Ah the precious naming convention. Something that has historically been particularly important, and still is today but in a bit of a different way.
Lately this topic has come up in various situations, and I had started a post about this a few years ago talking about how we did it back then and the reasoning behind how we did back at my former employer. But then life happens and I’m now working in a completely different role.
How did we get here?
So, this whole topic has somewhat of a history. Naming conventions, or naming standards, have always been a hot topic with things almost viewed as you can do it in a correct way or a wrong way (this is extremely exaggerated). Naming things can be an art, where you compress things as much as possible to have as much information as possible in the name of things.
Let’s take computer names for an example, everyone has a standard for this and its roughly the same idea everywhere:
You want to identify in which country the device is [SE]
You want to identify which city, office, or business unit [STO]
Based on historical decisions, you want to separate laptop and desktop [L] / [D]
You throw in the word PC to identify it as a PC and not something else [PC]
You have a number sequence at the end [1234]
This would give you a computer name such as SESTOLPC1234.
Does this sound familiar? Many choices you made several years back are still present in the name since you haven’t managed to get rid of it due to different internal discussions never leading to a decision.
Same would go for your security groups and distribution groups, you have prefixes based on different objects. Same goes for your Intune profile names.
Does names matter?
So, the big question, does this really matter anymore? I would argue that it does, but not in the same way as it used to do.
At the end of the day, this is only a name. Having a diverse IT environment as workplaces are today, we can only control the naming of a subset of all devices (mainly Windows PCs). This means that your iPhones, iPads, Androids, and Macs won’t follow your naming convention since they simply do not support this fully.
The name is to help identify the device, but if you look at your inventory in e.g. Microsoft Intune, I would guess that most of your iPhones are called “iPhone” leaving your clueless anyway. All devices (except for shared) are connected to a user, so you are usually better of finding devices based on the user. The device also has a lot of meta data which is searchable, such as serial number, which is an effective way of finding the device since the device name is something that potentially changes during the lifecycle of a device.
Key take away
The naming of devices is maybe not as important as it used to be, but there might be scenarios where its useful. The most important thing to remember is that there are no right or wrongs, it’s all based upon the wants and needs of your organization and what makes sense to you. All the different device platforms in the office space supports this in different ways as well, so what is possible on your Windows device might not be possible on your Android devices.
What I usually do for Windows is to use a three-letter pre-fix and the serial number as a name. This pre-fix changes depending on the type of device. One setup could be like this:
OPC-1234567 where OPC stands for Office PC
SPC-1234567 where SPC stands for Shared PC
MTR-1234567 where MTR stands for Microsoft Teams Room
KIO-1234567 where KIO stands for Kiosk
Setting names like this is mostly to easily identify what flavour of a Windows device it is, but that would be even better to add as meta-data to the device or using e.g. scope-tags or device categories. There are many ways to add that information to the device, but using different pre-fixes are the simplest.
At the end of the day, device name is something that is more for convenience rather than functionality. Even if my computer is called “Olas computer” or “DESKTOP-Q2E3RE” it would be possible to add it to dynamic groups and find information about it.
I used to be an avid Mac user and major Apple fanboy back in like 2011-2013. Then I joined Microsoft and got to see the other side, the dark side… Somewhere in the hidden corners of the internet, I even have a blog post called “once you go Mac, you never go back” saying I would never use anything else then a Mac.
Jokes a side. Coming out of a more communications and media technology world from college, Apple and Macs was the best there was. Then the iPhone came along and changed the whole mobile device world.
I was a Mac user from around 2008 until 2017 even if in the later years I rarely used my personal Mac. Then the Surface Laptop was released and that’s what my personal laptop still is. Now that I’m about 10 years older than in 2011 and I have a completely different approach to things. One is not better than the other, it totally depends on who will use it if it’s better or not.
This post will not cover HOW to configure, more discuss why and what.
macOS and management
So, how would you go at this?
Just like for mobile devices, there are a lot of different tools for managing macOS. As usual, my approach is Microsoft Intune, but for macOS specifically there might be other tools like Jamf Pro which has a lot more features (but also comes with a completely different price tag).
You know I’m all for making use of what you have and getting the most bang for your buck, so let’s talk about macOS and Microsoft Intune.
Setting the expectations right
One thing to keep in mind when it comes to managing macOS. The possibilities are not even close to what you can do on a Windows 10 machine, and what we can control comes down to what APIs Apple allows mobile device management tools to use. Setting up management for macOS and expecting the functionality of a domain joined computer, this is not what you will get.
