Deployment of Microsoft Intune – Part 1


The goal of this series is to implement and configure Microsoft Intune as an MDM (Mobile Device Management) solution for mobile devices (Android, iOS and Windows Phone) and PCs.

In order to configure and use Microsoft Intune (or other Microsoft Cloud services like Office 365), you first need to synchronize your on-premises Active Directory with Azure Active Directory. To accomplish this, you have to create a Microsoft Intune account (a trial in our case) directly on this web page.
You have to choose a domain name, which must be unique, and a domain account linked to this new Azure AD domain.

Once connected to your account portal, you need to add the public domain name that will be used as the UPN suffix.

Once your public domain is verified in the Microsoft Intune console, you have to add the UPN suffix in your local Active Directory. To do this, connect to a domain controller, open the Active Directory Domains and Trusts MMC, right-click its root node and choose Properties.

Once the UPN suffix is added, you need to change the user logon name of your users. You can do this manually, but personally I prefer to use a little tool called ADModify, which makes that change much easier.
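As an added example (not part of the original post, and not ADModify), the following PowerShell performs the same two steps with the RSAT ActiveDirectory module: it registers the public UPN suffix at forest level and then rewrites the UPN of only the users that will be synchronized. The suffix `contoso.example` and the group `Intune-Users` are placeholders for your own values.

```powershell
# Added example: register a public UPN suffix and switch the logon name of
# the users that will be synchronized to Azure AD. Requires the RSAT
# ActiveDirectory module; Set-ADForest needs Enterprise Admin rights.
# 'contoso.example' and 'Intune-Users' are placeholders, not values from the post.
Import-Module ActiveDirectory

$PublicSuffix = 'contoso.example'   # the public domain verified in the Intune portal
$ScopeGroup   = 'Intune-Users'      # only members of this group will be synchronized

# Step 1: add the UPN suffix at forest level (what the MMC Properties dialog does)
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $PublicSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $PublicSuffix }
    Write-Host "Added UPN suffix $PublicSuffix to forest $($forest.Name)"
}

# Step 2: rewrite userPrincipalName for the scoped users only. The local part
# (sAMAccountName) is kept and only the suffix changes, so the routable UPN
# in Azure AD matches the on-premises one after synchronization.
$members = Get-ADGroupMember -Identity $ScopeGroup -Recursive |
           Where-Object objectClass -eq 'user'

$changed = 0
foreach ($m in $members) {
    $user   = Get-ADUser -Identity $m.distinguishedName -Properties UserPrincipalName
    $newUpn = '{0}@{1}' -f $user.SamAccountName, $PublicSuffix
    if ($user.UserPrincipalName -eq $newUpn) { continue }

    # Refuse to create a duplicate UPN: the sync engine would otherwise report
    # an export error and the user would not appear in the tenant.
    if (Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'") {
        Write-Warning "Skipping $($user.SamAccountName): $newUpn is already in use"
        continue
    }
    Set-ADUser -Identity $user -UserPrincipalName $newUpn
    $changed++
}
Write-Host "$changed UPN(s) updated; check the result in Synchronization Service Manager after the next sync cycle."
```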

Now your local and cloud environments are ready to be synchronized. To accomplish this, you have to download Microsoft Azure Active Directory Connect (download here). If you need more information about Azure AD Connect, you can refer to my previous article. The configuration of the AAD Connect tool, the creation of our Intune trial account and the synchronization are covered in this first part.

You need to install the synchronization tool on a Windows Server on your LAN with Internet connectivity (avoid installing it on a domain controller).

This will be a fresh installation of the tool, but if you already have DirSync installed you can use the same tool to upgrade it. You have the choice between express settings (automatic creation of the service account, groups, database, etc.) and customizing the required components.

In our case, we will not use express settings, so that we can customize some components such as the service account used to synchronize your on-premises AD with Microsoft Azure AD. The service account must be an Enterprise Administrator account in your local Active Directory.

Then, depending on your needs, you have to choose the user sign-in method. In our case, we prefer Password Synchronization. If you need more details about this part, you can refer to my previous article.

This window lets you synchronize your local Active Directory forest(s) to a single Azure Active Directory tenant.

If you synchronize several forests, the same user may exist in more than one of them. This screen lets you create a rule to identify such duplicates and merge them under a single object, in order to avoid duplicate records in Azure Active Directory.

Here you can choose to synchronize only a group of users. As we use this tool in a lab environment, I will specify that only my future Intune users should be synchronized.

Finally, we can choose to enable optional features. Some of the features are grayed out because they need prerequisites or additional configuration. For the moment, we will only activate the Password Writeback feature, which synchronizes user passwords in both directions.

Make sure to export the keys used to encrypt data in Azure AD Sync to a file and keep a backup of it.

Finally, you can check that synchronization is occurring through the Synchronization Service Manager.

Back in your account portal, you can see the users/groups that have been synchronized (indicated by a logo) and when the last synchronization occurred.

In part 2, we will see how to configure Intune to enroll, customize and secure Windows Phone 8.1 devices.
