iOS deployment scenarios with Microsoft Endpoint Manager


Microsoft has been working with the iOS ecosystem and continues to work with Apple to provide the best possible platform for users and enterprises to work hand in hand. Microsoft has ensured their flagship products are available through the Apple App Store, as shown below.

With Microsoft Intune we have 4 methods of deployment;

iOS App Protection Policies (APP) Managed

This solution is targeted for BYOD devices that are not enrolled but access corporate data from the approved corporate apps, for example; Outlook, Word and Excel. App Protection Policies are placed on the applications that are accessing corporate data to ensure the security requirements are met.

More information can be found via the following url about App Protection Policies. https://docs.microsoft.com/en-us/intune/apps/app-protection-policy

User Enrollment

User Enrollment has been designed with the BYOD user in mind. This enrollment allows administrators to enforce password restrictions, restrict viewing non-corporate documents in corporate apps, restrict viewing corporate documents in unmanaged apps, require encrypted backups and automatically remove corporate apps if the device is unenrolled.

Device Enrollment

Device enrollment is user-initiated through the company portal and is the most common method of enrolling corporate devices. This option provides the largest range of MDM capabilities available within Microsoft Endpoint Manager.

Automated Device Enrollment

Automated device enrollment is designed for corporate-owned devices synced to Microsoft Endpoint Manager via Apple Business Manager. This enrollment provides supervised-mode MDM capabilities, Secure Kiosk, Classroom device and lock management for a device.

Regards,
The Author – Blogabout.Cloud

Android deployment scenarios with Microsoft Endpoint Manager


Microsoft has heavily invested in the Android ecosystem and continues to work with Google to provide the best possible platforms for users and enterprises to work hand in hand. Microsoft has ensured their flagship products are available through the Google Play Store, as shown below.

With Microsoft Intune we have 4 methods of deployment;

Android App Protection Policies (APP) Managed

This solution is targeted for BYOD devices that are not enrolled but access corporate data from the approved corporate apps, for example; Outlook, Word and Excel. App Protection Policies are placed on the applications that are accessing corporate data to ensure the security requirements are met.

More information can be found via the following url about App Protection Policies. https://docs.microsoft.com/en-us/intune/apps/app-protection-policy

Android Enterprise Work Profile

This solution is targeted for BYOD devices that are enrolled in order to define a clear boundary between personal and corporate data. All corporate data is stored within its own encrypted container (the work profile), and settings can be defined to control cross-profile contacts, app push and sharing, certificate deployment and resource access configuration. This is the most common approach for handling BYOD devices within businesses around the globe.

More information about enrollment for Work Profile can be found via the following url https://docs.microsoft.com/en-us/intune/enrollment/android-work-profile-enroll

Android Enterprise dedicated (kiosk)

This solution is targeted for corporate-owned devices that are designed for a particular task. The easy way to describe this would be;

The Android device(s) are owned by an event management company that loans them out to exhibitors for lead retrieval. As the exhibitors only need a single application, the device(s) are locked down to that one app. This solution provides a highly configurable home screen experience with the “Managed Home Screen” app, and the following new capabilities have been launched by Microsoft:

  • SCEP certificate-based Wi-Fi (November release)
  • System app support
  • Home screen branding customization
  • Wi-Fi and Bluetooth user controls
  • Kiosk drop-out code

Android Enterprise Fully Managed

This solution is targeted for corporate-owned devices which will be completely managed by the organization but used by one of their members of staff. This scenario provides a fully secure corporate device that the user is unable to tamper with or modify. The Google Play Store is locked down to only applications approved by the organization, this is my personal preference for only corporate devices.

Coming in 2020: Fully Managed with Work Profile

Expected this year. Once more information is available, I will go into detail about how to leverage Fully Managed with Work Profile 🙂

Regards,
The Author – Blogabout.Cloud

Common PowerShell modules used by IT Pros within the Office 365 space


One of my pet hates when receiving a new laptop or device is reinstalling all the common modules that I use to complete my work. So in good old Blogabout.Cloud fashion I have created a script that installs the following

  • Azure
  • AzureAD
  • Microsoft Teams
  • MSOnline
  • SharePoint Online
  • CloudConnect
  • ORCA

This script will also check whether each module is installed and whether a newer version is available in the PSGallery. I have made this script available on GitHub for your downloading pleasure;

https://github.com/TheWatcherNode/blogaboutcloud/blob/master/Get-CommonModules.ps1

Regards
The Author – Blogabout.Cloud

Office 365 ATP Recommended Configuration Analyzer Report


The ORCA module is your friend when it comes to reporting on the configuration of ATP. This module makes recommendations on where improvements can be made. So how does it work?

Well I have made this process as simple as it gets

– Download PowerShell Script
– Run PowerShell Script
– Open HTML page

Done

I have made the script intelligent to check for module updates to ensure you are running the latest and greatest.

Head over to my GitHub repo to download the script today 🙂

https://github.com/TheWatcherNode/blogaboutcloud/blob/master/Get-ATPReport.ps1
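The two scripts above (Get-CommonModules.ps1 and Get-ATPReport.ps1) share the same core idea: check what is installed, compare it with the PSGallery, install or update, and then (for ORCA) generate the report. The following is an added example written for this page and is not either of the repo's scripts. The PSGallery module names are my mapping of the post's list ("Azure" is taken to be the Az module; swap in AzureRM if that is what you still run), and Get-ORCAReport is the cmdlet the ORCA module ships.

```powershell
# Added example, not the scripts from the Blogabout.Cloud GitHub repo.
# Keeps a set of PSGallery modules installed and current, then runs the ORCA report.
# Assumption: the gallery names below are my mapping of the post's module list.
$Modules = @(
    'Az',                                      # "Azure" in the post
    'AzureAD',
    'MicrosoftTeams',
    'MSOnline',
    'Microsoft.Online.SharePoint.PowerShell',  # SharePoint Online
    'CloudConnect',
    'ORCA'
)

function Update-CommonModule {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Name)

    # Highest version already present on this machine ($null if not installed)
    $installed = Get-Module -ListAvailable -Name $Name |
        Sort-Object Version -Descending | Select-Object -First 1

    # Latest version published in the PSGallery
    $gallery = Find-Module -Name $Name -Repository PSGallery -ErrorAction Stop

    if (-not $installed) {
        Write-Host "$Name not found, installing $($gallery.Version)"
        Install-Module -Name $Name -Repository PSGallery -Scope CurrentUser -Force
    }
    elseif ($gallery.Version -gt $installed.Version) {
        Write-Host "$Name $($installed.Version) -> $($gallery.Version)"
        # Update-Module only works for modules that were installed with Install-Module;
        # anything else lands in the catch block below.
        Update-Module -Name $Name -Force
    }
    else {
        Write-Host "$Name $($installed.Version) is current"
    }
}

foreach ($m in $Modules) {
    try   { Update-CommonModule -Name $m }
    catch { Write-Warning "$m : $($_.Exception.Message)" }
}

# ORCA: Get-ORCAReport connects to Exchange Online (it prompts for credentials)
# and produces the HTML report the post refers to.
Import-Module ORCA
Get-ORCAReport
```

Running this from an elevated session is not required because the install scope is CurrentUser; the try/catch keeps one module that fails to resolve in the gallery from stopping the rest of the list.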

Regards,
The Author – Blogabout.Cloud

Delivering your applications to Windows 10 Clients using Azure Blob Storage and Intune


Delivering your corporate applications can be a nightmare if you don't have an enterprise delivery solution like System Center or a 3rd party mechanism.

So let’s see how Azure Blob Storage and Microsoft Intune can address this issue by using a storage location and PowerShell script.

Azure Storage Account

One of the requirements for this solution is an Azure Storage Account within your Azure subscription, this account will be used for storing the applications which you would like to roll out to your Windows 10 desktops that are managed using Microsoft Intune.

Storage Account

Specify the required settings within the Basic tab for creating a Storage Account.

Basic Properties

Using the default settings as shown below

Advanced Properties

Click Review and Create
Click Create

Configuring Storage Account with required Applications

Click Container
Specify the Name
Select Container (anonymous read access for containers and blobs) under Public Access Level

Blob – Container

Select your container
Select Upload
Select the files you want to upload
Modify the block size if it’s less than the size of the files you are uploading
Select Upload

Once the files are uploaded they each have a unique URL which is used to identify the file, as shown below.

The PowerShell Script!!!

I have created a PowerShell script that is available on GitHub and should be self-explanatory.

Step 1 – Download all the required files into C:\_Build
Step 2 – Run installer files
Step 3 – Run additional Powershell scripts (Optional)
Step 4 – Remove C:\_Build
Step 5 – Create RegKeys (Optional)

https://github.com/TheWatcherNode/blogaboutcloud/blob/master/Get-AppsfromBlobStorage.ps1
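The five steps above, as an added example that is not the Get-AppsfromBlobStorage.ps1 script from the repo. Because the container was created with anonymous read access, the one check I have added beyond the steps listed is a SHA256 comparison after each download, so the script only executes the bytes you actually uploaded. The storage account, container, file names, hashes, installer switches and the registry key are all placeholders to replace with your own values.

```powershell
# Added example, not the Get-AppsfromBlobStorage.ps1 script from the repo.
# Assumptions: every <...> value is a placeholder for your own storage account,
# files, SHA256 hashes and silent-install switches; the registry key is illustrative.
$BuildRoot = 'C:\_Build'

# One entry per package: public blob URL, expected SHA256 and silent-install arguments.
$Packages = @(
    @{ Url = 'https://<storageaccount>.blob.core.windows.net/<container>/App1Setup.exe'
       Sha256 = '<sha256-of-App1Setup.exe>'; Args = '/S' },
    @{ Url = 'https://<storageaccount>.blob.core.windows.net/<container>/App2.msi'
       Sha256 = '<sha256-of-App2.msi>';      Args = $null }   # MSI goes through msiexec
)
$PostScripts = @(   # Step 3 (optional)
    @{ Url = 'https://<storageaccount>.blob.core.windows.net/<container>/Post-Config.ps1'
       Sha256 = '<sha256-of-Post-Config.ps1>' }
)
$MarkerKey = 'HKLM:\SOFTWARE\Blogabout\AppDeploy'   # Step 5 (optional), illustrative name

function Get-VerifiedBlob {
    param([string]$Url, [string]$Sha256, [string]$Destination)
    $file = Join-Path $Destination ([System.Uri]$Url).Segments[-1]
    Invoke-WebRequest -Uri $Url -OutFile $file -UseBasicParsing
    # Anonymous containers are world-readable; the hash ties the download to your upload.
    $actual = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    if ($actual -ne $Sha256.ToUpper()) {
        Remove-Item $file -Force
        throw "Hash mismatch for $Url (got $actual)"
    }
    return $file
}

# Step 1: download everything into C:\_Build
New-Item -ItemType Directory -Path $BuildRoot -Force | Out-Null
try {
    foreach ($p in $Packages) {
        $p.Path = Get-VerifiedBlob -Url $p.Url -Sha256 $p.Sha256 -Destination $BuildRoot
    }

    # Step 2: run the installers silently; 0 = success, 3010 = success, reboot required
    foreach ($p in $Packages) {
        if ($p.Path -like '*.msi') {
            $proc = Start-Process msiexec.exe -ArgumentList "/i `"$($p.Path)`" /qn /norestart" -Wait -PassThru
        } else {
            $proc = Start-Process $p.Path -ArgumentList $p.Args -Wait -PassThru
        }
        if ($proc.ExitCode -notin 0, 3010) { throw "$($p.Path) exited with $($proc.ExitCode)" }
    }

    # Step 3 (optional): additional PowerShell scripts, verified the same way before running
    foreach ($s in $PostScripts) {
        $script = Get-VerifiedBlob -Url $s.Url -Sha256 $s.Sha256 -Destination $BuildRoot
        & $script
    }

    # Step 5 (optional): registry marker so a detection rule or rerun can tell the build completed
    New-Item -Path $MarkerKey -Force | Out-Null
    Set-ItemProperty -Path $MarkerKey -Name 'Completed' -Value (Get-Date -Format o)
}
finally {
    # Step 4: remove C:\_Build, also when an earlier step threw
    Remove-Item $BuildRoot -Recurse -Force -ErrorAction SilentlyContinue
}
```

When published through Intune as a PowerShell script it runs as SYSTEM in 64-bit context by default, which is why the marker is written under HKLM rather than HKCU; a mismatched hash or a non-zero installer exit code makes the script fail, so the failure is visible in the Intune script status rather than silently leaving a half-built device.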

Publish script via Intune

If you are having issues with the script not executing, please visit this URL to ensure you have met all the Microsoft pre-requisites.

https://docs.microsoft.com/en-us/intune/apps/intune-management-extension

Regards
The Author – Blogabout.Cloud

Preventing unauthorized external access from home to your Microsoft Cloud applications with Conditional Access


Did you know that you could prevent unauthorized access to your Microsoft Cloud applications with Conditional Access? When speaking with a customer recently I had been asked is it possible to prevent external access to their Cloud apps and the answer to that is yes. The customer didn’t want their staff accessing corporate data from their home laptops/desktops so in order to action this we will now switch over to the Microsoft Endpoint Manager Admin Portal.

https://devicemanagement.microsoft.com

Click Endpoint security –> Conditional access
New Policy
Provide name to the Conditional Access Policy
Select All Users
Exclude the tenant's Global Admins security group; we don't want to chop off our own legs now
Select All cloud apps
Conditions –> Client apps –> Browser
Grant –> Block access

Now enable the policy 🙂 and, as you can see from below, your users are now prevented from logging into the Office portal from an internet browser.
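The same policy built through the Microsoft Graph PowerShell SDK rather than the portal, as an added example (not part of the original post). It assumes the Microsoft.Graph module and the object ID of your Global Admins exclusion group. It is created in report-only state first so the sign-in logs show who would have been blocked, and a second call switches it on. Note that the "Browser" client-app condition on its own applies from every network, the office included; the commented-out locations block shows how a trusted named location would be exempted if the intent is only to stop access from home.

```powershell
# Added example, not from the post. Assumes the Microsoft.Graph module and that
# <global-admins-group-object-id> is replaced with the exclusion group's object ID.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policy = @{
    displayName = 'Block browser access to cloud apps'
    # Report-only first: sign-in logs show the would-be blocks without locking anyone out
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @('<global-admins-group-object-id>')   # the "don't chop off our legs" exclusion
        }
        applications   = @{ includeApplications = @('All') }       # All cloud apps
        clientAppTypes = @('browser')                              # Conditions -> Client apps -> Browser
        # Optional, beyond the post's steps: only apply outside trusted named locations
        # locations = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }   # Grant -> Block access
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# After reviewing report-only results, enforce it
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id | Select-Object DisplayName, State
```

Keep at least one emergency-access (break-glass) account in the excluded group, and test the policy with a non-admin account in a private browser window before removing the report-only state.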

Regards
The Author – Blogabout.Cloud

Migrating from Skype for Business Online to Microsoft Teams at your pace, provided it's done before July 2021 o'course


It was announced a while back that Microsoft will be switching off Skype for Business Online in July 2021, which gives their customers time to look at the options for migrating to Microsoft Teams. In my own organization my approach was a “Microsoft Teams Roadshow”, where I demonstrated to the back office staff the power of Microsoft Teams and then moved them to Teams Only. At Microsoft Ignite 2019, two new modes were announced which Teams Administrators can implement within their businesses.

Adoption is the biggest challenge for any organization, so let’s look at the options available.

Skype for Business with Teams Collaboration

This allows users to still use Skype for Business for chats, calls and schedule meeting but they can use Teams for group collaboration.

Skype for Business with Teams collaboration and meetings

This allows users to still use Skype for Business for chats and calls but all meetings and group collaboration are undertaken within Teams.

Islands Mode

This allows users to use both Skype for Business and Teams features if you want to adopt usage in this approach.

Regards
The Author – Blogabout.Cloud
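The coexistence modes described above are assigned per user with the TeamsUpgradePolicy. As an added example (not from the post), the function below moves one wave of users from a CSV to the chosen mode and then reads back the effective mode so you can confirm the change applied. It assumes the MicrosoftTeams module and a CSV with a UserPrincipalName column; the policy names are the built-in instances Microsoft ships.

```powershell
# Added example, not from the post. Assumes the MicrosoftTeams module and a CSV
# with a UserPrincipalName column listing the users in this migration wave.
Connect-MicrosoftTeams

function Move-TeamsWave {
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        # Built-in TeamsUpgradePolicy instances matching the modes in the post
        [Parameter(Mandatory)]
        [ValidateSet('Islands', 'SfBWithTeamsCollab', 'SfBWithTeamsCollabAndMeetings', 'TeamsOnly')]
        [string]$Mode
    )
    $users = Import-Csv -Path $CsvPath

    foreach ($u in $users) {
        $grant = @{ Identity = $u.UserPrincipalName; PolicyName = $Mode }
        # Meetings move to Teams in the two modes that take meetings away from Skype for Business,
        # so ask for existing meeting migration in those cases.
        if ($Mode -in 'SfBWithTeamsCollabAndMeetings', 'TeamsOnly') {
            $grant.MigrateMeetingsToTeams = $true
        }
        Grant-CsTeamsUpgradePolicy @grant
    }

    # Read back the effective mode per user so the change can be verified
    foreach ($u in $users) {
        $cu = Get-CsOnlineUser -Identity $u.UserPrincipalName
        [pscustomobject]@{
            User          = $u.UserPrincipalName
            EffectiveMode = $cu.TeamsUpgradeEffectiveMode
        }
    }
}

# Example wave: back-office pilot group goes to "Skype for Business with Teams collaboration" first
Move-TeamsWave -CsvPath 'C:\Migration\wave1.csv' -Mode SfBWithTeamsCollab | Format-Table -AutoSize
```

Running the same function later with -Mode TeamsOnly completes the move for that wave; because each call reads back TeamsUpgradeEffectiveMode, a user still reporting Islands after the grant stands out immediately.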

Understanding Hybrid Azure AD Join for Windows 10 devices


In recent times I have started to become a bit of an “expert, well I will use that word loosely” for Windows 10. Hybrid Azure AD Join is becoming a very popular option for a lot of the clients that I am currently working with and pops up all the time in discussions about “Modern Management” of Windows 10. I have experienced a few highs and lows when implementing Hybrid Azure AD Join and want to share that knowledge I have gain over the past 6 months.

What is Hybrid Azure AD Join?

Hybrid Azure AD Join is where your Windows 10 device is connected to your local Active Directory Domain and synchronized using Azure Active Directory Connect (AADC) to Azure AD.

Why would you do this?

This enables you to manage your Windows 10 devices from Microsoft Intune and leverage the offers from the cloud. Most organizations today have the required Microsoft subscriptions to implement Microsoft Intune but are unaware of how to start their journey.

What do I need for Hybrid Azure AD Join in a Managed Domain?

  • Azure Active Directory Connect version 1.1.819 or greater
  • Devices must be able to connect to the following URLs
    • https://enterpriseregistration.windows.net
    • https://login.microsoftonline.com
    • https://device.login.microsoftonline.com
    • https://autologon.microsoftazuread-sso.com
  • All Computer Objects from your on-premises Active Directory must be within the sync scope
  • Service Connection point (SCP) is created for device registration (Completed via running AADC)

Implementing Hybrid Join for your organization

We are now going to run through the steps required to gear up your environment for Hybrid Join, first of all we are going to create the SCP using AADC. When you launch AADC you see “Configure device options”, select this option and proceed

Configure device options

In this section you will receive the following Overview of what can be configured and in this case, we are looking at Hybrid Azure AD Join only.

Hybrid Azure AD Join enables devices in your Active Directory forest to register with Azure AD for access management. Computers in your organization will automatically discover Azure AD using a service connection point (SCP) object that is created in your Active Directory Forest.

Device writeback is a prerequisite for enabling on-premises conditional access using AD FS and Windows Hello for Business. Device writeback synchronizes all devices registered in Azure AD back to on-premises. The devices are synchronized to a device container that is created in your Active Directory forest.

Important Note

Device writeback requires the Active Directory Schema version to be Windows 2012 R2 (level 69) or higher
Connect to Azure AD
Configure Hybrid Azure AD Join and proceed
Tick “Windows 10 or later domain-joined devices.” It is worth remembering that your Windows 10 devices need to be synchronized and Proceed
Tick your Forest
Select Azure Active Directory
Click Add
Enter your Enterprise Admin Credentials
Proceed
Configure and this completes this task

You can confirm that the SCP has been created by launching ADSI Edit and browse to the location displayed below.

Now we have configured Active Directory we need to create a new GPO that configures the Windows 10 device to AutoEnroll into Azure AD. First of all we need the correct GPO templates installed in your SYSVOL, these templates can be download by the below URL.

https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy#configure-the-auto-enrollment-for-a-group-of-devices

Once you have installed the required GPO templates on your primary domain controller you'll be able to “Enable automatic MDM enrollment using default Azure AD credentials”

Computer Configuration –> Policies –> Administrative Templates –> Windows Components –> MDM
Enable the policy and select Device Credential; User Credential is a legacy option and it's recommended to use Device.

Once this policy enabled and linked to the OU where your computers are located, they will become Hybrid Azure AD Joined.
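Two things are worth verifying once the SCP and GPO are in place: that the client actually reports itself as domain joined and Azure AD joined, and that the SCP the client will discover really exists in the configuration partition. The following is an added example (not from the post) that parses dsregcmd /status into a hashtable and reads the SCP's keywords over ADSI. The SCP object name used is the well-known GUID Microsoft documents under the Device Registration Configuration container; treat it as an assumption and compare it with what you see in ADSI Edit.

```powershell
# Added example, not from the post. Run on a domain-joined Windows 10 client.
# Assumption: the SCP object name is the well-known GUID documented by Microsoft.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines; collect them into a hashtable
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        # Non-greedy key so values containing colons (URLs) are kept intact
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*)$') {
            $status[$matches[1]] = $matches[2].Trim()
        }
    }
    return $status
}

function Test-HybridJoinScp {
    # Keywords on the SCP carry azureADName:<tenant domain> and azureADId:<tenant id>
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.configurationNamingContext
    $scpPath  = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNc"
    try {
        $scp = [ADSI]$scpPath
        return [pscustomobject]@{ Found = $true; Keywords = @($scp.keywords) }
    }
    catch {
        return [pscustomobject]@{ Found = $false; Keywords = @() }
    }
}

$s = Get-DsregStatus
[pscustomobject]@{
    DomainJoined  = $s['DomainJoined']    # expected YES
    AzureAdJoined = $s['AzureAdJoined']   # expected YES once hybrid join completes
    TenantName    = $s['TenantName']
    DeviceId      = $s['DeviceId']
    MdmUrl        = $s['MdmUrl']          # populated when the MDM auto-enrollment policy has applied
}
Test-HybridJoinScp
```

A client showing DomainJoined YES but AzureAdJoined NO usually means the SCP is missing, the computer object is outside the AADC sync scope, or one of the registration URLs is unreachable; an empty MdmUrl with AzureAdJoined YES points at the GPO rather than the join.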

Gotchas !!!

This Microsoft link is your friend if you encounter any issues with Windows Enrollment Errors
https://docs.microsoft.com/en-us/intune/enrollment/troubleshoot-windows-enrollment-errors

You can also follow the official Microsoft documentation
https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains

Regards
The Author – Blogabout.Cloud

Testing Device Registration Connectivity for Microsoft Intune


I have recently been working with a customer where we were experiencing issues with connectivity to the relevant Microsoft URLs. While looking at potential solutions I came across a PowerShell script which tested for the following URLs

login.microsoftonline.com
device.login.microsoftonline.com
enterpriseregistration.windows.net

However this script didn't take into account “Single Sign On” and its required URL.
autologon.microsoftazuread-sso.com

I have made the necessary modifications which now allow it to test autologon.microsoftazuread-sso.com, as shown above.

Download the script

Test-DeviceRegConnectivity

Regards
The Author – Blogabout.Cloud

Microsoft Teams Roadmap Announcements for November 2019


The following post contains the new features and updated features from November 2019. This post enables you to quickly glance at the Microsoft Teams Roadmap based on the latest information provided by Microsoft.

New Features

New Feature | Current Status
Teams Sharing Integration with OneDrive | In Development
Pending teams | In Development
Microsoft Whiteboard integration in Microsoft Teams | In Development
Sensitivity labels for Teams, Office 365 Groups, and SharePoint Sites (public preview) | In Development
SharePoint and Teams – pages and lists improvements | Launched
SharePoint – OneDrive – Teams – file upload limit up to 50GB | In Development
Microsoft Teams – “Colleague joined Teams” notifications | In Development
Microsoft Teams – New location for New Chat button, Recent, and Contacts tabs in Chat app | In Development
Teams for Linux client | In Development
Class Insights in Teams | In Development
Mute meeting chats in Teams | In Development
Media optimization for Microsoft Teams Calling and Meetings for Citrix VDI | In Development

Updated Features

Updated Feature | Current Status
Microsoft Teams – Sensitivity Labels | In Development
Microsoft Teams – Private channels | Rolling Out
SharePoint and Microsoft Teams: new Files experience | In Development
Microsoft Teams – Secure private channels | In Development
Microsoft Teams – Presenter and Attendee roles for Meetings | In Development
Microsoft Teams – Meet now | Rolling Out
Pending teams | In Development
SharePoint – OneDrive – Teams – file upload limit up to 100GB | In Development
New Calendar App replaces Meetings App in Teams | Launched
Microsoft Teams – Meet now | Launched
Microsoft Teams – Screen sharing in Teams/Skype for Business interop | Launched

Remember if you would like to receive all the Microsoft Roadmaps updates to your Teams Client, check out this post.

Regards
The Author – Blogabout.Cloud