Microsoft has been working with the iOS ecosystem and continues to work with Apple to provide the best possible platform for users and enterprises to work hand in hand. Microsoft has ensured their flagship products are available through the Apple Store as shown below
With Microsoft Intune we have 4 methods of deployment;
iOS App Protection Policies (APP) Managed
This solution is targeted for BYOD devices that are not enrolled but access corporate data from the approved corporate apps, for example; Outlook, Word and Excel. App Protection Policies are placed on the applications that are accessing corporate data to ensure the security requirements are met.
User Enrollment has been designed with the BYOD user in mind, this enrollment allows administrators enforce Password Restrictions, restrict viewing non-corporate documents in corporate apps, restrict viewing corporate documents in unmanaged apps, require encrypted backup and automatically removed apps if the device is unenrolled.
Device Enrollment
Device enrollment is user-initiated through the company portal and is the most common method of enrolling corporate devices. This option provides the largest range of MDM capabilities available within Microsoft Endpoint Manager.
Automated Device Enrollment
Automated device enrollment is designed for corporate-owned devices synced to Microsoft Endpoint Manager via Apple Business Manager. This enrolled provides supervised-mode MDM capabilities, Secure Kiosk, Classroom device and Lock management to a device.
Microsoft has heavily invested in the Android ecosystem and continues to work with Google to provide the best possible platforms for users and enterprises to work hand in hand. Microsoft has ensured their flagship products are available through the Google Play Store as shown below
With Microsoft Intune we have 4 methods of deployment;
Andriod App Protection Policies (APP) Managed
This solution is targeted for BYOD devices that are not enrolled but access corporate data from the approved corporate apps, for example; Outlook, Word and Excel. App Protection Policies are placed on the applications that are accessing corporate data to ensure the security requirements are met.
This solution is targeted for BYOD devices that are enrolled to define a clear boundary between personal and corporate data. As all corporate data is stored within its own encrypted container whereby settings can be defined to control cross-profile contacts, sharing app push, certificate deployment, resource access configuration. This is the most common approach for handling BYOD devices within businesses around the globe.
This solution is targeted for corporate-owned devices that are designed for a particular task. The easy way to describe this would be;
The Android device(s) are owned by an event management company, they loan out the devices to Exhibitors for lead retrieval. As they only need to access one application the device(s) are locked down to this single app. This solution provides a highly configurable home screen experience with “Managed Home Screen” app and following new capabilities have been launched by Microsoft
SCEP certificate-based Wi-Fi (November release)
System app support
Home screen branding customization
Wi-Fi and Bluetooth user controls
Kiosk drop-out code
Android Enterprise Fully Managed
This solution is targeted for corporate-owned devices which will be completely managed by the organization but used by one of their members of staff. This scenario provides a fully secure corporate device that the user is unable to tamper with or modify. The Google Play Store is locked down to only applications approved by the organization, this is my personal preference for only corporate devices.
Coming in 2020: Fully Managed with Work Profile
Expected this year, once more information is available. I will be doing into detail about how to leverage a fully managed with work profile 🙂
One of my pet hates when receiving a new laptop or device is reinstalling all the common modules that I use to complete my work. So in good old Blogabout.Cloud fashion I have created a script that installs the following
Azure
AzureAD
Microsoft Teams
MSOnline
SharePoint Online
CloudConnect
ORCA
This script will also check if the module installed and if a newer version is available within the PSGallery. I have made this script available on GitHub for your downloading pleasure;
The ORCA module is your friend when it comes to reporting on the configuration of ATP. This module makes recommendations on where improvements can be made. So how does it work?
Well I have made this process as simple as it gets
– Download PowerShell Script – Run PowerShell Script – Open HTML page
Done
I have made the script intelligent to check for module updates to ensure you are running the latest and greatest.
Head over to my GitHub repo to download the script today 🙂
Delivering your corporate applications can be a nightmare if you dont have a enterprise delivery solution like System Center or 3rd party mechanism.
So let’s see how Azure Blob Storage and Microsoft Intune can address this issue by using a storage location and PowerShell script.
Azure Storage Account
One of the requirements for this solution is an Azure Storage Account within your Azure subscription, this account will be used for storing the applications which you would like to roll out to your Windows 10 desktops that are managed using Microsoft Intune.
Storage Account
Specify the required settings within the Basic tab for creating a Storage Account.
Basic Properties
Using the default settings as shown below
Advanced Properties
Click Review and Create Click Create
Configuring Storage Account with required Applications
Click Container Specify the Name Select Conditioner (anonymous read access for containers and blobs) under Public Access Level
Blob – Container
Select your container Select Upload Select the files you want to upload Modify the block size if it’s less than the size of the files you are uploading Select Upload
Once the files are upload they all have a unique url which is used to identify the file as shown below.
The PowerShell Script!!!
I have created a PowerShell script that is available on GitHub and should be self-explanatory.
