Intune MSI Application Deployment Video Guide Microsoft Endpoint Manager Step by Step Guide

Intune MSI Application Deployment Video Guide Microsoft Endpoint Manager Step by Step Guide? How to upload and deploy MSI applications to Windows 10 machines with Intune via Azure console?  MSI application deployment could be one of the most used features in Intune (at least for a couple of years).

In this video post, we will see the step-by-step MSI application deployment (Intune LOB application deployment) process.

NOTE! – Do not include the msiexec command or arguments, such as /i or /x, as they are automatically used. For more information, see Command-Line Options. If the .MSI file needs additional command-line options, consider using Win32 app management.

Introduction – Intune MSI Application Deployment

This post is also an end-to-end guide to creating MSI applications in Intune via the Azure portal. I already blogged about MSI MDM deployment via the MDM channel in the following post, “How to Deploy MSI App to Intune MDM Using SCCM CB and Intune“. This will include:-

  • Uploading the MSI LOB app to Intune
  • Deployment or Assignment options
  • End-User Experience on Windows 10 machine
  • How to Troubleshooting with event logs and Pending Sync
  • How to get application installation status messages back to Intune console

Upload MSI LOB application to Intune

Uploading the MSI LOB app to Intune is a very straightforward process. Login to Azure portal and navigate via Microsoft Intune -> Mobile Apps -> Apps -> + Add button and select app type as “Line-of-Business app”. Click on “App package file,” browse to the MSI source file location and click on the OK button, as you can see in the video here.

Intune LOB application deployment
Intune MSI Application Deployment Video Guide Microsoft Endpoint Manager Step by Step Guide

You have to complete/fill the “App information” section before you can proceed with uploading the MSI to Intune. There are a couple of mandatory fields which you need to fill in. Command-line options are also available in this section. But, as per my experience, you can see in the video as well.

I have not used any silent switch for MSI, but by default, Intune/MDM on Windows 10 will install the app as silent (without any user interaction or input). Click on the ADD button to complete the MSI app creation process in Intune on the Azure portal.

Deployment or Assignment options of MSI Intune LOB application deployment

It would be best to wait until the application is successfully uploaded to Intune before you can create an assignment (or deployment). An assignment is a method that we use to deploy MSI applications to Windows 10 devices. You can deploy applications to Azure AD dynamic user groups or device groups. In this video/scenario, I used the AAD dynamic user group to target the MSI LOB apps. More details are available in the video here. There are different deployment types available in Intune.

Available – The user needs to go into the company portal and trigger the installation
Not applicable – Won’t get installed
Required – Forcefully get installed without any user interaction
Uninstall – Remove the application from the device
Available with or Without enrollment  – Mobile Application Management (MAM) without MDM enrollment scenarios.

Intune LOB application deployment Intune MSI Application Deployment Video Guide Microsoft Endpoint Manager Step by Step Guide
Intune MSI Application Deployment Video Guide Microsoft Endpoint Manager Step by Step Guide

End-User Experience on Windows 10 machine

Windows 10 machines will get the new application deployment policy once the assigned user is logged into that machine. What is the option to speed up the application deployment to the machines?  You need to sync with Intune services using the following method (manually).

You can go to “Settings – Access Work or School – Work or School Account – Info (click on this button)” and click on  Sync. This will initiate Windows 10 machine sync with Intune services, and after a successful sync, the machine will get the latest application policies.

How to Troubleshooting with event logs and Pending Sync

Unlike SCCM/ConfigMgr deployments, we don’t have log files to look at the application installation status via the MDM channel on Windows 10 machines. So, you need to rely on the Company portal for troubleshooting the MSI application troubleshooting.

As you can see in the following pic, the installation is waiting for “Pending Sync“. In this scenario, you can immediately initiate a manual sync to kick start the installation process, as I mentioned above.

