How to Change SCCM MDM Authority to Intune Standalone

Benoit Lecours | Intune, SCCM | 2 Comments

With the release of SCCM 1710, one of the key new features is the possibility of Co-Management with Intune. Moving toward Co-Management would eventually allow you to offload some management tasks to Intune and be more aligned with the concept of Modern Management for Windows 10. One of the main requirements to enable Co-Management is to have Intune as the MDM Authority. This goes against what many SCCM admins have done over the past few years, which is enabling the Intune Connector in SCCM to manage mobile devices from the SCCM console. This is called Intune in Hybrid mode. Microsoft has come up with a solution to bring back Intune as the MDM authority, which is the Standalone mode, all without impacting end users and their enrolled devices. In this post, we will detail how to move Intune from Hybrid mode to Standalone. Prerequisites to Change SCCM MDM …

Updating your Mobile Devices against Meltdown and Spectre with Intune

Nicolas Pilon | EMS, Intune

Everyone has heard of the Meltdown and Spectre vulnerabilities in modern computers, which leak passwords and sensitive data. In case you haven't, the most important thing to remember is to update all devices, mainly those with an Intel processor, including mobile devices. If you are using Microsoft Intune to manage mobile devices in your organization, you can configure compliance rules to force users to update their operating system version. Those who want to keep their old OS version will lose their access to Office 365 at one point. It's essential that employees know the importance of updating their devices more often, without being forced to. On the other hand, updating the OS means some types of devices won't be supported anymore. In case your company accepts BYOD, some users will need to purchase a new mobile device. In the end, securing your endpoints is more important. In this post, we will use the …

How to Deploy an iOS Application with Intune and SCCM

Benoit Lecours | Intune, SCCM | 11 Comments

Updated 2018-03-19. One of Microsoft Intune's features is deploying the mobile applications that your users need to get their job done, such as the Office suite: Word, Excel, PowerPoint and OneNote. This blog post will show how to deploy Microsoft Word on managed iOS devices with Microsoft Intune and SCCM. This is the 9th post of the Mobile Device Management with Intune and SCCM 2012 blog series. Microsoft Word for iOS devices requires Mobile Application Management (MAM) policies in Microsoft Intune. Since it's a prerequisite for Microsoft Word, we will configure a MAM policy in this post at step 2. MAM policies give the ability to protect company data without affecting personal data. You can also apply restrictions on actions like Save As, Clipboard and many more. You can read more about MAM on Technet. Step 1 | Create the Application in SCCM Creating a mobile …

No Enrollment Policy during Intune Client Installation

Nicolas Pilon | Client, Intune, SCCM | 1 Comment

When a company wants to manage an iOS mobile device, an Apple Push Notification Service (APN) certificate is installed on the iOS devices. This certificate installation makes sure that the connectivity between the devices, Apple, and your MDM solution is trusted. Intune is no exception to this process. It's the main reason why, from the Intune or SCCM console, you can send remote actions directly to iOS devices. After the certificate is configured in Intune, users can install the Company Portal app to enroll their devices (Android, iOS, Windows). When users open the Company Portal for the first time, they must enter their tenant credentials to identify themselves. Once the authentication succeeds, the Company Portal will prompt the user to install an MDM profile including the APN certificate. If the configuration of your Apple APN certificate is missing or expires, the No Enrollment Policy error message appears. Do not panic. …

How to enable Android for Work in SCCM and Intune

Benoit Lecours | Intune, SCCM | 6 Comments

Starting with SCCM 1702, mobile device management with SCCM and Microsoft Intune (Hybrid) supports Android for Work device enrollment and management. You can manage compliance settings, wipe or delete Android devices, deploy apps, and collect software and hardware inventory. Users can download the Android Company Portal app from Google Play, which lets them enroll Android for Work devices. Enable SCCM Android for Work The first step is to create a Google account and configure your Intune subscription to accept Android for Work devices. Refer to our previous blog post if you don't already have an active Intune subscription. Create a Google account that will be used as your Android for Work admin account. This account will be shared by the administrators in your team who manage Android devices. It will also be used to manage, publish and approve apps in the Play for Work console. Once the account is created, open …

