Author: Ola Ström

Categories
Intune for noobs

Intune lab for noobs – part 4 // iOS

This is the fourth part of the series of building your own Microsoft Intune lab. We will take some shortcuts and do some dirty tricks, just to get going. So please don’t use this as an implementation guide in a real environment. We will also skip a lot of fancy steps as getting a real domain name and having an on-premises AD. But if you already have those in your lab, that’s great!

In this part, we will look at iOS management and how to get going! To test this, you will need an iPhone or an iPad which we can enroll. No reset of the device will be needed.

In the second part of this guide, we configured the Apple MDM Push certificate, which means that we have the basics down for managing iOS, iPadOS and macOS. In this guide we will only look a basic configuration for iOS and iPadOS (it’s the same policies).

There are two types of profiles and policies we will create one Configuration Profile and one Compliance Policy. We will also add an app to distribute.

Configuration Profile

Like always, we are doing everything from the Microsoft Intune portal at endpoint.microsoft.com. Once you have signed in, navigate to Devices > iOS/iPadOS in the left side menu.

Select “Configuration profile” and then click “+ Create profile“.

Select “Device restrictions” as Profile type and click Create at the bottom of the page.

In this example we will create a profile which requires the user to set a PIN for the device. Give the profile a good name, I will call my profile iOS PIN Requirement since its for iOS and the profiles purpose is to require a PIN. Click Next.

Find and expand the category Password to display all available settings for PIN. Some settings will not be applicable since we will not use Apple Automated Device Enrollment.

For this lab, we will require a password (or PIN) which has six digits, we will block the use of a simple code (such as 111111 or such) and we will wipe the device after 10 failed attempts. We will also require PIN immediately when device is locked and lock the screen after 5 minutes.

Since we will not block FaceID or TouchID, this can be used to unlock the device.

When you have set these settings, click Next.

The next step is to assign this profile to our users (we will use user-targeting to have the settings follow the user). Find your user-group that we created in the second part and add that as an included group. When you have added the group, click Next.

Review your settings and click Create.

We have now successfully created a configuration which will require the user to set a PIN on their device.

Compliance Policy

Compliance policies are used to audit if user’s device is following the security messures we have required them to use. We can also notify the user if their device is not compliant.

Navigate to Device > iOS/iPadOS in the left side menu and find “Compliance policies“. Click “+ Create Policy” and then click Create.

You will need to give your policy a name, and in this policy, we will only look if PIN requirements are met. It’s a good idea to create one policy per setting category you are looking at to be able to target end-user information better.

Find and expand the System Security category to display the policy settings for the PIN. For this policy, we want to mimic the settings we set with the configuration profile to verify that the user has set up the PIN according to our requirements.

Once you have set the settings to the same values as the configuration profile, click Next.

Next step is to set what actions will happen if the device is not compliant. We will leave the default “Mark as compliant” and add “Send push notification to end user” and set the schedule to 0 days. Click Next.

We will now assign this to our user group and click Next.

Review your settings before you click Create.

We have now created a compliance policy which will audit the end-user to verify that the PIN is set correctly. If the PIN is missing or incorrect, the device will be flagged as non-compliant, and Microsoft Intune will send a push notification to the end-user’s device.

The compliance value can be used as a condition in a Conditional Access rule.

Application distribution

Of course, we need to distribute applications to our device. For this, we will once again utilize the guided scenarios in Microsoft Intune.

Click on Home in the left side menu and find the “Deploy Edge for mobile” scenario and press Start. If it’s not visible on the landing page, click on “See all >” next to the heading for guided scenarios.

Read through the initial information and click Next.

Add a prefix which will be displayed on the application configuration which will be created and click Next.

Add a Homepage shortcut URL which will be shown as the first link icon on in the Edge application, you can also leave this blank. Then press Next.

We will once again assign this to our user group before we press Next.

Review your settings before you click Create on the last page.

We have now successfully deployed the Microsoft Edge application to both Android and iOS devices.

You can review the application if you navigate to Apps > All apps, where you can see all applications which has been added to your environment. You can also filter out each platform by selection each platform in the left side menu.

The application configuration which where created as part of this guided scenario can be found under Apps > App configuration policies.

Feel free to add additional apps to your environment, easiest is to go to Apps > iOS then select “+ Add” and select “iOS Store app” as App type. Then search for the app that you which to deploy to your devices.

Search for an application you want to deploy by clicking on “Search the app store” and search for an application. When you have found your application, click Select then leave all information to default and click Next.

Applications can be setup as either required or available. Required means that it will be automatically installed, available means that the user will see the application in the Company Portal and install it from there. Since our other application is set as required, we will make this available for enrolled devices by targeting the assignment towards our user group. When you have added the group, click Next.

On the last page, review your settings before you click Create.

You have now successfully added an second app to your iOS devices.

Enroll your device!

