5 May.

Intune for Education Resources

I’m in the final stages of content preparation for the upcoming Microsoft Australia Education Partner national roadshow, and one of the key technologies I’ll be covering is Intune for Education. I covered this briefly back when it was first announced, but now it’s live and it’s time to highlight some of the resources that are available now.

Overview

Get Started Guide

What is Intune for Education?

What is Express Configuration?

After the events kick off I’ll record a few of the demonstrations and post them so that you can see what we are showing around the country.

22 Apr.

Communication from the Microsoft Intune Team – Welcome to the new Intune on Azure Experience

One of the Intune tenants I managed received the following via email today, a huge step to encourage people to start using the new Intune on Azure experience. Of course the first thing I checked was whether the blades still said “Preview”, because I didn’t read the full text of the message, so I had to go back and check it again, where it explains “We will remove the “Preview” tag once we meet our engineering bar for the new Intune experience” – yes, it does pay to read the full text instead of just skimming over it… but on a positive note… good night Silverlight, don’t let the bed bugs bite.

 

 

Microsoft Intune
Welcome to the new Intune on Azure admin experience! Now that your groups and users are migrated to Azure AD grouping and targeting, you can use the new Intune admin experience at portal.azure.com. Log in with your Intune admin credentials on any supported modern browser for the Azure console, add Intune as a favorite in the Azure service menu, and enjoy streamlined management of core Enterprise Mobility + Security (EMS) workflows across Azure AD and Intune.

Getting Started

The new portal is a big, but welcome change for many of you accustomed to the classic Intune Silverlight-based experience. Watch a new Microsoft Mechanics video that highlights the new Intune on Azure admin experience. Below, you’ll find links to new documentation to help you get acquainted with the new look and feel.

Updates to Microsoft Intune on Microsoft Azure
Where did my Intune feature go in Azure? The service is rebuilt from the ground up and integrated with Azure AD. The doc here has many useful tips on where to find your favorite feature.
What is the Azure portal preview? Read more here.
Download the Intune on Azure infographic posted here and share with your team.

What’s New?

While migrations are underway for all Intune customers, you’re welcome to use both the Intune on Azure and the classic Intune experience. New features/functionality will be added to the Intune on Azure experience. We will remove the “Preview” tag once we meet our engineering bar for the new Intune experience, but rest assured the new console is already fully supported by our support team. You can always find information on new features at our What’s New in Intune on Azure page. If you don’t see a feature you want, let us know (or vote up) the item in the Intune User Voice.

And our Favorite…

Finally, we’re very excited for the addition of Microsoft Graph API and have been building out documentation and references for your use. Graph API provides a unified endpoint (REST API) across EMS, Office 365 and Azure. With Graph API, you will be able to automate common tasks from a command line and make it easier to integrate Intune with your existing systems and workflows. Graph API functionality will give you more flexibility than ever before to manage and secure your enterprise. Please read more about Graph API and Intune here.

Thank you for being an Intune customer, and we hope that you will enjoy the new Intune on Azure experience!

The Intune team

 20 Apr.

Intune April 2017 Updates

Earlier today I posted about the new features for Intune in the Azure Portal, and below are the general updates for the month. There are updates across MyApps, Managed Browser, Company Portal and Windows 10 Bulk Enrollment amongst others.

 

New capabilities

MyApps available for Managed Browser

Microsoft MyApps now have better support within the Managed Browser. Managed Browser users who are not targeted for management will be brought directly to the MyApps service, where they can access their admin-provisioned SaaS apps. Users who are targeted for Intune management will continue to be able to access MyApps from the built-in Managed Browser bookmark.

New icons for the Managed Browser and the Company Portal

The Managed Browser is receiving updated icons for both the Android and iOS versions of the app. The new icon will contain the updated Intune badge to make it more consistent with other apps in Enterprise Mobility + Security (EM+S). You can see the new icon for the Managed Browser on the what’s new in Intune app UI page.

The Company Portal is also receiving updated icons for the Android, iOS, and Windows versions of the app to improve consistency with other apps in EM+S. These icons will be gradually released across platforms from April to late May.

