Intune for noobs

Intune lab for noobs – part 5 // Android

This is the fifth part of the series of building your own Microsoft Intune lab. We will take some shortcuts and do some dirty tricks, just to get going. So please don’t use this as an implementation guide in a real environment. We will also skip a lot of fancy steps as getting a real domain name and having an on-premises AD. But if you already have those in your lab, that’s great!

For Android, there are a handfull of ways we can manage these. In this guide, we will configure Microsoft Intune to manage the method called “Personally owned device with work profile” which is the simplest wat to manage Android devices where we only have control over the corporate data, which is separated from the personal data.

For Android, we will setup the enrollment method, add a configuration profile, a compliance policy and add an application.

Configure enrollment

Navigate to Devices > Android and select Android Enrollment. This will list all available enrollment methods for Android.

For this lab, we will use the “Personally owned device with work profile” which is the simplest and easiest Android management method to get started with (and it doesn’t require you to reset your device to enroll).

Click on the box “Personally owned device with work profile“.

As you will see by the message you are presented with, this is enabled by default. This means that we do not need to make any further configurations.

Configuration profile

To create a Configuration Profile navigate to Devices > Android and select Configuration profiles in the left side menu.

Click on “+ Create profile” to create a new profile. As Platform select “Android Enterprise” and as Profile type select “Device Restrictions” under the “Personally Owned Work Profile” section. Then click Create.

On the first page, give your profile a name and click Next. I use Android as a prefix to indicate that it’s a profile for Android followed by the PIN Requirements to indicate what the profile does.

Find and expand the category Device password. Here we will add similar settings as we did with iOS/iPadOS which is to use Numeric Complex password type which blocks simple password (such as 111111 and similar) and we will require the PIN to be at least six digits. Facial recognition or fingerprint sensors will be available to use instead of PIN. When you have added these settings, click Next.

Assign the profile to your user group and press Next.

On the last page, review your settings and click Create.

We have now successfully created a configuration profile which will require a PIN to be set on our enrolled devices.

Compliance Policy

As with the iOS/iPadOS configuration, we will create a compliance policy which will audit the device to make sure that the PIN requirements are met.

Navigate to Device > Android and select Compliance policies and click “+ Create policy“. Select “Android Enterprise” as Platform and “Personally owned device with work profile” as Profile type. Then click Create.

Give your policy a good name and click Next.

Find and expand the category System Security and configure the password requirements to mimic the configuration profile. Once you have added this, click Next.

On the next page, we will leave the default action but we will add the option “Send notification to end user” and leave the schedule to the default value 0 and then click Next.

On the next page, we will add our user group and click Next.

On the last page, review your settings and then click Create.

We have now successfully created a compliance policy which will audit if the user has set a PIN which meets our requirements.


In the iOS guide, we used a Guided scenario to deploy Microsoft Edge to bot iOS, iPadOS and Android. This means that the Microsoft Edge appliucation will be automatically installed on the Android devices as well.

But we need more than one application, hence we will add one more.

Navigate to Apps > Android and press “+ Add“. Select “Managed Google Play app” as App type and press Select.

Search for an application you want to add and select Approve on the application.

Once the application has been approved, press Sync in the upper left corner of the window. This will take you back to the application list.

Wait a few minutes and then click Refresh on the app list page in order to display your new applications. You will notice that the Assinged status on all new applications are set to “No” which means that no users has been assigned to the applictiaon yet.

To assign the application to a group to distribute it to your devices, click on the application and select Properties in the left side menu.

Click on Edit next to Assignments to add a group to distribute this towards. Add your user group to Available for enrolled devices and click Review + save. Then on the review page click save.

We have now successfully made the application available to all our enrolled Android devices in the Managed Google Play store.

Enroll your device

Now its time to enroll your device and in this scenario it requires the device to be rested to factory default.

On the first page where you are asked to select language, tap five times fast in order to trigger the QR code scanner.

Go to Devices > Android > Android enrollment and select the profile you created earlier. Click on Token and scan the QR which is displayed.

Follow the enrollment guide on your screen (this will vary depending on which version of Android you are running).

Once enrollment is completed, you can find your device if you go to Devices > Android > Android Devices. Click on your device to show more information and perform remote actions such as wipe or removing the PIN if the user has forgotten it.

Ending notes…

There are many ways to manage Android, and in this guide, we went through the simplest one. There is also a method called “Corporate-owned devices with work profile” which is the most powerful method, in my honest opinion. this however requires you to reset your device before enrollment. You will also need to create new Configuration profiles and Compliance policies for this method since it operates a bit different.

I really encourage you to keep playing around with Intune and try out more stuff. We only scratched the surface in this guide, but you have a good foundation to build upon!


