Tag: intune

  • Trying to understand Windows 365

    Trying to understand Windows 365

    You know, devices and new stuff are always fun. But what if you would provide a kick-ass, safe, Windows experience on any device without having to invest in infrastructure or administrative work? To semi-quote on of my all-time favourite TV-show: “Haaaave you met W365” (it’s supposed to be Ted, not W365).

    Have You Met Ted GIFs | Tenor

    I remember hearing about the new Windows Virtual Desktop at Ignite 2018 and thinking “Wow, this is sooo cool! Finally, someone simplified the complexity of VDI solutions a little!”

    It was not perfect, but it had potential! Up until then Azure hadn’t really provided any good solutions for Windows 10 based clients. You could run Windows clients if you imported an image, but it was far from great. It was more for playing around with Windows.

    Windows Virtual Desktop later became Azure Virtual Desktop, but it required a decent amount of work to set up initially. Don’t get me wrong, it’s super awesome given the flexibility it provides you could run anything on it. But it comes with a big challenge, especially if you are not familiar with VDIs. It requires a decent amount of configuration before you can get going. The Azure Virtual Desktop is however GREAT for scenarios where users don’t need a dedicated machine, their session can run in a host pool to make the most out of your Azure resources!

    Windows 365 enters the stage

    Microsoft announced Windows 365 during the summer 2021 (I remember noticing it during my summer vacation). I had a really hard time positioning this compared to the AVD solution, when should I pick what?

    But finally, the coin dropped for me. Windows 365 is for when you just need a virtual computer with no super specific needs (since the configurations are a set list). Like for instance you have a consultant working in your company who already has their own device which they can run a Windows 365 machine on, instead of you having to source and ship a physical device.

    Current sizing of Windows 365

    It also has the quite nice feature of being simple to assign and setup since you assign a provisioning policy and a license to the end user, and you are good to go! This is truly VDI made for the masses if you ask me.

    Of course, there are things you need to setup if you are running this in an enterprise, such as the network connectivity and on-premises domain connection (yes you sadly still need an on-premises AD and hybrid join for this in the enterprise setup, but AAD only is coming). You would also need to setup management profiles in Microsoft Intune or just reuse the ones you have for your physical machines. In Microsoft Intune, the Cloud PC is just a computer amongst all the others, but model will be Cloud PC instead of e.g. Surface Laptop.

    Coming from a device management background, I also really love that you manage everything from the Microsoft Endpoint Management portal, no other fancy tools needed or a need to find your way around the Azure portal!

    Who should use a Cloud PC?

    So, who is the Windows 365 Cloud PC for really? Saying everyone is not the wrong answer, but when you face reality and leave the marketing slides behind, you will notice that most of your users don’t need this. But some absolutely do, and those are in this case the interesting users.

    In the perfect of worlds, you could easily “only” have Cloud PCs and let your users use whatever device they want to access those. In an enterprise scenario, with a lot of history, which would not be feasible. At least not for your FTEs to start with unless you provide them with more lightweight devices and provide a beefier Cloud PC to do their work on.

    In the scenarios I mostly have seen and discussed, there is one main use case we are discussing, and that is consultants who already has a computer (or device for that matter) and instead of providing them with a 5-year-old computer which got put in the spare pile you give them a virtual machine which they can access from their PC. This scenario is also valid for providing consultants with a more basic PC and “beef” it up using a powerful Cloud PC.

    One thing I find useful is that you can run either Windows 10 or Windows 11 on it, you select the image yourself. This means that you could potentially have your physical machine on Windows 10 but run your virtual machine with Windows 11. This could be beneficial in a transition period from Windows 10 to 11 if you want to do some application testing without needing to re-install computers.

    I’ll keep exploring Windows 365, and I’m really hoping Ignite will bring more cool stuff around for it!

  • Intune for noobs – Intro

    I’ve been thinking about doing something more educational for a while now and I think this will be a great start to that. Writing a guide on how to setup your own Microsoft Intune lab. We will take shortcuts and do dirty tricks, just to get going. So please don’t use this as an implementation guide in a real environment. We will also skip all fancy steps as getting a real domain name and having an on-premises AD. But if you already have those in your lab, that’s great!

    Here are the links to each part, and they are also published in the blog further down in the feed.

    Sharing is caring, so my idea about this guide is to simply help you get started on your own Microsoft Intune journey and learn what it is and what it can do!

    With this base, you can build further on your lab environment as you grow with the concept!

    Enjoy!

  • Intune lab for noobs – part 1 // Pre reqs

    I’ve been thinking about doing something more educational for a while now and I think this will be a great start to that. Writing a guide on how to setup your own Microsoft Intune lab. We will take shortcuts and do dirty tricks, just to get going. So please don’t use this as an implementation guide in a real environment. We will also skip all fancy steps as getting a real domain name and having an on-premises AD. But if you already have those in your lab, that’s great!

    What do I need?

    There are a few things you will need in order to get started:

    • An Azure AD tenant
    • Microsoft 365 or EMS licenses (E3 or E5)
    • Hyper-V or some other virtualization platform
    • A Windows image
    • A mobile device or two
    • A Google account
    • An Apple ID

    There are more things, but this is a good start.

