Why Cloud Management Gateway Is So Important Now

With the prevailing global situation requiring more and more people to work from home, businesses need to ensure that productivity does not suffer. And to do that, you need to effectively manage remote devices. Hence the need for technology such as the Cloud Management Gateway (CMG).

By utilizing the CMG, your business has an alternative to IBCM that most would consider a significant upgrade. This creates a favorable environment that allows your organization to eliminate the obstacles of having a remote workforce. Needless to say but the CMG can play a massive role in your organization and its importance is certainly worth discussing.

Requirements

Before you can use the Cloud Management Gateway you need to meet the following requirements:

  • An Azure subscription to host the CMG,
  • You need a Full administrator or Infrastructure administrator user account in Configuration Manager,
  • During the initial creation of certain components, the participation of an Azure admin is needed,
  • You need at least one on-premises Windows server to host the CMG connection point,
  • A server authentication certificate for the CMG,
  • There needs to be an integration of the site with Azure AD to deploy the service with Azure Resource Manager,
  • Depending on your client OS version and authentication model, other certificates may be required,
  • Clients are required to use IPv4.

When is it useful?

There are several scenarios where the CMG could come in handy and they include the following:

  • For management of traditional Windows 10 clients using modern identity which can either be hybrid or pure cloud domain-joined with Azure AD.
  • For management of traditional Windows clients with Active Directory domain-joined identity. The clients included are Windows 8.1 and Windows 10.
  • For installation of the Configuration Manager client on Windows 10 devices over the internet.
  • For new device provisioning with co-management.

Benefits to your business

CMG enables your Enterprise admins to perform several actions. Among the things they can do, they can manage the following over the internet:

  • Push software updates and enable endpoint protection,
  • Inventory and client status,
  • Compliance settings,
  • Software distribution,
  • Windows 10 in-place upgrades,
  • Manage branch office devices over less expensive internet instead of across expensive WAN or VPN connections.

Eliminates complications

Although Internet-based client management (IBCM) has been around for years, a lot of users tend to find it complicated. CMG aims to be a simpler solution. It is an Azure-hosted service that manages internet-based clients through a new role called the cloud management gateway connector point.

By adding the CMG to your environment, you’ll get an intermediary cloud solution. And this can be your bridge to a full cloud management solution of your Windows 10 devices through Microsoft Intune.

Also, your organization doesn’t need to expose on-premises infrastructure to the internet and neither will you require additional infrastructure. So by using the CMG, you get rid of a lot of what users don’t like about IBCM.

Manage internet clients

Cloud Management Gateway helps you to easily and effectively manage clients that are on the internet. Often, there are going to be events in your environment that will require a swift response.

However, previously this was problematic for clients that would not be currently on-premises. By leveraging the CMG, you can manage clients all over the world as long as they have an internet connection.

Furthermore, it doesn’t require you to buy any additional IT infrastructure. So unlike IBCM that would need additional hardware that you need to maintain, for the CMG you just need to have Azure.

Strengthen your security

The moment you have systems that are not directly connected to your IT infrastructure, your data security is at an increased risk. This is particularly evident with remote work.

Although a lot of businesses have responded by using VPNs, you cannot adequately protect workstations through VPN channels. Hence the importance of the Cloud Management Gateway.

With it, you can better manage devices connected to the Internet and thus improve your corporate security posture. This is further enhanced by the fact that you can leverage Microsoft Azure services so that there is no need to expose your infrastructure to the internet.

Cost management

Whenever you use cloud services, you will incur costs associated with your usage. And the Cloud Management Gateway is no exception. Fortunately for clients, Microsoft intends to help you to keep those costs under control. You can do this through client settings, for instance, where you can determine which clients can access the CMG.

Another feature you can leverage is virtual machine configuration. The latter enables you to choose between 1 and 16 virtual machines per instance of Cloud Management Gateway. Also, if you want to, you can stop the CMG so that it’s no longer serving clients.

Therefore, to optimize user experience for all clients, the CMG helps to reduce the unavoidable costs that come with cloud services.

Constantly evolving

Another reason why the CMG is so important is how the technology is constantly evolving. There has been a lot of innovation taking place such as the ability to automatically do a client install through the CMG.

This is a great option to have because it eliminates the need for the client to be on the intranet. In addition, the platform is adaptable to your organization’s needs. So it can handle several scenarios such as:

  • Traditional PC management (Windows 7, 8.1, 10),
  • Modern PC management (Windows 10 with modern identity),
  • Internet client installs.

Wrap up

Every organization should be looking for ways to make the most of its IT investments. Thus from the information available, we can see that every environment that uses ConfigMgr can benefit from using the Cloud Management Gateway. And you can leverage the CMG for clients all across the globe. The convenience that this provides you cannot be overstated. As the world changes and technology evolves, we need platforms that can help organizations to become more efficient and enhance productivity.

