SCCM, Intune, and you

With System Center 2012 Configuration Manager Service Pack 1 came new ways to manage new OS types.  Mac and Unix/Linux management were big additions, but perhaps equally big was the expansion of mobile device management to cover iOS devices, Android devices, Windows Phone 8, and Windows RT devices.  This management is richer than what we had for ActiveSync devices in SCCM 2012 RTM, and different from what we have for older devices like WinCE and Windows Mobile 6.x in SCCM 2007 and SCCM 2012 RTM.  The new functionality comes via a connection with Intune, Microsoft’s cloud solution for device management.


What is Intune?

Intune is a fully standalone solution for managing devices from the cloud.  It is a subscription service, and it will manage full OS machines as well as mobile OSes like those I mention above.  Rather than duplicate efforts for mobile device management, the SCCM 2012 product leverages Intune’s communications and functionality to manage these devices, but moves the management responsibility back to the SCCM admin console so all management of devices can be done in one place.


How to hook SCCM and Intune together?

There are many settings and specifics to setting up Intune and configuring it to work with SCCM.  Craig Morris from the SCCM product group put together a great blog post on the subject so I’m not going to try and duplicate that here, but rather give a few key pointers to be aware of.


The first step to hooking SCCM and Intune together is to have SCCM and Intune.  You need to have SCCM 2012 SP1 as a minimum, and then you need to set up an Intune account.  There is a 30-day free trial, so clear your calendar for the next month and give it a shot to see if it is right for you.  TIP 1 - When you set it up you probably don’t want to use any existing account you already use for Hotmail, MSDN, SkyDrive, etc.  Intune will be tied to your account, so you probably want to set up or use some kind of generic account for your company rather than one tied to you personally.  It makes it easier for you to retire down the road when that day comes.


TIP 2 - The next pointer is that once you set up Intune and you start poking around, DO NOT set the Mobile Device Management Authority.  This setting can be done once, and only once.  If you do it wrong you have to “tear up” your Intune site, throw it away, and make another one.  Let SCCM set it for you when you are ready.


What you do for the next part of the integration is up to you.  In the ideal world you would set up Single Sign On (SSO) so your users can use their domain credentials.  For me and my test lab I was limited by the lack of an internet resolvable domain name so I couldn’t do it and had to do some workarounds.  If you do want to set it up, you will need to look into setting up Active Directory Federation Services (ADFS) to aid in the syncing.  This leads to TIP 3 – Make sure the User Principal Name (UPN) of your domain user accounts can be resolved by the Microsoft Azure cloud.  In other words, if your users have accounts like user@domain.internal and your company is externally reachable by .., you are going to have some hurdles to jump over to get things working correctly.  Once you have your UPN figured out, use DirSync to get accounts into Intune and then activate them in Intune.
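A pre-sync check for TIP 3, as an added example that is not from the original post: it flags accounts whose UPN is missing or whose suffix is internal-only or not among the domains verified for the cloud tenant.  The function name, the `$VerifiedDomains` value, the internal TLD list and the sample accounts are assumptions constructed for illustration.

```powershell
function Get-UpnSuffixReport {
    param(
        [Parameter(Mandatory)] [object[]] $Users,           # objects with SamAccountName, UserPrincipalName
        [Parameter(Mandatory)] [string[]] $VerifiedDomains  # assumed: domains verified for the tenant
    )
    # Assumed list of TLDs typically used for internal-only forests
    $internalTlds = 'local', 'internal', 'lan', 'corp'

    foreach ($u in $Users) {
        $upn    = [string]$u.UserPrincipalName   # $null becomes an empty string
        $suffix = $null
        if ($upn -match '^[^@\s]+@([^@\s]+)$') {
            $suffix = $Matches[1].ToLowerInvariant()
            $tld    = $suffix.Split('.')[-1]
            if ($suffix -notlike '*.*' -or $internalTlds -contains $tld) {
                $status = 'NonRoutableSuffix'      # e.g. user@domain.internal
            }
            elseif ($VerifiedDomains -contains $suffix) {
                $status = 'Ok'
            }
            else {
                $status = 'SuffixNotVerified'      # routable, but not a tenant domain
            }
        }
        else {
            $status = 'MissingOrMalformedUpn'
        }
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            UserPrincipalName = $upn
            Suffix            = $suffix
            Status            = $status
        }
    }
}

# Constructed sample accounts. Against a live domain, pass instead:
#   Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; UserPrincipalName = 'alice@example.com' }
    [pscustomobject]@{ SamAccountName = 'bob';   UserPrincipalName = 'bob@domain.internal' }
    [pscustomobject]@{ SamAccountName = 'carol'; UserPrincipalName = 'carol@example.net' }
    [pscustomobject]@{ SamAccountName = 'svc1';  UserPrincipalName = $null }
)

$report = Get-UpnSuffixReport -Users $sample -VerifiedDomains 'example.com'
$report | Where-Object Status -ne 'Ok' | Format-Table -AutoSize   # accounts to fix before syncing
$report | Group-Object Status | Select-Object Name, Count          # summary per status
```

Running the same report against the pilot user collection before adding people to it keeps accounts with an unusable UPN out of the first enrollment tests.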


Once you have all that in place you get to head to the SCCM 2012 admin console to complete the last bits.  You need to set up an Intune subscription to link things together, and you need to set up an Intune connector site system role (similar to a Distribution Point) so you can publish content for devices into the Intune cloud.  In this process you should also create a user-based collection as your control point for which users will be allowed to use devices managed via Intune.  You might want to start with only a test user or two (who have the correct UPN) and eventually expand to all the users in your organization.  TIP 4 - Keep the users in this collection set as activated users in Intune for best results.


Now what?

These steps will get you a link between Intune and SCCM, so now you are ready to manage some devices.  I’ll be adding some future blog posts to talk about how to set up a connection with each type of mobile device and distribute software to it… so stay tuned.