Thursday, 6 October 2016

Use REST APIs to access Microsoft Intune data

Microsoft recently published information on using REST API calls to communicate with Intune to retrieve management data. This is really cool. It uses Microsoft Graph, which exposes multiple APIs from Microsoft cloud services. The data retrieved can be very useful in troubleshooting.

So how do we get started?

Navigate to Graph Explorer

See the Graph Explorer interface. Click Sign in to access the Intune service. A new page opens and you are prompted to log in.

You are then warned that the API Explorer needs permission to the following (it's a lot but remember this is also for Office 365, not just Intune):

  • Sign you in and read your profile  
  • Read and write access to your mail   
  • Read directory data  
  • Access the directory as you  
  • Read your files  
  • View your basic profile  
  • Read and write selected files  
  • Have full access to your calendars   
  • Read and write all users' full profiles  
  • Read items in all site collections  
  • Create, read, update and delete your tasks and projects (preview)  
  • View your OneNote notebooks (preview)  
  • Sign in as you  
  • Read your calendars   
  • Read and write all groups  
  • Read selected files  
  • Read your mail   
  • Have full access to your files  
  • Read all groups  
  • View and modify your OneNote notebooks (preview)  
  • View your email address  
  • View and modify OneNote notebooks that you can access (preview)  
  • Access your data anytime  
  • Have full access to the application's folder  
  • Read and write to your mailbox settings (preview)  
  • Have full access to all files you have access to  
  • Read identity risk event information  
  • Create pages in your OneNote notebooks (preview)  
  • Read all users' full profiles  
  • Read all users' basic profiles  
  • Read and update your profile  
  • Read your relevant people list (preview)  
  • Read and write directory data  
  • Have full access of your contacts   
  • Read all files that you have access to  
  • View OneNote notebooks that you can access (preview)  
  • Sign you in and read your profile  
  • Send mail as you   
  • Limited access to your OneNote notebooks for this app (preview)  
  • Read your tasks  
  • Read your contacts
You have to accept this to continue.....

....and now you're ready to query for information.

So how does it work?

The interface uses GET and POST REST APIs to communicate with the service backend to retrieve data for various items. The commands are URLs, but they won’t work in a browser; you must use them in the Graph Explorer URL bar.

So what kind of information can we get?

Here are some examples:

1. Get data relating to all devices for a specific user (replace the user UPN in the URL)

In my case the URL is:

See the output for a specific device. Useful troubleshooting information is returned.

"approximateLastSignInDateTime": "2016-04-25T12:25:58Z",
"deviceId": "85a9e8e4-21cb-45cc-87f5-8c2056a3c18e",
"deviceMetadata": null,
"deviceVersion": 2,
"displayName": "gerry_Android_4/25/2016_12:26 PM",
"isCompliant": false,
"isManaged": true,
"onPremisesLastSyncDateTime": null,
"onPremisesSyncEnabled": null,
"operatingSystem": "Android",
"operatingSystemVersion": "4.4.2",
"physicalIds": [],
"trustType": "Workplace"
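The same device data can be pulled by a script instead of the Graph Explorer once you have an access token, which is handy when you want to triage many devices at once. The following is an added example and not code from the original post or from Microsoft: the endpoint name GRAPH_DEVICES_URL (a user's registered devices in Graph v1.0) is an assumption, the sample response wraps the device record shown above in a Graph collection envelope, and the second device record is constructed for contrast. It flags managed devices that are not compliant and devices that have not signed in for a configurable number of days.

```python
"""Triage Intune/Azure AD device records returned by Microsoft Graph.

Added example (not from the original post). It assumes a Graph collection
response of the shape {"value": [ {...device...}, ... ]}; the endpoint below
is an assumption and the sample records are constructed.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumed endpoint: devices registered to a user, addressed by UPN.
GRAPH_DEVICES_URL = "https://graph.microsoft.com/v1.0/users/{upn}/registeredDevices"

# Constructed sample: the record from the post plus one made-up compliant device.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {
            "approximateLastSignInDateTime": "2016-04-25T12:25:58Z",
            "deviceId": "85a9e8e4-21cb-45cc-87f5-8c2056a3c18e",
            "displayName": "gerry_Android_4/25/2016_12:26 PM",
            "isCompliant": False,
            "isManaged": True,
            "operatingSystem": "Android",
            "operatingSystemVersion": "4.4.2",
            "trustType": "Workplace",
        },
        {
            # constructed: compliant device seen the day before the triage run
            "approximateLastSignInDateTime": "2016-10-05T08:00:00Z",
            "deviceId": "00000000-0000-0000-0000-000000000001",
            "displayName": "example_iOS",
            "isCompliant": True,
            "isManaged": True,
            "operatingSystem": "iOS",
            "operatingSystemVersion": "10.0",
            "trustType": "Workplace",
        },
    ]
})


def fetch_devices(upn, access_token):
    """Online path: GET the user's devices with a bearer token (assumed endpoint)."""
    req = urllib.request.Request(
        GRAPH_DEVICES_URL.format(upn=upn),
        headers={"Authorization": "Bearer " + access_token},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


def parse_devices(raw_json):
    """Offline path: unwrap the 'value' collection from a saved response."""
    return json.loads(raw_json)["value"]


def _parse_graph_time(value):
    # Graph returns UTC ISO 8601; drop fractional seconds and the trailing Z.
    core = value.rstrip("Z").split(".")[0]
    return datetime.strptime(core, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def triage(devices, now, stale_days=30):
    """Return (deviceId, reason) findings worth a closer look."""
    findings = []
    for d in devices:
        if d.get("isManaged") and not d.get("isCompliant"):
            findings.append((d["deviceId"], "managed but not compliant"))
        seen = d.get("approximateLastSignInDateTime")
        if seen and now - _parse_graph_time(seen) > timedelta(days=stale_days):
            findings.append((d["deviceId"], "no sign-in for >%d days" % stale_days))
    return findings


def triage_sample():
    """Run the triage over the constructed sample as of 6 Oct 2016."""
    now = datetime(2016, 10, 6, tzinfo=timezone.utc)
    return triage(parse_devices(SAMPLE_RESPONSE), now)


if __name__ == "__main__":
    for device_id, reason in triage_sample():
        print(device_id, reason)
```

A script like this only needs the delegated scope that covers reading devices and users, so it can be granted far less than the long consent list Graph Explorer asks for above; the token itself is obtained from Azure AD outside this example.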

2. Get data for a specific user

In my case the URL is:

See the output for a specific user

"@odata.context": "$metadata#users/$entity",
"id": "c5ab8188-7124-4a97-bdfe-66bda5f634a0",
"businessPhones": [],
"displayName": "Gerry",
"givenName": "Gerry",
"jobTitle": null,
"mail": "",
"mobilePhone": null,
"officeLocation": null,
"preferredLanguage": null,
"surname": null,
"userPrincipalName": ""

See the full Microsoft article here

I hope this is useful. Until next time.....

Wednesday, 5 October 2016

Improvements in app blacklisting with Intune

The August update of the Intune service has introduced major improvements in mobile app management. Previously you could create app blacklists but these policies would only block apps on Windows devices. They would not prevent the installation or use of apps on Android or iOS devices. For these devices you could only report non-compliance if a blacklisted app was installed.

So what are these improvements?

We can now create custom policies to allow and block apps for Samsung KNOX enabled Android devices.

  • Once an app is blocked, it cannot be activated or run on the device, even if it is already installed.
  • Specifying which apps are allowed designates which apps can be installed from the Google Play store. When a list of allowed apps is defined, no other apps can be installed from the store.
On iOS 9.3 and later (supervised devices only) we can add a list of hidden and shown apps to the iOS general configuration policy.
  • Apps that are specified as hidden can’t be viewed or launched by users.
  • When you specify a list of apps to be shown, no other apps can be viewed or launched.

Let's have a look at the custom Android policy and then we'll see the behaviour on a device.

In the Microsoft Intune administration console, choose Policy > Configuration Policies > Add.

In the Create a New Policy dialog box, expand Android, choose Custom Configuration, and then choose Create Policy.

Provide a name and optional description for the policy and then, in the OMA-URI Settings section, choose Add.

We want to specify the allowed apps so that all other apps will be blocked.

Note: You can find the package ID of an app by browsing to the app on the Google Play store. The package ID is contained in the URL of the app's page.

For example, the package ID of the Microsoft Word app is as the URL is

The package ID of the Adobe Reader app is com.adobe.reader as the URL is

In the Add or Edit OMA-URI Setting dialog box, specify the following:

  • Setting name - Enter AllowInstallPackages.
  • Setting description - List of apps that users can install from Google Play.
  • Data type - String.
  • OMA-URI - ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/AllowInstallPackages
  • Value - List of the Package IDs you want to allow. Use ; : , as delimiter. (Example: packageID1,packageID2). In my case this is com.adobe.reader,
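Because the Value field is a free-text delimited list, a typo in a package ID silently drops that app from the allowed set. The following is an added example, not code from the post or from Microsoft, that builds and checks the AllowInstallPackages value before it is pasted into the console. It assumes the Play Store page URL format https://play.google.com/store/apps/details?id=<package> and the Android package-name rules (dot-separated segments, each starting with a letter and containing only letters, digits or underscores, at least two segments); the sample URL is constructed.

```python
"""Build and validate the AllowInstallPackages value for the Intune custom
Android (Samsung Knox) policy. Added example, not from the post.
"""
import re
from urllib.parse import parse_qs, urlparse

# One dot-separated segment of an Android package name (assumed rule).
SEGMENT = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def package_id_from_play_url(url):
    """Extract the package ID carried in the Play Store page's `id` parameter."""
    ids = parse_qs(urlparse(url).query).get("id", [])
    if len(ids) != 1:
        raise ValueError("no single id parameter in %r" % url)
    return ids[0]


def is_valid_package_id(pkg):
    """True if pkg looks like a well-formed Android package name."""
    parts = pkg.split(".")
    return len(parts) >= 2 and all(SEGMENT.match(p) for p in parts)


def parse_allow_list(value):
    """Split an existing Value string on any of the documented delimiters ; : ,"""
    return [p.strip() for p in re.split(r"[;:,]", value) if p.strip()]


def build_allow_list(package_ids):
    """Return a comma-delimited Value, rejecting malformed IDs and dropping duplicates."""
    accepted = []
    for pkg in package_ids:
        if not is_valid_package_id(pkg):
            raise ValueError("not a valid Android package ID: %r" % pkg)
        if pkg not in accepted:
            accepted.append(pkg)
    return ",".join(accepted)


if __name__ == "__main__":
    # constructed sample URL for the Adobe Reader app named in the post
    reader = package_id_from_play_url(
        "https://play.google.com/store/apps/details?id=com.adobe.reader")
    print(build_allow_list([reader]))
```

Run the output of build_allow_list through parse_allow_list after saving the policy to confirm the console stored exactly the IDs you intended.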

Click OK.

Save Policy.

In the Policy workspace, select the policy and click Manage Deployment.
In the Manage Deployment dialog box, select one or more groups to which you want to deploy the policy, then click Add > OK.

User experience

So what happens on the device? I'm using an Android device with Samsung Knox enabled (Samsung Galaxy S4 phone).
I've tried to install an app that isn't on the allowed list.

I can't install the app and get the notification that "Security policy prevents installation of this application".

Then I tried to install Adobe Reader which is on the allowed list.

No problem.

This is very straightforward to configure and works instantly.

It's worth mentioning the supported devices again.
  • Samsung Knox enabled Android devices (must be Samsung Knox - I was unable to get this working on an Android without Samsung Knox) 
  • Supervised iOS devices 9.3 and later (supervised mode can be enabled on iOS devices using the Apple Device Enrolment Program or the Apple Configurator Tool) 

I hope this was useful. Until next time.......

Thursday, 29 September 2016

My second book

I am very pleased to be co-author for the latest book in the System Center Configuration Manager Unleashed series (published by Sams). The book is titled  "System Center Configuration Manager Current Branch Unleashed".

The author list is:
  • Kerrie Meyler (MVP) (Co-author)
  • Greg Ramsey (MVP) (Co-author)
  • Kenneth van Surksum (MVP) (Co-author)
  • Michael Wiles (Dell) (Co-author)
  • Gerry Hampson (MVP) (Co-author)
  • Saud Al-Mishari (Microsoft) (Co-author)
  • Garth Jones (MVP) (Contributing author)
  • Byron Holt (MVP) (Contributing author)

The chapter list is as follows:
  1. Configuration Management Basics
  2. Configuration Manager Overview
  3. Looking Inside Configuration Manager
  4. Architecture Design Planning
  5. Network Design
  6. Installing System Center Configuration Manager
  7. Migrating to System Center Configuration Manager
  8. Using the Configuration Manager Console
  9. Client Management
  10. Managing Compliance
  11. Creating and Managing Applications and Deployment Types
  12. Creating and Managing Packages and Programs
  13. Distributing and Deploying Applications and Packages
  14. Managing Software Updates
  15. Integrating Intune Hybrid into Your Configuration Manager Environment
  16. Managing Mobile Devices
  17. Conditional Access
  18. Endpoint Protection
  19. Configuration Manager Queries
  20. Configuration Manager Reporting
  21. Operating System Deployment
  22. Security and Delegation in Configuration Manager
  23. Backup, Recovery, and Maintenance
Writing a book can be a very time-consuming process. However I've submitted my four chapters ahead of schedule after several re-writes (Kerrie is a tough taskmaster). The chapters will then undergo technical and editorial reviews (probably more re-writes). The book is scheduled to be published in early 2017 and will be available on Amazon.

Currently it is available for pre-order

Thursday, 1 September 2016

Real world tips for implementing mobile application management without enrollment

MAM without enrollment is a really cool way of protecting corporate data on BYOD devices. Some users simply do not want to enrol their devices in Intune so this gives us IT Pros an alternative management method.

MAM policies can be configured for apps in these scenarios:
  • On devices enrolled in Microsoft Intune: These devices are typically corporate owned devices.
  • On devices enrolled in a third-party Mobile device management (MDM) solution: These devices are typically corporate owned devices.
  • On devices not enrolled in any mobile device management solution: These devices are typically employee owned devices that are not managed or enrolled in Intune or other MDM solutions.
I will walk through the solution and offer some real world tips along the way.

Tip #1: MAM policies should not be used in conjunction with third party mobile app management or secure container solutions.

Administrator configuration

Configuration of this solution is carried out in the Azure Portal.

Select More Services.

Start to type Intune and select Intune.

The Intune mobile application management blade opens. Select App Policy.

Select Add a policy.

Give the policy a name and choose a platform. I'm choosing Android for now. Highlight Select Required Apps.

Choose the apps that you want to deploy a MAM policy to. Click Select to choose the apps.

Notice that only Microsoft apps are currently available. So how do I allow my users to securely open email attachments - PDFs for example?

Tip #2: No special considerations are required for iOS. Outlook for iOS has an in-app viewer built in.

Tip #3: The RMS Sharing App must be used for opening secure PDFs on Android devices.

Now highlight Configure required settings. There are a number of options to choose from. The default options are sufficient unless you specifically need to change a setting.

Tip #4: If you are familiar with Intune Mobile Application Management you will know that you must create a MAM policy and a Managed Browser policy. In MAM without enrolment they are integrated and there is no Managed Browser policy. There is one setting "Restrict web content to display in the Managed Browser".

Click OK to save your settings.

Click Create to create the policy.

Select App Policy again.

Highlight the policy that you have created.

Select User Groups.

Select Add Users Group to deploy the MAM policy.

User experience (Android)

Download and install the required apps from the Google Play store. Don't forget the RMS Sharing app as discussed above.

I got this error when I tried to open Outlook (now a protected MAM app).

"Before you can use your work account with this app, you must install the free Intune Company Portal app. Tap "Go to store" to continue".

Tip #5: You must install the Company Portal app on an Android device in order to use MAM without enrolment (even though you will not be enrolling the device). This is not the case with iOS.

Click Go to store and install the Company portal app. No further action is required with this app.

Corporate data is now secured by MAM policy. Try it out.

I hope this information was useful. Until next time......

Saturday, 27 August 2016

ConfigMgr Current Branch - native integration with Windows Store for Business

System Center Configuration Manager landing page

The eagerly awaited 1606 version of ConfigMgr Current Branch was recently released. As we have come to expect from the ConfigMgr team this version is full of enhancements and new features. There are changes in the following areas and you can find full details on TechNet
  • Updates and servicing
  • Accessibility
  • Administration
  • On premises Mobile Device Management
  • Application Management
  • Software Updates
  • Operating System Deployment
  • Compliance Settings
  • Device Configuration and Protection
  • Remote Control
I really like the subtle change in the Updates and Servicing node. The clutter of previous versions has been removed.

Only the latest version (and hotfix) is now listed.

Click on the History button on the ribbon to see the previous versions.

My two favourite features of this version continue the trend of "cloud integration".
  • Sync data from Configuration Manager to the Microsoft Operations Management Suite
  • Windows Store for Business integration
In this blog I'll concentrate on the WSfB integration. In a previous blog I described the WSfB and explained how to set up a store account so I won't repeat that here. Follow the steps below to integrate WSfB with ConfigMgr. At the end of the blog I list the issues encountered by me and some colleagues in configuring the solution.

Turn on Windows Store for Business integration

WSfB integration is a pre-release feature (even though it doesn't say so in the ConfigMgr console). You must first give your consent to use pre-release features.

Navigate to Administration > Site Configuration > Sites. Select your site and choose Hierarchy Settings in the ribbon above.

Tick the box Consent to use Pre-Release features.

Navigate to Administration > Cloud Services > Updates and Servicing > Features. Right click Windows Store for Business Integration and select Turn on.

Accept the warning to turn on the feature. Close and re-open the Configuration Manager console. The Windows Store for Business node is now available under Cloud Services.

Register ConfigMgr as a management tool in WSfB

For this step we are going to need access to the Azure and WSfB portals for the tenant.

Open the Azure Portal. Select your Azure Active Directory and click Applications > Add

Select Add an application my organization is developing.

Choose a suitable name for the application and select Web application and/or Web API. Click the arrow to continue.

Enter a URL for the Sign-on URL and App ID URI. The URL needs to be the same for both but doesn't have to exist. Click on the tick to complete the wizard.

The app has been added. Click on Configure from the menu at the top.

Note the Client ID (copy it as we'll need it later).

Under Keys select a duration and then click Save. This will create a new client key. You will only be able to copy the client key while on this page so don't navigate away until you have completely finished the process.

Copy the client key. We'll need it later.

Now log into the WSfB to add Configuration Manager as the store management tool. Select Settings > Management tools.

Click Add a management tool.

Search for the application you just created in AAD and click Add.

Activate the management tool (I missed this step first time round - see "Issues encountered" below).

Only one management tool can be active at a time.

If you are going to use offline-licensed apps navigate to the Manage > Account Information page.

Select Show offline licensed apps.

Add WSfB store account in Configuration Manager console.

Navigate to Administration > Cloud Services > Windows Store for Business.

Right click and choose Add Windows Store for Business account.

Read the instructions and verify that you have already carried out the steps.

Enter your tenant name. Enter the Client ID and Client key that you copied earlier. Click Verify. This verifies that the Client ID and Key are correct. It doesn't check that you have correctly added a management tool.

Add a location to store the content.

Select Application Catalog languages.

WSfB integration has been configured.

First sync has succeeded.

See WsfbSyncWorker.log file for progress.

Apps are available in Software Library > Application Management > License Information for Store Apps.

Application content has been downloaded.

Create application.

Create a ConfigMgr application as normal. Right click an app in Software Library > Application Management > License Information for Store Apps.

Select Create Application.

Review the information and click Next.

Application information was imported from the appx package.

Enter a suitable name and details.

The application has been created.

See the application and deployment types. The app can now be distributed and deployed as normal.

Issues encountered.

I just wanted to share some issues encountered by me and some of my colleagues while configuring the solution.

1. Unauthorized - this one happened to me.

The first sync failed and the error below appeared in the WsfbSyncWorker.log file.

Error occured making http request calling 'GET' method on '': (Unauthorized) 'Unauthorized'.

This was caused by the fact that I had added my app as a management tool for WSfB but I had missed the step to activate the tool. This meant that ConfigMgr was not authorized as a client to manage the WSfB. Once I activated the app and restarted the SMS_CloudConnection component the sync started and I could see the apps downloading to the content share (and could see them in the Software Library).

2. Proxy authentication

The error below appeared in the WsfbSyncWorker.log file.

                          ErrorCode: unknown_error
                          StatusCode: 407
[24, PID:9024][08/22/2016 14:20:04] :Failed authenticate with the Windows Store for Business.

The correct proxy credentials had been configured and the Software Update Point on the same server was able to authenticate.

Proxy support for WSfB has not yet been implemented. It is planned for a future release. As a workaround, set the proxy in the system level IE proxy settings on the server where the SCP is installed.
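Both failures in issues 1 and 2 surface as recognisable lines in WsfbSyncWorker.log, so a small scan can point straight at the remediation instead of waiting for the next sync to fail again. The following is an added example, not code from the post or from Microsoft: it carries the two log excerpts quoted above, padded with one constructed "starting sync" line, and maps each match to the fix the post describes. The scan_file helper and its path argument are assumptions for reading a real log.

```python
"""Classify WsfbSyncWorker.log failures (401 unauthorized, 407 proxy auth)
and map them to remediations. Added example, not from the post.
"""
import re

# The two excerpts from the post; the first line is constructed filler.
SAMPLE_LOG = """\
[12, PID:9024][08/22/2016 14:19:58] :Starting sync with the Windows Store for Business.
Error occured making http request calling 'GET' method on '': (Unauthorized) 'Unauthorized'.
                          ErrorCode: unknown_error
                          StatusCode: 407
[24, PID:9024][08/22/2016 14:20:04] :Failed authenticate with the Windows Store for Business.
"""

# (pattern, finding code, remediation from the post)
RULES = [
    (re.compile(r"\(Unauthorized\)|StatusCode:\s*401\b"), "unauthorized",
     "AAD app is added but probably not activated as the WSfB management tool; "
     "activate it, then restart SMS_CloudConnection."),
    (re.compile(r"StatusCode:\s*407\b"), "proxy_auth",
     "Proxy authentication failed; set the system-level IE proxy on the SCP server."),
]


def classify_lines(text):
    """Return one finding dict per matching log line."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        for pattern, code, fix in RULES:
            if pattern.search(line):
                findings.append({"line": number, "code": code, "fix": fix,
                                 "text": line.strip()})
    return findings


def summarize(findings):
    """Distinct finding codes, sorted, for a quick verdict."""
    return sorted({f["code"] for f in findings})


def scan_file(path):
    """Assumed helper: scan a real log file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return classify_lines(fh.read())


if __name__ == "__main__":
    for f in classify_lines(SAMPLE_LOG):
        print("line %d [%s]: %s" % (f["line"], f["code"], f["fix"]))
```

Run it against the live log after each change (activating the tool, fixing the proxy) so you can confirm the specific failure has gone rather than just watching for "sync succeeded".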

3. Delete and re-create the WSfB account

You've made a mistake and you want to start again. Try it. You can't remove the WSfB account in the console. This has not yet been exposed but you can get out of trouble using WMI.

I believe my colleague will be posting a blog post shortly on how to do this so I don't want to interfere with that.

I hope the information in this blog post will be of use to you.

Until next time.....