Sunday, 1 October 2017

Comanagement and migrating from ConfigMgr hybrid to standalone Intune

Comanagement has arrived. It was announced by Microsoft last week at Ignite so we can finally talk about it publicly. This is one of the most important features to be delivered by Microsoft in recent years and will eventually cause a shift in the way that enterprises manage their devices. It is inevitable.

So, what is comanagement?
Quite simply, it is the ability to manage Windows 10 devices with ConfigMgr and Intune AT THE SAME TIME.

Why is comanagement important?
The majority of organizations use Active Directory (with GPO) and ConfigMgr to manage their on-premises devices. The Microsoft vision is to manage Windows 10 devices using modern management with Intune. Comanagement is expected to create a bridge between the two, simplifying the transition to modern management and reducing its risk. The expectation is that organizations will transition in a phased manner, moving workloads one at a time (e.g. device compliance).

Some additional jargon: 

Modern management: managing Windows 10 devices using Intune MDM and Configuration Service Providers (CSPs).

Intune Management Extensions: codename Sidecar, these will add to Intune's MDM capability. The first extensions expected will allow administrators to run PowerShell scripts on managed devices and also manage Win32 and .exe applications.

Microsoft 365 Powered devices: these are Windows 10 devices running Office 365 ProPlus which are managed by Enterprise Mobility + Security. This is a complete integrated solution and is the future direction for Microsoft.

Windows 10 Autopilot: could replace traditional imaging methods. Users will be able to self-provision their devices simply by authenticating with Azure Active Directory. Intune policies will then be automatically deployed to the devices during provisioning.

Note that comanagement is only supported for organizations that use standalone Intune. Therefore, to avail of this feature, organizations that have a ConfigMgr hybrid must first migrate to standalone Intune. I was very curious to test how much was involved in this.

Migrating from ConfigMgr hybrid to standalone Intune

Step 1 - import ConfigMgr data to Intune.

The Data Importer Tool is an awesome tool that collects data about the objects in your ConfigMgr hierarchy (1610 or later). It then allows you to import your selected objects to Microsoft Intune. The object types it collects are:
  • Configuration items
  • Certificate profiles
  • Email profiles
  • VPN profiles
  • Wi-Fi profiles
  • Compliance policies
  • Apps
  • Deployments
Download the tool (Microsoft Intune Data Importer.exe, it's less than 5MB) and extract the files.

The first task is to give the Data Importer tool permission in Azure to access resources.

Execute "intunedataimporter.exe -GlobalConsent"

Enter your Global Admin credentials.

Accept the resources that the tool needs access to.

Now launch the tool (intunedataimporter.exe). Start the process.

Review the information that you should be aware of when using the tool.

Enter the ConfigMgr details.

The ConfigMgr objects data is collected.

There are some errors. It will not be possible to import some objects. You can choose to fix the issues or ignore these objects.

This is a summary of the objects to be imported.

Sign in to Intune.

The objects are imported into Intune.

Step 2 - prepare Intune for user migration

This includes:
  • fixing issues discovered during the data collection and import
  • verifying the imported objects
  • assigning Intune licenses to migrated users
  • verifying Intune user groups
  • configuring RBAC
  • configuring Exchange Connectors (if required)

Step 3 - change MDM authority to Intune standalone

(Note: before you change the MDM authority for the tenant you should test the process for a subset of users. Follow this process to exclude users from the ConfigMgr collection for testing).

Navigate to Administration > Overview > Cloud Services > Microsoft Intune Subscription

Right click your subscription and select Delete.

Select to Change the MDM Authority to Microsoft Intune.

Accept the warning.

Sign in to Intune.

The subscription has been removed and the MDM Authority has been changed to Intune. Note that it can take up to eight hours for a device to connect to the service after you change to the new MDM authority.

I hope this information was helpful. Until next time.....

Sunday, 17 September 2017

Block Android Screen Capture with ConfigMgr 1706

Version 1706 of System Center Configuration Manager (Current Branch) was recently released and one of the new features made one of my customers very happy.

See details of the new 1706 features here

This customer uses the hybrid solution of ConfigMgr and Intune to manage their fleet of Android devices. They use MAM policies to protect against corporate data leakage and they were "almost" 100% happy with the solution.

They felt that they were a little exposed as users could still capture a screen containing sensitive data using a simple button combination (Home and Power in the case of many Android devices). Now, with ConfigMgr 1706, we can disable the ability to capture the screen. Even cooler, we can configure this on a per-managed-app basis.

I've just tested this in advance of configuring it in the customer's environment. It works so well that I wanted to share the experience.

Navigate to Software Library > Application Management > Application Management Policies

Right click to Create Application Management Policy (or alternatively edit an existing policy).

Enter a name and description for the policy.

Choose Android as the platform and General as the policy type.

We are presented with the MAM options for Android. See Block screen capture. It is enabled by default.

Finish the wizard to create the MAM policy.

For this test I want to block screen capture for Adobe Reader (this is an Intune managed app). The app is added to ConfigMgr as normal.

When deploying the app we are asked which MAM policy should apply. I've chosen my test policy containing the "Block screen capture".

So, what does that look like on a device? I'm using a Samsung Galaxy Tab3 (Android version 4.4.2). I've opened a PDF file using Adobe Reader. See what happens when I try to capture the screen.

"Couldn't save screenshot. Content is protected by DRM".

It's these little hidden gems that make me happy. 

Hope this helps, until next time....

Wednesday, 30 August 2017

Intune - upcoming changes to device support

This is a short blog post to warn about upcoming changes to device support in Intune.

iOS 8.0 devices will no longer be supported from September 2017. They will no longer be able to access the Company Portal or managed apps. iOS 9.0 or later will be required to access corporate resources.

Android 4.3 devices will no longer be supported from October 2017. They will no longer be able to access the Company Portal or managed apps. Android 4.4 or later will be required to access corporate resources.

Windows Phone
Windows Phone 8.1 platform reached end of mainstream support in July 2017 but Intune still supports their management. However there will be no improvements to Intune service management for these devices.

More details can be found in the Intune docs

Until next time.....

Sunday, 27 August 2017

Team Toni

Normally I would only publish technical blog posts but I'll make an exception in this case to share Chelsea's story. My wife's friend Chelsea lost her 15 year old daughter Toni in May, after a year-long battle with cancer.

Today Team Toni competed in the Longford Marathon to raise funds for Aoibheann's Pink Tie. This wonderful charity supports the families of children who are suffering from terminal cancer.

This is what Chelsea had to say this morning, no other words are necessary:

......" today is a very emotional day  for me.....really emotional....

....I'm taking part  the Longford Marathon in memory of my lovely daughter Toni Louise....she was diagnosed with leukemia   when she was just 14 .......she sadly  died  in May of this year.. she was just yea..... I'm very emotional.....

.....a great group of friends and family ....about 40 of us....are doing the Longford Marathon in tribute to Toni Louise and to raise some funds for Aoibheann's Pink Tie which does so much work for children with cancer.....

.....the people of all of Longford are incredibly supportive and we expect to raise a lot of much needed funds....we also want to raise some awareness about children's's something a lot of people don't know about....

.....Toni Louise in her too short life touched so many people....everyone she met....I feel so proud of her......she'll be with me every inch of the way today......she's with me every single day and will be with me forever ......and I've a tattoo of her on my leg now so she's running with me......

......I've only been training for 9 weeks .....but Toni Louise only passed away  12 weeks ago.......the training was good for was good for the head.......

....Aoibheann's Pink Tie is  a fantastic charity.....they do all sorts of special  things for children suffering from cancer....from limo trips to concerts,  Christmas and birthday parties to just sitting down and chatting over a cup of coffee.....they're so supportive...'s uplifting being here many people supporting so many......the people of , so good....

....I've had great family and friends but since Toni Louise's passing.....I've realised just how great  the support network I have.......

......friends and family are just so, so important......

...thanks, thanks...."

Chelsea Harte

Some scenes from the day:


Tuesday, 8 August 2017

See Intune Data Warehouse in action

We've heard a little about this feature recently but the Intune Data Warehouse is finally in public preview. It will give us powerful custom reporting with a dataset spanning up to 90 days of historical data. You can use Power BI or Excel to connect to the warehouse, or indeed any other tool that supports OData feeds.

There is a good blog post describing the feature but I wanted to see it in action with my own data. It is very easy to configure and get started.

Open the Intune admin console on your Azure Portal.

Click on the Intune Data Warehouse tile on the bottom right of the screen. This opens the Intune Data Warehouse blade.

The blade gives us the instructions we need.
  • Download and install the Power BI desktop app
  • Download the Power BI template file
  • Open the Power BI template with the Power BI desktop app
  • Authenticate with your tenant

This is the Power BI app......

....and the Power BI template file. It contains a set of custom reports to get you started.

Install the app.

When the app installs select File -> Open.

Browse to the template file.

Select to Apply changes.

You will see the changes being applied.

The OData feed dialog box opens. Select the Organizational account section. Sign in with a global admin account on your tenant. Click Connect.....

.....and we can see the reports have been populated with our own data.
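The post above uses the Power BI template, but the warehouse is a plain OData feed, so any OData-capable tool can read it. The following PowerShell is an added example (not code from the original post or from Microsoft): it discovers the entity sets from the OData service document and pages through one of them, following `@odata.nextLink` until the feed is exhausted. The endpoint URL is a placeholder (copy the real value from the Intune Data Warehouse blade in your tenant), the bearer token is assumed to be obtained separately with whatever Azure AD tooling you already use, and no entity set names are hard-coded because they are read from the feed itself.

```powershell
# Added example, not part of the original post. Assumptions:
#   - $WarehouseUrl is the OData endpoint shown on the Intune Data Warehouse blade
#     (placeholder in the usage section below; take the real value from your tenant).
#   - $AccessToken is an Azure AD bearer token for that endpoint, obtained out of band.
#   - Entity set names come from the OData service document, so none are assumed here.

function Get-WarehouseEntitySets {
    param(
        [Parameter(Mandatory)] [string] $WarehouseUrl,
        [Parameter(Mandatory)] [string] $AccessToken
    )
    # The service document at the feed root lists every entity set the warehouse exposes.
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $doc = Invoke-RestMethod -Method Get -Uri $WarehouseUrl -Headers $headers
    return $doc.value | Where-Object { $_.kind -eq 'EntitySet' } | Select-Object -ExpandProperty name
}

function Get-WarehouseEntity {
    param(
        [Parameter(Mandatory)] [string] $WarehouseUrl,
        [Parameter(Mandatory)] [string] $AccessToken,
        [Parameter(Mandatory)] [string] $EntitySet,
        [string] $Filter,          # optional OData $filter expression, e.g. "osVersion lt '9.0'"
        [int]    $MaxPages = 50    # safety cap so a runaway nextLink loop cannot hang the script
    )
    $headers = @{ Authorization = "Bearer $AccessToken" }

    # The warehouse URL carries its api-version in the query string, so the entity set
    # name has to be inserted between the path and that query, not appended at the end.
    $base  = [System.Uri]$WarehouseUrl
    $path  = $base.GetLeftPart([System.UriPartial]::Path).TrimEnd('/')
    $query = $base.Query                       # '?api-version=...' or empty
    $uri   = "$path/$($EntitySet)$($query)"
    if ($Filter) {
        $sep  = if ($query) { '&' } else { '?' }
        $uri += $sep + '$filter=' + [System.Uri]::EscapeDataString($Filter)   # single quotes: no PS interpolation of $filter
    }

    # OData feeds page their results; keep following @odata.nextLink until it is absent.
    $rows = @()
    $page = 0
    while ($uri -and $page -lt $MaxPages) {
        $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        if ($resp.value) { $rows += $resp.value }
        $uri = $resp.'@odata.nextLink'
        $page++
    }
    return $rows
}

# Usage (placeholder endpoint and token; replace both before running):
# $url   = 'https://<warehouse-endpoint>/DataWarehouseFEService?api-version=v1.0'
# $token = '<bearer token obtained from Azure AD>'
# Get-WarehouseEntitySets -WarehouseUrl $url -AccessToken $token
# $rows  = Get-WarehouseEntity -WarehouseUrl $url -AccessToken $token -EntitySet '<entity set from the list above>'
# $rows | Export-Csv -NoTypeInformation -Path .\warehouse-export.csv
```

Reading the service document first means the script keeps working when Microsoft adds or renames entity sets, and the `$MaxPages` cap bounds how much of the 90-day dataset a single call pulls. Because the export contains device and user details, treat the CSV with the same care as the Power BI report it replaces.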