Configuration Manager
HAADJ and Intune with OKTA
My question is the following: is it possible to use Okta (third party) as an authentication/identity provider with a Hybrid Azure AD joined tenant and enroll devices to Intune? We need to adjust our environment to be able to utilize Intune. To elaborate, please find the details below:

- In this environment, we can run AD Sync and sync devices to Azure as Hybrid Azure AD joined. Same steps required here: Configure Hybrid Join in Azure Active Directory | Okta. Sign-in settings in AD (Entra) Connect are set to "Do not configure", as recommended by Microsoft for third-party federation scenarios (confirm if this is the preferred scenario for AD Connect with Okta).
- Hybrid Entra ID join is currently being achieved with GPOs and not using SCP (targeted deployment).
- Auto-enrollment to MDM is enabled via GPO and correctly distributed to device/user.

Behavior:

- Devices show up in Azure; however, according to the MS Intune prerequisites, the UPN in the cloud and on-premises should match and a mobility license should be assigned in the cloud. The situation currently is that the on-premises domain is contoso.com and users are provisioned via Okta to the cloud with contosocorp.com, so upon login they get redirected to contosocorp.com, thus having a mismatch in credentials. (In a test environment (without Okta), an alternate UPN suffix was added in Domains and Trusts and the UPN was changed to match the cloud; this worked.)
- In order for Intune to enroll devices, the login credential should match and a login event to the Windows device must appear in the Azure sign-in logs (this is confirmed as a prerequisite by Microsoft), which is not the case here.
- Okta is set to Universal Sync, which is not recommended by Okta as it is not compatible with AD Sync, according to the following: https://help.okta.com/en-us/content/topics/provisioning/azure/haad-join/prereqs-haad.htm#Prerequi2
- If we do use both Okta and AD Connect, a user will be provisioned twice in the cloud: once with contoso.com (without Okta) and once using contosocorp.com (using Okta; will include licensing).

Questions are as follows:

1. Any workarounds to use Intune to enroll devices without UPN matching in the current scenario?
2. If we are to UPN-match on-prem and cloud, how can this be achieved without deprovisioning Okta (or removing provisioning type: Universal Sync)?
3. How can we avoid duplications (since both Okta and AD Sync will provision users in 365)?
4. Perhaps there could be a way to enroll the devices only to Intune but not the users?

Guidance will be very much appreciated. Thank you.
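For the UPN alignment step that the first question above reports as working in the test environment (register an alternate UPN suffix in Domains and Trusts, then change users' UPN to match the cloud suffix), here is an added PowerShell example. It is not part of the original post and not Microsoft or Okta tooling. The suffixes contoso.com and contosocorp.com come from the post; the OU search base, the -Apply switch and the dsregcmd check at the end are assumptions. It runs as a dry run unless -Apply is given.

```powershell
<#
Added example (not from the original post). Run on a domain-joined admin host
with the ActiveDirectory RSAT module. Dry-run by default; -Apply makes changes.
Assumptions: the OU path, the switch names and the dsregcmd check in step 4.
#>
param(
    [string]$OldSuffix  = 'contoso.com',        # on-prem UPN suffix (from the post)
    [string]$NewSuffix  = 'contosocorp.com',    # cloud UPN suffix (from the post)
    [string]$SearchBase = 'OU=Users,DC=contoso,DC=com',   # assumption: adjust to your forest
    [switch]$Apply
)

Import-Module ActiveDirectory

# 1. The alternate suffix is a forest-level attribute (Domains and Trusts > Properties).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Write-Host "Suffix $NewSuffix is not registered on forest $($forest.Name)"
    if ($Apply) {
        Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $NewSuffix }
    }
}

# 2. Build the rename plan: keep the local part of the UPN, swap only the suffix.
$users = Get-ADUser -SearchBase $SearchBase `
    -Filter "UserPrincipalName -like '*@$OldSuffix'" `
    -Properties UserPrincipalName, mail

$plan = foreach ($u in $users) {
    $local = $u.UserPrincipalName.Split('@')[0]
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        OldUpn         = $u.UserPrincipalName
        NewUpn         = "${local}@${NewSuffix}"
        Mail           = $u.mail   # shows which accounts already carry the cloud suffix as mail
    }
}
$plan | Format-Table -AutoSize

# 3. Apply only when asked. Set-ADUser writes userPrincipalName; Entra Connect then
#    syncs it so the on-prem UPN and the cloud UPN line up.
if ($Apply) {
    foreach ($p in $plan) {
        Set-ADUser -Identity $p.SamAccountName -UserPrincipalName $p.NewUpn
    }
}

# 4. On a workstation, after the next sync cycle and a fresh sign-in, confirm the device
#    is hybrid joined and that the account Windows presents to Entra ID uses the new
#    suffix; the post's enrollment prerequisite is that this UPN matches the cloud UPN
#    and produces a sign-in event. (Run on the client, not on the admin host.)
# dsregcmd /status | Select-String 'AzureAdJoined|DomainJoined|AzureAdPrt|Executing Account Name'
```

Review the printed plan before using -Apply: a UPN change affects anything that keys on the UPN, so run it on a pilot OU first. The script does not touch Okta provisioning; whether Okta's Universal Sync tolerates the new suffix is exactly the open question in the post.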
Endpoint Security shows clients as unhealthy and device name not shown after Update 2303

Hi all, Endpoint Security shows almost all clients as unhealthy and the device name is not shown after updating Configuration Manager to version 2303. Any ideas? In SCCM and Security Center everything is working fine and displayed as normal. Thanks for your support and a happy weekend to all. Peter
Unable to deploy PowerShell scripts to a newly co-managed device with Intune

Hi there, I am having issues deploying a PowerShell script through Intune to a device that has recently become co-managed with Configuration Manager. The CCM client was successfully installed and uses a CMG when off-network. The user logs into the device with a local admin account, not a domain account. This MS guide states that the Client Apps workload in ConfigMgr doesn't need to be switched to Intune for PowerShell scripts when running on Windows 10 clients newer than 1903. But just in case, I have moved the Client Apps workload to Pilot Intune with a device collection containing my device. Intune acknowledges this and displays the correct Intune-managed workloads on the device overview screen. Even with this switched, I noticed the issue also impacts Win32 and LoB applications. I cannot get any new applications to push down to the device anymore (since becoming co-managed), despite the workload supposedly being managed by Intune. The other workloads, such as Device Configuration, can be correctly controlled with Intune, as tested with several configuration policies. Running the same script manually on the device worked as expected. Pushing the script to a separate device that isn't co-managed, only AADJ, also worked as expected. I've also tried targeting the script to a user security group instead of a device-based group, to no avail. I would appreciate any help on this. Best, Ethan
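For the co-management state described in the question above, here is an added client-side PowerShell check; it is not part of the original post and not Microsoft tooling. It reads the CoManagementFlags value under HKLM:\SOFTWARE\Microsoft\CCM to show which workloads the client believes are handed to Intune, then checks the Intune Management Extension (IME) service and its log folder, since scripts and Win32/LoB apps are delivered by IME rather than by the MDM channel. The bit-to-workload mapping is my recollection of Microsoft's co-management documentation and is an assumption to verify against your ConfigMgr version.

```powershell
# Added example, not from the original post or from Microsoft. Run elevated on the
# co-managed client. Bit values below are an assumption; verify them against the
# co-management documentation for your ConfigMgr version.
$workloadBits = @{
    2   = 'Compliance policies'
    4   = 'Resource access policies'
    8   = 'Device configuration'
    16  = 'Windows Update policies'
    32  = 'Endpoint Protection'
    64  = 'Client apps'
    128 = 'Office Click-to-Run apps'
}

$ccm   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -ErrorAction SilentlyContinue
$flags = $ccm.CoManagementFlags
if ($null -eq $flags) {
    Write-Warning 'CoManagementFlags not present: the client is not reporting co-management yet.'
    return
}

# Bit 1 means co-management itself is on; each higher bit moves one workload to Intune.
'Co-management enabled : {0}' -f [bool]($flags -band 1)
foreach ($bit in ($workloadBits.Keys | Sort-Object)) {
    $authority = if ($flags -band $bit) { 'Intune' } else { 'ConfigMgr' }
    '{0,-26} -> {1}' -f $workloadBits[$bit], $authority
}

# IME delivers PowerShell scripts and Win32/LoB apps; if it is missing or stopped,
# moving the Client Apps workload in the console changes nothing on the device.
$ime = Get-Service -Name 'IntuneManagementExtension' -ErrorAction SilentlyContinue
'IME service           : {0}' -f $(if ($ime) { $ime.Status } else { 'not installed' })

$logDir = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'
Get-ChildItem -Path $logDir -Filter '*.log' -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime, Length

# Most recent errors IME logged; a stalled script or app assignment shows up here first.
Select-String -Path (Join-Path $logDir 'IntuneManagementExtension.log') `
    -Pattern 'error|fail' -ErrorAction SilentlyContinue |
    Select-Object -Last 10 | ForEach-Object { $_.Line }
```

Compare the printed workload table with what the Intune device overview claims; if the client still reports Client apps as ConfigMgr, the policy has not reached the device yet and no amount of re-targeting the script will help. Also note that IME runs user-targeted scripts in the signed-in user's context, so a local account that Entra ID does not know is worth ruling out separately from the workload question.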
Quarterly Tech Community Live events for Endpoint Manager

Tech Community Live will now be a quarterly event for Microsoft Endpoint Manager! In case you missed it, this week's event -- April 27th -- will offer four Ask Microsoft Anything (AMA) sessions. Here are the topics. Select the desired topic to add it to your calendar and RSVP for reminders.

- Linux management – 8:00 a.m. Pacific Time
- Endpoint security in Microsoft Endpoint Manager – 9:00 a.m. Pacific Time
- Endpoint analytics and the user experience – 10:00 a.m. Pacific Time
- Windows manageability – 11:00 a.m. Pacific Time

First, we realize these times may or may not work for your time zone. Please post your questions early. We are checking daily and providing updates to our teams of experts so they can prepare to answer your questions during the event. Second, what endpoint management topics would you like to see at the next Tech Community Live? These events are for you, our esteemed community, so help us make sure they address the areas that matter most to you! #CommunityRocks