Simplifying management of the Google Chrome browser

This week is all about simplifying the management of the Google Chrome browser. I’ve done my fair share of posts about different methods for managing settings for the Google Chrome browser, by using Microsoft Intune, like for example by using ADMX-files or by using PowerShell, but it can be easier. It can also be achieved by using Chrome Browser Cloud Management. Chrome Browser Cloud Management is a cloud-based solution that enables the management of the Google Chrome browser across Windows, Mac and Linux devices. In this post I’ll start with a short introduction about Chrome Browser Cloud Management, followed by the steps to enrol Windows devices by using Microsoft Intune. I’ll end this post by looking at the end-user experience.

Note: Keep in mind that this post is only intended to provide a simple management solution for the Google Chrome browser. Please make your own consideration if this would be added value for your organization.

Introduction to Chrome Browser Cloud Management

Let’s start with a short introduction to Chrome Browser Cloud Management. Chrome Browser Cloud Management provides the IT administrator with a unified managed experience across Windows, Mac and Linux devices via a single cloud-based console. That removes the need to use different management tools for different platforms when managing Google Chrome across the organisation. Besides that, it can even provide benefits when managing a single platform. Even in combination with Microsoft Intune. At this moment, Microsoft Intune can provide some challenges with managing Google Chrome, as it would require the use of either PowerShell scripting or ADMX-files. Both, at this moment, time intensive activities. In that case, using Chrome Browser Cloud Management would add an additional management tool, but would save time in configurations.

Chrome Browser Cloud Management provides a method to enroll Google Chrome browsers by providing an enrollment token to the browser. On Windows devices that can be achieved by applying a simple registry key. Once the Google Chrome browsers are enrolled, the Chrome Browser Cloud Management enables the management over user settings and apps and extensions. Both contain some often used configurations. Below are a couple of examples of often used configurations. Figure 1 shows how to easily configure the Homepage and Page to load on startup setting and Figure 2 shows how to easily add the Windows 10 Accounts extension.

Enroll cloud-managed Google Chrome browsers

Now let’s continue by looking at enrolling Google Chrome browsers. Basically that requires two actions. The first actions is to generate the enrollment token and the second action is to enroll Google Chrome browsers by using the enrollment token.

Action 1: Generate enrollment token

The first action is to generate and enrollment token. That token will be used for enrolling the Google Chrome browsers. The following four steps walk through the process of generating that token.

  1. Open the Google Admin console and navigate to Devices > Chrome management > Managed browsers to open the Managed browsers page
  2. On Managed browsers page, on the right bottom of the screen click on the + button to open the Chrome Browser Cloud Management License Agreement dialog box
  3. On the Chrome Browser Cloud Management License Agreement dialog box, click I ACCEPT to generate an enrollment token and to open the Enrollment token dialog box
  4. On the Enrollment token dialog box, click the copy sign to copy the enrollment token and click DONE.

Note: I’m not downloading the registry file, as I think that it’s easier to deploy the enrollment token by using a PowerShell script.

Action 2: Enroll Google Chrome browsers on Windows devices

The second action is to enroll Google Chrome browsers on Windows devices by using the generated enrollment token. For that purpose I’ve created a small PowerShell script that will be deployed via Microsoft Intune. That means two steps. The first step is to create the PowerShell script and second step is distribute the PowerShell script via Microsoft Intune.

Let’s start with the first step. The following PowerShell script provides a simple example that will create the registry path and key if needed. Simply add the copied enrollment token as the value of the $KeyValue variable.

The second step is to distribute the PowerShell script by using Microsoft Intune. That will make sure that the enrollment token applied to the Windows devices, which will trigger the Google Chrome browser to enroll. The next seven steps walk through the deployment of the PowerShell script.

