Vol. 19, #18 - May 5, 2014 - Issue #978


Mobile Device Management

  1. Editor's Corner
    • Mobile Device Management
    • Tip of the Week: Shrinking a Virtual Hard Disk
    • Recommended for Learning
    • Microsoft Virtual Academy
    • Quote of the Week
  2. Admin Toolbox
    • Admin Tools We Think You Shouldn't Be Without
  3. Events Calendar
    • Americas
    • Europe
    • Asia Pacific
  4. Webcast Calendar
    • Register for Webcasts
  5. Tech Briefing
    • Mobile Device Management
    • Enterprise IT
    • System Center
    • Windows Azure
  6. Windows Server News
    • Cloud Storage system decisions shouldn't hinge on cost
    • Easy fixes for three remote connectivity problems
    • The how and why of live cloning a VM in Hyper-V 2012 R2
    • Knowing your infrastructure helps deliver premium VM performance
  7. WServerNews FAVE Links
    • Darcy Oake's Jaw-Dropping Dove Illusions - Britain's Got Talent 20
    • Cat Fishing For A Cat
    • Erix - Magic Juke Box
    • Terra Incognita Duo - Ukraine's Got Talent
  8. WServerNews - Product of the Week
    • Identify Misconfigured Permissions in Active Directory for Free



Editor's Corner

This week's newsletter is all about Mobile Device Management (MDM) using Windows Intune and System Center. We welcome Simon May, Enterprise Client Evangelist at Microsoft, who has contributed our guest editorial on this subject. Simon previously contributed to our newsletter back in November of last year in iOS and the Enterprise (Issue #957) with an article about managing Apple iOS devices in enterprise environments using the new Device Registration Service in Windows Server 2012 R2. His article in this week's issue builds and expands upon the topic of his previous article.

Speaking of building things, remember our recent issue titled Implementing Wi-Fi in Enterprise Environments (Issue #967)? We got a lot of feedback on that issue--see the Mailbag sections of Issue #968 and Issue #970. But in all that feedback I was surprised no one pointed out this Dilbert comic strip about building a nationwide wireless network:

And now on to our guest editorial by Simon May...

Mobile Device Management

The last time I wrote for this newsletter I was talking about beginning to embrace iOS devices with a Microsoft infrastructure, using the Device Registration Service in Windows Server 2012 R2. As useful as device registration is, and as useful as using a registered device as a second authentication factor is, managing the device is a higher priority for people. This is the realm of Mobile Device Management (MDM) software. Of course, simply managing a device isn't all that IT needs to do; we often need to deploy software to devices too, which is often termed Mobile Application Management. The need for these tasks is most often based on the perceived risk of not managing the devices that people use to connect to the corporate network.

The risk is of course that someone might "lose" some corporate data, or give an unauthorized party access to corporate data through malware or some such means.

Managing mobile devices is a far more political task than managing the traditional domain-joined PCs that most IT pros are used to (although many are now managing mobile devices too). The biggest challenge is that, in the main, those devices aren't corporate assets, so you don't have ultimate control over them. The second issue comes from the users of the devices themselves: they expect everything to "just work" the way their devices and the services that power them do, and they expect complexity to be taken away and things to be easy -- although they don't expect EVERYTHING to be done for them.

Wouldn't it be cool if you could set something up that gave you always-on management for those always-connected devices? Something that automatically provisioned email, provided company-endorsed or controlled applications, and offered a means of safely removing those things from the device without affecting the user's personal photos, apps and music on the device they own? There are lots of solutions out there that do part of this, but not many that integrate as seamlessly with other services, and with what you're using to manage those domain-joined PCs, as Windows Intune and System Center Configuration Manager do. Most people I talk to don't even realize that Microsoft has an MDM solution in Windows Intune.

In this article I'll show you the steps to get up and running with MDM using Windows Intune and System Center and also show you how you can do some simple MDM too.

The Pre-reqs

This article would kill a million digital trees if I wrote up a step-by-step guide for some of this, so I'm just going to assume you can do the basics if you're reading this newsletter. The first thing you need is a fully functional domain on-prem; you'll also need a Windows Server 2012 R2 server running System Center Configuration Manager 2012 R2 that's fully configured. There are some good guides out there if you have a search. There is also a TechNet lab that you can use as your starting point:

The next thing you'll need to try this out is a 30-day trial of Windows Intune:

You'll then need to go into Windows Intune and configure Directory Synchronization. If you wanted to, you could configure this against your actual Active Directory, since it'll make no changes to your AD if you don't enable hybrid deployment. I'd probably want to do this in a lab though, to be honest.

Next, go into your AD and add a UPN suffix for your new Windows Intune tenant; the suffix will end in .onmicrosoft.com. You do this by right-clicking the top element in Active Directory Users and Computers.

Now in your Configuration Manager console you'll want to add a new user collection just for your iOS device management pilot (something like Mobile Enabled Users) and you'll need to add your test subjects to that group.

The final thing you'll need is, rather obviously, an iOS device.

Connecting Configuration Manager and Windows Intune for iOS management

Now is where the technical stuff starts to come in properly -- it's interesting to note at this point that it's designed to be easy to set up, to save you time even though it's not something you'll do often. In the Configuration Manager console go to Administration > Cloud Services > Windows Intune Subscriptions. Select Add Windows Intune Subscription from the ribbon and the wizard will start…I'm not going to tell you how to use this wizard other than to give you some tips. The first thing you'll see is the Set the Mobile Device Management Authority dialogue box -- this one is important. It's telling you that you are on a one-way path to putting your Windows Intune account into hybrid mode and that there is no going back. Say yes.


Figure 1

Now provide your Windows Intune administrator account details (they need to be Global Admin details) and the name of the Configuration Manager collection that contains your lab rats…er, sample users. Since the purpose of what we're doing is to manage iOS, be sure to select iOS as the device type; if you select other device types you're going beyond the scope of this article, but you can read the documentation on TechNet.

You now need to click away from the wizard and go back to the Configuration Manager console.

We now need to get a cert from Apple to allow us to manage our iOS devices. On the ribbon click Create APNs Certificate Request, provide the folder and file name to download the certificate request to, click Download, and provide your Windows Intune sign-in details again. Now on the Request Apple Push Notification Certificate Signing Request page click the link for the Apple Push Certificate Portal. You now enter the world of Apple and you'll need to sign in with an Apple ID (you have one, right?).

Having signed in, click Create a Certificate, then read and accept the terms of service and upload the .cer file that you downloaded from Windows Intune moments ago. You'll probably be prompted to run or save some JSON; save it if you like, go back to the Apple portal, and you'll find you've been issued a cert which you can download in .pem format.

Now go back to the wizard we were on a few moments ago and upload the certificate and complete the wizard with all the fancy company name stuff. We're almost done on the setup, but there is one last thing to do.

Go to Site Configuration > Servers and Site System Roles and add the Windows Intune Connector role to an appropriate site server. Time for a coffee; we need to wait for Intune and CM12 to parley. You'll know they have when you see something in the Extensions for Windows Intune node.

Most of the setup is now done -- at least the one-time only stuff.

Device Enrollment

The first stage of making a device manageable is getting it enrolled -- in old-world PC management terms this is the combination of joining a domain and installing an agent…without the pain. It's something that your users should do themselves, so it's pretty simple.

In the Windows Intune portal, under Users, click a user you want to use for testing (these should be your on-prem AD users that have synced) and add the user to Windows Intune by checking the box; this assigns a license. You'll need to provide a location. Make a note of the user's name in the portal; it will be [email protected] Now this is very important: the UPN in Windows Intune (actually Azure AD) must match the UPN of the on-prem user account you're using for testing, so go to the user's account in your on-prem AD and set the UPN to match the Windows Intune UPN. If this seems broken at this point, it kinda is…we're doing this for a PoC. Normally you'd register your domain with Windows Intune and work with your public DNS registrar to authenticate it, but we are skipping that step here.
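The UPN alignment this step calls for, together with the UPN suffix added to AD in the pre-reqs, can be scripted rather than clicked through, which also gives you an audit of which pilot users would still fail the match. The following PowerShell is an added example, not Simon's code or a Microsoft-provided script. It assumes the RSAT ActiveDirectory module is installed, uses "contoso" as a placeholder tenant name, stands in a constructed AD group named "Mobile Enabled Users" for the pilot collection, and assumes the tenant-side UPN prefix is the user's sAMAccountName (check the value the Intune portal shows and adjust if it differs). Set-ADUser runs with -WhatIf so you can review the changes before applying them.

```powershell
# Added example (not from the article): PowerShell equivalent of two GUI steps
# the article describes -- registering the tenant's UPN suffix in the forest and
# making each pilot user's on-prem UPN match the Windows Intune (Azure AD) UPN.
# Assumptions: RSAT ActiveDirectory module present; "contoso" is a placeholder
# tenant name; pilot users are members of an AD group "Mobile Enabled Users"
# (a constructed stand-in for the ConfigMgr collection named in the article);
# the tenant UPN prefix equals sAMAccountName (verify against the portal).
Import-Module ActiveDirectory

$TenantSuffix = 'contoso.onmicrosoft.com'   # placeholder: <your-tenant>.onmicrosoft.com
$PilotGroup   = 'Mobile Enabled Users'      # constructed AD group of pilot users

# Step 1: register the suffix at the forest level (the scripted equivalent of
# adding an alternative UPN suffix in the GUI). Idempotent: only adds if missing.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $TenantSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $TenantSuffix }
}

# Helper: the pilot users as ADUser objects with their current UPN.
function Get-PilotUser {
    Get-ADGroupMember -Identity $PilotGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties UserPrincipalName
}

# Step 2: set each pilot user's UPN to <sAMAccountName>@<suffix> so the on-prem
# value matches the tenant. -WhatIf shows the change; remove it to apply.
Get-PilotUser | ForEach-Object {
    $desired = '{0}@{1}' -f $_.SamAccountName, $TenantSuffix
    if ($_.UserPrincipalName -ne $desired) {
        Write-Host ('Updating {0}: {1} -> {2}' -f $_.SamAccountName, $_.UserPrincipalName, $desired)
        Set-ADUser -Identity $_ -UserPrincipalName $desired -WhatIf
    }
}

# Step 3: audit -- anyone still lacking the tenant suffix will hit the UPN
# mismatch the article warns about, so list them before asking users to enroll.
Get-PilotUser |
    Where-Object { $_.UserPrincipalName -notlike "*@$TenantSuffix" } |
    Select-Object SamAccountName, UserPrincipalName
```

Run it as a domain admin on a machine with RSAT; Step 1 needs Enterprise Admins rights because UPN suffixes are a forest-wide setting. Changing a UPN affects how the user signs in to anything that authenticates by UPN, so do this against your pilot group only, as the article does.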

Search for Company Portal in the App Store on an iPad you want to use as a test, install it, launch it and sign in as your test user -- use their on-prem password. At this point the user can browse your company portal and see if it's worth them enrolling their device -- see the steps later on to make that a compelling thing for them to do.


Figure 2

Tap the user's name at the top of the app and tap Add Device. They will be given some info about what it means to add their device, and if they tap Add they will be taken to a screen to install a Management (or SCEP) profile. This is enrollment in action, and after a while (when update cycles have run in Configuration Manager) you'll see the iOS device appear in the Mobile Devices device collection.

Enable iOS 7 Extensions

Mobile device operating systems move forward at a more rapid pace than enterprises like to move with their infrastructure investments, but thankfully Microsoft has embraced that. Windows Intune and Configuration Manager have implemented extensions which allow Microsoft to get a new group of configurable settings out almost as quickly as those OSes are released, but more importantly they've made updating your infrastructure drop-dead easy.

To enable iOS extensions in Configuration Manager, go to the Administration workspace and enable the Email Profiles Extension and iOS Security Settings extensions, accepting the EULA each time; the extensions will then be downloaded, once for the whole hierarchy. When the extensions show as enabled, close the Configuration Manager console and restart it. You'll be told that new extensions have been enabled and they will install; this might require elevation, but once it's done it's done for everyone!

Automatically configure email and policy settings

Now it's time to make enrolling a device compelling for your users, by taking some of their pain away. First let's enable access to their corporate email.

Go to Email Profiles, right-click, and select Create Exchange ActiveSync Profile.

Now provide a profile name such as "corporate email", then provide the name of your ActiveSync server (if you don't want to use your actual Exchange servers, sign up for an Office 365 account with your Intune test tenant at Office.com -- they share an Azure AD, so it's simply a case of licensing a specific user with an Exchange trial). Select the appropriate settings for synchronization -- push is pretty usual -- and finally be sure to select the supported platforms that match the iOS device you are using for testing.

Now we need to deploy our settings -- we are in Config Man after all -- so select the settings, click Deploy on the ribbon, and deploy them to the user collection we are using for testing. These settings will deploy, but this can take some time depending upon your device's connectivity etc.

Sure, you could argue that a user could set these things up manually, but then you're relying on them to do that; with enrollment you can be sure you got it right!

Deploy Apps from the App Store

iOS devices support both sideloaded and App Store installed apps, and there are some apps that you might want to get your users to install to make them more productive -- such as the recently released and hugely popular Office for iPad apps. All we need to make this possible is the URI for the app in the Apple App Store…the fastest way I've found to get those is to find the app in the App Store on the device and send an email to myself linking to the app.


Figure 3

With this URI, simply go to the Software Library workspace > Overview > Application Management > Applications and click Create Application. Select App Package for iOS from App Store, paste the App Store location from the email into the wizard, and complete the wizard, making sure to keep things understandable for your "users". Select your application and deploy it to the All Users collection.

Wait a few minutes and then check the Company Portal on your device; you should see the app appear in the New Apps section. Select the app and you'll be taken to it in the App Store, where you'll be able to install it.

What happens when someone leaves the company?

People leave companies all the time, for reasons good or bad, and you need to be able to respond to that. Of course people also lose their nice devices, and forget to retire them before they recycle them.

To see the effect of someone retiring their device, go to the Company Portal, select your device under My Devices, then select Remove Device and confirm by tapping Remove. In a few minutes' time you'll find the email connection has been removed, but you'll still have your Word app installed.

Looking at what just happened you can see that we removed the company specific stuff (like their email, along with its data) but left the apps that they got from the public store. Neat and just what the user would expect -- but without ever telling you that!


Hopefully you've found this article an interesting look at just the tip of the iceberg of what's possible with Windows Intune and Configuration Manager on iOS devices. It really is the tip of the iceberg though: there are tons of settings and things you can do with this management platform, including custom URIs for management of (as yet) unthinkable things.

About Simon May

Simon May is Enterprise Client Evangelist for Microsoft Corp. He can be reached on twitter at

or by email at [email protected]

Send us feedback

Got feedback on this issue? Let us know at [email protected]

Tip of the Week: Shrinking a Virtual Hard Disk

The following tip is excerpted from my book Training Guide: Installing and Configuring Windows Server 2012 from Microsoft Press:

Before you use either Windows PowerShell or Hyper-V Manager to shrink a VHD or VHDX file, you should log on to the guest operating system and use the Disk Management snap-in to shrink the volume on the virtual disk you want to shrink. For more information, see Ben Armstrong's post titled "Shrinking a virtual hard disk in Windows 8" in his Virtual PC Guy Blog:
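The two-stage shrink the tip describes (volume first, inside the guest; then the disk file, on the host) can also be done from PowerShell. The following is an added example, not text from the book or from Ben Armstrong's post. Stage 1 uses the Storage module inside the guest (Windows 8 / Windows Server 2012 or later), stage 2 uses the Hyper-V module on the host, and the drive letter, target size, VM name and VHDX path are placeholders.

```powershell
# Added example (not from the book excerpt): scripted version of the two-stage
# shrink the tip describes. Stage 1 runs INSIDE the guest; stage 2 runs on the
# Hyper-V HOST. Drive letter, target size, VM name and VHDX path are placeholders.

# ---- Stage 1 (inside the guest): shrink the volume before touching the disk ----
$DriveLetter = 'D'        # placeholder: volume on the virtual disk to shrink
$TargetGB    = 40         # placeholder: desired volume size in GB

$part        = Get-Partition -DriveLetter $DriveLetter
$supported   = Get-PartitionSupportedSize -DriveLetter $DriveLetter
$targetBytes = $TargetGB * 1GB

# The file system sets a floor (SizeMin) based on in-use and unmovable data;
# asking for less than that fails, so check it up front and report the floor.
if ($targetBytes -lt $supported.SizeMin) {
    throw ('Volume {0}: cannot shrink below {1:N1} GB (data in use)' -f $DriveLetter, ($supported.SizeMin / 1GB))
}
if ($targetBytes -lt $part.Size) {
    Resize-Partition -DriveLetter $DriveLetter -Size $targetBytes
    # The freed space now sits at the end of the virtual disk, which is what
    # Resize-VHD -ToMinimumSize reclaims in stage 2.
}

# ---- Stage 2 (on the Hyper-V host): shrink the VHDX file itself ----
$VMName  = 'LabVM'                          # placeholder
$VhdPath = 'D:\VMs\LabVM\Disk1.vhdx'        # placeholder; must be VHDX (VHD cannot be shrunk)

# Resize-VHD needs the disk offline, so the VM must be off first.
if ((Get-VM -Name $VMName).State -ne 'Off') {
    Stop-VM -Name $VMName
}

$before = (Get-VHD -Path $VhdPath).Size
Resize-VHD -Path $VhdPath -ToMinimumSize    # smallest size the partition layout allows
$after  = (Get-VHD -Path $VhdPath).Size
'{0}: {1:N1} GB -> {2:N1} GB' -f $VhdPath, ($before / 1GB), ($after / 1GB)
```

Get-VHD's Size property is the virtual (maximum) size that -ToMinimumSize reduces; for a dynamically expanding disk the on-disk FileSize only drops after the VHDX is compacted (Optimize-VHD). Take a checkpoint or a file copy of the VHDX before stage 2, since a shrink that cuts into an allocated region is not recoverable.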

GOT TIPS you'd like to share with other readers? Email us at [email protected]

Recommended for Learning

This week we have a couple of Mobile Device Management titles you might want to check out:

Citrix XenMobile Mobile Device Management

Mobile device management 35 Success Secrets - 35 Most Asked Questions On Mobile device management - What You Need To Know

Microsoft Virtual Academy

A quick announcement from the Microsoft Virtual Academy:

May 8: Defense in Depth: Windows 8.1 Security

Bring your questions to "Defense in Depth: Windows 8.1 Security," a live, online session on May 8 highlighting tips and tricks for protecting your data in the real world. See how Windows 8.1 addresses security as a whole system, one layer at a time. Explore methods of developing a secure baseline and how to harden your Windows Enterprise architectures from pass-the-hash and other advanced attacks. Don't miss this lively and informative look at how to stop hackers and malware engineers. Register here:

Quote of the Week

"If you are small and wish to take on the big, the first step you need to plan before you wage your challenge is your path of escape." -- Chin-Ning Chu

Note to subscribers: If for some reason you don’t receive your weekly issue of this newsletter, please notify us at [email protected] and we’ll try to troubleshoot things from our end.


Admin Toolbox

Admin Tools We Think You Shouldn't Be Without

Do you know which users have access to sensitive files or directories? Using Permissions Analyzer, you’ll be able to easily see what permissions a user or group of users has for an object and why.

This mini wireless keyboard with touchpad from FAVI also has a built-in laser pointer:

Exchange PST Capture lets you search your environment for PST files so you can import them into mailboxes hosted on Exchange Server 2010 and 2013 or Exchange Online:

Events Calendar

Americas

TechEd North America on May 12-15, 2014 in Houston, Texas

Microsoft Worldwide Partner Conference (WPC 2014) in July, 2014 in Washington, D.C.

Microsoft SQL Server PASS Summit 2014 on November 4-7, 2014 in Seattle, Washington

Europe

TechEd Europe on October 27-31, 2014 in Barcelona, Spain

Asia Pacific

TechEd New Zealand on September 9-12, 2014 in Auckland, New Zealand

Add your event

PLANNING A CONFERENCE OR OTHER EVENT you'd like to tell our 95,000 subscribers about? Contact [email protected]


Webcast Calendar

Register for Webcasts

Add your Webcast

PLANNING A WEBCAST you'd like to tell our subscribers about? Contact [email protected]


Tech Briefing

Mobile device management

Step-By-Step: Utilizing Windows Intune and SCCM to Manage Android Devices (CanITPro)

Windows Server 2012 R2 and BYOD (Part 1) (WindowsNetworking.com)


Enterprise IT

Clustered Storage Spaces on Dell JBODs Introduction (Flo's Datacenter Report)

Reset a user password with PowerShell (4sysops)


System Center

New Enhancements to Windows Intune (Server & Cloud Blog)

Cmdlet Reference Download for System Center 2012 (Microsoft Download Center)


Windows Azure

Active Directory From On-Premises To The Cloud – Windows Azure AD Whitepaper (Jorge's Quest for Knowledge)

Windows Azure Virtual Machine Readiness Assessment (Microsoft Download Center)

Windows Server News

Cloud Storage system decisions shouldn't hinge on cost

There are many considerations to take into account when deciding on your next cloud storage system. Having a thorough understanding of primary key features, such as reliability, accessibility, and size limitations, will direct you towards the right choice for your enterprise. With the help of this exclusive article, avoid expensive cloud storage blunders.

Easy fixes for three remote connectivity problems

It is common for mobile workers to run into connectivity problems. Fortunately, there are three simple fixes you can start applying today to avoid potential pitfalls. Find out why remote connectivity problems happen and what you can do to fix -- and even prevent -- them in this special report.

The how and why of live cloning a VM in Hyper-V 2012 R2

An underutilized, but extremely valuable, feature in Windows Server 2012 R2 Hyper-V is its live cloning capability. In this in-depth article, learn why you should start paying attention to this new and improved virtual machine cloning feature and realize how you can start proactively using it today.

Knowing your infrastructure helps deliver premium VM performance

Understanding how various virtual machine (VM) resources impact a VM's size will ensure considerably greater application performance. However, it is crucial to look at relationships between groups of VMs sharing resources rather than studying them within a single VM. Learn more in this special report.

WServerNews FAVE Links

This Week's Links We Like. Tips, Hints And Fun Stuff

GOT FUN VIDEOS or other fun links to suggest you'd like to recommend? Email us at [email protected]


Darcy Oake's Jaw-Dropping Dove Illusions - Britain's Got Talent 20

Not only can illusionist Darcy make doves appear out of nowhere, he also has an even bigger trick up his sleeve.

Cat Fishing For A Cat

A cat is using a fishing pole with bait attached to lure in the other cat.

Erix - Magic Juke Box

Erix with his 'Magic Juke Box' at the French television show 'The World's Greatest Cabaret' hosted by Patrick Sebastien.

Terra Incognita Duo - Ukraine's Got Talent

The duo 'Terra Incognita' receives a standing ovation for their beautiful and expressive acrobatic dance performance at 'Ukraine's Got Talent.'


WServerNews - Product of the Week

Identify Misconfigured Permissions in Active Directory for Free

The SolarWinds® Permissions Analyzer for Active Directory™ makes it easy to get a complete hierarchical view of the effective permissions & access rights for a specific file folder or share drive all from one dashboard on your desktop. With this free tool you get complete visibility into the effective permissions & access rights for a specific file folder (NTFS) or share drive. Easily see which permissions a user has for an object and why (group membership or direct permissions). Browse permissions by group or individual user, and analyze user permissions based on group membership combined with specific permissions. Permissions Analyzer is quick to deploy and easy to use.

Download the Free Permissions Analyzer Tool Today.


WServerNews - Editors

Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit from Microsoft Press and has published hundreds of articles for IT pros. Mitch is also a seven-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com

Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid is also Head of Research for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.