User Profile
r0bu
Brass Contributor
Joined Apr 12, 2019
Recent Discussions
Re: Intune Enrollment and App mgt for company iOS devices even if user is not in Active Directory
Hi Hollis255

To use dynamic groups you need Azure AD P1 (or a qualifying license such as M365 Business Premium, M365 E3 or EMS E3 - best to check https://github.com/AaronDinnage/Licensing as this will give you a great idea of where licenses sit).

MS documentation on rules for devices is here: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership#rules-for-devices

This is what my dynamic device group (Azure AD, Groups, New Group) looks like; and the query would be; iPhones would simply be (device.deviceOSType -eq "iPhone")

Hope this helps?

3.9K Views, 0 likes, 1 Comment

Re: Intune iOS App deployment confusion
Hi Bryan Hall, I've since received this response from MS support:

The reason that the application is not updating is due to the VPP handling the deployment of the Company Portal application in the profile and not Endpoint/Intune. To remedy this issue, simply deploy the VPP version of the Company portal to the devices using Device licensing in the assignment. Doing so allows Endpoint to take over update control and will force the Company portal application to update to the latest version on the devices. The assignment won't deploy the company portal to the device as it will already be deployed by the Enrollment profile/VPP, it will just handle the update.

I hope this helps?

Rob

27K Views, 2 likes, 0 Comments

Re: Intune Enrollment and App mgt for company iOS devices even if user is not in Active Directory
Hi, you can absolutely manage devices without user affinity. How are you currently enrolling devices? I would suggest using Apple Business (or School) Manager, combined with ADE (DEP) and device-assigned VPP apps. Depending on your Azure AD licensing level, you can also configure dynamic groups for devices so all iPads fall into one group and all iPhones fall into another.

Let me know if this sounds like something that would be of interest and we can chat further.

4.2K Views, 1 like, 3 Comments

Re: Microsoft Teams screen sharing issue on iOS
Hi Peter, I'm good thanks mate! No, didn't get much further with support unfortunately. I need to test again and see if it's been resolved but I'm expecting it to be a 'feature' until I can get someone in the right area (engineering) to investigate...?

3K Views, 1 like, 0 Comments

Re: Intune iOS App deployment confusion
Bryan Hall yeah, you're pretty much spot on there. User affinity is where the device is allocated to a particular user, shared devices (no user affinity) do not need to be set to kiosk (single-app) mode, this is ideal where devices are shared between multiple individuals, such as students, that require a host of applications.

No idea, currently having the same problem with Company Portal, assigning it as a required (VPP) app appears to cause a conflict/issue (check under Device-Managed Apps or Apps-Monitor-App Install Status) it does actually get the app to update. Still trying to figure out where the blame lies for this 'issue' at the moment. Technically it's a VPP app, issued from a token that is set to automatically update yet seems to be stuck at the version that was installed when the device was provisioned.

This is subjective, however I prefer to assign (to devices) any apps that are required, such as Teams or Office suite. This negates the need to issue a managed Apple ID, and removes any reliance on the end user to operate an Apple ID.

I don't believe you can assign non-VPP (or LoB apps) to a device...?

App protection policies (APP) apply to (Intune-licensed) users, these apply to MAM-aware apps regardless of app ownership. APP can be split between BYOD or Managed devices, with app configuration policies (containing the IntuneMAMUPN) being applied to managed devices.

Under App assignment use Available for enrolled devices and then (separately) implement device restrictions that would prevent users from enrolling personal devices maybe?

Hopefully these help, please feel free to ask if anything's not clear, and I'll update this if I find anything else on the company portal issue.

27K Views, 1 like, 2 Comments

Microsoft Teams screen sharing issue on iOS
Hi all! Would really appreciate some input on an issue I'm currently dealing with, this has been logged with MS support but I'm not getting very far with that at the moment.

The issue involves a specific set of circumstances that prevent a meeting organiser, and other M365 (work or school account) attendees, from being able to screen share during Teams meetings, when they, and a user with a personal Teams account, have joined the meeting via the Teams app on iPadOS or iOS.

The personal account is, however, still able to share their screen (from their iOS device) to all attendees. If the presenter was sharing their screen prior to the personal account joining then this is not interrupted and works fine too.

This does not affect (M365) attendees on the Windows 10 Teams app or when using a web browser, and they can still perform screen sharing as normal.

This has been tested on the current version of Teams available from the app store (version 2.0.18 build 1.077.2020072902) and has been tested across iOS 12.4.8, 13.6 and iOS 14.0 beta (18A5342e).

This issue can be replicated consistently and requires the use of at least 2 iOS devices.

3.7K Views, 1 like, 2 Comments

KQL to query web browsing
Hi all! My customer is looking to use MDATP for web content filtering (combination of web content filtering & CNIs, powered by MCAS (unsanctioned apps)) but has a requirement to investigate web browsing (in this example, for a particular device) and return a full URL path. I'm hoping we can achieve this without using a full on proxy solution but I'm struggling to get the information out of MDATP (or MTP).

For example I can use:

    DeviceNetworkEvents
    | where DeviceName == "client-name"
    | where InitiatingProcessFileName contains "msedge.exe"
    | project Timestamp, RemoteUrl, RemoteIP
    | sort by Timestamp desc

but RemoteURL does not show the full path.

This query does show full paths, but it only appears to work for downloads:

    DeviceFileEvents
    | where isnotempty(FileOriginUrl) and InitiatingProcessFileName == "msedge.exe" and DeviceName == "client-name"
    | project Timestamp, FileName, FileOriginUrl, FileOriginReferrerUrl, SHA1
    | sort by Timestamp desc

I think I'm asking for functionality that doesn't exist, but just wondering if I can get a sanity check or some guidance? Thanks in advance!

14K Views, 0 likes, 2 Comments