What are /r/Intune's favorite Products & Services?

From 3.5 billion Reddit comments

I have case with Microsoft on this. We have found that with app protection policies turned on the link has to be in the gmeet://xxx-xxxx-xxx format. So the work around is educate anyone sending the link out to send it in 2 formats. meet.google.com/xxx-xxxx-xxx and also gmeet://xxx-xxxx-xxx . This is not ideal. I'm pushing back on Microsoft to fix this since it works without APP enabled. Also to note the gmeet://xxx-xxxx-xxx format only work on IOS...it doesn't work in Android or Web/Desktop access. If I get any further I'll share.

I got started with this, it is a great book.

MDM: Fundamentals, Security, and the Modern Desktop: Using Intune, Autopilot, and Azure to Manage, Deploy, and Secure Windows 10 https://www.amazon.com/dp/1119564328/ref=cm_sw_r_apan_glt_fabc_H5RTPXYAPQJWME0KZ07Y

Scott Duffey was our guest for this episode. He recently released a new book and is giving away 3 free copies. Comment on the video by June 30, 2021 to be entered to win. We will randomly select 3 winners from the comments.

His book: Learning Microsoft Endpoint Manager: Unified Endpoint Management with Intune and the Enterprise Mobility + Security Suite https://www.amazon.com/dp/0645127906

Also, check out the new Filters feature in Intune. It’s a game changer!

https://docs.microsoft.com/en-us/mem/intune/fundamentals/filters

Buy this book. Scott Duffey is a Microsoft employee and this is a great book. NOTE: I'm not him and I make no cash from this. I'm an M365 consultant who used this book and it's really easy to work through.

Remarkable seem cool, esp now that they'd dialed back their subscription policy. Have you compared to the new Kindle Scribe? We assign iPad and Apple Pencil, but a few users have expressed interest in Remarkable.

Download package name viewer 2.0 (app store) on each different device and search for camera and gallery. The name is different based on the model. Struggled with a TCL device on kiosk mode.

Link: https://play.google.com/store/apps/details?id=com.csdroid.pkg

Hope this help

Thanks,
After enabling the configuration profile I could search for contacts in the work profile from the personal profile.

But a disadvantage is that I have to search for contacts, I cannot get a list of contacts and scroll.

I tried this app that seems to fix that, but it's only one way sync.
https://play.google.com/store/apps/details?id=com.zaanweg.synccontacts

It happened to us where a batch of HP laptops came with ExpressVPN installed, and something happened with that and after autopilot deployment and first logon all networking stopped - LAN and Wi-Fi both broken.

go to the web based playstore and search for the app.

at the address bar, after "id=" is the package name.

https://play.google.com/store/apps/details?id=com.x8bit.bitwarden

package name: com.x8bit.bitwarden

I can't speak to what may be your issue but I just finished deploying AOVPN and found this book invaluable.

​

https://www.amazon.com/Implementing-Always-VPN-Mobility-Microsoft/dp/1484277406

https://blueos.tech/backup-and-restore-google-chrome-offline/how-to-backup-and-restore-google-chrome-profiles-settings-extensions-bookmarks-passwords-logged-websites/

Download Backup and Restore Google Chrome Offline from [ Microsoft Store Website -https://www.microsoft.com/store/apps/9N0LRCXDW2ZM ] [ Microsoft Store Store App - ms-windows-store://pdp/?productid=9N0LRCXDW2ZM]

You just need to create a backup file on the old computer and restore the backup on the new computer. The following shows the advanced features of Backup and Restore Google Chrome Offline

- Backup and restore all bookmarks, cached, cookies, history, settings, etc.

- Backup and restore all Accounts and Passwords

- Backup and restore all Profiles

- Backup and restore all Extensions

- Backup and restore all logged in website and extension includes Facebook, Google Account, Metamask wallet

- Backup and restore your latest working sessions

- Work Offline, No Internet requirement, Keep it in your way.

I’ve never used Intune for mobile device management, outside of laptops - so take my suggestion with a grain of salt, but have a look at ScaleFusion . I used to setup tablets to be used in prisons and this was my go-to

Yeah I changed it to run from the WindowsApps folder because some apps like 7-zip won't install if they're run from a user context which is what winget defaults to. I found a comment from rothgecw in this thread where she explains how to call winget using the system account. If you install it using the system account then all users can use it, and so far it seems that apps that are user profile specific, like Slack, also seem to install under the system context.

