User Profile
MoZZa
Iron Contributor
Joined Nov 27, 2018
Recent Discussions
Re: Allowing Users to Remove/Uninstall Available iOS Apps
Hi Moe_Kinani, The issue here is the apps in question have always been set as Available and not Required. As with our Android apps/devices, users cannot uninstall Required apps, but can uninstall apps they have installed themselves from the Managed Play Store. I want our iOS users to have the same experience. So all Required apps are only removable from the MEMAC console (as expected) and apps that are available to them via the Company Portal for enrolled devices, the users are able to install and uninstall them whenever they choose to do so.

5.7K Views, 0 likes, 1 Comment

Re: Intune Android & iOS enrollment - need some guidance
Hi WarreVlieghe, I have just (95%) completed a rollout of Corp Android devices (COFM) and iOS Supervised Devices. We also have enabled staff to enroll their personal devices in order to install M365 apps (only the ones we can cover with App Protection Policies) on them. This has been very successful. The most important parts are:

1. Enrollment Restrictions - Block users from enrolling Personal devices.
2. Comms and documentation showing them how to do it.

Obviously you have the policies to sort, but once in place your users will be able to Register their devices to use the apps you make available to them. In both the 'Droid and iOS steps, the users will HAVE to Postpone enrollment. But when they do this, the apps you make available will be shown in the Company Portal. For Android they need to install the Company Portal app. This acts as a Broker app and for iOS devices, they will have to install MS Authenticator & Company Portal, but there is no need to even open the Authenticator app as it will be their broker app. Hope that helps.

1.7K Views, 1 like, 0 Comments

Allowing Users to Remove/Uninstall Available iOS Apps
Hi All, Quick query. I have been creating a Fully Managed/Supervised iOS build. Quite successfully, much smoother build than prior to iOS 14.x. But there is one thing I am trying to do but not even sure it is possible as yet. I have most of the M365 Apps as Required for the iOS devices, and there are a number of Available apps on offer too. The one thing that is totally different (or appears to be) is that if an Android user installs an app available from the Corporate Android Play Store, they can uninstall it if they find they no longer require it, or for any other reason. However, on iOS devices if a user installs an app from the Company Portal (VPP) then once it is installed there is no 'local' option to Uninstall or Remove it. In the image, Fig 1 is a personal registered iPhone 7; as you can see, the BBC News app, when long pressed, gives you the option to Remove App. Whereas Fig 2 is a Corporate Managed/Supervised iPhone 7, and the option Remove App is not available. I have gone through the Restriction and Features Configuration Profiles and enabled or disabled the obvious; but no joy. Obviously I can create uninstall groups for each app and then add users to these groups when they need something uninstalled, but that is a major overhead and I have not included that in the cost model going forward. Any ideas?

6.1K Views, 1 like, 3 Comments

Re: Modifying NTFS Permissions Using the NTFSSecurity Module
Hi farismalaeb, I have tested your script and with a few modifications to suit our environment IT WORKS!!! Thank you so much, just 4 or 5 lines added to my script and it works. Here is a sample of the script that just does the top layer where it is a root inheritance parent folder.

```powershell
Import-Module ActiveDirectory

$ExcludedPaths = @()
$ForUser = "MoZZa"
$AnalysePath = "\\Contoso\X$\Shared\Some\Data\Here"
# Place excluded paths here in '\\path1','path2' format
$ExcludedPaths = @('\\Contoso\X$\Shared\Some\Data\Here\Dont\Change\This\Path','\\Contoso\X$\Shared\Some\Data\Here\Dont\Change\This\Path\Either')

$MasterACL = Get-Acl -Path $AnalysePath

ForEach ($Master in $MasterACL.Access) {
    # Skip built-in/admin identities, unresolved SIDs, entries that are already
    # read-only or lower, inherited entries, and excluded paths.
    if ($Master.IdentityReference -notlike "BUILTIN\Administrators" -and
        $Master.IdentityReference -notlike "Contoso\Domain Admins" -and
        $Master.IdentityReference -notlike "Contoso\Domain Users" -and
        $Master.IdentityReference -notlike "CREATOR OWNER" -and
        $Master.IdentityReference -notlike "NT AUTHORITY\SYSTEM" -and
        $Master.IdentityReference -notlike "BUILTIN\Users" -and
        $Master.IdentityReference -notlike "Contoso\Backup Users" -and
        $Master.IdentityReference -notlike "Contoso\SCCM Blah Blah" -and
        $Master.IdentityReference -notlike "S-1-5-21-*" -and
        $Master.FileSystemRights -notlike "Delete, ReadAndExecute, Synchronize" -and
        $Master.FileSystemRights -notlike "ReadData, ExecuteFile, Synchronize" -and
        $Master.FileSystemRights -notlike "ListDirectory, Traverse, Synchronize" -and
        $Master.FileSystemRights -notlike "Delete, Read, Synchronize" -and
        $Master.FileSystemRights -notlike "ReadAndExecute, Synchronize" -and
        # Was $Master.AccessRights: Get-Acl rules expose FileSystemRights, not AccessRights
        $Master.FileSystemRights -notlike "ListDirectory, Delete, Synchronize" -and
        $Master.FileSystemRights -notlike "ListDirectory, ReadExtendedAttributes, Traverse, ReadAttributes, Synchronize" -and
        $Master.IsInherited -like $False -and
        # Was $Master.FullName: access rules have no FullName, so test the folder path itself
        $AnalysePath -notin $ExcludedPaths) {

        $FileSystemRights = @("Delete, ReadAndExecute, Synchronize")
        $AccessControlType = $Master.AccessControlType
        $IdentityReference = $Master.IdentityReference
        # Reuse the existing flags so the "Applies to" setting is unchanged
        $InheritanceFlags = $Master.InheritanceFlags
        $PropagationFlags = $Master.PropagationFlags
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($IdentityReference, $FileSystemRights, $InheritanceFlags, $PropagationFlags, $AccessControlType)
        # This folder only
        $MasterACL.SetAccessRule($rule)
        Set-Acl -Path $AnalysePath -AclObject $MasterACL
    }
}
```

I have also created a GUI version. I will upload those tomorrow. They make it easier for the 1st support team to run the analysis script without having any PS knowledge. Many thanks again!!!!!

24K Views, 0 likes, 1 Comment

Re: Modifying NTFS Permissions Using the NTFSSecurity Module
Hi farismalaeb, Thank you for your reply. I can set the folders to the various options, but what I am really trying to achieve is to read the current ACL Rule, reading them directly from a variable/array or csv

| Account | Access Rights | Applies to | Type | IsInherited | InheritedFrom |
|---|---|---|---|---|---|
| Contoso\TestAccount1 | FullControl | ThisFolderSubfoldersAndFiles | Allow | False | |
| Contoso\TestAccount2 | Modify, Synchronize | ThisFolderOnly | Allow | False | |
| Contoso\TestAccount3 | Traverse | ThisFolderAndFiles | Allow | False | |

Modify any Access rights with the ability to create or modify existing files/folders and set them to ReadandExecute,Delete. BUT not to change the Applies To values, but read them straight from the existing variable/array or csv and reapply them exactly as they were prior to changing the Access Rights. e.g.

| Account | Access Rights | Applies to | Type | IsInherited | InheritedFrom |
|---|---|---|---|---|---|
| Contoso\TestAccount1 | ReadAndExecute,Delete | ThisFolderSubfoldersAndFiles | Allow | False | |
| Contoso\TestAccount2 | ReadAndExecute,Delete | ThisFolderOnly | Allow | False | |
| Contoso\TestAccount3 | Traverse | ThisFolderAndFiles | Allow | False | |

Hope that makes it a little clearer, I basically want to feed back into the ACL rule exactly what is there, but only modify the level of access rights.

Kind Regards
MoZZa

24K Views, 0 likes, 4 Comments

Modifying NTFS Permissions Using the NTFSSecurity Module
Hi All, I am hoping someone can help me crack this issue. I have been tasked with changing the Access Rights on millions of files and folders for each user/group that has access to them currently. These will be set to Read,Execute,Delete as the highest access permissions granted. Anything less than that like List or Traverse will be left as is. This I can do ok with 'where-object' etc. I am using the NTFSSecurity PowerShell module. My biggest issue is that when I use Get-NTFSAccess -Path \\Folder\I\am\Checking and output to the console or OGV, I get the following headers.

| Account | Access Rights | Applies to | Type | IsInherited | InheritedFrom |
|---|---|---|---|---|---|
| Contoso\TestAccount1 | FullControl | ThisFolderSubfoldersAndFiles | Allow | False | |
| Contoso\TestAccount2 | Modify, Synchronize | ThisFolderOnly | Allow | False | |
| Contoso\TestAccount3 | Traverse | ThisFolderAndFiles | Allow | False | |

However, if I export to csv, I get the following headers.

AccountType, Name, FullName, InheritanceEnabled, InheritedFrom, AccessControlType, AccessRights, Account, InheritanceFlags, IsInherited, PropagationFlags

I know the InheritanceFlags refer to the Access Rights, but is it possible when using Add-NTFSAccess to read the InheritanceFlags values as I am doing with the other values and set them so that the “applies to this folder only, this folder and files, List”, etc are not changed from their current settings.
So, this:

| AccessControlType | AccessRights | Account | InheritanceFlags | IsInherited | PropagationFlags |
|---|---|---|---|---|---|
| Allow | FullControl | Contoso\TestAccount1 | ContainerInherit, ObjectInherit | FALSE | None |
| Allow | Modify, Synchronize | Contoso\TestAccount2 | ObjectInherit | FALSE | None |
| Allow | Traverse | Contoso\TestAccount3 | ContainerInherit | FALSE | None |

Would become this:

| AccessControlType | AccessRights | Account | InheritanceFlags | IsInherited | PropagationFlags |
|---|---|---|---|---|---|
| Allow | Delete, ReadAndExecute, Synchronize | Contoso\TestAccount1 | ContainerInherit, ObjectInherit | FALSE | None |
| Allow | Delete, ReadAndExecute, Synchronize | Contoso\TestAccount2 | ObjectInherit | FALSE | None |
| Allow | Traverse | Contoso\TestAccount3 | ContainerInherit | FALSE | None |

Or This:

| Account | Access Rights | Applies to | Type | IsInherited | InheritedFrom |
|---|---|---|---|---|---|
| Contoso\TestAccount1 | Delete, ReadAndExecute, Synchronize | ThisFolderSubfoldersAndFiles | Allow | False | |
| Contoso\TestAccount2 | Delete, ReadAndExecute, Synchronize | ThisFolderOnly | Allow | False | |
| Contoso\TestAccount3 | Traverse | ThisFolderAndFiles | Allow | False | |

And the "Applies to" settings would not change. If I create variables from the csv for each value required At the moment when I run the script that includes

```powershell
Add-NTFSAccess -Path $Fullname -Account $Account -AccessRights 'ReadAndExecute,Delete' -AccessType Allow -InheritanceFlags $InheritanceFlags
```

Everything is set to ThisFolderSubFoldersAndFiles. If I could use the -AppliesTo instead of -InheritanceFlags and feed in exactly what is already present when displaying Get-NTFSAccess in the console or OGV, I think this would resolve 99% of my issues. I have looked at apps like NTFS Permission Reporter, but I am sure this should be achievable with PS. I know there must be a simple solution (Arrays, iCacls?), but I just cannot see how to do it. Any help would be awesome!

Solved

27K Views, 0 likes, 6 Comments

Re: Corporate-Owned Dedicated Devices ~Android Kiosk Devices
MoZZa Hi All, I raised a call with MSFT and we have found a solution. There was an inadvertent change in the default state of the Managed Setting Icon. The previous state, when 'not configured', was 'False'. After the last update to the Managed Home Screen app, the default Boolean state was set to 'True' if left in a non-configured state. So now, even if you do not make use of any of the Managed Setting's options, you must add the Managed Setting to your config and then set the Boolean value to 'False'; this then removes the unwanted icon from the Home Screen.

2.1K Views, 0 likes, 0 Comments

Corporate-Owned Dedicated Devices ~Android Kiosk Devices
Hi All, Following an Android System update on a number of Samsung J6's and an update to the Managed Home Screen app, I am experiencing some "odd" results. The appearance of shortcut icons at the bottom of the screen. After another update, these disappeared, but now another icon has appeared. During the build process, towards the end, one usually gets a pop-up to request granting the Managed Home Screen app to appear on-top, tapping a sliding radio button to grant these permissions. After the Managed Home Screen update, these permissions are triggered after tapping on a Managed Setting icon on the Home Screen. This has a red dot next to it until you tap it and grant the permissions. Unfortunately it leaves the icon behind. Initially I thought it was down to the Android update as stated earlier, but 3 Android 8.0.0 devices are now displaying the icon. Has anyone else come across this, and found a solution? Cheers

Solved

Re: Managed Home Screen settings for Multi-Mode Kiosk Android Enterprise
Hi andrewbk, I received an update from MS informing that the issue has now been resolved! So, I restarted one of my devices and after the first reboot, the Power UI did appear..ONCE. And never again thereafter! I have replied back saying that it does not work.

On a slightly related issue. Quick question, although this may just affect Kiosk devices. One of my Samsung J6's has just done a fairly lengthy system update. This has changed the Home Screen appearance, as far as adding shortcut icons to the bottom of the screen! I am about to rebuild it as a Fully Managed device to see if the same issuette appears there too. Both devices are on Android 9.0, built by KME method, System apps disabled.

*****************UPDATE********************

I have rebuilt the same updated device as a Fully-Managed device and the 3 standard/default icons, Phone - Contacts - Messaging appear. So, it appears this is only affecting Kiosk devices. The icons are not active, apart from the Settings and Apps icon. Hopefully, I can hide this using a policy or config .......

14K Views, 0 likes, 0 Comments

Re: Managed Home Screen settings for Multi-Mode Kiosk Android Enterprise
Hi snarkshark, That definitely looks like the issue. I pointed that out to MS but the call is now nearly 4 weeks old. They have updated the Managed Home Screen app, but it still has a non-configured LOCK_TASK_FEATURE_GLOBAL_ACTIONS. If they actually set that in the app to true, I think the power button UI should be able to appear on top of the Managed Home Screen. Thanks for the pointers SnarkShark.

14K Views, 0 likes, 5 Comments

Re: Managed Home Screen settings for Multi-Mode Kiosk Android Enterprise
Hi All, With our older Android devices upgrading to Android 9.0 and new devices being delivered with the same, I have noticed that the power button no longer offers Power Off/on and Restart options. I cannot tell if it is just the notification pop-up that is blocked or the functionality is blocked at source. The only way, so far, to power off or restart the device is to exit Kiosk Mode first. Has anyone found a way around this, preferably from the Intune console? Cheers

15K Views, 0 likes, 7 Comments

Re: Managed Home Screen settings for Multi-Mode Kiosk Android Enterprise
Hi All, You can configure the Managed Home Screen from the Intune console. Go to Client Apps -> App Configuration Policies -> Add a new policy. Use the Configuration Designer or JSON scripting and you will see all the available options as shown in the attachment. Some really useful settings here. After saving the policy, assign it to the same dynamic group that the devices are added to automatically when you first created the Kiosk Enrolment Profile. Use this same method for all your apps. Not all apps will offer the same level of control/configuration, but many do. Chrome is a good example. Locking down options is very easy using the Configuration Designer. You can then export the JSON script. Hope that helps.

16K Views, 1 like, 0 Comments
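
Relating to the "Modifying NTFS Permissions Using the NTFSSecurity Module" posts above, an added example (not code from those posts or from the NTFSSecurity module) that caps explicit Allow entries at ReadAndExecute + Delete while re-applying each entry's own InheritanceFlags and PropagationFlags, so "Applies to" is preserved. It uses only the .NET access-control classes on Windows with PowerShell 5 or later; `Limit-ExplicitAccess` is a hypothetical helper name, and the sample ACL is constructed in memory with well-known SIDs.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# Added example; Limit-ExplicitAccess is a hypothetical helper name.
# Highest rights an explicit Allow entry may keep (the cap named in the posts).
$Cap = [FileSystemRights]'ReadAndExecute, Delete, Synchronize'

function Limit-ExplicitAccess {
    param(
        [Parameter(Mandatory)] [DirectorySecurity] $Acl,
        [Parameter(Mandatory)] [FileSystemRights]  $Cap
    )
    # Explicit (non-inherited) entries only; this returns a copy, so the ACL
    # can be modified while looping.
    foreach ($rule in $Acl.GetAccessRules($true, $false, [SecurityIdentifier])) {
        if ($rule.AccessControlType -ne [AccessControlType]::Allow) { continue }
        # Rights granted beyond the cap (write, change permissions, ...).
        $excess = [int]$rule.FileSystemRights -band (-bnot [int]$Cap)
        if ($excess -eq 0) { continue }      # e.g. Traverse only: left as is
        $capped = [FileSystemAccessRule]::new(
            $rule.IdentityReference, $Cap,
            $rule.InheritanceFlags,          # "Applies to" is carried over
            $rule.PropagationFlags,          # unchanged from the old entry
            $rule.AccessControlType)
        $Acl.RemoveAccessRuleSpecific($rule)
        $Acl.AddAccessRule($capped)
    }
    $Acl
}

# Constructed sample ACL, built in memory (nothing on disk is touched).
# Well-known SIDs stand in for the Contoso\TestAccount1..3 rows in the posts.
$acl = [DirectorySecurity]::new()
$sample = @(
    @('S-1-5-32-545', 'FullControl',         'ContainerInherit, ObjectInherit'),
    @('S-1-5-11',     'Modify, Synchronize', 'None'),
    @('S-1-1-0',      'Traverse',            'ObjectInherit')
)
foreach ($s in $sample) {
    $acl.AddAccessRule([FileSystemAccessRule]::new(
        [SecurityIdentifier]$s[0], [FileSystemRights]$s[1],
        [InheritanceFlags]$s[2], [PropagationFlags]::None, 'Allow'))
}

(Limit-ExplicitAccess -Acl $acl -Cap $Cap).GetAccessRules($true, $false, [SecurityIdentifier]) |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
```

Against a real folder, pass the object returned by Get-Acl to the function and write the result back with Set-Acl, after testing on a copy of the folder tree.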