Posts

Maximising Apple Device Management with Apple Business Manager & Microsoft Intune Integration

As a Microsoft Intune expert, I can confidently say that Apple and Microsoft are better together when it comes to managing Apple iOS or macOS devices with Microsoft Intune. What is Microsoft Intune? Microsoft Intune is a powerful solution that can help secure iOS, Android, Windows, and macOS devices. With Intune, you can deploy devices with company-defined security standards, secure corporate data on devices, and improve the user experience by automating the installation of apps, configurations and updates, pushing Wi-Fi, VPN and security policies, and enforcing configuration policies. Intune can also help maintain the end-to-end device lifecycle. It is the only solution that can protect Office 365 data on devices using Application Protection Policies, with or without device enrollment. What is Apple Business Manager? Apple Business Manager (ABM) is a new portal that integrates the Device Enrollment Program (DEP) and the Volume Purchase Program (VPP). ABM can be beneficial in managing company-owne

Intune managed devices are receiving MAM policies configured for Unmanaged devices

You have MAM policies for managed and unmanaged devices, yet Intune managed devices are receiving the MAM policies configured for unmanaged devices. As a rule, if you do not configure IntuneMAMUPN for each targeted app on the managed device, the app protection policy will apply to all devices, whether managed or unmanaged. In simple terms, the target app cannot tell whether it is installed on a managed or an unmanaged device. After I deployed an app configuration policy to the managed apps that sets IntuneMAMUPN, the issue was resolved. I have also noticed that the profile is not applicable for some of the devices. As confirmed, the prerequisites for an app configuration policy are:
- For iOS: the app must be downloaded via the Company Portal (store app or LOB app)
- For Android: the app must be downloaded via the managed Google Play store
The workaround is to deploy the app as required or re-install it from the Company Portal app, app configurat

Intune Hybrid to Standalone Migration - Policy Removal can take 7 days !

We have commenced an Intune Hybrid to Intune Standalone migration. We had configured the iOS feature configuration Web Content Filter for the Safari browser. These settings were later removed from the profile because of an undesired side effect, namely that Safari private mode could not be used. However, the settings were not removed from some of the devices. Policies are applied immediately, but tattoo removal is disabled for the first 7 days after a device migrates from Hybrid to Standalone. For example, creating a new policy to change the wallpaper or the Web Content Filter is applied immediately, while untargeting an existing policy will not remove it from the device until 7 days have passed. After those 7 days, if an admin untargets a policy, it is removed immediately. The intention of the delay is to keep protecting the device until it signs in and is fully managed by the new Standalone MDM authority. In a nutshell, please ensure policies are thoroughly tested and be mindful that policy changes may take up to 7

How to enable iOS unmanaged apps to read managed contacts & write unmanaged contacts without compromising security using Microsoft Intune

Contacts saved in Exchange are considered managed contacts. From iOS 12 onwards, managed contacts are not visible to unmanaged apps. As stated in the Apple article (https://support.apple.com/en-au/HT208749), on iOS 12 you can use MDM to make the following exceptions to this policy: allow unmanaged apps to access managed contacts, and allow managed apps to save contacts to the local Contacts app. Microsoft Intune has introduced a new feature for this, but it has prerequisites: "Viewing corporate documents in unmanaged apps" must be allowed to write contacts to an unmanaged app, and "Viewing non-corporate documents in corporate apps" must be allowed to read managed contacts in an unmanaged app. This can be a security issue for many organisations. However, you can enable this without changing the parent policy with the following trick! Go to the iOS restriction settings in Intune, then to 'App Store, Doc Viewing, Gaming' controls. As highlighted above, 'Allow managed apps to write contacts

SQL Query to get Mobile Device and Primary Users from Microsoft Configmgr

The following query will give you the list of mobile devices managed by Intune and their primary users from ConfigMgr. The query is cut off at the end of the excerpt:

SELECT
    dbo.v_R_System.Name0,
    dbo.v_GS_DEVICE_COMPUTERSYSTEM.IMEI0,
    dbo.v_GS_DEVICE_COMPUTERSYSTEM.PhoneNumber0,
    dbo.v_GS_DEVICE_COMPUTERSYSTEM.DeviceManufacturer0,
    dbo.v_GS_DEVICE_COMPUTERSYSTEM.DeviceModel0,
    dbo.v_GS_DEVICE_COMPUTERSYSTEM.SerialNumber0,
    dbo.v_GS_DEVICE_COMPUTERSYSTEM.TimeStamp AS Expr1,
    dbo.v_GS_DEVICE_COMPUTERSYSTEM.FirmwareVersion0,
    dbo.v_GS_DEVICE_COMPUTERSYSTEM.SoftwareVersion0,
    dbo.v_R_User.Full_User_Name0,
    dbo.v_R_User.Name0 AS UserID,
    dbo.v_R_User.User_Principal_Name0
FROM
    dbo.v_GS_DEVICE_COMPUTERSYSTEM RIGHT OUTER JOIN
    dbo.v_R_System INNER JOIN
    dbo.v_UsersPrimaryMachines INNER JOIN
    dbo.v_R_User ON dbo.v_UsersPrimaryMachines.UserResourceID = dbo.v_R_User.ResourceID ON dbo.v_R_Sys

Unable to add ipads to Apple DEP/Business Manager

Issue: Unable to add a device to the Apple DEP program manually using Apple Configurator 2.
Error: Apple Configurator 2 was showing the following error message: "Provisional Enrollment failed. Network Communication error MCCloudConfigErrorDomain – 0x80EF (33007)". The error screenshot is shown below.
Fix: Connect the iPad to Wi-Fi or a mobile network and restart the enrollment process.

Unable to sync the Apple DEP devices from Microsoft Intune Portal

Unable to sync Apple DEP devices from the Microsoft Intune portal while Intune is running in Hybrid mode. If you are affected by the same limitation, please provide feedback to the product group about the migration process and ask them to consider an improvement. I have come across this issue in a hybrid Intune environment while migrating to Intune Standalone. Intune does not allow Apple DEP devices to be synced with Intune Standalone, so a new user with an Apple DEP device must be enrolled with Hybrid Intune. They cannot use Intune Standalone directly until the Intune MDM authority is changed from ConfigMgr to Intune Standalone. Apple DEP has the capability to add multiple MDM servers, and Intune should provide the capability to sync devices with Apple DEP. However, Microsoft support has suggested this could create a conflict. (I do not think so, since it is a different MDM server!) Besides, here is the document on the MDM authority change for your reference: https://d