u/workaccountandshit

▲ 12 r/BMWI4

Future i4 owner here: what are your tips and tricks regarding 'hidden' options, stuff you really should know, ..?

My lease is coming up and I finally got the chance to choose one for myself instead of inheriting the crap my predecessor ordered. BMW i4 eDrive35 with the Harman Kardon speakers, holy shit am I looking forward to that!

But I'd like to know from you experienced drivers if there were things you wish you'd known sooner. Hidden options buried far away in the menus, hidden compartiments that you had no idea of (I actually found one or two in my Q3 but maybe I'm just an idiot), things to keep in mind when using Adaptive Cruise Control start stop, ..?

Thanks for the info!

reddit.com
u/workaccountandshit — 7 days ago
▲ 1 r/Intune

EPM: is there a way to get the requests in e.g. Slack for approval?

I'm looking into EPM, as most of us are doing now I guess, and I like everything except the request feature. I don't want my helpdesk to constantly have to check out the request page. Is anybody aware of some integration into Teams/Slack that alerts when a new request comes in?

I guess it might be doable via Powershell (get requests via Graph, use Slack API to send message) but is anybody aware of some already-made integration?

reddit.com
u/workaccountandshit — 12 days ago

Silly question: how are my devices being onboarded in Defender?

So I inherited an environment with 0 documentation. I can see the devices are all onboarded into Defender just fine (E5 licenses for all users).

My question is: how? I thought via GPO using an onboarding package but 50 % of our devices are Entra joined and don't get GPO's. There's also no config profile for Defender onboarding in Intune.

Defender is linked with Intune but all of the switches are off (Connect Windows devices version 10.0.15063 and above to Microsoft Defender for Endpoint , this one too).

There is a platform script in Intune using the package, but that's assigned to a test group from a few years ago and definitely does not hit new devices.

HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection shows me that a packageGUID is present so I guess that was the method used, but I cannot for the life of me find out where this is coming from. We don't use any third party MDM, it's all Microsoft.

Any help? I'd like to switch it over to using Intune but I need to disable that legacy shit first.

reddit.com
u/workaccountandshit — 14 days ago
▲ 3 r/Intune+1 crossposts

CA with device group as target (so not via device filter)?

Alright, so our shit setup is like this:

We've transitioned from just handing out phones to anyone to actually managing them in Intune via Samsung Knox. We now use Corporate owned - fully managed enrollment so we basically manage everything on the phone.

Cool, cool, but now our CISO is saying 'yeah no, we want to provide a personal profile too' so I am now testing with COPE (corporate owned, personal enabled). The issue I have is the fact that we now have three separate phone management models in place:

- not managed at all

- fully managed by us

- fully managed but allow personal use using a work profile

For those last ones, I was tasked with blocking corporate access in the user's Personal profile but allow it in the Work one. I was able to do this via CA by blocking access to M365, except when the Android OS is AndroidEnterprise. This works fine as the personal Outlook app cannot login but the work one can.

My main issue is the targeting of this CA. If I set it to all users, they won't be able to use their personal phone anymore to log on, hitting about 900 users. I am also not allowed to create an App Protection Policy as that has yet to be approved by the board.

So I created a dynamic group for devices based on the enrollmentProfile attribute. This seems to work as I am blocked on the personal profile Outlook app but the Work one still works. My own personal phone also still works as it's not being targeted since it doesn't have the profile. But when I look in the sign-in logs for that Work Outlook login, it doesn't show any CA policy being targeted, even though MFA was prompted and shit. I'm also very much aware that CA is meant for users, not for devices, and that we should use the Device Filters for this. But I'm already using them for the OS and not sure if mixing rules would be a good idea.

I'm not sure if I'm looking at this the right way but my hands are tied in many ways thanks to the company. Any tips on if I'm doing something wrong?

reddit.com
u/workaccountandshit — 20 days ago
▲ 1 r/Intune

Android COPE: stop corporate account logon in personal Outlook, only allow in Work profile

I see this question has been asked here a few times now. Some said 'use the approved apps option in Conditional Access' but that has since then been deprecated.

I also see other people say 'just use CA' but .. don't offer any extra info. So I'm looking into it now.

At the moment, I am able to log on in Outlook in the personal profile with my corporate account. I could use an app protection policy but how would Entra distinguish between the work and personal profile? Outlook = Outlook, no?

Any tips for me and future adventurers?

Edit: So I tried using the EnrollmentProfileName attribute to filter on in the CA, but Entra cannot read that attribute if the end user does not fully register the phone using the Intune app. That's something I was trying to avoid, so that sucks.

All I need is an APP with a setting like 'is this a managed device/profile'? Fuck me, can't get this shit to work.

reddit.com
u/workaccountandshit — 26 days ago