Conditional Access for PCs – Part I: Requirements

Another new capability that’s added, during the August 2015 update, to Microsoft Intune, is conditional access for PCs that run Office desktop applications to access Exchange Online and SharePoint Online. This nice capability enables us to require that PCs must be either domain joined or compliant. In order to be compliant, the PCs must be enrolled in Microsoft Intune and the PCs must comply with the policies. This capability has more requirements and requires more configurations than most other Microsoft Intune standalone or Microsoft Intune hybrid capabilities. That’s why I decided to make this another blog series. This blog series will contain three parts: Requirements – This part will list all the requirements and the required configurations to start with the different conditional access …

Multiple custom terms and conditions for device enrollment and company access

And we’re back in the Company Portal app. Not just because I think that the Company Portal app is awesome, but also because there’s a new Company Portal app related capability added, during the August 2015 update, to Microsoft Intune. That new capability is that it’s now possible to deploy multiple custom Terms and Conditions for enrollment and company access. A while ago I did a blog post about Custom terms and conditions for using the Company Portal of Microsoft Intune and this post will be an updated version of that post. However, this post will not go into as much detail about the use of different versions, of a single custom Terms and Conditions, as that part is still applicable in the same manner. …

Multi-identity in the managed Outlook app – Part 2

This blog post will show the behavior of the multi identities in the Microsoft Outlook app, as described in my posts about multi-identity in the managed Outlook app – part 1 and the Microsoft Intune Managed Browser. I’ve made four small movies that will show the behavior of the Microsoft Outlook app. A general note with these movies is that they’ll start to blink and act all funny at the moments that a managed app is opened, or when a PIN is required.

Part I – Install and configure the Microsoft Outlook app

In this first part I’ll show how the Microsoft Outlook app behaves during the installation and initial configuration. During this movie I’ll go through the following actions: Open the Company Portal …

The Microsoft Intune Managed Browser

Before I start with the second part of my blog post about multi-identity in the managed Outlook app, I thought it would be wise to make a side-step to the Microsoft Intune Managed Browser first. The main reason for that is that the Microsoft Intune Managed Browser can also have a managed browser policy configured. That policy can have a direct impact on the end-user experience when opening links from the Outlook app. The good thing, for this blog post, is that the Microsoft Intune Managed Browser doesn’t use multiple identities. It’s either managed, or not. This blog post will describe the behavior of the Microsoft Intune Managed Browser. During the second part, of my post about multi-identity in the managed Outlook app, this …

Important note about KB3081699

Good news! Microsoft has just released KB3081699 to fix the issue that Windows Phone Apps cannot be deployed or added to Allowed Apps or Blocked Apps lists via ConfigMgr. This hotfix applies to ConfigMgr 2012 R2 SP1 and ConfigMgr SP2. However, it’s important to note that, even though this hotfix was released after CU1, the current version of this hotfix should be installed before CU1.

Update August 7, 2015: As expected this update is now available in two flavors. In the hotfix request form it’s now possible to select one of the following:

pre-CU1: ConfigMgr_2012_SP2_R2SP1_CU0_QFE_KB3081699_ENU
post-CU1: ConfigMgr_2012_SP2_R2SP1_CU1_QFE_KB3081699_ENU

Whitelist the Microsoft Intune Company Portal app for Windows Phone

This time a short blog post about the Microsoft Intune Company Portal app for Windows Phone. More specifically, about whitelisting the Microsoft Intune Company Portal app for Windows Phone. When whitelists, also known as Allowed Apps lists, are used, for allowing access to applications on a Windows Phone, even the Microsoft Intune Company Portal app has to be added to that list. In that case the Windows Phone Store variant can simply be added, based on the link in the Windows Phone Store, but the Download Center variant is a bit more challenging. In this post I’ll provide the required information to find the app product ID for the Microsoft Intune Company Portal app for Windows Phone. As the app might be updated in the …

Email profile behavior after retiring a mobile device

This blog post will be a follow-up on my blog post of last week about the three layers of protection with conditional access for Exchange email. During that post I tried to stress the importance of protecting, and being in control of, company email. In this blog post I will go through different scenarios to show the behavior of company email after retiring a mobile device from Microsoft Intune. I will show the results of these scenarios for both the native email app and the Outlook app.

Scenarios

Before I start with the different scenarios it’s important to mention that, after a mobile device is successfully retired from Microsoft Intune, the user will be able to configure company email on its mobile device. This is …

The three layers of protection with conditional access for Exchange email

In this blog post I would like to write a little about, what I like to call, the three layers of protection with conditional access for Exchange email. No, I don’t mean that a device has to be 1) enrolled in Microsoft Intune, 2) workplace joined and 3) compliant with any Microsoft Intune compliance policies. What I do mean is related to company data, in this case company email, and the protection of it on mobile devices. That means three different layers of protection for Exchange email on mobile devices. From basic protection to almost complete protection.

The first layer of protection

The first, basic, layer of protection is simply using an Exchange Online Policy, or an Exchange On-premises Policy. These policies make it possible …

New tool: Remote Mobile Device Manager

This blog post will be about a new tool, written in PowerShell, to remotely manage mobile devices. This tool is based on the ConfigMgr SDK and contains all the available options for remotely managing mobile devices. That means it can retire, wipe, lock and pin reset mobile devices. Basically, it’s a version 2.0 of the tool I made a couple of months ago. That tool is limited to the ConfigMgr 2012 R2 functionality, of wipe and retire, and this new tool also contains the ConfigMgr 2012 R2 SP1 functionality, of lock and pin reset. The use case for this tool is still the same. In most cases the service desk is responsible for helping end-users with their mobile devices. What if the company rather not …

Invoke remote device actions via PowerShell

This will be a short blog post about the newly introduced WMI class, in the latest service pack, called SMS_DeviceAction. As I’m currently working on a new tool to remotely manage mobile devices, which will be released soon, I noticed that the SMS_DeviceAction class is used to invoke and query the Lock and PinReset actions. What’s even more important is the fact that the SMS_DeviceAction class isn’t documented, yet. In this blog post I’ll post the required information to successfully query the SMS_DeviceAction class and to successfully invoke the methods of the SMS_DeviceAction class.

Methods

The SMS_DeviceAction class contains the method InvokeAction. The InvokeAction method requires the following input parameters.

Parameter | Data Type | Description
Action | String | This parameter is required and should contain the …
