Enjoy Sharing

Pass-through Authentication Agent Duplicate–Status Inactive

If you’re one of the early adopters of Azure AD Pass-through Authentication, you may come across a duplicate authentication agent in the Azure portal whose Status shows as ‘Inactive’. This can happen when you upgrade the Authentication Agent, or reinstall it because of a fault. You may ask: how do I remove this duplicate, inactive agent?

The answer is trivial. Don’t worry, this is normal behaviour and the Inactive entry will automatically be removed from the portal after several days. So don’t sweat, leave it and it will go away soon.

Enjoy!!!

Setting Up Microsoft Intune with Android for Work

In my previous post I’ve covered Microsoft Intune and Android for Work at a high level to give you an understanding of what it is from Intune standpoint. In this post I will cover the initial setup of Intune to get Android for Work started.

One thing to note is that, at the time of writing, Android for Work support is only available in Intune standalone. I expect this capability to come to hybrid MDM with Configuration Manager, but it is not there yet. If you’ve already got Microsoft Intune running, or you’ve just set your Mobile Device Management Authority, you will notice that you can manage Android devices almost right away. This is the traditional/conventional method of Android management. To set up Android for Work, you will find the Android for Work node in the left pane of the console.

Another thing to remember is that Microsoft Intune only supports Android for Work on devices running Android version 6.0 and above. Google officially supports version 5.0 and above, but from Microsoft’s standpoint only version 6.0 and above is supported, based on their internal testing.

Once you click on that node you will see that Android for Work is not configured, so click the Configure button to start the binding with Android for Work.

As soon as you click on the Configure button you will be brought to the Android for Work page in a new tab. There, click SIGN IN.

Here you will be asked to either log in with a Google account or create one. This is similar to the Apple ID for your organisation when managing iOS devices. Preferably this account will be accessible to a team in IT rather than a single individual, just in case that employee leaves the organisation. Click Create account if you choose to create a new one.

On this page, fill in all the details to create a new account, then click Next Step. Remember not to use a personal email address but rather an email address accessible by a team in IT, e.g. IT@company.com.

Agree to the terms and conditions.

And you’re done. Click Continue to Google Play.

You will be brought to the Android for Work page already signed in to the user you just created. Click GET STARTED.

Here, configure your organisation’s details and then click CONFIRM.

Once setup is complete click COMPLETE REGISTRATION.

This is how it looks after the binding with Android for Work is completed.

You’ve got an option to manage your Android devices through the conventional method, through Android for Work, or through a combination of the two. You basically need to target Android for Work to a user group whose members have a supported device, that is, Android version 6.0 and above. To target Android for Work to a group of users, create a security group that is synced to Azure AD if you don’t already have one. Choose the third option, then click the Modify button.

Select the group that you want to target Android for Work to, click the Add button then click OK.

Now that you’ve added a group, click Save. Time to rock and roll with enrolling a device using a user account that is a member of the group you just added.

Enjoy!!!

Microsoft Intune and Android for Work

You may or may not have come across Android for Work. What is it and what does it do? Android for Work is Google’s enterprise device management initiative that allows IT to manage and secure corporate information (apps and data) in a separate ‘work profile’. Warning: Marketing fluff. Android for Work separates business apps from personal apps so you can use your favourite Android device for both work and play. A dedicated profile for business content that never mixes with your personal stuff, so that IT can’t see or erase your photos, emails or other personal data. Read more about it here.

The Problem Child

You would have pretty much noticed the pain of managing Android devices if you’re the administrator responsible for managing devices in your organisation. This comes down to the level of fragmentation in the Android ecosystem, and to the fact that the Android operating system is open source. What this means is that OEMs take the operating system and modify it for their devices, adding extensions on top to provide added features to users. This is great for the everyday user because there are so many choices out there, but for the systems admin it is a huge nightmare to manage and secure. This is one of the goals Android for Work set out to achieve: a more unified management experience for IT as well as for the end user, much like what managing iOS devices looks like.

What You Need to Know

Here are several things you may want to know about Android for Work.

Work Profiles – Android for Work uses the concept of a separate profile, similar to a logical container, to discriminate between work and personal. Enabling a work profile allows organisations to manage the business data and applications they care about, but leave everything else on the device under the user’s control. Administrators control work profiles, which are kept separate from personal accounts, apps, and data. This means a clear boundary of what IT can and cannot do. In this model IT can no longer perform a full device wipe or factory reset, but is limited to wiping the data that is in the work profile. What this also means is that most device information remains invisible to IT, other than what is exposed within the work profile.

Applications – Contrary to how apps are deployed to Android devices today (.apk files or Google Play), in Android for Work apps are delivered from only one source: the Google Play Store. The immediate question will be “what about my LOB apps?”. Google is moving everyone to deploy business apps through their enterprise multi-tenant version of the Play Store called, you guessed it, Google Play for Work! This is an isolated section of the store, accessible only to the organisation that owns it. Nobody else can see it. This increases security and eliminates the need to enable the “allow installation from unknown sources” option in the operating system, which is considered the No. 1 malware threat that exists on Android today. What it also means is that required applications can now be silently pushed to devices, rather than sending users to a link in the Play Store as with conventional MDM.

Encryption – is no longer an option when managing devices with Android for Work. Even if the device is not currently encrypted, it will be at the point when the device is enrolled and a work profile created.

Permissions – Remember those annoying prompts to allow/deny access to parts of the device like contacts, camera and storage? Within the context of the work profile that’s gone now, because the administrator determines that for you when an app is pushed out, so the end user doesn’t need to. The personal side of the device is not affected and will continue to work as before.

Mode of Management – Microsoft Intune can concurrently support both methods of Android management: the conventional MDM method and Android for Work. Intune considers this to be an entirely different device platform, so in the Intune console you will see Android for Work devices alongside managed iOS devices and traditionally managed Android devices. The two modes of management for Android are available so the administrator can target different groups of users on supported devices, mainly because Android for Work is only available for Android version 6.0 and above.

In my following posts I will cover various topics on getting Android for Work running in your Microsoft Intune tenant, so stay tuned for that shortly.

Enjoy!!!

Upgrading Configuration Manager to 1610

Okay, Configuration Manager 1610 has been released for some weeks now and only recently have I got the chance to upgrade my lab environment. Microsoft is rolling out the update progressively, so you may not yet see it available in your console. If you don’t see it and want to upgrade your ConfigMgr environment to 1610, you can force the upgrade to be available in your console by enabling the fast update ring for 1610. How do you do it? Download a simple zip file from the link below, extract it, and run the PowerShell script it contains. https://gallery.technet.microsoft.com/ConfigMgr-1610-Enable-046cc0e9

You may be asked to change your execution policy if you haven’t. Enter Y for Yes to proceed.

Next you will be asked to enter your Site Server. I won’t tell you what it is because you should already know, but if you don’t, you can easily find out.

Next, you would want to force ConfigMgr to check for updates by right-clicking on Updates and Servicing, then selecting Check for updates.

Give it some time and the 1610 update should appear in your console shortly.

To install ConfigMgr 1610, right-click on the update and then select Install Update Pack.

In the General screen, accept the defaults and then click Next. Optionally you can select the checkbox to Ignore any prerequisite check warnings and install this update regardless of missing requirements.

In the Features screen, you can leave the defaults and click Next, or if you want to test out some pre-release features that come with the 1610 update you can go ahead and select them. You will be able to turn them on after the update is complete too.

In the Client Update Options screen, choose whether you want to first go through your validation process of the new version of the client or just go ahead and roll the new version out to your organization. You would normally want to validate it first on your pre-production computers. Click Next after that.

In the License Terms screen, you know what to do, then click Next.

In the Summary screen, click Next.

And in the Completion screen, click Close.

You’ll see that it is now installing. Give it some time to complete.

Reminders:

Treat this update just like any upgrade, where you may want to perform a /testdbupgrade on your ConfigMgr database first before you upgrade your production environment. Other precautions still apply, like verifying your backups beforehand, etc. You know the drill.
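As an added example (not from the original post), this is how the /testdbupgrade rehearsal can be scripted with the SqlServer PowerShell module: restore a copy of the site database under a new name, run setup against the copy, read the result from ConfigMgrSetup.log, then drop the copy. The server, database, backup and setup.exe paths are assumptions for a lab.

```powershell
# Added example, not part of the original post. Rehearses the database upgrade on a COPY of the
# site database so the production database is never touched. All names and paths are assumptions.
Import-Module SqlServer

$backupFile = 'D:\CMBackup\CM_LAB.bak'       # backup of the production site DB (assumed path)
$testSql    = 'SQLTEST01'                    # SQL Server of the same version as production, NOT a site system (assumed)
$testDb     = 'CM_LAB_TESTUPGRADE'           # name for the restored copy (assumed; never the live DB name)
$dataDir    = 'D:\SQLData'                   # where the copy's data/log files are placed (assumed)
$setupExe   = 'D:\CM1610Payload\SMSSETUP\BIN\X64\setup.exe'   # setup.exe matching the 1610 update (assumed path)

# 1. Restore the backup under the test name, relocating every file so nothing collides with an existing DB
$fileList = Invoke-Sqlcmd -ServerInstance $testSql -Query "RESTORE FILELISTONLY FROM DISK = N'$backupFile'"
$relocate = foreach ($f in $fileList) {
    $ext     = if ($f.Type -eq 'L') { '.ldf' } else { '.mdf' }
    $newPath = Join-Path $dataDir ($testDb + '_' + $f.LogicalName + $ext)
    New-Object -TypeName Microsoft.SqlServer.Management.Smo.RelocateFile -ArgumentList $f.LogicalName, $newPath
}
Restore-SqlDatabase -ServerInstance $testSql -Database $testDb -BackupFile $backupFile -RelocateFile $relocate

# 2. Run the offline test upgrade against the copy (run this on $testSql as a local administrator)
& $setupExe /TESTDBUPGRADE $testDb

# 3. Setup writes its result to ConfigMgrSetup.log in the root of the system drive of the machine it ran on
$log  = Join-Path $env:SystemDrive 'ConfigMgrSetup.log'
$tail = Get-Content -Path $log -Tail 50
if ($tail -match 'successfully upgraded the database') {
    Write-Output 'Test upgrade succeeded: safe to plan the production upgrade'
} else {
    Write-Output 'Test upgrade reported problems: review ConfigMgrSetup.log before upgrading production'
    $tail | Select-String -Pattern 'ERROR'
}

# 4. Remove the copy; a test-upgraded database must never be used as a site database
Invoke-Sqlcmd -ServerInstance $testSql -Query "DROP DATABASE [$testDb]"
```
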

Enjoy!!!

Setting Up An EMS Lab in ARM (Azure Resource Manager) Step-By-Step – Part 7

Quick links to the other parts of the post:-

What is an EMS lab without an EMS subscription, right? So now we’re gonna add an EMS subscription. We do this from the Office 365 portal https://portal.office.com. Once logged in, go to Billing > Subscriptions. There you will see that you can add subscriptions at the top right corner of the screen. Click + Add subscriptions.

Here you’ll see heaps of different subscriptions you can add to your tenant. Scroll through the page and look for Enterprise Mobility Suite Direct and hover over it then click Start free trial.

You’ll be asked to confirm your order then click Try now.

In the order receipt page, click Continue.

Now, this trial subscription will give you up to 100 users for up to 30 days. Now most of you do not want your lab to last only for 30 days, right? The good news is, from my experience you will be able to extend your EMS trial to 180 days. That’s 6 months…not too bad at all.

How you do this is to call up Microsoft Online Services Support. I know it can be very difficult to find the right number to call, so I’m gonna save you some misery. For Australia the number is 1800 197 503. For other countries, look up your respective number at the link below, under the “Microsoft Dynamics CRM Online, Microsoft Dynamics Marketing, Microsoft Social Engagement and Parature, from Microsoft” section. Honestly I am not sure why it is under that section. On some other pages, this number is called the “Global Office 365 support phone numbers for admins”.

https://mbs.microsoft.com/customersource/Global/CRM/support/support-news/Support_Telephone

After the trial extension, you’ll see it reflected in the portal page.

It is also a good idea to now assign a license to the Global Administrator account, as Microsoft has required this since November 2015. Basically, go to Active users, highlight your admin user, then click on the Edit link beside Product license.

Click on the flip switch for Enterprise Mobility Suite, and then click Save.

Click Close.

If you don’t already know, EMS is a licensing construct that includes basically 4 products: Azure Active Directory Premium, Intune, Azure Rights Management and Advanced Threat Analytics. So once you’ve got the EMS subscription added, you should be able to log on to the Intune portal at https://manage.microsoft.com. Remember to use a browser other than Microsoft Edge for this, as the portal is currently still built on Silverlight. HTML5 is to come soon.

Once you’ve confirmed that you’ve got an Intune tenant, it is time to set up the hybrid connection with the Configuration Manager we’ve installed for this lab. Back in the Configuration Manager console, navigate to Overview > Microsoft Intune Subscriptions. Right-click on it and then select Add Microsoft Intune Subscriptions.

In the Introduction page, click Next.

In the Subscription page, click Sign In.

Select the checkbox for I understand that after I complete the sign-in process, the mobile device management authority is permanently set to Configuration Manager and cannot be changed. Then click OK.

Log in with an administrator account to the Intune tenant, then click Sign in.

Note: If you do get an error after signing in, make sure you have Silverlight installed.

Back to the Subscription page, click Next.

In the General page, click the Browse button for the collection.

Here you have the option of choosing a user collection whose members will be allowed to enroll devices in Intune. You can create a custom collection to control which users are allowed to enroll their phones in Intune or, as in my case, select the default All Users and User Groups collection, which allows basically every user in the domain to enroll their phones in Intune.

Back in the General page, fill in the Company name, URL and the Configuration Manager site that you want Intune to be connected to. Typically this will be your CAS server if you have one; if not, it will be your Primary Site. Click Next.

Fill in the information as needed then click Next.

In the Company Logo page, you can browse for a company logo image or leave it for now and you can configure it later. Click Next.

In the Device Enrollment Manager page, leave the default if you want to configure this later or add users as Device Enrollment Managers. Click Next.

You can choose to enable multi-factor authentication if you want to initiate an MFA request when a user enrolls a device. I’m gonna leave it for now as I can enable it later if I want to. Click Next.

In the Summary page, click Next.

In the Completion page, click Close.

Enjoy!!!

Cannot Turn On Features in Configuration Manager Current Branch

If this is your first time seeing a bunch of features that are turned on or turned off in the Administration > Cloud Services > Updates and Servicing > Features node of the console, you may be wondering why the option to Turn On a particular feature is greyed out. This is because consent has to be given in the Hierarchy Settings first.

The exact place to do it in the console is to browse to Overview > Site Configuration > Sites. Once there, click the Hierarchy Settings button at the ribbon.

At the General tab of the Hierarchy Settings, select the checkbox for Consent to use Pre-Release features, then click OK.

Back in the Features node of the console, you now have the Turn On option enabled for a feature.

Enjoy!!!

Automating Start/Stop Azure VMs (Resource Manager)

This is part of what I was doing setting up my lab environment entirely in the Azure cloud. To save some credits in my subscription I want to make sure my VMs shut down every day, because we all know a running VM consumes credits. I’m gonna show you one really easy way of doing it without writing any code.

Once you have logged into your subscription, browse to Automation Accounts and then add a new Automation Account. Here you will be asked for a name, subscription and resource group. Note: I should have named it with something to identify it as an Automation Account, perhaps with an “AA-“ prefix? Click Create.

Once the Automation Account has been created, click on it and then click Runbooks.

At the Runbooks blade, click Browse gallery. Then on the new blade, click Stop Azure V2 VMs. This runbook is created by the SC Automation Product Team.

Click Import.

Pretty simple here. Give it a name then click OK.

Here, click the Edit button.

All you need to do here is click Publish.

At this point you’re almost done except that now you should tell it to run. Without it you would have to kick the runbook off manually. On the runbook, click Schedules, then click Add a schedule.

Here, click Schedule – Link a schedule to your runbook, click Create a new schedule, give it a name, a time and date, click Recurring, set how frequent to run, then click Create.

These settings are totally optional. They let you specify a specific Resource Group, a specific VM and a specific Connection Asset. Click OK twice.

Now that you’ve created and configured an automated task to stop all VMs at a specific time of the day, you can do a similar thing to start all VMs at a specific time of the day. I normally do this to keep my AD Connect server in sync with Azure AD. So what I normally do as a daily task is to start my VMs up at, let’s say, 1am every day and stop them all at 3am every day, to get everything in sync at the same time while saving precious credits when not in use.
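The same 1am start / 3am stop routine, expressed with the Az.Automation PowerShell module instead of the portal, as an added example that is not part of the original post. It assumes the two gallery runbooks have already been imported and published under the names shown; the resource group, Automation Account name and time zone are placeholders to change.

```powershell
# Added example, not from the original post: create the daily 01:00 start and 03:00 stop schedules
# and link them to already-imported, published runbooks. Every name below is an assumption.
$rg   = 'RG-Lab'            # resource group that holds the Automation Account (assumed)
$aa   = 'AA-Lab'            # Automation Account, using the "AA-" prefix suggested above (assumed)
$tz   = 'Australia/Sydney'  # time zone in which the schedule times are interpreted (assumed)
$jobs = @(
    @{ Runbook = 'Start-AzureV2VMs'; Schedule = 'Daily-Start-0100'; Hour = 1 },  # assumed runbook names
    @{ Runbook = 'Stop-AzureV2VMs';  Schedule = 'Daily-Stop-0300';  Hour = 3 }
)

Connect-AzAccount | Out-Null

foreach ($j in $jobs) {
    # First run is the next occurrence of HH:00; Azure requires a start time at least 5 minutes ahead
    $start = (Get-Date).Date.AddHours($j.Hour)
    if ($start -lt (Get-Date).AddMinutes(5)) { $start = $start.AddDays(1) }

    # Re-runnable: only create the schedule if it does not exist yet
    $sched = Get-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $aa `
                 -Name $j.Schedule -ErrorAction SilentlyContinue
    if (-not $sched) {
        $sched = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $aa `
                     -Name $j.Schedule -StartTime $start -DayInterval 1 -TimeZone $tz `
                     -Description "Daily $($j.Runbook) at $($j.Hour):00"
    }

    # Link schedule to runbook. No -Parameters, so the gallery runbook acts on all VMs in the
    # subscription, exactly as when the optional settings are left blank in the portal.
    Register-AzAutomationScheduledRunbook -ResourceGroupName $rg -AutomationAccountName $aa `
        -RunbookName $j.Runbook -ScheduleName $j.Schedule | Out-Null
}

# Confirm the links: each runbook should now show its daily schedule
Get-AzAutomationScheduledRunbook -ResourceGroupName $rg -AutomationAccountName $aa |
    Select-Object RunbookName, ScheduleName
```
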

You may find that your runbooks stop running in the middle of the billing cycle. That’s basically because each Automation Account is configured to use the free tier, which gives you 500 job minutes for free. If you run out of those free minutes, go to the Automation Account > Pricing tier and usage, then click Pricing tier. This way your credits will be consumed to run your runbooks. Don’t worry, from experience it doesn’t cost very much.

Enjoy!!!