A blog with focus on Windows 10 and cloud solutions

  • Intune/ConfigMgr email profiles are removed and not readded on iOS devices

    Posted on July 16th, 2014 By Andreas Stenhall + No comments

    If you are using System Center Configuration Manager 2012 R2 and Windows Intune to deploy email profiles to your iOS devices, you should be aware that the email policy will vanish from your users’ iOS devices, and the user then needs to log in to the company portal for the email profile to be deployed once again to the iOS device. This is true in the following scenarios:

    • You make a change to the email policy, for instance changing the name of the email policy in the ConfigMgr console.
    • You install Cumulative Update 2 for System Center Configuration Manager 2012 R2.

    No status on a fix for this bug at the moment.

  • Notes from the field: iOS device management using ConfigMgr 2012 R2 and Windows Intune

    Posted on March 3rd, 2014 By Andreas Stenhall + 1 comment

    There is not that much real-world info on managing iOS devices using Windows Intune and ConfigMgr. I am talking about managing iOS devices, not setting up iOS enrollment or the tons of guides on how to publish and deploy a web link to the App Store. This blog post was born to give some deeper level of insight into iOS management using Windows Intune together with System Center Configuration Manager 2012 R2.

    UPDATE March 18 2014: Bug deploying email profiles to iOS using ConfigMgr / Intune

    Troubleshoot MDM in Intune / ConfigMgr

    The biggest challenge, as I have learnt, is that troubleshooting mobile device management using ConfigMgr and Intune leaves a lot to be desired. There really is not that much you can see in terms of what is going on between ConfigMgr, the Intune cloud service and the mobile device itself. There are no force buttons to push or pull stuff, so you are pretty much left in the dark many times. Apparently there is only one action you can take to force all policies (compliance settings and email profiles, for instance) to the iOS device, and that is to install an app from the Company Portal iOS app or from the web interface at m.manage.microsoft.com. Apart from that you just have to wait, wait and wait for things to happen.

    Custom iOS app deployment options and important knowledge

    One of the less talked about features is the ability to sideload an in-house or custom developed iOS app (IPA file). It is done as easily as any other application deployment by adding the IPA and the PLIST file, then distributing it to the cloud distribution point. Although the plist manifest file is required to add the application for deployment, it seems to be of no use, as the plist file is not distributed with the IPA file itself to the distribution point. I suppose it is more of a way of knowing that you are not deploying apps from the App Store (IPA files, not the web links).

    When deploying an IPA you have three options:

    1. Deploy it as Available to Users
    This will make the app published and available for install, but only in the web interface, i.e. “m.manage.microsoft.com”. For some reason which I do not know you will not see this app if you are using the Company Portal app. Once again I do not know the background for this but it is really inconsistent behavior and makes the iOS Company Portal app more or less unusable. I have filed a Design Request Change for this at Microsoft Connect.

    UPDATE: This is an Apple “feature” and a limitation in what they allow the MDM vendors to do.

    2. Deploy it as Required to Users
    This will install the app automatically for targeted users. A note will pop up on the screen of the iOS device asking if “m.manage05sub.microsoft.com want to install the following app, is that OK”? After clicking OK/yes the app is installed (or should we say sideloaded to be correct).

    3. Deploy it as Required to Devices
    This will install the app automatically for targeted devices. A note will pop up on the screen of the iOS device asking if “m.manage05sub.microsoft.com want to install the following app, is that OK”? After clicking OK/yes the app is installed (or should we say sideloaded to be correct).

    Log files – shake it baby!

    Well, there are a few log files on the CM side but I have not found any relevant information in them; all you can see is that there is some kind of communication with Intune, but that’s about it. So basically there are no logs to turn to when troubleshooting. There is however one log file, and that can be accessed from an iOS device by logging into the Company Portal app. After login, shake the phone. Yes, you heard me, shake the phone and you will see options to send the log file via email for further analysis. However, although I have read many log files over the years, this log file is among the harder ones to interpret. It will however likely be more useful to Intune technical support technicians (more on that later). I have filed a DCR for more insight into Intune or the communication via ConfigMgr at Microsoft Connect.

    iPad and iPhone collections

    Divide iOS devices into collections for iPads and iPhones, which is useful if you, for instance, want to target different compliance settings to iPads and iPhones. Create a collection based on “Mobile Device Computer System” where the “Device Model” is like %ipad% or %iphone%, respectively.

    The query to list all iPhones in a collection:

    select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
           SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
           SMS_R_SYSTEM.Client
    from SMS_R_System
    inner join SMS_G_System_DEVICE_COMPUTERSYSTEM
        on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId
    where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "%iphone%"

    The query to list all iPads in a collection:

    select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
           SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
           SMS_R_SYSTEM.Client
    from SMS_R_System
    inner join SMS_G_System_DEVICE_COMPUTERSYSTEM
        on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId
    where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "%ipad%"

    Email profiles be aware

    Do not let the official ConfigMgr blog screenshots fool you. When creating an email profile the Exchange ActiveSync Host should be entered without http:// or https:// as mistakenly demonstrated in the screenshot.

    UserLicenseTypeInvalid error message

    The error UserLicenseTypeInvalid can appear when trying to enroll an iOS device. Most likely this is due to users not being synced to the Intune service, either because they are missing from the “Intune users” collection or because there is a problem with actually syncing from CM to Intune. More about that in this blog post.

    The Intune Support

    Do not hesitate to contact the Intune technical support whenever you encounter a problem. As you have no insight into Intune, contacting support is many times the only way to figure out what is or what is not going on with your mobile device management. Support phone numbers for Intune specifically are listed at the Microsoft Support web site.

  • UserLicenseTypeInvalid when enrolling an iOS device in Intune/ConfigMgr

    Posted on November 8th, 2013 By Andreas Stenhall + 1 comment

    When setting up and connecting Windows Intune to System Center Configuration Manager 2012 R2 and you are trying to enroll a mobile device (iOS device), you may receive the error “UserLicenseTypeInvalid”.

    Checking the cloudusersync.log on the ConfigMgr server listed the following two lines which seemed to be relevant:

    ERROR: SetLicensedUsers exception System.ServiceModel.Security.SecurityNegotiationException: Could not establish secure channel for SSL/TLS with authority 'msub05.manage.microsoft.com'

    Solution: Simply restart the SMS_EXECUTIVE service and everything is back on track and you can enroll the user on the mobile device. I have seen this a few times now and thought I’d share some information on it, not sure why it fails quite often though.

    UPDATE: I have also seen this (without the error message above) when the user has not been added yet to the User Collection and synced to Intune. Solution is to make sure that the user is added to the Intune user Collection and make sure via cloudusersync.log that the user is added correctly to the Intune service.
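
    One way to check cloudusersync.log for the failure described above, as an added example that is not part of the original post. The function name Find-CloudUserSyncError, the $LogPath placeholder, the sample lines and the usual ConfigMgr `<![LOG[...]LOG]!>` line layout are assumptions.

```powershell
# Added example (not from the original post): find SetLicensedUsers failures in
# cloudusersync.log and flag the SSL/TLS secure-channel variant quoted above.
function Find-CloudUserSyncError {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string[]]$Line
    )
    begin {
        # Assumed layout: <![LOG[message]LOG]!><time="..." date="..." ...>
        $entry = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"'
        $tlsAuthority = "secure channel for SSL/TLS with authority '(?<host>[^']+)'"
    }
    process {
        foreach ($l in $Line) {
            if ($l -notmatch 'SetLicensedUsers exception') { continue }
            # Fall back to the raw line when the layout assumption does not hold.
            $msg = $l; $date = $null; $time = $null
            $m = [regex]::Match($l, $entry)
            if ($m.Success) {
                $msg  = $m.Groups['msg'].Value
                $date = $m.Groups['date'].Value
                $time = $m.Groups['time'].Value
            }
            $tls = [regex]::Match($msg, $tlsAuthority)
            $authority = $null
            if ($tls.Success) { $authority = $tls.Groups['host'].Value }
            [pscustomobject]@{
                Date       = $date
                Time       = $time
                TlsFailure = $tls.Success
                Authority  = $authority
                Message    = $msg
            }
        }
    }
}

# Constructed sample lines; only the error text is taken from the post.
$sample = @(
    '<![LOG[Constructed informational entry]LOG]!><time="10:15:30.001-60" date="11-08-2013" component="constructed" type="1">'
    '<![LOG[ERROR: SetLicensedUsers exception System.ServiceModel.Security.SecurityNegotiationException: Could not establish secure channel for SSL/TLS with authority ''msub05.manage.microsoft.com'']LOG]!><time="10:15:32.123-60" date="11-08-2013" component="constructed" type="3">'
)
$sample | Find-CloudUserSyncError | Format-List

# Against the real file ($LogPath is a placeholder for your cloudusersync.log):
# Get-Content -Path $LogPath | Find-CloudUserSyncError
```

    Entries with TlsFailure set to True match the case where the post restarts the SMS_EXECUTIVE service; UserLicenseTypeInvalid with no such entries points to the second cause, the user missing from the Intune user collection.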

  • Cloud management of clients using brand new Windows Intune

    Posted on April 19th, 2010 By Andreas Stenhall + No comments

    It seems System Center Online Desktop Manager has been re-branded as Windows Intune, and it was just presented at MMS in Las Vegas. What Windows Intune does is provide the means to manage and monitor Windows 7 clients in the cloud. This is recommended for 25-500 PCs.

    What it does for you:

    • Patch management – keeps your machines updated and reports back to you.
    • Unwanted code – keeps your machines clear of all unwanted code, or malware to be specific.
    • Inventory – provides you with software and hardware inventory.
    • Security policies – centrally manage policies for firewall and malware protection settings.
    • Remote Assistance – connect to your client machines regardless of where they are with remote assistance.
    • Threats and alerts – receive information from the clients to proactively monitor health and status.

    More at: http://www.windowsintune.com/