Category Archives: intune

Tip – Using Azure AD Monitoring to track Conditional Access failures

If you want an overview of the devices in your environment that have been blocked from accessing cloud resources by Conditional Access, you can use the Sign-ins view under Monitoring in Azure AD. With this simple feature you can see the user name, the application the user signed in with, the operating system, and the actual Conditional Access policy that blocked the user from accessing the cloud resource.

This post will show how you can use Azure AD Monitoring to find devices that failed to satisfy a Conditional Access policy. In my example I have a simple Conditional Access policy for iOS devices that requires the device to be compliant before it can access Exchange Online. I will test access to Exchange Online using the Outlook mobile app on an iOS device that is not enrolled in Intune.

In either https://devicemanagement.microsoft.com/ or https://portal.azure.com, go to Azure Active Directory and you will see a section called Monitoring. Under Monitoring, you will see Sign-ins.

If you click on Sign-ins, you can then use the drop downs and buttons to view specific information. For example, if you click on Columns you can choose to hide or show certain columns to get the information that you need.

Columns


In the example below I have clicked the drop-down under Conditional Access and selected Failure so I can see the sign-ins that were blocked for not meeting a Conditional Access policy. In the screenshot below you can see there is an iOS device that used the Outlook mobile app with a Conditional Access failure. Note that the Sign-ins view only goes back as far as your tenant's retention (7 days on Azure AD Free, 30 days on Premium P1/P2), so export or forward the logs if you need to track failures over a longer period.

CAPolicy


If you select the entry, you can view more information about the sign-in, including Username, Application and Client App, and by clicking on the Conditional Access tab you can see the name of the Conditional Access policy it failed against.

In the example below you can see that I have a Conditional Access policy called “Exchange Online iOS Managed Only Devices” with the Grant control of “require compliant device” and that my device failed against this Conditional Access policy.

CADetails
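The same filtering can be done offline over an export of the sign-in log, which is handy when you want to see which policies block most often rather than one entry at a time. The PowerShell below is an added example and not code from the original post. The records use the Microsoft Graph signIn schema, which is what the JSON download from the Sign-ins blade and GET /auditLogs/signIns both return; the two records embedded here are constructed, with the policy name taken from the screenshots above.

```powershell
# Added example, not from the original post. Summarises Conditional Access
# failures from sign-in records in the Microsoft Graph signIn schema.
# The sample records at the bottom are constructed for illustration.

function Get-CAFailure {
    [CmdletBinding()]
    param(
        # One sign-in record, e.g. from ConvertFrom-Json on a portal export.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$SignIn
    )
    process {
        # 'failure' means a policy blocked the sign-in; 'notApplied' and
        # report-only evaluations are not blocks and are skipped here.
        if ($SignIn.conditionalAccessStatus -ne 'failure') { return }

        # Several policies may have been evaluated; only those whose own
        # result is 'failure' actually caused the block.
        foreach ($p in @($SignIn.appliedConditionalAccessPolicies | Where-Object result -eq 'failure')) {
            [pscustomobject]@{
                Time          = $SignIn.createdDateTime
                User          = $SignIn.userPrincipalName
                Application   = $SignIn.appDisplayName
                ClientApp     = $SignIn.clientAppUsed
                OS            = $SignIn.deviceDetail.operatingSystem
                Compliant     = $SignIn.deviceDetail.isCompliant
                Policy        = $p.displayName
                GrantControls = ($p.enforcedGrantControls -join ', ')
            }
        }
    }
}

# Constructed sample: one blocked Outlook sign-in from an unmanaged iOS device,
# then a successful one from a compliant device.
$sample = @'
[
  {
    "createdDateTime": "2019-02-12T08:41:10Z",
    "userPrincipalName": "test.user@contoso.com",
    "appDisplayName": "Outlook Mobile",
    "clientAppUsed": "Mobile Apps and Desktop clients",
    "conditionalAccessStatus": "failure",
    "deviceDetail": { "operatingSystem": "Ios", "isCompliant": false, "isManaged": false },
    "appliedConditionalAccessPolicies": [
      { "displayName": "Exchange Online iOS Managed Only Devices",
        "result": "failure", "enforcedGrantControls": [ "RequireCompliantDevice" ] }
    ]
  },
  {
    "createdDateTime": "2019-02-12T08:45:02Z",
    "userPrincipalName": "test.user@contoso.com",
    "appDisplayName": "Outlook Mobile",
    "clientAppUsed": "Mobile Apps and Desktop clients",
    "conditionalAccessStatus": "success",
    "deviceDetail": { "operatingSystem": "Ios", "isCompliant": true, "isManaged": true },
    "appliedConditionalAccessPolicies": [
      { "displayName": "Exchange Online iOS Managed Only Devices",
        "result": "success", "enforcedGrantControls": [ "RequireCompliantDevice" ] }
    ]
  }
]
'@

# Live data instead of an export (needs a token with AuditLog.Read.All and Directory.Read.All):
# $uri = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=conditionalAccessStatus eq 'failure'"
# $records = (Invoke-RestMethod -Uri $uri -Headers @{ Authorization = "Bearer $token" }).value

$records  = ConvertFrom-Json $sample
$failures = $records | Get-CAFailure
$failures | Format-Table -AutoSize

# Which policy blocks most, and from which platforms: worth knowing before tightening a policy.
$failures | Group-Object Policy, OS | Select-Object Count, Name
```

Assigning the parsed JSON to a variable before piping it matters in Windows PowerShell 5.1, where ConvertFrom-Json emits an array as a single object if you pipe straight from it.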


Conditional access – third party apps

This post will show how you can add a third-party app that supports SAML to Azure AD, and then create a Conditional Access policy so that only compliant devices can access the third-party cloud resource.

In my example I have signed up for a GoToMeeting trial. I will add the GoToMeeting app to Azure AD and configure the single sign-on options to use SAML, and then on the GoToMeeting side I will configure Azure AD as the Identity Provider. Once this is set up, I will create a Conditional Access policy that requires devices to be compliant in order to access GoToMeeting. When logging in to GoToMeeting with a work account, GoToMeeting will redirect me to sign in through Azure AD, and that is where the Conditional Access policy kicks in.

Always test Conditional Access with test users, and plan thoroughly for any changes in a Production environment. Keep in mind that Conditional Access only governs the sign-in that goes through Azure AD: if the application still accepts its own local passwords alongside SSO, a user can sign in with those and the policy never runs, so make sure SSO is enforced on the application side as well. The information below is for testing purposes.

Recommended reading:

Single Sign-On SAML protocol
https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol

Single sign-on to applications in Azure Active Directory
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-single-sign-on

Tutorial: Azure Active Directory integration with GoToMeeting
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/citrix-gotomeeting-tutorial

What is conditional access in Azure Active Directory?
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

Tutorial: Configure GoToMeeting for automatic user provisioning
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/citrixgotomeeting-provisioning-tutorial

In Azure Active Directory, go to Enterprise applications then click on New application.

01

Search for the application. Note that it says it supports SAML based sign-on for the Single Sign-On Mode. Click on Add.

02

Once the application has been added, I will give access to my test users by clicking on Users and groups, and then Add user.

011

Now I will configure SAML as the single sign-on mode. Click on Single sign-on on the left hand side, then select SAML.

04

For the Identifier (Entity ID) I have put https://authentication.logmeininc.com/saml/sp, for the Reply URL (Assertion Consumer Service URL) https://authentication.logmeininc.com/saml/acs, and for the Relay State https://global.gotomeeting.com.

05.jpg

Now I am going to download the Federation Metadata XML and upload it to the GoToMeeting site.

06

Logging in with my admin account at https://organization.logmeininc.com/, in the Identity provider section I have selected Upload SAML metadata file. The metadata contains the Azure AD endpoints and signing certificate, and uploading it configures Azure AD as the identity provider.

07

Now with a user I will login to https://www.gotomeeting.com/meeting/sign-in and select My Company ID so it can redirect me to my identity provider (Azure AD)

08

As expected, it has redirected me to Azure AD. I can confirm that the SAML single sign-on mode has been configured successfully.

09

Next I will add the conditional access policy.

10

For the Cloud apps, you can see that GoToMeeting now appears because we added it earlier. I will select this as the Cloud app.

11

I will configure it to apply to all device platforms.

12

I have configured it to apply to Browser, and mobile apps etc.

13

In this test example, I have configured it to require only Intune enrolled compliant devices to access GoToMeeting.

14
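The policy built through the blades above can also be expressed as a Microsoft Graph conditionalAccessPolicy body, which is easier to review and keep in source control than a series of screenshots. The following is an added example, not anything from the original post or from GoToMeeting. $token is assumed to be a bearer token with Policy.ReadWrite.ConditionalAccess and Application.Read.All, $appId is a placeholder for the application (client) ID of the GoToMeeting service principal, and $breakGlassId is a placeholder for an emergency-access account. The policy is created in report-only state, which is the safest way to follow the "test with test users" advice earlier in this post: evaluations show up in the Sign-ins log without blocking anyone.

```powershell
# Added example, not from the original post. Builds the Conditional Access
# policy from the screenshots as a Microsoft Graph conditionalAccessPolicy
# and creates it in report-only state.
# Assumptions: $token is a bearer token with Policy.ReadWrite.ConditionalAccess
# and Application.Read.All; $appId is the application (client) ID of the
# GoToMeeting service principal; $breakGlassId is an emergency-access user.

$appId        = '00000000-0000-0000-0000-000000000000'   # placeholder
$breakGlassId = '11111111-1111-1111-1111-111111111111'   # placeholder

$policy = @{
    displayName = 'GoToMeeting - require compliant device'
    # Report-only: evaluated and logged in Sign-ins, nothing is blocked.
    # Change to 'enabled' once the log shows only the failures you expect.
    state = 'enabledForReportingButNotEnforced'
    conditions = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassId)   # never lock out the break-glass account
        }
        applications   = @{ includeApplications = @($appId) }   # the SAML enterprise app
        platforms      = @{ includePlatforms = @('all') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')
    }
}

# Default -Depth is 2, which would flatten the nested conditions.
$body = $policy | ConvertTo-Json -Depth 6

# Review the JSON before sending it.
$body

$result = Invoke-RestMethod -Method Post `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Headers @{ Authorization = "Bearer $token" } `
    -ContentType 'application/json' `
    -Body $body

"Created policy $($result.id) in state $($result.state)"
```

To move it to enforcement later, PATCH the same policy's id with a body of { "state": "enabled" }; keep the break-glass exclusion in place when you do.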

Now let's log in to https://www.gotomeeting.com/meeting/sign-in with the My Company ID

08

It will redirect us to Azure AD as we configured Azure AD as the identity provider earlier (and the domain used in my UPN was also added and confirmed in GoToMeeting)

15

Now, because my device is not enrolled in Intune, I am blocked from accessing GoToMeeting as expected. The attempt also appears in the Azure AD Sign-ins log as a Conditional Access failure against this policy.

16

I have installed the GoToMeeting app on an Android phone, and it is the same expected user experience.

IMG_1295

On an Intune enrolled compliant device I can log in fine as expected (or you can launch the app from myapps.microsoft.com).

17

How can I view information, errors and warnings about my Intune tenant?

Intune now has a new Tenant Status section. This new section will give you information about your Intune tenant such as

  • Tenant Name
  • MDM Authority
  • Tenant Location
  • Service Release (the Intune build, this is handy to see if the latest Intune build has been released to your tenant)
  • Total Licensed Users
  • Total Intune Licenses
  • Total Enrolled Devices

You can also view the Connector Status, which shows the last sync date of connectors such as Windows Autopilot and the Windows Store for Business, among others.

Intune Service Health is also on the Tenant Status page; this will let you know of any issues or active incidents.

Intune News is also there. This includes categories like Stay Informed, where you can see what's new in the latest builds of Intune, and Prevent or Fix Issues, where you can view known and resolved issues.

For more information see https://docs.microsoft.com/en-us/intune/tenant-status#intune-service-health

To get to the Tenant Status screen to view information about your Intune Tenant, you will find it in https://portal.azure.com , under Intune, then Tenant Status. Here is what it looks like:

intunetenantstatus

Prevent Personal Windows 10 devices from enrolling into Intune

This post will show how you can easily configure Enrollment Restrictions in Intune to prevent personal Windows 10 devices from enrolling into Intune. It will also show which enrollment methods Intune treats as corporate, and the end user experience when a user with a personal device tries to enroll.

The Intune enrollment restrictions support the following platforms:

  • Android
  • Android work profile
  • iOS
  • macOS
  • Windows

However this post will focus on Windows 10.

Further reading: Set enrollment restrictions https://docs.microsoft.com/en-us/intune/enrollment-restrictions-set

Intune treats the following Windows enrollment methods as corporate, so they remain allowed when personal enrollment is blocked:

  • The enrolling user is using a device enrollment manager account.
  • The device enrolls through Windows Autopilot.
  • The device is registered with Windows Autopilot and enrolls by any route other than the MDM-only option in Windows Settings.
  • The device’s IMEI number is listed in Device enrollment > Corporate device identifiers. (Not supported for Windows Phone 8.1.)
  • The device enrolls through a bulk provisioning package.
  • The device enrolls through automatic enrollment from SCCM for co-management.

These enrollment methods will also be blocked, because without an Autopilot registration Intune cannot tell that the device is corporate:

  • Automatic MDM enrollment with Azure Active Directory join during Windows setup (unless registered with Autopilot)
  • Automatic MDM enrollment with Azure Active Directory join from Windows Settings (unless registered with Autopilot)

These personal enrollment methods will be blocked:

  • Automatic MDM enrollment with Add Work Account from Windows Settings.
  • MDM enrollment only option from Windows Settings.

How to block the enrollments that aren’t authorized corporate devices:

To block the enrollment of personal Windows devices, in https://portal.azure.com or https://devicemanagement.microsoft.com select Intune, Device Enrollment, Enrollment restrictions, then Create restriction (you can modify the Default restriction if you like, but be careful, as it targets all users).

enrollrestrictions01

Give it a name, and select Device Type Restriction, then click select platforms. In my example I have allowed all platforms then clicked OK.

enrollrestrictions02

Click on Configure platforms. Now for Windows (MDM) I am going to block personal enrollments then click OK.

enrollrestrictions14

 

It now needs to be assigned to a group. Enrollment restrictions are assigned to user groups (the restriction follows the user doing the enrolling, not the device), and when more than one restriction applies to a user the one with the higher priority wins, so check the priority order as well as the assignment.

enrollrestrictions03.jpg

So what happens if I try to enroll a personal Windows 10 device?

  • Automatic MDM enrollment with Azure Active Directory join during Windows setup (unless registered with Autopilot)

enrollrestrictions04enrollrestrictions05

  • Automatic MDM enrollment with Azure Active Directory join from Windows Settings (unless registered with Autopilot)

enrollrestrictions06enrollrestrictions07

  • Automatic MDM enrollment with Add Work Account from Windows Settings

enrollrestrictions08enrollrestrictions09

  • MDM enrollment only option from Windows Settings.

enrollrestrictions10enrollrestrictions11

You can also view the errors in the Enrollment Status page under Device Enrollment. If I click on the Windows data I can see the enrollment failures, which say Enrollment restrictions not met.

enrollrestrictions12

enrollrestrictions13
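Enrollment restrictions affect new enrollments only; a personal Windows device that enrolled before the restriction was assigned stays enrolled. The following added example, which is not from the original post, lists those devices from Microsoft Graph so you can decide what to do with them. $token is assumed to be a bearer token with DeviceManagementManagedDevices.Read.All; the ownership filter is applied client-side, so the example does not depend on server-side $filter support for that property, and it follows @odata.nextLink so a large tenant is not cut off at the first page.

```powershell
# Added example, not from the original post. Finds Windows devices already in
# Intune whose ownership is 'personal', which a new enrollment restriction
# does not remove. Assumes $token is a bearer token with
# DeviceManagementManagedDevices.Read.All.

function Get-GraphPages {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][string]$Token
    )
    # Follows @odata.nextLink so results are not truncated at one page.
    while ($Uri) {
        $page = Invoke-RestMethod -Uri $Uri -Headers @{ Authorization = "Bearer $Token" }
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

function Select-PersonalWindowsDevice {
    param([Parameter(Mandatory, ValueFromPipeline)][object]$Device)
    process {
        # managedDeviceOwnerType is 'personal' for BYOD enrollments and
        # 'company' for corporate ones; filtered here rather than in $filter.
        if ($Device.operatingSystem -eq 'Windows' -and $Device.managedDeviceOwnerType -eq 'personal') {
            [pscustomobject]@{
                DeviceName     = $Device.deviceName
                User           = $Device.userPrincipalName
                EnrollmentType = $Device.deviceEnrollmentType
                Enrolled       = $Device.enrolledDateTime
                LastSync       = $Device.lastSyncDateTime
                Id             = $Device.id
            }
        }
    }
}

$select = 'id,deviceName,userPrincipalName,operatingSystem,managedDeviceOwnerType,deviceEnrollmentType,enrolledDateTime,lastSyncDateTime'
$uri    = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$select=$select"

$personal = Get-GraphPages -Uri $uri -Token $token | Select-PersonalWindowsDevice
$personal | Sort-Object Enrolled | Format-Table -AutoSize

# Each device listed needs a decision: retire it
# (POST /deviceManagement/managedDevices/{id}/retire) or change its ownership
# to corporate in the portal. The restriction alone changes nothing for them.
```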

Customizing Windows 10 – Office 365 using Intune Administrative Templates

Microsoft recently released a preview of the Administrative Templates for Windows 10 in Intune. These Administrative Templates can be found in the Windows 10 Device Configuration profiles. In addition to Office settings, you can also customize Internet Explorer, OneDrive, and other Windows settings.

This post will show how we can easily change some Office 2016 settings on a Windows 10 machine with Office 365 installed that is Intune enrolled and Azure AD joined. I will set some example settings, but feel free to check out any other settings that may interest you.

To configure the Administrative Templates, in the Intune portal (portal.azure.com) go into the Intune section, then go to Device configuration, profiles, Create profile.

o365_admintemplates_01

Give the profile a meaningful name, and select Windows 10 and later for the platform. For the profile type, select Administrative Templates (Preview) then click on Create.

o365_admintemplates_02

Now, in our new Administrative Templates (Preview) device configuration profile, click on Settings to view all of the settings that we can configure. I would suggest going through all of them, as there may be other settings that you want to configure. They will most likely be updated with new settings in the future as well.

In my example I have searched for Office to filter the settings for Microsoft Office.

o365_admintemplates_03

If you click on one of the settings, it will take you to the setting with the description and the option to enable, or disable the setting. For example I have chosen to enable the setting to hide the option to enable or disable updates.

o365_admintemplates_04

I am going to go ahead and enable some other settings. You can see the settings that I have enabled are below.

o365_admintemplates_05

Once the settings are configured, as usual you need to assign the profile to a group. I have chosen to assign this to All Devices in my example.

o365_admintemplates_06

Now on my example Windows 10 machine, which is Intune enrolled and Azure AD joined with Office 365 installed, after a sync you can see in the registry that Enable Automatic Updates is enabled, Hide option to enable or disable updates is enabled, and the update branch is set to Current, as per my settings in the Administrative Templates.

o365_admintemplates_07

As a result of the registry values above, the option to Disable Updates has been removed from Office's Update Options as well.

o365_admintemplates_08
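Checking the registry by hand on one machine is fine for a demo; on a fleet you want the check scripted so it can run as a detection or compliance script. The following added example is not from the original post. It reads back the three values shown in the screenshots from the Office 2016 click-to-run policy key (the key the Office ADMX writes to) and reports any mismatch; the expected values are the ones configured in this post, and -Path is a parameter so the function can be pointed at a test key.

```powershell
# Added example, not from the original post. Reads back the Office update
# policy values that the Administrative Template writes and reports mismatches.
# The default key path is the one the Office 2016 ADMX uses.

function Test-OfficeUpdatePolicy {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate',
        [hashtable]$Expected = @{
            enableautomaticupdates   = 1          # Enable Automatic Updates = Enabled
            hideenabledisableupdates = 1          # Hide option to enable or disable updates = Enabled
            updatebranch             = 'Current'  # Update Channel = Current
        }
    )

    if (-not (Test-Path $Path)) {
        # No key at all means the profile has not applied yet (or no sync).
        Write-Warning "Policy key $Path not present; the device has not received the profile."
        return [pscustomobject]@{ Setting = '(key missing)'; Expected = $null; Actual = $null; Match = $false }
    }

    $props = Get-ItemProperty -Path $Path
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $actual = $props.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            # String compare so a DWORD 1 and an expected 1 match regardless of type.
            Match    = ("$actual" -eq "$($Expected[$name])")
        }
    }
}

$results = Test-OfficeUpdatePolicy
$results | Format-Table -AutoSize

# When saved as a script, a non-zero exit code makes this usable as an Intune
# detection or compliance check (exit would close an interactive console).
if ($results | Where-Object { -not $_.Match }) { exit 1 } else { exit 0 }
```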


Intune – Win32 app Deploying BGInfo

Microsoft released a preview back in October 2018 for deploying Win32 applications through Intune. I wanted to deploy BGInfo to some Windows 10 machines that were enrolled in Intune and joined to Azure AD with a simple method, so I chose to try out the Win32 apps preview in Intune. It turned out to be really easy, and got the job done.

This post will show using the Intune Win32 App Packaging Tool to package up my required files into an .intunewin file, and then in Intune I will run a very basic PowerShell file that will:

  • Copy the BGInfo files (x64 version and config file) to C:\Program Files\BGInfo
  • Copy a shortcut for BGInfo to the StartUp folder so it can start up each time Windows runs
  • Run the BGInfo executable after it has copied everything

Prerequisites for Win32 Apps public preview

  • Windows 10 version 1607 or later (Enterprise, Pro, and Education versions)
  • Windows 10 client needs to be:
    • joined to Azure Active Directory (AAD) or Hybrid Azure Active Directory, and
    • enrolled in Intune (MDM-managed)
  • Windows application size is capped at 8 GB per app in the public preview

My install.ps1 is very simple and contains:

# Everything ships in the .intunewin package next to this script, so paths are relative to $PSScriptRoot.
New-Item -ItemType Directory -Force -Path "C:\Program Files\BGInfo" | Out-Null

Copy-Item -Path "$PSScriptRoot\bginfo64.exe" -Destination "C:\Program Files\BGInfo\bginfo64.exe"
Copy-Item -Path "$PSScriptRoot\custom.bgi"   -Destination "C:\Program Files\BGInfo\custom.bgi"
Copy-Item -Path "$PSScriptRoot\bginfo.lnk"   -Destination "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\bginfo.lnk"

# With the app's install behaviour set to System this runs as SYSTEM in session 0, so it
# does not repaint the logged-on user's desktop; the StartUp shortcut is what renders
# BGInfo for the user at next logon.
Start-Process "C:\Program Files\BGInfo\Bginfo64.exe" -ArgumentList "`"C:\Program Files\BGInfo\custom.bgi`"", "/timer:0", "/silent", "/nolicprompt"

Return 0

I have downloaded the Win32 packaging tool from https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool and saved it to my C:\Intune

I have a folder called C:\bginfo that contains my BGinfo files:

  • Bginfo.lnk – This is the BGInfo shortcut that will be copied to the StartUp folder, with the target "C:\Program Files\BGInfo\Bginfo64.exe" "C:\Program Files\BGInfo\custom.bgi" /timer:0 /silent /nolicprompt
  • Bginfo64.exe – the executable to run BGInfo
  • custom.bgi – this is just my BGInfo configuration
  • install.ps1 – this contains the commands for copying the files and is mentioned above

win32_1

IntuneWinAppUtil.exe is very easy to run: it prompts you for the source folder (the folder above with my BGInfo files and PowerShell script), the setup file (Bginfo64.exe), and the output folder where it will place the .intunewin file to upload to Intune.

win32_2

Once done, it will output the .intunewin file to upload to Intune to deploy.

win32_3

To create the Win32 app in Intune, log in to https://portal.azure.com and select Intune > Client Apps > Add

win32_4

Select Windows app (Win32) – preview for the App type, and browse to the .intunewin package that was created earlier.

win32_5

Fill in the required information.

win32_6

For my install command, I have entered in “powershell.exe -executionpolicy Bypass .\install.ps1”

The uninstall command is required as well. I have used the same command, which won't actually uninstall anything, but I am not concerned about that for this test.

win32_7
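If you would rather have an uninstall command that works, the script below reverses what install.ps1 does, so the uninstall command can be "powershell.exe -executionpolicy Bypass .\uninstall.ps1" with the file added to the same package. This is an added example and not part of the original post; it assumes the paths used in install.ps1 above and a detection rule that looks for Bginfo64.exe.

```powershell
# Added example, not from the original post: uninstall.ps1 that reverses install.ps1.
# Assumes the install paths used in install.ps1 above.

$installDir = 'C:\Program Files\BGInfo'
$shortcut   = 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\bginfo.lnk'

# BGInfo normally exits after painting the wallpaper, but stop any copy that is
# still running so the executable can be deleted.
Get-Process -Name 'Bginfo64' -ErrorAction SilentlyContinue | Stop-Process -Force

if (Test-Path $shortcut)   { Remove-Item -Path $shortcut -Force }
if (Test-Path $installDir) { Remove-Item -Path $installDir -Recurse -Force }

# The detection rule looks for Bginfo64.exe, so verify the opposite here: a
# delete that failed should report as a failed uninstall, not a silent success.
if (Test-Path (Join-Path $installDir 'Bginfo64.exe')) {
    Write-Error "Bginfo64.exe still present under $installDir"
    exit 1
}

exit 0
```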

Fill in the requirements.

win32_8

I have used a detection rule to search for the file Bginfo64.exe in C:\Program Files\BGInfo

win32_9

Once you finish all the steps, the app needs to upload.

win32_10

You can now assign the app.

win32_11

Once the Windows 10 device (Azure AD joined and enrolled in Intune) syncs, the app will install.

win32_12

For troubleshooting, you can check the following log – C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log

win32_13

Demo of a new machine using Autopilot with the Win32 app deployed.

AutoPilot

Thanks to Steve Hosking for pointing out to me that I could use PowerShell instead of a cmd file.

Intune – Windows Information Protection without enrollment

This post will show how you can use the Office 365 suite of apps deployed to a Windows 10 Pro 1709 device (with an EMS E3 license assigned), to enroll the device into MAM. This involves deploying a Windows Information Protection policy in Intune using the “without enrollment” setting, which means the device is not enrolled into Intune.

Suggested reading:
Protect your enterprise data using Windows Information Protection (WIP)
Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune

Make sure the MAM user scope is configured: in https://portal.azure.com go to Azure Active Directory > Mobility (MDM and MAM), then Microsoft Intune.

wipmam01

I have an Azure AD group called Intune and an Azure AD group called MAM enrollment. The user I will be using in this demonstration is a member of the MAM enrollment group.

A caution from Microsoft “If both MAM user scope and automatic MDM enrollment (MDM user scope) are enabled for a group, only MAM is enabled. Only MAM is added for users in that group when they workplace join personal device. Devices are not automatically MDM enrolled.”

wipmam02

Now I'll create the MAM/Windows Information Protection policy. In Intune > Mobile apps > App protection policies, select Add a policy

wipmam03

Give the policy a name and description, select Windows 10 for the platform, and select without enrollment for the enrollment state. Click on Add apps.

wipmam04

I’ll be adding some apps to allow them to access my corporate data.

wipmam05

After clicking OK on the section above, I will add some more apps such as Outlook and Word. For the publisher, make sure you specify “O=Microsoft Corporation, L=Redmond, S=Washington, C=US”

wipmam06

For now, I will skip the Exempt apps. On the required settings, in this demonstration I will select the Block setting, which will prevent users from moving data from an allowed app into a non-allowed app.

wipmam07

In the advanced settings I will rename the Cloud resources entry to Office 365 and add OneDrive and Office 365 email to the list. In the example I have added <domain>-my.sharepoint.com for OneDrive and outlook.office365.com for Exchange Online, separated by a |. So my full list is <domain>-my.sharepoint.com|<domain>.sharepoint.com|outlook.office365.com. Anything a protected app reads from a resource in this list is treated as work data, and resources you leave out are treated as personal, so this list defines the boundary of what WIP protects.

wipmam08

Click on Create, then assign the policy to a group.

wipmam10

Once the policy has been assigned to a group, on a Windows 10 1709 Pro machine with Office 365 installed, adding an account to a Microsoft Office product such as Word will prompt you to sign in. This is where the device gets registered in Azure AD and enrolled into MAM.

Click Sign in

wipmam11

Type in the account that is a member of the group that has the MAM enrollment enabled, and also a member of the group which had the WIP policy assigned

wipmam12

Enter in the password and click Sign in

wipmam13

Make sure you say Yes here. This is where it will register the device in Azure AD, and also enroll it into MAM.

wipmam14wipmam15wipmam16

From the above steps, in the Azure portal, we can see the device now in Azure AD as Azure AD Registered.

wipmam17

Also, on the Windows 10 device you can go to Settings > Accounts > Access work or school, and you should see your Azure AD account there. Select it and click Info. You can see from the Management Server Address that it's enrolled into MAM now.

wipmam20
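The same state can be confirmed from the command line with dsregcmd /status, which is easier to script across several test machines than the Settings page. The PowerShell below is an added example, not from the original post: it parses the "Name : Value" lines of dsregcmd output and reports whether the device is Azure AD registered (WorkplaceJoined, which is what the flow above produces) as opposed to Azure AD joined. The sample output embedded here is constructed and trimmed; real output has many more fields and varies by Windows build.

```powershell
# Added example, not from the original post. Parses "dsregcmd /status" into a
# hashtable and reports the join state. The sample output below is constructed.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Fields look like "           WorkplaceJoined : YES"; the +---+ and | banner
        # lines and blank lines do not match and are skipped.
        if ($line -match '^\s*([^:|+]+?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

function Get-DeviceJoinState {
    param([Parameter(Mandatory)][hashtable]$State)
    [pscustomobject]@{
        AzureAdJoined     = ($State['AzureAdJoined']   -eq 'YES')
        DomainJoined      = ($State['DomainJoined']    -eq 'YES')
        AzureAdRegistered = ($State['WorkplaceJoined'] -eq 'YES')   # Azure AD registered
    }
}

# On a live device:  $lines = dsregcmd /status
# Constructed sample standing in for a device registered by the Office sign-in above:
$sampleLines = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : YES
             WamDefaultSet : YES
'@ -split "`r?`n"

$join = Get-DeviceJoinState -State (ConvertFrom-DsregStatus -Lines $sampleLines)
$join

if ($join.AzureAdRegistered -and -not $join.AzureAdJoined) {
    'Device is Azure AD registered only: this is the WIP-without-enrollment (MAM) case.'
}
```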

Earlier in the policy I set Microsoft Word to be a protected app to access enterprise data. In this demonstration I will save some corporate data, and click the drop down near File name and select Work.

wipmam18

Now if I try and copy and paste text out of the protected document into a non protected app such as Notepad running in personal context, I get the message “Can’t use content here. Your organization doesn’t allow you to use work content here”. This is because I set the Windows Information Protection Mode to Block in the WIP policy above.

wipmam19

What happens if the device is unenrolled from MAM? The encryption key is revoked (the policy's Revoke encryption keys on unenroll setting is on by default), so you will get this message when opening a Work protected document:

wipmam21