    Getting a tenant

    This can sound like the most cumbersome and expensive part, but it doesn’t have to be. Depending on your level of commitment, there are different ways to go at this. The Azure AD itself is free of charge, but you will need licenses to run Microsoft Intune. You could either buy these or get a test tenant for free from Microsoft. You can either get a one-month free trial from the Microsoft 365 info page which isn’t persistent if you don’t buy the license once it has expired. You can also sign up for a free trial of Microsoft Intune from Microsoft Docs, then enable a 90-day free trial of Enterprise Mobility + Security E5 if you go to Devices > Enroll Devices > Windows Enrollment > Automatic Enrollment. This will include everything you need to test Intune, but no Microsoft 365 services.

    The best option is to sign up for the Microsoft 365 Developer program and get a tenant and licenses which will be renewed every 90 days if you sign in at least once.

    My recommendation for your lab is to get the later one. You will want something that sticks around for more than 30 or 90 days.

    By using the Microsoft 365 Developer program, you can also get sample data (users, generated emails, SharePoint sites) to make the environment more realistic with minimal effort.

    The setup process is simple, you will need to register with Microsoft and then you will be able to create your tenant. Microsoft has a good step by step guide which you can find here!

    Give your tenant a cool name (or just something you remember) and you are ready to go!

    Once you have your tenant setup, use your admin account to sign in to endpoint.microsoft.com and BAAAM, you are now in the Intune portal!

    Hyper-V or another virtualization platform

    The reason we want a virtualization platform is to spin up some virtual test clients. There are numerous ways of doing this, but for small scale this is the simplest way.

    If you are using a Windows based machine, you can enable in different ways. Easiest way is to simply run the PowerShell console as admin and run the following command (something I learned by writing this post):

    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All

    When the command is successful, reboot the machine.

    If you are not comfortable with PowerShell, you can simply enable it in the “Turn Windows Features on or off” section of Programs and Features in the Settings app.

    We will come back to how to use Hyper-V in a later section were we setup Windows management.

    Getting a Windows image

    There are a lot of different ways of getting a Windows image for testing purposes. If you have an MSDN/Visual Studio subscription, you can download this from your subscription repository of download. But if you don’t have that, the easiest way of getting a Windows image is to simply download it from Microsoft using the Media Creation Tool found here.

    Once you have downloaded and started the tool, you can follow the on-screen wizard to obtain the image.

    First, accept the terms and conditions page, then make sure to select “Create installation media”.

    Select the language you require and make sure you get the 64-bit version (you don’t need 32 bit).

    Select that you want this as an ISO-file

    When you press next, it will ask you where you want to save the file and the download will start.

    Mobile devices

    Depending on what you want to do with your lab, I suggest you get at least one mobile phone. This could be any phone which is fairly up to date (iOS 12 and higher or Android 6.0 or higher).

    For my lab, I’m using a cheap Samsung Galaxy A20 that I got on a sale which is running Android 10 and an iPhone X (which is my primary personal device). However, if possible, I strongly recommend using secondary devices for your lab, at least if you want the wipe features.

    Google Account

    Why do we need a Google account in the Microsoft world? It’s simply to activate and be able to use the Managed Google Play store and activate enterprise features. This can be a regular Google account; I’m using one that I’ve had for ages (in the real world make sure to use a dedicated which is NOT personal). If you already have a Gmail account, that will do just fine!

    If you plan on sharing this environment with more people, use a dedicated account.

    Apple ID

    To enroll Apple devices in Microsoft Intune, we need to obtain a certificate from Apple. For that, we need an Apple ID.

    Same goes here, for your personal lab you can use an already existing Apple ID which is not dedicated for the purpose (for real world use, setup a dedicated account). We will use this account later when we configure iOS/iPadOS management!

    Ending notes…

    And that’s about it for pre-reqs to setup your own Microsoft Intune lab!

    In the next step, we will do some basic configuration of your brand-new Microsoft Intune tenant!

  • Intune lab for noobs – part 2 // The basics

    This is part two of the series of building your own Microsoft Intune lab. We will take some shortcuts and do some dirty tricks, just to get going. So please don’t use this as an implementation guide in a real environment. We will also skip a lot of fancy steps as getting a real domain name and having an on-premise AD. But if you already have those in your lab, that’s great!

    Setting up the basics

    First step is to enter the magic world of Microsoft Intune, which you access from endpoint.microsoft.com. This is your go-to place for managing devices and you can also access the Azure Active Directory (Azure AD) from here.

    The default landing page

    To get you going, you will need a test-user and some groups, this is the first thing we will create.

    In this part we will:

    • Enable MFA
    • Create users
    • Create groups
    • Enable Apple enrollment
    • Enable Google Android enrollment
    • Customize Company Portal

    Enabling MFA

    Security is important, even in a lab. I guess you are used to MFA by now, so let’s enable that for our lab tenant in the simplest way we can. It’s default enabled for your Global Admin account, but we need this for all accounts.

    Depending on which way you got your license, this might or might not be available since it requires premium licenses for Azure AD.

