Loads of people requested for a starter kit for Intune as I have one for SCCM 2012 starter kit and SCCM 2012 starter kit page was very useful for the community (I think, that is why people are requesting for the Intune starter Kit). In this page we will be mainly concentrating on Intune standalone (not Intune Hybrid and Office 365 Intune MDM). In most of the cases, no need/very minimal need of on prem infrastructure if you are going with Intune standlone and all the other cloud components like Azure Active Directory, Office 365 etc. I’ll keep adding new things to this page. This is just starting 😉
I started working with Intune in later part of 2012 and Microsoft Intune has evolved during the years and it changes a lot. During 2013, I started a post called “Microsoft Intune Wiki” (most of the links in that post are out dated but it’s worth going through if you want to see how Intune was ?).
We already have a Facebook group for Intune Professionals. If you would like to join the Facebook community of Intune Professionals click here.
What is Microsoft Intune ?
Microsoft Intune is nothing but a combination of Device, Application, Information Protection, Endpoint Protection (antivirus software) and Security/Configuration policy management solution (SaaS) facilitated by Microsoft in Cloud. Additionally, Intune has features where admins can create a “Conditional Access” policy to get access to company resources. If the devices met those conditions then only the Intune will provide access to company or corporate resources (corporate mail, Share point etc…). Previously, I used to mention Microsoft Intune as lighter Version of SCCM or ConfigMgr in cloud. However I don’t want to make it so simple this time. Intune architecture is entirely cloud based and agile. To get more details idea about Intune (Yes, this video is old and out dated in some parts as Intune evolved along with entire Microsoft’s Enterprise Mobility and Security (EMS))
Management Options using Intune?
I’m going to explain in a bit different way. Let me know if this is confusing. We can manage devices with a Intune client agent and arguably without a Intune client agent. For example, Intune company portal application(s) in different app stores like Google Play and Apple Store are Intune client agents. So, when you install Intune company portal on to your Android or iOS devices then you are doing an agent based management. Also, there is Microsoft Intune client MSI available to download once you have a valid Intune subscription. You can download and install it on Windows machines which you wanted to manage. I have an old post (published on Dec 2012) here to help you understand the basic stuff about Intune MSI agent installation. Once you install Intune MSI agent on Windows machines, those machines are “fully managed” by Intune.
So what is arguably agent less Intune management? Within Windows 10, we have “in build – Native” MDM agent as part of operating system. We can enrol Windows 10 devices to Intune using the “in build – Native” MDM agent. In this scenario, we have to use Intune company portal to install applications as shopping cart. So Intune company portal is not acting as Intune agent in native MDM enrolment scenarios. Native MDM managed devices are arguably NOT fully managed devices (at this point of time). I’m sure this will change sooner or later. Windows 10 in build MDM agent can be used to enrol your Windows 10 devices to any other MDM management software VMWare Airwatch, Mobileiron etc…
- Enrolled via Intune company portal
- Enrolled via Installation of Intune MSI client
- Enrolled via Windows 10 1607 and above in build Azure AD join and MDM enrolment
- MAM without MDM enrolment
How to get an Intune account and start working/Testing with Intune ?
Download Microsoft EMS step by step guide from here. This guide will help you to get a trail version of Office 365, Azure AD and Intune subscription for free. If you already have a Azure AD (Azure AD premium) subscription then things are very straight forward as I posted in the blog here. If you don’t have Azure AD subscription then better to start with Enterprise Mobility Suite (EMS) trial account, Azure Free Trail Account (Azure trail account is already created EMS trail account) and Office 365 free trail subscription. To get these trail accounts, it’s better to create NEW outlook.com account and get ready with Credit Card details to activate the Azure trail subscription. Getting a trail version of Azure AD, Office 365 and Intune is very straight forward process if you have never ever done this same process with your credit card and mobile number. Azure AD and Office 365 are prerequisites for Intune if you want to test/trail all the features of Intune.
Note :- Intune can be signed up separately as well from here. If you feel, you are interested to test only Intune now then this is the way.
How to start using Microsoft Intune Console
Once you completed the subscription things and you are able to login to Microsoft Intune (http://manage.microsoft.com/) portal (Silverlight is must for Intune console to work). Internet Explorer with Silverlight plugin is the best internet browser to use Intune console. However Intune console will work on any internet browser which has capability to add Silverlight as plugin. In future, may be, Intune console will work without Silverlight plugin and I would love to see this very soon.
The following documentation is the place where you can start reading about all the Intune topics :- Microsoft documentation Intune quick start guide here.
How to select the MDM authority from Intune console?
For me MDM authority and management option is very important. Please note once you set MDM (Mobile Device Management) authority to Intune in the following place at Intune console then you won’t be able to change it. To change Intune MDM authority, you have to raise a ticket with CSS or service request via Intune/office 365 portal. So be very careful when you click on any links on the following page at Intune console.
