Retiring non-compliant devices with Azure Logic Apps and Adaptive Cards for Teams

This week is another follow-up on the first few weeks of this year. Those weeks the focus was on monitoring the status of the different connectors, certificates, tokens and deployments, while this week the focus is on more than just monitoring. This week will be about non-compliant devices marked to retire. That means querying information and actually performing an action. When looking at device compliance policies, the IT administrator can configure the actions for non-compliance. One of those actions is to configure Retire the noncompliant device. That action, however, won’t actually retire the device and will only add the device to the Retire Noncompliant Devices view. Once added to that view, there is still a manual action required by the IT administrator to actually retire …

Read more

Microsoft Tunnel Gateway: A quick overview

This week my post is a few days later, as my post is an extension of my session at the Nordic Virtual Summit Second Edition. At the virtual summit I did a session about Getting access to on-premises resources with Microsoft Tunnel. During that session I shared the information around the architecture of Microsoft Tunnel and I zoomed in on getting up-and-running with Microsoft Tunnel and getting insight in Microsoft Tunnel. This post will provide a quick summary of that session about the different important components of Microsoft Tunnel and how to get connected to Microsoft Tunnel. Most of that information will be summarized in tables and slides. The slides (PDF) of that session are available for download here. Main components of Microsoft Tunnel The Microsoft Tunnel …

Read more

Simplifying targetting groups of apps with app protection policies

This week is all about the simplification in targetting groups of apps with app protection policies and a followup on my tweet of last week. That tweet provided a quick peak at the new targetting options of app protection policies for Android and iOS/iPadOS devices. The great thing about that simplification is that app protection policies can now be targeted at different categories (or groups) of apps. Those categories of apps are All apps, All Microsoft apps and Core Microsoft apps, and are dynamically updated to include the appropriate apps. That dynamic update will make sure that the already created app protection policies are automatically updated with the latest apps that are available for the different categories and will also make sure that newly created …

Read more

Getting new users quickly up-and-running with Temporary Access Pass

This week is a little follow-up on a post of a couple of months ago and about connecting pieces of the puzzle. That post was around Temporary Access Pass (TAP). Even though that post was focused on Windows devices, it did provide some hints for using TAP on mobile devices (Android, iOS) also. An often seen and heard challenge is related to getting new user up-and-running. Especially when requiring Multi-Factor Authentication (MFA) for device enrollment, or when trying to work completely passwordless. Those scenarios introduce chicken-and-egg situations as a device must be registered for usage with MFA and the registration requires MFA, or when trying to work passwordless and an authentication method must be registered to be able to work passwordless. So, to get a …

Read more

Using filters for assigning apps, policies and profiles to specific devices

This week is all about filters. Filters are basically a super-set of the functionalities of applicability rules – already available for a while for Windows 10 – and are a great new addition to assigning apps policies and profiles to specific devices. Those specific devices are only the devices that meet the specific properties that are configured in the filters. A great method for specifically targeting apps, policies and profiles. This post starts with a short introduction about filters, followed with information about creating and using filters (including the steps for using and creating filters). This post ends with the administrator experience with filters. Introducing filters For device configuration profiles for Windows 10 devices it was already possible to use applicability rules. Applicability rules would …

Read more

Conditional access and registering or joining devices to Azure AD

This week is all about registering and joining devices to Azure Active Directory (Azure AD). More specifically, about requiring multi-factor authentication (MFA) when registering or joining devices to Azure AD. Starting with March 2021, Azure AD contains a new feature in Conditional Access (CA) that provides more flexibility for requiring MFA when registering or joining devices to Azure AD. That new feature is the Register or join devices user action. This post will start with a short introduction about that new user action, followed with the steps to configure that user action. This post will end with a look at sign-in logs. Important: The Register or join devices user action is also the new recommended method for enforcing MFA when registering or joining a device …

Read more

Using Microsoft Defender for Endpoint in app protection policies for Android and iOS

This week is all about some new and exiting functionality related to Microsoft Defender for Endpoint (MDE) that was announced around Microsoft Ignite. That new and exiting functionality is that MDE risk signals can now be used in app protection policies for Android and iOS. Those signals are based on the protection against phishing, unsafe network connections (on Android and iOS), and malicious apps (on Android only). That enables the usage of MDE on unmanaged devices for even better protection of work data. This behavior can be achieved by configuring an integration between MDE and Microsoft Intune, to send the required signals to Microsoft Intune, and by configuring an app protection policy, to create a conditional launch for the app, based on the signals provided …

Read more

Integrating Samsung Knox E-FOTA One with Microsoft Intune

This week is all about Samsung Knox Enterprise Firmware-Over-The-Air (E-FOTA). Samsung Knox E-FOTA is available in three editions, of which Samsung Knox E-FOTA One is the most advanced edition. That edition is also the subject of this post. Knox E-FOTA enables organizations to manage OS versions and security updates on corporate Samsung Knox devices. That enables organizations to extensively test updates on their devices in combination with their apps to make sure that new OS versions and security updates won’t cause any issues. Together with Microsoft Intune that experience can be even better. Microsoft Intune can be used to configure already managed Samsung Knox devices to use Knox E-FOTA and Microsoft Intune can also be used to synchronize groups with Samsung Knox devices to Knox …

Read more

Using Samsung Knox Mobile Enrollment with Microsoft Intune

This week is all about using Samsung Knox Mobile Enrollment (KME) for automatically enrolling Samsung Knox devices into Microsoft Intune. The idea of Samsung KME is similar to Windows Autopilot and Apple ADE. It’s all about streamlining the enrollment experience for corporate-owned devices. By using Samsung KME in combination with Microsoft Intune, a smooth out-of-the-box experience enables users to be up-and-running in no time. That can be achieved by uploading Samsung Knox devices in Samsung KME and assigning MDM profiles to those devices. This post will start with the important prerequisites, followed with the steps for creating a MDM profile in Samsung KME. This post ends with assigning the MDM profile to devices in Samsung KME and a quick look at the user experience. Note: …

Read more

Quick tip: Enable browser access on Android Enterprise corporate-owned devices

This week a quick tip about enabling browser access on Android Enterprise Corporate-Owned Fully Managed devices and Android Enterprise Corporate-Owned devices with Work Profile, to work with device-based Conditional Access. That will enable the user to eventually use different apps for accessing company data. That includes for example using the Chrome browser app for accessing SharePoint Online or Exchange Online. On the Android Enterprise devices, this requires a configuration in the Microsoft Authenticator app. In this post I’ll simply provide the steps that are required within the Microsoft Authenticator app. Note: Before providing the mentioned steps, a big thank you to Pat Freeman for pointing me in the right direction. Enable browser access in the Microsoft Authenticator app When knowing the availability of the setting, …

Read more