News

Azure Active Directory Groups Coming to Intune

• By Kurt Mackie
• 08/31/2016

Starting in September, Intune mobile management service for its Azure Active Directory Group will be making a switch.

However, the switchover to Azure Active Directory Groups, or "security groups" as Microsoft also calls it, is just for Microsoft Intune "standalone" implementations. That is, it's for subscribers to the purely online Intune service. It's not described as affecting so-called "hybrid" Intune users. Hybrid users run the Intune service integrated with System Center Configuration Manager, a management tool that runs on an organization's infrastructure.

Organizations typically use the Groups capability to specify policies for users or devices. Apparently, there's somewhat of functional overlap right now between two approaches, and Microsoft has decided to deprecate the Intune version.

Single Groups Tool
Microsoft indicated that it is changing over to Azure AD security groups management in Intune in response to customer feedback. Organizations want "one grouping and targeting experience across Enterprise Mobility + Security," Microsoft explained in a notice. Enterprise Mobility + Security, or "EMS," is Microsoft's new name for its Enterprise Mobility Suite licensing bundle that includes Microsoft Intune, Windows Azure Rights Management Services and Azure Active Directory Premium. Microsoft made that product name change back in July.

Some new capabilities will be available with Azure AD security groups. Microsoft suggested there will be some PowerShell scripting benefits and better extensibility with Microsoft Graph, which surfaces organizational information.

"The new experience will keep you from having to duplicate groups between services, and provides extensibility using PowerShell and Graph," Microsoft's notice explained.

One of the new capabilities coming with Azure AD Security Groups will be the ability to "dynamically group devices based on platform." For instance, under this scheme, new iOS devices will be automatically enrolled into an iOS device group when added.

Organizations also will lose some functionality with the switchover. For instance, they won't be able "to exclude members or groups when you create a new group." Instead, they can use "advanced rules" for the purpose. Also, there won't be support for any "Ungrouped Users" and "Ungrouped Devices" that an organization may have created. Additionally, organizations "won't be able to group Exchange ActiveSync devices" with the new approach.

The new Azure AD security groups management capability, when available for Intune subscribers, will simply show up. It will appear in a "new Azure-based Intune admin portal," according to a "What's new" Microsoft announcement. The switch will happen in phases. Only new Intune customers will be affected when the transition kicks off in September. Existing Intune customers will migrate over to the new Azure AD security groups approach starting in November. Here's how Microsoft's notice characterized the migration:

All user and device groups in Intune today will be migrated to Azure AD security groups. Migration will be done in batches starting in November. We won't start migrations until we can minimize any impact to your day-to-day work and expect no end-user impact. We will also provide you a notice prior to your account's migration.

Trident iOS Security Flaw
Microsoft last week highlighted its partnership with Lookout on a so-called "Trident" security flaw in iOS devices.

Trident refers to three zero-day iOS vulnerabilities that were used by the NSO Group in a spying tool called "Pegasus." Israel-based NSO Group, acquired in 2010 by U.S.-based Francisco Partners Management, makes spying tools for governments. The Trident flaw was uncovered by Lookout and Citizen Lab, part of the Munk School of Global Affairs at University of Toronto, after Pegasus was used to target human rights advocate Ahmed Mansoor. Presumably, United Arab Emirate authorities were using Pegasus to jailbreak Mansoor's mobile device to collect spying information.

An announcement by Lookout last week stated that the Trident flaws are patched in Apple's iOS 9.3.5 release, so staying up to date is one way to avoid such security breaches. Microsoft also touted Intune's capability to compel updates on mobile devices as a security measure.

Mobile Changes
Microsoft also announced a bunch of Intune mobile management changes last week in its "What's new" post. For instance, Intune now includes mobile application management policies for Yammer apps, both for Android and iOS devices, Microsoft announced. In September, Microsoft is planning to start deprecating company portal apps for Windows 8 and Windows Phone 8, so those devices using the company portal apps will have to be upgraded to Windows 8.1 and Windows Phone 8.1.

On the Android side, Intune supported Android 7.0 on Day 1 of its release, Microsoft has noted. However, Google also removed the ability of IT pros to remotely reset the passwords of Android 7.0 users. Apparently, there's no workaround, so remote password reset capability is gone with Android 7.0.

Going away from the Google Play store this month will be Viewer apps. Instead, there will be a single Rights Management app for Android devices. This RMS sharing app should be used instead of Intune AV Viewer, Intune PDF Viewer and Intune Image Viewer, Microsoft indicated.

IT pros can now list apps in Intune that are blocked from running on Samsung KNOX devices. They can also specify which apps can be installed from the Google Play store in a white-list type of approach.

In September, users of the Android company portal will see a new Notifications icon. It will show items that need attention, "such as device non-compliance, enrollment update, and enrollment activation," Microsoft indicated.

On the Apple iOS side, Microsoft plans to release a new "Microsoft Intune Managed Browser app for iOS" devices this month that will only support iOS 8.0 or later devices.

Organizations using iOS 9.3 or later versions now have new policy choices this month. IT pros can specific applications to be hidden from users, which can't be launched by end users. Alternatively, IT pros can specify only the apps that users can launch.

iOS users of the Microsoft Intune Company Portal app will be required to use the latest version, starting in September, Microsoft announced. This version requires iOS 8.0 or later. The Company Portal app will get some user interface changes, too, but organizations will also get some restrictions.

"Currently, Apple restrictions prohibit line-of-business and managed app store apps from being listed in the Company Portal app, and require users to visit different views to find all of their apps," Microsoft's announcement explained.