Get more information on device compliance

Device compliance is an area which is getting increasingly important and having your devices reporting a “Compliant” status is crucial for Conditional Access to work in a user-friendly way.

But sometimes you end up with a bunch of devices reporting error on a specific compliance setting. The Intune reporting on Compliance leaves you hanging with either a report on just all your “non-compliant” devices or the count on how many devices have a specific error. Figuring out which devices has a specific error is not an easy task.

After digging around a bit I stumbled upon this post INTUNE: REPORT ALL DEVICES THAT ARE NON-COMPLIANT BECAUSE THEY ARE INACTIVE – Microsoft Tech Community which explained how to get this data using Graph API. You get a lot of information from this query.

Since I wasn’t really interested in inactive devices, I needed to tweak the GET query a bit ending up with the following query, since I was looking for devices with a firewall issue.$filter=state eq 'nonCompliant'

If we break down the string a bit you can actually filter this based on the specific compliance setting you want to find.

  1. “” – This is the Graph connection string
  2. “deviceCompliancePolicySettingStateSummaries/” – this defines that we want to look at compliance policy setting state
  3. “Windows10CompliancePolicy” – this is the name of my compliance policy, so this will depend on your naming
  4. “.ActiveFirewallRequired/” – this defines which setting we are looking at
  5. “deviceComplianceSettingStates?$filter=state eq ‘nonCompliant'” – this filters out which state we are looking for. You can change this to “Compliant” to find compliant devices instead

So, if you want to look at another setting than the firewall as in this example, you simply replace that part in the string with the name of what setting you are looking for. Easiest way to find all the setting names in your tenant is to simply run:

This will list all settings and setting names in your tenant.

When you have built your own GET string you will be able to pull the data you need and get information about what devices in a simpler way.

I’m still trying to figure out how to export this in a good way other than the classic copy paste (I’m really bad with PowerShell). Once I figure that out, I’ll post a part two of this! Or if you have a good solution for this, feel free to reuse this or post a link to your solution in the comments!

Modern Workplace

Naming conventions

Ah the precious naming convention. Something that has historically been particularly important, and still is today but in a bit of a different way.

Lately this topic has come up in various situations, and I had started a post about this a few years ago talking about how we did it back then and the reasoning behind how we did back at my former employer. But then life happens and I’m now working in a completely different role.

How did we get here?

So, this whole topic has somewhat of a history. Naming conventions, or naming standards, have always been a hot topic with things almost viewed as you can do it in a correct way or a wrong way (this is extremely exaggerated). Naming things can be an art, where you compress things as much as possible to have as much information as possible in the name of things.

Let’s take computer names for an example, everyone has a standard for this and its roughly the same idea everywhere:

  • You want to identify in which country the device is [SE]
  • You want to identify which city, office, or business unit [STO]
  • Based on historical decisions, you want to separate laptop and desktop [L] / [D]
  • You throw in the word PC to identify it as a PC and not something else [PC]
  • You have a number sequence at the end [1234]

This would give you a computer name such as SESTOLPC1234.

Does this sound familiar? Many choices you made several years back are still present in the name since you haven’t managed to get rid of it due to different internal discussions never leading to a decision.

Same would go for your security groups and distribution groups, you have prefixes based on different objects. Same goes for your Intune profile names.

Does names matter?

So, the big question, does this really matter anymore? I would argue that it does, but not in the same way as it used to do.

At the end of the day, this is only a name. Having a diverse IT environment as workplaces are today, we can only control the naming of a subset of all devices (mainly Windows PCs). This means that your iPhones, iPads, Androids, and Macs won’t follow your naming convention since they simply do not support this fully.

The name is to help identify the device, but if you look at your inventory in e.g. Microsoft Intune, I would guess that most of your iPhones are called “iPhone” leaving your clueless anyway. All devices (except for shared) are connected to a user, so you are usually better of finding devices based on the user. The device also has a lot of meta data which is searchable, such as serial number, which is an effective way of finding the device since the device name is something that potentially changes during the lifecycle of a device.

Key take away

The naming of devices is maybe not as important as it used to be, but there might be scenarios where its useful. The most important thing to remember is that there are no right or wrongs, it’s all based upon the wants and needs of your organization and what makes sense to you. All the different device platforms in the office space supports this in different ways as well, so what is possible on your Windows device might not be possible on your Android devices.

What I usually do for Windows is to use a three-letter pre-fix and the serial number as a name. This pre-fix changes depending on the type of device. One setup could be like this:

  • OPC-1234567 where OPC stands for Office PC
  • SPC-1234567 where SPC stands for Shared PC
  • MTR-1234567 where MTR stands for Microsoft Teams Room
  • KIO-1234567 where KIO stands for Kiosk

Setting names like this is mostly to easily identify what flavour of a Windows device it is, but that would be even better to add as meta-data to the device or using e.g. scope-tags or device categories. There are many ways to add that information to the device, but using different pre-fixes are the simplest.

