Preview only show first 10 pages with watermark. For full document please download

Build Your Own Enterprise Mobility Lab Step-by

Rating
Date

November 2018
Size

3.2MB
Views

2,567
Categories

Computers & electronics Software Antivirus security software

Transcript

Enterprise Mobility Lab Guide Build Your Own Enterprise Mobility Lab Step-by-Step Guide Date: June 26, 2015 Version: 1.5 Revision and signoff sheet Change record Date Author Version 5-Oct-2014 0.1 12-Nov-2014 0.4 Change reference Initial draft Infrastructure setup & Phone scenario Added chapter 12 - NDES Support (still requires December update!) Added additional Phone scenarios. 13-Nov-2014 0.5 17-Nov-2014 0.6 Updated formatting Added Integrating SaaS Applications and Self-Service chapters Updated NDES Section (Add external NDES Address). Validated NDES is working. Updated formatting 24-Nov-2014 0.7 Rewrote Chapter 2 - Pre-requisites Added chapter 14 Android. Jan-2014 0.8 Jan-2014 0.9 Added content for Intune Only Setup Added content for iOS Scenario Updated Introduction for Intune Only Setup Included several updates Feb-2015 1.0 Included various updates based on training delivery. Added SharePoint VM with Claims Based access scenario Added custom VPN scenario’s Prepared document for release Feb-2015 1.1 Included various updates based on training delivery. Mar-2015 1.2 Updated format of the guide Mar-2015 1.3 Added some Intune Only sections Jun-2015 1.4 Update installation of SP1 for CM2012R2 Jun-2015 1.5 Changed/Fixed enterpriseregistration registration in DC1 DNS and public DNS. Also removed Hover step by step. Reviewers Date Author Version Change reference Page ii Date Author Version Change reference Page iii Contents 1 Introduction ................................................................................................................................................................. 1 1.1 Lab objectives ....................................................................................................................................................................... 1 1.2 Lab activity flow ................................................................................................................................................................... 2 1.3 Design decisions for lab setup ....................................................................................................................................... 2 1.3.1 Build Lab Servers On Premise or in Azure IaaS ......................................................................................... 2 1.3.2 Microsoft Intune Only or Hybrid Setup ........................................................................................................ 4 1.3.3 Microsoft Azure IaaS Lab Setup ...................................................................................................................... 6 1.3.4 Credentials ............................................................................................................................................................... 7 1.4 Use of Document ................................................................................................................................................................. 8 1.5 References and Credits ..................................................................................................................................................... 8 1.6 Support and Questions about the Lab ....................................................................................................................... 9 1.7 Support for Windows 10 .................................................................................................................................................. 9 2 Pre-Requisites (Certs, Subscriptions, and Domain) ......................................................................................... 10 2.1 Obtain a Public Domain Name ................................................................................................................................... 10 2.2 Request SSL Public (Wildcard) Certificate(s) .......................................................................................................... 11 2.3 Re-use or Create a Microsoft Azure Subscription ............................................................................................... 12 2.4 Create and Setup an ‘Azure AD’ ................................................................................................................................. 13 2.5 Setup Intune Trial Tenant .............................................................................................................................................. 15 2.6 Setup Office 365 Trial Tenant ...................................................................................................................................... 16 3 Preparing Windows Azure for IaaS ...................................................................................................................... 18 3.1 Create a Cloud Service ................................................................................................................................................... 18 3.2 Create a Storage Account ............................................................................................................................................. 18 3.3 Create a Virtual Network ............................................................................................................................................... 19 4 DC1: Setup and Configure AD, DNS, CA and ADFS .......................................................................................... 21 4.1 DC1: VM - Create the Virtual Machine..................................................................................................................... 21 4.2 DC1: VM – Install Azure PowerShell and Configure a Static IP ...................................................................... 22 4.3 DC1: AD - Configure Active Directory Domain Services ................................................................................... 23 4.4 DC1: DNS - Configure DC1 as DNS for Virtual Network .................................................................................. 24 4.5 DC1: DNS - Configure DC1 with DNS Forwarders .............................................................................................. 25 4.6 DC1: DNS - Configure an Alternate User Principal Name Suffix ................................................................... 25 4.7 DC1: DNS - Configure DNS for Federation Service, DRS and Enrollment ................................................. 26 4.8 DC1: AD - Create Organizational Unit Hierarchy ................................................................................................. 29 4.9 DC1: AD - Create Users and Groups ......................................................................................................................... 29 Page iv 4.10 DC1: CA - Install and Configure Active Directory Certificate Services ....................................................... 30 4.11 DC1: ADFS – Install the Public SSL Wild Card Certificate for ADFS ............................................................ 32 4.12 DC1: ADFS – Install and Configure Active Directory Federation Services ................................................ 33 4.13 DC1: ADFS – Install Windows PowerShell for single sign-on with AD FS ................................................ 35 4.14 DC1: ADFS – Workaround for DC1 Hanging on Boot. ..................................................................................... 36 5 WAP1: Setup Web Application Proxy ................................................................................................................. 38 5.1 WAP1: Create the Virtual Machine ............................................................................................................................ 38 5.2 WAP1: VM – Configure and Join WAP1 to the CORP domain. ...................................................................... 39 5.3 WAP1: VM – Install Azure PowerShell and Configure a Static IP .................................................................. 40 5.4 WAP1: Export the Public SSL Wild Card Certificate from DC1 ....................................................................... 41 5.5 WAP1: Import the SSL Wild Card Certificate to WAP1 ...................................................................................... 41 5.6 WAP1: Configure the Azure Endpoint and Public Domain .............................................................................. 42 5.7 WAP1: Install and Configure Web Application Proxy ........................................................................................ 43 5.8 WAP1: Troubleshooting ................................................................................................................................................. 44 6 Setup and Configure AADSync ............................................................................................................................ 45 6.1 Add a Registered Domain to your Tenant.............................................................................................................. 45 6.2 Install and Configure Microsoft Azure Active Directory Sync Services ....................................................... 47 6.3 Explore the AAD Sync Services Tool and Perform Initial Synchronization ................................................ 49 7 Setup AAD Premium and Office 365 .................................................................................................................. 52 7.1 Assign AAD Premium Licenses .................................................................................................................................... 52 7.2 Create Test Groups in Azure AD ................................................................................................................................. 54 7.3 Assign Office 365 Licenses ............................................................................................................................................ 56 7.4 Configure DNS for Office 365 ..................................................................................................................................... 57 8 Enable Multi-Factor Authentication .................................................................................................................... 60 9 Integrate SaaS Applications .................................................................................................................................. 64 9.1 Integrate with Twitter through Password SSO ..................................................................................................... 64 9.2 Integrate with Google Apps through Federation SSO ...................................................................................... 66 10 Using Self –Service Features (Azure AD Premium) ......................................................................................... 67 10.1 Self-Service Password Reset ....................................................................................................................................... 67 10.2 Self-Service Group Management ............................................................................................................................. 69 10.3 Group Approval Workflow .......................................................................................................................................... 70 10.4 Azure Reports ................................................................................................................................................................... 72 11 Protecting Data With Azure RMS ........................................................................................................................ 75 11.1 Configure Azure RMS .................................................................................................................................................... 75 11.2 Creating and Consuming Protected Content ...................................................................................................... 77 Page v 11.3 Protecting Data in Motion With Exchange IRM.................................................................................................. 80 12 SP1: Claims-Based Access & Resource Publication.......................................................................................... 84 12.1 SP1: Manually Create a SharePoint Virtual Machine ........................................................................................ 84 12.2 DC1: Configure DNS ...................................................................................................................................................... 85 12.3 DC1: Configure ADFS .................................................................................................................................................... 85 12.4 WAP1: Configure WAP.................................................................................................................................................. 88 12.5 SP1: Install SQL Server Express .................................................................................................................................. 89 12.6 SP1: SharePoint Farm Initial Configuration .......................................................................................................... 89 12.7 SP1: Configure Claims Provider in SharePoint .................................................................................................... 91 13 CM1: Configure MDM with Hybrid Setup (CM+Intune) ................................................................................ 95 13.1 CM1: Create the Virtual Machine ............................................................................................................................. 95 13.2 CM1: VM – Configure and Join CM1 to the CORP domain. .......................................................................... 96 13.3 CM1: VM – Install Azure PowerShell and Configure a Static IP .................................................................... 96 13.4 CM1: Install and Configure SCCM ............................................................................................................................ 97 13.5 CM1: Install and Configure CM2012 R2 SP1 ...................................................................................................... 106 13.6 CM1: Connect to Microsoft Intune Subscription in Configuration Manager ........................................ 107 13.7 CM1: Enable the Firewall for port 1433 and 4022 ........................................................................................... 110 13.8 CM1: Minimize SQL Resource Usage .................................................................................................................... 110 14 Intune: Configure MDM with Intune Only ....................................................................................................... 112 14.1 Intune: Enable base device management for Intune Standalone .............................................................. 112 15 Setup SCEP – NDES1 ............................................................................................................................................... 116 15.1 NDES1: Create the Virtual Machine ....................................................................................................................... 116 15.2 NDES1: VM – Configure and Join NDES1 to the CORP domain. ............................................................... 117 15.3 NDES1: VM – Install Azure PowerShell and Configure a Static IP ............................................................. 117 15.4 DC1: AD – Create the NDES Service Account and SPN ................................................................................. 118 15.5 DC1: Create and Publish the Certificate Templates for NDES ..................................................................... 119 15.6 NDES1: Install and Configure NDES ...................................................................................................................... 122 15.7 DC1: Add External NDES address to Internal Split Brain DNS zone and External DNS zone. ........ 127 15.8 CM1: Configure Certificate Registration Point .................................................................................................. 128 15.9 NDES1: Install Policy Module ................................................................................................................................... 131 15.10 NDES1: Configure NDES Connector ............................................................................................................. 133 15.11 WAP1: Publish NDES1 on WAP1 .................................................................................................................... 135 15.12 Troubleshooting (Optional) ............................................................................................................................. 137 16 Setup SSTP and L2TP VPN - VPN1 ...................................................................................................................... 141 16.1 VPN1: Create the Virtual Machine ......................................................................................................................... 141 Page vi 16.2 VPN1: VM – Configure and Join VPN1 to the CORP domain...................................................................... 144 16.3 VPN1: VM – Install Azure PowerShell ................................................................................................................... 145 16.4 VPN1: Import the SSL Wild Card Certificate to VPN1 .................................................................................... 146 16.5 VPN1: Configure the Firewall for VPN1 ............................................................................................................... 146 16.6 VPN1: Install and Configure SSTP and L2TP VPN ............................................................................................ 148 16.7 DC1: DNS – Add External VPN address to internal Split Brain DNS zone and External DNS zone. 151 16.8 DC1: Provide Users access to VPN ......................................................................................................................... 153 17 Managing Windows Phone 8.1 ........................................................................................................................... 155 17.1 Intune: Configure Intune for Windows Phone .................................................................................................. 155 17.2 CM1: Configure Configuration Manager/Intune for Windows Phone 8.1 ............................................. 156 17.3 Hyper-V: WP8.1 – Enrollment .................................................................................................................................. 162 17.4 CM1: WP8.1 – Adding the IMEI, Device Name and Phone Number to the Inventory ...................... 164 17.5 Intune: WP8.1 – Configuring Policy Settings and Policies based on OMA-URI ................................... 166 17.6 CM1: WP8.1 – Configuring Policy Settings and Policies based on OMA-URI ...................................... 168 17.7 Intune: WP8.1 – Configuring Allow and Deny Lists ......................................................................................... 170 17.8 CM1: WP8.1 – Configuring Allow and Deny Lists ............................................................................................ 171 17.9 Intune: WP8.1 – CM1: WP8.1 - Configure Trusted Root and Certificate Deployment ...................... 174 17.10 CM1: WP8.1 - Configure Trusted Root and Certificate Deployment ............................................... 177 17.11 Intune: WP8.1 - Configure Mail Profile ........................................................................................................ 179 17.12 CM1: WP8.1 - Configure Mail Profile ........................................................................................................... 180 17.13 Intune: WP8.1 – Configure a Custom VPN Profile .................................................................................. 181 17.14 CM1: WP8.1 - Configure Custom VPN Profile .......................................................................................... 184 17.15 Intune: WP8.1 – WP8.1 - Configure WiFi Profile ...................................................................................... 186 17.16 CM1: WP8.1 - Configure WiFi Profile ........................................................................................................... 187 17.17 Intune: WP8.1 – Configuring S/MIME .......................................................................................................... 187 17.18 CM1: WP8.1 – Configuring S/MIME .............................................................................................................. 187 17.19 Device Retirement / Wipe ................................................................................................................................ 187 18 Enterprise Mobility for Android ......................................................................................................................... 188 18.1 Setup Google Play Account ...................................................................................................................................... 188 18.2 Intune: Configure Intune for Android ................................................................................................................... 188 18.3 CM1: Configure Configuration Manager/Intune for Android ..................................................................... 189 18.4 Hyper-V: Android - Create an Android Virtual Machine ............................................................................... 190 18.5 Android: Enrollment and Company Portal .......................................................................................................... 193 18.6 Intune: Android - Configure Policies ..................................................................................................................... 195 Page vii 18.7 CM1: Android – Configuring Policies .................................................................................................................... 195 18.8 Intune: Android - Configure Trusted Root and Certificate Deployment ................................................ 197 18.9 CM1: Android - Configure Trusted Root and Certificate Deployment .................................................... 201 18.10 KNOX Configuration ........................................................................................................................................... 203 19 Enterprise Mobility for iOS .................................................................................................................................. 205 19.1 Prepare to Manage iOS .............................................................................................................................................. 205 19.2 Configure CM/Intune .................................................................................................................................................. 206 19.3 Enrollment ....................................................................................................................................................................... 206 19.4 Intune: iOS - Configure Policies .............................................................................................................................. 206 19.5 CM1: iOS – Configuring Policies ............................................................................................................................. 206 20 Enterprise Mobility for Windows 10 .................................................................................................................. 209 21 Appendix .................................................................................................................................................................. 210 21.1 PowerShell: Reserve a Public VIP Address for Cloud Service ...................................................................... 210 21.2 PowerShell: Stop or Start all Virtual Machines .................................................................................................. 212 Page viii 1 Introduction The world is becoming mobile and organizations need to adopt to stay relevant and competitive. When you start working with solutions for mobile devices you will discover quickly that mobile solutions require new products that offer these new mobile capabilities. This new mobile infrastructure is often not present in most organizations and the knowledge and skills to install and configure these is not present either. As an IT Pro where do you start to catch up on all these new technologies? In my experience the best way to learn is getting your hands "dirty" by building it yourself and play with it. Don’t have someone come in to build it for you and/or use a scripts and automation to build it for you. It will not help you understand the technology. Build it yourself, step by step! The guide attached to the blog provides the step by step instructions on how to build your own Enterprise Mobility lab. It uses all the available Microsoft solutions without the need for a physical lab! Including, Azure IaaS, Azure AD, Intune, ADFS, Web Application Proxy, NDES, etc. It allows you to test all mobile scenarios and devices like Windows, iOS, and Android. This lab will also get you in a great shape to start validating Windows 10 mobile scenarios like Azure AD Join, Passport, etc. The step by step guidance for these Windows 10 scenarios will be added later. 1.1 Lab objectives This lab guide is created with the following objectives in mind: Build Your Own Enterprise Mobility Lab environment to test and demo all Microsoft Enterprise Mobility capabilities Use manual configuration steps to learn, experience and explore all the required Enterprise Mobility technologies. Build a lab environment that can be fully, partly in Azure without a requirement for an on premise infrastructure. Minimize the cost of building the Lab by keeping the credits consumed in Azure as low as possible. For people with an MSDN subscription there is an option to create Azure subscription with monthly credits that can be consumed and will be refreshed every month. The guide will be updated when mobility technologies are updated or new mobility technologies are added. Where possible only Microsoft solutions are used. Page 1 1.2 Lab activity flow The Build Your Own Enterprise Mobility lab a number of prerequisites and activities are required as shown below. Register a Public Domain Name a. Through a public domain register like http://www.godaddy.com or http://www.hover.com. This guide is using GoDaddy. Obtain Public SSL Wildcard Certificate (Required) a. The SSL Certificate will be based on the publicly registered domain name b. These can be obtained through organizations like DigiCert at https://www.digicert.com Setup Subscriptions (Required) a. Microsoft Azure (e.g. existing, trial or through MSDN Subscription) b. Microsoft Azure AD Premium, Microsoft Intune and Office 365 (use existing or trials) Build and configure the lab in Azure IaaS and or (partly) On Premise a. Alternatively the environment can also be (partly) built in on premise. Often this is required in environments where physical domain joined workstations are required. b. This Lab guide assumes the VMs for the Lab are built in Azure IaaS. Setup and configure mobility scenarios a. 1.3 For the different type of mobile devices Design decisions for lab setup Different design decisions need to be made before you start building the lab. This Lab guide can be used for different infrastructure scenarios. The main design decisions to be made are: Build the mobility Lab servers On Premise and/or in Azure IaaS? Build the mobility lab based on Microsoft Intune only (Intune Only) or based on Configuration Manager 2012 R2 integrated with Microsoft Intune (Hybrid)? The following paragraphs explain these design decisions, options and the rationale. 1.3.1 Build Lab Servers On Premise or in Azure IaaS A number of server roles are required to support the Enterprise Mobility lab. Some of these server roles can be combined on a single server and placed on premise or in Azure IaaS as VM’s. From a functionality and conceptual point of view there is no difference in how the mobility solution will work however there are some criteria and requirements that could influence the decision. Page 2 Note: If there is connectivity (e.g. Site-to-Site VPN) between your On-Premise lab environment and Azure IaaS you can choose where to place the servers. To connect your On-premises network to Azure via Site to Site VPN see: Connect an On-premises Network to Azure via Site to Site VPN and Extend Active Directory onto an IaaS VM DC in Azure at http://blogs.technet.com/b/askpfeplat/archive/2014/03/03/connect-an-on-premises-network-to-azure-viasite-to-site-vpn-and-extend-your-active-directory-onto-an-iaas-vm-dc-in-azure.aspx When to build the supporting servers On-Premises? When there is already a Lab/Test environment that you want to re-use. E.g. you want to use an existing on premise Active Directory and Configuration Manager 2012 R2 solution. When there is no Site-to-Site (VPN) connectivity between Azure IaaS and the On-Premise network and there is a need for using physical desktops, laptops that need to support a domain joined scenarios and/or services like PxE boot services. For example if you want to manage and test physical domain joined desktops and laptops in combination with Azure Domain Joined and MDM managed mobile devices in an integrated Microsoft Intune and Configuration Manager Environment. When to build the supporting servers in Azure IaaS? When there is no availability or possibility to build a test environment On-Premise. When there is no site-to-site (VPN) connectivity between your Azure IaaS and On-Premise network and you only need to validate and test mobile scenarios for Azure Domain Joined and MDM managed mobile device scenarios. There is no need to also manage domain joined physical devices in the same environment. Page 3 1.3.2 Microsoft Intune Only or Hybrid Setup This guide provides guidance for two different setup options for the Mobile Device Management solution. You will need to choose between a Microsoft Intune Only (Intune) setup and a Hybrid (CM+Intune) setup for the MDM solution. The decision to choose between the two options will depend on two factors: Re-use/expand of an existing Configuration Manager 2012 R2 investment. Availability of capabilities. At the time of writing of this document Intune Stand Alone and the Hybrid Intune/Config Manager solution don’t have full parity on all capabilities. If certain capabilities are absolutely required this will influence the decision. Intune Only Setup: The Intune Only setup will be configured with only Microsoft Intune for MDM and contains the servers, services and roles as shown in the picture below. Page 4 Hybrid Setup: The Hybrid setup will be configured with System Center Configuration Manager 2012 R2 integrated with Microsoft Intune for MDM and contains the servers, services and roles as shown in the picture below. The server with System Center Configuration Manager 2012 R2 (CM1) can be placed in Azure IaaS or on server’s On-Premise. Page 5 Server name Roles DC1 Active Directory Domain Controller, DNS, Directory Synchronization, Active Directory Certificate Services, Active Directory Federation Services, AADSync CM1 System Center 2012 R2 Configuration Manager ADK WAP1 Web Application Proxy NDES1 Network Device Enrollment Service to support deployment of certificates through the Simple Certificate Enrollment Protocol (SCEP) VPN1 RRAS, SSTP, L2TP SP1 SharePoint 1.3.3 Microsoft Azure IaaS Lab Setup This guide makes the assumption the Enterprise Mobility Lab is built in the Microsoft Azure IaaS. Page 6 When the full lab is built in Microsoft Azure the configuration and servers are shown as in the picture shown below. ▪ When a design decision is made to use Microsoft Intune only for the MDM component the CM1 virtual machine is not required. ▪ Except for the DC1 Virtual Machine the other Virtual machines can be build based on the capabilities required within the mobility lab. 1.3.4 Credentials The table below lists the credentials and access type available in the default datacenter implementation. User Access type User name Password Local Administrator Administrative .\LabAdmin L@b@dm1n Domain Administrator Enterprise Administrator Corp\LabAdmin L@b@dm1n Domain user User Corp\TestUser1 P@ssw0rd Domain user User Corp\TestUser2 P@ssw0rd Domain user User Corp\TestUser3 P@ssw0rd Domain user User Corp\TestUser3 P@ssw0rd Domain user User Corp\NDESUser P@ssw0rd Azure AD user User Bob P@ssw0rd Page 7 1.4 Use of Document The document assumes the entire lab is built in Microsoft Azure IaaS. When you chose to build some or all roles on premise this guide does not provide guidance for this setup. As mentioned earlier the document can be used for a setup with Microsoft Intune only or a hybrid setup with Microsoft Intune combined with System Center Configuration Manager. Most sections in this mobility guide will apply to both setups. However when a section is only applicable to one of the setups, at the start of this sections this has been made visible as shown below. Intune Only Setup If the section starts with this box it only needs to be completed if you have chosen the Intune Only setup. People that have chosen the Hybrid setup can skip this section. Hybrid Setup (CM+Intune) If the section starts with this box it only needs to be completed if you have chosen the Hybrid setup. People that have chosen the Intune Only setup can skip this section. 1.5 References and Credits The following sources have been used or are useful in combination with this guide. ▪ ▪ My Digital Work Thoughts TechNet Blog from Milad Aslaner ▪ PART 1: Building an EMS Lab in one day! http://blogs.technet.com/b/mydigitalworkthoughts/archive/2014/08/19/building-yourazure-iaas-enterprise-mobility-suite-lab.aspx ▪ PART 2: Building an EMS Lab in one day! http://blogs.technet.com/b/mydigitalworkthoughts/archive/2014/08/22/part-2-buildingan-ems-lab-in-one-day.aspx TechNet Blog: Enterprise Mobility stuff worth sharing by Pieter Wigleven Page 8 ▪ ▪ PART 2 - SCEP certificate enrolling using ConfigMgr 2012, CRP, NDES and Windows Intune http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2014/04/25/part2-scep-certificate-enrolling-using-configmgr-2012-crp-ndes-and-windows-intune.aspx ▪ Part 3 - Protecting NDES with Web Application Proxy (WAP) in the DMZ http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2014/10/21/part-3protecting-ndes-with-web-application-proxy-wap-in-the-dmz.aspx ▪ Create a VPN profile using Microsoft Intune (Standalone) via Custom OMA-URI’s http://blogs.technet.com/b/ems/archive/2015/01/30/create-a-vpn-profile-usingmicrosoft-intune-standalone-via-custom-oma-uri-s.aspx Microsoft Enterprise Mobility Suite Tips TechNet Blog from Pieter Wigleven ▪ ▪ MSInvolve Mobility training ▪ ▪ Several trainings available from https://www.msinvolve.com Creating an Android x86 Virtual Machine for testing Windows Intune and EMS capabilities by Justin Zarb ▪ 1.6 http://blogs.technet.com/b/tune_in_to_windows_intune/ http://www.theenterprisemobilityguy.com/2014/07/creating-an-android-x86-virtualmachine-for-testing-windows-intune-and-ems-capabilities-3/ Support and Questions about the Lab There is no support for the content provide in this guide. This guide is being developed by the community and for the community. Any questions and or support will need to go through your normal support channels. Therefor try to leverage existing Distribution Groups, forums and Yammer groups as much as possible to get answers to your questions. 1.7 Support for Windows 10 Although this guide provides guidance and the foundation for the infrastructure required to support Windows 10 it is very likely additional upgrades and or updates will be required to support full Windows 10 capabilities. For example Service Pack 2 will be required for Configuration Manager 2012 R2. Early versions of Windows 10 and Windows 10 for Mobile have been tested against this lab infrastructure and worked. Page 9 2 Pre-Requisites (Certs, Subscriptions, and Domain) To successfully complete all labs, you must first prepare the items below, this section leads you through this process. ▪ Obtain e a public domain name that has not been previously used with Office 365 or Azure Active Directory. ▪ Request SSL Public (Wildcard) Certificate(s) ▪ Re-use or register for an Azure subscription. ▪ Create and Setup an Azure AD ▪ Sign-up for an Office trial and Intune trial. Note: If you are planning to deploy this lab over a longer period of time you can also decide to sign-up for the Office 365 and Intune trial at a later stage when you actually require them, This will allow you to use the trial period for a longer time. 2.1 Obtain a Public Domain Name Required Time: 15 minutes You will need a public domain name which can be assigned as the user principal name (UPN) suffix for users in your AD DS forest and can also be registered with Windows Azure AD. The public domain name is also used to simplify the enrollment of devices so you can use your own domain name on the internet you can decide to register your own internet domain name. You may also use a domain name which you already own so long as it hasn’t yet been registered with any Office 365 or Windows Azure AD tenant there are many different online services to register your own domain name. One you well known one is GoDaddy. IMPORTANT: If you register a new domain with a public registrar, you are responsible for the associated cost. These cost of a registered name for a year are as little as $9. In this guide we will refer to your publicly registered domain name as . A sample of a publicly registered domain name is “Contoso.com”. The instructions below and throughout this guide uses GoDaddy.com to register a public domain name. Note 1: Before you buy a domain name you might also want to validate if the name is also not claimed in Azure. For example if you want to use the same name for the Azure AD or the Cloud Service you might want to check if these are not already claimed. Page 10 Note 2: Some samples used on the internet and TechNet are based on GoDaddy.com, but any other domain register will work. For example Office 365 admin center has integration with GoDaddy, but you will also be able to set this up manually. Task Detailed steps Complete these steps from an internet-connected Windows computer. Register a new public domain name at www.godaddy.com Open Internet Explorer and browse to http://www.godaddy.com In the search domain field, enter the domain name that you would like to use for this course and click the Search button. The domain name can be anything you like. For example, you may use something like johndoeiamhc.net. When you identify an available domain name which you would like to purchase, click the Select button to add it to your cart. On the right side of the page, click the Checkout Now button. Verify the information is correct in your shopping cart and click the Proceed to Checkout button. You will be prompted to create a new account with Godaddy or sign in with an existing account. If you already have a Godaddy account, you may sign in and use that account to complete your purchase. If not, supply the requested information and click Create Account. Make sure you take note of your username and password, as this information will be required to complete the labs for this course. Follow the remaining steps to pay for the domain. Note: Making your contact details public will ensure DigiCert is able to send you an e-mail asking you to verify ownership of your domain. You may reverse this setting after your ownership of the domain has been verified by DigiCert, if you choose. 2.2 Request SSL Public (Wildcard) Certificate(s) Required Time: 15 minutes You will need a public certificates for external access to the Web Application Service to provide access to the Active Directory Federation Services (AD FS) used for federated identity and the NDES server to provide access to the SCEP infrastructure. Note: It is required to have a Public Certificate. You cannot create your own certificates with your internal CA in the lab as the certificate will not be trusted by devices you want to enroll. Therefore the enrollment of mobile devices would not work. There are two options you can choose from to obtain a public SSL certificate: Obtain a public SSL Certificate for each Web Application service exposed to the internet. Obtain a single Wildcard Certificate you can use for all Web Application Services. Page 11 To allow a single certificate for multiple services we can request a wildcard “*” certificate. For example “*.contoso.com” will allow us to use the certificate for all other internet services offered by contoso.com like STS.contoso.com and NDES.contoso.com. You can obtain public certificates, from different certificate providers such as DigiCert. If you decide to request separate certificates, for this lab at least two SSL certificates have to be requested each with the following name in the Common Name field: STS. NDES. Two separate certificates will most likely be less expensive as purchasing one Wildcard certificate. However this will not offer the flexibility to use the certificate for other Web Application services in the future. If you decide to request a Wildcard Certificate, one SSL Wildcard Certificate has to be requested with the following name in the Common Name field: ▪ *. Important: During the remainder of the guide the assumption is made a Public SSL Wildcard Certificate from DigiCert is o. This is important as later on in the guide the DigiCert Certificate Utility is used to install the public wildcard certificate. 