    Since there are a lot of better guides than I can ever write on this, this is how you do it in the most simple way: Enable per-user Multi-Factor Authentication – Azure Active Directory | Microsoft Docs

    Creating a user

    (If you already have users with assigned licenses, you can skip this part)

    Simplest way to create a user is to click on Users in the left side menu and then just click “+ New user” in the top ribbon.

    For this lab purpose, we will fill out the bare minimum which to set a user name, name and location (licenses needs location). Select to auto-generate the password and make sure to save it somewhere (OneNote is usually where I keep my lab information).

    Next step is to assign a license to our new user. The easiset way to do this is to simply click on your newly created user and select “Licenses”.

    Click on “+ Assignments” and then select the appropriate license you want to assign. Don’t forget to press save!

    We now have a user which is allowed to enroll devices into Microsoft Intune!

    Create groups

    For this setup, we will create two groups. One user group and one Windows device group. You can of course create more groups, but to simplify we will start with these two!

    To create a group, select Groups in the left side menu and then click “+ New group” in the ribbon.

    For our user-group, we will keep it simple and set a name and use the “Dynamic User” as Membership type. Please note that this requires you to have a Azure AD P1/P2 license, if your trail does not come with that user “Assigned” as group type instead for the two groups we will create. This means that you will have to add the devices and users manually.

    Next step is to create our rule by clicking “Add dynamic query” at the bottom. We will use a very simple rule which says to add all enabled accounts to the group.

    This isn’t a good rule to use in real life, since we will also add all our admin users to this group. But for the sake of keeping things simple, this is good enough I would say.

    Hit “Save” and then “Create“.

    Next up is our Windows Autopilot group.

    Same steps as previously, but this time select “Dynamic Device” as Membership type.

    Next step is to create our rule by clicking “Add dynamic query” at the bottom. This time we will create a rule which will fetch all our Windows Autopilot devices.

    Instead of manually entering the rules, click edit on the far right and add this string:

    (device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))

    You will see that the property, operator and value is populated once you have added it.

    Hit “Save” and then “Create“.

    We have now created all the users and groups we need to get going but you can of course build on this and create even more groups and users to your liking.

    Enable enrollment

    As default, Windows enrollment is always enabled. For iOS, iPadOS, macOS and Android we will need to add some connectors to enable management.

    Apple devices

    To setup Apple enrollment, we need an Apple ID to request a certificate from Apple. For your lab (if you are the only one using it) you can use the Apple account you already have.

    Select Devices in the left side menu, then select Enroll devices, then Apple enrollment. You will notice that all except one options is grayed out since we are missing the Apple MDM Push certificate which enables all the services

    Select the “Apple MDM Push certificate” option and you will be asked to grant Microsoft permission to send information to Apple by checking the box. Secondly, download the CSR and save it somewhere on your computer.

    Next step is to click the “Create your MDM push certificate” and you will be asked to sign in with your Apple ID to the Apple certificate portal.

    As you can see, I have quite the few certificates from different previous labs (and my current one). Your list will most likely be empty.

    Select “Create a Certificate” and accept the terms of use and on the next page upload the CSR file you downloaded previously. I’m also adding a comment for myself that this is for the Intune for Noobs environment. Then click “Upload“.

    Once the CSR is uploaded, an Apple MDM Push certificate will be issued with an expiration date 1 year into the future. Intune will warn you once you are getting close to the renewal date.

    Download the certificate to your computer and save it, then head back to the Microsoft Intune portal and enter the email adress of your Apple ID on step 4 then upload the certificate you just downloaded. Then click “Upload” and you have successfully enabled management of Apple devices and you can close the flyout with the X in the upper right corner to end up back on the “Enroll devices” page.

    Google Android

    To enable the modern management methods of Android called Android Enterprise, you will need to link a Google account to the Managed Google Play.

    Select “Android Management” in the list and you will notice the same thing here, that all options under Android Enterprise is grayed out except to connect the Managed Google Play.

    Click the “Managed Google Play” option and flyout will appear. Grant Microsoft premissions to send information to Google, then click “Launch Google to connect now“. A pop-up will appear asking you to sign-in to Google. If you don’t have a Google account you want to use, or want to create on for the purpose of this lab you can select to create an account to manage your organization with. Otherwise use an existing Google account.

    Once you have signed in, click “Get started” on the landing page displayed.

    Next step is to add your business name (this could be whatever). I’ve named mine the same as in the Microsoft world.

    On the next step, you are asked to fill out some contact information, you can skip this and just check the box at the end. Then finish the wizard.

    Once done and you have selected to finish the setup, you will be redirected back to Intune, and you will see that the service is active.

    Customize Company Portal

    Last thing we will do is to add some customization to Company Portal but also the sign-in experience (which we will use in Windows Autopilot).

    First off, select “All services” in the left side menu and then select “M365 Azure Active Directory“. A new tab will open and select “Azure Active Directory” in the left side menu. Then navigate to “Company Branding” in the list. Select “Configure” to get started. You can add a lot of custom backgrounds and logos, but for now we will only enable “Show option to remain signed in” at the bottom and click save to keep it super simple. You can come back here later and add your custom things.

    Click save and then close the Azure AD portal and head back to Microsoft Intune.

    In Microsoft Intune, select “Tenant administration” in the left side menu, then navigate to “Customization“. This is where you call add customizations to the Company Portal app, which is the end-user side of Microsoft Intune and the portal where users get applications and information.

    To edit the settings for the portal, click Edit at the top of the page (next to Settings).

    To keep things simple, we will only add the required information to this, but you can come back later and add more.

    I’ll add my company name, and leave the rest of the branding part to default.

    Further down under Configuration I will add a URL to my “Privacy statement”. In this case it’s just the URL to my blog. You need to add something and it’s a good idea to choose something that exists so you can try the link when playing around in the company portal

    Once you have added those two, click “Review + save” and then “Save“.

    Ending notes…

    We have now prepared our Microsoft Intune environment to start doing some real stuff. In the next part we will setup some really simple management of Windows including enrollment through Windows Autopilot.

  • Intune lab for noobs – part 3 // Windows

    This is the third part of the series of building your own Microsoft Intune lab. We will take some shortcuts and do some dirty tricks, just to get going. So please don’t use this as an implementation guide in a real environment. We will also skip a lot of fancy steps as getting a real domain name and having an on-premises AD. But if you already have those in your lab, that’s great!

    Windows management

    As I stated in the previous part, Windows management is enabled by default. However, there is one you will need to enable which is Automatic Enrollment. This requires and Azure AD Premium license which is included in the EMS and M365 Dev setup.

    To enable this, select Devices in the left side menu. Then navigate to Windows, then Windows Enrollment. Select the “Automatic Enrollment” option.

    Make sure to set the “MDM user scope” to All then click save. You can leave everything else set to default.

    That’s about it! We are now ready to start setting things up for your lab!

    Guided scenarios

    As I said, we will take some shortcuts in this tutorial to get you going, therefor we will use the Guided Scenarios found on the landing page of Microsoft Intune (just click Home in the left side menu).

    Click start under “Deploy Windows 10 and later in cloud configuration” and the wizard for setting up a basic Windows Autopilot configuration will kick-off.

    On the first screen, read through the information and then click Next.

    On the Basics tab, leave “Apply device name template” set to default, but add a Resource Name Prefix such as Win10 to help you visually identify that this is for Windows. Then click Next.

    On the Apps tab, leave everything to default, this will install Microsoft Teams and Microsoft Edge, but not the full M365 Apps suite (this can be added later on if needed). Click Next.

    Since we already created a device group, select “Choose an existing group” and add the device group you created earlier. Click Next.

    On the last page you will be able to review your settings under “Configurations to be made“. When you are happy with your options, select “Deploy” and wait for the process to finish.

    You have now taken a real shortcut to get going with basic settings for your Windows devices.

    You can of course build further on this, but as part of this tutorial we will leave it at this.

    Preparing a Windows device

    So next step is to prepare your Windows device for Windows Autopilot. The easiest way to do this to export the Hardware ID using PowerShell. Don’t be alarmed, you don’t need to be a code monkey or script kiddie to run this, it’s rows that you need.

    Depending on what state your device is in, you can either run this from an elevated PowerShell prompt when you are in a Windows session which is up and running. In my example down below, I will run this from a Virtual Machine in Hyper-V during the OOBE setup. To create a Windows 10 VM in Hyper-V, you can follow this guide from Microsoft.

    If you are using Hyper-V, make sure to enable the TPM feature in Settings on the virtual machine. We will need this for Bitlocker.

    Once you reach the start of the OOBE, stop at selecting language.

    Press SHIFT and F10 (you might need FN as well depending on your keyboard) to launch a command prompt. Then type powershell and hit enter to start PowerShell.

    Next, we will run three lines of PowerShell commands. You can find more information about it on Microsoft Docs.

    Install-Script -name Get-WindowsAutopilotInfo -Force
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
    Get-WindowsAutoPilotInfo -Online

    Run the lines in the PowerShell windows. You can copy-paste by going to Clipboard > Type Clipboard text in the Hyper-V session.

    You will be asked to press Y for yes a few times during the process to install the script.

    When you have ran the “Get-WindowsAutoPilotInfo -Online” line, it will install a few modules and then you will be asked to sign in using your Microsoft account. Use the account you have signed into Intune with (it has the required access as Global Admin, but a user with the Intune Admin role will be sufficient in the long run).

    When you run this the first time you will be asked for consent for using this, scroll down and press Accept.

    Once you have accepted, the process of gathering the Hardware ID will start automatically, but don’t close the session until it has finished. This will take up to a few minutes. Once you can confirm that the script has finished successfully, turn of the computer or reset Windows if you are doing this from an already up and running Windows client (you will lose all data).

    Head back over to Microsoft Intune to confirm that the computer was successfully imported by navigating to Devices > Windows > Windows Enrollment and select Devices.

    This is the section where all your imported Windows Autopilot devices will be listed, and you can see if a Deployment profile has been assigned to the device.

    Once the Deployment profile has been a assigned to the device, you will see that the Profile status is set to “Assigned“. This usually takes about 10-15 minutes and you can’t do more than just wait. If you click on the machine you can see some more information, such as what profile is assigned.

