MDM & GP Tips Blog

Mar 2020
01

Block CMD prompt with Intune

Group Policy admins have been blocking access to command prompt for standard users since the beginning.  That is why it is frustrating for MDM admins having no native way in Intune to block it in the same fashion of Group Policy.  Well in actuality, you can block the cmd prompt, it just takes a custom profile, which is something that not everyone likes to do much.  Below is how you set it up so feel free to use the settings.  

OMA-URI:  ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/IntuneEdu/EXE/Policy

Data Type:  String (XML file)

Here is the XML code to paste in:

<RuleCollection Type="Exe" EnforcementMode="NotConfigured">

        <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">

          <Conditions>

            <FilePathCondition Path="*" />

          Conditions>

        FilePathRule>

        <FilePathRule Id="ce9d9fd5-d765-48df-b87b-e1bafd5653ed" Name="All files" Description="Allows members of the Everyone group to run applications that are located in any folder." UserOrGroupSid="S-1-1-0" Action="Allow">

          <Conditions>

            <FilePathCondition Path="*" />

          Conditions>

                        <Exceptions>

                    <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="CMD.EXE">

          <BinaryVersionRange LowSection="*" HighSection="*" />

        FilePublisherCondition>

                Exceptions>

        FilePathRule>

     RuleCollection>

Jan 2020
02

Two Worlds Unite to Form Microsoft Endpoint Manager

It is a wonderful thing when new initiatives benefit both the company behind the implementation and the customers they serve.  Such is the case with the announcement at Ignite 2019 that ConfigMgr and Intune are melding together to become one.  Together, the idea is that they will form a single management conglomerate tool called Microsoft Endpoint Manager. 

The MEM console will show a single view of all devices managed by either product through a single interface.  Here's an example.

So the idea is that you can now manage ConfigMgr devices through the MEM interface.  Of course, you can still manage through one or the other if you wish and there are some features that cannot be replicated amongst the two.  Separately, the two tools will be known as:

  • Microsoft Endpoint Manager Microsoft Intune (MEMMI)
  • Microsoft Endpoint Manager Configuration Manager (MEMCM)

The merging of these two management systems now forms a new modern device management system that is exactly what internal IT needs to manage the modern workplace of today.  Modern management for the modern workspace.  That was a common theme at Ignite.

Branding and Licensing Simplification

Some may say that the merging is a recognition by Microsoft that vast majority of companies continue to stick to ConfigMgr and Group Policy to manage enterprise desktop devices.  While Intune is capable of managing your entire Windows 10 environment, many companies continue to limit its management scope to mobile devices. 

For Microsoft, bringing the two management systems together under one roof allows them to simplify their branding under one incorporated name.  By integrating ConfigMgr into the Intune Portal itself, Microsoft is undoubtedly hoping that enterprises can better amalgamate themselves with the capabilities and functionality of MEMMI. 

Users will enjoy the simplification of both licensing and experience.  Those enterprises that currently have ConfigMgr licenses will automatically have Intune licenses too, allowing them to co-manage their desktop devices with both tools.  From a product perspective, admins will be able to view their mobile devices and ConfigMgr controlled PC’s from a single interface.  No more having to bounce repeatedly back and forth between interfaces throughout the course of the day.  Says Brad Anderson, Corporate Vice President at Microsoft, “It’s all about simplifying — and we’re taking that simplifying deep and broad from a branding, licensing and product perspective,”

By implementing the new co-existing licensing model, Microsoft is encouraging those companies that need to need leave existing systems in place to provision new machines as cloud-managed devices.  Regardless of how the device managed however, MEM provides a single view of all devices managed by either product.

Examining the Licensing Structure

So when you think of the new licensing model, think of the management scope of ConfigMgr.  ConfigMgr specializes in PC desktop management, so your PC devices are now automatically licensed for Intune as well so you can go ahead and enable co-management if you want. Note: Phones and non-Microsoft devices are still the exclusive domain of Intune (MEMMI) so those devices are not applicable to receive dual licensing.   Note you will still need Azure Active Directory P1 licensing for your users.  Mobile devices, iOS and Linux machines will remain exclusively licensed under MEMMI.

Intelligence Driven

Modern management systems must be intelligence based in order to maximize the user experience.  There are currently 190 million devices managed by either ConfigMgr or Intune.  The convergence of ConfigMgr and Intune greatly scales the potential use of telemetry power that Internal IT can utilize in its PC deployments and problem solving.  MEM will be introducing an array of intelligent actions that will give admins granular analysis as well as new comparative insights to their environments versus others. 

One example of this is Productivity Score.  Productivity Score will allow organizations to evaluate their employee and technology experiences into measurable metrics that Internal IT can use to justify the value that it brings to the organization.  From the perspective of the user experience, it will quantify how people are collaborating on content, developing a meeting culture and communicating with one another.  Real measured results concerning these types of user experiences can offer insights into how to enhance the user experience and increase productivity.    The technology experience will provide insights into assessing policies, device settings, device boot times, application performance and adherence to security compliances

MEM is an Endpoint

Many of us predicted this would happen one day.  As companies strive towards digitally transforming their organizations from the ground up, it was only a matter of time until something was done to streamline the management of on-premise and mobile desktops in scale.   One point that Anderson emphasized his Intune presentation MEM is that the merging of these two management system giants is not a temporary arrangement.  Says Anderson,

"Let me be very clear -- this vision includes both ConfigMgr and Intune.  Co-management isn't a bridge; it's a destination."

