A few days ago we were working on extending our hybrid demo environment. We made some changes required to demonstrate conditional access with Exchange Online. Details on how we set things up will follow shortly in another post.
Once the basics were in place we implemented a policy that would block a user from accessing their mailbox when using an unmanaged device.
The policy was properly deployed to a collection which included my demo user; however, I noticed my demo user could still sync his mail on an iPhone 5 which was not enrolled. Even after an hour or two this condition remained unchanged, so something was wrong.
Initial investigation did not show anything out of the ordinary in the Configuration Manager console. However, in the Intune console I noticed an entry in the Alerts node:
Saving of Access Rules to Exchange has failed
Microsoft Intune was unable to set the requested mobile device access rules or related settings in Exchange due to the following error: A2CE0100
Unfortunately the “View Troubleshooting Information” link is broken. So is the one on the top right in the console and the right-click one. As such it was hard to find any further details on this specific error.
I made a few attempts to get things working, including the following:
– Modifying the compliance policy (increasing the revision number)
– Removing and adding the user from and to the target collection
– Removing and recreating the deployment of the compliance policy
I can confirm none of the above resolved the issue. The policy still did not get applied.
In the end, to get things working again, I had to delete the compliance policy, recreate it from scratch, and deploy it again.
When synching mail on the iPhone 5 a few minutes later, the policy kicked in.
Although the problem was solved and we now have a working demo scenario, in the end I have no idea what went wrong initially and how I could have troubleshot this in a more optimized way. Whatever it was, it does not seem to resolve itself. Also, the repeat count of the alert not increasing indicates the system itself does not do any retries.
I definitely see a few areas for improvement here:
- Fixing the link to the troubleshooting information so the admin can troubleshoot properly and in the most optimized way.
- Exposing Intune alerts to the Configuration Manager Console so the admin does not have to look in multiple locations.
- Having the system retry the action “Saving of Access Rules” at least a few times. In case the alert repeat counter increases the admin can further look into a blocking issue. Otherwise there may have just been a glitch and the issue would have resolved itself.
If you are ever facing the same issue, I hope this article will save you some troubleshooting time!
Last week I was at the Midwest Management Summit (MMS) in Minneapolis, a three-day conference organized by the Minnesota System Center User Group.
At this event I had the pleasure to deliver two sessions for which I again teamed up with my friend and ECM MVP Kenny Buntinx. Based on the feedback received on our sessions so far, we did well again at evangelizing Unified Device Management (UDM) with Configuration Manager and Intune.
Having a lot of time for Q&A made these sessions very interactive and allowed attendees to (hopefully) ask all their questions. If you did attend and have further feedback, questions, or comments please make sure to send them to Kenny and/or myself.
Next to speaking I also had the opportunity to attend some really nice sessions. As my focus is on Enterprise Client Management I was really pleased to see so many sessions on ECM topics on the schedule. Building a schedule for the conference was quite challenging.
Having these sessions delivered by community experts is a big plus as you have the chance to pick up a lot of experience (and potential pitfalls) from the field. One really nice example of this would be the session on Pull DP’s with Todd Hemsell. Also the sponsor sessions were a great fit: I attended those from 1E and Secunia and really enjoyed the technical level of these sessions. No marketing fluff.
Another highlight for me was the talk on getting MMS right at home where the user group leads could share experiences. Next to that the event also brought back some of the best ingredients from the ‘old MMS’, for example the ConfigMgr State of the Union and the Jeopardy Quiz.
Overall this has been a really great event – except for the outside temperatures there are really no negatives I could think of.
Although still to be confirmed I sincerely hope there will be a 2015 edition of this event! I for sure would love to attend!
Tip: looking for session content and want to grab it all in one shot? Check out this script to download the files.
Until next time!
To be able to demonstrate Unified Device Management scenarios we recently added some new mobile devices to our demo environment. Amongst these devices are also iPads and iPhones which we had to enroll. The integration between Windows Intune and System Center 2012 R2 Configuration Manager was done earlier on.
Over-the-air enrollment of iOS devices is a rather straightforward process. In this blog post we will outline the step by step procedure to enroll an iPhone.