2.3 Re-use or Create a Microsoft Azure Subscription In this section, you will setup an Azure subscription. If you already have a Microsoft Azure subscription you can re-use this subscription. There are several ways to get an Azure Subscription: - You can re-use a subscription you already have today - With some of the MSDN subscriptions you are also entitle on monthly Microsoft Azure credits you can use. If you already have setup a Microsoft Azure subscription for this you can re-use it, otherwise you can setup one as described in your MSDN site when logged on. - You can sign up for a new Microsoft Azure subscription - You can sign up for a free trial Azure subscription As there will be many way to obtain an Azure subscription we don’t provide detailed instructions. Page 12 2.4 Create and Setup an ‘Azure AD’ In this section, you will create an Azure AD used for the later lab environment. Required Time: 5 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you still logged on to the management portal of Manage.windowsazure.com. Create Azure AD Start a new InPrivate Internet Explorer browsing session | Start Internet Explorer in the desktop | Right-click the Internet Explorer icon in the task bar | Select Start InPrivate Browsing. In the address bar of the InPrivate session, navigate to https://manage.windowsazure.com. Sign in with the email address associated with your Azure account. Click ACTIVE DIRECTORY from the navigation bar of the Windows Azure portal. Select + NEW in the bottom left. Select Directory Select CUSTOM CREATE In the Add directory window fill in the following values: a. Directory: Create new Directory b. Name: c. Domain Name: Note: Try to keep the Name and Domain name identical for ease of use. A suggestion is to use the first part of your public domain name. d. Country or Region: Select the “tick symbol” in the lower right to complete the wizard. Select the just created domain by click on it. Enable Azure AD Premium Select your newly created directory. Click Try it now in the Get Azure AD Premium section of the quick start screen. Then click the Activate Trial button at the bottom of the page. In the Activate Azure AD Premium trial click the tick symbol. Wait while the trial is setup. Create Azure AD Admin User Click Users at the top left of the page. At the bottom of the screen select ADD USER. In the USER NAME field type Admin. Click the arrow to go to next screen. In the User Profile screen use the following values: a. FIRST NAME: Admin b. DISPLAY NAME: Admin c. ROLE: Global Administrator (Global is required to be used for AAD Sync) Page 13 Task Detailed steps d. ALTERNATIVE EMAIL ADDRESS: type an alternative e-mail address. Click the arrow to go to the next screen. Click create. Set Password for your new Admin User Write down the temporary password and click the arrow button. Close all browser windows. Open Internet Explorer and go to https://manage.windowsazure.com. Login with the admin account created (admin@.onmicrosoft.com) Type in the Old password that you wrote down above Type the New Password : L@b@dm1n Confirm the new Password : L@b@dm1n Click Save and continue Close Internet Explorer Create Azure Test User Select USERS in the top of the screen. At the bottom of the screen select ADD USER. In the USER NAME field type Bob. Click the arrow to go to next screen. In the User Profile screen use the following values: a. FIRST NAME: Bob b. LAST NAME : Smith c. DISPLAY NAME: Bob Smith d. ROLE: USER Click the arrow to go to the next screen. Click create. Set Password for your new Bob User Write down the temporary password and click the arrow button. Start a new Internet Explorer window in private mode. Open Internet Explorer and go to https://login.microsoftonline.com. Login with the user account created (bob@.onmicrosoft.com) Type in the Old password that you wrote down above Type the New Password : L@b@dm1n Confirm the new Password : L@b@dm1n Click Save and continue Close Internet Explorer Page 14 2.5 Setup Intune Trial Tenant In this section, you will create an Intune trial tenant that will be used later on in the lab. This tenant will be create using the Azure AD that you created in the previous paragraph. Note: If you intend to build this lab over a longer time you might decide to perform this step at a later time to prevent losing available days on your Intune Trial period. Task Detailed steps Complete these steps from an internet-connected Windows computer. Sign up for a trial Microsoft Intune subscription Start a new Internet Explorer window in private mode. Navigate to http://www.microsoft.com/en-us/server-cloud/products/microsoft-intune/try.aspx and click the sign up link. On the sign-up page make sure you select Sign in (see below). This will allow you to use the already created Azure tenant. Sign in with the administrative organizational account that you created in the previous exercise. For example, [email protected]. Click Try Now. In the Order receipt window click Continue. The Windows Intune Account Portal appears. In the left under Management select Users and notice all your users are visible from Azure AD. Click the user Admin (created earlier) Select the Windows Intune checkbox and click Save Under Do you want this user to have Administrative permissions? Click Yes. In the drop down box for the role notice that Global Administrator is selected. In the Set User Location select the country you love the most. Select Save Your Intune Account has now been provisioned. Page 15 2.6 Setup Office 365 Trial Tenant In this section you will provision a trial Office 365 tenant using the E3 plan. Note: If you intend to build this lab over a longer time you might decide to perform this step at a later time to prevent losing available days on your Office 365 Trial period. The Office 365 subscription is not required till later in the guide. The Office 365 E3 Plan includes: ▪ 25 user licenses ▪ Microsoft Office 2013 Pro Plus ▪ Email ▪ Document storage ▪ Data Loss Prevention ▪ Mail archiving and compliance ▪ Team sites for project management Task Detailed steps Complete these steps from an internet-connected Windows computer. Create a trial Office 365 tenant Start a new Internet Explorer session in Private mode. Using a web browser, navigate to http://products.office.com/en-us/business/office-365enterprise-e3-business-software and click Free Trial. Click Sign In at the top right corner of the page. Sign in as admin@.onmicrosoft.com Note: Make sure admin@.onmicrosoft.com is the existing admin account in your Azure AD. Click Try Now to confirm your trial order. Click continue to complete the trial order. Assign Licenses In the Office 365 admin center, click and expand users. Click on Active Users Click Bob in the Display Name column Under Assigned License in the right panel, click on Edit Select the users country Select the checkbox Microsoft Office 365 E3 Plan Click Save Bob now has Office 365 licenses assigned to him. Page 16 Page 17 3 Preparing Windows Azure for IaaS This section describes how to prepare Windows Azure environment to create the different virtual machines. Why do I need a Cloud Service, Virtual Network, VIP and DIP? If you want to learn more about Cloud Service, Virtual Network, VIP and DIP have a look at: Windows Azure Infrastructure Services IP Address Management (Part 1 of 2) - See more at: http://blogs.technet.com/b/yungchou/archive/2014/03/17/windows_2d00_azure_2d00_infrastruct ure_2d00_services_2d00_ip_2d00_address_2d00_management_2d00_part_2d00_1_2d00_of_2d00_2 .aspx#sthash.BGf3imfj.dpuf. 3.1 Create a Cloud Service The Cloud service is required to create a public IP address through which our VM’s can be accessible over the internet. To ensure the “Public Virtual IP (VIP) Address” is maintained even after all Virtual Machines are turned off and de-allocated (to prevent cost) a reserved IP address can be set for the Cloud Service. This can only be done through creating the VM by PowerShell. The appendix of this guide includes a script to achieve this. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. Create Azure Cloud Service Select Cloud Service. Select “+ NEW” in the bottom left. Select “Custom Create”. Enter the “URL” of your Cloud Service. This can be any name you like that is not already claimed. Write down this name as you will need it again when creating Virtual Machines. Enter the Region or Affinity Group for your Cloud Service. Choose a location close to you. This must be the same as the location as the location specified in Hydration. Select to complete the wizard by clicking “tick symbol” in the bottom right of the screen. 3.2 Create a Storage Account The Storage will be used to store all your Virtual Machines including the vhd’s. If you don’t create a Storage Account, these can be created automatically when Virtual Machines are created. Page 18 Want to know more about Storage Accounts? If you want to learn more about Storage Accounts go to What is a Storage Account? at http://azure.microsoft.com/en-us/documentation/articles/storage-whatis-account/ Required Time: 5 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. Create Azure Storage Account Select “Storage” Select “+ NEW” in the bottom left. Select “Quick Create”. Enter the Name of your Storage “URL”. This can be any name you prefer as long as it is not already taken. (e.g. emslabstorage). Enter the Region or Affinity Group for your Storage Account. This must be the same Region as your Cloud Service. This must be the same as the location as the location specified in Hydration. Accept the settings and select “Create Storage Account” by clicking “tick symbol” in the bottom right of the screen. 3.3 Create a Virtual Network The Virtual Network will create a subnet that can be used across the Virtual Machines. Required Time: 5 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. Create Azure Virtual Network Select “Networks” Select “+ NEW” in the bottom left. Select Custom Create Enter the Name “VirNetMobility” of your Virtual Network and select the Location closest to you. This must be the same as the location as the location specified in Hydration. Go to the next screen by selecting the arrow “->”. Skip the “DNS Servers and VPN Connectivity” screen. You will come back to this later after a DNS server is configured. Go to the next screen by selecting the arrow “->”. Under the CDIR (Address Count) for the Address Space select /24 (256). Page 19 Task Detailed steps Under CDIR (Address Count) in the Subnet line also select /24 (256). Accept the remaining settings in Virtual Network Address Spaces and select to complete the wizard by clicking “tick symbol” in the bottom right of the screen. Page 20 4 DC1: Setup and Configure AD, DNS, CA and ADFS The following section outlines how DC1 will be installed and configured with the following roles: - Active Directory Federation Services - DNS - Directory Synchronization - Active Directory Certificate Services - Active Directory Federation Services Required Time: 15 minutes 4.1 DC1: VM - Create the Virtual Machine This section outlines how to create the virtual machine to be used for DC1. Required Time: 5 minutes (creation time up to 10min) Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Create DC1 Virtual Machine Select Virtual Machines Select Create a Virtual Machine Select From Gallery Make sure Windows Server 2012 R2 Datacenter is selected and the arrow “->” to the next screen. In the Virtual machine configuration window in Virtual Machine Name type the Virtual Machine Name called “DC1” In the Virtual machine configuration window type the New User Name called “LabAdmin” In the 2nd screen of the Virtual machine configuration window type the New Password and Confirm with the password “L@b@dm1n”or any other password you prefer. Please note that Azure does not except commonly used usernames and passwords. Go to the next (3rd) screen by selecting the arrow “->”. In the 3rd and last screen of the Virtual machine configuration window select the Cloud Service that you created earlier (e.g “DeviceDemo”). If you created a Storage Account earlier select the Storage Account (e.g “emslabstorrageaccount” or have a Storage Account being created automatically. Go to the next (4th) screen by selecting the arrow “” Page 21 Task Detailed steps In the 4th and last screen of the Virtual machine configuration window select Microsoft Antimalware under Security Extensions and leave the remaining settings as is. Select to complete the wizard by clicking “tick symbol” in the bottom right of the screen. Wait until the VM provisioning process is finished New VM’s or Existing VM’s? It is also possible to import existing VM’s into Windows Azure. In this lab we will create and configure new VM’s. If you want to learn more about Create and Upload VHD’s to Windows Azure go to Create and upload a Windows Server VHD to Azure at http://azure.microsoft.com/enus/documentation/articles/virtual-machines-create-upload-vhd-windows-server/ 4.2 DC1: VM – Install Azure PowerShell and Configure a Static IP This section will outline how to install the Azure PowerShell extensions on DC1 and configure a static IP address for DC1. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Install Azure PowerShell Select Virtual Machines Select “DC1” and click Connect at the bottom of the screen. Logon to DC1 with “LabAdmin” with the password “L@b@dm1n” Open Server Manager Select Local Server Turn off IE Enhanced Security Configuration by clicking on On. Install and Configure Azure PowerShell on the Virtual Machine as described in How to install and configure Azure PowerShell at http://azure.microsoft.com/enus/documentation/articles/install-configure-powershell/. A direct installation link to the Microsoft Web Platform Installer for Azure PowerShell can be found here: http://go.microsoft.com/fwlink/p/?linkid=320376&clcid=0x409 When the warning appears in Internet Explorer select Run In the Microsoft Azure PowerShell window select Install In the Prerequisites step select I Accept. In the Finish step select Finish. In the Web Platform Installer 5.0 select Exit. Page 22 Task Detailed steps Configure Static IP Open the Azure PowerShell command prompt running as administrator and type AddAzureAccount and provide the username and password of the Azure Administrator configured for the subscription. If more than one subscription is shown, please select the Azure subscription you are using by typing: Select-AzureSubscription [-SubscriptionName] Set a Static Internal IP Address (DIP) for the VM as described in Configure a Static Internal IP Address (DIP) for a VM at http://msdn.microsoft.com/en-us/library/azure/dn630228.aspx. Validate and write down the IP Address assigned to DC1 (we assume 10.0.0.4 for now). Your command should look like: IPCONFIG Test-AzureStaticVNetIP –VNetName VirnetMobility –IPAddress 10.0.0.4 Get-AzureVM -ServiceName -Name DC1 | SetAzureStaticVNetIP -IPAddress 10.0.0.4| Update-AzureVM DC1 VM will reboot. Wait and Logon to DC1 with “LabAdmin” with the password “L@b@dm1n” 4.3 DC1: AD - Configure Active Directory Domain Services This section will outline how to install and configure the Active Directory Domain Services on DC1. Required Time: 20 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Create Select Virtual Machines Select DC1 and click Connect at the bottom of the screen. Logon to DC1 with LabAdmin with the password L@b@dm1n Open Server Manager Under Manage in the top right of the screen click Add Roles and Features In Before You Begin click Next In Installation Type click Role-based or feature-based installation and click Next In Server Selection make sure DC1 is selected and click Next In Server Roles click Active Directory Domain Services When the Add Roles and Features for Active Directory Domain Services Window appears click Add Features Select Next In the Active Directory Domain Services window click Next Page 23 Task Detailed steps In the Confirmation windows click Install Wait till the Feature installation has finished and click Promote this server to a domain controller in the wizard window Promote to a domain controller In the Deployment Configuration step click Add new Forest and type “corp.” in the Root Domain name field. (e.g. corp.devicedemo.net) Select Next In the Domain Controller Options step type the password “L@b@dm1n” and confirm the password. Leave all other field as default and click Next. In the DNS Options step notice the warning about the delegation for the DNS server. We will configure this later. In the Additional Options step leave the default NetBIOS domain name (Corp) and click Next. In the Paths step leave the default paths and click Next. In the Review Options field review the options and click Next. After a successful Prerequisite check in the Installation step click Install. After the installation finishes the server will reboot. 4.4 DC1: DNS - Configure DC1 as DNS for Virtual Network This section will outline how to configure DC1 as the DNS server for the virtual network created in Azure. Required Time: 5 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Configure DNS for Virtual Network Make sure you are logged on to the management portal of Azure.microsoft.com. Select Networks Select DNS Servers Select REGISTER DNS SERVER. Under name type DC1 Under IP address type 10.0.0.4 Click register DNS Server Select VIRTUAL NETWORKS Select VirNetMobility. Select Configure Page 24 Task Detailed steps Under dns servers in the ENTER NAME select the name of the domain controller “DC1” Azure will recognize the DNS server name and you can click it. Select SAVE Read the message and click Yes 4.5 DC1: DNS - Configure DC1 with DNS Forwarders This section will outline how to configure DNS forwarders on DC1 to appropriately forward DNS requests for the internet. Required Time: 5 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Configure DNS Forwarders Select Virtual Machines . Select “DC1” and click Connect at the bottom of the screen. Logon to DC1 with “LabAdmin” with the password “L@b@dm1n” Open Server Manager Under Tools in the top right of the screen click DNS. In DNS Manager select “DC1” and right click to select Properties. Select the Forwarders tab. Click Edit. Enter the IP address(es) of public name servers. E.g. the 8.8.OpenDNS nameservers (208.67.222.222 (resolver1.opendns.com), 208.67.220.220 (resolver2.opendns.com) 8.8.4.4 (google public dns) , 8.8.8.8 (google public dns) Click OK. Click OK. 4.6 DC1: DNS - Configure an Alternate User Principal Name Suffix The UPN for the Azure Active Directory users will be different to the on-premises domain. In this step, we configure the on-premises domain to use an alternate UPN to allow users to sign in to the cloud services domain name. This will be the domain name that was registered externally e.g. “devicedemo.net”. This section will outline how to configure the alternative UPN on DC1. Page 25 Required Time: 5 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Configure UPN If not already, Logon to DC1 with “LabAdmin” with the password “L@b@dm1n” On the Start Screen click Administrative Tools, then start Active Directory Domains and Trusts Right-click Active Directory Domains and Trusts then left-click Properties Select the UPN Suffixes tab In the Alternative UPN Suffixes box, type the alternative UPN suffix (your publicly registered domain name) for the forest, and then click Add Click OK Close Active Directory Domains and Trusts 4.7 DC1: DNS - Configure DNS for Federation Service, DRS and Enrollment To correctly find federation services (STS), perform DRS and enroll devices we need to configure DNS correctly. As we are using a different domain name for the internal Active Directory (corp.) as to the domain of the ADFS service name (later to be configured in this document) sts. we will need to setup a Split-brain DNS internally for . For more information see http://support.microsoft.com/kb/2715326 . This section will outline how to configure a Split Brain DNS configuration for the environment on the DNS server installed on DC1. The two services that we need to register are: ▪ EnterpriseEnrollment - This enables the devices to enroll their devices in Intune. ▪ EnterpriseRegistration – This allows the device to connect to the device registration service (DRS). Note: In the configuration below we are using the Azure AD Device Registration service and not the DRS of the ADFS (STS) server. Required Time: 5 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Also make suer you are logged on to DC1. Configure Split-brain DNS to support address If not already, Logon to DC1 with “LabAdmin” with the password “L@b@dm1n” Page 26 Task translation for externally published resources. Detailed steps In Server Manager, on the Tools menu, click DNS to open the DNS snap-in. In the console tree, expand the “DC1” node, Expand Forward Lookup Zones. Right Click Forward Lookup Zone and Click New Zone… In the Welcome to the New Zone Wizard click Next In the Zone Type window select Primary zone. In the Active Directory Zone Replication Scope window select To all DNS servers running … in this domain Click Next In the Zone Name window type . E.g devicedemo.net Click Next. In the Dynamic Update windows select Allow only secure dynamic updates. Click Next. In the Competing the New Zone Wizard window click Finish. Configure DNS for Federation, DRS an Enrollment In the console tree, expand DC1, expand Forward Lookup Zones, right-click , and then click New Host (A or AAAA). In Name, type sts In IP address, type the IP address of DC1 server (e.g. 10.0.0.4). Click Add Host. Click OK Right-click , and then click New Alias (CNAME). In the New Resource Record dialog box, type enterpriseregistration in the Alias name box. In the Fully Qualified Domain Name (FQDN) for target host box, type select enterpriseregistration.windows.net and click OK. Right-click , and then click New Alias (CNAME). In the New Resource Record dialog box, type enterpriseenrollment in the Alias name box. In the Fully Qualified Domain Name (FQDN) for target host box, type select manage.microsoft.com and click OK. In the DNS Management Console that you opened earlier, right-click the server name (DC1), and then click Clear Cache. Type the following command, and then press Enter: Ipconfig /flushdns Get your Public IP for DC1 Make sure you are logged on to the management portal of Azure.microsoft.com. Select Virtual Machines Click DC1 Click Dashboards Page 27 Task Detailed steps On the right site, write down your Public Virtual IP (VIP) Address Configure Public Domain Settings @ GoDaddy (Not required if you use a different Public Domain Provider) NOTE: steps may be different on your Public Domain provider Logon your to http://www.godaddy.com Click on My Account and select Manage my domains. Click on your domain name Click on the DNS Zone file tab Click Add Record Select CNAME (alias) For Host: enter enterpriseregistration and point it to enterpriseregistration.windows.net Click Finish Click Add Record Select CNAME (alias) For Host: enter enterpriseenrollment and point it to manage.microsoft.com Click Finish Click Add Record Select A (host) record Enter STS in the Host field Point the record to the Public virtual IP (VIP) address as assigned in Azure in the Dashboard tab of DC1. Click Validate if the registration was successful. to commit all changes. From a computer connected to the internet open a command prompt. Type Ping enterpriseregistration. and type enter Notice that the name gets resolved to a public IP address. Page 28 Task Detailed steps Type Ping enterpriseenrollment. and type enter Notice that the name gets resolved to a public IP address which is associated with manage.microsoft.com. 4.8 DC1: AD - Create Organizational Unit Hierarchy Create the OU structure as required to restrict the Directory Synchronization between the on-premises Active Directory and Azure Active Directory. Required Time: 5 minutes Task Detailed steps Complete these steps from DC1. Create the Organizational Unit Structure Open Active Directory Users and Computers Expand the Right click the domain name, select New and select Organizational Unit Type Corp and click OK Right click the Corp Organizational Unit, select New and select Organizational Unit Type Users and click OK Right click the Corp Organizational Unit, select New and select Organizational Unit Type Groups Right click the Corp Organizational Unit, select New and select Organizational Unit Type Service Accounts and click OK Right click the Corp Organizational Unit, select New and select Organizational Unit Type Administrators and click OK 4.9 DC1: AD - Create Users and Groups Create an Intune Admin user and sample users for later in the lab. Required Time: 5 minutes Task Detailed steps Complete these steps from DC1. Create an Intune Admin Account Open Active Directory Users and Computers Page 29 Task Detailed steps Right click in the OU created earlier and select Create new user. Use the following values for the new user: a. First name: Intune b. Last name: Admin c. User logonname: IntuneAdmin@ Click next For the Password: use @zureP@ssw0rd Confirm the password Unselect User must change password at the next logon Select Password never expires Click Next Create standard test users. Open Active Directory Users and Computers Richt click in the OU named Corp\Users and select Create new user. Use the following values for the new user: a. First name: Test b. Last name: User1 c. User logonname: TestUser1@ Click Next For the Password: use: P@ssw0rd Confirm the password Unselect User must change password at the next logon Select Password never expires Click Next Create additional Test Users Create Test Groups Repeat step 1 – step 8 for a TestUser2, TestUser3 and TestUser4. Open Active Directory Users and Computers Right click in the OU created earlier and select new GROUP Name the Group TestGroupUser and click OK Repeat the steps and create the following groups TestGroupAdmins, Marketing. 4.10 DC1: CA - Install and Configure Active Directory Certificate Services This section will outline how to install and configure the Active Directory Certificate Services on DC1. Required Time: 5 minutes Page 30 Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Install AD Certificate Service Select Virtual Machines. Select “DC1” and select Connect at the bottom of the screen. Logon to DC1 with “LabAdmin” with the password “L@b@dm1n” Open Server Manager Under Manage in the top right of the screen click Add Roles and Features In Before You Begin click Next In Installation Type click Role-based or feature-based installation and click Next In Server Selection make sure DC1 is selected and click Next In Server Roles click Active Directory Certificate Services When the Add Features that are required for Active Directory Certificate Services? Window appears click Add Features In the Server Roles step Select Next In the Features step click Next In the AD CS step click Next In the Roles Services step leave the defaults click Next In the Confirmation step click Install Wait until the installation is finish Configure AD Certificate service Click on Configure Active Directory Certificate Services on the destination server In the Credentials step leave the Credentials field with CORP\LabAdmin and click Next. In the Roles Services step select Certification Authority and click Next. In the Setup Type step select Enterprise CA and click Next. In the CA Type step select Root CA and click Next. In the Private Key step select Create a new private key and click Next. In the Cryptography step leave all default values and click Next. In the CA Name step leave all default values and click Next. In the Validity Period step leave the default to 5 years and click Next. In the Certificate Database step leave the default values and click Next. In the Confirmation step click Configure. When finished click Close. Click Close for the Add Roles and Features Wizard window Page 31 4.11 DC1: ADFS – Install the Public SSL Wild Card Certificate for ADFS In this section you will import the Public SSL Wild Card Certificate to be used for ADFS and the Web Application Proxy and use it to complete the certificate request required for DigiCert’s certificate enrollment process. You will install the public certificate on the server and export it so it can be installed on other servers during later labs. Note: You cannot use a wild card SSL certificate created with the Enterprise CA installed on DC1. You must use a public SLL Certificate such as one from DigiCert. This is required to successfully enroll mobile devices. Device enrollment will get an Authentication error if a non-public SSL certificate is used. Important: In this section the assumption is made a Public SSL Wildcard Certificate from DigiCert is requested and used. This is important as in this section the DigiCert Certificate Utility is used to install the public wildcard certificate. If you use different certificates please make sure you to perform the below tasks as required for your certificates. Required Time: 5 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Download the DigiCert Certificate Utility Switch to the remote desktop session for DC1, which should already be open. In the DC1 VM, launch Internet Explorer. Click the settings icon in the top-right corner | Internet options. Navigate to the Security tab | select Internet | click Custom level. Scroll down to the Downloads section and locate the File download option | select Enable. Click OK | Yes | OK. Navigate to https://www.digicert.com/util/. On the DigiCert Certificate Utility for Windows page, click the DOWNLOAD NOW button | Save. When notified that the download has completed, click Open Folder. Right-click the DigiCertUtil.zip file | Extract All | Extract. Use the DigiCert Certificate Utility to install the public wildcard certificate for ADFS Double-click the DigiCertUtil.exe tool which you extracted in the previous task | click Run. Click I Accept. Click the Account tab in the left navigation bar. Enter your DigiCert username and password and click the Login button Locate the certificate request which you submitted during the first exercise of this lab. The certificate should have a common name in the format of *.domain.com. Click the Install link associated with the certificate. Click the Install button. Page 32 Task Detailed steps NOTE: You would ordinarily run a tool like certreq.exe or use the Certificates MMC snap-in to generate a CSR. That CSR would then be sent to the certificate authority to complete the certificate request so that the certificate can be issued and installed manually. This is a multi-step process that may take some time. The DigiCert utility simplifies this process to save time. Click OK. Leave the DigiCert Certificate Utility open. Export the public certificate In the DigiCert Certificate Utility, click the SSL tab in the left navigation bar. Select the *. certificate from the list of installed certificates | click Export Certificate. Accept the defaults and click Next. Enter and confirm a password of “L@b@dm1n” (without the quotations) and click Next. In the file name field, enter C:\ADFSCert.PFX | click Finish. Click OK. Click Close. 4.12 DC1: ADFS – Install and Configure Active Directory Federation Services This section will outline how to install and configure the Active Directory Federation Services on DC1. Required Time: 30 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Install ADFS Select Virtual Machines Select “DC1” and select Connect at the bottom of the screen. Logon to DC1 with “LabAdmin” with the password “L@b@dm1n” Open Server Manager. In the Quick Start tab of the Welcome tile on the Dashboard page, click Add roles and features. On the Before you begin page, click Next. On the Select installation type page, click Role-based or Feature-based installation, and then click Next. On the Select destination server page, click Select a server from the server pool, verify that the target computer is selected, and then click Next. On the Select server roles page, click Active Directory Federation Services, and then click Next. On the Select features page, click Next. The required prerequisites are preselected for you. You do not have to click any other features. Page 33 Task Detailed steps On the Active Directory Federation Service (AD FS) page, click Next. After you verify the information on the Confirm installation selections page, click Install. On the Installation progress page, verify that everything installed correctly, don’t close the window. We come back here quickly. Enable Group Managed Service Accounts Open a PowerShell window as Administrator and type: Add-KdsRootKey –EffectiveTime (Get-Date).AddHours(-10) Switch back to the Add Roles and Features Wizard Configure ADFS Click Configure the federation service on this server. In the Welcome windows make sure Create the first federation server in a federation server farm is selected and click Next. In the Connect to AS DS leave the domain admin credentials and click Next. For the SSL Certificate select the wildcard cert created earlier from the dropdown menu “*.” For the Federation Service Name change the Wildcard with the name for the federation service “sts.”. (E.g sts.devicedemo.net) In the Federation Service Display Name: enter “Federation Service” without quotations. Click Next. In the Specify Service Account window under Create a group Managed Service Account enter “GSMA_adfs” (without quotations). Click Next. In the Specify Configuration Database window make sure the Create database on this server using the Windows Internal Database is selected. Click Next. In the Review options window make sure all values are correct. Click Next. In the pre-requisite Checks window validate all prerequisites are met and click Configure. Click Close. To test if the ADFS server and DNS configuration is configured correctly open Internet Explorer from DC1 and enter https://sts./adfs/ls/idpinitiatedsignon.htm. A sign in page should appear. Page 34 Task Detailed steps To test the sign in you can sign in with the LabAdmin account. 4.13 DC1: ADFS – Install Windows PowerShell for single sign-on with AD FS This section will outline how to install Windows PowerShell for single sign-on with AD FS on DC1. These cmdlets will be used to configure your Azure AD domains as federated domains. Note: for more information on how to prepare Azure AD to use AD FS and implement and manage single sign-on see: http://msdn.microsoft.com/library/azure/jj205462.aspx. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Install the Microsoft Online Services Sign-in AssistantInstall the Microsoft Online Services Sign-in Assistantinstall Windows PowerShell for single sign-on with AD FS Select Virtual Machines Select “DC1” and select Connect at the bottom of the screen. Logon to DC1 with “LabAdmin” with the password “L@b@dm1n” Open Internet Explorer on DC1 and navigate to http://www.microsoft.com/enus/download/details.aspx?id=41950 Click Download. Select en\msoidcli_64bit.msi and click Next. If the notification window at the bottom of the screen appears select Always allow. Page 35 Task Detailed steps In the notification window at the bottom of the screen select Run. In the Microsoft Online Services Sign-in Setup License screen select I accept the terms in the License Agreement and Privacy Statement. Click Install. After the installation is completed click Finish. When the Window appears to restart the system click to restart the system. Install AAD Module for PowerShell Logon to DC1 with “LabAdmin” with the password “L@b@dm1n” Open Internet Explorer on DC1 and navigate to Open Internet Explorer on DC1 and navigate to Azure Active Directory Module for Windows PowerShell (64-bit version) at http://go.microsoft.com/fwlink/p/?linkid=236297 In the Welcome window click Next. In the License window select I accept the terms in the License Terms. Click Next In the Install Location window click Next. In the Ready to Install window click Install. In the final Window click Finish. 4.14 DC1: ADFS – Workaround for DC1 Hanging on Boot. This section will outline how to implement a workaround/fix for a known issue with AD Certificate Services and ADFS installed on the same server and the MKDS hanging during boot. Note: for more information see: https://social.technet.microsoft.com/Forums/windowsserver/enus/a290c5c0-3112-409f-8cb0-ff23e083e5d1/ad-fs-windows-2012-r2-adfssrv-hangs-in-startingmode?forum=winserverDS. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Install the Microsoft Online Services Sign-in AssistantInstall the Microsoft Online Services Sign-in Assistantinstall In the Azure Management Portal select Virtual Machines Select “DC1” and select Connect at the bottom of the screen. Logon to DC1 with “LabAdmin” with the password “L@b@dm1n” Open command Prompt as Administrator Page 36 Task Windows PowerShell for single sign-on with AD FS Detailed steps In the command prompt type sc qtriggerinfo kdssvc Note: this will show the current trigger start service configuration for kdsscv. The default for the Microsoft Key Distribution Service is using an RPC trigger which will start the service when a request is received on the interface. The workaround is changing the trigger configuration so that it relies on a different trigger. The command to use is sc triggerinfo kdssvc start/networkon which starts the service when the network is on (typically very early in the boot cycle). In the command prompt type sc triggerinfo kdssvc start/networkon In the command prompt type sc qtriggerinfo kdssvc and notice the startup trigger has changed. Note: After a reboot you can validate if all services are running in the Dashboard of Server Manager. We have seen that the Intersite Messaging service (IsmServ) service didn’t start automatically. To prevent this you can also create a Start Service for the Intersite Messaging service (IsmServ) as shown in the steps below. In the command prompt type sc qtriggerinfo IsmServ. You will see that there is no triggered start service for IsmServ. In the command prompt type sc triggerinfo IsmServ start/networkon In the command prompt type sc qtriggerinfo IsmServ and notice the startup trigger has changed. Optionally you can reboot DC1 to experience the change. Page 37 5 WAP1: Setup Web Application Proxy The following section outlines how the Web Application Proxy will be installed and configured on WAP1 5.1 WAP1: Create the Virtual Machine This section outlines how to create the virtual machine to be used for the Web Application Proxy WAP1. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Create Web Authentication Proxy VM Select Virtual Machines. Select “+ NEW” in the bottom left. Select From Gallery Make sure Windows Server 2012 R2 Datacenter is selected and the arrow “->” to the next screen. In the Virtual machine configuration window in Virtual Machine Name type the Virtual Machine Name called “WAP1” In the Virtual machine configuration window type the New User Name called “LabAdmin” In the 2nd screen of the Virtual machine configuration window type the New Password and Confirm with the password “L@b@dm1n” or any other password you prefer. Please note that Azure does not except commonly used usernames and passwords. Go to the next (3rd) screen by selecting the arrow “->”. In the 3rd and last screen of the Virtual machine configuration window select the Cloud Service that you created earlier (e.g “emslabservice”). If you created a Storage Account earlier select the Storage Account (e.g “emslabstrorrageaccount” or have a Storage Account being created automatically. Go to the next (4th) screen by selecting the arrow “->”. In the 4th and last screen of the Virtual machine configuration window select Microsoft Antimalware under Security Extensions and leave the remaining settings as is. Select to complete the wizard by clicking “tick symbol” in the bottom right of the screen. Select to complete the wizard by clicking “tick symbol” in the bottom right of the screen. Page 38 5.2 WAP1: VM – Configure and Join WAP1 to the CORP domain. During these steps we will create the virtual machine to be used for the Web Application Proxy WAP1. Note 1: In many situations depending on the scenario it is recommended to place the Web Application Proxy (WAP) in the DMZ and not have it Domain Joined. However if the WAP needs to support Integrated Windows Authentication (Kerberos) it requires to be domain joined. As this configuration is for demo and PoC purposes we will domain join the WAP to be able to support Integrated Windows authentication as well. Note 2: Also if SharePoint is used to be published and the same SharePoint site needs to be accessed internally (through Kerberos) it is also recommended to have support for Windows integrated authentication (pre-authentication) as SharePoint creates different profiles for Windows Authenticated users and other authenticated users even if it is the same user. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Join WAP1 to Domain Select Virtual Machines Select “WAP1” and click Connect at the bottom of the screen. Logon to WAP1 with “.\LabAdmin” with the password “L@b@dm1n” Open Server Manager Select Local Server Turn off IE Enhanced Security Configuration by clicking on On and selecting Off for Administrators and Users. (for later) Click on WORKGROUP in the Workgroup field. In the Computer Name tab click Change. In the Member of field make sure Domain is selected. In the Domain field type in Corp.. E.g. Corp.devicedemo.net. For User name use LabAdmin and password type L@b@dm1n . Click OK. In the Computer Name/Domain Changes window, click OK. Click OK to reboot the computer. Close the System Properties window. Click Restart Now Page 39 5.3 WAP1: VM – Install Azure PowerShell and Configure a Static IP In this section will outline how to install the Azure PowerShell extensions on WAP1 and configure a static IP address for WAP1. Note: Before continuing with the following sections, it is recommended to update WAP1 with all the latest updates from Microsoft Update. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Install Azure Powershell and configure static IP Select Virtual Machines. Select WAP1 and click Connect at the bottom of the screen. Logon to WAP1 with Corp\LabAdmin with the password L@b@dm1n Open Server Manager Select Local Server Install Azure PowerShell by going to the direct installation here: http://go.microsoft.com/fwlink/p/?linkid=320376&clcid=0x409 When the warning appears in Internet Explorer select Run In the Microsoft Azure PowerShell window select Install In the Prerequisites step, select I Accept. In the Finish step, select Finish. In the Web Platform Installer 5.0 select Exit. Open the Azure PowerShell command prompt running as administrator type AddAzureAccount and provide the username and password of the Azure Administrator configured for the subscription. If more than one subscription is shown, please select the Azure subscription you are using by typing: Select-AzureSubscription [-SubscriptionName] Set Static IP Address (DIP) for the VM as described in Configure a Static Internal IP Address (DIP) for a VM at http://msdn.microsoft.com/en-us/library/azure/dn630228.aspx. Open Azure Powershell, your commands should look like: a. IPCONFIG /all (assuming your IP address is now 10.0.0.5) b. Test-AzureStaticVNetIP –VNetName VirnetMobility –IPAddress 10.0.0.5 c. Get-AzureVM -ServiceName -Name WAP1 | SetAzureStaticVNetIP -IPAddress 10.0.0.5 | Update-AzureVM Page 40 5.4 WAP1: Export the Public SSL Wild Card Certificate from DC1 In this section, we will export the SSL Wild Card certificate from DC1 to a file so it can be imported by the Web Application Proxy server WAP1. Required Time: 5 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Export SSL Wildcard Cert Select Virtual Machines. Select DC1 and select Connect at the bottom of the screen. Logon to DC1 with LabAdmin with the password L@b@dm1n Go to the Start screen, type certlm.msc and press Enter to open an MMC console on the desktop. Click Personal Click Certificates Look for the certificate called “*.” (without the quotation), right click the certificate and select All tasks -> Export. In the Welcome to the Certificate Export Wizard page click Next. In the Export Private Key page Select Yes, export the private key. In the Export File Format page click Next In the Security page select Password and enter the password “L@b@dm1n” and confirm the password “L@b@dm1n” (without the quotations). Click Next. In the File to Export page type “c:\ADFSCert” (without the quotations) Click Next In the Completing the Certification Export Wizard click Finish Click OK 5.5 WAP1: Import the SSL Wild Card Certificate to WAP1 In this exercise we will import the SSL Wildcard Certificate used for the ADFS server to the Web Application Proxy server WAP1. Required Time: 5 minutes Page 41 Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Import SSL Cert into WAP1 Select Virtual Machines Select WAP1 and select Connect at the bottom of the screen. Logon to WAP1 with LabAdmin with the password L@b@dm1n Go to the Start screen, type certlm.msc and press Enter to open an MMC console on the desktop. Click Personal Click Certificates Right click Certificates and select All tasks -> Import In the Welcome to the Certificate Import Wizard click Next In the File Import page, in the File name: field enter \\DC1\c$\ADFSCert.PFX and click Next In the Private Key Protection page, in the Password: field enter “L@b@dm1n” (without the quotations) Click Next. In the Certificate Store page leave the default value to Personal and click Next. In the Completing the Certificate Import Wizard page click Finish. In the Certificate Import Wizard dialog box click OK. 5.6 WAP1: Configure the Azure Endpoint and Public Domain As WAP is installed in Azure, in this section we will also need to open the endpoint and configure the public domain. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Configure Azure Endpoint and Public Domain Select Cloud Service. Select the Cloud Service created for this environment. Select Dashboard Scroll down to see your Public Virtual IP (VIP) Address and write this down Go back to the main menu in Azure. Select Virtual Machines. Select WAP1 Page 42 Task Detailed steps In the top menu select Endpoints In the bottom of the screen select ADD In the Add an endpoint to a virtual machine step select the arrow to go to the next screen. In the Specify the details of the endpoint for the NAME field select HTTPS and select the finish button the “tick” symbol. In the bottom of the screen select ADD In the Add an endpoint to a virtual machine step select the arrow  to go to the next screen. In the Specify the details of the endpoint for the NAME field select HTTP and select the finish button the “tick” symbol. In the ENDPOINTS view for WAP1 make sure HTTPS is selected. At the bottom of the screen select manage ACL. In the Specify ACL details for the HTTPS Endpoint a. In the first row under Description, type “Authorized Users” (without the quotation). b. In the first row under REMOTE SUBNET type “0.0.0.0/0” (without the quotation). Finish this step by selecting the “tick” symbol 5.7 WAP1: Install and Configure Web Application Proxy During these steps, we will install and configure the Web Application Proxy on WAP1. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Install Remote Access Select Select Virtual Machines. Select “WAP1” and click Connect at the bottom of the screen. Logon to WAP1 with “Corp\LabAdmin” with the password “L@b@dm1n” Open Server Manager, click Server Manager on the Start screen In the Quick Start tab of the Welcome tile on the Dashboard page, click Add roles and features. Alternatively, you can click Add Roles and Features on the Manage menu. On the Before you begin page, click Next. On the Select installation type page, click Role-based or Feature-based installation, and then click Next. On the Select destination server page, click Select a server from the server pool, verify that the target computer is selected, and then click Next. Page 43 Task Detailed steps On the Select server roles page, click Remote Access, and then click Next. On the Select features page, click Next. The required prerequisites are preselected for you. You do not have to click any other features. On the Remote Access page, click Next. On the Role Services page, select Web Application Proxy. In the Add Roles and Feature Wizard window evaluate the required features and click Add Features. On the Role Services page, click Next. After you verify the information on the Confirm installation selections page, click Install. Wait until the installation process is finished Don’t close the window! Configure Web Application Proxy On the Installation progress page, verify that everything installed correctly Click Open the Web Application Proxy Wizard. In the Welcome windows click Next. In the Federation Service page: For Federation service name: field enter “sts.” (without the quotes). For User name: field type “Corp\LabAdmin” (without the quotes). For Password: field type “L@b@dm1n” (without the quotes). Click Next. In the AD FS Proxy Certificate page select the SSL wild card certificate created earlier called “*.” (without the quotes). Click Next. In the Confirmation page validate the configuration and click Configure. In the Results page confirm the installation was successful and click Close The Remote Access Management Console will start automatically. To test if the WAP server and the public DNS configuration is configured correctly open Internet Explorer from an Internet facing machine and enter https://sts./adfs/ls/idpinitiatedsignon.htm. A sign in page should appear. To test the sign in you can sign in with the LabAdmin account. Close Roles and Feature Wizard 5.8 WAP1: Troubleshooting This chapter includes references to how to troubleshoot ADFS in combination with WAP. ▪ Understanding and fixing Proxy Trust CTL Issues with AD FS 2012 R2 and Web Application Proxy: http://blogs.technet.com/b/applicationproxyblog/archive/2014/05/28/understanding-and-fixingproxy-trust-ctl-issues-with-ad-fs-2012-r2-and-web-application-proxy.aspx Page 44 6 Setup and Configure AADSync In this exercise, our sample company has a single-domain Active Directory Domain Services (AD DS) forest which they are integrating with Azure Active Directory. The fully qualified domain name of this forest is (e.g. corp.) and all users are currently assigned a user principal name suffix of @ (e.g. @corp.) During lab preparation, you created a new public DNS domain that was chosen by you. In the first lab, you configured the DNS domain to be handled by a public DNS name server running under your 30-day trial Windows Azure subscription. In this exercise, you will install and configure the sync service to synchronize you user account between your company AD and the cloud services. 