    Enroll your device

    Now it’s just the fun part left. Enroll your device!

    Just simply start your computer or virtual machine again and follow in the on-screen instructions. Once you have selected language, keyboard locale and network (if physical device) you will end up on a screen saying, “Welcome to [your company name]” and you will be asked to sign in.

    Sign in using the account we created earlier and just follow the flow. If this is the first time you sign in with this user, you will be asked to setup MFA and change the password.

    The enrollment typically takes between 20-30 minutes depending on how many applications are being assigned. You can follow the progress on the screen. You can expand each section to track progress.

    At one point in the process, you will be asked to sign in again, this is to set the user affinity and configure the “Account setup“.

    Ending notes

    We have now successfully setup an extremely basic Windows configuration that you can play around with. If you go to Devices > Windows > Windows Devices you will see all your enrolled devices and information about them. You can also perform remote actions on them, which I encourage to try!

    Since this is an isolated lab environment, try stuff out. You can’t really break anything and worst-case scenario you will have to re-install the Windows client.

    Play around. Have fun.

    In the next part we will dig into iOS management!

  • Intune lab for noobs – part 4 // iOS

    This is the fourth part of the series of building your own Microsoft Intune lab. We will take some shortcuts and do some dirty tricks, just to get going. So please don’t use this as an implementation guide in a real environment. We will also skip a lot of fancy steps as getting a real domain name and having an on-premises AD. But if you already have those in your lab, that’s great!

    In this part, we will look at iOS management and how to get going! To test this, you will need an iPhone or an iPad which we can enroll. No reset of the device will be needed.

    In the second part of this guide, we configured the Apple MDM Push certificate, which means that we have the basics down for managing iOS, iPadOS and macOS. In this guide we will only look a basic configuration for iOS and iPadOS (it’s the same policies).

    There are two types of profiles and policies we will create one Configuration Profile and one Compliance Policy. We will also add an app to distribute.

    Configuration Profile

    Like always, we are doing everything from the Microsoft Intune portal at endpoint.microsoft.com. Once you have signed in, navigate to Devices > iOS/iPadOS in the left side menu.

    Select “Configuration profile” and then click “+ Create profile“.

    Select “Device restrictions” as Profile type and click Create at the bottom of the page.

    In this example we will create a profile which requires the user to set a PIN for the device. Give the profile a good name, I will call my profile iOS PIN Requirement since its for iOS and the profiles purpose is to require a PIN. Click Next.

    Find and expand the category Password to display all available settings for PIN. Some settings will not be applicable since we will not use Apple Automated Device Enrollment.

    For this lab, we will require a password (or PIN) which has six digits, we will block the use of a simple code (such as 111111 or such) and we will wipe the device after 10 failed attempts. We will also require PIN immediately when device is locked and lock the screen after 5 minutes.

    Since we will not block FaceID or TouchID, this can be used to unlock the device.

    When you have set these settings, click Next.

    The next step is to assign this profile to our users (we will use user-targeting to have the settings follow the user). Find your user-group that we created in the second part and add that as an included group. When you have added the group, click Next.

    Review your settings and click Create.

    We have now successfully created a configuration which will require the user to set a PIN on their device.

    Compliance Policy

    Compliance policies are used to audit if user’s device is following the security messures we have required them to use. We can also notify the user if their device is not compliant.

    Navigate to Device > iOS/iPadOS in the left side menu and find “Compliance policies“. Click “+ Create Policy” and then click Create.

    You will need to give your policy a name, and in this policy, we will only look if PIN requirements are met. It’s a good idea to create one policy per setting category you are looking at to be able to target end-user information better.

    Find and expand the System Security category to display the policy settings for the PIN. For this policy, we want to mimic the settings we set with the configuration profile to verify that the user has set up the PIN according to our requirements.

    Once you have set the settings to the same values as the configuration profile, click Next.

    Next step is to set what actions will happen if the device is not compliant. We will leave the default “Mark as compliant” and add “Send push notification to end user” and set the schedule to 0 days. Click Next.

    We will now assign this to our user group and click Next.

    Review your settings before you click Create.

    We have now created a compliance policy which will audit the end-user to verify that the PIN is set correctly. If the PIN is missing or incorrect, the device will be flagged as non-compliant, and Microsoft Intune will send a push notification to the end-user’s device.

    The compliance value can be used as a condition in a Conditional Access rule.

    Application distribution

    Of course, we need to distribute applications to our device. For this, we will once again utilize the guided scenarios in Microsoft Intune.

    Click on Home in the left side menu and find the “Deploy Edge for mobile” scenario and press Start. If it’s not visible on the landing page, click on “See all >” next to the heading for guided scenarios.

    Read through the initial information and click Next.

    Add a prefix which will be displayed on the application configuration which will be created and click Next.

    Add a Homepage shortcut URL which will be shown as the first link icon on in the Edge application, you can also leave this blank. Then press Next.

    We will once again assign this to our user group before we press Next.

    Review your settings before you click Create on the last page.

    We have now successfully deployed the Microsoft Edge application to both Android and iOS devices.

    You can review the application if you navigate to Apps > All apps, where you can see all applications which has been added to your environment. You can also filter out each platform by selection each platform in the left side menu.

