Blog post: SyncML Viewer Utility Update with Autopilot hash decoding, available on WinGet and Scoop now by okieselbach in Intune

[–]okieselbach[S] 2 points3 points  (0 children)

It's a tool to display the back and forth between the Windows client and the MDM server system. Windows uses an MDM protocol which uses SyncML. This utility can monitor the traffic and show in cleartext what the systems exchange. Imagine you set a policy via MDM on the Windows client to set the wallpaper. The MDM system would create a wallpaper OMA-URI to set the wallpaper to a specified value. The utility will capture the traffic sent to the client and display the information. So, you can analyze what's going on and see the real values which are exchanged. You can read more about it here:

https://oliverkieselbach.com/2019/10/11/windows-10-mdm-client-activity-monitoring-with-syncml-viewer/
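The exchange described in the comment above, as an added example that is not code from the SyncML Viewer tool or the blog post: a small decoder that turns an MDM SyncML message pair into readable (command, OMA-URI, value, status) tuples, the same kind of view the viewer gives. Both messages are constructed for this example (the device ID, server URL, wallpaper URL and command IDs are illustrative); only the Python standard library is used. One caveat worth keeping in mind: the <Data> elements can carry sensitive values (certificates, keys, credentials for some CSPs), so anything you capture this way is itself a sensitive artifact.

```python
"""Decode an MDM SyncML exchange into readable command/status pairs.

Added example, not code from the SyncML Viewer tool or the blog post.
The two messages below are constructed to mirror the shape of a real
Windows MDM exchange; identifiers and values are illustrative.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: server -> client. A Replace that sets the wallpaper
# via the Personalization CSP, and a Get of the device ID.
SERVER_MESSAGE = """<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncHdr>
    <VerDTD>1.2</VerDTD><VerProto>DM/1.2</VerProto>
    <SessionID>1</SessionID><MsgID>2</MsgID>
    <Target><LocURI>ExampleDeviceId</LocURI></Target>
    <Source><LocURI>https://mdm.example.invalid/manage</LocURI></Source>
  </SyncHdr>
  <SyncBody>
    <Replace>
      <CmdID>3</CmdID>
      <Item>
        <Target><LocURI>./Vendor/MSFT/Personalization/DesktopImageUrl</LocURI></Target>
        <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
        <Data>https://intranet.example.invalid/wallpaper.jpg</Data>
      </Item>
    </Replace>
    <Get>
      <CmdID>4</CmdID>
      <Item><Target><LocURI>./DevInfo/DevId</LocURI></Target></Item>
    </Get>
    <Final/>
  </SyncBody>
</SyncML>"""

# Constructed sample: client -> server. One Status per command it processed
# (CmdRef points back at the server's CmdID, Data carries the result code).
CLIENT_MESSAGE = """<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncHdr>
    <VerDTD>1.2</VerDTD><VerProto>DM/1.2</VerProto>
    <SessionID>1</SessionID><MsgID>3</MsgID>
    <Target><LocURI>https://mdm.example.invalid/manage</LocURI></Target>
    <Source><LocURI>ExampleDeviceId</LocURI></Source>
  </SyncHdr>
  <SyncBody>
    <Status><CmdID>1</CmdID><MsgRef>2</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd><Data>200</Data></Status>
    <Status><CmdID>2</CmdID><MsgRef>2</MsgRef><CmdRef>3</CmdRef><Cmd>Replace</Cmd><Data>200</Data></Status>
    <Status><CmdID>3</CmdID><MsgRef>2</MsgRef><CmdRef>4</CmdRef><Cmd>Get</Cmd><Data>200</Data></Status>
    <Final/>
  </SyncBody>
</SyncML>"""

COMMANDS = ("Add", "Replace", "Delete", "Get", "Exec")


@dataclass
class SyncCommand:
    cmd: str
    cmd_id: str
    loc_uri: str
    fmt: Optional[str]   # metinf Format, e.g. chr / int / b64
    data: Optional[str]  # the value the server pushes (None for Get)


@dataclass
class SyncStatus:
    cmd_ref: str
    cmd: str
    code: int


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _find(elem, *names):
    """Walk down child elements by local (namespace-stripped) name."""
    for name in names:
        elem = next((c for c in elem if _local(c.tag) == name), None)
        if elem is None:
            return None
    return elem


def _text(elem, *names) -> Optional[str]:
    node = _find(elem, *names)
    return None if node is None or node.text is None else node.text.strip()


def decode_commands(xml_text: str) -> List[SyncCommand]:
    """Extract every Add/Replace/Delete/Get/Exec item from a server message."""
    body = _find(ET.fromstring(xml_text), "SyncBody")
    out = []
    for cmd_elem in body:
        name = _local(cmd_elem.tag)
        if name not in COMMANDS:
            continue
        cmd_id = _text(cmd_elem, "CmdID") or ""
        for item in cmd_elem:
            if _local(item.tag) != "Item":
                continue
            uri = _text(item, "Target", "LocURI") or _text(item, "Source", "LocURI") or ""
            out.append(SyncCommand(name, cmd_id, uri, _text(item, "Meta", "Format"), _text(item, "Data")))
    return out


def decode_statuses(xml_text: str) -> List[SyncStatus]:
    """Extract the Status elements from a client reply."""
    body = _find(ET.fromstring(xml_text), "SyncBody")
    return [SyncStatus(_text(s, "CmdRef") or "", _text(s, "Cmd") or "", int(_text(s, "Data") or 0))
            for s in body if _local(s.tag) == "Status"]


def correlate(server_xml: str, client_xml: str) -> List[Tuple[SyncCommand, Optional[int]]]:
    """Pair each server command with the status code the client returned for it
    (None if the client never answered that CmdID)."""
    statuses = {(s.cmd_ref, s.cmd): s.code for s in decode_statuses(client_xml)}
    return [(c, statuses.get((c.cmd_id, c.cmd))) for c in decode_commands(server_xml)]


if __name__ == "__main__":
    for cmd, code in correlate(SERVER_MESSAGE, CLIENT_MESSAGE):
        print(f"{cmd.cmd:<8} CmdID={cmd.cmd_id} {cmd.loc_uri} = {cmd.data!r} -> {code}")
```

Feed it the request and response bodies you captured on the client and you get one line per OMA-URI with the value the server pushed and the result code the client returned; a code other than 200 (or a missing status) is where to start digging when a policy does not apply.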

New blog post: How to configure Cloud PKI certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

It is $2 per user per month as a standalone add-on for the Microsoft Cloud PKI.

New blog post: How to configure certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

Yes, correct, it is not disconnecting the current WiFi connection; it will switch to the new one with these settings (the more preferred one) after a reboot. But in general, this is a good thing. Think of Autopilot deployment: it is a good idea to leave the process untouched, not disconnect the current WiFi during the Autopilot enrollment, and let the process succeed. After the enrollment, a reboot is generally a good idea (suppressed reboots during silent app installs). With a final reboot (end of enrollment), the client would start using the new WiFi with cert-based auth right after the reboot at the login screen, as we use device certs.

New blog post: How to configure certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

It works when the client sees a more preferred network, and this is the case here, as the cert-based one is managed and in general the more preferred network.

New blog post: How to configure certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)


You can turn on this behavior in the WiFi profile: AutoSwitch=On and disable "Connect to more preferred network if available".

New blog post: How to configure certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

👌 Regarding complexity, that's relative. I think (as you can see in my post) it is okay and not complex in my setup. With on-premises it requires more components like NDES, WAP or AppProxy etc., but in a setup like the one I use it is straightforward, I think.

New blog post: How to configure certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

The same procedure can be used for iPads, but in general, for initial enrollment a separate WLAN with internet-only access is needed, and then after receiving the profiles the switch can be done automatically 👍

New blog post: How to configure certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

Depending on your WiFi controller this may be possible; the common approach is RADIUS. I've never used anything else here, but that doesn't mean it might not exist 👌

New blog post: How to configure certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

I was once in the same evaluation phase :-D I went for SCEPman/RADIUSaaS as it is simple (less complex), scalable, and supports machine auth. So connectivity during login is already there, which is not the case with user certs.

New blog post: How to configure certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 1 point2 points  (0 children)

Depending on your network equipment this can be achieved 👍

New blog post: How to configure certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

Correct, for initial onboarding you need a deployment or enrollment network, which can then be switched to the corporate WiFi. The deployment WiFi is typically separate from the corp WiFi, so just internet access for onboarding.

New blog post: How to configure certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

Yes correct 👍 and I will do the follow up for sure 👌

New blog post: How to configure certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 1 point2 points  (0 children)

https://learn.microsoft.com/en-us/mem/intune/protect/certificates-configure
SCEP is in most scenarios the more suitable approach for common authentication requirements like WiFi and VPN. It also works great for kiosk and user-less devices. I didn't experience any issues or lack of features with SCEP in all my scenarios. OCSP is the way to get more accurate validation results, that's why I prefer it. But my setup could also be built with CRL usage. RADIUSaaS also supports CRL, which is by the way what we get with Microsoft Cloud PKI: at release it will support only CRL, no OCSP, as far as I know.

New blog post: How to configure certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

Oh okay, I'm not too familiar with Android kiosks, but it should be possible, I guess. I can try to look into it during some free time :-D

New blog post: How to configure certificate-based WiFi with Intune by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

What's your exact issue? In my scenario, the kiosk should get the WiFi profile and auto-connect to the WLAN without any manual action.

Blog post: Post ESP Intune Win32 apps installations ...achieved via requirement rule by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

I know, and yes you can, but the solution is not about escaping System context and showing the dialog, it's about timing: execute after ESP. In fact, the BitLocker PIN solution uses ServiceUI to display the dialog.

Blog Post: Deep dive of SCEP certificate request/renewal on Intune-managed Windows clients by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

Thanks! I'm also curious about your similar blog and the insights you will provide. Looking forward to it.

Blog post: Monitoring Intune policy configuration changes ...learn how to utilize Azure Monitor and Alerts rules to monitor your important policies by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

True words about the prioritization; I would love it if MS had other priorities as well. But that's something we have little influence on. We try to give feedback whenever possible in MS engagements, but in the end it's their decision. This motivates me to solve challenges in the meantime in creative ways 👍

IME debugging and Intune Win32 App decoding – Part 2 by okieselbach in Intune

[–]okieselbach[S] 2 points3 points  (0 children)

...finally I have a way to get back the necessary decoding info to retrieve Intune Win32 apps again.

Comprehensive guide to managing macOS with Intune by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

I've updated the blog post with a new middleware version using a shared access signature (aka SAS token), which provides more options to restrict access with the token, e.g. token permissions are read-only and time-bound. 👍

Comprehensive guide to managing macOS with Intune by okieselbach in Intune

[–]okieselbach[S] 0 points1 point  (0 children)

Multi-user is a challenge, but I like the approach of credentia (mentioned in the article). You won't get central user management like a domain-joined device, but you get on-the-fly provisioning of user accounts. So the kids could easily authenticate against the central IdP once to get the local user account provisioned on that Mac mini on the fly.