Quick tip: Location services required for enhanced jailbreak detection

This week, a short blog post about an end-user experience that might be slightly unexpected when using an iOS device. That experience is the “Turn on location services” compliance message in the Company Portal app. That message is caused by the Enhanced jailbreak detection compliance policy setting, as that setting uses the location services of the iOS device for the enhanced detection. In this post I’ll first show the mentioned end-user experience, as that’s the trigger for this post, followed by the configuration that triggers the experience. End-user experience Let’s start this time by looking at the end-user experience. The user will notice that the iOS device is non-compliant and after opening the Company Portal app, the user will get the message “Turn on location …

Default device compliance status

This week I’m going to look at the recent introduction of the feature to configure the default compliance state for devices when no compliance policies are targeted. This enables additional security for all devices, as it enables administrators to mark devices as non-compliant when no compliance policies are targeted to the device. In this post I’ll start with a short introduction about this security feature, followed by a walk through the configuration. I’ll end this post by looking at the end-user experience. Introduction As should be known by now, compliance policies are basically rules, such as requiring a device PIN, or requiring encryption. These device compliance policies define rules and settings that a device must follow to be considered compliant. The recently introduced security …

Create a WQL query setting for a Configuration Item in ConfigMgr 2012 via PowerShell

Before I start with this blog post I have to give some (read: a lot of) credit to Dexter. He helped me a lot with understanding the SDMPackageXML of a Configuration Item (CI) and also blogged about that experience. Also, this blog post won’t go into the details he already mentioned about modifying the XML and writing it to a CI. Now let’s really start with this blog post. This blog post will be about creating a WQL query setting for a CI and more specifically the road to creating a WQL query setting for a CI. Step 1: Locate the method to create the WqlQuerySetting The first step is to locate the method that can be used to create the WqlQuerySetting. During the installation …

Verify SQL version via Compliance Settings in ConfigMgr 2012

This time I will do a short post about verifying the SQL version(s) via Compliance Settings. I think everybody knows the inventory post for SQL version by Sherry Kissinger, but what if you simply want to know if all your devices are compliant with the company standard (of, for example, SQL Server 2012 SP1 CU5)? Well, this blog post will provide a simple answer to that question, by providing a SQL query-type Configuration Item. Configuration Item The configuration is actually quite simple, as I can simply take advantage of the SELECT @@VERSION query statement. One small thing to take into account is the fact that the configuration item requires a column to be specified and this query doesn’t use/create a named column. The …

Verify SSL Configurations of Site Roles via Compliance Settings in ConfigMgr 2012

This will be a short blog post about the locations in the registry where the SSL configurations are stored for the different site roles. This can be very useful in larger environments, with many sites, site systems and multiple administrators. These registry keys can be used as Configuration Items in a Configuration Baseline. This makes it easier to keep track of the SSL configuration of the environment. Registry Before providing the different locations, I think it’s good to note that most site roles simply use 0 or 1 as values for an SSL configuration. Exceptions to this are the management point and the distribution point. These site roles can have different values based on the connection configuration (intranet and Internet, intranet-only, Internet-only) and CRL …

Verify local administrators via PowerShell and Compliance Settings in ConfigMgr 2012

Everybody probably knows the inventory posts for local administrators by Sherry Kissinger, but what if you want to know the compliance of your devices? What if you “just” want to know if a device is compliant with company defaults for the local administrators? This blog post will provide an answer to that question. It will provide a script, including explanation, that can be used for compliance checks. This blog post won’t go into details about creating the Configuration Item and the additional Configuration Baseline. Script The script that will be the core of this Configuration Item consists of three key parts. Basically, it first finds the members of the local administrators group on the device, then verifies these members and in the end it returns …

Installing Windows Features via Compliance Settings in ConfigMgr 2012

This week’s post will be about Installing Windows Features via Compliance Settings. In most cases the normal route for installing Windows Features will be the application model. But what if checking for the installation of a Windows Feature is part of a Configuration Baseline, is it then possible to make the installation of a Windows Feature also part of the baseline? The answer to this question is, yes. In my case, I have a Windows 8.1 Configuration Baseline and one of the Configuration Items in the baseline checks for the installation of the Telnet Client. When the Telnet Client is not installed a script will start to remediate that by installing the Telnet Client. This way I get the complete compliance of a device, to …

Go to Desktop on Sign In on Windows 8.1 via Compliance Settings in ConfigMgr 2012

This week’s post will be about Going to the desktop, instead of Start, when signing in on Windows 8.1 via Compliance Settings. I will write about the scripts for discovering and remediating this setting, either on a user based, or a computer based configuration, via a Configuration Item. Keep in mind that it won’t be a walkthrough. For a complete step-by-step example, about using scripts in Compliance Settings, take a look at my post about Allowing Direct Installation of Windows 8 Apps via Compliance Settings in ConfigMgr 2012. Of course, in most situations, the preferable way for configuring this setting is via a Group Policy (as described in this great post of Sander Berkouwer). There are only a few reasons not to use a …

Allow Direct Installation of Windows 8 Apps via Compliance Settings in ConfigMgr 2012

This week’s post will be about Allowing Direct Installation of Windows 8 Apps via Compliance Settings and can be seen as either a stand-alone post or a follow-up on my last post about Deploying Certificate Profiles with ConfigMgr 2012. As there are two real requirements to deploy Windows 8 Apps: The Certification Authority (CA), that is used to sign the App, is trusted by the Windows 8 device. Allow Direct Installation of Windows 8 Apps is configured on the Windows 8 device. Of course these settings are configurable via Group Policies (as described in this post), but, to use Group Policies, the device needs to be a member of the domain. So when either the device isn’t domain joined, or the …

Deploying Certificate Profiles with ConfigMgr 2012

This week I want to devote a post to something new in ConfigMgr 2012 R2, which is still in a preview state, called Certificate Profiles. These profiles integrate directly with Active Directory Certificate Services (ADCS), and the Network Device Enrollment Service (NDES) role, to provision managed devices with authentication certificates. This means that another Group Policy setting is coming to ConfigMgr AND, maybe even bigger, this creates a possibility to automatically deploy certificates to non-domain devices. Prerequisites Even though this sounds, to me, really promising for the future of ConfigMgr, there is a small catch. That small catch is the third bullet of the prerequisites, following now: Configuration Manager 2012 Service Pack 1 R2 Install and configure the Certificate Registration Point (which requires the NDES …