6.1 Add a Registered Domain to your Tenant In this section, you will add to your AAD tenant the custom domain that you registered with a public registrar. You can do this either from the AAD Administrative portal or you can do it using a PowerShell command as part of configuring the ADFS federation trust with AAD. We will use the PowerShell command below. Required Time: 15 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. Establish a trust between AD FS and Azure AD by setting up a custom federated domain. Establish a trust between AD FS and Windows Azure AD by converting your custom domain to federated Select Virtual Machines. Select DC1 and click Connect at the bottom of the screen. Logon to DC1 with LabAdmin with the password L@b@dm1n Click the Windows button Click the down arrow to go to all Apps Right click Windows Azure Active Directory Module for Windows PowerShell and select Run as Administrator. Run $cred=Get-Credential. When the cmdlet prompts you for credentials, type your cloud service administrator account credentials created in the earlier step: admin@.onmicrosoft.com with the password L@b@dm1n. Run Connect-MsolService –Credential $cred This cmdlet connects you to Azure AD. Creating a context that connects you to Azure AD is required before running any of the additional cmdlets installed by the tool. Run New-MsolFederatedDomain –DomainName , where is the domain to be added and enabled for single sign-on. This cmdlet adds a new top-level domain or subdomain that will be configured for federated authentication. Page 45 Task Detailed steps Note: If the command returns an error please try again a second time. If it still doesn’t work try to reinstall Windows Azure Active Directory Module for Windows. Note the value of the field the looks like this - MS=ms35071290. This will be used in the next exercise to confirm that you own this domain. Create a TXT record in the public DNS zone for your domain IMPORTANT: Depending on the chosen public domain name register service chose one of the following. If you are using a different public domain name register only follow the instructions below as guidance and use the steps required with your service. For people using a Godaddy: Open Internet Explorer and navigate to http://www.godaddy.com Click the Sign In button and sign in with the account you used to register your public domain during the previous lab. Click My Account and select Manage My Domains. Click in the wheel icon next to your domain name and select Domain details Select the DNS Zone File tab Click on Add Record. Select TXT (text) from the Record Type menu. Type @ in the Host field. In the TXT Value field, paste the value that you noted in the previous task. For example, MS=ms35071290. And click add of Finish. Back in the DNS Zone overview confirm the changes made through clicking on Save Changes . Note: Using the information provided by the results of the New-MsolFederatedDomain cmdlet, contact your domain registrar to create the required DNS record or do it yourself. This verifies that you own the domain. Note that this may take up to 15 minutes to propagate, depending on your registrar. It can take up to 72 hours for changes to propagate through the system. Establish a trust between AD FS and Microsoft Azure AD by converting your custom domain to federated Investigate the AD FS trust created by the PowerShell command Switch back to DC1 and go back to your powershell command Run New-MsolFederatedDomain -DomainName a second time, specifying the same domain name to finalize the process. In the DC1 VM, navigate to the Start screen | type AD FS Management | hit Enter. Expand Trust Relationships | click Relying Party Trusts. Notice that a new relying party trust named Microsoft Office 365 Identity Platform was created by the Convert-MsolDomainToFederated PowerShell cmdlet which was executed to convert the domain to federated in AAD. In Azure AD you will now also see your public domain name as being configured and verified. Verify the custom domain added to Windows Azure Active Directory Switch to your Azure portal In the Windows Azure management portal, click ACTIVE DIRECTORY in the navigation bar. You may have to click OK in the command bar before proceeding. If the navigation bar text is not displayed, click the icon of a pyramid. Page 46 Task Detailed steps Click on the name of the AAD instance created for this lab to open the AAD instance. Click the DOMAINS tab. Select the domain with the publicly registered domain name you added earlier in this exercise. Confirm STATUS is Verified. Verify federated authentication Navigate to https://myapps.microsoft.com from an InPrivate Internet Explorer browsing session. If you are signed-in as a user, click the user name in the upper-right corner of the page | Sign out. In the username field of the Azure Active Directory sign in page, type TestUser1@| press Tab. Windows Azure Active Directory will redirect you to the sign in page for the AD FS instance you deployed in previous exercises. On the AD FS sign in page, sign in with a user name of TestUser1@ and the following password: L@b@dm1n Verify that ADFS successfully authenticates you but you cannot access the Azure portal. Instead you get the message: There was a problem processing your request. This is because we have not synchronized the user identities from the on-premises Active Directory to Azure Active Directory. Click the user name in the upper-right corner of the page | Sign out. 6.2 Install and Configure Microsoft Azure Active Directory Sync Services This section will outline how to install and configure Microsoft Azure Active Directory Sync Services. Required Time: 15 minutes Task Detailed steps Complete these steps on DC1. Make sure you are logged on to the management portal of Manage.windowsazure.com. Configure Directory Integration Sign in to your Azure portal In the Windows Azure management portal, click ACTIVE DIRECTORY in the navigation bar. You may have to click OK in the command bar before proceeding. If the navigation bar text is not displayed, click the icon of a pyramid. Select the tenant you created and which now contains the publicly registered domain. Select DIRECTORY INTEGRATION at the top of the screen. At DIRECTORY SYNC click ACTIVATED Click Save at the bottom of the screen. When asked if you are sure to activate directory sync click Yes. Wait for the configuration change to complete. Page 47 Task Install Azure AD Sync Services Detailed steps Open Internet Explorer on DC1 and navigate to http://www.microsoft.com/enus/download/details.aspx?id=44225. Click Download. In the popup screen at the bottom of the screen Click Run. In the Welcome step select I agree to the license terms and click Install. In the Azure AD Credentials step enter the AAD Global Administrator credentials by using the admin account you created, admin@.onmicrosoft.com with the password of L@b@dm1n. The suffix for this username will tell AADSync which tenant to synchronize the users to in AAD. Click Next In the AD DS Credentials step use the following values: a. Forest: corp. b. Username: CORP\LabAdmin c. Password: L@b@dm1n Click Add Forest Click Next. In the User Matching window leave the default values and click Next. In the Optional Features step select Password synchronization and Password write-back. Click Next. In the Configure step click Configure. In the Finished step click Finish. Verify directory synchronization If not already open, navigate to https://manage.windowsazure.com from an InPrivate Internet Explorer browsing session. Click ACTIVE DIRECTORY in the navigation bar. Click the Azure AD tenant you are using for this training. Click on USERS to verify that all of the local Active Directory user accounts have been synchronized to Azure Active Directory. If they do not yet appear, refresh the screen until they do. Notice that local service accounts have also been synchronized to the directory. You will configure a filter during the next exercise to remove these from the scope of directory synchronization. Click the DIRECTORY INTEGRATION tab. Notice the directory synchronization status displayed in the LAST SYNC field. Launch synchronization service tool Log off and log back in to DC1 as CORP\LabAdmin. This is because the AADSync installation program added your account to the ADSyncAdmins group and therefore you need to refresh your Kerberos ticket. On Search type synchronization service In the tool main page, Click Connectors DoubleClick each connector, confirm with YES and Review the settings Close the tool Page 48 6.3 Explore the AAD Sync Services Tool and Perform Initial Synchronization In this exercise you will be introduced to the various interfaces for the AAD Sync Services tool, including the legacy Synchronization Service Manage console which is a revised version of the FIM Synchronization Service console and the new Synchronization Rules Editor. You will make customizations to the AAD Sync tool which include filtering for the AD DS connector and manually perform the initial synchronization runs to observe the behavior. After completing this exercise, you will understand: ▪ How to navigate the AAD Sync Services tool and perform basic customizations ▪ How to configure some simple synchronization rules ▪ How to manually execute synchronization runs Required Time: 15 minutes Task Detailed steps Complete these steps on DC1. Make sure you are logged on to the management portal of Manage.windowsazure.com. Log back in to DC1 to reflect your new group membership Explore the declarative synchronization rules for the tool ▪ On the DC1 VM, log off and log back in to DC1 as CORP\LabAdmin. This is because the AADSync installation program added your account to the ADSyncAdmins group and therefore you need to refresh your Kerberos ticket. In the DC1 VM, navigate to the Start screen | type Synchronization Rules Editor | hit Enter. Review the list of inbound synchronization rules. Select In from AD – User AccountEnabled | click Edit. Navigate through the various configuration sections. Those familiar with synchronization rule configuration in the FIM Portal will notice a strong similarity. Click Transformations and observe the inbound flows for the attributes which are required for authentication to Azure AD. Click Cancel. Select Outbound from the Rule Types menu on the left. Review the list of outbound synchronization rules, all of which are associated with the AAD connector. Notice that synchronization rules have been defined based on service, with each implementing the export attribute flows required for that particular service. Select Out to AAD – User Identity | click Edit. Click Transformations and observe the outbound flows for the attributes which are required for authentication to Azure AD. Notice that basic identity attributes are also included. Click Cancel. Select Out to AAD – User ExchangeOnline | click Edit. Page 49 Task Detailed steps Click Transformations and notice that this rule includes a much larger set of attribute flows to support Exchange, some of which are duplicated from the Identity User rule we just reviewed. When these flows are duplicated, synchronization rule precedence governs the authoritative transformation definition. Click Cancel. Configure attribute filtering in the corp. forest In the Synchronization Rules Editor, select Inbound from the Rule Types menu on the left. Select the In from AD – User Join synchronization rule for the corp. connector | click Edit. NOTE: This is the inbound synchronization rule which is responsible for projection of users to the Metaverse. We are going to expand the default scoping filter which already prevents projection of critical system objects in AD DS by also preventing projection of contingent workers in the corp. forest. We implemented this by filtering any user that has an account name that starts with “X” using declarative synchronization rules. Click Scoping filter in the left menu. Click Add clause. NOTE: Adding multiple clauses in a group creates an AND condition. Creating multiple groups creates an OR condition between them. Select sAMAccountName from the Attribute menu. Select NOTSTARTSWITH from the Operator menu. Type X in the Value field. Click Save. Explore the Synchronization Service Manager In the DC1 VM, navigate to the Start screen | type Synchronization Service | hit Enter. Notice that the Synchronization Service Manager console which is used by FIM and the DirSync tool is still present. This version of the console has been modified in a number of ways, but is still used for certain configuration activities such as the definition of domain or organizational unit filtering on AD DS connectors. It will also be used for the observation of synchronization operations. For those familiar with FIM notice that the Joiner tab has been removed and Management Agents are now called Connectors. Click Connector | double-click corp.. Click Connect to Active Directory Forest. Notice that the user name used to connect to the on-premises Active Directory forest is the LabAdmin account that you supplied to the configuration wizard. This behavior differs from that of the DirSync tool in that an account is not automatically provisioned by the configuration wizard. In a production deployment, you will want to supply a service account to the wizard. Click through the available tabs in the management agent designer. Notice that many of the configuration pages look identical to those in previous versions of the synchronization engine. However, the tabs to configure legacy synchronization rules for connector filter rules, join and projection rules, and attribute flow rules have been removed. Legacy synchronization rules have been fully deprecated in Page 50 Task Detailed steps AAD Sync Services. There is also no longer an option to define a management agent rules extension on the Configure Extensions tab. Click Cancel. Click Metaverse Designer | select person from the list of object types. Notice that, in the Actions menu on the right, there is no option to configure an object deletion rule for the object type. Object deletion is now exclusively managed via declarative synchronization rules and link type. Select any attribute from the list of attributes and notice that there is also no longer any way to configure attribute precedence in the Metaverse designer. This too is now exclusively managed via declarative synchronization rules. Configure filters on the AD DS connectors In the Synchronization Service Manager console, navigate to the Connectors tab. Right-click corp. | Properties. Click Configure Directory Partitions from the management agent designer. Click Containers | type L@b@dm1n in the Password field | click OK. Uncheck the root DC=corp,DC=,DC= container. Check the CORP folder. Expand CORP | uncheck the SERVICE ACCOUNTS organizational unit | click OK. Click OK. Perform the initial synchronization runs manually to observe the behavior In the Synchronization Service Manager console, navigate to the Connectors tab. Right-click corp. | Run | Full Import | OK. Notice that 63 objects are being deleted. These are the users and groups that are being filtered out as the result of changing the container that AADSync is reading from. Notice the groups with names starting with “ADSync”. These are the groups used to control access to AADSync and will be deleted from AAD in the next steps Right-click corp. | Run | Full Synchronization | OK. Notice that among the 63 objects deleted previously from the corp. connector space, 10 are deleted from the metaverse and 9 are disconnected from the .onmicrosoft.com connector space. Right-click .onmicrosoft.com - AAD | Run | Export. This operations flows the changes to AAD. You should see 9 objects being deleted. Double-click on Deletes and make sure that the objects listed are also deleted from your tenant in AAD. Right-click .onmicrosoft.com - AAD | Run | Delta Import. We are now confirming the exports to AAD. Note that you may get a warning telling you that you need to run a Full Import. This is because the very first time the connector is setup a full import must be run before running any delta import. Just run the Full Import in this case. NOTE: we did not have any contingent worker with a samAccountName starting with an ‘X’ in the OU that is in scope of AADSync, which is OU=USERS,OU=CORP,DC=CORP,DC=,DC=. But if you create such a user in that OU using Active Directory Users and Computers and you manually run the sync operations listed above, you will see that this user will not get provisioned to AAD. This is due to the filter based on the attribute samAccountName that we defined previously Page 51 7 Setup AAD Premium and Office 365 7.1 Assign AAD Premium Licenses Before your users or admins can use or configure AAD Premium features, you will need to assign them licenses. Read on to find out how you can quickly and easy assign licenses to individuals or groups of users Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of manage.windowsazure.com and have completed Section 2.4 Assign licenses to users Select Active Directory Select the Azure AD tenant you created. Select LICENSES at the top of the screen. Select Azure Active Directory Premium Change the Show filter from Assigned Users to All Users. Click the check mark on the right of the screen. Hold down the control key and select user , Admin, TestUser1, TestUser2, Bob and the Microsoft Account used to administer the tenant. Then click Assign from the bottom After successfully assigning the license, you will see a message at the bottom of your screen indicating success. That’s it! Now the admin can configure and use Azure AD Premium services. Assign a license to a group Navigate to the “licenses” tab of your directory if you aren’t there already. Select Azure Active Directory Premium Filter by “ALL GROUPS” You should see the groups that ADSync created in the on-premises Active Directory. These groups start with “ADsync” and were synchronized to your tenant in AAD. Notice that all the groups have their SOURCE FROM property set to Local Active Directory. You can assign licenses to the groups synchronized from your on-premises AD or you can create groups directly in AAD by going to your tenant and clicking on GROUPS at the top of the screen. We will see how to create groups in AAD in a latter section. Select the group Marketing. Click on the “Assign” button on the bottom of the screen once again. Now all members of that group as well as all new users or groups added to that group in the future will get a license for AAD Premium features. Verify license assignment was successful Go back one level by clicking on the arrow on the left. Click on the Configure tab at the top of your directory Page 52 Task Detailed steps Since password reset is one of the Azure AD Premium features, look for the user password reset policy section to see if your license assignment has taken effect for the global administrator account that you are currently logged in as. That’s it! If you can see this section, you have successfully assigned an AAD Premium license to your admin account. You can now configure and use AAD Premium services with this account. Customizing your directory branding Navigate to the “CONFIGURE” tab of your directory. Look under the “directory properties” section for the Customize Branding button. Click the Customize Branding” button. This will bring up a dialog which asks you to provide the default customized branding info for your organization. This default branding will be shown to every user in your organization. Download the sample branding images from OneDrive and save them locally: http://1drv.ms/1sdLC1q. Alternatively, you can create your own, noting the required image sizes. Upload the Banner logo and Sign in page illustration images by browsing to the files locally, Update the Sign in page text and Sign in page background color as you see fit. A color complementary to the logo color works well. In this case, I used #0059FF, which is blue-ish. Once you are finished setting these properties, click the check mark in the lower right to save your default branding settings. Page 53 Task Detailed steps Now that you have updated your branding configuration, users will see a branded experience when signing in to the Access Panel or O365. Also the branding will appear in any email that Password Reset sends on your organization’s behalf. Verify branding update was successful Navigate to https://portal.microsoftonline.com from an InPrivate Internet Explorer browsing session. If you are signed-in as a user, click the user name in the upper-right corner of the page | Sign out. In the username field of the Office 365/Azure Active Directory sign in page, type bob@.onmicrosoft.com | press Tab As soon as you type in your user name and click in the password field, you will now see your organization’s branded experience. 7.2 Create Test Groups in Azure AD In this section, you will create an Azure AD groups used for the later lab environment. Required Time: 5 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you still logged on to the management portal of Manage.windowsazure.com. Page 54 Task Create Azure Test Groups Detailed steps Start a new InPrivate Internet Explorer browsing session | Start Internet Explorer in the desktop | Right-click the Internet Explorer icon in the task bar | Select Start InPrivate Browsing. In the address bar of the InPrivate session, navigate to https://manage.windowsazure.com. Sign in with the email address associated with your Azure account. Click ACTIVE DIRECTORY from the navigation bar of the Windows Azure portal. Click on your directory name. At the top of the screen click on the GROUPS tab in your directory Click the “ADD GROUP” link at the bottom of the page to add a group. The dialog that will appear will ask for a group name and description. Use the name Admins TestGroup and provide a description of your choosing, and then click the checkbox to create your new group. We’ll use this group later to assign licenses, apps, and perform selfservice group management operations. That’s it! Now you have a group that you can add members to in order to easily control access to AAD Premium licenses, apps, and other features. Repeat the above for a group called Users TestGroup. Add Users to Azure Test Groups Go to the groups tab in your directory and click on the Admins TestGroup group you created by clicking the white arrow to the right of the group name. Assuming you have no members in this group already, you will see a message indicating as much. Click the ADD MEMBERS link at the top of the page or at the bottom of the page to add members to your group. A dialog will appear showing all the users in your directory, add the Admin account to the group by clicking their name to move them to the selected column and then clicking the checkbox to add them to the group. Note that you can also nest groups by changing the filter criteria at the top of this UI and selecting the “Groups” option. Repeat the above for the group Users TestGroup and add the users TestUser1, TestUser2, TestUser3, TestUSer4 and Bob Page 55 7.3 Assign Office 365 Licenses In this exercise you will be introduced to Office 365 license assignment. Once assigned an office 365 license, users will be able to authenticate and use Office 365 services. In the next paragraph you will then update your external DNS to enable your Office 365 email. After completing this exercise, you will understand: ▪ That users synchronized to Azure Active Directory are not automatically assigned licenses Office 365. ▪ How to assign AAD Premium and Office 365 licenses to users using the portal. Required Time: 15 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. Assign Office 365 licenses to synchronized users Navigate to https://portal.microsoftonline.com from an InPrivate Internet Explorer browsing session. Notice that the Windows Azure Active Directory sign in page is now branded for Office 365 instead of Windows Azure. Sign in with your Admin organizational account. a. User: Admin@.onmicrosoft.com b. Password: L@b@dm1n Click Users in the left navigation bar, then click Active Users. Select the Test User1, Test User2, Test User3, Test User4 employee user accounts. Click the pencil icon in the right panel to EDIT all selected users. Click Next. From the Set user location menu, select United States. Click Next. Select the Add to existing license agreements option. Select the Microsoft Office 365 Plan E3 option so all sub options are selected. Click Submit. On the results screen, verify that all edits completed successfully and click Finish. Repeat the same steps as previously but with the Admin user. This is because the portal does not let you modify your own information during a bulk edit. Verify authentication to Office 365 using Windows Azure Active Directory In the Office 365 administrative portal, click Admin in the upper-right corner | Sign out. Navigate to https://portal.microsoftonline.com Sign-in with the TestUser1@ account and the following password: L@b@dm1n Notice that the user is redirected to the on-premises ADFS for authentication. Explore the various Office 365 web applications as the test user. Click the user icon in the upper-right corner of the page | Sign out. Page 56 7.4 Configure DNS for Office 365 In this exercise you will be introduced to how to update your external DNS to enable your Office 365 email. After completing this exercise, you will understand: ▪ How to update your external DNS records to enable Office 365 features like email. Required Time: 45 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. Configure the domain for use with Exchange Online Navigate to https://portal.office.com from an InPrivate session and sign-in as admin@.onmicrosoft.com. Click on the Admin tile in the middle of the page. Click domains in the left navigation menu. Notice that the domain which you just registered with Azure AD is displayed. Click the Complete setup link to the right of your public domain. In Step 1 click Next In Step 2 notice how the domain in the users email addresses is going to be changed to the public domain that you registered with Azure AD. Make sure only TestUser1, TestUser2, TestUser3 and TestUser4 are selected. At the bottom of the screen click Update selected users. Make sure they are all selected! In Step 3 click on Skip this step as we do not want to add any new user to Office 365. Click Next Click Next to determine what DNS records we need for you GoDaddy domain. For people that are using GoDaddy. Automatically register records in your GoDaddy domain Continue from the same screen in the previous step. You can click on the arrow to see what will be configured on your GoDaddy domain. At the bottom of the screen click Add Records to have the wizard add them for you to GoDaddy.com. Otherwise you can choose to add them yourself by following the instructions provided below. You will then get prompted to enter your credentials for GoDaddy.com Click Accept to allow Office 365 to make the DNS changes to your public domain. If all goes well you will get a message telling you that your domain is all set. Click Finish. Note: Please be aware that it could take up to 24 hours before all services are working correctly. Replicate the DNS records for required Office 365 Exchange Online records in the private DNS zone Steps on DC1 a. Login to the DC1 as CORP\LabAdmin. b. From the start screen type DNS and click on the DNS application shown. Page 57 Task Detailed steps c. Expand DC1 | Forward Lookup Zones and click on . d. Right-click and click on New Alias (CNAME). e. Type autodiscover in the Alias name field. f. Type autodiscover.outlook.com in the Fully qualified domain name (FQDN) for target host field. g. Click OK. Steps in Office 365 administrator portal a. Switch to the Office 365 administration portal in Internet Explorer and click on DOMAINS and then select Manage DNS for your public domain. b. Locate the DNS record listing under the Additional Office 365 Records heading. i. Copy or write down the value from the HOST NAME field. ii. Copy the value from the POINTS TO ADDRESS field Steps on DC1 a. Login to the DC1 as CORP\LabAdmin. b. From the start screen type DNS and click on the DNS application shown. c. Expand DC1 | Forward Lookup Zones and click on . d. Right-click and click on New Alias (CNAME). e. Past the name you copied/wrote down from the HOST NAME field in the previous step in the Alias name field in the DNS management console. f. Past the name you copied/wrote down from the POINTS TO ADDRESS field in the previous step in the Fully qualified domain name (FQDN) for target host field in the DNS management console. NOTE: In a production environment, you would probably want to replicate the MX and SPF records in the local DNS zone, as well, for consistency and possibly application support. This isn’t necessary for our labs, so we’ll save some clicks. Replicate the DNS records for Additional Office 365 for Lync Online in the private DNS zone (Optional if Lync is used onprem) Steps in Office 365 administrator portal a. Switch to the Office 365 administration portal in Internet Explorer and click on DOMAINS and then select Manage DNS for your public domain. b. Locate the DNS records under Lync Online you have not added from the previous steps. c. Copy or write down the names, types and values of all DNS records Steps on DC1 a. Switch back to DC1 in the DNS management console b. Add all the Lync Online DNS records not yet added to the Forward Lookup Zones named . Test that the licensed users can access the Office 365 applications Navigate to https://myapps.microsoft.com from an InPrivate Internet Explorer browsing session. If you are signed-in as a user, click the user name in the upper-right corner of the page | Sign out. In the username field of the Azure Active Directory sign in page, type TestUser1@ | press Tab. Windows Azure Active Directory will redirect you to the sign in page for the AD FS instance you deployed in previous exercises. On the AD FS sign in page, sign in with a user name of TestUser1@ and the following password: L@b@dm1n Page 58 Task Detailed steps Make sure that from the Access Panel you have access to the two Office 365 applications: ▪ Exchange Online ▪ SharePoint Online Page 59 8 Enable Multi-Factor Authentication In this section, you will learn how to enable and configure MFA as an admin, register for MFA as a user, and finally test the resulting MFA experience. Required Time: 15 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com with a subscription administrator (MSA account). Enable Azure MFA Navigate to the CONFIGURE tab of your directory. Scroll down until you see the multi-factor authentication section Click on the manage service settings link. This will bring you to the multi-factor authentication administration portal. At the bottom of the first page, select the checkbox Allow users to suspend Multi-Factor Authentication by remembering their devices and keep the default set to 14 days. This will allow the user to remember a device when using MFA so they are not prompted for a second factor unless they come from an unknown device. Keep everything else set to defaults. Click the Save button to commit your changes. Once the operation completes, click the Close button to go back to the MFA administrative portal. Now, let’s enable the user account in your organization for MFA. Click on the USERS tab in the left top corner of the screen. On the next screen, click the check mark next to your user account (TestUser1), then click the enable link on the far right hand side of the screen to enable MFA for this user. When prompted for confirmation, click the enable multi-factor auth button. Click Close on the Updates successful dialog when it appears. The user account is now enabled for multi-factor authentication! The next time the user signs in, he or she will be asked to provide and confirm the authentication information that will be used to perform MFA from that point onwards. Register User for MFA Sign out of any existing sessions you have with the TestUser1 user account. Open a new in-private browsing session (so we do not interfere with the open management portal session you have). Navigate to http://myapps.microsoft.com. Sign in as the user TestUser1 (testuser1@) Page 60 Task Detailed steps After the user is authenticated through ADFS using username and password, the user is asked to provide additional security information: Your admin has required that you set up this account for additional security verification. Click on the Set it up now button On the next page, you can chose among 3 contact methods: a. Authentication phone b. Office phone c. Mobile app Select the Authentication phone contact method Select the method Send me a code by text message Your mobile phone number and country code should be pre-populated on this screen, as we registered them previously for SSPR. If for some reason they are not, please also enter them here. Click Contact me. Enter the 6 digit code that you receive on the next screen and click the Verify button. The next page is where you can configure app passwords. An app password is a password you can use instead of performing multi-factor authentication. This is needed on certain rich apps like Office client apps and phone mail clients to continue to access these accounts when MFA is enabled. For now, we’ll skip this, but you can always get back to it later by going to http://aka.ms/mfasetup, or by clicking the Additional security verification settings tile on the user’s Access Panel profile page. On the app passwords page, click Done. Once you click this button, you are done! You will now be prompted for MFA from now on when you sign in. After performing this step, your browser will refresh and bring you back to the sign in page. Enter the 6 digit text message that is sent again to your phone but do not select the checkbox Don’t ask again for 14 days because we need to test MFA again in the next exercise. This option allows Azure to remember the device in the future so that it does not prompt you for MFA the next time your sign-in (this is the configuration option you enabled earlier with the admin account). Enable additional MFA capabilities So far all the MFA capabilities that we played with are included as part of the Office 365 license that we sign up for at the beginning of this lab. As we have also enrolled our users for an Azure AD Premium license we can leverage additional Azure MFA capabilities, such as: Custom greetings during authentication phone calls Fraud alert MFA SDK Security Reports MFA for on-premises applications/ MFA Server. Page 61 Task Detailed steps One-Time Bypass Block/Unblock Users Customizable caller ID for authentication phone calls Event Confirmation IP Whitelist To configure these capabilities do the followings: Click on ACTIVE DIRECTORY in the left navigation bar of the Azure administrative portal and select your directory where you have enabled Azure AD Premium licenses for your users. Click on USERS Click on MANAGE MULTI-FACTOR AUTH at the bottom of the page. Click on Service Settings at the top of the page Click on Go to Portal at the bottom of the page. You should then see the following page where you can configure advanced settings and access Azure MFA reports. Make sure that the checkbox Allow users to submit Fraud Alerts is selected. In the text box Send fraud alert notifications to these email addresses, make sure you enter your email address. Click Save Click the other options available for customization on this page and evaluate them. Report Fraud Sign out of any existing sessions you have with the TestUser1 user account. Open a new in-private browsing session and navigate back to http://myapps.microsoft.com. Sign in as the user TestUser1 and when you are prompted for MFA click on Use a different verification option to switch to a phone call by clicking on Call me at +x xxxxxxxx… Page 62 Task Detailed steps When you answer your phone select 0# to report fraud. Close the browser and try to sign-in to the Access Panel again. Notice that you can authenticate through ADFS but the MFA fails with the error: Sorry, we're having trouble verifying your account. Please try again. Make sure that you received a fraud alert at the email address you configured above Unblock a user Go back to the Azure Multi-Factor Authentication administrative portal by clicking on Active Directory in the left navigation bar of the Azure administrative portal and by selecting the tab MULTI_FACTOR AUTH PROVIDERS. Then select the MFA provider you created previously and click on MANAGE. Click on the link Block/Unblock Users at the top of the left navigation bar. You should see Testuser1 listed. Notice that the block date and the reason why the user was blocked are provided. Click on Unblock in the ACTION column for that user. In the Unblock Reason text box displayed type in “For the sake of having fun” and click Unblock. Notice that the user was deleted from the list of blocked users. Open a new in-private browsing session and sign-in to http://myapps.microsoft.com as the user TestUser1. Notice that MFA now works for that user. Page 63 9 Integrate SaaS Applications 9.1 Integrate with Twitter through Password SSO Now that you have branded your directory, let’s integrate some applications! In this section, you’ll learn how to add a simple password single sign on application, assign some users and groups to it, and verify it’s working by accessing the access panel to see the application. Required Time: 15 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. Add SaaS application from gallery In Internet Explorer open a session for https://manage.windowsazure.com In the left hand pane scroll to scroll and select ACTIVE DIRECTORY Select the tenant you created. Navigate to your directory’s Applications tab. Notice that you can see the two Office 365 applications that you assigned to some of the users in this tenant: Once there, click on the ADD button at the bottom of the page. Click on the Add an application from the gallery option to open the Azure AD App Gallery. You can use the Azure AD App Gallery to easily add 2,455 (as 1/31/2015) different preintegrated SaaS applications to your Azure AD directory. Note that the 14 FEATURED APPLICATIONS displayed are the applications with which tight integration through federation and provisioning has been setup. Once there, search for Twitter. Note: you can use any app you like, it need not be twitter, just make sure you have an account already set up in that application you can use to test sign in. If you want to sign up for twitter for this demo, you can do so here: https://twitter.com/. Page 64 Task Detailed steps Once you find twitter, click the check box to add it to your Azure AD Directory That’s it! Now twitter has been integrated into your directory. Click on Configure single-sign-on. Notice that the application has already been integrated for Password Single-sign-On. You will now need to assign some users or groups to this app before those users will be able to see twitter on their Access Panel. Add users and groups to your application Click on the USERS AND GROUPS tab to see which users and groups have been assigned to Twitter. Select the group Users TestGroupSelect and then click the ASSIGN button at the bottom of the screen to grant the members of that group access to Twitter. On the next screen, click the checkbox. After you click the checkbox, the app assignment status will be reflected on the table on the previous screen. Now, when you come to the access panel as a test users and click the Twitter app, you will be asked to provide your credentials which will then be stored securely to allow you to perform single sign in from that point onwards. That’s it! Let’s now log into the Access Panel as one of the members of the group Users TestGroupSelect to see if the app shows up. Verify app assignment Open a new browser window (not private mode) and navigate to http://myapps.microsoft.com. Sign-in as the following user: TestUser1@ Once the access panel loads, you should see the twitter app in the application list. Since we did not specify credentials for this app on behalf of this user, we’ll need to provide them now. Click on the Twitter app. Once the access panel loads, you should see the twitter app in the application list. Page 65 Task Detailed steps Since we did not specify credentials for this app on behalf of this user, we’ll need to provide them now. Click on the Twitter app. If you have not already installed it, you will now be asked to install the Access Panel browser extension. If you already have the extension installed, skip this step. This extension allows you to securely store and retrieve passwords for your users in AAD, effectively enabling single sign in to cloud applications. Click on the green Install now button to begin the installation process. Important – This plug-in does not work when using a private browser mode. In Internet Explorer, click the “run” button to run the installation wizard. In other browsers, follow the instructions provided to install the browser extension. Click Next -> Install -> Finish on the extension setup wizard to install the extension (this will close any open Internet Explorer windows). Follow the instructions on the screen to complete installation of the browser extension (will require you to re-start internet explorer once again). Re-open internet explorer, navigate to myapps.microsoft.com, and sign in with your testuser1@ account again. Click on the Twitter application again When prompted, enter your twitter login information and click Sign in. After you click Sign in, twitter will open in a new tab. Now, every time you come back to the access panel, you can click on twitter to access the app without having to enter your password. 9.2 Integrate with Google Apps through Federation SSO For those of you who have time and want to have some more fun, you can refer to the appendix “Rich Application Integration with Azure AD” for how to integrate with one of the 14 “Featured Applications” that we currently support, such as Google Apps. Page 66 10 Using Self –Service Features (Azure AD Premium) Now that you have integrated an app and added some users to it, let’s try enabling some self-service features and then test them with the user account you created previously. 