Controlling Office365 ProPlus channels during Installation with Intune

A couple of weeks ago Microsoft added a new app type to Intune. With this app type we can deploy Office 365 ProPlus very easily to our MDM-managed workstations. My colleague Peter van der Woude has written a great blog post about how to configure this new app type and what the experience looks like for the admin and the user; you can find his blog post here. In this blog post I want to focus on controlling the Office 365 update channels with this new app type. I have multiple customers who want to configure, and keep control over, the Office 365 ProPlus update channel during the installation of Office 365 ProPlus.

Scenario: Using both Intune Device and App Based Conditional Access – Part 3

In this part of the series on using both Device and App Conditional Access to secure Exchange Online I focus on providing a self-service solution that lets the user choose between ActiveSync and MAM-managed access to Exchange Online. In the first part of the series I covered securing browser and ActiveSync access to Exchange Online, and in the second part securing app access to Exchange Online. The conclusion after both posts was that Device and App Conditional Access cannot coexist in the scenario where we want to secure ActiveSync connections and at the same time provide Outlook app access to mobile devices that are not MDM enrolled. Based on the tests and the documentation, the user has to choose between using ActiveSync or using the Outlook app (on a non-enrolled device). In this blog post I want to share a solution where the user makes that choice through self-service.

Scenario: Using both Intune Device and App Based Conditional Access – Part 2

In Part 1 I described the Conditional Access scenario in which you want to combine Device and App Conditional Access for a single user. This series of blog posts focuses on Exchange Online. The first post described how to configure Conditional Access to enforce MFA for browser access to Exchange Online and to require a compliant device for Exchange Online ActiveSync. In this part I want to focus on configuring Conditional Access for the Exchange Online apps. I want to achieve the following: when the device is MDM enrolled, MAM with enrollment should be applied to MAM-capable apps, and on these devices the user should also be able to configure apps that use ActiveSync (like the built-in mail apps on Android and iOS). On devices that are not MDM enrolled the user should only be able to configure the Outlook app for Exchange Online, and is not allowed to use or configure non-MAM-capable apps. My ultimate goal is to provide these scenarios for each of the platforms: Windows, Android and iOS.

Scenario: Using both Intune Device and App Based Conditional Access – Part 1

With this blog post I want to look into Conditional Access and the possibilities we have for combining Device Conditional Access and App Conditional Access. I have seen this requirement at multiple customers when doing EM+S deployments. With Device Based Conditional Access we can require the device to be compliant before services can be used. With App Based Conditional Access we can enforce app restrictions on the applications used to access those services. Device Based Conditional Access can be configured for almost all applications in Azure AD; App Based Conditional Access can be configured for Exchange Online and SharePoint Online. In this blog post I will focus on a scenario for Exchange Online.

Users cannot join Windows 10 devices to AzureAD

For the last couple of days I have been working on an issue at a customer related to joining Windows 10 workstations to Azure AD. This customer uses Dell hardware, Windows 10 1703 (Creators Update) and a federated Azure AD with Intune MDM. When a failing workstation has Windows 10 installed and the user tries to join the device to Azure AD, the user cannot log in to ADFS. In the OOBE stage of the deployment the user enters his username and, based on that, is redirected to the customer's ADFS environment. The ADFS login form loads, but after the user enters his credentials the login page simply returns: the user stays on the ADFS login page in a loop. Neither the Windows 10 client nor the ADFS environment logs any errors in the event logs.

Deploy MSI apps through the new Intune Portal

With Microsoft Intune we can deploy MSI applications to MDM-enrolled Windows 10 devices. This functionality was already available in the 'old' Microsoft Intune portal, but in the early days of the new portal (https://portal.azure.com) it was not possible to add MSI applications there. Microsoft has now added this functionality to the new portal. This blog post shows how you can easily add the application through the new portal. In my experience the process has been improved and the whole experience is much better than in the old portal.

Using AzureAD Conditional Access to block a Native App

Last week I was asked to research a scenario where a customer wants to block the use of a native app and only allow the browser experience, from compliant devices. My first answer was that this would be difficult to implement, but after looking into Azure AD Conditional Access it turned out to be relatively easy to configure. In this series of blog posts I use Microsoft Teams as an example and focus on two scenarios: the first is blocking the Microsoft Teams native app and only allowing browser access to Microsoft Teams; the second is only allowing the Microsoft Teams app and blocking browser access.

Prevent a Azure AD MFA User Lockout

Within Azure Multi-Factor Authentication a user can configure multiple options for the second factor. Besides those options the user can also register multiple phone numbers to be used for the second factor. In practice, however, most users only register one phone number. When that user then loses his phone, or access to his number, he can no longer use Azure MFA. He also cannot change the phone number himself, because a second factor is needed to access that information. So the user is locked out of Azure MFA and the only way out is to call the helpdesk and have the phone number changed. There is, however, a way to prevent this MFA lockout: simply configure a phone number in the user's account in your Active Directory or Azure Active Directory.
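As an added example (this is not code from the original post), here is how that phone attribute can be populated and checked with PowerShell, both for synced accounts via on-premises AD and for cloud-only accounts directly in Azure AD. The account, the number and the choice to fill both the mobile and the office phone attribute are assumptions for illustration; the cmdlets are the standard ones from the ActiveDirectory, AzureAD and MSOnline modules.

```powershell
# Added example, not part of the original post.
# Assumptions: a placeholder UPN and phone number; both the mobile and the
# office phone attribute are populated so MFA has a fallback number on file.

$Upn    = 'jdoe@contoso.com'   # placeholder account
$Phone  = '+31 6 12345678'     # placeholder number, E.164 with country code

# --- Synced accounts: set the attributes in on-premises AD -------------------
# Azure AD Connect synchronises 'mobile' and 'telephoneNumber' to Azure AD.
Import-Module ActiveDirectory
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'" -Properties MobilePhone, OfficePhone
if ($null -eq $adUser) { throw "User $Upn not found in AD" }

Set-ADUser -Identity $adUser -MobilePhone $Phone -OfficePhone $Phone

# Verify what is now stored on the account
Get-ADUser -Identity $adUser -Properties MobilePhone, OfficePhone |
    Select-Object UserPrincipalName, MobilePhone, OfficePhone

# Check: enabled users that have no phone attribute at all and would therefore
# still be locked out if they lose the single number they registered in MFA.
Get-ADUser -Filter 'Enabled -eq $true' -Properties MobilePhone, OfficePhone |
    Where-Object { -not $_.MobilePhone -and -not $_.OfficePhone } |
    Select-Object SamAccountName, UserPrincipalName

# --- Cloud-only accounts: set the attributes directly in Azure AD -------------
Connect-AzureAD
Set-AzureADUser -ObjectId $Upn -Mobile $Phone -TelephoneNumber $Phone
Get-AzureADUser -ObjectId $Upn | Select-Object UserPrincipalName, Mobile, TelephoneNumber

# --- Compare with what the user registered in Azure MFA itself ----------------
# StrongAuthenticationUserDetails holds the numbers the user registered; the
# directory attributes above are what remains available when those are lost.
Connect-MsolService
(Get-MsolUser -UserPrincipalName $Upn).StrongAuthenticationUserDetails |
    Select-Object PhoneNumber, AlternativePhoneNumber, Email
```

One caveat worth keeping in mind: once a directory phone attribute serves as an MFA fallback, whoever can write that attribute (helpdesk delegations in AD, self-service profile editing, HR provisioning feeds) can effectively plant a second factor for the user. Treat write access to `mobile` and `telephoneNumber` as security-sensitive and audit changes to them accordingly.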

Using Azure MFA cloud based protection with the RD Gateway

Last week Microsoft released Azure MFA cloud-based protection for your on-premises servers and devices. In this blog post Microsoft announced the functionality and showed how it can be used with a VPN device. Until this release you had to install the Azure MFA Server to provide MFA for RDS sessions through the RD Gateway. Since the MFA Server and the cloud-based MFA were separate systems with separate settings per user, this was not an ideal situation. With this new functionality we can use the cloud-based MFA for the RD Gateway role. If you are looking for a detailed description of how to set up the RD Gateway with the on-premises MFA Server, please check this blog post.

Creating a Storage Spaces Direct Performance Dashboard

In this blog post I want to show you how you can easily create a Power BI dashboard based on Storage Spaces Direct performance metrics. Power BI is great at visualizing data, and reports are easy to create. Before you can execute the steps in this blog post you will need to create a Power BI account at https://www.powerbi.com. I have tested the steps below with a Power BI Pro account, but based on this page it should also work with a free Power BI account. On the Storage Spaces Direct side this blog post is based on Windows Server 2016; Storage Spaces Direct first shipped with that release, so this will not work on earlier versions. I created this dashboard to monitor my S2D environment hosting the Remote Desktop Services User Profile Disks, so expect it to focus on delivering an overview for that purpose.