User Profile
NielsScheffers
Iron Contributor
Joined Dec 24, 2021
User Widgets
Recent Discussions
Re: DLP
Hi sanjay_senapati95! Let's see if we can put you on the right track here. Let's start with your point b): to restrict access to OneDrive (and other cloud apps, like Exchange Online, for that matter) you will need to employ https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/. That looks like it's user-based, but don't be fooled. The https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-condition-filters-for-devices option is immensely powerful and will let you include (or exclude) the policy based on device properties (including device ownership). Now, I don't really understand what you mean with point a). Could you elaborate?Re: Exclude some Android devices from Intune
Hi TompaB! Am I right to assume what you're really looking for is to deny access to Teams for unmanaged (i.e. not Intune-enrolled) Android devices? If so, you will need to apply Conditional Access. For instance, a policy like below: Users or workload identities: include "All users", or select a group that suits your needs. Make sure you don't lock yourself out by accident, so exclude your admin account while testing. Cloud apps or actions: include "Microsoft Teams", or all Office 365 apps if you want to deny access to things like Exchange Online as well. Conditions: Device platforms: select "Yes" to enable this, and then include "Android". Client apps: select "Yes" to enable this, and then include all client apps, assuming you want to block access in browsers and such as well. Filter for devices: select "Yes" to enable this, and then use a filter to exclude managed devices, like "(device.mdmAppId -in ["0000000a-0000-0000-c000-000000000000"])". This is the most important bit as this is where we make sure that devices managed by Intune (which is what that mdmAppID GUID means) will be excluded from this policy. See also: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-condition-filters-for-devices. Grant: select "Block access". Now, to complete your configuration, you may want to explicitly configure a minimal OS-version required for Intune enrollment (and not depend on it not being available). To do this, take a look under Devices > Enroll devices > Enrollment device platform restrictions. You can either change the base, catch-all "Default" policy, or create a new one with a higher priority. Please note, this will still require the Conditional Access policy above to block access to cloud apps, like Teams. Finally, I'd like to add that keeping these Android 4.4 devices in your environment (even though you are blocking them like above) expands your attack surface. It's better to get rid of them completely, if at all possible.Re: Intune Android app - Location permission
I assume you're pushing out a WiFi profile? Android Enterprise then requests the "Location" permission as the information exposed by this API could be used to determine an approximate location for the device. Please note that the "Use precise location" item is left unchecked, meaning a GPS-location is not part of the request.Re: How to block certain apps in intune?
Hi BUBCEN! You're resurrecting a four-year-old thread here. More importantly: I don't think any of the answers here are aimed towards blacklisting (as in preventing the use and/or installation of) apps. The "Conditional Access" route mainly allows you to determine which apps are allowed to connect to a web service (like Exchange Online). If you really want to prevent the use (and, once again, installation) of certain apps, you'll want to have a look at Application Control/AppLocker. I recommend this post by Rudy_Ooms_MVP: https://call4cloud.nl/2021/06/wdac-or-the-unexpected-virtue-of-ignorance/.Re: Autopilot Windows 11 (Host Process for Windows Services) constantly notification
Maybe you can use "ProcessTokenElevation" in the "DeviceProcessEvents" table to find processes with elevation, but I doubt that'll give you an answer. Isn't it easier to just exclude the device/user from the app and test if the UAC-prompt disappears?Re: Disk Encryption
Hi ElieAT! My answer would be: it depends. That's not very helpful, though :). In my opinion, disk encryption is a configuration that is tied to a device, so I would assign it to a device. Should you, however, have a use case where this configuration should apply to any (enrolled) device the user logs on to: assign it to users. I just really can't think of any reason you'd want that.Re: Forms for Private App on Google Play Console
Hi AdamA85! You can use https://docs.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-use-android#preconfigure-the-permissions-grant-state-for-apps for auto-granting permissions. It's only available for https://docs.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-overview#apps-that-support-app-configuration as they have to support this capability. Is that what you were looking for?Re: Hybrid Azure AD joined Devices WITHOUT Intune show up as Non Compliant
Hi ErikVet! As your Azure AD shows these devices as "MDM: None", we would indeed expect "Compliant: N/A". Were these devices ever enrolled in Intune (accidentally, or for testing)? If so, check if there's a "Manage" button in the Azure AD device page. If there is, there's will be a Managed Device object (Intune) linked to the Azure AD Device object, which is probably marked non-compliant.Re: Setup School PC user rights problem
You are aware that only disabling Windows Installer (msiexec) doesn't block all installation options? If you're looking to prevent any software from being installed, your best bet would be something like https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview. To address your specific question: is anything logged to your DeviceManagement-Enterprise-Diagnostics-Provider event log?Re: User Assignment Autopilot Issue
Unfortunately, there's no way this will work with ADFS. The only ADFS authentication method available in OOBE is form-based, which means it simply shows the authentication page hosted by your ADFS-platform. As Autopilot has no control over your ADFS-platform, it can't be personalized with this option.Re: Intune with Autopilot, Kiosk Mode and device only licenses
I think your looking to https://docs.microsoft.com/en-us/mem/autopilot/add-devices (with the hardware hash)? That, indeed, needs to be done first to 'link' your device(s) to your tenant. Without it, Windows has no way of knowing that it needs to get an Autopilot profile from your tenant.