Now it’s time to enroll your device by downloading the Company Portal from the Apple AppStore, this will require an Apple ID to download.

Once you have downloaded the application, open the app and sign in with the user we created earlier.

You will be prompted that your device is not managed and asked to enroll it.

Follow the guide through the process.

Once you have enrolled your device, you will notice that the Microsoft Edge application will be installed and that you will be asked to set a PIN code which meets the requirements set earlier in this part.

Navigate to Device > iOS/iPadOS and you will see your device listed. Click on the device to show more settings and to perform remote actions such as removing the PIN, retiring the device which will remove the enrollment or completely wipe the device which will perform a factory reset.

You will also notice that some actions are grayed out since we are not using the Apple Automate Device Enrollment program.

Ending notes…

You can add additional Configuration profiles to your device and applications. Feel free to play around a bit with it and see what you can do!

In the next part, we will setup management for Android.

Categories
Intune for noobs

Intune lab for noobs – part 5 // Android

This is the fifth part of the series of building your own Microsoft Intune lab. We will take some shortcuts and do some dirty tricks, just to get going. So please don’t use this as an implementation guide in a real environment. We will also skip a lot of fancy steps as getting a real domain name and having an on-premises AD. But if you already have those in your lab, that’s great!

For Android, there are a handfull of ways we can manage these. In this guide, we will configure Microsoft Intune to manage the method called “Personally owned device with work profile” which is the simplest wat to manage Android devices where we only have control over the corporate data, which is separated from the personal data.

For Android, we will setup the enrollment method, add a configuration profile, a compliance policy and add an application.

Configure enrollment

Navigate to Devices > Android and select Android Enrollment. This will list all available enrollment methods for Android.

For this lab, we will use the “Personally owned device with work profile” which is the simplest and easiest Android management method to get started with (and it doesn’t require you to reset your device to enroll).

Click on the box “Personally owned device with work profile“.

As you will see by the message you are presented with, this is enabled by default. This means that we do not need to make any further configurations.

Configuration profile

To create a Configuration Profile navigate to Devices > Android and select Configuration profiles in the left side menu.

Click on “+ Create profile” to create a new profile. As Platform select “Android Enterprise” and as Profile type select “Device Restrictions” under the “Personally Owned Work Profile” section. Then click Create.

On the first page, give your profile a name and click Next. I use Android as a prefix to indicate that it’s a profile for Android followed by the PIN Requirements to indicate what the profile does.

Find and expand the category Device password. Here we will add similar settings as we did with iOS/iPadOS which is to use Numeric Complex password type which blocks simple password (such as 111111 and similar) and we will require the PIN to be at least six digits. Facial recognition or fingerprint sensors will be available to use instead of PIN. When you have added these settings, click Next.

Assign the profile to your user group and press Next.

On the last page, review your settings and click Create.

We have now successfully created a configuration profile which will require a PIN to be set on our enrolled devices.

Compliance Policy

As with the iOS/iPadOS configuration, we will create a compliance policy which will audit the device to make sure that the PIN requirements are met.

Navigate to Device > Android and select Compliance policies and click “+ Create policy“. Select “Android Enterprise” as Platform and “Personally owned device with work profile” as Profile type. Then click Create.

Give your policy a good name and click Next.

Find and expand the category System Security and configure the password requirements to mimic the configuration profile. Once you have added this, click Next.

On the next page, we will leave the default action but we will add the option “Send notification to end user” and leave the schedule to the default value 0 and then click Next.

On the next page, we will add our user group and click Next.

On the last page, review your settings and then click Create.

We have now successfully created a compliance policy which will audit if the user has set a PIN which meets our requirements.

Applications

In the iOS guide, we used a Guided scenario to deploy Microsoft Edge to bot iOS, iPadOS and Android. This means that the Microsoft Edge appliucation will be automatically installed on the Android devices as well.

But we need more than one application, hence we will add one more.

Navigate to Apps > Android and press “+ Add“. Select “Managed Google Play app” as App type and press Select.

Search for an application you want to add and select Approve on the application.

Once the application has been approved, press Sync in the upper left corner of the window. This will take you back to the application list.

Wait a few minutes and then click Refresh on the app list page in order to display your new applications. You will notice that the Assinged status on all new applications are set to “No” which means that no users has been assigned to the applictiaon yet.

To assign the application to a group to distribute it to your devices, click on the application and select Properties in the left side menu.

Click on Edit next to Assignments to add a group to distribute this towards. Add your user group to Available for enrolled devices and click Review + save. Then on the review page click save.

We have now successfully made the application available to all our enrolled Android devices in the Managed Google Play store.

Enroll your device

Now its time to enroll your device and in this scenario it requires the device to be rested to factory default.

On the first page where you are asked to select language, tap five times fast in order to trigger the QR code scanner.

Go to Devices > Android > Android enrollment and select the profile you created earlier. Click on Token and scan the QR which is displayed.

