Windows 10 AlwaysOn VPN with Conditional Access – Part 2

Standard

This is the second part of the series about the Windows 10 AlwaysOn VPN solution. In the first part, which you can find here, I described how to set up the infrastructure for the AlwaysOn VPN solution. The infrastructure which is described in that blogpost is a prerequisite for this blogpost. This blogpost will focus on the configuration needed to add AzureAD Conditional Access to the solution. With AzureAD Conditional Access we add a great set of capabilities to control who can connect to the VPN solution and which conditions the user must meet before the connection can be made. In this blogpost I configure the first scenario and that is enforcing a Multi-Factor authentication request before the VPN connection can be activated.
Continue reading

Windows 10 AlwaysOn VPN with Conditional Access – Part 1

Standard

In this series of blogposts I want to show you how you can use AzureAD Conditional Access to protect your Windows 10 / Server 2016 AlwaysOn VPN solution (deployed with Intune). This first part of the series will describe the initial requirements and setup of the infrastructure which is needed for the AlwaysOn VPN solution. The second part will focus on the configuration needed to add AzureAD Conditional Access for VPN connections to the flow and the last part of the series will focus on testing the Conditional Access features against AlwaysOn VPN connections. But let’s start with the description of the needed components and the initial configuration of those components.

Continue reading

Office365 ProPlus can’t open files on SMB Share protected by WIP

Standard

The last 2 weeks I was working on an issue where users were unable to open Office files with Office365 ProPlus on SMB shares protected by Windows Information Protection. If the SMB share was part of the enterprise context the user was not able to open or change files with Office applications. Other applications which were part of the WIP configuration were able to open the same files without any issues. Together with Microsoft Support and the PG we’ve found a solution and a workaround (which I will describe in this blogpost). Unfortunately the root cause of the issue is not known at this moment. Not all of the users have this issue but the majority of the customers user population had the issue.
Continue reading

Creating a Intune Application Deployment Overview – Part 2

Standard

Last week I posted the first version of my Intune Application Deployment Overview script. This script exported device deployment information from Intune through the Graph API to a CSV file and a HTML file. The CSV file contained all the device deployment details and the HTML contained a summary of the deployment status for all applications. You can find this first post here. This blogpost is build on top of this first blogpost, this blogpost describes the next version of this script. In this version I’ve added the user deployment information of Intune Application deployments. Before you continue I want to advise you to first read the first blogpost.

Continue reading

Creating a Intune Application Deployment Overview

Standard

The last couple of weeks I toke some time to investigate the possibilities of the Microsoft Graph API with Intune and AzureAD. In this blogpost I want to share my results of these investigations. One of the big advantages of having Microsoft Intune on the ‘new’ platform is the availability of Microsoft Graph API. Through the Graph API you easily control Microsoft Intune. In this blogpost I want to focus on creating an Application Deployment overview for applications deployed with Microsoft Intune to your Windows 10 workstations. My goal was to create an overview of the applications with the following information: Number of deployments to devices and if they are successful or failed. And based on those numbers I wanted to have the percentage of successful and failed deployments.
Continue reading

Windows Store Apps as available App in Company Portal

Standard

This week a short blogpost about a recent change in Intune and the Company Portal. In the July What’s new documentation I found the following new feature: ‘With this release, admins can now assign the Microsoft Store for Business as available. When set as available, end-users can install the app from the Company Portal app or website without being redirected to the Microsoft Store.’ It looks like a tiny small feature but it has a great user experience improvement. Before this feature a user had two software portals: In the Company Portal were the applications visible from Intune and in the Windows Store for Business were the application visible from private business store. With this change we can combine those two and make the Company Portal the one-stop-shop for software on a Windows 10 MDM managed workstation.

Continue reading

Allow or Block Windows 10 versions accessing corporate data

Standard

With this blogpost I want to focus on controlling which Windows 10 versions can access corporate date and which versions will be blocked when accessing corporate date. To achieve this I’m using AzureAD Conditional Access together with Compliance Policies configured in Microsoft Intune. In this blogpost I want to focus on the scenario to only allow Windows 10 versions which are receiving updates and are supported by Microsoft. The second scenario is about allowing your users to run Insider Builds for testing purposes but block them to connect to corporate services and data.

Continue reading

Controlling Office365 ProPlus channels during Installation with Intune

Standard

A couple of weeks ago Microsoft added a new app type in Intune. With this new App type we can deploy Office365 ProPlus very easy to our MDM Managed workstations. My colleague Peter van der Woude has written a great blogpost about how you can configure this new App type and how this works for the admin and the user. You can find his blogpost here. With this blogpost I want to focus on controlling the Office365 channels with this new app type. I’ve multiple customers where we want to configure and have control over the Office365 ProPlus update channels during the installation of Office365 ProPlus.
Continue reading

Scenario: Using both Intune Device and App Based Conditional Access – Part 3

Standard

In this part of the series around using both Device and App Conditional Access for securing Exchange Online I’m focusing on providing a user self-service solution to choose between ActiveSync or MAM Managed Exchange Online access. In the first part of the series I focused on securing Exchange Online Browser and ActiveSync access and in the second part I focused on securing App access to Exchange Online. After both blogposts the conclusion was that Device and App Conditional Access cannot co-exists in the scenario where we want to secure ActiveSync connections and provide Outlook App access to not-MDM enrolled mobile devices. Based on the tests and the documentation the user need to choose between using ActiveSync or using the Outlook App (not-enrolled). In this blogpost I want to share a solution where the user can choose between the scenarios using self-service.
Continue reading

Scenario: Using both Intune Device and App Based Conditional Access – Part 2

Standard

In Part 1 I described the Conditional Access scenario where you want to combine both Device and App Conditional Access for a single user. This series of blog posts is focusing on the Exchange Online. The first post of the series described how to configure Conditional Access to enforce MFA on accessing Exchange Online through for browser access and how to enforce a compliant device for Exchange Online ActiveSync. In this part I want to focus on configuring Conditional Access for the Exchange Online Apps. I want to achieve the following: when the device is MDM enrolled MAM with Enrollment should be applied on MAM capable apps and on these devices the user should be able to configure apps which are using ActiveSync (like the Inbox mailapps on Android and iOS). On devices which are not MDM enrolled the user should only be able to configure the Outlook App for Exchange Online. When the device is not MDM enrolled the user is not allowed to use and configure non-MAM capable apps. My ultimate goal is to provide these scenarios for each of the platforms: Windows, Android and iOS.
Continue reading