Category Archives: Intune

PowerBI – Microsoft Intune Data WareHouse Beta connector

Now we can use PowerBI and use the Microsoft intune data warehouse to build reports for the entire organization to foresee the intune analytics and the status. PowerBI being a very potential platform for data gathering and analysis this intune data warehouse can help in terms of analyzing the Microsoft intune statistics and provide us the overall metrics.

When we look into the get data from the PowerBI desktop version, we do see the option Intune Data WareHouse Beta Preview connector. Once authenticated with the account we can select this connector

At this point of writing this blog , we could see that this connector is integrated with a 3rd party service as of now and it in the progress of full mature version and can expect more improvements in the future.

Continue reading

Microsoft Teams – Change the Supported Meeting Mode on existing Skype Room Systems to Teams Mode by leveraging Intune Scripts

Microsoft Teams have been the highly adopted collaborative platform in few months time.It has been helping a ton worldwide and the new features that is been released every now and then makes us stay connected and expands the efficiency in every organization who have been using them.

By default Microsoft Certified Room systems are forward compatible with the new Skype for Business or Teams services while maintaining the same client user experience.Usually when any organization has only Skype then these meeting rooms will have the options only Skype enabled on them.

In this article we will be looking at how to enable the existing Skype room systems to have the capacity to host Teams Meetings in them.

Example screen of a Skype room system panel where we have the below options on the supported meeting mode while configuring them at the initial stage .

These devices are basically on KIOSK mode running on recommended versions of Windows 10 currently supported one being 1909 at the time of writing this blog.

Continue reading

Microsoft Teams – Configure Azure Log Analytics for Monitoring Teams Room Systems

Microsoft Teams being the best collaborative solution there are lots of smart devices which are equipped with Microsoft teams for providing the smart meeting room systems with modern cameras, microphones and smart display screens. The best part on Teams application is it can function well in all ranges of devices with a support of basic hardware and running on a windows 10 operating system.

While there are numerous approaches to monitor the Microsoft Teams room systems this article we will go through the steps to monitor them through Azure Log Analytics.Like other applications Microsoft Teams App running on room devices will write all the events on the event logs.Through the Microsoft Monitoring agent in Microsoft Teams it allows these events to be collected in Azure log Analytics.

Prerequisites:

  1. Subscription with Azure to configure log analytics workspace.
  2. Teams meeting room system with internet connectivity. There are other methods to collect the logs without internet through  Log Analytics gateway in this approach we are going with direct agent method.
  3. The Teams devices must be running on a windows operating system on all meeting rooms on a KIOSK mode or probably on a full operating system mode based on the requirements.

Create Azure Log Analytics and integrate with Microsoft windows agent.

Continue reading

Microsoft Intune – Configure customized role based access control in a redistributed IT environment.

In a huge enterprise scale deployments there will be various teams who handles the services with multiple administrator accounts.These executives must be furnished with administrator accounts which are appropriate to their boundaries.Microsoft intune being a device,apps and office 365 administration management there are high prospects that this element may be used over various departments,applications,devices and from various areas. Microsoft Intune having lots of features and capabilities now most of the organizations are moving as managed tenant with Microsoft intune.

For instance there can be multiple app protection policies, device compliance policies, app configuration policies ,etc., are created for multiple services one for meeting room management, another for BYOD devices and for corporate windows devices. In these situations we need to create customized role based access control for each users.

Continue reading

Configure Azure AD Terms of Use functionality within conditional access in Microsoft Intune

The Azure AD terms of use functionality have been recently upgraded. In this article we will have a look at configuring the Azure Azure AD terms of use functionality for Microsoft Intune while enrolling the devices.

Navigate to Terms of use at https://aka.ms/catou

Search for Conditional Access – Terms of Use – Click on terms of use – Select New Terms

Create a new terms of use. Here we have an option to upload our own company terms of use PDF. There is an option to choose the language format for the terms of use.

Continue reading

Configure Microsoft Intune to secure office 365 apps in Mobile Devices

Microsoft intune is a  cloud service which was introduced in office365. This intune service is charged per user license. It can be configured for cloud only users as well as hybrid users.

Intune can be used for end users end point protection, MDM ,MAM ,application distributed storage, software license inventory reports , hardware inventory reports , mobile device app publishing, security monitoring.

This blog focuses only  on configuring the in tune  MDM\MAM for cloud only users to secure the office 365 services configured in mobile devices.Using this we would be able to enroll Mobile devices, manage devices and applications, protect the corporate data and retire them when required.

