Posts

Showing posts from April, 2025

Working with Enrolment time grouping for Android Enterprise

Enrolment time grouping for Android Enterprise is finally here. I had been using it for Autopilot Device Preparation (APDP), and now that it supports Android OS, I wanted to experience it first-hand and capture all the caveats or gotchas. For those who are not familiar with the feature, enrolment time grouping was first introduced for Windows OS as part of Autopilot Device Preparation to speed up app and policy provisioning during device enrolment. With enrolment time grouping, you add a Microsoft Entra security group to the enrolment profile so that devices are added to the group during enrolment, rather than after. Knowing in advance which security group the device will become a member of enables Intune to deliver the configurations to the device quickly on enrolment, which not only reduces post-enrolment latency but also improves productivity. If you don't configure enrolment time grouping, then Microsoft Intune can only determine the apps a...

Intune Windows custom compliance for tracking BitLocker Recovery Key & Protection status - An Administrator's experience!

When it comes to capturing BitLocker encryption status, there are multiple options available in the Windows compliance policy in Intune. These range from Require BitLocker, Require Secure Boot to be enabled on the device, and Require code integrity under Device Health attestation, to Require encryption of data storage on device, which captures the encryption status of the OS drive not only against BitLocker but even against non-Microsoft encryption solutions. However, it is a known fact that, due to delays in getting BitLocker encryption compliance to report in a timely and accurate manner, it can be rather challenging to get the right compliance settings in place, especially if the device compliance state is being used in Entra ID conditional access policies. Another issue that I have come across is a lack of compliance reporting against BitLocker recovery key escrow. This is especially common in Co-management scenarios when the BitLocker Drive Encryption management has moved to Intune an...

Microsoft Edge Enterprise Sync - Intune Configuration & addressing sync issues

When it comes to configuring Microsoft Edge Enterprise sync, it is really a no-brainer. Not only does it allow a seamless browsing experience across multiple supported devices, with saved information like bookmarks, browsing history, saved passwords, and other settings available on any device where you sign in with the same account, it also enables Single Sign-On (SSO) into Microsoft 365 web apps and sessions, supporting conditional access policies in the process. So how do you configure it in the modern workplace, especially for cloud-native devices? Here are the steps -

Enabling Edge enterprise sync using Intune

1. Sign in to the Microsoft Intune admin center.
2. Browse to Devices –> Configuration.
3. Click Create Profile.
4. Select Platform as Windows 10 and later.
5. Select Profile type as Settings catalog.
6. Provide a Name and hit Next.
7. Click on Add settings.
8. Configure the following -
9. Assign to a device or user group as normal.

With the above configuration in place, you may run into sy...