Scappman is no longer onboarding new partners or direct customers.

For a patching solution, please reach out to one of our existing partners or consider Patch My PC.

How-to guide: Getting started with Microsoft Intune (part 3)


In this blog, we're going to talk about how to set up a compliance policy, the Company Portal and application management in Microsoft Intune. We've already discussed how to start with Microsoft Intune, user and group management in Microsoft Intune, and assigning licenses.

Create a compliance policy

The next step is to create device compliance policies for all the devices. A compliance policy in Intune defines the rules and settings that a device must comply with to be considered compliant by Conditional Access. To create a new compliance policy in the Microsoft Endpoint Manager admin center, go to Devices -> Compliance policies on the pane. Then click Create policy and specify Name, Platform and Settings. Once you've configured all the settings, click OK to save the policy. Once the policy is created, you can assign it to devices or users.

Company Portal configuration

The Intune Company Portal gives company employees access to internal applications, resources, and data. As an administrator, you can customize the appearance of your Company Portal app, edit default settings, and create group-targeted policies. To do this, go to the Microsoft Endpoint Manager admin center and select Tenant Administration -> Customization. You can add the following branding elements to the Company Portal:
- Organization name
- Color
- Theme
- Organization logo and name in the header, etc.

Application management in Microsoft Intune

As a Company Portal administrator, you can push, install, uninstall, and make applications available to all the users in the organization. The Company Portal only displays applications relevant to the type of device users are on or the platform they're using. The Company Portal supports Office 365 apps, Microsoft Store apps, iOS apps, or a custom Win32 app that you create for deployment. There are five types of apps that Intune can add and manage:

App type | Installation process | Update
Store apps (Microsoft Store, App Store, Android Store) | Intune installs the app on the device | Automatic
Custom app (line-of-business, LOB) | You must supply the installation file and then Intune installs the app on the device | You must update the app yourself
Built-in apps | Intune installs the app on the device | Automatic
Web apps | A shortcut to the app is created on the device home screen | Automatic
Apps from other Microsoft services (Azure AD, Office Online) | Intune creates a shortcut to the app in the Company Portal | Automatic

In Microsoft Intune, you can modify deployable applications to align them with your organization's compliance and security policies. Modification options include:
- Restricting copy-and-paste and save-as functions.
- Configuring web links to open inside the Microsoft Edge app.
- Enabling multi-identity use and app-level Conditional Access.
In this way, you can protect your company's data.

Pro Tip: To save your time, Scappman automates the process of packaging and deploying custom apps.

Intune provides 2GB of cloud-based storage during the trial. With a full subscription, storage is unlimited. Important: LOB apps have a maximum size limit of 8GB per app.

Pro Tip: With Scappman, you can deploy applications of any size.

Add application

To add an application to your Intune portal, log in to the Endpoint Manager admin center. Go to Apps on the pane, then All apps. In the All apps menu, select Add and select the App type. In this example, we're going to add a custom LOB app. In Select app type, choose App package file. .msi, .appx, .appxbundle, .msix, and .msixbundle are supported. When the package is uploaded, click OK to add the app. On the App information page, you can enter the following:
- Name
- Description
- Publisher
- App install context
- Commands
- Category
- Information URL (optional)
- Privacy URL (optional)
- Developer (optional)
- Owner (optional)
- Notes (optional)
- Logo
When you've finished, click Next.

On the Scope screen, you can determine who can see the app information in Intune. The Assignments tab allows you to assign the app to a group. On the Review + create tab, you can review all your settings, then click Create at the bottom. When the app is created, you'll see a confirmation banner. To learn more about how to manage applications in Microsoft Intune and how Scappman can make this process easier, read the article "How to manage private applications in Microsoft Intune?".

How-to guide: Getting started with Microsoft Intune (part 2)


How to sign up for Microsoft Intune, configure the MDM authority to Intune, and create a custom domain: read here.

User and group management in Microsoft Intune

To manage devices using Intune, you first need to create users, who will use these credentials to connect to Intune. You can create users in the Microsoft 365 admin center or the Microsoft Endpoint Manager admin center. In this example, we'll create users in Microsoft Endpoint Manager. After signing in to the Azure portal, on the pane choose Users -> All users -> New user -> Create user. While creating a new user, specify the Username (the name used to sign in to Azure AD), Name (the user's given name), Job title, Department, Company name, and Location. Here, the user's password can be auto-generated, or you can choose your own. If you want to assign the user to groups, go to Groups on the pane and select the group you're assigning to the user. Click Select. By default, the role of the newly created user is User. To assign a new role to the user, select User -> Assigned roles -> Add assignments. In the Directory roles menu, select the role you want to assign to the user and click Select. After all these steps, click Select to create the new user in Microsoft Intune.

Creating a new group

You can create groups in the Microsoft Endpoint Manager admin center to organize users and devices by different criteria, such as location, department or hardware characteristics. To create a group in the Microsoft Endpoint Manager admin center, go to Groups on the pane and select New Group. There are two types of groups in Microsoft Intune:
- Security group: defines who can access the resources in Intune (recommended). Security groups can contain users (e.g. financial department employees) and devices (e.g. all Windows 10 devices).
- Microsoft 365 group: provides collaboration opportunities by giving members access to a shared mailbox, calendar, files, SharePoint site, etc. It's used for collaboration between users, both inside and outside your company.

Enter a Group name and Group description, then select one of the Membership types for the group. There are three types of group membership:
- Assigned: you manually add users and devices to the group or remove them from it.
- Dynamic user: users are added to or removed from the group automatically based on assignment rules (e.g. department or location).
- Dynamic device: devices are added or removed automatically based on the device type, OS, etc.

Group type | Membership types
Security group | Assigned, Dynamic user, Dynamic device
Microsoft 365 group | Assigned, Dynamic user

In this menu, you can add the group owner and group members. Besides the authority to add and remove group members, group owners have special permissions to manage the group, such as changing group settings, renaming the group, updating its profile image and description, etc. Members have access to everything in the group, but they cannot change the group settings. To create the group, click Create. Now you can see your group in the list.

Assigning licenses to users in Microsoft Intune

The next step is to assign each user an Intune license (and other licenses if needed) before enrolling their devices. In this example we'll explain how to assign an Intune license to a user in the Microsoft Endpoint Manager admin center. On the pane, select Users -> All users -> pick a user -> Licenses -> Assignments. Tick the Intune box (and other desired licenses) and click Save. Now you can enroll users' devices into Intune.

Why companies don’t patch


It sounds so simple: always install the latest updates on all operating systems and third-party applications across the entire IT infrastructure. So why is keeping OSs and software up to date one of the most common weak points in companies? Unfortunately, for many IT admins, manual patching has turned into an endless, ever-growing task, and missing a single application update can create a large security hole that affects the entire organization. According to a recent study by the Ponemon Institute, nearly 60% of companies don't patch their systems on a regular basis. These security holes in your IT system can result in a loss of critical data, violate privacy policies, and eventually lead to security breaches.

Just think of all the times when you or your employees postpone the update notifications on your devices. These notifications are important updates that keep your business's information safe. Ignoring them leaves your business vulnerable to data breaches and other security incidents. CVEs in OSs and third-party applications are discovered all the time. For example, more than 50 CVEs a day were discovered in 2021. In response, software vendors regularly issue patches to close the security gaps. But patching matters not only for security reasons but also to increase stability, add new features, change the UI, and fix bugs. To know more about patches, read our blog "What is Patch Management: stages, best practices, challenges, automated patch management".

For all these reasons, patching remains the single most important thing you can do to secure technology in your organization, which is why applying patches is often described as the basics. But still, implementing proper patch management is, for most companies, easier said than done. We highlighted the top 5 reasons why companies do not patch.

Top 5 reasons why companies don't patch their software

1. Patching can break everything. The most common reason is a real fear that the solution could become the problem. In some cases, a patch can break something vital in an unpredicted way. This can be explained by the large number of patches that you have to deploy.

2. Patching takes time. Patching is a repetitive, unrewarding task: IT professionals have to regularly check for updates and then install them, which can be a drain on resources. Ideally, they must test the patches before rolling them out fully, which can help uncover any problems they may cause, but which also takes more time and money. Furthermore, some patches can be more difficult to install than others. This can cause delays in getting the updates installed, which can impact business operations.

3. You can only patch something if you know it exists. As it's hard to maintain accurate, up-to-date asset inventories across big IT systems, many organizations don't have a clear overview of installed applications, endpoints and other assets. Consequently, if you don't know which applications you have installed on which devices, you don't know what to patch.

4. Too many patches to keep up with. Even if companies are able to manage OS updates, third-party application vulnerabilities are often overlooked, leaving endpoints at risk. To illustrate this challenge, we always use this example. Google Chrome releases a full OS update once a week. To package and test the update, an IT specialist spends 3-8 hours. Thus, just for patching Google Chrome, an IT specialist must spend an enormous amount of time, going through the patching cycle 3-4 times a month. An average company uses 110 applications, which means you have to monitor 110 applications for updates. It's not hard to see how the number of outstanding patches can quickly overwhelm an already busy IT department.

5. End user resistance. Who can relate: you have received an update notification and clicked "remind me later"? Users just want to get their work done and rarely consider security during their day-to-day operations. The last thing they want is to spend time waiting for the update to be installed or be forced to reboot the laptop. What they do is: "I'll do it later," or "it's probably not important" *click Postpone*. This seemingly innocent event can have serious consequences for the entire business.

None of the reasons above (excuses, we would say) is a real reason not to patch as much as you can. The only solution is automated patch management. Experts say patch automation is critical for easing operational burdens on IT staff and minimizing errors. According to the Ponemon Institute survey (2019), only 44% of organizations used automated solutions for patch management. Automated patch management solutions can help organizations keep track of all of the patches that need to be applied, and they can automate the process of deploying patches and updates.

That's why Scappman should be part of patch management in your company. Scappman is a 100%-cloud solution that automatically installs all the necessary updates for your applications. Scappman automates the whole process of uploading an application and updating it in the Microsoft Intune environment. There are more than 800 third-party applications in the Scappman App Store that are always up to date and secure to use. We'll make sure that hackers can't use vulnerabilities in outdated applications to steal or encrypt your data. To know more about Scappman and automated third-party patch management, book a demo with our team.

What is RMM and why is it still not enough for efficient third-party patching? 


As a managed service provider, your main task is to protect and manage the IT systems of various clients. That's why having a solution that helps you manage, monitor, support and secure your clients' computer networks and systems is crucial. By that solution, we mean a Remote Monitoring and Management (RMM) tool. Although an RMM solution is vital for your customers' security, it is not enough on its own. Third-party patching is also essential for an efficiently secured IT system. Exactly what is RMM? In short, it's a tool that makes the work of modern MSPs possible. Read along with us to learn more about this technology, the benefits and drawbacks of using RMM, and how you can optimize third-party patching.

Definition of RMM: what is remote monitoring & management?

RMM (short for remote monitoring and management) is a type of software that allows IT professionals to monitor and manage their clients' IT systems, such as servers, devices, endpoints, and software, from anywhere. To make RMM work, an agent has to be installed: a lightweight piece of software installed on the clients' endpoints. This agent allows you to:
- get real-time insights into the health of the client's IT environment;
- see all the gathered data on the RMM's dashboard, from which you are able to monitor and control all the processes;
- proactively stay ahead of issues.

If the agent detects a problem on one of the managed machines, it creates an alert or "ticket" and delivers it to you, prompting you to take action to resolve the problem before customers even notice it. RMM classifies these tickets based on importance or problem type, helping you prioritize issues. With the growing trend of remote work, however, it's also becoming more and more common to see internal IT departments utilizing RMM tools as well.

What is RMM used for?

Here are a few core functions of any RMM software:
- Automating IT management routine. RMM software lets MSPs automate a range of common IT tasks, such as installing software patches, running scripts, asset tracking, monitoring, alerting and remediation of IT incidents.
- Real-time remote monitoring. RMM solutions can monitor the health of the entire IT system 24/7. IT specialists can be alerted when potential issues arise so that they are addressed in a timely manner. RMM software can also provide real-time reports on network activity, asset inventory, compliance, and system performance.
- Performing maintenance and remediation tasks remotely. With RMM, IT specialists can not only monitor the IT system but also deploy software, troubleshoot, and fix problems without interrupting the end user.

RMM tools have advanced and become feature-rich, allowing MSPs to do more than just monitoring. With RMM it is possible to secure endpoints and automate a lot of routine tasks, making MSPs' lives easier.

Benefits of RMM

Under the right conditions and management, RMM software can help IT providers completely transform their operations, making them more efficient, more effective, and more profitable.

No more break-fix cycle. Previously, MSPs had to physically go to their clients' offices in order to manage their IT systems and infrastructure. This created what was known as the "break-fix cycle": when something broke, an MSP would fix it, leave, and then come back again when something else broke. This cycle is costly and can be avoided with the help of cloud solutions and remote monitoring and management (RMM). RMM allows you to proactively monitor your IT infrastructure and identify potential issues before they cause downtime. This proactive approach can help keep your business running smoothly. And instead of going to their clients' offices physically, RMM allows MSPs to cut down on time spent on the road, giving them time to manage more clients.

Saves time and money. RMM can save businesses time by automating tasks that would otherwise need to be done manually. This can free you up to focus on more important tasks, such as problem solving and user support. RMM can also save businesses money by reducing the need for on-site support. With RMM, IT problems can often be fixed remotely, without the need for IT specialists to come to the office. This can save on travel costs and boost productivity.

Improves security. An RMM can help identify potential security threats and vulnerabilities early on, before they have a chance to do any damage. By constantly monitoring your network and systems, an RMM can quickly spot suspicious activity and raise an alert. This means that you can take steps to fix the problem before it becomes a serious issue.

RMM and third-party patching

As the use of third-party applications continues to grow, so do the challenges of patching these applications. While most RMMs support third-party patching, the application list is not broad enough to cover the business needs of your customers. This can pose a challenge for you, as an MSP, who is responsible for patching these applications. One of the biggest challenges is keeping up with the constantly changing versions of these applications. With new versions being released on a regular basis, it can be difficult to ensure that all of the necessary patches are installed. Another challenge is ensuring that the patches work properly and don't break anything. That's why patching third-party applications is an important part of keeping systems up to date and secure.

How to optimize third-party patch management for RMM

Scappman is a 100%-cloud solution that automatically installs all the necessary updates for your applications. Being fully integrated with Microsoft Intune, Scappman doesn't require any servers or agents to install and keep your applications up to date. For MSPs, Scappman provides a complete third-party patch management solution that allows you to manage all your customers' apps from one platform:
- All customers in one platform.
- Partner portal (invoicing, inviting customers, pop-up customization...).
- Advanced application management (app sets, user and group assignments...).

Furthermore, there are more than 800 third-party applications in the Scappman App Store that are always up to date and secure to use. You can also upload your own application to the platform and manage

How to keep your available Intune apps up to date


Available apps in the Company Portal is one of those features you really want to use, but can't, because you lose control. Until now.

From a user's perspective, available apps in the Company Portal are awesome! Your computer isn't bloated with unnecessary apps, but at the same time you have the freedom and flexibility to install apps that have been approved by your IT department, without having to create a ticket and wait a week or two to get the app. And it's super easy: you just open the Company Portal app, select the app you want to install, and a short while later you're good to go!

But there's a catch. Available apps are just that: available to be installed. That means that when it's time to update that app, the new version is also just available. It won't update itself for the users that have already installed it. Add a few versions and you end up with an application landscape that is completely out of control and super insecure. There are some complex workarounds out there involving adding users to groups and using different types of assignments, but none of those are really reliable.

So, how can you keep available installations in check?

1. Create a PowerShell script that detects whether the application is installed and returns true or false. This can be as simple as testing whether a registry key exists: Test-Path 'HKLM:\SOFTWARE\Scappman'
2. Create your application as you would otherwise, but on the Requirements page, click Add in the Scripts section and upload your freshly created requirement script. In our example, the script returns true if the key is found, so we configure it as a Boolean that equals Yes.
3. The next time a device checks in, the requirement script will run. If it returns true and the detection rules are not met (the new version is not present), the application will automatically be updated.

In the status overview, the devices that have been updated will be reported as Installed, while the devices on which the application was not detected will be reported as Not Applicable.
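As an added example, not Scappman's code and not part of the original post, here is a fuller version of the two scripts involved: a requirement script that looks the app up under the standard Windows Uninstall keys instead of a vendor-specific key, and the matching custom detection script for the new version, which is what makes already-installed copies upgrade while untouched devices stay Not Applicable. The display name 'Example App' and the version 2.5.0 are placeholders, and the two sections are meant to be saved as two separate script files.

```powershell
# Added example (not Scappman's code and not from the original post).
# Two separate scripts for one Win32 app in Intune. Both assume a placeholder
# application that registers itself under the standard Windows Uninstall keys
# with DisplayName "Example App" and that the version being deployed is 2.5.0;
# both values are assumptions, replace them with your app's real values.

# ========== Script 1: requirement script (save as Require-ExampleApp.ps1) ==========
# Intune settings: output data type = Boolean, operator = Equals, value = Yes.
# Prints True when any version of the app is present, False otherwise, so the
# new app version only applies to devices that already have the app installed.

$DisplayName   = 'Example App'   # placeholder: the name shown in "Apps & Features"
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledApp {
    # Returns the first Uninstall entry whose DisplayName matches, or $null.
    param([string]$Name)
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $Name } |
        Select-Object -First 1
}

# The post's one-liner (Test-Path 'HKLM:\SOFTWARE\Scappman') does the same job
# for an app that writes its own key; the Uninstall lookup works for any app
# that appears in "Apps & Features".
if ($null -ne (Get-InstalledApp -Name $DisplayName)) {
    Write-Output $true
} else {
    Write-Output $false
}

# ========== Script 2: detection script (save as Detect-ExampleApp.ps1) ==========
# Intune settings: Detection rules -> Use a custom detection script.
# Intune treats the app as detected only when the script exits 0 AND writes
# something to STDOUT. A device that passed the requirement but still runs an
# older version is therefore "not detected" and gets the upgrade; a device on
# 2.5.0 or newer is left alone. (Repeat $DisplayName, $UninstallKeys and
# Get-InstalledApp from script 1 in this file.)

$ExpectedVersion = [version]'2.5.0'   # placeholder for the version you are deploying

$app = Get-InstalledApp -Name $DisplayName
# -as [version] yields $null when DisplayVersion is missing or not parseable.
# Undefined parts compare as -1, so '2.5' is less than '2.5.0': use the same
# number of parts as the vendor's DisplayVersion string.
$installedVersion = $app.DisplayVersion -as [version]

if ($installedVersion -and $installedVersion -ge $ExpectedVersion) {
    Write-Output "Detected $DisplayName $installedVersion"
    exit 0
}
exit 1
```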
The easy way

Don't want to spend time creating all those scripts, but you do want the awesome Available apps feature in Intune? Check out Scappman! Not only does Scappman enable you to use Available apps for the predefined apps in the App Store, it also allows you to upload your own app, provide the name that it uses in the "Apps & Features" settings page and keep your own custom apps in check. Find out here how we do it for you.

Everything you need to know about Log4Shell and how keeping apps up to date can save your data


If you still haven't heard of the discovered Apache Log4j vulnerability, you are at big risk now. MUST-READ!

Last Tuesday, on December 9, 2021, a high-severity vulnerability that affects the core function of Log4j, CVE-2021-44228, aka Log4Shell or LogJam, was discovered by the Alibaba Cloud Security Team. Since then, the number of attacks exploiting the flaw has exceeded one million.

What is Log4j and why can its vulnerability affect the security of your data?

Log4j is an open-source Apache logging library that is commonly used in many applications to keep track of user activity within an application. A lot of Java-based applications and cloud services use the Log4j logging library, like Apple iCloud, Amazon, Cisco, Cloudflare, Red Hat, Steam, Twitter. And now all these services are vulnerable. The discovered vulnerability, Log4Shell, gives attackers the ability to achieve remote code execution (RCE) on vulnerable applications, which basically means that they can perform ANY action with your data with no authentication: the data can be stolen, deleted, encrypted, or held for ransom! On the CVSS scale, Log4Shell is rated with a score of 10 out of 10. There have already been thousands of confirmed attacks on companies' data using CVE-2021-44228, which is not a surprise. What makes Log4Shell especially dangerous is that the Log4j library is used by millions of application vendors and that attacks with this vulnerability are easy to execute. So, experts expect even more attacks in the coming weeks.

Patching is the only option!

But the main question is: what can companies do to prevent their data from being exposed? Patching and keeping your applications up to date! Patching a single application isn't that difficult, but each application must be tested to be sure that the updated app works properly. While patching applications is extremely time-consuming, it's a top priority for all organizations to keep their data secure.

How can Scappman help protect data in your company?

If you still haven't heard of Scappman, now is the time! Scappman is a must to prevent damage from the Log4j vulnerability, because we update third-party and private apps for you, so you can be sure that the latest versions of apps are installed on every computer and your data is secure. No need to spend days patching a single application!

P.S. A non-exhaustive list of vulnerable software can be found here: https://github.com/NCSC-NL/log4shell/tree/main/software

Trends for Microsoft Intune in 2022


Trend 1: Further integration of Apple products in Microsoft Intune

One thing that was already on the roadmap for December 2021 was management of user-installed apps on iOS. With this update, Intune can manage previously installed iOS applications once they're synced with Intune. As a result, previously installed applications do not need to be deleted and re-issued onto devices enrolled in Intune using device enrollment. These applications might have been distributed using different MDMs previously, or they might have been personally installed. This feature simplifies the configuration management process for both required and available applications when enrolling devices into Intune.

The second integration is getting the Defender for macOS policies into the Settings Catalog, also previewed in the January 2022 release.

The third thing on the roadmap that Microsoft is working on is enrolling BYOD or personally owned Apple devices. This has already been possible for Android devices in the Microsoft Intune environment since April 2021. In 2022 it will be possible, if Microsoft sticks to the roadmap, of course, to "Enroll devices into Intune through Apple account management."

The last thing in this trend is adding DMG-type app management for macOS, extending app deployment and management to include the exe equivalent for Apple: DMG for macOS. The cool thing is that if Microsoft continues this way, there should be no reason for companies not to accept Apple products/devices in their Microsoft Intune environment.

Trend 2: Microsoft Intune and Microsoft Endpoint Manager also integrate on the server side of things

Linux Ubuntu still has the highest percentage of servers running in the world. There's even an article about it, "Can the Internet exist without Linux?". In the enterprise world, this means that companies will be able to register, manage and secure Linux Ubuntu desktops and laptops and use Conditional Access for compliance. Microsoft will start with Ubuntu, but support is on its way for Red Hat, CentOS, and Fedora. As part of that move, IT administrators will now be able to create Azure Active Directory Conditional Access policies for Linux machines, just like they do for Windows, mobile, and Mac machines, to ensure that only Linux equipment that isn't in violation of the policy can gain access to corporate resources such as Microsoft Office 365 applications. Microsoft Endpoint Manager's team said that in addition to adding custom management and security capabilities to the platform, these additional features would be beneficial for verifying the encryption status, for detecting any issues that result from BitLocker and Windows Defender Firewall settings, or for regularly comparing the security score in Defender for Endpoint to guarantee that any security flaws are detected and fixed.

Trend 3: Moving from SCCM to Microsoft Intune or doing co-management

We even wrote an article, "From SCCM to Microsoft Intune." Many companies with SCCM, better known as System Center Configuration Manager, formerly known as SMS, Systems Management Server, are moving towards Microsoft Intune. The most significant difference between these traditional methods and the new Microsoft Intune is that SCCM is image-based management and Microsoft Intune is profile-based management. Brad Anderson, CVP Microsoft, predicted that the market penetration of Intune would be 50% on January 1st, 2022. Still, a lot has changed in the last two years, especially in security and the modern workspace. We're not going down that road, but Covid-19 kickstarted the adoption of Microsoft Intune, because during Covid-19 we saw an increase in Bring-Your-Own-Device or Use-of-Own-Device, working from home, etc., all with the necessary critical security flaws. These reasons meant Intune rapidly gained more market share.

In August of last year, Gartner acknowledged Microsoft as the ultimate leader for Unified Endpoint Management Tools. We don't know the exact number of companies using Microsoft Intune, but some internal sources say it has increased by 240%. This means that Chris probably didn't undersell the 50% adoption of the software.

The problem is that Microsoft Intune can't do all the things that SCCM can do, and that SCCM, even with Microsoft Intune, can't do all the things that the full Microsoft Intune manager can do. So, some companies that are switching from SCCM are doing co-management. We will explain co-management in a different blog post. What you need to remember is the following image.

Sidenote by Microsoft: when you manage devices with both Configuration Manager and Microsoft Intune, this configuration is called co-management. When you manage devices with Configuration Manager and enroll them in a third-party MDM service, this configuration is called coexistence. So, unless you have co-management, with Configuration Manager and Intune in place, you can't balance the workloads, resulting in conflicts. This interaction is not available with third-party integrations, and therefore there are restrictions on the management capabilities of coexistence.

How Scappman manages Multi-tenancy


Managed Service Providers (MSPs) are always looking for automation of recurring tasks. Changing some settings for one customer and repeating the same action for 1000 other customers is a very time-consuming job. The same goes for application patch management. MSPs want to make sure all of their customers are secured with the latest software patches. If your customers are using Microsoft Endpoint Manager and you would like them to be up to date with all applications, you'll need to monitor new versions, package these versions and wrap them in an .intunewin file. Then you'll need to upload the packages to all your customers' tenants. Already done that? Then you probably know that you can start all over again, as by the time you finish, a new update is available.

At Scappman we've implemented an easy way to switch between your customers: you'll be able to see what your customers can see (if you allowed them to access the portal). No need to sign out and sign in to multiple tenants. We have defined a reseller-customer relation so you can have a good overview of your customers' patch status.