Intune MSI Application Deployment Video Guide Microsoft Endpoint Manager Step by Step Guide
Intune MSI Application Deployment Video Guide Microsoft Endpoint Manager Step by Step Guide

Event logs – Windows Logs – Applications are where you can get the status of MSI application installation via MDM or Intune channel on to Windows 10 machine.

How to get application installation status messages back to Intune console

To get the installation status of the MSI LOB apps to Intune on the Azure portal, you need to sync your work or school accounts with Intune services. The installation status will be blank in Intune blade unless the device is not synced with Intune after installing the application on the Windows 10 machine.

Initiate the sync via “Settings – Access Work or School – Work or School Account – Info (click on this button)” and click on  Sync. Once the sync is completed successfully, you can try to check the Intune Device Install Status in Intune to check the status.

Intune LOB application deployment Intune MSI Application Deployment Video Guide Microsoft Endpoint Manager Step by Step Guide
Intune MSI Application Deployment Video Guide Microsoft Endpoint Manager Step by Step Guide

Reference:- 

  • How to add an app to Microsoft Intune – here
  • How to add Windows line-of-business (LOB) apps to Microsoft Intune – here

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

Differences Between Intune Enrollment Restriction Device Restriction Profile

Difference Between Intune Enrollment Restriction Device Restriction Profile? I was going through one of the TechNet documentation and got confused with enrollment restriction policies and device restriction policies. I have posted about both of these policies.

1. “Video Experience Intune Device Restriction Policy Deployment to Windows 10 Device” 

2. “How to Restrict Personal Android Devices from Enrolling into Intune“.

Device restrictions are entirely different from Enrollment restrictions. Both options have different use cases and that will be explained in this post. These two policies are used in modern device management solutions like Intune and Azure AD.

Enrollment Device Platform Restrictions

Intune Device restriction profiles (Enrollment Device Platform Restrictions) are policies similar to GPO from the traditional device management world. Most enterprise organizations use GPO to restrict corporate-owned devices. These are security policies that need to apply to devices. Intune Device restriction policies control a wide range of settings and features of mobile devices (iOS, Android, macOS, and Windows 10).

  • MDM – Allow or Block
  • Allow – min/max range
  • Personally owned devices – Allow or Block

Device Type Restriction in Intune

Enrollment device platform restrictions make more sense. Navigate to Devices – Enroll Devices – Enrollment Device Platform Restrictions.

Intune Enrollment Restrictions
Enrollment Device Platform Restrictions

This type of policy could be applicable to different categories including security, browser, hardware, and data sharing settings. For example, you could create a device restriction profile policy that prevents users of Windows devices from sharing the internet or using Cortana, etc.

Intune Device Restriction profiles can be deployed to specific users/devices in AAD groups whereas Intune Enrolment restriction policies can’t be deployed to specific user/device groups in Azure AD. More details are available in the following section of this post.

Intune Device Limit Restrictions

Enrollment is the first part of Mobile Device Management (MDM). Why do we need to enroll a mobile device into Intune? Enrollment is the first step for management. When a device is enrolled in Intune, they have issued an MDM certificate, which that device then uses to communicate with the Intune service.

In several scenarios, we need to block employees from enrolling their personal devices into the corporate management platform. You want to block devices that are not secured enough to enroll in Intune. For example, You want to block personal devices from enrolling.

Also, we could be able to block lower OS version devices How is this possible from Intune? Difference Between Intune Enrollment Restriction Device Restriction Profile | Configuration Manager ConfigMgr

Navigate through Microsoft IntuneEnroll DevicesEnrollment device limit restrictions. You would be able to see two Intune enrollment restrictions policies called

1. Device Type Restrictions and 2. Device Limit Restrictions.

Device Type restriction is where we can define which platforms, versions, and management types can enroll. So all other devices are blocked from Intune enrollment.

