Thursday, 29 September 2016

My second book

I am very pleased to be co-author for the latest book in the System Center Configuration Manager Unleashed series (published by Sams). The book is titled "System Center Configuration Manager Current Branch Unleashed".

The author list is:
  • Kerrie Meyler (MVP) (Co-author)
  • Greg Ramsey (MVP) (Co-author)
  • Kenneth van Surksum (MVP) (Co-author)
  • Michael Wiles (Dell) (Co-author)
  • Gerry Hampson (MVP) (Co-author)
  • Saud Al-Mishari (Microsoft) (Co-author)
  • Garth Jones (MVP) (Contributing author)
  • Byron Holt (MVP) (Contributing author)

The chapter list is as follows:
  1. Configuration Management Basics
  2. Configuration Manager Overview
  3. Looking Inside Configuration Manager
  4. Architecture Design Planning
  5. Network Design
  6. Installing System Center Configuration Manager
  7. Migrating to System Center Configuration Manager
  8. Using the Configuration Manager Console
  9. Client Management
  10. Managing Compliance
  11. Creating and Managing Applications and Deployment Types
  12. Creating and Managing Packages and Programs
  13. Distributing and Deploying Applications and Packages
  14. Managing Software Updates
  15. Integrating Intune Hybrid into Your Configuration Manager Environment
  16. Managing Mobile Devices
  17. Conditional Access
  18. Endpoint Protection
  19. Configuration Manager Queries
  20. Configuration Manager Reporting
  21. Operating System Deployment
  22. Security and Delegation in Configuration Manager
  23. Backup, Recovery, and Maintenance

Writing a book can be a very time-consuming process. However, I've submitted my four chapters ahead of schedule after several re-writes (Kerrie is a tough taskmaster). The chapters will then undergo technical and editorial reviews (probably more re-writes). The book is scheduled to be published in early 2017 and will be available on Amazon.

Currently it is available for pre-order.




Thursday, 1 September 2016

Real world tips for implementing mobile application management without enrollment

MAM without enrollment is a really cool way of protecting corporate data on BYOD devices. Some users simply do not want to enrol their devices in Intune so this gives us IT Pros an alternative management method.

MAM policies can be configured for apps in these scenarios:
  • On devices enrolled in Microsoft Intune: These devices are typically corporate-owned devices.
  • On devices enrolled in a third-party mobile device management (MDM) solution: These devices are typically corporate-owned devices.
  • On devices not enrolled in any mobile device management solution: These devices are typically employee-owned devices that are not managed or enrolled in Intune or other MDM solutions.

I will walk through the solution and offer some real-world tips along the way.

Tip #1: MAM policies should not be used in conjunction with third-party mobile app management or secure container solutions.

Administrator configuration

Configuration of this solution is carried out in the Azure Portal.


Select More Services.


Start to type Intune and select Intune.


The Intune mobile application management blade opens. Select App Policy.


Select Add a policy.


Give the policy a name and choose a platform. I'm choosing Android for now. Highlight Select Required Apps.


Choose the apps that you want to deploy a MAM policy to. Click Select to choose the apps.

Notice that only Microsoft apps are currently available. So how do I allow my users to securely open email attachments - PDFs for example?

Tip #2: No special considerations are required for iOS. Outlook for iOS has an in-app viewer built in.

Tip #3: The RMS Sharing App must be used for opening secure PDFs on Android devices.


Now highlight Configure required settings. There are a number of options to choose from. The default options are sufficient unless you specifically need to change a setting.


Tip #4: If you are familiar with Intune Mobile Application Management you will know that you must create a MAM policy and a Managed Browser policy. In MAM without enrolment they are integrated and there is no Managed Browser policy. There is one setting "Restrict web content to display in the Managed Browser".



Click OK to save your settings.


Click Create to create the policy.


Select App Policy again.


Highlight the policy that you have created.


Select User Groups.


Select Add Users Group to deploy the MAM policy.

User experience (Android)

Download and install the required apps from the Google Play store. Don't forget the RMS Sharing app as discussed above.


I got this error when I tried to open Outlook (now a protected MAM app).

"Before you can use your work account with this app, you must install the free Intune Company Portal app. Tap "Go to store" to continue".

Tip #5: You must install the Company Portal app on an Android device in order to use MAM without enrolment (even though you will not be enrolling the device). This is not the case with iOS.

Click Go to store and install the Company Portal app. No further action is required with this app.

Corporate data is now secured by MAM policy. Try it out.

I hope this information was useful. Until next time...