I got a great question from one of my customers Andrew Mazzeo the other day, about where can you get the media for the current release of Current Branch, in case there was a need to recover the environment as the only version that seems to be available for download is 1511. After some research Andrew found the below article which I wanted to share with you all.

The following TechNet article explains that you can grab it from the CD.Latest folder and covers all the supported scenarios and prerequisites.

The CD.Latest folder for System Center Configuration Manager

You can also see the content downloaded during an update under the EasySetupPayload folder

Mac management with Intune is something that I’m asked about fairly regularly. While our support today (at time of post) is limited, it’s very simple to offer this to your users. For those without a Mac handy, I wanted to show you the enrollment process for a Mac device.

Firstly, you need to make sure iOS and Mac enrolment is enabled on your Intune tenant. This means you need a valid APN cert.

You can check via the Admin section of the Intune admin portal.

If you need instructions on how to setup iOS and Mac support, see here for more info

https://docs.microsoft.com/en-us/intune/deploy-use/set-up-ios-and-mac-management-with-microsoft-intune

Now we want to enroll my Mac device.

First, open Safari and browse to https://portal.manage.microsoft.com

Login using your Intune licensed user

You’ll be presented with a list of your enrolled devices. For my user, he doesn’t have any devices yet.

You’ll see a banner at the top of the page that says “Either this device isn’t enrolled, or the Company Portal can’t identify it. Tap Here to select a different device”

Click on the Tap Here link to begin the enrollment

You’ll be presented with an enrollment prompt. Press the Enroll button

Then confirm the enrollment by pressing Install

The Mac will then direct you over to the System Preferences to install the management profile. This workflow is required by Apple to manage the device, and is very similar to the iOS enrollment prompts.

First, you’ll be asked if you want to install the Management Profile. Select Install.

Next, you’ll be asked to confirm, this time with the Intune management URL presented to ensure you trust the management profile source. Press Install.

Once the install is complete, you’ll have a Management Profile applied in your Device Profiles. This means this device is now under the Mobile Device Management of Intune.

And if I come back to my Intune portal (https://portal.manage.microsoft.com) you’ll see that my device is now listed as a managed device.

Now any WiFi, VPN, security settings or .mobileconfig file you deploy to this Mac will receive the configuration and apply to the device.

Until next time.

Matt Shadbolt
Senior Program Manager
Enterprise Client and Mobility – Intune

A very (very) common ask from our customers is whether or not we can whitelist/blacklist apps on iOS devices.

From iOS 9.3, Apple made this option available for all Supervised devices, exposing it via the SDK and Apple Configurator.

Microsoft Intune now supports the ability to allow/block individual apps via the Show or Hide Apps feature!

The feature is very simple to use, requiring just the App name and URL or Bundle ID. You can either configure the policy in two ways:

Hide the listed apps from users, meaning the listed apps are no longer available to the end user.

Show only the listed apps to users, meaning all apps will be hidden except the apps listed.

To configure the setting, open your Intune console and browse to Policy > Configuration Policies > Add > iOS > General Configuration

Then browse to Supervised Mode and turn on the Show or Hide Apps policy.

Add the apps you want to allow/block and deploy the policy.

If users targeted by this policy don’t currently have this app installed, when they attempt to install it they will be blocked.

If users targeted by this policy do currently have the app installed, the app will disappear and will be unavailable to use at all. This includes searching for the app in Spotlight. It’s important to note that the app is not uninstalled, rather hidden from use.

Please also be aware that this feature is ONLY available for Supervised iOS devices. This means the device must be prepared using either Apple Configurator or the Apple Device Enrolment Program. Apple do not make this feature available for non-Supervised devices, so for you BYO devices, you’ll need to continue to report on compliant/non-compliant apps instead of allow/blocking.

Matt Shadbolt
Senior Program Manager
Enterprise Client and Mobility – Intune

This post introduces two topics which are all the rage at the moment – Azure Resource Manager (ARM) templates and Desired State Configuration (DSC). As I get tired of building demo labs for technical preview releases I decided to automate the build of a simple lab in Azure.

