You are browsing the archive for 2014 December.

Microsoft Intune Mobile Application Management

9:18 am in Uncategorized by nsienaert

Hi All,


Containerization is one of those terms that keeps coming back when talking about Mobile Device Management.

Microsoft’s competitors work with these typical containers, where they collect all corporate data and applications into a separate container.

A user has to log into that container and work from there with, for instance, containerized email apps.

This is typically not a very nice experience and that’s why Microsoft has another vision on that. With Intune you will not see that typical container approach. What Microsoft will do is build that “Containerization” intelligence directly into their products.

Coincidentally, Microsoft Office is one of the most used pieces of software in the world, so by adding this intelligence to the suite Microsoft already covers quite a few scenarios.

This is also aligned with Microsoft’s strategy to deliver Office to iOS and Android.

Furthermore, they have also released Secured Browsers (my next blog), AVI Players and PDF Readers.

OK, so let’s have a look at how this works, as this new feature was added in the latest December release.

Microsoft Intune Console:

If you go to “Policies” you will see new Software Templates.


If you select one for iOS you can configure the typical MAM settings like Data Relocation and Access behavior.


Once you have created such a policy you will see that this kind of policy differs from other policies. You cannot deploy these policies directly; you need to link them to a managed Application.


So let’s create a Deep Link to the iOS store, in this case to Microsoft Word and link the appropriate policy.


Now deploy the policy to the user or device of your choice.

The experience:

If you open your Self-Service Portal on an iOS device after the December release you will see the following message.

An update of your SSP will be installed (you don’t need to do anything for this) to make sure you have the latest bits and bytes regarding MAM.


Also notice the new Sync button, to force a policy lookup.


As explained before I have deployed Word (with the policy linked to it), so let’s install it.


Thanks to my policy, Word is considered a Managed App, for which I decided to use a PIN.


Let’s open a document and try to copy\paste some text…


… to an Application outside the Office Suite


That does not work, as expected. Let’s paste it into Excel now…


That works!


This is again a major feature released into the service to control your corporate data. If you extend this with Azure RMS (part of the Enterprise Mobility Suite) you have an enterprise-grade security solution delivered by One Vendor, Microsoft.

If you look at competitors you will end up with a multi-vendor approach.

Till next time!

Nico Sienaert (@nsienaert)


Assigned Access \ Kiosk Mode with Microsoft Intune

8:54 am in Uncategorized by nsienaert

Hi All,

Let’s talk today about Assigned Access, Kiosk Mode, Device LockDown,… whatever you want to call it.

This is typically used where devices are located in a public spot (Kiosk) or for certain Task Work scenarios where only specific Settings or Application(s) are required to be available.

Let’s have a look at how this is reflected in the Intune Console and let’s discuss it per Platform.

iOS:

Start an “iOS Configuration Policy”, and go to the “Kiosk” section. Notice that you have a choice between a “Managed” or a “Store” App.

You can also set a bunch of Device Settings.


Important to realize before you start deploying this kind of policy is the following:

– Make sure your device is in Supervised Mode, otherwise Kiosk Policies will be rejected. This prevents a personal device from getting this kind of restriction. To put an iOS device in Supervised Mode you need Apple Configurator, which you can only install on a Mac. This is immediately the reason why I cannot show you the experience, as I currently don’t have a Mac. :-)

– Make sure the particular Application that you want to allow is installed BEFORE you apply the Kiosk settings.

– To get the device out of the Kiosk state put it back through the Apple Configurator.

Android (KNOX):

Start an “Android Configuration Policy”, and go to the “Kiosk” section. Notice that you have NO choice between a “Managed” or a “Store” App.

You can also set some policies, but compared to iOS you have fewer choices.


Important to realize before you start deploying this kind of policy is the following:

– KNOX does not know a concept of Supervised Mode, so you have to be careful when deploying Kiosk policies. The danger exists that you lock down a personal device through Kiosk mode. It is therefore important to consider well how you will deploy this kind of policy, for instance by creating a Device Enrollment Manager and adding it to a User Group that has been created specifically for Kiosk policies.

– Make sure the particular Application that you want to allow is installed BEFORE you apply the Kiosk settings.

– By retiring from management you can take an Android device out of Kiosk mode.

Windows Phone:

For similar settings Windows Phone works with OMA-URI; as I mentioned in my previous blog, this will be supported in the December release.

What that will look like in the console cannot be demonstrated yet, but you will need the OMA-URI XML piece for sure. Here is an example of controlling “Settings”.

    <?xml version="1.0" encoding="utf-8"?>
    <HandheldLockdown version="1.0">
      <Default>
        <Buttons>
          <ButtonLockdownList>
            <!-- Lockdown all buttons -->
            <Button name="Search">
            </Button>
            <Button name="Camera">
              <ButtonEvent name="Press" />
              <ButtonEvent name="PressAndHold" />
            </Button>
          </ButtonLockdownList>
          <ButtonRemapList>
            <Button name="Search">
              <ButtonEvent name="Press">
                <!-- Settings -->
                <Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5601}" parameters="" />
              </ButtonEvent>
            </Button>
          </ButtonRemapList>
        </Buttons>
      </Default>
    </HandheldLockdown>

You can find more in the PDF.
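Because Assigned Access on Windows Phone can only be removed with a factory reset, it pays to check the lockdown XML before it is deployed. The Python below is an added example, not part of the original post or of Intune: it rejects XML that still carries the typographic quotes and dashes that a blog or word processor introduces, then lists the locked and remapped buttons and validates every productId. The name `audit_lockdown` and the report layout are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the button policy from the post, typed with ASCII quotes.
SAMPLE = """<HandheldLockdown version="1.0"><Default><Buttons>
 <ButtonLockdownList>
  <Button name="Search"></Button>
  <Button name="Camera"><ButtonEvent name="Press" /><ButtonEvent name="PressAndHold" /></Button>
 </ButtonLockdownList>
 <ButtonRemapList>
  <Button name="Search"><ButtonEvent name="Press">
   <Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5601}" parameters="" />
  </ButtonEvent></Button>
 </ButtonRemapList>
</Buttons></Default></HandheldLockdown>"""

GUID = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
TYPOGRAPHIC = re.compile("[\u201c\u201d\u2033\u2013\u2014]")  # curly quotes, double prime, dashes

def audit_lockdown(xml_text):
    """Return (summary, findings) for a HandheldLockdown button policy."""
    bad = sorted(set(TYPOGRAPHIC.findall(xml_text)))
    if bad:  # pasted from a web page: the XML parser would reject or misread it
        return {}, ["typographic characters instead of ASCII: " + " ".join(bad)]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {}, [f"not well-formed XML: {exc}"]
    findings = []
    if root.tag != "HandheldLockdown":
        findings.append(f"unexpected root element <{root.tag}>")
    # Button name -> list of locked events (empty list: no events were listed)
    locked = {b.get("name"): [e.get("name") for e in b.findall("ButtonEvent")]
              for b in root.findall("./Default/Buttons/ButtonLockdownList/Button")}
    remapped = {}
    for b in root.findall("./Default/Buttons/ButtonRemapList/Button"):
        for ev in b.findall("ButtonEvent"):
            app = ev.find("Application")
            pid = app.get("productId", "") if app is not None else ""
            if not GUID.match(pid):
                findings.append(f"{b.get('name')}/{ev.get('name')}: invalid productId {pid!r}")
            remapped[f"{b.get('name')}/{ev.get('name')}"] = pid
    return {"locked": locked, "remapped": remapped}, findings

if __name__ == "__main__":
    print(audit_lockdown(SAMPLE))
```
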

The result might look something like this:


Important to realize before you start deploying this kind of policy is the following:

– Windows Phone does not know a concept of Supervised Mode, so be careful, certainly once you have read the 3rd bullet.

– Make sure your Apps are deployed first.

– Once an Assigned Access has been provisioned to a device, the only way to remove this functionality will be to Factory Reset the device.

– Look into the PDF for more interesting “Notes” about Assigned Access & Windows Phone.


Kiosk Mode is a cool feature which can help you in typical scenarios. When starting to use this, it’s very important to realize that provisioning and de-provisioning differ per OS platform. This is not caused by Microsoft Intune; this is just how these OSes are designed. And yes, this is currently only supported in the Cloud-Only mode, except for Windows Phone: because of the OMA-URI you can already use that in the Hybrid Solution.

Till next time!

Nico Sienaert (Twitter: @nsienaert)


Allow \ Deny of iOS and Android Applications

1:13 pm in Uncategorized by nsienaert


Hi All,

Earlier this year I wrote a blog about Allow and Deny applications on Windows Phone devices; we can do this by leveraging OMA-URI.

In that particular blog I wrote about the Hybrid mode (integration with ConfigMgr), but since the new Intune releases of last week you also have similar capabilities in the Cloud-Only, standalone mode. Actually, today there is support for iOS and Android. Windows Phone support (with OMA-URI) will come in the release of December (if I’m not mistaken).

Allow and Deny Application support for iOS and Android in the Hybrid model will be something for 2015.

So back to the Cloud-Only model, let’s discover how Black and White Listing is possible today on iOS and Android.

Like most features within the Intune console, this one is fairly simple to configure.

Under policies you select an iOS or Android Configuration Policy, and in this wizard you can Allow or Deny Applications based on their URL.

Let’s take Flappy World again as an example. :-)


Deploy this to the required Users or Devices.


After a few minutes go to your Reports and open the “non-compliance” report.


The Result should look like this.


Important 1: Yes indeed, today Allow & Deny App for iOS and Android is a reporting feature. In the future this will probably change, meaning you will be able to really block an App from installation OR usage on a device, as you can already do today with Windows Phone (cf. the other blog mentioned before).

So today there is no experience on the device.

Important 2: Notice the App Name in the report. That is not really user friendly, right? The list of installed apps comes from issuing an InstalledApplicationList command, which then responds back with a list of entries that includes BundleID, Version, App Name, … It seems that only the BundleID is shown in the reporting. This is not really nice to read as there is no mapping between the BundleID and the App Name. I have discussed this with the Prod Team and a DCR has been filed for that.

Important 3: Windows Phone will be supported soon. The way you will do it is very similar to the Hybrid model (with OMA-URI), but I’ll write a blog about that once that is released.
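The mapping that “Important 2” finds missing from the report is present in the device's reply to InstalledApplicationList, as this added Python example shows (it is not Intune's own code and not from the original post). It parses a constructed reply and emits deny-list matches with both bundle ID and app name. The function name, the sample apps and the assumption that the deny list has already been resolved from store URLs to bundle IDs are all hypothetical.

```python
import plistlib

# Constructed device reply to an MDM InstalledApplicationList command (sample values).
RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>CommandUUID</key><string>00000000-0000-0000-0000-000000000001</string>
 <key>Status</key><string>Acknowledged</string>
 <key>InstalledApplicationList</key><array>
  <dict><key>Identifier</key><string>com.example.flappygame</string>
        <key>Name</key><string>Flappy Game</string>
        <key>ShortVersion</key><string>1.2</string></dict>
  <dict><key>Identifier</key><string>com.example.notes</string>
        <key>Name</key><string>Notes</string>
        <key>ShortVersion</key><string>3.0</string></dict>
  <dict><key>Identifier</key><string>com.example.unnamed</string>
        <key>Version</key><string>7</string></dict>
 </array>
</dict></plist>"""

def noncompliance_rows(response_bytes, denied_ids):
    """Return report rows for installed apps whose bundle ID is on the deny list."""
    reply = plistlib.loads(response_bytes)
    if reply.get("Status") != "Acknowledged":
        # e.g. the device is locked or busy; the inventory is not usable yet
        raise ValueError(f"device did not acknowledge: {reply.get('Status')}")
    rows = []
    for app in reply.get("InstalledApplicationList", []):
        bundle_id = app.get("Identifier", "")
        if bundle_id in denied_ids:
            rows.append({
                "bundle_id": bundle_id,
                # keep the identifier AND the readable name side by side
                "name": app.get("Name") or "(name not reported)",
                "version": app.get("ShortVersion") or app.get("Version", ""),
            })
    return rows

if __name__ == "__main__":
    for row in noncompliance_rows(RESPONSE, {"com.example.flappygame"}):
        print(row)
```
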

Till next time!

Nico Sienaert (Twitter: @nsienaert)


Required install of iOS Store Apps

8:24 am in Uncategorized by nsienaert


Hi All,

Here is another post where we discover a new Microsoft Intune capability.

One of the new features in the November release is the possibility to create a Required Deployment for iOS Store Apps.

Store Apps were already supported in the past, but only by making them “Available”, meaning provisioning them via the Self-Service Portal.

These are also called “deep-links”, supported for iOS, Android and Windows Phone.

In the Intune console (Standalone-mode) you will see a new “Deployment Type” called, “Managed iOS App from the App Store”.

Today the “Required” part is not yet supported for Android and WP.

But it’s clear that Microsoft will introduce a lot of new capabilities with the new Store that will ship with Windows 10, so certainly more to come.

Before we have a look at the experience, just note that this feature only works for FREE apps from the Apple Store AND an Apple ID is still required to start the installation.

Let’s have a look.

Start the “Add Software” wizard and select the new Deployment Type which we have discussed before.

Copy \ Paste the URL of your App and finish the wizard.


Start the “Manage Deployment” wizard and mark the deployment as a “Required Install”.


Within a few minutes you will see the following on your iOS device.

Lock Screen:


The typical Information Message + a pop-up to enter the password of your Apple ID.


So in case you have some favorite Store Apps that you want to provision to your users, you now have the capability to push the installation instead of making it available in the Self-Service Portal.

Till next time!

Nico Sienaert (@nsienaert)