Now we can use Power BI together with the Microsoft Intune Data Warehouse to build reports for the entire organization and get a view of Intune analytics and status. Power BI being a very capable platform for data gathering and analysis, the Intune Data Warehouse can help in analyzing Microsoft Intune statistics and providing us with overall metrics.
When we look into Get Data in the Power BI Desktop version, we see the option Intune Data Warehouse Beta Preview connector. Once authenticated with the account, we can select this connector.
At the time of writing this blog, we could see that this connector is integrated with a third-party service and is still progressing toward a fully mature version, so we can expect more improvements in the future.
As of now, we have an option to pull up to 60 days of data.
Once connected, we can see there are 48 datasets that can be helpful in building the required reports and the dashboard for Microsoft Intune.
Here, just as an example, I have loaded a few datasets that might be helpful for us in creating reports for Intune statistics.
For instance, we could measure how many users are Intune licensed, how many devices are jailbroken or Azure AD registered, the trend of OS versions being enrolled in Intune, and even the extent to which MAM is being enforced on devices.
Once the data is segregated and the report is created, we can go ahead and publish it to the workspace.
On a successful operation we get the message below. There is an option to create a portrait view of the report, which is compatible with mobile phones.
We could publish this report to a dashboard and share it with users, which can provide insights into the enterprise mobile environment.
Finally, below is a sample overview of the shared dashboard view.
There are a lot of benefits in using the Data Warehouse when compared to the Azure portal. The Data Warehouse is like accessing the raw data from the backend: the delta is refreshed daily and we have the option to pull historical Intune data.
One important point to note here is that the Intune Data Warehouse only contains Intune data. If co-management is used, additional steps are required to retrieve the data from Configuration Manager.
Power BI Desktop is used to create the reports, and this can be done with the free version of Power BI. A Power BI Pro license is required for publishing the reports and sharing them for collaboration.
Microsoft Teams has become the most widely adopted collaboration platform in the space of a few months. It has been helping a ton worldwide, and the new features that are released every now and then keep us connected and expand the efficiency of every organization using them.
By default, Microsoft Certified Room Systems are forward compatible with the new Skype for Business or Teams services while maintaining the same client user experience. Usually, when an organization has only Skype, these meeting rooms will have only the Skype option enabled on them.
In this article we will look at how to enable the existing Skype Room Systems to host Teams meetings.
Below is an example screen of a Skype Room System panel, showing the options available for the supported meeting mode when configuring the device at the initial stage.
These devices basically run in kiosk mode on recommended versions of Windows 10; the currently supported one is 1909 at the time of writing this blog.
Ideally, when a Skype Room System account has been migrated to Teams with all the prerequisites, this mode on the meeting room devices needs to be changed to support both Skype for Business and Microsoft Teams.
This can be done by using the local admin credentials of the Skype Room System, logging into the system context and changing the mode to support both Teams and Skype. In a real scenario, for a small-scale deployment of fewer than 10 rooms, changing them manually through local IT support is possible. But in a huge deployment with 100-plus systems across the globe, changing them manually is an uncomfortable experience.
This supported meeting mode on the Skype Room Systems is controlled via an XML file present in the location below. This location is standard for all meeting rooms running in kiosk mode, and the file is named SkypeSettings.xml.
At startup these devices look for this XML file named SkypeSettings.xml in the above location. If found, the device applies the configuration settings indicated by the XML file and then deletes it. The best thing is that we can specify only the changes we require in the XML file; the device applies the delta and keeps the other settings the same.
In order to enable Teams and Skype, with Teams as the default client, we can use the XML below.
Now this XML can be easily pushed to all the Skype Room Systems via an Intune script profile.
Below are the prerequisites before performing this action:
The Skype Room System accounts must have the Teams license assigned to them. This offers an easy migration path from Skype for Business to Teams by just enabling Teams on the device.
The Skype Room Systems must be registered in Microsoft Intune in order to target this Intune script profile to them.
Log in to Microsoft Intune, navigate to Device Configuration and create the script as below. Ensure the script settings have all the default values. Target it to the meeting room devices that require this change.
Copy the script below, save it as a .ps1 file and upload it on the script settings page.
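As an added illustration of the kind of script this step uploads (this is not the blog's own script), the PowerShell below writes a SkypeSettings.xml that enables both Skype for Business and Teams meetings and makes Teams the default client, writing only the delta so every other room setting is left alone. The element names TeamsMeetingsEnabled, SfbMeetingEnabled and IsTeamsDefaultClient are taken from Microsoft's documented Teams Rooms XML schema and should be verified against the current documentation; $SettingsDir is a placeholder for the LocalState folder of the room app, which this page describes but does not reproduce.

```powershell
# Added example, not the blog's script. Writes SkypeSettings.xml for a Skype Room System.
# $SettingsDir is a PLACEHOLDER: replace it with the room app's LocalState folder on the device.
$SettingsDir  = 'C:\PLACEHOLDER\LocalState'
$SettingsFile = Join-Path -Path $SettingsDir -ChildPath 'SkypeSettings.xml'

# Only the settings being changed are listed; the device keeps all other settings.
# Element names follow Microsoft's documented schema (assumption: verify against current docs).
$xml = @"
<SkypeSettings>
  <SfbMeetingEnabled>true</SfbMeetingEnabled>
  <TeamsMeetingsEnabled>true</TeamsMeetingsEnabled>
  <IsTeamsDefaultClient>true</IsTeamsDefaultClient>
</SkypeSettings>
"@

try {
    # Fail visibly (non-zero exit) so the Intune script report shows the device as failed
    if (-not (Test-Path -Path $SettingsDir)) {
        Write-Output "Settings folder not found: $SettingsDir"
        exit 1
    }

    # Parse before writing so a malformed file is never dropped on the device
    [xml]$parsed = $xml
    if ($parsed.SkypeSettings.IsTeamsDefaultClient -ne 'true') {
        throw 'Generated XML does not contain the expected settings'
    }

    # Write as UTF-8 without BOM; the room app reads the file at the next start and then deletes it
    $utf8NoBom = New-Object -TypeName System.Text.UTF8Encoding -ArgumentList $false
    [System.IO.File]::WriteAllText($SettingsFile, $xml, $utf8NoBom)
    Write-Output "SkypeSettings.xml written to $SettingsFile"
    exit 0
}
catch {
    Write-Output "Failed to write SkypeSettings.xml: $($_.Exception.Message)"
    exit 1
}
```

With the default script profile settings the script runs in the system context, which is what allows it to write into the room account's profile folder. The exit code is what Intune uses to populate the assigned/failed overview mentioned later, so the checks above report a missing folder or a malformed file as a failure rather than silently succeeding.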
After the next Azure AD sync completes on the targeted devices, we can see that the XML file has been successfully deployed to the location below.
We can also see the overview of assigned and failed devices in the Intune script profile. In our case it was successful, since it deployed to the targeted system without any issue.
These systems usually reboot every night as a maintenance window to check for and install system updates. Once a Skype Room System receives this XML, the settings are applied during that reboot. Once this change has been applied to all the systems, the Intune script profile can be removed, since it is a one-time configuration change made after the user accounts have Teams enabled.
Alternatively, create a storage container in Azure, store the XML file there and have Intune pull the XML file from it. Keeping this option is beneficial in case we need to modify the XML file frequently for device settings.
Microsoft Teams being the best collaboration solution, there are lots of smart devices equipped with Microsoft Teams that provide smart meeting room systems with modern cameras, microphones and smart display screens. The best part of the Teams application is that it can function well on all ranges of devices with basic hardware support, running on a Windows 10 operating system.
While there are numerous approaches to monitoring Microsoft Teams Room Systems, in this article we will go through the steps to monitor them through Azure Log Analytics. Like other applications, the Microsoft Teams app running on room devices writes all its events to the event logs. The Microsoft Monitoring Agent allows these events to be collected in Azure Log Analytics.
A subscription with Azure to configure a Log Analytics workspace.
Teams meeting room systems with internet connectivity. There are other methods to collect the logs without internet access, through the Log Analytics gateway; in this approach we are going with the direct agent method.
The Teams devices must be running a Windows operating system on all meeting rooms, in kiosk mode or in full operating system mode based on the requirements.
Create an Azure Log Analytics workspace and integrate it with the Microsoft Windows agent.
Log in to Log Analytics workspaces.
Create a new Log Analytics workspace. We can use an existing workspace as well; it purely depends on the requirement.
Choose the required subscription.
Once the Log Analytics workspace is created, we need to go ahead and download the Windows agent. The agent can be downloaded by navigating to Log Analytics Workspaces – Workspace name – Advanced Settings – Connected sources – Windows servers – Download Windows Agent.
Install the MMA agent on the Teams/Skype Room System device:
Select only the option Connect the agent to Azure Log Analytics (OMS), because in our case we are not monitoring them via a local monitoring agent (SCOM).
Enter the workspace ID and the key from the Log Analytics workspace and select Azure Commercial. If the network goes through a proxy, click Advanced and provide the proxy configuration. If the device has no connection to the internet, the agent cannot send the logs to the Log Analytics workspace.
Once installed, we can see the Microsoft Monitoring Agent present in the Control Panel.
Once opened, we can see Azure Log Analytics (OMS) and see that the status is successful.
On editing the workspace we can see the workspace ID and the workspace key.
It usually takes a while for the logs to be collected by the Azure monitoring agent.
Configure the required logs to monitor:
Once the Log Analytics workspace is collecting, we need to configure the data sources so that the workspace can start collecting the required data for monitoring the Teams Room Systems.
In our case, for monitoring the Teams device, we need to collect Teams app logs and a few hardware-related events. We will look into configuring them now.
Note: We have to be very choosy here and collect only the required events, since sending logs to Azure Log Analytics involves cost; it is best to choose only the required events.
In order to collect the logs, navigate to Advanced settings – Data sources – Windows Event Logs.
The key primary log that needs to be collected is Skype Room System (we have to type the name completely and click Add, as this log entry will not autocomplete).
There are a few more event logs that can be added, but I added these logs, which might help in monitoring the Teams Room devices.
Having added the Windows event logs, we can navigate to Windows performance counters, where there are a few counters that can be added and are useful for notifying us when the devices have any of the issues below.
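The same data source configuration can be scripted so that it is repeatable across workspaces and so that the cost advice above (collect only what you need) is enforced rather than left to a portal click. The following is an added example, not code from the blog: it uses the Az.OperationalInsights cmdlets New-AzOperationalInsightsWindowsEventDataSource and New-AzOperationalInsightsWindowsPerformanceCounterDataSource, collects only Error and Warning levels, and skips event logs that are already configured. The resource group and workspace names are placeholders, and the Application/System logs and the four counters are my assumptions of typical choices alongside the Skype Room System log named in the post.

```powershell
# Added example, not the blog's script. Requires the Az.OperationalInsights module
# and an existing Connect-AzAccount session. Names below are PLACEHOLDERS.
$ResourceGroup = 'rg-placeholder'
$Workspace     = 'law-placeholder'

# Event logs to collect. 'Skype Room System' is the primary log from the post;
# Application and System are assumed additions for OS-level errors.
$eventLogs = @('Skype Room System', 'Application', 'System')

foreach ($log in $eventLogs) {
    # Data source names must be unique per workspace; derive one from the log name
    $name = 'EventLog-' + ($log -replace '[^A-Za-z0-9]', '')

    $existing = Get-AzOperationalInsightsDataSource -ResourceGroupName $ResourceGroup `
        -WorkspaceName $Workspace -Kind WindowsEvent |
        Where-Object { $_.Name -eq $name }
    if ($existing) {
        Write-Output "Already configured: $log"
        continue
    }

    # Error and Warning only: Information-level events add volume (and cost) without
    # adding much signal for room health monitoring
    New-AzOperationalInsightsWindowsEventDataSource -ResourceGroupName $ResourceGroup `
        -WorkspaceName $Workspace -Name $name -EventLogName $log `
        -CollectErrors -CollectWarnings | Out-Null
    Write-Output "Collecting Error/Warning events from '$log'"
}

# Performance counters for the hardware-side checks, sampled every 60 seconds (assumed set)
$counters = @(
    @{ Object = 'System';      Counter = 'System Up Time';   Instance = '*' },
    @{ Object = 'Memory';      Counter = 'Available MBytes'; Instance = '*' },
    @{ Object = 'LogicalDisk'; Counter = '% Free Space';     Instance = '*' },
    @{ Object = 'Processor';   Counter = '% Processor Time'; Instance = '_Total' }
)

foreach ($c in $counters) {
    $name = 'Perf-' + (($c.Object + $c.Counter) -replace '[^A-Za-z0-9]', '')
    New-AzOperationalInsightsWindowsPerformanceCounterDataSource -ResourceGroupName $ResourceGroup `
        -WorkspaceName $Workspace -Name $name -ObjectName $c.Object -InstanceName $c.Instance `
        -CounterName $c.Counter -IntervalSeconds 60 | Out-Null
    Write-Output "Collecting $($c.Object)\$($c.Counter)"
}
```

Running this against a workspace shows exactly which logs and counters are being ingested, which makes it easier to review ingestion cost later and to remove a source that turns out not to be useful.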
Querying the logs:
Once we have configured the required log sources, it is time for us to run some queries and see if the logs are being collected. The Azure Log Analytics workspace works well with Kusto Query Language and SQL Query Language.
There are default queries like Computers availability today, List heartbeats and Unavailable computers.
Selecting the default template List heartbeats and clicking Run gives the results below.
To see only the Application event logs, we can run the query below:
search * | where Type == "Event" | where EventLog == "Application"
To see only the errors generated in the Application event log:
search * | where Type == "Event" | where EventLog == "Application" | where EventLevelName == "Error"
To drill down more and look into the perfmon logs, I ran the query below to check the system uptime:
Perf | where CounterName == "System Up Time" | summarize avg(CounterValue) by bin(TimeGenerated, 1h)
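Beyond running queries one at a time in the portal, the same KQL can be driven from PowerShell so that a per-room health view can be produced on a schedule. The block below is an added example, not the blog's own query: it runs two KQL queries through Invoke-AzOperationalInsightsQuery (Az.OperationalInsights), one over the Skype Room System event log for errors in the last 24 hours and one over the Heartbeat table for devices that have gone silent, and joins them by computer name. $WorkspaceId is a placeholder for the Workspace ID shown in the agent applet; the 24-hour and 15-minute windows are my assumptions.

```powershell
# Added example, not the blog's code. Requires Az.OperationalInsights and Connect-AzAccount.
# $WorkspaceId is a PLACEHOLDER for the Workspace ID of the Log Analytics workspace.
$WorkspaceId = '00000000-0000-0000-0000-000000000000'

# Errors written by the Teams Rooms app to the 'Skype Room System' event log, per device.
# Querying the Event table directly is cheaper than 'search *' across every table.
$errorQuery = @'
Event
| where TimeGenerated > ago(24h)
| where EventLog == "Skype Room System" and EventLevelName == "Error"
| summarize ErrorCount = count(), LastError = max(TimeGenerated) by Computer
'@

# Devices whose agent has not sent a heartbeat in the last 15 minutes (assumed threshold)
$heartbeatQuery = @'
Heartbeat
| summarize LastHeartbeat = max(TimeGenerated) by Computer
| extend Silent = LastHeartbeat < ago(15m)
'@

$errors = (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $errorQuery).Results
$beats  = (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $heartbeatQuery).Results

# Index errors by computer so rooms with no errors still appear in the report
$errorByComputer = @{}
foreach ($e in $errors) { $errorByComputer[$e.Computer] = $e }

$report = foreach ($b in $beats) {
    $e = $errorByComputer[$b.Computer]
    [pscustomobject]@{
        Computer      = $b.Computer
        LastHeartbeat = $b.LastHeartbeat
        # Result cells come back as strings; compare case-insensitively to 'true'
        Silent        = ([string]$b.Silent -eq 'true')
        Errors24h     = if ($e) { [int]$e.ErrorCount } else { 0 }
        LastError     = if ($e) { $e.LastError } else { $null }
    }
}

# Silent rooms first, then the noisiest ones
$report | Sort-Object -Property Silent, Errors24h -Descending | Format-Table -AutoSize
```

The heartbeat query is the one to watch for a kiosk device: a room that stops sending heartbeats will also stop sending application errors, so an error-only view would show it as healthy.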
There are a lot of queries that can be built from these collected events. Having collected these events, we can configure them to display as dashboards and set up alerting for the critical events. In the next post we will have a look at how to configure alerting for critical events happening on the meeting room devices.
In huge enterprise-scale deployments there will be various teams handling the services with multiple administrator accounts. These executives must be furnished with administrator accounts that are appropriate to their boundaries. Microsoft Intune being a device, apps and Office 365 administration management service, there are high prospects that it may be used across various departments, applications, devices and locations. With Microsoft Intune having lots of features and capabilities, most organizations are now moving to a managed tenant with Microsoft Intune.
For instance, multiple app protection policies, device compliance policies, app configuration policies, etc. may be created for multiple services: one for meeting room management, another for BYOD devices and one for corporate Windows devices. In these situations we need to create customized role-based access control for each set of users.
With the default Intune admin role assignments we cannot provide custom permissions, and hence we need to take a slightly different approach in order to deploy in a decentralized environment.
We shall consider a scenario with two different cases of leveraging Microsoft Intune as a management authority: one for meeting rooms and another for managing Office 365 and line-of-business apps on BYOD devices.
Ideally, in this scenario we must have two sets of policies and Intune services with different role sets and visibility of policies to the administrators.
The policies below were created for BYOD devices:
App Protection Policies
App Configuration Policies
The policies below were created for meeting rooms:
App Protection Policies
App Configuration Policies
Having created the policies, we now need to segregate them by tagging them to the associated admin groups, device groups and scope tags.
Created admin groups:
Group 1: MRM Admins – to manage only the meeting room Intune policies.
Group 2: Pilot Mobile Admins – to manage only the Android/iOS Intune device policies.
Created device groups:
Group 1: Meeting Rooms – created to hold the meeting room devices and service accounts. This is required to scope this group in the custom RBAC role that we are creating and targeting at meeting room systems and their service accounts.
Group 2: IntuneMobileDevices – created to hold the BYOD user accounts. This is required to scope this group in the custom RBAC role that we are creating and targeting at BYOD users.
Created scope tags:
Scope tag 1: Mobile-Admin – to tag all the BYOD mobile iOS/Android policies, users and devices. We have added the created group for Intune users. One important point to note here is that all new users who need to be part of the Intune policies need to be added to this group.
The policies can be tagged with their related scope tags from the Properties page.
Scope tag 2: SRS-Admin – to tag all the meeting room devices and the service accounts.
In the same way as for BYOD devices, the meeting room policies were tagged with this scope tag.
Scope tags are very much required; they are the basic building blocks used to segregate the roles, permissions, devices and users. In this case we have created two scope tags and associated them with their corresponding policies, users, devices and admins.
Created two custom RBAC roles:
Role 1: Meeting Room Admin – a clone of the Policy and Profile Manager role, scoped only to the MRM Admins group. This role was tagged with the SRS-Admin scope tag.
Role 2: Mobile Administrators – a clone of the Policy and Profile Manager role, scoped only to the Pilot Mobile Admins group. This role was tagged with the Mobile-Admin scope tag.
The default RBAC roles provide visibility to all the policies, hence we need to create new roles. Here we have created two clones of the default role (Policy and Profile Manager). Tagging these two roles with the appropriate scope tags is very important; scope tags are the components that separate the roles based on the policies and users defined on them.
Finally, I created a few policies and tagged them separately for mobile devices and meeting rooms.
Admin login experience:
Policy visibility from a Global Admin account, where we can see all the policies in the Intune portal.
When logging in as the mobile admin, we see only the BYOD mobile device policies associated with him.
Only BYOD device compliance policies are present.
In the same way, when logging in as the SRS admin we see only the meeting room policies associated with him.
Only meeting room app protection policies are found.
For the custom RBAC role, it is requesting an EMS license to be assigned mandatorily to the admin accounts. I tried the admin accounts without the licenses and it does not work.
Once the policy is applied to the admin accounts, it takes almost 24 hours to take effect.
We can utilize role-based access control in combination with scope tags to ensure that privileged administrator accounts have the correct access to, and visibility of, the right Intune objects. Scope tags determine which objects administrators can see from their admin portal.
The following features can be enabled:
We have 4 options at this moment:
Now we need to select this option for Microsoft Intune device enrollment.
After this is enabled we can run the What If tool and see if it is working for the targeted user. In our case we can see the policy we enforced being applied below.
Client user behavior: Android device enrollment through the conditional access policy.
On expanding, we can see the term details as per the company policy.
It is always better to roll out this policy to pilot users at the initial stage, verify the behavior and later plan the rollout in a phased approach for the remaining users.
The IT policy terms can be added in different languages as well, based on the different geographic locations.
We have an option to review the users who have accepted or rejected the policy from the Policy tab.
End user accounts consuming this service will require an Azure AD Premium P1, P2, EMS E3 or EMS E5 subscription in order to activate this service for them.
Microsoft Intune is a cloud service which was introduced in Office 365. The Intune service is charged per user license. It can be configured for cloud-only users as well as hybrid users.
Intune can be used for end-user endpoint protection, MDM, MAM, application distribution storage, software license inventory reports, hardware inventory reports, mobile device app publishing and security monitoring.
This blog focuses only on configuring Intune MDM/MAM for cloud-only users to secure the Office 365 services configured on mobile devices. Using this we would be able to enroll mobile devices, manage devices and applications, protect the corporate data and retire them when required.
The first thing is to see the license required for Intune and assign it to end users.
We need to check the MDM user scope set in the Azure portal.
By default it is not set to any users. We can create a group and assign the scope to the group. This will perform the MDM enrollment for Android and iOS devices.
Here we have three URLs:
MDM/MAM discovery URL – this is the device enrollment URL. By default it is set to the Office 365 enrollment URL and can be left as is if you are using only Intune as the MDM/MAM service.
MDM/MAM compliance URL – URL used to give more information to users on why the device is non-compliant if it doesn't meet the standards.
We need to create compliance policies for Android and iOS devices. Below is an example for Android, where the minimum version is 7.1 and rooted devices are blocked.
Compliance policy conditions and actions can be created based on the requirement.
Create Configuration Policy:
Configuration policies can be created for Android, Android Enterprise and iOS in our case, since we are focusing only on configuring MDM for mobile devices.
Example of creating one configuration policy for Android devices and the restrictions that can be applied to secure corporate data, like disabling screen capture and copy/paste.
App Protection Policy:
The app protection policy can be used to protect and enforce policy only on selected apps. This helps the admins control only the corporate data, even on BYOD devices.
Targeted apps can be selected here; we can select only the required corporate apps.
We have policy settings which can be controlled for the apps installed on the mobile phone.
For example, we have an option to choose which storage end users are allowed to save data to. These restrictions are applicable only to the targeted apps which we selected in the previous section.
Further sign-in security requirements can be controlled based on device manufacturers, PIN attempts, etc.
Create Client Apps:
Intune client apps for Android/iOS can also be assigned to end users through the Intune Company Portal.
Example: one created for publishing VLC player in the Intune Company Portal for Android users.
Once applied, the end user can see these apps on the Android device from the Intune Company Portal app.
A conditional access policy for MDM can be created like below:
Select apps – create one only for Exchange Online.
The login location can be set so that user access can be controlled based on physical location.
Require approved client app only can be selected.
The list of Intune enrolled devices can be seen.
When drilling down further, it shows all the installed apps in the Discovered apps section.
Further, we can see the device compliance status. In the case below my device is compliant except for the password, which I did not configure as per the password policy set for Android devices.
On the client side, on an Android device, the user needs to download the Company Portal to access all Intune features.
Example: the VLC app which we published from Client apps for end users.
If the device is not meeting the compliance requirements, we get an alert on the Devices tab.
We get the user warning when the user configures the email.
This blog gives an overview of how to start enrolling mobile devices through Intune for Office 365 apps. There are more options available in Intune for MDM/MAM, and these have to be configured based on the requirement.
If there is currently any MDM solution in place, we need to analyze the current user experience provided to the end users and provide the same or enhance it beyond the current one.
It is always recommended to test all these features in a staging domain and evaluate the results before moving into production.
It is best to roll out Intune MDM only for a few pilot test users in the beginning and later perform staged rollouts based on the end user responses.