The only problem with Intune enrollment restrictions that I can think of is: – Device type restrictions in Intune are deployed to “All Users, ” and we can’t deploy or assign Intune enrollment restriction policies to “specific user group”. At the moment, the device type restrictions policies are tenant-wide configurations.

Device Limit Restrictions in Intune

Navigate to Devices – Enroll Devices – Enrollment Device Limit Restrictions to configure the limitation.

Intune Enrollment Restrictions
Device Limit Restrictions in Intune

Difference Between Intune Enrollment Restriction Device Restriction Profile ?

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

Intune How to Setup Android Work Support Step by Step Guide Microsoft Endpoint Manager

Intune How to Setup Android Work Support Step by Step Guide Microsoft Endpoint Manager? Google’s strategic approach is to support management only via the Android Work channel, and Microsoft Intune’s strategy is to support Android work. In this post, we will see how to set up Android work support in Intune portal.

Latest Post – How To Configure Intune Enrollment Setup For Android Enterprise Device Management – HTMD Blog #2 (howtomanagedevices.com)

I have blogged about the enrollment for Android Work management via Intune “Intune How to Enroll Android for Work Supported Devices for Management“. The video embedded in the above post explains the process of enabling Android Work support in Intune Silverlight portal.

As you can see in the embedded video guide attached to this post, we will see how to unbind or change the Gmail/Google account which we used to set up Android work support in Intune Azure portal.

Once the existing Gmail account has been removed, then we can use a different Gmail account to configure, or set up Android Work support in Intune Azure console.

How to Unbind Android Work Account from Intune Azure Portal

Setup Android Work Support

We need to unbind the account from Intune Azure console when we want to change the Setup Android Work Google account. Unbind button in Intune Azure removes support for Android Work enrollment and removes the relationship between the Android work account Gmail and Intune.

I have seen some delay in the process of unbinding the Gmail account from Intune blade in the Azure portal. As you can see in the video here, I removed the Gmail account from the Android work setting in Intune blade in the Azure portal, but it took 2 minutes to reflect these changes. However, the removal of Android Work was immediately reflected on Intune Silverlight portal.

Setup Android Work Support in Intune Azure Portal

The configuration or setup of Android Work support in Intune Azure portal is very similar to the one in the Silverlight portal. You just need to click on the Configure button, and that will open up a pop where you can log in with a new Gmail or Android work account. The Google configuration wizard will help you to set up the connection between Intune and Google API like Google Play for Work, Android Work management, etc…

Android For Work _ Intune Azure Portal-Setup-Configure

Setting up Android Work Enrollment & Management via Intune

Android for Work enrollment settings is also the same as Intune Silverlight console. We get three options for setting up Android work enrollment in Intune Azure portal.

1. Manage all devices as Android – This is opposite to Google’s strategic approach regarding managing the Android devices
2. Manage supported devices as Android for Work – As per my testing, all the Android 6.0 and above devices are supported for Android work enrollment and management via Intune. I have a blog post that explains A4W supportability “Intune Entry Level Low-Cost Device Support for Android for Work Enrollment“. Hence this is my best bet option for enrollment.
3. Manage supported devices for users only in these groups as Android Work – This could be used in case of testing or pilot process if your organization doesn’t have any test Intune environment.

Android For Work _ Intune Azure Portal-SettingUP

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

Intune Create SCEP Certificate Profiles in Endpoint Manager Deploy SCEP profiles to Windows 10 Devices

Intune Create SCEP Certificate Profiles in Endpoint Manager Deploy SCEP profiles to Windows 10 Devices? In this post, we will go through creating and deploying SCEP Certificate to Windows 10 Devices (How to Deploy SCEP Certificate to Windows Devices).

We need to take care of some prerequisites before creating SCEP Certificates in Intune. You need to have on-prem infrastructure components available before creating SCEP cert profiles in Intune. Related post > Intune SCEP HTTP Errors Troubleshooting Made Easy With Joy – #5 (anoopcnair.com)

NDES setup for SCEP

NDES connector should be installed on your Data Center, and NDES connector should be able to talk to CA server and with Azure AD App proxy connector if you are using Azure app proxy. I’m not going to cover the setup of NDEs and the Azure AD App proxy connector. Those two configurations are very complex and very well explained in other blogs.