The experience is more closely related to how you approach managing mobile device. You put a management layer on top of the experience. There basically three ways to view management of Mac’s:
Automated Device Enrollment
Device Enrollment
User enrolled
The two first ones are the most common ones while User enrolled is more for BYOD scenarios and gives less functionality and manageability. Both device-based methods are very similar, but the Automate Device Enrollment makes use of the Apple Automated Device Enrollment service, ADE (previously DEP), which will increase the possibilities for management and prohibit the user from removing the enrollment.
The experience to enroll macOS is more closely related to how you approach managing mobile device. You put a management layer on top of the experience. macOS utilizes what is called “User Approved enrollment” which means that the user must ALLWAYS approve the installation of management profiles, even is automated device enrollment is used. This will add extra steps to the enrollment process compared to mobile or Windows devices where this is automated in a higher degree.
If you are looking for a more deeply integrated management method, Jamf Pro is more where you need to head, but then we are talking additional licensing.
What to manage
Moving on to what you need to manage on the device. This is of course based on your organizational needs, both regarding configurations and security. There are however a few things that might be a good minimum, such as:
Wi-Fi settings
Encryption and FileVault (macOS equalent to Bitlocker)
PIN/Password
Endpoint protection
Application distribution
Compliance settings
SSO extension
There are a lot of more things we could potentially configure, but keeping it to a bare minimum, this is a great start and does not limit us from expanding this down the road.
One thing to use as a guiding principle is to think about what you NEED to manage and not configure settings just because you can. Is there a need to block let’s say Spotlight suggestions, or could this be useful for the user and resulting in a poorer end-user experience? This is important to keep in mind for all platforms, not only macOS to be honest. Don’t block just because you can, configure based on needs.
Why manage?
So why do you want to manage your Mac’s? That is the million-dollar question and something that you need to figure out before even starting. This doesn’t need to be super fancy or technical, just define the goal you have. This might be:
Ensure that all devices are secure
Get inventory of what devices are used
Provide your users with a better experience
Or you could have more defined demands coming from your organization regarding legal demands or security demands.
By managing your Mac’s, you will gain a better understanding of what devices are used within your organization and you can ensure that you provide your users with a good and secure platform. By managing the device, you can also provide settings such as Wi-Fi access automatically to the devices without the need for the end-user to know where to find the information. Same would go for applications. You will bring the platform closer to what you know and love when it comes to device management even though the expectations need to be separate from let’s say the Windows platform.
So, I’m about 10 months late on this topic now that we have all been from home for such a long time. The discussion is turning more towards how we can move BACK to the offices, how and when that can and will be done.
For me, this is an important topic and I thought I would share my learnings from the past 10 months regarding creating a workspace at home.
I really understand that not everyone has the living situation allowing them to set up a good working place. In our apartment we had to set up an extra workplace since both me and my girlfriend are working from home full time for a foreseeable future. This ment some compromises when it comes to optimal space since we only had one spare room, putting my workplace in the bedroom.
Please bear in mind that these are important to me and I totally understand if you don’t have the space, ambition, or willingness to go down this path.
A real desk and a chair you like
Even if it’s quite convenient to setup your office at the kitchen table, it’s far from optimal for several reason. Even though it’s nice to be close to the coffee maker, this is not good for your back and sholders.
Given that you have the space, getting a real desk and chair makes wonders. It doesn’t have to be one of those adjustable desks or expensive gaming chairs. Simple stuff from IKEA is a good start!
For me, this is the most important part. I can leave everything else out, but I need a decent desk and chair to work from home.
A monitor
Having an external monitor is important from a whole lot of aspects. You get some extra real estate while working on those spreadsheets and most importantly you end up in a more ergonomic posture, raising your line of sight. Being someone who has worked extensively from only a laptop monitor in the past, this has become important. For me, it doesn’t have to be a fancy, top-of-the-line screen, even though it does have to have okay aesthetic since it becomes a part of the interior decoration for the room.
A keyboard and mouse you enjoy
This has been one of the bigger pet peeves for me. Finding a good keyboard and mouse. I’ve also discovered I’m fussy on this topic and I have quite specific expectations.
I’ve been using the Microsoft Arc Mouse for a long time, and I really enjoy it. However, that has always been more of a “travel mouse” for when on the go or not at a real desk. It’s a bit small and not to ergonomic for my taste. I was also using an old “all-in-one” Microsoft keyboard which had a bad typing experience.
Those are now replaced with new fancy stuff, Microsoft Compact Designer Keyboard, and a Microsoft Ergonomic Bluetooth Mouse which I really like.
Since I spend a lot of time typing, the keyboard experience is important, and this keyboard feels just like a laptop keyboard (I’m NOT a fan at all of mechanic keyboards).
