Categories
android Apple AutoPilot Deployment Endpoint Manager Graph Intune iOS

What Is The Value of enrollmentProfileName

In Microsoft EndPoint Manager there are a few different device registration scenarios that make use of a property called device.enrollmentProfileName. To find and apply other settings (apps, config, etc) to these devices later on you need to have a Dynamic Device Group based on this property. The problem is the value of the property is not available to view in PowerShell or the Endpoint Manager portal.

This value is used by AutoPilot, Apple Business Manager devices (aka DEP) and Android Fully Managed device profiles.

So how can I see what a devices value is so I can create a group to contain that device. I need to use the Graph Explorer.

In the Graph Explorer, using the Beta endpoint, I can get data for my device using the query https://graph.microsoft.com/beta/devices/{objectId}

This gets BETA endpoint graph data, which includes enrollmentProfileName. The version 1.0 endpoint does not return enrollmentProfileName in the response.

If you have never used the Graph Explorer before, here are the steps to get this info:

Open the Graph Explorer from https://developer.microsoft.com/en-us/graph/graph-explorer

Click Sign In button to the left, and once signed in, select Beta (highlighted) and paste in the query replacing /me with /devices/{objectID}

Graph Explorer to look for a device properties (beta endpoint)

You may not have permissions (consent) to view the data you need, so you might need to click on Modify Permissions tab (also highlighted above) to request and approve consent to access the data. This consent may need administrator approval depending upon your security settings in Azure AD.

Click Run Query button and view the results in the Response Preview section below:

Response to a Device query in the Graph

The value of enrollmentProfileName will be the profile the device was enrolled under, at the time of enrollment. Its possible that the profile was renamed or deleted since the device was enrolled, or that you have many profiles, and so actually working out which profile the device is under can be tricky.

Also a top tip – don’t name your profiles all starting with “Test”. In the tenant where the above screenshots where taken from we found DEP profiles called “Test…” and AutoPilot profiles called “Test…”, so creating dynamic device groups where the device.enrollmentProfileName -contains “Test” was returning too many devices!

Categories
exchange online iOS iPad iPhone MDM Mobile Device Management mobile phones Office 365

Renewing Apple APN for Office 365 Mobile Device Management

Office 365 MDM (Mobile Device Management) allows you to manage iOS based Apple devices. Once you have had Office 365 Mobile Device Management is use for a year, the Apple APN certificate that you would have created a year ago for this purpose will expire. If you did not add this renewal date to your calendar when you set up Office 365 MDM, or if you have taken over as administrator from someone else since then you had best check for your renewal dates, as Apple will email the address they have for the certificate at 30 days, 10 days and the day before it expires. Here is the day before it expires email warning – and I got this yesterday. So I had better renew the certificate now then. You of course will not leave it so late!

image

To check your renewal date, login as a Global Admin to the Office 365 Portal. On the old portal visit the Mobile Management tab on the left and the renewal date is shown on the right:

SNAGHTMLe083076

The above is for one of my clients, and the 30 day warning arrived for them today – so I will do them in a few days time.

If you are using the new Office 365 admin portal, then expand Resources > Mobile Management on the left navigation bar (note, at the time of writing, you cannot renew your APNs from the new portal and must use the old – the new portal redirects you back to your starting page all the time and does not start the correct wizard). This opens the same window as shown above. Later versions of the new portal might integrate the page with the portal, but that is not currently active (April 2016):

SNAGHTMLe0b34ae

To renew your certificate click the Manage settings link under the APNs Certificate for iOS devices message to the top right.

You will see the “Set up mobile device management” page:

image

Click Set up to the right of the “Configure an APNs Certificate for iOS devices”. This takes you to the “Install Apple Push Notification Certificate” page. On one of my tenants (possibly with the APNs expired already) clicking Set up took me back to the “Mobile Device Management for Office 365” and I could never get past it. That tenant needed a support call raised to fix.

On the “Install Apple Push Notification Certificate” page click “Download your CSR file” and save the file somewhere you can find shortly.

SNAGHTMLe183115

Click Next once file saved to disk.

SNAGHTMLe1a0325

On the second page of the wizard, click the “Apple APNS Portal” link. As this is a renewal, you need to login to the Apple Developer site with the same credentials used last time. If you have lost these and cannot reset them, then I suspect uploading a new certificate issued to a new ID will work, but I have not tested this.

SNAGHTMLe1cb6db

Once signed in click Renew. If changing issuer account and you have access to the old account, then click Revoke and login with the new account to https://identity.apple.com/pushcert to generate the new APNs certificate.

SNAGHTMLe1eb134

On the Renewal page, upload the saved CSR file from step 1 into the “Vendor-Signed Certificate Signing Request” and click Upload:

SNAGHTMLe1fdded

If you get a prompt about opening or saving a file called renew.json then cancel it and refresh the web browser page to continue the CSR file upload. The Apple web site often issues a JSON file as a download, but that should not happen and is not the file you need. Once the APNs is ready the browser will change back to the Apple Push Certificates Portal home page with a new certificate present (confirm this as the date will be a year from today). Click Download to get the APNs file.

SNAGHTMLe27d904

Upon clicking download you are offered to save a .pem file. This file will be called “MDM_ Microsoft Corporation_Certificate.pem”. If you are a Microsoft Partner and are doing this for multiple customers then rename it to suit the end client.

Close the Apple Push Certificates Portal page and in the previous tab you will find yourself back at step 2. Click Next.

SNAGHTMLe2a4532

In the file upload field, browse for MDM_ Microsoft Corporation_Certificate.pem (or whatever you renamed it to) and upload it to Office 365. The certificate is automatically uploaded. Click Finish and you are done.

Don’t forget to add a calendar appointment for this time next year just in case the reminders from Apple don’t reach you.