You don't sync accounts to "publicly available domains" at all. They are synced to Windows Azure. That's a prerequisite if you want to manage them that way.
What MDM features have you planned to implement or are requested?
Torsten,
Thank you for the reply. All the how-to's I've seen including this one on Technet,
http://technet.microsoft.com/en-us/library/jj884158.aspx
steps through the process and states "All user accounts must have a publicly verifiable domain name that can be verified by Windows Intune". I realize Intune integrated ConfigMgr is a pre-req. to manage iOS mobile devices. And, I know it doesn't matter if the device is company owned or BYOD. My point is SCCM MDM seems more BYOD focused. Otherwise, why should I need to sync to Windows Azure if all the resources needed [Active Directory, System Center, the iPad] are all on my internal network is all I'm saying.
Ultimately I would like to be able to use SCCM to deploy apps to company owned iPads, and wanted to get input from other users who are using SCCM to deploy apps to iPads, to find out how effectively that setup has worked for them.
Hi Edd,
I don't really understand your statement either, so sorry about that.
What I can say is that Configuration Manager is focussing on Mobile Device Management in general no matter if the devices are company-owned or not.
You can influence Ownership of a device (Personal vs Company). Based on that criteria you can deploy different settings for instance.
The reason why you need DirSync is to understand which Domain User Accounts are allowed to enroll a d
I agree with the other posters. The unified solution of ConfigMgr 2012R2/Windows Intune is perfect for all Mobile Device Management, not just iOS devices.
The question of BYOD is irrelevant. A device is a device, no matter who owns it. Nico has mentioned the functionality included in this solution - assigning ownership of the device (Personal v Company). You can, for example, then deploy apps to Company devices only. Note that the default ownership for a device is Personal.
Here is how you implement MDM with ConfigMgr 2012R2 & Windows Intune.
http://www.gerryhampsoncm.blogspot.ie/2014/01/mobile-device-management-in-sccm-2012-r2.html
Thanks for the reply and the link.
I used your article along with the step-by-steps on Technet, but cannot get devices to enroll, neither Android nor iOS works. I set up my public UPN and Dirsync. My test AD accounts are syncing with my public UPN to Intune okay. I've set up the Intune connector and enabled Android and iOS with the APN cert., installed the site role and set the All Users and User Groups collection to be able to enroll devices. I've verified my test accounts are in Config Manager as well. I can log in to Intune and the company portal with my user accounts okay. But, when I try to enroll my devices is where I run into issues.
From the dmpdownloader.log I get the following error when I try to enroll an iPad:
ERROR: Service health log: APNS certificate for account id 'XXXX-XXXX-XXXX-XXXXXX' is missing or invalid
When I try to enroll an Android I get the following error:
ERROR: Service health log: Failed to load Enrollment Policy for accountId 'XXXX-XXXX-XXXX-XXXXXX' , userId ******************************41d7c5
I've tried with multiple user accounts. I've tried disabling and re-enabling the Android and iOS connectors in SCCM. I've tried recreating my Apple cert. I'm stuck, and don't know what else to do at this point to get it working. Any help is appreciated.
I created an "Intune Users" collection and added my synced test accounts to that collection. Then I configured the Intune subscription in my Config Manager to use that collection to be able to enroll devices. But, I still can't enroll either device, iOS or Android. I get the same errors in the dmpdownloader.log mentioned in my previous post.
As an added note, I'm using SP1 not R2. Not sure if that matters, but thought I would point that out.
- Edited by Edd B 12 hours 38 minutes ago
- Edited by Edd B Thursday, January 16, 2014 11:47 PM
Because you are having difficulty with both iOS and Android this would seem perhaps to be a general issue rather than device specific.
The dmpdownloader.log file deals with messages downloaded from Intune (not much success there). What does the dmpuploader.log file say (this should verify that the Intune Connector is able to upload policy to the Windows Intune service)?
Have you tried re-creating the entire Windows Intune Connector, i.e. add and remove the Windows Intune Connector site system role (not to be confused with the Intune Subscription on which you carry out device-specific configuration)? When you add the Connector again, verify the installation in the Sitecomp.log.
Have you checked CloudUserSync.log on your Intune Connector server? You should see a line(s) with:
Total Successfully added users to Cloud = _some_number_
If you don't see the line, the clients don't have a right to enroll devices.
I suspect that there is some problem with your UPNs somewhere (e.g. AD user accounts have incorrect UPNs).
Panu
So I deactivated my Dirsync, and deleted my synced account from Intune. Removed the Intune connector in Config Mgr. Removed the Intune role, and rebooted the server. Then went back into my Intune account and reactivated Dirsync. From the cloudusersync log I get the following errors:
* Starting user sync ... SMS_CLOUD_USERSYNC 1/21/2014 10:16:13 AM 4264 (0x10A8)
* WARNING: Failed to get lsu url. default release one will be used. exception = System.NullReferenceException: Object reference not set to an instance of an object.~~ at Microsoft.ConfigurationManager.DmpConnector.UserSync.CloudUserUpload..ctor() SMS_CLOUD_USERSYNC 1/21/2014 10:16:13 AM 4264 (0x10A8)
*Starting user delta sync, raise failure status messages = True SMS_CLOUD_USERSYNC 1/21/2014 10:16:13 AM 4264 (0x10A8)
I verified my synced accounts reappeared in Intune with the correct UPN and are activated accounts. I continued on and added the Intune connector and the Intune site role in Config Mgr. There were no errors in the sitecomp log, and I received a Synchronization complete entry.
From the dmpuploader log:
*Found connector certificate with subject 'CN=XXXXXX-XXXXXXXX_SCCMConnector', Account ID 'XXXXXX-XXXXXXX-XXXXXXX', Client ID 'XXXXXXX-XXXXXXX-XXXXXXX' SMS_DMP_UPLOADER 1/21/2014 10:16:31 AM 2528 (0x09E0)
*Intune tenant ID: XXXXXXX-XXXXXX-XXXXXX SMS_DMP_UPLOADER 1/21/2014 10:16:32 AM 2528 (0x09E0)
*Ping cloud returned nothing SMS_DMP_UPLOADER 1/21/2014 10:16:32 AM 2528 (0x09E0)
*Ping cloud....
We block outbound ICMP at our firewall. So, I'm not sure if that would cause a problem. I also recall reading in another forum post that another user tracked down an issue related to corrupt connector certificates in their database. Any idea if this might be the problem in my case, or how I could go about verifying this?
I am wondering if us blocking outbound and inbound ICMP on our firewall is the root of this issue. Since ping is being blocked, the server can never make a proper connection to Intune. The dmpuploader log shows:
*Ping cloud ... SMS_DMP_UPLOADER 1/21/2014 1:41:51 PM 2528 (0x09E0)
*Ping cloud returned nothing SMS_DMP_UPLOADER 1/21/2014 1:41:51 PM 2528 (0x09E0)
every 5 minutes without any confirmations that policies have ever been uploaded.
Does anyone know what the address is that the "Ping cloud..." is referring to? Then I can forward that to our network team to punch a hole in our firewall to see if that fixes my problem.
You haven't enabled mobile device management in your Intune account BEFORE you connected it with ConfigMgr? If you have enabled the standalone Intune MDM, you cannot integrate the Intune account with ConfigMgr. Or more precisely you can, but it won't work.
And outbound HTTPS is enabled from the Intune connector server? My understanding is that only HTTPS is required.
Panu
I think you should open a case at Microsoft support. I've run out of ideas. :-(
Panu
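The log checks suggested across this thread, collected into one PowerShell function as an added example; it was not posted by any participant and is not Microsoft's code. The log folder is an assumption passed in as a parameter, the function name is hypothetical, and the matched strings are the ones quoted in the posts, which the posters point to as symptoms rather than confirmed root causes.

```powershell
# Added example: checks the connector logs for the messages quoted in this thread.
function Get-IntuneConnectorLogTriage {
    [CmdletBinding()]
    param(
        # Assumption: folder holding the ConfigMgr server logs on the connector server.
        [Parameter(Mandatory)] [string] $LogDir
    )

    # Message strings are copied from the posts above. Healthy = $true means the
    # line should be present; $false means its presence is what needs a look.
    $checks = @(
        @{ File = 'CloudUserSync.log'; Healthy = $true
           Pattern = 'Total Successfully added users to Cloud = \d+' }
        @{ File = 'dmpdownloader.log'; Healthy = $false
           Pattern = 'APNS certificate for account id .* is missing or invalid' }
        @{ File = 'dmpdownloader.log'; Healthy = $false
           Pattern = 'Failed to load Enrollment Policy' }
        @{ File = 'dmpuploader.log';   Healthy = $false
           Pattern = 'Ping cloud returned nothing' }
    )

    foreach ($c in $checks) {
        $path = Join-Path -Path $LogDir -ChildPath $c.File
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ File = $c.File; Pattern = $c.Pattern
                               Hits = 0; Status = 'LogNotFound'; LastLine = $null }
            continue
        }

        # Collect every matching line; the last one is the most recent entry.
        $hits   = @(Select-String -LiteralPath $path -Pattern $c.Pattern)
        $found  = $hits.Count -gt 0
        $status = if ($found -eq $c.Healthy) { 'OK' } else { 'Investigate' }

        [pscustomobject]@{
            File     = $c.File
            Pattern  = $c.Pattern
            Hits     = $hits.Count
            Status   = $status
            LastLine = if ($found) { $hits[-1].Line.Trim() } else { $null }
        }
    }
}

# Placeholder path; replace it with the real log folder on your server.
Get-IntuneConnectorLogTriage -LogDir 'C:\PATH\TO\ConfigMgr\Logs' | Format-Table -AutoSize
```

For the CloudUserSync.log check, read the number in `LastLine` as well as the status: the check only confirms that the line exists.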