• Providing a modern workplace

    This is a topic I’ve covered in an earlier article, from the perspective of how we did it at my former employer. This time my idea is to cover it in a broader and more generic sense.

    Living in 2020, IT is more than ever a big part of, and an enormous influence on, your work environment and how productive you are.

    IT is shifting from being a “technical” topic to being more of an HR topic: since it influences so many parts of your employment, a poor IT experience will heavily influence how happy you are with your employer. However, IT is still the one responsible for it.

    From talking with friends, peers, former co-workers, and customers, there are a few things that tend to come back when it comes to IT in bigger organizations. One is the lack of trust that end-users know what tools they need to perform their work, while they expect to get tools that support them in their daily work. There are of course exceptions to this, but speaking in general terms I’m guessing that you don’t ask IT what tools you need to do your job; you ask your peers. Well, unless you work in IT, then I guess you would ask IT… You get the point!

    Users have diverse needs

    We need to start considering our computers and mobile devices as tools, not “toys”, for lack of a better word.

    If you think about it, if you were left one day at work without a computer and/or mobile device, would you be productive? Probably not. This means that these are crucial tools for our work, since you are doing your business through them. Giving you something that is not fit for purpose would eventually prove to be a bad investment, or simply not the correct tool. Still, computers and mobile devices are rarely considered business critical from an IT Service Management perspective.

    If you think about it, your company spends a lot of time finding the right machinery, servers etc. for your business needs, but what about that computer you spend your day in front of doing business? Was that selected based on what your needs are, or were you given the “corporate computer”?

    Trying to stick to a “one size fits all” setup is doomed to fail eventually in a modern workplace. I have different needs for my computer/phone than people working as, e.g., a communications professional. Also, a manager has different needs than the peers in their team.

    I’m not saying that you should buy all the shiny things people point at and stop standardizing. What I’m saying is: be smart in what you are buying. You have a diverse team with diverse needs, make sure you can fulfil them!

    For whom is IT working?

    One thing that is extremely important, but sometimes forgotten, is for WHOM IT exists.

    IT does not exist to provide IT with work tasks. IT exists to enable the employees of the company with tools fit for their needs to do their job in the best feasible way.

    This is something we shall never forget. This is important. This is the sole purpose of an IT department: to be a support function to the core business.

    At the same time, end-users need to understand that there is a reason behind why things are done in a certain way. If they don’t know, it’s time to tell them!

    Set goals and visions

    To combat this, listen to what your end-users want and communicate with them. Set a clear roadmap and vision for where you should be in, let’s say, five years. This will give you a goal to work towards and a roadmap to share.

    By listening to your end-users, I’m not saying that they should dictate your every move. Be clear on what their pain points are and strive to minimize them. That’s how you can add real value and build trust in the organization.

    I far too often hear “those people at IT have no idea what they are doing”. That shouldn’t be true. We should be the best at providing the services for OUR users. We should be the ones knowing their needs and striving to meet them.

  • Key take-aways from Ignite 2020

    Ignite 2020 was a bit different from previous Ignites, to say the least. Instead of an in-person event in New Orleans, the experience this year was 100% digital.

    It was, as always, a bit overwhelming with a lot of interesting sessions, but you didn’t have to walk between sessions. Oh, and the coffee was really good this year!

    Looking at what was covered for the modern workplace at Ignite this year, there was one common theme: remote working and the new normal that Covid-19 creates. There was a lot of talk about how the world has changed the playing field for remote work and that we might never go back completely to how it was before. Something that I find very intriguing, since this is an area I’m passionate about.

    If you would only watch two of the sessions from Ignite 2020, I would really recommend that you watch Satya Nadella’s keynote on Building Digital Resilience and Jared Spataro’s keynote on The Future of Work. Those two were really good!

    This was a year of refinements on the device management side. New options for what you can do during Windows Autopilot and co-management/tenant attach. A lot of new things which will help a lot of companies on the road to transition from traditional management to modern management! If you want to geek out, here are all the Endpoint Manager related sessions, all the Teams sessions and all the Office 365 sessions.

    Microsoft Tunnel

    One of the things that really caught my eye at an early stage was Microsoft Tunnel, which is a Microsoft VPN solution without the need for any third-party licenses. I think this will be very beneficial for scenarios where you are utilizing Microsoft solutions for VPN on Windows and don’t want to invest in additional services for your mobile devices.

    Microsoft Tunnel is in public preview and is available on iOS and Android. You can read all about it here.

    Microsoft Edge

    Microsoft has been pushing the new Edge for a while now, and for a good reason too!

    It’s a really good browser, built on Chromium but with Microsoft integrations. I’ve been using this browser since it first came out, and it’s really good now.

    Microsoft is pushing it even more now and was also highlighting the Internet Explorer compatibility mode.

    BUT the big thing for Ignite was Application Management for Edge on Windows 10, which brings the Application Protection Policy features from the mobile platforms to the desktop Edge browser. This means that you can manage just the application instead of the whole device. Additionally, Microsoft Edge will support the new Microsoft Endpoint Data Loss Prevention (DLP) service, which launches in October, from day one.

    There were a bunch of other improvements to Edge presented as well, you can read all about it here.

    Microsoft Teams

    If you think there were a lot of new improvements introduced for Microsoft Endpoint Manager, it was nothing compared to Microsoft Teams.

    It’s becoming increasingly clear that Microsoft Teams should not be considered a product, it’s a platform.

    There were so many new things, ranging from Power Platform and low-code solutions for automated workflows to improved meeting experiences and wellbeing.

    A few of the highlights that caught my attention were:

    • Breakout sessions
    • Custom layouts and new together scenes
    • Wellbeing and productivity insights
    • Improved first-line worker functionality

    You can read more in detail here.

  • What is Windows Autopilot – management edition

    There are A LOT of misconceptions about what Windows Autopilot is. Today I will try to sort those misconceptions out.

    You have already heard a lot of different presentations about Windows Autopilot, why you should use it and why it’s so great. Because of that, I’ll leave most of those things out. This won’t be a technical post about what Windows Autopilot is; this will be more of the management edition.

    Windows Autopilot – the concept

    The basic theory behind Windows Autopilot is to streamline and take away time-consuming phases in the setup process of a corporate computer.

    In the “traditional world” you would need to be on the corporate network and press F12 on the computer to initiate the installation of your custom image, built by your IT guys. This custom image of Windows contains all your customizations and drivers, and settings are pushed through Group Policy Objects, also called GPOs. Many companies require the computer to be “known” before it’s installed, so you do what is called a pre-stage, where you create the computer account in Active Directory (AD) and assign group memberships. This process can take from an hour up to a few hours depending on your connection and the size of the image (it’s usually pretty big).

    In the world of Windows Autopilot, you take advantage of the fact that the hardware manufacturer has already put a Windows 10 installation on the computer, with drivers installed from the factory (this is actually how computers are shipped even if you don’t use Windows Autopilot). Your vendor/partner/IT department registers the computer’s hardware ID, which is unique to each computer, with your Microsoft tenant. Computers can also be joined to Azure AD groups based on this hardware ID.

    When the computer is launched the first time, the user will be greeted with “Welcome to Contoso” and then asked to sign in. When sign-in is completed, the computer is registered in Microsoft Intune and settings and customizations are applied.

    This process is A LOT faster than traditional OS deployment. The entire process completes and the computer is ready to use in 30-60 minutes (depending on connectivity). All traffic is routed through the internet during setup, and any connectivity to the corporate infrastructure can be routed through VPN if needed.

    If you do the math, you can deploy a whole lot more computers for a lower cost using Windows Autopilot.

    Windows Autopilot – the reality

    This sounds pretty neat huh?

    But what is Windows Autopilot? Is it a completely new tool? Will it replace Microsoft Intune? What will my IT technicians do? They spend 80% of their time installing computers today.

    Without getting too technical about this, Windows Autopilot is a new name for a bunch of things that have been around for a while, plus some new features.

    Windows Autopilot utilizes a lot of different technologies and should be viewed more as a workflow or a process rather than a technical feature. It combines the power of Azure AD, Microsoft Intune, and Microsoft Store for Business to provide a streamlined process for installing new computers. That’s about it.

    This means that Windows Autopilot is nothing other than an automated and standardized process for setting up computers for your company.

    However, from a technical point of view there is a lot more going on. But this is the simple version.

    Key take-away

    The key take-away, and the thing to consider, around Windows Autopilot is whether you need all the fancy switches and total customization you have with the traditional approach, or whether a lighter-weight management would do the trick for you. It probably will…

    There are of course some ifs and buts around this, but in general there aren’t that many. Your users could get their computer delivered straight to them and set it up by logging in, given that they have internet access at their location.

    There are options to prepare the computer for the user by having a technician do half the registration and setup, then re-seal the computer and ship it off to the user, if you want to minimize the amount of work done by the end-user. This way, the initial setup will be shorter for the end-user.

    If you view Windows Autopilot as an automated process to set up computers in your organization and not as a technology, things get a lot easier. With that said, it won’t suit all your special situations for computers, but you will cover most cases for office-based work!

  • Expectation management and communications

    Before we get started, I’m in no way pretending to be a communications professional. These are just my experiences and learnings down the road.

    Let’s face it, and we all know this: in general, we in IT are not great at end-user communication and expectation management. We live and breathe technology, and somewhere along the way we sometimes forget that someone is supposed to use our fancy best-of-breed solution.

    Okay, a bit of an over-generalization, but if you have worked in IT, I think you might recognize this. We often forget about the end-user and we fail to tell them about all the wonderful things we do, but also what they can expect from us.

    I will try to provide you with a high-level view, to help YOU make the decisions on what to do and why, not really the HOW, in this post.

    Now that we have managed the expectations, let’s get into this.

    Expectations management

    Since you are reading this, I assume that you are in some way involved in the end-user service area and are either providing or helping to provide services to end users. You are operating in the layer where most users interact.

    But what have you promised your end users? What are they buying from you? Do they know or are they just “paying the bill”? This is something that varies between organizations, depending on size, location, culture, and previous structures of the IT department.

    But what are you selling to your end users? Are they just buying “a computer”, or are there more services attached, like deskside support and a helpdesk?

    There are a lot of questions related to this, and hence it is one of the themes for this post.

    What do your users THINK that they are buying, and what are you delivering?

    This is the most important part, and also the trickiest one: to set an expectation with your users (who are your customers) on what they will receive when buying the service from you. It might be that you are the only one allowed to provide this service within your organization, or that you are the preferred one but they could operate it themselves or turn to a third party to provide it.

    Nonetheless, making it clear to the end users what to expect from your service is increasingly important. Especially since enabling new services is three clicks and a credit card away…

    What value are you adding to the equation?

    End-user communications

    Enter end-user communications. This is a hard area, and there is a reason that organizations hire communications professionals. They might not know all about the fancy IT stuff (that’s not why they were hired), but you can be sure that they know all about getting your message out there!

    From my experience working in the end-user area, this is something that is super important but also very often forgotten. We tend to update something we consider small, but it might have a huge end-user impact. If we don’t successfully inform our users about this, we might cause unnecessary frustration. Even though we need to adopt an Evergreen mindset, we need to make sure that our users know what’s going on. Keep them in the loop.

    I’m no communications expert, but I’ve seen and delivered the outcome of projects with a lot of end-user communication and of projects with less communication. Which do you think were the most successful, in terms of user adoption?

    Yes, the projects where extensive end-user communication was performed.

    However, you always need to adapt the amount/channels/information to whoever is the target for the change. Some information might only be needed by your support people; other information might be of more value to your end-users.

    The go-do / take away

    So, what is the takeaway from this?

    Try to define your services for your end-users as clearly as possible and communicate them. A PDF hidden away on a SharePoint site will never be found; putting it on some sort of intranet site might be a better idea, to clearly state to your end-users what they can expect by buying the service from you and what value you add for them.

    This is of course something that varies between businesses, but defining services is a crucial step to set the expectations right with your users.

    I would also really encourage you to reach out to the communications professionals within your business for advice and work together with them. They can really help you get your message out there, making sure that your end-users (customers) understand why things are happening and changing in the way they are. But don’t expect them to do your work for you. You will still need to put in the effort, but getting their advice and/or input might change the success rate of your project.

  • Why managed Android matters

    Looking at the Swedish market, most of the companies I meet are managing their devices. These are usually iOS/iPadOS devices since, let’s face it, iOS has been superior in the Mobile Device Management segment over the years, as it has had more settings exposed to MDM than Android. This has however changed over the years, and the difference is not at all the same as, let’s say, 3-5 years ago.

    We can always discuss why platform A is better than platform B, but let’s not get into that. Everyone will have a separate opinion on this.

    Looking at where we are today, many companies I meet manage their iPhones and iPads but haven’t really gotten around to Android yet. It’s still in some sense viewed as a secondary platform and not something that is wanted (it’s one more platform to provide end-user support on for one thing).

    I fully respect this. However….

    Looking back at my previous posts about what tools people expect to use in the workplace, we are seeing a lot of growing demand for Android devices.

    This could be due to personal preference, the device being cheaper, or the iPhone not being available in the market where the user lives. But it means that dodging the question of Android becomes harder and harder. And the later you get on top of Android, the harder the transition will be, since Android is a lot different to manage compared to iOS/iPadOS.

    For Android, you have two options depending on your wants and needs: Work Profile and Device Owner.

    Management methods for Android

    You should AT ALL COST avoid using Device Administrator since this is a legacy protocol which will be decommissioned by Google.

    In this post I will not cover the dedicated devices method, since this is meant for special use cases and not regular end-users.

    Work Profile

    Work Profile is the most basic version of Android management and it has the least impact on already existing phones. Your users must download the Company Portal to enroll into Intune. This will create a separate “work sphere” where all corporate data will live.

    This is the easiest form of Android management and you can deploy applications, configurations, and compliance policies. The work data will be separated from the personal data, but there are some limitations around management. This is the easiest way to start managing your Android devices without too much user impact.

    Device Owner

    Device Owner, or fully managed, is the full-featured version of Android management where Intune takes total control of the device. This is more like how iOS devices would be in supervised mode. This management method also enables Google Zero Touch enrollment (or Samsung Knox) for easier user onboarding. But you can of course also have your users scan a QR code on first launch.

    A huge benefit with this from a corporate perspective is that the user won’t need a Google account to enroll and download corporate applications. They can add a personal Google account, but it’s not needed to use it as a corporate device. Google accounts can otherwise be a hassle for less experienced users.

    Company-owned work enabled

    This version of Android management has, at the time this blog post is being written, yet to officially launch; it’s still in preview.

    It is, however, a combination of Work Profile and Device Owner management, where you as an organization gain full control over the device (giving you more management capabilities) but corporate data and personal data are separated.

    This requires a device reset, just like Device Owner, but the user gets one corporate sphere and one personal sphere. The data is managed in the corporate sphere and left to the end user’s privacy in the personal sphere.

    In my view, this will be the more attractive version of Android management overall since you can have a separation between personal and corporate data.

    This method works extra smoothly if you combine it with Google Zero Touch or Samsung Knox. If you don’t see a possibility to have this in place, you can of course have your users scan a QR code on first launch.

    Where should you start?

    Start small and start easy. If you have a lot of Android devices today, Work Profile is the best place to start. Having users reset their devices, which contain photos, apps etc., is not a popular thing to do. You could argue that it’s a corporate device and your users must comply, but this is not an effective way to build trust and get the devices into management.

    If you have just a few devices and are looking to introduce Android into your environment, Device Owner or the new corporate-owned work enabled method is the way to go. You will have fresh devices going in, and the need for a reset doesn’t exist. Combine this with Google Zero Touch or Samsung Knox and you will have a killer user onboarding experience!

    What are your thoughts on Android and where do you stand today? Comment below!

  • What is the difference between a user and a device?

    As I’m browsing through the Microsoft Q&A forum for Intune related questions, there is one thing I see which seems to be a quite common misconception. That misconception is about the difference between what a user is and what a device is.

    It’s not that people don’t know the physical difference between what a user (a person) and a device (an object) is, it’s in the sense of how they differ in Intune management and the cloud world.

    Let’s try to sort this out, shall we?

    Definitions:
    • User noun – “A person who uses or operates something.”
    • Device noun – “A thing made or adapted for a particular purpose, especially a piece of mechanical or electronic equipment”

    Disclaimer: I’m trying to write this extremely simply, basically assuming that the terms user and device are not known.

    Who is the user?

    The user is the person in your organization who is consuming the services and using the devices. Users are usually a 1:1 scenario, but you might also have service users and group users. Behind a user there is in most cases ONE person (the Microsoft license structure kind of assumes this as well).

    In an Intune context, the user is the person who uses the device. In the most common context, the user is tied to a specific device, where the user is the primary user and owner of the device.

    A user might have multiple devices such as a computer, a phone, and a tablet.

    An Azure AD user

    What is the device?

    The device is the piece of hardware on which the services are consumed. This can be a computer, tablet, or phone. In an Intune context, the device must run one of the supported operating systems:

    • iOS
    • iPadOS
    • macOS
    • Windows 10
    • Android

    The device usually has one main user and owner, which is the one tied to the device in Intune and Azure AD.

    An Intune enrolled device

    What is the difference and why does it matter?

    But why does this all matter?

    The reason this is important is how you would distribute configurations, compliance policies, applications and so on in Intune.

    When you distribute any of these in Intune, you get to select whether you want to assign this to users or devices. Without knowing the difference, knowing which option to select is hard.

    However, the item itself is never applied to the user. It is ALWAYS applied to the device. The assignment only decides on what devices to apply the item in question.

    If you assign to a device

    If you assign, e.g., your configuration with a device-centric approach, this means that the configuration will only follow that device. If the user uses another device, the configuration will not be present on the second device.

    If you assign to a user

    If you assign, e.g., your configuration with a user-centric approach, this means that the configuration will follow the user. If the user uses another device, the configuration will also apply to that device (given that it’s applicable to the device type).

    The key take away

    It pretty much defines how your configurations, policies and applications are distributed and utilized.

    The conclusion of this is that, depending on what scenario you want to fulfill, you might have to assign things in different ways. There are also a few things that might make more sense to distribute one way or the other.

    One important thing to keep in mind around applications, however, is the fun topic of licensing. Depending on how you have licensed an application, you might have to distribute it in a certain way. So that is something to think about when purchasing applications.

  • Silent BitLocker in Windows Autopilot

    When enrolling devices through Windows Autopilot and using Intune, enabling BitLocker without user interaction can be a bit of a hassle, since the default behavior is to ask the end-user to encrypt the device at runtime.

    This pop-up can easily confuse end-users, and the device is not really “ready to use” once the Enrollment Status Page (ESP) has closed.

    There are several different solutions for this, where running a PowerShell script as a Win32 app during enrollment is the most common one.

    BUT I’ve found a way to skip this. It does have some distinct limitations (on top of all the other BitLocker requirements):

    • Use Intune for device management
    • Device can only be joined to the Azure AD
    • Running Windows 10 1809 or later
    • No third-party disk encryption services can be used

    So how do you configure this?

    In Microsoft Intune, go to Endpoint Security > Disk encryption and create a new profile.

    Select “Windows 10 and later” as the platform and choose the BitLocker profile, then click Create. Give your profile a name based on your naming convention and click Next.

    To enforce BitLocker during enrollment, you need to:

    • Set “Enable full disk encryption for OS and fixed drives” to Yes
    • Set “Hide prompt about third-party encryption” to Yes
    • Set “Allow standard users to enable encryption during Autopilot” to Yes

    A heads-up on these settings though: if you are using any third-party encryption, you might break the machine and have to re-install it. So be careful when applying this to existing machines.

    Then set your preferred settings for BitLocker on OS and fixed drives; this is what I am running in this lab setup. One good setting to use is “Require device to back up recovery information to Azure AD”, to ensure that you have the recovery information available for the machine. These settings might vary based on your organizational needs and requirements.

    Click next until you end up on “Assignments” and select your targeted device group.

    Click next and review your settings before hitting “Create” on the Review + Create page.

    And that’s it! Your devices will now silently encrypt using Bitlocker during Autopilot enrollment.
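    As an added example (not part of the original post), here is a PowerShell check you can run on an enrolled device once the ESP has closed, to confirm that the profile did what the last step claims: protection on, the enforced encryption method, a TPM protector for silent unlock, and a recovery password that can be escrowed to Azure AD. The function name Test-SilentBitLocker and the list of allowed encryption methods are my own assumptions; the cmdlets are the built-in BitLocker module’s.

```powershell
# Added verification script (not from the original post). Assumed function name
# Test-SilentBitLocker; it uses only the built-in BitLocker module cmdlets
# Get-BitLockerVolume and BackupToAAD-BitLockerKeyProtector.
# Run in an elevated PowerShell session on the Autopilot-enrolled, Azure AD joined
# device after the Enrollment Status Page has closed.
function Test-SilentBitLocker {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        # Encryption methods your disk encryption profile enforces (assumed values; adjust to match it).
        [string[]]$AllowedMethods = @('XtsAes128', 'XtsAes256'),
        # Escrow the recovery password(s) to Azure AD, which is what the
        # "Require device to back up recovery information to Azure AD" setting relies on.
        [switch]$BackupToAzureAD
    )

    $vol      = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $failures = [System.Collections.Generic.List[string]]::new()
    $notes    = [System.Collections.Generic.List[string]]::new()

    # 1. Protection must be on. 'Off' on a FullyEncrypted volume means the clear key is
    #    still stored on disk (protection suspended), so the data is not actually protected.
    if ($vol.ProtectionStatus -ne 'On') {
        $failures.Add("ProtectionStatus is $($vol.ProtectionStatus) (VolumeStatus $($vol.VolumeStatus)).")
    }

    # 2. Encryption should have finished; EncryptionInProgress right after the ESP is normal.
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $notes.Add("VolumeStatus is $($vol.VolumeStatus); re-check once encryption completes.")
    }

    # 3. The method should be the one the profile enforces, not a pre-existing default.
    if ($vol.EncryptionMethod -notin $AllowedMethods) {
        $failures.Add("EncryptionMethod $($vol.EncryptionMethod) is not one of: $($AllowedMethods -join ', ').")
    }

    # 4. Silent enrollment relies on a TPM protector (no PIN prompt); recovery relies on a
    #    RecoveryPassword protector, which is the one that gets escrowed to Azure AD.
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    if ($types -notcontains 'Tpm') {
        $failures.Add('No Tpm key protector; the OS drive will not unlock without user interaction.')
    }
    $recovery = @($vol.KeyProtector | Where-Object { [string]$_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        $failures.Add('No RecoveryPassword protector; there is nothing to back up to Azure AD.')
    }
    elseif ($BackupToAzureAD) {
        foreach ($rp in $recovery) {
            # Uploads the recovery password for this protector to the device's Azure AD object.
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
            $notes.Add("Recovery password $($rp.KeyProtectorId) backed up to Azure AD.")
        }
    }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = [string]$vol.VolumeStatus
        ProtectionStatus = [string]$vol.ProtectionStatus
        EncryptionMethod = [string]$vol.EncryptionMethod
        KeyProtectors    = ($types -join ', ')
        Compliant        = ($failures.Count -eq 0)
        Failures         = $failures.ToArray()
        Notes            = $notes.ToArray()
    }
}

# Example usage: report on the OS drive and escrow the recovery password to Azure AD.
Test-SilentBitLocker -BackupToAzureAD | Format-List
```

    A device that still shows ProtectionStatus Off after the ESP is exactly the third-party encryption case the heads-up above warns about, so check Failures before rolling the profile out to existing machines.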

  • The end of an era

    It has finally happened. The process of decommissioning the old trusty Internet Explorer has begun.

    Microsoft announced on the 17th of August that Microsoft 365 will lose its support for Internet Explorer on August 17th, 2021. This is quite a tremendous change for many organizations, but it shouldn’t come as a surprise that Internet Explorer will be phased out eventually. Also, the “old” Edge will reach its end of life on March 9th, 2021.

    Image source: https://techcommunity.microsoft.com/t5/image/serverpage/image-id/212662i312B0747F33CC94E/image-size/large?v=1.0&px=999

    Back when Windows 10 launched, there was a lot of buzz around the new, improved browser Edge. However, it never took off (I really liked it, though). A lot of business systems were built back when Internet Explorer was the thing, and the effort has not always been put into adapting them to the modern web.

    With Windows 10, something called the Enterprise Mode Site List was introduced, which was basically an XML list of sites where, if you tried to go to one of them using Edge, you would be redirected to Internet Explorer, since that site was on your “not compatible” list for Edge.

    We used this to a limited extent at my previous employer, but Internet Explorer was the default browser since we had no clue what other systems would have issues if we transitioned to Edge (or Chrome for that matter).

    However, that was a few years ago; a lot has happened to Edge, and there is a new Chromium (Chrome) based version out which is really good! And if you are a fan of the Chrome browser, but don’t want to have yet another browser installed to confuse your users, the new improved Edge is the way to go. It’s Chrome, but in a Microsoft shell (and you have Azure AD support without any extension).

    But what does this all mean?

    It means that it’s time to take the bull by the horns and start moving away from Internet Explorer as the default browser. The death of Internet Explorer has not yet been announced in any shape or form, but losing support for Microsoft 365 services is a major step in that direction.

    The first step you need to take is to change to a modern browser as the default for all your users. Since I’m a Microsoft advocate, I would suggest looking at the new Edge if you haven’t done so yet.

    The new Edge is available for all supported Windows platforms, but also for macOS, Android and iOS/iPadOS. You could have the same browser for all corporate web interactions on all platforms (and of course direct mobile device traffic using Application Protection Policies).

    Also, deploying Microsoft Edge out to your clients is easy. If you are using Microsoft Intune to manage your devices, Edge for Windows is one of the built-in “App types”, making it even easier to deploy.

    What is your default browser today and are you looking to shift to the new Microsoft Edge?

    Comment below!

  • While you were away…

    Summer holidays are always fun, but they also mean that I try to stay offline (at least from work stuff) to disconnect and recharge. Covid-19 is still around, which means a lot of us will keep working remotely (and practicing social distancing), and this drives a lot of development in the modern workplace area.

    Apart from the mandatory updates for the computer (and phone this time), there is some catching up to do. I’ve gathered some highlights of what was released during the summer:

    Some Teams updates with the long anticipated pop-out meeting feature: https://techcommunity.microsoft.com/t5/microsoft-teams-blog/what-s-new-in-microsoft-teams-july-2020/ba-p/1551561

    And of course, one of the most exciting device news this year. The Surface Duo is officially launched: https://blogs.windows.com/devices/2020/08/12/available-for-preorder-today-surface-duo-is-purpose-built-for-mobile-productivity/

    Support for Hybrid Azure AD join through VPN in Windows Autopilot: https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot-whats-new#new-in-windows-10-version-2004

    Preview in Intune for Android Enterprise corporate-owned devices with a work profile (COPE): https://techcommunity.microsoft.com/t5/intune-customer-success/intune-announcing-public-preview-for-android-enterprise/ba-p/1524325

    Microsoft Ignite will be an online experience which will take place 22nd to 24th of September: https://www.microsoft.com/en-us/ignite

    There has of course been a lot of other interesting news, but these are some of the highlights in my world!

  • Make better looking PowerPoint presentations

    Okay, so this isn’t a new feature in PowerPoint, but that doesn’t make it less useful! (And I don’t think everyone knows about it.)

    There is a feature in PowerPoint called Design Ideas which helps you create better looking slides. It will give you several suggestions based on the content of your slide; for example, if you have bullet points, it can show them in a more visually attractive way.

    What I also really like is that it adapts to the template I use, like this one created with a corporate template. It will match the color scheme and not go too crazy with its suggestions.

    The feature is called Design Ideas and you need to enable it in the ribbon. I use it quite frequently to make the PPTs a little more fun.

    If you are not using a template, it will list some suggestions with more creative ideas than if you are using a corporate template.

    What is your best PowerPoint tip? Share it in the comments!

    Bonus…

    However, sometimes you get weird suggestions, like this GIF of water I got on a new slide. I’m guessing this is NOT what Microsoft meant by Fluid Framework…