User Profile

MoZZa

Iron Contributor

Joined Nov 27, 2018

120 Posts35 LikesLikes received1 Solution

View All Badges

User Widgets

Recent Discussions

Re: Allowing Users to Remove/Uninstall Available iOS Apps
Hi Moe_Kinani The issue here is the apps in question have always been set as Available and not Required. As with our Android apps/devices, Uses cannot uninstall Required apps, but can uninstall apps they have installed themselves from the Managed Play Store. I want our iOS users to have the same experience. So all Required apps are only removable from the MEMAC console (as expected) and apps that are available to them via the Company Portal for enrolled devices, the users are able to install and uninstall them whenever they choose to do so.
Jan 20, 2021 Place Microsoft Intune
5.7KViews
0likes
1Comment
Re: Intune Android & iOS enrollment - need some guidance
Hi WarreVlieghe , I have just (95%) completed a rollout of Corp Android devices (COFM) and iOS Supervised Devcies. We also have enabled staff to enroll their personal devices in order to install M365 apps (only the ones we can cover with App Protection Policies) on them. This has been very successful. The most important parts are. 1. Enrollment Restrictions - Block users from enrolling Personal devices. 2. Comms and documentation showing them how to do it. Obviously you have the policies to sort, but once in place your users will be able to Register their devices to use the apps you make available to them. In both the 'Droid and iOS steps, the users will HAVE to Postpone enrollement. But when they do this, the apps you make available will be shown in the company portal. For Android they need to install the Company Portal app. This acts as a Broker app and for iOS devices, they will have to install MS Authenticator & Company Portal, but there is no need to even open the Authenticator app as it will be their broker app. Hope that helps.
Jan 18, 2021 Place Microsoft Intune
1.7KViews
1like
0Comments
Allowing Users to Remove/Uninstall Available iOS Apps
Hi All, Quick query. I have been creating a Fully Managed/ Supervised iOS build. Quite successfully, much smoother build than prior to iOS 14.x. But there is one thing I am trying to do but not even sure it is possible as yet. I have most of the M365 Apps as Required for the iOS devices. and there are a number of Available apps on offer too. The one thing that is totally different (or appears to be ) is that if an Android user installs an app available from the Corporate Android Play Store, they can uninstall it if they find they no longer require it, or for any other other reason. However, on iOS devices if a user installs an app from the Company Portal (VPP) then once it is installed there is no 'local' option to Uninstall or Remove it. In the image, Fig 1 is a personal registered iPhone 7 as you can see the BBC News app, when long pressed gives you the option to Remove App. Where in Fig 2 is a Corporate Managed/Supervised iPhone 7, the option Remove App is not available. I have gone through the Restriction and Features Configuration Profiles and enabled or disabled the obvious; but no joy. Obviously I can create uninstall groups for each app and then add users to these groups when they need something uninstalled, but that is a major overhead and I have not included that in the cost model going forward. Any ideas?
Jan 18, 2021 Place Microsoft Intune
Intune Company Portal
iOS 14
Managed Apps
6.1KViews
1like
3Comments
Re: Modifying NTFS Permissions Using the NTFSSecurity Module
Hi farismalaeb, I have tested your script and with a few modifications to suite our environment IT WORKS!!! Thank you so much , just 4 or 5 lines added to my script and its works. Here is a sample of the script that just does the top layer where it is a root inheritance parent folder. Import-Module ActiveDirectory $ExcludedPaths = @() $ForUser = "MoZZa" $AnalysePath = "\\Contoso\X$\Shared\Some\Data\Here" $ExcludedPaths = @('\\Contoso\X$\Shared\Some\Data\Here\Dont\Change\This\Path','\\Contoso\X$\Shared\Some\Data\Here\Dont\Change\This\Path\Either') #Place excluded paths here '\\path1','path2' format $MasterACL=Get-Acl -Path $AnalysePath ForEach($Master in $MasterACL.Access){ if ($Master.IdentityReference -notlike "BUILTIN\Administrators" -and $Master.IdentityReference -notlike "Contoso\Domain Admins" -and $Master.IdentityReference -notlike "Contoso\Domain Users" -and $Master.IdentityReference -notlike "CREATOR OWNER" -and $Master.IdentityReference -notlike "NT AUTHORITY\SYSTEM" -and $Master.IdentityReference -notlike "BUILTIN\Users" -and $Master.IdentityReference -notlike "Contoso\Backup Users" -and $Master.IdentityReference -notlike "Contoso\SCCM Blah Blah" -and $Master.IdentityReference -notlike "S-1-5-21-*" -and $Master.FileSystemRights -notlike "Delete, ReadAndExecute, Synchronize" -and $Master.FileSystemRights -notlike "ReadData, ExecuteFile, Synchronize" -and $Master.FileSystemRights -notlike "ListDirectory, Traverse, Synchronize" -and $Master.FileSystemRights -notlike "Delete, Read, Synchronize" -and $Master.FileSystemRights -notlike "ReadAndExecute, Synchronize" -and $Master.AccessRights -notlike "ListDirectory, Delete, Synchronize" -and $Master.FileSystemRights -notlike "ListDirectory, ReadExtendedAttributes, Traverse, ReadAttributes, Synchronize" -and $Master.IsInherited -like $False -and $Master.FullName -notin $ExcludedPaths){ $FileSystemRights=@("Delete, ReadAndExecute, Synchronize") $AccessControlType=$Master.AccessControlType $IdentityReference=$Master.IdentityReference $InheritanceFlags=$Master.InheritanceFlags $PropagationFlags=$Master.PropagationFlags $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($IdentityReference, $FileSystemRights,$InheritanceFlags, $PropagationFlags, $AccessControlType) # This folder only $MasterACL.SetAccessRule($rule) Set-Acl -Path $AnalysePath -AclObject $MasterACL } I have also created a GUI version. I will upload those tomorrow. They make it easier for the 1st support team to run the analysis script without having any PS knowledge. Many thanks again!!!!!
Dec 11, 2020 Place Windows PowerShell
24KViews
0likes
1Comment
Re: Modifying NTFS Permissions Using the NTFSSecurity Module
Hi farismalaeb , Many thanks for thanks, I will give it a go in my test environment and get back to you. Thank you so much for your feedback!!!!!
Dec 07, 2020 Place Windows PowerShell
24KViews
0likes
0Comments
Re: Modifying NTFS Permissions Using the NTFSSecurity Module
Hi farismalaeb , Thank you for your reply. I can set the folders to the various options, but what I really trying to achieve is to read the current ACL Rule, reading them directly from a variable/array or csv Account Access Rights Applies to Type IsInherited InheritedFrom Contoso\TestAccount1 FullControl ThisFolderSubfoldersAndFiles Allow False Contoso\TestAccount2 Modify, Synchronize ThisFolderOnly Allow False Contoso\TestAccount3 Traverse ThisFolderAndFiles Allow False Modify any Access rights with the ability to create or modify existing files/folders and set them to ReadandExecute,Delete. BUT not to change the Applies To values, but read them straight from the existing variable/array or csv and but to reapply them exactly as they were prior to changing the Access Rights. eg Account Access Rights Applies to Type IsInherited InheritedFrom Contoso\TestAccount1 ReadAndExecute,Delete ThisFolderSubfoldersAndFiles Allow False Contoso\TestAccount2 ReadAndExecute,Delete ThisFolderOnly Allow False Contoso\TestAccount3 Traverse ThisFolderAndFiles Allow False Hope that makes it a little clearer, I basically want to feed back into the ACL rule exactly what is there, but only modify the level of access rights. Kind Regards MoZZa
Dec 02, 2020 Place Windows PowerShell
24KViews
0likes
4Comments
Modifying NTFS Permissions Using the NTFSSecurity Module
Hi All, I am hoping someone can help me crack this issue. I have been tasked with changing the Access Rights on millions of files and folders for each user/group that has access to them currently. These will be set to Read,Execute,Delete as the highest access permissions granted. Anything less than that like List or Traverse will left as is. This I can do ok with 'where-object' etc. I am using the NTFSSecurity PowerShell module. My biggest issue is that when I use Get-NTFSAccess -Path \\Folder\I\am\Checking and output to the console or OGV, I get the following headers. Account Access Rights Applies to Type IsInherited InheritedFrom