Androids in the Enterprise, a blessing or nightmare? – part 1

Many people who know me know that I am not the fan boy of Android devices. It can be a nightmare when managing those devices, but is that still a valid statement or is it getting better? In this series of blogs, I want to try to get a clear view if Android devices in an Enterprise are a blessing or a nightmare. That there are Android devices connecting to most environments to get access to corporate data is a fact. When looking at Microsoft Intune we can block the ability that Android devices can be enrolled into Intune, but [...]

By |2017-12-01T15:57:46+01:00december 4th, 2017|Enterprise Mobility Suite (EMS), Security|4 Comments

Manage your Windows 10 devices via PowerShell and Microsoft Intune

A big wish of the community and companies using Microsoft Intune was the ability to manage Windows 10 devices that are managed with Microsoft Intune via PowerShell. Since the MDM channel is not supporting deployment and the execution of PowerShell scripts, Microsoft announced today at Ignite the Microsoft Intune Management Extension. Meet the Microsoft Intune Management Extension The Microsoft Intune Management Extension is an addition to the current Windows 10 MDM capabilities and allows us now to deploy and execute PowerShell scripts. The Microsoft Intune Management Extension is automatically deployed and installed on Azure AD joined devices. The Microsoft Intune [...]

Windows 10: Upgrade the edition with Intune in the new Azure Portal

Most professional PC’s delivered today is delivered with Windows 10 Pro (out of the box) which is a really good Operating System, covering most use-cases. However in the world of BYOD and CYOD (Bring your Own / Choose your Own Device) companies, enterprises, goverments, schools etc. often want to upgrade to either Enterprise or Education since these editions of Windows 10 are more feature rich and has a couple of enhancements compared to Pro. Luckly, changeing the SKU does not involve a reinstallation or an major upgrade of the OS. And from Windows 10 1607 (Anniversary Update) you could go [...]

Windows 10 1703 Creators Update: First impressions

Windows 10 creators update is out and I wanted to create a quick blog of the initial experience installing and enrolling it into one of my Azure Active Directory (AAD) test tenants. The initial installation is more or less the same as before, but we know for a while that Microsoft will improve the OoBE (Out of Box Experience) where it now has a new nicer flow and UI. It’s very interesting to see how Microsoft is investing in these types of features and it tells us (in my opinion) how Microsoft looks at the future of Device/Windows deployment and [...]

By |2017-04-06T11:47:03+01:00april 6th, 2017|Configuration Manager (SCCM), Enterprise Mobility Suite (EMS), Windows Client|Kommentarer lukket til Windows 10 1703 Creators Update: First impressions

Android for Work in Configuration Manager 1702

Android for Work support was introduced in Intune standalone in late 2016. With the latest release of Configuration Manager current branch we also have AFW support in hybrid environments. In order to configure AFW a few things to you need to ensure first: Have a couple of Android devices with Android 5.0 or higher Create a Google account to be used as the Android for work admin account Configure Android for Work In the ConfigMgr console navigate to Administration workspace / Overview / Cloud Services / Microsoft Intune Subscriptions and click Configure Platforms / Android For Work. Notice the dialog [...]

By |2017-03-27T08:38:21+01:00marts 27th, 2017|Configuration Manager (SCCM)|2 Comments

The Impact of introducing the Microsoft Enterprise Mobility + Security in the organization

The Impact of introducing the Microsoft Enterprise Mobility + Security in the organization In my work as an advisor and consultant I see organizations adapting to the emerging IT landscape, where user behavior is changing and security risks are increasing. In the midst of this change, I encounter frustrated IT professionals trying to keep up with everything and not having enough time to do so. I encourage my customers to be on top of changes and make sure they stay on top. That message goes beyond IT pros and extends to business owners and managers who can no longer afford [...]

Conditional access with ConfigMgr+Intune and On-Premises Exchange

Conditional Access in either a Cloud-only or Hybrid scenario is a great way to control data by saying we do not allow you to access Corporate Email without enrolling the device to a Corporate MDM solution where Data Protection Policies will be applied. This is in my opinion the best compromise where we let the user be productive where they get the ability to access corporate data on any device, anywhere, where we at the same time have control over the device, forcing security and compliance policies, encrypting data, deploy (LoB) apps and las but not least have the ability [...]