The detection script is where I ran into some issues. I wasn't able to use winget in the system context to detect whether a program was installed. So I have it checking the uninstall registry folder, and the Installer registry folder. Most apps seem to have some data stored in one of those two places but I've only tested the 21 programs we have deployed through winget.

For the deployment failure it might be a bit of a cascading failure from those weird spaces from winget show. I'm still pretty new to powershell so I'm struggling a bit to clean up the results from winget show and get them into a usable format. Right now I'm creating a custom psobject and adding the output to that, but I might look into a different way of porting that information into the form.

Hey I wanted to follow up on this and say we ended up running into the same issue. rothgecw ended up finding the solution that worked for us

https://github.com/microsoft/winget-cli/discussions/962#discussioncomment-1561274

I deploy using a script:

# start logging to TEMP in file "scriptname".log
Start-Transcript -Path "$env:TEMP\$($(Split-Path $PSCommandPath -Leaf).ToLower().Replace(".ps1", ".log"))" | Out-Null
###Code goes here

#CptHost.exe runs when meeting is running
Wait-Process -Name CptHost -ErrorAction SilentlyContinue
$zoommsi = "https://zoom.us/client/latest/ZoomInstallerFull.msi"
$outFile = "$env:TEMP\ZoomInstallerFull.msi"
$msilog = "$env:TEMP\ZoomMSI.log"
    (New-Object System.Net.WebClient).DownloadFile($zoommsi, $outFile)
Start-Sleep -Seconds 20
if (Test-Path $outFile)
    {
Write-Host "Zoom installer present"
$arguments = @(
"/package"
"\"$outFile`"" "/norestart" "/quiet" 'ZSSOHOST="zoomhostname"' 'ZoomAutoUpdate="true"' 'ZSILENTSTART="true"' 'ZConfig="nogoogle=1;nofacebook=1;login_domain=domain.com;AddFWException=1"'         ) Start-Process msiexec -ArgumentList $arguments -wait -PassThru Start-Sleep -Seconds 20 Remove-Item $outFile Write-Host "Removed zoom installer."     } else     { Write-Host "zoom installer failed to download"     }`

Stop-Transcript | Out-Null

Yeah, I've posted it in like every second post I make on r/Intune or r/macsysadmin. 🙂

I use iMazing Profile Editor to make macOS or iOS/iPadOS config files that I then upload as custom device configurations into Intune. iPE also supports making config profiles for third-party macOS apps like Web browsers and other utilities.

Since iPE is on both the Microsoft and Mac App Stores, I added both versions to my Intune app list so my colleagues can get the app from Company Portal.

In iPE, or Apple Configurator 2, you'll see that every setting is part of a category, or payload. Even if 2 config profiles don't touch the same individual setting but do use the same payload, Intune will fail to apply both profiles. So, I recommend one or two payloads per config file tops.

My biggest issue with Intune and Apple devices is just the lack of user documentation. You can find previous posts of mine where I'm just running into errors that have so few results online. It's pretty clear that the Apple die hards are using Jamf, and most Intune Apple users are using it because their company won't shell out for another tool. That said, I've whipped my Intune environment into pretty good shape.

here are two books I found quite useful. both are written by current Program Managers at Microsoft. and I see people have already mentioned the Intune.Training YouTube channel - an absolute must for anyone gettint started with Intune.

https://www.amazon.com/Learning-Microsoft-Endpoint-Manager-Management/dp/0645127906

https://www.amazon.com/Mastering-Microsoft-Endpoint-Manager-physical/dp/1801078998

This is the app you want - https://play.google.com/store/apps/details?id=com.microsoft.launcher.enterprise

Once you have that in your app list in Intune, assign it as required to your kiosk devices. If you've already configured your kiosk profile with the apps then you'll see those apps in the managed home screen and nothing else.

Based as I know, when "Enable Firewall" is set as "Not configured", it will keep using the default value on the device. As in previous, the firewall is already enable. So when we change the setting to not configured, it is still enabled on the device side. So I think we need to manually turn off the Firewall or maybe we can try to do it via script:

https://www.hexnode.com/mobile-device-management/help/script-to-enable-disable-firewall-in-macos-devices/

If you want to move devices to full AAD without a wipe, I recommend using http://www.forensit.com/domain-migration.html. I've used it to migrate machines in a number of scenarios where wiping machines wasn't feasible.

