Monthly Archives: March 2017

SCCM Current Branch 1702 – Automatically close executable files before installation

A nice new feature in SCCM Current Branch 1702 is the ability to set the “Install Behavior” on a deployment type to either automatically close specified .exe’s if the deployment is required, or to advise the user that the installation has failed because of the running .exe’s. This is useful for deployments where certain processes cannot be running, for example if you are deploying an add-in for Outlook and need Outlook, or other Office applications, to be closed.

One thing to note is that you need to have your client upgraded to the 1702 version, otherwise it will not work. This post will quickly show how you can configure the Install Behavior and the user experience for an Available application.

After upgrading the client to the latest version, in an existing Application (7Zip) I have right-clicked on the Deployment Type and clicked on the Install Behavior tab. Click Add, type in the executable file name, and give it a display name.

autoclose01

This application is deployed as Available, not Required. As you can see below, I have the .exe open on the right-hand side; I will then install 7-Zip.

autoclose02

Now you can see it has failed because the executable filename I specified earlier is running. If the deployment was Required, it should automatically close the specified exe’s.

autoclose03

SCCM Current Branch 1702 – Office 365 Installer

SCCM Current Branch 1702 introduces the “Office 365 ProPlus Installer” (this feature was seen in technical previews). The Office 365 ProPlus installer allows you to specify your Office 365 ProPlus settings (excluded apps, update channels, etc.), download the Office 365 ProPlus files, create the Application and Deployment Type, and deploy the application if you choose to.

Before this feature was released, you needed to use the Office Deployment Tool (ODT) to download the Office 365 ProPlus files and create an XML file with the Office 365 configuration settings, then create an Application in SCCM.

This post will show how you can leverage the new Office 365 Installer in SCCM Current Branch version 1702 to create, download and deploy an Office 365 ProPlus package without having to use the Office Deployment Tool.

Open the SCCM console, go to the Software Library node, expand the Office 365 Client Management folder, and click on the Office 365 Installer.

Office365Deploy1

Give it a name and content location:

Office365Deploy2

You can use an existing XML with the Office 365 ProPlus configuration you have created, or manually create one using this wizard. I have chosen to manually create the XML:

Office365Deploy3

Specify your settings. I have chosen the Office 365 ProPlus suite, and have chosen to exclude the old Groove OneDrive for Business client.

Office365Deploy4

Select your architecture. I am using 32-bit, and have chosen to use the Deferred channel.

Office365Deploy5

I have said Yes to deploy the application.

Office365Deploy6

I chose my collection to deploy it to.

Office365Deploy7

I added my distribution point.

Office365Deploy8

I am deploying mine as Available.

Office365Deploy9

Settings here are left as default.

Office365Deploy10

Default again.

Office365Deploy11

Default again.

Office365Deploy12

Click Next to start downloading the Office 365 ProPlus files.

Office365Deploy13

After it has finished, you can see that an Application has been created with a deployment type and deployed to the collection specified earlier.

Office365Deploy15
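
For reference, an Office Deployment Tool configuration that matches the choices made in the wizard above (Office 365 ProPlus suite, 32-bit, Deferred channel, Groove excluded). This is an added, hand-written example, not the file the SCCM wizard generates; the `en-us` language is an assumption, since the post does not say which language was selected.

```xml
<!-- Added example: hand-written ODT configuration, not output from the SCCM wizard. -->
<Configuration>
  <!-- 32-bit client on the Deferred update channel, as chosen in the wizard -->
  <Add OfficeClientEdition="32" Channel="Deferred">
    <!-- Office 365 ProPlus suite -->
    <Product ID="O365ProPlusRetail">
      <!-- Assumption: the language is not stated in the post -->
      <Language ID="en-us" />
      <!-- Leave out the old Groove-based OneDrive for Business client -->
      <ExcludeApp ID="Groove" />
    </Product>
  </Add>
</Configuration>
```

A file like this can be supplied at the wizard step that accepts an existing XML instead of entering the settings manually.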

Intune App Protection Policies

Intune App Policies can be used to protect company data whether the mobile device is enrolled in Intune, or another MDM solution, or not enrolled at all. As long as the users have an Intune license and the App Policy is deployed to the user, the App Policies will work for managed apps. If you have an Intune license, you can log in to the Azure Portal (portal.azure.com), click More Services, and search for Intune App Protection to start deploying App Policies.

intuneapp1

From my testing, if a user does not have an Intune license, or the App Policy is not deployed to them, they can still use the app as normal without any protection using their work account. You can use the new Azure AD group-based license in portal.azure.com to license users with Intune (group), and deploy the Intune App Policies to the same group. More can be read here.

At the moment you can create App Policies for iOS and Android devices. If you have an Android device you will need to install the Company Portal app, but you do not need to be enrolled or configure it.

When creating an App Policy you are able to select the following apps to protect:

intuneapp2

Some of the settings you can configure on the apps include preventing Save As, encrypting app data, requiring a PIN for access, preventing copy and paste from non-managed apps, and so on. A full list of settings can be seen when you create the policy. To create the App Policies, see Create and deploy app protection policies with Microsoft Intune. Don’t forget to deploy the policy once you have created it.

End User Experience:

The following screenshots will show the end user experience on an Android Device (with Company Portal installed but not configured or enrolled). iOS is very similar as well:

The policy I set included the Microsoft Word app. When opening it, it says that the organization now protects it, and I must set a 4-digit PIN. One thing to note is that these policies are only enforced when using apps in a Work context, not in a personal context.

intuneapp3

Another setting I chose was to not allow cut/copy/paste outside of a managed app. When I try to copy out of Word (managed app) into the Android memo app (non-managed app) and paste, I get the following:

intuneapp4

You can also view the built-in dashboards in the Intune App Protection section in the Azure portal to view more information about your users. For example the dashboard below shows that I have checked in on my iPhone for Word and OneDrive but not others.

intuneapp5