Microsoft Intune: 7 Benefits of Remote Device Controls

It goes without saying that the year 2020, in particular, placed a new emphasis on the importance of remote work. Although a lot of organizations had already been exploring bring-your-own-device (BYOD) policies, that need is even greater today.

And so it’s not surprising to see technologies like Microsoft Intune take center stage in these discussions. Management of your remote workforce is a task that can get very complex and put your security at risk. This is why we need to look at what Microsoft Intune can offer and how remote device controls benefit you.

What does Microsoft Intune control?

Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). It can control:

  • How devices such as laptops, tablets, and mobile phones are used within your organization,
  • The configuration of specific policies to control apps,
  • The use of personal devices for school or work, and enhance security by isolating organization data from personal data.

All these controls and more will improve overall device management and data security by employing strict access controls.

Use and secure multiple devices

One of the major benefits that your employees will get from Microsoft Intune is having a choice of device. They can easily enroll and register devices from a choice of several. And then they can install corporate applications on the chosen devices from the organization’s self-service portal.

The key thing, however, is that your IT team retains control over the devices that have access to the corporate network. Administrators are the people responsible for setting up compliance and enrollment policies. Therefore, your organization can maintain high levels of security and control over all devices, especially those of your remote workforce.

Limit employee access

Sometimes, an employee who needs to check their email may decide to do so from a computer in the hotel lobby, for instance. Scenarios like this can cause huge security issues in your network. To counter this, Microsoft Intune will block any devices that are not under its management from accessing corporate resources.

Remote device controls allow you to keep out any device that does not meet the criteria that administrators have put in place. Conditional access will only be granted to corporate-owned devices, BYOD devices that meet compliance regulations, and devices that follow any other criteria that you set up.

Administer mobile devices

In a world where people are always on the go, your employees may inevitably at some point need to use their mobile devices. And Microsoft Endpoint Manager provides you with several options for administering managed devices. These include:

  • Microsoft Teams: a platform that promotes teamwork by chatting, meeting, and collaborating regardless of location.
  • Quick Assist: a Windows 10 app where two people can share a device over a remote connection.
  • TeamViewer: a third-party program that enhances remote access and support.
  • Remote Control: a feature that helps you to remotely administer devices and provide assistance.

By leveraging these tools, you can have remote device controls that give you a secure platform to administer devices.

Leverage Remote Control

Remote Control is a feature of Microsoft Endpoint Configuration Manager that you can use to remotely administer, provide assistance, or view any workgroup computer and domain-joined computer. This is something that enables IT professionals to connect and interact with a customer user session.

In addition to the remote assistance that IT can offer, the remote control viewer is also available on all operating systems that are supported for the Configuration Manager console. So instead of having to wait on someone to come in person and attend to an issue, IT can provide the necessary assistance remotely.

Enhance remote management

Microsoft has a habit of teaming up with great partners that can vastly improve the user experience for their clients. To assist IT in the remote administration of Intune devices, you can use a partner program known as TeamViewer.

The latter is a fast and secure remote management tool that will help your IT team to proactively monitor client endpoints, remote systems, and networks. This comprehensive set of remote access and support capabilities can simplify life for both IT and end-users. With its easy-to-use interface, TeamViewer helps members to remain connected from various locations.

Manage device actions

We all face challenges with our various devices from time to time. We can forget our passwords, lose devices, have them stolen, etc. With Microsoft Intune, however, you have less to worry about from these potential scenarios. And this is because your admins can remotely run device actions. From the Intune portal, it is possible to restart devices, reset passcodes, locate lost or stolen devices, and more.

Remove devices

Following on from the above point, once a device is stolen, goes missing, is no longer needed, or is being repurposed, you’ll need to remove it from Intune. Users can also use the Intune Company Portal to issue the necessary command to Intune-managed devices. You can choose to:

  • Wipe the device: this action restores the device to factory settings and can remove all data, apps, and settings.
  • Retire the device: this action removes managed app data (where applicable), settings, and email profiles that were assigned by using Intune. The device is removed from Intune management.

Being able to perform these actions remotely helps to ensure that the wrong people don’t get access to corporate data and resources.

Wrap up

Remote device controls offer businesses a great degree of convenience that they previously did not have. The ability to access and manage system interfaces and files serves to create a better experience for both IT and end-users. No longer do users need to wait endlessly for assistance or IT to constantly worry about access and compliance. By using the remote control tools that Microsoft Intune delivers, organizations can improve the efficiency of their remote networks and still maintain high levels of security.

What’s New with Windows Autopilot for HoloLens 2

Billedresultat for hololens 2

In early 2020, Microsoft announced that it was going to bring Windows Autopilot to the HoloLens platform. Initially, it was only in private preview on HoloLens 2. However, later on that year, Microsoft made it available for public preview. Windows Autopilot plays a key role in simplifying deployments and reducing the time required to productivity.

