Microsoft Endpoint Manager, Debugging Android Devices

When managing devices at some point there will be some sort of issue that requires a deeper level of troubleshooting. Additionally, learning how to debug a device is not a bad thing, in fact anyone can do this. In this months post I dig into logging and debugging Android devices enrolled with Microsoft Endpoint Manager. There are several tools that can be utilized to troubleshoot Android devices and as with most troubleshooting, it’s a process of peeling back the layers until the issue is found and remediated.

Let’s get started!

Debugging Tools

For devices enrolled with Microsoft Endpoint Manager (MEM) I recommend starting with the Troubleshooting section within the MEM Intune console. It provides a consolidated view of policies, apps, compliance, and much more. Start with the troubleshooting console and work forward. If the troubleshooting information doesn’t reveal what you’re looking for we can head over to the device for direct troubleshooting.

Device Policy Controller (DPC)

There are various enrollment methods Goole offers for Android devices, such as Device Admin, Work Profile, and Device Owner. For the purposes of this post, I’m going to focus on Device Owner (Android Enterprise), however these methods may be applied to other enrollments as well.

When devices are enrolled with MEM they utilized what is called a Device Policy Controller (DPC). The DPC is automatically installed on the device during enrollment. Once enrolled, locate the DPC app by navigating to Google Play and selecting and opening the Android Device Policy app. From there you can sync the device and view which apps were installed and policy settings.

If you’re using the Managed Home Screen (as shown below), tap on the back arrow several times (ok 15 times) and on the menu select “Launch Android Device Policy app” which takes you to the DPC app where we can view and sync policy.

Note: the process above may not work (and probably doesn’t) for other EMMs who create their own DPCs.  The process is specifically for the CloudDPC Google provides for EMMs utilizing the Android Management API (which MEM does).  As such, contact Google to provide feedback about other debug features you may need in the CloudDPC.

Enable debugging in the DPC

I was poking around settings and I discovered a really helpful option for devices enrolled with MEM. Open the Android Device Policy app and select the three dots in the upper right hand corner > select device details > scroll down and look for “Model” and tap until debug items is enabled. Back arrow to the Device Policy screen and select the three dots in the upper right hand corner again, then check the box next to “All policies“.

You’ll now see all the policies deployed to the device from MEM including policy version, apps, settings, etc. This may be enough to work through issues, however if deeper investigation required read through the sections below.


Device debugging

We will need to do a few things to set up debugging, first we’ll need to enable debugging on the device and then install some tools provided by Google.

Enable developer options and USB debugging

  1. Under Settings search for “About phone” and tap > now find and tap “Build number” until is says “You are now a developer!”
  2. Next under Settings search for Developer and select developer options (System > Developer options) and is should show as On.
  3. Find and enable “USB debugging”
  4. Enable/disable settings you need to under the settings then connect to USB.


Android Debug Bridge (adb)

On a Windows, Mac, or Linux device navigate to https://developer.android.com/studio/command-line/adb and install the Android SDK Platform-Tools package.

Direct download link: https://developer.android.com/studio/releases/platform-tools.html


Log collection and debugging devices

Connect your device via USB (you can also connect via WiFi as well), open a cmd.exe window (I’m using Windows btw), navigate to the directory where the SDK was installed and type in adb.exe devices -l

If you receive an error, run the following commands:

adb kill-server

adb start-server

This should kick things off, assuming the device is enabled for debugging.

Another issue is debugging authorizations, if you run into issue here, do the following: Revoke USB debugging authorizations – when you attach this will prompt for authorization again otherwise you may receive “unathorized” in the command line

Run adb.exe devices -l again and you will see the following (in my case I have a Zebra attached):

List of devices attached

18359522505742 device product:TC57 model:TC57 device:TC57 transport_id:1

 

Collecting logs

Run the following commands to collect logs to be utilized in troubleshooting:

Logcat https://developer.android.com/studio/command-line/logcat

According to Google developer docs: “Logcat is a command-line tool that dumps a log of system messages, including stack traces when the device throws an error and messages that you have written from your app with the Log class.” Google also has a tool that developers may build to read app logs: https://developer.android.com/studio/debug/am-logcat

  • From the command line run: adb.exe logcat -v threadtime [device ID] > C:\temp\android.log

Bugreport https://developer.android.com/studio/debug/bug-report

According to Google developer docs: “A bug report contains device logs, stack traces, and other diagnostic information to help you find and fix bugs in your app.”

