How to Setup Intune Compliance Policy for iOS Devices | Microsoft Endpoint Manager | MEMCM

In this post, we will see how to set up an Intune compliance policy for iOS devices. Compliance policies help protect company data: the organization needs to ensure that the devices used to access company apps and data comply with certain rules.

These rules might include requiring a password/PIN to unlock the device and encrypting data stored on it. A set of such rules is called a compliance policy. A compliance policy on its own only reports a device as compliant or non-compliant; the best option is to pair it with Azure AD Conditional Access, so that a non-compliant device is actually denied access to company resources.

Video Tutorial to setup Intune Compliance Policy for iOS

Video tutorial: How to Setup Intune Compliance Policy for iOS Devices | Microsoft Endpoint Manager | MEMCM here

  • Intune Compliance policy setup for Windows 10 Devices here
  • Intune Compliance policy setup for Android Devices here

How to setup Intune Compliance Policy for iOS?

Follow these steps to create an iOS compliance policy in the Azure portal.

  1. Sign in to the Azure portal with an account that has Intune admin access.
  2. Select More services, type Intune in the search box, and press Enter.
  3. Select Intune – Device Compliance – Policies and click the +Create policy button to create a new compliance policy. Select the platform "iOS".
  4. The settings configuration is the important part of a compliance policy. The Azure portal iOS compliance policy has some improvements over the Silverlight console in terms of password settings.
  5. There are four categories of settings in an iOS compliance policy: Email, Device Health, Device Properties, and System Security.
  6. Email: requires the device to have a managed email profile in order to access corporate resources.
  7. Device Health: checks whether the device is jailbroken. A jailbroken iOS device is marked non-compliant, so a Conditional Access policy that requires compliance will block its mail access.
  8. Device Properties: checks the OS version of the device against the minimum iOS version you specify.
  9. System Security: these are basically the password settings. There are some improvements over the Intune Silverlight portal here: a setting such as "Number of non-alphanumeric characters in password" can now be left as Not configured, which was not possible in the Silverlight portal.

The System Security (password) settings are:

  • Require a password to unlock mobile devices
  • Simple passwords (allow or block)
  • Minimum password length
  • Required password type: Not Configured / Alphanumeric / Numeric
  • Number of non-alphanumeric characters in the password
  • Maximum minutes of inactivity before a password is required
  • Password expiration (days)
  • Number of previous passwords to prevent reuse

10. Assign the Intune compliance policy for iOS. Click Assignments and select the target Azure AD group. My original preference was to deploy compliance policies to an AAD dynamic device group (for example, All iOS devices) rather than to an AAD user group.

(Update: device groups are not supported for compliance policies, hence use user groups for Intune compliance policies.)
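The same policy can be created through Microsoft Graph instead of clicking through the portal. The following is an added example, not code from the original post: it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds the DeviceManagementConfiguration.ReadWrite.All permission, and that $GroupId (a placeholder) is the object ID of the user group the policy should be assigned to. The property names are those of the Graph iosCompliancePolicy resource; each maps to one of the portal settings listed above.

```powershell
# Added example (not from the original post): create the iOS compliance policy
# described above via Microsoft Graph. Assumptions: Microsoft.Graph SDK installed,
# DeviceManagementConfiguration.ReadWrite.All granted, $GroupId is a placeholder.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$GroupId = '00000000-0000-0000-0000-000000000000'   # assumption: object ID of your user group

# Settings map 1:1 to the four portal categories: Email, Device Health,
# Device Properties and System Security (password).
$policy = @{
    '@odata.type'                         = '#microsoft.graph.iosCompliancePolicy'
    displayName                           = 'iOS - Corporate compliance'
    description                           = 'Passcode, jailbreak, OS version and managed email checks'
    # Email: require a managed email profile
    managedEmailProfileRequired           = $true
    # Device Health: jailbroken devices are non-compliant
    securityBlockJailbrokenDevices        = $true
    # Device Properties: minimum iOS version (adjust to what you support)
    osMinimumVersion                      = '15.0'
    # System Security: the passcode settings from the list above
    passcodeRequired                      = $true
    passcodeBlockSimple                   = $true
    passcodeMinimumLength                 = 6
    passcodeRequiredType                  = 'alphanumeric'   # deviceDefault | numeric | alphanumeric
    passcodeMinutesOfInactivityBeforeLock = 15
    passcodeExpirationDays                = 90
    passcodePreviousPasscodeBlockCount    = 5
    # passcodeMinimumCharacterSetCount is deliberately omitted: leaving it out is
    # the API equivalent of the portal's "Not configured".
    # Required on create: what happens when a device fails the rule. With no grace
    # period the device is marked non-compliant immediately, which is the state a
    # Conditional Access policy that requires compliance acts on.
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0; notificationTemplateId = ''; notificationMessageCCList = @() }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Assign the policy to the group (per the update note above, a user group).
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json'

"Created policy $($created.displayName) ($($created.id)) and assigned it to group $GroupId"
```

Keeping the policy in a script like this makes the settings reviewable and repeatable across tenants; the one thing a portal click hides is the scheduledActionsForRule block, which decides how quickly a failing device becomes non-compliant.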


Author

Anoop is a Microsoft MVP. He is a Solution Architect in enterprise client management with more than 20 years of experience (calculated in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

SCCM Dynamic Collection Query Update Known Issue | Configuration Manager | ConfigMgr

SCCM/ConfigMgr dynamic collection queries can bite you in some scenarios. It is very easy to make a mistake while editing an existing dynamic query, and the mistake can silently widen the scope of every deployment targeted at that collection.

Related Post – SCCM Dynamic Collection – Part 2 | WQL Query | ConfigMgr | Create HTMD Blog (anoopcnair.com)

The situation is a little better with device-based dynamic collections in the SCCM CB environment (you get a warning pop-up, as you can see in the video), but user-based dynamic collections still do not warn you.

I have created a quick video to demonstrate this issue here. I asked Kannan C S to share his experience on this topic. He is a Sr. Infra Architect with several years of SCCM and System Center experience. I will let Kannan C S explain his experience in detail.

Introduction

I'm Kannan C S, working as a Sr. Infra Architect in a leading IT company, with 15 years of IT experience. I have worked with Configuration Manager [design, implementation, migration, and support], System Center Orchestrator [design and implementation], and Windows Server support. You can refer to my blog here.


I have seen dynamic collection query update issues in different organizations, mainly with L1 and L2 teams where there is no real SCCM expertise.

I have already created a User Voice item. Please vote it up: User Voice – Collection Query.

Known Issue?

I am looking at this issue/design from SMS 2003 through SCCM 2012 (and even SCCM CB). I am not sure what purpose lies behind the default collection query design, select * from sms_r_system / select * from sms_R_User. Suppose a user creates a query-based device or user collection and later needs to modify the query: they remove the entire query and click OK.

If the user clicks OK, the default query select * from sms_r_system / select * from sms_R_User is automatically enabled, and the collection is targeted at all systems ("All Systems") or "All Users" as the limiting collection. This is a serious issue in most companies, where deployments are performed by L1 or L2 engineers.

It is nowhere documented on MS TechNet or blogs. I would strongly recommend having some mechanism to avoid this kind of change in upcoming releases.

I have provided screenshots of the impact below. When modifying the collection query, click Edit:


Click Edit Query Statement.


Click Show Query Language.


Select the entire query in the Query Statement dialog box and click Delete.


Click OK.


By default, it comes back with the select * from SMS_R_System / select * from sms_R_User query. From then on, any deployment targeted at that collection is mapped to all devices, including workstations and servers.

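Because the console does not stop the change described above, the practical control is to audit for collections whose query rules have collapsed to the catch-all default before anything is deployed to them. The following is an added example, not code from the original post or from Kannan: it assumes the ConfigurationManager PowerShell module is loaded on a machine with the console, that a site drive is connected, and that the site code 'PS1' is a placeholder. Built-in collections (IDs starting with SMS) are skipped because they are expected to be catch-all.

```powershell
# Added example (not from the original post): find custom collections whose query
# membership rule is the bare default "select * from SMS_R_System/SMS_R_User".
# Assumptions: ConfigurationManager module loaded, site drive connected, site code
# 'PS1' is a placeholder.

# A rule is catch-all when it selects every resource of the class with no WHERE clause.
# Whitespace is normalised first so "select *   from\nSMS_R_System" still matches.
function Test-CatchAllQuery {
    param([Parameter(Mandatory)][string]$QueryExpression)
    $q = ($QueryExpression -replace '\s+', ' ').Trim()
    return $q -match '^select \* from SMS_R_(System|User)$'   # -match is case-insensitive
}

function Find-CatchAllCollection {
    param([string]$SiteCode = 'PS1')   # assumption: replace with your site code
    Set-Location "$($SiteCode):"
    $findings = foreach ($col in Get-CMCollection) {
        # Built-in collections (All Systems, All Users, ...) are catch-all by design.
        if ($col.CollectionID -like 'SMS*') { continue }
        # CollectionType 2 = device collection, 1 = user collection.
        $rules = if ($col.CollectionType -eq 2) {
            Get-CMDeviceCollectionQueryMembershipRule -CollectionId $col.CollectionID
        } else {
            Get-CMUserCollectionQueryMembershipRule -CollectionId $col.CollectionID
        }
        foreach ($r in $rules) {
            if (Test-CatchAllQuery -QueryExpression $r.QueryExpression) {
                [pscustomobject]@{
                    CollectionID        = $col.CollectionID
                    Name                = $col.Name
                    LimitToCollectionID = $col.LimitToCollectionID
                    RuleName            = $r.RuleName
                    Query               = $r.QueryExpression
                }
            }
        }
    }
    return $findings
}

# Constructed sample rules (not from any real site) to show what the matcher flags.
$sampleRules = @(
    'select * from SMS_R_System',                                              # flagged: collapsed default
    'select * from  sms_r_user',                                               # flagged: same, odd spacing/case
    'select * from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "%Server%"'  # fine
)
$sampleRules | ForEach-Object { '{0,-8} {1}' -f (Test-CatchAllQuery $_), $_ }

# Live audit; a non-empty result with an "All Systems"/"All Users" limiting collection
# means a deployment to that collection reaches every client in the site.
Find-CatchAllCollection | Format-Table -AutoSize
```

Run this as a scheduled check, or before approving any deployment raised by a team that edits collections by hand; the output is the list of collections that no longer limit anything.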

Resources

SCCM Dynamic Collection – Part 2 | WQL Query | ConfigMgr | Create HTMD Blog (anoopcnair.com)

Intune Android Device Support for Google Android for Work Enrollment | Microsoft Endpoint Manager

Google publishes a list of devices supported by its Android for Work program. But the question is whether Google's list contains all the devices that are actually supported.

I don't think the list is exhaustive and covers every supported device.

I have tested two devices that are NOT listed among the Android for Work supported devices, and surprisingly both enrolled in Intune via the Android for Work program. More details are covered in the above video.

How To Configure Intune Enrollment Setup For Android Enterprise Device Management – HTMD Blog #2 (howtomanagedevices.com)

Video tutorials for Android for Work management via Intune

I tried a Samsung Galaxy J7 and a LetV Android device. These devices are not very costly; both cost less than 150 USD. It is always a challenge for organizations to find cost-effective, affordable Android for Work devices from Google's new list here.

After testing two very basic Android devices, I found that trial and error is needed to find out whether a low-cost Android device supports Android for Work.


Android – Intune Android Device Support for Google Android for Work Enrollment

Google recently did some rebranding: Android for Work is now simply called "Android" management. Google announced that it is simplifying the names of Android for Work and Play for Work, calling them just Android and Google Play.

There are three categories of Android devices as per Google. The Samsung and LetV devices I tested are not covered in the new list either.

  1. Enterprise Devices – Premium productivity devices
  2. Affordable work devices – Cost-effective devices ready for work
  3. Featured devices

I was able to enroll these low-cost (cheap) Android devices with Android for Work. Intune was able to manage the Samsung and LetV devices with a Google work profile. Both devices run Android version 6.

Conclusion – Intune Android Device Support for Google Android for Work Enrollment

Android for Work works on devices that are not listed in the Google portal. My recommendation is to perform thorough testing before approving Android for Work devices within your organization, and to maintain an internal list of approved "Android for Work" devices.

I hope Google will remove support for plain (legacy) Android management so that the only allowed way to manage Android devices is "Android for Work." Also, remember that Android for Work support is available only in specific countries or regions. For example, in China, there is no support for Android for Work.

How to Resolve Intune Android for Work Configuration Refresh Error | Microsoft Endpoint Manager Fix

Android for Work configuration is very straightforward in most scenarios.

I have configured "Android for Work" for several tenants without any issue. Recently, I faced an issue while configuring it in the Intune Silverlight console.

When I click the Configure button to "Add Android for Work Binding" on the "Android for Work Mobile Device Management Setup" page in the Intune Silverlight console, the process starts, but Intune is not able to launch the Android for Work binding wizard (web page).

We will see how to resolve this issue in this post; I explain the same in the above video.

How To Configure Intune Enrollment Setup For Android Enterprise Device Management – HTMD Blog #2 (howtomanagedevices.com)

Introduction – Intune Android for Work Configuration

I have already posted about Android for Work configuration and setup in a different post here (How to Enroll Android for Work Supported Devices into Intune). This post and video tutorial provide a step-by-step process to enable Android for Work management.

As explained in the first paragraph, the Intune console was not able to complete the Android for Work binding. When I checked the Intune console, there was a page loading error: "Microsoft Intune was not able to retrieve all data. REFRESH."


I clicked the Refresh button a couple of times to try my luck, but nothing worked. There was another button on the Intune Silverlight page: Save Error Log.

I clicked that button, and it asked me to save a text log file for the "unable to retrieve all data" error. I opened the text file, which contains the details of the error and, as it turned out, the root cause of this issue.


As per the Intune Save Error Log file, the Silverlight error occurred while retrieving the JWT token, and the log suggests checking whether the current user has an Intune license and trying again. Following is a snippet of the log file:

2017-03-31 05:37:56Z Silverlight Error:
Error occurred while retrieving JWT token, check that current user has an Intune license and try again.
ParameterType: Unknown
OperationType: Unknown
Current URL: https://admin.manage.microsoft.com/MicrosoftIntune/Home?accountid=a8f58f04-e279-44ff-95b9-5e81532915e6#Workspace/administration/index%23?P=//administration/MobileAndroidManagement/&A=%7BGID=23363773-6797-4c777-b3c2-01b06e207b74%7D&S=7sh74c9-7bf5-45ac-9fbb-67369263b9
Console Version: 5.0.17411.0
Service address: https://msua02.manage.microsoft.com/
Last 50 Log Entries:
00CCE 03/31/2017 05:37:37 429 Z MainThread 0001    Page instantiated successfully

Resolution

I added an Intune/EMS license to the Intune administrator account from the new Azure Active Directory portal. It might not work straight away after assigning the license; you may need to wait 3-4 minutes before trying to configure "Android for Work" again. I would also recommend logging off and back in to the Intune Silverlight console before configuring "Android for Work," so that a fresh token carrying the new license is issued.
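Since the log points at the signed-in admin's license rather than at the tenant, it is worth confirming that the account which will run the binding wizard actually holds a provisioned Intune service plan before retrying. The following is an added example, not code from the original post: it uses the Microsoft.Graph PowerShell SDK (the author worked in the Silverlight console and classic Azure AD portal), assumes User.Read.All is granted, and the UPN is a placeholder.

```powershell
# Added example (not from the original post): check that an admin account has a
# provisioned Intune service plan. Assumptions: Microsoft.Graph SDK, User.Read.All,
# placeholder UPN.
Connect-MgGraph -Scopes 'User.Read.All'

# Pure check, separated from the Graph call so it can be reasoned about offline:
# the account is usable when any assigned SKU carries the INTUNE_A service plan
# (the Intune plan inside INTUNE_A, EMS and EMSPREMIUM SKUs) in a provisioned state.
function Test-IntuneServicePlan {
    param([object[]]$LicenseDetails)
    foreach ($sku in $LicenseDetails) {
        foreach ($plan in $sku.ServicePlans) {
            if ($plan.ServicePlanName -eq 'INTUNE_A' -and $plan.ProvisioningStatus -eq 'Success') {
                return $true
            }
        }
    }
    return $false
}

# Constructed sample (not from a real tenant): an EMS SKU where Intune is still provisioning.
$sample = @([pscustomobject]@{
    SkuPartNumber = 'EMS'
    ServicePlans  = @(
        [pscustomobject]@{ ServicePlanName = 'AAD_PREMIUM'; ProvisioningStatus = 'Success' },
        [pscustomobject]@{ ServicePlanName = 'INTUNE_A';    ProvisioningStatus = 'PendingProvisioning' }
    )
})
"Sample account ready for Intune: $(Test-IntuneServicePlan -LicenseDetails $sample)"   # False until provisioned

$adminUpn = 'intuneadmin@contoso.onmicrosoft.com'   # assumption: the admin running the binding wizard
$details  = Get-MgUserLicenseDetail -UserId $adminUpn

if (Test-IntuneServicePlan -LicenseDetails $details) {
    "$adminUpn has a provisioned Intune service plan; sign out and back in, then retry the binding."
} else {
    "$adminUpn has no provisioned Intune service plan: assign an Intune or EMS license and wait a few minutes before retrying."
}
```

The constructed sample shows the case the post's waiting period covers: a license that is assigned but whose Intune plan has not yet finished provisioning still fails this check.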


Feature Comparison Video Between SCCM ConfigMgr CB 1610 and 1702 Configuration Manager ConfigMgr

What is the most basic improvement I can see in the SCCM CB 1702 production console? Feedback balloons everywhere? SCCM/ConfigMgr is a great product for device management, and there is no competition at all. Why?

I would say this is because of the improvements the product team made and the GREAT SCCM/ConfigMgr community we have for this product.

It’s all about the community’s contributions to improving a software product. The SCCM product team is always open to new ideas and feedback, and this is one of the reasons behind the greatness of SCCM as a product.

Software developers can't make an excellent product without great feedback from real users of the application. That is the importance of the SCCM/ConfigMgr IT Pro community.

Check out the video feature comparison between SCCM CB 1610 and 1702 here.

If you are yet to download and upgrade to the latest version of SCCM CB, my previous post will help you upgrade SCCM CB to the latest version, Configuration Manager CB 1702.

Another big change is the repositioning of the "Updates and Servicing" node in the SCCM CB console.

The "Updates and Servicing" node is now the topmost node in the Administration workspace of the SCCM CB 1702 production console. In-console feedback options have also increased a lot in SCCM CB 1702. From SCCM CB 1702 onwards, SUPs (software update points) are boundary-group aware, similar to MPs and DPs. This is an excellent help for SCCM architects making decisions on SUP placement.


The biggest and most awaited thing for SCCM CB hybrid is feature parity between the Intune standalone and SCCM CB hybrid versions. The SCCM product team did a great job getting feature parity between Intune SA (standalone) and SCCM CB hybrid.

I have explained this in the above comparison video. If we look at configuration policies for iOS and macOS devices via the MDM channel (without the SCCM client), you can see HUGE improvements. Some of the changes in numbers are given below:

iOS/macOS configuration policy settings, CB 1610 vs CB 1702:

  • Password – Passcode: modified
  • Device: 9 settings in CB 1610, 33 settings in CB 1702
  • Store: 3 settings in CB 1610, 6 settings in CB 1702
  • Content Rating: 5 settings in CB 1610, 6 settings in CB 1702
  • Cloud: 4 settings in CB 1610, 8 settings in CB 1702
  • Security: 1 setting in CB 1610, 2 settings in CB 1702
  • System Security: 5 settings in CB 1610, 12 settings in CB 1702
  • Data Protection: 2 settings in CB 1610, 4 settings in CB 1702

There were 17 features in SCCM CB 1610, and the SCCM/ConfigMgr product team added 4 new pre-release features in SCCM CB 1702. The four new pre-release features are listed below. One feature moved from pre-release to production release: Conditional Access for Managed PCs.

  • Pre-release – Install behavior of applications
  • Pre-release – Data Warehouse Service Point
  • Pre-release – Task Sequence content pre-caching
  • Pre-release – Device Guard


More excellent news for SCCM CB hybrid customers: there are 5 new additions to compliance policies. Note that you can no longer select specific Android and iOS platform versions while creating a compliance policy or configuration policy with SCCM CB 1702; the granularity of choosing different Android/iOS versions was removed. The new compliance policy settings are:

  • Apps that cannot be installed
  • Password expiration
  • Remember password history
  • Password quality
  • Minimum Android patch level

In SCCM CB 1702, we have the option to create configuration policies for Android for Work. There are only 2 settings available in the configuration policy for AfW (Android for Work).

Apart from that, some additional settings appeared in ConfigMgr/SCCM CB 1702 for Windows 10 configuration policies in a hybrid environment. Following are the high-level changes in Windows 10 configuration policies:

  • Device: 10 settings in CB 1610, 11 settings in CB 1702
  • System Security: 9 settings in CB 1610, 10 settings in CB 1702

The SCCM product team did excellent work catching up with Intune SA regarding cloud services integration in the latest SCCM CB version. They added support for "Android for Work" enrollment, improved the Cloud Management Gateway, and improved the OMS connector.

Cloud Services additions:

  • Android for Work
  • Cloud Management Gateway

References

What's new in version 1702 of SCCM CB (System Center Configuration Manager) – here

How to Perform SCCM ConfigMgr CB Production upgrade to 1702 Video Tutorial Configuration Manager

Microsoft has released a new version, SCCM/ConfigMgr CB 1702, here. If your SCCM infrastructure runs with an ONLINE service connection point and your SCCM CB version is 1602 or later, you will receive the SCCM CB 1702 update in the console.

For SCCM CB infrastructure with an online service connection point, the SCCM CB 1702 update will automatically appear in the console once Microsoft releases it to the "slow ring". At the time of writing, Microsoft had released SCCM CB 1702 only to the "fast ring." I have upgraded a standalone SCCM CB 1610 primary site to SCCM CB 1702, and my experience with this upgrade was very smooth and robust.

I didn't face any hiccups after the SCCM CB 1702 source files were automatically downloaded to the primary server. The above video gives a step-by-step walkthrough of the SCCM/ConfigMgr CB 1610 to 1702 upgrade process. More details about the SCCM 1702 release notes are here.

Feature comparison between SCCM CB production versions 1610 and 1702 – video here

Don't upgrade to SCCM/ConfigMgr CB 1702 if your primary servers/CAS are running on Windows Server 2008 R2. The minimum OS requirement for the SCCM CB 1702 upgrade is Windows Server 2012 or later. More details here.

You also need to ensure that a supported version of SQL Server is installed on the primary servers/CAS. SQL Server 2008 R2 SP3 is no longer supported; the minimum is SQL Server 2012 (with its supported service pack). So hold off on your SCCM CB 1702 upgrade if you don't have supported SQL and OS versions; the prerequisite check will fail, but it is better to know before downloading the update.


Issues with getting ConfigMgr SCCM 1702 updates available in the SCCM CB console?

Is the SCCM/ConfigMgr CB 1702 update still not available in the SCCM CB console?

Following are the steps for the FAST RING release of SCCM CB 1702. More details are available in my previous post, "SCCM ConfigMgr 2012 to CB upgrade Unofficial Checklist".

  1. Download the PowerShell script to ENABLE the first wave of customers (the script is available in the above link). SKIP THIS STEP – NOT required now.
  2. Run the PowerShell script from an elevated prompt (local admin access): EnableFastUpdateRing1702.ps1 <SiteServer_Name | SiteServer_IP>. SKIP THIS STEP – NOT required now.
  3. Force a check for the update. Go to \Administration\Overview\Cloud Services\Updates and Servicing and click "Check for Updates." You may need to click "Check for Updates" more than once if the package is not downloaded on the first try.
  4. Wait for some time. The DMP Downloader component will start the download via the Updates and Servicing channel (see DMPdownloader.log for details).
  5. Run the SCCM CB 1702 prerequisite check.
  6. Start the installation and wait for the source files to replicate to the other servers in the hierarchy if you have a CAS and primary servers (not covered here, as I don't have an SCCM CB hierarchy in the lab).
  7. Once installation completes on the CAS, the SCCM CB 1702 upgrade kicks in automatically for the child primary servers as per the service window scheduled on each primary server.

As you can see in the above screen capture, SCCM/ConfigMgr CB 1702 is already downloaded and available for the upgrade process on my SCCM primary server. The download process of SCCM CB 1702 still has some challenges, and there is some room for improvement.

The SCCM CB 1702 download was stuck in the Downloading state for a long time. I had to restart the SMS Executive service to bring the in-console 1702 update to the Available state. Right-click the Configuration Manager 1702 update and select Install.

The SCCM/ConfigMgr CB 1702 upgrade experience was very smooth for me. The upgrade can take time depending on several factors, such as the hardware performance of the server components and the size of the SQL database. You can monitor the status of the upgrade from CMUpdate.log.

Also check the Monitoring workspace for a more standardized status table, with the log file for each stage of the upgrade.

The last stage of the ConfigMgr/SCCM CB 1610 to 1702 upgrade process is the SCCM CB console upgrade. Once the console is upgraded successfully, you can see the new site server version.

The SCCM CB 1702 version details are also updated in the registry on the primary servers or CAS.

Version details after the upgrade:

  Version: 1702
  Console version: 5.000.8498.1400
  Site version: 5.0.8498.1000
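The two prerequisites called out above (site server OS and SQL Server version) and the version readback at the end can be scripted so that the check is done before the update is even downloaded. The following is an added example, not code from the original post: it assumes it is run on the site server as a local administrator, that the SqlServer PowerShell module (Invoke-Sqlcmd) is available, and that the SQL instance name is a placeholder.

```powershell
# Added example (not from the original post): pre-flight the OS and SQL prerequisites
# for the 1702 upgrade and read the site version from the registry afterwards.
# Assumptions: run on the site server as local admin; SqlServer module installed;
# $SqlInstance is a placeholder.

# Windows Server 2012 reports kernel version 6.2; Windows Server 2008 R2 is 6.1 and is
# unsupported as a site server for 1702.
function Test-SiteServerOS {
    param([Parameter(Mandatory)][version]$OSVersion)
    return $OSVersion -ge [version]'6.2'
}

# SQL Server 2012 is major version 11; SQL Server 2008 R2 (10.50) is unsupported for 1702.
function Test-SiteSqlVersion {
    param([Parameter(Mandatory)][version]$SqlProductVersion)
    return $SqlProductVersion.Major -ge 11
}

# The site's "Full Version" value (5.00.8498.1000 for 1702) lives under HKLM\SOFTWARE\Microsoft\SMS\Setup.
function Get-CMSiteFullVersion {
    return (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SMS\Setup' -Name 'Full Version').'Full Version'
}

$SqlInstance = 'CMSQL01'   # assumption: the site database server\instance

$osVersion  = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
$sqlVersion = [version](Invoke-Sqlcmd -ServerInstance $SqlInstance `
    -Query "SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128)) AS v").v

$results = [ordered]@{
    'OS >= Windows Server 2012' = Test-SiteServerOS -OSVersion $osVersion
    'SQL >= SQL Server 2012'    = Test-SiteSqlVersion -SqlProductVersion $sqlVersion
}
$results.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'BLOCKER' })
}

if ($results.Values -contains $false) {
    Write-Warning 'Do not start the 1702 upgrade until the blockers above are fixed.'
} else {
    "Prerequisites OK. Current site version: $(Get-CMSiteFullVersion)"
}
```

Run it once before clicking Install and once after the console upgrade; the second run should print the 1702 site version shown above.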

References:-

  • Now Available: Update 1702 for System Center Configuration Manager – here
  • Deprecated operating systems and SQL supports details for SCCM/ConfigMgr CB 1702 – here

Intune App Protection Policies for Android iOS Devices

Let's check how to enable Intune App Protection Policies for Android and iOS devices. You can get more details and the end-user experience from the video given below. A newer post on MAM policies is also available: Step by Step procedure to create App Protection policies for iOS/iPadOS in Intune.

Microsoft Intune supports MAM without enrollment (MAM-WE) and Conditional Access policies for Android devices. There are two management options for Android devices with Intune.

The first is traditional MDM management of the whole device; the second is lightweight management of the apps installed on the device via Intune. The previous post discussed the Android MDM management options and end-user experience.

Video – End-user experience of Android Device MAM WE

Please check the video link

Intune App Protection Policies

Mobile Application Management (MAM) Without Enrollment (WE) is a lightweight management option for Android devices. It has some advantages over full MDM management.

For example, if a consultant's device is already enrolled in a third-party EMM solution, but they need access to a client's corporate mail on that device for a short period, then MAM-WE is the best option for that consultant. With MAM-WE, Intune and Azure AD ensure that corporate mail and other MAM-enabled applications are protected by app protection policies, without the client taking control of the device.

Intune – Mobile Apps – Apps – Skype for Business – Properties: in the following example, the Skype for Business application for Android has been deployed with the deployment type "Available with or without enrollment." The "without enrollment" deployment type is what makes the app available for MAM-WE management.


Intune MAM-WE comes with its own set of Conditional Access policies, different from the MDM Conditional Access policy. So you need to take a little extra care when you deploy both CA policies to the same user groups. I would avoid using the same user group for both policies, or use the exclude groups option.

I would avoid deploying the MDM CA policy to user groups whenever possible and deploy it to device groups instead. Otherwise, you need a separate MDM CA user group and MAM-WE CA user group with unique users in each, which is tricky to maintain.


Each MAM-enabled application comes with app protection policies (MAM app protection). These policies must be deployed to MAM-WE user groups; remember that MAM-WE policies can't be deployed to device groups, because there is no enrolled device object to target.

With an app protection policy, you get options to restrict corporate data relocation (moving data out of the managed app) and to encrypt app data. It is critical that you create app protection policies and deploy them to MAM-WE user groups; without them, MAM-WE provides no protection for the data inside the app.


End-User Experience – Intune MAM without Enrollment

The video here shows the real-time end-user experience of Intune MAM-WE.

How to Get Intune Environment Ready for iOS Mac OS Devices Microsoft Endpoint Manager

How to Get Intune Environment Ready for iOS Mac OS Devices Microsoft Endpoint Manager? The first requirement for iOS and macOS device enrollment is the Apple MDM push certificate setup. You download a unique certificate signing request (CSR) from the Intune tenant and upload it to the Apple Push Certificates Portal.

Once the CSR is uploaded successfully, you get an option to download the Apple MDM push certificate from the Apple portal. That push certificate has to be uploaded to the Intune portal before you can enroll iOS and macOS devices. The certificate is valid for one year and must be renewed with the same Apple ID that created it; renewing with a different Apple ID breaks the trust with already-enrolled devices, which then have to re-enroll. This process is explained in the video above.

I assume the Intune MDM authority has already been set before you set up the Apple MDM push certificate and configure enrollment restriction policies.
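Because every iOS and macOS check-in depends on that one certificate, it is worth monitoring its expiry rather than waiting for enrollment to fail. The snippet below is an added example, not the author's code; it assumes the Microsoft Graph PowerShell SDK and an account with DeviceManagementServiceConfig.Read.All, and reads the same certificate the Intune portal shows under Apple MDM Push certificate.

```powershell
# Added example: read the Apple MDM push certificate from Microsoft Graph and
# warn before it expires. Not the author's code; assumes the Microsoft Graph
# PowerShell SDK and the DeviceManagementServiceConfig.Read.All permission.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All' -NoWelcome

$uri  = 'https://graph.microsoft.com/v1.0/deviceManagement/applePushNotificationCertificate'
$cert = Invoke-MgGraphRequest -Method GET -Uri $uri

$expires  = [datetime]$cert.expirationDateTime
$daysLeft = [int]($expires - (Get-Date)).TotalDays

[pscustomobject]@{
    AppleId  = $cert.appleIdentifier   # renew with this same Apple ID, or devices must re-enroll
    Topic    = $cert.topicIdentifier
    Expires  = $expires
    DaysLeft = $daysLeft
}

if ($daysLeft -lt 30) {
    Write-Warning "Apple MDM push certificate expires in $daysLeft days; renew it before then or iOS/macOS devices stop checking in."
}
```

Schedule it weekly and page on the warning; the AppleId it prints is the account you will need at renewal time.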


Video about the setting up iOS/MAC OS MDM management via Intune

Please check the video link here.

Once the Apple MDM push certificate setup is complete, we can proceed with the following configurations for iOS and macOS management. As the next step, I would configure the enrollment restriction rules for iOS devices.

Suppose your organization has decided not to allow (block) personal iOS devices from enrolling into Intune. In that case, you need to set up an enrollment restriction of the device type kind, under the platform configurations. I have a detailed post about restricting personal iOS devices here.


The next step is to set up Conditional Access policies for iOS devices (while we are still waiting for macOS Conditional Access policy support). I would recommend doing this at the time of the initial setup of Intune. As you can see in the screen capture, you have a couple of options.

Either you can select individual supported platforms for the Conditional Access policy, or you can select “All platforms (including unsupported).” My recommendation is the latter, “All platforms (including unsupported).” The platform condition is evaluated from the client's user agent, so a policy scoped to a list of named platforms does not apply to clients Azure AD cannot classify, and that gap is exactly what an unknown or spoofed client would fall through.


Azure AD Conditional Access policies can be deployed either combined with compliance policies or without them. I would recommend deploying Conditional Access policies together with compliance policies, so the next step is to set compliance policies for iOS devices. Are you wondering why there is no encryption option in the iOS compliance policy?

There is no need for a separate encryption setting for iOS: the device storage is protected by iOS Data Protection as soon as a passcode is set, so requiring a passcode in the compliance policy is what enforces encryption on those devices.
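The same baseline compliance policy (passcode, no jailbreak, managed email profile, immediate block on non-compliance) can be created through Microsoft Graph so that it lives in source control rather than only in portal clicks. The script below is an added example, not the author's code; it assumes the Microsoft Graph PowerShell SDK with DeviceManagementConfiguration.ReadWrite.All, and the group id is a placeholder for your own iOS pilot group.

```powershell
# Added example: create the iOS baseline compliance policy via Microsoft Graph and
# assign it to a group. Not the author's code; assumes the Microsoft Graph PowerShell
# SDK and DeviceManagementConfiguration.ReadWrite.All. $groupId is a placeholder.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome
$groupId = '<object id of your iOS pilot group>'   # placeholder, replace before running

$policy = @{
    '@odata.type' = '#microsoft.graph.iosCompliancePolicy'
    displayName   = 'iOS baseline compliance'
    description   = 'Passcode (which turns on Data Protection), no jailbreak, managed email profile'
    # Device Health: jailbroken devices are non-compliant and lose access
    securityBlockJailbrokenDevices = $true
    # Email: require the Intune-managed mail profile
    managedEmailProfileRequired    = $true
    # System Security: the passcode is what enables iOS file-level encryption,
    # which is why there is no separate "require encryption" setting for iOS
    passcodeRequired                      = $true
    passcodeBlockSimple                   = $true
    passcodeMinimumLength                 = 6
    passcodeRequiredType                  = 'numeric'
    passcodeMinutesOfInactivityBeforeLock = 5
    # Actions for noncompliance: mark non-compliant immediately (no grace period).
    # Graph rejects a compliance policy created without this block.
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{
                    actionType                = 'block'
                    gracePeriodHours          = 0
                    notificationTemplateId    = ''
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body $policy

# Assign the new policy to the pilot group (compliance policies, unlike CA, may target device groups too)
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body $assignment

"Created '$($created.displayName)' ($($created.id)) and assigned it to group $groupId"
```

Keep the hashtable in version control and re-run it against a test tenant whenever you change a setting; the four portal categories (Email, Device Health, Device Properties, System Security) map one-to-one onto the properties above, so the diff tells you exactly what changed.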


After the compliance policy settings, it is time to set up configuration policies for iOS and macOS devices. Intune configuration policies are there to deploy security settings to the devices. These policies can also be used to enable or disable device features.

Details about the different types of Intune configuration profiles are discussed here in my previous video blog post. Device restriction policies are essentially the security configuration policies in the Intune Azure portal.


Conclusion – How to Get Intune Environment Ready for iOS Mac OS

The policies mentioned above are the very basic policies you want to configure if your organization has decided to manage iOS and macOS devices via Intune. There are loads of advanced MDM policy management options available with Microsoft Intune.

You can also create custom configuration policies for iOS devices if some of your security requirements are not available out of the box with Intune configuration policies. Apart from that, you can deploy Wi-Fi profiles, VPN profiles, and certificates to iOS devices using Intune MDM.

Another option is Intune MAM WE (without enrollment): manage the corporate applications via MAM app protection policies and MAM WE Conditional Access policies.

In this scenario, your users don't need to enroll in Intune MDM management. So this is another decision point for each organization: whether to use MAM WE or the MDM channel for iOS management.


Bangalore IT Pro Full Day User Group Event on Intune and SCCM Configuration Manager Endpoint Manager

Bangalore IT Pro Full Day User Group Event on Intune and SCCM Configuration Manager Endpoint Manager? We had a full-day free Bangalore IT Pro User Group event on 18th March 2017. It was a free event conducted by the BLR IT Pro group. In this event, we covered the new Azure portal features of Intune.

We also covered the newest additions to SCCM/ConfigMgr CB 1702 TP. About 90% of the sessions were demo-driven, and attendees got some hands-on experience with Android for Work devices. I have created a quick video of some lively moments of the event here.

Introduction

Bangalore IT Pro Full Day User Group Event on Intune and SCCM Configuration Manager Endpoint Manager?

  • Join the SCCM/ConfigMgr Professional Group to get updates about future events – here
  • Follow the Facebook page to get notified about similar events – here

I had a great experience interacting and sharing knowledge with more than 40 attendees. Most of them are SCCM admins planning to move into the Intune world. Some already have good experience with Intune iOS management, application wrapping, the Apple DEP program, etc. Others are AirWatch admins, so the Intune features were a good new experience for them.


Topics

Following are the topics I covered in the full-day free event. You can get the presentation link below.

  • What is Modern Device Management?
  • Basic Understanding of Intune
  • Azure Active Directory (AAD) Overview
  • Create AAD Dynamic Device/User Groups
  • Intune Silverlight Portal Overview
  • Intune Azure Portal Overview
  • What is Conditional Access?
  • Configure Conditional Access
  • Configure Compliance and Configuration Policies
  • Table – Compliance Policies – Remediated/Quarantined
  • Windows 10 Modern Device Management
  • iOS/macOS Management
  • Android for Work Management
  • Troubleshooting
  • SCCM CB 1702 TP New Features

You can download the Presentation to get the reference links from the PowerPoint notes!

https://www.slideshare.net/slideshow/embed_code/key/4t1BmahfsEu3Tc

Bangalore IT Pro Full Day Event on Intune and SCCM from Anoop Nair


How to Restrict Personal Android Devices from Enrolling into Intune | Endpoint Manager | MEM

How to Restrict Personal Android Devices from Enrolling into Intune | Endpoint Manager | MEM? Are you still waiting for the migration from the Intune Silverlight console to the Azure portal? I would recommend watching the following video post to get an overview of the new Intune blade in the MEM portal here.

We can have more granular restrictions on MDM enrollment in the new Intune portal. It is great to see new features in the MEM Intune portal. A month ago, I blogged about restricting personal iOS devices from enrolling in Intune via enrollment restriction rules here.

More detailed explanation in the video tutorial

Please go through the video here.

Personal iOS devices can be restricted from enrolling in Intune MDM. Until now, however, there was no option to restrict personal Android devices from enrolling into Intune MDM. The Intune team has now lit up the feature to restrict personal Android devices from enrolling into Intune.

This was one of the features I was waiting to see in the Azure portal. So, can we allow only Android for Work-supported devices to enroll in Intune MDM? With this enrollment (device type) restriction option, the answer is NO. So what is the difference between company-owned Android devices and personally owned Android devices? Google summarises it as follows:

Feature                                                          | Company-owned device | Personal device
Opt-out of Device Owner mode                                     | No                   | Yes
With device approvals enabled, the administrator must approve the device | No           | Yes
Administrators can receive an inactivity report every 30 days    | Yes                  | No
Factory resets that users initiate block device re-enrollment    | Yes                  | No
Account wipe available                                           | No                   | Yes

When you turn on the “Block Android personal devices” option from the Intune blade in the Azure portal, all personal Android devices are blocked from enrollment. Personal Android devices can be Android for Work (AfW) supported devices as well as non-Android for Work devices.

Initially, I thought an Android for Work device would not be treated as a personal device but rather as a corporate-owned device. I was wrong. For corporate-owned devices, Android for Work can be deployed in Work Managed mode, which provides full device management.


The Enroll Devices node is the place in the Intune Azure portal where you set up the personally owned Android device restriction policy. Within enrollment restriction rules, we have two types of restrictions: Device Type restrictions and Device Limit restrictions.

In this scenario, where we want to restrict personal Android devices, we need to create a device type restriction that allows the Android platform to enroll in Intune. Once the Android platform is allowed, go to Platform Configurations and BLOCK personally owned Android devices.


Conclusion

Ideally, when you block personally owned Android devices from enrollment, every Android device enrolled via a non-corporate method should be blocked.

As per my testing, this is not working. After enabling the “block Android personally owned devices” policy, I enrolled a couple of Android devices, and those devices enrolled without any issues.


In the screen capture below, I have enrolled two Android devices into Intune, and the Intune console detects them as personal devices. I'm not sure why they are not getting blocked.
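Rather than eyeballing the console, the two facts in question can be pulled from Microsoft Graph: whether any platform restriction actually carries the Android personal-device block, and which Android devices Intune still classifies as personal that enrolled after that restriction was last changed. The script below is an added example, not the author's code; it assumes the Microsoft Graph PowerShell SDK with DeviceManagementServiceConfig.Read.All and DeviceManagementManagedDevices.Read.All.

```powershell
# Added example: confirm the "block personally owned Android devices" restriction is
# set and list Android devices that still enrolled as personal afterwards.
# Not the author's code; assumes the Microsoft Graph PowerShell SDK with
# DeviceManagementServiceConfig.Read.All and DeviceManagementManagedDevices.Read.All.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All', 'DeviceManagementManagedDevices.Read.All' -NoWelcome

# 1. Platform restriction configurations (the Enrollment restrictions node in the portal)
$configs = (Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations').value

$restrictions = @($configs | Where-Object {
    $_.'@odata.type' -eq '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration'
})

foreach ($r in $restrictions) {
    $android = $r.androidRestriction
    [pscustomobject]@{
        Restriction            = $r.displayName
        Priority               = $r.priority
        AndroidBlocked         = $android.platformBlocked
        AndroidPersonalBlocked = $android.personalDeviceEnrollmentBlocked
        LastModified           = $r.lastModifiedDateTime
    }
}

# Earliest modification time among the restrictions that carry the personal block
$blocking   = @($restrictions | Where-Object { $_.androidRestriction.personalDeviceEnrollmentBlocked })
$blockSince = ($blocking | Sort-Object { [datetime]$_.lastModifiedDateTime } | Select-Object -First 1).lastModifiedDateTime

if (-not $blockSince) {
    Write-Warning 'No enrollment restriction blocks personally owned Android devices.'
    return
}

# 2. Android devices Intune still marks as personal that enrolled after the block was set.
#    Any row here is a device the restriction should have stopped.
Get-MgDeviceManagementManagedDevice -All |
    Where-Object {
        $_.OperatingSystem -eq 'Android' -and
        $_.ManagedDeviceOwnerType -eq 'personal' -and
        $_.EnrolledDateTime -gt [datetime]$blockSince
    } |
    Select-Object DeviceName, UserPrincipalName, DeviceEnrollmentType, EnrolledDateTime, ManagedDeviceOwnerType |
    Sort-Object EnrolledDateTime
```

The DeviceEnrollmentType column is the useful one when a device slips through: it shows which enrollment path the device took, which is where to look when the block does not behave as expected.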

References:-

  • Android Management Experience setup guide – Evaluate Android enterprise features – here
  • Add management for company-owned devices here
  • Manage your business’s mobile devices – here


How to Integrate ConfigMgr SCCM CB with Azure AD | Configuration Manager | Endpoint Manager

How to Integrate ConfigMgr SCCM CB with Azure AD | Configuration Manager | Endpoint Manager? The SCCM ConfigMgr 1702 Technical Preview version was released a few weeks ago. More details about the SCCM 1702 TP version are available here. Last weekend, I got a chance to look at the SCCM 1702 TP version.

My SCCM/ConfigMgr TP lab had expired because I hadn't upgraded it since last November (the 1611 time frame). Technical preview versions are cumulative, but if you don't upgrade to the latest version within 90 days, the installation expires and you need to build a new one from scratch.

How do you know whether your SCCM CB TP lab has expired? You can either see the remaining evaluation period at the top of the SCCM console (for example "evaluation 10 days left"), or the SMS Executive and other services start getting stopped periodically (I'm not sure whether it's every hour or less).

Apart from the points mentioned above, an expired lab won't receive the latest TP update builds. If your SCCM TP lab has expired, take pleasure in installing a new one!

Video Tutorial How to Integrate ConfigMgr SCCM CB 1702 TP Azure AD Integration – here

SCCM CB 1702 TP Console view – Integrate ConfigMgr SCCM CB with Azure AD


So, coming back to the topic “How to integrate Azure AD with SCCM/ConfigMgr?” This is a very straightforward process if you already have an Azure subscription and you are a Global Administrator of the Azure AD tenant.

The Add Azure Active Directory button has been made available in the SCCM CB 1702 TP console ribbon, under the Cloud Services section, as you can see in the picture above. Click the sign-in button and sign in with your Azure AD account (one with Global Administrator access, since the wizard registers applications in the tenant).


Once the above step is complete, two Azure applications appear in the SCCM console. These apps are registered during the Azure AD integration process with SCCM/ConfigMgr CB. The first app is the SCCM server app, and the second one is the SCCM client app.

Another option available in the SCCM console is to renew the secret key used to register the app in Azure. By default, the secret key has one-year validity, so put the expiry date on a calendar: once it lapses, the server app can no longer authenticate to Azure AD and the integration stops working until the key is renewed.
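Since that one-year secret is the part of the integration most likely to be forgotten, it is worth listing the ConfigMgr app registrations from the Azure AD side and flagging secrets that are close to expiry. The script below is an added example, not the author's code; it assumes the Microsoft Graph PowerShell SDK with Application.Read.All, and the display-name pattern is a placeholder for whatever names you gave the server and client apps in the wizard.

```powershell
# Added example: list the ConfigMgr app registrations in Azure AD and flag client
# secrets that expire soon. Not the author's code; assumes the Microsoft Graph
# PowerShell SDK and Application.Read.All. $namePattern is a placeholder.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$namePattern = 'ConfigMgr*'   # placeholder: match the names chosen in the Azure AD wizard
$warnDays    = 60

Get-MgApplication -All -Property id,appId,displayName,passwordCredentials,keyCredentials |
    Where-Object { $_.DisplayName -like $namePattern } |
    ForEach-Object {
        $app = $_
        # A client secret shows up under PasswordCredentials; a certificate would
        # be under KeyCredentials instead.
        foreach ($cred in @($app.PasswordCredentials)) {
            $daysLeft = [int]($cred.EndDateTime - (Get-Date)).TotalDays
            [pscustomobject]@{
                Application = $app.DisplayName
                AppId       = $app.AppId
                SecretHint  = $cred.Hint
                Expires     = $cred.EndDateTime
                DaysLeft    = $daysLeft
                Status      = if ($daysLeft -lt 0) { 'EXPIRED' }
                              elseif ($daysLeft -lt $warnDays) { 'RENEW SOON' }
                              else { 'OK' }
            }
        }
        foreach ($cert in @($app.KeyCredentials)) {
            [pscustomobject]@{
                Application = $app.DisplayName
                AppId       = $app.AppId
                SecretHint  = "cert $($cert.DisplayName)"
                Expires     = $cert.EndDateTime
                DaysLeft    = [int]($cert.EndDateTime - (Get-Date)).TotalDays
                Status      = 'certificate'
            }
        }
    } | Sort-Object DaysLeft
```

Anything reported as RENEW SOON should be renewed from the SCCM console (the Renew Secret Key option above) rather than directly in Azure AD, so that the site server picks up the new value.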

Azure AD – App Registration View


I could see TWO apps created in the Azure portal as part of the AAD integration with SCCM CB 1702 TP. There are three apps in my Azure Active Directory – App Registrations: the SCCM client, the SCCM server, and a P2P server.

I was initially unsure whether the P2P server app was created during the Azure AD integration process with SCCM CB, but I can confirm that it was not. Also, I have not tested the end-to-end scenario of Azure AD Domain Services integration.

With SCCM CB 1702 technical preview version, you can manage devices joined to an Azure Active Directory (AAD) Domain Services managed domain. You can also discover devices, users, and groups in that domain with various SCCM Discovery methods.

Conclusion

Is this full integration between Azure AD and SCCM in every sense? Would SCCM be able to discover devices and users from Azure AD itself? In 1702 TP the answer to both questions is NO. What this feature enables is discovery of devices, users, and groups in an Azure AD Domain Services managed domain. Azure AD (the cloud identity service) and Azure AD Domain Services (a Microsoft-managed Active Directory domain, with domain controllers hosted in Azure, that you join virtual machines to) are different things, and the SCCM discovery methods talk to the latter the same way they talk to an on-premises domain.


References

  • Use Azure Active Directory Domain Services to manage devices, users, and groups – here
  • Get started with Azure AD Domain Services – here