You can read more about ARM templates here – but the basic premise is that we declare the state of resources in Azure then press deploy and it goes off and builds to the exact specification. My template involves a number of components – a storage account, virtual network, public IP addresses, network interfaces and two virtual machines. One is the domain controller and one will be a primary site server. I build the template using Visual Studio because with the Azure SDK installed I get a nice JSON viewer which I can easily add resources to and set the dependencies. When I use this process – I can select to deploy a compute object and Visual Studio will also prompt me to create a storage account, a NIC and a virtual network. As the JSON file is text based I can simply copy / paste and change sections of the template to create the rest of the objects.

Using this method is how I get the basic structure of the resources for my environment. (Ignore some of the naming conventions – they need to be tidied up – see the end of this post for how you can contribute via GitHub). This is the view of resources inside the Visual Studio JSON explorer – there are variables and parameters which I use to control certain settings. You can investigate these in the project itself.

So now that I have the basic layout the fun begins – I can deploy this template time and time again with the same repeatable results. If I choose to add a new resource the deployment process will look at what is already deployed and simply add to it.

Of course having two servers that do nothing isn’t really useful – but I can use DSC to declaratively specify the configuration of these servers. DSC works on the premise that we declare what a server should look like (e.g. roles/features, registry, services, packages, 100’s more) and then write a configuration file which is pushed to the server. The way this works in Azure is we add an extension to each server – the extension contains the code and resources to configure the server. (DSC is the future of managing how a system should be created – everyone should be using it and you can read more about it here – think Compliance Settings on steroids.)

The planning process for this environment runs something like this. I need a domain controller – so I have to install some PowerShell tools, change the DNS address, install the AD tools – then promote the server to be a domain controller. There are some built in resources to modify some settings in Windows but for the majority of changes I use the modules at the PowerShell Gallery. For my domain controller I use two resources from the gallery xNetworking and xActiveDirectory. xNetworking allows me to modify the server DNS to point to itself and xActiveDirectory will turn the server into a domain controller. All of these resources are simply PowerShell modules hosted on GitHub – if you are unsure of how something works you can easily view the module contents online – and of course if it isn’t working or you can think of a better way you can contribute as well.

The basic configuration I use is below – it work from top to bottom and I specify some dependencies to make sure things run in order. The DSC engine (Local Configuration Manager – LCM) handles the reboot for me.

Configuration DCConfig

{

Param(

[string]

$NodeName = ‘localhost’,

[PSCredential]$DomainAdminCredentials

)

Import-DscResource -ModuleName PSDesiredStateConfiguration,xActiveDirectory,xNetworking

Node $nodeName

{

LocalConfigurationManager

{

ConfigurationMode = ‘ApplyAndAutoCorrect’

RebootNodeIfNeeded = $true

ActionAfterReboot = ‘ContinueConfiguration’

AllowModuleOverwrite = $true

}

WindowsFeature DNS

{

Ensure = “Present”

Name = “DNS”

}

WindowsFeature ADDS_Install

{

Ensure = ‘Present’

Name = ‘AD-Domain-Services’

}

WindowsFeature RSAT_AD_AdminCenter

{

Ensure = ‘Present’

Name = ‘RSAT-AD-AdminCenter’

}

WindowsFeature RSAT_ADDS

{

Ensure = ‘Present’

Name = ‘RSAT-ADDS’

}

WindowsFeature RSAT_AD_PowerShell

{

Ensure = ‘Present’

Name = ‘RSAT-AD-PowerShell’

}

WindowsFeature RSAT_AD_Tools

{

Ensure = ‘Present’

Name = ‘RSAT-AD-Tools’

}

WindowsFeature RSAT_Role_Tools

{

Ensure = ‘Present’

Name = ‘RSAT-Role-Tools’

}

xDNSServerAddress DnsServer_Address

{

Address = ‘127.0.0.1’

InterfaceAlias = ‘Ethernet’

AddressFamily = ‘IPv4’

DependsOn = ‘[WindowsFeature]RSAT_AD_PowerShell’

}

xADDomain CreateForest

{

DomainName = $Node.DomainName

DomainAdministratorCredential = $DomainAdminCredentials

SafemodeAdministratorPassword = $DomainAdminCredentials

DomainNetbiosName = $Node.DomainNetBiosName

DependsOn = ‘[WindowsFeature]ADDS_Install’, ‘[WindowsFeature]DNS’

}

}

}

It is reasonably easy to follow through what is happening here – I then add a DSC extension to my virtual machine and tell it to run the above configuration. There is some work involved in getting the modules uploaded during deployment however Visual Studio takes care of this for us as well. As you can now tell – using Visual Studio is the easiest way to create and deploy these templates by far!!

