Wednesday, 16 October 2019

SCCM Current Branch - Updates and Servicing issue

I've been working with a customer this week upgrading ConfigMgr Current Branch to 1906. However I encountered a problem even before I got started.


In the ConfigMgr console, I could see that 1906 was available to download.


However all options were greyed out.


I've had similar problems in the past and the trusty CMUpdateReset tool usually got me out of trouble. Not this time, though: I ran the tool but the problem persisted. 1906 disappeared from the console but when it reappeared the options were still greyed out.


There were some fairly catastrophic messages in the dmpdownloader.log file.


WARNING: Failed to find a certificate matching the following thumbprint: .


ERROR: DmpDownloader:GetMessages: Failed to get messages.. Exception: System.AggregateException: One or more errors occurred. ---> Microsoft.Management.Services.Common.NotSupportedException: { "_version": 3, "Message": "An error has occurred - Operation ID (for customer support): 926c3692-bde5-4c8d-a6fa-7297f93d226a - Activity ID: fb69f026-d17f-4bed-8c57-4a7ded103f37 - Url: https://fef.msub03.manage.microsoft.com/Hybrid/StatelessConnectorService/StateMessages?$filter=Mode eq 1&$top=500"


I don't know if there was an easier or less dramatic way to solve this but I fixed it by removing and re-adding the Service Connection Point (this is a perfectly harmless operation).


Normal service was resumed and I could upgrade the site.

I hope this helps. Until next time.....

Monday, 30 September 2019

My experience with iOS user enrollment using Intune

Those of us who manage iOS devices have some new terminology to learn with iOS 13. Automated Device enrollment is new 😀 and what is iOS user enrollment all about?

Automated Device enrollment is the new name for the corporate Device enrollment program (DEP). iOS user enrollment (supported in iOS 13.1) was announced by Apple in June and is designed specifically for the BYOD scenario to address the privacy concerns of users and businesses. The enrolling user can choose between user and device enrollment when they are enrolling the device. iOS user enrollment has been compared to Android Enterprise with Work Profile where the work area of the device is completely separate from the personal area (strange to see Google before Apple with an enterprise solution). In this case the device is not fully managed.

Personally I don't like the terms user and device enrollment. My customers are used to the process being referred to as user-driven enrollment so this could be confusing. I'd much prefer the terms personal and corporate enrollment.

So what do we need for the solution?

Devices

We need iOS 13.1 or later devices. I prepared an iPhone and an iPad for my testing (a little more on this later).

Apple ID

We have to configure the Apple MDM Push certificate in the Intune portal as normal to facilitate the enrollment of Apple devices. However there is an additional requirement for iOS user enrollment: each user must have a Managed Apple ID. I wasn't familiar with this so I had to do some research. You create Managed Apple IDs using Apple Business Manager. This is a free tool (a slick new model of the Device Enrollment Program) but you need to be registered to take advantage of it. I don't have access so I won't be able to create the required IDs. However I still want to see the user experience so I'll take it as far as I can.

See here for more information on Managed Apple IDs:

https://support.apple.com/en-gb/guide/apple-business-manager/mdm1c9622977/web

  • This ID will control access to the corporate area of the device. 
  • It should not be the same as the Apple ID associated with the device itself. That ID controls the personal area of the phone.
  • You must sign in to Intune to start the enrollment using the Managed Apple ID.
  • You will need a Volume Purchase Program token to deploy corporate apps to these devices.
So let's see the solution in action. How do we configure it?


In the Intune portal, navigate to Device enrollment > Apple enrollment. See the new section for Enrollment targeting. Click on Enrollment types, which is a preview feature.

Click to create a profile.


We are presented with a single choice - iOS. 

Aside: I don't quite understand this. I've read somewhere that this is because iOS 13 differentiates between iOS and iPadOS devices and iPads are not supported for user enrollment. This does make sense but it's not the case in my experience, although I could be wrong. I was able to initiate user enrollment on both my test devices.


Enter a profile name and description.


I want users to have to choose the enrollment type so I'll select Required.


When you choose Required the default enrollment type choices are no longer available. See the note about needing the Microsoft Authenticator app in order for conditional access to work on devices targeted with user enrollment.


Assign the profile to a group - I've chosen All Users for my test.


Review your choices before you Create and assign the profile.

User experience

Now let's have a look at the user experience when enrolling a device. As usual it starts with the Intune Company Portal. Download it from the App Store and install it.


Another corporate account was found on my test device so I chose to Sign in with another account.


I clicked on + to add an account.


This is where you should enter your Managed Apple ID. I don't have one so I'll wing it and see how far I can get.


Enter your password.


We're shown the list of steps that will be followed to complete the enrollment.


Ok, now this is different. I'm going to choose "I own this device".


When I do I am offered the options to secure the entire device or work related content only, cool. 


I chose "Secure work-related apps and data only".


We can see some progress.


We can see the Device management and privacy details - what your organization can't see on the device.....


….and what they can see. I don't quite understand why these dialog screens are exactly the same as those we see for device enrollment. Surely they should be different?


We see further progress.


We have to Allow the company portal website to download a configuration profile.


The management profile has downloaded and we're told to go to Settings to continue. We're familiar with this two-step enrollment with later iOS devices.


We see that we now should "Enrol in "your directory"".


Click "Enrol my iPhone" to continue.


Aside: I was also able to get this far with my test iPad so I'm not sure that it's true to say iPads are not yet supported.


Back to the iPhone - I entered the existing passcode to install the management profile.


Now I have to enter my Managed Apple ID. The ID is prepopulated based on the credentials I previously entered and it can't be changed or removed.

The process will finish and the device will be enrolled as a personal device.

Some thoughts on iOS user enrollment

iOS user enrollment is a really good idea and kudos to Microsoft for quickly integrating it with Intune. However I'm not sure Apple have got this right. Not all organizations will be able to use it. The requirement for DEP/Apple Business Manager and VPP programs can be a little too much for some organizations (not to mention testing in labs for IT Pros like me). Also the programs are not available in all countries.

It's certainly not as straightforward as testing Android Enterprise with Work Profile. Ironically it's easier to manage the entire device using device enrollment.

I hope you find this useful. Until next time...





Monday, 29 July 2019

Intune custom notifications just arrived

This is just a quick post to demonstrate a really cool feature that's just arrived in the Intune console. You can use this feature to quickly notify employees about an important event and messages can be customized for any general communication purpose. Custom notification messages include a short title and a message body of 500 characters or less.

What you should know
  • Supported on managed iOS and Android devices (not Windows)
  • Company Portal is required
  • Messages appear as standard push notifications from the Company Portal
  • Intune doesn't actually save the messages
  • You can send up to 25 messages per hour
  • Intune and the Company Portal app can’t guarantee delivery of a custom notification. Custom notifications might show up after several hours of delay, if at all, so they shouldn't be used for urgent messages
  • Custom notifications can be visible on lock screens on both iOS and Android devices depending on device settings.
Sending a custom notification

So how do we send these notifications?


Navigate to Devices > Send custom notifications.


Enter a title (max. 50 characters) and a body (max. 500 characters).


Assign the notification to the group you need....



...and create the notification.



Intune processes the message immediately. It doesn't save it so you can't see a list of notifications. This is the only confirmation we can see.


On a device, users see custom notification messages that are sent by Intune as a standard push notification from the Company Portal app. On iOS devices, if the Company Portal app is open when the notification is received, the notification displays in the app instead of being a push notification. This is what happened in my test. The dialog above popped up for me and I couldn't miss it.

The notification remains until the user dismisses it.

This is a cracking little feature and I hope you enjoy it.

Until next time...

Thursday, 11 July 2019

AutoPilot hybrid - issue resetting devices

Issue

I'm implementing an AutoPilot process for a customer at the moment involving hybrid AAD join of Windows 10 1809 devices (Lenovo T480 laptops). In general the AutoPilot process works. However we ran into trouble when we retired or reset a device that had been previously joined to Azure AD. The behaviour was consistent and the devices never joined AD or AAD.


After sign in the devices were stuck on "Please wait while we set up your device". (The screenshot above shows 1809 VM on the left and 1903 on the right).

After about 30 minutes they would fail with:

"Something went wrong. Confirm that you are using the correct sign-in information and that your organization uses this feature. You can try to do this again or contact your system administrator with the error code 80070774"



This suggested that there was something preventing the Offline Domain Join from completing and the process timed out. I researched the problem and saw that I wasn't alone. Similar issues were reported in the TechNet forums.


  • I made sure that the devices did not still exist in AD or Azure AD but it did not make any difference.
  • Also I made sure that the ODJ profile was assigned to a dynamic group of my AutoPilot devices. Remember the solution worked perfectly first time around. It only gave trouble when the devices were reset.
  • The AutoPilot device group was based on the presence of the ZTDId attribute.
Workaround

I reached out to the product group and Michael Niehaus gave me some advice. He suggested that the only way to get it to reliably work was to remove all the device objects (AAD, Intune, Autopilot) and then re-import the device to Autopilot to start over. He also suggested a possible workaround: target the Domain Join device configuration policy to "All Devices" instead of AutoPilot devices only, as that would help with the ODJ timeout problems.

That's what I did. I changed the targeting and it worked. The devices joined both AD and Azure AD as normal. Thanks Michael.
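Before re-importing a reset device the way Michael suggested, it helps to know which of the four stores (on-premises AD, Azure AD, Intune and the Autopilot registration) still hold an object for it. The PowerShell below is an added example and not code from the original post or from Microsoft. It assumes the ActiveDirectory, AzureAD, Microsoft.Graph.Intune and WindowsAutopilotIntune modules are installed and that Connect-AzureAD and Connect-MSGraph have already been run; the function name, its output shape and the sample serial number in the usage line are this example's own. It only reads, it deletes nothing.

```powershell
# Added example (not from the original post): read-only report of where a reset Autopilot device
# still has objects. Assumes the ActiveDirectory, AzureAD, Microsoft.Graph.Intune and
# WindowsAutopilotIntune modules and an existing Connect-AzureAD / Connect-MSGraph session.
# The function name and output shape are this example's own; the cmdlets are the modules' own.

function Get-AutopilotDeviceFootprint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SerialNumber,
        [Parameter(Mandatory)] [string] $ComputerName   # the name the ODJ profile gave the device
    )

    # On-premises AD: the computer account created by the offline domain join.
    $ad = @(Get-ADComputer -Filter "Name -eq '$ComputerName'" -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty DistinguishedName)

    # Azure AD: searched by both names, because the hybrid-joined object is named after the
    # computer while the Autopilot pre-registration object is not. The ZTDId shown here is the
    # attribute the dynamic device group rule keys on:
    #   (device.devicePhysicalIDs -any _ -contains "[ZTDId]")
    $aad = @(
        Get-AzureADDevice -SearchString $ComputerName
        Get-AzureADDevice -SearchString $SerialNumber
    ) | Sort-Object ObjectId -Unique |
        Select-Object DisplayName, DeviceId,
            @{ n = 'ZTDId'; e = { ($_.DevicePhysicalIds | Where-Object { $_ -like '[ZTDId]*' }) -join ';' } }

    # Intune: the managed device record, looked up by serial number.
    $intune = @(Get-IntuneManagedDevice -Filter "serialNumber eq '$SerialNumber'" |
                Select-Object deviceName, id, lastSyncDateTime)

    # Autopilot: the registration itself, the object that has to be deleted and re-imported to start over.
    $autopilot = @(Get-AutopilotDevice -serial $SerialNumber |
                   Select-Object serialNumber, id, azureActiveDirectoryDeviceId)

    [pscustomobject]@{
        SerialNumber    = $SerialNumber
        ComputerName    = $ComputerName
        ActiveDirectory = $ad
        AzureAD         = $aad
        Intune          = $intune
        Autopilot       = $autopilot
        # Anything still present after a reset is a candidate for removal before re-importing.
        HasLeftovers    = ($ad.Count + $aad.Count + $intune.Count + $autopilot.Count) -gt 0
    }
}

# Usage (placeholder values): run per device before re-importing it to Autopilot.
Get-AutopilotDeviceFootprint -SerialNumber 'PF1ABCDE' -ComputerName 'AP-PF1ABCDE' | Format-List
```

Run it once after the reset and once after the clean-up; only when HasLeftovers is False is the device genuinely gone from all four places and safe to re-import.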

I hope this helps you if you find yourself in the same situation. 

Until next time......


Monday, 8 July 2019

AutoPilot CSV file formatting issues

I've been uploading hardware IDs to Intune for my customer so that the devices can be provisioned using AutoPilot and Intune. We create CSV files in batches of 50 and everything has been going well so far. However the process started to fail today.


Intune would not accept the formatting of the CSV files. 

Each row must have a minimum of 3 columns

The formatting looked ok to me though. It was a CSV file of 50 devices created using the -append parameter.

Get-WindowsAutoPilotInfo.ps1 -OutputFile .\batch1.csv -append

The project leverages Microsoft Teams for collaboration and I subsequently discovered that the files had been uploaded to Teams and downloaded again. This must have caused some subtle issue with the formatting. Once I got the original files I was able to continue as normal.

I've also noticed that a simple edit of the CSV file can cause formatting issues. There was a duplicate line in one of the files but simply deleting the line caused an issue.


In the end I uploaded the file with the duplicate and just accepted the import error.

I hope this helps anyone else scratching their head with AutoPilot CSV formatting issues. My advice:
  1. Use the original CSV file only
  2. Keep editing of the CSV file to a minimum
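Rather than find out at upload time, the file can be checked locally for the conditions Intune rejects and for the kinds of damage a download/re-upload or a hand edit tends to introduce. The PowerShell below is an added example and not code from the original post or from Microsoft. It assumes the file was produced by Get-WindowsAutoPilotInfo.ps1 and so uses the documented header columns Device Serial Number, Windows Product ID and Hardware Hash (Group Tag and Assigned User are optional extras); the function name and its output are this example's own.

```powershell
# Added example (not from the original post): validate an Autopilot CSV before uploading it to Intune.
# Assumes the Get-WindowsAutoPilotInfo.ps1 layout:
#   "Device Serial Number","Windows Product ID","Hardware Hash"   (optionally "Group Tag","Assigned User")
# The function name and output shape are this example's own.

function Test-AutopilotCsv {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Optional: write a de-duplicated, plain-ASCII copy to upload instead of the original
        [string] $CleanCopyPath
    )

    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $problems = New-Object System.Collections.Generic.List[string]

    # 1. Encoding: a byte order mark or UTF-16 is a typical side effect of a file being re-saved.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $problems.Add('File starts with a UTF-8 byte order mark')
    }
    elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
        $problems.Add('File is UTF-16, not ASCII/UTF-8')
    }

    # 2. Raw line checks that Import-Csv would hide: blank lines and the per-line column count
    #    ("Each row must have a minimum of 3 columns"). Hashes are base64 and contain no commas,
    #    so a plain split counts columns reliably here.
    $lines = [System.IO.File]::ReadAllLines($Path)
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i].Trim() -eq '') { $problems.Add("Line $($i + 1) is blank"); continue }
        $columns = $lines[$i].Split(',').Count
        if ($columns -lt $required.Count) {
            $problems.Add("Line $($i + 1) has $columns column(s); Intune requires at least $($required.Count)")
        }
    }

    # 3. Header must carry the documented column names, in order.
    $header = $lines[0].Split(',') | ForEach-Object { $_.Trim().Trim('"') }
    for ($i = 0; $i -lt $required.Count; $i++) {
        if ($i -ge $header.Count -or $header[$i] -ne $required[$i]) {
            $problems.Add("Header column $($i + 1) should be '$($required[$i])'")
        }
    }

    # 4. Field-level checks on the parsed rows.
    $rows = @(Import-Csv -Path $Path)
    $rowNumber = 1
    foreach ($row in $rows) {
        $rowNumber++
        foreach ($name in $required) {
            if ([string]::IsNullOrWhiteSpace($row.$name)) { $problems.Add("Line $rowNumber`: '$name' is empty") }
        }
        # The hash is one base64 blob; stray quotes or a wrapped line show up as invalid base64.
        if ($row.'Hardware Hash' -and $row.'Hardware Hash' -notmatch '^[A-Za-z0-9+/]+={0,2}$') {
            $problems.Add("Line $rowNumber`: 'Hardware Hash' is not valid base64")
        }
    }

    # 5. Duplicate serial numbers: each one produces an import error on the Intune side.
    $rows | Group-Object 'Device Serial Number' | Where-Object Count -gt 1 | ForEach-Object {
        $problems.Add("Serial number '$($_.Name)' appears $($_.Count) times")
    }

    if ($CleanCopyPath) {
        # Keep one row per serial and write ASCII (no BOM), leaving the original untouched.
        $rows | Sort-Object 'Device Serial Number' -Unique |
            Export-Csv -Path $CleanCopyPath -NoTypeInformation -Encoding ASCII
    }

    [pscustomobject]@{
        Path     = $Path
        Rows     = $rows.Count
        IsValid  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage: validate the batch and, if needed, produce a clean copy to upload.
Test-AutopilotCsv -Path .\batch1.csv -CleanCopyPath .\batch1-clean.csv
```

The clean copy is generated from the parsed rows rather than by editing the file, which is what the two pieces of advice above amount to: the original stays untouched, and any duplicate is dropped programmatically instead of by hand.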
Until next time....