Push apps to iPhone/Android using Microsoft Intune

You may need to push an app to iOS (iPhone/iPad) or Android devices that are enrolled in, and managed by, Microsoft Intune Mobile Device Management (MDM). For the types of apps supported and the details, please see this article. For more information about Microsoft Intune, please see this article. Remember that MDM is only one component of Intune; depending on the needs of the business it can instead perform Mobile Application Management (MAM), which manages and sandboxes the corporate app and its data rather than the whole device.

In this post I’ll look at how to push an app that is already in the App Store (public, or reachable by deep link) to an end user’s device that is enrolled in MDM.

First, from within the Azure Portal, I’m going to navigate to Intune -> Client Apps -> Apps and click Add:

From here I will choose iOS as the App type:

Next, clicking Search the App Store, I will search for Microsoft Teams, click on Microsoft Teams and choose Select:

For App Information, I will leave the defaults and click OK

When finished I will click Add:


Now that the app has been added, it still needs to be assigned to users or devices. I will next click on Assignments:

Next click on Add Group:


Choose the appropriate Assignment Type based on your business scenario. For demo purposes I will choose Required, which installs the app automatically once the device is enrolled in Microsoft Intune MDM; Available would instead only list the app in the Company Portal for the user to install on demand. More information on Assignment Types can be found here.


Clicking on Included Groups, I will select Make this app required for all devices and select Yes. Note, I could assign to just a security group of users if I wish. Then click OK on the Assign blade, and again on the Add Group blade.


Back on the Assignments blade, click Save. Wait 30 minutes for the changes to propagate before proceeding.

Now, let’s enroll the device into Microsoft Intune MDM using the Company Portal app on the iPhone. For more information on enrollment, see this article, or using Apple Device Enrollment Program click here for mass provisioning devices. Once the device is enrolled into MDM, using the Company Portal App, in a few moments the app will start to be pushed down to the device:

Here we can see the app being pushed down, and prompting the user for permissions to install the app.

When the user taps Install we can see the app starting to be installed on the home screen:

Next is when the magic happens. If the user is terminated and a Retire command is issued to the device, Intune removes the company data in the apps it manages, the apps it installed (Microsoft Teams here, since it was assigned as Required) and the management profile, while the user’s personal apps and data stay on the device. Note that Retire is a selective wipe; the separate Wipe action factory resets the whole device. From the Intune portal, I am going to Retire this device as the user has been terminated from employment:

Wait a few moments for the retire command to be sent to the device:
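The add, assign and Retire steps above, expressed as Microsoft Graph requests. This is an added example, not code from the original post: it uses the Intune Graph endpoints and @odata types for an iOS store app, a Required assignment and a device retire, but records the calls with a dry-run client instead of sending them, so it runs offline. The App Store URL, bundle ID, group ID and device ID are placeholders (take the first two from the App Store listing). It also covers the group-targeted assignment the post mentions as an alternative to "all devices".

```python
"""Added example (not from the original post): the add -> assign -> retire
sequence as Microsoft Graph requests, recorded by a dry-run client so it
runs offline. Endpoint paths and @odata types are the Intune Graph API ones;
the App Store URL, bundle ID, group ID and device ID are placeholders."""
from typing import Any, Dict, List, Optional, Tuple

GRAPH_BASE = "https://graph.microsoft.com/beta"


class DryRunGraph:
    """Records POST calls instead of sending them and hands back a fake id."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, Optional[Dict[str, Any]]]] = []

    def post(self, path: str, body: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        self.calls.append((path, body))
        return {"id": "fake-%d" % len(self.calls)}


def ios_store_app(display_name: str, publisher: str,
                  app_store_url: str, bundle_id: str) -> Dict[str, Any]:
    """Body for POST /deviceAppManagement/mobileApps: an App Store (public) app,
    the equivalent of choosing the iOS app type and searching the App Store."""
    return {
        "@odata.type": "#microsoft.graph.iosStoreApp",
        "displayName": display_name,
        "publisher": publisher,
        "appStoreUrl": app_store_url,          # deep link to the store listing
        "bundleId": bundle_id,
        "applicableDeviceType": {"iPad": True, "iPhoneAndIPod": True},
        "minimumSupportedOperatingSystem": {"v11_0": True},
    }


def required_assignment(group_id: Optional[str] = None) -> Dict[str, Any]:
    """Body for POST /deviceAppManagement/mobileApps/{id}/assign.

    group_id=None is the portal's "Make this app required for all devices";
    passing a group id instead targets only that security group."""
    if group_id is None:
        target: Dict[str, Any] = {"@odata.type": "#microsoft.graph.allDevicesAssignmentTarget"}
    else:
        target = {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
                  "groupId": group_id}
    return {"mobileAppAssignments": [{
        "@odata.type": "#microsoft.graph.mobileAppAssignment",
        "intent": "required",   # installed automatically on targeted devices
        "target": target,
    }]}


def push_required_app(graph: DryRunGraph, app: Dict[str, Any],
                      group_id: Optional[str] = None) -> str:
    """Create the app, then assign it as Required; returns the new app id."""
    app_id = graph.post("/deviceAppManagement/mobileApps", app)["id"]
    graph.post("/deviceAppManagement/mobileApps/%s/assign" % app_id,
               required_assignment(group_id))
    return app_id


def retire_device(graph: DryRunGraph, device_id: str) -> str:
    """Retire = selective wipe (company data, Intune-installed apps and the
    management profile go; personal data stays). A factory reset is the
    separate .../wipe action, deliberately not used here."""
    path = "/deviceManagement/managedDevices/%s/retire" % device_id
    graph.post(path)
    return path


if __name__ == "__main__":
    g = DryRunGraph()
    teams = ios_store_app("Microsoft Teams", "Microsoft Corporation",
                          "https://apps.apple.com/app/id<placeholder>",  # placeholder
                          "com.example.placeholder")                      # placeholder
    push_required_app(g, teams)
    retire_device(g, "<managed-device-id>")                               # placeholder
    for path, body in g.calls:
        print("POST", GRAPH_BASE + path, "(no body)" if body is None else "")
```

Swap `DryRunGraph` for a real client (for example `requests` with a bearer token holding `DeviceManagementApps.ReadWrite.All` and `DeviceManagementManagedDevices.PrivilegedOperations.All`) to run it for real; the request bodies do not change.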

Here we can see the Microsoft Teams app was removed as a result:

And the Company Portal app has reverted to its pre-enrollment state, asking the user to enroll the device into MDM:

Conclusion:

As you can see, it’s simple to push an app to a mobile device, and many configurations exist to accommodate your particular scenario and requirements.

Microsoft Teams: Share my iPhone/iPad screen in a meeting! (While on the beach…)

You’re in a conference call while at the airport on your iPhone, and the meeting starts to discuss that important PowerPoint slide or document. You say “I’ll have to show you when I get back to my desk”. It would be really nice if you could share it from your iPhone while in the meeting. Well – now you can, with Microsoft Teams!

Teams enables you to share the entire screen of your iOS device when in a Microsoft Teams meeting! Watch the below video to learn more! Enjoy!

Intune: Protecting your data in the user’s device, not the device itself.

With the growing trend of employees bringing their own smartphones and tablets to work to access company email and other corporate data, IT faces the challenge of ensuring that data is well protected. With Microsoft Intune you can enroll the device into Mobile Device Management (MDM) to manage the complete device, but that might be too much overhead or complexity for your organization and its business needs. Microsoft Intune also has Mobile Application Management (MAM) capabilities, delivered through app protection policies, that let you manage just the app and the corporate data inside it while leaving the rest of the device untouched. This is often called “sandboxing” and provides a great experience for the end user as well as for IT. In this blog we’ll explore how this works.

Note:
I will not be discussing Intune MAM in-depth. Please refer to the technical documentation for more information.

From my personal iOS device, I wish to access my company email on it. To do this my company has instructed me to use the Outlook app as it’s the approved app. So I’ll download that from the App Store:

I’ll tap Get Started:

I’ll type in my credentials:

Next, my company’s sign-in page will be displayed and I will type in my password to finish the sign in process:

Upon signing in I will be prompted that my organization is now protecting its data in this app and that I need to restart the app to continue.

When the app restarts, it looks like my company requires a passcode each time I open the app – so I’ll create a new passcode now:

My mailbox will now be displayed:

If I wish to download an attachment and save it locally, it looks like my company prevents me from doing that. Here I’ll bring up the message for you to see:

Upon opening the attachment and tapping the share icon, there are no options to download it or open it with another app. My company wants its data to stay within the Outlook app:

Another example of how the app is locked down: I cannot copy data out of the app and paste it into another app. Here I’ll try to copy data out of a sensitive email:

And then attempt to paste it into the Notes app. Notice the text that is pasted says “Your organization’s data cannot be pasted here”:

Now if I leave the company or get terminated, they can remotely remove the company data from the Outlook app (a selective wipe) without touching anything else on my device. Here’s an example: I went to launch the Outlook app and was presented with this error:

When I tap OK and relaunch Outlook, it looks like I have to sign in again and have no access to my mailbox:

Now let’s step behind the scenes and into Intune to understand how to configure this capability, starting with configuring Intune Mobile Application Management. I’m going to start by launching Intune Application Management in the Azure portal, and then select App Policy:

I’m going to click on the policy I created, then click Policy Settings. Here you can see the configuration I specified: iTunes and iCloud are prevented from backing up data in the app, data transfer to and from other apps is not allowed, Save As is prevented, a passcode is required, etc.

Here’s more of the policy:

As for user scope of the policy, I have it applied to a security group of MAM Users:

Clicking on Targeted Apps, it is only targeting the Outlook app (on iOS):
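The policy settings, targeted app and group assignment shown in the screenshots above, written out as the Microsoft Graph bodies Intune accepts, together with a small check that flags settings a data-leak-prevention policy should not leave open. This is an added example and not the post’s own code: the property names and enum values are those of the Graph `iosManagedAppProtection` resource; the Outlook bundle ID and the group ID are assumptions (verify the bundle ID against the targeted-app picker in Intune).

```python
"""Added example (not from the original post): the iOS app protection policy
from the post as Graph request bodies, plus a lint that reports settings
which would let company data leave the app. Property names and enum values
are those of the Graph iosManagedAppProtection resource. The Outlook bundle
id and the group id are assumptions, not values taken from the post."""
from typing import Any, Callable, Dict, List, Tuple

OUTLOOK_IOS_BUNDLE_ID = "com.microsoft.Office.Outlook"   # assumed; verify in the picker


def outlook_protection_policy(name: str) -> Dict[str, Any]:
    """Body for POST /deviceAppManagement/iosManagedAppProtections mirroring
    the screenshot: no backups, managed-apps-only transfer, no Save As, PIN."""
    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": name,
        "dataBackupBlocked": True,                         # no iTunes/iCloud backup
        "allowedOutboundDataTransferDestinations": "managedApps",   # share sheet
        "allowedInboundDataTransferSources": "managedApps",
        "saveAsBlocked": True,                             # no local Save As
        # copy out only to managed apps; paste in from anywhere is still allowed,
        # which produces the "data cannot be pasted here" text in Notes
        "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
        "pinRequired": True,                               # passcode on every open
        "periodOfflineBeforeWipeIsEnforced": "P90D",       # offline too long -> wipe
    }


# (property, predicate that must hold, finding text if it does not)
LEAK_CHECKS: List[Tuple[str, Callable[[Any], bool], str]] = [
    ("dataBackupBlocked", lambda v: v is True, "app data can be backed up to iTunes/iCloud"),
    ("saveAsBlocked", lambda v: v is True, "Save As to local or other storage is allowed"),
    ("allowedOutboundDataTransferDestinations", lambda v: v in ("managedApps", "none"),
     "data can be shared to unmanaged apps"),
    ("allowedOutboundClipboardSharingLevel",
     lambda v: v in ("blocked", "managedApps", "managedAppsWithPasteIn"),
     "clipboard contents can be pasted into unmanaged apps"),
    ("pinRequired", lambda v: v is True, "no PIN is required to open the app"),
]


def leak_findings(policy: Dict[str, Any]) -> List[str]:
    """Return one line per setting that would let company data leave the app;
    an empty list means the policy matches the post's locked-down behaviour."""
    return ["%s: %s" % (key, msg) for key, ok, msg in LEAK_CHECKS
            if not ok(policy.get(key))]


def target_apps_body(bundle_ids: List[str]) -> Dict[str, Any]:
    """Body for POST .../iosManagedAppProtections/{id}/targetApps."""
    return {"apps": [{"mobileAppIdentifier": {
        "@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
        "bundleId": b}} for b in bundle_ids]}


def group_assignment_body(group_id: str) -> Dict[str, Any]:
    """Body for POST .../iosManagedAppProtections/{id}/assign (user group scope)."""
    return {"assignments": [{
        "@odata.type": "#microsoft.graph.targetedManagedAppPolicyAssignment",
        "target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
                   "groupId": group_id}}]}


if __name__ == "__main__":
    policy = outlook_protection_policy("MAM - Outlook iOS")
    print("findings for the post's policy:", leak_findings(policy))
    loose = dict(policy, saveAsBlocked=False,
                 allowedOutboundDataTransferDestinations="allApps")
    print("findings for a loosened copy:", leak_findings(loose))
    print(target_apps_body([OUTLOOK_IOS_BUNDLE_ID]))
    print(group_assignment_body("<MAM Users group id>"))   # placeholder
```

Run `leak_findings` over the JSON you get back from `GET /deviceAppManagement/iosManagedAppProtections` to spot a policy that someone has quietly relaxed; the four bodies above are the same ones the portal sends when you click through the Policy Settings, Targeted Apps and assignment blades.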

To remove just the company data from the app, I’m going to navigate to Wipe Requests and submit a new wipe request.

Note: If I had a personal email account in the Outlook app and my company email was also in the app, this wipe will ONLY remove the company email data. My personal email data will remain untouched.

Next I’ll select the user and her device:

The wipe request will be sent to the device:

Conclusion: It’s fairly easy to setup MAM for your end-users. I encourage you to test this and see how it can enable new business outcomes for your organization. Enjoy!

Microsoft Teams: Limit access to only managed devices and reduce risk!

It’s amazing watching the adoption journey of Microsoft Teams among organizations and how quickly it is becoming a mission-critical tool. For me it’s mission critical because of the collaboration and teamwork that happens inside it, and the data stored there is quickly becoming the heartbeat of many organizations and their project teams. There is one challenge with storing proprietary and sensitive data in Microsoft Teams, however: users access it through the Teams app not just on their PC or laptop but on mobile devices and other, even unmanaged, computers as they do their jobs. If that data is leaked, spilled, exposed or compromised it could put the organization at risk, and as IT professionals we need to help protect against this risk.

Not to worry – Azure Active Directory Conditional Access to the rescue! Using Azure AD Conditional Access, we will ensure Microsoft Teams is only accessed from devices that are managed: either hybrid Azure AD joined (on-premises Active Directory domain joined and registered with Azure AD) or enrolled in Intune and marked compliant. Note that Conditional Access cannot see a plain on-premises domain join; the device has to be hybrid Azure AD joined for the “domain joined” control to be satisfied. This is very easy and straightforward to set up, let’s take a look together.

Important: Conditional Access requires AzureAD Premium. I won’t be discussing licensing requirements in this blog post, please reference this article for more information.

In the Azure Portal, I am going to create a new AzureAD Conditional Access policy with the following configuration:

  • Users and Groups: “All Users”
  • Cloud apps: (Include) “Microsoft Teams”
  • Conditions: Client Apps -> Configure “Yes” -> Select Client Apps -> check “Browser” and “Mobile apps and desktop clients”
  • Access Controls: Grant Access -> check “Require Domain Joined” (labelled “Require Hybrid Azure AD joined device” in newer portals) and “Require device to be marked as compliant”, and select “Require one of the selected controls”. With “Require all the selected controls” a compliant iPhone or iPad would still be blocked, because a mobile device can never be hybrid Azure AD joined.


Important: If you check “Require device to be marked as compliant” you must create and assign a device compliance policy in Intune for each platform you expect. This ensures that iOS, Android, Windows and Mac devices that try to access Microsoft Teams through the app, desktop client or website must be Intune MDM enrolled (which requires an Intune subscription) and meet that policy. A Windows PC that is hybrid Azure AD joined satisfies the policy through the other grant control and does not need MDM enrollment; a PC that is only Azure AD joined still has to be enrolled and marked compliant. Here’s what an example Device Compliance policy looks like in Intune:


Back to Conditional Access…

  • Enable Policy: “On”

Now the policy is created, let’s test this out. It should deny access to Microsoft Teams.

From a Windows PC that is unmanaged (not joined to Azure AD, Active Directory, or MDM enrolled):

From a Web browser:

Notice the error reads “Windows device is not in required device state: compliant”

From the Microsoft Teams Windows Desktop Application:

Next, from an iPad Pro (iOS) that is unmanaged (not MDM enrolled):



Notice it gives me the option to enroll in MDM (Intune), pretty cool!
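The Conditional Access policy configured above, written as the Microsoft Graph body for `POST /identity/conditionalAccess/policies`, together with a small evaluator that reproduces the test results just shown and makes the grant-operator caveat concrete. This is an added example, not code from the original post: the control names, client app types and OR/AND operator are those of the Graph `conditionalAccessPolicy` resource; the Teams application ID is a placeholder and the device records are constructed test data, not real Azure AD device objects.

```python
"""Added example (not part of the original post): the Teams Conditional
Access policy as a Graph request body, plus a toy evaluator for the grant
logic. Control and client-app names are the Graph conditionalAccessPolicy
ones; TEAMS_APP_ID is a placeholder and the device dicts are constructed."""
from typing import Any, Dict

TEAMS_APP_ID = "<appId of the Microsoft Teams service principal>"   # placeholder


def teams_managed_devices_policy(operator: str = "OR") -> Dict[str, Any]:
    """operator="OR" is the portal's "Require one of the selected controls";
    "AND" is "Require all the selected controls"."""
    return {
        "displayName": "Teams - managed devices only",
        "state": "enabled",   # or "enabledForReportingButNotEnforced" to pilot
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": [TEAMS_APP_ID]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {
            "operator": operator,
            "builtInControls": ["domainJoinedDevice", "compliantDevice"],
        },
    }


def device_satisfies(control: str, device: Dict[str, bool]) -> bool:
    """Constructed device model: two booleans standing in for the device state
    Azure AD sees. 'domainJoinedDevice' means hybrid Azure AD joined; a plain
    Azure AD join or an on-premises-only domain join does not satisfy it."""
    if control == "compliantDevice":
        return device.get("isCompliant", False)
    if control == "domainJoinedDevice":
        return device.get("hybridAzureADJoined", False)
    raise ValueError("control not modelled: %s" % control)


def evaluate(policy: Dict[str, Any], device: Dict[str, bool], client_app: str) -> str:
    """Return "grant", or a message in the spirit of the post's
    'not in required device state' error naming the unmet control(s)."""
    if client_app not in policy["conditions"]["clientAppTypes"]:
        return "grant"   # the client-app condition does not match: policy not applied
    grant = policy["grantControls"]
    results = [device_satisfies(c, device) for c in grant["builtInControls"]]
    satisfied = any(results) if grant["operator"] == "OR" else all(results)
    if satisfied:
        return "grant"
    unmet = [c for c, r in zip(grant["builtInControls"], results) if not r]
    return "blocked: device is not in required device state: " + ", ".join(unmet)


if __name__ == "__main__":
    policy = teams_managed_devices_policy()
    unmanaged_pc = {"isCompliant": False, "hybridAzureADJoined": False}
    enrolled_ipad = {"isCompliant": True, "hybridAzureADJoined": False}
    hybrid_pc = {"isCompliant": False, "hybridAzureADJoined": True}
    print("unmanaged PC, browser:", evaluate(policy, unmanaged_pc, "browser"))
    print("compliant iPad, app:  ", evaluate(policy, enrolled_ipad, "mobileAppsAndDesktopClients"))
    print("hybrid-joined PC:     ", evaluate(policy, hybrid_pc, "browser"))
    print("compliant iPad, AND:  ", evaluate(teams_managed_devices_policy("AND"),
                                             enrolled_ipad, "browser"))
```

The last line of the demo is the case to watch for: with the operator set to AND, the compliant iPad is still blocked because it can never be hybrid Azure AD joined, which is why the grant blade must be left on “Require one of the selected controls” for this policy. The unmatched-client case returning "grant" is also deliberate; a client type you leave out of the condition (Exchange ActiveSync, for instance) is simply not covered by the policy rather than blocked by it.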

This is a quick and easy way to ensure that users are using Microsoft Teams on managed devices, where IT can control the configuration of the device and ensure it is healthy and compliant. The same policy can also be tightened, for example by narrowing the client apps condition so the Teams web client is blocked outright, if that becomes a requirement. For additional fun, check out Microsoft Teams: Manage it using Mobile Application Management (MAM) and Microsoft Teams: Restrict Usage with Azure AD Conditional Access.

If you have questions or feedback, let me know in the comments below. Enjoy and have fun!