Send Sync Request to Intune Mobile Devices from SCCM 1610 Console

Nicolas Pilon | Console, Intune, SCCM

This month, SCCM 1610 was released with a bunch of new features, including exciting Intune features. One of these Intune features is the ability to send a sync request directly from the SCCM console. It's a new remote action that Intune administrators will use daily. For example, you can send a sync request to a mobile device that is having a deployment or client health issue. In fact, each mobile device managed by Intune needs to communicate with Intune to get the latest policy and compliance state. Normally, the Intune client synchronizes every 6 hours for iOS and 8 hours for Android. Additionally, there's a scan every 15 minutes in the first 6 hours of enrollment. The mobile device can be synchronized as well from the Company Portal application. Take note that Send Sync Request is unavailable for the moment in Intune standalone. Maybe one day! SCCM 1610 Send Sync Request Open the SCCM Console, navigate to …

How to Strengthen Security for Intune with RBAC in SCCM

Nicolas Pilon | Application, Console, Intune, SCCM

The majority of companies use SCCM to manage laptops, computers and servers, and some also use it for mobile devices if they run Microsoft Intune in hybrid mode. In some situations, Intune and SCCM management is done by 2 different teams. Except for the Full Administrator role in SCCM, it's possible to separate Intune from the Configuration Manager infrastructure in the console by using security roles and security groups (RBAC). The goal is to ensure that an Intune administrator does not access Configuration Manager client devices and objects, as you don't want to end up with people who may wipe or manage mobile devices when they are supposed to be only Configuration Manager admins. This post will explain how to strengthen security and separate Intune from the Configuration Manager infrastructure in the SCCM console. Create Devices Collection for Intune Client The first thing to do is create a device collection that targets Intune clients. There are two ways to create …

Intune Client | Error User License Type Invalid

Nicolas Pilon | Client, Intune, SCCM | 6 Comments

The starting point of every mobile management project is enrolling devices. Without enrollment, you can't manage any devices. When running in hybrid mode, the enrollment process is different from running Microsoft Intune in standalone mode. The SCCM Service Connection Point role keeps connectivity between both ends (SCCM on-premise and the Cloud). Both environments must be synchronized; otherwise, you may get the Intune error User License Type Invalid during Intune enrollment on your mobile devices. This post will explain how to resolve this issue. Intune Error User License Type Invalid This is the error message shown just before the enrollment process when you click Enroll : If you take a look at the Company Portal log from the mobile device, you will see : <ErrorType>UserLicense</ErrorType><Message>Invalid User License</Message> ** How to see Company Portal log? Please read this Technet post ** Cloud User Sync During the configuration of the Intune subscription in your SCCM, you need to create and configure a …

Use IMEI Numbers with SCCM and Intune to identify Corporate Devices

Nicolas Pilon | Intune, SCCM | 1 Comment

Last January, Microsoft released an update for Intune standalone environments in which you can import international mobile equipment identity (IMEI) numbers, for mobile device platforms that have an IMEI number, to help identify corporate-owned mobile devices. Once enrolled in Intune, devices with imported IMEI numbers are tagged as Corporate, which can be used for applying policies that are different from those applied to Personal devices. What happens if you use an Intune hybrid environment? SCCM has no built-in tool to add a list of IMEI numbers and switch device owners from Personal to Company when devices are enrolled. In this post, we will configure SCCM to identify devices based on a list of IMEI numbers and change their ownership from Personal to Company. Before starting, you can read about the difference between both ownership attributes. Preparing the Collection The first step is to extract all IMEI numbers of your corporate-owned devices. The idea is to create a list of …

How to install Microsoft Intune Client for Mac OS X

Nicolas Pilon | Client, Console, Intune, REPORT, SCCM

Have you ever wanted to install the Microsoft Intune client on Mac OS X? Microsoft Intune standalone has supported Apple operating systems since November 2015. SCCM 1602 is required to support the Microsoft Intune client with the SCCM connector (hybrid environment). The Intune client is a lightweight version of the SCCM client. You can deploy some policies, SCEP certificates, VPN and WiFi profiles. There is also a hardware inventory scan on the devices. In a previous post, we explained how to set up a compliance policy for Mac OS X. Now that our client is ready to receive the compliance policy, we will install the Microsoft Intune client on Mac OS X devices. Install the Intune Client Mac There is still no way to automatically install the client. Connect to the Mac OS X devices on which you want to install the Microsoft Intune client. Open Safari and go to portal.manage.microsoft.com. Click on This device is either not enrolled …