Sunday, February 13, 2022

How to Get 'Around' AutoPilot

 Hello All!

I've been inspired to write this after seeing a thread on Reddit where, or so the story goes, a son had estranged himself from his father and left the household, but the father had the family PCs enrolled in an Autopilot / MEM instance and wiped the son's PC. When the son tried to boot the PC he was met with the branded Autopilot screen and, not wanting to be under his father's control, reached out to Reddit to see how he could avoid Autopilot and re-enrollment.

This got me curious about all the ways that could be accomplished. Conversely, you could do the opposite of everything in this post to enforce Autopilot in your organization.

It used to be very easy, but Microsoft has patched quite a few of the holes. In Windows 10 1903 they removed the ability to start the process, hit the back button, and land on the unbranded sign-in screen, which allowed you to create a local user account.

At some point they also added a control to the Autopilot profile that hides the change account options.

At some point they also introduced a setting that requires internet connectivity during OOBE in order to proceed. This CSP flips what's called a UEFI variable, and that variable persists through a machine wipe. The consequence is that the setting is not in place during first-time setup, since the device isn't enrolled yet, but every subsequent wipe is protected.

With that background in mind, let's get back to our Reddit user. For this first workaround, assume that neither control is deployed. Both default to Not configured, so that isn't much of a stretch.

With the change account options set to show, all the end user has to do is choose to "domain join" instead, or enter a bad email address / password enough times, and they will be presented with the option to create a local user instead, like below.

Easy enough. Now, what if the change account options are hidden? That setting only applies to the Autopilot-branded welcome screen, not the default screen. We can get rid of the branded screen by removing the Autopilot JSON file (the post's autopilot.json) found in C:\Windows\Provisioning\Autopilot. This can be done easily from the OOBE screen: hit Shift+F10 to open a command prompt, and from there you can even launch explorer.exe to bring up the GUI and navigate to the folder. Once the file is removed and you give it the ol' reboot, you should be met with a local login like so.

Now, with no Autopilot JSON file and a shiny new local admin account that's past OOBE, the machine should be free from management, for now anyway, until the next device reset.
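As an added example (not from the original post), here is the same cleanup done from a PowerShell session at the Shift+F10 prompt instead of clicking through Explorer. It assumes the cached profile is whatever .json file sits in the folder named above (the post calls it autopilot.json; the JSON-based deployment file is normally AutopilotConfigurationFile.json), and the backup folder name is my own choice so the change can be reversed.

```powershell
# Added example, not the original post's steps. From the Shift+F10 command
# prompt during OOBE, type "powershell" first to get a PowerShell session.
# Assumption: the branded OOBE is driven by the .json file(s) in this folder.
$AutopilotDir = 'C:\Windows\Provisioning\Autopilot'
$BackupDir    = Join-Path $env:SystemDrive 'AutopilotBackup'   # hypothetical backup location

function Get-AutopilotProfileFiles {
    # Every .json under the provisioning folder; empty result means there is
    # nothing here to remove and the branding is coming from somewhere else.
    if (-not (Test-Path $AutopilotDir)) { return @() }
    Get-ChildItem -Path $AutopilotDir -Filter '*.json' -File
}

function Remove-AutopilotProfileFiles {
    $files = Get-AutopilotProfileFiles
    if (-not $files) {
        Write-Host "No profile JSON found in $AutopilotDir; nothing to do."
        return
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($f in $files) {
        # Keep a copy first so the profile can be put back if needed.
        Copy-Item -Path $f.FullName -Destination $BackupDir -Force
        # Show the cached profile so you can see which OOBE options it hides.
        Write-Host "---- $($f.Name) ----"
        Get-Content -Path $f.FullName -Raw
        Remove-Item -Path $f.FullName -Force
        Write-Host "Removed $($f.FullName) (backup in $BackupDir)"
    }
}

# Show what is there before touching anything.
Get-AutopilotProfileFiles | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

Remove-AutopilotProfileFiles

# Verify, then reboot into the unbranded OOBE (stay offline through OOBE).
if (-not (Get-AutopilotProfileFiles)) {
    Write-Host 'Profile cache cleared. Run "shutdown /r /t 0" to reboot.'
}
```

The same function, read the other way round, is the admin-side check: on a managed device Get-AutopilotProfileFiles should return the profile, and an empty result after a reset is a sign someone has been in this folder.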

As for the additional setting of requiring network during OOBE that stamps the UEFI variables... we are going to have to wait on that. I do not currently know how to change those, but when I figure it out I will update this post. My initial thought is that you could launch PowerShell and change them in some manner that way, or possibly even from the built-in preboot UEFI interface.

For now, remove the .json and don't connect to the internet while going through OOBE... or, ya know, just re-image with Windows Home, as Home doesn't even check in with the Autopilot service!

Until next time!

Thursday, January 27, 2022

List Of Possible iOS Identifiers

 Hello Everyone!

In this post I wanted to add a link to a Google Doc where I have compiled a list of possible iOS URI identifiers for excluding apps from MEM's app protection policies.

I put it in a Google Doc because the list was rather long and was taking up the blog's entire front page... which may have been a good thing, so maybe people wouldn't notice how long I go between blog posts, haha!

Anyways, here is a link to the doc

Good luck out there!

Tuesday, September 14, 2021

Force the Intune Management Extension to Reinstall/Check-in Applications


Long time no write!

I find the more ingrained I get in something, the harder it is to write about it unless I am writing about new features. There are 100 other bloggers out there that do just that, though, and do it as well as or better than I can (check out Peter Van Der Woude and his blog).

So this blog usually ends up being things I find interesting or things that I personally want to keep around to reference. This falls into that latter category. 

When deploying and testing wrapped apps there can be a significant delay between when you make a change and when it gets to the device. You could even hit the three-try limit on the extension and have to wait a really long time. Today I want to show you, and remind future me, how to clear that out so the IME sees the app as a fresh install and tries again right away (relatively).

First we have to understand how the IME actually records its attempts to install apps.

The IME runs as a service on the endpoint and creates a registry key for each app, for each user. The keys are named with the user's and the app's unique GUIDs, and the retry attempts are stored under those keys as well.

The registry location is Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps\<User GUID>\<App GUID>

If you wanted to wipe everything out you could just delete all of it, but let's say you want to precision strike a certain app for a certain user. First identify the user's GUID in the console. Their GUID is the last part of the web URL after userId, see the image below.

Once you have the GUID you want, copy and paste it into Notepad, because next we need to do the same thing for the app GUID.

Now that we have the relevant information we can go to the registry key mentioned earlier and delete the entry for the specific app we want to force a retry on. Here is a screenshot example from a test machine of mine. Remember to delete the app GUID key and not the user GUID key if you only want to nuke one app.

Once your chosen values are deleted, simply restart the Intune Management Extension service and shortly after it should re-evaluate which apps need to be tried again.
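The same precision strike as a script, added here as an example and not part of the original post. It assumes the key names are the bare GUIDs as shown above (newer IME builds append an "_<revision>" suffix, so the match is on the GUID prefix) and that the GRS subkey under the user key is the IME's retry schedule, whose entries are named by a hash rather than the app GUID; the function therefore clears all GRS entries for that user when asked to. The service name IntuneManagementExtension is the real one; the GUIDs in the usage lines are placeholders.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the endpoint. Removes the per-user, per-app IME tracking key
# and restarts the IME service so the app is re-evaluated.
$IMEBase    = 'HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps'
$IMEService = 'IntuneManagementExtension'

function Get-IMEAppState {
    # List every app key the IME is tracking for one user (GRS is the retry schedule, not an app).
    param([Parameter(Mandatory)][guid]$UserId)
    $userKey = Join-Path $IMEBase $UserId.Guid
    if (-not (Test-Path $userKey)) { throw "No IME state for user $UserId under $IMEBase" }
    Get-ChildItem -Path $userKey |
        Where-Object { $_.PSChildName -ne 'GRS' } |
        ForEach-Object {
            [pscustomobject]@{
                AppKey     = $_.PSChildName
                ValueCount = $_.ValueCount
                Path       = $_.Name
            }
        }
}

function Reset-IMEAppAttempt {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][guid]$UserId,
        [Parameter(Mandatory)][guid]$AppId,
        [switch]$ClearRetrySchedule,
        [switch]$RestartService
    )
    $userKey = Join-Path $IMEBase $UserId.Guid
    if (-not (Test-Path $userKey)) { throw "No IME state for user $UserId under $IMEBase" }

    # Match the app GUID exactly, or with a trailing "_<revision>" suffix (assumption, see lead-in).
    $targets = Get-ChildItem -Path $userKey |
        Where-Object { $_.PSChildName -eq $AppId.Guid -or $_.PSChildName -like "$($AppId.Guid)_*" }
    if (-not $targets) {
        Write-Warning "No entry for app $AppId under $userKey (nothing to reset)."
    }
    foreach ($t in $targets) {
        # Deleting only the app key leaves the user key, and every other app, intact.
        if ($PSCmdlet.ShouldProcess($t.Name, 'Remove IME app tracking key')) {
            Remove-Item -Path $t.PSPath -Recurse -Force
        }
    }

    if ($ClearRetrySchedule) {
        # GRS entries are hashed, so we cannot pick out one app; clear them all for this user.
        $grs = Join-Path $userKey 'GRS'
        if (Test-Path $grs) {
            foreach ($entry in Get-ChildItem -Path $grs) {
                if ($PSCmdlet.ShouldProcess($entry.Name, 'Remove IME retry-schedule entry')) {
                    Remove-Item -Path $entry.PSPath -Recurse -Force
                }
            }
        }
    }

    if ($RestartService -and $PSCmdlet.ShouldProcess($IMEService, 'Restart service')) {
        Restart-Service -Name $IMEService -Force
        Write-Host "Restarted $IMEService; watch IntuneManagementExtension.log for the new attempt."
    }
}

# Usage (placeholder GUIDs; take the real ones from the console as described above).
# -WhatIf lists what would be removed without touching the registry or the service.
# Get-IMEAppState -UserId '00000000-0000-0000-0000-000000000000' | Format-Table
# Reset-IMEAppAttempt -UserId '<user guid>' -AppId '<app guid>' -ClearRetrySchedule -RestartService -WhatIf
```

Run it once with -WhatIf to confirm only the one app key (and, if requested, the GRS entries) is going to go; the all-zero GUID user key is the device context, so target that if the app is deployed to devices rather than users.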

That's it!

Hopefully this speeds up some of your testing.

Talk to you all next year!

Tuesday, December 1, 2020

Another Way to Attach Photos and Files to Work Profile Apps

Hello Everyone!

In my previous post I went over one way to share files into the work profile. 

After poking around a little more I realized there is another way to attach files and photos in work profile apps that may be a little easier for everyone.

In this walkthrough we will attach a file to an existing email thread in the Outlook app, but the process should be similar in other apps.

It is important to note that this was done on a Samsung S10, and the process may differ on other devices.

Choose to attach a file from within your application. This should open a file explorer app.

Once you are in the file explorer, open the menu (mine is in the top left). Inside the menu choose the 'More Apps' option.

The 'More Apps' option should let you choose applications and files that exist outside of the Android Work Profile, if your organization allows it in the settings. Once you can see your outside files, choose the one you want to insert into your mail, Teams message, OneDrive upload, etc. In our case we are going to choose a picture of this awesome and hilarious custom VW Bug from my local Lowe's parking lot.

Hopefully, between this method and the previous post, you can keep using your applications the way you always have when enrolled with a Work Profile.

Have a good one!

Wednesday, August 26, 2020

Share Photos With Android Work Profile

Hello again Internet!

In today's post I would like to give a guide on how to share items into the Android Work Profile.

When we want to share something in Teams, Outlook, etc., most people start off in the app the communication is being created from. In our example today we will use Teams.

The issue is that, due to the architecture of the Work Profile, it will usually show an empty gallery. More precisely, it only shows your 'Work' files to choose from.

To get around this and share your personal items, assuming the Work Profile configuration allows it, you need to start from the photo you want to share. Once there, choose the share icon in the bottom left. Please note I tried to sanitize these images of any personal info, so expect some red and white MSPaint skills.

EDIT: I just realized the image below may be confusing. The image below is a screen capture of the Outlook app I took earlier. The screenshot below is an image in my phone's photos app, not an actual Outlook screen.

Once you have chosen to share the image, the share sheet will come up. This can look different depending on your photo gallery app, device manufacturer, and even OS version. What you should see, though, is an option for the Work Profile: the blue briefcase (the work badge) in the screen grab below.

Once you choose to share the image to the Work Profile, a new menu will pop up and let you choose which work-badged app to share it to. In our test case I will choose Teams.

Once you make your selection it will open your work-badged app and let you choose which chat or channel to share the image to.

Once you choose your chat (I just chose Joe from my recent chats list) it will upload the image into the chat and you can then send it.

Hope this quick tutorial helps some of you out there and lets you keep communicating the way you have been in a new Work Profile world.

Have a good one!

Thursday, August 20, 2020

App Protection Policies and Outlook Add-Ins

Hello Everyone!

Back to the technical side of the house today.

In this post I want to talk about a lesser-known gap in Intune App Protection Policies, also known as MAM.

When protecting the Outlook mobile app there is a small hole that lets corporate data escape the containerization policies: the 'Add-Ins' in the app. These loop third-party services such as Trello, Wrike, Evernote, etc. into the Outlook app.

The issue is that when you add these add-ins you can log into them with a personal account. The App Protection Policy cannot distinguish data going into the add-in. I suspect that, because the add-in is contained entirely within the Outlook app itself, the policy views it as data just moving around internally within the app.

The workaround is not great either, but it's not terrible in my opinion. It really is something that should be disabled anyway for security's sake. The fix is to remove end users' ability to install add-ins themselves. The reason this is not a 100% great fix is that the permission applies not just to the Outlook app, but also to OWA and Outlook desktop.

Once you disable these permissions the user will no longer be able to select add-ins, and when they try they receive the message below.
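For those who would rather do this (and audit it) from Exchange Online PowerShell than the admin center, here is an added example; it is not from the original post. It assumes the tenant uses the built-in Default Role Assignment Policy, that the three "My ... Apps" roles are what grant users the ability to install add-ins, and that the assignments carry Exchange's usual "<Role>-<Policy>" names. The ExchangeOnlineManagement module and an Exchange admin account are required.

```powershell
# Added example, not from the original post. Audits and removes the user-facing
# add-in roles from the default role assignment policy, which is the change the
# post describes (and, as the post notes, it affects OWA and desktop Outlook too).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$Policy     = 'Default Role Assignment Policy'          # assumption: default policy in use
$AddInRoles = 'My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailbox Apps'

function Get-AddInRoleAssignments {
    # Role assignments on the policy that let end users install add-ins.
    param([Parameter(Mandatory)][string]$PolicyName)
    Get-ManagementRoleAssignment -RoleAssignee $PolicyName |
        Where-Object { $AddInRoles -contains $_.Role }
}

# Audit: which add-in roles are still granted to users?
$before = Get-AddInRoleAssignments -PolicyName $Policy
$before | Select-Object Name, Role, Enabled | Format-Table -AutoSize

# Remediate: drop each assignment. Add -WhatIf to the Remove to preview first.
foreach ($assignment in $before) {
    Remove-ManagementRoleAssignment -Identity $assignment.Name -Confirm:$false
}

# Verify: an empty result means users can no longer add their own add-ins.
$after = Get-AddInRoleAssignments -PolicyName $Policy
if (-not $after) {
    Write-Host "Add-in self-service removed from '$Policy'."
} else {
    Write-Warning "Still assigned: $($after.Role -join ', ')"
}

Disconnect-ExchangeOnline -Confirm:$false
```

If your tenant has custom role assignment policies, run the audit once per policy (Get-RoleAssignmentPolicy lists them), since users on a custom policy keep whatever that policy grants.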

Hopefully this can close a small hole some of you may have in your org today.

Have a good one!

Edit 3/26/2021: I have received this from a Microsoft contact of mine:

The good news is this has got onto the roadmap now; we will soon provide a way through MAM app config to control this so that add-ins can be disabled only on the mobile app. ETA for this is H2 CY21.

Thursday, August 13, 2020

Personal Thoughts on Mobility

 The quiet side of the cloud evolution

    For a few years now the next evolution for most businesses has been the cloud. Yes, I know what you are saying: the cloud is old news, people fully adopted the "cloud" some years ago and are on to bigger and better things like automation, AI, IoT, and of course DevOps. That is not everyone, though; it is not even the majority of businesses I interact with.

    When people think of the cloud and the benefits it offers, most businesses talk IaaS, PaaS or SaaS. How can we lift and shift our infrastructure, our apps, our business processes? What has caused less of a stir overall is the lift and shift of endpoints and their management to cloud-enabled, modern management platforms. This, to me, is the quieter side of the cloud.

    Endpoint management has undergone, and will continue to undergo, massive changes. These are driven by changes in business functions and in the way employees work. Almost gone, but not quite, are the days of assigned cubicles, restrictive and ineffective policies, and the feeling of needing a body in a seat for your workforce to be productive. The technology changes these business changes drive are only possible on a cloud platform.

    What do these technology changes try to solve? In short, increasing the ability to work anywhere, from any device, while maintaining security. Your office network is no longer the security boundary; you no longer host business-critical apps on your own hardware behind non-web logins; and shadow IT sprawl can overwhelm a business, because if there is an easier way to complete a business process than what IT offers, end users will find it and adopt it.

    How do we address these needs? It all starts with identity. The goal of working from anywhere tosses out the network as the security plane, and from any device tosses out traditional device management. Identity is the new security and control plane, as it is the common thread between anywhere and any device. This means a true modern management solution has to have an identity solution attached to it with deep integration, such as Microsoft Intune or VMWare's Workspace1. Without identity, your cloud-enabled endpoint solution is not truly modern-management capable.

Covid-19 and the great experiment

    In late 2019, into 2020, and at the time of this writing, Covid-19 is a global pandemic. Many businesses and workers cannot work, have been furloughed, or have reduced their hours. This has hit businesses across all sectors in a meaningful way.

    For some businesses and workers it's as if we have been forced into a grand experiment whose goal is to answer two questions:
1. Can you work remotely?
2. Can you do it securely?
As the world has come to find out, the answer is a pretty solid yes: we can work remotely, and in a meaningful and productive way.

    Modern management can make this forced transition so much smoother for the end user and the business. The ability to use mobile platforms such as iOS and Android phones or tablets, the option of BYOD not just for mobile but for Windows 10 as well, and the ability to do this securely because the proper identity controls are in place, let the workforce be safe and productive while giving the admin the management and security they require at the same time.

    Is this forced experiment a success? In most ways yes, but there are some challenges. Change is hard, no matter the circumstance, and getting a traditional business to adopt modern management can be difficult in the best of times. Things are not the same in the cloud world. Reporting is different, security is different, some things are actually lacking or missing and we have to find creative solutions for them. Because it is a cloud platform, though, it can move with incredible speed, with changes to the system and the available controls landing constantly. Other products have had a handful of decades to mature, whereas most modern management platforms have only had roughly 5 years give or take, yet the modern solutions are already catching up thanks to being built on a cloud platform.

    This is all mostly just me rambling, but if you have made it this far I want to leave you with a couple of solid takeaways. Do not be afraid to change and adopt a mobile endpoint solution, allow your users a little more freedom in choosing where and how they work, and when someone mentions the cloud, remember that includes endpoint management too.