How to remove a policy settings from a user/device managed by Intune

As you all know, Intune can deploy all kind of settings and profiles (security settings, WiFi, Certificate, Mail and VPN profiles) to your users and devices. But what if you want to remove one of the settings/profiles.

Until now this hasn’t been possible (expect if you did a selective wipe/full wipe). With the updates delivered in the November and December release of Microsoft Intune backend, the policy will be removed when:

  • User or device leaves a collection / Group where policy was targeted to
  • Admin removes the deployment
  • Admin removes the policy itself

Note that this feature is available in both if you use Microsoft Intune Standalone and SCCM UDM with Intune.

As with all things we do with the device, we are dependent of underlying management platform. Below you see what’s can remove per platform.

Type of settings

Windows

Android

WP8.1 (There is no support for WP8)

IOS

Resource access Profiles (WiFi, VPN, Email, Certificate etc)

Yes

Yes

Yes

Yes

Configuration Items

No

No

Supported settings:
./Vendor/MSFT/PolicyManager/My/DeviceLock/AllowIdleReturnWithoutPassword
./Vendor/MSFT/PolicyManager/My/DeviceLock/DevicePasswordEnabled”;
./Vendor/MSFT/PolicyManager/My/DeviceLock/AllowSimpleDevicePassword”;
./Vendor/MSFT/PolicyManager/My/DeviceLock/MinDevicePasswordLength”;
./Vendor/MSFT/PolicyManager/My/DeviceLock/AlphanumericDevicePasswordRequired”;
./Vendor/MSFT/PolicyManager/My/DeviceLock/DevicePasswordExpiration”;
./Vendor/MSFT/PolicyManager/My/DeviceLock/DevicePasswordHistory”;
./Vendor/MSFT/PolicyManager/My/DeviceLock/MaxDevicePasswordFailedAttempts”;
./Vendor/MSFT/PolicyManager/My/DeviceLock/MaxInactivityTimeDeviceLock”;
./Vendor/MSFT/PolicyManager/My/DeviceLock/MinDevicePasswordComplexCharacters”;
./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions
./Vendor/MSFT/PolicyManager/My/Camera/AllowCamera
./Vendor/MSFT/PolicyManager/My/Security/RequireDeviceEncryption
./Vendor/MSFT/PolicyManager/My/System/AllowStorageCard
./Vendor/MSFT/PolicyManager/My/Browser/AllowBrowser
./Vendor/MSFT/PolicyManager/My/ApplicationManagement/AllowStore
./Vendor/MSFT/PolicyManager/My/Experience/AllowScreenCapture
./Vendor/MSFT/PolicyManager/My/System/AllowTelemetry
./Vendor/MSFT/PolicyManager/My/System/AllowLocation
./Vendor/MSFT/PolicyManager/My/Accounts/AllowMicrosoftAccountConnection
./Vendor/MSFT/PolicyManager/My/Accounts/AllowAddingNonMicrosoftAccountsManually
./Vendor/MSFT/PolicyManager/My/Experience/AllowCopyPaste
./Vendor/MSFT/PolicyManager/My/WiFi/AllowInternetSharing
./Vendor/MSFT/PolicyManager/My/WiFi/AllowAutoConnectToWiFiSenseHotspots
./Vendor/MSFT/PolicyManager/My/WiFi/AllowWiFiHotSpotReporting
./Vendor/MSFT/PolicyManager/My/Experience/AllowManualMDMUnenrollment
./Vendor/MSFT/PolicyManager/My/System/AllowUserToResetPhone
./Vendor/MSFT/PolicyManager/My/Connectivity/AllowUSBConnection
./Vendor/MSFT/PolicyManager/My/Connectivity/AllowBluetooth
./Vendor/MSFT/PolicyManager/My/Connectivity/AllowCellularDataRoaming
./Vendor/MSFT/PolicyManager/My/Connectivity/AllowNFC
./Vendor/MSFT/PolicyManager/My/Connectivity/AllowCellularData
/Vendor/MSFT/PolicyManager/My/WiFi/AllowWiFi

All settings except roaming settings

The list of policies can also be found at http://technet.microsoft.com/en-us/library/dn743712.aspx under “What happens when a policy is deleted, or no longer applicable”

To illustrate how this can look like I have recorded a short video describing how this looks like.

