Thursday, July 30, 2015

Part 3: Intune User Collection in SCCM and Intune security group

Part 3: Intune User Collection in SCCM and Intune security group
To authorize users to enroll their mobile devices using SCCM and Microsoft Intune, we need to create users collection in SCCM and add this collection to Intune subscription.
To create user based collection for mobile device management in SCCM;
1. Open SCCM console
2. Right click on User collections then click on Create User Collection under Assets and Compliance / Overview / User Collections
3. Give friendly name (mine is - Microsoft Intune Users), limit the collection to All Users and Users 
    Groups

4. On Define membership rules for this collection window, Click on Add Rule then choose Query  
    Rule. This will open Query rule properties
4.1 Enter a query rule name (mine is- Intune Users AD) then click on Edit Query Statement

4.2 Edit Query Statement will open Query statement Properties
4.3 On the Query Properties, click on Show Query Language

4.4 Copy following WQL query statement on the Query Language window, then click OK to close
      the window
*************************************************************************************
select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,
SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain
from SMS_R_User where SMS_R_User.UserGroupName = "W2K8\\Microsoft_Intune_users"

*************************************************************************************
Note: Change the domain name and AD user group as required for your environment
4.5 Click OK on Query Rule Properties window
4.6 Then click Apply on the Collection properties window
5. Open Active Directory Users and Computers for your domain
5.1 Create an AD Group (mine is - Microsoft_Intune_users) by selecting a OU then New then Group
5.2 Go to Members tab on the newly created group then add the user names whom you want to give
      permissions to enroll their devices then click on Apply
5. Add the AD Group to SCCM Users collections using Add rule WQL query as mentioned above
6 Wait for some time until SCCM populates the users to the user collection from AD Security group
7. Once the replication is completed, Microsoft Intune Users collection should show the members
Remaining other parts of this article is here

1 comment:

  1. Great article.
    If you have AAD Connect in place to sync the users with Intune, do you need to sync the AD Group for the Intune users to the cloud as well?
    Thanks!

    ReplyDelete