How to remove a policy settings from a user/device managed by Intune

Posted on December 18, 2014 by Björn Axell

As you all know, Intune can deploy all kind of settings and profiles (security settings, WiFi, Certificate, Mail and VPN profiles) to your users and devices. But what if you want to remove one of the settings/profiles.

Until now this hasn’t been possible (expect if you did a selective wipe/full wipe). With the updates delivered in the November and December release of Microsoft Intune backend, the policy will be removed when:

User or device leaves a collection / Group where policy was targeted to
Admin removes the deployment
Admin removes the policy itself

Note that this feature is available in both if you use Microsoft Intune Standalone and SCCM UDM with Intune.

As with all things we do with the device, we are dependent of underlying management platform. Below you see what’s can remove per platform.

Type of settings	Windows	Android	WP8.1 (There is no support for WP8)	IOS
Resource access Profiles (WiFi, VPN, Email, Certificate etc)	Yes	Yes	Yes	Yes
Configuration Items	No	No	Supported settings: ./Vendor/MSFT/PolicyManager/My/DeviceLock/AllowIdleReturnWithoutPassword ./Vendor/MSFT/PolicyManager/My/DeviceLock/DevicePasswordEnabled”; ./Vendor/MSFT/PolicyManager/My/DeviceLock/AllowSimpleDevicePassword”; ./Vendor/MSFT/PolicyManager/My/DeviceLock/MinDevicePasswordLength”; ./Vendor/MSFT/PolicyManager/My/DeviceLock/AlphanumericDevicePasswordRequired”; ./Vendor/MSFT/PolicyManager/My/DeviceLock/DevicePasswordExpiration”; ./Vendor/MSFT/PolicyManager/My/DeviceLock/DevicePasswordHistory”; ./Vendor/MSFT/PolicyManager/My/DeviceLock/MaxDevicePasswordFailedAttempts”; ./Vendor/MSFT/PolicyManager/My/DeviceLock/MaxInactivityTimeDeviceLock”; ./Vendor/MSFT/PolicyManager/My/DeviceLock/MinDevicePasswordComplexCharacters”; ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions ./Vendor/MSFT/PolicyManager/My/Camera/AllowCamera ./Vendor/MSFT/PolicyManager/My/Security/RequireDeviceEncryption ./Vendor/MSFT/PolicyManager/My/System/AllowStorageCard ./Vendor/MSFT/PolicyManager/My/Browser/AllowBrowser ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/AllowStore ./Vendor/MSFT/PolicyManager/My/Experience/AllowScreenCapture ./Vendor/MSFT/PolicyManager/My/System/AllowTelemetry ./Vendor/MSFT/PolicyManager/My/System/AllowLocation ./Vendor/MSFT/PolicyManager/My/Accounts/AllowMicrosoftAccountConnection ./Vendor/MSFT/PolicyManager/My/Accounts/AllowAddingNonMicrosoftAccountsManually ./Vendor/MSFT/PolicyManager/My/Experience/AllowCopyPaste ./Vendor/MSFT/PolicyManager/My/WiFi/AllowInternetSharing ./Vendor/MSFT/PolicyManager/My/WiFi/AllowAutoConnectToWiFiSenseHotspots ./Vendor/MSFT/PolicyManager/My/WiFi/AllowWiFiHotSpotReporting ./Vendor/MSFT/PolicyManager/My/Experience/AllowManualMDMUnenrollment ./Vendor/MSFT/PolicyManager/My/System/AllowUserToResetPhone ./Vendor/MSFT/PolicyManager/My/Connectivity/AllowUSBConnection ./Vendor/MSFT/PolicyManager/My/Connectivity/AllowBluetooth ./Vendor/MSFT/PolicyManager/My/Connectivity/AllowCellularDataRoaming ./Vendor/MSFT/PolicyManager/My/Connectivity/AllowNFC ./Vendor/MSFT/PolicyManager/My/Connectivity/AllowCellularData /Vendor/MSFT/PolicyManager/My/WiFi/AllowWiFi	All settings except roaming settings

The list of policies can also be found at http://technet.microsoft.com/en-us/library/dn743712.aspx under “What happens when a policy is deleted, or no longer applicable”

To illustrate how this can look like I have recorded a short video describing how this looks like.

If you have any questions or feedback, please add into the comments below

Azure Active Directory now supports shared accounts

Posted on November 13, 2014 by Björn Axell

One of the feature in Azure Active Directory is the ability to get Single Sign On (SSO) to over 2400 SaaS applications (the number application available in the market place 20141113). Last week the team release a new feature that let you managed so called “shared accounts” in a much better/easier way.

You can now add multiple accounts. For example, a marketing person might need to have access to multiple Twitter accounts
You can assign the application to a group instead of a user

Lets see how this would look like if you would like to add multiple Twitter Accounts.