Community Web page to help corporate users enroll their devices!

Guidence on how you can enroll your device and gain access to your corporate data and applications: This web page is created by the community for the community to help corporate users to efficiently enroll their devices into an Microsoft Enterprise Mobility Solution. Businesses can use this webpage as an How-To for their users and link it to their existing documentation. The site covers: Microsoft Windows 10 Devices Apple iOS Devices Google Android Devices Visit the page by going clickin here: www.enrollyourdevice.com Also check out the Microsoft EMS Resources App https://www.microsoft.com/store/apps/9nblggh6j3fq and YouTube page https://www.youtube.com/channel/UCbf6dOWcNhRgLHDEXJWqiNw for more information about Microsoft [...]

By |2016-04-04T15:03:56+01:00april 4th, 2016|Configuration Manager (SCCM), Enterprise Mobility Suite (EMS)|Kommentarer lukket til Community Web page to help corporate users enroll their devices!

December 11: Microsoft Enterprise Mobility Suite (EMS) Resources at your fingertips

I know it's a pompous title, but that still the idea behind what I want to show next. As an IT-Pro I am used to staying up to date on the latest technology that I am working with. And with On-premises solutions like traditional ConfigMgr implementations, staying up to date is not too hard with a little bit of effort since new features and updates are not added daily as opposed to what is going on in the Cloud. Now for some time now I have been working with Cloud services like Microsoft Intune and eventually EMS after the suite [...]

Microsoft EMS News App for Windows 10 and Windows Phone 10

Update: The app has now changed name and is published to the Microsoft store under the name Microsoft EMS Resources An updated blog post is published here: https://blog.ctglobalservices.com/mas/december-11-microsoft-enterprise-mobility-suite-ems-resources-at-your-fingertips/ As an IT-Pro I am used to staying up to date on the latest technology that I am working with. And with On-premises solutions like traditional ConfigMgr implementations, staying up to to date is not too hard with a little bit of effort since new features and updates are not added daily as opposed to what is going on in the Cloud. The cloud is evolving so fast with new features and services added daily [...]

IT Devconnections Enterprise Mobility and Identity BOF

During the BOF last week @ #ITDevCon i briefly talked about creating a couple of managed apps using PowerShell in ConfigMgr. Below are a few examples, open PowerShell ISE aas administrator and magic happens #Import Module Import-Module $env:SMS_ADMIN_UI_PATH.Replace("\bin\i386","\bin\configurationmanager.psd1") $SiteCode = Get-PSDrive -PSProvider CMSITE Set-Location "$($SiteCode.Name):\" #Create the Word Application New-CMApplication -Name "Word" #To create a iOS deployment type for the application Add-CMDeploymentType -ApplicationName "Word" -AutoIdentifyFromInstallationFile -IosDeepLinkInstaller -DeploymentTypeName "Word iOS" -InstallationFileLocation "https://itunes.apple.com/us/app/microsoft-word/id586447913?mt=8" -ForceForUnknownPublisher $True #Create the OneNote Application New-CMApplication -Name "OneNote" #To create a iOS deployment type for the application Add-CMDeploymentType -ApplicationName "OneNote" -AutoIdentifyFromInstallationFile -IosDeepLinkInstaller -DeploymentTypeName "OneNote iPhone" -InstallationFileLocation "https://itunes.apple.com/us/app/microsoft-onenote-for-iphone/id410395246?mt=8" -ForceForUnknownPublisher [...]

By |2015-09-22T23:54:47+01:00september 22nd, 2015|Configuration Manager (SCCM), Enterprise Mobility Suite (EMS), Events|Kommentarer lukket til IT Devconnections Enterprise Mobility and Identity BOF

Install and Configure on-prem mobile device management (MDM) with ConfigMgr vNext TP3

This guide is written by Panu Saukko and Kent Agerlund (both Microsoft Enterprise Client MVP’s). These are the steps we used in our demo environments to configure the new on-prem MDM feature in system Center Configuration Manager vNext Technical Preview 3. In the article you will notice that we used two different environments and you will see screenshots from both environments. Don’t let that confuse you, happy reading and enrolling. The environments we used are: Configuration Manager site: vn3, Site Server: vnext.corp.viamonstra.com, Domain: corp.viamonstra.com, PKI server: dc.corp.viamonstra.com Configuration Manager site: C15, Domain: cmdemo.local, PKI server: cm-dc1.cmdemo.local System Center 2012 Configuration [...]