When I deploy this – in around 15 minutes I have a functional domain controller in my environment.

Next step is the Configuration Manager configuration. Adding all the prerequisite roles is fairly simple using the WindowsFeature DSC resource. You can view the configuration here. I use come more community resources to join the server to the domain (xComputerManagement), configure DNS (xNetworking) and configure the SQL instance (xSQLPs). For the downloads bit I have cheated a little bit – I have downloaded the ADK, CM prerequisite downloads, technical preview bits and an unattended installation file – then zipped them up and added them to a storage account so I can access them during the configuration. I download them from Azure storage using a Script DSC resource – basically this allows me to execute any PowerShell code within my configuration. Each of these is then unpacked using the Archive DSC resource. I also use this resource to create the System Management container and extend the AD schema. Some other notes about the SQL installation – when you use the SQL marketplace image in Azure it will configure a default instance for you however it can only be accessed by a local administrator account. I use the SQL resource to add a new instance and then stop the default instance so I can add my administrator account as a sysadmin.

The overall process for this configuration is: –

1. Point the DNS settings to my new domain controller
2. Join to the domain
3. Install .NET 3.5 (for SQL)
4. Install the new SQL instance
5. Stop the services for the default instance
6. Configure the SQL TCP ports
7. Install a whole bunch of features (IIS, RDC, BITS, WSUS etc.)
8. Download, unpack and install the ADK
9. Download and unpack the CM technical preview binaries
10. Download and unpack the CM prerequisites files
11. Download the unattended installation file
12. Extend the AD schema
13. Configure WSUS (post installation)
14. Create the System Management container in AD
15. Install Configuration Manager using the unattended installation file.

All I do now is ensure the DSC resources are placed in my staging folder for the Visual Studio project – then right click on the project and deploy it. Visual Studio will prompt me for the parameter entries and also for another storage account to store the project and resources during the build. I have to create a resource group to install the machines into as well.

So clone my project – start deploying and feel free to raise any issues via GitHub and I can work on them. Have fun – using templates and DSC is the future of infrastructure!

Beginning with Configuration Manager current branch, version 1602 it is now possible to see a list of active connected Configuration Manager consoles. At this stage there is no built in way of seeing historical information, but you could archive the information periodically using PowerShell if that is the sort of information you are looking for.

The active list of consoles connected can be viewed by querying the v_CMConsoleUsageData table in SQL.
Select * from v_CMConsoleUsageData

Here is an example of the information provided:

There is a corresponding SMS Provider WMI class called SMS_ConsoleUsageData, but querying this object currently returns no results.

Given the data is available in the database via SQL, you have plenty of options for querying and displaying the information including SQL Management Studio, SQL Reporting Services, or PowerShell. I’ve done up a quick PowerShell script to query and display this information if you are interested. The ConsoleConnectTime attribute is stored in UTC format, so my script adds a new attribute called ConsoleConnectTimeLocal which is converted to the time zone of the computer the script is running from.

Download the script here: Get Configuration Manager Connected Consoles (Script)

Example command line:

Example output:

To MDM enrol a Windows 10 device, the end user must manually run the enrollment wizard. To do this, your users must go

Settings > Accounts > Access Work or School > Enroll only in device management

The alternative option since Windows 1607 is to use a URI.

You can email the following URL as a hyperlink to your end users, and they’ll be taken directly to the enrollment wizard:

ms-device-enrollment:?mode=mdm

For example, I’ve created a hyperlink that you can click and test

Click here to launch Intune enrollment!

You’ll be prompted to enter your work or school credentials, and the MDM enrollment will be initiated.

This should make the enrollment process much easier for your end users!

Until next time.

