Wednesday, 25 September 2019

Intune Basics Part 5: Modern Device Management with Android Enterprise - Configuring Fully Managed Devices

Welcome to part 5 of this series of posts which are intended on getting you started with managing Android devices using the Android Enterprise capabilities within Microsoft Intune.

Part 1 can be found here and covers setting up the various Android Enterprise enrollment methods

Part 2 can be found here and covers the configuration of Azure AD groups

Part 3 can be found here and covers the configuration of Work Profile devices

Part 4 can be found here and covers the configuration of Dedicated devices

This series is intent on getting you up and running as quickly as possible, therefore if you require further detail and explanation on Android Enterprise please refer to my previous post here which I am ensuring is kept up to date as newer functionality is supported within Intune.

This post will cover the enrollment and configuration of a Fully Managed device, which is well, pretty much exactly as it sounds - Intune has full control over the device and there is no facility provided for the user to have personal apps and data. If you followed my last post on Dedicated devices, you will see a similar process configuration wise, in fact the same Configuration Profile is used for both Dedicated and Fully Managed. A caveat to this statement is the setting Users and Accounts > Account Changes which is at this time not supported to be set to Blocked on Fully Managed Devices


Enabling the above will cause enrollment issues as described in Peter Egerton's blog here

There are different methods which you can use to enroll your device which is dependant on the OS as detailed in the documentation and in this example I am going to use the QR code method on an Android 7.0 device.

Ensure the device is either new out of the box or has been factory reset and at the first screen tap anywhere in the white space 6 times

Select Next


Connect to Wifi


The QR reader will now download and install


You can now scan the enrollment token


Encrypt the device if prompted.


Accept any terms then select Next


The device will commence updating Google Play Services


Accept the terms to launch Chrome


Authenticate with Azure AD credentials


I have deployed a compliance policy setting for encryption to my Android Fully Managed devices which means that secure startup must be enabled, this prevents the device from booting into the OS until a pin or password is entered. Select Start


Just to be clear - in this example we are being prompted to "enable" encryption because secure startup isnt enabled and not because the device isnt encrypted

Select Secure Startup


Select Set Screen Lock Type  in this example I am setting a PIN


Select a lock screen notifications option


Set up fingerprints if required


Select Require PIN when device powers on to enable secure startup, enter your PIN when prompted


Select the back button at the top left


Follow the prompts to commence installing apps


Select START to commence device registration


Sign in to the Microsoft Intune app when prompted


Select Next


Select DONE to complete device registration


And then one more time to complete the enrollment


With Fully Managed there is the ability to enable any system apps on the device and on the handset I am testing, a Samsung Galaxy A5 (2016),  I wish to enable the gallery application

To do this first I need the package name so in my example I have deployed the Package Name Viewer 2.0 application. On launching it search for Gallery you may need to try a search in both the User Apps and System Apps tabs


Within the M365 Device Management Console navigate to Client Apps > Apps



Add an app and for the app type select Android Enterprise system app


Enter the system app details including specifying the package name


Select OK then Add 

Deploy the app to an AAD group

Now you can see the system app enabled on the device


That's it for this post, feel free to reach out to me if you have any questions. Thanks for reading!

Monday, 26 August 2019

Intune Windows 10 app install behaviour and the Enrollment Status Page

So this is a fairly short post but I thought I would share an interesting scenario I encountered when working with enrolling AAD joined Windows 10 devices into Intune. These devices;
  1. Were Autopilot provisioned 
  2. Had 2 win32 apps deployed (Azure Information Protection Client and Office 365)
  3. Had 1 store app deployed (Company Portal)
  4. Had 1 line of business app deployed which included the installation of the Configuration Manager client. This would hence be bringing the device into a Co-managed state.
Initially I wanted access to the device blocked until the AIP client, Office 365 and the Company Portal was installed so I configured a custom Enrollment Status Page (ESP);

I logged into the M365 Device Management Portal and navigated to Device Enrollment > Windows Enrollment > Enrollment Status Page


Created the ESP, ensuring the Block device use until these required apps are installed if they are assigned to the user/device option was selected and I specified all apps other than the LOB application, with the intention of this app installing last


I ended up getting intermittent failures with this configuration so I attempted by including only the LOB app as a blocking app, still the same intermittant results.

