Can we get an option to use an App Registration to send emails rather than SMTP with a username and password?
From a security standpoint, I hear you. The issue here is that sending email via Graph has the same limitations that an actual licensed user has in M365. The daily sending limit is 10K emails. See here.
If you think about an email for detection and maintenance, that means you could only run maintenance on 5K computers per day. This isn’t scalable.
I agree with your points - however I think the option would still be worthwhile. Not everyone is exceeding that limit. It needs to be put as a disclaimer for those who do want to use it.
If you (the MSP) think you’re gonna exceed the limit, that’s on you to acknowledge the disclaimer and use another relay. But personally I’m already using 365 SMTP auth, I’d rather use App Registration.
The last thing I’d want to do is set up that feature and worry about having to “count/calculate emails.” It just doesn’t make sense even for the smaller shops because emails will just quit and no one will know why without someone digging into it, and will most likely generate a support ticket that support can’t do anything about. I totally agree with you @Anthony_Birone.
If ImmyBot had a desktop client that could pop up a message to the user then this would all but remove the need to send emails. And allow user to do like “do your maintenance now, I’m going to lunch” or “not now, I’m about to step into a meeting”, or “Install this software please”.
Or maybe leverage the DeskDirector or CW Automate or other desktop clients that MSPs may already have?
Couldn’t agree more. I’ve been wanting a popup/notification on the endpoint forever!
I’ve been working on a custom version of the existing maintenance consent deployment.
If you have access to our tenant - cast your eyes on “MIT Maintenance Consent From Logged In User”
It’s built in PowerShell using Windows Forms, so it allows for more customisation than the existing one.
The functionality effectively mirrors the existing one at the moment, but the idea is I will embed our logo so it doesn’t look like spam, and maybe even add in delay buttons. Not quite sure yet. It would need a version of “Stop-ImmySession” like “Postpone-ImmySession” where you can specify time to postpone in minutes.
My biggest gripe with it at the moment is the taskbar shows up with a PowerShell icon rather than our logo. I’m sure I’ll get that solved.
I’ve been testing a few things too. My plan is:
- Toast notification asking user what they want to do. Advantage of toast notifications is that they respect if the user is in a call etc
  - Ask me tomorrow (only can do this for maybe 3 days)
  - Ask me again in an hour
  - I will reboot my computer some time today, do it then
  - I will leave my computer on tonight, do it then
  - Do it now
- If there is no user logged in then instead pop up a full screen notification over the login screen with something like a 10 minute countdown to “Do it now?”
- When maintenance starts, put up a full screen “Your computer is performing maintenance and will reboot several times” etc message. Can use esc to close it if something broke and the user needed to log in even though maintenance was ongoing.
  - ImmyBot Task at the start of maintenance installs a scheduled task to run at startup
  - Scheduled task would pop up the maintenance screen
  - ImmyBot Task at the end of maintenance removes the scheduled task
  - Maintenance screen would monitor ImmyBot logs and detect if the session had actually started, and if nothing had happened after (say) 5 minutes, it would declare maintenance complete and remove the scheduled task itself
With the exception of the Toast notification I think I have all the items above solved in PowerShell. BurntToast can’t take the required level of interaction from the user, and I haven’t explored any other Toast solutions yet. Without using a Toast notification I’d need to pop up a window but also detect if the user was presenting in a meeting or on a call etc. This should be doable but not as elegant.
I like these ideas - the main issue I have is how we manage this at scale. Presently ImmyBot will count the “consent popup” task as a running session, even though it’s technically waiting approval.
Now imagine we have 400 devices to run this on at 5 minutes automatic time-out per device, with a device active session limit that 5 minutes waiting really adds up.
It would be nice if the Postpone email functionality was a bit clearer, and if we could somehow leverage it over Metascript rather than having to jerry-rig a solution.
Additionally it would be nice for this to be a thing that runs as part of the schedule like the email does, rather than a maintenance item. If I want to run consent popup for a specific update (e.g. BIOS Updates), I would have to incorporate that into the task.
Yeah you’re right it’s not going to scale.
I think I can do the user side of things in CW Automate, which is built to scale like this. Then Automate can trigger the Maintenance session in ImmyBot, and ImmyBot can do what it does best.
Alternative solution here would be to tap into Azure Comms service for emailer api