Modern Device Management

Just like Microsoft provides security benchmark for Edge, Google does the same for Chrome. Well sort of. While Microsoft provides .admx templates along with readily importable GPO xml files, Google just provides admx templates. Unless you manage chrome browser settings using Google's own browser cloud management service , you are pretty much left with the task of configuring these settings manually. I recently configured the settings as part of security hardening process for browsers in general and thought of sharing the details here to make it convenient for others. Let's see how you can configure these settings using Intune. ADMX template in Intune Ever since Microsoft added Google's admx templates in Intune settings catalog in March 2022, things have never been simpler. If you are unfamiliar with this addition then you can head over to one of my previous blog  posts to know more about it. Chrome Browser Enterprise Security Controls Google has shared an enterprise securi...

Recently, a customer asked me if there was a way to restrict access to corporate data on Azure AD joined Windows 11 devices only. They didn't want the existing conditional access policy to apply which required a Hybrid joined device to be compliant as they were moving away from Hybrid join identity for good. This intrigued me as there is actually no direct setting in the conditional access conditions & grant controls which covers Windows 11 & Azure AD joined states explicitly. So how do you grant access just to Azure AD joined Windows 11 devices? The answer is by using Filter for devices and specific grant controls.  In case you are unfamiliar with Filter for devices feature then you should know that Azure AD uses device authentication to evaluate device filter rules. For a device that is unregistered with Azure AD, all device properties are considered as null values and the device attributes cannot be determined since the device does not exist in the directory. Therefore,...

Back in May 2021, I had published a blog post on setting local admin account using different options available in Intune . While the methods covered in the post still hold up, there is another option available natively in Azure that can be used to setup additional local administrators on Azure AD joined devices. The option involves using Additional local administrators on all Azure AD joined devices  feature in Azure which I didn't cover at the time because of its limitations. Primary limitation being that the user accounts added as additional local admin, also get added to all AAD joined devices. However, while exploring alternatives to a LAPS like solution for a customer recently, I stumbled upon Azure AD role  Azure AD Joined Device Local Administrator. The possibility of using it together with Privileged Identity Management (PIM) within  Additional local administrators on all Azure AD joined devices  feature intrigued me and I just had to try it out. Why Azu...