Friday, 28 August 2015

Deploying iOS Custom Profiles with Microsoft Intune

EMS Landing page

Microsoft Intune is an excellent tool for managing mobile devices (Windows Phone, iOS and Android). We are given many options for deploying configuration settings to these devices. However, occasionally, we can encounter a requirement that is not supported natively. I had two such requirements today.
  • deploy WPA2 Personal Wi-Fi profile with password to iOS device
  • deploy Cisco IPSec VPN profile to iOS device
Intune does not give us options to configure these specific settings, but it does let us import a custom iOS profile and deploy it to devices. Great, I could easily create a custom profile using the Apple Configurator tool. This tool can only be used on a Mac, and the current version is only supported on OS X version 10.10.3 or later.

Launch the configurator tool.

"Prepare" is selected by default. We don't need to enter a name here. We are not provisioning a device. We only want to create a custom profile.

Turn "Supervision" on and click the + to "Create New Profile".

This will be our new iOS profile. In the General tab enter a name and description for the profile.

Open the Wi-Fi tab and click to Configure.

Enter the SSID, Security Type and password.

Open the VPN tab and click to Configure.

Enter a name for the connection. Select the "Connection Type". Note that there are quite a few to choose from here.

Enter the Group Identifier and Shared Secret. Save the profile.

This is the saved profile. Select the arrow to export it.

Save the profile and give the file a sensible name.

It is saved with a .mobileconfig extension.

Have a look at the contents of the file. It's just XML.
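Because the exported file is plain XML, the Wi-Fi password and the VPN shared secret travel inside it in readable form, so it is worth checking what a profile carries before uploading or sharing it. The script below is an added example, not part of the original post: it parses a profile with Python's plistlib and reports which payloads contain secret-bearing keys without printing the values. The sample profile is constructed, and its SSID, group name and secrets are placeholders.

```python
import plistlib
# Constructed sample: a minimal profile with the two payloads this post builds.
# SSID, group name and secrets are placeholders, not values from the post.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>ExampleSSID</string>
      <key>EncryptionType</key><string>WPA2</string>
      <key>Password</key><string>placeholder-wifi-password</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>VPNType</key><string>IPSec</string>
      <key>IPSec</key><dict>
        <key>AuthenticationMethod</key><string>SharedSecret</string>
        <key>LocalIdentifier</key><string>example-group</string>
        <key>SharedSecret</key><data>cGxhY2Vob2xkZXI=</data>
      </dict>
    </dict>
  </array>
</dict></plist>"""

SECRET_KEYS = {"Password", "SharedSecret"}  # keys used by the Wi-Fi and IPSec payloads
def find_secrets(node, path=""):
    """Return paths of secret-bearing keys; values are never returned."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if key in SECRET_KEYS and value:
                hits.append(here)
            hits += find_secrets(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits += find_secrets(item, f"{path}[{i}]")
    return hits

def audit_profile(raw):
    """Map each payload's PayloadType to the secret keys found inside it."""
    profile = plistlib.loads(raw)
    return {p.get("PayloadType", "?"): find_secrets(p)
            for p in profile.get("PayloadContent", [])}

if __name__ == "__main__":
    for ptype, secrets in audit_profile(SAMPLE_PROFILE).items():
        print(ptype, "->", secrets or "no embedded secrets")
```

To check a real export, read the .mobileconfig file in binary mode and pass its bytes to `audit_profile`.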

Now we will import the custom policy in Intune. Navigate to Policy > Configuration Policies. Click to Add a new policy.

Choose iOS > iOS Custom Policy and select "Create Policy".

Enter a name for the policy and a name for the profile which will be displayed to users.

Browse and choose the .mobileconfig file. The XML is displayed.

Choose to deploy the policy now.

Choose the group you want to deploy to.

We can now wait for the policy to get to the device or force a policy sync.

Our policy has been received. Open the policy.

Have a look at "More Details".

We can see the WiFi and VPN profiles.

This is the VPN configuration on the device.

The Apple Configurator tool allows us to deploy configurations to devices via Intune even though these configurations are not natively available with Intune.

Sunday, 9 August 2015

Encourage users to enrol their devices with Microsoft Intune


One of the most difficult challenges we face as Intune Administrators is how to get users to enrol their devices.
We hear all the time: What's in it for me? Why should I? It's my personal device and it's private.

We can, of course, force users to enrol by configuring conditional access and preventing access to Exchange and SharePoint services for users that do not enrol. However, encouragement and gentle persuasion are often a better strategy. It will certainly make you more popular with your users.

Recently Microsoft published a helping hand with the "Microsoft Intune End User Enrollment Guide". It's a professional-looking two-page document that you can send to your users explaining the importance of protecting corporate data. It explains what may happen on their device and what will not happen on their device, thus alleviating any privacy fears that they may have. The guide also contains high-level steps for enrolling the various device types.

The document is really slick and totally customisable. You can change text and add your own company branding.

Download the document here

The zipped package contains Release Notes and the guide in Word, PDF and Adobe InDesign formats.

This is an extract from the guide:

"You are an important part of keeping our corporate data and resources protected. Here’s how you can help: enroll your phone or tablet into Microsoft Intune. Once you enroll, you will be able to continue using your mobile phone or tablet to get your work done, and IT will be able to manage limited aspects of your mobile device to keep us protected. You will not lose access to personal apps and data or need to manually configure company network or email connections. And don’t worry! All your private stuff is still for your eyes only".

This is what it looks like: