Intune: How to MDM enroll iOS/iPadOS devices

When it comes to managing iOS and iPadOS devices within the organization, Microsoft Intune (aka Microsoft Endpoint Manager) has the capability to manage these devices via Mobile Device Management (MDM). This allows the operating system (OS) to be managed, fully customizing the device to the organization’s requirements.

Background

For Apple iOS/iPadOS devices specifically (excluding Mac and Apple TV, although those can be managed too), there are two methods that can be used to manage them:

  1. Intune MDM. Through device configuration profiles, Intune can manage settings within the OS, push apps, ensure device compliance is met, remote wipe all data or just business data, etc. The device is typically enrolled by the user downloading the Company Portal app and self-enrolling.
  2. The device can be managed through Apple’s deployment programs (formerly known as the Device Enrollment Program, DEP): Apple School Manager or Apple Business Manager, which allow it to be “supervised”. This enables additional functionality like GPS tracking when the device is put into “lost mode”, among other (really cool) managed features. For more information see Deployment Reference for iPhone and iPad.

IMPORTANT: MDM and Apple Deployment Programs can be combined to provide even greater management of a device, and even fully automate the provisioning of a device, such as a “Zero Touch” approach. For more information see Deployment Models. However, I need to stress that the majority of scenarios can be accomplished through normal MDM enrollment alone. Review your business requirements to determine which path to go down.

Note: For purposes of this blog, we will only be discussing Intune MDM enrollment for iOS/iPadOS. As much as I would love to show you DEP and Supervision – and even Zero Touch – I don’t have the means necessary to lab this up (it requires a company’s DUN, TaxID and Purchase Order to complete the process with Apple to obtain a business account).

See my blog Intune: How to MDM Enroll Android Devices (Personal w/ Work Profile) for how to MDM manage Android devices.

Setup Intune for Apple Device Enrollment & Management

To allow for Apple devices to be enrolled, we need to configure Intune so that it can properly manage an Apple device. Before we begin I recommend you review this documentation so you have a good understanding of what this entails. Let’s walk through it together.

Note: I will be using Microsoft Endpoint Manager (MEM), which Intune is built into, for this blog. It can be accessed at https://endpoint.microsoft.com

Configure Apple MDM Push Certificate

This starts with setting up the Apple MDM Push Certificate. Within MEM navigate to Devices -> Enroll Devices -> Apple Enrollment and click on Apple MDM Push Certificate:

I have already performed this step in my lab. Simply follow the 5 steps in the wizard to set up the certificate.

IMPORTANT: You do not need a Certificate Authority or worry about creating a certificate. This is a special certificate that Apple will generate for you. Simply download the Certificate Signing Request from the portal, upload it to the Apple tool and then download the certificate.

Once the certificate has been uploaded, you are ready to start managing Apple devices! Note: the other methods we called out, using the Apple Device Enrollment Program and Apple Configurator, can also be set up on this screen – but for purposes of this blog we will not go into those.

MDM Enroll the Device using Company Portal

Now it’s time to start the MDM enrollment process. For this blog, we will use the Company Portal app to “self enroll”, meaning the end-user will download the Company Portal app from the Apple App Store and will manually enroll the device into Intune MDM.

1. From the Home Screen, launch the App Store app:

2. Download the Company Portal app from the App Store:

3. Launch the Company Portal app:

4. Sign in with your Azure AD credentials

5. Once signed in, you will be presented with the steps required to complete enrollment, tap Begin.

6. At the Device management and your privacy screen, carefully review what the employer can see and not see on a device, and tap Continue

7. Tap Continue on the Setup Contoso Access screen:

8. Tap Allow on the dialog box This website is trying to download a configuration profile. Do you want to allow this?

9. Tap Close on the dialog box Profile Downloaded: Review the profile in Settings app if you want to install it.

Note: This downloaded the MDM profile from Intune; we will now install that profile on the device.

10. Tap Continue Now on the Download management profile screen

11. On the Setup Contoso access screen, tap Continue

12. On the How to install Management Profile screen, go to the Home Screen on the device.

13. On the home screen, tap Settings

14. Within Settings tap General

15. Tap Profile

16. Tap Management Profile

17. Tap Install

18. Enter your device’s passcode

19. Tap Install to install the profile

20. On Warning tap Install

21. On Remote Management dialog box tap Trust

22. On Profile Installed tap Done

23. Go back to the Company Portal app and on the Allow “Comp Portal” to use your location? dialog box tap Allow while using app

24. At this point the device is now enrolled into Intune MDM, and if there are any apps that are required to be installed – they will start to be pushed down. (note, we have not configured those yet in this blog)

25. On Set up Contoso access tap Continue

26. Intune will now check to see if the device adheres to any compliance policies (note, we have not configured those yet in this blog)

27. From here you can navigate the Company Portal app and see apps that are available for download:

28. Tapping on Devices at the bottom of the screen shows all devices under MDM management for the user:

Here is a PowerPoint or “Click Thru” deck of these screenshots, feel free to download and reuse.

Govern, Audit and Control G Suite with Microsoft! (Google Apps + Cloud App Security)

Does your organization use G Suite or Google Apps? Do you have these requirements?

  • Audit activity occurring in G Suite (user logons/logoffs, settings changed, files modified, etc)
  • Audit file activity? (what files are being accessed, from where, how they are being accessed, etc)
  • Govern how G Suite is accessed? (Only from a managed device? Only from a managed network? Don’t allow download from a non-managed computer?)
  • Scan files in G Suite for sensitive data?
  • And more!

In this blog we will explore how Microsoft Cloud App Security (CAS) part of Microsoft 365, can help you meet these requirements. For more information on connecting G Suite to CAS see this article. Let’s get started!

Note: Neither Microsoft, Matt Soseman nor this blog assumes any responsibility or offers any warranty as a result of following the instructions in this blog. This requires enabling and modifying APIs. Use at your own risk.

Configure G Suite within Microsoft Cloud App Security:

From within Cloud App Security, click Investigate then select Connected Apps:

Click the + sign and select G Suite:

Type in a name and click Connect G Suite:

We need to pull the appropriate details from G Suite. Open a new browser instance and navigate to your G Suite admin portal using your admin credentials:

Once signed in, navigate to https://cloud.google.com/console/project and click Create Project:

Give the project a name and click Create Project

Click Google Cloud Platform then click Go To APIs Overview:

Click API Library and enable the following APIs:

Back on the APIs and Services screen, click Credentials, click the OAuth Consent Screen, then in Application Name type Microsoft Cloud App Security and click Save:

Back on the Credentials tab click Create Credentials and select Service Account Key:

Configure the Service Account Key and click Create. Copy the secret to a scratchpad area. Download the certificate.

Back on the Credentials screen click Manage Service Accounts

Edit the Service Account:

Check the box next to Enable G Suite Domain Wide Delegation and click Save:

In the search box at the top type Google Drive API and press Enter

Click on Drive UI Integration, and configure using the following parameters (you can get the icons from here) and click Save Changes when finished:

In the search box type G Suite Marketplace SDK and press Enter

On the Configuration tab, copy the Project Number to a scratch pad area:

Upload the same icons you used previously, and configure the following URLs:

Configure the following URL scopes:

  • https://www.googleapis.com/auth/admin.reports.audit.readonly
  • https://www.googleapis.com/auth/admin.reports.usage.readonly
  • https://www.googleapis.com/auth/drive
  • https://www.googleapis.com/auth/drive.appdata
  • https://www.googleapis.com/auth/drive.apps.readonly
  • https://www.googleapis.com/auth/drive.file
  • https://www.googleapis.com/auth/drive.metadata.readonly
  • https://www.googleapis.com/auth/drive.readonly
  • https://www.googleapis.com/auth/drive.scripts
  • https://www.googleapis.com/auth/admin.directory.user.readonly
  • https://www.googleapis.com/auth/admin.directory.user.security
  • https://www.googleapis.com/auth/admin.directory.user.alias
  • https://www.googleapis.com/auth/admin.directory.orgunit
  • https://www.googleapis.com/auth/admin.directory.notifications
  • https://www.googleapis.com/auth/admin.directory.group.member
  • https://www.googleapis.com/auth/admin.directory.group
  • https://www.googleapis.com/auth/admin.directory.device.mobile.action
  • https://www.googleapis.com/auth/admin.directory.device.mobile
  • https://www.googleapis.com/auth/admin.directory.user
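The service account key you downloaded, combined with this scope list, is a domain-wide credential, so it is worth checking that what is actually delegated matches the list and knowing which scopes allow changes rather than just reads. The script below is an added example, not code from the blog post or from Cloud App Security or Google: it parses a scope field as pasted from the Google admin console, diffs it against the list above, flags malformed entries, and separates read-only scopes from ones that grant write access. The sample delegation field it runs on is constructed for illustration.

```python
"""Least-privilege audit of the OAuth scopes delegated to the Cloud App
Security service account (added example, not part of the blog post)."""
from __future__ import annotations

# The scope list from the blog's G Suite Marketplace SDK configuration.
REQUIRED_SCOPES: frozenset[str] = frozenset({
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/admin.reports.usage.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.appdata",
    "https://www.googleapis.com/auth/drive.apps.readonly",
    "https://www.googleapis.com/auth/drive.file",
    "https://www.googleapis.com/auth/drive.metadata.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/drive.scripts",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.security",
    "https://www.googleapis.com/auth/admin.directory.user.alias",
    "https://www.googleapis.com/auth/admin.directory.orgunit",
    "https://www.googleapis.com/auth/admin.directory.notifications",
    "https://www.googleapis.com/auth/admin.directory.group.member",
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.device.mobile.action",
    "https://www.googleapis.com/auth/admin.directory.device.mobile",
    "https://www.googleapis.com/auth/admin.directory.user",
})

SCOPE_PREFIX = "https://www.googleapis.com/auth/"


def parse_scope_field(field: str) -> set[str]:
    """Accept the scopes as pasted from the admin console: one per line
    (Marketplace SDK) or comma-separated (domain-wide delegation)."""
    return {s.strip() for s in field.replace("\n", ",").split(",") if s.strip()}


def is_write_scope(scope: str) -> bool:
    """Google names read-only scopes with a '.readonly' suffix; anything
    else grants some form of write access and deserves a second look."""
    return not scope.endswith(".readonly")


def audit_scopes(configured: set[str],
                 required: frozenset[str] = REQUIRED_SCOPES) -> dict[str, list[str]]:
    """Compare what is actually delegated against the documented list."""
    return {
        # Required by the connector but not granted: the connector will fail.
        "missing": sorted(required - configured),
        # Granted but not required: delegated privilege beyond what CAS needs.
        "extra": sorted(configured - required),
        # Typos or http:// entries are never matched by Google and hide gaps.
        "malformed": sorted(s for s in configured if not s.startswith(SCOPE_PREFIX)),
        # Every delegated scope that allows changes to Drive or the directory.
        "write_scopes": sorted(s for s in configured if is_write_scope(s)),
    }


# Constructed sample of a delegation field as it might look after a manual
# copy/paste: one required scope dropped, one unrelated Gmail scope added,
# and one entry mistyped with http://.
SAMPLE_DELEGATION_FIELD = ",".join(sorted(
    REQUIRED_SCOPES - {"https://www.googleapis.com/auth/admin.directory.user.readonly"}
)) + (",https://www.googleapis.com/auth/gmail.readonly,"
      " http://www.googleapis.com/auth/drive")


if __name__ == "__main__":
    report = audit_scopes(parse_scope_field(SAMPLE_DELEGATION_FIELD))
    for key, scopes in report.items():
        print(f"{key} ({len(scopes)}):")
        for s in scopes:
            print("   ", s)
```

Run it against the scope field copied from your own tenant; anything under extra or malformed should be removed, and the write_scopes list is the set of privileges you are trusting the downloaded service account key with, so treat that key file accordingly.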

Under Visibility select My Domain and click Save Changes:

Browse back to

AzureAD: Setup SSO to G-Suite for free, and govern access! (Google Apps)

Did you know Azure Active Directory can provide Single Sign-On (SSO) to G-Suite (Google Apps)? In this blog, we will explore how to set this up from both the Azure AD side and also the G-Suite side.

Once SSO is configured, consider creating policies for Conditional Access to govern how G-Suite is accessed (e.g. only from a managed device, specific network, monitor for threats of the credentials such as for sale on the dark web, etc). For more information on G-Suite and Azure AD integration for SSO, see Tutorial: Azure Active Directory integration with G Suite

Note: SSO for up to 10 apps comes with the free version of AzureAD. For additional capability, P1 or P2 may be required. See Azure Active Directory pricing for more information.

Important: Chromebooks can sign-in with Azure AD credentials, see this video! (and here for more information)

Also Important: Once SSO is enabled in G-Suite, only Azure AD credentials will be authorized and legacy credentials (i.e. G-Suite credentials) will no longer be accepted for sign-in. If the user is on a Windows 10 device that is Azure AD joined (AADJ), they will not need to type in their password to access G-Suite; SSO from Windows 10 will be available automatically.

Let’s begin!

Add G-Suite to Azure AD and configure it:

From within the Azure portal navigate to Azure Active Directory -> Enterprise Applications -> New Application and search for G Suite then click Add:

Once added, click Single Sign-on and click SAML

Edit the Basic SAML Configuration by clicking the pencil icon:

Configure using the following parameters:

Click Save. For User Attributes & Claims click the pencil icon:

Add a new claim:

Go back to the main SAML SSO configuration page, and download the base64 certificate for SAML Signing Certificate:

Copy the following URLs to a scratch pad, we’ll use these to configure G-Suite:

Setup G-Suite for SSO:

See this article for more information on configuring G-Suite for SSO. From within G-Suite navigate to Admin -> Security -> Setup SSO. Paste the URLs you copied in the last step into the SSO configuration, upload the certificate you downloaded previously, check the box for Use a domain specific issuer, and then click Save:

Assign the user to G Suite

Back in the Azure portal, click Users & Groups from within the G-Suite Enterprise Application:

Add a new user to G-Suite:

Turn on Provisioning:

Click on Provisioning and go through the steps on the blade. Starting with changing Provisioning Mode to Automatic.

Then click Authorize and type in your G-Suite credentials to go through the authorization process. Grant consent:

Back in the Azure portal, click Save to save your provisioning configuration. Once saved, you can opt to enable automatic synchronization of identities from Azure AD to G-Suite by clicking On for Provisioning Status:

Sidebar: I could also configure self-service for end-users!

Back in G-Suite, you will notice the assigned users will start to sync:

Time to test!

I’m going to navigate to http://mail.google.com/a/soseman.org:

Notice this will redirect to Azure Active Directory:

Notice it challenges me for multi-factor authentication!

And I respond to the challenge using my Apple Watch 🙂

Once authenticated, accept the terms and conditions:

Now, I’m logged in and ready to use G-Suite!

Browsing to myapps.microsoft.com – G-Suite is added to the launcher!

Conclusion:

As you can see, configuring Single Sign-On for G-Suite using Azure Active Directory is a rather easy and simple process, and can probably be completed within 15 minutes or less. Once configured, don’t forget to use Azure AD Conditional Access to govern how G-Suite is accessed, such as requiring a managed device (mobile or PC), monitoring the credentials for compromise (impossible travel, up for sale on the dark web, sign-ins from atypical locations, etc.), requiring MFA, and more!

Push apps to iPhone/Android using Microsoft Intune

You may have the need to push an app to iOS (iPhone/iPad) or Android devices that are enrolled into and being managed by Microsoft Intune Mobile Device Management (MDM). For more information about the types of apps supported, and the details please see this article. For more information about Microsoft Intune, please see this article. Remember, MDM is one component of Intune, it can also perform Mobile Application Management (MAM) or app sandboxing, depending upon the needs of the business.

I want to take a look at how do we push apps that are already in the app store (public facing or deep linked) to an end-user’s device that is enrolled into MDM.

First, from within the Azure Portal, I’m going to navigate to Intune -> Client Apps -> Apps and click Add:

From here I will choose iOS as the App type:

Next, clicking Search the App Store I will search for Microsoft Teams and click on Microsoft Teams and choose Select:

For App Information, I will leave the defaults and click OK

When finished I will click Add:

Now that the app has been added, it still needs to be assigned. I will next click on Assignments:

Next click on Add Group:

Choose the appropriate Assignment Type based on your business scenario. For demo purposes, I will choose Required, as this will force the app to be installed when the device is enrolled into Microsoft Intune MDM. More information on Assignment Types can be found here.

Clicking on Included Groups, I will select Make this app required for all devices and select Yes. Note, I could assign to just a security group of users if I wish. Then click OK on the Assign blade, and again on the Add Group blade.

Back on the Assignments blade, click Save. Wait 30 minutes for the changes to propagate before proceeding.

Now, let’s enroll the device into Microsoft Intune MDM using the Company Portal app on the iPhone. For more information on enrollment, see this article, or for mass provisioning of devices using the Apple Device Enrollment Program, click here. Once the device is enrolled into MDM using the Company Portal app, in a few moments the app will start to be pushed down to the device:

Here we can see the app being pushed down, and prompting the user for permissions to install the app.

When the user taps Install we can see the app starting to be installed on the home screen:

Next is when the magic happens. If the user is terminated and a remote wipe (aka Retire) command is issued to the device, all corporate data (anywhere you are signed in with Azure AD credentials) and any required apps will be removed. From the Intune portal, I am going to Retire this device as the user has been terminated from employment:

Wait a few moments for the retire command to be sent to the device:

Here we can see the Microsoft Teams app was removed as a result:

And the Company Portal app is now reverted back to the pre-enrollment state, asking the user to enroll the device into MDM:

Conclusion:

As you can see, it’s simple to push an app to a mobile device, and based on the scenario many configurations can exist to accommodate that scenario to help you meet your requirements.

Microsoft Teams: Protect against Phishing & Malware

Pretend for a moment that I am a marketing agency you just hired, and invite me as a guest to a team in Microsoft Teams to collaborate. What happens if that guest’s account gets compromised and a bad actor gains access to your team in Microsoft Teams? Your organization is having sensitive conversations there, uploading sensitive files, and if that data were to be publicly disclosed, could do damage to the organization. More importantly, a bad actor can post hyperlinks to “phishing” web sites, and upload malicious files into Microsoft Teams – from there users can open the links or run the files, posing a serious threat to your organization’s security.

How do we help to protect against phishing attacks and malicious files in Microsoft Teams? Office 365 Advanced Threat Protection is here to help. In fact, Office 365 ATP can also help to protect against phishing and malware in not just Microsoft Teams, but Exchange Online, SharePoint, and OneDrive! More information in the Service Description here.

To configure, once the appropriate licenses have been purchased and assigned to each user, open the Office 365 Security & Compliance Center (protection.office.com) -> Threat Management -> Policy and click on ATP Safe Attachments:

Check the box Turn on ATP for SharePoint, OneDrive and Microsoft Teams and click Save:

Now, when a malicious file is uploaded to Microsoft Teams, Office 365 ATP will perform a detonation of the file (following this process). Here we have files in Microsoft Teams, are they malicious?

If the file is indeed malicious, when the user attempts to execute the file in Microsoft Teams, they will receive the following message:

Safe Attachments stops the user in their tracks and never gives them the opportunity to launch the file. This same behavior also occurs when the file is executed directly from SharePoint. If using Office 365 Alerts (in the Security & Compliance center), an alert can be configured to notify the admin that malware was uploaded to Microsoft Teams:

Here’s what the alert looks like:

(Note, if using Microsoft Cloud App Security an SMS notification can be sent, and MCAS also offers integration into your SIEM.)

What about phishing links in Microsoft Teams? If the ATP Safe Links policy is correctly configured (more information here), then when a phishing hyperlink is posted, the user will receive a blocking message when attempting to click on the hyperlink. Let’s take a look at this below; here’s a hyperlink in a team conversation in Microsoft Teams:

When the user clicks on the link, ATP Safe Links and the Intelligent Security Graph go into action to provide protection. ATP recognized the website is malicious and stops the user in their tracks, not giving them the opportunity to click through to the original website. (Although that can be changed in the policy.)

Conclusion:

Office 365 Advanced Threat Protection provides protection against advanced threats such as phishing and malware, not only for your email in Office 365 but also for Microsoft Teams! What if everyone had this enabled? The world might just be a safer place! Enjoy!

Leaving the org? Wipe Only Corporate Data from Native Mail App in iOS (Microsoft 365)

Wouldn’t it be nice if an employee leaves the organization, that you can remove only your corporate data from their iPad or iPhone, but yet leave all their personal data alone? It absolutely would, especially if that employee was using the native (built-in) mail app in iOS. Look no further, because Microsoft 365 has the capability to perform a selective wipe on the device and remove corporate data, including data from the native mail app.

So how is this possible?

Intune will remove data that is tied to your Azure Active Directory identity. So, if I am logged into the native mail app on my iPhone with my Azure AD credentials for my Office 365 mailbox, Intune treats that as “corporate data”. If the device is enrolled into Intune Mobile Device Management (MDM) and the selective wipe command is issued (or the user manually performs a selective wipe via the Company Portal app), then the Office 365 data will be removed from the native mail app.

What are the requirements for this to work?

  1. The iOS device is enrolled into Intune MDM.
  2. An Intune iOS Device Configuration Profile is configured and assigned to the user or device, that is pushing a mail profile.
  3. The user is signed into the native mail app using their Azure AD credentials to access their Office 365 Mailbox.
  4. iOS Enrollment has been properly configured in Intune and an iOS device compliance policy has been configured and assigned.
  5. User has an Office 365 Exchange Online Mailbox

How do I configure it?

This is really made possible by having a mail profile configured in the Device Configuration Profile in Microsoft Intune. Let’s take a look at how to do that. From within the Intune blade in the Azure Portal, select Device Configuration -> Profiles -> and create a new Profile for iOS platform with a profile type of Email:

Next, click Settings and configure the email profile. See my screenshot below of how I setup my email profile for Office 365 based on my organization’s requirements (note, your configuration parameters may be different). When finished click OK.

Click Save to save the email profile. Next, click Assignments and assign the new profile to All Users, or All Devices, or Selected Groups. For my environment, I am going to assign to a security group that sales and marketing employees belong to. When finished, click Save:

How do I test it?

Using my iPhone test device, I am going to enroll it into Intune MDM using the Company Portal App from the App Store. If you aren’t familiar with this process, see my blog: Intune: MDM Enrollment Experience (complete device management)

Important: Make sure the user or device that is enrolling, is a member of the security group above! Or the Device Configuration Policy was assigned to that user or device!

You may be prompted to enter the password for the Exchange account (Office 365):

After tapping Edit Settings and entering my password, I’m going to launch the native mail app, and notice my email profile is now configured and my mailbox is visible in the app:

Now, we need to perform the selective wipe and remove only the corporate data. This can be performed in one of two ways: either from the Azure portal or from the Company Portal app on the iOS device.

Important: Selective Wipe in Intune is referred to as Retire. More information on differences between Wipe and Retire can be found here.

From within Intune I am going to click my iOS device (Megan’s iPod Touch):

Then I will choose Retire and click Yes at the warning:

The Retire request will be submitted and the status will change to Pending:

Wait a few moments for the Retire command to be sent to the device, then on the iOS device launch the native mail app:

The corporate data (Office 365 mailbox) and cached email will be removed, and the app will be returned to the sign in screen:

Conclusion:

That’s it! While this is simple to setup, ensure you have met the requirements and that your mail profile in Intune has been properly configured and assigned. Note, if you are looking to perform the selective wipe or Retire on Android – this will require Android Enterprise. More information here.

Next time you present to a room of people, try this! (and look like a Rockstar…)

Can you see the projection screen in a meeting? If you can’t would you agree it encourages multi-tasking?

(This was originally posted to my LinkedIn Blog)

Have you ever sat through a training class, a sales presentation, or just a regular business meeting and struggled trying to see the content on the projector or TV screen? If you have (like me) you probably are more apt to multi-task like check email, browse social media or work on another project. Why is this? Because if you can’t see the screen, you aren’t able to focus your attention and will probably lose interest.

I can’t see the projection screen clearly, so my interest is elsewhere. Sorry.

Have you presented to a room of people and had this happen? During your presentation you notice people on their laptop or smartphone and it immediately makes you feel that what you have to say isn’t important to them and it takes a hit on your self-confidence. I’ve had this happen to me one too many times (of course, don’t take it personally), but I have found the secret sauce to aid in (hopefully) preventing this from happening and immediately add value to your presentation. You want your attendees to walk away thinking that was a good use of their time.

The next time you give a presentation to a room full of people, plug into the projector or TV screen as you normally would. However, consider adding one more step to that process and start a new meeting using your favorite virtual meetings application (i.e. Microsoft Teams, Skype for Business, WebEx, GoToMeeting, etc). Of course, I recommend Microsoft Teams as it’s the easiest method – and I’ll use that in my example below.

Share your desktop over Microsoft Teams in addition to showing on the projector/TV -your attendees will appreciate it…

By sharing your screen over a virtual meeting app, all of the meeting attendees will be able to see your content (PowerPoint, desktop,etc) with absolute clarity because it’s right in front of them on their computer screen (or smartphone/tablet…). Your attendees will appreciate it, especially those who are far from the projection screen such as the back row or end of the boardroom table.

So why do this?

  1. The main reason: your attendees, no matter where they are sitting, can see whatever you are sharing on your computer (PowerPoint, web browser, app, etc). They don’t have to squint at the projector. They will appreciate this (wouldn’t you?)
    1. It discourages your attendees from multi-tasking! (You can check this by walking around the room during your presentation/speaking and glancing down at computers. If you don’t walk around the room while presenting, consider it.)
    2. The attendees can take screen shots and add them to OneNote or their note taking application!
    3. Utilize the chat feature in Teams or the meeting app. Toss links to websites in there, document attachments and other content.
    4. Have attendees put questions in the chat – that becomes your parking lot for questions to follow up on later!
    5. You can now record the meeting and have full content in the recording (along with audio if you choose). Give to the attendees afterwards.
    6. It gets people talking about Microsoft Teams!

WARNING: Don’t advertise ahead of time that you are doing this, because people will not come to the meeting and will want to join at their desk or from home.

It discourages multi-tasking, makes content easier to see, and adds immediate value to the presentation.

So how do I do this? Well, as mentioned before I use Microsoft Teams (hey, it’s included in Office 365 and there’s even a free version). Consider it, as it works PERFECT in a web browser for this. Let’s explore the process:

Step 1, create the Teams meeting, give it a name and invite one person (it can be a fake email, doesn’t matter). I’ll call mine “Screen Sharing for Meeting” and invite johndoe@contoso.com.

Step 2, create a short URL using bit.ly or another service. This way, it will be super easy for your attendees to access the meeting. Right click on the Join Microsoft Teams Meeting hyperlink inside the body of the Teams meeting (blue text above in the picture) and select Copy. Browse to bit.ly and create a new short URL by pasting the Teams URL in the box. Copy the shortened URL.

Step 3, put the shortened URL in your PowerPoint deck as an intro slide. Create a new slide in your PowerPoint deck right after your title slide, containing the new shortened URL, like the image below. Be sure to show this slide while your attendees are walking into the room.

Step 4, Join the Teams meeting and share your desktop or content. As you join the meeting, be sure to mute your mic! Also be sure to mute your speakers.

Step 5, have your attendees join the meeting. Remember, you DO NOT have to be on Teams to join a Teams meeting. The attendees will join as a guest, and it takes seconds to do so (no, you don’t need to invite them as a guest to your tenant/team). Instruct them to just use the web browser as it’s usually the easiest method (if they already have the Teams desktop app installed, fine). Remember, they can also do this on an Android, iPhone or iPad. As they join, mute their microphone or select Mute All in the meeting.

Now, just run the meeting as you normally would. Laptop plugged into projector and desktop shared over Microsoft Teams!

I’m curious, what are your thoughts on this? Have you tried this? Have you sat through one of my meetings where I did this (if so, what did you think)? Give this a try in your next meeting, you might be really surprised in the level of interest and interaction!