Running up a test environment for Intune and ConfigMgr Current Branch or Technical Preview

I set up Intune quite a lot for Intune Hybrid POCs, and I thought I'd write up a simple guide for those that want to spin this stuff up in their own lab at home.

The goal of this guide is to get it running so you can tinker with the features available through Mobile Device Management (MDM). This isn't a guide to setting up Intune and ConfigMgr for a production environment, and it doesn't cover what you can do with Intune on the supported platforms (Windows, iOS and Android).

 

Here are the key things you will need to do before you can proceed to enroll devices into your environment, and I’ll walk you through each action:

 

  1. Choose to either set up a Public DNS, reuse an existing one that you own, or use the one Microsoft gives you when you sign up for an Intune Evaluation, see notes below *
  2. Register for an Intune Evaluation or an EMS Evaluation, or even both, here and here, see notes below **
  3. Configure Intune to recognise your Public DNS, if required
  4. Configure your Active Directory to use an additional UPN suffix, if required, see notes below ***
  5. Configure your Active Directory test user(s) UPN, if required, see notes below ****
  6. Synchronise your lab Active Directory with the Azure Active Directory from your Intune Evaluation using ADConnect here
  7. Provide the AD users that you wish to allow to enroll devices with an Intune license
  8. Configure ConfigMgr with your Intune evaluation
  9. Enroll devices; for this I'll show an Android being enrolled, and if my wife lets me, a recent iPhone!

 

Notes:

* You can either use your own Public DNS record that you can point a device at when enrolling, or use the one Microsoft provides when you sign up for an Intune Evaluation. There are alternatives to a DNS record, such as enrolling through Azure, but that route is limited to Windows 10 devices and does not cover the other mobile platforms.

** Both the Intune and EMS evaluations give access to Intune, so only one or the other is needed, but you can register for both. Doing so requires registering the Intune evaluation first, and then, while remaining logged in to Intune in the same browser session, visiting the EMS link and going through the motions of associating your EMS evaluation with your Intune evaluation.

*** You'll only need to do this if your Public DNS is not going to be the same as your lab's Active Directory forest and domain name, say because you already have a Domain Controller and its domain doesn't match your Public DNS. If you are able to choose and create a Public DNS first, then go straight to using your Public DNS as your Active Directory name (example.com, for example).

**** You'll only need to do this if your Public DNS differs from your Active Directory forest and domain name.

 

To be able to even get to the above stuff, you're going to need the groundwork established, in the form of the following:

  • A device with Hyper-V, and a good amount of memory available
  • At least one Domain Controller

No need for more than one Domain Controller, unless you need different directory services to play with, such as testing trusts between domains and forests and the complex configurations around them.

If you are starting out, a simple test environment consisting of one domain controller, used to kick the tires on Mobile Device Management using Hybrid Intune with ConfigMgr, will do.

  • A Standalone Primary Site server running either Technical Preview, if you want to check out the latest pre-release features, or Current Branch, with at least 6GB of memory, and SQL Server's maximum memory throttled back to around 4GB so the site components keep some headroom.

There is a correlation between how much memory and how much patience an administrator has: the more memory available, the less patience needed. There is another variable, disk IOPS, but let's not go there; just make sure you are not saturating your disk subsystem with too many virtual machines, such that things run at a snail's pace.
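The SQL memory cap mentioned above is a one-off configuration change on the site server, so here is the way I would script it rather than clicking through SQL Server Management Studio. This is an added example and not part of the original post; it assumes the SqlServer PowerShell module is installed, that the site database is on the local default instance (`$Instance`), and that 4096 MB is the cap you want.

```powershell
# Added example (not from the original post): cap SQL Server's memory on the lab
# site server so the ConfigMgr site itself keeps some headroom.
# Assumptions: the SqlServer module is installed, the site database lives on the
# local default instance, and 4096 MB matches the "throttled back to 4GB" advice.
Import-Module SqlServer

$Instance    = "localhost"   # assumption: local default instance hosting the site DB
$MaxMemoryMB = 4096

# 'max server memory' is an advanced option, so expose advanced options first.
$sql = @"
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'max server memory (MB)', $MaxMemoryMB;
RECONFIGURE;
SELECT name, value_in_use FROM sys.configurations WHERE name = 'max server memory (MB)';
"@

$result = Invoke-Sqlcmd -ServerInstance $Instance -Query $sql -ErrorAction Stop

# Read the running value back rather than trusting that RECONFIGURE took effect.
if ([int]$result.value_in_use -ne $MaxMemoryMB) {
    throw "Expected max server memory $MaxMemoryMB MB, SQL reports $($result.value_in_use) MB"
}
"SQL Server on $Instance is now capped at $($result.value_in_use) MB"
```

Newer releases of the SqlServer module (22 and later) encrypt the connection by default, so on a lab instance with a self-signed certificate you may also need to pass -TrustServerCertificate to Invoke-Sqlcmd.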

 

Let's assume you have a stable lab environment that meets the above requirements and a public DNS record, and get on with setting it all up.

 

For the guide, instead of using the Public DNS record Microsoft provides when running up an Intune Evaluation, I used SYSTEMCENTER.CO.UK as the Public DNS record, hosted by GoDaddy, letting Microsoft configure the DNS entries automatically for me, a nice touch. My lab Active Directory is not called SYSTEMCENTER.CO.UK, therefore I had to configure UPN suffixes and set a user account's UPN to make all this work.

 

Set up a new Public DNS, or reuse an existing one that you own

Later on, when you register for an Intune Evaluation, Microsoft will give you a personalised domain name ending with .onmicrosoft.com. If you are going to use that, you can skip this section, but you'll still need to do the UPN sections below.

An example of the DNS scenarios are:

Mismatched DNS and AD names:

  • Public DNS: Example.com or Example.onmicrosoft.com
  • Active Directory: InternalLab.com

Matched DNS and AD names

  • Public DNS: Example.com
  • Active Directory: Example.com

 

If you're going to use your own DNS, my best advice would be to do three things:

  1. Have a read of this
  2. Choose a DNS hosting provider. Microsoft have a relationship with GoDaddy and Register.com; others will work, you'll just have to configure their DNS zone entries manually
  3. Choose a DNS name. If this is going to go beyond an evaluation, and you're setting up inside a company, use an appropriate domain name, otherwise be creative

 

Once you have your DNS created, or already have one, it's time to move on.

 

Register for an Intune Evaluation or an EMS Evaluation

 

To get Intune Hybrid with ConfigMgr working, you’re going to need an Intune Evaluation, or alternatively an Enterprise Mobility + Security (EMS) Evaluation.

The EMS evaluation contains an Intune license as well as access to a bunch of EMS features; the Intune evaluation obviously gives you just that, and both can be signed up for and combined together.

You can go for just the Intune Evaluation step below, or just the EMS step, or do both.

Here we go.

 

Set up an Intune Evaluation

 

The Intune registration process is quite straightforward, I’ll cover the key highlights.

  • You'll be prompted for details about yourself, along with some basic contact details
  • It'll ask you to create a username for the first user in your Intune (Evaluation) tenant. You can call this whatever you want; it'll become the Global Administrator, so call it Administrator, Admin, your choice
  • It'll ask you to enter a company name to prefix before .onmicrosoft.com. This can be anything you want that is available, and it'll tell you if your choice is not available. You could use your Public DNS as the prefix (for Example.com you'd enter Example so it becomes example.onmicrosoft.com), or something entirely random.


Once you've clicked Create my account you'll be prompted to prove you are not a robot by entering a 6-digit code sent via SMS to your mobile; go through the motions until it tells you that you are done.


Click You’re ready to go and head to your inbox, within minutes you should see an on-boarding email with information about your trial.

 

Set up an EMS Evaluation

 

Setting up your EMS Evaluation is a cinch once you've got your Intune Evaluation up and running: simply remain logged into the Intune Portal and, from the same web browser session, visit the EMS Evaluation page. You'll be prompted to add the Enterprise Mobility + Security E5 package to your Intune Evaluation account.


Made so easy, just click Yes, add it to my account.

If you're opting to use just an EMS evaluation, then fill in the registration details and set yourself up an evaluation.


Done. 250 users for 3 months of EMS usage, not a bad run for an evaluation, considering what you get: the EMS suite of products, including Intune.

You should see an email in your inbox for this evaluation as well.

 

There isn’t any need to do anything further with Intune or EMS at this point in time.

 

Configure Intune to recognise your Public DNS

 

You can skip this step if you are using the <CompanyName>.onmicrosoft.com domain that Microsoft sets up when you register for an Intune Evaluation.

If you have your own Public DNS and you want to use that, then Intune will need to be told to verify and recognise the domain. Visit the Intune Portal at portal.office.com and select Setup \ Domains to get underway.

Clicking Add Domain will prompt you for details about your domain.

If Microsoft have a relationship with the DNS provider hosting your DNS record, they can automatically add the zone entries for you, such as the CNAME records for device enrollment, as well as other records to support the EMS + Intune suite of products.

If Microsoft doesn't have this relationship and you have to do it by hand, here is the documentation on what needs to go into your Public DNS zone.

If you needed to do this, then once the domain has been verified by Intune you're ready to move on.
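Whether the provider added the records for you or you added them by hand, it is worth confirming from a client's point of view that the enrollment records actually resolve before you try to enroll anything, because a device silently fails discovery otherwise. This check is an added example and not part of the original post. The expected CNAME targets are the ones Microsoft documents for Intune device enrollment; the domain name is an assumption, so replace it with yours.

```powershell
# Added example (not from the original post): check that the Intune enrollment
# DNS records exist for the verified domain before trying to enroll a device.
# The expected CNAME targets are the ones Microsoft documents for Intune; the
# domain name is an assumption, replace it with yours.
$Domain = "systemcenter.co.uk"

# Record name => expected CNAME target (per Microsoft's Intune DNS documentation)
$expected = @{
    "EnterpriseEnrollment.$Domain"   = "EnterpriseEnrollment-s.manage.microsoft.com"
    "EnterpriseRegistration.$Domain" = "EnterpriseRegistration.windows.net"
}

$ok = $true
foreach ($name in $expected.Keys) {
    try {
        # -DnsOnly bypasses the hosts file and cache so we see what a phone would see
        $cname = Resolve-DnsName -Name $name -Type CNAME -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.Type -eq "CNAME" } | Select-Object -First 1
    } catch {
        Write-Warning "$name does not resolve: $($_.Exception.Message)"
        $ok = $false
        continue
    }
    if ($cname -and $cname.NameHost -ieq $expected[$name]) {
        "OK   $name -> $($cname.NameHost)"
    } else {
        Write-Warning "$name points at '$($cname.NameHost)', expected '$($expected[$name])'"
        $ok = $false
    }
}

# Domain verification uses a TXT record of the form MS=msXXXXXXXX at the zone apex.
# It is only needed while verifying, so its absence afterwards is not a failure.
$txt = Resolve-DnsName -Name $Domain -Type TXT -DnsOnly -ErrorAction SilentlyContinue |
       Where-Object { $_.Strings -match '^MS=ms' }
if ($txt) { "OK   verification TXT record present for $Domain" }
else      { Write-Warning "No MS=ms... verification TXT record found for $Domain (fine if the domain already shows as verified)" }

if (-not $ok) { throw "Enrollment DNS records for $Domain are not correct yet" }
```

Run it from any Windows box with internet access; it does not need to be domain-joined, and a failure here means a device enrollment failure later.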

 

Configure your Active Directory to use an additional UPN if required

 

You can skip this step if your Public DNS is the same as your Active Directory forest and domain name. If your lab domain is example.com and your Public DNS record is also example.com, skip over this section.

So your Public DNS record is either your own unique DNS, which differs from your Active Directory forest name, or the one Microsoft provided.

Either way, you will need to add it as an additional UPN suffix in your Active Directory, so that you can assign it as the UPN on the Active Directory user accounts that will be used to enroll mobile devices.

Intune will then recognise the user when they attempt to enroll a device.

 

For this guide I built using the following:

Mismatched DNS and AD names:

  • Public DNS: SystemCenter.co.uk
  • Active Directory: InternalLab.com

 

The procedure is quite straightforward for this lab environment: on your Domain Controller open Active Directory Domains and Trusts, right-click the Active Directory Domains and Trusts [ Servername ] entry, select Properties, then add your UPN suffix:


You can see that I’ve already added an alternative UPN suffix for a Public DNS record that I own SystemCenter.co.uk.

Add yours.

Once you've added your Public DNS, or the <CompanyName>.onmicrosoft.com address Microsoft gave you, it'll show up as an option when opening a user account in Active Directory Users and Computers.

Configure your Active Directory test user(s) UPN

Again, you'll only need to handle the UPN stuff if your Public DNS is different from your Active Directory forest and domain name. If your lab domain is example.com and your Public DNS record is also example.com, skip over this section.

For testing I suggest creating a new Active Directory User account specifically for enrollment, you can use an existing account if you wish.


For this test user, which will be used for device enrollment, under the Account tab of the user account's properties you can see I've changed the UPN to the suffix that I added using Active Directory Domains and Trusts. If you were using <CompanyName>.onmicrosoft.com as your public DNS, the one Microsoft provides for free, you'd see it here and be able to choose it.

 

In Intune Hybrid mode with ConfigMgr, the principal reason why you want the AD users' UPN suffix to be your Public DNS, or the <CompanyName>.onmicrosoft.com DNS Microsoft provided, is so that their account is synchronised to Azure AD with a UPN Intune recognises during enrollment, because that DNS name has been verified (added) in Intune.

Intune won't recognise an AD user's UPN if its suffix isn't the verified Public DNS or the DNS name Microsoft provides. In fact, when ADConnect synchronises a user whose UPN suffix isn't a verified domain, it replaces the suffix with the tenant's default .onmicrosoft.com name, so the user ends up in Azure AD under a UPN you didn't expect. Since I expect no one will build a lab whose AD name happens to match the Microsoft-provided DNS, most people will have a mismatch rather than a match between the AD name and the DNS name, which means the AD user has to carry the Public DNS or the Microsoft-provided DNS as their UPN suffix in order to be recognised by Intune during enrollment.
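The two UPN sections above (adding the suffix in Domains and Trusts, then setting it on the test user) are a couple of clicks each, but the part people get wrong is leaving other accounts with an unverified suffix and then wondering why they sync as someone@tenant.onmicrosoft.com. The script below is an added example and not part of the original post: it adds the suffix at forest level, creates a dedicated enrollment user with the public UPN, and then sweeps the domain for enabled users whose UPN suffix is not one of the verified domains. It assumes you run it on the lab DC with the ActiveDirectory module, and the suffixes, OU, user name and tenant domain are placeholders for your own values.

```powershell
# Added example (not from the original post): add the public DNS name as a UPN
# suffix, create a dedicated enrollment test user with that UPN, and then sweep
# the domain for users whose UPN suffix is not one of the verified Azure AD
# domains. Run on the lab DC. Names, OU and tenant domain below are assumptions.
Import-Module ActiveDirectory

$PublicSuffix   = "systemcenter.co.uk"                  # verified in Intune
$TenantSuffix   = "example.onmicrosoft.com"             # assumption: your tenant's default domain
$VerifiedSuffix = @($PublicSuffix, $TenantSuffix)
$TestUser       = "intune.test"                         # assumption
$TestOU         = "OU=Lab Users,DC=internallab,DC=com"  # assumption

# 1. Register the additional UPN suffix at forest level (same as Domains and Trusts > Properties).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $PublicSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add = $PublicSuffix}
    "Added UPN suffix $PublicSuffix to forest $($forest.Name)"
}

# 2. Create the enrollment user directly with the public UPN.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$TestUser'")) {
    New-ADUser -Name "Intune Test" -SamAccountName $TestUser `
        -UserPrincipalName "$TestUser@$PublicSuffix" -Path $TestOU `
        -AccountPassword (Read-Host "Password for $TestUser" -AsSecureString) `
        -Enabled $true
}

# 3. Sweep: ADConnect rewrites an unverified suffix to the tenant's .onmicrosoft.com
#    name, so anyone listed here will not sign in with the UPN you expect.
$badUpn = Get-ADUser -Filter "Enabled -eq 'True'" -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -and
                   ($_.UserPrincipalName.Split('@')[1] -notin $VerifiedSuffix) }
foreach ($u in $badUpn) {
    Write-Warning "$($u.SamAccountName) has UPN $($u.UserPrincipalName); suffix is not verified in Azure AD"
}

# 4. Confirm the enrollment user carries exactly the UPN Intune will accept.
$check = Get-ADUser -Identity $TestUser -Properties UserPrincipalName
if ($check.UserPrincipalName -ne "$TestUser@$PublicSuffix") {
    throw "UPN on $TestUser is $($check.UserPrincipalName), expected $TestUser@$PublicSuffix"
}
"$TestUser will sync to Azure AD as $($check.UserPrincipalName)"
```

The sweep will flag every built-in and existing lab account that still has the internal suffix; that is expected, and only the accounts you intend to enroll with need fixing.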

 

Synchronise your lab Active Directory with Azure Active Directory using ADConnect

 

Now we need to synchronise the on-premises (your lab) Active Directory (AD) with Azure Active Directory (AAD), so that AAD knows about your user accounts, and their UPNs if you changed them.

This isn't that difficult to set up in a lab environment: download ADConnect from here, install it onto your lab Domain Controller, and provide it with your Intune Global Administrator account details, along with the information it needs to synchronise the Active Directory objects to Azure. I'd let it replicate everything rather than restricting it, at least for setting up this lab.

Microsoft Docs has a good walkthrough on how to set up ADConnect here.

 

Provide the AD Users that you wish to allow to enroll devices, with an Intune license

 

Once you see the users appearing in the Intune Portal (intune.office.com), you'll be able to tell whether you've done all of this properly.

Go to Users > Active Users, and you should see the users from your lab's AD listed.


Click on the user account you want to use for enrollment of a device; note that it should be the one you will add to your ConfigMgr user-based collection for Intune users later on in this guide, when you integrate ConfigMgr with Intune.

Once the user is shown in the Intune Portal, select Edit under Product Licenses.


Now assign the EMS licence, the Intune licence, or both, to the Azure Active Directory user.
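The portal is fine for one user, but once ADConnect is in place I would rather force the sync, prove the user landed in Azure AD with the UPN I set, and assign the licence from the same console, which covers both the synchronisation section and the licensing step above. This is an added example and not part of the original post. It assumes you run it on the ADConnect server (which provides the ADSync module), that the MSOnline module is installed, and that the UPN and usage location are placeholders for your own; the SKU part numbers INTUNE_A, EMS and EMSPREMIUM are the ones Microsoft uses for Intune, EMS E3 and EMS E5, which you can confirm with Get-MsolAccountSku.

```powershell
# Added example (not from the original post): after ADConnect is installed, push a
# delta sync, confirm the test user landed in Azure AD with the expected UPN, and
# assign a licence from whichever Intune or EMS SKU has spare seats.
# Assumptions: run on the ADConnect server (ADSync module), MSOnline module is
# installed, and the UPN / usage location below match your lab.
Import-Module ADSync
Import-Module MSOnline

$Upn           = "intune.test@systemcenter.co.uk"   # assumption: the user set up earlier
$UsageLocation = "GB"                               # required before a licence can be assigned

# 1. Trigger a delta sync (a full cycle is -PolicyType Initial) and wait for it to finish.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
do { Start-Sleep -Seconds 10 } while ((Get-ADSyncScheduler).SyncCycleInProgress)

# 2. Confirm the object arrived with the UPN you expect, not rewritten to .onmicrosoft.com.
Connect-MsolService
$user = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop
if ($user.UserPrincipalName -ne $Upn) {
    throw "User synced as $($user.UserPrincipalName), expected $Upn"
}

# 3. Pick an Intune-capable SKU with free seats. INTUNE_A / EMS / EMSPREMIUM are the
#    Microsoft part numbers for Intune, EMS E3 and EMS E5 (verify with Get-MsolAccountSku).
$sku = Get-MsolAccountSku |
    Where-Object { $_.SkuPartNumber -in @("INTUNE_A", "EMS", "EMSPREMIUM") -and
                   $_.ActiveUnits -gt $_.ConsumedUnits } |
    Select-Object -First 1
if (-not $sku) { throw "No Intune or EMS SKU with free seats in this tenant" }

# 4. Usage location must be set first, otherwise the licence assignment is rejected.
if (-not $user.UsageLocation) {
    Set-MsolUser -UserPrincipalName $Upn -UsageLocation $UsageLocation
}
if ($user.Licenses.AccountSkuId -notcontains $sku.AccountSkuId) {
    Set-MsolUserLicense -UserPrincipalName $Upn -AddLicenses $sku.AccountSkuId
}

# 5. Show what the user now holds.
(Get-MsolUser -UserPrincipalName $Upn).Licenses | Select-Object AccountSkuId
```

If step 2 throws, go back to the UPN sweep: the account either has not synced yet or is sitting in Azure AD under the tenant's .onmicrosoft.com suffix.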


Configure ConfigMgr with your Intune evaluation

 

This is it: once ConfigMgr is made the MDM Authority for Intune, you could technically perform device enrolments.

 

I'm using Technical Preview, currently at 1702, and the procedure for setting up ConfigMgr to become the MDM Authority for your new Intune Evaluation isn't that complicated at all.

 

Visit your Current Branch or Technical Preview site server and make sure you already have the Service Connection Point set up; it is part of the Servicing feature of ConfigMgr, and you probably let setup install it. The Service Connection Point in Online mode is a mandatory requirement.

Add a Microsoft Intune Subscription from the Administration \ Cloud Services \ Microsoft Intune Subscription node in the ConfigMgr console.

The process is straightforward: it'll ask for your Intune Global Administrator username and password, the user-based collection whose members are permitted to enroll their devices, and some branding information.

After the wizard finishes you then turn on the platforms you wish to support: Windows, iOS or Android.

The procedure for adding Intune to ConfigMgr is well documented, and as long as you have an Intune Evaluation and the collection already created, passing through the wizard should be a breeze.

If you get unexpected errors when trying to log in during the integration of ConfigMgr with Intune, try turning off IE's compatibility mode and setting IE to allow scripts to run.

Once you've completed this task, you can visit the Intune Portal at manage.microsoft.com to see that the MDM Authority has been set to ConfigMgr.


You will also want to enable and run Active Directory User Discovery on the site server so that ConfigMgr knows about your AD users; once done, add your device enrollment account(s) to the collection you referenced when adding the Intune subscription to ConfigMgr.
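The discovery and collection step is where enrollments silently fail when the account isn't a member yet, so this is how I would script and check it rather than trusting the console. It is an added example and not part of the original post. It assumes you run it on the site server in a PowerShell session with the ConfigurationManager module that ships with the console, and that the site code, LDAP container, collection name and user name are placeholders for your lab (ConfigMgr stores user resources as DOMAIN\sAMAccountName, which is what Get-CMUser -Name expects).

```powershell
# Added example (not from the original post): enable AD User Discovery, run it, and
# put the enrollment user into the collection referenced by the Intune subscription.
# Assumptions: run on the site server with the console's ConfigurationManager module,
# site code PS1; the LDAP path, collection name and user name are placeholders.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
$SiteCode       = "PS1"
$UserContainer  = "LDAP://OU=Lab Users,DC=internallab,DC=com"
$CollectionName = "Intune Enrollment Users"   # the collection chosen in the Intune Subscription wizard
$EnrollUser     = "INTERNALLAB\intune.test"   # ConfigMgr user resources are DOMAIN\sAMAccountName
Set-Location "$($SiteCode):"

# 1. Enable AD User Discovery against the OU and run it now rather than waiting for the schedule.
Set-CMDiscoveryMethod -ActiveDirectoryUserDiscovery -SiteCode $SiteCode -Enabled $true `
    -AddActiveDirectoryContainer $UserContainer
Invoke-CMUserDiscovery -SiteCode $SiteCode

# 2. Discovery is asynchronous, so poll for the user resource (up to ~5 minutes).
$cmUser = $null
for ($i = 0; $i -lt 30 -and -not $cmUser; $i++) {
    Start-Sleep -Seconds 10
    $cmUser = Get-CMUser -Name $EnrollUser
}
if (-not $cmUser) { throw "$EnrollUser was not discovered; check the LDAP path and adusrdis.log" }

# 3. Create the user collection if it does not exist yet, then add a direct membership rule.
$coll = Get-CMUserCollection -Name $CollectionName
if (-not $coll) {
    $coll = New-CMUserCollection -Name $CollectionName -LimitingCollectionName "All Users"
}
$existing = Get-CMUserCollectionDirectMembershipRule -CollectionName $CollectionName
if ($existing.ResourceId -notcontains $cmUser.ResourceID) {
    Add-CMUserCollectionDirectMembershipRule -CollectionName $CollectionName -ResourceId $cmUser.ResourceID
}
Invoke-CMCollectionUpdate -Name $CollectionName

# 4. Confirm membership; the enrollment user must appear here before a device can enroll.
Get-CMCollectionMember -CollectionName $CollectionName | Select-Object Name, ResourceID
```

If the wizard has already been run with a collection of a different name, set $CollectionName to that one; the Intune subscription only honours the collection it was configured with.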

 

The platform is now ready for device enrollment.

 

Enroll devices

 

Now since we have three platforms to perform enrollment on, I’m going to stop here and leave it for future guides.

I enrolled a Samsung Galaxy S7 Edge with ease using Technical Preview Build 1702, and there is much more to cover, for now you should have Intune and ConfigMgr talking together nicely, your AD synchronising to your Azure AD, and your DNS all sorted out.

From here you can set up the platform details for iOS and attempt to configure settings for mobiles, diving into a technically rich area of activity right now: mobile device management.