  • From the command line run: adb.exe bugreport c:\temp\bugreport.zip – open the file named “bugreport…….txt”   

    e.g. bugreport-TC57-01-12-01.00-OG-U16-STD-2020-02-18-07-39-37.txt

    I find the bugreport really useful, including when looking for device management settings.

     

Running queries using adb.exe

When devices are enrolled via Device Owner (Android Enterprise) most system and preinstalled apps will be hidden, however there are occasions where systems apps are critical to business functions, e.g. Zebra datawedge, so bringing those back is necessary.

Fortunately, you can whitelist system apps with MEM Intune by following the instructions listed here: https://docs.microsoft.com/en-us/intune/apps/apps-ae-system, however you may not know the app package name so having a way to look those up is necessary.

To list all apps installed on the device (hidden or not) run: adb shell pm list packages -s

Truncated example output:

package:com.android.calculator2

package:com.android.chrome

package:com.android.contacts

package:com.android.deskclock

package:com.android.dialer

package:com.android.providers.calendar

package:com.android.providers.contacts

package:com.symbol.batterymanager

package:com.symbol.rxlogger

package:com.symbol.rxloggerutility

package:com.symbol.scannerfirmwareupdate

package:com.symbol.ScreenShot

package:com.symbol.service

package:com.symbol.simulscan.res

package:com.symbol.tool.stagenow

package:com.symbol.zebrafolders

package:com.symbol.zebravolumecontrol

package:com.zebra.licensemgrservice

package:com.zebra.locationprerun

package:com.zebra.oemconfig

package:com.zebra.oeminfo

package:com.zebra.server

package:com.zebra.smartmu.service

package:com.zebra.zebracontentprovider

 

Use adb shell to interactively query

There may be situation where you will need to do some real-time queries and Google documents these here: https://developer.android.com/studio/command-line/dumpsys

For example, I can investigate the battery details by running: adb shell dumpsys battery – with the output I can see the date the battery was manufactured, which is useful in determining if a battery needs to be replaced.

According to Zebra docs, “A battery is considered to be decommissioned if the Health percentage of the battery is less than or equal to Percent Decommission Threshold.” Looking at the highlighted values below, looks like my battery is still good to go.

Current Battery Service state:

AC powered: false

USB powered: true

Wireless powered: false

Max charging current: 500000

Max charging voltage: 5000000

Charge counter: 6396244

status: 5

health: 2

present: true

level: 100

scale: 100

voltage: 4042

temperature: 210

technology: Li-ion

low temp shutdown level: -140

high temp shutdown level: 600

low battery level: 18

critical level: 10

shutdown level: 4

adjust shutdown level: 100

battery Type: 201

battery part number: BT-000314-01 R.E

battery serial number: T0738

battery Manufacture Date: 2018-11-17

rate capacity in mAh: 4050

decommission status of the battery: 0

base cumulative charge: 34079

battery error status: 0

battery charge cycle: 8

battery total cumulative charge in mAh: 35212

battery seconds since first use in secs: 31269629

battery present capacity: 3824

battery health percentage: 100

battery time to empty in secs: 65535

battery time to full in secs: 65535

battery present charge in mAh: 3821

battery percent decommission threshold: 80

SOC from external: 100

SOC from internal: 100

Temperature from external: 21

Temperature from internal: 210


Troubleshooting OEMConfig settings

If you’re interested in going deeper we can utilize the debug output (adb.exe bugreport c:\temp\bugreport.zip) to look at memory usage, apps status, settings, etc. For example, I set the time on my Zebra device using OEMConfig settings, however if there was an issue, I (or support) could use these logs to troubleshoot settings.

The following is the setting I pulled from a very long list of settings in the debug file where my policy successfully applied. Again, if there was an issue, I would simply find the setting and verify if it is set or not.

DUMP OF SERVICE settings:

_id:55 name:time_12_24 pkg:com.symbol.mxmf.csp.clock value:24 default:24 defaultSystemSet:true

Note: some Device OEM OEMConfig apps have policy/debug info builtin so you may not need to look at the logs, e.g. Samsung Knox Service Plugin.

