Deploy the SCCM Client using Microsoft Intune and the Cloud Management Gateway (CMG without PKI certificates)

November 1, 2018October 25, 2018 by Martin Bengtsson

Introduction

Last week I blogged about how to get properly started with Windows AutoPilot. This week I’m continuing on the topic, and going into details on how you can deploy the SCCM (System Center Configuration Manager) client as a part of the Windows AutoPilot enrollment and thus achieve Co-management with SCCM and Microsoft Intune.

I have previously blogged a lot about Co-management. Focus here has been enrolling devices already managed by SCCM into Intune MDM.

This post is the opposite. This time we are deploying a device through Windows AutoPilot, enrolling it into Microsoft Intune and then deploying the SCCM client through the Cloud Management Gateway. Sounds interesting? Read on 🙂

Find all my Co-management posts here: https://www.imab.dk/category/co-mgmt/
- My post about setting up the Cloud Management Gateway without PKI certificates is especially of interest if pursuing Co-management

How to get properly started with Windows AutoPilot: Everything you initially need to know!

October 21, 2018October 20, 2018 by Martin Bengtsson

Introduction

It’s time for me to take on a new topic on the blog. I have been experimenting, working and blogging a lot about SCCM, Intune and Co-management, but never really touched base with Windows AutoPilot. Time is due and this will be the first in a series of posts about Windows AutoPilot and how to eventually reach Co-management with SCCM and Microsoft Intune through Windows AutoPilot.

First things first though. This post will give you everything you need to know on how to properly get started with Windows AutoPilot. Curious? Read on 🙂

A peek into my AutoPilot devices in my test tenant 🙂

Deploy Outlook for iOS with a Managed Exchange Account using Microsoft Intune

October 11, 2018October 10, 2018 by Martin Bengtsson

Introduction

More good news! Microsoft Intune now provides us with an even easier way to pre-configure an e-mail account for Outlook on iOS (and android). This is done with the use of an App Configuration Policy and the additions to the configuration designer when configuring the Outlook app. Let’s walk through the process.

A peek into the Microsoft 365 device management portal

Block access to company resources if running an out-of-date iOS version using Microsoft Intune and Conditional Access

August 14, 2018 by Martin Bengtsson

Introduction

Do you need a simple, but yet effective way of forcing people into updating iOS on their company enrolled Apple devices? Simply block access to company resources if iOS is not up to date. Here is how you can do that using Microsoft Intune and Conditional Access in Microsoft Azure.

Peek into Microsoft Intune and the device compliance policies

Enable UE-V (User Experience Virtualization) during OSD with SCCM and use OneDrive as storage path

August 13, 2018 by Martin Bengtsson

Introduction

UE-V is not something new, but when combined with OneDrive Known Folder Move, Enterprise State Roaming in Azure and OneDrive as the storage path for UE-V, you will find yourself with a very solid solution ensuring roaming of end users data and settings.

I have previously shown you how you can enable OneDrive KFM with SCCM. This time, I’m going to show you how you can enable UE-V during OSD with Configuration Manager, and how you make sure those settings are stored in OneDrive. I hope you can see the pattern here: No on-premise file share for UE-V settings – everything stored in the users OneDrive.

A peek at the UE-V configuration when OneDrive is set as storage path

Introduction

More Configuration Manager 1806 and more awesomeness. 1806 gives us additional improvements to the Cloud Management Gateway and removes the need for PKI in your environment. With these improvements, it has never been easier to setup the CMG. In this post I will walk you through the exact steps I went through in order to successfully deploy the CMG in a HTTP only environment.

A ready Cloud Management Gateway displayed in the console

Receive an e-mail alert if an Office 365 Administrator repeatedly fails to provide correct credentials

August 6, 2019July 23, 2018 by Martin Bengtsson

Introduction

Users with Office 365 administrator roles are very much sensitive users, and besides protecting them with various features such as Conditional Access and MFA, it might be interesting to know if someone tries to brute force or guess their credentials.

In this post I will walk you through how you can setup a policy in Cloud App Security, that automatically sends you an e-mail, if someone fails to provide the correct credentials for users with any Office 365 administrator role assigned.

Sneak peek at the Cloud App Security portal displaying the alert created during this guide

Conditional Access: Restrict access to company resources and only grant access to trusted IPs

September 6, 2021July 10, 2018 by Martin Bengtsson

Introduction

I have previously given a few examples on use cases for Conditional Access, and I admit, for the Conditional Access newbie, the options available can seem daunting. So how about a very simple scenario, where access to company resources are blocked, if not coming from a trusted IP?

Imagine service accounts running some Powershell scripts for automation in your Azure/O365 tenant or other accounts who are never meant to be used outside of your organization. Simply block those from authenticating in Azure/O365 if not coming from your headquarter public IP. This is how you can do just that, using Conditional Access.

Illustration of the conditions of a Conditional Access rule. In this scenario, location is in focus

Microsoft Intune and Conditional Access in a Co-management scenario

June 5, 2018June 5, 2018 by Martin Bengtsson

Introduction

Last week I gave an example on how to leverage Microsoft Intune and Conditional Access to restrict access to Exchange Online for iOS devices. This week, I’m continuing the use of Microsoft Intune and Conditional Access, and will give an example on how to restrict access to company e-mail if not using a Windows 10 1803 device. All of this based on a computer co-managed with both Microsoft Intune and Configuration Manager.

So basically; no e-mails if not running on the latest and greatest version of Windows 10 on my co-managed device.

Conditional Access: Restrict access to Exchange Online and only grant access to company enrolled devices using the Outlook app

July 25, 2018June 1, 2018 by Martin Bengtsson

Introduction

Long title, but that’s actually what this post is going to cover; how you can secure the access to company e-mail accounts and only allow access to such, if coming from an enrolled (compliant) Intune device and that device uses the Outlook app.

In this scenario, we only uses iOS devices and of such only allow enrollment of iOS devices, but this can of course be android and Windows as well. Everything in this post is achievable with the use of Microsoft Intune and Conditional Access in Azure. Curious? Read on 🙂