Simon May

Client and cloud

  • Azure Remote App Questions Answered

    The Azure Remote App Jump Start that we ran a few weeks ago generated lots of really great questions, just like they always do. As promised, here are the questions that we received during the Jump Start, answered for your reading pleasure. If you’d like to read the questions from the Azure AD, Microsoft Intune or Azure RMS Jump Starts, you can, and in just a couple of weeks’ time we have the Windows 10 As A Service Jump Start, which will lean heavily on some of the core skills developed over the past few months during these jump starts. You can also view the Azure AD and Microsoft Intune jump starts online now, and the Azure RMS and Remote App episodes are just days away!

    Let’s get to the questions and answers…

    Question: Can a user only be assigned to one RemoteApp collection, and can a collection only have one template image? How can a user access two different template images? I have a scenario where I have two applications that cannot be installed on the same computer. Is my only choice to try App-V virtualization?

    You can contact support and ask them to enable the user to be assigned to multiple collections. You may want to consider using App-V regardless so that you can reduce your monthly cost.

    Question: The hybrid collection requires a vNET. Can we use our existing vNET?

    Yes, you can use an existing Azure VNet.

    Question: Are there any criteria I must meet to use the cloud and my existing network equipment simultaneously?

    There are two deployment types in Azure RemoteApp: Cloud and Hybrid. Hybrid can connect to an existing AD DS and to apps that authenticate with Kerberos, using Azure VPN or ExpressRoute. Of course, in both “Cloud” and “Hybrid” you are using the cloud for your remote apps.

    Question: I would like to know how you would handle an Azure RemoteApp app collection with a MySQL DB. Can I do this with a cloud deployment, or does it have to be a hybrid deployment?

    You should be able to use a cloud deployment. You will need to enable the appropriate endpoints on your MySQL VM; of course, this assumes that your MySQL VM is in the cloud and is being connected to over HTTP.

    Question: Utilizing external data for RemoteApp – for something like Sage50 which needs a file share, where would we store that data in Azure?

    You could store that, for example, in an Azure VM in IaaS and have it connected to the same Azure VNet as your Azure RemoteApp collection, or you could connect that same VNet to your existing on-prem deployment for the file server using Azure VPN or ExpressRoute.

    Question: Can we use web based applications using Azure?

    If you mean publishing a web based application as a RemoteApp? Yes, you can. Simply publish Internet Explorer as a RemoteApp and provide the URL as a parameter.

    Question: Can we publish multiple Internet Explorer instances with different URLs?

    Yes, that is possible.

    Question: Is there a solution for publishing 16-bit or 32-bit applications?

    16-bit applications are not supported. 32-bit applications will normally work fine, provided they are compatible with a 2012 R2 RDSH multi-user environment.

    Question: Can we deploy Hybrid Remote App and access our on-premises network folders as well?

    Yes, that is definitely possible!

    Question: Can you have a hybrid deployment, and an in-cloud only deployment in the same tenant?

    Yes, you can create multiple Azure RemoteApp Collections of different types within the same Azure Subscription.

    Question: Do you support Linux in Azure RemoteApp?

    Currently there is no Linux client. But we have seen this request come up. It’s an actively voted item on the Azure RemoteApp feedback site. It’s under review now. Also see: http://feedback.azure.com/forums/247748azure-remoteapp/suggestions/5950717-add-linux-support

    Question: How many users are assigned to a VM instance for a RemoteApp?

    There is a maximum of 16 concurrent users per RD Session Host in case of the basic plan and a maximum of 10 concurrent users per RD Session Host in case of the standard plan.

    Question: How can we upgrade our application in Azure RemoteApp once it is published?

    To upgrade the application, you upgrade the application in the Template Image and update the Azure RemoteApp Collection based on the new template image.

    Question: Can we integrate Microsoft App-V with this solution to stream applications and publish them through RemoteApp?

    Yes, App-V is supported on the Hybrid Azure RemoteApp collection.

    Question: Can I use a cloud or existing virtual machine as the template for my RemoteApp collection?

    Yes, please see this article: https://azure.microsoft.com/en-us/documentation/articles/remoteapp-image-onazurevm

    Question: Is it possible to use GPOs with the remote apps, i.e. from an Azure hosted AD or on-premises?

    Yes, in a Hybrid scenario the RD Session Host servers that Azure RemoteApp provisions become member servers of your on-premises domain, so you can re-use your existing GPOs, login scripts etc.

    Question: If the user closes the application, will this go to disconnected session or log off?

    It will go to disconnected and stay there for 4 hours.

    The post Azure Remote App Questions Answered appeared first on Enterprise Devices + Infrastructure.

  • Upcoming Jump Start: Azure RMS Core Skills

    Protecting your organizations data is something that should be top-of-mind for every IT person out there. It’s not something that is just the job of the CSO or the folks in the security team, but if you are in that team it is absolutely something you should be thinking about. It’s what I would term a “core skill” that you need on your resume for the future.

    That’s why I’m really excited to bring you the third installment of our Enterprise Mobility Core Skills Jump Start series this week, focused on Azure RMS.

    This Jump Start will focus on the following key areas:

    • Activating Azure RMS
    • Protecting the files your users share
    • Tracking and revoking usage of protected files
    • Building and managing templates
    • Integrating with on-premises services

    Of course I won’t be delivering this alone: Dan Plastina (@theRMSguy) will first help me help you understand why Azure RMS is so important to your organization. Then, for the rest of the session, Carol Bailey, the amazing technical writer behind the Azure RMS documentation, and I will help you get the core skills you need to start protecting your organization’s information.

    You can sign up for the event, running Thursday, May 21st at 9am PST right here. You can watch the previous episodes in the series on the same page too.

    Thanks and we look forward to hearing your questions on the live Q&A!


  • Your questions answered from the Azure RMS Core Skills Jumpstart

    Last week we broadcast the Azure RMS Core Skills Jump Start live on Microsoft Virtual Academy. The on-demand version will be up soon. As always there were lots of questions and we have lots of answers! Here’s a summary of those questions (answered by Dan Plastina, Carol and myself).

    Question: I have experimented with Exchange transport rules (Office 365) to apply RMS policies automatically to messages as they are sent externally. Unfortunately they aren’t able to be opened by @gmail, @outlook.com, etc. because of a requirement for Outlook desktop. Am I doing something wrong?

    Answer: No. Social ISPs like Gmail and Outlook.com are not supported currently.

    Question: What are the benefits of Azure RMS in an SMB environment, and what is the best way for a business to dip its toe in the technology?

    Answer: You can just create a small test environment and create a 30 day Office 365 test tenant here: http://office365.com

    Question: another one! If I RMS protect a SharePoint document library, then I share a link to a document in the library, what RMS rules apply? (I haven’t experimented with this one yet).

    Answer: The document library applies whatever you define as policy for that library. Access to the library is based on SharePoint permissions to that library. We also cover this specifically in the Jumpstart in module 3.

    Question: SharePoint Online with O365 E3 license: Before I turn on RMS on a document library I can create documents in the library using the browser. After I turn on RMS on the document library the only thing I can do in the browser is upload a file. Is this correct behavior?

    Answer: The Office Web Apps don’t currently support Rights Management, so when you enable it for a library it’s intelligent enough not to let you create a document that you’ll not be able to edit later in the browser.

    Question: Can I use Office 365 email encryption (via a transport rule) along with RMS when sending to external users? It doesn’t seem to work for me.

    Answer: You can use either OME or RMS; they cannot be used in addition to each other currently.

    Question: Where do I find a comparison between the Azure RMS features provided by the different subscription options (Office 365, EMS, and Azure RMS standalone)?

    Answer: https://technet.microsoft.com/en-us/library/dn655136.aspx

    Question: What is the difference if I click on “share protected” based on the Sharing App or choose protection from the Word File menu?

    Answer: No difference; it’s just a plugin to File Explorer to make it easy to go through the process without having to open up each document.

    Question: Can RMS also be used to protect documents sent to users that are not part of my organization? What are the limitations?

    Answer: If you use Azure RMS, yes, as long as the outside users are not using Gmail, Yahoo, Outlook.com or other social identity providers.

    Question: A client has 4 users on O365 E3 and 2 users on E1. Can I add an RMS product licence to the 2 users, or, do they have to be given E3?

    Answer: Only E3 users can protect content. All others can read for free. If they want to protect content as well, they need a license. You could assign an Azure RMS license to them.

    Question: So what credentials does the outside user need to authenticate?

    Answer: Either an organization ID that is already enrolled in Azure AD or if the organization doesn’t have an Azure AD created we will seamlessly create one (IT at the “shared to” organization can take this over later).

    Question: Is the Document Tracking Feature already available in Germany?

    Answer: Currently the preview is only available in the US. For Germany, some modifications will have to be made to comply with German work law.

    Question: If a document is protected with a template where an Azure AD contact had permission, what happens if the admin removes the external contact from the template permission? Can the external contact still open old documents that were created while he had permission on the template? Does the behavior depend on the configured offline setting for the template?

    Answer: The permissions depend on when he opened the document and how long the use license is valid. Group membership and permissions are granted based on the time you first access it. If it worked first, the use license expires after 7 days (unless you set this to less in the template), and if on the 5th day the admin removes any user from the template, that user will not be able to open it after his use license expires.

    Question: What account will the RMS connector use to connect to Azure RMS? Is it the admin account specified during the setup? If this is the case what happens if the admin changes his password?

    Answer: There will be a special account created during installation, so the normal admin can change his password whenever he wants.

    Question: Can you provide information/a link on how to set up O365 E1 to work with Azure RMS standalone?

    Answer: https://technet.microsoft.com/en-us/library/jj658941.aspx

    Question: Is it possible to make the documents only openable from authenticated computers? I mean, if a user grabs a flash drive, copies files, and gets them out for “Snowden like use”, the files won’t “show” the contents?

    Answer: You need to authenticate to the RMS server in order to access content. So the user needs to authenticate, no matter what device he is on or where the data is stored. So in this case you would revoke his permission, making every place he stored the file useless.

    Question: Can you access a document that has been protected when you are off line (say in an airplane)?

    Answer: If you want to access a document you need to authenticate against the Azure RMS service. When the document was protected it was given an expiration period (set by the user or the template). When this expires the document will become inaccessible. Secondly, a use license was issued for the document; this includes how long the document can be accessed offline before another authentication is required.

    Question: When the key is managed by Microsoft, how is it protected? Software only or HSM?

    Answer: HSM

    Question: Is there more RMS functionality in the EMS Suite vs E3 Office 365?

    Answer: Yes. The ‘Document tracking’ is EMS only.

    Question: Can I expire a shared file?

    Answer: Yes, using the ‘doc tracking’ feature you can remote kill a file. You can also set an expiration time on the file when you publish it.

    Question: Any specific reason the RMS Connector only allows Exchange and SharePoint (and not FCI) for the Office 365 SKU?

    Answer: Hi Tom. FCI is used on premises and generally users of O365 don’t cross over that much with the FCI use case. That’s why we licensed it the way we did.

    Question: Can I use Thales nShield Edge with RMS BYOK or do I need one of the bigger ones?

    Answer: Yes, the small USB unit is fine. You will be using it for BYOK and then locking it up in a safe afterwards. We’re handling all your actual processing with our HSMs hosted all over the world.

    Question: what about mobile devices?

    Answer: Mobile devices that currently support RMS: Windows Mobile, iOS 6+, Samsung KNOX-enabled Android.

    Question: We have seen documents referencing a SuperUser that can remove or change permissions when the account that protected the document is removed from the organization.

    Answer: Yes, there are a few ways to explain this. First, the OWNER is a key role. Any document that you protect you can unprotect. The SUPERUSER role is one where an RMS Admin can unprotect content. This same role is used for services like Exchange that perform anti-malware, DLP, archival, and eDiscovery.

    Question: RMS For Individuals can be used to protect without paying “for evaluation”. Any upcoming technical limitations for this (other than not getting logging, custom templates, Super User etc)?

    Answer: Nope. We’re intentionally very generous with RMS for Individuals for the users. The ‘catch’ is that we’re the holder of the root key so the IT Pros don’t have the ability to manage the content. When an organization licenses RMS they have the right to fully manage it.

    Question: Is company confidential for all domains in your tenant or for people who have the same email address as you?

    Answer: It’s whomever you place in the template. You can even put external partners by name e.g.: alice@contoso.com

    Question: Thanks, Anthony. I’m more interested in restarting RMS after a trial has expired. So, do a POC and then plan a full deployment. But that deployment will happen after the trial has expired. So, are there any challenges with restarting RMS?

    Answer: Here’s a simplifying view… RMS is $2/user/mth. Keep one paying user around and you’re using a paid service. Don’t fret with lifecycle changes for such a low price.

    Question: Does RMS contain any US government enforced backdoors?

    Answer: No is the simple answer. Our commercial services are built for you. I’d encourage you to review Brad’s posts on these topics here: http://blogs.microsoft.com/blog/author/bradsmith/

    Question: Is there a way to set flags for admin actions or stream the data to a SIEM for alerting?

    Answer: Azure RMS gives you, the IT Pro, a raw log of all RMS activity in near real-time. You can inject this into your SIEM.

  • FAQ ME! Microsoft Intune Jump Start FAQ!

    Last week I ran the Microsoft Intune Core Skills Jump Start and, as promised multiple times during the event, here are the questions, and the answers to those questions, that folks on the Jump Start asked:

    Q: Do we have the option to have Intune in [my / the] customer[‘s] DC rather than in the Cloud?

    A: No, Microsoft Intune has been architected from the ground up to run at scale in the Microsoft Cloud and on Microsoft Azure. We did this in part because it means you get fantastic levels of scale without the need for everything to come back to on-prem infrastructure. As the number of devices users have grows, your ability to manage those devices shouldn’t be constrained by an inability to grow the management infrastructure.

    Q: Can Intune integrate with SCCM?

    A: Absolutely! It’s designed that way, there’s documentation here on how to connect SCCM to Microsoft Intune.

    Q: What is the unique feature that Intune has to coexist with SCCM for an organization that already has SCCM 2012?

    A: Microsoft Intune when connected to Configuration Manager 2012 makes it possible to manage mobile devices via Microsoft Intune from SCCM. You can see a full list of features on Microsoft TechNet, check out the “Which Configuration is for Me?” section.

    Q: Does Intune have Digital Rights Management capability, or which DRM solution can it integrate with?

    A: Azure RMS is part of the Enterprise Mobility Suite and can be used to protect your data.

    Q: Intune can work through Azure, but is it possible to have an ADFS, ADFS Proxy and [Microsoft] Federated Identity Manager?

    A: Yes, it is fully supported. This would enable you to have authentication for Azure AD flow through the on-premises AD FS infrastructure.

    Q: Is it possible to clarify on what is happening in the background when a mobile device is enrolled to Intune?

    A: When the device is enrolled into Intune, three things happen primarily. First, the device is configured to trust Microsoft Intune as an MDM authority (iOS, Windows) or device administrator (Android). Second, the device and its information are added to Microsoft Intune and also to Azure AD as a device object linked to the user who enrolled the device. Thirdly, the device requests policy from Microsoft Intune.

    The actual blow by blow process varies per device.

    Q: Can Intune stand-alone and Intune/SCCM live together side by side?

    A: Not really. You could set up two tenants, have one configured in Hybrid and the other in standalone. You’d then need to think about where users are coming from. You could create cloud-only users for the standalone tenant and deal with them individually. You could also sync a specific set of users with a different User Principal Name (UPN) suffix to your standalone tenant and users with another UPN suffix to the Hybrid tenant. I’m not really sure what the use case would be here though?

    Q: Can I migrate from Standard to Hybrid?

    A: Not on your own. You’ll need to call support and we need to clear data from the standalone tenant before migration to hybrid.

    Q: Can we use Office 365 MDM and Intune on the same tenant?

    A: That is the intent but at time of writing it’s not possible. There is a need to manually set the MDM authority which is something that Microsoft must do for you.

    Q: Is Conditional Access for Exchange on-premises with SCCM/Intune already available?

    A: Conditional Access for Exchange on-premises is currently only available with Microsoft Intune stand alone.

    Q: Do we need the exchange connector for conditional access to Exchange on-premises?

    A: Yes

    Q: Is Apple iPad supported by Intune standalone?

    A: Yes

    Q: If you sync your “on-prem” accounts with Intune and you already had some existing Office 365 user accounts that are cloud-only, will this create an issue?

    A: No. If you already have Azure AD Sync/ADFS in place you can just use the same. Nothing to configure. Just make sure that you create the Intune account using the same account as you use for Office 365.

    Q: What can I do when a phone is lost with corp data, and the phone does not have an internet or mobile connection?

    A: You can’t do anything. It’s like having the phone turned off. But you can wipe the device, and when/if the device is online, it will be wiped.

    Q: Does the Intune client include Endpoint protection, or is that only with SCCM?

    A: That’s available in both scenarios.

    Q: Can I manage all or at least most aspects of Intune through SCCM or are some management features split between SCCM and the Intune portal?

    A: Today there are some limitations. But check this article out for what can be managed where.

    Q: Is Conditional Access available in O365 MDM?

    A: Yes, MDM in Office 365 includes the ability to manage conditional access to Exchange Online and SharePoint Online.

    Q: If I make a change in the policy, is that pushed out or do the users need to re-enroll the devices? For example, if I decide to change the password requirement?

    A: No, they will just be asked to change the password to be compliant. However some policies could lead to tattooing, for example if you set an assigned access policy on Windows and delete the policy from Intune then there is nothing to re-enable the apps that are outside of the Assigned Access policy.

    OR to put it another way: If you set a policy to push a “1” to a device and the device is currently set to “0” the policy will set the device to “1”, deleting the policy won’t make the device automatically revert since it needs something to overwrite the policy.

    At its core OMA-DM can do three things on a device: Get, Set and Execute.

    Q: With the emphasis on BYOD and mobile devices, should we anticipate treating desktops as just another flavor of a BYOD scenario?

    A: Possibly, but probably not with desktops. There will be a class of devices that will be BYO, a class that will be Company Owned and a class that will be task worker based. Those last two categories are probably going to require deeper management than BYO. Of course you will need to be able to manage the mix.

    Q: If I add a setting that only works on iOS and Windows Phone, what will happen if an Android user tries to enroll?

    A: The agent won’t know what to do with the setting so it will ignore the setting on that type of device.

    Q: Where can we find a manageable list of the Windows CSPs? Not an exhaustive List!

    A: This is the exhaustive list for Windows 10 (that is still subject to change).


  • Enable Office 365 Built-In MDM (Mobile Device Management)

    Do you have company owned mobile devices or employee-owned mobile devices that receive email? Of course you do, everyone does. Do you have a Mobile Device Management solution that you’re paying lots for but only using little of? Have you got, or are you looking at getting, Office 365? If the answer to any of these questions is yes then you need to be aware of Mobile Device Management in Office 365, which Microsoft announced on March 30 on the Office Blog. In this post, I’m going to take you through enabling MDM management of a device, but first, why is MDM in Office 365 important?

    Why is MDM in Office 365 important?

    The Exchange Active Sync (EAS) protocol has had some mobile device management like capabilities for some time, but as mobile devices and their use has evolved EAS hasn’t been the go-to management solution beyond email. OS manufacturers have invested in Mobile Device Management protocols and deeply instrumented those in their OS allowing MDM to apply policies far beyond email.

    I’ll give you a prime example of that evolution: The BYOD movement has led to people using their personal devices for work. It’s not clear legally how much control over such a device an employer has and it can vary dramatically even in one country. As a result wiping everything on a device that is personally owned could be worrisome to an employer.

    With EAS, it’s only been possible to fully wipe a device. One of the capabilities that Office 365 built-in MDM brings is the ability to selectively wipe business data from the device. This is huge because if remote wipe is your only need, Office 365’s built-in MDM has you covered. More of you need to specify basic device policies (that still go beyond EAS) to control device capabilities, such as encryption, password requirements, app (age) restrictions and the like. A full list of the policies enabled through Office 365 MDM is on TechNet.

    Conditional Access to Office 365 is also available through the built-in MDM. If you aren’t familiar with the principle of Conditional Access yet, it asks a simple question: Does the device meet the minimum bar for entry? You define the minimum bar. So you can set a policy that says that a device must be managed by Office 365, so you can wipe it, for example, before it’s allowed access to critical information. Frankly it’s ground-breaking that this ability is in an MDM offering that costs nothing extra.

    With all that in mind, what’s the answer to the question: Why is MDM in Office 365 important? The Answer: It gives you another option for management.

    For some customers, it might be the only MDM they need. Indeed I surveyed my Twitter followers and I found out something interesting (I do this regularly, you should follow me to participate and be heard). 14% of respondents to one poll were paying for MDM (which is probably about $100 per user or $51 per device per month* they could cut this from their expenditure immediately…that would probably make the boss happy!)

    How about if you still need MDM for some users that need capabilities beyond what’s built into Office 365 such as Mobile Application Management or Company Resource provisioning?

    There are people or groups of devices that need capabilities beyond what’s available built into Office 365 MDM and that is fine. Just license them for Microsoft Intune and the on-ramp is simple. Users with a Microsoft Intune license are managed through Microsoft Intune, users without are managed through Office 365 MDM! With Microsoft Intune, you get capabilities such as being able to automatically provision company resources (certificates, VPN, WiFi) and being able to distribute and manage apps.

    Ok, looks useful, let’s try this…

    That’s the why over with and hopefully you want to start taking a look. Let’s take a look through my Office 365 tenant and see what we need to do to get setup.

    Enable Office 365 MDM

    First we go to the Mobile Devices option in the Office 365 Admin portal and click Get Started to start the activation process; this will take some time to complete. If you’re using a custom domain (such as contoso.com and not .onmicrosoft.com) to set up Office 365 as a mobile device management authority, you will need to set up the correct DNS settings and exchange a certificate request from Office 365 for a certificate from Apple to work with the Apple Push Notification Network (APN) to support iOS. You’ll need to add the following two DNS entries if you’re using a custom DNS:

    Host name               Record type  Address                                    TTL
    EnterpriseEnrollment    CNAME        EnterpriseEnrollment.manage.microsoft.com  3600
    EnterpriseRegistration  CNAME        EnterpriseRegistration.windows.net         3600

    REALLY neat feature. These are the same DNS entries you need to add if you’re using Microsoft Intune for MDM, which is why moving some or all users to Intune from Office 365 MDM is possible or put another way: Office 365 and Microsoft Intune co-exist for MDM.
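    Before rolling the policy out, it is worth confirming that both CNAMEs resolve from where your users are. The following check is an added example (not code from the post or from Microsoft); it assumes contoso.com stands in for your own custom domain and that Resolve-DnsName (Windows 8.1 / Server 2012 R2 and later) is available.

```powershell
# Added example (not from the post): verify that a custom domain carries the two
# CNAME records Office 365 MDM (and Microsoft Intune) expect for device enrollment.
# Assumptions: 'contoso.com' is a placeholder for your own verified domain, and the
# machine running this can reach public DNS.
$Domain = 'contoso.com'

# Expected targets, exactly as listed in the post's table (the TTL is not checked).
$Expected = @{
    'EnterpriseEnrollment'   = 'EnterpriseEnrollment.manage.microsoft.com'
    'EnterpriseRegistration' = 'EnterpriseRegistration.windows.net'
}

$results = foreach ($label in $Expected.Keys) {
    $fqdn = "$label.$Domain"
    try {
        # Ask specifically for the CNAME so that a stray A record is not mistaken for a hit.
        $answer = Resolve-DnsName -Name $fqdn -Type CNAME -ErrorAction Stop |
                  Where-Object { $_.QueryType -eq 'CNAME' } |
                  Select-Object -First 1
        $actual = $answer.NameHost
    } catch {
        # NXDOMAIN, timeout, or the name exists but has no CNAME record.
        $actual = $null
    }

    [pscustomobject]@{
        Record   = $fqdn
        Expected = $Expected[$label]
        Actual   = $actual
        # DNS names are case-insensitive; a trailing dot from the resolver is trimmed first.
        Ok       = ($null -ne $actual) -and ($actual.TrimEnd('.') -ieq $Expected[$label])
    }
}

$results | Format-Table -AutoSize

# A non-zero exit code lets this run as a pre-rollout gate or a scheduled health check.
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more enrollment CNAMEs are missing or point at the wrong target.'
    exit 1
}
```

    Because the same two records are what Intune looks for, a passing result here also means an Intune-licensed user on the same domain can enroll without further DNS changes.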

    Optionally you can enable Multi-Factor Authentication (MFA), meaning that to enroll their device into Office 365 MDM management users need to give a second factor of authentication, such as receiving a phone call or text from the Azure MFA service. Configuring this only requires MFA for device registration; from that point forward, because the device is now trusted, it acts as a second factor of authentication.

    Create A Device Security Policy

    Now that your Office 365 tenant is enabled for MDM we need to enable some policy. So click the Manage device security policies and access rules link. You’ll be taken to Compliance Center where you’ll click the Manage device access settings link.

    In Organization-wide settings for device access management, you can choose to allow devices that don’t support MDM management to enroll, or choose to block them. If you choose block then a device must be MDM capable to be able to add an Office 365 email profile. You might want to do this for your regular users but have some users that this rule doesn’t apply to (such as your C-level people).

    Finally, let’s create our policy and target it to some users. Click the New icon (the plus sign). Enter a policy name, and click Next. Make some policy settings: I like to set a password policy for testing purposes. The last section of the Device Security Policy determines what to do if a device is non-compliant; this is Conditional Access!

    Conditional Access

    Conditional Access, as previously stated, prevents a non-compliant device from accessing resources. If you select Block access and report violation what happens is that if any of the above policy settings aren’t set on the device (or the device has refused the setting) access to Office 365 Email, SharePoint and OneDrive for Business will be blocked from this device. If you select Allow access and report violation then the violation will just be audited (which you can see in either case in Compliance Center).

    This is simply a cool feature: It means you can definitely stop email flow to a device that isn’t enrolled, or a device that’s jailbroken or rooted, or a device that simply isn’t encrypted.

    In the case of email, all the user will get in their inbox, until they are compliant, is a single email telling them how to get compliant, and nothing more!

    If the device Click Next to set the policy.

    Something Extra Really Cool

    One other thing. If you tick the box that says Require managing email profile then what you’re saying is that if the user added their own email profile that is not good enough for them to access resources. The reason it’s not good enough is that you DO NOT have the right to wipe a non-managed email profile on iOS or Android and therefore you don’t have control over your organization’s email data.

    Ticking Require managing email profile does something really cool though. The user is prompted to remove the organizational email profile they added and, once that’s done, Office 365 will provision the email profile to the users device, making it managed!

    And all that [Email Provisioning] takes is just one check box!

    Finally, Deploy the Policy

    The very last thing you’ll do is deploy the policy. Just search for a security group that you want to deploy the policy to, select the group, click Add and Ok. Then you can go to a test device and try out the policy, add an organizational email account manually on the device and (if you selected the Block option for conditional access) you’ll receive an email telling you to enroll your device by getting the Company Portal app from the store.

    Perhaps you’d like to see this in action

    Corporate Vice President, Enterprise Client and Mobility at Microsoft, Brad Anderson and I took a look at this on the latest episode of the Endpoint Zone with Brad Anderson which you can watch below:

    This is cool, I want to try it out how do I do that?

    Firstly, if you have Office 365 you should check to see if MDM is available in your Admin portal yet. If it is you’ll see it just like in the first step above. If it’s not it’s coming, Office 365 MDM is rolling out now, but it’ll take us a few more weeks to complete every Office 365 tenant (there are so many!)

    If you don’t yet have Office 365 you can get a free trial, although the functionality might not be available there yet, but it should be before the trial expires.

    Finally, if you want to know even more, you should check out the free Microsoft Intune Jumpstart on Microsoft Virtual Academy next week, which is part of our Enterprise Mobility Core Skills Jumpstart series. Since it’s a series you can sign up for them all and watch them live, or binge on them as they become available on demand!

    * Airwatch Green Management Suite-Cloud as of 3/1/2015.
