Friday, 29 May 2015

Microsoft Intune - Create WiFi profiles with pre-shared keys for Android devices

EMS Landing page

I've just tested one of the new Intune features that was added in April's service update and it works really well. You can find full details of those features here

We have now been given the ability to create WiFi profiles with pre-shared keys (PSK) for Android devices. 

Previously when we created an Android WiFi policy the only available authentication options were Certificates or Username/Password. Now we can configure a WiFi profile with pre-shared keys using Android Custom Policies. 

So how do we do that. You can find a full description in this TechNet Library article

Use Android custom policies to manage device settings with Microsoft Intune

Lets have a go at this.

In the Intune Portal navigate to Policy > Configuration Policies. Click to Add a new policy.

Open the Android templates but, instead of choosing WiFi Profile, select Android Custom Policy.

Enter a name and description for the policy. See the section for OMA-URI (Add one or more OMA-URI settings that control functionality on Android devices). Those of us that work with ConfigMgr are already familiar with this concept on Windows Phone devices.

Click on Add - now the fun starts.

What is this all about? OK we have to enter a name and description for this setting. but what about the rest. We are given some guidance in the TechNet article.

Have a look at the data types. We will be using XML so we choose "String XML". 

The OMA-URI (which is case sensitive) must be the following format:

./Vendor/MSFT/WiFi/Profile/<Wi-Fi profile>/Settings

where <Wi-Fi profile> is a unique name for the profile.

What about the value? Microsoft have given us a template in the TechNet article. However we don't need it. We can generate our own XML file.

Here's a good tip from the field:

On your laptop navigate to


where {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} corresponds to the network adapter GUID. 

For every wireless configuration, there is a separate XML file with a random GUID as its name. 

 Open them up and have a look.

Here's one of mine. Find a profile that you want to deploy and open the XML file.

See the section:


This is the encrypted shared key. All you have to do is replace between the brackets with your shared key.....

....and paste the xml into the Value window. Click OK to save the setting.

Edit 29th May 2015:  

Johnathon Biersack has created a really cool XML Generator that we can use to create the XML file.

Download and read about this tool here

This is what is looks like:


 End of edit.

Save the Policy (Gerry WiFi Profile).

Choose Yes to deploy the policy now......

....and deploy to your Android devices. 

In time we get notification from the Intune Company Portal on the Android device that networks have been configured for the workplace.

There it is. Gerry WiFi profile is available for use. This is very slick.

Friday, 22 May 2015

An Overview of Azure RMS including custom templates

EMS Landing page

Simon May presented an excellent Microsoft Virtual Academy session yesterday. The session described and demonstrated Azure Rights Management Services. You can find the video in the Enterprise Mobility Core Skills section.

Azure Rights Management Services Core Skills Jump Start

The following areas were discussed:
  • Activating Azure RMS
  • Protecting the files your users share
  • Tacking and revoking usage of protected files
  • Building and managing templates
  • Integrating with on-premises services

This is the Microsoft description of that particular session:

Learn how to protect your organization's data with Azure Rights Management Services (RMS), and share securely inside and outside your organization. Plus, find out why information protection is a 100-percent "must have" for your organization, and get hands-on experience and technical know-how from Microsoft experts. 

Azure RMS looks like a really exciting technology. Have a look at some TechNet Library documents for some RMS details.

What is RMS

Activating RMS

As soon as the service is activated, you have two default templates that administrators and users can select to quickly and easily apply information protection to files. But you can also create your own custom templates for additional options and settings.

After I watched the session I dived right in to test the technology and it's really cool. Let's see what it looks like. It's so easy to configure and use. I've separated this blog into the following sections:

  • Activate RMS
  • Assign Licenses to user
  • Create RMS template
  • Use RMS template to protect email 

Activate RMS

Launch your Azure Portal and open Azure Active Directory.

Select "Rights Management".

Select "Activate". I have already Activated in the screenshot above. Note that you can also "deactivate" RMS if you wish. You are now ready to assign RMS licenses to users.

Assign RMS Licenses to users

There are two ways to do this.

Assign licenses associated with your Office 365 subscription...... or..... can assign your Enterprise Mobility Suite (EMS licenses). Just drill into the EMS license.....

.....and add the required users.

Create RMS Template

OK. let's get started. Open Rights Management again and select your organization.

 The "Getting Started with Rights Management" wizard is launched. Choose to create a new template.

Choose your language and enter a name and description.

The template has been created. Now choose to "Manage templates". 

See the default templates and the custom template that we created. Select the new template for configuration.

Choose "Configure rights for users and groups".

Click "Get Started Now".

Select the users or groups that will be allowed to use the template. Note that Groups must be mail-enabled to be available for selection.

I've chosen some test users.

Now we must assign the required RMS rights to our users. You can choose one of the pre-configured roles (or create a custom role) 

Viewer: View, Reply, Reply All

Reviewer: View, Edit, Reply, Reply All, Forward

Co-Author: View, Edit, Copy, Print, Reply, Reply All, Forward

Co-Owner: All Rights

Custom: Assign Right Individually

I've chosen Custom this time as I want to see how securely I can send emails. 

I've chosen the very minimum here. I just want the recipient to be able to "View Content".

Now select Configure so that we can publish the template. Click to Publish.

We can configure other options like "Content Expiration" and "Offline Access".


The template status is now "Published". We're not quite finished yet. I have to refresh the templates so that my users can see them. I'm testing with Outlook Web App so I need to use PowerShell.

