28 Mar.

AAD App Integration In the Azure Portal

This is the first in a series of posts focused on performing common Azure Active Directory tasks in the Ibiza portal, starting with app integration. The other posts in this series will cover topics such as Self Service Group Management, Self Service Password Reset, Multi-Factor Authentication and Conditional Access.

Figure 1: A customised view of the Azure Portal with a focus on the components of the Enterprise Mobility + Security suite from Microsoft.


Figure 2: After selecting the Directory tile, we can see the options that are available, including Enterprise applications.


Figure 3: Enterprise Applications allows us to Add a new app from the details blade, or alternatively we can view the available apps from All applications


Figure 4: After selecting Add we are shown the Categories and Add an application blades, which show the library of existing SaaS apps that have already been integrated, or we can choose to integrate custom line of business apps, set up the AAD Application Proxy, or add another app that isn’t in the gallery.


Figure 5: From the gallery I have chosen to integrate Twitter


Figure 6: To easily identify this app amongst multiple Twitter accounts used in the organisation, I’ve named this one after the account it will be sharing


Figure 7: Intunedin Twitter now appears in All applications


Figure 8: As this has just been created, there are no users or groups assigned, and no activity


Figure 9: You can now Add groups or users to the application


Figure 10: I have selected an existing AAD Security Group – Intunedin tweeters, and can now Assign the app to that group.


Figure 11: We can now see intunedin tweeters in Users and groups, and can Add other users and groups if needed.


Figure 12: For Single sign-on for Twitter we choose Password-based Sign-on and then Save


Figure 13: With Single sign-on enabled, Update Credentials is now available from Users and groups


Figure 14: After selecting Update Credentials the User Name and Password can be entered for the shared account


Figure 15: After adding the Cloud user to the intunedin tweeters group, the Intunedin Twitter app appears in MyApps


Figure 16: Clicking Intunedin Twitter opens Twitter in another tab and signs in via password vaulting

28 Mar.

Intune Preview Portal Updates For March 2017

This month the Intune preview in Azure gets additional capabilities, including iOS Lost Mode, Device Actions, custom app categories and LOB app assignment to unenrolled devices, along with new compliance reports.

Support for iOS Lost Mode

For iOS 9.3 and later devices, Intune added support for Lost Mode. You can now lock down a device to prevent all use and display a message and contact phone number on the device lock screen.

The end user will not be able to unlock the device until an admin disables Lost Mode. When Lost Mode is enabled, you can use the Locate device action to display the geographical location of the device on a map in the Intune console.

The device must be a corporate-owned iOS device, enrolled through DEP, that is in supervised mode.

For more information, see What is Microsoft Intune device management?

Improvements to Device Actions report

We’ve made improvements to the Device Actions report to improve performance. Additionally, you can now filter the report by state. For example, you could filter the report to show only device actions that were completed.

Actions for non-compliance

Actions for non-compliance is a new feature of compliance policies that lets you take action on devices that are out of compliance. You can specify single or multiple actions and specify the time period at which those actions must occur. For example, you can notify users of non-compliant devices immediately after the devices become non-compliant through email, or you can block non-compliant devices from accessing corporate resources after a 3-day grace period via Conditional Access.

Custom app categories

You can now create, edit, and assign categories for apps you add to Intune. Currently, categories can only be specified in English. See How to add an app to Intune.

Assign LOB apps to users with unenrolled devices

You can now assign line of business apps from the store to users whether or not their devices are enrolled with Intune. If the user’s device is not enrolled with Intune, they must go to the Company Portal website to install it, instead of the Company Portal app.

New compliance reports

You now have compliance reports that give you the compliance posture of devices in your company and allow you to quickly troubleshoot compliance-related issues encountered by your users. You can view information about:

    • Overall compliance state of devices
    • Compliance state for an individual setting
    • Compliance state for an individual policy 

You can also use these reports to drill-down into an individual device to view specific settings and policies that affect that device.

Direct access to Apple enrollment scenarios

For Intune accounts created after January 2017, Intune has enabled direct access to Apple enrollment scenarios using the Enroll Devices workload in the Azure Preview portal. Previously, the Apple enrollment preview was only accessible from links in the classic Intune portal. Intune accounts created before January 2017 will require a one-time migration before these features are available in Azure. The schedule for migration has not been announced yet, but details will be made available as soon as possible. We strongly recommend creating a trial account to test out the new experience if your existing account cannot access the preview.

