Microsoft Intune Mobile Application Management (MAM) policy changes not working

The following blog describes the solution to a scenario I encountered whereby changes to a Microsoft Intune mobile application management (MAM) policy would not take effect.

Environment

In preparation for rolling out an MS Intune Mobile Application Management (MAM) policy to Outlook for iOS clients I created a test policy to enable pin protection and applied it to a test user account.  The steps used can be found here

In summary

  1. Create a test user and assign a Microsoft Intune license via portal.office.com
  2. Create a user group to apply the app protection policy to, and assign the test user to the group, again via portal.office.com
  3. Create an App protection policy via portal.azure.com
  4. Configure the policy settings (e.g. Require PIN access)
  5. Choose Apps to associate with policy (e.g. Outlook)
  6. Deploy policy to test group

This worked well.  After the policy applied, when I opened Outlook for iOS as the test user I was prompted to enter a pin

Note:  It can take up to 8 hours for a newly deployed app protection policy to be applied.

Problem

The problem arose when I removed the test MAM policy (or more specifically, removed the test user from the group “Test – MAM Policy”). I expected that the pin protection settings would no longer apply.  However, the test user continued to be prompted to enter a pin, even after waiting sufficient time for the changes to take effect.

Solution

It was the “Common IT administrator issues” section of the Troubleshoot Mobile Application Management guide that pointed me in the right direction.  Specifically, this section indicated that I may need to force a sync of the Outlook for iOS client for the changes to take effect.

I used the following steps to force a sync of the Outlook for iOS client:

  1. From the Outlook app, click on settings
  2. Select the test Office 365 account and then choose “Reset Account”

This forced a sync of the Outlook client.  Next time I opened the Outlook app, the pin protection policy had been removed.

Microsoft Intune Useful Links & Information

The following is a collection of links to Microsoft Intune resources that may be useful to anyone looking to get started with Intune

Training Guides

  1. Microsoft Virtual Academy Intune Training
  2. Intune documentation
  3. What to tell your end users about using Microsoft Intune

Blogs, Videos & Customer Stories

  1. What’s New
    1. Intune Standalone & General Product Updates
      1. https://aka.ms/intunenew
    2. Intune Hybrid What’s New
      1. https://aka.ms/hybridwhatsnew
    3. Blogs
      1. Brad Anderson’s Blog http://aka.ms/bradsblog
      2. Simon May’s Blog http://simon-may.com
      3. Enterprise Mobility & Security Blog http://aka.ms/mobsecblog
      4. Intune Support Blog http://aka.ms//intunesupportblog
    4. Forums
      1. Microsoft Intune UserVoice
        1. https://microsoftintune.uservoice.com
      2. Microsoft Intune Forums
        1. https://aka.ms/intuneforum

Useful Tools

  1. System Centre Configuration Manager Hybrid Diagnostic Tool
    1. https://www.microsoft.com/en-us/download/details.aspx?id=53306

Support Information

  1. Engage the Intune FastTrack Centre for deployment assistance
    1. https://fasttrack.microsoft.com/
  2. How to engage Premier Support for technical help and troubleshooting
    1. https://aka.ms/intunesupport

How to get a detailed list of all your Configuration Manager Deployments using Powershell

In this blog I will show you step by step how to quickly get a detailed list of all your Configuration Manager deployments, output in Excel table format, including the following details

  • Application Name
  • Assignment ID
  • CI_ID
  • Collection
  • Collection Name
  • DeploymentID
  • Creation Time
  • Deployment Time
  • Enforcement Deadline
  • PackageID

You can also download this guide from the Technet Gallery here

First, open the System Center Configuration Manager Console

Click on the down arrow in the upper right hand corner and choose “Connect via Windows PowerShell”.  This opens PowerShell with the Configuration Manager module loaded.  Type the following command (use whatever path you want to save the output):

Get-CMDeployment | Export-csv -NoTypeInformation c:\temp\Deployments.CSV

Next, open the Deployments.CSV file using Microsoft Excel.

Highlight / select all the rows and columns with data, select the “Insert” tab, and click on “Table”.

Make sure to tick “My table has headers”, then click OK.

You now have an Excel spreadsheet, in table format, with detailed information about all your deployments, including:

  • Application Name
  • Software Name
  • Assignment ID
  • CI_ID
  • Collection
  • Collection Name
  • DeploymentID
  • Creation Time
  • Deployment Time
  • Enforcement Deadline
  • PackageID

Unable to run Office 365 / Exchange Hybrid Wizard – “Content was blocked because it was not signed by a valid security certificate”

Problem

From the Exchange Admin Center you run the Hybrid configuration setup.

You are prompted to log in to Office 365.

You enter your credentials.

You then receive this message / warning: “Content was blocked because it was not signed by a valid security certificate”

You are unable to complete the Hybrid configuration.

Solution

You can resolve this issue by installing the certificate as follows:

1: Click on the security report icon (the lock symbol in the browser address bar)

2: Click View Certificates

3: Click “Install Certificate”

4: Select “Local Machine” and click Next

5: Click Next

6: Click Finish

7: Click OK

8: Restart Internet Explorer & the Exchange Admin Center.

9: Click Enable on the Hybrid setup

10: Log into Office 365 when prompted

You will be returned to the Hybrid setup page.

This time, when you click Enable, the Exchange Hybrid setup wizard will start.

How to enable MAC address spoofing on a Hyper-V 2012 R2 Virtual Machine using PowerShell

I recently had to enable MAC address spoofing on the network adapters of two virtual machines deployed on Hyper-V 2012.  Here’s how I did it using PowerShell:

First, use the following command to take a look at the current configuration of our network adapter:

Get-VMNetworkAdapter -VMName VirtualMachineName -ComputerName HyperVHostName | fl Name,MacAddressSpoofing

  • VMName = Virtual Machine Name
  • ComputerName = Hyper-V host name
  • Name = Virtual Network Adapter Name

In the output, MacAddressSpoofing is currently Off.

Run the following command to turn MacAddressSpoofing On:

Set-VMNetworkAdapter -VMName VirtualMachineName -ComputerName HyperVHostName -Name NetworkAdapterName -MacAddressSpoofing On

Re-run the following command to verify MacAddressSpoofing is On:

Get-VMNetworkAdapter -VMName VirtualMachineName -ComputerName HyperVHostName | fl Name,MacAddressSpoofing
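
Because MAC address spoofing lets a guest send frames with any source MAC, it is worth confirming that the setting is On only where it was intended. The following is an added example, not part of the original post: it lists every VM network adapter on a host that has MacAddressSpoofing set to On. The function name Get-MacSpoofingAdapter and its -AllowedVM allow-list are hypothetical; HyperVHostName and VirtualMachineName are the same placeholders used above.

```powershell
# Added example, not from the original post.
# Get-MacSpoofingAdapter and -AllowedVM are hypothetical names;
# 'HyperVHostName' and 'VirtualMachineName' are placeholders.
#Requires -Modules Hyper-V

function Get-MacSpoofingAdapter {
    [CmdletBinding()]
    param(
        # Hyper-V hosts to audit; defaults to the local host
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # VMs that are expected to have spoofing enabled (assumed allow-list)
        [string[]]$AllowedVM = @()
    )

    foreach ($hvHost in $ComputerName) {
        try {
            # Enumerate every VM on the host, then every adapter of each VM
            $adapters = Get-VM -ComputerName $hvHost -ErrorAction Stop |
                Get-VMNetworkAdapter
        }
        catch {
            # An unreachable host is reported and skipped, not silently ignored
            Write-Warning "Could not query ${hvHost}: $($_.Exception.Message)"
            continue
        }

        # Keep only adapters where spoofing is enabled and flag the expected ones
        $adapters |
            Where-Object { $_.MacAddressSpoofing -eq 'On' } |
            Select-Object @{ n = 'HyperVHost'; e = { $hvHost } },
                          VMName, Name, SwitchName, MacAddress,
                          @{ n = 'Expected'; e = { $AllowedVM -contains $_.VMName } }
    }
}

# Report adapters with spoofing On, unexpected ones (Expected = False) first
Get-MacSpoofingAdapter -ComputerName 'HyperVHostName' -AllowedVM 'VirtualMachineName' |
    Sort-Object Expected |
    Format-Table -AutoSize
```

Any adapter reported with Expected = False can be reverted with the same Set-VMNetworkAdapter command shown above, using -MacAddressSpoofing Off.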

WSUS – The file for this update failed to download

Edit:  I’ve posted this on YouTube here

Problem

During a recent deployment of WSUS on Windows 2012 R2, using WID database, I ran into a problem whereby after I approved updates, they would fail to download.  The WSUS console showed the following error: “The files for this update failed to download”

The application log showed an Event ID 364 error, and also an Event ID 10032 error.

With such a specific error description in the Event ID 364 I thought finding a solution would be straightforward.  And indeed I quickly found the following KB article describing the issue I was experiencing.

In my environment we were not using a Sonicwall firewall device, so Method 1 applied to my scenario.  Specifically, configure BITS to work in foreground mode.  The KB article details the command to run, and for my scenario (WSUS 3.0 with a Windows Internal Database that was created by a default WSUS installation) the solution described was to run the following command:

"%programfiles%\Update Services\Setup\ExecuteSQL.exe" -S %Computername%\MICROSOFT##SSEE -d "SUSDB" -Q "update tbConfigurationC set BitsDownloadPriorityForeground=1"

However, I did not have the ExecuteSQL.exe utility anywhere on my WSUS server.  A missing ExecuteSQL.exe utility scenario is also described on this blog, and pointed me in the right direction.

Solution

Firstly, download and install the Microsoft SQL Server 2012 Feature Pack from here.  Specifically, you want to install the Native Client & Command Line Utilities.

Then open an administrative command prompt to C:\Program Files\Microsoft SQL Server\110\Tools\Binn

Run the following command:

SQLCMD.exe -S \\.\pipe\Microsoft##WID\tsql\query -d "SUSDB" -Q "update tbConfigurationC set BitsDownloadPriorityForeground=1"

Once complete, restart the Windows Update service.

After that, my WSUS server was able to download updates successfully from Microsoft Update.