Zebra, OEMConfig, Ivanti Velocity, and Microsoft Intune

I work with a lot of organizations who manage a wide range of devices including organizations who manage rugged devices.

Rugged devices are utilized in a variety of scenarios, including warehouses, big box stores, field engineering, logistics, emergency services, government, and so on.  Typically, these devices are locked down in modes where it’s dedicated to a specific use case, such as inventory scanning. Some organizations deploy multiple apps to a locked down screen where those apps are used in specific scenarios such as inventory look up and/or data entry.

For this month’s post I’m focusing on a specific scenario I run into quite a bit with rugged devices and an app called Velocity (powered by Wavelink) by Ivanti.

According to the Ivanti Velocity user guide:

Ivanti Velocity is an Android client that can connect to Telnet hosts (including IBM 5250/3270 and VT100/220), web apps, and Oracle SIM hosts. For Telnet and Oracle SIM hosts, it can present applications to your users in a modern touch interface, either with automatic, predictive reformatting or with a customized experience.

Source: https://help.ivanti.com/wl/help/en_US/Velocity/2.0.0/admin/velocityConsoleHelp.htm

The Velocity app may downloaded directly from Ivanti and is found on Google Play: https://play.google.com/store/apps/details?id=com.wavelink.velocity

So naturally I was curious about managing the Ivanti Velocity app on an Android device managed with Microsoft Intune. For the device, I chose to utilize a Zebra TC-57 rugged device.

Requirements for this scenario

  • Microsoft Intune
  • Zebra device
  • Zebra OEMConfig powered by MX app from Google Play
  • Ivanti Velocity app from Google Play
  • Ivanti Velocity deployment bundle (.wldep file)

Special thanks to Alex Evans from Ivanti who supplied me with a demo deployment bundle, thanks Alex!

Let’s get started

Device enrollment
I chose to enroll my Zebra device as a dedicated device under Android Enterprise Device Owner enrollment. Fortunately, I posted on this already, so I don’t have to re-create the steps. To learn more about enrolling a device as a Dedicated (kiosk) device please visit: https://uem4all.com/2018/08/06/android-kiosk-enrollment-and-microsoft-intune/

Ivanti Velocity app deployment
Let’s add the Velocity app to Intune.

  1. Navigate to the Intune admin portal via https://devicemanagement.microsoft.com and select Client apps from the left hand navigation.
  2. Select Apps > Add > App type > Managed Google Play and search for “Ivanti Velocity” and should look something like the image below. Go ahead and approve the app and chose your approval settings when prompted, then save.
  3. After the app info has synchronized to Intune, assign the app to the device group you created you went through the device enrollment steps above. This will ensure the app is deployed to the device.

 

Intune Managed Home Screen config
After the Ivanti Velocity app is assigned, if it is a dedicated device, you’ll most likely be utilizing the Intune Managed Home Screen. Whether it’s a single- or multi-app add the app to the list so it’s available on the Managed Home Screen. Note: I covered this in the post I referenced above…

Once the apps are deployed to the Managed Home Screen you’ll see them populate. Again, assign the apps to device for installation purposes under “Client apps” and in addition, add the apps to the Managed Home Screen under device configuration, as shown above, so they’re available for users to launch and interact with.


Ivanti Velocity app configuration deployment
Next, we need to create an Intune profile to push the Ivanti Velocity deployment bundle to the device. For this I utilize Zebra OEMConfig, Zebra StageNow, and an FTP server to push the Ivanti Velocity deployment bundle to the device.

Oct 2019 UPDATE
Zebra OEMConfig now supports File Management.  Simply add the path to the source to the Source URI (ftp-p://username:password@0.0.0.0:21/Velocity_Demo.wldep) and the Destination Path and File Name will be /sdcard/com.wavelink.velocity/Your_Velocity_Bundle.wldep

2019-10-23_14-07-32

If you’re not familiar with OEMConfig please review my earlier post on the topic: https://uem4all.com/2019/07/09/intune-oemconfig/


With the Zebra OEMConfig now supporting File Management, the step below using StageNow is now optional and you would either use the step above or the one below, not both.

<Begin optional steps>
Let’s start with Zebra StageNow…

  1. Zebra StageNow is a Windows application and may be downloaded by visiting: https://www.zebra.com/us/en/products/software/mobile-computers/mobile-app-utilities/stagenow.html
  2. Open StageNow and create a new profile, select the proper MX version (e.g. MX 8.2) for your Zebra device, then select Xpert Mode and then Create.
  3. Give the profile a name and select Start
  4. From the Settings tab select FileMgr and select the + sign to add it under the CONFIG tab and select Add as shown in the example screenshot below.

  1. In the StageNow Config under File Action select Transfer/Copy File.
  2. Under Target Path and File Name add the following: /sdcard/com.wavelink.velocity/Your_Velocity_Bundle.wldep, this will add the .wldep file in a folder named com.wafelink.velocity on the device. The Velocity app knows to automatically look in that folder and apply the profile info in the bundle.

