Solved: iOS Devices can connect via InTune, but not Android
We had a big issue at a client recently, which was quite a bear to solve. They used ADFS with On-premise SSO (meaning that they didn’t use DirSync to push passwords into Azure AD/Office 365), so when clients come to authenticate over the web via the Company Portal App, they were referred to our on-prem ADFS for authentication.
This worked fine for our iOS and Windows Devices, no issues at all! But then when we tried to use Android devices, they would be presented with the following error message:
Could not sign in. You will need to sign in again. If you see this message again, please contact your IT Admin.
Don’t you love those messages that tell you to contact yourself?
From the InTune app, you can obtain logs by clicking on the ‘…’ hamburger menu. Opening the log, we see the following errors.
Authentication failed. Current state: FailedToAcquireTokens
Failed to acquire Graph token from AAD.
SignInService.access$900(SignInService.java:44)
SignInService$AadFailureAction.exec(SignInService.java:464)
SignInService$AadFailureAction.exec(SignInService.java:444)
GraphAccess$GraphTokenFailureDelegate.exec(GraphAccess.java:190)
GraphAccess$GraphTokenFailureDelegate.exec(GraphAccess.java:174)
AdalContext$AdalAuthenticationRetryCallback.onError(AdalContext.java:228)
com.microsoft.aad.adal.AuthenticationContext.waitingRequestOnError(AuthenticationContext.java:899)
com.microsoft.aad.adal.AuthenticationContext.onActivityResult(AuthenticationContext.java:758)
com.microsoft.windowsintune.companyportal.authentication.aad.AdalContext.onActivityResult(AdalContext.java:150)
com.microsoft.windowsintune.companyportal.views.AadAuthenticationActivity.onActivityResult(AadAuthenticationActivity.java:57)
Code:-11 primary error: 3
certificate: Issued to: CN=adfs.company.com,OU=E-Commerce,O=Company,L=Somewhere,ST=Georgia,C=US; Issued by: CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
on URL: https://adfs.company.com/adfs/ls/?wfresh=[...]
The error occurs when the Company Portal app checks our certificates on ADFS to see if we are trustworthy.
The issue is that Android handles certificate chaining differently from iOS and Windows Phone. In short, Android trusts only the chain the server actually presents and will not go and look up a missing intermediate certificate on its own, so all of our certs up the chain need to be present on our ADFS Servers, whereas iOS would intelligently look up the cert signer for us.
The fix is to import the certs up the chain into the Intermediate Certification Authorities store on the ADFS Proxies themselves.
So, launch the MMC and add the Certificates snap-in for the Local Computer on your ADFS Server. Find the cert your ADFS Service is using (likely issued to adfs.yourcompany.com) and view its parent certificate.
Move a copy of the ‘parent’ cert (in my case, Symantec) into the Computer\Intermediate Certification Authorities\Certificates store. This part is CRUCIAL!
Next, move copies of your ADFS, ADFS Decrypting, and ADFS Signing Certs into the Personal Store for the ADFS Service.
Finally, restart the ADFS servers, because restarting the service alone is not enough.
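As an added check (example script, not from the original post), the PowerShell below walks the chain of the ADFS service certificate through the Local Computer stores and reports the first issuer that is missing; adfs.company.com is a placeholder for your own ADFS name, and the script assumes it runs on the ADFS server or proxy after the import above.

```powershell
# Added example: confirm that every issuer above the ADFS service certificate is
# present in the Local Computer Intermediate CA (CA) or Trusted Root (Root) store.
# Windows builds the chain it sends to TLS clients from these stores, so a gap
# here is exactly what the Android Company Portal trips over.
param(
    [string]$ServiceDnsName = 'adfs.company.com'   # placeholder, use your ADFS service name
)

# Find the service certificate in the Personal store by its CN (newest one wins).
$leaf = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($ServiceDnsName))" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $leaf) { throw "No certificate for $ServiceDnsName found in Cert:\LocalMachine\My" }

# Candidate issuers: everything in the Intermediate and Root stores.
$issuerStores = @(Get-ChildItem Cert:\LocalMachine\CA) + @(Get-ChildItem Cert:\LocalMachine\Root)

$current = $leaf
$depth   = 0
$ok      = $true
# Walk upward until we reach a self-signed root (Subject equals Issuer).
# Matching on the DN string is good enough here; a stricter check would compare
# the Authority Key Identifier with the parent's Subject Key Identifier.
while ($current.Subject -ne $current.Issuer) {
    $parent = $issuerStores | Where-Object { $_.Subject -eq $current.Issuer } | Select-Object -First 1
    if (-not $parent) {
        Write-Warning "MISSING: issuer '$($current.Issuer)' of '$($current.Subject)' is not in the CA or Root store."
        Write-Warning "Import it into Intermediate Certification Authorities and restart the server."
        $ok = $false
        break
    }
    Write-Host ("[{0}] {1}`n      issued by {2}" -f $depth, $current.Subject, $parent.Subject)
    $current = $parent
    $depth++
    if ($depth -gt 10) { throw 'Chain is unexpectedly deep; aborting.' }
}
if ($ok) {
    Write-Host "Chain complete: $depth issuer certificate(s) found locally, ending at root '$($current.Subject)'."
}
```

To see what the server actually hands out after the restart, `openssl s_client -showcerts -connect adfs.company.com:443` from any machine with OpenSSL lists every certificate in the presented chain.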
With all of this finished, I’m finally able to enroll Android devices into InTune.
InTune - Don't forget this important e-mail setting!
On a recent InTune deployment, we had a requirement to force encryption and security on mobile devices and also provision mail profiles as well.
During the pilot, we heard informal reports that a user thought they couldn’t send a photo using their company e-mail after migration, but we found this hard to reproduce.
However, during the production roll-out, we discovered that users were unable to add attachments using their InTune configured mail account.
Note that this was a ConfigMgr w/ InTune deployment, and the affected devices were mostly iOS and Android devices.
How do I fix this?
You control this setting from ConfigMgr, so launch the console.
Browse to Assets\Compliance Settings\Company Resource Access\E-mail Profiles
Open Mail Profile
Check the Synchronization Settings tab and ensure the ‘Allow email to be sent from third-party applications’ checkbox is checked.
Will mobile devices reflect this change?
YES! The next time your devices check in for policy, they will note the change and the InTune MDM agent will allow your users to add attachments and send e-mail from other applications again.
How do I force update of my iOS and Android Devices?
If you’re reading this, chances are that you forgot to make this change, and are wondering precisely how screwed you might be.
Mobile Devices refresh their policy in accordance with the Default Device Policy setting in SCCM itself, and respect no other client setting. You can alter this setting under Administration\Client Settings\Default Settings.
The value you want is under Client Policy\Client policy polling interval (minutes)
The default Setting is 60 minutes, meaning that the device will phone home every hour. You could ratchet this setting down to 5 minutes, but your devices in the field will still only check-in once an hour or so.
Once they note the change, devices will automatically remediate themselves. So you’re OK!
How do I force a single device to update policy?
You can force a single Device by launching the Company Portal application. In the app, click on ‘devices’ and then click Sync. Assuming good data coverage, this process takes roughly five minutes.
ATLPUG meetup, TONIGHT!
Just a reminder, the new venue will not be ready until next month’s meeting, so please meet us instead at the Microsoft office in Alpharetta: Microsoft Corporation, 1125 Sanctuary Pkwy Ste 300, Alpharetta.
Join us TONIGHT, December 8th when June Blender will be giving a talk on PowerShell Events! This will be in the Microsoft office in Alpharetta, near the mall! Wear your Santa hats for a special door prize!
About June Blender
June Blender is a technology evangelist for SAPIEN Technologies, Inc. Formerly a Senior Programming Writer at Microsoft Corporation, she is best known for her work with the Windows PowerShell product team from 2006-2012, developing the help system and writing the Get-Help help topics for PowerShell 1.0 – 3.0. In other roles, June wrote content for the Azure Active Directory SDK and Azure PowerShell Help, Windows Driver Kits, Windows Support Tools, and Windows Resource Kits. She lives in magnificent Escalante, Utah, where she works remotely when she’s not out hiking, canyoneering, or convincing lost tourists to try Windows PowerShell. She is a Windows PowerShell MVP, a PowerShell Hero, an Honorary Scripting Guy, and a frequent contributor to PowerShell.org. Contact her at email@example.com and follow her on the SAPIEN Blog and on Twitter at @juneb_get_help
DSC - The Simplest Domain Controller config, ever
This post is part of the Learning PowerShell DSC Series, here on FoxDeploy.
I’ve been pointing people to my series on DSC for a while now, and noticed that my instructions were not 100% accurate, plus I was sending people all over the web to download the needed files to build a Domain Controller using DSC. So, in this post, I’ll provide much simpler instructions to deploying a one-click domain controller.
I’ve also provided some custom versions of the DSC Resources used in this post, which include some code fixes not yet available on the PowerShell Gallery today.
To avoid heartache, I would strongly encourage you to use the copies I’m providing with this post.
- First and foremost, download a .zip of the full repo here
- Now, make sure you have a Windows Server machine ready, running WMF 5.0. If you need it, download it here
- VM Configuration: The VM should have two network adapters.
- The first one should be internal (that is to say facing the VMs where you’d like this DC to be accessible) and once the script completes, you’ll have working DHCP and DNS on this vSwitch.
- The second vNic should be external, if desired. DNS and DHCP will not be provided on this connection.
- Create a new Administrator on this machine. The Admin which you use to run this process becomes the first Domain Administrator in your new Domain.
- Next, extract this to your new Domain Controller to be, under C:\temp.
- Copy all of the xModuleName folders into $env:ProgramFiles\WindowsPowerShell\Modules on your VM
- From an Administrative PowerShell prompt, run the below command to unblock all files downloaded.
dir -Recurse -Path $env:ProgramFiles\WindowsPowerShell\Modules | Unblock-File
Now, simply launch OneClickDSC.ps1 in PowerShell, and click the Play button (or hit F5), to launch the GUI.
You only have to provide two values. On the left, if you choose to, you can rename your computer. If you choose to do so, you’ll have to reboot before you can complete DSC Application. But DSC will continue after the reboot, so there’s really no worry.
On the right side of the screen, simply type in the domain name for your new Domain. You’ll then be prompted for credentials.
This prompt is a little bit nonstandard. See, DSC will run a check for DSC consistency regularly, and it will do so using the values you type in on the credentials prompt as the DSC Admin account.
What’s going to happen is that our current account will be elevated to domain admin and when DSC runs this check again for consistency, it will use the credentials we specify here.
Important warning!!!! Make sure to specify your username as NewDomainName\CurrentUserName.
So, if you’re making Domain Ham, and your name is Bacon, then login as Ham\Bacon.
First step for application, is to change the computer’s name. This requires a reboot. So…reboot.
On restart, we can run the following commands to watch the rest of the DSC Application:
# Pause the last application
Stop-DscConfiguration -Force
# Resume so we can watch it
Start-DscConfiguration -ComputerName localhost -Wait -Force -Verbose -UseExisting
Now, if you diverged from using my copy of the DSC resources, you may run into an error, specifically w/ the computername module, around specifying a name for a Computer, without specifying a domain name. This is an open issue in GitHub right now, so hopefully the problem will be resolved soon, but for now, the copy you’ll get w/ this blog post has the proposed fix to the issue.
And…we’re done when we see this screen!
So, I hope this clears up the questions people were asking about how to use this ‘OneClick Domain Controller’.
Solved: Ubuntu install hangs on Hyper-V
Recently, I’ve been getting more and more interested in Chef, and decided it was time to build out a testlab in my Hyper-V.
I started imaging a new VM using the 14.10 LTS release of Ubuntu, one of the supported environments for Chef Server.
However, during install, my VM would freeze here:
At the same time, I noticed a critical level event from Hyper-V.
‘VMName’ was faulted because the guest executed an intercepting instruction not supported by Hyper-V instruction emulation. If the problem persists, contact Product Support. (Virtual machine ID 8895146E-C175-4CA5-B7A6-57E1D6E48290)
I did a bunch of googling and found…almost no one with this same issue, and I thought it was related to Hyper-V on Windows 10 Tech Preview. As it turns out, this is caused by some generation 2 Virtual Machine features, namely Dynamic Memory.
Install of Ubuntu or other *Nix distro freezes during install on Hyper-V, as a Gen 2 VM.
Dynamic Memory does not appear to be supported during install of Ubuntu, and will manifest as errors during OS Install and Partitioning.
Disable Dynamic Memory until install is completed. After installing, run ‘sudo apt-get update’ to ensure drivers are up to date, for optimum VM svelteness.
Quicky: How to use Server Nano TP4 in Hyper-V
Super quicky here. With Windows Server Tech preview 4 shipping now, we have a new release of Server Nano to play with. Ben Armstrong wrote a guide for tech preview 3, but the cmdlets have changed since then, so I figured I’d write this out to help you as well!
Step 1: Get the Server tech preview 4 media here
Step 2: Launch PowerShell, browse to the media\NanoServer folder. (In my case, Drive F:)
Step 3: In PowerShell run the following:
New-NanoServerImage -MediaPath F:\ -BasePath X:\Nano -TargetPath 'X:\Nano\VHD\NanoServer.vhd' -GuestDrivers -Containers -EnableEMS -ComputerName Nano
Let’s break down those parameters:
- MediaPath - the Server TP 4 drive, in my case F:\
- BasePath - the staging directory, this cmdlet will dump a lot of stuff here to do its magic to convert the WIM into a VHD
- TargetPath - where to put the completed VHD
- GuestDrivers - this switch injects the Hyper-V guest Drivers
- Containers - want to try Docker Containers? Put this param in!
- EnableEms - want to play with the new Emergency Management Console for Nano? Sure you do, include this one too!
- ComputerName - Whatcha wanna call this new computer?
These are probably the most important params.
If it worked, you’ll see something like the following
Now, be warned that this will create a .vhd, so you’re stuck with a Gen 1 VM, which really isn’t so bad, given how little Nano can do today :p
To boot her up:
My next step is to do domain join, and see what all we can load up on her!