SCCM Dynamic Collection Query Update Known Issue

Let’s discuss the SCCM Dynamic Collection Query Update Known Issue. An SCCM/ConfigMgr dynamic collection query can be evil in some scenarios, and it is easy to make mistakes while editing an existing dynamic query.

It’s better with device-based dynamic collections in the SCCM CB environment, as the console gives a warning pop-up (as seen in the video below). Still, the experience is not as good for user-based dynamic collections.

I have created a quick video to demonstrate this issue here. I have asked Kannan C S to share his experience on this topic. He is a Sr. Infra Architect with several years of SCCM and System Center experience. I will let Kannan C S explain his experience in detail.

I’m Kannan C S, and I work as a Sr. Infra Architect at a leading IT company. I have 15 years of IT experience. I have worked with Configuration Manager [Designing, Implementation, Migration, and Support], System Center Orchestrator [Designing and Implementation], and Windows Server support. You can refer to my blog here.

Related Post – SCCM Dynamic Collection – Part 2 | WQL Query | ConfigMgr | Create HTMD Blog (anoopcnair.com)

SCCM CB 1702 Dynamic Collection Query Update is or can be Evil?

The video details the SCCM CB 1702 Dynamic Collection Query Update and explores whether it can have negative consequences. It discusses the potential risks and issues associated with using dynamic queries in this version of SCCM, helping you understand how to manage and mitigate any problems effectively.

SCCM Dynamic Collection Query Update Known Issue – Video 1

SCCM Dynamic Collection Query Update Known Issue

I have seen the dynamic collection query update issue in different organizations, mainly with L1 and L2 teams where real SCCM expertise is lacking. I have already created a User Voice item. Please vote it up: User Voice – Collection Query.

SCCM Dynamic Collection Query Update Known Issue - Fig.1

Known Issue?

I have looked at this issue/design from SMS 2003 through SCCM 2012 (and even SCCM CB). I am unsure whether there is any purpose behind the default collection query, select * from sms_r_system / select * from sms_R_User. Suppose a user has created a query-based device or user collection and later needs to modify the query: to do so, they remove the entire existing query and click OK.

  • If the user clicks OK with the query removed, the default query select * from sms_r_system / select * from sms_R_User is applied automatically.
  • The collection will then target all systems, with “All Systems”/“All Users” as the limiting collection.
  • This is a serious issue in most companies, where deployments are performed by L1 or L2 engineers.
  • It is not documented on MS TechNet or the blogs. I strongly recommend adding some mechanism to prevent this kind of change in upcoming releases.
  • Screenshots of the impact are provided below. To modify the collection query, click Edit.
Membership Rule Name    Type     Collection ID
Install                 Query    Not Applicable
SCCM Dynamic Collection Query Update Known Issue – Table 1
SCCM Dynamic Collection Query Update Known Issue - Fig.2

Click Edit Query Statement. SCCM uses the Windows Management Instrumentation (WMI) Query Language (WQL) to query the site database. The screenshot below shows the Edit query statement.

SCCM Dynamic Collection Query Update Known Issue - Fig.3

The window below shows the General tab of the Query Statement Properties for the “Oracle database 12c” collection used in this example. Click Show Query Language.

SCCM Dynamic Collection Query Update Known Issue - Fig.4

Select the entire query in the Query Statement dialog box and click Delete.

SCCM Dynamic Collection Query Update Known Issue - Fig.5

The Query Statement Properties window for the “Oracle database 12c” collection now shows an empty query statement section. Click OK in this window.

SCCM Dynamic Collection Query Update Known Issue - Fig.6

By default, the query reverts to select * from SMS_R_System / select * from sms_R_User. From that point on, any deployment targeted to this specific collection is effectively mapped to all devices, including workstations and servers.

SCCM Dynamic Collection Query Update Known Issue - Fig.7
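Kannan’s walkthrough ends with the default query silently replacing the intended one. The PowerShell script below is an added example, not code from the original post: it audits every custom query-based collection for that default query and reports the limiting collection and the number of deployments targeted at it, so an administrator can catch the problem before a deployment goes to every device. It assumes the ConfigMgr console PowerShell module is installed on the machine where it runs and uses the placeholder site code PS1.

```powershell
# Added audit script (not from the original post). Flags query-based collections whose
# membership rule has reverted to the default "select * from SMS_R_System" or
# "select * from SMS_R_User" query, which is the outcome of the known issue above.
# Assumes the ConfigMgr console (and its ConfigurationManager.psd1 module) is installed
# and that $SiteCode is your site code; "PS1" is a placeholder.
param(
    [string]$SiteCode = 'PS1'   # placeholder site code, replace with your own
)

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop
Set-Location "$($SiteCode):"

# Normalise a WQL expression so whitespace and case differences do not hide a match
function Get-NormalizedWql([string]$Query) {
    return (($Query -replace '\s+', ' ').Trim()).ToLowerInvariant()
}

$DefaultQueries = @(
    'select * from sms_r_system',
    'select * from sms_r_user'
)

# Built-in collections (IDs starting with SMS, e.g. All Systems) legitimately use the
# default query, so only custom collections are audited.
$CustomCollections = Get-CMCollection | Where-Object { $_.CollectionID -notlike 'SMS*' }

$Findings = foreach ($Collection in $CustomCollections) {
    # CollectionType 1 = user collection, 2 = device collection
    $Rules = if ($Collection.CollectionType -eq 2) {
        Get-CMDeviceCollectionQueryMembershipRule -CollectionId $Collection.CollectionID
    } else {
        Get-CMUserCollectionQueryMembershipRule -CollectionId $Collection.CollectionID
    }

    foreach ($Rule in $Rules) {
        $Wql = Get-NormalizedWql $Rule.QueryExpression
        if ($DefaultQueries -contains $Wql) {
            # A default query matters most when the limiting collection is broad and
            # deployments already target the collection; report both for triage.
            $Deployments = @(Get-CMDeployment -CollectionName $Collection.Name)
            [pscustomobject]@{
                CollectionID       = $Collection.CollectionID
                CollectionName     = $Collection.Name
                RuleName           = $Rule.RuleName
                Query              = $Rule.QueryExpression
                LimitingCollection = $Collection.LimitToCollectionName
                DeploymentCount    = $Deployments.Count
            }
        }
    }
}

# Collections with live deployments on a reset query are the most urgent, so list them first
$Findings | Sort-Object DeploymentCount -Descending | Format-Table -AutoSize
```

Run it from a console-installed machine with rights to read collections and deployments; an empty result means no custom collection has fallen back to the default query.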

Resources

SCCM Dynamic Collection – Part 2 | WQL Query | ConfigMgr | Create HTMD Blog (anoopcnair.com)

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

Intune Android Device Support for Google Android for Work Enrollment

Let’s discuss Intune Android Device Support for Google Android for Work Enrollment. Google has a list of supported devices with its Android for Work program. But does Google’s list contain all supported devices?

I don’t think the list is exhaustive and covers all the supported devices. I have tested 2 devices not listed as Android for Work-supported devices, and surprisingly, both devices can enrol in Intune via the Android for Work program.

The article Intune Android Device Support for Google Android for Work Enrollment shows you how to configure the Android Enterprise platform for use with Intune Device Management. We will walk through the steps to set up Intune Enrollment for Android Enterprise Device Management, enabling you to manage corporate-owned devices efficiently with Microsoft Intune.

In this post, you will find all the details about Intune Android Device support for Google Android for Work enrollment. We’ll cover everything you need to know to get started and manage your Android devices effectively using Intune.

Intune Enrollment via Android for Work with Cheap and Affordable Devices

In this video, you will learn all the details about Intune enrollment through Android for Work using cheap and affordable devices. We’ll guide you on how to set up and manage these devices efficiently with Intune.

Intune Android Device Support for Google Android for Work Enrollment – Video 1

Video Tutorials for Android for Work Management via Intune

I tried Samsung Galaxy J7 and LetV Android devices. These devices are not very costly; each costs less than 150 USD. Organizations always struggle to find cost-effective and affordable Android for Work devices from Google’s new list.

After testing two fundamental Android devices, I found that we need to perform trial and error to understand whether the low-cost Android devices support Android for Work.

Android for Work management via Intune
Enterprise Devices    Affordable work Devices    Featured Device
Intune Android Device Support for Google Android for Work Enrollment – Table 1
Intune Android Device Support for Google Android for Work Enrollment - Fig.1

Android – Intune Android Device Support for Google Android for Work Enrollment

Google recently rebranded, and the name Android for Work has changed to just “Android” management. Google announced that it is simplifying the names Android for Work and Play for Work, calling them simply Android and Google Play.

According to Google, there are 3 categories of Android devices. The new list also does not cover Samsung S7 and LetV devices.

  1. Enterprise Devices – Premium productivity devices
  2. Affordable work devices – Cost-effective devices ready for work
  3. Featured devices

I successfully enrolled low-cost (cheap) Android devices with Android for Work. Intune managed Samsung S7 and LetV devices with the Google Work profile. Both these devices are running Android version 6.

Conclusion – Intune Android Device Support for Google Android for Work Enrollment

Android for Work is supported for devices not listed in the Google portal. I recommend performing thorough testing before approving Android for Work-supported devices within your organization. Maintaining a recommended list of “Android for Work” supported devices within your organization is always better.

I hope Google will remove support for plain Android management and allow only “Android for Work” to manage Android devices. Also, we need to remember that Android for Work support is available only in specific countries or regions. For example, in China, we don’t have any support for Android for Work.

How to Resolve Intune Android for Work Configuration Refresh Error

Let’s discuss how to Resolve Intune Android for Work Configuration Refresh Error. Android for Work configuration is straightforward in most scenarios.

I have configured “Android for Work” for several tenants without any issues. Recently, however, I encountered an issue while configuring this in the Intune Silverlight console.

When I click on the configure button to “add Android for Work Binding” on the “Android for Work Mobile Device Management Setup” page in the Intune Silverlight console, it initiates the process. Still, Intune cannot launch the Android for Work binding wizard (webpage).

In one of our posts, we will show you how to configure the Android Enterprise platform for use with Intune Device Management. You can efficiently manage Android Enterprise corporate-owned devices with Microsoft Intune.

Android for Work Refresh Error in Intune SilverLight Console

The video below demonstrates resolving the Intune Android for Work Configuration Refresh Error. Generally, configuring Android for Work is straightforward in most scenarios. I have successfully set up “Android for Work” for several tenants without issues.

How to Resolve Intune Android for Work Configuration Refresh Error – Video 1

Introduction – How to Resolve Intune Android for Work Configuration Refresh Error

I have already posted about Android for Work configuration and set it up in a different post (How to Enroll Android for Work Supported Devices into Intune). This post and video tutorial will provide a step-by-step process to enable Android for Work management.

As I explained in the first paragraph, the Intune console could not complete the Android for Work binding. When I checked the Intune console, there was a console page loading error: “Microsoft Intune was not able to retrieve all data. REFRESH.”

How to Resolve Intune Android for Work Configuration Refresh Error - Fig.1

I tried clicking on the Refresh button several times to see if it helped, but it made no difference. There was another button on the Intune Silverlight page, Save Error Log.

I clicked on that button, and it asked me to save a text log file for this “could not retrieve all data” error in the Intune console. I opened the text file, which contains details about the error and possibly the root cause of this issue as well.

Error Message
Error occurred while retrieving JWT token, check that current user has an Intune license and try again.
How to Resolve Intune Android for Work Configuration Refresh Error – Table 1
How to Resolve Intune Android for Work Configuration Refresh Error - Fig.2

As per the Intune Save Error LOG file, the Intune Silverlight error occurred while retrieving the JWT token, and the error log suggests we check whether the current user has an Intune license and try again. Following is the snippet of the log file.

2017-03-31 05:37:56Z Silverlight Error:
Error occurred while retrieving JWT token, check that current user has an Intune license and try again.
ParameterType: Unknown
OperationType: Unknown
Current URL: https://admin.manage.microsoft.com/MicrosoftIntune/Home?accountid=a8f58f04-e279-44ff-95b9-5e81532915e6#Workspace/administration/index%23?P=//administration/MobileAndroidManagement/&A=%7BGID=23363773-6797-4c777-b3c2-01b06e207b74%7D&S=7sh74c9-7bf5-45ac-9fbb-67369263b9
Console Version: 5.0.17411.0
Service address: https://msua02.manage.microsoft.com/
Last 50 Log Entries:
00CCE 03/31/2017 05:37:37 429 Z MainThread 0001    Page instantiated successfully

Resolution

I have added an Intune/EMS license to the Intune Administrator from the new Azure Active Directory portal. It might not work straight away after assigning the license. You may need to wait 3-4 minutes before configuring “Android for Work.” I recommend logging off and logging back into the Intune Silverlight console before configuring “Android for Work.”

How to Resolve Intune Android for Work Configuration Refresh Error - Fig.3

Feature Comparison Video Between SCCM ConfigMgr CB 1610 and 1702 Configuration Manager

Let’s discuss the Feature Comparison Video Between SCCM ConfigMgr CB 1610 and 1702 Configuration Manager. What essential improvement can I see in the SCCM CB 1702 production console? Are Feedback Balloons everywhere? Yeah, SCCM/ConfigMgr is an excellent product for device management, and there is no competition! Why?

This is because of the improvements the product team made and the GREAT SCCM/ConfigMgr community we have for this product.

It’s all about the community’s contributions to improving a software product. The SCCM product team is always open to new ideas and feedback, which is one reason why SCCM is so great.

Software developers can’t make an excellent product without great feedback from real-time users of the applications. So, that is the importance of the SCCM/ConfigMgr IT Pro community.

Feature Comparison SCCM ConfigMgr CB Production 1702 vs 1610

The video below explains the differences between SCCM ConfigMgr CB versions 1702 and 1610. It compares the features of both versions, highlighting what has been improved or added in 1702.

The video also shows the benefits of upgrading and the new capabilities you can expect. It is helpful for anyone deciding whether to move from version 1610 to 1702.

Feature Comparison Video Between SCCM ConfigMgr CB 1610 and 1702 Configuration Manager – Video 1

Feature Comparison Video Between SCCM ConfigMgr CB 1610 and 1702 Configuration Manager

If you have yet to download and upgrade to the latest version of SCCM CB, here is my previous post, which will help you upgrade SCCM CB to the newest version, Configuration Manager CB 1702.

Another significant change is repositioning the “Updates and Servicing” node in the SCCM CB console.

The “Updates and Servicing” node is the topmost node in the Administration workspace of the SCCM CB 1702 production console. The in-console experience has improved a lot in SCCM CB 1702. From SCCM CB 1702 onwards, SUPs (Software Update Points) are boundary-aware, similar to MPs and DPs. This is an excellent help for SCCM architects in making better decisions about where to place SUPs.

Feature Comparison Video Between SCCM ConfigMgr CB 1610 and 1702 Configuration Manager - Fig.1

The biggest and most awaited feature in the SCCM CB hybrid is feature parity between the Intune Standalone and SCCM CB hybrid versions. The SCCM product team achieved feature parity between Intune SA (StandAlone) and the SCCM CB hybrid version.

I explained this in the above comparison video. If we review the Configuration Policy for iOS and MAC OS devices via the MDM channel without SCCM Client, you can see HUGE improvements! Some of the changes in numbers are given below.

Category           CB 1610        CB 1702
Password           Passcode modification
Device             9 settings     33 settings
Store              3 settings     6 settings
Content Rating     5 settings     6 settings
Cloud              4 settings     8 settings
Security           1 setting      2 settings
System Security    5 settings     12 settings
Data Protection    2 settings     4 settings
Feature Comparison Video Between SCCM ConfigMgr CB 1610 and 1702 Configuration Manager - Fig.2

The SCCM CB 1610 version included 17 features, and the SCCM/ConfigMgr product team added 4 more in the latest release, SCCM CB 1702! Those four new pre-release features are listed below. Only one feature moved from pre-release to production release: Conditional Access for Managed PCs.

Latest Release of SCCM CB 1702
Pre-Release – Install Behaviour of applications
Pre-Release – Data Warehouse Service Point
Pre-Release – Task Sequence content Pre-Caching
Pre-Release – Device Guard
Feature Comparison Video Between SCCM ConfigMgr CB 1610 and 1702 Configuration Manager – Table 1
Feature Comparison Video Between SCCM ConfigMgr CB 1610 and 1702 Configuration Manager - Fig.3

Feature Comparison Video Between SCCM?

Another piece of excellent news for SCCM CB hybrid customers is that there are 5 great new additions to compliance policies! We can’t select the different versions of the Android and iOS platforms anymore while creating a compliance policy or configuration policy with SCCM CB 1702; the granularity in choosing different Android/iOS versions was removed. The new compliance policy settings are:

Apps that cannot be installed
Password expiration
Remember password history
Password Quality
Minimum Android Patch Level
Feature Comparison Video Between SCCM ConfigMgr CB 1610 and 1702 Configuration Manager - Fig.4

In SCCM CB 1702, we can create a configuration policy for Android for Work! The configuration policy for AfW (Android for Work) has only 2 policies or configuration settings.

Some improvements or additional settings appeared in ConfigMgr/SCCM CB 1702 for Windows 10 configuration policies in a hybrid environment. Following are some of the high-level changes in Windows 10 Configuration Policies:

Category           CB 1610        CB 1702
Device             10 settings    11 settings
System Security    9 settings     10 settings

The SCCM product team did excellent work in catching up with Intune SA regarding Cloud Services integration in SCCM CB’s latest version. They have added support for “Android for Work” enrollments and improved the Cloud Management Gateway and the OMS connector.

  • Cloud Services
  • Android For Work
  • Cloud Management Gateway
Feature Comparison Video Between SCCM ConfigMgr CB 1610 and 1702 Configuration Manager - Fig.5

References

What’s new in version 1702 of SCCM CB System Center Configuration Manager

How to Perform SCCM ConfigMgr CB Production Upgrade to 1702 Video Tutorial Configuration Manager

Let’s discuss how to Perform the SCCM ConfigMgr CB Production upgrade to 1702 Video Tutorial Configuration Manager. Microsoft released a new version of SCCM/ConfigMgr CB 1702 here.

If your SCCM infrastructure runs with an ONLINE “service connection” point and your SCCM CB version is 1602 (and later), you will receive the SCCM CB 1702 update in the console.

For SCCM CB infrastructure with an online service connection point, the SCCM CB 1702 update will automatically appear in the console once Microsoft releases it for the “slow ring.” At the time of writing, Microsoft has released the SCCM CB 1702 update only for the “fast ring.” I have upgraded a standalone SCCM CB 1610 primary site to SCCM CB 1702. My experience with this upgrade was very smooth and robust.

I didn’t face any hiccups after automatically downloading the SCCM CB 1702 source files to the primary server. The video below will give a step-by-step walkthrough of the SCCM/ConfigMgr CB 1610 and 1702 upgrade process.

How to Perform SCCM ConfigMgr CB Production Upgrade to 1702

The video tutorial on “How to Perform SCCM ConfigMgr CB Production Upgrade to 1702” provides a comprehensive guide for IT administrators upgrading their SCCM Current Branch (CB) to version 1702. The tutorial covers all essential steps, from the prerequisites and preparatory tasks to the upgrade process and post-upgrade verification.

How to Perform SCCM ConfigMgr CB Production Upgrade to 1702 Video Tutorial Configuration Manager – Video 1

How to Perform SCCM ConfigMgr CB Production Upgrade to 1702 Video Tutorial Configuration Manager

Don’t upgrade to the SCCM/ConfigMgr CB 1702 version if your primary servers/CAS run on a Windows 2008 R2 server. The minimum OS requirement for the SCCM CB 1702 upgrade is Windows Server 2012 and Later.

You must ensure that a supported version of SQL is installed on the primary servers/CAS. SQL 2008 R2 SP3 is not supported, and you should have a minimum of SQL 2012 R2. So, hold off on your SCCM CB 1702 upgrade if you lack supported SQL and OS versions.

How to Perform SCCM ConfigMgr CB Production Upgrade to 1702 Video Tutorial Configuration Manager - Fig.1

Issues with Getting ConfigMgr SCCM 1702 Updates Available in the SCCM CB Console?

Is the SCCM/ConfigMgr CB 1702 update still unavailable in the SCCM CB console? How do you perform the SCCM ConfigMgr CB Production upgrade to 1702 Video Tutorial Configuration Manager?

Following are the steps you need to follow for the FAST RING release of SCCM CB 1702. More details are available in my previous post, “SCCM ConfigMgr 2012 to CB upgrade Unofficial Checklist.”

  1. Download the PowerShell script to ENABLE the first wave of customers (the script is available at the above link). SKIP THIS STEP; it is NOT required NOW.
  2. Run the PowerShell script from an elevated prompt (local admin access): “EnableFastUpdateRing1702.ps1 <SiteServer_Name | SiteServer_IP>”. SKIP THIS STEP; it is NOT required NOW.
  3. Force a check for the update. Go to \Administration\Overview\Cloud Services\Updates and Servicing and click “Check for Updates.” You may need to try “Check for Updates” more than once if the package is not downloaded on the first try.
  4. Wait for some time. The DMP Downloader component will start the download via the SCCM CB 1606 Updates and Servicing channel (see DMPdownloader.log for more details).
  5. Run the SCCM CB 1702 prerequisite check.
  6. Start the installation and wait for the replication of source files to the servers in the hierarchy if you have CAS and primary servers (this is not covered, as I don’t have an SCCM CB hierarchy in the lab).
  7. Once installation is completed on the CAS server, the automatic SCCM CB 1702 upgrade process will kick in for child primary servers per the service windows scheduled on the respective primary server.

As you can see in the above screen capture, the SCCM/ConfigMgr CB 1702 has already been downloaded and is available for the upgrade process on my SCCM primary server. However, the download process still has some challenges, and there is room for improvement.

The SCCM CB 1702 download was stuck in the downloading state for a long time. I had to restart the SMS Executive service to make the “in-console” 1702 update available. Please right-click on the Configuration Manager 1702 update and Install it.

The SCCM/ConfigMgr CB 1702 upgrade experience was very smooth for me. However, the process can take time, depending on factors like server components’ hardware performance and the SQL DB’s size. You can monitor the status of the upgrade from CMUpdate.log.

Also, check the Monitoring workspace for a more standardized status table with the respective log file details for each stage of an upgrade. How do you perform the SCCM ConfigMgr CB Production upgrade to 1702 Video Tutorial Configuration Manager?

Version

The last stage of the ConfigMgr/SCCM CB 1610 to 1702 upgrade process is the SCCM CB console upgrade. Once the console is upgraded successfully, you can see the latest site server version.

Also, the SCCM CB 1702 version details will be updated in the primary servers or CAS server registry key.

Version            1702
Console Version    5.000.8498.1400
Site Version       5.0.8498.1000
How to Perform SCCM ConfigMgr CB Production Upgrade to 1702 Video Tutorial Configuration Manager - Fig.2

Intune App Protection Policies for Android iOS Devices

Let’s check how to enable Intune App Protection Policies for Android and iOS devices. The video below provides more details and an end-user experience. The latest post is available for MAM policies: Step-by-Step Procedure to Create App Protection Policies for iOS/iPadOS in Intune.

Microsoft Intune supports MAM without enrollment (MAM WE) and Conditional Access policies for Android devices. With Intune, there are two types of management options for Android devices.

The first is the traditional way of MDM management, and the second is the light management of apps installed on Android devices via Intune. The previous post discussed the Android MDM management options and end-user experience.

In this post, you will find all the details about Intune App Protection Policies for Android and iOS devices. These policies are essential for managing and securing apps on mobile devices, ensuring that corporate data remains protected even when accessed from personal devices.

Intune MAM without Enrollment along with CA Android Devices

To apply Intune App Protection Policies (APP) effectively, the applications must support these policies. Most Microsoft 365 (M365) applications, such as Outlook, Word, and OneDrive, are compatible with App Protection Policies. These policies help ensure that corporate data accessed through these apps remains secure.

Intune App Protection Policies for Android iOS Devices – Video 1

Intune App Protection Policies for Android iOS Devices

Mobile Application Management (MAM) Without Enrollment (WE) is a lightweight management option for Android devices. This option has some advantages over full MDM management options.

For example, if a consultant’s device is already enrolled in a third-party EMM solution, but he wants access to the client’s corporate mail on his mobile device for a very short period, then “MAM WE” is the best option for that consultant. With MAM WE, Intune and Azure AD will ensure that corporate mail and other MAM-enabled applications are protected with MAM policies.

Intune—Mobile Apps—Apps—Skype for Business—Properties: In the following example, you can see that Android’s Skype for Business application has been deployed with a deployment type called “Available with or without enrollment.” So, the deployment type without enrollment is for MAM WE management.

Intune App Protection Policies for Android iOS Devices - Fig.1

The Intune “MAM WE” has a separate set of conditional access policies that differ from the MDM conditional access policy. So, you must take extra care when deploying both CA policies to the same user groups. I would avoid using the same user group for both policies, or you could use the exclude groups options.

I would avoid deploying the MDM CA policy to user groups whenever possible and deploy it to device groups. Otherwise, we should have a different MDM CA user group and a MAM WE CA user group with unique users in both groups, which will be tricky.

Intune App Protection Policies for Android iOS Devices - Fig.2

Each MAM-enabled application comes with application protection policies (MAM app protection). We need to deploy these app protection policies to MAM WE user groups. Remember, these types of policies (MAM WE) can’t be deployed to device groups.

With an app protection policy, you can restrict corporate data relocation and enforce app data encryption. Creating app protection policies and deploying them to MAM WE user groups is critical.

Intune App Protection Policies for Android iOS Devices - Fig.3

End-User Experience – How to Enable Intune MAM without Enrollment

The video here will provide the Intune MAM WE real-time end-user experience. How do you enable Intune MAM without Enrollment and Azure AD Conditional Access | Endpoint Manager?

How to Get Intune Environment Ready for iOS Mac OS Devices

How to Get Intune Environment Ready for iOS Mac OS Devices? The first requirement for iOS and MAC OS device enrollment is the Apple MDM push cert setup. You need to download a unique certificate signing request (CSR) from the Intune tenant and upload it to the Apple portal.

Once the CSR has been uploaded successfully, you can download the Apple MDM push cert from the Apple portal. The MDM push cert then has to be uploaded to the Intune portal so that you can enroll iOS and MAC OS devices via Intune. This process is explained in the video above.

I assumed that the Intune MDM authority setting had already been completed before setting up the Apple MDM push cert and configuring Enrollment restriction policies.

One of our articles explains how to configure the iOS and macOS platforms for use with Intune. Managing iOS and macOS devices with Intune is crucial for enhancing productivity and protecting enterprise resources. As mobile and remote work environments become more prevalent, employees increasingly rely on their iPhones, iPads, and Mac computers to access important work applications and data.

How to Get Intune Environment Ready for iOS and Mac OS Device Enrollment

Let’s discuss how to Get Intune Environment Ready for iOS and Mac OS Device Enrollment. Preparing your Intune environment for iOS and macOS device enrollment involves several key steps to ensure a smooth and secure setup.

This process helps organizations manage Apple devices effectively, providing both security and ease of use for employees accessing corporate resources.

How to Get Intune Environment Ready for iOS Mac OS Devices – Video 1

How to Get Intune Environment Ready for iOS Mac OS Devices

Once the Apple MDM push cert setup has been completed, we can proceed with the following configurations related to iOS and macOS management. As the next step, I would configure the Enrollment Restriction rules for iOS devices.

Suppose your organization has decided not to allow (block) personal iOS devices from enrolling into Intune. In that case, you must set up an enrollment restriction type based on the platform configurations. I have a detailed post about restricting personal iOS devices.

Read more – How to Restrict Personal iOS Devices from Enrolling on Intune Endpoint Manager

How to Get Intune Environment Ready for iOS Mac OS Devices – Fig.1

The next step is to set up Conditional Access policies for iOS devices (while we are still waiting for the Mac OS conditional Access policy). I recommend doing this during Intune’s initial setup. As you can see in the following screen capture, you have a couple of options.

You can select either individual supported platforms for the Conditional Access policy or “All platforms (including unsupported).” I recommend the latter, “All platforms (including unsupported),” so that a device on a platform you did not list explicitly is still covered by the policy rather than slipping past it.

How to Get Intune Environment Ready for iOS Mac OS Devices – Fig.2

Azure AD Conditional Access policies can be deployed either combined with compliance policies or without compliance policies. I recommend deploying conditional access policies with compliance policies. The next step is to set compliance policies for iOS devices. Are you wondering why there is no encryption option/compliance policy for iOS devices?

If so, there is no need for an encryption policy for iOS devices because those devices will get encrypted once the password has been enforced for devices.

System Security | Settings
Require a password to unlock mobile devices | Require
Simple passwords | Block
Required password type | Alphanumeric
Number of non-alphanumeric characters in password | 1
Maximum minutes of inactivity before password is required | 15 Minutes
How to Get Intune Environment Ready for iOS Mac OS Devices – Table 1

How to Get Intune Environment Ready for iOS Mac OS Devices – Fig.3

After compliance policy settings, it’s time to set up configuration policies for iOS and MAC OS devices. Intune Configuration policies deploy security settings for the devices and can be used to enable or disable their features.

My previous video blog post discussed the different types of Intune configuration profiles. Device restriction policies are security configuration policies in the Intune Azure portal.

How to Get Intune Environment Ready for iOS Mac OS Devices – Fig.4

Conclusion – How to Get Intune Environment Ready for iOS Mac OS

The above-mentioned policies are very basic policies you want to configure if your organization has decided to manage iOS and MAC OS devices via Intune. There are loads of advanced MDM policy management options available with Microsoft Intune.

You can also create custom configuration policies for iOS devices if some of your security requirements are not covered by the built-in Intune configuration policies. In addition, you can deploy Wi-Fi profiles, VPN profiles, and certificates to iOS devices using Intune MDM.

Another option with Intune MAM WE (without enrollment) is to manage corporate applications via MAM policies and MAM WE Conditional Access policies.

In this scenario, your users don’t need to enroll in Intune MDM management. Therefore, each organization must decide whether to use MAM WE or the MDM channel of iOS management.


Bangalore IT Pro Full Day User Group Event on Intune and SCCM

Bangalore IT Pro Full Day User Group Event on Intune and SCCM? On March 18th, 2017, the BLR IT Pro group conducted a free full-day Bangalore IT Pro User Group event. At this event, we covered Intune’s new Azure portal features.

We also covered the newest additions to SCCM/ConfigMgr CB 1702 TP. Ninety per cent of the sessions were demos, and attendees had some hands-on experience with Android for Work devices.

Bangalore IT Pro Full Day User Group Event on Intune and SCCM?

  • Join the SCCM/ConfigMgr Professional Group for updates about future events – here.
  • Follow the Facebook page to get notified about similar events – here

I had a great experience interacting with and sharing knowledge with more than 40 attendees. Most of them are SCCM admins planning to move to the Intune world. Some already have significant experience with Intune iOS management, Application wrapping, the Apple DEP program, etc. Some others are Airwatch admins and have had good new experiences with Intune features.

Full Day BLR ITPro Device Management UG Meet

I have created a quick video of some lively moments of the event. The Full Day BLR ITPro Device Management UG Meet is an engaging event for IT professionals specializing in device management. This comprehensive gathering allows attendees to immerse themselves in the latest industry trends, best practices, and emerging technologies.

Bangalore IT Pro Full Day User Group Event on Intune and SCCM – Video 1

Bangalore IT Pro Full Day User Group Event on Intune and SCCM Configuration Manager Endpoint Manager

The full-day free event covered a wide range of topics relevant to IT professionals and device management. These topics included the latest advancements in device management technologies, best practices for ensuring security and compliance, and strategies for optimizing device performance and lifecycle management.

Topics

The following are the topics I covered during the free full-day event. You can get the presentation link below.

Modern Device Management (MDM) is an advanced approach to managing and securing devices within an organization. It uses cloud-based technologies to provide comprehensive management of a wide range of devices, including desktops, laptops, tablets, and smartphones.

Key Components of Modern Device Management
  • Cloud-Based Management
  • Unified Endpoint Management (UEM)
  • Security and Compliance
  • Device Enrollment and Configuration
  • Application Management
  • Monitoring and Reporting
Bangalore IT Pro Full Day User Group Event on Intune and SCCM – Table 1

Topics covered:
  • What is Modern Device Management?
  • Basic Understanding Intune
  • Azure Active Directory AAD Overview
  • Create AAD Dynamic Device/User Groups
  • Intune Silverlight Portal Overview
  • Intune Azure Portal Overview
  • What is Conditional Access?
  • Configure Conditional Access
  • Configure Compliance, Configuration Policies
  • Table - Compliance Policies – Remediated/Quarantined
  • Windows 10 Modern Device Management
  • iOS/MAC OS Management
  • Android for Work Management
  • Troubleshooting?
  • SCCM CB 1702 TP New Features

Bangalore IT Pro Full Day User Group Event on Intune and SCCM – Fig.1

https://www.slideshare.net/slideshow/embed_code/key/4t1BmahfsEu3Tc

Bangalore IT Pro Full Day Event on Intune and SCCM from Anoop Nair


How to Restrict Personal Android Devices from Enrolling into Intune

How can I restrict Personal Android Devices from Enrolling in Intune? Are you still waiting to migrate from Intune Silverlight to the Azure portal?

The video post provides a quick overview and comparison between the Intune Azure and Intune Silverlight portals. It highlights the differences and improvements in the new Intune experience within the Microsoft Endpoint Manager (MEM) portal, showcasing the enhanced features and user interface of the Azure-based Intune portal compared to the older Silverlight version.

The new Intune portal allows for more granular restrictions for MDM enrollments. It’s amazing to see new features in the MEM Intune portal. One month ago, I blogged about restricting personal iOS devices from enrolling in Intune via enrollment restriction rules.

This post provides detailed instructions on restricting personal Android devices from enrolling into Intune using Endpoint Manager (MEM). It covers the steps necessary to configure enrollment restrictions, ensuring that only corporate-owned devices can be enrolled and managed through Intune.

How to Restrict Personal Android Devices from Intune Enrollment

Let’s discuss how to restrict personal Android devices from enrolling in Intune. This video provides a detailed guide on configuring Intune settings to ensure that only corporate-owned devices can be enrolled, helping you maintain control over device management within your organization.

How to Restrict Personal Android Devices from Enrolling into Intune – Video 1

How to Restrict Personal Android Devices from Enrolling into Intune

Personal iOS devices can be restricted from enrolling in Intune MDM. Until now, however, there was no option to restrict personal Android devices from enrolling into Intune MDM. The Intune team has lit up the feature to restrict personal Android devices from enrolling into Intune.

This was one of the features I was waiting for to appear in the Azure portal. So, can we allow only Android for Work-supported devices to enroll in Intune MDM? With this enrollment (device type) restriction option, the answer is NO. So, what is the difference between company-owned Android devices and personally-owned Android devices?

Features | Company-owned device | Personal device
Opt-out of Device Owner mode | No | Yes
With device approvals enabled, the administrator must approve the device | No | Yes
Administrators can receive an inactivity report every 30 days | Yes | No
Factory resets that users initiate block device re-enrollment | Yes | No
Account wipe available | No | Yes
How to Restrict Personal Android Devices from Enrolling into Intune – Table 1

All personal Android devices will be blocked from enrollment when you turn on the “Block Android Personal Device” option from Intune Blade in the Azure portal. Personal Android devices can be Android for Work (AfW) supported devices and non-Android for Work devices.

Initially, I thought Android for Work would not be treated as a personal device but as a corporate-owned device. But I was wrong. For corporate-owned devices, Android for Work can be deployed in a Work Managed mode, which provides full device management.

How to Restrict Personal Android Devices from Enrolling into Intune – Fig.1

The Enroll Devices node is the place in the Intune Azure portal where you can set up a restriction policy for personally owned Android devices. Within enrollment restriction rules, we can have two types of restrictions: Device Type restrictions and Device Limit restrictions.

In this scenario, we want to restrict personal Android devices. We need to create a device type restriction policy that allows the Android platform to enroll in Intune. Once enrollment for the Android platform has been enabled, go to Platform Configurations and then BLOCK personally owned Android devices.

How to Restrict Personal Android Devices from Enrolling into Intune – Fig.2

Conclusion

Ideally, when you block personally owned Android devices from enrollment, all Android devices enrolled via a non-corporate method should also be blocked.

As per my testing, this is not working. After enabling the “block Android personally owned devices” policy, I enrolled a couple of Android devices, and those devices got enrolled without any issues.

How to Restrict Personal Android Devices from Enrolling into Intune – Fig.3

In the screenshot below, I have enrolled two Android devices into Intune, and the Intune console detects those as personal devices. I’m not sure why they were not blocked.

How to Restrict Personal Android Devices from Enrolling into Intune – Fig.4


How to Integrate ConfigMgr SCCM CB with Azure AD

How do I integrate ConfigMgr SCCM CB with Azure AD? The SCCM ConfigMgr 1702 Technical Preview version was released a few weeks ago.

For more details about the SCCM 1702 Technical Preview version, refer to the article “SCCM ConfigMgr Comes with Azure AD Domain Services Support.” This article provides information on the new features and enhancements in Configuration Manager and Endpoint Manager, including Azure AD Domain Services support.

Last weekend, I got to look at the SCCM 1702 TP version. My SCCM/ConfigMgr TP lab had expired, as I hadn’t upgraded it since last November (1611). The technical preview versions are cumulative, but if you don’t upgrade to the latest version within 90 days, the lab will expire, and you will need to build one from scratch.

How do we know whether your SCCM CB TP lab has expired? You can see the remaining evaluation period on the top tab of your SCCM console (for example, “evaluation 10 days left”), or the SMS Executive and other services will start getting stopped every hour (I’m not sure whether it’s every hour or less).

Apart from the abovementioned points, it won’t get the latest TP updates/build version. If your SCCM TP lab expires, enjoy installing the new one!

How to Integrate ConfigMgr SCCM CB 1702 TP Azure AD Integration

Let’s discuss integrating ConfigMgr SCCM CB 1702 Technical Preview with Azure AD. The video provides detailed instructions on the integration process, showing how to connect ConfigMgr SCCM with Azure AD in this version.

How to Integrate ConfigMgr SCCM CB with Azure AD – Video 1

SCCM CB 1702 TP Console View – Integrate ConfigMgr SCCM CB with Azure AD

In the SCCM CB 1702 Technical Preview console, you can view and manage the integration of ConfigMgr SCCM CB with Azure AD. The console provides a straightforward interface for setting up and configuring the integration, making it easier to manage and secure your devices and applications.

Add Azure Active Directory | Sign in with AAD admin credentials to initiate SCCM onboarding
How to Integrate ConfigMgr SCCM CB with Azure AD – Table 1
How to Integrate ConfigMgr SCCM CB with Azure AD – Fig.1

So, returning to the topic “How to integrate Azure AD with SCCM/ConfigMgr?” This is a very straightforward process if you already have an Azure subscription and are a global admin.

The Add Azure Active Directory button has been made available in the SCCM CB 1702 TP console ribbon menu under the Cloud Services section, as shown in the above picture. Click the sign-in button and enter your Azure subscription credentials (most likely an account with global admin access).

How to Integrate ConfigMgr SCCM CB with Azure AD – Fig.2

Once the above step has been completed, two Azure Applications appear in the SCCM console. These apps are registered during the Azure AD integration path SCCM/ConfigMgr CB. The first app you can see is the SCCM server app, and the second is the SCCM client app.

Another option in the SCCM console is to renew the secret key to register the app in Azure. By default, the secret key has one-year validity.
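Because the secret created for these app registrations is only valid for one year by default, the practical risk is that it silently expires and the SCCM-to-Azure AD link stops working. A small expiry check is an added example here, not code from the original post or from Configuration Manager. The app records it reads are constructed and only imitate the shape of the Microsoft Graph application resource (displayName, passwordCredentials[].endDateTime); the app names are placeholders, the "now" timestamp is fixed so the result is deterministic, and the 30-day warning window is an assumed threshold.

```python
"""Flag Azure AD app registration client secrets that are expired or close to expiry.

Added example, not code from the original post or from Configuration Manager.
The app records below are constructed; they only imitate the shape of the
Microsoft Graph 'application' resource and use placeholder display names.
"""
from __future__ import annotations

from datetime import datetime, timezone

# Fixed "now" so the sample output is reproducible (constructed value).
NOW = datetime(2017, 3, 20, tzinfo=timezone.utc)

# Constructed sample app registrations.
SAMPLE_APPS = [
    {   # secret created at integration time with the default one-year validity
        "displayName": "SCCM-Server-App (placeholder)",
        "passwordCredentials": [{"displayName": "initial", "endDateTime": "2018-03-18T00:00:00Z"}],
    },
    {   # secret that expires in 10 days
        "displayName": "SCCM-Client-App (placeholder)",
        "passwordCredentials": [{"displayName": "initial", "endDateTime": "2017-03-30T00:00:00Z"}],
    },
    {   # secret that has already expired
        "displayName": "Some-Other-App (placeholder)",
        "passwordCredentials": [{"displayName": "old", "endDateTime": "2017-01-01T00:00:00Z"}],
    },
]


def parse_graph_datetime(value: str) -> datetime:
    """Graph returns ISO-8601 UTC timestamps ending in 'Z'; fromisoformat needs '+00:00'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def days_until_expiry(app: dict, now: datetime = NOW) -> int | None:
    """Days left on the secret that expires last (negative when already expired).

    Returns None when the app has no client secret at all.
    """
    ends = [parse_graph_datetime(c["endDateTime"]) for c in app.get("passwordCredentials", [])]
    if not ends:
        return None
    return (max(ends) - now).days


def secrets_needing_renewal(apps: list[dict], warn_days: int = 30,
                            now: datetime = NOW) -> list[tuple[str, int]]:
    """(app name, days remaining) for every app whose latest secret expires within
    warn_days, or has already expired; most urgent first."""
    out = []
    for app in apps:
        days = days_until_expiry(app, now)
        if days is not None and days <= warn_days:
            out.append((app["displayName"], days))
    return sorted(out, key=lambda item: item[1])


if __name__ == "__main__":
    for name, days in secrets_needing_renewal(SAMPLE_APPS):
        state = "EXPIRED" if days < 0 else f"expires in {days} days"
        print(f"{name}: {state}")
```

Against the sample data the server app (363 days left) is not reported, the client app (10 days) is, and the expired third app is listed first. The check looks at the latest-expiring secret per app on purpose: after you renew a secret from the SCCM console, the old and new credentials coexist until the old one expires, and only the newest one determines whether the app is at risk.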

Azure AD – App Registration View

I could see two apps created in the Azure portal as part of AAD integration with SCCM CB 1702 TP. Under App Registrations, my Azure Active Directory shows three apps: the SCCM client, the SCCM server, and the P2P server.

I’m unsure whether the P2P server was created during the Azure AD integration process with SCCM CB. I can confirm that it was not made during SCCM and AAD integration. Also, I’ve not tested the end-to-end scenario of Azure AD domain services integration.

With the SCCM CB 1702 technical preview version, you can manage devices joined to an Azure Active Directory (AAD) Domain Services managed domain. You can also discover devices, users, and groups in that domain with various SCCM Discovery methods.

How to Integrate ConfigMgr SCCM CB with Azure AD – Fig.3

Conclusion

Is this actual integration of SCCM with Azure AD in all respects? Would SCCM be able to discover devices and users from Azure AD itself? The answer to both questions is NO. This feature enables the discovery of devices managed by Azure AD Domain Services, which is different from Azure AD (the SaaS identity solution): Azure AD Domain Services is essentially “a domain controller installed inside a virtual server hosted in Azure.”