Step 1 – Download all the required files into C:\_Build Step 2 – Run installer files Step 3 – Run additional Powershell scripts (Optional) Step 4 – Remove C:\_Build Step 5 – Create RegKeys (Optional)
Did you know that you could prevent unauthorized access to your Microsoft Cloud applications with Conditional Access? When speaking with a customer recently I had been asked is it possible to prevent external access to their Cloud apps and the answer to that is yes. The customer didn’t want their staff accessing corporate data from their home laptops/desktops so in order to action this we will now switch over to the Microsoft Endpoint Manager Admin Portal.
Click Endpoint security –> Conditional accessNew PolicyProvide name to the Conditional Access PolicySelect All UsersExcluding the Global Admins to the tenant security group, we dont want to chop off our legs now Select All cloud appsConditions –> Client apps –> BrowserGrant –> Block access
Now enable the policy 🙂 and as you can see from below you users is now prevented from login into the Office portal from an internet browser.
Its was announced a while back that Microsoft will be switching off Skype for Business Online in July 2021, which gives their customers time to look at the options for migrating to Microsoft Teams. In my own organization my approach was “Microsoft Teams Roadshow” where I demonstrated to the back office staff the power of Microsoft Teams then moved them to Teams Only. At Microsoft Ignite 2019 it has been announced of 2 new modes which Teams Administrators can implement within their businesses.
Adoption is the biggest challenge for any organization, so let’s look at the options available.
Skype for Business with Teams Collaboration
This allows users to still use Skype for Business for chats, calls and schedule meeting but they can use Teams for group collaboration.
Skype for Business with Teams collaboration and meetings
This allows users to still use Skype for Business for chats and calls but all meetings and group collaboration are undertaken within Teams.
Islands Mode
This allows users to use both Skype for Business and Teams features if you want to adopt usage in this approach.
In recent times I have started to become a bit of an “expert, well I will use that word loosely” for Windows 10. Hybrid Azure AD Join is becoming a very popular option for a lot of the clients that I am currently working with and pops up all the time in discussions about “Modern Management” of Windows 10. I have experienced a few highs and lows when implementing Hybrid Azure AD Join and want to share that knowledge I have gain over the past 6 months.
What is Hybrid Azure AD Join?
Hybrid Azure AD Join is where your Windows 10 device is connected to your local Active Directory Domain and synchronized using Azure Active Directory Connect (AADC) to Azure AD.
Why would you do this?
This enables you to manage your Windows 10 devices from Microsoft Intune and leverage the offers from the cloud. Most organizations today have the required Microsoft subscriptions to implement Microsoft Intune but are unaware of how to start their journey.
What do I need for Hybrid Azure AD Join in a Managed Domain?
Azure Active Directory Connect version 1.1.819 or greater
Devices must be able to connect to the following URLs
https://enterpriseregisteration.windows.net
https://login.microsoftonline.com
https://device.login.microsoftonline.com
https://autologon.microsoftazuread-sso.com
All Computer Objects from your on-premises Active Directory must be within the sync scope
Service Connection point (SCP) is created for device registration (Completed via running AADC)
Implementing Hybrid Join for your organization
We are now going to run through the steps required to gear up your environment for Hybrid Join, first of all we are going to create the SCP using AADC. When you launch AADC you see “Configure device options”, select this option and proceed
Configure device options
In this section you will receive the following Overview of what can be configured and in this case, we are looking at Hybrid Azure AD Join only.
Hybrid Azure AD Join enables devices in your Active Directory forest to register with Azure AD for access management. Computers in your organization will automatically discover Azure AD using a service connection point (SCP) object that is created in your Active Directory Forest.
Device writeback is a prerequisite for enabling on-premises conditional access using AD FS and Windows Hello for Business. Device writeback synchronizes all devices registered in Azure AD back to on-premises. The device are synchronized to a device container that is created in your Active Directory forest.
Important Note
Device writeback requires the Active Directory Schema version to be Windows 2012 R2 (level 69) or higher
Connect to Azure ADConfigure Hybrid Azure AD Join and proceedTick “Windows 10 or later domain-joined devices.” It is worth remembering that your Windows 10 devices need to be synchronized and ProceedTick your Forest Select Azure Active Directory Click Add Enter your Enterprise Admin CredentialsProceedConfigure and this completes this task
You can confirm that the SCP has been created by launching ADSI Edit and browse to the location displayed below.
Now we have configured Active Directory we need to create a new GPO that configures the Windows 10 device to AutoEnroll into Azure AD. First of all we need the correct GPO templates installed in your SYSVOL, these templates can be download by the below URL.
Once you have installed the required GPOs to your primary domain controller you’ll be able to “Enable automatic MBM enrollment using default Azure AD”
Computer Configuration –> Policies –> Administrative Templates –> Windows Components –> MDMEnable Policy and select Device Credential, User Credential is a legacy option but its recommended to use Device.
Once this policy enabled and linked to the OU where your computers are located, they will become Hybrid Azure AD Joined.
I have been recently working with a customer where we was experiencing issues with connectivity to relevant Microsoft urls. While looking at potential solutions I came across a PowerShell script which tested for the following URLs
The following post contains the new features and updated features from November 2019. This post enables you to quickly glance at the Microsoft Teams Roadmap based on the latest information provided by Microsoft.