Note: you can rename the .wldep bundle to .zip to peek at the files if needed.

  1. Select File on a remote server if not already selected and select the … to open the dialog.
  2. Under Staging Server select “External” and for the Source Path and File Name add the ftp server info, Zebra has documented this well and can be viewed by visiting: http://techdocs.zebra.com/mx/filemgr/

The source path to my FTP server looks like the following: ftp-p://username:password@0.0.0.0:21/Velocity_Demo.wldep

  1. Once we’re finished with entering all the parameters select “Continue” until you see “Complete Profiles”.
  2. Select “Complete Profiles” and then select “Export for MDM” and save the .xml file.

Locate where you saved the .xml file and open it and it will look similar to xml output below. Copy the data beginning with <characteristic… to the last </characteristic> as outlined in red in the image below.

<End of Optional Steps>


Intune OEMConfig Configuration
Frist we need to add the Zebra OEMConfig app from Managed Google Play; to do that, from the Intune admin portal, select Client Apps > Apps > Add > App type > Managed Google Play and search for “Zebra oemconfig”.  It will look something like the images below.

Go ahead and approve the app and chose your approval settings when prompted, then save.

Note: Intune also supports Datalogic, Honeywell, and Samsung OEMCOnfig. If you’d like to test settings for OEMConfig with other OEMS, search Managed Google Play from Intune and add their specific OEMConfig apps. Stay tuned for Intune expanding support of additional vendors who offer OEMConfig.

Create OEMConfig profile in Intune
We now need to create an OEMConfig profile in Intune. Do this by selecting “Device configuration” in the Intune portal > Profiles > Create profile.

Give the profile a name, from Platform select Android Enterprise, from Profile Type select OEMConfig. From here select “Zebra OEMConfig powered by MX” app.

Intune_OEMConfig

Select Configure > select the three dots next to Transaction Steps > and then select Add setting.

From the list of settings select, Device Administration Configuration.


  1. Under Device Administration Configuration only two settings are required.
  2. Action = SubmitXML
  3. Submit XML = the .xml data we copied above. Paste it into this field.

     

    Note: If needed, switch to the JSON view to see what the full JSON looks like. JSON view is really helpful when troubleshooting as well.

     

  4. Select OK and Save.

When the device syncs with Intune the apps and the OEMConfig settings will deploy to the file and push the Velocity app config file to the directory we specified.


 

The following video displays the profile I deployed using Zebra OEMConfig from Microsoft Intune in the Velocity app.

 The Velocity profile was populated on the device in a folder called com.wavelink.velocity.  

Finally, the Velocity app automatically knows to look there so it’s added when the app is launched.  

Next I scan some bar codes using the app to show inventory and other data.  You can’t see it, however I’m actualy scanning those barcodes in the video.

2019-09-09_14-57-23

 

Couple if items to be aware of:

  • In the Intune admin console, device sync status for app deployment, policies, etc. will show as “pending”, this is known.
  • At this time, only one OEMConfig profile may be assigned to a device.

That’s it!  This is incredible… the Intune team has made monumental investments across device platforms supporting a variety of different scenarios, from rugged devices, information workers, and bring your own.

Stay tuned for future updates and posts about Intune right here on UEM4all.com!

 

Intune, Samsung Knox, and OEMConfig

I work with many organizations who are beginning to migrate from Android device admin enrollments to device owner (i.e. Android Enterprise). While migration to device owner requires a factory reset on the device, once enrolled with device owner, devices have a more standardized approach to management and consistency vs. the fragmented management experience device admin enrollments exhibit when multiple OEMs are being managed.

Realizing there was a need to standardize and secure devices beyond the device admin APIs, years back Samsung introduced Knox. Samsung Knox provides an additional set of security and management APIs built on top of Android and is included with many Samsung devices. EMMs, including Microsoft Intune, also took steps to integrate with Samsung Knox to provide a rich set of management capabilities where the device admin APIs didn’t cover (e.g. email profiles).

Google requires device OEMs wanting their devices to be Android Enterprise Recommended (AER) to meet certain requirements thus standardizing and provide consistency across the Android Enterprise device ecosystem.  However, Samsung Knox remains available and continues to provide security and management features, in some cases, beyond what Android Enterprise offers with their current set of APIs.  Although Android continues to update/add security and management features with every API version.

With Android device owner enrollments, Samsung and other OEMs support OEMConfig.  OEMConfig provides a set of OEM specific features EMMs can configure along with standard device settings.

What is OEMConfig?

“OEMConfig policies are a special type of device configuration policy very similar to app configuration policy. OEMConfig is a standard defined by the AppConfig community (opens another web site) that allows OEMs (original equipment manufacturers) and EMMs (enterprise mobility management) to build and support OEM-specific features in a standardized way. Historically, EMMs, such as Intune, manually build support for OEM-specific features after they’re introduced by the OEM. This approach leads to duplicated efforts and slow adoption.

