Sunday, 20 January 2019

Intune Android Enterprise Fully Managed Devices

Microsoft have recently announced the public preview release for initial support of the Fully Managed Device solution set within Intune, so I thought that for a change I would write up a little something on this 😁

As a recap, this is now the 3rd solution set to be supported. To see how the different solutions apply to different use case scenarios, I would recommend, as a refresher, taking a look at my previous post on Intune and Android Enterprise.

Now, just to be clear, at the time of writing this is what is currently supported, with the caveat of the public preview tag;
  • App config and deployment
  • Device restriction config profiles
  • Deployment of the above config to user groups only
Now this doesn't sound like a lot to get excited about, but actually the device restrictions are the same settings that have been available for the dedicated device solution set, which has matured over the past 6 months. So there are ample options to get started with a small test group of users, and I am sure you will see support for more features in the coming months.

Now at this point I would like to explain a term you will see within the Intune portal when creating config for AE devices: Device Owner.

On an Android device, the app that applies policies to the device is called the Device Policy Controller (DPC). When the DPC operates in a way that gives it control over the whole device, this is called Device Owner. It now kind of makes sense that the same device restrictions are available for both Fully Managed and Dedicated; one would assume the same group of settings will apply to Fully Managed with Work Profile / COPE.
The term "Work Profile Only" in the screenshot above I believe is actually incorrect and should be changed to "Profile Owner Only". This is the correct term for when the DPC is operating in a mode which only controls the Work Profile and has limited access to the remainder of the device.

Okay, so let's give this a whirl, along with deploying some additional config to the device.

Navigate in the M365 Device Management Portal to Device Enrollment > Android Enrollment > Corporate owned, fully managed user devices (Preview)

Select yes

Now, remembering that at the moment we can only scope configurations to users, let's create a user group: navigate to Groups > New Group

Populate using the information below, also ensuring that the group has the appropriate users added to it

Click create

Now let's provision two apps so we deploy both an available and a required app to the device and can observe the experience. Log into the Managed Google Play store and find the Outlook and Edge apps. Approve them.

Back in the portal navigate to Client Apps > Managed Google Play and select Sync

The apps will now be available in Client Apps > Apps

Now deploy them by selecting the app, then Assignments > Add group > Specify the assignment type (required for one app and available for the other)

Now let's create some device restrictions config and deploy it to the user group. Device Configuration > Profiles > Create profile.

Input a suitable name, select Android Enterprise for the platform and then select device restrictions under the device owner only menu

Select settings. I have included various settings in this profile, but I would just like to highlight the Block factory reset option I have selected here

Click on OK then assign the profile to the same group we created previously.

Now let's enrol the device, ensuring that it is in a state where it has recently been factory reset, or is brand new out of the box. I will enrol the device using the QR code reader method, which requires Android 7.0 or newer.

Tap on the screen multiple times to reveal the QR code reader setup. Select next

Connect to a Wifi network

Wait for a few seconds and the QR reader will now install

Now it's ready to go: scan the QR code from the portal, which we enabled previously

Follow through the wizard and enrolment will commence

Accept the terms

Enrolment will continue

Accept the terms for Chrome, and then you are prompted for credentials. Enter the username and password.

Click the link when prompted

The device is then enrolled

You will now see the required app install

On launching the Google Play store you can see the available app we deployed, so literally the only apps that a user can install on the device are those that have been made available by the organisation.

You will also notice that there are no apps with the badge symbol on them, like you may have already seen with a Work Profile enrolled device.

Okay, so let's check our device config and attempt to factory reset the device

Cool, so the restriction has applied.

Now remember, this feature is in public preview, so it is not recommended for production deployments; I would recommend reviewing the documented considerations here

Thanks for reading!

Tuesday, 8 January 2019

Removing CMG Settings from Configuration Manager

Just a quick post this evening; I thought I would take a break from the MD-101 study, as I am taking the beta exam for it soon. Actually, this issue was preventing me from being able to create a CMG in my lab, so I really needed to get it sorted before continuing.

So I first ran into this issue yesterday when I was trying to remove a CMG from my test lab; I had the following error;

I reached out to one of my cool twitter dudes, Jake Stoker, who is an EM+S warrior, to say that I may need some help and would give him a shout.

I carried out some research first this evening and stumbled across a couple of posts by Microsoft MVP Anoop C Nair on how to Clean up SCCM CMG and Cloud Services from SCCM, and then saw Anoop comment at the bottom of the post with a link to FIX – Error SCCM Azure AD Web App Already Exists

This sounded promising because I had previously experienced the issue described in the title of the second post, but it would appear that I had already removed the Azure Service for Cloud Management.

I then noticed that the Server (1) and Client (2) applications were still showing under the actual connection to the Azure tenant

Okay so maybe I needed to delete the app registrations manually in Azure AD.

Nope still the same issue.

After having a DM conversation on Twitter with Jake again this evening, it was established that if there are other Azure Services configured, like OMS and Microsoft Store for Business, these also need to be removed before trying to remove the association with the Azure tenant. (Kind of sounds really basic now, doesn't it?) Anyway, the additional steps I carried out were as follows;

Navigated to Administration > Cloud Services > Azure Services, then removed the OMS and MSFB connections one by one

I was then able to remove the Azure AD Tenant connection from Config Manager, realising that the applications within Azure AD could remain in place and, in fact, that I didn't need to delete the CMG Server and Client apps.

This post may help someone, but I actually just wanted to point out why I absolutely love collaborating within the EM+S community, everyone is so helpful. Thanks Jake and Anoop!

Friday, 4 January 2019

Android Enterprise and Intune: An Overview

I have been an adopter of the Android Enterprise feature set within my current organisation pretty much from the outset of it being available within Microsoft Intune. There still seems to be a huge amount of confusion in this area, so I have decided to focus this post on explaining exactly what Android Enterprise is, and what you can and cannot do with it (from an Intune perspective). The following is based on a presentation that I gave at the Windows Management User Group in London at the end of October; the session was recorded and can be found here

It has always been promoted that the open source Android OS is very flexible, which makes it an attractive prospect for use within the enterprise; it also enables OEMs such as Sony or Samsung to add their own value-adds to the OS before shipping it with their devices. This in itself brings its own challenges and has been a contributing factor to the fragmentation we see within the Android space today.
For an EMM to be able to control things on a device, such as disabling Bluetooth or the camera, requires access to device management APIs. These were traditionally not included within the source code of Android, hence the inclusion of this kind of functionality would not only be at the discretion of the OEMs, but would also mean additional development time for the EMM vendor to support the functionality, if indeed it did at all. This has led to inconsistent behaviour across devices when an EMM tries to manage them within the enterprise.

Device Admin / "Legacy" Android Device Management

So how have we been managing Android devices until now, then? Device Admin APIs were introduced as far back as Android 2.2 and were originally designed to give certain apps admin privileges on a device, for example to facilitate remote wipe when configuring a device to connect to Exchange ActiveSync. Other than a few basic settings, on a non-Samsung device there was very little available. Samsung, on the other hand, have over the years developed their Knox API set on top of the Android OS and provide far more management functionality than any other OEM. You only have to look in the Intune console at the "Knox Only" settings that are available and ultimately only applicable to Samsung devices;

Android Enterprise

So what does this solution bring to the table? Well, in a nutshell, lots. I also just want to add at this stage, from an Intune perspective, that even though Microsoft are very late (in comparison to other EMMs) to the game in releasing some AE features, they seem to be making some sensible moves. An example is that they have utilised the Android Device Policy app in conjunction with the Android Management API to communicate with the Intune service for enrolling Dedicated Devices (I will explain what this is shortly). I am going to echo the words of a super cool Android guru I have met, albeit virtually, called Jason Bayton: "This makes me happy"

Solution Sets

Probably the most important thing to understand with AE is that there are various ways of managing devices through different "Solution Sets", which address common enterprise scenarios rather than the single "one size fits all" way of management we had previously with Device Admin. I will explain briefly what these are;

Work Profile

This was the first solution set to be supported within Intune and is primarily designed for use in a BYOD / employee owned device scenario. A profile containing apps and company data is deployed to the device.

Key points
  • The device is not fully managed by Intune
  • You cannot carry out a full factory reset / wipe
  • Simple to control access to and from the profile - so may be suitable for a company owned use case in some organisations

Dedicated Devices

This is currently the only other solution set supported in Intune. It is designed for use in kiosk scenarios, both customer facing (e.g. a kiosk tablet in a hotel room) and employee facing (e.g. field service management).

Key points
  • Not for use in scenarios where user affinity is required (no email; the device isn't assigned to a specific user)
  • Formerly called COSU (Company Owned Single Use)

Fully Managed Device

Public preview for support of this in Intune should be released this month. The solution set is designed for managing company owned devices and gives the ability to fully control the device, giving no scope for users to install personal apps, and hence personal data.

Key Points
  • To transition to this from company owned devices enrolled with Work Profiles will mean factory resetting the device
  • Formerly called COBO (Company Owned Business Only)

Fully Managed with Work Profile

This seems to be by far the most sought after solution set within the Mobility community and is designed for company owned scenarios where the organisation wants to be able to secure company apps within a profile but have the ability to be able to give the user limited access for personal use. It is not supported by Intune.

Key points
  • This has only fairly recently been supported by some of the other EMM providers; even though no dates have been announced by Microsoft for Intune, I would expect something to be announced soon
  • Formerly called COPE (Company Owned Personally Enabled)

Managed Google Play

Another significant benefit of AE is the integration available with the Managed Google Play store. This removes the need for a Google account to be created on the device in order to install company apps; in addition, it also provides a silent app deployment experience for required deployments. Managed configs are also available, which enable provisioned settings to be deployed with apps in order to pre-configure them.
Improvements to the way managed Google Play integrates with Intune were announced at Ignite, further illustrating Microsoft's commitment to AE.

Zero-Touch enrollment

The Android Enterprise ZTE program introduces the ability to purchase devices from an approved reseller, with the devices provisioned within the Zero-Touch portal, thus facilitating bulk enrolment. It is the equivalent of Apple's Device Enrolment Program. Note that only certain OEMs are supported for this, and not Samsung; they have their own equivalent called Knox Mobile Enrollment, which is also supported within Intune.

That's it for this post, there are some more interesting developments for me to cover but I am going to save them for another day. Many thanks for reading, drop me a comment below if you have any queries.

Saturday, 8 December 2018

New Intune Android Enterprise Kiosk Settings

I have been testing the recently released additions to the Android Enterprise kiosk profile settings and thought I would just write a quick post to show you how these new settings improve the solution.
Before I start, I just wanted to clarify some terminology: this Android Enterprise solution set is now called the "Dedicated Device" solution by Google and no longer "Corporately Owned, Single-Use", as per their documentation. I have submitted a request so that this is reflected in the Microsoft Intune documentation, to try and avoid some confusion later on down the line.

To follow the steps in this post, please initially refer to my previous one, which details how to deploy a single app kiosk. In addition to that configuration, this time I have selected a multiple app kiosk, specifying the Microsoft Edge and TeamViewer apps;

Also ensure that both the TeamViewer and Managed Home Screen apps are synced from the Managed Google Play store and deployed to the appropriate Azure AD group / users.

Now for the new settings: in the M365 Device Management portal navigate to Device Configuration > Profiles > locate your kiosk profile and select it > Properties > Settings > Kiosk. Scroll down and you will now see the new settings available

Virtual home button
This enables the user to switch between the Managed Home Screen app and the other apps that are specified in the multiple app kiosk. It is particularly useful when devices are not able to use their back button when enrolled in kiosk mode. The documentation states that on some handsets, in order to access the virtual home button, the user will need to swipe up, as I had to with the device I tested with (Samsung Galaxy A5 2016).

Launch the Edge browser, then swipe from the bottom of the screen up to see the virtual home button;

Leave Kiosk Mode
This provides a method for an administrator to exit kiosk mode for troubleshooting or additional configuration purposes, like installing software updates.

Tap the back button multiple times to reveal the menu, then select "Exit kiosk"

Enter the PIN

You can now access the settings and other apps on the device

To enter kiosk mode again, simply launch the Managed Home Screen app from apps menu

Set custom background
You can now set a custom wallpaper based on a URL in order to add some company branding to the device.

Some useful additions to the solution, I feel. Also, it shouldn't be too long before the Android Enterprise Fully Managed Device solution set (formerly COBO - Corporately Owned, Business Only) will be available as a public preview.

Stay tuned for some more Android Enterprise related posts! Thanks for reading!

Saturday, 1 December 2018

Intune Windows 10 1809 Edge Kiosk

The release of Windows 10 1809 introduced the ability to configure the Edge browser using assigned access with a local account on a device. This post will show you how to configure a single app public kiosk browser using the required custom settings within Intune.

Configuring this will give you significant benefits in additional functionality over the Intune Kiosk Browser app; a feature comparison can be found here

In this example I enrolled the device in Intune during the setup wizard. I then created a local standard user account on the device; I would also recommend at this stage ensuring the device has a suitable hostname. Make sure that you have logged into the device at least once with the local account.

Now in the M365 Device Management portal navigate to Device Configuration > Profiles then create a new Windows 10 Custom Profile.

In this example I will be adding the following custom OMA-URI settings to the profile;

Assigned access configuration - this specifies the app to run in kiosk mode along with the local user account to which the setting should apply. Note that the local user account in this example should be substituted with your own, prefixed with the device's hostname

OMA-URI; ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp
Data type; String
Value; {"Account":"KIOSK\\Kiosk User","AUMID":"Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge"}

Set Kiosk Mode Type - Sets the display mode to a public browsing kiosk

OMA-URI; ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode
Data type; Integer
Value; 1

Configure Edge Timeout settings - This resets the user's session after a specified number of minutes of inactivity. Set the time you want (valid values are 1-1440 minutes)

OMA-URI; ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout
Data type; Integer
Value; 15

Set start pages - Specify the URL(s) that load when the browser launches for the first time

OMA-URI; ./Vendor/MSFT/Policy/Config/Browser/HomePages
Data type; String
Value; Website URLs in chevrons - <><>
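As an added example (my own script, not part of the original post), here is a small Python helper that builds these four settings from a hostname, local username, idle timeout and list of start pages, validating each value the way the CSPs expect (the HOSTNAME\\user account string with its escaped backslash, the 1-1440 minute range, and the chevron-wrapped URL list). It emits them in the shape of a Graph API windows10CustomConfiguration omaSettings array, which is an assumption on my part for illustration; the post itself uses the portal.

```python
"""Build the four custom OMA-URI settings for the Windows 10 1809 Edge kiosk profile."""
import json

EDGE_AUMID = "Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge"
ASSIGNED_ACCESS_URI = "./Device/Vendor/MSFT/AssignedAccess/KioskModeApp"
KIOSK_MODE_URI = "./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode"
IDLE_TIMEOUT_URI = "./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout"
HOME_PAGES_URI = "./Vendor/MSFT/Policy/Config/Browser/HomePages"
PUBLIC_BROWSING = 1  # ConfigureKioskMode value used in the post (InPrivate tabs, reset on idle)


def assigned_access_value(hostname: str, username: str, aumid: str = EDGE_AUMID) -> str:
    """JSON for the KioskModeApp node; a local account is written as HOSTNAME\\user."""
    if not hostname or not username or "\\" in username:
        raise ValueError("hostname and a plain local username are required")
    # json.dumps doubles the backslash, producing "KIOSK\\Kiosk User" in the stored value
    return json.dumps({"Account": f"{hostname}\\{username}", "AUMID": aumid},
                      separators=(",", ":"))


def idle_timeout_value(minutes: int) -> int:
    """Minutes of inactivity before the session resets; the post gives 1-1440 as valid."""
    if not isinstance(minutes, int) or not 1 <= minutes <= 1440:
        raise ValueError("idle timeout must be an integer between 1 and 1440 minutes")
    return minutes


def home_pages_value(urls) -> str:
    """Each start page wrapped in chevrons and concatenated, e.g. <https://a><https://b>."""
    if not urls:
        raise ValueError("at least one start page is required")
    for url in urls:
        if not url.startswith(("http://", "https://")) or "<" in url or ">" in url:
            raise ValueError(f"not an absolute http(s) URL: {url!r}")
    return "".join(f"<{url}>" for url in urls)


def build_oma_settings(hostname, username, idle_minutes, start_pages) -> list:
    """Return the four settings as Graph-style omaSettings entries (shape assumed)."""
    def entry(kind, name, uri, value):
        return {"@odata.type": f"#microsoft.graph.omaSetting{kind}",
                "displayName": name, "omaUri": uri, "value": value}
    return [
        entry("String", "Assigned access configuration", ASSIGNED_ACCESS_URI,
              assigned_access_value(hostname, username)),
        entry("Integer", "Set Kiosk Mode Type", KIOSK_MODE_URI, PUBLIC_BROWSING),
        entry("Integer", "Configure Edge Timeout settings", IDLE_TIMEOUT_URI,
              idle_timeout_value(idle_minutes)),
        entry("String", "Set start pages", HOME_PAGES_URI, home_pages_value(start_pages)),
    ]


if __name__ == "__main__":
    # Constructed sample: hostname KIOSK and local user "Kiosk User", as in the post
    print(json.dumps(build_oma_settings("KIOSK", "Kiosk User", 15,
                                        ["https://intranet.example"]), indent=2))
```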

So the settings will now look like this under the single profile

Save the profile and then deploy it to a group which contains the Kiosk device.

Carry out a sync on the device and then restart.

Ensure that the settings have applied to the device by viewing the device install status within the properties of the profile

Now log in and you will see Edge launch in kiosk mode with your default start pages and all tabs launching in InPrivate mode; you will also notice the session times out after the specified period.

You could also add other supported CSPs to further develop the kiosk solution as required - give it a try!