A webcam
This is something simple and for remote work important to have good Teams meetings. If your setup includes an external monitor, getting an external webcam will really increase your meeting experience. You will be facing the correct screen compared to using your built-in webcam from the laptop, which will not present you in profile and you will be perceived as more engaged in the meeting since you will be looking the in the correct direction.
Keep a clean desk policy
I’ve always been a fan of this, both at the office and at home. Getting stuff out of the way and de-clutter my workspace removes all distractions. It’s also nice to start the workday fresh and since my workplace is in the bedroom, clearing up the desk helps me disconnect.
Take breaks
This is the area I need to improve the most on. I’m bad at taking breaks. However, I do try to take at least one 20–30-minute walk everyday with our dog. But I tend to eat lunch in front of the computer and just go to the kitchen for refill of water or coffee, so more like micro breaks.
Be flexible
This is another area of improvement for me, I tend to not move around as much as I would like. But being flexible where you work from, just like you would at an office, makes you don’t have to stare at the same wall day in and day out. It could give you a sense of an activity-based office. My idea how I will handle 2021 is to start my day at the table dinner table in the living room and then move into my office space when I’ve finished my coffee. However, I still some way to go on that point.
For me, being flexible could also mean that you bring your workspace to new places, or even outside when winter is over. After working as a traveling consultant for several years, my essential office still fits in a backpack.
Evolve your workspace
My home workspace is always evolving and improving. As or right now I have to things I’m thinking about. Replacing the desk for an adjustable one and figure out a good lightning setup with a low fotprint to improve the lighting for Teams meetings.
I also have about a thousand ideas what I would like to do, which are not possible now due to room limitations. But I have dreams of what my home office should look like, and it doesn’t really include that much technology. It has more to do what I want my space to look like.
A quite common discussion topic when it comes to mobile device management is the different approaches you can take. Therefore, I’ve written down a little something to try to simplify a little bit.
I’ve intentionally left out any preview features and user enrollment for Apple device to focus on the most common scenarios. I will look to cover that in a separate post.
There are of course more technical aspects to this, but from a high level this is something that is good to keep in mind!
Flow description Android
For Android, there are three different type of management:
Work Profile
Corporate owned fully managed
Corporate owned dedicated device
These are used for three different scenarios which are based on the requirements in the environment. Moving existing devices into Microsoft Intune management also affect which management method which should be used.
Personally owned with work profile
Personally owned with work profile is mostly referred to handle Bring Your Own Device (BYOD) scenarios. This is also often used to transition from either no management or legacy management into a Microsoft Intune enrolled device since it does not require the device to be reset to factory default before getting started.
To register a device using Work Profile, the user will need to download the Company Portal application from the Google Play store. When the application is downloaded and installed, user signs into the Company Portal app using the corporate credentials and follows the on-screen wizard how to enroll.
When the device is enrolled, a corporate container is created on the device where all corporate data is stored separately from the personal data. The user will see a new tab on the application pane called Work and all applications will have a small briefcase on them indicating they are work applications.
The IT department can only manage the Work Profile part but can put some restrictions and requirements on the device regarding e.g., PIN-code and Wi-Fi settings. Limited number of remote actions can also be performed such as PIN recovery or removal of corporate data. Applications in the Work Profile part is managed through a Managed Google Play store which is controlled by the Microsoft Intune administrators. Since the applications in the managed Google Play store are centrally managed and assigned, no corporate Google account is needed for the end-user to download and consume applications in the Work Profile.
The personal part of the phone still functions as expected by the user since data is separated and not allowed to stream between the containers.
Personally owned with work profile
Corporate owned fully managed
A corporate owned fully managed device is used where the company buys the device and there is a 1:1 relationship between device and user. To enroll the device as fully managed, the device needs to be new out of the box or been reset to factory default.
Devices could be pre-registered to the customer by the hardware vendor in Google Zero touch to ease the enrollment procedure for the end-user.
When the user receives the device, and the user follows the on-screen onboarding process for initial setup.
If the device is not pre-registered using Google Zero Touch, the user will be asked to scan a QR code which is unique to each customer and must be made available by the IT department.
During the enrollment, the user will be asked to login using their corporate credentials. The user will also be asked to set a PIN-code. As part of the enrollment in Microsoft Intune, configurations, policies, and applications will be applied to the device which has been assigned to the user and/or device.
When the enrollment has finished, the device is ready to be used by the user.
The fully managed device does not separate corporate and personal data as the Work Profile method does, which means that corporate data and personal data is mixed on the device. On the other hand, since the device is fully managed, the IT department has much more control over the device and applied configurations and policies.
Applications are centrally managed by IT, but the public Google Play Store can be made available for the end user. For applications distributed through Microsoft Intune, no Google account is needed for the end user.