As a result, it helps your organization to cut down on costs and enhance efficiency. So if your business needs to introduce new devices, then Autopilot offers you a great solution for that. This announcement from Microsoft expectedly aroused significant interest so we’re going to take a look at what all this could mean for you.

HoloLens 2 overview

HoloLens 2 is the next step in the evolution of Microsoft’s revolutionary mixed reality headset. This device is one that you place over your head and has a visor that goes over your eyes offering users a new way to interact with information.

The technology provides apps and solutions that will enhance communication, learning, collaboration, and much more through the use of mixed reality. The challenge that organizations have had to face is that as this technology has grown in popularity and use, its deployment at scale has become a laborious and costly affair. Hence the need for Windows Autopilot to provide a simpler, more effective, and more streamlined deployment solution.

Device set up

To get started, you’ll need to go through the process of device set up. Fortunately, setting up your devices will only involve a few simple steps. Once a user has started the self-deployment process, Autopilot then proceeds with the following steps:

  • Join the device to Azure AD. However, it’s important to remember that Autopilot for HoloLens does not support Active Directory join or Hybrid Azure AD join.
  • Enroll the device in Microsoft Endpoint Manager (or another MDM) using Azure AD.
  • Download certificates, apps, device-targeted policies, and networking profiles and then apply them.
  • Provision the device.
  • Present the sign-in screen to the user.

With the public preview, Windows Autopilot for HoloLens devices can be configured using Microsoft Endpoint Manager (MEM) controls. And this applies to all customer tenants. To get started, you’ll have to log into the MEM admin center. Once there, select Devices > Windows > Windows enrollment. And then under Windows Autopilot Deployment Program, select Deployment Profiles > Create profile > HoloLens (preview).

Requirements

To use Windows Autopilot, you’ll need to have Windows Holographic, version 2004 (released May 2020) or newer. However, Microsoft only began shipping devices with this version pre-installed in late September 2020.

Fortunately, though, Microsoft allows you to use the Advanced Recovery Companion (ARC) to re-flash your devices to the latest operating system. Using ARC, you can also check the build version that is currently installed on your devices.

The process is not overly complicated and you can find instructions here. Ideally, it would be best to request from your distributor that they supply you with Autopilot-ready devices.

Tenant Lock for HoloLens 2

This feature allows organizations to permanently bind devices to their Tenants and keep them under management after initial enrollment. With this feature, your device will always be deployed by Autopilot and managed by MEM. Even in the event of OS updates, accidental or intentional resets, or wipes.

If your organization deploys HoloLens 2 devices with Autopilot, you can set up a specific policy. This policy which is deployed post-enrollment enforces:

  • the permanent enforcement of Autopilot deployment,
  • the prevention of local user creation during device setup,
  • mandatory network connection,
  • the prevention of all other escape hatches during device setup, and
  • the prevention of device ownership during the device setup process except for the organization Tenant it is registered to with Windows Autopilot.

Using Autopilot with Wi-Fi connection

Microsoft will also allow you to use Windows Autopilot Deployment for HoloLens 2 with a Wi-Fi connection in addition to the regular Ethernet-based connection. This is something that you can get as part of Insider Preview (Build 19041.1364 or above).

What this means is that you do not need to use ethernet to USB C or Wi-Fi to USB C adapter. Instead, all you simply need to do is to connect the device to your available Wi-Fi internet network and deploy the device with Windows Autopilot.

User experience

After the process of configuring Autopilot for HoloLens 2 is complete, you then move on to the provisioning of the HoloLens devices. The Autopilot experience needs internet access and you have several options to choose from. You can connect your device to a Wi-Fi network in OOBE and then let it detect Autopilot experience automatically.

Alternatively, you can use “USB-C to Ethernet” adapters for wired internet connectivity and let HoloLens 2 complete Autopilot experience automatically. And with the third option, you can connect your device with “USB-C to Wifi” adapters for wireless internet connectivity and let HoloLens 2 complete Autopilot experience automatically.

During the next step in the provisioning process, the device will automatically start OOBE and all that is required of you is to let HoloLens 2 detect network connectivity and leave it to complete OOBE automatically. And when the OOBE process is complete, you can then sign in to the device using your user name and password.

Simplifying deployments

Windows Autopilot has provided countless benefits to a lot of organizations by reducing the complex nature of deployments at scale. This cloud-based platform significantly reduces time to productivity and empowers end-users. And so it only makes sense that HoloLens 2 is now able to leverage the capabilities of this fantastic technology. Organizations cannot afford to spend vast amounts of time dealing with deployment scenarios for which fast, cost-effective solutions are available. From medical institutions to academic ones, HoloLens 2 gives you an amazing new way of interacting with information and Autopilot enhances that experience.

