Thursday, 30 April 2015

Microsoft Azure App Access Panel

EMS Landing page

Microsoft Azure App Access Panel is pretty cool. I really like this technology. It is estimated that 25% of all software will be delivered as SaaS (Software as a Service) by 2020 (Forrester Application Adoption Trends: The Rise Of SaaS). Our users will continue to use Cloud Apps and the number will rise sharply. I previously blogged about the Azure Cloud App Discovery Tool. It's currently in Preview and involves installing an Endpoint Agent on user computers. Cloud App information is gathered and collated in a dashboard view by the Discovery Tool. See that blog here

So, as IT Professionals, what do we do with this information? We can use it to decide which Cloud Apps we will manage and deliver back to our users with this SaaS model. We will utilise Azure Active Directory to facilitate a single sign-on experience to these apps. Let's face it - each of us has multiple cloud identities to manage, so this is a cracking idea.

So how does it work? We will start in the Azure Portal. Launch the Portal and navigate to your Active Directory. Let's see how easy this is.

Open the Active Directory - "Users" is the default view. Click on the "Applications" tab.

See that we do not have any Application yet. Click to "Add an Application".

You are presented with three choices:
  • Add an application my organization is developing - Microsoft will work closely with you to ensure that you can make your own applications available in the gallery.
  • Add an application from the gallery - 2477 applications have already been added to the gallery and are available for use. This will be our choice in this demo.
  • Publish an application that will be accessible from outside your network - use Azure AD Proxy to publish an on-premise application externally.
Choose "Add an application from the gallery".

See that there are 2477 featured applications in the gallery. I'm just going to use 5 for my demo. Let's start with Twitter - you can use the search function.

Select Twitter and "click the tick" to continue.

Select "Assign Users".

For the purposes of the demo I will assign the app to users. However, in production you would assign apps to groups of users. This feature is only available in Azure Active Directory Premium. Select your users and "Assign".

See that you can enter the app credentials on behalf of the user. This is very useful for shared accounts so that the credentials can be protected. "Click the tick" to continue.

I have now added my 5 applications and assigned them to users. What next? 

Your user should navigate to

and log in with their Active Directory credentials (remember they are synced with the Azure AD).......

...... and here we are. Say hello to the Microsoft Azure App Access Panel. See all the applications that have been assigned to this user. Note that Azure Active Directory Premium is required to assign more than 10 applications. Also it enables you to use corporate branding in the Panel.

Launch one of the applications. You will have to log in to each application for the first time only. Also you will be prompted to install the Access Panel Extensions once.

Select Install.

The Access Panel Extension wizard launches. Click Next to continue and install.

You now have to log in to the application for the first and only time.

Repeat this for each app (log in and enter credentials, no need to install the extensions again).
Now each time you open the Access Panel you can launch your apps without any further authentication.

Very cool and what a time saver.....

Remember that you need Azure AD premium licenses to make this technology work well for you. This is included in the Enterprise Mobility Suite.

Microsoft Intune Console - an unexpected error has occurred


I had this error today while opening the Microsoft Intune Console. 

"An unexpected error has occurred.
Microsoft Intune experienced an unexpected error. If this error occurs frequently, save the error log on your local computer to help you troubleshooting problems." 

This error occurred as Silverlight was initialising (circling dots in the browser). 

I also knew that the problem wasn't browser specific (I tried Chrome & Firefox also). It was pretty clear to me that this was a Silverlight problem but I still wanted to do a little investigation. I followed the advice and saved the log file. There was a line at the end that confirmed my suspicion.  

"Fatal Silverlight InitializeError:\n2105 An error has occurred" 

As I thought, reinstalling Silverlight solved the problem.

Monday, 20 April 2015

Microsoft Intune Mobile Application Management now a complete solution


This is another bumper month of new releases for Microsoft Intune. Some Apps have been released already and a long list of Intune features will be released this week. You can find the full list on the Microsoft Intune blog. 

For me the most exciting news is the release of the Intune Managed Browser App for iOS devices. This has been pending approval in the Apple Store for several months and has been eagerly anticipated. I believe that this now completes the Intune Mobile Application Management solution for Android and iOS (although I'm sure that many further enhancements will be made in the future).

Currently the following Managed Apps are available for the Android and iOS platforms. These Apps operate in a "container" on the device to prevent corporate data leakage. You can create policies so that data can only be shared between Managed Apps.


