I had the privilege of speaking at an event for enthusiasts of the Microsoft EMS+S, Azure and System Center stack, held on 29th September 2017 in Myanmar and backed by Microsoft Myanmar. I spoke about EMS+S and the Microsoft System Center stack in two separate sessions; the Azure IaaS topic was covered by Microsoft Myanmar. There were about 20 attendees on the day.
If you manage your iOS devices through Microsoft Intune, renewal of the Apple push certificate is something you need to keep in mind. In the new Intune portal there is no way to configure a warning or alert as there was in the old Intune portal; the only option is to keep an eye on the new portal for the warning. Keeping the certificate valid is critical, and this post shows how to renew it. On the very first screen you can see “Push Certificate Expiring in 35 days”, so we must renew this certificate for Apple device management to keep working.
Step 1- Let's start renewing the certificate. As the first step, download the CSR file, which you will upload to the Apple push certificate creation portal.
Step 2- After you download the CSR file, upload it to the Apple Push Certificate Portal. You need your Apple ID and password for the certificate creation/renewal.
Apple Push Certificate Portal – https://identity.apple.com/pushcert/
Step 3- Enter the user name and password and hit Enter.
Step 4- Once you have logged in to the Apple portal, you will see the Apple MDM certificate that needs to be renewed and that is going to expire in 35 days. Since we are going to renew the certificate, just click the Renew button.
Step 5- Once you click the Renew button, it asks you to upload the downloaded .csr file. Choose the .CSR file from the location you downloaded it to in the previous step and click Upload.
Step 6- Once the .CSR file upload process completes, just click the Upload button as below.
Step 7- Once the upload finishes, you get a confirmation page as below, and it is time to download the renewed Apple Push Certificate, which we have to upload back to the Intune portal.
Step 8- Once the renewal completes in the Apple portal, you can see the expiry date of the certificate extended until March 19, 2019.
Step 9- In this step, as highlighted in the screen below (in Option 3), enter the Apple ID which you used to renew the Apple certificate. Once that is done, upload the downloaded renewed Apple Push Certificate and click Upload.
Step 10- Once the upload completes, go back to Intune and check the certificate status.
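Because the new portal offers no alert for the push certificate, the check has to be done by hand or scripted. The script below is an added example, not code from the original post: it reads the certificate's expiry date through Microsoft Graph and exits non-zero when fewer than 35 days remain, so it can run from a scheduled task or a monitoring job. It assumes the Microsoft.Graph PowerShell module is installed and that the Graph endpoint deviceManagement/applePushNotificationCertificate returns the expirationDateTime and appleIdentifier properties used here; those names are assumptions, not something stated on this page.

```powershell
# Added example: warn before the Intune Apple MDM push certificate expires.
# Assumes the Microsoft.Graph module; endpoint and property names are assumptions.
param([int]$WarnDays = 35)   # the portal starts warning at 35 days, so alert from the same point

Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All'

$uri  = 'https://graph.microsoft.com/v1.0/deviceManagement/applePushNotificationCertificate'
$cert = Invoke-MgGraphRequest -Method GET -Uri $uri

$expires  = [datetime]$cert.expirationDateTime
$daysLeft = [int]($expires.ToUniversalTime() - (Get-Date).ToUniversalTime()).TotalDays

[pscustomobject]@{
    AppleId   = $cert.appleIdentifier   # renewal must be done with this same Apple ID (see Step 9)
    ExpiresOn = $expires
    DaysLeft  = $daysLeft
}

if ($daysLeft -le $WarnDays) {
    Write-Warning ("Apple push certificate expires in {0} days; renew it at " +
                   "https://identity.apple.com/pushcert/ with Apple ID {1}." -f $daysLeft, $cert.appleIdentifier)
    exit 1   # non-zero exit code lets the scheduler or monitoring tool raise the alert
}
```

Recording the Apple ID alongside the expiry date matters because the renewal in Step 9 must be done with the account that created the certificate; letting the certificate lapse or renewing it under a different Apple ID breaks the MDM relationship with every enrolled device.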
Recently, Microsoft announced a set of new Information Protection features, focusing especially on GDPR compliance. These are in preview form.
Here are the various blogs that went out yesterday:
Some of the coolest features they announced were as below:
- General availability of Azure Information Protection scanner
- Private Preview of native labeling of Word, PowerPoint, and Excel files on Mac
- Private Preview of unified labeling and protection schema in Office 365 and Azure Information Protection
- Private Preview of Information Protection SDK for labeling and protection
- Preview on native labeling of files in SaaS apps with integration of Azure Information Protection and Microsoft Cloud App Security
- Office 365 Message Encryption Encrypt Only functionality
- Preview of Information Protection administrator role
For further information you can refer to the link below.
Why do we need to enable the Azure RMS Super User role? The very high-level answer is as follows. Suppose you need to access a document that someone has already protected, that employee has since left the company, but management still needs to access all the documents that user protected with certain permissions. In such cases the best option is the Super User role. So let's see how we activate this role and assign users to it.
Step 1– First you must install the Azure Rights Management PowerShell module on your PC. The steps for installing the Azure PowerShell module are already published in my previous post; click HERE to access that post.
Step 2– Next, connect to the Azure Rights Management service as follows;
Step 3– Once connected to the Azure RMS service, PowerShell shows the result as follows;
Step 4– Next we must enable the Super User feature. Use the command below for that.
Step 5– In this step, we assign a user to the Super User role.
Add-AadrmSuperUser -EmailAddress email@example.com
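The five steps above in one script, as an added example that is not code from the original post. It uses the AADRM module cmdlets the post relies on (Connect-AadrmService, Enable-AadrmSuperUserFeature, Add-AadrmSuperUser); the same cmdlets exist with the Aip prefix in the newer AIPService module that replaced AADRM. The address email@example.com is the post's own placeholder and stands for the account that must open the departed employee's documents.

```powershell
# Added example: enable the Azure RMS super user feature, assign one super user, verify, and clean up.
# Uses the AADRM module (AIPService module: Connect-AipService, Enable-AipServiceSuperUserFeature, ...).
Import-Module AADRM
Connect-AadrmService                      # prompts for a Global Administrator or AIP administrator account

# The feature is off by default; turn it on only while the recovery is needed.
if ((Get-AadrmSuperUserFeature) -ne 'Enabled') {
    Enable-AadrmSuperUserFeature
}

$superUser = 'email@example.com'          # placeholder from the post: the account that needs access
Add-AadrmSuperUser -EmailAddress $superUser

# Verify who holds super user rights; every entry here can decrypt all protected content in the tenant.
Get-AadrmSuperUser

# Keep a record of the administrative actions taken above for the audit trail.
Get-AadrmAdminLog -Path .\aadrm-admin-log.txt

# When the documents have been recovered, remove the assignment and disable the feature again:
# Remove-AadrmSuperUser -EmailAddress $superUser
# Disable-AadrmSuperUserFeature
Disconnect-AadrmService
```

Get-AadrmSuperUser is the line worth running regularly even outside a recovery: a super user can open anything the tenant has protected, so the list should be short, known, and reviewed.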
Based on the new options added to the Azure RMS portal, under the Settings menu in the scoped and global policies you can do certain customization, for example showing the Information Protection bar in Office apps.
The screen below shows the settings for the option mentioned above.
If you turn the Do Not Forward button OFF, it removes the option below from the Outlook ribbon; the button is a shortcut compared with going through the Options tab in the new email window.
The screen below shows what happens when you set the option to OFF.
The result is as follows;
The final one is about Custom Permissions. As you know, the AIP tool has an option that allows users to select custom permissions when sharing documents. If you don't want your users to have this option, you can remove it from the AIP tool menu.
Setting it to OFF removes the highlighted option below;
Microsoft's Enterprise Mobility + Security (EMS) is a combination of products in Microsoft's portfolio. At first glance it relates to the modern workspace. Right now, when we talk about the modern workspace, the first things that come to mind are how secure we are and whether the workspace is really comfortable for our users. Considering all this, Microsoft has bundled the five components below into Microsoft EMS+S.
- Azure Active Directory Premium
- Microsoft Intune
- Azure Rights Management
- Microsoft Advanced Threat Analytics (ATA)
- Cloud App Security (CAS)
All in all, you can think of Microsoft EMS+S as a device-management and identity-management suite. In a cloud-based world where employees want to work from all of their devices, Microsoft EMS+S lets your IT team gain maximum security and control.
Azure Active Directory Premium edition is a paid offering of Azure Active Directory and it includes the following features:
- Self-service password reset
- Company branding
- Group-based application access
- Self-service group management
- Advanced security reports and alerts
- Multi-Factor Authentication
- Forefront Identity Manager (FIM)
As part one of the EMS+S series, today I am going to enable one feature that falls under Azure Active Directory Premium (AAD): password reset.
So let's see how we enable password reset for your users.
Set Up Self Service Password Reset in Office 365 (Cloud Identities)
Set up SSPR
1. Sign in to the Azure Portal https://portal.azure.com/
2. Choose More Services -> Azure Active Directory
3. Select Password reset
4. Under Properties, select All for Self service password reset enabled.
5. [OPTIONAL] Selecting Selected for Self service password reset enabled lets you control the set of users who can reset their passwords; users' group membership controls this restriction. (If you chose to restrict access to password reset, move to step 6; otherwise skip to step 7.)
6. [OPTIONAL] Under Select groups, pick the security or distribution groups that contain the users who will have access to SSPR.
7. Next, under Authentication methods, select the alternate identity verification methods available to users.
8. Number of methods required to reset configures the minimum number of alternative identity verification methods a user must have registered in order to reset the password.
9. Next, under Registration, select Yes or No for Require users to register when signing in? (Selecting Yes forces users to register alternative identity verification methods when they sign in. Otherwise the administrator will have to set identity verification options for users manually or direct users to https://account.activedirectory.windowsazure.com/PasswordReset/Register.aspx to set this information. If you choose Yes, move to step 10; otherwise skip to step 11.)
10. Enter a value for Number of days before users are asked to re-confirm their authentication information. (This value controls the number of days before the service prompts users to verify/update their alternative identity verification information. You can specify a number between 1 and 730. Setting 0 means users are never asked to verify/update their alternate identity verification methods.)
11. Under Notifications, you can enable notifications to be sent to users when they reset their own passwords through SSPR.
12. Selecting Yes for Customize helpdesk link allows you to set a custom email address or URL for the Contact your administrator link in the password reset wizard.
13. Enter the desired URL or email address for the help desk if you selected Yes for the option above.
Users Registering for SSPR
14. If you enabled registration at sign-in, users are asked to set up the alternate identity verification methods. (This is the same screen users see when they open the self-service password reset registration URL manually.)
15. To set up the authentication phone, click Set it up now. Select the country, enter the phone number, and select either text me or call me.
16. If you choose to have Microsoft call you, you need to answer the call and press the # key to verify the number. If you choose to receive a text message, as seen below, you have to enter the verification code it sends.
17. To set up the authentication email address, click Set it up now. Enter the email address and click email me. Once you receive the email with the verification code, enter it and verify.
18. Once you have set up at least the minimum number of authentication methods required by the administrator, you can click Finish.
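Steps 8 and 9 decide how many methods a user must hold and whether registration is forced at sign-in; the gap between those settings shows up as users who are in scope for SSPR but cannot actually reset. The script below is an added example, not code from the original post, that lists those users from the Azure AD authentication-methods registration report. It assumes the Microsoft.Graph PowerShell module and the Graph endpoint reports/authenticationMethods/userRegistrationDetails with the isSsprEnabled, isSsprRegistered, isSsprCapable and methodsRegistered properties; those names are assumptions, not something this post states.

```powershell
# Added example: find users who are allowed to use SSPR but have not registered enough methods.
# Assumes the Microsoft.Graph module; endpoint and property names are assumptions.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

$uri  = 'https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails'
$rows = @()
do {                                      # the report is paged; follow @odata.nextLink until it is empty
    $page  = Invoke-MgGraphRequest -Method GET -Uri $uri
    $rows += $page.value
    $uri   = $page.'@odata.nextLink'
} while ($uri)

$report = foreach ($u in $rows) {
    [pscustomobject]@{
        User           = $u.userPrincipalName
        SsprEnabled    = $u.isSsprEnabled      # in scope of the policy (All, or a selected group from step 6)
        SsprRegistered = $u.isSsprRegistered   # has registered at least one method
        SsprCapable    = $u.isSsprCapable      # meets "Number of methods required to reset" (step 8)
        Methods        = (@($u.methodsRegistered) -join ',')
    }
}

# These users would be turned away by the reset wizard today; point them at the registration URL in step 9.
$notReady = $report | Where-Object { $_.SsprEnabled -and -not $_.SsprCapable } | Sort-Object User
$notReady | Format-Table -AutoSize
$notReady | Export-Csv -Path .\sspr-not-ready.csv -NoTypeInformation
```

Run it after enabling SSPR and again after the re-confirmation period from step 10 has elapsed; a user whose registered methods drop below the required count stops being capable even though the policy still covers them.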
When we talk about data classification and data protection, one major concern customers raise is whether there is an audit trail to identify who changed the classification of a document. In case of an audit requirement, they may need to check who made the changes. However, so far the log files are stored on the individual machines, not in a central database or in the cloud, so we have to collect the details from each machine. There are a few logs you need to go through, and all of them can be seen in Event Viewer.
There are a few logs you will need for administration or auditing.
The events include the following information:
- Date, client version, policy ID
- Signed in user name, computer name
- File name and location
  - Set label: Information ID 101
  - Set label (lower): Information ID 102
  - Set label (higher): Information ID 103
  - Remove label: Information ID 104
  - Recommended tip: Information ID 105
  - Apply custom protection: Information ID 201
  - Remove custom protection: Information ID 202
  - Sign in (operational): Information ID 902
  - Download policy (operational): Information ID 901
Further, the Azure Information Protection client files are located in three locations, as below;
- For 64-bit operating systems: \Program Files (x86)\Microsoft Azure Information Protection
- For 32-bit operating systems: \Program Files\Microsoft Azure Information Protection
Client log files and currently installed policy file:
- For 64-bit and 32-bit operating systems: %localappdata%\Microsoft\MSIP
In my next blog I will show you how to collect all these logs into one location and do the auditing there rather than searching through individual machines. For the moment the configuration is still in progress; I am trying to use OMS and a syslog server for this process. Let's hope for the best and wait for the outcome.
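Until the central collection is in place, the event IDs listed above can be pulled from each machine over the network with Get-WinEvent and merged into one CSV. The script below is an added example, not code from the original post or from the AIP client: it reads the label and protection events (IDs 101 to 105, 201 and 202; the operational 901 and 902 are skipped) from a list of computers and writes one table. It assumes the AIP client writes to an event log named "Azure Information Protection" under Applications and Services Logs; that log name, and the computer names PC01 and PC02, are assumptions for the example.

```powershell
# Added example: gather AIP client labeling and protection events from several machines into one CSV.
# Assumes the client log is named 'Azure Information Protection' (an assumption, not stated on the page).
$AipLogName = 'Azure Information Protection'

# Event IDs from the list above, mapped to the action they record.
$LabelEventIds = @{
    101 = 'Set label'
    102 = 'Set label (lower)'
    103 = 'Set label (higher)'
    104 = 'Remove label'
    105 = 'Recommended tip'
    201 = 'Apply custom protection'
    202 = 'Remove custom protection'
}

function Get-AipLabelEvents {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,   # remote reads need the Remote Event Log Management firewall rule
        [int]$Days = 7
    )
    $filter = @{
        LogName   = $AipLogName
        Id        = [int[]]$LabelEventIds.Keys
        StartTime = (Get-Date).AddDays(-$Days)
    }
    foreach ($computer in $ComputerName) {
        try {
            # Get-WinEvent throws when the log is missing or holds no matching events; report and continue.
            $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
        } catch {
            Write-Warning ("{0}: {1}" -f $computer, $_.Exception.Message)
            continue
        }
        foreach ($e in $events) {
            [pscustomobject]@{
                Computer = $computer
                Time     = $e.TimeCreated
                EventId  = $e.Id
                Action   = $LabelEventIds[$e.Id]
                UserSid  = $e.UserId
                # The message text carries the signed-in user, file name and location, and policy ID.
                Message  = ($e.Message -replace '\s+', ' ')
            }
        }
    }
}

# Constructed computer names for the example; replace with the machines under audit.
Get-AipLabelEvents -ComputerName 'PC01', 'PC02' -Days 30 |
    Sort-Object Time |
    Export-Csv -Path .\aip-label-audit.csv -NoTypeInformation
```

The resulting CSV answers the auditor's question (who changed which label, where and when) per machine; once the OMS or syslog pipeline mentioned above is working, the same event IDs are the ones to forward from the client log.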