IT can also perform remote actions on the device, such as PIN recovery or data removal.
Corporate owned fully managed
Corporate owned dedicated devices
Corporate-owned dedicated devices are used when there is not a 1:1 relationship between user and device, in a scenario where multiple users use one device. A good example of this is a kiosk device.
Devices could be pre-registered to the customer by the hardware vendor in Google Zero touch to ease the enrollment procedure.
When the user receives the device, and the user follows the on-screen onboarding process for initial setup.
If the device is not pre-registered using Google Zero Touch, the user will be asked to scan a QR code which is unique to each customer and must be made available by the IT department. These QR codes are unique to each enrollment profile and are valid for 90 days.
During the enrollment, no user sign in is required. Device will be automatically enrolled towards Microsoft Intune and no user affinity is applied. PIN-code can be set as part of the enrollment flow.
During the enrollment to Microsoft Intune, configurations, policies, and applications will be applied to the device which has been assigned to the device.
When the enrollment has finished, the device is ready to be used by the user.
Since the device is supposed to be dedicated to a specific task or function, the features in the OS are limited and can be locked by the IT department. Some built in applications can also be removed if needed.
Applications are centrally managed by IT using Microsoft Intune.
IT can also perform remote actions on the device, such as PIN recovery or data removal.
Corporate owned dedicated devices
Flow description IOS and iPadOS
Management of iOS and iPadOS does not have the same number of variations as Android. There is however a difference in how you can handle devices based upon if you use Apple Automated Device Enrollment or not.
For iOS/iPadOS management, there are two different ways of managing the device, personal or shared. Shared device is only applicable to iPadOS.
There are however two different ways of enrollning a device depending on if Apple Automated Device Enrollment is used or not.
Personal iOS/iPadOS devices with Apple Automated Device Enrollment
The default management of iOS/iPadOS devices are personal devices where there is a 1:1 relationship between user and device.
If Apple Automated Device Enrollment is used, the devices are pre-registered by the vendor in Apple Business/School Manager. Apple Automated Device Enrollment is used to simplify the enrollment process for the end-user and provide an additional set of control for IT.
When Apple Automated Device Enrollment is used, IT can control the first run experience for the user to remove unnecessary steps. This control will also ensure that the device will be enrolled. When a user receives the device, they will follow the on-screen wizard to get started and register their device.
During the initial setup, the user will be asked to sign in using the corporate credentials and the device will enroll in Microsoft Intune and received the applicable configuration, polices and applications which has been assigned to the user and/or device. When the setup is done, the device is ready to use.
IT can manage configuration, policies, and applications centrally and perform some remote actions such as PIN recovery, data removal or resetting the device. If the devices are deployed in Supervised mode, there is also a possibility to trace lost devices and put them in a “lost mode” to prevent a lost device being used by an inappropriate person.
Applications are downloaded through the Apple App Store. For corporate applications and line-of-business applications, the Company Portal is used to initiate the download and the user will not require an Apple ID to download applications. IT can also do required installations of applications.
Personal iOS/iPadOS devices with Apple Automated Device Enrollment
Personal iOS/iPadOS devices without Apple Automated Device Enrollment
The default management of iOS/iPadOS devices are personal devices where there is a 1:1 relationship between user and device.
If Apple Automated Device Enrollment is not used, user will have to download the Company Portal application from the Apple App Store to enroll the device. Users then sign into the application using their corporate credentials and follow the on-screen instructions on how to enroll the device.
IT can manage configuration, policies, and applications centrally and perform some remote actions such as PIN recovery, data removal or resetting the device.
Applications are downloaded through the Apple App Store. For corporate applications and line-of-business applications, the Company Portal is used to initiate the download and the user will not require an Apple ID to download applications. IT can also do required installations of applications.
Personal iOS/iPadOS devices without Apple Automated Device Enrollment
Shared iPadOS device
Shared iPadOS devices are used when there is not a 1:1 relationship between user and device, in a scenario where multiple users use one device. A good example of this is a kiosk device.
To use the Shared iPadOS scenario, Apple Automated Device Enrollment needs to be used. Devices are registered in the Apple Business/School Manager to connect the device towards the customer.
When a device is to be registered, a user or coordinator starts the device and follows the on-screen instructions. No sign-in is required during this process since the device will not have user affinity.
During the enrollment, the device will receive configurations, policies and applications which has been assigned to the device.
When the registration is completed, the device is ready to use.
IT can manage configuration, policies, and applications centrally and perform some remote actions such as PIN recovery, data removal or resetting the device.
Applications are centrally managed by IT and are installed automatically by assigning them in Microsoft Intune without user interaction.