At the end of the day, device name is something that is more for convenience rather than functionality. Even if my computer is called “Olas computer” or “DESKTOP-Q2E3RE” it would be possible to add it to dynamic groups and find information about it.

Intune Modern Workplace

Once you go Mac…

I used to be an avid Mac user and major Apple fanboy back in like 2011-2013. Then I joined Microsoft and got to see the other side, the dark side… Somewhere in the hidden corners of the internet, I even have a blog post called “once you go Mac, you never go back” saying I would never use anything else then a Mac.

Jokes a side. Coming out of a more communications and media technology world from college, Apple and Macs was the best there was. Then the iPhone came along and changed the whole mobile device world.

I was a Mac user from around 2008 until 2017 even if in the later years I rarely used my personal Mac. Then the Surface Laptop was released and that’s what my personal laptop still is.
Now that I’m about 10 years older than in 2011 and I have a completely different approach to things. One is not better than the other, it totally depends on who will use it if it’s better or not.

This post will not cover HOW to configure, more discuss why and what.

macOS and management

So, how would you go at this?

Just like for mobile devices, there are a lot of different tools for managing macOS. As usual, my approach is Microsoft Intune, but for macOS specifically there might be other tools like Jamf Pro which has a lot more features (but also comes with a completely different price tag).

You know I’m all for making use of what you have and getting the most bang for your buck, so let’s talk about macOS and Microsoft Intune.

Setting the expectations right

One thing to keep in mind when it comes to managing macOS. The possibilities are not even close to what you can do on a Windows 10 machine, and what we can control comes down to what APIs Apple allows mobile device management tools to use. Setting up management for macOS and expecting the functionality of a domain joined computer, this is not what you will get.

The experience is more closely related to how you approach managing mobile device. You put a management layer on top of the experience. There basically three ways to view management of Mac’s:

  • Automated Device Enrollment
  • Device Enrollment
  • User enrolled

The two first ones are the most common ones while User enrolled is more for BYOD scenarios and gives less functionality and manageability. Both device-based methods are very similar, but the Automate Device Enrollment makes use of the Apple Automated Device Enrollment service, ADE (previously DEP), which will increase the possibilities for management and prohibit the user from removing the enrollment.

The experience to enroll macOS is more closely related to how you approach managing mobile device. You put a management layer on top of the experience. macOS utilizes what is called “User Approved enrollment” which means that the user must ALLWAYS approve the installation of management profiles, even is automated device enrollment is used. This will add extra steps to the enrollment process compared to mobile or Windows devices where this is automated in a higher degree.

If you are looking for a more deeply integrated management method, Jamf Pro is more where you need to head, but then we are talking additional licensing.

What to manage

Moving on to what you need to manage on the device. This is of course based on your organizational needs, both regarding configurations and security. There are however a few things that might be a good minimum, such as:

  • Wi-Fi settings
  • Encryption and FileVault (macOS equalent to Bitlocker)
  • PIN/Password
  • Endpoint protection
  • Application distribution
  • Compliance settings
  • SSO extension

There are a lot of more things we could potentially configure, but keeping it to a bare minimum, this is a great start and does not limit us from expanding this down the road.

One thing to use as a guiding principle is to think about what you NEED to manage and not configure settings just because you can. Is there a need to block let’s say Spotlight suggestions, or could this be useful for the user and resulting in a poorer end-user experience? This is important to keep in mind for all platforms, not only macOS to be honest. Don’t block just because you can, configure based on needs.

Why manage?

So why do you want to manage your Mac’s? That is the million-dollar question and something that you need to figure out before even starting. This doesn’t need to be super fancy or technical, just define the goal you have. This might be:

  • Ensure that all devices are secure
  • Get inventory of what devices are used
  • Provide your users with a better experience

Or you could have more defined demands coming from your organization regarding legal demands or security demands.

By managing your Mac’s, you will gain a better understanding of what devices are used within your organization and you can ensure that you provide your users with a good and secure platform. By managing the device, you can also provide settings such as Wi-Fi access automatically to the devices without the need for the end-user to know where to find the information. Same would go for applications. You will bring the platform closer to what you know and love when it comes to device management even though the expectations need to be separate from let’s say the Windows platform.

Me Tips & Tricks

Creating a workplace at home

So, I’m about 10 months late on this topic now that we have all been from home for such a long time. The discussion is turning more towards how we can move BACK to the offices, how and when that can and will be done.

For me, this is an important topic and I thought I would share my learnings from the past 10 months regarding creating a workspace at home.

I really understand that not everyone has the living situation allowing them to set up a good working place. In our apartment we had to set up an extra workplace since both me and my girlfriend are working from home full time for a foreseeable future. This ment some compromises when it comes to optimal space since we only had one spare room, putting my workplace in the bedroom.