Launch Azure PowerShell and connect to your subscription. Execute the following command to refresh the templates:
Import-RMSTrustedPublishingDomain -Name "RMS Online - 1" -RefreshTemplates -RMSOnline 

Verify that the template has been added:

Get-RMSTemplate -TrustedPublishingDomain "RMS Online - 1" -Type All

Finally, for each imported template that you want to be available in the Outlook Web App, you must use the Set-RMSTemplate cmdlet and set the Type to Distributed

Set-RMSTemplate -Identity "<name of the template>" -Type Distributed 

To refresh templates for Office 2013 users: 

Office 2013 refreshes templates every 7 days by default. You can speed that up by using a registry editor and deleting the data for the LastUpdatedTime value 

HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\MSIPC\<MicrosoftRMS_FQDN>\Template 

Restart your Office applications

Users will see new template immediately. 

To refresh templates for Office 2010 users: 

Just log off and back on again.

Use RMS template to protect email.

Now we come to the business end. What is the experience like for users?

A user creates a new email and chooses Options > Set Permissions. See all the available templates (including my custom template).

I've chosen the custom template and the email can be sent.

The recipient gets the email and can only view the content. This is really cool and highly secure. Note that any attachments would be "rights protected" also. Test some scenarios and see what you think.

Remember that I was testing here using Exchange Online. If you use Exchange On-premise you must install the RMS Connector. I'll be reviewing that shortly.

In my next blog I'll be having a look at the RMS Sharing App and RMS Document Tracking.

Thursday, 21 May 2015

Microsoft Intune App Wrapping Tool for Android

EMS Landing page

The Intune App Wrapping Tool for Android has just been released. It was announced on the Intune Team Blog a few days ago. I've been waiting for this as I manage a lot of Android devices (the Intune App Wrapping Tool for iOS was released way back in December).

Have a look at the blog to see the new features announced.

Summary of new features (some nice new Android items)

  • Ability to extend application protection to your existing line-of-business apps using the Intune App Wrapping Tool for Android
  • Ability to assign help desk permissions to Intune admins, filtering their view of the Intune admin console to only provide access to perform remote tasks (e.g. passcode reset and remote lock)
  • RSS feed notification option added for Intune admin to subscribe to be alerted when new Intune service notifications are available for their service instance
  • Improved end user experience in the Intune Company Portal app for iOS with step-by-step guidance added on how to access corporate email by enrolling for management and validating device compliance
  • Updated Intune Company Portal app for Windows Phone 8.1 to provide enhanced status notifications for app installations
  • New custom policy template for managing new Windows 10 features using OMA-URI
  • New per-platform mobile device security policy templates for Android, iOS, Windows, and Windows Phone, in addition to new Exchange ActiveSync policy template
  • Ability to deploy Google Play store apps that are required/mandatory to install on Android devices

I previously blogged about Mobile Application Management with Microsoft Intune. You can find this blog here

This introduced the concept of Intune Managed Apps and showed that you could create Managed App policies to govern and control your apps to prevent data leakage. You may want to look at that before we start.

So, what's great about this wrapping tool. Up until now we could only deploy Managed Apps for Android that Microsoft made available for us in the Google Store (Word, Excel etc). But what about our own Line of Business Apps? That's what the Intune Wrapping Tool for Android can do for us. It can turn any in-house developed apk file into an Intune Managed App.

Let's see it in action.

This is a typical apk file being uploaded to Intune.

There is very little control. You can select the groups to deploy the app to.....

.......and select the deployment action. Now let's turn this apk file into a Managed App and see the difference.

These are the basic steps. You can find this information in the TechNet Library

Prepare Android apps for mobile application management with the Microsoft Intune App Wrapping Tool
  • Install the latest version of Java Runtime Environment
  • Install the Intune App Wrapping Tool
  • Wrap an app
  • Add the app to Intune and deploy

Install the latest version of Java Runtime Environment

Install latest version of Java Runtime. Download it here

Verify Environment Variable has correct path (C:\ProgramData\Oracle\Java\javapath)

Install the Intune App Wrapping Tool

Download the Wrapping Tool

InstallAWT.exe is the file we need. Install the Tool.

This is the default installation folder. Make a note of it.
(C:\Program Files (x86)\Microsoft Intune Mobile Application Management\Android\App Wrapping Tool)

Wrap an App

Ok. We have installed the tool. What's next. We will use PowerShell and Import the Wrapping Tool module. Then we will wrap the App. The TechNet library document tells us the commands to use: 

Import-Module "C:\Program Files (x86)\Microsoft Intune Mobile Application Management\Android\App Wrapping Tool\IntuneAppWrappingTool.psm1"

Invoke-AppWrappingTool –InputPath <input-app.apk> -OutputPath <output-app.apk> -KeyStorePath <path-to-signing.keystore> -KeyAlias <signing-key-name> -ClientID <xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx> -AuthorityURI <http://AzureActivieDirectory.Authority.URL> -SkipBroker<$True|$False> -NonBrokerRedirectURI <urn:xxx:xx:xxxx:xx:xxx>

Wow. The first command looks OK but I don't like the look of the second one. However it's nothing to worry about. Most of the parameters are optional.

This table describes each parameter. We actually only need the Input and Output paths. This is my command 

Invoke-AppWrappingTool –InputPath C:\Ergo\APK\Notepad.apk -OutputPath C:\Ergo\APK\Intune_Notepad.apk

I execute my command........

......and here is the resulting Managed App. This is very easy to do.

Add the Managed App to Intune and deploy

Now let's upload the Wrapped App to Intune and we will see the difference.

It looks the same at this point.

See now though. Intune tells us that this is a Managed App and that we can apply Mobile App Management policies to it.

We have additional options now. We can choose to apply the MAM policy. This is a huge step forward for Android device management with Intune.