Sign into the Azure management portal
Under the Active Directory section, select your directory, then select the Applications tab.
Click Add to add the first Twitter app/Account
Select “Add an application from the gallery”
Search for the Twitter app and then click Ok to select it
Click “Assign users”
Select Groups and search/look for your group, when you find the one you want to use click Assign
Select “I want to enter the credentials to be shared among all group members”
You have now successfully assigned the first account, lets add a second account
Select the Application tab and click Add
Select “Add an application from the gallery”
Search for the Twitter app and then click Ok to select it. Since this is the second Twitter app you now get the option to name the app
Click “Assign users” and repeat the steps 6-8 (except using a new group and another twitter account(
You have now successfully assign two different Twitter accounts to two different groups. Lets see how this looks like for an end user that is a member of both of the groups.
‘Sign into the My Apps web portal myapps.microsoft.com (or use the native apps for IOS or Android). You will now see both of the Twitter accounts you have permission to use. Not the if you click on them you will be redirected to Twitter without the need to add any password

My Apps app is now available for both IOS and Android

Posted on November 13, 2014 by Björn Axell

To access user self service feature in Azure Active Directory Premium the user can use the web portal or the native apps. The first native app Microsoft released was for IOS but last week the team released a Android version for My Apps.

Below you see some print screens of the how they look like on different form factors and for the different platforms.

Web portal

Iphone

Ipad

Samsung Galaxy S4

Nexus 7

Download My Apps from Apple Store

Download My Apps from Google Play

Read more about Azure Active Directory Premium (AADP)

Read more about the EMS Suite where AADP is included

Intune will power the new MDM feature in Office 365

Posted on October 28, 2014 by Björn Axell

Today at Teched Europe, Microsoft announced a new feature in Office 365 – built-in mobile device management for Office 365. What cool about this is that you will actually be using the Intune backend and if you want to get more feature there will be an easy way to “upgrade” to Intune

To get a better understanding on what will be included in the Office 365 SKUs and what will be included in EMS/Intune, please visit http://blogs.office.com/2014/10/28/introducing-built-mobile-device-management-office-365/

To see some of the feature in action, below you have a short video explaining the features.

Which hotfixes should I apply to get the most of EMS

Posted on October 24, 2014 by Björn Axell

Hotfixes includes as we all know fixes to things that doesn’t work as expected but it also sometimes includes improvements and this is why I decided to write this blog post. This list is nothing official, I will list the updates that will/can impact EMS products (stability and improvements)

Note! This post will be updated as soon as I find any new hotfixes. Last update 2015-02-17

System Center 2012 R2 + Intune (also called Intune UDM)

Hotfix	Resolves	Comments	Replace
KB3026739 (CU4)	A lot of things, please look at KB to see the whole list	All CU’s are cumulative so all fixes that were in CU1 +CU2 +CU3 is also included	This update replaces Cumulative Update 3 for System Center 2012 R2 Configuration Manager (http://support2.microsoft.com/kb/2994331/en-us)
KB3002291	In Microsoft SystemCenter 2012 R2 Configuration Manager, when a user becomes a cloud-managed user, a settings policy may not target the assignment for the user.	The original fix for this was included in CU2+CU3 but was broken by the installer process (script was overwritten and function reverted back to original state). The effect of this is that users that are included in an collection will get the “fast download of a polices” but for any users added after applying CU2 or CU3 will not get the policies. Note 1 -There is one version of the fix for a CU2 installation and one for CU3. Note 2 – If you installed the CU2 version and then install CU3 you need to install the CU3 version of this fix Note 3 – After installing the hotfix, please run the script (that you can copy from the KB), this script will fix all existing deployments	This update is included in CU4
KB2990658	Greatly reduces the time that’s required to execute a successful retire or wipe of a Mobile Device Management (MDM) device. These operations now run on the device in a matter of seconds, assuming the device is reachable by Windows Intune.	To apply this hotfix, you must have Cumulative Update 3 (http://support.microsoft.com/kb/2994331/ )	This update is included in CU4
KB2994331 (CU3)	A lot of things, please look at KB to see the whole list.	All CU’s are cumulative so all fixes that were in CU1 +CU2 is also included	This update replaces Cumulative Update 2 for System Center 2012 R2 Configuration Manager (http://support.microsoft.com/kb/2970177/ ) .
Kb2970177 (CU2)	The main improvement in this update is Speed. If you been working with device enrollment you probably noticed that it can take a wile for the device to receive all the profiles/policies you deployed to it.With the CU2 for SCCM 2012 R2 and the May update for the Intune backend, this has been improved a lot.	See http://blog.advisec.com/?p=694 for more information and step by step how to install it	This update replaces Cumulative Update 1 (http://support.microsoft.com/kb/2938441/ ) for System Center 2012 R2 Configuration Manager.
KB2938441	Enrolling an Android device in both Exchange Active Sync (EAS) and Mobile Device Management causes a duplicate device to be created in the Administrator Console.

