Administrator Checklist: Configuring Configuration Manager to Manage Mobile Devices by Using Microsoft Intune

 

Updated: February 8, 2017

Applies To: System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

Note

The information in this topic applies to System Center 2012 Configuration Manager SP1 or later, and System Center 2012 R2 Configuration Manager or later.

Use the following checklist to help you configure Configuration Manager SP1 to manage mobile devices by using the Microsoft Intune service.

For additional information about these steps, see Manage Mobile Devices with Configuration Manager and Microsoft Intune.

Step

More information

Sign up for a Microsoft Intune account

Sign up for an account at Microsoft Intune.

For more information, see Task 1: Subscribe to Microsoft Intune in the documentation library for Intune.

Make sure that you have a publicly registered domain name

All user accounts must have a publicly registered UPN that can be verified by Microsoft Intune. GoDaddy or Symantec are typical examples of companies that provide domain names.

Verify that users have a public domain UPN

Before synchronizing the Active Directory user account, you must verify that user accounts have a public domain UPN. For more information, see Add User Principal Name Suffixes in the Active Directory documentation library.

You can create a Configuration Manager custom report to verify that the UPN of the users who are discovered is consistent with the Intune Account Portal by using the following SQL query:

SELECT UserPrincipalName, 
COUNT(*) AS NumOfOccurances FROM (SELECT RIGHT(User_Principal_Name0, 
LEN(User_Principal_Name0)-PATINDEX('%@%', 
User_Principal_Name0)) AS UserPrincipalName FROM CM_EC1.dbo.v_R_User) 
AS sub GROUP BY UserPrincipalName

Optional, but strongly recommended: Deploy and configure Active Directory Federated Services (AD FS)

When you set up single sign-on, your users can sign in with their corporate credentials to access the services in Intune.

For more information, see the following topics:

Deploy and configure directory synchronization

Directory synchronization lets you populate Intune with synchronized user accounts. The synchronized user accounts and security groups are added to Intune. For more information, see Configure directory synchronization in the Active Directory documentation library.

Optional, not recommended: If you are not using AD FS, reset users’ Microsoft Online passwords

If you are not using AD FS, you must set a Microsoft Online password for each user.

Create a DNS alias

Create a DNS alias (CNAME record type). You have to configure a CNAME in DNS that redirects EnterpriseEnrollment.<company domain name>.com to enterpriseenrollment-s.manage.microsoft.com. For example, if Melissa's email address is Meliss@contoso.com, you have to create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to enterpriseenrollment-s.manage.microsoft.com.

The CNAME record is used as part of the enrollment process.

Obtain the required certificates or keys for mobile device platforms

For Windows RT devices:

For Windows Phone 8 devices:

For iOS devices:

Create the Microsoft Intune subscription

To create the Microsoft Intune subscription

Add the Microsoft Intune connector site system role

To configure the Microsoft Intune Connector role

Verify that Configuration Manager is successfully connecting to the Microsoft Intune service

  • Check the Cloudusersync.log to verify that user accounts are successfully synchronized.

  • Check the Sitecomp.log to verify that the Microsoft Intune connector was created successfully.