Follow the enrollment guide on your screen (this will vary depending on which version of Android you are running).

Once enrollment is completed, you can find your device if you go to Devices > Android > Android Devices. Click on your device to show more information and perform remote actions such as wipe or removing the PIN if the user has forgotten it.

Ending notes…

There are many ways to manage Android, and in this guide, we went through the simplest one. There is also a method called “Corporate-owned devices with work profile” which is the most powerful method, in my honest opinion. this however requires you to reset your device before enrollment. You will also need to create new Configuration profiles and Compliance policies for this method since it operates a bit different.

I really encourage you to keep playing around with Intune and try out more stuff. We only scratched the surface in this guide, but you have a good foundation to build upon!

Categories
Intune

Get more information on device compliance

Device compliance is an area which is getting increasingly important and having your devices reporting a “Compliant” status is crucial for Conditional Access to work in a user-friendly way.

But sometimes you end up with a bunch of devices reporting error on a specific compliance setting. The Intune reporting on Compliance leaves you hanging with either a report on just all your “non-compliant” devices or the count on how many devices have a specific error. Figuring out which devices has a specific error is not an easy task.

After digging around a bit I stumbled upon this post INTUNE: REPORT ALL DEVICES THAT ARE NON-COMPLIANT BECAUSE THEY ARE INACTIVE – Microsoft Tech Community which explained how to get this data using Graph API. You get a lot of information from this query.

Since I wasn’t really interested in inactive devices, I needed to tweak the GET query a bit ending up with the following query, since I was looking for devices with a firewall issue.

https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicySettingStateSummaries/Windows10CompliancePolicy.ActiveFirewallRequired/deviceComplianceSettingStates?$filter=state eq 'nonCompliant'

If we break down the string a bit you can actually filter this based on the specific compliance setting you want to find.

  1. “https://graph.microsoft.com/v1.0/deviceManagement/” – This is the Graph connection string
  2. “deviceCompliancePolicySettingStateSummaries/” – this defines that we want to look at compliance policy setting state
  3. “Windows10CompliancePolicy” – this is the name of my compliance policy, so this will depend on your naming
  4. “.ActiveFirewallRequired/” – this defines which setting we are looking at
  5. “deviceComplianceSettingStates?$filter=state eq ‘nonCompliant'” – this filters out which state we are looking for. You can change this to “Compliant” to find compliant devices instead

So, if you want to look at another setting than the firewall as in this example, you simply replace that part in the string with the name of what setting you are looking for. Easiest way to find all the setting names in your tenant is to simply run:

https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicySettingStateSummaries

This will list all settings and setting names in your tenant.

When you have built your own GET string you will be able to pull the data you need and get information about what devices in a simpler way.

I’m still trying to figure out how to export this in a good way other than the classic copy paste (I’m really bad with PowerShell). Once I figure that out, I’ll post a part two of this! Or if you have a good solution for this, feel free to reuse this or post a link to your solution in the comments!

Categories
Modern Workplace

Naming conventions

Ah the precious naming convention. Something that has historically been particularly important, and still is today but in a bit of a different way.

Lately this topic has come up in various situations, and I had started a post about this a few years ago talking about how we did it back then and the reasoning behind how we did back at my former employer. But then life happens and I’m now working in a completely different role.

How did we get here?

So, this whole topic has somewhat of a history. Naming conventions, or naming standards, have always been a hot topic with things almost viewed as you can do it in a correct way or a wrong way (this is extremely exaggerated). Naming things can be an art, where you compress things as much as possible to have as much information as possible in the name of things.

Let’s take computer names for an example, everyone has a standard for this and its roughly the same idea everywhere:

  • You want to identify in which country the device is [SE]
  • You want to identify which city, office, or business unit [STO]
  • Based on historical decisions, you want to separate laptop and desktop [L] / [D]
  • You throw in the word PC to identify it as a PC and not something else [PC]
  • You have a number sequence at the end [1234]

This would give you a computer name such as SESTOLPC1234.

Does this sound familiar? Many choices you made several years back are still present in the name since you haven’t managed to get rid of it due to different internal discussions never leading to a decision.

Same would go for your security groups and distribution groups, you have prefixes based on different objects. Same goes for your Intune profile names.

Does names matter?

So, the big question, does this really matter anymore? I would argue that it does, but not in the same way as it used to do.

At the end of the day, this is only a name. Having a diverse IT environment as workplaces are today, we can only control the naming of a subset of all devices (mainly Windows PCs). This means that your iPhones, iPads, Androids, and Macs won’t follow your naming convention since they simply do not support this fully.

The name is to help identify the device, but if you look at your inventory in e.g. Microsoft Intune, I would guess that most of your iPhones are called “iPhone” leaving your clueless anyway. All devices (except for shared) are connected to a user, so you are usually better of finding devices based on the user. The device also has a lot of meta data which is searchable, such as serial number, which is an effective way of finding the device since the device name is something that potentially changes during the lifecycle of a device.

