Thanks Ants posted: I'd start with cross-tenant synchronisation, which is a less high-touch feature building on top of B2B collaboration.

I'll give this a go, thanks!

# ? Jan 11, 2024 04:48
# ? Apr 29, 2024 10:21
You shouldn't need cross-tenant sync to go that far. If it was just a single user, all they need to do is accept the B2B invitation. Once that's done they should appear in your tenant as a B2B user, and then you should be able to assign them the appropriate RBAC rights.

# ? Jan 11, 2024 05:04
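The invite-then-assign flow described in the post above, as an added example in Microsoft Graph PowerShell and Az PowerShell; this is not code from the thread. It assumes both modules are installed, that the caller holds User.Invite.All in Entra and can assign roles on the target resource group, and that the e-mail address, subscription id and resource group name are placeholders to be replaced.

```powershell
# Added example, not from the thread: invite one external user as a B2B guest and
# give them a least-privilege Azure RBAC role on a single resource group.
# Assumptions: Microsoft.Graph and Az modules installed; caller holds
# User.Invite.All in Entra and Owner / User Access Administrator on the resource
# group; e-mail address, subscription id and resource group name are placeholders.
Connect-MgGraph -Scopes 'User.Invite.All'
Connect-AzAccount

$guestEmail = 'homer.simpson@partner.example'                                               # placeholder
$scope      = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-pilot' # placeholder

# 1. Send the invitation. The guest object exists in the tenant immediately
#    (userType = Guest); the person just has to redeem the e-mail.
$invite = New-MgInvitation -InvitedUserEmailAddress $guestEmail `
    -InviteRedirectUrl 'https://portal.azure.com' `
    -SendInvitationMessage

# 2. Assign the role to the guest object, scoped to the resource group rather
#    than the subscription. Reader is a placeholder; pick the narrowest
#    built-in role that covers the work.
New-AzRoleAssignment -ObjectId $invite.InvitedUser.Id `
    -RoleDefinitionName 'Reader' `
    -Scope $scope

# 3. Check: the guest shows up as a B2B user (ExternalUserState stays
#    PendingAcceptance until they redeem) and carries exactly one assignment.
Get-MgUser -UserId $invite.InvitedUser.Id -Property displayName,userType,externalUserState |
    Select-Object DisplayName, UserType, ExternalUserState
Get-AzRoleAssignment -ObjectId $invite.InvitedUser.Id -Scope $scope
```

The role assignment is made against the guest's object id, so it is in place before the invitation is redeemed; the last two commands are the check that nothing wider than the one resource group was granted.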
Gucci Loafers posted: You shouldn't need cross-tenant sync to go that far. If it was just a single user, all they need to do is accept the B2B invitation. Once that's done they should appear in your tenant as a B2B user, and then you should be able to assign them the appropriate RBAC rights.

I got it working! Does anyone work with Intune and Autopilot? That is a domain I have zero experience in, but I'd like to learn a little. I don't have any extra hardware, but I can do VMs on VirtualBox. Can someone suggest a practical scenario that would leverage Intune and Autopilot to onboard my new employee Homer Simpson? How would a competent business leverage that tech for a new employee?

# ? Jan 12, 2024 02:36
A company has an agreement with an OEM to register devices to Autopilot in Intune, then purchases a device with that SKU for a remote user. The OEM ships to the remote user (at this point you can pretend with your manually registered VM), the user goes through OOBE and ends up on the desktop on a managed device. If the user is only using an AAD logon, that's kind of it. Some additional things to play with:

- Apps and profiles with the enrollment status page if they have to be there before the user logs on
- Hybrid domain join and always-on VPN for the first-time logon
- Using Graph API to register existing managed devices

AreWeDrunkYet fucked around with this message at 03:32 on Jan 12, 2024

# ? Jan 12, 2024 03:27
AreWeDrunkYet posted: A company has an agreement with an OEM to register devices to Autopilot in Intune, then purchases a device with that SKU for a remote user. The OEM ships to the remote user (at this point you can pretend with your manually registered VM), the user goes through OOBE and ends up on the desktop on a managed device. If the user is only using an AAD logon, that's kind of it.

Hmmm. That doesn't sound as thrilling as the product names entail. Thank you for the suggestions. I'm going to walk through a bit and see what I can figure out.

# ? Jan 12, 2024 03:44
It's still a very good thing to learn. You can manually add devices if you don't have an OEM doing it by running these commands in PowerShell:

Install-Script Get-WindowsAutopilotInfo
Set-ExecutionPolicy Bypass
Get-WindowsAutopilotInfo -Online

One feature you won't be able to test with a VM is pre-provisioned deployments (aka white glove/OOBE), but that's not a big deal. Getting Autopilot up is pretty straightforward. The only gotcha I can remember is that Company Branding must be configured first.

# ? Jan 12, 2024 04:39
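The manual registration from the post above, written out as an added example rather than the poster's own commands. The differences are deliberate: the execution-policy change is scoped to the current process instead of the machine, and the offline CSV route is shown alongside the direct upload for hosts without tenant access at OOBE time. It assumes an elevated PowerShell session (Shift+F10 during OOBE works), internet access to the PowerShell Gallery, an account that can consent to the Intune permission the script requests on its first -Online run, and that the group tag and CSV path are placeholders.

```powershell
# Added example, not the poster's commands: register the current machine with
# Windows Autopilot using the Get-WindowsAutopilotInfo script from the
# PowerShell Gallery. Run from an elevated PowerShell window.
# Assumptions: PSGallery reachable; first -Online use will prompt for consent to
# the Intune permission the script needs; 'Finance' and C:\Temp are placeholders.

# Scope the execution-policy change to this process only, instead of a
# machine-wide Bypass that would survive after the registration is done.
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

# Install the community script (it pulls in the Microsoft Graph modules it
# depends on). Install-Script places it under the PowerShell Scripts folder.
Install-Script -Name Get-WindowsAutopilotInfo -Force

# In a fresh OOBE session that folder may not be on PATH yet, so resolve the
# script explicitly rather than relying on command lookup.
$script = Join-Path $env:ProgramFiles 'WindowsPowerShell\Scripts\Get-WindowsAutopilotInfo.ps1'
if (-not (Test-Path $script)) { throw "Get-WindowsAutopilotInfo.ps1 not found at $script" }

# Option A: upload the hardware hash straight to the tenant, tagging it so a
# dynamic device group can pick up the right deployment profile.
& $script -Online -GroupTag 'Finance'

# Option B (no tenant access from the device): write the hash to CSV and import
# it later from an admin workstation through the Intune admin center.
New-Item -ItemType Directory -Path 'C:\Temp' -Force | Out-Null
& $script -OutputFile 'C:\Temp\AutopilotHWID.csv' -GroupTag 'Finance'
```

Pick one of the two options per device; both produce the same hardware hash, and the CSV route is the one to use when a technician is collecting hashes in bulk before they have signed in to anything.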
The net effect is very cool: you can cut out a lot of cross-shipping of devices for distributed employees. It's just mostly a black-box experience, so there's not all that much to code or configure if you already have the MDM infrastructure.

# ? Jan 12, 2024 04:54
There's also a way to Autopilot-join during the OOBE and then bail, leaving it intact without resetting. The Autopilot join just registers the device and SN in your Intune environment, so when the OOBE checks in with an Internet connection you get a customized experience that does a bunch of neat stuff. Shift+F10 to open a command line and do stuff during OOBE.

# ? Jan 12, 2024 06:39
Autopilot is good, but Dell still ship Windows images chock full of poo poo, so we're just going to switch vendor. Not been impressed with their hardware for a while, really.

# ? Jan 12, 2024 13:06
I'm sure the way I do it isn't the most efficient, but we buy like 5-20 laptops at a time and just get much better pricing straight from Provantage than any discount Dell has offered us. So we run that script to enroll it in Autopilot, then run OOBE/predeployment before adding it to our "app and configurations" security group to get it Entra joined. About 5 minutes per laptop. We then Fresh Start it to wipe the Dell bloatware and run OOBE/predeployment to load Office plus a few extra apps and configuration profiles. Sounds repetitive, but it takes about 10 minutes of employee time and we save like $300 bucks per device over ordering a pre-enrolled and clean image from Dell.

# ? Jan 12, 2024 13:51
Cyks posted:

Wow, you guys aren't making more than $1,800 per hour?

# ? Jan 12, 2024 14:00
Potato Salad posted: Wow, you guys aren't making more than $1,800 per hour?

I have the CEO doing the imaging, so really we break about even.

# ? Jan 12, 2024 14:09
Thanks Ants posted: Autopilot is good, but Dell still ship Windows images chock full of poo poo, so we're just going to switch vendor. Not been impressed with their hardware for a while, really.

Microsoft's recommendation is to send a remote wipe command (Fresh Start), even for Surfaces. This gives you a fresh-off-the-ISO install build with factory drivers. I've got the auto-provisioning process for Entra ID devices, and my guys either do the Shift+F10 and do the enroll, or it was added before shipping. Then it completes to a login. Absolute game changer in our onboarding.

# ? Jan 12, 2024 22:30
This is an overly broad question, but do you all feel there is money to be made specializing in Intune + Autopilot, or are you looking for the door?

# ? Jan 12, 2024 22:32
Second post for the absolute poo poo show KB5034441 is. A much-needed security update to Windows PE, but it will increase the size of Windows PE by 200 megs. Oh, but it doesn't do that for you. Nor does it tell you what to do on fail. You're just going to get a failed update forever.

# ? Jan 12, 2024 22:34
Hughmoris posted: This is an overly broad question, but do you all feel there is money to be made specializing in Intune + Autopilot, or are you looking for the door?

No, there isn't any money there. Autopilot is just one (but big) step in your onboarding and offboarding lifecycle. You've still got to manage application lifecycles, identity, and information governance. Autopilot just took the bullshit of golden images for physical devices off your plate. (This very much goes for Macs now. You don't have to be afraid of them no mo'.) Your company probably has like 7 SaaS not talking to each other, or poorly. Pivoting to owning your IdP with your devices and conditional access for devices is where you'll be going in the next decade.

# ? Jan 12, 2024 22:39
Hughmoris posted: This is an overly broad question, but do you all feel there is money to be made specializing in Intune + Autopilot, or are you looking for the door?

Autopilot is just a very small piece of Intune, and Intune is just a small piece of M365. There are definitely jobs out there in large enough organizations that just handle Intune, but I still recommend doing the greater picture of M365. Great money and very WFH-friendly technology.

# ? Jan 12, 2024 22:42
incoherent posted: No, there isn't any money there. Autopilot is just one (but big) step in your onboarding and offboarding lifecycle. You've still got to manage application lifecycles, identity, and information governance. Autopilot just took the bullshit of golden images for physical devices off your plate. (This very much goes for Macs now. You don't have to be afraid of them no mo'.)

Cyks posted: Autopilot is just a very small piece of Intune, and Intune is just a small piece of M365. There are definitely jobs out there in large enough organizations that just handle Intune, but I still recommend doing the greater picture of M365.

Thanks for the insights. I'm diving deep into Entra ID in my free time and trying to find another piece of the Microsoft stack to pair it with. My current gig is security-adjacent, so maybe Microsoft Defender and/or Sentinel? The end goal being interesting work and lots of money.

# ? Jan 12, 2024 22:57
Intune is part of the "Modern Workplace" loose branding that MS use to describe all their cloud-only endpoint stuff. There's definitely money there if you also get very good with Entra, so things like SSO integration, provisioning accounts into other applications, conditional access, etc.

# ? Jan 12, 2024 23:04
It was Intune before, and then Endpoint Manager, and now Intune is back as an umbrella over Endpoint Manager, I think. We give our MS rep about the constant rebranding all the time.

# ? Jan 12, 2024 23:10
Hughmoris posted: This is an overly broad question, but do you all feel there is money to be made specializing in Intune + Autopilot, or are you looking for the door?

The relevant job listing search string is probably "end user computing", but that's rarely broken out except at large enterprises, and compensation is typically going to lag behind other systems specializations.

# ? Jan 13, 2024 01:44
incoherent posted: Your company probably has like 7 SaaS not talking to each other, or poorly. Pivoting to owning your IdP with your devices and conditional access for devices is where you'll be going in the next decade.

Do you consider using Entra ID "owning your own IdP"?

# ? Jan 13, 2024 05:09
Cyks posted: Autopilot is just a very small piece of Intune, and Intune is just a small piece of M365. There are definitely jobs out there in large enough organizations that just handle Intune, but I still recommend doing the greater picture of M365.

Others already touched on this, but your ability to auto-provision and really seamlessly tune the end user experience from first user handoff will be greatly boosted by your skills in Entra and your understanding of the Azure way of handling identity.

# ? Jan 13, 2024 05:13
Potato Salad posted: Do you consider using Entra ID "owning your own IdP"?

There are very real organizations where siloed departments may have their own IdP for their identity needs for their SaaS apps. Entra is just one of many. My main argument is to get there first (it) with yours.

# ? Jan 14, 2024 21:14
What kind of bloatware are you all seeing from Dell? Ours come with Command Update, which isn't bad, and Office; that's it. We also have a CTG agreement, so that might put us in a different sales and delivery department. I give them under $500k/yr, but my sales team and support is pretty great.

# ? Jan 15, 2024 04:56
Silly Newbie posted: What kind of bloatware are you all seeing from Dell? Ours come with Command Update, which isn't bad, and Office; that's it.

Dell Optimizer, which is well documented for causing issues with M365 products staying connected/syncing. It's more malware than bloatware. I also replace the preinstalled Microsoft 365 with Microsoft 365 Apps for business/enterprise.

# ? Jan 15, 2024 13:25
Dell Optimiser is poo poo; all it does is break networking and audio by trying to be helpful. The latest batch of business machines we've had in also had Dell Digital Delivery popping up to remind people to check if they had software purchases with the machine, and 30-day trials of McAfee. The OEMs really do try their hardest to ruin the Windows experience more than Microsoft are capable of.

# ? Jan 15, 2024 14:50
Silly Newbie posted: What kind of bloatware are you all seeing from Dell? Ours come with Command Update, which isn't bad, and Office; that's it.

Cyks posted: Dell Optimizer, which is well documented for causing issues with M365 products staying connected/syncing. It's more malware than bloatware.

Thanks Ants posted: Dell Optimiser is poo poo; all it does is break networking and audio by trying to be helpful. The latest batch of business machines we've had in also had Dell Digital Delivery popping up to remind people to check if they had software purchases with the machine, and 30-day trials of McAfee.

Oh yeah, Dell Optimizer is well documented around the internet to break many, many things. I created an automation in our RMM to uninstall it when it's detected on one of our managed machines.

# ? Jan 15, 2024 17:01
Edit: Meh, my complaints are boring.

# ? Jan 16, 2024 02:13
Oh yeah, our poo poo quit coming with Optimizer, thank God. Took me like a loving week the first time to figure out why my tester laptop kept locking after 5 seconds (when I was out of frame for the webcam).

# ? Jan 16, 2024 06:17
Silly Newbie posted: Oh yeah, our poo poo quit coming with Optimizer, thank God. Took me like a loving week the first time to figure out why my tester laptop kept locking after 5 seconds (when I was out of frame for the webcam).

Lmaoooo, this was actually a ticket at my place last year; I remember seeing it pop up in the helpdesk queue. Luckily I'm not on helpdesk, so I got to see all the techs take a stab at it one by one until someone finally figured out it was Dell Optimizer.

# ? Jan 16, 2024 21:27
"Your audio quality is low, do you want me to keep reminding you of that for the rest of the call?"

# ? Jan 17, 2024 00:17
Glad I caught up on this thread. We have a couple of new laptops which have Optimizer, and people were wondering why some YouTube videos sounded strange. Turns out it's Optimizer's "Remove others' background noise" setting. Thanks, Dell!

# ? Jan 17, 2024 22:56
It's very rare I encounter software and my reaction is "did this ever get tested?", but Optimizer is one of them.

# ? Jan 17, 2024 22:57
I have a question about Conditional Access and MAM/App Protection Policy. I'm not sure if I have understood this properly, so here is a ton of detail:

- I've got an APP configured in Endpoint Manager, targeted to the Android platform, all apps on all devices. Quite basic: forces encryption and a PIN, prevents data egress. Assigned to a user group, test.user.CAfuckery, containing only my account. This works: the policy applies when I install Outlook Mobile on a phone and sign into it with my corp account. I have to install (but not configure/sign in to) Company Portal, and the restrictions are in place. Great, something worked.
- I've got a CA policy configured in Entra that targets the same test.user.CAfuckery group, All cloud apps, any device/any location/all client apps. Three controls apply: Require MFA, Require device to be marked as compliant, Require app protection policy, with "require one of the controls". Sign-in frequency is set to one day (I hate myself). Edit: I have tried "Require authentication strength: multifactor" instead of "Require MFA", same outcome.

This almost works. On my laptop (Entra-joined, Intune managed) I am not prompted to sign in every day because it is compliant, but on my phone(s) I am prompted daily for my password. It does not prompt me for a second factor (i.e. MS Authenticator), and in the sign-in logs (which are very easy to work with, thanks Microsoft) I can see the CA policy marked success because of the App Protection Policy being applied. What am I missing here? My guess is that Entra can't test for the APP being applied without using the Company Portal framework on the phone, and so it prompts for the password just to initiate a call via the management framework. Is that nonsense?

My ambition is to let people use managed solutions (compliant laptops, MAM-protected apps on phones) with minimal password/MFA prompting, while enforcing daily (maybe, we will see what I can get away with) MFA challenges on people trying to use their own equipment. Over time we want to block this, but gently gently.

tl;dr: why does APP not satisfy conditional access without prompting for password, am I stupid?

kyojin fucked around with this message at 13:30 on Jan 29, 2024

# ? Jan 29, 2024 13:28
Conditional access policies aren't actually checked until after you've successfully signed in, which in your case is by using a username and password. I recommend breaking out conditional access policies into multiple policies whenever possible. My MAM and MFA policies are separate.

Cyks fucked around with this message at 13:44 on Jan 29, 2024

# ? Jan 29, 2024 13:37
Cyks posted: Conditional access policies aren't actually checked until after you've successfully signed in, which in your case is by using a username and password.

Thanks. Do you therefore have a working MAM CA policy, and is it satisfied by an APP policy being applied without prompting the user each sign-in frequency period? I should add: if I complete my daily sign-in on Outlook on my phone then the Teams app is also satisfied (and vice versa), so it surely has to be something being brokered by Company Portal. Also, on one of my test devices I've signed into CP, but it behaves no differently to the others where I have not.

The only alternative I can see is using CA to block all apps except APP-capable apps, and then relying on the enforcement from Intune to apply the APP rather than requiring it in Conditional Access. The issue here is that I can't see a way to match the list of target apps I get in Intune > App Protection Policy > Apps to entries in the CA policy > Target Resources > Exclude Apps list. A random example would be "RICOH Spaces V2": listed in Intune as an APP-targeted app, but not available to exclude from the theoretical blanket-block CA policy. I haven't bothered testing with "require approved client app" as this is apparently being retired in place of "require App Protection Policy", which would make sense if the replacement worked.

I feel like I must have misunderstood something fundamental with my approach. I suppose the goal is to treat a MAM/APP connection in the same way as a compliant-device connection, so I can then apply a higher authentication burden to everything else.

# ? Jan 29, 2024 15:15
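Cyks's advice above is to split the one combined policy into separate MAM and MFA policies. The following is an added example in Microsoft Graph PowerShell of one such split, and is not code from either poster: a mobile-only policy that accepts an app protection policy or a compliant device, and a policy for every other platform that accepts MFA or a compliant device and carries the one-day sign-in frequency. Both are created in report-only mode so the sign-in log shows what each would have done before anything is enforced. It assumes the Microsoft.Graph module is installed, the caller holds Policy.ReadWrite.ConditionalAccess and Application.Read.All, and that $testGroupId is a placeholder for the pilot group's object id.

```powershell
# Added example, not from the thread: two separate Conditional Access policies
# created through the Microsoft Graph PowerShell SDK, both report-only.
# Assumptions: Microsoft.Graph installed; caller holds
# Policy.ReadWrite.ConditionalAccess and Application.Read.All; $testGroupId is
# a placeholder object id of the pilot group.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$testGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder

# Policy 1: Android and iOS only. Satisfied by an app protection policy on the
# client app OR a compliant (Intune-managed) device. No sign-in frequency here,
# so the MAM-protected apps are not re-challenged daily by this policy.
$mamPolicy = @{
    displayName = 'Pilot - Mobile: require APP or compliant device'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($testGroupId) }
        applications   = @{ includeApplications = @('All') }
        platforms      = @{ includePlatforms = @('android', 'iOS') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantApplication', 'compliantDevice')
    }
}

# Policy 2: every other platform. A compliant laptop passes silently; anything
# else must do MFA, and the one-day sign-in frequency applies only here.
$mfaPolicy = @{
    displayName = 'Pilot - Non-mobile: require MFA or compliant device, 1-day SIF'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($testGroupId) }
        applications   = @{ includeApplications = @('All') }
        platforms      = @{ includePlatforms = @('all'); excludePlatforms = @('android', 'iOS') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa', 'compliantDevice')
    }
    sessionControls = @{
        signInFrequency = @{ isEnabled = $true; type = 'days'; value = 1 }
    }
}

foreach ($body in @($mamPolicy, $mfaPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    '{0}  {1}  ({2})' -f $created.Id, $created.DisplayName, $created.State
}
```

Because each policy is evaluated on its own, the report-only result column in the sign-in log will show per policy which control satisfied it, which is the piece of information the combined policy hides. Note that under this split a personal phone using a non-APP-capable app satisfies neither control of policy 1 and would be blocked once enforced; keep it report-only until the log shows that is the intended population.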
~Coxy posted: Is there any way to get rid of an account in this list?

I finally got sick enough of this to write a userscript.

code:

# ? Feb 1, 2024 02:24
Is it possible to make a group in Entra and have a non-admin user add/remove members? I know that I can assign the user as an owner and have them approve membership requests, but I need to have the user add the members without having the members request membership, if that makes sense. Dang, I used the word 'member' a lot in that sentence.

# ? Feb 6, 2024 05:00
There's a whole bunch of fine-grained permissions you can use in a custom role: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-group-permissions

# ? Feb 6, 2024 05:17
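For the question two posts up (let a non-admin add and remove members of one group without making them owner), here is an added example using the custom group permissions from the linked page; it is not code from the thread. It defines a custom role carrying only microsoft.directory/groups/members/update and assigns it scoped to a single group, so the delegate gets nothing directory-wide. It assumes the Microsoft.Graph module is installed, the caller can create role definitions (Privileged Role Administrator or higher), the group is not role-assignable (that permission excludes those), and that the two object ids are placeholders.

```powershell
# Added example, not from the thread: a custom Entra role that allows only
# updating group membership, assigned to one user over one group.
# Assumptions: Microsoft.Graph installed; caller is Privileged Role
# Administrator or higher; $delegateUserId and $groupId are placeholder object
# ids; the target group is not role-assignable.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory'

$delegateUserId = '11111111-1111-1111-1111-111111111111'   # placeholder
$groupId        = '22222222-2222-2222-2222-222222222222'   # placeholder

# 1. Define the role with a single fine-grained permission. Nothing here grants
#    group creation or deletion, owner changes, or membership of any other group.
$role = New-MgRoleManagementDirectoryRoleDefinition `
    -DisplayName 'Group Membership Editor (single group)' `
    -Description 'Add and remove members of the assigned group only' `
    -IsEnabled:$true `
    -RolePermissions @(
        @{ allowedResourceActions = @('microsoft.directory/groups/members/update') }
    )

# 2. Assign it at the scope of the one group ("/<group object id>"), not at the
#    directory root ("/"), which would cover every non-role-assignable group.
$assignment = New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $role.Id `
    -PrincipalId      $delegateUserId `
    -DirectoryScopeId "/$groupId"

# 3. Review what was actually granted: exactly one allowed action, and an
#    assignment whose scope is the group id rather than "/".
$role.RolePermissions.AllowedResourceActions
$assignment.DirectoryScopeId
```

The delegate can then add or remove members through the portal or Graph with no approval step and without being a group owner, which keeps owner-level actions (renaming, deleting, changing owners) out of their reach. Re-run step 3 periodically or put it in a review script; a scope that has drifted to "/" is the thing to catch.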