<div>Leon's IT Blog: Tips and how to's from the cloudy world of Intune and other Microsoft Endpoint Manager technologies</div><div>Leon Ashton-Leatherland, 2021-08-27</div><div>Intune Basics Part 6: Modern Device Management with Android Enterprise - Configuring Corporate-Owned Work Profile Devices</div><p>Welcome to part 6 of this series of posts, which is intended to get you started with managing Android devices using the Android Enterprise capabilities within Microsoft Intune.</p><div>Part 1 can be found <a href="https://www.leonsitblog.com/2019/04/intune-basics-part-1-modern-device.html" target="_blank">here</a> and covers setting up the various Android Enterprise enrolment methods<br /><br /></div><div>Part 2 can be found <a href="https://www.leonsitblog.com/2019/04/intune-basics-part-2-modern-device.html" target="_blank">here</a> and covers the configuration of Azure AD groups</div><div><br /></div><div>Part 3 can be found <a href="https://www.leonsitblog.com/2019/06/intune-basics-part-3-modern-device.html" target="_blank">here</a> and covers the configuration of Personally-owned Work Profile devices<br /><br />Part 4 can be found <a href="https://www.leonsitblog.com/2019/07/intune-basics-part-4-modern-device.html" target="_blank">here</a> and covers the configuration of Dedicated devices</div><div><br /></div><div>Part 5 can be found <a href="https://www.leonsitblog.com/2019/09/intune-basics-part-5-modern-device.html" target="_blank">here</a> and covers the configuration of Fully Managed devices<br /><br />This series will get you up and running as quickly as possible; if you require further detail and explanation on Android Enterprise, please refer to my previous post <a 
href="https://www.leonsitblog.com/2019/01/android-enterprise-and-intune-overview.html" target="_blank">here</a> which I am ensuring is kept up to date as newer functionality is supported within Intune.</div><div><br /></div><div>Well, it's admittedly been a while, however this post picks the series up again to discuss the latest Android Enterprise enrolment type, which was announced as generally available as of the 2106 Intune service release.</div><div><br /></div><div><u>Some Background Info</u></div><div><br /></div><div>Many of you no doubt will have already tested this, or even deployed it into production, as it has been available in public preview since being first <a href="https://techcommunity.microsoft.com/t5/intune-customer-success/intune-announcing-public-preview-for-android-enterprise/ba-p/1524325" target="_blank">announced</a> on 17th July 2020 and is typically the most sought after enrolment type due to its flexibility. It is commonly referred to as "COPE" within the mobility community, describing its intended use case (Corporate Owned, Personally Enabled). </div><div><br /></div><div>It's definitely worth mentioning at this stage that the implementation of COPE on some other MDM platforms, for certain versions of Android, may be different to that of COPE within Intune. You should take this into consideration in migration scenarios, as there will be differences between what is visible on the device to Intune and what is visible to the respective MDM solutions in those scenarios. This newer iteration is privacy friendly by design, as stated by <a href="https://blog.google/products/android-enterprise/work-profile-privacy/">Google</a>, and was mandated as of Android 11. 
Note that this does not mean Android 11 is specifically required to support COPE on devices in Intune, as the functionality was back ported to be supported from Android 8 and newer; this support statement is clearly defined in the <a href="https://docs.microsoft.com/en-us/mem/intune/enrollment/android-corporate-owned-work-profile-enroll#device-requirements" target="_blank">documentation</a>.</div><div><br /></div><div>So what does this look like, both to the end user and from an admin perspective? For the end user, it is almost identical to that of a Personally-Owned Work Profile (COPE) device; in fact it is designed to provide the user with access to an area for their own personal apps and data. From an admin perspective, along with the previously mentioned point about COPE on other MDM platforms, it is also important to know that there is no way to retire just the Work Profile in this scenario, only a full wipe. Bear that in mind when allowing your users to access personal apps and data on company owned devices.</div><div>Finally, I would also add that in my experience, the time it takes to enrol the device in comparison to all of the other Android Enterprise methods is quite a bit longer. 
Bear that in mind when expecting your users to set up their devices themselves and spec your hardware generously.</div><div><br /></div><div><u>Configuration</u></div><div><br /></div><div>Let's take a look at a Device Restrictions profile which would probably be your first port of call when configuring a COPE device</div><div><br /></div><div>Navigate in the Endpoint Manager admin center to <b>Devices > Android > Configuration profiles </b>select <b>Create profile</b></div><div><b><br /></b></div><div style="text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF4TxnB_VlAHzR2pWxoZeKk7qcSh2ElKnlGH0928lTcsm6aifAyGQyuXBqhytO26g8XKPbruLwmXFNj1xLDk0T9f1PfGXg5xYcBGelvtwW_v3RN9CxLwLJwVTq_sAI8Hm00WiCepIFoDM/s563/COPE+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="412" data-original-width="563" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF4TxnB_VlAHzR2pWxoZeKk7qcSh2ElKnlGH0928lTcsm6aifAyGQyuXBqhytO26g8XKPbruLwmXFNj1xLDk0T9f1PfGXg5xYcBGelvtwW_v3RN9CxLwLJwVTq_sAI8Hm00WiCepIFoDM/s16000/COPE+1.png" /></a></div><br /><b><br /></b></div><div style="text-align: left;">Select <b>Android Enterprise </b>for the platform and then <b>Device restrictions </b>within the heading <b>Fully Managed, Dedicated and Corporate-Owned Work Profile</b></div><div style="text-align: left;"><b><br /></b></div><div style="text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmXqtEZo-A2ZX5QZDgnkyti-f5uOHg1Fhx8pquC8gBQjgiWtgI-GRWyiW0-PLQ07ekZ4rZUMQVG4E3koi_VRC0GaIf3CobU8cS1NnsalwhVbppAMCW6dhOJj6DdzAUHjuWsIuFXLp0cUY/s738/COPE+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="738" data-original-width="507" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmXqtEZo-A2ZX5QZDgnkyti-f5uOHg1Fhx8pquC8gBQjgiWtgI-GRWyiW0-PLQ07ekZ4rZUMQVG4E3koi_VRC0GaIf3CobU8cS1NnsalwhVbppAMCW6dhOJj6DdzAUHjuWsIuFXLp0cUY/s16000/COPE+2.png" /></a></div><br /></div><div>Enter a <b>name </b>for the profile and then select <b>Next. </b>You will now be presented with all of the available configuration options</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkEEqr9Yc7-GkCKJi2GG_X81ouu9p49BH9sSwFmY0ET70ACRVuThYxIeIVyNlIzoly-uJB6dcGbbRNmZPb96FiiNjK1ZvT21xe9cpwJMhhesU5ckcGJLh8Vtkacdhg5ebZ7oNzZw-opgw/s483/COPE+3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="483" data-original-width="481" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkEEqr9Yc7-GkCKJi2GG_X81ouu9p49BH9sSwFmY0ET70ACRVuThYxIeIVyNlIzoly-uJB6dcGbbRNmZPb96FiiNjK1ZvT21xe9cpwJMhhesU5ckcGJLh8Vtkacdhg5ebZ7oNzZw-opgw/s16000/COPE+3.png" /></a></div><br /><div style="text-align: center;"><br /></div><div>As you are probably aware by now, there is a standardised layout which is prevalent for most configuration profiles across all platforms. 
Settings are grouped by applicability to the different enrolment types that are available</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZiNfWiT9VKBVopmTpsA8ZEX4W0AsqpsPwNRXugkb_JIgE2X5oeP70RNN7ZpsNsvOTb19Pl4hDY149rgL157zPmHHcGTz6224NlAHVboKloelYZp5UksMYhsVk48LWhcHQP1rcna3ntRE/s585/COPE+4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="585" data-original-width="482" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZiNfWiT9VKBVopmTpsA8ZEX4W0AsqpsPwNRXugkb_JIgE2X5oeP70RNN7ZpsNsvOTb19Pl4hDY149rgL157zPmHHcGTz6224NlAHVboKloelYZp5UksMYhsVk48LWhcHQP1rcna3ntRE/s16000/COPE+4.png" /></a></div><div style="text-align: center;"><br /></div><div>It is important to remember this, both to avoid bloating your profile with unnecessary settings and because you can otherwise create some unintended behaviour. If you really want to confuse yourself, like I did, within <b>Device experience </b>set the <b>Enrolment </b>profile type to <b>Fully Managed. 
</b>The device will indeed be enrolled as COPE but the profile will give it the characteristics of a Fully Managed device.<br />So essentially, do not set the below; leave it as <b>Not configured</b></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0MhpaVVTtjp8X4Tv6dKSdyLg_5groZHrYEvazqZT_7JVPAOhXiSlvmAGcnkXUe0ysyLvp_fO_ECZ66OG3gYEtsgxkE1kua4a31NDPEvH9zwiD24KNxn47h5RjuXvYaGPajhYaly9bs_8/s407/COPE+5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="337" data-original-width="407" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0MhpaVVTtjp8X4Tv6dKSdyLg_5groZHrYEvazqZT_7JVPAOhXiSlvmAGcnkXUe0ysyLvp_fO_ECZ66OG3gYEtsgxkE1kua4a31NDPEvH9zwiD24KNxn47h5RjuXvYaGPajhYaly9bs_8/s16000/COPE+5.png" /></a></div><div style="text-align: center;"><br /></div><div style="text-align: left;">I also just wanted to point out some more settings. Firstly, if you need to enable USB debugging, perhaps for screen sharing your device, then within the <b>General </b>section you will need to set <b>Debugging features </b>to <b>Allow</b></div><div style="text-align: left;"><b><br /></b></div><div style="text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhc8-qrggCprKlbuS0ZmGRTPwo52OZS7c3qpjoYefPiU5VR23MRP6O3FWzVnGDyFOW2inNcqryLhBco5zg8uglEUGCqw83kAUGvKMVRc9HfcsL0biL0oYcv1phE4zsDi1rAd0-MuDUzVNE/s768/COPE+6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="491" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhc8-qrggCprKlbuS0ZmGRTPwo52OZS7c3qpjoYefPiU5VR23MRP6O3FWzVnGDyFOW2inNcqryLhBco5zg8uglEUGCqw83kAUGvKMVRc9HfcsL0biL0oYcv1phE4zsDi1rAd0-MuDUzVNE/s16000/COPE+6.png" /></a></div></div><div style="text-align: center;"><br /></div><div 
style="text-align: left;">Also note that there are two different places to block <b>Screen capture </b>and the <b>Camera </b>which can be done for apps within the Work Profile only</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnHxCUMTPLlFT3gl4brxwi1WcJCzl1M1-TN4udCzJ7YddcQvAEvB6UyWTRLaE0FWK0StNKw_tasydPvFNlEhwoQW6-bgnBUK-8XLzY7YGn8sixPBE-9PLU_SGQjgFOJIEvh7t4xYTl8Kw/s455/COPE+7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="335" data-original-width="455" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnHxCUMTPLlFT3gl4brxwi1WcJCzl1M1-TN4udCzJ7YddcQvAEvB6UyWTRLaE0FWK0StNKw_tasydPvFNlEhwoQW6-bgnBUK-8XLzY7YGn8sixPBE-9PLU_SGQjgFOJIEvh7t4xYTl8Kw/s16000/COPE+7.png" /></a></div><div style="text-align: center;"><br /></div><div style="text-align: left;">Also within the personal profile (remainder of the device) this restriction can be applied</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPaMgdGASl0QjVeMi8tw5PT8i-hEk3w_wezfMSgjaOOu-NIGLojpLMrjblaPw57YUcgtkyCFtjzekrby-4ZnhjT1VQPvUENjqaX-8SylFOdGWyQXZe4C20ankaYJCrV4jNYMzVeIRZ42A/s573/COPE+8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="573" data-original-width="475" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPaMgdGASl0QjVeMi8tw5PT8i-hEk3w_wezfMSgjaOOu-NIGLojpLMrjblaPw57YUcgtkyCFtjzekrby-4ZnhjT1VQPvUENjqaX-8SylFOdGWyQXZe4C20ankaYJCrV4jNYMzVeIRZ42A/s16000/COPE+8.png" /></a></div><div style="text-align: center;"><br /></div><div style="text-align: left;"><u>Enrolment</u></div><div><u><br /></u></div><div>As a reminder, back in <a href="https://www.leonsitblog.com/2019/04/intune-basics-part-1-modern-device.html" 
target="_blank">part 1</a> of this series we configured the various enrolment methods including this one, so let's have a look at what an enrolment looks like. Note that this is being tested on a Samsung Galaxy A12 with Android 11 as the operating system</div><div><br /></div><div>Tap anywhere in the blank space multiple times. Note that this is on a device that is either brand new or has been factory reset</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg61KRZ60u_7p8UtQXrEb-pzItV8JMo-9U7_Y4Jq6Xxq7nRigpYUSJS2jcx6jQV-WaolgrIm1MpbkIBoMwBT3AF2IkQWt6_P6qP-eo-oeyWOU-L210Xl-MtloVjyGAQ4kO-iHhH2eej7F0/s1600/COPE+9.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg61KRZ60u_7p8UtQXrEb-pzItV8JMo-9U7_Y4Jq6Xxq7nRigpYUSJS2jcx6jQV-WaolgrIm1MpbkIBoMwBT3AF2IkQWt6_P6qP-eo-oeyWOU-L210Xl-MtloVjyGAQ4kO-iHhH2eej7F0/w288-h640/COPE+9.jpg" width="288" /></a></div><div style="text-align: center;"><br /></div><div>Select a <b>Language </b>then <b>Next</b></div><div><b><br /></b></div><div style="text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiisSjxQjEbRawJzj1NfvX1UawUwhTSIcIx1FeTthpWj2pBf4-m3-HAc3HG644JhuVU3wQ-TeSUGdtGdEvRq0APu6Pfaq0aQLXMM6WNRGAseVxruE3dp5aPFBvexMFp8VCU8HgiCfUCHZ0/s1600/COPE+10.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiisSjxQjEbRawJzj1NfvX1UawUwhTSIcIx1FeTthpWj2pBf4-m3-HAc3HG644JhuVU3wQ-TeSUGdtGdEvRq0APu6Pfaq0aQLXMM6WNRGAseVxruE3dp5aPFBvexMFp8VCU8HgiCfUCHZ0/w288-h640/COPE+10.jpg" width="288" /></a></div><br /></div><div>Scan the QR code 
version of the associated COPE Enrolment token</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7h7RWeaHA7NHJEJhhsUc59v0NdrBqye_o7NhZlYZPxR78op6m_vRnKno-gzUr-I-a4ZOKhvLot-eVKAhjA3bLApbb1KZ88tX39UeGXX79dMBjfqrWyu230jDXd4bL_EGAnPBuHLCA6og/s1600/COPE+11.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7h7RWeaHA7NHJEJhhsUc59v0NdrBqye_o7NhZlYZPxR78op6m_vRnKno-gzUr-I-a4ZOKhvLot-eVKAhjA3bLApbb1KZ88tX39UeGXX79dMBjfqrWyu230jDXd4bL_EGAnPBuHLCA6og/w288-h640/COPE+11.jpg" width="288" /></a></div><div style="text-align: center;"><br /></div><div>Connect to Wi-Fi</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDDaOwgpJESdbGah_-lvlftlBKqxXRV7h8TehEwbMuGKiJIi06qzqYUeLbzwQQfFpH1qAcmb-S3mclfwLmhTC4SPBS79zVh3cHfE_QruH8Xm0GKGp2dFRmqfpMlwxuay9C3CyBBlB_F40/s1600/COPE+12.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDDaOwgpJESdbGah_-lvlftlBKqxXRV7h8TehEwbMuGKiJIi06qzqYUeLbzwQQfFpH1qAcmb-S3mclfwLmhTC4SPBS79zVh3cHfE_QruH8Xm0GKGp2dFRmqfpMlwxuay9C3CyBBlB_F40/w288-h640/COPE+12.jpg" width="288" /></a></div><div style="text-align: center;"><br /></div><div>Select <b>Next</b></div><div><b><br /></b></div><div style="text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHMl2bJQUgO2ZBSxVkAD_ad8NtaN5hHJUfqWJk4qHjBTcK0eV9nsOi-YPLo050Tpt8Gg7ZNv-s06bxDoKruXSTLI8Gb1iSd2q3lr0_bZH50zYwozWvWSN_I1Y_y_uV1taYkZ9Uc-nWEB0/s1600/COPE+13.jpg" imageanchor="1" style="margin-left: 
1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHMl2bJQUgO2ZBSxVkAD_ad8NtaN5hHJUfqWJk4qHjBTcK0eV9nsOi-YPLo050Tpt8Gg7ZNv-s06bxDoKruXSTLI8Gb1iSd2q3lr0_bZH50zYwozWvWSN_I1Y_y_uV1taYkZ9Uc-nWEB0/w288-h640/COPE+13.jpg" width="288" /></a></div></div><div><b><br /></b></div><div>The enrolment process will start</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT5CzC3LyuMJo-3cYLW5R21uVkEiukdeE81ztFWd-l2ZlwzbsK1_mDEN32angAwMHGvp9tZCT1SgfD1ir2BacqiX3YwrplfckT5obiDKeJByyRcbytNxNvYb_wQP6wT2-kTzuGHQZEKV4/s1600/COPE+14.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT5CzC3LyuMJo-3cYLW5R21uVkEiukdeE81ztFWd-l2ZlwzbsK1_mDEN32angAwMHGvp9tZCT1SgfD1ir2BacqiX3YwrplfckT5obiDKeJByyRcbytNxNvYb_wQP6wT2-kTzuGHQZEKV4/w288-h640/COPE+14.jpg" width="288" /></a></div><div style="text-align: center;"><br /></div><div>Agree the terms</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNc0ANgPplwPU3gBuHOTXaTzVTG1hZPHW6weSvaGsJzcXIVWCBLEP42HuYtNC5Pz5iLyhR1HpUcNC5Q6FXJrkKRu3A9zCiM8w8mlr4KQYV36YvacFcpl0i0O0BYtDN9jfgFdsQh__ri8U/s1600/COPE+15.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNc0ANgPplwPU3gBuHOTXaTzVTG1hZPHW6weSvaGsJzcXIVWCBLEP42HuYtNC5Pz5iLyhR1HpUcNC5Q6FXJrkKRu3A9zCiM8w8mlr4KQYV36YvacFcpl0i0O0BYtDN9jfgFdsQh__ri8U/w288-h640/COPE+15.jpg" width="288" /></a></div><div style="text-align: center;"><br /></div><div>The Work Profile will start 
being created</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcyF4fAcC0LnUPlmuhcKmsHoJDQczzTJ9hD-sZai7Hq1TUXQ2iDyzq_eW-ObRqRIy0x0xn8Z1oaBHOdldY4BGhmeBC9pU9RWdwriKdp3WfKWP7QD-1M_aGbjUdw73Y9-nK1mU8LRg38mU/s1600/COPE+16.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcyF4fAcC0LnUPlmuhcKmsHoJDQczzTJ9hD-sZai7Hq1TUXQ2iDyzq_eW-ObRqRIy0x0xn8Z1oaBHOdldY4BGhmeBC9pU9RWdwriKdp3WfKWP7QD-1M_aGbjUdw73Y9-nK1mU8LRg38mU/w288-h640/COPE+16.jpg" width="288" /></a></div><div><br /></div><div>Select <b>Accept & continue</b></div><div><b><br /></b></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2XRC_Tfb64_r5dxr1ua9iwQxL8YkFlPBgKPR6La0lomxqf5ol4iLCDp56tlkXCQCZy8otdgbONkqgfXQ324d28lDWdTMgrax9AtRz3y6gLE4wPZ2BrtWYj7M_l57PlgsFMFrwca495W4/s1600/COPE+17.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2XRC_Tfb64_r5dxr1ua9iwQxL8YkFlPBgKPR6La0lomxqf5ol4iLCDp56tlkXCQCZy8otdgbONkqgfXQ324d28lDWdTMgrax9AtRz3y6gLE4wPZ2BrtWYj7M_l57PlgsFMFrwca495W4/w288-h640/COPE+17.jpg" width="288" /></a></div><div style="text-align: center;"><br /></div><div>Sign in with credentials</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkfn6-tN8HUGva7bsFWIVuGIEOptQd0_jMCm-3Nl13EEx4htP3JchIaZEyq1iLjXLiQfuhuPhIcmvu-p65NbCpUbQaWAMy8wPfAd2CjYFicKTgxhtanmSkyMCe1-7x-Wqd_zUM05XRiDs/s1600/COPE+18.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" 
data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkfn6-tN8HUGva7bsFWIVuGIEOptQd0_jMCm-3Nl13EEx4htP3JchIaZEyq1iLjXLiQfuhuPhIcmvu-p65NbCpUbQaWAMy8wPfAd2CjYFicKTgxhtanmSkyMCe1-7x-Wqd_zUM05XRiDs/w288-h640/COPE+18.jpg" width="288" /></a></div><div style="text-align: center;"><br /></div><div>Select <b>Install</b></div><div><b><br /></b></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBU0BaqknIPs5w4YsDmGqn7vIyisQmYARbJPTumcPiis5i5_bAIU9mREDbZPhz2wzDqmXhyphenhyphennYB3qGbNqbTa_fiqE-7W3aqr9a9rKtPAwYJ3rXhmGDzCA4C1SfGPu-Ev9oPitgZk4Xmxqg/s1600/COPE+19.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBU0BaqknIPs5w4YsDmGqn7vIyisQmYARbJPTumcPiis5i5_bAIU9mREDbZPhz2wzDqmXhyphenhyphennYB3qGbNqbTa_fiqE-7W3aqr9a9rKtPAwYJ3rXhmGDzCA4C1SfGPu-Ev9oPitgZk4Xmxqg/w288-h640/COPE+19.jpg" width="288" /></a></div><div style="text-align: center;"><br /></div><div>Select<b> Next</b></div><div><b><br /></b></div><div style="text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6cumDVZPJlK-q16t7_FX8Pr8Z0qG-PCdTCsIYjdag3Ip03u3rSDKKVLCTG4J5f0gcyDGxquwnISGPGJDPe3Skq4sCfeD4iqkF7jxCaivsElZY6zgWTs8PuapfKZED8SLHJ7PK54JZRU8/s1600/COPE+20.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6cumDVZPJlK-q16t7_FX8Pr8Z0qG-PCdTCsIYjdag3Ip03u3rSDKKVLCTG4J5f0gcyDGxquwnISGPGJDPe3Skq4sCfeD4iqkF7jxCaivsElZY6zgWTs8PuapfKZED8SLHJ7PK54JZRU8/w288-h640/COPE+20.jpg" width="288" /></a></div><b><br /></b></div><div>Select <b>Set up</b></div><div><b><br 
/></b></div><div style="text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEil4L6SVABfkgf-bQy8k5li88hJ_Agqmjsd09j78-TQjcyVUzcKILvjEZnY5B92cW2taPvhSO32z5JiuvGu2WA0x1rIzYpk4zo1Q-a-dgCwX2c1G-x6D0esWEVaW9R8QZvAvlYCA_TZ3TI/s1600/COPE+21.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEil4L6SVABfkgf-bQy8k5li88hJ_Agqmjsd09j78-TQjcyVUzcKILvjEZnY5B92cW2taPvhSO32z5JiuvGu2WA0x1rIzYpk4zo1Q-a-dgCwX2c1G-x6D0esWEVaW9R8QZvAvlYCA_TZ3TI/w288-h640/COPE+21.jpg" width="288" /></a></div><b><br /></b></div><div><b>Sign In</b></div><div><b><br /></b></div><div style="text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYYATHHxdg5pRAL8wZXsQys5WFFHze3ucHxqyC9Jwduafek0Xed7MjV9Q9DngZCw4VJxmXw9rKLgp0xEwrOXR-bbXNltphe0IiZwjJln9HFd2wQ0ilinRuwW3G5F9dhqMSH7qUU3uo4vk/s1600/COPE+22.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYYATHHxdg5pRAL8wZXsQys5WFFHze3ucHxqyC9Jwduafek0Xed7MjV9Q9DngZCw4VJxmXw9rKLgp0xEwrOXR-bbXNltphe0IiZwjJln9HFd2wQ0ilinRuwW3G5F9dhqMSH7qUU3uo4vk/w288-h640/COPE+22.jpg" width="288" /></a></div><b><br /></b></div><div>Enter the password again</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEil2kjchK4xQiYj_x-xFckR8KTe-Gg7ZTkJGRFKl_xetHhhpRbSNEk3vziPPnfkiSdL3VgYCVpVNWSohdtQDWwsytt9Q8zFcf8CBPGKUzsb6Kv9JLf2IKNk6oLyDpWJDpx7NGVh_OSitcM/s1600/COPE+23.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" 
data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEil2kjchK4xQiYj_x-xFckR8KTe-Gg7ZTkJGRFKl_xetHhhpRbSNEk3vziPPnfkiSdL3VgYCVpVNWSohdtQDWwsytt9Q8zFcf8CBPGKUzsb6Kv9JLf2IKNk6oLyDpWJDpx7NGVh_OSitcM/w288-h640/COPE+23.jpg" width="288" /></a></div><div style="text-align: center;"><br /></div><div><b>Register</b></div><div><b><br /></b></div><div style="text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi91RNOFfBogEo33UJj2Km-TnWgaA0f3wOdh9rLmzN_6ManHGDKQanuRGNMHfj0ZxVwTQop9vpYLlw9RfrmyrtsNEsm4Mh6A-GmNJ67iT0y4py9mfix7HIeGAEcggKbPy_GP5kBlx5zueM/s1600/COPE+24.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi91RNOFfBogEo33UJj2Km-TnWgaA0f3wOdh9rLmzN_6ManHGDKQanuRGNMHfj0ZxVwTQop9vpYLlw9RfrmyrtsNEsm4Mh6A-GmNJ67iT0y4py9mfix7HIeGAEcggKbPy_GP5kBlx5zueM/w288-h640/COPE+24.jpg" width="288" /></a></div><b><br /></b></div><div><b>Done</b></div><div><b><br /></b></div><div style="text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIrqXu6-uYjAjmnxWfEt0q_im1Vj3YTgr68t9aMKSAcPeK0pBfngw-NGERZDkEw7Mfrb89EK2GFe3qujjqt6umdq9qADKheToRtgy72MWSgnR2084j28Oy9N_zL6HdOX5uCxBlDBFA9DU/s1600/COPE+38.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIrqXu6-uYjAjmnxWfEt0q_im1Vj3YTgr68t9aMKSAcPeK0pBfngw-NGERZDkEw7Mfrb89EK2GFe3qujjqt6umdq9qADKheToRtgy72MWSgnR2084j28Oy9N_zL6HdOX5uCxBlDBFA9DU/w288-h640/COPE+38.jpg" width="288" /></a></div><b><br /></b></div><div><b>Next</b></div><div><b><br /></b></div><div style="text-align: 
center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhx4ZhUdhsAMfEIEP9IwKNGSdoEn870BPNVkjr1LB-xxjz_hBsR35WqadRZGLvsJj8rXb8AZO0Wcb9vl46YtHP1-a5sPEGRQ7DKug0V_O5F9zOSrQ1MhVE_yD94TkNaCYKtH0bQYP_EUlk/s1600/COPE+37.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhx4ZhUdhsAMfEIEP9IwKNGSdoEn870BPNVkjr1LB-xxjz_hBsR35WqadRZGLvsJj8rXb8AZO0Wcb9vl46YtHP1-a5sPEGRQ7DKug0V_O5F9zOSrQ1MhVE_yD94TkNaCYKtH0bQYP_EUlk/w288-h640/COPE+37.jpg" width="288" /></a></div><b><br /></b></div><div><br /></div><div>The end user can now enter their personal Google account details if they wish, facilitating access to personal apps and data within the personal profile of the device</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFOBGpHaAK4qEGLzbtP3DYqSPr0ar91Vic_BfuDaQPm4KhCmX2aZ_xM1sipf-M9sG6tREAzY6VhOOZhZD-__i20To8nyqMQLKULyuR8dF5Lrpj2hy2rMU72LQXvdk_WoEYnRigjeVTJPM/s1600/COPE+36.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFOBGpHaAK4qEGLzbtP3DYqSPr0ar91Vic_BfuDaQPm4KhCmX2aZ_xM1sipf-M9sG6tREAzY6VhOOZhZD-__i20To8nyqMQLKULyuR8dF5Lrpj2hy2rMU72LQXvdk_WoEYnRigjeVTJPM/w288-h640/COPE+36.jpg" width="288" /></a></div><div style="text-align: center;"><br /></div><div>Review the terms, scroll down and select an option</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeLQxJ24DJlY7qQ-nq8AQDzuXOopTuLk9f4isKRiSZu_8tJEIvw-49pn1g-3Hwny5cUQrt8OTfTUY0gqRYjv1HWWqrdczqgUr_lmDNurTtpS8JIEPUZ03wG7nBIY34xUF6WZtl5yytKac/s1600/COPE+35.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeLQxJ24DJlY7qQ-nq8AQDzuXOopTuLk9f4isKRiSZu_8tJEIvw-49pn1g-3Hwny5cUQrt8OTfTUY0gqRYjv1HWWqrdczqgUr_lmDNurTtpS8JIEPUZ03wG7nBIY34xUF6WZtl5yytKac/w288-h640/COPE+35.jpg" width="288" /></a></div><div style="text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div>Review and set the date and time then select <b>Next</b></div><div><b><br /></b></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXUx1f4VyiWLoM1wyUWkhkRozAf1qspd0N5dlwCtNDBgZsIlIqkcdt0bSRNJaDHvc9rS62n9gd6c2u4elIVj7FQh0r0jO38gcQH97-SFF7gHf_KUBtTJcUlPTIkpbJJX-r2e0IuF5KmVE/s1600/COPE+34.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXUx1f4VyiWLoM1wyUWkhkRozAf1qspd0N5dlwCtNDBgZsIlIqkcdt0bSRNJaDHvc9rS62n9gd6c2u4elIVj7FQh0r0jO38gcQH97-SFF7gHf_KUBtTJcUlPTIkpbJJX-r2e0IuF5KmVE/w288-h640/COPE+34.jpg" width="288" /></a></div><div style="text-align: center;"><br /></div><div><b>Review</b> the Google services, scroll down then select <b>Accept</b></div><div><b><br /></b></div><div style="text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixYg8o4o7bRUL41UR0I9A-GLI460iZgslswwp_XAoA6GlroD6AM1shiV0pYiqscJ7WLpIpwUPaPnVuxNRAkYlxDEaSW1VES8XejMIGJznlpQ9RYc3ZsWOIyLBzAK4OI7wb4Fquo3ix8lU/s1600/COPE+33.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixYg8o4o7bRUL41UR0I9A-GLI460iZgslswwp_XAoA6GlroD6AM1shiV0pYiqscJ7WLpIpwUPaPnVuxNRAkYlxDEaSW1VES8XejMIGJznlpQ9RYc3ZsWOIyLBzAK4OI7wb4Fquo3ix8lU/w288-h640/COPE+33.jpg" width="288" /></a></div><b><br /></b></div><div>Select a security option</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieOH0dZWm-6emLKFjCpf77cb1Nawmvjll5WZU_FRC4x1R55oyPVNAIKArT8oqlMqGwiLbVtsbuOeqbGD2dsn3hO_Eh_OHwrtaVyjPSzkCeWow1-pQ4z7LosxUcjzJi2Q18L2JCEyrExpI/s1600/COPE+32.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieOH0dZWm-6emLKFjCpf77cb1Nawmvjll5WZU_FRC4x1R55oyPVNAIKArT8oqlMqGwiLbVtsbuOeqbGD2dsn3hO_Eh_OHwrtaVyjPSzkCeWow1-pQ4z7LosxUcjzJi2Q18L2JCEyrExpI/w288-h640/COPE+32.jpg" width="288" /></a></div><div style="text-align: center;"><br /></div><div>Select an option for Google Assistant</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4RGiKmXf81Ix3ZuYfZMiwlBE_9RDMGNI6Wby6QVCRoYN9A9Aog4ybrZzB9j13JwnMknliCzczvavWtxiiJLNmGUwbywT3RRHBFC85x2ZemWD06zuIAetcVPOgwAo_-zZ4pdlUUI-0fsM/s1600/COPE+31.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4RGiKmXf81Ix3ZuYfZMiwlBE_9RDMGNI6Wby6QVCRoYN9A9Aog4ybrZzB9j13JwnMknliCzczvavWtxiiJLNmGUwbywT3RRHBFC85x2ZemWD06zuIAetcVPOgwAo_-zZ4pdlUUI-0fsM/w288-h640/COPE+31.jpg" width="288" /></a></div><div style="text-align: center;"><br /></div><div>Review and remove any additional apps as desired, scroll down then select <b>OK</b></div><div><b><br /></b></div><div style="text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgg8C1rxs2UxXkbuwbrZ4KEZGAU_gX_ttiaRaXpoRu4gMOfBx5ULLF96g3zlFMxTEtZruD6-qqbAwztLChWSSghmmGGiwajc3_Igc85td436M5nNmqvcAiC8rQtZFgWBsVlZWyQQRIxQIM/s1600/COPE+30.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgg8C1rxs2UxXkbuwbrZ4KEZGAU_gX_ttiaRaXpoRu4gMOfBx5ULLF96g3zlFMxTEtZruD6-qqbAwztLChWSSghmmGGiwajc3_Igc85td436M5nNmqvcAiC8rQtZFgWBsVlZWyQQRIxQIM/w288-h640/COPE+30.jpg" width="288" /></a></div><br /><b><br /></b></div><div>Review and accept the terms as desired, select<b> Next</b></div><div><b><br /></b></div><div style="text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoB4S1ZBc4u2FOiN1iteuUJPcsCyxck1A0nGatr2kK5wDooUJ0-Bb3oOk3-0DHGQk_DH4_Cg3FiXUujdXK70GRlaKGHBC5IbHyqKtTVvv2q5pLbDSdghT0j5q8onFsJZdxBeCXjv9Gkn4/s1600/COPE+29.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoB4S1ZBc4u2FOiN1iteuUJPcsCyxck1A0nGatr2kK5wDooUJ0-Bb3oOk3-0DHGQk_DH4_Cg3FiXUujdXK70GRlaKGHBC5IbHyqKtTVvv2q5pLbDSdghT0j5q8onFsJZdxBeCXjv9Gkn4/w288-h640/COPE+29.jpg" width="288" /></a></div><b><br 
/></b></div><div>Select an option</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUe9LsfwjvTCe87G2pKBo3uU2hMjsHVGusJ5t7z6X4KDE9x_95dEGhNEa7kHl2q6ZzQJlXkR7syJSVpAkSV1xQ37t1b8yo9M9YEyGrqgK-MK60ZNgAeorwWOZVhts_Df5tFwQSoxUyigc/s1600/COPE+28.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUe9LsfwjvTCe87G2pKBo3uU2hMjsHVGusJ5t7z6X4KDE9x_95dEGhNEa7kHl2q6ZzQJlXkR7syJSVpAkSV1xQ37t1b8yo9M9YEyGrqgK-MK60ZNgAeorwWOZVhts_Df5tFwQSoxUyigc/w288-h640/COPE+28.jpg" width="288" /></a></div><div style="text-align: center;"><br /></div><div>Further review recommended apps, select <b>Install / Finish</b></div><div><b><br /></b></div><div style="text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjEv3BdiN_ac73q3h9UwELQQuG6qgch4IIkmlNJzgdioxgkS6vBT1glvCzv1wVac2ZOSug5X4aSsWx0dd6oTK8nfELE6C-2u-WrcLq06rtig0DXq5m_XPspwgTXbpHn0Q0sxrCPtnZljI/s1600/COPE+27.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjEv3BdiN_ac73q3h9UwELQQuG6qgch4IIkmlNJzgdioxgkS6vBT1glvCzv1wVac2ZOSug5X4aSsWx0dd6oTK8nfELE6C-2u-WrcLq06rtig0DXq5m_XPspwgTXbpHn0Q0sxrCPtnZljI/w288-h640/COPE+27.jpg" width="288" /></a></div><b><br /></b></div><div>The device is now enrolled. 
If you swipe up from the bottom you will see that the personal and work apps are separated, with the same experience as on a Personally-owned Work Profile device</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoRLEblrX1LHNoA5EW6xKFOoGyzKluZ0AD9xeSDZWP0wAjAslp2g5FbVVEaCDLZVSV3bjqzpvrIhBlJcRY6asb-FkIb5kDQ5wvSeCnJCU2YZhIuZNgXkRz_MGGja6t9L_oGCJNsTkiZAA/s1600/COPE+26.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoRLEblrX1LHNoA5EW6xKFOoGyzKluZ0AD9xeSDZWP0wAjAslp2g5FbVVEaCDLZVSV3bjqzpvrIhBlJcRY6asb-FkIb5kDQ5wvSeCnJCU2YZhIuZNgXkRz_MGGja6t9L_oGCJNsTkiZAA/w288-h640/COPE+26.jpg" width="288" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiysJg_rj6QAGfOB-EeoaP_qtHaNqudPtf7uiZwBWLAMFZfCH_Qqi86oYLSr65GEa6Wg6i_yZLAOYpMksAWGec5pfSmBYNrJGqHfVfKONQIilMSwI-RNayLXVIy4-diQe9MW44dmGilRbM/s1600/COPE+25.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="720" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiysJg_rj6QAGfOB-EeoaP_qtHaNqudPtf7uiZwBWLAMFZfCH_Qqi86oYLSr65GEa6Wg6i_yZLAOYpMksAWGec5pfSmBYNrJGqHfVfKONQIilMSwI-RNayLXVIy4-diQe9MW44dmGilRbM/w288-h640/COPE+25.jpg" width="288" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">That's all for this post, many thanks for reading</div>
Leon Ashton-Leatherland<br />
<br />
Further exploration and analysis of OEMConfig<br />
2021-02-01<br />
<p> In a <a href="https://leonashtonleatherland.blogspot.com/2019/02/oem-config-demystified.html">previous post</a> published almost 2 years ago (wow, time flies!) I briefly covered what OEMConfig meant in terms of Android device management and figured that now would be a good time to explore this functionality again with you. </p><p>The fact that OEMConfig is supported in Intune isn't exactly hot-off-the-press news; however, it's still a fairly new initiative which I feel both customers and tech folk alike are pretty much in the dark about. I would suggest that this is probably due to the value offered differing between OEMs and often handsets.</p><p>So, what actually is it? OEMConfig is a way of delivering device configuration for settings that are mostly not available within Intune. These configurations are delivered via an OEMConfig app, which controls the execution of these settings rather than the MDM agent. The app differs across OEMs and sometimes, as in the example I will be discussing in this post, across models of handset. You should also be aware that some elements of these settings may require additional licensing from one of the supported OEMs, all of which are documented <a href="https://docs.microsoft.com/en-us/mem/intune/configuration/android-oem-configuration-overview#supported-oemconfig-apps">here</a>.</p><p>The key benefit of OEMConfig is that each time the OEM wishes to release additional functionality, there is little to no development time required for it to be available on devices. So no delay in waiting for a dedicated profile to be made available in Intune! However, what I would add is that taking advantage of this functionality may actually mean the handset needs to be upgraded, or the new feature may fall under a setting that needs additional licensing. 
Most of the time I would expect this to simply be a case of an update needing to be installed on the device.</p><p>In this example, I have a Nokia 5.3 handset which, in this scenario, requires an OEMConfig app specific to the model:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtmu85jEtaGCnaOTz9OKImssLXhkvOAwbHZIwfbi3q2LrebF9j0mbrVu7OSrPxmWSNqgUuFC2r0Ykzaxma0d1UayqbJI5V2vRZTIB9tg76m0nPF8Hj6KGVXEuB8umK7xUhQZMb2T7Ln-Y/s706/FurtherOEMConfig1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="583" data-original-width="706" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtmu85jEtaGCnaOTz9OKImssLXhkvOAwbHZIwfbi3q2LrebF9j0mbrVu7OSrPxmWSNqgUuFC2r0Ykzaxma0d1UayqbJI5V2vRZTIB9tg76m0nPF8Hj6KGVXEuB8umK7xUhQZMb2T7Ln-Y/s16000/FurtherOEMConfig1.png" /></a></div><br /><p>So the requirement now is to deploy this app to the device. Within the Microsoft Endpoint Manager admin center, navigate to <b>Apps > Android </b>then select <b>Add </b>then <b>Managed Google Play app </b>as the app type.</p><p>Search for the previously mentioned OEMConfig app for Nokia 5.3 devices (noting again that for Nokia devices there are OEMConfig apps per model).</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjz43tr33ElWHMJnrMlyIP-og1jrBOdlz_uEe5TEEwOxqBF2BvAWoEG4hgVq6hHYcHb5KFdoaBDwqSCtcTC0DXp1Y8wqtQbt77QkPMvuO2aS2aT2Uqv5VHz3Xpms5GkoDAsJYyp516dSe4/s588/FurtherOEMConfig2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="543" data-original-width="588" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjz43tr33ElWHMJnrMlyIP-og1jrBOdlz_uEe5TEEwOxqBF2BvAWoEG4hgVq6hHYcHb5KFdoaBDwqSCtcTC0DXp1Y8wqtQbt77QkPMvuO2aS2aT2Uqv5VHz3Xpms5GkoDAsJYyp516dSe4/s16000/FurtherOEMConfig2.png" /></a></div><br /><p>Select it then click <b>Approve </b>twice, then 
<b>Done </b>before finally <b>Sync </b>to ensure that the app appears as available</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFXGZeGbXOhMcZ0E8bv5_lrJ3lBt0GwHomNN1i9Km3MFSulePZ-nHAwf1I5elYylZDD30AYuR1dMzieRj0B7D8tw_byQ3obHEoQ7USf60WVeSFByCS6A_5m8cVwyBqww76PcHfAhlhabw/s529/FurtherOEMConfig3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="443" data-original-width="529" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFXGZeGbXOhMcZ0E8bv5_lrJ3lBt0GwHomNN1i9Km3MFSulePZ-nHAwf1I5elYylZDD30AYuR1dMzieRj0B7D8tw_byQ3obHEoQ7USf60WVeSFByCS6A_5m8cVwyBqww76PcHfAhlhabw/s16000/FurtherOEMConfig3.png" /></a></div><br /><p>Once the app appears in the list, select it then <b>properties. </b>Select <b>edit </b>next to <b>assignments </b>then add the appropriate target group as a <b>required </b>assignment. Save any changes</p><p>Now the configuration needs to be defined and then assigned. Navigate to <b>Devices > Android > Configuration Profiles </b>select <b>Create Profile. </b>Choose <b>Android Enterprise</b> as the platform and then <b>OEMConfig </b>for profile.</p><p>Give the profile a suitable name and then click <b>Select an OEMConfig app </b>to ensure the correct app is associated with the profile. 
After selecting <b>Next </b>you will now see the settings that are available, which can be configured using the default configuration designer</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha3LTLwx8SU8LSH2xqd0Ultk5t7LTC-GzOYhes5kbPdLlQg6FoXHWSaT-HVb7XAEh4T7dQKjdM3o-kJebbexKnqCtlg-caNROt_8QTyr-IveP5sh8-BtrtsyBHnu_gBtN1B7w4gQJ9iuM/s687/FurtherOEMConfig4.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="538" data-original-width="687" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha3LTLwx8SU8LSH2xqd0Ultk5t7LTC-GzOYhes5kbPdLlQg6FoXHWSaT-HVb7XAEh4T7dQKjdM3o-kJebbexKnqCtlg-caNROt_8QTyr-IveP5sh8-BtrtsyBHnu_gBtN1B7w4gQJ9iuM/s16000/FurtherOEMConfig4.png" /></a></div><br /><p>In this example, we are going to enforce location services on the device, so next to L<b>ocation </b>select C<b>onfigure </b>then <b>Enabled </b>from the drop-down menu on the next screen</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifEAiXQFH8AHzx_zKwHslXETTt6F2GNzClhX11caPSgRVB9c4sCwr-ftYIo1UtZZF8vnLD880jAZL7cBWAyvS5eDcHIlm7zoNJ4sG0apP9wkKEyQfdRpmozDHBwxJE4JsgwPfivCu_dEk/s631/FurtherOEMConfig5.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="486" data-original-width="631" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifEAiXQFH8AHzx_zKwHslXETTt6F2GNzClhX11caPSgRVB9c4sCwr-ftYIo1UtZZF8vnLD880jAZL7cBWAyvS5eDcHIlm7zoNJ4sG0apP9wkKEyQfdRpmozDHBwxJE4JsgwPfivCu_dEk/s16000/FurtherOEMConfig5.png" /></a></div><br /><p>Select <b>Next </b>twice and then assign the profile to the appropriate target group. 
<b>Next </b>then <b>Create </b>completes the assignment of the configuration.</p><p>As you can see, initially location services were disabled on my test device</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHvlY21HewAVqT0zWeINlAZm9MJO5Ta3Vzunm-TvLfrDR76mhhunypsOi_AP9eNJky8lerI8skA7vXq6UhIYtraHpQlJp3NAjxE49iXYnhRSIUYXt0ONosXGoouOgAbNCMgyoAWNJvrro/s708/FurtherOEMConfig6.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="708" data-original-width="317" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHvlY21HewAVqT0zWeINlAZm9MJO5Ta3Vzunm-TvLfrDR76mhhunypsOi_AP9eNJky8lerI8skA7vXq6UhIYtraHpQlJp3NAjxE49iXYnhRSIUYXt0ONosXGoouOgAbNCMgyoAWNJvrro/s16000/FurtherOEMConfig6.png" /></a></div><br /><p>Now you can see they are enabled, in addition, the prompts for the OEMConfig app install and confirmation of the setting being enabled are also visible</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEStKkvOkiAYhwM_H4PwF6kk0tAP4PtLxxWtp6hB7SxSecIYGYO0lV5oAL8yPD7NgpuQ3bsJeIvInWspTar2cRgRgRwvXgifvR6iQPb9y216qF4GHnytfSP8J3tRMWoevG8kzoZgNxHpc/s709/FurtherOEMConfig7.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="709" data-original-width="316" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEStKkvOkiAYhwM_H4PwF6kk0tAP4PtLxxWtp6hB7SxSecIYGYO0lV5oAL8yPD7NgpuQ3bsJeIvInWspTar2cRgRgRwvXgifvR6iQPb9y216qF4GHnytfSP8J3tRMWoevG8kzoZgNxHpc/s16000/FurtherOEMConfig7.png" /></a></div><br /><p>I have to admit that initially, I thought there was significant value in the ability to be able to control this setting on these handsets. 
The problem is that in this specific scenario it does not prevent the end user from altering the setting, which is also clearly stated on the app within the store</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQeh7Zgw8nkU6IqFNb2qZYdW9pVW_Uh8KxkpTa8j_TiYObeGiTYH6oGd3oyQBkO1ADi95-BGp-6xhBt7kSKDJdDQiVb7M139kZx2QFwUGeK8Hh0KpKWbjt0z_omPmcluUbh2tD7RRuVMY/s642/FurtherOEMConfig8.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="642" data-original-width="318" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQeh7Zgw8nkU6IqFNb2qZYdW9pVW_Uh8KxkpTa8j_TiYObeGiTYH6oGd3oyQBkO1ADi95-BGp-6xhBt7kSKDJdDQiVb7M139kZx2QFwUGeK8Hh0KpKWbjt0z_omPmcluUbh2tD7RRuVMY/s16000/FurtherOEMConfig8.png" /></a></div><br /><p>I also attempted to modify the setting and wait for / force a sync to see if it reverted again, without any luck. I intend to explore this further and will update this post if I have any further information on why this is the case. </p><p>That aside, I believe this still demonstrates the possibilities of this technology, and it is something you should consider as a contributing factor when selecting company-owned Android devices.</p><p>Many thanks for reading this post. If you have any questions please feel free to reach out to me!</p>
Leon Ashton-Leatherland<br />
<br />
Using ADMX ingestion to configure the Zoom desktop application with Intune<br />
2020-04-02<br />
Due to recent events I am seeing that organisations are having to come up with solutions quickly in order to enable their workforce, most of whom are working from home for the first time. 
After working recently for a customer who wishes to deploy the Zoom desktop client to their whole organisation, I had a conversation with them and it was apparent that they were not entirely sure specifically how they wanted Zoom configured on install. On browsing the <a href="https://support.zoom.us/hc/en-us/articles/201362163-Mass-Installation-and-Configuration-for-Windows" target="_blank">documentation</a> I soon realised that there were some Group Policy templates available so, thinking ahead, I thought it would be a good idea to see if I could import these policies to support any additional configuration requirements post-install if the customer's requirements changed over time.<br />
<div>
<br /></div>
<div>
For a bit of background: as of Windows 10 1703, functionality was made available within the Intune service (and obviously the Windows OS) to support ADMX-backed policies. Essentially, this is the ability to transmit Group Policy settings in a format that is understood by the MDM client using the Policy CSP. This is achieved by importing or "ingesting" ADMX files and then configuring specific settings in relation to the ingested content. There are some caveats and considerations which I am going to explain in this post, and I want to keep it as simple as possible. Over time, support has been provided for ADMX settings with the Administrative Templates profile within the Intune portal and, as most recently announced, these settings are now presented in an interface very similar to the experience of the Group Policy Management Console:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1xUk_ttI0Z1xfVcDu2JJoyDg72ID9MkNf3i1c8prKS9O_cIJlP5rcKvVugQbLll09xvdMl8TnWQrVwqTNR6JPx6jT-vhs7Cjn9aCmQxLxHd0H79P5WbGAE_7jhug9F-WTuXNtn1V28M4/s1600/ADMXProfile1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="691" data-original-width="612" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1xUk_ttI0Z1xfVcDu2JJoyDg72ID9MkNf3i1c8prKS9O_cIJlP5rcKvVugQbLll09xvdMl8TnWQrVwqTNR6JPx6jT-vhs7Cjn9aCmQxLxHd0H79P5WbGAE_7jhug9F-WTuXNtn1V28M4/s1600/ADMXProfile1.png" /></a></div>
<div>
<br /></div>
<div>
So how do we approach this then? First of all, <a href="https://support.zoom.us/hc/en-us/articles/360039100051#h_4d806a45-02f2-470b-acb3-b96320d16c3f" target="_blank">download</a> the ADMX files for the Windows Desktop client. There are two versions: ZoomMeetings_HKCU if you want to deploy the policies within the user's scope, and ZoomMeetings_HKLM for devices. I went with the latter and then opened up the file with an XML editor.</div>
<div>
<br /></div>
<div>
From this, as per the <a href="https://docs.microsoft.com/en-us/windows/client-management/mdm/win32-and-centennial-app-policy-configuration" target="_blank">documentation</a>, I needed to confirm that the registry keys for these policies were not within the exclusions list (I assumed this would be fine; however, it's always worth a check)</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZHvStPszVhdr_c0jJ9_NrnOxufxG3q3q1awfFsIhEtajvj6uhOUhcfjIaL1mIu-kmA1dQrqbqwDQ4RdLax7S905NGMn744e_KywzIwtbL8WFiJlBriCfy1tmhYEd73HCLg1FMsafXxEo/s1600/ADMXFile1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="514" data-original-width="554" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZHvStPszVhdr_c0jJ9_NrnOxufxG3q3q1awfFsIhEtajvj6uhOUhcfjIaL1mIu-kmA1dQrqbqwDQ4RdLax7S905NGMn744e_KywzIwtbL8WFiJlBriCfy1tmhYEd73HCLg1FMsafXxEo/s1600/ADMXFile1.png" /></a></div>
<div>
<br /></div>
<div>
I also wanted to look at the policies available and take note of the values supported for each policy, to use when creating the custom configuration profile to deploy the required settings</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZymdCZ2Nf1r_svb4OJGWEeJDfldECkCBya8tOj7oUYM8iB4b2ZoyWrH0xgkSDN6nBEKc7-VxdI2yIsf82SI0cMdi3rz_MiS98bCteSKwwJ_1AcryZifIjfTw3538M85wWzGHGpYMdnKM/s1600/ADMXFile2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="648" data-original-width="365" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZymdCZ2Nf1r_svb4OJGWEeJDfldECkCBya8tOj7oUYM8iB4b2ZoyWrH0xgkSDN6nBEKc7-VxdI2yIsf82SI0cMdi3rz_MiS98bCteSKwwJ_1AcryZifIjfTw3538M85wWzGHGpYMdnKM/s1600/ADMXFile2.png" /></a></div>
<div>
<br /></div>
<div>
Let's take two settings in this example: we wish to prevent the end user from logging in using either their Google or Facebook credentials. What we essentially need to do now is deploy the ADMX file with an OMA-URI setting in order for it to be ingested, and then disable these two login options using an additional OMA-URI for each. In order to know what values to use for these OMA-URIs, a good approach (thanks Per Larsen for your <a href="https://www.youtube.com/watch?v=upzmm6iVK8I&t=857s" target="_blank">excellent presentation</a> at WMUG back in August 2019) is to deploy the ingested ADMX to the device first so these values are available in the registry.</div>
<div>
<br /></div>
<div>
First of all, log in to the Endpoint Manager admin center (EMAC) and navigate to <b>Devices > Windows > Configuration Profiles > Create profile</b></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-txOxOSNsUSoyBSYbQM-RYoEQaeFYNsoDpKhkGqvpX5XppA2TC5X8Tk6gHjn3pfMtHssYi0gH6UX8-aDzOlWCp_x3UiXfXH6U2cQfyzes1545Jui-1UY2EsRftRI5RofCvMaIQsYnfDQ/s1600/EMAC1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="445" data-original-width="614" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-txOxOSNsUSoyBSYbQM-RYoEQaeFYNsoDpKhkGqvpX5XppA2TC5X8Tk6gHjn3pfMtHssYi0gH6UX8-aDzOlWCp_x3UiXfXH6U2cQfyzes1545Jui-1UY2EsRftRI5RofCvMaIQsYnfDQ/s1600/EMAC1.png" /></a></div>
<div>
<br />
<br /></div>
<div>
Select <b>Windows 10 and later</b> as the platform and <b>Custom</b> as the profile type, then give the profile a suitable name. Just as a reminder, this profile will eventually contain both the fully ingested ADMX file and the two OMA-URI strings for our settings.</div>
<div>
<br /></div>
<div>
Select add and then fill in the appropriate values;</div>
<div>
<br /></div>
<div>
<b>Name; </b>Something descriptive</div>
<div>
<b>Description; </b>Add if required</div>
<div>
<b>OMA-URI; </b>Should be in the following format, with the items in bold being custom, provided they are unique on the device: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/<b>CustomZoomADMX</b>/Policy/<b>CustomZoomADMX</b></div>
<div>
<b>Data type; </b>String</div>
<div>
<b>Value; </b>The pasted contents of the ADMX file</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjQ4DeQEM2CU_9Gjp-8zZ2AyZvxAukqVSiJo4VSHiuYd0ctxbyWKC7Uuo2U0kD7Y2W5PaIJOIseFn18KMaFt8QD2k96CaQd03asQTlHdE87nZ_a_ahiVJjf-Aybzl6kUWfyvDM43ccz2I/s1600/OMA-URI1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="360" data-original-width="540" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjQ4DeQEM2CU_9Gjp-8zZ2AyZvxAukqVSiJo4VSHiuYd0ctxbyWKC7Uuo2U0kD7Y2W5PaIJOIseFn18KMaFt8QD2k96CaQd03asQTlHdE87nZ_a_ahiVJjf-Aybzl6kUWfyvDM43ccz2I/s1600/OMA-URI1.png" /></a></div>
<div>
<br /></div>
<div>
Assign this to a device and then, once the MDM profile has reported back as successfully deployed in Intune, open the registry and navigate to <b>HKLM:\Software\Microsoft\PolicyManager\ADMXInstalled </b>to verify that the policy exists and that there is a status and policy count</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2-f5gXdGcIGoccaTrpnuS1YDx2zGHkOejX4etiVrVEhEjX6OdSY0FnrH-9VmVpLCRRDxbt0gkk8UmzmuPHmc5c8mGbKLAvLvLxHPn9EPPmfD_bVsfdnzTxFw5EEqwc3sBDQl0VFsKA48/s1600/Registry1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="116" data-original-width="513" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2-f5gXdGcIGoccaTrpnuS1YDx2zGHkOejX4etiVrVEhEjX6OdSY0FnrH-9VmVpLCRRDxbt0gkk8UmzmuPHmc5c8mGbKLAvLvLxHPn9EPPmfD_bVsfdnzTxFw5EEqwc3sBDQl0VFsKA48/s1600/Registry1.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkvMgeL0XUc_2GgLrVDVypyV0zqViWxVenbd8RWw_ws4FiKJS2t6VZ_MBL_8RnlK9v9yZnNnXwFJpnlTWBiDXQJgQABoLCrFHly4HY2WgzBUG9YrVJ0r2Lg9V7XBErAhxR0Ece6AS1WR4/s1600/Registry2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="150" data-original-width="591" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkvMgeL0XUc_2GgLrVDVypyV0zqViWxVenbd8RWw_ws4FiKJS2t6VZ_MBL_8RnlK9v9yZnNnXwFJpnlTWBiDXQJgQABoLCrFHly4HY2WgzBUG9YrVJ0r2Lg9V7XBErAhxR0Ece6AS1WR4/s1600/Registry2.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now navigate to <b>HKLM:\Software\Microsoft\PolicyManager\ADMXDefault</b>. Referring back to the ADMX file, the settings we required were within the <b>zoomgeneral </b>category</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmRNUEqOlWIoM1tbUuQVY0zdAPSZBITz9iqC06wTlSgUbgql_qvTMd2mXwWd9E2oSgmwXNUEPCCXfh3IJslFpl0b8V-EnIaDSLs3xa09HCPJgby3CWilJj4HlKNjOJRGTflLAhkmADrE4/s1600/Registry3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="289" data-original-width="599" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmRNUEqOlWIoM1tbUuQVY0zdAPSZBITz9iqC06wTlSgUbgql_qvTMd2mXwWd9E2oSgmwXNUEPCCXfh3IJslFpl0b8V-EnIaDSLs3xa09HCPJgby3CWilJj4HlKNjOJRGTflLAhkmADrE4/s1600/Registry3.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now we can go back to the profile we created earlier to add two more OMA-URIs using the above values</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
To enable the <b>disable Facebook login policy</b></div>
<div class="separator" style="clear: both; text-align: left;">
./Device/Vendor/MSFT/Policy/Config/<b>CustomZoomADMX~Policy~ZoomUsCommunication~zoomgeneral</b>/<b>DisableFacebookLogin_Policy</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
The same for Google</div>
<div class="separator" style="clear: both; text-align: left;">
./Device/Vendor/MSFT/Policy/Config/<b>CustomZoomADMX~Policy~ZoomUsCommunication~zoomgeneral</b>/<b>DisableGoogleLogin_Policy</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
Remember that the available values for these settings can be found in the original ADMX file, so they are both <b>string </b>and set to <b><enabled/></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcd2HV96NCMjuoqWr-rPYkUKRU_GBKqHKWBmS42tr3Mgv_cFf4g9GXYR6e6j2UrGSoNTIKp142mRIwSNIPYLfoA8XFD4e1WoI1gOvb9jDEl_ryrsefQ6qJjfIxPEDHZVyTnyb3PPzNuh0/s1600/OMA-URI2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="358" data-original-width="551" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcd2HV96NCMjuoqWr-rPYkUKRU_GBKqHKWBmS42tr3Mgv_cFf4g9GXYR6e6j2UrGSoNTIKp142mRIwSNIPYLfoA8XFD4e1WoI1gOvb9jDEl_ryrsefQ6qJjfIxPEDHZVyTnyb3PPzNuh0/s1600/OMA-URI2.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidPLCXakFPg2QdEZWPaQtpV3sOkJlgQ2KtI7TAuXSyWHNonhj1jf-8PcglcmEK0nC7bNVpaJRYHL1MkU6wdCRyLRW7F80-o087xsRGt9nxr8Y-TxZAgtLv7Aus5kA5xDCzOf3PqnfkkSg/s1600/OMA-URI3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="350" data-original-width="566" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidPLCXakFPg2QdEZWPaQtpV3sOkJlgQ2KtI7TAuXSyWHNonhj1jf-8PcglcmEK0nC7bNVpaJRYHL1MkU6wdCRyLRW7F80-o087xsRGt9nxr8Y-TxZAgtLv7Aus5kA5xDCzOf3PqnfkkSg/s1600/OMA-URI3.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCjLiVkIzcHaxEK-dHWTK6BTX_G0ymmbL2KcR0A8dVZU0I5vDaWtttmi7Clsu-59XXsn1JJ0TMQWNKj-PKiwLa5sdpOvEpl5CEOrsRKvPCN06FvE-ejAaZE0CUaGjj-b0_WGLX0oC9-rw/s1600/OMA-URI4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="274" data-original-width="576" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCjLiVkIzcHaxEK-dHWTK6BTX_G0ymmbL2KcR0A8dVZU0I5vDaWtttmi7Clsu-59XXsn1JJ0TMQWNKj-PKiwLa5sdpOvEpl5CEOrsRKvPCN06FvE-ejAaZE0CUaGjj-b0_WGLX0oC9-rw/s1600/OMA-URI4.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Remember to change the beginning of the OMA-URIs to <b>./User </b>if using user-based ADMX policies</div>
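<div>The OMA-URIs built by hand above can also be derived from the ADMX file before anything is deployed. The following Python sketch is an added example, not code from the original post, Microsoft or Zoom: it assumes the policy area is formed as app name, setting type and category path joined by "~" (as in the URIs above), and the embedded ADMX is a constructed sample with made-up registry keys. It also flags keys under the registry roots that ingestion does not allow, without modelling the documented exceptions.</div>

```python
import xml.etree.ElementTree as ET

# Registry roots an ingested ADMX may not write to, per the Microsoft
# documentation linked in the post. The documented exceptions are not
# modelled, so a flagged key means "check the exclusions list by hand".
BLOCKED_ROOTS = ("system", "software\\microsoft", "software\\policies\\microsoft")

# ADMX policy class -> OMA-URI scope prefix(es).
SCOPES = {"Machine": ["Device"], "User": ["User"], "Both": ["Device", "User"]}

# Constructed sample, NOT the real Zoom ADMX. Category and policy names are
# the ones shown in the post; registry keys and Example_* names are made up.
SAMPLE_ADMX = r"""
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
                   revision="1.0" schemaVersion="1.0">
  <categories>
    <category name="ZoomUsCommunication" displayName="$(string.zoom)"/>
    <category name="zoomgeneral" displayName="$(string.general)">
      <parentCategory ref="ZoomUsCommunication"/>
    </category>
  </categories>
  <policies>
    <policy name="DisableFacebookLogin_Policy" class="Machine"
            key="SOFTWARE\Policies\ExampleVendor\General" valueName="DisableFacebookLogin">
      <parentCategory ref="zoomgeneral"/>
    </policy>
    <policy name="DisableGoogleLogin_Policy" class="Machine"
            key="SOFTWARE\Policies\ExampleVendor\General" valueName="DisableGoogleLogin">
      <parentCategory ref="zoomgeneral"/>
    </policy>
    <policy name="Example_Blocked_Policy" class="Both"
            key="Software\Microsoft\ExampleVendor" valueName="Example">
      <parentCategory ref="zoomgeneral"/>
    </policy>
  </policies>
</policyDefinitions>
"""


def _local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]


def _elements(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def _parent_ref(elem):
    for child in elem:
        if _local(child.tag) == "parentCategory":
            return child.get("ref")
    return None


def category_paths(root):
    """Map each category name to its full 'Parent~Child' path."""
    parents = {c.get("name"): _parent_ref(c) for c in _elements(root, "category")}
    paths = {}
    for name in parents:
        chain, cur = [], name
        while cur in parents and cur not in chain:  # stop on unknown parent or loop
            chain.append(cur)
            cur = parents[cur]
        paths[name] = "~".join(reversed(chain))
    return paths


def is_blocked(key):
    """True if the registry key sits under one of the disallowed roots."""
    k = key.strip("\\").lower()
    return any(k == r or k.startswith(r + "\\") for r in BLOCKED_ROOTS)


def ingest_uri(app_name, file_id, setting_type="Policy"):
    """OMA-URI that carries the ADMX file contents as its string value."""
    return f"./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{app_name}/{setting_type}/{file_id}"


def plan_oma_uris(admx_text, app_name, setting_type="Policy"):
    """Return one row per policy and scope: name, OMA-URI, key, blocked flag."""
    root = ET.fromstring(admx_text.strip())
    paths = category_paths(root)
    plan = []
    for pol in _elements(root, "policy"):
        cat = _parent_ref(pol) or ""
        area = "~".join([app_name, setting_type, paths.get(cat, cat)])
        for scope in SCOPES.get(pol.get("class"), ["Device"]):
            plan.append({
                "policy": pol.get("name"),
                "uri": f"./{scope}/Vendor/MSFT/Policy/Config/{area}/{pol.get('name')}",
                "key": pol.get("key"),
                "blocked": is_blocked(pol.get("key", "")),
            })
    return plan


if __name__ == "__main__":
    print(ingest_uri("CustomZoomADMX", "CustomZoomADMX"))
    for row in plan_oma_uris(SAMPLE_ADMX, "CustomZoomADMX"):
        flag = "CHECK EXCLUSIONS" if row["blocked"] else "ok"
        print(f"{flag:17}{row['uri']}  [{row['key']}]")
```

<div>The registry under <b>ADMXDefault</b> on an enrolled device remains the authoritative source for the area and policy names; use this output as a pre-deployment cross-check.</div>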
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Originally the experience when launching the Zoom app on the device displayed the following options</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-3FIiimMlBgswlEyhds4P5zZjJGl54wHOj5Hdiv4Cyk3TAdoefx5lcuBjr1SAEIIgPry3cWt1IUn6xM_jcAXgAw4SeV-7d7uXm5WGLTK5gneHuUOc-4uvKgzMeCgdgkW8XuApwDLxRUw/s1600/ZoomSignInOptions1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="486" data-original-width="725" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-3FIiimMlBgswlEyhds4P5zZjJGl54wHOj5Hdiv4Cyk3TAdoefx5lcuBjr1SAEIIgPry3cWt1IUn6xM_jcAXgAw4SeV-7d7uXm5WGLTK5gneHuUOc-4uvKgzMeCgdgkW8XuApwDLxRUw/s1600/ZoomSignInOptions1.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
After carrying out a policy sync you can now see the settings have applied</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbtazp-E_J6Hd5DC9zFV0ji286mLtAP95xLRt_eYhR_LpbEpiDO9rvA6i4sX64K8FyfR2BpqIHoHRa3X0AUMjULkTTA1uBb6MCFTEMhjZzrcXqIdsuK3ZuGEVO45V7-QCsIOEqsutfz8E/s1600/ZoomSignInOptions2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="489" data-original-width="734" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbtazp-E_J6Hd5DC9zFV0ji286mLtAP95xLRt_eYhR_LpbEpiDO9rvA6i4sX64K8FyfR2BpqIHoHRa3X0AUMjULkTTA1uBb6MCFTEMhjZzrcXqIdsuK3ZuGEVO45V7-QCsIOEqsutfz8E/s1600/ZoomSignInOptions2.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I hope you have found this useful, thanks for reading!</div>
Leon Ashton-Leatherland<br />
<br />
Getting started with Windows 10 device configuration options within Intune<br />
Published 2020-03-28<br />
<br />
If there is one thing that is noticeable when looking at the various Windows 10 configuration options within Intune, it's the fact that, well, there are lots. But is this really necessary? What should be used and when?<br />
<br />
In this blog post I thought I would summarise my findings along with some general tips that I have picked up along the way from both resources within the community and through my own experiences.<br />
<br />
I am going to step through the options in the order in which I would recommend looking at them.<br />
<br />
A note at this point: this post has been in draft for a while, and in that time the M365 Device Management Admin Console (DMAC) has significantly changed. Indeed, with this month's <a href="https://docs.microsoft.com/en-us/mem/intune/fundamentals/whats-new#week-of-march-16-2020-2003-service-release" target="_blank">service release</a> of Intune, there have been some significant additions that are now in public preview. In fact, this console is now called the Endpoint Manager Admin Center (EMAC) and will in the future provide a unified interface to manage both Intune and Configuration Manager clients. I feel the layout is now much more intuitive, with more of a platform-specific approach. At the time of writing, the layout differs from what is available in the Intune console via the Azure portal, so please bear that in mind when following along with this post.<br />
<br />
<u>Security Baselines</u><br />
<u><br /></u>One of the fundamental reasons for configuring Windows 10 is to provide a secure system for users within your organisation. Security baselines are a very simple way of deploying a super secure configuration in very little time at all. These are groups of recommended settings developed by Microsoft security engineering teams and are available in three types: Windows 10, Microsoft Defender ATP and Microsoft Edge. Individual settings can be changed to suit your organisation's needs, and I would recommend deploying the base set and taking your time to test fully in a small pilot before proceeding. I will reiterate: <i>take your time</i> piloting any of these before rolling them out into wide-scale production.<br />
<br />
These settings are located within the EMAC; navigate to <b>Endpoint Security > Security Baselines </b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHoxZXdEngrDA6-YYALWxM0d135vH-FBBTh_t1OL-U92t28W90-CdD4LFQoZ8FAMpgnQHQ3hFdWWebdTEK6_zhz-D2xMHhxl8Xxekycn3FQ8Pp3phGNzYg5xZsXZ-zpv30GxmOl4SoHNs/s1600/SecurityBaselines1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="536" data-original-width="729" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHoxZXdEngrDA6-YYALWxM0d135vH-FBBTh_t1OL-U92t28W90-CdD4LFQoZ8FAMpgnQHQ3hFdWWebdTEK6_zhz-D2xMHhxl8Xxekycn3FQ8Pp3phGNzYg5xZsXZ-zpv30GxmOl4SoHNs/s1600/SecurityBaselines1.png" /></a></div>
<br />
You can now select a specific baseline type, create it, amend it as appropriate and assign it. What I particularly like is the way each individual setting is reported back as compliant or not; the baseline will then attempt to configure the device back to the setting specified within the baseline.<br />
<br />
I have to admit, though, that some aspects of baselines are almost "one size fits all", as there are some settings that it would appear cannot be set back to simply "not configured". Certainly a great way to get started, though, if applicable for your particular scenario.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<u>Security Administrator focused policies</u></div>
<div class="separator" style="clear: both; text-align: left;">
<u><br /></u></div>
<div class="separator" style="clear: both; text-align: left;">
These policies contain, for the most part, the same settings that are available within the Device Restriction and Endpoint Protection policy types (explained further below) but are now exposed within the Endpoint Security node alongside baselines.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6W9Hw5TdS0QKrXU_64lvW0Lj5vPTX0rvvElWMFXmstjJNyQdFVrCw440V8icj1JS7MV7VDVj4_46iqLX-fFaAJ7TLR9dwpxVsp4-TA9T_AjyD6WhVzuyLwnj64snlI-f3ThT-hg0Hk20/s1600/MDMProfilesSecurity.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="674" data-original-width="423" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6W9Hw5TdS0QKrXU_64lvW0Lj5vPTX0rvvElWMFXmstjJNyQdFVrCw440V8icj1JS7MV7VDVj4_46iqLX-fFaAJ7TLR9dwpxVsp4-TA9T_AjyD6WhVzuyLwnj64snlI-f3ThT-hg0Hk20/s1600/MDMProfilesSecurity.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
If you need some additional flexibility and you are comfortable with the expectations of using public preview features, then take a look at these new options, which provide you with settings grouped within specific profile types. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The new <b>Microsoft Defender </b>profile type within <b>Antivirus (Preview) </b>contains additional settings that are not available within the traditional Device Restrictions profile, so if you are using the Defender AV engine within your environment I would certainly recommend taking a look here first.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<u>Endpoint Protection and Device Restrictions</u><br />
<u><br /></u>Until the recent announcement of the new Security Admin focused MDM Policies and the fairly recent introduction of Security Baselines, security related policies were traditionally included within the Endpoint Protection and Device Restrictions profile types. These also provide a simple way of configuring settings of the same type and provide additional options to secure Windows 10 beyond what is currently available within baselines, mostly related to restricting specific options being available to the end user. Settings for improving user experience are also found within the Device Restrictions profile type.<br />
<br />
To create these profile types navigate to <b>Devices > Windows > Configuration Profiles</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1M79M_WbcbxbfmQan5zIk4eToLCR68r2DkSY642FYEIXwJECWXhLOpXNNYnNdkMqav6xEV4x1NaQBnFVCBezJQkEIjeZ_DMkNs8FpcajiMmQ9V2AJMYb7H2WUzu39PyY1G-R9Mr7teN0/s1600/MDMProfilesEPandDR1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="605" data-original-width="672" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1M79M_WbcbxbfmQan5zIk4eToLCR68r2DkSY642FYEIXwJECWXhLOpXNNYnNdkMqav6xEV4x1NaQBnFVCBezJQkEIjeZ_DMkNs8FpcajiMmQ9V2AJMYb7H2WUzu39PyY1G-R9Mr7teN0/s1600/MDMProfilesEPandDR1.png" /></a></div>
<br />
After selecting the correct platform the profile type can be selected<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLUbwCL6ED25VHbFRWby1DqoxdosxAvcx1OlqrgAYL0UMhkllCwituZuXV4jjg9XoRlsidToOjaeXuf-6olEzcfUK-kNcjx7pjYjiTTl5xY1Rbn4lKoFbYbR_cMy_5I-HQeMwl2IhJecg/s1600/MDMProfilesEPandDR2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="718" data-original-width="427" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLUbwCL6ED25VHbFRWby1DqoxdosxAvcx1OlqrgAYL0UMhkllCwituZuXV4jjg9XoRlsidToOjaeXuf-6olEzcfUK-kNcjx7pjYjiTTl5xY1Rbn4lKoFbYbR_cMy_5I-HQeMwl2IhJecg/s1600/MDMProfilesEPandDR2.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEib6l7IOZ-VliDC251w_qUxsx4TPfJRDeDabvpAMbWy5tRDBfowVIRcE9Z5XBKRgeD2ECYSkthUgzLlBvI6lSPkawb7F7vEGXwZam_rhW1FTSB2StEl0rxHF1qXszHF3GUwL99KeTs1Oos/s1600/MDMProfilesEPandDR3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="718" data-original-width="427" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEib6l7IOZ-VliDC251w_qUxsx4TPfJRDeDabvpAMbWy5tRDBfowVIRcE9Z5XBKRgeD2ECYSkthUgzLlBvI6lSPkawb7F7vEGXwZam_rhW1FTSB2StEl0rxHF1qXszHF3GUwL99KeTs1Oos/s1600/MDMProfilesEPandDR3.png" /></a></div>
<br />
If you are in an organisation that already has these profiles deployed and are considering deploying Security Baselines, then I would recommend isolating a test device into its own Azure AD Group with the existing configuration deployed and then create a baseline and deploy to it. You will then be able to identify any conflicts that arise and remove settings from conflicting profiles as appropriate, leaving the setting available within the baseline.<br />
<br />
<u>Administrative Templates</u><br />
<u><br /></u>Traditional device configuration settings have been delivered in the form of group policies, using the ADMX format, to devices that are joined to an ADDS Domain. The ability to configure traditional settings within Windows and Win32 applications using this method was supported within Intune as of Windows 10 1703. This, however, required the importing of ADMX files via a process called ingestion, which had its risks.<br />
<br />
The Administrative Templates profile type contains various settings to configure Windows, Office and Microsoft Edge (Version 77 or newer) so this should be the next area you explore for your required settings.<br />
<br />
More recently announced was a new, intuitive change to the display of these settings, very similar to the experience from within the Group Policy Management Console.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOmqWa4Vcy8zYZb0-hdx70sWeobRWl4U4Pu1omLhf7YiiFnhpkfDj8F8iIE7QnQeCLdVdsBBueL4Nk9lpKQ7FYvg1ALRq752en6BB1P73W-9YJO0ELieeo0XZBo1K1Jzo2fMze_CK3cvI/s1600/ADMX1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="681" data-original-width="610" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOmqWa4Vcy8zYZb0-hdx70sWeobRWl4U4Pu1omLhf7YiiFnhpkfDj8F8iIE7QnQeCLdVdsBBueL4Nk9lpKQ7FYvg1ALRq752en6BB1P73W-9YJO0ELieeo0XZBo1K1Jzo2fMze_CK3cvI/s1600/ADMX1.png" /></a></div>
<br />
<u>Additional Windows 10 profile types</u><br />
<u><br /></u>
At this stage, if there are any other settings you are looking for, I would recommend exploring the additional Windows 10 and later profile types. You will have seen these within the profile type dropdown list in addition to Endpoint Protection and Device Restrictions.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqVtFmERfN40Ze8cwPpQhxVM1fE5DkFOYyngik5cYlH-Ptr_Tcl4dzI4su46R2MJU0UgA2-lSrUPOLbCXNu9YasEEV7FK4Dq3Mb-PJZkpLbGsb7yiyikrKUPhmioSyPiYZxacyoBVHCN0/s1600/MDMProfilesOther.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="703" data-original-width="755" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqVtFmERfN40Ze8cwPpQhxVM1fE5DkFOYyngik5cYlH-Ptr_Tcl4dzI4su46R2MJU0UgA2-lSrUPOLbCXNu9YasEEV7FK4Dq3Mb-PJZkpLbGsb7yiyikrKUPhmioSyPiYZxacyoBVHCN0/s1600/MDMProfilesOther.png" /></a></div>
<br />
<u>Configuration Service Providers (CSPs)</u><br />
<u><br /></u>
A CSP is an interface through which to manage configuration settings for modern settings and applications within Windows 10 via Intune. CSPs utilise a standards-based protocol known as Open Mobile Alliance Device Management (OMA-DM), which is compatible across various MDMs, and settings are transmitted in the form of Synchronisation Markup Language (SyncML) messages. Specific CSP settings can be defined using OMA-URIs (Uniform Resource Identifiers) within the "Custom" configuration profile option.<br />
<br />
So essentially, if there is not a setting within any of the MDM profiles, check out the <a href="https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference" target="_blank">CSP reference documentation</a> to see if there is a setting available for you to configure. Additional CSPs are released with each Windows 10 version, which means that you have the benefit of being able to create this custom configuration right after release.<br />
<br />
To create this custom configuration you will need to specify the OMA-URI, data type and value; this example sets the time zone.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggi9lrTUzksrRlAL3YLX_hpl4WOv0toNCTJ6OdaEvUsxiMjXe7M9lbxsfop3_FI3EuwlZ1GmCK8W0Df_BGqPQE1j_aX0dnSQrvmo94YNztaQOFWnDx5zthvra9eK3DWjas2RKcLURLBX4/s1600/CSP1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="479" data-original-width="710" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggi9lrTUzksrRlAL3YLX_hpl4WOv0toNCTJ6OdaEvUsxiMjXe7M9lbxsfop3_FI3EuwlZ1GmCK8W0Df_BGqPQE1j_aX0dnSQrvmo94YNztaQOFWnDx5zthvra9eK3DWjas2RKcLURLBX4/s1600/CSP1.png" /></a></div>
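<div class="separator" style="clear: both; text-align: left;">
The following is an added example, not code from the original post: it shows the SyncML command that an OMA-URI, data type and value triple corresponds to, and then checks on the device whether a device-scoped Policy CSP setting has applied. The function names, the time zone OMA-URI and the value are assumptions chosen for illustration; the registry key is where Windows records applied Policy CSP device settings.</div>

```powershell
# Added example (not from the original post). Function names are hypothetical.

function New-SyncMLReplace {
    # Builds the SyncML <Replace> command that a custom profile row corresponds to.
    param(
        [Parameter(Mandatory)][string]$OmaUri,
        [Parameter(Mandatory)][ValidateSet('String', 'Integer', 'Boolean')][string]$DataType,
        [Parameter(Mandatory)][string]$Value
    )
    # Map the data type chosen in the portal to the SyncML format code.
    $format = @{ String = 'chr'; Integer = 'int'; Boolean = 'bool' }[$DataType]
    # XML-escape anything that ends up inside an element.
    $escape = { param($s) [System.Security.SecurityElement]::Escape($s) }
@"
<Replace>
  <CmdID>1</CmdID>
  <Item>
    <Target><LocURI>$(& $escape $OmaUri)</LocURI></Target>
    <Meta><Format xmlns="syncml:metinf">$format</Format></Meta>
    <Data>$(& $escape $Value)</Data>
  </Item>
</Replace>
"@
}

function Get-PolicyCspAppliedValue {
    # Resolves a device-scoped Policy CSP OMA-URI to its PolicyManager registry
    # key and reads back the value the device has actually applied.
    param([Parameter(Mandatory)][string]$OmaUri)

    # Policy CSP URIs look like ./Device/Vendor/MSFT/Policy/Config/<Area>/<Policy>
    $pattern = '^\./(?<scope>Device|User)/Vendor/MSFT/Policy/Config/(?<area>[^/]+)/(?<policy>[^/]+)$'
    if ($OmaUri -notmatch $pattern) {
        throw "Not a Policy CSP OMA-URI: $OmaUri"
    }
    if ($Matches.scope -ne 'Device') {
        throw 'This example only resolves device-scoped policies.'
    }
    $area = $Matches.area
    $policy = $Matches.policy

    $key = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$area"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $applied = ($null -ne $props) -and ($props.PSObject.Properties.Name -contains $policy)

    [pscustomobject]@{
        OmaUri  = $OmaUri
        Key     = $key
        Applied = $applied
        Value   = if ($applied) { $props.$policy } else { $null }
    }
}

# Assumed values for illustration: the post's screenshot values are not in the text.
$uri = './Device/Vendor/MSFT/Policy/Config/TimeLanguageSettings/ConfigureTimeZone'
New-SyncMLReplace -OmaUri $uri -DataType String -Value 'GMT Standard Time'
Get-PolicyCspAppliedValue -OmaUri $uri
```

<div class="separator" style="clear: both; text-align: left;">
Run the check after a policy sync; <b>Applied</b> stays False until the device has processed the custom profile.</div>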
That's all for this post, I hope you have found it useful. Thanks for reading!<br />
Leon Ashton-Leatherland<br />
<br />
Resolving Wifi display connection issues when deploying MDM baselines within Intune<br />
Published 2020-01-30<br />
<br />
I have been working with Windows 10 MDM within Intune for the past few months and after a conversation with my colleague I soon realised that this would make a good blog post, so I hope this quick tip saves you some time.<br />
<br />
Security Baselines are great, simple to set up and deploy and a very quick way of ensuring your Windows 10 devices are secure. They are also a very quick way of crippling your estate if you are not careful with your testing beforehand, so I cannot stress this enough - test thoroughly before even attempting to deploy to any quantity of devices.<br />
<br />
So just to recap, deploying a security baseline is as simple as the following:<br />
<br />
Log into the Microsoft Endpoint Manager admin center and navigate to <b>Endpoint security > Security baselines</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj88Kt5ua1Q9zA_wPxJ2cX-9mhCk5ZJyPvayRNrUqApn0kAOCcmBiZ08LwKY_3bO_cbyyJvzR6zkxk6LuMbVRF6pGAxfy7GxS7yg0ExDI5bvoKovctq0vJf4ewsf38TbXaAFKWlM01IRPc/s1600/IntuneWifiDirectIssues1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="633" data-original-width="665" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj88Kt5ua1Q9zA_wPxJ2cX-9mhCk5ZJyPvayRNrUqApn0kAOCcmBiZ08LwKY_3bO_cbyyJvzR6zkxk6LuMbVRF6pGAxfy7GxS7yg0ExDI5bvoKovctq0vJf4ewsf38TbXaAFKWlM01IRPc/s1600/IntuneWifiDirectIssues1.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Under the <b>Windows 10 Security Baselines </b>heading select the <b>MDM Security Baseline </b>option</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMULDzFm-xwKImwkODGYwd09Vy5SFD8rlwDtVxsv1TeFRBqTJ_JQTqrQY9eq2g_pciopoeLZ1Z7fpiNv8GgFtwrKp7DvmrLrvYlvzx5PqxdQYOUjqGgadWccGMvV3c4ESziob3uujL_wQ/s1600/IntuneWifiDirectIssues2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="325" data-original-width="523" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMULDzFm-xwKImwkODGYwd09Vy5SFD8rlwDtVxsv1TeFRBqTJ_JQTqrQY9eq2g_pciopoeLZ1Z7fpiNv8GgFtwrKp7DvmrLrvYlvzx5PqxdQYOUjqGgadWccGMvV3c4ESziob3uujL_wQ/s1600/IntuneWifiDirectIssues2.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
Select <b>Create profile</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdAG8moFse7wcRIA66iU75w9r_m0uM73fiyro40VV4JtEWo8IP-waFkAQPK294E88OwODDbj_s6jthyphenhyphenC_5N_F5QncG978dWUFQj_7AEZTYyPVcdPCZS6VFJvLF_f8Gp6WUrGGc5Q3MQ9E/s1600/IntuneWifiDirectIssues3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="348" data-original-width="696" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdAG8moFse7wcRIA66iU75w9r_m0uM73fiyro40VV4JtEWo8IP-waFkAQPK294E88OwODDbj_s6jthyphenhyphenC_5N_F5QncG978dWUFQj_7AEZTYyPVcdPCZS6VFJvLF_f8Gp6WUrGGc5Q3MQ9E/s1600/IntuneWifiDirectIssues3.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
Give your profile a suitable name, select <b>Next</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9DbJ8kxSC9P_hxRA-FEJ-DJGIBMZDKW8yvFgfmUEwTrt0Bd5pYnPI6EXY-celATKmwjzO1nlOpVLkKuwCMSKSb5DtJS-wjwc9jYQI4F7WnrEt4xR_WLpec0waJTc7owrsV0B3viMnhlo/s1600/IntuneWifiDirectIssues4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="758" data-original-width="630" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9DbJ8kxSC9P_hxRA-FEJ-DJGIBMZDKW8yvFgfmUEwTrt0Bd5pYnPI6EXY-celATKmwjzO1nlOpVLkKuwCMSKSb5DtJS-wjwc9jYQI4F7WnrEt4xR_WLpec0waJTc7owrsV0B3viMnhlo/s1600/IntuneWifiDirectIssues4.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
Now you will be able to see all of the settings available within the profile. We are just going to accept the defaults for demo purposes, however I stress again, test these settings thoroughly before attempting to deploy into production</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfim1h8Ja5MHZ7mrMU4uTbgOZv_5KbIBOVhcwkBGqAUSHxaloyrq7V47Y63cK8lylihI-OM7zSVOUVoDGlFY12PMzVL2fRNh-b1NjbEAAC2zzP5L4DpCI_TvQmumyRXFou7KLZiTSz6_o/s1600/IntuneWifiDirectIssues5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="758" data-original-width="564" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfim1h8Ja5MHZ7mrMU4uTbgOZv_5KbIBOVhcwkBGqAUSHxaloyrq7V47Y63cK8lylihI-OM7zSVOUVoDGlFY12PMzVL2fRNh-b1NjbEAAC2zzP5L4DpCI_TvQmumyRXFou7KLZiTSz6_o/s1600/IntuneWifiDirectIssues5.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select the groups you wish to deploy the baseline to then click <b>Next</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-_ykI0TCHboi0LE6wFj7tffRxuTl8uOph2JEoFbeYjhP2cWMQem616Z_QJ3YvqMACZldSFqapX7C57bN_sBH1Ax6Vbc5tlEcfD4OebjtkYAnZiwZkQS_iGQziJUL22cymfn0_X_eq-3I/s1600/IntuneWifiDirectIssues6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="760" data-original-width="735" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-_ykI0TCHboi0LE6wFj7tffRxuTl8uOph2JEoFbeYjhP2cWMQem616Z_QJ3YvqMACZldSFqapX7C57bN_sBH1Ax6Vbc5tlEcfD4OebjtkYAnZiwZkQS_iGQziJUL22cymfn0_X_eq-3I/s1600/IntuneWifiDirectIssues6.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
Select <b>Create </b>to complete the deployment of the baseline</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQRnLls8kckNJhIxEFc1P-GvVDNHPj2zKizSlmvhQ0wrvPqHgq2P_pt0G3KK7-veLepXel8gCLvX_FsuHg7toGimlRmLfPmZDmVrcFFuavbCDoEJuATafIV3sYskn1ehgIaz9UDHD462I/s1600/IntuneWifiDirectIssues7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="756" data-original-width="754" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQRnLls8kckNJhIxEFc1P-GvVDNHPj2zKizSlmvhQ0wrvPqHgq2P_pt0G3KK7-veLepXel8gCLvX_FsuHg7toGimlRmLfPmZDmVrcFFuavbCDoEJuATafIV3sYskn1ehgIaz9UDHD462I/s1600/IntuneWifiDirectIssues7.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
After a short test phase with my secure configuration, which includes MDM profiles, custom configuration and a security baseline, it was soon established that both the Windows + P (Select a display mode) and Windows + K (Quick connect) options were no longer available on devices. Not ideal for usability. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
It turns out this was related to the Windows 10 Device Restriction MDM profile setting <b>General > Device discovery </b>being set to <b>Block</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaoabyXSGyfTk-O0O1OeNgChbTPp8Hw9uJMhxZzzeKfpd_d8PWvqE9aA3oz9yRuIoxE_M_Izt87fGtyos4Tbb4rLMpmYMDLLvwMNhBd-2NeqiZ39FLNXcN1-OIuGCU_G-TcKDD4fdA-zc/s1600/IntuneWifiDirectIssues8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="410" data-original-width="750" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaoabyXSGyfTk-O0O1OeNgChbTPp8Hw9uJMhxZzzeKfpd_d8PWvqE9aA3oz9yRuIoxE_M_Izt87fGtyos4Tbb4rLMpmYMDLLvwMNhBd-2NeqiZ39FLNXcN1-OIuGCU_G-TcKDD4fdA-zc/s1600/IntuneWifiDirectIssues8.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
I had set this originally, following <a href="https://www.ncsc.gov.uk/collection/end-user-device-security/platform-specific-guidance/windows-10-1803-with-mobile-device-management" target="_blank">NCSC guidelines</a> for Windows 10 MDM</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Great, I thought, now connecting to wireless monitors shouldn't be a problem. But I soon found out that the connection was just timing out. I figured out that this time it was indeed the security baseline causing the issue, but which setting was it? My initial hunch was that it almost seemed firewall related, but when I viewed the local firewall settings on the device experiencing the issue, I could see the appropriate firewall rule was indeed configured</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiNM8ATTtpfZQ27n2mjKPIQRPeTjVj5zNgUqTv4Rsw8aVJu6yyTiKD9zHdlsyizcHjljTt6VBvJCOvJfcBkLANEMT5FUwAY5zxDBIEMnX86npT4GfHXBHz_q3md8ijc__X7dn1agvPSoY/s1600/IntuneWifiDirectIssues9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="704" data-original-width="557" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiNM8ATTtpfZQ27n2mjKPIQRPeTjVj5zNgUqTv4Rsw8aVJu6yyTiKD9zHdlsyizcHjljTt6VBvJCOvJfcBkLANEMT5FUwAY5zxDBIEMnX86npT4GfHXBHz_q3md8ijc__X7dn1agvPSoY/s1600/IntuneWifiDirectIssues9.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
On further investigation I soon realised that the May 2019 MDM baseline contains a setting that by default prevents the merge of firewall rules within group policy and hence the settings contained in local group policy would not apply. It is documented <a href="https://docs.microsoft.com/en-us/intune/protect/security-baseline-settings-mdm-all?pivots=mdm-may-2019#microsoft-defender-firewall" target="_blank">here</a> and affects the public profile</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I therefore needed to create a Firewall exclusion and configured a new profile in the following manner:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Navigate to <b>Devices > Windows </b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxVWZe9ZSgfWPKSWE7epu5X2tFvU9tOJfaGpDNOR60OhK6zGNNEvDcN4k9QlKtoshlccg-X8XAHJilY7JJ_zj8Ok6kLNTz7ylX97vJXCvmbzbpaIFZ4R4dv-8ftrBelBqDe756wJb2GDI/s1600/IntuneWifiDirectIssues10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="504" data-original-width="556" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxVWZe9ZSgfWPKSWE7epu5X2tFvU9tOJfaGpDNOR60OhK6zGNNEvDcN4k9QlKtoshlccg-X8XAHJilY7JJ_zj8Ok6kLNTz7ylX97vJXCvmbzbpaIFZ4R4dv-8ftrBelBqDe756wJb2GDI/s1600/IntuneWifiDirectIssues10.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
Select <b>Configuration Profiles </b>and then <b>Create Profile</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdPpGPhLdab1HxAaI6pDwQ-ywnuBabW8M3GHw-AV5dUg46vDDLCRnDcC1f-hQvV5qAU9la4sTZBB8G8smshTGVEKgi6esmAPllKVJTLsEMsuFOMQEx1SQYx9T8cbqbStgzNg7M5iJpdi4/s1600/IntuneWifiDirectIssues11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="354" data-original-width="445" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdPpGPhLdab1HxAaI6pDwQ-ywnuBabW8M3GHw-AV5dUg46vDDLCRnDcC1f-hQvV5qAU9la4sTZBB8G8smshTGVEKgi6esmAPllKVJTLsEMsuFOMQEx1SQYx9T8cbqbStgzNg7M5iJpdi4/s1600/IntuneWifiDirectIssues11.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
Enter a suitable name, select <b>Windows 10 and later </b>for the platform and then <b>Endpoint protection</b> for the profile type</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6xH9naLjr0bLPav4Xynz1pX_d4rZtezcH13R8Wp_zSHD-U4r-i7lvhmifgCb7rI0NdX8B7ZKwPER0ar-TuhZDjdsE73qaFFEFdiVZ27IumglqZSN0B0_KdSl71OWfH4hXE59OR7IzkI0/s1600/IntuneWifiDirectIssues12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="572" data-original-width="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6xH9naLjr0bLPav4Xynz1pX_d4rZtezcH13R8Wp_zSHD-U4r-i7lvhmifgCb7rI0NdX8B7ZKwPER0ar-TuhZDjdsE73qaFFEFdiVZ27IumglqZSN0B0_KdSl71OWfH4hXE59OR7IzkI0/s1600/IntuneWifiDirectIssues12.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Navigate to <b>Microsoft Defender Firewall </b>and, under the Firewall rules heading, select <b>Add</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio7gcAT40dIr_YIf13OoKhKJD9o24mQ2ctSOze30tLqncrEHJUyxNvPSM2fmWockFk8_EEW1fGOC7E42kU2dmZ30tqX1GOwcaItx2UvRekDftWreA4ASejDjAWBsjyEXfZWQviBEUKMyk/s1600/IntuneWifiDirectIssues13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="584" data-original-width="654" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio7gcAT40dIr_YIf13OoKhKJD9o24mQ2ctSOze30tLqncrEHJUyxNvPSM2fmWockFk8_EEW1fGOC7E42kU2dmZ30tqX1GOwcaItx2UvRekDftWreA4ASejDjAWBsjyEXfZWQviBEUKMyk/s1600/IntuneWifiDirectIssues13.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Populate the settings based on the <b>Wireless Display (TCP-In) </b>Firewall rule</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2JUd3_uHant28_G83dwHMcUj7OILAks6nTcuOB5FKe9PrKq0Soh7xsESwwliDlXRZAYPqSDO2o_VqohKtX0oxglsTq6TKvEtw_bYq_jh5EleDLXy-nmqasnw-XoGVE_WjKJ9_56hZH5g/s1600/IntuneWifiDirectIssues14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="669" data-original-width="645" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2JUd3_uHant28_G83dwHMcUj7OILAks6nTcuOB5FKe9PrKq0Soh7xsESwwliDlXRZAYPqSDO2o_VqohKtX0oxglsTq6TKvEtw_bYq_jh5EleDLXy-nmqasnw-XoGVE_WjKJ9_56hZH5g/s1600/IntuneWifiDirectIssues14.png" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLTqprgf2lbPHZoSrFIrBdU9Q2Rub9_oS68BbpQH4C_bGiBOaidbYzhgPaxNMxawPwhfjAJdvsHr5c9koF7WVn81G_eHnL6kaeK5VbnXSRYFLPBEzVb1GyPB2pSYuQnv_ndMTnR9h_RBo/s1600/IntuneWifiDirectIssues15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="432" data-original-width="626" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLTqprgf2lbPHZoSrFIrBdU9Q2Rub9_oS68BbpQH4C_bGiBOaidbYzhgPaxNMxawPwhfjAJdvsHr5c9koF7WVn81G_eHnL6kaeK5VbnXSRYFLPBEzVb1GyPB2pSYuQnv_ndMTnR9h_RBo/s1600/IntuneWifiDirectIssues15.png" /></a></div>
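<div class="separator" style="clear: both; text-align: left;">
The values to copy into the Intune rule can be read from the existing rule on a reference Windows device. The following is an added example, not part of the original post: the function name <b>Get-FirewallRuleBlueprint</b> and the <b>Unscoped</b> flag are hypothetical, and it assumes the rule is present on the device under the display name used above.</div>

```powershell
# Added example (not from the original post): collect every filter attached to
# an existing firewall rule so the Intune rule can mirror its scope exactly
# instead of being created broader than the rule it replaces.
function Get-FirewallRuleBlueprint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$DisplayName
    )

    $rules = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $rules) {
        Write-Warning "No firewall rule named '$DisplayName' exists on this device."
        return
    }

    # More than one rule can share a display name, so report each separately.
    foreach ($rule in $rules) {
        $port    = $rule | Get-NetFirewallPortFilter
        $app     = $rule | Get-NetFirewallApplicationFilter
        $address = $rule | Get-NetFirewallAddressFilter
        $service = $rule | Get-NetFirewallServiceFilter
        $iface   = $rule | Get-NetFirewallInterfaceTypeFilter

        [pscustomobject]@{
            DisplayName   = $rule.DisplayName
            Enabled       = $rule.Enabled
            Direction     = $rule.Direction
            Action        = $rule.Action
            Profile       = $rule.Profile
            Protocol      = $port.Protocol
            LocalPort     = $port.LocalPort -join ','
            RemotePort    = $port.RemotePort -join ','
            Program       = $app.Program
            Package       = $app.Package
            Service       = $service.Service
            LocalAddress  = $address.LocalAddress -join ','
            RemoteAddress = $address.RemoteAddress -join ','
            InterfaceType = $iface.InterfaceType
            # Hypothetical helper flag: true when the rule is tied to neither a
            # program nor a local port, i.e. it would allow any listener.
            Unscoped      = ($app.Program -eq 'Any' -and $port.LocalPort -contains 'Any')
        }
    }
}

Get-FirewallRuleBlueprint -DisplayName 'Wireless Display (TCP-In)' | Format-List
```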
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The profile should then be deployed to your devices enabling you to connect to Wi-Fi displays once more.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Thanks for reading this post!</div>
Leon Ashton-Leatherland<br />
<br />
<b>Intune Basics Part 5: Modern Device Management with Android Enterprise - Configuring Fully Managed Devices</b> (published 2019-09-25T09:06:00.001+01:00, updated 2021-08-24T14:58:45.162+01:00)<br />
<br />
Welcome to part 5 of this series of posts, which is intended to get you started with managing Android devices using the Android Enterprise capabilities within Microsoft Intune.<br />
<br /><div>Part 1 can be found <a href="https://www.leonsitblog.com/2019/04/intune-basics-part-1-modern-device.html" target="_blank">here</a> and covers setting up the various Android Enterprise enrolment methods<br /><br /></div><div>Part 2 can be found <a href="https://www.leonsitblog.com/2019/04/intune-basics-part-2-modern-device.html" target="_blank">here</a> and covers the configuration of Azure AD groups<br /><br />Part 3 can be found <a href="https://www.leonsitblog.com/2019/06/intune-basics-part-3-modern-device.html" target="_blank">here</a> and covers the configuration of Personally-owned Work Profile devices<br /><br />Part 4 can be found <a href="https://www.leonsitblog.com/2019/07/intune-basics-part-4-modern-device.html" target="_blank">here</a> and covers the configuration of Dedicated devices</div><div><br /></div><div>This series will get you up and running as quickly as possible, therefore if you require further detail and explanation on Android Enterprise please refer to my previous post <a href="https://www.leonsitblog.com/2019/01/android-enterprise-and-intune-overview.html" target="_blank">here</a> which I am ensuring is kept up to date as newer functionality is supported within Intune.</div>
<br />
This post will cover the enrollment and configuration of a Fully Managed device, which is, well, pretty much exactly as it sounds: Intune has full control over the device and there is no facility provided for the user to have personal apps and data. If you followed my last post on Dedicated devices, you will see a similar process configuration-wise; in fact, the same Configuration Profile is used for both Dedicated and Fully Managed. A caveat to this statement is the setting <b>Users and Accounts &gt; Account Changes</b>, which at this time is not supported to be set to <b>Blocked</b> on Fully Managed devices.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOOGMRKuXQ_7lSo6X16vPoYOFipEzu8agu8N5VbBkKK4HXovQPzK2Hu8R2mEtlm9MxAEu_d_PqLc3iZBeZ0dZynYz5rVco3Y0FAK-k9MbTulPZzk8swotRl3kHMyaDHwWLd2MTR-G_sfw/s1600/FullyManaged1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="202" data-original-width="636" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOOGMRKuXQ_7lSo6X16vPoYOFipEzu8agu8N5VbBkKK4HXovQPzK2Hu8R2mEtlm9MxAEu_d_PqLc3iZBeZ0dZynYz5rVco3Y0FAK-k9MbTulPZzk8swotRl3kHMyaDHwWLd2MTR-G_sfw/s1600/FullyManaged1.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Enabling the above will cause enrollment issues as described in Peter Egerton's blog <a href="https://morethanpatches.com/2019/07/16/error-enrolling-android-fully-managed-with-microsoft-intune/" target="_blank">here</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
There are different methods you can use to enroll your device, depending on the OS, as detailed in the <a href="https://docs.microsoft.com/en-us/intune/android-dedicated-devices-fully-managed-enroll" target="_blank">documentation</a>. In this example I am going to use the QR code method on an Android 7.0 device.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Ensure the device is either new out of the box or has been factory reset, then at the first screen tap anywhere in the white space 6 times</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPV_ckSetr22Yb-gfXPdx8EHNZOREJ9QYhqlAdJTmgsaigVJqeRd4ELICPYCaV7fXi_eREzq-qgpd7C1GIzgKg9DwSUNkDKUhEa4OFucoimMe4gT0F285yNIx-OlwCL9hFCBJ8OvnKG_k/s1600/FullyManaged2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPV_ckSetr22Yb-gfXPdx8EHNZOREJ9QYhqlAdJTmgsaigVJqeRd4ELICPYCaV7fXi_eREzq-qgpd7C1GIzgKg9DwSUNkDKUhEa4OFucoimMe4gT0F285yNIx-OlwCL9hFCBJ8OvnKG_k/s640/FullyManaged2.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
Select <b>Next</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAofI7QuUHKMwFGTfwYnolf0IvMOQvgVaq2OgMilVQ8K0hwsZEkv4p0yVtHiRu1kp-S5J3pUgM6hd5udPkfT6bwZ8XQtFJUpv0hAc25R5rUDsfNF2c1u3NOP_J2uK8CzncSxAWa9R7eeA/s1600/FullyManaged3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAofI7QuUHKMwFGTfwYnolf0IvMOQvgVaq2OgMilVQ8K0hwsZEkv4p0yVtHiRu1kp-S5J3pUgM6hd5udPkfT6bwZ8XQtFJUpv0hAc25R5rUDsfNF2c1u3NOP_J2uK8CzncSxAWa9R7eeA/s640/FullyManaged3.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Connect to Wi-Fi</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipISAqCQFRlICHzU7ITUFhTUopnfceppz3GVy0_1sHaWK34oqlzLYbwXWs0KhSd-pkhInQVPtFl0AqFsOL9srWVrlJMiiO5BWK6BC3VZPqyDCM9EfSp4eXfcsFKeELS7T6Xv3gj1dd8Sg/s1600/FullyManaged4.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipISAqCQFRlICHzU7ITUFhTUopnfceppz3GVy0_1sHaWK34oqlzLYbwXWs0KhSd-pkhInQVPtFl0AqFsOL9srWVrlJMiiO5BWK6BC3VZPqyDCM9EfSp4eXfcsFKeELS7T6Xv3gj1dd8Sg/s640/FullyManaged4.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The QR reader will now download and install</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilG9MbOienc85xFUX-eSZn7_ESec4m6hUSGMijJpwRMsq8risx_hzlvwnXBLVWgRTLJuGAoJvMeaf-uzaKsiB6bXRf4dsLGQZ2LX_F0o6S2IEeLR5VzGplQix2R4qdlntJtTXcZ2S6r0Y/s1600/FullyManaged5.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilG9MbOienc85xFUX-eSZn7_ESec4m6hUSGMijJpwRMsq8risx_hzlvwnXBLVWgRTLJuGAoJvMeaf-uzaKsiB6bXRf4dsLGQZ2LX_F0o6S2IEeLR5VzGplQix2R4qdlntJtTXcZ2S6r0Y/s640/FullyManaged5.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
You can now scan the enrollment token</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcmQ2YF7xjCGsZxk3tq3gAJwQYQS4DRjst8oQpe7XkyqPslf6Ik4o0K8Kd5_k47i4egesvvEF4Ts7bTtaTJRydqXgcNOY1SsXLVQbwe-o8n7hcEuh0-6HmmMQmyBOws-ElMi0YKPy42TU/s1600/FullyManaged6.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcmQ2YF7xjCGsZxk3tq3gAJwQYQS4DRjst8oQpe7XkyqPslf6Ik4o0K8Kd5_k47i4egesvvEF4Ts7bTtaTJRydqXgcNOY1SsXLVQbwe-o8n7hcEuh0-6HmmMQmyBOws-ElMi0YKPy42TU/s640/FullyManaged6.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Encrypt the device if prompted.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh06mGTsyNDn3QYnI6VbNZpR1OzBBtMJkCQ7-3iWtwi4UuYUEsyI5NDfzsT5sft_aIg-TzFPFNs4JwWptrm64FzGHUTFempbziEFJ38771ylIHma1EDMFCAKymViYe_7LcCnjn4Sfuj4M4/s1600/FullyManaged7.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh06mGTsyNDn3QYnI6VbNZpR1OzBBtMJkCQ7-3iWtwi4UuYUEsyI5NDfzsT5sft_aIg-TzFPFNs4JwWptrm64FzGHUTFempbziEFJ38771ylIHma1EDMFCAKymViYe_7LcCnjn4Sfuj4M4/s640/FullyManaged7.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Accept any terms then select <b>Next</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWQ01tF8ksEDlVLU_qnOW_3up7B8KPWqyKO7JF8H2tYIOYxxZ86dDnjco0G2N9Pn2TFHNs1Jd-cagW-o_jAZuzbkCL1FFdXqT5xvcrDADc3TvTPIL-BZwb5g8-B-RLhYcc4677rNZMMQU/s1600/FullyManaged8.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWQ01tF8ksEDlVLU_qnOW_3up7B8KPWqyKO7JF8H2tYIOYxxZ86dDnjco0G2N9Pn2TFHNs1Jd-cagW-o_jAZuzbkCL1FFdXqT5xvcrDADc3TvTPIL-BZwb5g8-B-RLhYcc4677rNZMMQU/s640/FullyManaged8.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The device will commence updating Google Play Services</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidJdDJKbkk4XL6jS5GyJ_qL9912lWZKsw-jjpx1Jq5bXKDhhhYwBPqhOWBxN3qLJdPDLwFKIVAV9qDvbqhjq64taWpFpKlEQpO2RMjGClcM7dhrGOTPmkmNqY31roqt1GqNBKYzHVXeE4/s1600/FullyManaged9.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidJdDJKbkk4XL6jS5GyJ_qL9912lWZKsw-jjpx1Jq5bXKDhhhYwBPqhOWBxN3qLJdPDLwFKIVAV9qDvbqhjq64taWpFpKlEQpO2RMjGClcM7dhrGOTPmkmNqY31roqt1GqNBKYzHVXeE4/s640/FullyManaged9.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Accept the terms to launch Chrome</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKzCWdQzDJDVn2p1D4YkOLGh5JBoMt1nTPqjI1dz3vqap7dtwgzuRI-V7pansrGjHaxoZjEnuTAAm352FhmniS9GkNXcZXrKUuBunrm7tWk44LrCsZGLI3aOb5TikB5o_FjpaogRnzC6o/s1600/FullyManaged10.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKzCWdQzDJDVn2p1D4YkOLGh5JBoMt1nTPqjI1dz3vqap7dtwgzuRI-V7pansrGjHaxoZjEnuTAAm352FhmniS9GkNXcZXrKUuBunrm7tWk44LrCsZGLI3aOb5TikB5o_FjpaogRnzC6o/s640/FullyManaged10.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Authenticate with Azure AD credentials</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKbBdrlsEjFphnAdmvUfe9vG5R8m0zOKOV6SSFLT7sY2G1oAvljHoTNNeEo60AUJDxRTkiklL5gw4mgonxcauyaB1OlS2OXHITRjt-dBFi0UxIppuWzFvOxberUnYo9ule41sYYRSq3D8/s1600/FullyManaged11.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKbBdrlsEjFphnAdmvUfe9vG5R8m0zOKOV6SSFLT7sY2G1oAvljHoTNNeEo60AUJDxRTkiklL5gw4mgonxcauyaB1OlS2OXHITRjt-dBFi0UxIppuWzFvOxberUnYo9ule41sYYRSq3D8/s640/FullyManaged11.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I have deployed a compliance policy setting for encryption to my Android Fully Managed devices, which means that secure startup must be enabled; this prevents the device from booting into the OS until a PIN or password is entered. Select <b>Start</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlZDfta3ayUpUEP5-_FnweQqfCmUWNslOc5YWxufvWsT8Kiy5kkjT-YrVaHUTM9Kjo9ieuQ6UCL-NqjDiAOfPf4V1ni30x_th2m_kEULvrdG6AdFNU4oi1bcWfzUCfR6nWIzZc0iUhn1c/s1600/FullyManaged12.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlZDfta3ayUpUEP5-_FnweQqfCmUWNslOc5YWxufvWsT8Kiy5kkjT-YrVaHUTM9Kjo9ieuQ6UCL-NqjDiAOfPf4V1ni30x_th2m_kEULvrdG6AdFNU4oi1bcWfzUCfR6nWIzZc0iUhn1c/s640/FullyManaged12.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
Just to be clear - in this example we are being prompted to "enable" encryption because secure startup isn't enabled and not because the device isn't encrypted</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select <b>Secure Startup</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-ioGBGIHe5xrYMC6wM1oO3DIYmpSjnvtPdtGP1YNqY2lo5N93YqEfU2UaMPJ7wfKOCJrjFVhCNZ8QqLfu_LIfiBk4NRZKvwEIzig2gIVwkrXi0YQQuMNnuD1sNjxSVHu6OCRJfwN7OTY/s1600/FullyManaged13.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-ioGBGIHe5xrYMC6wM1oO3DIYmpSjnvtPdtGP1YNqY2lo5N93YqEfU2UaMPJ7wfKOCJrjFVhCNZ8QqLfu_LIfiBk4NRZKvwEIzig2gIVwkrXi0YQQuMNnuD1sNjxSVHu6OCRJfwN7OTY/s640/FullyManaged13.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
Select <b>Set Screen Lock Type</b>; in this example I am setting a PIN</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlP-XsHpJzV-5tuWlepgfij7K37Tt5EkZeEpEyV4FRFKckpNeo_aW2C9L5XEuUdC7hlTM7U70vxbChpV8zPxtdtV4pNQK5wWbcrYXGzN1nx5gcuAJ3XFHxkRR3BEX-vRa6H_Xsxg_HPPM/s1600/FullyManaged14.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlP-XsHpJzV-5tuWlepgfij7K37Tt5EkZeEpEyV4FRFKckpNeo_aW2C9L5XEuUdC7hlTM7U70vxbChpV8zPxtdtV4pNQK5wWbcrYXGzN1nx5gcuAJ3XFHxkRR3BEX-vRa6H_Xsxg_HPPM/s640/FullyManaged14.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select a lock screen notifications option</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNWkgnrVs927_Bjmt6RB8uv58XjdkSHIbhjfsdR640EnlJL0JbLUKRsjKMvzE_epwQ-5RgImCM5T7kRienI52eJoIULkapWCliXEES-eq6O0BAPoP79IpvKxyMwxIQBob47qA6e-DB-5k/s1600/FullyManaged15.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNWkgnrVs927_Bjmt6RB8uv58XjdkSHIbhjfsdR640EnlJL0JbLUKRsjKMvzE_epwQ-5RgImCM5T7kRienI52eJoIULkapWCliXEES-eq6O0BAPoP79IpvKxyMwxIQBob47qA6e-DB-5k/s640/FullyManaged15.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Set up fingerprints if required</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs8rq3YrHs1ENTHBffGLgdeoj7sHuFtb_iUwb_-g3QOhG8GRGZ06W0kocAV0q31DaBpvv7AiZDgF_hBr8pd-EOkX8axIhj6Rt1Ep23WwjCPmVeO3c170oBousrHoPcHkPY8FVim4wBWRA/s1600/FullyManaged16.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs8rq3YrHs1ENTHBffGLgdeoj7sHuFtb_iUwb_-g3QOhG8GRGZ06W0kocAV0q31DaBpvv7AiZDgF_hBr8pd-EOkX8axIhj6Rt1Ep23WwjCPmVeO3c170oBousrHoPcHkPY8FVim4wBWRA/s640/FullyManaged16.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select <b>Require PIN when device powers on</b> to enable secure startup, then enter your PIN when prompted</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwXvQ8IsBbqCzzs_5Gigin4KRoi_AHmLOnUwTFw569NfCIJvIk89zZXtE0m0A6flEXkbqNsORR7onZ-09dFwhtuvQGN-5LZuf9QXU4KymlIXfSG1iyy6lkC9raTwigdpMO4WgoBuGFAvo/s1600/FullyManaged17.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwXvQ8IsBbqCzzs_5Gigin4KRoi_AHmLOnUwTFw569NfCIJvIk89zZXtE0m0A6flEXkbqNsORR7onZ-09dFwhtuvQGN-5LZuf9QXU4KymlIXfSG1iyy6lkC9raTwigdpMO4WgoBuGFAvo/s640/FullyManaged17.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select the back button at the top left</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihzC4H6DluRc68qCUUHJOmYpLdL5u_ab5z2fXejZoQhuyGpFXCiveIODCVrUWJh6vAQJqwK4JXeBCkwd0Gv2H06TJqVHu3SJsvhIMtp2mJRwi63rZ2KxbF_LgKRYTECAj2oG8J4eu6SEk/s1600/FullyManaged18.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihzC4H6DluRc68qCUUHJOmYpLdL5u_ab5z2fXejZoQhuyGpFXCiveIODCVrUWJh6vAQJqwK4JXeBCkwd0Gv2H06TJqVHu3SJsvhIMtp2mJRwi63rZ2KxbF_LgKRYTECAj2oG8J4eu6SEk/s640/FullyManaged18.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Follow the prompts to commence installing apps</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGJatGeDFuvDoZGd0b-OTCsucrVU0tq9xxhggW-yfUPCsbpag8C0aRMDu7pdQxhwvOjzVioN-7NRWKVnAlMo8f2yCS5Q8XRYcNc6ggM7-lQkqjIklvLV1cQR_WXChlSZI1kDQ5GHv3fr8/s1600/FullyManaged19.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGJatGeDFuvDoZGd0b-OTCsucrVU0tq9xxhggW-yfUPCsbpag8C0aRMDu7pdQxhwvOjzVioN-7NRWKVnAlMo8f2yCS5Q8XRYcNc6ggM7-lQkqjIklvLV1cQR_WXChlSZI1kDQ5GHv3fr8/s640/FullyManaged19.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select <b>START </b>to commence device registration</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhB_lARRKDDWNKMg9fJ-JyDCytwC2ObkGWWthZMP109-5YayXpBw_9f_Wb9zB27NxGVd3ZkDsMfRSL_4CwY-se5MfhDftST-sQ50CPA7sCpg-6rVDUZ4cMv8-O99hZBP-my5-gR9sE8vww/s1600/FullyManaged20.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhB_lARRKDDWNKMg9fJ-JyDCytwC2ObkGWWthZMP109-5YayXpBw_9f_Wb9zB27NxGVd3ZkDsMfRSL_4CwY-se5MfhDftST-sQ50CPA7sCpg-6rVDUZ4cMv8-O99hZBP-my5-gR9sE8vww/s640/FullyManaged20.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Sign in to the Microsoft Intune app when prompted</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNp4r8AfQ8PKwny9Jcfd50cir5l8LqnFW61lX05LvMpTMK1lXNTtfdjAbIzLAB5nckrx9rlCJRqPC9FaThH8_ZbhS4fbEFmVH6AyVpmnpuBOEiR1ZTzKvnZDIBhjb1BktQEaZmkBk6Cg0/s1600/FullyManaged21.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNp4r8AfQ8PKwny9Jcfd50cir5l8LqnFW61lX05LvMpTMK1lXNTtfdjAbIzLAB5nckrx9rlCJRqPC9FaThH8_ZbhS4fbEFmVH6AyVpmnpuBOEiR1ZTzKvnZDIBhjb1BktQEaZmkBk6Cg0/s640/FullyManaged21.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select <b>Next</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNcL0VAck6eqbvH4V7N4ww6LKbqqhNrohKIxl57jwRYNj41yjuCXnjYb0mjE7jE9xfRDpNnpeZv36J4vakzGJzfyGjUCrrlcgJpgcz9K0VMN_uTbQzAmW92T6kgz2NA4gNYDwUJanXPsE/s1600/FullyManaged22.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNcL0VAck6eqbvH4V7N4ww6LKbqqhNrohKIxl57jwRYNj41yjuCXnjYb0mjE7jE9xfRDpNnpeZv36J4vakzGJzfyGjUCrrlcgJpgcz9K0VMN_uTbQzAmW92T6kgz2NA4gNYDwUJanXPsE/s640/FullyManaged22.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
Select <b>DONE </b>to complete device registration</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWsrCDFTCU0n9eVTRS-f08nz7SOTRAYBI2Fimr1sqpc3QWUAd-xUGKFWXs22GKj5yrtHiYbnqLmNCLfr4SFIsqSFIj4OxyqZB2kh0Keht2AYBTWqKThuBh4pJrVyVOZkHNlXL2G2j00GU/s1600/FullyManaged23.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWsrCDFTCU0n9eVTRS-f08nz7SOTRAYBI2Fimr1sqpc3QWUAd-xUGKFWXs22GKj5yrtHiYbnqLmNCLfr4SFIsqSFIj4OxyqZB2kh0Keht2AYBTWqKThuBh4pJrVyVOZkHNlXL2G2j00GU/s640/FullyManaged23.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
And then one more time to complete the enrollment</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl2Phiz_pi9nMJCP8Zpi6deKqVSkPVsVqq_y6boEDBBZDkI_wnQ7z7QSJflWc2eZ_2RSubAMH8kRxvWaVrig8aUhNndMoZx3rSfOVeN7VgFQlc7fBpP81JU8z9Q04sR3Z0Z8PhE8jT4ls/s1600/FullyManaged24.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl2Phiz_pi9nMJCP8Zpi6deKqVSkPVsVqq_y6boEDBBZDkI_wnQ7z7QSJflWc2eZ_2RSubAMH8kRxvWaVrig8aUhNndMoZx3rSfOVeN7VgFQlc7fBpP81JU8z9Q04sR3Z0Z8PhE8jT4ls/s640/FullyManaged24.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
With Fully Managed there is the ability to enable any system apps on the device. On the handset I am testing, a Samsung Galaxy A5 (2016), I wish to enable the gallery application</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
To do this I first need the package name, so in my example I have deployed the Package Name Viewer 2.0 application. On launching it, search for Gallery; you may need to try a search in both the <b>User Apps</b> and <b>System Apps</b> tabs</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgutoHcKXJjKCMGntZ7hv2cfaBDQ2EWyAyDztssJEdqz8G4izmHag_PF9B_b6-mQkJrYVp6WWyCm-ykhSIaZ1mLkLjQf5VgYN39szS6-QCvSJRV-ukvfkqwz2IbCNuiuLytU9YuyjixvfE/s1600/FullyManaged28.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgutoHcKXJjKCMGntZ7hv2cfaBDQ2EWyAyDztssJEdqz8G4izmHag_PF9B_b6-mQkJrYVp6WWyCm-ykhSIaZ1mLkLjQf5VgYN39szS6-QCvSJRV-ukvfkqwz2IbCNuiuLytU9YuyjixvfE/s640/FullyManaged28.png" width="360" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
Within the M365 Device Management Console navigate to <b>Client Apps > Apps</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio5rbI4XAy1HL3YR3tsVgs4bx7-Ai8hcrYqPw93_YVeP9yLCHdt4Fdn29t6L9UXojEbPmLR6f94u5TcPQ7w8PwJ5YKkD4PtI3w8QinNywJHUFX2i6vjagFL1vYjVmGX6YdNO4yIMbKEIo/s1600/FullyManaged25.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="552" data-original-width="608" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio5rbI4XAy1HL3YR3tsVgs4bx7-Ai8hcrYqPw93_YVeP9yLCHdt4Fdn29t6L9UXojEbPmLR6f94u5TcPQ7w8PwJ5YKkD4PtI3w8QinNywJHUFX2i6vjagFL1vYjVmGX6YdNO4yIMbKEIo/s1600/FullyManaged25.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Add an app and for the app type select <b>Android Enterprise system app</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLyDeAzntf9UJLBKMVokI4tVF8o3XBZWCmH2_gb8j-kp__7AqZk58zuwowDIA3ojaO-XG9SPuPN_AmRxz8ZW17QKBbF5cziGRk1DpO2Pve4GRJ7E8DbDLuSOMhfA9jlnLsYfTLs-cqEmg/s1600/FullyManaged26.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="585" data-original-width="416" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLyDeAzntf9UJLBKMVokI4tVF8o3XBZWCmH2_gb8j-kp__7AqZk58zuwowDIA3ojaO-XG9SPuPN_AmRxz8ZW17QKBbF5cziGRk1DpO2Pve4GRJ7E8DbDLuSOMhfA9jlnLsYfTLs-cqEmg/s1600/FullyManaged26.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Enter the system app details including specifying the package name</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglH8QfHAKDDcr-buWHaxlGHYHSAHE11HceVTpCMfhQoihC3RPNtaM3lEtlrK4kCSur4QIFtgyHBiwlniB306vfDRm0l5_zNM9dsDLXju1jwUIvwsen4e9mbmPBr0h3bCK01ZeaWAL7juU/s1600/FullyManaged27.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="230" data-original-width="374" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglH8QfHAKDDcr-buWHaxlGHYHSAHE11HceVTpCMfhQoihC3RPNtaM3lEtlrK4kCSur4QIFtgyHBiwlniB306vfDRm0l5_zNM9dsDLXju1jwUIvwsen4e9mbmPBr0h3bCK01ZeaWAL7juU/s1600/FullyManaged27.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select <b>OK </b>then <b>Add </b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
Deploy the app to an AAD group</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now you can see the system app enabled on the device</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBY4UCa7j-Cn8XgDP6SkMTxS4I6AOfiCVBV0RIQC_xziSnakVEx-YvYPLPtojEruRm8HmhXE6u_dBCNFtKmx0k7b5Jhwfm3jmkkw8JX0lQ-7Q0IudxHv8xejxoGQUqfu6rU0fc709By_o/s1600/FullyManaged28.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBY4UCa7j-Cn8XgDP6SkMTxS4I6AOfiCVBV0RIQC_xziSnakVEx-YvYPLPtojEruRm8HmhXE6u_dBCNFtKmx0k7b5Jhwfm3jmkkw8JX0lQ-7Q0IudxHv8xejxoGQUqfu6rU0fc709By_o/s640/FullyManaged28.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
That's it for this post, feel free to reach out to me if you have any questions. Thanks for reading!</div>
Leon Ashton-Leatherland http://www.blogger.com/profile/17593394415382066306 noreply@blogger.com 0<br />
tag:blogger.com,1999:blog-3145837469179315622.post-3723460614544283623 2019-08-26T22:03:00.000+01:00 2019-08-27T20:04:26.854+01:00<br />
Intune Windows 10 app install behaviour and the Enrollment Status Page<br />
So this is a fairly short post but I thought I would share an interesting scenario I encountered when working with enrolling AAD joined Windows 10 devices into Intune. These devices:<br />
<ol>
<li>Were Autopilot provisioned </li>
<li>Had 2 win32 apps deployed (Azure Information Protection Client and Office 365)</li>
<li>Had 1 store app deployed (Company Portal)</li>
<li>Had 1 line of business app deployed which included the installation of the Configuration Manager client. This would hence be bringing the device into a Co-managed state.</li>
</ol>
<div>
Initially I wanted access to the device blocked until the AIP client, Office 365 and the Company Portal were installed so I configured a custom Enrollment Status Page (ESP);</div>
<div>
<br /></div>
<div>
I logged into the M365 Device Management Portal and navigated to <b>Device Enrollment </b>> <b>Windows Enrollment </b>> <b>Enrollment Status Page</b></div>
<div>
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8DATXDa4z2lirnFH_Hl7oPPtnpimvbwYzmrE3FEhyDQD_I_lYXqqXSIvb9HHJXYZeARwq7P12RwWxiD5ANI2KsbzT8TpVx00W-1dCy2S_DjWeteaUFPiCRvqhhSG9RvDscB-963i-0VQ/s1600/ESP1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="546" data-original-width="784" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8DATXDa4z2lirnFH_Hl7oPPtnpimvbwYzmrE3FEhyDQD_I_lYXqqXSIvb9HHJXYZeARwq7P12RwWxiD5ANI2KsbzT8TpVx00W-1dCy2S_DjWeteaUFPiCRvqhhSG9RvDscB-963i-0VQ/s1600/ESP1.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Created the ESP, ensuring the <b>Block device use until these required apps are installed if they are assigned to the user/device </b>option was selected and I specified all apps other than the LOB application, with the intention of this app installing last</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5PhZ3Wcci16ZWex7RMuhRfTSjOXC1xdxssXv9HDlgGKUDd7zqUcSlH46uyPS54T69xXwt77KJYB8rkkg29lLr4CtqMmwDl_dn_Wj1X5GasBmh4pVAaZp40FgcA97gqbUr9dO0pCzi8no/s1600/ESP2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="742" data-original-width="579" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5PhZ3Wcci16ZWex7RMuhRfTSjOXC1xdxssXv9HDlgGKUDd7zqUcSlH46uyPS54T69xXwt77KJYB8rkkg29lLr4CtqMmwDl_dn_Wj1X5GasBmh4pVAaZp40FgcA97gqbUr9dO0pCzi8no/s1600/ESP2.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I ended up getting intermittent failures with this configuration so I tried including only the LOB app as a blocking app, still with the same intermittent results.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now this was my misunderstanding, but even if you select specific apps to be blocking apps within the ESP, if there are other required app deployments it doesn't necessarily mean that the apps specified within the ESP will be installed first. So in my scenario, sometimes one of the apps was failing to install and at other times two were failing.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I haven't looked into the logs for this but I believe it was due to the LOB app being installed at some point before any of the blocking apps had been installed. My LOB app was enabling the device for Co-management and in my scenario the client apps workload was only enabled for "Pilot Intune". I even attempted for testing purposes to query individual devices based on their hostname in order to be included into the device collection scoped for the pilot co-management workloads as soon as the device appeared within the Configuration Manager console using the following query;</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.Name = "<i>Hostname</i>"</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
But ultimately the default Co-management workload values are set first and taking into consideration policy refresh there was still enough delay to cause a problem for app install.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
So ultimately at this moment in time there is no way to control the install order of required app deployments. In order to get around the issue in my scenario I simply deployed all apps within the device context and the LOB app within the user context, meaning it will always install last. I also set the LOB app as a blocking app meaning that by the time the user is able to log on to the system, the installation is completed and the LOB app is a considerable way through its process and the Configuration Manager client is installed.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Providing you are only using Win32 apps you could also consider creating app dependencies as another way of controlling app install order, however you would need to ensure you are provisioning Windows 10 1903 devices in order to be able to track these apps within the ESP. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
As we always say, every day is a learning day and if anyone has any comments or suggestions then please feel free to drop a comment within this post.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Thanks for reading!</div>
Leon Ashton-Leatherland http://www.blogger.com/profile/17593394415382066306 noreply@blogger.com 1<br />
tag:blogger.com,1999:blog-3145837469179315622.post-5824416166461596326 2019-07-21T22:22:00.001+01:00 2021-08-24T14:58:05.143+01:00<br />
Intune Basics Part 4: Modern Device Management with Android Enterprise - Configuring Dedicated Devices<br />
Welcome to part 4 of this series of posts, which are intended to get you started with managing Android devices using the Android Enterprise capabilities within Microsoft Intune.<br />
<br /><div>Part 1 can be found <a href="https://www.leonsitblog.com/2019/04/intune-basics-part-1-modern-device.html" target="_blank">here</a> and covers setting up the various Android Enterprise enrolment methods<br /><br /></div><div>Part 2 can be found <a href="https://www.leonsitblog.com/2019/04/intune-basics-part-2-modern-device.html" target="_blank">here</a> and covers the configuration of Azure AD groups<br /><br />Part 3 can be found <a href="https://www.leonsitblog.com/2019/06/intune-basics-part-3-modern-device.html" target="_blank">here</a> and covers the configuration of Personally-owned Work Profile devices<br /><br />Part 5 can be found <a href="https://www.leonsitblog.com/2019/09/intune-basics-part-5-modern-device.html" target="_blank">here</a> and covers the configuration of Fully Managed devices</div><div><br />This series will get you up and running as quickly as possible, therefore if you require further detail and explanation on Android Enterprise please refer to my previous post <a href="https://www.leonsitblog.com/2019/01/android-enterprise-and-intune-overview.html" target="_blank">here</a> which I am ensuring is kept up to date as newer functionality is supported within Intune.</div>
<br />
This post focuses on how to configure an Android Enterprise Dedicated device which is designed for single purpose scenarios, such as digital signage, stock take, or field operative usage. Devices configured in this way are not designed to have any user specific data on them and as a result they have no user affinity. My <a href="https://leonashtonleatherland.blogspot.com/2018/07/intune-android-enterprise-kiosk-devices.html" target="_blank">previous post</a>, published a year ago, details how to configure a single app kiosk; in this post I will be configuring a multiple app kiosk.<br />
<br />
First of all you will need to deploy the Managed Home Screen to your device group, to form the basis of the locked down experience. As of the May 2019 Intune service update this app will already be <a href="https://docs.microsoft.com/en-us/intune/whats-new#android-enterprise-app-management-" target="_blank">available for deployment</a> within your tenant<br />
<br />
Within the M365 Device Management portal navigate to <b>Client Apps > Apps</b><br />
<div style="text-align: center;">
<b><br /></b></div>
<div style="text-align: center;">
<b><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYSsBEx4afQ7VXpJrN8exf-yoGxAoB4w1G7W9MNGdh3Oe1s4PDEgdhcqtUiP7X0hNDp-7g2KADRDTNUSys0NpZryOZ6vzBLtgOsDK-rQNobo8XmQn2YC8RMFgmmmMh5TKN70UH4qHjkTE/s1600/ManagedHomeScreen.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="610" data-original-width="620" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYSsBEx4afQ7VXpJrN8exf-yoGxAoB4w1G7W9MNGdh3Oe1s4PDEgdhcqtUiP7X0hNDp-7g2KADRDTNUSys0NpZryOZ6vzBLtgOsDK-rQNobo8XmQn2YC8RMFgmmmMh5TKN70UH4qHjkTE/s1600/ManagedHomeScreen.png" /></a></b><br />
</div>
Select the Managed Home Screen App and assign it as <b>required</b> to your device group (note that this should be a dynamic device group scoped by the EnrollmentProfileName attribute)<br />
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt9VO01JvUkRr_9fTCF2RXaFrGvitkx22LVKVZgHHCdNvN8UiXXMrIONy9bsZ5ESFhHKCVcqHnwg0aKcXzQoA_kGYtGBOcg4VBCHjlfDyGPJI2RjfrQk1jglE4nIq3VFqDwJ4FaFIla1g/s1600/ManagedHomeScreen1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="507" data-original-width="664" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt9VO01JvUkRr_9fTCF2RXaFrGvitkx22LVKVZgHHCdNvN8UiXXMrIONy9bsZ5ESFhHKCVcqHnwg0aKcXzQoA_kGYtGBOcg4VBCHjlfDyGPJI2RjfrQk1jglE4nIq3VFqDwJ4FaFIla1g/s1600/ManagedHomeScreen1.png" /></a></div>
<div style="text-align: center;">
<br /></div>
Now for the multi app kiosk configuration. Note that you can deploy some of this via the app config channels (the ability to bundle default settings with a deployed app - see <a href="https://docs.microsoft.com/en-us/intune/app-configuration-policies-overview" target="_blank">here</a>) associated with the <a href="https://docs.microsoft.com/en-us/intune/app-configuration-managed-home-screen-app" target="_blank">Managed Home Screen</a> app, indeed some of these settings are only available via this method.<br />
In this example I am going to deploy some apps to our Dedicated device and add some of them to a folder. I am also going to create a web link, as well as configure a default wallpaper.<br />
<div style="text-align: center;">
<br /></div>
First of all, assign all of the apps as <b>Required </b>to the target AAD device group<br />
<div style="text-align: center;">
<br /></div>
Now navigate to <b>Device Configuration > Profiles</b><br />
<div style="text-align: center;">
<b><br /></b>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqiX71jvyfCGblHFunjwEvmyRki48X5bvEbQGvKvJxVewbSJTgyzWC_xCcbp-9ttNsWSmpAoYv4gBT2wx6NZBM7YQvRGpP8VCv9gwpfdRtaNUN6Xh8QP80vLXw1g_9-M-7XfL72Tp5DGc/s1600/DedicatedConfig1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="482" data-original-width="627" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqiX71jvyfCGblHFunjwEvmyRki48X5bvEbQGvKvJxVewbSJTgyzWC_xCcbp-9ttNsWSmpAoYv4gBT2wx6NZBM7YQvRGpP8VCv9gwpfdRtaNUN6Xh8QP80vLXw1g_9-M-7XfL72Tp5DGc/s1600/DedicatedConfig1.png" /></a></div>
<div style="text-align: center;">
<br /></div>
Create a profile and give it a suitable name, for the Platform select <b>Android Enterprise</b> and in the Profile Type select <b>Device Restrictions </b>within the <b>Device Owner Only </b>menu<br />
<div style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1nA0U2cD5X0qlFX5MxulHaPYbzVwzr2zeM3tHpUm8fWF1rud0U39UrdBkb22-gTLowhQPCzI9tV9LDv4cjjGD6o9nYP3BRiI4j6BmjJ5lM-jkBzVRwuhryM1Bp98RfZkw8Yj-Uxa-xvU/s1600/DedicatedConfig2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="634" data-original-width="409" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1nA0U2cD5X0qlFX5MxulHaPYbzVwzr2zeM3tHpUm8fWF1rud0U39UrdBkb22-gTLowhQPCzI9tV9LDv4cjjGD6o9nYP3BRiI4j6BmjJ5lM-jkBzVRwuhryM1Bp98RfZkw8Yj-Uxa-xvU/s1600/DedicatedConfig2.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguAc4iAIqswi04QmTMmGM2_RdSpQuLUL42QCGS6M8hHm6gN3Yc-GQyR7c8AEkCPERE569GdXjSJakTi3Y3CM_Jz2ptzOaidff9p23TQw75VCoCvvalZObqMFmFC_-kO0UdPIULsr4-46M/s1600/DedicatedConfig3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="338" data-original-width="330" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguAc4iAIqswi04QmTMmGM2_RdSpQuLUL42QCGS6M8hHm6gN3Yc-GQyR7c8AEkCPERE569GdXjSJakTi3Y3CM_Jz2ptzOaidff9p23TQw75VCoCvvalZObqMFmFC_-kO0UdPIULsr4-46M/s1600/DedicatedConfig3.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select the <b>Dedicated Devices </b>settings group, for Kiosk Type select <b>Multi-app </b>and then add all of the apps you wish to be available on the Managed Home Screen</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSvphjFdtYNR5FZH5UlmKnOBme1Jn5bjBb6Dure3XyfKt7ya9inmlqxVX7TpOrn5FR9Ye6VhIA3_EgJHGY6OIymFHaLHTpPzP8LF8OKG9-WTvclo2fWnun1soTdY67Inku-apVvjzMSEg/s1600/DedicatedConfig4.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="663" data-original-width="733" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSvphjFdtYNR5FZH5UlmKnOBme1Jn5bjBb6Dure3XyfKt7ya9inmlqxVX7TpOrn5FR9Ye6VhIA3_EgJHGY6OIymFHaLHTpPzP8LF8OKG9-WTvclo2fWnun1soTdY67Inku-apVvjzMSEg/s1600/DedicatedConfig4.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Scroll down to view additional settings. For <b>Leave kiosk mode </b>select <b>Enable</b> and set a code. Specify the URL to your background within <b>Set Custom URL background. </b>Finally set both <b>Wi-Fi configuration </b>and <b>Bluetooth configuration </b>to <b>Enable</b></div>
<div class="separator" style="clear: both; text-align: center;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikglm1-u167fznxzQyalf6I0WYJ7tcWWNyYaUF02xquZMUolryzpKdadfY00lsrSQJkRgcyUBf3GH5084tgI7nwpVAyf9pkpVs-_NQ_diGC34iYQGJfWYjJSSVSEi9Wv4XMelRaqVs7Tk/s1600/DedicatedConfig5.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="343" data-original-width="733" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikglm1-u167fznxzQyalf6I0WYJ7tcWWNyYaUF02xquZMUolryzpKdadfY00lsrSQJkRgcyUBf3GH5084tgI7nwpVAyf9pkpVs-_NQ_diGC34iYQGJfWYjJSSVSEi9Wv4XMelRaqVs7Tk/s1600/DedicatedConfig5.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Save the profile and then assign to the same AAD device group as we have with our app assignments</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now to configure a folder for our apps and create a web link. Navigate to <b>Client apps > App configuration policies</b></div>
<div class="separator" style="clear: both; text-align: center;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLkqloC0SodHskMRpWU5RY6QqqVmpd7eTj-cDSpwcM1arZrNIbiG1Pv45V02hw10qHeGBACEViw3SjnEGdU8Y1CrHVxPqwZKIQ2HBzRwNL7sFsrBl68gPyA2Zul_69T1UaTGAVddhsrzU/s1600/DedicatedConfig6.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="619" data-original-width="612" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLkqloC0SodHskMRpWU5RY6QqqVmpd7eTj-cDSpwcM1arZrNIbiG1Pv45V02hw10qHeGBACEViw3SjnEGdU8Y1CrHVxPqwZKIQ2HBzRwNL7sFsrBl68gPyA2Zul_69T1UaTGAVddhsrzU/s1600/DedicatedConfig6.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
Add a configuration policy, giving it a suitable name. For <b>Device enrollment type </b>select <b>Managed devices </b>and under <b>Platform </b>select <b>Android</b></div>
<div class="separator" style="clear: both; text-align: center;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3zSoNjcJqudfRbIgn0ERjJT2sBjXOZVlTCcH8l4UJJIIG5-i5k3znebk8IwgJkC9Mr18ChkjjUz6L1BEIy-XGz-yIJiMgx9O-y75LxvPQSxd7Ex4L9nXF8zn4Gl73LhPJ4AvYbD7_YCY/s1600/DedicatedConfig7.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="655" data-original-width="479" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3zSoNjcJqudfRbIgn0ERjJT2sBjXOZVlTCcH8l4UJJIIG5-i5k3znebk8IwgJkC9Mr18ChkjjUz6L1BEIy-XGz-yIJiMgx9O-y75LxvPQSxd7Ex4L9nXF8zn4Gl73LhPJ4AvYbD7_YCY/s1600/DedicatedConfig7.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select <b>Associated app </b>and then choose the <b>Managed Home Screen </b>app. You will now see the <b>Configuration settings </b>menu appear. Select this</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfZm-YC7UouwAkw8rNo-F4oHnPX0MnMLlgFaL7S3c8_jVUU5sSBWxMy1Fb_aoiPpWsNMqkfdGWA9vFrdtHPSxyyJitCKY5brwrs2QPKW3EShjdMBgb8vfKbAHn7wMA5t_9nfiL1tskXNk/s1600/DedicatedConfig8.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="658" data-original-width="479" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfZm-YC7UouwAkw8rNo-F4oHnPX0MnMLlgFaL7S3c8_jVUU5sSBWxMy1Fb_aoiPpWsNMqkfdGWA9vFrdtHPSxyyJitCKY5brwrs2QPKW3EShjdMBgb8vfKbAHn7wMA5t_9nfiL1tskXNk/s1600/DedicatedConfig8.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
There are two ways in which to define configuration settings, using the configuration designer, or manually entering the JSON data. For both the folder settings and the web link, these configurations can only be defined by entering the JSON data. Refer to <a href="https://docs.microsoft.com/en-us/intune/app-configuration-managed-home-screen-app#choosing-a-configuration-settings-format" target="_blank">this article</a> for more information on how to choose a configuration settings format.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I am going to create a folder called <b>Tools </b>and put some apps in it for the user. Select <b>Enter JSON data</b></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibDVoMg0o-gqm3Rb5FJjCs0VUfrCb0HUaIvWIBB9c_GguDkEq7bVTR0P4peQGw1_zW2F9HY6N4OcTFMmhTS_iI4UM0OXGhhp6WVPRf5cXIc23x_TNH06_CCroxUeqrqZS9KfOFYhqHeHs/s1600/DedicatedConfig9.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="566" data-original-width="712" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibDVoMg0o-gqm3Rb5FJjCs0VUfrCb0HUaIvWIBB9c_GguDkEq7bVTR0P4peQGw1_zW2F9HY6N4OcTFMmhTS_iI4UM0OXGhhp6WVPRf5cXIc23x_TNH06_CCroxUeqrqZS9KfOFYhqHeHs/s1600/DedicatedConfig9.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Copy in the following code, substituting the <b>folder_name</b> and <b>package</b> values to reflect your requirements for the name of the folder and the apps you wish to include in the folder</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<pre style="background: rgb(240, 240, 240); border: 1px dashed rgb(204, 204, 204); color: black; font-family: consolas; font-size: 14px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; overflow-wrap: normal; word-wrap: normal;">{
  "kind": "androidenterprise#managedConfiguration",
  "productId": "com.microsoft.launcher.enterprise",
  "managedProperty": [
    {
      "key": "managed_folders",
      "valueBundleArray": [
        {
          "managedProperty": [
            {
              "key": "folder_name",
              "valueString": "Tools"
            },
            {
              "key": "applications",
              "valueBundleArray": [
                {
                  "managedProperty": [
                    {
                      "key": "package",
                      "valueString": "com.csdroid.pkg"
                    }
                  ]
                },
                {
                  "managedProperty": [
                    {
                      "key": "package",
                      "valueString": "com.farproc.wifi.analyzer"
                    }
                  ]
                },
                {
                  "managedProperty": [
                    {
                      "key": "package",
                      "valueString": "com.qrcodescanner.barcodescanner"
                    }
                  ]
                }
              ]
            }
          ]
        }
      ]
    }
  ]
}</code></pre>
<br />
Now create a second configuration policy for the web link. Copy in the following code to this, substituting the <b>link </b>and <b>labels </b>values as appropriate<br />
<br />
<pre style="background: rgb(240, 240, 240); border: 1px dashed rgb(204, 204, 204); color: black; font-family: consolas; font-size: 14px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; overflow-wrap: normal; word-wrap: normal;">{
  "kind": "androidenterprise#managedConfiguration",
  "productId": "com.microsoft.launcher.enterprise",
  "managedProperty": [
    {
      "key": "weblinks",
      "valueBundleArray": [
        {
          "managedProperty": [
            {
              "key": "link",
              "valueString": "http://leonashtonleatherland.blogspot.com"
            },
            {
              "key": "label",
              "valueString": "Leon's IT Blog"
            }
          ]
        }
      ]
    }
  ]
}</code></pre>
<br />
Assign both of the app config policies to the AAD device group<br />
<div style="text-align: center;">
<br /></div>
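The folder and web link payloads above share one nested shape (managedProperty lists holding key/valueString or key/valueBundleArray pairs) that is easy to break when edited by hand. The Python below is an added example, not part of the original post or of any Microsoft tooling: it builds both payloads and lints them before they are pasted into Intune. The function names, the package-name pattern, the cross-check against the apps you assigned to the kiosk and the https check on web links are assumptions of this example.

```python
import json
import re
from urllib.parse import urlparse

KIND = "androidenterprise#managedConfiguration"
MHS_PRODUCT_ID = "com.microsoft.launcher.enterprise"  # Managed Home Screen, as in the post

# Assumption: a package name is two or more dot-separated segments, each
# starting with a letter and containing only letters, digits or "_".
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def bundle(props):
    """Turn {key: str | list} into one valueBundleArray entry."""
    entries = []
    for key, value in props.items():
        kind = "valueString" if isinstance(value, str) else "valueBundleArray"
        entries.append({"key": key, kind: value})
    return {"managedProperty": entries}


def _policy(key, bundles):
    return {
        "kind": KIND,
        "productId": MHS_PRODUCT_ID,
        "managedProperty": [{"key": key, "valueBundleArray": bundles}],
    }


def build_folder_config(folder_name, packages):
    """Payload for one Managed Home Screen folder holding the given packages."""
    apps = [bundle({"package": p}) for p in packages]
    return _policy("managed_folders",
                   [bundle({"folder_name": folder_name, "applications": apps})])


def build_weblink_config(links):
    """Payload for web links; links is a list of (url, label) pairs."""
    return _policy("weblinks",
                   [bundle({"link": url, "label": label}) for url, label in links])


def props(node):
    """Flatten a node's managedProperty list back into {key: value}."""
    return {p.get("key"): p.get("valueString", p.get("valueBundleArray"))
            for p in node.get("managedProperty", [])}


def as_list(value):
    """A valueBundleArray as a list; a missing or string value becomes empty."""
    return value if isinstance(value, list) else []


def lint_config(config, assigned_packages):
    """Return a list of findings for a folder or weblink payload."""
    findings = []
    if config.get("kind") != KIND:
        findings.append(f"unexpected kind: {config.get('kind')!r}")
    if config.get("productId") != MHS_PRODUCT_ID:
        findings.append(f"unexpected productId: {config.get('productId')!r}")
    top = props(config)
    for folder in as_list(top.get("managed_folders")):
        fields = props(folder)
        name = fields.get("folder_name") or "<unnamed folder>"
        if not fields.get("folder_name"):
            findings.append("folder has no folder_name")
        for app in as_list(fields.get("applications")):
            pkg = props(app).get("package") or ""
            if not PACKAGE_RE.match(pkg):
                findings.append(f"{name}: malformed package name {pkg!r}")
            elif pkg not in assigned_packages:
                findings.append(f"{name}: {pkg} is not in the assigned app list")
    for link in as_list(top.get("weblinks")):
        fields = props(link)
        url = urlparse(fields.get("link") or "")
        if url.scheme != "https" or not url.netloc:
            findings.append(f"weblink {fields.get('label')!r}: not an https URL")
    return findings


# Constructed sample: the packages and link are the ones used in the post; the
# assigned-app set is made up and deliberately omits the barcode scanner.
FOLDER_PACKAGES = ["com.csdroid.pkg", "com.farproc.wifi.analyzer",
                   "com.qrcodescanner.barcodescanner"]
ASSIGNED = {"com.csdroid.pkg", "com.farproc.wifi.analyzer"}

if __name__ == "__main__":
    folder_cfg = build_folder_config("Tools", FOLDER_PACKAGES)
    link_cfg = build_weblink_config(
        [("http://leonashtonleatherland.blogspot.com", "Leon's IT Blog")])
    print(json.dumps(folder_cfg, indent=2))
    for finding in lint_config(folder_cfg, ASSIGNED) + lint_config(link_cfg, ASSIGNED):
        print("FINDING:", finding)
```

`lint_config` also accepts a payload you wrote by hand once it has been loaded with `json.loads`, so an existing policy can be checked the same way.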
Now let's enroll the device and see how these settings apply, navigate to <b>Device enrollment > Android enrollment</b><br />
<div style="text-align: center;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-B-VRHdQQsn0yZYACOWNw9S05eLUsxkrCkugPFib_lMDZyrBjj31iG6rFRa3UTL7BHyjQonKI4889hjwEMSxL1_GbNAscorbhpQ_f-unhLjtV3_f3SvQ2MSaQ9syThtykZL6K7A6Vew8/s1600/Enrollment1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="439" data-original-width="627" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-B-VRHdQQsn0yZYACOWNw9S05eLUsxkrCkugPFib_lMDZyrBjj31iG6rFRa3UTL7BHyjQonKI4889hjwEMSxL1_GbNAscorbhpQ_f-unhLjtV3_f3SvQ2MSaQ9syThtykZL6K7A6Vew8/s1600/Enrollment1.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select <b>Corporate-owned dedicated devices </b>then select the appropriate enrollment profile (again - remembering that your AAD device group will be populated based on this profile, so ensure you select the correct one if you have multiple)</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQ5z_f5K6HAiLc3uPOektrkXN4tCAFtYnRF0FqpIgoKpcU6g1MMsvasCNnc8stgJLT68jr6MLSMEcj2j9hkTtYu4UJDfNolUC8plNyu2NHrz5VdwuJtP8JVFPl2jPwwGZsM1WFmWNYC2o/s1600/Enrollment2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="424" data-original-width="544" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQ5z_f5K6HAiLc3uPOektrkXN4tCAFtYnRF0FqpIgoKpcU6g1MMsvasCNnc8stgJLT68jr6MLSMEcj2j9hkTtYu4UJDfNolUC8plNyu2NHrz5VdwuJtP8JVFPl2jPwwGZsM1WFmWNYC2o/s1600/Enrollment2.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select <b>Token </b>and then <b>Show token</b>. This is what we will use to enroll the device</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO-pLnrW89V-tOeeOCZ3JIzbWSsqEVvgSqa_n5cCb4RzaWzbvhZxHaSf4sxdrWzvBR4_HhBqABwZy2JKeI5Du44oPfHwctxzbRBAhkpksBjTTZqjfFXKI5nN7Qjot5fLzAG_kC09pEjcg/s1600/Enrollment3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="703" data-original-width="719" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO-pLnrW89V-tOeeOCZ3JIzbWSsqEVvgSqa_n5cCb4RzaWzbvhZxHaSf4sxdrWzvBR4_HhBqABwZy2JKeI5Du44oPfHwctxzbRBAhkpksBjTTZqjfFXKI5nN7Qjot5fLzAG_kC09pEjcg/s1600/Enrollment3.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The device I am using is Android 7.0 and therefore supports QR code enrollment, which is the enrollment type I will use in this example. There are other supported methods for enrollment, which are documented <a href="file:///C:/Users/Leon/OneDrive/Blogging%20and%20online%20presence/Blog%20Photos/AE%20Basics%20Part%204/Enrollment3.png" target="_blank">here</a> and are OS version dependent</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
To commence enrollment, the device must be factory reset or indeed new out of the box - so essentially in the Out-of-Box Experience (OOBE) state</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQp6AA8lXri_C9nxs1fKgp0cZEbKyJVK8RcU8hE0CTACns_lMuxePVzH4mkET_KoQiIJDTiUXlxLza7jKrOJ1Ozo81-6Ya4JPWFCk3XDqwSAyp0AgfTlYo1JXEpuH4wVmtZOcsCxt3KPQ/s1600/Screenshot_20190721-212309.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQp6AA8lXri_C9nxs1fKgp0cZEbKyJVK8RcU8hE0CTACns_lMuxePVzH4mkET_KoQiIJDTiUXlxLza7jKrOJ1Ozo81-6Ya4JPWFCk3XDqwSAyp0AgfTlYo1JXEpuH4wVmtZOcsCxt3KPQ/s640/Screenshot_20190721-212309.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Tap multiple times in any white space, until you see the below screen. Select <b>Next</b></div>
<div class="separator" style="clear: both; text-align: center;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8i1mx0GdQUcR8SdE_eeagFT5LvC8zqaKz3N-ijg_lMWMcxj2KZTMX4aUBmAuGoFpFz72epDyL_2n7lf7kfss0zT1d43HJlgR0DIsc3lSpUd8-6Of4Q9p6hTqwPrLIWkz3gxrFTDo0TfI/s1600/Screenshot_20190721-212347.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8i1mx0GdQUcR8SdE_eeagFT5LvC8zqaKz3N-ijg_lMWMcxj2KZTMX4aUBmAuGoFpFz72epDyL_2n7lf7kfss0zT1d43HJlgR0DIsc3lSpUd8-6Of4Q9p6hTqwPrLIWkz3gxrFTDo0TfI/s640/Screenshot_20190721-212347.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Connect to Wifi</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1FMNkhzRilUfxYk9Ep99JCuwZFNLs7zz7mGwuSSLEWriQee9KiliUmL_YguiV3YuStnRuqkfr5k_uIfD_Oo0ph-q4dkqHvi6p1NS4j3kkDaws9JAFy3klxAKOE8oZJTUhwrQ3FA6fzjE/s1600/Screenshot_20190721-212411.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1FMNkhzRilUfxYk9Ep99JCuwZFNLs7zz7mGwuSSLEWriQee9KiliUmL_YguiV3YuStnRuqkfr5k_uIfD_Oo0ph-q4dkqHvi6p1NS4j3kkDaws9JAFy3klxAKOE8oZJTUhwrQ3FA6fzjE/s640/Screenshot_20190721-212411.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The QR reader will now install</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrKap4kweegZGgQiZo_cV-y2XWhlRSs3_d1BCFM59vPLv6uOvWJUIpk_xMjbhujSKJnOh6OIR-z1pVwGrmo40flv19nqO4WADMtLmtqVFdgY8uHJZgw2UtIH6Jfaq0jNefSVPdYzBh0gw/s1600/Screenshot_20190721-212457.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrKap4kweegZGgQiZo_cV-y2XWhlRSs3_d1BCFM59vPLv6uOvWJUIpk_xMjbhujSKJnOh6OIR-z1pVwGrmo40flv19nqO4WADMtLmtqVFdgY8uHJZgw2UtIH6Jfaq0jNefSVPdYzBh0gw/s640/Screenshot_20190721-212457.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Scan the QR code we mentioned in previous steps</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Encrypt the device when prompted</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOD9nu23nCldi1m-Mfs_eOHbyfOLBy3c7NGdpgPV4ohNeQa1MgPbfNJfN7JibPHZgRRK1Bq7enQY5yakZXvj5IZ1F8yMYTOdj8nsfsTTPR11SMg1U3uerV85t72qflwvPSbWs-dypy7hg/s1600/Screenshot_20190721-212624.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOD9nu23nCldi1m-Mfs_eOHbyfOLBy3c7NGdpgPV4ohNeQa1MgPbfNJfN7JibPHZgRRK1Bq7enQY5yakZXvj5IZ1F8yMYTOdj8nsfsTTPR11SMg1U3uerV85t72qflwvPSbWs-dypy7hg/s640/Screenshot_20190721-212624.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Enrollment will continue</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVfcDEJih-Xgvgc2FgX65X41qYXoT6v1KR06JGI8iVr3F7AQYea9NtxqmpSvVuOUWuvLPsUoUj3OpKOrXtRhoPOcxKxl9mVFqPN3-xQJAm643y4DMPTMawYg1zq8NROuQzya2ck2kBrzI/s1600/Screenshot_20190721-212911.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVfcDEJih-Xgvgc2FgX65X41qYXoT6v1KR06JGI8iVr3F7AQYea9NtxqmpSvVuOUWuvLPsUoUj3OpKOrXtRhoPOcxKxl9mVFqPN3-xQJAm643y4DMPTMawYg1zq8NROuQzya2ck2kBrzI/s640/Screenshot_20190721-212911.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Agree to any terms</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJhI1xwFV41oRl969qcxRy9A1Cu6H13dgSomLlhzF0AUsuR7mAZ7Pc989urJxWYeHn_13HxT315zFDNnglGHSjt463mO4bh9hH4ZEMWGl5NgX6H-k4adOPF62Ubjr8LGDa4C83qeGOGEQ/s1600/Screenshot_20190721-212947.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJhI1xwFV41oRl969qcxRy9A1Cu6H13dgSomLlhzF0AUsuR7mAZ7Pc989urJxWYeHn_13HxT315zFDNnglGHSjt463mO4bh9hH4ZEMWGl5NgX6H-k4adOPF62Ubjr8LGDa4C83qeGOGEQ/s640/Screenshot_20190721-212947.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The Google Play Store and Google Play Services will now update on the device</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS-wkVHfToCX2u6lRIKPB-4c5wDLlfP1B3jH4Qy9s3WVhpepKu5yWdQ31XPLd_j-GseFSdtUXxsg3x-hp3zmNm8Tx10AOnJD320Rex4TuOv4JIaKDGCwwxj5LYoEtdRtl13Ba0f6td7dw/s1600/Screenshot_20190721-213029.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS-wkVHfToCX2u6lRIKPB-4c5wDLlfP1B3jH4Qy9s3WVhpepKu5yWdQ31XPLd_j-GseFSdtUXxsg3x-hp3zmNm8Tx10AOnJD320Rex4TuOv4JIaKDGCwwxj5LYoEtdRtl13Ba0f6td7dw/s640/Screenshot_20190721-213029.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Enrollment completes and you now see the regular Android home screen experience</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_QKVgIeERgtC8EmlrMXoXCO8J-YVPizUKsV_fnBEhFEsl6B9v5nqQ4Dn2Ch-I_iLRhpCfSO16wVZzWxzAF4OYGhUjLc_AqO55dSbr5mguaYKZ3tVZm5TuqL1FYt5c7BdKL4jbPJf-VKA/s1600/Screenshot_20190721-213218.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_QKVgIeERgtC8EmlrMXoXCO8J-YVPizUKsV_fnBEhFEsl6B9v5nqQ4Dn2Ch-I_iLRhpCfSO16wVZzWxzAF4OYGhUjLc_AqO55dSbr5mguaYKZ3tVZm5TuqL1FYt5c7BdKL4jbPJf-VKA/s640/Screenshot_20190721-213218.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
After a few moments you will see apps start to deploy to the device</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNyCx9rznMH1bZQI_5bRJql_xSkWUCrtx6vmW-K165Ws1RUi6WGcyQO9cgy7mzQt2WZI3sJPq5KU1WFItk-4sLDVkb7ES_EESoPJsTHuSOmobg9UOLC3RMM1-ehluaZmOWP9MdFWjNr0E/s1600/Screenshot_20190721-213825.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNyCx9rznMH1bZQI_5bRJql_xSkWUCrtx6vmW-K165Ws1RUi6WGcyQO9cgy7mzQt2WZI3sJPq5KU1WFItk-4sLDVkb7ES_EESoPJsTHuSOmobg9UOLC3RMM1-ehluaZmOWP9MdFWjNr0E/s640/Screenshot_20190721-213825.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now the configuration is complete, and you can immediately see the custom wallpaper and in this example the <b>Tools </b>folder we created</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg04IwWIxeNB_4llcCqKCLK7K7VYCXfcQnMbnBxJvBLyD-YgKSyRFvxtFBBOFvCJFPfN3DqMJ3AZ9qaIvEe83cinwJrlyWZyHMf7caYpd6Wa0ypxVJh1mKTtSs7sx_ZZHY7Pu3YrlF6sp0/s1600/Screenshot_20190721-214120.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg04IwWIxeNB_4llcCqKCLK7K7VYCXfcQnMbnBxJvBLyD-YgKSyRFvxtFBBOFvCJFPfN3DqMJ3AZ9qaIvEe83cinwJrlyWZyHMf7caYpd6Wa0ypxVJh1mKTtSs7sx_ZZHY7Pu3YrlF6sp0/s640/Screenshot_20190721-214120.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The web link has also been pinned; launch it and it will open in the deployed browser</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD_gtYhGWA4yrZJcdzVYuiQeLOH-LzQxFd-PKQRqZfKvAXYeRJuDTdK97kORO98fWYkfAoU8jWDrhgbPIy0RV-b352ee0_2sf1wZOftwWEmyy8p9AS0PlvtD2T-JAyyGoBIVV5ltucICE/s1600/Screenshot_20190721-214329.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD_gtYhGWA4yrZJcdzVYuiQeLOH-LzQxFd-PKQRqZfKvAXYeRJuDTdK97kORO98fWYkfAoU8jWDrhgbPIy0RV-b352ee0_2sf1wZOftwWEmyy8p9AS0PlvtD2T-JAyyGoBIVV5ltucICE/s640/Screenshot_20190721-214329.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select <b>Managed Setting </b>to show the locked down menu providing the end user Bluetooth and WiFi access, as we specified within our Configuration Profile</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBxTQSvxtqYMXmSYdEM5jWV_7-oOliblMXSqH2K93tJ6HU15quv_Uoeqho12e-wbmtXT4rCE7_vvIEzgkcpXX1cJu_Y5JzX-CLP870aqQ0dPb9NWcqkgpOIcbeXf6C1LO37okyFVFQI1E/s1600/Screenshot_20190721-214509.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBxTQSvxtqYMXmSYdEM5jWV_7-oOliblMXSqH2K93tJ6HU15quv_Uoeqho12e-wbmtXT4rCE7_vvIEzgkcpXX1cJu_Y5JzX-CLP870aqQ0dPb9NWcqkgpOIcbeXf6C1LO37okyFVFQI1E/s640/Screenshot_20190721-214509.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
For troubleshooting purposes, you can exit kiosk mode by tapping the back button multiple times and selecting <b>Exit Kiosk</b></div>
<div class="separator" style="clear: both; text-align: center;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdlKCpwjKA4joo2TF204x1flztKDrSYgYw0o04pxpUOjvVmLpzDhth7W-FJLRK_bGMKKWc7vW5kQk5T3gTwASihTXsc9Lm1kAYBq_jCs-dxBK504RowRgq9zKFY4ktnR1rsN1DH9vTApw/s1600/Screenshot_20190721-214556.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdlKCpwjKA4joo2TF204x1flztKDrSYgYw0o04pxpUOjvVmLpzDhth7W-FJLRK_bGMKKWc7vW5kQk5T3gTwASihTXsc9Lm1kAYBq_jCs-dxBK504RowRgq9zKFY4ktnR1rsN1DH9vTApw/s640/Screenshot_20190721-214556.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Enter the PIN when prompted</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwl-hwSn7FCMQqQfx09EQVu8dADsO5Z-jlCnCm7Csa-qx6Ehn5jKhKzxkd3OJbBIbwkA52V4f7G4_bPQaWYAO6Ie1EyIh7W_KlCuGaxfKI0x34RD0u3XOGyxhJQUtelCtqNLtNsvAkdYk/s1600/Screenshot_20190721-214617.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwl-hwSn7FCMQqQfx09EQVu8dADsO5Z-jlCnCm7Csa-qx6Ehn5jKhKzxkd3OJbBIbwkA52V4f7G4_bPQaWYAO6Ie1EyIh7W_KlCuGaxfKI0x34RD0u3XOGyxhJQUtelCtqNLtNsvAkdYk/s640/Screenshot_20190721-214617.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The device is now out of Kiosk mode</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGd5keVxWm6NkoBIjNMeLQP7nynA9Vxc_cAUj2JM899spmQeXGWi5n6jiGBtea9lfg2qcaXvY32NHc6TdXrpj85nPjE03lYQu8vVvnZ8jSQpdgcUX3WNI6iVROyFIaJgwTBjct1KekdGg/s1600/Screenshot_20190721-214724.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGd5keVxWm6NkoBIjNMeLQP7nynA9Vxc_cAUj2JM899spmQeXGWi5n6jiGBtea9lfg2qcaXvY32NHc6TdXrpj85nPjE03lYQu8vVvnZ8jSQpdgcUX3WNI6iVROyFIaJgwTBjct1KekdGg/s640/Screenshot_20190721-214724.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Launch the Managed Home Screen to put the device back into Kiosk mode</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsTDd0jZoVR9IQ2GwaXXDln1hOPE3Ct1NHwWSd79z0XlAz_O8eit8ISzSH0-j-UZ4mdXruX6q3xz4euvWwmOn-WcQG6iZPzzrGZIEj-bzLondlA6P-o40gCtovL1mXY2eC0V5eInG5_Bs/s1600/Screenshot_20190721-214733.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsTDd0jZoVR9IQ2GwaXXDln1hOPE3Ct1NHwWSd79z0XlAz_O8eit8ISzSH0-j-UZ4mdXruX6q3xz4euvWwmOn-WcQG6iZPzzrGZIEj-bzLondlA6P-o40gCtovL1mXY2eC0V5eInG5_Bs/s640/Screenshot_20190721-214733.png" width="360" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Well that completes this post, I hope you found it useful - see you in the next part of this series where I will be talking about Fully Managed devices</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Thanks for reading!</div>
Leon Ashton-Leatherlandhttp://www.blogger.com/profile/17593394415382066306noreply@blogger.com0tag:blogger.com,1999:blog-3145837469179315622.post-998111590636950472019-06-27T23:50:00.003+01:002021-08-24T14:57:28.335+01:00Intune Basics Part 3: Modern Device Management with Android Enterprise - Personally-owned Work Profile Configuration
Welcome to part 3 of this series of posts, which are intended to get you started with managing Android devices using the Android Enterprise capabilities within Microsoft Intune.
<br />
<br /><div>Part 1 can be found <a href="https://www.leonsitblog.com/2019/04/intune-basics-part-1-modern-device.html" target="_blank">here</a> and covers setting up the various Android Enterprise enrolment methods<br /><br /></div><div>Part 2 can be found <a href="https://www.leonsitblog.com/2019/04/intune-basics-part-2-modern-device.html" target="_blank">here</a> and covers the configuration of Azure AD groups<br /><br />Part 4 can be found <a href="https://www.leonsitblog.com/2019/07/intune-basics-part-4-modern-device.html" target="_blank">here</a> and covers the configuration of Dedicated devices</div><div><br /></div><div>Part 5 can be found <a href="https://www.leonsitblog.com/2019/09/intune-basics-part-5-modern-device.html" target="_blank">here</a> and covers the configuration of Fully Managed devices<br /><br />This series will get you up and running as quickly as possible, therefore if you require further detail and explanation on Android Enterprise please refer to my previous post <a href="https://www.leonsitblog.com/2019/01/android-enterprise-and-intune-overview.html" target="_blank">here</a> which I am ensuring is kept up to date as newer functionality is supported within Intune.</div>
<br />
This post focuses on the Work Profile solution set, which is primarily designed for the enrollment of personally owned devices. When enrolled, Intune only has primary control over the apps and settings that are deployed within the profile, with very limited access to the remainder of the device. This creates a secure location for company apps and data and is also privacy friendly, giving the end user peace of mind when enrolling a personal device.<br />
In my humble opinion there is / has been a valid use case for using Work Profiles with company owned devices, especially if organisations with Intune were early adopters of Android Enterprise. Initially this was the only solution set available and it also had the attraction of providing seamless app deployment to devices.<br />
<div>
In this scenario it is also useful to pre-declare a device so that it is labelled as company owned and hence you can scope it to an Azure AD device group (see my previous post <a href="https://leonashtonleatherland.blogspot.com/2019/04/intune-basics-part-2-modern-device.html" target="_blank">here</a>)<br />
<br />
First of all, I will show you how to pre-declare a device. To reiterate, this is only required if you are using Work Profiles on company owned devices:<br />
<br />
Log into the M365 Device Management Portal. Navigate to <b>Device Enrollment > Corporate Device Identifiers > Add > Enter Manually</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUtX2YlBBhJaVrDZnT8lwNJbp9A2elnrVY2aUvtuwoRA6bMQp6Da1r2SCQBm5SKKdBMEoTdAqS5dr1TP2zY9p5xX0LjkxlZ2gpRHrnW3iI6SSdLmkP92GprpS9fSvydrMbx8b3muRG27M/s1600/CorpDevID2.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="490" data-original-width="724" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUtX2YlBBhJaVrDZnT8lwNJbp9A2elnrVY2aUvtuwoRA6bMQp6Da1r2SCQBm5SKKdBMEoTdAqS5dr1TP2zY9p5xX0LjkxlZ2gpRHrnW3iI6SSdLmkP92GprpS9fSvydrMbx8b3muRG27M/s1600/CorpDevID2.PNG" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Select <b>IMEI</b> for the identifier type and then enter the device's IMEI and a suitable description. Click <b>Add</b> to finish<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggsosv17NneVOivGnoNxrmygcx2DutKm-R-Yhw2SreQPUkYoeBRI8u0xnBW5NleK_qgIsTUS7TsHcDisaQ-vYrucBdtCi1CH77q0E9z0fT-TvigTzJVQw8MeOvrWv5xf7xAy78sNukZv8/s1600/CorpDevID3.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="790" data-original-width="568" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggsosv17NneVOivGnoNxrmygcx2DutKm-R-Yhw2SreQPUkYoeBRI8u0xnBW5NleK_qgIsTUS7TsHcDisaQ-vYrucBdtCi1CH77q0E9z0fT-TvigTzJVQw8MeOvrWv5xf7xAy78sNukZv8/s1600/CorpDevID3.PNG" /></a></div>
<br />
<br />
Now the device appears in the list. Note that once it is enrolled its status will change from "Not contacted" to "Enrolled"<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFmPcR28C0NL3R_od7DcorN9d-Nb4wVH_iM94OwpSubCBYYLMJ0wqYqoAXLR6FBCH-zrOGQMYw4LfyWbIbXFeVz_gay5SoCSnGA1OAej8aeg7oKET-myI7CcBaumpthY550HmwO7Y0gmI/s1600/CorpDevID4.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="367" data-original-width="1425" height="102" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFmPcR28C0NL3R_od7DcorN9d-Nb4wVH_iM94OwpSubCBYYLMJ0wqYqoAXLR6FBCH-zrOGQMYw4LfyWbIbXFeVz_gay5SoCSnGA1OAej8aeg7oKET-myI7CcBaumpthY550HmwO7Y0gmI/s400/CorpDevID4.PNG" width="400" /></a></div>
<br />
<br />
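A mistyped IMEI will not match the device at enrolment, so the device would not be labelled as company owned or land in the intended device group. The following is an added example, not part of the original post: a pre-check that normalises IMEIs, verifies the 15-digit length and Luhn check digit, and rejects duplicates before they are entered. The inventory rows and all function names are constructed for illustration.

```python
"""Added example: pre-check IMEIs before adding them as corporate identifiers."""
import csv
import io
import re

# Constructed inventory: identifier, description (the two fields the portal asks for).
SAMPLE_INVENTORY = """\
49-015420-323751-8,Warehouse handset 01
123456789012347,Warehouse handset 02
490154203237519,Warehouse handset 03
49015420323751,Warehouse handset 04
490154203237518,Warehouse handset 05
"""


def luhn_ok(digits: str) -> bool:
    """Return True when the final digit is a valid Luhn check digit."""
    total = 0
    # Walk right to left, doubling every second digit (the first one doubled
    # is the digit immediately left of the check digit).
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise_imei(raw: str) -> str:
    """Strip the spaces, dashes and slashes often copied from a box label."""
    return re.sub(r"[\s\-/]", "", raw)


def load_rows(text: str):
    """Parse 'identifier,description' lines, skipping blank or short rows."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2:
            rows.append((row[0].strip(), row[1].strip()))
    return rows


def check_identifiers(rows):
    """Split (imei, description) rows into accepted and rejected lists."""
    accepted, rejected, seen = [], [], set()
    for raw, description in rows:
        imei = normalise_imei(raw)
        if not re.fullmatch(r"\d{15}", imei):
            rejected.append((raw, "not 15 digits"))
        elif not luhn_ok(imei):
            rejected.append((raw, "check digit mismatch"))
        elif imei in seen:
            rejected.append((raw, "duplicate"))
        else:
            seen.add(imei)
            accepted.append((imei, description))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = check_identifiers(load_rows(SAMPLE_INVENTORY))
    for imei, description in ok:
        print(f"enter   {imei}  {description}")
    for raw, reason in bad:
        print(f"reject  {raw}  ({reason})")
```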
So let's get started with creating some Work Profile Configuration to deploy to devices.</div>
<div>
Navigate to Device configuration > Profiles > Create profile<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjznxEWwgg_cRBLyLa8neI69orq74e4L0ouuzcDSPvrWdgw7rmqJqpiEn1ehfLVpXzxgiZU96VyNRFvkqxmk_4b06bQSpWXeVNetjR2rFHEZ_qBI_BqmQHzapBc6PewxkixFVENi5Ub6SE/s1600/WorkProfile1.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="911" data-original-width="1600" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjznxEWwgg_cRBLyLa8neI69orq74e4L0ouuzcDSPvrWdgw7rmqJqpiEn1ehfLVpXzxgiZU96VyNRFvkqxmk_4b06bQSpWXeVNetjR2rFHEZ_qBI_BqmQHzapBc6PewxkixFVENi5Ub6SE/s400/WorkProfile1.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Enter a suitable profile name. I like to make mine as descriptive as possible, so in this example it is called "Android Work Profile Device Restrictions - Company". Also select "Android Enterprise" as the platform</div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinfx7xPaLd3ck7OMa3aceQ-BFzk_fF7q7p3Eic-pv3nT75cuFNiYdbE3PCVWsBKzH5u7kmqLe0rcMt7ZqAy3v3Fxo5gpUXey6y1JlzhHRk9T7CDEUKo1hEn6lUEGyAYIBWvaWxRW8bE-c/s1600/WorkProfile8.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1258" data-original-width="1500" height="335" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinfx7xPaLd3ck7OMa3aceQ-BFzk_fF7q7p3Eic-pv3nT75cuFNiYdbE3PCVWsBKzH5u7kmqLe0rcMt7ZqAy3v3Fxo5gpUXey6y1JlzhHRk9T7CDEUKo1hEn6lUEGyAYIBWvaWxRW8bE-c/s400/WorkProfile8.PNG" width="400" /></a></div>
<br />
<br />
Under profile type select "Device restrictions" within the "Work profile only" menu<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOwsqEg0SaHhawyBIGz45MhrE_bi9l6j8r1xW0wgAnbEQYj76F78F-jhLYN4u_IvYggmuE3n1w3ky04LY0rNgDy8Ak5VpNZ_M6ZMJuyY4hGJKlcT0jESetOdAO375ZZIUg6Wa4eF0XNpo/s1600/WorkProfile3.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="523" data-original-width="777" height="214" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOwsqEg0SaHhawyBIGz45MhrE_bi9l6j8r1xW0wgAnbEQYj76F78F-jhLYN4u_IvYggmuE3n1w3ky04LY0rNgDy8Ak5VpNZ_M6ZMJuyY4hGJKlcT0jESetOdAO375ZZIUg6Wa4eF0XNpo/s320/WorkProfile3.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
You now have access to all of the settings available<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXHK_Pikyq07JrQ4k8sGlmoY8R1c0Eqypkqln-i0o_OBFCAiJm2F0r2f_dakpUUN8DjCjiJPxu-Pasddv-3BtsH-oDPnbcqcbfqHHDVLiNgEvfENPpfN7eisOfEVD_oF_SwrqnSr3b8pE/s1600/WorkProfile4.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1021" data-original-width="919" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXHK_Pikyq07JrQ4k8sGlmoY8R1c0Eqypkqln-i0o_OBFCAiJm2F0r2f_dakpUUN8DjCjiJPxu-Pasddv-3BtsH-oDPnbcqcbfqHHDVLiNgEvfENPpfN7eisOfEVD_oF_SwrqnSr3b8pE/s320/WorkProfile4.PNG" width="288" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
Now this part is dependent on your organisational requirements; however, as a bare minimum I would suggest at least deploying this profile with the default options selected. In this example let's have a look at some security settings, including setting different passcodes for the device itself and the work profile.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select "Prevent any sharing across boundaries" under the "Data sharing between work and personal profile" option</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUamg3Xy0ZIYwNKpccmraxzAr3LkEuXCAx_qj8mraKDISuJqPqoIVbmIm6gA85lVJFHCxJYHkoUDKbXP0by7LtFv3VeN7hHy4jeZ_eRnAfft57x06i7AOMWLDqmWtcZq2PX7jFwYemChY/s1600/WorkProfile5.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="390" data-original-width="567" height="275" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUamg3Xy0ZIYwNKpccmraxzAr3LkEuXCAx_qj8mraKDISuJqPqoIVbmIm6gA85lVJFHCxJYHkoUDKbXP0by7LtFv3VeN7hHy4jeZ_eRnAfft57x06i7AOMWLDqmWtcZq2PX7jFwYemChY/s400/WorkProfile5.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Scroll down now and let's specify the option to require a Work Profile password and set the minimum password length to 8</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqrqxSkHFMeyrdrSD_LgLrbmqcSN4f_r8okqGqLIYquez7MTodpLVC6akQWFiQWaf-4YW5YSQ9ds4jFak56CJS7_kD3hksCESAM16d85Rf5EqQH2IzzqZ91L8Sd1K0hlCK3Eg31DKU6pU/s1600/WorkProfile6.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="263" data-original-width="557" height="188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqrqxSkHFMeyrdrSD_LgLrbmqcSN4f_r8okqGqLIYquez7MTodpLVC6akQWFiQWaf-4YW5YSQ9ds4jFak56CJS7_kD3hksCESAM16d85Rf5EqQH2IzzqZ91L8Sd1K0hlCK3Eg31DKU6pU/s400/WorkProfile6.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now under "Device Password" set the minimum length to 4</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguS__YIR59LmcOfM8ryB6FrDMpy9tEAKtaH7WLRCHSSbznF4Ykm6bxY1jHuI7a6JL-Us52SSm5PW5i3flA6c6iuddkna6T5Z7wLowe-PVb7wPPE4ayZnPu9HSF3vJ-IYxHdI1irh1eRmc/s1600/WorkProfile7.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="998" data-original-width="1600" height="247" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguS__YIR59LmcOfM8ryB6FrDMpy9tEAKtaH7WLRCHSSbznF4Ykm6bxY1jHuI7a6JL-Us52SSm5PW5i3flA6c6iuddkna6T5Z7wLowe-PVb7wPPE4ayZnPu9HSF3vJ-IYxHdI1irh1eRmc/s400/WorkProfile7.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select "OK" twice, then "Create" to save the profile</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
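To confirm the saved profile still matches the settings chosen above, the check below audits a profile exported as JSON. It is an added example, not part of the original post; the property names follow the Microsoft Graph androidWorkProfileGeneralDeviceConfiguration resource, and the two sample exports are constructed.

```python
"""Added example: audit an exported work profile device restriction profile."""
import json

EXPECTED_TYPE = "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration"

# Baseline taken from the walkthrough: no sharing across the work/personal
# boundary, work profile password >= 8 characters, device password >= 4.
BASELINE = {
    "workProfileDataSharingType": ("equals", "preventAny"),
    "workProfilePasswordMinimumLength": ("at_least", 8),
    "passwordMinimumLength": ("at_least", 4),
}

# Constructed sample exports.
COMPLIANT = """{
  "@odata.type": "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration",
  "displayName": "Android Work Profile Device Restrictions - Company",
  "workProfileDataSharingType": "preventAny",
  "workProfilePasswordMinimumLength": 8,
  "passwordMinimumLength": 4
}"""

DRIFTED = """{
  "@odata.type": "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration",
  "displayName": "Android Work Profile Device Restrictions - Company",
  "workProfileDataSharingType": "allowPersonalToWork",
  "workProfilePasswordMinimumLength": null,
  "passwordMinimumLength": 6
}"""


def audit_profile(profile: dict) -> list:
    """Return a list of findings; an empty list means the baseline is met."""
    if profile.get("@odata.type") != EXPECTED_TYPE:
        return ["not a work profile device restriction profile"]

    findings = []
    for key, (rule, wanted) in BASELINE.items():
        actual = profile.get(key)
        if actual is None:
            # A missing or null value means the setting was left unconfigured.
            findings.append(f"{key}: not configured")
        elif rule == "equals":
            if actual != wanted:
                findings.append(f"{key}: {actual!r} (baseline {wanted!r})")
        elif rule == "at_least":
            # Stricter values than the baseline are accepted.
            is_int = isinstance(actual, int) and not isinstance(actual, bool)
            if not is_int or actual < wanted:
                findings.append(f"{key}: {actual} is below {wanted}")
    return findings


if __name__ == "__main__":
    for name, raw in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        issues = audit_profile(json.loads(raw))
        print(name, "OK" if not issues else issues)
```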
<div class="separator" style="clear: both; text-align: left;">
Now we need to deploy it to our device group; this policy is for company owned devices. Under the properties of the profile select Assignments > Select groups to include</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7RNHxjqi8tvw9UI_V70wJGLuD_13eKVpRkgD_8MZzHFHEfWdQoVTADOGjJRoqNUyT7bPgRXBBRVKCmDB8tEDsZH-EbdiuJlxd1TmVaExAs1Phr7NPnAnOwkWBDWuU3TpWYblzeL3SASE/s1600/WorkProfile9.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="883" data-original-width="1600" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7RNHxjqi8tvw9UI_V70wJGLuD_13eKVpRkgD_8MZzHFHEfWdQoVTADOGjJRoqNUyT7bPgRXBBRVKCmDB8tEDsZH-EbdiuJlxd1TmVaExAs1Phr7NPnAnOwkWBDWuU3TpWYblzeL3SASE/s400/WorkProfile9.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select our "Android Work Profile - Company Devices" Group > Select > Save. That's the configuration profile deployed</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBkq3ff82am0LWSO38NfHomRMogvilNjeh8-d7kMDkNjyKIdWAPtj-Qiz6t4hFHUihYpnM-NpjxgsOqupGCsF_pC-dmo-13gucAJohln977w0gLKIUPgbzkcoBTPjYhTAX_oyVOQB1JtA/s1600/WorkProfile10.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="903" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBkq3ff82am0LWSO38NfHomRMogvilNjeh8-d7kMDkNjyKIdWAPtj-Qiz6t4hFHUihYpnM-NpjxgsOqupGCsF_pC-dmo-13gucAJohln977w0gLKIUPgbzkcoBTPjYhTAX_oyVOQB1JtA/s400/WorkProfile10.PNG" width="225" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now it's time to enroll the device. Install the Company Portal app from the Google Play store. Log in with your credentials</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoAYjM12kxmUORvs9yd51llxSfPP-H9iChPrZSlXfSBQvJsS-DVaD4-KkFo71tM805klFYTdsCP-jJanRsCmaEv4IqQaZDvai27bg3Pl6MuSDx3QPo6mY11Nx68iuIVX9DUPb3Go23jDs/s1600/WorkProfile11.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1063" data-original-width="901" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoAYjM12kxmUORvs9yd51llxSfPP-H9iChPrZSlXfSBQvJsS-DVaD4-KkFo71tM805klFYTdsCP-jJanRsCmaEv4IqQaZDvai27bg3Pl6MuSDx3QPo6mY11Nx68iuIVX9DUPb3Go23jDs/s320/WorkProfile11.PNG" width="270" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select "Continue"</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2CS000EXd57qJ3OmlNYKnBsyP-URU0ixNLRwdKK0ObEKYXDkPO4b8WpbCx_Z2LVbYvZQyfTTk41keRuhuO_vHhE6Mo5oVG8qPhrY2ToQWlfrPGIZZgP_u9U4buplCpv3a6brCmQrgxtk/s1600/WorkProfile12.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="843" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2CS000EXd57qJ3OmlNYKnBsyP-URU0ixNLRwdKK0ObEKYXDkPO4b8WpbCx_Z2LVbYvZQyfTTk41keRuhuO_vHhE6Mo5oVG8qPhrY2ToQWlfrPGIZZgP_u9U4buplCpv3a6brCmQrgxtk/s400/WorkProfile12.PNG" width="210" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
"Continue" again</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW2BTvuyIW91CAJDlpyz1GrRnuKe2p4AYXiWmV2Xbhf2khZDaPQ-jGYC2v2jRwjy4aNfRosxVMbfuyUrp9Bc-1qPcXvuAP41K4aewjned9tj5pcsZfBywj-tOn1-xWe4OM4LJrp6UTyyM/s1600/WorkProfile13.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="839" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW2BTvuyIW91CAJDlpyz1GrRnuKe2p4AYXiWmV2Xbhf2khZDaPQ-jGYC2v2jRwjy4aNfRosxVMbfuyUrp9Bc-1qPcXvuAP41K4aewjned9tj5pcsZfBywj-tOn1-xWe4OM4LJrp6UTyyM/s400/WorkProfile13.PNG" width="208" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select "Next"</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhh3RFqO2H-Q4ZHH-CpPC5DdMQs7L2kNQJw7C-8hW0fR1c2jKYx6bqyCfCp7NlKGdE1m-XSdrqbWglwTHAfOo_btCDhtRKITX9HcUtQMq3kayTwCH-uijBpIRfPIup4aAwYdpqZs5_kjkc/s1600/WorkProfile14.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="828" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhh3RFqO2H-Q4ZHH-CpPC5DdMQs7L2kNQJw7C-8hW0fR1c2jKYx6bqyCfCp7NlKGdE1m-XSdrqbWglwTHAfOo_btCDhtRKITX9HcUtQMq3kayTwCH-uijBpIRfPIup4aAwYdpqZs5_kjkc/s400/WorkProfile14.PNG" width="206" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Accept the terms</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0s30_k6W6xPCvdxwipy1gkY5Bpdn6j27z_tcJQDscIafZoTXKfzTMyX-bg7TuQ_mwjzibaLxnawR8rwbpqfg2-ykNhIpYRo52hE_Q1sXG6GOkvxIHSCZhOtVTVwwpM6MS08G31ME1lTU/s1600/WorkProfile15.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="879" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0s30_k6W6xPCvdxwipy1gkY5Bpdn6j27z_tcJQDscIafZoTXKfzTMyX-bg7TuQ_mwjzibaLxnawR8rwbpqfg2-ykNhIpYRo52hE_Q1sXG6GOkvxIHSCZhOtVTVwwpM6MS08G31ME1lTU/s400/WorkProfile15.PNG" width="218" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The device will now enroll</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFtvitt3_8NTyS6nI9ycjwatgM8w3T_4mIocdWsERowz1QMHiVlZqx3LENgUySdNY9hFuJKaHKVsk-1hcisVZCnsrbcnAzgIqQbAT4s-4Gv8jhX7apQdOvbMaSSrtTVhSI9lk8mypklKk/s1600/WorkProfile16.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1483" data-original-width="857" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFtvitt3_8NTyS6nI9ycjwatgM8w3T_4mIocdWsERowz1QMHiVlZqx3LENgUySdNY9hFuJKaHKVsk-1hcisVZCnsrbcnAzgIqQbAT4s-4Gv8jhX7apQdOvbMaSSrtTVhSI9lk8mypklKk/s400/WorkProfile16.PNG" width="230" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select "Continue" then "Done". Enrollment is now complete</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXLEUvBuv7xOcYIt1lspogYCg7w5KYVkqGtqowCmTP3OF4e729HuRz-HZyKAbte7tnlUlsVkzjIRRbRLAKhZd9XVq6FTcXb759JALuJdCu5YJmW9hzgXMO5wtXAF4CKaJRgaX50K3Oaiw/s1600/WorkProfile17.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="842" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXLEUvBuv7xOcYIt1lspogYCg7w5KYVkqGtqowCmTP3OF4e729HuRz-HZyKAbte7tnlUlsVkzjIRRbRLAKhZd9XVq6FTcXb759JALuJdCu5YJmW9hzgXMO5wtXAF4CKaJRgaX50K3Oaiw/s400/WorkProfile17.PNG" width="210" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDOSxRNmmE5HnYKYdGEkHQ0QGHL-cdN0yCelCQcsVLLYbO9bPnzEQ66zgxERV_ysWhKz6pOMo4muFP_r4ko8dqjzrZXycCyW-dBM8svcxnwIEoMYTpk7d5dyjRvJIqkFKGs7Pbtx79n58/s1600/WorkProfile18.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="839" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDOSxRNmmE5HnYKYdGEkHQ0QGHL-cdN0yCelCQcsVLLYbO9bPnzEQ66zgxERV_ysWhKz6pOMo4muFP_r4ko8dqjzrZXycCyW-dBM8svcxnwIEoMYTpk7d5dyjRvJIqkFKGs7Pbtx79n58/s400/WorkProfile18.PNG" width="208" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The deployment status can be monitored within the properties of the profile under the "Device Status" report</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-ZURJKkeiF_c72cfI3uzl-i9ou6GRgRi6EDLFlxGZhyiuBEYWBDNB05q58nG_YabcNC3hXHx21lhLP1OkaRAB1oc7_gveqZjr8SP-NiP8l88mLBYI6nytQzjiR51vZ-2lEyoQrnl9le4/s1600/WorkProfile19.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="509" data-original-width="1600" height="126" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-ZURJKkeiF_c72cfI3uzl-i9ou6GRgRi6EDLFlxGZhyiuBEYWBDNB05q58nG_YabcNC3hXHx21lhLP1OkaRAB1oc7_gveqZjr8SP-NiP8l88mLBYI6nytQzjiR51vZ-2lEyoQrnl9le4/s400/WorkProfile19.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5w26Jx7TrCUMteDW3o_R3T4yx5t8A5O1fef7lLrFOTP-_6mTy2i3KT6RiEaPtfElO7nC1t19_U5vC5sLrAtqN9MPi_3nD1HkRPs8K8tWOpJS2upqTQEY8JaXSvLRpKTwWta2sNZFz0JQ/s1600/WorkProfile20.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="586" data-original-width="1600" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5w26Jx7TrCUMteDW3o_R3T4yx5t8A5O1fef7lLrFOTP-_6mTy2i3KT6RiEaPtfElO7nC1t19_U5vC5sLrAtqN9MPi_3nD1HkRPs8K8tWOpJS2upqTQEY8JaXSvLRpKTwWta2sNZFz0JQ/s400/WorkProfile20.PNG" width="400" /></a></div>
The device is now prompting for a passcode to be set. Select the prompt<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWSF23G41ml_cEWBceBzTdqz4Y3F9Esqk23btN65iozSZL-gKVsi8zaTIMkczDBHB0-nPJWN4Um5Vf0FDcIRT1BRaVViAkbcbo3tCWgyCIUH79TJByCIx_6kp9aouOpJ8ji5iFEEk5_K0/s1600/WorkProfile21.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1593" data-original-width="899" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWSF23G41ml_cEWBceBzTdqz4Y3F9Esqk23btN65iozSZL-gKVsi8zaTIMkczDBHB0-nPJWN4Um5Vf0FDcIRT1BRaVViAkbcbo3tCWgyCIUH79TJByCIx_6kp9aouOpJ8ji5iFEEk5_K0/s400/WorkProfile21.PNG" width="225" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now I am going to select "Password" for this example to illustrate some default behaviour</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir2GORHy-WKzGX7GggQOR6IUlynIWpsWRqT1q1EkFs9GGEG0Fh1uVLhnMUl9Qqy_hIQQNumKX10bjv1SXvPWH1jXNeUPSfy3qzMaHi6aMZv_BOzINt-uX-b3zzosSEQMIiAJKIV5uCODo/s1600/WorkProfile22.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="629" data-original-width="937" height="267" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir2GORHy-WKzGX7GggQOR6IUlynIWpsWRqT1q1EkFs9GGEG0Fh1uVLhnMUl9Qqy_hIQQNumKX10bjv1SXvPWH1jXNeUPSfy3qzMaHi6aMZv_BOzINt-uX-b3zzosSEQMIiAJKIV5uCODo/s400/WorkProfile22.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select "PIN"</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgww28QbZKNI5ZwZwckroqG5VCZCWeZZXXS8s8g6diA7XwhYK8pRtnYmNuyqqTp1HCITrHcSZezXbh1sNBwKZYbtz3nQSGykzkAcJOKP60l4D2zRj4jUnfNfEOVic_y_PzNHrYCNHyngeM/s1600/WorkProfile23.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="693" data-original-width="922" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgww28QbZKNI5ZwZwckroqG5VCZCWeZZXXS8s8g6diA7XwhYK8pRtnYmNuyqqTp1HCITrHcSZezXbh1sNBwKZYbtz3nQSGykzkAcJOKP60l4D2zRj4jUnfNfEOVic_y_PzNHrYCNHyngeM/s400/WorkProfile23.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
You are prompted for a minimum of 4 digits, as we expect</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyeCLxwQ1iO5IPcNvevZMLIxaT0d7oKKDccp3CWAPkX07sPZSaoaTtmbTYJ-mDxrxueg5s_b5dPgMaB4Br-tPwGgCXHPO3QqPzctMmVmaGLGFAnvFlTM7IazxFV5l7BeDYoZ3v-S-dN5I/s1600/WorkProfile24.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="735" data-original-width="903" height="325" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyeCLxwQ1iO5IPcNvevZMLIxaT0d7oKKDccp3CWAPkX07sPZSaoaTtmbTYJ-mDxrxueg5s_b5dPgMaB4Br-tPwGgCXHPO3QqPzctMmVmaGLGFAnvFlTM7IazxFV5l7BeDYoZ3v-S-dN5I/s400/WorkProfile24.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The device now prompts for the work profile PIN to be set and also the device PIN again</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhce6EpEZreYgVd7Vi2yQGYaCD2DC4yWJDMiJTthnJ72fPn6t7EnjvZhh9_Tne7lH6bYVFOA6v-VoneKiJNLK5NXx73eF9IVwQSyugXvn6wnAFFXTS0ISSzW0avXGRxE0FqviUKKLbFT2s/s1600/WorkProfile25.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1391" data-original-width="943" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhce6EpEZreYgVd7Vi2yQGYaCD2DC4yWJDMiJTthnJ72fPn6t7EnjvZhh9_Tne7lH6bYVFOA6v-VoneKiJNLK5NXx73eF9IVwQSyugXvn6wnAFFXTS0ISSzW0avXGRxE0FqviUKKLbFT2s/s400/WorkProfile25.PNG" width="270" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
This is because by default the below option will be turned on</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGhk6kEu6rYkmk9l9TSHGar_g8WgDHNkvC-zh27smQ2x0LtSFWgA5xIOX0h7_EGDt6HSuOs-bphzawTdLC0-7N4vJVKKIynt42rykHmVOC-6EF9Caug811PFU3ApgE5t-TRSQMCpfVFtc/s1600/WorkProfile26.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="915" data-original-width="935" height="391" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGhk6kEu6rYkmk9l9TSHGar_g8WgDHNkvC-zh27smQ2x0LtSFWgA5xIOX0h7_EGDt6HSuOs-bphzawTdLC0-7N4vJVKKIynt42rykHmVOC-6EF9Caug811PFU3ApgE5t-TRSQMCpfVFtc/s400/WorkProfile26.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The following article, <a href="https://docs.microsoft.com/en-us/intune/device-restrictions-android-for-work#work-profile-password">https://docs.microsoft.com/en-us/intune/device-restrictions-android-for-work#work-profile-password</a>, states: "By default, the end user can use the two separately defined PINs, or users can choose to combine the PINs into the stronger of the two PINs." So the default setting will combine the work profile PIN setting with the device PIN and use the stronger of the two. Consider this carefully, and prepare an effective communication plan for your end users, before enabling this</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The "secure work profile" option should now be selected. First the device prompts for the lock screen password</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidqUaqeZaDLAnauxTeLyXiJGMiPKp6Zcdd86lO3Kn0v4l9yegwqz9Ti13fjf_S8kShFJEmG2L-sDwjBIZzKfDZ9nXnl04EzSeyMc6R9rm5Uh2gBzhZ9FtKIgR3BmL75iQ8YTBVJ51rTS0/s1600/20190627_233031.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidqUaqeZaDLAnauxTeLyXiJGMiPKp6Zcdd86lO3Kn0v4l9yegwqz9Ti13fjf_S8kShFJEmG2L-sDwjBIZzKfDZ9nXnl04EzSeyMc6R9rm5Uh2gBzhZ9FtKIgR3BmL75iQ8YTBVJ51rTS0/s400/20190627_233031.jpg" width="225" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Then the Work Profile PIN can be set</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwBqURd_zH7JXYz8jBiVndNXtc9ZKWlKelANxWQxPGirRUnPsTUKX1ac8b3vXIUOgrdyaz3HTPUj9jPR8viOxlS9v3XVr6jpkPojwrzyXKarHpnsNiDgScGz8OlXUX8Eu0HGnfz8bfYYQ/s1600/20190627_233610.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwBqURd_zH7JXYz8jBiVndNXtc9ZKWlKelANxWQxPGirRUnPsTUKX1ac8b3vXIUOgrdyaz3HTPUj9jPR8viOxlS9v3XVr6jpkPojwrzyXKarHpnsNiDgScGz8OlXUX8Eu0HGnfz8bfYYQ/s400/20190627_233610.jpg" width="225" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now they can proceed and set the Work Profile PIN</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Well that's got you up and running with your Work Profile configuration, thanks for reading this post and stay tuned for part 4.</div>
</div>
Leon Ashton-Leatherlandhttp://www.blogger.com/profile/17593394415382066306noreply@blogger.com0tag:blogger.com,1999:blog-3145837469179315622.post-37268903732332638592019-04-27T08:41:00.002+01:002021-08-24T16:15:55.016+01:00Intune Basics Part 2: Modern Device Management with Android Enterprise - Creating Groups<div><b>Last updated: 24/08/21</b></div><div><br /></div><div>
Welcome to part 2 of this series of posts, which is intended to get you started with managing Android devices using the Android Enterprise capabilities within Microsoft Intune.<br />
<br /><div>Part 1 can be found <a href="https://www.leonsitblog.com/2019/04/intune-basics-part-1-modern-device.html" target="_blank">here</a> and covers setting up the various Android Enterprise enrolment methods<br /><br /></div><div>Part 3 can be found <a href="https://www.leonsitblog.com/2019/06/intune-basics-part-3-modern-device.html" target="_blank">here</a> and covers the configuration of Personally-owned Work Profile devices<br /><br />Part 4 can be found <a href="https://www.leonsitblog.com/2019/07/intune-basics-part-4-modern-device.html" target="_blank">here</a> and covers the configuration of Dedicated devices</div><div><br /></div><div>Part 5 can be found <a href="https://www.leonsitblog.com/2019/09/intune-basics-part-5-modern-device.html" target="_blank">here</a> and covers the configuration of Fully Managed devices<br /><br />This series will get you up and running as quickly as possible, therefore if you require further detail and explanation on Android Enterprise please refer to my previous post <a href="https://www.leonsitblog.com/2019/01/android-enterprise-and-intune-overview.html" target="_blank">here</a> which I am ensuring is kept up to date as newer functionality is supported within Intune.</div></div>
<div>
<br /></div>
<div>
This post will talk about the creation of Azure AD (AAD) user and device groups, and provide some recommendations and considerations for your environment.<br />
<br />
Before commencing an implementation, it must be clear whether, along with company-issued devices, your organisation will support a BYOD policy for Android Enterprise. This is crucial for some of the decisions that need to be made on the creation of AAD groups, and in some cases it creates interesting scenarios. For example, a user has a company-issued phone and wishes to enrol their personally owned Android tablet, which they are fully entitled to do under their organisation's IT policy. Do you wish to deploy a different set of apps to personal devices than to company-owned ones? If so, then some apps will need to be assigned to device groups rather than users.<br />
<br />
Dynamic AAD groups can be used for the above, and can be created by the following process<br />
<br />
Log into the Endpoint Manager admin center and select <b>Groups</b><br /><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpjD3LS3dkaxd87pBKpqfObqt-bmIcRgLuDTtcOwEN9iPfAlkom4YPTpPXGTz7FrnyyX3alPt4ZTWAo1WF_TzJfeBXxzHudhycu0JsqeHs043jerjzGpgj5RCYZF5rxydmPTxRBRXUJ1E/s356/AAD+Groups+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="356" data-original-width="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpjD3LS3dkaxd87pBKpqfObqt-bmIcRgLuDTtcOwEN9iPfAlkom4YPTpPXGTz7FrnyyX3alPt4ZTWAo1WF_TzJfeBXxzHudhycu0JsqeHs043jerjzGpgj5RCYZF5rxydmPTxRBRXUJ1E/s16000/AAD+Groups+1.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select <b>New group</b></div>
<div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoE4ZpUNWxjp6goby1kiFsWynu9oaYqr8Q1SW5s2tbMiWFOZntZBKeaRozI-POxxsNxCpkNtQqDnfzG-76wBa7gCUxeoE_sfojGNw7pCcfnteLp2BFb0_EG6C2PlK3Pwi56wuisiRTrwQ/s366/AAD+Groups+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="366" data-original-width="306" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoE4ZpUNWxjp6goby1kiFsWynu9oaYqr8Q1SW5s2tbMiWFOZntZBKeaRozI-POxxsNxCpkNtQqDnfzG-76wBa7gCUxeoE_sfojGNw7pCcfnteLp2BFb0_EG6C2PlK3Pwi56wuisiRTrwQ/s16000/AAD+Groups+2.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select <b>Security</b> for the group type and select an appropriate <b>name </b>with the <b>Membership type</b> of <b>Dynamic Device</b></div>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyGllqiESCh4XD3bP1dcRBsabFBZwRG1Lu3Ce-Wp0-tf87dHHazYftscmaAi5Es6Imb5tA1pqunO65NC9d0tYq-iX6ZUBZxWnjQ7MPWUX56cVHDQTZXO2NY97YbsxuSIM-80fQEqR6rLY/s373/AAD+Groups+3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="373" data-original-width="307" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyGllqiESCh4XD3bP1dcRBsabFBZwRG1Lu3Ce-Wp0-tf87dHHazYftscmaAi5Es6Imb5tA1pqunO65NC9d0tYq-iX6ZUBZxWnjQ7MPWUX56cVHDQTZXO2NY97YbsxuSIM-80fQEqR6rLY/s16000/AAD+Groups+3.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select <b>Add dynamic query</b></div>
<div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgl5PdpS6UhgYMlCln0LbVrS5bynv4eqBLvJN0wKW5WADX2aN2Vw6_g_mBwfaYDjsyyYIjvhz1Vntzk8p5xBMcN-7XiXr2v7JlYdTqv19azpu6ZlUkfWLjLLauwabI-diRlV2d6VoLUAoY/s467/AAD+Groups+4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="467" data-original-width="274" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgl5PdpS6UhgYMlCln0LbVrS5bynv4eqBLvJN0wKW5WADX2aN2Vw6_g_mBwfaYDjsyyYIjvhz1Vntzk8p5xBMcN-7XiXr2v7JlYdTqv19azpu6ZlUkfWLjLLauwabI-diRlV2d6VoLUAoY/s16000/AAD+Groups+4.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: left;">
Use the rule builder to add the following Properties, Operators and Values:</div><div class="separator" style="clear: both; text-align: left;"><b>deviceOSType Equals AndroidForWork</b></div><div class="separator" style="clear: both; text-align: left;"><b>And deviceOwnership Equals Personal</b></div><div class="separator" style="clear: both; text-align: left;">Select <b>Save </b>to complete the changes</div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMUieFCwoQCq1DzjXVEJjwr4fRV97nYZVtDWDOkpvIXAeoj5YZz70vwoq9yNArpawNtdi8CcJSC8QbgcMa60C1YfMtNGW6SYj1l7eoMfb9EJRHRytesnpXUZ1zttR43yq9Vd1plURyPSg/s739/AAD+Groups+5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="452" data-original-width="739" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMUieFCwoQCq1DzjXVEJjwr4fRV97nYZVtDWDOkpvIXAeoj5YZz70vwoq9yNArpawNtdi8CcJSC8QbgcMa60C1YfMtNGW6SYj1l7eoMfb9EJRHRytesnpXUZ1zttR43yq9Vd1plURyPSg/s16000/AAD+Groups+5.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div></div>
<div class="separator" style="clear: both; text-align: left;">Note that you can also <b>Edit </b>the rule syntax directly</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXQyvsNa4MlEhGoNi0HYeqvgKD50KuwavZ0e3KeBaiHlGIpdQv-M0tVW3rCbAs_D40ZxrGWAG0FA7DXmxyrh341ucR-yXV_Q0Ih941o5UCPze8cuQs01uMBc79MEwEM_q45gHANjKI5Yg/s731/AAD+Groups+6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="437" data-original-width="731" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXQyvsNa4MlEhGoNi0HYeqvgKD50KuwavZ0e3KeBaiHlGIpdQv-M0tVW3rCbAs_D40ZxrGWAG0FA7DXmxyrh341ucR-yXV_Q0Ih941o5UCPze8cuQs01uMBc79MEwEM_q45gHANjKI5Yg/s16000/AAD+Groups+6.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">For convenience, I have added some queries below which you can use to build some groups for yourself to cover most use cases. The names I have used are just suggestions, however the queries will need to be copied.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><u>Personally-Owned Work Profile Devices</u></div><div class="separator" style="clear: both; text-align: left;">I am going to start with the most confusing one, due to the terminology that is being used, which will highlight an important point - this enrolment type can indeed be used in Corporately owned scenarios.</div><div class="separator" style="clear: both; text-align: left;"><br /></div>
<div class="separator" style="clear: both; text-align: left;">Name: <b>Android_Personally_Owned_Work_Profile_BYOD</b></div><div class="separator" style="clear: both; text-align: left;">Query: <b>(device.deviceOSType -eq "AndroidForWork") and (device.deviceOwnership -eq "Personal")</b></div><div class="separator" style="clear: both; text-align: left;"><b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
<div class="separator" style="clear: both;">Name: <b>Android_Personally_Owned_Work_Profile_Corp</b></div><div class="separator" style="clear: both;">Query: <b>(device.deviceOSType -eq "AndroidForWork") and (device.deviceOwnership -eq "Company")</b></div></div>
<div class="separator" style="clear: both; text-align: left;"><br /></div>
<div class="separator" style="clear: both; text-align: left;"><u>Dedicated and Corporate-Owned Work Profile Devices</u></div>
<div class="separator" style="clear: both; text-align: left;">These can be created using the rule builder by very simply referencing the <b>enrollmentProfileName </b>property and then the name of the profile that was created back in <a href="https://www.leonsitblog.com/2019/04/intune-basics-part-1-modern-device.html" target="_blank">part 1</a> of this series</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoFSxOVwjgRYUE5rOGyqbBF9UTdcZnV1VrMjevbXi5P1Wkfn-DekgnTDTCGp-UHHYYswRXktbgjdwEqiAKAKMcjfEtmnvtlONE2Ll8tiNT9fmjbgdV8fFEQrz8o_s9CoBsAWkX6MK8htM/s634/AAD+Groups+7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="374" data-original-width="634" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoFSxOVwjgRYUE5rOGyqbBF9UTdcZnV1VrMjevbXi5P1Wkfn-DekgnTDTCGp-UHHYYswRXktbgjdwEqiAKAKMcjfEtmnvtlONE2Ll8tiNT9fmjbgdV8fFEQrz8o_s9CoBsAWkX6MK8htM/s16000/AAD+Groups+7.png" /></a></div><div class="separator" style="clear: both; text-align: left;">Create as many as you need for each of your enrolment profiles</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><u>Fully Managed Devices</u></div>
<div class="separator" style="clear: both; text-align: left;"><br /></div>
<div class="separator" style="clear: both; text-align: left;">Name: <b>Android_Fully_Managed</b></div><div class="separator" style="clear: both; text-align: left;">Query: <b>(device.deviceOSType -eq "AndroidEnterprise") -and (device.enrollmentProfileName -eq null)</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Please refer <a href="https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-dynamic-membership" target="_blank">here</a> for the AAD Dynamic Group documentation</div>
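<div class="separator" style="clear: both; text-align: left;">
As an added example (not part of the original post, and not the author's or Microsoft's own script), the groups above can also be created with the Microsoft Graph PowerShell SDK instead of the rule builder. The group names and queries are copied from this post; the <b>EnrollmentProfileName</b> parameter, the <b>Android_Enrollment_Profile_Devices</b> group name and the descriptions are assumptions made for illustration.</div>

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups

param(
    # Assumption: name of an enrolment profile created in part 1. Leave empty
    # to skip the Dedicated / Corporate-Owned Work Profile group.
    [string]$EnrollmentProfileName = ''
)

# Names and membership rules copied verbatim from the post.
$groups = @(
    @{
        Name = 'Android_Personally_Owned_Work_Profile_BYOD'
        Rule = '(device.deviceOSType -eq "AndroidForWork") and (device.deviceOwnership -eq "Personal")'
    },
    @{
        Name = 'Android_Personally_Owned_Work_Profile_Corp'
        Rule = '(device.deviceOSType -eq "AndroidForWork") and (device.deviceOwnership -eq "Company")'
    },
    @{
        Name = 'Android_Fully_Managed'
        Rule = '(device.deviceOSType -eq "AndroidEnterprise") -and (device.enrollmentProfileName -eq null)'
    }
)

if ($EnrollmentProfileName) {
    # Hypothetical group name; the rule references the enrollmentProfileName
    # property as the post describes.
    $groups += @{
        Name = 'Android_Enrollment_Profile_Devices'
        Rule = "(device.enrollmentProfileName -eq `"$EnrollmentProfileName`")"
    }
}

# Creating groups needs a delegated Group.ReadWrite.All consent.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

foreach ($g in $groups) {
    # Look for groups that already carry this display name.
    $existing = @(Get-MgGroup -Filter "displayName eq '$($g.Name)'" `
                              -Property Id, DisplayName, MembershipRule)

    if ($existing.Count -gt 0) {
        foreach ($e in $existing) {
            if ($e.MembershipRule -ne $g.Rule) {
                # A changed rule silently changes which devices receive the
                # apps and policies assigned to the group, so flag it.
                Write-Warning ("{0} ({1}) exists with a different rule: {2}" -f `
                               $e.DisplayName, $e.Id, $e.MembershipRule)
            }
            else {
                Write-Host "$($e.DisplayName) already exists with the expected rule."
            }
        }
        continue
    }

    $params = @{
        DisplayName                   = $g.Name
        Description                   = 'Dynamic device group for Android Enterprise' # assumption
        MailEnabled                   = $false
        MailNickname                  = $g.Name   # required by Graph even for security groups
        SecurityEnabled               = $true
        GroupTypes                    = @('DynamicMembership')
        MembershipRule                = $g.Rule
        MembershipRuleProcessingState = 'On'
    }

    $new = New-MgGroup @params
    Write-Host "Created $($new.DisplayName) ($($new.Id))"
}
```

<div class="separator" style="clear: both; text-align: left;">
Running it a second time creates nothing new and only reports any group whose rule no longer matches the queries above.</div>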
<div class="separator" style="clear: both; text-align: left;"><br /></div>
<div class="separator" style="clear: both; text-align: left;">
The same methodology is valid for the creation of user groups. It may be a requirement to scope some user groups to different departments in order to differentiate app deployments or compliance requirements.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Another useful user query is to create an <b>Intune_Users</b> group</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggs_JEaCAP_fO2oMIL6W_3iMDXjq2bjVK1F7PXL5kY-6C1iP7r7E5LMOb6ZGWIuSyN0tV4rro8dN2i0lti-d4Tkiw8GZ3E6Bd_oBWixVDw3kfi_LxQNl43hRsUrDeLo7OriADUSMKpvYA/s589/AAD+Groups+8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="399" data-original-width="589" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggs_JEaCAP_fO2oMIL6W_3iMDXjq2bjVK1F7PXL5kY-6C1iP7r7E5LMOb6ZGWIuSyN0tV4rro8dN2i0lti-d4Tkiw8GZ3E6Bd_oBWixVDw3kfi_LxQNl43hRsUrDeLo7OriADUSMKpvYA/s16000/AAD+Groups+8.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">That concludes this post, many thanks for reading!</div>
</div>
Leon Ashton-Leatherlandhttp://www.blogger.com/profile/17593394415382066306noreply@blogger.com0tag:blogger.com,1999:blog-3145837469179315622.post-40980959190933727362019-04-22T19:41:00.008+01:002021-08-24T15:02:05.573+01:00Intune Basics Part 1: Modern Device Management with Android Enterprise - Enable Enrollment<div><b>Last updated: 24/08/21</b></div><div><br /></div><div>
Welcome to part 1 of this series of posts, which is intended to get you started with managing Android devices using the Android Enterprise capabilities within Microsoft Intune.<br />
<br />Part 2 can be found <a href="https://www.leonsitblog.com/2019/04/intune-basics-part-2-modern-device.html" target="_blank">here</a> and covers the configuration of Azure AD groups</div><div><br />Part 3 can be found <a href="https://www.leonsitblog.com/2019/06/intune-basics-part-3-modern-device.html" target="_blank">here</a> and covers the configuration of Personally-owned Work Profile devices<br /><br />Part 4 can be found <a href="https://www.leonsitblog.com/2019/07/intune-basics-part-4-modern-device.html" target="_blank">here</a> and covers the configuration of Dedicated devices</div><div><br /></div><div>Part 5 can be found <a href="https://www.leonsitblog.com/2019/09/intune-basics-part-5-modern-device.html" target="_blank">here</a> and covers the configuration of Fully Managed devices<br /><br />
This series will get you up and running as quickly as possible, therefore if you require further detail and explanation on Android Enterprise please refer to my previous post <a href="https://www.leonsitblog.com/2019/01/android-enterprise-and-intune-overview.html" target="_blank">here</a> which I am ensuring is kept up to date as newer functionality is supported within Intune.</div>
<div>
<br /></div>
<div>
This post will be discussing the steps required to associate your Intune tenant with Google, along with any other initial mandatory steps required before you can commence enrolling and configuring Android devices within Android Enterprise, utilising all of the available solution sets.<br />
<br />
In preparation, create a Google account with a suitable generic name for the sole purpose of binding your Intune tenant with the Managed Google Play store. You could consider using a shared mailbox or distribution group within your organisation for this.<br />
<br />
Log in to the Endpoint Manager admin center<br />
<br />
Navigate to<b> Devices > Android > Android Enrollment</b> and select <b>Managed Google Play</b></div><div><b><br /></b></div><div style="text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLqR_3oEfSnEBoZlIZVYGNgJU2ymAgwtXdvF5PKQOt1laws12HjmteFIcB18eecEIGApM2X_DgPmIWbABQvWbS7qZDIag_11KEKlAVtamrZ5FOcdMZ2lschZ95VmPCha7hyphenhyphenngW9sSFyns/s783/1+-+MGP.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="419" data-original-width="783" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLqR_3oEfSnEBoZlIZVYGNgJU2ymAgwtXdvF5PKQOt1laws12HjmteFIcB18eecEIGApM2X_DgPmIWbABQvWbS7qZDIag_11KEKlAVtamrZ5FOcdMZ2lschZ95VmPCha7hyphenhyphenngW9sSFyns/s16000/1+-+MGP.png" /></a></div><br /></div><div>
<div class="separator" style="clear: both; text-align: left;">
Check the box to agree to the terms and then select <b>Launch Google to connect now</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxnaouxxk5lOjlo46ZuAxiEWqH-TAerSAG22tE0ZZGKGXFbogUO4tl7sCYTGksysb3aHNoo6FBCnQ57F0qgt6InrPKj0vz6uXjWpFY8TTBgdi8UPiJsv49DNmRvFg_oCo_TlgBnWNukXE/s746/2+-+Agree+MGP.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="430" data-original-width="746" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxnaouxxk5lOjlo46ZuAxiEWqH-TAerSAG22tE0ZZGKGXFbogUO4tl7sCYTGksysb3aHNoo6FBCnQ57F0qgt6InrPKj0vz6uXjWpFY8TTBgdi8UPiJsv49DNmRvFg_oCo_TlgBnWNukXE/s16000/2+-+Agree+MGP.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select <b>Complete sign up</b> and enter your Google account credentials if prompted</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL2wMfjIuEm7LH66hrgdvGLJqgsgpYjN7AwuOk2cIsORV08Fzi80bOrHPEXtnlkS5rXY2eKdOlKxNI0ecV36SVMFva0qzjIe_qXiJTueRMce015GBEp5DrfrdRQRAJqrk8_42G1MGz-qM/s795/3+-+Complete+MGP.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="454" data-original-width="795" height="365" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL2wMfjIuEm7LH66hrgdvGLJqgsgpYjN7AwuOk2cIsORV08Fzi80bOrHPEXtnlkS5rXY2eKdOlKxNI0ecV36SVMFva0qzjIe_qXiJTueRMce015GBEp5DrfrdRQRAJqrk8_42G1MGz-qM/w640-h365/3+-+Complete+MGP.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">Setup is now complete, and you will have access to configure the various enrolment methods</div><div class="separator" style="clear: both; text-align: left;"><br /></div>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqze09DsJGHKFQVuNZvdM1XEmCIdbqR-m6WNarTi-vaRtV4UGXrlssveDirSytdWDr26sLuvpRZLLJeAKkFWKBGE-BKRrWY_XK_wdYl2r3kHSWx9VNTbax9qPLH1UOkwFeEovAkxCf2iU/s664/4+-+Enrolment+Methods+Available.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="258" data-original-width="664" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqze09DsJGHKFQVuNZvdM1XEmCIdbqR-m6WNarTi-vaRtV4UGXrlssveDirSytdWDr26sLuvpRZLLJeAKkFWKBGE-BKRrWY_XK_wdYl2r3kHSWx9VNTbax9qPLH1UOkwFeEovAkxCf2iU/s16000/4+-+Enrolment+Methods+Available.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: left;"><u>Personally-owned Work Profile</u></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">
To ensure that users are able to enrol their Android devices using the Personally-owned Work Profile method (typically for BYOD use case scenarios), this will need to be enabled within enrolment restrictions. In addition, unless there is a specific reason to keep it enabled, Android Device Administrator enrolment should be disabled.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Navigate to <b>Devices > Enroll devices > Enrollment Restrictions. </b>Select the <b>All Users </b>policy within <b>Device type restrictions</b></div>
<div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgenZDJozvKlZwOYyMqo1TbFhX6U6DSK_WQ7PaIseM-xVXdjkaauka2MhihYYDSxXQFsYNSXip5N-klm-znf8genJlzJJWSE8lWukyaOYecQB-fvwvz4VA4Xnu5ZXPQQzDhieGDBCENXos/s743/5-+Device+Restrictions.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="416" data-original-width="743" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgenZDJozvKlZwOYyMqo1TbFhX6U6DSK_WQ7PaIseM-xVXdjkaauka2MhihYYDSxXQFsYNSXip5N-klm-znf8genJlzJJWSE8lWukyaOYecQB-fvwvz4VA4Xnu5ZXPQQzDhieGDBCENXos/s16000/5-+Device+Restrictions.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: left;">
Click <b>Properties</b> then <b>Edit </b>next to <b>Platform settings</b>.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiK0RaebfhopxPoDxLkJ9UsVlF749G5dwQt_ZL1ShIEKOS6f707kmRykgOgitaS98HTlg9sEpxpcvTtGW8wn0eHYB57kq9cKjqzROuN8tOS1GG1GR6684v6xziCdGIIUr5a-QcQeFfFnPc/s376/6-+Device+Restrictions+edit+1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="246" data-original-width="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiK0RaebfhopxPoDxLkJ9UsVlF749G5dwQt_ZL1ShIEKOS6f707kmRykgOgitaS98HTlg9sEpxpcvTtGW8wn0eHYB57kq9cKjqzROuN8tOS1GG1GR6684v6xziCdGIIUr5a-QcQeFfFnPc/s16000/6-+Device+Restrictions+edit+1.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">Select <b>Allow </b>for <b>Android Enterprise (work profile) </b>and <b>Block </b>for <b>Android device administrator</b>. Note that these settings only affect devices that are enrolled from this point forward and not any existing devices.</div><div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZKi_YHFYK0maVdtaU_TWxTtIMqK9_ZP_0N3ltJngbL0MtKDfs-SohHMfXeMlhYweSqWiL8Yjkat8Xf8PiZjyv_pBu4_QyEAYFusHotgb5bjU0fQpj2Aw9Wz2Df7dfGekoT65o-2VFFNI/s297/6-+Device+Restrictions+edit+2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="263" data-original-width="297" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZKi_YHFYK0maVdtaU_TWxTtIMqK9_ZP_0N3ltJngbL0MtKDfs-SohHMfXeMlhYweSqWiL8Yjkat8Xf8PiZjyv_pBu4_QyEAYFusHotgb5bjU0fQpj2Aw9Wz2Df7dfGekoT65o-2VFFNI/s16000/6-+Device+Restrictions+edit+2.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select <b>Review + save </b>then<b> Save</b> to finally complete the configuration.</div>
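<div class="separator" style="clear: both; text-align: left;">
The Allow / Block combination set above can be checked from an export of the tenant's enrolment restriction policies. The following is an added example, not part of the original post: the JSON is a constructed sample, the function name is hypothetical, and the property names (androidRestriction, androidForWorkRestriction, platformBlocked, priority) are assumed to follow the Microsoft Graph beta deviceEnrollmentPlatformRestrictionsConfiguration resource.</div>

```powershell
# Added example: audit Android platform restrictions in an export of
# enrolment restriction policies. Runs offline against the constructed
# sample below.
#
# Assumption: real data would come from the Microsoft Graph beta endpoint
#   /deviceManagement/deviceEnrollmentConfigurations
# e.g. via Invoke-MgGraphRequest ... -OutputType Json after Connect-MgGraph.

# Constructed sample (not real tenant data). Priority 0 is taken to be the
# default "All Users" policy; the second entry is a higher-priority policy.
$sampleJson = @'
{
  "value": [
    {
      "@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration",
      "displayName": "All users and all devices",
      "priority": 0,
      "androidRestriction":        { "platformBlocked": false },
      "androidForWorkRestriction": { "platformBlocked": false }
    },
    {
      "@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration",
      "displayName": "Pilot - AE only (constructed)",
      "priority": 1,
      "androidRestriction":        { "platformBlocked": true },
      "androidForWorkRestriction": { "platformBlocked": false }
    },
    {
      "@odata.type": "#microsoft.graph.deviceEnrollmentLimitConfiguration",
      "displayName": "Device limit (ignored by this check)",
      "priority": 0
    }
  ]
}
'@

function Test-AndroidEnrollmentRestriction {
    [CmdletBinding()]
    param(
        # Raw JSON text of the policy export
        [Parameter(Mandatory)][string]$Json
    )

    $restrictionType = '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration'

    # Keep only platform restriction policies, lowest priority number first
    $policies = ($Json | ConvertFrom-Json).value |
        Where-Object { $_.'@odata.type' -eq $restrictionType } |
        Sort-Object priority

    foreach ($policy in $policies) {
        $findings = @()
        $deviceAdmin = $policy.androidRestriction         # legacy device administrator
        $workProfile = $policy.androidForWorkRestriction  # Android Enterprise work profile

        # The post recommends Block for Android device administrator
        if ($null -eq $deviceAdmin -or -not $deviceAdmin.platformBlocked) {
            $findings += 'Android device administrator enrolment is not blocked'
        }

        # ...and Allow for Android Enterprise (work profile)
        if ($null -eq $workProfile) {
            $findings += 'No work profile restriction in this export'
        }
        elseif ($workProfile.platformBlocked) {
            $findings += 'Android Enterprise (work profile) enrolment is blocked'
        }

        [pscustomobject]@{
            Policy    = $policy.displayName
            Priority  = $policy.priority
            Compliant = ($findings.Count -eq 0)
            Findings  = ($findings -join '; ')
        }
    }
}

# With the constructed sample, the priority 0 policy is reported as
# non-compliant (device administrator still allowed) and the pilot policy
# as compliant.
Test-AndroidEnrollmentRestriction -Json $sampleJson | Format-Table -AutoSize -Wrap
```

<div class="separator" style="clear: both; text-align: left;">
Because the restriction only applies to new enrolments, a clean result here says nothing about devices that enrolled with device administrator before the change.</div>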
<div class="separator" style="clear: both; text-align: left;">
<br /></div><div class="separator" style="clear: both; text-align: left;"><u>Dedicated</u></div><div class="separator" style="clear: both; text-align: left;"><br /></div>
<div class="separator" style="clear: both; text-align: left;">
Next up, let's create an enrolment token for enrolling "Dedicated Devices", which are typically devices intended for a single use, without any user association.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">Navigate to <b>Devices > Android > Android Enrollment > Corporate-owned Dedicated Devices</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTb4u9Z5BcvqeyOptW-ctxwZidDewFkT19fHYn75DC2VP9GhEMrIlEOeAniVe3pQLf_lwwwX5drY4Aw3HghR5vzEKr24UrFv_l0O5aM6TG_rNrB1_BQGBkJDOck4ZNXA2hS_3UPzcgHfw/s665/8+-+Dedicated.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="460" data-original-width="665" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTb4u9Z5BcvqeyOptW-ctxwZidDewFkT19fHYn75DC2VP9GhEMrIlEOeAniVe3pQLf_lwwwX5drY4Aw3HghR5vzEKr24UrFv_l0O5aM6TG_rNrB1_BQGBkJDOck4ZNXA2hS_3UPzcgHfw/s16000/8+-+Dedicated.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select <b>Create profile</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqRTiVw3uAnzmbS3PRcKMMyXPDppM0lMqirj6W2kBegNACJkFQLPQqGT-64Oq1Dc9jfjsOJpTT7I3HWlSI6gSfc-qxJ1ZJTKWLQfWFknw2C4S6fFBtSNBAVscdpEEJ_zitQ3Mr2dRuwnA/s363/9+-+Dedicated+create.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="84" data-original-width="363" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqRTiVw3uAnzmbS3PRcKMMyXPDppM0lMqirj6W2kBegNACJkFQLPQqGT-64Oq1Dc9jfjsOJpTT7I3HWlSI6gSfc-qxJ1ZJTKWLQfWFknw2C4S6fFBtSNBAVscdpEEJ_zitQ3Mr2dRuwnA/s16000/9+-+Dedicated+create.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: left;">
Enter a suitable <b>name</b> then select an appropriate <b>Token type</b>, which should be <b>Corporate-owned dedicated device (default) </b>unless specifically configuring shared mode. Select <b>Next </b>then <b>Create</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVi1Gs1dKq7aDeknx_sqfGXQ7ZPtrjw9IcTaf-uTO4ECyhhMw2AWD6zj3znmYdsshpITgeKOmxNRKZ3gpBFdZafkhvQ9j1NsJtGWgTcF_WUx4hFFa1jTTw9MjQxYmqnBRSbQppmxf4LFY/s770/10+-+Dedicated+config.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="770" data-original-width="694" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVi1Gs1dKq7aDeknx_sqfGXQ7ZPtrjw9IcTaf-uTO4ECyhhMw2AWD6zj3znmYdsshpITgeKOmxNRKZ3gpBFdZafkhvQ9j1NsJtGWgTcF_WUx4hFFa1jTTw9MjQxYmqnBRSbQppmxf4LFY/s16000/10+-+Dedicated+config.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: justify;"><span style="text-align: left;">Create as many profiles as you need for different configurations. All will become clear in part 2 of this </span><span style="text-align: left;">series on how these can be used to scope configurations to different device groups</span></div><div class="separator" style="clear: both; text-align: center;"><span style="text-align: left;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-tQDTc8tNcvyjf5-A-q-6BNhBminkMRmv4rxWARGLpLhULqC598miiQBK62T5hhu_A-phimnNr2QdB6NZcpZQX7h8NEl9t57xcGJ0_oAqVWvbll0V9JF5YwUZVXAsmxkCGJywtOnLdmk/s374/11+-+Multiple+profiles.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="297" data-original-width="374" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-tQDTc8tNcvyjf5-A-q-6BNhBminkMRmv4rxWARGLpLhULqC598miiQBK62T5hhu_A-phimnNr2QdB6NZcpZQX7h8NEl9t57xcGJ0_oAqVWvbll0V9JF5YwUZVXAsmxkCGJywtOnLdmk/s16000/11+-+Multiple+profiles.png" /></a></div><div><br /></div><u>Fully Managed</u><br /><div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: left;">To enable Fully Managed device enrolment functionality, navigate to <b>Devices > Android > Android Enrollment > Corporate-owned, Fully Managed user devices</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht98-LZMPbADxMt0qC_9MLjglXvvH_H8Z1TD5zzIgIdUmd0aTjuf-2gUB-MuG0pp3TfchnjL_Ues0DbqrZ_4PlAbZxECZMSqbCFaJzYSQ8sWC60UToO2jB_9Xd6qc3yVvdbJvv-unypAw/s665/12+-+Fully+Managed.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="460" data-original-width="665" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht98-LZMPbADxMt0qC_9MLjglXvvH_H8Z1TD5zzIgIdUmd0aTjuf-2gUB-MuG0pp3TfchnjL_Ues0DbqrZ_4PlAbZxECZMSqbCFaJzYSQ8sWC60UToO2jB_9Xd6qc3yVvdbJvv-unypAw/s16000/12+-+Fully+Managed.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: left;">Select <b>Yes </b>to enable the enrolment token</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6IWZ__f-6eED2el93JKY18Dm1RsucoAzxdIHhCeUsr2aoqs_1YwJOpptP7dKyqid5N5cRLHyW-5UDqQ3S_nnTYcgtKatwVrUKWmv5pS-RxfH4RW9nfbXcD4Yl0Agsiw4MRURsj22nJSs/s698/13+-+Fully+Managed+Token.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="698" data-original-width="500" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6IWZ__f-6eED2el93JKY18Dm1RsucoAzxdIHhCeUsr2aoqs_1YwJOpptP7dKyqid5N5cRLHyW-5UDqQ3S_nnTYcgtKatwVrUKWmv5pS-RxfH4RW9nfbXcD4Yl0Agsiw4MRURsj22nJSs/s16000/13+-+Fully+Managed+Token.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;"><u>Corporate-Owned Work Profile</u></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">To conclude, a profile needs to be created for facilitating this enrolment method in the following manner:</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Navigate to <b>Devices > Android > Android Enrollment > Corporate-owned devices with work profile</b></div><div class="separator" style="clear: both; text-align: left;"><b><br /></b></div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp4b6gCpVg4Y9CqQiLJtxSgnFzojZxhFu0hFg5dMsX2cZ0OCi_ahWKHn2kIhvTZNT763CmYkjw2JBnWm-0dNqZSentYHb0b2u1qaNa2xJzgb6XAYJ1Qde-oTbUFhTazOfA9RvZBKbBj8M/s665/14+-+COPE.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="460" data-original-width="665" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp4b6gCpVg4Y9CqQiLJtxSgnFzojZxhFu0hFg5dMsX2cZ0OCi_ahWKHn2kIhvTZNT763CmYkjw2JBnWm-0dNqZSentYHb0b2u1qaNa2xJzgb6XAYJ1Qde-oTbUFhTazOfA9RvZBKbBj8M/s16000/14+-+COPE.png" /></a></div><b><br /></b></div><div class="separator" style="clear: both; text-align: left;">Select <b>Create profile</b></div><div class="separator" style="clear: both; text-align: left;"><b><br /></b></div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOEmXwGyj8-Q6RggIrRlZw3SoSkosPDEeWBPaBEnl4QoRi4dIvhl-gDNUh6bEO4tNnxBwLrnMMJgZ56xBck0GTrNc_7NpzQ8kpXFoNqpFSH2kNAtoRklj8uuYFi5OcQab3YZlADOXLrx0/s431/15+-+COPE+Create+Profile.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="93" data-original-width="431" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOEmXwGyj8-Q6RggIrRlZw3SoSkosPDEeWBPaBEnl4QoRi4dIvhl-gDNUh6bEO4tNnxBwLrnMMJgZ56xBck0GTrNc_7NpzQ8kpXFoNqpFSH2kNAtoRklj8uuYFi5OcQab3YZlADOXLrx0/s16000/15+-+COPE+Create+Profile.png" /></a></div><b><br /></b></div><div class="separator" style="clear: both; text-align: left;">Enter a suitable <b>name</b> for the profile then select <b>Next </b>followed by <b>Create. 
</b>You can create multiple profiles if necessary</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHds1I0PSu11XDKmOj5WkostQS05Y2ebT5F9m_yDS_R8eNggecyA5bi71uJzAzQM9780EDRWnkd9iZJfSeWu7fd7Rm4j5iM3FdtCtMsw3BBQ0O8e5EUTmSy02NiVRkKxCPcTp44fZnZM0/s844/16+-+COPE+Configure+Profile.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="844" data-original-width="481" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHds1I0PSu11XDKmOj5WkostQS05Y2ebT5F9m_yDS_R8eNggecyA5bi71uJzAzQM9780EDRWnkd9iZJfSeWu7fd7Rm4j5iM3FdtCtMsw3BBQ0O8e5EUTmSy02NiVRkKxCPcTp44fZnZM0/s16000/16+-+COPE+Configure+Profile.png" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><br /></div>
<div class="separator" style="clear: both; text-align: left;">
That concludes this part of the series, meaning that the various enrolment methods have been set up.</div>
<div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Many thanks for reading this post!</div></div>
Leon Ashton-Leatherland<br />
<br />
OEM Config Demystified (published 2019-02-28, updated 2019-07-22)<br />
<br />
At the end of a previous blog post - <a href="https://leonashtonleatherland.blogspot.com/2019/01/android-enterprise-and-intune-overview.html" target="_blank">Android Enterprise and Intune: An Overview</a> I mentioned that there were other exciting developments within the Android space. I was referring to an initiative which strives to completely transform the way Android devices are managed within the enterprise, namely OEM Config. I just thought I would spend a few moments trying to spread the word on this especially within the Intune world.<br />
<br />
What prompted me to write this post is the latest <a href="https://www.blog.google/products/android-enterprise/google-and-samsung-simplify-choosing-android-enterprise/" target="_blank">announcement</a> of the partnership between Samsung and Google to support the above, which for me was unexpected.<br />
<br />
OEM Config is essentially a way of delivering new functionality for a specific OEM, such as Samsung, to an EMM solution via the app config channels. What this would mean is less waiting and, I am assuming, almost zero-day support for new features. There would be no delay in feature release caused by waiting for interface changes to be made, in the case of Intune, to the Azure / Device Management portal. Once the initial changes are made to support the design of OEM Config, this would be all that was needed.<br />
<br />
The above is then delivered to the device by a single app, for which I think we can expect to see all sorts of weird and wonderful names from each OEM, Samsung's being called the Knox Service Plugin. Note that, if you hadn't read the above Samsung announcement, this is due to be released in the Spring.<br />
<br />
So when will Intune support this? There is no indication yet, but I would be very surprised if after the latest Samsung announcement eyebrows within the Intune product group haven't been raised.<br />
<br />
I have included additional resources below, authored by Android expert Jason Bayton, which go into further depth:<br />
<br />
<a href="https://bayton.org/docs/enterprise-mobility/android/what-is-oemconfig/" target="_blank">https://bayton.org/docs/enterprise-mobility/android/what-is-oemconfig/</a><br />
<a href="https://www.brianmadden.com/opinion/The-state-of-Android-Enterprise-in-2018" target="_blank">https://www.brianmadden.com/opinion/The-state-of-Android-Enterprise-in-2018</a><br />
<br />
Leon Ashton-Leatherland<br />
<br />
Intune Android Enterprise Fully Managed Devices (published 2019-01-20, updated 2019-08-19)<br />
<br />
Microsoft have recently announced the public preview release for the initial support of the Fully Managed Device solution set within Intune, so I thought that for a change I would write up a little something on this 😁<br />
<br />
As a recap, this is now the 3rd solution set to be supported. To see how the different solutions apply to different use case scenarios, I would recommend taking a look at my previous post on <a href="http://leonashtonleatherland.blogspot.com/2019/01/android-enterprise-and-intune-overview.html" target="_blank">Intune and Android Enterprise</a> as a refresher.<br />
<br />
Now just to be clear, at the time of writing, this is what is currently supported, along with the caveat of the public preview tag:<br />
<ul>
<li>App config and deployment</li>
<li>Device restriction config profiles</li>
<li>Deployment of the above config to user groups only</li>
</ul>
<div>
Now this doesn't sound a lot to get excited about but actually the device restrictions are the same settings as what has been available for the dedicated device solution set which has matured over the past 6 months. So there are ample options to get started with a small test group of users, also I am sure you will see support for more features in the coming months.</div>
<div>
<br /></div>
<div>
Now at this point I would like to explain a term you will see within the Intune portal associated with creating config for AE devices: Device Owner. </div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiupLseEipT30KI9UJR12w-7S16d2KdZ6Gd_7gPOSMp81smC4ZwG5q1VwpjOzRss3XsE-RximFG-Qscoj0f4izpa8WnS7FhRjNxadoLhcDkdO0OaV3tqa2MIlvAHbww16vA0UnI_QUu7vA/s1600/DeviceOwner.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="392" data-original-width="372" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiupLseEipT30KI9UJR12w-7S16d2KdZ6Gd_7gPOSMp81smC4ZwG5q1VwpjOzRss3XsE-RximFG-Qscoj0f4izpa8WnS7FhRjNxadoLhcDkdO0OaV3tqa2MIlvAHbww16vA0UnI_QUu7vA/s320/DeviceOwner.PNG" width="303" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
On an Android device, the App that applies policies to the device is called the Device Policy Controller. When the DPC is operating in a way that it has control over the whole device, this is called Device Owner. It now kind of makes sense that the same device restrictions are available for both Fully Managed and Dedicated<span style="background-color: white;">, one would assume the same group of settings for Fully Managed with Work Profile / COPE</span></div>
<div>
The term "Work Profile Only" in the screenshot above I believe is actually incorrect and should be changed to "Profile Owner Only". This is the correct term for when the DPC is operating in a mode which only controls the Work Profile and has limited access to the remainder of the device.</div>
<div>
<br /></div>
<div>
Okay, so let's give this a whirl along with deploying some additional config to the device</div>
<div>
<br /></div>
<div>
Navigate in the M365 Device Management Portal to Device Enrollment > Android Enrollment > Corporate owned, fully managed user devices (Preview)</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglu1OFtQSqRBQjYjhw6he6CXUUC9DvyXEP2XLHBnwydyLEjWVVqhzkam7XFRVtbUUd0oPlB65JYGKpwZqyfUxS8Ng8vBARDqc3ECdAarGbaxYiYO0Jhos7KbKAVXxWCLSmmI7043z2mcE/s1600/CorpFMD.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="797" data-original-width="1466" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglu1OFtQSqRBQjYjhw6he6CXUUC9DvyXEP2XLHBnwydyLEjWVVqhzkam7XFRVtbUUd0oPlB65JYGKpwZqyfUxS8Ng8vBARDqc3ECdAarGbaxYiYO0Jhos7KbKAVXxWCLSmmI7043z2mcE/s400/CorpFMD.PNG" width="400" /></a></div>
<div>
<br /></div>
<div>
Select yes</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7rstHi17ahiTEj98Qi0Gbf5JTMr2G1q-LfBdQD4w681O1rNCcw_NwfPx2TWhF7dHXnRQzBdAsuz1YYHSO_ntYLwGfGEoG3reZpVMMvweIlgpA2Pd9YiYHNjXZ5cFkIcG7I1DqAnfajO8/s1600/CorpFMDYes.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="382" data-original-width="827" height="183" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7rstHi17ahiTEj98Qi0Gbf5JTMr2G1q-LfBdQD4w681O1rNCcw_NwfPx2TWhF7dHXnRQzBdAsuz1YYHSO_ntYLwGfGEoG3reZpVMMvweIlgpA2Pd9YiYHNjXZ5cFkIcG7I1DqAnfajO8/s400/CorpFMDYes.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
Now remembering at the moment we can only scope configurations to users, let's create a user group, navigate to Groups > New Group</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkNx6iHTrtGvWO3HEPNa_sLO9iOpOPeDTo0-mE2pT_XfBR1l3dh1w_ku_VV2Hjb8TWAvxXnQQW7UNnwrutcX7Z3-bcOyeF8lVumrjdZ8xXjdYVPr8Imrafg18ar_1bSuaZegCPTA3Q6Dw/s1600/NewGroup.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="735" data-original-width="1207" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkNx6iHTrtGvWO3HEPNa_sLO9iOpOPeDTo0-mE2pT_XfBR1l3dh1w_ku_VV2Hjb8TWAvxXnQQW7UNnwrutcX7Z3-bcOyeF8lVumrjdZ8xXjdYVPr8Imrafg18ar_1bSuaZegCPTA3Q6Dw/s400/NewGroup.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Populate using the below information, also ensuring that the group has the appropriate users added to it</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWaZ972mwQkFocAfVOBoL31dWog0VXn8tOiE5tRDFj5thASVQqbOnjhfvNmg0zclFZjbs3mh7EZsAfR6nBtcOB3PW7rSJy5MhXBpy0yNWe8xPk5gdFIzQ_AVlE8p6yOS_5DJtFASUpaf8/s1600/GroupConfig.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="752" data-original-width="1133" height="265" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWaZ972mwQkFocAfVOBoL31dWog0VXn8tOiE5tRDFj5thASVQqbOnjhfvNmg0zclFZjbs3mh7EZsAfR6nBtcOB3PW7rSJy5MhXBpy0yNWe8xPk5gdFIzQ_AVlE8p6yOS_5DJtFASUpaf8/s400/GroupConfig.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
Click create</div>
<div>
<br /></div>
<div>
Now let's provision two apps so we can deploy both an available and a required app to the device and observe the experience. Log into the Managed Google Play store, find the Outlook and Edge apps, and approve them.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyQlgqy_119ltBIq28k5hZF3PPDj_dbx7tWyV97Silq9ywCWazMwZaQznim5QS_ZYVIqVBJKIxC7rhbNCggAy3qAWax-wMtZauc3pBC3ZIWEm5FWP6Bs6kR30FSvFrAdV8WzKSocxFMe4/s1600/ManagedGooglePlayApprove.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="562" data-original-width="1366" height="163" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyQlgqy_119ltBIq28k5hZF3PPDj_dbx7tWyV97Silq9ywCWazMwZaQznim5QS_ZYVIqVBJKIxC7rhbNCggAy3qAWax-wMtZauc3pBC3ZIWEm5FWP6Bs6kR30FSvFrAdV8WzKSocxFMe4/s400/ManagedGooglePlayApprove.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
Back in the portal navigate to Client Apps > Managed Google Play and select Sync</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiq1d8qLXaGYFL4SeY78kZkeoPx0-pBIW6Die1TZEclpP1EOQX0IemC8Cb03EqPOPL80vyGZofKqcEHdyvUhfL2bZB489yCf08kYpandmTSvyzXCBJPTlK_CDQkC05KBMB1-oKxadcUovM/s1600/ManagedGooglePlaySync.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="757" data-original-width="1221" height="247" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiq1d8qLXaGYFL4SeY78kZkeoPx0-pBIW6Die1TZEclpP1EOQX0IemC8Cb03EqPOPL80vyGZofKqcEHdyvUhfL2bZB489yCf08kYpandmTSvyzXCBJPTlK_CDQkC05KBMB1-oKxadcUovM/s400/ManagedGooglePlaySync.PNG" width="400" /></a></div>
<div>
<br /></div>
<div>
The apps will now be available in Client Apps > Apps</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYPiUNRBsryTY5PsOmKhAaADdJqz0hhlXGaN7KOuPOUuaoYHvaJwNXiKuePNlwgBX1-0b40F7j8tRnPdij83MXQs0I3c5J51sXWcCvTWDLhT9mx_2lf5DU8cSqqfueIGJsiA_kzLv_M18/s1600/ClientApps.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="549" data-original-width="1600" height="136" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYPiUNRBsryTY5PsOmKhAaADdJqz0hhlXGaN7KOuPOUuaoYHvaJwNXiKuePNlwgBX1-0b40F7j8tRnPdij83MXQs0I3c5J51sXWcCvTWDLhT9mx_2lf5DU8cSqqfueIGJsiA_kzLv_M18/s400/ClientApps.PNG" width="400" /></a></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now deploy them by selecting the app, Assignments > Add group > Specify the assignment type (required for one app and available for the other)</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4A32B55hYf1uOtJCW7ssBiCULUzpOESPsRFydmx_wdL5eWTw_gNGzg7_pygydckXG1eOo2ttjDa2HbA2yLRD5O8Gm4MHvvWuCi-TuEJ56JyLlyxnTxygDtlDEALI9pmAkrY5CAhhMmtU/s1600/AppAssignment.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="725" data-original-width="1339" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4A32B55hYf1uOtJCW7ssBiCULUzpOESPsRFydmx_wdL5eWTw_gNGzg7_pygydckXG1eOo2ttjDa2HbA2yLRD5O8Gm4MHvvWuCi-TuEJ56JyLlyxnTxygDtlDEALI9pmAkrY5CAhhMmtU/s400/AppAssignment.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
Now let's create some device restrictions config and deploy it to the user group. Navigate to Device Configuration > Profiles > Create profile.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4seAv5BoOuft8GeD8wDCRFTxpQ8FPqsgzhB8WpIlGO-SyPhGhEZmwpfJrbEaNv2LGn2DtrnaKmL9yqZvMV9BkiHg76rNGd-yEPAxYBgkWsL_e4BmTdcURiiMryEQg1FXOU47xJ-Vd7QQ/s1600/CreateAEProfile.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="498" data-original-width="979" height="202" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4seAv5BoOuft8GeD8wDCRFTxpQ8FPqsgzhB8WpIlGO-SyPhGhEZmwpfJrbEaNv2LGn2DtrnaKmL9yqZvMV9BkiHg76rNGd-yEPAxYBgkWsL_e4BmTdcURiiMryEQg1FXOU47xJ-Vd7QQ/s400/CreateAEProfile.PNG" width="400" /></a></div>
<br />
<br />
Input a suitable name, select Android Enterprise for the platform, and then select device restrictions under the device owner only menu.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNzQ1alao5Y3mhwacUxQjaVG-8nAjQw1WBwvpoHZfyVzpKQxmIS4X6BZk5-MbpCzWHCAC8vbJTzC4Jcx9fvjp9elMoZppQBsePoNhjpROzUbE2y-lJw8ZZwA3qZK-hAxR2GiHLuSIwxWw/s1600/CreateAEProfileDetails.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="652" data-original-width="428" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNzQ1alao5Y3mhwacUxQjaVG-8nAjQw1WBwvpoHZfyVzpKQxmIS4X6BZk5-MbpCzWHCAC8vbJTzC4Jcx9fvjp9elMoZppQBsePoNhjpROzUbE2y-lJw8ZZwA3qZK-hAxR2GiHLuSIwxWw/s400/CreateAEProfileDetails.PNG" width="262" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select the settings. I have included various settings in this profile, but I would just like to highlight the block factory reset option I have selected here.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh65RDEZZLxwYWZm_Oi5LU01fCz0IyDFdftlwqRYXv6LaSwI37_2ZyISwBmHsDBDn5YmwQCQdRQ-feJVuRg0nmAwaTjzbKPYDUWaxE6jvn1mdCtwcwaPQkhaj_LQvz4DmzPWTsBYaniME0/s1600/BlockFactoryReset.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="726" data-original-width="839" height="345" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh65RDEZZLxwYWZm_Oi5LU01fCz0IyDFdftlwqRYXv6LaSwI37_2ZyISwBmHsDBDn5YmwQCQdRQ-feJVuRg0nmAwaTjzbKPYDUWaxE6jvn1mdCtwcwaPQkhaj_LQvz4DmzPWTsBYaniME0/s400/BlockFactoryReset.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Click on OK then assign the profile to the same group we created previously.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now let's enrol the device. Ensure that it has recently been factory reset, or is brand new out of the box. I will enrol the device using the QR code reader method, which requires Android 7.0 or newer.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGMNS9XJ_y-TPmJaj8tr16T6tI-1pJhYW9y2x5UYBqrfOGvQjTodZYB1M1Evv2QwWH10Z6Qd4AOKi8R9w0zIQlhKf7x4bdwpsrrYGDSV18eBa2zdc8fQjprVMQhiTLZd7m0tUFkTnKbH0/s1600/OOBE.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGMNS9XJ_y-TPmJaj8tr16T6tI-1pJhYW9y2x5UYBqrfOGvQjTodZYB1M1Evv2QwWH10Z6Qd4AOKi8R9w0zIQlhKf7x4bdwpsrrYGDSV18eBa2zdc8fQjprVMQhiTLZd7m0tUFkTnKbH0/s320/OOBE.jpg" width="240" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Tap on the screen multiple times to reveal the QR code reader setup, then select Next.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJ-vEnFfB4okhlzguW-5gvmjA3KGvp9_ZHHXIqMCNdeCGSNozteLhpx3OgMOq3vzQCbkljXCCKxQ78aLCY8Z4-ZrCP20kvrKkX_m5q6KiwK5-nknplKbj1mVLlZIeHSAG-Dh6t3IfZ_vk/s1600/QRSetup.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJ-vEnFfB4okhlzguW-5gvmjA3KGvp9_ZHHXIqMCNdeCGSNozteLhpx3OgMOq3vzQCbkljXCCKxQ78aLCY8Z4-ZrCP20kvrKkX_m5q6KiwK5-nknplKbj1mVLlZIeHSAG-Dh6t3IfZ_vk/s320/QRSetup.jpg" width="240" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Connect to a Wi-Fi network.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-s8qRaw8hCwMg2saXxDmDldkxWXhtSjYIp666aNgTrHYzmPO7ffWblrpsCMwsD40rkkV2jOzUNUTi1lthBY64ANtkYRRwNjRT19f1eUoqjrb3WowuPWwStMEs5CCmaTfdtUvcA3dZDNg/s1600/ConnectWifi.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-s8qRaw8hCwMg2saXxDmDldkxWXhtSjYIp666aNgTrHYzmPO7ffWblrpsCMwsD40rkkV2jOzUNUTi1lthBY64ANtkYRRwNjRT19f1eUoqjrb3WowuPWwStMEs5CCmaTfdtUvcA3dZDNg/s320/ConnectWifi.jpg" width="240" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Wait for a few seconds and the QR reader will now install</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiRN1d31FdD_aaagsq_JxoFBHAMcorEPClkFcBxOT7Wfqmg5DXPbHByGvbSOlYIvDON5VJstjSEc5oRiGeyMCPj9ttdi1Sv8klESJqzUMtegmrjjELagcd3ak8bufrek7mn2WPf_ydLb8/s1600/QRinstall.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiRN1d31FdD_aaagsq_JxoFBHAMcorEPClkFcBxOT7Wfqmg5DXPbHByGvbSOlYIvDON5VJstjSEc5oRiGeyMCPj9ttdi1Sv8klESJqzUMtegmrjjELagcd3ak8bufrek7mn2WPf_ydLb8/s320/QRinstall.jpg" width="240" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now it's ready to scan the QR code from the portal, which we enabled previously.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV2_8ntJIKzB8CYtV5e-StLOWzx43UNFlFao24oRsRbLFlbkAfTm3EwufVsYPxPPCqFB0OOUn-f-UlibynUHViz4tnYlmDRT-wW9wG_kxHDbmxkNrXksNiOwQdsPAGveve1aRq8CYvlCA/s1600/QRReady.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV2_8ntJIKzB8CYtV5e-StLOWzx43UNFlFao24oRsRbLFlbkAfTm3EwufVsYPxPPCqFB0OOUn-f-UlibynUHViz4tnYlmDRT-wW9wG_kxHDbmxkNrXksNiOwQdsPAGveve1aRq8CYvlCA/s320/QRReady.jpg" width="240" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Follow through the wizard and enrolment will commence</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBDF25NhUMUTL-HIHvzyNa47TrvBUrLqotxZU2YttEUx8bHANluedzB24xDUBl2mgOsCgxIo4Mag1_uuK8Fb4VX_g2NJAsmLYpltGVutTbQYe1RBvWLiPz4s8PDqv9BFwpZNLno74qpPM/s1600/EnrolmentStart.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBDF25NhUMUTL-HIHvzyNa47TrvBUrLqotxZU2YttEUx8bHANluedzB24xDUBl2mgOsCgxIo4Mag1_uuK8Fb4VX_g2NJAsmLYpltGVutTbQYe1RBvWLiPz4s8PDqv9BFwpZNLno74qpPM/s320/EnrolmentStart.jpg" width="240" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Accept the terms</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifXgWbRkRgASyos1AECK43itBeSJBIG41sT1zhBqStGUJodhA0o43F799u50rxOYlCX_9-H7XI0ZVf4ccvezLXO0c0RQ69pQD7_nDPMAydd9cwCSNy0D-hJf26JET3lS5tJfO7FvpZQaQ/s1600/AcceptTerms.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifXgWbRkRgASyos1AECK43itBeSJBIG41sT1zhBqStGUJodhA0o43F799u50rxOYlCX_9-H7XI0ZVf4ccvezLXO0c0RQ69pQD7_nDPMAydd9cwCSNy0D-hJf26JET3lS5tJfO7FvpZQaQ/s320/AcceptTerms.jpg" width="240" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Enrolment will continue</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5P2z40OilkZlTL2X0xSx9Na16fwJ6f1m6vZUMAqLvBja6qXCwP74WSCtDr-a8QY1bRayhUzRl7Axw8ibUqS4qQas4Hy_h8jPBMV3QgY20LcP09ojxgwE1XW38uW5TwRRadx0xixlNsfs/s1600/EnrolmentContinue.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5P2z40OilkZlTL2X0xSx9Na16fwJ6f1m6vZUMAqLvBja6qXCwP74WSCtDr-a8QY1bRayhUzRl7Axw8ibUqS4qQas4Hy_h8jPBMV3QgY20LcP09ojxgwE1XW38uW5TwRRadx0xixlNsfs/s320/EnrolmentContinue.jpg" width="240" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Accept the terms for Chrome and you are then prompted for credentials. Enter the username and password.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsc_8ye7jyrM-ig-PfNy5mCaF8fpzGrqf6Hb3jC8nLevBoQY80eWFDK2ekgx7XQIrzHJGRcZTrOow0LdcWxUcjO6FlpGedb6v6VewjzFzrN7qUcAJqZm62_PA3jN8_fWMqTGOLrgk_j_o/s1600/Credentials.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsc_8ye7jyrM-ig-PfNy5mCaF8fpzGrqf6Hb3jC8nLevBoQY80eWFDK2ekgx7XQIrzHJGRcZTrOow0LdcWxUcjO6FlpGedb6v6VewjzFzrN7qUcAJqZm62_PA3jN8_fWMqTGOLrgk_j_o/s320/Credentials.jpg" width="240" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Click the link when prompted</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrwPnH3lglpGfMPgz_Z-YxhXFI8TonH3MLteppdDCzMfHTYX5bb5FHa7eG8Zq0m9NN-5qHIdddRKxR0pjnwdvSJLm5iSOJNGlyepxNJ3blncmMC51xkII05lR6Mlajqy2IOg76ZX9PVUw/s1600/ClickPrompt.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrwPnH3lglpGfMPgz_Z-YxhXFI8TonH3MLteppdDCzMfHTYX5bb5FHa7eG8Zq0m9NN-5qHIdddRKxR0pjnwdvSJLm5iSOJNGlyepxNJ3blncmMC51xkII05lR6Mlajqy2IOg76ZX9PVUw/s320/ClickPrompt.jpg" width="240" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The device is then enrolled</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiE731hPAD7iyaZjhicrWPyb30162geYJYEMi62Qh9wANo7hU4XqEdH23lYTlQX0clrDMUQ4mib11yHT_W__AvnQ1ZBYa03hrLee0ZP4mc5zeWCMkufDgj1AWuMc1rabjvHWoYMMv_G4ZM/s1600/Enrolled.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiE731hPAD7iyaZjhicrWPyb30162geYJYEMi62Qh9wANo7hU4XqEdH23lYTlQX0clrDMUQ4mib11yHT_W__AvnQ1ZBYa03hrLee0ZP4mc5zeWCMkufDgj1AWuMc1rabjvHWoYMMv_G4ZM/s320/Enrolled.jpg" width="240" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
You will now see the required app install</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkF6Qn9oLnYt80XrcKS5BibGOot4oIy8XgcVCJK86UIYAa4C6K4FZW1BnSHX3TNNmw2PDqYnBK-Kv4_OF9sluHiyvx3M9PvrDuhfPO2xmecwPqIejHvZIqCtK4ip00u8WC4ZTac3cLrZQ/s1600/RequiredAppInstall.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkF6Qn9oLnYt80XrcKS5BibGOot4oIy8XgcVCJK86UIYAa4C6K4FZW1BnSHX3TNNmw2PDqYnBK-Kv4_OF9sluHiyvx3M9PvrDuhfPO2xmecwPqIejHvZIqCtK4ip00u8WC4ZTac3cLrZQ/s320/RequiredAppInstall.jpg" width="240" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
On launching the Google Play store you can see the available app we deployed, so the only apps that a user can install on the device are those that have been made available by the organisation.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcDlwiM_bAY5RkB1jytG-2fVWRS0bOakmubDcAYnmxcC_bF0_wHC0oHB8uUs0uFFQnkqDrnIw-pek-iYMl55f8Z3pMc_qWewR8wvu__a4G8cY58dGjllMIc8DaA9GRZuyzydbr9YhputU/s1600/AvailbleApp.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcDlwiM_bAY5RkB1jytG-2fVWRS0bOakmubDcAYnmxcC_bF0_wHC0oHB8uUs0uFFQnkqDrnIw-pek-iYMl55f8Z3pMc_qWewR8wvu__a4G8cY58dGjllMIc8DaA9GRZuyzydbr9YhputU/s320/AvailbleApp.jpg" width="240" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
You will also notice that there are no apps with the badge symbol on them, like you may have already seen with a Work Profile enrolled device.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEga8FSmU-ONSabRriVE6Y33u4qYmQL4iV0IPuLxze-Q1um6p4gnE4sr3UcE20My99r_wnuF71tut8XjjXCmHDGHk9aTuDJZwYEkyC07HSrO2jDsV4jFIxu_wKpgui2smVhjy3XNx0FwF38/s1600/NoBadge.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEga8FSmU-ONSabRriVE6Y33u4qYmQL4iV0IPuLxze-Q1um6p4gnE4sr3UcE20My99r_wnuF71tut8XjjXCmHDGHk9aTuDJZwYEkyC07HSrO2jDsV4jFIxu_wKpgui2smVhjy3XNx0FwF38/s320/NoBadge.jpg" width="240" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Okay, so let's check our device config and attempt to factory reset the device.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9jITzsQipayy0UtVjTk6Rn9eHQbu94vD1GtKPiMUQaO-YE3RcmyG2MP3i-qFPHhP6PYylMkJbk8fCz59xoMY71QeYF-28oImbGiiO4FM1GeeChfZB9t9vwsVAix3V1DrChaCG3fydr-s/s1600/NoFactoryReset.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9jITzsQipayy0UtVjTk6Rn9eHQbu94vD1GtKPiMUQaO-YE3RcmyG2MP3i-qFPHhP6PYylMkJbk8fCz59xoMY71QeYF-28oImbGiiO4FM1GeeChfZB9t9vwsVAix3V1DrChaCG3fydr-s/s320/NoFactoryReset.jpg" width="240" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Cool, so the restriction has applied.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now remember, this feature is in public preview, so it is not recommended for production deployments. I would recommend reviewing the documented considerations <a href="https://docs.microsoft.com/en-us/intune/android-fully-managed-enroll#considerations-for-this-preview-feature" target="_blank">here</a>.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Thanks for reading!</div>
<br />Leon Ashton-Leatherland<br />
<br />
<b>Removing CMG Settings from Configuration Manager</b> (published 2019-01-08, updated 2019-07-22)<br />
<div>
Just a quick post this evening, thought I would take a break from the MD-101 Study, which I am taking the Beta exam for soon. Actually this issue was preventing me being able to create a CMG in my lab so I really needed to get it sorted before continuing.</div>
<div>
<br /></div>
<div>
So I first ran into this issue yesterday when I was trying to remove a CMG from my test lab. I had the following error:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS8yb7jq-FNZvJoM4IgwhGYINp2rE9c0-bRrcf1DuUyAIfJNy0d0e1KiTtzo63_NY1uoq0dwckD5lqM6cSJGGwE_PRyYHnI8kCqQKrGp_HQMKePvBNWvFe2GA51uNMsqUb1qLiflaAJBk/s1600/AzureTenantError.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="552" data-original-width="1083" height="163" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS8yb7jq-FNZvJoM4IgwhGYINp2rE9c0-bRrcf1DuUyAIfJNy0d0e1KiTtzo63_NY1uoq0dwckD5lqM6cSJGGwE_PRyYHnI8kCqQKrGp_HQMKePvBNWvFe2GA51uNMsqUb1qLiflaAJBk/s320/AzureTenantError.PNG" width="320" /></a></div>
<div>
<br /></div>
<div>
I reached out to one of my cool Twitter dudes, Jake Stoker, who is an EM+S warrior, to say that I may need some help and would give him a shout.</div>
<div>
<br /></div>
<div>
I carried out some research first this evening and stumbled across a couple of posts Microsoft MVP Anoop C Nair created on how to clean up <a href="https://www.anoopcnair.com/remove-sccm-cmg/" target="_blank">SCCM CMG and Cloud Services from SCCM</a>, and then saw Anoop's comment at the bottom of the post with a link to <a href="https://www.anoopcnair.com/fix-error-sccm-azure-ad-web-app-already-exists/" target="_blank">FIX – Error SCCM Azure AD Web App Already Exists</a>.</div>
<div>
<br /></div>
<div>
This sounded promising because I had previously experienced the issue described in the title of the second post, but it would appear that I had already removed the Azure Service for Cloud Management.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEjza9dB8OyRXFGhlBAeC1cNKw6ZJOn9cIqfQWtDuBRX5-Jgl-2IH9Wm0F7Y4zelb-txt3JPD3ciudmYFE89yC5tsiRAswRDyHPPkS0iKq44uxNBlUjmNjY7jU3v9TJATHvsRQQjulysY/s1600/AzureService.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="410" data-original-width="733" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEjza9dB8OyRXFGhlBAeC1cNKw6ZJOn9cIqfQWtDuBRX5-Jgl-2IH9Wm0F7Y4zelb-txt3JPD3ciudmYFE89yC5tsiRAswRDyHPPkS0iKq44uxNBlUjmNjY7jU3v9TJATHvsRQQjulysY/s320/AzureService.PNG" width="320" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
I then noticed that the Server (1) and Client (2) applications were still showing under the actual connection to the Azure tenant.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVebE8NqNNEZpxwY1LhOuYfI9rK57L89uoG58ZlRSVj4C7AAzbv-m6RfDjHpriBuaLH5RR4TCIVoF8fjML819ZXtAvL_ZHTXWYiTx6ziRz-aupKSlC3qJfwavbT7OAlX7zjAL_le6T7qU/s1600/AzureADTenant.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="583" data-original-width="663" height="281" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVebE8NqNNEZpxwY1LhOuYfI9rK57L89uoG58ZlRSVj4C7AAzbv-m6RfDjHpriBuaLH5RR4TCIVoF8fjML819ZXtAvL_ZHTXWYiTx6ziRz-aupKSlC3qJfwavbT7OAlX7zjAL_le6T7qU/s320/AzureADTenant.PNG" width="320" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
Okay, so maybe I needed to delete the app registrations manually in Azure AD.</div>
<div>
<br /></div>
<div>
Nope, still the same issue.</div>
<div>
<br /></div>
<div>
After having a DM conversation on Twitter with Jake again this evening, it was established that if there are other Azure Services configured, like the OMS and Microsoft Store for Business, these also need to be removed before trying to remove the association with the Azure Tenant. (Kind of sounds really basic now, doesn't it?) Anyway, the additional steps I carried out were as follows:</div>
<div>
<br /></div>
<div>
Navigated to Administration > Cloud Services > Azure Services, then removed the OMS and MSFB connections one by one.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijOwO7-aaqjoWaeWx9FjqvGtsObFHk4lzvoNr9aDxLEYIddWHEPP_ZXcZkmAhi1qG5iIJQGWn6SP_KS-zvBXLuouDSsm_2w51MlsH8XHWboPgKd472wHesZCbYP3BirJEzLOuX1f9Tfb0/s1600/AzureServicesDelete.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="380" data-original-width="1041" height="116" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijOwO7-aaqjoWaeWx9FjqvGtsObFHk4lzvoNr9aDxLEYIddWHEPP_ZXcZkmAhi1qG5iIJQGWn6SP_KS-zvBXLuouDSsm_2w51MlsH8XHWboPgKd472wHesZCbYP3BirJEzLOuX1f9Tfb0/s320/AzureServicesDelete.PNG" width="320" /></a></div>
<div>
<br /></div>
<div>
I was then able to remove the Azure AD Tenant connection from Config Manager, realising that the Applications within Azure AD could remain in place and, in fact, that I didn't need to delete the CMG Server and Client Apps.</div>
<div>
<br /></div>
<div>
This post may help someone, but I actually just wanted to point out why I absolutely love collaborating within the EM+S community: everyone is so helpful. Thanks Jake and Anoop!</div>
<div>
<br /></div>
Leon Ashton-Leatherland<br />
<br />
<b>Android Enterprise and Intune: An Overview</b> (published 2019-01-04, updated 2021-08-24)<br />
<b>Last updated: 23/08/21</b><br />
<br />
The purpose of this post is to act as a main point of reference for anyone wanting to understand the Android Enterprise functionality that is supported within Microsoft Intune. It was initially based on a <a href="https://www.youtube.com/watch?v=hvwbMHTrZro" target="_blank">presentation</a> that I gave at the Windows Management User Group in London at the end of October 2018. However, the platform is developing all the time, so my aim is to keep this post as up to date as possible. I will also link any appropriate posts I create to provide you with further information in specific areas.<br />
<h2>
History</h2>
The open source Android OS has always been promoted as very flexible, which makes it an attractive prospect for use within the enterprise. It also enables OEMs such as Sony or Samsung to add their own value-adds to the OS before shipping it with their devices. This brings its own challenges and has been a contributing factor to the fragmentation we see within the Android space today.<br />
For an EMM to control things on a device, such as disabling Bluetooth or the camera, it requires access to Device Management APIs. These were traditionally not included within the source code of Android, so the inclusion of this kind of functionality was not only at the discretion of the OEMs, but also meant additional development time for the EMM vendor to support the functionality, if indeed it did at all. This has led to inconsistent behaviour across devices when trying to manage them with an EMM within the enterprise.<br />
<br />
<h2>
Device Admin / "Legacy" Android Device Management</h2>
Device Admin APIs were introduced as far back as Android 2.2 and were originally designed to give certain apps admin privileges on a device, for example facilitating remote wipe when configuring a device to connect to Exchange ActiveSync. Other than a few basic settings, there was very little available on a non-Samsung device. Samsung, on the other hand, have over the years developed their Knox API set on top of the Android OS and provide far more management functionality than any other OEM. You only have to look in the Intune console at the "Knox Only" settings that are available and ultimately only applicable to Samsung devices:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHQGv1AnDrn5YRzfnQ-BbNGKl2Zdwq_Xxm-V9eNzS1gknbRyu_2My4P7aIEM7i_8kTNPLXQYNevVuy-iHqRpSD1HNy5r6W3D0Laba8k_bi1A2LWNAtMurGUYu7KCSszWao9G12fXSF800/s1600/KnoxOnly.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="648" data-original-width="850" height="243" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHQGv1AnDrn5YRzfnQ-BbNGKl2Zdwq_Xxm-V9eNzS1gknbRyu_2My4P7aIEM7i_8kTNPLXQYNevVuy-iHqRpSD1HNy5r6W3D0Laba8k_bi1A2LWNAtMurGUYu7KCSszWao9G12fXSF800/s320/KnoxOnly.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<p style="clear: both; text-align: left;">Device Admin is now considered legacy Android device management, with <a href="https://developers.google.com/android/work/device-admin-deprecation" target="_blank">Google deprecating certain functionality</a> in Android 9 and removing it in Android 10. Microsoft made a <a href="https://www.blog.google/products/android-enterprise/da-migration/" target="_blank">statement here</a> which also explains the current stance on this, and further considerations are <a href="https://techcommunity.microsoft.com/t5/intune-customer-success/using-intune-to-manage-purpose-built-specialty-devices-without/ba-p/1522313" target="_blank">discussed here</a>, as there are still some scenarios where Device Admin is currently the only option for managing a device.</p>
<h2 class="separator" style="clear: both; text-align: left;">
Android Enterprise</h2>
<div class="separator" style="clear: both; text-align: left;">
So what does this solution bring to the table? Well, in a nutshell, lots. I also want to add at this stage, from an Intune perspective, that even though Microsoft are very late to the game (in comparison to other EMMs) in releasing some AE features, they seem to be making some sensible moves. An example is that they have utilised the Android Management API to leverage management functionality provided and developed natively by Google. This is applicable to the Fully Managed scenarios. I am going to echo the words of a super cool Android guru I have met called <a href="https://bayton.org/" target="_blank">Jason Bayton</a>: "This makes me happy".</div>
<h2 class="separator" style="clear: both; text-align: left;">
Solution Sets</h2>
<div class="separator" style="clear: both; text-align: left;">
Probably the most important thing to understand with AE is that there are various ways of managing devices through different "Solution Sets", which address common enterprise scenarios rather than the single way of management we had previously with the "one size fits all" of Device Admin. I will explain what these are:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<h3 class="separator" style="clear: both; text-align: left;">Personally-Owned Work Profile</h3>
<div>
<br /></div>
<div>
This was the first solution set to be supported within Intune and is primarily designed for use in BYOD / employee-owned device scenarios. A profile containing apps and company data is deployed to the device.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGrYicLz1-kTK6tJHwIGIpKCvRRS8nEu-KVOiJIazlfW8z9amj3TP42jzH3G4bjcXtKbYVjG2Hs274MOj2ef6ND6PXv2DbQVnTXGOZDI4aVvXmLA-umeLKSiD2zJaJDrprcpWABMYV0c8/s1600/AndroidEnterpriseWorkProfile.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="759" data-original-width="390" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGrYicLz1-kTK6tJHwIGIpKCvRRS8nEu-KVOiJIazlfW8z9amj3TP42jzH3G4bjcXtKbYVjG2Hs274MOj2ef6ND6PXv2DbQVnTXGOZDI4aVvXmLA-umeLKSiD2zJaJDrprcpWABMYV0c8/s320/AndroidEnterpriseWorkProfile.png" width="164" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
Key points</div>
<ul>
<li>The device is not fully managed by Intune</li>
<li>You cannot carry out a full factory reset / wipe</li>
<li>Simple to control access to and from the profile - so may be suitable for a company owned use case in some organisations</li>
</ul>
<div>
<br /></div>
<h3>
Dedicated Devices</h3>
<div>
<br /></div>
<div>
This solution set is designed for use in kiosk scenarios, both customer facing (e.g. kiosk tablet in a hotel room) and employee facing (e.g. field service management)</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgX3FwZM2kIWy_h4FL0hdmtjFll99p_rM9TUOxymn89rqDRecj-VjQsY8QQrLgKxqAbpBw8vAx9gw8ADYrbw68NWfemy9THWEu5J6u5OpMDJCPpL5Tp5bZzPqs-5HARxR_V_x_AcaP2B3M/s1600/AndroidEnterpriseDedicatedDevices.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="825" data-original-width="433" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgX3FwZM2kIWy_h4FL0hdmtjFll99p_rM9TUOxymn89rqDRecj-VjQsY8QQrLgKxqAbpBw8vAx9gw8ADYrbw68NWfemy9THWEu5J6u5OpMDJCPpL5Tp5bZzPqs-5HARxR_V_x_AcaP2B3M/s320/AndroidEnterpriseDedicatedDevices.png" width="167" /></a></div>
<div>
Key points</div>
<ul>
<li>Not for use in scenarios where user affinity is required (no emails, device isn't assigned to a specific user)</li>
<li>AKA COSU (Corporate Owned Single Use)</li>
</ul>
<div>
<br /></div>
<h3>
Fully Managed Device</h3>
<div>
<br /></div>
<div>
This solution set is designed for managing company owned devices and gives the ability to fully control the device. The administrator also has the option of allowing access to the public Google Play store. In addition, system apps can be enabled on the device at the package level.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRSFLg2cHSGg4T5CxsHW7YHVEZbLqXRe-sNVPjGHA8AIhqJg7YQM36MXAlP2TdKAxAru0vPIMNuLvKvxfMp0nfzaLtdRfMIVsel-05wG4FpzJW_D87u9mMQFazIGul7-huVgKNNHf98XQ/s1600/AndroidEnterpriseFullyManagedDevice.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="758" data-original-width="389" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRSFLg2cHSGg4T5CxsHW7YHVEZbLqXRe-sNVPjGHA8AIhqJg7YQM36MXAlP2TdKAxAru0vPIMNuLvKvxfMp0nfzaLtdRfMIVsel-05wG4FpzJW_D87u9mMQFazIGul7-huVgKNNHf98XQ/s320/AndroidEnterpriseFullyManagedDevice.png" width="164" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
Key Points</div>
<ul>
<li>To transition to this from company owned devices enrolled with Work Profiles will mean factory resetting the device</li>
<li>AKA COBO (Corporate Owned Business Only)</li>
</ul>
<div>
<br /></div>
<h3>
Work Profile on Fully Managed Device</h3>
<div>
<br /></div>
<div>
This is designed for company owned scenarios where the organisation wants to secure company apps within a profile but still give the user limited access for personal use. This is not supported within the Android Management API and is therefore not available within Intune. Google have announced that as of Android 11 this specific solution set will no longer be supported.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1H6IYk041S6OHba6PRHOh9aEMaqlXvZPKECXS_GkvHrfT3GayxOCAnnTkzqe6tNtHzktQNxH2QFGbEll-5lpCo94j4OHyc0kJ2SswRIL0CHTcpaW_mJbKi0ZhVGwioip5xiv8jaKE-T0/s1600/AndroidEnterpriseFullyManagedWithWorkProfile.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="762" data-original-width="390" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1H6IYk041S6OHba6PRHOh9aEMaqlXvZPKECXS_GkvHrfT3GayxOCAnnTkzqe6tNtHzktQNxH2QFGbEll-5lpCo94j4OHyc0kJ2SswRIL0CHTcpaW_mJbKi0ZhVGwioip5xiv8jaKE-T0/s320/AndroidEnterpriseFullyManagedWithWorkProfile.png" width="163" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Key points</div><ul>
<li><div class="separator" style="clear: both; text-align: left;">
AKA COPE (Corporate Owned Personally Enabled)</div>
</li><li><div class="separator" style="clear: both; text-align: left;">Not supported in Intune</div></li></ul><div><br /></div><h3 style="text-align: left;">Corporate-Owned Work Profile</h3><div><br /></div><div>This recently implemented solution set has been backported to support Android 8 and later and is also designed for scenarios where personal usage is permitted on company owned devices. It is similar to the Work Profile solution, except that the provisioning process is different and further control is available within the personal profile of the device.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1xC44UUKyRnBkcowqQ6GJSAHFiJk8FiH7JV53wv-xP8_4lKIE2iaiGm-pa9U7nZiiqxGnpSJCgXRqZem257dHqDup1RNmob14c6Nea2MoV59IZ_u7Zyza1eNqs54S14lpsNtNTU4Lz5M/s759/CorpOwnedWorkProfile.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="759" data-original-width="391" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1xC44UUKyRnBkcowqQ6GJSAHFiJk8FiH7JV53wv-xP8_4lKIE2iaiGm-pa9U7nZiiqxGnpSJCgXRqZem257dHqDup1RNmob14c6Nea2MoV59IZ_u7Zyza1eNqs54S14lpsNtNTU4Lz5M/w165-h320/CorpOwnedWorkProfile.png" width="165" /></a></div><div><br /></div><div><br /></div><div>Key points</div><div><ul style="text-align: left;"><li>Available in public preview for Intune</li><li>Is also a COPE use case</li><li>Intune's iteration of COPE is different to the Work Profile on Fully Managed Device functionality that is available on other MDM platforms</li></ul></div><div><br /></div>
<h2 class="separator" style="clear: both; text-align: left;">
Managed Google Play</h2>
<div>
Another significant benefit of AE is the integration available with the Managed Google Play store. This removes the need for a Google account to be created on the device in order to install company apps, and it also provides a silent app deployment experience for required deployments. Managed configs are also available, which enable provisioned settings to be deployed with apps in order to pre-configure them.</div>
<div>
Improvements to the way managed Google Play integrates with Intune have now been implemented which facilitate the approval or unapproval of apps within the Managed Google Play Store, directly from the Intune portal.</div>
<div>
<br /></div>
<h2>
Zero-Touch Enrolment</h2>
The Android Enterprise ZTE program introduces the ability to purchase devices from an approved reseller, with the devices provisioned within the Zero Touch portal, thus facilitating bulk enrolment. It is an equivalent of Apple's Device Enrolment Program. Note that only certain OEMs are supported for this, and not Samsung - they have their own equivalent called Knox Mobile Enrollment, which is also supported within Intune.<br />
<div>
<br />
<h2>
<span style="font-size: large;">OEM Config</span></h2>
</div>
<div>
OEM Config is now supported within Intune across <a href="https://docs.microsoft.com/en-us/intune/android-oem-configuration-overview#supported-oemconfig-apps" target="_blank">various platforms</a> and brings with it a whole new concept of Android device configuration. It is a standard that has been developed by the app config community and it is based around the concept of a single app developed by the OEM which is deployed via Managed Google Play. Various device configuration settings are then bundled with the app via the standard app config channels in order to configure the device, bringing new functionality to Intune pretty much as soon as the OEM has released it, without the delay usually required for development time.</div>
<h2>
New Intune Android Enterprise Kiosk Settings</h2>
<div>
Posted by Leon Ashton-Leatherland, 2018-12-08 (updated 2019-07-22)</div>
I have been testing the recently released additions to the Android Enterprise Kiosk profile settings and thought I would just write a quick post to show you how these new settings improve the solution.<br />
Before I start, I just wanted to clarify some terminology - this Android Enterprise solution set is now called the "Dedicated Device" solution by Google and no longer "Corporately Owned, Single-Use" as per their <a href="https://developers.google.com/android/work/overview" target="_blank">documentation</a>. I have submitted a request so that this is reflected in the Microsoft Intune Documentation to try and avoid some confusion later on down the line.<br />
<br />
To follow the steps in this post, please initially refer to my <a href="http://leonashtonleatherland.blogspot.com/2018/07/intune-android-enterprise-kiosk-devices.html" target="_blank">previous one</a>, which details how to deploy a single app kiosk. In addition to that configuration, this time I have selected a multiple app kiosk, specifying the Microsoft Edge and TeamViewer apps:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhT0WrBdnUXK7YCoiaX1_Mv8mqTduqhVBlgAKQBJHAVtS5RcK6jQMsqyNygJfxBE3fu6GAu_1EP59SnJ_m_CpcGxYz2vX7tXIXv_xqi3iPtpWehEgo2hQKdh96FASq8dx__EdJWA8S0mwg/s1600/MultiAppKiosk.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="875" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhT0WrBdnUXK7YCoiaX1_Mv8mqTduqhVBlgAKQBJHAVtS5RcK6jQMsqyNygJfxBE3fu6GAu_1EP59SnJ_m_CpcGxYz2vX7tXIXv_xqi3iPtpWehEgo2hQKdh96FASq8dx__EdJWA8S0mwg/s320/MultiAppKiosk.PNG" width="320" /></a></div>
<br />
In addition, ensure that both the TeamViewer and Managed Home Screen apps are synced from the Managed Google Play store and deployed to the appropriate Azure AD group / users.<br />
<br />
Now for the new settings: in the M365 Device Management portal navigate to Device Configuration > Profiles > Locate your kiosk profile and select it > Properties > Settings > Kiosk. Scroll down and you will now see the new settings available.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRH4OFQN_8shy_l5WJg2YA84-9oTEco51VrtwXLaN5ROYfMjwxSqXN5xvF5RtnqcJmIEqHhnGobEsDeRe77Jsg8Bl7JsfWcWvfuylXFdGjTGgP8oxk62dJSTnTTPM6J_optIdPYqZ4zbM/s1600/NewKioskSettings.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="735" data-original-width="1334" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRH4OFQN_8shy_l5WJg2YA84-9oTEco51VrtwXLaN5ROYfMjwxSqXN5xvF5RtnqcJmIEqHhnGobEsDeRe77Jsg8Bl7JsfWcWvfuylXFdGjTGgP8oxk62dJSTnTTPM6J_optIdPYqZ4zbM/s320/NewKioskSettings.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<u>Virtual home button</u><br />
This enables the user to switch between the Managed Home Screen app and the other apps that are specified in the multiple app kiosk. It is particularly useful when devices are not able to use their back button when enrolled in Kiosk mode. The documentation states that on some handsets the user will need to swipe up in order to access the virtual home screen button, as I had to with the device I tested with (Samsung Galaxy A5 2016).<br />
<br />
Launch the Edge browser, then swipe from the bottom of the screen up to see the virtual home button;<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5nxsfaFPfeMu5MWCOxqRjaBg2HrIFQsEZRy8FgskvcR21aSZMuNauE3x9W4853av_EQYKQwhLyQcVMkn464o-4LPjMARcEngjD06FqYqJRl6IQID2GLzRt070NsSO3TXd0DITkXpWD7A/s1600/VirtualHomeButton.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5nxsfaFPfeMu5MWCOxqRjaBg2HrIFQsEZRy8FgskvcR21aSZMuNauE3x9W4853av_EQYKQwhLyQcVMkn464o-4LPjMARcEngjD06FqYqJRl6IQID2GLzRt070NsSO3TXd0DITkXpWD7A/s320/VirtualHomeButton.png" width="180" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<u>Leave Kiosk Mode</u></div>
<div class="separator" style="clear: both; text-align: left;">
This provides a method for an administrator to exit kiosk mode for troubleshooting or additional configuration purposes, like installing software updates.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Tap the back button multiple times to reveal the menu, then select "Exit kiosk"</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWRSE586B8CiVyhThXKiWJhTh-oEI9s9DCmh027RbSBV3zsXyFSEQJO24Gz1WKLiw5yjpyjPTheUkgXEw0WJnyRDjRi8XmsjhgBE7ZQrjmBAMq9DJTAg5fN2Az8I9C5eMolJOcnCi_Sg8/s1600/ExitKiosk.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWRSE586B8CiVyhThXKiWJhTh-oEI9s9DCmh027RbSBV3zsXyFSEQJO24Gz1WKLiw5yjpyjPTheUkgXEw0WJnyRDjRi8XmsjhgBE7ZQrjmBAMq9DJTAg5fN2Az8I9C5eMolJOcnCi_Sg8/s320/ExitKiosk.png" width="180" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
Enter the PIN</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFaSnzEc3nEZ246t4ZkUOQwASH6JtruSOeNG6NctbXR1OYoqWOs07Jn61jEqOaljs3o83n-R6ZRo7KlXpcHyNbdXrmRhWiJQlc3pJ4u-4YtQ6QLkpTNLKwVwQqfttE291yeWiIWQ-IAwU/s1600/EnterPIN.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFaSnzEc3nEZ246t4ZkUOQwASH6JtruSOeNG6NctbXR1OYoqWOs07Jn61jEqOaljs3o83n-R6ZRo7KlXpcHyNbdXrmRhWiJQlc3pJ4u-4YtQ6QLkpTNLKwVwQqfttE291yeWiIWQ-IAwU/s320/EnterPIN.png" width="180" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
You can now access the settings and other apps on the device</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHbhXnhVP2s6RNBSc96ADJ3oPc8Rb91TLf8CoE2Otc2bMajv4SGpzPA72yt4gYVxPstokh9j-B4rOVvarrdlmdJIeOBkl_j1OJm0H6nEeB8_Qbfpmtr-1RR1LjJR8Q9vsP2yYIUL4aKC8/s1600/AccessToDevice.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHbhXnhVP2s6RNBSc96ADJ3oPc8Rb91TLf8CoE2Otc2bMajv4SGpzPA72yt4gYVxPstokh9j-B4rOVvarrdlmdJIeOBkl_j1OJm0H6nEeB8_Qbfpmtr-1RR1LjJR8Q9vsP2yYIUL4aKC8/s320/AccessToDevice.png" width="180" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
To enter kiosk mode again, simply launch the Managed Home Screen app from the apps menu.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjykWsIkOmB6AnxQ8_ZWA6dE24wkDbnFm-55gD9ckznp9Q1YOKbjyx2Nlw6beVCiDBQsBXUPhaa4dDMCOjlW_ZsTqSF6MP4Lowd7plai_7erWEAzvyWk2hz5SU24fHiP7oB-fJ57IiKonk/s1600/ManagedHomeScreen.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjykWsIkOmB6AnxQ8_ZWA6dE24wkDbnFm-55gD9ckznp9Q1YOKbjyx2Nlw6beVCiDBQsBXUPhaa4dDMCOjlW_ZsTqSF6MP4Lowd7plai_7erWEAzvyWk2hz5SU24fHiP7oB-fJ57IiKonk/s320/ManagedHomeScreen.png" width="180" /></a></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<u>Set custom background</u></div>
<div class="separator" style="clear: both; text-align: left;">
You can now set a custom wallpaper based on a URL in order to add some company branding to the device. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimEHrrUGJvlpmnKfmOMjm50OKfz-hi6SNOHe3Me2lZzYsbryWmFLLmoswzP0zm1C_kJdcX_mERZP-PfcyyVC_TMiy_WOZ5_Qj66tVVSJ_pDGQj2yJd6HLcSc4AGm4N1iMxIXnbTgg6-KY/s1600/CustomURLBackground.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimEHrrUGJvlpmnKfmOMjm50OKfz-hi6SNOHe3Me2lZzYsbryWmFLLmoswzP0zm1C_kJdcX_mERZP-PfcyyVC_TMiy_WOZ5_Qj66tVVSJ_pDGQj2yJd6HLcSc4AGm4N1iMxIXnbTgg6-KY/s320/CustomURLBackground.png" width="180" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Some useful additions to the solution, I feel. It also shouldn't be too long before the Android Enterprise Fully Managed Device solution set (formerly COBO - Corporately Owned, Business Only) will be available as a public preview.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Stay tuned for some more Android Enterprise related posts! Thanks for reading!</div>
<h2>
Intune Windows 10 1809 Edge Kiosk</h2>
<div>
Posted by Leon Ashton-Leatherland, 2018-12-01 (updated 2019-07-22)</div>
The release of Windows 10 1809 introduced the ability to configure the Edge browser using assigned access with a local account on a device. This post will show you how to configure a single app public kiosk browser using the required custom settings within Intune.<br />
<br />
Configuring this will give you significant additional functionality over that of the Intune Kiosk Browser app. A feature comparison can be found <a href="https://docs.microsoft.com/en-us/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy#feature-comparison-of-kiosk-mode-and-kiosk-browser-app" target="_blank">here</a>.<br />
<br />
In this example I enrolled the device within Intune during the setup wizard. I then created a local standard user account on the device. I would also recommend at this stage ensuring the device has a suitable hostname. Make sure that you have logged into the device at least once with the local account.<br />
<br />
Now in the M365 Device Management portal navigate to Device Configuration > Profiles then create a new Windows 10 Custom Profile.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg__0YpNlS-duK1F37QeOdytkbYjULUUykeGQNrkwSCVQN3shadJJ65Rrp3NZWEbtpqnh5JPK1qShx8kYpCMvv-6kYGOnFpY_WDzZg-7W6varUUhek0aiXmYj4YywW2fyaWJRc5OBNVdfw/s1600/Create+Profile.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="849" data-original-width="897" height="302" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg__0YpNlS-duK1F37QeOdytkbYjULUUykeGQNrkwSCVQN3shadJJ65Rrp3NZWEbtpqnh5JPK1qShx8kYpCMvv-6kYGOnFpY_WDzZg-7W6varUUhek0aiXmYj4YywW2fyaWJRc5OBNVdfw/s320/Create+Profile.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
In this example I will be adding the following custom OMA-URI settings to the profile;<br />
<br />
<b>Assigned access configuration</b> - this specifies the app to run in kiosk mode along with the local user account that the setting should apply to. Note that the local user account in this example should be substituted with your own, and prefixed with the device's hostname.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6XlAGVPsA0UpOtHIAmrEL1cs68AdGRYmPXQO2-G3LC177YNRR8I3PgJjhW3cDe1AoiDHp8Cks1gZ6SuDZ8nxxPlbFRthO8w834mP2QThUBKqOetRzRVb576Ufr2ad8R95suUvRkn8PtU/s1600/AssignedAccessSettings.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="656" data-original-width="869" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6XlAGVPsA0UpOtHIAmrEL1cs68AdGRYmPXQO2-G3LC177YNRR8I3PgJjhW3cDe1AoiDHp8Cks1gZ6SuDZ8nxxPlbFRthO8w834mP2QThUBKqOetRzRVb576Ufr2ad8R95suUvRkn8PtU/s320/AssignedAccessSettings.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
OMA-URI; ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp<br />
Data type; String<br />
Value; {"Account":"KIOSK\\Kiosk User","AUMID":"Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge"}<br />
<br />
<br />
<b>Set Kiosk Mode Type</b> - Sets the display mode to a public browsing kiosk<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_sk4eIDwwS4DcLNXrHwzRC7AHBkcSm8ALpoSAFWJfrl71PXr4LBB2M2o6tOCH7bPK7EhM1wsJ8b1LCsumgW_oQD0y5kMN2oKM0q8nLb9kleZl-WiilkXIrK_BXUXTztETO_SRHFCylkw/s1600/ConfigureKioskMode.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="271" data-original-width="576" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_sk4eIDwwS4DcLNXrHwzRC7AHBkcSm8ALpoSAFWJfrl71PXr4LBB2M2o6tOCH7bPK7EhM1wsJ8b1LCsumgW_oQD0y5kMN2oKM0q8nLb9kleZl-WiilkXIrK_BXUXTztETO_SRHFCylkw/s320/ConfigureKioskMode.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: Times New Roman; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
OMA-URI; <span style="-webkit-text-stroke-width: 0px; background-color: white; color: black; display: inline !important; float: none; font-family: Segoe UI,SegoeUI,Segoe WP,Helvetica Neue,Helvetica,Tahoma,Arial,sans-serif; font-size: 13.93px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode</span></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
Data type; Integer</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
Value; 1</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-size: 16px; font-style: normal; font-variant: normal; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Configure Edge Timeout settings</b> - This resets the user's session after a specified number of minutes of inactivity. Set the value to the time you want (valid values are 1-1440 minutes).</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-size: 16px; font-style: normal; font-variant: normal; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUhrW8h3q7M1ZNMlmczcGc03N4XDlM1MmFVORPG49cQmTxaToTLNUeK39-7Njk-cngfkaTFq6Ts2014R9nRMKNbuBo-UmhyRxLI8Q6jMzjHskHSXAfdgPnKTJd2YxlJFMif-spheboj3o/s1600/EdgeBrowserSessionTimeout.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="258" data-original-width="576" height="143" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUhrW8h3q7M1ZNMlmczcGc03N4XDlM1MmFVORPG49cQmTxaToTLNUeK39-7Njk-cngfkaTFq6Ts2014R9nRMKNbuBo-UmhyRxLI8Q6jMzjHskHSXAfdgPnKTJd2YxlJFMif-spheboj3o/s320/EdgeBrowserSessionTimeout.PNG" width="320" /></a></div>
OMA-URI; ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout</div>
<div>
Data type; Integer</div>
<div>
Value; 15</div>
<div>
<br /></div>
<div>
<b>Set start pages</b> - Specify the URL(s) that load when the browser launches for the first time</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjJrOr6Q1Q9kFzIbjyutrh_Sk9BMqJutxwRbUk9vLqbPaOaTbrGX_ZbXWTnN_f41zW_j_bN6dp1HbhngVmUgkI86FoKSZL373wfcVXIVfT1DskU2f6SOhNWwWrG5urOAgaxusZlC7DW4w/s1600/DefaultStartPages.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="380" data-original-width="574" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjJrOr6Q1Q9kFzIbjyutrh_Sk9BMqJutxwRbUk9vLqbPaOaTbrGX_ZbXWTnN_f41zW_j_bN6dp1HbhngVmUgkI86FoKSZL373wfcVXIVfT1DskU2f6SOhNWwWrG5urOAgaxusZlC7DW4w/s320/DefaultStartPages.PNG" width="320" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: Times New Roman; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
OMA-URI; ./Vendor/MSFT/Policy/Config/Browser/HomePages</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: Times New Roman; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
Data type; String</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: Times New Roman; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
Value; Website URLs in chevrons - <https://leonashtonleatherland.blogspot.co.uk><https://docs.microsoft.com/en-us/intune/whats-new></div>
<br /><div style="-webkit-text-stroke-width: 0px; color: black; font-size: 16px; font-style: normal; font-variant: normal; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
So the settings will now look like this under the single profile</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-size: 16px; font-style: normal; font-variant: normal; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLsunZMi3asn0aLwyw0-lWXkQEoG9HNOmIR3AWb_fbxwuEH2AwR9D4AbNVeh_9riEx4_m95GxWUtfpVyTLrZC6skY0UZU4D-sGXpt-83tCYJcZLXTX17hFeepITHAVAb6QJkBR8JmgmpE/s1600/AllSettings.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="348" data-original-width="580" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLsunZMi3asn0aLwyw0-lWXkQEoG9HNOmIR3AWb_fbxwuEH2AwR9D4AbNVeh_9riEx4_m95GxWUtfpVyTLrZC6skY0UZU4D-sGXpt-83tCYJcZLXTX17hFeepITHAVAb6QJkBR8JmgmpE/s320/AllSettings.PNG" width="320" /></a></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-size: 16px; font-style: normal; font-variant: normal; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
Save the profile and then deploy it to a group which contains the Kiosk device.</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-size: 16px; font-style: normal; font-variant: normal; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-size: 16px; font-style: normal; font-variant: normal; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
Carry out a sync on the device and then restart.</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-size: 16px; font-style: normal; font-variant: normal; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-size: 16px; font-style: normal; font-variant: normal; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
Ensure that the settings have applied to the device by viewing the device install status within the properties of the profile</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-size: 16px; font-style: normal; font-variant: normal; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbc7MK8jj8V0l8_I1pH8eDihE6s_NjiQ7QPSKUhNV6lgYremBjwMnJIVsEWN_wtgp88u8NBb03dXSHm_ddYfx0bvbimy5rx2-rAxK0Q0bx6EjE5A0WK3N3WvONLl9I6ornrNy304FmJRE/s1600/EdgeKioskDeploymentStatus.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="405" data-original-width="1029" height="125" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbc7MK8jj8V0l8_I1pH8eDihE6s_NjiQ7QPSKUhNV6lgYremBjwMnJIVsEWN_wtgp88u8NBb03dXSHm_ddYfx0bvbimy5rx2-rAxK0Q0bx6EjE5A0WK3N3WvONLl9I6ornrNy304FmJRE/s320/EdgeKioskDeploymentStatus.PNG" width="320" /></a></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-size: 16px; font-style: normal; font-variant: normal; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-size: 16px; font-style: normal; font-variant: normal; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-size: 16px; font-style: normal; font-variant: normal; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
Now log in and you will see Edge launch in kiosk mode with your default start pages and all tabs launching in InPrivate mode. You will also notice that sessions time out after the specified time period.</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-size: 16px; font-style: normal; font-variant: normal; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvKaFfiB9W8Kc8pXDTHOKOEDHWHRUUq4CngZD-7gwiurndM70xil5vcxmXcjKbaBx8lr6TAuDhKjGDdaqyCHJUxeDGwZttNN2IgWgp-RfTf5-vZX-XNDE4V6T3WKjyW7zWCZDD2fWqKZM/s1600/EdgeKioskBroswerConfigured.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1200" data-original-width="1600" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvKaFfiB9W8Kc8pXDTHOKOEDHWHRUUq4CngZD-7gwiurndM70xil5vcxmXcjKbaBx8lr6TAuDhKjGDdaqyCHJUxeDGwZttNN2IgWgp-RfTf5-vZX-XNDE4V6T3WKjyW7zWCZDD2fWqKZM/s320/EdgeKioskBroswerConfigured.jpg" width="320" /></a></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-size: 16px; font-style: normal; font-variant: normal; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-size: 16px; font-style: normal; font-variant: normal; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
You could also add other <a href="https://docs.microsoft.com/en-us/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy#supported-policies-for-kiosk-mode" target="_blank">supported CSPs</a> to further develop the kiosk solution as required - give it a try!</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-size: 16px; font-style: normal; font-variant: normal; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-size: 16px; font-style: normal; font-variant: normal; letter-spacing: normal; margin: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<br />
<br />
<br />
<br /></div>
Leon Ashton-Leatherlandhttp://www.blogger.com/profile/17593394415382066306noreply@blogger.com2tag:blogger.com,1999:blog-3145837469179315622.post-899256940048348982018-08-07T22:50:00.000+01:002019-07-22T19:46:47.292+01:00Samsung Knox Mobile Enrolment (KME)<br />If you are in an organisation with Intune and you want an easy way of bulk enrolling Samsung devices, then you should know that, at the time of writing, the only way of doing this is via KME. Samsung is not one of the <a href="https://www.android.com/intl/en_uk/enterprise/management/zero-touch/" target="_blank">supported OEM partners</a> for Android Zero-Touch Enrolment; it would appear that, as with the "unification" of the Android Enterprise Work Profile and the Samsung Knox Workspace, Samsung have gone it alone. Interesting. See one of my previous blog posts <a href="http://leonashtonleatherland.blogspot.com/2018/06/samsung-oreo-android-enterprise-work.html?m=0" target="_blank">here</a> to understand more about the challenges I have experienced with the latter.<br />
<br />
I will also point out that, disappointingly, only the legacy (Device Admin) Android enrolment method is supported at this time in Intune; however, it was announced on the release of KME that Android Enterprise support was to follow.<br />
<br />
<span style="background-color: transparent; color: black; display: inline; float: none; font-family: "times new roman"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">Anyhow, I thought I would test KME, as in our current organisation we have decided to standardise on Samsung devices.</span><br />
<br />
Some prerequisites:<br />
<ul>
<li>Samsung devices must have Knox 2.4 or newer</li>
<li>You will need to register for a Samsung account, log in and then submit an application for KME, which will need to be approved.</li>
<li>You must purchase your devices through a Samsung authorised reseller and <a href="https://docs.samsungknox.com/KME-Getting-Started/Content/Register_resellers.htm" target="_blank">register them in your KME portal</a> so that your devices can be uploaded when purchased. Note that you are able to upload devices using the Knox Deployment App; however, the process for doing this is probably not feasible for large numbers of devices.</li>
</ul>
<div>
Log in to the KME Portal, select MDM Profiles > Add</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhbo0CSBmBVqKHY1KRzZS-DAJpTICguZk3fluKxnVzQy2hM75PIhVgJX4kl61iXSJ4IkYL4V_YGA5w5fEG2_qfmpf76lowb7ssukBGRGaj_Xn7dGICWndH-AaIvwprSn0zwu5a-wubnVk/s1600/KMEMDMProfileAdd.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="206" data-original-width="1106" height="73" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhbo0CSBmBVqKHY1KRzZS-DAJpTICguZk3fluKxnVzQy2hM75PIhVgJX4kl61iXSJ4IkYL4V_YGA5w5fEG2_qfmpf76lowb7ssukBGRGaj_Xn7dGICWndH-AaIvwprSn0zwu5a-wubnVk/s400/KMEMDMProfileAdd.PNG" width="400" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
Select "Server URI not required for my MDM" then "Next"</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_RUhfiAoAi2fxifSy1FLgqev6eKxMQYCLg-EGKbkOTpXIM6m5rMzr7Dk-6JspLdeDRhKRtA9LLiUdpXJJB3M6ne2307cK7s2JMnQsJV9zCcwki_cwuJ7OnOBstF11aCmtc426y-RivtM/s1600/URINotRequired.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="706" data-original-width="986" height="286" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_RUhfiAoAi2fxifSy1FLgqev6eKxMQYCLg-EGKbkOTpXIM6m5rMzr7Dk-6JspLdeDRhKRtA9LLiUdpXJJB3M6ne2307cK7s2JMnQsJV9zCcwki_cwuJ7OnOBstF11aCmtc426y-RivtM/s400/URINotRequired.PNG" width="400" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
<br /></div>
<div>
<br /></div>
<div>
Enter a suitable name for the profile then select "Add MDM Applications"</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYPHDql5g_Ay4Goh9QmKj-LUFiA3_BiTA2vJoCNBQzapm2hx9tRTaMZFAVuG2XNxWzmoPu2WqG5KCUj5O3YzNLjvNGWp7EeKmwta7ImZW7dkSdMoMU3CBghHTXVMkc3AkpLFbTdYH2ta0/s1600/ProfileName.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="721" data-original-width="683" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYPHDql5g_Ay4Goh9QmKj-LUFiA3_BiTA2vJoCNBQzapm2hx9tRTaMZFAVuG2XNxWzmoPu2WqG5KCUj5O3YzNLjvNGWp7EeKmwta7ImZW7dkSdMoMU3CBghHTXVMkc3AkpLFbTdYH2ta0/s400/ProfileName.PNG" width="378" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
Enter the following URL. Select "Save"</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVP9d7hSGhpBACRXmvikulzghWbLjN8XzIkxE2vKbhLKZVEcI9cCwST5nd3lBBjV7QoahSF_QqhhhD_7_6CJJHxXsrp9WJUusanonyyGG7R8epOXA3UYa1faKSH-aIHGpc-0cMmp_ZP9g/s1600/APKURL.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="242" data-original-width="609" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVP9d7hSGhpBACRXmvikulzghWbLjN8XzIkxE2vKbhLKZVEcI9cCwST5nd3lBBjV7QoahSF_QqhhhD_7_6CJJHxXsrp9WJUusanonyyGG7R8epOXA3UYa1faKSH-aIHGpc-0cMmp_ZP9g/s400/APKURL.PNG" width="400" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
The remaining options are not mandatory and the defaults are fine, so save the changes.</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibDyuyFwkQXeoNhF5_lh2HcfZyRSH_Xr_tTz6QqgiS_i6La__DAZSSCT8nHqT7b59f6sQql1oqV_Wfs6-DJLbUILMfpW22FaW2DZZfipM7POAXy5jPttq2YeqgFebEYuvvtyOmTD6ipPc/s1600/SaveProfile.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="655" data-original-width="735" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibDyuyFwkQXeoNhF5_lh2HcfZyRSH_Xr_tTz6QqgiS_i6La__DAZSSCT8nHqT7b59f6sQql1oqV_Wfs6-DJLbUILMfpW22FaW2DZZfipM7POAXy5jPttq2YeqgFebEYuvvtyOmTD6ipPc/s400/SaveProfile.PNG" width="400" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
At this stage we need to add devices to the portal and, as mentioned, to do this you need to download and install the Knox Deployment App from the Google Play Store on a master device. Log in to the app with your Samsung account credentials.</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZkblU6ZN3wUMJvrQQUnHh4j7yta3QBWlVPmtftF_rYOxgFt1NCaUed4Qr3oalkOa7C2Hgk_lqZDJLnS2FQGHoFLq_0u1Qgy0txi9bTV-6kXdAzPc76ksJNth2BKQfMwB22VZ-ysNCvt8/s1600/KDA.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="707" data-original-width="398" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZkblU6ZN3wUMJvrQQUnHh4j7yta3QBWlVPmtftF_rYOxgFt1NCaUed4Qr3oalkOa7C2Hgk_lqZDJLnS2FQGHoFLq_0u1Qgy0txi9bTV-6kXdAzPc76ksJNth2BKQfMwB22VZ-ysNCvt8/s400/KDA.PNG" width="225" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Take the device you wish to add to the portal, connect it to a Wi-Fi network and then skip through the rest of the start-up wizard until you are at the home screen.</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghXuGB1OC9D50i1IVbg0EC4CsQaYm85nV5uuzVIH0fDZ8g9p_yRrj889mog6qA3zD1gNzf2fM01Su-hp5mUi3DAbvn5-VnfV39LZjVswy3nUx-SQDBTp06oORiBM3ivC2PvruxomhUh4s/s1600/HomeScreenNew.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="893" data-original-width="500" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghXuGB1OC9D50i1IVbg0EC4CsQaYm85nV5uuzVIH0fDZ8g9p_yRrj889mog6qA3zD1gNzf2fM01Su-hp5mUi3DAbvn5-VnfV39LZjVswy3nUx-SQDBTp06oORiBM3ivC2PvruxomhUh4s/s400/HomeScreenNew.PNG" width="223" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; background-color: transparent; color: black; font-family: Times New Roman; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
On the master device, select a profile and mode; in this example I am using NFC to enrol. Select "Start Deployment"</div>
<div style="-webkit-text-stroke-width: 0px; background-color: transparent; color: black; font-family: Times New Roman; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<br style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;" /></div>
<div class="separator" style="-webkit-text-stroke-width: 0px; background-color: transparent; clear: both; color: black; font-family: Times New Roman; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; orphans: 2; text-align: center; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjA1sCEpas4Aqlvgjw9nFLDEevsI8D5TtkKiBOWO8EaE5yMMWaes3rrexw8rZ9Vxfrtc11RH4WaMOMmXt3x4uCBffgeU_VDX8Udf_85HMuqvKHJiyb1T6pbdPD-z9V0rKwZXvySJqyZ8U/s1600/KDAProfileAndMode.PNG" imageanchor="1" style="margin-left: 16px; margin-right: 16px;"><img border="0" data-original-height="857" data-original-width="504" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjA1sCEpas4Aqlvgjw9nFLDEevsI8D5TtkKiBOWO8EaE5yMMWaes3rrexw8rZ9Vxfrtc11RH4WaMOMmXt3x4uCBffgeU_VDX8Udf_85HMuqvKHJiyb1T6pbdPD-z9V0rKwZXvySJqyZ8U/s400/KDAProfileAndMode.PNG" style="cursor: move;" width="233" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Gently tap another device to the back of the master device; when you hear a tone, tap the screen.</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPXh3FRC-6Y6dtwSjdXAYruoYHQvqWiXcEiiuL5F2uaRrZgKuNPzVe3c2ZR2zU6cf64bp-AavOdYqKqBXE6fctiB0o9TuOxKunvY0Eq5WHet4XbP6BlBIFKqLKCUtYnYMbzQHJl051wNs/s1600/TouchToBeam.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="887" data-original-width="493" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPXh3FRC-6Y6dtwSjdXAYruoYHQvqWiXcEiiuL5F2uaRrZgKuNPzVe3c2ZR2zU6cf64bp-AavOdYqKqBXE6fctiB0o9TuOxKunvY0Eq5WHet4XbP6BlBIFKqLKCUtYnYMbzQHJl051wNs/s400/TouchToBeam.PNG" width="221" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
On the device to be uploaded you will see a prompt to update the Knox Enrolment Service; select "Update"</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmdmEykDvCHZ3lxGBeyKAECxeeE1KAOksoT1iWmWMAz7WG1NBBgc5Qsk7JzlgZkMqMNDE1PvVxBJsWlGQ2CX1K7bjgjsoIZhmrWYld27HsShofvlL5zLr1GQOWzc8WGPOcnwYN3p4OgMw/s1600/KnoxEnrolmentServiceUpdate.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="893" data-original-width="502" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmdmEykDvCHZ3lxGBeyKAECxeeE1KAOksoT1iWmWMAz7WG1NBBgc5Qsk7JzlgZkMqMNDE1PvVxBJsWlGQ2CX1K7bjgjsoIZhmrWYld27HsShofvlL5zLr1GQOWzc8WGPOcnwYN3p4OgMw/s400/KnoxEnrolmentServiceUpdate.PNG" width="223" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
Select "Next"</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpC0jJN4Pw9AJiojjw4esNJ9sprzB_WnQ8FZuCY-n60W1XuinPkgNq76vI9FsAfH3NtXoSkX6sR0-wXykiIwUZmljX2d12k8M53zvu-Bh4A-5Xu5Rr-9lOFgnr71xY6t1dMfH-NActxYk/s1600/KMEWizardStart.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="890" data-original-width="502" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpC0jJN4Pw9AJiojjw4esNJ9sprzB_WnQ8FZuCY-n60W1XuinPkgNq76vI9FsAfH3NtXoSkX6sR0-wXykiIwUZmljX2d12k8M53zvu-Bh4A-5Xu5Rr-9lOFgnr71xY6t1dMfH-NActxYk/s400/KMEWizardStart.PNG" width="225" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
The device will now enrol in KME and automatically download the Intune Company Portal.</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizx2zGgN-he00oOzB5emZzc2Niv5NWmA-y2GvKWnBAWuGJGq48lNLpGT5wVhxaOoswEExvsdacPgW1nkQLkbGF-dH-SPy4G1QJ5bfl3RYNhUXrekQ75OeVJ4rjKv8XJg18gwnnSa_vmRY/s1600/CompanyPortalLogin.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="812" data-original-width="500" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizx2zGgN-he00oOzB5emZzc2Niv5NWmA-y2GvKWnBAWuGJGq48lNLpGT5wVhxaOoswEExvsdacPgW1nkQLkbGF-dH-SPy4G1QJ5bfl3RYNhUXrekQ75OeVJ4rjKv8XJg18gwnnSa_vmRY/s400/CompanyPortalLogin.PNG" width="246" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
The device will now appear in the KME portal. At this point it should now be factory reset to provide the improved enrolment experience when the device is next powered on.</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPc5YJ49LJ_jQwpexTPzA79990Fa0TfAGRH7wupEAgBxkfRvfX90bg08Xs03IKjVXFDRjETtlzOf_6fR0DvZ1QiSRTbP78j_16E_f-CfGgjjZ1GKAH8n_NE9OHYQ07ZUCnOjS7Gpw8Cxo/s1600/KMEEnrolledDevice.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="484" data-original-width="1590" height="120" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPc5YJ49LJ_jQwpexTPzA79990Fa0TfAGRH7wupEAgBxkfRvfX90bg08Xs03IKjVXFDRjETtlzOf_6fR0DvZ1QiSRTbP78j_16E_f-CfGgjjZ1GKAH8n_NE9OHYQ07ZUCnOjS7Gpw8Cxo/s400/KMEEnrolledDevice.PNG" width="400" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
As you can see, this is less than ideal for a large number of devices, and it is probably recommended, wherever possible, to have your devices purchased through an authorised reseller, who will upload them to the portal for you.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
So now the experience is as follows:</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Start the wizard, connect to Wi-Fi then accept the terms and conditions</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDeHP4_rRiAcrvWxBviTxZ_SyzSe3rmQuKh_raIsKaCt5JOPVCj8rLCMg4aielt7z-PkwUPtz-A5kmUoFvYK0UHtFLAwkmT5_wKO1WxuNno6pudRtKfGUHxoKKJh8YUoxkVSmHlm_YPHA/s1600/terms2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDeHP4_rRiAcrvWxBviTxZ_SyzSe3rmQuKh_raIsKaCt5JOPVCj8rLCMg4aielt7z-PkwUPtz-A5kmUoFvYK0UHtFLAwkmT5_wKO1WxuNno6pudRtKfGUHxoKKJh8YUoxkVSmHlm_YPHA/s320/terms2.jpg" width="180" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The KME welcome screen is then presented and you can proceed with enrolment.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhspLfOFjUv72L6o_ew_IzQhJkYczVUI58FXg1phN1i_6Oax0YiY3C5BEhFF2Gc9eDVXDbajReu24so8Lpzx17JDAZvsrJeJfIZavkfGfL2APUui50-mM4d84kzCkdvET9OV-caRcNJ56o/s1600/KMEWizardStart.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="890" data-original-width="502" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhspLfOFjUv72L6o_ew_IzQhJkYczVUI58FXg1phN1i_6Oax0YiY3C5BEhFF2Gc9eDVXDbajReu24so8Lpzx17JDAZvsrJeJfIZavkfGfL2APUui50-mM4d84kzCkdvET9OV-caRcNJ56o/s400/KMEWizardStart.PNG" width="225" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Remember - KME does not support Android Enterprise at the moment and it would appear that there is nothing to stop you attempting to enrol a device.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Thanks for taking the time to read this and happy to take any comments!</div>
Leon Ashton-Leatherlandhttp://www.blogger.com/profile/17593394415382066306noreply@blogger.com2tag:blogger.com,1999:blog-3145837469179315622.post-76051716989917241722018-07-13T23:08:00.002+01:002019-07-22T19:44:17.525+01:00Intune Android Enterprise Kiosk Devices (COSU)<br />Android Enterprise (formerly Android for Work) contains various solution sets which are pertinent to the different use cases of Android mobile devices within the business. The full documentation explaining these can be found <a href="https://developers.google.com/android/work/requirements" style="-webkit-text-stroke-width: 0px; background-color: transparent; color: #0066cc; font-family: Times New Roman; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: underline; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;" target="_blank">here</a>.<br />
Until now the only solution available within Intune was the Work profile solution, which really is designed for BYOD devices. I have been using this for the past 2 years with company-owned devices and, whilst I can say Microsoft really have drastically improved its integration with Intune, I soon became aware of its limitations, some of which include:<br />
<ul>
<li>A Google account is required, temporarily at least, to download and install the Company Portal app for enrolment</li>
<li>There is no way to fully remote wipe the device (we achieved this by creating a Samsung account for all of our A5 devices, which is a bit of an admin overhead)</li>
<li>There are lots of notifications related to some of the stock apps, which cannot be disabled, hampering the user experience</li>
<li>There is no way of preventing users from installing apps from the Google Play Store</li>
</ul>
In a BYOD scenario, yes, the above points are to be expected; it is also relatively simple to ensure company data is secured within the profile itself, meaning this is indeed a good solution, but in the right application.<br />
Microsoft have now enabled another solution set within Intune called Corporate-Owned Single Use (COSU) which is designed for devices that are used in specific scenarios, like Kiosk browser machines, barcode scanners or inventory machines. Note that these devices do not have user affinity and are not designed to be assigned to a specific user. Microsoft's <a href="https://docs.microsoft.com/en-us/intune/android-kiosk-enroll" target="_blank">documentation</a> labels this functionality as enrolment for Android Kiosk style devices. This was announced in the Intune docs for the week commencing the <a href="https://docs.microsoft.com/en-us/intune/whats-new#week-of-july-2-2018" target="_blank">2nd July</a> and I have been eagerly awaiting one of my tenants to update with the setting, which one did today.<br />
I have to say from what I have seen so far this really is a great solution and I can think of at least two use cases within production where we could use this today.<br />
In this post I am going to show you how to enrol an Android device as a single browser Kiosk, fully locked down so the user cannot access any other settings on the device. I will also deploy the Edge browser App to it. You could further lock down the browser with some app config by restricting browsing only to certain websites.<br />
<br />
<u>Create the Enrolment profile and associated dynamic group</u><br />
<br />
This profile is the mechanism for identifying the device as COSU and consists of an enrolment token and QR code. OS support is for Android 6 and later: Android 6 supports the token method only; 7, 8 and 9 support both token and QR code; and 9 negates the need to download a QR scanner, saving deployment time slightly. Android 5.1 is supported but requires an NFC tag to be created. I will be using an Android 8 Samsung Galaxy A5 2017 for this post.<br />
A dynamic device group is then created referencing the profile. You can create multiple groups of devices populated by different profiles and can target your app and config deployments accordingly.<br />
<br />
Log in to the Intune portal and navigate to Device Enrolment > Android Enrolment > Kiosk and task device enrolment<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEpLnY9tRJGwTknZBqKvVXVhisrW5bndWIukFaZkkhZ0N-d0Pu_I9lofe1B2bYottKlbc-RlYfaO3FW3Tv8d3CIcEIegFS_Ur7l9_HtrYMSY2Ew81g3q-PfNmaq5JVsPSUP9RjscRRam4/s1600/KioskAndTaskDeviceAndroid.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="785" data-original-width="1519" height="205" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEpLnY9tRJGwTknZBqKvVXVhisrW5bndWIukFaZkkhZ0N-d0Pu_I9lofe1B2bYottKlbc-RlYfaO3FW3Tv8d3CIcEIegFS_Ur7l9_HtrYMSY2Ew81g3q-PfNmaq5JVsPSUP9RjscRRam4/s400/KioskAndTaskDeviceAndroid.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Create a profile with a suitable name and select an expiration date</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhZ13_hp2rtsVx8bHM-7-x12Jv1DjCIT5djn9FmbHZx54dCgEnLGHc0sQtLPvvIOGMDitQYAC02A1SEhN4bRi4w-iI2ZbMAllyvrAuKRufonDmME0JknLHwmSWGtlkFC-vB9la4Or93IU/s1600/CreateAndroidKioskProfile.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="737" data-original-width="450" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhZ13_hp2rtsVx8bHM-7-x12Jv1DjCIT5djn9FmbHZx54dCgEnLGHc0sQtLPvvIOGMDitQYAC02A1SEhN4bRi4w-iI2ZbMAllyvrAuKRufonDmME0JknLHwmSWGtlkFC-vB9la4Or93IU/s400/CreateAndroidKioskProfile.PNG" width="243" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="text-align: left;">
Navigate now to Intune > Groups then create a security group with the following settings, giving it a suitable name for your environment</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-tIWEClDjl5QfiLcK_Tq6HArKWziLUNzCxyKw2oItUMLEETZw14p5HdUT9D4Ak7Ahuq4U57MJol9A3g3CJ0XWxEXFFWqFHeGnL54AEIzriDmNDf0a1Ss4ysHO1Z_pCvGPPCeMw2nXdJA/s1600/DynamicGroupSettings.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="774" data-original-width="1338" height="231" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-tIWEClDjl5QfiLcK_Tq6HArKWziLUNzCxyKw2oItUMLEETZw14p5HdUT9D4Ak7Ahuq4U57MJol9A3g3CJ0XWxEXFFWqFHeGnL54AEIzriDmNDf0a1Ss4ysHO1Z_pCvGPPCeMw2nXdJA/s400/DynamicGroupSettings.PNG" width="400" /></a></div>
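<div style="text-align: left;">
The dynamic device group described above can also be created and checked from PowerShell. This is an added example, not part of the original post: it assumes the Microsoft Graph PowerShell SDK is installed, and the profile name and group name are placeholders. It also warns if an existing group's rule has drifted, since devices enrolled with the token only receive the kiosk configuration while the rule matches and is being processed.</div>

```powershell
# Added example (not from the original post). Uses the Microsoft Graph PowerShell SDK.
# $ProfileName and $GroupName are placeholders; substitute your own values.
#Requires -Modules Microsoft.Graph.Groups

$ProfileName = 'Kiosk-Edge-Profile'     # placeholder: name given to the enrolment profile
$GroupName   = 'Android-COSU-Kiosks'    # placeholder: name for the dynamic device group

Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Refuse names that would need escaping inside the quoted rule literal.
if ($ProfileName -match '["\\]') {
    throw "Profile name '$ProfileName' contains a quote or backslash; rename the profile first."
}

# Devices enrolled with the profile's token or QR code carry its name in
# the enrollmentProfileName device attribute, which the rule matches on.
$rule = '(device.enrollmentProfileName -eq "{0}")' -f $ProfileName

# Look for an existing group with this display name (single quotes doubled for the OData filter).
$filter = "displayName eq '{0}'" -f $GroupName.Replace("'", "''")
$group  = Get-MgGroup -Filter $filter `
            -Property 'id,displayName,groupTypes,membershipRule,membershipRuleProcessingState' |
          Select-Object -First 1

if (-not $group) {
    $params = @{
        DisplayName                   = $GroupName
        MailEnabled                   = $false
        MailNickname                  = ($GroupName -replace '[^A-Za-z0-9]', '')
        SecurityEnabled               = $true
        GroupTypes                    = @('DynamicMembership')
        MembershipRule                = $rule
        MembershipRuleProcessingState = 'On'
    }
    $group = New-MgGroup @params
    Write-Output "Created group $($group.Id) with rule: $rule"
}
else {
    # Drift checks: any of these means newly enrolled kiosks may not be targeted.
    if ($group.GroupTypes -notcontains 'DynamicMembership') {
        Write-Warning "'$GroupName' exists but is not a dynamic group."
    }
    if ($group.MembershipRule -ne $rule) {
        Write-Warning "Rule differs. Found: $($group.MembershipRule)  Expected: $rule"
    }
    if ($group.MembershipRuleProcessingState -ne 'On') {
        Write-Warning "Rule processing is '$($group.MembershipRuleProcessingState)', not 'On'."
    }
}

# Membership is evaluated asynchronously, so a new group or a freshly
# enrolled device may take some time to show up in this count.
$members = @(Get-MgGroupMember -GroupId $group.Id -All)
Write-Output "$($members.Count) member(s) currently in '$GroupName'."
```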
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
<u>Create the config and deploy to the group</u></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
There are ultimately various settings that can be configured within this profile; however, this combination, I feel, is suitable for the kiosk browser device scenario. It prevents the user from accessing the status bar, including the quick settings, as well as preventing use of the home, back and task manager buttons (on this particular device).</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Navigate to Device configuration > Profiles then create a device restrictions profile, ensuring that this is selected under the "Device Owner Only" menu. I should probably explain here that this should be selected because COSU is a subset of the Device Owner Android Enterprise solution set.</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrPzd5b9aUHnJTPFhg_mB5K63lM2KcrhmTe07WBCsE9Fwc-M4Q18ldxRrsNupjQ6xef71rZEnRjPW5fUuYgjPajn_Bq3sHvrPZ_Rv4OdOuz7qEvT_GSzBAch-YfjdlLp2CVzPaUaj1kj4/s1600/Device+RestrictionsDeviceOwner.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="621" data-original-width="498" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrPzd5b9aUHnJTPFhg_mB5K63lM2KcrhmTe07WBCsE9Fwc-M4Q18ldxRrsNupjQ6xef71rZEnRjPW5fUuYgjPajn_Bq3sHvrPZ_Rv4OdOuz7qEvT_GSzBAch-YfjdlLp2CVzPaUaj1kj4/s400/Device+RestrictionsDeviceOwner.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Under "General" block "safe boot" and "status bar"</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiA8mrEsh5UcuvAwtFRA8be5LGBeBTI1lv_4-KWg6SSK3CYiqOBxaTeIvUWn6cmkbCEcRhbbDncNcTgZ5i4GaBNlCxV0jqQ70J7txjRee9NgwtnjVlt2XvNyUj3ZP2R_w0hRHe7b8o5IHQ/s1600/SafeBootStatusBar.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="586" data-original-width="1286" height="181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiA8mrEsh5UcuvAwtFRA8be5LGBeBTI1lv_4-KWg6SSK3CYiqOBxaTeIvUWn6cmkbCEcRhbbDncNcTgZ5i4GaBNlCxV0jqQ70J7txjRee9NgwtnjVlt2XvNyUj3ZP2R_w0hRHe7b8o5IHQ/s400/SafeBootStatusBar.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Under "Kiosk" select "single app kiosk" and select Edge as the managed Intune app to use for kiosk mode</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDqVGNAqwiB-QCHTPQY8USPrkca-Y9YVPFP_KqmNnr8hSJStZCFTVLShAD6BE6oLkIgqRWUXuNVdxAeDjOv46DPp8OeDTJvClhBs3EoXVGnF_yMVM2CnY9RYpHkr3-qRDh1K4_FbiU5_k/s1600/KioskSingleAppEdge.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="746" data-original-width="877" height="340" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDqVGNAqwiB-QCHTPQY8USPrkca-Y9YVPFP_KqmNnr8hSJStZCFTVLShAD6BE6oLkIgqRWUXuNVdxAeDjOv46DPp8OeDTJvClhBs3EoXVGnF_yMVM2CnY9RYpHkr3-qRDh1K4_FbiU5_k/s400/KioskSingleAppEdge.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now select any required password and power settings for the lock screen timeout. I am going to skip them for the purpose of this demo.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Assign the profile to the dynamic device group you created earlier</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9297b4N_OzTuioVEjeGKerZZGZiD9SWBqbN8Oq6O9IAH1XI7H8HkElfZKRaQCMD1oQYBJhX3e9oH_3dlLf25q_VAsyCPVQCX4jBBhJShY_z4u9p9Wl2aNW8ILZnVdNOOSA1KvtaceFuo/s1600/SamsugKiosksAssign.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="715" data-original-width="1275" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9297b4N_OzTuioVEjeGKerZZGZiD9SWBqbN8Oq6O9IAH1XI7H8HkElfZKRaQCMD1oQYBJhX3e9oH_3dlLf25q_VAsyCPVQCX4jBBhJShY_z4u9p9Wl2aNW8ILZnVdNOOSA1KvtaceFuo/s400/SamsugKiosksAssign.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Navigate to Mobile apps > Apps then assign the Edge app to the device group as "required" (note that only required and uninstall are supported for COSU)</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFGdZsRKXkRmPeSNpIUKDVBi3gfBDOMM1PBU9RB9YLLcXv0dMgiCxTlyTs4gHj4HAs7r-XOsV3hbm7P2LvicltYRdTgwgL51x0YFdReq2HdXIFoC8yW_riBZyxluz9E_ZMIoe1i-y67N0/s1600/AssignEdge.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="731" data-original-width="1327" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFGdZsRKXkRmPeSNpIUKDVBi3gfBDOMM1PBU9RB9YLLcXv0dMgiCxTlyTs4gHj4HAs7r-XOsV3hbm7P2LvicltYRdTgwgL51x0YFdReq2HdXIFoC8yW_riBZyxluz9E_ZMIoe1i-y67N0/s400/AssignEdge.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<u>Enrol the device</u></div>
<div class="separator" style="clear: both; text-align: left;">
<u><br /></u></div>
<div class="separator" style="clear: both; text-align: left;">
I will be enrolling the device using the QR reader. The following requires a minimum of Android 7</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
On a device that has been factory reset, tap multiple times on the first screen you see. You will then see the following</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgndbG8nGs-9gSC_q2lR7ZbxapsTPypq38vzlqh2kp6PhnXDYoSFXf_1uY5cPTfBRCp1odbwXKdN5-_ZIgC6cROVldoTVePwTdIJmPzWON2RmXr5T8XRXg5Z7ORggQPKVE2GL1VSU1sxp0/s1600/WizardStart.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgndbG8nGs-9gSC_q2lR7ZbxapsTPypq38vzlqh2kp6PhnXDYoSFXf_1uY5cPTfBRCp1odbwXKdN5-_ZIgC6cROVldoTVePwTdIJmPzWON2RmXr5T8XRXg5Z7ORggQPKVE2GL1VSU1sxp0/s400/WizardStart.jpg" width="225" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Connect to Wi-Fi</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTNCVb2W_CTQloxQTpfm5_G5rfCxjONDpmHvbHBXintV8LmMR_2Jj-4Z3YTHqjUnzfUrhbohAQlW4uJqj97tmqw_3hubkMvsgcjhaQ1hzeojGGBNyQGvpPmy6av4YngYg2R8p7Zm2NvBg/s1600/Wifi.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTNCVb2W_CTQloxQTpfm5_G5rfCxjONDpmHvbHBXintV8LmMR_2Jj-4Z3YTHqjUnzfUrhbohAQlW4uJqj97tmqw_3hubkMvsgcjhaQ1hzeojGGBNyQGvpPmy6av4YngYg2R8p7Zm2NvBg/s400/Wifi.jpg" width="225" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The QR reader will then install</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvhZ_TBiyoPQ5tupWIRoKtA4OQW1PJuPTTYZA7G6vnUIg9CD2S7drp-Vo4oe729S-87v27La8Iq5wFuhEmHCQpH-9x1iEu_n5UEl8mLz1yLeRcbc4YblhL4SZ-ZOzLDiSfrcAq_xdDsz0/s1600/WizardStart.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvhZ_TBiyoPQ5tupWIRoKtA4OQW1PJuPTTYZA7G6vnUIg9CD2S7drp-Vo4oe729S-87v27La8Iq5wFuhEmHCQpH-9x1iEu_n5UEl8mLz1yLeRcbc4YblhL4SZ-ZOzLDiSfrcAq_xdDsz0/s400/WizardStart.jpg" width="225" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Scan the QR code found within the enrolment profile in the Intune portal</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJF4sVTPlolptbrlL4sC3s9GXBNM1e7LaU3EqIfCoCBMJ0mAuM6-gAYTNaZouspti9vnIU4m3kFKTwIz5SKdzRiQvxjosXP2qDfQzRlGhGMKnrD255sQR98P2KvF8WRzrBeRgHuGhMYM8/s1600/QRCode.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="761" data-original-width="1096" height="277" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJF4sVTPlolptbrlL4sC3s9GXBNM1e7LaU3EqIfCoCBMJ0mAuM6-gAYTNaZouspti9vnIU4m3kFKTwIz5SKdzRiQvxjosXP2qDfQzRlGhGMKnrD255sQR98P2KvF8WRzrBeRgHuGhMYM8/s400/QRCode.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Agree to the terms and select "Next"</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjj-rfb11Qv-YSokVORZ9vdK139BheGesVxlI6srIYewoMAnNBr36m3kwY-hlWKEUHRE-NY3-I8xa-evzKU0NopdMQVLbHFJExg7Ylfn2n9bkTGqV5rAILk4tVbGXOoN0JjJypgGa0jqp8/s1600/terms1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjj-rfb11Qv-YSokVORZ9vdK139BheGesVxlI6srIYewoMAnNBr36m3kwY-hlWKEUHRE-NY3-I8xa-evzKU0NopdMQVLbHFJExg7Ylfn2n9bkTGqV5rAILk4tVbGXOoN0JjJypgGa0jqp8/s400/terms1.jpg" width="225" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The device will begin to enrol</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN_fyGnOYidb1bu6zJ5Bj25zqWBhTBz2uWnCVEFAT4ipI0lBEp_UECclD46Aho68WX8_zNP3CKpukmM7nnP2EeBuPBTn1WzjgsMzx8pmSiFRUA17SJ0XJTU1Yxg7cwY8UkyncBwxgD4Zc/s1600/Setup.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN_fyGnOYidb1bu6zJ5Bj25zqWBhTBz2uWnCVEFAT4ipI0lBEp_UECclD46Aho68WX8_zNP3CKpukmM7nnP2EeBuPBTn1WzjgsMzx8pmSiFRUA17SJ0XJTU1Yxg7cwY8UkyncBwxgD4Zc/s400/Setup.jpg" width="225" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Agree to more terms</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlCf8kljWMxsbxZMKwfb7EVLPM0yv42ZTiBBbg5QsIIchB06Wu0TU_OQ8OvUXyS1TLrom0mJy-LyrvMUeCNpQAx2ClATDEN7l-JQfp-zOmLnxQ-MbtQ0cTbWR3E15lt5Ph31MIC8_JJDA/s1600/terms2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlCf8kljWMxsbxZMKwfb7EVLPM0yv42ZTiBBbg5QsIIchB06Wu0TU_OQ8OvUXyS1TLrom0mJy-LyrvMUeCNpQAx2ClATDEN7l-JQfp-zOmLnxQ-MbtQ0cTbWR3E15lt5Ph31MIC8_JJDA/s400/terms2.jpg" width="225" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The device will now download some updates for Google Play services</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYbzfqzcFvwYA_DAo_Srzg2Kwplra7PFM7Mitj-i3AwuOL8clDJlv2fB8zN5jnqiN2Gc8c2mYcBsf0KoRba0pgvwKHM2wnh2zqd0XKaFNTrwXQ6rBB2aqt9AzkTblMeqSVJehNOWqqxF8/s1600/DeviceUpdates.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYbzfqzcFvwYA_DAo_Srzg2Kwplra7PFM7Mitj-i3AwuOL8clDJlv2fB8zN5jnqiN2Gc8c2mYcBsf0KoRba0pgvwKHM2wnh2zqd0XKaFNTrwXQ6rBB2aqt9AzkTblMeqSVJehNOWqqxF8/s400/DeviceUpdates.jpg" width="225" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="text-align: left;">
If you encounter any issues at this stage you will need to reset the device from here</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhynqUXQjJDsL9EE5sZKGDj3QeNNI5v8tPHYl9P7BOVU37Ozw3kUl9-GapqpfkujFQi2wRoZ5FQtpSRjoga9Tb4KQoXcbnzV1RncECz3ZOD2bzEbzzkcmjNR0ZMr1CkC1gLlaHz5JoVXAQ/s1600/20180713_221643.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhynqUXQjJDsL9EE5sZKGDj3QeNNI5v8tPHYl9P7BOVU37Ozw3kUl9-GapqpfkujFQi2wRoZ5FQtpSRjoga9Tb4KQoXcbnzV1RncECz3ZOD2bzEbzzkcmjNR0ZMr1CkC1gLlaHz5JoVXAQ/s400/20180713_221643.jpg" width="225" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
Or you can opt to retry without a factory reset here (I have found that more often than not this resolves any issues)</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyREOoK-zGS4lNqZkcQ2cx9oaBDy82V13EM47OQmhESZQpVvh9eBlamA8GcuIF0OHQAzrQMJbb5ZaflJOUwwLve1zYnDMbp33AlzOTiYVwwhc9R9thkweOX_P38SmTizLYrwrHmF9sf-4/s1600/20180713_221737.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyREOoK-zGS4lNqZkcQ2cx9oaBDy82V13EM47OQmhESZQpVvh9eBlamA8GcuIF0OHQAzrQMJbb5ZaflJOUwwLve1zYnDMbp33AlzOTiYVwwhc9R9thkweOX_P38SmTizLYrwrHmF9sf-4/s400/20180713_221737.jpg" width="225" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now the device is enrolled</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi59QptWgh03fkOqNG86FODlLIRspVpUdlJGaaETcvX-bFjxc-tRbKJ3UTIfTBekPBO1WGynPodhGJWXEc_4QjyhoS7LHDF9OVJmTA-JiSGVTrru-Bo3ebADUMOQm8xZHmJMR7Vc-P2hCs/s1600/HomeScreenEnrolled.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi59QptWgh03fkOqNG86FODlLIRspVpUdlJGaaETcvX-bFjxc-tRbKJ3UTIfTBekPBO1WGynPodhGJWXEc_4QjyhoS7LHDF9OVJmTA-JiSGVTrru-Bo3ebADUMOQm8xZHmJMR7Vc-P2hCs/s400/HomeScreenEnrolled.PNG" width="225" /></a></div>
<br />
You will notice that when you access the Google Play store it is fully managed and is the only mechanism for installing apps on the device<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLKo1_6obHO4KYLoCPKPX7C8f4xPgsS4g1NGgg8zb5H0uAKVLHYqzWH1KsDzfsVltjw9IJHGmL9_j90-BFw2MPYYTQqNqUjV3XUjnBTcWUl6EwfSW4alB5eDjhNp8_nESpnYspKJYhVYI/s1600/Screenshot_20180713-223137_Google+Play+Store.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLKo1_6obHO4KYLoCPKPX7C8f4xPgsS4g1NGgg8zb5H0uAKVLHYqzWH1KsDzfsVltjw9IJHGmL9_j90-BFw2MPYYTQqNqUjV3XUjnBTcWUl6EwfSW4alB5eDjhNp8_nESpnYspKJYhVYI/s400/Screenshot_20180713-223137_Google+Play+Store.jpg" width="225" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Wait for the Edge app to be installed</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigyviGJ4FxCUi1kIY84xL3gsD9yHyiZB49Zt_AiMZ7xBHdzEPW9_eKacrChcqaZw2t1SkqKIFCy1YpCQcDhnYssZCCS18PVvXemVeFnGjlSUWnzS2GxEQaHDzzkpq5jNoWNmB23-qgsI0/s1600/Screenshot_20180713-223434_Device+Policy.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigyviGJ4FxCUi1kIY84xL3gsD9yHyiZB49Zt_AiMZ7xBHdzEPW9_eKacrChcqaZw2t1SkqKIFCy1YpCQcDhnYssZCCS18PVvXemVeFnGjlSUWnzS2GxEQaHDzzkpq5jNoWNmB23-qgsI0/s400/Screenshot_20180713-223434_Device+Policy.jpg" width="225" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Launch Edge and once the device restrictions are applied you will notice that you cannot access the status bar and hence the settings of the device</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx_1S_g-F5u8uPDx-L6Qj3TmfgWtwp_nc2YhKsPULwGFpXXtl984Lre672YRpNgjMWSYLSwfXFB2bmo4u1BDHcyo46Ght6jJ_-8FQJx3Ai0dx5FSA0VnbtuE8vfWt3STErHHbgysFVnLI/s1600/Screenshot_20180713-225057_Edge.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx_1S_g-F5u8uPDx-L6Qj3TmfgWtwp_nc2YhKsPULwGFpXXtl984Lre672YRpNgjMWSYLSwfXFB2bmo4u1BDHcyo46Ght6jJ_-8FQJx3Ai0dx5FSA0VnbtuE8vfWt3STErHHbgysFVnLI/s400/Screenshot_20180713-225057_Edge.jpg" width="225" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
And that completes the setup! Many thanks for reading!</div>
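<div class="separator" style="clear: both; text-align: left;">
The QR code scanned during enrolment normally decodes to a JSON provisioning payload that carries the enrolment token, so it is worth reviewing before the image is printed or shared. The following is an added example, not part of the original post or of Intune's own tooling: it audits a decoded payload and produces a redacted copy. It assumes the standard Android provisioning extras and Android Device Policy as the DPC; the sample payload, checksum and token are constructed placeholders.</div>

```python
import json
from urllib.parse import urlparse

# Android provisioning extras (DevicePolicyManager.EXTRA_PROVISIONING_* values).
K_COMPONENT = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
K_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"
K_DOWNLOAD = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
K_EXTRAS = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
K_SKIP_ENC = "android.app.extra.PROVISIONING_SKIP_ENCRYPTION"
K_WIFI_SSID = "android.app.extra.PROVISIONING_WIFI_SSID"
K_WIFI_PASSWORD = "android.app.extra.PROVISIONING_WIFI_PASSWORD"
# Extra that Android Device Policy reads its enrolment token from.
K_TOKEN = "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN"

# Assumption: the enrolment profile provisions Android Device Policy as the DPC.
EXPECTED_COMPONENT = (
    "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver"
)

# Constructed sample payload; checksum and token are placeholders, not real values.
SAMPLE_QR = json.dumps({
    K_COMPONENT: EXPECTED_COMPONENT,
    K_CHECKSUM: "CONSTRUCTED-CHECKSUM-PLACEHOLDER",
    K_DOWNLOAD: "https://play.google.com/managed/downloadManagingApp?identifier=setup",
    K_EXTRAS: {K_TOKEN: "CONSTRUCTED-TOKEN-PLACEHOLDER"},
})


def audit_qr_payload(text, expected_component=EXPECTED_COMPONENT):
    """Return (severity, message) findings for the text decoded from the QR code."""
    try:
        payload = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("error", f"not valid JSON: {exc.msg}")]
    if not isinstance(payload, dict):
        return [("error", "top-level value is not a JSON object")]

    findings = []
    component = payload.get(K_COMPONENT)
    if component != expected_component:
        findings.append(("error", f"unexpected device admin component: {component!r}"))

    # The DPC package must come from an HTTPS location and be checked on download.
    download = urlparse(str(payload.get(K_DOWNLOAD, "")))
    if download.scheme != "https" or not download.hostname:
        findings.append(("error", "DPC download location is missing or not HTTPS"))
    if not payload.get(K_CHECKSUM):
        findings.append(("error", "signature checksum for the DPC package is missing"))

    # The token is what ties the device to the tenant's enrolment profile.
    extras = payload.get(K_EXTRAS)
    token = extras.get(K_TOKEN) if isinstance(extras, dict) else None
    if token:
        findings.append(
            ("warn", "carries an enrolment token: treat the QR image as a credential")
        )
    else:
        findings.append(("error", "no enrolment token in the admin extras bundle"))

    # Optional extras that weaken the deployment if the QR image leaks.
    if payload.get(K_WIFI_PASSWORD):
        ssid = payload.get(K_WIFI_SSID)
        findings.append(("warn", f"embeds the Wi-Fi password for SSID {ssid!r}"))
    if str(payload.get(K_SKIP_ENC, "")).lower() == "true":
        findings.append(("warn", "asks provisioning to skip device encryption"))
    return findings


def redact_qr_payload(text):
    """Return the payload as JSON with secrets masked, for tickets or documentation."""
    payload = json.loads(text)
    if not isinstance(payload, dict):
        raise ValueError("top-level value is not a JSON object")
    extras = payload.get(K_EXTRAS)
    if isinstance(extras, dict) and K_TOKEN in extras:
        extras[K_TOKEN] = "<redacted>"
    if K_WIFI_PASSWORD in payload:
        payload[K_WIFI_PASSWORD] = "<redacted>"
    return json.dumps(payload, indent=2, sort_keys=True)


if __name__ == "__main__":
    for severity, message in audit_qr_payload(SAMPLE_QR):
        print(f"{severity.upper():5} {message}")
    print(redact_qr_payload(SAMPLE_QR))
```
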
<div><u><b>Intune Windows 10 Kiosk Mode</b></u> (Leon Ashton-Leatherland, published 2018-06-27, updated 2019-07-22)</div>
<div>
I have been tasked with looking at a kiosk solution for our organisation and noticed that the "what's new in Intune" documentation announced a new configuration profile for Windows 10 1803 devices as available as of the week of 8th June. I am unsure of the specific requirements for the project at this stage, but typically the solution would need to provide a locked-down web browser that can only access specific sites, so that is what I have decided to configure.</div>
<div>
<br /></div>
<div>
First of all, log in to the Microsoft Store for Business and search for the Kiosk Browser app. Select "Get the app"</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHBpE5KhZYr42VXEzW9R4FNzQ-xwiJy6gOL5if4zXitQTI4GrbfArF4S_qKaHcUG35M0RkbuockBYT3jKQhyphenhyphenFHylfT8BoB9U9Vc5u-M1eMZJzHwJ2l5gCw5P3a-1Hej3nr6n70I2jDHk8/s1600/KioskApp.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="786" data-original-width="1289" height="243" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHBpE5KhZYr42VXEzW9R4FNzQ-xwiJy6gOL5if4zXitQTI4GrbfArF4S_qKaHcUG35M0RkbuockBYT3jKQhyphenhyphenFHylfT8BoB9U9Vc5u-M1eMZJzHwJ2l5gCw5P3a-1Hej3nr6n70I2jDHk8/s400/KioskApp.PNG" width="400" /></a></div>
<div style="text-align: center;">
<br /></div>
<div>
<br /></div>
<div>
Log in to the Intune portal and navigate to Mobile Apps > Microsoft Store for Business. Select "Sync"</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPqEgOlgrBf-XDkJ3bJ5yuUxGAsOLRvRaP_juqZggla6SUW8KVyNAcsdj0kRMT7Bpa7xKGvUenwNUWq6eUNHhlglSng5omxVCVRp8eUEmLER7wrGUaJnKEHgtC201aJTKPtjxZ4unsjsM/s1600/MSFBSync.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="677" data-original-width="1600" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPqEgOlgrBf-XDkJ3bJ5yuUxGAsOLRvRaP_juqZggla6SUW8KVyNAcsdj0kRMT7Bpa7xKGvUenwNUWq6eUNHhlglSng5omxVCVRp8eUEmLER7wrGUaJnKEHgtC201aJTKPtjxZ4unsjsM/s400/MSFBSync.PNG" width="400" /></a></div>
<div style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Wait a few moments for the app to sync then assign it to a device group containing the kiosk devices</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixubVKTeGudp7DW8ZTI1RAaR8dzkWzvLYalCnLUjwU3b0rX6esLy0hvr3k_2FsKmOzxbrcUOLxl6KvtCpkwhJmO6I_fENKAHdiTCVCLxAGlE7k5QBCWJwXmkc2SgD7NoaEkXlcH5CLzFg/s1600/KioskAssignment.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="717" data-original-width="1600" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixubVKTeGudp7DW8ZTI1RAaR8dzkWzvLYalCnLUjwU3b0rX6esLy0hvr3k_2FsKmOzxbrcUOLxl6KvtCpkwhJmO6I_fENKAHdiTCVCLxAGlE7k5QBCWJwXmkc2SgD7NoaEkXlcH5CLzFg/s400/KioskAssignment.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Log in to the device and confirm that the Kiosk Browser has been deployed; carry out a sync on the device from the Intune portal if required</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now navigate to Device configuration - profiles and select "Create Profile"</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxvm54j361QGJMzlVNqVGHBv4GLlQgilQJpuH-Ahm9AV-8HJsaUD2letLdmasFT-xbf1xkAHnucEcnCo1FiPZ93vS1KDD4cJdwnKp-pA4jebjIt6SKw6XvioaNgIUqJ3nIpvY6qboQTj0/s1600/CreateProfile.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="679" data-original-width="1600" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxvm54j361QGJMzlVNqVGHBv4GLlQgilQJpuH-Ahm9AV-8HJsaUD2letLdmasFT-xbf1xkAHnucEcnCo1FiPZ93vS1KDD4cJdwnKp-pA4jebjIt6SKw6XvioaNgIUqJ3nIpvY6qboQTj0/s400/CreateProfile.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Enter an appropriate profile name, select the correct platform and select "Kiosk (Preview)" as the profile type.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwBMfKvC444Z5IjIZli6yE08M5yTCRBNlrd7AEFNk5v5hxSw4qdSoogr4PXAwVlI-QhdItrHNvmK2pw43X_Dh9Gt0_5dzy2O7qw4Npvht37aCCDX1_RCiYc6gibHYNO_fsX016gZDjB0M/s1600/CreateKioskPreview.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="690" data-original-width="1600" height="171" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwBMfKvC444Z5IjIZli6yE08M5yTCRBNlrd7AEFNk5v5hxSw4qdSoogr4PXAwVlI-QhdItrHNvmK2pw43X_Dh9Gt0_5dzy2O7qw4Npvht37aCCDX1_RCiYc6gibHYNO_fsX016gZDjB0M/s400/CreateKioskPreview.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select the "Configure" option then add a Kiosk setting</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4GzIA57O0levxPgpsUD_Fhm016CdpKjSPyChNH9mCtOZ-RukdnFdppuzwN0gO24mQQCJCI8WmlN9uKdoCADd3o47X5rH4Ko4Egy6YjYiODOv6MuWSEFmiu7QAjNG-nzc8PYaYkdk-YSs/s1600/KioskSetting.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="839" data-original-width="1354" height="247" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4GzIA57O0levxPgpsUD_Fhm016CdpKjSPyChNH9mCtOZ-RukdnFdppuzwN0gO24mQQCJCI8WmlN9uKdoCADd3o47X5rH4Ko4Egy6YjYiODOv6MuWSEFmiu7QAjNG-nzc8PYaYkdk-YSs/s400/KioskSetting.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Specify a suitable name for the configuration, set the mode as "Single full-screen app kiosk", select the Kiosk browser as the app to use for kiosk mode and specify the account type as "Autologon"</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIzQDt3TClQXG2e6KfBxTBDblOalmSMrQlW70noiVQYaIcEBT9s-gAeRdAeW0ms7CkTOqE_cEvzUjth5yptYtAenSmt7s7GqWU93UBrfA8uGhwGuAWW48dSGNNQDIeYDDyj4um9-eVISo/s1600/KioskSettingDetail.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="730" data-original-width="876" height="332" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIzQDt3TClQXG2e6KfBxTBDblOalmSMrQlW70noiVQYaIcEBT9s-gAeRdAeW0ms7CkTOqE_cEvzUjth5yptYtAenSmt7s7GqWU93UBrfA8uGhwGuAWW48dSGNNQDIeYDDyj4um9-eVISo/s400/KioskSettingDetail.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select "Ok" twice. Now access the kiosk web browser settings menu. In this example I have set the home page, allowed the home button and allowed the navigation buttons. Select "Ok" twice to save the settings.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilJqDZeR0Gk11QII42TQHKbfUcqXZPyhRLHYHFtLXxravQiuawVK6V9e5_GElUILbrRDDuwL-WvxXUtigDF-aLeFGC7Eud1QTcdDuJXxTVhwnTgxiaK6phCNWWDWfYAx9HwjOoBWDEbPc/s1600/WebBrowserSettings.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="735" data-original-width="875" height="335" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilJqDZeR0Gk11QII42TQHKbfUcqXZPyhRLHYHFtLXxravQiuawVK6V9e5_GElUILbrRDDuwL-WvxXUtigDF-aLeFGC7Eud1QTcdDuJXxTVhwnTgxiaK6phCNWWDWfYAx9HwjOoBWDEbPc/s400/WebBrowserSettings.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Assign the profile to the required device group</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMN3cT8ocG5jayBySTOz4fri9rWPq2OtsF0NnXpdAXfsD_eY1KDp-LYDPvn4w3h81p0bQknA_hXU5tb3XKcLUctKXaZTbAcsOt0D118Yl8Cbk6kj36cJ7uo9UYWYHczyeWhuio0PTHS-4/s1600/KioskAssignment.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="717" data-original-width="1600" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMN3cT8ocG5jayBySTOz4fri9rWPq2OtsF0NnXpdAXfsD_eY1KDp-LYDPvn4w3h81p0bQknA_hXU5tb3XKcLUctKXaZTbAcsOt0D118Yl8Cbk6kj36cJ7uo9UYWYHczyeWhuio0PTHS-4/s400/KioskAssignment.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Ensure that the profile has deployed to the device by selecting the "Device Install Status" option</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHfSjhjUhrEk33HoThvALYYmG6UYRRPzwiEHwL2MnyGbExImN5JXCbdRci_3s8vCBpbmhBULyaoe9p4cNFGnB0ezCXPTxNyiqrYJmBe5yIdyES9VoH6qPrdbHwnHV6VaquVc1PJTc6MUE/s1600/KioskProfileDeploymentStatus.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="451" data-original-width="1016" height="177" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHfSjhjUhrEk33HoThvALYYmG6UYRRPzwiEHwL2MnyGbExImN5JXCbdRci_3s8vCBpbmhBULyaoe9p4cNFGnB0ezCXPTxNyiqrYJmBe5yIdyES9VoH6qPrdbHwnHV6VaquVc1PJTc6MUE/s400/KioskProfileDeploymentStatus.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Restart the device and you will see it automatically log on using a KioskUser account and then launch the Kiosk browser.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><u>Please note</u> </b></div>
<div class="separator" style="clear: both; text-align: left;">
I have only been able to achieve the above on a Surface Pro 4 at this stage. I attempted this procedure on a Windows 10 1803 VM in order to take some accurate screenshots of this last step and was unable to get the device to enrol into MDM. Rather than delay this post any longer (it has been in my drafts for weeks!) I will update this part when I find out what is causing the issue.</div>
<div><u><b>Samsung Oreo Android Enterprise Work Profile Changes</b></u> (Leon Ashton-Leatherland, published 2018-06-08, updated 2019-07-22)</div>
Thought I would post on this as it could have the potential to cause headaches for enterprises with Samsung Android devices, due to the variation in end user experiences that is introduced.<br />
<br />
As per the announcement <a href="https://www.samsungknox.com/en/blog/android-enterprise-and-samsung-knox-your-questions-answered-here" target="_blank">here</a> it would appear that Samsung have taken it upon themselves to provide a "unified" experience, combining their Knox Workspace solution with the Android Enterprise (AE) Work profile. These changes take effect as of the Oreo operating system. I felt that the previous article explained this poorly and my perception was that this would simply be an experience that was "available". Any extra security features that could be leveraged within the Knox Workspace as far as I am aware are not currently supported within Intune so I intended on waiting before deciding on whether we switch to Workspaces as a business.<br />
<br />
So I completely misunderstood this and was directed to <a href="https://seap.samsung.com/sdk/knox-android/unification" target="_blank">here</a>, which does indicate that this unification is a forced change.<br />
<br />
This means that if you are running Samsung devices within your enterprise you could see 3 different experiences in your environment at one time;<br />
<br />
<u><b>1. Pre-Oreo</b></u><br />
<div>
The Workspace is not unified and you will see the standard AE Work Profile experience;</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTNkfYr44RCQtq0egWA0kT66w0aSHWulYqIecS5Tv885HeHR3KS8gJQQXI4bybfHzBZxlIFLFyr66pa6jbqgm7ytuRI_MenC5-uPijuuPpjfhpOhRNfeCjUwfDMsCDGrj7PH0RshJsI6c/s1600/PreOreoSamsungPNG.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="783" data-original-width="443" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTNkfYr44RCQtq0egWA0kT66w0aSHWulYqIecS5Tv885HeHR3KS8gJQQXI4bybfHzBZxlIFLFyr66pa6jbqgm7ytuRI_MenC5-uPijuuPpjfhpOhRNfeCjUwfDMsCDGrj7PH0RshJsI6c/s320/PreOreoSamsungPNG.PNG" width="181" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<u><b>2. Oreo upgrade</b></u></div>
<div class="separator" style="clear: both; text-align: left;">
This is for a device which already has an AE profile and is upgraded to Oreo. Any existing shortcuts will have an orange key badge;</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWBqcoWF1_zrhWj0GI9KJC5ZWHJ8UT66oRqeR0074ZL8CjlzcfvALe_llSLDH1QbkQJu0ZjnK2uJRXAahhCPpxrF3v4CzpvMlKKo_e1Y3ESO8gP2vx82Ki6Xg6lAM1f6FmPjxv4rdSx2c/s1600/ExistingProfileOreoSamsungPNG.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="785" data-original-width="442" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWBqcoWF1_zrhWj0GI9KJC5ZWHJ8UT66oRqeR0074ZL8CjlzcfvALe_llSLDH1QbkQJu0ZjnK2uJRXAahhCPpxrF3v4CzpvMlKKo_e1Y3ESO8gP2vx82Ki6Xg6lAM1f6FmPjxv4rdSx2c/s320/ExistingProfileOreoSamsungPNG.PNG" width="180" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Note that, as of Oreo, the Gmail app has an improved experience for showing unread email notifications;</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjd3Ug8ByyJwb_HXK86jtMCKKqcafJnoyfGW_PMqrELIaUJF8nYhWruo1PTZeu_WvAn2kkDVSGmevD80EKn7EvqdaJDIMkTcvmuWQ9bR0sFk5BtbrNYfBFCOh8xwdL7uuIc2SL5RzskiRc/s1600/ImprovedNotifications.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="120" data-original-width="103" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjd3Ug8ByyJwb_HXK86jtMCKKqcafJnoyfGW_PMqrELIaUJF8nYhWruo1PTZeu_WvAn2kkDVSGmevD80EKn7EvqdaJDIMkTcvmuWQ9bR0sFk5BtbrNYfBFCOh8xwdL7uuIc2SL5RzskiRc/s1600/ImprovedNotifications.PNG" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Also, the content of notifications is hidden on both the lock screen and the home screen;</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggg2RgjHqYJt5Mw39AyRfr-w9-oVWY6taORl9seXTU5ZcXWtecMiEm2gQZex-jdIoYpHmzx5pkK5VOFuqIcclxgpzFnm0X5NdJ80c8Pn4oIe6w2lr9xTGlywE6WmXTl-Pb1Xa6b-C2RMY/s1600/LockScreenNotificationHidden.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="783" data-original-width="441" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggg2RgjHqYJt5Mw39AyRfr-w9-oVWY6taORl9seXTU5ZcXWtecMiEm2gQZex-jdIoYpHmzx5pkK5VOFuqIcclxgpzFnm0X5NdJ80c8Pn4oIe6w2lr9xTGlywE6WmXTl-Pb1Xa6b-C2RMY/s320/LockScreenNotificationHidden.PNG" width="179" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcgIL88zflAXdAEe9UCZUKVZwvmTVbC4xCdyQhy8UDh12q6SwRnuG1Hj7iiLFs8lo2pa6nbtvbqo1RyYjRGqBvijsrXTjC1j8mpc1UnAwcyRm7qRPddrTspvs42xP_STl8QDj32_wT7fE/s1600/HomeScreenNotificationHidden.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="665" data-original-width="443" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcgIL88zflAXdAEe9UCZUKVZwvmTVbC4xCdyQhy8UDh12q6SwRnuG1Hj7iiLFs8lo2pa6nbtvbqo1RyYjRGqBvijsrXTjC1j8mpc1UnAwcyRm7qRPddrTspvs42xP_STl8QDj32_wT7fE/s320/HomeScreenNotificationHidden.PNG" width="212" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The only setting available within Intune turns this feature off, therefore it needs to be configured on every device;</div>
<div class="separator" style="clear: both; text-align: left;">
Open the "Workspace Settings" App</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbRMHsBeEX6Irwo-Yii-5v6VBQbdUJZfiH-UeXEW0H0651xgXxiKIGLWXVbiCQmuDGUaFYy3BNJPlm78EEz5LxJkxEWqG7yIU1_HVskAQlCkY-b9jFk7Y6AmP-vTthbH3bL42su6b8_RY/s1600/WorkspaceSettings.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="770" data-original-width="442" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbRMHsBeEX6Irwo-Yii-5v6VBQbdUJZfiH-UeXEW0H0651xgXxiKIGLWXVbiCQmuDGUaFYy3BNJPlm78EEz5LxJkxEWqG7yIU1_HVskAQlCkY-b9jFk7Y6AmP-vTthbH3bL42su6b8_RY/s320/WorkspaceSettings.PNG" width="183" /></a></div>
<div>
<br /></div>
<div>
Notifications and Data > Turn on "Show notification content"</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjblIYYIntgnRBGL3naG0_9jgrrFqyaRVUy0HM_KIa1_mexKrxHp224LNh4VNpI9zqhNvW_9NFT0M-62CUOMgcMatYzAN4Axe41nppNbYxOzmCZJCc4O5c36-4WQhBDbkGpRBSV24p_tR0/s1600/ShowNotificationContent.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="783" data-original-width="439" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjblIYYIntgnRBGL3naG0_9jgrrFqyaRVUy0HM_KIa1_mexKrxHp224LNh4VNpI9zqhNvW_9NFT0M-62CUOMgcMatYzAN4Axe41nppNbYxOzmCZJCc4O5c36-4WQhBDbkGpRBSV24p_tR0/s320/ShowNotificationContent.PNG" width="179" /></a></div>
<div>
<br /></div>
<div>
Notifications on lock screen > Show notification content</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEgYvcbaHs5iF5sWVrh10WvIEMHGc8bDh3GBmrpPxeXtmm-FhXWUvWdLJ8oUKvvyzmM-xeA4K1D7YO-CbdiYAkulwh5Q6JsKYB4MEYeDlhDLlljXGEKneNsu2JDOJG_26cTvegWOhC-1I/s1600/ShowNotificationContentLockScreen.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="785" data-original-width="442" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEgYvcbaHs5iF5sWVrh10WvIEMHGc8bDh3GBmrpPxeXtmm-FhXWUvWdLJ8oUKvvyzmM-xeA4K1D7YO-CbdiYAkulwh5Q6JsKYB4MEYeDlhDLlljXGEKneNsu2JDOJG_26cTvegWOhC-1I/s320/ShowNotificationContentLockScreen.PNG" width="180" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<u><b>3. Oreo new enrollment</b></u></div>
<div class="separator" style="clear: both; text-align: left;">
This gives the new unified experience. Initially, badged apps will only be available by accessing the Workspace directly and you will not be able to add them from there to the home screen;</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSXwCVveSp6CUsztxC5LYgM-L7LrqM-oEdD7tbXKk0etBiwQPSdvcCPJU0pkSqh9KfluWMa7y-oVDVMhN-XHrAY0X2cOqjB2R0ksvdwVbJVNU3kNFLaA9XnBpAczVJmsRfKmkRlZfLnOQ/s1600/WorkspaceIcon.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="120" data-original-width="100" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSXwCVveSp6CUsztxC5LYgM-L7LrqM-oEdD7tbXKk0etBiwQPSdvcCPJU0pkSqh9KfluWMa7y-oVDVMhN-XHrAY0X2cOqjB2R0ksvdwVbJVNU3kNFLaA9XnBpAczVJmsRfKmkRlZfLnOQ/s1600/WorkspaceIcon.PNG" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0w60ARkWM0v-54knPfkru1Dj8N-TlPxKcef9Tk0a63RW5GbiM7mfUsNznqNX6k8oQuhtkLPRGOrRTzTgVskzJfA76Tepfls8YgHdcN8Ntxs3WROG2YmvyqGMEZtNHbdfM2PBL9oYwuos/s1600/WorkspaceApps.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="703" data-original-width="408" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0w60ARkWM0v-54knPfkru1Dj8N-TlPxKcef9Tk0a63RW5GbiM7mfUsNznqNX6k8oQuhtkLPRGOrRTzTgVskzJfA76Tepfls8YgHdcN8Ntxs3WROG2YmvyqGMEZtNHbdfM2PBL9oYwuos/s320/WorkspaceApps.PNG" width="185" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
In order to be able to add these apps to the home screen you will need to do the following;</div>
<div class="separator" style="clear: both; text-align: left;">
Access the Workspace settings from within the "more options" menu in the top right of the Workspace;</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs9_zvszw3UMeCnbOlrdJaVLov_hXj2AAPiImY59sa_CujqURWb7e24_zXGyKI9koTuLSrsFeHJVdoJUWslNRif6YO7n4Q85s4AS_7WjU9HySI21N59Ng1OH5RpnQ0vgIEJJUe_Z8wln4/s1600/WorkspaceSettingsInWorkspace.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="742" data-original-width="419" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs9_zvszw3UMeCnbOlrdJaVLov_hXj2AAPiImY59sa_CujqURWb7e24_zXGyKI9koTuLSrsFeHJVdoJUWslNRif6YO7n4Q85s4AS_7WjU9HySI21N59Ng1OH5RpnQ0vgIEJJUe_Z8wln4/s320/WorkspaceSettingsInWorkspace.PNG" width="180" /></a></div>
<div>
<br /></div>
<div>
Workspace style > Turn off "Hide Workspace apps"</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6wLPGNuxOZ96H43IBkQ1Ho3sUp1XLYNKY4Hp3Zcx1iGjnEX7gM6EsNW6vhRdiiASj1oIUyUkrq3jNDa-4h-G-oAHjhtLtVWwAWqoUJtxGTtmNtufue6L65abHzvh8UXIUt-J5RS23qxw/s1600/HideWorkspaceApps.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="741" data-original-width="415" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6wLPGNuxOZ96H43IBkQ1Ho3sUp1XLYNKY4Hp3Zcx1iGjnEX7gM6EsNW6vhRdiiASj1oIUyUkrq3jNDa-4h-G-oAHjhtLtVWwAWqoUJtxGTtmNtufue6L65abHzvh8UXIUt-J5RS23qxw/s320/HideWorkspaceApps.PNG" width="179" /></a></div>
<div>
<br /></div>
<div>
As with the previous experience, you will also need to follow the steps to show home screen and lock screen notifications if that is a requirement. Staying in the same menu;</div>
<div>
Notifications and data > Turn on "Show notification content"</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfrZSJGHN0Eo4IVOP3WnBeo3jfvuWk0FCiEX5mEEjNXryMeEymM34xH1FD9b074_xCujBP9t9trd-2YDkrZ7u3KL67MxbyMdahknPRJw4DYmMScSo28N7TvstdUtRtabO-v4WHndwvYRk/s1600/ShowNotificationContentLockScreenBlue.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="745" data-original-width="418" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfrZSJGHN0Eo4IVOP3WnBeo3jfvuWk0FCiEX5mEEjNXryMeEymM34xH1FD9b074_xCujBP9t9trd-2YDkrZ7u3KL67MxbyMdahknPRJw4DYmMScSo28N7TvstdUtRtabO-v4WHndwvYRk/s320/ShowNotificationContentLockScreenBlue.PNG" width="179" /></a></div>
<div align="center">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div>
<br /></div>
<div>
Notifications on lock screen > Show notification content</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjU4Dz0uUYmBikT9i9Uv-b4CgFMJ6-EjCTYQ86BaY-va44_c-LZb64M4iF27HBOjiFxg2sMYGA-iH5TTFe06aSQYLjDoaa9btxGJFoTZ9EIrpIATGanU3dLVqBpD1tUdfbY2i6HqZdOEJ8/s1600/ShowNotificationContentBlue.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="743" data-original-width="418" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjU4Dz0uUYmBikT9i9Uv-b4CgFMJ6-EjCTYQ86BaY-va44_c-LZb64M4iF27HBOjiFxg2sMYGA-iH5TTFe06aSQYLjDoaa9btxGJFoTZ9EIrpIATGanU3dLVqBpD1tUdfbY2i6HqZdOEJ8/s320/ShowNotificationContentBlue.PNG" width="180" /></a></div>
<div>
<br /></div>
Leon Ashton-Leatherlandhttp://www.blogger.com/profile/17593394415382066306noreply@blogger.com1tag:blogger.com,1999:blog-3145837469179315622.post-72432657565329616732017-10-20T16:47:00.002+01:002019-07-22T19:48:39.291+01:00
Intune iOS Office Apps Crashing - Resolved
Further to my previous post <a href="https://leonashtonleatherland.blogspot.com/b/post-preview?token=sP8qPF8BAAA.ZUPlh4rlE0Ll9bqNopSc0E1sfNAqGLIOBWz8t1O10l1BM1oLEmHmQ-0_X4YQLLmekBlNG24vgifmLUCRz2Mhxw.8r61Z5-Bx_8UPa2tCDuYXA&postId=4117746978504722508&type=POST">here</a>, I can confirm that version 2.6 of the Excel and Word apps, released on 9th October, has resolved the crashing issue. Yes, I know, literally a day after blogging it, and I have only just sent out this update! No rest for the wicked, hey.<br />
Stay tuned for some better quality "non-bug-reporting" blog posts - I promise!
Leon Ashton-Leatherlandhttp://www.blogger.com/profile/17593394415382066306noreply@blogger.com0tag:blogger.com,1999:blog-3145837469179315622.post-41177469785047225082017-10-08T09:11:00.003+01:002019-07-22T19:48:39.224+01:00
Intune iOS Office Apps crashing
It would appear that version 2.5 of the Office apps for iOS is having issues launching when deployed with a MAM policy. The app launches and, if it fails to fully load within 20 seconds, it simply closes again. This is more prevalent in older devices. I have tested and confirmed this with the Word, Excel and OneDrive apps.<br />
Tech support have confirmed that Apple are aware of the issue and that it is a default timeout within the code which cannot be amended. Expect an update to be released within the App Store within the next few weeks.<br />
Leon Ashton-Leatherlandhttp://www.blogger.com/profile/17593394415382066306noreply@blogger.com0tag:blogger.com,1999:blog-3145837469179315622.post-24377077014506827502017-09-17T07:58:00.000+01:002019-07-22T19:48:38.961+01:00
Android for Work play store crashing bug - resolved
As per my previous blog post <a href="https://leonashtonleatherland.blogspot.co.uk/2017/08/android-for-work-play-store-crashing.html" target="_blank">here</a>, there was a bug where Android for Work devices experienced an issue in that the managed Play Store was frequently crashing during enrolment. This has now been resolved, and the issue was due to a timeout between Intune and the managed Google Play app on enrolment. Microsoft and Google worked together to resolve this, but unfortunately I have not been able to get any more information. I can confirm now, though, that I have removed the workaround and we are deploying all apps to the user on initial enrolment, which seems to be working as expected.
Leon Ashton-Leatherlandhttp://www.blogger.com/profile/17593394415382066306noreply@blogger.com0tag:blogger.com,1999:blog-3145837469179315622.post-77190712784888158662017-09-12T13:23:00.000+01:002019-07-22T19:48:39.357+01:00
Android for Work Exchange conditional access bug - resolved
I can confirm that, as per my previous post <a href="https://leonashtonleatherland.blogspot.co.uk/2017/08/intune-android-for-work-exchange_9.html" target="_blank">here</a>, the Exchange conditional access issue was only affecting 1st wave builds of SCCM 1706, and the update released on 31st August includes the fix required to resolve this issue.
Leon Ashton-Leatherlandhttp://www.blogger.com/profile/17593394415382066306noreply@blogger.com2