Time to fire up our iPhone 3GS and get started:
First you need to get the Windows Intune Company Portal app from the App Store. Be aware that this app can only be installed on devices that are running iOS 6 or a later version.
As soon as the Company Portal app is opened you will have to provide your user credentials and tap Sign In. We have ADFS implemented in our demo environment so we provide our AD credentials.
So far so good – but at this point our device is not enrolled yet. The notification icon in the top right corner, and the blue ‘i’ icon on the device name indicate there are still further actions to be taken. Tap the icon at the top or the device name at the bottom.
Tap Add this device.
Tap Add in the top right corner.
The device is being enrolled. This may take a minute.
Tap the install button to install the management profile.
A notification is displayed. Confirm by tapping Install Now.
Tap Install in the top right corner.
Profile installed successfully. Tap Done in the top right corner.
And that is all there is to it!
The device then also becomes visible in the ConfigMgr console. Our ConfigMgr administrators are now able to manage this device.
If you encounter any problems during the enrollment process you can shake the iOS device to get a diagnostics screen. Make sure the Company Portal app is running when you start shaking.
A diagnostics dialog box is shown where you can open up the log file for further analysis or email it.
Removing the profile
The management profile can be removed afterwards as well. This is the out-of-the-box behavior. We can block the user from doing this but that is a subject for a future blog post.
To remove the management profile go to Settings > General > Profile – Management Profile.
I hope you found this information helpful.
Until next time!
In a few weeks I will be heading to Las Vegas for IT/Dev Connections. This conference is taking place at the Aria Resort from September 15th to the 19th.
With MMS being discontinued, this is an event I have been really looking forward to for the past few months. Next to being a first time attendee I am also honored to be able to deliver 2 sessions in the Windows track.
The Windows track has a great line-up of speakers and sessions, and the keynote for this track will be presented by Brad Anderson, Corporate VP at Microsoft (blog).
These are the session titles and abstracts of the sessions that I will be delivering:
Session 1 : System Center 2012 R2 Configuration Manager and Intune: Setup and deployment Notes from the field, with a focus on Single Sign on.
This session dives into what you’ll do at the server level to drive System Center 2012 R2 Configuration Manager and Windows Intune integration for mobile device management.
The session includes real-life experience from the field to set up a subscription, connectors, certificates, Active Directory Federation Services (AD FS 2.0/2.1/3.0), DirSync, and workplace join scenarios among all possible server configurations that enable mobile device management.
Learn best practices for setting up AD FS from the field for user authentication and Single Sign-On; prepare for the challenges if you invested in previous AD FS 2.0/2.1 and want to take advantage of AD …
Session 2 : Managing your hybrid Mobile cloud workforce demystified with System Center Configuration Manager 2012 R2.
Do you need to manage Windows 8.1/RT, including non-Microsoft mobile devices, with Microsoft’s UDM solution (Configuration Manager 2012 R2 plus Intune)? Do you need to provide functionality for deploying the new Intune extensions (such as email profiles), managing your MDM settings, configuring VPN and wireless profiles, and deploying certificates?
Compliance settings, company resource access, and Intune extensions delivered in Configuration Manager are mostly unexplored territory for the Configuration Manager administrator. In this session we’ll use numerous demos to demystify these features. …
Note that Kenny and I will not be the only Belgians presenting at the conference. Also in the Windows track there will be 2 sessions from our fellow SCUG member Dieter Wijckmans and a session from Michael Van Horenbeeck. Together we will show some serious Belgian Community Power!
Interested? Registrations for the event are still open. Click here for details.
Hope to see you there!
Time for my weekly wrap-up of stuff to catch up with:
- Very helpful blog post from the Microsoft PFE team on how to use the same external ethernet adapter for deploying multiple devices with ConfigMgr OSD.
- Garth at Enhansoft explains in detail how to enable workstation logon audit policy in order to collect top console user details with Configuration Manager.
- On the System Center ConfigMgr team blog you can learn how to collect IMEI from devices enrolled in Windows Intune with System Center 2012 R2 Configuration Manager. IMEI is short for International Mobile Equipment Identity, which is a unique identifier for mobile devices.
- Released: KB2905359 – Installation of the Configuration Manager client agent fails with error code 80041002.
See you next week!