Related Post – https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-How-to-configure-NDES-for-SCEP-certificate/ba-p/455125

All these configurations are explained in the video above or you can watch it here

Deploying SCEP Certificate to Windows10 Devices will help connect corporate resources like Wi-Fi and VPN profiles. Before creating Windows 10 SCEP Certificate in Intune, you need to create and deploy a certificate chain. The certificate chain includes the Root CA certificate and the Intermediate /Issuing CA certificate.

There are 3 certificate profiles available in Intune those are TRUSTED Certificate, SCEP Certificate, and PKCS certificate. We are not going to use the PKCS certificate for SCEP profile deployment.

Deploy SCEP Certificate to Windows Devices Intune Create SCEP Certificate Profiles in Endpoint Manager Deploy SCEP profiles to Windows 10 Devices
Intune Create SCEP Certificate Profiles in Endpoint Manager Deploy SCEP profiles to Windows 10 Devices

Intune Create SCEP Certificate Profiles in Endpoint Manager Deploy SCEP profiles to Windows 10 Devices. Following are the high-level tasks for deploying SCEP Certificate to Windows10 Devices via Intune:-

Create and Deploy iOS Root CA certificate using Intune Azure Portal
Create and Deploy iOS Intermediate/Issuing CA Certificate using Intune Azure Portal
Create and Deploy SCEP Certificate to iOS Devices using Intune Azure Portal

Create and Deploy Windows 10 Root CA, Windows 10 Intermediate/Issuing CA Certificate Profiles

As the first step, we need to create a Root CA cert profile. To create a Root CA cert, navigate through Microsoft Intune – Device Configuration – Profiles – Create profile. Select the platform as Windows 10 and profile type as Trusted Certificate. You need to browse and upload your ROOT CA cert (Name of the cert = ACN-Enterprise-Root-CA.CER)from your CA server.

In Windows 10 Trusted certificate profile, we need to select a destination store. For the root cert profile, we need to select Computer Certificate store -root. Once settings are saved, you need to deploy the root cert profile to the required Windows 10 devices.

SCEP Profile to Windows10 Devices Intune Create SCEP Certificate Profiles in Endpoint Manager Deploy SCEP profiles to Windows 10 Devices
Intune Create SCEP Certificate Profiles in Endpoint Manager Deploy SCEP profiles to Windows 10 Devices

We need to follow the same process for Intermediate/Issuing CA certificate profile deployment via Intune. Make sure that you are uploading issuing CA cert (Name of cert = ACN-Issuing-CA-PR1.CER) from your CA server.

Another point we need to take care of is the destination store. We need to select the destination store as Computer Certificate Store – Intermediate. Click OK – Create to finish the creation of Issuing cert profile.

Deploy Windows 10 Root CA and Intermediate/Issuing CA Certificate Profiles to the same group of Windows 10 devices. We can use either AAD User or Device group to deploy these profiles. However, I would prefer to use AAD dynamic device groups wherever possible.

Create and Deploy Windows 10 SCEP profile via Intune – Intune Create SCEP Certificate Profiles

To create and deploy a SCEP profile to Windows 10 devices, navigate through Microsoft Intune – Device Configuration – Profiles – “Create profile“. Select the platform as Windows 10 and profile type as SCEP Certificate.

There is some specific setting you need to put in when you create a SCEP profile for Windows 10 device. Loads of these configurations can differ as per the CA server setup and another on-prem component setup.