First thing is to see the license required for intune to assign them to end users.

Get-MsolAccountSku

Untitled

We need to see the MDM user Scope set in the azure portal.

https://portal.azure.com

By default it is not set to any users. We can create a group and assign the scope to the group. This will perform the MDM enrollment for Android, iOS devices.

Here we have three URL’s:

  1. MDM/MAM Terms of use – Can be used to set company terms of use.
  2. MDM/MAM discovery URL – This is the device enrollment URL.By default it is set to office 365 enrollment url and can leave them as it is if you are using only intune as MDM/MAM service.
  3. MDM/MAM Compliance URL– URL to be used to give more information to users on why the device  is non-compliant if it doesn’t meet the standards.

All the above options can be customized based or left blank based on the current MDM/MAM setup. If we are rolling out the MDM/MAM first time for all users then we can leave these url’s as default and can update only the terms of use and compliance url as per the company’s security policy.

Untitled2

Now we need to create  below policies:

  1. Device Compliance Policy –To manage compliance for IOS & Android devices.
  2. Device Management policy- for IOS and Android device management.
  3. App Protection policy-Can be created to protect targeted apps only.
  4. Client Apps – Can be used to assign curated managed apps, such as Office 365 apps, to iOS and Android devices
  5. Create one Conditional Access Policy for MDM (Optional)–  Can be enforced to use only Outlook for IOS Andriod, restrict logins from geo locations.

Create Device Compliance Policy-

We need to navigate to the https://portal.office.com – Admin – Select Microsoft Intune and navigate to intune blade

Untitled5

We need to create compliance policy for Android and IOS devices.Example below for Android where the minimum version is 7.1 and blocking rooted devices can be done.

Untitled6

Compliance policies conditions and actions can be created based on the requirement.

Create Configuration Policy:

Configuration policies can be created for Android, Android Enterprise and IOS  in our case , since we are focusing only on configuring the MDM for mobile devices.

Untitled4

Example of creating one configuration  policy for Android devices and restrictions that can be applied to secure corporate data like disable  screen capture, copy paste.

Untitled3

App Protection Policy:.

The app protection policy can be used to protect  and enforce policy only on selective apps. This helps the admins to control only the corporate data even on BYOD devices.

Untitled7

 

Targeted apps can be selected here we can select only required corporate apps.

Untitled8

We have policy settings which can be controlled for the apps installed on the mobile phone.

Example we have an option to choose which storage can be enforced to end users to save the data. These restrictions are applicable only for the targeted apps which we have selected in the previous section.

 

Untitled9

Further sign in security requirements can be controlled based on Device Manufacturers, Pin Attempts etc..,

Untitled10.png

 

Create Client Apps:

Also Intune Client apps can be assigned Android/IOS to end users through intune company portal.

Example one created for publishing VLC player in the Intune Company portal for Android Users.

Untitled21.png

Once applied end user can see this apps  from the android device from the Intune Company Portal App.

Conditional Access Policy  for MDM can be created like below:

Select apps – Create one only for Exchange Online

Untitled19

Login location can be set from where the user access can be controlled based on physical location.

Untitled18

Required approved client app only can be selected.

Untitled20

List of Intune enrolled devices can be seen.

Untitled17

When drill down further it would show all the installed apps in  the discovered apps section.

Untitled16

Further we can see the device compliance status. In below case my device is compliant except for the password which i did not configure as per the password policy set for Android devices.

Untitled23

From the client side in Android device user needs to download the company portal to access all Intune features.

  1. Example VLC app which we published from Client apps for end users.
  2. If the device is not meeting the compliance requirements we get the alert on devices tab.
  3. We get the user warning when the user configures the email.

WhatsApp Image 2018-10-25 at 14.29.37WhatsApp Image 2018-10-25 at 14.33.34WhatsApp Image 2018-10-25 at 14.33.34 (1)

Notes:

  1. This blog gives an overview of how to start enrolling mobile devices through Intune for Office 365 Apps. There are more options available in intune for MDM\MAM and these have to be configured based on the  requirement.
  2. If there are currently any MDM solution in place we need to analyze the current user experience provided to the end users and provide the same or enhance more than the current one.
  3. Its always recommended to test all these features in staging domain evaluate the results before moving into production
  4. Best recommended to roll out the MDM intune only for few pilot test users in beginning and later perform a staged roll outs  based on the  end user  responses.

Continue reading

%d bloggers like this: