Getting started with just-in-time registration and compliance remediation

This week is all about just-in-time (JIT) registration and compliance remediation. Not something completely new, but it’s new that it’s now available for all iOS and iPadOS enrollments. In a way this post is a follow-up, or deeper dive, to this post about getting started with web-based device enrollment. While that post was really focused on the web-based device enrollment, this post is focused more on a specific feature that’s also used for web-based device enrollment. That feature is JIT registration. JIT registration, however, can be used for more than just the registration of the device. It can also be used for the compliance remediation of the device. This post will start with a short introduction to JIT registration and JIT compliance remediation, followed with …

Read more

Temporarily removing apps and configurations from mobile devices

This week is all about a new feature that is specifically for mobile devices, and that feature is the ability to remove, reinstall, and re-apply specific configuration policies, configuration profiles, and apps. The best part is that it can be achieved without changing the assignments of those apps and configurations. That can be really useful to help with resolving specific challenges and to quickly restore the productivity of the user. The apps and configurations that were removed will automatically be restored within 8-24 hours. Alternatively, the IT administrator can also manually initiate an action to restore the removed apps and configurations earlier. So, in the end, the focus remains on ensuring that the devices remain consistent with the assigned apps and configurations. This post will …

Read more

Getting started with web-based device enrollment for iOS devices

This week is all about a new enrollment feature for iOS/iPadOS devices. That feature is web-based device enrollment. Web-based device enrollment is now one of the two device enrollment methods that is available for personal iOS/iPadOS devices. The other method is the already existing device enrollment with the Company Portal app. The main differentiator for web-based device enrollment is that it provides a faster and more user-friendly enrollment experience. It’s no longer required to first download the Company Portal app. Instead the user can just go to the Company Portal website, or start the new enrollment experience via an app that requires a compliant device. More user-friendly and accessible via the favorite browser of the user. Besides that, web-based device enrollment can be used in …

Read more

Getting started with Microsoft Tunnel for Mobile Application Management for iOS/iPadOS

This week is all about one of the new Intune Suite add-on capabilities. The capability of focus is Microsoft Tunnel for Mobile Application Management (Tunnel for MAM) for iOS/iPadOS devices. The Intune Suite add-ons were released at the beginning of March, including a new licensing model, and including Tunnel for MAM. That capability on itself, is available as part of the new Microsoft Intune Plan 2 license. Tunnel for MAM makes it possible to provide access to on-premises resources, on unmanaged devices. Often unmanaged devices are equal to personal-owned devices. So, that provides IT with the flexibility to make that app, with on-premises interaction, available on personal-owned devices. Without requiring the user to enroll that specific device, but still enforcing secure access and guaranteeing full …

Read more

Replacing the TLS certificate for Microsoft Tunnel

This week is a relatively short post that is focused on replacing the Transport Layer Security (TLS) certificate that is used for Microsoft Tunnel. That TLS certificate is used for securing the connection between the mobile devices and the Microsoft Tunnel Gateway and should contain the public name or IP address in its Subject Alternative Name (SAN). Replacing that TLS certificate can be required when the certificate is expired, or when the public name of the Microsoft Tunnel Gateway is changed. Those are a couple of good reasons to replace the TLS certificate. Luckily, those things don’t happen that often, but sadly that also means that it’s always searching for the right actions to perform. This post will walk through the steps that should be …

Read more

Using Microsoft Tunnel for per-app VPN

This week is another mobile focused blog post. This week is al around Microsoft Tunnel. More specifically, this week is all about using Microsoft Tunnel for providing per-app VPN on iOS/iPadOS devices and Android devices. Per-app VPN enables organizations to only allow specifically configured apps to use the configured VPN tunnel. So, not simply pushing all traffice through the VPN tunnel, but only the traffic of specific apps. That provides a solid method for providing access to on-premises resources for only the apps that really need it. This post will start with a quick summary of what should be in place, followed by going through the important per-app VPN specific configurations. Those configurations slightly differ per platform. This post will end by showing the user …

Read more

Simplifying targetting groups of apps with app protection policies

This week is all about the simplification in targetting groups of apps with app protection policies and a followup on my tweet of last week. That tweet provided a quick peak at the new targetting options of app protection policies for Android and iOS/iPadOS devices. The great thing about that simplification is that app protection policies can now be targeted at different categories (or groups) of apps. Those categories of apps are All apps, All Microsoft apps and Core Microsoft apps, and are dynamically updated to include the appropriate apps. That dynamic update will make sure that the already created app protection policies are automatically updated with the latest apps that are available for the different categories and will also make sure that newly created …

Read more

Getting new users quickly up-and-running with Temporary Access Pass

This week is a little follow-up on a post of a couple of months ago and about connecting pieces of the puzzle. That post was around Temporary Access Pass (TAP). Even though that post was focused on Windows devices, it did provide some hints for using TAP on mobile devices (Android, iOS) also. An often seen and heard challenge is related to getting new user up-and-running. Especially when requiring Multi-Factor Authentication (MFA) for device enrollment, or when trying to work completely passwordless. Those scenarios introduce chicken-and-egg situations as a device must be registered for usage with MFA and the registration requires MFA, or when trying to work passwordless and an authentication method must be registered to be able to work passwordless. So, to get a …

Read more

App protection policies and managed iOS devices

This week is all about app protection policies for managed iOS devices. More specifically, about some default behavior that might be a little bit confusing when not known. When creating app protection policies, those policies can be configured for managed devices or managed apps. That sounds simple. By default, however, when creating and assigning separate policies for managed devices and managed apps, every iOS device will apply app protection policies that are assigned to managed apps. That behavior is caused by the fact that the device will only be identified as a managed device when a specific configuration is in place. That configuration is the user UPN setting. Even better, the user UPN setting opens even more use cases for managed devices. This post will …

Read more

Getting started with Shared Device Mode for iOS devices

This week is all about Shared Device Mode for iOS (and iPadOS) devices. Shared Device Mode is based on Azure AD and is the Microsoft solution for shared iOS devices. Those shared iOS devices are company-owned multi-user devices. Shared Device Mode is provided for iOS (and iPadOS) 13 and later devices and enables multiple users to use the same Apple device and to sign in and out of apps by using an Azure AD account. When those apps support Shared Device Mode, those apps provide the global sign in and global sign out functionality. That enables a user to sign in to an app, at the start of a shift, and automatically be globally signed in to all apps that support Shared Device Mode. That’s …

Read more