How to Create Upload Apple Push Notification Service APNs Certificate Using SCCM CB

To manage iOS and Mac OS devices via Intune and hybrid SCCM CB, we need an Apple Push Notification Service (APNs) cert.

In this video tutorial, we can see how to get the certs from Apple and how to upload them to SCCM CB for a hybrid solution, so that iOS and Mac OS X devices can be managed via Intune.

You must have an Apple ID (user name and password) to upload and download the certs for SCCM CB hybrid.

Following is the location and file where I saved the downloaded cert from the SCCM CB hybrid environment: C:\Users\anoop\Documents\Apple Cert\Apple_Cert_4_How_2_Manage.CSR


Go to the following Apple website:

https://identity.apple.com/pushcert/  

At the end of this process, you will be able to manage iOS and Mac OS devices via Microsoft Intune and/or an SCCM CB hybrid environment!

Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments

How do we create and deploy compliance policies using SCCM CB Hybrid and Intune environments? We are going to look at 3 topics in this post.

1. How to create compliance policies using Intune and an SCCM CB Hybrid environment.

2. How to deploy Compliance policies and

3. Differences between the compliance policy settings !!

I have created a quick and dirty video tutorial to explain all these steps, and the video is embedded in this post as well 🙂 First and foremost, the compliance policies work along with Conditional Access policies.

To have permission to access corporate resources like mail, SharePoint Online, etc., the device must be compliant with the policies we set! SCCM CB and Intune compliance policies can be deployed only to users, not device collections or groups.

How to Create SCCM CB Hybrid Compliance Policy?

As you can see in the following picture, in SCCM CB we can specify the type of compliance policy that we want to create. There are two options: 1. Compliance rules for devices managed with SCCM clients. 2. Compliance rules for devices managed without SCCM clients (MDM clients etc…).

Moreover, it gives the granularity to select different device platforms like Windows 8.1, Windows 10 mobile, iOS, Android, KNOX, etc. This is a very useful option in SCCM CB Hybrid compliance settings! The steps to create an SCCM CB compliance policy are explained in the video tutorial above.


How to create a Compliance Policy using Intune?

As you must have noticed, there is one general compliance policy for all the platforms. There is no option to create different compliance policies for different device platforms like iOS, Android, and Windows.

Yes, in Intune compliance policies, we don’t have the option to select a specific OS platform.

The three common categories available are

1. System Security

2. Device Health and

3. Device Properties.

All the steps to create an Intune compliance policy are explained in the video tutorial above.


How to Deploy Compliance Policies using SCCM CB Hybrid?

Yes, compliance policies can be deployed only to User Collections, not to device collections, in SCCM. There are no DEVICE Collections in the drop-down menu! This makes sense because compliance policies are associated with conditional access policies in BYOD and CYOD scenarios.

Another point is the granularity that SCCM CB provides in terms of the compliance rules/policy evaluation schedule. You can change the compliance policy evaluation schedule! By default, the SCCM CB compliance policy evaluation schedule is 23 hours. You can change and customize it according to your needs. The steps to deploy the SCCM compliance policy are explained in the video tutorial above.


How to deploy compliance policy using Intune?

Yes, compliance policies can be deployed only to User Groups in Intune, not device groups. Moreover, there is no granularity in the scheduling of the compliance policies if you compare it with SCCM CB. Rather, Intune provides global settings for all the compliance policies we create for that tenant.

Check out the Intune compliance policy settings… what is that? It’s the compliance status validity period… Nice! It’s a global setting – we can’t specify 31 days for one compliance setting and 20 days for another compliance setting! All the steps to deploy an Intune compliance policy are explained in the video tutorial above.


Difference Between Intune vs SCCM CB Hybrid Compliance Policies

Following are the differences that I have noticed in Intune vs SCCM CB Hybrid Compliance Policies:

– There is no option to select a specific supported platform in Intune. However, with SCCM CB, we can create platform-specific compliance policies.


– There is no granularity in the deployment scheduling options with Intune. However, many more scheduling options are available for SCCM CB compliance policies.


Outcome/Result of Compliance policies – Windows 10 device

Following is an example of a Windows 10 machine that is AAD and MDM joined, but it’s not in compliance. The device encryption is not enabled on the Windows 10 machine.


Following is an example of a Windows 10 device that is compliant with the policies that an organization has set. Once Windows 10 is compliant, the user can access corporate mail and other resources.


Video Tutorial to Learn about Intune MAM Policies and App Reporting by Specific User

In this post, I would like to share a video tutorial that explains Intune MAM policies and app reporting by specific user. Microsoft Intune introduced MAM Reporting options with the Intune 2305 release.

Let’s learn how to create Intune App Protection Policies for iOS/iPadOS. App Protection Policies (APP) can be applied to both enrolled and non-enrolled devices. APP can be used with third-party MDM solutions.

MAM policies created in the MEM portal are different from the MAM policies which we create from Intune portal for MDM-enrolled devices. Outlook Groups is the newest application included in the Azure portal for Intune MAM-enabled applications.

Let’s check how to enable Intune App Protection Policies for Android and iOS devices. You can get more details and end-user experience from the video given below.

Intune MAM Policies and App Reporting?

Also, I can see the PREVIEW option to add custom applications for MAM policies without MDM enrollment. This is an excellent feature. Settings –>Preview – Line-of-business apps –>  Preview – Add a custom app.


1. How to Create Intune MAM (Mobile Application Management) – Without MDM Enrollment

2. MAM policies App Reporting By Specific Users.  

Resources

SCCM Related Posts Real World Experiences Of SCCM Admins (anoopcnair.com)

SCCM Video Tutorials For IT Pros – HTMD Blog #2 (howtomanagedevices.com)


Learn How to Setup Dynamic Device Groups in Intune

Do you want to add mobile devices automatically to Microsoft Intune Device Groups? Intune dynamic groups have been a customer request for a long time.

This feature is similar to dynamic collections in SCCM/ConfigMgr. There are two ways to do it. One is using the Azure AD Premium feature called AAD Dynamic Groups, and the other, which is pretty new in Intune, is called Device Group Mapping.

Updated Post -> How To Create Nested Azure AD Dynamic Groups.

How to add devices/users automatically to Intune Groups using Azure AD Dynamic Groups?


  • Log in to the Azure AD portal (AAD Premium subscription should be there).

Read More -> Create AAD Dynamic Groups Based On MDM Intune SCCM Management

Navigate via – Directory –> Groups –> Open the group (MDM Group) –> Configure. Enable Dynamic Group (Only available for AAD Premium subscriptions) Membership –> Add Users where <Department> is equal to “IT”. 

  • Log in to AAD.Portal.Azure.com.
  • Navigate to the Azure Active Directory -> Groups node -> Click on the New Group button.
  • Group Type -> Security
  • Group Name -> HTMD AAD Group based on Dept
  • Group Description -> To add all devices or users from a dept
  • Membership Type -> Dynamic User

In this scenario, all the users from the IT department will get added to the AAD Dynamic Security Group called MDM Groups.

Don’t panic if the group is not populated with users immediately; give it some time. It will get updated.

Once the AAD Dynamic Group is created and updated, log in to the Intune portal (endpoint.microsoft.com) and create a new User Group to fetch all the devices of IT department users.


Whenever a new user joins the IT department, that user will automatically get added to the Intune MDM group as well. This makes provisioning and de-provisioning of groups easy.

More Details -> Create AAD Dynamic Groups Based On Domain Join Type Hybrid Azure AD And Azure AD

There are two options to build the Azure AD dynamic group query. You can use the rule builder or rule syntax text box to create or edit an AAD device group dynamic membership rule.

  • Rule Builder -> Graphical interface – Easy to create the dynamic query.
  • Rule Syntax -> Advanced technical users for complex queries.

You need to follow the steps mentioned below to use Azure AD dynamic group Rule Builder to create dynamic query rules for Hybrid Azure AD joined devices.

  • Under Configure Rules -> Choose Property drop-down list.
  • Select deviceTrustType as the property from the drop-down list.
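
The two rules described above (users whose department is "IT", and Hybrid Azure AD joined devices selected through deviceTrustType), written in rule syntax and created with Microsoft Graph PowerShell. This is an added example, not part of the original post; the function name `Set-DynamicGroup` and the second group's name and description are hypothetical.

```powershell
# Added example (not from the original post). Needs the Microsoft.Graph.Groups
# module and an AAD Premium tenant, as the post notes for dynamic groups.
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

function Set-DynamicGroup {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $Description,
        [Parameter(Mandatory)] [string] $MembershipRule
    )
    # OData string literals escape a single quote by doubling it.
    $safeName = $DisplayName.Replace("'", "''")
    $existing = Get-MgGroup -Filter "displayName eq '$safeName'" -Top 1 `
        -Property Id, DisplayName, GroupTypes, MembershipRule

    if ($existing) {
        # Never silently convert an assigned group: its current members would be replaced.
        if ($existing.GroupTypes -notcontains 'DynamicMembership') {
            throw "Group '$DisplayName' exists but is not a dynamic group."
        }
        Update-MgGroup -GroupId $existing.Id -MembershipRule $MembershipRule `
            -MembershipRuleProcessingState 'On'
        return Get-MgGroup -GroupId $existing.Id
    }

    # MailNickname is mandatory even for security groups; derive one from the name.
    $nick = $DisplayName -replace '[^A-Za-z0-9]', ''
    New-MgGroup -DisplayName $DisplayName -Description $Description `
        -MailEnabled:$false -MailNickname $nick -SecurityEnabled `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $MembershipRule -MembershipRuleProcessingState 'On'
}

# Rule Builder equivalent of "Department equals IT" (Membership Type: Dynamic User).
# Membership follows the attribute: whoever can edit user.department decides who joins.
Set-DynamicGroup -DisplayName 'HTMD AAD Group based on Dept' `
    -Description 'To add all devices or users from a dept' `
    -MembershipRule 'user.department -eq "IT"'

# Hybrid Azure AD joined devices report deviceTrustType "ServerAD".
Set-DynamicGroup -DisplayName 'HTMD Hybrid AAD Joined Devices' `
    -Description 'Hybrid Azure AD joined devices (constructed example name)' `
    -MembershipRule 'device.deviceTrustType -eq "ServerAD"'
```
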

How to Add Devices automatically to Intune Device Groups using Device Group Mapping?


Click on the Admin tab in Intune console. Navigate via Device Group Mapping – enable Device Group Mapping – Create a Device Group and ADD a CATEGORY to manage device group mapping rules. Once you click on Create Device Group, it will guide you through creating one device group.

When a user enrolls in Intune using the Microsoft Intune Company Portal application, the user will get an additional screen during the enrollment process with the prompt “Choose the best category for this device”. Right now, I have only created one category, “ADMIN”, for users to select. You are free to create an Intune device category for each department!

More details on AAD Groups Based On Intune Device Categories