If you have any questions or feedback, please add into the comments below

Windows Intune + Samsung KNOX = True

Last week Samsung announced that Samsung KNOX will support Windows Intune. Except for this, they also announced that they will add “Workplace Join” functionality into the Samsung Androids devices so the will be able to workplace join an Active Directory (this can be done on IOS and Windows 8.x today).

This is very good news for all Windows Intune customers that uses Samsung Android devices, really looking forward to the update

Read the full Samsung Press Release

What’s new in the Jan/Feb 2014 Intune update

The Jan/Feb 2014 update to Windows Intune has now been out for a couple of weeks. This was the first  update that was released through the SCCM “Extensions for Windows Intune”

image

So what did the update actually include:

  • Ability for the administrator to configure email profiles, which can automatically configure (IOS and WP8) the device with the appropriate email server information and related policies, as well as the ability to remove the profile along with the email itself via a remote wipe if needed (Only IOS).
  • Support for new configuration settings in iOS 7, including the "Managed open in" capability to protect corporate data by controlling which apps and accounts are used to open documents and attachments, and disabling the fingerprint unlock feature.
  • Ability for the administrator to remotely lock the device if it is lost or stolen, and reset the password if the user forgets it (as of now, this this feature only exist in the Intune standalone cloud service).

If you would like to see a good demo of some of the new features, please look at the interview on Channel9 with Martin Booth

http://channel9.msdn.com/Shows/Edge/Edge-Show-90-System-Center-Configuration-Manager-and-Windows-Intune-and-Managing-iOS-What-s-New-

Updated version of the Support Tool for Windows Intune Trial Management of Window Phone 8 is now avalable

Today a revision to the Support Tool for Windows Intune Trial Management of Window Phone 8 has been released. This tool facilitates Microsoft System Center 2012 Configuration Manager admins and Windows Intune standalone admins to try out Windows Phone 8 enrollment and software distribution scenarios during the Trial period.

The new revisions include:

· The new Windows Intune Company Portal for Windows Phone 8 released on Oct 18.

· A bug fix to address the ‘UBound’ error in the vbscript. [This script is needed only for Configuration Manager and not Intune standalone]

Download Support Tool for Windows Intune Trial Management of Window Phone 8

Windows Intune Company Portals now available for Windows, IOS and Android

Company Portal Downloads

Company Portal

URL

Installation Method

Windows Intune Company Portal

Windows 8.x (x86/x64 and RT)

Windows Store

http://apps.microsoft.com/windows/en-us/app/company-portal/4b1dff1a-e76f-4fdd-a993-9c59048c3768

Microsoft Download Center

http://www.microsoft.com/downloads/details.aspx?FamilyID=08a4f9d8-9c4d-4667-8bb2-fe8bbcbe694a

Direct User Installation

 

 

 

IT Deployment

System Center Configuration Manager Company Portal

Windows 8.x

(x86/x64 only)

Microsoft Download Center Only

http://www.microsoft.com/downloads/details.aspx?FamilyID=da9f6820-d399-4847-b3d7-aacf5cbf75c7

IT Deployment

Windows Intune Company Portal for Windows Phone 8

Microsoft Download Center Only

http://www.microsoft.com/en-us/download/details.aspx?id=36060

IT Deployment

Windows Intune Company Portal for iOS

App Store

https://itunes.apple.com/us/app/windows-intune-company-portal/id719171358?mt=8

Direct User Installation

 

Windows Intune Company Portal for Android

Google Play

https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal

Direct User Installation

 

Support Tool for Windows Intune is now avalable for both SCCM+Intune AND Intune Standalone service

If you are a Windows Intune user you probably know that to be able to test managing Windows Phone 8 you need a special certificate from Symantec and to get this you also need to have a special Windows Phone developer account. This has been a lot of hassle for people that just want to test the functionally or to demo it. In May Microsoft released a “Support tool” that included a presigned Company Portal that you could install and upload in SCCM and you were all set to start testing enrolling Windows Phones. The problem were that this support tool only worked if you used SCCM+Intune, not if you were a user of the Standalone Window Intune service. The good news is that from today, the Support Tools also work for everyone that want to test Windows Phone 8 management in Windows Intune Standalone service.

