Tuesday, 30 May 2017

Intune app-based conditional access to SharePoint Online

App-based conditional access is a recent addition to the Intune family and is a really useful feature. Only mobile apps that have Intune app protection policies applied to them can access SharePoint resources. This helps to prevent data leakage and protect our data. Let's see how to configure it and what it looks like in the field.

Sign into the Azure portal (https://portal.azure.com)
Choose More services from the left menu, then type Intune in the text box filter.


Choose Intune App Protection and select All Settings in the Intune mobile application management blade.


Choose the SharePoint Online tile. On the Allowed apps blade, choose Allow apps that support Intune app policies option to allow only apps that are supported by Intune app protection policies.


The Allowed apps are listed. Now open the Restricted user groups blade and choose Add user group.


Select the user groups that should receive the policy.

OK, so what does this look like on a device? For testing I'm using an iPhone and the "SharePlus for Office 365 and SharePoint" app.


SharePlus is an unmanaged app that you can use to work with your SharePoint libraries. I've installed it on the iPhone.


SharePlus cannot have Intune app protection policies applied, so the app cannot authenticate to access SharePoint. An error is encountered. The error message isn't very clear or intuitive, but the functionality is perfect: access is prevented by the app-based CA policy.


Once I remove the per-app CA policy, SharePlus can successfully authenticate with SharePoint Online. This is very cool.

Until next time.......


Stay secure using Skycure integration with Microsoft Intune

Skycure is one of the industry leaders in Mobile Threat Defense and the platform is very effective at proactively protecting mobile devices from a broad range of known and unknown threats.

Skycure can now integrate with Microsoft Enterprise Mobility + Security, which allows enterprises to secure mobile devices by leveraging data from three dimensions – user identity, device identity and real-time risk. This integration with Intune and Azure Active Directory allows administrators to dynamically control mobile access to corporate resources and data based on Skycure’s real-time risk and compliance analysis. It looks like an exciting partnership for Microsoft.


So, how does it work?

You install the Skycure mobile app on Android and iOS devices. The app captures file system, network stack, device and application telemetry, and sends it to the Skycure cloud service to assess the device's risk for mobile threats.

Intune compliance policies now include a rule for Skycure mobile threat defense, which is based on the Skycure risk assessment. If the device is found to be non-compliant, access to resources like Exchange Online and SharePoint Online is blocked. Users on blocked devices receive guidance from the Skycure mobile app to resolve the issue and regain access to corporate resources.

How can I get started?

The solution is supported on Android 4.1 and later and iOS 8 and later.

You will also need the following subscriptions:
  • Azure Active Directory Premium
  • Microsoft Intune
  • Skycure Mobile Threat Defense subscription (get a trial here)

Steps to configure the solution:
  1. Configure Skycure to use Azure Active Directory Single Sign On (SSO) - enter your Azure tenant ID in the Skycure Management console.
  2. Download Skycure iOS app configuration policy - log in to the Skycure Management Console to download the iOS app configuration policy.
  3. Add Skycure apps, Microsoft Authenticator and iOS app configuration policy - add the apps and the policy in the Intune portal.
  4. Deploy Skycure apps, Microsoft Authenticator and iOS app configuration policy - deploy the apps and policy to your users.
  5. Set up Skycure integration with Intune - add Skycure apps into Azure AD to have Single Sign On capabilities. Configure the Intune connector in the Skycure Management console.
  6. Enable Skycure Mobile Threat Defense in Intune - configure the Skycure and Intune integration in the Intune administrator console.
  7. Create Skycure Mobile Threat Defense compliance policy in Intune - create the Skycure compliance policy in the Intune console and apply it to the conditional access policy.
You can read more about this exciting new development in the official documentation.

Until next time......

Tuesday, 18 April 2017

Test driving OMS Upgrade Readiness

Last week I advised a smaller customer on their upcoming Windows 10 migration. As a smaller shop (approx. 100 users) they don't have access to the usual tools that I would recommend, although they use MDT for imaging and WSUS for patching. They don't have any tool for hardware and software inventory, so we were unable to have a conversation about application compatibility. I thought this would be a good opportunity to test drive Upgrade Readiness, a "free" component of Microsoft Operations Management Suite (OMS). Let me clarify that: I was told it was free, but I was unsure what I'd actually get.

This is from the Microsoft TechNet article, looks hopeful:

"You can use Upgrade Readiness to plan and manage your upgrade project end-to-end. Upgrade Readiness works by establishing communications between computers in your organization and Microsoft. Upgrade Readiness collects computer, application, and driver data for analysis. This data is used to identify compatibility issues that can block your upgrade and to suggest fixes that are known to Microsoft".

Getting Started

Upgrade Readiness is a component of OMS and was formerly known as Upgrade Analytics, which was previously known as Windows Analytics (I mention this as you'll still see these terms). The first step in this process is to sign up and create an OMS Workspace. This must be linked to an Azure subscription (either new or existing) even though you will not be charged.

Navigate to the following page to sign up for Upgrade Readiness (even though the page still says Windows Analytics).



If you already have an Azure subscription you should sign in with the subscription owner account. This is to allow you to easily link your new OMS Workspace with your existing Azure subscription.

If you are already using OMS you can choose "Existing OMS Customers". Otherwise choose "New Customers". This is the one we need.


This is the "Create New Workspace" page of OMS.
Choose a workspace name, e.g. yourdomain

From now you will access your workspace using this link:

https://yourdomain.portal.mms.microsoft.com

Enter the rest of your details (Workspace region, name, contact email address, phone number, company name and country).
Select Create to create your OMS workspace.


The OMS workspace has been created and your Azure subscription is available. Choose Link to link your workspace with your subscription.


If you don't have an Azure subscription (i.e. the account you have signed in with is not the owner of any Azure subscriptions), you will need to create one before you can continue. Select "Create New" and run through the wizard to create a new Azure subscription. You will need a credit card for this, although you will not be charged if you only want the free Upgrade Readiness.


The OMS workspace has been created and linked to your Azure subscription. Now you have to add the Upgrade Readiness solution. Check that box and select Add. (I've also added Update Compliance (Preview) but that is optional).


This is our OMS workspace. See that the Data Plan = Free in the top right corner. We'll have a look at that again later.

Configuring OMS

See that Upgrade Readiness requires configuration. Click on the tile and the Settings dashboard opens. Navigate to the Windows telemetry panel.


Copy and save your commercial ID key. You’ll need to insert this key into the Upgrade Readiness deployment script later so it can be deployed to user computers.


Click Subscribe for Upgrade Readiness. The button changes to Unsubscribe. Unsubscribe from the Upgrade Readiness solution if you no longer want to receive upgrade-readiness information from Microsoft.


Click Overview on the Settings Dashboard to return to your OMS workspace portal. The Upgrade Readiness tile now displays summary data. Click the tile to open Upgrade Readiness.

Proxy Configuration

The following endpoints should be whitelisted. They need to be accessible in order for your clients to send telemetry data to Microsoft. This data will subsequently be displayed in Upgrade Readiness.


Endpoint / Function
  • https://*vortex*.data.microsoft.com/ - Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint.
  • https://*settings*.data.microsoft.com/ - Enables the compatibility update KB to communicate with Microsoft.
  • https://go.microsoft.com/fwlink/?LinkID=544713 and https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc - This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system.
    If you are using a Windows Compatibility Update published after February 2017 (appraiser.dll version >= 10.0.14979) you don't need access to these endpoints.

Client configuration - compatibility updates

The compatibility update KB scans your computers and enables application usage tracking. If you don’t already have the KBs installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using WSUS or ConfigMgr. I'm just running a pilot for now so I'll install them manually.

For Windows 7 I need the following:

Windows 7 SP1
  • KB2952664 - Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed. For more information about this KB, see https://support.microsoft.com/kb/2952664
  • KB3150513 - Provides updated configuration and definitions for compatibility diagnostics performed on the system. For more information about this KB, see https://support.microsoft.com/kb/3150513
NOTE: KB2952664 must be installed before you can download and install KB3150513.


There are different KB requirements for the various operating systems. You'll find that information here

Client configuration - execute Upgrade Readiness deployment script

The Upgrade Readiness deployment script does the following:
  1. Sets the commercial ID key plus the CommercialDataOptIn and RequestAllAppraiserVersions keys.
  2. Verifies that user computers can send data to Microsoft.
  3. Checks whether the computer has a pending restart. 
  4. Verifies that the required KBs are installed.
  5. If enabled, turns on verbose mode for troubleshooting.
  6. Initiates the collection of the telemetry data that Microsoft needs to assess your organization’s upgrade readiness.
  7. If enabled, displays the script’s progress in a cmd window, providing you immediate visibility into issues (success or fail for each step) and/or writes to log file.

Download the script package from here. See here for full script instructions, but you have to edit the script with the following information:
  • Location for log information
  • Commercial ID
  • Log behaviour

Executing RunConfig.bat.

In my pilot I copied the script files locally to the folder C:\Temp\Pilot. I also used a local log location, C:\Windows\Temp.
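Before running RunConfig.bat on a pilot client it helps to have a pre-flight check that fails with a distinct non-zero exit code for each prerequisite the deployment script depends on. The PowerShell below is added here as an illustration and is not part of the original post or of Microsoft's deployment script; it assumes the registry locations Policies\DataCollection and AppCompatFlags\Appraiser for the three keys the script sets, and the System32 location of appraiser.dll, so verify those against the script package before using it.

```powershell
# Pre-flight check for Upgrade Readiness onboarding (added example, not RunConfig.bat).
# Assumed registry paths and appraiser.dll location are noted inline; run elevated.
param(
    [Parameter(Mandatory = $true)][string]$CommercialId,   # copied from OMS > Settings > Windows telemetry
    [string]$LogPath = 'C:\Windows\Temp\UR-preflight.log', # same log location as the pilot
    [switch]$SetKeys                                        # write the registry values only when asked
)

function Write-Log([string]$Message) {
    $line = "{0:s} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

# 1. Both Windows 7 SP1 compatibility updates must already be installed (KB2952664 first).
$requiredKbs = 'KB2952664', 'KB3150513'
$missing = @()
foreach ($kb in $requiredKbs) {
    if (-not (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)) { $missing += $kb }
}
if ($missing) { Write-Log "Missing compatibility updates: $($missing -join ', ')"; exit 2 }
Write-Log 'Compatibility updates present.'

# 2. A pending restart means the appraiser may not run; stop and report it.
$rebootKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
              'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
if ($rebootKeys | Where-Object { Test-Path $_ }) { Write-Log 'Restart pending - reboot before onboarding.'; exit 3 }

# 3. The appraiser.dll version decides whether the driver endpoints still need proxy access.
$appraiser = Get-Item "$env:windir\System32\appraiser.dll" -ErrorAction SilentlyContinue  # assumed location
if ($appraiser) {
    $ver = [version]$appraiser.VersionInfo.FileVersion.Split(' ')[0]
    if ($ver -ge [version]'10.0.14979') { Write-Log "appraiser.dll $ver: driver endpoints not required." }
    else { Write-Log "appraiser.dll $ver: allow the compatexchange/fwlink endpoints through the proxy." }
}

# 4. Validate the commercial ID before writing it, so a mistyped ID does not
#    quietly send telemetry to the wrong OMS workspace.
if ($SetKeys) {
    if ($CommercialId -notmatch '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$') { Write-Log 'Commercial ID is not a GUID.'; exit 4 }
    $dc = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'          # assumed path
    $ap = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Appraiser'      # assumed path
    foreach ($k in $dc, $ap) { if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null } }
    Set-ItemProperty -Path $dc -Name CommercialId -Value $CommercialId -Type String
    Set-ItemProperty -Path $ap -Name CommercialDataOptIn -Value 1 -Type DWord
    Set-ItemProperty -Path $ap -Name RequestAllAppraiserVersions -Value 1 -Type DWord
    Write-Log 'Registry keys set; run RunConfig.bat next.'
}
exit 0
```

Run it without -SetKeys first to see which prerequisite fails; exit codes 2, 3 and 4 map to missing KBs, pending restart and a malformed commercial ID, so a startup script can tell them apart in the log.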

What does Upgrade Readiness give us?

I onboarded two Windows 7 clients for my pilot.


This is what I could see in my OMS workspace after a few days.


Drill into Upgrade Readiness to see more details.


Scroll over. Now we can see really useful information. We can find applications and drivers with known issues. These are the issues we need to resolve before the Windows 10 deployment.

Note that the information can be exported to Excel and saved locally. That's really cool.

The not-so-good stuff

I have a few little problems with the solution which I felt I should mention:
  • Windows 7 computers require that two KBs are installed for the solution to work. KB2952664 and KB3150513 are required. It's unfortunate that KB2952664 has to be installed already before KB3150513 can be installed. I appreciate that computers should be fully patched but that isn't always the case. I needed multiple reboots for my pilot clients with this customer. It will now be a little awkward to automate this to the remaining clients using a Group Policy computer startup script.
  • This TechNet article contains exit codes for the upgrade readiness script. 0 is the "successful" exit code. However, I got exit code 0 even though the script could not run and a log file was not created. This was a little confusing.
  • It can take quite a while to onboard devices - up to 3 days for my second pilot client.
  • Windows 10 Version 1703 is not yet available as a target version. Perhaps it's too early, or perhaps it will be available when 1703 is declared business ready.
  • The free data plan is a little restrictive. The daily upload limit is 500MB and the data retention period is 7 days. Note that the initial upload for each client is expected to average 2MB.
  • You can increase this by purchasing another offering.

Next steps

Integrate Upgrade Readiness with ConfigMgr to access client upgrade compatibility data in the admin console. You'll then be able to target devices for upgrade or remediation from the device list.

Final Verdict

I'm generally quite happy with the solution. It will do exactly what I need for this customer.

Until next time......



Thursday, 13 April 2017

My new ConfigMgr training video series

I've been very quiet online recently but I've been very busy. I've been adding the finishing touches to my chapters in the upcoming ConfigMgr Current Branch Unleashed book (available for pre-order from Amazon).

Also, I've been working on a training video series for Packt Publishing. It's a lot of work. It's a two-part series of videos.

The contents are as follows:

Course 1 – Introducing the Configuration Manager environment

Section 1. Planning the Configuration Manager environment
1.1 Configuration Manager overview
1.2 Configuration Manager site planning and network design


Section 2. Installing Configuration Manager
2.1 Configuration Manager Prerequisites
2.2 Installing Configuration Manager
2.3 Easy Setup


Section 3. Getting Started with Configuration Manager
3.1 Using the Configuration Manager console
3.2 Configuration Manager and PowerShell
3.3 Discovery and boundaries
3.4 Configuration Manager Client installation
3.5 Create and manage collections
3.6 Configuration Manager Compliance
3.7 Hardware and software inventory


Section 4. Security & Role-Based administration (RBA)
4.1 Configuration Manager security overview
4.2 Role-Based administration
4.3 Securing the Configuration Manager environment


Section 5. Configuration Manager reporting and site maintenance
5.1 Configuration Manager Reporting
5.2 Configuration Manager Backup, Recovery & Maintenance


Course 2 – Implementing Configuration Manager features


Section 6. Software Distribution

6.1 Applications
6.2 Packages


Section 7. Software Updates
7.1 Introduction to software updates in Configuration Manager
7.2 Deploy a software updates solution with Configuration Manager
7.3 Automatic Deployment rules


Section 8. Operating System Deployment
8.1 Introduction to Operating System Deployment in Configuration Manager
8.2 Build and Capture a Windows 10 image with Configuration Manager
8.3 Deploying a Windows 10 image with a Configuration Manager task sequence
8.4 Working with device drivers


Section 9. Endpoint Protection
9.1 Enabling Endpoint Protection with Configuration Manager
9.2 Endpoint Protection client configuration
9.3 Managing Endpoint Protection with Configuration Manager


Section 10. Intune hybrid
10.1 Integrating Intune into Configuration Manager
10.2 Managing mobile devices with Configuration Manager
10.3 Advanced hybrid features of Configuration Manager


I'm very pleased to say that Course 1 is now available for pre-order. I've just started working on Course 2.

https://www.packtpub.com/virtualization-and-cloud/introducing-system-center-configuration-manager-video

The videos average about 10 minutes long and are presentation-driven with lots of demonstrations throughout. I hope you enjoy watching as much as I enjoyed presenting.

Special thanks to Paul Winstanley @SCCMentor who reviewed the course.

Until next time.......

Wednesday, 12 April 2017

WMUG event - Windows 10 and Azure Cloud

I'm very pleased to be involved with the Windows Management User Group in London. We're hosting an event on 21st April in Hotel Xenia (160 Cromwell Rd, London SW5 0TL).

We're a ConfigMgr/Intune-oriented group and this time we'll be discussing Windows 10 and Azure. Please come along, it's free.

My session is titled "10 top tips for deploying Windows 10". I've done a lot of work in this area recently, primarily for Microsoft Consultancy Services, so I've picked up some tricks along the way. I'd like my session to be interactive so that we can learn from each other. If you attend, please join in and tell us your war stories.


The agenda is as follows:

Morning sessions:


Afternoon sessions:


Although the event is free, you must register in advance here.

Hope to see you there.....