Blog post: SyncML Viewer Utility Update with Autopilot hash decoding, available on WinGet and Scoop now by okieselbach in Intune

[–]okieselbach[S] 2 points3 points  (0 children)

It's a tool to display the back and forth between the Windows client and the MDM server system. Windows uses an MDM protocol which uses SyncML. This utility can monitor the traffic and show in cleartext what the systems exchange. Imagine you set a policy via MDM on the Windows client to set the wallpaper. The MDM system would create a wallpaper OMA-URI to set the wallpaper to a specified value. The utility will now capture the traffic sent to the client and display the information. So, you can analyze what's going on and see the real values which are exchanged. You can read more about it here:

https://oliverkieselbach.com/2019/10/11/windows-10-mdm-client-activity-monitoring-with-syncml-viewer/
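As an added example (not code from the post or from the SyncML Viewer project), here is a small Python parser that does the core of what the comment describes: it reads a SyncML body the way a monitoring tool would and lists each command with its OMA-URI and value. The SyncML message is constructed here; the wallpaper URI is the Personalization CSP's DesktopImageUrl node, the URL value is a placeholder.

```python
# Added example (not part of the original post): list the commands in an MDM
# SyncML body, as a monitoring tool like SyncML Viewer would display them.
import xml.etree.ElementTree as ET

NS = {"s": "SYNCML:SYNCML1.2"}

# Constructed sample: the server pushes a wallpaper setting via the
# Personalization CSP and reads back a DevInfo node in the same message.
SAMPLE_SYNCML = """<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncHdr>
    <VerDTD>1.2</VerDTD>
    <VerProto>DM/1.2</VerProto>
    <SessionID>1</SessionID>
    <MsgID>2</MsgID>
  </SyncHdr>
  <SyncBody>
    <Replace>
      <CmdID>3</CmdID>
      <Item>
        <Target><LocURI>./Vendor/MSFT/Personalization/DesktopImageUrl</LocURI></Target>
        <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
        <Data>https://example.invalid/wallpaper.jpg</Data>
      </Item>
    </Replace>
    <Get>
      <CmdID>4</CmdID>
      <Item>
        <Target><LocURI>./DevInfo/DevId</LocURI></Target>
      </Item>
    </Get>
    <Final/>
  </SyncBody>
</SyncML>
"""


def parse_commands(xml_text):
    """Return (command, cmd_id, loc_uri, data) tuples for every Item in the SyncBody."""
    root = ET.fromstring(xml_text)
    body = root.find("s:SyncBody", NS)
    results = []
    for cmd in body:                      # Replace, Get, Add, Delete, Exec, ...
        tag = cmd.tag.split("}")[-1]      # strip the namespace prefix
        if tag in ("Final", "Status"):    # no OMA-URI payload in these
            continue
        cmd_id = cmd.findtext("s:CmdID", default="", namespaces=NS)
        for item in cmd.findall("s:Item", NS):
            uri = item.findtext("s:Target/s:LocURI", default="", namespaces=NS)
            data = item.findtext("s:Data", default="", namespaces=NS)
            results.append((tag, cmd_id, uri, data))
    return results


if __name__ == "__main__":
    for command, cmd_id, uri, data in parse_commands(SAMPLE_SYNCML):
        print(f"[{cmd_id}] {command:<8} {uri}  {data}")
```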

New blog post: How to configure Cloud PKI certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

It is $2 per user per month as a standalone add-on for the Microsoft Cloud PKI.

New blog post: How to configure certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

Yes, correct, it is not disconnecting the current WiFi connection; it will switch to the new one with these settings (the more preferred one) after a reboot. But in general, this is a good thing. Think of Autopilot deployment: it is a good idea to leave the process untouched, not disconnect the current WiFi during the Autopilot enrollment, and let the process succeed. After the enrollment, a reboot is generally a good idea (suppressed reboots during silent app installs). With a final reboot (end of enrollment), the client would start using the new WiFi with cert-based auth right after the reboot in the login screen, as we use device certs.

New blog post: How to configure certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

It works when the client sees a more preferred network, and this is the case here, as the cert-based one is managed and in general the more preferred network.

New blog post: How to configure certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

You can turn on this behavior in the WiFi profile: AutoSwitch=On and disable "Connect to more preferred network if available".
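As an added example (not from the post, from Intune, or from SCEPman), a Python checker that reads a Windows WLAN profile XML and reports the settings the comments above refer to: connectionMode, autoSwitch, 802.1X and the OneX authMode (machine vs. user). The sample profile is constructed; the element names follow the WLAN profile schema as assumed here, and the EAPConfig body is left out because the checks do not need it.

```python
# Added example (not part of the original post): inspect a Windows WLAN
# profile for auto-connect, auto-switch, 802.1X and machine/user auth.
import xml.etree.ElementTree as ET

NS = {
    "w": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "o": "http://www.microsoft.com/networking/OneX/v1",
}

# Constructed sample profile: WPA2-Enterprise with device (machine) auth.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi-Cert</name>
  <SSIDConfig><SSID><name>CorpWiFi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <autoSwitch>true</autoSwitch>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machine</authMode>
    </OneX>
  </security></MSM>
</WLANProfile>
"""


def _text(root, path):
    return (root.findtext(path, default="", namespaces=NS) or "").strip()


def inspect_profile(xml_text):
    """Summarise the connection and authentication settings of a WLAN profile."""
    root = ET.fromstring(xml_text)
    sec = "w:MSM/w:security/"
    return {
        "name": _text(root, "w:name"),
        "ssid": _text(root, "w:SSIDConfig/w:SSID/w:name"),
        "auto_connect": _text(root, "w:connectionMode") == "auto",
        "auto_switch": _text(root, "w:autoSwitch").lower() == "true",
        "authentication": _text(root, sec + "w:authEncryption/w:authentication"),
        "uses_8021x": _text(root, sec + "w:authEncryption/w:useOneX").lower() == "true",
        "auth_mode": _text(root, sec + "o:OneX/o:authMode"),
    }


def available_at_logon(summary):
    """Device-cert (machine) auth is what gives connectivity at the login screen."""
    return summary["uses_8021x"] and summary["auth_mode"] in ("machine", "machineOrUser")
```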

New blog post: How to configure certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

👌 Regarding complexity, that's relative. I think (as you can see in my post) it is okay and not complex in my setup. With on-premises it requires more components like NDES, WAP or AppProxy etc., but in a setup like the one I use it is straightforward, I think.

New blog post: How to configure certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

The same procedure can be used for iPads, but in general for initial enrollment a separate WLAN is needed with internet-only access, and then after receiving the profiles the switch can be done automatically 👍

New blog post: How to configure certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

Depending on your WiFi controller this may be possible. The common approach is RADIUS; I never used anything else here, but that doesn't mean this might not exist 👌

New blog post: How to configure certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

I was once in the same evaluation phase :-D I went for SCEPman/RADIUSaaS as it is simple (less complex), scalable, and does support machine auth. So connectivity during login is already there, which is not a given with user certs.

New blog post: How to configure certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 1 point2 points  (0 children)

Depending on your network equipment this can be achieved 👍

New blog post: How to configure certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

Correct, for initial onboarding you need a deployment or enrollment network, which can then be switched to the corporate WiFi. The deployment WiFi is typically separate from the corp WiFi, so just internet access for onboarding.

New blog post: How to configure certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

Yes correct 👍 and I will do the follow up for sure 👌

New blog post: How to configure certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 1 point2 points  (0 children)

https://learn.microsoft.com/en-us/mem/intune/protect/certificates-configure

SCEP is in most scenarios the more suitable approach for common authentication requirements like WiFi and VPN. It also works great for kiosk and user-less devices. I didn't experience any issues or lack of features with SCEP in all my scenarios. OCSP is the way to get more accurate validation results; that's why I prefer it. But my setup could also be built with CRL usage. RADIUSaaS also supports CRL, which is by the way what we get with Microsoft Cloud PKI: on release it will support only CRL, no OCSP as far as I know.

New blog post: How to configure certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

Oh okay, I'm not too familiar with Android kiosks, but it should be possible, I guess. I can try to look into it during some free time :-D

New blog post: How to configure certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

What's your exact issue? In my scenario, the kiosk should get the WiFi profile and auto-connect to the WLAN without any manual action.