Tuesday, 22 November 2016

Microsoft Intune - enterprise enrollment CNAME best practice

I was asked this question recently and I didn't know the answer so I did some research.

What is the correct DNS CNAME record to configure for Enterprise Enrollment of mobile devices with Intune?

First, I should explain that this CNAME is only required if you are enrolling Windows devices. It is not required for iOS and Android.

There are three options:
  1. CNAME enterpriseenrollment.yourdomain.com to enterpriseenrollment.manage.microsoft.com (the original target)
  2. CNAME enterpriseenrollment.yourdomain.com to enterpriseenrollment-s.manage.microsoft.com
  3. Don't configure a CNAME at all
So this is the scoop on the three options:
  1. This is a throwback to the early stages of this technology. It still works but is now deemed to be less secure and is not recommended by Microsoft. You will still find it referenced in many online blog posts simply because they have not been updated.
  2. This is now the recommended configuration. The record name is the same in both cases, because it is the name a Windows client looks up during auto-discovery (built from the domain part of the user's UPN); only the target changes, to Microsoft's secure enrollment endpoint (hence the -s). Confirm the record with a CNAME lookup (nslookup or Resolve-DnsName) before you start enrolling.
  3. This will also work but means that the user has to enter "manage.microsoft.com" as the server name during the enrollment process. This would be #2 in terms of preference.

I hope this clears up any confusion. Until next time.......

Monday, 21 November 2016

Microsoft are listening to feedback?? - my experience

My favourite part of being in the MVP Program is being able to provide feedback directly to the product group. The cynical view is that they just don't listen so there is no point in providing feedback. However, this is simply not the case. I have a little story I would like to share.

Last year I deployed an Intune Proof of Concept for one of my customers. We carried out intensive testing of the various elements, one of which was mobile application management. We created MAM policies to restrict the integration between managed and unmanaged apps. This worked very well and data could not be transferred between managed and unmanaged apps. Unfortunately, it worked a little too well. If I clicked on a telephone number in Outlook or the managed browser I was unable to launch the phone dialer app on the device (as it was unmanaged) and I couldn't make a phone call. This just didn't make sense to me.

I filed a DCR (bug) on Microsoft Connect (you will need a Microsoft Live ID to access this) to allow special access to specific unmanaged apps (eg. phone dialer).


"While using Intune Managed Applications it would be good if users could integrate with specific device components eg phone dialer. Users should be able to make a telephone call by selecting the number in the Managed App. They currently can't - I've tested it. The operation is not permitted".

The DCR was actioned and closed. I'm pleased to say that ALL MAM-aware Office apps and the Intune Managed Browsers (for both iOS and Android) have now been upgraded to incorporate this request. I've just successfully tested with Outlook and Managed Browser.

If a feature doesn't make sense to you or doesn't work the way you think it should then let Microsoft know. The products will only improve with user feedback.

For bugs use Microsoft Connect:


For feature suggestions use UserVoice.

ConfigMgr CB 1610 delivers features I've been waiting for

System Center Configuration Manager Current Branch 1610 was released on 18th November. You must opt in to the fast ring to see 1610 in the ConfigMgr console early. Full details can be found here

Many new features are available such as:
  • Windows 10 Upgrade Analytics
  • Office 365 Servicing Dashboard and app deployment
  • Software Updates Compliance Dashboard
  • Cloud Management Gateway
  • Client Peer Cache
  • Enhancements in Software Center
  • New remote control features
However I've been looking at the less publicized enhancements. In particular there are two very simple improvements that I have been waiting for.

1. Windows Store for Business integration

I previously published a blog post on configuring native integration with ConfigMgr and Windows Store for Business. You can read that here

This feature was delivered as "pre-release" in 1606. It was very useful but a little limited in terms of troubleshooting. Synchronization failed in my lab environment and I couldn't do anything about it.

WsfbSyncWorker.log file displayed the synchronization error.

However I was very limited on what I could do in the console. I could only view the Properties of the WSfB account......

....and everything was grayed out. This wasn't that helpful. Kim Oppalfens figured out a way to remove the account using WMI but I'm pretty sure that it wouldn't be supported.

Enhancements have been added in 1610.

Now we can easily delete the account and add a new one.

We can also edit the account settings.

I've now been able to fix my synchronization problem.

2. Send a Sync Request to Intune enrolled device

Previously synchronization had to be initiated using the Intune Company Portal on the mobile device itself.

Now we can send a sync request to the device directly from the ConfigMgr console. This is a huge improvement. We no longer have to guide users to do this for themselves.

Until next time.......

Thursday, 6 October 2016

Use REST APIs to access Microsoft Intune data

Microsoft recently published information on using REST API calls to communicate with Intune to retrieve management data. This is really cool. It uses Microsoft Graph, which exposes multiple APIs from Microsoft cloud services behind a single endpoint. The data retrieved can be very useful in troubleshooting.

So how do we get started?

Navigate to Graph Explorer https://graph.microsoft.io/en-us/graph-explorer

See the Graph Explorer interface. Click Sign in to access the Intune service. A new page opens and you are prompted to log in.

You are then warned that the API Explorer needs permission to the following. It's a long list because the explorer is built for the whole of Microsoft Graph (Office 365, Azure AD and so on), not just Intune. These are delegated permissions: once you consent, the Graph Explorer app can act on your behalf within every listed scope, so sign in with an account that has no more rights than your queries need, and remember that the consent can be reviewed and revoked later (by you or an administrator):

  • Sign you in and read your profile  
  • Read and write access to your mail   
  • Read directory data  
  • Access the directory as you  
  • Read your files  
  • View your basic profile  
  • Read and write selected files  
  • Have full access to your calendars   
  • Read and write all users' full profiles  
  • Read items in all site collections  
  • Create, read, update and delete your tasks and projects (preview)  
  • View your OneNote notebooks (preview)  
  • Sign in as you  
  • Read your calendars   
  • Read and write all groups  
  • Read selected files  
  • Read your mail   
  • Have full access to your files  
  • Read all groups  
  • View and modify your OneNote notebooks (preview)  
  • View your email address  
  • View and modify OneNote notebooks that you can access (preview)  
  • Access your data anytime  
  • Have full access to the application's folder  
  • Read and write to your mailbox settings (preview)  
  • Have full access to all files you have access to  
  • Read identity risk event information  
  • Create pages in your OneNote notebooks (preview)  
  • Read all users' full profiles  
  • Read all users' basic profiles  
  • Read and update your profile  
  • Read your relevant people list (preview)  
  • Read and write directory data  
  • Have full access of your contacts   
  • Read all files that you have access to  
  • View OneNote notebooks that you can access (preview)  
  • Sign you in and read your profile  
  • Send mail as you   
  • Limited access to your OneNote notebooks for this app (preview)  
  • Read your tasks  
  • Read your contacts
You have to accept this to continue.....

....and now you're ready to query for information.

So how does it work?

The interface sends GET and POST requests to the Graph REST endpoint (https://graph.microsoft.com) and shows the JSON that comes back. The requests look like ordinary web addresses, but pasting one into a browser's address bar only gets you an authentication error: every Graph call needs an OAuth 2.0 bearer token in the Authorization header, and Graph Explorer adds that for you from the sign-in above. That is why the URLs must be used in the Graph Explorer URL bar.

So what kind of information can we get?

Here are some examples:

1. Get data relating to all devices for a specific user (replace the user UPN in the URL)

In my case the URL is:

See the output for a specific device. Useful troubleshooting information is returned.

"approximateLastSignInDateTime": "2016-04-25T12:25:58Z",
"deviceId": "85a9e8e4-21cb-45cc-87f5-8c2056a3c18e",
"deviceMetadata": null,
"deviceVersion": 2,
"displayName": "gerry_Android_4/25/2016_12:26 PM",
"isCompliant": false,
"isManaged": true,
"onPremisesLastSyncDateTime": null,
"onPremisesSyncEnabled": null,
"operatingSystem": "Android",
"operatingSystemVersion": "4.4.2",
"physicalIds": [],
"trustType": "Workplace"

2. Get data for a specific user

In my case the URL is:

See the output for a specific user

"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
"id": "c5ab8188-7124-4a97-bdfe-66bda5f634a0",
"businessPhones": [],
"displayName": "Gerry",
"givenName": "Gerry",
"jobTitle": null,
"mail": "gerry@gerryhampson.onmicrosoft.com",
"mobilePhone": null,
"officeLocation": null,
"preferredLanguage": null,
"surname": null,
"userPrincipalName": "gerry@emslab.ie"
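The two queries above, as an added example that is not part of the original post or Microsoft's own code. The post does not print its URLs, so the endpoint names used here (GET /v1.0/users/{upn} and GET /v1.0/users/{upn}/ownedDevices) are an assumption; the code also assumes the caller already holds an Azure AD bearer token for Graph, which is exactly what Graph Explorer obtains when you sign in. The device record is the one printed above, embedded as constructed input so the troubleshooting part runs offline.

```python
"""Build the Graph URLs for a user's devices and read back a device record.

Added example for this blog post, not Microsoft's code. Assumptions: the
endpoints are /v1.0/users/{upn} and /v1.0/users/{upn}/ownedDevices, and the
caller has a Graph bearer token (Graph Explorer supplies one after sign-in).
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"


def user_url(upn):
    # Percent-encode the UPN so '@', '/' or '#' cannot alter the path.
    return f"{GRAPH}/users/{quote(upn, safe='')}"


def owned_devices_url(upn):
    return f"{user_url(upn)}/ownedDevices"


def graph_get(url, token, timeout=30):
    """The GET that Graph Explorer performs. A plain browser visit fails
    because this Authorization header is what proves who is asking."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def device_findings(device, now=None, stale_after=timedelta(days=30)):
    """Turn one device record into the points worth checking when enrolment
    or compliance is being troubleshot. Returns a list of strings."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if not device.get("isManaged"):
        findings.append("not MDM managed")
    if not device.get("isCompliant"):
        findings.append("marked non-compliant")
    last = device.get("approximateLastSignInDateTime")
    if last:
        seen = datetime.strptime(last, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        age = now - seen
        if age > stale_after:
            findings.append(f"last sign-in {age.days} days ago")
    else:
        findings.append("no recorded sign-in")
    # trustType "Workplace" is an Azure AD registered (BYOD) device,
    # "AzureAd" an Azure AD joined one.
    findings.append(f"trust type {device.get('trustType')} on "
                    f"{device.get('operatingSystem')} {device.get('operatingSystemVersion')}")
    return findings


# Constructed sample: the device record shown in the post.
SAMPLE_DEVICE = {
    "approximateLastSignInDateTime": "2016-04-25T12:25:58Z",
    "deviceId": "85a9e8e4-21cb-45cc-87f5-8c2056a3c18e",
    "displayName": "gerry_Android_4/25/2016_12:26 PM",
    "isCompliant": False,
    "isManaged": True,
    "operatingSystem": "Android",
    "operatingSystemVersion": "4.4.2",
    "trustType": "Workplace",
}

# Fixed "now" so the sample gives the same answer every time it is run.
SAMPLE_NOW = datetime(2016, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(owned_devices_url("gerry@emslab.ie"))
    for finding in device_findings(SAMPLE_DEVICE, now=SAMPLE_NOW):
        print(" -", finding)
```

To run it against a live tenant, pass the token from Graph Explorer's own session (or one obtained from Azure AD) to graph_get(owned_devices_url(upn), token) and feed each element of the returned "value" list to device_findings.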

See the full Microsoft article here

I hope this is useful. Until next time.....

Wednesday, 5 October 2016

Improvements in app blacklisting with Intune

The August update of the Intune service has introduced major improvements in mobile app management. Previously you could create app blacklists but these policies would only block apps on Windows devices. They would not prevent the installation or use of apps on Android or iOS devices. For these devices you could only report non-compliance if a blacklisted app was installed.

So what are these improvements?

We can now create custom policies to allow and block apps for Samsung KNOX enabled Android devices.

  • Once an app is blocked, it cannot be activated or run on the device, even if it is already installed.
  • Specifying which apps are allowed designates which apps can be installed from the Google Play store. When a list of allowed apps is defined, no other apps can be installed from the store.
On iOS 9.3 and later (supervised devices only) we can add a list of hidden and shown apps to the iOS general configuration policy.
  • Apps that are specified as hidden can’t be viewed or launched by users.
  • When you specify a list of apps to be shown, no other apps can be viewed or launched.

Let's have a look at the custom Android policy and then we'll see the behaviour on a device.

In the Microsoft Intune administration console, choose Policy > Configuration Policies > Add.

In the Create a New Policy dialog box, expand Android, choose Custom Configuration, and then choose Create Policy.

Provide a name and optional description for the policy and then, in the OMA-URI Settings section, choose Add.

We want to specify the allowed apps so that all other apps will be blocked.

Note: You can find the package ID of an app by browsing to the app on the Google Play store. The package ID is contained in the URL of the app's page.

For example, the package ID of the Microsoft Word app is com.microsoft.office.word as the URL is

The package ID of the Adobe Reader app is com.adobe.reader as the URL is

In the Add or Edit OMA-URI Setting dialog box, specify the following:

  • Setting name - Enter AllowInstallPackages.
  • Setting description - List of apps that users can install from Google Play.
  • Data type - String.
  • OMA-URI - ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/AllowInstallPackages
  • Value - The package IDs you want to allow, separated by ; : or , (for example packageID1,packageID2). In my case this is com.adobe.reader,com.microsoft.office.word

Click OK.

Save Policy.

In the Policy workspace, select the policy and click Manage Deployment.
In the Manage Deployment dialog box, select one or more groups to which you want to deploy the policy, then click Add > OK.
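The allow-list value above is a single delimited string, and a typo in one package ID silently drops that app from the list. The following is an added example (not Intune's or Microsoft's code) that builds the AllowInstallPackages setting from Play store URLs: it pulls the package ID out of each URL's id parameter, checks it against the Android package-name rules, removes duplicates and joins the result with one of the three delimiters the setting accepts. The OMA-URI and field names are the ones listed above; the URLs are constructed for the example.

```python
"""Build the AllowInstallPackages OMA-URI setting from Google Play URLs.

Added example for this post, not Intune or Microsoft code. The OMA-URI and
setting name come from the post; the package-name rules are Android's
(dot-separated segments, each starting with a letter).
"""
import re
from urllib.parse import parse_qs, urlparse

OMA_URI = "./Vendor/MSFT/PolicyManager/My/ApplicationManagement/AllowInstallPackages"

# Two or more dot-separated segments, each beginning with a letter and
# containing only letters, digits and underscores.
_PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def package_id_from_play_url(url):
    """Extract the package ID (the 'id' query parameter) from a Play store
    app URL. Rejects anything that is not a Play store app page or whose
    ID is not a valid package name, so a typo cannot silently widen or
    shrink the allow list."""
    parsed = urlparse(url)
    if parsed.netloc != "play.google.com" or parsed.path != "/store/apps/details":
        raise ValueError(f"not a Play store app URL: {url}")
    ids = parse_qs(parsed.query).get("id", [])
    if len(ids) != 1 or not _PACKAGE_RE.match(ids[0]):
        raise ValueError(f"missing or malformed package id in: {url}")
    return ids[0]


def build_allow_install_setting(play_urls, delimiter=","):
    """Return the console fields for the allow-list setting.

    Duplicates collapse to one entry, order is preserved, and the delimiter
    must be one of the three the setting accepts."""
    if delimiter not in (";", ":", ","):
        raise ValueError("delimiter must be ';', ':' or ','")
    packages = []
    for url in play_urls:
        pkg = package_id_from_play_url(url)
        if pkg not in packages:
            packages.append(pkg)
    if not packages:
        # An empty value is almost certainly a mistake, not a policy.
        raise ValueError("refusing to build an empty allow list")
    return {
        "Setting name": "AllowInstallPackages",
        "Setting description": "List of apps that users can install from Google Play.",
        "Data type": "String",
        "OMA-URI": OMA_URI,
        "Value": delimiter.join(packages),
    }


# Constructed sample input: the two apps allowed in the post, one of them
# twice, and one URL carrying an extra locale parameter.
SAMPLE_URLS = [
    "https://play.google.com/store/apps/details?id=com.adobe.reader",
    "https://play.google.com/store/apps/details?id=com.microsoft.office.word&hl=en",
    "https://play.google.com/store/apps/details?id=com.adobe.reader",
]

if __name__ == "__main__":
    for field, value in build_allow_install_setting(SAMPLE_URLS).items():
        print(f"{field}: {value}")
```

Paste the printed Value into the OMA-URI setting exactly as produced; the other fields mirror the dialog box above.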

User experience

So what happens on the device? I'm using an Android device with Samsung Knox enabled (Samsung Galaxy S4 phone).
I've tried to install an app that isn't on the allowed list.

I can't install the app and get the notification that "Security policy prevents installation of this application".

Then I tried to install Adobe Reader which is on the allowed list.

No problem.

This is very straightforward to configure and works instantly.

It's worth mentioning the supported devices again.
  • Samsung Knox enabled Android devices (must be Samsung Knox - I was unable to get this working on an Android without Samsung Knox) 
  • Supervised iOS devices 9.3 and later (supervised mode can be enabled on iOS devices using the Apple Device Enrolment Program or the Apple Configurator Tool) 

I hope this was useful. Until next time.......