Intune Managed Browser App for Android
Intune Managed PDF Viewer
Intune Managed AV Player 
Intune Managed Image Viewer
Intune Company Portal for Android
Office Mobile for Android Phone
Microsoft Word for Android Tablet
Microsoft Excel for Android Tablet
Microsoft PowerPoint for Android Tablet

Microsoft OneDrive for Android 

Additional Apps for Android (Not Managed)

Microsoft Outlook Preview for Android
Microsoft Lync for Android 
Microsoft OWA for Android (Pre-Release)
Microsoft OneNote for Android

Intune Managed Browser for iOS
Intune Company Portal for iOS 
Microsoft Word for iOS 
Microsoft Excel for iOS 
Microsoft PowerPoint for iOS 
Microsoft OneNote for iPad

Additional Apps for iOS (Not Managed) 

Microsoft Outlook for iOS

Outlook for iOS is soon to be a managed app. See EMS blog:
Ignite: Microsoft’s next chapter in Enterprise Mobility

Have a look at some of my previous blogs where I described how to implement a Mobile Application Management solution for Android

Mobile Application Management with Microsoft Intune 
Create Policies  
Add and deploy Intune Managed Browser 
Add and deploy PDF Viewer  
Install Managed Apps and test MAM functionality

Thursday, 16 April 2015

Corporate Device Enrollment of iOS devices in Microsoft Intune


Corporate Device Enrollment is an Intune feature that I've wanted to investigate for quite some time. Have a look in the Intune Console and you will see Policy > Corporate Device Enrollment. What is this all about?

I recently carried out some research and testing of the feature and I've documented what I learned in this blog. I made a few mistakes on the way (one more serious than the others) but we'll get to that. Note that you can read all about Corporate Device Enrollment on TechNet Library

Enroll corporate-owned iOS devices in Microsoft Intune

This is an extract from that document.

Intune supports the enrollment of corporate-owned iOS devices using the Apple Device Enrollment Program (DEP) or the Apple Configurator tool running on a Mac computer. Devices enrolled through DEP cannot be un-enrolled by users.

You can enroll corporate-enrolled iOS devices in two ways:

  • Setup Assistant Enrollment – Factory resets the device and prepares it for setup by the device’s new user. This method supports DEP or Apple Configurator enrollments.
  • Direct Enrollment – Creates an Apple Configurator-compliant file for use during device preparation. The enrolled device isn’t factory reset but has no user affiliation. This method cannot be used for DEP enrollment.
So what is the Apple Device Enrollment Program (DEP)? It provides a fast, streamlined way to deploy your corporate-owned Mac or iOS devices, whether purchased directly from Apple or through participating Apple Authorized Resellers. It is available only in the following countries and you must register directly with Apple to participate in the program:
Australia, Belgium, Canada, Denmark, Finland, France, Germany, Greece, Hong Kong, Ireland, Italy, Japan, Luxembourg, Mexico, Netherlands, New Zealand, Norway, Singapore, Spain, Sweden, Switzerland, Taiwan, Turkey, United Arab Emirates, United Kingdom, and United States.

DEP was not available to me so I decided on the Apple Configurator method with Direct Enrollment. Did I tell you that I was testing with my wife's iPhone?

Features of Apple Configurator

The process is very simple and takes only a few steps:

  1. Create Intune Device Enrollment Profile
  2. Export the Profile 
  3. Copy the Profile to the management computer and install the Apple Configurator
  4. Prepare the iOS device

1. Create Intune Device Enrollment Profile

First create an empty Group.

We can apply compliance policies to this Group and will use it when configuring the Profile.

Navigate to Policy > Corporate Device Enrollment / click to Add a Profile.

Enter a name for the Profile and select the Group created earlier.

Save the Profile.

2. Export the Profile

The Profile has now been created. Click Export.

This was my first mistake. I had forgotten to configure Intune with an Apple APN Certificate.

That was easy to solve. I downloaded an APN Certificate Request and subsequently uploaded the APN (you can read about this process here). Then I tried the export again.

Better success this time. See the section for "Setup Assistant enrollment". We're not interested in this at this time. Click to "Download Profile" in the Direct Enrollment section.

This is the Intune profile ready to be used in the Apple Configurator.

3. Copy the Profile to the management computer and install the Apple Configurator

This is the Apple Mac that I borrowed for my testing. I had to upgrade to Yosemite 10.10.3 in order to support the Apple Configurator.

I copied the Intune Profile to the Mac and then it was time to install the Apple Configurator.

Apple Configurator is available from the Apple Store.


4. Prepare the iOS device

The Wrong Way (for me)

Great. I had done a lot and was ready to "Prepare my iOS device". Did I tell you that I was testing with my wife's iPhone? Unfortunately I chose the wrong option for me.

I saw "Supervision" and thought - yes, that's what I need. I also imported the previously created Intune profile and started to prepare the device.........

......and performed a Factory Reset on my wife's iPhone. OUCH. She wasn't very happy and wouldn't let me use it again after that (I don't know why, I tried to explain that the damage was already done).

To make matters worse the process didn't even work and the Intune profile was not installed. The device was never enrolled - more on that later.

The Right Way (for me)

OK. So I got myself organised with a new test device (or rather an old iPhone with a broken screen - hence the quality of some of the pictures below).

I carried out the process differently this time and it was really simple. 

I entered a device name and chose to number sequentially. I did NOT choose supervision.

Configured some Organization details.

Now I was ready to add a Profile - "Install Profiles".

I was asked to connect my iPhone via USB. See the blue symbol above Prepare.