  1. Open Microsoft Endpoint Manager admin center portal and navigate to Devices > Windows > PowerShell scripts to open the Windows | PowerShell scripts blade
  2. On the Windows | PowerShell scripts blade, click Add to open the Add PowerShell script wizard
  3. On the Basics page, provide the following information and click Next
  • Name: Provide a valid name for the PowerShell script
  • Description: (Optional) Provide a description for the PowerShell script
  1. On the Script settings page, provide the following configuration and click Next
  • Script location: Select the PowerShell script
  • Run the script using the logged on credentials: Select No to run the script in SYSTEM context
  • Enforce script signature check: Select No
  • Run script in 64-bit PowerShell Host: Select Yes
  1. On the Scope tags page, configure any additional scope tags for this PowerShell script and click Next
  2. On the Assignments page, configure the assignment of this PowerShell script and click Next
  3. On the Review + add page, review the settings and click Add

End-user experience

Let’s end this post by having a look at the end-user experience. Below I’ve provided a few examples of the experience for the end-user. Figure 5 provides an overview of the applied registry key and its value and Figure 6 provides an overview of the Google Chrome browser and the applied policies. The latter shows the managed state of the Google Chrome browser and the applied Chrome policies. With those Chrome policies it provides the source of the policy, which is Platform for the cloud management enrollment token configured via Microsoft Intune and Cloud for all policies configured via Chrome Browser Cloud Management, and the policy name and value. The shown Chrome policies – and their results – are the examples provided in the introduction.

Note: An administrator can also look at the enrolled browsers in the Google Admin console by navigating to Devices > Chrome management > Managed browsers.

More information

For more information about cloud-management of the Google Chrome browser, refer to the documentation about Cloud-managed Chrome Browser.

Simplifying the migration of Android device administrator to Android Enterprise work profile management

This week is all about a recently introduced feature that will help organizations with their move away from Android device administrator managed devices to Android Enterprise work profile management. That is a very welcome feature as Google is decreasing device administrator support in new Android releases, which makes difficult for Microsoft Intune (and any other MDM-solution) to adequately manage Android device administrator managed devices starting with Android 10. The feature in Microsoft Intune that will help with moving away from Android device administrator managed devices is a compliance setting that will enable organizations to block devices in a structured manner and to provide a direct migration path to Android Enterprise work profile management.

In this post I’ll show how to create and configure a device compliancy policy that will slowly trigger end-users to start the migration to Android Enterprise work profile management, followed by the steps to block the enrollment of Android device administrator managed devices. Together that should help organizations to fully move away from Android device administrator managed devices. I’ll end this post by having a look at the end-user experience.

Configuring the device compliance policy

The first step is preparing a good migration experience, from Android device administrator managed devices to Android Enterprise work profile management, for the end-users. That can be achieved by creating a device compliance policy that eventually will block Android device administrator managed devices. To make sure that the end-user is not immediately being blocked from accessing company resources, I advise to use at least two levels of noncompliance. The first level would be that the end-user receives an email message with the advise to start the migration and the second level would be to actually block access to company resources. That can be after a longer period of noncompliance. The following seven steps walk through the steps for configuring a device compliance policy and provide some guidance for the different configurations. After the creation of the device compliance policy, assign the policy like any other policy.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices Android > Compliance policies to open the Android | Compliance policies blade
  2. On the Android | Compliance policies blade, click Create Policy to open the Create Policy blade
  3. On the Create Policy blade, provide the following information and click Create
  • Name: Provide a valid name for the device compliance policy
  • Description: (Optional) Provide a description for the device compliance policy
  • Platform: Select Android device administrator
  • Settings: See step 4 and 5
  • Locations: Leave default (for this post)
  • Actions for noncompliance: See step 6
  • Scope (Tags): Leave default (for this post)
  1. On the Android compliance policy blade, select Device Health to open the Device Health blade
  2. On the Device Health blade, select Block with Devices managed with device administrator and click OK to return to the Android compliance policy blade and click OK to return to the Create Policy blade
  3. On the Create Policy blade, select Actions for noncompliance to open the Actions blade
  4. On the Actions blade, add an action to first notify the user via email and make sure to adjust the default action to not mark a device as noncompliant immediately. That will provide the end-user with time to perform the migration before completely being blocked.

Note: The url https://portal.manage.microsoft.com/UpdateSettings.aspx can be used in the email message to launch the Company Portal app directly in the Update device settings page.