Wow, it’s already a new year. Even if 2020 was a weird year, it went by fast! And for those who wonder, the deer doesn’t have anything really to do with this post. It’s more of a pun… Deer 2020… Okay, I’ll show myself out….
A lot of things to look forward to in 2021, such as a vaccine against Covid-19, new Windows preview builds, new Teams features and much, much more.
The start of a new year is wonderful opportunity time to reflect on the past year, because even though 2020 was a weird year a lot of things happened. I’ve decided to split this one into different areas just to be able to sort out my thoughts a little bit.
Personal life
So personal life… This doesn’t really qualify into this blog usually. But since 2020 ment working from home all the time, personal life is an important part. Relaxing and disconnecting got even more important for me during 2020. I found something that allowed me to disconnect from work stuff and focus on something else which I haven’t really done the last couple of years. Like a lot of other people, I took up golf again during 2020. Not so much because of Covid-19 but more in the sense of this is something I’ve been playing since I was like 6 or 7 years old and I finally found the joy in it again.
Professional life
2020 was the strangest year in my professional life, as for everyone else. I started a new job just a few months before Covid-19 happened, went back to being a consultant again. Since I started right before the pandemic really took off, it’s been a little bit of a weird start for a new job since you haven’t been able to really meet your co-workers nor your customers physically. Strange times!
Also, regarding my professional life I’ve shifted over to this blog as a platform to share my experiences, findings, and learnings. I’ve tried to keep a consistent flow, but my inspiration went on isolation during the end of the year (I blame the darkness). I’m hoping that the lighter times which are coming, and the snow, will get me back on track!
Modern workplace life
This heading is weird, I know, but bear with me…
2020 was probably one of those years that forced a lot of companies and workplaces to jump forward in their thinking and implementation of workplace services. We all saw Teams skyrocket as a meeting platform, VPN usage was of the charts and collaborating digitally is the new black.
I’ve written a bunch of different blog posts about the modern workplace the last year, and also published some old LinkedIn articles.
During the last year, a lot have happened. We are working in a different way and everyone has gotten a taste of what working remote means, proving that we can do stuff while not at the office (hopefully killing that old face-time requirement). The term “work is not a place, it’s something you do” has definitely come into play!
I think the biggest impact for the modern workplace during 2020 was in fact the Covid-19 pandemic. This challenged a lot of companies to drive their adoption fast, or even in some cases get started. It has also put a bigger trust in that the end-user knows how to handle the tools provided and IT’s role in providing the correct information and education has become increasingly important.
During 2020 we saw a lot of great improvements to a lot of popular Microsoft products. One of the most obvious one for the modern workplace was Microsoft Teams. We got A LOT of new functionality during 2020, not only post Ignite, but as a steady stream of news. This really improved on an already great platform. Oh, and let’s not forget about the increase of Teams usage!
Intune also got its steady stream of updates and the “Corporate-owned devices with work profile” management method for Android finally saw the light of day (still in preview however). I think this will be a really nice add-on when released based on the user experience it provides for corporate devices.
One of the most exciting new things, which I still have not tried out, is Microsoft Tunnel. A simple VPN solution for mobile devices which doesn’t require large investments or changes in your infrastructure if you are using a Microsoft based VPN for you Windows devices today. It will be exciting to see this product go into general availability.
Going forward
I most likely forgot a lot of things that I should have included. But hey, it’s been a weird year!
Now let’s focus on what 2021 holds. This blog will keep on living and my focus will stay on the “softer” stuff around modern workplace and not the hardcore technical stuff.
This is topic has always been a headache. You have your corporate Office-templates hidden away on some on-prem file-share which only a few people have access to. This makes it a bit tricky when we are in world where your devices might not be on-prem anymore, both physically and where they are managed. This gets even more painful when you want to get the templates out to Mac devices.
Of course, there are ways to make use of the old settings where you point out a file share, which could theoretically also live in an Azure blob.
I came from this in the mindset “there has to be something better and cloud ready”. Lo and behold, there is something native to SharePoint we could use!
This concept is more based around the logged in user in the Office suit rather than specific settings on the device. This means that you could also provide unmanaged/external devices with your templates if you have contractors or similar who are using their own devices.
You can read more here about the concept and the limitations (Microsoft Docs).
SharePoint organization assets library
What I found was the organization assets library feature in SharePoint which you can utilize to point out your assets like templates but also images.
This whole setup is based around document libraries on a SharePoint site which you give all your employees reading access to. You can then give restricted access on certain folders if not everyone should see all templates (it’s basic SharePoint access management on folders). This also make it possible for you to assign higher access to people who are responsible for producing templates and they could potentially manage this them self.