10.1 Self-Service Password Reset In this section, we’ll enable and configure password reset so that users in your organization can easily recover their passwords if they have forgotten them Required Time: 30 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. Enable Password reset self service In Internet Explorer open a session for https://manage.windowsazure.com In the left hand pane scroll to scroll and select ACTIVE DIRECTORY Select your Azure Active Directory bij clicking on the name. Navigate to the CONFIGURE tab of your directory Look for the user password reset policy section. Set the Users enabled for password reset toggle to YES to reveal the rest of the password reset configuration. Set the password reset policy AUTHENTICATION METHODS AVAILABLE TO USERS to allow: ▪ Mobile Phone ▪ Alternate Email Address ▪ Security Questions Keep NUMBER OF AUTHENTICATION METHOD REQUIRED to 1. Change NUMBER OF QUESTIONS REQUIRED TO REGISTER 4. Change NUMBER OF QUESTIONS REQUIRED TO RESET to 3. Enter the 4 SECURITY QUESTIONS ▪ If you have trouble defining them you can use: Page 67 Task Detailed steps i. What number comes after 1? ii. What number comes after 2? iii. What number comes after 3? iv. What number comes after 4? Set REQUIRE USERS TO REGISTER WHEN SIGNING IN TO ACCESS PANEL to YES Change the NUMBER OF DAYS BEFORE USERS MUST CONFIRM THEIR CONTACT DATA to never which is 0. Set the CUSTOMIZE “CONTACT YOUR ADMINISTRATOR” link to YES and enter a properly formatted custom email address in the “CUSTOM EMAIL ADDRESS OR URL” input box (it does not need to be a real email address for the purpose of this lab. Scroll down to the Notifications section. Set the NOTIFY USERS AND ADMINS WHEN THEIR OWN PASSWORD HAS BEEN RESET to YES. This setting will result in an email being sent to the primary and alternate email addresses of a user or admin when their password is reset. Verify your settings are correct and then click the Save button at the bottom of the screen to commit your changes. In just a few clicks, you enabled password reset for every user in your organization. Now users with an AAD premium license can register for password reset so that they can reset their own password if ever they forget it. Register for Password Reset Open a private browsing session (simply so we do not interfere with the open management portal session you have). Navigate to http://myapps.microsoft.com. Sign in as: testuser1@ with the Password of L@b@dm1n Because you enabled the option REQUIRE USERS TO REGISTER WHEN SIGNING IN TO ACCESS PANEL in the previous step, as soon as the user signs in a prompt is displayed allowing the user to register for password reset. Click on the Verify now button to start the Self Service Password Reset registration process. Once you click verify now, you will see a page where you can provide authentication information that will be verified, securely saved, and used to perform any future password reset operations. Click on set it up now for all the authentication methods presented to see what the end-user experience is like. After you have successfully provided information for all 3 authentication methods and this information has been verified you will see a green checkbox next to the following: a. Authentication Phone is set to … b. Authentication Email is set to …. c. 4 Security Questions are configured Page 68 Task Detailed steps Note: users can also register by going to https://aka.ms/ssprsetup, or to the profile tab and clicking the Register for Password Reset tile. Both of these experiences will take through the same registration experience you just went through. These options also allows end users to change their contact information or the answers to their security questions without having to contact helpdesk. Test Password reset In the same browser session you used to register for password reset, sign out of your session by clicking the sign out link on the user account dropdown found in the upper right hand corner of your screen. On the sign in page, enter the username of the user who just registered for password reset and then click on the link Can’t access your account?. This will bring you to the password reset portal. Note: you can also get to the password reset portal by going to https://passwordreset.microsoftonline.com to reset your password directly. Enter the username (testuser1@) and the characters you see in the captcha image and click Next. Since you registered 3 different methods of validating your identity, you will be able to use any of them to reset your password. Select the call my mobile phone option. Enter your full mobile phone number (including country code) and click Call. A spinner will appear indicating the call has been placed. Wait for the call on your phone and answer it when it arrives. Once you receive the call, press the # key on your keypad to verify the request. Once the request has been verified, the page will refresh, and you will be allowed to select a new password. Enter a new password (L@b@dm1n1), confirm it, and click the finish button to save it to the directory. Note: if you get an error telling you that “This password does not meet your corporate password policy” even though you entered a strong password, it is because the Minimum password age is set to 1 day in the Default Domain Policy for corp.. In other word, Azure AD enforces the password policy of the on-premises AD DS. Sign back in with the new password If you see the access panel screen, congrats, you’ve just successfully reset a password with a few clicks. Note: as you just experienced it, the password reset operation is not subject to the AADSync synchronization cycle. It takes effect immediately as Azure AD flows the password through a secure service bus to AADSync, which sets it on a domain controller. Lastly, check your email. Because we enabled the option NOTIFY USERS AND ADMINS WHEN THEIR OWN PASSWORD HAS BEEN RESET, you’ll see an email sent from Microsoft informing you that your password has been reset. 10.2 Self-Service Group Management In this section, you’ll learn how to enable the delegated group management feature and configure it to your liking. Page 69 Required Time: 5 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. Enable Group Management Back in the Azure Management Portal, navigate to the CONFIGURE tab of your directory Scroll down until you see the group management section. Set DELEGATED GROUP MANAGEMENT ENABLED to YES Set USERS CAN CREATE SECURITY GROUPS to YES Set USERS WHO CAN USE SELF-SERVICE FOR SECURITY GROUPS to SOME and enter the group name: Users TestGroup. Set USERS CAN CREATE O365 GROUPS to YES Set USERS WHO CAN USE SELF-SERVICE FOR O365 GROUPS to SOME and enter the group name: Users TestGroup. Set ENABLE DEDICATED GROUPS to YES. Dedicated groups are groups whose membership is automatically calculated. The only one available for now is “All Users”. Set ENABLE “ALL USERS” GROUP to YES Leave DISPLAY NAME FOR “ALL USERS” GROUP the same. Click the save button at the bottom of the screen. Now your users can request to join groups that others create, as well as create their own groups, by using the Access Panel 10.3 Group Approval Workflow Before users can request to join a group, a group owner must be specified, and the group type must be set to owner approval required. In this section, you’ll learn how to specify a group owner in the admin portal and set its group type to “owner approval required” in the access panel. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. Setup a group Click on the GROUPS tab of your directory Notice that the All Users groups was added because you selected the option ENABLE “ALL USERS” GROUP. Select the admin owned group you created earlier (Admins TestGroup) Click on the OWNERS tab. Click on the ADD OWNERS link, or the ADD OWNERS button at the bottom of the screen Click the TestUser1 account to add it as an owner of the admin group, then click the checkbox to commit the changes to the directory. Page 70 Task Detailed steps Now the TestUser1 owns this group. Next, we will set the group to require owner approval when users request to join it. Sign-in as TestUser1 to myapps.microsoft.com Once the Access Panel loads, click the Groups tab. Notice the Admins TestGroup is listed. Click on it. Click on the Edit tile. In the dialog that appears, change the Group policy setting to This group requires owner approval and click the Update button Now, any user can request to join this group, which is subject to approval by the group owner, who is TestUser1. Request to join a group requiring owner approval Sign-in to the Access Panel as TestUser2 with the password L@b@dm1n You will be prompted to verify your contact information. You can click on the green button displayed and then click cancel. Click on the groups tab in the Access Panel. Click on the link list all groups to see the groups that you are not an owner. Click on the group Admins TestGroup Click on the tile Join group. You should see the following message displayed: A request to join has been sent to the owner of the group. Owner approves the request Sign-in to the Office 365 portal (https://portal.office.com) as the owner of the group, who is TestUser1. Click on the Outlook tile. Set the Language and the Time Zone and click on save. Make sure you have received an email from [email protected] with the subject Someone wants to join your group. In the body of the message you should see: Security group name: Admins TestGroup Requestor: TestUser2 Act on this Request Click on the link Act on this Request. You should get redirected to the approval page of the Access Panel for the user TestUser1. You should see the group Admins TestGroup waiting for your approval. Select the group and either click on the Approve or Deny button. Page 71 Task Detailed steps Requestor receives an approval or denial notification Sign-in to the Office 365 portal (https://portal.office.com) as the requestor TestUser2. Click on the Outlook tile. Set the Language and the Time Zone and click on save. Make sure you have received an email from [email protected] with either of the following subjects: ▪ Your group membership request was approved, in case the group owner TestUser1 clicked on the Approve button in the previous step. ▪ Your group membership request was denied, in case the group owner TestUser1 clicked on the Deny button in the previous step. 10.4 Azure Reports In this section, we’ll explore our current reporting capabilities and learn how you can generate some sample data for your tenant. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. View reporting features Select your directory and navigate to the REPORTS tab in the Azure Management Portal. On this page, you will see all the reports AAD Premium has to offer. Check out this documentation to learn more about each one: http://msdn.microsoft.com/library/azure/dn283934.aspx View activity reports On the reports page, find the ACTIVITY LOGS section and click on the PASSWORD RESET ACTIVITY report. Page 72 Task Detailed steps On the confirmation dialog, click the checkbox next to it is acceptable for admins in my organization to view this data and then click the check mark in the lower right to confirm. If you followed the walkthrough from the beginning, you will see a password reset request for the TestUser1 user account. Now, click on the Password reset registration activity report on the left hand side of the screen. If you followed the walkthrough from the beginning, you will also see a password reset registration request for TestUser1. There are lots of other reports you can play with from this location, but most of them will take some time (4+ hours) to have initial data generated. The data generation starts when you opt in for the reporting capability, so definitely come back in a few hours and check out the other activity reports to see all the cool data you generated! View application usage reports Navigate to the APPLICATIONS tab in the Azure Management Portal. Click on the Twitter app. Click on the DASHBOARD tab. On this tab, you can see the usage that has been generated for the twitter app from this walkthrough. View user activity reports Navigate to the USERS tab in the Azure Management Portal. Click on TestUser1. Click on the ACTIVITY tab for this user On this tab, you can see individual user sign-ins and other activities for TestUser1. Note: it will take some time for rich data to be generated, so if you want to see detailed usage reports, come back in a few hours and all the data will show up. View Azure MFA reports Go back to the Azure Multi-Factor Authentication administrative portal by clicking on Active Directory in the left navigation bar of the Azure administrative portal and by selecting the tab MULTI_FACTOR AUTH PROVIDERS. Then select the MFA provider you created previously and click on MANAGE. You will see the list of reports available in the left navigation bar. Click on Fraud Alert and you should see an entry for TestUser1 as shown below. Page 73 Awesome, you now have a working Azure AD Premium and Azure MFA demo environment with lots of cool features enabled! Why don’t you try creating some more users, assigning licenses to them and exploring all the cool features Azure AD Premium has to offer! Azure AD Premium overview Set up Azure AD Synchronization from your on-premises directory Add applications to your Azure Active Directory Add users to your Azure Active Directory Add groups to your Azure Active Directory Configure self-service password reset with on-premises writeback Configure self-service group management Add your own custom domain Customizing your Azure AD Premium Tenant’s branding View and access usage and security reports Publish applications from your on-premises environment to Azure AD Manage Azure AD using Windows PowerShell Configuring Advanced Multi-Factor Authentication Settings Page 74 11 Protecting Data With Azure RMS Microsoft Azure RMS can be deployed as a service hosted in Microsoft Azure that protects sensitive information from unauthorized use. Unlike traditional protection methods, such as firewalls and ACLs, Azure RMS protection is persistent; it remains with the information no matter where it goes or how it is transported. Content authors can determine both which users are authorized to access a certain piece of protected content and also what they are authorized to do with that content. For example, a content author might dictate that a certain group can open, but cannot copy, edit, or print a sensitive document. Azure RMS provides the following benefits: ▪ Safeguards your confidential information from unauthorized users ▪ Restricts user permission in a granular manner, such as rights to Print, Copy, or Save the content ▪ Persistent protection remains with the information, no matter where it goes or how it is transported ▪ Works together with other Microsoft products, such as Exchange and SharePoint, to automate the protection of sensitive information ▪ Protection options are integrated into Microsoft Office products for easy adoption by end users ▪ No server infrastructure to scale and maintain with the hosted service ▪ Simplified collaboration with other Office 365 users outside the organization. Important: This lab is designed to be run from a computer that is using RMS technologies for the first time. If you have already used RMS in your computer, you will need to clear your client configurations so you can activate RMS with the accounts used in this lab. There’s a script in the appendix that can clear your client RMS configurations so you can run this lab. Clearing your client configurations won’t cause data loss, and running the same script at the end of the lab will leave you in a state where you can get back to your original working configuration. 11.1 Configure Azure RMS The following section outlines how the configure Azure RMS Required Time: 20 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you still logged on to the management portal of Manage.windowsazure.com. Enable Rights Management Start a new InPrivate Internet Explorer browsing session | Start Internet Explorer in the desktop | Right-click the Internet Explorer icon in the task bar | Select Start InPrivate Browsing. Page 75 Task Detailed steps In the address bar of the InPrivate session, navigate to https://manage.windowsazure.com. Click ACTIVE DIRECTORY from the navigation bar of the Windows Azure portal. In the menu on the top of the screen click RIGHTS MANAGEMENT Select the same Azure AD tenant as the one you have been using so far and click ACTIVATE Create & Configure a Policy Click the directory that you just activated for Rights Management In the top of the screen click TEMPLATES. You will see two templates already created and Published for your tenant. These are default templates with the most commonly used options. You cannot delete or edit these templates, but you can Archive them (make them disappear from your users’ view) or copy them, or you can create new templates altogether. We will use this option. Click on the Add button at the bottom bar. Select the language in which you want the name and description of the template to be. You can add other languages later. This enables the templates to be displayed in the same language your users have their clients set to. In the Name field enter “TestUser1 and TestUser2 Read-Only”. Notice that while template can be named in any arbitrary fashion, it is recommended that the template names are aligned with the organizations information management policies and that they should briefly describe the type of protection users should expect from the policy. This name will be shown in your users client applications policy list when they use RMS (e.g. in the Protection menu in Office). In Description enter a descriptive text explaining what the policy does. This will be shown at the top of every document that is protected with the policy so it needs to be aimed at the recipients of the policy. Click the check mark on the right of the screen to add the template. Observe that the template is now included in the template list. Click on the template name to be taken to the template properties. You can follow the Quick Start wizard to populate the template properties, but we will do it manually. Click on Rights to add users and rights to the policy. Click on the Add button at the bottom to add people to the policy and indicate their rights. Normally you would want to add groups as recipients of a policy template, but since we haven’t created any mail-enabled groups in this tenant, we will select the Users option instead. In the SHOW drop down list select Users and click on the check mark to the right to make the list of users show up. Click on TestUser1 and TestUser2 on the list. They will be added to the list on the right. Click on the right arrow at the bottom. Select the Viewer option. This will grant both TestUser1 and TestUser2 the right to view content protected with the template, but not to copy, print or edit it. Click on the check mark at the bottom right to finish the creation of the template. After a few seconds you will see your users listed in the policy. You can now click on the Configure option on the upper bar to enter more policy options. Observe that the template is in Archived state. This means that it won’t be shown to users. We will switch it to the Published state before finishing. In the Name and Description section add names and descriptions in more languages if you want. In the Content Expiration option select the third option and enter the number 30 in the field on the right, so content will expire 30 days after it has been protected by this policy. This will make the content inaccessible to all users but the original author. Page 76 Task Detailed steps In the Offline access section select that content will be available for three days after it is opened. This is generally a good balance between flexibility and control since it will allow you to revoke content or track its usage with reasonable accuracy, once those options are released in the portal. Note that additional options will be made available on this page in the future, such as the ability to limit template visibility to specific authors via the Scoped Templates feature. Click on the Publish option to make the template visible to users. Click on the Save icon at the bottom to make all these changes effective. Validate if RMS is working Create an Office document as TestUser1 or TestUser2 and validate the templates are available. 11.2 Creating and Consuming Protected Content We will first look at how to securely share an Office document, and will do the same for an image file. In this scenario, we will apply a protection policy that will grant a specific user permission to view a document. This user will be able to open and read the contents of the document but will be unable to edit, copy, or print the document. All other users, both internally and externally, will not be able to open the document. After completing this exercise, you will understand: ▪ How to protect sensitive documents from unauthorized access and use ▪ How users open RMS-protected content and how permissions are enforced ▪ How the RMS App can extend protection to files of any file type Required Time: 20 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you still logged on to the management portal of Manage.windowsazure.com. Create & Configure a Policy Complete these steps by connecting to the Internet from your own computer. Page 77 Task Detailed steps Note: if you are already using RMS in your computer (either because you are using AD RMS, RMS for Individuals or Azure RMS) you will need to clear your IRM configuration first in order to execute these exercises against the tenant you created. For this you will have to delete the following folders: %localappdata%\Microsoft\MSIPC %localappdata%\Microsoft\DRM And the following registry keys: HKLM\Software\Microsoft\Office\(12.0|14.0|15.0)\Common\DRM HKLM\Software\WoW6432Node\Microsoft\Office\(12.0|14.0|15.0)\Common\DRM HKLM\SOFTWARE\WoW6432Node\Microsoft\MSIPC\ServiceLocation HKLM\SOFTWARE\Microsoft\MSIPC\ServiceLocation HKLM\Software\Microsoft\MSDRM\ServiceLocation HKCU\Software\Microsoft\Office\(12.0|14.0|15.0)\Common\DRM HKCU\Software\WoW6432Node\Microsoft\Office\(12.0|14.0|15.0)\Common\DRM And the following registry values: HKCU\Software\Microsoft\Office\15.0\Common\DRM\DefaultServerURL HKCU\Software\Microsoft\Office\15.0\Common\DRM\DefaultServer First we will install and launch the RMS Sharing app for Windows. Now we will protect a document using the Sharing app. Log on to your client computer. Navigate to http://www.microsoft.com/en-us/download/details.aspx?id=40857 and download and install the RMS Sharing app for Windows. Follow the instructions on screen to complete the installation. Use File Explorer to find an Office file you want to protect. Any Word, PowerPoint or Excel file (that is not already protected) will work. You can create a file and add some random text to it, or you can use any pre-existing file you have. If you plan to use a pre-existing file, it is recommended to work on a copy of the file so you do not affect your original file. Right-click on the file and look at the context menu. Observe that you can choose multiple options such as Share protected and Protect in Place. We will first use the Protect in Place option to protect the file in its current location. Observe that within the Protect in Place option you see a list of policy options. Choose the policy Company-defined Protection. If you get prompted for your credentials enter the ones for TestUser2@ with the password L@b@dm1n. If the authentication is successful you should be able to see the template that your previously defined for you tenant as shown below: Page 78 Task Detailed steps Select the template TestUser1 and TestUser2 Read-Only and click on the Apply button. Wait until the operation finishes. You will notice that the file doesn’t change its icon, name or file extension. Double-click on the file to open it. Once the file opens in Word, you will see a yellow banner on the top of the screen that highlights the fact that the file is now protected. Click on the View Permissions… button. Observe that, despite the file having been protected with a restrictive policy, you still have full control rights on the document. This is because, as the author and owner of the file, you retain full control over the file (just as you have access to the source content in unrestricted form). If a different user tried to open this file, they would see the rights restrictions in place, and they would not be able to print the file or copy content from it. You will try this at a later step in this exercise. Let’s protect the document using the Share Protected option. Open Microsoft Office Word. Enter some words into a blank document and save it. From the File Explorer find the document, right click on it and select Share Protected. If prompted, enter your password and click the Remember my credentials option. In the Users field enter TestUser1’s email address: TestUser1@. Select a permissions level of Viewer. Select the option to expire the document and enter a date that is two weeks in the future. Select the checkbox Email me when someone tries to open this document. Review the other options and click Send. Review the email that was just created and observe that it is an unprotected email with a protected copy of the file in an attachment. Also observe that an additional protected file was created in .PPDF format. This file contains the same contents as the original file and it is protected with the same policy as the file you protected, but it is encoded in a format that is viewable in the RMS Sharing app. This file is useful to users that need to view the file in a device that doesn’t natively support protected Office files. Before sending the file add your personal or business email address to the To… line of the email. This will not grant that account rights to the attachments since you didn’t specify that account when selecting a protection policy, but it will allow you to receive the documents in your devices without having to configure an extra email account. Click Send. Page 79 Task Let’s protect a text file using the RMS Sharing app. Detailed steps Create an empty text file with Notepad, or an image file with MS Paint or some other application. Save it to your desktop. You can also use a pre-existing text or image file you already have. Right-click on the file and select the Share Protected option. Enter Testuser1’s email address, choose a Viewer protection level and leave the other options at their defaults. Click on Send and review the resulting email. Observe that the attachment in the email now has a special file extension starting with the letter P (e.g. a .ptxt file extension for a .txt source file), denoting this is a protected file. Add your personal or business email address to the To… field on the email as you did before so you can receive this file on your devices. Click Send. Now we will open the protected document as an authorized user from a mobile device. Notice that TestUser1 has permission to view the document, but cannot edit, copy, save, or print the contents. Azure RMS Service enforces permissions at a granular level so that you can control both who has access to a particular document and what they can do with it. Unauthorized users will not be able to open this document. In your mobile device (Android, iOS or Windows Phone) go to the corresponding application store and download and install the “RMS Sharing” app. It is a free app from Microsoft. Note: if you don’t have a mobile device running on one of these platforms at hand you can run the cleanup script at the Appendix of this document and perform the following operations in your Windows desktop. Go to https://myapps.microsoft.com and sign-in as TestUser1.Click on the Office 365 Exchange Online tile. You should have received the emails you sent to TestUser1 when performing the Share Protected operations. Open the first email. You will notice the instructions to access the documents, which involve signing up for the Azure RMS service (using RMS for individuals if your organization doesn’t have an account), but you can skip those steps since you have already created a tenant for your lab users. You will notice the two attachments, the first one in an Office format, the second one in PPDF format. If your device has an application able to open protected Office files you can open the first attachment. If your device doesn’t have yet such an application, you can open the .ppdf file. For this exercise you will use the .ppdf file. Depending on your device you will be asked for an application to open the file. Choose the RMS Sharing app. When the RMS Sharing app is launched, you will be prompted to enter a user’s email address. Enter TestUser1’s email address. When prompted, enter the user’s password. When the document opens see that you can view the document and navigate through it, but you can’t edit or copy from it. Click the RMS icon at the bottom of the screen to view the rights that are granted to your user. Close the app and repeat the same steps for the other email, opening the text or image file you protected. Verify that the experience is as expected. 11.3 Protecting Data in Motion With Exchange IRM Azure RMS integration with Exchange Online extends the scope and feature set of both technologies. We have previously demonstrated how you can create and consume protected email messages to ensure the secure messaging of sensitive information. However, Exchange Online integration with Azure RMS also Page 80 enables automatic protection of sensitive information, decryption of protected messages in transit, and other features that enhance the administrator and end users experience. Microsoft RMS Service integration with Exchange Online extends the scope and feature set of both technologies. We have previously demonstrated how you can create and consume protected email messages to ensure the secure messaging of sensitive information. However, Exchange Online integration with Microsoft RMS Service also enables automatic protection of sensitive information, decryption of protected messages in transit, and other features that enhance the administrator and end users experience After completing this exercise, you will understand: ▪ How to enable IRM features in Exchange Online ▪ How Exchange IRM features can automatically protect sensitive content in transit using built-in transport rules and data loss prevention capabilities ▪ How Exchange IRM features can be used natively in Outlook Web Access Required Time: 20 minutes Task Detailed steps Complete these steps by connecting to the Internet from your own computer. First we must enable IRM in Exchange Online via Windows PowerShell. When entering these commands, remember that you can copy them from the lab manual and paste them directly into the lab environment. Log on to your computer. Bring up the Start menu, click Search, type Windows PowerShell in the Apps field, rightclick Windows PowerShell and click Run as Administrator to open Windows PowerShell. Enter the following command and press Enter: $LiveCred = Get-Credential Enter the email address and password of your tenant’s administrator. Enter the following command and press Enter: set-executionpolicy remotesigned Type Y and press Enter to proceed. Enter the following command and press Enter: $Session = New-PSSession ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic – AllowRedirection Enter the following command and press Enter: Import-PSSession $Session Enter the following command and press Enter: Enable-OrganizationCustomization In the current implementation of Exchange Online IRM, Exchange needs a copy of your tenant keys in order to be able to work with protected content. Enter the following command and press Enter: Set-IRMConfiguration –RMSOnlineKeySharingLocation "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc" Note: if your tenant is hosted in a region other than North America replace “ na” with “eu” for Europe, “ap” for Asia-Pacific or “sa” for South America. Enter the following command and press Enter: Import-RMSTrustedPublishingDomain RMSOnline -name "RMS Online" Enter the following command and press Enter: Set-IRMConfiguration InternalLicensingEnabled $true. This enables IRM support in Exchange Online. Enter the following command and press Enter: Get-IRMConfiguration Page 81 Task Detailed steps Verify that the values for InternalLicensingEnabled, ExternalLicensingEnabled, JournalReportDecryptionEnabled, ClientAccessServerEnabled, and SearchEnabled are all set to True. You can now use the IRM features in Exchange Online. Now let’s review the end user experience in Outlook Web App. We will create a new protected email. Notice that you can create a protected message natively in OWA without downloading any software or hotfixes. Then we will open the protected email in OWA. You can create and consume protected messages in any browser that supports the Outlook Premium Experience. Sign in as TestUser1 to the Access Panel http://myapps.microsoft.com. Click on the Office 365 Exchange Online tile. Click New Mail to create a new mail message. Enter the TestUser2 email address and your own Microsoft email address in the To field. Enter Protected Message in OWA in the Subject, and enter some text in the body of the mail. Click the ellipsis (…) button, click Set permissions, and select the template that you previously created TestUser1 and TestUser2 Read-Only. Notice the banner that appears; the recipient of this message will be able to read the message but will not be able to edit, copy or print the message. Click Send to send the message. Click on the Persona icon on the upper left and select Sign Out. Sign back in to Outlook as TestUser2 and make sure you can read the body of the message with the subject Protected Message in OWA. Notice that you cannot print the email. Now try to read the same email sent to your corporate Microsoft mailbox. You should not be able to read it. Users can forget to apply protection to sensitive information. Transport Protection Rules apply RMS protection to emails in transit based on triggers configured by the administrator. In this demo, we will create a transport protection rule that automatically protects messages that contain the phase “Project Alpha”. Then we will create and send an unprotected message that contains this phrase. We will review the message as the recipient and verify that it has been protected by the transport protection rule. Open Internet Explorer and navigate to https://login.microsoftonline.com. Log in to Office 365 with the email address and password of the administrator account for your tenant. Click on the Admin tile to open the Office 365 admin center. Select Exchange in the left navigation bar. Under the mail flow section click on rules. In the details pane, click the plus (+) button and click Apply rights protection to messages to open the new rule dialog box. In the Name field enter Project Alpha rule. From the Apply this rule drop down menu select The subject or body and then select subject or body includes any of these words. In the Specify words or phrases dialog box, enter Project Alpha in the field, click the plus (+) button, and click OK. Click on the Select One link located to the right of the Do the following drop down menu. Confirm that the Confidential View Only template is selected and click OK. Review the additional options available and click Save. Sign out and sigh back in as TestUser2. Click on Outlook and click New Mail to create a new mail message Enter TestUser1 in the To field, enter Project update in the Subject field, and enter in the Body the following line: Hi TestUser1, the plans for Project Alpha will proceed without delay. Notice that the message is unprotected and click Send. Page 82 Task Detailed steps Wait until the message leaves the outbox and Sign Out. Log in to Office 365 Exchange Online with TestUser1’s email address and password. Click Outlook. Open the message with the subject line Project Update. Notice that Exchange has applied the Confidential View Only template to the message in transit, based on the words contained within the email. Notice that you cannot reply or forward the message and that the same would have happened if the message had been sent from a rich Outlook client or a mobile device. Exchange Online has builtin data loss prevention capabilities that integrate with Azure RMS Service. In this lab, we will create a policy to help our users adhere to U.S. HIPAA regulations. Then we will modify the transport rules created by this policy to protect messages with a rights policy template. Open Internet Explorer and navigate to https://login.microsoftonline.com. Log in to Outlook as the admin. Click on the Admin tile and then click on Exchange in the left navigation bar to open the Exchange admin center. Under compliance management click on data loss prevention. Click the plus sign button and select New DLP Policy from Template. In the Name field, enter HIPAA and in the Description field, type This policy helps us adhere to the U.S. Health Insurance Act. Under Choose a template, select U.S. Health Insurance. Click Save. In the details pane, select the new policy and click Enforce. In the Warning dialog box, click yes. Go back and under Exchange select rules under mail flow. Notice that the rules section has been populated with various transport rules that apply to the U.S. Health Insurance Act. Select U.S. HIPAA: Scan email sent outside – low count and click the Edit button. Review the configuration. This transport rule looks for messages that contain social security numbers. Under the Apply this rule if drop down, click The sender and then select is external/internal. In the select sender location dialog box, select Inside the organization and click OK. Under the Do the following drop down, select Modify the message security and select Apply rights protection to open the select RMS template dialog box. Select the Confidential View Only template and click OK. Click Save and sign out from the portal. Log in as testuser2 and click on Outlook. Click New Email to create a new mail message. Address the message to Testuser1. Enter Contractor info in the Subject line and enter Hi TestUser1, the social security number for the new contractor is 609-90-9090 in the body of the message. Notice that the message is not protected. Click Send. Sign out from Outlook Web Access. Sign back in as TestUser1 to Outlook. Open the message with the subject line Contractor Info and notice that it is protected with the Confidential View Only policy template. The message triggered the DLP policy we created earlier. Close the message and sign out from OWA. Page 83 12 SP1: Claims-Based Access & Resource Publication The following section will guide you through the process of configuring the environment and SharePoint 2013 to support claims-based access to internal network resources in a secure and reliable manner. This lab will require the use of DC1, WAP1 and setup SP1, including an external device that may be used to verify that resources are accessible from outside the network. 12.1 SP1: Manually Create a SharePoint Virtual Machine Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the Azure management console. Create a Open IE in Private mode and logon to your Azure Management portal. Click Virtual Machines on the left panel. Click New at the bottom left of the window. Click From Gallery. Select SharePoint Server 2013 Trial. Click Next. On Blade 1 of virtual machine configuration page complete the following: ▪ ▪ ▪ ▪ Virtual machine Name: SP1 Size: A3 (4 cores, 7Gb memory) New User name: LabAdmin New Password: L@b@dm1n Click Next. On Blade 2 of the virtual machine configuration page complete, the following: ▪ Select the cloud service created for the lab earlier ▪ Select the same storage account created for the lab earlier Click Next. On Blade 3 of the virtual machine configuration page, complete the following: ▪ Select Install the VM Agent ▪ Microsoft Antimalware Click the check mark to commence provisioning the virtual machine. Once SP1 is completely provisioned, select the virtual machine in the Azure management console, then click the Connect button at the bottom of the page. In the remote desktop client, enter the credentials for SP1\LabAdmin, with the password used in Step 5. Page 84 Task Detailed steps Join the system to the internal domain. The server is now ready for use during a later lab. NOTE: Avoid being charged for this virtual machine by clicking the Shutdown button in the Azure management console to de-provision the resources it is consuming. 12.2 DC1: Configure DNS In this activity, create the DNS records for internal and external access to the intranet-hosted resource. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to DC1 Configure intranet A Record This task will enable internal users to access the site using the BYOENTMOBLAB url. Login to DC1 as CORP\LabAdmin Open the DNS Manager Expand the Forward Lookup Zones Expand corp. Create an A record for BYOENTMOBLAB for the IP address of SP1. Leave the DNS Manager open. Configure external A Record This task will allow the split-brain DNS to forward requests to the internal IP address. Expand the zone Create an A record for BYOEntMobLab for the IP address of SP1 Close the DNS Manager. Configure Hosting Provider This task will allow external users to reach the external A record hosted on the corporate DNS server. Log in to your domain registrar’s portal Create BYOENTMOBLAB as a CNAME to the STS A record 12.3 DC1: Configure ADFS This activity will walk through the creation of the required relying party trusts and claim issuance and transform rules required to implement a claims provider for SharePoint. Page 85 Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Configure the Relying Party Trust This task will configure a relying party trust. The relying party trust defines how the AD FS recognizes the relying party application and issues claims to it. In this case, the relying party is our SharePoint web application for the intranet that will be configured in a later activity. Login to DC1 as CORP\LabAdmin From the Start screen, Select Administrative Tools then AD FS Management. Expand Trust Relationships  Relying Party Trusts. In the Actions pane, click Add Relying Party Trust. At the Welcome step, click Start. At the Select Data Source step, click the 3rd radio button – Enter data about the relying party manually. Click Next. At the Specify Display Name step, type SharePoint Internal in the Display name field. Click Next. On the Choose Profile step, select AD FS Profile. Click Next. On the Configure Certificate step, click Next. On the Configure URL step, check Enable support for the WS-Federation Passive protocol. In the Relying party WS-Federation Passive protocol URL field, type https://BYOEntMobLab./_trust/ Click Next. On the Configure Identifiers step, specify the Relying party trust identifier as urn:sharepoint:BYOEntMobLab. The format of urn:*:* is important and should be noted. Click Add. Click Next. On the Configure multi-factor Authentication Now? select to not configure the capability and click Next. Click Next to accept Permitting all users to access the relying party Click Next to add the trust. Ensure that the check box for automatically opening the claim Rules is checked before clicking Close. Configure Issuance Transform Rules This task will configure how AD FS sends values of a Lightweight Directory Access Protocol (LDAP) attribute as claims and specify how the attributes will map to the outgoing claim type that will be used by the relying party. On the Issuance Transform Rules tab, click Add Rule. a. Select the Send LDAP Attributes as Claims template. Click Next. Enter a name for the new claim rule to be created such as SPIntranet - AD From the Attribute store drop-down, select Active Directory. In the Mapping of LDAP attributes to outgoing claim types section, under LDAP Attribute, select E-Mail-Addresses. Under Outgoing Claim Type, select E-Mail Address. Move to the next line in the table. Page 86 Task Detailed steps Under LDAP Attribute, select User-Principal-Name. Under Outgoing Claim Type, select UPN. Click Finish, and then click OK. This has now defined that the two LDAP attributes (E-Mail-Addresses and User-Principal-Name) will be mapped to Claim Attributes (E-Mail-Address and UPN) respectively. Install and Export the Token-Signing certificate This task will export the token signing certificate of the AD FS server with which you want to establish a trust relationship, and then copy the certificate to a location that SharePoint 2013 can access. In the AD FS Management console, expand Service  Certificates Under the Token-signing section double click on the certificate listed to open it. Click Install Certificate. In the Store Location section, select Local Machine, click Next. Select Place all certificates in the following store. Click Browse. Select Trusted Root certification Authorities. Click OK. Click Next. Click Finish. Click OK in the message box indicating that the certificate import was successful. Open the certificate again and click on the Details tab of the certificate. Click Copy to File. Click Next. Select DER encoded binary X.509. Click Next. In the File name field enter \\SP1\C$\ADFS.cer. Click Next Click Finish. Click OK to indicate that the export was successful. Click OK. Install the TokenDecrypting certificate This task will import the token signing certificates to the trusted root authority list that resides on the SharePoint Server. Login to SP1 as CORP\LabAdmin Double click the token signing certificate that you previously exported. Click Install Certificate. In the Store Location section, select Local Machine. Select Place all certificates in the following store. Click Browse. Select Trusted Root certification Authorities. Click OK Click Next. Click Finish. Click OK in the message box indicating that the certificate import was successful. Click OK. Configure the ADFS Token lifetime This task is performed to ensure that a known issue related to the relying token timeout and intermittent ADFS authentication issue, does not occur in this lab. A second part of the resolution is performed on SharePoint in a later lab as part of a script. Page 87 Task Detailed steps Login to DC1 as CORP\LabAdmin Start an elevated PowerShell host. Run the following cmdlet: Set-AdfsRelyingPartyTrust -TargetName "SharePoint Internal" -TokenLifetime 5 The command is successful if there is no error. 12.4 WAP1: Configure WAP This activity will configure the Web Application Server to publish the internal resource website externally. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to WAP1 Publish the internal SharePoint site externally This task will publish the internal SharePoint site externally through the Web Application Proxy. It uses the ADFS configuration completed in the previous activity. It will perform pre-authentication where the user is authenticated by ADFS before a claim is sent to the SharePoint server. Login to WAP1 as CORP\LabAdmin From the Start screen, select Administrative Tools  Remote Access Management. On the left of the window, select Web Application Proxy. From the Task pane on the right of the window, click Publish. On the Welcome step, click Next. On the Preauthentication step, select Active Directory Federation Services (AD FS). Click Next. On the Relying party step, select SharePoint Internal. This information has been retrieved from the AD FS server configuration we performed earlier. Click Next. On the Publishing Settings step enter: a. Name: SharePoint Internal b. External URL: https://BYOEntMobLab. c. External Certificate: *. d. Backend server: https://BYOEntMobLab. Click Next. Click Publish. Click Close. The WAP will now accept inbound requests for our internal SharePoint site. Page 88 12.5 SP1: Install SQL Server Express This activity will guide you through the installation of SQL Express 2014 to support the configuration of SharePoint 2013. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to SP1. Setup the Farm Configuration Database Login as corp\LabAdmin on SP1 Download SQL Server Express 2014 from http://download.microsoft.com/download/E/A/E/EAE6F7FC-767A-4038-A95449B8B05D04EB/Express%2064BIT/SQLEXPR_x64_ENU.exe Once downloaded, start the installation of a New Instance, ensuring that the changes below are made to the installation on the mention pages of the installation wizard: a. Feature Selection – select all features b. Instance Configuration – select the Default Instance radio button Complete the installation. 