Search This Blog

Tuesday, April 2, 2019

Intune App Protection Policies and iOS Exemptions

Hello Everyone!

No amount of searching has been very helpful for me personally when trying to find iOS application identifier URLs. 

A URL identifier is a unique name that each iOS application must have. Using this name an existing application on an iOS device can call upon that app to perform actions, such as open a file. 

To my knowledge there is no list out there for such identifiers. What I would like to do is start that list here. 

My only methods to finding out this URL identifier are to either ask the developer or to take a guess and test it inside of safari. If you open safari and type the following into the address bar

guessedappname:// 

You should get a result of either app not found, or something that asks if you would like to allow an app to open the webpage. See screen shots below.




Without further ado here is the very short list of ones I have used in the past. Please, please, please if you know any additional ones leave a comment below and lets get them added to the list.


  • Salesforce - salesforce1
  • Go To Meeting - gotomeeting
  • AutoCAD DWG Viewer and Editor - autocad
  • Webex - wbx
  • Zoom Cloud Meetings - zoomus
  • Slack - slack
  • Apple Maps - maps
  • Google Maps - googlemaps

The items on this list were generated by myself and the community. I have not verified the accuracy of most of them. I am asking for the communities help in either adding to the list or for a more foolproof way of finding out the applications URL identifier.

Thanks everyone!

Tuesday, March 12, 2019

The Intune Exchange Connector Workflow and Gotchas

Hello readers!

In this post I want to talk about some of the Intune on-premise Exchange Connector gotchas and how the communication flow works. 

What is the Exchange Connector?





The Intune Exchange Connector is a piece of software that you download from the Intune portal and install on your Exchange server. Specifically the CAS role if you still have seperated roles. Installation instructions can be found here.

https://docs.microsoft.com/en-us/intune/exchange-service-connector-configure

Please note that the section on the 'Service to Service' connector should be ignored. That feature is being deprecated and was honestly never needed in the first place.

I dont want to go over installation, the Microsoft document does a decent job of that and its fairly self explanatory. I do want to touch on the communication flow. It looks something like this,

For iOS, and Knox devices there are 2 routes. Either you install the company portal first, or you try to add an EAS account first. We will go over the adding an EAS account scenario.

1. End user adds thier EAS account to their mobile device
2. After some time the Intune connector will sync the EAS record up to Intune
3. If the EAS record gets synced up and there is no corresponding MDM record the Intune Connector will set the device from allowed to blocked
4. The end user will recieve an email asking them to enroll into Intune
5. The end user enrolls the device into Intune and creates an MDM record
6. The EAS record and MDM record merge to become a EAS/MDM record in the Intune console
7. The connector will do another sync and check that the record is merged. If so it will remove the device from blocked back to allow

Where this process gets tricky though is for non-Samsung Androids. For some reason, and this may change with Android Enterprise, when a regular Android device enrolls into Intune it does not report its Active-Sync ID. They way we get around this is by using the link in the email notification we receive on the device that says we've been blocked. This link contains our EAS ID and will communicate that to the Intune Service. Without this link our EAS record will never merge with the MDM record when enrolled.

This also makes it tricky to use any type of non native email client as these clients create their own EAS record but can never create an MDM record to match to. The MDM record is always owned by the device not by the email clients on it, if that makes sense. Long story short you have to use the native mail clients when doing this or you have to create an exception for certain platforms.

I will say it again, non-Samsung Android devices have to enroll via the email notification!!! Just going to the app store and getting the company portal app will not work. Enrolling using the app before you receive the email notification will not work.

Here is where the gotchas come in to play. There are two main ones that I want to cover. 

When setting up the connector it asks you to enter a notification account. You need to enable that and MAKE SURE THAT ACCOUNT HAS A MAILBOX!







Without a mailbox the end user will never receive the email asking them to enroll with the link that contains their EAS ID. 

Second gotcha is that this service relies heavily on the Autodiscover service. Very heavily. If your Autodiscover is not healthy then this process will fail. One specific example of this when working through this in my lab was that I did not have an internal DNS record for Autodiscover.rollerlabs.com. This is because internal Outlook clients do not use the DNS record to find AutoD, they use the internal URI that is set within Exchange. I never had a need for an actual internal DNS record before. 

The connector was reliant upon that to find the Exchange server, even though you specify in the connector what your server name is, it will still look at AutoD.





Once I added the internal AutoD record I was able to receive the enroll now email.




This is just an image pulled out of a search but it lets you see the format of the expected email. Please note that the activate/enroll email with link that contains your EAS ID is not the same as the email generated by the exchange server that tells you your device has been blocked. The activate link will come from the Notification account.




Hope this is helpful to someone out there. Is anyone still using Exchange on premise anymore? Hello? Bueller?



Thursday, February 28, 2019

SSPR Note From The Field

Hello Everyone!

Today I want to talk about a little issue I found when deploying SSPR at a customer. We enabled write back in AAD Connect, used a test group to start with in Azure AD, set all of our options up, created a new test user on prem and synced it up into the group. 

Everything appeared to be working. 

When we rolled it out to the general population (without forcing enrollment so most of production never even knew something was wrong when it broke) we started seeing some weird behavior on our existing users. When they would go to reset thier password we would get this error in the portal




Except everything did meet the policy. We then traced it back using a few various logs. One place where nothing showed up was in the Synchronization Service app on the AAD Connect server. Where we did see something was in the Azure AD Audit Logs




And the Event Viewer on the AAD Connect server as well


Come to find out most existing accounts had the restriction of 'User cannot change password' set in their account options in Active Directory from some past project that the current admin was not aware of. 



If your running into a similar situation maybe take a look there. This can be fixed either manually, with PowerShell, or as luck would have it this is one of the options you can set when you select multiple user objects in ADUC.

Good luck!