Saturday, 3 August 2019

Using Azure AD credentials with RDP.

As schools start to deploy InTune managed Windows10 desktop with an Azure based user directory a few interesting challenges emerge.

One of these is remote support of Azure joined Windows10 desktops using the RDP client. Using the default settings, the Azure AD (AAD) account credentials are rejected by the client dialog which stops the process in its tracks.

So how can you RDP into an Azure joined Windows10 device using your AAD user permissions?

The first job is to disable Network Level Authentication (NLA) for Remote Desktop Connection on the target Windows 10 computer.

Open System Properties and navigate to the Remote tab. Under Remote Desktop make sure Allow remote connections to this computer is enabled, and that Allow connections only from computers running Remote Desktop with Network Level Authentication is unchecked.

The second task is to edit the .rdp file you are using for the connection so it looks like this

full address:s:<ip address>:3389
authentication level:i:2

These settings disable any credentials being sent to the host computer.  As a result the host will be forced to present the logon screen rather trying to create the session prior to connection. This way you have the opportunity to present your AAD account details.

Now you will find that entering the AAD details in the logon box will open up a desktop.  This works fine with all accounts that have local admin rights but what if you try with a standard user account. You’ll find you get a rejection notice informing you that the user does not have the rights to a remote session which is expected as they are not a member of the Remote Desktop Users local group.

Opening up Local Users and Group MMC console on the console doesn't help you as there’s no way of selecting Azure AD as a source. Fortunately you can add users from Powershell.

Open up a powershell session with admin privileges and type.

net localgroup “Remote Desktop Users” /add "AZUREAD\"

You should get a “Command successful” and the user account will be listed as a member in the Local Users and Group MMC console. The next RDP session will work as expected. The same technique works for any local group that needs to transfer Azure AD account rights.

Sunday, 7 July 2019

Using Google to authenticate Microsoft (p2).

This is the second part of an extended post that describes how to use Google as an identity source for Microsoft Azure Active Directory (Office 365).

The next stage involves configuring Azure to pass authentication requests through to Google rather than handling them locally. Using technical terms we are creating a federation between the two platforms with Google acting as the identity provider (idP) and Azure the service provider. As before we’ll work through this example using which is a custom domain in a Azure AD  tenancy.

Note: Each federation object acts on a single domain so it’s possible to have many custom domains within an Azure AD  tenancy, some federated to Google (or some other idP) and some locally authenticated.

All of the work is done from the powershell console so the first job is to install the modules listed below within a session running with local admin permission. You’ll also need details of an admin account for Azure AD.

Microsoft Online Services Sign-In Assistant for IT Professionals RTW
Microsoft Azure Active Directory Module for Windows Powershell.

The first module is a simple download. Once installed it’s loaded with the command.

PS C\:> Import-Module MSOnline

Then login to Azure AD using an admin account using the commands.

PS C\:> $Msolcred = Get-credential
PS C\:> Connect-MsolService -Credential $MsolCred

Creating the federation is a one line powershell command Set-MsolDomainAuthentication Unfortunately the number and complexity of the arguments turns it into a bit of a monster.

To get round this problem the input variables are read from an xml file and since most of the values are standardised you only need to update two elements before running the command.

The template xml file (dfs-pf-samlp.xml) can be downloaded from the original GitHub repository or from here.

Before using the file you need to replace the string GOOGLESAMLID with your domains unique idpid recorded when setting up SSO in G Suite. The input  line should be similar to this:

Note that GOOGLESAMLID occurs three times in the file and needs to be replaced in each location.

Lastly you need to carefully copy the certificate string from the IDP metadata file saved from the SSO setup process and paste it into the location below.

<S N="SigningCertificate"> YOUR CERTIFICATE GOES HERE </S>

A shortened version will look like this.

<S N="SigningCertificate">MIIDdHCCAly…...BAkTD0dv</S>

Make sure you paste as a single line and do not introduce any line breaks or extra characters.

Once that’s done we can create the federation using the command below, substituting for your domain. The command is shown with line breaks but needs to be issued as a single line command.

Set-MsolDomainAuthentication -DomainName ""
 -FederationBrandName $wsfed.FederationBrandName
-Authentication Federated
-PassiveLogOnUri $wsfed.PassiveLogOnUri
-ActiveLogOnUri $wsfed.ActiveLogonUri
-SigningCertificate $wsfed.SigningCertificate
-IssuerUri $wsfed.IssuerUri
-LogOffUri $wsfed.LogOffUri
-PreferredAuthenticationProtocol "SAMLP"

A couple of other useful commands:

Get-MsolDomainFederationSettings -DomainName "" | Format-List
    Shows the federation settings for the domain in the  console.

Get-MsolDomainFederationSettings -DomainName "" | Export-Clixml dfs-pf-samlp.xml
   Dumps the settings back into the config file.

Set-MsolDomainAuthentication -DomainName ""  -Authentication Managed

   This command switches the authentication back to locally managed and effectively turns federation off. This is particularly useful as a fall back option but it also allows you to update the settings as the values cannot be changed while the federation is active.

Azure will now pass all authentication requests to Google for any non-admin account in the domain “”.  So what does that look like ?

Open up a Chrome session in incognito mode, navigate to and select Sign In. When asked for a user account enter an Azure username from your federated domain. After a short pause you’ll be directed to the standard Google dialog which will grant access to

So what happens if you try and login to an Azure joined Windows 10 device with the same Google user account. You might expect the same behaviour but that’s not what you see. The Windows logon box remains and the Google password is refused. Nothing has changed. So why is that ?

By default the conversation between the Windows 10 device and Azure doesn’t use SAML but WS-Fed (WS-Federation), a protocol supported by IBM and Microsoft but not Google, therefore the hand-off falls at first hurdle.

What you need is a Windows logon process that understands SAML not WS-Fed and with Windows 10 1809 edition you have exactly that.

The feature is off by default but can be turned on using a custom policy in InTune.


After deployment you are offered an additional option on a globe icon - Web Sign-In.

Select this option and sign in using your federated account. This time you will see the redirection and you’ll be presented with the familiar  Google login dialog which will grant access to the Windows desktop.

You have to enter the logon account name twice because Azure needs to know the username before it can offer the redirection. In the future it will be slicker and remember this is still a preview feature.

In an earlier blog post I predicted it would be a while before we saw a Windows device using a Google account to authenticate.

A year later, here we are.
This could be used as an example of how wrong I can be but I’d prefer to think it reflects the pace of change and the general move towards open standards.

The new framework is becoming clearer by the day.

Cloud based user directories controlling MDM managed devices that host SaaS applications delivered through a store model backed by subscription licencing.

Google, Microsoft take your pick - they both offer the same vision. You can even mix and match.

The only thing you can be sure of is the fact that not a single element will require a local server.

Thursday, 4 July 2019

Using Google to authenticate Microsoft (p1).

In a previous series of posts we examined how you could defer Google logons to Azure Active Directory (Office 365).  In this scenario a user logging onto a chromebook would be presented with a logon dialog from Microsoft and any subsequent actions accessing SaaS resources would be checked against the Microsoft user database rather than Google.  Using specific terminology the Google database was using Azure as the identity provider (idP) and was federated to that service to allow single-sign-on (SSO). This setup is ideal for organizations that have established Azure directory system and use the service with other SaaS providers. In this case Google is just another SaaS client for the Azure identity service.

While this suits some enterprises it’s not always the best solution for a new school ‘Going Google’.

Consider a school that has made a big investment in chromebooks and uses G Suite and Classroom for learning but still requires a Microsoft platform for front desk administration. These admin users will need an Azure AD account to authenticate with their new Azure joined Windows 10 workstations. You could operate two separate directories but this is messy especially if you plan to link both directories to a MIS system. You could also fall back to the first approach, using Google to defer to Azure and maintain all the user accounts in Azure but his seems to be the wrong way round when the majority of the users access Google resources. It’s a bit like the tail wagging the dog.

What you really want to do is make Azure use Google as it’s idP and maintain all the accounts using the G Suite admin console. You can then setup user provisioning for just the administration team and link the MIS system to directly Google. Much simpler.

The secret to all of this is SAML (Security Assertion Markup Language) an open standard for exchanging authentication and authorization data between an identity provider and a service provider.

In this case Azure is the service provider and Google the identity provider. It’s always been technically possible to configure Azure as a service provider. There are a number of commercial platforms such as Ping Identity and Okta that depend on that fact. The problem with using Google as the idP is the procedure isn’t well documented or even widely deployed. The Google documentation explains the Google side but stops short at explaining how you prepare Azure which, not surprisingly, turns out to be the tricky bit.

In this two part post we’ll walk through the process step by step. The end game will be the administration and provisioning of Azure AD accounts via the G Suite console and controlling access to Office 365 using the Google accounts database. Finally we show a Windows 10 device presenting a Google logon screen on boot which is a bit mind-bender when you first see it.

It’s a bit a long haul but stick with it. It should be noted that information has been drawn from a number of sources with a few blanks filled in and a deeper explanation provided. There’s also quite a few prerequisites that need to be in place before that Google login box appears so if you are planning to try this out please read this first.

Lastly credit must go to Roger Nixon who had the nerve to test the setup at his site (Wheatley Park School) and then place it at the centre of a new school opening this summer. That means it's already in the wild  - so let’s get started.

Domains. Organisations and Tenancies.
If you’d like to try this out you will need an Office 365 tenancy, a Google G Suite organization and a spare DNS domain. This example uses as a secondary domain on the Google organization and a custom domain added to a Office 365 tenancy. The status of the domain is not significant so long as both platforms have it verified. Both platforms must use the same domain and the same form of the user logon address.

A couple of points worth noting at this stage.

The action operates at the domain level within Azure so once it’s turned on all non-admin accounts using are passed to Google for verification. You can’t isolate a sub-set of accounts for local authentication.  If you need Azure service accounts you can always fall back to another custom domain or the built-in domain.