For automation purposes, automating the device compliance policy configuration can be achieved by using the deviceCompliancePolicies object in the Graph API.

https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies

Configuring the device enrollment restrictions

The second step is making sure that new Android device administrator managed devices can no longer be enrolled into Microsoft Intune. That can be achieved by using device enrollment restrictions. The device enrollment restrictions can be used for blocking the enrollment of Android device administrator devices. The following five steps walk through the adjustment of the default enrollment restrictions. Something similar, and often more flexible, can be achieved by using custom enrollment restrictions.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > Enroll devices > Enrollment restrictions to open the Enroll devices | Enrollment restrictions blade
  2. On the Enroll devices | Enrollment restrictions blade, select the Default device type restriction and navigate to Properties to open the All Users | Properties blade
  3. On the All Users | Properties blade, navigate to the Platform settings section and click Edit to open the Platform settings page on the Edit restriction blade
  4. On the Platform settings page, select Block with Android device administrator (see example below) and click Review + save to continue to the Review + save page
  5. On the Review + save page, click Save

For automation purposes, automating the device type restriction configuration can be achieved by using the deviceEnrollmentConfigurations object in the Graph API.

https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations

End-user experience

Now let’s end this post by having a look at the end-user experience, which is the most important part of everything in this post. The end-user experience determines whether this migration process will be adopted by the end-user and whether this migration process is intuitive enough to walk the end-user through this migration process. My personal experience, after performing multiple of these migrations, is very positive. It catches problems and brings the end-user back to the progress in the Company Portal app. Even on an older device, which wasn’t encrypted, I eventually ended up in the Company Portal app.

Figure 4 to Figure 14 below, walk through the migration steps for the end-user when starting with an Android device administrator managed device and moving to Android Enterprise work profile management. Figure 5 is also the starting point when the end-user would click on the provided link in an email and Figure 15 provides an overview of the end result.

Note: In Figure 4 it already shows that the device status is “Not in Compliance“, while in fact the device can still be “In grace period“. Also, in Figure 5 the end-user will receive the message “Unable to resolve” when the enrollment of Android Enterprise (work profile) devices is restricted for the specific end-user.

More information

For more information about moving to Android Enterprise work profile management and enrollment restrictions, refer to the following docs:

Enable device upload when already using co-management

This week is all about the recently introduced functionality of Microsoft Endpoint Manager tenant attach. More specifically, the device sync and the device action functionalities that become available via the Microsoft Endpoint Manager admin center for Configuration Manager managed devices. This is the first big step into creating an integrated solution for managing all devices. This brings Configuration Manager and Microsoft Intune together into a single console. In this post I’ll start with an introduction to the different cloud integration options, followed by the step for enabling the device upload. I’ll end this post by having a look at what this integration brings from an administrator perspective.

Introduction to cloud integration

Let’s start with a quick introduction to all the different cloud integration terminologies that are currently used in combination with Configuration Manager. The main reason for that is that I often hear a lot of confusion about the terminologies in regards to what it is and what it is used for and a new term – tenant attach – will not make that a lot easier.

  • Co-management – Co-management (sometimes even referred to as client attach) is about enrolling Configuration Manager managed devices into Microsoft Intune for additional cloud value. In other words, managing Windows 10 devices by using both Configuration Manager and Microsoft Intune. That enables the administrator to configure specific workloads for Configuration Manager or Microsoft Intune, to enable a smooth transition to the cloud. These products balance the workloads to make sure that there are no conflicts. For a complete overview of the benefits and these workloads, please refer to this doc about what co-management is.
  • Coexistence – Coexistence is about enrolling Configuration Manager managed devices into a third-party MDM solution. In other words, managing Windows 10 devices by using both Configuration Manager and a third-party MDM. That creates two management authorities on a device that don’t integrate with each other, which might create conflicts. To prevent these conflicts the Configuration Manager client detects when a third-party MDM service is also managing the device. When detected, it automatically deactivates certain workloads in Configuration Manager. For a complete list of these workloads, please refer to this doc about third-party MDM coexistence with Configuration Manager.
  • Tenant attach – Tenant attach (the new kid) is about attaching a Configuration Manager environment to the Microsoft Intune tenant for instant cloud value. That will bring all devices to single console and that console is Microsoft Endpoint Manager admin center. Bringing all the devices to that single console will enable the administrator (at first mainly focussed on the helpdesk) to perform basic actions on all devices, either managed by Configuration Manager or managed by Microsoft Intune.
  • Cloud hosted – Cloud hosted is about hosting Configuration Manager components in Microsoft Azure. That will bring the reliability and flexibility of Microsoft Azure to Configuration Manager for managing for example Internet clients by using a Cloud Management Gateway (CMG).
  • Cloud attach – Cloud attach is about attaching different cloud components to a Configuration Manager environment. That is a more generic term that is often used when attaching any cloud functionality to a Configuration Manager environment. That can be about co-management (client attach), tenant attach, and cloud hosted. Basically any cloud service that is attached to the on-premises environment for providing more and better functionalities for managing devices by using cloud functionality.
  • Hybrid MDM – Previously there was even hybrid MDM (or Microsoft Intune hybrid) that would integrate Microsoft Intune with Configuration Manager to provide cloud MDM-capabilities to Configuration Manager. That would enable customers to use Configuration Manager as a single pane of glass for managing all devices within the environment. That feature is retired as of September 1, 2019.