Key take away

The naming of devices is maybe not as important as it used to be, but there might be scenarios where its useful. The most important thing to remember is that there are no right or wrongs, it’s all based upon the wants and needs of your organization and what makes sense to you. All the different device platforms in the office space supports this in different ways as well, so what is possible on your Windows device might not be possible on your Android devices.

What I usually do for Windows is to use a three-letter pre-fix and the serial number as a name. This pre-fix changes depending on the type of device. One setup could be like this:

  • OPC-1234567 where OPC stands for Office PC
  • SPC-1234567 where SPC stands for Shared PC
  • MTR-1234567 where MTR stands for Microsoft Teams Room
  • KIO-1234567 where KIO stands for Kiosk

Setting names like this is mostly to easily identify what flavour of a Windows device it is, but that would be even better to add as meta-data to the device or using e.g. scope-tags or device categories. There are many ways to add that information to the device, but using different pre-fixes are the simplest.

At the end of the day, device name is something that is more for convenience rather than functionality. Even if my computer is called “Olas computer” or “DESKTOP-Q2E3RE” it would be possible to add it to dynamic groups and find information about it.

Categories
Intune Modern Workplace

Once you go Mac…

I used to be an avid Mac user and major Apple fanboy back in like 2011-2013. Then I joined Microsoft and got to see the other side, the dark side… Somewhere in the hidden corners of the internet, I even have a blog post called “once you go Mac, you never go back” saying I would never use anything else then a Mac.

Jokes a side. Coming out of a more communications and media technology world from college, Apple and Macs was the best there was. Then the iPhone came along and changed the whole mobile device world.

I was a Mac user from around 2008 until 2017 even if in the later years I rarely used my personal Mac. Then the Surface Laptop was released and that’s what my personal laptop still is.
Now that I’m about 10 years older than in 2011 and I have a completely different approach to things. One is not better than the other, it totally depends on who will use it if it’s better or not.

This post will not cover HOW to configure, more discuss why and what.

macOS and management

So, how would you go at this?

Just like for mobile devices, there are a lot of different tools for managing macOS. As usual, my approach is Microsoft Intune, but for macOS specifically there might be other tools like Jamf Pro which has a lot more features (but also comes with a completely different price tag).

You know I’m all for making use of what you have and getting the most bang for your buck, so let’s talk about macOS and Microsoft Intune.

Setting the expectations right

One thing to keep in mind when it comes to managing macOS. The possibilities are not even close to what you can do on a Windows 10 machine, and what we can control comes down to what APIs Apple allows mobile device management tools to use. Setting up management for macOS and expecting the functionality of a domain joined computer, this is not what you will get.

The experience is more closely related to how you approach managing mobile device. You put a management layer on top of the experience. There basically three ways to view management of Mac’s:

  • Automated Device Enrollment
  • Device Enrollment
  • User enrolled

The two first ones are the most common ones while User enrolled is more for BYOD scenarios and gives less functionality and manageability. Both device-based methods are very similar, but the Automate Device Enrollment makes use of the Apple Automated Device Enrollment service, ADE (previously DEP), which will increase the possibilities for management and prohibit the user from removing the enrollment.

The experience to enroll macOS is more closely related to how you approach managing mobile device. You put a management layer on top of the experience. macOS utilizes what is called “User Approved enrollment” which means that the user must ALLWAYS approve the installation of management profiles, even is automated device enrollment is used. This will add extra steps to the enrollment process compared to mobile or Windows devices where this is automated in a higher degree.

If you are looking for a more deeply integrated management method, Jamf Pro is more where you need to head, but then we are talking additional licensing.

What to manage

Moving on to what you need to manage on the device. This is of course based on your organizational needs, both regarding configurations and security. There are however a few things that might be a good minimum, such as:

  • Wi-Fi settings
  • Encryption and FileVault (macOS equalent to Bitlocker)
  • PIN/Password
  • Endpoint protection
  • Application distribution
  • Compliance settings
  • SSO extension

There are a lot of more things we could potentially configure, but keeping it to a bare minimum, this is a great start and does not limit us from expanding this down the road.

One thing to use as a guiding principle is to think about what you NEED to manage and not configure settings just because you can. Is there a need to block let’s say Spotlight suggestions, or could this be useful for the user and resulting in a poorer end-user experience? This is important to keep in mind for all platforms, not only macOS to be honest. Don’t block just because you can, configure based on needs.

Why manage?

So why do you want to manage your Mac’s? That is the million-dollar question and something that you need to figure out before even starting. This doesn’t need to be super fancy or technical, just define the goal you have. This might be:

  • Ensure that all devices are secure
  • Get inventory of what devices are used
  • Provide your users with a better experience

Or you could have more defined demands coming from your organization regarding legal demands or security demands.