Please bear in mind that these are important to me and I totally understand if you don’t have the space, ambition, or willingness to go down this path.

A real desk and a chair you like

Even if it’s quite convenient to setup your office at the kitchen table, it’s far from optimal for several reason. Even though it’s nice to be close to the coffee maker, this is not good for your back and sholders.

Given that you have the space, getting a real desk and chair makes wonders. It doesn’t have to be one of those adjustable desks or expensive gaming chairs. Simple stuff from IKEA is a good start!

For me, this is the most important part. I can leave everything else out, but I need a decent desk and chair to work from home.

A monitor

Having an external monitor is important from a whole lot of aspects. You get some extra real estate while working on those spreadsheets and most importantly you end up in a more ergonomic posture, raising your line of sight. Being someone who has worked extensively from only a laptop monitor in the past, this has become important. For me, it doesn’t have to be a fancy, top-of-the-line screen, even though it does have to have okay aesthetic since it becomes a part of the interior decoration for the room.

A keyboard and mouse you enjoy

This has been one of the bigger pet peeves for me. Finding a good keyboard and mouse. I’ve also discovered I’m fussy on this topic and I have quite specific expectations.

I’ve been using the Microsoft Arc Mouse for a long time, and I really enjoy it. However, that has always been more of a “travel mouse” for when on the go or not at a real desk. It’s a bit small and not to ergonomic for my taste. I was also using an old “all-in-one” Microsoft keyboard which had a bad typing experience.

Those are now replaced with new fancy stuff, Microsoft Compact Designer Keyboard, and a Microsoft Ergonomic Bluetooth Mouse which I really like.

Since I spend a lot of time typing, the keyboard experience is important, and this keyboard feels just like a laptop keyboard (I’m NOT a fan at all of mechanic keyboards).

A webcam

This is something simple and for remote work important to have good Teams meetings. If your setup includes an external monitor, getting an external webcam will really increase your meeting experience. You will be facing the correct screen compared to using your built-in webcam from the laptop, which will not present you in profile and you will be perceived as more engaged in the meeting since you will be looking the in the correct direction.

Keep a clean desk policy

I’ve always been a fan of this, both at the office and at home. Getting stuff out of the way and de-clutter my workspace removes all distractions. It’s also nice to start the workday fresh and since my workplace is in the bedroom, clearing up the desk helps me disconnect.

Take breaks

This is the area I need to improve the most on. I’m bad at taking breaks. However, I do try to take at least one 20–30-minute walk everyday with our dog. But I tend to eat lunch in front of the computer and just go to the kitchen for refill of water or coffee, so more like micro breaks.

Be flexible

This is another area of improvement for me, I tend to not move around as much as I would like. But being flexible where you work from, just like you would at an office, makes you don’t have to stare at the same wall day in and day out. It could give you a sense of an activity-based office. My idea how I will handle 2021 is to start my day at the table dinner table in the living room and then move into my office space when I’ve finished my coffee. However, I still some way to go on that point.

For me, being flexible could also mean that you bring your workspace to new places, or even outside when winter is over. After working as a traveling consultant for several years, my essential office still fits in a backpack.

Evolve your workspace

My home workspace is always evolving and improving. As or right now I have to things I’m thinking about. Replacing the desk for an adjustable one and figure out a good lightning setup with a low fotprint to improve the lighting for Teams meetings.

I also have about a thousand ideas what I would like to do, which are not possible now due to room limitations. But I have dreams of what my home office should look like, and it doesn’t really include that much technology. It has more to do what I want my space to look like.


What is the difference between management scenarios for mobile devices?

A quite common discussion topic when it comes to mobile device management is the different approaches you can take. Therefore, I’ve written down a little something to try to simplify a little bit.

I’ve intentionally left out any preview features and user enrollment for Apple device to focus on the most common scenarios. I will look to cover that in a separate post.

There are of course more technical aspects to this, but from a high level this is something that is good to keep in mind!

Flow description Android

For Android, there are three different type of management:

  • Work Profile
  • Corporate owned fully managed
  • Corporate owned dedicated device

These are used for three different scenarios which are based on the requirements in the environment. Moving existing devices into Microsoft Intune management also affect which management method which should be used.

Personally owned with work profile

Personally owned with work profile is mostly referred to handle Bring Your Own Device (BYOD) scenarios. This is also often used to transition from either no management or legacy management into a Microsoft Intune enrolled device since it does not require the device to be reset to factory default before getting started.

To register a device using Work Profile, the user will need to download the Company Portal application from the Google Play store. When the application is downloaded and installed, user signs into the Company Portal app using the corporate credentials and follows the on-screen wizard how to enroll.

