Remote reset PIN on Mobile Devices - SCCM 2012 R2 w/ Intune

Similar Messages

• How to disable remote wipe option for mobile devices

  Hi,
  I have integrated environment of SCCM 2012 R2 and Windows Intune. I am managing Windows phone, Android and IOS devices through this setup. I was trying find an option to disable remote wipe option in the SCCM Console. Only selective wipe should be available.
  Can you please help me on how to configure this setting.
  Regards
  Leela

  I got the below response from the micososft intune team.
  "Issue Definition: Cx would like remote wipe disabled
  in the Admin console.
  Scope Agreement: Disable remote wipe feature from account.
  You will not be able to block this feature using Microsoft Intune.  System
  Center Configuration Manager might be able to control this feature.  You
  might consider opening a case with their team.
  The other thing to consider, is to limit the amount of Admin users you have.
  Anyone that is given Admin rights in Microsoft Intune will have the ability to
  use the wipe feature.  "
  I have raised a ticket with SCCM 2012 team, awaiting their response.
  Regards
  Leela

• WP8.1 MDM Remote Reset PIN and Lock Strange behaviour

  Hi, I have the following issue when sending LockAndResetPin more than once without unlocking the device inbetween.
  >Issue sequential exec on LockAndResetPIN and get on NewPINValue, phone locks and new PIN is in response OK.
  >Access device with new PIN, works OK.
  >Issue sequential exec on LockAndResetPIN and get on NewPINValue, phone locks and new PIN is in response OK.
  >Issue sequential exec on LockAndResetPIN and get on NewPINValue, this time the LockAndResetPIN returns a 500 error and the NewPIN is null.  Even though LockAndResetPIN failed, the previous PIN returned no longer works and you have to wipe the device.
  It does state in the doc that the generated pin may be offensive and therefore you can execute LockAndResetPIN again - however it seems that this causes some nasty behavior.

  Just to update on this issue - it only appears to happen if there was no passcode set.
  So the following works ok - 
  >Set passcode
  >Reset passcode
  >Reset passcode
  >Enter new pin OK
  >Unset passcode
  >Reset passcode
  >Reset passcode - reset fails and new pin is null
  >Enter pin from first reset and it states incorrect pin and you have to reset
  Thanks
  Scott

• Windows 8.1 laptop computer not showing in SCCM 2012 devices collection

  Hi,
  I am trying to do a POC on license management from  SCCM 2012. I have configures a SCCM 2012 server and intune subscription also. I have Android, iOS and desktop apps uploaded (.msi). when I enrolled android and ios devices its shows up in SCCM,
  devices collection but do not show in Intune.
  my company portal is nicely coming up on android and iOS tabs. on the other hand company portal showing only Web apps, on a win8.1/7 laptop.
  When I tried to enroll 2 windows 8.1/ 7 laptop (intel x86), they donot show up in SCCM. clients of intune manually installed, endpoint protection of SCCM installed also on both boxes.
  I tried updating membership in SCCM for both know and unknown type, many time and also triggered Deployment of some desktop app, to the win 8.1 laptops. the desktops are showing in Intune All devices -> all computers nicely. But
  not in SCCM2012.
  what did I missed, I tried to add all the logical roles. below is some details what shows up in Intune:
  indranil

  If you installed the Intune agents on the Win 8.1 and Win 7 systems, then they will never show up in ConfigMgr.
  There are basically two parts of Intune -- a Mobile Device Management piece and a Windows management piece. The Intune connector in ConfigMgr takes over the MDM piece and nothing more. When ConfigMgr takes over this MDM piece, as Torsten said, all MDM devices
  enrolled show up in ConfigMgr and not Intune because that's now controlled by ConfigMgr. The Windows management piece remains unchanged and separate though and so those systems will be directly managed by Intune only or ConfigMgr only.
  So you have three options there:
  - Install the ConfigMgr agent and managed using COnfigMgr
  - Install the Intune agent and manage using Intune
  - Enroll the systems using OMA-DM which manages them as if they were devices. This means so you don't get SCEP or Windows Updates or most of the other ConfigMgr functionality. This is only valid for Win 8.1 though.
  Jason | http://blog.configmgrftw.com

• SCCM 2012 Design Consideration / Advice

  I have been tasked with a SCCM 2012 Design.  We will be starting a fresh so I want to get this design right the first time and looking to you all on advice / Considerations I need to look at.  Any help/feedback is appreciated.
  Company Layout:
  1 Main Office (Corporate Headquarters)
  15+ Remote Locations with T1 Connections back to Main Office
  3 Remote Locations with 100MB Connection to Main Office
  2 Remote Locations with 10MB Connection to Main Office
  2 Remote Locations with T3 Connections back to Main Office
  300+ Remote Sales Rep (Work From home, coffee shops, etc...)
  Approxamitly 3500 Clients throughout the organization
  What we want to accomplish with SCCM:
  Hardware/Software Inventory
  Computer Imaging & Users State Migration
  Deploy Packages / Applications
  Application Portal (Self Service)
  Windows/Software Updates (Even to Remote Sales Reps)
  Manage Mobile Devices
  What are your thoughts on the design?  Do we run SQL on the CAS/Primary Site Servers or do we run it on a separate server? 
  Main Office = CAS (Probably Don't need), & Primary Site, & a Distribution Point for Internet Based Clients.
  Primary Site Roles:
  Site Server
  Component Server
  SMS Provider
  Site System
  Site Database Server
  Application Catalog Web Service Point
  Application Catalog Website Point
  Distribution Point
  Management Point
  Software Update Point
  State Migration Point
  Fallback Status Point
  Remote Offices do I do all Secondary Sites or Mix and match DP or do I make some of them Primary Sites?
  Secondary Site Roles:
  Site Server
  Component Server
  SMS Provider
  Site System
  Site Database Server
  Management Point
  Distribution Point
  Software Update Service
  State Migration Point
  Fallback Status Point
  Also do you agree with the specs I am thinking for each server role?
  CAS
  8 cores (Intel Xeon 5504 or comparable CPU) 
  32 GB of RAM 
  500 GB of disk space 
  Primary
  4 cores (Intel Xeon 5140 or comparable CPU)
  16 GB of RAM
  500 GB of hard disk space 
  Secondary Site
  4 cores (Intel Xeon 5140 or comparable CPU)
  8 GB of RAM
  200 GB of hard disk space
  Distribution Points
  2 cores (Intel Xeon 5140 or comparable CPU)
  8 GB of RAM
  200 GB of hard disk space 

  Based on that you'll have a total of approx. 3500 clients in your organization I do not see the immediate requirements of secondary sites but if you have sites with approx. 500 users a secondary site is a good idea.
  IOPS is the most important thing when looking at hardware requirements for a site server due to it being SQL intensive. And it is actually only the database file storage that requires high IOPS. Due to that measuring IOPS is more of an art than science I
  cant give you any numbers but SSD drives is nice to have :)
  Based on your list of hardware I guess you've found
  http://technet.microsoft.com/en-us/library/hh846235.aspx and
  http://technet.microsoft.com/en-us/library/gg682077.aspx#BKMK_SupConfigClientNumbers
  As you wrote and that other has written, do not use a CAS for this scenario.
  If you can pull of some SSDs I would say something like
  120 GB non-SSD for OS (remember, that pagefile needs some room too!)
  80 GB non-SSD for Program Files
  64 GB SSD for Database's
  64 GB non-SSD for logs
  500 GB non-SSD for Content Source
  500 GB non-SSD for Content Library
  Figures above is an estimate for your Primary Site Server based on the information you've given. I can not guarantee these figures due to forum post. The point of this post is to show you where you need SSD/lots of IOPS for good performance.
  I usually recommend you to run your system as virtual machines due to the fact that you can use snapshots while performing upgrades and other maintenance tasks.
  Tim Nilimaa | Blog: http://infoworks.tv | Twitter: @timnilimaa

• Pulling Mobile Device Info from ConfigMgr

  I setup a connector between ConfigMgr 2012 SP1 and Service Manager 2012 R2. Also, the ConfigMgr environment is setup to sync devices from Exchange 2010. However, it does not appear that the ConfigMgr connector in Service Manager is pulling the mobile devices
  into the CMDB. I have confirmed that the collection selected in the connector has the mobile devices in it. I have also confirmed that the account used in the connector has the correct permissions. I have tried just about every combination I can think of to
  get the ConfigMgr connector to populate mobile devices in the CMDB.
  To ensure that is not related to this one environment, I also setup the connector in my lab. My lab is using ConfigMgr 2012 SP1, Service Manager 2012 SP1, and Exchange 2010. I connected a Window Phone 8 VM, an iPad, and an Android VM to Exchange via Active
  Sync. Then I setup the connector between Exchange and ConfigMgr. The mobile devices were brought into ConfigMgr. Then I setup the ConfigMgr to Service Manager connector, and once again it did not bring over the mobile devices.
  I am suspicious that it may not be working because ConfigMgr does not consider these to be managed devices. This is due to the fact that they do not have a ConfigMgr agent installed. I noticed that when I setup the connector, the number listed next to the
  All Systems collection does not match the total number of actual systems in the collection, but the total number of systems with the ConfigMgr agent installed. To confirm my suspicion I setup a Windows Mobile 6.5 emulator, and setup my ConfigMgr as an enrollment
  point. I then installed the ConfigMgr mobile agent on the 6.5 emulator image and synced it with my management point. After confirming the device was connected, and in the All Systems collection, I ran the ConfigMgr connector in Service Manager. When the connector
  finished running I confirmed that the Windows Mobile 6.5 device with the agent installed was present in the CMDB under the Mobile Device (SCCM) class. However, the Windows Phone 8, iPad, and Android devices are still not imported by the connector.
  Has anyone run into this before? Is there a way around this?

  m-commerce based application which requires
  some informations of device like either SIM
  card number or mobile number.java_at_core
  See the solution to getting the phone number offerred by PeppeME in thread
  http://forum.java.sun.com/thread.jspa?forumID=76&threadID=5201724
  If this works for you, don't forget to give Peppe a share of the Dukes.
  Darryl

• Remotely wiping Mail for Exchange devices?

  MfE v2.3.0 release note and user guide tells possibilities to remotely wipe and lock mobile devices. How can this be done?
  Does the following MS Exchange add-on give us possibility to remotely wipe MfE devices?
  http://technet.microsoft.com/en-us/library/bb50883​7(EXCHG.65).aspx
  http://www.microsoft.com/downloads/details.aspx?Fa​milyID=e6851d23-d145-4dbf-a2cc-e0b4c6301453&displa​...
  What about security locking the phones - how this one should be done? Exchange 2003 SP2 has some preferences under System Manager - Global Settings - Mobile Services - Preferences - Device Security. Is this the place to be used?
  Any docimentation available from Nokia, how we should deploy this remote management feature and what are the recommended values for the parameters above?

  Check the following web site. I think, and I could be totaly mistaken, the functionality you are looking is part of the NOKIA INTELLISYNC SUITE.
  http://www.businesssoftware.nokia.com/
  Información sobre Symbian / NSERIES en Español en http://symbianespanol.wordpress.com

• Managing Mobile Devices

  We are currently in Office365 and use Intune for desktop management. Many of our users use their mobile devices to access their e-mail.
  We'd like to look at using Intune's Mobile Device Management capabilities but I have a question. If we were to choose (on the Admin - Mobile Device Management page) to make Intune our manger, by turning that option on am I going to affect any of our current
  users that are using "un-managed" devices to access Office365 e-mail? We'd like to setup a pilot group before rolling it out agency wide.
  Thank you.

  Hi,
  No, you deploy that policy when you want to and to a group if you like so you can limit and test conditional access for office365. so no problem in turning on MDM.
  Regards,
  Jörgen
  -- My System Center blog ccmexec.com -- Twitter
  @ccmexec

• Deploy Symantec certificate profiles to mobile devices using Microsoft Intune to manage company resources like WiFi

  We are planning to deploy Symantec certificate profiles to Mobile devices to manage company resource like WiFi. I've seen documentation on Technet and the post here http://ronnydejong.com/2014/12/15/part-1-deploy-certificates-to-mobile-devices-using-microsoft-intune-ndes-overview/ that
  we need to install Intune NDES connector which needs to be installed on NDES server. These docs are true when we are using Microsoft PKI.
  Here, we're planning to use Symantec cloud PKI to deploy the certificates to mobile devices. So, I would like to know which are the required on-premises components ? NPS, NDES  or something else? Any documentation URL would be helpful ;) We're in planning
  face hence the question in the forum. 
  Regards
  Anoop
  Anoop C Nair (My Blog www.AnoopCNair.com)
  - Twitter @anoopmannur -
  FaceBook Forum For SCCM

  Thank you Jason for the reply !
  Sorry for stupid questions !
  Does that mean, NDES is needed only for initial enrollment process of a mobile device? We don't need it deploying Symantec certificate profiles to manage company resources like WiFi VPN etc... Or I'm totally lost here? 
  My understanding is : Mobile devices will get enrolled to Intune and that device will become a managed device. Now, the mobile device needs to get a connectivity to company resources like VPN or WiFi and for the we may need to deploy certificate profiles.
  Isn't it ? So, you were saying for this process we don't need to have NDES. (or I'm wrong here as well).
  If so, we'll be deploying a public certificate to all the devices via certificate profile deployment and the devices need to get connected with issuing authority to get a device specific private key before connecting to WiFi or VPN?
  Regards
  Anoop 
  Anoop C Nair (My Blog www.AnoopCNair.com)
  - Twitter @anoopmannur -
  FaceBook Forum For SCCM

• Sccm 2012 r2 console, devices, column layout and order is reset to default

  Hi :)
  I am running sccm 2012 r2 console on sccm server. I've added some columns into Assets and Management, Devices (beside default name, client, site code, client activity) ie. client version, endpoint protection enabled etc. I've left console open up and running
  and after some when I get back, column layout is reset to default 4 columns :(
  Can you fix please that system center consoles remember column layout and order ? (sc vmm 2012 r2 does not remember only when you add column maximum memory). :(

  This has to be something to do with the consolesettings.dat file. Do you have folder redirection set up on the AppData\Roaming folder? I have managed to recreate your issue using the following method:
  1. Add in some columns to the Devices view.
  2. Go to the \\server\username\AppData\Roaming\Microsoft\ConfigMgr10 and deleted the consolesettings.dat file.
  3. Relaunced the console and the columns have reset to default. 
  4. Set the columns again, closed down the console and the .dat file is recreated.
  5. Re launch the SCCM console and the settings are retained.
  I suggest you check either the C:\Users\%username%\AppData\Roaming\Microsoft\ConfigMgr10\consolesettings.dat. or \\server\username\AppData\Roaming\Microsoft\ConfigMgr10\consolesettings.dat and the time stamp of the file. Do some tests and recreate
  the steps above. 
  Somewhere along the line your dat file is being removed with your bespoke settings.
  Cheers
  Paul | sccmentor.wordpress.com

• SCCM 2012 RTM & Windows Mobile 6.5 device inventory

  Hi all
  I have an issue collecting the right hardware information on these devices. I have setup device enrollment which works fine but I can't get it to inventory either the IMEI of the device or phone number.
  Looking at the hardware inventory classes I cant seem to find anything relating to IMEI or phone number under mobile device classes.
  Am I going to have to go down the custom mof route? Searching around it seems that IMEI and number collection was in SCCM 2007 but can't find it in 2012...
  Any help would be greatly appreciated.

  Hi Panu
  Thanks for your response, it seems that the Device ID field is blank on the harware inventories for my 6.5 devices :( So far I have tried a Psion EP10 and a HTC HD2 both with the same results.
  Unfortunately Activesync is not an option due to additional licensing costs and with the number of devices being rolled out it would take us over our Exchange standard mailbox limit.
  Looks like I have 2 slightly different problems then:
  1) Why is the device ID not being returned?
  2) Do I need to create a custom mof file to collect the phone number?

