Remotely collecting diagnostic logs for managed Microsoft 365 apps

This week is sort of a follow-up on a post of more then 5 years ago, about checking diagnostic logs for managed apps on iOS and Android devices. That post was focussed on how to achieve that locally on the device. Since recently, a lot has changed. The local option is still available, but it’s now also possible to remotely collect those diagnostic logs for managed Microsoft 365 apps. That make the troubleshooting of app protection and app configuration policies a lot easier. Without really difficult, or challenging, activities from an user perspective. The main thing that is left for the user, is accepting the remote collections of the diagnostics logs. There are, however, some other details to keep in mind. This post will focus …

Read more

Using a BYOCA with Microsoft Cloud PKI

This week is a follow-up on the post of last week about getting started with Microsoft Cloud PKI (Cloud PKI). This time it’s all about using a bring your own certificate authority (BYOCA) with Cloud PKI. BYOCA is focused on providing organizations with the ability to rely on an existing private CA. That can for example be an existing on-premises PKI infrastructure based on Active Directory Certificate Services (ADCS). BYOCA enables the IT administrator to create an issuing CA in Cloud PKI that is anchored to that existing private CA. By doing that, the issuing CA becomes an extension of the already existing (on-premises) PKI infrastructure. That might take some of the previously mentioned benefits away, as this won’t takeaway all the need to maintain …

Read more

Getting started with Microsoft Cloud PKI

This week is sort of another follow-up on the earlier posts about new Microsoft Intune Suite add-on capabilities. This time it’s all about the latest addition, Microsoft Cloud PKI (Cloud PKI). Cloud PKI provides organizations with a cloud-based service that simplifies and automates the certificate lifecycle management for Intune managed devices. It literally provides a public key infrastructure (PKI) from the cloud. That PKI environment can be built within a few minutes, by simply going through a couple of wizards. Even when relying on at least a two-tier hierarchy, with a root certificate authority (CA) and an issuing CA. There is no longer a need to maintain on-premises servers, connectors, or hardware. Cloud PKI handles the certificate issuance, renewal, and revocation for Intune managed devices. …

Read more

Getting started with web-based device enrollment for iOS devices

This week is all about a new enrollment feature for iOS/iPadOS devices. That feature is web-based device enrollment. Web-based device enrollment is now one of the two device enrollment methods that is available for personal iOS/iPadOS devices. The other method is the already existing device enrollment with the Company Portal app. The main differentiator for web-based device enrollment is that it provides a faster and more user-friendly enrollment experience. It’s no longer required to first download the Company Portal app. Instead the user can just go to the Company Portal website, or start the new enrollment experience via an app that requires a compliant device. More user-friendly and accessible via the favorite browser of the user. Besides that, web-based device enrollment can be used in …

Read more

Getting started with Microsoft Tunnel for Mobile Application Management for iOS/iPadOS

This week is all about one of the new Intune Suite add-on capabilities. The capability of focus is Microsoft Tunnel for Mobile Application Management (Tunnel for MAM) for iOS/iPadOS devices. The Intune Suite add-ons were released at the beginning of March, including a new licensing model, and including Tunnel for MAM. That capability on itself, is available as part of the new Microsoft Intune Plan 2 license. Tunnel for MAM makes it possible to provide access to on-premises resources, on unmanaged devices. Often unmanaged devices are equal to personal-owned devices. So, that provides IT with the flexibility to make that app, with on-premises interaction, available on personal-owned devices. Without requiring the user to enroll that specific device, but still enforcing secure access and guaranteeing full …

Read more

Informing users of newly enrolled devices

This week is all about a nice small new feature that became general available with the latest service release of Microsoft Intune (2301). That feature is enrollment notification. Enrollment notifications provide organizations with an easy method to notify users when a new device is enrolled. That provides organizations with more grip on the devices that are enrolled within the environment, as users will be informed when a new device was enrolled using their credentials. Besides that, it also provides organizations with an alternative method to welcome employees. In other words, a great way to trigger users. Enrollment notifications can be used for Windows, Android, iOS/iPadOS, and MacOS devices that are enrolled by using the user-driven enrollment methods. The notifications can be email notifications and push …

Read more

Managing privacy controls for Office products

This week is all about managing privacy controls for Office products. That includes Office on Android devices, Office on iOS devices, Office for Mac devices, Office for the web, and Microsoft 365 apps for enterprise on Windows devices. Most organizations often already have a good look at the required configurations options for the privacy controls on Windows devices. Office for other platforms, however, are often forgotten. Just like Office for the web. Good thing, though, is that there are nowadays multiple privacy controls available that can be configured for Office on all platforms. For some platforms there are even multiple configurations options. Best part of those configuration options is that there is also an option to configure the privacy controls cross platforms. This post will …

Read more

Creating the path for mobile devices to on-premises resources: A summary

This week a few shorter posts, as my posts this week are extensions of my sessions at the Workplace Ninja Summit 2022. At the summit I did my first session about Creating the path for mobile devices to on-premises resources. During that session I shared information around the architecture and flow of Microsoft Tunnel, I zoomed in on getting up-and-running with Microsoft Tunnel and showed getting insight of Microsoft Tunnel. This post will provide a quick summary of that session by quickly showing the architecture and flow of Microsoft Tunnel and by showing the summary and reminders. The slides (PDF) of that session are available for download here. Architecting Microsoft Tunnel An important part of creating the Microsoft Tunnel infrastructure is a solid architecture. In most cases that …

Read more

Addressing the need for multiple Microsoft Tunnel Gateway servers

This week will focus on addressing the need for multiple Microsoft Tunnel Gateway servers. A single server is easy to setup, and easy to discuss and to describe, but that just a starting point. Often there is a need for multiple Microsoft Tunnel Gateway servers. That could be for providing high availabilty, for supporting the right amount of users and even for providing access to resources on different remote locations. So, it can be multiple servers on the same location and multiple servers on different locations. This post will go through the main scenarios for multiple servers and will focus on the main configurations that should be in place to support and configure those scenarios. No detailed configurations this time. Only descriptions of the main …

Read more

Replacing the TLS certificate for Microsoft Tunnel

This week is a relatively short post that is focused on replacing the Transport Layer Security (TLS) certificate that is used for Microsoft Tunnel. That TLS certificate is used for securing the connection between the mobile devices and the Microsoft Tunnel Gateway and should contain the public name or IP address in its Subject Alternative Name (SAN). Replacing that TLS certificate can be required when the certificate is expired, or when the public name of the Microsoft Tunnel Gateway is changed. Those are a couple of good reasons to replace the TLS certificate. Luckily, those things don’t happen that often, but sadly that also means that it’s always searching for the right actions to perform. This post will walk through the steps that should be …

Read more