tag:blogger.com,1999:blog-6136975414599614540 2024-03-17T20:03:41.995-07:00 A Mobile Attempt An Enterprise Mobility, Security, Endpoint, and Sometimes Collaboration Blog. amobileattempt http://www.blogger.com/profile/12096015794065310499 noreply@blogger.com Blogger42125 tag:blogger.com,1999:blog-6136975414599614540.post-6534531563391639752 2022-02-13T17:49:00.009-08:00 2022-02-13T21:45:03.836-08:00 How to Get 'Around' AutoPilot<p><span style="font-family: inherit; font-size: large;"> Hello All!</span></p><p><span style="font-family: inherit; font-size: large;"><br /></span></p><p><span style="font-family: inherit; font-size: large;">I've been inspired to write this after seeing a thread on Reddit where, or so the story goes, a son had estranged himself from his father and left the household, but the father had the family PCs enrolled into an Autopilot / MEM instance and wiped the son's PC. When the son tried to reboot the PC he was met with the branded Autopilot screen and, not wanting to be under his father's control, reached out to Reddit to see how he could avoid Autopilot and re-enrollment. </span></p><p><span style="font-family: inherit; font-size: large;">This got me curious as to all the ways that could be accomplished. Conversely, you could follow the opposite of this post to enforce Autopilot in your organization.</span></p><p><span style="font-family: inherit; font-size: large;">It used to be very easy, but MS has patched quite a few of the holes. In 1903 they removed the ability to start the process and then hit the 'go back' button to get to the unbranded sign-in screen, which would allow a local user account. </span></p><p><span style="font-family: inherit; font-size: large;">At some point they added a control in the Autopilot profile to hide the change-account options. 
</span></p><p><span style="font-family: inherit; font-size: large;"><br /></span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEh_2lkLxElmTBeJAmdUJAv58Y_2n1_iXdgXt-H6hhCFogZ3rRC_9tV0RqMJkk8daRTzpxAj6ri58IgNgqpdFBhccsQrXhWNc129g804MYJ0MiMUp-9t0nTxcHKWA9Dzomyq4vRIC6aWXBAvwHO5YE07FoX2Q-4EBgNs-i0QjHTeNO6r_1B4iCYxLrMu=s1642" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit; font-size: large;"><img border="0" data-original-height="102" data-original-width="1642" height="40" src="https://blogger.googleusercontent.com/img/a/AVvXsEh_2lkLxElmTBeJAmdUJAv58Y_2n1_iXdgXt-H6hhCFogZ3rRC_9tV0RqMJkk8daRTzpxAj6ri58IgNgqpdFBhccsQrXhWNc129g804MYJ0MiMUp-9t0nTxcHKWA9Dzomyq4vRIC6aWXBAvwHO5YE07FoX2Q-4EBgNs-i0QjHTeNO6r_1B4iCYxLrMu=w640-h40" width="640" /></span></a></div><div class="separator" style="clear: both; text-align: center;"><span style="font-family: inherit; font-size: large;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><span style="font-family: inherit; font-size: large;"><br /></span></div><p style="clear: both; text-align: left;"><span style="font-family: inherit; font-size: large;">At some point they also introduced a setting that requires internet connectivity during OOBE to proceed. This CSP flips what's called a UEFI variable, and that variable persists through a machine wipe. This means that during first-time setup it would not be set, since the device is not enrolled at that time, but subsequent wipes would be protected. 
</span></p><p style="clear: both; text-align: left;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhvZO9a2nkxC4G813uBMHgBrCRW4AtkezF4PajViNBb07gY2apzLmV47kYtpjF-Zy5cXxeiSmOBoHZt1kGhOlSeBq607nMWFntgMhoQlQMQxMxWO9lu0UEMCRWOIVIhU-awQBVxTzvj_9QRNfiWIhwLLVdi0kIwPASvUvIa2qCVHrIxPnSx0CiE5GeW=s1458" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit; font-size: large;"><img border="0" data-original-height="118" data-original-width="1458" height="52" src="https://blogger.googleusercontent.com/img/a/AVvXsEhvZO9a2nkxC4G813uBMHgBrCRW4AtkezF4PajViNBb07gY2apzLmV47kYtpjF-Zy5cXxeiSmOBoHZt1kGhOlSeBq607nMWFntgMhoQlQMQxMxWO9lu0UEMCRWOIVIhU-awQBVxTzvj_9QRNfiWIhwLLVdi0kIwPASvUvIa2qCVHrIxPnSx0CiE5GeW=w640-h52" width="640" /></span></a></div><span style="font-family: inherit; font-size: large;"><br />With that background info in mind, let's get back to our Reddit user. For this initial workaround let's just assume that neither control is deployed. The default state of both is 'not configured', so it's not too far of a stretch. </span><p></p><p style="clear: both; text-align: left;"><span style="font-family: inherit; font-size: large;">With the account change options set to 'show', all the end user would have to do is choose to "domain join" instead, or enter an incorrect email address / password enough times, and they would be presented with the option to create a local user instead, like below. 
</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjd07xLdUEcQT9ZRlMthv2l20gtVwPStONJscHpfSatxZVNCB01YH0j-65XaA1lbrZ0I3b520eBEw4Go0-DqiUCvo-khXGtbEVulleVkGG9CkILFzNTEzZWNtWQ5G0TvmJKdDndBI5S-948YpFE-aMc_6v9LcbPyuf2Jtsi1Wa4JyiBNYE4hyt-ZKAn=s900" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit; font-size: large;"><img border="0" data-original-height="582" data-original-width="900" height="414" src="https://blogger.googleusercontent.com/img/a/AVvXsEjd07xLdUEcQT9ZRlMthv2l20gtVwPStONJscHpfSatxZVNCB01YH0j-65XaA1lbrZ0I3b520eBEw4Go0-DqiUCvo-khXGtbEVulleVkGG9CkILFzNTEzZWNtWQ5G0TvmJKdDndBI5S-948YpFE-aMc_6v9LcbPyuf2Jtsi1Wa4JyiBNYE4hyt-ZKAn=w640-h414" width="640" /></span></a></div><span style="font-family: inherit; font-size: large;"><br /></span><p style="clear: both; text-align: left;"><span style="font-family: inherit; font-size: large;"><br /></span></p><span style="font-family: inherit; font-size: large;">Easy enough. Now let's move on to what happens if changing accounts is hidden. What then? Well, this option only applies to the Autopilot-branded welcome screen, not the default screen. We can remove the branded screen by removing the autopilot.json file that is found at C:\Windows\Provisioning\Autopilot. This can be done easily from the logon screen by going into the command line by hitting Shift+F10, and from there you can even just launch explorer.exe to bring up the GUI and navigate to it. 
Once that has been removed and you give it the ol' reboot, you should be met with a local login like so.</span><p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhqs_sr0MlcCSpl5tJVApX2o38P5gU63vUK41QONYGGlmcJPI7D-da2a0dLAjiibGh083hV8Jdht9FCzUpofueVhHEifQfFaM9bnIKILiIhpS3M5KBSAJpjqUb9wyEK_s2Ep3W_rUtw3pMDCpOxserWRr-_MrcOL_-ALaCnyc1cxdirEftTCmuyXCt2" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit; font-size: large;"><img data-original-height="640" data-original-width="904" height="453" src="https://blogger.googleusercontent.com/img/a/AVvXsEhqs_sr0MlcCSpl5tJVApX2o38P5gU63vUK41QONYGGlmcJPI7D-da2a0dLAjiibGh083hV8Jdht9FCzUpofueVhHEifQfFaM9bnIKILiIhpS3M5KBSAJpjqUb9wyEK_s2Ep3W_rUtw3pMDCpOxserWRr-_MrcOL_-ALaCnyc1cxdirEftTCmuyXCt2=w640-h453" width="640" /></span></a></div><span style="font-family: inherit; font-size: large;"><br /><br />Ideally, now with no Autopilot.json file and with a shiny new local admin account that's past the OOBE, the machine should be free from management, for now anyway, until the next device reset. </span><p></p><p><span style="font-family: inherit; font-size: large;">As for the additional setting to require network during OOBE that stamps the UEFI variables...we are going to have to wait on that. I do not currently know how to change those, but when I figure it out I will update this post. My initial thought is that you can launch PowerShell and change them in some manner that way, or possibly even from the built-in preboot UEFI interface. 
</span></p><p><span style="font-family: inherit; font-size: large;">For now, remove the .json and don't connect to the internet when you are going through the OOBE....or, ya know, just re-image with Windows Home, as that doesn't even check into the Autopilot service!</span></p><p><span style="font-family: inherit; font-size: large;">Until next time!</span></p><p><span style="font-family: inherit; font-size: large;"><br /></span></p><p></p><div class="separator" style="clear: both; text-align: center;"><span style="font-family: inherit; font-size: large;"><br /></span></div><span style="font-size: large;"><span style="font-family: inherit;"><br /><br /></span><br /></span><p></p>amobileattempt http://www.blogger.com/profile/12096015794065310499 noreply@blogger.com 2 tag:blogger.com,1999:blog-6136975414599614540.post-4148488126747371570 2022-01-27T18:27:00.006-08:00 2022-01-27T18:27:38.763-08:00 List Of Possible iOS Identifiers<p> <span style="font-size: large;">Hello Everyone!</span></p><p><span style="font-size: large;"><br /></span></p><p><span style="font-size: large;">In this post I wanted to add a link to a Google Doc where I have compiled a list of possible iOS URI identifiers that can be used to exclude some apps from MEM's app protection policies. 
</span></p><p><span style="font-size: large;">I placed this in a Google Doc because the list was rather long and was taking up the blog's entire front page....which may have been a good thing, so maybe people wouldn't notice how long I go between blog posts haha!</span></p><p><span style="font-size: large;">Anyways, here is a link to the doc:</span></p><p><span style="font-size: x-large;"><a href="https://docs.google.com/document/d/1Y71dgb9O3MJXitSJRryPQFjvEYxAWqgwYFxxC--cBoM/edit?usp=sharing">https://docs.google.com/document/d/1Y71dgb9O3MJXitSJRryPQFjvEYxAWqgwYFxxC--cBoM/edit?usp=sharing</a></span></p><p><br /></p><p><span style="font-size: large;">Good luck out there!</span></p>amobileattempt http://www.blogger.com/profile/12096015794065310499 noreply@blogger.com 1 tag:blogger.com,1999:blog-6136975414599614540.post-1220785632175393378 2021-09-14T13:24:00.001-07:00 2021-09-20T12:29:23.839-07:00 Force the Intune Management Extension to Reinstall/Check-in Applications<p><span style="font-size: large;">Hello!</span></p><p><span style="font-size: large;"><br /></span></p><p><span style="font-size: large;">Long time no write!</span></p><p><span style="font-size: large;"><br /></span></p><p><span style="font-size: large;">I find the more ingrained I get into something the harder it is to write about it unless I am writing about new features. There are 100 other bloggers out there that do just that though, and do it as well as or better than I can (check out Peter Van Der Woude and his blog). </span></p><p><span style="font-size: large;">So this blog usually ends up being things I find interesting or things that I personally want to keep around to reference. This falls into the latter category. </span></p><p><span style="font-size: large;">When deploying and testing wrapped apps there can be a significant delay between when you make changes and when they get to the device. You could even be hitting the three-try limit on the extension and have to wait a really long time. 
Today I want to show you, and remind future me, how to clear that out so IME sees the app as a fresh install and tries again right away (relatively).</span></p><p><span style="font-size: large;">First we have to understand how the IME actually logs its attempts at installing apps. </span></p><p><span style="font-size: large;">IME uses a service that runs on the endpoints and creates reg keys for each app for each user. It stores these reg keys using the user's and app's unique GUIDs. It stores the retry attempts in these reg keys as well.</span></p><p><span style="font-size: large;">The reg key location is Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps\<User GUID>\<App GUID></span></p><p><span style="font-size: large;">Now if you wanted to wipe everything out you could just delete everything, but let's just say you want to precision-strike a certain app for a certain user. You first need to identify the user's GUID using the console. Their GUID is actually the last part of the web URL after userID; see the image below.</span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-zG_83YU659g/YUEBhRhM0mI/AAAAAAAAQ3Q/2n-pEdHaZdsd25EkfR4e8N3yeGKt5F6XACLcBGAsYHQ/s610/Console%2BUser%2BGUID.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="190" data-original-width="610" src="https://1.bp.blogspot.com/-zG_83YU659g/YUEBhRhM0mI/AAAAAAAAQ3Q/2n-pEdHaZdsd25EkfR4e8N3yeGKt5F6XACLcBGAsYHQ/s16000/Console%2BUser%2BGUID.png" /></a></div><br /><span style="font-size: large;">Once you have the GUID you want, you may want to copy and paste it into Notepad, because next we need to do the same thing for the app GUID.</span><p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-N1usoQ2SZQo/YUEB4RjJNqI/AAAAAAAAQ34/OKhHpq3P7LUCxZpE_wy4_WsCDeymMfCuwCLcBGAsYHQ/s624/ConsoleAppGUID.png" style="margin-left: 1em; 
margin-right: 1em;"><img border="0" data-original-height="290" data-original-width="624" src="https://1.bp.blogspot.com/-N1usoQ2SZQo/YUEB4RjJNqI/AAAAAAAAQ34/OKhHpq3P7LUCxZpE_wy4_WsCDeymMfCuwCLcBGAsYHQ/s16000/ConsoleAppGUID.png" /></a></div><br /><span style="font-size: large;">Now that we have the relevant information we can go to the reg key mentioned earlier and just delete the entry for the specific app we want <span style="font-family: inherit;">to force a retry</span> on. Here is a screenshot example from a test machine of mine. Remember to delete the app GUID and not the user GUID if you only want to nuke one app.</span><p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-Xo0_sJJxsBU/YUEDeNEAyuI/AAAAAAAAQ4A/WcoaFLPcugERSgiorop3x-fGtDl0xRwlwCLcBGAsYHQ/s433/IMEUserGUID.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="313" data-original-width="433" src="https://1.bp.blogspot.com/-Xo0_sJJxsBU/YUEDeNEAyuI/AAAAAAAAQ4A/WcoaFLPcugERSgiorop3x-fGtDl0xRwlwCLcBGAsYHQ/s16000/IMEUserGUID.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><div class="separator" style="clear: both; text-align: center;"><br /></div><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-DX4l9UBCBpY/YUEEAzuLPqI/AAAAAAAAQ4U/sjvoStTtO2U0MY1DzQ_3RniTqpUDCyGYwCLcBGAsYHQ/s710/IMEAppGUID.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="138" data-original-width="710" src="https://1.bp.blogspot.com/-DX4l9UBCBpY/YUEEAzuLPqI/AAAAAAAAQ4U/sjvoStTtO2U0MY1DzQ_3RniTqpUDCyGYwCLcBGAsYHQ/s16000/IMEAppGUID.png" /></a></div><p style="text-align: left;"><br /></p><p style="text-align: left;"><span style="font-size: large;">Once your chosen values are deleted, simply restart the IME service and it should reevaluate which apps need to be tried again shortly after.</span></p><p style="text-align: left;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-C-aSJjYaTPk/YUEEetKFtSI/AAAAAAAAQ4g/Rn5iGFdRYI8JGbgaXSWx4F4aUHUeVUMGQCLcBGAsYHQ/s583/IMEService.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="275" data-original-width="583" src="https://1.bp.blogspot.com/-C-aSJjYaTPk/YUEEetKFtSI/AAAAAAAAQ4g/Rn5iGFdRYI8JGbgaXSWx4F4aUHUeVUMGQCLcBGAsYHQ/s16000/IMEService.png" /></a></div><br /><span style="font-size: large;">That's it!</span><p></p><p style="text-align: left;"><span style="font-size: large;">Hopefully this speeds up some of your testing.</span></p><p style="text-align: left;"><span style="font-size: large;">Talk to you all next year!</span></p>amobileattempt http://www.blogger.com/profile/12096015794065310499 noreply@blogger.com 3 tag:blogger.com,1999:blog-6136975414599614540.post-1826730833694932459 2020-12-01T21:39:00.009-08:00 2020-12-01T21:41:47.415-08:00 Another Way to Attach Photos and Files to Work Profile Apps<p><span style="font-size: x-large;">Hello Everyone!</span></p><p><span style="font-size: x-large;">In my previous post I went over one way to share files into the work profile. </span></p><p><span style="font-size: x-large;">After poking around at it a little bit more I realized there is another way to attach files and photos into work profile apps that may be a little easier for everyone. 
</span></p><p><span style="font-size: x-large;">In this walk-through we will go through attaching a file to an existing email thread in the Outlook app, but the process should be similar for other apps.</span></p><p><span style="font-size: x-large;">It is important to note that this will be done on a Samsung S10 and the process may differ on other device platforms.</span></p><p><span style="font-size: x-large;"><br /></span></p><p><span style="font-size: x-large;">Choose to attach a file from within your application. This should open a file explorer app.</span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-lATZ2gWaLuY/X8cmT82ZYqI/AAAAAAAAOyk/NXFl-55JXBs-LkeMlNJ1-I6UalHhjKG1gCLcBGAsYHQ/s593/Image%2B37.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: x-large;"><img border="0" data-original-height="593" data-original-width="467" height="640" src="https://1.bp.blogspot.com/-lATZ2gWaLuY/X8cmT82ZYqI/AAAAAAAAOyk/NXFl-55JXBs-LkeMlNJ1-I6UalHhjKG1gCLcBGAsYHQ/w504-h640/Image%2B37.png" width="504" /></span></a></div><div class="separator" style="clear: both; text-align: center;"><span style="font-size: x-large;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><span style="font-size: x-large;"><br /></span></div><div style="text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-tHkjQAgML-Q/X8cmcBEZs7I/AAAAAAAAOyo/jeg7Ciy5_i4pnsvVmzQTHt70UzyUaP8BgCLcBGAsYHQ/s473/Image%2B38.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: x-large;"><img border="0" data-original-height="213" data-original-width="473" height="288" src="https://1.bp.blogspot.com/-tHkjQAgML-Q/X8cmcBEZs7I/AAAAAAAAOyo/jeg7Ciy5_i4pnsvVmzQTHt70UzyUaP8BgCLcBGAsYHQ/w640-h288/Image%2B38.png" width="640" /></span></a></div></div><p></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://1.bp.blogspot.com/-EnZ5EgFPEUY/X8cmcQndwbI/AAAAAAAAOys/8Sbzcwxjuz4vJJLIDTHksCT-eRCrsn5lQCLcBGAsYHQ/s465/Image%2B39.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: x-large;"><img border="0" data-original-height="273" data-original-width="465" height="376" src="https://1.bp.blogspot.com/-EnZ5EgFPEUY/X8cmcQndwbI/AAAAAAAAOys/8Sbzcwxjuz4vJJLIDTHksCT-eRCrsn5lQCLcBGAsYHQ/w640-h376/Image%2B39.png" width="640" /></span></a></div><span style="font-size: x-large;"><br /><br /></span><div><span style="font-size: x-large;">Once you are in your file explorer, open the menu (mine is in the top left). Inside the menu you want to choose the 'More Apps' option.</span></div><div><span style="font-size: x-large;"><br /></span></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-B2C_Ycvd1tY/X8cm7zrWOHI/AAAAAAAAOzA/diTJvZxxbbMZ5MVekDMNmncIMSqt91hEwCLcBGAsYHQ/s468/Image%2B40.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: x-large;"><img border="0" data-original-height="398" data-original-width="468" height="544" src="https://1.bp.blogspot.com/-B2C_Ycvd1tY/X8cm7zrWOHI/AAAAAAAAOzA/diTJvZxxbbMZ5MVekDMNmncIMSqt91hEwCLcBGAsYHQ/w640-h544/Image%2B40.png" width="640" /></span></a></div><span style="font-size: x-large;"><br /></span><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-LeM7Di1c-Sc/X8cm5Ei4UHI/AAAAAAAAOy8/qGn6DymJSgQp6eYyLpaFjRdR10_J3F-agCLcBGAsYHQ/s806/Image%2B41.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: x-large;"><img border="0" data-original-height="806" data-original-width="438" height="640" src="https://1.bp.blogspot.com/-LeM7Di1c-Sc/X8cm5Ei4UHI/AAAAAAAAOy8/qGn6DymJSgQp6eYyLpaFjRdR10_J3F-agCLcBGAsYHQ/w348-h640/Image%2B41.png" width="348" /></span></a></div><div class="separator" style="clear: both; text-align: center;"><span style="font-size: x-large;"><br /></span></div><div 
class="separator" style="clear: both; text-align: center;"><span style="font-size: x-large;"><br /></span></div><span style="font-size: x-large;"><br />The 'More Apps' option should allow you to choose applications and files that exist outside of the Android Work Profile, if your organization allows it in the settings. Once you are able to see your outside files, choose the one you want to insert into your mail, Teams message, OneDrive upload, etc. In our case we are going to choose a picture of this awesome and hilarious custom VW Bug from my local Lowe's parking lot.</span></div><div><span style="font-size: x-large;"><br /></span></div><div><span style="font-size: x-large;"><br /></span><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-C8a8Kot1oeM/X8coIRIXDvI/AAAAAAAAOzU/gEwATAquL8I88XTlpB6Y_VlWnhrxbzgFwCLcBGAsYHQ/s767/Image%2B42.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: x-large;"><img border="0" data-original-height="767" data-original-width="466" height="640" src="https://1.bp.blogspot.com/-C8a8Kot1oeM/X8coIRIXDvI/AAAAAAAAOzU/gEwATAquL8I88XTlpB6Y_VlWnhrxbzgFwCLcBGAsYHQ/w388-h640/Image%2B42.png" width="388" /></span></a></div><span style="font-size: x-large;"><br /><br /></span><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-9RTrBq4lHWs/X8coF7BBo3I/AAAAAAAAOzQ/n6KrGgtLPMMFA0U5R5H7jimObiHAUolBgCLcBGAsYHQ/s714/Image%2B43.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: x-large;"><img border="0" data-original-height="714" data-original-width="465" height="640" src="https://1.bp.blogspot.com/-9RTrBq4lHWs/X8coF7BBo3I/AAAAAAAAOzQ/n6KrGgtLPMMFA0U5R5H7jimObiHAUolBgCLcBGAsYHQ/w416-h640/Image%2B43.png" width="416" /></span></a></div></div><div class="separator" style="clear: both; text-align: center;"><span style="font-size: x-large;"><br /></span></div><div class="separator" style="clear: both; text-align: 
center;"><span style="font-size: x-large;"><br /></span></div><div class="separator" style="clear: both; text-align: left;"><span style="font-size: x-large;">Hopefully between this method and the previous post you can continue using your applications as you always have when enrolled with a Work Profile.</span></div><div class="separator" style="clear: both; text-align: left;"><span style="font-size: x-large;"><br /></span></div><div class="separator" style="clear: both; text-align: left;"><span style="font-size: x-large;">Have a good one!</span></div>amobileattempt http://www.blogger.com/profile/12096015794065310499 noreply@blogger.com 0 tag:blogger.com,1999:blog-6136975414599614540.post-5162512587564710936 2020-08-26T08:47:00.017-07:00 2020-12-01T21:41:21.575-08:00 Share Photos With Android Work Profile<p><span style="font-size: x-large;">Hello again Internet!</span></p><p><span style="font-size: x-large;"> In this post today I would like to do a guide on how to share items with the Android Work Profile. </span></p><p><span style="font-size: x-large;">When we want to share something in Teams, Outlook, etc., most people start off in the app that we are creating the communication from. In our example today we will use Teams. </span></p><p><span style="font-size: x-large;">The issue is that, due to the architecture of the Work Profile, it will usually show an empty gallery. 
More precisely, it only shows your 'Work' files to choose from.</span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-hRe_cKUZ9xo/X0Z_1WQfxpI/AAAAAAAANTc/yJzfK7FZNdwfZNfzYx7GEr6-zwuaCVK1gCLcBGAsYHQ/s2280/Screenshot_20200826-112007.jpg" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: x-large;"><img border="0" data-original-height="2280" data-original-width="1080" height="640" src="https://1.bp.blogspot.com/-hRe_cKUZ9xo/X0Z_1WQfxpI/AAAAAAAANTc/yJzfK7FZNdwfZNfzYx7GEr6-zwuaCVK1gCLcBGAsYHQ/w303-h640/Screenshot_20200826-112007.jpg" width="303" /></span></a></div><div class="separator" style="clear: both; text-align: center;"><span style="font-size: x-large;"><br /></span></div><div class="separator" style="clear: both; text-align: left;"><span style="font-size: x-large;">In order to get around this and to share your personal items, assuming the Work Profile configuration allows it, you need to start off in the photo you want to share. Once there you choose the share icon in the bottom left. Please note I tried to sanitize these images of any personal info, so expect some red and white MSPaint skills.</span></div><div class="separator" style="clear: both; text-align: left;"><span style="font-size: x-large;"><br /></span></div><div class="separator" style="clear: both; text-align: left;"><span style="font-size: x-large;">EDIT: I just realized the image below may be confusing. The image below is a screen capture of the Outlook App I did earlier. 
The screenshot below is an image in my phone's photos app, not an actual Outlook screen.</span></div><span style="font-size: x-large;"><br /></span><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-aJC5_tSTJhg/X0aCTp4i-WI/AAAAAAAANU8/gogLvzr9NuwUtGseFeB8dgZ1ENg3RlpvgCLcBGAsYHQ/s2280/Screenshot_20200826-112139_Photos.jpg" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: x-large;"><img border="0" data-original-height="2280" data-original-width="1080" height="640" src="https://1.bp.blogspot.com/-aJC5_tSTJhg/X0aCTp4i-WI/AAAAAAAANU8/gogLvzr9NuwUtGseFeB8dgZ1ENg3RlpvgCLcBGAsYHQ/w303-h640/Screenshot_20200826-112139_Photos.jpg" width="303" /></span></a></div><div class="separator" style="clear: both; text-align: center;"><span style="font-size: x-large;"><br /></span></div><div class="separator" style="clear: both; text-align: left;"><span style="font-size: x-large;">Once you have chosen to share the image, the share window will come up. This can look different depending on the photo gallery app you have, device manufacturer, and even OS version. What you should see though is an option for the Work Profile. 
The blue suitcase in the screen grab below.</span></div><span style="font-size: x-large;"><br /></span><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-72SRPm29Me0/X0aCTu9SAhI/AAAAAAAANVE/hIsSIbLK-mQS7oBMLbTcfHb4X7QkDXsbQCLcBGAsYHQ/s2280/Screenshot_20200826-112149_Photos.jpg" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: x-large;"><img border="0" data-original-height="2280" data-original-width="1080" height="640" src="https://1.bp.blogspot.com/-72SRPm29Me0/X0aCTu9SAhI/AAAAAAAANVE/hIsSIbLK-mQS7oBMLbTcfHb4X7QkDXsbQCLcBGAsYHQ/w303-h640/Screenshot_20200826-112149_Photos.jpg" width="303" /></span></a></div><div class="separator" style="clear: both; text-align: center;"><span style="font-size: x-large;"><br /></span></div><div class="separator" style="clear: both; text-align: left;"><span style="font-size: x-large;">Once you choose to share the image to the Work Profile a new menu will pop up and allow you to choose which work badged app to share it to. 
In our test case I will choose Teams.</span></div><span style="font-size: x-large;"><br /></span><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-NtY1L6D3s-U/X0aCTkGyl3I/AAAAAAAANVA/s_QENIpVm4YLMRnPykrj7Lio4z2r-80hACLcBGAsYHQ/s2280/Screenshot_20200826-112201_Android%2BSystem.jpg" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: x-large;"><img border="0" data-original-height="2280" data-original-width="1080" height="640" src="https://1.bp.blogspot.com/-NtY1L6D3s-U/X0aCTkGyl3I/AAAAAAAANVA/s_QENIpVm4YLMRnPykrj7Lio4z2r-80hACLcBGAsYHQ/w303-h640/Screenshot_20200826-112201_Android%2BSystem.jpg" width="303" /></span></a></div><p><span style="font-size: x-large;"><br /></span></p><span style="font-size: x-large;">Once you make your selection it will open your work badged app and allow you to choose which communication channel to share the image to.</span><p></p><p><span style="font-size: x-large;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-O8a8UohlCv8/X0aCT3LYmCI/AAAAAAAANVI/t57Ayzx9fRwmfx9SxpqXr0HZV8zd24RDwCLcBGAsYHQ/s2280/Screenshot_20200826-112209.jpg" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: x-large;"><img border="0" data-original-height="2280" data-original-width="1080" height="640" src="https://1.bp.blogspot.com/-O8a8UohlCv8/X0aCT3LYmCI/AAAAAAAANVI/t57Ayzx9fRwmfx9SxpqXr0HZV8zd24RDwCLcBGAsYHQ/w303-h640/Screenshot_20200826-112209.jpg" width="303" /></span></a></div><p><span style="font-size: x-large;"><br /></span></p><span style="font-size: x-large;">Once you choose your chat, I just chose Joe from my recent chats list, it will upload the image into the chat and you can then send it.<br /></span><div class="separator" style="clear: both; text-align: center;"><a 
href="https://1.bp.blogspot.com/-0XHydqdLSgQ/X0aCT19eghI/AAAAAAAANVM/ayicKTUE7N45qzWIn4cuoM9s5k1m7xFxwCLcBGAsYHQ/s2280/Screenshot_20200826-112221.jpg" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: x-large;"><img border="0" data-original-height="2280" data-original-width="1080" height="640" src="https://1.bp.blogspot.com/-0XHydqdLSgQ/X0aCT19eghI/AAAAAAAANVM/ayicKTUE7N45qzWIn4cuoM9s5k1m7xFxwCLcBGAsYHQ/w303-h640/Screenshot_20200826-112221.jpg" width="303" /></span></a></div><span style="font-size: x-large;"><br /></span><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><span style="font-size: x-large;"><img border="0" data-original-height="2280" data-original-width="1080" height="640" src="https://1.bp.blogspot.com/-9o1HPTnVrSw/X0aCUF8AhZI/AAAAAAAANVQ/QT95glF8kUsNdsLWQoTDax614bbPoM4AwCLcBGAsYHQ/w303-h640/Screenshot_20200826-112238.jpg" style="margin-left: auto; margin-right: auto;" width="303" /></span></td></tr><tr><td class="tr-caption" style="text-align: center;"><span style="font-size: x-large;"><br /></span></td></tr></tbody></table><span style="font-size: x-large;"><br /><br /></span><div class="separator" style="clear: both; text-align: center;"><span style="font-size: x-large;"><br /></span></div><span style="font-size: x-large;"><br /></span><div class="separator" style="clear: both; text-align: center;"><span style="font-size: x-large;"><br /></span></div><span style="font-size: x-large;">Hope this quick tutorial helps some of you out there and allows you to continue communicating in the ways you have been in a new Work Profile world.</span><p></p><p><span style="font-size: x-large;"><br /></span></p><p><span style="font-size: x-large;">Have a good 
one!</span></p>amobileattempt http://www.blogger.com/profile/12096015794065310499 noreply@blogger.com 3 tag:blogger.com,1999:blog-6136975414599614540.post-4609115233691770155 2020-08-20T20:24:00.008-07:00 2021-03-26T06:11:05.974-07:00 App Protection Policies and Outlook Add-Ins<span style="font-size: x-large;">Hello Everyone!</span><div><span style="font-size: x-large;"><br /></span></div><div><span style="font-size: x-large;">Back to the technical side of the house today.</span></div><div><span style="font-size: x-large;"><br /></span></div><div><span style="font-size: x-large;">In this post I want to talk about a lesser-known gap within Intune App Protection Policies, also known as MAM. </span></div><div><span style="font-size: x-large;"><br /></span></div><div><span style="font-size: x-large;">When protecting the Outlook Mobile App there is a small hole that allows corporate data to escape the containerization policies. These are the 'Add-Ins' in the app. These loop third-party services such as Trello, Wrike, Evernote, etc. into the Outlook App.</span></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-MYmiRNK1ZCY/Xz89bhC7d_I/AAAAAAAANOA/L7QVblqz5ZE6gkxi7HsRoyaf5U2ETkVdwCLcBGAsYHQ/s1236/extensionList.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1236" data-original-width="810" height="640" src="https://1.bp.blogspot.com/-MYmiRNK1ZCY/Xz89bhC7d_I/AAAAAAAANOA/L7QVblqz5ZE6gkxi7HsRoyaf5U2ETkVdwCLcBGAsYHQ/w419-h640/extensionList.jpg" width="419" /></a></div><br /><span style="font-size: x-large;"><br /></span></div><div><span style="font-size: x-large;">The issue is that when you add these extensions you can log into them with a personal account. The App Protection Policies cannot distinguish data going into this add-in. 
I suspect, because it is solely contained within the Outlook App itself, the policy views it as data just moving around internally into the app.</span></div><div><span style="font-size: x-large;"><br /></span></div><div><span style="font-size: x-large;">The work around for this is not great either, but its not terrible in my opinion. It really is something that should be disabled anyway for security sake. The fix itself is to remove the ability for end users to allow add-ins. The reason why this is not a 100% great fix is because this permission applies to not just Outlook App, but also OWA and Outlook desktop. </span></div><div><span style="font-size: x-large;"><br /></span></div><div><img border="0" data-original-height="344" data-original-width="1101" height="200" src="https://1.bp.blogspot.com/-vjIBYutucQM/Xz89dgOC0OI/AAAAAAAANOE/MeI_hr5UCss1BV7FG-ZqQPHfG76vAj7VwCLcBGAsYHQ/w640-h200/Exchange%2BOptions.png" width="640" /></div><div><br /></div><div><span style="font-size: x-large;">Once you disable these permissions the user will no longer be able to select add-ins and when they try they receive the message below. 
</span></div><div><span style="font-size: x-large;"><br /></span></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-EaGh0bx3gl8/Xz8-FoVzPNI/AAAAAAAANOQ/aEbBYJZZy8ctUCmNCAftXsewoKC6ff2-ACLcBGAsYHQ/s559/Denied.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="559" data-original-width="516" height="640" src="https://1.bp.blogspot.com/-EaGh0bx3gl8/Xz8-FoVzPNI/AAAAAAAANOQ/aEbBYJZZy8ctUCmNCAftXsewoKC6ff2-ACLcBGAsYHQ/w591-h640/Denied.png" width="591" /></a></div><span style="font-size: x-large;"><br /></span></div><div><span style="font-size: x-large;"><br /></span></div><div><span style="font-size: x-large;">Hopefully this can close a small hole some of you may have in your org today.</span></div><div><span style="font-size: x-large;"><br /></span></div><div><span style="font-size: x-large;">Have a good one!<br /><br />Edit 3/26/2021 I have received this from a Microsoft contact I have<br /><p class="MsoNormal"><span style="mso-fareast-font-family: "Times New Roman";"><i>The
good news is this has got into the roadmap now, we will soon provide a way
through MAM app config to control this so that add-ins can be disabled only on
the mobile app. ETA for this is H2CY21 </i><o:p></o:p></span></p><br /></span></div>amobileattempthttp://www.blogger.com/profile/12096015794065310499noreply@blogger.com0tag:blogger.com,1999:blog-6136975414599614540.post-22298391246677478032020-08-13T20:28:00.001-07:002020-08-14T10:25:48.860-07:00Personal Thoughts on Mobility<p><b> <span style="font-size: xx-large;">The quiet side of the cloud evolution</span></b></p><p><span style="font-size: x-large;"><span> </span>For a few years now the next evolution for most businesses has been the cloud. Yes, I know what you are saying, the cloud is old news and people have fully adopted the "cloud" some years ago and are on to bigger and better things like automation, a.i., IoT, and of course DevOps. This is not everyone though, this is not even the majority of businesses I interact with.</span></p><p><span style="font-size: x-large;"><span> When people think of the cloud and the benefits it offers most businesses talk IaaS, PaaS or SaaS. How can we lift and shift our infra, our apps, our business processes? What has caused less of a stir overall is the lift and shift of endpoints and management to cloud enabled, modern management platforms. This, to me, is the quieter side of the cloud.</span></span></p><p><span style="font-size: x-large;"><span> The next evolution of endpoint management has undergone, and will continue to undergo, massive changes. This is all driven by the changes in business functions and the changes to the way employees work. Almost gone, but not quite, are the days of assigned cubicles, restrictive and ineffective policies, and the feeling of needing a body in a seat to have your workforce be productive. These business changes driving the changing technology are only made possible in a cloud platform. <br /></span></span></p><p><span style="font-size: x-large;"><span><span> What do these technology changes try to solve? 
In short, it is about trying to increase the ability to work anywhere, from any device, while maintaining security. Your office network is no longer the security boundary, you no longer host business critical apps on your hardware with non web based logins, sprawl of shadow IT can overwhelm a business now because if there is an easier way to complete a business process than what IT offers to the end users they will find it and adopt it. </span><br /></span></span></p><p><span style="font-size: x-large;"><span><span><span> How do we address these needs? It all starts with Identity. With the goal of working from anywhere that tosses out the network as the security plane and from any device tosses out traditional device management. Identity is the new security and control plane as that is the common thread between anywhere and any device. This means that a true modern management solution has to have an Identity solution attached to it with deep integration, such as Microsoft Intune or VMWare's Workspace1. Without Identity your cloud enabled endpoint solution is not truly modern management capable.</span><br /></span></span></span></p><p><span style="font-size: x-large;"><span><span><span><br /></span></span></span></span></p><p><span><span style="font-size: xx-large;"><b>Covid-19 and the great experiment</b></span></span></p><p><span><span style="font-size: x-large;"><span> </span>In late 2019, into 2020, and at the time of this writing, Covid-19 is a global pandemic. Many business and workers can not work, have been furloughed, or reduced their hours. This has hit business across all sectors in a meaningful way. </span></span></p><p><span><span style="font-size: x-large;"><span> For some business and workers its as if we have been forced into this grand experiment who's goal is to answer two questions:<br /></span></span></span><span style="font-size: x-large;">1. Can you work remotely?<br /></span><span style="font-size: x-large;">2. 
Can you do it securely?</span><br /><span style="font-size: x-large;">As the world has come to find out, the answer is a pretty solid yes, we can work remotely and in a meaningful and productive way.</span></p><p><span style="font-size: x-large;"><span> Modern management can make this forced transition so much smoother for the end user and the business. The ability to use mobile platforms such as iOS and Android phones or tablets, the option to do BYOD for not just mobile but Win10 as well, and the ability to do this securely because we have the proper identity controls in place, allow the workforce to be safe and productive while allowing the admin the management and security they require at the same time.</span><br /></span></p><p><span style="font-size: x-large;"><span><span> Is this forced experiment a success? In most ways yes, but there are some challenges. Change is hard, no matter the circumstance, and getting a traditional business to adopt modern management can be difficult in the best of times. Things are not the same in the cloud world. Reporting is different, security is different, some things are actually lacking or missing and we have to find creative solutions to these things. Because we are a cloud platform though we can move with incredible speed, making changes to the system and available controls constantly. While other products have had a handful of decades to mature, where most modern management platforms have only had roughly 5 years give or take, modern solutions are already catching up due to the power of being built on a cloud platform.</span><br /></span></span></p><p><span style="font-size: x-large;"><span><span><span> This is all mostly just me rambling but if you have made it this far I want to leave you with a couple solid take aways. 
Do not be afraid to change and to adopt a mobile endpoint solution, allow your users a little more freedom in choosing where and how the way that they work, and when someone mentions the cloud remember that includes endpoint management too.</span><br /></span></span></span></p>amobileattempthttp://www.blogger.com/profile/12096015794065310499noreply@blogger.com1tag:blogger.com,1999:blog-6136975414599614540.post-53854978361033808872020-08-05T20:14:00.007-07:002020-11-17T14:05:25.131-08:00Azure AD Hybrid Join Over VPN Issues<font size="5">Hello once again! Long time no talk...read?</font><div><font size="5"><br /></font></div><div><font size="5">In this post I wanted to talk about the way Hybrid AAD Join works over VPN and an interesting communication I had with a Microsoft contact of mine recently.</font></div><div><font size="5"><br /></font></div><div><font size="5">I have covered Hybrid AADJ in the past, <a href="https://www.amobileattempt.com/2018/07/hybrid-join-azure-ad-and.html" target="_blank">link here</a>. Adding in the VPN adds a new wrinkle into the equation that is supposed to be solved by one of the HAADJ scheduled tasks. </font></div><div><font size="5"><br /></font></div><div><a href="https://1.bp.blogspot.com/-dVUOGR08moE/Xyt0ZpOrU_I/AAAAAAAANAQ/-FfM7vzEaKQI1GAX44dmFu9YeH5cFQiOQCLcBGAsYHQ/s1203/1.png" style="margin-left: 1em; margin-right: 1em; text-align: center;"><span style="font-size: x-large;"><img border="0" data-original-height="226" data-original-width="1203" height="120" src="https://1.bp.blogspot.com/-dVUOGR08moE/Xyt0ZpOrU_I/AAAAAAAANAQ/-FfM7vzEaKQI1GAX44dmFu9YeH5cFQiOQCLcBGAsYHQ/w640-h120/1.png" width="640" /></span></a></div><div><font size="5"><br /></font></div><div><font size="5">HAADJ creates a scheduled task that runs the dsregcmd.exe command. This command is built into the Win10 OS and this task is also built into the OS and have been running since day 1. These are located at Microsoft>Windows>WorkplaceJoin. 
This task has 2 defined triggers</font></div><div><div class="separator" style="clear: both; text-align: center;"><br /></div></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div><font size="5">The first trigger runs the dsregcmd at the initial logon. This does not help our VPN users at all unless you are deploying a prelogin VPN like Always-On VPN or Direct Access. The second scheduled trigger is supposed to kick off every hour after a reboot and generates a log in event viewer with ID 4096</font></div><div><font size="5"><br /></font></div><div><a href="https://1.bp.blogspot.com/-tWUpIDoV7Bk/Xyt0-Af77pI/AAAAAAAANAo/vrZvlVEaBzU4I_18MyDYFH1H9ataLATugCLcBGAsYHQ/s578/2.png" style="margin-left: 1em; margin-right: 1em; text-align: center;"><span style="font-size: x-large;"><img border="0" data-original-height="525" data-original-width="578" height="581" src="https://1.bp.blogspot.com/-tWUpIDoV7Bk/Xyt0-Af77pI/AAAAAAAANAo/vrZvlVEaBzU4I_18MyDYFH1H9ataLATugCLcBGAsYHQ/w640-h581/2.png" width="640" /></span></a></div><div><font size="5"><br /></font></div><div><font size="5"><br /></font></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-QNWNugsS5mE/Xyt1LxqRkrI/AAAAAAAANAs/pb8dSyJ9U5k3ME6_4m5JFS-EbKNo8rxAQCLcBGAsYHQ/s881/3.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: x-large;"><img border="0" data-original-height="336" data-original-width="881" height="244" src="https://1.bp.blogspot.com/-QNWNugsS5mE/Xyt1LxqRkrI/AAAAAAAANAs/pb8dSyJ9U5k3ME6_4m5JFS-EbKNo8rxAQCLcBGAsYHQ/w640-h244/3.png" width="640" /></span></a></div><font size="5"><br /></font></div><div><font size="5"><br /></font></div><div><font size="5">This would allow a VPN user to reboot, login, and trigger the once an hour request, and if still connected to the VPN in an hour kick off the Hybrid Join process. This was not seeming to happen though. The timings of this event were very sporadic. 
I brought it up to a contact I have at Microsoft and it appears there was a bug that needed fixed! I have not validated with them what version/when/how this was going to be in place but if you are having issues with VPN+Hybrid Join hopefully it should be fixed in a future build.</font></div><div><font size="5"><br /></font></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-u5YTxVbNZk8/Xyt1Q1ZNlzI/AAAAAAAANA0/6tT5zx4-A6EE_RyaZmHDCQdjfhA2Z5rKACLcBGAsYHQ/s904/4.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: x-large;"><img border="0" data-original-height="98" data-original-width="904" height="69" src="https://1.bp.blogspot.com/-u5YTxVbNZk8/Xyt1Q1ZNlzI/AAAAAAAANA0/6tT5zx4-A6EE_RyaZmHDCQdjfhA2Z5rKACLcBGAsYHQ/w640-h69/4.png" width="640" /></span></a></div><font size="5"><br /></font></div><div><font size="5"><br /></font></div><div><font size="5">Until next time fellow IT explorers</font></div><div><font size="6"><br /></font></div>amobileattempthttp://www.blogger.com/profile/12096015794065310499noreply@blogger.com5tag:blogger.com,1999:blog-6136975414599614540.post-28619474280310928482020-01-07T08:03:00.001-08:002020-01-07T08:03:29.244-08:00White Listing Apps on iOS and Still Allow iCloud<span style="font-size: large;">Hello internet people!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">I wanted to post about a recent issue that came up at a client. This particular client was using corporate-owned Apple Business Manager (the new DEP) devices that were being locked down with a white list of applications. The customer also wanted to allow people to sign into iCloud to retrieve their personal contacts, photos and things like that. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The issue was that every time we attempted to sign into iCloud it would fail. We narrowed it down to the white list policy by flipping the policy off and trying again (success), then wiping, flipping the policy back on and trying again (failure). </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">After we had narrowed it down I did a little digging and found this gem:</span><br />
<span style="font-size: large;"><br /></span>
<a href="https://support.apple.com/en-us/HT209205"><span style="font-size: large;">https://support.apple.com/en-us/HT209205</span></a><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Maybe this was common knowledge, but it wasn't for me or the customer I was working with.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Sure enough after adding com.apple.CoreCDPUI.localsecretprompt to the app white list we were able to log into iCloud without issue. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">If you are wondering what I mean when I say an app "white list" inside of Intune, it's the show/hide application settings, and it looks like the image below.</span><br />
<span style="font-size: large;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-RBl6du4Cm08/XhSrZc8u7cI/AAAAAAAALPE/cqLZ1xKzGg4UbP5WNLX70n8h9ET4cItPwCLcBGAsYHQ/s1600/Whitelist.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="630" data-original-width="610" src="https://1.bp.blogspot.com/-RBl6du4Cm08/XhSrZc8u7cI/AAAAAAAALPE/cqLZ1xKzGg4UbP5WNLX70n8h9ET4cItPwCLcBGAsYHQ/s1600/Whitelist.png" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Hey, I mean, if the word 'secret' is in the app name it can't be that well known, right?</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Have a good one!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>amobileattempthttp://www.blogger.com/profile/12096015794065310499noreply@blogger.com4tag:blogger.com,1999:blog-6136975414599614540.post-2949808001334512382019-12-18T10:57:00.000-08:002019-12-18T10:57:27.230-08:00Android Enterprise Dedicated Devices and SCEP<span style="font-size: large;">Hello Everyone! </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Recently SCEP certificate authentication was released for Intune with Android Enterprise devices. This means both COPE and Kiosk devices, or whatever they are calling them these days.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">I just finished setting this up for a customer and let me tell you there were some challenges. I don't have any screenshots of the issues but I just want to run down a list of gotchas that we ran into to help you do the same. </span><span style="font-size: large;">Once we had all other platforms working (iOS, Android Legacy, Android Work Profile) we thought Android Fully Managed would be a simple reconfig. It was not. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">1.) <b>Deploy the sub cert out with the root</b>; this should always be done in my opinion.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">2.) <b>Make sure the devices have a Compliance Policy assigned</b>. Our kiosk devices were originally marked as non-compliant because we did not have one assigned, as they were already so locked down (this is just the way the customer had their environment configured). We were seeing the SCEP, Root, and Sub certs stuck as 'Pending'. This went on for a day or so until we got Microsoft Support on the line, who suggested a Compliance policy as a general fix. He alluded that this is something he does as a baseline because of, well, Intune being Intune. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">3.) I have done iOS kiosk devices in the past without user affinity, and historically I have used the DNS attribute in the SAN. You can not do that with Android from what I have found. <b>The WiFi settings on the device itself will not recognize a certificate unless it has the UPN in the SAN</b>. It will never even attempt a connection if you give it a DNS-only SAN cert.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">4.) This could just be coincidence, but we <b>supplied an external identity in our WiFi profile as well.</b> We just used a generic name of Android Kiosk, and once it actually authenticated the identity changed to {{serialnumber}}@domain.com as it was supposed to.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">5.) We had some issues with timeouts attempting to fetch the SCEP certs and WiFi policies. We were able to solve this by syncing from both the Intune app and the built-in Android Device Policy app. My running theory on this (and I'm sure I am going to butcher it) is that the Intune certificate connector doesn't look at any Google API syncs from the Device Policy app. So when you sync from there you receive the SCEP profile, hit IIS, hit the connector, and then it just sits waiting for the Intune sync to validate and eventually times out. <b>Moral of the story: sync from both the Intune App and the Device Policy App.</b></span><br />
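<span style="font-size: large;">Gotcha #3 above (the Android WiFi stack only accepts a certificate whose SAN carries a UPN, not just a DNS name) is easy to check before you spend a day on the device. The script below is an added example and is not from the original post or from Intune; it reads the Subject Alternative Name extension of an exported certificate with .NET and reports whether a UPN otherName (OID 1.3.6.1.4.1.311.20.2.3) is present. The certificate path is a placeholder, and the "Principal Name=" / "DNS Name=" wording is the Windows CryptoAPI rendering of the extension, which is an assumption if you run this anywhere other than Windows PowerShell.</span><br />

```powershell
# Added example (not from the original post): pre-flight check that a SCEP-issued
# certificate has a UPN in its SAN, which Android Enterprise WiFi profiles require.
function Get-SanNames {
    param([Parameter(Mandatory)][string]$Path)   # path to a .cer/.crt file (placeholder)

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)

    # 2.5.29.17 is id-ce-subjectAltName
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return [pscustomobject]@{ Upn = @(); Dns = @(); Raw = '' } }

    # Format($true) renders one entry per line, e.g.
    #   DNS Name=kiosk01.domain.com
    #   Other Name:
    #        Principal Name=ABC123@domain.com
    # (assumption: Windows CryptoAPI formatting; other platforms may word this differently)
    $text = $san.Format($true)
    $upn = [regex]::Matches($text, 'Principal Name=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    $dns = [regex]::Matches($text, 'DNS Name=(\S+)')       | ForEach-Object { $_.Groups[1].Value }

    [pscustomobject]@{ Upn = @($upn); Dns = @($dns); Raw = $text }
}

function Test-AndroidWifiCert {
    param([Parameter(Mandatory)][string]$Path)

    $names = Get-SanNames -Path $Path
    if ($names.Upn.Count -eq 0) {
        # This is the exact shape of cert the device silently refuses to use
        Write-Warning "No UPN in SAN (DNS only: $($names.Dns -join ', ')). Android WiFi will not attempt a connection with this cert."
        return $false
    }
    Write-Host "UPN SAN present: $($names.Upn -join ', ')"
    return $true
}

# Usage (placeholder path to a certificate exported from the CA or a test device):
# Test-AndroidWifiCert -Path 'C:\temp\kiosk-scep.cer'
```

<span style="font-size: large;">If the check fails, the fix is on the Intune SCEP profile side (set the SAN to UPN), not on the device; re-issuing the certificate after the profile change is what makes the WiFi profile start working.</span><br />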
<span style="font-size: large;"><b><br /></b></span>
<span style="font-size: large;">This is all also assuming you have a healthy SCEP and PKI infra underneath everything which can be a task itself!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">These are all just some thoughts from someone who has spent far too long poking at SCEP. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Send help in the form of miniature paints and Chipotle.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Best of luck!</span><br />
<span style="font-size: large;"><b><br /></b></span>
<br />amobileattempthttp://www.blogger.com/profile/12096015794065310499noreply@blogger.com10tag:blogger.com,1999:blog-6136975414599614540.post-20117066093310863712019-10-21T11:07:00.002-07:002020-11-18T05:54:41.988-08:00AAD Connect and Pass Through Auth Possible Gotcha<span style="font-size: large;">Hello again everyone!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Been awhile!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">I want to make a quick post about an issue I ran into out in the field in regards to AAD Connect, Pass-Thru Auth, and log on restrictions in local AD. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">**Spoiler Alert** Read your documentation thoroughly and you can avoid stupid mistakes like this one!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Let's start off with a brief explanation of what Pass-Thru Auth is. This method of auth/SSO is similar to ADFS: when you attempt to authenticate against O365/Azure AD, the request is sent back on-premises to an agent that is installed on a member server, and that agent validates the password against your local AD. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">There are certain requirements for this member server that we won't go into in this post, such as line of sight to a DC, multiple agents for HA, etc.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Now onto what the issue was.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">At a client we recently had a group of users, well maybe 'users' is not the correct word for it, nor is 'service accounts'. It was a handful of user objects in AD that the security team used to log into a very specific set of workflows on premise and into a couple services in the cloud. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">They just stopped authenticating one day. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">When trying to auth against a cloud service they would receive this error: 'Service is currently unavailable, please contact support for further help'.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">When we looked at the sign in logs inside of Azure AD this is what we saw.</span><br />
<span style="font-size: large;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-rfVeqpmo_e0/Xa3vguAHn0I/AAAAAAAAKlg/__duXADGn60wKGGFZ_EVOYBb_a5QlgHUwCLcBGAsYHQ/s1600/signin%2Blog.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="263" data-original-width="772" height="218" src="https://1.bp.blogspot.com/-rfVeqpmo_e0/Xa3vguAHn0I/AAAAAAAAKlg/__duXADGn60wKGGFZ_EVOYBb_a5QlgHUwCLcBGAsYHQ/w640-h218/signin%2Blog.png" width="640" /></a></div>
<span style="font-size: large;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
</div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">We tinkered with the idea that AAD Connect was not syncing the password, so we took a look at the health monitor. Everything looked good, but that's when I saw they were using Pass-Thru Auth. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">We dug a little deeper and found out that this user account had a log on restriction on it in local AD that had just been implemented.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">(This photo is from my lab, hence not sanitized. I don't care if you try to compromise Zangief; the Red Cyclone will pile-drive you.)</span><br />
<span style="font-size: large;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-JrknJjkJjdE/Xa3wyhujvZI/AAAAAAAAKls/b-ecvZX01M8gSp_ygM74iRiV1Cchgc5bwCLcBGAsYHQ/s1600/Image%2B18.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="572" data-original-width="791" height="463" src="https://1.bp.blogspot.com/-JrknJjkJjdE/Xa3wyhujvZI/AAAAAAAAKls/b-ecvZX01M8gSp_ygM74iRiV1Cchgc5bwCLcBGAsYHQ/w640-h463/Image%2B18.png" width="640" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Well, there is our culprit. Because the PTA agent validates the credential from its own host, the 'Log On To' restriction applies to the agent server just like any other workstation. When using Pass-Thru Auth together with log on restrictions, you need to add whichever server(s) the agent is on to the account's log on restrictions.</span><br />
<span style="font-size: large;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-lAeXyYLpybw/Xa3xLd2qoeI/AAAAAAAAKl0/rAbtnrppfW4uDZEKqbh2IZn_wmdK2l35ACLcBGAsYHQ/s1600/Image%2B19.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="570" data-original-width="800" height="456" src="https://1.bp.blogspot.com/-lAeXyYLpybw/Xa3xLd2qoeI/AAAAAAAAKl0/rAbtnrppfW4uDZEKqbh2IZn_wmdK2l35ACLcBGAsYHQ/w640-h456/Image%2B19.png" width="640" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Once the agent servers are added you should no longer be barred from accessing any other services. If you need to lock down your cloud services for these accounts, that is where Conditional Access comes into play. </span><br />
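<span style="font-size: large;">Because this restriction lives per account in local AD, it is easy to break again the next time someone tightens a 'Log On To' list. The script below is an added example (not from the original post, and not a Microsoft tool) that audits every account carrying a log on restriction and flags any that do not include the PTA agent servers, with an optional switch to append them. The agent hostnames are placeholders you replace with your own; it assumes the ActiveDirectory RSAT module and that the 'Log On To' dialog is backed by the userWorkstations attribute (a comma-separated list of NetBIOS computer names).</span><br />

```powershell
# Added example (not from the original post): find AD accounts whose "Log On To"
# restriction would block a Pass-Through Authentication agent.
function Find-PtaLogonRestrictionGaps {
    param(
        [Parameter(Mandatory)][string[]]$AgentHosts,   # NetBIOS names of the PTA agent servers (placeholders)
        [switch]$Fix                                   # append the missing agents instead of only reporting
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # userWorkstations is the LDAP attribute behind the "Log On To" dialog.
    # Accounts without it are unrestricted and cannot hit this problem.
    $restricted = Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties userWorkstations

    foreach ($user in $restricted) {
        $allowed = $user.userWorkstations -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        # -notcontains is case-insensitive, which matches how NetBIOS names compare
        $missing = @($AgentHosts | Where-Object { $allowed -notcontains $_ })
        if ($missing.Count -eq 0) { continue }

        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            Allowed        = $allowed -join ','
            MissingAgents  = $missing -join ','
        }

        if ($Fix) {
            $new = ($allowed + $missing) -join ','
            # Replace the whole list so the existing workstations are preserved.
            Set-ADUser -Identity $user -Replace @{ userWorkstations = $new }
        }
    }
}

# Report only:
# Find-PtaLogonRestrictionGaps -AgentHosts 'PTA-AGENT01','PTA-AGENT02'
# Append the agent servers to each restricted account's list:
# Find-PtaLogonRestrictionGaps -AgentHosts 'PTA-AGENT01','PTA-AGENT02' -Fix
```

<span style="font-size: large;">Run it in report mode first; the accounts it lists are exactly the ones that will start failing cloud sign-in with the 'Service is currently unavailable' error from the sign-in log above.</span><br />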
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Moral of the story? Check your documentation when you make a change. This is laid out in the Pass-Thru Auth doc, although it is tucked away in the 'troubleshooting' doc and not in the main concept or implementation document.</span><br />
<span style="font-size: large;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-f_R_2W78u7E/Xa3yMagIuNI/AAAAAAAAKmA/Bm7M1w4P6hwnPDRDQI1g_1t1pvtc4O2qQCLcBGAsYHQ/s1600/Image%2B20.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="181" data-original-width="948" height="122" src="https://1.bp.blogspot.com/-f_R_2W78u7E/Xa3yMagIuNI/AAAAAAAAKmA/Bm7M1w4P6hwnPDRDQI1g_1t1pvtc4O2qQCLcBGAsYHQ/w640-h122/Image%2B20.png" width="640" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Hope this helps someone else out before they waste a few hours trying to figure out what the issue is.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Until next time everyone!</span><br />
<span style="font-size: large;"><br /></span>
<br />
<br />amobileattempthttp://www.blogger.com/profile/12096015794065310499noreply@blogger.com0tag:blogger.com,1999:blog-6136975414599614540.post-34050475714510494792019-08-13T09:53:00.002-07:002019-08-13T10:35:07.244-07:00Intune GPO Enrollment With MFA Quick Tip<span style="font-size: large;">When enrolling a device that is already Hybrid Joined, you may run into an issue when the account that first logs into the machine has MFA enabled on it. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Depending on how you rolled out MFA (enabling it per identity in the classic portal, or using Conditional Access with 'All cloud apps' as your MFA target), users may be required to complete an MFA challenge before the device can enroll into Intune. That prompt usually takes the form of a notification that reads something like 'your account needs attention', 'there is an issue with your account', or 'login to fix your account'.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-v-im7KDHUyA/XVLpz6mW52I/AAAAAAAAKE0/3U0ZI5meyNsNelUaAaBiPOdqutIp8ciJQCLcBGAs/s1600/Image%2B56.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="203" data-original-width="456" src="https://1.bp.blogspot.com/-v-im7KDHUyA/XVLpz6mW52I/AAAAAAAAKE0/3U0ZI5meyNsNelUaAaBiPOdqutIp8ciJQCLcBGAs/s1600/Image%2B56.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="font-size: large;">Once you select this prompt a traditional modern auth window should pop up and ask for MFA. Once you complete it, the device should enroll after some time has elapsed. </span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-EkrkrGnIpa4/XVLqay3FaJI/AAAAAAAAKE8/ro7ukha25H4TIgrTbaXiK0XKbOLQ0kXJACLcBGAs/s1600/Image%2B57.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="685" data-original-width="544" src="https://1.bp.blogspot.com/-EkrkrGnIpa4/XVLqay3FaJI/AAAAAAAAKE8/ro7ukha25H4TIgrTbaXiK0XKbOLQ0kXJACLcBGAs/s1600/Image%2B57.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="font-size: large;">To remediate this, either complete the prompt, move your MFA to Conditional Access, or exclude Intune Enrollment from your MFA policy (which sometimes does not work, as 'All Cloud Apps' protects some backend services that cannot be excluded from a CA policy).</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Hope this helps some of you out.</span>amobileattempthttp://www.blogger.com/profile/12096015794065310499noreply@blogger.com0tag:blogger.com,1999:blog-6136975414599614540.post-63297958172854894502019-06-18T11:02:00.005-07:002020-11-18T05:56:21.139-08:00Intune GPO Enrollment General Info<span style="font-size: large;">Just a quick note on how to enroll an existing domain joined device.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">If you have not done so yet, a prerequisite for the GPO enrollment is Azure AD Hybrid Join. You can find directions on how to accomplish this here:</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><a href="https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains">https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains</a></span><br />
<br />
<span style="font-family: inherit; font-size: large;">You can also find some more background information on it here:</span><br />
<span style="font-family: inherit; font-size: large;"><br /></span>
<span style="font-size: large;"><a href="https://www.amobileattempt.com/2018/07/hybrid-join-azure-ad-and.html">https://www.amobileattempt.com/2018/07/hybrid-join-azure-ad-and.html</a></span><br />
<br />
<span style="font-size: large;">Once you have that completed, are running the correct version of Windows (I recommend at least 1803), and have your GPO central store updated with the matching templates, you can create the new GPO and deploy it to your Hybrid Joined devices. Information on that process can be found here:</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><a href="https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy">https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy</a></span><br />
<br />
<span style="font-family: inherit; font-size: large;">What this article from Microsoft doesn't tell you is where to find the event logs for this process or what the error codes you might see mean. The log in Event Viewer is </span><br />
<span style="font-family: inherit; font-size: large;"><span style="background-color: white; color: #6b6b6b; font-weight: 700;"><br /></span></span>
<span style="font-family: inherit; font-size: large;"><i><b>Applications and Services Logs/Microsoft/Windows/DeviceManagement-Enterprise-Diagnostics-Provider/Admin</b></i></span><br />
<span style="font-family: inherit; font-size: large;"><span style="background-color: white;"><br /></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-gHWOiZOHuIo/XOTFzUO2GkI/AAAAAAAAJYA/UbBB21UM_kgVk7BtoXvPmJaC93TsxBQXgCLcBGAs/s1600/Untitled.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="544" data-original-width="675" height="516" src="https://3.bp.blogspot.com/-gHWOiZOHuIo/XOTFzUO2GkI/AAAAAAAAJYA/UbBB21UM_kgVk7BtoXvPmJaC93TsxBQXgCLcBGAs/w640-h516/Untitled.png" width="640" /></a></div>
<span style="font-family: inherit; font-size: large;"><span style="background-color: white;"><br /></span></span>
<br />
<span style="font-family: inherit; font-size: large;"><span style="background-color: white;"><br /></span></span>
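<span style="font-family: inherit; font-size: large;">Added here as an example, not something from the original post or from Microsoft: a PowerShell function, run elevated on a client, that gathers the things you end up checking by hand when auto-enrollment does not fire. It reads the registry values the GPO writes, the Hybrid Join state from dsregcmd, the retry task the enrollment client creates, any existing enrollments, and the success/failure events (IDs 75 and 76) from the log above. The registry value names are taken from the MDM enrollment policy template and event IDs 75/76 are the auto-enrollment result events named in the troubleshooting article below; if your template or build differs, adjust those.</span><br />

```powershell
# Added example (not from the original post): one object with the auto-enrollment state of a
# Hybrid Azure AD joined device. Run in an elevated PowerShell on the client.
# Assumed: the GPO "Enable automatic MDM enrollment using default Azure AD credentials"
# writes AutoEnrollMDM / UseAADCredentialType under the MDM policy key (per the policy
# template), and events 75 / 76 are the auto-enroll succeeded / failed events.
function Test-MdmAutoEnrollment {
    [CmdletBinding()]
    param([int]$MaxEvents = 25)

    # 1. Is the policy actually applied? Without AutoEnrollMDM = 1 nothing else happens.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $credType  = switch ([int]$policy.UseAADCredentialType) { 1 { 'User' } 2 { 'Device' } default { 'NotSet' } }

    # 2. The prerequisite from the post: the device must already be Hybrid Azure AD joined.
    $dsreg     = dsregcmd /status
    $aadJoined = [bool]($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')
    $domJoined = [bool]($dsreg -match '^\s*DomainJoined\s*:\s*YES')

    # 3. The task the enrollment client creates to retry auto-enrollment.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
        Where-Object TaskName -like 'Schedule created by enrollment client*'

    # 4. Existing enrollments; Intune shows up with ProviderID "MS DM Server".
    $enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object ProviderID |
        Select-Object @{n='Id'; e={ Split-Path $_.PSPath -Leaf }}, ProviderID, EnrollmentType

    # 5. The log the post points at; 75 = Auto MDM Enroll succeeded, 76 = failed.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id      = 75, 76
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{n='Message'; e={ $_.Message -replace '\s+', ' ' }}

    [pscustomobject]@{
        AutoEnrollMDM    = [int]$policy.AutoEnrollMDM
        CredentialType   = $credType
        AzureAdJoined    = $aadJoined
        DomainJoined     = $domJoined
        EnrollmentTask   = if ($task) { $task.State } else { 'Missing' }
        Enrollments      = @($enrollments)
        AutoEnrollEvents = @($events)
    }
}

$r = Test-MdmAutoEnrollment
$r | Format-List AutoEnrollMDM, CredentialType, AzureAdJoined, DomainJoined, EnrollmentTask
$r.Enrollments      | Format-Table -AutoSize
$r.AutoEnrollEvents | Format-Table -AutoSize -Wrap
```

<span style="font-family: inherit; font-size: large;">If AutoEnrollMDM comes back 0 the GPO has not reached the machine yet (gpupdate and check the result again before you go looking at the event log); if both join flags are YES and you only see event 76, the message text carries the error code to look up in the articles below.</span><br />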
<span style="font-family: inherit; font-size: large;">Microsoft does offer additional troubleshooting help in some tucked-away corners of its documentation, which I want to gather here. Use the links below as a starting point. Good luck!</span><br />
<span style="font-family: inherit; font-size: large;"><span style="background-color: white;"><br /></span></span>
<a href="https://support.microsoft.com/en-us/help/4494359/troubleshoot-intune-windows-10-group-policy-based-auto-enrollment"><span style="font-family: inherit; font-size: large;">https://support.microsoft.com/en-us/help/4494359/troubleshoot-intune-windows-10-group-policy-based-auto-enrollment</span></a><br />
<div>
<span style="font-family: inherit; font-size: large;"><br /></span></div>
<div>
<a href="https://support.microsoft.com/en-us/help/4469913/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune"><span style="font-family: inherit; font-size: large;">https://support.microsoft.com/en-us/help/4469913/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune</span></a><br />
</div>
amobileattempthttp://www.blogger.com/profile/12096015794065310499noreply@blogger.com0tag:blogger.com,1999:blog-6136975414599614540.post-31226119396287166162019-04-02T21:41:00.007-07:002022-01-27T18:28:45.246-08:00Intune App Protection Policies and iOS Exemptions<span style="font-size: x-large;"><i><b>Disclaimer: While the below information should be true, it can still be hit or miss getting this to work!</b></i></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Hello Everyone!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">No amount of searching has been very helpful for me personally when trying to find iOS application identifier URLs. </span><br />
<br />
<span style="font-size: large;">A URL identifier (the app's custom URL scheme, which the Intune exemption settings call a URL protocol) is a name an iOS application registers in its Info.plist. Using this name, another app on the device can open a URL of the form name:// to launch that app and hand it something to act on, such as a file. App protection policy exemptions match on this exact string, which is why you need the real one. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">To my knowledge there is no list out there for such identifiers. What I would like to do is start that list here in this post </span><a href="https://www.amobileattempt.com/2022/01/list-of-possible-ios-identifiers.html"><span style="font-size: large;">A Mobile Attempt: List Of Possible iOS Identifiers</span></a><div><div><span style="font-size: large;"><br /></span></div><div><span style="font-size: large;">Edit: 5/2021 If something is not on that list you can try the simple method below of follow the more in depth method here <a href="https://c7solutions.com/2021/04/intune-mam-exemptions-discovering-url-protocols">https://c7solutions.com/2021/04/intune-mam-exemptions-discovering-url-protocols</a></span></div><div><span style="font-size: large;"><br /></span>
<span style="font-size: large;">My only methods for finding out this URL identifier are to either ask the developer or to take a guess and test it in Safari. If you open Safari and type the following into the address bar</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">guessedappname:// </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">you should get either an app-not-found result or a prompt asking whether you want to allow the app to open the page. For an example using Salesforce (salesforce1://) see the screenshots below.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">BAD GUESS</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-guibwz7UtV0/XKQ4Hutv7ZI/AAAAAAAAJEA/3u4F2FVGPn8x4XhPIS-CtoBRk3FC7BrlwCLcBGAs/s1600/Image%2B11.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="253" data-original-width="793" src="https://2.bp.blogspot.com/-guibwz7UtV0/XKQ4Hutv7ZI/AAAAAAAAJEA/3u4F2FVGPn8x4XhPIS-CtoBRk3FC7BrlwCLcBGAs/s1600/Image%2B11.png" /></a></div>
<br />
<br />
<span style="font-family: inherit; font-size: large;">CORRECT GUESS</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-ldu_3RooK5s/XKQ4H2N15eI/AAAAAAAAJEE/2hYUeGob1ZISfKjyt8pHFgKkgnmGdz-vwCLcBGAs/s1600/Image%2B12.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="178" data-original-width="772" src="https://3.bp.blogspot.com/-ldu_3RooK5s/XKQ4H2N15eI/AAAAAAAAJEE/2hYUeGob1ZISfKjyt8pHFgKkgnmGdz-vwCLcBGAs/s1600/Image%2B12.png" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Without further ado, here is the very short list of ones I have used in the past. If you know any additional ones, leave a comment below and let's get them added to the list.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<ul>
<li><span style="font-size: large;">Salesforce - salesforce1</span></li>
<li><span style="font-size: large;">Go To Meeting - gotomeeting</span></li>
<li><span style="font-size: large;">AutoCAD DWG Viewer and Editor - autocad</span></li>
<li><span style="font-size: large;">Webex - wbx</span></li>
<li><span style="font-size: large;">Zoom Cloud Meetings - zoomus</span></li>
<li><span style="font-size: large;">Slack - slack</span></li>
<li><span style="font-size: large;">Apple Maps - maps</span></li>
<li><span style="font-size: large;">Google Maps - googlemaps</span></li>
<li><span style="font-size: large;">Docusign - Docusignit</span></li>
</ul>
<div>
<span style="font-size: large;"><br /></span></div>
<div>
<span style="font-size: large;">The items on this list were generated by myself and the community. I have not verified the accuracy of most of them. I am asking for the community's help in either adding to the list or for a more foolproof way of finding out an application's URL identifier.</span></div>
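<div>
<span style="font-size: large;">The in-depth method linked above works from the app bundle instead of guessing. As an added example (mine, not from the original post), here is a PowerShell function that opens an .ipa, which is just a zip, and reads the schemes the app registers under CFBundleURLTypes / CFBundleURLSchemes in its Info.plist. It assumes an XML-format Info.plist; App Store builds usually ship a binary plist (bplist00 header), which you convert on a Mac with plutil -convert xml1 first, and the function tells you when it hits one. The sample plist at the bottom is constructed for the demo, not taken from a real app.</span><br />

```powershell
# Added example, not from the original post: pull the URL scheme(s) an iOS app registers
# straight out of its bundle. An .ipa is a zip; Payload/<App>.app/Info.plist declares the
# schemes under CFBundleURLTypes -> CFBundleURLSchemes.
# Assumed: the Info.plist is XML. Binary plists ("bplist00") are reported, not parsed.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-IpaUrlScheme {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path $Path).Path)
    try {
        $entry = $zip.Entries |
            Where-Object { $_.FullName -match '^Payload/[^/]+\.app/Info\.plist$' } |
            Select-Object -First 1
        if (-not $entry) { throw "No Payload/*.app/Info.plist inside $Path" }

        $reader = New-Object System.IO.StreamReader($entry.Open())
        $text   = $reader.ReadToEnd()
        $reader.Dispose()

        if ($text.StartsWith('bplist')) {
            throw "Info.plist is a binary plist; convert it with 'plutil -convert xml1 Info.plist' first"
        }
        ConvertFrom-PlistUrlSchemes -PlistXml $text
    }
    finally { $zip.Dispose() }
}

# A plist <dict> is a flat run of <key>/<value> sibling elements: the value for a key is the
# element that follows it. Return that value element, or $null if the key is absent.
function Get-PlistDictValue {
    param([System.Xml.XmlNode]$Dict, [string]$Key)
    $els = @($Dict.ChildNodes | Where-Object NodeType -eq 'Element')
    for ($i = 0; $i -lt $els.Count - 1; $i++) {
        if ($els[$i].Name -eq 'key' -and $els[$i].InnerText -eq $Key) { return $els[$i + 1] }
    }
    return $null
}

function ConvertFrom-PlistUrlSchemes {
    param([Parameter(Mandatory)][string]$PlistXml)

    $xml = New-Object System.Xml.XmlDocument
    $xml.XmlResolver = $null                                   # never fetch Apple's DTD over the network
    $xml.LoadXml(($PlistXml -replace '<!DOCTYPE[^>]*>', ''))   # and drop the DOCTYPE that references it

    $urlTypes = Get-PlistDictValue -Dict $xml.SelectSingleNode('/plist/dict') -Key 'CFBundleURLTypes'
    if (-not $urlTypes) { return @() }

    $schemes = foreach ($d in $urlTypes.SelectNodes('dict')) {
        $arr = Get-PlistDictValue -Dict $d -Key 'CFBundleURLSchemes'
        if ($arr) { $arr.SelectNodes('string') | ForEach-Object { $_.InnerText } }
    }
    @($schemes | Where-Object { $_ } | Sort-Object -Unique)
}

# Constructed sample (not a real app's plist) so the parser can be exercised offline.
$sample = @'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key><string>com.example.demo</string>
      <key>CFBundleURLSchemes</key><array><string>exampledemo</string><string>exdemo</string></array>
    </dict>
  </array>
</dict></plist>
'@
ConvertFrom-PlistUrlSchemes -PlistXml $sample     # exdemo, exampledemo
# Get-IpaUrlScheme -Path .\SomeApp.ipa            # real use, once you have the .ipa
```

<span style="font-size: large;">Whatever this returns is what goes in the exemption's value field; an app can register more than one scheme, so exempt the one the other app actually calls.</span><br />
</div>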
<div>
<span style="font-size: large;"><br /></span></div>
<div>
<span style="font-size: large;">Thanks everyone!</span></div>
</div></div>amobileattempthttp://www.blogger.com/profile/12096015794065310499noreply@blogger.com28tag:blogger.com,1999:blog-6136975414599614540.post-90711127299626975532019-03-12T08:30:00.001-07:002019-03-12T08:49:28.168-07:00The Intune Exchange Connector Workflow and Gotchas<span style="font-size: large;">Hello readers!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">In this post I want to talk about some of the Intune on-premise Exchange Connector gotchas and how the communication flow works. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">What is the Exchange Connector?</span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-LDYs9EA1H1M/XIfI4-CPvqI/AAAAAAAAI34/r1x5P_j86EYXEuF0cJQ-FBFZYy8LqNVaQCEwYBhgL/s1600/Image%2B4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="490" data-original-width="633" src="https://3.bp.blogspot.com/-LDYs9EA1H1M/XIfI4-CPvqI/AAAAAAAAI34/r1x5P_j86EYXEuF0cJQ-FBFZYy8LqNVaQCEwYBhgL/s1600/Image%2B4.png" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The Intune Exchange Connector is a piece of software that you download from the Intune portal and install on your Exchange server, specifically on the Client Access (CAS) role if you still have separated roles. Installation instructions can be found here.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><a href="https://docs.microsoft.com/en-us/intune/exchange-service-connector-configure">https://docs.microsoft.com/en-us/intune/exchange-service-connector-configure</a></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Please note that the section on the 'Service to Service' connector should be ignored. That feature is being deprecated and was honestly never needed in the first place.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">I don't want to go over installation; the Microsoft document does a decent job of that and it's fairly self explanatory. I do want to touch on the communication flow, which looks something like this:</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">For iOS and Samsung Knox devices there are two routes: either you install the Company Portal first, or you add an EAS account first. We will go over the add-an-EAS-account scenario.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">1. The end user adds their EAS account to their mobile device</span><br />
<span style="font-size: large;">2. After some time the Intune connector syncs the EAS record up to Intune</span><br />
<span style="font-size: large;">3. If the EAS record gets synced up and there is no corresponding MDM record, the Intune connector sets the device from allowed to blocked</span><br />
<span style="font-size: large;">4. The end user receives an email asking them to enroll in Intune</span><br />
<span style="font-size: large;">5. The end user enrolls the device in Intune, which creates an MDM record</span><br />
<span style="font-size: large;">6. The EAS record and MDM record merge to become an EAS/MDM record in the Intune console</span><br />
<span style="font-size: large;">7. The connector does another sync and checks that the record is merged. If so, it moves the device from blocked back to allowed</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Where this process gets tricky is non-Samsung Androids. For some reason, and this may change with Android Enterprise, when a regular Android device enrolls in Intune it does not report its ActiveSync ID. The way around this is the link in the blocked-notification email received on the device. That link carries the EAS ID and passes it to the Intune service; without it the EAS record will never merge with the MDM record when the device enrolls.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">This also makes any non-native email client tricky, as those clients create their own EAS record but can never create an MDM record to match it to. The MDM record is always owned by the device, not by the email clients on it. Long story short, you have to use the native mail clients when doing this, or you have to create an exception for certain platforms.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">I will say it again: non-Samsung Android devices have to enroll via the email notification! Just going to the app store and getting the Company Portal app will not work. Enrolling using the app before you receive the email notification will not work.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Here is where the gotchas come in to play. There are two main ones that I want to cover. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">When setting up the connector it asks you to enter a notification account. You need to enable that and MAKE SURE THAT ACCOUNT HAS A MAILBOX!</span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-wwA0xihjw3M/XIfI4y9pEnI/AAAAAAAAI30/G_uWqTFi9Uo2j5Q7kMj09FGssOU4WEjTACLcBGAs/s1600/Image%2B5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="257" data-original-width="591" src="https://1.bp.blogspot.com/-wwA0xihjw3M/XIfI4y9pEnI/AAAAAAAAI30/G_uWqTFi9Uo2j5Q7kMj09FGssOU4WEjTACLcBGAs/s1600/Image%2B5.png" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Without a mailbox the end user will never receive the email asking them to enroll with the link that contains their EAS ID. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The second gotcha is that this service relies heavily on the Autodiscover service. Very heavily. If your Autodiscover is not healthy then this process will fail. One specific example of this when working through it in my lab was that I did not have an internal DNS record for Autodiscover.rollerlabs.com. This is because internal, domain-joined Outlook clients do not use the DNS record to find AutoD; they use the internal URI set within Exchange (AutoDiscoverServiceInternalUri). I never had a need for an actual internal DNS record before. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The connector was reliant on that record to find the Exchange server; even though you specify your server name in the connector, it still looks at AutoD.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-8BNmCLY-iAg/XIfKkaMAJ9I/AAAAAAAAI4M/vtpEWuw3tTwSfxl0D4FTvXR6WdQLzUBlQCLcBGAs/s1600/Image%2B6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="486" data-original-width="601" src="https://2.bp.blogspot.com/-8BNmCLY-iAg/XIfKkaMAJ9I/AAAAAAAAI4M/vtpEWuw3tTwSfxl0D4FTvXR6WdQLzUBlQCLcBGAs/s1600/Image%2B6.png" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Once I added the internal AutoD record I was able to receive the enroll now email.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-xBouofUJfkA/XIfKkfLs3hI/AAAAAAAAI4I/v1qjRt7Q6Ck8izUFdYtpzA2zMeoietTsQCEwYBhgL/s1600/Image%2B7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="120" data-original-width="665" src="https://4.bp.blogspot.com/-xBouofUJfkA/XIfKkfLs3hI/AAAAAAAAI4I/v1qjRt7Q6Ck8izUFdYtpzA2zMeoietTsQCEwYBhgL/s1600/Image%2B7.png" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">This is just an image pulled from a search, but it lets you see the format of the expected email. Please note that the activate/enroll email with the link containing your EAS ID is not the same as the email generated by the Exchange server telling you your device has been blocked. The activate link comes from the notification account.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/--K7JX0TOe0s/XIfPzzAyPsI/AAAAAAAAI4c/QRrZBynVX_Mn82lJ3-7oupHbBAeDmSptACLcBGAs/s1600/Image%2B8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="252" data-original-width="390" height="411" src="https://1.bp.blogspot.com/--K7JX0TOe0s/XIfPzzAyPsI/AAAAAAAAI4c/QRrZBynVX_Mn82lJ3-7oupHbBAeDmSptACLcBGAs/s640/Image%2B8.png" width="640" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Hope this is helpful to someone out there. Is anyone still using Exchange on premise anymore? Hello? Bueller?</span><br />
<br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>amobileattempthttp://www.blogger.com/profile/12096015794065310499noreply@blogger.com0tag:blogger.com,1999:blog-6136975414599614540.post-8200818995466901762019-02-28T20:00:00.001-08:002020-11-18T05:58:17.196-08:00SSPR Note From The Field<span style="font-size: large;">Hello Everyone!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Today I want to talk about a little issue I found when deploying SSPR at a customer. We enabled password writeback in AAD Connect, started with a test group in Azure AD, set all of our options up, created a new test user on-prem and synced it up into the group. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Everything appeared to be working. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">When we rolled it out to the general population (without forcing enrollment, so most of production never even knew something was wrong when it broke) we started seeing some weird behavior on our existing users. When they would go to reset their password we would get this error in the portal</span><br />
<span style="font-size: large;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-Wc6q8D13agk/XHirikAPVrI/AAAAAAAAIuI/Qz0ArUMdedAd3Qqu-WKLvOJKSTloUy3iwCLcBGAs/s1600/Image%2B2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="299" data-original-width="373" src="https://4.bp.blogspot.com/-Wc6q8D13agk/XHirikAPVrI/AAAAAAAAIuI/Qz0ArUMdedAd3Qqu-WKLvOJKSTloUy3iwCLcBGAs/s1600/Image%2B2.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<span style="font-family: inherit; font-size: large;">Except everything did meet the policy. We then traced it back using a few different logs. One place where nothing showed up was the Synchronization Service app on the AAD Connect server. Where we did see something was the Azure AD audit logs</span><br />
<span style="font-family: inherit; font-size: large;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-PtpSs2hojL8/XHisikab_HI/AAAAAAAAIug/UJPZyNjE5zYNJMW3Q4TURXMqHv3Ggtt8gCLcBGAs/s1600/Image%2B5.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="542" data-original-width="340" src="https://2.bp.blogspot.com/-PtpSs2hojL8/XHisikab_HI/AAAAAAAAIug/UJPZyNjE5zYNJMW3Q4TURXMqHv3Ggtt8gCLcBGAs/s1600/Image%2B5.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: inherit; font-size: large;"><br /></span></div>
<span style="font-family: inherit; font-size: large;"><br /></span>
<span style="font-family: inherit; font-size: large;">And the Event Viewer on the AAD Connect server as well</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-TOqR5XIgj4c/XHittsFaTpI/AAAAAAAAIus/izL1v6LJ9CUKCvNjf9tSw4WkXXYDBb--gCLcBGAs/s1600/Image%2B4.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="449" data-original-width="1073" height="268" src="https://1.bp.blogspot.com/-TOqR5XIgj4c/XHittsFaTpI/AAAAAAAAIus/izL1v6LJ9CUKCvNjf9tSw4WkXXYDBb--gCLcBGAs/w640-h268/Image%2B4.png" width="640" /></a></div>
<span style="font-family: inherit; font-size: large;"><br /></span>
<span style="font-family: inherit; font-size: large;"><br /></span>
<span style="font-family: inherit; font-size: large;">Come to find out most existing accounts had the restriction of 'User cannot change password' set in their account options in Active Directory from some past project that the current admin was not aware of. </span><br />
<span style="font-family: inherit; font-size: large;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-HWj1pJ4DBFM/XHit-hpdJcI/AAAAAAAAIu0/t_OW38GY9sIm3bdnPzQKb4coWLhJN8VtACLcBGAs/s1600/Account%2BOptions.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="494" data-original-width="403" src="https://4.bp.blogspot.com/-HWj1pJ4DBFM/XHit-hpdJcI/AAAAAAAAIu0/t_OW38GY9sIm3bdnPzQKb4coWLhJN8VtACLcBGAs/s1600/Account%2BOptions.png" /></a></div>
<span style="font-family: inherit; font-size: large;"><br /></span>
<span style="font-family: inherit; font-size: large;"><br /></span>
<span style="font-size: large;">If you're running into a similar situation, maybe take a look there. This can be fixed manually, with PowerShell, or, as luck would have it, it is one of the options you can set when you select multiple user objects in ADUC.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Good luck!</span>amobileattempthttp://www.blogger.com/profile/12096015794065310499noreply@blogger.com0tag:blogger.com,1999:blog-6136975414599614540.post-59480309041559185932018-10-08T08:06:00.000-07:002018-10-08T08:11:26.837-07:00Securing Traditional Domain Joins<span style="font-size: large;">Hello Everyone!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">My bread and butter are EMS deployments and some general O365 security talks. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">A lot of my customers really like the option to limit logins to certain cloud services to only Hybrid Joined machines using Conditional Access. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">For those unaware, at a high level, the Hybrid Join process will automatically join a domain joined Windows 10 machine into Azure AD. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">When I help people set this up I always check whether they have changed who is allowed to join a computer to the domain. At the time of this writing (Server 2016) the default is that any authenticated user can join up to 10 devices to the domain: Authenticated Users hold the "Add workstations to domain" user right, and the ms-DS-MachineAccountQuota attribute on the domain is 10.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">That's right folks, by default you do not have to be a domain admin to join a machine to your domain. Beyond the obvious issues like clutter in AD, duplicate objects, SID issues, etc., there is also the issue that the person who joins the machine becomes the owner of that computer object in AD, which gives them control over its security descriptor and attributes, not just a view of a few sensitive ones.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Anyway, in our case this almost invalidates the reason most companies want to do Hybrid Join, which is to prevent personal machines from accessing corporate cloud resources. If the user brings their laptop in and decides to join it to the local domain, we're back at square one. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The easiest way to fix this is with a GPO on your domain controllers. The quota only counts for accounts that hold the user right, so taking Authenticated Users out of it is what closes the door; setting ms-DS-MachineAccountQuota to 0 on top of that is a reasonable belt-and-braces step.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The setting is located at Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Add workstations to domain (by default it lives in the Default Domain Controllers Policy)</span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-U-Ld4fuCXg8/W7tx-CUnemI/AAAAAAAAHwY/IAHuB-e1aoELFDBpe6wV5afkkUHuXTb6gCLcBGAs/s1600/Image%2B3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="374" data-original-width="783" src="https://2.bp.blogspot.com/-U-Ld4fuCXg8/W7tx-CUnemI/AAAAAAAAHwY/IAHuB-e1aoELFDBpe6wV5afkkUHuXTb6gCLcBGAs/s1600/Image%2B3.png" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Once you find the setting, remove Authenticated Users and put in whatever group you would like to keep it locked down to.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-FoZ7EtZFF-8/W7tx-C-rrUI/AAAAAAAAHwc/BoUMApkERIo9q6ZbcKMaBGZrq2wfVPfQACEwYBhgL/s1600/Image%2B4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="515" data-original-width="423" src="https://4.bp.blogspot.com/-FoZ7EtZFF-8/W7tx-C-rrUI/AAAAAAAAHwc/BoUMApkERIo9q6ZbcKMaBGZrq2wfVPfQACEwYBhgL/s1600/Image%2B4.png" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Just a little tidbit that some people don't realize! I think we're all so used to only having an admin join a machine that this can slip through the cracks.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Until next time, have a good one.</span>amobileattempthttp://www.blogger.com/profile/12096015794065310499noreply@blogger.com0tag:blogger.com,1999:blog-6136975414599614540.post-23605437517361772252018-07-06T21:38:00.001-07:002020-11-18T05:58:51.648-08:00Azure AD Hybrid Join and the UserCertificate Attribute<span style="font-size: large;">Hello Everyone, </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Today I want to talk about an issue I ran into recently with trying to setup Hybrid Azure AD Join. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">First lets do a little background on the process. Microsoft has a decent guide on how to do it which can be found here.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><a href="https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup">https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup</a></span><br />
<br />
<span style="font-size: large;">The exact situation I ran into, or at least that I thought I ran into, was the fact that the device object was not syncing into Azure AD. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">In order for a Hybrid Join to occur you have to sync the device object with AAD Connect. Inside AAD Connect there are certain sync rules and settings. One of those rules says that if the userCertificate attribute on a computer object is $null, do not sync it.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-bUD1stIbGKA/W0A-Bz7W6OI/AAAAAAAAHZQ/FqTXU1EKI18b4iC1mbK6Z1Rqj7Wx-rD5wCLcBGAs/s1600/AAD%2BRule.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="613" data-original-width="921" height="426" src="https://1.bp.blogspot.com/-bUD1stIbGKA/W0A-Bz7W6OI/AAAAAAAAHZQ/FqTXU1EKI18b4iC1mbK6Z1Rqj7Wx-rD5wCLcBGAs/w640-h426/AAD%2BRule.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-bNSXIPFee8Y/W0A-B1xfBeI/AAAAAAAAHZM/1SiOSKtd6cYA-H8msnFlfezvxrXH4dnhACLcBGAs/s1600/Attribute.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="534" data-original-width="467" src="https://2.bp.blogspot.com/-bNSXIPFee8Y/W0A-B1xfBeI/AAAAAAAAHZM/1SiOSKtd6cYA-H8msnFlfezvxrXH4dnhACLcBGAs/s1600/Attribute.png" /></a></div>
<span style="font-size: large;">Now you technically can brute force a fix by either manually putting literally anything in that attribute (I tried, it accepts a junk value) or changing the rule in AAD Connect to sync the object anyway. <b>I would not recommend either, as something else is most likely the actual root issue and this won't fix it.</b></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">For a while I chased down the idea that this attribute was generated upon domain join (due to a tip from an MS rep); spoiler alert, this is not when the attribute is generated on the Active Directory object. This attribute is generated AFTER the Win10 device probes the SCP you set up in your AD and actually finds something. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">So, at a basic level, this meant that my issue was one of communication. For whatever reason my device was not communicating with Azure AD. This issue was solved two different ways for me when I ran into it across a few customers. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">1.) ADFS. If you have ADFS in place you need to set up the claims rules in ADFS correctly. In my specific case the users' UPN and the domain they had federated with O365 was <b><i>user@domainA.com</i> </b>but the real domain name on-prem, and the name all the devices used, was <i><b>computer.domainB.com</b></i>. The fix in this scenario was to federate domainB.com with ADFS as well and include domainB in our claims rules. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">2.) Scheduled Task. At two of my clients we ran into this without ADFS being in the mix. We were using AAD Connect with Seamless SSO. The fix in this situation came in the form of enabling the scheduled task built into Win10 devices that attempts the Hybrid Join. This task can be found at Microsoft>Windows>Workplace Join. For some reason this was disabled; it should be enabled by default. I suspect something to do with SCCM but cannot verify.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-ci9r9jgkQcg/W0BAWSXvonI/AAAAAAAAHZg/ZRO8wku4JVo_GStN5UjhSK9hZ195vgtagCLcBGAs/s1600/Task.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="576" data-original-width="1080" height="341" src="https://2.bp.blogspot.com/-ci9r9jgkQcg/W0BAWSXvonI/AAAAAAAAHZg/ZRO8wku4JVo_GStN5UjhSK9hZ195vgtagCLcBGAs/w640-h341/Task.png" width="640" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Once this was actually enabled the device was able to probe the Azure AD Join service, generate its specific userCertificate attribute and then complete its join after a login or two. If this does not happen for you, this task can also be controlled by a GPO that can block device enrollment. As a test I would move a device into an OU with no policies on it and work from there.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-l7vcB2J8Zzw/W0BBePFe5MI/AAAAAAAAHZo/gdzkbja1XvsrUg4NhgN_SNYbI4_k7C21gCLcBGAs/s1600/Cert.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="530" data-original-width="467" src="https://2.bp.blogspot.com/-l7vcB2J8Zzw/W0BBePFe5MI/AAAAAAAAHZo/gdzkbja1XvsrUg4NhgN_SNYbI4_k7C21gCLcBGAs/s1600/Cert.png" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">So, to recap, usually not having a value in the userCertificate attribute is not the actual issue. Something is stopping the communication between your machine and Azure AD. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Event Viewer is also pretty helpful in tracking down some of these issues. You can view the logs at Microsoft>Windows>User Device Registration. If the above does not help you, I would check here for further info. </span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-uMx6Y1661yw/W0BDT2SeyUI/AAAAAAAAHZ0/weuaKiztC9QgKNaWL2NP5R_Vn2MPczeiwCLcBGAs/s1600/EventViewer.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="652" data-original-width="920" height="454" src="https://1.bp.blogspot.com/-uMx6Y1661yw/W0BDT2SeyUI/AAAAAAAAHZ0/weuaKiztC9QgKNaWL2NP5R_Vn2MPczeiwCLcBGAs/w640-h454/EventViewer.png" width="640" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Hope this can help some of you, see ya around.</span>amobileattempthttp://www.blogger.com/profile/12096015794065310499noreply@blogger.com10tag:blogger.com,1999:blog-6136975414599614540.post-3582256037185798662018-06-22T21:46:00.005-07:002020-11-18T06:01:25.728-08:00How To Ingest A Custom .ADMX File For Modern Managment<span style="font-size: large;">Hello everyone!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">I am breaking one of my own rules today by posting a straight up guide. I want to do this because </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">A.) There are not a lot of guides out there on this topic</span><br />
<span style="font-size: large;">and</span><br />
<span style="font-size: large;">B.) I feel like I may be able to explain it in a different manner, put my own lazy admin spin on it.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Before we go too far, let's talk a little bit about Windows 10 and the concept of Modern Management. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Windows 10 has been built from the ground up to be managed as a mobile device. We are able to accomplish this with a few different protocols (I myself am not really clear on all the details), but some of those are OMA-DM, SyncML, CSPs, and another OMA-Something, Something. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">What this boils down to is that for anything not exposed through your MDM's GUI you will have to use what is called a 'custom policy' or 'custom profile', depending on your MDM solution. These are lines of pseudo code that you input as SyncML, which to me looks very much like XML. Don't ask me the difference, I don't know. I'm just the messenger here.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">So, Microsoft maintains a list of all the CSPs you can configure here</span><br />
<span style="font-size: large;"><br /></span>
<a href="https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference"><span style="font-size: large;">https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference</span></a><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Most of these map to existing legacy GPO settings. There are two types of CSPs when you boil it down: native CSPs and policy-backed CSPs. It is important to note this because they are constructed differently. All of the Policy CSPs are under the Policy tab in that reference. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">There is a third type of custom policy we can push out, though: third party .ADMX policies. Everything in the above reference website is a first party option from Microsoft, very much built-in policies. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">What happens when you want to configure something like Google Chrome or even Microsoft's own Office suite? Well, that is where .ADMX ingestion comes into play. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Before we get into it let me tell you the basic idea of it. You start off by grabbing the actual .ADMX file for the GPOs you need. You then open up the .ADMX and copy the entire contents into a custom policy. Once this is done you can create another rule within that policy to configure the options contained within that .ADMX file. This will all become much clearer.....hopefully.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">In this example we are going to modify an Outlook GPO that determines what authentication type we would use with Exchange. This is what the GPO looks like on the DC</span><br />
<span style="font-size: large;"><br /></span>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-pIUyvFh2YZs/WyxPbGtaMeI/AAAAAAAAHPk/w12qRfdJvA4GPnP7DHFqkf0RK7jlDhPFQCLcBGAs/s1600/GPO.png" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-size: large;"><img border="0" data-original-height="636" data-original-width="684" src="https://4.bp.blogspot.com/-pIUyvFh2YZs/WyxPbGtaMeI/AAAAAAAAHPk/w12qRfdJvA4GPnP7DHFqkf0RK7jlDhPFQCLcBGAs/s1600/GPO.png" /></span></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">As you can see it is not just an enabled/disabled option, it also has a drop down menu. Other GPOs may have a table, a custom value you have to put in, or any number of other options. Those are also all configured differently in our policy. This guide will show you how to do both the basic enabled/disabled GPOs and the drop down menu GPOs. </span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-5rmMLxVJcSc/WyxPbHsQlqI/AAAAAAAAHPo/K6R19OdMEAMsILcgo4ygAaAiAub5KTazACEwYBhgL/s1600/GPO2.png" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-size: large;"><img border="0" data-original-height="366" data-original-width="288" src="https://2.bp.blogspot.com/-5rmMLxVJcSc/WyxPbHsQlqI/AAAAAAAAHPo/K6R19OdMEAMsILcgo4ygAaAiAub5KTazACEwYBhgL/s1600/GPO2.png" /></span></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">So now that we know the GPO that we want to carry over into Modern Managment we can open up the actual outlook.admx file and begin. The first step is to copy THE ENTIRE .ADMX into our custom policy. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">To do this we want to go into our MDM and create a new custom policy. A custom policy can contain any number of SyncML entries. Our first entry is going to be the entire .ADMX. Let's give the policy a name; I'm fond of just using the app name. We also need to tell it where to store this .ADMX file.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="font-size: large;">The OMA-URI should look like this <span style="border: 0px; font-weight: 700; margin: 0px; padding: 0px;">./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingType}/{AdmxFileName}</span>. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><b><i>OMA-URI IS ALWAYS CASE SENSITIVE!!!</i></b></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">In this URI the following variables should be provided:</span></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="font-size: large;"><span style="border: 0px; font-weight: 700; margin: 0px; padding: 0px;">AppName</span>: This should be the name of the app that will be configured, but can theoretically be anything. In this example I’ll use <b>Outlook16</b></span></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="font-size: large;"><span style="border: 0px; font-weight: 700; margin: 0px; padding: 0px;">SettingType</span>: This should always be Policy when ingesting ADMX files. So, in this example I’ll use <span style="border: 0px; font-weight: 700; margin: 0px; padding: 0px;">Policy</span></span></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="border: 0px; font-weight: 700; margin: 0px; padding: 0px;"><span style="font-size: large;"><span style="border: 0px; margin: 0px; padding: 0px;">AdmxFileName</span><span style="font-weight: 400;">: This should be the name of the ADMX-file, but can theoretically be anything. In this example I’ll use </span><span style="border: 0px; margin: 0px; padding: 0px;">outlk16</span></span></span></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="font-size: large;">So the completed string would look like this</span></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="font-weight: 700;"><span style="font-size: large;">./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Outlook16/Policy/outlk16</span></span></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="border: 0px; margin: 0px; padding: 0px;"><span style="border: 0px; margin: 0px; padding: 0px;"><span style="font-size: large;">You need to remember the choices you have made here in the name, as it will need to be referenced in your setting config. </span></span></span></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="border: 0px; margin: 0px; padding: 0px;"><span style="border: 0px; margin: 0px; padding: 0px;"><span style="font-size: large;">For Data type choose String and for Value copy and paste the whole .ADMX file. I like to open the .ADMX in Notepad++ and then format it as XML. Then use ctrl+a to select all and ctrl+c to copy it. Then just paste it into your Intune console.</span></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-6wGncKOIeRc/WyxTEpDcxAI/AAAAAAAAHPw/vyfPISoWnRgnocqjWdGUoQbA1i0waiT-QCLcBGAs/s1600/Notepad.png" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-size: large;"><img border="0" data-original-height="600" data-original-width="401" src="https://4.bp.blogspot.com/-6wGncKOIeRc/WyxTEpDcxAI/AAAAAAAAHPw/vyfPISoWnRgnocqjWdGUoQbA1i0waiT-QCLcBGAs/s1600/Notepad.png" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: large;"><br /></span></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="border: 0px; margin: 0px; padding: 0px;"><span style="border: 0px; margin: 0px; padding: 0px;"><span style="font-size: large;">Here is a pic of my completed setting</span></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-I8cTZ1M_fmY/WyxTuDfuvBI/AAAAAAAAHP4/vMSME4dmZR4dWutMlrcmxM2g6u7Zzo_AQCLcBGAs/s1600/Ingestion.png" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-size: large;"><img border="0" data-original-height="636" data-original-width="644" height="632" src="https://4.bp.blogspot.com/-I8cTZ1M_fmY/WyxTuDfuvBI/AAAAAAAAHP4/vMSME4dmZR4dWutMlrcmxM2g6u7Zzo_AQCLcBGAs/w640-h632/Ingestion.png" width="640" /></span></a></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="border: 0px; margin: 0px; padding: 0px;"><span style="border: 0px; margin: 0px; padding: 0px;"><span style="font-size: large;"><br /></span></span></span></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="font-size: large;">Once this is completed we now have the ability to configure any setting contained within the ADMX file. For our setting we want to hit the blue add button in our custom policy again and give it an appropriate name and description. Now the hard part starts. For OMA-URI we have to craft a specific string that traces back through the parent categories. In order to do this we need to go back into our Notepad++ and search for a term that would find our specific setting in this XML mess. I searched for Kerberos. In the screenshot below all of the highlighted text is the one policy setting we need to configure.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-Mt4q9BU4Nb4/WyxU7BpeTQI/AAAAAAAAHQI/Gt-qmUfZB9E7JrYTmFr_zVJIGg5ERW1kQCLcBGAs/s1600/XML.png" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-size: large;"><img border="0" data-original-height="480" data-original-width="1288" height="238" src="https://2.bp.blogspot.com/-Mt4q9BU4Nb4/WyxU7BpeTQI/AAAAAAAAHQI/Gt-qmUfZB9E7JrYTmFr_zVJIGg5ERW1kQCLcBGAs/w640-h238/XML.png" width="640" /></span></a></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="font-size: large;"><br /></span></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="font-size: large;">At the top of every .ADMX file, the first section is all of the parent categories. We need to find these and write them down in notepad. We can see in our highlighted text above that our setting's parent category is "L_Exchangesettings". If we do a ctrl+f and search the document top down, we will find it near the top of the document with a reference to ITS parent category; we then do a ctrl+f and find that one, which may also have a parent category, and so on. When you come to the final category its parent will be itself, and that is how you know you are done with this step. See the screenshot for more detail.</span></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="font-size: large;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-0iOCBwMx0Ec/WyxXHapt00I/AAAAAAAAHQc/phBgLtxggOA1ZXYTfa3Hy6NtcR6mp6wyACLcBGAs/s1600/cata1.png" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-size: large;"><img border="0" data-original-height="136" data-original-width="1027" height="85" src="https://2.bp.blogspot.com/-0iOCBwMx0Ec/WyxXHapt00I/AAAAAAAAHQc/phBgLtxggOA1ZXYTfa3Hy6NtcR6mp6wyACLcBGAs/w640-h85/cata1.png" width="640" /></span></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-7gvxg6NBQDg/WyxXHaC0VtI/AAAAAAAAHQY/5-lPXUHCsfUutKu1kl25cqXmMrYziU1zACLcBGAs/s1600/cata2.png" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-size: large;"><img border="0" data-original-height="147" data-original-width="1005" height="94" src="https://4.bp.blogspot.com/-7gvxg6NBQDg/WyxXHaC0VtI/AAAAAAAAHQY/5-lPXUHCsfUutKu1kl25cqXmMrYziU1zACLcBGAs/w640-h94/cata2.png" width="640" /></span></a></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="font-size: large;">Now to create our OMA-URI string we need to create it like the following</span></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="font-size: large;">The OMA-URI should look like this <span style="border: 0px; font-weight: 700; margin: 0px; padding: 0px;">./{User or Device}/Vendor/MSFT/Policy/Config/{AppName}~Policy~{CategoryPathFromADMX}/{SettingFromADMX}</span></span><br />
<br />
<span style="font-size: large;"><span style="border: 0px; margin: 0px; padding: 0px;"><i><b>REMEMBER CASE SENSITIVE! USE THE SAME CASE AS THE GPO USES!!!!</b></i></span></span></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="font-size: large;"><span style="border: 0px; font-weight: 700; margin: 0px; padding: 0px;">User or Device - </span><span style="border: 0px; margin: 0px; padding: 0px;">What you use here depends on the GPO: is it a computer setting or a user setting? In our example we will be using <b>User</b></span></span></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="font-size: large;"><span style="border: 0px; font-weight: 700; margin: 0px; padding: 0px;">Appname </span><span style="border: 0px; margin: 0px; padding: 0px;">- This is the same name from our previous ingestion file, we just need to reference where we put it, so for our example we will use <b>Outlook16</b></span></span></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="border: 0px; margin: 0px; padding: 0px;"><span style="font-size: large;"><b>Policy - </b>This is literally the word <b>Policy</b></span></span></div>
<div style="border: 0px; margin-bottom: 1.5em; padding: 0px;">
<span style="font-size: large;"><b>CategoryPath</b> - This is the path we copied down in notepad, starting with the top level parent <b>L_MicrosoftOfficeOutlook</b> and going all the way down to the first "parent category" in the admx file, which would be <b>L_Exchangesettings</b>, with a tilde (~) between each category.</span></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="font-size: large;"><b>SettingFromADMX - </b>This is our actual "policy name" from the screenshot above, which is <b>L_AuthenticationwithExchangeServer</b></span></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="border: 0px; margin: 0px; padding: 0px;"><b><span style="font-size: large;"><br /></span></b></span></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="font-size: large;">So, in all of its glory, for our example the OMA-URI would be (things in bold are things that are not static and things we have configured) </span></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="font-size: large;">./<b>User</b>/Vendor/MSFT/Policy/Config/<b>Outlook16</b>~Policy~<b>L_MicrosoftOfficeOutlook~L_ToolsAccounts~L_Exchangesettings/L_AuthenticationwithExchangeServer</b></span></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="font-size: large;">So in this OMA-URI we have said where the policy is that we want to flip on and off. The next piece is changing the actual values. The next option you will see with Intune is the Data Type box, set this to String. Then in the actual value box we want to put in the following</span></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="font-size: large;">&lt;enabled/&gt; &lt;data id="<b>L_SelecttheauthenticationwithExchangeServer</b>" value="<b>9</b>"/&gt;</span></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="background-color: transparent;"><span style="font-size: large;"><br /></span></span></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="background-color: transparent;"><span style="font-size: large;">Let me explain what these are doing. The first piece is obviously turning the policy on. If this was just an on or off policy we could stop here, but this is a multi-valued policy.</span></span></div>
<div style="border: 0px; font-family: "Open Sans", sans-serif; margin-bottom: 1.5em; padding: 0px;">
<span style="font-size: large;">The second piece, well, the best way to think of this is the name of the drop down box. This is the enum id from the admx screenshot above: <b>L_SelecttheauthenticationwithExchangeServer</b></span></div>
<div style="border: 0px; margin-bottom: 1.5em; padding: 0px;">
<span style="font-size: large;">The value=<b>"9"</b> part is what sets the policy to allow either NTLM or Kerberos auth. We can tell this because the display name right above it gives us a short description of what that number means. If we only wanted to allow smart card authentication we would have done value=<b>"2147545088"</b></span></div>
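<span style="font-size: large;">The steps above (ingestion URI, category chain, setting URI, value string) done by script instead of by ctrl+f. This is an added example, not the post's or Microsoft's code. It parses a constructed miniature of outlk16.admx in which only the category, policy and enum names and the two enum values cited above are real (the registry key, valueName and string ids are placeholders), walks the parentCategory chain, and builds both OMA-URIs and the enabled/data value.</span><br />

```python
import xml.etree.ElementTree as ET

# Added example, not the post's code. SAMPLE_ADMX is a constructed miniature of
# outlk16.admx: the category, policy and enum names and the two enum values are
# the ones the post cites; the key, valueName and string ids are placeholders.
SAMPLE_ADMX = """<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <categories>
    <category name="L_MicrosoftOfficeOutlook"><parentCategory ref="L_MicrosoftOfficeOutlook"/></category>
    <category name="L_ToolsAccounts"><parentCategory ref="L_MicrosoftOfficeOutlook"/></category>
    <category name="L_Exchangesettings"><parentCategory ref="L_ToolsAccounts"/></category>
  </categories>
  <policies>
    <policy name="L_AuthenticationwithExchangeServer" class="User" key="Software\\Policies\\PLACEHOLDER">
      <parentCategory ref="L_Exchangesettings"/>
      <elements>
        <enum id="L_SelecttheauthenticationwithExchangeServer" valueName="PLACEHOLDER">
          <item displayName="$(string.PLACEHOLDER_KerberosOrNtlm)"><value><decimal value="9"/></value></item>
          <item displayName="$(string.PLACEHOLDER_SmartCard)"><value><decimal value="2147545088"/></value></item>
        </enum>
      </elements>
    </policy>
  </policies>
</policyDefinitions>
"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # ElementTree gives '{uri}name'; keep 'name'

def _children(el, name):
    return [c for c in el if _local(c.tag) == name]

def load_admx(text):
    """Return ({category name: parent ref}, {policy name: (element, parent ref)})."""
    categories, policies = {}, {}
    for el in ET.fromstring(text).iter():
        kind = _local(el.tag)
        if kind not in ("category", "policy"):
            continue
        refs = _children(el, "parentCategory")
        parent = refs[0].get("ref") if refs else None
        if kind == "category":
            categories[el.get("name")] = parent
        else:
            policies[el.get("name")] = (el, parent)
    return categories, policies

def category_path(categories, leaf):
    """Follow parentCategory refs upward (the post's repeated ctrl+f); join top-down with '~'."""
    if leaf not in categories:
        raise KeyError(f"category {leaf!r} is not defined in this ADMX")
    chain, current = [], leaf
    while current in categories and current not in chain:
        chain.append(current)
        parent = categories[current]
        # Stop at the top: no parent, a category that is its own parent (as the
        # post describes), or a 'prefix:name' ref into another ADMX namespace.
        if parent is None or parent == current or ":" in parent:
            break
        current = parent
    return "~".join(reversed(chain))  # case is kept exactly as in the ADMX

def ingestion_uri(app_name, admx_file_name, setting_type="Policy"):
    """OMA-URI of the custom-policy row whose value is the whole .ADMX text."""
    return f"./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{app_name}/{setting_type}/{admx_file_name}"

def setting_uri(app_name, categories, policies, policy_name, scope=None):
    """OMA-URI of the row that configures one policy from the ingested ADMX."""
    el, parent = policies[policy_name]
    if scope is None:  # ./User or ./Device, derived from the ADMX class attribute
        scope = {"User": "User", "Machine": "Device"}.get(el.get("class"))
        if scope is None:
            raise ValueError("policy class is Both; pass scope='User' or 'Device'")
    return f"./{scope}/Vendor/MSFT/Policy/Config/{app_name}~Policy~{category_path(categories, parent)}/{policy_name}"

def enum_options(policies, policy_name):
    """{enum id: {displayName string id: decimal value}}: the drop-down choices."""
    el, _ = policies[policy_name]
    options = {}
    for enum in (e for els in _children(el, "elements") for e in _children(els, "enum")):
        items = {}
        for item in _children(enum, "item"):
            for dec in (d for v in _children(item, "value") for d in _children(v, "decimal")):
                items[item.get("displayName")] = dec.get("value")
        options[enum.get("id")] = items
    return options

def setting_value(policies, policy_name, choices=None, enabled=True):
    """Value string: <enabled/> alone for an on/off policy, plus one <data/> per element otherwise."""
    if not enabled:
        return "<disabled/>"
    el, _ = policies[policy_name]
    ids = [e.get("id") for els in _children(el, "elements") for e in els]
    missing = [i for i in ids if i not in (choices or {})]
    if missing:
        raise ValueError(f"no value chosen for element(s) {missing}")
    return "<enabled/>" + "".join(f'<data id="{i}" value="{choices[i]}"/>' for i in ids)
```

<span style="font-size: large;">Feed load_admx the real outlk16.admx text instead of SAMPLE_ADMX and the same calls give the strings for any other setting in the file; a policy whose class is Both needs scope passed explicitly.</span><br />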
<div style="border: 0px; margin-bottom: 1.5em; padding: 0px;">
<span style="font-size: large;">The completed setting looks like the below image.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-GD9fdDOHlu8/Wy3MrSReKmI/AAAAAAAAHQ0/D8Z9Cgr6Lg01TMowK_MIg5kjtEpKNCGhwCLcBGAs/s1600/FinalPolicy.png" style="margin-left: 1em; margin-right: 1em;"><span style="color: black;"><img border="0" data-original-height="400" data-original-width="618" src="https://2.bp.blogspot.com/-GD9fdDOHlu8/Wy3MrSReKmI/AAAAAAAAHQ0/D8Z9Cgr6Lg01TMowK_MIg5kjtEpKNCGhwCLcBGAs/s1600/FinalPolicy.png" /></span></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">If you are having trouble getting this policy to apply you need to triple check your syntax. Some common things I have seen are weird quotation marks when copying and pasting from Notepad++ and case mismatches (these policies are case sensitive), and for this particular policy I could not get it to apply until the device actually had an Outlook profile on it.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">In order to see if your policy has applied you can check 3 places. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">In the Intune console, under device configuration>policy>device status</span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-TO7i89ulM4g/Wy3NvNoo5JI/AAAAAAAAHRI/3zsULte7jvEN7mOX1KJH8hKZEkMTwzhcACLcBGAs/s1600/Check3.png" style="margin-left: 1em; margin-right: 1em;"><span style="color: black;"><img border="0" data-original-height="72" data-original-width="810" height="57" src="https://4.bp.blogspot.com/-TO7i89ulM4g/Wy3NvNoo5JI/AAAAAAAAHRI/3zsULte7jvEN7mOX1KJH8hKZEkMTwzhcACLcBGAs/w640-h57/Check3.png" width="640" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: large;">On the machine itself under settings>account>work or school>info</span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: large;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-2SeHIv8vudI/Wy3MrdhPYyI/AAAAAAAAHQ8/t_WSGer22XELJm4rK4ApD_yQf-0M_NNHwCEwYBhgL/s1600/Check1.png" style="margin-left: 1em; margin-right: 1em;"><span style="color: black;"><img border="0" data-original-height="332" data-original-width="483" src="https://4.bp.blogspot.com/-2SeHIv8vudI/Wy3MrdhPYyI/AAAAAAAAHQ8/t_WSGer22XELJm4rK4ApD_yQf-0M_NNHwCEwYBhgL/s1600/Check1.png" /></span></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: large;"><br /></span></div>
<br /></div>
<div style="border: 0px; margin-bottom: 1.5em; padding: 0px;">
<span style="font-size: large;">You can also check the registry on that same machine. Remember we are just fundamentally setting registry keys.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-QMN7zP_4oEg/Wy3MrRRZDjI/AAAAAAAAHRE/lzL6otVENZQCTFmeR-byBjzeX50o2pP_wCEwYBhgL/s1600/Check2.png" style="margin-left: 1em; margin-right: 1em;"><span style="color: black;"><img border="0" data-original-height="480" data-original-width="821" height="374" src="https://2.bp.blogspot.com/-QMN7zP_4oEg/Wy3MrRRZDjI/AAAAAAAAHRE/lzL6otVENZQCTFmeR-byBjzeX50o2pP_wCEwYBhgL/w640-h374/Check2.png" width="640" /></span></a></div>
<span style="font-size: large;"><br /></span></div>
<div style="border: 0px; margin-bottom: 1.5em; padding: 0px;">
<span style="font-size: large;">I hope this can help some of you make the jump from the legacy style of management into the not as developed, but way more mobile and growing modern management style.</span>
<br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Thanks for stopping by! Drop a comment below if you have any questions!</span></div>
amobileattempthttp://www.blogger.com/profile/12096015794065310499noreply@blogger.com0tag:blogger.com,1999:blog-6136975414599614540.post-15823531863973652882018-01-30T19:53:00.001-08:002020-11-18T06:02:47.974-08:00Intune, Outlook App, and the Legacy Conditional Access Changes<span style="font-size: large;">Howdy howdy howdy</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Sorry, been watching a lot of Toy Story.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">In today's post I want to spell out some of the changes that have been made to Conditional Access and the deprecation of the legacy policies, specifically around enforcing the Outlook App through Intune.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Before you were able to use a simple drop down box to enable this option</span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-mPeSWO-giHo/WnE8l8mduRI/AAAAAAAAF5k/u5929-icvewBtM0gSFP6l7gXHyMvOVQBACEwYBhgL/s1600/Image%2B1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="206" data-original-width="688" height="192" src="https://4.bp.blogspot.com/-mPeSWO-giHo/WnE8l8mduRI/AAAAAAAAF5k/u5929-icvewBtM0gSFP6l7gXHyMvOVQBACEwYBhgL/w640-h192/Image%2B1.png" width="640" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Apparently this method of blocking access to non-approved apps is considered "legacy" now and the functionality has changed</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: large;"><a href="https://1.bp.blogspot.com/-gwUYiSPDayM/WnE8mDNNn1I/AAAAAAAAF5o/xv-rSz3HQM4kuIGqWT6Dnbg6JUkG0aT8gCEwYBhgL/s1600/Image%2B2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="341" data-original-width="1330" height="164" src="https://1.bp.blogspot.com/-gwUYiSPDayM/WnE8mDNNn1I/AAAAAAAAF5o/xv-rSz3HQM4kuIGqWT6Dnbg6JUkG0aT8gCEwYBhgL/w640-h164/Image%2B2.png" width="640" /></a></span></div>
<br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">On the back end this blocked Exchange ActiveSync as well as other client apps with just a flip of the switch. That appears to no longer be the case, at least in my own personal tenant and in a couple of customer tenants I've had recently. Moving forward you should use the new condition of "Require approved client app"</span><br />
<span style="font-size: large;"><br /></span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-_XszYwIq4uE/WnE8mOYk7SI/AAAAAAAAF5s/Bok5lGyqti4SUQm2B9jmgKsXIqDVdV_KACEwYBhgL/s1600/Image%2B3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="627" data-original-width="697" height="576" src="https://1.bp.blogspot.com/-_XszYwIq4uE/WnE8mOYk7SI/AAAAAAAAF5s/Bok5lGyqti4SUQm2B9jmgKsXIqDVdV_KACEwYBhgL/w640-h576/Image%2B3.png" width="640" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Not too much of a change so far. The main thing I want to stress here is that you now need to create two policies with this conditional grant, one for EAS and one for all other protocols. This is done by creating one policy with the targeting condition of "Browser" and "Mobile apps and desktop clients" under the "Client Apps" setting.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-y0s3OLv0xBc/WnE8maZwT_I/AAAAAAAAF5w/M67RnOfihGIdBC4h6tKCubNhKmVP21bKgCEwYBhgL/s1600/Image%2B4.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="683" data-original-width="1062" height="412" src="https://3.bp.blogspot.com/-y0s3OLv0xBc/WnE8maZwT_I/AAAAAAAAF5w/M67RnOfihGIdBC4h6tKCubNhKmVP21bKgCEwYBhgL/w640-h412/Image%2B4.png" width="640" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Then another with the "Client App" setting of Exchange ActiveSync. We also want to make sure the box for applying the policy only to supported platforms is NOT checked. We want this to apply to all platforms ideally, that way no sneaky BlackBerrys can find their way in. I also ran into an issue where, if this box was checked, this rule would not filter down to Android for Work; not sure why on that one, but no biggie in the grand scheme of things (I love comparing things to the "Grand Scheme": being everything, no matter how important, just seems small! It's like a get-outta-consulting-free card!)</span><br />
<span style="font-size: large;"><br /></span>
<br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-7JWril9k1NA/WnE8m8W8nAI/AAAAAAAAF6E/r6_PjuOn16cNLjGnsGO9KnUk_MQ4rx_RQCEwYBhgL/s1600/Image%2B5.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="561" data-original-width="1033" height="348" src="https://1.bp.blogspot.com/-7JWril9k1NA/WnE8m8W8nAI/AAAAAAAAF6E/r6_PjuOn16cNLjGnsGO9KnUk_MQ4rx_RQCEwYBhgL/w640-h348/Image%2B5.png" width="640" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Once this is set users will receive a message in their mailbox explaining that they now need to use the Outlook App moving forward.</span><br />
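<span style="font-size: large;">The same two policies built from PowerShell instead of the portal. This is an added example, not part of the original post, and it assumes the AzureAD PowerShell module's New-AzureADMSConditionalAccessPolicy cmdlet under Windows PowerShell 5.1; the policy names and the break-glass account id are placeholders. It goes one step beyond the post: both policies start in report-only state with an emergency-access account excluded, so nothing is enforced until the sign-in logs confirm the scope is right.</span><br />

```powershell
# Added example, not the post's own steps (the post uses the Azure portal).
# Assumes the AzureAD PowerShell module and its New-AzureADMSConditionalAccessPolicy cmdlet.
# Policy names and the break-glass account object id are placeholders.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$BreakGlassUserId = '00000000-0000-0000-0000-000000000000'   # placeholder: emergency-access account to exclude

function New-ApprovedClientAppPolicy {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        # 'exchangeActiveSync' for the EAS policy; 'browser','mobileAppsAndDesktopClients' for the other.
        # exchangeActiveSync (not easSupported) is assumed to be the Graph equivalent of leaving the
        # "apply only to supported platforms" box unchecked, so the policy hits every platform.
        [Parameter(Mandatory)][string[]]$ClientAppTypes,
        [string]$ExcludeUserId = $BreakGlassUserId,
        # Start in report-only and flip to 'enabled' once the sign-in logs look right.
        [string]$State = 'enabledForReportingButNotEnforced'
    )

    $conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
    $conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
    $conditions.Applications.IncludeApplications = 'All'
    $conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
    $conditions.Users.IncludeUsers = 'All'
    $conditions.Users.ExcludeUsers = @($ExcludeUserId)
    $conditions.ClientAppTypes = $ClientAppTypes

    $grant = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
    $grant._Operator = 'OR'
    $grant.BuiltInControls = @('approvedApplication')   # "Require approved client app"

    New-AzureADMSConditionalAccessPolicy -DisplayName $DisplayName -State $State `
        -Conditions $conditions -GrantControls $grant
}

# Policy 1: Exchange ActiveSync on its own.
New-ApprovedClientAppPolicy -DisplayName 'CA - Require approved app (EAS)' `
    -ClientAppTypes @('exchangeActiveSync')

# Policy 2: browser plus mobile apps and desktop clients.
New-ApprovedClientAppPolicy -DisplayName 'CA - Require approved app (browser and clients)' `
    -ClientAppTypes @('browser', 'mobileAppsAndDesktopClients')
```

<span style="font-size: large;">Review the report-only results in the Azure AD sign-in logs for a few days, then re-run with -State enabled on both policies. The excluded account is the one you sign in with if the policy ever locks everyone else out.</span><br />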
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Hope this helps someone out there.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">I feel like I should have a sign off phrase, but I don't. Maybe that is it though:</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">"I feel like I should have a sign off phrase, but I don't".</span>amobileattempthttp://www.blogger.com/profile/12096015794065310499noreply@blogger.com0tag:blogger.com,1999:blog-6136975414599614540.post-72858552514960155422017-12-18T09:44:00.000-08:002017-12-18T09:45:32.101-08:00Exchange Online Certificate Based Authentication<span style="font-size: large;">Hey guys!</span><br />
<span style="font-size: large;"><br /></span>
<br />
<span style="font-size: large;">Today I want to build upon the last post surrounding Intune and certificate services. Once we get the certificates onto the devices the next step is to configure our services to accept certs as a form of authentication. </span><br />
<br />
<span style="font-size: large;">I want to talk about configuring Exchange Online in this post and some caveats when setting that up. </span><br />
<br />
<span style="font-size: large;">Per usual I don't want to spell out a guide for everyone. Those can be found in a multitude of places. There is a good one here.</span><br />
<br />
<span style="font-size: large;"><a href="https://blogs.technet.microsoft.com/messagingblogs/2017/02/16/certificate-based-authentication-o365/">https://blogs.technet.microsoft.com/messagingblogs/2017/02/16/certificate-based-authentication-o365/</a></span><br />
<br />
<span style="font-size: large;">What I do want to talk about are some of the gaps that this guide didn't cover.</span><br />
<br />
<span style="font-size: large;">First thing is the intermediary. In a best-practice PKI deployment you should have a Root and an Intermediate (Int) CA certificate. I would publish both certificates and their CRLs to Azure AD using the guide above. When you deploy the Int cert, be sure you change the PowerShell from this</span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><i>Get-AzureADTrustedCertificateAuthority</i></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><i><br /></i></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><i>$Cert=Get-Content -Encoding byte "Location of Root CA CER file"</i></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><i><br /></i></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><i>$New_CA=New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation</i></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><i><br /></i></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><i>$New_CA.AuthorityType=0</i></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><i><br /></i></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><i>$New_CA.TrustedCertificate=$Cert</i></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><i><br /></i></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><i>$New_CA.crlDistributionPoint="CRL Distribution URL"</i></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><i><br /></i></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><i>New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $New_CA</i></span><br />
<span style="font-size: large;"><br /></span>
<br />
<span style="font-size: large;">To this: "$New_CA.AuthorityType=1". Setting AuthorityType to 1 tells Azure AD that the cert we upload is the Int rather than the Root.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">I recommend putting the Int cert on the devices we deploy as well as accepting it for authentication in Azure AD.</span><br />
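<span style="font-size: large;">The Root and Int upload in one script, with the AuthorityType switch the post calls out and a check at the end that both ended up in the tenant. This is an added example, not the post's or Microsoft's script; it uses only the cmdlets and object type shown above (AzureAD module, Windows PowerShell 5.1), and the file paths and CRL URLs are placeholders.</span><br />

```powershell
# Added example, not the post's own script. Uploads the Root (AuthorityType 0) and the
# Intermediate (AuthorityType 1) CA certificates to Azure AD for certificate-based auth,
# then lists what the tenant trusts. File paths and CRL URLs are placeholders.
Import-Module AzureAD
Connect-AzureAD | Out-Null

function Add-TrustedCa {
    param(
        [Parameter(Mandatory)][string]$CerPath,   # .cer exported from the CA
        [Parameter(Mandatory)][string]$CrlUrl,    # CRL distribution point published for this CA
        [ValidateSet(0, 1)][int]$AuthorityType    # 0 = Root CA, 1 = Intermediate CA
    )
    $bytes = Get-Content -Path $CerPath -Encoding Byte
    $ca = New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
    $ca.AuthorityType        = $AuthorityType
    $ca.TrustedCertificate   = $bytes
    $ca.crlDistributionPoint = $CrlUrl
    New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $ca
}

# Root first, then the intermediate that actually issues the user certs.
Add-TrustedCa -CerPath 'C:\pki\root.cer' -CrlUrl 'http://crl.example.com/root.crl' -AuthorityType 0
Add-TrustedCa -CerPath 'C:\pki\int.cer'  -CrlUrl 'http://crl.example.com/int.crl'  -AuthorityType 1

# Verify: expect one entry with AuthorityType 0 and one with AuthorityType 1,
# each showing the subject of the cert that was uploaded and a reachable CRL URL.
Get-AzureADTrustedCertificateAuthority | Select-Object AuthorityType, crlDistributionPoint,
    @{ n = 'Subject'; e = {
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (, [byte[]]$_.TrustedCertificate)).Subject
    } }
```

<span style="font-size: large;">The CRL URL has to be reachable from the internet, since Azure AD is the one fetching it; a CRL that only resolves inside the corporate network means revoked certs keep working against Exchange Online.</span><br />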
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The next little gotcha they don't mention is that ADFS certificate-based auth goes over a different port. It uses port 49443, so make sure you aren't blocking that port coming into the WAPs.</span><br />
<br />
<span style="font-size: large;">And last but not least, make sure that you configure ADFS to accept cert-based auth. In ADFS 2016 it's a little checkbox under authentication types.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-Ud62AuDbUVM/Wjf5gzhKlsI/AAAAAAAAFpA/lLEvfOzxR_sz0wh7L_vp9uwdZD4PtFqXwCEwYBhgL/s1600/cert.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="551" data-original-width="489" src="https://4.bp.blogspot.com/-Ud62AuDbUVM/Wjf5gzhKlsI/AAAAAAAAFpA/lLEvfOzxR_sz0wh7L_vp9uwdZD4PtFqXwCEwYBhgL/s1600/cert.png" /></a></div>
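<span style="font-size: large;">A quick way to confirm both of the last two gotchas without clicking through the console. This is an added example, not the post's own; it uses the ADFS module's Get-/Set-AdfsGlobalAuthenticationPolicy and Test-NetConnection, and the ADFS hostname is a placeholder. Run the port test from a machine outside the network so it actually crosses the WAP.</span><br />

```powershell
# Added example, not the post's own script. Checks that ADFS lists CertificateAuthentication as a
# primary provider (the checkbox in the screenshot) and that TCP 49443 is reachable through the WAP.
$AdfsFqdn = 'adfs.example.com'   # placeholder: the public ADFS/WAP name

function Test-AdfsCertificateAuth {
    param([string]$Fqdn = $AdfsFqdn)
    $policy = Get-AdfsGlobalAuthenticationPolicy
    [pscustomobject]@{
        ExtranetCba = $policy.PrimaryExtranetAuthenticationProvider -contains 'CertificateAuthentication'
        IntranetCba = $policy.PrimaryIntranetAuthenticationProvider -contains 'CertificateAuthentication'
        # Run this part from outside the network; it only proves something if it traverses the WAP.
        Port49443   = (Test-NetConnection -ComputerName $Fqdn -Port 49443 -WarningAction SilentlyContinue).TcpTestSucceeded
    }
}

# Adds certificate auth alongside whatever providers are already enabled (forms, Windows, ...),
# rather than replacing them, so existing sign-in methods keep working.
function Enable-AdfsCertificateAuth {
    $policy = Get-AdfsGlobalAuthenticationPolicy
    $extranet = @(@($policy.PrimaryExtranetAuthenticationProvider) + 'CertificateAuthentication' | Select-Object -Unique)
    $intranet = @(@($policy.PrimaryIntranetAuthenticationProvider) + 'CertificateAuthentication' | Select-Object -Unique)
    Set-AdfsGlobalAuthenticationPolicy -PrimaryExtranetAuthenticationProvider $extranet `
                                       -PrimaryIntranetAuthenticationProvider $intranet
}

Test-AdfsCertificateAuth
```

<span style="font-size: large;">If ExtranetCba comes back False, run Enable-AdfsCertificateAuth on the primary ADFS server and test again; if Port49443 is False while 443 works, the firewall in front of the WAP is the place to look.</span><br />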
<span style="font-size: large;"><br /></span>amobileattempthttp://www.blogger.com/profile/12096015794065310499noreply@blogger.com0tag:blogger.com,1999:blog-6136975414599614540.post-37360534269951218762017-12-08T07:14:00.001-08:002020-11-18T06:04:22.301-08:00Using a Public Certificate For Intune Certificates<span style="font-size: large;">Hello Everyone, long time no talk!</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Today I want to go over an experience I had with a client setting up Certificate Based Authentication (CBA) to Exchange Online. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">To give a brief rundown of how this is accomplished, I will put a couple of bullet points below.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">1. Have an Internal PKI</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">2. Add an NDES server to your PKI</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">3. Configure templates</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">4. Configure cert profiles in Intune</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">A great guide on how to accomplish this can be found here</span><br />
<span style="font-size: large;"><br /></span>
<a href="https://www.scconfigmgr.com/2016/04/12/prepare-your-environment-for-scep-certificate-enrollment-with-microsoft-intune/"><span style="font-size: large;">https://www.scconfigmgr.com/2016/04/12/prepare-your-environment-for-scep-certificate-enrollment-with-microsoft-intune/</span></a><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The issue I ran into comes from the use of a trusted public certificate to secure the IIS server and Intune Certificate Connector instead of one from your internal PKI as in the steps Nickolaj provided in his blog. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">By default the NDES server places its own DNS name in certain registry values that it expects the certificate to have. When using a public cert, we need to change those values in the registry.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The keys that need to be changed can be found at:</span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-zn0-cIz9qfg/Wiqqz2FK3CI/AAAAAAAAFg0/Edhih5X8EfA0E3znjcYvAHMRTDVI2aSpgCLcBGAs/s1600/Capture.JPG" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: large;"><img border="0" data-original-height="27" data-original-width="546" src="https://2.bp.blogspot.com/-zn0-cIz9qfg/Wiqqz2FK3CI/AAAAAAAAFg0/Edhih5X8EfA0E3znjcYvAHMRTDVI2aSpgCLcBGAs/s1600/Capture.JPG" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: large;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: large;">The values that hold the server name should be changed to the namespace on the public cert. See example below. Client information has been removed but you get the idea.</span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-EjSvhq6MKog/WiqrpF4AqgI/AAAAAAAAFg8/MlCnww5Ry6kvuOQAwlRIz_SKrkjlQStVACLcBGAs/s1600/Untitled.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: large;"><img border="0" data-original-height="660" data-original-width="1028" height="411" src="https://4.bp.blogspot.com/-EjSvhq6MKog/WiqrpF4AqgI/AAAAAAAAFg8/MlCnww5Ry6kvuOQAwlRIz_SKrkjlQStVACLcBGAs/w640-h411/Untitled.png" width="640" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
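<span style="font-size: large;">A script that does the edit described above in a repeatable way: it lists every value under the NDES key that still carries the server's own name, shows what it would change, and only writes when you pass -Apply. This is an added example, not the post's own; the registry key path is a placeholder for the key in the screenshot above, and the public name is a constructed example value.</span><br />

```powershell
# Added example, not part of the original post. Finds NDES registry values that still contain
# the server's own hostname or FQDN and rewrites them to the DNS name on the public certificate.
# $RegistryPath is a placeholder: use the key shown in the screenshot above.
$RegistryPath = 'HKLM:\<NDES key from the screenshot>'   # placeholder, replace before running
$PublicName   = 'ndes.example.com'                       # constructed example: the name on the public cert

function Get-NdesServerNameValues {
    param([Parameter(Mandatory)][string]$Path)
    # Both forms the NDES setup may have written: short NetBIOS name and full FQDN.
    $localNames = @($env:COMPUTERNAME, [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName) |
        Select-Object -Unique
    $props = Get-ItemProperty -Path $Path
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, PSChildName, ...
        if ($p.Value -isnot [string]) { continue }     # only string values carry a hostname
        foreach ($n in $localNames) {
            if ($p.Value -match [regex]::Escape($n)) {
                [pscustomobject]@{ Name = $p.Name; Value = $p.Value; Matched = $n }
                break
            }
        }
    }
}

function Set-NdesPublicName {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$NewName,
        [switch]$Apply                                 # without -Apply this is a dry run
    )
    foreach ($v in Get-NdesServerNameValues -Path $Path) {
        $updated = $v.Value -replace [regex]::Escape($v.Matched), $NewName   # -replace is case-insensitive
        if ($Apply) { Set-ItemProperty -Path $Path -Name $v.Name -Value $updated }
        [pscustomobject]@{ Name = $v.Name; Old = $v.Value; New = $updated; Applied = [bool]$Apply }
    }
}

# Dry run first; re-run with -Apply once the Old/New columns look right, then recycle IIS (iisreset).
Set-NdesPublicName -Path $RegistryPath -NewName $PublicName | Format-Table -AutoSize
```

<span style="font-size: large;">Export the key before running with -Apply so you can roll back if SCEP enrollment breaks afterward; the values the connector reads are only loaded when IIS restarts, so nothing changes until then.</span><br />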
<span style="font-size: large;">After this change was made, our SCEP certificates were getting to the devices.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Hope this helps someone out there that may be hung up on this issue.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Until next time.</span>amobileattempthttp://www.blogger.com/profile/12096015794065310499noreply@blogger.com0tag:blogger.com,1999:blog-6136975414599614540.post-31591241686566970352017-08-01T11:01:00.001-07:002020-11-18T06:05:10.660-08:00Exchange upgrades and forgotten servers<span style="font-size: large;">Hello Everyone! </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Got a guest post from a colleague of mine today. Erick Purkins is a Microsoft consultant out of the Houston Texas area and he did a write up of a recent issue he saw. Enjoy.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">--------------------------------------------------------------------------------------</span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="MsoNormal">
<span style="font-size: large;">I just wanted to share an experience and issue with everyone
this morning.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: large;">I am currently working with a customer to upgrade their
Exchange 2010 infrastructure to Exchange 2016. During our discussions, we
talked about correct service pack levels and OSes required, etc. One thing I
didn’t think to talk about was “FAILED EXCHANGE SERVERS”. Just curious if
anyone brings this up?</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: large;">This is important because during the installation of their
first 2016 server I received a rather odd error.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-n4fO4jQN1BE/WYDBIKy3eAI/AAAAAAAAEws/TwTOL_cLO4gV-j_ellLm2cXn5ePS24pIgCLcBGAs/s1600/1.jpg" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: large;"><img border="0" data-original-height="522" data-original-width="599" src="https://1.bp.blogspot.com/-n4fO4jQN1BE/WYDBIKy3eAI/AAAAAAAAEws/TwTOL_cLO4gV-j_ellLm2cXn5ePS24pIgCLcBGAs/s1600/1.jpg" /></span></a></div>
<span style="font-size: large;"><br /></span>
<br />
<div class="MsoNormal">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-size: large;">It was the
“Update-RmsSharedIdentity -ServerName $RoleNetBIOSName was run:
"Microsoft.Exchange.Data.DataValidationException: Database is mandatory on
UserMailbox.” That led me to the issue.</span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-size: large;">Apparently at one time or another
they had an Exchange server go belly up. Instead of fixing the issue they
turned it off and forgot about it, eventually having someone go in and remove
the server through ADSI.</span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-size: large;">Now normally this wouldn’t have
been much cause for alarm, but after reviewing the error message and a little
Google-fu I realized they had no arbitration mailboxes and this was what the
error referred to.</span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-KYmu98I838w/WYDDgxKCDrI/AAAAAAAAExM/jCoxCbUilqIiE3glGY_2dCC-E9s-mYzxACEwYBhgL/s1600/2.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="257" data-original-width="626" src="https://4.bp.blogspot.com/-KYmu98I838w/WYDDgxKCDrI/AAAAAAAAExM/jCoxCbUilqIiE3glGY_2dCC-E9s-mYzxACEwYBhgL/s1600/2.jpg" /></a></div>
<span style="font-size: large;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<ul style="margin-top: 0in;" type="disc">
<li class="MsoNormal"><span style="font-size: large;">So how did I fix this issue?</span></li>
</ul>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: large;">First, I reviewed how to recreate Arbitration mailboxes.
Something I have done before but not in a while.</span></div>
<div class="MsoNormal">
<span style="font-size: large;"><a href="https://social.technet.microsoft.com/wiki/contents/articles/5317.recreate-and-enable-missing-arbitration-user-accounts-and-mailboxes-in-exchange-server-2010.aspx">https://social.technet.microsoft.com/wiki/contents/articles/5317.recreate-and-enable-missing-arbitration-user-accounts-and-mailboxes-in-exchange-server-2010.aspx</a></span></div>
<div class="MsoNormal">
<br /></div>
<ul style="margin-top: 0in;" type="disc">
<li class="MsoNormal"><span style="font-size: large;">OK seems easy, right? Wrong.</span></li>
</ul>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: large;">Since I had previously run the Exchange 2016 setup, it had
run /prepareAD and updated the schema. So I could not run the Exchange 2010 SP3
setup with /PrepareAD to recreate the mailboxes.</span></div>
<div class="MsoNormal">
<br /></div>
<ul style="margin-top: 0in;" type="disc">
<li class="MsoNormal"><span style="font-size: large;">Where to next? I guess I’ll have to use the Exchange
2016 media.</span></li>
</ul>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: large;">I hope you’ll never have to do this, but with Setup.exe there
is a /mode switch which you can use to remove a failed Exchange install. This
is the only way; you cannot remove the install through Add/Remove Programs. The
command looks like this: “Setup.exe /mode:uninstall
/iacceptexchangeserverlicenseterms”</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: large;">Learn more at: <a href="https://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.InstallWatermark.aspx">https://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.InstallWatermark.aspx</a> </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">or use setup.exe /?</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: large;">After successfully removing the Exchange installation, I
removed the AD objects associated with Arbitration mailboxes and re-ran
Setup.exe /prepareAD. All the correct mailboxes were recreated in the default
Users container as they are supposed to be.</span></div>
<div class="MsoNormal">
<br /></div>
<ul style="margin-top: 0in;" type="disc">
<li class="MsoNormal"><span style="font-size: large;">Now it’s time to enable those mailboxes…</span></li>
</ul>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: large;">After recreating the mailboxes with the Exchange 2016 media
I followed what I would normally do and re-enabled them through the shell. Okay,
new error, WTH? You mean to tell me I can only do this through the Exchange
2016 Shell, but I haven’t gotten a server even installed yet. Now we have a
chicken-or-the-egg situation.</span><br />
<span style="font-size: large;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-eNfXih3IzII/WYDBIL3O_LI/AAAAAAAAEw0/cZ0iqmwrKBwVnRZ3y_ZIGxYKSu4l16QqQCEwYBhgL/s1600/3.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: large;"><img border="0" data-original-height="78" data-original-width="964" height="52" src="https://4.bp.blogspot.com/-eNfXih3IzII/WYDBIL3O_LI/AAAAAAAAEw0/cZ0iqmwrKBwVnRZ3y_ZIGxYKSu4l16QqQCEwYBhgL/w640-h52/3.png" width="640" /></span></a></div>
<span style="font-size: large;"><br /></span>
<br />
<div class="MsoNormal">
<br /></div>
<ul style="margin-top: 0in;" type="disc">
<li class="MsoNormal"><span style="font-size: large;">Do we try and install Exchange 2016 again? You feeling
lucky?</span></li>
</ul>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: large;">That was the only thing I could think of to do and the
internet was no help with that question. So I ran setup again and prayed to the
Microsoft gods while crossing everything and holding every lucky charm I could
find.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: large;">Must have been the lucky rabbit’s foot, because this time
around we were successful at installing Exchange 2016.</span><br />
<span style="font-size: large;"><br /></span></div>
<div class="MsoNormal">
<a href="https://3.bp.blogspot.com/-NnGPX0b-BTI/WYDBITfAc1I/AAAAAAAAEw4/ZrC-z8y6DI00ylFyswEn8_taHLHCZwUlACEwYBhgL/s1600/4.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-size: large;"><img border="0" data-original-height="169" data-original-width="763" height="142" src="https://3.bp.blogspot.com/-NnGPX0b-BTI/WYDBITfAc1I/AAAAAAAAEw4/ZrC-z8y6DI00ylFyswEn8_taHLHCZwUlACEwYBhgL/w640-h142/4.png" width="640" /></span></a></div>
<div class="MsoNormal">
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">After rebooting the server all arbitration mailboxes appear
on the new Exchange server. </span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-U6gPP7xjDYA/WYDDgl2mW0I/AAAAAAAAExI/d5p7OOJ6zX4a2o_cKYLeVV3BD4oPR18JgCEwYBhgL/s1600/5.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="140" data-original-width="737" height="122" src="https://1.bp.blogspot.com/-U6gPP7xjDYA/WYDDgl2mW0I/AAAAAAAAExI/d5p7OOJ6zX4a2o_cKYLeVV3BD4oPR18JgCEwYBhgL/w640-h122/5.png" width="640" /></a></div>
<span style="font-size: large;"><br /></span></div>
<div class="MsoNormal">
<span style="font-size: large;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<ul style="margin-top: 0in;" type="disc">
<li class="MsoNormal"><span style="font-size: large;">Moral of the story</span></li>
</ul>
<div class="MsoNormal">
<br /></div>
<br />
<div class="MsoNormal">
<span style="font-size: large;">Talk to your customers about failed or improperly
decommissioned servers. Double-check your arbitration mailboxes prior to any
upgrade. It may just save you a few hours of Google-fu. Also, always keep a
lucky rabbit’s foot close at hand.</span></div>
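<span style="font-size: large;">A pre-upgrade check that covers the two things the story above turned on: arbitration accounts that are missing their mailbox or database, and server objects left in AD for machines that are long gone. This is an added example from the blog editor, not Erick's script, and it uses only standard Exchange Management Shell cmdlets (Get-User, Get-Mailbox, Get-ExchangeServer) plus Test-Connection.</span><br />

```powershell
# Added example, not the guest post's own script. Run from the Exchange Management Shell
# before starting setup. It surfaces: (1) arbitration accounts that are not mailbox-enabled
# or have no database (the "Database is mandatory on UserMailbox" error above), and
# (2) Exchange server objects still registered in AD that no longer answer on the network.
function Get-ArbitrationState {
    $mailboxes = @{}
    Get-Mailbox -Arbitration -ErrorAction SilentlyContinue | ForEach-Object { $mailboxes[$_.Name] = $_ }

    # Get-User -Arbitration also returns arbitration accounts whose mailbox was lost,
    # which Get-Mailbox alone would silently skip.
    Get-User -Arbitration | ForEach-Object {
        $mbx     = $mailboxes[$_.Name]
        $db      = if ($mbx) { "$($mbx.Database)" } else { '' }
        $problem = ''
        if (-not $mbx)                          { $problem = 'Account exists but is not mailbox-enabled' }
        elseif ([string]::IsNullOrEmpty($db))   { $problem = 'Mailbox has no database' }
        [pscustomobject]@{ Name = $_.Name; Database = $db; Problem = $problem }
    }
}

function Get-UnreachableExchangeServers {
    Get-ExchangeServer | ForEach-Object {
        $alive = Test-Connection -ComputerName $_.Fqdn -Count 1 -Quiet -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name      = $_.Name
            Fqdn      = $_.Fqdn
            Version   = "$($_.AdminDisplayVersion)"
            Reachable = [bool]$alive
        }
    } | Where-Object { -not $_.Reachable }
}

# Anything with a non-empty Problem column, or any server listed as unreachable, gets sorted out
# (recreate/enable the mailbox, or properly remove the dead server) before setup.exe is run.
Get-ArbitrationState           | Format-Table -AutoSize
Get-UnreachableExchangeServers | Format-Table -AutoSize
```

<span style="font-size: large;">A server that fails the ping test is not proof it was decommissioned badly (ICMP may just be blocked), but it is the list of names to ask the customer about before /PrepareAD touches anything.</span><br />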
amobileattempthttp://www.blogger.com/profile/12096015794065310499noreply@blogger.com0tag:blogger.com,1999:blog-6136975414599614540.post-15417597175269632972017-07-19T17:41:00.003-07:002020-11-18T06:05:39.899-08:00Lets Talk About Azure AD Conditional Access and Automatic Device Registration<span style="font-size: large;">Let's talk about Azure AD Conditional Access for a second. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">It's deceiving, like rob-you-in-the-night-after-you-thought-you-were-friends deceiving. I say this for two reasons.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">1. In the rules for Conditional Access there is an option that is labeled 'domain joined'. This is misleading. What this is really checking is whether the device is registered within Azure AD and domain joined. If the device is domain joined but not registered, then it won't honor the conditional access controls. Registration can happen automatically for domain-joined devices once some configuration is done on-prem (more on that later).</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">2. Conditional Access only supports applications that use modern auth. This wouldn't be so big a deal if when you enabled Conditional Access it disabled legacy authentication methods. It doesn't. What this means is all your fancy layered rules can be defeated by someone in China firing up Outlook 2010 and using a compromised account. Don't believe me? Take a look here. </span><br />
<br />
<span style="font-size: large;"><a href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-supported-apps">https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-supported-apps</a></span><br />
<br />
<span style="font-size: large;">Microsoft's suggested fix is to stand up ADFS and use claims rules to block legacy auth... not much of a fix in my opinion.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">I want to circle back around to point number 1 and talk about how to do automatic registration of domain joined devices. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">It's not my style to just rehash all the steps in another article unless I had some sort of gotcha moment during it. The steps to enabling this feature can be found here:</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><a href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup">https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup</a></span><br />
<br />
<span style="font-size: large;">What I do want to touch on are some scenarios I thought about when doing this. First, some background info on how the registration works. Windows 10 devices have the logic to join Azure AD baked into the OS. You configure your SCP, configure ADFS if you have it, and you're off to the races.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">A little caveat that I found out is that my devices would not sync unless I was also syncing their Computer Account Object. I believe this is due to Windows 10 machines not being tied to a user account when they sync (more on that later). I did some testing, and what I saw when I stopped syncing the Computer Objects was that it also removed my registered devices out of Azure AD. That is gotcha #1.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Windows 7 devices are a little different. They require a small MSI package to be run to force a registration since they do not have the baked-in logic. What I found when testing these guys is that they are tied to a user: whatever user's login triggers the join gets the device put in their name. This means that only users that are being synced into Azure AD can register. Gotcha #2. If a non-synced user tries, it will fail silently.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">What is interesting though is that if a synced user stops syncing or gets removed from Azure AD, the device will remain and not be associated with any user, like the Windows 10 devices.</span><br />
<span style="font-size: large;"><br /></span>
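<span style="font-size: large;">Because the 'domain joined' condition only works once the device is both domain joined and registered, the dsregcmd /status output shown below is the thing to check on a machine that is unexpectedly skipping your Conditional Access rules. Here is a small parser for that output as an added example, not part of the original post: it turns the "Key : Value" lines into a hashtable and flags the domain-joined-but-not-registered case. The sample output is constructed and trimmed to the fields that matter.</span><br />

```powershell
# Added example, not the post's own script. Parses dsregcmd /status into a hashtable and reports
# whether the device is domain joined AND registered in Azure AD, which is what the 'domain joined'
# Conditional Access condition really tests. The sample lines below are constructed.
function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        # Only "Key : Value" lines; the +---+ borders and section titles have no colon.
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') {
            $result[$matches[1]] = $matches[2]
        }
    }
    $result
}

function Test-HybridJoinState {
    param([Parameter(Mandatory)][hashtable]$Status)
    $domain = $Status['DomainJoined']  -eq 'YES'
    $aad    = $Status['AzureAdJoined'] -eq 'YES'
    $note   = ''
    if ($domain -and -not $aad) { $note = 'Domain joined but not registered: device-based CA conditions will not apply' }
    [pscustomobject]@{
        DomainJoined  = $domain
        AzureAdJoined = $aad
        HybridJoined  = ($domain -and $aad)
        DomainName    = $Status['DomainName']
        TenantName    = $Status['TenantName']
        Note          = $note
    }
}

# Constructed sample of the Device State block for a domain-joined machine that never registered.
$sample = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : NO',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '                DomainName : CONTOSO'
)
Test-HybridJoinState -Status (ConvertFrom-DsregStatus -Lines $sample)

# On a real machine, feed the live output instead of the sample:
# Test-HybridJoinState -Status (ConvertFrom-DsregStatus -Lines (dsregcmd /status))
```

<span style="font-size: large;">The sample comes back with HybridJoined false and the note set; on a properly registered Windows 10 box (like the screenshot below) AzureAdJoined reads YES and TenantName is populated, and that is the state in which the 'domain joined' condition starts being honored.</span><br />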
<span style="font-size: large;">So huge wall of text. Here's a picture of my devices </span><span style="font-size: large;">and the output of dsregcmd /status on a successfully joined Windows 10 machine</span><span style="font-size: large;"> to make it all better.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">See ya later!</span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-KOehqksYgBs/WW_7kyo_wBI/AAAAAAAAEvk/iSzQDN917Zofi8LDwSwWScCRwZTr7BmpQCLcBGAs/s1600/devices.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="961" data-original-width="1145" height="537" src="https://3.bp.blogspot.com/-KOehqksYgBs/WW_7kyo_wBI/AAAAAAAAEvk/iSzQDN917Zofi8LDwSwWScCRwZTr7BmpQCLcBGAs/w640-h537/devices.JPG" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-J1GqroYo3Pg/WW_7kwcV-qI/AAAAAAAAEvg/zhkG5mRvym0sCqRVEFxmEBWclAHNxJpTgCLcBGAs/s1600/dsreg.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="516" data-original-width="982" height="336" src="https://3.bp.blogspot.com/-J1GqroYo3Pg/WW_7kwcV-qI/AAAAAAAAEvg/zhkG5mRvym0sCqRVEFxmEBWclAHNxJpTgCLcBGAs/w640-h336/dsreg.JPG" width="640" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>amobileattempthttp://www.blogger.com/profile/12096015794065310499noreply@blogger.com2tag:blogger.com,1999:blog-6136975414599614540.post-58158262770256183512017-07-07T20:02:00.003-07:002017-07-19T17:55:50.047-07:00Adding Additional OUs to AAD Connect Sync Filter<span style="font-size: large;">Hello again internet. Had a quick post I wanted to write up on changing or adding new OUs to your AAD Connect sync filter. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">First, let's start off with a little background information. After you install AAD Connect, by default it runs what is called a 'Delta' sync every 30 minutes. This sync only syncs changes made to objects since the last sync.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The inverse of this is an 'Initial' sync, which runs a full sync against all objects regardless of whether they have been changed or not. This feature is useful for two reasons.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">1. Running an Initial sync is like giving AAD Connect the old turn-it-off-and-back-on treatment. Doing this can actually alleviate certain sync errors. I don't actually believe this is an intended use or feature of the Initial sync, but what works in the field isn't always what works on paper.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">2. Running an Initial sync will pick up any changes to your object filtering, such as adding or changing what OUs you are syncing. A regular Delta will not do this. </span><br />
<span style="font-size: large;"><br /></span>
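<span style="font-size: large;">Kicking off the Initial sync from PowerShell, with a guard so it does not collide with a Delta cycle that the scheduler already has running. This is an added example, not part of the original post; it assumes the ADSync module that ships with AAD Connect (Get-ADSyncScheduler and Start-ADSyncSyncCycle) and is run on the AAD Connect server itself.</span><br />

```powershell
# Added example, not the post's own script. After changing the OU filter, wait for any running
# sync cycle to finish and then start an Initial (full) sync, since a Delta sync will not pick
# up filter changes. Runs on the AAD Connect server with the ADSync module.
Import-Module ADSync

function Show-SyncSchedule {
    # Default interval is 30 minutes; SyncCycleEnabled false means the scheduler was paused.
    Get-ADSyncScheduler |
        Select-Object SyncCycleEnabled, SyncCycleInProgress,
                      CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC
}

function Start-InitialSyncWhenIdle {
    param([int]$TimeoutMinutes = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    # Starting a cycle while one is in progress just errors out, so poll until the scheduler is idle.
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) {
            throw "A sync cycle was still running after $TimeoutMinutes minutes; try again later."
        }
        Start-Sleep -Seconds 30
    }
    Start-ADSyncSyncCycle -PolicyType Initial   # 'Delta' is what the scheduler runs on its own
}

Show-SyncSchedule
Start-InitialSyncWhenIdle
```

<span style="font-size: large;">An Initial sync re-reads every object in scope, so on a large directory expect it to run a good deal longer than the usual Delta; the console's Operations tab is where you watch it finish.</span><br />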
<span style="font-size: large;">------------------------------------------------------------------------------</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Now that we have that out of the way, let's get into how to actually change what OUs you are syncing. The easiest and best way to do this is through the 'Synchronization Service' GUI. If you ever messed with AAD Connect's predecessor, DirSync, then this will look familiar.</span><br />
<span style="font-size: large;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-DyOeqccteN8/WWBK2h9KzGI/AAAAAAAAEs4/wsq9WjDXsFEhgwovMikV-pVtqgDfmvBqQCLcBGAs/s1600/Sync%2BService.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="635" data-original-width="802" src="https://2.bp.blogspot.com/-DyOeqccteN8/WWBK2h9KzGI/AAAAAAAAEs4/wsq9WjDXsFEhgwovMikV-pVtqgDfmvBqQCLcBGAs/s1600/Sync%2BService.PNG" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="font-size: large;">Once you are greeted with the console above, go to the Connector button across the top ribbon. On that page, right-click the connector with your local domain name and choose Properties. </span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-R4nc76gA2cc/WWBK5GA6fkI/AAAAAAAAEs8/XjQw7mRTBzUj1tmHjXWzcF0T2yCoT8mKQCEwYBhgL/s1600/Connector.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="626" data-original-width="796" src="https://2.bp.blogspot.com/-R4nc76gA2cc/WWBK5GA6fkI/AAAAAAAAEs8/XjQw7mRTBzUj1tmHjXWzcF0T2yCoT8mKQCEwYBhgL/s1600/Connector.png" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Once inside the properties, go down to Configure Directory Partitions and then click the Containers button.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-qZjKXswsaRk/WWBK5O71HRI/AAAAAAAAEtA/JB5nnApvhF4BC2ZKZtzMY78TRINqlVY3wCEwYBhgL/s1600/OU%2BButton.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="497" data-original-width="662" src="https://2.bp.blogspot.com/-qZjKXswsaRk/WWBK5O71HRI/AAAAAAAAEtA/JB5nnApvhF4BC2ZKZtzMY78TRINqlVY3wCEwYBhgL/s1600/OU%2BButton.png" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">You will then be greeted with a login prompt. Enter admin credentials with the proper permissions, which may vary depending on whether you used the express or custom setup. Once inside you will see a tree view of your AD layout. Checking or unchecking a box, just as you did during setup, adds or removes any OU. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Once you have done this, run an Initial sync. You can kick one off from the GUI, but it's messy. I recommend using PowerShell with the command</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Start-ADSyncSyncCycle -PolicyType Initial</span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-yyBa9C3XmKc/WWBK5OPC4VI/AAAAAAAAEtE/_c2GLxS48eMFOk2-aH8rKYozAR5dcnoUACEwYBhgL/s1600/PS.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="29" data-original-width="490" src="https://2.bp.blogspot.com/-yyBa9C3XmKc/WWBK5OPC4VI/AAAAAAAAEtE/_c2GLxS48eMFOk2-aH8rKYozAR5dcnoUACEwYBhgL/s1600/PS.png" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Yes, that is the word "sync" in there twice. You can also run this command with the -PolicyType Delta switch for those times you want to manually kick off a regular sync. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Once this Initial sync completes, all the objects in your new OUs should start syncing!</span><br />
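As an added example (not from the original post), here is a PowerShell script that wraps the procedure above: it lists which containers the AD connector currently has in scope so you can confirm the OU change did what you meant, makes sure the 30-minute scheduler is not mid-cycle, runs the Initial sync, and waits for the connector runs to finish. The connector name 'contoso.local' is a placeholder for your own on-premises AD connector; it assumes the ADSync module on the AAD Connect server.

```powershell
# Added example, not the post's own code. Run in an elevated PowerShell
# session on the AAD Connect server. 'contoso.local' is a placeholder for
# the name of your on-premises AD connector (as shown on the Connectors tab).
Import-Module ADSync

$connectorName = 'contoso.local'

# 1. Show which containers are in scope for each directory partition.
#    Defender's check: after ticking a new OU, confirm nothing unexpected
#    (for example an OU holding privileged or service accounts) was pulled
#    into scope at the same time, since everything in scope ends up in Azure AD.
$connector = Get-ADSyncConnector -Name $connectorName
foreach ($partition in $connector.Partitions) {
    Write-Host "Partition: $($partition.Name)"
    $partition.ConnectorPartitionScope.ContainerInclusionList |
        ForEach-Object { Write-Host "  included: $_" }
    $partition.ConnectorPartitionScope.ContainerExclusionList |
        ForEach-Object { Write-Host "  excluded: $_" }
}

# 2. Caveat: unticking an OU deletes its objects from Azure AD on the next
#    export. The export deletion threshold (default 500 objects) aborts a
#    mass delete; Get-ADSyncExportDeletionThreshold (prompts for Azure AD
#    credentials) shows the current value. Leave it enabled.

# 3. Do not start an Initial sync while the scheduler is already mid-cycle.
$scheduler = Get-ADSyncScheduler
if ($scheduler.SyncCycleInProgress) {
    throw 'A sync cycle is already in progress; wait for it to finish first.'
}

# 4. Kick off the full (Initial) sync described in the post.
Start-ADSyncSyncCycle -PolicyType Initial

# 5. Wait until no connector run is busy before trusting the result.
do {
    Start-Sleep -Seconds 15
    $running = Get-ADSyncConnectorRunStatus
    if ($running) {
        Write-Host "Still running: $($running.ConnectorName -join ', ')"
    }
} while ($running)

Write-Host 'Initial sync finished. Review the Operations tab for any errors.'
```

After it finishes, the Operations tab in the Synchronization Service console is still the place to look for per-object sync errors.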
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">If anyone stumbles upon this, I hope it helps you out.</span>