Sign-in progress indicator in Android Company Portal

An update to the Android Company Portal app shows a sign-in progress indicator when the user launches or resumes the app. The indicator progresses through new statuses, beginning with “Connecting…”, then “Signing in…”, then “Checking for security requirements…” before allowing the user to access the app. You can see the new screens for the Company Portal app for Android on the what’s new in Intune app UI page.

Block apps from accessing SharePoint Online

You can now create an app-based conditional access policy to block apps that don’t have app protection policies applied to them from accessing SharePoint Online. In the app-based conditional access scenario, you can specify the apps that you want to have access to SharePoint Online using the Azure portal.

Bulk Enroll Windows 10 devices

You can now join large numbers of devices that run the Windows 10 Creators update to Azure Active Directory and Intune with Windows Configuration Designer (WCD). To enable bulk MDM enrollment for your Azure AD tenant, create a provisioning package that joins devices to your Azure AD tenant using Windows Configuration Designer, and apply the package to corporate-owned devices you’d like to bulk enroll and manage. Once the package is applied to your devices, they will Azure AD join, enroll in Intune, and be ready for your Azure AD users to log on. Azure AD users are standard users on these devices and receive assigned policies and required apps. Self-service and Company Portal scenarios are not supported at this time.

20 Apr.

Updates to Microsoft Intune on Microsoft Azure – New Microsoft Mechanics Video

A new video has been added to the Microsoft Mechanics channel on YouTube for Updates to Microsoft Intune on Microsoft Azure. It includes demonstrations of Role Based Access Controls, tighter integration with Azure Active Directory Groups, reporting and automation capabilities leveraging the Microsoft Graph API, and more.

20 Apr.

What’s New In The Microsoft Intune Preview In Azure Portal For April 2017

Over the last few weeks I’ve been talking to quite a few people who have started using the Intune preview in the Azure Portal for more of their day to day management tasks, and it’s always interesting to hear the things that most people are excited about. For a while the typical response was “No more Silverlight”, but over time this has changed as people are seeing more functionality light up, as well as new functionality that is being rolled in. Some of the more exciting ones for me are the Windows 10 ones that are opening up scenarios that target education, which is obviously setting the stage for Intune for Education when that becomes available. That’s not to say the Android and iOS updates aren’t welcome, because they certainly are, it’s just that for the next few months that’s the segment I’ll be heavily focused on.

Below is the full list of updates from docs, and as you can see it’s a pretty big list this month, with plenty of links for further information.

April 2017

Support for managed configuration options for Android apps

Android apps in the Play store that support managed configuration options can now be configured by Intune. This feature lets IT view the list of configuration values supported by an app, and provides a guided, first-class UI to allow them to configure those values.

Remote assistance for Android devices

Intune now uses the TeamViewer software, purchased separately, to enable you to give remote assistance to your users who are running Android devices. For more information see Remote control Android devices using TeamViewer.

New Android policy for complex PINs

You can now set a required password type of Numeric complex in an Android device profile for devices that run Android 5.0 and above. Use this setting to prevent device users from creating a PIN that contains repeating or consecutive numbers, like 1111 or 1234.

Additional support for Android for Work devices

    • Manage password and work profile settings

      This new Android for Work device restriction policy now lets you manage password and work profile settings on Android for Work devices you manage.

    • Allow data sharing between work and personal profiles

      This Android for Work device restriction profile now has new options to help you configure data sharing between work and personal profiles.

    • Restrict copy and paste between work and personal profiles

      A new custom device profile for Android for Work devices now lets you restrict whether copy and paste actions between work and personal apps are allowed.

For more information, see Device restrictions for Android for Work.

Assign LOB apps to iOS and Android devices

You can now assign line of business (LOB) apps for iOS (.ipa files) and Android (.apk files) to users or devices.

New device policies for iOS

    • Apps on Home screen – Controls which apps users see on the Home screen of their iOS device. This policy changes the layout of the Home screen, but does not deploy any apps you specified that are not installed.
    • Connections to AirPrint devices – Controls which AirPrint devices (network printers) end users of iOS devices can connect to.
    • Connections to AirPlay devices – Controls which AirPlay devices (like Apple TV) end users of iOS devices can connect to.
    • Custom lock screen message – Configures a custom message that users will see on the lock screen of their iOS device, replacing the default lock screen message. For more information, see Available device actions.

Restrict push notifications for iOS apps

In an Intune device restriction profile, you can now configure the following notification settings for iOS devices:

    • Fully turn on or off notifications for a specified app.
    • Turn on or off the notification in the notification center for a specified app.
    • Specify the alert type, either None, Banner, or Modal Alert.
    • Specify whether badges are allowed for this app.
    • Specify whether notification sounds are allowed.

Configure iOS apps to run in single app mode autonomously

You can now use an Intune device profile to configure iOS devices to run specified apps in autonomous single app mode. When this mode is configured, and the app is run, the device is locked so that it can only run that app. An example of this is when you configure an app that lets users take a test on the device. When the app’s actions are complete, or you remove this policy, the device returns to its normal state.

Configure trusted domains for email and web browsing on iOS devices

From an iOS device restriction profile, you can now configure the following domain settings:

    • Unmarked email domains – Emails that the user sends or receives which don’t match the domains you specify here will be marked as untrusted.
    • Managed web domains – Documents downloaded from the URLs you specify here will be considered managed (Safari only).
    • Safari password auto-fill domains – Users can save passwords in Safari only from URLs matching the patterns you specify here. To use this setting, the device must be in supervised mode and not configured for multiple users. (iOS 9.3+)

VPP apps available in iOS Company Portal

You can now assign iOS volume-purchased (VPP) apps as Available installs to end users. End users will need an Apple Store account to install the app.

Synchronize eBooks from Apple VPP Store

You can now synchronize books you purchased from the Apple volume-purchase program store with Intune, and assign these to users.

Multi-user management for Samsung KNOX Standard devices

Devices that run Samsung KNOX Standard are now supported for multi-user management by Intune. This means that end users can sign in and out of the device with their Azure Active Directory credentials, and the device is centrally managed whether it’s in use or not. When end users sign in, they have access to apps and additionally get any policies applied to them. When users sign out, all app data is cleared.

Additional Windows device restriction settings

We’ve added support for additional Windows device restriction settings like additional Edge browser support, device lock screen customization, start menu customizations, Windows Spotlight search set wallpaper, and proxy setting.

Multi-user support for Windows 10 Creators Update

We’ve added support for multi-user management for devices that run the Windows 10 Creators Update and are Azure Active Directory domain-joined. This means that when different standard users log onto the device with their Azure AD credentials, they will receive any apps and policies that were assigned to their user name. Users cannot currently use the Company Portal for self-service scenarios like installing apps.

Fresh Start for Windows 10 PCs

A new Fresh Start device action for Windows 10 PCs is now available. When you issue this action, any apps that were installed on the PC are removed, and the PC is automatically updated to the latest version of Windows. This can be used to help remove pre-installed OEM apps that are often delivered with a new PC. You can configure if user data is retained when this device action is issued.

Additional Windows 10 upgrade paths

You can now create an edition upgrade policy to upgrade devices to the following additional Windows 10 editions:

    • Windows 10 Professional
    • Windows 10 Professional N
    • Windows 10 Professional Education
    • Windows 10 Professional Education N

Bulk Enroll Windows 10 devices

You can now join large numbers of devices that run the Windows 10 Creators update to Azure Active Directory and Intune with Windows Configuration Designer (WCD). To enable bulk MDM enrollment for your Azure AD tenant, create a provisioning package that joins devices to your Azure AD tenant using Windows Configuration Designer, and apply the package to corporate-owned devices you’d like to bulk enroll and manage. Once the package is applied to your devices, they will Azure AD join, enroll in Intune, and be ready for your Azure AD users to log on. Azure AD users are standard users on these devices and receive assigned policies and required apps. Self-service and Company Portal scenarios are not supported at this time.

New MAM settings for PIN and managed storage locations

Two new app settings are now available to help you with mobile application management (MAM) scenarios:

  • Disable app PIN when device PIN is managed – Detects if a device PIN is present on the enrolled device, and if so, bypasses the app PIN triggered by the app protection policies. This setting will allow for a reduction in the number of times a PIN prompt is displayed to users opening a MAM-enabled application on an enrolled device. This feature is available for both Android and iOS.
  • Select which storage services corporate data can be saved to – Allows you to specify the storage locations in which corporate data can be saved. Users can save to the selected storage location services, which means all other storage location services not listed will be blocked.