Why don't you use a custom configuration profile for this, I've shared this before as I think it's an amazing resource made for free. It lets you configure mobileconfig profiles that you can then deploy via Intune:

https://imazing.com/guides/how-to-create-or-edit-apple-configuration-profiles

You'll need to make a custom profile with an external tool rather than Intune because yeah, Intune's macOS and iOS policies are very limited. Most of my iOS and macOS policies are configuration profiles made with another tool and uploaded to Intune as a custom profile. The downside of a custom profile is that you don't get per setting fail/success reports, and if two custom profiles attempt to change the same setting, both profiles will fail to apply until it's resolved. I recommend one payload set per configuration profile.

If you don't have a Mac with Apple Configurator 2, then download iMazing Profile Editor and make a VPN profile with that, then upload the .mobileconfig file to Intune as a custom profile type.

Veeam Endpoint Backup 1.1 is quite old, it seems that it has been replaced by the Veeam Agent for Windows?

If you switch to Veeam Agent, maybe use https://chocolatey.org/packages/veeam-agent/#files to determine command line options of:

VeeamAgentWindows_4.0.1.2169.exe /silent /accepteula /acceptthirdpartylicenses

Until iOS13.3, I always had the problem ''Profile Installation Failed, The Microsoft.Profiles.MDM must be installed interactively''. A lot of times.

​

So I called Apple, they told me that the problem is solved with iOS.13.3.1.

​

I haven't had the opportunity to test with iOS 13.3.1

​

Has anyone experienced a problem with iOS 13.3.1?

​

I expect a migration of 1400 devices. I really hope that this problem will be officially fixed.

​

Thank you

​

Translated with www.DeepL.com/Translator (free version)

Slack offers MSI packages for user or machine wide deployment. Give that a shot if you have no objection.

https://slack.com/help/articles/212475728-Deploy-Slack-via-Microsoft-Installer

You cannot be enrolled in two different MDMs at the same time. However, you need not be enrolled in Intune in order to avail conditional access.

Intune’s MAM supports two configurations. One with the native MDM and the other where the devices could be enrolled using third-party EMM providers and yet implement Intune’s MAM functionalities. This way, you can use Intune’s MAM feature and protect sensitive corporate data by treating the devices like BYOD and also use MobileIron’s MDM to manage the devices. However, it is always advisable to pick the best single solution for your organization.

PS: Conditional access requires an Azure AD Premium P1 license. Multiple sources are giving me conflicting answers on whether an EMS E3 license includes a P1 license. So, it would be better to check on that too.

Unfortunately, I don’t think silent migration is really possible.

However, I found this IBM MaaS360 migration doc by Hexnode. It is pretty well written and detailed, and I hope it answers all your queries.

Alternately, if your devices are DEP enrolled, you can switch the device management server directly from the ABM portal.

It is worth noting that the server to which the devices are to be assigned or reassigned should be already linked with ABM using a secure token for this method to be feasible.

PS: The devices still need to be wiped.

Reading the conversation, Intune seems to complicate things a bit. Hexnode UEM too supports Windows kiosk modes. To answer your questions-

1. You can use the Quick Assist app to remotely view and control the Windows device from kiosk mode. You won't be able to switch between accounts, but you can remotely administer using the CMD prompt and admin privilege. Once you give the admin password, you can successfully launch tasks in administrator mode from the user account.
   Hexnode too supports ‘remote view’ feature on Windows devices that lets IT admins remotely view the device screen from the MDM portal.
2. All you need to do to deploy an app like TeamViewer and Quick Assist in multi app kiosk mode is ensure that the app is pre-installed on the device and add it in a kiosk policy with the user account name and the .xml start layout.

Hexnode UEM seems like a viable option. It is an enterprise-grade device management solution that can fully manage your devices with Android Enterprise. It has a device tracking feature that scans the device location periodically and updates it in the devices’ location report. The location can also be pinpointed on a map within the console. IT admins can perform an immediate location scan if needed. The users themselves can also check-in with their location from the Hexnode MDM app. It also supports geofencing and location-based policies.

If the fully managed device is lost, IT admins can make it remotely ring and lock it into lost mode. The lost mode displays a custom message and contact information on the screen. It denies access to other device functionalities unless the lost mode is disabled from the portal.