With OEMConfig, an OEM creates a schema that defines OEM-specific management features. The OEM embeds the schema into an app, and then puts this app on Google Play. The EMM reads the schema from the app, and exposes the schema in the EMM administrator console. The console allows Intune administrators to configure the settings in the schema.

When the OEMConfig app is installed on a device, it can use the settings configured in the EMM administrator console to manage the device. Settings on the device are executed by the OEMConfig app, instead of an MDM agent built by the EMM.

When the OEM adds and improves management features, the OEM also updates the app in Google Play. As an administrator, you get these new features and updates (including fixes) without waiting for EMMs to include these updates.”

Source: https://docs.microsoft.com/en-us/intune/android-oem-configuration-overview

Although Samsung offers OEMConfig settings, some Samsung features/settings require a Samsung license, for more details please visit: https://www.samsungknox.com/en/blog/knox-platform-and-android-enterprise

Intune documention on OEMConfig may be found here: https://docs.microsoft.com/en-us/intune/android-oem-configuration-overview

Let’s get started with OEMConfig with Intune and a Samsung device

Samsung Knox Service Plugin

First, let’s add the Knox Service Plugin from the Managed Google Play store which is required to deploy OEMConfig policies to Samsung devices.

Assumptions: Intune is already connected to Managed Google Play, if it’s not you can find details on how to do this by visiting: https://docs.microsoft.com/en-us/intune/connect-intune-android-enterprise

We’ll do this by navigating to https://devicemanagement.microsoft.com -> Client apps -> Apps -> Add -> App type = “Managed Google Play” -> select Managed Google Play Approve

To learn more about Samsung OEMConfig settings, browse through the Knox Service Plugin (KSP) admin guide: https://docs.samsungknox.com/knox-service-plugin/admin-guide/welcome.htm

Creating an OEMConfig profile for Samsung in Intune

Navigate to Device configuration -> Profiles -> Create profile -> add a name -> Platform = Android Enterprise -> Profile type = OEMConfig

Associated app = Knox Service Plugin – this is the app added in the previous step.

Select OK after selecting Knox Service Plugin.

After selecting OK we’re taken to Settings where we’ll see a full page of JSON. Don’t be intimidated it’s straight forward once you understand the structure which are just key/value pairs.

Update: as of the Intune 1907 release there is now a configuration designer with a UI, so no need to edit JSON.

2019-07-30_10-28-52

Continue reading for additional details about these settings and details about JSON if you prefer to edit manually:

Either select all and copy or select Download JSON template and open in your favorite text editor.

There are a couple values I want to point out in the JSON:

I mentioned at the beginning some Knox features/settings may require an additional Samsung license, this is where the license key would be set:

We want to turn on the policies, do this by setting doPoliciesIsControlled to “true

Troubleshooting – everyone likes an easy method to troubleshoot a device and by setting verboseMode to “true” will enable you to view the policies deployed to the device via the Knox Service Plugin app. More on this later in the post.

There many settings that are controlled with OEMConfig, however for the purposes of this post I’m going to turn off face recognition and only allow fingerprint. Disable face recognition by setting doPasswordBioFace to “false“.

Note: blocking the ability to use Face unlock to unlock the phone doesn’t prevent the device user from adding their face recognition. They just won’t be able to log in with face recognition as password and fingerprint are allowed in the OEMConfig.

Once you’ve completed filling out the JSON, copy and paste into Intune where you originally copied the JSON from and select OK then Save.

Note: you don’t have to have every key/value in the profile present, feel free to delete key/values from the JSON, just make sure the formatting is correct.

Device view

Once the policy is targeted to device it should only be a few seconds or so before the policy gets pushed to the device through Google services.

We can check if the policy deployed by opening the Knox Service Plugin app and selecting “Configuration on yyyy/mm/dd” (e.g. “Configuration on 2019/07/08”)

Select the “Configuration results” dropdown and select “Policies received” and from here we see the same JSON that was deployed from Intune.

Look for the password policy in the JSON as shown below:

On the same Samsung device navigate to Settings -> Biometrics and security -> Face recognition -> enter your password if prompted and we see “Face unlock” is disabled.  Again, we can add face recognition, however we can’t use it to unlock the device, so it’s essentially benign.

Here’s a video of the process above:

C02937BC-C8ED-4E0A-A3B2-3915A014D37A

Use a QR code to point users to the Intune Company Portal app for enrollment

Use a QR code to point users to the Intune Company Portal app for enrollment

Quick post here, ever wonder how you can create a QR code that points to the Intune Company Portal in the iOS app store (or any app store), and paste it in an email and send it to your end users? Well it’s super easy to do. Simply search online for a QR code generator. Example: https://www.bing.com/search?q=qr%20code%20generator

When I searched for a QR code generator, a result came up inline of my search results and I pasted the URL that points to the Intune Company Portal in the Apple app store and it generated the QR code below.

