Thursday, 1 September 2016

Real world tips for implementing mobile application management without enrollment

MAM without enrollment is a really cool way of protecting corporate data on BYOD devices. Some users simply do not want to enrol their devices in Intune so this gives us IT Pros an alternative management method.

MAM policies can be configured for apps in these scenarios:
  • On devices enrolled in Microsoft Intune: These devices are typically corporate owned devices.
  • On devices enrolled in a third-party Mobile device management (MDM) solution: These devices are typically corporate owned devices.
  • On devices not enrolled in any mobile device management solution: These devices are typically employee owned devices that are not managed or enrolled in Intune or other MDM solutions.
I will walk through the solution and offer some real world tips along the way.

Tip #1: MAM policies should not be used in conjunction with third party mobile app management or secure container solutions.

Administrator configuration

Configuration of this solution is carried out in the Azure Portal.

Select More Services.

Start to type Intune and select Intune.

The Intune mobile application management blade opens. Select App Policy.

Select Add a policy.

Give the policy a name and choose a platform. I'm choosing Android for now. Highlight Select Required Apps.

Choose the apps that you want to deploy a MAM policy to. Click Select to choose the apps.

Notice that only Microsoft apps are currently available. So how do I allow my users to securely open email attachments - PDFs for example?

Tip #2: No special considerations are required for iOS. Outlook for iOS has an in-app viewer built in.

Tip #3: The RMS Sharing App must be used for opening secure PDFs on Android devices.

Now highlight Configure required settings. There are a number of options to choose from. The default options are sufficient unless you specifically need to change a setting.

Tip #4: If you are familiar with Intune Mobile Application Management you will know that you must create a MAM policy and a Managed Browser policy. In MAM without enrolment they are integrated and there is no Managed Browser policy. There is one setting "Restrict web content to display in the Managed Browser".

Click OK to save your settings.

Click Create to create the policy.

Select App Policy again.

Highlight the policy that you have created.

Select User Groups.

Select Add Users Group to deploy the MAM policy.

User experience (Android)

Download and install the required apps from the Google Play store. Don't forget the RMS Sharing app as discussed above.

I got this error when I tried to open Outlook (now a protected MAM app).

"Before you can use your work account with this app, you must install the free Intune Company Portal app. Tap "Go to store" to continue".

Tip #5: You must install the Company Portal app on an Android device in order to use MAM without enrolment (even though you will not be enrolling the device). This is not the case with iOS.

Click Go to store and install the Company portal app. No further action is required with this app.

Corporate data is now secured by MAM policy. Try it out.

I hope this information was useful. Until next time......

Saturday, 27 August 2016

ConfigMgr Current Branch - native integration with Windows Store for Business

System Center Configuration Manager landing page

The eagerly awaited 1606 version of ConfigMgr Current Branch was recently released. As we have come to expect from the ConfigMgr team, this version is full of enhancements and new features. There are changes in the following areas, and you can find full details on TechNet:
  • Updates and servicing
  • Accessibility
  • Administration
  • On premises Mobile Device Management
  • Application Management
  • Software Updates
  • Operating System Deployment
  • Compliance Settings
  • Device Configuration and Protection
  • Remote Control
I really like the subtle change in the Updates and Servicing node. The clutter of previous versions has been removed.

Only the latest version (and hotfix) is now listed.

Click on the History button on the ribbon to see the previous versions.

My two favourite features of this version continue the trend of "cloud integration".
  • Sync data from Configuration Manager to the Microsoft Operations Management Suite
  • Windows Store for Business integration
In this blog I'll concentrate on the WSfB integration. In a previous blog I described the WSfB and explained how to set up a store account so I won't repeat that here. Follow the steps below to integrate WSfB with ConfigMgr. At the end of the blog I list the issues encountered by me and some colleagues in configuring the solution.

Turn on Windows Store for Business integration

WSfB integration is a pre-release feature (even though it doesn't say so in the ConfigMgr console). You must first give your consent to use pre-release features.

Navigate to Administration > Site Configuration > Sites. Select your site and choose Hierarchy Settings in the ribbon above.

Tick the box Consent to use Pre-Release features.

Navigate to Administration > Cloud Services > Updates and Servicing > Features. Right click Windows Store for Business Integration and select Turn on.

Accept the warning to turn on the feature. Close and re-open the Configuration Manager console. The Windows Store for Business node is now available under Cloud Services.

Register ConfigMgr as a management tool in WSfB

For this step we are going to need access to the Azure and WSfB portals for the tenant.

Open the Azure Portal. Select your Azure Active Directory and click Applications > Add.

Select Add an application my organization is developing.

Choose a suitable name for the application and select Web application and/or Web API. Click the arrow to continue.

Enter a URL for the Sign-on URL and App ID URI. The URL needs to be the same for both but doesn't have to exist. Click on the tick to complete the wizard.

The app has been added. Click on Configure from the menu at the top.

Note the Client ID (copy it as we'll need it later).

Under Keys select a duration and then click Save. This will create a new client key. You will only be able to copy the client key while on this page so don't navigate away until you have completely finished the process.

Copy the client key. We'll need it later.

Now log into the WSfB to add Configuration Manager as the store management tool. Select Settings > Management tools.

Click Add a management tool.

Search for the application you just created in AAD and click Add.

Activate the management tool (I missed this step first time round - see "Issues encountered" below).

Only one management tool can be active at a time.

If you are going to use offline-licensed apps navigate to the Manage > Account Information page.

Select Show offline licensed apps.

Add WSfB store account in Configuration Manager console.

Navigate to Administration > Cloud Services > Windows Store for Business.

Right click and choose Add Windows Store for Business account.

Read the instructions and verify that you have already carried out the steps.

Enter your tenant name. Enter the Client ID and Client key that you copied earlier. Click Verify. This verifies that the Client ID and Key are correct. It doesn't check that you have correctly added a management tool.

Add a location to store the content.

Select Application Catalog languages.

WSfB integration has been configured.

First sync has succeeded.

See WsfbSyncWorker.log file for progress.

Apps are available in Software Library > Application Management > License Information for Store Apps.

Application content has been downloaded.

Create application.

Create a ConfigMgr application as normal. Right click an app in Software Library > Application Management > License Information for Store Apps.

Select Create Application.

Review the information and click Next.

Application information was imported from the appx package.

Enter a suitable name and details.

The application has been created.

See the application and deployment types. The app can now be distributed and deployed as normal.

Issues encountered.

I just wanted to share some issues encountered by me and some of my colleagues while configuring the solution.

1. Unauthorized - this one happened to me.

The first sync failed and the error below appeared in the WsfbSyncWorker.log file.

Error occured making http request calling 'GET' method on '': (Unauthorized) 'Unauthorized'.

This was caused by the fact that I had added my app as a management tool for WSfB but I had missed the step to activate the tool. This meant that ConfigMgr was not authorized as a client to manage the WSfB. Once I activated the app and restarted the SMS_CloudConnection component the sync started and I could see the apps downloading to the content share (and could see them in the Software Library).

2. Proxy authentication

The error below appeared in the WsfbSyncWorker.log file.

                          ErrorCode: unknown_error
                          StatusCode: 407
[24, PID:9024][08/22/2016 14:20:04] :Failed authenticate with the Windows Store for Business.

The correct proxy credentials had been configured and the Software Update Point on the same server was able to authenticate.

Proxy support for WSfB has not yet been implemented. It is planned for a future release. As a workaround, set the proxy in the system level IE proxy settings on the server where the SCP is installed.
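
The two failures above (issues 1 and 2) can be picked out of WsfbSyncWorker.log with a short script. This is an added example, not code from the original post or from Microsoft; the function name Find-WsfbSyncFailure is hypothetical and the sample text is constructed from the excerpts quoted above.

```powershell
# Added example: scan WsfbSyncWorker.log text for the two failures described in this post.
function Find-WsfbSyncFailure {
    param([string[]]$Line)

    # Signatures and fixes are the two documented in this post.
    $signatures = @(
        [pscustomobject]@{
            Issue   = 'Management tool not activated'
            Pattern = '\(Unauthorized\)'
            Fix     = 'Activate the management tool in WSfB, then restart SMS_CloudConnection.'
        }
        [pscustomobject]@{
            Issue   = 'Proxy authentication required'
            Pattern = 'StatusCode:\s*407'
            Fix     = 'Set the proxy in the system-level IE proxy settings on the server where the SCP is installed.'
        }
    )
    $stampPattern = '\[(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\]'

    for ($i = 0; $i -lt $Line.Count; $i++) {
        foreach ($sig in $signatures) {
            if ($Line[$i] -notmatch $sig.Pattern) { continue }

            # Assumption taken from the 407 excerpt: the detail lines carry no
            # timestamp and the stamped "Failed authenticate" line follows directly.
            $stamp = $null
            $last  = [Math]::Min($i + 1, $Line.Count - 1)
            foreach ($candidate in $Line[$i..$last]) {
                if ($candidate -match $stampPattern) { $stamp = $Matches[1]; break }
            }

            [pscustomobject]@{
                LineNumber = $i + 1
                Issue      = $sig.Issue
                Timestamp  = $stamp
                Fix        = $sig.Fix
            }
        }
    }
}

# Constructed sample, assembled from the log excerpts quoted in this post.
$sampleLog = @'
Error occured making http request calling 'GET' method on '': (Unauthorized) 'Unauthorized'.
                          ErrorCode: unknown_error
                          StatusCode: 407
[24, PID:9024][08/22/2016 14:20:04] :Failed authenticate with the Windows Store for Business.
'@

Find-WsfbSyncFailure -Line ($sampleLog -split "`r?`n") | Format-List

# Against a real site server, pass the log content instead:
#   Find-WsfbSyncFailure -Line (Get-Content <path to WsfbSyncWorker.log>)
```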

3. Delete and re-create the WSfB account

You've made a mistake and you want to start again. Try it. You can't remove the WSfB account in the console. This has not yet been exposed but you can get out of trouble using WMI.

I believe my colleague will be posting a blog post shortly on how to do this so I don't want to interfere with that.

I hope this information in this blog post will be of use to you.

Until next time..... 

Sunday, 7 August 2016

ConfigMgr Current Branch - real world migration from ConfigMgr 2012R2

ConfigMgr Current Branch 1606 was released to GA this week and there has been a lot of excitement about the in-place upgrade to the latest version. I've done quite a number of upgrades from ConfigMgr 2012R2 to Current Branch so I thought that this would be a good time to describe some of the real world issues associated with this operation. Many of the ConfigMgr 2012R2 implementations we encounter are installed on Windows 2008R2 servers. This was ok at the time. However if we want to configure Windows 10 servicing we now require Windows Server 2012R2 on the Primary Site Server and Software Update Points.

Previously I've blogged about migrating using ConfigMgr's built-in migration process. See that here. This works well and you can migrate from many previous versions (as far back as ConfigMgr 2007 SP2). In this case though you end up with a new site code and this isn't always the required outcome.

In this blog I'll describe the steps required to upgrade from ConfigMgr 2012R2 (installed on Windows Server 2008R2) to Current Branch 1606 (installed on Windows Server 2012R2).

ConfigMgr 1602 supports the in-place upgrade of the Operating System from Windows Server 2008R2 to Windows 2012R2. See the details here. However some customers don't like in-place upgrades of the operating system and would like to start off with a freshly installed OS. To achieve this we must back up the site and restore it to a new Windows 2012R2 server. I've listed the high level steps to carry out this operation below:

  1. In this blog I'm referring to the 2008R2 server as "old" and the 2012R2 server as "new"
  2. These steps are based on migrating a standalone Primary Site server configured as a Software Update Point.
Migration steps:
  • If you are using VMs take a snapshot of old
  • Back up the existing environment - I like to back up all the SQL databases with a SQL maintenance plan. It's also easy to back up the ConfigMgr site on old using the native ConfigMgr Site Backup maintenance task. Restart the SMS_Site_Backup component to start the backup immediately and monitor progress in the smsbkup.log file.
  • Deploy new Windows 2012R2 server, fully patch and join domain - use any name for now but use the same drive configuration as old.
  • Install Windows ADK 10 - you can still use ADK 1511 (download it here). A new ADK version 1607 has just been released and can be downloaded here. Official ConfigMgr support for ADK 1607 has not been announced at time of writing.
  • Install ConfigMgr 2012 pre-requisites on new as normal (roles and features)
  • Copy source content, content library, WSUS metadata share from old to new while retaining permissions - if you are using VMs it's easier to detach the VHDs from old and attach them to new.
  • Turn off old.
  • Rename new box to original Primary Site Server name
  • Optionally re-use the static IP address on new. It shouldn't matter as ConfigMgr uses DNS. However it can be useful to avoid recreating firewall rules.
  • Re-delegate permissions on System Management container
  • Install a supported SQL server version
  • Install WSUS (use SQL database) and carry out the initial WSUS metadata share configuration (use a different share name than previously, do not configure WSUS)
  • Stop WSUS services and detach WSUSDB
  • Rename SUSDB.mdf and SUSDB.ldf
  • Restore SUSDB database from old with overwrite option selected
  • Copy WSUS metadata from old share location to new share location
  • Start WSUS services
  • Install WSUS hotfix KB3095113
  • Install ConfigMgr 2012R2 and choose the recover site option, finish the wizard (we can only restore to the same ConfigMgr version)
  • Carry out the ConfigMgr 2012R2 post-recovery tasks as directed - eg update account passwords
  • Re-configure the Software Update Point to use port 8530/8531 instead of 80/443 - examine WCM.log for success
  • Verify ConfigMgr site and component status
  • Test ConfigMgr functionality
  • Run TestDBUpgrade for ConfigMgr Current Branch 1511
  • Perform in-place upgrade to ConfigMgr Current Branch 1511
  • Back up Configuration.mof (it will be overwritten by the upgrade)
  • Perform in-console upgrade to ConfigMgr Current Branch 1602 or 1606
  • Optionally install MDT and re-configure integration
  • Upgrade ConfigMgr clients to 1602/1606

Issues encountered

I encountered a number of issues during the process (mostly WSUS Issues).
  • If there is an existing WSUS GPO you must change the port from 80 to 8530
  • You may have to additionally open port 8530 between VLANs
  • I was unable to open the WSUS console. The following error appeared in the event log "The WSUS administration console has encountered an unexpected error. Index was outside the bounds of the array". This was solved by adding the HTTP Activation feature (I'd forgotten that one).
  • WSUS broke after KB3159706 - see TechNet forum for more details. This was solved by opening an elevated Command Prompt window, and then running "C:\Program Files\Update Services\Tools\wsusutil.exe postinstall /servicing"
  • Reporting was broken - there were duplicates of all reports preceded by an underscore. This was solved by removing and re-adding the reporting point
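
The first two WSUS issues above (a GPO still pointing at port 80, and port 8530 blocked between VLANs) can be checked from a client. This is an added example, not code from the original post; the function name Test-WsusPolicyUrl and the host name cm01.corp.example are constructed, while the registry path and the WUServer / WUStatusServer values are where Windows stores the Windows Update policy.

```powershell
# Added example: flag WSUS policy URLs that still target the pre-migration ports.
function Test-WsusPolicyUrl {
    param([string]$Url)

    $uri = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) {
        return [pscustomobject]@{ Url = $Url; Server = $null; Port = $null; Status = 'Invalid URL' }
    }

    # Uri.Port falls back to the scheme default, so "http://server" reports 80.
    $status = switch ("$($uri.Scheme):$($uri.Port)") {
        'http:8530'  { 'OK' }
        'https:8531' { 'OK' }
        'http:80'    { 'Old port - change to 8530' }
        'https:443'  { 'Old port - change to 8531' }
        default      { 'Unexpected scheme/port combination' }
    }

    [pscustomobject]@{ Url = $Url; Server = $uri.Host; Port = $uri.Port; Status = $status }
}

# Constructed sample values, as a GPO might write them to WUServer / WUStatusServer.
$samples = 'http://cm01.corp.example',
           'http://cm01.corp.example:8530',
           'https://cm01.corp.example:8531',
           'https://cm01.corp.example:8530'
$samples | ForEach-Object { Test-WsusPolicyUrl -Url $_ } | Format-Table -AutoSize

# On a real client: read the applied policy and test the network path to 8530.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

foreach ($name in 'WUServer', 'WUStatusServer') {
    if (-not $policy -or -not $policy.$name) { continue }

    $result = Test-WsusPolicyUrl -Url $policy.$name
    $reachable = $null
    if ($result.Server) {
        # TcpTestSucceeded is $false when a firewall or VLAN ACL blocks the port.
        $probe = Test-NetConnection -ComputerName $result.Server -Port 8530 -WarningAction SilentlyContinue
        $reachable = $probe.TcpTestSucceeded
    }
    $result |
        Add-Member -NotePropertyName PolicyValue -NotePropertyValue $name -PassThru |
        Add-Member -NotePropertyName Reachable8530 -NotePropertyValue $reachable -PassThru
}
```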

I hope some of the information here will be helpful for you. Until next time....

Monday, 18 July 2016

ConfigMgr Current Branch - deploy offline apps from Windows Store for Business

In 2013 Microsoft first integrated Intune with ConfigMgr 2012 SP1. I remember those days well. I think I was one of the first to implement the solution in production for the management of Windows 8 Phones. That was fun. There were a number of difficulties to overcome back then. Remember the Microsoft Developer account and Symantec Enterprise Code Signing certificate that was required just to enrol those devices. A few short years later, the solution and its associated technologies have grown into a truly enterprise solution. The difficulties encountered back in the early days are a distant memory. One of the main issues for me at the time was in the area of application deployment to Windows Phones. If I wanted to deploy a free Windows store app to my users I couldn't just download the app and deploy it with ConfigMgr. Believe me I tried everything I could to make it work. Instead I had to deploy a deeplink to the store and the user had to access the store to download the app themselves. This meant that each user had to have their own Microsoft account. This wasn't ideal. Microsoft promised to fix this and they did. You can now download an offline app from the Windows Store for Business and deploy it as a regular application using ConfigMgr.

In this blog I will give an overview of the Windows Store for Business and then walk through how to deploy an appx bundle to Windows 10 mobile devices.
(Note that Configuration Manager Current Branch 1602 was used for this blog post. 1606 has been released and introduces new features in this space. WSfB is now natively integrated with ConfigMgr).

What is the Windows Store for Business?

The Windows Store for Business (WSfB) is a cloud service that now allows organizations to manage volume purchases of Windows apps. It supports apps for Windows 10 desktop and Windows 10 mobile.

The features are listed as follows on TechNet:
  • Scales to fit the size of your business - For smaller businesses, with Azure AD accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Business are available to you, or you can integrate the Store for Business with management tools, for greater control over access to apps and app updates. You can use existing work or school accounts.
  • Bulk app acquisition - Acquire apps in volume from the Store for Business.
  • Private store - Curate a private store for your business that’s easily available from any Windows 10 device.
  • Flexible distribution options - Flexible options for distributing content and apps to your employee devices:
  • Distribute through Store for Business services. You can assign apps to individual employees, or make apps available to all employees in your private store.
  • Use a management tool from Microsoft, or a 3rd-party tool for advanced distribution and management functions, or for managing images.
  • Offline licensing model allows you to distribute apps without connecting to Store services, and for managing images.
  • Line-of-business apps - Privately add and distribute your internal line-of-business apps using any of the distribution options.
  • App license management: Admins can reclaim and reuse app licenses. Online and offline licenses allow you to customize how you decide to deploy apps.
  • Up-to-date apps - The Store for Business manages the update process for apps with online licenses. Apps are automatically updated so you are always current with the most recent software updates and product features. Store for Business apps also uninstall cleanly, without leaving behind extra files, for times when you need to switch apps for specific employees.

Sign up for Windows Store for Business

Navigate to to sign up for the store.

Enter your Azure User ID and click Next.

You are notified that your account can now be used to sign into the Windows Store for Business. Select "Sign In".

Sign in with your Azure ID.

Accept the services agreement.

Welcome to the Windows Store for Business. Let's have a look around.

See some recommended Microsoft apps. Let's have a look at Sway.

That doesn't look quite right. I can't see an offline version of the app.

I need to configure the store so that I can see offline versions. Click on Settings > Account Information.

Scroll to the bottom of the page and check the box to see offline licensed apps.

Now we can see the offline version.

Clicking on the offline button adds the app to inventory. Click Close.

You can now download the app. Note that there will often be different versions depending on the platform and architecture.

Deploy an app

There is a lot to discover about the WSfB and I hope to blog more about it in the future. For now though, I'm only interested in deploying offline apps to my Windows 10 mobile using ConfigMgr Current Branch.

I've chosen the Bing Translator app as an example.

Clicking on the offline button adds the app to my inventory.

Now I can download the app. Note that there is only a single app for all devices in this case. Download the apps bundle to a local folder.

Also download the license file and all the required prerequisites to the same folder.

See the downloaded files.

Now we create a ConfigMgr app as normal.

Select "Windows app package" and enter the location of the downloaded files. Click Next.

ConfigMgr interrogates the files and lists the content. It mistakenly suggests that we have missing prerequisites. This is normal for now. Click Next to continue.

Verify the app details.

Review the summary and click Next to create the app.

Distribute the app to the cloud distribution point and deploy the app to a collection containing Windows 10 mobile devices.

ConfigMgr reports a successful deployment.

End User Experience

Perhaps the heading "End User Experience" is not suitable here as there is none. The deployment is seamless to the user (which was my goal in the first place).

I've also successfully tested the same deployment to a domain joined device with full ConfigMgr client. I'll test with on-premise MDM next.

I hope this blog was useful. Until next time.....