Hello everyone!

We use Google Workspace for corporate email and Microsoft Intune for managing corporate devices. Management has tasked us with restricting access to Google Workspace applications for all devices that are not managed (not enrolled in Intune). I know that Conditional Access exists, but it works well if you have a unified Microsoft ecosystem. I also know there's a product called Google BeyondCorp Enterprise, which is now apparently called Chrome Enterprise Premium, but the documentation doesn't mention mobile devices (iOS/Android) or Linux, only macOS and Windows.

Is there any solution that would allow us to block access to Google Workspace applications for devices that are not registered in Intune?

Thank you!

Hey folks, got a strange one. All of our iPhones have suddenly started failing Intune enrollments after about 30 problem-free ones. We're in the middle of moving from Invanti's MDM and the process until about a week ago has been extremely easy: Retire device from old MDM, wipe, swap to Intune in ABM, sync it over, sign in, done. Now all of them, regardless of what network you use, what device you use, who's trying to sign in, etc., hit an error message saying the profile couldn't be applied, service is unavailable. They get to the Microsoft sign in without issues, MFA prompt is just fine, then it soft locks them at the error screen. Can't start over, can't try again, they have to be restored.

Nothing has changed as far as the policies for enrolling them, and the security team says they haven't changed anything in conditional access. Microsoft support wanted console logs from a phone plugged into a Mac during the sign in process, but it absolutely stopped generating logs as soon as the MS sign in part started. Anyone have any thoughts or ideas? Searching for the error online (service unavailable) comes up with nothing.

I have 4 machines showing in entra as registered and joined. The joined version of the device is joined with a package, the registered version is by a user. However, none of these devices receive updates via Intune whether it's apps or configurations. Is the best way to get them properly joined to remove the current account off of the computer and then join properly or is there another way? Also want to make sure there is no data loss is it ok to backup appdata to retrieve things like chrome cache etc?

Is endpoint analytics the only way to accomplish this in Intune? If someone has a better idea or better way please share?

I know the real answer to this question is 'don't let users install webservers on clients' but I really want to know what can be achieved with policies and firewall rules.

Imagine a situation where an employee installs software on a client that runs a webserver. It takes HTTP requests on a port unknown to the administrator. Some will listen on default port 80, but others will move to 8080 and in reality the person installing the webserver will usually be able to pick the listen port.

Is it possible to make a rule in Windows Defender firewall or a policy or configuration profile that says something like 'block all incoming HTTP requests for new connections (we don't want to block outgoing requests) regardless of port.'?

If you don't know the port that users are running a server on but you don't want to allow clients to accept new incoming HTTP requests, how can you handle it?

I've been on Autopilot (hehe) when performing these offboarding tasks. I even recently went through the process, gave a fresh start signal, took away the license and finalized the process. Afterwards, I checked Intune and our RMM tool to confirm the device was offline.

Now, there's another user I've had to offboard but the fresh start will occur at a later point in time and I've already taken away the license and deallocated it. I wonder if I should've kept it assigned?

I guess I'll see this week, but if someone already has the answer for me I'd be happy to hear it. When it comes to the first situation, I cannot for the life of me remember in what order I did my tasks. All I can remember is that I did not wait for the reset to be completed to finalize the offboarding.

My guess at this time would be that it would need to be attached to receive the signal but then I'm free to take it away immediately as the process starts?

I need to be clear, this is not all or every but some. I am straining my brain understanding why mdm is strictly, strictly unremovable without going to the source installer. I understand ownership of device, thefts from employers -ok.

But who believed that there would never be a problem with this? It allows the sysadmin to carry alot of power when it comes to provisioning and releasing, especially on personally owned devices.

What if you have a personal device that was provisioned and the employee leaves under difficult circumstances and the device is not taken off of Intune? No matter what the employee does he can never remove it, because of the tension between them the device is forever stuck with management on it? Seems pretty unprofessional to me. But who decided that every admin would be professional? There are rogue employees, and to be given that control over someone and a device they paid for, seems like teasing a monkey with a banana that they went up in the tree and picked themselves.

