
Merry Christmas everyone!!

Today is Christmas and I finally have some time to focus on a new article I have wanted to write for a while.

A lot of my Microsoft Intune customers in Japan are asking me the same question over and over again: how can I restrict which applications can connect to Office 365? That is a sensible question. Why? Because Intune offers MAM (mobile application management) capabilities for data loss prevention (DLP). As you might know, when you open a corporate document in a MAM-enabled app like Microsoft Word, you can't paste the content of that document into a non-managed app.

Those customers are basically asking me whether it is possible to restrict access to Office 365 to only Microsoft MAM-enabled apps like Microsoft Outlook, Word, Excel, PowerPoint, OneDrive or Intune Managed Browser (check this TechNet link to see all the MAM-enabled apps in Intune).

The short answer is: with Intune alone you can't, but if you have a federated domain with ADFS, there is a solution (not a perfect one) to the problem.

If you have already used ADFS and its claim rules, you know that you can create conditions based on parameters (claims) that the client presents to ADFS. Among the available claims, there is only one that can help you identify the application trying to authenticate to ADFS services: the user agent (x-ms-client-user-agent). By the way, I have done all my testing with ADFS 3.0 (Windows Server 2012 R2), but it should work the same on ADFS 2.0.

Disclaimer: I'm not an ADFS nor a security expert, but I do know that it's not a perfect solution. User agents can change and are not unique to a software vendor. Even though Microsoft apps are all using the same user agent, other non-Microsoft apps could in the future use the same user agent or even spoof the same user agent to be seen as a Microsoft app. So if you implement this solution in production, you should know the risk you are taking.

If you want to restrict Office 365 access based on location of the client, you should take a look at the excellent TechNet article describing the ADFS rules needed to implement that.

Coming back to my user agent story, every app has a user agent. The Microsoft apps on iOS (Outlook, Word, Excel, PowerPoint, OneDrive and Intune Managed Browser) all share the same user agent.

Here’s the user agent of Microsoft Outlook/Word/Excel/PowerPoint/OneDrive/Intune Managed Browser on an iOS 8.4.1 device.

Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H321

And this is an example of user agent of Safari browser on iOS 8.4.1:

Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H321 Safari/600.1.4

Last example is the user agent of Chrome browser on iOS 8.4.1:

Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H321 Safari/600.1.4

You can notice the slight differences between those user agents, right? So an easy way to allow the MS apps' user agent to access Office 365 would be the following claim rule (whitelist approach):

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value == "Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H321"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

As you might notice, there are several variable parts in the above user agent: the form factor of the device (iPhone/iPod/iPad), the iOS version, the WebKit version and the iOS build number. All of these values will change when iOS is updated or when the app itself is updated.

To make sure we are not affected by any of these variable parts, I used a regex (regular expression) that matches only the fixed parts of the string. Here's an example of what an ADFS claim rule looks like with a regex:

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "^Mozilla/5\.0 \((iPhone|iPad|iPod); (CPU|CPU iPhone) (?:OS\s*\d+_\d+(?:_\d+)?\s*)? like Mac OS X\) (?:AppleWebKit/\d+(?:\.\d+(?:\.\d+)?\s*\+?)?\s*)? \(KHTML, like Gecko\) (?:Mobile/\w+\s*)?$"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

Again, I repeat: this is not a perfect solution, but it can help limit access to Office 365 from unwanted applications. Implement this at your own risk.

PS: To find the user agent of an app, I recommend setting the default ADFS rule to deny all access in a lab environment. You also need to enable auditing of ADFS access (follow that article to enable auditing on ADFS). Then, when trying to authenticate to ADFS from an app, you will be denied (as expected), and in the security logs of your ADFS server you will find the user agent of the application!

Additional notes for Android:

It works the same way for Android apps, but there's a difference between the Office apps' user agent and the Intune Managed Browser user agent on this platform.

Microsoft Word for Android user agent:

Mozilla/5.0 (Linux; Android 5.0.1; GT-I9505 Build/LRX22C; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/46.0.2490.76 Mobile Safari/537.36 PKeyAuth/1.0

Intune Managed Browser for Android user agent:

Mozilla/5.0 (Linux; Android 5.0.1; GT-I9505 Build/LRX22C; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/46.0.2490.76 Mobile Safari/537.36
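Before deploying the regex rule above, it is worth exercising the pattern against the user agents quoted in this post. The following PowerShell is an added example (not code from the original post): it runs the claim rule's regex over the iOS and Android strings shown above plus one constructed iPad string, and renders the same pattern into the claim rule text. The function names are my own.

```powershell
# Added example, not part of the original post. Constructed inputs are labelled.
$MsAppsIosPattern = '^Mozilla/5\.0 \((iPhone|iPad|iPod); (CPU|CPU iPhone) (?:OS\s*\d+_\d+(?:_\d+)?\s*)? like Mac OS X\) (?:AppleWebKit/\d+(?:\.\d+(?:\.\d+)?\s*\+?)?\s*)? \(KHTML, like Gecko\) (?:Mobile/\w+\s*)?$'

$UserAgents = [ordered]@{
    'Outlook/Word/Excel/OneDrive, iOS 8.4.1' = 'Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H321'
    'Safari, iOS 8.4.1'                       = 'Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H321 Safari/600.1.4'
    'Chrome, iOS 8.4.1'                       = 'Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H321 Safari/600.1.4'
    'Word, Android 5.0.1'                     = 'Mozilla/5.0 (Linux; Android 5.0.1; GT-I9505 Build/LRX22C; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/46.0.2490.76 Mobile Safari/537.36 PKeyAuth/1.0'
    'Constructed: iPad on a newer iOS build'  = 'Mozilla/5.0 (iPad; CPU OS 9_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13B143'
}

function Test-MsAppUserAgent {
    # True when the string would satisfy the claim rule's "Value =~" test.
    param([Parameter(Mandatory)][string]$UserAgent)
    return [regex]::IsMatch($UserAgent, $MsAppsIosPattern)
}

function New-UserAgentPermitRule {
    # Renders the tested pattern into the claim rule from the post, so the
    # pattern you deploy is exactly the one you exercised here.
    param([Parameter(Mandatory)][string]$Pattern)
    $uaClaimType = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent'
    $permitType  = 'http://schemas.microsoft.com/authorization/claims/permit'
    return "exists([Type == `"$uaClaimType`", Value =~ `"$Pattern`"])`r`n => issue(Type = `"$permitType`", Value = `"true`");"
}

# The iOS Office apps match; Safari, Chrome and the Android app do not, and the
# constructed iPad string shows the pattern surviving a different iOS/WebKit
# build. The check is only a string comparison: any client that presents the
# first string verbatim is permitted too, which is the risk the post describes.
$UserAgents.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Client    = $_.Key
        Permitted = Test-MsAppUserAgent -UserAgent $_.Value
    }
} | Format-Table -AutoSize

New-UserAgentPermitRule -Pattern $MsAppsIosPattern
```

The rule text returned by the last line is what you would place in the issuance authorization rules of the Office 365 relying party trust (Set-AdfsRelyingPartyTrust -IssuanceAuthorizationRules), in a lab first.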


Provider name

WSMan

Drives

WSMan:

Short description

Provides access to Web Services for Management (WS-Management) configuration information.

Detailed description

The WSMan provider for PowerShell lets you add, change, clear, and delete WS-Management configuration data on local or remote computers.

The WSMan provider exposes a PowerShell drive with a directory structure that corresponds to a logical grouping of WS-Management configuration settings. These groupings are known as containers.

Beginning in Windows PowerShell 3.0, the WSMan provider has been updated to support new properties for session configurations, such as OutputBufferingMode. The session configurations appear as items in the Plugin directory of the WSMan: drive and the properties appear as items in each session configuration.

The WSMan provider supports the following cmdlets, which are covered in this article.

Note

You can use commands in the WSMan: drive to change the values of the new properties. However, you cannot use the WSMan: drive in PowerShell 2.0 to change properties that are introduced in Windows PowerShell 3.0. Although no error is generated, the commands are not effective. To change these settings, use the WSMan drive in Windows PowerShell 3.0.

Organization of the WSMan: Drive

  • Client: You can configure various aspects of the WS-Management client. The configuration information is stored in the registry.

  • Service: You can configure various aspects of the WS-Management service. The configuration information is stored in the registry.

    Note

    Service configuration is sometimes referred to as Server configuration.

  • Shell: You can configure various aspects of the WS-Management shell, such as the setting to allow remote shell access (AllowRemoteShellAccess) and the maximum number of concurrent users allowed (MaxConcurrentUsers).

  • Listener: You can create and configure a listener. A listener is a management service that implements the WS-Management protocol to send and to receive messages.

  • Plugin: Plug-ins are loaded and used by the WS-Management service to provide various functions. By default, PowerShell provides three plug-ins:

    • The Event Forwarding plug-in.
    • The Microsoft.PowerShell plug-in.
    • The Windows Management Instrumentation (WMI) Provider plug-in.

    These three plug-ins support event forwarding, configuration, and WMI access.

  • ClientCertificate: You can create and configure a client certificate. A client certificate is used when the WS-Management client is configured to use certificate authentication.

Directory Hierarchy of the WSMan Provider

The directory hierarchy of the WSMan provider for the local computer is as follows.

The directory hierarchy of the WSMan provider for a remote computer is the same as for a local computer. However, in order to access the configuration settings of a remote computer, you need to make a connection to the remote computer using Connect-WSMan. Once a connection is made to a remote computer, the name of the remote computer shows up in the provider.

Navigating the WSMan: Drive

This command uses the Set-Location cmdlet to change the current location to the WSMan: drive.

To return to a file system drive, type the drive name. For example, type.

Navigating to a remote system store location

This command uses the Set-Location command to change the current location to the root location in the remote system store location. Use a backslash (\) or forward slash (/) to indicate a level of the WSMan: drive.

Note

The above command assumes that a connection to the remote system already exists.

Displaying the Contents of the WSMan: Drive

This command uses the Get-ChildItem cmdlet to display the WS-Management stores in the Localhost store location.

If you are in the WSMan: drive, you can omit the drive name.

This command uses the Get-ChildItem cmdlet to display the WS-Management stores in the remote computer 'SERVER01' store location.

Note

The above command assumes that a connection to the remote system already exists.

Setting the value of items in the WSMAN: drive

You can use the Set-Item cmdlet to change configuration settings in the WSMAN drive. The following example sets the TrustedHosts value to accept all hosts with the suffix 'contoso.com'.

The Set-Item cmdlet supports an additional parameter -Concatenate that appends a value instead of changing it. The following example will append a new value '*.domain2.com' to the old value stored in TrustedHosts:
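As an added example (not code from this article), the two Set-Item calls described above wrapped in a function that reads the result back and refuses the catch-all wildcard. It assumes an elevated PowerShell session on a Windows host where the WinRM service is running, so that the WSMan: drive exists; the function names are my own.

```powershell
# Added example, not from the original article.
$TrustedHostsPath = 'WSMan:\localhost\Client\TrustedHosts'

function Get-TrustedHostList {
    # The stored value is a single comma-separated string; return it as an array.
    $raw = (Get-Item -Path $TrustedHostsPath).Value
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    return @($raw -split ',' | ForEach-Object { $_.Trim() })
}

function Add-TrustedHostSuffix {
    param(
        [Parameter(Mandatory)][string]$Suffix,  # e.g. 'contoso.com' becomes '*.contoso.com'
        [switch]$Replace                        # overwrite the list instead of appending
    )
    # TrustedHosts controls which remote names the WinRM client will authenticate
    # to with non-Kerberos methods (NTLM, Basic, CredSSP). A bare '*' lets the
    # client authenticate to any host it is pointed at, so only accept a DNS suffix.
    if ($Suffix -notmatch '^[A-Za-z0-9.-]+$') {
        throw "Refusing TrustedHosts entry for '$Suffix': expected a DNS suffix, not a wildcard"
    }
    $entry = "*.$Suffix"
    if ($Replace) {
        Set-Item -Path $TrustedHostsPath -Value $entry -Force
    } else {
        # -Concatenate is the provider's dynamic parameter: append, do not overwrite.
        Set-Item -Path $TrustedHostsPath -Value $entry -Concatenate -Force
    }
    return Get-TrustedHostList
}

# Replace whatever is configured with the article's first value, then append the second.
Add-TrustedHostSuffix -Suffix 'contoso.com' -Replace | Out-Null
Add-TrustedHostSuffix -Suffix 'domain2.com'
```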

Creating items in the WSMAN: drive

Creating a new listener

The New-Item cmdlet creates items within a provider drive. Each provider has different item types that you can create. In the WSMAN: drive, you can create Listeners which you configure to receive and respond to remote requests. The following command creates a new HTTP listener using the New-Item cmdlet.
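As an added example (not code from this article), the same New-Item call used to create an HTTPS listener bound to a server certificate, which is the form you want on anything reachable from outside a trusted network. It assumes an elevated session and a certificate with a private key in Cert:\LocalMachine\My whose subject CN is the host's FQDN; the function name is my own, and the dynamic parameters used are the ones documented in this article's Dynamic parameters section.

```powershell
# Added example, not from the original article.
function New-WsmanHttpsListener {
    param(
        [Parameter(Mandatory)][string]$HostName,   # FQDN that clients will connect to
        [string]$Address = '*'                     # all adapters, or e.g. 'IP:10.0.0.5'
    )
    # Select the certificate by subject rather than hard-coding a thumbprint.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$HostName*" } |
        Sort-Object -Property NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate for CN=$HostName in Cert:\LocalMachine\My" }

    # Transport, Address, HostName and CertificateThumbprint are the dynamic
    # parameters New-Item accepts inside the Listener container.
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address $Address `
        -HostName $HostName -CertificateThumbprint $cert.Thumbprint -Force | Out-Null

    # Read every listener back so the caller can confirm what is now exposed.
    foreach ($listener in Get-ChildItem -Path WSMan:\localhost\Listener) {
        $props = @{}
        foreach ($item in Get-ChildItem -Path "WSMan:\localhost\Listener\$($listener.Name)") {
            $props[$item.Name] = $item.Value
        }
        [pscustomobject]@{
            Name      = $listener.Name
            Transport = $props['Transport']
            Address   = $props['Address']
            Port      = $props['Port']
            Enabled   = $props['Enabled']
        }
    }
}

New-WsmanHttpsListener -HostName 'server01.contoso.com'
```

Once the HTTPS listener shows up in the returned list, the plain HTTP listener created by the article's command can be removed with Remove-Item on its WSMan:\localhost\Listener\Listener_* path.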

Creating a new plug-in

This command creates (registers) a plug-in for the WS-Management service.

Creating a new resource entry

This command creates a resource entry in the Resources directory of a TestPlugin. This command assumes that a TestPlugin has been created using a separate command.

Creating a new security entry for a resource

This command creates a security entry in the Security directory of Resource_5967683 (a specific resource). This command assumes that the resource entry has been created using a separate command.

Creating a new Client Certificate

This command creates a ClientCertificate entry that can be used by the WS-Management client. The new ClientCertificate will show up under the ClientCertificate directory as 'ClientCertificate_1234567890'. All of the parameters are mandatory. The Issuer needs to be the thumbprint of the issuer's certificate.

Creating a new Initialization Parameter

This command creates an Initialization parameter named 'testparametername' in the 'InitializationParameters' directory. This command assumes that the 'TestPlugin' has been created using a separate command.

Dynamic parameters

Dynamic parameters are cmdlet parameters that are added by a PowerShell provider and are available only when the cmdlet is being used in the provider-enabled drive.

Address <String>

Specifies the address for which this listener was created. The value can be one of the following:

  • The literal string '*'. (The wildcard character (*) makes the command bind all the IP addresses on all the network adapters.)
  • The literal string 'IP:' followed by a valid IP address in either IPv4 dotted-decimal format or in IPv6 cloned-hexadecimal format.
  • The literal string 'MAC:' followed by the MAC address of an adapter. For example: MAC:32-a3-58-90-be-cc.

Note

The Address value is set when creating a Listener.

Cmdlets supported

Capability <Enumeration>

When working with Plug-ins this parameter specifies an operation that is supported on this Uniform Resource Identifier (URI). You have to create one entry for each type of operation that the URI supports. You can specify any valid attributes for a given operation, if the operation supports it.

These attributes include SupportsFiltering and SupportsFragment.

  • Create: Create operations are supported on the URI.
    • The SupportFragment attribute is used if the Create operation supports the concept.
    • The SupportFiltering attribute is NOT valid for Create operations and should be set to 'False'.

    Note

    This operation is not valid for a URI if Shell operations are also supported.

  • Delete: Delete operations are supported on the URI.
    • The SupportFragment attribute is used if the Delete operation supports the concept.
    • The SupportFiltering attribute is NOT valid for Delete operations and should be set to 'False'.

    Note

    This operation is not valid for a URI if Shell operations are also supported.

  • Enumerate: Enumerate operations are supported on the URI.
    • The SupportFragment attribute is NOT supported for Enumerate operations and should be set to False.
    • The SupportFiltering attribute is valid, and if the plug-in supports filtering, this attribute should be set to 'True'.

    Note

    This operation is not valid for a URI if Shell operations are also supported.

  • Get: Get operations are supported on the URI.
    • The SupportFragment attribute is used if the Get operation supports the concept.
    • The SupportFiltering attribute is NOT valid for Get operations and should be set to 'False'.

    Note

    This operation is not valid for a URI if Shell operations are also supported.

  • Invoke: Invoke operations are supported on the URI.
    • The SupportFragment attribute is not supported for Invoke operations and should be set to False.
    • The SupportFiltering attribute is not valid and should be set to 'False'.

    Note

    This operation is not valid for a URI if Shell operations are also supported.

  • Put: Put operations are supported on the URI.
    • The SupportFragment attribute is used if the Put operation supports the concept.
    • The SupportFiltering attribute is not valid for Put operations and should be set to 'False'.

    Note

    This operation is not valid for a URI if Shell operations are also supported.

  • Subscribe: Subscribe operations are supported on the URI.
    • The SupportFragment attribute is not supported for Subscribe operations and should be set to False.
    • The SupportFiltering attribute is not valid for Subscribe operations and should be set to 'False'.

    Note

    This operation is not valid for a URI if Shell operations are also supported.

  • Shell: Shell operations are supported on the URI.
    • The SupportFragment attribute is not supported for Shell operations and should be set to 'False'.
    • The SupportFiltering attribute is not valid for Shell operations and should be set to 'False'.

    Note

    This operation is not valid for a URI if ANY other operation is also supported.

    Note

    If a Shell operation is configured for a URI, Get, Put, Create, Delete, Invoke, and Enumerate operations are processed internally within the WS-Management (WinRM) service to manage shells. As a result, the plug-in cannot handle the operations.

Cmdlets supported

CertificateThumbprint <String>

Specifies the thumbprint of the service certificate.

This value represents the string of two-digit hexadecimal values in the Thumbprint field of the certificate. It specifies the digital public key certificate (X509) of a user account that has permission to perform this action. Certificates are used in client certificate-based authentication. They can be mapped only to local user accounts, and they do not work with domain accounts. To get a certificate thumbprint, use the Get-Item or Get-ChildItem cmdlets in the PowerShell Cert: drive.

Cmdlets supported

Enabled <Boolean>

Specifies whether the listener is enabled or disabled. The default is True.

Cmdlets Supported

FileName (Plugin) <String>

Specifies the file name of the operations plug-in. Any environment variables that are put in this entry will be expanded in the users' context when a request is received. Because each user could have a different version of the same environment variable, each user could have a different plug-in. This entry cannot be blank and must point to a valid plug-in.

Cmdlets Supported

HostName <String>

Specifies the host name of the computer on which the WS-Management (WinRM) service is running.

The value must be a fully qualified domain name, an IPv4 or IPv6 literal string, or a wildcard character.

Cmdlets Supported

Issuer <String>

Specifies the name of the certification authority that issued the certificate.

Cmdlets Supported

Plugin <>

WS-Management plug-ins are native dynamic link libraries (DLLs) that plug in to and extend the functionality of WS-Management. The WS-Management Plug-in API provides functionality that enables a user to write plug-ins by implementing certain APIs for supported resource URIs and operations. After the plug-ins are configured for either the WS-Management (WinRM) service or for Internet Information Services (IIS), the plug-ins are loaded in the WS-Management host or in the IIS host, respectively. Remote requests are routed to these plug-in entry points to perform operations.

Cmdlets Supported

Port <Unsigned Short Integer>

Specifies the TCP port for which this listener is created. You can specify any value from 1 through 65535.

Cmdlets Supported

Resource <String>

Specifies an endpoint that represents a distinct type of management operation or value. A service exposes one or more resources, and some resources can have more than one instance. A management resource is similar to a WMI class or to a database table, and an instance is similar to an instance of the class or to a row in the table. For example, the Win32_LogicalDisk class represents a resource. Win32_LogicalDisk='C:' is a specific instance of the resource.

A Uniform Resource Identifier (URI) contains a prefix and a path to a resource. For example:

https://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_LogicalDisk

http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_NumericSensor

Cmdlets Supported

Resource <String>

Specifies the Uniform Resource Identifier (URI) that identifies a specific type of resource, such as a disk or a process, on a computer.

A URI consists of a prefix and a path to a resource. For example:

https://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_LogicalDisk

http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_NumericSensor

Cmdlets Supported

SDKVersion <String>

Specifies the version of the WS-Management plug-in SDK. The only valid value is 1.

Cmdlets Supported

Subject <String>

Specifies the entity that is identified by the certificate.

Cmdlets Supported

Transport <String>

Specifies the transport to use to send and receive WS-Management protocol requests and responses. The value must be either HTTP or HTTPS.

Note: The Transport value is set when creating a Listener.

Cmdlets Supported

URI <String>

Identifies the URI for which access is authorized based on the value of the Sddl parameter.

Cmdlets Supported

URLPrefix <String>

A URL prefix on which to accept HTTP or HTTPS requests. This is a string containing only the characters [a-z], [A-Z], [0-9], underscore (_) and slash (/). The string must not start with or end with a slash (/). For example, if the computer name is 'SampleComputer', the WS-Management client would specify http://SampleMachine/URLPrefix in the destination address.

Cmdlets Supported

Value <String>

Specifies the value of an initialization parameter, which is a plug-in-specific value that is used to specify configuration options.

Cmdlets Supported

XMLRenderingType <String>

Specifies the format in which XML is passed to plug-ins through the WSMAN_DATA object. The following are valid values:

  • Text: Incoming XML data is contained in a WSMAN_DATA_TYPE_TEXT structure, which represents the XML as a PCWSTR memory buffer.
  • XMLReader: Incoming XML data is contained in a WSMAN_DATA_TYPE_WS_XML_READER structure, which represents the XML as an XmlReader object, which is defined in the 'WebServices.h' header file.

Cmdlets Supported

Using the pipeline


Provider cmdlets accept pipeline input. You can use the pipeline to simplify tasks by sending provider data from one cmdlet to another provider cmdlet. To read more about how to use the pipeline with provider cmdlets, see the cmdlet references provided throughout this article.

Getting help


Beginning in Windows PowerShell 3.0, you can get customized help topics for provider cmdlets that explain how those cmdlets behave in a file system drive.

To get the help topics that are customized for the file system drive, run a Get-Help command in a file system drive or use the -Path parameter of Get-Help to specify a file system drive.
