Tuesday 22 November 2016

Microsoft Intune - enterprise enrollment CNAME best practice

I was asked this question recently and I didn't know the answer, so I did some research.

What is the correct DNS CNAME record to configure for Enterprise Enrollment of mobile devices with Intune?

First, I should explain that this CNAME is only required if you are enrolling Windows devices. It is not required for iOS and Android.

There are three options:
  1. Redirect enterpriseenrollment.yourdomain.com to manage.microsoft.com
  2. Redirect enterpriseenrollment-s.yourdomain.com to manage.microsoft.com
  3. Don't configure a CNAME at all

So this is the scoop on the three options:
  1. This is a throwback to the early stages of this technology. It still works but is now deemed to be less secure and not recommended by Microsoft. You will still find this referenced on many online blog posts simply because they have not been updated.
  2. This is now the recommended configuration. It uses a secure channel (hence the -s).
  3. This will also work but means that the user has to enter "manage.microsoft.com" as the server name during the enrollment process. This would be #2 in terms of preference.

Edit Feb 1st 2017:

manage.microsoft.com is being deprecated on Feb 11th 2017 and will no longer work for enrolling Windows devices.

You should create a CNAME in DNS that redirects EnterpriseEnrollment.yourdomain.com to EnterpriseEnrollment-s.manage.microsoft.com.

You can see this information in the official docs.
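As an added example (not from the original post, and not Microsoft's own tooling), here is how an admin could create the recommended record on a Windows DNS Server zone and then check from a client which of the three targets above a resolver actually hands back. It assumes the DnsServer module is available for the Add-/Get- cmdlets, that "contoso.com" stands in for yourdomain.com, and that Test-EnrollmentCname is a hypothetical helper name; the deprecated and recommended targets are the ones the post names.

```powershell
# Added example, not part of the original post.
# Assumptions: "contoso.com" is a placeholder for yourdomain.com; the DnsServer
# module (DNS Server role or RSAT) is present for the Add-/Get- cmdlets; the
# Resolve-DnsName check can run from any Windows client with DNS access.

$Domain     = 'contoso.com'                                  # placeholder for yourdomain.com
$Expected   = 'EnterpriseEnrollment-s.manage.microsoft.com'  # recommended target (Feb 2017 update)
$Deprecated = 'manage.microsoft.com'                         # old target, deprecated 11 Feb 2017

# 1. Create the record once, on the DNS server (or via RSAT), if it is not already there.
$existing = Get-DnsServerResourceRecord -ZoneName $Domain -Name 'EnterpriseEnrollment' `
                -RRType CName -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordCName -ZoneName $Domain -Name 'EnterpriseEnrollment' `
        -HostNameAlias $Expected
}

# 2. Verify from a client: classify whatever the resolver returns for the enrollment name.
function Test-EnrollmentCname {
    param(
        [string]$Domain,
        [string]$Expected,
        [string]$Deprecated
    )

    # Ask only for the CNAME; Resolve-DnsName may also append the chained A/AAAA answers,
    # so keep just the CNAME record itself.
    $record = Resolve-DnsName -Name "enterpriseenrollment.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'CNAME' } |
              Select-Object -First 1

    if (-not $record) {
        return [pscustomobject]@{
            Status = 'Missing'
            Target = $null
            Note   = 'No CNAME published; users would have to type the server name by hand (option 3).'
        }
    }

    # Normalise the trailing dot some resolvers include before comparing (case-insensitive).
    $target = $record.NameHost.TrimEnd('.')

    if ($target -ieq $Expected) {
        return [pscustomobject]@{ Status = 'OK'; Target = $target; Note = 'Matches the recommended -s target.' }
    }
    if ($target -ieq $Deprecated) {
        return [pscustomobject]@{
            Status = 'Deprecated'
            Target = $target
            Note   = 'Points at manage.microsoft.com, which stopped serving Windows enrollment on 11 Feb 2017.'
        }
    }
    return [pscustomobject]@{
        Status = 'Unexpected'
        Target = $target
        Note   = 'CNAME points elsewhere; check for a typo or a stale record at the DNS provider.'
    }
}

Test-EnrollmentCname -Domain $Domain -Expected $Expected -Deprecated $Deprecated | Format-List
```

If the zone is hosted with an external DNS provider rather than Windows DNS Server, skip step 1 and create the equivalent CNAME in that provider's console; step 2 is still a useful check, since a "Deprecated" or "Unexpected" result is the usual reason Windows enrollment fails after the record has supposedly been set.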

I hope this clears up any confusion. Until next time.......
