How-to guide: Getting started with Microsoft Intune (part 4)
In the last part of our guide “Getting started with Microsoft Intune” we’ll walk you through the process of device configuration in Microsoft Intune.

Part 1 – How to sign up for Microsoft Intune, configure the MDM authority to Intune, and create a custom domain
Part 2 – User and group management in Microsoft Intune, assigning licenses
Part 3 – Setting up a configuration policy, Company Portal and application management in Microsoft Intune

Configuring devices in Microsoft Intune

Now everything is ready to enroll a device in Microsoft Intune. As previously stated, it’s possible to enroll corporate and BYOD devices running various operating systems (Android, iOS, macOS, Windows). Let’s take the enrollment of a Windows device as an example. There are three ways to enroll a Windows device in Intune:

- Automatic enrollment
- CNAME registration
- Windows Autopilot

Automatic enrollment

Automatic enrollment lets users enroll their Windows 10 and Windows 11 devices in Intune. For this, users must add their work account to their BYOD device or join corporate-owned devices to Azure AD. In the background, the device registers with and joins Azure Active Directory. Once registered, Intune manages the device.

To enable automatic enrollment, log in to the Microsoft Endpoint Manager admin center and go to Devices -> Enroll devices -> Windows enrollment -> Automatic Enrollment. Next, configure the MDM user scope and/or MAM user scope:

- None – MDM automatic enrollment is disabled.
- Some – only the selected groups are enabled for automatic enrollment.
- All – all users can automatically enroll their devices.

Once done, click Save.

CNAME

To enroll a Windows device using this method, you must create a DNS alias (a CNAME record) that redirects enrollment requests to the Intune servers. Put differently: without the alias, users trying to connect to Intune have to enter the Intune server name themselves. The first step is to create CNAME DNS resource records for your company’s domain.
For example, for the domain contoso.com, we would create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to enterpriseenrollment-s.manage.microsoft.com. If the company uses more than one UPN suffix, you need to create one CNAME for each domain name and point each of them to EnterpriseEnrollment-s.manage.microsoft.com. For example, users at Contoso use these formats as their email/UPN:

- [email protected]
- [email protected]
- [email protected]

It might take up to 72 hours for the changes to the DNS records to be processed. Once all the changes are processed, verify the CNAME: go to Devices -> Windows -> Windows enrollment -> CNAME Validation. In the Domain box, enter the company’s domain and then choose Test.

Windows Autopilot configuration

Windows Autopilot makes the enrollment of devices simple. With Microsoft Intune and Autopilot, you can hand new devices to end users without building, maintaining and applying custom OS images. The enrollment process with Autopilot consists of three main steps: adding a device, creating an Autopilot device group, and creating an Autopilot deployment profile.

1. Adding a device

First, you have to create a CSV file that identifies the Windows devices and import it into Intune. In the Microsoft Endpoint Manager admin center, go to Devices -> Windows -> Windows enrollment -> Devices (under Windows Autopilot Deployment Program) -> Import. Under Add Windows Autopilot devices, import your CSV file. This can take several minutes. Once the import is complete, go to Devices -> Windows -> Windows enrollment -> Devices (under Windows Autopilot Deployment Program) -> Sync. A message displays that the synchronization is in progress. The process might take some time to complete, depending on how many devices you’re synchronizing.

2. Autopilot device group

The next step is to create a device group and put the Autopilot devices you just added into it. In the Microsoft Endpoint Manager admin center, choose Groups -> New group.
In the Group blade, choose Security for Group type, enter Autopilot Group for Group name, and choose Assigned for Membership type. Afterwards, choose Members, add the Autopilot devices to the group and click Create. To learn more about group management in Microsoft Intune, read this blog.

3. Create an Autopilot deployment profile

Now you must create a deployment profile so that you can configure the Autopilot devices. In the Microsoft Endpoint Manager admin center, go to Devices -> Windows -> Windows enrollment -> Deployment Profiles -> Create Profile.

On the Basics page, enter Autopilot Profile for Name and Test profile for Autopilot devices for Description. Set Convert all targeted devices to Autopilot to Yes. This makes sure that all devices in the list get registered with the Autopilot deployment service. Allow 48 hours for the registration to be processed. Select Next.

On the Out-of-box experience (OOBE) page, for Deployment mode, choose User-driven. Devices with this profile are associated with the user enrolling the device, and user credentials are required to enroll it. In the Join to Azure AD as box, choose Azure AD joined. Configure the following options:

- End-user license agreement (EULA): Hide
- Privacy settings: Show
- User account type: Standard

Click Next.

On the Assignments page, choose Selected groups for Assign to. Choose Select groups to include, then choose Autopilot Group. Select Next.

On the Review + Create page, choose Create to create the profile. Now you can distribute the Windows devices to your users. When they sign in for the first time, Autopilot will automatically enroll and configure their devices.
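Returning to the CNAME section above: the script below is an added example, not part of the original guide or of Intune. It derives the one-CNAME-per-UPN-suffix list the guide calls for and compares it with a snapshot of what the zone actually holds, so that mistakes are found before the 72-hour DNS wait and the CNAME Validation test. The UPNs and the zone snapshot are constructed for the example; in practice the snapshot would come from your DNS provider or a resolver query.

```python
"""Plan the EnterpriseEnrollment CNAMEs for a set of UPN suffixes and check a zone snapshot."""
from typing import Dict, List, Tuple

# Target every enrollment CNAME must point to (from the guide above).
INTUNE_ENROLLMENT_TARGET = "enterpriseenrollment-s.manage.microsoft.com"


def upn_suffixes(upns: List[str]) -> List[str]:
    """Distinct domain suffixes from a list of user UPNs, in first-seen order."""
    seen: List[str] = []
    for upn in upns:
        suffix = upn.split("@", 1)[1].strip().lower().rstrip(".")
        if suffix not in seen:
            seen.append(suffix)
    return seen


def required_cnames(suffixes: List[str]) -> Dict[str, str]:
    """One record per suffix: EnterpriseEnrollment.<suffix> -> Intune target."""
    return {f"enterpriseenrollment.{s}": INTUNE_ENROLLMENT_TARGET for s in suffixes}


def check_zone(required: Dict[str, str], zone: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare required records with a zone snapshot {record name: CNAME target}.
    Names and targets are compared case-insensitively and without trailing dots, as
    DNS does. Returns (record name, problem) pairs; an empty list means all is well."""
    actual = {n.lower().rstrip("."): t.lower().rstrip(".") for n, t in zone.items()}
    problems: List[Tuple[str, str]] = []
    for name, target in required.items():
        found = actual.get(name)
        if found is None:
            problems.append((name, "missing CNAME"))
        elif found != target:
            problems.append((name, f"points to {found}, expected {target}"))
    return problems


# Constructed sample data: three UPN suffixes in use at a fictional Contoso.
SAMPLE_UPNS = ["alice@contoso.com", "bob@us.contoso.com", "carol@contoso.co.uk"]
# Constructed zone snapshot: one correct record, one pointing at the wrong host,
# and no record at all for the third suffix.
SAMPLE_ZONE = {
    "EnterpriseEnrollment.contoso.com.": "enterpriseenrollment-s.manage.microsoft.com.",
    "EnterpriseEnrollment.us.contoso.com": "manage.microsoft.com",
}

if __name__ == "__main__":
    for name, problem in check_zone(required_cnames(upn_suffixes(SAMPLE_UPNS)), SAMPLE_ZONE):
        print(f"{name}: {problem}")
```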
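For step 1 of the Autopilot procedure, the following added example (not from the original guide or from Microsoft) checks a device CSV before it is imported, catching an unexpected header, empty or duplicate serial numbers and hardware hashes that are not base64. The column layout (three mandatory columns, optionally followed by Group Tag and Assigned User) is an assumption stated in the code, and the sample rows are constructed.

```python
import base64
import csv
import io

# Autopilot import CSV layout: three mandatory columns, optionally followed by
# Group Tag and Assigned User in this order (assumed layout for this example).
REQUIRED_COLUMNS = ["Device Serial Number", "Windows Product ID", "Hardware Hash"]
OPTIONAL_COLUMNS = ["Group Tag", "Assigned User"]


def validate_autopilot_csv(text: str) -> list[str]:
    """Return the problems found; an empty list means the file looks importable."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header is None:
        return ["file is empty"]
    header = [h.strip() for h in header]
    extra = header[3:]
    if header[:3] != REQUIRED_COLUMNS or extra != OPTIONAL_COLUMNS[: len(extra)]:
        return [f"unexpected header: {','.join(header)}"]
    problems: list[str] = []
    seen_serials: set[str] = set()
    for line_no, row in enumerate(reader, start=2):
        if not any(cell.strip() for cell in row):
            continue  # blank trailing line, harmless
        if len(row) != len(header):
            problems.append(f"line {line_no}: expected {len(header)} fields, got {len(row)}")
            continue
        serial, hw_hash = row[0].strip(), row[2].strip()
        if not serial:
            problems.append(f"line {line_no}: serial number is empty")
        elif serial in seen_serials:
            problems.append(f"line {line_no}: duplicate serial number {serial}")
        seen_serials.add(serial)
        try:  # a real hardware hash is a few kilobytes of base64; binascii.Error is a ValueError
            if not base64.b64decode(hw_hash, validate=True):
                raise ValueError("empty hash")
        except ValueError:
            problems.append(f"line {line_no}: hardware hash is missing or not base64")
    return problems


# Constructed sample: base64 of "device-one" stands in for a real hardware hash.
FAKE_HASH = "ZGV2aWNlLW9uZQ=="
# Rows: one good, one with an empty serial, one duplicate serial, one bad hash.
SAMPLE_CSV = "\n".join([
    "Device Serial Number,Windows Product ID,Hardware Hash,Group Tag",
    f"SN-0001,PID-CONSTRUCTED,{FAKE_HASH},Finance",
    f",PID-CONSTRUCTED,{FAKE_HASH},Finance",
    f"SN-0001,PID-CONSTRUCTED,{FAKE_HASH},Finance",
    "SN-0004,PID-CONSTRUCTED,not*base64*at*all,Finance",
])
```

Run `validate_autopilot_csv(open("devices.csv").read())` on the real export; an empty result means the header and rows are in the expected shape, nothing more.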
How-to guide: Getting started with Microsoft Intune (part 3)
In this blog, we’re going to talk about how to set up a configuration policy, the Company Portal and application management in Microsoft Intune. We’ve already discussed how to start with Microsoft Intune, and user and group management in Microsoft Intune, including assigning licenses.

Create a compliance policy

The next step is to create device compliance policies for all the devices. A compliance policy in Intune defines the rules and settings that a device must comply with to be considered compliant by Conditional Access. To create a new compliance policy in the Microsoft Endpoint Manager admin center, go to Devices -> Compliance policies on the pane. Then click Create policy and specify the Name, Platform and Settings. Once you’ve configured all the settings, click OK to save the policy. Once the policy is created, you can assign it to devices or users.

Company Portal configuration

The Intune Company Portal gives company employees access to internal applications, resources, and data. As an administrator, you can customize the appearance of your Company Portal app, edit default settings, and create group-targeted policies. To do this, go to the Microsoft Endpoint Manager admin center and select Tenant administration -> Customization. It’s possible to add branding customization elements to the Company Portal, such as:

- Organization name
- Color
- Theme
- Organization logo and name in the header, etc.

Application management in Microsoft Intune

As a Company Portal administrator, you can push, install, uninstall, and make available applications for all the users in the organization. The Company Portal only displays applications relevant to the type of device users are on or the platform they’re using. The Company Portal supports Office 365 apps, Microsoft Store apps, iOS apps, or creating a custom Win32 app for deployment. There are five types of apps that Intune supports adding and managing:
| App type | Installation process | Update |
|---|---|---|
| Store apps (Microsoft Store, App Store, Android store) | Intune installs the app on the device | Automatic |
| Custom app (line-of-business, LOB) | You must supply the installation file, then Intune installs the app on the device | You must update the app yourself |
| Built-in apps | Intune installs the app on the device | Automatic |
| Web apps | A shortcut to the app is created on the device home screen | Automatic |
| Apps from other Microsoft services (Azure AD, Office Online) | Intune creates a shortcut to the app in the Company Portal | Automatic |

In Microsoft Intune, you can modify deployable applications to align them with your organization’s compliance and security policies. Modification options include:

- Restricting copy-and-paste and save-as functions.
- Configuring web links to open inside the Microsoft Edge app.
- Enabling multi-identity use and app-level Conditional Access.

In this way, you can protect your company’s data.

Pro Tip: To save your time, Scappman automates the process of packaging and deploying custom apps.

Intune provides 2GB of cloud-based storage during the trial. With a full subscription, storage is unlimited. Important: LOB apps have a maximum size limit of 8GB per app.

Pro Tip: With Scappman, you can deploy applications of any size.

Add application

To add an application to your Intune portal, log in to the Endpoint Manager admin center. Go to Apps on the pane, then All apps. In the All apps menu, select Add and choose the App type. In this example, we’re going to add a custom LOB app. In Select app type, choose App package file. The .msi, .appx, .appxbundle, .msix, and .msixbundle formats are supported. When the package is uploaded, click OK to add the app. On the App information page, you can enter the following:

- Name
- Description
- Publisher
- App install context
- Commands
- Category
- Information URL (optional)
- Privacy URL (optional)
- Developer (optional)
- Owner (optional)
- Notes (optional)
- Logo

When you’ve finished, click Next.
On the Scope screen, you can determine who can see the app information in Intune. The Assignments tab allows you to assign the app to a group. On the Review + Create tab, you can review all your settings, then click Create at the bottom. When the app is created, you’ll see a confirmation banner. To learn more about how to manage applications in Microsoft Intune and how Scappman can make this process easier, read the article “How to manage private applications in Microsoft Intune?”.
How-to guide: Getting started with Microsoft Intune (part 2)
How to sign up for Microsoft Intune, configure the MDM authority to Intune, and create a custom domain: read here.

User and group management in Microsoft Intune

To manage devices using Intune, you first need to create the users who will use their credentials to connect to Intune. You can create users in the Microsoft 365 admin center or the Microsoft Endpoint Manager admin center. In this example, we’ll create users in Microsoft Endpoint Manager. After signing in to the Azure portal, on the pane, choose Users -> All users -> New user -> Create user. While creating a new user, enter the Username (the name used to sign in to Azure AD), Name (the user’s given name), Job title, Department, Company name, and Location. Here, the user’s password can be auto-generated, or you can choose your own. If you want to assign the user to groups, go to Groups on the pane and select the group you’re assigning to the user. Click Select. By default, the role of the newly created user is User. To assign a new role to the user, select User -> Assigned roles -> Add assignments. In the Directory roles menu, select the role you want to assign to the user and click Select. After completing all these steps, click Select to create the new user in Microsoft Intune.

Creating a new group

You can create groups in the Microsoft Endpoint Manager admin center to organize users and devices by different criteria, such as location, department or hardware characteristics. To create a group in the Microsoft Endpoint Manager admin center, go to Groups on the pane and select New group. There are two types of groups in Microsoft Intune:

- Security group defines who can access the resources in Intune (recommended). Security groups can contain users (e.g., financial department employees) and devices (e.g., all Windows 10 devices).
- Microsoft 365 group provides collaboration opportunities by giving members access to a shared mailbox, calendar, files, SharePoint site, etc. It’s used for collaboration between users, both inside and outside your company.

Enter a Group name and Group description. Then select one of the three Membership types for the group:

- Assigned: you manually add users and devices to the group and remove them from it.
- Dynamic user: users are added to or removed from the group automatically, based on membership rules (e.g., department or location).
- Dynamic device: devices are added to or removed from the group automatically, based on attributes such as device type or OS.

| Group type | Membership types |
|---|---|
| Security group | Assigned, Dynamic user, Dynamic device |
| Microsoft 365 group | Assigned, Dynamic user |

In this menu, you can add the group owner and group members. Besides the authority to add and remove group members, group owners have special permissions to manage the group, such as changing group settings, renaming the group, updating its profile image and description, etc. Members have access to everything in the group, but they cannot change the group settings. To create the group, click Create. Now you can see your group in the list.

Assigning licenses to users in Microsoft Intune

The next step is to assign each user an Intune license (and other licenses if needed) before enrolling their devices. In this example we’ll explain how to assign an Intune license to a user in the Microsoft Endpoint Manager admin center. On the pane, select Users -> All users -> pick a user -> Licenses -> Assignments. Select the Intune box (and any other desired licenses) and click Save. Now you can enroll users’ devices in Intune.