iOS and Outlook Mobile and Duplicate Contacts

Off the back of a few conversations recently on having duplicate contacts in the iOS platform because of syncing via multiple different routes or devices, I decided to try to reproduce the issues and see what I could work out.

I looked on my test iPhone to see if I could see any duplicates and to try and resolve them – and given the conversations I was not surprised to find there were already a number of duplicates. So I have eight contacts and some of those were duplicates, some were missing on the device (only in iCloud) and some were different in Outlook Mobile from Contacts etc.

Here are some things I did to resolve these duplicates.

  1. I made the assumption that all my contacts were mastered in Exchange. So I was willing to delete everything on the phone as Exchange would put it back. I did find one contact in iCloud that was not on the phone and that was myself! So I did not delete that one.
  2. I have multiple test devices, two iPhones and one iPad. Each is signed in with the same Apple iCloud account, but each at any time could be synced to different tenants. This is probably a unique scenario to a consultant, but do ensure that each iOS device a user has under the same iCloud account is synced to the same tenant. Different tenants? Maybe try different iCloud accounts or be prepared for duplicates (see last paragraph for more info on this).
  3. Outlook Mobile > Settings > for each Email Account > Save Contacts – Turn Off > Delete from my iPhone
  4. Device Settings > Contacts > Accounts > iCloud > iCloud (yes, twice) > turn off Contacts > Delete from my iPhone
  5. Settings > Contacts > Accounts > other accounts > repeat above to delete.
  6. Open Contacts app on phone – it should be empty. On my device it now says “No Contacts”.
  7. Login to iCloud
  8. View Contacts from iCloud Contacts
  9. Delete them all (or at least those in Exchange). You can select more than one here at a time. So it is easy to tidy up contacts from here whereas on the phone it is delete one by one!

Then it's time to restore the contacts to the phone.

  1. Open Outlook Mobile and Settings > for each Email Account > Save Contacts to On > Save to my iPhone
  2. Contacts app should list these (more will take longer, but they should start to sync shortly)
  3. Settings > Contacts > Accounts > iCloud > iCloud (yes, twice) > turn ON Contacts > Merge (there is nothing to merge if you deleted them all in #9 above)
  4. Your contacts now appear in iCloud (again, quite quickly but I guess this depends upon the number of them)
iCloud Contacts
iCloud Contacts – Duplicates Removed

If you have multiple iOS devices and you are signed into each of them with the same Outlook Mobile account AND you enable Save Contacts on more than one device, then you will get duplicates. You need to turn off Save Contacts on all but one device. This will remove the duplicates but it might take 24 hours for Microsoft to reconcile this duplicate state for you. I found this was instant though (but I only have a few intentional contacts and duplicates).

If you later on try to enable Save Contacts on a second Outlook Mobile device you will get told that sync is already happening on a different device and that to sync from the current device will require contact deletion and sync to start. This will happen to attempt to ensure no duplicates across multiple devices.

Outlook Mobile (iPad) and Save Contacts being turned back on again (second device)

If you have more than one email account in Outlook Mobile then ensure that iCloud is the default for Contact Sync in Settings > Contacts > Accounts to give the best experience.

If you have multiple tenants in use but a single iCloud account then you will see the correct contacts in the Outlook Mobile for each device, but the Contacts app will show all the contacts from all the tenants. If the same contact is created in multiple tenants then you will have a duplicate. The Outlook link in each contact will only work on the device that is logged into that source tenant.

Exchange Online Warning On Receipt Of New Email Sender

Released recently to no fanfare at all, Microsoft now has a SafetyTip that appears if you receive email from a first-time sender.

Most often phish emails will come from an address you have never received email from before, and sometimes this email will try to impersonate people you communicate with or are internal to your organization. Warning for attempted spoofed domains or users is part of Microsoft Defender for Office 365 (previously known as Advanced Threat Protection for Office 365) and the functionality to warn based on similar sender is also part of this product if you enable the “mailbox intelligence” option. But the option to warn about a new sender is available for all Exchange Online users without ATP licences.

The user sees the SafetyTip above the email body as shown below once this new feature is enabled:

New Sender Safety Tip

To turn on this option you enable a custom message header in a transport rule and then within 30 minutes or so, every recipient under the scope of the rule is warned when they receive email from a new sender. This also includes senders that have not sent a lot of messages to you, as I see that this Safety Tip appears on subsequent messages from the same sender. Not sure yet when this stops appearing for slightly less new senders!

To enable this feature create the following transport rule, restricting the scope of the rule to some users only to start with and then when happy with the functionality changing the rule to apply to all users.

First Contact Safety Tip Transport Rule

Open Exchange Online Control Panel (at the time of writing this is in the old UX for this, so these screenshots represent the classic view – this will change at some point in the future) and select Mail Flow > Rules

Click the + icon > Modify Messages and fill in the name “Enable First Contact Safety Tip”

Select under Apply this rule if… The sender is located > Outside the organization

Select under Do the following… Set the message header to this value and click the first option for Enter text and copy and paste the following string X-MS-Exchange-EnableFirstContactSafetyTip

Click the second option for Enter text and enter any value you like. I have had reports that only “enable” works but that is not my experience and I had this working with the value AnythingYouLike!

I turn off the audit option and then save the rule as shown:

New Transport Rule for First Contact Safety Tip

To set the rule for a pilot program, click More options and then the newly displayed add condition button. Select that the rule should only apply if “The recipient is…” and then select a few names from your global address list.

Pilot Program for First Contact Safety Tip

Within 30 minutes, when the next email arrives from a new sender, Outlook, Outlook Web Access and Outlook Mobile will display the new safety tip.
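The same rule can be created from Exchange Online PowerShell instead of the control panel. This is an added example, not part of the original post: it assumes an existing `Connect-ExchangeOnline` session, and the pilot addresses and function names are hypothetical.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run.
$RuleName = 'Enable First Contact Safety Tip'

function New-FirstContactSafetyTipRule {
    param(
        # Pilot recipients; leave empty to apply the rule to every recipient.
        [string[]]$PilotRecipients
    )
    # Do nothing if a rule with this name already exists.
    if (Get-TransportRule | Where-Object { $_.Name -eq $RuleName }) {
        Write-Warning "Transport rule '$RuleName' already exists."
        return
    }
    $params = @{
        Name             = $RuleName
        FromScope        = 'NotInOrganization'   # "The sender is located > Outside the organization"
        SetHeaderName    = 'X-MS-Exchange-EnableFirstContactSafetyTip'
        SetHeaderValue   = 'Enable'              # the post found that any value works
        SetAuditSeverity = 'DoNotAudit'          # the audit option turned off
    }
    if ($PilotRecipients) {
        $params['SentTo'] = $PilotRecipients     # "The recipient is..." condition
    }
    New-TransportRule @params
}

function Remove-FirstContactPilotScope {
    # Once the pilot is accepted, clear the recipient condition so the rule covers all users.
    Set-TransportRule -Identity $RuleName -SentTo $null
}

# Hypothetical pilot mailboxes; replace with names from your own global address list.
New-FirstContactSafetyTipRule -PilotRecipients 'pilot1@contoso.example', 'pilot2@contoso.example'

# Confirm what was stored before waiting for the tip to appear.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, FromScope, SentTo, SetHeaderName, SetHeaderValue, SetAuditSeverity
```

Checking the stored rule with `Get-TransportRule` before the 30 minute wait catches a mistyped header name, which otherwise fails silently because the header is simply ignored.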

What Is The Value of enrollmentProfileName

In Microsoft Endpoint Manager there are a few different device registration scenarios that make use of a property called device.enrollmentProfileName. To find and apply other settings (apps, config, etc) to these devices later on you need to have a Dynamic Device Group based on this property. The problem is the value of the property is not available to view in PowerShell or the Endpoint Manager portal.

This value is used by AutoPilot, Apple Business Manager devices (aka DEP) and Android Fully Managed device profiles.

So how can I see what a device's value is so I can create a group to contain that device? I need to use the Graph Explorer.

In the Graph Explorer, using the Beta endpoint, I can get data for my device using the query https://graph.microsoft.com/beta/devices/{objectId}

This gets BETA endpoint graph data, which includes enrollmentProfileName. The version 1.0 endpoint does not return enrollmentProfileName in the response.

If you have never used the Graph Explorer before, here are the steps to get this info:

Open the Graph Explorer from https://developer.microsoft.com/en-us/graph/graph-explorer

Click Sign In button to the left, and once signed in, select Beta (highlighted) and paste in the query replacing /me with /devices/{objectID}

Graph Explorer to look for a device properties (beta endpoint)

You may not have permissions (consent) to view the data you need, so you might need to click on Modify Permissions tab (also highlighted above) to request and approve consent to access the data. This consent may need administrator approval depending upon your security settings in Azure AD.

Click Run Query button and view the results in the Response Preview section below:

Response to a Device query in the Graph

The value of enrollmentProfileName will be the profile the device was enrolled under, at the time of enrollment. It's possible that the profile was renamed or deleted since the device was enrolled, or that you have many profiles, and so actually working out which profile the device is under can be tricky.

Also a top tip – don’t name your profiles all starting with “Test”. In the tenant where the above screenshots were taken from we found DEP profiles called “Test…” and AutoPilot profiles called “Test…”, so creating dynamic device groups where the device.enrollmentProfileName -contains “Test” was returning too many devices!
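To check which profile names are in use before writing a group rule, the beta query can be sent as a raw request from a script and the candidate clause tried against the results. This is an added example, not from the original post: it assumes the Microsoft.Graph.Authentication module and the Device.Read.All permission for the live query, and the function names and sample devices are constructed for illustration.

```powershell
# Added example: function names and the sample devices are constructed for illustration.
function Get-DeviceEnrollmentProfile {
    # Pages through the beta devices collection, the endpoint the post queries per device.
    $uri = 'https://graph.microsoft.com/beta/devices?$select=id,displayName,enrollmentProfileName'
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($d in $page.value) {
            [pscustomobject]@{
                DisplayName           = $d.displayName
                EnrollmentProfileName = $d.enrollmentProfileName
            }
        }
        $uri = $page.'@odata.nextLink'   # empty on the last page, which ends the loop
    }
}

function Test-ProfileRule {
    # Approximates a dynamic group clause on device.enrollmentProfileName (case-insensitive).
    param(
        [object[]]$Devices,
        [ValidateSet('eq', 'contains')][string]$Operator,
        [string]$Value
    )
    foreach ($d in $Devices) {
        $name = $d.EnrollmentProfileName
        if ([string]::IsNullOrEmpty($name)) { continue }   # not enrolled through a profile
        if ($Operator -eq 'eq') { $hit = ($name -eq $Value) }
        else { $hit = $name.IndexOf($Value, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
        if ($hit) { $d }
    }
}

# Constructed sample. For live data run instead:
#   Connect-MgGraph -Scopes 'Device.Read.All'; $devices = Get-DeviceEnrollmentProfile
$devices = @(
    [pscustomobject]@{ DisplayName = 'IPHONE-01'; EnrollmentProfileName = 'Test DEP Corporate' }
    [pscustomobject]@{ DisplayName = 'LAPTOP-01'; EnrollmentProfileName = 'Test AutoPilot Kiosk' }
    [pscustomobject]@{ DisplayName = 'LAPTOP-02'; EnrollmentProfileName = 'Test AutoPilot Kiosk' }
    [pscustomobject]@{ DisplayName = 'BYOD-01';   EnrollmentProfileName = $null }
)

# Profile names actually in use, and how many devices carry each one.
$devices | Group-Object EnrollmentProfileName | Select-Object Count, Name

# The broad clause catches DEP and AutoPilot devices alike; the exact match stays on one profile.
(Test-ProfileRule $devices -Operator contains -Value 'Test').Count
(Test-ProfileRule $devices -Operator eq -Value 'Test AutoPilot Kiosk').Count
```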

Renewing Apple APN for Office 365 Mobile Device Management

Office 365 MDM (Mobile Device Management) allows you to manage iOS based Apple devices. Once you have had Office 365 Mobile Device Management in use for a year, the Apple APN certificate that you would have created a year ago for this purpose will expire. If you did not add this renewal date to your calendar when you set up Office 365 MDM, or if you have taken over as administrator from someone else since then, you had best check for your renewal dates, as Apple will email the address they have for the certificate at 30 days, 10 days and the day before it expires. Here is the day before it expires email warning – and I got this yesterday. So I had better renew the certificate now then. You of course will not leave it so late!

To check your renewal date, login as a Global Admin to the Office 365 Portal. On the old portal visit the Mobile Management tab on the left and the renewal date is shown on the right:

The above is for one of my clients, and the 30 day warning arrived for them today – so I will do them in a few days' time.

If you are using the new Office 365 admin portal, then expand Resources > Mobile Management on the left navigation bar (note, at the time of writing, you cannot renew your APNs from the new portal and must use the old – the new portal redirects you back to your starting page all the time and does not start the correct wizard). This opens the same window as shown above. Later versions of the new portal might integrate the page with the portal, but that is not currently active (April 2016):

To renew your certificate click the Manage settings link under the APNs Certificate for iOS devices message to the top right.

You will see the “Set up mobile device management” page:

Click Set up to the right of the “Configure an APNs Certificate for iOS devices”. This takes you to the “Install Apple Push Notification Certificate” page. On one of my tenants (possibly with the APNs expired already) clicking Set up took me back to the “Mobile Device Management for Office 365” and I could never get past it. That tenant needed a support call raised to fix.

On the “Install Apple Push Notification Certificate” page click “Download your CSR file” and save the file somewhere you can find it shortly.

Click Next once the file is saved to disk.

On the second page of the wizard, click the “Apple APNS Portal” link. As this is a renewal, you need to login to the Apple Developer site with the same credentials used last time. If you have lost these and cannot reset them, then I suspect uploading a new certificate issued to a new ID will work, but I have not tested this.

Once signed in click Renew. If changing issuer account and you have access to the old account, then click Revoke and login with the new account to https://identity.apple.com/pushcert to generate the new APNs certificate.

On the Renewal page, upload the saved CSR file from step 1 into the “Vendor-Signed Certificate Signing Request” and click Upload:

If you get a prompt about opening or saving a file called renew.json then cancel it and refresh the web browser page to continue the CSR file upload. The Apple web site often issues a JSON file as a download, but that should not happen and is not the file you need. Once the APNs is ready the browser will change back to the Apple Push Certificates Portal home page with a new certificate present (confirm this as the date will be a year from today). Click Download to get the APNs file.

Upon clicking download you are offered to save a .pem file. This file will be called “MDM_ Microsoft Corporation_Certificate.pem”. If you are a Microsoft Partner and are doing this for multiple customers then rename it to suit the end client.

Close the Apple Push Certificates Portal page and in the previous tab you will find yourself back at step 2. Click Next.

In the file upload field, browse for MDM_ Microsoft Corporation_Certificate.pem (or whatever you renamed it to) and upload it to Office 365. The certificate is automatically uploaded. Click Finish and you are done.

Don’t forget to add a calendar appointment for this time next year just in case the reminders from Apple don’t reach you.