Lock down Windows PC with Intune to block cmd and regedit etc - azure-active-directory

I am trying to use Intune to manage devices joined to Azure AD. There is no on-premises Active Directory, so no access to Group Policy. I need to be able to completely lock down Windows 10 PCs so that the user cannot access things such as the command prompt (CMD) or Regedit or anything like this that would allow them to cause any problems on the PC.
I can see in Intune where I can restrict access to the "Settings" section etc., but there doesn't seem to be anything for restricting the applications mentioned above.
Imagine the PCs being in a school, for example, where they need to be completely restricted so that no troublesome users can mess about with them.
Does anyone know if this is possible using Intune and if so how? Otherwise, what are the alternatives? Is there a better MDM to be using?

AppLocker is the only way I have found to do this.
Create a custom OMA-URI:
./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/000000001/EXE/Policy
Value: String
Use an XML file to detail what you want to restrict.
See https://www.petervanderwoude.nl/post/managing-applocker-on-windows-10-via-oma-dm/ for full details. You can do the same for CMD and regedit.
I.e. this example blocks PowerShell and Python:
<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePathRule Id="e16ce5e4-67f2-4ebf-ad01-c81fc8f28cd5" Name="All Files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="9eb15b2e-f9c2-42d4-8692-ad1a0f6a0722" Name="All files" Description="Allows user to run files except powershell" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
    <Exceptions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="POWERSHELL.EXE">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="POWERSHELL_ISE.EXE">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Exceptions>
  </FilePathRule>
  <!-- This is a test to block python from running -->
  <FilePublisherRule Id="3d6ce594-1cc7-4870-b839-48c43a8954c0" Name="Signed by O=PYTHON SOFTWARE FOUNDATION, L=WOLFEBORO, S=NEW HAMPSHIRE, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="O=PYTHON SOFTWARE FOUNDATION, L=WOLFEBORO, S=NEW HAMPSHIRE, C=US" ProductName="*" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>
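The following PowerShell is an added example and is not code from the question or the answer above. It builds the kind of EXE rule collection the answer describes (administrators may run anything; everyone else may run anything except cmd.exe, regedit.exe and PowerShell), tests the result locally with Test-AppLockerPolicy before anything is assigned in Intune, and writes out the RuleCollection element that becomes the String value of the OMA-URI. The blocked binary names, the publisher and product name, and the test identity S-1-1-0 are assumptions: they hold on a stock Windows 10 install, but confirm them with Get-AppLockerFileInformation on one of your own devices first.

```powershell
# Added example; not code from the question or the answer above.
# Builds an AppLocker EXE rule collection (admins run anything; everyone else runs anything
# except cmd.exe, regedit.exe and PowerShell), tests it locally, and writes out the
# RuleCollection element that is pasted into the String value of the OMA-URI
#   ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/000000001/EXE/Policy
#
# Assumptions: the blocked binaries are Microsoft-signed under the product name below, as on a
# stock Windows 10 install (confirm with Get-AppLockerFileInformation), and $testUser names a
# standard, non-administrator identity on the machine running the test.

$blockedBinaries = @('CMD.EXE', 'REGEDIT.EXE', 'POWERSHELL.EXE', 'POWERSHELL_ISE.EXE')
$testUser        = 'S-1-1-0'   # assumption: evaluate as Everyone, i.e. a user who is not a local admin

# Publisher conditions still match if the user copies or renames the binary; path conditions do not.
$conditionTemplate = '      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="{0}">' + "`n" +
                     '        <BinaryVersionRange LowSection="*" HighSection="*" />' + "`n" +
                     '      </FilePublisherCondition>'
$exceptions = ($blockedBinaries | ForEach-Object { $conditionTemplate -f $_ }) -join "`n"

# S-1-5-32-544 is BUILTIN\Administrators, S-1-1-0 is Everyone. Fresh rule Ids are generated so
# this collection cannot collide with the Ids used in the answer's XML.
$ruleCollection = @"
<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators: all files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="$([guid]::NewGuid())" Name="Everyone: all files except admin tools" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
    <Exceptions>
$exceptions
    </Exceptions>
  </FilePathRule>
</RuleCollection>
"@

# Test-AppLockerPolicy wants a complete policy document, so wrap the collection for the local test.
$policyPath = Join-Path $env:TEMP 'lockdown-applocker.xml'
"<AppLockerPolicy Version=`"1`">`n$ruleCollection`n</AppLockerPolicy>" | Set-Content -Path $policyPath -Encoding UTF8

# notepad.exe is a control that must stay Allowed; the three admin tools must come back Denied.
$testFiles = @(
    "$env:SystemRoot\System32\cmd.exe",
    "$env:SystemRoot\regedit.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\notepad.exe"
)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $testFiles -User $testUser |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Rules are only enforced while the Application Identity service is running.
Get-Service -Name AppIDSvc | Format-Table Name, Status -AutoSize

# The OMA-URI value is the RuleCollection element alone, without the AppLockerPolicy wrapper.
$ruleCollection | Set-Content -Path (Join-Path $env:TEMP 'omauri-exe-policy.xml') -Encoding UTF8
```

Two things to check on a pilot device before assigning the profile broadly: that the Application Identity service is actually running, since AppLocker decides nothing without it, and that the edition in use supports AppLocker at all. Note also that the EXE collection says nothing about scripts or installers; those have their own collections under the same OMA-URI path (Script, MSI, StoreApps, DLL in place of EXE), so a user who cannot launch powershell.exe may still be able to run a .ps1 through another host unless the Script collection is locked down too.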

Related

Limits of a Publisher when a topic and writer is concerned

Could anyone let me know if one publisher can be used for passing different parameters (data types), like integer, float, string, char etc.?
Does the OpenSplice DDS Community Edition have any limitations for publishers? If so, how many publishers can it accommodate?
<OpenSplice>
<Domain>
<Name>ospl_sp_ddsi</Name>
<Id>0</Id>
<SingleProcess>true</SingleProcess>
<Service name="ddsi2">
<Command>ddsi2</Command>
</Service>
<Service name="durability">
<Command>durability</Command>
</Service>
<Service enabled="false" name="cmsoap">
<Command>cmsoap</Command>
</Service>
</Domain>
<DDSI2Service name="ddsi2">
<General>
<NetworkInterfaceAddress>192.168.147.179</NetworkInterfaceAddress>
<AllowMulticast>true</AllowMulticast>
<EnableMulticastLoopback>true</EnableMulticastLoopback>
<CoexistWithNativeNetworking>false</CoexistWithNativeNetworking>
</General>
<Compatibility>
<!-- see the release notes and/or the OpenSplice configurator on DDSI interoperability -->
<StandardsConformance>lax</StandardsConformance>
<!-- the following one is necessary only for TwinOaks CoreDX DDS compatibility -->
<!-- <ExplicitlyPublishQosSetToDefault>true</ExplicitlyPublishQosSetToDefault> -->
</Compatibility>
</DDSI2Service>
<DurabilityService name="durability">
<Network>
<Alignment>
<TimeAlignment>false</TimeAlignment>
<RequestCombinePeriod>
<Initial>2.5</Initial>
<Operational>0.1</Operational>
</RequestCombinePeriod>
</Alignment>
<WaitForAttachment maxWaitCount="10">
<ServiceName>ddsi2</ServiceName>
</WaitForAttachment>
</Network>
<NameSpaces>
<NameSpace name="defaultNamespace">
<Partition>*</Partition>
</NameSpace>
<Policy alignee="Initial" aligner="true" durability="Durable" nameSpace="defaultNamespace"/>
</NameSpaces>
</DurabilityService>
<TunerService name="cmsoap">
<Server>
<PortNr>none</PortNr>
</Server>
</TunerService>
</OpenSplice>
A DDS-publisher can have multiple writers of different topics where each topic-type can include various parameters of various types (including bounded and unbounded types such as arrays and sequences).
The OpenSplice CE (Community Edition) doesn't have any limitation for publishers, but when you want to run more than 10 applications on a single machine you have to change the DDSI/Discovery/ParticipantIndex parameter from its default 'auto' value to 'none', see also this post: http://forums.opensp...index#entry4024
Cheers

WiX Toolset - How to determine the SQL Server DATA path

I've tried to do this a few ways. Here's my latest attempt, which does not work, but should help illustrate what I'm looking to do.
Note: My assumption for the GetSQLServerInstalledInstance Id is that it will return one instance.
My goal is to find the DATA directory path for an instance of SQL Server installed on the machine that will also be installing my company's product.
<util:RegistrySearch Id='GetSQLServerInstalledInstance'
Variable='SQL_SERVER_INSTALLED_INSTANCE'
Root='HKLM'
Key='SOFTWARE\Microsoft\Microsoft SQL Server'
Value="InstalledInstances"
Format="raw" />
<util:RegistrySearch Id='GetSQLServerInstalledInstanceName'
Variable='SQL_SERVER_INSTALLED_INSTANCE_NAME'
Root='HKLM'
Key='SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
Value="[SQL_SERVER_INSTALLED_INSTANCE]"
Format="raw"
After="GetSQLServerInstalledInstance" />
<util:RegistrySearch Id='GetSQLServerInstallPath'
Variable='SQL_SERVER_INSTALL_PATH'
Root='HKLM'
Key='SOFTWARE\Microsoft\Microsoft SQL Server\[SQL_SERVER_INSTALLED_INSTANCE_NAME]\Setup'
Value="SQLPath"
Format="raw"
After="GetSQLServerInstalledInstanceName" />
<SetProperty Id='SQL_SERVER_FILE_PATH' Value="[SQL_SERVER_INSTALL_PATH]\DATA" After="CostFinalize" Sequence="first" />
In the end, I'm looking for the SQL_SERVER_FILE_PATH property to contain this path. (e.g. C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA)
It's also important that the calls are sequenced so that subsequent calls can contain information derived from previous calls.
I'm still fairly new to WiX, but I could imagine how to do this pretty easily if the SetProperty element allowed a RegistrySearch child element to set its value. Can this be handled by a sequence of CustomActions that would act similar to a SetProperty element that allows a RegistrySearch child element to set its value?
Thanks
I found a simpler method for determining the SQL Server DATA directory path using WiX. For future reference, this was how I solved this:
<Property Id='SQL_SERVER_INSTALL_PATH'>
<RegistrySearch Id='GetSQLServerInstallPath' Root='HKLM'
Key='SOFTWARE\Microsoft\MSSQLServer\Setup'
Name='SQLPath' Type='directory' Win64="yes" />
</Property>
<SetProperty Id='SQL_SERVER_DATA_PATH' Value="[SQL_SERVER_INSTALL_PATH]DATA" After="CostFinalize" Sequence="first" />
Hope this helps others
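As an added example (not code from the question or the answers above), the PowerShell below walks the same registry chain the three RegistrySearch elements in the question do, InstalledInstances, then Instance Names\SQL, then <InstanceId>\Setup\SQLPath, for every installed instance, and also reads MSSQLServer\DefaultData, which is where SQL Server records a relocated default data directory and which a fixed "<SQLPath>\DATA" misses. It assumes it is run from a 64-bit PowerShell so that the native registry view is read, which is the view Win64="yes" selects on a WiX RegistrySearch.

```powershell
# Added example; not code from the question or the answers above. Resolves the DATA directory
# of every installed SQL Server instance via the same registry chain the WiX RegistrySearch
# elements use, and honours a relocated default data directory.
# Assumption: run in 64-bit PowerShell so the native (not WOW6432Node) registry view is read.

function Get-SqlServerDataPath {
    [CmdletBinding()]
    param()

    $base = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

    # REG_MULTI_SZ: one entry per installed instance, e.g. MSSQLSERVER, SQLEXPRESS.
    $instances = (Get-ItemProperty -Path $base -Name InstalledInstances -ErrorAction Stop).InstalledInstances

    foreach ($instance in $instances) {
        # Instance name -> instance id such as MSSQL11.MSSQLSERVER (the folder under the install root).
        $instanceId = (Get-ItemProperty -Path "$base\Instance Names\SQL" -Name $instance).$instance

        # Setup\SQLPath is what the question's third RegistrySearch reads; DATA under it is the default.
        $sqlPath     = (Get-ItemProperty -Path "$base\$instanceId\Setup" -Name SQLPath).SQLPath
        $defaultData = Join-Path $sqlPath 'DATA'

        # If a DBA changed the default data location, SQL Server stores it in MSSQLServer\DefaultData.
        $override = (Get-ItemProperty -Path "$base\$instanceId\MSSQLServer" -Name DefaultData -ErrorAction SilentlyContinue).DefaultData
        $dataPath = if ($override) { $override } else { $defaultData }

        [pscustomobject]@{
            Instance   = $instance
            InstanceId = $instanceId
            DataPath   = $dataPath
            Exists     = Test-Path -LiteralPath $dataPath
        }
    }
}

Get-SqlServerDataPath | Format-Table -AutoSize
```

The Exists column is the check worth keeping: an installer that computes a DATA path from the registry and then writes files there should verify the directory exists, and only if the relocated DefaultData is absent fall back to the installer default under SQLPath.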

How to select only specific active directory groups to sync with Sitecore

Let's say Active Directory has Groups A, B and C.
How do I specify that only Group A syncs to Sitecore?
Thanks for any help! :)
If you just want to get the members of a specific group, you can do this using a customFilter.
If it is for membership, you can add the following under your membership element in the web.config:
<add name="ad"
type="LightLDAP.SitecoreADMembershipProvider"
connectionStringName="ManagersConnString"
applicationName="sitecore"
minRequiredPasswordLength="1"
minRequiredNonalphanumericCharacters="0"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="false"
connectionUsername="user"
connectionPassword="12345"
attributeMapUsername="sAMAccountName"
enableSearchMethods="true"
customFilter="(memberOf=cn=test role 1,OU=CRM,DC=VM)"
/>
Just ensure that you have a connection string configured for your AD, which would be something like: <add name="ManagersConnString" connectionString="LDAP://testsrv/OU=Managers,DC=testdomain,DC=sitecore,DC=net" />
And ensure that your custom filter gets to the specific group you're trying to allow access for. I used LDAP Browser to navigate to my groups using a simple GUI and then copied the path.
See more in the documentation about customFilters in section 4.1.
Try to specify your group in the connection string:
<connectionStrings>
<add name="ManagersConnString"
connectionString="LDAP://testsrv/OU=Managers,DC=testdomain,DC=sitecore,DC=net" />
</connectionStrings>
This example is copied from the Documentation (see chapter 2.1.3). In this example, Managers is just a sample organization unit. But this is a normal LDAP connection string, so you can insert and filter there whatever you want.
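The PowerShell below is an added example and is not code from either answer. It runs the LDAP filter you intend to put into the provider's customFilter attribute against the directory first, so you can confirm it returns exactly the members of the one group you want synced before editing web.config. The LDAP path and group DN are placeholders based on the answers above and must be replaced with your own; the function also shows the nested-membership form of the filter, which is an addition beyond what the answers cover.

```powershell
# Added example; not code from the answers above. Tests an LDAP customFilter against the directory
# so the result set can be checked before the filter goes into the Sitecore membership provider.
# Assumptions: the LDAP path and group DN below are placeholders and must be replaced; the script
# runs as an account that can read the directory.

function Get-AdGroupFilterMembers {
    param(
        [Parameter(Mandatory)] [string] $LdapPath,
        [Parameter(Mandatory)] [string] $GroupDn,
        [switch] $IncludeNested
    )

    # Escape RFC 4515 filter metacharacters so a group name such as "Sales (EMEA)" or an
    # escaped comma inside the DN cannot change the meaning of the filter.
    $escaped = $GroupDn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    # Plain memberOf matches direct members only; the 1.2.840.113556.1.4.1941 matching rule
    # (LDAP_MATCHING_RULE_IN_CHAIN) also resolves membership through nested groups.
    $memberOf = if ($IncludeNested) { "memberOf:1.2.840.113556.1.4.1941:=$escaped" } else { "memberOf=$escaped" }
    $filter   = "(&(objectCategory=person)(objectClass=user)($memberOf))"
    Write-Verbose "Filter: $filter"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($LdapPath)
    $searcher.Filter     = $filter
    $searcher.PageSize   = 500   # paged results, so groups larger than the server size limit come back complete
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')

    foreach ($result in $searcher.FindAll()) {
        $result.Properties['samaccountname'][0]
    }
}

$members = Get-AdGroupFilterMembers -LdapPath 'LDAP://testsrv/OU=Managers,DC=testdomain,DC=sitecore,DC=net' `
                                    -GroupDn  'CN=test role 1,OU=CRM,DC=testdomain,DC=sitecore,DC=net' -Verbose
"{0} user(s) match the filter" -f @($members).Count
$members
```

The filter printed by -Verbose is the string that goes into customFilter. Note that the search base in the connection string scopes the result as well: with LDAP://testsrv/OU=Managers,... only users under that OU are returned even if the group has members elsewhere. Separately, the web.config fragments above hold connectionPassword in clear text; the membership section can be encrypted in place with aspnet_regiis -pef "system.web/membership" <site physical path> so the password is not readable by anyone who can open the file.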

SSRS ReportViewer problems with XML embedded data source

I have C# (WPF) application where I want to display a SSRS report in the ReportViewer control. The local report file has XML datasource embedded in it. The report is displayed correctly when running from SQL Server Business Intelligence Development Studio. But when I run with my app I get the following error:
A data source instance has not been supplied for the data source '...'.
So here is what I'm doing:
I have defined embedded XML data, as explained in this tutorial Defining a Report Dataset from Embedded XML Data. I have a data source called XmlDataSource_TopCustomers and a data set called XmlDataSet_TopCustomers, using that data source. I have referred the data set in a table and a chart. Overall, the RDL looks like this (just the essential, of course):
<Report xmlns="http://schemas.microsoft.com/sqlserver/reporting/2008/01/reportdefinition" xmlns:rd="http://schemas.microsoft.com/SQLServer/reporting/reportdesigner">
<Body>
<ReportItems>
<Tablix Name="Tablix1">
<DataSetName>XmlDataSet_TopCustomers</DataSetName>
</Tablix>
<Chart Name="Chart1">
<DataSetName>XmlDataSet_TopCustomers</DataSetName>
</Chart>
</ReportItems>
</Body>
<DataSources>
<DataSource Name="XmlDataSource_TopCustomers">
<ConnectionProperties>
<DataProvider>XML</DataProvider>
<ConnectString />
</ConnectionProperties>
<rd:SecurityType>None</rd:SecurityType>
<rd:DataSourceID>47833b52-231f-4634-8af4-3c63272b02a7</rd:DataSourceID>
</DataSource>
</DataSources>
<DataSets>
<DataSet Name="XmlDataSet_TopCustomers">
<Query>
<DataSourceName>XmlDataSource_TopCustomers</DataSourceName>
<CommandText><Query>
<ElementPath>Root /CustomerOrder {#CustomerNo, #CustomerName, #OrdersCount (Integer), #Total(Float), #AveragePerOrder(Float)}</ElementPath>
<XmlData>
<Root>
<CustomerOrder CustomerNo="10001" CustomerName="Name 1" OrdersCount="2" Total="5.446740000000000e+003" AveragePerOrder="2.723370000000000e+003" />
<CustomerOrder CustomerNo="10894" CustomerName="Name 2" OrdersCount="5" Total="3.334750000000000e+003" AveragePerOrder="6.669500000000001e+002" />
<CustomerOrder CustomerNo="12980" CustomerName="Name 3" OrdersCount="2" Total="2.003290000000000e+003" AveragePerOrder="1.001645000000000e+003" />
</Root>
</XmlData>
</Query></CommandText>
<rd:UseGenericDesigner>true</rd:UseGenericDesigner>
</Query>
<Fields>...
</DataSets>
<rd:ReportUnitType>Inch</rd:ReportUnitType>
<rd:ReportID>02172db8-2a1d-4c35-9555-b37ee6193544</rd:ReportID>
</Report>
At this point everything works fine from the IDE.
In my C# application, I have a ReportViewer and the following code:
Viewer.LocalReport.ReportPath = @"<actualpath>\TopCustomers.rdl"; // actual path is OK
Viewer.RefreshReport();
And then I get that
A data source instance has not been supplied for the data source 'XmlDataSet_TopCustomers'.
I've seen others having the same problem, but in most of the cases the problem is multiple datasources, which is not the case here, as you can see from the RDL snippet above.
Any suggestions?
The answer to my question can also be found here When to use RDLC over RDL reports? and here http://www.gotreportviewer.com/. It's basically this:
Unlike the Report Server the ReportViewer control does not connect to databases or execute queries. Also, in local mode the only export formats available are Excel, Word and PDF. (In remote mode all formats supported by the Report Server are available.) The ReportViewer control cannot be extended by adding custom renderers or custom report items.
More information can be found here http://msdn.microsoft.com/en-us/library/ms252109(v=vs.80).aspx.
The ReportViewer control, which processes .rdlc files, ignores the <Query> element of RDL. If a report definition contains a query, the control will not process it.
and
When converting a .rdl file to .rdlc format, you must manually replace the data source and query information in the report definition with data constructs provided in your application
So you have to fetch the data explicitly and provide it to the ReportViewer as a ReportDataSource with exactly the same name as the dataset in the RDL file.
I have a small command line app that does something similar, but between defining the report path and doing anything with the report viewer I'm setting a data source for the report to be run against:
report.DataSources.Add(new ReportDataSource("DataSet_for_Distribution", table));
...table is a DataTable.
After that I have no problems programmatically calling the report Render method.
Can you set a break before the render and see what data sources the report actually has?
Another thing to try, and it may just be that you formatted (or Stack formatted) it to post it here, but when I embed an XML data set in a report it is all using a format like this:
<CommandText><Query>
<ElementPath>Root /S {#OrderDate (Date), #TotalDue (Decimal)} /C {#LastName} </ElementPath>
<XmlData>
<Root>
<S OrderDate="2003-07-01T00:00:00" SalesOrderNumber="SO51131" TotalDue="247913.9138">
<C FirstName="Shu" LastName="Ito" />
</S>
<S OrderDate="2003-10-01T00:00:00" SalesOrderNumber="SO55282" TotalDue="227737.7215">
<C FirstName="Shu" LastName="Ito" />
</S>
<S OrderDate="2002-07-01T00:00:00" SalesOrderNumber="SO46616" TotalDue="207058.3754">
<C FirstName="Jae" LastName="Pak" />
</S>
<S OrderDate="2002-08-01T00:00:00" SalesOrderNumber="SO46981" TotalDue="201490.4144">
<C FirstName="Ranjit" LastName="Varkey Chudukatil" />
</S>
<S OrderDate="2002-09-01T00:00:00" SalesOrderNumber="SO47395" TotalDue="198628.3054">
<C FirstName="Michael" LastName="Blythe" />
</S>
</Root>
</XmlData>
</Query></CommandText>
I am not sure from what you have stated if the data source has specified credentials.
This part here:
<ConnectionProperties>
<DataProvider>XML</DataProvider>
<ConnectString />
</ConnectionProperties>
Generally speaking, with SQL data sources, when reports fail to view for others or from applications it is due to the hosting server assuming a different credential than your IDE building the application. It does not know that my name is Brett and that my credentials are running it when calling it remotely. When you specify the credentials on the server hosting the report you can usually get around this. You go into the server hosting the report (I assume you are doing this as you have an 'rdl' report versus an rdlc report), find the data source, click properties, and change the setting to 'use these credentials'. Supply credentials that you know work.
This may fix the issue. I am not certain with Sharepoint connections and XML connections but this is common with viewing issues with SQL Server connections.

Property 'attributeMapFailedPasswordAnswerLockoutTime' cannot be mapped to schema attribute 'lockoutTime' as the attribute is already in use

I am trying to use the ADMembershipProvider to connect to a local ADAM server and I am getting the error in the title. If I remove the enable password reset and the properties it relies on I am able to connect.
I have tried to google it and nothing has come up. Below is my provider config. Any advice would be highly appreciated.
<providers>
<add name="AspNetActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADService"
connectionUsername="[username]"
connectionPassword="[password]"
connectionProtection="Secure"
enableSearchMethods="true"
enablePasswordReset="true"
requiresQuestionAndAnswer="true"
applicationName="/"
description="Default AD connection"
requiresUniqueEmail="true"
clientSearchTimeout="30"
serverSearchTimeout="30"
attributeMapPasswordQuestion="department"
attributeMapPasswordAnswer="division"
attributeMapFailedPasswordAnswerCount="badPwdCount"
attributeMapFailedPasswordAnswerTime="badPasswordTime"
attributeMapFailedPasswordAnswerLockoutTime="lockoutTime"
attributeMapEmail = "mail"
attributeMapUsername = "userPrincipalName"
maxInvalidPasswordAttempts = "5"
passwordAttemptWindow = "10"
passwordAnswerAttemptLockoutDuration = "30"
minRequiredPasswordLength="7"
minRequiredNonalphanumericCharacters="1"/>
</providers>
FYI... The closest thing to a similar result was someone who got this error on a similar attribute and he just restarted the machine. That didn't work for me. I did find this article as well http://blogs.msdn.com/b/dansellers/archive/2005/10/20/483272.aspx but I am struggling to get the LDAP admin to make this change. Especially since we already have those properties.
I finally had the LDAP admin perform the steps in the following link and we are up and running.
http://blogs.msdn.com/b/dansellers/archive/2005/10/20/483272.aspx