You can only have a single instance of the SAML object for Office 365 in the Google admin console. Once the service is up and running it will accept requests from multiple Azure tenants so long as they have the correct authentication. However the associated user provisioning object only connects to a single AD tenant.  Therefore while GSuite could act as an idP for many Office 365 tenancies it can only provision users into one.  Therefore if you need auto-provisioning it’s best to keep to a simple one-to-one relationship between the Google organisation and the Office 365 tenancy.

Note: This is unlike the action of Microsoft Azure. Because you can create multiple instances of the provisioning object each with its own login details and scope functions you can auto-provision users into many different G Suite domains.

Setting up Google.
When a user attempts to logon to Microsoft the request has to be passed to Google for authentication.  Therefore there are two parts to the solution. The first involves setting up Google to handle the request from Microsoft and the second is making Microsoft hand the request to Google instead of just checking with the local Azure database. The first task is fairly straightforward, the second no so.

Creating the SAML object.
The process uses Security Assertion Markup Language (SAML) to handle the authentication request so the configuration is managed using the SAML apps section of the Apps Marketplace in the console.

This section contains templates that allow Google to accept authentication requests from a whole range of SaaS providers including Office 365.

Because most of the information is already filled in setting one up is pretty easy.

Enter Office 365 in  the filter input box and select the object returned.

The details are presented as shown in the example below. They will unique for your domain.

You need to do two things at this stage. Make a note of the idpid that is at the end of the SSO URL. It will be unique to your domain and we’ll need it later. Also download the IDP metadata as we require some information from that file.

Click through the next step.

In Step 4 of 5 check in the signed response as shown below. Keep all other entries as default.

In step 5 of 5 use the drop down list boxes to set the fields as shown below.

Step through the last dialog and select finish. That’s it. You will now find an Office 365 object in the SAML section of the apps that you can update and assign to users.

The Microsoft SAML app is assigned in the same way you manage any other app in the console by setting it to ON against elements of the OU tree.

This part of the process is quite important as it defines the applications ‘scope’ within G Suite. Once it’s assigned to an OU users will find the Office 365 icon appearing in their waffle menu in Chrome. It also defines the subset of users that Google will respond to when prompted by an SSO request from Office 365. In our original scenario we would assign the SAML app to the OU containing the user accounts for the administration team and be confident that no other users would be allocated the Office 365 icon or the SSO service.

User Auto-provisioning.
At this stage you are also given option to set-up user auto-provisioning. This feature will create a user account in Azure AD to match a new account in Google. There are also rules to delete or suspend an account that shadows the same action in Google.

I don’t intend to describe user provisioning in detail as the process hasn’t changed much since it was documented in an earlier post. A couple of points are worth noting.

First, the user account that is created in Azure has no licences attached. To make it productive you will need to allocate licences manually and update Azure groups as they are not part of the process either.

Second, auto-provisioning had a tendency to suspend Office 365 accounts if they weren’t recognized. Thankfully this annoying characteristic is now fixed. If you manually create a user account in Office 365 within the same domain the service doesn’t automatically suspend it just because it can’t find the same account in Google.  This feature made the earlier version almost unusable except for the most basic situations.

Lastly, if you choose to deploy user auto-provision you have the option to use a Google group to control the user set. This feature is very useful.

The scoping rule now extends to users who are under the OU structure AND members of the provisioning group. If the user is removed from either the group or the OU the deprovisioning rules apply. This gives the admin close control over which users have access to Office 365 and will be authenticated by Google. In our example we would probably create a Google group (Office 365 Users) that only contains members of the Admin team that need an Azure logon. That way you could create accounts under the Admin OU without creating a user account in Azure. Similarly you could suspend an Azure user by removing the account from the group while still keeping the Google account active. Nice.

To conclude, we now have an Office 365 SAML app created in Google that will accept requests from Office 365 for authentication on any domain hosted by the organization. However Google will only return a positive response to a user account covered by the OU that has the Office 365 SAML app turned on AND is a member of the provisioning group.

Any new Google account placed in the OU and the provisioning group will automatically be created in Office 365 and suspended if removed. For a single account the update action seems to act on a back-end trigger rather than a schedule and can take place in under a minute.

What’s left to do.
We still have to persuade Azure to pass logon requests to Google rather than handling them locally which does involve a few tricks. After setting an InTune device policy and we should have a Windows 10 device displaying a Google logon screen.

We'll cover all of that in the follow-up post.

For those who can't wait here's a preview provided by Roger Nixon.

Monday, 10 June 2019

Microsoft Licencing for a serverless school.

Going serverless challenges every preconception regarding networking and application delivery and that includes Microsoft licencing.  Working on the premise that nobody really understands this subject let’s try and keep things simple.

First we must assume that the adoption of Office 365 or G Suite for Education and associated SaaS applications has removed the requirements for SQL Server, Exchange and Remote Desktop Service (RDS).  It’s hard to believe that in 2019 a school would still be licencing a local Exchange server rather than the free Office 365 A1 tier for faculty and students. There’s really no excuse for this capital crime against the school finances.