Contoso\TestAccount1 FullControl ThisFolderSubfoldersAndFiles Allow False Contoso\TestAccount2 Modify, Synchronize ThisFolderOnly Allow False Contoso\TestAccount3 Traverse ThisFolderAndFiles Allow False However, if I export to csv, I get the following headers. AccountType, Name, FullName, InheritanceEnabled, InheritedFrom, AccessControlType, AccessRights, Account, InheritanceFlags, IsInherited, PropagationFlags I know the InheritanceFlags refer to the Access Rights, but is it possible when using Add-NTFSAccess to read the InheritanceFlags values as I am doing with the other values and set them so that the “applies to this folder only, this folder and files, List”, etc are not changed from their current settings. So, this: AccessControlType AccessRights Account InheritanceFlags IsInherited PropagationFlags Allow FullControl Contoso\TestAccount1 ContainerInherit, ObjectInherit FALSE None Allow Modify, Synchronize Contoso\TestAccount2 ObjectInherit FALSE None Allow Traverse Contoso\TestAccount3 ContainerInherit FALSE None Would become this: AccessControlType AccessRights Account InheritanceFlags IsInherited PropagationFlags Allow Delete, ReadAndExecute, Synchronize Contoso\TestAccount1 ContainerInherit, ObjectInherit FALSE None Allow Delete, ReadAndExecute, Synchronize Contoso\TestAccount2 ObjectInherit FALSE None Allow Traverse Contoso\TestAccount3 ContainerInherit FALSE None Or This: Account Access Rights Applies to Type IsInherited InheritedFrom Contoso\TestAccount1 Delete, ReadAndExecute, Synchronize ThisFolderSubfoldersAndFiles Allow False Contoso\TestAccount2 Delete, ReadAndExecute, Synchronize ThisFolderOnly Allow False Contoso\TestAccount3 Traverse ThisFolderAndFiles Allow False And the "Applies to" settings would not change. If I create variables from the csv for each value required At the moment when I run the script that includes Add-NTFSAccess -Path $Fullname -Account $Account -AccessRights 'ReadAndExecute,Delete' -AccessType Allow -InheritanceFlags $InheritanceFlags Everything is set to ThisFolderSubFoldersAndFiles. If I could use the -AppliesTo instead of -InheritanceFlags and feed in exactly what is already present when displaying get-NTFSAccess in the console or OGV, I think this would resolve 99% of my issues. I have looked at apps like NTFS Permission Reporter, but I am sure this should be achievable with PS. I know there must be a simple solution, (Arrays, iCacls?) but I just cannot see how to do it. Any help would be awesome!
Solved
Dec 02, 2020 Place Windows PowerShell
powershell script
27KViews
0likes
6Comments
Re: Corporate-Owned Dedicated Devices ~Android Kiosk Devices
MoZZa Hi All, I raised a call with MSFT and we have found a solution. There was an inadvertent change in the default state of the Managed Setting Icon. The previous state, when not configured' was 'False'. After the last update to the Managed Home Screen app; the default Boolean state was set to 'True' if left in a non-configured state. So now, even if you do not make use of any of the Managed Setting's options, you must add the Managed Setting to your config and then set the Boolean value to 'False', this then removes the unwanted icon from the Home Screen.
Oct 18, 2019 Place Microsoft Intune
2.1KViews
0likes
0Comments
Corporate-Owned Dedicated Devices ~Android Kiosk Devices
Hi All, Following an Android System update on a number of Samsung J6's and an update to the Managed Home Screen app. I am experiencing some "odd" results. The appearance of shortcut icons at the bottom of the screen. After another update, these disappeared, but now another icon has appeared. During the build process, towards the end, one usually gets a pop-up to request granting the Managed Home Screen app to appear on-top. tapping a sliding radio button to grant these permissions. After the Managed Home Screen update, these permissions are triggered after tapping on a Managed Setting icon on the Home Screen. This has a red dot next to it until you tap it and grant the permissions. Unfortunately it leaves the icon behind. Initially I thought it was down to the Android update as stated earlier, but 3 Android 8.0.0 devices are now displaying the icon. Has anyone else come across this, and found a solution. Cheers
Solved