I think Microsoft should provide an option for people in this situation where your past employer just will not remove their ties to you and allow you to remove the device.. such as having a receipt of purchase or some other route for proof, but I think it's a big flaw in the management capabilities that it's permanently glued to the current Intune tenant unless they themselves remove it.

I have about 50 phones that my predecessor ingested as Personally Owned Work Profile in his infinite wisdom. As such we have basic management on these phones and I require the ability to Wipe them. Is there any way that does not require a reset of the phone to convert these to other management/enrollment types?

With the release of attestation for passkeys in Authenticator for mobile, I wanted to get this out today because people are trying to figure it out. We are going to dig deep into how attestation works on iOS, the code behind the BT connectivity and more!

https://mobile-jon.com/2024/11/01/deep-dive-into-microsoft-authenticator-passkeys-for-ios

I know this is anti typical security. But in our use case it is a requirement. Is there a way to deploy a policy that would bypass the login screen when the computer boots up?

We want to land right on the desktop and startup apps without touching the computer/using the GUI

Thanks in advance

Looking for options here.

Org is primary Google Workspace, they federated with Entra ID so that they don't maintain two identities (best practices and fair ask)

Autopilot fails because after the initial sign in via GWS, no local account is created. User will get kicked out to a lock screen 'Other User' after autopilot and can go no further

Windows 11 Edu can have web fed for sign in, but no other SKU can do that currently.

What are my options for autopilot? Breaking idP federation is not an option.

Hi all,

I was thinking to package different iterations of office for users:

• office standard - includes word/excel/ppt/outlook/access
• office standard + Visio for the Visio people
• office standard + project for the project people
• office standard + project + Visio for the people that require it both

I feel like this is a dumb way to do it but I’m keen to hear your thoughts.

I’ve inherited a previous MSP’s configurations and we are having failed office deployments that is slowing down the device build/autopilot process.

Also how would you package it? Using config.office.com to do so or using m365 apps?

Thanks heaps

A few weeks ago we enrolled a few dozen Android phones to Intune. They're all reporting successfully and working correctly.

We have a compliance policy assigned to the devices and we've confirmed that the group it is assigned to contains the correct devices, but it's not applying to any of them and they're all remaining non-compliant.

I am completely at a loss on how to correct this.

Hi all, our org is migrating Entra joined Autopilot devices to a new tenant using Intune Device Migration. This has been working well, but occasionally the user’s profile gets corrupted post-migration. Our users are synced from on-prem AD (same on-prem domain, different M365 tenant).

Symptoms include a black screen after login for several minutes, and the Start Menu and Windows/MS apps are no longer functional. Attempting to recreate the user profile by renaming the user folder and deleting the SID from registry locations (ProfileList, IdentityStore, etc.) results in the same issue after rebooting and logging in with the same user account again.

Local accounts and other Entra accounts can log in just fine, and can even be recreated using the method described above. Only the original user account is unable to log in or be recreated on the device, and wiping has been our only option. This is happening on both Windows 10 and 11 physical devices and VMs, and also happened with a couple of different migration tools we tried (ProfWiz and Quest On Demand).

I know this isn't really an Intune issue, just curious if anyone else has run into a similar situation...

Hi, newbie to intune here and having an issue with deploying 3rd party apps to Surface SE devices, Apps such as Google Chrome, Zoom, VLC etc. Apps were working fine up until last week I now receive the error "This app won't run on your PC" no changes were made to the system. We have 22 devices and the issue is on all devices and all user accounts.

Thanks

We have 10 different Rings to control rate and for testing. Of course those systems in the early rings are also in a later/last rinr. The last ring includes a group of ALL systems, sort of a catch all. So many of our systems show a Conflict as it knows it's in multiple Rings. Does this break anything? Does the system know to grab updates in the early rings>

Hello all. Two parts to this.

1. I've been asked to block saving passwords on the following platforms and browsers. The goal is that passwords will be saved to a password manager (not yet selected).