Managing Windows 10 using On-premises MDM in System Center Configuration Manager vNext

There is a new management agent in town…. the built-in Windows 10 management agent. With that agent you are able to deploy applications (with some limitations in TP3), gather inventory data and deploy configuration items.  in this post I will describe how to you can create configuration items to control various settings. If you want to play around with the complete list of Windows Defender settings you can download the full list of CI’s here (I didn’t have time to test all of them……just saying). The MDM requirements are a little tricky in the sense that you need the following [...]

By |2015-09-06T20:58:34+01:00september 6th, 2015|Configuration Manager (SCCM), Windows Client|1 Kommentar

Deploying WIFI profiles with pre-shared secret to Android devices using ConfigMgr

Today I have spend some time creating and deploying WIFI profiles to Android devices and would like to share my experiences. To get started with Android and WiFi profiles I used this TechNet article https://technet.microsoft.com/en-us/library/dn705842.aspx is almost correct, but there a few bugs in the XML example (as I see it, authentication and encryption). To get me all the way I combined the knowledge from the article with information from MSDN https://technet.microsoft.com/en-us/library/dn705842.aspx and finally this super nice Android PSK Generator community tool - http://johnathonb.com/2015/05/intune-android-pre-shared-key-generator/  The Android XML configuration is really easy,just add the WiFI information into the Configurator and click [...]

Windows Mobile Phone 8.1 support gone after upgrading to Configuration Manager 2012 R2 SP1

One of the many changes in the newly released SP1 is support for Windows Phone 8.1 After the upgrade only there will only be support for Windows Phone 8.0. Navigate to the Administration workspace, select Cloud Services, right click your Intune connector, Configure Platforms, Windows Phone. Notice that Windows Phone 8.1 is not enabled.   In our environment we only support Windows Phone 8.1 and we do not deploy any custom signed Windows Phone LOB applications. Enable Windows Phone 8.1 support and click OK. Wait until the next synchronization and you will have Windows Phone 8.1 support back. Another “setting” [...]

By |2015-05-21T17:43:13+01:00maj 21st, 2015|Configuration Manager (SCCM), Enterprise Mobility Suite (EMS)|Kommentarer lukket til Windows Mobile Phone 8.1 support gone after upgrading to Configuration Manager 2012 R2 SP1

Slides and links from my Welcome to your new life as an Enterprise Client Hybrid Management expert session @NIC 2015

Thanks for attending my Hybrid Management session @NIC 2015. Slide deck Deploy wifi profiles with shared secret - https://blog.ctglobalservices.com/kea/deploying-wpa-2-personal-wifi-profiles-using-configmgr-intune/ Change device ownership in configmgr - https://blog.ctglobalservices.com/kaj/change-device-ownership-in-configuration-manager-with-powershell/ Intune Extensions fail to install - https://blog.ctglobalservices.com/kea/intune-extensions-will-not-install/ and http://scug.be/sccm/2014/02/11/cm12-extensions-for-windows-intune-resources-and-gotchas/ Device based vs User based policies - https://blog.ctglobalservices.com/kea/device-based-vs-user-based-mdm-policies-in-configmgr-2012-r2/ Troubleshooting iOS certificate deployments - https://blog.ctglobalservices.com/kea/troubleshooting-certificate-deployment-on-ios-devices-with-configmgr-intune/ Deny Apps on Windows Phone - http://scug.be/nico/2014/05/22/deny-windows-phone-apps-with-configuration-manager-intune/

By |2015-02-14T15:06:32+01:00februar 14th, 2015|Configuration Manager (SCCM)|Kommentarer lukket til Slides and links from my Welcome to your new life as an Enterprise Client Hybrid Management expert session @NIC 2015

Deploying WPA-2 personal WIFI profiles using ConfigMgr & Intune

For hybrid environments (that being ConfigMgr integrated with Microsoft Intune), it’s not possible to deploy a WIFI profile using a pre-shared secret in the UI. This will however not prevent you from creating and deploying WPA-2 Personal security WIFI profiles in the console. You will just be deploying the WIFI profile without the WIFI password.  Windows Phone 8.1 will re-apply the same profile over and over again When users receive the WIFI profile all they have to do is add the password and they will have WIFI connection. This works great for Android and iOS, but not for Windows Phone [...]

