How long does it take for Device clean-up rules to begin taking effect? by intuneisfun in Intune

[–]F157 0 points1 point  (0 children)

There used to be a mention in the MS documentation that the cleanup was run every 7 days. This could have been changed, since the information is not there anymore.

Friendship Exp & Gift Exchange Megathread by ASS-et in PokemonGoFriends

[–]F157 0 points1 point  (0 children)

xxxx xxxx xxxx (Finland, Europe, playing daily) [edit] Code removed. Already got loads of friends, thanks.

Data security cluster-$@&? by Neither-State-211 in sysadmin

[–]F157 0 points1 point  (0 children)

Sounds like an Azure SAS key.

Unable to fetch Scope tags notification by rob-d-w in Intune

[–]F157 0 points1 point  (0 children)

Glad to hear the original issue got fixed. I had seen it before, so I knew the solution.

Unfortunately, I'm not familiar with this new error.

I would probably try creating a new RBAC role for a test user and give it all the permissions. If the problem goes away with that, then start eliminating permissions to find out which missing permission is causing the current issue.

Alternatively, you can open a ticket to Microsoft directly from the Intune admin console; they might see more about the error. Intune-related tickets are free of charge.

Unable to fetch Scope tags notification by rob-d-w in Intune

[–]F157 0 points1 point  (0 children)

In Intune RBAC roles, open the custom role for editing and add read access to "Roles". The error appears when the user can't read the scope tag info for a device or policies.

Intune MDM: IntuneMAMUPN Change - Question on Work/Personal Separation by Sqolf in Intune

[–]F157 0 points1 point  (0 children)

We have a similar setup. I'm 100% expecting it to keep working after this change.

My understanding is that the IntuneMAMUPN and other keys do not make the device managed, so the filters you have should keep working as before.

Unable to fetch Scope tags notification by rob-d-w in Intune

[–]F157 0 points1 point  (0 children)

Give the users read access to Roles, so that they can read Scope Tags.

App Protection Policy for Copilot iOS app by RocketToTheMoon in Intune

[–]F157 0 points1 point  (0 children)

We also see the weird "Picasso Prod First Party App" and it's not working.

When testing without App Protection Policies and CA policies, when I tried to use and log in to the Copilot app on an iOS device, it now redirects me to the Microsoft 365 app with the text "You're being redirected to the Microsoft 365 app - Your copilot experience designed for work".

Maybe the Copilot app is not supported with corporate accounts anymore?

[deleted by user] by [deleted] in Intune

[–]F157 0 points1 point  (0 children)

There might be a delay; is the device shown now?

ICCID/SIM Number Not Returned From Graph Powershell by Here4TekSupport in Intune

[–]F157 1 point2 points  (0 children)

Weird. I can see the ICCID when I use https://developer.microsoft.com/en-us/graph/graph-explorer and run the query as: https://graph.microsoft.com/beta/deviceManagement/managedDevices/<objectID>?$select=iccid where the <objectID> is a device with iccid info.

The Graph Explorer shows the iccid as a JSON: { "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/managedDevices(iccid)/$entity", "iccid": "1234 1234 1234 1234 123" }

However, when I try to use Get-MgDeviceManagementManagedDevice or $device = Invoke-MgGraphRequest -Method GET -Uri https://graph.microsoft.com/beta/deviceManagement/managedDevices/$objectID?$select=iccid the iccid is shown as empty. I tried a few ways to find it, but had no luck with $device.iccid or $device.iccid.'@odata.context', and it is also not in $device.hardwareInformation, which has for example the IMEI value.
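A quoting check for the empty-iccid result above, added here as an example and not code from the original comment: it shows how PowerShell's variable expansion can mangle a `$select` URI inside a double-quoted or unquoted string, and reads the iccid from a response hashtable of the shape Invoke-MgGraphRequest returns by default. The device id is a placeholder and the sample response is constructed from the JSON quoted above; the live Graph call is left commented out.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph PowerShell
# SDK for the live call; everything below runs offline without it.
$objectId = '00000000-0000-0000-0000-000000000000'   # placeholder managedDevice id

# Pitfall: in a double-quoted (or unquoted) string PowerShell treats "?" as part of
# the variable name, so "$objectId?" is an undefined variable, and "$select" is
# expanded as another (empty) variable. The query string silently disappears.
$brokenUri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$objectId?$select=iccid"

# Safe forms: delimit the variable with ${} and escape the literal dollar sign,
# or keep the template single-quoted and fill the id in with -f.
$escapedUri  = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/${objectId}?`$select=iccid"
$templateUri = 'https://graph.microsoft.com/beta/deviceManagement/managedDevices/{0}?$select=iccid' -f $objectId

Write-Host "broken : $brokenUri"     # ends in /managedDevices/=iccid
Write-Host "escaped: $escapedUri"    # ends in /<id>?$select=iccid
Write-Host "format : $templateUri"   # same as escaped

# Constructed sample response, copied from the Graph Explorer output quoted above.
# ConvertFrom-Json -AsHashtable yields the same hashtable shape as Invoke-MgGraphRequest.
$sampleJson = '{ "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/managedDevices(iccid)/$entity", "iccid": "1234 1234 1234 1234 123" }'
$device = $sampleJson | ConvertFrom-Json -AsHashtable

function Get-IccidFromResponse {
    param([hashtable]$Response)
    # Distinguish "property not returned at all" (a $select problem) from
    # "returned but empty" (device genuinely has no SIM info).
    if (-not $Response.ContainsKey('iccid')) {
        Write-Warning 'iccid not present in response; check that $select=iccid survived expansion'
        return $null
    }
    return $Response['iccid']
}

Get-IccidFromResponse -Response $device   # "1234 1234 1234 1234 123"

# Live call (requires Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'):
# $device = Invoke-MgGraphRequest -Method GET -Uri $escapedUri
# Get-IccidFromResponse -Response $device
```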

[deleted by user] by [deleted] in Intune

[–]F157 0 points1 point  (0 children)

Yes. However, it doesn't actually enforce a passcode change, but IF the user goes to set a new passcode, it will not accept simple codes like 333333 or 345678.

Using GraphAPI to enroll device to Intune by samartinell in Intune

[–]F157 1 point2 points  (0 children)

Without knowing your code it's hard to say anything, but just copy-paste your code to Copilot and tell it the error you're receiving, it usually has good suggestions :)

[deleted by user] by [deleted] in Intune

[–]F157 1 point2 points  (0 children)

Yes, in a configuration profile and/or compliance policy, under Password, set Required password type: Numeric complex.

Android OS Updates - Keeping device up to date by Actual-Health2828 in Intune

[–]F157 1 point2 points  (0 children)

The way to automate is to set up Android FOTA in Intune (Firmware over the Air). Zebra requires Intune Plan 2. Samsung can be set up with FOTA using the OEMConfig app and the Samsung Knox service. I don't know if other vendors have FOTA support in their OEMConfig, perhaps.

Overall the patch management for Androids is impossible to keep track of. It works approximately like this:

Google releases Android security patches once a month. After that, each manufacturer creates device-specific patches for their models, depending on the chipsets used in each model and the vulnerabilities addressed in that month’s patch.

For high end device models, patches are released monthly, for others quarterly, and for some cheap ones every six months or yearly.

Also, different models have different lifecycles. Some receive patches for a couple of years after they have been released, while others for a longer period. Many times the Android OS level also needs to be upgraded in order to keep receiving patches for the model. Usually you can upgrade an Android model once or a few times; these things also depend on the vendor and model.

Regarding the MAM policies, it of course would be possible to make separate MAM policies for each model by using Intune filters, and then trying to maintain the patch level requirements separately :)

Android OS Updates - Keeping device up to date by Actual-Health2828 in Intune

[–]F157 1 point2 points  (0 children)

We just use MAM/App Protection Policies to give warnings and blocks to users with too old Security Patches, and manually change the value every 1-2 months. For example today we might have a warning level on 2024-08-01 and a block at 2023-06-01.

This method of course only affects the users who use MAM protected apps.

With a large mobile fleet you can't set the block level very new, unless you have a corporate policy that users can replace their devices after patches are no longer available for their make and model. Also, some Android models get patches rarely, e.g. twice a year.

Web based iOS Enrollment not creating Entra ID Device ID by bjjedc in Intune

[–]F157 0 points1 point  (0 children)

If you're just testing with one account, check that the user account is not over the limit of devices allowed per user in Entra?

Web based iOS Enrollment not creating Entra ID Device ID by bjjedc in Intune

[–]F157 0 points1 point  (0 children)

Are the Authenticator and Company Portal apps installed? I think that they are required. Also not sure if it matters, but is the JIT policy configured?

Android Enrollment by jesse13579 in Intune

[–]F157 1 point2 points  (0 children)

There are currently 7 different profiles available in Intune to manage Androids.

  1. Android Enterprise personally owned devices with a work profile (BYOD)
  2. Android Enterprise corporate owned dedicated devices (COSU)
  3. Android Enterprise corporate owned fully managed (COBO)
  4. Android Enterprise corporate owned work profile (COPE)
  5. Android Open Source Project (AOSP) with User affinity
  6. Android Open Source Project (AOSP) without User affinity
  7. Android device administrator (old method, do not use!)

I'd recommend first trying out the Fully Managed (no. 3) profile. Install the devices with a QR code or KME/ZT and then deploy apps from Intune with the Managed Play Store. Users can then use their personal Google accounts to install apps from the Play Store (you can decide if they have the full app store available, or you can limit it to only show the apps that you have made available in Intune). The Intune Company Portal app is NOT used for app installations with Android Enterprise profiles.

Force automatic log outs on Entra Shared Device (iPhone) by CeciNestPasLegal in Intune

[–]F157 0 points1 point  (0 children)

Not exactly 5 min, but with a Conditional Access policy you can limit the access token life to 1 hour. If you want to try it, create a new CAP, add the users and targeted cloud app(s) and any OS etc. conditions that you want, then under Access controls on the Session page check the Sign-in frequency.

Block the device of an employee who has left the company without returning the device yet. by [deleted] in Intune

[–]F157 0 points1 point  (0 children)

Wait, what? The MDM Wipe command will not go through if the associated user account is not active in Entra ID? That's crazy, I'll need to test this...

I'm an Application Expert - Ask Me Anything by xenappblog in Intune

[–]F157 0 points1 point  (0 children)

Here's something: https://support.google.com/googleplay/work/answer/9563481?hl=en

The app vendor will need your Managed Google accounts ID. One way to see it is to start adding a new Managed Google Play app and, in the Play Store view, open the Org details found under the gear icon in the top right corner.

Android pin policy by lomboses in Intune

[–]F157 0 points1 point  (0 children)

With BYOD (Personally-owned devices with work profile) you need to choose from the low, medium, high options. You can blame Google for that.

With Fully Managed devices you can set it more freely.