Note: For a nice overview see also this session about Supercharging PC and mobile device management: Attach Configuration Manager to Microsoft Intune and the Microsoft 365 cloud (starting at about 6:38) of Microsoft Ignite 2019.

Enable device upload

After processing the terminology for all the different cloud (and management) integration options for a Configuration Manager environment, it’s time to look at the new tenant attach functionality. When assuming that co-management is already being used within the environment, the following five steps will walk through also configuring the device upload functionality.

  1. Open the Microsoft Endpoint Configuration Manager administration console and navigate to Administration > Overview > Cloud Services Co-management
  2. Select the CoMgmtSettingsProd policy and click Properties in the Home tab to open the Properties dialog box
  3. In the Properties dialog box, navigate to the Configure upload tab, perform the following configuration and click OK
  • Select Upload to Microsoft Endpoint Manager admin center to enable this site to upload devices to Microsoft Endpoint Manager admin center
  • Select All my devices managed by Microsoft Endpoint Configuration Manager (recommended) to enable this site to upload all devices to Microsoft Endpoint Manager admin center, or select A collection I select to enable this site to only upload specific devices to Microsoft Endpoint Manager admin center
  1. In the authentication prompt, provide credentials of a global administrator
  2. In the Create AAD Application dialog box, click Yes to register an application in AAD

Administrator experience

The most interesting part of this post – in my opinion – is the administrator experience. New objects that are created and the relation between the different new objects and activities that an administrator can see. Below is an overview of a those objects and activities from a Configuration Manager perspective. Figure 2 and Figure 3 provide an overview of the new objects in the Configuration Manager administration console. The Cloud Attach Azure service and the application registration with the Azure Active Directory Tenants. Both of these objects are created when enabling device upload. The latter is a reference to the created app registration in Azure Active Directory.

Figure 4 and Figure 5 provide an overview of the objects that are being synchronized to Microsoft Endpoint Manager admin center. As I’ve selected that all device are synchronized, those figures show that my All Systems collections (9 members) relates to the number (6) found in CMGatewaySyncUploadWorker.log. That’s 9 objects minus the default objects of the unknown computer objects (2) and the provisioning device object.

Figure 6 provides an overview of the devices that are synchronized in the Microsoft Endpoint Manager admin center. In green it shows the ConfigMgr only devices (4) and in red it shows the co-managed devices (2). That brings the total the the 6 device objects that were synchronized.

Figure 7 and Figure 8 provide an overview of the device actions that become available for the synchronized devices. It shows the different locations of these actions for co-managed devices as well as for ConfigMgr only devices. At this moment the device actions of Sync machine policy, Sync user policy and App evaluation cycle are available.

Note: The user performing the actions via the Microsoft Endpoint Manager admin console need to have the appropriate permissions within Configuration Manager.

More information

For more information about enabling device upload in Configuration Manager, please refer to the documentation about Microsoft Endpoint Manager tenant attach: Device sync and device actions.

Changing the primary user of Windows devices

This week is all about the primary user of a Windows device. More specifically about the recently introduced functionality to change or remove the primary user of a Windows device. The primary user is used within Microsoft Intune to map a licensed user to a device. Changing the primary user enables the administrator to switch the primary user of a device from one user to another user, or to switch a device without an assigned primary user (shared device) to a specific user. Besides that, removing the primary user enables the administrator to switch a device from a specific user to a shared device. In this post I’ll start with a short introduction about the primary user (and shared devices), followed by actually changing the primary user. The steps for changing the primary user manually and the places to look at in the Microsoft Graph API for automating the steps.

Introduction to the primary user

Before looking at the possibilities of changing or removing a primary user, it’s good to understand the usage and default configuration of the primary user of a Windows device. That’s why it’s good to start with a short introduction. The primary user is used within Microsoft Intune to map a licensed user to a device. That enables the user to see the device in the Company Portal app and the Company Portal website, and also enables the user to perform self-service actions on that device. Besides that, it helps the administrator when troubleshooting and supporting users.

When a device has no primary user assigned, the Company Portal app detects it as a shared device. Shared devices can be identified with a “shared” label appearing on the device tile in the Company Portal app. On a shared device, the Company Portal app can still be used to request and install available apps. However, self-service actions aren’t available. By removing the primary user of a device, the device is configured to operate in shared mode.

Microsoft Intune automatically adds the primary user to the Windows device during, or soon after, the enrollment of the device. The table below, based on the table in my post about Windows 10 enrollment methods, provides an overview of the user that is added as primary user to the device. When the user performs the enrollment, the primary user is added during enrollment, and when the device is automatically enrolled, the primary user is added during sign in.

Enrollment methodOwnershipPrimary user
Bring Your Own DevicePersonalUser that performs enrollment
Azure AD joinCorporateUser that performs enrollment
Windows AutopilotCorporateUser that performs enrollment
Device Enrollment ManagerCorporateNone
Provisioning packageCorporateNone
Co-managementCorporateFirst user that signs in
Group PolicyCorporateFirst user that signs in

Note: Keep in mind that Windows Autopilot contains multiple scenarios, including a scenario without user interaction. In that case no primary user is assigned.

Changing the primary user

Just before looking at the actual steps of changing the primary user of a Windows device, it’s good to go through a few notes about changing the primary user.

  1. Changing the primary user can take up to 10 minutes to be reflected.
  2. Changing the primary user is currently not possible on co-managed devices.
  3. Changing the primary user does not make any changes on the local device (the local group membership are not adjusted).
  4. Changing the primary user doesn’t change the “Enrolled by” user.
  5. Changing the primary user doesn’t affect the assigned user in Windows Autopilot.

Now let’s have a look at the steps for changing the primary user of a Windows device in the Microsoft Endpoint Manager admin center portal. After looking at the manual steps, I’ll also have a quick look at the Graph API for automating these steps. The steps for removing the primary user are similar and just one click away. When following the four steps below for changing the primary user of the Windows device, the steps for removing the primary user will also become clear (during step 2).

Note: To change the primary user of a Windows device, the administrators should be at least Intune Administrator, Help Desk Operator, School Administrator, or Endpoint Security Manager.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > Windows devices > {DeviceName} > Properties to open the {DeviceName}|Properties blade
  2. On the {DeviceName}|Properties blade, select Change primary user to open the Select primary user blade
  1. On the Select primary user blade, select a user and click Select to return to the {DeviceName}|Properties blade
  2. On the {DeviceName}|Properties blade, click Save

For automation purposes, it might be better to know how to automate the primary user configuration. That can be achieved by using the managedDevices object in the Graph API.

https://graph.microsoft.com/beta/deviceManagement/managedDevices('{managedDeviceId}')/users/$ref

Below is an example of a JSON that should be used for adding a primary user. To create the relationship between the mangedDeviceId and the userId, the JSON contains OData data.

@odata.id: "https://graph.microsoft.com/beta/users/{userId}"

Keep in mind that at the moment of writing this article the required properties are only available in the BETA version of the API and production use is not supported.

More information

For more information about primary users of Windows devices, refer to the following articles: