Posted on March 3rd, 2014 No comments
There is not much real-world information on managing iOS devices using Windows Intune and ConfigMgr. I am talking about managing iOS devices, not setting up iOS enrollment or the tons of guides on how to publish and deploy a web link to the App Store. This blog post was written to give some deeper insight into iOS management using Windows Intune together with System Center Configuration Manager 2012 R2.
The biggest challenge, as I have learnt, is that troubleshooting mobile device management using ConfigMgr and Intune leaves a lot to be desired. There really is not much you can see in terms of what is going on between ConfigMgr, the Intune cloud service and the mobile device itself. There are no buttons to force a push or a pull, so you are pretty much left in the dark much of the time. Apparently there is only one action you can take to force all policies (compliance settings and email profiles, for instance) to the iOS device, and that is to install an app from the Company Portal iOS app or from the web interface at m.manage.microsoft.com. Apart from that you just have to wait, wait and wait for things to happen.
Custom iOS app deployment options and important knowledge
One of the least talked-about features is the ability to sideload an in-house or custom-developed iOS app (IPA file). It is done as easily as any other application deployment: add the IPA and the PLIST file, then distribute it to the cloud distribution point. Although the plist manifest file is required to add the application for deployment, it seems to be of no use, as the plist file is not distributed with the IPA file itself to the distribution point. I suppose it is more of a way of knowing that you are deploying IPA files rather than web links to apps in the App Store.
When deploying an IPA you have three options:
1. Deploy it as Available to Users
This will publish the app and make it available for install, but only in the web interface, i.e. “m.manage.microsoft.com”.
For some reason which I do not know, you will not see this app if you are using the Company Portal app. Once again I do not know the background for this, but it is really inconsistent behavior and makes the iOS Company Portal app more or less unusable. I have filed a Design Change Request for this at Microsoft Connect.
UPDATE: This is an Apple “feature” and a limitation in what they allow MDM vendors to do.
2. Deploy it as Required to Users
This will install the app automatically for targeted users. A note will pop up on the screen of the iOS device asking “m.manage05sub.microsoft.com wants to install the following app, is that OK?” After clicking OK/yes, the app is installed (or sideloaded, to be correct).
3. Deploy it as Required to Devices
This will install the app automatically for targeted devices. A note will pop up on the screen of the iOS device asking “m.manage05sub.microsoft.com wants to install the following app, is that OK?” After clicking OK/yes, the app is installed (or sideloaded, to be correct).
Log files – shake it baby!
Well, there are a few log files on the CM side, but I have not found any relevant information in them; all you can see is that there is some kind of communication with Intune, but that is about it. So basically there are no logs to turn to when troubleshooting. There is however one log file, and it can be accessed from an iOS device by logging into the Company Portal app. After login, shake the phone. Yes, you heard me: shake the phone and you will see options to send the log file via email for further analysis. However, although I have read many log files over the years, this one is among the harder to interpret. It will however likely be more useful to Intune technical support technicians (more on that later). I have filed a DCR for more insight into Intune, or into the communication via ConfigMgr, at Microsoft Connect.
iPad and iPhone collections
Divide iOS devices into collections for iPads and iPhones, which is useful if you for instance want to target different compliance settings to iPads and iPhones. Create a collection based on “Mobile Device Computer System” where the “Device Model” is like %iphone% (for the iPhone collection) or %ipad% (for the iPad collection).
The query to list all iPhones in a collection:
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_DEVICE_COMPUTERSYSTEM on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "%iphone%"
The query to list all iPads in a collection:
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_DEVICE_COMPUTERSYSTEM on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "%ipad%"
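Instead of clicking both collections together in the console, the two queries can be created with the ConfigMgr 2012 R2 PowerShell cmdlets. This is an added example and not code from the original post; the site code “PS1”, the collection names and the use of the built-in “All Mobile Devices” collection as the limiting collection are assumptions you will need to adjust.

```powershell
# Added example (not from the original post): create an iPhone and an iPad
# device collection using the DeviceModel query shown above.
# Assumptions (not on the page): the ConfigMgr console is installed on this
# machine, the site code is "PS1" and "All Mobile Devices" is a suitable
# limiting collection.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

# The standard collection select list, with the DeviceModel pattern as a placeholder.
$queryTemplate = 'select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, ' +
                 'SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client ' +
                 'from SMS_R_System inner join SMS_G_System_DEVICE_COMPUTERSYSTEM ' +
                 'on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId ' +
                 'where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "{0}"'

# Collection name -> DeviceModel pattern (names are assumptions, patterns are from the post)
$collections = @{
    'All iPhones' = '%iphone%'
    'All iPads'   = '%ipad%'
}

foreach ($name in $collections.Keys) {
    $query = $queryTemplate -f $collections[$name]

    # Create the collection only if it does not exist yet, so the script can be re-run.
    if (-not (Get-CMDeviceCollection -Name $name)) {
        New-CMDeviceCollection -Name $name -LimitingCollectionName 'All Mobile Devices' | Out-Null
        Write-Host "Created collection '$name'"
    }

    # Attach the query as a membership rule; the rule name is just for readability.
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $name `
        -RuleName "$name by DeviceModel" -QueryExpression $query
    Write-Host "Added query rule to '$name': $query"
}
```

Note that membership is only evaluated once the next collection update runs (or when you trigger Update Membership in the console), and that hardware inventory for the device must already have populated the Mobile Device Computer System class, so a freshly enrolled iPhone will not show up immediately.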
Email profiles be aware
Do not let the official ConfigMgr blog screenshots fool you. When creating an email profile, the Exchange ActiveSync host should be entered without the http:// or https:// prefix that the screenshot mistakenly shows.
UserLicenseTypeInvalid error message
The error UserLicenseTypeInvalid appears when trying to enroll an iOS device. Most likely this is due to users not being synced to the Intune service, either because they are missing from the “Intune users” collection or because there is a problem with actually syncing from CM to Intune. More about that in this blog post.
The Intune Support
Do not hesitate to contact Intune technical support whenever you encounter a problem. As you have no insight into Intune, contacting support is often the only way to figure out what is or is not going on with your mobile device management. Support phone numbers specifically for Intune are listed on the Microsoft Support web site.
Posted on February 16th, 2014 No comments
It is no secret that there are challenges related to the user interface in Windows 8.1. It is no secret that it has raised a lot of feelings, both good and bad. It is no secret that Microsoft is aware of the issues and is, bit by bit, working on addressing them.
Windows 8.1 is without doubt the greatest and best operating system from Microsoft to date in terms of features, and when it comes to security, performance, stability and responsiveness. Add to that active development and continuous distribution of fixes, which makes Windows 8.1 the most dynamic Windows release to date.
However, not many enterprises use modern apps on their desktop/laptop machines, and they will not do so for quite some time. This blog post is intended to show you how you can make Windows 8.1 behave well in enterprises, if you want your users to recognize themselves in the new user interface in Windows 8.1.
Boot to Desktop
The option for the user to get straight to the desktop is imperative when matching the user experience to what they are used to. This means that instead of landing on the Start panel after login, the user is taken straight to the desktop. Another issue with the user interface in Windows 8.1 is that if the user for instance opens a PDF file from a desktop application, the PDF file will open in the Reader app (that is, if no other PDF reader such as Adobe Reader has been installed). However, after closing the modern app the user is not brought back to the desktop application but instead lands on the Start panel. The group policy setting below solves both of these “issues”.
In the Group Policy Editor, locate the setting “Go to the desktop instead of Start when signing in or when all the apps on a screen are closed”, located in User Configuration > (Policies) > Administrative Templates > Start Menu and Taskbar, and set it to Enabled.
Desktop background on start panel
A small but nevertheless important setting that will make your users recognize the desktop is the one that makes the desktop background image appear on the Start panel as well.
Activate this setting by creating a User Group Policy Preference registry item with the following information:
Value name: MotionAccentId_v1.00
Value type: REG_DWORD (32-bit)
Value data: 000000DB (Hexadecimal)
File extensions for modern apps
Windows 8.1 images include a bunch of modern apps, which are installed the first time a user logs in to a Windows 8.1 machine. When building your Windows 8.1 image you can remove all provisioned modern apps, which will not only speed up the first login to a machine but also prevent users from opening, for instance, pictures in the modern app picture viewer, so that they instead open in “Windows Photo Viewer” on the desktop.
Solution 1: Remove all provisioned apps by using Ben Hunter’s excellent script for this, see http://blogs.technet.com/b/deploymentguys/archive/2013/10/21/removing-windows-8-1-built-in-applications.aspx. In the script you see the relevant commands, which can also be run manually, removing one modern app at a time. See the PowerShell cmdlets Get-AppxProvisionedPackage and Remove-AppxProvisionedPackage.
Solution 2: If you do not want to remove the provisioned apps, you can use Michael Niehaus’s great guide to remove the file associations from the modern apps. Michael also shows how to deal with this dynamically at deployment time, as you probably want this configuration to be dynamic if you are using Windows 8.1 on touch-enabled devices. The blog post is located at http://blogs.technet.com/b/mniehaus/archive/2014/01/10/configuring-file-associations-in-windows-8-1.aspx
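For Solution 1, the manual removal with the two cmdlets mentioned above can be wrapped in a small allow-list loop so that you keep the few modern apps your users actually want and drop the rest. This is an added example, not Ben Hunter’s script or code from the original post; the allow-list contents are a constructed assumption.

```powershell
# Added example (not from the original post or Ben Hunter's script): remove the
# provisioned modern apps from the reference machine, keeping an allow-list.
# Run in an elevated PowerShell session on the reference machine before sysprep.
# The allow-list below is a constructed assumption; adjust it for your users.
$keep = @('Microsoft.WindowsCalculator', 'Microsoft.WindowsAlarms')

function Test-KeepApp {
    # Returns $true when the package name starts with one of the allow-list names.
    param([string]$Name)
    foreach ($k in $keep) {
        if ($Name -like "$k*") { return $true }
    }
    return $false
}

# 1. Provisioned packages: these are what gets installed for every new user profile.
foreach ($package in Get-AppxProvisionedPackage -Online) {
    if (Test-KeepApp $package.DisplayName) {
        Write-Host "Keeping  provisioned package $($package.DisplayName)"
        continue
    }
    Write-Host "Removing provisioned package $($package.DisplayName)"
    Remove-AppxProvisionedPackage -Online -PackageName $package.PackageName | Out-Null
}

# 2. Packages already installed in the profile you build the image with, so a
#    CopyProfile=true default profile does not carry them over anyway.
foreach ($app in Get-AppxPackage) {
    if (-not (Test-KeepApp $app.Name)) {
        Write-Host "Removing installed package $($app.Name)"
        Remove-AppxPackage -Package $app.PackageFullName
    }
}
```

Removing a provisioned package only affects users who have not logged in yet; that is why the second loop also cleans the current profile. Keep a list of what you removed, since reinstalling a provisioned app later means re-adding the package to the image.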
Customizing the start panel
Well, there are PowerShell scripts which you can use to export a Start panel layout and then send it out to multiple users using group policy settings. However, your users will not be able to actually modify it, which makes this feature useless, to say the least. What you can do to customize the Start panel, while awaiting better and more dynamic means to centrally manage the layout, is to customize the layout of the Start panel in your Windows 8.1 image and then use the CopyProfile=true method to make that Start panel layout the default for all new user profiles. This will present a default layout of your choice, which the end users will be able to modify to their liking.
Remove the (annoying) help guidance arrows
The help arrows that appear the first time a user signs in to a Windows 8.1 machine are important for users to learn how to reach the charms menu and navigate the new user interface when they actively or mistakenly end up there. However, these little helper arrows tend to become rather annoying after a while, and you will be glad to hear that there are ways to turn them off.
Create a User Group Policy Preference that adds the following registry value:
Value name: DisableHelpSticker
Value type: REG_DWORD (32-bit)
Value data: 1
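Both of the registry values described above (the desktop background on the Start panel, and the help arrows) can also be applied and verified from a logon script or during deployment instead of through Group Policy Preferences. The script below is an added example, not code from the original post. The post does not state the key paths; the two paths used here are assumptions from my own knowledge of Windows 8.1 and should be confirmed on a reference machine before you roll this out.

```powershell
# Added example (not from the original post): apply the two per-user registry
# values from the post and verify that they stuck.
# The key paths are NOT given in the post and are assumed here; check them on
# your reference machine. Value names and data are exactly as in the post.
$settings = @(
    @{  # Show the desktop background image on the Start panel
        Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent'   # assumed path
        Name  = 'MotionAccentId_v1.00'
        Value = 0xDB                                                                # 000000DB hex
    },
    @{  # Turn off the first-sign-in help arrows
        Path  = 'HKCU:\Software\Policies\Microsoft\Windows\EdgeUI'                  # assumed path
        Name  = 'DisableHelpSticker'
        Value = 1
    }
)

foreach ($s in $settings) {
    # Group Policy Preferences creates missing keys for you; here we do it ourselves.
    if (-not (Test-Path $s.Path)) {
        New-Item -Path $s.Path -Force | Out-Null
    }

    # Both values are REG_DWORD (32-bit); -Type DWord creates or overwrites the value.
    Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord

    # Read it back so a failed write (e.g. a locked-down key) is noticed.
    $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name).($s.Name)
    if ($actual -ne $s.Value) {
        throw "Failed to set $($s.Name) under $($s.Path): got '$actual'"
    }
    Write-Host ('{0}\{1} = 0x{2:X}' -f $s.Path, $s.Name, $actual)
}
```

Because both values live under HKCU, the script has to run in the user’s context (a logon script or a user-targeted deployment), not as a machine startup script.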
The power of search
I have been involved in many deployment projects with Windows 7, and my simple conclusion is that users tend to love not using the built-in search box in the Start menu in Windows 7. Moving to Windows 8.1 is not going to change that, especially not as users have no idea that they can just type anything while on the Start panel and a search will be performed. I’m still waiting for a group policy setting that will make users use search instead of clicking and clicking and clicking, but until that arrives, instruct your Windows 7 and Windows 8.1 users to use the built-in search feature.
Well, by taming how the user interface behaves and by modifying or totally removing the modern apps, the Start panel goes back to just being the search feature, and the new user interface acts pretty much as Windows traditionally always has. And at the time of this writing we know that there will be an update in April 2014 that will bring even further improvements to the UI. Things are improving, but rest assured, the good old Start menu as we have known it since Windows 95 will not be back.
Posted on November 8th, 2013 1 comment
When you have set up and connected Windows Intune to System Center Configuration Manager 2012 R2 and are trying to enroll a mobile device (an iOS device), you may receive the error “UserLicenseTypeInvalid”.
Checking cloudusersync.log on the ConfigMgr server listed the following two lines, which seemed to be relevant:
ERROR: SetLicensedUsers exception System.ServiceModel.Security.SecurityNegotiationException: Could not establish secure channel for SSL/TLS with authority 'msub05.manage.microsoft.com'
Solution: Simply restart the SMS_EXECUTIVE service and everything is back on track, and you can enroll the user on the mobile device. I have seen this a few times now and thought I’d share some information on it; I am not sure why it fails quite so often, though.
UPDATE: I have also seen this (without the error message above) when the user has not yet been added to the user collection and synced to Intune. The solution is to make sure that the user is added to the Intune user collection, and to verify via cloudusersync.log that the user is added correctly to the Intune service.
Posted on September 24th, 2013 1 comment
Today I held a presentation at the Swedish System Center User Group client day on the topic of Microsoft User Experience Virtualization (UE-V) and its integration with ConfigMgr 2012 R2. Great to see such interest in UE-V! Afterwards, the most common question I got was “Does UE-V roam email signatures for Outlook?” Well, the answer is yes, but there is a big “BUT”!
UE-V does roam the email signature, but you have to manually set the signature as default in Outlook Options > Mail > Signatures when logging into another machine or after reinstalling your own machine. And there is an issue if you are using a localized version of Office. First, an example of how the Outlook email signature is actually roamed when switching to another machine, but note that you must choose to make the email signature “active” on the other machine.
So this is Office 2010 on a Windows 7 machine. Note that I have set this email signature to be active for new messages.
And after logging on to a Windows 8.1 machine, the email signature did roam with me, but as a user I must make the email signature active by selecting it in the drop-down list for new and/or replied-to or forwarded messages.
Problems with the default templates for localized Office versions
If you are running a localized version of Office, you must manually update the UE-V templates to accommodate the localized folder names. The rule for roaming the Outlook email signature in the UE-V template file MicrosoftOffice2010Win32.xml defines the following:
This will save and roam all files (email signatures) in the user’s %APPDATA%\Microsoft\Signatures folder. The problem is that on a machine with a localized Office version, the email signature folder located in C:\Users\<username>\AppData\Roaming\Microsoft is not called “Signatures” but is instead localized, to “Signaturer” in my case, as I am running a Swedish installation of Office.
If you have followed UE-V best practices and put your template files on a network share, pointing to it using the UE-V GPO settings, you can just go ahead and edit the template file in the network location, replacing “Signatures” with “Signaturer” in my example, and the UE-V agents in your environment will by default pick up the new settings within 24 hours.
This behavior is the default for both UE-V 1.0 (with SP1) and the coming UE-V 2.0 (which is now in beta). Note that changes might occur before UE-V 2.0 is released.
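If you have several localized Office installations, or several templates to patch, editing the template by hand in the share is easy to get wrong (and there is no backup). The script below does the replacement described above with a backup and a sanity check. It is an added example, not the author’s or Microsoft’s code; the share path is an assumption, the template file name is the one mentioned in the post, and the script looks for any Path element in the template rather than relying on a specific template layout.

```powershell
# Added example (not from the original post): replace the English "Signatures"
# folder name with the localized one in the Outlook rule of the UE-V template
# on the settings template share. The share path is an assumption.
$templateShare = '\\fileserver\UEV\Templates'                    # assumed share
$template      = Join-Path $templateShare 'MicrosoftOffice2010Win32.xml'
$from          = 'Signatures'
$to            = 'Signaturer'                                    # Swedish Office, as in the post

[xml]$xml = Get-Content -Path $template -Raw

# Select every <Path> element (in any namespace, anywhere in the file) whose
# text contains the English folder name; this avoids depending on the exact
# structure of the template.
$nodes = $xml.SelectNodes("//*[local-name()='Path'][contains(text(),'$from')]")
if ($nodes.Count -eq 0) {
    throw "No <Path> element containing '$from' was found in $template; nothing changed."
}

# Keep the original next to the template so the change can be rolled back.
Copy-Item -Path $template -Destination "$template.bak" -Force

foreach ($node in $nodes) {
    $before = $node.InnerText
    $node.InnerText = $before.Replace($from, $to)      # plain (non-regex) replacement
    Write-Host "Changed '$before' -> '$($node.InnerText)'"
}

$xml.Save($template)
Write-Host "Saved $template ($($nodes.Count) path(s) updated); backup at $template.bak"
```

As the post says, agents pick up the edited template from the share on their own schedule (by default within 24 hours), so there is nothing further to push; the .bak file lets you revert if the replacement hit a path you did not intend.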
UPDATE September 25th 2013: Microsoft has posted a KB article which explains more about why the email signature is not set as default/active when roaming, see http://support.microsoft.com/kb/2889499/en-us.
Posted on April 8th, 2013 No comments
Thinking about moving to Windows 8? Here are 8 really good reasons to take the step and move to Windows 8.
1. Tablets. Windows 8 on tablets rocks and provides a way to add these kinds of devices to your existing infrastructure, adding mobility and security very easily.
2. Security improvements. Windows 8 builds further on the great security in Windows 7. Examples include BitLocker improvements in terms of performance and new protectors, such as using BitLocker with only a password. In terms of security you also find new features such as Secure Boot, virtual smart cards and more in Windows 8.
3. x64 platform. With Windows 8 there is no turning back: forget the x86 platform, the x64 platform is the one to use with Windows 8, and that on the UEFI hardware platform, to be able to fully use the potential of Windows 8.
4. Performance. The Windows 8 platform is the most optimized Windows client to date, requiring less memory and providing a really good user experience.
5. Mobility. With new features such as “Windows on a stick”, i.e. Windows To Go, Windows 8 provides the means for great mobility. Add to that the improvements in BranchCache as well as DirectAccess, which when used with Windows Server 2012 add even more and improved mobility features to the Windows client.
6. Virtualization. Client Hyper-V is included in Windows 8 Pro and Enterprise. That means there is no more need to add third-party applications to get the virtualization features you’ve been dreaming about. As a presenter it is really good to be running Windows 8 and virtual machines on a native virtualization platform.
7. User profiles and data. Windows 8 does have some improvements to user profile handling, such as primary machines. Add to that the new UE-V (User Experience Virtualization), which unfortunately is only available to MDOP customers, and you will get user settings roaming in no time, and by doing that create a really good user experience.
8. Compatibility. The compatibility rate for applications compared to Windows 7 is really good, although not 100% as you might hope. Most applications will just work, but as with all migration projects, testing needs to be done. Expect significantly fewer problems when moving from Windows Vista or 7 to Windows 8 compared to moving from Windows XP.
Posted on February 16th, 2013 No comments
Doing Windows deployments over VPN is not a very good idea, and it will work really badly. If you are using MDT to do Windows deployments, you can easily prevent deploying Windows over VPN.
The easiest way is to modify customsettings.ini to simply not install anything if the network card’s gateway is the one we define as the VPN gateway. So let’s look at the default customsettings.ini before we modify it.
Now let’s look at how we modify it to fit our needs. We add a check so that the first thing we do is to check whether the machine is on a VPN connection and, if so, not install anything. In the example we have two default gateways defined.
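The author’s own customsettings.ini did not survive on this page, so the following is an added example of the rule described above, not the post’s original file. The two gateway addresses are constructed, and using MDT’s OSInstall property to block the deployment is my choice of mechanism; the post does not say which property the author used.

```ini
; Added example (not the original post's file): block MDT deployments when the
; machine's default gateway is one of the VPN gateways.
; The gateway addresses are constructed; OSInstall=NO is the assumed way to
; tell LiteTouch not to install anything.
[Settings]
; DefaultGateway is evaluated first, so a VPN match wins over [Default].
Priority=DefaultGateway, Default

[DefaultGateway]
; gateway address = name of the section to read when it matches
10.10.10.1=VPN
10.10.20.1=VPN

[VPN]
; Machine is on a VPN connection: refuse the deployment.
OSInstall=NO

[Default]
; Everything else: normal deployment settings go here.
OSInstall=YES
```

MDT reads the sections in the order given by Priority and keeps the first value it finds for a property, so OSInstall=NO from [VPN] takes precedence over OSInstall=YES in [Default] whenever the gateway matches. Any other default gateway falls straight through to [Default].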
Happy deploying (but not over VPN)!
Posted on January 12th, 2013 No comments
The new framework and infrastructure around apps in Windows 8 bring some new challenges to deal with. To start with, you cannot turn off User Account Control if you want to use the modern apps in Windows 8, but there is more going on behind the scenes that is essential to the working of Windows Store apps.
When a problem does occur, Microsoft provides a nifty little troubleshooter tool for Windows Store apps; download and run the tool from:
Posted on January 5th, 2013 No comments
A unique Windows 8 book for corporations and enterprises is here! It’s called Windows 8 in the Enterprise and provides you with full step-by-step guides and information on how to successfully implement Windows 8 in your existing environment. The writing started in mid-August and was completed in October, after which there were some editorial and technical reviews, and now the book is finally published on Amazon.com. Go grab Windows 8 in the Enterprise now!
Posted on September 20th, 2012 No comments
I came across a rather peculiar thing with MDT 2012 Update 1 recently. MDT 2012 is pretty good at detecting when there are leftovers from previous deployments, but this time it failed, and it failed hard.
LiteTouch is trying to install applications. This cannot be performed in Windows PE.
If booting from a USB Flash Disk, please remove all drives before restarting. Otherwise, ensure the hard disk is selected first in the BIOS boot order.
Oh no, I was NOT trying to install applications in WinPE :) It was a pretty plain task sequence, and even recreating it with a brand new standard one did not help. However, the solution was to remove the MININT and _SMSTaskSequence folders using the good old rd command with the switches /q and /s. Unfortunately I did not save the logs, but the point is that if anyone hits this, there is a really easy solution.
Posted on August 17th, 2012 No comments
Windows 8 has RTM’d and is now available for download via MSDN and TechNet, that is, if you have a subscription to these services. If you do not and still want to evaluate Windows 8, there is a 90-day working Windows 8 Enterprise evaluation available at http://msdn.microsoft.com/en-us/evalcenter/jj554510.aspx