and that's all we need to do there.
Click OK. And then click OK again. Now one thing I do want to add about this is we did not select the allow user to enroll mobile devices and Mac computers. Beyond that, just modern devices, which includes just the Windows 10, whereas, this is much broader, enroll mobile devices will be Android, will be iOS, and even Mac computers with the OS X operating systems. So we're not setting that up at this point. So we can say, now that we've set up modern devices, we can say OK, and the next thing we're going to do is set up a certificate profile and we're going to the assets and compliance page and we're going to create a certificate profile here in compliance company resource, and here it is, company, scroll down here a little bit, company resource access.
So this just allows someone to come in and use resources in the company or the organization, but provide a certificate for them to do so before they're allowed to do so. So in this case, we're going to create a certificate profile by selecting certificate profile and then create certificate profile, and we're going to name this DaveMCT Cert Profile, and in this case, we are going to configure a trusted certificate authority certificate, and click Next, and then we're going to import the certificate.
And this is going to be the root certificate. So, once again, we are doing this as administrator. We're on DC1 connected to the admin share for the C drive and there we see the root Dave cer and that's exactly the one we want. So we're going to select it and click Open, and notice it comes up with a certificate thumbprint, which is like a hash value, and click Next. Just want to make sure, before I finish clicking Next, that we're going to the proper destination store.
And it's going to the root destination store and that is correct. In the select platforms that will be provisioned with a certificate profile, we want Windows 10. Now if you expand it, we can go to different versions of Windows 10. But in this case, we're just selecting all of them and then click Next and then Next on confirm the settings and then close. And that is pretty much all you need to do then to integrate Microsoft Intune into Configuration Manager.
The next step, of course, would be to add your individual devices that you have. All your different mobile devices from the internet in to it. We're not doing that here. This ends our demonstration on configuring Configuration Manager and Microsoft Intune.
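As an added pre-flight check for the certificate steps in this walkthrough (the DP and MP switch to HTTPS, and the trusted-root certificate profile), the PowerShell below is example code and is not part of the course transcript or of Configuration Manager. It assumes the DP certificate PFX is at D:\DPCert.pfx (the video puts DPCert at the root of the D drive), that the exported root CA .cer lives under \\dc1\c$ under a placeholder file name, and a placeholder FQDN for NorthAm-CFG2; replace all three with your own values. It reports the thumbprint, expiry, Server Authentication EKU, name match and chain status of the PFX, whether the root certificate is a CA certificate already in the local machine's Trusted Root store (its thumbprint is the value the Create Certificate Profile wizard displays), and whether the site system answers on port 443 once the roles are set to HTTPS.

```powershell
# Added example, not from the course: pre-flight checks for the certificates used when
# switching the DP and MP to HTTPS and building the trusted-root certificate profile.
# The paths and FQDN below are assumptions; replace them with your own values.
$DpPfxPath      = 'D:\DPCert.pfx'                       # video puts DPCert at the root of D:
$RootCerPath    = '\\dc1\c$\RootCA-PLACEHOLDER.cer'    # placeholder name for the exported root CA
$SiteSystemFqdn = 'northam-cfg2.placeholder.local'     # placeholder FQDN of NorthAm-CFG2

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage: Server Authentication

function Test-SiteSystemPfx {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$ExpectedFqdn
    )
    # Get-PfxCertificate prompts for the PFX password interactively, so the
    # password never lands in the script, the command history or a transcript.
    $cert = Get-PfxCertificate -FilePath $PfxPath

    $hasServerAuth = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ServerAuthOid })
    $sanNames      = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $cnPattern     = 'CN=' + [regex]::Escape($ExpectedFqdn) + '(,|$)'
    $nameMatches   = ($sanNames -contains $ExpectedFqdn) -or ($cert.Subject -match $cnPattern)

    [pscustomobject]@{
        File          = $PfxPath
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint      # SHA-1 of the DER encoding, as shown in the console
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey   # the DP/MP needs the private key to terminate TLS
        ServerAuthEku = $hasServerAuth
        NameMatches   = $nameMatches          # internet clients connect by this FQDN
        ChainsToTrust = $cert.Verify()        # builds a chain against the local machine stores
    }
}

function Test-RootCertificateInstalled {
    param([Parameter(Mandatory)][string]$CerPath)
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

    # Basic Constraints must say CA=true for this to be the issuing root rather than a leaf.
    $basic = $root.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $installed = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $root.Thumbprint }

    [pscustomobject]@{
        File          = $CerPath
        Subject       = $root.Subject
        Thumbprint    = $root.Thumbprint   # compare with the thumbprint the certificate profile wizard shows
        IsSelfSigned  = ($root.Subject -eq $root.Issuer)
        IsCa          = [bool]($basic -and $basic.CertificateAuthority)
        InTrustedRoot = [bool]$installed
        NotAfter      = $root.NotAfter
    }
}

function Test-HttpsListener {
    param([Parameter(Mandatory)][string]$Fqdn, [int]$Port = 443)
    # After the DP and MP are switched to HTTPS they must answer on 443, the default from the video.
    $result = Test-NetConnection -ComputerName $Fqdn -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Fqdn = $Fqdn; Port = $Port; TcpOpen = $result.TcpTestSucceeded }
}

Test-SiteSystemPfx -PfxPath $DpPfxPath -ExpectedFqdn $SiteSystemFqdn | Format-List
Test-RootCertificateInstalled -CerPath $RootCerPath | Format-List
Test-HttpsListener -Fqdn $SiteSystemFqdn | Format-List
```

Run it in an elevated Windows PowerShell session on the site system before changing the DP and MP to HTTPS: a PFX without the private key or without the Server Authentication EKU, a subject name that does not match the FQDN internet clients will use, or a root that is not yet in Cert:\LocalMachine\Root are the usual reasons the HTTPS roles install but clients fail to connect, and the same root thumbprint should appear in the certificate profile you create later.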