When the device is enrolled, a corporate container is created on the device where all corporate data is stored separately from the personal data. The user will see a new tab on the application pane called Work and all applications will have a small briefcase on them indicating they are work applications.

The IT department can only manage the Work Profile part but can put some restrictions and requirements on the device regarding e.g., PIN-code and Wi-Fi settings. Limited number of remote actions can also be performed such as PIN recovery or removal of corporate data. Applications in the Work Profile part is managed through a Managed Google Play store which is controlled by the Microsoft Intune administrators. Since the applications in the managed Google Play store are centrally managed and assigned, no corporate Google account is needed for the end-user to download and consume applications in the Work Profile.

The personal part of the phone still functions as expected by the user since data is separated and not allowed to stream between the containers.

Personally owned with work profile

Corporate owned fully managed

A corporate owned fully managed device is used where the company buys the device and there is a 1:1 relationship between device and user. To enroll the device as fully managed, the device needs to be new out of the box or been reset to factory default.

Devices could be pre-registered to the customer by the hardware vendor in Google Zero touch to ease the enrollment procedure for the end-user.

When the user receives the device, and the user follows the on-screen onboarding process for initial setup.

If the device is not pre-registered using Google Zero Touch, the user will be asked to scan a QR code which is unique to each customer and must be made available by the IT department.

During the enrollment, the user will be asked to login using their corporate credentials. The user will also be asked to set a PIN-code. As part of the enrollment in Microsoft Intune, configurations, policies, and applications will be applied to the device which has been assigned to the user and/or device.

When the enrollment has finished, the device is ready to be used by the user.

The fully managed device does not separate corporate and personal data as the Work Profile method does, which means that corporate data and personal data is mixed on the device. On the other hand, since the device is fully managed, the IT department has much more control over the device and applied configurations and policies.

Applications are centrally managed by IT, but the public Google Play Store can be made available for the end user. For applications distributed through Microsoft Intune, no Google account is needed for the end user.  

IT can also perform remote actions on the device, such as PIN recovery or data removal.  

Corporate owned fully managed

Corporate owned dedicated devices

Corporate-owned dedicated devices are used when there is not a 1:1 relationship between user and device, in a scenario where multiple users use one device. A good example of this is a kiosk device.

Devices could be pre-registered to the customer by the hardware vendor in Google Zero touch to ease the enrollment procedure.

When the user receives the device, and the user follows the on-screen onboarding process for initial setup.

If the device is not pre-registered using Google Zero Touch, the user will be asked to scan a QR code which is unique to each customer and must be made available by the IT department. These QR codes are unique to each enrollment profile and are valid for 90 days.

During the enrollment, no user sign in is required. Device will be automatically enrolled towards Microsoft Intune and no user affinity is applied. PIN-code can be set as part of the enrollment flow.

During the enrollment to Microsoft Intune, configurations, policies, and applications will be applied to the device which has been assigned to the device.

When the enrollment has finished, the device is ready to be used by the user.

Since the device is supposed to be dedicated to a specific task or function, the features in the OS are limited and can be locked by the IT department. Some built in applications can also be removed if needed.

Applications are centrally managed by IT using Microsoft Intune.   

IT can also perform remote actions on the device, such as PIN recovery or data removal.

Corporate owned dedicated devices

Flow description IOS and iPadOS

Management of iOS and iPadOS does not have the same number of variations as Android. There is however a difference in how you can handle devices based upon if you use Apple Automated Device Enrollment or not.

For iOS/iPadOS management, there are two different ways of managing the device, personal or shared. Shared device is only applicable to iPadOS.

There are however two different ways of enrollning a device depending on if Apple Automated Device Enrollment is used or not.

Personal iOS/iPadOS devices with Apple Automated Device Enrollment

The default management of iOS/iPadOS devices are personal devices where there is a 1:1 relationship between user and device.

If Apple Automated Device Enrollment is used, the devices are pre-registered by the vendor in Apple Business/School Manager. Apple Automated Device Enrollment is used to simplify the enrollment process for the end-user and provide an additional set of control for IT.

When Apple Automated Device Enrollment is used, IT can control the first run experience for the user to remove unnecessary steps. This control will also ensure that the device will be enrolled. When a user receives the device, they will follow the on-screen wizard to get started and register their device.

During the initial setup, the user will be asked to sign in using the corporate credentials and the device will enroll in Microsoft Intune and received the applicable configuration, polices and applications which has been assigned to the user and/or device. When the setup is done, the device is ready to use.

IT can manage configuration, policies, and applications centrally and perform some remote actions such as PIN recovery, data removal or resetting the device. If the devices are deployed in Supervised mode, there is also a possibility to trace lost devices and put them in a “lost mode” to prevent a lost device being used by an inappropriate person.