However, while the school still runs Windows OS with local file and print services and MS Office 2019 installed on the desktop you still require a base set of licences.
  • A licence to install and update the Windows desktop OS.
  • A licence to install and upgrade the Microsoft Office suite.
  • A licence to install and upgrade the Windows Server OS.
  • Client Access Licences (CALS) for either devices or users to access resources on the server(s).
While it’s possible to licence each item individually most schools choose to purchase a ‘bundle’ under one of the Microsoft educational plans such as Open Value Subscription Agreement for Education Solutions (OVS-ES).

This approach has one major advantage. In addition to simplifying ordering, the bundled set carries a ‘student benefit’ option. This means that if the school buys licences for all staff members (defined as Full Time Employees or FTE’s) the same licence covers the student body as well.

Clearly this scheme has the potential for significant cost savings. In fact for any school operating a shared deployment of Windows devices, a Mac OS ICT suites running Office, a teaching and administrative department embedded with Microsoft Office and a multi-node Hyper-V Server farm it’s a deal not to be missed but what if you’ve gone serverless ?

In this situation the annual renewal cost for the bundle can look pretty steep, especially if the school needs to purchase a licence for each staff member regardless of whether they even have a network logon.  If the school derives value from the licence bundle that’s fine but with a serverless school that's unlikely to be true

For example the bundle includes a server user CAL which is not much use to a school that doesn’t run file and print services or host local Active Directory.

Similarly if pupils access a large shared pool of Windows 10 devices with Office 2019 installed the student benefit option makes financial sense but if they using Chromebooks or iPads to access G Suite or Office 365 web apps you're paying for something you don't need.

So what would Microsoft licensing look like for a serverless school that still needs to maintain a Windows 10 environment ?

This will vary from school to school but there are some pointers.

Manage Windows devices using InTune.
Schools need to move towards Windows 10 by January 2020 as support for Windows 7 depreciates.  Take this opportunity to place the new image under InTune control rather than falling back to a legacy process that requires local licensing. InTune offers a simple device licensing model which can factored into the price of the device. Alternatively InTune licences can be allocated to individual users.

Only licence what you need.
Why purchase Office 2019 licences for every staff (and student) member when only the SLT team actually need it to fulfill their duties. Office can be licenced as an add-on subscription to the free A1 tier and then allocated to those member of staff who need it. Everybody else can use the Office web apps which covers most situations.

If you ask a member of staff if they need Office 2019 the answer will be always be yes. If you then ask for a contribution towards the licencing costs you’ll probably find that, after due consideration the Office365 web apps will be fine after all.

Google has recently announced a new facility that allows the native editing of Office documents directly from G Drive. This may not meet the needs of the office macro ninja but it could reduce the need to licence Office for ad-hoc access and will certainly allow students to edit legacy document sets.

Make use of the new initiatives.
Microsoft is aware that the current EDU licence model is not ideal for the SaaS based school and is working hard to make it more attractive. One of these initiatives is the Shape the Future K-12 education program.

The major benefit of this scheme is the ability to order devices from Microsoft Partners with Windows 10 Pro preloaded. Units can then be manually enrolled into InTune without requiring an additional upgrade licence (Home -> Pro) or delivered direct to the user in a ready to run state through the AutoPilot scheme.

Schools with new hardware stock not covered by the scheme can still purchase an upgrade licence through OVS-ES but it’s far easier to absorb the discounted cost in the initial purchase price and enjoy the benefits of a more streamlined deployment process.

Run an appliance not a server
If your students and staff are taking resources from the cloud (including directory services) your local appliance should be reduced to running network support processes (DHCP, DNS). File storage will be managed using OneDrive/ Teams / Google Drive / Shared Drives while the print server role moves to a SaaS platform such as as Printix that integrates closely with both InTune and G Suite.

If you are running Windows Server you still need to licence the server cores but so long as your clients are not accessing local resources (application/file/print) there is no requirement for CALS. And of course you don't have to run Windows Server 2019 to provide basic network support.

Microsoft licencing becomes simple again. If you need a Windows device the total six year cost** is

Cost of device + Cost of the InTune device license + Cost of upgrade licence (if required).

       ** An InTune device licence is valid for six years.

A new staff member becomes

Cost of an annual Office Pro subscription licence (if required for role) otherwise use the free A1 Faculty.

The Office Pro licence, like the InTune user licence is transferable so you can work with a small free pool to make it more flexible.

Reevaluating Microsoft licensing in this way can bring substantial savings. There may be good operational reasons why this might not be immediately possible but in the future the serverless school shouldn’t be bundling up.

Friday, 10 May 2019

Managed Chrome from the Cloud (p2)

A first look at the Chrome Cloud managed browser.

Once enrolled the Chrome browser turns up as fully managed object in the G Suite admin console and shares with users and chromebooks the ability to take policy based on a position in the organisational structure. Like Chromebooks, managed browsers get a dedicated section in the Chrome management dialog joining an ever increasing list of devices types.

Opening the new Managed Browsers section displays a page layout similar to Chromebooks but without the filter options.  Each machine hosting a Chrome creates an inventory entry with the Machine name as the key.