Now this was my misunderstanding, but even if you select specific apps to be blocking apps within the ESP, if there are other required app deployments it doesnt necessarily mean that the apps specified within the ESP will be installed first. So in my scenario, sometimes one of the apps was failing to install and others, two were failing.

I havent looked into the logs for this but I belive it was due to the LOB app being installed at some point before any of the blocking apps had been installed. My LOB app was enabling the device for Co-management and in my scenario the client apps workload was only enabled for "Pilot Intune". I even attempted for testing purposes to query individual devices based on thier hostname in order to be included into the device collection scoped for the pilot co-management workloads as soon as the device appeared within the Configuration Manager console using the following query;

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.Name = "Hostname"

But ultimately the default Co-management workload values are set first and taking into consideration policy refresh there was still enough delay to cause a problem for app install.

So ultimately at this moment in time there is no way to control the install order of required app deployments. In order to get around the issue in my scenario I simply deployed all apps within the device context and the LOB app within the user context, meaning it will always install last. I also set the LOB app as a blocking app meaning that by the time the user is able to log on to the system, the installation is completed and the LOB app is a considerable way through its process and the Configuration Manager client is installed.

Providing you are only using Win32 apps you could also consider creating app dependencies as another way of controlling app install order, however you would need to ensure you are provisioning Windows 10 1903 devices in order to be able to tracks these apps within the ESP. 

As we always say, every day is a learning day and if anyone has any comments or suggestions then please feel free to drop a comment within this post.

Thanks for reading!

Sunday, 21 July 2019

Intune Basics Part 4: Modern Device Management with Android Enterprise - Configuring Dedicated Devices

Welcome to part 4 of this series of posts which are intended on getting you started with managing Android devices using the Android Enterprise capabilities within Microsoft Intune.

Part 1 can be found here and covers setting up the various Android Enterprise enrollment methods

Part 2 can be found here and covers the configuration of Azure AD Groups

Part 3 can be found here and covers the configuration of Work Profile devices

This series is intent on getting you up and running as quickly as possible, therefore if you require further detail and explanation on Android Enterprise please refer to my previous post here which I am ensuring is kept up to date as newer functionality is supported within Intune.

This post focuses on how to configure an Android Enterprise Dedicated device which is designed for single purpose scenarios, such as digital signage, stock take, or field operative usage. Devices configured in this way are not designed to have any user specific data on them and as a result they have no user affinity. My previous post was published a year ago which details how to configure a single app kiosk, in this post I will be configuring a multiple app kiosk.

First of all you will need to deploy the Managed Home Screen to your device group, to form the basis of the locked down experience. As of the May 2019 Intune service update this app will already be available for deployment within your tenant

Within the M365 Device Management portal navigate to Client Apps > Apps


Select the Managed Home Screen App and assign it as required to your device group (note that this should be a dynamic device group scoped by the EnrollmentProfileName attribute)


Now for the multi app kiosk configuration. Note that you can deploy some of this via the app config channels (the ability to bundle default settings with a deployed app - see here) associated with the Managed Home Screen app, indeed some of these settings are only available via this method.
In this example I am going to deploy some apps to our Dedicated device and add some of them to a folder. I am also going to create a web link, as well as configure a default wallpaper.

First of all, assign all of the apps as Required to the target AAD device group

Now navigate to Device Configuration > Profiles


Create a profile and give it a suitable name, for the Platform select Android Enterprise and in the Profile Type select Device Restrictions within the Device Owner Only menu



Select the Dedicated Devices settings group, for Kiosk Type select Multi-app and then add all of the apps you wish to be available on the Managed Home Screen


Scroll down to view additional settings for Leave kiosk mode select enable and set a code. Specify the URL to your background within Set Custom URL background. Finally set both Wi-Fi configuration and Bluetooth configuration to Enable


Save the profile and then assign to the same AAD device group as we have with our app assignments

Now to configure a folder for our apps and create a web link. Navigate to Client apps > App configuration policies


Add a configuration policy, giving it a suitable name. For Device enrollment type select Managed devices and under Platform select Android


Select Associated app and then choose the Managed Home Screen app. You will now see the Configuration settings menu appear. Select this


There are two ways in which to define configuration settings, using the configuration designer, or manually entering the JSON data. For both the folder settings and the web link, these configurations can only be defined by entering the JSON data. Refer to this article for more information on how to choose a configuration settings format.

