Intune Read-Only Experience Learn to Create Read-Only Operators Roles Admin Access

Role-Based Access Controls (RBAC) are one of my favorite features in Microsoft Intune.

The lack of RBAC was one reason people chose Intune hybrid instead of Intune standalone. The Intune team introduced RBAC features into the product back in 2017. In this post, we will learn how to provide read-only access to the Intune console.

I have two (2) posts covering Intune role-based access controls in detail. I recommend reading through those two posts to learn more about Intune RBAC.

The Intune team did excellent work to include scope features in Intune RBAC. Now it is getting close to the SCCM RBAC features. Following are my previous posts about Intune RBAC.

How to Provide Read-Only Access to Intune

RBAC helps Intune admins control who can perform various Intune tasks within your enterprise. There are six (6) built-in Intune roles (RBAC roles). I use the Intune default role called “Read Only Operator” to provide read-only access to the Intune console.

  1. Navigate to Azure Portal – Microsoft Intune blade – Intune roles – All roles – Read-Only Operator – Assignments – Click on + Assign.
  2. Once you click on the “+ Assign” button, a new Read-Only Operator – Role assignments blade will be displayed.
  3. Enter the following information in the blade:
     • Assignment Name = Read-Only Intune Users
     • Assignment Description = Details of Read-Only Assignment Group
     • Members (Groups) = Click on the + Add button and select the Azure AD user group that contains the Intune read-only users (my example – Intune ReadOnly Users).
     • Scope (Groups) = Click on + Add and select the Azure AD user and/or device group. The Read Only Operator would be able to manage the resources in this group. More details are below.
  4. Save the Intune role assignment by clicking the OK button.

Administrators in the Members group of a role assignment can target policies, applications, or small tasks to these Scope Groups. So the Intune ReadOnly Users group members (in my example screenshot) would be able to target policies, applications, or small functions for the users/devices in my scoping group Intune ReadOnly. This is as per the design.

  •  Member Group users are the administrators assigned to this role.

Do you know what Intune scope group is?

Intune defines a scope group as “the users or devices that a specified person (the member) can manage.” In the above example, the Intune ReadOnly Users can manage the devices or users that are members of their Scope Groups.
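As an added example that is not part of the original post, the following PowerShell script performs the same Read-Only Operator role assignment through Microsoft Graph instead of the portal blade, then reads it back and checks that the Members group does not also hold other Intune roles. It assumes the Microsoft.Graph PowerShell module is installed, that the signed-in account may manage Intune RBAC, and that the two Azure AD groups from the post exist (Intune ReadOnly Users as Members, Intune ReadOnly as Scope). In the Graph v1.0 resource the portal's Members (Groups) field is the `members` property and Scope (Groups) is `resourceScopes`.

```powershell
# Added example, not code from the original post: create the Read-Only Operator role
# assignment that the post builds in the portal, but via Microsoft Graph from
# PowerShell, then read it back and check for members with extra roles.
# Assumptions: the Microsoft.Graph PowerShell module is installed, the signed-in
# account may manage Intune RBAC, and the two group names exist as in the post.
#Requires -Modules Microsoft.Graph.Authentication
param(
    [string]$MembersGroupName      = 'Intune ReadOnly Users',  # admins who get the role (Members)
    [string]$ScopeGroupName        = 'Intune ReadOnly',        # users/devices they may view (Scope)
    [string]$AssignmentName        = 'Read-Only Intune Users',
    [string]$AssignmentDescription = 'Details of Read-Only Assignment Group'
)

$graph = 'https://graph.microsoft.com/v1.0'

# Request only the permissions this task needs: Intune RBAC write plus group lookup.
Connect-MgGraph -Scopes @('DeviceManagementRBAC.ReadWrite.All', 'Group.Read.All') | Out-Null

function Get-GroupIdByName {
    param([Parameter(Mandatory)][string]$Name)
    $escaped = $Name.Replace("'", "''")   # OData string literal escaping
    $uri = "$graph/groups?`$filter=displayName eq '$escaped'&`$select=id,displayName"
    $hits = @((Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value)
    if ($hits.Count -ne 1) {
        throw "Expected exactly one group named '$Name', found $($hits.Count); refusing to guess."
    }
    return $hits[0].id
}

$membersGroupId = Get-GroupIdByName -Name $MembersGroupName
$scopeGroupId   = Get-GroupIdByName -Name $ScopeGroupName

# Resolve the built-in role by display name. Filter client-side and insist on isBuiltIn
# so a custom role that reuses the name cannot be picked up by mistake.
$roleDefs = (Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/roleDefinitions" -OutputType PSObject).value
$readOnlyRole = @($roleDefs | Where-Object { $_.displayName -eq 'Read Only Operator' -and $_.isBuiltIn })
if ($readOnlyRole.Count -ne 1) { throw 'Built-in Read Only Operator role definition not found.' }
$roleId = $readOnlyRole[0].id

# Same fields as the portal blade: members = who holds the role,
# resourceScopes = the Scope (Groups) whose users/devices they can see.
$body = @{
    '@odata.type'               = '#microsoft.graph.deviceAndAppManagementRoleAssignment'
    displayName                 = $AssignmentName
    description                 = $AssignmentDescription
    members                     = @($membersGroupId)
    resourceScopes              = @($scopeGroupId)
    'roleDefinition@odata.bind' = "$graph/deviceManagement/roleDefinitions/$roleId"
} | ConvertTo-Json -Depth 5

$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/roleAssignments" `
    -Body $body -ContentType 'application/json' -OutputType PSObject

# Read the assignment back rather than trusting the POST response.
$saved = Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/roleAssignments/$($created.id)" -OutputType PSObject
if ($saved.members -notcontains $membersGroupId -or $saved.resourceScopes -notcontains $scopeGroupId) {
    throw "Assignment $($created.id) was saved with unexpected members or scope; review it before use."
}
Write-Host "Created '$($saved.displayName)' ($($saved.id)) for role $roleId."

# Least-privilege check: a group that is meant to be read-only should not also sit in
# the Members list of any other Intune role assignment.
$all = (Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/roleAssignments" -OutputType PSObject).value
$extra = @($all | Where-Object { $_.id -ne $saved.id -and $_.members -contains $membersGroupId })
if ($extra.Count -gt 0) {
    Write-Warning "Group '$MembersGroupName' also holds other role assignments: $(($extra.displayName) -join ', ')"
} else {
    Write-Host "Group '$MembersGroupName' holds no other Intune role assignments."
}
```

The script refuses to continue when a group name matches more than one group, because picking the wrong Members group is exactly the mistake that hands read access to the wrong people; the final check is the same question the post's scope discussion raises, namely whether the supposedly read-only group is quietly also a member of a more powerful role.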

If you are an SCCM admin, the SCOPE option is already there in the SCCM 2012 and CB consoles. I have another post that covers Configuration Manager RBAC in detail.

Intune Read-Only User Experience

In this scenario, the Intune read-only user is a regular user in Azure Active Directory (without any other access). But the user has a valid Intune (EMS) license assigned.

I will cover all the following scenarios with Intune read-only user experience. More details are available in the video tutorial called read-only access to Intune.

Device enrollment Experience for Read-Only User

The user has read or view access to all the blades under device enrollment. I have noticed that the Configure MDM Push Certificate blade doesn’t provide any option to download the CSR file.

The Android work enrollment experience is different from Apple’s. I can see the following error while trying to sign up with the Intune read-only account: “An error occurred requesting Android for Work signup Url.”

Windows enrollment, Terms and conditions, Enrollment restrictions, Device categories, Corporate device identifiers, and Device enrollment managers also work as expected for Intune read-only users.

Device Compliance Experience for Read-Only Users

The device compliance experience is different from the device enrollment experience. The read-only user can change the schedule for actions for noncompliance in a compliance policy, but the change never gets saved. Instead, Intune gives an error while trying to save the configuration. So we are fine!

As per my testing, the read-only user doesn’t have access to assign the compliance policy to any group. You can refer to the video tutorial called read-only access to Intune for more details. However, the read-only user has access to check the status of the compliance policy on devices.

Devices Blade Experience for Intune Read-Only User

The view access is intact for the Devices blade. The user can view the properties of all the devices. The Azure AD scope option may provide a way to stop read-only users from viewing the properties of devices that are not in the read-only users’ scope.

Also, read-only users can’t perform any remote actions (Remove company data, Factory reset, Delete, and Remote Lock) on devices.

Device Configuration Experience for Intune Read-Only User

The Configuration profiles blade provides the classic view experience for Intune read-only users. Read-only users have view access to Overview, Properties, Assignments, Device status, User status, and Per-setting status.

The Configuration PowerShell Scripts blade provides a different experience for Intune read-only users. Similar to the compliance policy experience (explained above), the PowerShell scripts blade offers the option to edit or rename a PowerShell script. But we are fine, as Intune won’t allow read-only users to save those changes.

The PowerShell script assignment experience is similar. It lets the read-only user change the script assignments, but it won’t allow the changes to be saved.

Mobile Apps (Applications) Experience for Intune Read-Only User

The mobile apps experience for the Intune read-only user is similar to device enrollment. The Mobile apps Manage options provide standard view access to read-only users for Apps, App configuration policies, App protection policies, App selective wipe, and iOS app provisioning profiles.

Monitor options under mobile apps give a similar view experience for App licenses, Discovered apps, App install status, App protection status, and Audit logs.

SETUP options also give a similar view experience for iOS VPP tokens, Windows enterprise certificate, Windows Symantec certificate, Microsoft Store for Business, Windows sideloading keys, Company Portal branding, App categories, and Android for Work.

Conditional Access Experience for Intune Read-Only User

The Conditional Access blade provides view access to read-only operators. I love that Azure AD Conditional Access What If works fine for read-only users. This would be very helpful from a learning perspective.

All of the following items also work as expected, providing standard view access.

  • On-premises access
  • Users
  • Groups
  • Intune roles
  • Software Updates

Learn to Fix Microsoft SCCM Intune Documentation Configuration Manager ConfigMgr

Let us learn how to fix Microsoft SCCM and Intune documentation (Configuration Manager / ConfigMgr). How many of us complain about SCCM and Intune documentation?

The documentation is not updated, not relevant, etc. Here is a real opportunity to help yourself and update the SCCM and Intune documentation.

But don’t worry about the quality of the SCCM and Intune documentation, as there are several validation steps before your edits/changes get published. Hack a Doc is the theme of this post 😉

Check out the video “Learn How to Help Fixing SCCM Intune Documentation Issues”.

We had a great MVP Hack a Doc session with Aaron during the MVP Summit 2018. All the credit goes to Aaron, who taught me how to start updating SCCM/Intune documentation. I don’t recommend going around and editing or updating all the documentation. Start small before you leap.

Start Small

What is changed?

The Microsoft documentation service (https://docs.microsoft.com) is hosted on the GitHub platform, and this helps to give a better user experience while reading the documentation.

Even the SCCM and Intune documents have been migrated to the new platform. Following is my list of key features of the new docs.microsoft.com platform.

  • Readability
  • Estimated Reading Time
  • Content and Site Navigation
  • Shortened Article Length
  • Responsive Design
  • Community Contributions
  • Social Sharing
  • Friendly URLs

How to Start Updating SCCM Intune Documentation?

I hope you go through a lot of Microsoft documentation every day. Suppose you find an incorrect article and want to let the Microsoft docs team know about the wrong information.

  • Create a GitHub account if you don’t have one. Creating a GitHub account took me one or two minutes.
  • Select the GitHub Free plan as part of the signup process, and fill in the “Tailor your experience” step with a short intro about yourself.
  • Open the article you identified and click on the EDIT button, as I showed in the video tutorial. You should open the article from the same browser in which you are already logged in to your GitHub account.
  • Once you click on the EDIT button on that article, it redirects you to the GitHub editor.
  • The GitHub editor is the place where you will perform all the updates.

Identify Article and Start Contributing

How to Contribute to SCCM Intune Documentation

As Aaron mentioned in his “MVP Hack a Doc” session, start small. Standard GitHub accounts do not have write access to the live documentation repository, and you will get the following message when you try to edit or update an article.

  • You’re editing a file in a project you don’t have write access to. Submitting a change to this file will write it to a new branch in your fork, AnoopCNair/SCCMdocs, so you can send a pull request.

As I have shown in the “Hack A Doc” video, a perfect example of raising an issue came from Jason. He raised a problem, and a documentation bug was filed to fix this issue.

Creating a pull request is another option that I tried. But I think that needs more access to edit the master file. A normal GitHub account may not have access to proceed with a pull request.

Another interesting learning for me was the tips about selecting the best title, title suffix, description, ms.custom, ms.date, and ms.prod for technical articles. As Aaron suggested, we can start by doing the following things:

  • Clarifications
  • Examples
  • SDK, PowerShell
  • Guidance tips
  • Translations
  • See something, fix something

I have tried raising an issue with the documentation, and that is the best and easiest part I learned during the MVP Hack a Doc session. I have more details about the issues raised in the Hack A Doc video tutorial.

Another useful option is to track the documentation issues with your GitHub account. So we can rest assured that Microsoft is aware of the bug, and they will fix it soon. Following is the file structure of a GitHub article, for example SCCMdocs/sccm/core/plan-design/hierarchy/accounts.md.

Start Contributing = Raising an Issue

Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and local user group leader of the HTMD Community. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.