Matt Shadbolt
Senior Program Manager
Enterprise Client and Mobility – Intune

Back in May, Microsoft started on a journey of simplifying and improving servicing for Operating Systems prior to Windows 10. These changes apply to Windows 7 SP1, Windows 8.1, Windows Server 2012 and Windows Server 2012 R2.

References:

• More on Windows 7 and Windows 8.1 servicing changes
• A Bit About the Windows Servicing Model
• Configuration Manager and Simplified Windows Servicing on Down Level Operating Systems

What’s changing?

Since the original announcement in May up until now, Microsoft has released individual security updates and a monthly rollup pack with non-security updates. Individual security updates allowed organisations to apply only security updates that they believed were applicable based on internal processes. In reality, most organisations applied all security updates to meet compliance requirements.

From Patch Tuesday in October 2016, there will be 3 update types released for each Windows version and architecture. The updates are described in the table below:

Graphically, this is how updates are changing (a lock is a security fix and a settings cog is a reliability or bug fix).

Graphical Representation of Changes to Servicing

The updates will have names of the format:

Here is a screenshot of the updates released this month for Windows 7:

October 2016 Windows 7 Updates

What does this mean for you as a Configuration Manager admin?

There are no updates required for Configuration Manager or WSUS. For organisations or groups within organisations that only want to apply security updates, security-only updates can continue to be applied. As before, if the update causes a problem the update can be removed until the issue is resolved. If the issue is related to the fix itself, a case should be logged with Microsoft.

The Configuration Manager and Simplified Windows Servicing on Down Level Operating Systems post on the Enterprise Mobility + Security blog gives a great explanation of how to modify ADRs to cater for the new update format.

What does the future hold? (Other than consistently patched Windows devices everywhere)

Over the next 18 months, Microsoft will continue to evaluate previous security and non-security updates and include them in then monthly hotfixes. Any update added to the rollups will be documented in the corresponding KB article.

While this all sounds very scary, it’s actually really great. Simplifying servicing is a win for everyone. Less complexity, less updates, faster installation and Operating System build times.

Call to Action

1. Review and change ADRs as relevant.
2. Implement processes to test the new rollup updates and fit them into your patching cycles.
3. Follow Enterprise Mobilty + Security and Windows 10 for IT Pros for updates.

This post provides a summary of the URLs required for Configuration Manager current branch to provide resources that require Internet access. Because Configuration Manager relies on other components, it can be difficult to find a single source of URLs required. Software Updates rely on Windows Server Updates Services (WSUS) and the Service Connection Point uses Intune and other online services.

The features of Configuration Manager that require Internet access are:

• Asset Intelligence Synchronisation Point;
• Configuration Manger Console (pending investigation);
• Cloud Distribution Points (pending investigation, initial URLs added);
• Software Update Point (SUP);
• Windows Store for Business;
• Intune Subscription;
• Service Connection Point.

Configuration Manager URLs

The table below contains a list of URLs required by Configuration Manager components to connect to the Internet. If I’ve missed anything, please let me know by leaving a comment and I’ll update it ASAP!

Information Sources

The information above is collected from the following articles and random experience:

• Configure WSUS
• Network infrastructure requirements for Microsoft Intune
• Manage Office 365 client updates with System Center Configuration Manager
• Service Connection Point Internet Access Requirements
• Proxy server support in System Center Configuration Manager

Last update: 13th October 2016

• 4th May 2016 – Added Cloud Distribution Points
• 23rd May 2016 – Added Office 365 Client Software Updates
• 7th June 2016 – Microsoft has published requirements for a Service Connection Point
• 13th October 2016 – Included Windows Store for Business

One of the most common discussions I have with customers is how does an IT Pro ensure that corporate data is only being accessed by approved, managed applications.

Intune Mobile Application Management (MAM) provides a rich set of Data Loss Prevention (DLP) features that ensures no corporate data is leaked outside of the corporately managed apps. The Outlook app for iOS and Android is by far the most popular MAM enabled app, as it provides the most secure and user-friendly experience for accessing Exchange Online.

But how does an organization restrict access to their Exchange Online data to only the Outlook protected app?

Traditionally, we’ve had some very complex solutions utilizing Exchange Allow/Block/Quarantine (ABQ) rules and ADFS claim rules to ensure users can only use the Outlook app. ABQ rules to restrict the client, and ADFS claims to restrict the authentication method, for example.