SCEP Profile to Windows10 Devices Intune Create SCEP Certificate Profiles in Endpoint Manager Deploy SCEP profiles to Windows 10 Devices
Intune Create SCEP Certificate Profiles in Endpoint Manager Deploy SCEP profiles to Windows 10 Devices

The certificate validity period is 1 year, which is the standard in the industry. There are four options for Key storage provider (KSP), and those are Enrol to trusted platform Module(TPM) KSP if present Software KSP, Enrol to Trusted platform module(TPM), otherwise fail, Enrol to passport, otherwise fail and Enrol to Software KSP.

In this scenario, I have selected Enrol to trusted platform Module(TPM) KSP if present Software KSP. We need to select the subject name format value depending on your organizational requirement. In this scenario, I selected a common name as email. Subject alternative name as UPN. Key usage is a digital signature and key encipherment. The key Size value is 2048. Hash algorithm value (SHA-2) should be the latest one if your CA supports the same.

Another important point is to link the SCEP profile with the ROOT cert profile you already created. If you have not created any ROOT cert and intermediate/issuing CA cert profiles in Intune, it won’t allow you to create a SCEP profile. Extended key usage is another setting, and it should automatically get populated. One example here is “Client Authentication – 1.3.6.1.5.5.7.4.3.”

SCEP Profile to Windows10 Devices Intune Create SCEP Certificate Profiles in Endpoint Manager Deploy SCEP profiles to Windows 10 Devices
Intune Create SCEP Certificate Profiles in Endpoint Manager Deploy SCEP profiles to Windows 10 Devices

The last set of settings for Windows 10 SCEP profiles in Intune is Enrollment Settings. I would recommend keeping the renewal threshold of certificates as the default value of 20%. SCEP server URLs (e.g., https://acnndes-sccz.msappproxy.net/certsrv/mscep/mscep.dll) are very important. These are the URL/s to which Windows 10 devices will go and request SCEP certs.

So, this should be reachable from the internet. As I mentioned above, you can use Azure AD app proxy URLs here. In this scenario, I will use Azure AD app proxy settings.

SCEP profile cert will be deployed to users’ stores in the following format “ACN-Issuing-CA-PR5“.

End-User Windows 10 Certificate Store Experience – Intune Create SCEP Certificate Profiles

SCEP profile will be deployed to Current User\Personal\Certificates = “ACN-Issuing-CA-PR5”

Root and Intermediate CA cert will be deployed to Local Computer\Intermediate Certification Authorities\Certificates = ACN-Enterprise-Root-CA.CER and ACN-Issuing-CA-PR1.CER

Intune Create SCEP Certificate Profiles in Endpoint Manager Deploy SCEP profiles to Windows 10 Devices
Intune Create SCEP Certificate Profiles in Endpoint Manager Deploy SCEP profiles to Windows 10 Devices

Resources

  • Configure and manage SCEP certificates with Intune – New Azure Portal – here
  • How to configure certificates in Microsoft Intune – New Azure Portal – here
  • How to Protect NDES with Azure AD Application Proxy – here

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

Intune Create SCEP Certificate Profiles Deploy SCEP profiles to iOS Devices using Endpoint Manager

Intune Create SCEP Certificate Profiles Deploy SCEP profiles to iOS Devices using Endpoint Manager? We need to take care of some prerequisites before creating SCEP Certificate in Intune. You need to have on-prem infrastructure components available before creating SCEP Certificates in Intune.

NDES connector is supposed to be installed on your Data Center, and the NDES connector should be able to talk to the CA server and Azure AD App proxy connector if you are using the Azure app proxy. Related post – Intune SCEP HTTP Errors Troubleshooting Made Easy With Joy – #5 (anoopcnair.com).

I’m not going to cover the setup of NDEs and Azure AD App proxy connectors. Those two configurations are complex and well explained in loads of other blogs. This post will cover how to create and deploy a SCEP Profile to iOS Devices via Intune blade in the Azure portal.