Platforms:

Windows, macOS, IOS and Android

Browsers:

Edge, Chrome and Firefox

2. Clearing existing passwords already saved in the password managers of the above supported platforms and browsers. Also note, that some browsers will cloud sync meaning that clearing out the password may work but can be pulled down again from the cloud.

Fully loaded post i know but just trying to capture it all. thank you.

I have successfully set up Microsoft Tunnel and everything seems to be functioning well. It works perfectly with iOS. However, I am encountering an issue with Android devices. While the tunnel connects successfully, the DNS does not function as expected.

If I use an IP address, the webpage loads without a problem, but when using a fully qualified domain name, it fails to do so. Furthermore, once the tunnel is up and running, the DNS does not work for other webpages either.

We only utilize IPv4 in our operations, but I've noticed from the logs that IPv6 is being selected instead. The ocserv logs state: "Enabling IPv6 routes/DNS although the agent is unknown."

Upon doing a tcpdump, I observed the server requesting DNS resolution for both IPv6 and IPv4.

Has anyone encountered this issue before? If so, could you possibly propose a solution?

Hybrid setup with 40 users and about a dozen VM's/servers. We've done autopilot, defender, config policies, WHfB, app deployment, mfa, CA policies, windows updates. I'm trying to find something relatively easy or with good documentation that can benefit everyone or our overall security.

Has anyone done a lift and shift out of scalefusion? Wondering if there is any way to copy/export device profiles and save to upload into Intune

So, we use Intune at work, and we want to manage BYOD iphones. We also use Google Workspace for Docs, Sheets etc. With that in mind, I want to manage the Google Drive App on the individuls iphone. BUT the user already has drive installed for personal stuff. How can we manage the corporate side, and not the personal side. So when we manage the app, it works as we want to, you can't download files to the phone, but because we manage the whole app, you can't do that with personal stuff either.

The same is true with the GMail App, we can manage the app, but if a user has that app set up for their personal email, we don't want to manage that. Any thoughts?

thanks in advance

Andy

Hi.

I have a user which has our general HQ printer deployed to his PC, like his other 400 colleagues. The printer status is installed, but do not work. At this point i have tried a lot of stuff to fix it, deleted reg keys, drivers, ports etc. and nothing seems to work. The Printer is installed on our print server with the connector and deployed with an Intune policy.

Does anyone have an idea on how to remove the printer so it can be reinstalled?

So Microsoft just dropped standalone Connected Cache requiring E3/E5 + WSL. How are you handling this in your device management setup? Reactions? Tips?

Hi all,

I want to create a group with people who have a laptop that is enrolled in InTune.

We are migrating to managed devices but still have 600+ laptops that are unmanaged.
I want to create the group so the users with a managed device get additional apps and a different Conditional acces policy.

We already have a Dynamic device group with all enrolled laptops. Is it possible to make a query to read all the UPN's from those laptops or is there a better way to do this?

Hi All,

Totally inexperienced with Intune. Just want to know if we can deploy multiple configuration profile to the same machine?

In my case, I have a profile that are currently running and pushed to our MacOS endpoints that have the needed policy and specific PPPC payload granting some permission for our current endpoint management application to run.

We are looking to migrate our endpoint management solution and testing a new solution and it will require the setting up of a new PPPC for it as well.

In your opinion and the correct behaviour of how macOS Intune policy works, what the best way to achieved this without disturbing the old profile. Do I just add the new PPPC for my new solution to work into the current profile?

Or its possible to create a new profile and have its pushed to the endpoint to work along with the old profile? Appreciate all the helps here.

PS: I work as an MSP for my client and did not have access to their Intune administration, just want to correctly understand the bahaviour before I stupidly ask things out over for them to configure. lol.

Current Setup while trying to get MAM to work

CA policy setup: iOS and android included

Grant access and require app protection policy

Targeting Office 365

App Protection policy for iOS

There is no longer an option to do unmanaged devices

We have lots of managed device which I do not want to get this policy as they are already managed by us

When I got to add groups(have a group for all users), I did setup a filter for all devices with corporate tag or personal tag in tenant administration but it does not show up under filters when I go to filter app protection policy. Trying to filter any devices that are personal or corporate as we do not want restrictions on them as we want on unmanaged ones.