One thing which is important to take notice of is that this will create the asset library tenant wide meaning all your users will have this showing up in the Office suite.
Step one – SharePoint site
Create a document library on a new or existing SharePoint site which you will use as your asset repository. My Document Library is called “Office Templates”
Add “Everyone except external” to the visitors access group on your library and give them “Read only” access.
Add some folders and/or templates to your SharePoint library, make sure that they are in a .dotx/.potx/.xltx to work as proper template.
Step two – Configure library
First step is to install the SharePoint Online Management Shell in PowerShell. Detailed information can be found here. In order to invoke this part you will need to be at least a tenant administrator in your Office 365 environment.
When you have successfully executed those few PowerShell lines, you are done and within a few minutes the templates will show up in your users Office clients.
A bit of a different type of post this week, just in time for the weekend. Since I know for a fact there is an information overflow for everything right now, I thought I would share where I turn to stay up to date.
There are probably as many sources as there are IT-consultants, but these are my go-to’s. I thought I would share some of the pages I keep track of to stay up to date.
Twitter
This is where probably my biggest source of news and generic IT information. Twitter is a really good place to consume a lot of information!
Who should you follow? That is a really good question. My feed contains a lot of people within IT, but I’ve found this Twitter-list with people at Microsoft in the Endpoint Manager team. So have a look at that list (you can follow a list).
You should of course follow this list as well containing all my colleges!
Android has some rather good benefits for task-workers/front-line workers, especially if the device is shared. Not only is the price-point of the device better, the user experience is quite simple.
There are today two ways of doing this, either dedicated device or the newly released dedicated device with Azure AD Shared Device which is still in preview. In this post I will try to cover both, but the device will not be set into kiosk mode.
How to configure
Decision points
Before you start, there are a few things you need to decide upon:
What applications do I need?
What is allowed on the device?
Is it multi app device or not?
How will the device be enrolled?
Using dedicated devices, you can either just enroll the device as a “normal” device but without the user affinity, or you can deploy a single-app or multi-app kiosk where you define what applications can be used. This post will describe how to do the “normal device” setup without user affinity.
The Intune parts…
Enable enrollment
First step is to enable the possibility enable dedicated device enrollment. I’m assuming that you have already setup the Managed Google Play, otherwise you need to do that first by following the wizard.
In the Microsoft Endpoint Manager admin centre (https://endpoint.microsoft.com), navigate to Devices > Enroll devices > Android and select the “Corporate-owned dedicated devices”
Click on “Create profile” to create a new profile.
Give your profile a name and select what token type you want to use. Today, there are two to choose from. The default profile for dedicated devices and the preview profile for Azure AD Shared Devices (which you can read all about here). In this example we will use the preview feature, but you can today just as well use the default if you are not keen on using preview features.
Enrollment tokens for dedicated devices can only be valid for 90 days, so make a note of the expiration date and create a reminder to renew it. If you miss to do so, you won’t be able to enroll new devices.
When you are done, hit next two times and then create. Your enrollment token for dedicated devices is now created!
To view the token, click on it in the list and go to “Token” in the left menu. When you press “Show more” the token will be displayed.
This will later be used when a device is enrolled.
Creating a device group
Now we need a device group to be able to target our settings and applications.
In the MEM admin centre, go to Groups and select “New group”. Leave the group type to “Security” and give the group a name. Select “Dynamic Device” as membership type.
Now it’s time to create our very simple membership rule. Set property to “enrollmentProfileName”, operator to “Equals” and the value to the name of the enrollment token we created in the previous step.
Or you can just use this string and replace the [ENROLLMENT TOKEN NAME] with the name of your token.
You can of course build more complex rules if you like, but for the basic setup this is the only thing we need.
Setting device restrictions
For shared devices, there are a few settings that might be good to create. In opposite of how I usually create configuration profiles for personal devices, I tend to have one profile containing most settings for share devices, defining that it’s a shared device and doing some minor restrictions.
When creating a new profile, go to Devices > Android > Configuration Profiles and click “Create profile”. Select Android Enterprise as Platform and make sure use the profile type under “Fully managed, Dedicated, and Corporate-Owned Work Profile” when creating configuration profiles.
In this example I will only create a simple restriction profile with a few settings.
Since its a shared device which we don’t really know how it will be used, how updates are applied might be something you need to take in mind. It’s possible to set it to a maintenance windows to adopt to your business.
This profile will also set a PIN-code which will not be set during the enrollment due to that the general idea with a dedicate device is that it’s a kiosk and does not require a PIN. That is not however what the reality looks like every time.
If you are creating SCEP profiles, make sure that you create SCEP certificates which are device based and not user based since your device will not have a logged-on user so to speak.
