Thursday, 6 October 2016

Use REST APIs to access Microsoft Intune data

Microsoft recently published information on using REST API calls to communicate with Intune to retrieve management data. This is really cool. It uses Microsoft Graph which exposes multiple API’s from Microsoft cloud services. The data retrieved can be very useful in troubleshooting.

So how do we get started?

Navigate to Graph Explorer

See the Graph Explorer interface. Click Sign in to access the Intune service. A new page opens and you are prompted to log in.

You are then warned that the API Explorer needs permission to the following (it's a lot but remember this is also for Office 365, not just Intune):

  • Sign you in and read your profile  
  • Read and write access to your mail   
  • Read directory data  
  • Access the directory as you  
  • Read your files  
  • View your basic profile  
  • Read and write selected files  
  • Have full access to your calendars   
  • Read and write all users' full profiles  
  • Read items in all site collections  
  • Create, read, update and delete your tasks and projects (preview)  
  • View your OneNote notebooks (preview)  
  • Sign in as you  
  • Read your calendars   
  • Read and write all groups  
  • Read selected files  
  • Read your mail   
  • Have full access to your files  
  • Read all groups  
  • View and modify your OneNote notebooks (preview)  
  • View your email address  
  • View and modify OneNote notebooks that you can access (preview)  
  • Access your data anytime  
  • Have full access to the application's folder  
  • Read and write to your mailbox settings (preview)  
  • Have full access to all files you have access to  
  • Read identity risk event information  
  • Create pages in your OneNote notebooks (preview)  
  • Read all users' full profiles  
  • Read all users' basic profiles  
  • Read and update your profile  
  • Read your relevant people list (preview)  
  • Read and write directory data  
  • Have full access of your contacts   
  • Read all files that you have access to  
  • View OneNote notebooks that you can access (preview)  
  • Sign you in and read your profile  
  • Send mail as you   
  • Limited access to your OneNote notebooks for this app (preview)  
  • Read your tasks  
  • Read your contacts
You have to accept this to continue.....

....and now you're ready to query for information.

So how does it work?

The interface uses GET and POST REST APIs to communicate with the service backend to retrieve data for various items. The commands are URLs but they won’t work in a browser, you must use them in the Graph Explorer URL bar.

So what kind of information can we get?

Here are some examples:

1. Get data relating to all devices for a specific user (replace the user UPN in the URL)

In my case the URL is:

See the output for a specific device. Useful troubleshooting information is returned.

"approximateLastSignInDateTime": "2016-04-25T12:25:58Z",
"deviceId": "85a9e8e4-21cb-45cc-87f5-8c2056a3c18e",
"deviceMetadata": null,
"deviceVersion": 2,
"displayName": "gerry_Android_4/25/2016_12:26 PM",
"isCompliant": false,
"isManaged": true,
"onPremisesLastSyncDateTime": null,
"onPremisesSyncEnabled": null,
"operatingSystem": "Android",
"operatingSystemVersion": "4.4.2",
"physicalIds": [],
"trustType": "Workplace"

2. Get data for a specific user

In my case the URL is:

See the output for a specific user

"@odata.context": "$metadata#users/$entity",
"id": "c5ab8188-7124-4a97-bdfe-66bda5f634a0",
"businessPhones": [],
"displayName": "Gerry",
"givenName": "Gerry",
"jobTitle": null,
"mail": "",
"mobilePhone": null,
"officeLocation": null,
"preferredLanguage": null,
"surname": null,
"userPrincipalName": ""

See the full Microsoft article here

I hope this is useful. Until next time.....

Wednesday, 5 October 2016

Improvements in app blacklisting with Intune

The August update of the Intune service has introduced major improvements in mobile app management. Previously you could create app blacklists but these policies would only block apps on Windows devices. They would not prevent the installation or use of apps on Android or iOS devices. For these devices you could only report non-compliance if a blacklisted app was installed.

So what are these improvements?

We can now create custom policies to allow and block apps for Samsung KNOX enabled Android devices.

  • Once an app is blocked, it cannot be activated or run on the device, even if it is already installed.
  • Specifying which apps are allowed designates which apps can be installed from the Google Play store. When a list of allowed apps is defined, no other apps can be installed from the store.
On iOS 9.3 and later (supervised devices only) we can add a list of hidden and shown apps to the iOS general configuration policy.
  • Apps that are specified as hidden can’t be viewed or launched by users.
  • When you specify a list of apps to be shown, no other apps can be viewed or launched.

Let's have a look at the custom Android policy and then we'll see the behaviour on a device.

In the Microsoft Intune administration console, choose Policy > Configuration Policies > Add.

In the Create a New Policy dialog box, expand Android, choose Custom Configuration, and then choose Create Policy.

Provide a name and optional description for the policy and then, in the OMA-URI Settings section, choose Add.

We want to specify the allowed apps so that all other apps will be blocked.

Note: You can find the package ID of an app by browsing to the app on the Google Play store. The package ID is contained in the URL of the app's page.

For example, the package ID of the Microsoft Word app is as the URL is

The package ID of the Adobe Reader app is com.adobe.reader as the URL is

In the Add or Edit OMA-URI Setting dialog box, specify the following:

  • Setting name - Enter AllowInstallPackages.
  • Setting description - List of apps that users can install from Google Play.
  • Data type - String.
  • OMA-URI - ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/AllowInstallPackages
  • Value - List of the Package IDs you want to allow. Use ; : , as delimiter. (Example: packageID1,packageID2). In my case this is com.adobe.reader,

Click OK.

Save Policy.

In the Policy workspace, select the policy and click Manage Deployment.
In the Manage Deployment dialog box, select one or more groups to which you want to deploy the policy, then click Add > OK.

User experience

So what happens on the device. I'm using an Android device with Samsung Knox enabled (Samsung Galaxy S4 phone).
I've tried to install an app that isn't on the allowed list.

I can't install the app and get the notification that "Security policy prevents installation of this application".

Then I tried to install Adobe Reader which is on the allowed list.

No problem.

This is very straightforward to configure and works instantly.

It's worth mentioning the supported devices again.
  • Samsung Knox enabled Android devices (must be Samsung Knox - I was unable to get this working on an Android without Samsung Knox) 
  • Supervised iOS devices 9.3 and later (supervised mode can be enabled on iOS devices using the Apple Device Enrolment Program or the Apple Configurator Tool) 

I hope this was useful. Until next time.......