Selecting the Machine Name open a dialog that presents a wealth of information about the browser and the device hosting the browser.

If your dialog looks a little empty it might be because the data collection feature needs to be enabled for the device. Under the User and browser setting for the OU controlling the browser object you need to set Cloud Reporting to Enable managed browser cloud reporting.

This policy pushes out a small Chrome extension that handles the data collection and reports back to the console. Once enabled you can see the extension load on the browser.

There’s little point listing all the reporting elements as they are well documented by Google and fairly obvious but some of the actions are worth a mention.

In the Installed apps and extensions card you get the option to select an element that has been reported and then Block the object from all other browser.

The option allows you to select the root OU object for the action and remove the extension from all browsers in scope, blocking all future installs. This may be of limited use in schools where the policy  is restrictive by default but for organizations with a loser structure this could be a useful feature.

The machine policy section gives a centralised view of the information you would see on the local chrome policy page which is very useful. As you might expect CloudManagementEnrollmentToken shows up as the only Local Machine Policy but for other policies the status flag seems a bit misleading. The fault code is

“More than one source is present for this policy, but the values are the same” 

which is hardly surprising as most of the policies will have two sources, one taken from the user OU and one from the browser OU. Since the policy is actually applied it hardly seems to merit a large red exclamation mark and an Invalid status.

User Profile policies are broken out in the section below and list those policies that override the browser settings by being Locally applied for the user object. If you don’t see this section it’s because you have no valid user policies set.

Policy information is updated by a reboot of the device but there doesn’t seem to be a way to control it directly through the extension directory.

Browser Extension List.
For the curious admins that scroll all the way down to the bottom of the Chrome Management dialog they will be rewarded with a new option Browser extension list.

This allows the admin to view an aggregated list of all Chrome browser extensions organised by extension rather than device.

Apart from selecting the extension name and moving directly to the Chrome Store page there’s also the same Block / Force install feature that you can access from the action menu at the end of each entry.

What might not be so obvious is the fact that the data items themselves are selectable.

This action creates a pull-out from the right hand side that contains extended information including the rights granted to the extension and the extension ID:

This seems to be a new navigation type in the console that we might see in other locations in the future.

Saturday, 27 April 2019

Managed Chrome from the Cloud (p1)

A first look at the Chrome Cloud managed browser.

In a previous series of posts we looked at how you could manage Chrome and other Google products such as File Stream using Microsoft InTune in a school that has no servers.

At Next 19 Google announced a cloud managed browser capability which makes the whole process much simpler.  The two approaches are not mutually exclusive and using both together can bring dividends to the network admin.

In this post we’ll take a look at what the new managed browser feature brings to the table, show how the technology integrates with InTune and then follow up with a more in-depth look at the G Suite management console in a later post.

The introduction of a managed Chrome browser is a big event for the Google administrator.

Up until now the G Suite organizational structure could only contain two types of object, a user or a chromebook. Now it has a third - a instance of Chrome running on a Windows, MacOS or Linux platform The Chrome browser has finally taken its rightful place as a fully managed object within the console.

In the past it was possible to manage Chrome on the desktop but it always involved a third party system such as Microsoft Active Directory, Managed Preferences on Mac or, as we have seen, an MDM like InTune.

This approach has two major weaknesses.

First, there isn’t a unified policy set for the Chrome browser. For organisations adopting Chromebooks the user environment is governed through the G Suite admin console while the Windows/MacOS Chrome desktop experience is controlled through an entirely different mechanism.

Second, there isn’t a single reporting console for Chrome. The G Suite admin console can access Chromebook information but it’s completely blind to Chrome browser metrics. Tasks like examining what extensions are installed or reporting on the versions of Chrome deployed across various platforms was simply not possible.

For schools this might be an irritation but for enterprise it can be a deal breaker so Google have solved the problem in a pretty elegant fashion. There are no licencing implications and the feature is free across all recent G Suite offerings. It’s also very easy to get started and there are only a couple of prerequisites.
  • The admin console must have the feature pushed out.  More than likely you already have the update. If your Chrome management tab reads User and browser instead of just User and you can see the new group icon shown above you’re good to go.
  • You must have Chrome V73 or later running on Windows, Mac and Linux computers. Android and iOS are not currently supported.

Preparing the Console.
Managed Chrome needs to be turned ON as it’s OFF by default. It’s important to realise that none of these actions will affect Chromebooks. User-level policies apply to Chrome devices even if Managed Chrome is turned off. Also you can turn this on at the root without any immediate effect as the browser has to be enrolled before anything happens.

Note: If you’d like to play around first, create an OU  called “Managed Browsers” and set it here.

From the G Suite admin console Home page, go to Device management and then Chrome management.  Click on User and browser settings.

Go to the Chrome Management for Signed-in Users section and change the setting to Apply all user policies when users sign into Chrome.

This policy is little misleading. It should really read Chrome Management for Signed-in users and managed browsers. As we'll see quite a few of the console policies descriptions need to be updated to reflect the new responsibility.