Assign the profiles you have created to the device group we created earlier.
Applications
When it comes to applications, this is where it will vary a lot depending on your needs.
The important part here is to remember to assign the applications with a device centric approach and not a user centric. Use the group we created earlier or any other device group you have which contains the devices.
For shared or dedicated devices, you might also want to remove a few applications, not only distribute.
The easiest way of doing this for Google Play store applications is to simply add it from you Managed Google Play store and assign your dedicated device group to uninstall the application.
Some vendors, for example Samsung, pre-load their devices with some system applications which for Samsung also includes a separate app store. However, these are usually removed when putting a device into fully managed or dedicated mode, but if you are using e.g. Samsung Knox you will need to look into turning of these applications.
Enroll the device
Now it’s time to enroll the device!
Start up your device and tap the first screen repeatedly to launch the QR scanner.
Select a Wi-Fi network to connect to if you don’t have a cellular connection on the device. Hit next and the device will start to prepare to enroll. Follow the on-screen wizard to get started with the enrollment.
If you are using for example Samung Knox, the experiance will be more streamlined and you won’t be asked some of the choices.
During the enrollment process you will be asked to approve the installation of required applications as a part of the registration process.
Approve installation of apps
Register the device as shared
Once the device is enrolled, you will be presented with the home screen of the device.
Enrollment is complete
Some settings and applications might take a few minutes before they apply, so the device might not be ready to send off to the users just yet. To speed this up, you can access the Intune app on the device and press sync. Make sure that all applications and configuration profiles has been applied to the device before shipping it out!
One thing that is important to keep in mind for this is the licensing. You will most likely require a device license for Intune for these devices since they do not have a user.
Build further on this
Now that you have a dedicated device, you can built on this further using depending on your scenario.
You could for example set up kiosk device, either single- or multi-app using the Managed Home Screen. Using the Managed Home Screen also opens up the possibility to utilize the shared sign in screen mentioned in this post from the Intune team. But I will cover that in a future post instead!
You can also create different enrollment token based on different purposes, you just repeat this guide and create the ones you need for your organization, make sure to give the tokens and groups unique names which makes sense to you.
I’ve been struggling quite a lot with how to write this post to make it relevant and adding something to the discussion. I also really want it to be inspiring and not only my opinions and personal thoughts.
The whole Covid-19 has really made me think about remote work and how the “new world” will look post Covid-19. It’s a hard topic to be concreate about since we are in the middle of the change.
Oh, and the picture to this article is our new Chief Sunbathing Officer who takes her new role very serious.
Work is changing
Let’s face it, the work life is changing and a lot more sudden than most were expecting it to. The Covid-19 pandemic really challenged everyone to push their digital transformation in a much higher speed than some might have intended to. But also, the perception of remote work.
Looking at this year’s Microsoft Ignite, the common dominator was remote work for the workplace area.
When suddenly everyone had to start to work remotely, it wasn’t impossible anymore and we adopted to this situation. Even a lot of areas where it was deemed “not suitable” to work remotely suddenly were left without a choice and managed the situation.
We are still not seeing the end of this, so a lot of things will still change!
So where does this put us?
One thing which tends to pop-up when this is discussed is “when we go back to normal people will be expected to come back to the office”. But what if this is the new normal? Or at least partially a new normal.
Working from home has in my experience often been viewed as something you only do with special reasons, and often with approval from management. Now when Covid-19 is putting everyone in a situation where remote work is kind of then new normal, I’m strongly hoping to see a shift in the culture and mindset around this.
One thing I tend to hear often is the argument that “the employees are not feeling well since they are isolated”, and I completely understand that. Working from home/remotely put new constraints on the social aspect of things, the natural interaction by the coffee machine does not exist in the same way. However, there are also people who feel stressed over the fact that they are expected to show up at an office at a given time every day based on “that’s how it’s always been”. So why adopt everything based on the people who like the office? That doesn’t really cut it in 2020 to be honest and the new policy Microsoft put out regarding their new remote work policy is spot on where “Offer as much flexibility as possible” is somewhat of the message of it. You can read more about it in this brilliant article or go straight to the source.
The world is changing, and we had a shift about one hundred years ago where the eight-hour workday was enforced. After World War II most of the industrialized world had 40 hour works weeks. In Sweden, the 40-hour work week we see today were introduced in the 1950’s and introduced in the labour law in the 1970’s. (Of course, there are more to this from a legal and union perspective, but let’s leave all that). That was 50 years ago.
Choosing where to work
What is the point I’m grasping at?