Applications are downloaded through the Apple App Store. For corporate applications and line-of-business applications, the Company Portal is used to initiate the download and the user will not require an Apple ID to download applications. IT can also do required installations of applications.

Personal iOS/iPadOS devices with Apple Automated Device Enrollment

Personal iOS/iPadOS devices without Apple Automated Device Enrollment

The default management of iOS/iPadOS devices are personal devices where there is a 1:1 relationship between user and device.

If Apple Automated Device Enrollment is not used, user will have to download the Company Portal application from the Apple App Store to enroll the device. Users then sign into the application using their corporate credentials and follow the on-screen instructions on how to enroll the device.

IT can manage configuration, policies, and applications centrally and perform some remote actions such as PIN recovery, data removal or resetting the device.

Applications are downloaded through the Apple App Store. For corporate applications and line-of-business applications, the Company Portal is used to initiate the download and the user will not require an Apple ID to download applications. IT can also do required installations of applications.

Personal iOS/iPadOS devices without Apple Automated Device Enrollment

Shared iPadOS device

Shared iPadOS devices are used when there is not a 1:1 relationship between user and device, in a scenario where multiple users use one device. A good example of this is a kiosk device.

To use the Shared iPadOS scenario, Apple Automated Device Enrollment needs to be used. Devices are registered in the Apple Business/School Manager to connect the device towards the customer.

When a device is to be registered, a user or coordinator starts the device and follows the on-screen instructions. No sign-in is required during this process since the device will not have user affinity.

During the enrollment, the device will receive configurations, policies and applications which has been assigned to the device.

When the registration is completed, the device is ready to use.

IT can manage configuration, policies, and applications centrally and perform some remote actions such as PIN recovery, data removal or resetting the device.

Applications are centrally managed by IT and are installed automatically by assigning them in Microsoft Intune without user interaction.

Shared iPadOS device
Modern Workplace

Dear 2020…

Wow, it’s already a new year. Even if 2020 was a weird year, it went by fast! And for those who wonder, the deer doesn’t have anything really to do with this post. It’s more of a pun… Deer 2020… Okay, I’ll show myself out….

A lot of things to look forward to in 2021, such as a vaccine against Covid-19, new Windows preview builds, new Teams features and much, much more.

The start of a new year is wonderful opportunity time to reflect on the past year, because even though 2020 was a weird year a lot of things happened. I’ve decided to split this one into different areas just to be able to sort out my thoughts a little bit.

Personal life

So personal life… This doesn’t really qualify into this blog usually. But since 2020 ment working from home all the time, personal life is an important part. Relaxing and disconnecting got even more important for me during 2020. I found something that allowed me to disconnect from work stuff and focus on something else which I haven’t really done the last couple of years. Like a lot of other people, I took up golf again during 2020. Not so much because of Covid-19 but more in the sense of this is something I’ve been playing since I was like 6 or 7 years old and I finally found the joy in it again.

Professional life

2020 was the strangest year in my professional life, as for everyone else. I started a new job just a few months before Covid-19 happened, went back to being a consultant again. Since I started right before the pandemic really took off, it’s been a little bit of a weird start for a new job since you haven’t been able to really meet your co-workers nor your customers physically. Strange times!

Also, regarding my professional life I’ve shifted over to this blog as a platform to share my experiences, findings, and learnings. I’ve tried to keep a consistent flow, but my inspiration went on isolation during the end of the year (I blame the darkness). I’m hoping that the lighter times which are coming, and the snow, will get me back on track!

Modern workplace life

This heading is weird, I know, but bear with me…

2020 was probably one of those years that forced a lot of companies and workplaces to jump forward in their thinking and implementation of workplace services. We all saw Teams skyrocket as a meeting platform, VPN usage was of the charts and collaborating digitally is the new black.

I’ve written a bunch of different blog posts about the modern workplace the last year, and also published some old LinkedIn articles.

During the last year, a lot have happened. We are working in a different way and everyone has gotten a taste of what working remote means, proving that we can do stuff while not at the office (hopefully killing that old face-time requirement). The term “work is not a place, it’s something you do” has definitely come into play!

I think the biggest impact for the modern workplace during 2020 was in fact the Covid-19 pandemic. This challenged a lot of companies to drive their adoption fast, or even in some cases get started. It has also put a bigger trust in that the end-user knows how to handle the tools provided and IT’s role in providing the correct information and education has become increasingly important.

During 2020 we saw a lot of great improvements to a lot of popular Microsoft products. One of the most obvious one for the modern workplace was Microsoft Teams. We got A LOT of new functionality during 2020, not only post Ignite, but as a steady stream of news. This really improved on an already great platform. Oh, and let’s not forget about the increase of Teams usage!

Intune also got its steady stream of updates and the “Corporate-owned devices with work profile” management method for Android finally saw the light of day (still in preview however). I think this will be a really nice add-on when released based on the user experience it provides for corporate devices.