All these configurations are explained in the video above or you can watch it here

Introduction – Intune Create SCEP Certificate Profiles Deploy SCEP profiles to iOS Devices

Deployment of SCEP Certificate to iOS devices will help connect to corporate Wi-Fi and VPN profiles etc… Before creating iOS SCEP Certificate in Intune, you need to create and deploy a certificate chain. The certificate chain includes the Root CA certificate and the Intermediate/Issuing CA certificate.

There are 3 certificate profiles available in Intune, and those are TRUSTED Certificate, SCEP Certificate, and PKCS certificate. We are not going to use the PKCS certificate for SCEP profile deployment. Following are the high-level tasks list for deploying SCEP Profile to iOS Devices (Deploy SCEP profiles to iOS Devices):-

  1. Create and Deploy iOS Root CA certificate using Intune Azure Portal
  2. Or Create and Deploy an iOS Intermediate CA certificate using Intune Azure Portal
  3. Create and Deploy SCEP Certificate to iOS Devices using Intune Azure Portal
Intune Create SCEP Certificate Profiles Deploy SCEP profiles to iOS Devices using Endpoint Manager
Intune – Create – Deploy SCEP Certificate to iOS Devices – Intune Create SCEP Certificate Profiles Deploy SCEP profiles to iOS Devices using Endpoint Manager

Create and Deploy iOS Root CA, iOS Intermediate/Issuing CA Certificate Profiles

As the first step, we need to create a Root CA cert profile. To create Root CA cert, navigate through Microsoft Intune – Device Configuration – Profiles – Create profile (Deploy SCEP profiles to iOS Devices). Select the platform like iOS and profile type as Trusted Certificate. You need to browse and upload your ROOT CA cert (Name of the cert = ACN-Enterprise-Root-CA.CER) from your CA server.

Once settings are saved, you need to deploy the root cert profile to the required iOS devices. The same process needs to follow for Intermediate/Issuing CA certificate profile deployment via Intune. Intune Create SCEP Certificate Profiles Deploy SCEP profiles to iOS Devices using Endpoint Manager?

Make sure that you are uploading issuing CA cert (Name of cert = ACN-Issuing-CA-PR1.CER) from your CA server. All these configurations are explained in the video above or you can watch them here.

Create and Deploy iOS SCEP Certificate Profile for iOS Devices

To create a SCEP certificate profile, navigate Microsoft Intune – Device Configuration – Profiles – Create a profile. While creating iOS SCEP Certificate, we need to select Profile type as “SCEP certificate” and platform as iOS.

The next step is configuring the settings, these settings are very important, and we need to consult with your CA team when you create a SCEP Certificate. Loads of these configurations can differ as per the CA server setup and another on-prem component setup (Deploy SCEP profiles to iOS Devices).

The certificate validity period is 1 year, which is the standard in the industry. The subject name format is also depending on your organization’s preference. In this scenario, I selected a common name as email. Subject alternative name as UPN. Key usage is a digital signature and key decipherment. The key Size is 2048.

Another important point is to link the SCEP Certificate with the ROOT cert profile you already created. If you have not created any ROOT cert in Intune, it won’t allow you to create a SCEP Certificate. Extended key usage is another setting, and it should automatically get populated.

One example here is Client Authentication – 1.3.6.1.5.5.7.4.3. Intune Create SCEP Certificate Profiles Deploy SCEP profiles to iOS Devices using Endpoint Manager?

Intune Create SCEP Certificate Profiles Deploy SCEP profiles to iOS Devices using Endpoint Manager
Intune Create SCEP Certificate Profiles Deploy SCEP profiles to iOS Devices using Endpoint Manager

The last set of settings for iOS SCEP profiles in Intune is Enrollment Settings. I would recommend keeping the renewal threshold of certificates as the default value of 20%. SCEP server URLs are very important. These are the URLs to which iOS devices will go and request SCEP certs.

