Quick tip: Troubleshooting device management failures on Windows 10

This is a short and quick blog post to point out where to start with troubleshooting Windows 10 device enrollment issues and Windows 10 device management issues. To start with troubleshooting, it’s important to know where to find the information about the device enrollment issues and the device management issues. This short and quick post will show the location of that information, starting with Windows 10 build 1511.

Event Viewer

To find the information about the device enrollment issues and device management issues, starting with Windows 10 build 1511, simply perform the following steps:

  • Open the Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider;
  • Select the Admin node to show the available events;
  • (Optional) Select View > Show Analytic and Debug Logs to enable the ability to generate debug logging;
  • (Optional) Right-click the Debug node and select Enable Log to enable detailed logging.

Note: When automatic device enrollment is configured with an Azure AD join, the User Device Registration node will provide helpful information for everything before the device enrollment.
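The same channels the post locates in Event Viewer, read from PowerShell so the events can be filtered and exported from a remote session. This is an added example and not part of the original post; the channel names are the log names behind the Event Viewer nodes the post refers to (the User Device Registration channel name is taken from the node name and is an assumption), and the Debug channel only contains events after it has been enabled.

```powershell
# Added example, not from the original post.
# Reads the DeviceManagement-Enterprise-Diagnostics-Provider channels (plus,
# optionally, User Device Registration for the Azure AD join that precedes
# enrollment) and returns the Critical/Error/Warning events of the last N hours.
function Get-MdmEnrollmentEvent {
    [CmdletBinding()]
    param(
        # How far back to look
        [int]$Hours = 24,
        # Also read the User Device Registration channel (Azure AD join / automatic enrollment)
        [switch]$IncludeDeviceRegistration,
        # Also read the opt-in Debug channel (see Enable-MdmDebugLog below)
        [switch]$IncludeDebug
    )

    $channels = @('Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin')
    if ($IncludeDebug) {
        $channels += 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug'
    }
    if ($IncludeDeviceRegistration) {
        # Assumption: channel name derived from the Event Viewer node name in the post
        $channels += 'Microsoft-Windows-User Device Registration/Admin'
    }

    $since = (Get-Date).AddHours(-$Hours)
    foreach ($channel in $channels) {
        $isDebug = $channel -like '*/Debug'
        $filter = @{ LogName = $channel; StartTime = $since }
        if (-not $isDebug) {
            # Level 1-3 = Critical, Error, Warning: what a failed enrollment leaves behind.
            # Debug events are verbose-level, so no level filter for that channel.
            $filter.Level = 1, 2, 3
        }
        # Debug/Analytic channels can only be read oldest-first, hence -Oldest for that channel
        Get-WinEvent -FilterHashtable $filter -Oldest:$isDebug -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LevelDisplayName,
                          @{ n = 'Channel'; e = { $channel } }, Message
    }
}

# Same as "Enable Log" on the Debug node in Event Viewer; requires an elevated prompt.
function Enable-MdmDebugLog {
    [CmdletBinding()]
    param([switch]$Disable)
    $log = Get-WinEvent -ListLog 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug'
    $log.IsEnabled = -not $Disable
    $log.SaveChanges()
}

# Usage:
# Enable-MdmDebugLog
# Get-MdmEnrollmentEvent -Hours 4 -IncludeDeviceRegistration -IncludeDebug |
#     Sort-Object TimeCreated | Format-Table -Wrap
```

Enable the Debug channel before reproducing the enrollment; events are not written to it retroactively. Disable it again afterwards with `Enable-MdmDebugLog -Disable`, as the channel is verbose.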

More information

For more information about troubleshooting mobile device management failures on Windows 10 devices, please refer to Diagnose MDM failures in Windows 10.

Managing the Configuration Manager console language

Let’s start this new year with a blog post about the Configuration Manager console language. I have to admit that it doesn’t really sound like an exciting subject, but it can be very useful when troubleshooting. Most issues can easily be found on the Internet when using the English language, while many other languages can be a lot more challenging. In this blog post I’ll go through an overview of the Configuration Manager console language behavior, the installation of the English-only Configuration Manager console and the possibility of disabling any additional Configuration Manager console languages.

Note: The activities and theories in this blog post were successfully tested on ConfigMgr 2012 and ConfigMgr 1511.

Configuration Manager console language behavior

Now let’s start with an overview of the behavior of the Configuration Manager console language. During the site server installation, the Configuration Manager console installation files, and configured language packs, are copied to the <ConfigMgrInstallationPath>\Tools\ConsoleSetup subfolder on the site server.

When the installation of the Configuration Manager console is started from that folder, on the site server, the Configuration Manager console, and configured language pack files, are copied to the device. That will make sure that when a language pack is available for the currently configured language on the device, the Configuration Manager console opens in that language. If the associated language pack is not available, the Configuration Manager console will open in English.

Each time the Configuration Manager console opens, it determines the currently configured language on the device, verifies whether an associated language pack is available for the Configuration Manager console, and then opens the console by using the appropriate language pack.

Install English-only Configuration Manager console

After going through the standard behavior of the Configuration Manager console language, it is time to look at some minor adjustments. In case multiple languages were configured during the site server installation, it might be useful to know that it’s still fairly easy to install the Configuration Manager console with the English language only, regardless of the configured language on the device. To do this, simply perform the following steps and install the Configuration Manager console, on any device, in English only.

  • On the site server, navigate to <ConfigMgrInstallationPath>\Tools\ConsoleSetup\LanguagePack;
  • Rename the .msp and .mst files of the languages that should not be installed. In this example, I configured the Dutch language during the site server installation, which means that I should rename the following files.
    • ALP1043.msp to ALP1043.msp.disabled;
    • ALP1043.mst to ALP1043.mst.disabled.

Note: Keep in mind that when a new language is configured on the site server, the .msp and .mst files are recopied to the LanguagePack folder.

Disable Configuration Manager console language

After going through the installation of the Configuration Manager console in English-only, it might be good to know that it’s also possible to temporarily switch a Configuration Manager console to English. That can be very useful when the Configuration Manager console is installed with the currently configured language on the device and it must be opened in English for easier troubleshooting. To do this, simply perform the following steps and open the Configuration Manager console in English.

  • On the device that is running the Configuration Manager console, navigate to <ConsoleInstallationPath>\Bin\;
  • Rename the language folder of the language that is currently configured on the device. In this example, I installed and configured the Dutch language on the device, which means that I should rename the nl folder to nl.disabled.

Note: Keep in mind that when a repair is performed of the Configuration Manager console, the language folder is recopied to the Bin folder.
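Both renames described above (the ALP<LCID>.msp/.mst files in the site server’s LanguagePack folder and the language folder in an installed console’s Bin folder) as one PowerShell function. This is an added example, not part of the original post; the paths in the usage lines stand in for the post’s <ConfigMgrInstallationPath> and <ConsoleInstallationPath> placeholders and are assumptions that must be replaced.

```powershell
# Added example, not from the original post.
# Disables (default) or re-enables one Configuration Manager console language by
# renaming the same files/folders the post renames by hand.
function Set-CMConsoleLanguageState {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 'Central': <ConfigMgrInstallationPath>\Tools\ConsoleSetup on the site server
        #            (affects every console installed from that folder afterwards)
        # 'Local':   <ConsoleInstallationPath> on a device (affects only that console)
        [Parameter(Mandatory = $true)][ValidateSet('Central', 'Local')][string]$Scope,
        [Parameter(Mandatory = $true)][string]$Path,
        # Central: the LCID, e.g. 1043 for Dutch; Local: the folder name, e.g. 'nl'
        [Parameter(Mandatory = $true)][string]$Language,
        # Reverse the rename (x.disabled -> x)
        [switch]$Enable
    )

    $suffix = '.disabled'
    $targets = switch ($Scope) {
        'Central' {
            # ALP<LCID>.msp and ALP<LCID>.mst, enabled or already disabled
            $pattern = '^ALP' + [regex]::Escape($Language) + '\.ms[pt](' + [regex]::Escape($suffix) + ')?$'
            Get-ChildItem -Path (Join-Path $Path 'LanguagePack') -File |
                Where-Object { $_.Name -match $pattern }
        }
        'Local' {
            Get-ChildItem -Path (Join-Path $Path 'Bin') -Directory |
                Where-Object { $_.Name -in @($Language, "$Language$suffix") }
        }
    }

    foreach ($item in $targets) {
        $isDisabled = $item.Name.EndsWith($suffix)
        if ($Enable -and $isDisabled) {
            $newName = $item.Name.Substring(0, $item.Name.Length - $suffix.Length)
        } elseif (-not $Enable -and -not $isDisabled) {
            $newName = $item.Name + $suffix
        } else {
            continue   # already in the requested state
        }
        if ($PSCmdlet.ShouldProcess($item.FullName, "Rename to $newName")) {
            Rename-Item -Path $item.FullName -NewName $newName
        }
    }
}

# Usage, matching the post's Dutch example (paths are assumptions):
# Set-CMConsoleLanguageState -Scope Central -Language 1043 `
#     -Path 'C:\Program Files\Microsoft Configuration Manager\tools\ConsoleSetup'
# Set-CMConsoleLanguageState -Scope Local -Language nl -WhatIf `
#     -Path 'C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole'
```

Run with -WhatIf first to see which files or folders would be renamed. As the notes above say, a new language configured on the site server or a console repair puts the original files back, so the function may need to be run again afterwards.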

More information

For more information about managing the Configuration Manager console language, please refer to the following article: https://technet.microsoft.com/en-US/library/mt605315.aspx#BKMK_ManageConsoleLanguages

Reset passcode via the Company Portal website

This week a blog post about the new ability in the Company Portal website to reset the passcode of a mobile device. Previously only the administrator could reset the end-user’s passcode, but this has changed. Starting with the November update of Microsoft Intune, a new option Reset Passcode is added to the Company Portal website. This option is available when the end-user is looking at the information of a specific mobile device.

In this blog post I will go through the complete end-user experience. Starting with the end-user experience in the Company Portal website, followed by the end-user experience on the mobile device. I will end this post with a summarization per platform that will show the behavior of the (new) passcode.

Also, a bit off topic, but this blog post was a good reason to verify my Remote Mobile Device Manager with the latest version of ConfigMgr and I can say that my Remote Mobile Device Manager fully works with ConfigMgr 1511!

End-user experience in the portal

Now, let’s start with the end-user experience in the Company Portal website. The end-user can log on to any device and use a web browser to navigate to the Company Portal website. After that the end-user can select the device of which the passcode must be reset and simply follow the steps below.

Step 1: In the Company Portal website the end-user must select the mobile device and select Reset Passcode.
Step 2: After selecting Reset Passcode, the end-user will be prompted to sign out and sign in again. Select Sign out.
Step 3: After signing out and signing in again, within 5 minutes, the end-user will be prompted to reset the passcode. Select Reset Passcode.
Step 4: After selecting Reset Passcode, the end-user will be notified that a Passcode reset is pending.
Step 5a: On an iOS device, managed by Microsoft Intune standalone or Microsoft Intune hybrid, the end-user will be prompted within a few minutes with Passcode successfully reset.
Step 5b: On a Windows Phone 8.1 device, managed by Microsoft Intune standalone, the end-user will be prompted within a few minutes with Passcode successfully reset and New Passcode: <Passcode>.
Step 5c: On a Windows Phone 8.1 device, managed by Microsoft Intune hybrid, the end-user will be prompted within a few minutes with Passcode successfully reset.
Step 5d: On an Android device, managed by Microsoft Intune standalone or Microsoft Intune hybrid, the end-user will be prompted within a few minutes with Passcode successfully reset and New Passcode: <Passcode>.

End-user experience on the mobile device

After looking at the end-user experience in the Company Portal website, it’s interesting to look at the end-user experience on the mobile device. As with almost everything, the end-user experience is completely different on every platform. Below the behavior is shown, per platform, after the end-user has performed the reset passcode procedure.

iOS: On an iOS device, the end-user will receive a message to change the passcode within 60 minutes.
Windows Phone 8.1: On a Windows Phone 8.1 device, the end-user will receive a message that the password was reset.
Android: On an Android device, the end-user will receive a notification that a new temporary passcode was set.

End-user experience summarization

The last thing that I want to provide is an overview, per platform and per scenario, of the passcode behavior. In the table below I will show what happens to the passcode and where the new passcode can be found. The scenario refers to Microsoft Intune standalone and Microsoft Intune hybrid.

iOS (standalone and hybrid): Removes the passcode from the device and gives the end-user 60 minutes to set a new passcode.
Windows Phone 8.1 (standalone): Creates a new numeric passcode that is shown to the end-user in the Company Portal website.
Windows Phone 8.1 (hybrid): Creates a new numeric passcode that is currently only available through the ConfigMgr console.*
Android (standalone and hybrid): Creates a new alphanumeric passcode, which is shown to the end-user in the Company Portal website.

*At this moment the end-user experience on a Windows Phone 8.1 device, in a Microsoft Intune hybrid environment, is not working as it should. The end-user has to contact the administrator to get the new passcode. Also, the administrator will only see the new passcode when a passcode reset has been performed before. If this is not the case, the administrator will have to perform another passcode reset to get the required new passcode for the end-user.

More information

For more information about the latest additions to Microsoft Intune, about the Company Portal website, or about my Remote Mobile Device Manager, please refer to:

Enable modern authentication for Exchange Online

This blog post is about enabling modern authentication on Exchange Online. Modern authentication is a requirement for conditional access for PCs. For SharePoint Online it’s enabled by default and for Exchange Online it’s disabled by default. However, that configuration is now available via PowerShell. This post is meant to show how easily this can be achieved now. Previously this required enrolling in the preview program; now it’s publicly available.

Why am I posting about Exchange Online? Well, actually that’s quite simple: I can’t get around it. If I want to configure conditional access in Microsoft Intune standalone or hybrid, I often need to use Exchange Online. In this post I’ll go through five simple steps to connect, verify and configure modern authentication on Exchange Online.

Connect to Exchange Online

The first thing that is required is to connect to Exchange Online. The good thing about connecting to Exchange Online via PowerShell is that it doesn’t require the installation of any additional modules. Simply walk through the following three steps to get connected to Exchange Online.

Step 1: Provide credentials

The first step is to provide the admin credentials for the Office 365 tenant. This can be achieved fairly easily by using the Get-Credential cmdlet. That will show a Windows PowerShell credential request dialog box that can be used for providing these credentials.

$O365Credential = Get-Credential

Step 2: Create a new session

The second step is to create a new remote session to Exchange Online. This can be achieved by using the New-PSSession cmdlet. The session can be created by using the provided credentials and by providing the URI mentioned below.

$EOSession = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $O365Credential -Authentication Basic -AllowRedirection

Step 3: Import the new session

The third step is to import the remote session. This can be achieved by using the Import-PSSession cmdlet. That will import the remote commands into the current session by providing the new session information. To close the remote session again when done, simply use the Remove-PSSession cmdlet.

Import-PSSession $EOSession

Enable modern authentication

The next thing is what this post is actually about, enabling modern authentication on Exchange Online. In two relatively simple steps it’s possible to verify the configuration and to enable modern authentication.

Step 4: Verify the configuration

The fourth step is to verify the current configuration of modern authentication. This can be achieved by using the Get-OrganizationConfig cmdlet. That will get the configuration data for the Exchange organization. In this case simply pipe the result to Select-Object to only show the OAuth* properties; OAuth2ClientProfileEnabled is the one that matters here.

Get-OrganizationConfig | Select Name, OAuth*

Step 5: Enable modern authentication

The fifth step is to truly enable modern authentication. This can be achieved by using the Set-OrganizationConfig cmdlet. That can configure the various settings for the Exchange organization. One of the parameters OAuth2ClientProfileEnabled can be used to enable or disable modern authentication on Exchange Online.

Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true
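The five steps above combined into one function that only changes the setting when it is actually off, reports the state before and after, supports -WhatIf, and always removes the remote session again. This is an added example, not the post’s own script. It assumes the same remote PowerShell endpoint the post uses; that Basic-authenticated endpoint has since been retired by Microsoft in favour of Connect-ExchangeOnline from the ExchangeOnlineManagement module, so on a current tenant the connection part needs to be swapped for that cmdlet.

```powershell
# Added example, not from the original post.
# Connects to Exchange Online, checks OAuth2ClientProfileEnabled (modern
# authentication) and enables it only when it is off.
# Assumption: the legacy outlook.office365.com/powershell-liveid/ endpoint the post
# uses. On a current tenant replace New-PSSession/Import-PSSession with
# Connect-ExchangeOnline (ExchangeOnlineManagement module) and drop Remove-PSSession.
function Enable-EOModernAuthentication {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]$Credential
    )

    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
        -Credential $Credential -Authentication Basic -AllowRedirection
    try {
        # -DisableNameChecking silences the unapproved-verb warning for the imported cmdlets
        Import-PSSession $session -DisableNameChecking -AllowClobber | Out-Null

        $before = [bool](Get-OrganizationConfig).OAuth2ClientProfileEnabled
        Write-Verbose "OAuth2ClientProfileEnabled before: $before"

        if (-not $before) {
            if ($PSCmdlet.ShouldProcess('Exchange Online organization', 'Enable OAuth2ClientProfileEnabled')) {
                Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true
            }
        }

        # Re-read so the caller gets the state as the service reports it, not what was requested
        $after = [bool](Get-OrganizationConfig).OAuth2ClientProfileEnabled
        [pscustomobject]@{
            Before  = $before
            After   = $after
            Changed = ($before -ne $after)
        }
    }
    finally {
        # Always tear the session down; concurrent remote sessions per account are limited
        Remove-PSSession $session
    }
}

# Usage:
# $cred = Get-Credential
# Enable-EOModernAuthentication -Credential $cred -Verbose
```

Run it once with -WhatIf to confirm the connection works before letting it change the organization configuration.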

More information

For more information about modern authentication, Exchange Online and PowerShell please refer to the following links:

The new ability on iOS devices to send diagnostic information

This week a short blog post about the new ability in the updated Microsoft Intune Company Portal app for iOS to send diagnostic information. Previously it was always fun to explain to somebody the method to get the Company Portal Diagnostic Information, as it required the end-user to open the Microsoft Intune Company Portal app and simply start shaking the device. Actually, this is still a possible way to get the Company Portal Diagnostic Information.

New in the latest update of the Microsoft Intune Company Portal app, for iOS, is the ability to send the Company Portal Diagnostic Information via the menu of the Microsoft Intune Company Portal app. This is a new Microsoft Intune Company Portal app ability and is not related to the iOS version.

End-user experience

Now let’s have a look at what the new end-user experience looks like. The end-user has to open the Microsoft Intune Company Portal app and simply walk through the following two steps.

Step 1: Click on the username and select About.
Step 2: Click on Send Diagnostic Report.

Note: After selecting Send Diagnostic Report an email will open, like with shaking the device, that includes the Company Portal-Log.log.

More information

For more information about the new features released in November, please refer to the following article: http://blogs.technet.com/b/microsoftintune/archive/2015/10/28/coming-soon-new-intune-features-including-windows-10-edp-policies.aspx

My Experts Live session and content

November has been a crazy month for me so far. The frequent visitors of my blog might have noticed a complete silence the last couple of weeks. Well, it’s time to break that silence again! This month started with my first MVP Summit and I have to say that it would be awesome to be there again next year!

After that I had the great opportunity to present at Experts Live 2015. I had a session about conditional access and mobile application management. This post will contain the slide deck of that session and the movies of the demos. The sessions were not recorded, but as I always create movies of my demos, as a backup scenario, I thought let’s post those movies instead.

Slide deck

Let’s start with the slide deck of my session. The PDF of my slide deck will be made available on the site of Experts Live and is available for download on my own site by clicking on the picture of my slide deck here on the side. This will start a direct download.

Demos

Let’s continue with the bigger part of this post, the movies of my demos. These movies were created as a backup scenario, in case there would be a problem with the Internet connection. Even to those that attended my session, these movies will include new information. During my session I could only show the Microsoft Intune hybrid configurations, due to time considerations. These movies also include the Microsoft Intune standalone configurations.

Demo – Conditional access on Exchange Online and SharePoint Online

During this demo I’ll walk through the end-user experience for conditional access. This provides a clear overview of what conditional access is and what it will mean for the end-user. During this demo I’ll go through the following actions, on a Dutch iPad:

  • Go to Settings > General and show the missing Management Profile;
  • Go to Settings > Mail and add <user>@petervanderwoude.nl;
  • Open the native mail app and show the conditional access email;
  • Open the Microsoft Outlook app and show the enrollment message for <user>@petervanderwoude.nl;
  • Open the Microsoft Intune Company Portal app and walk through the steps to enroll the device;
  • During the enrollment solve the issue with the configured mail profile;
  • Open the native mail app and show the access to <user>@petervanderwoude.nl;
  • Open the Microsoft Outlook app and show the access to <user>@petervanderwoude.nl.

Demo – Configuring conditional access on Exchange Online and SharePoint Online

During this demo I’ll walk through the settings that are available for configuring compliance policies and conditional access on Exchange Online and SharePoint Online for Microsoft Intune standalone and hybrid. This demo is cut in four parts: one for conditional access on Exchange Online, one for conditional access on SharePoint Online, one for compliance policies in Microsoft Intune hybrid and one for compliance policies in Microsoft Intune standalone. During the first part I’ll go through the following actions:

  • Open the Configuration Manager console and navigate to Assets and Compliance;
  • Navigate to Compliance Settings > Conditional Access > Exchange Online;
  • Select Configure conditional access policy in the Intune console;
  • Select Enable conditional access policy for Exchange Online;
  • Walk through the settings for apps using modern authentication;
  • Walk through the settings for apps using basic authentication;
  • Walk through the targeted and exempted groups;
  • (Additional) Show the Service to Service Connector.

During the second part I’ll go through the following actions:

  • Open the Configuration Manager console and navigate to Assets and Compliance;
  • Navigate to Compliance Settings > Conditional Access > SharePoint Online;
  • Select Configure conditional access policy in the Intune console;
  • Select Enable conditional access policy for SharePoint Online;
  • Walk through the settings for apps using modern authentication;
  • Walk through the targeted and exempted groups.

During the third part I’ll go through the following actions:

  • Open the Configuration Manager console and navigate to Assets and Compliance;
  • Navigate to Compliance Settings > Compliance Policies;
  • Select Create Compliance Policy;
  • Walk through the available Rules and the impact of the selected Platform;
  • Walk through the Deployment Settings.

During the fourth part I’ll go through the following actions:

  • Open the Microsoft Intune console and navigate to POLICY > Configuration Policies;
  • Select Add…;
  • Walk through the available Policy Settings;
  • Walk through the Deployment options.

Demo – Mobile application management

During this demo I’ll walk through the end-user experience for mobile application management. This provides a clear overview of what can be achieved with mobile application management and what the experience will be for the end-user. This demo is cut in two parts: one for starting to manage an app and one for the managed app experience. During the first part of this demo I’ll go through the following actions, on a Dutch iPad:

  • Go to Settings > General and show the missing apps in the Management Profile;
  • Open the Microsoft Intune Company Portal app;
  • Install, configure and allow management of the Microsoft Outlook app;
  • Go to Settings > General and show the Microsoft Outlook app in the Management Profile.

During the second part of this demo I’ll go through the following actions, on an English iPad:

  • Open the Microsoft Outlook app;
  • Walk through the behavior of blocked and allowed URLs from company email;
  • Walk through the behavior of copying and pasting content from company email;
  • Walk through the behavior of attachments in company email.

Demo – Configuring mobile application management

During this demo I’ll walk through the settings that are available for configuring mobile application management for Microsoft Intune standalone and hybrid. This demo is cut in two parts: one for Microsoft Intune hybrid and one for Microsoft Intune standalone. During the first part I’ll go through the following actions:

  • Open the Configuration Manager console and navigate to Software Library;
  • Navigate to Application Management > Application Management Policies;
  • Select Create Application Management Policy;
  • Walk through the Policy Types and the impact on the Policy Settings;
  • Walk through the Deployment options.

During the second part I’ll go through the following actions:

  • Open the Microsoft Intune console and navigate to POLICY > Configuration Policies;
  • Select Add…;
  • Select Software > Mobile Application Management (iOS 7.1 and later);
  • Select Create a Custom Policy;
  • Walk through the available Policy Settings;
  • Walk through the Deployment options.

Demo – Retire mobile device

The last demo showed the impact of retiring a mobile device. This is the only demo that I didn’t record, simply because I made it up at the last moment and I didn’t decide until the end of the session how I was going to retire the mobile device. Depending on the available time I would pick between the Configuration Manager console, PowerShell, or the iPad.

Role-based administration: The advanced case of no read resource rights in any collection

This week a pure ConfigMgr post, and I have to admit that it’s been a long time since the last one. This blog post will be about the role-based administration model and a really specific issue that I ran into. This post will contain the scenario, the problem and a PowerShell script to get the complete solution.

Scenario

Let’s start with a short description of the scenario that I’m dealing with. The environment has a lot of different administrators, all with different collections of devices that they’re managing. As an example of the structure, see the screenshot on the right that shows different collection structures that are limited to the All Systems collection. In this example every administrator would be limited to their own top-level collection and, by that, automatically inherit permissions to the collections limited to that collection.

Problem

There is no problem with a collection structure like this; in fact, the role-based administration model is built for structures like this. However, the problem that we were suddenly seeing was that administrators were not able to remove or edit collection membership rules of some collections that were limited to their top-level collection. Looking at the same scenario, we were seeing that an administrator that was limited to the PTCLOUD_Level 2 collection was not able to edit the collection membership rules of the PTCLOUD_Level 2.1 collection. The very cryptic error message User "PTCLOUD\lvanderwoude" has no read resource rights in any collection for this ResourceID would show.

After digging in to this I suddenly noticed that for some reason the PTCLOUD_Level 2.1 collection contained a direct membership rule of a device that did not exist in the PTCLOUD_Level 2 collection. That can happen when an administrator with permissions on a level higher added that direct membership rule.

Solution

The solution for this problem is easy, simply remove that direct membership rule, with an administrator with permissions on a level higher, and everything will work as designed again. However, when that collection has a lot of direct membership rules it might be hard to determine which direct membership rule is causing the problem. That’s why I created a small, but effective, PowerShell script. Let’s quickly go through the highlights of the script.

Step 1: Get the required information

The first step that I need is to get information. I need to get the resources that the administrator has permissions to, which means the resources in the top-level collection, and I need the collection membership rules of the problematic collection. Keep in mind that I need the collection membership rules and not the collection members. That’s a big difference. To get the required information I used the Get-CMDevice and the Get-CMDeviceCollection cmdlets.

$AllResourceIDs = (Get-CMDevice `
    -CollectionName $TopCollection).ResourceId
$ProblemCollectionRules = (Get-CMDeviceCollection `
    -Name $ProblemCollection).CollectionRules

Step 2: Get the device direct membership rules

The second step that I need to do is to filter the collection membership rules of the problematic collection. In this case I’m only interested in the direct membership rules for devices. To filter that information I looked for the collection membership rules with the ResourceClassName of SMS_R_System.

foreach ($ProblemCollectionRule in $ProblemCollectionRules) {
    if ($ProblemCollectionRule.ResourceClassName -eq "SMS_R_System") {
        $DirectResourceIDs += $ProblemCollectionRule.ResourceID
    }
}

Step 3: Compare the two lists with resources

The third step that I need to do is to compare the two lists with resources that I created. To compare the two lists I used the Compare-Object cmdlet and to eventually get a readable device name I went back to the Get-CMDevice cmdlet.

$ResultList = Compare-Object $AllResourceIDs $DirectResourceIDs
# Compare-Object returns one object per difference, so check the
# SideIndicator of each result; "=>" means the ResourceID only exists
# in the direct membership rules and not in the top-level collection
foreach ($Result in $ResultList) {
    if ($Result.SideIndicator -eq "=>") {
        Write-Output (Get-CMDevice -ResourceId $Result.InputObject).Name
    }
}

Step 4: Final notes

The fourth and last step is more about some notes for completion. To use the above lines of code, make sure to import the ConfigurationManager module and make sure to provide the following variables. Keep in mind that I’ve set the values to match my example.

$AllResourceIDs = @()
$DirectResourceIDs = @()
$TopCollection = "PTCLOUD_Level 2"
$ProblemCollection = "PTCLOUD_Level 2.1"
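The four steps above combined into one function that returns the devices that are direct members of the problem collection but not members of the administrator’s top-level collection. This is an added example, not the post’s own script. It assumes the ConfigurationManager module that ships with the console (located via the SMS_ADMIN_UI_PATH environment variable) and a site code, given here as P01, which is an assumption to be replaced; it also has to be run by an administrator whose scope includes both collections, otherwise the offending device names cannot be resolved.

```powershell
# Added example, not from the original post.
# Finds direct membership rules in $ProblemCollection that point at devices
# outside $TopCollection, i.e. the resources a scoped administrator has no
# read rights on. Assumptions: ConfigurationManager module from the console
# installation; $SiteCode (e.g. 'P01') must be replaced with the real site code.
function Find-CMOrphanedDirectMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$TopCollection,
        [Parameter(Mandatory = $true)][string]$ProblemCollection,
        [Parameter(Mandatory = $true)][string]$SiteCode
    )

    # The ConfigMgr cmdlets only work from the site drive (<SiteCode>:)
    Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop
    Push-Location "$($SiteCode):"
    try {
        # What the scoped administrator can read: the members of the top-level collection
        $allResourceIDs = @(Get-CMDevice -CollectionName $TopCollection |
            Select-Object -ExpandProperty ResourceId)

        # Membership *rules* of the problem collection, not its evaluated members;
        # only direct rules for devices (SMS_R_System) can point at an unreadable resource
        $rules = (Get-CMDeviceCollection -Name $ProblemCollection).CollectionRules
        $directResourceIDs = @($rules |
            Where-Object { $_.ResourceClassName -eq 'SMS_R_System' } |
            Select-Object -ExpandProperty ResourceID)

        if ($directResourceIDs.Count -eq 0) { return }

        if ($allResourceIDs.Count -eq 0) {
            # Compare-Object rejects an empty reference set; with an empty top-level
            # collection every direct rule is outside the administrator's scope
            $orphaned = $directResourceIDs
        } else {
            # "=>" marks IDs that exist only in the direct rules
            $orphaned = Compare-Object -ReferenceObject $allResourceIDs -DifferenceObject $directResourceIDs |
                Where-Object { $_.SideIndicator -eq '=>' } |
                Select-Object -ExpandProperty InputObject
        }

        foreach ($id in $orphaned) {
            $device = Get-CMDevice -ResourceId $id
            [pscustomobject]@{
                ResourceId = $id
                Name       = if ($device) { $device.Name } else { '<not readable by this account>' }
                Collection = $ProblemCollection
            }
        }
    }
    finally {
        Pop-Location
    }
}

# Usage, matching the post's example (site code is an assumption):
# Find-CMOrphanedDirectMember -SiteCode 'P01' `
#     -TopCollection 'PTCLOUD_Level 2' -ProblemCollection 'PTCLOUD_Level 2.1'
```

The function only reports; removing the offending rule is then a matter of calling Remove-CMDeviceCollectionDirectMembershipRule with the collection name and the reported ResourceId, as the higher-level administrator.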

The conditional access flow of the other Office apps

This week something similar to last week: this week I’ll be looking at the conditional access flow of the other Office apps. By that I basically mean every Microsoft app, connecting to Office 365 using modern authentication, except for the Outlook app for iOS and Android. Like last week I’ll be looking at a high level from a component perspective. It will be like a what-happens-when-and-where flow. The biggest difference with the Outlook app for iOS and Android is that the other Office apps don’t use the Outlook Cloud Service and instead go directly, with their access token, to Office 365.

Before I start with the what-happens-when-and-where flow, I think it’s important to again first provide a bit of information about Active Directory Authentication Library (ADAL)-based authentication and the Open Authorization (OAuth) protocol in combination with Office 365. These components make up the what-happens-when-and-where flow. During this post I’ll use the Word app as an example for the other Office apps.

ADAL-based authentication

The Word app uses ADAL-based authentication to access Office 365. ADAL-based authentication enables the Word app to use browser-based authentication with Office 365 and facilitates a sign-in with Azure AD. This allows the end-user to sign in directly to the Office 365 identity provider, which can be Azure AD, or a federated identity provider like AD FS, instead of providing credentials directly to the Word app.

OAuth for Office 365

The ADAL-based sign-in enables OAuth for Office 365 accounts. By enabling OAuth it provides the Word app with a secure mechanism to access Office 365 content without requiring access to end-user credentials. At sign-in, the end-user authenticates directly with the Office 365 identity provider, which can be Azure AD, or a federated identity provider like AD FS, and receives an access token in return. That token grants the Word app access to the appropriate content in Office 365.

Conditional access flow

Now let’s have a look at how everything fits together in the what-happens-when-and-where flow for conditional access of the Word app.

WordApp_CA

1. Authenticate user and device – The Word app uses ADAL-based authentication to authenticate the end-user with Azure AD.
A. Not compliant/ registered – When the device of the end-user is not compliant, or not registered, the end-user will receive a message to enroll the device including a link to the Company Portal app.
B. Register device | Enroll device – When the end-user performs the required activities, the device will be registered in Azure AD and the device will be enrolled in Microsoft Intune.
C. Set device management/ compliance status – After the device is enrolled it has to be evaluated by Microsoft Intune to see if it’s compliant with the company policies. When the device is considered compliant, the required properties in Azure AD will be set (DeviceId, isManaged and MDMStatus).
2. Issue access token – When the device is registered and compliant, the Word app gets the access token and the refresh token that are required for accessing Office 365.
3. Access with AAD token – The Word app provides the access token to Office 365.
4. Access to content provided – Based on the access token Office 365 will provide the end-user with access to the company content in the Word app.

More information

For more information about the Office apps, conditional access and SharePoint Online, please refer to the following links:

The conditional access flow of the Outlook app for iOS and Android

This week something completely different: this week I’ll be looking at the conditional access flow of the Outlook app for iOS and Android. By that I don’t mean that I’ll be looking at the high-level decision flow, which is available on TechNet, but more from a component perspective. It will be more of a what-happens-when-and-where flow.

Before I start with the what-happens-when-and-where flow, I think it’s important to first provide a bit of information about Active Directory Authentication Library (ADAL)-based authentication, the Open Authorization (OAuth) protocol and the Outlook Cloud Service in combination with Office 365. These components make up the what-happens-when-and-where flow.

ADAL-based authentication

The Outlook app for iOS and Android uses ADAL-based authentication to access Office 365. ADAL-based authentication enables the Outlook app for iOS and Android to use browser-based authentication with Office 365 and facilitates a sign-in with Azure AD. This allows the end-user to sign in directly to the Office 365 identity provider, which can be Azure AD, or a federated identity provider like AD FS, instead of providing credentials directly to the Outlook app for iOS and Android.

OAuth for Office 365

The ADAL-based sign-in enables OAuth for Office 365 accounts. By enabling OAuth it provides the Outlook app for iOS and Android with a secure mechanism to access email without requiring access to end-user credentials. At sign-in, the end-user authenticates directly with the Office 365 identity provider, which can be Azure AD, or a federated identity provider like AD FS, and receives an access token in return. That token grants the Outlook app for iOS and Android access to the appropriate mailbox, in Office 365, of the end-user (via the Outlook Cloud Service).

Outlook Cloud Service

The Outlook app for iOS and Android also uses the Outlook Cloud Service, which is an aggregation service to help the end-user with grabbing email. The Outlook app for iOS and Android uses OAuth for all accounts that support it, which includes Office 365. OAuth provides the Outlook app for iOS and Android with a secure mechanism to access Office 365 and the Outlook Cloud Service without needing the end-user credentials.

Conditional access flow

Now let’s have a look at how everything fits together in the what-happens-when-and-where flow for conditional access of the Outlook app for iOS and Android.

(Figure: conditional access flow of the Outlook app for iOS and Android)

1. Authenticate user and device – The Outlook app for iOS and Android uses ADAL-based authentication to authenticate the end-user with Azure AD.
A. Not compliant/registered – When the device of the end-user is not compliant, or not registered, the end-user receives a message, or an email, describing the steps to enroll or to get compliant.
B. Register device | Enroll device – When the end-user performs the required activities, the device is registered in Azure AD and enrolled in Microsoft Intune.
C. Set device management/compliance status – After the device is enrolled, Microsoft Intune evaluates it against the company policies. When the device is considered compliant, the required properties in Azure AD are set (DeviceId, isManaged and MDMStatus).
2. Issue access token – When the device is registered and compliant, the Outlook app for iOS and Android gets the access token and refresh token that are required for accessing Office 365.
3. Access with AAD token – The Outlook app for iOS and Android provides the required access token to the Outlook Cloud Service.
4. Verify access token – The Outlook Cloud Service verifies with Azure AD that the access token is valid. When the access token is valid, the Outlook Cloud Service obtains a second security token that authorizes it to request email on behalf of the end-user.
5. Get company email – The Outlook Cloud Service gets the company email for the end-user from Office 365.
6. Email delivered – The Outlook Cloud Service delivers the company email for the end-user to the Outlook app for iOS and Android.
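The two flows above (the Word app flow and the Outlook app flow) share the same gating logic: a token is only issued once the device object in Azure AD carries DeviceId, isManaged and MDMStatus, and the resource must verify the token before acting on the end-user's behalf. The following is an added, constructed model of steps 1 to 4, not Microsoft code and not the behaviour of Azure AD, Intune or the Outlook Cloud Service: a toy device directory, a toy identity provider and a toy resource-side verifier, with an HMAC-signed token and a shared key standing in for the real, asymmetrically signed token (the issuer URL, device id, user name and audience name are assumptions of the model).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key shared by the toy identity provider and the toy
# resource. Assumption of the model only: a real IdP signs with a private key
# and the resource validates against the published public key.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
ISSUER = "https://idp.example"  # constructed issuer, not a real endpoint


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class DeviceDirectory:
    """Stands in for the Azure AD device object plus the Intune evaluation
    (step 1: register and enroll, then set DeviceId / isManaged / MDMStatus)."""

    def __init__(self):
        self.devices = {}

    def register(self, device_id: str) -> None:
        # Step 1B: registration creates the object; nothing is managed yet.
        self.devices[device_id] = {"DeviceId": device_id,
                                   "isManaged": False, "MDMStatus": None}

    def set_compliance(self, device_id: str, compliant: bool) -> None:
        # Step 1C: the MDM evaluates the device and writes the properties.
        dev = self.devices[device_id]
        dev["isManaged"] = True
        dev["MDMStatus"] = "Compliant" if compliant else "NonCompliant"

    def is_compliant(self, device_id: str) -> bool:
        dev = self.devices.get(device_id)
        return bool(dev and dev["isManaged"] and dev["MDMStatus"] == "Compliant")


class IdentityProvider:
    """Toy stand-in for Azure AD: issues a signed access token (step 2) only
    when the device passes the conditional access check."""

    def __init__(self, directory: DeviceDirectory):
        self.directory = directory

    def issue_access_token(self, user: str, device_id: str, audience: str, ttl=3600):
        if not self.directory.is_compliant(device_id):
            # Step 1A: the app gets a remediation message instead of a token.
            return None, "device not registered or not compliant: enroll and get compliant"
        now = int(time.time())
        claims = {"iss": ISSUER, "aud": audience, "sub": user,
                  "deviceid": device_id, "iat": now, "exp": now + ttl}
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
        sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64url(sig)}", None


def verify_access_token(token: str, expected_audience: str, now=None):
    """Step 4, resource side: check signature, issuer, audience and expiry
    before acting on behalf of the user. Returns (claims, error)."""
    try:
        header, payload, sig = token.split(".")
        presented_sig = _b64url_decode(sig)
    except (ValueError, base64.binascii.Error):
        return None, "malformed token"
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented_sig):
        return None, "bad signature"  # checked before any claim is trusted
    claims = json.loads(_b64url_decode(payload))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        return None, "unexpected issuer"
    if claims.get("aud") != expected_audience:
        return None, "token issued for a different audience"
    if now >= claims.get("exp", 0):
        return None, "token expired"
    return claims, None


def run_flow(compliant: bool) -> dict:
    """Drive steps 1 to 4 for one constructed device and report the outcome."""
    directory = DeviceDirectory()
    idp = IdentityProvider(directory)
    directory.register("dev-0001")                      # constructed device id
    directory.set_compliance("dev-0001", compliant)
    token, err = idp.issue_access_token("alice@example.com", "dev-0001",
                                        audience="outlook-cloud-service")
    if token is None:
        return {"token_issued": False, "reason": err}
    claims, err = verify_access_token(token, "outlook-cloud-service")
    return {"token_issued": True, "verified": err is None,
            "user": claims["sub"] if claims else None}


if __name__ == "__main__":
    print(run_flow(compliant=False))   # no token, remediation message
    print(run_flow(compliant=True))    # token issued and verified
```

The point the model makes is that the compliance decision lives at token issuance, not at the resource: the Outlook Cloud Service (step 4) only checks that the token is genuine, unexpired and issued for it, and must reject an otherwise valid token meant for another audience.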

More information

For more information about the Outlook app for iOS and Android, conditional access and Exchange Online, please refer to the following links:

The new managed app installation experience on iOS 9 devices

This week a short blog post about the new managed app installation experience for end-users on iOS 9 devices, as the old experience was a huge pain. One of the most-heard complaints about managed apps on iOS was that the end-user had to manually uninstall their personally-installed app first. Only after that could the managed app be installed and really work and act like a managed app.

New in iOS 9 is the ability to convert a personally-installed app to a managed app. This allows Microsoft Intune (standalone and hybrid) to take over the management of a personally-installed app and turn it into a managed app, of course only after the user’s permission. This is really an iOS 9 ability and does not affect devices with iOS 8 and earlier.

End-user experience

Now let’s have a look at what the new end-user experience looks like. This experience is the same for required and available deployed managed apps. At the moment of the installation of the managed app, the end-user gets one of the following prompts, depending on their situation: when the app is not yet installed, the Install managed app prompt applies, and when the app is already personally-installed, the Manage managed app prompt applies.

  • Install managed app: “i.manage.microsoft.com” is about to install and manage the app “Word” from the App Store. Your iTunes account will not be charged for this app.
  • Manage managed app: Would you like to let “i.manage.microsoft.com” take management of the app “Microsoft Word”? Your app data will become managed.

Note: Keep in mind that after allowing the management of the personally-installed app, the app will be a fully managed app. That also means that the app and its data will be removed after the removal of the management profile.

More information

For more information about the new iOS 9 features, please refer to the following article about the Day Zero Support for iOS 9 with Intune.