Combining MAM-WE and app configuration

This blog post is about a potentially really great feature, which is a combination of MAM-WE and app configuration policies. This enables the administrator to provide a preconfigured app, once the end-user signs in to the app with company credentials. I named it a potentially really great feature, because the availability of apps that support this combination of features will make or break the use of this feature. In this post I’ll provide a quick introduction to this feature, followed by a configuration example with the Intune Managed Browser. I’ll end this post with the end-user experience.

Introduction

Let’s start with a quick introduction. MAM-WE with app configuration, also known as MAM targeted configuration, allows an app to receive configuration data through the Intune App SDK. The format and variants of this data (the keys and values) must be defined and communicated by the application owner/developer. The Microsoft Intune administrators can target and deploy the configuration data via the Intune Azure console. The app configuration data is pushed through the MAM Service directly to the app, instead of through the MDM channel.

Configuration

The configuration in this post will be based on the Intune Managed Browser, which is, to my knowledge, currently the only app that works with this great combination of features. At this moment, MAM targeted configuration is available on iOS and Android. For iOS, the app must have incorporated Intune App SDK for iOS (v 7.0.1) and be participating in app configuration settings.

Available settings

Before starting with the actual configuration, let’s start by looking at the available configuration settings. The nice thing is that very recently a few configuration keys have been released by Microsoft. The Intune Managed Browser can now be preconfigured for Azure AD App Proxy redirection, with a specific homepage, with a list of bookmarks and with a list of allowed or blocked websites. That provides us with the following list of keys and example values. The names of the keys provide a clear indication of their configuration usage.

Key Example value
com.microsoft.intune.mam.managedbrowser.AppProxyRedirection true
com.microsoft.intune.mam.managedbrowser.homepage https://www.petervanderwoude.nl
com.microsoft.intune.mam.managedbrowser.bookmarks Search|https://www.google.nl
com.microsoft.intune.mam.managedbrowser.AllowListURLs https://*.petervanderwoude.nl/*
com.microsoft.intune.mam.managedbrowser.BlockListURLs https://*.facebook.com/*

Note: The separation character for multiple bookmarks is || and the separation character for multiple allow/block URLs is |.
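The keys and separators above can be checked before the values are pasted into a policy. The following is an added example, not code from the original post or from Microsoft: a small linter that flags misspelled keys, malformed bookmarks and URL lists that use the wrong separator. The function names and both sample dictionaries are constructed for illustration.

```python
from urllib.parse import urlsplit

PREFIX = "com.microsoft.intune.mam.managedbrowser."
URL_LIST_KEYS = {"AllowListURLs", "BlockListURLs"}
KNOWN_KEYS = {"AppProxyRedirection", "homepage", "bookmarks"} | URL_LIST_KEYS

def url_ok(url):
    """True for an http(s) URL or pattern with a host and no stray '|'."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return "|" not in url and parts.scheme in ("http", "https") and bool(parts.netloc)

def bad_bookmarks(value):
    """Entries of 'Title|URL||Title|URL' that are not one title plus one URL."""
    bad = []
    for entry in value.split("||"):
        title, sep, url = entry.partition("|")
        if not sep or not title.strip() or not url_ok(url):
            bad.append(entry)
    return bad

def lint(settings):
    """Return findings for a dict of configuration key/value pairs."""
    findings = []
    for key, value in settings.items():
        name = key[len(PREFIX):] if key.startswith(PREFIX) else None
        if name not in KNOWN_KEYS:
            findings.append(f"{key}: not spelled like any key in the table")
        elif name == "homepage" and not url_ok(value):
            findings.append(f"{key}: not an http(s) URL")
        elif name == "bookmarks":
            findings += [f"{key}: malformed bookmark {e!r}" for e in bad_bookmarks(value)]
        elif name in URL_LIST_KEYS:
            findings += [f"{key}: bad entry {p!r} (list is split on '|')"
                         for p in value.split("|") if not url_ok(p)]
    return findings

# Constructed sample: the example values above plus a second bookmark and URL.
GOOD = {
    PREFIX + "AppProxyRedirection": "true",
    PREFIX + "homepage": "https://www.petervanderwoude.nl",
    PREFIX + "bookmarks": "Search|https://www.google.nl||Blog|https://www.petervanderwoude.nl",
    PREFIX + "AllowListURLs": "https://*.petervanderwoude.nl/*|https://*.microsoft.com/*",
}
# Constructed sample: both separators swapped and one key misspelled.
BAD = {
    PREFIX + "Homepage": "https://www.petervanderwoude.nl",
    PREFIX + "bookmarks": "Search|https://www.google.nl|Blog|https://www.petervanderwoude.nl",
    PREFIX + "BlockListURLs": "https://*.facebook.com/*||https://*.twitter.com/*",
}
```

Running lint(BAD) reports one finding per mistake, while lint(GOOD) returns an empty list.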

Configure app configuration policy

After looking at the available settings, let’s have a look at the actual configuration. The configuration of MAM targeted configuration can be done by using the Azure portal and following the steps below. After creating the app configuration policy, don’t forget to assign it to a user group.

1 Open the Azure portal and navigate to Intune App Protection > App configuration;
2 Select Add Config to open the Add app configuration blade;
3 On the Add app configuration blade, provide a unique name for the app configuration policy and select App to open the Targeted apps blade;
4 On the Targeted apps blade, select the Managed Browser (Android), the Managed Browser (iOS) and click OK to return to the Add app configuration blade;
5 Back on the Add app configuration blade, select Configuration to open the Configuration blade;
6 On the Configuration blade, provide similar information as the earlier mentioned NAME and VALUE (examples) pairs and click OK to return to the Add app configuration blade;
7 Back on the Add app configuration blade, click Create;

End-user experience

Let’s end this post by looking at the end-user experience. I created an app configuration, as mentioned in this post, but added a couple more bookmarks. Below are a couple of examples of the Intune Managed Browser on an iOS device. On the left is an example of an app configuration including a homepage, and on the right is an example of an app configuration excluding a homepage.


More information

For more information about configuring the Intune Managed Browser, please refer to this article about Manage Internet access using Managed browser policies with Microsoft Intune.

Quick tip: Available token types for app configuration policies

This is a quick and short blog post to create awareness about the existence of token types. Token types are basically just variables that can be used within a property list of an app configuration policy in Microsoft Intune hybrid and Microsoft Intune standalone. This blog post will provide a quick overview about the available token types with example values.

Overview

The following table contains the currently available token types for Microsoft Intune hybrid and Microsoft Intune standalone. Before going through this table, it’s good to know that the {{ and }} characters are used by token types only and should not be used for other purposes.

Token type Example value
{{userprincipalname}} pvanderwoude@petervanderwoude.nl
{{mail}} pvanderwoude@petervanderwoude.nl
{{partialupn}} pvanderwoude
{{accountid}} fcc00012-123e-f479-aabe-abe2a1123b45
{{deviceid}} c7d01dd3-136f-40c5-b843-711e958c4eef
{{userid}} 2dda638e-28b7-4bdc-a4fd-70faaa811010
{{username}} Peter van der Woude
{{serialnumber}} F9FPVD86FCM5
{{serialnumberlast4digits}} FCM5

More information

For more information about iOS apps with mobile app configuration policies, in Microsoft Intune standalone and Microsoft Intune hybrid, please refer to:

Microsoft Intune and the AppConfig Community

This week I would like to write about Microsoft Intune and the AppConfig Community. I want to create some awareness about what the AppConfig Community is and I want to show how even Microsoft Intune can, and will, benefit from that great alliance.

What is the AppConfig Community?

Let’s start with what the AppConfig Community actually is. I could do that by providing my own explanation about the AppConfig Community, but to prevent any possible misinterpretation from my side, I will provide the good and clear explanation as provided on the AppConfig Community website.

The AppConfig Community is a collection of industry leading Enterprise Mobility Management (EMM) solution providers and app developers that have come together to make it easier for developers and customers to drive mobility in business. The community’s mission is to streamline the adoption and deployment of mobile enterprise applications by providing a standard approach to app configuration and management, building upon the extensive app security and configuration frameworks available in the OS. Working together, the members of the AppConfig Community are making it simpler for developers to implement a consistent set of controls so that enterprise IT administrators can easily configure and manage apps according to their business policies and requirements.

Historically, developers used proprietary software development kits (SDKs) to enable configuration and management features of their apps through EMM. This required app developers to build different versions of their apps for each EMM vendor. Now, with the AppConfig Community tools and best practices, developers do not require EMM-specific integrations for many enterprise use cases. End users also benefit from automated features such as an out-of-the-box experience to give the users instant app access without requiring cumbersome setup flows or user credentials.

Microsoft Intune and the AppConfig Community

Let’s continue with how Microsoft Intune works with the AppConfig Community. Well, it’s good to know that, at this moment, Microsoft Intune is not part of the collection of industry leading EMM solution providers that started the AppConfig Community. However, that doesn’t mean that the apps, created with the AppConfig Community standards, won’t work with Microsoft Intune. The XML format used by the AppConfig Community is similar to the XML format used by Microsoft and the Microsoft Intune app partners. In other words, the apps created by the partners, of the AppConfig Community, should also work with Microsoft Intune.

Microsoft Intune example

Now I want to show how Microsoft Intune works with an app, of a partner, of the AppConfig Community, to prove my previous statement. As an example app I use the amazing Nacho Mail app. Not only is it a great email app, it also has a great support team and some awesome configuration options. The support team is more than willing to help with providing the required information to apply app configurations to the Nacho Mail app.

Configuration

As I’m currently looking at multiple mail apps, with one of my customers, I’m also looking at the Nacho Mail app. One of the big pros, of the Nacho Mail app, is the fact that it allows the configuration of the app. It has the ability to configure a mail profile and it even has the ability to apply custom branding to the app. After contacting the support team, of the Nacho Mail app, they provided me with the following configuration key-value-pairs.

Type Key Description
String AppServiceHost Name of server
Integer AppServicePort Port number
String UserName User name
String UserDomain Domain name
String UserEmail User email address
String BrandingName Name of app to be displayed
String BrandingLogo Link to image to be displayed with app

I could use those key-value-pairs to create a mail profile for Office365, including custom branding. It’s not required to specify AppServiceHost with outlook.office365.com, as the Nacho Mail app is intelligent enough to figure it out based on the provided mail address. However, I noticed that it would save me a certificate warning. Below is the configuration that I’ve created; to use this configuration, please refer to my post about App Configuration Policies for iOS.

<dict>
   <key>AppServiceHost</key>
   <string>outlook.office365.com</string>
   <key>BrandingName</key>
   <string>petervanderwoude.nl</string>
   <key>BrandingLogo</key>
   <string>[Specify URL to logo]</string>
   <key>UserEmail</key>
   <string>{{userprincipalname}}</string>
</dict>

Note: I used the {{userprincipalname}} token type that is supported by Microsoft Intune to provide the user principal name of the end-user. However, at this moment Microsoft Intune hybrid seems to be having problems with the supported token types. Microsoft Intune standalone works like a charm.
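A property list like the one above can be checked before it is deployed. The following is an added example, not code from the original posts or from the app vendor: it validates a `<dict>` fragment against the Nacho Mail key table and the token type table from the quick tip earlier on this page, and previews what one user would receive. The function names and the faulty sample are constructed, and matching tokens against the table's exact spelling is an assumption.

```python
import plistlib
import re

# Token types from the table earlier on this page.
TOKENS = {"userprincipalname", "mail", "partialupn", "accountid", "deviceid",
          "userid", "username", "serialnumber", "serialnumberlast4digits"}
# Types per key, as in the Nacho Mail table above.
NACHO_KEYS = {"AppServiceHost": str, "AppServicePort": int, "UserName": str,
              "UserDomain": str, "UserEmail": str, "BrandingName": str,
              "BrandingLogo": str}
TOKEN_RE = re.compile(r"\{\{(.*?)\}\}")

def load_fragment(xml_dict):
    """Parse a bare <dict> fragment by wrapping it in a <plist> root."""
    return plistlib.loads(b'<plist version="1.0">' + xml_dict.encode() + b"</plist>")

def check_policy(xml_dict, schema):
    """Return findings: undocumented keys, wrong types, bad or stray tokens."""
    findings = []
    for key, value in load_fragment(xml_dict).items():
        expected = schema.get(key)
        if expected is None:
            findings.append(f"{key}: key not in the app's documented list")
        elif type(value) is not expected:
            findings.append(f"{key}: expected {expected.__name__}, got {type(value).__name__}")
        if isinstance(value, str):
            for name in TOKEN_RE.findall(value):
                if name not in TOKENS:
                    findings.append(key + ": unknown token type {{" + name + "}}")
            rest = TOKEN_RE.sub("", value)
            if "{{" in rest or "}}" in rest:
                findings.append(f"{key}: stray braces outside a token type")
    return findings

def preview(xml_dict, sample_values):
    """Fill tokens from sample_values to see what one user's app would receive."""
    fill = lambda m: sample_values.get(m.group(1), m.group(0))
    return {k: TOKEN_RE.sub(fill, v) if isinstance(v, str) else v
            for k, v in load_fragment(xml_dict).items()}

# The policy from this post, and a constructed faulty variant.
POLICY = """<dict>
   <key>AppServiceHost</key><string>outlook.office365.com</string>
   <key>BrandingName</key><string>petervanderwoude.nl</string>
   <key>BrandingLogo</key><string>[Specify URL to logo]</string>
   <key>UserEmail</key><string>{{userprincipalname}}</string>
</dict>"""
FAULTY = """<dict>
   <key>AppServicePort</key><string>443</string>
   <key>UserEmail</key><string>{{upn}}</string>
   <key>UserName</key><string>{{partialupn}</string>
</dict>"""
```

check_policy(FAULTY, NACHO_KEYS) reports the string-typed port, the unknown token and the unclosed token; the policy from the post passes without findings.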

End-user experience

After creating the app configuration, it’s time to look at the end-user experience. This time I will show the first two screens of the Nacho Mail app, after installation. That will provide a clear picture about how app configuration policies can be helpful for an end-user. The screenshots on the left show the default start of the Nacho Mail app and the screenshots on the right show the start of the Nacho Mail app after deploying the app together with the app configuration policy.

On the second screenshot, on the right, it clearly shows the complete configuration of the mail profile and my custom branding. I love it!


More information

For more information about the AppConfig Community and mobile app configuration policies, in Microsoft Intune standalone and Microsoft Intune hybrid, please refer to:

App Configuration Policies for iOS apps

This week brings another blog post triggered by a feature introduced in ConfigMgr 1602. And again, it’s about a feature that already existed in Microsoft Intune standalone. This post will be about the App Configuration Policies for iOS apps. These policies can make the life of an end-user a lot easier and are a very welcome addition to Microsoft Intune standalone and Microsoft Intune hybrid.

For now the biggest challenge might be finding the apps that support App Configuration Policies and, maybe even more important, apps that have the settings documented. During the deployment of an app via ConfigMgr, or Microsoft Intune, it’s already visible if an app could support App Configuration Policies. However, a lot of apps have the potential, but not yet the complete implementation.

Introduction

App Configuration Policies in Microsoft Intune hybrid and Microsoft Intune standalone can be used to supply settings that might be required when the end-user runs an app: settings that the end-user would otherwise have to specify manually. Think about settings like a server name, a custom port number, a user name, a password, specific language settings and specific security settings.

If these settings are incorrectly entered by the end-user, this can increase the burden on the service desk, and can also slow the adoption of new apps. App Configuration Policies can help with eliminating these problems by letting the organization deploy these settings to the end-users in a policy before they run the app. The settings are then supplied automatically, and the end-user doesn’t have to perform an action.

These App Configuration Policies are not deployed directly to users and devices. Instead, they are associated with a deployment type during the deployment of the application. The policy settings will be used whenever the app checks for them (typically, the first time it is run).

Configuration

App Configuration Policies are configured per app, because every app supports different settings. In the following configuration examples I’m using the Acronis Access app as an example. During the configuration I will use one specific configuration setting, named enrollmentServerName. For all other supported Acronis Access app configuration settings, please refer to: https://www.acronis.com/en-us/support/documentation/AcronisAccessAdvanced_7.0/index.html#28935.html

Microsoft Intune standalone

The configuration of App Configuration Policies in Microsoft Intune standalone can be achieved by performing the following steps. After the configuration of the App Configuration Policy, it can be used during the deployment of the Acronis Access app.

1 In the Microsoft Intune administration console, navigate to POLICY and click Add...;
2 In the Create a New Policy dialog box, select iOS > Mobile App Configuration Policy and click Create Policy to open the Create Policy page;
3 On the General section of the Create Policy page, specify the following information.

  • Name: [Specify a unique name for the app configuration policy];
  • Description: [Specify details that help identifying the app configuration policy].
4 In the Mobile App Configuration Policy section of the Create Policy page, specify the following information and click Verify;

<dict>
   <key>enrollmentServerName</key>
   <string>[Specify an enrollment server name]</string>
</dict>

5 After verifying the created configuration, click Save Policy.

Microsoft Intune hybrid

The configuration of App Configuration Policies in Microsoft Intune hybrid can be achieved by performing the following steps. After the configuration of the App Configuration Policy, it can be used during the deployment of the Acronis Access app.

1 In the Configuration Manager administration console, navigate to Software Library > Overview > Application Management > App Configuration Policies;
2 On the Home tab, click Create new Application Configuration Policy to open the Create App Configuration Policy Wizard;
3 On the General page, provide the following information and click Next.

  • Name: [Specify a unique name for the app configuration policy];
  • Description: [Specify details that help identifying the app configuration policy].
4 On the iOS Policy page, select Specify name and value pairs (for simple property list files without nesting) and click New to open the Edit Name/Value Pair dialog box.

Note: Select Browse to a property list file (for more complex property list files with nesting) for adding more advanced configurations, or for adding the configuration in an XML format (like with the Microsoft Intune standalone configuration).

5 In the Edit Name/Value Pair dialog box, provide the following information and click OK to return to the iOS Policy page.

  • Type: String;
  • Name: enrollmentServerName;
  • Value: [Specify an enrollment server name].
6 Back on the iOS Policy page, verify the created configuration and click Next.
7 On the Summary page, click Next.
8 On the Completion page, click Close.

End-user experience

Now it’s time to look at the end-user experience. This time I will show the first start of the Acronis Access app after installation. The first screenshot shows the default start of the Acronis Access app and the second screenshot shows the start of the Acronis Access app after deploying the app together with the App Configuration Policy. As I don’t really have a server to connect to, it stops at the connection screen in which it did configure my custom server URL.


More information

For more information about iOS with mobile app configuration policies, in Microsoft Intune standalone and Microsoft Intune hybrid, please refer to: