Earlier today I posted about the new features for Intune in the Azure Portal, and below are the general updates for the month. There are updates across MyApps, Managed Browser, Company Portal and Windows 10 Bulk Enrollment amongst others.
Microsoft MyApps now has better support within the Managed Browser. Managed Browser users who are not targeted for management will be brought directly to the MyApps service, where they can access their admin-provisioned SaaS apps. Users who are targeted for Intune management will continue to be able to access MyApps from the built-in Managed Browser bookmark.
The Managed Browser is receiving updated icons for both the Android and iOS versions of the app. The new icon will contain the updated Intune badge to make it more consistent with other apps in Enterprise Mobility + Security (EM+S). You can see the new icon for the Managed Browser on the what’s new in Intune app UI page.
The Company Portal is also receiving updated icons for the Android, iOS, and Windows versions of the app to improve consistency with other apps in EM+S. These icons will be gradually released across platforms from April to late May.
An update to the Android Company Portal app shows a sign-in progress indicator when the user launches or resumes the app. The indicator progresses through new statuses, beginning with “Connecting…”, then “Signing in…”, then “Checking for security requirements…” before allowing the user to access the app. You can see the new screens for the Company Portal app for Android on the what’s new in Intune app UI page.
You can now create an app-based conditional access policy to block apps that don’t have app protection policies applied to them from accessing SharePoint Online. In the app-based conditional access scenario, you specify the apps that you want to have access to SharePoint Online using the Azure portal.
You can now join large numbers of devices that run the Windows 10 Creators Update to Azure Active Directory and Intune with Windows Configuration Designer (WCD). To enable bulk MDM enrollment for your Azure AD tenant, create a provisioning package that joins devices to your Azure AD tenant using Windows Configuration Designer, and apply the package to the corporate-owned devices you’d like to bulk enroll and manage. Once the package is applied to your devices, they will Azure AD join, enroll in Intune, and be ready for your Azure AD users to log on. Azure AD users are standard users on these devices and receive assigned policies and required apps. Self-service and Company Portal scenarios are not supported at this time.
A new video has been added to the Microsoft Mechanics channel on YouTube for Updates to Microsoft Intune on Microsoft Azure. It includes demonstrations of Role Based Access Controls, tighter integration with Azure Active Directory Groups; reporting and automation capabilities leveraging the Microsoft Graph API and more.
Over the last few weeks I’ve been talking to quite a few people who have started using the Intune preview in the Azure Portal for more of their day to day management tasks, and it’s always interesting to hear the things that most people are excited about. For a while the typical response was “No more Silverlight”, but over time this has changed as people are seeing more functionality light up, as well as new functionality that is being rolled in. Some of the more exciting ones for me are the Windows 10 ones that are opening up scenarios that target education, which is obviously setting the stage for Intune for Education when that becomes available. That’s not to say the Android and iOS updates aren’t welcome, because they certainly are, it’s just that for the next few months that’s the segment I’ll be heavily focused on.
Below is the full list of updates from docs, and as you can see it’s a pretty big list this month, with plenty of links for further information.
Android apps in the Play store that support managed configuration options can now be configured by Intune. This feature lets IT view the list of configuration values supported by an app, and provides a guided, first-class UI to configure those values.
Intune now uses the TeamViewer software, purchased separately, to enable you to give remote assistance to your users who are running Android devices. For more information see Remote control Android devices using TeamViewer.
You can now set a required password type of Numeric complex in an Android device profile for devices that run Android 5.0 and above. Use this setting to prevent device users from creating a PIN that contains repeating or consecutive numbers, like 1111 or 1234.
A new Android for Work device restriction policy now lets you manage password and work profile settings on Android for Work devices you manage.
The Android for Work device restriction profile now has new options to help you configure data sharing between work and personal profiles.
A new custom device profile for Android for Work devices now lets you restrict whether copy and paste actions between work and personal apps are allowed.
You can now use an Intune device profile to configure iOS devices to run specified apps in autonomous single app mode. When this mode is configured and the app is run, the device is locked so that it can only run that app. An example of this is when you configure an app that lets users take a test on the device. When the app’s actions are complete, or you remove this policy, the device returns to its normal state.
You can now assign iOS volume-purchased (VPP) apps as Available installs to end users. End users will need an Apple Store account to install the app.
Devices that run Samsung KNOX Standard are now supported for multi-user management by Intune. This means that end users can sign in and out of the device with their Azure Active Directory credentials, and the device is centrally managed whether it’s in use or not. When end users sign in, they have access to apps and additionally get any policies applied to them. When users sign out, all app data is cleared.
We’ve added support for additional Windows device restriction settings, including additional Edge browser support, device lock screen customization, start menu customizations, Windows Spotlight, search, set wallpaper, and proxy settings.
We’ve added support for multi-user management for devices that run the Windows 10 Creators Update and are Azure Active Directory domain-joined. This means that when different standard users log onto the device with their Azure AD credentials, they will receive any apps and policies that were assigned to their user name. Users cannot currently use the Company Portal for self-service scenarios like installing apps.
A new Fresh Start device action for Windows 10 PCs is now available. When you issue this action, any apps that were installed on the PC are removed, and the PC is automatically updated to the latest version of Windows. This can be used to help remove pre-installed OEM apps that are often delivered with a new PC. You can configure whether user data is retained when this device action is issued.
You can now join large numbers of devices that run the Windows 10 Creators Update to Azure Active Directory and Intune with Windows Configuration Designer (WCD). To enable bulk MDM enrollment for your Azure AD tenant, create a provisioning package that joins devices to your Azure AD tenant using Windows Configuration Designer, and apply the package to the corporate-owned devices you’d like to bulk enroll and manage. Once the package is applied to your devices, they will Azure AD join, enroll in Intune, and be ready for your Azure AD users to log on. Azure AD users are standard users on these devices and receive assigned policies and required apps. Self-service and Company Portal scenarios are not supported at this time.
Two new app settings are now available to help you with mobile application management (MAM) scenarios:
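As an added example (not part of the original post or the Intune docs it quotes), this is how the bulk-enrollment step described above and in the earlier post can be scripted on a corporate-owned Windows 10 device: apply the WCD provisioning package silently, then confirm the device reports itself as Azure AD joined and MDM enrolled before handing it to users. The package path and file name are hypothetical.

```powershell
# Added example: apply a Windows Configuration Designer bulk-enrollment
# provisioning package and verify the resulting device state.
# Run elevated on the target Windows 10 (Creators Update) device.
# 'C:\Provisioning\BulkEnroll.ppkg' is a hypothetical path, not from the post.
$PackagePath = 'C:\Provisioning\BulkEnroll.ppkg'

if (-not (Test-Path -Path $PackagePath)) {
    throw "Provisioning package not found at $PackagePath"
}

# Apply the package without prompting; -ForceInstall re-applies it if a
# package with the same ID has already been installed on this device.
Install-ProvisioningPackage -PackagePath $PackagePath -QuietInstall -ForceInstall

# List every package the device records as installed so the bulk-enrollment
# package can be confirmed as present.
Get-ProvisioningPackage -AllInstalledPackages

# dsregcmd reports the join state. After the package applies and the device
# has talked to Azure AD, expect 'AzureAdJoined : YES', the tenant name, and an
# MdmUrl pointing at the Intune enrollment endpoint.
$status = dsregcmd /status
$status | Select-String -Pattern 'AzureAdJoined', 'TenantName', 'MdmUrl'

# Fail loudly if the device did not join, so an imaging pipeline can stop here
# rather than ship an unmanaged device.
if (-not ($status -match 'AzureAdJoined\s*:\s*YES')) {
    throw 'Device is not Azure AD joined; check the provisioning package and network access.'
}
```

The join may complete a few seconds after the package installs, so in an imaging pipeline it is worth retrying the dsregcmd check briefly before treating the device as failed.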
List of supported storage location services:
A few weeks ago I made several posts about Azure Active Directory Preview in the Azure Portal, and this week it’s time to start looking at some of the Intune preview capabilities in the Azure Portal. Today I’ll start with Windows Information Protection, which has moved into the Intune Mobile Application Management blade.
Previously the Platform choices (highlighted above) only showed iOS and Android, but now Windows 10 makes a long overdue appearance. Once I fill out the Name and Description I choose Add apps.
Add Apps provides the option of adding Recommended Apps as one of the options, which you can see is a collection of Microsoft Desktop and Store apps.
Once the Recommended Apps have been added (you don’t need to select them, or select them all), you can then choose to customise the app list further by clicking Add apps.
Now we can add Store apps.
And Desktop apps.
We can also choose to Import apps via AppLocker XML files.
We can also Add apps that are exempt.
Required settings provides options that should look familiar if you have configured WIP from the Silverlight-based classic Intune portal.
The first page of Configure advanced settings gives the ability to start identifying the trusted network boundaries, and how Data protection should be enforced.
You can add the Name and Value of several identified boundaries.
Enabling Windows Hello for Business as a sign-in method is also configured here.
Finally we need to deploy this, so we choose Add user group and then target the users we want the policy to apply to.
Following on from the last two posts, this time the focus is on Azure Active Directory Self Service Group Management capabilities.
Figure 1: The first step is enabling the Self Service Group Management settings in the Azure Portal, under Directory, Users and Groups – Group settings, General settings.
Figure 2: Signed in as Admin, I choose the option to Create Group.
Figure 3: Choose the appropriate details; in this case I have selected the Group policy of The group requires owner approval and a Group type of Security.
Figure 4: The Marketing group now appears underneath Groups I own.
Figure 5: Signed in as the user Cloud, that user is only a member of four groups. Here I select Join group.
Figure 6: After finding the Marketing group, I can choose to Join Group.
Figure 7: I need to provide a Business justification.
Figure 8: I receive notice that the request has been sent.
Figure 9: Admin receives notification via email and via the notification icon that there is something that needs their attention.
Figure 10: The notification advises that the request needs to be approved.
Figure 11: Just confirming that I want to Approve the request.
Figure 12: Switching back to the user Cloud, we can see that the Marketing group is now listed.
Figure 13: We can now see the details of the Marketing group.
Figure 14: Going back to Apps for the user Cloud, we can see the SaaS apps they have access to. We want to make members of the Marketing group able to use an additional Twitter account we have just added.
Figure 15: Back in the portal I can select the ausmarkos Twitter app.
Figure 16: I assign the Marketing group to the ausmarkos Twitter app.
Figure 17: Back in the myapps portal as the Cloud user, I can see that ausmarkos Twitter has been added to the top of the Apps list.
Following on from yesterday’s post, I’ll continue with the app publishing story, but this time via the Azure Active Directory Application Proxy. The app proxy allows you to publish on-prem web apps while leveraging the identity security benefits that Azure Active Directory provides.
Figure 1: The initial steps for setting up the AAD App Proxy include choosing Enterprise Applications within Azure Active Directory, and then clicking Application Proxy.
Figure 2: Next we need to choose Download Connector.
Figure 3: From the server where we want to run the connector, we run setup.
Figure 4: The only configuration we need to perform on the server is signing in to our Azure AD Global Admin account.
Figure 5: Switching back to the Azure Portal, choose Add an application, and then populate the Add your own on-premises application blade.
Figure 6: Once the new app has been added, we can make some customisations, including enabling the app and choosing a logo, amongst others.
Figure 7: Next we should add a test user or group, and we do this via Add Assignment, Users and Groups, and Invite.
Figure 8: Signing in to myapps.microsoft.com, we can see that internalapp is now published to Admin.
Figure 9: Clicking on internalapp opens up a new tab, where you can see the msappproxy.net URL and the successfully loaded web page from the internal server we published.
This is the first in a series of posts focused on performing common Azure Active Directory tasks in the Ibiza portal, starting with app integration. The other posts in this series will cover topics such as Self Service Group Management, Self Service Password Reset, Multi-Factor Authentication and Conditional Access.
Figure 1: A customised view of the Azure Portal with a focus on the components of the Enterprise Mobility + Security suite from Microsoft.
Figure 2: After selecting the Directory tile, we can see the options that are available, including Enterprise applications.
Figure 3: Enterprise Applications allows us to Add a new app from the details blade, or alternatively we can view the available apps from All applications.
Figure 4: After selecting Add we are shown the Categories and Add an application blades, which show the library of existing SaaS apps that have already been integrated; alternatively we can choose to integrate custom line of business apps, set up the AAD Application Proxy, or add another app that isn’t in the gallery.
Figure 5: From the gallery I have chosen to integrate Twitter.
Figure 6: To easily identify this app amongst multiple Twitter accounts used in the organisation, I’ve named this one after the account it will be sharing.
Figure 7: Intunedin Twitter now appears in All applications.
Figure 8: As this has just been created, there are no users or groups assigned, and no activity.
Figure 9: You can now Add groups or users to the application.
Figure 10: I have selected an existing AAD Security Group, Intunedin tweeters, and can now Assign the app to that group.
Figure 11: We can now see intunedin tweeters in Users and groups, and can Add other users and groups if needed.
Figure 12: For Single sign-on for Twitter we choose Password-based Sign-on and then Save.
Figure 13: With Single sign-on enabled, Update Credentials is now available from Users and groups.
Figure 14: After selecting Update Credentials, the User Name and Password can be entered for the shared account.
Figure 15: After adding the Cloud user to the intunedin tweeters group, the Intunedin Twitter app appears in MyApps.
Figure 16: Clicking Intunedin Twitter opens Twitter in another tab and signs in via password vaulting.
This month the Intune preview in Azure gets additional capabilities, including iOS Lost Mode, Device Actions, custom app categories and LOB app assignment to unenrolled devices, along with new compliance reports.
For iOS 9.3 and later devices, Intune added support for Lost Mode. You can now lock down a device to prevent all use and display a message and contact phone number on the device lock screen.
The end user will not be able to unlock the device until an admin disables Lost Mode. When Lost Mode is enabled, you can use the Locate device action to display the geographical location of the device on a map in the Intune console.
The device must be a corporate-owned iOS device, enrolled through DEP, that is in supervised mode.
For more information, see What is Microsoft Intune device management?
We’ve made improvements to the Device Actions report to improve performance. Additionally, you can now filter the report by state. For example, you could filter the report to show only device actions that were completed.
Actions for non-compliance is a new feature of compliance policies that lets you take action on devices that are out of compliance. You can specify single or multiple actions and specify the time period at which those actions must occur. For example, you can notify users of non-compliant devices immediately after the devices become non-compliant through email, or you can block non-compliant devices from accessing corporate resources after a 3-day grace period via Conditional Access.
You can now create, edit, and assign categories for apps you add to Intune. Currently, categories can only be specified in English. See How to add an app to Intune.
You can now assign line of business apps from the store to users whether or not their devices are enrolled with Intune. If the user’s device is not enrolled with Intune, they must go to the Company Portal website to install it, instead of the Company Portal app.
You now have compliance reports that give you the compliance posture of devices in your company and allow you to quickly troubleshoot compliance-related issues encountered by your users. You can view information about
You can also use these reports to drill-down into an individual device to view specific settings and policies that affect that device.
For Intune accounts created after January 2017, Intune has enabled direct access to Apple enrollment scenarios using the Enroll Devices workload in the Azure Preview portal. Previously, the Apple enrollment preview was only accessible from links in the classic Intune portal. Intune accounts created before January 2017 will require a one-time migration before these features are available in Azure. The schedule for migration has not been announced yet, but details will be made available as soon as possible. We strongly recommend creating a trial account to test out the new experience if your existing account cannot access the preview.
Another month, another round of updates for Intune, including an updated Company Portal app for Android, non-managed devices accessing assigned apps and an app signing script for Windows 10 Company Portal.
Full details below from docs.
The Company Portal app for Android will be updating its user interface for a more modern look and feel, and better user experience. The notable updates are:
For more details about these changes, see UI updates for Intune end user apps.
As part of the design changes on the Company Portal website, iOS and Android users will be able to install apps assigned to them as “available without enrollment” on their non-managed devices. Using their Intune credentials, users will be able to log into the Company Portal website and see the list of apps assigned to them. The app packages of the “available without enrollment” apps are made available for download via the Company Portal website. Apps which require enrollment for installation are not affected by this change, as users will be prompted to enroll their device if they wish to install those apps.
If you need to download and sideload the Windows 10 Company Portal app, you can now use a script to simplify and streamline the app-signing process for your organization. To download the script and the instructions for using it, see Microsoft Intune Signing Script for Windows 10 Company Portal on TechNet Gallery. For more details about this announcement, see Updating your Windows 10 Company Portal app on the Intune Support Team Blog.
Just a minor update to the March 2017 Intune App Protection list for standalone MAM support: Microsoft Teams for iOS was added, as seen in the screenshot below.