BLOG Published on 2016/09/11 by Asitha De Silva in Tech-Tips

Windows Intune – Enroll Devices

Windows Intune is a cloud SaaS solution from Microsoft that can manage PCs and mobile devices, whether or not they are connected to the corporate network. When organizations move to mobility, there should be a mechanism to manage and secure employee devices. Windows Intune is an MDM (mobile device management) solution that can be used to deploy corporate applications, updates, malware protection and device security, and to provide a contingency plan, such as a device wipe or a corporate data wipe, if a device is stolen or destroyed. You can get more information and an overview of Intune with the Enterprise Mobility Suite, Intune features and its licensing model (here).

Prerequisites that are not covered in this post:


  1. Purchasing or subscribing to Intune evaluation portal
  2. Configuring Office 365
  3. Configuring Active Directory Sync


Windows Intune has two implementation models: Intune hybrid deployment and Intune standalone deployment. In the standard deployment, all the MDM work is done through the Intune web console; there is no on-premises connectivity, it is pure cloud. In the hybrid model, Intune connects to the on-premises System Center Configuration Manager environment, giving a single management console for on-premises devices and mobile devices.

In both scenarios, each device must be enrolled in Intune before it can be managed. As of today, Intune supports the following devices:


  • Apple iOS 7.1 and later
  • Google Android 4.0 and later (including Samsung KNOX SDK 4.0 and higher)
  • Windows Phone 8.0 and later
  • Windows RT and Windows 8.1 RT
  • PCs running Windows 8.1
  • PCs running Windows 10 (Home, Pro, Education, and Enterprise versions)
  • Mac OS X 10.9 and later



Before enrolling devices, the following key points need to be configured:


  • Set a mobile device management (MDM) authority
  • Configure the Intune Company Portal
  • Enable device enrolment according to the device platform
  • Assign licenses






Set a Mobile Device Management (MDM) Authority

The mobile device management authority is the service that has permission to manage the mobile devices. You can select Intune or Configuration Manager with Intune; it depends on the implementation model you follow, Intune standard or Intune hybrid with on-premises SCCM. Changing the MDM authority is almost impossible. TechNet describes it as something that cannot be changed, but you can change it by opening a support request, which will reset the Intune portal. So it’s better to weigh the pros and cons of the two implementation models and select the best option for your company.


  1. Open Intune portal – http://manage.microsoft.com
  2. Admin – Mobile Device Management 


  3. Click Set Mobile Device Management Authority, here I’m selecting Intune



Enable Device Enrollment – Apple iPhone Devices 

To manage iOS devices, the Intune portal and the device must trust each other. This is achieved by adding an Apple Push Notification (APN) certificate to the Intune portal. This is a straightforward configuration.

Note – when creating an Apple account, create a general account for the organization. The account credentials should be kept on file for future reference and certificate renewal.


  1. Create an Apple account:
    Go to the www.apple.com sign-in page and select I don’t have an apple ID, create one now


  2. Fill the required details and create the account.
  3. Next login to the Intune Portal
  4. Browse Admin – iOS and Mac OS – Upload an APN certificate
  5. Click the first step Download APN certificate and save it to the PC


  6. Then click Apple push certificate portal


  7. Browse the certificate request and click upload


  8. Once the certificate has been created, click download and save it to the local computer.


  9. Go back to the Intune portal and click Upload the APN certificate. Browse to the certificate and fill in the Apple ID to complete the task.


  10. iOS and Mac OS should be ready to enroll
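
A check worth running on the file saved in step 8 before uploading it in step 9, and again ahead of each renewal: Apple push certificates are valid for one year, and this added example (not part of the original post) uses `openssl x509` to confirm the file is a certificate rather than the certificate request from step 5, and to warn before it expires. The function name, the 30-day default and the file name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check an Apple push (APN) certificate file.
# Usage (hypothetical file name): sh check_apn.sh MDM_push_cert.pem 45

# apns_cert_status FILE [WARN_DAYS]
# Prints the subject and expiry date of FILE and returns:
#   0 = valid beyond WARN_DAYS      1 = expires within WARN_DAYS
#   2 = already expired             3 = not a PEM X.509 certificate
apns_cert_status() {
    cert=$1
    warn_days=${2:-30}   # assumed default warning window

    # A certificate request (or any other file) picked by mistake
    # fails to parse as an X.509 certificate.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "ERROR: $cert is not a PEM X.509 certificate" >&2
        return 3
    fi

    # Show what is about to be uploaded.
    openssl x509 -in "$cert" -noout -subject -enddate

    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "EXPIRED: renew with the same Apple ID before uploading" >&2
        return 2
    fi
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((warn_days * 86400)) >/dev/null; then
        echo "WARNING: expires within $warn_days days, schedule renewal" >&2
        return 1
    fi

    echo "OK: valid for more than $warn_days days"
    return 0
}

# Run the check when a file name is passed on the command line.
if [ "$#" -ge 1 ]; then
    apns_cert_status "$@"
fi
```
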


Android devices and Windows 8.1 and above devices do not require any additional configuration to enroll. But if you are enrolling Windows 8 devices, you need to upload a code signing certificate from Symantec.

 














Assign Licenses

You can assign Intune licenses from the Office 365 portal or, if you have EMS licenses, you can use Azure Active Directory.


  1.  Office 365
    Log in to the admin portal, select the user, click Assign licenses, select the license and save.


  2.  Azure Active Directory
    Select the Active Directory, open the licensing tab and click Assign licenses to select the users


Configure Company Portal

To enroll a device, users have to download the Intune Company Portal from their device manufacturer's app store. This app connects to Intune and provides apps, policies and security profiles to the end-user device. The look of this portal can be customized according to the company branding, which helps to provide a familiar and helpful experience for your end users.

 Log in to the Intune portal – Admin – Company portal



How to Enroll Devices – Android

The Intune company app needs to be installed to enroll the device in Intune. The company app is available in the Google Play Store for Android, and for other devices in their app stores. First, download and install it on your Android mobile. It will ask for credentials; provide the Office 365 company credentials and it will enroll the device. The device needs to be compliant with the compliance policy (for example, by setting a PIN code).

Note – This article does not cover implementing Compliance and Configuration policies.


I’m using a Samsung Galaxy Android phone for this demo.



  1. Browse the Google Play Store for the Intune company app and install it


  2. After installation, open the Company Portal. It will ask for credentials; provide the Office 365 username and password.


  3. Continue through the next screens to complete the enrollment.




  4. After completing the enrolment you can access the company apps and policies that have been deployed.




In my next posts I’m hoping to describe creating Email Profiles, Conditional Access and Compliance policies with Windows Intune.

Hope this post is useful


Asitha De Silva



References

https://docs.microsoft.com/en-us/intune/deploy-use/get-ready-to-enroll-devices-in-microsoft-intune


https://docs.microsoft.com/en-us/intune/deploy-use/set-up-ios-and-mac-management-with-microsoft-intune

















Asitha De Silva

Consultant Cloud Solutions

Expert in architecting and implementing cloud-based infrastructure solutions.
