Monday, 3 February 2014

MDM in SCCM 2012 R2 - Troubleshooting


As you will be aware, ConfigMgr 2012 R2 provides very extensive logging to aid in troubleshooting. Log files are provided for every step of the MDM process. You just need to know where to look.

What is the problem? 

You cannot enrol any device - you clearly have a global problem. Have you created the subscription and connector correctly?

You cannot enrol iOS devices - verify your APN.

You cannot enrol Windows 8 Phones - verify your code signing certificate and signed company app.

You cannot enrol any device with a specific user - verify the user's UPN and that it has synchronized with Intune. Verify that the user has been discovered by ConfigMgr and that you have added them to the "Intune Users" collection.

The process is as follows:

1. Intune Subscription and Connector

Review the sitecomp.log file. Verify that the "CloudUserSync" site component has been created without error.

2. Configure UPN and sync AD users with Intune

Browse to the DirSync folder and launch miisclient.exe as Administrator.

(C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe)

Right click the Active Directory Connector and choose Run.

Choose "Full Import Full Sync".  

Verify success of the sync. Click on "Updates".

Verify the change you require.

Note that DirSync synchronises with Azure every 3 hours by default. You can run it manually using the procedure above as often as you require (e.g. you have added a new user, changed a password or added a UPN).

3. Discover AD Users

Review the adusrdis.log file. Verify that Data Discovery Records (DDRs) are created for your users.

4. Add user to Intune User collection

Adding a user to the Intune Users collection allows that user to enrol mobile devices. When you add a user to the collection, check in the console to verify that it was actually added. You may have to right click on the collection to "Update Membership".

If you do not want to wait for the scheduled synchronization with Intune, you can force the sync by restarting the "CloudUserSync" site component.

Right click on any site component and choose to start the Configuration Manager Service Manager. 

Right click on the SMS_CLOUD_USERSYNC component and select Query.

You will see that the component is running. Right click again and choose to stop it.

Reverse the process to start it again.

(Note that restarting the server has the same effect but that's a little extreme.)

Verify that your change was successful using the cloudusersync.log file.

5. Enrol devices

Check the Dmpuploader.log to verify that the connector site system role is able to upload policy etc. to the Windows Intune Service.

Check the Dmpdownloader.log to verify that the connector is able to download messages from Windows Intune. Note: this log might only show a ping at the beginning; there might be no messages created for download initially.

6. Exchange Connector

Verify success or failure using the EasDisc.log file.
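
The log checks above can be run in one pass, stage by stage, so the first failing stage stands out. This is an added example, not part of the original post; the log folder (`$LogDir`), the assumed line layout, the keyword list and the function name `Get-MdmLogFinding` are assumptions, and the sample log lines are constructed.

```powershell
# Added example, not from the original post. Sample log lines are constructed.
$LogDir = ''   # assumption: set to your site server's ConfigMgr Logs folder

# Stage -> log file, in the order of this post (step 2, DirSync, has no log named here).
$Stages = [ordered]@{
    '1 Subscription and connector' = 'sitecomp.log'
    '3 Discover AD users'          = 'adusrdis.log'
    '4 Intune user sync'           = 'cloudusersync.log'
    '5 Upload to Intune'           = 'Dmpuploader.log'
    '5 Download from Intune'       = 'Dmpdownloader.log'
    '6 Exchange connector'         = 'EasDisc.log'
}
# Assumed line layout: message  $$<COMPONENT><date time><thread=...>
$Trailer = '^(?<msg>.*?)\s*\$\$<(?<comp>[^>]*)><(?<when>[^>]*)><thread='
$Suspect = 'error|fail|denied|cannot'   # heuristic keywords, tune for your site

function Get-MdmLogFinding {
    param([string]$Stage, [string]$Path, [int]$Max = 3)
    if (-not (Test-Path -LiteralPath $Path)) {
        # A missing log is itself a finding: nothing has written to it here.
        return [pscustomobject]@{ Stage = $Stage; When = ''; Component = ''; Message = "log not found: $Path" }
    }
    Get-Content -LiteralPath $Path | ForEach-Object {
        if ($_ -notmatch $Trailer) { return }          # skip lines in another layout
        $msg, $comp, $when = $Matches.msg, $Matches.comp, $Matches.when
        if ($msg -match $Suspect) {
            [pscustomobject]@{ Stage = $Stage; When = $when; Component = $comp; Message = $msg }
        }
    } | Select-Object -First $Max
}

if (-not $LogDir) {
    # No folder set: write two constructed sample logs so the script runs anywhere.
    $LogDir = Join-Path ([IO.Path]::GetTempPath()) 'mdm-sample-logs'
    New-Item -ItemType Directory -Force -Path $LogDir | Out-Null
    Set-Content (Join-Path $LogDir 'sitecomp.log') 'sample: component started  $$<SMS_SITE_COMPONENT_MANAGER><02-03-2014 09:00:01.120+00><thread=2468 (0x9A4)>'
    Set-Content (Join-Path $LogDir 'cloudusersync.log') 'sample: ERROR syncing user  $$<SMS_CLOUD_USERSYNC><02-03-2014 09:05:10.500+00><thread=3120 (0xC30)>'
}

foreach ($s in $Stages.GetEnumerator()) {
    Get-MdmLogFinding -Stage $s.Key -Path (Join-Path $LogDir $s.Value)
}
```

With the constructed samples, stage 1 reports nothing, stage 4 reports the sample error line, and the stages whose logs are absent report "log not found".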