So, this should be reachable from the internet. As I mentioned above, you can use Azure AD App proxy URLs here (e.g., https://acnndes-sccz.msappproxy.net/certsrv/mscep/mscep.dll ). In this scenario, I will use Azure AD App proxy settings. All these configuration details are explained in the video here.

SCEP certificate will be in the following format “ACN-Issuing-CA-PR5“.

Resources

  • Configure and manage SCEP certificates with Intune – New Azure Portal – here
  • How to configure certificates in Microsoft Intune – New Azure Portal – here
  • How to Protect NDES with Azure AD Application Proxy – here

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

Learn How to Create Deploy Security Policies for Android Devices using Endpoint Manager Intune

Learn How to Create Deploy Security Policies for Android Devices using Endpoint Manager Intune? Android for Work Device Restriction Policies Deployment is nothing but the Security Policy for Android Devices. The security policies are important to secure the corporate data and applications in those devices.

In this post, we will how to create and deploy Security Policy for Android Devices via Intune blade in the Azure portal. Intune compliance policies are another set of policies that we need to set up for Android devices’ security.

I have a post about setting up compliance policies for Android devices “How to Plan and Design Intune Compliance Policy for Android Devices“. Latest post – How To Configure Intune Enrollment Setup For Android Enterprise Device Management – HTMD Blog #2 (howtomanagedevices.com).

How to Create Security Policy for Android Devices

You can create Intune device restriction policy for Android for Work from Microsoft Intune – Device Configuration – Profiles – Create New Profile. I selected Android for Work as the platform and the Selection of the platform is very important.

Also, you need to select the profile type while creating Intune Configuration Restriction policy, in my scenario, it’s the Device restriction policy. The name of the policy is Android Restriction policy as you can see in the video.

Security Policy for Android devices Learn How to Create Deploy Security Policies for Android Devices using Endpoint Manager Intune
Learn How to Create Deploy Security Policies for Android Devices using Endpoint Manager Intune

There are two categories to configure device restriction settings for Android for Work devices. Work profile settings and Device password are the two settings available. Again, I won’t suggest setting up a device password policy as part of the configuration policy when you have a compliance policy setting for the Device password.

Data sharing between work and personal profiles settings specify whether apps in the work profile can share data with apps in the personal profile. Microsoft Intune recommended value for this setting is to prevent any sharing across the boundaries.

We can block the Work profile notifications while the device is in a locked state. Default app permission is another Android for the Work security setting. I don’t recommend configuring the password settings as part of Intune configuration policies rather password settings should be part of compliance policies for Android for Work devices.

Learn How to Create Deploy Security Policies for Android Devices using Endpoint Manager Intune
Learn How to Create Deploy Security Policies for Android Devices using Endpoint Manager Intune

Deploy Security Policy for Android Devices

Deploying the Android for Work device restriction policy is straightforward. But it’s important to take care of some of the points before deploying Security Policy for Android devices. Click on assignment after settings up the policy and select the AAD User/Device group.

Click on the Save button and you are done. The best-recommended way is to assign policies to the Azure AD dynamic device group for Android devices. However, the AAD device groups are still in preview; we may better off using user groups for deploying device restriction policies to Android Devices.

One thing to remember is that you can’t apply Android device platform policies to Android for Work devices. You should rather use Android for Work device platform policies for A4W. Another useful option while deploying device restriction policies in Intune is EXCLUDE option.

This is very useful when you want to exclude some of the devices or users from these particular security policies. Learn How to Create Deploy Security Policies for Android Devices using Endpoint Manager Intune?

Learn How to Create Deploy Security Policies for Android Devices using Endpoint Manager Intune
Learn How to Create Deploy Security Policies for Android Devices using Endpoint Manager Intune

User Experience of Security Policy for Android devices

The user experience of Android for Work devices can vary depending upon the manufacturers of the devices. As I mentioned in the previous post here, Samsung and Nexus are the best-experienced devices that I tested till now.