By managing your Mac’s, you will gain a better understanding of what devices are used within your organization and you can ensure that you provide your users with a good and secure platform. By managing the device, you can also provide settings such as Wi-Fi access automatically to the devices without the need for the end-user to know where to find the information. Same would go for applications. You will bring the platform closer to what you know and love when it comes to device management even though the expectations need to be separate from let’s say the Windows platform.

Categories
Me Tips & Tricks

Creating a workplace at home

So, I’m about 10 months late on this topic now that we have all been from home for such a long time. The discussion is turning more towards how we can move BACK to the offices, how and when that can and will be done.

For me, this is an important topic and I thought I would share my learnings from the past 10 months regarding creating a workspace at home.

I really understand that not everyone has the living situation allowing them to set up a good working place. In our apartment we had to set up an extra workplace since both me and my girlfriend are working from home full time for a foreseeable future. This ment some compromises when it comes to optimal space since we only had one spare room, putting my workplace in the bedroom.

Please bear in mind that these are important to me and I totally understand if you don’t have the space, ambition, or willingness to go down this path.

A real desk and a chair you like

Even if it’s quite convenient to setup your office at the kitchen table, it’s far from optimal for several reason. Even though it’s nice to be close to the coffee maker, this is not good for your back and sholders.

Given that you have the space, getting a real desk and chair makes wonders. It doesn’t have to be one of those adjustable desks or expensive gaming chairs. Simple stuff from IKEA is a good start!

For me, this is the most important part. I can leave everything else out, but I need a decent desk and chair to work from home.

A monitor

Having an external monitor is important from a whole lot of aspects. You get some extra real estate while working on those spreadsheets and most importantly you end up in a more ergonomic posture, raising your line of sight. Being someone who has worked extensively from only a laptop monitor in the past, this has become important. For me, it doesn’t have to be a fancy, top-of-the-line screen, even though it does have to have okay aesthetic since it becomes a part of the interior decoration for the room.

A keyboard and mouse you enjoy

This has been one of the bigger pet peeves for me. Finding a good keyboard and mouse. I’ve also discovered I’m fussy on this topic and I have quite specific expectations.

I’ve been using the Microsoft Arc Mouse for a long time, and I really enjoy it. However, that has always been more of a “travel mouse” for when on the go or not at a real desk. It’s a bit small and not to ergonomic for my taste. I was also using an old “all-in-one” Microsoft keyboard which had a bad typing experience.

Those are now replaced with new fancy stuff, Microsoft Compact Designer Keyboard, and a Microsoft Ergonomic Bluetooth Mouse which I really like.

Since I spend a lot of time typing, the keyboard experience is important, and this keyboard feels just like a laptop keyboard (I’m NOT a fan at all of mechanic keyboards).

A webcam

This is something simple and for remote work important to have good Teams meetings. If your setup includes an external monitor, getting an external webcam will really increase your meeting experience. You will be facing the correct screen compared to using your built-in webcam from the laptop, which will not present you in profile and you will be perceived as more engaged in the meeting since you will be looking the in the correct direction.

Keep a clean desk policy

I’ve always been a fan of this, both at the office and at home. Getting stuff out of the way and de-clutter my workspace removes all distractions. It’s also nice to start the workday fresh and since my workplace is in the bedroom, clearing up the desk helps me disconnect.

Take breaks

This is the area I need to improve the most on. I’m bad at taking breaks. However, I do try to take at least one 20–30-minute walk everyday with our dog. But I tend to eat lunch in front of the computer and just go to the kitchen for refill of water or coffee, so more like micro breaks.

Be flexible

This is another area of improvement for me, I tend to not move around as much as I would like. But being flexible where you work from, just like you would at an office, makes you don’t have to stare at the same wall day in and day out. It could give you a sense of an activity-based office. My idea how I will handle 2021 is to start my day at the table dinner table in the living room and then move into my office space when I’ve finished my coffee. However, I still some way to go on that point.

For me, being flexible could also mean that you bring your workspace to new places, or even outside when winter is over. After working as a traveling consultant for several years, my essential office still fits in a backpack.

Evolve your workspace

My home workspace is always evolving and improving. As or right now I have to things I’m thinking about. Replacing the desk for an adjustable one and figure out a good lightning setup with a low fotprint to improve the lighting for Teams meetings.

I also have about a thousand ideas what I would like to do, which are not possible now due to room limitations. But I have dreams of what my home office should look like, and it doesn’t really include that much technology. It has more to do what I want my space to look like.

Categories
Intune

What is the difference between management scenarios for mobile devices?

A quite common discussion topic when it comes to mobile device management is the different approaches you can take. Therefore, I’ve written down a little something to try to simplify a little bit.

I’ve intentionally left out any preview features and user enrollment for Apple device to focus on the most common scenarios. I will look to cover that in a separate post.