Hexnode lets you manage multi-platform devices (Android, iOS, macOS, tvOS, FireOS, and Windows) from a single unified console. It provides device lists and filters to simplify the search.

A similar solution, Hexnode UEM, offers an option to group devices in bulk by uploading a CSV file. The file contains all the necessary information such as group name, group description, and the serial number/device ID/UDID of the member devices. The member devices can be added to an existing group or form a new group based on the group name. You can then deploy group-specific policies and configurations to the member devices.

The Apple Push Notifications certificate (APNs) is absolutely free. It is simply an authorization step to allow communication between your Apple devices and third-party servers like MDM servers. To create an APNs certificate, you need an Apple ID and the CSR request from the third-party server with whom you want to establish communication. Keep in mind that the certificate needs to be renewed every 365 days following the same process as creating one.

You can backdoor iPhone and iPads into DEP. there’s just a 30 day opt out window. https://www.hexnode.com/mobile-device-management/help/add-ios-11-devices-to-dep-using-apple-configurator/

On mobile but there should be an MDM setting to block using Apple ID. Then you can push apps from Apps and Books in ABM

Personally I prefer Desktop Info over BGInfo, but similar idea - you can create a scheduled task to start it at user login https://www.glenn.delahoy.com/desktopinfo/

The last time I looked into this, the problem was that the winget command could not be executed as system-account (the way intune and sccm deploy their stuff).

So if MS didnt change something, the command needs to be run as the user with administrative rights.

https://github.com/microsoft/winget-cli/issues/548

Welp, nvm. I think I've found an answer! For anyone who stumbles upon this, you can use the following PS script to create a shortcut from the AppUserModeId:

$TargetPath = "shell:AppsFolder\Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUi" $ShortcutFile = "$Home\Desktop\Cortana.lnk" $WScriptShell = New-Object -ComObject WScript.Shell $Shortcut = $WScriptShell.CreateShortcut($ShortcutFile) $Shortcut.TargetPath = $TargetPath $Shortcut.Save()

And you can find that code via this method.

Once you have that, plug into the $TargetPath field and change the $ShortcutFile to your desired destination. Push that script to your users via Intune, then add the new DestktopApplicationLinkPath line to your Start/Taskbar layout XML file and update it within your device configuration policy in Intune.

Viola! 😃

i found this on Chocolatey's FAQ.

• Binary Packages – Installable/portable applications – This is 98% of the Chocolatey packages – most are pointers to the real deal native installers and/or zipped software.
• PowerShell Command Packages – Packages that have the suffix .powershell will install PowerShell scripts as commands for you to call from anywhere.
• Development Packages – Packages that have the suffix .dev. For instance dropkick.dev.
• Roadmap – Virtual Packages – Packages that are like a category, and you just want one package from that category.

​

We use Office 365 Business, which doesn't have a built in option to deploy by Intune. I've been using Chocolatey to deploy it through a Powershell script. It does take a little while to install in the background, but it will just pop up in the Start menu when it finishes.

Obviously, test this before deploying it in production since there is a (small) chance of malicious code, but it looks like there is a ProPlus package already built in their library: https://chocolatey.org/packages/Office365ProPlus/

Just for the fun of it I downloaded Wireshark https://www.wireshark.org/download.html

and tried deploying it in my test tenant and it worked fine. Let me know if you want to go through the settings I used vs yours.

Thanks for the tip. I see I can type gmeet:// into Edge and it will open in Google Meet so the exemption works. However users still can't click on the actual link to join a meeting as it doesn't start with gmeet:// .

This is an example of the URL that you need to press in Edge to join a meeting in Google Meet. There's no gmeet:// in there.

https://meet.app.goo.gl/?link=https://meet.google.com/ctk-qmmj-iee?hs%3D151&apn=com.google.android.apps.meetings&isi=1013231476&ibi=com.google.meetings&cid=2310732297897419741

I'll try adding "com.google.android.apps.meetings" into the exempt apps later today.

Long term - don't let your users use the personal OneDrive. It's not as secure and can't be transferred between users when you offboard someone. It would make more sense for you to move their personal accounts to their business accounts using the free Microsoft tool at https://mover.io. Then you can silently enable OneDrive for Business from Intune with no URLs, it will just magically move them from one to the other. You get the added admin control.