Personal ones are not really personal devices they are almost completely managed by us they are in a diff country and we do not have ABM setup for it.

Please let me know what is the best way to handle this and if App protection policy is not best case scenario then can someone direct me to an article for BYOD personal devices for both android and iPhones that I can go through once. We do not mind managing it as we do not have that many users

Hello fellow sysadmins!

I'm tying to get some Honeywell CT60 scanners setup in Intune and the only thing I can't get done is to auto-deploy the wifi. Am I just trying to accomplish something impossible?

I have an enrollment policy for Corporate-owned dedicated devices, a configuration profile for device restrictions and one for wifi, and a compliance policy. A dynamic group where the devices appropriately get placed into is also present. And I've verified that these devices are running at least Android 8 and are GMS capable.

My brain says: since the wifi isn't in the QR code, you'll need a manual wifi connection to finish the enrollment. (But my brain is also cooked as it is late in the day.)

Thanks in advance fellow sysadmins!

I never noticed it until today, but my first device I enrolled to be Entra Joined doesn't look to be setup correctly. I should mention the user hasn't had any issues on his machine accessing apps, on-premise shares, etc.

I only noticed this because "Recovery keys" was greyed out. I then was finding in Entra it would say it's not N/A for not compliant and no owner. The list goes on. One page says there is no Recovery Key for Bitlocker and another shows me the key (same goes for the Local Administrator password).

When looking at the device in Intune the Intune Device ID and Entra Device ID are identical.

Is there a process to remediate this without having to start anew?

Hey all,

I’m having a problem with distributed IT units deploying Apps to devices they do not manage. Apologize in advance if this is confusing.

I belong to an organization that has multiple IT units that manage their own devices but everything is housed under one EntraID tenant and a single Itune tenant. 

We have a custom role for each department that includes the IT admins as members of the admin group (e.g. DeptB-Admins) with the proper scope tags (DeptB), and includes the ‘Scope(Groups)’ for their associated device groups and their custom made groups:

• ‘DeptB - All Devices’ 
• ‘DeptB - Groups’

The two groups are the following:

• ‘DeptB - All Devices’ == Dynamic Group that contains all devices with the computer name with a “B”. These devices are managed by DeptB.
• ‘DeptB - Groups’ == Assigned group that contains any group created by the Departmental IT administrator. This allows the IT Departmental Administrator to create their own collections of devices they can manage within Intune.

Departmental IT can create/deploy Applications with their department tag (e.g. DeptB). Departmental IT can ALSO deploy applications that are distributed from central IT that have a special scope tag called ‘Common’. These are applications that are managed by central IT but we allow departmental It to distribute where necessary (e.g. 7zip, etc).

We assigned each Department Technician the ability to only view the devices within their Department (e.g. DeptA or DeptB).

We know all the devices are being properly tagged with the correct scope tag since we can view that under the properties of the device.

What is working properly:

• An administrator can only see the devices that have their associated TAG within Intune.
• A departmental IT can view and assign Applications with the scope tag ‘Common’

What is our problem:

• We allow departments to create their own Security Groups that CAN include devices that they do not manage. For instance DeptA IT Tech can create the following Device Group.
  • DepartmentA-ComputerGroup-1:
    • ComputerA-1 (Scope Tag: Dept A)
    • ComputerB-1 (Scope Tag: Dept B)
• When the technician deploys an application with the ‘Common’ scope tag to the group above (‘DepartmentA-ComputerGroup-1’), the application will be deployed to  ‘ComputerB-1’ - although the user does not have visibility to ‘ComputerB-1’ due to the scope tag.

Question:

• Is there a better way to limit the IT administrators ability to deploy applications (or anything) to devices that do not include their SCOPE tag? Our organization has been slowly using Intune and are still trying to determine the best path forward to allow each department to manage their own devices.