Managing Apple iOS Devices From Windows Intune

This was the most exciting thing I saw at MMS 2012.  I knew what System Center was capable of, but I wasn’t expecting to see iPhones and iPads (as well as Android, etc) being managed by Microsoft from the cloud, using the same solution for managing PCs.

This week I’ve been setting up a demo environment in Windows Intune “Wave D” (thanks to my colleagues at work for the help in setting up the “partner”).  It’s one thing to manage PCs, but you really score points with customers when you can show a Microsoft product managing the rivals.  I use Ubuntu as my guest OS when showing of Hyper-V.  I want to show of an iPad Mini being managed by Windows Intune Smile

The process is “documented” on TechNet, with links from the Windows Intune console.  I use “documented” very loosely.  The information incomplete in my opinion.  So here are my notes:

A step I missed in this documentation is choosing your mobile device management solution.  I chose the Windows Intune option, instead of using System Center with Windows Intune, which was under Tasks in Administration > Mobile Device Management.

The Push Notification Certificate

The first requirement for managing iOS devices is that you have an Apple ID for your company.  There is no cost to this.  This contrasts with the €75/year cost of signing up for a Windows Phone developer account for managing Windows Phone 8.

Now open the Windows Intune admin console and browse to Administration > Mobile Device Management > iOS > Upload an APNs Certificate.  Confusion point: there is more to this than a simple upload.  Here’s how.  Click Download The APNs Certificate Request.  This downloads a .CSR file certificate request.

Now you browse to the Apple Push Certificates Portal.  Here is where you upload the .CSR file that you just downloaded from Windows Intune.  If like me, you’re using IE, you will likely be prompted about a .JSON file.  Ignore that.  Refresh the page (I muddled about here trying to figure out the JSON thing) and you should end up with something like the below:


Click Download to get a file called MDM_ Microsoft Corporation_Certificate.PEM; this is the certificate that you will be uploading to Windows Intune.  It will uniquely identify your organisation to managed iOS devices (or something like that). 

Return  to Windows Intune where you downloaded the .CER file, and click Upload The APNs Certificate. Browse in the dialog and select the .PEM file you just got from Apple.  You also need to supply the Apple ID name that was used in the Apple Push Certificates Portal to create the PEM file.


That all sounds messy.  I agree.  But you only have to do it once in your portal … every year.  Check the previous Apple screenshot and look at the expiry date for the APN certificate.  It only lasts for 1 year.  Set a recurring reminder in your (and your colleagues) calendar to repeat this process in advance of the expiration (you don’t want to be digging up email addresses and passwords).  And document what accounts/passwords are being used.  Please use a strong passphrase for your Apple ID.

Create User Accounts

You create user accounts in the Windows Intune Accounts site.  You can set up AD synchronisation instead of manually creating your users.  A warning: management of the devices will not work unless you add the users to the Windows Intune user group in the Accounts site.  Open the user, click Group, and check the Windows Intune box:


Enroll the Device

This is a crude mechanism.  You need to supply the IOS device user (probably via email) with the following information:

At this point there’s a whole bunch of crap that happens from the Apple side.  You have to OK lots of things to enable the device to volunteer to be managed: Install, Install, Install Now, Install, and then Done.  A Company Portal “app” (it’s actually a web shortcut that opens the mobile site in Safari) is installed on the iOS device.  Now the user can open the Company Portal, log in using their Intune account, and install company supplied apps.  Here’s a screenshot of a user browsing a serious business app on an iPad Mini in the Windows Intune catalog.


You can add apps from the Apple App Store (just links which open the App Store and allow the user to install apps as always) or you can develop in-house apps and side-load them directly from Windows Intune, bypassing the app store completely.  Good news: you use the exact same tool for managing apps on all types of devices, including PCs.  And it’s pretty simple to use too.

The Management Profile

Part of the configuration on the device is setting up the Management Profile.  You can find this under Settings > General > Profile – Management Profile.


You can expand More Details to see more information (might be useful for troubleshooting certificates).  You can remove management of the device by Intune (“returning” the device to the user) by clicking Remove.  It takes a few seconds to remove the profile.  Management Profile should disappear from Profile after this and Windows Intune is now nothing to do with the machine again.

Device Not Appearing In the Console

The “documentation” says:

To enable iOS devices to receive notifications using a wireless connection, make sure that port 5223 is open.

There is no mention if this is an inbound or outbound port requirement, or if it is TCP (probably) and/or UDP.  You could also read it as a firewall requirement on the actual iOS device itself (which it isn’t).  I had the devices on the lab at work and, while I could pull down apps from and browse the Company Portal, the devices refused to appear in the console.

Want to check if it’s working OK?  Log into the Company Portal on the device in question, and browse to Support.  If the name of the device appears there then comms seem to be OK and the device is registered … at least in my experience – I have no idea if that’s a valid indicator but it works for me … so far.


On the Wi-Fi in the company lab, the devices refused to register.  I put them onto 3G and they registered pretty quickly, and you can see lots of information for each device.

Reinstalling The Management Profile

I decided to remote the management profile and try to re-add the iOS device to Windows Intune.  I could not get the device to re-register to Windows Intune using the above process.  I believe the correct procedure is to log into the Company Portal, hit Support, click Change, and click Add Another Device.  This has worked for me a couple of times.


You can create Mobile Device Security Policy objects in the admin console.  There are some generic and some iOS specific settings:





The certificate stuff is a bit fiddly but you’ll only have to do that once per company, per year.  I can’t be sure, but I guess that is an Apple restriction on the validity of the APN certificate.  After that, it’s a pretty simple process.

Enrolment of these consumer style devices will always (with any product) be user driven.  You can’t push management onto a consumer (or BYOD) device.  If necessary, you could do the sneaker-net thing.  I can envision helpdesks doing a lot of that for BYOD management.

Some of the Apple folks in the office were very impressed with this solution.  Centralised management of mobile (particularly iOS) is a hot topic right now.  Windows Intune does a nice job.  Does it have all the bells and whistles of a Zenprise?  No, but Intune has a nice price at around €4.89/user/month (with 5 devices/user).  Throw in Software Assurance (€8.98/user/month) and those Windows PCs can be upgraded to the rights of SA, including Windows 8 Enterprise.

Thumbs up!

Technorati Tags: ,,

3 thoughts on “Managing Apple iOS Devices From Windows Intune”

  1. Hi Aidan,

    Attended an InTune launch event in London a couple of days ago, myself and a colleague struggled (and that’s after talking to MS staff at the event) to see how this management of iOS is any different to ActiveSync policy control from an Exchange server.

    Given that 95%+ of iOS devices in Enterprise will connect to Exchange anyway, are you aware of any specific advantages of using InTune to manage iOS vs just using pre existing Exchange infrastructure? (And that includes O365 Exchange which offers the same AS policies).

    That’s not a slight to InTune I should add, just keen to really understand the differences/drivers from a customer perspective.



    1. Windows Intune does auditing, reporting, and app delivery. App delivery is possible from the official app stores and directly (sideloading). You can’t do that with Exchange.

  2. can intune deploy and manage iOS updates for apple devices?
    I see everywhere it can manage and deploy apps and app updates but i couldn’t find any article describing about pushing iOS Updates.
    looking forward for you response.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.