What I’m getting at is that there will be a before and after Covid-19. We have now proven that remote work is something that works, and we are still productive. So why do we feel the need to enforce everyone to go back to the office?
I’m not saying that we should remove all offices and have everyone working from home. However, it should be up to each one to be trusted in choosing to work where they are the most productive. That could be the office but just as well from home. Or a combination which I believe strongly in based on choosing the office as a workplace and not the expectation “to show up”. Given that we all have a job to do, we are trusted in much more sensitive and important things than where we choose to do our job.
This will put more trust in the employer and increase the sense of being trusted with that I can myself choose how I do my job. The old term “work is not a place, it something you do” fit very well into this context.
Looking to myself and how I resonate around these things, I’m currently in a situation where I motivate why I go to the office rather than why do I work remotely.
Work-life balance
In my world, this comes down to one thing and that is work life balance. Even though I’m extremely passionate about what I do for a living, living is not only working in my world. There must be time for other things to relax and disconnect. There must be room for flexibility during my day, the sense of owning your own time.
For me, work-life balance is about being able to control and own my own time. During Covid this has been a challenge to manage since working from home means that you never leave your workplace. But for me this is something I’ve learned to deal with. It also breaks up my workday into pieces giving me possibilities to do errands, go to the gym, walk the dog and such things during the day and work a little more focused during late afternoons. For me, late afternoons are where I’m the most productive while before lunch is a less productive period of the day (not to speak of 7:30 until 9:00).
Conclusion
To be honest, I don’t really know what the conclusion of this is since this is more my thoughts on the topic.
The Covid-19 pandemic has proven that remote work is possible, and we are most likely seeing the new “normal”. There will for sure be a before and after Covid-19 and the work life will have to adopt to this.
However, everyone is different. Some need to be at an office surrounded by other people or just can’t work from home. There is also the other group who are more productive remote and do not feel the need for an office in the same sense.
You often see arguments that people need the office to perform and feel well as an argument that we need to get everyone back to the offices. But what about the other group of people who has been thriving during the last couple of months, where the trip to the office was a stressful moment. Are they less important or why are we expecting them to just adopt?
I think the “Offer as much flexibility as possible” quote I mentioned in the middle of this post will play a key part even for companies which are not called Microsoft. People are now seeing that it’s possible to work remote and finding what is working for them. I think they key part as I view this, is to offer a flexibility where I as an employee is trusted with selecting where my office should be. If that is 100% at home, 100% at the office or a mix shouldn’t matter. Work is not a place, it’s something you do.
This will be a cultural shift, not a technical shift. We have proven that our tools allow it, now we just need the corporate culture to allow it. For some, this change will happen fast while for others this will take time.
However, my strong belief is this will be a key element for many companies to hire Millennials and GenZ going forward. Why should I join a company which requires me to come to an office, when the other offers me the flexibility to choose when I go to the office?
These were my thoughts around this whole thing, what do you think?
We are about a year in to Covid-19 and remote work has been introduced to a whole lot more people. It has also proven that remote work is possible even for people who were really sceptic about the concept pre-covid.
One thing that has really blossomed during this pandemic is remote meetings, using tools such as Microsoft Teams. Many of you were pretty used to having online-meetings even before this pandemic, but not to the extent we see today.
Enhance your meetings
Given that you are by now probably quite used to online meetings, it’s time to take the next step in your meeting experience and turn on that webcam.
For some strange reason, it seems like we in IT are particular hesitant towards using the webcam during meetings. We are the ones that should lead by example, and we probably encourage others to use their webcam during meetings.
By turning on your webcam you will increase the experience not only for you, but for everyone in the meeting. The feeling of presence will increase and getting a face on whom ever is speaking is making it a lot easier to follow along and will decrease the interruptions.
What if your hair is not on point?
My hair is not on point either, but if you are dressed you are good to go! It’s okay to not be comfortable with how you look today, but imaging that you are at the office, then you would meet people non the less.
Also, we are all in the same situation at the moment.
But the room I’m sitting in is such a mess!
If you are using Teams (or Zoom for that matter) you can use custom backgrounds or just blur the background. It’s perfect for situations when your background is not on point. I regularly use it if I’m sitting at a café or such, to not get people walking behind me. One of my favourite background to use is however the Ollivianders store background from Harry Potter.
My point is…
What is the point I’m trying to get at?
Make the effort to show up to meetings using the webcam. I do that all the time. Sometimes I’m the only one with my webcam on, but I leave it on. It also makes others turn on their camera (without asking).
Let’s all make it a custom to turn on that webcam when we join a meeting to increase the experience for everyone!
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
Cookie
Duration
Description
cookielawinfo-checkbox-analytics
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional
11 months
The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy
11 months
The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