If you’re interested, here’s the raw data behind the QR code:

Even better, the Intune Company Portal has 4.5 stars, hey that’s awesome!  Ok shameless plug, however it’s really cool to have such a high rating.

Anyway, theoretically you can do this for any app in an app store, whether they’re Microsoft Office apps, 3rd party apps, one of your published apps, etc.

To save you time, I generated QR codes that point to the Intune Company Portal (or enrollment URL in MacOS case) for all the platforms supported by Microsoft Intune:

iOS                                 Android

        

Windows Store            MacOS

        

Note: MacOS points to https://portal.manage.microsoft.com

Here’s an example email I manually created. Create your own by copying a QR code and generating your own custom emails using your corporate email application such as Outlook.  Your users will love it!  Plus it streamlines their enrollment process.

Here an example of using the built-in camera in iOS to scan the QR code.  As you can see it took me directly to the Intune Company Portal app in the Apple app store.

Intune_iOS_QRCode

 

If you’re intersted, for coporate owned devices Intune supports NFC, QR, and Zero Touch for Android Enterprise already, for more information please visit: https://docs.microsoft.com/en-us/intune/android-enroll

That’s it, I hope you find this valuable when directing your end users to enroll their devices with Microsoft Intune.

Intune MacOS management capabilities

Back in 2015 I wrote a blog about Mac management with Intune, however it’s been a few years and I feel it’s time we re-visit Mac management with Intune to learn more about what’s changed. You’ll soon learn there’s been a significant amount of progress and since my first post Intune now has a lot of native Mac management capabilities built in.

First let’s look at MacOS enrollment options with Intune.

MacOS enrollment options

There are two methods to enroll MacOS with Intune, user driven or using Device Enrollment Program.

User driven enrollment

For user driven enrollment the end user will need to sign into the web based version of the company portal via https://portal.manage.microsoft.com

If the user already had a device registered it will show on the screen, if the Mac is the first device being enrolled, they will see the following:

Once the user selects “Add this one by tapping here” they’ll be prompted to download the Intune Company Portal app.

After the Company Portal is downloaded and installed, open it up and you’ll be asked to sign-in using your corporate credentials. These are the same credentials used to sign into Office 365 (derived from Azure AD).

After sign-in is complete the device will begin the enrollment process.

For more details on user driven Mac enrollment please visit: https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp

Apple Device Enrollment Program

The concept of the Apple DEP is to associate devices with an organization and to streamline the enrollment process, similar to enrolling Apple iOS devices. However, enrollment requires a different process by associating an Apple enrollment token with Intune. After the enrollment token is added and enrollment profile is created in Intune and associated with the enrollment token.

During the enrollment profile creation process you’ll be asked to select user affinity (i.e. userless or user associated). Once user affinity is selected, you’ll also select whether or not you’ll allow users to remove the enrollment profile via the “Locked enrollment” setting.  Finally, you’ll customize the setup assistance which allows for hiding setup screen, e.g. Apple Pay, Siri, Registration, etc.

For more details on the Apple enrollment token process with Intune please visit: https://docs.microsoft.com/en-us/intune/device-enrollment-program-enroll-macos

Conditional access

An exciting feature of Azure AD is the ability to target certain device platforms (e.g. MacOS) and set a series of conditions for access by creating conditional access policies in Azure AD.

Compliance

Azure AD and Intune compliance policies also play a role in access. Step through the compliance policies below to view the restrictions that may be enabled for the device to be compliant.

Device Health

System integrity protection prevents malicious apps from modifying protected files and folders.

Device Properties

Specify which OS version and builds you’ll allow before accessing corporate resources.

System Security

Configured password and password integrity, storage encryption, firewall, and gatekeeper to project against malware.

Actions to take for non-compliance

Take action when devices are not compliant with the compliance policy by sending the user a mail and/or locking the device.

Associating an Intune compliance policy with Azure AD conditional access policy

Create an Azure AD conditional access policy to require the device be compliant to access corporate resources.

Looking at device configuration for MacOS there are a number of settings, and in my opinion, those settings address a lot of organizations requirements for Apple Mac management.

Device features

Device restrictions








Endpoint protection

Looking to protect the device further by configuring the firewall and controlling where apps are installed from? Gatekeep will help with those requirements.


Further configure firewall settings to device what you’ll allow in and which apps are allowed and/or blocked.


Certificates

Intune supports PKCS certificates for general and S/MIME purposes.



Device and user-based certificates are both supported via SCEP


VPN

Many VPN settings are available including 3rd party VPN support.


Make note of On-demand and per-app VPN


Use a proxy server? No problem!


Wi-Fi

Both Basic and Enterprise Wi-Fi profiles are supported with various auth types.


Customize with Apple Configurator

Don’t see a setting in the UI, not to worry as you can create a custom profile using Apple Profile Manager and/or Apple Configurator and upload the payload for delivery through Intune.