Sep 20, 2019 Place Microsoft Intune
Intune
Mobile Application Management (MAM)
mobile device management (mdm)
Software Management
2.2KViews
0likes
1Comment
Re: Managed Home Screen settings for Multi-Mode Kiosk Android Enterprise
Hi andrewbk I received an update from MS informing that the issue has now been resolved! So, I restarted one of my devices and after the first reboot, the Power UI did appear..ONCE. And never again thereafter! I have replied back saying that it does not work. On a slightly related issue. Quick question, although this may just affect Kiosk devices. One of my Samsung J6's has just done a fairly lengthy system update. This has changed the Home Screen appearance, as far as adding shortcut icons to the bottom of the screen! I am about to rebuild it as a Fully Managed device to see if the same issuette appears there too. Both devices are on Android 9.0, built by KME method, System apps disabled. *****************UPDATE******************** I have rebuilt the same updated device as a Fully-Managed device and the 3 standard/default icons, Phone - Contacts - Messaging appear. So, it appears this is only affecting Kiosk devices. The icons are not active, apart from the Settings and Apps icon. Hopefully, I can hide this using a policy or config .......
Sep 20, 2019 Place Microsoft Intune
14KViews
0likes
0Comments
Re: Managed Home Screen settings for Multi-Mode Kiosk Android Enterprise
Hi andrewbk Had another update from MS, they seem to have got a step closer to resolving this, Google have a big part to play in this too.
Sep 16, 2019 Place Microsoft Intune
14KViews
0likes
0Comments
Re: Managed Home Screen settings for Multi-Mode Kiosk Android Enterprise
Hi andrewbk Cheers Andrewbk
Aug 05, 2019 Place Microsoft Intune
14KViews
0likes
3Comments
Re: Managed Home Screen settings for Multi-Mode Kiosk Android Enterprise
Hi snarkshark That definitely looks like the issue. I pointed that out to MS but the call is now nearly 4 weeks old. They have updated the Managed Home Screen app, but it is still has a non-configured LOCK_TASK_FEATURE_GLOBAL_ACTIONS. If they actually set that in the app to true, I think the power button UI should be able to appear on top of the Managed Home Screen. Thansk for the pointers SnarkShark.
Aug 05, 2019 Place Microsoft Intune
14KViews
0likes
5Comments
Re: Managed Home Screen settings for Multi-Mode Kiosk Android Enterprise
Hi All, With our older Android devices upgrading to Android 9.0 and new devices being delivered with the same. i have noticed that the power button no longer offers Power Off/on and Restart options. I cannot tell if it is just the notification pop-up that is blocked or the functionality is blocked at source. The only way, so far, to power off or restart the device; is to exit Kiosk Mode first. Has anyone found a way around this; preferably from the Intune console. Cheers
Jun 24, 2019 Place Microsoft Intune
15KViews
0likes
7Comments
Re: Managed Home Screen settings for Multi-Mode Kiosk Android Enterprise
Hi All, You can configure the Managed Home Screen from the Intune console. Go to Client Apps->App Configuration Policies-> Add a new policy, Use the Configuration Designer of JSON scripting and you will see all the available options as shown in the attachment. Some really useful settings here. After saving the policy. Assign it to the same dynamic group that the devices are added to automatically when you first created the Kiosk Enrolment Profile. Use this same method for all your apps. Not all apps will offer the same level of control/configuration; but many do. Chrome is a good example. Locking down options is very easy using the Configuration Designer. You can then export the JSON script. Hope that helps.
Jan 29, 2019 Place Microsoft Intune
16KViews
1like
0Comments
Re: Kiosk mode 1803 version, allow user to change wifi password
Hi Daniel, Thanks for the info. I will definitely try that later today. MoZZa
Nov 27, 2018 Place Microsoft Intune
13KViews
0likes
0Comments
Re: Kiosk mode 1803 version, allow user to change wifi password
Hi Daniel, What was the solution for this issue. I have just come across the same situation. Thanks
Nov 27, 2018 Place Microsoft Intune
13KViews
0likes
10Comments

Recent Blog Articles

No content to show