Sunday, 17 September 2017

Block Android Screen Capture with ConfigMgr 1706

Version 1706 of System Center Configuration Manager (Current Branch) was recently released and one the new features made one of my customers very happy.

See details of the new 1706 features here

This customer uses the hybrid solution of ConfigMgr and Intune to manage their fleet of Android devices. They use MAM policies to protect against corporate data leakage and they were "almost" 100% happy with the solution.



The felt that they were a little exposed as users could still capture a screen containing sensitive data using a simple button combination (Home and Power in the case of many Android devices). Now, with ConfigMgr 1706, we can disable the ability to capture the screen. Even cooler, we can configure this on a per-managed app basis.

I've just tested this in advance of configuring in the customers environment. It works so well that I wanted to share the experience.

Navigate to Software Library > Application Management > Application Management Policies



Right click to Create Application Management Policy (or alternatively edit an existing policy).



Enter a name and description for the policy.



Choose Android as the platform and General as the policy type.



We are presented with the MAM options for Android. See Block screen capture. It is enabled by default.

Finish the wizard to create the MAM policy.

For this test I want to block screen capture for Adobe Reader (this is an Intune managed app). The app is added to ConfigMgr as normal.



When deploying the app we are asked which MAM policy should apply. I've chosen my test policy containing the "Block screen capture".



So, what does that look like on a device? I'm using a Samsung Galaxy Tab3 (Android version 4.4.2). I've opened a PDF file using Adobe Reader. See what happens when I try to capture the screen.

"Couldn't save screenshot. Content is protected by DRM".

It's these little hidden gems that make me happy. 

Hope this helps, until next time....

Wednesday, 30 August 2017

Intune - upcoming changes to device support

This is a short blog post to warn about upcoming changes to device support in Intune.

iOS
iOS 8.0 devices will no longer be supported from September 2017.  They will no longer be able to access the Company Portal or managed apps. iOS 9.0 or later will be required to access corporate resources.

Android
Android 4.3 devices will no longer be supported from October 2017.  They will no longer be able to access the Company Portal or managed apps. Android 4.4 or later will be required to access corporate resources.

Windows Phone
Windows Phone 8.1 platform reached end of mainstream support in July 2017 but Intune still supports their management. However there will be no improvements to Intune service management for these devices.

More details can be found in the Intune docs

Until next time.....

Sunday, 27 August 2017

Team Toni

Normally I would only publish technical blog posts but I'll make an exception in this case to share Chelsea's story. My wife's friend Chelsea lost her 15 year old daughter Toni in May, after a year-long battle with cancer.


Today Team Toni competed in the Longford Marathon to raise funds for Aoibheanns Pink Tie. This wonderful charity supports the families of children who are suffering from terminal cancer.

This is what Chelsea had to say this morning, no other words are necessary:


......" today is a very emotional day  for me.....really emotional....

....I'm taking part  the Longford Marathon in memory of my lovely daughter Toni Louise....she was diagnosed with leukemia   when she was just 14 .......she sadly  died  in May of this year.. she was just 15......so yea..... I'm very emotional.....

.....a great group of friends and family ....about 40 of us....are doing the Longford Marathon in tribute to Toni Louise and to raise some funds for Aoibheann's Pink Tie which does so much work for children with cancer.....

.....the people of all of Longford are incredibly supportive and we expect to raise a lot of much needed funds....we also want to raise some awareness about children's cancer.....it's something a lot of people don't know about....

.....Toni Louise in her too short life touched so many people....everyone she met....I feel so proud of her......she'll be with me every inch of the way today......she's with me every single day and will be with me forever ......and I've a tattoo of her on my leg now so she's running with me......

......I've only been training for 9 weeks .....but Toni Louise only passed away  12 weeks ago.......the training was good for me....it was good for the head.......

....Aoibheann's Pink Tie is  a fantastic charity.....they do all sorts of special  things for children suffering from cancer....from limo trips to concerts,  Christmas and birthday parties to just sitting down and chatting over a cup of coffee.....they're so supportive...

....it's uplifting being here today...so many people supporting so many......the people of Longford.....so , so good....

....I've had great family and friends but since Toni Louise's passing.....I've realised just how great  the support network I have.......

......friends and family are just so, so important......

...thanks, thanks...."

Chelsea Harte


Some scenes from the day:











 

Tuesday, 8 August 2017

See Intune Data Warehouse in action


We've heard a little about this feature recently but the Intune Data Warehouse is finally in public preview. It will give us powerful custom reporting with a dataset spanning up to 90 days of historical data. You can use Power BI or Excel to connect to the warehouse, or indeed any other tool that supports OData feeds.

There is a good blog post describing the feature but I wanted to see it in action with my own data. It is very easy to configure and get started.


Open the Intune admin console on your Azure Portal


Click on the Intune Data Warehouse tile on the bottom right of the screen. This opens the Intune Data Warehouse blade.


