With Android Enterprise Device Owner enrollments, have you ever wondered where all the system apps go? They’re still on the device, however they’re not whitelisted, and only apps whitelisted by your admin are available to the user (depending on the device OEM, some system apps may be whitelisted automatically, e.g. the phone dialer app).
The good news is that with the Intune 1909 release, system apps may be whitelisted as well! Examples of system apps are the dialer or OEM-specific apps such as a battery monitoring app or a barcode scanner app.
To bring back System Apps individually, you’ll need to know the package ID. For example, on my Zebra device I’d like to whitelist the battery manager app and the desktop clock. The package IDs for those are: com.symbol.batterymanager and com.android.deskclock
System apps may be whitelisted and assigned by navigating to the Intune admin portal, selecting Client apps > Add > App type = Android Enterprise system app
Provide a Name, publisher and package name and save.
Under Assignments, assign the app to the device group where the device lives. In my case I use a dynamic Azure AD group to assign Zebra devices that are enrolled as Device Owner Dedicated (aka kiosk).
If you’re utilizing the Managed Home Screen, you’ll also need to publish the app to the Managed Home Screen profile under device configuration, as shown below, so that it populates on the home screen and users can launch it.
Search for the app name, e.g. battery, and add it.
Policy sync should only take a few seconds and on the device the battery manager is whitelisted and is available for users to access from the Managed Home Screen.
That’s it, it’s that simple. Again, system apps can be whitelisted now using Intune.
Additionally, Line of Business (LOB) apps and Web app links may also be published right from the console.
I work with a lot of organizations who manage a wide range of devices including organizations who manage rugged devices.
Rugged devices are utilized in a variety of scenarios, including warehouses, big box stores, field engineering, logistics, emergency services, government, and so on. Typically, these devices are locked down in modes where it’s dedicated to a specific use case, such as inventory scanning. Some organizations deploy multiple apps to a locked down screen where those apps are used in specific scenarios such as inventory look up and/or data entry.
For this month’s post I’m focusing on a specific scenario I run into quite a bit with rugged devices and an app called Velocity (powered by Wavelink) by Ivanti.
According to the Ivanti Velocity user guide:
Ivanti Velocity is an Android client that can connect to Telnet hosts (including IBM 5250/3270 and VT100/220), web apps, and Oracle SIM hosts. For Telnet and Oracle SIM hosts, it can present applications to your users in a modern touch interface, either with automatic, predictive reformatting or with a customized experience.
Select Apps > Add > App type > Managed Google Play, search for “Ivanti Velocity”, and it should look something like the image below. Go ahead and approve the app, choose your approval settings when prompted, then save.
After the app info has synchronized to Intune, assign the app to the device group you created when you went through the device enrollment steps above. This ensures the app is deployed to the device.
Intune Managed Home Screen config
After the Ivanti Velocity app is assigned, if it is a dedicated device you’ll most likely be utilizing the Intune Managed Home Screen. Whether it’s single- or multi-app, add the app to the list so it’s available on the Managed Home Screen. Note: I covered this in the post I referenced above.
Once the apps are deployed to the Managed Home Screen you’ll see them populate. Again, assign the apps to the device for installation purposes under “Client apps” and, in addition, add the apps to the Managed Home Screen under device configuration, as shown above, so they’re available for users to launch and interact with.
Ivanti Velocity app configuration deployment
Next, we need to create an Intune profile to push the Ivanti Velocity deployment bundle to the device. For this I utilize Zebra OEMConfig, Zebra StageNow, and an FTP server to deliver the Ivanti Velocity deployment bundle to the device.
Oct 2019 UPDATE: Zebra OEMConfig now supports File Management directly. Simply add the path to the source as the Source URI (ftp-p://username:email@example.com:21/Velocity_Demo.wldep), and the Destination Path and File Name will be /sdcard/com.wavelink.velocity/Your_Velocity_Bundle.wldep. Be aware that the Source URI embeds the FTP account’s credentials in cleartext and that FTP itself is unencrypted on the wire, so use a dedicated, read-only staging account that can reach nothing but the bundle, and remember that anyone who can read the OEMConfig profile in Intune can read that credential too.
Open StageNow and create a new profile, select the proper MX version (e.g. MX 8.2) for your Zebra device, then select Xpert Mode and then Create.
Give the profile a name and select Start
From the Settings tab select FileMgr and select the + sign to add it under the CONFIG tab and select Add as shown in the example screenshot below.
In the StageNow Config under File Action select Transfer/Copy File.
Under Target Path and File Name add the following: /sdcard/com.wavelink.velocity/Your_Velocity_Bundle.wldep. This places the .wldep file in a folder named com.wavelink.velocity on the device. The Velocity app knows to automatically look in that folder and apply the profile info in the bundle.
Note: you can rename the .wldep bundle to .zip to peek at the files if needed.
Select File on a remote server if not already selected and select the … to open the dialog.
Under Staging Server select “External” and for the Source Path and File Name add the ftp server info, Zebra has documented this well and can be viewed by visiting: http://techdocs.zebra.com/mx/filemgr/
The source path to my FTP server looks like the following: ftp-p://username:firstname.lastname@example.org:21/Velocity_Demo.wldep
Once we’re finished with entering all the parameters select “Continue” until you see “Complete Profiles”.
Select “Complete Profiles” and then select “Export for MDM” and save the .xml file.
Locate where you saved the .xml file and open it and it will look similar to xml output below. Copy the data beginning with <characteristic… to the last </characteristic> as outlined in red in the image below.
<End of Optional Steps>
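Before pasting the exported XML into Intune, here is the check I would run on it. This is an added Python example, not code from the original post or from Zebra: it confirms the export is well-formed, pulls out the <characteristic> fragments the steps above say to copy, and flags any parm value that carries an FTP username and password, since that credential ends up stored in the Intune profile. The sample XML and its parm names are constructed placeholders, not Zebra’s real FileMgr schema; the functions rely only on the generic <characteristic>/<parm> shape of a StageNow export. It also lists a .wldep bundle’s entries with zipfile instead of renaming the file to .zip.

```python
"""Added example: sanity-check a StageNow "Export for MDM" XML and peek
into a .wldep bundle before building the Intune OEMConfig profile.

Assumptions: the sample export below is constructed for this demo and
its parm names are placeholders, not Zebra's real schema. The checks
only depend on the generic <characteristic>/<parm name= value=/> shape.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample export (placeholder parm names, made-up credential).
SAMPLE_EXPORT = """<wap-provisioningdoc>
  <characteristic type="ExampleFileMgr" version="8.2">
    <parm name="ExampleAction" value="TransferCopy"/>
    <parm name="ExampleTarget"
          value="/sdcard/com.wavelink.velocity/Your_Velocity_Bundle.wldep"/>
    <parm name="ExampleSource"
          value="ftp-p://stageuser:S3cretPass@files.example.com:21/Velocity_Demo.wldep"/>
  </characteristic>
</wap-provisioningdoc>
"""

# Matches scheme://user:password@ so the password group can be redacted.
CREDENTIAL_URI = re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s/]+)@", re.I)


def extract_characteristics(xml_text):
    """Return each <characteristic>...</characteristic> fragment as text,
    i.e. the part of the export that gets pasted into Submit XML.
    Raises ET.ParseError if the export is not well-formed."""
    root = ET.fromstring(xml_text)
    return [ET.tostring(c, encoding="unicode") for c in root.iter("characteristic")]


def find_embedded_credentials(xml_text):
    """List (parm name, redacted value) for every parm whose value is a
    URI with a password in its userinfo."""
    root = ET.fromstring(xml_text)
    hits = []
    for parm in root.iter("parm"):
        value = parm.get("value", "")
        match = CREDENTIAL_URI.search(value)
        if match:
            hits.append((parm.get("name", ""), value.replace(match.group(1), "***")))
    return hits


def check_export(xml_text, expected_target=None):
    """Summarise the export: well-formedness, characteristic count,
    credential hits, and whether the expected target path is present."""
    try:
        fragments = extract_characteristics(xml_text)
    except ET.ParseError as exc:
        return {"well_formed": False, "error": str(exc)}
    values = [p.get("value", "") for p in ET.fromstring(xml_text).iter("parm")]
    return {
        "well_formed": True,
        "characteristics": len(fragments),
        "credentials": find_embedded_credentials(xml_text),
        "target_present": expected_target is None or expected_target in values,
    }


def list_bundle(wldep_bytes):
    """List (name, size) of the entries in a .wldep bundle; it is a zip,
    so no rename to .zip is needed."""
    with zipfile.ZipFile(io.BytesIO(wldep_bytes)) as zf:
        return [(info.filename, info.file_size) for info in zf.infolist()]


def make_sample_bundle():
    """Constructed stand-in for a bundle (placeholder entry names only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.txt", "constructed sample, not a real bundle")
        zf.writestr("scripts/placeholder.js", "// constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    target = "/sdcard/com.wavelink.velocity/Your_Velocity_Bundle.wldep"
    print(check_export(SAMPLE_EXPORT, expected_target=target))
    print(list_bundle(make_sample_bundle()))
```

If the credentials list is non-empty, the export will carry a reusable FTP password into Intune; either accept that for a dedicated read-only staging account or move the bundle to a source that does not need a password in the URI.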
Intune OEMConfig Configuration
First we need to add the Zebra OEMConfig app from Managed Google Play. To do that, from the Intune admin portal select Client Apps > Apps > Add > App type > Managed Google Play and search for “Zebra oemconfig”. It will look something like the images below.
Go ahead and approve the app, choose your approval settings when prompted, then save.
Note: Intune also supports Datalogic, Honeywell, and Samsung OEMConfig. If you’d like to test OEMConfig settings with other OEMs, search Managed Google Play from Intune and add their specific OEMConfig apps. Stay tuned for Intune expanding support to additional vendors who offer OEMConfig.
Create OEMConfig profile in Intune
We now need to create an OEMConfig profile in Intune. Do this by selecting “Device configuration” in the Intune portal > Profiles > Create profile.
Give the profile a name, from Platform select Android Enterprise, and from Profile Type select OEMConfig. From here select the “Zebra OEMConfig powered by MX” app.
Select Configure > select the three dots next to Transaction Steps > and then select Add setting.
From the list of settings select, Device Administration Configuration.
Under Device Administration Configuration only two settings are required.
Action = SubmitXML
Submit XML = the .xml data we copied above. Paste it into this field.
Note: If needed, switch to the JSON view to see what the full JSON looks like. JSON view is really helpful when troubleshooting as well.
Select OK and Save.
When the device syncs with Intune, the apps and the OEMConfig settings will deploy to the device and push the Velocity app config file to the directory we specified.
The following video displays the profile I deployed using Zebra OEMConfig from Microsoft Intune in the Velocity app.
The Velocity profile was populated on the device in a folder called com.wavelink.velocity.
Finally, the Velocity app automatically knows to look there so it’s added when the app is launched.
Next I scan some barcodes using the app to show inventory and other data. You can’t see it, however I’m actually scanning those barcodes in the video.
A couple of items to be aware of:
In the Intune admin console, device sync status for app deployment, policies, etc. will show as “pending”; this is a known issue.
At this time, only one OEMConfig profile may be assigned to a device.
That’s it! This is incredible… the Intune team has made monumental investments across device platforms supporting a variety of different scenarios, from rugged devices, information workers, and bring your own.
Stay tuned for future updates and posts about Intune right here on UEM4all.com!
The purpose of this post is to create a method to signal and/or alert that there is a new pending security task in Intune. Currently admins need to access the Intune console and check for tasks, which is a manual process. I prefer automation, so I created a Flow to post a message in a Teams channel and send an email about new, pending Intune tasks sent from Microsoft Defender ATP (WDATP). If you’re thinking, “I’m not a developer…” well, the good news is, neither am I! I love Microsoft Flow because it makes creating workflows and automation easy (and I create a lot of Flows to automate tasks).
Let’s get started
Microsoft Defender ATP
A Windows 10 device enrolled with Intune and managed by Microsoft Defender ATP
Viewing a security recommendation and sending a task to remediate to Intune
In the header I utilize the authorization info compiled in previous steps. Treat that header as a privileged secret: the bearer token (or the client credentials used to obtain it) grants read access to the tenant’s security tasks, so avoid storing it in the Flow as a literal and grant the app registration only the permission Graph documents for this endpoint.
The next three Flow actions take the information from the Graph call and parse it based on the JSON schema.
Search for and add a Compose action, and as the “Inputs” add the Body from the HTTP action above.
Search for and add an Initialize variable action: Name = JSONObject, Type = Object, Value = the output of the Compose 2 action in the previous step.
Next we need to parse the JSON so we can select JSON fields to be added to the email and Teams posts. Search for and add a Parse JSON action, Content = the JSONObject variable from the action above. The Schema is generated easily by going to Graph Explorer and querying Graph as shown below. Copy the JSON returned in the response preview pane and, in the Parse JSON action, select “Use sample payload to generate schema”, paste the JSON output and select Done. This will construct your schema.
Send to Teams and/or email
Here I walkthrough sending to Microsoft Teams; however, an email trigger is roughly the same process.
Search for and add an “Apply to each” action; for “Select an output from previous steps” choose the value from the Parse JSON action above.
I only want tasks with a status of “Pending”, so I added a Condition that checks for a status equal to “pending”. The status field comes from the JSON we parsed above.
If status of pending = yes, I send an email and post to Teams, if status is anything other than pending, the Flow terminates.
Search for and add “Post a message” action. Search for the Team site, Channel, and then craft your message. More on this below.
The reason we need to add a schema and parse the JSON returned from the Graph call is so we can select the returned fields individually. Below is an example of the fields I selected for my messages sent to Teams.
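The same parse, filter and post logic, as an added Python example that is not part of the original post or of the Flow itself: it reads the Graph collection response, keeps only tasks whose status is pending, and builds one message body per task, which is what the Apply to each / Condition / Post a message steps do. The Graph URL and the sample payload are assumptions (the post does not show the HTTP action’s URL; the payload below is constructed, with field names following the deviceAppManagementTask properties). The status comparison is case-insensitive because Graph returns the enum in lowercase while the post writes it as “Pending”; a Condition that compares the wrong case silently drops every task.

```python
"""Added example: filter Intune security tasks for status "pending" and
build one notification per task, mirroring the Flow's Parse JSON ->
Apply to each -> Condition -> Post a message steps.

Assumptions (not from the original post): the HTTP action calls the
beta endpoint below, and SAMPLE_RESPONSE is a constructed payload.
"""
import json
import urllib.request

# Assumed endpoint for Intune security tasks (beta Graph).
GRAPH_TASKS_URL = ("https://graph.microsoft.com/beta/"
                   "deviceAppManagement/deviceAppManagementTasks")

# Constructed sample payload shaped like a Graph collection response.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {"id": "0c5b1c8e-0001", "displayName": "Update Chrome",
         "status": "pending", "priority": "high",
         "createdDateTime": "2019-10-01T12:00:00Z"},
        {"id": "0c5b1c8e-0002", "displayName": "Update Windows 10",
         "status": "Pending", "priority": "medium",
         "createdDateTime": "2019-10-02T08:30:00Z"},
        {"id": "0c5b1c8e-0003", "displayName": "Update Adobe Reader",
         "status": "completed", "priority": "low",
         "createdDateTime": "2019-09-20T09:00:00Z"},
        {"id": "0c5b1c8e-0004", "displayName": "Update Java",
         "status": "active", "priority": "high",
         "createdDateTime": "2019-09-28T14:15:00Z"},
    ]
})


def fetch_tasks(bearer_token, url=GRAPH_TASKS_URL):
    """GET the task collection, following @odata.nextLink until exhausted.

    Network call, not exercised offline. The token should come from an
    app registration holding only the permission Graph documents for
    this endpoint, never from a literal stored in the Flow.
    """
    tasks = []
    while url:
        req = urllib.request.Request(
            url, headers={"Authorization": "Bearer " + bearer_token,
                          "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        tasks.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return {"value": tasks}


def pending_tasks(payload):
    """Apply to each + Condition: keep tasks whose status is pending.

    Graph returns the enum in lowercase; compare case-insensitively so a
    condition written as "Pending" does not drop every task.
    """
    if isinstance(payload, (str, bytes)):
        payload = json.loads(payload)
    return [t for t in payload.get("value", [])
            if str(t.get("status", "")).lower() == "pending"]


def format_message(task):
    """Build the Teams/email body for a single task (one message per task)."""
    return ("Pending Intune security task: {name}\n"
            "Priority: {prio}\n"
            "Created: {created}\n"
            "Task id: {tid}").format(
                name=task.get("displayName", "(no name)"),
                prio=task.get("priority", "unknown"),
                created=task.get("createdDateTime", "unknown"),
                tid=task.get("id", "unknown"))


def build_notifications(payload):
    """Return the message bodies the Flow would post, one per pending task."""
    return [format_message(t) for t in pending_tasks(payload)]


if __name__ == "__main__":
    for body in build_notifications(SAMPLE_RESPONSE):
        print(body, end="\n\n")
```

Run against the constructed payload this yields two messages (Update Chrome and Update Windows 10); the completed and active tasks are filtered out, which matches the two posts shown in the Teams screenshot below.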
Viewing Teams posts
The following is an example of an Intune Task sent to teams with the Flow constructed above. If there is more than one pending task, the Flow will post individual messages for each pending task (same goes for emails). As shown below, I happen to have two tasks that are pending, one to Update Chrome and the other to Update Windows 10, lucky me!
That’s it! If you’re utilizing Microsoft Defender ATP and Intune, integrate the two and start sending tasks to Intune today. Use Flow to schedule notifications and send to Microsoft Teams, email, or whatever method Microsoft Flow supports.
I work with organizations who have 100’s to 1000’s of managed devices in Intune. When it comes to Android there may be various Android OEMs and OS versions organizations are managing and a variety of use cases for those devices. With more organizations migrating to Android Enterprise they must choose an enrollment method based on the scenario. With Android Enterprise there are several methods of enrollment, Dedicated, Work Only, and Personally-Enabled. For more details on Android enrollment options please visit: https://www.android.com/enterprise/management/
For digital signage, kiosks, barcode scanners, etc., those devices are typically enrolled as a “Dedicated” device where a single app or multiple apps are the only apps accessible by the end user. In addition, dedicated devices do not have user affinity, meaning the device isn’t linked in the MDM to a specific user unless there is some sort of tagging that identifies the user or location of the device.
Because there’s no user affinity associated with dedicated devices, I’m often asked, “what’s the best method to match an Android device enrolled as a dedicated device (e.g. kiosk) in the Intune admin portal with a physical device in hand?”
There’s a simple method of doing this and it’s identifying the device by serial number. Here’s how to do it without removing the battery:
1. With the device turned on, tap the arrow key on the bottom left about 15 times to launch the options (btw, the screen with the app(s) you’re accessing is called the Microsoft Managed Home Screen). Depending on the app configuration for the Managed Home Screen you may see “Logs” and/or “Exit Kiosk”. If “Exit Kiosk” is shown, make sure your Managed Home Screen configuration requires an exit code, otherwise anyone holding the device can leave kiosk mode the same way.
2. Select “Logs” and slide up on the Logs banner to expand
3. Find the “deviceInfo” and tap the + until it expands
4. Locate “serialNumber” and match it to the device serial number under “All devices” in the Intune admin portal. If you don’t see the “Serial Number” column select “Columns” at the top of the page and add “Serial Number” to the list.
Here’s a video showing the process in action:
In summary, whether your organization manages 10 or even 1000’s of devices, having a simple method of identifying a physical device will save a lot of time during troubleshooting.
Use a QR code to point users to the Intune Company Portal app for enrollment
Quick post here: ever wonder how you can create a QR code that points to the Intune Company Portal in the iOS App Store (or any app store), paste it in an email and send it to your end users? Well, it’s super easy to do. Simply search online for a QR code generator. Example: https://www.bing.com/search?q=qr%20code%20generator. Before you send it, scan the result yourself and confirm it decodes to the exact store URL you entered; users will trust a code that arrives in company email, so a mistyped or swapped URL would be followed without question.
When I searched for a QR code generator, a result came up inline with my search results, and I pasted the URL that points to the Intune Company Portal in the Apple App Store and it generated the QR code below.
If you’re interested, here’s the raw data behind the QR code:
Even better, the Intune Company Portal has 4.5 stars, hey that’s awesome! Ok shameless plug, however it’s really cool to have such a high rating.
Anyway, you can do this for any app in an app store, whether it’s a Microsoft Office app, a 3rd party app, one of your published apps, etc.
To save you time, I generated QR codes that point to the Intune Company Portal (or enrollment URL in MacOS case) for all the platforms supported by Microsoft Intune:
Here’s an example email I manually created. Create your own by copying a QR code and generating your own custom emails using your corporate email application such as Outlook. Your users will love it! Plus it streamlines their enrollment process.
Here an example of using the built-in camera in iOS to scan the QR code. As you can see it took me directly to the Intune Company Portal app in the Apple app store.
Back in 2015 I wrote a blog post about Mac management with Intune; however, it’s been a few years and I feel it’s time to revisit Mac management with Intune to learn what’s changed. You’ll soon learn there’s been a significant amount of progress, and since my first post Intune now has a lot of native Mac management capabilities built in.
First let’s look at MacOS enrollment options with Intune.
MacOS enrollment options
There are two methods to enroll MacOS with Intune: user driven, or using the Apple Device Enrollment Program (DEP).
If the user already had a device registered it will show on the screen, if the Mac is the first device being enrolled, they will see the following:
Once the user selects “Add this one by tapping here” they’ll be prompted to download the Intune Company Portal app.
After the Company Portal is downloaded and installed, open it up and you’ll be asked to sign-in using your corporate credentials. These are the same credentials used to sign into Office 365 (derived from Azure AD).
After sign-in is complete the device will begin the enrollment process.
The concept of Apple DEP is to associate devices with an organization and to streamline the enrollment process, similar to enrolling Apple iOS devices. However, enrollment requires a different process: an Apple enrollment token is associated with Intune, and after the enrollment token is added, an enrollment profile is created in Intune and associated with that token.
During the enrollment profile creation process you’ll be asked to select user affinity (i.e. userless or user associated). Once user affinity is selected, you’ll also select whether or not you’ll allow users to remove the enrollment profile via the “Locked enrollment” setting. Finally, you’ll customize the Setup Assistant, which allows hiding setup screens, e.g. Apple Pay, Siri, Registration, etc.
Note: as of this post only .pkg files are supported for app deployment; .dmg files are not, nor are conversions from .dmg to .pkg.
Microsoft + Jamf partnership
Microsoft also has a partnership with Jamf. Jamf also provides MacOS management, and if your organization currently utilizes Jamf and would like to receive the benefits of integrating Jamf with Intune, you can do this today with Jamf Pro. So, what does this mean?
MacOS devices managed by Jamf remain managed by Jamf when Intune comes into the picture (thus they are only registered with Intune, not enrolled), and integrating Jamf Pro with Intune provides a path for Jamf to send signals in the form of inventory to Intune. Intune uses compliance policies to evaluate the Jamf signals and in turn tells Azure AD whether the device is compliant or not. The Azure AD conditional access policy then kicks in and, based on your configuration of the policy, either blocks the user or challenges them to remediate before accessing company resources.
As I meet with organizations, I learn what their business goals are, what their end user goals are, and what their budgetary guidelines are. I also learn a lot about their endpoint management goals. What I’ve discovered is endpoint management has different meanings for each customer with a few common themes, user experience, simplification, and cost reduction.
The pace of change with technology is extremely rapid and organizations often struggle to keep up with all the updates across deployed technologies. When IT teams deploy technologies to help secure and simplify administration, they must provide evidence to the organization about the short- and long-term benefits of shifting to newer technologies, especially if they duplicate existing technologies. The evidence needed to rip and replace a working solution is typically provided in the form of cost reduction, end user benefits, and administrative simplification. Looking back in history, many would argue managing Windows in the enterprise has been a priority for most organizations. Many of these organizations today continue to manage Windows with a variety of technologies, with one (based on my interaction with hundreds of organizations) standing out the most: System Center Configuration Manager (ConfigMgr).
Configuration Manager has been around for a couple decades and for good reason, in my opinion it manages Windows best. For those familiar with ConfigMgr, you’re probably familiar with its history and the changes to the product over time. What I’ve seen is a blend of enhancing the client, infrastructure, and administrative experiences, including enhancements to reporting, management techniques, bandwidth controls, scale, performance, and more recently attaching Configuration Manager to the cloud. These advancements are critical to an ever-changing landscape of Windows computing and resource access.
Why write about this now?
There are a couple reasons:
Organizations are going through digital transformation and taking a hard look at existing endpoint management solutions.
Configuration Manager remains one of the most widely utilized endpoint management technologies across organizations today and I articulate the ongoing value of ConfigMgr in the content below.
Recently organizations have asked me whether ConfigMgr is “dead”, and my consistent answer is “no, it is not”. ConfigMgr as of this post manages over 150 million endpoints, and in fact there’s been continued investment in ConfigMgr year over year. Take a look at “What’s New in Configuration Manager” over the past several releases and you’ll see a growing list of exciting enhancements in each release.
You’ll also notice ConfigMgr has a release roughly every four months, which provides a predictable release schedule for organizations needing to plan updates. Speaking of ConfigMgr updates, in-console notifications of new releases provide an easy and informative method to update ConfigMgr to the next release with a click of a button. In addition, ConfigMgr technical previews allow organizations to test new features ahead of upgrading to the next service release of ConfigMgr. The servicing of ConfigMgr and the technical previews are a win/win in my opinion.
I also receive questions such as “why stay with Configuration Manager, when I see Microsoft doubling down on efforts to enhance Intune toward feature parity?“. While partially true, there are clear advantages to continue utilizing ConfigMgr and leverage the cloud by cloud attaching ConfigMgr.
Preparing your infrastructure for cloud attach by extending ConfigMgr to Azure enables organizations to manage devices off the corporate network by utilizing the Cloud Management Gateway. By attaching ConfigMgr to the cloud, organizations simplify management of Windows devices and administrators keep the advantage of the current processes built around endpoint management with ConfigMgr.
Organizations needing high availability in ConfigMgr can take advantage of site server high availability and SQL Always On.
Cloud attaching Windows 10 clients to Intune by enabling co-management in ConfigMgr allows organizations to utilize both ConfigMgr and Intune to manage Windows devices. By enabling co-management, the organization benefits from the currently unparalleled strength of Configuration Manager as well as the additional benefits cloud services such as Microsoft Intune and Azure Active Directory provide. For example, ConfigMgr client health is reported directly to the device status in Intune (shown below), remote actions may be initiated directly from the Intune admin console, and conditional access policies with Azure Active Directory may be used to control access to company resources.
So why not move from ConfigMgr and manage all Windows devices with Intune?
Although managing devices with Intune alone may be viable for many modern management scenarios, there are scenarios where ConfigMgr remains the preferred solution, including:
Network controls for locations with low bandwidth
Down-level Windows 7/8 client management
Windows Server management
Devices that are network Air Gapped (isolated) and have no Internet access
OS deployment through network boot options
Complex application deployment scenarios
Third-party software updates
Co-management provides methods for organizations running ConfigMgr to decide where they manage certain workloads. Currently, there are a number of workloads that may be managed by Intune when devices are co-managed, including:
Resource access policies
Office Click-to-Run apps
Windows Update Policies
When utilizing co-management there are several advantages to utilizing Intune. For example, in a co-managed scenario, when moving the “compliance policies” workload over to Intune, organizations can take advantage of Azure Active Directory Conditional Access. There are also immediate benefits of co-management such as executing remote actions directly from Intune, including Factory Reset, Selective Wipe, Device Restart, Fresh Start, etc. Intune compliance policies also play a significant role in controlling device health and access via Azure AD conditional access; for example, Windows 10 compliance policies may require one or more of the following before accessing corporate resources:
Use a password to access devices
Encryption (e.g. BitLocker)
Windows Defender version and signature is up-to-date
Traditionally, evaluating device health posture for on-premises access requires additional services and hardware such as a Network Access Control (NAC) solution. By selecting workloads for Intune to manage through co-management, organizations can instead take advantage of access controls delivered from Azure AD and Intune, including for on-premises web applications published through Azure AD Application Proxy. Not only is device health posture evaluated, additional access controls may be enabled, including multi-factor authentication.
Below is an example of a device managed with ConfigMgr and Intune where compliance is reported back and shows in the ConfigMgr Software Center.
Intune Portal – shows compliant
Software Center – shows compliant (reported back from Intune)
Now let’s talk about Windows deployment options. Traditional deployment techniques for Windows typically involves an image that requires updating and then a system to publish those images so when a bare-metal boot takes place an image can be accessed, downloaded, and installed. OS image management can be a time-consuming process as it requires a human resource to manage and update the OS, drivers, apps, agents, etc. Some organizations offload OS image management to an OEM where the OEM preloads the image on the device, however the images still need to be maintained, and offloading to the OEM comes at a cost.
By leveraging Microsoft Intune and Azure Active Directory, organizations can take advantage of Windows Autopilot. Autopilot is very exciting as it eliminates the OS image management process which in turn can reduce IT costs. By pre-registering devices with Microsoft Intune when a user receives a device from the OEM, upon boot and connecting to the internet, the device will see that it’s registered with Microsoft Intune and go through the Autopilot process.
When organizations continue to utilize ConfigMgr, the CM agent can be pushed from Intune and the device now connects directly to ConfigMgr (when on corporate network) or through the Cloud Management Gateway giving your organization the confidence of maintaining current processes. Additionally, utilizing task sequences in ConfigMgr, Windows 7/8 devices may be upgraded to Windows 10 and automatically enabled for AutoPilot thereafter. The Windows 7/8 to 10 upgrade process may be pushed automatically or manually executed by end users (see screenshot below).
What about running scripts and installing software?
Both ConfigMgr and Intune support running PowerShell scripts and deploying Win32 applications, however for complex scripting scenarios such as running in task sequences and complex application deployments (i.e. deep app dependencies, etc.), ConfigMgr is unparalleled in this space.
My colleague Danny Guillory (who is also a PM on the Intune team) provided the following comments about Win32 applications and Intune:
“Win32 App Deployment in Intune is a great way to get those .exe applications deployed and installed on those Windows Devices. The Win32 Wrapping Tool wraps all the files within that folder (think of a zipped folder), then distributes and deploys those files to the endpoints. The addition of detection method and delivery optimization makes Win32 app deployment more robust, simplifies distribution of content, and makes Win32 apps a must to explore with Intune Application Deployment.”
Additionally, MSIX is a new app packaging format that can take existing Win32 applications (App-V, MSI, .exe, etc.) and package them in the new MSIX format. Many partners already support MSIX as well; for more details on MSIX packaging please visit: https://docs.microsoft.com/en-us/windows/msix/
If you’re looking to simplify application deployment both ConfigMgr and Intune provide the tools needed to deploy applications.
Monitoring and Reporting
Finally, let’s talk about monitoring and reporting. ConfigMgr comes with hundreds of built-in reports; in addition, there are newer monitoring and reporting capabilities for co-managed devices and a new reporting feature called CMPivot that provides the real-time state of devices (see screenshot below). If you’re looking to create dashboards based on ConfigMgr data, look into the Power BI template for ConfigMgr.
There are many Ignite sessions covering the topics in this post as well, to watch videos and learn more about the services and features discussed in this post please visit: https://www.microsoft.com/en-us/ignite search for “configuration manager”, “MSIX”, “Intune”
In conclusion, as organizations plan for the future of modernizing Windows management processes, my message to those organizations is to continue to leverage your current investments in ConfigMgr and keep current with releases. In parallel, begin to look at the benefits of cloud attaching ConfigMgr and/or managing workloads with Intune.