Microsoft 365 Device Management otherwise known as InTune, is a very popular and command device management solution you will see in most organizations. The evolution of InTune has moved very quickly with the times and you probably have the correct licenses within your organization but are currently using something like AirWatch. This post is going to dive into my personal tenant where I have configured 365 Device Management for my Android phone. In this post I am going to run through the basics of getting Microsoft 365 Device Management up and running for mobile devices likes phones and tablets. All configuration is based on what is current set within my own environment and may not apply to your organisation.
The Microsoft 365 Device Management dashboard is configurable to your requirements. If there is something on the dashboard you would like to see or not, you can easily edit the page and add in additional tiles as shown below.
You can also create your own Dashboard leaving the defaults as they are;
This section contains all the services that available within the M365 Device Management Portal, as you can some of the options dont know contain a gold star. All this basically means is that the option is not displayed on your left hand panel which is customizable to the options you want to see.
In order to support iOS device Microsoft inTune requires an Apple MDM Push Certificate to manage and support multiple enrollment methods.
Microsoft Intune by default supports all Android devices. Managed Google Play enables management of Work Profile and other Android Enterprise functionality.
Android Enterprise provides 3 additional functions within this selected once Managed Google Play is configured.
Personal devices with work profiles
Corporate-owned dedicated devices
This option allows your corporation to manage manage device owner enrollments for kiosk and task devices using with QR Codes or tokens.
Corporate-owned, fully managed users devices (Preview)
This option is only in Preview currently and more developments are expected. In its current state, end users are able to enroll their corporate-owned devices by sending a company token. You can also use the Zero Touch Portal for auto provisioning deployment, this features apart of the InTune portal but will be coming soon.
In this section we can configure Microsoft Intune enrollment for Windows devices.
This options allows your corporation to configure Automatic Enrollment when a Windows devices join or register with Azure Active Directory. You can configure user scopes for MDM and MAM.
Unsure of the the different between the two?
MDM: addresses lack of control over corporate and personal devices, and lost device security
- Ensures device compliance through user and device registration, configuration on-premises
- Secures devices on the network so you can monitor, report, track and update devices – and even locate, lock and wipe devices, if lost or stolen
MAM: addresses lack of compliance with data and privacy requirements, and lost data retrieval
- User identity policy, single sign-on and conditional access tailored by role and device (with Intune or Active Directory on premises or in the cloud)
- Monitors and pushes app updates, including mobile document management for online or cloud-provisioned apps like SharePoint and OneDrive
Windows Hello for Business
This option allows your corporation to replace password with strong two-factor authentication. Please note: This is a default Windows Hello for Business configuration applied with the lowest priority to all users regardless of group membership. Devices must be Windows 10, Windows 10 Mobile or later to be supported.
This option is a must for all organizations as its removes the need for end user to provide the MDM server address when enrolling this devices.
Enrollment Status Page
This option allows your end user to see the status of how the enrollment process. However, you can also block devices until all apps and profiles are installed.
Windows Autopilot deployment profiles lets you customize the out-of-box experience for your devices
Windows Autopilot lets you customize the out-of-box experience (OOBE) for your users.
Intune connector for Active Directory
This option requires your organisation to download the Intune connector for Active Directory to support the Hybrid connection for Azure AD.
Terms and conditions
This option can be configured with Intune but the look and feel is quite basic as shown below;
However, if you configure Azure AD T&C it gives a better slicker output within your Company Portal.
A device must
Create device categories from which users must choose during device enrollment. You can filter reports and create Azure Active Directory device groups based on device categories
Corporate device identifiers
This option you add devices in based on the IMEI or serial, this can be done manually or via CSV upload.
Device enrollment managers
This option allows certain users to enroll larger quantities of devices. More details can be obtained from https://docs.microsoft.com/en-us/intune/device-enrollment-manager-enroll
This completes Part 1, in Part 2 I will be looking at Device Compliance.
The Author – Blogabout.Cloud