How 2 Docs

How to Disable Windows Recall in Workspace ONE: A Step-by-Step Guide

Securing Your Windows PCs Against Recall Using Workspace ONE UEM

With Windows 11 Copilot+ machines, Microsoft introduced a feature called Recall, designed to create an explorable timeline of your PC’s past actions. While useful for users, Recall has raised privacy concerns, particularly due to its ability to capture sensitive data like passwords and MFA codes.

Why Disable Recall?

Recall captures screenshots of a user’s activity, posing security risks. If malicious actors exploit this, sensitive information could be exposed. This poses a substantial concern for IT admins responsible for securing corporate networks and personal data.

Disabling Recall in Workspace ONE UEM

Step 1: Create a Windows Profile

• Navigate to Devices > Profiles & Resources.

• Select Add Profile, choose Windows Desktop, and configure general settings like profile name and target devices.

Step 2: Add Custom XML to Disable Recall

You will need to create a custom XML profile using SyncML commands that disable the Recall feature on managed Windows devices. Insert the following SyncML commands:

To Disable Recall:

<Replace>
  <CmdID>34e7f8c0-1dd4-42ed-bbcc-07da966bc0e0</CmdID>
  <Item>
    <Target>
      <LocURI>./User/Vendor/MSFT/Policy/Config/WindowsAI/DisableAIDataAnalysis</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">int</Format>
    </Meta>
    <Data>1</Data>
  </Item>
</Replace>

To Re-enable Recall on Profile Removal:

<Delete>
  <CmdID>34e7f8c0-1dd4-42ed-bbcc-07da966bc0e0</CmdID>
  <Item>
    <Target>
      <LocURI>./User/Vendor/MSFT/Policy/Config/WindowsAI/DisableAIDataAnalysis</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">int</Format>
    </Meta>
    <Data>1</Data>
  </Item>
</Delete>

These commands ensure that Recall is disabled on the initial profile installation and that it will revert to default behavior if the profile is removed.

Step 3: Publish the Profile

Save and publish the profile to all applicable devices. Ensure the affected devices are listed as expected. A reboot might be necessary for the changes to take full effect.
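
To confirm on a device that the published profile took effect, the check below reads the policy value for the signed-in user. It is an added example, not part of the original post or of Workspace ONE; the function name Get-RecallPolicyValue and the state labels are hypothetical, and the PolicyManager registry location is an assumption about where Windows stores MDM-delivered user policies, so confirm it on a test device.

```powershell
# Added example (not from the original post): check whether the Recall policy
# delivered by the profile is present for the signed-in user.
# Run in the user's context; under SYSTEM the SID and HKCU below would be SYSTEM's.
$valueName = 'DisableAIDataAnalysis'
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

# Assumption: MDM-delivered user policies are stored under PolicyManager\current\<SID>.
# The second path is where the equivalent Group Policy setting is stored.
$locations = @(
    "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\$sid\WindowsAI",
    'HKCU:\Software\Policies\Microsoft\Windows\WindowsAI'
)

function Get-RecallPolicyValue {
    param([string[]]$Path, [string]$Name)
    foreach ($p in $Path) {
        # A missing key or value returns nothing instead of raising an error
        $props = Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $props) {
            [pscustomobject]@{ Path = $p; Value = [int]$props.$Name }
        }
    }
}

$found = @(Get-RecallPolicyValue -Path $locations -Name $valueName)

if ($found | Where-Object { $_.Value -eq 1 }) {
    $state = 'Disabled'               # <Data>1</Data> from the profile is in effect
} elseif ($found.Count -gt 0) {
    $state = 'ConfiguredNotDisabled'  # the value exists but is not 1
} else {
    $state = 'NotConfigured'          # profile not applied, or removed by the <Delete>
}

Write-Output $state
```

After the profile is removed, the same check should report NotConfigured, which is the revert-to-default behavior the Delete command is there to provide.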

Conclusion

Until Microsoft addresses Recall’s security flaws, disabling this feature using Workspace ONE UEM is a crucial step for organizations prioritizing privacy and security. By following the steps outlined here, IT administrators can ensure their managed devices are protected from potential security risks posed by Recall.

Session Management IS BACK

Optimizing Admin Experience: Changing the Timeout Time on Workspace ONE

In today’s fast-paced digital landscape, ensuring a seamless and efficient user experience is paramount. Workspace ONE, a comprehensive digital workspace platform, allows organizations to manage and secure any app on any device. One critical aspect of user experience in Workspace ONE is the session timeout setting. By customizing the timeout duration, administrators can strike a balance between security and convenience. Here’s how you can change the timeout time on Workspace ONE to optimize your organization’s workflow.

Why Adjust the Timeout Time?

  1. Enhanced Security: Shorter timeout periods can help protect sensitive information by ensuring that unattended sessions are automatically logged out, reducing the risk of unauthorized access.
  2. User Convenience: On the flip side, longer timeout periods can enhance user productivity by minimizing disruptions and the need to frequently log back in.
  3. Compliance: Adjusting the timeout duration can also help meet specific compliance requirements that mandate certain session management practices.

Steps to Change the Timeout Time in Workspace ONE

Changing the session timeout setting in Workspace ONE is a straightforward process. Follow these steps to configure the timeout duration according to your organization’s needs:

  1. Access the Workspace ONE UEM Console:
    Log in to your Workspace ONE UEM console with administrative credentials.
  2. Navigate to the Appropriate Settings:
    Go to Groups & Settings > All Settings > Admin > Console Security > Session Management
  3. Modify Session Timeout:
    Locate the Idle Session Timeout. This setting controls the duration of inactivity before a session is automatically logged out.
  4. Set the Desired Timeout Duration:
    Enter the desired timeout duration in minutes. For example, setting it to 15 minutes will log users out after 15 minutes of inactivity.
  5. Save the Changes:
    Click Save to apply the changes. The new timeout setting will be enforced across all devices managed by Workspace ONE.

Best Practices for Setting Timeout Duration

  1. Assess User Needs:
    Consider the typical workflow and needs of your users. For instance, customer-facing roles might benefit from longer timeout periods, while roles dealing with highly sensitive data might require shorter durations.
  2. Balance Security and Convenience:
    Aim for a timeout period that provides a reasonable balance between security and user convenience. Common timeout durations range from 5 to 30 minutes.
  3. Regular Review:
    Periodically review and adjust the timeout settings as needed to ensure they remain aligned with evolving security policies and user requirements.

Conclusion

Customizing the timeout time in Workspace ONE is a simple yet effective way to enhance both security and admin experience.

Creating a Workspace ONE Sensor to Check Mac Warranty

Managing your organization’s IT assets efficiently includes keeping track of warranty information for devices such as Mac computers. Workspace ONE, a comprehensive, unified endpoint management (UEM) solution by VMware, allows you to create custom sensors to monitor various aspects of your endpoints, including warranty status. In this blog post, we’ll guide you through creating a Workspace ONE sensor to check the warranty status of Mac devices.

Prerequisites

Before we begin, ensure that you have the following prerequisites in place:

  1. Workspace ONE UEM Console: Access to the Workspace ONE UEM console with the necessary permissions to create sensors.
  2. Mac Serial Number: The serial number of the Mac computer for which you want to check the warranty status.

Step 1: Log In to Workspace ONE UEM Console

  1. Log in to your Workspace ONE UEM console using your administrator credentials.

Step 2: Create a New Sensor

2.1. Navigate to “Devices & Users” > “Sensors” in the Workspace ONE UEM console.

2.2. Click on the “+Add” button to create a new sensor.

Step 3: Configure the Sensor

3.1. Give your sensor a descriptive name, such as “Mac Warranty Check.”

3.2. In the “Sensor Type” field, select “Script.”

3.3. In the “Script” field, enter the following script (Bash script to check Mac warranty):

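#!/bin/bash
# Report the warranty coverage end date cached for the console user.

# User currently logged in at the console
currentUser=$(stat -f%Su /dev/console)
ACEplist="/Users/$currentUser/Library/Application Support/com.apple.NewDeviceOutreach/Warranty.plist"

if [ -f "$ACEplist" ]; then
  # Read the coverage end date; it is parsed below as Unix epoch seconds
  endDate=$(/usr/libexec/PlistBuddy -c "Print :coverageEndDate" "$ACEplist" 2>/dev/null)
  # Convert to YYYY-MM-DD; report "Not Found" if the key is missing or not a timestamp
  if date=$(date -j -f %s "$endDate" +%F 2>/dev/null); then
    echo "$date"
  else
    echo "Not Found"
  fi
else
  echo "Not Found"
fi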

Step 4: Assign the Sensor to Mac Devices

4.1. After saving the sensor, go to “Devices & Users” > “Device List View” in the Workspace ONE UEM console.

4.2. Select the Mac devices you want to assign the sensor to.

4.3. Click on “Actions” and choose “More Actions” > “Sensors.”

4.4. Select the “Mac Warranty Check” sensor from the list of available sensors.

4.5. Click “Save” to assign the sensor to the selected Mac devices.

Step 5: View Warranty Status

Now that you’ve assigned the sensor to Mac devices, it will run according to the configured frequency. To view the warranty status:

5.1. Navigate to “Devices & Users” > “Device List View.”

5.2. Select a Mac device from the list.

5.3. Go to the “Sensors” tab in the device details.

5.4. You will see the “Mac Warranty Check” sensor listed with its status.

The sensor will regularly check the warranty status of the assigned Mac devices and provide updates in the Workspace ONE UEM console.

By following these steps, you can efficiently monitor the warranty status of Mac devices within your organization using Workspace ONE. This proactive approach to device management helps ensure that devices are under warranty, reducing the risk of unexpected repair costs and downtime.

How to Disable Copilot in Windows 11 for Enhanced System Performance

Windows 11 introduces several new features aimed at enhancing user experience and productivity. One such feature is Copilot, which offers assistance and suggestions while using the operating system. While Copilot can be helpful, some users may prefer to disable it to free up system resources or for other reasons. In this guide, we’ll walk you through the steps to disable Copilot in Windows 11, either using the Group Policy Editor or the Registry Editor.

Note: The Group Policy Editor method is available in Windows 11 Pro, Enterprise, or Education editions. If you are running one of these editions, you can follow the steps below. If you have a different edition of Windows 11, you can use the Registry Editor method.

Method 1: Using the Group Policy Editor

  1. Press Win + S to open the Windows Search bar.
  2. Type gpedit.msc and press Enter. This will open the Group Policy Editor.
  3. In the Group Policy Editor, navigate to User Configuration > Administrative Templates > Windows Components > Windows Copilot.
  4. Locate the policy named Turn off Windows Copilot. Double-click on it to open its settings.
  5. Select the Enabled option to disable Copilot.
  6. Click Apply and then click OK to save the changes.
  7. Restart your PC to apply the new settings.

Method 2: Using the Registry Editor

  1. Press Win + S to open the Windows Search bar.
  2. Type regedit and press Enter. This will open the Registry Editor.
  3. In the Registry Editor, navigate to the following path:
   HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsCopilot
  4. If you don’t see the WindowsCopilot key, you’ll need to create it. To do this:
    a. Right-click on the Windows key (folder) in the left pane.
    b. Select New > Key and name it WindowsCopilot.
  5. With the WindowsCopilot key selected, right-click in the right pane.
  6. Choose New > DWORD (32-bit) Value and name it TurnOffWindowsCopilot.
  7. Double-click the TurnOffWindowsCopilot entry and set its value to 1.
  8. Click OK to save the value.
  9. Close the Registry Editor.
  10. Restart your PC to apply the changes.
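
The registry edit in Method 2 can also be scripted, which makes it repeatable and lets the result be read back. This is an added example, not part of the original guide; the function name Set-CopilotPolicy and its -Remove switch are hypothetical, and only the key path, value name and value come from the steps above.

```powershell
# Added example (not from the original guide): Method 2 as a script.
# Run as the user whose Copilot should be turned off; HKCU belongs to the account
# running the script. Writing under HKCU\Software\Policies is typically restricted
# to administrators.
function Set-CopilotPolicy {
    param([switch]$Remove)   # hypothetical switch: undo the change

    $key  = 'HKCU:\Software\Policies\Microsoft\Windows\WindowsCopilot'
    $name = 'TurnOffWindowsCopilot'

    if ($Remove) {
        # Delete the value so Windows returns to its default behavior
        Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        return 'Removed'
    }

    # Create the WindowsCopilot key if it does not exist yet
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Create (or overwrite) the DWORD (32-bit) value and set it to 1
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null

    # Read the value back so a failed write is not reported as success
    $actual = (Get-ItemProperty -Path $key -Name $name).$name
    if ($actual -ne 1) { throw "$name is '$actual', expected 1" }
    return "$name = $actual"
}

Set-CopilotPolicy
```

As with the manual steps, restart the PC afterwards for the setting to apply.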

Conclusion:

Whether you want to reclaim system resources or simply prefer not to use Copilot, disabling this feature in Windows 11 is a straightforward process. Follow the method that corresponds to your Windows 11 edition, and you’ll be able to turn off Copilot and enjoy a more customized computing experience.