There are of course more technical aspects to this, but from a high level this is something that is good to keep in mind!

Flow description Android

For Android, there are three different type of management:

  • Work Profile
  • Corporate owned fully managed
  • Corporate owned dedicated device

These are used for three different scenarios which are based on the requirements in the environment. Moving existing devices into Microsoft Intune management also affect which management method which should be used.

Personally owned with work profile

Personally owned with work profile is mostly referred to handle Bring Your Own Device (BYOD) scenarios. This is also often used to transition from either no management or legacy management into a Microsoft Intune enrolled device since it does not require the device to be reset to factory default before getting started.

To register a device using Work Profile, the user will need to download the Company Portal application from the Google Play store. When the application is downloaded and installed, user signs into the Company Portal app using the corporate credentials and follows the on-screen wizard how to enroll.

When the device is enrolled, a corporate container is created on the device where all corporate data is stored separately from the personal data. The user will see a new tab on the application pane called Work and all applications will have a small briefcase on them indicating they are work applications.

The IT department can only manage the Work Profile part but can put some restrictions and requirements on the device regarding e.g., PIN-code and Wi-Fi settings. Limited number of remote actions can also be performed such as PIN recovery or removal of corporate data. Applications in the Work Profile part is managed through a Managed Google Play store which is controlled by the Microsoft Intune administrators. Since the applications in the managed Google Play store are centrally managed and assigned, no corporate Google account is needed for the end-user to download and consume applications in the Work Profile.

The personal part of the phone still functions as expected by the user since data is separated and not allowed to stream between the containers.

Personally owned with work profile

Corporate owned fully managed

A corporate owned fully managed device is used where the company buys the device and there is a 1:1 relationship between device and user. To enroll the device as fully managed, the device needs to be new out of the box or been reset to factory default.

Devices could be pre-registered to the customer by the hardware vendor in Google Zero touch to ease the enrollment procedure for the end-user.

When the user receives the device, and the user follows the on-screen onboarding process for initial setup.

If the device is not pre-registered using Google Zero Touch, the user will be asked to scan a QR code which is unique to each customer and must be made available by the IT department.

During the enrollment, the user will be asked to login using their corporate credentials. The user will also be asked to set a PIN-code. As part of the enrollment in Microsoft Intune, configurations, policies, and applications will be applied to the device which has been assigned to the user and/or device.

When the enrollment has finished, the device is ready to be used by the user.

The fully managed device does not separate corporate and personal data as the Work Profile method does, which means that corporate data and personal data is mixed on the device. On the other hand, since the device is fully managed, the IT department has much more control over the device and applied configurations and policies.

Applications are centrally managed by IT, but the public Google Play Store can be made available for the end user. For applications distributed through Microsoft Intune, no Google account is needed for the end user.  

IT can also perform remote actions on the device, such as PIN recovery or data removal.  

Corporate owned fully managed

Corporate owned dedicated devices

Corporate-owned dedicated devices are used when there is not a 1:1 relationship between user and device, in a scenario where multiple users use one device. A good example of this is a kiosk device.

Devices could be pre-registered to the customer by the hardware vendor in Google Zero touch to ease the enrollment procedure.

When the user receives the device, and the user follows the on-screen onboarding process for initial setup.

If the device is not pre-registered using Google Zero Touch, the user will be asked to scan a QR code which is unique to each customer and must be made available by the IT department. These QR codes are unique to each enrollment profile and are valid for 90 days.

During the enrollment, no user sign in is required. Device will be automatically enrolled towards Microsoft Intune and no user affinity is applied. PIN-code can be set as part of the enrollment flow.

During the enrollment to Microsoft Intune, configurations, policies, and applications will be applied to the device which has been assigned to the device.

When the enrollment has finished, the device is ready to be used by the user.

Since the device is supposed to be dedicated to a specific task or function, the features in the OS are limited and can be locked by the IT department. Some built in applications can also be removed if needed.

Applications are centrally managed by IT using Microsoft Intune.   

IT can also perform remote actions on the device, such as PIN recovery or data removal.

Corporate owned dedicated devices

Flow description IOS and iPadOS

Management of iOS and iPadOS does not have the same number of variations as Android. There is however a difference in how you can handle devices based upon if you use Apple Automated Device Enrollment or not.

For iOS/iPadOS management, there are two different ways of managing the device, personal or shared. Shared device is only applicable to iPadOS.

There are however two different ways of enrollning a device depending on if Apple Automated Device Enrollment is used or not.

Personal iOS/iPadOS devices with Apple Automated Device Enrollment

The default management of iOS/iPadOS devices are personal devices where there is a 1:1 relationship between user and device.

If Apple Automated Device Enrollment is used, the devices are pre-registered by the vendor in Apple Business/School Manager. Apple Automated Device Enrollment is used to simplify the enrollment process for the end-user and provide an additional set of control for IT.

