Category Archives: Intune Hybrid

Intune Hybrid – Setting Edge homepage on Windows 10 machine using configuration baseline

This post will show how to set the Edge browser homepage on a Windows 10 machine enrolled in an Intune Hybrid environment with ConfigMgr 1610. I will create a configuration item, add it to a baseline, and then deploy the baseline to my Intune user collection. For a guide on setting up hybrid MDM with ConfigMgr, see Setup hybrid mobile device management (MDM) with System Center Configuration Manager and Microsoft Intune.

In the ConfigMgr console, right click Configuration Items and select Create Configuration Item.

Give the configuration item a name, and select Windows 8.1 and Windows 10 under Settings for devices managed without the Configuration Manager client and click Next.

In the Supported Platforms section, select Windows 10 as the supported platform and click Next.

On the Device Settings section, select Configure additional settings that are not in the default settings groups and select Next.

In the Additional Settings section, click on Add.

In the Available Settings search bar, search for “home” then select Homepages and click Select.

I have given the rule a name and set the Homepages value to “nhogarth.net” (you can use any site you like), then clicked OK.

Now click Select to select the setting you created.

On the Additional Settings page, click Next.

Click on Close to close the Completion screen.

Now we will create the Configuration Baseline and add the Configuration Item we created.

Give the baseline a name, and then click on Add, then Configuration Items.

Select the available configuration item, click on Add, then click on OK.

Once the Configuration Item is added to the baseline, click on OK.

Now we will Deploy the baseline to our Intune user group. Right click on the baseline and click on Deploy.

With the configuration baseline selected (top right), tick Remediate noncompliant rules when supported, and select your Intune user collection.

Now on our enrolled Windows 10 machine, we can check the compliance in the Company Portal to speed things up.

Now we can see that it has set our Edge browser to use the specified homepage from our Configuration Item.

Intune Hybrid – Deploy Office 365 click-to-run and enroll Windows 10 computer

This post will cover how to deploy Office 365 click-to-run to an enrolled Windows 10 machine using a Hybrid ConfigMgr 1610 environment with an Intune subscription. I will generate the .msi for Office 365 ProPlus and deploy it using ConfigMgr, enroll a Windows 10 machine, then install Office 365 ProPlus from the Company Portal using Click-to-Run.

My hybrid environment is already set up, and PC enrollment is already enabled. For this see https://docs.microsoft.com/en-us/sccm/mdm/understand/hybrid-mobile-device-management.

First, to create the Office 365 click-to-run msi which we will deploy from ConfigMgr to our Intune user group, download and install the “Microsoft Office ProPlus Install Toolkit” from http://officedev.github.io/Office-IT-Pro-Deployment-Scripts/XmlEditor.html

Install it and open it up. I have configured the options to what suits my environment. Have a good look through the options and customize it to your needs.

You can choose to exclude certain products if you like.

I have enabled updates.

I have set the Display Level to none, and accepted the EULA.

Make sure the install type is MSI and select the file path to output the msi.

Once you click Generate, you will be left with a 2 MB msi which we will deploy through ConfigMgr to our Intune user group.

Now we will create the application in the ConfigMgr console.

Make sure to specify the type as Windows Installer through MDM (*.msi) and also specify the UNC path to the earlier generated msi.

Click Yes.

Click Next.

Specify the information you would like here such as Name.

I have left all other options as default and clicked Next.

Now we will go to the properties of the application we created and choose to use a logo to display in the Company Portal.

Click on the Application Catalog tab, then browse and select an icon you would like to use. I searched the web for an Office 365 icon and made sure it was 250×250 pixels or smaller.

Now we will deploy the application to our Intune user group.

Make sure to distribute the msi to the Intune distribution point. Select Add then Distribution Point, then select the manage.microsoft.com distribution point.

Click Next.

I am deploying this application as Available so the user can install it from the Company Portal.

Now I will enroll my Windows 10 Pro 1607 machine. The prerequisites are here: https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/enroll-hybrid-windows

Click on Start, then Settings.

Select Accounts.

Click on Access work or school then click on Connect.

Enter in your details for an account with an Intune license.

Now the device is enrolled. If we take a look in the ConfigMgr console, we can see the Windows 10 machine is enrolled as a mobile device.

I have installed the Company Portal application from the Windows Store. Once opened, I can see Microsoft Office 365 ProPlus listed. Click on it, then click on Install.

If you load up Task Manager, you can see the setup files running.

After a while you can see the programs in the program list on the Windows 10 machine.

Intune Hybrid – Deploy msi to enrolled Windows 10 machine with ConfigMgr

This post will show how to deploy an MSI application to a Windows 10 machine enrolled as a mobile device in a ConfigMgr Current Branch 1610 environment with an Intune subscription. The Windows 10 machine has already been enrolled and has the Company Portal installed. For details on how to configure hybrid MDM and how to enroll devices, see Setup hybrid mobile device management (MDM) with System Center Configuration Manager and Microsoft Intune.

Right click Applications, select Create Application.

Make sure to specify the type as Windows Installer through MDM (*.msi) and specify the location of the .msi file. In my example I am using the 32-bit 7-Zip msi.

I have clicked Yes.

I have changed the name and left all other information at its defaults.

Now I will deploy the application as an available application for the user to download and install from the Company Portal. Right click on the application and click Deploy.

I have selected a user collection and clicked Next.

Click on Add, then select Distribution Point; I will distribute the package to the cloud-based Intune DP.

I am deploying this as Available in this example and have left all other options as default and clicked Next on each screen.

Now the application is deployed.

In the content status section of the ConfigMgr console, I have made sure that the application has been successfully distributed to the Intune distribution point.

Now on my enrolled Windows 10 (1607) machine I have opened up the Company Portal and can see the 7-Zip application available.

I have clicked on the application and then clicked on Install.

Now 7-Zip has installed successfully.

Intune Hybrid – Creating compliance setting for iOS device in the ConfigMgr console

In this post, I will be using hybrid Intune with ConfigMgr to create a compliance policy that controls the security settings on iOS devices, in particular iPhones. It will also show the user experience on the iPhone. First I will create the Configuration Item for iOS, then I will add the Configuration Item to a Baseline, and then deploy the Baseline to a collection where my Intune enrolled users are located.

I am using ConfigMgr Current Branch 1610 with an Intune subscription and have an iPhone 6 enrolled.

Right click on Configuration Items and select Create Configuration Item.

Give the configuration item a name first, then under Settings for devices managed without the Configuration Manager client, select iOS and Mac OS X.

I am only using this for iPhones so I have selected iPhone as the platform.

A list of device setting groups is displayed. In this example I have only selected Password. You can select the other groups to view which settings you can control.

In this example, I have set the Minimum password length (characters) to 6. Currently the iPhone has a passcode of 4 characters. I have set the Number of failed logon attempts before device is wiped to 4. I have also set Password complexity to Strong and Number of complex characters required in password to 2.

Now that the configuration item has been created, it needs to be added to a Baseline. Right click on Configuration Baselines and select Create Configuration Baseline.

Give the baseline a name and click on Add, then Configuration Items.

Select the Configuration Item that was created before and click Add.

Now I will deploy the Baseline. Right click the Baseline and select Deploy.

The configuration baseline is already selected. I have selected Remediate noncompliant rules when supported. I have also selected a user collection I would like to deploy the baseline to.

This iPhone originally had a 4 digit passcode. The configuration item I created requires a 6 character passcode length. Because the iPhone is not compliant, a Passcode Requirement prompt appears on the iPhone giving the user 60 minutes to configure the new passcode. Once the user presses Continue, the user is forced to set a 6 character passcode with 2 special characters.

Intune Hybrid with ConfigMgr – Deploying required app to iOS from App Store

This post will show how to deploy a required application to an iPhone (or iOS device) from the App Store (Microsoft Excel) and also create a Mobile Application Management (MAM) Policy as Microsoft Excel requires it. My environment below is ConfigMgr Current Branch 1610 with an Intune subscription.

In the ConfigMgr console, go into Software Library, right click Applications and select Create Application.

Select the type App Package for iOS from App Store. Paste the link of the app from the App Store. In this example, I have pasted the link for Microsoft Excel. You can browse the other apps from https://itunes.apple.com, copy the link and paste it in. Click Next.

You can add the required information here and click Next.

Click Next.

Now we will create our MAM (mobile application management) policy for Microsoft Excel, as it is required before we deploy the application. Right click on Application Management Policies and select Create Application Management Policy.

Select the platform as iOS.

I have left the options as default.

Now we can deploy our Microsoft Excel application we created before. Select the Application, right click and select Deploy.

I will be deploying it to my Intune Users collection.

In my example, I am deploying it as Required. Alternatively you can deploy it as Available and then download it from the Company Portal app.

All other options have been left as default. Now on the Application Management section I have selected the MAM policy I created before. If you didn’t create this MAM policy you will not be able to proceed (for Microsoft Excel, anyway).

Now I am going to initiate a Send Sync Request to my iPhone.

Once the iPhone receives the policy, because it was a required application I deployed, the iPhone is presented with an install prompt and Microsoft Excel begins to install.

Intune Hybrid MDM – Remote Wipe iPhone

This post will show how you can use ConfigMgr (I am using ConfigMgr Current Branch 1610) with an Intune subscription (hybrid MDM) to completely wipe an iPhone if it has been lost or stolen. When doing a full wipe, it will restore the iPhone to its factory settings (removing all company and user data).

In the ConfigMgr console, select the device, right click and select Remote Device Actions, then select Retire/Wipe.

A warning will be displayed where you can either do a selective wipe or a full wipe. In my example, I will be doing a full wipe.

Another warning is displayed.

I will send a sync request from the console to save time (a new feature in ConfigMgr Current Branch 1610).

Once the iPhone has received the sync request, you can see it is now doing a full factory restore, removing all company and user data.

Intune Hybrid MDM – Reset iPhone Passcode from ConfigMgr console

When a device is enrolled with Intune using Hybrid MDM (an iPhone or other iOS device, Android, Windows Phone 8 or Windows Phone 8.1), ConfigMgr provides the ability to reset the passcode. This is very helpful if a user has forgotten their passcode.

This post will show how to clear the iPhone passcode using ConfigMgr Current Branch 1610 with an Intune subscription. When clearing the passcode on an iOS device, the passcode is actually cleared. A temporary passcode is not created.

Select the iPhone in the ConfigMgr console and right click, select Remote Device Actions, then select Reset Passcode.

A warning will be displayed.

One of the nice new features in ConfigMgr Current Branch 1610 in a hybrid deployment is the ability to request a policy sync for a device enrolled with Intune rather than having to do it from the Company Portal. 

Right click on the device, select Remote Device Actions, then select Send Sync Request.

You can see that the Passcode Reset state is set to Pending.

Once the passcode has been reset, you can see that the reset state is Succeeded.

On the iPhone, the passcode that was previously set has now been removed. I would usually need the passcode to unlock my device; now I can unlock it without a passcode and set a new one.

Intune Conditional Access with Exchange Online for Windows PCs – User Experience

This post will show the end user experience when Conditional Access is configured to prevent non-domain joined Windows 7 and Windows 10 PCs from accessing Exchange Online, either from the Outlook client or from OWA web mail. If you would like more information on how to configure Conditional Access for different scenarios, see Use conditional access with Intune and Configuration Manager.

In a ConfigMgr Current Branch 1610 Intune Hybrid environment, I have configured Conditional Access from the ConfigMgr console, which then opens up the Intune admin console.

I have enabled the conditional access policy.

Now on a non-domain joined Windows 7 machine, when trying to access OWA, the user is presented with the “You can’t get there from here” screen.

On the same Windows 7 machine, if a user tries to configure their Exchange Online account in the Outlook application, they will get the same “You can’t get there from here” screen.

This looks the same on Windows 10.

The same screen is shown when accessing OWA on a Windows 10 machine.

What happens if a machine had Outlook configured and working before the Conditional Access policies were put in place? In my testing, when opening the Outlook app, the same screen was displayed when it tried to connect to Exchange Online.

Adding Intune subscription to ConfigMgr for Hybrid MDM

This post will show you how to add an Intune subscription to ConfigMgr for Hybrid MDM and enable enrollment for iOS devices.

To see the benefits of using Intune with ConfigMgr rather than standalone, Microsoft has a good post: Choose between Microsoft Intune standalone and hybrid mobile device management with System Center Configuration Manager.

My current on-prem environment looks like this:

  • ConfigMgr Current Branch version 1606.
  • User collection created with users whose devices can be enrolled
  • Custom domain added and verified in the Office 365 admin portal
  • Azure AD Connect set up to synchronize my user accounts to Azure AD. Steps to set this up are here
  • Intune subscription (You can get a 30 day trial subscription here)

The first step to add the Intune subscription is to go into Cloud Services, then right click Microsoft Intune Subscriptions and select Add Microsoft Intune Subscription.

Have a read of the Getting Started and click Next.

Sign in with your Intune account.

Have a read and if you agree, click the checkbox. Note that you can’t change this back unless you contact Microsoft Support.

Enter your Intune username and password.

Once you’re signed in, click on Next.

Select the user collection containing the users whose devices can be enrolled. You can configure your company name and any other settings you like, then click Next.

Fill in any other information you would like and click Next.

Specify a company logo if you like and click Next.

Select the user that you would like to be the Device Enrollment Manager. You can see more info here.

If you would like to use MFA, select the enable checkbox and click Next.

Confirm your settings and click Next.

Once it’s finished, click Close. You can view Cloudusersync.log to make sure the role was set up successfully and look out for any errors.
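
Checking Cloudusersync.log by hand is tedious because it is written in CMTrace format. The PowerShell below is an added example (not code from the original post or from ConfigMgr): it parses any CMTrace-style log and returns only the warning and error entries. The log path at the bottom is the assumed default site server location; change it to match your installation.

```powershell
# Added example, not code from the original post: parse a CMTrace-format ConfigMgr
# log such as Cloudusersync.log and return only the warning and error entries.
# CMTrace entries look like:
#   <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="3" ...>
# where type 1 = informational, 2 = warning, 3 = error.

# Pull one attribute value (e.g. type="3") out of the attribute string of an entry.
function Get-CMTraceAttribute {
    param([string] $Attrs, [string] $Name)
    if ($Attrs -match ('{0}="([^"]*)"' -f [regex]::Escape($Name))) { $Matches[1] } else { '' }
}

function Get-CMTraceEntry {
    param(
        [Parameter(Mandatory)] [string] $LogPath,
        [int[]] $Types = @(2, 3)   # 1 = Info, 2 = Warning, 3 = Error
    )
    $severity = @{ 1 = 'Info'; 2 = 'Warning'; 3 = 'Error' }
    # Singleline so that multi-line messages inside <![LOG[...]LOG]!> still match.
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><(?<attrs>[^>]*)>'
    $raw = Get-Content -Path $LogPath -Raw
    foreach ($m in [regex]::Matches($raw, $pattern, 'Singleline')) {
        $attrs    = $m.Groups['attrs'].Value
        $typeText = Get-CMTraceAttribute -Attrs $attrs -Name 'type'
        # Entries with a missing or malformed type are treated as type 0 and skipped.
        $type = if ($typeText -match '^\d+$') { [int]$typeText } else { 0 }
        if ($Types -notcontains $type) { continue }
        [pscustomobject]@{
            Date      = Get-CMTraceAttribute -Attrs $attrs -Name 'date'
            Time      = Get-CMTraceAttribute -Attrs $attrs -Name 'time'
            Component = Get-CMTraceAttribute -Attrs $attrs -Name 'component'
            Severity  = $severity[$type]
            Message   = $m.Groups['msg'].Value.Trim()
        }
    }
}

# Assumed default log location on the site server; adjust for your installation.
$log = 'C:\Program Files\Microsoft Configuration Manager\Logs\Cloudusersync.log'
Get-CMTraceEntry -LogPath $log | Format-Table -AutoSize
```

An empty result means the log contains no warning or error entries; pass `-Types 1,2,3` to list everything.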

Next we will create the APNs certificate request. The Apple Push Notification service (APNs) certificate is used to establish a trust relationship between the management service, Intune, and enrolled iOS mobile devices.

Next we will log in to the APNs certificate portal with an Apple ID. The link is here.

Click on Create Certificate.

Click Accept if you accept the terms and conditions.

Upload the certificate request you created earlier.

Now download the certificate.

Now we will configure the iOS platform.

Click Enable, browse to the certificate you downloaded before and click OK.

ConfigMgr Intune enrolled device – send sync request

One of the new features of the recently released 1610 update for ConfigMgr current branch is the ability for an admin to initiate a policy sync from the ConfigMgr console for an Intune enrolled device. Previously this had to be done from the Company Portal on the device.

This can be done by right clicking on the device, in my example an enrolled iPhone, clicking on Remote Device Actions, then Send Sync Request.