20 Apr.

Updates to Microsoft Intune on Microsoft Azure – New Microsoft Mechanics Video

A new video has been added to the Microsoft Mechanics channel on YouTube for Updates to Microsoft Intune on Microsoft Azure. It includes demonstrations of Role Based Access Controls, tighter integration with Azure Active Directory Groups, reporting and automation capabilities leveraging the Microsoft Graph API, and more.

20 Apr.

What’s New In The Microsoft Intune Preview In Azure Portal For April 2017

Over the last few weeks I’ve been talking to quite a few people who have started using the Intune preview in the Azure Portal for more of their day to day management tasks, and it’s always interesting to hear the things that most people are excited about. For a while the typical response was “No more Silverlight”, but over time this has changed as people are seeing more functionality light up, as well as new functionality that is being rolled in. Some of the more exciting ones for me are the Windows 10 ones that are opening up scenarios that target education, which is obviously setting the stage for Intune for Education when that becomes available. That’s not to say the Android and iOS updates aren’t welcome, because they certainly are, it’s just that for the next few months that’s the segment I’ll be heavily focused on.

Below is the full list of updates from docs, and as you can see it’s a pretty big list this month, with plenty of links for further information.

April 2017

Support for managed configuration options for Android apps

Android apps in the Play store that support managed configuration options can now be configured by Intune. This feature lets IT view the list of configuration values supported by an app, and provides a guided, first-class UI to allow them to configure those values.

Remote assistance for Android devices

Intune now uses the TeamViewer software, purchased separately, to enable you to give remote assistance to your users who are running Android devices. For more information see Remote control Android devices using TeamViewer.

New Android policy for complex PINs

You can now set a required password type of Numeric complex in an Android device profile for devices that run Android 5.0 and above. Use this setting to prevent device users from creating a PIN that contains repeating or consecutive numbers, like 1111 or 1234.
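To make concrete what that setting rejects, here is an added illustration of such a check (not Intune or Android code). It treats any run of digits with a constant step, whether repeating (1111), ascending (1234, 2468) or descending (4321), as an ordered sequence; the run-length limit of 3 and the minimum length of 4 are this example's assumptions.

```python
"""Illustrative 'numeric complex' PIN check (added example, not Intune/Android code)."""
from typing import Optional

# Assumption for this example: a constant-step run longer than this is rejected.
MAX_RUN = 3


def longest_constant_step_run(digits: str) -> int:
    """Length of the longest stretch in which every digit differs from the
    previous one by the same amount (step 0 = repeating, 1 = ascending,
    -1 = descending, 2 = 2468-style)."""
    if len(digits) < 2:
        return len(digits)
    best = run = 2
    prev_step = int(digits[1]) - int(digits[0])
    for i in range(2, len(digits)):
        step = int(digits[i]) - int(digits[i - 1])
        if step == prev_step:
            run += 1
        else:
            run = 2
            prev_step = step
        best = max(best, run)
    return best


def check_numeric_complex_pin(pin: str, min_length: int = 4) -> Optional[str]:
    """Return None when the PIN is acceptable, otherwise the reason it fails."""
    if not (pin.isascii() and pin.isdigit()):
        return "PIN must contain only digits 0-9"
    if len(pin) < min_length:
        return f"PIN must be at least {min_length} digits"
    if longest_constant_step_run(pin) > MAX_RUN:
        return "PIN contains a repeating or ordered digit sequence"
    return None


if __name__ == "__main__":
    # Constructed sample PINs: the first four should be rejected, the rest accepted.
    for candidate in ("1111", "1234", "4321", "2468", "1237", "2580", "1122"):
        print(candidate, "->", check_numeric_complex_pin(candidate) or "ok")
```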

Additional support for Android for Work devices

    • Manage password and work profile settings – This new Android for Work device restriction policy now lets you manage password and work profile settings on Android for Work devices you manage.
    • Allow data sharing between work and personal profiles – This Android for Work device restriction profile now has new options to help you configure data sharing between work and personal profiles.
    • Restrict copy and paste between work and personal profiles – A new custom device profile for Android for Work devices now lets you restrict whether copy and paste actions between work and personal apps are allowed.

For more information, see Device restrictions for Android for Work.

Assign LOB apps to iOS and Android devices

You can now assign line of business (LOB) apps for iOS (.ipa files) and Android (.apk files) to users or devices.

New device policies for iOS

    • Apps on Home screen – Controls which apps users see on the Home screen of their iOS device. This policy changes the layout of the Home screen, but does not deploy any apps you specified that are not installed.
    • Connections to AirPrint devices – Controls which AirPrint devices (network printers) end users of iOS devices can connect to.
    • Connections to AirPlay devices – Controls which AirPlay devices (like Apple TV) end users of iOS devices can connect to.
    • Custom lock screen message – Configures a custom message that users will see on the lock screen of their iOS device, replacing the default lock screen message. For more information, see Available device actions.


Restrict push notifications for iOS apps

In an Intune device restriction profile, you can now configure the following notification settings for iOS devices:

    • Fully turn notifications on or off for a specified app.
    • Turn on or off the notification in the notification center for a specified app.
    • Specify the alert type, either None, Banner, or Modal Alert.
    • Specify whether badges are allowed for this app.
    • Specify whether notification sounds are allowed.


Configure iOS apps to run in single app mode autonomously

You can now use an Intune device profile to configure iOS devices to run specified apps in autonomous single app mode. When this mode is configured, and the app is run, the device is locked so that it can only run that app. An example of this is when you configure an app that lets users take a test on the device. When the app’s actions are complete, or you remove this policy, the device returns to its normal state.

Configure trusted domains for email and web browsing on iOS devices

From an iOS device restriction profile, you can now configure the following domain settings:

    • Unmarked email domains – Emails that the user sends or receives which don’t match the domains you specify here will be marked as untrusted.
    • Managed web domains – Documents downloaded from the URLs you specify here will be considered managed (Safari only).
    • Safari password auto-fill domains – Users can save passwords in Safari only from URLs matching the patterns you specify here. To use this setting, the device must be in supervised mode and not configured for multiple users. (iOS 9.3+)


VPP apps available in iOS Company Portal

You can now assign iOS volume-purchased (VPP) apps as Available installs to end users. End users will need an Apple Store account to install the app.

Synchronize eBooks from Apple VPP Store

You can now synchronize books you purchased from the Apple volume-purchase program store with Intune, and assign these to users.

Multi-user management for Samsung KNOX Standard devices

Devices that run Samsung KNOX Standard are now supported for multi-user management by Intune. This means that end users can sign in and out of the device with their Azure Active Directory credentials, and the device is centrally managed whether it’s in use or not. When end users sign in, they have access to apps and additionally get any policies applied to them. When users sign out, all app data is cleared.

Additional Windows device restriction settings

We’ve added support for additional Windows device restriction settings like additional Edge browser support, device lock screen customization, start menu customizations, Windows Spotlight search, set wallpaper, and proxy settings.

Multi-user support for Windows 10 Creators Update

We’ve added support for multi-user management for devices that run the Windows 10 Creators Update and are Azure Active Directory domain-joined. This means that when different standard users log onto the device with their Azure AD credentials, they will receive any apps and policies that were assigned to their user name. Users cannot currently use the Company Portal for self-service scenarios like installing apps.

Fresh Start for Windows 10 PCs

A new Fresh Start device action for Windows 10 PCs is now available. When you issue this action, any apps that were installed on the PC are removed, and the PC is automatically updated to the latest version of Windows. This can be used to help remove pre-installed OEM apps that are often delivered with a new PC. You can configure if user data is retained when this device action is issued.

Additional Windows 10 upgrade paths

You can now create an edition upgrade policy to upgrade devices to the following additional Windows 10 editions:

    • Windows 10 Professional
    • Windows 10 Professional N
    • Windows 10 Professional Education
    • Windows 10 Professional Education N


Bulk Enroll Windows 10 devices

You can now join large numbers of devices that run the Windows 10 Creators Update to Azure Active Directory and Intune with Windows Configuration Designer (WCD). To enable bulk MDM enrollment for your Azure AD tenant, create a provisioning package that joins devices to your Azure AD tenant using Windows Configuration Designer, and apply the package to the corporate-owned devices you’d like to bulk enroll and manage. Once the package is applied to your devices, they will join Azure AD, enroll in Intune, and be ready for your Azure AD users to log on. Azure AD users are standard users on these devices and receive assigned policies and required apps. Self-service and Company Portal scenarios are not supported at this time.

New MAM settings for PIN and managed storage locations

Two new app settings are now available to help you with mobile application management (MAM) scenarios:

    • Disable app PIN when device PIN is managed – Detects if a device PIN is present on the enrolled device, and if so, bypasses the app PIN triggered by the app protection policies. This setting will allow for a reduction in the number of times a PIN prompt is displayed to users opening a MAM-enabled application on an enrolled device. This feature is available for both Android and iOS.
    • Select which storage services corporate data can be saved to – Allows you to specify which storage locations corporate data can be saved to. Users can save to the selected storage location services, which means all other storage location services not listed will be blocked.

List of supported storage location services:

    • OneDrive
    • Business SharePoint Online
    • Local storage

18 Apr.

Configuring Windows Information Protection In The Azure Portal Preview

A few weeks ago I made several posts about Azure Active Directory Preview in the Azure Portal, and this week it’s time to start looking at some of the Intune preview capabilities in the Azure Portal. Today I’ll start with Windows Information Protection, which has moved into the Intune Mobile Application Management blade.

Previously this is where the Platform choices (highlighted above) only showed iOS and Android, but now we have Windows 10 making a long overdue appearance. Once I fill out the Name and Description I choose to Add apps.

Add Apps provides the option of adding Recommended Apps as one of the options, which you can see is a collection of Microsoft Desktop and Store apps.

Once the Recommended Apps have been added (you don’t need to select them, or select them all), you can then choose to customise the app list further by clicking Add apps.

Now we can add Store apps.

And Desktop apps.

We can also choose to Import apps via AppLocker XML files.

We can also Add apps that are exempt.

Required settings provides options that should look familiar if you have configured WIP from the Silverlight-based classic Intune portal.

The first page of Configure advanced settings gives the ability to start identifying the trusted network boundaries, and how Data protection should be enforced.

You can add the Name and Value of several identified boundaries.

Enabling Windows Hello for Business as a sign in method is also configured here.

Finally we need to deploy this, so we need to choose Add user group and then we can target the users we want the policy to apply to.

29 Mar.

AAD Self Service Group Management In the Azure Portal

Following on from the last two posts, this time the focus is on Azure Active Directory Self Service Group Management capabilities.

Figure 1: The first step is enabling the Self Service Group Management settings in the Azure Portal, under Directory, Users and Groups – Group settings, General settings.

Figure 2: Signed in as Admin, I choose the option to Create Group.

Figure 3: Choose the appropriate details; in this case I have selected the Group policy of The group requires owner approval and Group type of Security.

Figure 4: The Marketing group now appears underneath Groups I own

Figure 5: Signed in as the user Cloud, they are only a member of four groups. Here I select Join group.

Figure 6: After finding the Marketing group, I can choose to Join Group

Figure 7: I need to provide a Business justification.

Figure 8: I receive notice that the request has been sent.

Figure 9: Admin receives notification via email and via the notification icon that there is something that needs their attention.

Figure 10: The notification advises that the request needs to be approved.

Figure 11: Just confirming that I want to Approve the request

Figure 12: Switching back to the user Cloud, we can see that the Marketing group is now listed.

Figure 13: We can now see the details of the Marketing group

Figure 14: Going back to Apps for the user Cloud, we can see the SaaS apps they have access to. We want to make members of the Marketing group able to use an additional Twitter account we have just added.

Figure 15: Back in the portal I can select the ausmarkos Twitter app

Figure 16: I assign the Marketing group to the ausmarkos Twitter app

Figure 17: Back in the myapps portal as Cloud user, I can see that ausmarkos Twitter has been added to the top of the Apps list

29 Mar.

AAD Application Proxy In The Azure Portal

Following on from yesterday’s post, I’ll continue with the app publishing story, but this time via the Azure Active Directory Application Proxy. The app proxy allows you to publish on-prem web apps, while leveraging the identity security benefits that Azure Active Directory provides.

Figure 1: The initial steps for setting up the AAD App Proxy include choosing Enterprise Applications within Azure Active Directory, and then clicking Application Proxy

Figure 2: Next we need to choose Download Connector

Figure 3: From the server where we want to run the connector we run setup.

Figure 4: The only configuration we need to perform on the server is signing in to our Azure AD Global Admin account.

Figure 5: Switching back to the Azure Portal, choose Add an application, and then populate the Add your own on-premises application

Figure 6: Once the new app has been added, we can make some customisations, including enabling the app and choosing a logo, amongst others.

Figure 7: Next we should add a test user or group, and we do this via Add Assignment, Users and Groups, and Invite.

Figure 8: Signing in to myapps.microsoft.com we can see that internalapp is now published to Admin

Figure 9: Clicking on internalapp opens up a new tab, where you can see the msappproxy.net URL and the successfully loaded web page from the internal server we published.

28 Mar.

AAD App Integration In the Azure Portal

This is the first in a series of posts focused on performing common Azure Active Directory tasks in the Ibiza portal, starting with app integration. The other posts in this series will cover topics such as Self Service Group Management, Self Service Password Reset, Multi-Factor Authentication and Conditional Access.

Figure 1: A customised view of the Azure Portal with a focus on the components of the Enterprise Mobility + Security suite from Microsoft.

Figure 2: After selecting the Directory tile, we can see the options that are available, including Enterprise applications.

Figure 3: Enterprise Applications allows us to Add a new app from the details blade, or alternatively we view the available apps from All applications

Figure 4: After selecting Add we are shown the Categories and Add an application blades, which shows the library of existing SaaS apps that have already been integrated, or we can choose to integrate custom line of business apps, set up the AAD Application Proxy, or add another app that isn’t in the gallery.

Figure 5: From the gallery I have chosen to integrate Twitter

Figure 6: To easily identify this app amongst multiple Twitter accounts used in the organisation, I’ve named this one after the account it will be sharing

Figure 7: Intunedin Twitter now appears in All applications

Figure 8: As this has just been created, there are no users or groups assigned, and no activity

Figure 9: You can now Add groups or users to the application

Figure 10: I have selected an existing AAD Security Group – Intunedin tweeters, and can now Assign the app to that group.

Figure 11: We can now see intunedin tweeters in Users and groups, and can Add other users and groups if needed.

Figure 12: For Single sign-on for Twitter we choose Password-based Sign-on and then Save

Figure 13: With Single sign-on enabled, Update Credentials is now available from Users and groups

Figure 14: After selecting Update Credentials the User Name and Password can be entered for the shared account

Figure 15: After adding the Cloud user to the intunedin tweeters group, the Intunedin Twitter app appears in MyApps

Figure 16: Clicking Intunedin Twitter opens Twitter in another tab and signs in via password vaulting

28 Mar.

Intune Preview Portal Updates For March 2017

This month the Intune preview in Azure gets additional capabilities, including iOS Lost Mode, Device Actions, custom app categories and LOB app assignment to unenrolled devices, along with new compliance reports.

Support for iOS Lost Mode

For iOS 9.3 and later devices, Intune added support for Lost Mode. You can now lock down a device to prevent all use and display a message and contact phone number on the device lock screen.

The end user will not be able to unlock the device until an admin disables Lost Mode. When Lost Mode is enabled, you can use the Locate device action to display the geographical location of the device on a map in the Intune console.

The device must be a corporate-owned iOS device, enrolled through DEP, that is in supervised mode.

For more information, see What is Microsoft Intune device management?

Improvements to Device Actions report

We’ve made improvements to the Device Actions report to improve performance. Additionally, you can now filter the report by state. For example, you could filter the report to show only device actions that were completed.

Actions for non-compliance

Actions for non-compliance is a new feature of compliance policies that lets you take action on devices that are out of compliance. You can specify single or multiple actions and specify the time period at which those actions must occur. For example, you can notify users of non-compliant devices immediately after the devices become non-compliant through email, or you can block non-compliant devices from accessing corporate resources after a 3-day grace period via Conditional Access.

Custom app categories

You can now create, edit, and assign categories for apps you add to Intune. Currently, categories can only be specified in English. See How to add an app to Intune.

Assign LOB apps to users with unenrolled devices

You can now assign line of business apps from the store to users whether or not their devices are enrolled with Intune. If the user’s device is not enrolled with Intune, they must go to the Company Portal website to install it, instead of the Company Portal app.

New compliance reports

You now have compliance reports that give you the compliance posture of devices in your company and allow you to quickly troubleshoot compliance-related issues encountered by your users. You can view information about:

    • Overall compliance state of devices
    • Compliance state for an individual setting
    • Compliance state for an individual policy

You can also use these reports to drill-down into an individual device to view specific settings and policies that affect that device.

Direct access to Apple enrollment scenarios

For Intune accounts created after January 2017, Intune has enabled direct access to Apple enrollment scenarios using the Enroll Devices workload in the Azure Preview portal. Previously, the Apple enrollment preview was only accessible from links in the classic Intune portal. Intune accounts created before January 2017 will require a one-time migration before these features are available in Azure. The schedule for migration has not been announced yet, but details will be made available as soon as possible. We strongly recommend creating a trial account to test out the new experience if your existing account cannot access the preview.

28 Mar.

Intune Updates March 2017

Another month, another round of updates for Intune, including an updated Company Portal app for Android, non-managed devices accessing assigned apps and an app signing script for Windows 10 Company Portal.

Full details below from docs.

New Capabilities

New user experience for the Company Portal app for Android

The Company Portal app for Android will be updating its user interface for a more modern look and feel, and better user experience. The notable updates are:

    • Colors: Company Portal tab headers are colored in IT-defined branding.
    • Apps: In the Apps tab, the Featured Apps and All Apps buttons are updated.
    • Search: In the Apps tab, the Search button is a floating action button.
    • Navigating Apps: All Apps view shows a tabbed view of Featured, All, and Categories for easier navigation.
    • Support: My Devices and Contact IT tabs are updated to improve readability.


For more details about these changes, see UI updates for Intune end user apps.

Non-managed devices can access assigned apps

As part of the design changes on the Company Portal website, iOS and Android users will be able to install apps assigned to them as “available without enrollment” on their non-managed devices. Using their Intune credentials, users will be able to log into the Company Portal website and see the list of apps assigned to them. The app packages of the “available without enrollment” apps are made available for download via the Company Portal website. Apps which require enrollment for installation are not affected by this change, as users will be prompted to enroll their device if they wish to install those apps.

Signing Script for Windows 10 Company Portal

If you need to download and sideload the Windows 10 Company Portal app, you can now use a script to simplify and streamline the app-signing process for your organization. To download the script and the instructions for using it, see Microsoft Intune Signing Script for Windows 10 Company Portal on TechNet Gallery. For more details about this announcement, see Updating your Windows 10 Company Portal app on the Intune Support Team Blog.

22 Mar.

Update to Intune App Protection – Microsoft Teams On iOS Now Available

Just a minor update to the March 2017 Intune App Protection list for standalone MAM support – Microsoft Teams for iOS was added, as seen below in the screenshot.


18 Mar.

Blockers For Migrating Intune Tenants

Over the last few weeks I’ve had a few ad-hoc conversations around the requirements for making sure the transition to the new AAD groups and portal goes smoothly, and a post on the topic has just appeared over on the Intune Support blog. In the post they mention six things to clean up to ensure a faster, smoother transition. While the removal of the Silverlight requirement is a big improvement from a browser compatibility perspective, the consolidation of the management portals required, and the consistency delivered by a common portal UI and access via the Graph API, are where the benefits really shine.

1 – Policies or apps targeted to ungrouped users/devices

2 – Using Exclusion Groups

3 – Using Nested Groups (also called Implicit Exclusion Groups)

4 – Any groups using the ‘Is Manager’ clause

5 – You have conflicting App deployment rules

6 – You are using an old version (prior to December 2016) of the Exchange connector for Intune

Take a look over at the full post here.