28 Mar.

Intune Updates March 2017

Another month, another round of updates for Intune, including an updated Company Portal app for Android, non-managed devices accessing assigned apps and an app signing script for Windows 10 Company Portal.

Full details below from docs.

New Capabilities

New user experience for the Company Portal app for Android

The Company Portal app for Android will be updating its user interface for a more modern look and feel, and better user experience. The notable updates are:

    • Colors: Company Portal tab headers are colored in IT-defined branding.
    • Apps: In the Apps tab, the Featured Apps and All Apps buttons are updated.
    • Search: In the Apps tab, the Search button is a floating action button.
    • Navigating Apps: All Apps view shows a tabbed view of Featured, All, and Categories for easier navigation.
    • Support: My Devices and Contact IT tabs are updated to improve readability.

 

For more details about these changes, see UI updates for Intune end user apps 

Non-managed devices can access assigned apps

As part of the design changes on the Company Portal website, iOS and Android users will be able to install apps assigned to them as “available without enrollment” on their non-managed devices. Using their Intune credentials, users will be able to log into the Company Portal website and see the list of apps assigned to them. The app packages of the “available without enrollment” apps are made available for download via the Company Portal website. Apps which require enrollment for installation are not affected by this change, as users will be prompted to enroll their device if they wish to install those apps.

Signing Script for Windows 10 Company Portal

If you need to download and sideload the Windows 10 Company Portal app, you can now use a script to simplify and streamline the app-signing process for your organization. To download the script and the instructions for using it, see Microsoft Intune Signing Script for Windows 10 Company Portal on TechNet Gallery. For more details about this announcement, see Updating your Windows 10 Company Portal app on the Intune Support Team Blog.

22 Mar.

Update to Intune App Protection – Microsoft Teams On iOS Now Available

Just a minor update to the March 2017 Intune App Protection list for standalone MAM support – Microsoft Teams for iOS was added, as seen below in the screenshot.

 

18 Mar.

Blockers For Migrating Intune Tenants

Over the last few weeks I’ve had a few ad-hoc conversations around the requirements for making sure the transition to the new AAD groups and portal goes smoothly, and a post on the topic has just appeared over on the Intune Support blog. In the post they mention six things to clean up to ensure a faster, smoother transition. While the removal of the Silverlight requirement is a big improvement from a browser compatibility perspective, the consolidation of the management portals required, and the consistency delivered via a common portal UI and access via the Graph API, are where the benefits really shine.

1. Policies or apps targeted to ungrouped users/devices
2. Using Exclusion Groups
3. Using Nested Groups (also called Implicit Exclusion Groups)
4. Any groups using the ‘Is Manager’ clause
5. You have conflicting App deployment rules
6. You are using an old version (prior to December 2016) of the Exchange connector for Intune

Take a look over at the full post here.

16 Mar.

Upcoming Windows 10 Training Events

The Microsoft Australia Partner Readiness team have lined up two 3-day Windows 10 training events in Sydney and Perth for April 2017.

Windows 10 Technical Series Training

4th – 6th April 2017 | 8:30am – 5:00pm, GMT+10:00 (Australia/Sydney)

10th – 12th April 2017 | 8:30am – 5:00pm, GMT+08:00 (Australia/Perth)

Level: 300

Target Product: Windows

Audience: technical

Event Identification: AUWW176

Event Description:

Building on deployment, management and security features first introduced with Windows 10 at release, this 3-day workshop, which includes hands-on labs, will provide you with the opportunity to explore the different deployment, management and security options and functionality available for your customers. It will also review the opportunity to develop your business as a Microsoft Cloud Solution Provider — either as a new CSP for Windows or to understand how adding Windows to your existing CSP portfolio can provide opportunities to develop your business further.

THE COURSE

While the course provides extensive information from Microsoft trainers, we believe you will benefit most in developing your understanding of Windows 10 through seeing it in action, and working with it hands-on.

In this course, you will work your way through the labs, demos, and other content to learn about:

• Deployment infrastructure overview

• Applications and updates

• Managing Windows as a Service

• Browsers and Internet Security

• Deploying Secure Boot and Device Guard

• Base system setup

• Configuration

• Managing Client devices

• Advanced Client management

• Analysis of common threats

• Advanced Threat Analytics

• Hardening Windows

• Windows for SMB

• Windows Enterprise Subscription

• Deploying through CSP and managing updates

COMPETENCY ASSESSMENT

Upon completion of the course, you will be given the opportunity to take the Security and Deployment Management assessment for the Windows and Devices competency. This competency provides you with tools, content and resources to help you build and grow your Windows 10 practice and shows customers that you are a trusted expert.

You can register for these events here.

11 Mar.

Updated MAM With And Without MDM App List March 2017 – Now With Microsoft Teams!

The new kid on the Office block is the new kid on the MAM without MDM block – Microsoft Teams. For the last three months or so iOS and Android have been neck and neck for the number of supported apps, but this month Android pulls ahead.

Above – Pre-Microsoft Teams tally under Intune App Protection in Azure Portal.


Above – No Intune App Protection yet for Microsoft Teams

Above – What’s this? Something new for Android

Above – Since I’ve been tracking this I think this is the first time that Android has pulled ahead

With the Intune SDK updates that were released last year for iOS and Android, including releases for Cordova and Xamarin, I’m hoping we see some third party apps appear in these lists soon. That means over the next few months we should hopefully see Azure Active Directory GA in the Azure Portal, existing Intune tenants migrated to the Azure Portal, and third party apps, along with whatever new functionality also gets rolled in. I think it’s going to be a busy few months…

Anyway, with that information, here’s my latest version of the managed apps list.

App

MAM with MDM

MAM without MDM

Multi-Identity

Acronis Access

iOS

Adobe Acrobat

Android

iOS

Box for EMM

iOS

Foxit Mobile PDF

Android

iOS

Microsoft Dynamics CRM

iOS

Android

iOS

Android

Microsoft Excel

iOS

Android

iOS

Android

iOS

Microsoft Intune Managed Browser

iOS

Android

iOS

Android

Microsoft OneDrive For Business

iOS

Android

iOS

Android

iOS

Android

Microsoft OneNote

iOS

iOS

Microsoft Outlook

iOS

Android

iOS

Android

iOS

Android

Microsoft PowerPoint

iOS

Android

iOS

Android

iOS

Microsoft PowerBI

iOS

Android

iOS

Microsoft Remote Desktop

iOS

Android

iOS

Android

Microsoft RMS Sharing/Azure Information Protection

iOS

Android

Android

Microsoft SharePoint

iOS

Android

iOS

Android

Microsoft Skype For Business

iOS

Android

iOS

Android

Microsoft Teams

iOS

Android

Android

Microsoft Word

iOS

Android

iOS

Android

iOS

Microsoft Work Folders

iOS

Android

Outlook Groups

iOS

Android

iOS

Android

SAP Fiori

Yammer

iOS

Android

iOS

Android

What’s worth calling out right now is that the Azure Information Protection app and OneNote app are only available on one of the platforms as far as MAM only/Intune App Protection are concerned.

10 Mar.

Windows 10 DynamicManagement CSP Information On MSDN

This week the MDM documentation for Windows 10 was updated to include information on the DynamicManagement CSP, which will allow devices to behave differently based on location, network or time. There are quite a few different scenarios for using this, including enabling additional security requirements, or alternatively focusing on costs by disabling cellular data when roaming. These policies are enforced even when the MDM service cannot be reached.

The configuration service provider provides the following settings…

  • DynamicManagement
    • NotificationsEnabled
    • ActiveList
    • Contexts
      • ContextID
        • SignalDefinition
        • SettingsPack
        • SettingsPackResponse
        • ContextStatus
        • Altitude
    • AlertsEnabled

Take a look at the full documentation over on MSDN.

3 Mar.

Refreshed version of Windows 10 Deployment And Management Kit Available

For those of you looking for an easy way to set up a Hyper-V based test environment for Windows 10 deployment scenarios, take a look at the updated version over on the TechNet Evaluation Center.