Preparing Desktop Chrome.
Just like Chromebooks, desktop browsers have to be enrolled into G Suite and to do that you need to create an enrollment key.

From the Admin console home page, go to Device management and select Managed Browsers.

At the bottom, click  +  to generate an enrollment token.

A couple of important points to note about the key.

It’s only useful at the point of enrollment and has no function after the event. Once the key is presented to the browser (we’ll come to that later) and the browser taken under management the key can be deleted or updated without affecting devices already enrolled. In some respect it works like the joiners code in Google Classroom.

The generated key is specific to the OU level. Any chromebook enrolled with this key will be placed at the same point in the tree and take policy from that level. In this case the analogy would be the ‘follow the user’ feature for chromebook enrollment.

Note: If you are just testing at this stage create the key for the new “Managed Browser” OU and set your policies here.

A browser under management will display a new information tag at the base of the About dialog.

Managed Chrome Browser Policies.

For organisations running Chromebooks it’s worth noting that none of the policies under the Device section have any bearing on Managed Chrome. Device policies are strictly limited to Chromebooks, no red line has been crossed.  All policies relating to Managed Chrome are to be found in the User and browser section, hence the change of name.

So how does Managed Chrome differ from a simple synchronised Chrome user session ?

Put simply, once enrolled a user policy can be applied to the Chrome browser without the user having to authenticate with Google. The policies are set in the Chrome User and Browser OU that the browser object lives in.

If user attempts to access a resource such as GMail they will be presented with a logon box in the normal way but at this point the browser is already under cloud user policy control so you’re able define things such as valid logon domains - but not using the policy you might expect.
The domain filter for Chromebook authentication is set in the Device policy but as we know Device policies have nothing to do with managed browsers. Therefore the policy you need to set is User and Browser - Sign-in Within the Browser in the OU that the managed Chrome browser resides in.

Using the settings shown above the user will only be able to authenticate using a account, the value being controlled by a Google cloud policy and not local platform policy.

Note: Clearly the description of this policy isn’t entirely accurate and neither is the little light bulb which says the policy only applies to Chrome devices.  Some housekeeping is required on the console to bring everything into line.

Policy Precedence.
You now have three policy sets for the Chrome user experience. Using Google's own terminology they are ;
  • Platform Policy - These are the old policies pushed out locally through GPO or MDM.
  • Cloud Policy - Managed Browser.  User and Browser set at the browser OU.
  • Cloud Policy - Authenticated User. User and Browser set at the user OU

So what happens if you set the same policy in all three areas - which one applies ?

The rule is (pretty) simple.

The Cloud Policy - Managed Browser policy will always apply except for two situations.
  1. A policy set at the Platform level will trump any Cloud Policy.
  2. Any policy explicitly set at the User level and not explicitly set at Managed Browser level will be applied.
In plain English what happens is this.

The browser takes the full user policy set from the Cloud Policy - Managed Browser OU with the understanding that any Local Platform Policies will overwrite individual settings.

When a user logs onto Chrome any policies that are locally applied on the user OU will override policies inherited at the Managed Browser level so long as they don’t clash with a Local Platform Policy which always wins out.

If a Cloud and Managed Browser policy is Locally applied in both areas the Managed Browser version is used. At no stage are list based policies merged.

You can clearly see the effect of the policy interactions if you run chrome://policy

First thing to note is the enrollment token is now shown as part of the machine policy. The only platform policy is the one that applies the Cloud Management Enrollment Key, all the others are set directly from the cloud from the User and browser policy of the OU that holds the browser object.

The only exception is one policy that has come down as part of the user sync process because it’s set as ‘Locally applied’ in the user OU but only ‘Inherited’ in browser OU and so it has precedence.

Enrolling a Chrome browser.
As mentioned earlier enrolling a Chrome browser is very straightforward - you just need to present the enrollment key either as a platform policy or through the execution of a .reg file.

In our serverless school the platform policy will be delivered by InTune so let’s see how easy this is.

Note: If need you need a refresher on using InTune to push policies to Chrome please refer to the earlier posts.

Managing Chrome on Windows is now reduced to the deployment of a single platform policy which tells Chrome to look to your Google organization for all other settings.

In this case the OMA-URI value is;


with the value set to ;

<enabled/> <data id="CloudManagementEnrollmentToken" value="1f5e6ab4-3ebe-4e0c-b959-86a3eeb4e0c"/>

Obviously you need you insert your own value for the Enrollment Token but after that you can manage Chrome using G Suite using the same policy set that controls Chromebooks.

Now you have Chrome on a Windows 10 desktop, fully managed from the cloud using an unified policy set within G Suite. Cool or what!

Next we’ll take a closer look at the features of the admin console that relate to managed browsers and see how the story gets even better for the serverless school.


Taking feedback from other early users (Kim Nilsson and Roger Nixon) I've checked back on the policy application logic and there's one point that needs clarifying.

As described the process does indeed 'loopback' on the user policy looking for the Locally Applied status but only if the policy for the User OU has

Chrome Management for Signed in Users set to Apply all user policies when users sign into Chrome.

This has to be set at the browser and user account OU.  If not you only ever see browser policies.