    The application configuration which where created as part of this guided scenario can be found under Apps > App configuration policies.

    Feel free to add additional apps to your environment, easiest is to go to Apps > iOS then select “+ Add” and select “iOS Store app” as App type. Then search for the app that you which to deploy to your devices.

    Search for an application you want to deploy by clicking on “Search the app store” and search for an application. When you have found your application, click Select then leave all information to default and click Next.

    Applications can be setup as either required or available. Required means that it will be automatically installed, available means that the user will see the application in the Company Portal and install it from there. Since our other application is set as required, we will make this available for enrolled devices by targeting the assignment towards our user group. When you have added the group, click Next.

    On the last page, review your settings before you click Create.

    You have now successfully added an second app to your iOS devices.

    Enroll your device!

    Now it’s time to enroll your device by downloading the Company Portal from the Apple AppStore, this will require an Apple ID to download.

    Once you have downloaded the application, open the app and sign in with the user we created earlier.

    You will be prompted that your device is not managed and asked to enroll it.

    Follow the guide through the process.

    Once you have enrolled your device, you will notice that the Microsoft Edge application will be installed and that you will be asked to set a PIN code which meets the requirements set earlier in this part.

    Navigate to Device > iOS/iPadOS and you will see your device listed. Click on the device to show more settings and to perform remote actions such as removing the PIN, retiring the device which will remove the enrollment or completely wipe the device which will perform a factory reset.

    You will also notice that some actions are grayed out since we are not using the Apple Automate Device Enrollment program.

    Ending notes…

    You can add additional Configuration profiles to your device and applications. Feel free to play around a bit with it and see what you can do!

    In the next part, we will setup management for Android.

  • Intune lab for noobs – part 5 // Android

    This is the fifth part of the series of building your own Microsoft Intune lab. We will take some shortcuts and do some dirty tricks, just to get going. So please don’t use this as an implementation guide in a real environment. We will also skip a lot of fancy steps as getting a real domain name and having an on-premises AD. But if you already have those in your lab, that’s great!

    For Android, there are a handfull of ways we can manage these. In this guide, we will configure Microsoft Intune to manage the method called “Personally owned device with work profile” which is the simplest wat to manage Android devices where we only have control over the corporate data, which is separated from the personal data.

    For Android, we will setup the enrollment method, add a configuration profile, a compliance policy and add an application.

    Configure enrollment

    Navigate to Devices > Android and select Android Enrollment. This will list all available enrollment methods for Android.

    For this lab, we will use the “Personally owned device with work profile” which is the simplest and easiest Android management method to get started with (and it doesn’t require you to reset your device to enroll).

    Click on the box “Personally owned device with work profile“.

    As you will see by the message you are presented with, this is enabled by default. This means that we do not need to make any further configurations.

    Configuration profile

    To create a Configuration Profile navigate to Devices > Android and select Configuration profiles in the left side menu.

    Click on “+ Create profile” to create a new profile. As Platform select “Android Enterprise” and as Profile type select “Device Restrictions” under the “Personally Owned Work Profile” section. Then click Create.

    On the first page, give your profile a name and click Next. I use Android as a prefix to indicate that it’s a profile for Android followed by the PIN Requirements to indicate what the profile does.

    Find and expand the category Device password. Here we will add similar settings as we did with iOS/iPadOS which is to use Numeric Complex password type which blocks simple password (such as 111111 and similar) and we will require the PIN to be at least six digits. Facial recognition or fingerprint sensors will be available to use instead of PIN. When you have added these settings, click Next.

    Assign the profile to your user group and press Next.

    On the last page, review your settings and click Create.

    We have now successfully created a configuration profile which will require a PIN to be set on our enrolled devices.

    Compliance Policy

    As with the iOS/iPadOS configuration, we will create a compliance policy which will audit the device to make sure that the PIN requirements are met.

    Navigate to Device > Android and select Compliance policies and click “+ Create policy“. Select “Android Enterprise” as Platform and “Personally owned device with work profile” as Profile type. Then click Create.

    Give your policy a good name and click Next.

    Find and expand the category System Security and configure the password requirements to mimic the configuration profile. Once you have added this, click Next.

    On the next page, we will leave the default action but we will add the option “Send notification to end user” and leave the schedule to the default value 0 and then click Next.

    On the next page, we will add our user group and click Next.

    On the last page, review your settings and then click Create.

    We have now successfully created a compliance policy which will audit if the user has set a PIN which meets our requirements.

    Applications

    In the iOS guide, we used a Guided scenario to deploy Microsoft Edge to bot iOS, iPadOS and Android. This means that the Microsoft Edge appliucation will be automatically installed on the Android devices as well.

    But we need more than one application, hence we will add one more.

    Navigate to Apps > Android and press “+ Add“. Select “Managed Google Play app” as App type and press Select.

    Search for an application you want to add and select Approve on the application.

    Once the application has been approved, press Sync in the upper left corner of the window. This will take you back to the application list.

    Wait a few minutes and then click Refresh on the app list page in order to display your new applications. You will notice that the Assinged status on all new applications are set to “No” which means that no users has been assigned to the applictiaon yet.

