• Intune lab for noobs – part 2 // The basics

    This is part two of the series on building your own Microsoft Intune lab. We will take some shortcuts and do some dirty tricks, just to get going. So please don’t use this as an implementation guide in a real environment. We will also skip a lot of fancy steps, such as getting a real domain name and having an on-premises AD. But if you already have those in your lab, that’s great!

    Setting up the basics

    The first step is to enter the magic world of Microsoft Intune, which you access from endpoint.microsoft.com. This is your go-to place for managing devices, and you can also access Azure Active Directory (Azure AD) from here.

    The default landing page

    To get you going, you will need a test user and some groups, so those are the first things we will create.

    In this part we will:

    • Enable MFA
    • Create users
    • Create groups
    • Enable Apple enrollment
    • Enable Google Android enrollment
    • Customize Company Portal

    Enabling MFA

    Security is important, even in a lab. I guess you are used to MFA by now, so let’s enable it for our lab tenant in the simplest way we can. It’s enabled by default for your Global Admin account, but we need it for all accounts.

    Depending on how you got your license, this might or might not be available, since it requires premium licenses for Azure AD.

    Since there are a lot of better guides on this than I can ever write, this is how you do it in the simplest way: Enable per-user Multi-Factor Authentication – Azure Active Directory | Microsoft Docs

    Creating a user

    (If you already have users with assigned licenses, you can skip this part)

    The simplest way to create a user is to click on Users in the left side menu and then click “+ New user” in the top ribbon.

    For this lab, we will fill out the bare minimum, which is a user name, name and location (licenses need a location). Select to auto-generate the password and make sure to save it somewhere (OneNote is usually where I keep my lab information).

    The next step is to assign a license to our new user. The easiest way to do this is to simply click on your newly created user and select “Licenses”.

    Click on “+ Assignments” and then select the appropriate license you want to assign. Don’t forget to press save!

    We now have a user who is allowed to enroll devices into Microsoft Intune!

    Create groups

    For this setup, we will create two groups. One user group and one Windows device group. You can of course create more groups, but to simplify we will start with these two!

    To create a group, select Groups in the left side menu and then click “+ New group” in the ribbon.

    For our user group, we will keep it simple: set a name and use “Dynamic User” as Membership type. Please note that this requires an Azure AD P1/P2 license; if your trial does not come with that, use “Assigned” as membership type instead for the two groups we will create. This means that you will have to add the devices and users manually.

    The next step is to create our rule by clicking “Add dynamic query” at the bottom. We will use a very simple rule which adds all enabled accounts to the group.

    This isn’t a good rule to use in real life, since it will also add all our admin users to this group. But for the sake of keeping things simple, this is good enough I would say.

    Hit “Save” and then “Create“.

    Next up is our Windows Autopilot group.

    Same steps as previously, but this time select “Dynamic Device” as Membership type.

    The next step is to create our rule by clicking “Add dynamic query” at the bottom. This time we will create a rule which fetches all our Windows Autopilot devices.

    Instead of manually entering the rule, click Edit on the far right and add this string:

    (device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))

    You will see that the property, operator and value are populated once you have added it.

    Hit “Save” and then “Create“.

    We have now created all the users and groups we need to get going, but you can of course build on this and create even more groups and users to your liking.
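    The same two groups can also be created from PowerShell. The following is an added example and not part of the original post: it uses the Microsoft Graph PowerShell SDK (New-MgGroup) instead of the portal. The group display names are made up for this example, the user rule (user.accountEnabled -eq true) is my assumed spelling of the “all enabled accounts” rule that the post describes in words, and the device rule is the exact string given above. Dynamic membership still needs the Azure AD P1/P2 license mentioned earlier.

```powershell
# Added example, not from the original post.
# Assumes: Install-Module Microsoft.Graph has been run, and the signed-in
# account is allowed to create groups (Group.ReadWrite.All).

function New-LabDynamicGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MembershipRule
    )
    # A mail nickname is required even for a security group; derive it from the name
    $nickname = $DisplayName -replace '[^A-Za-z0-9]', ''

    New-MgGroup -DisplayName $DisplayName `
        -MailNickname $nickname `
        -MailEnabled:$false `
        -SecurityEnabled `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $MembershipRule `
        -MembershipRuleProcessingState 'On'
}

Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# User group: "all enabled accounts", as in the post. The rule text is my
# assumed spelling of that rule; the post does not print it.
New-LabDynamicGroup -DisplayName 'Lab - All Enabled Users' `
    -MembershipRule '(user.accountEnabled -eq true)'

# Device group: the Windows Autopilot rule exactly as given in the post
New-LabDynamicGroup -DisplayName 'Lab - Autopilot Devices' `
    -MembershipRule '(device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))'
```

    Azure AD validates the rule syntax when the group is created, so a typo in the rule surfaces as an error from New-MgGroup rather than as a silently empty group. Membership itself is evaluated afterwards, so expect the same wait for members to show up as when creating the group in the portal.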

    Enable enrollment

    By default, Windows enrollment is always enabled. For iOS, iPadOS, macOS and Android we will need to add some connectors to enable management.

    Apple devices

    To set up Apple enrollment, we need an Apple ID to request a certificate from Apple. For your lab (if you are the only one using it) you can use the Apple account you already have.

    Select Devices in the left side menu, then Enroll devices, then Apple enrollment. You will notice that all options except one are grayed out, since we are missing the Apple MDM Push certificate which enables all the services.

    Select the “Apple MDM Push certificate” option and you will be asked to grant Microsoft permission to send information to Apple by checking the box. Next, download the CSR and save it somewhere on your computer.

    The next step is to click “Create your MDM push certificate”, and you will be asked to sign in with your Apple ID to the Apple certificate portal.

    As you can see, I have quite a few certificates from different previous labs (and my current one). Your list will most likely be empty.

    Select “Create a Certificate”, accept the terms of use and on the next page upload the CSR file you downloaded previously. I’m also adding a comment for myself that this is for the Intune for Noobs environment. Then click “Upload“.

    Once the CSR is uploaded, an Apple MDM Push certificate will be issued with an expiration date 1 year into the future. Intune will warn you once you are getting close to the renewal date.

    Download the certificate to your computer and save it, then head back to the Microsoft Intune portal, enter the email address of your Apple ID in step 4 and upload the certificate you just downloaded. Then click “Upload” and you have successfully enabled management of Apple devices. You can close the flyout with the X in the upper right corner to end up back on the “Enroll devices” page.

    Google Android

    To enable the modern management method for Android, called Android Enterprise, you will need to link a Google account to Managed Google Play.

    Select “Android Management” in the list and you will notice the same thing here: all options under Android Enterprise are grayed out except connecting Managed Google Play.

    Click the “Managed Google Play” option and a flyout will appear. Grant Microsoft permission to send information to Google, then click “Launch Google to connect now“. A pop-up will appear asking you to sign in to Google. If you don’t have a Google account you want to use, or want to create one for the purpose of this lab, you can select to create an account to manage your organization with. Otherwise use an existing Google account.

    Once you have signed in, click “Get started” on the landing page displayed.

    The next step is to add your business name (this could be whatever). I’ve named mine the same as in the Microsoft world.

    On the next step, you are asked to fill out some contact information; you can skip this and just check the box at the end. Then finish the wizard.

    Once done and you have selected to finish the setup, you will be redirected back to Intune, and you will see that the service is active.

    Customize Company Portal

    The last thing we will do is to add some customization to the Company Portal and also to the sign-in experience (which we will use in Windows Autopilot).

    First off, select “All services” in the left side menu and then select “M365 Azure Active Directory“. A new tab will open; select “Azure Active Directory” in the left side menu, then navigate to “Company Branding” in the list. Select “Configure” to get started. You can add a lot of custom backgrounds and logos, but for now we will only enable “Show option to remain signed in” at the bottom and click Save to keep it super simple. You can come back here later and add your custom things.

    Click save and then close the Azure AD portal and head back to Microsoft Intune.

    In Microsoft Intune, select “Tenant administration” in the left side menu, then navigate to “Customization“. This is where you can add customizations to the Company Portal app, which is the end-user side of Microsoft Intune and the portal where users get applications and information.

    To edit the settings for the portal, click Edit at the top of the page (next to Settings).

    To keep things simple, we will only add the required information to this, but you can come back later and add more.

    I’ll add my company name, and leave the rest of the branding part to default.

    Further down, under Configuration, I will add a URL to my “Privacy statement”. In this case it’s just the URL to my blog. You need to add something, and it’s a good idea to choose something that exists so you can try the link when playing around in the Company Portal.

    Once you have added those two, click “Review + save” and then “Save“.

    Ending notes…

    We have now prepared our Microsoft Intune environment to start doing some real stuff. In the next part we will set up some really simple management of Windows, including enrollment through Windows Autopilot.

  • Intune lab for noobs – part 3 // Windows

    This is the third part of the series on building your own Microsoft Intune lab. We will take some shortcuts and do some dirty tricks, just to get going. So please don’t use this as an implementation guide in a real environment. We will also skip a lot of fancy steps, such as getting a real domain name and having an on-premises AD. But if you already have those in your lab, that’s great!

    Windows management

    As I stated in the previous part, Windows management is enabled by default. However, there is one thing you will need to enable, which is Automatic Enrollment. This requires an Azure AD Premium license, which is included in the EMS and M365 Dev setup.

    To enable this, select Devices in the left side menu. Then navigate to Windows, then Windows Enrollment. Select the “Automatic Enrollment” option.

    Make sure to set the “MDM user scope” to All, then click Save. You can leave everything else set to default.

    That’s about it! We are now ready to start setting things up for your lab!

    Guided scenarios

    As I said, we will take some shortcuts in this tutorial to get you going, therefore we will use the Guided Scenarios found on the landing page of Microsoft Intune (just click Home in the left side menu).

    Click Start under “Deploy Windows 10 and later in cloud configuration” and the wizard for setting up a basic Windows Autopilot configuration will kick off.

    On the first screen, read through the information and then click Next.

    On the Basics tab, leave “Apply device name template” set to default, but add a Resource Name Prefix such as Win10 to help you visually identify that this is for Windows. Then click Next.

    On the Apps tab, leave everything at default; this will install Microsoft Teams and Microsoft Edge, but not the full M365 Apps suite (this can be added later on if needed). Click Next.

    Since we already created a device group, select “Choose an existing group” and add the device group you created earlier. Click Next.

    On the last page you will be able to review your settings under “Configurations to be made“. When you are happy with your options, select “Deploy” and wait for the process to finish.

    You have now taken a real shortcut to get going with basic settings for your Windows devices.

    You can of course build further on this, but as part of this tutorial we will leave it at this.

    Preparing a Windows device

    So the next step is to prepare your Windows device for Windows Autopilot. The easiest way to do this is to export the Hardware ID using PowerShell. Don’t be alarmed, you don’t need to be a code monkey or script kiddie to run this; it’s only a few lines that you need.

    Depending on what state your device is in, you can run this from an elevated PowerShell prompt in a Windows session which is up and running, or during the out-of-box experience (OOBE). In my example below, I will run this from a virtual machine in Hyper-V during the OOBE setup. To create a Windows 10 VM in Hyper-V, you can follow this guide from Microsoft.

    If you are using Hyper-V, make sure to enable the TPM feature in the settings of the virtual machine. We will need this for BitLocker.

    Once you reach the start of the OOBE, stop at selecting language.

    Press SHIFT and F10 (you might need FN as well depending on your keyboard) to launch a command prompt. Then type powershell and hit Enter to start PowerShell.

    Next, we will run three lines of PowerShell commands. You can find more information about it on Microsoft Docs.

    # Install the Get-WindowsAutopilotInfo script from the PowerShell Gallery
    Install-Script -Name Get-WindowsAutopilotInfo -Force
    # Allow the downloaded script to run in this PowerShell session only
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
    # Gather the hardware hash and upload it straight to Intune
    Get-WindowsAutoPilotInfo -Online

    Run the lines in the PowerShell window. You can copy-paste by going to Clipboard > Type Clipboard text in the Hyper-V session.

    You will be asked to press Y for yes a few times during the process to install the script.

    When you have run the “Get-WindowsAutoPilotInfo -Online” line, it will install a few modules and then you will be asked to sign in using your Microsoft account. Use the account you signed into Intune with (it has the required access as Global Admin, but a user with the Intune Admin role will be sufficient in the long run).

    When you run this for the first time you will be asked for consent; scroll down and press Accept.

    Once you have accepted, the process of gathering the Hardware ID will start automatically; don’t close the session until it has finished. This will take up to a few minutes. Once you can confirm that the script has finished successfully, turn off the computer, or reset Windows if you are doing this from an already up-and-running Windows client (you will lose all data).

    Head back over to Microsoft Intune to confirm that the computer was successfully imported by navigating to Devices > Windows > Windows Enrollment and selecting Devices.

    This is the section where all your imported Windows Autopilot devices will be listed, and you can see if a Deployment profile has been assigned to the device.

    Once the Deployment profile has been assigned to the device, you will see that the Profile status is set to “Assigned“. This usually takes about 10-15 minutes and you can’t do more than just wait. If you click on the machine you can see some more information, such as which profile is assigned.

    Enroll your device

    Now it’s just the fun part left. Enroll your device!

    Simply start your computer or virtual machine again and follow the on-screen instructions. Once you have selected language, keyboard locale and network (if physical device), you will end up on a screen saying “Welcome to [your company name]” and you will be asked to sign in.

    Sign in using the account we created earlier and just follow the flow. If this is the first time you sign in with this user, you will be asked to set up MFA and change the password.

    The enrollment typically takes 20-30 minutes depending on how many applications are being assigned. You can follow the progress on the screen and expand each section to track it.

    At one point in the process, you will be asked to sign in again; this is to set the user affinity and configure the “Account setup“.

    Ending notes

    We have now successfully set up an extremely basic Windows configuration that you can play around with. If you go to Devices > Windows > Windows Devices you will see all your enrolled devices and information about them. You can also perform remote actions on them, which I encourage you to try!

    Since this is an isolated lab environment, try stuff out. You can’t really break anything, and in the worst-case scenario you will have to re-install the Windows client.

    Play around. Have fun.

    In the next part we will dig into iOS management!

  • Intune lab for noobs – part 4 // iOS

    This is the fourth part of the series on building your own Microsoft Intune lab. We will take some shortcuts and do some dirty tricks, just to get going. So please don’t use this as an implementation guide in a real environment. We will also skip a lot of fancy steps, such as getting a real domain name and having an on-premises AD. But if you already have those in your lab, that’s great!

    In this part, we will look at iOS management and how to get going! To test this, you will need an iPhone or an iPad which we can enroll. No reset of the device will be needed.

    In the second part of this guide, we configured the Apple MDM Push certificate, which means that we have the basics down for managing iOS, iPadOS and macOS. In this guide we will only look at a basic configuration for iOS and iPadOS (it’s the same policies).

    There are two types of profiles and policies we will create: one Configuration Profile and one Compliance Policy. We will also add an app to distribute.

    Configuration Profile

    Like always, we are doing everything from the Microsoft Intune portal at endpoint.microsoft.com. Once you have signed in, navigate to Devices > iOS/iPadOS in the left side menu.

    Select “Configuration profile” and then click “+ Create profile“.

    Select “Device restrictions” as Profile type and click Create at the bottom of the page.

    In this example we will create a profile which requires the user to set a PIN for the device. Give the profile a good name; I will call my profile iOS PIN Requirement since it’s for iOS and the profile’s purpose is to require a PIN. Click Next.

    Find and expand the category Password to display all available settings for PIN. Some settings will not be applicable since we will not use Apple Automated Device Enrollment.

    For this lab, we will require a password (or PIN) of six digits, we will block the use of a simple code (such as 111111) and we will wipe the device after 10 failed attempts. We will also require the PIN immediately when the device is locked and lock the screen after 5 minutes.

    Since we will not block Face ID or Touch ID, these can be used to unlock the device.

    When you have set these settings, click Next.

    The next step is to assign this profile to our users (we will use user-targeting to have the settings follow the user). Find your user-group that we created in the second part and add that as an included group. When you have added the group, click Next.

    Review your settings and click Create.

    We have now successfully created a configuration which will require the user to set a PIN on their device.

    Compliance Policy

    Compliance policies are used to audit whether a user’s device is following the security measures we have required. We can also notify the user if their device is not compliant.

    Navigate to Devices > iOS/iPadOS in the left side menu and find “Compliance policies“. Click “+ Create Policy” and then click Create.

    You will need to give your policy a name, and in this policy we will only check if the PIN requirements are met. It’s a good idea to create one policy per setting category you are looking at, to be able to target end-user information better.

    Find and expand the System Security category to display the policy settings for the PIN. For this policy, we want to mimic the settings we set with the configuration profile to verify that the user has set up the PIN according to our requirements.

    Once you have set the settings to the same values as the configuration profile, click Next.

    The next step is to set what actions will happen if the device is not compliant. We will leave the default “Mark as compliant” and add “Send push notification to end user” and set the schedule to 0 days. Click Next.

    We will now assign this to our user group and click Next.

    Review your settings before you click Create.

    We have now created a compliance policy which will audit the end-user to verify that the PIN is set correctly. If the PIN is missing or incorrect, the device will be flagged as non-compliant, and Microsoft Intune will send a push notification to the end-user’s device.

    The compliance value can be used as a condition in a Conditional Access rule.

    Application distribution

    Of course, we need to distribute applications to our devices. For this, we will once again utilize the guided scenarios in Microsoft Intune.

    Click on Home in the left side menu and find the “Deploy Edge for mobile” scenario and press Start. If it’s not visible on the landing page, click on “See all >” next to the heading for guided scenarios.

    Read through the initial information and click Next.

    Add a prefix which will be displayed on the application configuration which will be created and click Next.

    Add a Homepage shortcut URL which will be shown as the first link icon in the Edge application; you can also leave this blank. Then press Next.

    We will once again assign this to our user group before we press Next.

    Review your settings before you click Create on the last page.

    We have now successfully deployed the Microsoft Edge application to both Android and iOS devices.

    You can review the application if you navigate to Apps > All apps, where you can see all applications which have been added to your environment. You can also filter by platform by selecting each platform in the left side menu.

    The application configurations which were created as part of this guided scenario can be found under Apps > App configuration policies.

    Feel free to add additional apps to your environment; the easiest way is to go to Apps > iOS, select “+ Add” and select “iOS Store app” as App type. Then search for the app that you wish to deploy to your devices.

    Search for an application you want to deploy by clicking on “Search the app store”. When you have found your application, click Select, then leave all information at default and click Next.

    Applications can be set up as either required or available. Required means that it will be automatically installed; available means that the user will see the application in the Company Portal and can install it from there. Since our other application is set as required, we will make this one available for enrolled devices by targeting the assignment towards our user group. When you have added the group, click Next.

    On the last page, review your settings before you click Create.

    You have now successfully added a second app to your iOS devices.

    Enroll your device!

    Now it’s time to enroll your device by downloading the Company Portal from the Apple App Store; this will require an Apple ID to download.

    Once you have downloaded the application, open the app and sign in with the user we created earlier.

    You will be prompted that your device is not managed and asked to enroll it.

    Follow the guide through the process.

    Once you have enrolled your device, you will notice that the Microsoft Edge application will be installed and that you will be asked to set a PIN code which meets the requirements set earlier in this part.

    Navigate to Devices > iOS/iPadOS and you will see your device listed. Click on the device to show more settings and to perform remote actions such as removing the PIN, retiring the device (which removes the enrollment) or completely wiping the device (which performs a factory reset).

    You will also notice that some actions are grayed out since we are not using the Apple Automated Device Enrollment program.

    Ending notes…

    You can add additional Configuration profiles to your device and applications. Feel free to play around a bit with it and see what you can do!

    In the next part, we will set up management for Android.

  • Intune lab for noobs – part 5 // Android

    This is the fifth part of the series on building your own Microsoft Intune lab. We will take some shortcuts and do some dirty tricks, just to get going. So please don’t use this as an implementation guide in a real environment. We will also skip a lot of fancy steps, such as getting a real domain name and having an on-premises AD. But if you already have those in your lab, that’s great!

    For Android, there are a handful of ways we can manage devices. In this guide, we will configure Microsoft Intune to manage the method called “Personally owned device with work profile”, which is the simplest way to manage Android devices, where we only have control over the corporate data, which is separated from the personal data.

    For Android, we will set up the enrollment method, add a configuration profile, a compliance policy and an application.

    Configure enrollment

    Navigate to Devices > Android and select Android Enrollment. This will list all available enrollment methods for Android.

    For this lab, we will use the “Personally owned device with work profile” which is the simplest and easiest Android management method to get started with (and it doesn’t require you to reset your device to enroll).

    Click on the box “Personally owned device with work profile“.

    As you will see by the message you are presented with, this is enabled by default. This means that we do not need to make any further configurations.

    Configuration profile

    To create a Configuration Profile navigate to Devices > Android and select Configuration profiles in the left side menu.

    Click on “+ Create profile” to create a new profile. As Platform select “Android Enterprise” and as Profile type select “Device Restrictions” under the “Personally Owned Work Profile” section. Then click Create.

    On the first page, give your profile a name and click Next. I use Android as a prefix to indicate that it’s a profile for Android followed by the PIN Requirements to indicate what the profile does.

    Find and expand the category Device password. Here we will add similar settings as we did with iOS/iPadOS, which is to use the Numeric Complex password type, which blocks simple passwords (such as 111111 and similar), and we will require the PIN to be at least six digits. Facial recognition or fingerprint sensors will be available to use instead of the PIN. When you have added these settings, click Next.

    Assign the profile to your user group and press Next.

    On the last page, review your settings and click Create.

    We have now successfully created a configuration profile which will require a PIN to be set on our enrolled devices.

    Compliance Policy

    As with the iOS/iPadOS configuration, we will create a compliance policy which will audit the device to make sure that the PIN requirements are met.

    Navigate to Devices > Android, select Compliance policies and click “+ Create policy“. Select “Android Enterprise” as Platform and “Personally owned device with work profile” as Profile type. Then click Create.

    Give your policy a good name and click Next.

    Find and expand the category System Security and configure the password requirements to mimic the configuration profile. Once you have added this, click Next.

    On the next page, we will leave the default action but add the option “Send notification to end user”, leave the schedule at the default value 0 and then click Next.

    On the next page, we will add our user group and click Next.

    On the last page, review your settings and then click Create.

    We have now successfully created a compliance policy which will audit if the user has set a PIN which meets our requirements.

    Applications

    In the iOS guide, we used a Guided scenario to deploy Microsoft Edge to both iOS, iPadOS and Android. This means that the Microsoft Edge application will be automatically installed on the Android devices as well.

    But we need more than one application, so we will add one more.

    Navigate to Apps > Android and press “+ Add“. Select “Managed Google Play app” as App type and press Select.

    Search for an application you want to add and select Approve on the application.

    Once the application has been approved, press Sync in the upper left corner of the window. This will take you back to the application list.

    Wait a few minutes and then click Refresh on the app list page in order to display your new applications. You will notice that the Assigned status on all new applications is set to “No”, which means that no users have been assigned to the application yet.

    To assign the application to a group to distribute it to your devices, click on the application and select Properties in the left side menu.

    Click on Edit next to Assignments to add a group to distribute this to. Add your user group to Available for enrolled devices and click Review + save. Then on the review page click Save.

    We have now successfully made the application available to all our enrolled Android devices in the Managed Google Play store.

    Enroll your device

    Now it’s time to enroll your device, and in this scenario it requires the device to be reset to factory default.

    On the first page, where you are asked to select language, tap five times fast in order to trigger the QR code scanner.

    Go to Devices > Android > Android enrollment and select the profile you created earlier. Click on Token and scan the QR code which is displayed.

    Follow the enrollment guide on your screen (this will vary depending on which version of Android you are running).

    Once enrollment is completed, you can find your device if you go to Devices > Android > Android Devices. Click on your device to show more information and perform remote actions such as wipe or removing the PIN if the user has forgotten it.

    Ending notes…

    There are many ways to manage Android, and in this guide we went through the simplest one. There is also a method called “Corporate-owned devices with work profile” which is the most powerful method, in my honest opinion. This, however, requires you to reset your device before enrollment. You will also need to create new Configuration profiles and Compliance policies for this method since it operates a bit differently.

    I really encourage you to keep playing around with Intune and try out more stuff. We only scratched the surface in this guide, but you have a good foundation to build upon!

  • Get more information on device compliance

    Device compliance is an area which is getting increasingly important, and having your devices report a “Compliant” status is crucial for Conditional Access to work in a user-friendly way.

    But sometimes you end up with a bunch of devices reporting an error on a specific compliance setting. The Intune reporting on compliance leaves you hanging with either a report on just all your “non-compliant” devices or the count of how many devices have a specific error. Figuring out which devices have a specific error is not an easy task.

    After digging around a bit I stumbled upon this post, INTUNE: REPORT ALL DEVICES THAT ARE NON-COMPLIANT BECAUSE THEY ARE INACTIVE – Microsoft Tech Community, which explained how to get this data using the Graph API. You get a lot of information from this query.

    Since I wasn’t really interested in inactive devices, I needed to tweak the GET query a bit, ending up with the following query, since I was looking for devices with a firewall issue.

    https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicySettingStateSummaries/Windows10CompliancePolicy.ActiveFirewallRequired/deviceComplianceSettingStates?$filter=state eq 'nonCompliant'

    If we break down the string a bit, you can actually filter this based on the specific compliance setting you want to find.

    1. “https://graph.microsoft.com/v1.0/deviceManagement/” – This is the Graph connection string
    2. “deviceCompliancePolicySettingStateSummaries/” – this defines that we want to look at compliance policy setting state
    3. “Windows10CompliancePolicy” – this is the name of my compliance policy, so this will depend on your naming
    4. “.ActiveFirewallRequired/” – this defines which setting we are looking at
    5. “deviceComplianceSettingStates?$filter=state eq ‘nonCompliant’” – this filters out which state we are looking for. You can change this to “Compliant” to find compliant devices instead

    So, if you want to look at another setting than the firewall as in this example, you simply replace that part of the string with the name of the setting you are looking for. The easiest way to find all the setting names in your tenant is to simply run:

    https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicySettingStateSummaries

    This will list all settings and setting names in your tenant.

    When you have built your own GET string you will be able to pull the data you need and find out which devices are affected in a simpler way.

    I’m still trying to figure out how to export this in a good way other than the classic copy paste (I’m really bad with PowerShell). Once I figure that out, I’ll post a part two of this! Or if you have a good solution for this, feel free to reuse this or post a link to your solution in the comments!
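    One way to build the query from the five parts above and export the result to CSV, as an added example and not the post’s own script: the URL is assembled with the $filter percent-encoded (the raw string contains spaces and quotes), paging is followed through @odata.nextLink, and the device rows are flattened into CSV. The Graph property names (deviceName, userPrincipalName, setting, state, and so on) are assumed from the deviceComplianceSettingState resource, the sample pages, device names and contoso.example addresses are constructed, and the HTTP call is injected as a callable so the code runs offline here.

```python
"""Export the devices behind a compliance-setting state query to CSV.
Added example, not the post's own script. Graph property names are assumed
from the deviceComplianceSettingState resource; sample data is constructed."""
import csv
import io
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0/deviceManagement/"

# Columns kept in the export (assumed Graph property names).
COLUMNS = ("deviceName", "userPrincipalName", "platformType", "setting",
           "state", "complianceGracePeriodExpirationDateTime")


def build_setting_state_url(policy_name, setting_name, state="nonCompliant"):
    """Assemble the five parts broken down in the post. The $filter value
    holds spaces and quotes, so it is percent-encoded rather than pasted raw."""
    summary_id = f"{policy_name}.{setting_name}"
    filt = quote(f"state eq '{state}'", safe="'")
    return (f"{GRAPH}deviceCompliancePolicySettingStateSummaries/{summary_id}"
            f"/deviceComplianceSettingStates?$filter={filt}")


def fetch_all(url, get_json):
    """Collect every page: Graph returns large collections in chunks and
    points at the next chunk with @odata.nextLink. get_json(url) -> dict is
    injected so the caller picks the HTTP client (and this stays offline)."""
    items = []
    while url:
        page = get_json(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def list_setting_names(get_json):
    """The summaries call from the post; each id is a '<Policy>.<Setting>'
    name you can feed straight into build_setting_state_url."""
    url = GRAPH + "deviceCompliancePolicySettingStateSummaries"
    return sorted(s["id"] for s in fetch_all(url, get_json))


def to_csv(states, columns=COLUMNS):
    """Flatten setting-state objects into CSV text, one row per device."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore")
    writer.writeheader()
    for state in states:
        writer.writerow({c: state.get(c, "") for c in columns})
    return buf.getvalue()


def export_noncompliant(policy_name, setting_name, get_json):
    """Build the query, page through it and return the CSV text."""
    url = build_setting_state_url(policy_name, setting_name)
    return to_csv(fetch_all(url, get_json))


# --- constructed stand-in for the live tenant (two pages, two devices) ---
FIREWALL_URL = build_setting_state_url("Windows10CompliancePolicy",
                                       "ActiveFirewallRequired")
NEXT_URL = FIREWALL_URL + "&$skiptoken=constructed-page-2"
SETTING = "Windows10CompliancePolicy.ActiveFirewallRequired"
SAMPLE_PAGES = {
    GRAPH + "deviceCompliancePolicySettingStateSummaries": {"value": [
        {"id": SETTING, "nonCompliantDeviceCount": 2},
        {"id": "Windows10CompliancePolicy.BitLockerEnabled",
         "nonCompliantDeviceCount": 0},
    ]},
    FIREWALL_URL: {
        "value": [{"deviceName": "OPC-1234567",
                   "userPrincipalName": "alice@contoso.example",
                   "platformType": "windows10AndLater", "setting": SETTING,
                   "state": "nonCompliant",
                   "complianceGracePeriodExpirationDateTime": "2021-01-31T00:00:00Z"}],
        "@odata.nextLink": NEXT_URL,
    },
    NEXT_URL: {
        "value": [{"deviceName": "OPC-7654321",
                   "userPrincipalName": "bob@contoso.example",
                   "platformType": "windows10AndLater", "setting": SETTING,
                   "state": "nonCompliant"}],
    },
}


def sample_get_json(url):
    """Offline replacement for an authenticated GET against Graph."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    print(list_setting_names(sample_get_json))
    print(export_noncompliant("Windows10CompliancePolicy",
                              "ActiveFirewallRequired", sample_get_json))
```

    Against a live tenant, pass a get_json that performs an authenticated GET (for example with the requests library and a bearer token obtained for the Graph DeviceManagementConfiguration.Read.All permission) in place of sample_get_json.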

  • Naming conventions

    Ah the precious naming convention. Something that has historically been particularly important, and still is today but in a bit of a different way.

    Lately this topic has come up in various situations, and I had started a post about this a few years ago talking about how we did it back then and the reasoning behind how we did it back at my former employer. But then life happens and I’m now working in a completely different role.

    How did we get here?

    So, this whole topic has somewhat of a history. Naming conventions, or naming standards, have always been a hot topic with things almost viewed as you can do it in a correct way or a wrong way (this is extremely exaggerated). Naming things can be an art, where you compress things as much as possible to have as much information as possible in the name of things.

    Let’s take computer names as an example. Everyone has a standard for this and it’s roughly the same idea everywhere:

    • You want to identify in which country the device is [SE]
    • You want to identify which city, office, or business unit [STO]
    • Based on historical decisions, you want to separate laptop and desktop [L] / [D]
    • You throw in the word PC to identify it as a PC and not something else [PC]
    • You have a number sequence at the end [1234]

    This would give you a computer name such as SESTOLPC1234.

    Does this sound familiar? Many choices you made several years back are still present in the name since you haven’t managed to get rid of it due to different internal discussions never leading to a decision.

    Same would go for your security groups and distribution groups, you have prefixes based on different objects. Same goes for your Intune profile names.

    Do names matter?

    So, the big question, does this really matter anymore? I would argue that it does, but not in the same way as it used to do.

    At the end of the day, this is only a name. Having a diverse IT environment as workplaces are today, we can only control the naming of a subset of all devices (mainly Windows PCs). This means that your iPhones, iPads, Androids, and Macs won’t follow your naming convention since they simply do not support this fully.

    The name is there to help identify the device, but if you look at your inventory in e.g. Microsoft Intune, I would guess that most of your iPhones are called “iPhone”, leaving you clueless anyway. All devices (except for shared ones) are connected to a user, so you are usually better off finding devices based on the user. The device also has a lot of searchable metadata, such as the serial number, which is an effective way of finding the device since the device name is something that potentially changes during the lifecycle of a device.

    Key takeaway

    The naming of devices is maybe not as important as it used to be, but there might be scenarios where it’s useful. The most important thing to remember is that there are no rights or wrongs; it’s all based upon the wants and needs of your organization and what makes sense to you. All the different device platforms in the office space support this in different ways as well, so what is possible on your Windows device might not be possible on your Android devices.

    What I usually do for Windows is to use a three-letter prefix and the serial number as a name. This prefix changes depending on the type of device. One setup could be like this:

    • OPC-1234567 where OPC stands for Office PC
    • SPC-1234567 where SPC stands for Shared PC
    • MTR-1234567 where MTR stands for Microsoft Teams Room
    • KIO-1234567 where KIO stands for Kiosk

    Setting names like this is mostly to easily identify what flavour of Windows device it is, but that information would be even better to add as metadata on the device, for example using scope tags or device categories. There are many ways to add that information to the device, but using different prefixes is the simplest.

    At the end of the day, device name is something that is more for convenience rather than functionality. Even if my computer is called “Olas computer” or “DESKTOP-Q2E3RE” it would be possible to add it to dynamic groups and find information about it.

  • Once you go Mac…

    I used to be an avid Mac user and major Apple fanboy back in like 2011-2013. Then I joined Microsoft and got to see the other side, the dark side… Somewhere in the hidden corners of the internet, I even have a blog post called “once you go Mac, you never go back” saying I would never use anything else than a Mac.

    Jokes aside. Coming out of a more communications and media technology world from college, Apple and Macs were the best there was. Then the iPhone came along and changed the whole mobile device world.

    I was a Mac user from around 2008 until 2017 even if in the later years I rarely used my personal Mac. Then the Surface Laptop was released and that’s what my personal laptop still is.
    Now that I’m about 10 years older than in 2011, I have a completely different approach to things. One is not better than the other; whether it’s better or not totally depends on who will use it.

    This post will not cover HOW to configure, more discuss why and what.

    macOS and management

    So, how would you go at this?

    Just like for mobile devices, there are a lot of different tools for managing macOS. As usual, my approach is Microsoft Intune, but for macOS specifically there might be other tools like Jamf Pro which has a lot more features (but also comes with a completely different price tag).

    You know I’m all for making use of what you have and getting the most bang for your buck, so let’s talk about macOS and Microsoft Intune.

    Setting the expectations right

    One thing to keep in mind when it comes to managing macOS: the possibilities are not even close to what you can do on a Windows 10 machine, and what we can control comes down to which APIs Apple allows mobile device management tools to use. If you set up management for macOS expecting the functionality of a domain-joined computer, that is not what you will get.

    The experience is more closely related to how you approach managing mobile devices: you put a management layer on top of the experience. There are basically three ways to view management of Macs:

    • Automated Device Enrollment
    • Device Enrollment
    • User enrolled

    The first two are the most common ones, while User enrolled is more for BYOD scenarios and gives less functionality and manageability. Both device-based methods are very similar, but Automated Device Enrollment makes use of the Apple Automated Device Enrollment service, ADE (previously DEP), which increases the possibilities for management and prohibits the user from removing the enrollment.

    macOS uses what is called “User Approved enrollment”, which means that the user must ALWAYS approve the installation of management profiles, even if Automated Device Enrollment is used. This adds extra steps to the enrollment process compared to mobile or Windows devices, where this is automated to a higher degree.

    If you are looking for a more deeply integrated management method, Jamf Pro is more where you need to head, but then we are talking additional licensing.

    What to manage

    Moving on to what you need to manage on the device. This is of course based on your organizational needs, both regarding configurations and security. There are however a few things that might be a good minimum, such as:

    • Wi-Fi settings
    • Encryption and FileVault (macOS equivalent to BitLocker)
    • PIN/Password
    • Endpoint protection
    • Application distribution
    • Compliance settings
    • SSO extension

    There are a lot of more things we could potentially configure, but keeping it to a bare minimum, this is a great start and does not limit us from expanding this down the road.

    One thing to use as a guiding principle is to think about what you NEED to manage and not configure settings just because you can. Is there a need to block, let’s say, Spotlight suggestions, or could this be useful for the user, so that blocking it results in a poorer end-user experience? This is important to keep in mind for all platforms, not only macOS to be honest. Don’t block just because you can; configure based on needs.

    Why manage?

    So why do you want to manage your Macs? That is the million-dollar question and something that you need to figure out before even starting. This doesn’t need to be super fancy or technical, just define the goal you have. This might be:

    • Ensure that all devices are secure
    • Get inventory of what devices are used
    • Provide your users with a better experience

    Or you could have more defined demands coming from your organization regarding legal demands or security demands.

    By managing your Macs, you will gain a better understanding of what devices are used within your organization and you can ensure that you provide your users with a good and secure platform. By managing the device, you can also provide settings such as Wi-Fi access automatically to the devices without the need for the end user to know where to find the information. The same would go for applications. You will bring the platform closer to what you know and love when it comes to device management, even though the expectations need to be kept separate from, let’s say, the Windows platform.

  • Creating a workplace at home

    So, I’m about 10 months late on this topic now that we have all been from home for such a long time. The discussion is turning more towards how we can move BACK to the offices, how and when that can and will be done.

    For me, this is an important topic and I thought I would share my learnings from the past 10 months regarding creating a workspace at home.

    I really understand that not everyone has the living situation allowing them to set up a good working place. In our apartment we had to set up an extra workplace since both me and my girlfriend are working from home full time for the foreseeable future. This meant some compromises when it comes to optimal space since we only had one spare room, putting my workplace in the bedroom.

    Please bear in mind that these are important to me and I totally understand if you don’t have the space, ambition, or willingness to go down this path.

    A real desk and a chair you like

    Even if it’s quite convenient to set up your office at the kitchen table, it’s far from optimal for several reasons. Even though it’s nice to be close to the coffee maker, this is not good for your back and shoulders.

    Given that you have the space, getting a real desk and chair works wonders. It doesn’t have to be one of those adjustable desks or expensive gaming chairs. Simple stuff from IKEA is a good start!

    For me, this is the most important part. I can leave everything else out, but I need a decent desk and chair to work from home.

    A monitor

    Having an external monitor is important from a whole lot of aspects. You get some extra real estate while working on those spreadsheets and most importantly you end up in a more ergonomic posture, raising your line of sight. Being someone who has worked extensively from only a laptop monitor in the past, this has become important. For me, it doesn’t have to be a fancy, top-of-the-line screen, even though it does have to have okay aesthetic since it becomes a part of the interior decoration for the room.

    A keyboard and mouse you enjoy

    This has been one of the bigger pet peeves for me. Finding a good keyboard and mouse. I’ve also discovered I’m fussy on this topic and I have quite specific expectations.

    I’ve been using the Microsoft Arc Mouse for a long time, and I really enjoy it. However, that has always been more of a “travel mouse” for when on the go or not at a real desk. It’s a bit small and not too ergonomic for my taste. I was also using an old “all-in-one” Microsoft keyboard which had a bad typing experience.

    Those are now replaced with new fancy stuff, Microsoft Compact Designer Keyboard, and a Microsoft Ergonomic Bluetooth Mouse which I really like.

    Since I spend a lot of time typing, the keyboard experience is important, and this keyboard feels just like a laptop keyboard (I’m NOT a fan at all of mechanic keyboards).

    A webcam

    This is something simple, and for remote work it is important in order to have good Teams meetings. If your setup includes an external monitor, getting an external webcam will really improve your meeting experience. You will be facing the correct screen rather than being shown in profile by the laptop’s built-in webcam, and you will be perceived as more engaged in the meeting since you will be looking in the correct direction.

    Keep a clean desk policy

    I’ve always been a fan of this, both at the office and at home. Getting stuff out of the way and de-clutter my workspace removes all distractions. It’s also nice to start the workday fresh and since my workplace is in the bedroom, clearing up the desk helps me disconnect.

    Take breaks

    This is the area I need to improve the most on. I’m bad at taking breaks. However, I do try to take at least one 20–30-minute walk every day with our dog. But I tend to eat lunch in front of the computer and just go to the kitchen for a refill of water or coffee, so more like micro breaks.

    Be flexible

    This is another area of improvement for me; I tend to not move around as much as I would like. But being flexible about where you work from, just like you would at an office, means you don’t have to stare at the same wall day in and day out. It could give you a sense of an activity-based office. My idea for how I will handle 2021 is to start my day at the dinner table in the living room and then move into my office space when I’ve finished my coffee. However, I still have some way to go on that point.

    For me, being flexible could also mean that you bring your workspace to new places, or even outside when winter is over. After working as a traveling consultant for several years, my essential office still fits in a backpack.

    Evolve your workspace

    My home workspace is always evolving and improving. As of right now I have two things I’m thinking about: replacing the desk with an adjustable one and figuring out a good lighting setup with a low footprint to improve the lighting for Teams meetings.

    I also have about a thousand ideas of what I would like to do, which are not possible now due to room limitations. But I have dreams of what my home office should look like, and it doesn’t really include that much technology. It has more to do with what I want my space to look like.

  • What is the difference between management scenarios for mobile devices?

    A quite common discussion topic when it comes to mobile device management is the different approaches you can take. Therefore, I’ve written down a little something to try to simplify a little bit.

    I’ve intentionally left out any preview features and user enrollment for Apple devices to focus on the most common scenarios. I will look to cover that in a separate post.

    There are of course more technical aspects to this, but from a high level this is something that is good to keep in mind!

    Flow description Android

    For Android, there are three different types of management:

    • Work Profile
    • Corporate owned fully managed
    • Corporate owned dedicated device

    These are used for three different scenarios which are based on the requirements in the environment. Moving existing devices into Microsoft Intune management also affects which management method should be used.

    Personally owned with work profile

    Personally owned with work profile is mostly used to handle Bring Your Own Device (BYOD) scenarios. It is also often used to transition from either no management or legacy management into a Microsoft Intune enrolled device, since it does not require the device to be reset to factory default before getting started.

    To register a device using Work Profile, the user needs to download the Company Portal application from the Google Play store. When the application is downloaded and installed, the user signs into the Company Portal app using their corporate credentials and follows the on-screen wizard on how to enroll.

    When the device is enrolled, a corporate container is created on the device where all corporate data is stored separately from the personal data. The user will see a new tab on the application pane called Work and all applications will have a small briefcase on them indicating they are work applications.

    The IT department can only manage the Work Profile part, but can put some restrictions and requirements on the device regarding e.g. PIN code and Wi-Fi settings. A limited number of remote actions can also be performed, such as PIN recovery or removal of corporate data. Applications in the Work Profile are managed through the Managed Google Play store, which is controlled by the Microsoft Intune administrators. Since the applications in the Managed Google Play store are centrally managed and assigned, no corporate Google account is needed for the end user to download and use applications in the Work Profile.

    The personal part of the phone still functions as expected by the user, since data is separated and not allowed to flow between the containers.

    Personally owned with work profile

    Corporate owned fully managed

    A corporate owned fully managed device is used where the company buys the device and there is a 1:1 relationship between device and user. To enroll the device as fully managed, the device needs to be new out of the box or been reset to factory default.

    Devices can be pre-registered to the customer by the hardware vendor in Google Zero Touch to ease the enrollment procedure for the end user.

    When the user receives the device, they follow the on-screen onboarding process for initial setup.

    If the device is not pre-registered using Google Zero Touch, the user will be asked to scan a QR code which is unique to each customer and must be made available by the IT department.

    During the enrollment, the user will be asked to log in using their corporate credentials. The user will also be asked to set a PIN code. As part of the enrollment in Microsoft Intune, the configurations, policies, and applications that have been assigned to the user and/or device will be applied to the device.

    When the enrollment has finished, the device is ready to be used by the user.

    The fully managed device does not separate corporate and personal data as the Work Profile method does, which means that corporate data and personal data is mixed on the device. On the other hand, since the device is fully managed, the IT department has much more control over the device and applied configurations and policies.

    Applications are centrally managed by IT, but the public Google Play Store can be made available for the end user. For applications distributed through Microsoft Intune, no Google account is needed for the end user.  

    IT can also perform remote actions on the device, such as PIN recovery or data removal.  

    Corporate owned fully managed

    Corporate owned dedicated devices

    Corporate-owned dedicated devices are used when there is not a 1:1 relationship between user and device, in a scenario where multiple users use one device. A good example of this is a kiosk device.

    Devices can be pre-registered to the customer by the hardware vendor in Google Zero Touch to ease the enrollment procedure.

    When the user receives the device, they follow the on-screen onboarding process for initial setup.

    If the device is not pre-registered using Google Zero Touch, the user will be asked to scan a QR code which is unique to each customer and must be made available by the IT department. These QR codes are unique to each enrollment profile and are valid for 90 days.

    During the enrollment, no user sign-in is required. The device will be automatically enrolled into Microsoft Intune and no user affinity is applied. A PIN code can be set as part of the enrollment flow.

    During the enrollment to Microsoft Intune, the configurations, policies, and applications that have been assigned to the device will be applied.

    When the enrollment has finished, the device is ready to be used by the user.

    Since the device is supposed to be dedicated to a specific task or function, the features in the OS are limited and can be locked by the IT department. Some built in applications can also be removed if needed.

    Applications are centrally managed by IT using Microsoft Intune.   

    IT can also perform remote actions on the device, such as PIN recovery or data removal.

    Corporate owned dedicated devices

    Flow description IOS and iPadOS

    Management of iOS and iPadOS does not have the same number of variations as Android. There is however a difference in how you can handle devices based upon if you use Apple Automated Device Enrollment or not.

    For iOS/iPadOS management, there are two different ways of managing the device, personal or shared. Shared device is only applicable to iPadOS.

    There are however two different ways of enrolling a device depending on whether Apple Automated Device Enrollment is used or not.

    Personal iOS/iPadOS devices with Apple Automated Device Enrollment

    The default management of iOS/iPadOS devices is as personal devices, where there is a 1:1 relationship between user and device.

    If Apple Automated Device Enrollment is used, the devices are pre-registered by the vendor in Apple Business/School Manager. Apple Automated Device Enrollment is used to simplify the enrollment process for the end user and provide an additional set of controls for IT.

    When Apple Automated Device Enrollment is used, IT can control the first run experience for the user to remove unnecessary steps. This control will also ensure that the device will be enrolled. When a user receives the device, they will follow the on-screen wizard to get started and register their device.

    During the initial setup, the user will be asked to sign in using their corporate credentials, and the device will enroll in Microsoft Intune and receive the applicable configurations, policies and applications that have been assigned to the user and/or device. When the setup is done, the device is ready to use.

    IT can manage configuration, policies, and applications centrally and perform some remote actions such as PIN recovery, data removal or resetting the device. If the devices are deployed in Supervised mode, there is also a possibility to trace lost devices and put them in a “lost mode” to prevent a lost device being used by an inappropriate person.

    Applications are downloaded through the Apple App Store. For corporate applications and line-of-business applications, the Company Portal is used to initiate the download and the user will not require an Apple ID to download applications. IT can also do required installations of applications.

    Personal iOS/iPadOS devices with Apple Automated Device Enrollment

    Personal iOS/iPadOS devices without Apple Automated Device Enrollment

    The default management of iOS/iPadOS devices is as personal devices, where there is a 1:1 relationship between user and device.

    If Apple Automated Device Enrollment is not used, the user will have to download the Company Portal application from the Apple App Store to enroll the device. Users then sign into the application using their corporate credentials and follow the on-screen instructions on how to enroll the device.

    IT can manage configuration, policies, and applications centrally and perform some remote actions such as PIN recovery, data removal or resetting the device.

    Applications are downloaded through the Apple App Store. For corporate applications and line-of-business applications, the Company Portal is used to initiate the download and the user will not require an Apple ID to download applications. IT can also do required installations of applications.

    Personal iOS/iPadOS devices without Apple Automated Device Enrollment

    Shared iPadOS device

    Shared iPadOS devices are used when there is not a 1:1 relationship between user and device, in a scenario where multiple users use one device. A good example of this is a kiosk device.

    To use the Shared iPadOS scenario, Apple Automated Device Enrollment needs to be used. Devices are registered in Apple Business/School Manager to connect the device to the customer.

    When a device is to be registered, a user or coordinator starts the device and follows the on-screen instructions. No sign-in is required during this process since the device will not have user affinity.

    During the enrollment, the device will receive the configurations, policies and applications that have been assigned to the device.

    When the registration is completed, the device is ready to use.

    IT can manage configuration, policies, and applications centrally and perform some remote actions such as PIN recovery, data removal or resetting the device.

    Applications are centrally managed by IT and are installed automatically by assigning them in Microsoft Intune without user interaction.

    Shared iPadOS device

  • Dear 2020…

    Wow, it’s already a new year. Even if 2020 was a weird year, it went by fast! And for those who wonder, the deer doesn’t have anything really to do with this post. It’s more of a pun… Deer 2020… Okay, I’ll show myself out….

    A lot of things to look forward to in 2021, such as a vaccine against Covid-19, new Windows preview builds, new Teams features and much, much more.

    The start of a new year is a wonderful opportunity to reflect on the past year, because even though 2020 was a weird year, a lot of things happened. I’ve decided to split this one into different areas just to be able to sort out my thoughts a little bit.

    Personal life

    So personal life… This doesn’t really qualify for this blog usually. But since 2020 meant working from home all the time, personal life is an important part. Relaxing and disconnecting got even more important for me during 2020. I found something that allowed me to disconnect from work stuff and focus on something else, which I haven’t really done the last couple of years. Like a lot of other people, I took up golf again during 2020. Not so much because of Covid-19, but more in the sense that this is something I’ve been playing since I was like 6 or 7 years old and I finally found the joy in it again.

    Professional life

    2020 was the strangest year in my professional life, as for everyone else. I started a new job just a few months before Covid-19 happened, went back to being a consultant again. Since I started right before the pandemic really took off, it’s been a little bit of a weird start for a new job since you haven’t been able to really meet your co-workers nor your customers physically. Strange times!

    Also, regarding my professional life I’ve shifted over to this blog as a platform to share my experiences, findings, and learnings. I’ve tried to keep a consistent flow, but my inspiration went on isolation during the end of the year (I blame the darkness). I’m hoping that the lighter times which are coming, and the snow, will get me back on track!

    Modern workplace life

    This heading is weird, I know, but bear with me…

    2020 was probably one of those years that forced a lot of companies and workplaces to jump forward in their thinking and implementation of workplace services. We all saw Teams skyrocket as a meeting platform, VPN usage was off the charts and collaborating digitally is the new black.

    I’ve written a bunch of different blog posts about the modern workplace the last year, and also published some old LinkedIn articles.

    During the last year, a lot has happened. We are working in a different way and everyone has gotten a taste of what working remotely means, proving that we can do stuff while not at the office (hopefully killing that old face-time requirement). The term “work is not a place, it’s something you do” has definitely come into play!

    I think the biggest impact for the modern workplace during 2020 was in fact the Covid-19 pandemic. This challenged a lot of companies to drive their adoption fast, or even in some cases get started. It has also put a bigger trust in that the end-user knows how to handle the tools provided and IT’s role in providing the correct information and education has become increasingly important.

    During 2020 we saw a lot of great improvements to a lot of popular Microsoft products. One of the most obvious ones for the modern workplace was Microsoft Teams. We got A LOT of new functionality during 2020, not only post Ignite, but as a steady stream of news. This really improved on an already great platform. Oh, and let’s not forget about the increase in Teams usage!

    Intune also got its steady stream of updates and the “Corporate-owned devices with work profile” management method for Android finally saw the light of day (still in preview however). I think this will be a really nice add-on when released based on the user experience it provides for corporate devices.

    One of the most exciting new things, which I still have not tried out, is Microsoft Tunnel. A simple VPN solution for mobile devices which doesn’t require large investments or changes in your infrastructure if you are using a Microsoft-based VPN for your Windows devices today. It will be exciting to see this product go into general availability.

    Going forward

    I most likely forgot a lot of things that I should have included. But hey, it’s been a weird year!

    Now let’s focus on what 2021 holds. This blog will keep on living and my focus will stay on the “softer” stuff around modern workplace and not the hardcore technical stuff.