With System Center Configuration Manager 2012 SP1 and newer in combination with Windows Intune, Microsoft supports the integration of Android, Apple iOS, Windows Phone 8/8.1, and Windows RT for holistic client management. The system thus supports uniform management of various features, such as software distribution on mobile endpoints, and the establishment of device policies for centralized control over device features to ensure compliance with centralized IT requirements. In this article, I cover the integration of Intune and SCCM and centralized client management.

To be able to manage mobile endpoints with System Center Configuration Manager (SCCM) [1], enterprises need to have a Windows Intune subscription and connect this with SCCM. Windows Intune [2] is a cloud-based management tool for Windows computers and mobile endpoints. A Windows Intune client is installed on the endpoints you want to manage, and it handles communication with Windows Intune.

Administrators can used the web-based Intune management console to install applications on managed Windows endpoints, set up centralized antivirus protection in the form of Intune Endpoint Protection (this is System Center Endpoint Protection and Microsoft Security Essentials in another guise), distribute Windows Updates (this is already supported by the Windows Server Update Server – WSUS), manage mobile endpoints with Apple iOS, Android, Windows Phone 8/8.1, and Windows RT, and manage policies to ensure compliance.

Windows Intune is primarily aimed at small to medium-sized companies with a limited IT staff or at companies that do not want to invest in System Center products, such as SCCM or System Center Endpoint Protection (SCEP) [3].

SCCM and Intune Join Forces

For enterprises that already use System Center Configuration Manager 2012 SP1 and newer, Microsoft offers a Windows Intune Connector for SCCM. Its purpose is to manage all the mobile endpoints in SCCM. Thanks to SCCM/Windows Intune integration, IT departments can use SCCM to manage all their computers; Windows Intune is required for one-off setup and management of the mobile endpoints. After successfully registering a device with Windows Intune, it appears in the SCCM management console and can be managed using SCCM.

The management options for mobile endpoints with SCCM include:

• Removing and resetting managed endpoints.
• Configuring compatibility settings for devices. This includes settings for passwords, security, wireless roaming, encryption, and wireless communication.
• Installing apps on devices.
• Installing apps from vendor stores (Windows Phone Store, App Store, or Google Play).
• Hardware and software inventory for mobile endpoints.

Integrating Intune with SCCM

After setting up your Windows Intune subscription (Figure 1), you can use Intune to manage Windows endpoints if you do not want to use SCCM exclusively for this task. If you want to use the Windows endpoint management options in Windows Intune but also manage mobile endpoints in SCCM, it is important not to assign mobile endpoint management authorization to Intune before connecting with SCCM. The background is that when you install the Windows Intune Connector, this authorization is assigned to SCCM, and a retrospective change to Windows Intune is not possible.

Figure 1: The Windows Intune Portal lets you modify the look and feel.

The next step is to integrate the public DNS domain name of your enterprise into your Intune subscription. Each user account in Intune must have a publicly verifiable DNS domain name. Microsoft requires a validation of the domain name by adding a TXT entry to the customer's DNS Forward Lookup zone. The Intune management console provides information on how to do this. After doing so, it can take up to 72 hours for the public DNS infrastructure to allow a successful validation of the domain name in the Windows Intune console, although the validation is typically quicker.

You then need to add the DNS domain name you created to your local Active Directory infrastructure as the User Principal Name (UPN) suffix. To do so, launch the MMC Active Directory Domains and Trusts [4] snap-in. In larger, distributed Active Directory environments with many locations, make sure you allow enough time for the new UPN suffix to replicate before you set up Active Directory synchronization between your local Active Directory and Windows Intune.

Syncing User Data

To manage mobile endpoints in Intune and SCCM, you need to have user accounts that are managed by Windows Intune; the accounts are uniquely assigned as the device owners. If you have a smaller number of users, you can create the Intune user accounts manually in the Intune console. If you have a larger number of users or want to use features such as bidirectional synchronization of directories or password synchronization, Microsoft recommends setting up the directory synchronization tool to sync your local Active Directory with Windows Intune.

The DirSync Tool [5], which incidentally comes from the Forefront Identity Manager, can be downloaded from the Microsoft website and installed on a member server in the local Active Directory environment. When you set this up, you need to supply the user credentials of the Intune enterprise account and of a local Active Directory domain administrator. Bidirectional directory replication between Windows Intune and your local Active Directory is possible, as is password replication. Both options require additional configuration steps.

After setting up DirSync and completing an initial sync of the user objects in Windows Intune, you can convert the users to Windows Intune users in the Intune management console and complete other settings.

To enroll a mobile endpoint in Intune successfully, your next step is to make another change to the public DNS zone configuration and create a CNAME entry in the Forward Lookup zone. This entry forwards the Enterpriseenrollment.<PublicDNSDomainname>.<tld> DNS FQDN to manage.microsoft.com . The enrollment process for an endpoint uses this DNS FQDN to connect the endpoint with the Windows Intune Portal.