Microsoft Intune

Accessing SharePoint and OneDrive content on unmanaged devices

by

This week is all about accessing SharePoint sites and OneDrive accounts on unmanaged devices. More specifically, limiting access to SharePoint and OneDrive content on unmanaged devices. Configuring (limited) access to SharePoint sites and OneDrive accounts starts by using conditional access. For applying conditional access to SharePoint sites and OneDrive accounts, the Office 365 SharePoint Online cloud app, or the recently introduced Office 365 (preview) cloud app can be used. The first cloud app is applicable to all services that depend on SharePoint Online (including OneDrive and Teams). The second cloud app is applicable to all productivity and collaboration services of Office 365. An all-in-one app. However, both of these cloud apps don’t provide really granularity to only apply specific behavior for accessing specific SharePoint sites, …

Read more

Android Enterprise and Microsoft Intune

by

This week is all about the device management jungle of Android Enterprise. I should have discussed this subject a long time ago, but better late than never. Especially when I’m still seeing many question marks when discussing Android Enterprise. With the release of Android 10.0 coming to the different existing Android devices now, the purpose of this post is to create an overview of the different enterprise deployment scenarios of Android Enterprise, including the Microsoft Intune specific additions, and the different related enrollment methods. Everything focussed on providing a good starting point for managing Android devices. The main trigger is the nearing end of Android device administrator with the release of Android 10.0. Earlier I provided the steps for simplifying the migration of Android device …

Read more

Simplifying management of the Google Chrome browser

by

This week is all about simplifying the management of the Google Chrome browser. I’ve done my fair share of posts about different methods for managing settings for the Google Chrome browser, by using Microsoft Intune, like for example by using ADMX-files or by using PowerShell, but it can be easier. It can also be achieved by using Chrome Browser Cloud Management. Chrome Browser Cloud Management is a cloud-based solution that enables the management of the Google Chrome browser across Windows, Mac and Linux devices. In this post I’ll start with a short introduction about Chrome Browser Cloud Management, followed by the steps to enrol Windows devices by using Microsoft Intune. I’ll end this post by looking at the end-user experience. Note: Keep in mind that …

Read more

Simplifying the migration of Android device administrator to Android Enterprise work profile management

by

This week is all about a recently introduced feature that will help organizations with their move away from Android device administrator managed devices to Android Enterprise work profile management. That is a very welcome feature as Google is decreasing device administrator support in new Android releases, which makes difficult for Microsoft Intune (and any other MDM-solution) to adequately manage Android device administrator managed devices starting with Android 10. The feature in Microsoft Intune that will help with moving away from Android device administrator managed devices is a compliance setting that will enable organizations to block devices in a structured manner and to provide a direct migration path to Android Enterprise work profile management. In this post I’ll show how to create and configure a device …

Read more

Enable device upload when already using co-management

by

This week is all about the recently introduced functionality of Microsoft Endpoint Manager tenant attach. More specifically, the device sync and the device action functionalities that become available via the Microsoft Endpoint Manager admin center for Configuration Manager managed devices. This is the first big step into creating an integrated solution for managing all devices. This brings Configuration Manager and Microsoft Intune together into a single console. In this post I’ll start with an introduction to the different cloud integration options, followed by the step for enabling the device upload. I’ll end this post by having a look at what this integration brings from an administrator perspective. Introduction to cloud integration Let’s start with a quick introduction to all the different cloud integration terminologies that …

Read more

Changing the primary user of Windows devices

by

This week is all about the primary user of a Windows device. More specifically about the recently introduced functionality to change or remove the primary user of a Windows device. The primary user is used within Microsoft Intune to map a licensed user to a device. Changing the primary user enables the administrator to switch the primary user of a device from one user to another user, or to switch a device without an assigned primary user (shared device) to a specific user. Besides that, removing the primary user enables the administrator to switch a device from a specific user to a shared device. In this post I’ll start with a short introduction about the primary user (and shared devices), followed by actually changing the …

Read more

Managing local administrators via Windows 10 MDM

by

This week is all about managing local administrators via Windows 10 MDM by using restricted groups. There has been many requests for a post like this after I wrote this post about creating local user accounts. And I have to admit that this post has been on my backlog for a long time. Better late than never, I think. Also, I’m definitely not the first to write about this subject, but I do think that I have some new insights that can be really helpfull. In this post I’ll start with an overview of the options for configuring local administrators on Azure AD joined (and Microsoft Inune managed) devices and reasons for using restricted groups, followed by the steps for configuring restricted groups. I’ll end …

Read more

Using bulk actions for renaming Windows devices

by

A few months ago, I did a blog post about the different ways of renaming Windows 10 devices. This week is a follow-up on that post, as it will also be about renaming Windows devices. This time it’s about using the recently introduced functionality to perform Bulk actions on devices. Those Bulk actions include the action to rename Windows 10 devices in bulk. That Bulk action is also available as a single action on a device and is currently not available for hybrid Azure Active Directory joined devices, nor available for co-managed devices. In this post I’ll show how to perform this action by using the Microsoft Endpoint Manager admin center, followed by using the Microsoft Graph Explorer. I’ll end this post by showing an …

Read more

Using policy sets to group objects

by

This week is all about Policy sets in Microsoft Intune. Policy sets are introduced a few months ago and enable administrators to group management objects that need to be identified and assigned as a single object. That can help with simplifying the administration of the environment. A Policy sets can be a group of almost all different object that are available within Microsoft Intune. That includes objects for different platforms within the same Policy sets. This enables an administrator to use Policy sets for a lot of different use case, from creating a standard for a specific user type to creating a standard set of apps for all users. In this post I’ll walk through the configuration steps and through the different steps I’ll describe …

Read more

Configure FIDO2 security key restrictions

by

This week is all about FIDO2 security keys. More specifically about configuring FIDO2 security key restrictions to make sure that users can only use specific FIDO2 security keys, or to prevent users from using specific FIDO2 security keys. That makes this blog post a follow up on this post about enabling password-less sign-in with security keys. In this post I’ll provide a short introduction about the FIDO2 security key AAGUID (and how to find it), followed by the steps to configure the FIDO2 security key restrictions. I’ll end this post by looking at the end-user experience. FIDO2 security key AAGUID According to the FIDO2 specification each authenticator should provide an Authenticator Attestation GUID (AAGUID) during attestation. An AAGUID is a 128-bit identifier that indicates the …

Read more