When Apple Automated Device Enrollment is used, IT can control the first run experience for the user to remove unnecessary steps. This control will also ensure that the device will be enrolled. When a user receives the device, they will follow the on-screen wizard to get started and register their device.

During the initial setup, the user will be asked to sign in using the corporate credentials and the device will enroll in Microsoft Intune and received the applicable configuration, polices and applications which has been assigned to the user and/or device. When the setup is done, the device is ready to use.

IT can manage configuration, policies, and applications centrally and perform some remote actions such as PIN recovery, data removal or resetting the device. If the devices are deployed in Supervised mode, there is also a possibility to trace lost devices and put them in a “lost mode” to prevent a lost device being used by an inappropriate person.

Applications are downloaded through the Apple App Store. For corporate applications and line-of-business applications, the Company Portal is used to initiate the download and the user will not require an Apple ID to download applications. IT can also do required installations of applications.

Personal iOS/iPadOS devices with Apple Automated Device Enrollment

Personal iOS/iPadOS devices without Apple Automated Device Enrollment

The default management of iOS/iPadOS devices are personal devices where there is a 1:1 relationship between user and device.

If Apple Automated Device Enrollment is not used, user will have to download the Company Portal application from the Apple App Store to enroll the device. Users then sign into the application using their corporate credentials and follow the on-screen instructions on how to enroll the device.

IT can manage configuration, policies, and applications centrally and perform some remote actions such as PIN recovery, data removal or resetting the device.

Applications are downloaded through the Apple App Store. For corporate applications and line-of-business applications, the Company Portal is used to initiate the download and the user will not require an Apple ID to download applications. IT can also do required installations of applications.

Personal iOS/iPadOS devices without Apple Automated Device Enrollment

Shared iPadOS device

Shared iPadOS devices are used when there is not a 1:1 relationship between user and device, in a scenario where multiple users use one device. A good example of this is a kiosk device.

To use the Shared iPadOS scenario, Apple Automated Device Enrollment needs to be used. Devices are registered in the Apple Business/School Manager to connect the device towards the customer.

When a device is to be registered, a user or coordinator starts the device and follows the on-screen instructions. No sign-in is required during this process since the device will not have user affinity.

During the enrollment, the device will receive configurations, policies and applications which has been assigned to the device.

When the registration is completed, the device is ready to use.

IT can manage configuration, policies, and applications centrally and perform some remote actions such as PIN recovery, data removal or resetting the device.

Applications are centrally managed by IT and are installed automatically by assigning them in Microsoft Intune without user interaction.

Shared iPadOS device
Categories
Modern Workplace

Dear 2020…

Deer-2020

Wow, it’s already a new year. Even if 2020 was a weird year, it went by fast! And for those who wonder, the deer doesn’t have anything really to do with this post. It’s more of a pun… Deer 2020… Okay, I’ll show myself out….

A lot of things to look forward to in 2021, such as a vaccine against Covid-19, new Windows preview builds, new Teams features and much, much more.

The start of a new year is wonderful opportunity time to reflect on the past year, because even though 2020 was a weird year a lot of things happened. I’ve decided to split this one into different areas just to be able to sort out my thoughts a little bit.

Personal life

So personal life… This doesn’t really qualify into this blog usually. But since 2020 ment working from home all the time, personal life is an important part. Relaxing and disconnecting got even more important for me during 2020. I found something that allowed me to disconnect from work stuff and focus on something else which I haven’t really done the last couple of years. Like a lot of other people, I took up golf again during 2020. Not so much because of Covid-19 but more in the sense of this is something I’ve been playing since I was like 6 or 7 years old and I finally found the joy in it again.

Professional life

2020 was the strangest year in my professional life, as for everyone else. I started a new job just a few months before Covid-19 happened, went back to being a consultant again. Since I started right before the pandemic really took off, it’s been a little bit of a weird start for a new job since you haven’t been able to really meet your co-workers nor your customers physically. Strange times!

Also, regarding my professional life I’ve shifted over to this blog as a platform to share my experiences, findings, and learnings. I’ve tried to keep a consistent flow, but my inspiration went on isolation during the end of the year (I blame the darkness). I’m hoping that the lighter times which are coming, and the snow, will get me back on track!

Modern workplace life

This heading is weird, I know, but bear with me…

2020 was probably one of those years that forced a lot of companies and workplaces to jump forward in their thinking and implementation of workplace services. We all saw Teams skyrocket as a meeting platform, VPN usage was of the charts and collaborating digitally is the new black.

I’ve written a bunch of different blog posts about the modern workplace the last year, and also published some old LinkedIn articles.

During the last year, a lot have happened. We are working in a different way and everyone has gotten a taste of what working remote means, proving that we can do stuff while not at the office (hopefully killing that old face-time requirement). The term “work is not a place, it’s something you do” has definitely come into play!