App deployment

Both line of business and Office apps are supported right from the UI.


When selecting “Line-of-business app” the MacOS app must be wrapped using the app wrapping tool for Mac which will wrap the app and give it an extension of .intuneMac.

The tool is available on GitHub: https://github.com/msintuneappsdk/intune-app-wrapping-tool-mac

To learn more about Mac app deployment with Intune please visit: https://docs.microsoft.com/en-us/intune/lob-apps-macos

One of my peers Scott Duffey @Scottduf has a great post on this topic: https://blogs.technet.microsoft.com/microscott/deploying-apps-to-macs-using-microsoft-intune/

Note: as of this post only .pkg files are supported nor are conversions from .dmg to .pkg

Microsoft + Jamf partnership

Microsoft has also has a partnership with Jamf. Jamf also provides MacOS management and if your organization currently utilizes Jamf and would like to receive the benefits of integrating Jamf with Intune you can do this today with Jamf Pro. So, what does this mean?

MacOS devices managed by Jamf remain managed by Jamf when Intune comes into the picture (thus are only registered with Intune not enrolled) and integrating Jamf Pro with Intune provides a path for Jamf to send signals in the form of inventory to Intune. Intune will use compliance policies to evaluate the Jamf signals and in turn send signals over to Azure AD stating whether the device is compliant or not. The Azure AD conditional access policy will kick in and based on your configuration of the conditional access policy, will either block or further challenge the user to remediate before access company resources.

For more details about Intune and Jamf integration please visit: https://docs.microsoft.com/en-us/intune/conditional-access-integrate-jamf

Jamf also has a whitepaper about Intune integration: https://www.jamf.com/resources/technical-papers/integrating-with-microsoft-intune-to-enforce-compliance-on-macs/

That’s it for now, however Microsoft is always releasing updates for Intune.  Check back monthly with What’s new in Microsoft Intune and be sure to check which Intune features are under development by visiting: https://docs.microsoft.com/en-us/intune/in-development

Outlook app configuration – contact field export control

Organizations utilizing the Outlook app on iOS and Android may desire granular control of app behavior such as only allowing certain contact fields to be sync’d with the native contacts app on iOS. Fortunately, Outlook settings are available to further control the Outlook app on iOS and Android.

I’ve worked with organizations who have strict data protection and GDPR requirements and utilizing Intune we were able to protect data from leaking from users’ corporate email to unmanaged apps and storage while allowing limited contact attributes sync’d to the local contacts app so caller ID will show for callers residing in contacts. Some of the restrictions are enforced by the platform (i.e. iOS/Android) while other restrictions are controlled at the app and device layer by Intune.

To learn more about app config with Outlook please visit: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune#configure-contact-field-sync-to-native-contacts-for-outlook-for-ios-and-android

As you walk through the settings make note of the “Device Enrollment Type” for each configuration setting, e.g. “Managed devices”, “Managed apps”. The device enrollment type corresponds to the Intune “Device enrollment type” setting when adding a configuration policy (see screenshot below). It’s important to understand the differences as there are different settings for different types of profiles and if settings are used for an unsupported profile type, they simply will not deploy to the app. In addition to the contacts settings, there are also account configuration, wearable, and iOS notification settings that can be configured as well.

Let get started

The following example demonstrates syncing only certain contact fields to the local contacts app so the end user will see the caller ID for a contacts for phone numbers when calls are received.

Navigate to the Intune admin portal and select “Client Apps > App configuration policies > Add”

Give the configuration policy a name and select “Managed apps” as the Device enrollment type as I’m pushing this policy via an App Protection Policy.

Select “Associated app” and select Outlook for the platform(s) you’re interested in configuring Outlook for. For “Managed Apps” I recommend using a single policy for iOS and Android to maintain consistency across platforms.

Add configuration settings to configure the app configuration settings for contacts in Outlook as shown below. These are key/value pairs and are documented here: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune#configure-contact-field-sync-to-native-contacts-for-outlook-for-ios-and-android

I’m only allowing first name, last name, and mobile phone number. If other phone fields are required such as home, office, other, you may want to allow those as well. Note: these fields match up to the existing fields in Outlook contacts and the native contacts app.

Assign the policy to a group of users:

Syncing contacts to the native contacts app

For contacts to show up in the native contacts app, users need to manually select “Save Contacts” in Outlook settings to sync contacts to their device.

Note: if you don’t see “Save Contacts” an Intune App Protection Policy may be blocking contacts sync. To check APP settings install and open the Edge browser and type in: about:intunehelp in the search box and view Intune app status for Outlook. If block contact sync is enabled, it will be set to “1” disabled will be set to “0”. Also, the “Save Contacts” setting cannot be set by policy at this time.

As shown below, only the fields specified in the Outlook configuration policy show up when the contact is accessed from the native contacts app. All other fields are blanked out. Even if I add the additional data to the fields, such as a phone number, the field will show up populated in the native contacts app then disappear when the policy refreshes (the update to the field will retain in Outlook though).