MEM allows you to start utilizing cloud intelligence without making a single change to your ConfigMgr policies.  Working collaboratively together, yet visible and accessible through a single interface, MEM provides the modern management system that Windows enterprises need. End-to-end management and automation is now available in a converged license package.  Look for the MEM transformation to emerge within your Intune environment. 

     

Jul 2019
10

Two (not Jeremy) blog posts about Windows Update for Business' Rings

Windows Update for Business is the method where you can use Group Policy, SCCM or Intune to describe "rings" for your business. In these rings, you express "who is going to go first" to get updates.

Then, who will go next, and so on.

I explain these rings in details in my new MDM book.

But I wanted to share two Microsoft blog entries on this important topic, since it comes up from time to time. These are good extra sources of information.

https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Deployment-rings-The-hidden-strategic-gem-of-Windows-as-a/bc-p/664595

-https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Tactical-considerations-for-creating-Windows-deployment-rings/ba-p/746979

Hope these help you out!

Nov 2018
05

What can I get from Office 365’s MDM versus Intune?

When it comes to Mobile Device Management, it can be a little confusing keeping all the various MDM offerings straight.  For many organizations that utilize Office 365 for their email and/or other office suite applications, O365 MDM may be quite appealing due to one captivating detail…its free!  Yes, MDM for O365 is included with many Office 365 commercial subscriptions.  Free is indeed a good thing.

Free of course usually denotes some limitations and shortcomings.  This is the case with O365 MDM as it does not have near the feature rich options nor device coverability of Intune.  Intune either requires a paid subscription or can be purchased with Enterprise Mobility Suite.  Cost is one of the main differences between the two.

Mobile Device Management for Office 365 is designed for securing and managing mobile devices.  This includes such things as iPhones, iPads, Android devices, Windows Phones and tablets that are connected to Exchange Online.  You can create MDM policies to secure these devices by remotely wiping them or removing sensitive information.  This is one of the most important security management features for corporate mobile devices.  Other functions of O365 MDM include:

  • Remotely wipe emails from any device
  • Set up device policies like password requirements and security settings
  • Ensure email and documents can only be accessed by company managed mobile devices
  • Access reports and alerts concerning the jailbreaking of devices
  • Review reports concerning which devices are not compliant

O365 MDM is a good fit for a company that fully utilizes domain joined services to manage their traditional workstations and laptops and need to manage and secure mobile devices as well.  For those organizations that want to go all in and manage all of their Windows 10 computer devices (including traditional PCs) using an MDM solution, Intune is the only choice between the two.  With Intune, it is possible to manage your devices without any on premise infrastructure as long as they are all Azure joined.

Another key difference is how you access each of the CSP interfaces.  O365 MDM is accessed using the Security and Compliance Center as is shown below.

 

Intune on the other hand is accessed through the Azure portal.

 

Intune has a lot more functionality than O365 MDM such as the following:

  • You can integrate Intune with System Center Configuration Manager to coincidingly manage both on and off prem devices
  • Supports Mac OS X as well as Linux and Unix servers
  • Deploy your internal line-of-business apps and apps in stores to users
  • Provide additional security for web browsing
  • Implement Mobile Application Management policies for all your users

Which one is best depends on the needs of your organization. 

Nov 2018
01

What is Intune for Education?

Microsoft puts a lot of emphasis on the education market.  In an effort to cater to the K12 educational organizations, Microsoft offers a separate product called Intune for Education.  While large metro school districts that have students numbering in the tens of thousands or more will most likely opt for the full Intune Console, Intune for Education is a very attractive alternative for private schools and public schools with a student body of less than 10,000 students. 

First off, Intune for Education is simpler.  Smaller school systems often lack high level fulltime inhouse IT staff with the knowledge base to granularly administer advanced settings for their enterprise.  Often a single staff member is assigned the duty of supporting everything.  In some cases, schools may rely on teachers themselves to manage their classroom students and devices.  This is where Intune for Education comes in.  It has a simplified management interface that is inviting and extremely user.  Task creation is wizard driven so that the user is guided through the setup process.  The interface makes use of graphical icons that make it less intimidating for teachers and non-technical staff.  Below is an example of the Express Configuration area that is designed to quickly achieve a desired task.

 

Simplicity does come at a cost.  Intune for Education lacks the advanced configuration functionality that the full console version boasts.  It does do a great job of the essentials however such as the basic management of users and devices (both Windows 10 and iOS), deploying mobile apps and ensuring basic security compliance.  It is a simplified Windows 10 experience, but for many schools, that is all that is needed.

Intune for Education is designed for the modern day educational organizations.  For instance, teachers can create “Take a Test” profiles.  These test profiles secure the browser during an online testing experience.  These secure testing profiles prevent students from using other computer or internet resources during a test.  Intune for Education also integrates with other Microsoft products such as School Data Sync and Minecraft Education Edition.

 

Screenshot originally from: https://docs.microsoft.com/en-us/education/windows/take-tests-in-windows-10

And then of course, there is cost.  Intune for Education is affordable for smaller school systems that face challenging budgets.  Currently, educational customers have two options.  The first is a “one and done” per device fee at the time of the device’s enrollment.  This license is good for the life cycle of the product.  The other option is to license it per user on an annual basis.  The good news here is that student account are free.  School administrators will have to run the numbers to decide which option is best for them.

Keep in mind that Intune for Education is for “schools” only and Microsoft does verify this.  While Intune for Education isn’t for everyone in education, it certainly makes sense for some.