An easy way to manage your organization with Intune

Next up Intune

Since some time Microsoft has been promoting lots of companies to go with Intune. Most of these companies want to use a solution like Intune but sometime already have a system in place which takes care of their mobile devices. Think about Airwatch or Mobile Iron. Most of the time Intune gets compared with Mobile Iron or Airwatch but what most companies do not know is that Intune is not just about mobile devices. It can do lots more than that.

Where to start with Intune

As mentioned before lots of companies do not know where to start with Intune. One of the most asked question I get at customers is do I start with MDM for mobile devices or do I start with MAM and what is the difference. And how do i make sure i enroll the devices without big impact to my users.

First of all the best thing you can do is start with a simple pilot for Mobile Application Management (MAM). Based on a azureAD group. What MAM does is, it manages the applications you make available within Intune for you mobile devices. If you start with this i recommend to just select all the applications from the Microsoft Office 365 subscription.

You can do this within the App protection policies.

intune apps

As you can see my selection of apps are put in just for Android devices. This comes because i have created two policies. One for Android and One for IOS. The reason for this is that i can manage both type of devices separately. For instance if i want to add apps like Google Maps (Android) or Safari (Apple) you can manage these just for these device types.

*make sure you assign your policies to just a few of you, not for the entire company when testing.

Mobile application management (MAM)

As written above you can implement Mobile application management pretty easy. Just make sure you have the right licenses (EM+S E3 or EM+S E5 or Intune). and you are good to go. But what does Mobile application management actually do.

Basically MAM manages the applications you offer to your users as a service to use. This means that a user which has for example a private device can use Outlook for IOS/Android with corporate email in a safe way. The user just need to install the application from the Google playstore or Itunes. The users will be guided thru the process and will end up with a safe working version of outlook with his corporate email.

With the policies you have created you have set some properties to prevent options like; Copy from email to phone storage, open Urls from email into unmanaged browser, Save attachments to non managed storage.

Mobile Device Management (MDM)

What is mobile device management (MDM), MDM is a way of securing the device a user gets from his company. Most of the time i advise this option when a company has company phones which they give to their employees. In this case the device is owned by the company so there is a possibility that you want to do more with the device then just manage the applications like in MAM. Things you can do more then you can do with MAM  are;

  • Device encryption
  • Push company owned apps
  • Install applications from Itunes or Google playstore
  • Wipe entire device instead of just the managed applications
  • Push certificates and WiFi profiles
  • And lots more

I hope this gives you some insights on MAM and MDM. In my opinion these are the best options to start with when starting with Intune. But you can imagine there are lots more feature you can do with Intune. Think about enrolling Windows 10 devices with autopilot, so you can really give you customers a seamless out-of-the-box-experience (OOBE). Even Co-management is possible these days.  In the following blogs i will guid you thru the implementation of some of these features and possibilities.

If you have some ideas for a blogpost regarding Intune that you needs to be worked out please let me know. And i will try if i can create a tutorial for this.

Also do not forget to check my other blogs @j3rmeyer.nl

 

Please follow and like us:
error

Cheat sheet with all Ports and rules needed for a Exchange Hybrid Infrastructure

Exchange Hybrid Ports Cheat Sheet

When working with Exchange I sometimes come to clients who already have a hybrid exchange configured environment. In many cases this is when the hybrid configuration does not work. To make things easier for myself, I created an overview that eliminates the pain of firewalls and networks.

To help you guys out in these situations i share my ports overview document with you, The document is mentions as a cheat sheet this means that you can adjust it and present it to the customers network team.

Overview

There are always some requirements for a Exchange hybrid environment

  • External IP for a seperate Hybrid flow that resolves to hybrid.domain.nl
  • You need to be sure that the hybrid server is part of the mail environment
  • Make sure autodiscover is set the right way
  • The Exchange server which is used for the Hybrid configuration needs to be in the LAN
  • Do NOT forget the Exchange online and Exchange online protection URL’s
  • If you do not have an external IP use the external IP of the autodiscover.
hybrid exchange ports cheat sheet
hybrid exchange ports cheat sheet

 

Click here to read other posts for more Exchange related posts.

 

Please follow and like us:
error

Where is the Bitlocker Key stored within Microsoft Azure AD

Storing your Bitlocker key

When you enroll your  Windows 10 devices with  Microsoft Intune, you have the posibility to store your Bitlocker recovery keys in Azure AD. There are two ways to store the Bitlocker key the proper way

  1. Store the Bitlocker key into Active Directory (on-premise)
  2. Store the Key Into Azure AD (Cloud)

When you use the Azure AD join and activate Bitlocker, you get the option to store the Recovery Key in Azure AD. When you walk through the Join or register the device wizard.

The Key will be stored in the Cloud/ Azure AD. To get these keys in the Classic Azure Portal follow the steps below

Classic Azure Portal steps

  1. Open Azure AD in the Management Portal https://manage.windowsazure.com
  2. Open the Users tab and search/browse for the account you need to find recovery key for, then open it.
  3. Go to the Devices tab, and in the View box, select Devices.
  4. Select the affected device, and click View Details.

All registed recovery keys should be visible

(New) Azure Portal

Most of you will probably use the (new) azure Portal, to find the keys here is a little different but not to much. Follow the steps bellow to get the recovery keys from Azure AD

  1. Open Azure AD in the Management Portal https://portal.azure.com
  2. Open the Users and Groups blade and find the user involved.
  3. Go to his registred devices of the user.
  4. Click on the Device where you need the key from,

You will find the recovery key at the bottom of the device information

Please follow and like us:
error

Retention Policy and Litigation hold

Most of the times Security is unfamiliar terrain when it comes down to Litigation hold and Retention Policies. In this blog post i will explain when to use Litigation hold and when it is best to use the Retention policy in Office 365.

Litigation Hold

When you search on Technet or Google for litigation hold you will find millions of results. But Actually it is quit simple. Litigation Hold is actually another expression for Legal Hold. When you translate this into Office 365 you will use this function. For instance when a user is leaving the company and you need to preserve the Mailbox for 30 years or even longer.

If you activate or use litigation hold you can already check this from you GDPR Checklist because this is one of the requirement.  Office 365 offers a rich set of in-place eDiscovery capabilities to identify relevant data. in-place Discovery including  for instance, search, hold, analyze and export. These tools will help you quickly to meet the investigative, legal, and regulatory requirements regarding GDPR.

To activate Litigation hold you can simply run the following command from the Exchange online powershell module

Set-Mailbox user@domain.com -LitigationHoldEnabled $true -LitigationHoldDuration Unlimited

*note it can take up to 60 minutes before this function is completely activated.

Retention Policy

Since some time compliance is one of Microsoft’s main focuses in Office 365. You need to know how to use these Office 365 features, so that next time you encounter legal, industry regulations or internal policies, you know what to do.

A retention policy is mainly used to preserve content for a specific period of time or indefinitely. Due to regulatory, legal, or business requirement. You can enable Retention policies on most of the Office 365 services like Onedrive, Exchange and since a short period even Groups and possibly even Teams.

You can configure the retention policies quiet easy using the wizard. You can find this in the Security and Compliance menu of the Office 365 admin Center.

So when do you use Litigation hold and when to use a retention Policy

When use Litigation hold to Legally hold a complete mailbox (it will be stored between the soft deleted mailboxes). You use the Retention Policy when you want to preserve Content of one of the Office 365 services.

And yes the configuration of these compliance settings really depends on the situation of you company or client.

Please follow and like us:
error