How to remove policy settings from a user/device managed by Intune

As you all know, Intune can deploy all kinds of settings and profiles (security settings, WiFi, Certificate, Mail and VPN profiles) to your users and devices. But what if you want to remove one of the settings/profiles?

Until now this hasn’t been possible (except by doing a selective wipe/full wipe). With the updates delivered in the November and December releases of the Microsoft Intune backend, the policy will be removed when:

  • User or device leaves a collection / Group where policy was targeted to
  • Admin removes the deployment
  • Admin removes the policy itself

Note that this feature is available both with Microsoft Intune Standalone and with SCCM UDM with Intune.

As with everything we do with the device, we are dependent on the underlying management platform. Below you can see what can be removed per platform.

| Type of settings | Windows | Android | WP8.1 (There is no support for WP8) | iOS |
|---|---|---|---|---|
| Resource access Profiles (WiFi, VPN, Email, Certificate etc) | Yes | Yes | Yes | Yes |
| Configuration Items | No | No | Supported settings (listed below) | All settings except roaming settings |

Supported settings (WP8.1 Configuration Items):

./Vendor/MSFT/PolicyManager/My/DeviceLock/AllowIdleReturnWithoutPassword
./Vendor/MSFT/PolicyManager/My/DeviceLock/DevicePasswordEnabled
./Vendor/MSFT/PolicyManager/My/DeviceLock/AllowSimpleDevicePassword
./Vendor/MSFT/PolicyManager/My/DeviceLock/MinDevicePasswordLength
./Vendor/MSFT/PolicyManager/My/DeviceLock/AlphanumericDevicePasswordRequired
./Vendor/MSFT/PolicyManager/My/DeviceLock/DevicePasswordExpiration
./Vendor/MSFT/PolicyManager/My/DeviceLock/DevicePasswordHistory
./Vendor/MSFT/PolicyManager/My/DeviceLock/MaxDevicePasswordFailedAttempts
./Vendor/MSFT/PolicyManager/My/DeviceLock/MaxInactivityTimeDeviceLock
./Vendor/MSFT/PolicyManager/My/DeviceLock/MinDevicePasswordComplexCharacters
./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions
./Vendor/MSFT/PolicyManager/My/Camera/AllowCamera
./Vendor/MSFT/PolicyManager/My/Security/RequireDeviceEncryption
./Vendor/MSFT/PolicyManager/My/System/AllowStorageCard
./Vendor/MSFT/PolicyManager/My/Browser/AllowBrowser
./Vendor/MSFT/PolicyManager/My/ApplicationManagement/AllowStore
./Vendor/MSFT/PolicyManager/My/Experience/AllowScreenCapture
./Vendor/MSFT/PolicyManager/My/System/AllowTelemetry
./Vendor/MSFT/PolicyManager/My/System/AllowLocation
./Vendor/MSFT/PolicyManager/My/Accounts/AllowMicrosoftAccountConnection
./Vendor/MSFT/PolicyManager/My/Accounts/AllowAddingNonMicrosoftAccountsManually
./Vendor/MSFT/PolicyManager/My/Experience/AllowCopyPaste
./Vendor/MSFT/PolicyManager/My/WiFi/AllowInternetSharing
./Vendor/MSFT/PolicyManager/My/WiFi/AllowAutoConnectToWiFiSenseHotspots
./Vendor/MSFT/PolicyManager/My/WiFi/AllowWiFiHotSpotReporting
./Vendor/MSFT/PolicyManager/My/Experience/AllowManualMDMUnenrollment
./Vendor/MSFT/PolicyManager/My/System/AllowUserToResetPhone
./Vendor/MSFT/PolicyManager/My/Connectivity/AllowUSBConnection
./Vendor/MSFT/PolicyManager/My/Connectivity/AllowBluetooth
./Vendor/MSFT/PolicyManager/My/Connectivity/AllowCellularDataRoaming
./Vendor/MSFT/PolicyManager/My/Connectivity/AllowNFC
./Vendor/MSFT/PolicyManager/My/Connectivity/AllowCellularData
./Vendor/MSFT/PolicyManager/My/WiFi/AllowWiFi

The list of policies can also be found at http://technet.microsoft.com/en-us/library/dn743712.aspx under “What happens when a policy is deleted, or no longer applicable”

To illustrate this, I have recorded a short video showing how it looks.

If you have any questions or feedback, please add them in the comments below.

Azure Active Directory now supports shared accounts

One of the features in Azure Active Directory is the ability to get Single Sign On (SSO) to over 2400 SaaS applications (the number of applications available in the marketplace on 20141113). Last week the team released a new feature that lets you manage so-called “shared accounts” in a much better/easier way.

  1. You can now add multiple accounts. For example, a marketing person might need to have access to multiple Twitter accounts.
  2. You can assign the application to a group instead of a user.

Let’s see how this looks if you want to add multiple Twitter accounts.

  1. Sign into the Azure management portal.
  2. Under the Active Directory section, select your directory, then select the Applications tab.
  3. Click Add to add the first Twitter app/account.
  4. Select “Add an application from the gallery”.
  5. Search for the Twitter app and then click Ok to select it.
  6. Click “Assign users”.
  7. Select Groups and search/look for your group. When you find the one you want to use, click Assign.
  8. Select “I want to enter the credentials to be shared among all group members”.
  9. You have now successfully assigned the first account. Let’s add a second account.
  10. Select the Application tab and click Add.
  11. Select “Add an application from the gallery”.
  12. Search for the Twitter app and then click Ok to select it. Since this is the second Twitter app, you now get the option to name the app.
  13. Click “Assign users” and repeat the steps 6-8 (except using a new group and another Twitter account).
  14. You have now successfully assigned two different Twitter accounts to two different groups. Let’s see how this looks for an end user that is a member of both of the groups.
  15. Sign into the My Apps web portal myapps.microsoft.com (or use the native apps for iOS or Android). You will now see both of the Twitter accounts you have permission to use. Note that if you click on them you will be redirected to Twitter without the need to enter any password.

My Apps app is now available for both iOS and Android

To access the user self-service features in Azure Active Directory Premium, the user can use the web portal or the native apps. The first native app Microsoft released was for iOS, but last week the team released an Android version of My Apps.

Below you see some screenshots of how they look on different form factors and for the different platforms.

[Screenshots: Web portal, iPhone, iPad, Samsung Galaxy S4, Nexus 7]


Download My Apps from Apple Store

Download My Apps from Google Play

Read more about Azure Active Directory Premium (AADP)

Read more about the EMS Suite where AADP is included