>>>  Managed Chrome from the Cloud (p2)

Friday, 12 April 2019

Managing Chrome in a serverless school (p2)

Deploying Google File Stream.

Anybody following this sequence of posts and expecting a simple deployment procedure along the lines of the Chrome browser is in for a bit of a surprise.

Unfortunately Intune for Education only recognises three native deployment types (web link, Windows Store item and packaged msi) and Google Drive Stream doesn’t fall into any of those categories so it’s time to roll up your sleeves and log into the Azure InTune portal.

The Azure InTune portal supports a wider range of application types including generic Win32 apps but these need to be converted to a specialised file format (.intunewin) before they can be used. As it turns out converting the Drive Stream executable into a .intunewin file is very straightforward.

The first step is to use the Microsoft Intune Win32 App Packaging Tool to pre-process the Google File Stream executable. The packaging tool wraps the application installation files into the .intunewin format and detects the parameters required by Intune to determine the application installation state.

Although this post references File Stream the process is much the same for any .exe installer.

Download the packaging tool and extract the executable (IntuneWinAppUtil.exe) onto a local subdirectory  - C:\Intune for example.

Download and copy the Google File stream exe installer file into the same directory.

Open a Command Prompt as administrator, navigate to C:\InTune, run IntuneWinAppUtil.exe and provide the following information when requested.

Please specify the source folder: C:\InTune
Please specify the setup file: googledrivefilestream.exe
Please specify the output folder: C:\InTune

Once the process is complete a file named googledrivefilestream.intunewin is created alongside the original file. This is your new “InTune friendly” install package for File Stream.

In Azure InTune navigate to Client Apps - Apps  - Add.

From the App Type dropdown select Windows app (Win32).

In the next section select the googledrivefilestream.intunewin file you have just created. In the App Information section fill out the relevant fields. Load up a logo file, it has no purpose but it looks nice in the console.

The Program section requires an install and uninstall command. Fortunately these are listed on the Google support site.

GoogleDriveFSSetup --silent --desktop_shortcut

%PROGRAMFILES%\Google\Drive File Stream\<VERSION>\uninstall.exe --silent --force_stop

In the requirements section check in both 16 bit and 32 bit operating system architectures and a minimum OS version of 1607 or whatever suits your deployment plan.

The detection rule is the only tricky thing left. This is the logic that InTune uses to determine if the software is installed. In this case we’ll look for a registry entry.

Select Rule Format - Manually Configure... and then Add.

Rule Type: Registry

Key Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6BBAE539-2232-434A-A4E5-9A33560C6283}

Value Name: <blank>

Detection Method: Key Exists

The Tag section is not required. Select Save when complete and the installer file will be uploaded and the application prepared for deployment.

This normally takes a few minutes after which Google File Stream will be presented in the list of applications (type Win32) to be allocated in the same manner as the other apps.

It's important to realise that this process can only be managed using Azure InTune. Even after the app is created don’t expect it to appear within the InTune for Education portal.

In the next post we'll take a look at the new Chrome Managed Browser feature in G Suite and explain why things are about to get a whole lot easier for the serverless school.

Acknowledgements to Roger Nixon at Wheatley Park School UK for working through this example.

Tuesday, 9 April 2019

Managing Chrome in a serverless school (p1)

Deploying and managing Chrome.

In a series of three posts we’ll examine some of the challenges a school IT admin might face managing elements of the Google ecosystem in a school that has Microsoft Windows... but no servers.

In particular we’ll take a close look at installing and managing the Chrome browser and follow that up by deploying Google File Stream to Windows 10 clients. In the last post we’ll take an early look at the new Managed Browser feature of G Suite and see how this is set to make life a whole lot easier.

To adopt a true serverless strategy that includes Microsoft you need to manage your Windows 10 laptops and desktops using the InTune MDM rather than the Active Directory + GPO + SCCM combination that has been the de-facto standard for the last two decades.

It sure was fun but goodbye and happy retirement.

As we have noted in previous posts schools can access two versions of the management console. InTune for Education simplifies the user interface and streamlines some of the common workflows while Azure InTune exposes all of the working parts. At each stage we’ll point out what's possible in the schools version and when you might need to drop down into Tune ‘classic’.

Deploying Chrome.
This is easiest task and can be managed entirely within InTune for Education console . As we have seen in earlier posts InTune has a native workflow to deploy files in the Microsoft installer format (.msi) and fortunately Google provides the Chrome browser in just such a package.

Therefore the first task to download the Chrome msi installer file from the enterprise site. Once that's done it’s a simple job to work through the wizard.

Navigate to Apps - Desktops apps and + New app.

It’s worth noting that InTune for Education apps deployed in the .msi format are classified as Desktops apps but in Azure InTune the same apps are termed (LOB) Line-Of-Business apps.

The dialog allows you to select the Chrome installer msi file which includes metadata that fills out the app name field. All the other fields are optional. No command line is required for Chrome as InTune imposes a silent install. It’s worth creating and uploading an icon just because it makes Chrome easy to identify in the console and it looks cool. When installing Chrome make sure the “Don’t check version” option is enabled. Enabling means Intune won't try to install an older version of this app if a newer version is already found on the device.