The blade gives us the instructions we need.
  • Download and install the Power BI desktop app
  • Download the Power BI template file
  • Open the Power BI template with the Power BI desktop app
  • Authenticate with your tenant

This is the Power BI app......


....and the Power BI template file. It contains a set of custom reports to get you started.


Install the app.


When the app installs select File -> Open.


Browse to the template file.


Select to Apply changes.


You will see the changes being applied.


The OData feed dialog box open. Select the Organizational account section. Sign in with an a global admin account on your tenant. Click Connect.....


.....and we can see the reports have been populated with our own data.



New ConfigMgr video training series

After months of work I'm very pleased to say that the second in this two-part series has been published by Packt Publishing. This involved a lot of weekends and late nights so thanks a lot to my wife for having a good sense of humour. Thanks also to Paul Winstanley (MVP and WMUG colleague) for reviewing the course.

The course is titled "Implementing Configuration Manager features" and is available here

The course contents are as follows:

Software Deployment
  • Configuration Manager Applications
  • Packages and Programs
Software Updates
  • Introduction to software updates
  • Deploy a software updates solution
  • Automatic Deployment rules
Operating System Deployment
  • Introduction to Operating System Deployment
  • Build and Capture a Windows 10 image
  • Deploying a Windows 10 image
  • Working with device drivers
Endpoint Protection
  • Endpoint Protection in Configuration Manager
  • Implementing Endpoint Protection
  • Protecting Endpoints
Intune hybrid
  • Integrating Configuration Manager with Microsoft Intune
  • Managing mobile devices
  • Advanced hybrid features




Monday, 7 August 2017

ConfigMgr 1706 - Azure Services wizard

ConfigMgr 1706 Current Branch was recently released and I got a chance to install it in my lab this weekend. The ConfigMgr product group have done an amazing job and I'm impressed with some of the new features, making it easier to deploy Windows 10, Office 365 and Surface drivers. However my favourite feature has to be the Azure Services wizard. We were given an advance preview of this feature under NDA months ago and it's great to see it in production.

So what is that all about?

The Azure Services Wizard provides a common configuration experience to set up Azure services in ConfigMgr. You can use it for configuring Cloud Management (Azure AD authentication and user discovery), OMS Connector, Upgrade Readiness and Windows Store for Business.


Look back at the 1610 console. See that the Windows Store for Business and the Upgrade Analytics Connector were separate nodes under Cloud Services. Remember that the OMS Connector wasn't available until 1702.


WSfB was configured independently of any other service.


Now look at the 1706 console. See the new Azure Services node. You will see that my WSfB configuration has already been migrated.

So how do we configure this? We'll need Azure tenant details and credentials to complete the process. We'll also create some web apps along the way and grant the required permissions to the web apps (thanks to Nick Hogarth who figured this out).


Right click on the Azure Services node and select Configure Azure Services.


The Azure Services Wizard is launched. Enter a suitable name and select an Azure service. You'll see that Windows Update for Business is missing as it's already configured in this environment. We'll select Cloud Management to allow clients to authenticate with the hierarchy using Azure AD


In the App Properties dialog box we see that we're going to have to create some apps - web app and Native Client app. Browse in the web app section.


Select Create in the Server app dialog box.


Enter the following information in the Create Server Application box.
  • Application name (suitable friendly name)
  • Home page URL (this does not have to exist - max 200 characters)
  • App ID URI  (this does not have to exist - max 200 characters)
  • Secret key validity period (2 years max)
Sign in to Microsoft Azure AD.


Enter your Azure AD credentials when prompted.


Your Azure AD Tenant Name is automatically detected.


The server app has been configured and can be selected.


Now browse in the Native Client app section.


Enter the following information in the Create Client Application box.
  • Application name (suitable friendly name)
  • Reply URL (this does not have to exist - max 200 characters)
Sign in to Microsoft Azure AD.


Your Azure AD Tenant Name is automatically detected.


The client app has been configured and can be selected.


Click Next to continue with the wizard when all the App Properties have been configured.


Now we can optionally choose to enable Azure AD Discovery. It allows you to add cloud-only users to your ConfigMgr environment.


Review the summary.


The Azure Services wizard has completed.

Some of my colleagues have discovered that you have to grant permissions to the web apps in Azure so that the solution can authenticate correctly (Nick Hogarth, Peter van der Woude).


In the Azure Portal, choose More Services -> App registrations


See the newly created server and client apps. Select each one in turn.


Select Required Permissions and choose Grant Permissions.

Review the SMS_AZUREAD_DISCOVERY_AGENT.log file for any errors.


So we've now completed the following:
  1. Added the Cloud Management Service
  2. Enabled Azure AD Discovery
How is that helpful?

Check this out. We won't need so much information the next time we need to add an Azure service.


This time I'll choose Upgrade Readiness.


This time I just need to choose a web app and I don't have to sign in to Azure.

I hope this blog post has been helpful. Until next time.....