One of the most exciting new things, which I still have not tried out, is Microsoft Tunnel. A simple VPN solution for mobile devices which doesn’t require large investments or changes in your infrastructure if you are using a Microsoft based VPN for you Windows devices today. It will be exciting to see this product go into general availability.

Going forward

I most likely forgot a lot of things that I should have included. But hey, it’s been a weird year!

Now let’s focus on what 2021 holds. This blog will keep on living and my focus will stay on the “softer” stuff around modern workplace and not the hardcore technical stuff.

Microsoft 365

Handle templates for Office 365

This is topic has always been a headache. You have your corporate Office-templates hidden away on some on-prem file-share which only a few people have access to. This makes it a bit tricky when we are in world where your devices might not be on-prem anymore, both physically and where they are managed. This gets even more painful when you want to get the templates out to Mac devices.

Of course, there are ways to make use of the old settings where you point out a file share, which could theoretically also live in an Azure blob.

I came from this in the mindset “there has to be something better and cloud ready”. Lo and behold, there is something native to SharePoint we could use!

This concept is more based around the logged in user in the Office suit rather than specific settings on the device. This means that you could also provide unmanaged/external devices with your templates if you have contractors or similar who are using their own devices.

You can read more here about the concept and the limitations (Microsoft Docs).

SharePoint organization assets library

What I found was the organization assets library feature in SharePoint which you can utilize to point out your assets like templates but also images.

This whole setup is based around document libraries on a SharePoint site which you give all your employees reading access to. You can then give restricted access on certain folders if not everyone should see all templates (it’s basic SharePoint access management on folders). This also make it possible for you to assign higher access to people who are responsible for producing templates and they could potentially manage this them self.

One thing which is important to take notice of is that this will create the asset library tenant wide meaning all your users will have this showing up in the Office suite.

Step one – SharePoint site

Create a document library on a new or existing SharePoint site which you will use as your asset repository. My Document Library is called “Office Templates”

Add “Everyone except external” to the visitors access group on your library and give them “Read only” access.

Add some folders and/or templates to your SharePoint library, make sure that they are in a .dotx/.potx/.xltx to work as proper template.

Step two – Configure library

First step is to install the SharePoint Online Management Shell in PowerShell. Detailed information can be found here. In order to invoke this part you will need to be at least a tenant administrator in your Office 365 environment.

Open an elevated PowerShell session and run:

Install-Module -Name Microsoft.Online.SharePoint.PowerShell

To connect to your SharePoint Online infrastructure you will need to run this command where you replace [tenant] with the name of your tenant:

Connect-SPOService -Url https://[tennant]

Next up is to specify the asset library:

Add-SPOOrgAssetsLibrary -LibraryUrl  https://[tenant][Site name]/[Document library name] -OrgAssetType OfficeTemplateLibrary -CdnType Private

When you have successfully executed those few PowerShell lines, you are done and within a few minutes the templates will show up in your users Office clients.

Tips & Tricks

How I stay up to date

A bit of a different type of post this week, just in time for the weekend. Since I know for a fact there is an information overflow for everything right now, I thought I would share where I turn to stay up to date.

There are probably as many sources as there are IT-consultants, but these are my go-to’s. I thought I would share some of the pages I keep track of to stay up to date.


This is where probably my biggest source of news and generic IT information. Twitter is a really good place to consume a lot of information!

Who should you follow? That is a really good question. My feed contains a lot of people within IT, but I’ve found this Twitter-list with people at Microsoft in the Endpoint Manager team. So have a look at that list (you can follow a list).

You should of course follow this list as well containing all my colleges!

Oh, and make sure to follow me @olastromcom


I would say I have two different kind of blogs I keep track of. One kind for technical solutions and one for IT news.

For news, I mostly rely on Microsoft blogs.

For more technical things, I have two which I tend to default to these two:

Where do you get your inspiration and news from and what channel did I miss? Let me know in the comments!


Android for task-workers

Let’s get technical again, it’s been a while.

Android has some rather good benefits for task-workers/front-line workers, especially if the device is shared. Not only is the price-point of the device better, the user experience is quite simple.

There are today two ways of doing this, either dedicated device or the newly released dedicated device with Azure AD Shared Device which is still in preview. In this post I will try to cover both, but the device will not be set into kiosk mode.

How to configure

Decision points

Before you start, there are a few things you need to decide upon:

  • What applications do I need?
  • What is allowed on the device?
  • Is it multi app device or not?
  • How will the device be enrolled?

Using dedicated devices, you can either just enroll the device as a “normal” device but without the user affinity, or you can deploy a single-app or multi-app kiosk where you define what applications can be used. This post will describe how to do the “normal device” setup without user affinity.