The Windows 10 Deployment and Management Lab Kit provides you with a hands-on lab environment for evaluating the latest Microsoft products and tools available for managing your Windows 10 deployment. The kit includes:

Lab environment

The lab includes the latest evaluation versions of:

  • Windows 10 Enterprise, Version 1607
  • System Center Configuration Manager 1511
  • Windows Assessment and Deployment Kit for Windows 10, version 1607
  • Microsoft Deployment Toolkit 2013 Update 2
  • Microsoft Application Virtualization 5.1
  • Microsoft BitLocker Administration and Monitoring 2.5 SP1
  • Windows Server 2012 R2
  • SQL Server 2014

Step-by-step lab guides

Illustrated lab guides take you through multiple deployment and management scenarios:

  • In-Place Upgrade
  • Image Creation
  • Lite-Touch Deployment
  • Zero-Touch Deployment
  • Managing Windows 10 with Configuration Manager
  • Windows Information Protection
  • Code Integrity
  • Windows 10 Provisioning
  • Application Compatibility
  • Application Virtualization
  • Provisioning
  • Web Application Compatibility
  • Microsoft BitLocker Administration and Monitoring
  • Secure Host
  • Credential Guard
  • Windows Store for Business
  • Upgrade Analytics

Windows 10 Deployment and Management Lab Kit system requirements

The lab supports the 64-bit editions of Windows 10 RTM and Windows Server 2012 R2. It must be imported to set up a lab once Hyper-V is installed.

The Hyper-V Host on which the Windows 10 PoC Lab needs to be imported must meet the following minimum specifications:

  • Hyper-V role installed
  • Administrative rights on the device
  • 300 gigabytes of free disk space
  • High-throughput disk subsystem
  • 32 gigabytes of available memory
  • High-end processor for faster processing
  • An External virtual switch in Hyper-V connecting to the external adapter of the host machine for internet connectivity named External 2
  • A Private virtual switch in Hyper-V for private connectivity between the virtual machines named HYD-Corpnet

The required hardware will vary based on the scale of the provisioned lab and the physical resources assigned to each virtual machine.

Lab expires June 1, 2017. A new version will be published prior to expiration.

Things to Know

This lab kit contains evaluation software that is designed for IT professionals interested in evaluating Windows 10 deployment and management products and tools on behalf of their organization. We do not recommend that you install this evaluation if you are not an IT professional or are not professionally managing corporate networks or devices. Additionally, the lab environment is intended for evaluation purposes only. It is a standalone virtual environment and should not be used or connected to your production environment.

24 Feb.

Windows Server 2016 MCSA Upgrade Exam 70-743

Last week at Ignite Australia 2017 I had to use my MCP credentials to test out the on-site testing facilities, for which I was given a free double-shot exam voucher. Because I’ve already done all of the Windows 10 and EMS related exams that are available I thought I’d try my hand at the Windows Server 2016 70-743 exam. What was the worst that could happen?

Thankfully nothing bad happened, I got through it, but it did highlight just how big and complex Windows Server 2016 is. The updated feature set and the new capabilities in Datacenter edition were more than enough to sink my teeth into, but the thing that has become evident to me with exams like this over the years is that there are huge chunks within Windows Server that I have never really spent any time with. My day to day life with Windows Server doesn’t involve administration, it’s more of a toolbox that I get to play in, primarily hosting VMs, running AD FS, and AAD Connect instances.

These pieces definitely got me through the exam, but the lack of time allocated to preparation showed up with some of the questions: I knew they weren’t hard questions, I just didn’t know enough about the topics they were asking about. Considering that my exam prep involved running through a MeasureUp practice exam and looking at the related articles to the questions, it wasn’t as structured or as hands-on as it should have been. I had allocated two full days of study, but the original exam center I had booked at cancelled the exam, so I had to move it to another testing center and do it a day earlier.

I normally try to sit exams on a Friday afternoon, that way if I pass, I don’t have to worry about them on the weekend, and if I don’t succeed, I’ve got some time to focus on the areas that caught me out. If I hadn’t gotten through this exam, it would have been because of some of the networking pieces, especially IPAM. This was reflected in the score report, which was only broken down as 740/741/742 results, rather than a more granular breakdown.

If you work with Windows Server 2012 R2 in a broad sense, I don’t think that upgrading your certs to Windows Server 2016 will be that tough, but you will need to know about the enhancements in 2016, especially in Datacenter.  Knowledge of PowerShell cmdlets and syntax is required, as well as knowing when you would use the different GUI tools.

I was just lucky that my lack of hands-on over recent years was made up for with the time I had to spend with Windows Server 2016 over the launch period. If you think you might be able to sit this exam, just do it, maybe get a multi-attempt exam voucher if you aren’t confident, but otherwise study up on the new additions, and you should be well on your way.

 