Application troubleshooting

If you have an app that you’d like to test via Device Owner and Work Profile enrollments, using the Test DPC is helpful.

According to Google:
We provide the Test DPC app to help Android developers test their apps in an enterprise environment. Using Test DPC, you can set EMM policies or managed configuration values on a device—as if an organization managed the device using an EMM. Source https://developer.android.com/work/guide#testing

  • Connect the debugger and sideload the apps then install Test DPC to test app functionality.
  • Sideload app and see if it installs successfully
  • For app updates, the version code must be sequential and the signing cert must match

Google walks through how to provision devices using Test DPC here: https://developer.android.com/work/guide

Wrapping up

Debugging devices isn’t something you may do every day, however it’s useful to know and if needed the option is available.  Additionally, the MEM Intune app with Android Enterprise Device Owner enrollments has a button to send logs to Microsoft support so you may not need to do any debugging.  However if there is systemic issue occurring across multiple devices, debugging is a good in-house path to go down.

Intune, Android Enterprise Device Owner enrollments & system apps

With Android Enterprise Device Owner enrollments, have you ever wondered where all the system apps go when enrolling with Android Enterprise Device Owner? Well they’re there, however they’re not whitelisted and only apps whitelisted by your admin are available (depending on the device OEM, there may be some system apps that are automatically whitelisted, e.g. phone dialer app).

The good news is with the Intune 1909 release, system apps may be whitelisted as well! An example of a system app is the dialer or some OEM specific app such as a battery monitoring app or barcode scanner app.

To bring back System Apps individually, you’ll need to know the package ID. For example, on my Zebra device I’d like to whitelist the battery manager app and the desktop clock. The package IDs for those are: com.symbol.batterymanager and com.android.deskclock

System apps may be whitelisted and assigned by navigating to the Intune admin portal, selecting Client apps > Add > App type = Android Enterprise system app

Provide a Name, publisher and package name and save.

Under Assignments, assign the app to the device group where the device lives. In my case I use a dynamic Azure AD group to assign Zebra devices that are enrolled as Device Owner Dedicated (aka kiosk).

If you’re utilizing the Managed Home Screen, for the app populate so user can launch it you’ll also need to publish the app to the Managed Home Screen profile under device configuration as shown below.

Search for the app name, e.g. battery, and add it.

Policy sync should only take a few seconds and on the device the battery manager is whitelisted and is available for users to access from the Managed Home Screen.

That’s it, it’s that simple. Again, system apps can be whitelisted now using Intune.

Additionally, Line of Business (LOB) apps and Web app links may also be published right from the console.

To learn more about managing Android devices with Intune by visiting: https://docs.microsoft.com/en-us/intune/

Zebra, OEMConfig, Ivanti Velocity, and Microsoft Intune

I work with a lot of organizations who manage a wide range of devices including organizations who manage rugged devices.

Rugged devices are utilized in a variety of scenarios, including warehouses, big box stores, field engineering, logistics, emergency services, government, and so on.  Typically, these devices are locked down in modes where it’s dedicated to a specific use case, such as inventory scanning. Some organizations deploy multiple apps to a locked down screen where those apps are used in specific scenarios such as inventory look up and/or data entry.

For this month’s post I’m focusing on a specific scenario I run into quite a bit with rugged devices and an app called Velocity (powered by Wavelink) by Ivanti.

According to the Ivanti Velocity user guide:

Ivanti Velocity is an Android client that can connect to Telnet hosts (including IBM 5250/3270 and VT100/220), web apps, and Oracle SIM hosts. For Telnet and Oracle SIM hosts, it can present applications to your users in a modern touch interface, either with automatic, predictive reformatting or with a customized experience.

Source: https://help.ivanti.com/wl/help/en_US/Velocity/2.0.0/admin/velocityConsoleHelp.htm

The Velocity app may downloaded directly from Ivanti and is found on Google Play: https://play.google.com/store/apps/details?id=com.wavelink.velocity

So naturally I was curious about managing the Ivanti Velocity app on an Android device managed with Microsoft Intune. For the device, I chose to utilize a Zebra TC-57 rugged device.

Requirements for this scenario

  • Microsoft Intune
  • Zebra device
  • Zebra OEMConfig powered by MX app from Google Play
  • Ivanti Velocity app from Google Play
  • Ivanti Velocity deployment bundle (.wldep file)

Special thanks to Alex Evans from Ivanti who supplied me with a demo deployment bundle, thanks Alex!