What are types of Management Authority we have for Intune?
- Microsoft Intune
- Configuration Manager (SCCM)
- Office 365 (lightweight Intune)
How to start managing Windows/iOS /Android devices with Intune?
Managing Windows devices is very straight forward. Yes, Windows 10 management is very straight forward, earlier we need to have side loading and key SEP certificates to manage/deploy app Windows, Windows phone devices. Now most of these certificates and side loading key requirements have been removed for most of the scenarios. Managing Android devices also very straight forward. It’s 10 minutes work to your sync your Windows Store for Business and Microsoft Intune. More details in the post “Integrate Windows Store for business” here.
If you want to install store apps with out using Microsoft account read the blog post “How to Add Apps to Business Store and Install Intune Company Portal without Using MS Account” here.
However, iOS\MAC OS device management has certificate requirements and we need go to apple portal, upload your cert for the tenant and get the certificate for your Intune tenant. The process for SCCM CB is explained in the following video but the process is similar for Intune as well. More details here Microsoft document specifically for Intune.
How to Deploy MSI applications to Windows PCs using Intune?
Similar to SCCM, Intune can also be used to deploy different kind of applications to different kind of devices. The types of applications which Intune supports now are EXE, MSI (Windows Installer and Windows Installer through MDM), APK, IPA, XAP, APPX – APPXBUNDLE for Windows app package and Windows Phone app package. We can make software or application available to devices via 3 methods.
1. Software Installer – select the type of software you want to install
2. External Link – this can be used for deploying the applications in Google Store via deep linking
3. Managed iOS apps from Apps Store – this can be used to deploy the apps in apple store via deep linking method
Following post will help to understand the process of deploying applications using Intune “How to Deploy Applications and MAM Policies to Mobile Devices Using Intune Part 1” – here. More details about deploying application via Intune is given in the following links here and here.
How to create policies within Intune console?
Creating policies in Intune are one of the other thing important step as part of Intune configuration and device management through Intune. Following are the list of policies which you can create and deploy via Intune. More details in the Microsoft documentation here.
Dynamic CRM Online Conditional Access Policy
Exchange Online Conditional Access Policy
Exchange On-premises Conditional Access Policy
SharePoint Online Conditional Access Policy
Skype for Business Online Conditional Access Policy
MAM Application Policy
MAM Browser Policy
What is the difference between Intune Configuration Policy and Intune Compliance Policy :- In some of the cases you can see similar kind of settings in compliance and configuration policies. So what is the exact difference? Compliance policy works with conditional access policies however configuration policies are independent of conditional access. Compliance policies can deploy ONLY to USERS where as Configuration policy can be deployed to both Devices and Users. Compliance policy won’t force the device for change of configuration at device rather it will wait until device get into compliance stage to provide access to company resources like mail/SharePoint (in case of Conditional access policy is set).Configuration policy forces device or user to change the configuration setting which is mentioned in the policy (arguably not true in all the scenarios).
Following Video will explain you how to create and Deploy Intune Compliance Policies from the console.
What is MAM (Mobile Application Management) policies ?
Mobile Application Management policies are application specific policies which you can setup via Intune. What is the different between configuration, Compliance policies and MAM policies. Configuration and Compliance policies are for entire device it’s applicable for everything in the device. MAM policies will get applied only to the application which it’s associated.
Following post will guide through the process of deploying MAM policies to iOS or Android devices “How to Deploy Applications and MAM Policies to Mobile Devices Using Intune” – here. Microsoft Intune documentation about MAM policy creation here.
What is MAM without MDM enrolment (MAM WE – MAM Less MDM)?
This one another policy type in Intune. What is the difference between MAM with MDM enrolment and MAM without MDM enrolment. This is Mobile Application Management policies without enrolling to Intune. These policies are really helpful in BYOD/personal devices to get the access to corporate mail and SharePoint etc…with securing the corporate data.
Why Intune option is visible in Azure portal (https://portal.azure.com/)? This is good news for SCCM/Intune admins. We are getting new features in Intune. This time it’s Intune MAM (Mobile Application Management) without MDM enrolment. For full management of mobile devices, we need to use the original Intune portal (https://manage.microsoft.com). It was a regular question in forums and others communities that can Intune coexist with other MDM products like Airwatch or Mobile Iron. More details here.
How to Manually Add Users to Intune Console?
How to add users in to Intune console and how to provide permissions to users in Intune console? We don’t have to do this when Intune Silverlight console is migrated to Azure portal?? Before you try to provide service administrator access (Only limited roles available in Intune Silverlight console Full Access, Read-Only access or Helpdesk – Group Node access) to users in Intune, you should make sure the administrator or server administrator user is already available in Intune administrator console. More info here.