I was recently implementing Intune with ConfigMgr 2012 integration on a client site as a Proof of Concept for Mobile Device Management.
For those unaware, Intune is a Mobile Device Management solution that does much more than just manage your end user devices – it also gives you granular control over Exchange and SharePoint systems via a feature called Conditional Access. Essentially this allows compliance checks against devices prior to allowing access to platforms which contain your company data. For those with an existing Microsoft infrastructure, it also integrates seamlessly into Configuration Manager, which means you’re able to manage not only your corporate Windows devices but also the corporate and personally owned devices which are registered with the Intune platform – all from one pane of glass – Winner!
With the promise of such riches at the end of the deployment for my client, I was disappointed to fall at the hurdle of enrolling user devices – but, we got there!
So the issue –
When trying to enrol a device into Intune:
– A Windows RT device could workplace join, but could not turn on device management (we did not try with other Windows versions but I would imagine the same issue would occur)
– An iOS device would report that the user name was not recognized – Can’t enrol device for user and this user account is not authorized to use Windows Intune
– Windows Mobile device would report that a user was not authorized to use the device
Having checked my configuration, ensured that the user account I was attempting to use had an EMS license attached, double-checked my cloudusersync.log to confirm the ConfigMgr integration was working correctly, and confirmed my DNS entries were fine and dandy, I was stumped.
By chance, the user account I was using for this proof of concept had a pretty complex password which was a pain to type on a mobile device – so, after much frustration, I decided to change the password to something simpler – and there I uncovered the issue –
A newly provisioned user must log in and change their password. Intune will not allow a user to log in and enrol a device with the password which was assigned during account setup.
Just as a caveat – my client was not using ADFS, just DirSync with Password Sync for authentication and it is possible this issue will not occur where ADFS is being utilised for sign-on.
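Before handing pilot devices out, it is worth checking which accounts are still on the password assigned at provisioning, since those users will hit the enrolment failure above. The following is an added example and not part of the original post; it assumes an on-premises Active Directory synced by DirSync, the ActiveDirectory PowerShell module (RSAT) on the admin workstation, and a made-up function name.

```powershell
# Added example: flag accounts that have not changed their password since the
# account was created, so those users can be told to sign in and change it before
# attempting Intune enrolment. Assumes on-premises AD synced by DirSync and the
# ActiveDirectory module; Get-IntuneEnrolmentPasswordBlockers is a made-up name.
Import-Module ActiveDirectory

function Get-IntuneEnrolmentPasswordBlockers {
    param(
        [Parameter(Mandatory)][string[]]$UserPrincipalName
    )
    foreach ($upn in $UserPrincipalName) {
        $user = Get-ADUser -Filter { UserPrincipalName -eq $upn } `
                           -Properties pwdLastSet, whenCreated, PasswordLastSet
        if (-not $user) { Write-Warning "Not found in AD: $upn"; continue }

        # pwdLastSet of 0 means "User must change password at next logon".
        # Otherwise treat a password last set within a few minutes of account
        # creation as the one assigned during setup (the 5 minute window is an
        # assumption to absorb provisioning scripts that set the password shortly
        # after creating the object).
        $onSetupPassword = (($user.pwdLastSet -eq 0) -or
            ($user.PasswordLastSet -le $user.whenCreated.AddMinutes(5)))

        [pscustomobject]@{
            UserPrincipalName    = $upn
            Created              = $user.whenCreated
            PasswordLastSet      = $user.PasswordLastSet
            StillOnSetupPassword = $onSetupPassword
        }
    }
}

# Usage (constructed UPN): anyone reported with StillOnSetupPassword = True should
# sign in and change their password before enrolling a device.
Get-IntuneEnrolmentPasswordBlockers -UserPrincipalName 'pilot.user@contoso.com' |
    Format-Table -AutoSize
```

Run this against the pilot group before the enrolment session; it reads AD only and changes nothing.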