Let’s get started

Device enrollment
I chose to enroll my Zebra device as a dedicated device under Android Enterprise Device Owner enrollment. Fortunately, I posted on this already, so I don’t have to re-create the steps. To learn more about enrolling a device as a Dedicated (kiosk) device please visit: https://uem4all.com/2018/08/06/android-kiosk-enrollment-and-microsoft-intune/

Ivanti Velocity app deployment
Let’s add the Velocity app to Intune.

  1. Navigate to the Intune admin portal via https://devicemanagement.microsoft.com and select Client apps from the left hand navigation.
  2. Select Apps > Add > App type > Managed Google Play and search for “Ivanti Velocity” and should look something like the image below. Go ahead and approve the app and chose your approval settings when prompted, then save.
  3. After the app info has synchronized to Intune, assign the app to the device group you created you went through the device enrollment steps above. This will ensure the app is deployed to the device.

 

Intune Managed Home Screen config
After the Ivanti Velocity app is assigned, if it is a dedicated device, you’ll most likely be utilizing the Intune Managed Home Screen. Whether it’s a single- or multi-app add the app to the list so it’s available on the Managed Home Screen. Note: I covered this in the post I referenced above…

Once the apps are deployed to the Managed Home Screen you’ll see them populate. Again, assign the apps to device for installation purposes under “Client apps” and in addition, add the apps to the Managed Home Screen under device configuration, as shown above, so they’re available for users to launch and interact with.


Ivanti Velocity app configuration deployment
Next, we need to create an Intune profile to push the Ivanti Velocity deployment bundle to the device. For this I utilize Zebra OEMConfig, Zebra StageNow, and an FTP server to push the Ivanti Velocity deployment bundle to the device.

Oct 2019 UPDATE
Zebra OEMConfig now supports File Management.  Simply add the path to the source to the Source URI (ftp-p://username:password@0.0.0.0:21/Velocity_Demo.wldep) and the Destination Path and File Name will be /sdcard/com.wavelink.velocity/Your_Velocity_Bundle.wldep

2019-10-23_14-07-32

If you’re not familiar with OEMConfig please review my earlier post on the topic: https://uem4all.com/2019/07/09/intune-oemconfig/


With the Zebra OEMConfig now supporting File Management, the step below using StageNow is now optional and you would either use the step above or the one below, not both.

<Begin optional steps>
Let’s start with Zebra StageNow…

  1. Zebra StageNow is a Windows application and may be downloaded by visiting: https://www.zebra.com/us/en/products/software/mobile-computers/mobile-app-utilities/stagenow.html
  2. Open StageNow and create a new profile, select the proper MX version (e.g. MX 8.2) for your Zebra device, then select Xpert Mode and then Create.
  3. Give the profile a name and select Start
  4. From the Settings tab select FileMgr and select the + sign to add it under the CONFIG tab and select Add as shown in the example screenshot below.

  1. In the StageNow Config under File Action select Transfer/Copy File.
  2. Under Target Path and File Name add the following: /sdcard/com.wavelink.velocity/Your_Velocity_Bundle.wldep, this will add the .wldep file in a folder named com.wafelink.velocity on the device. The Velocity app knows to automatically look in that folder and apply the profile info in the bundle.

Note: you can rename the .wldep bundle to .zip to peek at the files if needed.

  1. Select File on a remote server if not already selected and select the … to open the dialog.
  2. Under Staging Server select “External” and for the Source Path and File Name add the ftp server info, Zebra has documented this well and can be viewed by visiting: http://techdocs.zebra.com/mx/filemgr/

The source path to my FTP server looks like the following: ftp-p://username:password@0.0.0.0:21/Velocity_Demo.wldep

  1. Once we’re finished with entering all the parameters select “Continue” until you see “Complete Profiles”.
  2. Select “Complete Profiles” and then select “Export for MDM” and save the .xml file.

Locate where you saved the .xml file and open it and it will look similar to xml output below. Copy the data beginning with <characteristic… to the last </characteristic> as outlined in red in the image below.

<End of Optional Steps>


Intune OEMConfig Configuration
Frist we need to add the Zebra OEMConfig app from Managed Google Play; to do that, from the Intune admin portal, select Client Apps > Apps > Add > App type > Managed Google Play and search for “Zebra oemconfig”.  It will look something like the images below.

Go ahead and approve the app and chose your approval settings when prompted, then save.

Note: Intune also supports Datalogic, Honeywell, and Samsung OEMCOnfig. If you’d like to test settings for OEMConfig with other OEMS, search Managed Google Play from Intune and add their specific OEMConfig apps. Stay tuned for Intune expanding support of additional vendors who offer OEMConfig.

Create OEMConfig profile in Intune
We now need to create an OEMConfig profile in Intune. Do this by selecting “Device configuration” in the Intune portal > Profiles > Create profile.

Give the profile a name, from Platform select Android Enterprise, from Profile Type select OEMConfig. From here select “Zebra OEMConfig powered by MX” app.

Intune_OEMConfig

Select Configure > select the three dots next to Transaction Steps > and then select Add setting.

From the list of settings select, Device Administration Configuration.


  1. Under Device Administration Configuration only two settings are required.
  2. Action = SubmitXML
  3. Submit XML = the .xml data we copied above. Paste it into this field.

     

    Note: If needed, switch to the JSON view to see what the full JSON looks like. JSON view is really helpful when troubleshooting as well.

     

  4. Select OK and Save.

When the device syncs with Intune the apps and the OEMConfig settings will deploy to the file and push the Velocity app config file to the directory we specified.


 

The following video displays the profile I deployed using Zebra OEMConfig from Microsoft Intune in the Velocity app.

 The Velocity profile was populated on the device in a folder called com.wavelink.velocity.  

Finally, the Velocity app automatically knows to look there so it’s added when the app is launched.  

Next I scan some bar codes using the app to show inventory and other data.  You can’t see it, however I’m actualy scanning those barcodes in the video.

2019-09-09_14-57-23

 

Couple if items to be aware of:

  • In the Intune admin console, device sync status for app deployment, policies, etc. will show as “pending”, this is known.
  • At this time, only one OEMConfig profile may be assigned to a device.

That’s it!  This is incredible… the Intune team has made monumental investments across device platforms supporting a variety of different scenarios, from rugged devices, information workers, and bring your own.

Stay tuned for future updates and posts about Intune right here on UEM4all.com!

 

Send Intune security task notifications to Microsoft Teams, email, etc. using Microsoft Flow

There’s a feature within Microsoft Defender Advanced Threat Protection (MDATP) and Microsoft Intune where MDATP security recommendations can be sent to Intune as a security task. This is helpful if security admins and MDM admins are separate and need to pass information for endpoint management teams to work on. Even if you work on a small team or are a one-person shop, sending security tasks to Intune provides a work item, so if you’re forgetful or get pulled in many directions, you’ll have a task sitting for you. For more details on this feature please visit: https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-Intune-security-tasks-extend-Microsoft-Defender-ATP-s/ba-p/369857

The purpose of this post is to create a method to signal and/or alert that there is a new pending security task in Intune. Currently admins need to access the Intune console and check for tasks which is a manual process. I prefer automation and I created a Flow to post a message in a Teams channel and send an email about new, pending Intune tasks sent from WDATP. If you’re thinking, “I’m not a developer…” well the good news is, neither am I! I love Microsoft Flow because it makes creating workflows and automation easy (and I create a lot of Flows to automate tasks).

Let’s get started

Requirements

  • Microsoft Defender ATP
  • Microsoft Intune
  • Microsoft Flow
  • Microsoft Teams
  • A Windows 10 device enrolled with Intune and managed by Microsoft Defender ATP

Viewing a security recommendation and sending a task to remediate to Intune

Navigate to https://securitycenter.windows.com/tvm_dashboard (note if you don’t have a subscription or haven’t set up MDATP, you’ll need to do this first). Look at the Top security recommendation on the right and select one.

Here I see a list of security recommendations.

When “Update Chrome” is selected we can see the number of devices exposed and CVEs (Common Vulnerabilities and Exposures) the update will address.

Select “Remediation options”

Check the box next to “Open a ticket in Intune (for AAD joined devices)”, select a due date, and add notes if necessary.

When finished, select “Submit request”

Head over the devicemanagement.microsoft.com > Security baselines > Security tasks and there should be a pending task. In this case I have two that have a status = Pending.

