In my previous post I covered Microsoft Intune and Android for Work at a high level to give you an understanding of what it is from an Intune standpoint. In this post I will cover the initial setup of Intune to get Android for Work started.
One thing to note is that, at the time of writing, Android for Work support is only available in Intune standalone. I expect this capability to come to hybrid MDM with Configuration Manager, but it is not there yet. If you already have Microsoft Intune running, or you have just set your Mobile Device Management Authority, you will notice that you can manage Android devices almost right away. This is the traditional/conventional method of Android management. To set up Android for Work you will find the Android for Work node on the left pane in the console.
Another thing to remember is that Microsoft Intune only supports Android for Work on devices running Android version 6.0 and above. Although Google officially supports version 5.0 and above, Microsoft only supports version 6.0 and above based on their internal testing.
Once you click on that you will see that Android for Work is not configured. So you need to click the Configure button to start with the binding with Android for Work.
As soon as you click on the Configure button you will be brought to the Android for Work page in a new tab. There, click SIGN IN.
Here you will be asked to either log in with a Google account or create one. This is similar to the Apple ID for your organisation when managing iOS devices. Preferably this account will be accessible to a team in IT rather than a single individual, in case that employee leaves the organisation. Click Create account if you choose to create a new one.
In this page, fill in all the details to create a new account then click Next Step. Remember not to use a personal email address but rather an email address accessible by a team in IT, e.g. IT@company.com.
Agree to the terms and conditions.
And you’re done. Click Continue to Google Play.
You will be brought to the Android for Work page already signed in to the user you just created. Click GET STARTED.
Here configure your organisation’s details and then click CONFIRM.
Once setup is complete click COMPLETE REGISTRATION.
This is how it looks after the binding with Android for Work is completed.
You have the option to manage your Android devices through the conventional method, through Android for Work, or with a combination of the two. You basically need to target Android for Work at a user group whose members have a supported device, that is, one running Android version 6.0 and above. To target Android for Work at a group of users, create a security group and sync it with Azure AD if you don’t already have one. Choose the third option then click the Modify button.
Select the group that you want to target Android for Work to, click the Add button then click OK.
Now that you’ve added a group, click Save. Time to rock and roll with enrolling a device using a user account that is a member of the group you just added.
You may or may not have come across Android for Work. What is it and what does it do? Android for Work is Google’s enterprise device management initiative that allows IT to manage and secure corporate information (apps and data) in a separate ‘work profile’. Warning: Marketing fluff. Android for Work separates business apps from personal apps so you can use your favourite Android device for both work and play. A dedicated profile for business content that never mixes with your personal stuff so that IT can’t see or erase your photos, emails or other personal data. Read more about it here.
The Problem Child
You will have noticed the pain of managing Android devices if you’re the administrator responsible for managing devices in your organisation. This comes down to the level of fragmentation in the Android ecosystem, which stems from the fact that the Android operating system is open source. What this means is that OEMs take the operating system and modify it for their devices, adding extensions on top to provide extra features to users. This is great for the everyday user because there are so many choices out there, but for the systems admin it is a huge nightmare to manage and secure. This is one of the goals Android for Work sets out to achieve: a more unified management experience for IT as well as for the end user, much like managing iOS devices.
What You Need to Know
Here are several things you may want to know about Android for Work.
Work Profiles – Android for Work uses the concept of a separate profile, similar to a logical container, to discriminate between work and personal. Enabling a work profile allows organizations to manage the business data and applications they care about, but leave everything else on a device under the user’s control. Administrators control work profiles, which are kept separate from personal accounts, apps, and data. This means a clear boundary of what IT can and cannot do. In this model IT can no longer perform a full device wipe or factory reset but is limited to wiping data that is in the work profile. What this also means is that most device information remains invisible to IT other than what is exposed within the work profile.
Applications – Contrary to how apps are deployed to Android devices today (.apk sideloading or Google Play), in Android for Work apps are delivered from only one source: the Google Play Store. The immediate question will be “what about my LOB apps?”. Google is moving everyone to deploy business apps through their enterprise multi-tenant version of the Play Store called, you guessed it, Google Play for Work! This is an isolated section of the store, accessible only to the organisation that owns it. Nobody else can see it. This increases security and eliminates the need to enable the “allow installations from unknown sources” option in the operating system, which is considered the No. 1 malware threat that exists on Android today. It also means that required applications can now be silently pushed to devices, rather than taking users to a link in the Play Store as with conventional MDM.
Encryption – is no longer an option when managing devices with Android for Work. Even if the device is not currently encrypted, it will be at the point when the device is enrolled and a work profile created.
Permissions – Remember those annoying prompts to allow/deny access to parts of the device like contacts, camera and storage? That’s gone now within the context of the work profile, because the administrator determines that for you when an app is pushed out so that the end user doesn’t need to. However, the personal side of the device is not affected and will continue to work as it did before.
Mode of Management – Microsoft Intune can concurrently support both methods of Android management: the conventional MDM method and Android for Work. Intune considers this to be an entirely different device platform, so in the Intune console you will see Android for Work devices alongside managed iOS devices and traditionally managed Android devices. The two modes of management for Android are available for the administrator to target different groups of users on supported devices, mainly because Android for Work is only available for Android version 6.0 and above.
In my following posts I will cover various topics in getting Android for Work running in your Microsoft Intune tenant so stay tuned for that shortly.
Okay, Configuration Manager 1610 has been released for some weeks now and only recently have I had the chance to upgrade my lab environment. Microsoft is rolling out the update progressively so you may not yet see it available in your console. If you don’t see it in your console and want to upgrade your ConfigMgr environment to 1610, you can actually force this upgrade to be available in your console by enabling the fast update ring for 1610. How do you do it? Download the zip file from the link below, extract it, and run the PowerShell script it contains. https://gallery.technet.microsoft.com/ConfigMgr-1610-Enable-046cc0e9
You may be asked to change your execution policy if you haven’t. Enter Y for Yes to proceed.
Next you will be asked to enter your Site Server. I won’t tell you what it is because you should already know it, but if you don’t, you can easily find out.
Next, you would want to force ConfigMgr to check for updates by right-clicking on Updates and Servicing, then selecting Check for updates.
Give it some time and then the 1610 update should appear in your console shortly.
To install ConfigMgr 1610, right-click on the update and then select Install Update Pack.
In the General screen, accept the defaults and then click Next. Optionally you can select the checkbox to Ignore any prerequisite check warnings and install this update regardless of missing requirements.
In the Features screen, you can leave the defaults and click Next, or if you want to test out some pre-release features that come with the 1610 update you can go ahead and select them. You will be able to turn them on after the update is complete too.
In the Client Update Options screen, choose whether you want to first go through your validation process of the new version of the client or just go ahead and roll the new version out to your organization. You would normally want to validate it first on your pre-production computers. Click Next after that.
In the License Terms screen, you know what to do, then click Next.
In the Summary screen, click Next.
And in the Completion screen, click Close.
You’ll realise that it is now installing. Give it some time for it to complete.
Treat this update just like any upgrade where you may want to first perform a /testdbupgrade on a copy of your ConfigMgr database before you upgrade your production environment. Other precautions still apply, like verifying your backups beforehand etc. You know the drill.
What is an EMS lab without an EMS subscription, right? So now we’re gonna add an EMS subscription. We do this from the Office 365 portal https://portal.office.com. Once logged in, go to Billing > Subscriptions. There you will see that you can add subscriptions at the top right corner of the screen. Click + Add subscriptions.
Here you’ll see heaps of different subscriptions you can add to your tenant. Scroll through the page and look for Enterprise Mobility Suite Direct and hover over it then click Start free trial.
You’ll be asked to confirm your order then click Try now.
In the order receipt page, click Continue.
Now, this trial subscription will give you up to 100 users for up to 30 days. Now most of you do not want your lab to last only for 30 days, right? The good news is, from my experience you will be able to extend your EMS trial to 180 days. That’s 6 months…not too bad at all.
The way to do this is to call Microsoft Online Services Support. I know it can be very difficult to find the right number to call, so I’m gonna save you some misery. For Australia the number is 1800 197 503. For other countries look up the link below for your respective number to call. Look under the “Microsoft Dynamics CRM Online, Microsoft Dynamics Marketing, Microsoft Social Engagement and Parature, from Microsoft” section. Honestly I am not sure why it is under that section. In some other pages, this number is called the “Global Office 365 support phone numbers for admins”.
After the trial extension, you’ll see it reflected in the portal page.
It is a good idea to also assign a license to the Global Administrator account now, as Microsoft has required this since November 2015. Basically, go to Active users, highlight your admin user then click on the Edit link beside Product license.
Click on the flip switch for Enterprise Mobility Suite, and then click Save.
If you don’t already know, EMS is a licensing construct that includes basically 4 products: Azure Active Directory Premium, Intune, Azure Rights Management and Advanced Threat Analytics. So once you’ve got the EMS subscription added you should be able to log on to the Intune portal at https://manage.microsoft.com. Remember to use a browser other than Microsoft Edge for this, as currently the portal is still built on Silverlight. HTML5 is to come soon.
Once you’ve confirmed that you’ve got an Intune tenant, it is time to set up the hybrid connection with the Configuration Manager that we’ve installed for this lab. Back in the Configuration Manager console, navigate to Overview > Microsoft Intune Subscriptions. Right-click on it and then select Add Microsoft Intune Subscriptions.
In the Introduction page, click Next.
In the Subscription page, click Sign In.
Select the checkbox for I understand that after I complete the sign-in process, the mobile device management authority is permanently set to Configuration Manager and cannot be changed. Then click OK.
Log in with an administrator account to the Intune tenant, then click Sign in.
Note: If you do get an error after signing in, make sure you have Silverlight installed.
Back to the Subscription page, click Next.
In the General page, click the Browse button for the collection.
Here you have an option of choosing a user collection that will allow its members to enroll devices to Intune. You can choose to create a custom collection to control the users who are allowed to enroll their phones to Intune or in my case, I’ve selected the default All Users and User Groups collection which allows basically every user in the domain to enroll the phones to Intune.
Back in the General page, fill in the information for Company name, URL and the Configuration Manager site that you want Intune to be connected to. Typically this will be your CAS server if you have one; if not, this will be your Primary Site. Click Next.
Fill in the information as needed then click Next.
In the Company Logo page, you can browse for a company logo image or leave it for now and you can configure it later. Click Next.
In the Device Enrollment Manager page, leave the default if you want to configure this later or add users as Device Enrollment Managers. Click Next.
You can select to enable multi-factor authentication if you want to initiate a MFA request when a user enrolls a device. I’m gonna leave it for now as I can enable it later if I want to. Click Next.
In the Summary page, click Next.
In the Completion page, click Close.
If this is your first time seeing a bunch of features that are turned on or turned off in the Administration > Cloud Services > Updates and Servicing > Features node of the console, you may be wondering why the option to Turn On a particular feature is greyed out. This is because it has to be turned on in the Hierarchy Settings.
The exact place to do it in the console is to browse to Overview > Site Configuration > Sites. Once there, click the Hierarchy Settings button at the ribbon.
At the General tab of the Hierarchy Settings, select the checkbox for Consent to use Pre-Release features, then click OK.
Back to the features node in the console and now, you have the option to Turn On a feature enabled.
This is part of what I was doing setting up my lab environment entirely in the Azure cloud. To save some credits in my subscription I want to make sure my VMs shut down every day, because we all know a running VM consumes credits. I’m gonna show you one really easy way of doing it without writing any code.
Once you have logged into your subscription, browse to Automation Accounts and then add a new Automation Account. Here you will be asked for a name, subscription and resource group. Note: I should have named it with something to identify it as an Automation Account, perhaps with an “AA-“ prefix? Click Create.
Once the Automation Account has been created, click on it and then click Runbooks.
At the Runbooks blade, click Browse gallery. Then on the new blade, click Stop Azure V2 VMs. This runbook is created by the SC Automation Product Team.
Pretty simple here. Give it a name then click OK.
Here, click the Edit button.
All you need to do here is click Publish.
At this point you’re almost done except that now you should tell it to run. Without it you would have to kick the runbook off manually. On the runbook, click Schedules, then click Add a schedule.
Here, click Schedule – Link a schedule to your runbook, click Create a new schedule, give it a name, a time and date, click Recurring, set how frequent to run, then click Create.
These settings are totally optional. This is to specify a specific Resource Group, a specific VM and to use a specific Connection Asset. Click OK twice.
Now that you’ve created and configured an automated task to stop all VMs at a specific time of the day, you can do a similar thing to start all VMs at a specific time of the day. I normally do this to keep my AD Connect server in sync with Azure AD. So what I normally do as a daily task is to start my VMs up at, let’s say, 1am every day and stop all my VMs at 3am every day, to get everything in sync at the same time while saving precious credits when not in use.
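If you would rather have one runbook serve both the 1am start schedule and the 3am stop schedule, here is an added example runbook (my own, not the gallery “Stop Azure V2 VMs” runbook used in the post). It assumes the Az.Accounts and Az.Compute modules are imported into the Automation Account and that the account has a system-assigned managed identity with Virtual Machine Contributor on the lab resource group; the resource group name is a placeholder.

```powershell
# Added example runbook, not the gallery runbook from the post.
# Assumptions: Az.Accounts / Az.Compute are imported into the Automation Account,
# and the account's system-assigned managed identity holds Virtual Machine
# Contributor on the target resource group (the gallery runbook used a Run As connection).
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Start', 'Stop')]
    [string] $Action,

    # Hypothetical resource group name; scoping to one group keeps the schedule
    # from touching VMs elsewhere in the subscription.
    [string] $ResourceGroupName = 'RG-EMS-Lab',

    # VMs to leave alone, e.g. a domain controller you always want running.
    [string[]] $Exclude = @()
)

$ErrorActionPreference = 'Stop'

# Authenticate as the Automation Account's managed identity: no stored credentials
# or certificates in the account's assets.
$null = Connect-AzAccount -Identity

# -Status populates PowerState ("VM running", "VM deallocated", ...) so we can
# skip VMs that are already in the requested state.
$vms = Get-AzVM -ResourceGroupName $ResourceGroupName -Status |
    Where-Object { $_.Name -notin $Exclude }

foreach ($vm in $vms) {
    $state = $vm.PowerState
    if ($Action -eq 'Stop' -and $state -ne 'VM deallocated') {
        # -Force skips the confirmation prompt (no interactive session in a runbook).
        # Stop-AzVM deallocates, which is what actually stops compute charges;
        # a mere power-off from inside the guest keeps billing.
        Write-Output "$($vm.Name): $state -> deallocating"
        Stop-AzVM -ResourceGroupName $ResourceGroupName -Name $vm.Name -Force -NoWait | Out-Null
    }
    elseif ($Action -eq 'Start' -and $state -ne 'VM running') {
        Write-Output "$($vm.Name): $state -> starting"
        Start-AzVM -ResourceGroupName $ResourceGroupName -Name $vm.Name -NoWait | Out-Null
    }
    else {
        Write-Output "$($vm.Name): $state, nothing to do"
    }
}
```

Link the same runbook to two schedules, one passing `-Action Start` and the other `-Action Stop`, and the schedule parameters blade is where the values go.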
You may encounter that your runbooks are not running anymore in the middle of the billing cycle. That’s basically because each Automation Account is configured to use the free tier which will give you 500 job minutes for free. If you do run out of those free minutes, go to the Automation Account > Pricing tier and usage, then click Pricing tier. This way your credits will be consumed to run your runbooks. Don’t worry, from experience it doesn’t cost very much.
Now that we’ve come this far, it is time to set up synchronization with the on-premises Active Directory. Before that, back to the classic portal. We need to first turn on directory sync on the newly created directory.
Go to the directory and click on the Directory Synchronization tab. Then on the Directory Sync, click on ACTIVATED. Click Save.
At the prompt, click Yes.
Directory Sync is now activated. Now we can begin installing the AD Connect tool. The easiest way to get the latest version of the Azure AD Connect tool is from the classic portal. Alternatively, you can go here to download it. For more details about all the other previous versions of the tool, go here.
Once downloaded, double-click on the installer to begin installation. At the Welcome page, select I agree to the license terms and privacy notice. Then click Continue.
At the Express Settings page, click Customize.
These settings are really up to you. I have specified a custom installation location and an existing service account. Then click Install.
In this post I am not going to cover setting up single sign-on with ADFS thus we will just install a single AD Connect server. At the User Sign-In page, select Password Synchronization then click Next.
Enter an Azure AD Global Admin account user name and password then click Next.
At the Connect Directories page, enter a user account to connect to your on-premises Active Directory, then click Add Directory.
The directory is added, click Next.
At the Azure AD sign-in page, click Next.
At the Domain/OU Filtering page, keep the defaults if you want to sync all objects in your on-premises AD, then click Next.
At the Identifying users page, keep the defaults and then click Next.
At the Filtering page, keep the defaults and then click Next.
At the Optional Features page, select Password synchronization and Password writeback and then click Next.
The default is to start synchronization right after the install is complete. The second option is to enable staging mode, which is used when you keep a second AD Connect server on standby so that, in case of disaster, another AD Connect server can quickly be brought into service. Click Next.
Once the configuration is complete, you can click Exit.
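As an added check that is not part of the original post, the following script, run on the AD Connect server itself, confirms what the wizard actually configured (whether the scheduler is enabled, whether the box ended up in staging mode, and when the next cycle runs) and then forces a delta sync instead of waiting for the next cycle. It assumes only the ADSync module that the installer places on the server.

```powershell
# Added example, not from the original post. Runs on the Azure AD Connect server
# and uses the ADSync module installed alongside the tool.
Import-Module ADSync

$scheduler = Get-ADSyncScheduler

# Report the settings chosen on the last page of the wizard.
Write-Output ("Sync cycle enabled : {0}" -f $scheduler.SyncCycleEnabled)
Write-Output ("Staging mode       : {0}" -f $scheduler.StagingModeEnabled)
Write-Output ("Cycle interval     : {0}" -f $scheduler.CurrentlyEffectiveSyncCycleInterval)
Write-Output ("Next cycle (UTC)   : {0}" -f $scheduler.NextSyncCycleStartTimeInUTC)

# A staging-mode server imports and synchronizes but never exports. If this is the
# only AD Connect server and staging mode is on, nothing ever reaches Azure AD.
if ($scheduler.StagingModeEnabled) {
    Write-Warning "This server is in staging mode and will not export changes to Azure AD."
}

if (-not $scheduler.SyncCycleEnabled) {
    Write-Warning "The sync scheduler is disabled; no cycles will run until it is re-enabled."
}

# Only start a cycle if one is not already running; overlapping requests are rejected.
if ($scheduler.SyncCycleInProgress) {
    Write-Output "A sync cycle is already in progress; not starting another."
}
else {
    # Delta pulls only changes since the last cycle; use -PolicyType Initial
    # for a full import/sync after changing filtering or optional features.
    Start-ADSyncSyncCycle -PolicyType Delta
}
```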