If you continue to see the fields that are blocked, try waiting a few minutes and disabling and re-enabling contact sync in Outlook.

Finally, when the email profile is removed from Outlook so are the sync’d contacts from the native contacts app.

Additional info

For MDM enrolled iOS devices, if contacts do not sync with the native contacts app after going through the steps above, because of certain Apple restrictions, you may need to toggle these settings to “Not configured”. There is a support post on this topic that is worth reading with additional tips: https://blogs.technet.microsoft.com/intunesupport/2018/04/17/support-tip-ios-11-3-and-native-contacts-app/

Microsoft Flow and Azure AD – let’s automate!

 

When I speak with organizations we often discuss scenarios such as having an onboarding process that is in need of a front-end utility and automation.  Many organizations have cloud services and on premises applications where the user onboarding process in some cases is still a manual procedure.  To assist with these processes and many others, Microsoft offers as service called Microsoft Flow.  I’m always looking for creative uses of applications and Microsoft Flow offers just what we need to help automate processes such as account management across applications and services.  In addition, Microsoft Flow goes well beyond just automating a user management processes (e.g. onboarding) as discussed below.

 

What is Microsoft Flow?

“Microsoft Flow is a service that helps you create automated workflows between your favorite apps and services to synchronize files, get notifications, collect data, and more.”

Source: https://docs.microsoft.com/en-us/flow/getting-started

Microsoft Flow allows you to create workflows to automate tasks, for example, when files are added to a folder in a cloud storage environment such as OneDrive or Box, notify a user. Or create an approval workflow process to manage tweets before they’re posted to Twitter.

 

Microsoft Flow offers connectors to connect to either cloud applications or on premises environments.

To view a list of Microsoft Flow connectors, please visit: https://us.flow.microsoft.com/en-us/connectors/

 

In addition, there are many pre-defined templates that may be utilized such as starting an approval process when a new item is added to SharePoint or save tweets to an Excel file or sync files between cloud drives or a file server via FTP.  The list goes on and on…

To view a list of Microsoft Flow templates, please visit: https://us.flow.microsoft.com/en-us/templates/

 

Microsoft Flow Licensing

Some features are free and require premium Flow sku.  For more details about Microsoft Flow licensing please visit: https://flow.microsoft.com/en-us/pricing/

Microsoft Flow FAQ: https://docs.microsoft.com/en-us/flow/frequently-asked-questions

 

For this post, I will utilize Microsoft Flow to create users in Azure AD as well as provide custom bonus flows! so let’s get started…

As an administrator, the first thing we need to do is access Microsoft Flow and create a new workflow.

Navigate to https://flow.microsoft.com and sign-in.

Search for Azure AD in the search box provided as shown below:

image

 

From the results page, locate and select “Create Azure AD User From Button”

image

 

From there select “Continue” to add the template:

image

 

For more details about the Microsoft Flow Azure AD connector and templates, please visit: https://us.flow.microsoft.com/en-us/connectors/shared_azuread/azure-ad/

 

From here you can use the template as is and select Create flow, or you change the name and edit the steps in the template provided:

image

 

I chose to edit the “Send an email” step in the flow as I wanted a little more detail, I began the editing process by selecting “Send an email”:

image

 

The default template only offers a one-line sentence of info, however I changed it to add information the manager and the end user would need:

image

 

We can also edit each flow step or add more if necessary by deleting or adding fields (if the field is used downstream in the flow you’ll need to delete the field first downstream):

image

image

 

“Adding an Azure AD User” Flow in action

The great thing about Microsoft Flow is a flow may be run on a schedule, via an event or trigger, or manually from the web or the Mobile app. 

Additionally, Flow templates may be shared out to other users to access as well, so administrators don’t always need to be in the process.  Ultimately a Flow template configuration is up to you and what works best for your processes within your organization

 

Flow Web App

To manually start the newly created Flow template, when in the Flow template select “More” from the top and then select “Run now”

image

 

From there the template with a list of fields will open for a user to manually fill in:

image

 

Once all the fields are filled in properly, select “Run flow” and a new user will be created in Azure AD.  I show more details and results below using the mobile app.

 

Mobile App

I find the Microsoft Flow mobile app very easy to use, especially when on the go.  In fact, flows may be created and edited directly from the Microsoft Flow app.

Download the Microsoft Flow app from your favorite app store, in my case I have the iOS app installed on my device.  The first time Microsoft Flow app is launched you’ll need to sign into your Azure AD tenant (be sure that user has rights to create users, groups, access apps, etc.).

