Build Your Own Enterprise Mobility Lab
The world is becoming mobile, and organizations need to adapt to stay relevant and competitive. When you start working with solutions for mobile devices you will quickly discover that they require new products that offer these mobile capabilities. This mobile infrastructure is often not present in most organizations, and neither are the knowledge and skills needed to install and configure it.
As an IT Pro, where do you start to catch up on all these new technologies? In my experience the best way to learn is to get your hands "dirty" by building it yourself and playing with it. Don't have someone come in to build it for you, and don't rely on scripts and automation to build it for you; that will not help you understand the technology. Build it yourself, step by step!
The guide attached to this blog provides step-by-step instructions on how to build your own Enterprise Mobility lab. It uses the available Microsoft solutions without the need for a physical lab, including Azure IaaS, Azure AD, Intune, ADFS, Web Application Proxy, NDES, etc.
It allows you to test mobile scenarios on all the major device platforms: Windows, iOS, and Android. This lab will also put you in great shape to start validating Windows 10 mobile scenarios such as Azure AD Join and Passport. The step-by-step guidance for these Windows 10 scenarios will be added later.
Choosing an MDM Setup
This guide describes two different setup options for the Mobile Device Management (MDM) solution. You will need to choose between a Microsoft Intune Only (Intune) setup and a Hybrid (CM+Intune) setup.
The decision between the two options depends on two factors:
Re-use or expansion of an existing Configuration Manager 2012 R2 investment.
Availability of capabilities.
At the time of writing, Intune Standalone and the Hybrid Intune/Configuration Manager solution do not have full parity on all capabilities. If certain capabilities are absolutely required, this will influence the decision.
Note: I'm planning to update the guide for Configuration Manager vNext as soon as possible.
Intune Only Setup:
The Intune Only setup uses only Microsoft Intune for MDM and contains the servers, services and roles shown in the picture below.
Hybrid Setup:
The Hybrid setup uses System Center Configuration Manager 2012 R2 integrated with Microsoft Intune for MDM and contains the servers, services and roles shown in the picture below. The server running System Center Configuration Manager 2012 R2 (CM1) can be placed in Azure IaaS or on a server on-premises.
What is included in the Lab
The first sections of the Build Your Own Enterprise Mobility Lab guide describe how to set up a lab containing the core components needed to test and validate most mobility scenarios. It includes several servers representing your on-premises infrastructure, plus Azure AD, Intune and Office 365, as shown in the figure below.
Future blogs from us will add to this infrastructure and provide step-by-step instructions for additional scenarios. For example, I'm currently writing the sections for the Windows 10 mobility scenarios, following the inclusion of Configuration Manager vNext.
The Build Your Own Enterprise Mobility Lab guide consists of the following ToC:
1 Introduction
1.1 Lab objectives
1.2 Lab activity flow
1.3 Design decisions for lab setup
1.3.1 Build Lab Servers On Premise or in Azure IaaS
1.3.2 Microsoft Intune Only or Hybrid Setup
1.3.3 Microsoft Azure IaaS Lab Setup
1.3.4 Credentials
1.4 Use of Document
1.5 References and Credits
1.6 Support and Questions about the Lab
1.7 Support for Windows 10
2 Pre-Requisites (Certs, Subscriptions, and Domain)
2.1 Obtain a Public Domain Name
2.2 Request SSL Public (Wildcard) Certificate(s)
2.3 Re-use or Create a Microsoft Azure Subscription
2.4 Create and Setup an 'Azure AD'
2.5 Setup Intune Trial Tenant
2.6 Setup Office 365 Trial Tenant
3 Preparing Windows Azure for IaaS
3.1 Create a Cloud Service
3.2 Create a Storage Account
3.3 Create a Virtual Network
4 DC1: Setup and Configure AD, DNS, CA and ADFS
4.1 DC1: VM - Create the Virtual Machine
4.2 DC1: VM – Install Azure PowerShell and Configure a Static IP
4.3 DC1: AD - Configure Active Directory Domain Services
4.4 DC1: DNS - Configure DC1 as DNS for Virtual Network
4.5 DC1: DNS - Configure DC1 with DNS Forwarders
4.6 DC1: DNS - Configure an Alternate User Principal Name Suffix
4.7 DC1: DNS - Configure DNS for Federation Service, DRS and Enrollment
4.8 DC1: AD - Create Organizational Unit Hierarchy
4.9 DC1: AD - Create Users and Groups
4.10 DC1: CA - Install and Configure Active Directory Certificate Services
4.11 DC1: ADFS – Install the Public SSL Wild Card Certificate for ADFS
4.12 DC1: ADFS – Install and Configure Active Directory Federation Services
4.13 DC1: ADFS – Install Windows PowerShell for single sign-on with AD FS
4.14 DC1: ADFS – Workaround for DC1 Hanging on Boot
5 WAP1: Setup Web Application Proxy
5.1 WAP1: Create the Virtual Machine
5.2 WAP1: VM – Configure and Join WAP1 to the CORP domain
5.3 WAP1: VM – Install Azure PowerShell and Configure a Static IP
5.4 WAP1: Export the Public SSL Wild Card Certificate from DC1
5.5 WAP1: Import the SSL Wild Card Certificate to WAP1
5.6 WAP1: Configure the Azure Endpoint and Public Domain
5.7 WAP1: Install and Configure Web Application Proxy
5.8 WAP1: Troubleshooting
6 Setup and Configure AADSync
6.1 Add a Registered Domain to your Tenant
6.2 Install and Configure Microsoft Azure Active Directory Sync Services
6.3 Explore the AAD Sync Services Tool and Perform Initial Synchronization
7 Setup AAD Premium and Office 365
7.1 Assign AAD Premium Licenses
7.2 Create Test Groups in Azure AD
7.3 Assign Office 365 Licenses
7.4 Configure DNS for Office 365
8 Enable Multi-Factor Authentication
9 Integrate SaaS Applications
9.1 Integrate with Twitter through Password SSO
9.2 Integrate with Google Apps through Federation SSO
10 Using Self-Service Features (Azure AD Premium)
10.1 Self-Service Password Reset
10.2 Self-Service Group Management
10.3 Group Approval Workflow
10.4 Azure Reports
11 Protecting Data With Azure RMS
11.1 Configure Azure RMS
11.2 Creating and Consuming Protected Content
11.3 Protecting Data in Motion With Exchange IRM
12 SP1: Claims-Based Access & Resource Publication
12.1 SP1: Manually Create a SharePoint Virtual Machine
12.2 DC1: Configure DNS
12.3 DC1: Configure ADFS
12.4 WAP1: Configure WAP
12.5 SP1: Install SQL Server Express
12.6 SP1: SharePoint Farm Initial Configuration
12.7 SP1: Configure Claims Provider in SharePoint
13 CM1: Configure MDM with Hybrid Setup (CM+Intune)
13.1 CM1: Create the Virtual Machine
13.2 CM1: VM – Configure and Join CM1 to the CORP domain
13.3 CM1: VM – Install Azure PowerShell and Configure a Static IP
13.4 CM1: Install and Configure SCCM
13.5 CM1: Install and Configure CM2012 R2 SP1
13.6 CM1: Connect to Microsoft Intune Subscription in Configuration Manager
13.7 CM1: Enable the Firewall for ports 1433 and 4022
13.8 CM1: Minimize SQL Resource Usage
14 Intune: Configure MDM with Intune Only
14.1 Intune: Enable base device management for Intune Standalone
15 Setup SCEP – NDES1
15.1 NDES1: Create the Virtual Machine
15.2 NDES1: VM – Configure and Join NDES1 to the CORP domain
15.3 NDES1: VM – Install Azure PowerShell and Configure a Static IP
15.4 DC1: AD – Create the NDES Service Account and SPN
15.5 DC1: Create and Publish the Certificate Templates for NDES
15.6 NDES1: Install and Configure NDES
15.7 DC1: Add External NDES address to Internal Split Brain DNS zone and External DNS zone
15.8 CM1: Configure Certificate Registration Point
15.9 NDES1: Install Policy Module
15.10 NDES1: Configure NDES Connector
15.11 WAP1: Publish NDES1 on WAP1
15.12 Troubleshooting (Optional)
16 Setup SSTP and L2TP VPN - VPN1
16.1 VPN1: Create the Virtual Machine
16.2 VPN1: VM – Configure and Join VPN1 to the CORP domain
16.3 VPN1: VM – Install Azure PowerShell
16.4 VPN1: Import the SSL Wild Card Certificate to VPN1
16.5 VPN1: Configure the Firewall for VPN1
16.6 VPN1: Install and Configure SSTP and L2TP VPN
16.7 DC1: DNS – Add External VPN address to Internal Split Brain DNS zone and External DNS zone
16.8 DC1: Provide Users access to VPN
17 Managing Windows Phone 8.1
17.1 Intune: Configure Intune for Windows Phone
17.2 CM1: Configure Configuration Manager/Intune for Windows Phone 8.1
17.3 Hyper-V: WP8.1 – Enrollment
17.4 CM1: WP8.1 – Adding the IMEI, Device Name and Phone Number to the Inventory
17.5 Intune: WP8.1 – Configuring Policy Settings and Policies based on OMA-URI
17.6 CM1: WP8.1 – Configuring Policy Settings and Policies based on OMA-URI
17.7 Intune: WP8.1 – Configuring Allow and Deny Lists
17.8 CM1: WP8.1 – Configuring Allow and Deny Lists
17.9 Intune: WP8.1 - Configure Trusted Root and Certificate Deployment
17.10 CM1: WP8.1 - Configure Trusted Root and Certificate Deployment
17.11 Intune: WP8.1 - Configure Mail Profile
17.12 CM1: WP8.1 - Configure Mail Profile
17.13 Intune: WP8.1 – Configure a Custom VPN Profile
17.14 CM1: WP8.1 - Configure Custom VPN Profile
17.15 Intune: WP8.1 - Configure WiFi Profile
17.16 CM1: WP8.1 - Configure WiFi Profile
17.17 Intune: WP8.1 – Configuring S/MIME
17.18 CM1: WP8.1 – Configuring S/MIME
17.19 Device Retirement / Wipe
18 Enterprise Mobility for Android
18.1 Setup Google Play Account
18.2 Intune: Configure Intune for Android
18.3 CM1: Configure Configuration Manager/Intune for Android
18.4 Hyper-V: Android - Create an Android Virtual Machine
18.5 Android: Enrollment and Company Portal
18.6 Intune: Android - Configure Policies
18.7 CM1: Android – Configuring Policies
18.8 Intune: Android - Configure Trusted Root and Certificate Deployment
18.9 CM1: Android - Configure Trusted Root and Certificate Deployment
18.10 KNOX Configuration
19 Enterprise Mobility for iOS
19.1 Prepare to Manage iOS
19.2 Configure CM/Intune
19.3 Enrollment
19.4 Intune: iOS - Configure Policies
19.5 CM1: iOS – Configuring Policies
20 Enterprise Mobility for Windows 10
21 Appendix
21.1 PowerShell: Reserve a Public VIP Address for Cloud Service
21.2 PowerShell: Stop or Start all Virtual Machines
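Several ToC items (4.2, 5.3, 13.3, 15.3 and the two appendix scripts 21.1 and 21.2) rely on the same classic Azure PowerShell plumbing, so here is one added example covering them together. It is my own illustration, not the guide's script, and it uses the classic (Service Management) Azure PowerShell cmdlets that an Azure IaaS lab of this vintage is built with; exact parameter sets depend on the module version you install. The cloud service name, VNet name, region, reserved-IP name and the DC1 address are assumptions for illustration; the VM names are the guide's own. The practical reason for 21.1 is operational: the public DNS records for ADFS, WAP, NDES and VPN all point at one cloud-service VIP, and deallocating every VM in the service releases that VIP unless it has been reserved.

```powershell
# Added example, not the guide's own script. Assumes the classic (Service Management)
# Azure PowerShell module, a subscription already selected with Select-AzureSubscription,
# and the lab names below. All names and addresses here are assumptions for illustration.

$ServiceName = 'EMLab-CS'      # cloud service fronting the lab VMs (assumed)
$VNetName    = 'EMLab-VNet'    # virtual network the VMs are joined to (assumed)
$Location    = 'West Europe'   # must match the cloud service region (assumed)
$ReservedIP  = 'EMLab-VIP'     # name for the reserved public VIP (assumed)

# DC1 (AD, DNS, CA, ADFS) must be up before anything that needs AD/DNS at boot.
# CM1 only exists in the Hybrid setup; missing VMs are skipped below.
$StartOrder = @('DC1', 'WAP1', 'CM1', 'NDES1', 'VPN1', 'SP1')

function Reserve-LabVip {
    # 21.1: reserve the VIP the deployment already has so the public DNS records
    # (ADFS, WAP, NDES, VPN) keep resolving after a full deallocation.
    $existing = Get-AzureReservedIP -ReservedIPName $ReservedIP -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-AzureReservedIP -ReservedIPName $ReservedIP -Location $Location -ServiceName $ServiceName | Out-Null
    }
    (Get-AzureReservedIP -ReservedIPName $ReservedIP).Address
}

function Set-LabStaticIP {
    # 4.2 / 5.3 / 13.3 / 15.3: pin a VM's internal address. DC1 is the VNet DNS server,
    # so its address must never move; check the address is free before binding it.
    param([Parameter(Mandatory)][string]$VmName,
          [Parameter(Mandatory)][string]$IPAddress)
    $check = Test-AzureStaticVNetIP -VNetName $VNetName -IPAddress $IPAddress
    if (-not $check.IsAvailable) {
        throw "$IPAddress is not available in $VNetName; free addresses: $($check.AvailableAddresses -join ', ')"
    }
    Get-AzureVM -ServiceName $ServiceName -Name $VmName |
        Set-AzureStaticVNetIP -IPAddress $IPAddress |
        Update-AzureVM
}

function Stop-Lab {
    # 21.2: stop in reverse dependency order so DC1 goes down last.
    # -Deallocate stops compute billing but releases the dynamic VIP (hence Reserve-LabVip);
    # without it the VMs stay provisioned, keep their addresses, and keep billing.
    param([switch]$Deallocate)
    foreach ($name in $StartOrder[($StartOrder.Count - 1)..0]) {
        $vm = Get-AzureVM -ServiceName $ServiceName -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $vm) { continue }
        if ($Deallocate) {
            # -Force suppresses the prompt when the last VM in the service is deallocated.
            Stop-AzureVM -ServiceName $ServiceName -Name $name -Force
        } else {
            Stop-AzureVM -ServiceName $ServiceName -Name $name -StayProvisioned
        }
    }
}

function Start-Lab {
    # 21.2: start DC1 first and wait for it to report ReadyRole before starting
    # the domain members, which otherwise boot without AD/DNS reachable.
    foreach ($name in $StartOrder) {
        $vm = Get-AzureVM -ServiceName $ServiceName -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $vm) { continue }
        Start-AzureVM -ServiceName $ServiceName -Name $name
        if ($name -eq 'DC1') {
            $tries = 0
            do {
                Start-Sleep -Seconds 15
                $status = (Get-AzureVM -ServiceName $ServiceName -Name $name).InstanceStatus
                $tries++
            } until ($status -eq 'ReadyRole' -or $tries -ge 40)
            if ($status -ne 'ReadyRole') { throw "DC1 did not reach ReadyRole (last status: $status)" }
        }
    }
}

# Usage in the assumed lab (run once after the cloud service exists, then per session):
#   Reserve-LabVip
#   Set-LabStaticIP -VmName DC1 -IPAddress 10.0.0.4
#   Stop-Lab -Deallocate
#   Start-Lab
```

Reserving the VIP before the first full deallocation is the important ordering: if the service is emptied first, the dynamic VIP is gone and every external DNS record from sections 4.7, 15.7 and 16.7 has to be updated. Stopping with -StayProvisioned avoids that problem too, but only because the VMs are still being charged for.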
Have Fun!
Roel Schellens