By |2015-01-28T14:28:20+01:00januar 28th, 2015|Configuration Manager (SCCM)|4 Comments

Intune Extensions will not install

It’s a common issue, but still worth mentioning. Being a Full Administrator is NOT the same as having full control of all features in the ConfigMgr console. An example is enabling new Intune Extensions like the one released in late December. As usual you are prompted when new Extensions are available. In this example I’m logged in as Full Administrator and trying to enable the extension in the Administration workspace. All looks good, right until the point where I accept the License Terms, And boom! I do not have the required permissions even though I’m a Full Administrator! Rule #7 [...]

By |2015-01-02T10:36:21+01:00januar 2nd, 2015|Configuration Manager (SCCM)|Kommentarer lukket til Intune Extensions will not install

Managing WIFI certificates for iOS devices with ConfigMgr MDM

This will be the last Christmas blog post from Coretech in 2014. A huge thanks to all of you who followed our Christmas blogs in December. @Coretech we wish you and your loved ones a Merry Christmas and a Happy New Year – We look forward to service you again in 2015 with knowledge, inspiration and best practices on Microsoft technologies One of the many need features offered by ConfigMgr & Intune is the ability to deploy certificates and WIFI profiles. Both are essential when implementing a MDM/BYOD strategy. Creating the required SCEP certificate for iOS As mentioned in a [...]

By |2014-12-23T14:09:31+01:00december 23rd, 2014|Configuration Manager (SCCM), General info|3 Comments

Device based vs User based MDM policies in ConfigMgr 2012 R2

With ConfigMgr and Intune you have long been able to manage devices like Android, iOS and Windows with mail profiles, security settings, Wi-Fi profiles and VPN profiles. Deployment of those profiles has undergone a fundamental change with the release of ConfigMgr R2 and CU3. To understand those changes you first to understand how policies were deployed in the past. Back in the old days “prior to R2 CU3” On the ConfigMgr side, even if you deployed policies to a user it would always be deployed to the device. What happened in the background the policy generated would not be generated [...]

By |2014-11-26T15:02:42+01:00november 26th, 2014|Configuration Manager (SCCM)|1 Kommentar

Troubleshooting Certificate deployment on iOS devices with ConfigMgr & Intune

Last week I had an issue trying to enroll certificates thru ConfigMgr/Intune via NDES on iOS devices. The enrollment worked like a charm on Windows Phone 8.1 devices. The error I got in the crp.log file (Certificate Reqistration Point component) was key usage in CSR 160 and challenge 224 do not match To fix the issue you have to modify the certificate NDES General Purpose certificate template and remove Signature in proof of origin. You will find the property in Extensions After that iOS devices started appying the certificates.

By |2014-11-11T15:29:49+01:00november 11th, 2014|Configuration Manager (SCCM)|Kommentarer lukket til Troubleshooting Certificate deployment on iOS devices with ConfigMgr & Intune

Dealing with Jailbroken/Roted devices in ConfigMgr 2012 R2 & Intune

As you enroll a mobile device into Intune/ConfigMgr 2012 R2, inventory data will automatically be uploaded to the ConfigMgr database. One of the data being collected is the Jailbroken/rooted condition. In the below example the device is being detected as a jailbroken device. One of the many benefits of using Intune as the MDM solution is the integration with System Center 2012 R2 Configuration Manager. Once data is in the database we can use the entire ConfigMgr engine to manage the device. MDM devices in ConfigMgr can be managed using the Application Model and the Compliance Management feature. Especially the [...]

By |2014-04-10T10:18:04+01:00april 10th, 2014|Configuration Manager (SCCM), General info|Kommentarer lukket til Dealing with Jailbroken/Roted devices in ConfigMgr 2012 R2 & Intune