 

Select “Buttons” at the bottom of the app:

SNAGHTML4c3e814e

 

Locate the the button that will create the Azure AD User:

image

 

Fill out the form and submit:

image

 

Here are my inputs from my Flow template process, when finished select “Done” at the top of the app and the Flow will run:

imageimage

 

Once the Flow has completed, we can look at the run history and the details of each flow process (great for troubleshooting as well):

imageimage

 

Expanding the “Send an email” flow we see the following:

image

 

Below is the customized email received by a user or manager after the user is created (including a randomly generated password):

image

 

Lastly, below is the user that was created by the Flow process in the Azure AD admin portal:

image

 

Dynamic groups

Once users are created, dynamic group memberships may be used to automatically assign users to group, for example, any user may be dynamically assigned to Group A. Group A can also be assigned to licenses, SaaS applications or assigned to SharePoint Online/OneDrive, so as soon as a user is assigned to a group they’ll have access to the licenses and apps assigned to it.

Dynamic group membership eases the management process of adding and removing users to applications. Simply assign a group to the application permission and use dynamic group rules to automatically assign and remove users. You can even use attributes such as employeeId, mail, or companyName as attributes to look for, however there are many more attributes to choose from and depending where the users originates from, you may want to get creative.  Finally, for applications that support provisioning, users may be automatically provisioned and provisioned to SaaS applications which provides full user lifecycle management.

For more details about Azure AD Dynamic Groups please visit: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-dynamic-membership-azure-portal

 

BONUS FLOWS 

Need to disable or enable sign-on for a user quickly in Azure AD (i.e. O365, Dynamics365, etc.) from your mobile device?  I created Flows to do that.

 

Current sign-in state of the user shown in Azure AD and O365 Portals (it’s the same setting btw) shown below:

imageSNAGHTML13b5bc02

 

I created a button in Microsoft Flow and filling out the following fields in red:

image

 

When the flow is run, type in the UPN (email address) of the users and flow will disable sign-on for that user.

image

image

 

New sign-in state of the user shown in Azure AD and O365 Portals (it’s the same setting btw) now blocked shown below:

imageimage

 

Enable sign-on for an Azure AD user

Follow the Flow creation process above to create a Flow to enable a user to sign-on, however change the “Account Enabled” setting to “Yes”.  Note: Flows may be copied, to copy a flow select Save As for the flow you’d like to copy in the Flow portal and modify from there.

As a result we’ll end up with two flow as shown below:

image

 

And the flow buttons on my mobile device:

SNAGHTML14328189

 

Delete Azure AD Users

Now a question you may have is “can we delete Azure AD Users using a button?”  You could, however there is nothing built in with Flow or connectors today.  A custom app would need to be developed with the proper permissions to the Microsoft Graph to delete an account then added to flow.  So this would be more of a custom development approach that what I demonstrated in this post.  As a result, using Microsoft Flow we can create a custom connector that will call into the app registered with Azure AD to make calls to delete users using a button flow in Microsoft Flow.  Same holds true for resetting user passwords.

With Microsoft Flow, the possibilities are endless with the predefined templates and built-in connectors to services, you don’t have to be a developer to automate processes and workflows!

Windows Information Protection Explained – Windows 10 Creators Update

 

With the release of Windows 10 Creators Update there have been many enhancements to Windows 10. For this post, I’ll focus on an expanded feature that is only available in version 1703 (i.e. Creators Update).

In Windows 10 version 1607 we released Windows Information Protection where devices that are enrolled with Microsoft Intune (or SCCM) may receive policies that protect corporate application content from data leaks. In Windows 10 1703 (i.e. Creators Update) a new feature called Mobile Application Management or MAM is available. If you’re familiar with MAM policies for Intune for iOS and Android we’ve brought similar functionality to Windows 10 Creators Update for non-managed devices. This means that non-managed devices such a home user PC with Creators Update can access corporate data without risking data leakage because the MAM policy will prevent cutting and copying data to unmanaged applications.


Requirements

  • Intune licenses
  • Global Admin for Azure Active Directory
  • Windows 10 Creators Update (any version)

Getting started

Service setup

  1. Navigate to portal.azure.com from a browser
  2. Select Azure Active Directory
  3. Select Mobility (MDM and MAM)
  4. Add or select Microsoft Intune

 

clip_image002

 

Verify the settings look similar to those in the image below. Add a group as well to make sure the policies flow to the proper individuals:

Note: if the MAM Discovery URL is missing, select “Restore default MAM URLs”

clip_image004

Policy setup

From the Azure portal locate the Intune Mobile Application Management (MAM) service. It will look similar to the following:

clip_image006

 

Select “App Policy” and “Add a policy” at the top. Give the policy a name and select Windows 10 under Platform.

clip_image008

 

Now we need to configure what apps the MAM policy will apply to. Do this by selecting “Allowed apps” and then “Add app” at the top of the blade:

clip_image010

Fortunately, many Microsoft applications are already published to select from, for the purposes of this post I’m going to select Microsoft Edge, Notepad, and IE11. The apps in this list are what we call “enlightened apps” where they know about MAM policies. Refer to the links at the end of this post for how non-enlightened apps are supported.