Select a task and Assign or Reject it, however, don’t do this yet, because we want to get a notification of pending security task in Intune.

Notifications of new pending tasks

Now we know how to send a task from MDATP to Intune, however what would be better is to be informed a task is waiting for us to address, and to set up notifications I use Microsoft Flow.

Creating a new Flow

Navigate to https://flow.microsoft.com, select My flows from the left hand navigation and select New -> Instant-from blank. Give the Flow a name and select create.

Schedule the Flow to run

Search for the “Recurrence” trigger and add it to the beginning of the Flow. Populate the fields to meet your requirements. I set my schedule to kick off everyday at 8 AM mountain time.

Azure AD Authorization to call Graph

This process requires multiple steps so I’ll refer you to a couple sources that may be utilized to configure the authorization steps:

Query Graph

Search for and add the HTTP Flow action. Method = GET, URI = https://graph.microsoft.com/beta/deviceAppManagement/deviceAppManagementTasks

In the header I utilize the authorization info compiled in previous steps.

The next three Flow actions take the information from the graph call and parse it out based on the JSON schema

  1. Search for and add a Compose action and as the “Input” add the Body from the Http action above.
  2. Search for an add a Initialize variable action, Name = JSONObject, Type = Object, Value is the Value from the Compose 2 output in the previous action.
  1. Next we need to parse the JSON so we can select JSON fields to be added to an email and Teams posts. Search for an add a Parse JSON action, Content = JSONObject from the variable above the Parse action. The Schema is generated easily by going to Graph Explorer and querying Graph as shown below. Copy the JSON returned from the response preview pane and in the Parse JSON action, select “Use sample payload to generate schema” and past the JSON output and select done. This will construct your schema.
Use the JSON output from graph explorer (as shown below) to populate the sample payload to generate the schema.

Send to Teams and/or email

Here I walkthrough sending to Microsoft Teams; however, an email trigger is roughly the same process.

  1. Search for and add a “Apply to each” trigger, Select an output from previous steps = the value from the Parse JSON action above.
  2. I only want task with a status of “Pending” so I added a Condition trigger where search for a status equal to “pending”. The Status object comes from the JSON we parsed above.
    • If status of pending = yes, I send an email and post to Teams, if status is anything other than pending, the Flow terminates.
  3. Search for and add “Post a message” action. Search for the Team site, Channel, and then craft your message. More on this below.

The reason we need to add a schema and parse the JSON returned from the Graph call is so we can select the variables returned individually. Below is an example of the fields I selected for my messages sent to Teams.

Viewing Teams posts

The following is an example of an Intune Task sent to teams with the Flow constructed above. If there is more than one pending task, the Flow will post individual messages for each pending task (same goes for emails). As shown below, I happen to have two tasks that are pending, one to Update Chrome and the other to Update Windows 10, lucky me!

That’s it! If you’re utilizing Microsoft Defender ATP and Intune, integrate the two and start sending tasks to Intune today. Use Flow to schedule notifications and send to Microsoft Teams, email, or whatever method Microsoft Flow supports.

Additional References

Logic apps docs: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-perform-data-operations#join-action

Use data operations with Microsoft Flow: https://docs.microsoft.com/en-us/flow/data-operations

Follow me on Twitter @mscloudinfa

Entire Flow

Android Enterprise Dedicated device – matching a physical device to a device record in Intune

I work with organizations who have 100’s to 1000’s of managed devices in Intune.  When it comes to Android there may be various Android OEMs and OS versions organizations are managing and a variety of use cases for those devices.  With more organizations migrating to Android Enterprise they must choose an enrollment method based on the scenario.  With Android Enterprise there are several methods of enrollment, Dedicated, Work Only, and Personally-Enabled.  For more details on Android enrollment options please visit: https://www.android.com/enterprise/management/

For digital signage, kiosks, barcode scanners, etc. those devices are typically enrolled as a “Dedicated” device where a single or multiple apps are the only apps accessible by the end user. In addition, dedicated devices do not have user affinity, meaning the device isn’t linked in an MDM to a specific user unless there some sort of tagging associated which identifies the user or location of the device.

Because there’s no user affinity assiated with dedicated devices, I’m often asked, “what’s the best method to identify an Android device enrolled as a dedicated device (e.g. kiosk) in the Intune admin portal with a physical device in hand?”

There’s a simple method of doing this and it’s identifying the device by serial number. Here’s how to do it without removing the battery:

1.  With the device turned on tap on the arrow key on the bottom left about 15 times to launch the options (btw, the screen with the app(s) you’re accessing is called the Microsoft Managed Home Screen). Depending on the app configuration for the managed home screen you may see “Logs” and/or “Exit Kiosk”.

2.  Select “Logs” and slide up on the Logs banner to expand

3.  Find the “deviceInfo” and tap the + until it expands

4.  Locate “serialNumber” and match it to the device serial number under “All devices” in the Intune admin portal. If you don’t see the “Serial Number” column select “Columns” at the top of the page and add “Serial Number” to the list.

Here’s a video showing the process in action:

7068B017-43B0-4070-BA94-3F8AD24A918F

In summary whether your organization manages 10 or even 1000’s of devices, having a simple method of identifying a physical device will save a lot of time during the process of troubleshooting.

To learn more about Android device enrollment with Intune please visit: https://docs.microsoft.com/en-us/intune/android-enroll

Use a QR code to point users to the Intune Company Portal app for enrollment

Use a QR code to point users to the Intune Company Portal app for enrollment

Quick post here, ever wonder how you can create a QR code that points to the Intune Company Portal in the iOS app store (or any app store), and paste it in an email and send it to your end users? Well it’s super easy to do. Simply search online for a QR code generator. Example: https://www.bing.com/search?q=qr%20code%20generator

When I searched for a QR code generator, a result came up inline of my search results and I pasted the URL that points to the Intune Company Portal in the Apple app store and it generated the QR code below.

If you’re interested, here’s the raw data behind the QR code:

Even better, the Intune Company Portal has 4.5 stars, hey that’s awesome!  Ok shameless plug, however it’s really cool to have such a high rating.

Anyway, theoretically you can do this for any app in an app store, whether they’re Microsoft Office apps, 3rd party apps, one of your published apps, etc.

To save you time, I generated QR codes that point to the Intune Company Portal (or enrollment URL in MacOS case) for all the platforms supported by Microsoft Intune:

iOS                                 Android

        

Windows Store            MacOS

        

Note: MacOS points to https://portal.manage.microsoft.com

Here’s an example email I manually created. Create your own by copying a QR code and generating your own custom emails using your corporate email application such as Outlook.  Your users will love it!  Plus it streamlines their enrollment process.

Here an example of using the built-in camera in iOS to scan the QR code.  As you can see it took me directly to the Intune Company Portal app in the Apple app store.

Intune_iOS_QRCode

 

If you’re intersted, for coporate owned devices Intune supports NFC, QR, and Zero Touch for Android Enterprise already, for more information please visit: https://docs.microsoft.com/en-us/intune/android-enroll

That’s it, I hope you find this valuable when directing your end users to enroll their devices with Microsoft Intune.

Intune MacOS management capabilities

Back in 2015 I wrote a blog about Mac management with Intune, however it’s been a few years and I feel it’s time we re-visit Mac management with Intune to learn more about what’s changed. You’ll soon learn there’s been a significant amount of progress and since my first post Intune now has a lot of native Mac management capabilities built in.

First let’s look at MacOS enrollment options with Intune.

MacOS enrollment options

There are two methods to enroll MacOS with Intune, user driven or using Device Enrollment Program.

User driven enrollment

For user driven enrollment the end user will need to sign into the web based version of the company portal via https://portal.manage.microsoft.com

If the user already had a device registered it will show on the screen, if the Mac is the first device being enrolled, they will see the following:

Once the user selects “Add this one by tapping here” they’ll be prompted to download the Intune Company Portal app.

After the Company Portal is downloaded and installed, open it up and you’ll be asked to sign-in using your corporate credentials. These are the same credentials used to sign into Office 365 (derived from Azure AD).

After sign-in is complete the device will begin the enrollment process.

For more details on user driven Mac enrollment please visit: https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp

Apple Device Enrollment Program

The concept of the Apple DEP is to associate devices with an organization and to streamline the enrollment process, similar to enrolling Apple iOS devices. However, enrollment requires a different process by associating an Apple enrollment token with Intune. After the enrollment token is added and enrollment profile is created in Intune and associated with the enrollment token.

