Friday, 31 July 2015

Multi-Identity in Microsoft Intune Managed Apps

EMS Landing page

Mobile Application Management with Microsoft Intune is a really cool technology and it is improving very rapidly as new apps are released and new features are added. I previously published a series of MAM blog posts and you can find them here:

Mobile Application Management with Microsoft Intune

I've just tested the latest new feature and it works really well. Multi-Identity with MAM apps was released in June 2015. Arianna Schwartz Moshary published a blog post on the Intune Team Blog introducing the feature. You can see that blog post here:

Multi-Identity and Mobile App Management with Microsoft Intune

This is an extract from that blog post:

"In June, we released an update to the Microsoft Intune mobile application management (MAM) capabilities for iOS and Android that enables coexistence of policy-managed (corporate) and unmanaged (personal) accounts in a single app – this new feature is known as multi-identity".

I really liked the sound of that. Currently quite a few Intune managed apps support this feature. They are listed in this TechNet library article:

For iOS: Word, Excel, PowerPoint, OneDrive, Outlook
For Android: Outlook

I couldn't resist trying it out so I deployed Outlook to a test Android device.


This is my Managed Application policy. Note that I am only allowing data transfer to other managed apps (e.g. cut and paste).


I installed Outlook and added two email accounts - corporate and personal. It may seem pretty obvious what the difference is between corporate and personal. However, in this case, corporate specifically refers to the email account that has the same username as the account that enrolled the device in Intune.


When we launch the managed app with the corporate account configured, Outlook calls on the Intune Company Portal (the broker) to verify the policy. See "Broker is processing".


Let's start with the personal email account. I can highlight some text and copy it to the clipboard...


...and I'm able to paste that text into an unmanaged app.

Now let's switch to the corporate email account (within the same app of course).


We have to enter a PIN as we are now entering the managed container.


Same action - I can highlight the text and copy it to the clipboard.


However, no matter how hard I try, I cannot paste the data into the unmanaged app.

This is seriously cool - multiple management possibilities within a managed app based on user identity.

Update (4th August 2015) - difference in behaviour between Outlook for Android and Outlook for iOS

My colleague @pvanderwoude has pointed out to me that the container behaviour is slightly different between these two apps. I've now verified this behaviour.

Android
If you install Outlook for Android and configure only a personal account, the app is not treated as a Managed App. You are not prompted for a PIN to enter the managed container. The app only seems to become managed when you configure the corporate email account. At that time you are prompted to enter the PIN.

iOS
Outlook for iOS is a managed app as soon as it is installed. You are prompted to enter a PIN even if no accounts are configured (personal or corporate).


Azure Cloud App Discovery Endpoint Agent setup failed with error 0x80070643


Cloud App Discovery is really cool and I've done a couple of previous blogs describing the solution.

How to use Cloud App Discovery

Azure Cloud App Discovery now generally available

However, I had a problem this morning installing the Endpoint Agent at a customer site. The installation failed on all test computers with error 0x80070643.


The log file was of no use.


The log contained only generic errors:

Could not create system restore point, error: 0x800704ec. Continuing…

Error 0x80070643: Failed to install MSI package.

Error 0x80070643: Failed to configure per-machine MSI package.

I found that this problem was caused by the Websense proxy. Those of you familiar with this product will know that it opens and analyses outbound HTTP and HTTPS traffic, which can give the receiving service the false impression that the packets were tampered with in transit. Microsoft services will always reject such packets.

There is a good explanation of this behaviour on the Websense web site.

The article describes the issue and lists the vendors affected - Microsoft, Citrix etc. The Microsoft Update URLs, for example, are whitelisted by default to avoid the problem. However, Azure services are NOT whitelisted by default. The Cloud App Discovery Endpoint Agent must be able to contact Azure during the installation.

Adding *.azure.com to the proxy whitelist solved the problem and the installations could continue.
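A small checker for this failure mode, added here as an example and not code from the post or from the Cloud App Discovery agent: it pulls the HRESULT-style codes out of the installer log, tests a hostname against a *.azure.com proxy bypass pattern, and flags a TLS session whose leaf certificate was issued by the organisation's own inspecting proxy CA rather than a public CA. The log text, the certificate dictionaries and the CA names are constructed placeholders (assumed), and the live fetch needs network access.

```python
import fnmatch
import re
import socket
import ssl

# Constructed sample modelled on the installer log lines quoted in the post.
SAMPLE_LOG = """\
Could not create system restore point, error: 0x800704ec. Continuing...
Error 0x80070643: Failed to install MSI package.
Error 0x80070643: Failed to configure per-machine MSI package.
"""

HRESULT_RE = re.compile(r"0x([0-9A-Fa-f]{8})")


def install_errors(log_text):
    """Return every 8-digit HRESULT-style code found in the log, in order, lowercased."""
    return [code.lower() for code in HRESULT_RE.findall(log_text)]


def is_whitelisted(host, patterns):
    """True if host matches one of the proxy bypass patterns, e.g. '*.azure.com'."""
    host = host.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns)


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Open a direct TLS session to host and return the leaf certificate dict (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_fields(cert):
    """Flatten the nested issuer tuple from ssl getpeercert() into a plain dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def looks_intercepted(cert, inspection_issuers):
    """True if the leaf was signed by one of the site's own inspecting proxy CAs
    (names the admin knows), i.e. the TLS session was re-signed in transit."""
    fields = issuer_fields(cert)
    names = {fields.get("organizationName", ""), fields.get("commonName", "")}
    return any(n in inspection_issuers for n in names if n)


# Constructed leaf certificates shaped like ssl getpeercert() output; the CA
# names are placeholders for whatever a real inspecting proxy or public CA uses.
CONSTRUCTED_INSPECTED_CERT = {
    "subject": ((("commonName", "example.azure.com"),),),
    "issuer": (
        (("organizationName", "Example Corp"),),
        (("commonName", "Example Corp Forward Proxy CA"),),
    ),
}
CONSTRUCTED_DIRECT_CERT = {
    "subject": ((("commonName", "example.azure.com"),),),
    "issuer": ((("organizationName", "Public CA Placeholder"),),),
}
```

If a host on the agent's path reports the proxy CA as issuer, that host belongs on the bypass list before the installer is retried.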


 

WMUG Event - Enterprise Client Management for the Modern World - 24th August 2015


My colleagues and I at Windows Management User Group will be hosting a full day of sessions at Microsoft, Cardinal Place, London on 24th August 2015. This event is free and there is an exciting schedule of sessions (listed below). We hope that you can join us.

I will present two sessions:
  • Getting Started with Enterprise Mobility Suite
  • Mobile Device Management with Microsoft Intune (Co-presenting with Rob Marshall)

The day is being sponsored by Secunia (www.secunia.com).

Please register for this free event here.




Wednesday, 22 July 2015

Deploying apps to Android devices with Intune - what you need to know


I've noticed a lot of confusion lately regarding app deployment to mobile devices with Microsoft Intune. There have been several threads on the TechNet forums and the My IT Forum mailing list about this. People are confused by the different behaviours of apps on the Android and iOS platforms. I decided to publish some posts describing the expected end user behaviour for the various scenarios.

This is the second of a pair of blog posts about app deployment to mobile devices. I hope you find them useful.

You can find the first post here.

Deploying apps to iOS devices with Intune - what you need to know


The table above shows the user experience for all app deployments to Android devices. You can find this information in the TechNet library:
End user app experience


There are some major differences between this experience and that of app deployment to iOS devices.
  • The end user experience for managed and unmanaged apps is the same
  • There is no “Company Apps” tile on the home page of the Intune Company Portal for Android
  • For Android, users must add the Intune Company Portal widget to the home screen

What is a widget?
  
Android widgets are mini apps that run on your Android Home screen. Your Android device comes with several by default, including a Home screen tips widget and a clock. The Intune Company Portal adds the Intune Company Portal widget when it is installed, but you must move it to the Home Screen - more about that later.

I've deployed the following to a test device:
 
#1 Managed/Deep-linked - Required (Excel for Android) - Expected behaviour: user will receive a notification that the app is required. The notification will stay until the user installs the app. The app will not be installed automatically.

#2 Managed/Deep-linked - Available (Word for Android) - Expected behaviour: app available in the Apps tab of the Company Portal.

#3 Unmanaged/Deep-linked - Required (OneNote for Android) - Expected behaviour: user will receive a notification that the app is required. The notification will stay until the user installs the app. The app will not be installed automatically.

#4 Unmanaged/Deep-linked - Available (Lync for Android) - Expected behaviour: app available in the Apps tab of the Company Portal.

#5 Web Link - Required (Intune Team Blog) - Expected behaviour: user receives a notification that the required web link has been installed. This link will be available in the Intune Company Portal widget on the Home Screen. The user must add the widget.

#6 Web Link - Available (ConfigMgr Team Blog) - Expected behaviour: link available in the Apps tab of the Company Portal. When the user installs the link it will be available in the Intune Company Portal widget on the Home Screen. The user must add the widget.

(I don't have an LOB app for testing.)

So let's have a look at the behaviour on the device.



Android notifications show that there are two required applications to be installed (Excel - managed, OneNote - unmanaged). They will not be installed automatically and require user intervention.

Also, see the notification that the required web link has been installed. Expected behaviour #1, #3 & #5.


Now open the Intune Company Portal. Word is available in the Apps tab. Expected behaviour #2.


Word actually appears as a "Featured App" as we selected that option while publishing the app to Intune.


Now select All Apps. We see Word again. We also see Lync (Unmanaged/Available) and the ConfigMgr Team Blog (Web Link/Available). Expected behaviour #2, #4 & #6.

So, now let's have a look at the Intune Company Portal widget (this is specific to Android).


Select Apps on the Home Screen.


Select the Widgets tab.


Locate the Company Portal widget. Press and hold the widget and move it to the Home Screen.


This is the Intune Company Portal widget on the Home Screen. It already contains the Intune Team Blog web link (Required). Expected behaviour #5.

When we install the available web link it will be seen here in the widget. Expected behaviour #6.

I hope these blog posts have been helpful to get a clear understanding of the end user experience of app deployment to iOS and Android devices via Intune.


 

Friday, 17 July 2015

Deploying apps to iOS devices with Intune - what you need to know


I've noticed a lot of confusion lately regarding app deployment to mobile devices with Microsoft Intune. There have been several threads on the TechNet forums and the My IT Forum mailing list about this. People are confused by the different behaviours of apps on the Android and iOS platforms. There is even confusion about the different types of apps when deployed to the iOS platform. Jason Sandys explained it very well on one of those threads:

"Microsoft has no control over this behavior. You must always remember that this is not the Windows OS that we’ve all grown up with in which we can do pretty much anything that we want to. These OSes are locked down and designed for consumer use".

This makes perfect sense. We apply a definite logic to desktop and server management and we want to standardise this management across the platforms. It's pretty straightforward in this case - we can implement a lot of the same features on Windows 7 and Windows 8, for example. We can do the same in the server world - Windows Server 2008 (R2) and Windows Server 2012 (R2) can be managed in much the same way. We can use the same System Center Configuration Manager client across all these operating systems. However, now consider Linux and Unix servers. Now we're introducing some variety and we cannot apply the same logic to the management of these devices. We need to install different Configuration Manager clients, and the management features that we can implement very much depend on what the platform allows us to do.

Let's now apply this thinking to mobile devices. The platforms are designed very differently by the respective vendors. We can't even install the same Intune Portal on all the devices. How then can we expect to be able to standardise management across the devices? It's simply not possible. Intune can only deliver what the vendors permit.

This is the first of a pair of blog posts about app deployment to mobile devices. I hope you find them useful.

  • Deploying apps to iOS devices with Intune - what you need to know.
  • Deploying apps to Android devices with Intune - what you need to know.

Four types of apps can be deployed to iOS devices via Intune.
  1. Internal line-of-business apps (IPA app packages - side-loaded apps)
  2. Managed App Store apps (Intune Managed apps)
  3. Unmanaged App Store apps (external deep-links to the App Store)
  4. Web Apps (URL bookmarks that appear on the home screen, called Web Clips on iOS)

As we know, apps can be deployed to iOS devices in two ways: Required or Available. The user experience for a deployed app depends not only on the deployment action but also on the app type.

Note that items 1 & 2 above (Internal line-of-business apps & Managed App Store apps) are also deemed to be Corporate Apps.


The table above shows the user experience for all scenarios. There is one odd situation (which caused some of the confusion that I described earlier). Currently, end users cannot install corporate apps (types 1 & 2 above) from the Intune Company Portal app for iOS. This is due to restrictions placed on apps that are published in the iOS App Store. I've previously read this excellent description of the situation:

"Due to the Apple App Store submission guidelines, line-of-business apps deployed through Windows Intune cannot be viewed from the Intune Company Portal app for iOS. When these types of apps are deployed as an optional install, they are only visible from the Mobile Web Portal (MWP) on an iOS device".

You can see all this information in this ConfigMgr Team Blog:

Tutorial: Deploy a web clip on iOS devices that links to the Mobile Web Portal

Also:

"Currently, end users cannot install corporate apps from the Intune Company Portal app for iOS. This is due to restrictions placed on apps that are published in the iOS App Store (see App Store Review Guidelines). Users can access corporate apps (including managed App Store apps and line-of-business app packages) by launching the Company Portal app on their device and tapping the Company Apps tile, which will open the browser and redirect them to the Intune Web Portal".
 
You can find this information in the TechNet library.


On 29th June 2015 Microsoft announced the release of an update (version 2.1.0) to the Intune Company Portal for iOS. Read the full release here:

http://blogs.technet.com/b/microsoftintune/archive/2015/06/29/improved-app-catalog-experience-on-ios-for-microsoft-intune-company-portal-users.aspx

Two enhancements are referenced:

  • Improved app catalog experience for discovering and installing company apps
  • Bug fixes to improve security

What is the first of these enhancements about?
 

There is a brand new “Company Apps” tile on the home page of the Intune Company Portal. Users can now easily access corporate apps by tapping the “Company Apps” tile which will launch the Safari browser and automatically navigate to the Apps browse page of the Company Portal website (portal.manage.microsoft.com). On this page, end-users can view all of the apps available for install on their enrolled iOS device, including line-of-business apps and managed apps from the App Store (such as Microsoft Word and Microsoft OneDrive). Users now do not have to re-authenticate when the Company Portal website is launched in Safari.

So what is the user experience?

I've deployed the following to a test device.

#1: Web App - Required (Gerry Hampson Blog) - Expected behaviour: app should be on the home screen.

#2: Web App - Available (Microsoft Intune Team Blog) - Expected behaviour: app should be seen in the Company and Web Portals.

#3: Unmanaged App - Available (Skype) - Expected behaviour: app should be seen in the Company and Web Portals.

#4: Managed App - Available (Excel) - Expected behaviour: app should be seen only in the Web Portal.

#5: Managed App - Required (Word) - Expected behaviour: app should be installed on the device and also seen in the Web Portal.

(I don't have an LOB app for testing.)

Note that you cannot deploy an Unmanaged App as "Required".

So let's have a look at the behaviour on the device.

 

See a shortcut for my blog on the Home Screen, accompanied by a very nice logo - perfect. Expected behaviour #1.


Now launch the Intune Company Portal. See the Web App (Intune Team Blog) and Unmanaged App (Skype) available. Expected behaviour #2 & #3.



Now click on Company Apps to open the Intune Web Portal. There is no requirement for further authentication. See all the Apps that have been deployed as "Available" plus the Managed App that has been deployed as "Required". Expected behaviour #2, #3, #4 and #5.


Here comes the Required Managed App. Click to Install.


You have to sign in to the App Store with your Apple ID.


The App is installed. Expected behaviour #5.

Next time I'll be looking at deploying apps to Android devices with Intune.


Edit: you can find the second blog post here:

Deploying apps to Android devices with Intune - what you need to know




Monday, 6 July 2015

Microsoft Intune - Custom User Terms & Conditions


This is an extract from the Microsoft TechNet Library document "Enable mobile device enrollment with the Microsoft Intune Account Portal":

About Terms and Conditions

You can publish terms and conditions that your users will see when they first use the company portal from any device, whether or not that device is already enrolled. Users will have to accept those terms to access the portal. When you update the terms and conditions significantly and want users to see and accept them, you can mark the new terms and conditions as a new version, and users will go through the same process the next time they visit the portal.

Terms and conditions apply to users, not to devices, so users will only have to accept each version once to visit the company portal from any of their devices.
 

Terms and conditions reports

Terms and Conditions reports show which users accepted your terms and conditions, the most recent version number they accepted, and the date they accepted that version. Export the report to keep an archive of when users accepted previous versions.


So let's see that in action. 


Navigate to Admin > Company Portal > Terms and Conditions. 

Check the box to "Require users to accept company terms and conditions before using the Company Portal".

Enter the following information:
  • Title
  • Text for terms
  • Text to explain what it means if the user accepts

Also, see the options you have if you make changes to the terms:
  • Increase the version to require all users to accept the updated terms
  • Keep the current version - only new users are required to accept the terms

Save the policy. Note that this is "all or nothing": you cannot choose which users are required to accept the terms. Now let's see what happens when we enrol a device.


The Terms and Conditions are displayed directly after the user authenticates. Select to read the terms.


These are the terms (with my deliberate typo). What happens if I decline?


I'm not allowed to decline. I accept the terms...


...and the device is enrolled.


Navigate to "Terms and Conditions Reports". Choose "View Report".


I can see that Gerry has accepted the terms - good man.


Note that changes will be made to this feature during the August scheduled maintenance. We have already been alerted about this upcoming event.



Wednesday, 1 July 2015

Microsoft MVP

I got a lovely surprise from Microsoft today as I was awarded MVP in Enterprise Client Management. I'd really like to thank everyone that has supported me and I hope that this will continue. There are a few people I have to thank for helping me to get to this point and I'll be doing so privately over the next few days. Thanks again.

Gerry


Edit 13th July

A great gift arrived in the post today.