    To assign the application to a group to distribute it to your devices, click on the application and select Properties in the left side menu.

    Click on Edit next to Assignments to add a group to distribute this towards. Add your user group to Available for enrolled devices and click Review + save. Then on the review page click save.

    We have now successfully made the application available to all our enrolled Android devices in the Managed Google Play store.

    Enroll your device

    Now its time to enroll your device and in this scenario it requires the device to be rested to factory default.

    On the first page where you are asked to select language, tap five times fast in order to trigger the QR code scanner.

    Go to Devices > Android > Android enrollment and select the profile you created earlier. Click on Token and scan the QR which is displayed.

    Follow the enrollment guide on your screen (this will vary depending on which version of Android you are running).

    Once enrollment is completed, you can find your device if you go to Devices > Android > Android Devices. Click on your device to show more information and perform remote actions such as wipe or removing the PIN if the user has forgotten it.

    Ending notes…

    There are many ways to manage Android, and in this guide, we went through the simplest one. There is also a method called “Corporate-owned devices with work profile” which is the most powerful method, in my honest opinion. this however requires you to reset your device before enrollment. You will also need to create new Configuration profiles and Compliance policies for this method since it operates a bit different.

    I really encourage you to keep playing around with Intune and try out more stuff. We only scratched the surface in this guide, but you have a good foundation to build upon!

  • Get more information on device compliance

    Device compliance is an area which is getting increasingly important and having your devices reporting a “Compliant” status is crucial for Conditional Access to work in a user-friendly way.

    But sometimes you end up with a bunch of devices reporting error on a specific compliance setting. The Intune reporting on Compliance leaves you hanging with either a report on just all your “non-compliant” devices or the count on how many devices have a specific error. Figuring out which devices has a specific error is not an easy task.

    After digging around a bit I stumbled upon this post INTUNE: REPORT ALL DEVICES THAT ARE NON-COMPLIANT BECAUSE THEY ARE INACTIVE – Microsoft Tech Community which explained how to get this data using Graph API. You get a lot of information from this query.

    Since I wasn’t really interested in inactive devices, I needed to tweak the GET query a bit ending up with the following query, since I was looking for devices with a firewall issue.

    https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicySettingStateSummaries/Windows10CompliancePolicy.ActiveFirewallRequired/deviceComplianceSettingStates?$filter=state eq 'nonCompliant'

    If we break down the string a bit you can actually filter this based on the specific compliance setting you want to find.

    1. “https://graph.microsoft.com/v1.0/deviceManagement/” – This is the Graph connection string
    2. “deviceCompliancePolicySettingStateSummaries/” – this defines that we want to look at compliance policy setting state
    3. “Windows10CompliancePolicy” – this is the name of my compliance policy, so this will depend on your naming
    4. “.ActiveFirewallRequired/” – this defines which setting we are looking at
    5. “deviceComplianceSettingStates?$filter=state eq ‘nonCompliant’” – this filters out which state we are looking for. You can change this to “Compliant” to find compliant devices instead

    So, if you want to look at another setting than the firewall as in this example, you simply replace that part in the string with the name of what setting you are looking for. Easiest way to find all the setting names in your tenant is to simply run:

    https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicySettingStateSummaries

    This will list all settings and setting names in your tenant.

    When you have built your own GET string you will be able to pull the data you need and get information about what devices in a simpler way.

    I’m still trying to figure out how to export this in a good way other than the classic copy paste (I’m really bad with PowerShell). Once I figure that out, I’ll post a part two of this! Or if you have a good solution for this, feel free to reuse this or post a link to your solution in the comments!

  • Once you go Mac…

    Once you go Mac…

    I used to be an avid Mac user and major Apple fanboy back in like 2011-2013. Then I joined Microsoft and got to see the other side, the dark side… Somewhere in the hidden corners of the internet, I even have a blog post called “once you go Mac, you never go back” saying I would never use anything else then a Mac.

    Jokes a side. Coming out of a more communications and media technology world from college, Apple and Macs was the best there was. Then the iPhone came along and changed the whole mobile device world.

    I was a Mac user from around 2008 until 2017 even if in the later years I rarely used my personal Mac. Then the Surface Laptop was released and that’s what my personal laptop still is.
    Now that I’m about 10 years older than in 2011 and I have a completely different approach to things. One is not better than the other, it totally depends on who will use it if it’s better or not.

    This post will not cover HOW to configure, more discuss why and what.

    macOS and management

    So, how would you go at this?

    Just like for mobile devices, there are a lot of different tools for managing macOS. As usual, my approach is Microsoft Intune, but for macOS specifically there might be other tools like Jamf Pro which has a lot more features (but also comes with a completely different price tag).

    You know I’m all for making use of what you have and getting the most bang for your buck, so let’s talk about macOS and Microsoft Intune.

    Setting the expectations right

    One thing to keep in mind when it comes to managing macOS. The possibilities are not even close to what you can do on a Windows 10 machine, and what we can control comes down to what APIs Apple allows mobile device management tools to use. Setting up management for macOS and expecting the functionality of a domain joined computer, this is not what you will get.