During the enrollment profile creation process you’ll be asked to select user affinity (i.e. userless or user associated). Once user affinity is selected, you’ll also select whether or not you’ll allow users to remove the enrollment profile via the “Locked enrollment” setting.  Finally, you’ll customize the setup assistance which allows for hiding setup screen, e.g. Apple Pay, Siri, Registration, etc.

For more details on the Apple enrollment token process with Intune please visit: https://docs.microsoft.com/en-us/intune/device-enrollment-program-enroll-macos

Conditional access

An exciting feature of Azure AD is the ability to target certain device platforms (e.g. MacOS) and set a series of conditions for access by creating conditional access policies in Azure AD.

Compliance

Azure AD and Intune compliance policies also play a role in access. Step through the compliance policies below to view the restrictions that may be enabled for the device to be compliant.

Device Health

System integrity protection prevents malicious apps from modifying protected files and folders.

Device Properties

Specify which OS version and builds you’ll allow before accessing corporate resources.

System Security

Configured password and password integrity, storage encryption, firewall, and gatekeeper to project against malware.

Actions to take for non-compliance

Take action when devices are not compliant with the compliance policy by sending the user a mail and/or locking the device.

Associating an Intune compliance policy with Azure AD conditional access policy

Create an Azure AD conditional access policy to require the device be compliant to access corporate resources.

Looking at device configuration for MacOS there are a number of settings, and in my opinion, those settings address a lot of organizations requirements for Apple Mac management.

Device features

Device restrictions








Endpoint protection

Looking to protect the device further by configuring the firewall and controlling where apps are installed from? Gatekeep will help with those requirements.


Further configure firewall settings to device what you’ll allow in and which apps are allowed and/or blocked.


Certificates

Intune supports PKCS certificates for general and S/MIME purposes.



Device and user-based certificates are both supported via SCEP


VPN

Many VPN settings are available including 3rd party VPN support.


Make note of On-demand and per-app VPN


Use a proxy server? No problem!


Wi-Fi

Both Basic and Enterprise Wi-Fi profiles are supported with various auth types.


Customize with Apple Configurator

Don’t see a setting in the UI, not to worry as you can create a custom profile using Apple Profile Manager and/or Apple Configurator and upload the payload for delivery through Intune.


App deployment

Both line of business and Office apps are supported right from the UI.


When selecting “Line-of-business app” the MacOS app must be wrapped using the app wrapping tool for Mac which will wrap the app and give it an extension of .intuneMac.

The tool is available on GitHub: https://github.com/msintuneappsdk/intune-app-wrapping-tool-mac

To learn more about Mac app deployment with Intune please visit: https://docs.microsoft.com/en-us/intune/lob-apps-macos

One of my peers Scott Duffey @Scottduf has a great post on this topic: https://blogs.technet.microsoft.com/microscott/deploying-apps-to-macs-using-microsoft-intune/

Note: as of this post only .pkg files are supported nor are conversions from .dmg to .pkg

Microsoft + Jamf partnership

Microsoft has also has a partnership with Jamf. Jamf also provides MacOS management and if your organization currently utilizes Jamf and would like to receive the benefits of integrating Jamf with Intune you can do this today with Jamf Pro. So, what does this mean?

MacOS devices managed by Jamf remain managed by Jamf when Intune comes into the picture (thus are only registered with Intune not enrolled) and integrating Jamf Pro with Intune provides a path for Jamf to send signals in the form of inventory to Intune. Intune will use compliance policies to evaluate the Jamf signals and in turn send signals over to Azure AD stating whether the device is compliant or not. The Azure AD conditional access policy will kick in and based on your configuration of the conditional access policy, will either block or further challenge the user to remediate before access company resources.

For more details about Intune and Jamf integration please visit: https://docs.microsoft.com/en-us/intune/conditional-access-integrate-jamf

Jamf also has a whitepaper about Intune integration: https://www.jamf.com/resources/technical-papers/integrating-with-microsoft-intune-to-enforce-compliance-on-macs/

That’s it for now, however Microsoft is always releasing updates for Intune.  Check back monthly with What’s new in Microsoft Intune and be sure to check which Intune features are under development by visiting: https://docs.microsoft.com/en-us/intune/in-development