Windows Server 2012 R2 WAP Server role

Hotfix	Resolves	Comments	Replace
KB3011135	Large URI request in Web Application Proxy fails in Windows Server 2012 R2	For more information on how to use WAP in front of a NDES server see Pieter Wigleven blog http://aka.ms/ndes3. Note that this is still a “privat” fix and you need to call support to get it (no cost). This hotfix is now included in the December 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2

Windows Server 2008 R2 CA Server role

Hotfix	Resolves	Comments	Replace
KB2483564	Renewal request for an SCEP certificate fails in Windows Server 2008 R2 if the certificate is managed by using NDES	This update is only needed if you want to implement certificate deployment with SCEP and your CA is running on Windows Server 2008R2	If it is possible, I would recommend to upgrade to a newer server OS

CU2 for SCCM 2012 R2 is now released–Does it improve/impact Intune customers?

Posted on June 30, 2014 by Björn Axell

The CU2 update for System Center Configuration Manager 2012 R2 was just release. As with all CU’s, they include both fixes and improvements. With this blog post I want to highlight the things that are included in CU2 and will improve/impact Intune customers.

If you read the Kb2970177 you will se the following:

Mobile device management / Intune

Policies that apply to devices that are used together with Windows Intune may take 10 minutes or more to apply. Additionally, policies that are created before enrollment may not appear on the new device.
The Policy Request and Management Point fields for mobile devices may be missing from the Client Activity Details tab on the summary page for a given device.

Except for the two bug fixes it also includes one other major thing and that’s – Speed. If you been working with device enrollment you probably noticed that it can take a wile for the device to receive all the profiles/policies you deployed to it.With the CU2 for SCCM 2012 R2 and the May update for the Intune backend, this has been improved a lot.

So, if you use User Collection targeted Polices and Profiles they will be delivered to the User’s devices immediately after enrolling the devices.

The start benefit from this feature, install SCCM 2012 R2 CU 2 and test to enroll. Below you see a demonstration on the steps and the result.

Install SCCM 2012 CU2
Verify that your profiles/policy’s is deployed to a user collection
Enroll a device and validate that the profiles/policy’s is deployed immediately

Important links from the videos:

Update 1 – If you have an existing SCEP profile you need to “manually” update it so it can be deployed during enrollment. Easiest way is to open the profile and just change the name or any other “cosmetic” change will also work. This will add a new revision on the profile and it will now work. Note that all SCEP profiles added after you applied CU2 is not affected by this issue

Windows Intune + Samsung KNOX = True

Posted on March 5, 2014 by Björn Axell

Last week Samsung announced that Samsung KNOX will support Windows Intune. Except for this, they also announced that they will add “Workplace Join” functionality into the Samsung Androids devices so the will be able to workplace join an Active Directory (this can be done on IOS and Windows 8.x today).

This is very good news for all Windows Intune customers that uses Samsung Android devices, really looking forward to the update

Read the full Samsung Press Release

What’s new in the Jan/Feb 2014 Intune update

Posted on March 5, 2014 by Björn Axell

The Jan/Feb 2014 update to Windows Intune has now been out for a couple of weeks. This was the first update that was released through the SCCM “Extensions for Windows Intune”

So what did the update actually include:

Ability for the administrator to configure email profiles, which can automatically configure (IOS and WP8) the device with the appropriate email server information and related policies, as well as the ability to remove the profile along with the email itself via a remote wipe if needed (Only IOS).
Support for new configuration settings in iOS 7, including the "Managed open in" capability to protect corporate data by controlling which apps and accounts are used to open documents and attachments, and disabling the fingerprint unlock feature.
Ability for the administrator to remotely lock the device if it is lost or stolen, and reset the password if the user forgets it (as of now, this this feature only exist in the Intune standalone cloud service).

If you would like to see a good demo of some of the new features, please look at the interview on Channel9 with Martin Booth

http://channel9.msdn.com/Shows/Edge/Edge-Show-90-System-Center-Configuration-Manager-and-Windows-Intune-and-Managing-iOS-What-s-New-

TechDays Sweden is back

Posted on December 11, 2013 by Björn Axell

Allot of customer was a bit upset when Microsoft decided to not host the Techdays 2013 in Sweden. The good new is that Microsoft listen to the feedback and Techdays Sweden will be back in 2014 – This time in Kistamässan 19-20 November so make sure to save the date.

Updated version of the Support Tool for Windows Intune Trial Management of Window Phone 8 is now avalable

Posted on December 10, 2013 by Björn Axell

Today a revision to the Support Tool for Windows Intune Trial Management of Window Phone 8 has been released. This tool facilitates Microsoft System Center 2012 Configuration Manager admins and Windows Intune standalone admins to try out Windows Phone 8 enrollment and software distribution scenarios during the Trial period.

The new revisions include:

· The new Windows Intune Company Portal for Windows Phone 8 released on Oct 18.

· A bug fix to address the ‘UBound’ error in the vbscript. [This script is needed only for Configuration Manager and not Intune standalone]

Download Support Tool for Windows Intune Trial Management of Window Phone 8