Posts

Configure Android Enterprise system app in Intune for any OEM

When it comes to managed apps on Android Enterprise devices, it is normally the Managed Google Play store that comes to mind. Once set up and synced, you can make any published app in the Managed Google Play store available to Android managed devices. But what about apps outside the Managed Google Play store, particularly non-Google, OEM-specific apps in the form of system apps? Organizations may want to make system apps like Camera and Photo Gallery available to end users so they can store media files in the work container. This is where the Android Enterprise system app type in Intune comes in handy. Through this app type you can enable a system app for Android Enterprise dedicated devices, fully managed devices, Android Enterprise corporate-owned devices with a work profile, or Android Enterprise personally-owned work profiles. Before you assign an Android Enterprise system app to a device, you must first enable the app in Microsoft Intune. To enable an app, assign the system app as Required. When you no lo...

Why is the enrolment through Company Portal unavailable? Don't go down the rabbit hole..

Credits: Adobe Stock. While working on an MDM migration project, I came across an interesting issue in Intune that almost had me heading down a rabbit hole. As part of the migration, the existing mobile devices were to be unenrolled from a non-Microsoft MDM solution and then enrolled into Intune using the Company Portal method. Nothing fancy, but when this process didn't work, I obviously went into investigation mode and started looking at some of the obvious things. The obvious items that I looked at:
1. Network requirements for Intune, Android and Apple services. I must state that this customer's tenant had AD FS set up, which added to the complexity. However, since the enrolment was taking place outside the customer's network, none of the network requirements really played a part.
2. Intune device platform restrictions. Normally when a device is not allowed to enrol in Intune, more often than not it is due to device platform restriction policies. Especially ...

Configuring Collections in Managed Google Play Store - Tips from the field!

For the last few days I have been working on Android and iOS device management configuration in Microsoft Intune, and as part of it I came across the Organize apps feature, aka Collections, in Managed Google Play. So what are Collections? Collections are displayed on the front page of the managed Play Store app, allowing easy access to apps of your choice. For example, organizations can surface IT-approved essential apps, such as Microsoft apps, for quick access in the managed Play Store. However, as easy as this may sound, there are some caveats attached to this configuration. Tips from the field:
1. Creating a collection changes the Play Store layout type, which requires that all apps be added to a collection to be visible.
2. Deleting collections doesn't automatically revert to the basic layout.
3. Only approved apps can be added to a collection.
4. The managed Play Store app automatically displays a collection if it contains at least one app that's been made available to the...

When Web apps are not supported on Android Enterprise Devices with Work profiles then what is the alternative?

While working on some web links for Android Enterprise enrolled devices, I stumbled upon the following message in Intune suggesting that Web apps aren't supported on Android Enterprise devices. So what is the alternative? Well, it is still a web link, but only in the form of a web app published through Managed Google Play. Managed Google Play web links are installable and manageable just like other Android apps. When selected, they launch in the device's browser. One thing to note is that while web links published through Managed Google Play web apps will open in Microsoft Edge or any other browser, complete support, particularly for all the display options available for web links (full screen, standalone, and minimal UI), only works with the Chrome browser. So it is imperative to push a browser for the web links to open correctly. How to create a Managed Google Play web link:
1. Sign in to the Microsoft Intune admin center.
2. Select Apps >...

Corporate identifiers and Android BYO with work profile - GraphAPI to the rescue!

When a device is enrolled in Intune as a corporate device, Intune can collect the full phone hardware and app inventory, but only partially for devices enrolled as personal. The benefit of managing devices as corporate is the unlocking of additional device management capabilities compared to personal devices. At the time of writing this blog, Intune automatically assigns corporate-owned status to devices that join Microsoft Entra via:
- Device enrollment manager account (all platforms)
- An Apple device enrollment program such as Apple School Manager, Apple Business Manager, or Apple Configurator (iOS/iPadOS only)
- Windows Autopilot
- Co-management with Microsoft Intune and group policy (GPO)
- Azure Virtual Desktop
- Automatic mobile device management (MDM) enrollment via provisioning package
- Knox Mobile Enrollment
- Android corporate-owned devices with work profile
- Android fully managed devices
- Android dedicated devices
- Android Open Source Project (AOSP) Corporat...

Defender for Endpoint Vulnerability assessment of apps for Intune enrolled iOS devices

Source: Microsoft. While going through the Defender for Endpoint configuration in my tenant, I realized that I had Vulnerability management only partially configured for iOS devices and therefore decided to put things in order. Before I dive into the specifics, here is a little something on what MDE vulnerability assessment of apps is really all about. As part of MDE, Vulnerability management helps identify, assess, and remediate vulnerabilities across all onboarded devices. It delivers asset visibility, intelligent assessments, and built-in remediation tools for Windows, macOS, Linux, Android, iOS, and network devices. With the help of capabilities like Microsoft threat intelligence, breach likelihood predictions, business contexts, and device assessments, Defender Vulnerability Management continuously prioritizes the biggest vulnerabilities on your most critical assets and provides security recommendations to mitigate risk. In the case of iOS specifically, vulnerability assessments sup...

Enabling Phishing Resistant MFA on macOS for admins and disabling SSPR for the whole tenant

The background: Just a while back, Merill Fernando (Product Manager at Microsoft) shared a post on LinkedIn about disabling SSPR for admin accounts. This was based on the recommendation in Maester that "Administrators with sensitive roles should use phishing-resistant authentication methods only and therefore not able to reset their password using SSPR." Now, with phishing-resistant authentication enabled, one may argue that there shouldn't be a need to disable SSPR for administrators; however, in my honest opinion it is still a good idea to disable SSPR for administrators, as this also aligns with both the least privilege principle and the zero trust model. But first, we are going to cover what is involved in configuring phishing-resistant MFA. Enabling phishing-resistant MFA for Windows devices, which use Windows Hello for Business, is pretty much out-of-the-box functionality, but what about Apple devices like MacBooks that run macOS? Let's find out. Platform credentia...