Thursday, 22 January 2015

Microsoft EMS - what is it all about?

Microsoft EMS - what is it all about? First let's examine a couple of modern IT trends.

Many employees are now requesting (or demanding) that their employers allow them to use devices they have chosen and are comfortable using. The consumerization of IT refers to this trend, in which employees expect to be able to use personal devices to connect to corporate networks. It has led to the phenomenon of "bring your own device" (BYOD), in which companies allow employees to access corporate resources from their own personal devices.

Software as a service (or SaaS) is a method of delivering applications over the Internet - as a service, so to speak. IT departments no longer have the expense of installing and maintaining software, freeing up personnel and hardware resources for other tasks. This has the added benefit that software upgrades are handled seamlessly by the vendor at the back end and companies are free to concentrate on their core business.

Embracing these modern trends raises a number of challenges along the way.

1. How do we secure these personal devices?
2. How do we manage applications on the devices?
3. How do we secure company data and prevent data leakage?
4. How do we provide a cloud identity allowing users to seamlessly access their SaaS applications with single sign-on?

Enter Microsoft Enterprise Mobility Suite (EMS), which addresses all these challenges (.....and more). 

What is EMS? 

It is simply a Microsoft licensing suite consisting of three products, and it is the most economical and efficient way to purchase them.

  • Microsoft Azure Active Directory Premium – identity in the cloud
  • Microsoft Intune – Mobile Device Management (MDM) and Mobile Application Management (MAM)
  • Microsoft Azure RMS – rights management, securing and protecting documents 

EMS will be my focus for 2015. This will be the EMS landing page and I will add any EMS blogs that I write. I hope that they will be useful.


How to purchase EMS (NEW)
What Azure services do I get with my EMS licenses? (NEW)
Install the Azure Active Directory Sync Service (AAD Sync) (NEW)

Azure Active Directory Premium

Activate AAD Premium (coming soon)
AAD Premium additional features (coming soon)
Using Groups (coming soon)
Company Branding (coming soon)
Password self-service (coming soon) 
Microsoft Azure App Access Panel (NEW)
How to use Cloud App Discovery (NEW)
Azure Cloud App Discovery now generally available (NEW)
Azure AD Privileged Identity Management (NEW)
Multi-factor authentication (coming soon)
Activity and Security Reports (coming soon)
Externally publish an internal web app with Azure Application Proxy (NEW)

Microsoft Intune

Mobile Device Management in SCCM 2012 R2
Windows Intune configuration
Extend Windows Intune trial

Microsoft Intune - Create an online support request 
Microsoft Intune - from trial to production 
User Configuration
Windows Azure Active Directory Sync (DirSync)
Install the Azure Active Directory Sync Service (AAD Sync)
Intune Subscription and Connector
Compliance Settings
Windows 8 Phone 
Windows 8.1 Phone 
Windows RT
Legacy Devices 
Device Ownership (Company or Personal)
Device Collection queries
Upcoming New Features 
Collecting IMEI from mobile devices
Mobile Device Management in SCCM 2012 R2 (Full PDF)
Conditional access to email with Microsoft Intune
See "Microsoft Intune Conditional Access" in action (NEW)  
Microsoft Intune Kiosk mode (NEW)
Blacklist applications on mobile devices with Microsoft Intune (NEW)
Mobile Application Management with Microsoft Intune (NEW)
Microsoft Intune Mobile Application Management now a complete solution (NEW)
Multi-Identity in Microsoft Intune Managed Apps (NEW)
Microsoft Intune - restrict the number of devices a user can enroll (NEW)
Device Enrollment Managers in Microsoft Intune (NEW)
Corporate Device Enrollment of iOS devices in Microsoft Intune (NEW)
Microsoft Intune - Create WiFi profiles with pre-shared keys for Android devices (NEW)
Microsoft Intune App Wrapping Tool for Android (NEW)
Role Based Access to Microsoft Intune (NEW)
Cloud storage with Microsoft Intune (NEW)
Alerts and Notifications in Microsoft Intune (NEW)
Microsoft Intune - Custom User Terms & Conditions (NEW)
Deploying apps to iOS devices with Intune - what you need to know (NEW)
Deploying apps to Android devices with Intune - what you need to know  (NEW)
Encourage users to enrol their devices with Microsoft Intune (NEW)
Deploying iOS Custom Profiles with Microsoft Intune (NEW)
Conditional Access with Intune just got better (NEW)
Microsoft Intune - one less portal to manage (NEW)
Microsoft Intune policy refresh intervals (NEW)
Microsoft Intune - renew Apple APN certificate
DirSync installation issues
Windows Intune Step by Step Guide (earlier wave)
Part 10: Uninstall Intune Client

Microsoft RMS

An Overview of Azure RMS including custom templates (NEW)
Azure RMS Sharing App & RMS Document Tracking (NEW)
Azure RMS and SharePoint Online (NEW)
RMS Protection Tool (NEW)

Microsoft EMS issues

"Oops" error when you try to activate EMS licenses (NEW)
"Could not verify the domain" in Azure (NEW)
Microsoft Intune Exchange Connector Error (NEW)
Microsoft Intune Console - an unexpected error has occurred
Cloud App Discovery Endpoint Agent setup failed with error 0x80070643  
Top tip when resetting Mobile Device Management Authority (NEW)

Tuesday, 20 January 2015

Mobile Application Management with Microsoft Intune - available managed apps

MAM with Intune main menu 

This is seriously cool technology with only a single drawback. The availability of managed apps is quite limited.

Edit 1st Feb 2015: No more drawbacks. Microsoft have released more apps, which now make MAM a very good, feasible solution.

Android Apps
Managed Browser 
PDF Viewer
AV Player
Image Viewer 

Microsoft Word
Microsoft Excel
Microsoft PowerPoint 
Microsoft OneNote 
Microsoft Outlook 

Even though we have a Managed Browser for Android, we are a little lacking with apps here - no Office for Android. I believe that the release of this software is imminent.

(Edit 1st Feb 2015 - My view has changed now with the release of Office apps for Android)

iOS Apps
Microsoft Word for iPad 
Microsoft Excel for iPad 
Microsoft PowerPoint for iPad 
Microsoft OneNote for iPad 

Microsoft Outlook for iPad 

There are more useful apps for iOS. However the Managed Browser has not yet been released. It is currently pending store approval.

Also Microsoft have released an iOS Wrapping tool with which you can enable your own apps to be managed without any software development. I'll investigate this tool shortly.

Mobile Application Management with Microsoft Intune - Install Managed Apps and test MAM functionality

MAM with Intune main menu 

OK, we've finished the Intune configuration for now. So what does Mobile Application Management look like on the device? Let's see.

Remember that we deployed the Intune Managed Browser as "Available". Now we must install it. Open the Intune Company Portal on the device.

Browse to Apps to see the Managed Browser and the PDF Viewer. Let's just install the browser for now. Click on the software.

"View in Google Play".

This takes us to the location of the software in the Google Store. Click to Install.

Now open the App.

We are prompted to set a PIN for the managed container.

The Managed Browser is installed. Now the fun starts. Launch the browser.

I use mirroring software to display my Android device on screen. The screen goes dark when the Managed Browser opens. How cool is that? - no chance to take a screenshot of any data. I've taken photographs of the rest of the process.

This is the Intune Managed Browser for Android. It is based on Chrome and has much of the same functionality you would expect from a browser - see where you can bookmark URLs.

Try to access a URL that you have not configured.

Access is blocked.

We can only access the allowed URLs.

This is a list of documents from the allowed SharePoint site. Remember that we have not yet installed any other Managed Apps. Therefore we should not be allowed to open any content.

......and we can't.

Now let's install the PDF Viewer.

Now I have better success opening my managed PDFs.

This is cracking technology.

Monday, 19 January 2015

Mobile Application Management with Microsoft Intune - Add and deploy PDF Viewer

MAM with Intune main menu 

We've added and deployed the Managed Browser. Now we need a managed app that will open the managed content. Enter the Intune PDF Viewer. This was added to the Google Store in December 2015.

The process to add and deploy the PDF viewer is the same as before.

Add the software.

Manage the deployment.

Select the target group.

Must be "Available".

Select the MAM Policy.

Mobile Application Management with Microsoft Intune - Add and Deploy Managed Browser

MAM with Intune main menu 

The Intune Managed Browser for Android was added to the Google Store in December 2014.

Open the Intune console and browse to Software > Managed Software. 

Click to "Add" software.

Enter your Intune credentials to open the Microsoft Intune Software Publisher.

Select "Add Software".

Choose "External Link" and enter the URL for the Managed Browser in the Google Store.

Enter the app details and add an icon if you wish.

Click "Upload" to finish.

The Managed Browser is now available in Intune. Now we must deploy the browser.

Select the software and choose "Manage Deployment".

Select the Group to which you want to deploy (pre-created group of users or devices).

Note that "Available" is the only option (Required is greyed out).

Associate with the previously created MAM Policy.

Associate with the Managed Browser Policy.

Mobile Application Management with Microsoft Intune - Create Policies

MAM with Intune main menu 

OK, so let's launch the Intune console and create the policies that introduce the concept of containerisation. We can configure a MAM container so that data can only be shared between managed apps.

We are only interested in Android devices for the moment but we will see that we can also create policies for iOS devices.

Open Policy > Configuration Policies.

Click to Add a new configuration policy. Browse to the Software Section.

See our choices:

Managed Browser Policy for iOS or Android
Mobile Application Management Policy for iOS or Android.

We'll choose Mobile Application Management Policy for Android this time. Click to "Create a custom policy". Now see the available options. Note that I have chosen all default settings.

Give the policy a name. It makes sense to choose Yes for "Restrict web content to display in the Managed Browser" (when this setting is enabled, any links in the app will be opened in the Managed Browser).

See options for preventing data leakage.

Require a PIN for access to the containerised area.

I like to disable screenshots of the managed area (makes sense if you are securing data).

The Android Mobile Application Management Policy has been created. See that this policy cannot be deployed directly. It must be associated with the software that it will manage.

OK, now let's create the Managed Browser Policy.

Name the policy and configure the URLs that you want to secure. I only have one.

Policy has been created. See again that this policy must be associated with the software which it will manage.
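As an added illustration (not the blog's own code and not Intune's implementation), the following Python models the two policies this series configures: the Managed Browser Policy as a default-deny URL allow-list, and the MAM container rule that content may only be handed to a managed app that is actually installed, which is why the PDF would not open until the PDF Viewer was deployed. The allow-list entries, the "*." sub-domain wildcard, the scheme check and the app names are constructed assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list standing in for the URLs entered in the Managed
# Browser Policy. The "*." sub-domain wildcard and the scheme check are
# assumptions made for this illustration, not Intune's documented rules.
ALLOWED_URLS = ["https://contoso.sharepoint.com", "https://*.contoso.com"]

# Constructed mapping of content type -> the managed app that may open it.
MANAGED_HANDLERS = {"application/pdf": "Intune PDF Viewer",
                    "image/png": "Intune Image Viewer"}


def url_allowed(url, allowed=ALLOWED_URLS):
    """Default deny: reachable only if scheme and host match a configured
    entry. '*.contoso.com' matches sub-domains but not the bare apex."""
    target = urlsplit(url)
    for entry in allowed:
        rule = urlsplit(entry)
        if rule.scheme != target.scheme or not target.hostname:
            continue
        if rule.hostname.startswith("*."):
            if target.hostname.endswith(rule.hostname[1:]):
                return True
        elif rule.hostname == target.hostname:
            return True
    return False


class ManagedContainer:
    """Managed apps installed on one device plus the MAM Policy settings
    that govern the container (PIN, screenshots)."""

    def __init__(self, pin_required=True, screenshots_blocked=True):
        self.installed = set()
        self.pin_required = pin_required
        self.screenshots_blocked = screenshots_blocked

    def install(self, app):
        self.installed.add(app)

    def open_from_browser(self, url, content_type):
        """Content may leave the Managed Browser only for a managed app
        that is installed; an unlisted URL or a missing handler stays blocked."""
        if not url_allowed(url):
            return "blocked: URL not in Managed Browser Policy"
        app = MANAGED_HANDLERS.get(content_type)
        if app is None or app not in self.installed:
            return "blocked: no managed app installed for " + content_type
        return "opened in " + app
```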