Tag: Intune

  • Adding a language pack using Proactive remediations

    One of the features of Intune is Proactive Remediation. This allows administrators to create scripts that automatically fix issues on devices before users even notice them. Adding a language pack using a Proactive Remediation script is a straightforward process. I will guide you through the steps in this article.

    I have been using this method to add additional language packs to my Windows 365 deployments. This is of great use to organizations that are multi-geographical.

    Creating the scripts

    First, we will create a language pack installation script. This is split into two parts. One part detects whether the required language is installed on the device. The other installs the appropriate language pack.

    The first script here uses some basic PowerShell to detect what languages are installed on a system and verifies if the one required is installed.

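    # List the language packs installed on this device
    $OSInfo = Get-CimInstance -ClassName Win32_OperatingSystem
    $languagePacks = $OSInfo.MUILanguages

    # Exit 0 = language present, Exit 1 = remediation script should run
    if ($languagePacks -contains "de-DE") {
        Write-Output "Installed"
        exit 0
    }
    else {
        Write-Output "Not installed"
        exit 1
    }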

    We will leverage the LanguagePackManagement Module to install the required languages. This downloads and installs the language components for the specified language.

    Install-Language de-DE

    Additionally, you have the option to directly enable the new language pack by using the following command:

    Install-Language de-DE -CopyToSettings
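
    A more defensive version of the remediation script, added here as an example and not part of the original article. The `$RequiredLanguage` variable and the output messages are illustrative assumptions; the presence check is the same one the detection script uses.

    ```powershell
    # Added example: remediation script with explicit failure handling.
    # $RequiredLanguage and the messages are illustrative, not from the article.
    $RequiredLanguage = 'de-DE'
    $ErrorActionPreference = 'Stop'   # turn cmdlet errors into catchable exceptions

    try {
        # Install-Language ships in the LanguagePackManagement module. Older
        # Windows builds do not have it, so fail with a clear message.
        if (-not (Get-Command -Name Install-Language -ErrorAction SilentlyContinue)) {
            Write-Output "Install-Language is not available on this OS build"
            exit 1
        }

        # Skip the download when the pack is already present
        # (same check as the detection script).
        $installed = (Get-CimInstance -ClassName Win32_OperatingSystem).MUILanguages
        if ($installed -contains $RequiredLanguage) {
            Write-Output "$RequiredLanguage already installed"
            exit 0
        }

        # Download and install the language components.
        # Append -CopyToSettings to also enable the language directly.
        Install-Language -Language $RequiredLanguage | Out-Null
        Write-Output "$RequiredLanguage installed"
        exit 0
    }
    catch {
        # Keep the failure reason on one line and signal failure to Intune.
        Write-Output "Failed to install ${RequiredLanguage}: $($_.Exception.Message)"
        exit 1
    }
    ```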
    

    Warning! Please verify that these scripts we created earlier are saved in UTF-8 encoding.

    Creating the script package

    After creating the language pack installation script, we should create the Proactive Remediation script package in Microsoft Intune. To do this, log in to the Intune portal and navigate to Reports. Click on “Endpoint Analytics” and select “Proactive remediations”.

    After clicking on “Create script package”, give the script package a name, a description and a publisher.

    The next step is to select the scripts that we created in the initial step, one for the “Detection script file” and one for the “Remediation script file”.

    Make sure to set the slider for “Run script in 64-bit PowerShell” to “Yes”.

    Finally, we should assign the policy. To do this, navigate to the Assignments section of the policy and select the group that the policy should apply to.

    Additionally, you can also change the schedule and filter for specific devices.

    Conclusion

    Adding a language pack using a Proactive Remediation script is a straightforward process that can save administrators time and ensure that devices are always running in the correct language.

    By following the steps outlined in this article, administrators can easily create a language pack installation script and create a Proactive Remediation script to automate the installation process.

  • Enroll an Android device in Microsoft Intune

    The newly created AVD, from our last post, should be managed within Microsoft Intune. Microsoft Intune provides a range of options for managing and securing Android devices. Some of the key features include:

    • Device enrollment: Allows users to easily enroll their Android devices in Microsoft Intune and access corporate data.
    • Policy management: Enables administrators to configure policies that control how devices can be used, for example password policies and enforced encryption.
    • Compliance monitoring: Provides the ability to monitor compliance with corporate policies and take action if any devices are not compliant.
    • Mobile application management: Allows organizations to securely distribute and manage corporate apps on Android devices.
    • Remote actions: Provides the ability to remotely wipe data from a device or perform other actions if necessary.

    There will be more in-depth guides on the capabilities of Microsoft Intune. In this article we will keep it simple and start with how to enroll an Android device.

    Android Device Management

    Enrolling an Android device into Microsoft Intune is a simple process. This will directly enable you to manage and secure mobile devices.
    There are three main methods of enrolling a device:

    • Android Enterprise (AE): Most up-to-date and secure method
    • Android Device Administrator (DA): It is encouraged to migrate to AE
    • AOSP: Method for devices that aren’t integrated with Google Mobile Services

    The focus here will be on Android Enterprise, because this is the most versatile method with applications for BYOD, personal- and corporate-owned devices.

    Android Enterprise

    Android Enterprise is a set of features and services provided by Google that enables organizations to manage and secure the Android devices used by their employees. This can include features such as the ability to remotely lock or wipe a device, enforce password policies, or restrict access to certain apps or data. With Intune, organizations can take advantage of these features to manage and secure their Android devices and ensure that they are used in a way that aligns with their security and compliance policies. This helps organizations protect their data and prevent unauthorized access to sensitive information. It also allows employees to use their own Android devices for work purposes. When using Android Enterprise, there are two main modes of deployment: fully managed devices and work profiles.

    Fully Managed

    This method allows users to enroll their Android device as a fully managed device. This gives the organization complete control over the device and access to all of its features and functions.

    Fully managed devices are completely owned and controlled by the organization. This means that the organization can install any app, configure any settings, and enforce any policies on the device. This is typically used for devices that are provided by the organization and used exclusively for work purposes.

    Work Profile

    A work profile is a separate, secure profile on the device used for work purposes. In this mode, the employee still has their own personal space on the device. The organization can only manage and control the work profile. It cannot access or modify the personal space on the device. This is typically used for employee-owned devices, enabling employees to use their own device for both work and personal purposes.

    The main difference between the two modes is the level of control the organization has over the device. With fully managed devices, the organization has complete control over the device. With a work profile, the organization only has control over the work profile. This allows employees to maintain their privacy on their own devices while still allowing the organization to manage and secure its work data.

    Microsoft Intune

    Android Enterprise

    Prerequisites

    Before starting with an enrollment profile, you must link a “Managed Google Play” account to Microsoft Intune. For this, you must have set up a managed Google Play account.

    Afterwards, you can use Intune to manage and distribute apps from Managed Google Play to your Android devices.

    Enrollment Profiles

    By default the “Personally-owned devices with work profile”-option is enabled. We need no additional configuration for this.

    Android Device Enrollment

    User-Driven Enrollment

    To enroll an Android device using the Intune Company Portal app, users simply need to download the app from the Google Play Store and sign in with their organizational credentials. Once logged in, the app will guide users through the enrollment process, allowing them to enroll their device in a matter of minutes.

    Automated Enrollment

    Zero-touch enrollment is a method of automated enrollment that allows organizations to enroll Android devices in Intune directly from the manufacturer or reseller. In this method, the organization provides the manufacturer or reseller with their enrollment configuration. You can automatically enroll devices in your mobile device management (MDM) solution when shipped to the user. This pre-configures the devices with their desired settings and policies. This ensures that they are ready for use as soon as received.

    In conclusion, enrolling an Android device into Microsoft Intune is a simple process. It can be done using user-driven or automated enrollment. Each of these methods provides organizations with the ability to manage and secure their mobile devices, ensuring that sensitive data is protected and that employees have access to the tools they need to be productive.

  • Creating an Android Virtual Device (AVD)

    I am a fond believer of the concept “Seeing is believing”. Does that mean that I will test everything? No, probably not. But I will at least try to! Today the goal is to create an Android Virtual Device (AVD).
    Further down the road, we will enroll these in Microsoft Intune.

    For those of you that don’t know Microsoft Intune yet, it is a cloud-based unified endpoint management solution. Intune provides a central console for monitoring, configuring, and managing mobile devices and applications across multiple platforms, including iOS, Android, Linux, Chrome OS and Windows. It also provides a comprehensive set of tools for managing mobile applications, such as managing the distribution, installation, and usage of apps. All of this helps to improve productivity and reduce costs.

    Creating an Android Virtual Device (AVD)

    First of all, we will be creating an Android Virtual Device (AVD). AVD is an emulator that is part of Android Studio. It is a great tool for developers to test their apps on different versions of Android. With AVD, different versions of Android and different hardware configurations can be simulated.

    However, that is not how we are intending to use it. In this article we will create an Android Virtual Device. This is helpful for those who don’t have access to physical Android devices. The AVD can be used to test out Intune policies and apps.

    Creating an Android Virtual Device (AVD)

    The process of creating an AVD is fairly straightforward within Android Studio. In addition, this software is freely available and has the following pre-requisites:

    • 16GB RAM
    • 64-bit Windows, macOS, Linux, or Chrome OS operating system
    • 16GB disk space

    After installing and verifying the prerequisites, we will be configuring the AVD in Android Studio:

    • Open Android Studio and select “Virtual Device Manager” from the “More Actions” drop-down menu.
    • Click the “Create device” button
    • Select a device definition, with or without Play Store
    • Select the system image for the preferred Android version
    • Configure the AVD hardware settings.
    • Click the “Finish” button to create the AVD.

    Select the AVD you created and click the “Start” button to launch the AVD.

    Configure hardware acceleration in Windows


    Lastly, some configuration changes should be made to Windows. This will enable hardware acceleration of the emulator. This is an optional step: you can still use the emulator without it, but it will be slower and may not perform as well.

    First, you must ensure that your computer has a processor that supports virtualization and that the feature is enabled in the BIOS. Then, you can follow these steps:

    1. Open the Start menu and type “Turn Windows features on or off” into the search box.
    2. Click on the “Turn Windows features on or off” option that appears in the search results.
    3. In the Windows Features window, scroll down and check the box next to “Hyper-V”.
    4. Click on the “OK” button to enable Hyper-V on your computer.

    This will enable Hyper-V acceleration for the Android emulator, which can improve its performance. Make sure that the AVD you are creating is using an x86_64 or x86-based system image.
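
    The prerequisites above can also be checked from an elevated PowerShell session. This is an added example, not part of the original post; the function name and the output property names are illustrative assumptions.

    ```powershell
    # Added example: report whether virtualization and the Hyper-V feature
    # are in place for emulator acceleration. Run from an elevated session.
    function Get-EmulatorAccelerationReadiness {
        $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
        $cs  = Get-CimInstance -ClassName Win32_ComputerSystem

        # Once a hypervisor is running, VirtualizationFirmwareEnabled can
        # report False, so treat a running hypervisor as proof of support.
        $virtualizationOn = [bool]($cs.HypervisorPresent -or
                                   $cpu.VirtualizationFirmwareEnabled)

        # The feature is absent on some Windows editions; handle that case.
        $feature = Get-WindowsOptionalFeature -Online `
            -FeatureName 'Microsoft-Hyper-V-All' -ErrorAction SilentlyContinue
        $state = if ($null -eq $feature) { 'NotPresent' } else { [string]$feature.State }

        [pscustomobject]@{
            VirtualizationAvailable = $virtualizationOn
            HypervisorRunning       = [bool]$cs.HypervisorPresent
            HyperVFeatureState      = $state
            Ready                   = $virtualizationOn -and ($state -eq 'Enabled')
        }
    }

    Get-EmulatorAccelerationReadiness
    ```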

    In conclusion, we are left with an Android Virtual Device (AVD) on Windows with all the necessities in place to have hardware acceleration and still be able to use Hyper-V.
    Our next step will be to enroll this device in Microsoft Intune, just as described in my next post.