12.6 SP1: SharePoint Farm Initial Configuration This activity will perform the initial configuration of SharePoint 2013 to host the single server implementation. Required Time: 20 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to SP1 Setup the Farm Configuration Database SharePoint uses a central configuration database for all server participating in the farm. This task will setup and populate the configuration database. From the start screen type SharePoint 2013 Central Administration In the SharePoint Products Configuration wizard popup dialogue, click Yes Click Next, then Yes in the popup dialogue box. On the Connect to a Server page, select Create a New Server Farm. Click Next On the Database settings page, enter SP1 in the Database Server field Enter the username corp\LabAdmin and password L@b@dm1n On the Specify Farm Security Settings page, enter the Passphrase P@ssw0rd and confirm it. On the Web Application configuration page, click Next. Page 89 Task Detailed steps Click Next to commence the configuration. SharePoint will now create and configure the configuration database for the single server SharePoint 2013 implementation. On the Configuration Successful page click Finish. A web page should automatically open titled Help Make SharePoint Better. Click No, I don’t wish to participate. Click OK. On the Welcome page, click Start the Wizard At Service Account, select Use existing managed account Uncheck all checkboxes under Services Click Next The initial farm configuration will complete. On the Create Site Collection page, type Intranet into the Title field Click OK to create the site collection Once the provisioning is complete, click Finish. Configure Alternate Access Mappings SharePoint exposes different URLs, depending on whether content is being accessed from an internal or external location. More information about Alternate Access Mappings may be found at the following link: https://technet.microsoft.com/en-us/library/cc288609.aspx. On the left side of the window, click Application Management. Under Web Applications, click Configure alternate access mappings. Click Edit Public URLs. On the Alternate Access Mapping Collection click on No Selection and change it SharePoint – 80. Verify or configure the following parameters and values: a. Default – http://sp1 b. Intranet – http://BYOEntMobLab c. Internet – https://BYOEntMobLab. Click Save. Configure SSL From the Start screen type IIS and select Internet Information Services (IIS) Manager. Select SP1 (CORP\LabAdmin). In the Feature pane, open Server Certificates. From the Actions pane on the right, select Create Domain Certificate to start the Create certificate wizard. The Common name MUST be BYOENTMOBLAB. The completion of other fields is mandatory, but the values ae irrelevant for this lab. Click Next. Click Select. Select corp-DC1-CA from the list. Click OK. Type BYOENTMOBLAB for the Friendly name of the certificate. Click Finish. Note the presence of the newly issued certificate in the Server Certificate pane. Navigate to SP1 (CORP\LabAdmin) | Sites | SharePoint – 80 in the Connections pane on the left. From the Action pane on the right, select Bindings. Page 90 Task Detailed steps In the Site Bindings window, click Add. In the Type dropdown box, select https. In the SSL Certificate dropdown box, select BYOENTMOBLAB, which is the certificate that was requested earlier. Click OK. Click Close. The SharePoint site is now configured to work with HTTPS. Close the IIS Manager console. Verify the SSL Configuration Using any of the IaaS provisioned servers, start Internet Explorer. Navigate to https://BYOEntMobLab.. Provide the credentials for corp\LabAdmin if prompted. Access will be denied. Verify that http://sp1 is also accessible. 12.7 SP1: Configure Claims Provider in SharePoint This activity will guide you through the creation of a claims provider in SharePoint 2013, and verify the configuration demonstrating resource publication and claims-based access. Required Time: 30 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to SP1 Install the AD FS Token Signing certificate Right click the Token Signing certificate at C:\ADFS.CER. Select Install Certificate from the context menu. In the Store Location section, select Local Machine. Select Place all certificates in the following store. Click Browse. Select Trusted Root certification Authorities. Click OK. Click Next. Click Finish. Click OK in the message box indicating that the certificate import was successful. Create the Claims Provider for SharePoint The tasks below will configure the following: ▪ Define a unique identifier for claims mapping. Typically, this information is in the form of an e-mail address and the administrator of the trusted STS will have to provide this information because only the owner of the STS knows which claim type will be always unique for each user ▪ Create a new SPTrustedTokenIssuer (register the federation service as a trusted issuer of tokens for SharePoint) From the Start screen type SharePoint, right click on SharePoint 2013 Management Shell and select Run as Administrator. Copy the following PowerShell script into notepad on the SP1 server, modifying only those items that are highlighted in yellow. Page 91 Task Detailed steps $CertPath = "C:\ADFS.cer" # Corresponds to the exported certificate path $realm = "urn:sharepoint:BYOEntMobLab" # Corresponds to the ADFS relying party configuration ealier in the lab $signinurl = "https://sts./adfs/ls/" $ClaimProviderName = "BYOENTMOBLAB ADFS" $ClaimProviderDescription = "Claim provider for ADFS" <# DO NOT MODIFY THE SCRIPT BELOW THIS LINE #> Add-PSSnapin Microsoft.SharePoint.PowerShell #Import ADFS Token Signing Certificate $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath) New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert # Setup Claim Mapping – define the claims that will be used $map1 = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" IncomingClaimTypeDisplayName "Account ID" –SameAsIncoming $map2 = New-SPClaimTypeMapping "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" IncomingClaimTypeDisplayName "Role" –SameAsIncoming $map3 = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress” IncomingClaimTypeDisplayName "Email Address" –SameAsIncoming # Setup ADFS realm and login URL # Create SharePoint Tusted Token Issuer $ap = New-SPTrustedIdentityTokenIssuer -Name $ClaimProviderName -Description $ClaimProviderDescription -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2,$map3 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType $ap.Update() # The following lines implement the SharePoint configuration for the know issue related to the login loop between ADFS and SharePoint. $sts = Get-SPSecurityTokenServiceConfig $sts.LogonTokenCacheExpirationWindow = (New-TimeSpan –minutes 1) $sts.Update() iisreset Save the modified file as C:\SP-ClaimProvider.ps1 In the SharePoint 2013 Management Shell host, perform the following commands: Set-ExecutionPolicy bypass –Force C:\SP-ClaimProvider.ps1 SharePoint is now configured with trusted identity token issuer that is the ADFS server in this lab. Update the SharePoint Web Application This task will configure an existing web application to use SAML sign-in. this will be done by changing the trusted identity provider in the claims authentication type section. From Start screen type SharePoint and select SharePoint Central Administration application. Click Application Management. Under Web Applications, select Manage web applications. Click SharePoint – 80. In the ribbon, click Authentication Providers. In the Authentication Providers window, click Default. In the Edit Authentication window, scroll to Claims Authentication Types. Select Trusted Identity provider. Select BYOENTMOBLAB ADFS. Scroll to the bottom of the window and click Save. Now wait for the window to return to the Authentication Providers window. Do not click save multiple times. The SharePoint site is now configured to use the ADFS server as a trusted identity provider. Page 92 Task Detailed steps Grant Access to ADFS Users This task adds the users’ email addresses with appropriate permissions to the web application to allow authentication by using an email addresses as their SAML-based identity. Using any of the IaaS provisioned servers, start Internet Explorer. Navigate to https://SP1 From the Sign In dropdown box, select Windows Authentication. Provide the credentials for corp\LabAdmin if prompted. If you see an OK button in the lower right corner of the screen, click on it. That will finish setting up the site by creating default groups. In page titled People and Groups: Set Up Groups for this Site, click OK. Click the gear icon at the top right of the window. Click Site Settings. Under Users and Permissions, click Site Permissions. Click Intranet Site Members. Click New. In the text box, enter the email address for TestUser1 as TestUser1@. Click Share. If prompted to select from multiple options, hover over the entries in the drop down box and select the entry that begins with BYOENTMOBLAB ADFS. Click System Account at the top right of the window. Click Sign Out. Close Internet Explorer. Demonstrate a ClaimBased Access Externally This task will demonstrate the claim-based access to the SharePoint application, and verify that the authentication is based on a claim. On an internet connected device outside the IaaS lab, start an In-Private Internet Explorer session. Navigate to https://BYOEntMobLab.. From the signin dropdown box, select BYOENTMOBLAB ADFS. Provide the username as TestUser1@ and the corresponding password. Verify that access is obtained. The claim may be verified by clicking on the email address at the top right of the window, then clicking My Settings. Review the Account Information and correlate the encoding with the information provided at Section Error! Reference source not found. (SharePoint 2013 Claims Encoding) in the Appendix. Sign out from the application, then close the browser session. Remove the Sign In dropdown box Through all the exercises, both NTLM and ADFS were used as authentication methods. This is observed by the Sign In dropdown box and is the default authentication page for the SharePoint Application. In this task, the application will be configured to only use claims authentication. From the desktop, start the SharePoint Central Administration application. Click Application Management. Under We Applications, select Manage web applications. Click SharePoint – 80. Page 93 Task Detailed steps In the ribbon, click Authentication Providers. In the Authentication Providers window, click Default. In the Edit Authentication window, scroll to Sign In Page URL. Select Custom Sign In Page. Type /_trust/default.aspx in the URL field. Scroll to the bottom of the window and click Save. Now wait for the window to return to the Authentication Providers window. Do not click save multiple times, as the SharePoint motto says – “please be patient”. Repeat accessing the internal resource from an external device and verify that the Sign In dropdown box is no longer present. Page 94 13 CM1: Configure MDM with Hybrid Setup (CM+Intune) Hybrid Setup (CM+Intune) (Skip this section if you are setting up an Intune-Only Scenario!) The following section outlines how the Configuration Manager server will be installed and configured. The server 13.1 CM1: Create the Virtual Machine This section outlines how to create the virtual machine to be used for Configuration Manager Server CM1. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Create NDES1 VM Select Virtual Machines. Select “+ NEW” in the bottom left. Select From Gallery Make sure Windows Server 2012 R2 Datacenter is selected and the arrow “->” to the next screen. In the Virtual machine configuration window in Virtual Machine Name type the Virtual Machine Name called “CM1” In the Virtual machine configuration window type the New User Name called “LabAdmin” In the 2nd screen of the Virtual machine configuration window type the New Password and Confirm with the password “L@b@dm1n” or any other password you prefer. Please note that Azure does not except commonly used usernames and passwords. Go to the next (3rd) screen by selecting the arrow “->”. In the 3rd and last screen of the Virtual machine configuration window select the Cloud Service that you created earlier (e.g “emslabservice”). If you created a Storage Account earlier select the Storage Account (e.g “emslabstrorrageaccount” or have a Storage Account being created automatically. Go to the next (4th) screen by selecting the arrow “->”. In the 4th and last screen of the Virtual machine configuration window select Microsoft Antimalware under Security Extensions and leave the remaining settings as is. Select to complete the wizard by clicking “tick symbol” in the bottom right of the screen. Select to complete the wizard by clicking “tick symbol” in the bottom right of the screen. Page 95 13.2 CM1: VM – Configure and Join CM1 to the CORP domain. This section will outline how to join CM1 to the Corp domain. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Join the CM11 VM to the Corp domain. Make sure you are logged on to the management portal of Azure.microsoft.com. Select Virtual Machines . Select CM1 and click Connect at the bottom of the screen. Logon to WAP1 with “.\LabAdmin” with the password “L@b@dm1n Open Server Manager Select Local Server Turn off IE Enhanced Security Configuration by clicking on On and selecting Off for Administrators and Users. (for later) Click on WORKGROUP in the Workgroup field. In the Computer Name tab click Change. In the Member of field make sure Domain is selected. In the Domain field type in Corp.. E.g. Corp.devicedemo.net. and click OK. For User name use LabAdmin and password type L@b@dm1n . Click OK. In the Computer Name/Domain Changes window click OK. Click OK to reboot the computer. Click Close to close the System Properties window. Click Restart Now. 13.3 CM1: VM – Install Azure PowerShell and Configure a Static IP In this section will outline how to install the Azure PowerShell extensions on CM1 and configure a static IP address for CM1. Page 96 Note: Before continuing with the following sections, it is recommended to update CM1 with all the latest updates from Microsoft Update. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Install Azure Powershell and configure static IP Select Virtual Machines. Select “CM1” and click Connect at the bottom of the screen. Logon to CM1 with “LabAdmin” with the password “L@b@dm1n” Open Server Manager Select Local Server Install Azure PowerShell by going to the direct installation here: http://go.microsoft.com/fwlink/p/?linkid=320376&clcid=0x409 When the warning appears in Internet Explorer select Run In the Microsoft Azure PowerShell window select Install In the Prerequisites step, select I Accept. In the Finish step, select Finish. In the Web Platform Installer 5.0 select Exit. Open the Azure PowerShell command prompt running as administrator type AddAzureAccount and provide the username and password of the Azure Administrator configured for the subscription. If more than one subscription is shown, please select the Azure subscription you are using by typing: Select-AzureSubscription [-SubscriptionName] Set Static IP Address (DIP) for the VM as described in Configure a Static Internal IP Address (DIP) for a VM at http://msdn.microsoft.com/en-us/library/azure/dn630228.aspx. Open Azure Powershell , your commands should look like: a. IPCONFIG /all (assuming your IP address is now 10.0.0.6) b. Test-AzureStaticVNetIP –VNetName VirnetMobility –IPAddress 10.0.0.6 c. Get-AzureVM -ServiceName -Name CM1 | SetAzureStaticVNetIP -IPAddress 10.0.0.6 | Update-AzureVM 13.4 CM1: Install and Configure SCCM This section outlines how we Install and configure Configuration Manager on CM1. Required Time: 60 minutes Page 97 Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Connect to CM1 Select Virtual Machines . Select CM1 and click Connect at the bottom of the screen. Logon to CM1 with Corp\LabAdmin. Install and Configure IIS Open Server Manager. To open Server Manager, click Server Manager on the Start screen, or Server Manager in the taskbar on the desktop. In the Quick Start tab of the Welcome tile on the Dashboard page, click Add roles and features. Alternatively, you can click Add Roles and Features on the Manage menu. On the Before you begin page, click Next. On the Installation type step, click Role-based or Feature-based installation, and then click Next. On the Server Selection step, click Select a server from the server pool, verify that the target computer is selected, and then click Next. On the Server roles step, click Web Server (IIS), and then click Next. On the Add Roles and Features window select Add Features On the Select server role step, click Next. Note: The required prerequisites are preselected for you. You do not have to click any other features. On the Features step select .Net Framework 3.5 Features. Select Background Intelligent Transfer Services (BITS). On the Add Roles and Features window select Add Features Select Remote Differential Compression Click Next. In the Web Server Role (IIS) click Next. Under Security select: a. Basic Authentication. b. IP and Domain Restrictions c. URL Authorization d. Windows Authentication Expand Application Development and select: a. ASP b. ASP 3.5 i. c. On the Add Roles and Features window select Add Features ASP 4.5 i. On the Add Roles and Features window select Add Features Under Management Tools select a. Management Service Page 98 Task Detailed steps b. IIS Management Scripts and Tools c. Expand IIS 6 Management Compatibility and select: i. IIS 6 WMI Compatibility Click Next Click Install Click Close Connect to DC1 Select Virtual Machines . Select “DC1” and click Connect at the bottom of the screen. Logon to DC1 with “LabAdmin”. Create System Container in ADSI Edit Go to Server Manager Click Tools Click ADSI Edit In the left pane right click ADSI Edit and select Connect to… Click OK Click Default naming context … and expand Default naming context … Rich click CN=System select New and select object Select container In the Value: field enter System Management Click Next Click Finish In the menu DoubleClick System Right-click System Management Select Properties Click the Security Tab. Click Add Click Object Type Make sure Computers is selected Enter CM1 under Enter the object names to select and click Check Names Click OK In the Permissions for CM1 select Full Control for Allow Click Advanced Select the Permission Entry for CM1 (Corp\CM1) and click Edit Under Applies to: make sure This object and all descendant objects is selected. Click OK Page 99 Task Detailed steps Click OK Click OK Connect to CM1 Select Virtual Machines . Select “CM1” and click Connect at the bottom of the screen. Logon to CM1 with “LabAdmin”. Download SQL Server and System Center Configuration Manager Start a new InPrivate Internet Explorer browsing session | Start Internet Explorer in the desktop | Right-click the Internet Explorer icon in the task bar | Select Start InPrivate Browsing. In the address bar of the InPrivate session, navigate to http://msdn.microsoft.com Login to you MSDN Subscription by clicking Sign in Use your MSA account to sign in. In the menu click Downloads In the menu click MSDN subscription Access Under Quick Links click Download Software Under SQL Server click SQL Server 2012 with SP2 Click Download for SQL Server 2012 Enterprise Edition with Service Pack 2 (x64) - DVD (English) ISO Click Save as Select Desktop to save the ISO In the menu select Subscriber Downloads Under System Center click System Center 2012 R2 Standard/Datacentre Click Product Key Copy or write down the Product Key Close the Product Keys window. Click Download for System Center 2012 R2 Configuration Manager (x86 and x64) - DVD (Multiple Languages) ISO Click Save as Select Desktop to save the ISO Extend the Schema for Configuration Manager Goto the Desktop of CM1 Double-click mu_system_center_2012_r2_configuration_manager_x86_and_x64_dvd_2926949 Select the SMSSETUP folder in Explorer Page 100 Task Detailed steps Click the BIN folder in Explorer Click the X64 folder in Explorer Right-click the file extadsch.exe and select Run as Administrator Install SQL Server Go to the Desktop of CM1 Double-click en_sql_server_2012_enterprise_edition_with_service_pack_2_x64_dvd_4685849 In Explorer double-click setup In the SQL Server Installation Center window select Installation. Select New SQL Server stand-alone installation or add features to an existing installation In the Setup Support Rules click OK In the Product Key window click Next In the License terms window select I accept the license terms and click Next In the Setup Role step click Next a. Note: If the Computer restart required window appears, click OK and reboot the computer and run the setup again after CM1 has rebooted. i. After a reboot and running Setup again the setup will also check for Product Updates. In the Product update window click Next. ii. In the Setup Support Rules step click Next. iii. In the Product Key window click Next iv. In the License terms window select I accept the license terms and click Next In the Feature Selection step select: a. Database Engine Services b. Client Tools Connectivity c. Management Tools- Basic d. Reporting Services Click Next In the Installation Rules step select Next In the Instance Configuration step select Next In the Disk Space Requirements step click Next In the Server Configuration step: a. Change the Startup Type of the SQL Server Agent to Automatic. b. Change the Startup Type of the SQL Server Browser to Automatic. c. Change the Account Name for the SQL Server Database Engine to Network Service i. Click Browse to enter a new account ii. In the Select User, Service Account, Group, or Built0in security principal box enter Network service iii. Click Check names iv. Click OK d. In the Collation tab make sure SQL_Latin1_General_CP1_CI_AS is selected and click Next Page 101 Task Detailed steps In the Database Engine Configuration click Add Current User Click Next In the Installation Configuration Rules step click Next In the Ready to Install step click Install. In the Complete step click Close Install the Windows Assessment and Deployment Kit (Windows ADK) for Windows 8.1 Update Start a new InPrivate Internet Explorer browsing session | Start Internet Explorer in the desktop | Right-click the Internet Explorer icon in the task bar | Select Start InPrivate Browsing. In the address bar of the InPrivate session, navigate to http://www.microsoft.com/enUS/download/details.aspx?id=39982. Click Download In the Status bar that appears select Run In the Specify Location window select Next In the Join the Customer Experience Improvement program (CEIP) click Next. In the License Agreement window select Accept. In the Select the features you want to install: a. Select User State Microsoft Tool (USMT) b. Unselect Windows Performance Toolkit c. Unselect Windows Assessment Services d. Unselect Windows SQL Server 2012 Express Click Install Once installation has completed click Close Install Configuration manager 2012 R2 On the desktop of CM1 double click mu_system_center_2012_r2_configuration_manager_x86_and_x64_dvd_2926949 Select the SMSSETUP folder in Explorer Click the BIN folder in Explorer Click the X64 folder in Explorer Right-click the file setup.exe and select Run as Administrator In the Before You Begin window click Next In the Getting Started window select Use typical installation option for stand-alone primary site and click Next In the Configuration Manager window that appears answer the question with Yes. In the Product key window enter the product key you have coped or written down in the earlier step. Click Next In the Microsoft Software License terms select I accept these license terms. Click next In the Prerequisites Licenses window make sure all selection boxes are selected. Page 102 Task Detailed steps In the Prerequisite Downloads make sure Download required files is selected and click Browse. Expand This PC Expand Local Disk (C:) Select Local Disk (C:) Click Make New Folder Name the folder SCCMPrerequisites Click OK In the Prerequisite Downloads click Next In the Site and Installation Settings for the Site code: enter P01 and for the Site name: enter Primary Site 1 Click Next In the Customer Experience Improvement Program window select I don’t want to join the program at this time. Click Next In the Settings Summary windows click Next. After the Prerequisite check has completed click Begin Install After the installation has completed click Close Install Cumulative Update 3 for System Center 2012 R2 Configuration Manager Restart CM1 Start a new InPrivate Internet Explorer browsing session | Start Internet Explorer in the desktop | Right-click the Internet Explorer icon in the task bar | Select Start InPrivate Browsing. In the address bar of the InPrivate session, navigate to http://support.microsoft.com/kb/2994331. Click Hotfix Download Available In the Status bar that appears select Run In the Agreement for Microsoft Serviced page click I Accept In the Hotfix Request page, ensure that under step 1 the hotfix is selected and under step 2 an e-mail address is used you have access to from CM1. Fill in the remaining part of the screen and click Request Now. Go to your inbox of the email address provided from CM1. Download the hotfix from the link in the bottom of the email and save it to the desktop by clicking Save As Click Run When the Window called Microsoft Self-Extractor appears click Continue In the window to select a folder enter c:\temp and click OK. After successfully unzipping all the files click OK If the Configuration Manager Management console is still open make sure it is closed. Page 103 Task Detailed steps With File Explorer navigate to c:\Temp and right click CM12-R2CU3-KB2994331-X64-ENU And select Run as Administrator. In the Welcome screen of CU3 click Next. In the Microsoft Software License Terms ensure I accept these license terms and click Next. In the Prerequisite Check step ensure all statuses are successful and click Next. In the Console Update Option screen ensure the Install the update for the Configuration Manager console is selected and click Next. In the Site Database Update step ensure Yes is selected and click Next. In the Deployment Assistance Options step ensure all checkboxes are selected and click Next. In the Update Package for Configuration Manager Servers keep the default values and click Next. In the Update Package for Configuration Manager Consoles keep the default values and click Next. In the Update Package for Configuration Manager Clients keep the default values and click Next. In the Setup Summary step click Install. After all tasks have been completed successful click Next. In the Installation Complete setup click Finish. Note: The CULevel value is located under the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Setup The CULevel value is set to 3 for Cumulative Update 3. Configure Boundaries On CM1 Go to the Start screen Type Configuration Manager and click Configuration Manager Console In the Configuration Manager console click Administration. Expand Hierarchy Configuration Right-click Boundaries Click Create Boundary In the Create Boundary window for Network select Active Directory site In the Active Directory site name: click Browse Select the Default First Site-Name Click OK Click OK to close the Create Boundary Window Click Boundary Groups Select Create Boundary Group from the Ribbon. For the Name field enter Boundary Group Corp Click Add Select Default First-Site-Name Click OK Page 104 Task Detailed steps Click OK to close the Create Boundary Group window. Configure Discovery Methods Under Administration – Overview – Hierarchy Configuration select Discovery Methods Right-Click Active Directory System Discovery and select Properties In the Active Directory System Discovery Properties select Enable Active Directory System Discovery In the Active Directory System Discovery Properties window click the star . Click Browse In the Select New Container window make sure Corp is selected and click OK Select Discover Objects in Active Directory Groups Click OK Click OK to close the Active Directory System Discovery Properties. Click Yes when asked if you want to run a full discovery now. Click OK Right-Click Active Directory Forest Discovery and select Properties Select Enable Active Directory Forest Discovery Select Automatically create Active Directory site boundaries when they are discovered. Click Yes when asked if you want to run a full discovery now. Click OK Right-Click Active Directory User Discovery and select Properties Select Enable Active Directory User Discovery At Active Directory Containers select the yellow star . In the Path: click Browse Select Corp Select Discover Objects in Active Directory Groups Click OK Click OK If you are asked to run a full scan select yes. Right-Click on Network Discovery and select Properties Check Enable network discovery Select Topology, client, and client operating system Click OK Validate the users and devices are discovered. In the Navigation Pane select Assets and Compliance Select Users In the Ribbon select Refresh. Notice the users discovered. Select Devices Page 105 Task Detailed steps In the Ribbon select Refresh. Notice the Devices (servers running in Azure IAAS) discovered. 13.5 CM1: Install and Configure CM2012 R2 SP1 This section outlines how we Install and configure Configuration Manager 2012 R2 Service Pack 1. This is also required to get support for Windows 10. Note: If you have a System Center 2012 R2 Configuration Manager installation, you need to use the System Center 2012 Configuration Manager SP2 media. Required Time: 15 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Connect to CM1 Select Virtual Machines . Select CM1 and click Connect at the bottom of the screen. Logon to CM1 with Corp\LabAdmin. Download System Center 2012 R2 Configuration Manager Service Pack 1 Start a new InPrivate Internet Explorer browsing session | Start Internet Explorer in the desktop | Right-click the Internet Explorer icon in the task bar | Select Start InPrivate Browsing. In the address bar of the InPrivate session, navigate to http://msdn.microsoft.com Login to you MSDN Subscription by clicking Sign in Use your MSA account to sign in. In the menu click Downloads In the menu click MSDN subscription Access Under Quick Links click Download Software Note: If you have a System Center 2012 R2 Configuration Manager installation, you need to use the System Center 2012 Configuration Manager SP2 media. In the Search box type: System Center 2012 Configuration Manager with Service Pack 2 Click Download for System Center 2012 Configuration Manager and Endpoint Protection with Service Pack 2 (x86 and x64) - DVD (Multiple Languages). Click/select on Save as Page 106 Task Detailed steps Select Desktop to save the file Click Product Key Copy or write down the Product Key Close the Product Keys window. Install Service Pack 1 Go to the desktop of CM1 Double-click System Center 2012 Configuration Manager and Endpoint Protection with Service Pack 2 (x86 and x64) - DVD (Multiple Languages). Open Explorer and double-click to E:\SMSSETUP\BIN\X64\Setup.exe. In the Before You Begin page click Next In the Getting Started page make sure Upgrade this Configuration Manager site is selected and click Next In the Microsoft Software License Terms make sure I accept these license terms and click Next. In the Prerequisite Licenses page select all 3 check boxes and click Next In the Perquisites Downloads make sure Download Required files is selected and for the path click on Browse and browse to C:\SCCMPrerequisites and click OK In the Perquisites Downloads click Next In the Server Language Selection page make sure English is selected and click Next In the Client Language Selection page make sure English is selected and click Next In the Settings Summary page click Next After the Prerequisite Check you can ignore the Warnings and click Begin Install After the Upgrade is completed click Close 13.6 CM1: Connect to Microsoft Intune Subscription in Configuration Manager This section outlines how to create the Microsoft Intune Subscription from Configuration Manager. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Page 107 Task Detailed steps Connect to CM1 Select Virtual Machines . Select “CM1” and click Connect at the bottom of the screen. Logon to CM1 with “LabAdmin”. Create a Collection for Mobile Users In the navigation pane of the Configuration Manager console click Assets and Compliance Expand User Collections In the Ribbon click Create User Collection In the Name field enter Mobile Users Click the Browse button Click Next In the Define Membership Rules step add the test users to the collection by clicking on the Add Rule button, and selecting Direct Rule. Follow the wizard to add the test users. Once the test users are added and you are back in the Membership Rules step click Next. In the Summary step click Next In the Completion step click Close Setup and Configure the Intune integration. In the navigation pane of the Configuration Manager console click Administration Expand Overview Expand Cloud Services Right Click Microsoft Intune Subscription Select Add Microsoft Intune Subscription In the Introduction step click Next In the Subscription step select Sign In Select I understand that … and click OK In the Microsoft Intune Sign In page Sign in with the administrative organizational account that you created in the previous exercise. For example, [email protected]. Click Sign In Click Next For Collection click Browse Select Mobile Users Click OK In the Company Name field type a name for your company. In the Configuration Manager site code select P01. Click Next In the Platform step leave all platforms unselected and click Next In the Company contact information fill in the fields or leave them blank and click Next. Page 108 Task Detailed steps In the Company Logo step Click Next In the Summary step click Next In the Completion step click Close Add the Intune Connector on CM1 In the navigation pane of the Configuration Manager console click Administration Expand Overview Expand Site Configuration Select Servers and Site System Roles Right Click \\CM1.corp. and select Add Site System Roles In the General step of the Add Site System Role Wizard click Next. In the Proxy step click Next In the System Role Selection select Windows Intune Connector Click Next In the Summary step click Next In the Completion step click Close. Enable Intune Extensions Note: When the Intune tenant is created it can take up to 24 hours for the tenant to get discovered by our service. Once it’s discovered it will receive the extensions the next time it checks in with the service (every 5 minutes). If you do not see the extensions in the console then you must wait until they appear, there is no way to accelerate this process. In the navigation pane of the Configuration Manager console click Administration Expand Overview Expand Cloud Services Click Extensions for Windows Intune Right click all extensions and enable them. In the License Terms select I accept the license terms and privacy statement and click Yes After enabling each extension make sure the Status is set to Enable. Close the Configuration Manager Management console. Repeat step 1 – 7 until no additional extensions are added in the console. If the Extensions don’t appear continue with the next Lab and try again in a few hours. Important: The reason for repeating the steps above is that not all extensions could be added the first time the Configuration Manager management console is started. It can take several hours before the extensions appear. Note: When you will enrol Mobile device in this environment make sure the Extensions for the specific mobility platform are Enabled! Page 109 13.7 CM1: Enable the Firewall for port 1433 and 4022 This section outlines how to enable the Firewall posts for Configuration Manager. When installing Configuration Manager and SQL on the same server this is not required. Required Time: 5 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Connect to CM1 Select Virtual Machines . Select “CM1” and click Connect at the bottom of the screen. Logon to CM1 with “Corp\LabAdmin”. Open port TCP 1433 and 4022 in the Firewall Open the Start screen (to prevent the hierarchy manager from generating errors) Select Windows Firewall with Advanced Security Type Windows Firewall. Right click inbound and select New Rule In the Rule Type step select Port and click Next In the Protocol and Ports step specify local ports field enter 1433, 4022 and click Next In the Action step ensure the Allow the connection is enabled and click Next In the Profile step click Next In the Name step enter CM-SQL TCP 1433 and 4022 and click Finish 13.8 CM1: Minimize SQL Resource Usage This section outlines how to minimize the SQL server from using resources on this VM. Although it is a recommended practice to limit the amount of SQL memory in a production environment when the SQL Database is installed on the same server as Configuration Manager, the main reason we do this in our lab is because we use VM’s with limited resources. We want to minimize the impact of SQL on Configuration Manager on the VM. Required Time: 5 minutes Page 110 Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Connect to CM1 Select Virtual Machines . Select “CM1” and click Connect at the bottom of the screen. Logon to CM1 with “LabAdmin”. Configure the maximum allowed memory for SQL Open the Start screen Type SQL Server Management Studio. Select SQL Server Management Studio Click Connect Right click the server named CM1 (SQL Server 11… ) and select Properties Click the Memory node. Under Server Memory Options, you can enter the amount that you want for Minimum server memory and Maximum server memory. For Max memory type 1024. Click OK Close SQL Server Management Studio Page 111 14 Intune: Configure MDM with Intune Only Intune Only Setup (This section is not applicable if you are setting up a Hybrid Scenario!) This section outlines the steps required to enable Microsoft Intune to manage device enrollment in an Intune Only setup. To setup Intune for Device management we will perform the following high level steps: Subscribe to Microsoft Intune Configure a domain name Add users and assign licenses for your subscription Manage Microsoft Intune licenses for users Assign administrative users Configure Security Groups Customize the Company Portal Enable Device Management 14.1 Intune: Enable base device management for Intune Standalone After you complete the following tasks, you are ready to manage mobile devices and computers: Required Time: 15 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the Intune Administration console at manage.microsoft.com. Assign licenses to users All users must be assigned a license added to the Microsoft Intune Account Portal before devices can be enrolled. Each user can have up to 5 Intune-managed devices. You will now assign rights to the lab users. Log in to the Microsoft Intune Account Portal (http://account.manage.microsoft.com/) with user admin@.onmicrosoft.com and use in private browsing to avoid using MS Corp credentials. Click Add users Select TestUSer1, TestUser2, TestUser3 and TestUser4 and click Edit. On the details page, click Next Page 112 Task Detailed steps On the Settings page select United States in the Set user location field, then click Next. On the Group page select Add to existing group membership Make sure Microsoft Intune checkbox is selected and click Submit. Click Submit On the Results page, verify that all selected users are marked as Complete. Click Finish. Setup tenant administrators After you add additional users to your subscription, we recommend that you grant a user account administrative credentials. The console you use to assign administrative credentials depends on the type of administrator you want to assign, either Global administrator or User management administrator: To assign tenant administrator permissions in the Intune: In the Microsoft Intune Account Portal, click Users. Select a user account (only one!) that you want to promote to a tenant administrator, and then click Edit. On the Details window click Next Click on the Settings tab, and under Assign role, click Yes, and then select User management administrator or Global administrator. Enter the alternate email address for this user, and then click Save. Note: the above steps are not really required as the admin@.onmicrosoft.com already has this role. To view a list of tenant or service administrators: Select Admin Console In the Microsoft Intune administrator console, click Admin > Administrator Management. Under Tasks, click one of the following: * View Service Administrators: The console displays only service administrators that are configured in the administration console. It does not display tenant administrators that have the Global administrator role. * View Tenant Administrators: The console displays only tenant administrators that are assigned the Global administrator role. Create groups In the Microsoft Intune account portal, you can create, edit, and delete security groups. You can use security groups as criteria for the organization groups that service administrators use for day-to-day management of Intune, including deploying software or assigning policies. Intune is also able to create groups based off the membership of groups synced from AD. To Create a security group: In the Microsoft Intune account portal, click Security Groups > New to start the New security group wizard. On the Details page, enter the name Sales, and then click Next. On the Define Membership Criteria page click the top browse button to select members from a security group. Select the group Sales and then click OK, then click Save. On the Direct Membership page select TestUser1 and TestUser2 and click Add and click Save and Close. Customize the company portal You can customize the Intune Company Portal for your company. To customize the Company Portal: Page 113 Task Detailed steps In the Microsoft Intune administration console go Admin > Company Portal. Configure the following with settings you choose for your lab: a. Company Name b. IT department contact name c. IT department phone number d. IT department email address e. Additional information f. Company privacy statement URL g. Support website URL (not displayed) h. Website name (displayed to user) Customized the Theme color, Company logo (max. dimension PNG/JPG I 400x100px) and background for Company Portal, it is recommend that you change the default color in your lab to make it easy to identify if the company portal has been updated Click Save. Verify the Company Portal Configuration Navigate to the page https://portal.manage.microsoft.com, and login as the user [email protected] with the password L@b@dm1n. Review the company portal and confirm that the customizations have been applied. Configure Terms and conditions You can publish terms and conditions that your users see when they first use the company portal from any device. To configure Terms and conditions: In the Microsoft Intune administration console go to Company Portal > Terms and Conditions. (sub folder) Select the option Require users to accept company terms and conditions before using the Company Portal. Update the fields with text suitable for your lab and click Save. Enable device management Before you can enroll mobile devices, you must prepare the Intune service by selecting the appropriate mobile device management authority setting on the Mobile Device Management page of the Administration workspace. The mobile device management authority setting determines whether you manage mobile devices with Intune or System Center Configuration Manager with Intune integration. This guidance assumes Intune is used without System Center Configuration Manager integration so the setting should be set to Microsoft Intune. In the Microsoft Intune administration console click Admin > Mobile Device Management. In the Tasks list, click Manage Mobile devices. The Manage Mobile Devices dialog box opens. Page 114 Task Detailed steps Check the Use Microsoft Intune to manage my devices box and then click OK to use Microsoft Intune to manage mobile devices. Pay close attention to the warning message. Click OK Notice the updated central Mobile Device Management pane. Page 115 15 Setup SCEP – NDES1 The following section outlines how the NDES server will be installed and configured. The NDES server is a proxy server for SCEP responsible for certificate management. 15.1 NDES1: Create the Virtual Machine Description: This section outlines how to create the virtual machine to be used for Server NDES1. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Create NDES1 VM Select Virtual Machines. Select “+ NEW” in the bottom left. Select From Gallery Make sure Windows Server 2012 R2 Datacenter is selected and the arrow “->” to the next screen. In the Virtual machine configuration window in Virtual Machine Name type the Virtual Machine Name called “NDES1” In the Virtual machine configuration window type the New User Name called “LabAdmin” In the 2nd screen of the Virtual machine configuration window type the New Password and Confirm with the password “L@b@dm1n” or any other password you prefer. Please note that Azure does not except commonly used usernames and passwords. Go to the next (3rd) screen by selecting the arrow “->”. In the 3rd and last screen of the Virtual machine configuration window select the Cloud Service that you created earlier (e.g “emslabservice”). If you created a Storage Account earlier select the Storage Account (e.g “emslabstrorrageaccount” or have a Storage Account being created automatically. Go to the next (4th) screen by selecting the arrow “->”. In the 4th and last screen of the Virtual machine configuration window select Microsoft Antimalware under Security Extensions and leave the remaining settings as is. Select to complete the wizard by clicking “tick symbol” in the bottom right of the screen. Select to complete the wizard by clicking “tick symbol” in the bottom right of the screen. Page 116 15.2 NDES1: VM – Configure and Join NDES1 to the CORP domain. This section will outline how to join NDES1 to the Corp domain. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Join the NDES1 VM to the Corp domain. Make sure you are logged on to the management portal of Azure.microsoft.com. Select Virtual Machines . Select NDES1 and click Connect at the bottom of the screen. Logon to WAP1 with “.\LabAdmin” with the password “L@b@dm1n Open Server Manager Select Local Server Turn off IE Enhanced Security Configuration by clicking on On and selecting Off for Administrators and Users. (for later) Click on WORKGROUP in the Workgroup field. In the Computer Name tab click Change. In the Member of field make sure Domain is selected. In the Domain field type in Corp.. E.g. Corp.devicedemo.net. and click OK. For User name use LabAdmin and password type L@b@dm1n . Click OK. In the Computer Name/Domain Changes window click OK. Click OK to reboot the computer. Click Close to close the System Properties window. Click Restart Now. 15.3 NDES1: VM – Install Azure PowerShell and Configure a Static IP In this section will outline how to install the Azure PowerShell extensions on NDES1 and configure a static IP address for NDES1. Page 117 Note: Before continuing with the following sections, it is recommended to update NDES1 with all the latest updates from Microsoft Update. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Install Azure PowerShell and configure static IP Select Virtual Machines. Select “NDES1” and click Connect at the bottom of the screen. Logon to NDES1 with “LabAdmin” with the password “L@b@dm1n” Open Server Manager Select Local Server Install Azure PowerShell by going to the direct installation here: http://go.microsoft.com/fwlink/p/?linkid=320376&clcid=0x409 When the warning appears in Internet Explorer select Run In the Microsoft Azure PowerShell window select Install In the Prerequisites step, select I Accept. In the Finish step, select Finish. In the Web Platform Installer 5.0 select Exit. Open the Azure PowerShell command prompt running as administrator type AddAzureAccount and provide the username and password of the Azure Administrator configured for the subscription. If more than one subscription is shown, please select the Azure subscription you are using by typing: Select-AzureSubscription [-SubscriptionName] Set Static IP Address (DIP) for the VM as described in Configure a Static Internal IP Address (DIP) for a VM at http://msdn.microsoft.com/en-us/library/azure/dn630228.aspx . Open Azure Powershell , your commands should look like: a. IPCONFIG /all (assuming your IP address is now 10.0.0.7) b. Test-AzureStaticVNetIP –VNetName VirnetMobility –IPAddress 10.0.0.7 c. Get-AzureVM -ServiceName -Name NDES1 | Set-AzureStaticVNetIP -IPAddress 10.0.0.7 | Update-AzureVM 15.4 DC1: AD – Create the NDES Service Account and SPN In this lab you will create an NDES Service account that is required for configuring support for SCEP and the NDES server. Page 118 Note: In production environments make sure the user has the "Logon Locally", "Logon as a Service" and "Logon as a batch job" rights. This should be the case by default, however some companies have hardening policies in place to disallow/remove these rights. Additionally a Service Principal Name (SPN is required for the NDES Service Account. Required Time: 5 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Create NDES Service Account If not already connected to DC1 select Virtual Machines. Select DC1 and click Connect at the bottom of the screen. Logon to DC1 with Corp\LabAdmin with the password L@b@dm1n In Server Manager, click Tools and click Active Directory Users and Computers from the menu. Expand , Corp Right click on the Service Accounts OU Select New and then select User In the First Name field type SVC_NDES In the User logon name field type SVC_NDES and for the UPN chose the UPN that is the same as your publicly registered domain name. Click Next For the Password and Confirm password field type P@ssw0rd Unselect User must change password at next logon Select Password never expires Click Next Click Finish Create a Service Principal Name (SPN) for the NDES Service Account On DC1 open a PowerShell command as Administrator On the command prompt type setspn -s http/NDES1.corp.devicedemo.net CORP\SVC_NDES Note: If the SPN is not created; NDES to CA call may fail Kerberos authentication. If you are truly using a user account (not a service account e.g. network service or local service); then the fallback to NTLM will work just fine and you will not see any issues apart from some entries in security event log. If you block NTLM in your environment, this step is mandatory. 15.5 DC1: Create and Publish the Certificate Templates for NDES This section will outline how setup the required Certificate Templates in Active Directory Certificate Services on DC1 for usage with NDES. This requires the creation of two certificate templates: Page 119 SCEP Certificate Template - Before mobile devices can request a certificate, we need to set up an appropriate template in our certificate authority. This template is then used to create certificates when requested by the certificate authority. NDES Authentication Template - The NDES server uses this certificate for two purposes, these are: ▪ Traffic between the NDES server and the CRP (Intune - Certificate Registration Point) needs to be encrypted using SSL. The NDES server needs a certificate with Client Authentication Enhanced Key Usages (EKU’s) to enable this encryption. ▪ A certificate using with a Server authentication EKU that is used as an SSL certificate for the IIS web server. This is for an https URL that NDES clients use to connect to the NDES server. For this lab we will cert a single certificate with both the Client Authentication and Server Authentication EKU’s and use it for both scenarios. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. Add Request and Issue permissions on the CA for the SVC_NDES service account. If not already connected to DC1 select Virtual Machines. Select DC1 and click Connect at the bottom of the screen. Logon to DC1 with Corp\LabAdmin with the password L@b@dm1n In Server Manager, click Tools and click Certificate Authority from the menu. In the Certificate Authority management console right-click corp-DC1-CA and select Properties Open the Security tab. Click Add Type SVC_NDES and click Check Names After validation click OK Select the user SVC_NDES Make sure Issue and Manage Certificates and Request Certificates is selected. Click OK Note: Issue and Manage Certificates need to be selected for the NDES service account (SVC_NDES) to revoke certificates. Setup the SCEP Certificate Template SCEP Certificate Template SCEP Certificate Template SCEP Certificate Template SCEP Certificate Template SCEP Certificate Template SCEP Certificate Template If not already connected to DC1 select Virtual Machines. Select DC1 and click Connect at the bottom of the screen. Logon to DC1 with LabAdmin with the password L@b@dm1n In Server Manager, click Tools and click Certification Authority from the menu. In the Certification Authority MMC, expand your CA, CORP-DC1-CA in the left pane, right click Certificate Templates and click Manage from the menu. In the Certificate Templates console, scroll down to the User template in the central pane, right click it and click Duplicate Template from the menu. In the Properties of New Template dialog, switch to the General tab. In the Template display name type SCEP General Purpose Page 120 Task Detailed steps In the Properties of New Template dialog, switch to the Request Handling tab. Validate that Signature and Encryption is selected Note: For the purpose of this lab we are selecting Signature and Encryption but in production environment you probably only select the Purpose that is required. In the Properties of New Template dialog, switch to the Subject Name tab. Make sure Supply in the request is selected. In the Certificate Templates window that appears read the message and select OK In the Properties of New Template dialog, switch to the Security tab. Click Add Type SVC_NDES and click Check Names Click OK Select the SVC_NDES name Make sure the Allow Read and Allow Enroll permissions are selected for the SVC_NDES In the Properties of New Template dialog, switch to the Extensions tab, select Application Policies and click Edit. Evaluate the settings and leave them as is. Note: For the purpose of this lab we leave the default settings but in production environment you will probably customize the extensions as required. Click Cancel. Click OK. Close the Certificate Templates Console. Enable the new SCEP Certificate Template In the Certificate Templates Authority management console right-click Certificate Templates, select New and select Certificate Template to Issue Scroll down to the SCEP General Purpose Certificate Template, select it and click OK Setup the Certificate Template to be used for communication between NDES and Intune and SSL Communication with the NDES server. If not already connected to DC1 select Virtual Machines. Select DC1 and click Connect at the bottom of the screen. Logon to DC1 with LabAdmin with the password L@b@dm1n In Server Manager, click Tools and click Certification Authority from the menu. In the Certification Authority MMC, expand your CA, CORP-DC1-CA in the left pane, right click Certificate Templates and click Manage from the menu. In the Certificate Templates console, scroll down to the Workstation Authentication template in the central pane, right click it and click Duplicate Template from the menu. In the Properties of New Template dialog, switch to the General tab. In the Template display name type NDES Communication In the Validity Period type 5 years. In the Properties of New Template dialog, switch to the Subject Name tab. In the Subject Name format select Common Name In the Properties of New Template dialog, switch to the Extensions tab. Under Extensions included in this template select Application Policies Page 121 Task Detailed steps Click Edit Click Add Select Server Authentication from the list and click OK Click OK Click OK. Close the Certificate Templates Console Enable the new NDES Communication Certificate Template. In the Certificate Templates Authority management console right-click Certificate Templates, select New and select Certificate Template to Issue Scroll down to the NDES Communication Certificate Template, select it and click OK 15.6 NDES1: Install and Configure NDES This section outlines the installation and configuration of NDES. This includes: Installation of the NDES role. Assigning IIS admin access rights to the NDES Service account. Configuring the NDES role. Enabling support for long URLs in IIS. Configuring HTTPS based access to NDES. Configuring Request Handling. Exporting the root certificate for use on devices. Required Time: 15 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. Connect to NDES1 Select Virtual Machines. Select NDES1 and click Connect at the bottom of the screen. Logon to NDES1 with Corp\LabAdmin. Install NDES role Open Server Manager. Click Add Roles and Features on the Manage menu. On the Before you begin page, click Next. On the Installation type step, click Role-based or Feature-based installation, and then click Next. On the Server Selection step, click Select a server from the server pool, verify that NDES1 is selected, and then click Next. On the Server roles step, click Active Directory Certificate Services Page 122 Task Detailed steps Note: The required prerequisites are preselected for you. You do not have to click any other features. On the Add Roles and Features window select Add Features Click Next. On the Select Features window click Next On the AD CS step click Next In the Role Services step uncheck Certificate Authority component, and instead check Network Device Enrollment Service Note: The required prerequisites are preselected for you. You do not have to click any other features. On the Add Roles and Features window select Add Features Click Next In the Web Server Role (IIS) step click Next In the Role Services step also check Request Filtering under Security In the Role Services step also check IIS 6 WMI Compa under Security Click Next In the Confirmation step make sure the checkbox for Restart the destination server automatically if required is checked and click Install. If a confirmation window appears click Yes. Click Close Add Corp SVC_NDES to the local IIS_IUSRS on NDES1 Start Computer Management Browse to System Tools, Local Users and Groups and select Groups Right click on the group called IIS_IUSRS and select Add to Group Click Add Type SVC_NDES and click Check Names After verification of the name click OK Click OK to close the window IIS_IUSRS Properties. Complete Configuration of NDES Role On NDES1 Go back to Server Manager In the top right notice the exclamation mark and click on the exclamation mark. Click on Configure Active Directory Certificate Services in th… Leave the credentials as Corp\LabAdmin and click Next In the Role Services step select/check Network Device Enrolment Service and click Next Page 123 Task Detailed steps In the Service Account for NDES step click Select and when credentials are asked use Corp\SVC_NDES with password L@b@dm1n Click Next In the CA for NDES step click Select and make sure corp-DC1-CA is selected. Click OK Click Next In the RA information step leave all values as default and click Next In the Cryptography for NDES step leave everything as default and click Next Note: As the Certificate Template we configured also has a key length of 2048 we need to ensure this is also configured with a key length of 2048. On the Confirmation step click Configure On completion click Close Configure the support for long URL’s on NDES1 in the registry. The NDES server will receive very long URLs (queries) from the mobile devices and therefore a few changes are needed to ensure that IIS is able to receive and process these very long URLs. On NDES1 go to the start screen and type Regedit and click on Regedit. Add the following registry keys: a. Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters Value: MaxFieldLength Type DWORD Data: 65534 (decimal) b. Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters Value: MaxRequestBytes Type DWORD Data: 65534 (decimal) Close Regedit Configure the support for long URL’s on NDES1 in IIS. On NDES1 open Server Manager Click Tools and select Internet Information Services (IIS) Browse to Sites / Default Web Site. In the Features View, under IIS, select Request Filtering On the right side of the console under Actions click Open Feature On the right side of the console under Actions click Edit Feature Settings. Page 124 Task Detailed steps Change the Maximum URL length and Maximum query string to 65534 Reboot the server NDES1. This is mandatory – restarting IIS is not sufficient. Connect to NDES1 Select Virtual Machines . Select NDES1 and click Connect at the bottom of the screen. Logon to NDES1 with Corp\LabAdmin. Validate the NDES server is working correctly for HTTP On NDES1 open Internet Explorer Browse to http://NDES1.corp./certsrv/mscep/mscep.dll and you should receive a NDES page similar to the one below. Note: If you get an error 503 "Service unavailable", check the eventviewer. It's likely that the application pool is stopped due to a missing right for the SVC_NDES. Enroll a Certificate for 443 communication on NDES1 Go to the Start screen, type certlm.msc and press Enter to open an MMC console on the desktop. Right click Personal select All Tasks and select Request New Certificate… On the Certificate Enrollment page click Next In the Select Certificate Enrollment Policy click Next On the Request Certificates window select NDES Communication Click Enroll Click Finish Enable port 443 communication in IIS on On NDES1 open Server Manager. Click Tools and select Internet Information Services (IIS). Page 125 Task NDES using the certificate created in previous step Detailed steps Browse to the Default Web Site. Under Actions in the right hand side click on Bindings. Click Add. Under Type select https. For SSL certificate click Select. Select the Certificate that you enrolled in the previous step. The certificate is issued to NDES1.corp. and is issued by corp-DC1-CA. Click OK. In the Add Site Binding window click OK. In the Site Bindings window click Close. In the IIS console double click SSL Settings. Select Require SSL and Ignore client certificates. In the right window under Actions click on Apply. Validate the NDES server is working correctly for HTTPS Configure HTTP Activation Feature on NDES1 On NDES1 open Internet Explorer Verify you can access the same URL with SSL this time: https://NDES1.corp./certsrv/mscep/mscep.dll Open Server Manager. Click Add Roles and Features on the Manage menu. On the Before you begin page, click Next. On the Installation type step, click Role-based or Feature-based installation, and then click Next. On the Server Selection step, click Select a server from the server pool, verify that NDES1 is selected, and then click Next. On the Server roles step, click Next. In the Features step browse to .NET Framework 4.5 Features expand WCF Services and select HTTP Activation Click Next Click Install Click Close Export the root CA for corp-DC1-CA corp-DC1CA corp-DC1-CA A root certificate is required to be deployed to devices. In this step the root cert is exported for use later in the lab. On NDES1 go to the Start screen, type certlm.msc and press Enter to open an MMC console on the desktop. Browse to Trusted Root Certification Authority, Certificates and Right-click corp-DC1CA. Page 126 Task Detailed steps Select All Tasks and Export In the Welcome window click Next In the Export File format window make sure DER encoded binary x.509 (.CER) is selected and click Next For the file name type c:\corp-DC1-CA.cer Click Next Click Finish Click OK 15.7 DC1: Add External NDES address to Internal Split Brain DNS zone and External DNS zone. In this step you perform two tasks: Configure split-brain DNS for the NDES Server - For certificate management to work we must ensure that the DNS name that is used externally to contact the NDES server also works internally. As we are using a different domain name for the internal Active Directory (corp.) to the domain used externally we must setup a split-brain DNS internally. Configure external DNS for the NDES Server - As the NDES server will need to be published for external devices, we also need to add the host record of the NDES server to the external DNS server. Required Time: 5 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. Logon to DC1Connect to CM1 Select Virtual Machines. Select DC1 and click Connect at the bottom of the screen. Logon to DC1 with Corp\LabAdmin. Configure Internal DNS for NDES Open Server Manager Click Tools and select DNS to open the DNS Manager. In the console tree, expand DC1, expand Forward Lookup Zones, right-click , and then click New Host (A or AAAA). In Name, type NDES (without the 1 at the end) In IP address, type the IP address of NDES1 server (e.g. 10.0.0.7). Click Add Host. Click OK Click Done Page 127 Task Detailed steps Type the following command, and then press Enter: Ipconfig /flushdns Configure Public Domain Settings @ GoDaddy Logon your publicly registered domain Provider (e.g. GoDaddy) NOTE: steps may be different on your Public Domain provider Click Save to save all settings Add a A(Host) for “NDES” and point it to the Public Virtual IP (VIP) address of our Lab, this is the same IP address as the IP address for sts. Click Save Changes to make sure the changes are processed. 15.8 CM1: Configure Certificate Registration Point Hybrid Setup (CM+Intune) (Skip this section if you are configuring an Intune-Only Setup!) This section outlines how we configure the Certificate Registration Point on CM1 in a Hybrid deployment. Required Time: 15 minutes Page 128 Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Connect to CM1 Select Virtual Machines . Select CM1 and click Connect at the bottom of the screen. Logon to CM1 with Corp\LabAdmin. Enroll a Certificate for 443 communication on CM1 Go to the Start screen, type certlm.msc and press Enter to open an MMC console on the desktop. Right click Personal select All Tasks and select Request New Certificate… On the Certificate Enrollment page click Next In the Select Certificate Enrollment Policy click Next On the Request Certificates window select NDES Communication Click Enroll Click Finish Enable port 443 communication in IIS on CM1. On CM1 open Server Manager Click Tools and select Internet Information Services (IIS) Browse to the Default Web Site. Under Actions in the right hand side click on Bindings. Select the row with https and 443 Click Edit For SSL certificate click Select Select the Certificate that you enrolled in the previous step. It probably does not have a Friendly Name and is issued by corp-DC1-CA Click OK In the Add Site Binding window click OK In the Site Bindings window click Close Install Certificate Registration Point on CM1 On CM1 open the Configuration manager Management Console In the Navigation Pane select Administration Navigate to Overview, Site Configuration and select Servers and Site System Roles Right click CM1.corp.. and select Add Site System Roles In the General step click Next In the Proxy step click Next In the System Role Selection select Certificate Registration Point In the Certificate Registration Point step click Add For the URL type the internet facing URL for the CRP: https://ndes./certsrv/mscep/mscep.dll Page 129 Task Detailed steps Note: This URL will be part of the profile send to the devices. This means that the device – out there somewhere on the internet – needs to access this URL. Specify the internet facing URL, not any internal FQDN’s. For the Root CA Certificate click Browse, browse to the exported trusted root certificate (.cer file) Select c:\corp-DC1-CA and click Open Click OK Click Next Click Next When finished click Close Validate successful installation of CRP on CM1 On CM1 open C:\Program Files\Microsoft Configuration Manager\Logs\CRPMSI.log a. This log should read: Installation success or error status: 0 On Cm1 open C:\Program Files\Microsoft Configuration Manager\Logs\crpsetup.log This log must read CRP.msi exited with return code: 0 a. If errors like GetIISWebServiceStringProperty failed are listed, make sure the correct SSL certificate is bound and no hostname is specified in the Edit Site Bindings On CM1 open C:\Program Files\Microsoft Configuration Manager\Logs\crpctrl.log a. It should show that CRP status is 0 (online) like this line: CRP's previous status was 0 (0 = Online, 1 = Failed, 4 = Undefined) SMS_CERTIFICATE_REGISTRATION_POINT 4/25/2014 9:50:21 PM 6496 (0x1960) b. However, right after installation of CRP, it might not show that yet. The self-health check runs every 10 minutes, so after 10 minutes it should change from 4 to 0 (online). This can be speed up by restarting the SMS_CERTIFICATE_REGISTRATION_POINT thread if desired. On CM1 open C:\Program Files\SMS_CCM\CRP\Logs\CRP.log a. This log should not contain any errors. b. If you see a Security Exception is thrown in reading inbox path error, grant the Network Service account read permissions to the HKLM\SOFTWARE\Microsoft\SMS\MPFDM\Inboxes registry key. Restart CM1 Connect to CM1 Select Virtual Machines. Select CM1 and click Connect at the bottom of the screen. Logon to CM1 with Corp\LabAdmin. Copy Certificate and Installation Files for Policy Module Note: After the CRP is installed, the system will automatically export the certificate that will be used for NDES plugin (could take up to an hour or so) to the certmgr.box folder under inboxes on the site server. Be patient, it will be generated automatically. On CM1 open File Explorer. Create a folder named c:\NDES Right click on c:\NDES and select Properties Select the Sharing Tab Click on Share In the Fle Sharing Window click on Share Page 130 Task Detailed steps In the Fle Sharing Window click on Done Click on Close to close the NDES properties Window Browse to C:\Program Files\Microsoft Configuration Manager\inboxes\certmgr.box and Copy the certificate found in this folder to C:\NDES. Go to the Desktop of CM1 Double click on mu_system_center_2012_r2_configuration_manager_x86_and_x64_dvd_2926949.iso The ISO will be mapped in File Explorer. Browse to SMSSETUP\PolicyModule Right click the SMSSETUP\PolicyModule folder and copy it to c:\NDES 15.9 NDES1: Install Policy Module Hybrid Setup (CM+Intune) (Skip this section if you are configuring an Intune-Only Setup!) This section outlines how to install the Policy Module on the NDES server NDES1 in a Hybrid deployment. Required Time: 15 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Connect to CM1 Select Virtual Machines . Select NDES1 and click Connect at the bottom of the screen. Logon to NDES1 with Corp\LabAdmin. Copy required certificate and policy module source from CM1 to NDES1 On NDES1 open File Explorer Create a folder called C:\NDES Open \\CM1\c$\NDES Copy all content of \\CM1\c$\NDES to C:\NDES on NDES1. Page 131 Task Detailed steps On the NDES server browse to C:\NDES\POLICYMODULE\X64 Run PolicyModuleSetup.exe In the Configuration Manager Policy Module Setup window click Next In the License Agreement step select I accept the license agreement and click Next In the Installation Folder step click Next In the Certificate Registration Point step enter the URL of the CRP: https://CM1.corp./CMCertificateRegistration Leave the CRP port to 443. Click Next In the Client Certificate for Policy Module step click Select. Select the certificate that was enrolled earlier called NDES1.corp.. Click Next In the Client Certificate for Policy Module window validate the Certificate details and click Next In the Certificate Registration Point Certificate window click Browse. Browse to C:\NDES and select the certificate copied from the certmgr.box on CM1 earlier called CRP_CM1.Corp. and click Open Click Next In the Ready to Install window click Install Click Finish. On NDES1 open the registry editor and browse to HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP Change the values of EncryptionTemplate, GeneralPurposeTemplate and SignatureTemplate match the names of the template created for SCEP on your CA. This should be SCEPGeneralPurpose as shown below. Open an elevated command prompt and run iisreset. Open Internet Explorer on the NDES server and browse to Error! Hyperlink reference not valid. registered domain name>/certsrv/mscep/mscep.dll. You should no longer see the web page but instead you should see an http 403 - Forbidden error. This is expected. Copy Certificate and Installation Files for Policy Module Note: After the CRP is installed, the system will automatically export the certificate that will be used for NDES plugin (could take up to an hour or so) to the certmgr.box folder under inboxes on the site server. Be patient, it will be generated automatically. On CM1 open File Explorer. If not already created, create a folder named c:\temp Page 132 Task Detailed steps Right click on c:\temp and select Properties Select the Sharing Tab Click on Share In the Fle Sharing Window click on Share In the Fle Sharing Window click on Done Click on Close to close the Temp properties Window Browse to C:\Program Files\Microsoft Configuration Manager\inboxes\certmgr.box and Copy the certificate found in this folder to C:\Temp. Go to the Desktop of CM1 Double click on mu_system_center_2012_r2_configuration_manager_x86_and_x64_dvd_2926949.iso The ISO will be mapped in File Explorer. Browse to SMSSETUP\PolicyModule Right click the SMSSETUP\PolicyModule folder and copy it to c:\temp 15.10 NDES1: Configure NDES Connector Intune Only Setup (Skip this section if you are setting up a Hybrid Scenario!) This section you will install and configure the Intune NDES Connector. The NDES Connector manages the connection between NDES server and the Certificate Registration Point (Intune). There are two key steps in this process: Enable the Intune subscription to use the NDES connector. Download and Install the NDES connector on the NDES Server. Required Time: 15 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. Page 133 Task Detailed steps Connect to NDES1 Select Virtual Machines . Select NDES1 and click Connect at the bottom of the screen. Logon to NDES1 with Corp\LabAdmin. Add required roles and features In Server Manager click Manage and select Add Roles and Features In the Before you begin step click Next In the Select installation step click Next In the Server Selection step make sure NDES1 is selected and click Next In the Server Role step expand Web Server (IIS) a. Expand Management Tools b. Expend IIS 6 Management Compatibility c. Select IIS 6 WMI Compatibility In the Server Role step click Next In the Features step select .NET Framework 3.5 Features a. Expand .NET Framework 3.5 Features b. Select HTTP Activation c. In the pop up window select Add Feautures. In the Features step click Next In the confirmation step make sure Restart the destination server automatically if required is selected. If a pop up window appears click Yes to confirm the Restart. In the confirmation step click Install. Enable the NDES Connector Using Internet Explorer, login to https://manage.microsoft.com with the admin account (admin@.onmicrosoft.com). If required, click the get Silverlight link and complete the installation. In the Intune administration console, click Admin > NDES Connector. Click Configure On-Premises NDES Connector. Select Enable NDES Connector, and then click OK. Install and configure the NDES Connector on NDES1 On the NDES server, navigate to the Intune administration console, and then click Admin > NDES Connector > Download NDES Connector. After the download completes, launch an elevated command prompt and run the setup MSI to install the NDES connector, the policy module and the CRP Web Service. Warning - This will fail if you don’t use an elevated command prompt. Click Next and accept the defaults until you get to the page where you need to select the client certificate. When prompted for the client certificate for the NDES Policy Module, click Select to browse to and select the X.509 certificate file that you want to use. This is the NDES Page 134 Task Detailed steps Communication certificate that you created earlier. It starts with MDES1.corp.. Note: You can confirm that you have the correct certificate by clicking Click here to view certificate properties the cert and checking the enhanced key usage has Client Authentication and Server authentication rights. Click OK. Click Next. Verify the selected certificate, click Next. Click Install. Select the Launch the NDES Connector UI checkbox, click Finish. In the NDES Connector UI, click Sign In and enter your Microsoft Intune tenant or service administrator credentials (admin@.onmicrosoft.com), click Sign in. You should now see a Successfully Enrolled dialog box, click OK. Click the Advanced tab. Provide credentials for an account that has the Issue and manage certificates permission on the Certificate Authority server from which the NDES connector issues certificates. These credentials are Corp\SVC_NDES with password L@b@dm1n. Click Apply. At the confirmation box, click OK. Click Close. On NDES1 open the registry editor and browse to HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP Change the values of EncryptionTemplate, GeneralPurposeTemplate and SignatureTemplate match the names of the template created for SCEP on your CA. This should be SCEPGeneralPurpose as shown below. Note: These values are used by NDES to determine the correct template to use when requesting certificates. Open an elevated command prompt and run iisreset. Open Internet Explorer on the NDES1 server and browse to http://ndes./certsrv/mscep/mscep.dll. The name resolution will get resolved through the split DNS configuration. You should no longer see the web page but instead you should see an http 403 - Forbidden error. This is expected. 15.11 WAP1: Publish NDES1 on WAP1 This section outlines how to publish the NDES server (NDES1) via WAP. Page 135 Note: before you start this lab, please make sure “December 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 http://support.microsoft.com/kb/3013769“ is installed on WAP1. This rollup includes KB 3011135 Large URI request in Web Application Proxy fails in Windows Server 2012 R2 http://support.microsoft.com/kb/3011135. You can validate if kb3013769 is installed in Control Panel -> Programs – Programs and Features -> installed Updates. Without this update the NDES server cannot be published through WAP. Note 2: On the 25th of February, Microsoft announced Azure AD Application Proxy support for NDES publishing that can enable Intune deployments with no DMZ requirements. See blog posts Azure AD Application Proxy now support NDES publishing and Pieter Wigleven’s blog here Part 4 - Protecting NDES with Azure AD. There are few points where App Proxy increases security compared to all other alternative solutions: App Proxy terminate all SSL traffic in the cloud and pass to the corpnet only valid traffic. This blocks all layer <7 attacks and several layer 7 attacks as well. Attack like HeartBleed will be completely blocked in the cloud. App Proxy is installed on top of Azure networking and platform solutions that includes DDoS mechanisms. This will block some DDoS attacks and will not let this traffic arrives to on-prem. Microsoft is in charge of all the servers that front-end the traffic to the Internet and committed to patch them instantly if security issues are discovered. This lab is still using the Web Application Proxy approach of publishing the NDES server however you can also decide to use the Azure AD Application Proxy. Required Time: 15 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. Connect to WAP1 Select Virtual Machines . Select WAP1 and click Connect at the bottom of the screen. Logon to WAP1 with Corp\LabAdmin. Configure the support for long URL’s on WAP1 in the registry. On WAP1 go to the start screen and type Regedit and click on Regedit. Add the following registry keys: a. Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters Value: MaxFieldLength Type DWORD Data: 65534 (decimal) b. Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters Value: MaxRequestBytes Page 136 Task Detailed steps Type DWORD Data: 65534 (decimal) Close Regedit Publish the NDES server using the Remote Access Management Console On WAP1 open Server Manager. Click Tools and select the Remote Access Management. In the Remote Access Management Console select WAP1 and on the right of the screen click Publish. In the Welcome step click Next. In the Preauthentication step select Pass-through. In the Name field type NDES Server In the external URL field type https://NDES. For the External Certificate select *. for example *.mydemolab.com. In the Backend server URL: field type https://NDES1. for example ndes1.corp.. Click Next. In the Confirmation step click Publish. In the Results step click Close. Reboot WAP1 Note: This is a critical step if you don’t do this certificate management will fail. 15.12 Troubleshooting (Optional) Hybrid Setup (CM+Intune) Some of the below might also apply to an Intune Only Setup! This section outlines how to troubleshoot when the enrollment of certificates is not working. Required Time: 15 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. General validation checks for the correct working of NDES. The device time should be accurate. If it’s off 5 minutes or more, you will not get SCEP certificate. Did the Root CA (of the issuing CA) certificate you deployed in ConfigMgr got pushed to the device? Can you access the NDES URL from the internet using a browser? a. Are you getting any certificate errors? Page 137 Task Detailed steps b. Make sure the URL corresponds with what is listed on the certificate (Error! Hyperlink reference not valid. registered domain name> and not Error! Hyperlink reference not valid. registered domain name>) Visit Error! Hyperlink download a file. reference not valid. You should get a response and the option to Push a certificate profile to a Windows device and check in the registry whether the request arrived. a. Open the registry editor and locate the following key: HKCU\Software\Microsoft\Windows\CurrentVersion\MDM b. The request will be visible as a subkey like shown in the screenshow below. The certificate thumbprint will be populated when the actual certificate is received. Open the CRPCTRL.LOG on the ConfigMgr server. The "previous status" should be 0. Check out the file C:\Program Files\Configuration Manager\Logs\crpctrl.log (could also be in x86 program files folder) There should be an entry as follows: CRP's previous status was 0 (0 = Online, 1 = Failed, 4 = Undefined) Do you get any requests logged on the IIS server of the NDES? What is the status code? Should be 200 in most cases! Check out the last modified log in C:\inetpub\logs\LogFiles\W3SVC1 Entries should look similar to this (notice the port number 443): 2014-07-07 13:45:27 10.0.0.6 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACert&message=MDM 443 - 80.81.82.83 - - 200 0 0 0 Do you see any requests logged in the NDES.log? Check out the log at C:\Program Files\Microsoft Configuration Manager\Logs\NDESPlugin.log Page 138 Task Detailed steps Entries should look similar to this: NDES - Error 12186 in ndesplugin.log? http://blogs.technet.com/b/ems/archive/2014/11/20/ndes-error-12186-in-the-ndesplugin-log.aspx Do you see any request logged on the IIS server of the CRP? What is the status code? Should be 200 in most cases! Check out the last modified log in C:\inetpub\logs\LogFiles\W3SVC1 Do you see any request logged in the CRP log on the CRP server? C:\Program Files\SMS_CCM\CRP\Logs\crp.log Are you getting this error: CRP's previous status was 1 (0 = Online, 1 = Failed, 4 = Undefined) Health check request failed, status code is 403, 'Forbidden'. Make sure you change IIS on your ConfigMgr server - CMCertificateRegistration SSL Settings to Ignore Client Certificates Do you see a certificate being issued on the issuing CA? Page 139 Page 140 16 Setup SSTP and L2TP VPN VPN1 The following section outlines how to setup and configure an SSTP VPN server for the Mobile Devices. This section will create the Virtual machine in a new Cloud Service to allow port 443 to be allocated to the VPN server. In the Cloud Service created previously port 443 is reserved to the NDES server for publishing NDES for Certificate enrollment. Also part of this lab is to ensure the Cloud Service has a reserved IP address so the VPN server can be shut down and dislocated without losing the public IP address. The VPN server will be created with a static IP in the same Virtual Network to ensure communication with the remaining Virtual Machines of the Lab. The creation of the Cloud Service, Reserved Public IP and Virtual Machine will all be done through PowerShell. Warning: Windows Phone 8.1 up till GDR1 does not support SSTP VPN, only IKEv2 VPN. Because an IKEv2 VPN server is not supported in Azure IaaS (during the writing of this document) Windows Phone cannot be used. Reference: http://blogs.msdn.com/b/lighthouse/archive/2013/07/30/how-deploy-sstp-and-l2tp-vpn-inwindows-azure-windows-server-2012.aspx 16.1 VPN1: Create the Virtual Machine Description: This section outlines how to create the new Cloud Service with reserved public IP address and virtual machine VPN1 with a static IP address through PowerShell. The PowerShell script will: Step 1: Log on to my Azure account Step 2: Create Cloud Service for VPN1 Step 3: Create a Public Reserved IP for the Cloud Service Step 4: Select the most recent Windows Server 2012 Image Step 5: Create a new VM for VPN1 with a static IP address Step 6: Configure the EndPoints for VPN1 Required Time: 10 minutes Page 141 Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. (optional) If not already installed, install Azure PowerShell on the Internet connected PC. On the Internet connected PC Start a new InPrivate Internet Explorer browsing session | Start Internet Explorer in the desktop | Right-click the Internet Explorer icon in the task bar | Select Start InPrivate Browsing. Install and Configure Azure PowerShell on the Virtual Machine as described in How to install and configure Azure PowerShell at http://azure.microsoft.com/enus/documentation/articles/install-configure-powershell/. A direct installation link to the Microsoft Web Platform Installer for Azure PowerShell can be found here: http://go.microsoft.com/fwlink/p/?linkid=320376&clcid=0x409 Note: If you are using a machine with Windows 10 Technical Preview and are fighting you might have to uninstall and reinstall Azure PowerShell. When the warning appears in Internet Explorer select Run In the Microsoft Azure PowerShell window select Install In the Prerequisites step select I Accept. In the Finish step select Finish. In the Web Platform Installer 5.0 select Exit. Run a PowerShell script to create the new Cloud Service with a reserved public IP address and the VPN1 Virtual Machine with a static IP address. Run Windows PowerShell ISE as administrator Copy and paste the script below into ISE Make sure all variables (in red starting with the $ sign) in the script below are replaced with values applicable for your environment. a. Make sure the location $Location is the same as the Location as your other Cloud Service b. Make sure the new Cloud Service Name $CloudServiceName is recognizable. For example if the name of your other Cloud Service is DeviceDemo make this one DeviceDemoVPN and the name of the Cloud Service is not already claimed in Azure. c. Make sure the new Reserved IP Address Name $ReservedIPName is recognizable. For example if the name of your other Reserved IP Address Name is DeviceDemo make this one DeviceDemoVPNIP. d. The $VMStaticIP will get an IP address assigned of “10.0.0.8". Make sure this is not already reserved. e. Make sure the name of the Virtual Network ($VNetName) is identical as the name you used for the Virtual network in Azure. f. Make sure the variable for Subnet ($SunbentName) is correct. This needs to be the same as already configured in your existing Virtual Network as shown below. Page 142 Task Detailed steps Execute the script below. Note 1: You might get warning that the DNS server is already in use. This can be ignored. Note 2: If the script fails because of conflicts make sure to do the following before running again: Delete the Cloud Service in Azure. Delete the Reserved IP by execturing: Remove-AzureReservedIP -ReservedIPName "M" -Force # # # # # # # # # # PowerShell command to create a Virtual Machine for VPN1 with a static IP in a NEW Cloud Service with a NEW reserved Public IP Address and the Endpoint for VPN1 Details: Step 1: Log on to my Azure account Step 2: Create Cloud Service for VPN1 Step 3: Create a Public Reserved IP for the Cloud Service Step 4: Select the most recent Windows Server 2012 Image Step 5: Create a new VM for VPN1 with a static IP address Step 6: Configure the EndPoints for for VPN1 # Reference: # Reserved IP addresses: http://michaelcollier.wordpress.com/2013/07/30/the-case-of-thelatest-windows-azure-vm-image/ # Step 1: Log on to my Azure account Add-AzureAccount # Step 2: Create a new Cloud Service for VPN1 $Location = "East US" $CloudServiceName = "DeviceDemoVPN" New-AzureService -ServiceName $CloudServiceName -Location $Location # Step 3: Create a Public Reserved IP for the Cloud Service $ReservedIPName = "DeviceDemoVPNIP" New-AzureReservedIP -ReservedIPName $ReservedIPName -Label $ReservedIPName -Location $Location # Step 4: Select the most recent Windows Server 2012 Image $Images = Get-AzureVMImage ` | where { $_.ImageFamily -eq "Windows Server 2012 Datacenter" } ` | where { $_.Location.Split(";") -contains $location} ` | Sort-Object -Descending -Property PublishedDate # Step 5: Create a new VM for VPN1 with a static IP address $VMName = "VPN1" $InstanceSize = "Small" $AdminUserName = "LabAdmin" $Password = "L@b@dm1n" Page 143 Task Detailed steps $SunbentName = "Subnet-1" $VMStaticIP = "10.0.0.8" $VNetName = "DeviceDemo" New-AzureVMConfig -Name $VMName -InstanceSize $InstanceSize -ImageName $images[0].ImageName | Add-AzureProvisioningConfig -Windows -AdminUsername $AdminUserName -Password $Password | Set-AzureSubnet -SubnetNames $SunbentName | Set-AzureStaticVNetIP -IPAddress $VMStaticIP | New-AzureVM -ServiceName $CloudServiceName –ReservedIPName $ReservedIPName -VNetName $VNetName -Location $Location # Step 6: Configure the EndPoints for for VPN1 $sSTPEndPointName = "SSTP" $sSTPEndpointProtocol = "TCP" $sSTPEnpPointPublicPort = "443" $sSTPEndPointLocalPort = "433" $l2TPEndPointName = "L2TP" $l2TPEndpointProtocol = "UDP" $l2TPEnpPointPublicPort = "1701" $l2TPEndPointLocalPort = "1701" $iPSecEndPointName = "IPSec" $iPSecEndpointProtocol = "UDP" $iPSecEnpPointPublicPort = "500" $iPSecEndPointLocalPort = "500" $iKEv2EndPointName = "IKEv2" $iKEv2EndpointProtocol = "TCP" $iKEv2EnpPointPublicPort = "4500" $iKEv2EndPointLocalPort = "4500" Get-AzureVM -ServiceName $cloudServiceName -Name $vMName | Add-AzureEndpoint -Name $sSTPEndPointName -Protocol $sSTPEndPointProtocol -PublicPort $sSTPEnpPointPublicPort -LocalPort $sSTPEndPointLocalPort | Add-AzureEndpoint -Name $l2TPEndPointName -Protocol $l2TPEndPointProtocol -PublicPort $l2TPEnpPointPublicPort -LocalPort $l2TPEndPointLocalPort | Add-AzureEndpoint -Name $iPSecEndPointName -Protocol $iPSecEndPointProtocol -PublicPort $iPSEcenpPointPublicPort -LocalPort $iPSEcendPointLocalPort | Add-AzureEndpoint -Name $iKEv2EndPointName -Protocol $iKEv2EndPointProtocol -PublicPort $iKEv2EnpPointPublicPort -LocalPort $iKEv2EndPointLocalPort | Update-AzureVM 16.2 VPN1: VM – Configure and Join VPN1 to the CORP domain. This section will outline how to join VPN1 to the Corp domain. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. Join the VPN1 VM to the Corp domain. Note: The provisioning of VPN1 can take a few minutes so please be patient. Make sure you are logged on to the management portal of Manage.windowsazure.com. Select Virtual Machines Select VPN1 and click Connect . at the bottom of the screen. Page 144 Task Detailed steps Logon to VPN1 with “.\LabAdmin” with the password “L@b@dm1n Open Server Manager Select Local Server Turn off IE Enhanced Security Configuration by clicking on On and selecting Off for Administrators and Users. (for later) Click on WORKGROUP in the Workgroup field. In the Computer Name tab click Change. In the Member of field make sure Domain is selected. In the Domain field type in Corp.. E.g. Corp.. and click OK. For User name use LabAdmin and password type L@b@dm1n . Click OK. In the Computer Name/Domain Changes window click OK. Click OK to reboot the computer. Click Close to close the System Properties window. Click Restart Now. 16.3 VPN1: VM – Install Azure PowerShell This section will outline how to install the Azure PowerShell extensions on VPN1. Note: Before continuing with the following sections, it is recommended to update VPN1 with all the latest updates from Microsoft Update. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. Install Azure PowerShell and configure static IP Select Virtual Machines. Select “VPN1” and click Connect at the bottom of the screen. Logon to VPN1 with “LabAdmin” with the password “L@b@dm1n” Open Server Manager Select Local Server Install Azure PowerShell by going to the direct installation here: http://go.microsoft.com/fwlink/p/?linkid=320376&clcid=0x409 When the warning appears in Internet Explorer select Run In the Microsoft Azure PowerShell window select Install In the Prerequisites step, select I Accept. In the Finish step, select Finish. Page 145 Task Detailed steps In the Web Platform Installer 5.0 select Exit. 16.4 VPN1: Import the SSL Wild Card Certificate to VPN1 In this exercise we will import the SSL Wildcard Certificate (used on the ADFS server) to the Web VPN server VPN1. As this is a wildcard certificate it can also be used for the VPN server. Required Time: 5 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. Import SSL Cert into WAP1 If you are already logged on the VPN1 you can skip to step 5. Select Virtual Machines Select VPN1 and select Connect at the bottom of the screen. Logon to VPN1 with LabAdmin with the password L@b@dm1n Go to the Start screen, type certlm.msc and press Enter to open an MMC console on the desktop. Click Personal Click Certificates Right click Certificates and select All tasks -> Import In the Welcome to the Certificate Import Wizard click Next In the File Import page, in the File name: field enter \\DC1\c$\ADFSCert.PFX and click Next In the Private Key Protection page, in the Password: field enter “L@b@dm1n” (without the quotations) Click Next. In the Certificate Store page leave the default value to Personal and click Next. In the Completing the Certificate Import Wizard page click Finish. In the Certificate Import Wizard dialog box click OK. 16.5 VPN1: Configure the Firewall for VPN1 This section outlines how to enable the Firewall posts for the VPN server. Required Time: 5 minutes Page 146 Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. Connect to CM1 Select Virtual Machines . Select “VPN1” and click Connect at the bottom of the screen. Logon to VPN1 with “Corp\LabAdmin”. Open ports for SSTP, L2TP, IPSec and IKEv2 in the Firewall Open the Start screen Type Windows Firewall. Select Windows Firewall with Advanced Security Configure exception for SSTP port TCP 443 Right click inbound and select New Rule In the Rule Type step select Port and click Next In the Protocol and Ports step ensure TCP is selected and specify local ports field enter 433 and click Next In the Action step ensure the Allow the connection is enabled and click Next In the Profile step leave all Profiles selected and click Next In the Name step enter SSTP - TCP 433 and click Finish Configure exception for L2TP port UDP 1701 Right click inbound and select New Rule In the Rule Type step select Port and click Next In the Protocol and Ports step ensure UDP is selected and specify local ports field enter 1701 and click Next In the Action step ensure the Allow the connection is enabled and click Next In the Profile step leave all Profiles selected and click Next In the Name step enter L2TP - UDP 1701 and click Finish Configure exception for IPSec port UDP 500 Right click inbound and select New Rule In the Rule Type step select Port and click Next In the Protocol and Ports step ensure UDP is selected and specify local ports field enter 500 and click Next In the Action step ensure the Allow the connection is enabled and click Next In the Profile step leave all Profiles selected and click Next In the Name step enter IPSec - UDP 500 and click Finish Configure exception for IKEv2 port UDP 4500 Page 147 Task Detailed steps Right click inbound and select New Rule In the Rule Type step select Port and click Next In the Protocol and Ports step ensure UDP is selected and specify local ports field enter 4500 and click Next In the Action step ensure the Allow the connection is enabled and click Next In the Profile step leave all Profiles selected and click Next In the Name step enter IKEv2 - UDP 4500 and click Finish 16.6 VPN1: Install and Configure SSTP and L2TP VPN In this section, we will install and configure the SSTP VPN on VPN1. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. Install Remote Access ▪ On VPN1 open Server Manager. To open Server Manager, click Server Manager on the Start screen, or Server Manager in the taskbar on the desktop. In the Quick Start tab of the Welcome tile on the Dashboard page, click Add roles and features. Alternatively, you can click Add Roles and Features on the Manage menu. ▪ On the Before you begin page, click Next. ▪ In the Installation type step, click Role-based or Feature-based installation, and then click Next. ▪ In the Server Selection step, click Select a server from the server pool, verify that the target computer is selected, and then click Next. ▪ ▪ ▪ ▪ ▪ ▪ In the Server Roles step, click Remote Access. ▪ ▪ ▪ ▪ In the Web Server Role (IIS) click Next In the Add Roles and Features window select Add Features In the Server Roles step, click Next In the Features step click Next In the Remote Access step click Next In the Roles Services step make sure DirectAcces and VPN (RAS) and Routing are selected and then click Next. In the Role Services step click Install Wait until the installation process is finished Don’t close the window! Once the installation is completed in the Results step click Close. Page 148 Task Configure Routing and Remote Access Detailed steps On the Installation progress page, verify that everything installed correctly Click Open the Getting Started Wizard. In the Configure Remote Access windows click Deploy VPN Only. Right click VPN1(local), and click Configure and Enable Routing and Remote Access. In the Welcome screen of the Routing and remote Access Server Setup Wizard click Next In the Configuration step choose Custom configuration and click Next. In the Custom Configuration step select VPN access and NAT and click Next. In the Completing the Routing and Remote Access Server Setup Wizard click Finish Warning: A message may appear that the port is not accessible and the Firewall needs to be configured. If this happens this message may be ignored. Please make sure to manually star the service by right clicking on VPN1(local). In Start the service window click Start service. The icon of VPN1(local) should now be green to show it is running. Click Finish (if asked) Bind the correct SSL Certificate and assign a static address pool. Right-click on VPN1(local) and select Properties. Select the Security tab. Select Allow custom IPSec policy for L2TP/IKEv2 connection Enter a Preshared Key: with the key L@b@dm1n Page 149 Task Detailed steps Under SSL Certificate Binding change the Certificate: field so the wildcard SSL certificate is selected that you have just imported. This will look like *.. Select the IPv4 tab Select Static address pool and click Add Enter a Start IP address: of 192.168.0.1 Enter an End IP address: of 192.168.0.20 Click OK In the IPv4 tab click OK If you are asked to restart the router confirm the router can be restarted. Configure NAT In the Routing and Remote Access management console click IPv4 node and expand it. Right click NAT and choose New Interface… In the New Interface for IPNAT select an external interface e.g. ”Ethernet ” Page 150 Task Detailed steps In the Network Address Translation Properties dialog, choose Public interface connected to the Internet and check Enable NAT on this interface. Click OK to save the configuration. 16.7 DC1: DNS – Add External VPN address to internal Split Brain DNS zone and External DNS zone. We need to make sure name resolution works for the VPN server from internal as well as over the internet. We are using a different domain name for the internal Active Directory (corp.) as for the domain used externally. Therefor we have setup a Split-brain DNS internally. As the VPN server will need to be published for external devices, we also need to add the host record of the VPN server to the external DNS server Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. Logon to DC1Connect to CM1 Select Virtual Machines. Page 151 Task Detailed steps Select DC1 and click Connect at the bottom of the screen. Logon to DC1 with Corp\LabAdmin. Configure Internal DNS for NDES Open Server Manager Click Tools and select DNS to open the DNS Manager. In the console tree, expand DC1, expand Forward Lookup Zones, right-click corp., and then click New Host (A or AAAA). In Name, type VPN In IP address, type the IP address of VPN1 server (e.g. 10.0.0.8). Click Add Host. Click OK Click Done In the console tree, expand DC1, expand Forward Lookup Zones, right-click , and then click New Host (A or AAAA). In Name, type VPN In IP address, type the IP address of VPN1 server (e.g. 10.0.0.8). Click Add Host. Click OK Click Done Type the following command, and then press Enter: Ipconfig /flushdns Configure Public Domain Settings @ GoDaddy Open Internet Explorer in Private mode and logon your publicly registered domain Provider (e.g. GoDaddy) http://www.godaddy.com NOTE: steps may be different for different Public Domain provider Click My Account and select Manage My Domains. Click the Sign In button and sign in with the account you used to register your public domain during the previous lab. Click in the wheel icon and select Domain details Select the DNS Zone File tab Click on Add Record . Select A(Host) from the Record Type menu. For Host: field type VPN For the Point to: field use the external VIP of the Cloud Service of which VPN1 is part of. This can be found in the Cloud Service properties in the Azure management portal as shown in the picture below. Page 152 Task Detailed steps In the GoDaddy Add Zone Record window click Finish Back in the DNS Zone overview confirm the changes made through clicking on Save Changes . 16.8 DC1: Provide Users access to VPN This section will outline how to provide users in the Corp domain access to VPN. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. Provide users in the Corp domain access to VPN provide users in the Corp domain access to VPN users in the Corp domain access to VPN users in the Make sure you are logged on to the management portal of Manage.windowsazure.com. Select Virtual Machines . Page 153 Task Detailed steps Corp domain access to VPN Select NDES1 and click Connect at the bottom of the screen. Logon to WAP1 with “Corp\LabAdmin” with the password L@b@dm1n Open Server Manager Click on Tools and select Active Directory Users and Computers Open the OU Corp\Users Right-click Test User1 and click on Properties Select the Dial-in tab Under Network Access Control select Allow Access Click OK Repeat the step above for all other users requiring access to VPN. Page 154 17 Managing Windows Phone 8.1 The following section outlines how to configure the environment for Windows Phone 8.1 and configure several common scenarios through Configuration Manager and or Intune. 17.1 Intune: Configure Intune for Windows Phone Intune Only Setup (This section is not applicable if you are setting up a Hybrid Scenario!) This section outlines how to configure Intune to be used for managing Windows Phones, deploy the Company Portal and several demo applications. To manage Windows Phones a Symantec Enterprise Mobile Code Signing Certificate is required. This certificate is required to create the Application Enrollment Token (AET), and the side loaded applications published through the company portal. For demo purposes the Support Tools for Windows Intune Trial Management of Windows Phone can be used to evaluate the product. It also includes and two sample applications that can be used for WP software distribution scenarios. These will also be used later in this lab. This tool allows Microsoft Intune admins to try out Windows Phone software distribution scenarios during the Trial period. The tool also includes sample applications that can be used to test sideloading and upgrading. We will use these applications in a later exercise. Required Time: 30 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the Intune Administration console at manage.microsoft.com. Download and Install the Windows Phone by using the Support Tool for Windows Intune Trial 1. Start a new InPrivate Internet Explorer browsing session | Start Internet Explorer in the desktop | Right-click the Internet Explorer icon in the task bar | Select Start InPrivate Browsing. 2. Log in to your Windows Intune account via http://manage.microsoft.com. 3. Download and Install the MSI located here http://www.microsoft.com/en-us/download/details.aspx?id=39079. This will extract the sample SSP.xap and other sample xap files included in the MSI. The default location for the files is “C:\Program Files Page 155 Task Detailed steps (x86)\Microsoft\Support Tool for Windows Intune Trial management of Windows Phone” Note: The support tool included in the package is not needed for Windows Intune administrators. It is required for only Microsoft System Center 2012 Configuration Manager Administrators. Note: Windows Phone 8.0 requires that you have a Self Service Portal (SSP) uploaded to the Admin Console before you can begin management of devices. This is not required for Windows Phone 8.1, however if you want to create a customized SSP then you can choose this option for Windows Phone 8.1. 17.2 CM1: Configure Configuration Manager/Intune for Windows Phone 8.1 Hybrid Setup (CM+Intune) (This section is not applicable if you are setting up a Intune-Only Scenario!) This section outlines how to configure CM/Intune to be used for managing Windows Phones, deploy the Company Portal and several demo applications. To manage Windows Phones a Symantec Enterprise Mobile Code Signing Certificate is required. This certificate is required to create the Application Enrollment Token (AET), and the side loaded application published through the company portal. For demo purposes the Support Tools for Windows Intune Trial Management of Windows Phone can be used to evaluate the product. This will also be used in this exercise. This tool facilitates Microsoft System Center 2012 Configuration Manager admins and Microsoft Intune admins to try out Windows Phone software distribution scenarios during the Trial period. Note: For Microsoft employees the subscription can be extended to a you’re through the following link: http://aka.ms/intune-trialextension Required Time: 30 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Connect to CM1 Select Virtual Machines . Page 156 Task Detailed steps Select “CM1” and click Connect at the bottom of the screen. Logon to CM1 with “LabAdmin”. Create a Windows Phone 8.1 Collection Note: With the current version of Intune not all scenario’s support device targeting. Therefor we will use mostly user targeting. The Query below therefor is only to get an overview of all the managed Windows Phone 8.1 devices in the environment. On CM1 0en the Configuration Manager Management Console In the Navigation Pane select Assets and Compliance Expand Overview Right click Device Collections and select Create Device Collection In the Name field enter Windows Phone 8.1 In limiting Collection click Browse Select All Mobile Devices Click OK In the General step click Next In the Membership Rules step click Add Rule and select Query Rule In the Name field type Windows Phone 8.1 Click Edit Query Statement Click Show Query Language Paste the query below in the Query Statement field: select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_G_System_DEVICE_OSINFORMATION on SMS_G_System_DEVICE_OSINFORMATION.ResourceID = SMS_R_System.ResourceId where SMS_G_System_DEVICE_OSINFORMATION.Platform like "Windows Phone" and SMS_G_System_DEVICE_OSINFORMATION.Version like "8.1%" Click OK In the Query Rule Properties window click OK In the Membership Rules step click Next In the Summary step click Next In the Completion step click Close Download and Install the Windows Phone by using the Support Tool for Windows Intune Trial Management of Window Phone Start a new InPrivate Internet Explorer browsing session | Start Internet Explorer in the desktop | Right-click the Internet Explorer icon in the task bar | Select Start InPrivate Browsing. In the address bar of the new InPrivate session, navigate to http://www.microsoft.com/enus/download/details.aspx?id=39079. Click Download. In the bar at the bottom of the screen click Run. The Welcome screen of the Support Tools will appear. Page 157 Task Detailed steps Click Next. In the License Agreement window select I Agree Click Next In the Select Installation Folder select Everyone and click Next In the Confirm Installation screen click Next In the Installation Complete window click Close Create Software Library for Applications Go to the Start screen Type File Explorer and click File Explorer Right click on the C: drive and select New -> Folder Name the folder SoftwareLib Right click the folder SoftwareLib and select Properties Select the Sharing tab Click Advanced Sharing Select Share this folder Click Permissions Make sure Everyone is selected and under Allow select Full Control Click OK In the Advanced Sharing window click OK Select the Security tab. Click Edit Click Add Click select a Principal Click Object Types Select Computer Enter CM1 and click Check Names Click OK Make sure CM1 is selected under Group or User names Under Allow select Full Control Click OK In the SoftwareLib Properties window click Close In File Explorer Select the C: drive. Select Program Files (x86) Select Microsoft Select Support Tool for Windows Intune Trial management of Windows Phone Copy all three folders to the SoftwareLib folder. Create SSP.XAP as Application within the Configuration Manager console Create SSP.XAP In the Configuration Manager console in the Navigation pane Under Software Library – Application Management select Applications In the Ribbon click Create Application Page 158 Task (included in the msi) as Application within the Configuration Manager console Create SSP.XAP (included in the msi) as Application within the Configuration Manager console Detailed steps In the Create Application Wizard windows in the general step for Type: select Windows Phone app package (*.xap file) At Location: click Browse In the File name: field enter \\CM1\SoftwareLib and click Open Select the SSP folder Select SSP.xap and click Open In the General step click Next In the Import Information step click Next In the General Information step for the Name: field enter Company Portal App In the Summary step click Next In the Completion step click Close Deploy the Company Portal App (as Available!!!) Under Applications right click Company Portal App and select Deploy In the Deploy Software Wizard window for the Collection: field click Browse, select the All Users collection and click OK Click Next Click Add and select Distribution Point Select the MANAGE.MICROSOFT.COM Cloud Distribution Point Click OK Click Next In the Deployment Settings step make sure the Purpose: is set to Available. Please note this is very important! If set to available enrolment of devices could fail! In the Scheduling step click next In the User Experience step click Next In the Alerts step click Next In the Summary step click Next In the Completion step click Close Enable management of Windows Phone 8 devices. Go to the Start screen Type CMD right, right click Command Prompt and select Run as Administrator In the command prompt type cd “c:\program Files(x86)\Microsoft\Support Tools for Windows Intune Trial management of Windows Phone\Support Tool” Type cscript ConfigureWP8Settings_Field.vbs CM1.corp. QuerySSPModelName Copy the Model Name: starting with Scope_Id_... Go to the Start screen Type Notepad and select Notepad Paste the Model Name number in Notepad Page 159 Task Detailed steps Make sure the entire number is on a single line in Notepad and the string starting with ScopeId is copied as shown below. In the command prompt type cscript ConfigureWP8Settings_Field.vbs CM1.corp. SaveSettings and press Enter. Where is the string copied in Notepad. Validate the configuration in the Windows Intune Subscription Make sure the Configuration Management console is opened. In the Navigation Pane select Administration Expand Overview Expand Cloud Services Select Windows Intune Subscriptions Right click Windows Intune Subscription and select Properties Select the Windows Phone 8 tab and notice that the Enable Windows Phone 8 enrolment is selected and .pfx section is completed. Click OK Create Demo Application Shapes In the Configuration Manager console in the Navigation pane Under Software Library – Application Management select Applications In the Ribbon click Create Application In the Create Application Wizard windows in the general step for Type: select Windows Phone app package (*.xap file) At Location: click Browse In the File name: field enter \\CM1\SoftwareLib and click Open Select the Sample Apps folder Select Shapes.xap and click Open In the General step click Next In the Import Information step click Next In the General Information step for the Name: field enter Shapes App In the Summary step click Next In the Completion step click Close Deploy the Demo Application Shapes Under Applications right click Shapes App and select Deploy In the Deploy Software Wizard window for the Collection: field click Browse, select the All Users collection and click OK Click Next Click Add and select Distribution Point Select the MANAGE.MICROSOFT.COM Cloud Distribution Point Page 160 Task Detailed steps Click OK Click Next In the Deployment Settings step make sure the Purpose: is set to Available. In the Scheduling step click next In the User Experience step click Next In the Alerts step click Next In the Summary step click Next In the Completion step click Close Create Demo Application ClickMeV1 In the Configuration Manager console in the Navigation pane Under Software Library – Application Management select Applications In the Ribbon click Create Application In the Create Application Wizard windows in the general step for Type: select Windows Phone app package (*.xap file) At Location: click Browse In the File name: field enter \\CM1\SoftwareLib and click Open Select the Sample Apps folder Select ClickMeV1.xap and click Open In the General step click Next In the Import Information step click Next In the General Information step for the Name: field enter Shapes App In the Summary step click Next In the Completion step click Close Deploy the Demo Application ClickMeV1 Under Applications right click ClickMeV1 App and select Deploy In the Deploy Software Wizard window for the Collection: field click Browse, select the All Users collection and click OK Click Next Click Add and select Distribution Point Select the MANAGE.MICROSOFT.COM Cloud Distribution Point Click OK Click Next In the Deployment Settings step make sure the Purpose: is set to Required. In the Scheduling step click next In the User Experience step click Next In the Alerts step click Next In the Summary step click Next In the Completion step click Close Page 161 17.3 Hyper-V: WP8.1 – Enrollment This section outlines how to setup the Windows Phone Emulator and how to enroll a Windows Phone 8.1 in the new environment. When using the emulator see below the shortcuts. Keyboard shortcuts The following keyboard shortcuts within a Hyper-V VM emulate Windows Phone hardware buttons: ▪ Esc - Hardware Back button ▪ F2 - Hardware Start ("Windows") button ▪ F3 - Hardware Search ("Bing") button ▪ F7 - Camera button ▪ F9 - Volume increase button ▪ F10 - Volume decrease button ▪ F12 - Power button (screen goes dark) ▪ F12 x 2 - Screen lock Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Ensure the prerequisites are met on the machine (Only when the Windows Phone Emulator is used) Logon to the machine. If not already installed make sure: a. Hyper-V is installed on the machine Page 162 Task Detailed steps b. Visual Studio 2013 Update 2 or higher is installed on the machine. Can be downloaded from here https://dev.windowsphone.com/en-us/downloadsdk. c. Start the Emulator (Only when the Windows Phone Emulator is used) The Windows Phone 8.1 Update 1 Emulators is installed which can be downloaded from the same link above. Start the Start screen. Type Hyper-V and select Hyper -V Manager If not already running start the Windows Phone Emulator If no Emulator is running start Visual Studio 2013 by going to the Start screen, typing Visual Studio and selecting Visual Studio 2013. In Visual Studio in the menu select Tools and select Developer Power Tools. Under Select Device select a Phone type. Wait for the Emulator to start, close the Emulator and close Visual Studio. Go back to the Hyper-V manager and start the Windows Phone Emulator Configure Internet Access on the Emulator Start the Start screen. (Applies only when the Windows Phone Emulator is used) In the Action pane select Virtual Switch Manager Type Hyper-V and select Hyper -V Manager In the Virtual Switches select Windows Phone Emulator Internal Switch In connection type select External network and select a network with internet connectivity. On the Start screen of the Phone select Internet Explorer Click recommended for the Internet Explorer settings Validate there is internet access. Configure an MSA account on the phone. (Applies only when the Windows Phone Emulator is used. On a physical phone this will be done during the setup of the phone when first turned on (OOBE)) Enroll the Windows Phone On the Start screen of the phone select the Mail tile with the envelope. In the ADD AN ACCOUNT screen select Microsoft account. Click sign in Type the username and password of an MSA account. In the Back Up? Screen click not now On the Windows Phone swipe down from the top of the screen and select ALL SETTINGS Select workplace In workplace click add account In the workplace screen in the Email address field type the UPN of one of the test users you created. For example TestUser1@. In the Intune Sign-in page type the Password for the user. In the ACCOUNT ADDED screen click done Note: The Company Portal will be installed as part of the Enrollment process Troubleshooting Enrollment If you need to troubleshoot enrollment you can follow the instructions in this blog. How to troubleshoot Windows Phone 8.1 enrollment via Microsoft Intune http://www.petervanderwoude.nl/post/how-to-troubleshoot-windows-phone-8-1enrollment-via-microsoft-intune/ Page 163 Task Detailed steps 17.4 CM1: WP8.1 – Adding the IMEI, Device Name and Phone Number to the Inventory Hybrid Setup (CM+Intune) (This section is not applicable if you are setting up a Intune-Only Scenario!) While System Center Configuration Manager and Intune will inventory a lot of information by default, there might be a few items that you think are missing. Well, just as you create custom MOF (Managed Object Format) files to collect additional information on the servers and workstations you manage with System Center Configuration Manager, you can do the same for Windows Phone 8.1. This lab shows you how to create a MOF to inventory the device name (the one the end user specified), IMEI, and the phone number of the device. This is an example that includes the three most common pieces of hardware inventory that customers have requested for Windows Phone 8.1 that isn't included by default. Required Time: 10 minute Task Detailed steps Complete these steps from an internet-connected Windows computer. Connect to CM1 Select Virtual Machines . Select “CM1” and click Connect at the bottom of the screen. Logon to CM1 with “LabAdmin”. Create a MOF to inventory the device name (the one the end user specified), IMEI, and the phone number of the device. Adding the IMEI, Device Name and Phone Number. Go to the Startscreen Type Notepad and select the Notepad application Copy and paste the following in the Notepad file: #pragma namespace ("\\\\.\\root\\cimv2") instance of __Namespace { Name = "SMS" ; }; #pragma namespace ("\\\\.\\root\\cimv2\\SMS") Page 164 Task Detailed steps instance of __Namespace { Name = "INV_TEMP" ; }; #pragma namespace ("\\\\.\\root\\cimv2\\SMS\\INV_TEMP") class SMS_Class_Template { }; [ SMS_Report (TRUE), SMS_Group_Name ("Device_CUSTOMINFO"), SMS_Class_ID ("MICROSOFT|DEVICE_CUSTOMINFO|1.0"), Namespace ("Reserved"), SMS_DEVICE_URI ("") ] class Device_CUSTOMINFO : SMS_Class_Template { [SMS_Report (TRUE), SMS_DEVICE_URI("WM:./DevDetail/Ext/Microsoft/DeviceName")] String DeviceName; [SMS_Report (TRUE), SMS_DEVICE_URI("WM:./Vendor/MSFT/DeviceInstanceService/IMEI")] String IMEI; [SMS_Report (TRUE), SMS_DEVICE_URI("WM:./Vendor/MSFT/DeviceInstanceService/PhoneNumber")] String PhoneNumber; }; In the Notepad menu select File and Save As Save the file on the Desktop as DeviceName and IMEI and Phone Number.MOF Open the Configuration Manager Management Console In the navigation pane select Administration Navigate to Overview, Site Configuration and select Client Settings Right-click Default Client Settings and choose Properties On the Hardware Inventory pane choose Set Classes…” Click Import Browse to the Desktop and select the file DeviceName and IMEI and Phone Number.MOF Click Open Leave the default selection and click Import Click OK and Click OK again to return to the Configuration Manager console. The next time your Windows Phone 8.1 devices send inventory to Intune you’ll get the additional information specified in the MOF. Note: You can further extend your MOF file by using other data specified in the Windows Phone 8.1 MDM Protocol documentation located here. Page 165 17.5 Intune: WP8.1 – Configuring Policy Settings and Policies based on OMA-URI Intune Only Setup (This section is not applicable if you are setting up a Hybrid Scenario!) To be completed in a future version. This section outlines how to configure policies for Windows Phone in Intune available through the Intune Interface and a policy through OMA-URI. Use the Microsoft Intune Windows Phone OMA-URI Policy to deploy OMA-URI (Open Mobile Alliance Uniform Resource Identifier) settings that can be used to control features on Windows Phone devices. These are standard settings that many mobile device manufacturers use to control device features. This capability is intended to allow you to deploy Windows Phone settings that are not configurable with an Intune policy. For information about the settings you can configure with these policies, see Configure security policy for mobile devices in Microsoft Intune. For help creating OMA-URI settings for Windows Phone devices, see Windows Phone 8.1 MDM protocol documentation. All the settings that can be configured with Windows Phone 8.1 can be found in the Windows Phone 8.1 MDM protocol documentation at http://technet.microsoft.com/enus/library/dn499787.aspx. A complete Windows Phone 8.1 Configuration Baseline of all supported settings is published by Peter van der Woude on TechNet here: https://gallery.technet.microsoft.com/Windows-Phone-81-ebed1836. Required Time: 20 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the Intune Administration console at manage.microsoft.com. Create an OMA-URI Policy to disable Action Center notifications when the device is locked. 1. In the Navigation Pane of the Intune Admin Console click on Policy > Configuration Policies. 2. In the Tasks pane click Add Policy. 3. Navigate to Windows > Windows Phone OMA-URI Policy, select the Create and Deploy a Custom Policy radio button and click Create Policy. 4. The Create Policy window will now appear. 5. In the Name field type Windows Phone – AboveLock / AllowActionCenterNotifications 6. Click Add. Page 166 Task Detailed steps 7. In the Setting name field enter Windows Phone – AboveLock / AllowActionCenterNotifications 8. For Data Type select Integer. 9. In the OMA URI field enter (Case sensitive) ./Vendor/MSFT/PolicyManager/My/AboveLock/AllowActionCenterNotific ations 10. For Value enter 0 (0 means the setting is applied). 11. Click OK. 12. Click Save Policy. 13. At the Do you want to deploy this policy now? prompt click Yes. 14. Click on the group All Mobile Devices then click Add. Click OK. Confirm the configuration is applied. 1. Perform the following steps from your Windows Phone 8.1 device. 2. Ensure that policy has been updated on your device by navigating to settings > workplace, click the enrolled text then click the refresh button. 3. Lock your Windows Phone Device (Press F12 to lock / unlock in the emulator). Note: If you want to prevent the user from using Settings you have to wait until the phone requires a password again. This can be configured in Settings -> Lock Screen -> Require a password after. 4. Pull down the notifications menu, observe that there are no notifications shown and that the horizontal divider cannot be moved to the bottom of the screen. Page 167 17.6 CM1: WP8.1 – Configuring Policy Settings and Policies based on OMA-URI Hybrid Setup (CM+Intune) (This section is not applicable if you are setting up a Intune-Only Scenario!) This section outlines how to configure policies for Windows Phone in CM/Intune available through the Configuration Manager Interface and a policy through OMA-URI. System Center Configuration Manager has the ability to create custom settings with OMA URIs (Open Mobile Alliance Uniform Resource Identifier) to target Configuration Service Providers (CSPs) on a device to directly configure nodes available on a mobile device. This allows us to bridge the gap between what features and functionality are available for a mobile device and what is available for configuration through the System Center Configuration Manager GUI. As not all available settings can be configured through the standard interface of Configuration Manager/Intune this lab also demonstrates how to configure a policy through OMA-URI. All the settings that can be configured with Windows Phone 8.1 can be found in the Windows Phone 8.1 MDM protocol documentation at http://technet.microsoft.com/en-us/library/dn499787.aspx. A complete Windows Phone 8.1 Configuration Baseline of all supported settings is published by Peter van der Woude on TechNet here: https://gallery.technet.microsoft.com/Windows-Phone-81-ebed1836 Required Time: 20 minute Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Connect to CM1 Select Virtual Machines . Select “CM1” and click Connect at the bottom of the screen. Logon to CM1 with “LabAdmin”. Go to the Start Screen. Type Configuration Manager Console and Click on it. Create a Password policy through the CM/Intune interface to require a password of 4 characters. In the Navigation Pane of the Configuration Manager console click on Assets and Compliance. Click on Overview -> Compliance Settings ->Configuration Items. In the Ribbon click on Create Configuration Item Page 168 Task Detailed steps In the Name field type Windows Phone Password Policy For the Specify the type of configuration item that you want to create: select Mobile Device Click Next In the Mobile Device setting group check Password and click Next In the Require password settings on mobile devices field select Required Check the Minimum password length (characters) and leave the value at 4. Click Next Uncheck Select all In the Supported Platform step check the Windows Phone checkbox. Click Next In the Platform Applicability step click Next In the Summary step click Next In the Complete window click Close Create an OMA-URI Policy to disable Action Center notifications when the device is locked. In the Navigation Pane of the Configuration Manager console click on Assets and Compliance. Click on Overview -> Compliance Settings ->Configuration Items. In the Ribbon click on Create Configuration Item In the Name field type Windows Phone - AboveLock/AllowActionCenterNotifications For the Specify the type of configuration item that you want to create: select Mobile Device Click Next Select the checkbox Configure additional settings that are not in the default setting group Click Next In the Additional Settings step click Add Click Create Setting In the name field enter Windows Phone - AboveLock/AllowActionCenterNotifications For Setting type select OMA URI For Data Type select Integer In the OMA URI field enter ./Vendor/MSFT/PolicyManager/My/AboveLock/AllowActionCenterNotifications Click OK In the Browse Settings scroll down to and select the setting Windows Phone AboveLock/AllowActionCenterNotifications Click Select In the following values field enter 0 (0 means the setting is applied) Click OK In the Browse Settings window select Close In the Additional Settings step click Next Page 169 Task Detailed steps In the Supported Platform step check the Windows Phone checkbox. Click Next In the Platform Applicability step click Next In the Summary step click Next Click Close Create a Configuration Baseline for the Windows Phone Policies. In the Navigation Pane of the Configuration Manager console click on Assets and Compliance. Click on Overview -> Compliance Settings ->Configuration Baseline In the Ribbon click Create Configuration Baseline In the Name field type Windows Phone - Baseline Click Add and select Configuration Items In the Add Configuration Items window select Windows Phone - Windows Phone Password Policy and click Add In the Add Configuration Items window select Windows Phone AboveLock/AllowActionCenterNotifications and click Add Click OK In the Create configuration Baseline window click OK Deploy the Configuration Baseline In the Navigation Pane of the Configuration Manager console click on Assets and Compliance. Click on Overview -> Compliance Settings ->Configuration Baseline Select the Baseline called Windows Phone 8.1 Baseline. In the Ribbon click Deploy In the Deploy Configuration Baseline window click Browse Select the collection called Mobile Users Click OK In the Deploy Configuration Baseline window click OK 17.7 Intune: WP8.1 – Configuring Allow and Deny Lists Intune Only Setup (This section is not applicable if you are setting up a Hybrid Scenario!) To be completed in a future version. Alternatively you can re0use the OMA-URI settings of the next section which will be identical. Page 170 17.8 CM1: WP8.1 – Configuring Allow and Deny Lists Hybrid Setup (CM+Intune) (This section is not applicable if you are setting up a Intune-Only Scenario!) This section describes the creation of an Allow Deny list. The sample allow and deny list demonstrates a list that allows all store apps from Adobe and Microsoft except for the Facebook App from Microsoft. The OMA-URI statement used for this allow deny list is shown below. Details of OMA-URI are explained in the previous lab. As shown in the example below the PublisherName is used to allow all applications with Publisher Name Adobe Systems Incorporated, Microsoft and Microsoft Corporation. Note: Please note to always include the Publisher Name Microsoft as this is required to allow the Company Portal to work! For the Facebook App Exception the App GUID is used. The App GUID and the publisher name of applications can be found in the Windows Phone App Store. For example the GUID of the Facebook app is included in the hyperlink of the App in the Windows Phone store: http://www.windowsphone.com/enus/store/app/facebook/82a23635-5bd9-df11-a844-00237de2db9e. When the OMA-URI statement is pasted in Configuration manager it needs to be pasted as a single sentence as shown below: Page 171 Required Time: 15 minute Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Connect to CM1 Select Virtual Machines . Select “CM1” and click Connect at the bottom of the screen. Logon to CM1 with “LabAdmin”. Go to the Start Screen. Type Configuration Manager Console and Click on it. Create an Allow Deny list through OMA-URI In the Navigation Pane of the Configuration Manager console click on Assets and Compliance. Click on Overview -> Compliance Settings ->Configuration Items. In the Ribbon click on Create Configuration Item In the Name field type Allow Deny list or Adobe and Microsoft except Facebook For the Specify the type of configuration item that you want to create: select Mobile Device Click Next Select the checkbox Configure additional settings that are not in the default setting group Click Next In the Additional Settings step click Add Click Create Setting In the name field enter Allow Deny list or Adobe and Microsoft except Facebook For Setting type select OMA URI For Data Type select String In the OMA URI field enter ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions Click OK In the Browse Settings scroll down to and select the setting Allow Deny list or Adobe and Microsoft except Facebook Click Select In the following values field enter Note: Please make sure this is all copied and pasted as a single row. Click OK In the Browse Settings window select Close In the Additional Settings step click Next In the Supported Platform step make sure only the Windows Phone checkbox is selected. Click Next In the Platform Applicability step click Next In the Summary step click Next Click Close Create SSP.XAP (included in the msi) as Application within the Configuration Manager console Create SSP.XAP (included in the msi) as Application within the Configuration Manager console In the Navigation Pane of the Configuration Manager console click on Assets and Compliance. Click on Overview -> Compliance Settings ->Configuration Baseline Select the Baseline called Windows Phone –Baseline In the Ribbon click Properties Select the Evaluation Conditions tab. Click the Add button and select Configuration Items Select the Windows Phone - Allow Deny list or Adobe and Microsoft except Facebook Click Add Click OK Click OK to close the Windows Phone – Baseline Properties.ield type Windows Phone 8.1 Baselin Validate the Allow Deny list on the Phone. Wait 5 minutes and connect to the Windows Phone enrolled in the environment. Go to All Settings Click Workplace Click on Enrolled Click on the refresh button at the bottom of the screen Go back to the start screen and look what has happened with the already installed applications. If they are not Microsoft or Adobe they should be greyed out. Start the Windows Phone Store App. Select an application that is not an` Adobe or Microsoft application and see the experience. There will be no Install button for the application and a message is listed in the App stating: This app is not available for your device. Tap here for more information. When clicking the message another toast will appear telling this app is disabled by the System Administrator. Search for the words Microsoft Corporation Scroll to the Facebook App and click the App. Notice the same experience as with the other blocked applications. Page 173 Task Detailed steps Select another App with publisher name Microsoft Corporate and notice there is an Install button.dministrator. Searchh for the FaceScroll to the Facebook App, select it and notive the same behaviour and experience as above.SeScrE 17.9 Intune: WP8.1 – CM1: WP8.1 - Configure Trusted Root and Certificate Deployment Intune Only Setup (This section is not applicable if you are setting up a Hybrid Scenario!) To be completed in a future version. This section outlines how to configure and deploy a Trusted Root CA and a SCEP Profile for Windows Phone 8.1 devices. Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. Connect to NDES1 Select Virtual Machines . Select “NDES1” and click Connect at the bottom of the screen. Logon to NDES1 with “Corp\LabAdmin”. Create a Certificate Profile for the Trusted Root CA On NDES1 open the Intune Admin Console. (https://manage.microsoft.com) In the Navigation Pane of the Intune Admin Console click on Policy > Configuration Policies. Page 174 Task Detailed steps In the Tasks pane click Add Policy. Navigate to Windows > Trusted Certificate Profile (Windows Phone 8.1 and later), select the Create and Deploy a Custom Policy radio button and click Create Policy. The Create Policy window will now appear. In the Name field type Windows Phone – Trusted Root Certificate Policy. Click Import… and import the root certificate we exported earlier C:\corp-DC1-CA.cer. if you open up the cert it should look like this: Click Save Policy. At the Do you want to deploy this policy now? prompt click Yes. Click on the group All Mobile Devices then click Add. Click OK. Create a SCEP Certificate Profile for Windows Phone devices On NDES1 open the Intune Admin Console. In the Navigation Pane of the Intune Admin Console click on Policy > Configuration Policies. In the Tasks pane click Add Policy. Navigate to Windows > SCEP Certificate Profile (Windows Phone 8.1 and later), select the Create and Deploy a Custom Policy radio button and click Create Policy. The Create Policy window will now appear. In the Name field type Windows Phone – SCEP Certificate Policy. Configure the other settings as show in the screenshots below. Ensuring the value of the SCEP Server URL is https://ndes./certsrv/mscep/mscep.dll. Then click Save Policy. Page 175 Page 176 Task Detailed steps After you have clicked Save policy at the Do you want to deploy this policy now? prompt click Yes. Click on the group All Users then click Add. Click OK. 17.10 CM1: WP8.1 - Configure Trusted Root and Certificate Deployment Hybrid Setup (CM+Intune) (This section is not applicable if you are setting up a Intune-Only Scenario!) This section outlines how to configure and deploy a Trusted Root CA and a SCEP Profile for Windows Phone 8.1 devices. Required Time: 20 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Connect to CM1 Select Virtual Machines . Select “CM1” and click Connect at the bottom of the screen. Logon to CM1 with “LabAdmin”. Create a Certificate Profile for the Trusted Root CA On CM1 open the Configuration manager Console In the navigation pane select Assets and compliance and browse to Compliance Settings, Company Resource Access, Certificate Profiles. In the Ribbon click Create Certificate Profile In the Name field type corp-DC1-CA - TrustedRootCA Select Trusted CA certificate and click Next Click Import Browse to and select c:\corp-dc1-ca.cer and click on Open In the Trusted Root CA Certificate step leave all settings as default and click Next In the Supported Platforms step make sure all platforms are selected and click Next In the Summary step click Next Page 177 Task Detailed steps In the Completion step click Close Deploy the Certificate Profile for the Trusted Root CA to all Mobile Users On CM1 open the Configuration manager Console In the navigation pane select Assets and compliance and browse to Compliance Settings, Company Resource Access, Certificate Profiles. Select corp-DC1-CA - TrustedRootCA. In the Ribbon click Deploy In the Deploy Trusted CA Certificate Profile screen under Collection: click Browse to select a collection. Select Mobile Users and click OK. Create a SCEP Certificate Profile for Windows Phone devices On CM1 open the Configuration manager Console In the navigation pane select Assets and compliance and browse to Compliance Settings, Company Resource Access, Certificate Profiles. In the Ribbon click Create Certificate Profile In the Name field type Windows Phone – SCEP Certificate Profile Select Simple Certificate Enrolment Protocol (SCEP) settings and click Next In the SCEP Enrolment step leave the defaults and click Next In the Certificate Properties step for Certificate template name: click Browse The Issuing Certificate Authority should be selected by default (DC1.corp.) For the Certificate template name: click the field and select SCEPGenerealPurpose Click OK Note at this point be aware of: ▪ iOS doesn’t support fully distinguished name as the subject name format or including e-mail address in subject name. ▪ All settings need to be configured according to what you have specified in the template (e.g. the key-length). ▪ If the template name contains non-ASCII characters the cert will not be deployed In the Certificate Properties step use the following other values (leave the other values as default). a. Subject name format: Common Name b. Subject alternative name: select User principal name (UPN) c. Hash Algorithm: select SHA1 d. Root CA certificate: click Select, check corp-DC1-CA - TrustedRootCA and click OK Click Next In the Supported Platform step make sure Windows Phone 8.1 is selected and click Next In the Summary step click Next In the Completion step click Close Deploy the Certificate Profile for the SCEP Certificate for Windows Phone devices On CM1 open the Configuration manager Console In the navigation pane select Assets and compliance and browse to Compliance Settings, Company Resource Access, Certificate Profiles. Select Windows Phone – SCEP Certificate Profile Page 178 Task Detailed steps In the Ribbon click Deploy In the Deploy SCEP Certificate Profile screen under Collection: click Browse to select a collection. Select Mobile Users and click OK. 17.11 Intune: WP8.1 - Configure Mail Profile Intune Only Setup (This section is not applicable if you are setting up a Hybrid Scenario!) This section outlines how to configure and deploy an eMail Profile for Windows Phone 8.1 devices in Intune. Prerequisite: To complete this scenario you need to have am Office 365 subscription setup. Required Time: 20 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to a PC with internet access. Connect to CM1 Open Internet Explorer InPrivate mode. Navigate to http://manage.microsoft.com Sign in with admin@.onmicrosoft.com Click on Policy in the left. Click Configuration Policy Click Add Expand Windows Select Email profile (Windows 8 and later) Click Create Policy In the Name: field type Windows Phone - Email Policy In the Host: field type Outlook.Office365.com In the Account name: field type Office 365 Mail Under Content type to synchronize: make sure all checkboxes are selected. Click Save Policy In the Window Do you want to deploy this policy now? Click Yes Select All Users and click Add Click OK Page 179 Task Detailed steps Validate eMail profile is deployed. On Windows Phone 8.1 go to Settings -> Workplace Click on the Enrolled workplace listed at the bottom. Click the sync icon on the bottom of the screen. After a successful sync go back to the home screen Wait till the eMail profile called Office 365 Mail appears. Open the eMail profile and type in the password. Test sending and receiving an e-mail 17.12 CM1: WP8.1 - Configure Mail Profile Hybrid Setup (CM+Intune) (This section is not applicable if you are setting up a Intune-Only Scenario!) This section outlines how to configure and deploy an eMail Profile for Windows Phone 8.1 devices in Configuration Manager. Prerequisite: To complete this scenario you need to have am Office 365 subscription setup. Required Time: 20 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Connect to CM1 Select Virtual Machines . Select “CM1” and click Connect at the bottom of the screen. Logon to CM1 with “LabAdmin”. Create a Certificate Profile for the Trusted Root CA On CM1 open the Configuration manager Console In the navigation pane select Assets and compliance and browse to Compliance Settings, Company Resource Access, Email Profiles. In the Ribbon click Create Exchange ActiveSync Profile In the General step in the Name field type Windows Phone - Email Profile for Office365 In the Exchange ActiveSync step use the following values: a. Exchange Active Sync host: Outlook.Office365.com b. Account name: Office 365 Mail Page 180 Task Detailed steps c. Leave all other values as default and click Next In the Synchronization Settings step make sure all content type to synchronize are selected (Email, Contacts, Calendar, Tasks). Clink Next In the Supported Platforms make sure only Windows Phone is selected. Click Next In the Summary step click Next In the Completion step click Close Validate eMail profile is deployed. On Windows Phone 8.1 go to Settings -> Workplace Click on the Enrolled workplace listed at the bottom Click the sync icon on the bottom of the screen. After a successful sync go back to the home screen Wait till the eMail profile called Office 365 Mail appears. Open the eMail profile and type in the password. Test sending and receiving an e-mail 17.13 Intune: WP8.1 – Configure a Custom VPN Profile Intune Only Setup (This section is not applicable if you are setting up a Hybrid Scenario!) Microsoft Intune allows you to deploy several VPN connection profiles to Windows Phone 8.1 devices. The available options are: ▪ Juniper Pulse ▪ F5 Edge Client ▪ Dell SonicWALL Mobile Connect ▪ CheckPoint Mobile VPN If you want to deploy another type, e.g. IKEv2 based – it’s possible to use custom URI’s. The below provides an example on how to do this. Page 181 Note: In this example you will create a VPN profile for IKEv2 but it will not work as Azure today does not support IKEv2. The intent of this exercise is to show how you can create a custom VPN profile and configure this on a mobile device. Required Time: 20 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. Connect to NDES1 Select Virtual Machines . Select “NDES1” and click Connect at the bottom of the screen. Logon to NDES1 with “Corp\LabAdmin”. Create a custom VPN Profile Open IE in private mode. Open the Intune Admin Console ( https://manage.microsoft.com). In the Navigation Pane of the Intune Admin Console click on Policy > Configuration Policies. In the Tasks pane click Add Policy. Navigate to Windows > Windows Phone OMA-URI, select the Create and Deploy a Custom Policy radio button and click Create Policy. The Create Policy window will now appear. In the Name field type Windows Phone – Custom VPN. Add the following OMA-URI Settings Setting name Data Type OMA-URI Value Server string ./Vendor/MSFT/VPN /CUSTOMVPN/Serve r vpn.. DNSSuffix string ./Vendor/MSFT/VPN /CUSTOMVPN/Secur edResources/DNSSu ffix DC1.Corp.. TunnelType string ./Vendor/MSFT/VPN /CUSTOMVPN/Tunn elType IKEv2 Method string ./Vendor/MSFT/VPN /CUSTOMVPN/Auth entication/Method EAP Proxy Server string ./Vendor/MSFT/VPN /CUSTOMVPN/Proxy /Manual/Server proxy. Corp.. Port int ./Vendor/MSFT/VPN /CUSTOMVPN/Proxy /Manual/Port 8080 Page 182 Task Detailed steps BypassProxyForLocal boolean ./Vendor/MSFT/VPN /CUSTOMVPN/Proxy /Manual/BypassProx yForLocal True SplitTunnel boolean ./Vendor/MSFT/VPN /CUSTOMVPN/Polici es/SplitTunnel false BypassForLocal boolean ./Vendor/MSFT/VPN /CUSTOMVPN/Polici es/BypassForLocal false TrustedNetworkDete ction boolean ./Vendor/MSFT/VPN /CUSTOMVPN/Polici es/TrustedNetworkD etection false ConnectionType string ./Vendor/MSFT/VPN /CUSTOMVPN/Polici es/ConnectionType manual Authentication EAP string XML ./Vendor/MSFT/VPN /CUSTOMVPN/Auth entication/EAP Paste the below XML into the value field. 13 0 0 0 13 true false false false false Click Save Policy After you have clicked Save policy at the Do you want to deploy this policy now? prompt click Yes. Click on the group All Users then click Add. Click OK. 17.14 CM1: WP8.1 - Configure Custom VPN Profile Hybrid Setup (CM+Intune) (This section is not applicable if you are setting up an Intune-Only Scenario!) This section explains how to create a custom VPN profile in Configuration Manager for Phone. This section has not yet been validated by the authors and therefor is provided as initial guidance. Required Time: 20 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Connect to CM1 Select Virtual Machines . Select “CM1” and click Connect at the bottom of the screen. Logon to CM1 with “LabAdmin”. Go to the Start Screen. Type Configuration Manager Console and Click on it. Create an OMA-URI for a custom VPN Profile. In the Navigation Pane of the Configuration Manager console click on Assets and Compliance. Click on Overview -> Compliance Settings ->Configuration Items. In the Ribbon click on Create Configuration Item Page 184 Task Detailed steps In the Name field type ContosoVPN2 (this is just an arbitrary name) For the Specify the type of configuration item that you want to create: select Mobile Device Click Next Select the checkbox Configure additional settings that are not in the default setting group Click Next In the Additional Settings step click Add Click Create Setting In the name field enter ContosoVPN2 Server For Setting type select OMA URI For Data Type select String In the OMA URI field enter ./Vendor/MSFT/VPN/ContosoVPN2/Server Click OK In the Browse Settings scroll down to and select the setting ContosoVPN2 Server Click Select In the following values field enter vpn.. Note: This is the VPN server configured earlier in the lab guide but please note that this server does not support IKEv2 as this is not supported by Azure at this time. Leave all other values as default. Click OK Page 185 Task Detailed steps Configure all of your customer settings for the profile in the same CI as shown below. Once you are finished add the CI to a Configuration Baseline and deploy the Baseline to the users you want to deploy the profile to. Add the CI to the Windows Phone Configuration Baseline. Note: This assumes you already created the baseline earlier. In the Navigation Pane of the Configuration Manager console click on Assets and Compliance. Click on Overview -> Compliance Settings ->Configuration Baseline Double click the Windows Phone - Baseline Click Add and select Configuration Items In the Add Configuration Items window select ContosoVPN2 and click Add In the Create configuration Baseline window click OK Deploy the Configuration Baseline The Baseline was already deployed in one of the previous steps. 17.15 Intune: WP8.1 – WP8.1 - Configure WiFi Profile Intune Only Setup Page 186 (This section is not applicable if you are setting up a Hybrid Scenario!) To be completed in a future version. 17.16 CM1: WP8.1 - Configure WiFi Profile Hybrid Setup (CM+Intune) (This section is not applicable if you are setting up an Intune-Only Scenario!) Planned to be added/completed in a next version of this guide. 17.17 Intune: WP8.1 – Configuring S/MIME Intune Only Setup (This section is not applicable if you are setting up a Hybrid Scenario!) To be completed in a future version. 17.18 CM1: WP8.1 – Configuring S/MIME Hybrid Setup (CM+Intune) (This section is not applicable if you are setting up an Intune-Only Scenario!) Planned to be added in a next version of this guide. − Enable EAS Policy − Install Certificate − Configure eMail profile 17.19 Device Retirement / Wipe This topic is not cover by this course. If you would like to test this process then refer to TechNet https://technet.microsoft.com/en-us/library/jj676679.aspx. Page 187 18 Enterprise Mobility for Android The following section outlines how to configure the environment for Android devices and configure several common scenarios. 18.1 Setup Google Play Account This section outlines how to setup a Google Play account. This will be used to login to Google Play and install the Company Portal. If you already have a Google Play account you can skip this section and use that account. Required Time: 15 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Setup a Gmail account to be used for the Google Play store If not already open from the previous exercise, start a new InPrivate Internet Explorer browsing session | Start Internet Explorer in the desktop | Right-click the Internet Explorer icon in the task bar | Select Start InPrivate Browsing. In the address bar of the InPrivate session, navigate to https://play.google.com In the right top corner click Sign in On the Sign in page click Create an account Fill in the details for your account Click Next Step On the next page select Create Account. 18.2 Intune: Configure Intune for Android Intune Only Setup (This section is not applicable if you are setting up a Hybrid Scenario!) To be completed in a future version. ▪ Configure security policy for mobile devices in Microsoft Intune at http://technet.microsoft.com/en-us/library/dn646984.aspx ▪ Start managing Android devices with Microsoft Intune at http://technet.microsoft.com/enus/library/dn764960.aspx Page 188 18.3 CM1: Configure Configuration Manager/Intune for Android Hybrid Setup (CM+Intune) (This section is not applicable if you are setting up an Intune-Only Scenario!) This section outlines how to configure CM/Intune to be used for managing Android devices. Required Time: 15 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Connect to CM1 Select Virtual Machines . Select “CM1” and click Connect at the bottom of the screen. Logon to CM1 with “LabAdmin”. Create an Android Collection On CM1 open the Configuration Manager Management Console In the Navigation Pane select Assets and Compliance Expand Overview Right click Device Collections and select Create Device Collection In the Name field enter Android 4.4 In limiting Collection click Browse Select All Mobile Devices Click OK In the General step click Next In the Membership Rules step click Add Rule and select Query Rule In the Name field type Android 4.4 Click Edit Query Statement Click Show Query Language Paste the query below in the Query Statement field: select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_G_System_DEVICE_OSINFORMATION on Page 189 Task Detailed steps SMS_G_System_DEVICE_OSINFORMATION.ResourceID = SMS_R_System.ResourceId where SMS_G_System_DEVICE_OSINFORMATION.Platform like "Android" and SMS_G_System_DEVICE_OSINFORMATION.Version like "4.4%" Click OK In the Query Rule Properties window click OK In the Membership Rules step click Next In the Summary step click Next In the Completion step click Close As we have not enrolled an Android device there will be no devices added to this collection at this stage. Ensure Enrollment for Android is enabled. On CM1 open the Configuration Manager Management Console In the Navigation Pane select Administration Expand Overview, Cloud Services, Windows Intune Subscriptions Right click Windows Intune Subscription and select properties. Select the Android tab Make sure Enable Android enrollment is selected. Click OK 18.4 Hyper-V: Android - Create an Android Virtual Machine This section will configure an Android VM in Hyper-V. You would only need to perform this section if you don’t own a physical Android device. Note: The crucial step in this exercise is to make sure a Legacy network adapter is used. Note: If the display goes to sleep on your Android VM you can press the menu key to wake. This key is usually between the right-ctrl and right-alt keys. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer that is running Hyper-V. with an external virtual switch that has internet access. Ensure the pre-requisites are met on the machine (Only when a VM for Android is used) Create the VM for x86 Android Download the latest Android-x86 iso from http://www.android-x86.org/download. We used the Android-x86 4.4-r1 live & installation iso and placed it on the machine. From the Start screen type Hyper-V and select Hyper -V Manager. In Hyper-V manager in the Action pane select New -> Virtual Machine. Page 190 Task (Only when a VM for Android is used) Detailed steps In the Before You Begin step click Next. In the Specify Name and Location step type the name of the VM: Android 4.4 R1. Click Next. In the Specify Generation step select Generation 1 and click Next. In the Assign memory step leave the defaults and click Next. In the Configure Networking don’t select a network (default settings) and click Next. In the Connect Virtual Hard Disk ensure Create a virtual hard disk is selected and you can make the size smaller to for example 16GB and click Next. In the Installation Options make sure Install an operating system from a bootable CD/DVDROM is selected and for the Image File (.iso): browse to the location where you have copied the Android iso (http://sourceforge.net/projects/android-x86/files/Release%204.4/androidx86-4.4-r2.iso/download) and click Next. In the Summary step click Finish. Right click the VM just created and select Settings. Page 191 Task Detailed steps Select the Network Adaptor and click Remove. Click Add Hardware in the top left of the screen. Select Legacy Network Adapter and click Add. For the Virtual Switch make sure the switch is selected that has Internet connectivity and Click OK. Page 192 Task Detailed steps Installing Android on the VM(Only when a VM for Android is used) Start the Android VM and follow the instructions in the screenshots and arrows as shown below. Android Setup Start the Android VM and follow the screenshots below. 18.5 Android: Enrollment and Company Portal In this section we will install the Company Portal from the Google Play store, enroll the Android device in Intune and evaluate the Company Portal. Required Time: 10 minutes Task Detailed steps Complete these steps from an Android device or the Android VM created in the previous section. Installing the Company Portal, Enrolling the device and Evaluating the Company Portal Follow the arrows in the screenshots below to install the Company Portal, to enroll the device into Intune and evaluate the Company Portal. The demo will show you: a. Enrollment b. Enrolled devices in the My Devices tab c. How to Rename a device d. How to Remove a Device e. How to Reset a Device Page 193 Page 194 18.6 Intune: Android - Configure Policies Intune Only Setup (Skip this section if you are setting up a Hybrid Scenario!) Planned to be added in a next version of this guide. References: ▪ Configure security policy for mobile devices in Microsoft Intune at http://technet.microsoft.com/en-us/library/dn646984.aspx ▪ Start managing Android devices with Microsoft Intune at http://technet.microsoft.com/enus/library/dn764960.aspx 18.7 CM1: Android – Configuring Policies Hybrid Setup (CM+Intune) (This section is not applicable if you are setting up an Intune-Only Scenario) This section outlines how to configure policies for Android devices in CM/Intune available through the Configuration Manager Interface. Required Time: 20 minute Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Connect to CM1 Select Virtual Machines . Select “CM1” and click Connect at the bottom of the screen. Logon to CM1 with “LabAdmin”. Go to the Start Screen. Type Configuration Manager Console and Click on it. Page 195 Task Create a Password policy through the CM/Intune interface to require a password of 4 characters. Detailed steps In the Navigation Pane of the Configuration Manager console click on Assets and Compliance. Click on Overview -> Compliance Settings ->Configuration Items. In the Ribbon click on Create Configuration Item In the Name field type Windows Phone Password Policy For the Specify the type of configuration item that you want to create: select Mobile Device Click Next In the Mobile Device setting group check Password and click Next In the Require password settings on mobile devices field select Required Check the Minimum password length (characters) and leave the value at 4. Click Next Uncheck Select all In the Supported Platform step check the Android checkbox. Click Next In the Platform Applicability step click Next In the Summary step click Next In the Complete window click Close. Create a Configuration Baseline for the Android Policies. In the Navigation Pane of the Configuration Manager console click on Assets and Compliance. Click on Overview -> Compliance Settings ->Configuration Baseline In the Ribbon click Create Configuration Baseline In the Name field type Android - Baseline Click Add and select Configuration Items In the Add Configuration Items window select Android – Password Policy and click Add Click OK In the Create configuration Baseline window click OK Deploy the Configuration Baseline In the Navigation Pane of the Configuration Manager console click on Assets and Compliance. Click on Overview -> Compliance Settings ->Configuration Baseline Select the Baseline called Android Baseline. In the Ribbon click Deploy In the Deploy Configuration Baseline window click Browse Select the collection called Mobile Users Click OK In the Deploy Configuration Baseline window click OK Page 196 18.8 Intune: Android - Configure Trusted Root and Certificate Deployment Intune Only Setup (Skip this section if you are setting up a Hybrid Scenario!) This section outlines how to configure and deploy a Trusted Root CA and a SCEP Profile for Windows Phone 8.1 devices. Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Manage.windowsazure.com. Connect to NDES1 Select Virtual Machines . Select “NDES1” and click Connect at the bottom of the screen. Logon to NDES1 with “Corp\LabAdmin”. Create a Certificate Profile for the Trusted Root CA On NDES1 open the Intune Admin Console. In the Navigation Pane of the Intune Admin Console click on Policy > Configuration Policies. In the Tasks pane click Add Policy. Navigate to Android > Trusted Certificate Profile (Android 4 and later), select the Create and Deploy a Custom Policy radio button and click Create Policy. The Create Policy window will now appear. In the Name field type Android – Trusted Root Certificate Policy. Click Browse and import the root certificate we exported earlier C:\corp-DC1-CA.cer. if you open up the cert it should look like this: Page 197 Task Detailed steps Click Save Policy. At the Do you want to deploy this policy now? prompt click Yes. Click on the group All Mobile Devices then click Add. Click OK. Create a SCEP Certificate Profile for Windows Phone devices On NDES1 open the Intune Admin Console. In the Navigation Pane of the Intune Admin Console click on Policy > Configuration Policies. In the Tasks pane click Add Policy. Navigate to Android > SCEP Certificate Profile (Android 4 and later), select the Create and Deploy a Custom Policy radio button and click Create Policy. The Create Policy window will now appear. In the Name field type Android – SCEP Certificate Policy. Page 198 Task Detailed steps Configure the other settings as show in the screenshots below. Ensuring the value of the SCEP Server URL is https://ndes./certsrv/mscep/mscep.dll. Then click Save Policy. At the Do you want to deploy this policy now? prompt click Yes. Click on the group All Users then click Add. Click OK. Confirm that the certificate is deployed to the device. On your Android device you should see a small icon on the notification bar in the top right corner of the screen. Page 199 Task Detailed steps Drag the notification down from the top of the screen and click the notification. You should then see the details of the certificate, click OK (Password not required). The certificate will now extract. Change the Certificate name to User-Cert-Intune, Click OK. Select the new user cert and then click Allow. The user certificate is now on the device. You can confirm that the Trusted Root Certificate is installed at a later time by doing the following: Open Settings. Under the PERSONAL section click Security. Page 200 Task Detailed steps Scroll down and select Trusted Credentials then select the USER tab, you should see the root cert. You can confirm that the Trusted Root Certificate is installed at a later time by beginning the process of creating a VPN. Open Settings. Under the WIRELESS & NETWORKS section click More… Click VPN Click the + symbol in the top right corner of the screen. At the Edit VPN Profile window, select Type L2TP/IPSEC RSA. Click IPSec User Certificate and you should see a user cert available for use. Click Cancel. 18.9 CM1: Android - Configure Trusted Root and Certificate Deployment Hybrid Setup (CM+Intune) (Skip this section if you are setting up an Intune-Only Scenario!) Page 201 This section outlines how to configure and deploy a Trusted Root CA and a SCEP Profile for Android devices. Required Time: 20 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Connect to CM1 Select Virtual Machines . Select “CM1” and click Connect at the bottom of the screen. Logon to CM1 with “LabAdmin”. Create a Certificate Profile for the Trusted Root CA Important: If you already configured and deployed the Trusted Root CA in one of the other platform scenario sections (for example for Windows Phone or iOS) these section can be skipped! On CM1 open the Configuration manager Console In the navigation pane select Assets and compliance and browse to Compliance Settings, Company Resource Access, Certificate Profiles. In the Ribbon click Create Certificate Profile In the Name field type corp-DC1-CA - TrustedRootCA Select Trusted CA certificate and click Next Click Import Browse to and select c:\corp-dc1-ca.cer and click on Open In the Trusted Root CA Certificate step leave all settings as default and click Next In the Supported Platforms step make sure all platforms are selected and click Next In the Summary step click Next In the Completion step click Close Deploy the Certificate Profile for the Trusted Root CA to all Mobile Users Important: If you already configured and deployed the Trusted Root CA in one of the other platform scenario sections (for example for Windows Phone or iOS) these section can be skipped! On CM1 open the Configuration manager Console In the navigation pane select Assets and compliance and browse to Compliance Settings, Company Resource Access, Certificate Profiles. Select corp-DC1-CA - TrustedRootCA. In the Ribbon click Deploy In the Deploy Trusted CA Certificate Profile screen under Collection: click Browse to select a collection. Select Mobile Users and click OK. Create a SCEP Certificate Profile for Android devices On CM1 open the Configuration manager Console In the navigation pane select Assets and compliance and browse to Compliance Settings, Company Resource Access, Certificate Profiles. In the Ribbon click Create Certificate Profile Page 202 Task Detailed steps In the Name field type Android – SCEP Certificate Profile Select Simple Certificate Enrolment Protocol (SCEP) settings and click Next In the SCEP Enrolment step make sure Install to Software Key Storage Provider is selected Note: For Android devices the two TPM options are not supported and when selected certificates will not be enrolled! Click Next In the Certificate Properties step for Certificate template name: click Browse The Issuing Certificate Authority should be selected by default (DC1.corp.) For the Certificate template name: click the field and select SCEPGenerealPurpose Click OK Note at this point be aware of: ▪ iOS doesn’t support fully distinguished name as the subject name format or including e-mail address in subject name. ▪ All settings need to be configured according to what you have specified in the template (e.g. the key-length). ▪ If the template name contains non-ASCII characters the cert will not be deployed In the Certificate Properties step use the following other values (leave the others as default). a. Subject name format: Common Name b. Subject alternative name: select User principal name (UPN) c. Hash Algorithm: select SHA1 d. Root CA certificate: click Select, check corp-DC1-CA - TrustedRootCA and click OK Click Next In the Supported Platform step make sure Android is selected and click Next In the Summary step click Next In the Completion step click Close Deploy the Certificate Profile for the SCEP Certificate Profile for Android devices On CM1 open the Configuration manager Console In the navigation pane select Assets and compliance and browse to Compliance Settings, Company Resource Access, Certificate Profiles. Select Windows Phone – SCEP Certificate Profile In the Ribbon click Deploy In the Deploy SCEP Certificate Profile screen under Collection: click Browse to select a collection. Select Mobile Users and click OK. 18.10 KNOX Configuration Planned to be added in a next version of this guide. Page 203 This section will describes the configuration option with Samsung KNOX. Reference: The follow link provides all the device models and their support for Samsung KNOX: https://www.samsungknox.com/en/products/knox-supported-devices Page 204 19 Enterprise Mobility for iOS 19.1 Prepare to Manage iOS Before you can manage iOS mobile devices with Intune, you need an Apple Push Notification service certificate. This certificate allows Intune to manage iOS and establish an accredited and encrypted IP connection with the mobile device management authority services. Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Create a Company Apple ID An Apple ID is required to create the Apple Push Notification certificate. To Create a new Apple ID: If you don’t have an Apple ID then Navigate to https://appleid.apple.com/account and create an Apple ID. Get a Certificate Signing Request As an administrative user, open the Microsoft Intune administration console, go to Administration > Mobile Device Management > iOS > Upload an APNs Certificate Click Download the APNs certificate request. Save the certificate signing request (.csr) file locally as C:\AppleSigningRequest.csr Note - The .csr file is used to request a trust relationship certificate from the Apple Push Certificates Portal. Get an Apple Push Notification service certificate Go to the Apple Push Certificates Portal and sign in with your Apple ID to create the APNs certificate. Click Create a Certificate. Click Browse and navigate to C:\AppleSigningRequest.csr, click Open. Click Upload. Note - This Apple ID must be used in future to renew your APNs certificate. Click Download and save the file at C:\ApplePushCert.pem. Note - This APNs certificate (.pem) file is used to establish a trust relationship between the Apple Push Notification server and Intune’s mobile device management authority. Add the APNs certificate to Intune In the Microsoft Intune administration console, go to Administration > Mobile Device Management > iOS > Upload an APNs Certificate, and click Upload the APNs certificate. Browse to the certificate (C:\ApplePushCert.pem) file and click Open. Note - You can enter the Apple ID used to create the certificate if you want Intune to remember which Apple ID you should use for annual certificate renewal. With the APNs certificate, Intune can enroll and manage iOS devices by pushing policy to enrolled mobile devices. Note - If you used Internet Explorer to download the APNs certificate, you might receive an error stating the file is not valid when you try to upload it to the Intune administrator console. If you receive this error message, click Cancel and perform the following steps: Sign out of the Apple Push Certificates Portal and then sign back in. Page 205 Task Detailed steps On the Certificates for Third-Party Servers page, download the most recently created APNs certificate. In the Microsoft Intune administration console, click Upload the APNs certificate, browse to the DM_Microsoft_Corporation_Certificate.pem file, and upload it to Intune. 19.2 Configure CM/Intune Planned to be added in a next version of this guide. Note: For more info see: http://technet.microsoft.com/en-us/library/dn408185.aspx Hybrid 19.3 Enrollment Planned to be added in a next version of this guide. 19.4 Intune: iOS - Configure Policies Intune Only Setup (This section is not applicable if you are setting up a Hybrid Scenario!) To be completed in a future version. 19.5 CM1: iOS – Configuring Policies Hybrid Setup (CM+Intune) (This section is not applicable if you are setting up an Intune-Only Scenario) This section outlines how to configure policies for Android devices in CM/Intune available through the Configuration Manager Interface. Page 206 Required Time: 20 minute Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. Connect to CM1 Select Virtual Machines . Select “CM1” and click Connect at the bottom of the screen. Logon to CM1 with “LabAdmin”. Go to the Start Screen. Type Configuration Manager Console and Click on it. Create a Password policy through the CM/Intune interface to require a password of 4 characters. In the Navigation Pane of the Configuration Manager console click on Assets and Compliance. Click on Overview -> Compliance Settings ->Configuration Items. In the Ribbon click on Create Configuration Item In the Name field type iOS Password Policy For the Specify the type of configuration item that you want to create: select Mobile Device Click Next In the Mobile Device setting group check Password and click Next In the Require password settings on mobile devices field select Required Check the Minimum password length (characters) and leave the value at 4. Click Next Uncheck Select all In the Supported Platform step check the Android checkbox. Click Next In the Platform Applicability step click Next In the Summary step click Next In the Complete window click Close. Create a Configuration Baseline for the Android Policies. In the Navigation Pane of the Configuration Manager console click on Assets and Compliance. Click on Overview -> Compliance Settings ->Configuration Baseline In the Ribbon click Create Configuration Baseline In the Name field type Android - Baseline Click Add and select Configuration Items In the Add Configuration Items window select iOS – Password Policy and click Add Click OK In the Create configuration Baseline window click OK Page 207 Task Deploy the Configuration Baseline Detailed steps In the Navigation Pane of the Configuration Manager console click on Assets and Compliance. Click on Overview -> Compliance Settings ->Configuration Baseline Select the Baseline called iOS Baseline. In the Ribbon click Deploy In the Deploy Configuration Baseline window click Browse Select the collection called Mobile Users Click OK In the Deploy Configuration Baseline window click OK Page 208 20 Enterprise Mobility for Windows 10 Will be added in a next version of this guide. Page 209 21 Appendix 21.1 PowerShell: Reserve a Public VIP Address for Cloud Service Important: Only perform this step after all VM’s for the Cloud Service have been created have been created! The Cloud service has a public IP address assigned called “Public Virtual IP (VIP) Address” through which our VM’s can be accessible over the internet. For Lab and Demo environments, you want to be able to shut down and de-allocate the VM’s when you are not using them. However when all VM’s of a cloud service are de-allocated the Public VIP address for the Cloud Services would also be de-allocated and a new IP address would be created when VM’s are restarted in the Cloud Service again. To ensure the “Public Virtual IP (VIP) Address” is maintained even after all Virtual Machines are turned-off and de-allocated (to prevent cost) a reserved IP address can be set for the Cloud Service. During the writing of this document this can be done only through Azure PowerShell as described in: http://msdn.microsoft.com/en-us/library/azure/dn690120.aspx. As described in the link: ▪ You must reserve the IP address first, before creating the VM. ▪ When creating the VM the reserved IP also needs to be included ▪ Currently, you can’t go back and apply a VIP reservation to a Cloud Service or VM that have already been created. Most of the instructions in this guide are based on configuring the Lab through the Azure Portal and not through PowerShell. Therefor the provided script should only run after all VM’s have been created. You also will need other objects that don’t yet exist like the Virtual Network and Storage Accounts. This PowerShell script performs the following tasks: 1. 2. 3. 4. 5. Logon to your Azure Subscription Create a Public Reserved IP Export VM Configurations and Stops all VMs Removes the VMs while keeping the disks Re-creates the VMs with reserved VIP Important: Please be aware that the Cloud Service and all VM’s will have to be removed. If something goes wrong this script could be quite destructive to your environment!!! Note 1: Every Azure Subscription has the right to reserve up to 5 public VIP’s. Page 210 Note 2: Another workaround to get around this problem is to make use of CNAME records in the public DNS server instead of A records. E.g. Instead of using an IP address you can use the cloud service name .cloudapp.net. We are not sure if this works for this setup as we never tried it. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. (optional) If not already installed, install Azure PowerShell on the Internet connected PC. On the Internet connected PC Start a new InPrivate Internet Explorer browsing session | Start Internet Explorer in the desktop | Right-click the Internet Explorer icon in the task bar | Select Start InPrivate Browsing. Install and Configure Azure PowerShell on the Virtual Machine as described in How to install and configure Azure PowerShell at http://azure.microsoft.com/en-us/documentation/articles/install-configurepowershell/. A direct installation link to the Microsoft Web Platform Installer for Azure PowerShell can be found here: http://go.microsoft.com/fwlink/p/?linkid=320376&clcid=0x409 When the warning appears in Internet Explorer select Run In the Microsoft Azure PowerShell window select Install In the Prerequisites step select I Accept. In the Finish step select Finish. In the Web Platform Installer 5.0 select Exit. Run a PowerShell script to reserve a VIP address and assign it to the Cloud service and all VM’s. Make sure all VM’s have been created Run ISE as administrator Copy and paste the script below into ISE Make sure all variables (in red starting with the $ sign) in the script below are replaced with values applicable for your environment. Execute the script below. # PowerShell command to set a reserved IP address for Cloud Service in Azure # Reference: # Reserved IP addresses: http://msdn.microsoft.com/en-us/library/azure/dn690120.aspx # Log on to my Azure account Add-AzureAccount $subscription = "Visual Studio Ultimate with MSDN" $StorageAccount = “devicedemo” # Set active subscription Get-AzureSubscription -SubscriptionName $subscription | Select-AzureSubscription #specify current Storage Account by: Set-AzureSubscription -SubscriptionName $subscription -CurrentStorageAccount $StorageAccount # Create a Public Reserved IP $ReservedIPName = "DeviceDemoIP" $ReservedIP = New-AzureReservedIP -ReservedIPName $ReservedIPName -Label $ReservedIPName Location "East US" $workingDir = (Get-Location).Path # Define VMs and Cloud Service $vmNames = 'DC1', 'CM1', 'NDES1', 'WAP1' Page 211 Task $serviceName = "DeviceDemo" Detailed steps # Export VM Config and Stop VM ForEach ($vmName in $vmNames) { $Vm = Get-AzureVM –ServiceName $serviceName –Name $vmName $vmConfigurationPath = $workingDir + "\exportedVM_" + $vmName +".xml" $Vm | Export-AzureVM -Path $vmConfigurationPath Stop-AzureVM –ServiceName $serviceName –Name $vmName -Force } # Remove VMs while keeping disks ForEach ($vmName in $vmNames) { } $Vm = Get-AzureVM –ServiceName $serviceName –Name $vmName $vm | Remove-AzureVM -Verbose # Specify VNet for the VMs $vnetname = "DeviceDemo" # Re-create VMs in specified order $vmNames = 'DC1’, 'CM1', 'NDES1', 'WAP1' ForEach ($vmName in $vmNames) { $vmConfigurationPath = $workingDir + "\exportedVM_" + $vmName +".xml" $vmConfig = Import-AzureVM -Path $vmConfigurationPath New-AzureVM -ServiceName $serviceName -VMs $vmConfig -VNetName $vnetname -ReservedIPName $ReservedIPName -WaitForBoot:$false } 21.2 PowerShell: Stop or Start all Virtual Machines This section provides you with a PowerShell script to start or stop all Virtual Machines in your Azure IaaS Lab. The VMs shutdown through this script will be de-allocated so they will not count for your credits. Important: When you use the script to shut down all VM’s they will be de-allocated. If you don’t have a Reserved Public VIP for the Cloud Service it will be lost as well. You will have to reconfigure you’re A(Host) records in your public DNS server. Required Time: 10 minutes Task Detailed steps Complete these steps from an internet-connected Windows computer. Make sure you are logged on to the management portal of Azure.microsoft.com. (optional) If not already installed, install Azure PowerShell on the Internet connected PC. On the Internet connected PC Start a new InPrivate Internet Explorer browsing session | Start Internet Explorer in the desktop | Right-click the Internet Explorer icon in the task bar | Select Start InPrivate Browsing. Install and Configure Azure PowerShell on the Virtual Machine as described in How to install and configure Azure PowerShell at http://azure.microsoft.com/enus/documentation/articles/install-configure-powershell/. A direct installation link to the Microsoft Web Platform Installer for Azure PowerShell can be found here: http://go.microsoft.com/fwlink/p/?linkid=320376&clcid=0x409 Page 212 Task Detailed steps When the warning appears in Internet Explorer select Run In the Microsoft Azure PowerShell window select Install In the Prerequisites step select I Accept. In the Finish step select Finish. In the Web Platform Installer 5.0 select Exit. Run a PowerShell script to start all Azure IaaS VM’s in your Lab. Make sure all VM’s have are running Run ISE as administrator Copy and paste the script below into ISE Make sure all variables (in red starting with the $ sign) in the script below are replaced with values applicable for your environment. If you use an Intune Only Lab you can remove CM1 If you did not setup the VPN Lab and only have one Cloud Service make sure to remove Step 3 for the Second Cloud Service Execute the script below. # PowerShell command to Start all VM's for Hybrid Mobility Lab # Reference: # Step 1: Log on to my Azure account Add-AzureAccount # Step 2 Start VM(s) first Cloud Service $serviceName_CloudService1 = "DeviceDemo" $vmNames_CloudService1 = 'DC1', 'CM1', 'NDES1', 'WAP1' ForEach ($vmName_CloudService1 in $vmNames_CloudService1) { Start-AzureVM –ServiceName $serviceName_CloudService1 –Name $vmName_CloudService1 } # Step 3 Start VM(s) second Cloud Service $serviceName_CloudService2 = "DeviceDemoVPN" $vmNames_CloudService2 = 'VPN1' ForEach ($vmName_CloudService2 in $vmNames_CloudService2) { Start-AzureVM –ServiceName $serviceName_CloudService2 –Name $vmName_CloudService2 } Run a PowerShell script to Stop all VM’s. Note: They will be de- allocated. If you don’t have a Reserved Public VIP for the Cloud Service it will be lost as well. Make sure all VM’s have are running Run ISE as administrator Copy and paste the script below into ISE Make sure all variables (in red starting with the $ sign) in the script below are replaced with values applicable for your environment. If you use an Intune Only Lab you can remove CM1 from$vmNames_CloudService1 If you did not setup the VPN Lab and only have one Cloud Service make sure to remove Step 3 for the Second Cloud Service Execute the script below. # PowerShell command to SutDown all VMs for your Hybrid Mobility Lab # Reference: # Step 1: Log on to my Azure account Page 213 Task Add-AzureAccount Detailed steps # Step 2 Stop VM(s) first Cloud Service $serviceName_CloudService1 = "DeviceDemo" $vmNames_CloudService1 = 'CM1', 'NDES1', 'WAP1', 'DC1' ForEach ($vmName_CloudService1 in $vmNames_CloudService1) { Stop-AzureVM –ServiceName $serviceName_CloudService1 –Name $vmName_CloudService1 Force } # Step 3 Stop VM(s) second Cloud Service $serviceName_CloudService2 = "DeviceDemoVPN" $vmNames_CloudService2 = 'VPN1' ForEach ($vmName_CloudService2 in $vmNames_CloudService2) { Stop-AzureVM –ServiceName $serviceName_CloudService2 –Name $vmName_CloudService2 Force } Page 214

Build Your Own Enterprise Mobility Lab Step-by

Rating

Date

Size

Views

Categories

Share

Transcript