This month, we released a new feature which will simplify this ask a whole lot – Conditional Access for MAM.

CA for MAM will allow an IT Pro to restrict Exchange Online to only the MAM enabled apps for iOS and Android. All other third party clients (for example, the native e-mail apps on iOS/Android) will not be able to connect to Exchange Online.

The feature is available for MAM Without enrollment (MAMWE), meaning your devices don’t even need to be enrolled to enable this functionality.

In the new Intune Portal, you’ll see a new blade called Conditional Access

Select the Exchange Online option to expand out the options.

Here you can set up which apps can access the data, and which users are/aren’t targeted by the policy.

Select Allowed apps to configure the policy setting.

Select Allow apps that support Intune app policies and press Save

Then target the Restricted user groups with your desired AAD group

And you’re done! The users in the targeted AAD group will now be required to install the Outlook app to access their Office 365 e-mail.

There are some minor prerequisites you should be aware of. For the MAM CA to work, iOS users must have the Microsoft Authenticator app installed and logged in and Android users must have the Company Portal app installed and logged in. If the users do not have these apps installed, they will be prompted to install them before e-mail access is granted.

Also note that for Device CA targeted users (traditional CA), if a user is targeted for both policies the compliance is determined in a logical OR.

For example, if the device is managed by Intune and CA compliant the device will have full e-mail access, including the native EAS mail apps. OR, if the device is not managed but has the Outlook app it will have full access via the Outlook app only. This is really a very good experience for BYO vs COD scenarios, where we’d enroll a corporate owned device, but require Outlook and MAM for a personally owned device.

Keep your eye on Twitter (@ConfigMgrDogs) for notifications of when MAM CA will be available for SharePoint online too!

Matt Shadbolt

Senior Program Manager
Enterprise Client and Mobility – Intune

After installation of a new Windows 7 machine with the newest version of the Windows Update Agent installed, the Software Updates scan initiated from Configuration Manager would fail with the error 80072ee2 (which translates to Connection Timeout).

Check the Basics

C:\Windows\windowsupdate.log:

WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
WARNING: Send failed with hr = 80072ee2.

First, ensure all your settings are correctly applied to the computer:

• Confirm that your Software Update Point (SUP) is correctly registered in the registry:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

Values WUServer and WUStatusServer should both match the correct URL and port of the WSUS web site (eg. http://server.fqdn:port).

• Verify that the client can connect to the WSUS web site by opening a browser and navigating to http://server.fqdn:port/SimpleAuthWebService/SimpleAuth.asmx (replacing server.fqdn with your server fully qualified domain name and replacing port with the port you have WSUS configured to operate on).

In my case, the client configuration was correct and it was successfully able to communicate with the WSUS server web site. The issue was the Application pool for WSUS running out of memory and recycling while the client was waiting for response from the server.

Additional Troubleshooting

Check the event log of the server hosting the Software Update Point (and Windows Server Update Services).

Event 1:

Log Name: Application
Source: ASP.NET 2.0.50727.0
Event ID: 1309
Task Category: Web Event
Event code: 3001
Event message: The request has been aborted.
Exception type: HttpException
Exception message: Request timed out.

Event 2:

 Log Name: System
Source: Microsoft-Windows-WAS
Event ID: 5117
Description includes: WsusPool 

Solution

If you are encountering Event ID 1309 in the Application log at around the same time as event ID 5117 in the System log, you most likely need to increase the memory allocated to the WSUS Application Pool in IIS. To do that, follow the steps in http://blogs.technet.com/b/configurationmgr/archive/2015/03/23/configmgr-2012-support-tip-wsus-sync-fails-with-http-503-errors.aspx.

After increasing the memory, the new clients were successfully able to scan for and apply updates!

I can only assume that the existing client I tested was working because it required less information from the WSUS server web application, while the new client required an entire catalog.

The take away of this post: monitor your servers event logs!

Also make sure your clients have up to date Windows Update clients. See Windows 7 Stuck on Checking for Updates for more troubleshooting and solutions.