My device was detected - see the blue "1" above Prepare > Next.

I chose my Management Profile. I only had one - the Intune Profile.......

.....and I was off.

I was prompted immediately on the iPhone to install the Management Profile. I did.

The Profile installed and verified. Looked pretty good.

Almost immediately (less than a minute) the device could be seen in the Intune console......

.....and it was in the required Group to get its compliance policy.

The Right Way to do the Wrong Way (if that makes sense)

My original approach would have been perfectly valid if I hadn't been using a device that was already in use and held personal data. For a new device it's perfectly OK, and sometimes preferred, to perform a Factory Reset. However, we want to be able to install the Intune Profile in the same operation so that the device can be enrolled immediately. I found that my problem occurred because the Factory Reset removed the wireless settings, and an Internet connection is required to activate the device.

This is solved by adding a second profile to the Apple Configurator which configured the wireless networking on the device during the installation.

This blog post pointed me in the right direction.


The combination of the Apple Configurator and the Intune Management Profile produces a very slick process. The device can be configured in a few minutes. It's really great for bulk enrollment of iOS devices. 30 devices can be prepared simultaneously.

The following points should be noted:

  • This process is only for iOS devices.
  • An Apple Mac management device is required.
  • Operating System must be Yosemite 10.10.3 to support the Apple Configurator.
  • The process simply enrols the device (by deploying a management profile) so that it can be managed and receive policies.
  • Intune Company Portal is not installed as part of the process. If you wish to deploy apps to users this must be done separately.
  • An Intune enrollment profile file is only valid for 2 weeks (I don't quite understand the point of that).
  • A SIM card has to be installed in the device so that it can be automatically activated.
  • Only choose "Supervision" if you want to perform a Factory Reset of the device.
  • If you do want to perform a Factory Reset and enrol the device you must add a wireless profile to the Apple Configurator.


Thursday, 9 April 2015

Device Enrollment Managers in Microsoft Intune


The Device Enrollment Manager is a really useful concept in Microsoft Intune. You can see full details in the TechNet Library

Enroll corporate-owned devices with the Device Enrollment Manager in Microsoft Intune 

So, what is it all about? 

Essentially the Device Enrollment Manager is a special Intune account that has permission to enroll more than five devices.

When would I use this feature?

You could have a situation whereby a manager has to enroll many mobile devices for his/her team to provide access to certain applications. If there is no requirement for the users to actually log on to the Intune Company Portal then this is the perfect situation for using Device Enrollment Manager.

What can the Device Enrollment Manager do?
  • Enroll devices in Intune (more than the standard 5)
  • Log on to company portal to get company apps
  • Install and uninstall software
  • Configure access to company data

Are there any other considerations?
  • The Device Enrollment Manager user cannot be an Intune administrator
  • Only users that already exist in the Intune console can be Device Enrollment Managers.
  • Device Enrollment Managers cannot reset the device from the company portal.

How do I configure this?

In the Intune console navigate to Administration > Administrator Management > Device Enrollment Managers 

Select to Add

Enter the User ID (note that this user must already exist in the console).

The Device Enrollment Manager has been created and can now mass enroll devices (as normal - there is no special procedure).

Monday, 6 April 2015

Microsoft Intune - restrict the number of devices a user can enroll


March was another great month for updates to Microsoft Intune. See the Team Blog for full details.
  • Ability to streamline the enrollment of iOS devices purchased directly from Apple or an authorized reseller with the Device Enrollment Program (DEP) 
  • Ability to restrict access to SharePoint Online and OneDrive for Business based upon device enrollment and compliance policies 
  • Management of OneDrive apps for iOS and Android devices
  • Ability to deploy .appx files to Windows Phone 8.1 devices
  • Ability to restrict the number of devices a user can enroll in Intune
Check out the last item on that list. This was a feature that I and several of my customers have been waiting for. Previously the only limit that was imposed was that a user could enroll 5 devices. This was more a licensing limitation than something an administrator could control. Now we can control this. Let's see what it looks like.

In the Intune Portal navigate to Administration > Mobile Device Management > Enrollment Rules.

5 is the default Device Cap (defined by licensing). See that we can now choose any number we like under 5.

I want to see what the client behaviour will be like so I will choose a Device Cap of 1 for the moment.

See Tom has already enrolled a device. He shouldn't be allowed to enroll another.

OK. Let's get Tom to try to enroll another device (an Android tablet).

As expected he can't. See that he can "Email diagnostic information to the IT Admin". Let's check that box and see what happens.

Log files are created and can be emailed to your IT contact (I've sent this email using web mail).

See that the log files have been delivered.

The CompanyPortal.log file has a lot of errors and information for the IT Admin.

See the OMADMLog.log file. It tells us that a "device admin request" has been declined for that user.

OK. Let's get back to Tom. He can't enroll his device so we better raise the Device Cap again. We'll leave it at the default 5.

Tom tries to enroll his second device..........

...... and he is successful this time.