The Intune parts…

Enable enrollment

First step is to enable the possibility enable dedicated device enrollment. I’m assuming that you have already setup the Managed Google Play, otherwise you need to do that first by following the wizard.

In the Microsoft Endpoint Manager admin centre (, navigate to Devices > Enroll devices > Android and select the “Corporate-owned dedicated devices”

Click on “Create profile” to create a new profile.

Give your profile a name and select what token type you want to use. Today, there are two to choose from. The default profile for dedicated devices and the preview profile for Azure AD Shared Devices (which you can read all about here). In this example we will use the preview feature, but you can today just as well use the default if you are not keen on using preview features.

Enrollment tokens for dedicated devices can only be valid for 90 days, so make a note of the expiration date and create a reminder to renew it. If you miss to do so, you won’t be able to enroll new devices.

When you are done, hit next two times and then create. Your enrollment token for dedicated devices is now created!

To view the token, click on it in the list and go to “Token” in the left menu. When you press “Show more” the token will be displayed.

This will later be used when a device is enrolled.

Creating a device group

Now we need a device group to be able to target our settings and applications.

In the MEM admin centre, go to Groups and select “New group”. Leave the group type to “Security” and give the group a name. Select “Dynamic Device” as membership type.

Now it’s time to create our very simple membership rule. Set property to “enrollmentProfileName”, operator to “Equals” and the value to the name of the enrollment token we created in the previous step.

Or you can just use this string and replace the [ENROLLMENT TOKEN NAME] with the name of your token.

(device.enrollmentProfileName -eq "[ENROLLMENT TOKEN NAME]")

You can of course build more complex rules if you like, but for the basic setup this is the only thing we need.

Setting device restrictions

For shared devices, there are a few settings that might be good to create. In opposite of how I usually create configuration profiles for personal devices, I tend to have one profile containing most settings for share devices, defining that it’s a shared device and doing some minor restrictions.

When creating a new profile, go to Devices > Android > Configuration Profiles and click “Create profile”. Select Android Enterprise as Platform and make sure use the profile type under “Fully managed, Dedicated, and Corporate-Owned Work Profile” when creating configuration profiles.

In this example I will only create a simple restriction profile with a few settings.

Since its a shared device which we don’t really know how it will be used, how updates are applied might be something you need to take in mind. It’s possible to set it to a maintenance windows to adopt to your business.

This profile will also set a PIN-code which will not be set during the enrollment due to that the general idea with a dedicate device is that it’s a kiosk and does not require a PIN. That is not however what the reality looks like every time.

If you are creating SCEP profiles, make sure that you create SCEP certificates which are device based and not user based since your device will not have a logged-on user so to speak.

Assign the profiles you have created to the device group we created earlier.


When it comes to applications, this is where it will vary a lot depending on your needs.

The important part here is to remember to assign the applications with a device centric approach and not a user centric. Use the group we created earlier or any other device group you have which contains the devices.

For shared or dedicated devices, you might also want to remove a few applications, not only distribute.

The easiest way of doing this for Google Play store applications is to simply add it from you Managed Google Play store and assign your dedicated device group to uninstall the application.

Some vendors, for example Samsung, pre-load their devices with some system applications which for Samsung also includes a separate app store. However, these are usually removed when putting a device into fully managed or dedicated mode, but if you are using e.g. Samsung Knox you will need to look into turning of these applications.

Enroll the device

Now it’s time to enroll the device!

Start up your device and tap the first screen repeatedly to launch the QR scanner.

Select a Wi-Fi network to connect to if you don’t have a cellular connection on the device. Hit next and the device will start to prepare to enroll. Follow the on-screen wizard to get started with the enrollment.

If you are using for example Samung Knox, the experiance will be more streamlined and you won’t be asked some of the choices.

During the enrollment process you will be asked to approve the installation of required applications as a part of the registration process.

Approve installation of apps
Register the device as shared

Once the device is enrolled, you will be presented with the home screen of the device.

Enrollment is complete

Some settings and applications might take a few minutes before they apply, so the device might not be ready to send off to the users just yet. To speed this up, you can access the Intune app on the device and press sync. Make sure that all applications and configuration profiles has been applied to the device before shipping it out!

One thing that is important to keep in mind for this is the licensing. You will most likely require a device license for Intune for these devices since they do not have a user.

Build further on this

Now that you have a dedicated device, you can built on this further using depending on your scenario.

You could for example set up kiosk device, either single- or multi-app using the Managed Home Screen. Using the Managed Home Screen also opens up the possibility to utilize the shared sign in screen mentioned in this post from the Intune team. But I will cover that in a future post instead!

You can also create different enrollment token based on different purposes, you just repeat this guide and create the ones you need for your organization, make sure to give the tokens and groups unique names which makes sense to you.