Microsoft Intune – New Updates in PowerShell Scripts

Microsoft Intune is one of those brilliant products that has helped to optimize IT infrastructure for many businesses. It’s a platform that can transform your business into a modern workplace. And its capabilities are almost without limit. If you want to upload PowerShell scripts in Intune, there is the Microsoft Intune management extension (IME) that you can use for that. This management extension can enhance Mobile Device Management (MDM) resulting in a simpler move to modern management. With all this done, you can then run these scripts on Windows 10 devices. PowerShell scripts are important in a lot of different use cases and this blog is going to take a look at what this technology can do.

What is PowerShell?

PowerShell is a scripting and automation platform belonging to Microsoft. It’s an amazing product that is both a scripting language as well as an interactive command environment that is built on the .NET framework. Released back in 2006, PowerShell was basically a replacement for Command Prompt as the default method for automation of batch processes and creation of customized system management tools. PowerShell can easily automate laborious admin tasks by combining commands known as cmdlets and creating scripts. Available in all Windows OS starting with Windows 2008R2, PowerShell plays a huge role in helping IT professionals configure systems.

Adopting modern management

Modern workplaces now have plenty of user and business-owned platforms allowing users to work from anywhere. With MDM services like Microsoft Intune, you can manage devices that are running Windows 10. The Windows 10 management client will communicate with Intune to run enterprise management tasks. Windows 10 MDM features will be supplemented by IME. With this in place, you can create PowerShell scripts to run on Windows 10 devices e.g, creating a PowerShell script that does advanced device configurations. Having done this, you can upload the script to Intune and assign the script to an Azure AD group. Then run the script. Moreover, you can monitor the run status of the script from start to finish.

Latest updates from Microsoft

In November 2020, Microsoft announced the general availability of PowerShell 7.1 which is built on the foundation of PowerShell 7.0. The goal was to bring about improvements and fixes to the existing technology. Some of these features, updates, and breaking changes include:

  • PSReadLine 2.1.0, including Predictive IntelliSense
  • PowerShell 7.1 has been published to the Microsoft Store
  • Installer packages have been updated for new operating system versions with support for ARM64
  • 4 new experimental features and 2 experimental features promoted to mainstream
  • A number of breaking changes that improve usability

Using scripts in Intune

Before IME can automatically install when a PowerShell script or Win32 app is assigned to the user or device, a few prerequisites should be met:

  • Windows 10 version 1607 or later, Windows 10 version 1709 or later for devices enrolled using bulk auto-enrollment.
  • Devices joined to Azure AD including Hybrid Azure AD-joined which consists of devices that are joined to Azure AD, and are also joined to on-premises Active Directory (AD).
  • Devices enrolled in Intune namely devices enrolled in a group policy, devices that are manually enrolled in Intune, and co-managed devices that use both Configuration Manager and Intune.

Script policy creation

Start by signing in to the Microsoft Endpoint Manager admin center. From there you’ll select Devices then PowerShell scripts then add. Under Basics, you will then have to provide a name and a description for the PowerShell script. Next, you go to Script settings and you’ll have to enter the required properties. After that, you select Scope tags, however, these are optional. And then select Assignments > Select groups to include and an existing list of Azure AD groups will be shown. Lastly, in Review + add, you’ll see a summary of the settings you configured. Select Add to save the script. When you have done so, the policy is deployed to the groups you chose.

Important considerations

If you have scripts that are set to user context with the end-user having admin rights, by default, the PowerShell script runs under the administrator privilege. Also, end-users don’t need to sign in to the device to execute PowerShell scripts. The IME agent checks with Intune once per hour and after every reboot for any new scripts or changes. In the event of a script failing, the agent attempts to retry the script three times for the next 3 consecutive IME agent check-ins. And as far as shared devices are concerned, the PowerShell script runs for every new user that signs in.

PowerShell scripts limitations

Although with Microsoft Intune you can deploy PowerShell scripts to Windows 10 devices, there are a few limitations worth noting. These include: 

  • You won’t get support for running PowerShell scripts on a scheduled basis.
  • Although you can see whether the PowerShell script execution succeeded or failed, the output generated is only available on the endpoint that executes it and is not returned to the MEM Admin Portal.
  • Since executed PowerShell scripts are visible in the Intune Management Extension log file as plain text, credentials can’t be passed securely.
  • The Intune Management Extension agent responsible for executing PowerShell scripts on the endpoints only checks once an hour for new scripts so there is a delay with execution.

Wrap up

Maximizing the time we have is increasingly a massive concern for most organizations. Technological innovation has made it such that we can have more productive time on our hands. PowerShell is a product that is very useful to IT professionals for overall system management. By being able to automate the administration of Windows OS and other applications, organizations can operate more efficiently. The evolution of this platform since its release fourteen years ago has seen it grow from strength to strength. Undoubtedly, this is a product that can easily boost your productivity.