MAM without enrollment and Outlook mobile app

It has been a long time since I posted a blog on my blogsite, so it is time for a blogpost. The Outlook for iOS and Android app was confusing for me, and that's why I made this post to clarify it. Maybe you ran into a problem with Mobile Application Management (MAM) in Microsoft Intune for the Outlook for iOS and Android app. I was one of them and couldn't get the correct information from the Internet about the support within the Outlook app and the native mail app on iOS, Android and Windows 10.

We have 2 different scenarios at this moment: an Exchange 2016 environment running on-premises, and an Exchange Online tenant running in the cloud. So how do you manage a BYOD device with MAM in these 2 scenarios?

App protection policies for the Office mobile apps only work if the apps are connected to Office 365 services. App protection policies will not work in the Office mobile apps if you are using on-premises Exchange, Skype for Business or SharePoint.

With Exchange on-premises you get less functionality than with Exchange Online. Within Microsoft Intune you have the option to use Conditional Access (CA), App Protection policies (MAM) and email profiles.

Then you have 2 different apps to get your email on your mobile (BYOD) device: the Outlook app (available for iOS and Android) and the system app, called the native mail app. The functionality of the Outlook app and the native mail app is not 1-on-1 the same, and of course it also depends on which Exchange version you are using.

Microsoft Intune has an Exchange Connector to connect your on-premises Exchange with Microsoft Intune. This is required if you want to use Conditional Access (CA) with on-premises Exchange. I'm not going into the configuration of the Exchange Connector in this blogpost.

App Protection Policies

The Outlook app supports these policies. The native mail app doesn't support App Protection Policies; only managed apps that are compatible with Mobile Application Management (the Intune App SDK has to be integrated in the app) do. With App Protection policies you can limit some functions within the app, like copy/paste to an unmanaged app, saving attachments to local storage, and so on.

This works without enrolling the device in Microsoft Intune. The only thing required is a broker app: on iOS you have to install the Microsoft Authenticator app, and on Android the Intune Company Portal app. You don't have to sign in to that app.

Outlook for iOS and Android app: only if you have Office 365/Exchange Online will the policies work on the BYOD device based on Mobile Application Management.

Native mail app: App Protection Policies don't support native mail apps. Mobile Application Management will not work for native mail apps.
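As an added example (not from the original post, and not Microsoft's own sample), this is what such an app protection policy looks like when created through Microsoft Graph instead of the Intune portal: it blocks data transfer and paste to unmanaged apps, blocks "save as" to local storage, requires an app PIN, and is then targeted at Outlook for iOS by bundle id. It assumes you already hold an access token with DeviceManagementApps.ReadWrite.All in $token; the policy values are illustrative.

```powershell
# Added example: create an iOS app protection policy for MAM without enrollment via Microsoft
# Graph and target it at Outlook for iOS. Assumption: $token was obtained elsewhere and carries
# DeviceManagementApps.ReadWrite.All.
$token   = '<access token with DeviceManagementApps.ReadWrite.All>'
$graph   = 'https://graph.microsoft.com/v1.0'
$headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }

# No data transfer or paste to unmanaged apps, no "save as" to local storage, app PIN and
# offline-access limits. deviceComplianceRequired stays $false: the device is not enrolled
# (MAM-WE), so there is no device compliance state to check.
$policy = @{
    '@odata.type'                           = '#microsoft.graph.iosManagedAppProtection'
    displayName                             = 'BYOD Outlook - MAM without enrollment'
    allowedOutboundDataTransferDestinations = 'managedApps'
    allowedInboundDataTransferSources       = 'managedApps'
    allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'
    saveAsBlocked                           = $true
    allowedDataStorageLocations             = @('oneDriveForBusiness', 'sharePoint')
    dataBackupBlocked                       = $true
    printBlocked                            = $true
    pinRequired                             = $true
    minimumPinLength                        = 6
    periodOfflineBeforeAccessCheck          = 'PT12H'
    periodOnlineBeforeAccessCheck           = 'PT30M'
    periodOfflineBeforeWipeIsEnforced       = 'P90D'
    deviceComplianceRequired                = $false
}

$created = Invoke-RestMethod -Method Post -Uri "$graph/deviceAppManagement/iosManagedAppProtections" `
    -Headers $headers -Body ($policy | ConvertTo-Json -Depth 5)
Write-Output "Created policy $($created.id)"

# Target the policy at Outlook for iOS by bundle id (Outlook has the Intune App SDK built in).
$targetApps = @{
    apps = @(
        @{ mobileAppIdentifier = @{
              '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'
              bundleId      = 'com.microsoft.Office.Outlook' } }
    )
}
Invoke-RestMethod -Method Post -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($created.id)/targetApps" `
    -Headers $headers -Body ($targetApps | ConvertTo-Json -Depth 5)

# Read the policy back to confirm the restrictions took.
$check = Invoke-RestMethod -Method Get -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($created.id)" -Headers $headers
$check | Select-Object displayName, saveAsBlocked, allowedOutboundDataTransferDestinations, pinRequired
```

The Android equivalent uses the androidManagedAppProtections collection, the androidMobileAppIdentifier type and the package name com.microsoft.office.outlook. Without a targeted app the policy does nothing, which is the usual reason a freshly created policy "doesn't apply".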

Email profile auto-setup: 

Email profile auto-setup does not work in the Outlook app, only in the native mail app. The exception is older Android versions, depending on how the device is enrolled. On Android you have 2 different types of MDM: the traditional (device administrator) way and Android for Work. Email profiles only work if your Android devices are managed with Android for Work, not in the traditional way. The only way to use email profiles is to enroll the device in MDM; MAM will not work.

NOTE: Since January 2018 the Outlook for iOS and Android app supports email profile push from Microsoft Intune. Link:

Outlook for iOS and Android app: email profile push works, but only if the device is enrolled in Microsoft Intune. This is MDM, not MAM (without enrollment). If you are using an Office 365 account, the push is not needed: the account information is discovered automatically.

Native mail app: only if the device is enrolled. With MAM it will not work.

Conditional Access: 

If you want to use CA with on-premises Exchange, you have to enroll your devices in Microsoft Intune, and Microsoft Intune must have a connection (the Exchange Connector) with your on-premises Exchange environment. Based on the condition (compliance) of the device, CA grants or blocks access to the resources. With Exchange Online you can force the user to use the Outlook app instead of the native mail app: if the user sets up his mail account in the native mail app, he gets a message that he must download and use the Outlook app to get his mail. This can be done with MAM without enrollment, but only for Exchange Online, and you have to use modern authentication (which is enabled by default).

Outlook for iOS and Android app: only with Office 365 can you use Conditional Access with MAM without enrollment. This is only available if Microsoft Intune is connected to the Exchange Online environment.

Native mail app: it only works if the device is enrolled in Microsoft Intune. It will not work with MAM without enrollment.
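The "force the user into the Outlook app" behaviour described above is an Azure AD Conditional Access policy with the grant control "Require approved client app" scoped to Exchange Online on iOS and Android. As an added example (not part of the original post), this creates that policy through Microsoft Graph. It assumes $token carries Policy.ReadWrite.ConditionalAccess, and the break-glass account id is a placeholder you must fill in; the policy is created in report-only mode so you can check the sign-in logs before it blocks anyone. The application id is Microsoft's well-known id for Office 365 Exchange Online.

```powershell
# Added example: Conditional Access policy that requires an approved client app (Outlook) for
# Exchange Online on iOS and Android, so the native mail app is refused and the user is told to
# use Outlook. Assumption: $token was obtained elsewhere with Policy.ReadWrite.ConditionalAccess.
$token   = '<access token with Policy.ReadWrite.ConditionalAccess>'
$headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }

$policy = @{
    displayName = 'BYOD mobile: require Outlook (approved client app) for Exchange Online'
    state       = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after reviewing sign-in logs
    conditions  = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = @('<break-glass account object id>')   # placeholder, always exclude one
        }
        applications   = @{ includeApplications = @('00000002-0000-0ff1-ce00-000000000000') }  # Office 365 Exchange Online
        platforms      = @{ includePlatforms = @('iOS', 'android') }
        clientAppTypes = @('mobileAppsAndDesktopClients')   # modern-auth clients; legacy/EAS is a separate policy
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('approvedApplication')
    }
}

$created = Invoke-RestMethod -Method Post -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Headers $headers -Body ($policy | ConvertTo-Json -Depth 6)
Write-Output "Created CA policy $($created.id) in state $($created.state)"
```

Because this policy only evaluates modern-authentication clients, a native mail app using basic authentication over Exchange ActiveSync is not caught by it; that is why modern authentication has to be on and basic authentication blocked separately for the control to mean anything. Newer tenants also have the control compliantApplication ("Require app protection policy"), which checks that the app actually has a MAM policy applied rather than only that it is on the approved list.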

Selective Wipe:

Within Microsoft Intune you have the option to do a (remote) wipe on a device. There are 2 different wipes: a selective wipe and a full wipe. Selective wipe means that Microsoft Intune only removes corporate data (personal data stays intact) from the device; full wipe means that Microsoft Intune resets the device to its factory defaults. To selectively wipe the email profile you have to set up the email profile in Microsoft Intune (see the email profile section above), and that requires the device to be enrolled. This device-level selective wipe does not work with MAM without enrollment, and it applies to the native mail app, not to the Outlook app. The app-level selective wipe of managed apps is a different thing, see below.

Microsoft Docs states that all managed apps support selective wipe based on MAM without enrollment. Once you have sent the wipe request, the data is wiped the next time the user opens the app.

Outlook for iOS and Android app: with MAM without enrollment you can do a selective wipe of the app. The data is wiped from that specific app. For Outlook only the corporate mail is removed; the personal mailbox stays intact on the device.

Native mail app: only if the device is enrolled. Then you can do a selective wipe or a full wipe. The selective wipe does not remove only the mail: everything corporate-related is removed from the device.

Best of both worlds: if you are not using Exchange Online but only the on-premises version, you have to use MDM (enrollment) combined with MAM policies.


OpsMgr 2012 R2 – PSScript: Automate Config Failover Gateway for SCOM agents

A gateway is an easy way to monitor servers in an untrusted domain: with a gateway SCOM is able to monitor the servers in that domain. Normally you plan 2 gateways per untrusted domain for high availability of the monitoring. Unfortunately, if you discover a new server in that untrusted domain, the second gateway is not configured as failover automatically. The agent only has a connection with the primary gateway, which you specified during installation or discovery.

To set the failover you have to use PowerShell. With some cmdlets you can set the primary and the failover gateway per agent. I'm not a fan of manual actions, so I made a PowerShell script for a monitor and another script that sets the failover on SCOM agents. The reason for automating this is: if you add a new server to SCOM, you will forget this manual step, and that is not good for the availability of the monitoring if the primary gateway goes down for a restart or whatsoever. So it was time to build a script to automate this process.

I have basic PowerShell skills. If you have another, better or more efficient idea, or a comment, please let me know; I appreciate that.

I have to skip some standard steps, otherwise the blog will be too long.

What I did:

  • Made a new monitor (a rule is also possible). Unfortunately, you have to use the Authoring Console or MPAuthor to make a PowerShell-based monitor or rule, instead of the SCOM console itself.
  • Made a PowerShell script to set the failover for the SCOM agent.
  • Made a notification based on the alert from the new monitor. A rule is also possible, but I will only explain the monitor in this blogpost.
  • The notification starts the script.
  • The script updates the alert, closes the alert afterwards and resets the monitor.

I have worked with the System Center Authoring Console to build the monitor. That's why this blogpost is based on the Authoring Console only.

Before you build a monitor you have to make a Probe action. This probe contains the Microsoft.Windows.PowerShellPropertyBagProbe module, like this:

Click on the Edit button to edit the probe. You have to choose which editor you want to use (you have to click Edit twice to edit the XML file).

Then you have to add the PowerShell script into the XML file between <ScriptBody> and </ScriptBody>. We are not using Arguments (those are for VBScript) or Parameters. Also wrap the PowerShell script in <![CDATA[ at the beginning and ]]> at the end; this is needed because the script contains characters that are illegal in XML element content, like & and <.

Like this:

<Configuration p1:noNamespaceSchemaLocation="C:\Users\albert.neef\AppData\Local\Temp\Script – Microsoft.Windows.PowerShellPropertyBagProbe.xsd" xmlns:p1="">

<Arguments />

<ScriptBody> <![CDATA[
#SCOM settings
$api = New-Object -ComObject "MOM.ScriptAPI"
$bag = $api.CreatePropertyBag()

#The connector configuration of this agent. "SystemCenterTest" is the management group name; change it to yours.
$error.Clear()
[xml]$XML = Get-Content "C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Connector Configuration Cache\SystemCenterTest\OpsMgrConnector.Config.xml" -ErrorAction SilentlyContinue

#Force an array, so .Count is also correct when there is exactly one parent.
$Parents = @($XML.Message.State.Parents.Added.Item)

$api.LogScriptEvent("GetFailoverConfig.ps1", 451, 0, "Script is reading the XML file")

if($error) {
    #No config file: probably a gateway or management server, not an agent. Do not alert.
    $bag.AddValue("Result", "GOOD")
    $bag.AddValue("Info", "No OpsMgrConnector.Config.xml found. Maybe this is a gateway")
    $api.LogScriptEvent("GetFailoverConfig.ps1", 451, 0, "No OpsMgrConnector.Config.xml found. Maybe this is a gateway")
} else {
    if($Parents.Count -gt 1) {
        $bag.AddValue("Result", "GOOD")
        $bag.AddValue("Info", "Failovergateway has been set")
    } else {
        $bag.AddValue("Result", "ERROR")
        $bag.AddValue("Info", "No failover gateway found in OpsMgrConnector.Config.xml")
    }
}

$api.LogScriptEvent("GetFailoverConfig.ps1", 451, 0, "Script is done with reading")

#Return the property bag to the workflow.
$bag
]]> </ScriptBody>

</Configuration>



The script reads the XML file from the SCOM agent. This file is located in the Health Service State folder. The XML holds the information about the connection with the gateway(s). If the agent is connected to more than 1 gateway, you see more than one gateway in the XML.

An example of the OpsMgrConnector.Config.xml file:



It's a very simple and basic PowerShell script. What it does is: get the gateway information and count how many gateways are in the XML. If there is one, it's an error. If there is more than 1 gateway, it gets a GOOD status. Save this and close the editor. You should see that the text boxes are refreshed with the information from the editor.

Click on Apply and OK (or only OK). Next you have to add a DataSource to the Management Pack.

You have to add the newly created probe and a SimpleScheduler. The scheduler is needed to run the script every XX seconds. I set this scheduler to 60 seconds for testing the script, but that is temporary; once a day is fine for monitoring. But first you have to promote IntervalSeconds so it can be overridden. With an override you can change the interval at which the script runs. Click on the 'triangle' icon/button and choose Promote…

SyncTime must be empty. Click on OK and go to the Configuration Schema tab.

Here you have to change the type of IntervalSeconds. The default is String, but IntervalSeconds is an Integer, so change it to Integer. Go to the next tab, Overridable Parameters.

This one is empty and you have to add IntervalSeconds as an override. So, click on Add and choose $Config/IntervalSeconds$. You have to name it; I always use the same name as in the Configuration Schema. Change the Configuration Element type to Integer. Click on Apply and OK. The next step is to make a MonitorType. A MonitorType is only for a monitor, not for a rule.

You have to add 3 things: the created DataSource and 2 ExpressionFilters. With an ExpressionFilter you link the healthy and unhealthy states to the results from the PropertyBag produced by the script. That way the monitor knows which result is bad and which is good.

Like this:

The Parameter Name is Property[@Name='Result']; Result is the name of the property in the PropertyBag in the PowerShell script. The healthy filter compares it with GOOD; use the same setting with ERROR for the unhealthy filter. The parameter is case sensitive.

This is the DataSource. You have to promote IntervalSeconds here as well, and repeat the steps for Configuration Schema and Overridable Parameters. Click Apply and OK. The next step is to create a monitor.

We use the Windows Server class, so the target is Microsoft.Windows.Server.Computer. The parent monitor is System.Health.ConfigurationHealth. Go to the Configuration tab and browse to the created MonitorType. You have to edit IntervalSeconds for the monitor.

Health and Alerting must also be configured. Choose which unhealthy state you want (Critical or Warning) and add some text to the alert, with automatic close when the object is healthy again.

Best practice is to disable the monitor by default and use overrides to enable the monitor for specific servers, so change Enabled from true to false. Error handling is a lot easier this way. Save the management pack and import it in SCOM. I skip the override step; it is a default step in the SCOM console.

This is the PowerShell script for setting the failover on the SCOM agent.

Param($ComputerName, $alertid)

#Function GetGatewayServers searches for the gateways in a specific untrusted domain.
#Assumes the untrusted domains use the DNS suffix .local; adjust the pattern for yours.
Function GetGatewayServers {
    Param($Node, $startTime)

    $parts = $Node.split(".")
    if($parts.Count -eq 3) {
        $domain = $parts[1]
    } elseif($parts.Count -eq 4) {
        $domain = $parts[2]
    } else {
        "$StartTime : ERROR Cannot determine the domain from $Node" | Out-File "Failover.log" -Append
        exit 1
    }

    $Gateway = Get-SCOMGatewayManagementServer -Name "*.$domain.local"
    $GatewayNames = $Gateway.DisplayName
    "$StartTime : The gateways in $domain are $GatewayNames" | Out-File "Failover.log" -Append

    $script:Gateway = $Gateway
}

#This function sets the failover gateway on the agent. Only the failover gateway is used here.
Function SetFailoverForAgent {
    Param($ComputerName, $IsFailOver, $startTime, $alertid)

    $Agent = Get-SCOMAgent | where {$_.DisplayName -eq $ComputerName}
    $Failover = Get-SCOMManagementServer -Name $IsFailOver

    Set-SCOMParentManagementServer -Agent $Agent -FailoverServer $Failover

    $FailoverName = $Failover.DisplayName
    "$StartTime : The failover has been set. The failover is: $FailoverName." | Out-File "Failover.log" -Append

    #Logging into the alert in SCOM.
    Get-SCOMAlert -Id "$alertid" | Set-SCOMAlert -Comment "Failover has been set. The Failover is $FailoverName"
}

#This function gets the primary gateway; the 'body' of the script filters it out to get only the failover gateway.
Function GetIsPrimary {
    Param($ComputerName, $startTime)

    $Agent = Get-SCOMAgent | where {$_.DisplayName -eq $ComputerName}
    $isPrimary = Get-SCOMParentManagementServer -Agent $Agent

    $PrimaryName = $isPrimary.DisplayName
    "$StartTime : Function GetIsPrimary has found the primary gatewayserver: $PrimaryName" | Out-File "Failover.log" -Append

    $script:isPrimary = $isPrimary
}

#Reset the monitor that raised the alert, so it can alert again for the next new agent.
Function ResetMonitor {
    Param($AlertId)

    $Alert = Get-SCOMAlert -Id $AlertId
    $Monitor = Get-SCOMMonitor -Id $Alert.MonitoringRuleId
    Get-SCOMClassInstance -Id $Alert.MonitoringObjectId | foreach { $_.ResetMonitoringState($Monitor) }

    "$StartTime : Reset monitor: $Monitor" | Out-File "Failover.log" -Append
}

#Date and time for the logfile.
$startTime = [DateTime]::Now

Import-Module OperationsManager

#If $ComputerName is empty, stop the script and log it.
if(!$ComputerName) {
    "$StartTime : ERROR No ComputerName: $ComputerName" | Out-File "Failover.log" -Append
    exit 1
}

"$StartTime : Starting for Agent $ComputerName" | Out-File "Failover.log" -Append

#Logging into the alert in SCOM
Get-SCOMAlert -Id "$alertid" | Set-SCOMAlert -Comment "Starting script SetFailoverOnAgent.ps1"

#Get the gateways from the domain where the agent is located.
GetGatewayServers -Node $ComputerName -StartTime $startTime

#Get the primary gateway server.
GetIsPrimary -ComputerName $ComputerName -StartTime $startTime

#Get the failover gateway name: the gateway in the domain that is not the primary.
$isFailover = $null
foreach($GWnode in $Gateway) {
    if($IsPrimary.DisplayName -ne $GWNode.DisplayName) {
        $isFailover = $GWNode.DisplayName
    }
}

#Without a second gateway there is nothing to set; say so in the alert instead of failing on an empty name.
if(!$isFailover) {
    "$StartTime : ERROR No second gateway found for $ComputerName, nothing to set" | Out-File "Failover.log" -Append
    Get-SCOMAlert -Id "$alertid" | Set-SCOMAlert -Comment "SetFailoverOnAgent.ps1: no second gateway found, failover not set"
    exit 1
}

#Set the failover for the agent.
SetFailoverForAgent -ComputerName $ComputerName -IsFailover $isFailover -startTime $StartTime -alertid $alertid

"$StartTime : Done.." | Out-File "Failover.log" -Append

#Logging into the alert in SCOM and closing it.
Get-SCOMAlert -Id "$alertid" | Set-SCOMAlert -Comment "Script SetFailoverOnAgent.ps1 has finished"
Get-SCOMAlert -Id "$alertid" | Set-SCOMAlert -ResolutionState 255 -Comment "Closed by SetFailoverOnAgent.ps1 Script"

#Call function ResetMonitor to reset the monitor.
"$StartTime : Reset the monitor" | Out-File "Failover.log" -Append
ResetMonitor -AlertId $alertid

Save this script on all SCOM management servers.

Next we have to make a new notification. Go to the SCOM console and make a new channel. This is a command channel. Give the channel a name and click Next.

You have to add the path to PowerShell.exe and the path where the script is located. As parameters you add $Data/Context/DataItem/ManagedEntityDisplayName$ and $Data/Context/DataItem/AlertId$. The startup folder is the folder where the script is located. Then you have to add the subscribers and the subscription. The subscription must be scoped to the alert of the created monitor. Keep those criteria tight: the command channel runs the script on the management server, with the rights of its action account, for every alert that matches the subscription.

To check, you can look in the Operations Manager event log on the server that has the override enabled. The monitor logs event ID 451. If you see this event ID, the monitor is working properly and will report to SCOM if it does not find the second/failover gateway.

You will get an alert and that alert triggers the subscription that is linked to the PowerShell script. The script writes a log file in the startup folder. The whole process is also logged in the history of the alert itself. Run this PowerShell cmdlet to check whether the agent has a failover gateway configured; this tells you that the script ran successfully.

Get-SCOMParentManagementServer -Agent (Get-SCOMAgent | where {$_.DisplayName -eq "YOURHOSTNAMESERVER"})
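The alert-driven script above handles one agent per alert. As an added example (not the author's script), this runs the same check for every agent behind a gateway pair in one go, which is useful after a bulk discovery or when you want a report before you trust the monitor. It assumes the two gateway names are passed in, that agents are matched on their PrimaryManagementServerName, and it uses the same test as the monitor: more than one parent management server means a failover is configured. The -ReportOnly switch only lists what would change.

```powershell
# Added example: check and, if needed, set the failover gateway for all agents whose primary is
# one of two gateways. Run on a SCOM management server. Assumptions: gateway names are passed in;
# agents are matched on PrimaryManagementServerName; -ReportOnly makes no changes.
Param(
    [Parameter(Mandatory = $true)][string]$GatewayA,
    [Parameter(Mandatory = $true)][string]$GatewayB,
    [switch]$ReportOnly
)
Import-Module OperationsManager

$gwA = Get-SCOMGatewayManagementServer -Name $GatewayA
$gwB = Get-SCOMGatewayManagementServer -Name $GatewayB
if (-not $gwA -or -not $gwB) { throw "Gateway not found: $GatewayA and/or $GatewayB" }

function Get-OtherGateway {
    # The failover is whichever gateway of the pair is not the agent's primary.
    param([string]$PrimaryName)
    if ($PrimaryName -in @($gwA.Name, $gwA.DisplayName)) { return $gwB }
    if ($PrimaryName -in @($gwB.Name, $gwB.DisplayName)) { return $gwA }
    return $null
}

# Only agents that report to this gateway pair.
$agents = @(Get-SCOMAgent | Where-Object { Get-OtherGateway $_.PrimaryManagementServerName })
"$($agents.Count) agent(s) report to $GatewayA or $GatewayB"

foreach ($agent in $agents) {
    # Get-SCOMParentManagementServer returns the primary and any failover server(s);
    # more than one entry means a failover is already configured.
    $parents = @(Get-SCOMParentManagementServer -Agent $agent)
    if ($parents.Count -gt 1) {
        "$($agent.DisplayName): OK ($($parents.DisplayName -join ', '))"
        continue
    }
    $failover = Get-OtherGateway $agent.PrimaryManagementServerName
    if ($ReportOnly) {
        "$($agent.DisplayName): no failover, would set $($failover.DisplayName)"
    } else {
        Set-SCOMParentManagementServer -Agent $agent -FailoverServer $failover
        "$($agent.DisplayName): failover set to $($failover.DisplayName)"
    }
}
```

Run it first with -ReportOnly to see which agents are missing a failover; the agent picks the new configuration up at its next configuration refresh, so a fresh run a few minutes later should show every agent as OK.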

If you have any questions, let me know..

Thanks for reading!

ConfigMgr 2012 R2 SP1: Rotating Assigned Management Point

This month I'm working on a new, complex infrastructure environment with a few untrusted forests. For managing servers and deploying workstations we implemented SCCM 2012 R2 SP1 in the new environment. Unfortunately SCCM is not 'designed' for forests without trust relationships. This bug or 'by-design thing' has existed since the beginning of SCCM 2012. It is still there in ConfigMgr 2012 R2 SP1, but Microsoft has released a workaround for the rotating assigned management point if your environment uses multiple management points.

Anoop has a nice explanation about this 'bug/by design thing'. The link:

In CU3 Microsoft released a workaround. To use it, you had to add a multi-string value to the registry of your client(s). The value (AllowedMPs) holds the correct management point(s) for the client. In ConfigMgr 2012 R2 SP1 there is an option in the site properties instead. You can force the assignment of management points from the console: go to Administration -> Site Configuration -> right-click Sites. In the submenu you have the option Hierarchy Settings, with the option "Clients prefer to use management points specified in boundary groups". This option replaces the AllowedMPs registry multi-string workaround.
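For clients that are still on a pre-SP1 site, this is the CU3 registry workaround applied with PowerShell, as an added example (not from the original post): it writes the AllowedMPs multi-string under the client's CCM key, restarts the client so it reads the value, and shows the assigned management point from SMS_Authority before and after. The MP names are constructed for the example; the key HKLM\SOFTWARE\Microsoft\CCM and the REG_MULTI_SZ value AllowedMPs are the ones the workaround uses.

```powershell
# Added example: apply and verify the AllowedMPs workaround on a ConfigMgr client. Run elevated
# on the client. The MP names below are constructed for the example.
$allowedMPs = @('mp01.forest-a.local', 'mp02.forest-a.local')
$ccmKey     = 'HKLM:\SOFTWARE\Microsoft\CCM'

function Get-AssignedMP {
    # SMS_Authority in root\ccm holds the management point the client is currently using.
    (Get-WmiObject -Namespace 'root\ccm' -Class SMS_Authority).CurrentManagementPoint
}

function Set-AllowedMPs {
    param([string[]]$MPs)
    # REG_MULTI_SZ; -Force overwrites an existing value.
    New-ItemProperty -Path $ccmKey -Name 'AllowedMPs' -PropertyType MultiString -Value $MPs -Force | Out-Null
    # The client reads the value when it starts.
    Restart-Service -Name CcmExec
}

function Test-AllowedMPs {
    param([string[]]$Expected)
    $actual = (Get-ItemProperty -Path $ccmKey -Name 'AllowedMPs' -ErrorAction SilentlyContinue).AllowedMPs
    if (-not $actual) { return $false }
    # Same set of names, order-insensitive.
    -not (Compare-Object -ReferenceObject $Expected -DifferenceObject @($actual))
}

"Assigned MP before: $(Get-AssignedMP)"
Set-AllowedMPs -MPs $allowedMPs
if (Test-AllowedMPs -Expected $allowedMPs) {
    "AllowedMPs set: $($allowedMPs -join ', ')"
} else {
    throw 'AllowedMPs was not written'
}
Start-Sleep -Seconds 60   # give the client a moment to re-evaluate its MP
"Assigned MP after: $(Get-AssignedMP)"
```

Once the site is on R2 SP1 and the hierarchy setting is turned on, remove the AllowedMPs value again (Remove-ItemProperty on the same key) so the boundary group, not a stale registry value, decides the management point.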

There is another tip, about boundaries. Don't use IP Subnet boundaries; use IP address range boundaries. If you use forest discovery, ConfigMgr creates the IP address range boundaries for you. IP Subnet boundaries do not work as they should: the created subnet IDs are not correct, and that is why an IP Subnet boundary will not work. The boundary group must reference the correct management point for assigning it to the clients. Jason wrote a blog about IP Subnet and IP Address Range boundaries.

The client then uses the correct management point, configured in the boundary group, and no longer rotates its assigned management point. The client still gets the list of management points from Active Directory, so you will still see all management points in the log, but it is not rotating anymore.

How to troubleshoot an OSD to a raw disk #OSD troubleshooting / workaround

I was implementing an SCCM 2012 R2 environment at a customer. The customer bought new Lenovo desktops with 128 GB SSD disks. The disks were not preconfigured; they were new and had not been used by the vendor, so the disks were raw. A raw disk can be a problem for OSD. I had a problem with WinPE not recognizing the SSD, only the card reader and the DVD drive. This means that the card reader (removable disk) automatically gets the letter C and the DVD drive the letter D.

The workaround was to format, partition and assign the SSD before starting the deployment task sequence in WinPE. That way the SSD has been written to, and is not raw anymore, before the task sequence starts. So the solution/workaround for this problem is:

In the properties of the boot image you can set a prestart command. When WinPE launches it runs this command automatically. With this command you can set network settings, format the disk before the task sequence launches, etc. I made a txt file with the commands for Diskpart. The Diskpart commands are:

select disk 0
create partition primary size=300
format quick fs=ntfs label="TEMP"
assign letter="C"

Diskpart Scripts and Examples:

The source directory is the directory where SCCM can find the txt file for Diskpart; the prestart command line is diskpart /s followed by the name of that file.

After updating your boot image, you can try this workaround for OSD. Maybe you have to change some settings, like the correct disk number; maybe your disk has number 2. But this workaround should work as a prestart command in WinPE. After running it successfully, WinPE and the task sequence should recognize the SSD as the C: drive.

Good luck!
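Because the disk number can differ per model (the card reader may sit at disk 0 on one machine and disk 1 on the next), the prestart step is safer when it picks the first fixed, non-USB disk itself instead of hard-coding "select disk 0". As an added example (not from the original post), this PowerShell prestart script does that with Win32_DiskDrive, writes the same Diskpart commands as above into a script file and runs it. It assumes the boot image has the WinPE PowerShell and WMI optional components enabled and is called from the prestart command line as powershell.exe -ExecutionPolicy Bypass -File prestart-disk.ps1.

```powershell
# Added example: prestart script for WinPE that selects the first fixed, non-USB disk, writes the
# Diskpart script and runs it. Assumption: the boot image includes the PowerShell and WMI
# optional components.
$disk = Get-WmiObject -Class Win32_DiskDrive |
    Where-Object { $_.InterfaceType -ne 'USB' -and $_.MediaType -notlike '*Removable*' } |
    Sort-Object Index |
    Select-Object -First 1

if (-not $disk) {
    Write-Error 'No fixed disk found; nothing to prepare'
    exit 1
}
Write-Output "Preparing disk $($disk.Index): $($disk.Model) ($([math]::Round($disk.Size / 1GB)) GB)"

# Same commands as the txt file, with the disk number filled in.
$script = @"
select disk $($disk.Index)
create partition primary size=300
format quick fs=ntfs label="TEMP"
assign letter="C"
"@
$path = Join-Path $env:TEMP 'prestart-disk.txt'
Set-Content -Path $path -Value $script -Encoding ASCII

diskpart /s $path
exit $LASTEXITCODE
```

A non-zero exit code from diskpart is passed back to the prestart command, so a machine where the disk still is not visible fails visibly at the prestart stage instead of later in the task sequence with the card reader as C:.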

Microsoft Intune Announcements #TEE2014

Microsoft has announced new capabilities coming to Microsoft Intune for mobile device and application management.

Microsoft Intune helps organizations provide their employees with access to corporate applications, data, and resources from virtually anywhere on almost any device, while helping secure corporate information. As a cloud service, we continue to rapidly add new capabilities to Intune; over the next few months we will roll out:

  • Intune-managed Office mobile apps that enable your workforce to securely access corporate data using the apps they know and love while preventing data leakage by restricting actions such as copy/cut/paste/save as and ‘open-in’ between apps in your managed app ecosystem
  • App wrapping capabilities that help secure your existing line-of-business applications, integrating these apps into your managed app ecosystem without further development or code changes
  • Managed browser, PDF viewer, AV player, and Image viewer apps for Intune that allow users to securely view content on their devices within the managed app ecosystem
  • Grant access to corporate resources, including access to Exchange email, based upon device enrollment and compliance policies set by the administrator
  • Bulk enrollment of devices using Apple Configurator or service account, simplifying administration and enabling policies and applications to be deployed at a large scale

These are just a few of the great features coming to Intune over the next two months.

This is a part of a blogpost from Microsoft Enterprise Mobility:

#7 Troubleshoot: OpsMgr VBScript error event ID 21405

At the moment I'm working with OpsMgr 2007 R2 at a customer here in the Netherlands. It was time to troubleshoot the VBScript and PowerShell script errors or exit codes 🙂 We are monitoring over 600 servers per environment (we have 4), Windows and Linux, and quite often I see script errors from the Base OS management pack or the SQL management pack. There is a view for these events, located in the folder Operations Manager\PowerShell Scripts or Script and Executable Responses.

I had one server that couldn't run the VBScripts for monitoring free space and network bandwidth. I saw this event in the event log and in the view.

The process started at 8:55:01 failed to create System.PropertyBagData, no errors detected in the output. The process exited with 1

Command executed: “C:\Windows\system32\cscript.exe” /nologo “Microsoft.Windows.Server.FreeSpace.vbs” HOSTNAME false 500 10 300 5 2000 10 1000 5
Working Directory: D:\Program Files\System Center Operations Manager 2007\Health Service State\Monitoring Host Temporary Files 33\136046\

One or more workflows were affected by this.

Workflow name: Microsoft.Windows.Server.2008.LogicalDisk.FreeSpace
Instance name: C:
Instance ID: {946C9D1C-AEAA-3B75-B442-D16701AC4B11}
Management group: MG1

This server has 3 logical disks, C:, D: and E:, and for each of them I got this warning. So for these logical disks the monitoring did not work properly.

What I did to troubleshoot this warning: first I searched for the vbs file in the Health Service State directory under the root of the SCOM agent, mostly C:\Program Files\System Center Operations Manager 2007\Health Service State\. The best way is to search on the name of the vbs file in that directory. Then I copied the file to a temp directory and opened a command prompt. I tried to run the vbs file and got this message.

Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Input Error: There is no script engine for file extension “.vbs”.

OK, this is odd, because there are more VBScripts running for monitoring, but I got it specifically for free space and network bandwidth. So now I had to troubleshoot this warning, because they are of course related 😉 I tried to associate the .vbs extension via assoc .vbs, but that didn't help; I still got the same message after running the vbs file. So I had to search on Google and I found this blog:

The problem was that the server was missing the registry key ScriptEngine. After adding the key and editing the default string, I ran the VBScript again. This time I didn't get the same error, but a message that I wasn't using the arguments correctly. That is good, and means that the vbs is associated with the script engine again 🙂

The server must have these keys and strings in the registry to associate the .vbs extension.

Windows Registry Editor Version 5.00
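As an added example (not from the original post), this PowerShell script does the same check and repair without editing the registry by hand: it follows the .vbs extension to its ProgID and the ProgID to its ScriptEngine key, recreates the two default values if one is missing, and then proves the fix by running a one-line VBScript with cscript.exe, the same way the agent does. The values .vbs -> VBSFile -> VBScript are the Windows defaults; run it elevated, because HKEY_CLASSES_ROOT is written.

```powershell
# Added example: check and repair the .vbs script-engine association that cscript.exe needs,
# then verify by running a constructed one-line VBScript. Run elevated.
function Test-VbsAssociation {
    $progId = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.vbs' -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { return 'missing: HKCR\.vbs default value' }
    $engine = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\ScriptEngine" -ErrorAction SilentlyContinue).'(default)'
    if (-not $engine) { return "missing: HKCR\$progId\ScriptEngine default value" }
    return "ok: .vbs -> $progId -> $engine"
}

function Repair-VbsAssociation {
    # Windows defaults: .vbs maps to the VBSFile ProgID, whose ScriptEngine is VBScript.
    $ext = 'Registry::HKEY_CLASSES_ROOT\.vbs'
    $eng = 'Registry::HKEY_CLASSES_ROOT\VBSFile\ScriptEngine'
    foreach ($key in $ext, $eng) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path $ext -Name '(default)' -Value 'VBSFile'
    Set-ItemProperty -Path $eng -Name '(default)' -Value 'VBScript'
}

function Test-VbsRuns {
    # Constructed test script; exit code 0 plus the echoed text means cscript found the engine.
    $vbs = Join-Path $env:TEMP 'engine-check.vbs'
    Set-Content -Path $vbs -Value 'WScript.Echo "engine ok"' -Encoding ASCII
    $out = & "$env:SystemRoot\System32\cscript.exe" //nologo $vbs 2>&1
    Remove-Item $vbs -ErrorAction SilentlyContinue
    return ($LASTEXITCODE -eq 0 -and "$out" -match 'engine ok')
}

$state = Test-VbsAssociation
Write-Output $state
if ($state -notlike 'ok:*') {
    Repair-VbsAssociation
    Write-Output (Test-VbsAssociation)
}
if (Test-VbsRuns) {
    Write-Output 'cscript can run .vbs files again'
} else {
    Write-Output 'cscript still fails; check the Shell\Open\Command value under VBSFile as well'
}
```

After the repair, re-run the original monitoring command from the event (cscript.exe /nologo Microsoft.Windows.Server.FreeSpace.vbs with its arguments) from the Monitoring Host Temporary Files folder; an argument-usage message instead of "no script engine" confirms the association, and the 21405 events should stop at the next workflow run.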




That’s all folks.. Good luck!