    List of supported storage location services:

    • OneDrive
    • Business SharePoint Online
    • Local storage

18 Apr.

Configuring Windows Information Protection In The Azure Portal Preview

A few weeks ago I made several posts about Azure Active Directory Preview in the Azure Portal, and this week it’s time to start looking at some of the Intune preview capabilities in the Azure Portal. Today I’ll start with Windows Information Protection, which has moved into the Intune Mobile Application Management blade.

Previously this is where the Platform choices (highlighted above) only showed iOS and Android, but now we have Windows 10 making a long overdue appearance. Once I fill out the Name and Description I choose to Add apps.

Add Apps provides the option of adding Recommended Apps as one of the options, which you can see is a collection of Microsoft Desktop and Store apps.

Once the Recommended Apps have been added (you don’t need to select them, or select them all), you can then choose to customise the app list further by clicking Add apps.


Now we can add Store apps.


And Desktop apps.


We can also choose to Import apps via AppLocker XML files.


We can also Add apps that are exempt.



Required setting provides options that should look familiar if you have configured WIP from the Silverlight-based classic Intune portal.


The first page of Configure advanced settings gives the ability to start identifying the trusted network boundaries, and how Data protection should be enforced.


You can add the Name and Value of several identified boundaries.


Enabling Windows Hello for Business as a sign in method is also configured here.


Finally we need to deploy this, so we need to choose Add user group and then we can target the users we want the policy to apply to.

29 Mar.

AAD Self Service Group Management In the Azure Portal

Following on from the last two posts, this time the focus is on Azure Active Directory Self Service Group Management capabilities.

Figure 1: The first step is enabling the Self Service Group Management settings in the Azure Portal, under Directory, Users and Groups – Group settings, General settings.

Figure 2: Signed in as Admin, I choose the option to Create Group.

Figure 3: Choose the appropriate details; in this case I have selected the Group policy of The group requires owner approval and Group type of Security

Figure 4: The Marketing group now appears underneath Groups I own

Figure 5: Signed in as the user Cloud, they are only a member of four groups. Here I select Join group.

Figure 6: After finding the Marketing group, I can choose to Join Group

Figure 7: I need to provide a Business justification

Figure 8: I receive notice that the request has been sent.

Figure 9: Admin receives notification via email and via the notification icon that there is something that needs their attention

Figure 10: Notifications advises that the request needs to be approved

Figure 11: Just confirming that I want to Approve the request


Figure 12: Switching back to the user Cloud, we can see that the Marketing group is now listed.

Figure 13: We can now see the details of the Marketing group

Figure 14: Going back to Apps for the user Cloud, we can see the SaaS apps they have access to. We want to make members of the Marketing group able to use an additional Twitter account we have just added.

Figure 15: Back in the portal I can select the ausmarkos Twitter app

Figure 16: I assign the Marketing group to the ausmarkos Twitter app

Figure 17: Back in the myapps portal as Cloud user, I can see that ausmarkos Twitter has been added to the top of the Apps list

29 Mar.

AAD Application Proxy In The Azure Portal

Following on from yesterday’s post, I’ll continue with the app publishing story, but this time via the Azure Active Directory Application Proxy. The app proxy allows you to publish on-prem web apps, while leveraging the identity security benefits that Azure Active Directory provides.

Figure 1: The initial steps for setting up the AAD App Proxy include choosing Enterprise Applications within Azure Active Directory, and then clicking Application Proxy

Figure 2: Next we need to choose Download Connector

Figure 3: From the server where we want to run the connector we run setup.

Figure 4: The only configuration we need to perform on the server is signing in to our Azure AD Global Admin account.

Figure 5: Switching back to the Azure Portal, choose Add an application, and then populate the Add your own on-premises application

Figure 6: Once the new app has been added, we can make some customisations, including enabling the app and choosing a logo, amongst others.

Figure 7: Next we should add a test user or group, and we do this via Add Assignment, Users and Groups, and Invite.

Figure 8: Signing in to myapps.microsoft.com we can see that internalapp is now published to Admin

Figure 9: Clicking on internalapp opens up a new tab, where you can see the msappproxy.net URL and the successfully loaded web page from the internal server we published.

28 Mar.

AAD App Integration In the Azure Portal

This is the first in a series of posts focused on performing common Azure Active Directory tasks in the Ibiza portal, starting with app integration. The other posts in this series will cover topics such as Self Service Group Management, Self Service Password Reset, Multi-Factor Authentication and Conditional Access.

Figure 1: A customised view of the Azure Portal with a focus on the components of the Enterprise Mobility + Security suite from Microsoft.


Figure 2: After selecting the Directory tile, we can see the options that are available, including Enterprise applications.


Figure 3: Enterprise Applications allows us to Add a new app from the details blade, or alternatively we can view the available apps from All applications


Figure 4: After selecting Add we are shown the Categories and Add an application blades, which show the library of existing SaaS apps that have already been integrated, or we can choose to integrate custom line of business apps, set up the AAD Application Proxy, or add another app that isn’t in the gallery.


Figure 5: From the gallery I have chosen to integrate Twitter


Figure 6: To easily identify this app amongst multiple Twitter accounts used in the organisation, I’ve named this one after the account it will be sharing


Figure 7: Intunedin Twitter now appears in All applications


Figure 8: As this has just been created, there are no users or groups assigned, and no activity


Figure 9: You can now Add groups or users to the application


Figure 10: I have selected an existing AAD Security Group – Intunedin tweeters, and can now Assign the app to that group.


Figure 11: We can now see intunedin tweeters in Users and groups, and can Add other users and groups if needed.


Figure 12: For Single sign-on for Twitter we choose Password-based Sign-on and then Save


Figure 13: With Single sign-on enabled, Update Credentials is now available from Users and groups


Figure 14: After selecting Update Credentials the User Name and Password can be entered for the shared account


Figure 15: After adding the Cloud user to the intunedin tweeters group, the Intunedin Twitter app appears in MyApps


Figure 16: Clicking Intunedin Twitter opens Twitter in another tab and signs in via password vaulting

28 Mar.

Intune Preview Portal Updates For March 2017

This month the Intune preview in Azure gets additional capabilities, including iOS Lost Mode, Device Actions, custom app categories and LOB app assignment to unenrolled devices, along with new compliance reports.

Support for iOS Lost Mode

For iOS 9.3 and later devices, Intune added support for Lost Mode. You can now lock down a device to prevent all use and display a message and contact phone number on the device lock screen.

The end user will not be able to unlock the device until an admin disables Lost Mode. When Lost Mode is enabled, you can use the Locate device action to display the geographical location of the device on a map in the Intune console.

The device must be a corporate-owned iOS device, enrolled through DEP, that is in supervised mode.

For more information, see What is Microsoft Intune device management?

Improvements to Device Actions report

We’ve made improvements to the Device Actions report to improve performance. Additionally, you can now filter the report by state. For example, you could filter the report to show only device actions that were completed.

Actions for non-compliance

Actions for non-compliance is a new feature of compliance policies that lets you take action on devices that are out of compliance. You can specify single or multiple actions and specify the time period at which those actions must occur. For example, you can notify users of non-compliant devices immediately after the devices become non-compliant through email, or you can block non-compliant devices from accessing corporate resources after a 3-day grace period via Conditional Access.

Custom app categories

You can now create, edit, and assign categories for apps you add to Intune. Currently, categories can only be specified in English. See How to add an app to Intune.

Assign LOB apps to users with unenrolled devices

You can now assign line of business apps from the store to users whether or not their devices are enrolled with Intune. If the user’s device is not enrolled with Intune, they must go to the Company Portal website to install it, instead of the Company Portal app.

New compliance reports

You now have compliance reports that give you the compliance posture of devices in your company and allow you to quickly troubleshoot compliance-related issues encountered by your users. You can view information about:

    • Overall compliance state of devices
    • Compliance state for an individual setting
    • Compliance state for an individual policy 

You can also use these reports to drill-down into an individual device to view specific settings and policies that affect that device.

Direct access to Apple enrollment scenarios

For Intune accounts created after January 2017, Intune has enabled direct access to Apple enrollment scenarios using the Enroll Devices workload in the Azure Preview portal. Previously, the Apple enrollment preview was only accessible from links in the classic Intune portal. Intune accounts created before January 2017 will require a one-time migration before these features are available in Azure. The schedule for migration has not been announced yet, but details will be made available as soon as possible. We strongly recommend creating a trial account to test out the new experience if your existing account cannot access the preview.
