Software Update Policy Rings in Intune MEM

Let’s see how to configure Software Update Policy Rings in Intune MEM. How do you set up Windows 10 Software Update Policy Rings in Intune?

Managing software updates for Windows 10 with Intune is straightforward, but there is a catch: you can’t expect the granular controls you have with SCCM/ConfigMgr. We must configure the Windows Software update policy and deploy that policy to Windows 10 devices.

I have an updated post on Intune monthly patching guide, troubleshooting, etc. Cloud PC Monthly Patching Process Using Intune. Another guide on Intune patching – Software Update Patching Options With Intune Setup Guide (anoopcnair.com)

Windows 10 devices will receive software updates directly from Microsoft Update services. Unlike SCCM, there is no need to download the updates, create a package, and deploy them to the devices (as seen in this video post here).

Windows Update for Business will give us more options to configure and control the behavior of Windows 10 updates and Servicing. Update:- FIX CBB Ring Devices are Getting Windows 10 CB (SAC-T) Updates Intune Windows 10 Update Rings.

Intune Video Software Update Rings Setup Design Decisions

This video guide is about Software Update Policy Rings in Intune MEM. It explains how to set up and manage these policy rings to control when and how updates are applied to your devices. This guide will teach you to update and secure your devices using Intune MEM.

Software Update Policy Rings in Intune MEM – Video 1

Software Update Policy Rings in Intune MEM

We have an out-of-the-box Software Update (Automatic Update) policy as part of the Intune Silverlight portal configuration policy. However, I have noticed that this policy has stopped working in the last few months. Now, there are two options to control the behavior of Windows 10 updates and Windows servicing.

If your Silverlight portal has not yet been migrated to the MEM portal, the first choice is to use custom policies in the Intune Silverlight portal. I have a post here about Intune Silverlight migration blockers.

The second choice is to control Windows Update for business via the Software Updates button in the Intune blade in the MEM portal. We will cover this in this post.

Software Update Policy Rings in Intune MEM – Fig.1

Basic Test Rings for Windows 10 Software Update

As a fundamental requirement, you may need to create at least two Windows 10 Software Update Policy Rings for your organization. One Windows 10 update ring is for Windows 10 machines on the Current Branch (CB).

The second Windows 10 update ring is for Windows 10 machines in the Current Branch for Business (CBB). Windows 10 update rings evolve as you progress with your organization’s testing and development. But this is the first stage of your testing of Software update deployments.

  • Windows 10 CB Update Ring – All the devices on the Current Branch
  • Windows 10 CBB Update Ring – All the devices on the Current Branch for Business

Pilot and Production Rings for Windows 10 or Windows 11 Servicing

Another recommendation is to create different Windows 10 Software Update Policy Rings for deferrals of Windows 10 servicing branches CB and CBB. The rings can be delayed for a maximum of 30 days.

These two update rings would help with the latest Windows 10 CB/CBB servicing updates (e.g., upgrading from 1607 to 1703) with some pilot devices rather than simultaneously deploying servicing updates to all the devices.

During the CB pilot testing, if you find any problems with the upgrade and don’t want to deploy the update to the CBB ring, you can PAUSE the updates for the production ring.

  • Pilot Windows 10 CBB Updates Ring – Pilot servicing ring for CBB
  • Production Windows 10 CBB Updates Ring – Production servicing ring for CBB
  • Pilot Windows 10 CB Updates Ring – Pilot servicing ring for CB
  • Production Windows 10 CB Updates Ring – Production servicing ring for CB

Pilot and Production Rings for Windows 10 or Windows 11 Monthly Security Patches

I would also recommend creating different Windows 10 Software Update Policy Rings for Windows 10 CBB  and Windows 10 CB quality updates (monthly security and other patches). So, Windows 10 CBB machines will have a minimum of 2 rings.

One ring is for the pilot machines running Windows 10 CBB, and the second ring is for the production machines running Windows 10 CBB. The same applies to Windows 10 CB devices, and the CB machines should also have two rings.

  • Pilot Windows 10 CB Quality Updates Ring – Monthly patch pilot ring
  • Production Windows 10 CB Quality Updates Ring – Monthly patch production ring
  • Pilot Windows 10 CBB Quality Updates Ring – Monthly patch pilot ring
  • Production Windows 10 CBB Quality Updates Ring – Monthly patch production ring
Software Update Policy Rings in Intune MEM – Fig.2

How to Create Advanced Windows 10 Software Update Rings?

There could be other, more complex scenarios for Windows 10 Software Update Policy Rings. These rings could depend purely on the requirements of your organization’s region or business group. Some of the other essential options you have in Windows 10 Software Update Policy Rings are:

  • Windows 10 Automatic update behavior – How do you want updates to be scanned for, downloaded, and installed, and which scheduling options for Windows updates do you want?
  • Do you want to update Windows 10 drivers as part of your patch deployment rings?
  • What kind of Delivery optimization (Build a caching solution with Windows 10) do you want to use?
Delivery Optimization Download Mode: HTTP blended with peering behind same NAT (Software Update Policy Rings in Intune MEM – Table 1)
Software Update Policy Rings in Intune MEM – Fig.3
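The eight rings named in the sections above (pilot and production, for CB and CBB, for servicing and for quality updates), as an added example that is not code from the original post: it builds the Microsoft Graph windowsUpdateForBusinessConfiguration body for each ring, including the pause switch described for a failed pilot and the advanced options (automatic update behavior, drivers, Delivery Optimization mode from Table 1), and validates the plan before anything is submitted. The Graph property and enum names are real; the ring layout, the sample deferral values and the validation rules are assumptions.

```python
"""Ring plan for the pilot/production layout described in the post (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_DEFERRAL_DAYS = 30   # the deferral cap the post quotes for these rings


@dataclass(frozen=True)
class Ring:
    name: str
    branch: str           # "CB" or "CBB": which servicing branch the devices run
    kind: str             # "servicing" (feature updates) or "quality" (monthly patches)
    stage: str            # "pilot" or "production"
    deferral_days: int    # how long this ring holds the update back
    paused: bool = False  # set on a production ring when the pilot found problems


def to_graph_payload(ring: Ring) -> Dict[str, object]:
    """Map one ring onto the Graph windowsUpdateForBusinessConfiguration resource."""
    servicing = ring.kind == "servicing"
    return {
        "@odata.type": "#microsoft.graph.windowsUpdateForBusinessConfiguration",
        "displayName": ring.name,
        # CB devices take every release; CBB devices take business-ready releases only.
        "businessReadyUpdatesOnly": "all" if ring.branch == "CB" else "businessReadyOnly",
        "featureUpdatesDeferralPeriodInDays": ring.deferral_days if servicing else 0,
        "qualityUpdatesDeferralPeriodInDays": 0 if servicing else ring.deferral_days,
        "featureUpdatesPaused": ring.paused and servicing,
        "qualityUpdatesPaused": ring.paused and not servicing,
        # The three "advanced" choices from the post: scan/download/install behaviour,
        # whether drivers ride along, and the Delivery Optimization mode from Table 1.
        "automaticUpdateMode": "autoInstallAtMaintenanceTime",
        "driversExcluded": False,
        "deliveryOptimizationMode": "httpWithPeeringNat",
    }


def validate_plan(rings: List[Ring]) -> List[str]:
    """Return the problems a reviewer would flag in a ring plan (empty list = OK)."""
    problems: List[str] = []
    index: Dict[Tuple[str, str, str], Ring] = {(r.branch, r.kind, r.stage): r for r in rings}
    for r in rings:
        if not 0 <= r.deferral_days <= MAX_DEFERRAL_DAYS:
            problems.append(f"{r.name}: deferral {r.deferral_days} outside 0..{MAX_DEFERRAL_DAYS}")
        if r.paused and r.stage != "production":
            problems.append(f"{r.name}: only production rings should be paused")
    for branch in ("CB", "CBB"):
        for kind in ("servicing", "quality"):
            pilot: Optional[Ring] = index.get((branch, kind, "pilot"))
            prod: Optional[Ring] = index.get((branch, kind, "production"))
            if pilot is None or prod is None:
                problems.append(f"{branch} {kind}: needs both a pilot and a production ring")
            elif prod.deferral_days <= pilot.deferral_days:
                problems.append(f"{branch} {kind}: production must defer longer than pilot")
    return problems


def build_plan(pause_cbb_production: bool = False) -> List[Ring]:
    """The eight rings named in the post, with sample deferral values (ours)."""
    rings: List[Ring] = []
    for branch in ("CB", "CBB"):
        for kind in ("servicing", "quality"):
            label = "Updates" if kind == "servicing" else "Quality Updates"
            rings.append(Ring(f"Pilot Windows 10 {branch} {label} Ring", branch, kind, "pilot", 0))
            # The post's scenario: the CB pilot found a problem, so hold the CBB production servicing ring.
            paused = pause_cbb_production and branch == "CBB" and kind == "servicing"
            rings.append(Ring(f"Production Windows 10 {branch} {label} Ring", branch, kind, "production", 14, paused))
    return rings


if __name__ == "__main__":
    plan = build_plan(pause_cbb_production=True)
    print("plan problems:", validate_plan(plan) or "none")
    for ring in plan:
        body = to_graph_payload(ring)
        print(body["displayName"], "paused:", body["featureUpdatesPaused"] or body["qualityUpdatesPaused"])
```

Submitting each body is a POST to the deviceManagement/deviceConfigurations endpoint followed by an assign call to the ring's group; that part is left out so the block runs offline.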

Deployment – Assignment of Windows 10 Software Update Rings

Windows 10 Software Update Policy Ring deployments/assignments are critical decisions. I recommend using dynamic device groups wherever possible, but at the moment, this is not possible for all scenarios. In some scenarios, we need to use static device/user groups. I hope Microsoft will develop assignment exclusion group options (similar to AAD Conditional Access policies).

Exclusion groups would be instrumental in Software Update ring deployment scenarios. For example, you may want to exclude pilot devices from the production software update ring deployments, which is impossible without exclusion options.


Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and leader of the Local User Group HTMD Community. His main focus is Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.


How to Plan Design Intune Compliance Policy for Android Devices

Let’s discuss planning and designing an Intune Compliance Policy for Android Devices. This post will provide more details about planning and implementing the policy.

Intune compliance policies are the first step of protection before giving access to corporate apps and data. Planning and designing compliance policies for Android devices is essential, as Android is more vulnerable than other operating systems.

Compliance policies and rules might include using a password/PIN to access devices and encrypting data stored on devices. Such a set of rules is called a compliance policy. The best option is to use a compliance policy with Azure AD Conditional Access.

Update: If you use or support Android for Work enrollment, create the compliance policy for the Android for Work platform. Otherwise, the Android compliance policy will evaluate your Android for Work-enrolled devices and report that the policy does not apply to them.

How to Setup Intune Compliance Policies for Android

This video guide shows you how to set up Intune compliance policies for Android devices. It provides easy-to-follow instructions for creating policies that ensure your devices meet security standards before accessing company apps and data.

How to Plan Design Intune Compliance Policy for Android Devices – Video 1

How to Set Up the Intune Compliance Policy for Android Devices

How to Plan Design Intune Compliance Policy for Android Devices – Fig.1

Sign in to the Intune portal with an Intune admin access account. Select More services, enter Intune in the text box, and select Enter.

  • Select Intune – Device Compliance – Compliance Policies, and click the +Create policy button to create a new compliance policy. Select the platform “Android”.
  • Settings configurations are significant for compliance policy. There are some improvements in Azure portal Android compliance policies. Android compliance policies have three categories: Device Health, Device Properties, and System Security.
  • Device Health is where the compliance engine checks whether Android devices are reported as healthy. The device health attestation service has many checks, including TPM 2.0 and BitLocker encryption.
  • Device Properties is where Intune Admins define minimum and maximum versions of operating system details for corporate application access. I would keep the minimum version as Android version 6 wherever possible.
    • Operating System Version
    • Minimum Android OS version
    • Maximum Android OS version
  • System Security is the setting where Intune Admins define password policies for Windows devices. These settings have three sections: Password, Encryption, and Device Security.
How to Plan Design Intune Compliance Policy for Android Devices – Fig.2

Password Compliance Policy for Android – I would require a complex alphanumeric password for Android devices and configure all of the password settings listed below.

Password Compliance Policy for Android settings:
  • Require a password to unlock mobile devices
  • Minimum password length
  • Required password type
  • Maximum minutes of inactivity before the password is required
  • Password expiration (days)
  • Number of previous passwords to prevent reuse
How to Plan Design Intune Compliance Policy for Android Devices – Table 1

Encryption Compliance Policy for Android – Encryption should be a must in your Android compliance policy: require encryption of data storage on the device. Device Security Compliance Policy for Android – Block apps from unknown sources and block USB debugging on Android devices. These settings are essential and should be enabled:

  • Block apps from unknown sources
  • Require threat scan on apps
  • Block USB debugging on the device
  • Minimum security patch level

Deploy the Android Compliance Policy to the dynamic device group containing all Android devices (Update: Device Groups are not supported for compliance policies; hence, use user groups for Intune compliance policies). Click on Assignment and select the dynamic device group. I would use AAD dynamic device groups rather than AAD user groups to deploy compliance policies.

How to Plan Design Intune Compliance Policy for Android Devices – Fig.3
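The Android compliance rules described above, as an added example (not the post's or Intune's code): POLICY uses the real Graph androidCompliancePolicy property names for the settings the post recommends (minimum Android 6, alphanumeric password, encryption, unknown sources, threat scan, USB debugging, patch level), and a small evaluator applies the same rules locally to constructed device reports so you can see which devices Conditional Access would block and why. The setting values, the evaluator, the device field names and the device reports are assumptions.

```python
"""Local evaluation of the Android compliance settings from the post (added example)."""
from typing import Dict, List, Tuple

POLICY: Dict[str, object] = {
    "@odata.type": "#microsoft.graph.androidCompliancePolicy",
    "displayName": "Android Compliance Policy (example)",
    "osMinimumVersion": "6.0",                      # post: keep the minimum at Android 6
    "passwordRequired": True,                       # post: require a password to unlock
    "passwordRequiredType": "alphanumeric",         # post: complex alphanumeric password
    "passwordMinimumLength": 6,                     # sample value (ours)
    "storageRequireEncryption": True,               # post: encryption is a must
    "securityPreventInstallAppsFromUnknownSources": True,
    "securityRequireVerifyApps": True,              # "Require threat scan on apps"
    "securityDisableUsbDebugging": True,
    "minAndroidSecurityPatchLevel": "2017-03-01",   # sample value (ours), ISO date
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'6.0.1' -> (6, 0, 1): compare numerically, because '10.0' < '6.0' as text."""
    return tuple(int(part) for part in version.split("."))


def evaluate(device: Dict[str, object], policy: Dict[str, object] = POLICY) -> List[str]:
    """Return the policy settings the device fails (empty list = compliant)."""
    failed: List[str] = []
    if parse_version(device["osVersion"]) < parse_version(policy["osMinimumVersion"]):
        failed.append("osMinimumVersion")
    if policy["passwordRequired"]:
        if not device["passwordSet"]:
            failed.append("passwordRequired")
        else:
            if device["passwordType"] != policy["passwordRequiredType"]:
                failed.append("passwordRequiredType")
            if device["passwordLength"] < policy["passwordMinimumLength"]:
                failed.append("passwordMinimumLength")
    if policy["storageRequireEncryption"] and not device["storageEncrypted"]:
        failed.append("storageRequireEncryption")
    if policy["securityPreventInstallAppsFromUnknownSources"] and device["unknownSourcesAllowed"]:
        failed.append("securityPreventInstallAppsFromUnknownSources")
    if policy["securityRequireVerifyApps"] and not device["verifyAppsEnabled"]:
        failed.append("securityRequireVerifyApps")
    if policy["securityDisableUsbDebugging"] and device["usbDebuggingEnabled"]:
        failed.append("securityDisableUsbDebugging")
    # Patch levels are YYYY-MM-DD strings, so plain string comparison is date order.
    if device["securityPatchLevel"] < policy["minAndroidSecurityPatchLevel"]:
        failed.append("minAndroidSecurityPatchLevel")
    return failed


# Constructed device reports (not real telemetry); field names are ours.
DEVICES: Dict[str, Dict[str, object]] = {
    "managed-ok": {
        "osVersion": "7.1.1", "passwordSet": True, "passwordType": "alphanumeric",
        "passwordLength": 8, "storageEncrypted": True, "unknownSourcesAllowed": False,
        "verifyAppsEnabled": True, "usbDebuggingEnabled": False,
        "securityPatchLevel": "2017-03-05",
    },
    "dev-phone": {
        "osVersion": "6.0.1", "passwordSet": True, "passwordType": "numeric",
        "passwordLength": 4, "storageEncrypted": True, "unknownSourcesAllowed": True,
        "verifyAppsEnabled": True, "usbDebuggingEnabled": True,
        "securityPatchLevel": "2016-11-01",
    },
    "legacy": {
        "osVersion": "5.1", "passwordSet": False, "passwordType": None,
        "passwordLength": 0, "storageEncrypted": False, "unknownSourcesAllowed": False,
        "verifyAppsEnabled": False, "usbDebuggingEnabled": False,
        "securityPatchLevel": "2016-01-01",
    },
}


def report() -> Dict[str, List[str]]:
    """Evaluate every constructed device; Conditional Access would block any with failures."""
    return {name: evaluate(dev) for name, dev in DEVICES.items()}


if __name__ == "__main__":
    for name, failed in report().items():
        print(f"{name}: {'compliant' if not failed else 'non-compliant: ' + ', '.join(failed)}")
```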


How to Setup Intune Compliance Policy for Windows 10 Devices

Let’s discuss setting up an Intune Compliance Policy for Windows 10 Devices. This post will show how to do so. Managing Windows 10 devices is critical in modern device management.

Intune compliance policies are the initial safeguard in securing access to corporate applications. These policies help ensure that devices meet predefined security and compliance standards, preventing unauthorized or non-compliant devices from accessing sensitive corporate resources.

The Intune Compliance Policy for Windows 10 helps protect company data. The organization must ensure that the devices that access company apps and data comply with specific rules. These rules might include using a password/PIN to access devices and encrypting data stored on devices.

Such a set of rules is called a compliance policy. The best option is to use a compliance policy with Azure AD Conditional Access.

How to Setup Intune Compliance Policies for Windows 10

This video guide shows you how to set up Intune compliance policies for Windows 10. It walks you through each step clearly and simply, making it easy to follow.

How to Setup Intune Compliance Policy for Windows 10 Devices – Video 1

How to Setup Intune Compliance Policy for Windows 10 Devices

Sign in to the MEM portal with an Intune admin access account. Select More services, enter Intune in the text box, and then select Enter.

How to Setup Intune Compliance Policy for Windows 10 Devices – Fig.1

Select Intune – Device Compliance – Compliance Policies, and click on the +Create policy button to create a new compliance policy. Select the platform “Windows 10.” Settings configurations are very important for compliance policies. There have been some improvements in Azure portal Windows 10 compliance policies.

The three categories in Windows 10 compliance policies are:

  • Device Health
  • Device Properties
  • System Security
How to Setup Intune Compliance Policy for Windows 10 Devices – Table 1
How to Setup Intune Compliance Policy for Windows 10 Devices – Fig.2

Device Health is the setting where the compliance engine checks whether Windows 10 devices are reported as healthy by the Windows Device Health Attestation Service (HAS). The device health attestation service includes many checks, such as TPM 2.0 (the requirement for the latest build of Windows 10 is TPM 1.0), BitLocker encryption, etc.

  • Device Properties is the setting where Intune Admins define the minimum and maximum operating system versions for corporate application access. Operating System Version:
    • Minimum OS version
    • Maximum OS version
    • Minimum OS version for mobile devices
    • Maximum OS version for mobile devices

System Security is the setting where Intune Admins define password policies for Windows devices. These settings have two sections: Password and Encryption.

Password Policy – We don’t need to set the Windows password policy here if you already use “Windows Hello for Business.”

  • Require a password to unlock mobile devices
  • Simple passwords
  • Password type (Device default, Alphanumeric, Numeric)
  • Minimum password length
  • Maximum minutes of inactivity before the password is required
  • Password expiration (days)
  • Number of previous passwords to prevent reuse
  • A password is required when the device returns from an idle state (mobile only)

Encryption – If you have enabled HAS in the above policy, you don’t need to enable this encryption policy.

  • Encryption of data storage on a device
How to Setup Intune Compliance Policy for Windows 10 Devices – Fig.3

Deploy the Windows 10 compliance policy to the dynamic device group containing all Windows devices. (Update: Device Groups are not supported for compliance policies; hence, use user groups for Intune compliance policies.)

  • Click on Assignment and select the dynamic device group.
  • I would use AAD dynamic device groups rather than user groups to deploy compliance policies.
How to Setup Intune Compliance Policy for Windows 10 Devices – Fig.4


How to Setup Intune Compliance Policy for iOS Devices

Let’s discuss setting up an Intune Compliance Policy for iOS Devices. This post will explain how to do so. An Intune Compliance Policy ensures that iOS devices accessing company data meet specific security standards.

Enforcing these policies can help protect your organization’s data from unauthorized access and potential security threats. The organization must ensure that the devices that access company apps and data comply with specific rules.

These rules might include using a password/PIN to access devices and encrypting data stored on devices. Such a set of rules is called a compliance policy. The best option is to use a compliance policy with Azure AD Conditional Access.

A compliance policy is a set of guidelines that devices must meet to access organizational resources. It ensures that only secure and compliant devices can access company data, reducing the risk of data breaches or unauthorized access.

How to Setup Intune Compliance Policies for iOS

In this video, you will learn all the details on how to set up Intune compliance policies for iOS devices. We’ll guide you through creating and configuring these policies to ensure your company’s data remains secure.

How to Setup Intune Compliance Policy for iOS Devices – Video 1

How Do you Set up the Intune Compliance Policy for iOS?

Sign in to the Azure portal with an Intune admin access account. Select More services, enter Intune in the text box, and select Enter. Select Intune – Device Compliance – Compliance Policies, and click the +Create policy button to create a new compliance policy. Select the platform “iOS”.

  1. Settings configurations are significant for compliance policy. In terms of password settings, Azure portal iOS compliance policies have improved.
  2. iOS compliance policies have four categories: Email, Device Health, Device Properties, and System Security.
  3. Email settings require mobile devices to have a managed email profile to access corporate resources.
  4. The Device Health setting checks whether the device is jailbroken. If the iOS device is jailbroken, it won’t get mail access.
  5. The Device Properties setting checks the OS version of the device against the minimum iOS version.
  6. The System Security setting is based mainly on password settings. There are some improvements over the Intune Silverlight portal here. We can have the option not to configure some of the settings, like “Number of non-alphanumeric characters in password.” This was not possible with the Intune Silverlight portal.
iOS System Security password settings:
  • Require a password to unlock mobile devices
  • Simple passwords
  • Minimum password length
  • Required password type (Not Configured, Alphanumeric, Numeric)
  • Number of non-alphanumeric characters in the password
  • Maximum minutes of inactivity before a password is required
  • Password expiration (days)
  • Number of previous passwords to prevent reuse
How to Setup Intune Compliance Policy for iOS Devices – Table 1

Deploy the Intune Compliance Policy for iOS to the dynamic device group containing all iOS devices. Click on Assignment and select the dynamic device group. I would use AAD dynamic device groups rather than AAD user groups to deploy compliance policies.

(Update: Device Groups are not supported for compliance policies; hence, use user groups for Intune compliance policies.)

How to Setup Intune Compliance Policy for iOS Devices – Fig.1


Intune Android Device Support for Google Android for Work Enrollment

Let’s discuss Intune Android Device Support for Google Android for Work Enrollment. Google has a list of supported devices with its Android for Work program. But does Google’s list contain all supported devices?

I don’t think the list is exhaustive. I have tested 2 devices not listed as Android for Work-supported devices, and surprisingly, both devices can enroll in Intune via the Android for Work program.

The article Intune Android Device Support for Google Android for Work Enrollment shows you how to configure the Android Enterprise platform for use with Intune Device Management. We will walk through the steps to set up Intune Enrollment for Android Enterprise Device Management, enabling you to manage corporate-owned devices efficiently with Microsoft Intune.

In this post, you will find all the details about Intune Android Device support for Google Android for Work enrollment. We’ll cover everything you need to know to get started and manage your Android devices effectively using Intune.

Intune Enrollment via Android for Work with Cheap and Affordable Devices

In this video, you will learn all the details about Intune enrollment through Android for Work using cheap and affordable devices. We’ll guide you on how to set up and manage these devices efficiently with Intune.

Intune Android Device Support for Google Android for Work Enrollment – Video 1

Video Tutorials for Android for Work Management via Intune

I tried Samsung Galaxy J7 and LetV Android devices. These devices are not very costly; each costs less than 150 USD. Organizations always struggle to find cost-effective and affordable Android for Work devices from Google’s new list.

After testing two fundamental Android devices, I found that we need to perform trial and error to understand whether the low-cost Android devices support Android for Work.

Android for Work management via Intune – Google’s device categories:
  • Enterprise Devices
  • Affordable work Devices
  • Featured Device
Intune Android Device Support for Google Android for Work Enrollment – Table 1
Intune Android Device Support for Google Android for Work Enrollment – Fig.1

Android – Intune Android Device Support for Google Android for Work Enrollment

Google recently rebranded, and the name Android for Work has changed to just “Android” management. Google announced that it is simplifying the names Android for Work and Play for Work, calling them simply Android and Google Play.

According to Google, there are 3 categories of Android devices. The new list also does not cover Samsung S7 and LetV devices.

  1. Enterprise Devices – Premium productivity devices
  2. Affordable work devices – Cost-effective devices ready for work
  3. Featured devices

I successfully enrolled low-cost (cheap) Android devices with Android for Work. Intune managed Samsung S7 and LetV devices with the Google Work profile. Both these devices are running Android version 6.

Conclusion – Intune Android Device Support for Google Android for Work Enrollment

Android for Work is supported for devices not listed in the Google portal. I recommend performing thorough testing before approving Android for Work-supported devices within your organization. Maintaining a recommended list of “Android for Work” supported devices within your organization is always better.

I hope Google will remove support for plain Android management and allow only “Android for Work” to manage Android devices. Also, we need to remember that Android for Work support is available only in specific countries or regions. For example, in China, we don’t have any support for Android for Work.


How to Resolve Intune Android for Work Configuration Refresh Error

Let’s discuss how to resolve the Intune Android for Work Configuration Refresh Error. Android for Work configuration is straightforward in most scenarios.

I have configured “Android for Work” for several tenants without any issues. Recently, however, I encountered an issue while configuring this in the Intune Silverlight console. 

When I click on the configure button to “add Android for Work Binding” on the “Android for Work Mobile Device Management Setup” page in the Intune Silverlight console, it initiates the process. Still, Intune cannot launch the Android for Work binding wizard (webpage). 

In one of our posts, we will show you how to configure the Android Enterprise platform for use with Intune Device Management. You can efficiently manage Android Enterprise corporate-owned devices with Microsoft Intune.

Android for Work Refresh Error in Intune SilverLight Console

The video below demonstrates resolving the Intune Android for Work Configuration Refresh Error. Generally, configuring Android for Work is straightforward in most scenarios. I have successfully set up “Android for Work” for several tenants without issues.

How to Resolve Intune Android for Work Configuration Refresh Error – Video 1

Introduction – How to Resolve Intune Android for Work Configuration Refresh Error

I have already posted about Android for Work configuration and set it up in a different post (How to Enroll Android for Work Supported Devices into Intune). This post and video tutorial will provide a step-by-step process to enable Android for Work management.

As I explained in the first paragraph, the Intune console could not complete the Android for Work binding. When I checked the Intune console, there was a console page loading error: “Microsoft Intune was not able to retrieve all data. REFRESH.”

How to Resolve Intune Android for Work Configuration Refresh Error – Fig.1

I tried clicking on the Refresh button several times to see if it worked, but nothing did. There was another button on the Intune Silverlight page, and that was the Save Error Log.

I clicked on the button, and it asked me to save a text log file for this “could not retrieve all data” error in the Intune console. I opened the text file, which contains details about the error and possibly the root cause of this issue as well.

Error Message: Error occurred while retrieving JWT token, check that current user has an Intune license and try again.
How to Resolve Intune Android for Work Configuration Refresh Error – Table 1
How to Resolve Intune Android for Work Configuration Refresh Error – Fig.2

As per the Intune Save Error LOG file, the Intune Silverlight error occurred while retrieving the JWT token, and the error log suggests we check whether the current user has an Intune license and try again. Following is the snippet of the log file.

2017-03-31 05:37:56Z Silverlight Error:
Error occurred while retrieving JWT token, check that current user has an Intune license and try again.
ParameterType: Unknown
OperationType: Unknown
Current URL: https://admin.manage.microsoft.com/MicrosoftIntune/Home?accountid=a8f58f04-e279-44ff-95b9-5e81532915e6#Workspace/administration/index%23?P=//administration/MobileAndroidManagement/&A=%7BGID=23363773-6797-4c777-b3c2-01b06e207b74%7D&S=7sh74c9-7bf5-45ac-9fbb-67369263b9
Console Version: 5.0.17411.0
Service address: https://msua02.manage.microsoft.com/
Last 50 Log Entries:
00CCE 03/31/2017 05:37:37 429 Z MainThread 0001    Page instantiated successfully

Resolution

I have added an Intune/EMS license to the Intune Administrator from the new Azure Active Directory portal. It might not work straight away after assigning the license. You may need to wait 3-4 minutes before configuring “Android for Work.” I recommend logging off and logging back into the Intune Silverlight console before configuring “Android for Work.”  

How to Resolve Intune Android for Work Configuration Refresh Error – Fig.3


Intune App Protection Policies for Android iOS Devices

Let’s check how to enable Intune App Protection Policies for Android and iOS devices. The video below provides more details and an end-user experience. The latest post is available for MAM policies: Step-by-Step Procedure to Create App Protection Policies for iOS/iPadOS in Intune.

Microsoft Intune supports MAM without enrollment (MAM WE) and Conditional Access policies for Android devices. With Intune, there are two types of management options for Android devices.

The first is the traditional way of MDM management, and the second is the light management of apps installed on Android devices via Intune. The previous post discussed the Android MDM management options and end-user experience.

In this post, you will find all the details about Intune App Protection Policies for Android and iOS devices. These policies are essential for managing and securing apps on mobile devices, ensuring that corporate data remains protected even when accessed from personal devices.

Intune MAM without Enrollment along with CA Android Devices

To apply Intune App Protection Policies (APP) effectively, the applications must support these policies. Most Microsoft 365 (M365) applications, such as Outlook, Word, and OneDrive, are compatible with App Protection Policies. These policies help ensure that corporate data accessed through these apps remains secure.

Intune App Protection Policies for Android iOS Devices – Video 1

Intune App Protection Policies for Android iOS Devices

Mobile Application Management (MAM) Without Enrollment (WE) is a lightweight management option for Android devices. This option has some advantages over full MDM management options.

For example, if a consultant’s device is already enrolled in a third-party EMM solution but the consultant needs access to a client’s corporate mail on that device for a short period, MAM WE is the best option. With MAM WE, Intune and Azure AD ensure that corporate mail and the other MAM-enabled applications are protected by MAM policies without enrolling the device.

Intune, Mobile Apps, Apps, Skype for Business, Properties: in the following example, the Android Skype for Business app has been deployed with the deployment type “Available with or without enrollment.” The “without enrollment” part of that deployment type is what serves MAM WE devices.

Intune App Protection Policies for Android iOS Devices – Fig.1

The Intune “MAM WE” conditional access policies are a separate set from the MDM conditional access policy. Take extra care when deploying both to the same user groups: a user targeted by the MDM policy must present an enrolled, compliant device, which defeats the point of MAM WE for that user. I would avoid using the same user group for both policies, or use the exclude-groups option on one of them.

I would avoid deploying the MDM CA policy to user groups whenever possible and deploy it to device groups instead. Otherwise, we need a separate MDM CA user group and a MAM WE CA user group with no user in both, which is tricky to maintain.

Intune App Protection Policies for Android iOS Devices – Fig.2
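The overlap described above is easy to introduce and hard to see in the portal. The following script is an added example (not code from this post) that reads Conditional Access policies in the shape Microsoft Graph returns from GET /identity/conditionalAccess/policies, resolves their group scope, and reports users who are hit by both a compliant-device (MDM) policy and an app-protection (MAM WE) policy, plus the groups you would add as exclusions to fix it. The policy objects, group names and user names are constructed sample data, and the group-membership map stands in for GET /groups/{id}/members.

```python
"""Find users targeted by both an MDM-style Conditional Access policy
(grant control "compliantDevice") and a MAM-WE-style policy (grant control
"compliantApplication"). Such a user must present an enrolled, compliant
device even where app protection alone was intended.

Added example, not code from the original post. SAMPLE_POLICIES and
SAMPLE_GROUP_MEMBERS are constructed in the shape of
GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies and
GET https://graph.microsoft.com/v1.0/groups/{id}/members; names are made up.
"""
from collections import defaultdict

MDM_CONTROL = "compliantDevice"        # "Require device to be marked as compliant"
MAM_CONTROL = "compliantApplication"   # "Require app protection policy"


def policy_kinds(policy):
    """Return {"mdm"}, {"mam"}, or an empty set for a policy that does not enforce."""
    if policy.get("state") != "enabled":          # disabled / report-only
        return set()
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    kinds = set()
    if MDM_CONTROL in controls:
        kinds.add("mdm")
    if MAM_CONTROL in controls:
        kinds.add("mam")
    # One policy listing both controls with operator "OR" lets either satisfy
    # it, so it does not force enrollment on MAM-WE users; skip it.
    if kinds == {"mdm", "mam"} and grant.get("operator") == "OR":
        return set()
    return kinds


def targeted_users(policy, group_members):
    """Resolve a policy's user scope (includes minus excludes) to a set of UPNs."""
    users = policy["conditions"]["users"]
    everyone = {u for members in group_members.values() for u in members}
    include = set(users.get("includeUsers") or [])
    if "All" in include:
        include = set(everyone)
    for gid in users.get("includeGroups") or []:
        include |= set(group_members.get(gid, ()))
    exclude = set(users.get("excludeUsers") or [])
    for gid in users.get("excludeGroups") or []:
        exclude |= set(group_members.get(gid, ()))
    return include - exclude


def find_overlap(policies, group_members):
    """Map each user hit by both kinds of policy to the policy names involved."""
    hits = defaultdict(lambda: {"mdm": set(), "mam": set()})
    for policy in policies:
        kinds = policy_kinds(policy)
        if not kinds:
            continue
        for upn in targeted_users(policy, group_members):
            for kind in kinds:
                hits[upn][kind].add(policy["displayName"])
    return {upn: v for upn, v in hits.items() if v["mdm"] and v["mam"]}


def groups_to_exclude(policies, group_members):
    """For each MDM policy, the MAM include-groups whose members it also hits;
    adding those groups as excludeGroups on the MDM policy removes the overlap."""
    mam_groups = set()
    for policy in policies:
        if "mam" in policy_kinds(policy):
            mam_groups |= set(policy["conditions"]["users"].get("includeGroups") or [])
    result = {}
    for policy in policies:
        if "mdm" not in policy_kinds(policy):
            continue
        scope = targeted_users(policy, group_members)
        clash = {g for g in mam_groups if scope & set(group_members.get(g, ()))}
        if clash:
            result[policy["displayName"]] = clash
    return result


# Constructed sample data (not from a real tenant).
SAMPLE_GROUP_MEMBERS = {
    "grp-mdm-users": ["alice@contoso.example", "bob@contoso.example"],
    "grp-mam-we-users": ["bob@contoso.example", "carol@contoso.example"],
}
SAMPLE_POLICIES = [
    {"displayName": "MDM - require compliant device", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["grp-mdm-users"]}},
     "grantControls": {"operator": "OR", "builtInControls": [MDM_CONTROL]}},
    {"displayName": "MAM WE - require app protection policy", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["grp-mam-we-users"]}},
     "grantControls": {"operator": "OR", "builtInControls": [MAM_CONTROL]}},
    {"displayName": "Old MDM policy (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": [MDM_CONTROL]}},
]

if __name__ == "__main__":
    for upn, names in find_overlap(SAMPLE_POLICIES, SAMPLE_GROUP_MEMBERS).items():
        print(f"{upn}: MDM={sorted(names['mdm'])} MAM={sorted(names['mam'])}")
    print("suggested excludeGroups:", groups_to_exclude(SAMPLE_POLICIES, SAMPLE_GROUP_MEMBERS))
```

Against the sample data the script reports bob, who sits in both groups, and suggests excluding the MAM WE group from the MDM policy. Nested groups are not expanded here; use the transitive members endpoint if your groups nest.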

Each MAM-enabled application can be targeted by app protection policies (MAM app protection). Deploy these app protection policies to MAM WE user groups; remember that MAM WE policies cannot be deployed to device groups, because the policy is applied when the user signs in to the app, not through a device enrollment.

With an app protection policy, you can restrict corporate data relocation and enforce app data encryption. Creating app protection policies and deploying them to the MAM WE user groups is critical.

Intune App Protection Policies for Android iOS Devices – Fig.3
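To check that the policies actually do what the paragraphs above ask (data relocation restricted, app data encrypted, and assignments pointing at user groups only), here is an added example that audits app protection policy objects in the shape Graph returns from GET /deviceAppManagement/androidManagedAppProtections?$expand=assignments and the iOS equivalent. It is not the post's code; the policies, group names and the baseline values are this example's own constructed choices, and the group-membership map stands in for GET /groups/{id}/members.

```python
"""Audit Intune app protection (MAM) policies for data relocation and app
data encryption settings, and flag assignments to groups that contain
devices (MAM-WE policies can only be targeted at user groups).

Added example, not the post's code. Policy objects are constructed in the
shape of GET /deviceAppManagement/androidManagedAppProtections (and
iosManagedAppProtections) with $expand=assignments; SAMPLE_GROUP_MEMBERS
stands in for GET /groups/{id}/members. The baseline is an assumption of this
example, not a value taken from the post.
"""

ANDROID = "#microsoft.graph.androidManagedAppProtection"
IOS = "#microsoft.graph.iosManagedAppProtection"
GROUP_TARGET = "#microsoft.graph.groupAssignmentTarget"

# managedAppProtection properties shared by both platforms: property -> expected value
COMMON_BASELINE = {
    "allowedOutboundDataTransferDestinations": "managedApps",   # data relocation out
    "allowedInboundDataTransferSources": "managedApps",         # data relocation in
    "saveAsBlocked": True,
    "dataBackupBlocked": True,
    "pinRequired": True,
}


def encryption_finding(policy):
    """Platform-specific app data encryption check; None when it passes."""
    kind = policy.get("@odata.type")
    if kind == ANDROID and not policy.get("encryptAppData"):
        return "encryptAppData is off"
    if kind == IOS and policy.get("appDataEncryptionType", "useDeviceSettings") == "useDeviceSettings":
        return "appDataEncryptionType relies on device settings"
    return None


def assignment_findings(policy, group_members):
    """Flag a policy with no assignment or one assigned to a group holding devices."""
    findings = []
    assignments = policy.get("assignments") or []
    if not assignments:
        findings.append("no assignments")
    for assignment in assignments:
        target = assignment.get("target") or {}
        if target.get("@odata.type") != GROUP_TARGET:
            continue
        gid = target.get("groupId")
        members = group_members.get(gid, [])
        if any(m.get("@odata.type") == "#microsoft.graph.device" for m in members):
            findings.append(f"assigned to group {gid}, which contains devices")
    return findings


def audit_policy(policy, group_members):
    """Return a list of deviations; an empty list means the policy passes."""
    findings = []
    for prop, expected in COMMON_BASELINE.items():
        actual = policy.get(prop)
        if actual != expected:
            findings.append(f"{prop}={actual!r}, expected {expected!r}")
    enc = encryption_finding(policy)
    if enc:
        findings.append(enc)
    findings.extend(assignment_findings(policy, group_members))
    return findings


def audit_all(policies, group_members):
    return {p["displayName"]: audit_policy(p, group_members) for p in policies}


# Constructed sample data (not exported from a tenant).
SAMPLE_GROUP_MEMBERS = {
    "grp-mam-we-users": [{"@odata.type": "#microsoft.graph.user",
                          "userPrincipalName": "carol@contoso.example"}],
    "grp-android-devices": [{"@odata.type": "#microsoft.graph.device",
                             "displayName": "Nexus-6-01"}],
}
SAMPLE_POLICIES = [
    {"@odata.type": ANDROID, "displayName": "Android MAM WE - weak",
     "allowedOutboundDataTransferDestinations": "allApps",
     "allowedInboundDataTransferSources": "allApps",
     "saveAsBlocked": False, "dataBackupBlocked": True, "pinRequired": True,
     "encryptAppData": False,
     "assignments": [{"target": {"@odata.type": GROUP_TARGET, "groupId": "grp-android-devices"}}]},
    {"@odata.type": IOS, "displayName": "iOS MAM WE - baseline",
     "allowedOutboundDataTransferDestinations": "managedApps",
     "allowedInboundDataTransferSources": "managedApps",
     "saveAsBlocked": True, "dataBackupBlocked": True, "pinRequired": True,
     "appDataEncryptionType": "whenDeviceLocked",
     "assignments": [{"target": {"@odata.type": GROUP_TARGET, "groupId": "grp-mam-we-users"}}]},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_POLICIES, SAMPLE_GROUP_MEMBERS).items():
        print(name, "->", findings or ["OK"])
```

The weak Android policy produces five findings (both data-transfer directions open, Save As allowed, app data unencrypted, and a device group as the target); the iOS policy passes.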

End-User Experience – How to Enable Intune MAM without Enrollment

The video here shows the Intune MAM WE end-user experience in real time: how to enable Intune MAM without enrollment together with Azure AD Conditional Access in Endpoint Manager.


How to Get Intune Environment Ready for iOS Mac OS Devices

How do you get the Intune environment ready for iOS and macOS devices? The first requirement for iOS and macOS device enrollment is the Apple MDM push certificate. You need to download a certificate signing request (CSR) from the Intune tenant and upload it to the Apple Push Certificates Portal.

Once the upload succeeds, you can download the Apple MDM push certificate from the Apple portal. That certificate has to be uploaded to the Intune portal before you can enroll iOS and macOS devices via Intune. The process is shown in the video in this post.

I assume the Intune MDM authority has already been set before you set up the Apple MDM push certificate and configure enrollment restriction policies.

One of our articles explains how to configure the iOS and macOS platforms for use with Intune. Managing iOS and macOS devices with Intune is crucial for enhancing productivity and protecting enterprise resources. As mobile and remote work environments become more prevalent, employees increasingly rely on their iPhones, iPads, and Mac computers to access important work applications and data.

How to Get Intune Environment Ready for iOS and Mac OS Device Enrollment

Let’s discuss how to get the Intune environment ready for iOS and macOS device enrollment. Preparing your Intune environment for iOS and macOS device enrollment involves several key steps to ensure a smooth and secure setup. This process helps organizations manage Apple devices effectively, providing both security and ease of use for employees accessing corporate resources.
How to Get Intune Environment Ready for iOS Mac OS Devices – Video 1

How to Get Intune Environment Ready for iOS Mac OS Devices

Once the Apple MDM push cert setup has been completed, we can proceed with the following configurations related to iOS and macOS management. As the next step, I would configure the Enrollment Restriction rules for iOS devices.

Suppose your organization has decided to block personal iOS devices from enrolling in Intune. In that case, set up a device type restriction under the platform configurations. I have a detailed post about restricting personal iOS devices.

Read more – How to Restrict Personal iOS Devices from Enrolling on Intune Endpoint Manager

How to Get Intune Environment Ready for iOS Mac OS Devices – Fig.1

The next step is to set up Conditional Access policies for iOS devices (macOS Conditional Access was not yet available at the time of writing). I recommend doing this during the initial Intune setup. As the following screen capture shows, you have a couple of options.

You can select individual supported platforms for the Conditional Access policy, or “All platforms (including unsupported).” I recommend the latter, “All platforms (including unsupported),” so that a client on a platform you did not list cannot sidestep the policy.

How to Get Intune Environment Ready for iOS Mac OS Devices – Fig.2

Azure AD Conditional Access policies can be deployed with or without compliance policies. I recommend combining them, so the next step is to set compliance policies for iOS devices. Are you wondering why there is no encryption setting in the iOS compliance policy?

There is no need for one: iOS encrypts device data as soon as a passcode is enforced, so the passcode settings below are what turn on data protection.

System Security setting | Value
Require a password to unlock mobile devices | Require
Simple passwords | Block
Required password type | Alphanumeric
Number of non-alphanumeric characters in password | 1
Maximum minutes of inactivity before password is required | 15 minutes
How to Get Intune Environment Ready for iOS Mac OS Devices – Table 1
How to Get Intune Environment Ready for iOS Mac OS Devices – Fig.3
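Once the policy exists, it is worth verifying it was saved and assigned as intended rather than trusting the blade. The script below is an added example, not part of this post: it checks iOS compliance policy objects in the shape Graph returns from GET /deviceManagement/deviceCompliancePolicies?$expand=assignments against the five Table 1 rows, treating a stricter tenant value (shorter inactivity, more special characters) as a pass. The policy objects are constructed samples; the property names are the documented iosCompliancePolicy ones.

```python
"""Check Intune iOS compliance policies against the passcode baseline in
Table 1. Added example, not the post's code. SAMPLE_POLICIES are constructed
objects in the shape of
GET https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies?$expand=assignments
(#microsoft.graph.iosCompliancePolicy).
"""

IOS_TYPE = "#microsoft.graph.iosCompliancePolicy"

# Table 1 row -> (iosCompliancePolicy property, baseline value, rule)
# rule "eq": must match; "le": a lower tenant value is stricter and passes;
# "ge": a higher tenant value is stricter and passes.
BASELINE = {
    "Require a password to unlock mobile devices":
        ("passcodeRequired", True, "eq"),
    "Simple passwords (Block)":
        ("passcodeBlockSimple", True, "eq"),
    "Required password type":
        ("passcodeRequiredType", "alphanumeric", "eq"),
    "Number of non-alphanumeric characters in password":
        ("passcodeMinimumCharacterSetCount", 1, "ge"),
    "Maximum minutes of inactivity before password is required":
        ("passcodeMinutesOfInactivityBeforeLock", 15, "le"),
}


def meets(actual, baseline, rule):
    """Compare one tenant value with its baseline; a missing value never passes."""
    if actual is None:
        return False
    if rule == "eq":
        return actual == baseline
    if rule == "le":
        return actual <= baseline
    return actual >= baseline


def check_ios_compliance_policy(policy):
    """Return the deviations from Table 1; an empty list means the policy is at
    least as strict as the baseline and is assigned to at least one group."""
    if policy.get("@odata.type") != IOS_TYPE:
        return [f"not an iOS compliance policy: {policy.get('@odata.type')}"]
    findings = []
    for row, (prop, baseline, rule) in BASELINE.items():
        actual = policy.get(prop)
        if not meets(actual, baseline, rule):
            findings.append(f"{row}: {prop}={actual!r}, baseline {baseline!r}")
    if not policy.get("assignments"):
        findings.append("policy has no assignments, so it applies to nobody")
    return findings


def check_all(policies):
    """Check every iOS policy in a listing; other platforms are skipped."""
    return {p["displayName"]: check_ios_compliance_policy(p)
            for p in policies if p.get("@odata.type") == IOS_TYPE}


# Constructed sample objects (not exported from a tenant).
GROUP_TARGET = {"target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
                           "groupId": "grp-ios-users"}}
SAMPLE_POLICIES = [
    {"@odata.type": IOS_TYPE, "displayName": "iOS baseline",
     "passcodeRequired": True, "passcodeBlockSimple": True,
     "passcodeRequiredType": "alphanumeric",
     "passcodeMinimumCharacterSetCount": 1,
     "passcodeMinutesOfInactivityBeforeLock": 5,     # stricter than 15: passes
     "assignments": [GROUP_TARGET]},
    {"@odata.type": IOS_TYPE, "displayName": "iOS weak",
     "passcodeRequired": True, "passcodeBlockSimple": False,
     "passcodeRequiredType": "numeric",
     "passcodeMinimumCharacterSetCount": 0,
     "passcodeMinutesOfInactivityBeforeLock": 60,
     "assignments": []},
    {"@odata.type": "#microsoft.graph.androidCompliancePolicy",
     "displayName": "Android baseline", "passcodeRequired": True},
]

if __name__ == "__main__":
    for name, findings in check_all(SAMPLE_POLICIES).items():
        print(name, "->", findings or ["meets baseline"])
```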

After the compliance policy settings, it’s time to set up configuration policies for iOS and macOS devices. Intune configuration policies deploy security settings to the devices and can be used to enable or disable device features.

My previous video blog post discussed the different types of Intune configuration profiles. Device restriction policies are security configuration policies in the Intune Azure portal.

How to Get Intune Environment Ready for iOS Mac OS Devices – Fig.4

Conclusion – How to Get Intune Environment Ready for iOS Mac OS

The policies above are the basic ones you want in place if your organization has decided to manage iOS and macOS devices via Intune. There are loads of advanced MDM policy management options available with Microsoft Intune.

You can also create custom configuration policies for iOS devices if some of your security requirements are not covered by the built-in Intune configuration policies. In addition, you can deploy Wi-Fi profiles, VPN profiles, and certificates to iOS devices using Intune MDM.

Another option with Intune MAM WE (without enrollment) is to manage corporate applications via MAM policies and MAM WE Conditional Access policies.

In this scenario, your users don’t need to enroll in Intune MDM management. Therefore, each organization must decide whether to use MAM WE or the MDM channel of iOS management.


Bangalore IT Pro Full Day User Group Event on Intune and SCCM

On March 18th, 2017, the BLR IT Pro group conducted a free full-day Bangalore IT Pro User Group event. At this event, we covered the new Azure portal features of Intune.

We also covered the newest additions in SCCM/ConfigMgr CB 1702 TP. Ninety percent of the sessions were demos, and attendees got some hands-on experience with Android for Work devices.

Bangalore IT Pro Full Day User Group Event on Intune and SCCM?

  • Join the SCCM/ConfigMgr Professional Group for updates about future events – here.
  • Follow the Facebook page to get notified about similar events – here

I had a great experience interacting and sharing knowledge with more than 40 attendees. Most of them are SCCM admins planning to move into the Intune world. Some already have significant experience with Intune iOS management, app wrapping, the Apple DEP program, etc. Others are AirWatch admins who got a good first look at the Intune features.

Full Day BLR ITPro Device Management UG Meet

I have created a quick video of some lively moments of the event. The Full Day BLR ITPro Device Management UG Meet is an engaging event for IT professionals specializing in device management. This comprehensive gathering allows attendees to immerse themselves in the latest industry trends, best practices, and emerging technologies.

Bangalore IT Pro Full Day User Group Event on Intune and SCCM – Video 1

Bangalore IT Pro Full Day User Group Event on Intune and SCCM Configuration Manager Endpoint Manager

The full-day free event covered a wide range of topics relevant to IT professionals and device management. These topics included the latest advancements in device management technologies, best practices for ensuring security and compliance, and strategies for optimizing device performance and lifecycle management.

Topics

The following are the topics I covered during the free full-day event. You can get the presentation link below.

Modern Device Management (MDM) is an advanced approach to managing and securing devices within an organization. It uses cloud-based technologies to provide comprehensive management of a wide range of devices, including desktops, laptops, tablets, and smartphones.

Key Components of Modern Device Management
Cloud-Based Management
Unified Endpoint Management (UEM)
Security and Compliance
Device Enrollment and Configuration
Application Management
Monitoring and Reporting
Bangalore IT Pro Full Day User Group Event on Intune and SCCM – Table 1
What is Modern Device Management?
Basic Understanding Intune
Azure Active Directory AAD Overview
Create AAD Dynamic Device/User Groups
Intune Silverlight Portal Overview
Intune Azure Portal Overview
What is Conditional Access?
Configure Conditional Access
Configure Compliance, Configuration Policies
Table - Compliance Policies – Remediated/Quarantined
Windows 10 Modern Device Management
iOS/MAC OS Management
Android for Work Management
Troubleshooting?
SCCM CB 1702 TP New Features
Bangalore IT Pro Full Day User Group Event on Intune and SCCM – Fig.1

Presentation: Bangalore IT Pro Full Day Event on Intune and SCCM from Anoop Nair (SlideShare): https://www.slideshare.net/slideshow/embed_code/key/4t1BmahfsEu3Tc


How to Restrict Personal Android Devices from Enrolling into Intune

How can I restrict Personal Android Devices from Enrolling in Intune? Are you still waiting to migrate from Intune Silverlight to the Azure portal?

The video post provides a quick overview and comparison between the Intune Azure and Intune Silverlight portals. It highlights the differences and improvements in the new Intune experience within the Microsoft Endpoint Manager (MEM) portal, showcasing the enhanced features and user interface of the Azure-based Intune portal compared to the older Silverlight version.

The new Intune portal allows for more granular restrictions for MDM enrollments. It’s amazing to see new features in the MEM Intune portal. One month ago, I blogged about restricting personal iOS devices from enrolling in Intune via enrollment restriction rules.

This post provides detailed instructions on restricting personal Android devices from enrolling into Intune using Endpoint Manager (MEM). It covers the steps necessary to configure enrollment restrictions, ensuring that only corporate-owned devices can be enrolled and managed through Intune.

How to Restrict Personal Android Devices from Intune Enrollment

Let’s discuss how to restrict personal Android devices from enrolling in Intune. This video provides a detailed guide on configuring Intune settings to ensure that only corporate-owned devices can be enrolled, helping you maintain control over device management within your organization.

How to Restrict Personal Android Devices from Enrolling into Intune – Video 1

How to Restrict Personal Android Devices from Enrolling into Intune

Personal iOS devices could already be restricted from enrolling in Intune MDM, but there was no option to restrict personal Android devices. The Intune team has now lit up the feature to block personal Android devices from enrolling into Intune.

This was one of the features I was looking for to appear in the Azure portal. So, can we allow only Android devices for work-supported enrollment in Intune MDM? With this enrollment or device type restriction option, the answer is NO. So, what is the difference between company-owned Android devices and personally-owned Android devices?

Feature | Company-owned device | Personal device
Opt-out of Device Owner mode | No | Yes
With device approvals enabled, the administrator must approve the device | No | Yes
Administrators can receive an inactivity report every 30 days | Yes | No
Factory resets that users initiate block device re-enrollment | Yes | No
Account wipe available | No | Yes
How to Restrict Personal Android Devices from Enrolling into Intune – Table 1

When you turn on the “Block Android personal devices” option in the Intune blade of the Azure portal, all personal Android devices are blocked from enrollment. Personal Android devices can be Android for Work (AfW) supported devices or non-Android for Work devices.

Initially, I thought an Android for Work device would be treated as corporate-owned rather than personal, but I was wrong: a work profile enrollment is still a personally owned device. For corporate-owned devices, Android for Work can instead be deployed in Work Managed (device owner) mode, which provides full device management.

How to Restrict Personal Android Devices from Enrolling into Intune – Fig.1

The Enroll Devices node is the place in the Intune Azure portal where you set up a restriction policy for personally owned Android devices. Within the enrollment restriction rules, there are two types of restrictions: device type restrictions and device limit restrictions.

In this scenario, we want to restrict personal Android devices. Create a device type restriction policy that allows the Android platform to enroll in Intune, then open Platform Configurations and set personally owned Android devices to BLOCK.

How to Restrict Personal Android Devices from Enrolling into Intune – Fig.2

Conclusion

Ideally, when you block personally owned Android devices from enrollment, every Android device enrolled through a non-corporate method should also be blocked.

As per my testing, this is not working. After enabling the “block Android personally owned devices” policy, I enrolled a couple of Android devices, and those devices got enrolled without any issues.

How to Restrict Personal Android Devices from Enrolling into Intune – Fig.3

In the screenshot below, I have enrolled two Android devices into Intune, and the Intune console detects them as personal devices. I’m not sure why they were not blocked.

How to Restrict Personal Android Devices from Enrolling into Intune – Fig.4
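Rather than spot-checking the console, you can cross-check the restriction against what actually enrolled. The following is an added example, not code from this post: it takes enrollment configuration objects in the shape of GET /deviceManagement/deviceEnrollmentConfigurations and a device listing in the shape of GET /deviceManagement/managedDevices, works out when a restriction that blocks personal Android was last changed, and lists Android devices recorded as personally owned that enrolled after that point. All objects, names and timestamps below are constructed samples.

```python
"""Cross-check the 'block personally owned Android' enrollment restriction
against the devices that actually enrolled.

Added example, not the post's code. SAMPLE_CONFIGS and SAMPLE_DEVICES are
constructed in the shape of
GET https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations
(#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration) and
GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices.
"""
import re
from datetime import datetime, timezone

RESTRICTIONS_TYPE = "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration"
# Both Android flavours carry their own personalDeviceEnrollmentBlocked flag.
ANDROID_RESTRICTION_KEYS = ("androidRestriction", "androidForWorkRestriction")


def parse_graph_time(value):
    """Graph emits UTC timestamps such as 2017-03-28T09:00:00.0000000Z; the
    seven fractional digits are dropped because fromisoformat rejects them on
    Python versions before 3.11."""
    cleaned = re.sub(r"\.\d+", "", value).replace("Z", "+00:00")
    return datetime.fromisoformat(cleaned).astimezone(timezone.utc)


def android_personal_block_since(configs):
    """Latest lastModifiedDateTime among restriction configurations that block
    personally owned Android (classic or work profile); None if none does."""
    since = None
    for cfg in configs:
        if cfg.get("@odata.type") != RESTRICTIONS_TYPE:
            continue
        for key in ANDROID_RESTRICTION_KEYS:
            if (cfg.get(key) or {}).get("personalDeviceEnrollmentBlocked"):
                stamp = parse_graph_time(cfg["lastModifiedDateTime"])
                if since is None or stamp > since:
                    since = stamp
    return since


def personal_android_enrolled_after(devices, since):
    """Android devices Intune records as personally owned that enrolled after
    the block took effect, i.e. the ones the restriction did not stop."""
    if since is None:
        return []
    slipped = []
    for dev in devices:
        if (dev.get("operatingSystem") or "").lower() != "android":
            continue
        if dev.get("managedDeviceOwnerType") != "personal":
            continue
        if parse_graph_time(dev["enrolledDateTime"]) <= since:
            continue
        slipped.append({"id": dev["id"], "deviceName": dev.get("deviceName"),
                        "enrolledDateTime": dev["enrolledDateTime"],
                        "deviceEnrollmentType": dev.get("deviceEnrollmentType")})
    return slipped


def audit(configs, devices):
    return personal_android_enrolled_after(devices, android_personal_block_since(configs))


# Constructed sample data (not exported from a tenant).
SAMPLE_CONFIGS = [
    {"@odata.type": RESTRICTIONS_TYPE, "displayName": "All users and all devices",
     "lastModifiedDateTime": "2017-03-28T09:00:00.0000000Z",
     "androidRestriction": {"platformBlocked": False, "personalDeviceEnrollmentBlocked": True},
     "androidForWorkRestriction": {"platformBlocked": False, "personalDeviceEnrollmentBlocked": True},
     "iosRestriction": {"platformBlocked": False, "personalDeviceEnrollmentBlocked": False}},
]
SAMPLE_DEVICES = [
    {"id": "dev-personal-after", "deviceName": "Nexus 6", "operatingSystem": "Android",
     "managedDeviceOwnerType": "personal", "deviceEnrollmentType": "userEnrollment",
     "enrolledDateTime": "2017-03-30T10:15:00Z"},
    {"id": "dev-company-after", "deviceName": "Pixel", "operatingSystem": "Android",
     "managedDeviceOwnerType": "company", "deviceEnrollmentType": "userEnrollment",
     "enrolledDateTime": "2017-03-30T11:00:00Z"},
    {"id": "dev-personal-before", "deviceName": "Galaxy S7", "operatingSystem": "Android",
     "managedDeviceOwnerType": "personal", "deviceEnrollmentType": "userEnrollment",
     "enrolledDateTime": "2017-03-20T08:00:00Z"},
    {"id": "dev-ios", "deviceName": "iPhone", "operatingSystem": "iOS",
     "managedDeviceOwnerType": "personal", "deviceEnrollmentType": "userEnrollment",
     "enrolledDateTime": "2017-03-30T12:00:00Z"},
]

if __name__ == "__main__":
    for hit in audit(SAMPLE_CONFIGS, SAMPLE_DEVICES):
        print("enrolled despite block:", hit)
```

Devices that enrolled before the restriction was set are expected and are left out; anything listed is either a device Intune classified as personal after the fact or a genuine gap in the restriction.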


How to Remove Work Profile from Intune Managed Android Devices

How to Remove Work Profile from Intune Managed Android Devices? This quick post will help you understand how to remove a work profile from an Android device.

If you’re curious about how work profiles are created, my previous post, “Intune: How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work,” provides a comprehensive guide.

The work profile is created when an Android for Work (A4W) supported device is enrolled in an Intune environment that has been enabled for A4W. There are more than two ways to remove the work profile from an Android device; we will cover three of them in this post.

This post will show you how to remove the work profile from Intune-managed Android devices using Endpoint Manager. The detailed steps are explained below.

Intune Android for Work How to Remove Work profile -Post with Android Device Admin Method

This video clearly demonstrates how to remove the work profile from Intune-managed Android devices using the Android Device Admin method. The step-by-step process is explained thoroughly, making it easy to follow along and understand.

How to Remove Work Profile from Intune Managed Android Devices – Video 1

How to Remove Work Profile from Intune Managed Android Devices

As per Google’s documentation, the following is the method to remove a work profile. I don’t recommend this approach for a device enrolled in Intune, because the removal happens outside Intune and the device record stays in the console. On Android 5.0+ devices, you can delete your work profile in Settings > Accounts > Remove work profile. Touch Delete to confirm the removal of all apps and data within the work profile.

The first proper way to remove a work profile, that is, to unenroll the device from the admin side, is from the Intune portal:

  • Go to the Intune portal and open the “Devices and groups” section.
  • Choose “All devices” to view the list of enrolled devices.
  • Locate and select the device you want to remove or unenroll from Intune.
  • Click the “Remove Company Data” button. This initiates the unenrollment from Intune (the same action is called Retire in the Azure portal).
How to Remove Work Profile from Intune Managed Android Devices – Table 1
How to Remove Work Profile from Intune Managed Android Devices – Fig.1

How to Remove Work Profile from Intune Managed Android Devices

Another option to remove the work profile or unenroll the Android device is from the user’s profile. In the Azure portal, follow the blade path “Users and Groups – All users – Anoop Nair (username) – Devices – Device” and choose the device you want to delete.

As you can see in the following picture, click on the delete button to remove the device from Intune or to remove the work profile.

How to Remove Work Profile from Intune Managed Android Devices – Fig.2

The last option to remove the work profile must be initiated from the end-user device. The user starts this process from the Intune Company Portal application (for more details about the Company Portal, read my previous post: Intune How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work).

Launch the Company Portal app on your Android device, tap the “My Devices” tab, and select the device. In the following picture, tap the recycle bin button to remove the work profile from the device.

  • The Android device unenrollment process will remove company data from your mobile, the work profile created during A4W enrollment, and all the applications deployed through the work profile.
  • However, as shown in the above picture (#5), the company portal application will stay on the device.
  • It won’t allow you to enroll the device again with the same instance of the company portal.
  • If you want to re-enroll the Android device for Intune management, you need to uninstall the existing Company Portal and install it again.
How to Remove Work Profile from Intune Managed Android Devices – Fig.3


Why Available Action is Disabled from Android for Work App Deployment in Intune

Why is the available action disabled from Android for Work App Deployment in Intune? Configuring Android for Work in Intune is not very difficult. However, there are some restrictions when you deploy a volume-purchased application to Android for Work devices.

Microsoft recently announced support for Android for Work (A4W) in Intune, and I’ve been eagerly anticipating the arrival of an A4W-supported device. However, it’s important to note that not all Android devices are compatible with A4W. For those interested, Google has provided a comprehensive list of devices supported by Android for Work.

The Android work profile feature enables users to use a single device for personal and work purposes. Our guide breaks down the steps to help you efficiently manage these devices through Intune, ensuring seamless work and personal data integration.

We can deploy Android for Work volume-licensed apps only to user groups. The ONLY deployment actions enabled in the drop-down list are Not Applicable, Required, and Uninstall. The “Available” deployment action is disabled for Android for Work applications.

Android For Work App Deployment Options Available Required

Let’s explore the possibilities for deploying Android for Work apps, including “Available” and “Required” deployment types. The following video provides a detailed overview of these deployment options, demonstrating how to manage app distribution within your organization effectively.

Why Available Action is Disabled from Android for Work App Deployment in Intune – Video 1

Why Available Action is Disabled from Android for Work App Deployment in Intune

In the screenshot below, you need to specify the type of deployment you want to execute for this software and review the corresponding deployment settings. Choose the appropriate deployment settings for the software. Note that the “Available” install option is disabled, as shown in the window.

Why Available Action is Disabled from Android for Work App Deployment in Intune – Fig.1

Recently, I noticed that the Android for Work Volume-Purchased App deployment action called “Available” has been enabled for some of the tenants. These “Google Play for Work” applications can be deployed to user/device groups in those tenants where the available action is enabled.

Details Why Available Action is Disabled from Android for Work App Deployment in Intune Endpoint Manager

The “Available” deployment action for Android for Work volume-purchased apps, and deployment of those apps to device groups, is only offered with the new grouping experience in the Azure portal. The feature is therefore tied to Azure AD group targeting, which requires migrating from the Intune Silverlight portal to Azure.

  • You can’t see all the Android for Work apps even when you go to the Google Play for Work app store from your Android for Work-supported devices.
  • It will only list the apps that are deployed from the Intune console.
  • App deployment action details are well documented in the TechNet article here. When the app is displayed in the Volume-Purchased Apps node of the Apps workspace, you can deploy it just like any other app.
  • You can deploy the app to groups of users only. Currently, you can only select the Required and Uninstall actions. Starting in October 2016, we will begin adding the available deployment action for new tenants.
Why Available Action is Disabled from Android for Work App Deployment in Intune – Fig.2


Intune How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work

Intune: How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work? Android for Work enrollment to an Enterprise Mobility Management (EMM) solution or Intune is slightly different from enrollment for iOS and Windows devices.

This difference is not due to your EMM solution; it is the process and framework Google implemented for Android for Work enrollment. We need to configure Intune to support Android for Work, and I have a post that explains the prerequisites.

Microsoft announced Intune’s supportability for Android for Work (A4W) a few months back. Since then, I have been waiting for an A4W-supported device. Yes, that means A4W does not support all Android devices. Here is Google’s list of A4W-supported devices.

Our article guides you through configuring the Android Enterprise platform for use with Intune Device Management. You can easily set up Intune Enrollment to manage Android Enterprise devices, and you can easily manage corporate-owned Android Enterprise devices with Microsoft Endpoint Manager Intune.

Intune Android for Work Nexus 6s Enrollment Experience

Let’s talk about the video showing the Intune Android for Work Nexus 6s enrollment experience. This video provides a detailed look at how to enroll a Nexus 6s into Intune with Android for Work, making the process clear and easy to follow.

Intune How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work – Video 1

Details Google Play Store for Work

First, we need to ensure that Android for Work (A4W) is enabled for your Intune tenant, and then configure Intune to support A4W. Do you want to allow only Android for Work-supported devices to enroll in Intune? That option is not available out of the box in Intune.

I’m sure Microsoft will develop a new option in the new Azure portal, as I noted in my previous post about the enrollment restriction rule in Intune. Android for Work is supported on devices running Android 5.0 Lollipop or later that support a work profile.

The second step is to make sure you have configured Android for Work configuration policies in Intune in addition to the Android configuration policies: Intune has a separate set of configuration policies that apply only to Android for Work.

Intune Compliance policies are the same for “Classic” Android management and Android for Work management. Suppose you plan to deploy VPN and Wi-Fi profiles to Android for Work-supported devices. In that case, Intune supports some custom configuration policies (OMA-URI).

Intune How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work – Fig.1

Android for Work?

As a third step, you need to confirm whether your device supports “Android for Work.” Where is the list of Android for Work supported devices? No worries, Google has already published the list here.

If your device is not supported, Intune will automatically enroll it for “classic” Android management, so you won’t see any work profile being created on your phone.
Intune How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work – Table 1
Intune How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work – Fig.2

More Details

Once you have confirmed that the device you are trying to enroll is supported, open the “Google Play Store” and install the Intune Company Portal. Once the Company Portal is installed, you can log in with your corporate credentials, and the first phase of the setup will start, creating a work profile for Android.

Once the work profile has been created, the Company Portal application will ask you to switch to the work profile and launch the Company Portal from there to continue the setup. So, you need to log in to the Company Portal twice as part of Android for Work enrollment.

The work profile will be controlled by an organization you have enrolled in, and the Company Portal app will have access to Work profile-related data.

Intune How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work – Fig.3

The above step completes the first half of the enrollment process: the Intune Company Portal application initiates the creation of the work profile. Once the work profile has been created, you must log in to a second instance of the Company Portal app, which resides in the work profile.

The Company Portal app in the work profile completes the second half of the enrollment process. It helps the device complete Workplace Join, Azure AD Join, and Intune enrollment, as seen in the above video.

Intune How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work – Fig.4

Google Play Store for Work

Once you complete the company access setup, you can access company resources and apps depending on the conditional access, compliance, and configuration policies. The Android device must comply with the compliance policies and meet the conditions set in the conditional access policies by the Intune admin.

Once everything is okay, you can browse and install applications from the “Google Play Store for Work”. I will cover the Android application deployment scenarios in an upcoming blog here (coming soon).

Outlook is one of the applications you can directly deploy as “available” or “required” from the Intune portal. Once the Outlook app has been installed, you can directly configure your official mail without any particular configuration. Email profile deployment via Intune is not required for automatic corporate mail configuration.

You need to put in the email ID. No other configuration is required; instead, everything is automatically configured. As I mentioned in the blog post here, you can add applications to the Google Play Store for work with the existing Gmail account. Once these apps are synced with Intune, you can deploy them to groups.

Intune How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work – Fig.5


Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

Intune Application Policy Manager RBA Controls In MEM Portal | Endpoint Manager Role-Based Access

What are the Intune Application Policy Manager RBA controls in the MEM portal? We will discuss the access rights of the built-in Intune RBA role, Intune Application Manager.

Ideally, this role should have access to Manage mobile apps and read device information, depending on the scope of users/devices assigned to it.

Do you know what the scope is? “The users or devices that a specified person (the member) can manage.” If you are an SCCM admin, the SCOPE option is already in SCCM 2012 and the CB console. I have another post that discusses the details of Configuration Manager RBAC.

This post will examine the permissions associated with the Intune Application Manager built-in role. According to Microsoft documentation, this role “Manages and deploys applications and profiles.”

Intune Application Policy Manager RBA Controls In MEM Portal

We will dive deeply into this topic and explain the actions an Intune app admin can perform from the MEM portal. Following are the access permissions given to the Intune APP Manager RBAC role.

Intune Application Policy Manager RBA Controls In MEM Portal | Endpoint Manager Role-Based Access – Fig.1

Managed Apps – Intune Application Policy Manager RBA Controls In MEM Portal

Managing your organization’s IT infrastructure requires controlling access to its various resources effectively. Here’s a breakdown of this role’s permissions for managed apps, managed devices, and mobile apps.

Managed Apps
  • Assign managed apps to a security group
  • Create managed apps
  • Delete managed apps
  • Read managed apps
  • Update managed apps
  • Wipe managed apps
Managed Devices
  • No access to delete devices
  • Access to read device information
  • No access to update device properties
Mobile Apps
  • Assign mobile apps to a security group
  • Create mobile apps
  • Delete mobile apps
  • Read mobile apps
  • Update mobile apps
Intune Application Policy Manager RBA Controls In MEM Portal | Endpoint Manager Role-Based Access – Table 1

Overall Access Rights of Intune Tiles – Intune Application Policy Manager RBA Controls In MEM Portal

This role can perform some actions in the Manage apps and Configure devices tiles. Access is denied to perform any activities in the Conditional Access, Device Enrollment, Access control, and Set device compliance tiles.

  1. You are allowed to set up certificate authority in the Configure devices tile. However, you do not have access to view profiles.
  2. You are allowed to view the device information in the Device and Groups tile.
  3. Access is denied to create/delete new or existing groups or user profiles. It doesn’t matter whether the Intune policy manager is editing the groups in SCOPE. In many places, save and add buttons are enabled, but when we try to save, we get an error.
  4. Access is denied to change device and user settings in the Manage user tile.
  5. Access is denied to the Intune Silverlight console.
  6. Access is denied to the Intune App Protection section, and Intune mobile application management is not allowed for Intune App Managers. These app protection options are probably part of the Intune > Manage Apps tab in the Azure portal.

Access Rights – Manage Apps (Manage Apps and Mobile Apps) – Intune Application Policy Manager RBA Controls

You can create new mobile apps and edit mobile apps uploaded by admins. Access is denied to edit the managed apps, which are uploaded automatically.

  1. Access is denied to remove assignments/deployments from a group outside the Intune application manager’s scope.
  2. Access is denied to remove assignments/deployments from a group in the Intune application manager’s scope. This should be allowed!
  3. If the user group is within the scope of the Intune application manager, you can add an assignment to a mobile/managed app.
  4. Access is denied to add an assignment to a mobile/managed app if the user group is out of the scope of the Intune application manager.
  5. App protection policies hang when trying to edit existing ones (or create new ones) from the Intune App Manager account.
  6. The Intune App Manager account is allowed to perform an app selective wipe, but only on in-scope users/devices.
  7. Access is denied to edit Company Portal branding from the Intune App Manager account.
Intune Application Policy Manager RBA Controls In MEM Portal | Endpoint Manager Role-Based Access – Fig.2
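To make the permission-plus-scope model behind these observations concrete, here is a small added example (my own illustration for this post, not Intune’s code or anything from Microsoft) that evaluates the Intune Application Manager permission list from Table 1 against a scope. The group names, the `RoleAssignment` class and the `is_allowed`/`evaluate` helpers are constructed for the example; they model the two checks an RBAC decision goes through, first the role definition, then the scope of users/devices the member may manage.

```python
"""Constructed model of how an Intune RBAC role assignment is evaluated.

Illustration added for this post, not Intune's own code: it combines the
permission list the post gives for the built-in Intune Application Manager
role with the SCOPE concept ("the users or devices that a specified person
can manage") to show why each action in the post is allowed or denied.
"""
from dataclasses import dataclass
from typing import Optional

# Resource actions from the post's permission table (Table 1).
APP_MANAGER_PERMISSIONS: dict[str, set[str]] = {
    "ManagedApps": {"Assign", "Create", "Delete", "Read", "Update", "Wipe"},
    "ManagedDevices": {"Read"},  # no Delete, no Update
    "MobileApps": {"Assign", "Create", "Delete", "Read", "Update"},
}


@dataclass
class RoleAssignment:
    """A role definition bound to its members and the groups they may manage."""
    role_name: str
    permissions: dict[str, set[str]]
    members: set[str]
    scope_groups: set[str]


def is_allowed(assignment: RoleAssignment, resource: str, action: str,
               target_group: Optional[str] = None) -> tuple[bool, str]:
    """Return (allowed, reason) for one action: permission check, then scope.

    Step 1 rejects actions the role definition never grants (for example
    deleting devices). Step 2 rejects actions aimed at a user/device group
    outside the assignment's scope, which is why the same admin can assign
    an app to one group but not to another.
    """
    granted = assignment.permissions.get(resource, set())
    if action not in granted:
        return False, f"{resource}/{action} is not granted to '{assignment.role_name}'"
    if target_group is not None and target_group not in assignment.scope_groups:
        return False, f"group '{target_group}' is outside the scope of '{assignment.role_name}'"
    return True, "allowed"


def evaluate(assignment: RoleAssignment,
             requests: list[tuple[str, str, Optional[str]]]) -> list[dict]:
    """Evaluate a batch of (resource, action, target_group) requests."""
    report = []
    for resource, action, group in requests:
        allowed, reason = is_allowed(assignment, resource, action, group)
        report.append({"resource": resource, "action": action,
                       "group": group, "allowed": allowed, "reason": reason})
    return report


# Constructed sample assignment: hypothetical group names, not from the post.
APP_MANAGER = RoleAssignment(
    role_name="Intune Application Manager",
    permissions=APP_MANAGER_PERMISSIONS,
    members={"app-admins"},
    scope_groups={"Sales-Users", "Sales-Devices"},
)

# The scenarios the post walks through, expressed as requests.
SAMPLE_REQUESTS: list[tuple[str, str, Optional[str]]] = [
    ("MobileApps", "Assign", "Sales-Users"),        # in scope: allowed
    ("MobileApps", "Assign", "Finance-Users"),      # out of scope: denied
    ("ManagedApps", "Wipe", "Sales-Devices"),       # selective wipe, in scope
    ("ManagedApps", "Wipe", "Finance-Devices"),     # selective wipe, out of scope
    ("ManagedDevices", "Delete", "Sales-Devices"),  # never granted to the role
    ("ManagedDevices", "Read", None),               # read-only device access
]


def main() -> None:
    for row in evaluate(APP_MANAGER, SAMPLE_REQUESTS):
        verdict = "ALLOW" if row["allowed"] else "DENY "
        print(f"{verdict} {row['resource']}/{row['action']} "
              f"group={row['group']}: {row['reason']}")


if __name__ == "__main__":
    main()
```

Note that this model treats removing an assignment from an in-scope group as allowed, which is what the scope definition implies; the post reports that the portal denied it (item 2 above), so the model is a reasoning aid for predicting and reviewing role assignments, and the actual behaviour must be confirmed against the role definition and scope tags in the MEM portal.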