I am going to create a folder called Tools and put some apps in it for the user, select Enter JSON data


Copy in the following code, substituting the folder_name and package values to reflect your requirements for the name of the folder and the apps you wish to include in the folder

 {  
   "kind": "androidenterprise#managedConfiguration",  
   "productId": "com.microsoft.launcher.enterprise",  
   "managedProperty": [  
     {  
       "key": "managed_folders",  
       "valueBundleArray": [  
         {  
           "managedProperty": [  
             {  
               "key": "folder_name",  
               "valueString": "Tools"  
             },  
             {  
               "key": "applications",  
               "valueBundleArray": [  
                 {  
                   "managedProperty": [  
                     {  
                       "key": "package",  
                       "valueString": "com.csdroid.pkg"  
                     }  
                   ]  
                 },  
                 {  
                   "managedProperty": [  
                     {  
                       "key": "package",  
                       "valueString": "com.farproc.wifi.analyzer"  
                     }  
                   ]  
                 },  
                 {  
                   "managedProperty": [  
                     {  
                       "key": "package",  
                       "valueString": "com.qrcodescanner.barcodescanner"  
                     }  
                   ]  
                 }  
               ]  
             }  
           ]  
         }  
       ]  
     }  
   ]  
 }  

Now create a second configuration policy for the web link. Copy in the following code to this, substituting the link and labels values as appropriate

 {  
   "kind": "androidenterprise#managedConfiguration",  
   "productId": "com.microsoft.launcher.enterprise",  
   "managedProperty": [  
     {  
       "key": "weblinks",  
       "valueBundleArray": [  
         {  
           "managedProperty": [  
             {  
               "key": "link",  
               "valueString": "http://leonashtonleatherland.blogspot.com"  
             },  
             {  
               "key": "label",  
               "valueString": "Leon's IT Blog"  
             }  
           ]  
         }  
       ]  
     }  
   ]  
 }  

Assign both of the app config policies to the AAD device group

Now let's enroll the device and see how these settings apply, navigate to Device enrollment > Android enrollment


Select Corporate-owned dedicated devices the select the apprioprate enrollment profile (again - remembering that your AAD device group will be populated based on this profile, so ensure you select the correct one if you have multiple)


Select Token and then Show token. This is what we will use to enroll the device


The device I am using is Android 7.0 and therefore supports QR code enrollment, which is the enrollment type I will use in this example. There are other supported methods for enrollment, which are documented here and are OS version dependent

To commence enrollment, the device must factory reset or indeed new out of the box - so essentially in the Out-of-Box Experience (OOBE) state


Tap multiple times in any white space, until you see the below screen. Select Next


Connect to Wifi


The QR reader will now install


Scan the QR code we mentioned in previous steps

Encrypt the device when prompted


Enrollment will continue


Agree any terms


The Google Play Store and Google Play Services will now update on the device


Enrollment completes and you now see the regular Android home screen experience


After a few moments you will see apps start to deploy to the device


Now the configuration is complete, and you can immediately see the custom wallpaper and in this example the Tools folder we created


Also the web link has been pinned, launch it and it will open in the deployed browser


Select Managed Setting to show the locked down menu providing the end user Bluetooth and WiFi access, as we specified within our Configuration Profile


For troubleshooting purposes, you can exit kiosk mode but tapping the back button multiple times and select Exit Kiosk


Enter the PIN when prompted


The device is now out of Kiosk mode


Launch the Managed Home Screen to put the device back in to Kiosk mode


Well that completes this post, I hope you found it useful - see you in the next part of this series where I will be talking about Fully Managed devices

Thanks for reading!