Once accepted the install package is uploaded to the Azure repository and Chrome added to the list of desktop apps available to users or devices. Pretty straightforward.

Once the app is assigned to a user or device group don’t expect it to be available immediately. The installer file is downloaded on a trickle feed and then installed as a background task. So long as you remain patient the process is pretty reliable.

Managing Chrome.
Google admins who manage Chrome in a Windows environment will be familiar with the chrome.admx template file that's used to extend the standard Windows GPO policy set to include the Chrome browser. However when you open up InTune for the first time there's no sign of the Chrome policies in either of the two platforms.

Therefore before you can manage Chrome there is a separate process to ‘ingest’ the chrome.admx template file into inTune. Once Intune has the full listing, each setting has to be individually entered using a fairly arcane format but the end result is that the Chrome controls are pushed out in the same way as the established GPO model.

It’s important to note that this procedure can only be managed through the Azure InTune portal. The InTune for Education console has no visibility of this process at all.

The first step is to download the chrome.admx file from the enterprise support site.

Using Azure InTune open Device Configuration - Policies - Create Profile.

The new profile dialog needs to be filled out as shown below. It’s important that the profile type is set to Custom. Also note that this process is for Window 10 devices only.

The settings section allows you to add a configuration to the profile. Windows 10 custom profiles use Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings to configure different features. The first one loads the entire chrome.admx template into InTune. Subsequent entries are used to set specific policies within the template.

To import the chrome.admx template select the Add option.

Update the dialog with the values below.

The OMA-URI value is:


Setting the Data type to String presents a list box.  Paste the entire contents of the chrome.admx file into the input field and save the dialog. This action provides InTune with enough information to understand the Chrome policy group but doesn’t set anything - that’s the next task.

Let's take a simple example, Forcing Safe Search.

Within the same policy add a second custom OMA-URI setting.

In this case the OMA-URI value is;


with the value set to ;


Setting each policy requires you to know the appropriate OMA-URI (the registry entry) and the contents of the Value field (the registry setting). Fortunately, Google has provided a sheet and some examples that run through some of the common policies but it’s not a comprehensive list.

What happens if the policy you require is not on the list?

If you look closely each policy has a fixed pattern and with a bit of detective work and using the existing policies as templates you can work them out.

The simple on/off policies are controlled by the value=<enable/> field with the final OMA-URL suffix replaced by the string identifier for the policy. The string identifiers can be found by typing chrome://policy from Chrome or by referencing the Chromium developers site.

It gets a bit tricky when the value field is not simply on/off but requires a data list. A good example is the  PluginsAllowedForUrls which requires a list of URL’s.

In this case the values are separated by the Unicode character 0xF000 which corresponds to the encoded version: &#xF000 which is what you see in the string examples.

Unfortunately two of the most popular Chrome policies are not on the Google list.

Chrome – ADMX – BrowserSignin
Chrome – ADMX – RestrictSigninToPattern

The first policy forces users to sign in and ensures that the Chrome policies and settings are applied on users’ computers. The second limits user logins to organisational accounts.

An amended version of the Google sheet includes these policies and will be extended as other policies are assessed.

In the next post we’ll take a look at using InTune to deploy Google File Stream.

Acknowledgements to Roger Nixon at Wheatley Park School UK for authoring the additional Chrome policies and testing the settings.

Saturday, 23 March 2019

Using cloud identities to access local resources

When considering the move towards a cloud (SaaS) based solution one irritating problem always remains - local file shares.

The concept of data sharing from a local server has been around for so long it’s hard to recall a time when it wasn’t possible and for organisations attempting to shift resources to the cloud it creates a real challenge.

Anybody following Microsoft roadmap towards a modern subscription service will have noted some limitations when dealing with local resources  If I take a Windows 10 laptop and place it under management with Azure Domain join and InTune I have a fully functioning device that works brilliantly within the context of modern web based services using authentication mechanisms like SAML but when I ask my cloud based Office 365 account to access a local file share or send to a printer that is protected by a local AD account and a Kerberos token things don’t work so well.

However a recent announcement on the Microsoft forums may have made things a little easier.

Any Windows 10 device that is Azure Active Directory joined can now access local resources so long as they are running Azure AD Connect to provide the link between the two account systems. No other software (ADFS) or configuration is required as the magic is baked directly into Windows 10. Although the post references Office 365 for Business I’m assured that the feature does extend into the education offerings.

The requirement to run Azure AD Connect is unlikely to be much of a barrier. Most schools using Office 365 already use Azure AD Connect to push account information out from Active Directory. This means schools can start to adopt modern management practices and transition data into OneDrive and Teams while continuing to use SMB shares until the day when last server is turned off. Hopefully that day will come very soon.

Of course clients need to be running Windows 10 and the latest version of Azure AD Connect but with the end-of-support date for Windows 7 under a year away this is an issue schools are facing anyway. This welcome feature just gives them one more reason to make the move.