I think the biggest impact for the modern workplace during 2020 was in fact the Covid-19 pandemic. This challenged a lot of companies to drive their adoption fast, or even in some cases get started. It has also put a bigger trust in that the end-user knows how to handle the tools provided and IT’s role in providing the correct information and education has become increasingly important.

During 2020 we saw a lot of great improvements to a lot of popular Microsoft products. One of the most obvious one for the modern workplace was Microsoft Teams. We got A LOT of new functionality during 2020, not only post Ignite, but as a steady stream of news. This really improved on an already great platform. Oh, and let’s not forget about the increase of Teams usage!

Intune also got its steady stream of updates and the “Corporate-owned devices with work profile” management method for Android finally saw the light of day (still in preview however). I think this will be a really nice add-on when released based on the user experience it provides for corporate devices.

One of the most exciting new things, which I still have not tried out, is Microsoft Tunnel. A simple VPN solution for mobile devices which doesn’t require large investments or changes in your infrastructure if you are using a Microsoft based VPN for you Windows devices today. It will be exciting to see this product go into general availability.

Going forward

I most likely forgot a lot of things that I should have included. But hey, it’s been a weird year!

Now let’s focus on what 2021 holds. This blog will keep on living and my focus will stay on the “softer” stuff around modern workplace and not the hardcore technical stuff.

Categories
Microsoft 365

Handle templates for Office 365

This is topic has always been a headache. You have your corporate Office-templates hidden away on some on-prem file-share which only a few people have access to. This makes it a bit tricky when we are in world where your devices might not be on-prem anymore, both physically and where they are managed. This gets even more painful when you want to get the templates out to Mac devices.

Of course, there are ways to make use of the old settings where you point out a file share, which could theoretically also live in an Azure blob.

I came from this in the mindset “there has to be something better and cloud ready”. Lo and behold, there is something native to SharePoint we could use!

This concept is more based around the logged in user in the Office suit rather than specific settings on the device. This means that you could also provide unmanaged/external devices with your templates if you have contractors or similar who are using their own devices.

You can read more here about the concept and the limitations (Microsoft Docs).

SharePoint organization assets library

What I found was the organization assets library feature in SharePoint which you can utilize to point out your assets like templates but also images.

This whole setup is based around document libraries on a SharePoint site which you give all your employees reading access to. You can then give restricted access on certain folders if not everyone should see all templates (it’s basic SharePoint access management on folders). This also make it possible for you to assign higher access to people who are responsible for producing templates and they could potentially manage this them self.

One thing which is important to take notice of is that this will create the asset library tenant wide meaning all your users will have this showing up in the Office suite.

Step one – SharePoint site

Create a document library on a new or existing SharePoint site which you will use as your asset repository. My Document Library is called “Office Templates”

Add “Everyone except external” to the visitors access group on your library and give them “Read only” access.

Add some folders and/or templates to your SharePoint library, make sure that they are in a .dotx/.potx/.xltx to work as proper template.

Step two – Configure library

First step is to install the SharePoint Online Management Shell in PowerShell. Detailed information can be found here. In order to invoke this part you will need to be at least a tenant administrator in your Office 365 environment.

Open an elevated PowerShell session and run:

Install-Module -Name Microsoft.Online.SharePoint.PowerShell

To connect to your SharePoint Online infrastructure you will need to run this command where you replace [tenant] with the name of your tenant:

Connect-SPOService -Url https://[tennant]-admin.sharepoint.com

Next up is to specify the asset library:

Add-SPOOrgAssetsLibrary -LibraryUrl  https://[tenant].sharepoint.com/sites/[Site name]/[Document library name] -OrgAssetType OfficeTemplateLibrary -CdnType Private

Update: You could also use this PnP Community tool to add and configure your library. Add-PnPOrgAssetsLibrary | PnP PowerShell

When you have successfully executed those few PowerShell lines, you are done and within a few minutes the templates will show up in your users Office clients.

Categories
Tips & Tricks

How I stay up to date

A bit of a different type of post this week, just in time for the weekend. Since I know for a fact there is an information overflow for everything right now, I thought I would share where I turn to stay up to date.

There are probably as many sources as there are IT-consultants, but these are my go-to’s. I thought I would share some of the pages I keep track of to stay up to date.

Twitter

This is where probably my biggest source of news and generic IT information. Twitter is a really good place to consume a lot of information!

Who should you follow? That is a really good question. My feed contains a lot of people within IT, but I’ve found this Twitter-list with people at Microsoft in the Endpoint Manager team. So have a look at that list (you can follow a list).

You should of course follow this list as well containing all my colleges!

Oh, and make sure to follow me @olastromcom

Blogs

I would say I have two different kind of blogs I keep track of. One kind for technical solutions and one for IT news.

For news, I mostly rely on Microsoft blogs.

For more technical things, I have two which I tend to default to these two:

Where do you get your inspiration and news from and what channel did I miss? Let me know in the comments!