But I would admit the user experience of Android for Work is far better than Android devices! As Android devices have different variants, it’s better to make sure all the Security Policy for Android devices experience is nice for all the manufacturers. Learn How to Create Deploy Security Policies for Android Devices using Endpoint Manager Intune?

Learn How to Create Deploy Security Policies for Android Devices using Endpoint Manager Intune

Resources

Intune SCEP HTTP Errors Troubleshooting Made Easy With Joy – #5 (anoopcnair.com)

How To Configure Intune Enrollment Setup For Android Enterprise Device Management – HTMD Blog #2 (howtomanagedevices.com)

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

Intune Create Device Restriction Policy Profiles Deploy Security Policies to Windows 10 Devices Endpoint Manager

Intune Create Device Restriction Policy Profiles Deploy Security Policies to Windows 10 Devices Endpoint Manager? Intune configuration restriction policies are very important in modern device management strategy. Intune device restriction policy is the security settings applied on your Windows 10 CYOD device.

As part of your organization’s security policies, you may need to lock down mobile devices or Windows devices that have access to corporate data and app. yes, Intune configuration restriction policies help you lock down Windows devices as per your organization’s security requirements.

Related post Intune SCEP HTTP Errors Troubleshooting Made Easy With Joy – #5 (anoopcnair.com)

Create Intune Device Restriction Policy for Windows 10 Devices

You can create Intune device restriction policy for Windows 10 from Microsoft Intune – Device Configuration – Profiles – Create New Profile. I selected Windows 10 as the platform, and the Selection of the platform is very important.

Also, it would be best if you had to select the profile type while creating Intune Configuration Restriction policy. In my scenario, it’s the Device restriction policy. The name of the policy is “Windows 10 CYOD Restrictions“. Intune Create Device Restriction Policy Profiles Deploy Security Policies to Windows 10 Devices Endpoint Manager?

Intune Create Device Restriction Policy Profiles Deploy Security Policies to Windows 10 Devices Endpoint Manager
Intune Create Device Restriction Policy Profiles Deploy Security Policies to Windows 10 Devices Endpoint Manager

Windows platform Intune device restriction policy out of box Settings is segregated into 16 sections, as you can see below. This list is very comprehensive, and we can lock down Windows 10 machines as per the requirement.

Is this Intune device restriction policy a replacement for group policies? No, it’s still not a replacement for AD group policies. Intune Create Device Restriction Policy Profiles Deploy Security Policies to Windows 10 Devices Endpoint Manager?

  1. General
  2. Password
  3. Personalization
  4. Locked screen experience
  5. App Store
  6. Edge Browser
  7. Search
  8. Cloud and Storage
  9. Cellular and Connectivity
  10. Control Panel and Settings
  11. Defender
  12. Defender Exclusions
  13. Network proxy
  14. Windows Spotlight
  15. Display
  16. Start

Deploy Windows 10 Intune Device Restriction Policy

You can deploy Windows 10 Intune Device Restriction Policy to either Windows 10 CYOD dynamic devices or Windows 10 users group. Intune Create Device Restriction Policy Profiles Deploy Security Policies to Windows 10 Devices Endpoint Manager?

Dynamic device groups are still in preview, and those typos of groups are not stable at times. So at least for the next two months, I will prefer to deploy policies to user groups rather than dynamic device groups.

Windows 10 End-user experience of Intune Device Restriction Policy

As you can see in the video tutorial at the top of this post or here, I’ve enabled the time settings to disable the option as part of the initial Windows 10 device restriction policy. The end-user logged to Windows 10 machine can’t change the time on the system.

After that, I changed the windows time setting policy again, and after applying the new policy, the user can change the time on Windows 10 system.

Intune Create Device Restriction Policy Profiles Deploy Security Policies to Windows 10 Devices Endpoint Manager
Intune Create Device Restriction Policy Profiles Deploy Security Policies to Windows 10 Devices Endpoint Manager

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…