When creating a Universal Windows Platform (UWP) app, there are three basic dependencies that are included in even the most simplest of apps. If your app is more complex (which it most likely is!), there may be many external dependencies required for the app to run.

If you don’t install these dependencies prior to installing your UWP app, the app install will fail.

I’ve got a UWP app that is literally just an empty UWP project. I’ve created an appxbundle via Visual Studio.

Now, if I attempt to install this package on a new Windows 10 device, I’ll get some dependency errors and the install will fail with

Add-AppxPackage : Deployment failed with HRESULT: 0x80073CF3, Package failed updates, dependency or conflict
 validation.

You can see the dependency is the Microsoft.NET.Native.Framework.1.3 package

If you browse back to your app package source, you’ll find a folder called Dependencies. Inside this folder, you’ll find the appx files that are required for your .appxbundle to run successfully

As you can see, the Microsoft.NET.Native.Framework.1.3.appx file is present. This is the dependency we need for our SimpleApp to run.

So, how do we ensure these dependencies are installed when deploying a UWP app via Microsoft Intune?

Thankfully, it’s quite easy!

The trick is to upload the .appxbundle from the folder that Visual Studio outputs it by default – ensuring the .\Dependencies folder is present too

So, in Microsoft Intune we’re going to add the .appxbundle from exactly this location.

During the upload process, you’ll notice that the upload is much bigger than the .appxbundle created. In fact, its almost 11MB larger than the 849KB .appxbundle file we selected.

I’ve deployed the app and it’s now available in the Company Portal on my Windows 10 test machine.

I’ll run the setup, and a few minutes later the install was successful!

AND, you can see the correct dependencies have been installed

Happy deploying!

Matt Shadbolt

Senior Program Manager
Enterprise Client and Mobility – Intune

Further to my recent post about Changes to Software Updates on Down Level Operating Systems for ConfigMgr Admins there has been some changes to how the updates are superseded based on feedback for Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. The official update is explained here More on Windows 7 and Windows 8.1 servicing changes.

UPDATE – there has been some misunderstanding about this post. Note that the way updates are bundled has not changed – simply the way they are superseded which affects the way they can be applied using WSUS or Configuration Manager. See More on Windows 7 and Windows 8.1 servicing changes for details of those changes.

Last month when updates were released, contrary to expectation of organisations using WSUS or Configuration Manager;

• The Security Only Quality Update for October was superseded by the November Security Monthly Quality Rollup for November
• The Security Only Quality Update for November was also superseded by the November Security Monthly Quality Rollup for November

Visually, this was the supersedence relationship for updates last month (red are superseded):

November Update Supersedence Relationships

This resulted in customers using WSUS or Configuration Manager 2007 being unable to deploy Security Only Quality Updates using the built in software update mechanisms without additional workarounds.

• Configuration Manager and Simplified Windows Servicing on Down Level Operating Systems
• Deploying Superseded Down Level Windows Updates with Microsoft Configuration Manager 2007

Based on feedback, the team has updated the supersedence relationship of updates so that Security Only Quality Updates are not superseded. In addition, the logic of the updates has been modified so that if the Monthly Quality update is installed (which contains the security updates), the security update will not be applicable. This allows organisations managing updates via WSUS or Configuration Manager to:

• Selectively install Security Only Quality Updates (bundled by Month) at any time
• Periodically deploy the Security Monthly Quality Rollup and only deploy the Security Only Quality Updates since then, and;
• More easily monitor software update compliance using Configuration Manager or WSUS.

An update to previous Security Only Quality Updates will be released as meta data only for the changes to take effect which will require a Software Update (or WSUS) synchronisation.

Visually, this is the new supersedence relationship as of December (red are superseded):

December Update Supersedence Relationships

A very (very) common ask from our customers is whether or not we can whitelist/blacklist apps on iOS devices.

From iOS 9.3, Apple made this option available for all Supervised devices, exposing it via the SDK and Apple Configurator.

Microsoft Intune now supports the ability to allow/block individual apps via the Show or Hide Apps feature!

The feature is very simple to use, requiring just the App name and URL or Bundle ID. You can either configure the policy in two ways:

Hide the listed apps from users, meaning the listed apps are no longer available to the end user.