• Windows 8.1 Mobile Device Management and SCCM 2012 R2 - 'Turn on' option missing

  I am trying to test a virtual desktop with SCCM 2012 R2 integrated with Intune. There is no Configuration Manager client on the workstation, the Intune subscription is configured and enabled for Windows enrolment, AD is synchronizing with Intune, DNS has
  the enrolment record added and resolves, the user can logon to Intune from the client using Internet Explorer and the client has had the registry key added with the DiscoveryService  configured to manage.microsoft.com. The problem is that on
  the 8.1 workstation in Workplace Settings the only option is 'Join' and the 'Turn-on' option is missing. How do I get it to appear?

  Yes I am using an activated version of 8.1 Enterprise, it is in a workgroup and I am logged in as a member of the local Administrator's group but not Administrator. I even joined the domain again and then removed it. Still there is only the 'Join'
  option and no 'Turn on' option. This is driving me nuts.

• Windows 8.1 mobile device management using integrated environment of SCCM 2012 R2 and Windows intune

  Can we avoid the dependency on the Symantec certificate  for enabling windows phone enrollment under Administration->Cloud services -> Windows InTune subscriptions - Windows Phones. My environment will have only windows 8.1 phones.
  Regards
  Leela

  See http://status.manage.microsoft.com/StatusPage/ServiceDashboard. 
  Engineers are investigating a service issue impacting access to portal via mobile devices.
  (Started on 12/30/2014 8:00:00 AM UTC)
  1/8/2015 11:42:49 PM (UTC)
  Current Status: Engineers are continuing to troubleshoot potential issues related to Active Directory Federation Services (ADFS). Engineers have gathered additional traces and logging data for deeper analysis. User Experience: Affected users with Windows Phone,
  iOS, or Android devices are unable to access their company portal and receive repeated prompts to enter credentials. If incorrect credentials are entered, users will receive an error stating that they have entered a bad password. Customer Impact: Engineers
  have received reports that some customers are experiencing this issue. A subset of users are affected by this event. Other users remain unaffected. Incident Start Time: Tuesday, December 30, 2014, at 8:00 AM UTC Next Update by: Tuesday, January 13, 2015, at
  12:00 AM UTC
  Torsten Meringer | http://www.mssccmfaq.de

• SCCM 2012 R2 and Mobile devices

  Hi ,
  is there any way to get IP address for WMD. all devices are connected to our wireless network.
  Thanks,
  Kareem Behery

  That means enrolled via Microsoft Intune? If so, the IP address is not part of the default inventory of mobile devices. For a complete list, per OS, see:
  http://technet.microsoft.com/en-us/library/dn469411.aspx
  My Blog: http://www.petervanderwoude.nl/
  Follow me on twitter: pvanderwoude

• Selective Remote Wipe mobile device by using SCCM2012 R2

  Hi all.  I've got SCCM2012 R2 installed and would like to test out the new Selective Remote Wipe feature (wipe company content only).  I've created the Exchange Connector, running the connection to our Exchange server through a service account,
  and this service account has been granted with the Exchange Organiziation Management and View-Only permission.  In SCCM2012 R2 admin console, I can see the list of mobile device that connected to our Exchange server through ActiveSync.  However,
  when I try to do a Retire / Wipe action on the mobile device, I only able to select the option "Wipe the mobile device and retire it from Configuration Manager" (a FULL wipe of the device, which is not what I wanted).  The option above, "Wipe
  company content and retire the mobile device from Configuration Manager" is dimmed out, not configurable.  Am I missing something here?  Thank you.  

  Selective Wipe is only available when you integrate ConfigMgr with Windows Intune. The Exchange Connector is not enough.
  http://www.gerryhampsoncm.blogspot.ie/2014/02/mdm-in-sccm-2012-r2-device-ownership.html
  Gerry Hampson | Blog:
  www.gerryhampsoncm.blogspot.ie | LinkedIn:
  Gerry Hampson | Twitter:
  @gerryhampson