Tag Archives: azuread

Azure, Intune

Tracking Down AzureAD Device Sign-Ins

4 Comments

I recently needed to track down who had recently used a device bound to AzureAD. We don’t tend to make use of the Primary User field, since our devices tend to be handed out in bulk to large groups of people at once, rather than one-at-a-time. This meant I had to track down who was using which device in a more roundabout method.

To accomplish this, you’ll need to use both Microsoft Graph and Microsoft Endpoint Manager.

Lookup the Device ID

First you’ll need Azure’s device ID for the computer.

Go to https://endpoint.microsoft.com

Click Devices on the left then Windows Devices.

Search for the device you are looking for.

Click on it

In the address bar of the browser, the last part of the URL will be the device ID. Select and copy it.

Query Device Sign-In Information

Now that you have the Device ID, you can lookup the login history using Microsoft Graph.

Go to https://developer.microsoft.com/en-us/graph/graph-explorer

Make sure to sign into graph, or you’ll only see the sample data.

Query type: GET

Version: beta

URL: https://graph.microsoft.com/beta/deviceManagement/managedDevices/[device ID here]

Click Run Query

You’ll only see the first several lines, which probably won’t show the logged on users.

Click the Expand button

Scroll down to where it says usersLoggedOn then select and copy the ID inside of the quotes.

Go back to Endpoint Manager

Click Users on the left.

Paste the user ID into the search field. This should tell you the name of the user who logged into that device. If there were multiple people recently signed in, they’ll all be in the usersLoggedOn array.

Cloud

Deploying Team Viewer with Intune

18 Comments

The scenario: you have computers that are only bound to AzureAD and you need to deploy a customized version TeamViewer to those computers. Me too! Here’s what I did.

Create the Custom Module & Policies

Log into to www.teamviewer.com

On the left hand side of the screen, choose Design & Deploy

You’ll see two tabs: Custom Modules and Policies.

The Policies tab has the custom settings used by the client (such as whitelisting, auto-starting, and auto-adding to groups).

Each custom module can only use one “Policy,” but each policy can have all possible settings. If you need to create a new policy, use the “Add policy” button at the top of the screen.

To change a policy, click the edit button next to the one of the policies. (The “enforce” checkbox for each setting prevents the end-user from being able to change that setting). These policies are checked by the client during installation.

Once the policy is setup, go to the Custom Modules tab. Create a new module with the Add Custom Module button or click the edit button on a existing module.

Customize the look of the TeamViewer app however you’d like.

Make sure the TeamViewer policy selected is the correct one from the Policies tab and you’ve selected the group you would like the devices added to under the “Automatically add computers to a group in your Computers list.”


Copy the API token and the Configuration ID. You will need these when creating the app in Intune.

Click the “Download MSI” link as well. Without any options, this MSI will just do a basic TeamViewer Host installation. Only when passed your configuration ID and API token during installation will it give you the customized client and add itself to your TeamViewer groups.

Package the Installer

The MSI file will come in a zip file; unzip it. Inside you will find two more folders: Full and Host. Go into the Host folder and copy the TeamViewer_host.msi file into another folder. I named mine “teamviewer-host”. Make sure there is nothing else in that folder.

If you haven’t already, download a copy of the Microsoft Win32 Content Prep Tool from https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool

Open Windows Terminal or a command prompt and run:

IntuneWinAppUtil.exe -c <folder with the msi it in> -s TeamViewer_Host.msi -o <where you want the package file saved>

So for me, I had IntuneWinAppUtil.exe on the desktop and wanted the package file there as well, so I ran:

.\IntuneWinAppUtil.exe -c .\teamviewer-host\ -s TeamViewer_Host.msi -o .

Once you have done so, you will have a file called TeamViewer_Host.intunewin that can be uploaded to Intune.

Create & Deploy in Intune

Go to https://endpoint.microsoft.com

Choose Apps->All Apps

Click the Add Button

Choose the App Type “Windows app (Win32) then click Select at the bottom of the screen.

Choose the TeamViewer_Host.intunewin file you created (Firefox may have trouble doing the upload. If so, use another browser)

On the Program step change the install command from:

msiexec /i "TeamViewer_Host.msi" /q

To:

msiexec /i "TeamViewer_Host.msi" /qn CUSTOMCONFIGID=[configuration id] APITOKEN=[API Token] ASSIGNMENTOPTIONS="--grant-easy-access"

(Don’t include the brackets [ ])

Choose 64bit Windows 10 under the Requirements

Under Detection Rules choose “Manually configure detection rules”

Click + Add

Choose MSI for rule type. Intune will automatically enter the correct MSI Product code. Keep “MSI Product version check” as “no” so that the app won’t re-install if upgrades are done on the client side.

No Dependencies are needed.

Finally, assign it to whatever device groups you need. Devices in those groups will automatically download the TeamViewer Host app as well as place an icon called TeamViewer on the desktop.

That’s it! Your custom TeamViewer host should install on the selected devices and be ready for remote management.