Adventures With Microsoft AutoPilot On Education Shared Devices (Part 2)
Last week I posted Part 1 of this blog series, exploring how schools can automate the configuration and deployment of their shared devices using Microsoft AutoPilot and Intune. Again, if AutoPilot is new to you, then I encourage you to watch this very short video explaining how it works:
Since writing Part 1, I also found this great blog post specifically on this topic from January 2019 which included this helpful graphic:
As this blog post will be a little longer (and more technical) I’m going to give you a breakdown of what is to come so you can skip to the sections relevant to you:
- Part One (read this blog post here):
- Identity – why use a cloud identity?
- Why use AutoPilot?
- Configuring Autopilot
- Enrolling your device
- Part Two:
- Intune vs Intune for Education
- What are CSP?
- Building a custom CSP Policy
- Using LOB App Deployment in Intune
Now it’s worth stating at this stage that I am not an IT administrator by profession. Whilst I’m probably more technical than many, I’ve got the following working through a combination of relying on the detailed guides in the Microsoft Docs and awesome technical colleagues who have shared some of their expertise with me. Additionally, like you, I read a bunch of blogs to see how people have done this in the past. This blog is a small contribution to the community who like to learn from others’ experiences. If you’re reading this and are more technical than me and see some improvements or corrections in what I’ve done – I’d love to hear from you in the comments section below.
With that said, let’s get started!
Intune vs Intune for Education
Intune as a standalone Mobile Device Management (MDM) tool has been around for a long time; Intune for Education, however, was only launched in 2017.
A key point to clarify is that both versions use the same backend system to manage the configurations – Intune for Education is really just a simplified interface for educators to leverage. If you make a change in Intune for Education, it’s reflected in the equivalent settings inside of Intune (and vice versa).
I’ve written a more detailed blog about when to decide which version to use that you can read here. In short, I commonly ask the following questions to help schools decide which version to use:
- Are you only going to be managing Windows 10 devices?
- Yes? Use Intune for Education
- No? Use full Intune for multi-OS management
- Will teachers and other less technical people be wanting to manage settings and push applications?
- Yes? Use Intune for Education if possible (see above re: Win10) as the interface is simplified and very easy for non-technical people to use.
- No? Use either, if you’re more comfortable with a large amount of settings and configuration options then the full version of Intune will be more valuable.
- Do you have advanced configuration settings and policies you want to configure on the devices you’re managing (e.g. replicating Group Policy)?
- Yes? Use the full version of Intune standalone as this has significantly more settings and options
- No? Use Intune for Education if dealing only with Windows 10.
Remember, the important thing to get this working is to use AzureAD as your underlying identity management. You can get a lot of assistance from the Microsoft Education Documentation and Resources link.
It is worth pointing out that since Intune for Education was first released, new features have been added to it, including the ability to manage iPads in late 2018 – really helpful for schools that want to develop a “single pane of glass” for configuring and deploying all their educational devices.
What Are CSP?
CSP stands for Configuration Service Providers and the best place to get started if you have no knowledge of this is here – CSP For Beginners.
A CSP is an interface in the client operating system between configuration settings specified in a provisioning document and configuration settings on the device. Their function is similar to that of Group Policy client-side extensions in that they provide an interface to read, set, modify, or delete configuration settings for a given feature. Typically, these settings map to registry keys, files or permissions. Some of these settings are configurable and some are read-only.
The reference to Group Policy client-side extensions above is important and useful because most IT Admins are familiar with these, and when you explain that CSP achieve the same outcome but are managed out of the cloud from an MDM like Intune, they generally get the concept quite quickly.
In essence, a CSP lets you allow or restrict functionality on an end device – in this case we will primarily be talking about Windows 10 – such as whether the Edge web browser may show search suggestions. Some of these settings are exposed in the Intune GUI; others have to be created manually with a Custom CSP Policy (read on below for an example). To return to the Edge example, the Intune policy that allows search suggestions in the Microsoft Edge address bar sets Browser/AllowSearchSuggestionsinAddressBar in the Policy CSP.
The GUI inside of Intune (on the left) simply sets the CSP (on the right) to either 0 (not allowed) or 1 (allowed).
Once you understand the concept of what you can do with CSP and are ready to get your training wheels off, reading the full list of Policy CSP available here is a great starting point. In fact, because not all CSP are currently available in Intune’s GUI, you may find some advanced features that can only be deployed using the Custom CSP Policy (again, read on for a good example of this).
It’s worth noting that the full version of Intune has many capabilities to manage iOS devices, often requiring a custom Profile to be created and pushed to the iPad. I’ve written a five part blog series showing how you can do this on iPads that is worth reading here.
Building A Custom CSP Policy
I got tipped off by a friend who is far more technical than me to two CSP that exist in the Authentication section and are designed to speed up the initial login of Windows 10 devices in a shared environment like a school:
- Enable Fast First Sign In
- This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts.
- OMA-URI = Authentication/EnableFastFirstSignIn
- Preferred AzureAD Tenant Domain Name
- Specifies the preferred domain among available domains in the Azure AD tenant.
- Example: If your organization is using the “@contoso.com” tenant domain name, the policy value should be “contoso.com”. For the user “abby@contoso.com”, she would then be able to sign in using “abby” in the username field instead of “abby@contoso.com”.
- OMA-URI = Authentication/PreferredAadTenantDomainName
Both of these require Windows 10 Pro or above (Education or Enterprise); they are not supported on Windows 10 Home.
Both Intune and Intune for Education are rapidly adding new features into the GUI and, as indicated in Brad Anderson’s blog post above, Intune for Education recently added the Preferred AzureAD Tenant Domain Name feature to the GUI:
Available in the Settings Blade, an IT admin can rapidly add this setting to Win10 devices now.
However, if you’re wanting to build a Custom CSP Policy for a setting that is not in the GUI yet, such as enabling Fast First Sign In, then the steps would be as follows:
- Click on Profiles
- Click “Create Profile“
Note in the main display you can see existing Profiles I’ve created already, including my example “Fast Signin and UPN Default”
- The “Name” and “Description” fields are entirely up to you, however make sure you choose “Windows 10 and later” for the Platform and, critically, “Custom” for the “Profile Type”. On the left below is my configured policy; on the right are the options when creating a new one
- Once you have a Profile created, you need to add settings to it so click “Add” – this is where you need the documentation to guide you for the correct CSP e.g. for Authentication CSP
- Again, the “Name” and “Description” fields are largely up to you, but the critical fields are “OMA-URI”, “Data Type” and “Value”, and all three must be taken from the CSP documentation
Here are my completed examples:
In this example the Data Type is a string, as I’m putting in my O365 tenant’s domain name. The full OMA-URI in this example is: ./Vendor/MSFT/Policy/Config/Authentication/PreferredAadTenantDomainName
In this example the Data Type is an Integer with “1” = on and “0” = off. The full OMA-URI in this example is: ./Vendor/MSFT/Policy/Config/Authentication/EnableFastFirstSignIn
- With your custom CSP Policy created, you now need to assign this to devices under the “Assignments” Setting – in my example I’m applying it to All Devices:
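If you would rather script the profile than click through the blades above (useful when you manage several tenants, or want the policy kept in version control), the same custom profile can be created through the Microsoft Graph API. The script below is an added example and not code from the original post or from Microsoft; it assumes you already hold a Graph access token with the DeviceManagementConfiguration.ReadWrite.All permission, and “contoso.com” is a placeholder for your own tenant domain.

```powershell
# Added example (not from the original post): creates the same custom Windows 10
# profile via Microsoft Graph instead of the Intune GUI, then assigns it to all
# devices. Assumptions: $AccessToken is a valid Graph bearer token holding
# DeviceManagementConfiguration.ReadWrite.All, and 'contoso.com' is a placeholder
# for your own Azure AD tenant domain name.
param(
    [Parameter(Mandatory)] [string] $AccessToken,
    [string] $TenantDomain = 'contoso.com',               # placeholder, replace with yours
    [string] $ProfileName  = 'Fast Signin and UPN Default'
)

$graph   = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'
$headers = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }

# The two OMA-URIs from the Policy CSP documentation. The data types mirror the
# GUI: an integer for the 1/0 switch, a string for the domain name.
$customProfile = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = $ProfileName
    description   = 'Shared-PC sign-in settings for student devices'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'Enable Fast First Sign In'
            omaUri        = './Vendor/MSFT/Policy/Config/Authentication/EnableFastFirstSignIn'
            value         = 1
        },
        @{
            '@odata.type' = '#microsoft.graph.omaSettingString'
            displayName   = 'Preferred Azure AD Tenant Domain Name'
            omaUri        = './Vendor/MSFT/Policy/Config/Authentication/PreferredAadTenantDomainName'
            value         = $TenantDomain
        }
    )
}

$created = Invoke-RestMethod -Method Post -Uri $graph -Headers $headers `
    -Body ($customProfile | ConvertTo-Json -Depth 5)
Write-Host "Created profile $($created.id)"

# Equivalent to choosing 'All Devices' under Assignments in the portal.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } }
    )
}
Invoke-RestMethod -Method Post -Uri "$graph/$($created.id)/assign" -Headers $headers `
    -Body ($assignment | ConvertTo-Json -Depth 5) | Out-Null
Write-Host "Assigned '$ProfileName' to all devices"
```

Sending a setting with the wrong data type (for example the string “1” for EnableFastFirstSignIn) is a common reason a custom profile shows an error in Intune reporting, so it is worth keeping the type next to the OMA-URI wherever you record these.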
At this point, you’re pretty much done and you can sync devices to ensure the policy is pushed to them. Reporting inside of Intune will advise you whether this has been successfully deployed to devices:
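Intune’s reporting tells you what the service believes happened; it is worth confirming on a device that the values actually landed. The function below is an added example, not code from the original post; it assumes the documented MDM behaviour that applied Policy CSP values are mirrored in the registry under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device, with one subkey per policy area (here Authentication), and “contoso.com” again stands in for your tenant domain. Run it in an elevated PowerShell on a device that has completed a sync.

```powershell
# Added example (not from the original post): run on a managed Windows 10 device
# to confirm both Policy CSP values arrived, independently of the Intune blade.
# Assumption (documented MDM behaviour, verify on your build): applied Policy CSP
# settings are mirrored under
# HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<PolicyName>.
function Test-SharedPcSignInPolicy {
    [CmdletBinding()]
    param(
        [string] $ExpectedDomain = 'contoso.com'   # placeholder tenant domain
    )
    $key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
    if (-not (Test-Path $key)) {
        Write-Warning "No Authentication policy area under PolicyManager; the profile has not applied yet."
        return $false
    }
    $values = Get-ItemProperty -Path $key
    $ok = $true

    # Integer policy: 1 = on, 0 = off, absent = never delivered.
    if ($values.EnableFastFirstSignIn -eq 1) {
        Write-Host 'EnableFastFirstSignIn = 1 (on)'
    } else {
        Write-Warning "EnableFastFirstSignIn is '$($values.EnableFastFirstSignIn)', expected 1"
        $ok = $false
    }

    # String policy: must match the tenant domain exactly.
    if ($values.PreferredAadTenantDomainName -eq $ExpectedDomain) {
        Write-Host "PreferredAadTenantDomainName = $ExpectedDomain"
    } else {
        Write-Warning "PreferredAadTenantDomainName is '$($values.PreferredAadTenantDomainName)', expected '$ExpectedDomain'"
        $ok = $false
    }

    # Both policies need Pro/Education/Enterprise; Home editions ignore them.
    $edition = (Get-CimInstance Win32_OperatingSystem).Caption
    if ($edition -match 'Home') {
        Write-Warning "Edition '$edition' does not support these policies"
        $ok = $false
    }
    return $ok
}

Test-SharedPcSignInPolicy -ExpectedDomain 'contoso.com'
```

If the key is missing, force a sync from Settings > Accounts > Access work or school, or run MdmDiagnosticsTool.exe -out C:\MDMDiag to collect the full MDM report for troubleshooting.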
In my experience, applying the two policy settings for shared devices in education significantly improves the initial sign in experience in two ways:
- Fast First Sign In – does exactly what its name suggests, reducing the time considerably for a student to sign into a Windows 10 device for the first time
- Preferred AzureAD Tenant Domain Name – given many younger students are not great at typing, or remembering relatively complicated text like a school domain name, allowing them to simply type their username e.g. “sam.mcneill” or even “samm” (based on school username policy) reduces the complexity of the sign in process.
- If you’re after a creative way to help younger students remember ‘complex passwords’ then have a look at my blog post on this.
As you can see, you have very high levels of control over devices when you’re using CSP, either through the GUI in Intune itself, or via building custom CSP policies as I did above. If you want even more control, you can even explore using ADMX Templates inside of Intune.
Using LOB App Deployment in Intune
The last feature I’m going to show in here is a trick I learnt from David Kozera to speed up the access to shared applications for users when they first sign in.
Intune for Education initially allowed only apps from the Microsoft Store for Education to be deployed to devices, which was great if you were running Windows 10 S, but less helpful if you needed to install apps that were not in the Store. Microsoft eventually added the ability to install .msi packages, and the full version of Intune can install quite a range of application types, including the recent addition of Win32 apps.
Why is this important? Well, many schools I speak to want to use Intune to push out Minecraft: Education Edition to their student devices, and simply select the app in the MS Store for Education and deploy it using either version of Intune. This works flawlessly, but one of the downsides on a shared computer is that apps deployed from the Store deploy to the user rather than to the device. What this means in practice is when a user signs in for the first time to a shared device they do need to wait a few minutes for apps from the Store to appear on their device.
Using Intune to push Minecraft:EE as an LOB app, rather than a Store app, makes it instantly available to a student when they log into a shared device for the very first time. This means no waiting for apps to appear and no lost teaching time.
This is referenced in this document here.
Let’s get started:
- Overview Line of Business App documentation here.
- Go to the Education Store and find Minecraft:EE under the “Products and Services” that are managed, then select to “Download for offline usage” – this will effectively allow you to download a .appx file:
- Scroll down a little further and download the “Required Frameworks” file as well, as you’re going to need this in Intune shortly:
- With the two files downloaded, you need to return to Intune and click on “Client Apps” and then “Apps”
- You need to click “Add” to start building a new app – see below in my screenshot you can observe the different types of apps that I have available to deploy, and I’ve circled the Minecraft:EE Universal App (.appx) as a Line of Business app, as well as Chrome Browser as a .msi Line of Business App, compared to the standard Microsoft Store apps.
- Make sure you choose a Line of Business App:
- Upload the .appx version of Minecraft and the dependency framework file you downloaded:
- Configure the app information as it will appear to your users once installed on their device:
- With this done, you can now assign the app for deployment based on your groups of devices – it will automatically install the first time and be instantly available for any user as soon as they sign into the device the first time.
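Two checks I would add around this procedure, as an added example rather than code from the original post or from Microsoft: before uploading, verify that the .appx you downloaded for offline use and its dependency packages are validly signed, since Intune will push whatever you upload to every assigned device; and after deployment, confirm on a device that the package is provisioned at device scope (so it exists for every user at first sign-in) rather than only installed for the user who happened to be logged on, which is exactly the Store-versus-LOB difference described above. The file paths and the “*Minecraft*” name filter are placeholders.

```powershell
# Added example (not from the original post). Two checks around the LOB
# deployment of an offline-licensed Store package such as Minecraft:EE:
#  1. before upload, confirm the .appx and its dependency packages carry valid
#     Authenticode signatures, so an altered download is not pushed to every device;
#  2. on a device, confirm the package is provisioned (device scope, available
#     to every new user at first sign-in) rather than only installed per user.
# Assumptions: file paths are placeholders; the '*Minecraft*' filter is
# illustrative and the package name on your tenant may differ. Run elevated.
function Test-PackageSignatures {
    param([Parameter(Mandatory)] [string[]] $Path)
    $allValid = $true
    foreach ($file in $Path) {
        $sig = Get-AuthenticodeSignature -FilePath $file
        if ($sig.Status -eq 'Valid') {
            Write-Host "OK       $file  signed by $($sig.SignerCertificate.Subject)"
        } else {
            # NotSigned / HashMismatch / UnknownError: do not upload this file.
            Write-Warning "$($sig.Status)  $file"
            $allValid = $false
        }
    }
    return $allValid
}

function Get-PackageInstallScope {
    param([string] $NameFilter = '*Minecraft*')
    # Provisioned packages are staged for every user profile created later,
    # which is what makes the app appear instantly at a student's first sign-in.
    $provisioned = Get-AppxProvisionedPackage -Online |
        Where-Object DisplayName -like $NameFilter
    # Per-user installs (how Store-assigned apps arrive) exist only for users
    # who have already signed in and waited for the install to finish.
    $perUser = Get-AppxPackage -AllUsers -Name $NameFilter

    [pscustomobject]@{
        Provisioned        = [bool]$provisioned
        ProvisionedPackage = $provisioned.PackageName
        InstalledForUsers  = @($perUser.PackageUserInformation.UserSecurityId.Username)
    }
}

# Usage (placeholder paths):
# Test-PackageSignatures -Path 'C:\Downloads\Minecraft.appx', 'C:\Downloads\Microsoft.VCLibs.appx'
# Get-PackageInstallScope -NameFilter '*Minecraft*'
```

If Provisioned comes back $false while InstalledForUsers lists a user, the app was delivered in user context (as a Store assignment would be) and new users will still see the wait the post describes; check that the LOB app is assigned to a device group rather than a user group.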
Cloud identity and cloud MDMs make the management of devices easier than ever. For schools, which often have limited funds and resources to manage devices, exploring AutoPilot and Intune for Education makes a lot of sense: it simplifies the management and deployment of devices and reduces the need for on-premises servers for device provisioning.
As these services become even smarter, remote resets of devices and troubleshooting become easier as well. For many, however, their view of managing Windows is from many years ago and they simply do not have experience with Windows 10 and modern practices around deployment.
If you’re interested in knowing more, reach out to me on Twitter, or if you have your own tips for improving deployment in this way, drop a message in the comments below.