From 3096ec2ac8fa97d1be4ecc5d34d1eebee9f13365 Mon Sep 17 00:00:00 2001 From: Lana-Chin Date: Tue, 10 Dec 2024 10:22:23 -0800 Subject: [PATCH 1/4] VMWare -> Omnissa --- microsoft-365/frontline/flw-devices.md | 34 +++++++++++++------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/microsoft-365/frontline/flw-devices.md b/microsoft-365/frontline/flw-devices.md index 062f6c5e830..b1595324370 100644 --- a/microsoft-365/frontline/flw-devices.md +++ b/microsoft-365/frontline/flw-devices.md @@ -32,13 +32,13 @@ Because the workforce is largely mobile and often shift-based, managing the devi - Are company-owned devices shared between workers or assigned to an individual? - Do workers take devices home or leave them at the workplace? -It’s important to set a secure, compliant baseline to manage devices for your workforce, whether they’re shared devices or workers’ own devices. +It's important to set a secure, compliant baseline to manage devices for your workforce, whether they're shared devices or workers' own devices. This article gives you an overview of common frontline worker device scenarios and management capabilities to help empower your workforce while safeguarding company data. Use the information and considerations to help plan your frontline device deployment. ## Device deployment -A key step in planning is to determine how you’ll deploy mobile devices to your frontline and the operating systems to support. Make these decisions up front so that you can evaluate the feasibility of your implementation plan and IT infrastructure with these factors in mind. +A key step in planning is to determine how you'll deploy mobile devices to your frontline and the operating systems to support. Make these decisions up front so that you can evaluate the feasibility of your implementation plan and IT infrastructure with these factors in mind. ### Deployment models 
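Review bot: Most of this hunk, and most of the hunks that follow in this file, is a curly-to-straight apostrophe normalization ("It’s" to "It's", "you’ll" to "you'll") that the subject line "VMWare -> Omnissa" does not describe; either mention the apostrophe cleanup in the commit message or split it into its own commit so the product rename can be reviewed on its own. The removed lines also spell the product "VMware", so the subject should use that spelling rather than "VMWare".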
@@ -52,7 +52,7 @@ Shared devices and bring-your-own-device (BYOD) are the most commonly adopted de |Kiosk devices2 |Devices owned and managed by your organization. Users don't need to sign in or out. |Device has a dedicated purpose.

Use case doesn't require user authentication.|Collaboration, communication, task, and workflow apps need a user identity to function.

Not possible to audit user activity.

Unable to use some security capabilities including MFA. | 1Dedicated devices are uncommon in frontline deployments primarily due to high cost and effort to manage in the context of high staff turnover.
-2Kiosk device deployments aren’t recommended because they don’t allow user auditing and user-based security capabilities like multifactor authentication. [Learn more about kiosk devices](/windows/configuration/assigned-access). +2Kiosk device deployments aren't recommended because they don't allow user auditing and user-based security capabilities like multifactor authentication. [Learn more about kiosk devices](/windows/configuration/assigned-access). In this article, we focus on shared devices and BYOD, as these are the deployment models that fit the practical needs of most frontline deployments. Read on for an overview of planning considerations and management capabilities. @@ -61,7 +61,7 @@ In this article, we focus on shared devices and BYOD, as these are the deploymen The deployment model you choose partly determines the device operating systems you support. For example: - If you implement a shared devices model, the device operating system you choose determines the capabilities available. For example, Windows devices natively support the ability to store multiple user profiles for automated sign in and easy authentication with Windows Hello. With Android and iOS, more steps and prerequisites apply. -- If you implement a BYOD model, you’ll need to support both Android and iOS devices. +- If you implement a BYOD model, you'll need to support both Android and iOS devices. |Device OS|Considerations| |---------|--------------| 
@@ -77,10 +77,10 @@ When you're planning your device deployment, there are considerations across mul Mobile device management (MDM) solutions, such as Microsoft Intune, simplify deployment, management, and monitoring of devices. -A device can only be enrolled in one MDM solution, but you can use multiple MDM solutions to manage separate pools of devices. For example, you could use VMware Workspace ONE or SOTI MobiControl for shared devices and Intune for BYOD. If you use multiple MDM solutions, keep in mind that some users might not be able to access shared devices because of a mismatch in +A device can only be enrolled in one MDM solution, but you can use multiple MDM solutions to manage separate pools of devices. For example, you could use Omnissa Workspace ONE or SOTI MobiControl for shared devices and Intune for BYOD. If you use multiple MDM solutions, keep in mind that some users might not be able to access shared devices because of a mismatch in Conditional Access policies or mobile application management (MAM) policies. -If you’re using a third-party MDM solution, you can integrate with [Intune partner compliance](/mem/intune/protect/device-compliance-partners) to take advantage of Conditional Access for devices managed by third-party MDM solutions. +If you're using a third-party MDM solution, you can integrate with [Intune partner compliance](/mem/intune/protect/device-compliance-partners) to take advantage of Conditional Access for devices managed by third-party MDM solutions. ### App launchers for Android devices 
@@ -92,9 +92,9 @@ The following table lists some of the most common app launchers available today |App launcher |Capabilities| |-------------|------------| -|Microsoft Managed Home Screen |Use Managed Home Screen when you want your users to have access to a specific set of apps on your Intune-enrolled dedicated devices. Because Managed Home Screen can be automatically launched as the default home screen on the device and appears to the user as the only home screen, it’s useful in shared devices scenarios when a locked-down experience is required. [Learn more](/mem/intune/apps/app-configuration-managed-home-screen-app).| -|VMware Workspace ONE Launcher |If you’re using VMware, the Workspace ONE Launcher is a tool to curate a set of apps that your frontline needs to access. VMware Workspace ONE Launcher doesn’t currently support shared device mode. [Learn more](https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2306/Launcher_Publication/GUID-AWLAUNCHERINTRO.html).| -|SOTI|If you’re using SOTI, the SOTI app launcher is the best tool to curate a set of apps that your frontline needs to access. The SOTI app launcher supports shared device mode today.| +|Microsoft Managed Home Screen |Use Managed Home Screen when you want your users to have access to a specific set of apps on your Intune-enrolled dedicated devices. Because Managed Home Screen can be automatically launched as the default home screen on the device and appears to the user as the only home screen, it's useful in shared devices scenarios when a locked-down experience is required. [Learn more](/mem/intune/apps/app-configuration-managed-home-screen-app).| +|Omnissa Workspace ONE Launcher |If you're using Omnissa, the Workspace ONE Launcher is a tool to curate a set of apps that your frontline needs to access. Omnissa Workspace ONE Launcher doesn't currently support shared device mode. 
[Learn more](https://docs.omnissa.com/bundle/workspaceonelauncherV2306/page/AWLAUNCHERINTRO.html).| +|SOTI|If you're using SOTI, the SOTI app launcher is the best tool to curate a set of apps that your frontline needs to access. The SOTI app launcher supports shared device mode today.| |BlueFletch|[BlueFletch Launcher](https://docs.bluefletch.com/bluefletch-enterprise/product-guides/bluefletch-launcher) can be used on devices, regardless of your MDM solution. BlueFletch supports shared device mode today. [Learn more](https://soti.net/mc/help/v2024.0/en/console/system/microsoft_365_integration/change_device_reg_to_shared_mode_in_azure.html). | |Custom app launcher |If you want a fully customized experience, you can build out your own custom app launcher. You can integrate your launcher with shared device mode so that your users only need to sign in and out once. | @@ -102,7 +102,7 @@ The following table lists some of the most common app launchers available today Microsoft 365 for frontline workers uses Microsoft Entra ID as the underlying identity service for delivering and securing all apps and resources. Users must have an identity that exists in Microsoft Entra ID to access Microsoft 365 apps. -If you choose to manage frontline user identities with Active Directory Domain Services (AD DS) or a third-party identity provider, you’ll need to federate these identities to Microsoft Entra ID. [Learn how to integrate your third-party service with Microsoft Entra ID](flw-setup-microsoft-365.md#provision-users). +If you choose to manage frontline user identities with Active Directory Domain Services (AD DS) or a third-party identity provider, you'll need to federate these identities to Microsoft Entra ID. [Learn how to integrate your third-party service with Microsoft Entra ID](flw-setup-microsoft-365.md#provision-users). The possible implementation patterns for managing frontline identities include: 
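Review bot: In the app launcher table, the BlueFletch row ends with "[Learn more](https://soti.net/mc/help/v2024.0/en/console/system/microsoft_365_integration/change_device_reg_to_shared_mode_in_azure.html)", which points at a SOTI help page; it is unchanged context here, but it reads as if it belongs on the SOTI row, which has no "Learn more" link of its own, so it is worth fixing while this table is being edited. In the rewritten Omnissa row, "doesn't currently support shared device mode" is a dated claim that survives the rename; consider stating the version it was checked against (the new link is to the V2306 launcher docs) so readers know when to re-verify.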
@@ -112,7 +112,7 @@ The possible implementation patterns for managing frontline identities include: #### HR-driven user provisioning -Automating user provisioning is a practical need for organizations that want frontline employees to be able to access apps and resources on day one. From a security perspective, it’s also important to automate deprovisioning during employee offboarding to ensure that previous employees don’t retain access to company resources. +Automating user provisioning is a practical need for organizations that want frontline employees to be able to access apps and resources on day one. From a security perspective, it's also important to automate deprovisioning during employee offboarding to ensure that previous employees don't retain access to company resources. Microsoft Entra user provisioning service integrates with cloud-based and on-premises HR apps, such as Workday and SAP SuccessFactors. You can configure the service to automate user provisioning and deprovisioning when an employee is created or disabled in the HR system. 
@@ -131,7 +131,7 @@ My Staff also enables frontline managers to register their team members' phone n With the [shared device mode](/entra/identity-platform/msal-shared-devices) feature of Microsoft Entra ID, you can configure devices to be shared by employees. This feature enables single sign-on (SSO) and device-wide sign out for Teams and all other apps that support shared device mode. -Here's how shared device mode works, using Teams as an example. When an employee signs in to Teams at the start of their shift, they’re automatically signed in to all other apps that support shared device mode on the device. When they sign out of Teams at the end of their shift, they're signed out from all other apps that support shared device mode. After sign out, the employee's data and company data in Teams and in all other apps that support shared device mode can no longer be accessed. The device is ready for the next employee to use. +Here's how shared device mode works, using Teams as an example. When an employee signs in to Teams at the start of their shift, they're automatically signed in to all other apps that support shared device mode on the device. When they sign out of Teams at the end of their shift, they're signed out from all other apps that support shared device mode. After sign out, the employee's data and company data in Teams and in all other apps that support shared device mode can no longer be accessed. The device is ready for the next employee to use. You can integrate this capability into your line-of-business (LOB) apps using the [Microsoft Authentication Library (MSAL)](/entra/identity-platform/msal-overview). 
@@ -157,7 +157,7 @@ If MFA isn't feasible for your organization or deployment model, you should plan #### Passwordless authentication -To further simplify access for your frontline workforce, you can use passwordless authentication methods so that workers don’t need to remember or enter their passwords. Passwordless authentication methods remove the use of a password at sign-in and replaces it with: +To further simplify access for your frontline workforce, you can use passwordless authentication methods so that workers don't need to remember or enter their passwords. Passwordless authentication methods remove the use of a password at sign-in and replaces it with: - Something the user has, like a phone or security key. - Something the user is or knows, like biometrics or a PIN. @@ -181,7 +181,7 @@ To learn more, see [Passwordless authentication options for Microsoft Entra ID]( Authorization features control what an authenticated user can do or access. In Microsoft 365, this is achieved through a combination of Microsoft Entra Conditional Access policies and app protection policies. -Implementing robust authorization controls is a critical component of securing a frontline shared devices deployment, particularly if it isn’t possible to implement strong authentication methods like MFA for cost or practicality reasons. +Implementing robust authorization controls is a critical component of securing a frontline shared devices deployment, particularly if it isn't possible to implement strong authentication methods like MFA for cost or practicality reasons. #### Microsoft Entra Conditional Access 
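Review bot: The rewritten line in the passwordless hunk keeps a subject-verb agreement error: "Passwordless authentication methods remove the use of a password at sign-in and replaces it with:" should read "and replace it with:", since the subject is "methods". This line is already being touched for the apostrophe change, so fix it here rather than in a follow-up.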
@@ -193,7 +193,7 @@ With Conditional Access, you can create rules that limit access based on the fol - App - Real-time and calculated risk detection -Conditional Access policies can be used to block access when a user is on a noncompliant device or while they’re on an untrusted network. For example, you might want to use Conditional Access to prevent users from accessing an inventory app when they aren’t on the work network or are using an unmanaged device, depending on your organization’s analysis of applicable laws. +Conditional Access policies can be used to block access when a user is on a noncompliant device or while they're on an untrusted network. For example, you might want to use Conditional Access to prevent users from accessing an inventory app when they aren't on the work network or are using an unmanaged device, depending on your organization's analysis of applicable laws. For BYOD scenarios where it makes sense to access data outside of work, such as HR-related information, shift management, chat about swapping shifts, or non-business-related apps, you might choose to implement more permissive Conditional Access policies alongside strong authentication methods like MFA. 
@@ -201,13 +201,13 @@ To learn more, see the [Microsoft Entra Conditional Access documentation](/entra #### App protection policies -With mobile application management (MAM) from Intune, you can use [app protection policies](/mem/intune/apps/app-protection-policy) with apps that are integrated with the [Intune App SDK](/mem/intune/developer/app-sdk-get-started). This allows you to further protect your organization’s data within an app. +With mobile application management (MAM) from Intune, you can use [app protection policies](/mem/intune/apps/app-protection-policy) with apps that are integrated with the [Intune App SDK](/mem/intune/developer/app-sdk-get-started). This allows you to further protect your organization's data within an app. With app protection policies, you can add access control safeguards, such as: - Control the sharing of data between apps. - Prevent the saving of company app data to a personal storage location. -- Ensure the device’s operating system is up to date. +- Ensure the device's operating system is up to date. In a shared devices deployment, you can use app protection policies to ensure that data doesn't leak to apps that don't support shared device mode. In BYOD scenarios, app protection policies are helpful because they allow you to protect your data at the app level without having to manage the entire device. From d3d5c4852378ac3859738f6cab9324fad318615e Mon Sep 17 00:00:00 2001 From: Kelley Vice Date: Tue, 10 Dec 2024 11:58:39 -0800 Subject: [PATCH 2/4] Update m365-dr-workload-exo.md --- .../enterprise/m365-dr-workload-exo.md | 38 +++++++++---------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/microsoft-365/enterprise/m365-dr-workload-exo.md b/microsoft-365/enterprise/m365-dr-workload-exo.md index 7ec3e6289ac..c17f873d235 100644 --- a/microsoft-365/enterprise/m365-dr-workload-exo.md +++ b/microsoft-365/enterprise/m365-dr-workload-exo.md 
@@ -9,7 +9,7 @@ ms.subservice: advanced-data-residency ms.topic: article f1.keywords: - NOCSH -ms.date: 02/29/2024 +ms.date: 12/10/2024 ms.reviewer: deanw, brianday ms.custom: - it-pro @@ -123,15 +123,15 @@ The following connection instructions work for accounts that are or aren't confi 1. In a Windows PowerShell window, load the EXO V2 module by running the following command: - ```powershell - Import-Module ExchangeOnlineManagement - ``` + ```powershell + Import-Module ExchangeOnlineManagement + ``` 1. In the following example, admin@contoso.onmicrosoft.com is the admin account, and the target geo location is where the mailbox olga@contoso.onmicrosoft.com resides. - ```powershell - Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com -ConnectionUri https://outlook.office365.com/powershell?email=olga@contoso.onmicrosoft.com - ``` + ```powershell + Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com -ConnectionUri https://outlook.office365.com/powershell?email=olga@contoso.onmicrosoft.com + ``` 1. Enter the password for the admin@contoso.onmicrosoft.com in the prompt that appears. If the account is configured for MFA, you also need to enter the security code. @@ -261,9 +261,9 @@ You can't move inactive mailboxes that are preserved for compliance purposes (fo 1. Prevent the Managed Folder Assistant from processing the recovered mailbox by replacing \ with the name, alias, account, or email address of the mailbox and running the following command in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell): - ```powershell - Set-Mailbox -ElcProcessingDisabled $true - ``` + ```powershell + Set-Mailbox -ElcProcessingDisabled $true + ``` 1. Assign an **Exchange Online Plan 2** license to the recovered mailbox. This step is required to place the mailbox back on Litigation Hold. For instructions, see [Assign licenses to users](/microsoft-365/admin/manage/assign-licenses-to-users). 
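Review bot: In the step before `Set-Mailbox -ElcProcessingDisabled $true`, the placeholder the reader is told to substitute renders as a bare backslash ("replacing \ with the name, alias, account, or email address of the mailbox"), and the command itself carries no identity value, so as shown it cannot run. Whatever escaping of the angle-bracket placeholder was intended appears to be lost; since these fence lines are being touched anyway, restore a visible placeholder in both the prose and the command (for example `\<mailbox\>` in the prose and a matching `<mailbox>` positional value before `-ElcProcessingDisabled`; the placeholder name is a suggestion, not something the page defines). Separately, the removed and added fence lines in the -123 and -261 hunks are identical apart from whitespace, and the commit message "Update m365-dr-workload-exo.md" does not say why; state that the fences are being re-indented (presumably so they nest under their numbered steps) and that ms.date is bumped, so the change is understandable from the log.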
@@ -273,9 +273,9 @@ You can't move inactive mailboxes that are preserved for compliance purposes (fo 1. After verifying that the Litigation Hold is in place, allow the Managed Folder Assistant to process the mailbox again by replacing \ with the name, alias, account, or email address of the mailbox and running the following command in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell): - ```powershell - Set-Mailbox -ElcProcessingDisabled $false - ``` + ```powershell + Set-Mailbox -ElcProcessingDisabled $false + ``` 1. Make the mailbox inactive again by removing the user account associated with the mailbox. For instructions, see [Delete a user from your organization](/admin/add-users/delete-a-user). This step also releases the Exchange Online Plan 2 license for other uses. @@ -365,15 +365,15 @@ Or, you can use the following steps to onboard mailboxes directly in a specific 1. In Exchange Online PowerShell, store the on-premises administrator credentials used to perform a mailbox migration in a variable by running the following command: - ```powershell - $RC = Get-Credential - ``` + ```powershell + $RC = Get-Credential + ``` 1. In Exchange Online PowerShell, create a new **New-MoveRequest** similar to the following example: - ```powershell - New-MoveRequest -Remote -RemoteHostName mail.contoso.com -RemoteCredential $RC -Identity user@contoso.com -TargetDeliveryDomain - ``` + ```powershell + New-MoveRequest -Remote -RemoteHostName mail.contoso.com -RemoteCredential $RC -Identity user@contoso.com -TargetDeliveryDomain + ``` 1. Repeat step #4 for every mailbox you need to migrate from on-premises Exchange to the satellite geo location you're currently connected to. From 63fe45864f227271afbe25b2bee394c3100e7148 Mon Sep 17 00:00:00 2001 
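Review bot: The same placeholder loss appears in the `Set-Mailbox -ElcProcessingDisabled $false` step ("replacing \ with the name, alias, account, or email address") and in the `New-MoveRequest` example, where `-TargetDeliveryDomain` is left with no value at the end of the line; give each a visible, clearly labelled placeholder so the examples can be adapted by copy-and-edit. "Repeat step #4" also refers to a step by number inside a list whose items all carry the `1.` marker and are numbered by the renderer, so the reference will silently go stale if a step is added or removed; "Repeat the previous step" would be more robust.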
From: Kelley Vice Date: Tue, 10 Dec 2024 12:57:21 -0800 Subject: [PATCH 3/4] Update configure-search-for-multi-geo.md --- .../configure-search-for-multi-geo.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/microsoft-365/enterprise/configure-search-for-multi-geo.md b/microsoft-365/enterprise/configure-search-for-multi-geo.md index b8a88f7b50d..e9be0f97fef 100644 --- a/microsoft-365/enterprise/configure-search-for-multi-geo.md +++ b/microsoft-365/enterprise/configure-search-for-multi-geo.md @@ -1,7 +1,7 @@ --- title: "Configure search for Microsoft 365 Multi-Geo" ms.reviewer: -ms.date: 07/26/2024 +ms.date: 12/10/2024 ms.author: kvice author: kelleyvice-msft manager: scotv 
@@ -111,14 +111,14 @@ Some search features you might be familiar with, work differently in a multi-geo Promoted results -You can create query rules with promoted results at different levels: for the whole _Tenant_, for a site collection, or for a site. In a Multi-Geo environment, define promoted results at the _Tenant_ level to promote the results to the Search Centers in all _Geography_ locations. If you only want to promote results in the Search Center that's in the _Geography_ location of the site collection or site, define the promoted results at the site collection or site level. These results are not promoted in other _Geography_ locations. -If you don't need different promoted results per _Geography_ location, for example different rules for traveling, we recommend defining promoted results at the _Tenant_ level. +You can create query rules with promoted results at different levels: for the whole Tenant, for a site collection, or for a site. In a Multi-Geo environment, define promoted results at the Tenant level to promote the results to the Search Centers in all Geography locations. If you only want to promote results in the Search Center that's in the Geography location of the site collection or site, define the promoted results at the site collection or site level. These results are not promoted in other Geography locations. +If you don't need different promoted results per Geography location, for example different rules for traveling, we recommend defining promoted results at the Tenant level. Search refiners -Search returns refiners from all the _Geography_ locations of a _Tenant_ and then aggregates them. The aggregation is a best effort, meaning that the refiner counts might not be 100% accurate. For most search-driven scenarios, this accuracy is sufficient. +Search returns refiners from all the Geography locations of a Tenant and then aggregates them. The aggregation is a best effort, meaning that the refiner counts might not be 100% accurate. 
For most search-driven scenarios, this accuracy is sufficient. -For search-driven applications that depend on refiner completeness, query each _Geography_ location independently. +For search-driven applications that depend on refiner completeness, query each Geography location independently. @@ -127,12 +127,12 @@ Some search features you might be familiar with, work differently in a multi-geo Document IDs -If you're developing a search-driven application that depends on document IDs, note that document IDs in a Multi-Geo environment aren't unique across _Geography_ locations, they are unique per _Geography_ location. -We've added a column that identifies the _Geography_ location. Use this column to achieve uniqueness. This column is named "GeoLocationSource". +If you're developing a search-driven application that depends on document IDs, note that document IDs in a Multi-Geo environment aren't unique across Geography locations, they are unique per Geography location. +We've added a column that identifies the Geography location. Use this column to achieve uniqueness. This column is named "GeoLocationSource". Number of results -The search results page shows combined results from the _Geography_ locations, but it's not possible to page beyond 500 results. +The search results page shows combined results from the Geography locations, but it's not possible to page beyond 500 results. @@ -161,7 +161,7 @@ Some of the search features you might be familiar with, aren't supported in a mu Guests -Guests only get results from the _Geography_ location that they're searching from. +Guests only get results from the Geography location that they're searching from. @@ -231,7 +231,7 @@ MultiGeoSearchConfiguration - This is an optional list of which geo locations in DataLocation -The _Geography_ location, for example NAM. +The Geography location, for example NAM. EndPoint 
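Review bot: The rewritten Document IDs line keeps a comma splice: "aren't unique across Geography locations, they are unique per Geography location" should be split into two sentences or joined with a semicolon, since the line is being rewritten anyway. The following pair of sentences ("We've added a column that identifies the Geography location. Use this column to achieve uniqueness. This column is named "GeoLocationSource".") would also read better with the column name up front, for example "Use the GeoLocationSource column, which identifies the Geography location, to achieve uniqueness."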
@@ -260,11 +260,11 @@ MultiGeoSearchStatus – This is a property that the SharePoint Search API retur Full -Full results from all the _Geography_ locations. +Full results from all the Geography locations. Partial -Partial results from one or more _Geography_ locations. The results are incomplete due to a transient error. +Partial results from one or more Geography locations. The results are incomplete due to a transient error. From 65a682576e05f2a425ec9fb4aa418f80503229ee Mon Sep 17 00:00:00 2001 From: Erik Reitan Date: Tue, 10 Dec 2024 13:09:21 -0800 Subject: [PATCH 4/4] Update apps-purchase-volume.md --- microsoft-365/solutions/apps-purchase-volume.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/microsoft-365/solutions/apps-purchase-volume.md b/microsoft-365/solutions/apps-purchase-volume.md index 1227315ccbf..f1acc10aa11 100644 --- a/microsoft-365/solutions/apps-purchase-volume.md +++ b/microsoft-365/solutions/apps-purchase-volume.md 
@@ -85,7 +85,7 @@ Follow the Intune guidelines to assign iOS/iPadOS apps: ## Microsoft Store -[Microsoft Store](https://www.microsoft.com/business-store) is a web-based portal that allows you to find apps that can be managed by Intune. Admins can browse, deploy, and monitor Microsoft Store applications inside Intune. Upon deployment, Intune automatically keeps the apps up to date when a new version becomes available. The Microsoft Store supports UWP apps, desktop apps packaged in *.msix*, and now Win32 apps packaged in *.exe* or *.msi* installers. +[Microsoft Store](https://apps.microsoft.com/apps) is a web-based portal that allows you to find apps that can be managed by Intune. Admins can browse, deploy, and monitor Microsoft Store applications inside Intune. Upon deployment, Intune automatically keeps the apps up to date when a new version becomes available. The Microsoft Store supports UWP apps, desktop apps packaged in *.msix*, and now Win32 apps packaged in *.exe* or *.msi* installers. ### Access Microsoft Store 
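Review bot: The link target moves from https://www.microsoft.com/business-store to https://apps.microsoft.com/apps while the surrounding sentence still describes a portal where admins find apps "that can be managed by Intune" and then "browse, deploy, and monitor Microsoft Store applications inside Intune"; confirm that the new target is the intended entry point for that admin workflow rather than a consumer storefront, and record the reason for the change (retired or redirected URL) in the commit message, since "Update apps-purchase-volume.md" does not say.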
@@ -135,4 +135,4 @@ To make it easier for you to configure and use Android Enterprise management, up - **[Microsoft Intune](https://play.google.com/store/apps/details?id=com.microsoft.intune)** - Used for Android Enterprise fully managed scenarios. This app is automatically installed to fully managed devices during the device enrollment process. - **[Microsoft Authenticator](https://play.google.com/store/apps/details?id=com.azure.authenticator)** - Helps you sign-in to your accounts if you use two-factor verification. This app is automatically installed to fully managed devices during the device enrollment process. - **[Intune Company Portal](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal)** - Used for App Protection Policies and Android Enterprise personally owned work profile scenarios. This app is automatically installed to fully managed devices during the device enrollment process. -- **[Managed Home Screen](https://play.google.com/store/apps/details?id=com.microsoft.launcher.enterprise)** - Used for Android Enterprise dedicated multi-app kiosk scenarios. IT admins should create an assignment to install this app on dedicated devices that are going to be used in multi-app kiosk scenarios. \ No newline at end of file +- **[Managed Home Screen](https://play.google.com/store/apps/details?id=com.microsoft.launcher.enterprise)** - Used for Android Enterprise dedicated multi-app kiosk scenarios. IT admins should create an assignment to install this app on dedicated devices that are going to be used in multi-app kiosk scenarios.