There isn't really an option from what I know, I have a drawer of semi working Ipads and Iphones to test with. But If you have an apple around to run as the build host you can use Visual Studio on windows and use Xamerain. https://docs.microsoft.com/en-us/xamarin/tools/ios-simulator/ but I'm pretty sure you still need to be runing xcode on a apple somewhere. https://developer.apple.com/xcode/

The other option is to extract the MSI. https://github.com/Bioruebe/UniExtract2
In the manual it looks like it is trying to install very old flash plugins which should be making alarm bells ring considering Flash is no longer getting updated..

Thanks, I have attempted this, and the PS script runs locally, but again it does not install after being converted to an intunewin package.

Logs in here don't appear to show any error but company portal just says "install failed"

My PS script contains
Invoke-WebRequest -Uri "<code>https://</code>fileurl" -OutFile "filename.exe"

./filename.exe

&#x200B;

And the Intune win32 app install command =

powershell.exe -executionpolicy Bypass -file .\mypowershellscript.ps1

Should my PS script be start-process -FilePath ./filename.exe ?

&#x200B;

cheers

Printers I handle with PrinterLogic, although I am eagerly awaiting Microsoft's version of Printer Management to come out of Preview.

For scanning from old scanners, you can scan to email and use Power Apps to get it into Sharepoint: https://flow.microsoft.com/en-us/galleries/public/templates/f7a46809e53c42108034e56acf83bb79/save-my-email-attachments-to-a-sharepoint-document-library/

For newer scanners, a lot of them have the feature to scan to Sharepoint baked in.

Thanks! I found it and mentioned it in my ticket. I also included a link to Google reviews where others are complaining about it.
https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal&amp;showAllReviews=true

I know these are books but they do have a significant focus on walking the reader through hands-on exercises to understand the concepts. highly recommend.

https://www.amazon.com/Learning-Microsoft-Endpoint-Manager-Management/dp/0645127906

https://www.amazon.com/Mastering-Microsoft-Endpoint-Manager-physical/dp/1801078998

Yeah, I have. My trick is to do it in the portal while monitoring

I don't have a managed store connected to my tenant but I created a regular android app store app in the portal while monitoring network traffic in DevTools. You can do that by opening DevTools with F12, selecting the Network tab, filter by "XHR", and put "graph" as your search term.

This will show all requests that go to graph, where you'll see mobileApps/ as one of the requests. Click on that and scroll to the bottom of the Headers page and you'll see the request payload.

When I created my app, the following was the payload:

{
"@odata.type": "#microsoft.graph.androidStoreApp",
"appStoreUrl": "https://play.google.com/store/apps/details?id=com.microsoft.office.outlook\\u0026hl=en-CA",
"categories": [],
"description": "Description value",
"developer": "",
"displayName": "Microsoft Outlook",
"informationUrl": "https://play.google.com/store/apps/details?id=com.microsoft.office.outlook\\u0026hl=en-CA",
"isFeatured": true,
"roleScopeTagIds": [],
"minimumSupportedOperatingSystem": {
"v4_0": true
    },
"notes": "",
"owner": "",
"privacyInformationUrl": "",
"publisher": "Microsoft Corporation"
}

I didn't include an icon when I created it so that was left out but I copied that, deleted the app, and ran the request in Graph Explorer and it worked. Maybe the minimumSupportedOperatingSystem value is what's missing.

I tried it with the following app:

https://play.google.com/store/apps/details?id=com.wesbunton.projects.mycertificates&amp;hl=de

Somehow it doesn’t display anything. Maybe it’s not supported on an Android 10 device...

Use the Azure Information Protection application to play media files from protected containers. https://play.google.com/store/apps/details?id=com.microsoft.ipviewer&amp;hl=en_US

And make sure you add it as a protected app in your app protection policy.

This book is pretty good. It's for MDM in general, but they focus mostly on Intune and the content is fairly current:

https://www.amazon.com/gp/product/B07X4K9CTW/ref=ppx_yo_dt_b_d_asin_title_o06?ie=UTF8&amp;psc=1

No, we did not get to the bottom of this. I simply forced the available Samsung Apps from Play Store that wasn't installed.

https://play.google.com/store/apps/details?id=com.sec.android.gallery3d

^ The gallery app

The OEM-camera was not available so we ran for OpenCamera and Samsung Gallery (to be able to view pictures taken).