Update 2013-12-10 – New version of the “Support Tool for Windows Intune Trial Management of Window Phone 8

Here is the basic steps

  • Log in to your Windows Intune Trial account via http://manage.microsoft.com
  • Install the MSI that you download from Microsoft Download Center It will extract the sample SSP.xap and other sample xap files included in the MSI. The default location for the files is “C:\Program Files (x86)\Microsoft\Support Tool for Windows Intune Trial management of Windows Phone 8\” Note: The support tool included in the package is not needed for Windows Intune administrators. It is required for only Microsoft System Center 2012 Configuration Manager Administrators.
  • Navigate to "Administration -> Mobile Device Management -> Windows Phone 8". As stated in the text (see below, go directly to step 5

image

  • Upload the SSP.xap. Windows Intune Software Publisher will be launched.

 image

  • In Software Setup page, leave the checkbox “Use the Company Portal App file signed by the sample Symantec code-signing certificate” checked.

image

  • Specify the location of software setup files by pointing to the SSP.xap that you’ve downloaded and extracted on your local machine
  • Click on next to complete the rest of the steps to publish the app
  • After completion of the steps above, Windows Intune Windows Phone Trial account enrollment is enabled and you should be able to start enrolling your Windows Phone devices through your trial account.
  • Deploy the sample apps provided in this package as appropriate

image

  • Users will now be able to enroll their WP8 device and could browse the deployed sample apps in their SSP.

To  enroll a Windows Phone 8, follow the below steps

  • On the Phone, go to Settings and select “Company Portal”
  • Click “Add account”

image

  • Add your account name and password

image

  • If everything works you should get a confirmation that the account has been added. Make sure to select to install the company portal

image

  • Your device is now added and can be managed from Windows Intune (can take a couple of minutes until you can see it in the console

image

Best of MMS 2013 – Stockholm, Sweden

On the 16th of May Best of MMS 2013 will take place in Stockholm,Sweden (in Swedish). 16 sessions and three different tracks will be available!!

It is being arranged by Truesec, Microsoft and Lumagate, you can find all the details and registration information here: http://events.truesec.se/Event/Best_of_MMS_2013

 

I gotten the opportunity to do one presentation:

Managing IOS, WP8, WIN RT using CM and Intune, together with Jörgen Nilsson from Onevinn

I am really looking forward to it!
Don’t miss it!

Best-of-MMS-1000x120

SCCM 2012 SP1+Intune=True

Today Microsoft announced that System Center Configurations Manager 2012 SP1 will include interoperability with Windows Intune vNext.

Expect the interoperability of Windows Intune and System Center Configuration Manager Console, Windows Intune will add support for Windows Phone 8 and Windows RT devices (current Intune version support Windows Phone 7, IPhone and Android)

I’m glad to see that these two products starts to grow together and I hope to see even more integration in the feature.

 

Read the whole announced from Microsoft

Windows Intune v2 released

As promised, yesterday Microsoft released version 2 of Windows Intune. Compared to standard software that require you to plan your upgrade etc. you will not have to do anything to get your Intune infrastructure upgraded. In the upcoming weeks, Intune customers will reciew an mail informing them that their account will be upgraded.

Intune v2 has the following new features:

  • Software distribution
  • Third Party License Management
  • Enhanced Hardware Reporting
  • Improved Policy Conflict Handling
  • Remote Tasks
  • User Interface enhancements
  • Read-only Access:

For more information, visit the Intune team blog at – http://blogs.technet.com/b/windowsintune/archive/2011/10/17/the-next-release-of-windows-intune-is-now-available.aspx

 

Want to test Intune v2 now – Sign up for a free 30 trial today