    The experience is more closely related to how you approach managing mobile device. You put a management layer on top of the experience. There basically three ways to view management of Mac’s:

    • Automated Device Enrollment
    • Device Enrollment
    • User enrolled

    The two first ones are the most common ones while User enrolled is more for BYOD scenarios and gives less functionality and manageability. Both device-based methods are very similar, but the Automate Device Enrollment makes use of the Apple Automated Device Enrollment service, ADE (previously DEP), which will increase the possibilities for management and prohibit the user from removing the enrollment.

    The experience to enroll macOS is more closely related to how you approach managing mobile device. You put a management layer on top of the experience. macOS utilizes what is called “User Approved enrollment” which means that the user must ALLWAYS approve the installation of management profiles, even is automated device enrollment is used. This will add extra steps to the enrollment process compared to mobile or Windows devices where this is automated in a higher degree.

    If you are looking for a more deeply integrated management method, Jamf Pro is more where you need to head, but then we are talking additional licensing.

    What to manage

    Moving on to what you need to manage on the device. This is of course based on your organizational needs, both regarding configurations and security. There are however a few things that might be a good minimum, such as:

    • Wi-Fi settings
    • Encryption and FileVault (macOS equalent to Bitlocker)
    • PIN/Password
    • Endpoint protection
    • Application distribution
    • Compliance settings
    • SSO extension

    There are a lot of more things we could potentially configure, but keeping it to a bare minimum, this is a great start and does not limit us from expanding this down the road.

    One thing to use as a guiding principle is to think about what you NEED to manage and not configure settings just because you can. Is there a need to block let’s say Spotlight suggestions, or could this be useful for the user and resulting in a poorer end-user experience? This is important to keep in mind for all platforms, not only macOS to be honest. Don’t block just because you can, configure based on needs.

    Why manage?

    So why do you want to manage your Mac’s? That is the million-dollar question and something that you need to figure out before even starting. This doesn’t need to be super fancy or technical, just define the goal you have. This might be:

    • Ensure that all devices are secure
    • Get inventory of what devices are used
    • Provide your users with a better experience

    Or you could have more defined demands coming from your organization regarding legal demands or security demands.

    By managing your Mac’s, you will gain a better understanding of what devices are used within your organization and you can ensure that you provide your users with a good and secure platform. By managing the device, you can also provide settings such as Wi-Fi access automatically to the devices without the need for the end-user to know where to find the information. Same would go for applications. You will bring the platform closer to what you know and love when it comes to device management even though the expectations need to be separate from let’s say the Windows platform.

  • What is the difference between a user and a device?

    What is the difference between a user and a device?

    As I’m browsing through the Microsoft Q&A forum for Intune related question, there is one thing that I see which seems to be a quite common misconception. That misconception is the difference between what a user is and what a device is.

    It’s not that people don’t know the physical difference between what a user (a person) and a device (an object) is, it’s in the sense of how they differ in Intune management and the cloud world.

    Let’s try to sort this out, shall we?

    Definitions:
    • User noun – “A person who uses or operates something.”
    • Device noun – “A thing made or adapted for a particular purpose, especially a piece of mechanical or electronic equipment”

    Disclaimer: I’m trying to wright this extremely simple and basically assuming that the term user and device is not known.

    Who is the user?

    The user is the person who in your organization is consuming the services and using devices. Users are usually a 1:1 scenario, but you might also have service users and group users. Behind a user there is in most cases ONE person (the Microsoft license structure kind of assumes this as well).

    In an Intune context, the user is the person who uses the device. The user is in a the most common context tied to a specific device where the user is the primary user and owner of the device.

    A user might have multiple devices such as a computer, a phone, and a tablet.

    An Azure AD user

    What is the device?

    The device is the piece hardware which the services are consumed on. This can be a computer, tablet, or phone. The device must, in an Intune context, run any of the supported operating systems:

    • iOS
    • iPadOS
    • macOS
    • Windows 10
    • Android

    The device usually has one main user and owner, which is the one tied to the device in Intune and Azure AD.

    An Intune enrolled device

    What is the difference and why does it matter?

    But why does this all matter?

    The reason this is important is in how you in Intune would distribute configurations, compliance policies, applications and so on.

    When you distribute any of these in Intune, you get to select whether you want to assign this to users or devices. Without knowing the difference, knowing which option to select is hard.

    However, the item itself is never applied to the user. It is ALWAYS applied to the device. The assignment only decides on what devices to apply the item in question.

    If you assign to a device

    If you assign your e.g. configuration with a device centric approach, this means that the configuration will only follow that device. If the user uses another device, the configuration will not be present on the second device.

    If you assign to a user

    If you assign your e.g. configuration with a user centric approach, this means that the configuration will follow the user. If the user uses another device, the configuration will apply also to that device (given it’s applicable for the device type).

    The key take away

    It pretty much defines how your configurations, policies and applications are distributed and utilized.

    The conclusion of this is that, depending on what scenario you want to fulfill, you might have to assign things in different ways. There are also a few things that might make more sense in distributing in one way or another.

    One thing that is important to keep in mind around applications is however the fun topic of licensing. Depending on how you have licensed an application, you might have to distribute in a certain way. So that is something that is important to think about when purchasing applications.