Tuesday, 7 August 2018

Samsung Knox Mobile Enrolment (KME)

If you are in an organisation with Intune and want an easy way of bulk enrolling Samsung devices, you should know that, at the time of writing, the only way of doing this is via KME. Samsung is not one of the supported OEM partners for Android Zero-Touch Enrolment; it would appear that, as with the "unification" of the Android Enterprise Work Profile and the Samsung Knox Workspace, Samsung have gone it alone. Interesting. See one of my previous blog posts here to understand more about the challenges I have experienced with the latter.

I will also point out that, disappointingly, only the legacy (Device Admin) Android enrolment method is supported in Intune at this time; however, it was announced on the release of KME that Android Enterprise support was to follow.

Anyhow, I thought I would test KME, as in our current organisation we have decided to standardise on Samsung devices.

Some prerequisites;
  • Samsung devices must have Knox 2.4 or newer
  • You will need to register for a Samsung account, log in and then submit an application for KME, which will need to be approved.
  • You must purchase your devices through a Samsung authorised reseller and register the reseller in your KME portal so that your devices are uploaded when purchased. Note that you are able to upload devices yourself using the Knox Deployment App; however, the process for doing this is probably not feasible for large numbers of devices.
Log in to the KME Portal, select MDM Profiles > Add

Select "Server URI not required for my MDM" then "Next"

Enter a suitable name for the profile then select "Add MDM Applications"

Enter the following URL. Select "Save"

The remaining options are not mandatory and the defaults are fine so save the changes

At this stage we need to add devices to the portal and, as mentioned, to do this you need to download and install the Knox Deployment App from the Google Play Store on a master device. Log in to the app with your Samsung account credentials.

Take the device you wish to add to the portal, connect it to a wifi network and then skip through the rest of the start up wizard until you are at the home screen

On the master device, select a profile and mode, in this example I am using NFC to enrol. Select "Start Deployment"

Gently tap another device to the back of the master device, when you hear a tone, tap the screen

On the device to be uploaded you will see a prompt to update the Knox Enrolment Service, select "Update"


The device will now enrol in KME and automatically download the Intune Company Portal.

The device will now appear in the KME portal. At this point it should be factory reset so that the improved enrolment experience is presented when the device is next powered on.

As you can see, this is less than ideal for a large number of devices, and it is probably recommended, wherever possible, to have your devices purchased through an authorised reseller who will upload them to the portal for you.

So now the experience is as follows;

Start the wizard, connect to Wi-Fi then accept the terms and conditions

The KME welcome screen is then presented and you can proceed with enrolment.

Remember: KME does not support Android Enterprise at the moment, and it would appear that there is nothing to stop you attempting to enrol a device that way regardless.

Thanks for taking the time to read this and happy to take any comments!

Friday, 13 July 2018

Intune Android Enterprise Kiosk Devices (COSU)

Android Enterprise (formerly Android for Work) contains various solution sets which are pertinent to the different use cases of Android mobile devices within the business. The full documentation explaining these can be found here.
Until now the only solution available within Intune was the Work Profile solution, which is really designed for BYOD devices. I have been using this for the past 2 years with company-owned devices and, whilst I can say Microsoft really have drastically improved its integration with Intune, I soon became aware of its limitations, some of which include:
  • A Google account is required, temporarily at least, to download and install the Company Portal app for enrolment
  • There is no way to fully remote wipe the device (we achieved this by creating a Samsung account for all of our A5 devices, which is a bit of an admin overhead)
  • There are lots of notifications related to some of the stock apps, which cannot be disabled hampering the user experience
  • There is no way of preventing users from installing apps from the Google Play Store
In a BYOD scenario, yes, the above points are to be expected; it is also relatively simple to ensure company data is secured within the profile itself, meaning this is indeed a good solution, but only in the right application.
Microsoft have now enabled another solution set within Intune called Corporate-Owned Single Use (COSU), which is designed for devices that are used in specific scenarios, like kiosk browser machines, barcode scanners or inventory machines. Note that these devices do not have user affinity and are not designed to be assigned to a specific user. Microsoft's documentation labels this functionality as enrolment for Android kiosk-style devices. This was announced in the Intune docs for the week commencing 2nd July and I have been eagerly awaiting one of my tenants to update with the setting, which one did today.
I have to say from what I have seen so far this really is a great solution and I can think of at least two use cases within production where we could use this today.
In this post I am going to show you how to enrol an Android device as a single-browser kiosk, fully locked down so the user cannot access any other settings on the device. I will also deploy the Edge browser app to it. You could further lock down the browser with some app config by restricting browsing to certain websites only.

Create the Enrolment profile and associated dynamic group

This profile is the mechanism for identifying the device as COSU and consists of an enrolment token and a QR code. OS support is Android 6 and later (6 supports the token method only; 7, 8 and 9 support both token and QR code; 9 negates the need to download a QR scanner, saving deployment time slightly). Android 5.1 is supported but requires an NFC tag to be created. I will be using an Android 8 Samsung Galaxy A5 2017 for this post.
A dynamic device group is then created referencing the profile. You can create multiple groups of devices, each populated from a different profile, and target your app and config deployments accordingly.

Log in to the Intune portal and navigate to Device Enrolment > Android Enrolment > Kiosk and task device enrolment

Create a profile with a suitable name and select an expiration date

Navigate now to Intune > Groups then create a security group with the following settings, giving it a suitable name for your environment
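The same group can be created without the portal. The following is an added example and not part of the original post: it creates the dynamic device group through the Microsoft Graph API, keyed on the device attribute Intune stamps with the enrolment profile name, and then lists what the rule has matched so a mismatch between the profile name and the rule shows up straight away. It assumes $AccessToken is a bearer token carrying Group.ReadWrite.All (acquire it however your tenant allows) and uses 'Kiosk-Edge' as a placeholder profile name.

```powershell
# Added example, not from the original post: create the dynamic device group that
# Intune populates from a COSU (dedicated device) enrolment profile, via Microsoft Graph.
# Assumptions: $AccessToken is a bearer token with Group.ReadWrite.All, and 'Kiosk-Edge'
# in the usage lines is a placeholder for your own enrolment profile name.

function New-EnrollmentProfileDeviceGroup {
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [Parameter(Mandatory)] [string] $EnrollmentProfileName,
        [Parameter(Mandatory)] [string] $GroupDisplayName
    )

    # Membership is keyed on the Azure AD device attribute that Intune stamps with the
    # enrolment profile name. The comparison is a literal match, so the name must be
    # identical to the profile name in the portal. Quotes inside the name would alter
    # the rule syntax, so refuse them rather than guess at escaping.
    if ($EnrollmentProfileName -match '["'']') {
        throw 'Enrolment profile names containing quotes are not supported by this helper.'
    }
    $rule = "(device.enrollmentProfileName -eq `"$EnrollmentProfileName`")"

    # mailNickname is mandatory even for mail-disabled security groups.
    $nickname = ($GroupDisplayName -replace '[^A-Za-z0-9]', '')
    if (-not $nickname) { $nickname = 'cosudevices' }

    $body = @{
        displayName                   = $GroupDisplayName
        description                   = "Devices enrolled through Intune enrolment profile '$EnrollmentProfileName'"
        mailEnabled                   = $false
        mailNickname                  = $nickname
        securityEnabled               = $true
        groupTypes                    = @('DynamicMembership')
        membershipRule                = $rule
        membershipRuleProcessingState = 'On'
    }

    $headers = @{ Authorization = "Bearer $AccessToken" }
    Invoke-RestMethod -Method Post -Uri 'https://graph.microsoft.com/v1.0/groups' `
        -Headers $headers -ContentType 'application/json' `
        -Body ($body | ConvertTo-Json -Depth 3)
}

function Get-EnrollmentProfileDeviceGroupMembers {
    # Lists the devices the rule has pulled in, together with the attribute the rule
    # matches on, so an empty group can be traced back to a wrong profile name.
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [Parameter(Mandatory)] [string] $GroupId
    )
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $uri = "https://graph.microsoft.com/v1.0/groups/$GroupId/members/microsoft.graph.device" +
           '?$select=id,displayName,enrollmentProfileName,operatingSystem'
    $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $members = @($page.value)
    # Follow paging for larger fleets.
    while ($page.'@odata.nextLink') {
        $page = Invoke-RestMethod -Method Get -Uri $page.'@odata.nextLink' -Headers $headers
        $members += $page.value
    }
    return $members
}

# Usage:
# $group = New-EnrollmentProfileDeviceGroup -AccessToken $token `
#              -EnrollmentProfileName 'Kiosk-Edge' -GroupDisplayName 'Intune-COSU-Kiosk-Edge'
# Get-EnrollmentProfileDeviceGroupMembers -AccessToken $token -GroupId $group.id |
#     Format-Table displayName, enrollmentProfileName, operatingSystem
```

Dynamic membership is evaluated after the device object is created, so a freshly enrolled device can take a few minutes to appear; if the group stays empty, compare the enrollmentProfileName values returned for your devices against the string in the rule before touching anything else.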

Create the config and deploy to the group

There are various settings that can be configured within this profile; however, this combination I feel is suitable for the kiosk browser device scenario: it prevents the user from accessing the status bar, including the quick settings, as well as preventing use of the home, back and task manager buttons (on this particular device).

Navigate to Device configuration > Profiles, then create a device restrictions profile, ensuring that the "Device Owner Only" variant is selected. I should probably explain here that this should be selected because COSU is a subset of the Device Owner Android Enterprise solution set.

Under "General" block "safe boot" and "status bar"

Under "Kiosk" select "single app kiosk" and select Edge as the managed Intune app to use for kiosk mode

Now select any required password and power settings for the lock screen timeout, I am going to skip them for the purpose of this demo

Assign the profile to the dynamic device group you created earlier

Navigate to Mobile apps > Apps, then assign the Edge app to the device group as "Required" (note that only Required and Uninstall assignments are supported for COSU)

Enrol the device

I will be enrolling the device using the QR reader. The following requires a minimum of Android 7

On a device that has been factory reset, tap the first screen you see multiple times; you will then see the following

Connect to Wi-Fi

The QR reader will then install

Scan the QR code found within the enrolment profile in the Intune portal

Agree the terms and select "Next"

The device will begin to enrol

Agree more terms

The device will now download some updates for Google Play services

If you encounter any issues at this stage you will need to reset the device from here

Or you can opt to retry without a factory reset here (I have found that more often than not this resolves any issues)

Now the device is enrolled

You will notice that when you access the Google Play Store it is fully managed and is the only mechanism for apps to install on the device

Wait for the Edge app to be installed

Launch Edge and, once the device restrictions are applied, you will notice that you cannot access the status bar and hence the settings of the device

And that completes the setup! Many thanks for reading!

Wednesday, 27 June 2018

Intune Windows 10 Kiosk Mode

I have been tasked with starting to look at a kiosk solution for our organisation and noticed in the "What's new in Intune" documentation that a new configuration profile for Windows 10 1803 devices was announced as available as of the week of 8th June. I am unsure of the specific requirements for the project at this stage, but typically for such a solution we would need to provide a locked-down web browser that can only access specific sites, so that is what I have decided to configure;

First of all, log in to the Microsoft Store for Business and search for the Kiosk Browser app. Select "Get the app"

Log in to the Intune portal and navigate to Mobile Apps > Microsoft Store for Business. Select "Sync"

Wait a few moments for the app to sync then assign it to a device group containing the kiosk devices

Log in to the device and confirm that the Kiosk Browser has been deployed, carry out a sync on the device from the Intune portal if required

Now navigate to Device configuration - profiles and select "Create Profile"

Enter an appropriate profile name, select the correct platform and select "Kiosk (Preview)" as the profile type.

Select the "Configure" option then add a Kiosk setting

Specify a suitable name for the configuration, set the mode as "Single full-screen app kiosk", select the Kiosk browser as the app to use for kiosk mode and specify the account type as "Autologon"

Select "OK" twice. Now access the Kiosk Browser settings menu. In this example I have set the home page, allowed the home button and allowed the navigation buttons. Select "OK" twice to save the settings.

Assign the profile to the required device group

Ensure that the profile has deployed to the device by selecting the "Device Install Status" option

Restart the device and you will see it automatically log on using a KioskUser account and then launch the Kiosk browser.
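The Intune Kiosk profile drives the same assigned-access feature that the Windows AssignedAccess cmdlets manage, so those cmdlets can confirm from the device itself whether the profile has landed, and can reproduce the single-app lockdown locally on a lab machine that refuses to enrol in MDM. The following is an added example and not part of the original post; it assumes an elevated PowerShell session and, for the local route, that a standard local account named 'KioskUser' already exists (the Intune autologon route creates its own account, so do not create one in that case).

```powershell
# Added example, not part of the original post: checks to run on the kiosk device
# itself, plus a local fallback for a lab machine that will not enrol in MDM.
# Run in an elevated PowerShell session on Windows 10 1803 or later.
# Assumption (local route only): a local account named 'KioskUser' already exists and
# Kiosk Browser is installed for it.

function Test-MdmEnrolment {
    # dsregcmd reports the MDM enrolment URL when the device is enrolled; an empty
    # MdmUrl is the symptom behind a Kiosk profile that never arrives.
    $status = & dsregcmd.exe /status
    $line = $status | Where-Object { $_ -match 'MdmUrl' } | Select-Object -First 1
    if ($line -and ($line -match 'MdmUrl\s*:\s*(\S+)')) {
        Write-Host "MDM enrolled: $($Matches[1])"
        return $true
    }
    Write-Host 'Device is not enrolled in MDM; the Kiosk profile cannot be delivered.'
    return $false
}

function Get-KioskBrowserAumid {
    # AssignedAccess pins an app by its AUMID. Get-StartApps lists the Store apps
    # installed for the current user with their AUMIDs, so the app must be installed
    # for the user running this (check the Store for Business assignment and sync).
    $app = Get-StartApps | Where-Object { $_.Name -eq 'Kiosk Browser' } | Select-Object -First 1
    if (-not $app) { throw 'Kiosk Browser is not installed for this user.' }
    return $app.AppID
}

function Test-KioskLockdown {
    # Returns $true when a single-app assigned-access configuration is present,
    # which is what the Intune "Single full-screen app kiosk" setting produces.
    $aa = Get-AssignedAccess
    if (-not $aa) {
        Write-Host 'No assigned-access configuration found; the Kiosk profile has not applied.'
        return $false
    }
    Write-Host "Assigned access: user '$($aa.UserName)' -> '$($aa.AppName)' ($($aa.AppUserModelId))"
    return $true
}

function Set-LocalKioskBrowserLockdown {
    # Local equivalent of the Intune profile's app pinning for a machine that will
    # not enrol. The named user must exist and have Kiosk Browser installed.
    param([Parameter(Mandatory)] [string] $UserName)
    Set-AssignedAccess -AppUserModelId (Get-KioskBrowserAumid) -UserName $UserName
    [void](Test-KioskLockdown)
}

# Usage:
# Test-MdmEnrolment
# Test-KioskLockdown
# Set-LocalKioskBrowserLockdown -UserName 'KioskUser'   # lab machines only
# Clear-AssignedAccess                                   # undo the local lockdown
```

Set-AssignedAccess only pins the app to the account; the home page, home button and navigation button settings are separate Kiosk Browser policies that the Intune profile delivers, so the local route tests the lockdown itself rather than the browser configuration. Sign in as the kiosk account afterwards to confirm that Kiosk Browser launches full screen and that Ctrl+Alt+Del is the only way out.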

Please note 
I have only been able to achieve the above on a Surface Pro 4 at this stage. I attempted this procedure on a Windows 10 1803 VM, in order to be able to take some accurate screenshots of this last step, and was unable to get the device to enrol into MDM. Rather than delay this post any longer (it has been in my drafts for weeks!), I will update this part when I find out what is causing the issue.

Friday, 8 June 2018

Samsung Oreo Android Enterprise Work Profile Changes

Thought I would post on this as it has the potential to cause headaches for enterprises with Samsung Android devices, due to the variation in end-user experiences that it introduces.

As per the announcement here, it would appear that Samsung have taken it upon themselves to provide a "unified" experience, combining their Knox Workspace solution with the Android Enterprise (AE) Work Profile. These changes take effect as of the Oreo operating system. I felt that the previous article explained this poorly, and my perception was that this would simply be an experience that was "available". Any extra security features that could be leveraged within the Knox Workspace are, as far as I am aware, not currently supported within Intune, so I intended to wait before deciding whether we switch to Workspaces as a business.

So I completely misunderstood this and was directed here, which does indicate that this unification is a forced change.

This means that if you are running Samsung devices within your enterprise you could see three different experiences in your environment at one time:

1. Pre-Oreo
The Workspace is not unified and you will see the standard AE Work Profile experience;

2. Oreo upgrade
This is for a device which already has an AE profile and is upgraded to Oreo. Any existing shortcuts will have an orange key badge;

Note that, as of Oreo, the Gmail app now has an improved experience for showing unread email notifications;

Also the content for notifications is hidden both within the lock screen and home screen;

The only related setting available within Intune turns this feature off; therefore it needs to be configured on every device:
Open the "Workspace Settings" App

Notifications and Data > Turn on "Show notification content"

Notifications on lock screen > Show notification content

3. Oreo new enrollment
This gives the new unified experience. Initially, badged apps will only be available by accessing the Workspace directly and you will not be able to add them from there to the home screen;

In order to be able to add these apps to the home screen you will need to do the following;
Access the Workspace settings from within the "more options" menu in the top right of the Workspace;

Workspace style > Turn off "Hide Workspace apps"

As with the previous experience you will also need to follow the steps to show home screen and lock screen notifications if that is a requirement. Staying in the same menu;
Notifications and data > Turn on "Show notification content"

Notifications on lock screen > Show notification content