Show only the listed apps to users, meaning all apps will be hidden except the apps listed.

To configure the setting, open your Intune console and browse to Policy > Configuration Policies > Add > iOS > General Configuration

Then browse to Supervised Mode and turn on the Show or Hide Apps policy.

Add the apps you want to allow/block and deploy the policy.

If users targeted by this policy don’t currently have this app installed, when they attempt to install it they will be blocked.

If users targeted by this policy do currently have the app installed, the app will disappear and will be unavailable to use at all. This includes searching for the app in Spotlight. It’s important to note that the app is not uninstalled, rather hidden from use.

Please also be aware that this feature is ONLY available for Supervised iOS devices. This means the device must be prepared using either Apple Configurator or the Apple Device Enrolment Program. Apple do not make this feature available for non-Supervised devices, so for you BYO devices, you’ll need to continue to report on compliant/non-compliant apps instead of allow/blocking.

Matt Shadbolt
Senior Program Manager
Enterprise Client and Mobility – Intune

A very (very) common ask from our customers is whether or not we can whitelist/blacklist apps on iOS devices.

From iOS 9.3, Apple made this option available for all Supervised devices, exposing it via the SDK and Apple Configurator.

Microsoft Intune now supports the ability to allow/block individual apps via the Show or Hide Apps feature!

The feature is very simple to use, requiring just the App name and URL or Bundle ID. You can either configure the policy in two ways:

Hide the listed apps from users, meaning the listed apps are no longer available to the end user.

Show only the listed apps to users, meaning all apps will be hidden except the apps listed.

To configure the setting, open your Intune console and browse to Policy > Configuration Policies > Add > iOS > General Configuration

Then browse to Supervised Mode and turn on the Show or Hide Apps policy.

Add the apps you want to allow/block and deploy the policy.

If users targeted by this policy don’t currently have this app installed, when they attempt to install it they will be blocked.

If users targeted by this policy do currently have the app installed, the app will disappear and will be unavailable to use at all. This includes searching for the app in Spotlight. It’s important to note that the app is not uninstalled, rather hidden from use.

Please also be aware that this feature is ONLY available for Supervised iOS devices. This means the device must be prepared using either Apple Configurator or the Apple Device Enrolment Program. Apple do not make this feature available for non-Supervised devices, so for you BYO devices, you’ll need to continue to report on compliant/non-compliant apps instead of allow/blocking.

Matt Shadbolt
Senior Program Manager
Enterprise Client and Mobility – Intune

Hi All

Last week I presented a session at Ignite 2017 (YouTube link) here on Enterprise Automation-Unplugged. In this session I demonstrated how you can still call an Orchestrator Runbook from Azure Automation and get data returned back. This will allow you to start working in Azure Automation and still keep and make use of any complex Runbooks that reside in Orchestrator today.

As promised I have put the script from my demonstration on Github.

https://github.com/sympa18/Start-SCORCHRunbookReturnData

To see it running open the video from my session link above and you can go to

49:30 Explanation of Demo Visual

52:07 Start of Demonstration component and script explanation

1:00:25 Demo completed

Prerequisites

• Import the OrchestratorService.zip PowerShell module into Azure Automation and on any Hybrid Workers you intend to use.
• Create a Variable in Azure Automation with your Orchestrator Server name
• Create a Credential in Azure Automation with appropriate access to Orchestrator

On line 36 replace SERVERNAME with the Variable you created

$SCOserverName = Get-AutomationVariable -Name “SERVERNAME”

On line 37 replace AACREDENTIALNAME with the Credential name you created
$PSCredName = “AACREDENTIALNAME”

As always make sure you test out your scripts in a Dev or Test environment first.

I hope this helps you out

Really quick one for y’all today. Working with Intune, I’ve found myself becoming a bit of an Exchange SME. Blocking email, authentication types, EAS vs EWS, the list goes on.

Anyway, I find myself having to query Exchange Online configuration all the time.

Here’s a three line PowerShell script that will connect you to your Exchange Online tenant and allow you to use any of the Exchange Cmdlets

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

Run this and you can then start working with Exchange Online from the console!

Matt Shadbolt
Senior Program Manager
Enterprise Client and Mobility – Intune