Note: For custom apps, desktop apps, etc. that need to be added, information about these apps is easily found using App Locker via the local policy editor on the device where the apps are installed. More details: https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/app-behavior-with-wip

clip_image012

 

Data Protection

After selecting apps from the list, in my case Notepad, Edge, and IE11 we now need to configure the behavior of when protected data is moved from those apps to non-protected environments (e.g. WordPad).

Select “Required settings” from the policy. The only change I made is to select “Allow Overrides” which means the user will be prompted when they attempt to relocate corporate data outside of the managed app (very similar to how MAM works with iOS and Android):

clip_image014

 

Now move to “Advanced settings” where there are a number of options to further restrict and identify boundaries.  For this post I’ll keep it simple by adding a cloud resource as a network boundary, in this case SharePoint Online and turn on “Show the enterprise data protection icon” for the protected enlightened apps:

clip_image016

Note: Once service and client are configured, you may encounter site access issues, to remediate, add the Value “|/*AppCompat*/” (no quotes) string to the end of the URL string, more details here: https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/app-behavior-with-wip

 

Once the boundaries are set and saved, we need to assign the policy to a group of users.  Feel free to create any group you want in Azure AD, I created one called MAM-WE_Users:

Note: users may be dynamically assigned to Azure AD groups as well for auto assignment to apps, licenses, etc., more details here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-groups-with-advanced-rules

clip_image018

Client setup

The end user will need to attach their non-managed (e.g. personal) Windows device with Creator Update to their workplace by selecting “Settings” then “Access work or school” and then “Connect” as shown below.

Note: Non admin users may enroll in MAM.

clip_image020

 

The user will then be prompted to sign on to their corporate account (i.e. O365, Azure AD, Intune, etc. if available) account as shown below (do not join Azure AD or local AD, typically this is performed only for corporate issued/owned devices).

To summarize, there are two steps, add your email and select next.

clip_image022

 

Once the account is verified, and the device is registered, select the account and the Info:

clip_image024

 

The “Info” button will show the last time the device had a successful sync. Also make sure the Management Server Address is populated. Keep this in mind as we’ll refer to this process after we have the MAM policy set up.

clip_image026

End User Experience

Because I’m protecting “.cbenterprisemobility.sharepoint.com” and selected both IE11 and Edge (they’re both enlightened apps) when I navigate to them we see a little briefcase icon show up.  When I navigate away from this site, the briefcase will go away.

clip_image028

clip_image030

 

For example, when I download a file from SharePoint Online, it will contain a little briefcase on the file icon as well as state the ownership of the file in “File ownership” column.  Additionally, the MAM policy can use either a custom EFS certificate or and Azure Information Protection template (RMS) to protect files.

clip_image032

 

When I open the file in a managed app (i.e. Notepad) and because the file is protected by policy, the app shows it’s managed by displaying a briefcase icon on the app itself:

clip_image034

Clicking on the briefcase icon we see the following:

clip_image036

 

When I attempt to cut, copy, and even open the file in an unmanaged app such as WordPad I receive the following prompt.  I can choose to give access in which case that action is logged to event viewer or cancel.  This prompt may be hidden from the user completely by changing the policy in Intune.  Separate policies may also be created and targeted at specific groups of users as well.  For example maybe you want to allow Executives to override as shown below and block certain users such as contractors, etc.

clip_image038

 

Closer look at the prompt:

clip_image040

 

If you need to change the file ownership, I right click on a file and change the file ownership to Personal if needed:

clip_image042

 

That’s all, we configured Mobile Application Management for a non-managed or domain enrolled Windows 10 client and successfully protected corporate content from leaking outside of corporate sanctioned applications.

Troubleshooting

  • First place to look is to make sure the settings are correct and sync’s are successful under Windows 10 Settings/Accounts/Access work or school
  • Next steps are to look in event viewer under: Application and Services Logs/Microsoft/Windows/Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
  • MAM policies also land under: c:windowssystem32AppLocker folder and you can open the “policy” files in notepad.
  • You’ll also find the MAM policy settings populated under the following registry keys: HKEY_LOCAL_MACHINESOFTWAREMicrosoftPolicyManagercurrentdevice
  • When adding apps to protect, the prepopulated apps should be adequate, however if you’re adding protected apps by hand make sure the format is correct or the MAM policy will not take effect on that app.
  • When users upgrade from MAM to MDM on Windows Home edition, they lose access to WIP. On the Home edition, we do not recommend pushing MDM policies to enable users to upgrade.  More details here: https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management

Closing thoughts

With all the data theft that happens daily, it’s better to have increased security for non-managed devices than simply guessing if your data is secure from those devices.  Whether your users have iOS, Android, or Windows devices, Intune MAM will protect all three.

Another option is to block unmanaged devices completely and Azure Active Directory Premium with or without Intune will address this scenario via Conditional Access.

For additional details about MAM with and without MDM as well as supporting desktop and custom apps, please refer to: