Intune Android Device Support for Google Android for Work Enrollment | Microsoft Endpoint Manager

Intune Android Device Support for Google Android for Work Enrollment | Microsoft Endpoint Manager? Google publishes a list of devices supported by its Android for Work program. The question is whether Google’s list contains all the devices that are actually supported.

I don’t think the list is exhaustive or lists all the supported devices.

I have tested 2 devices that are NOT listed as Android for Work supported devices. Surprisingly, both devices can enroll in Intune via the Android for Work program. More details are covered in the above video.

How To Configure Intune Enrollment Setup For Android Enterprise Device Management – HTMD Blog #2 (howtomanagedevices.com)

Video tutorials for Android for Work management via Intune

I tried Samsung Galaxy J7 and LetV Android devices. These devices are not very costly; each costs less than 150 USD. It’s always a challenge for organizations to find cost-effective, affordable Android for Work devices from Google’s new list here.

After testing two very basic Android devices, I found that we need to perform trial and error to understand whether low-cost Android devices support Android for Work or not.


Android – Intune Android Device Support for Google Android for Work Enrollment

Google recently did some rebranding, and the name Android for Work has changed to just “Android” management. Google announced that it is simplifying the names of Android for Work and Play for Work, calling them simply Android and Google Play.

There are 3 categories of Android devices as per Google. Samsung S7 and LetV devices are not covered in the new list either.

  1. Enterprise Devices – Premium productivity devices
  2. Affordable work devices – Cost-effective devices ready for work
  3. Featured devices

I was able to enroll low-cost (cheap) Android devices with Android for Work. Intune was able to manage Samsung S7 and LetV devices with the Google Work profile. Both of these devices are on Android version 6.

Conclusion – Intune Android Device Support for Google Android for Work Enrollment

Android for Work is supported on devices that are not listed in the Google portal. My recommendation would be to perform thorough testing before approving Android for Work-supported devices within your organization. It’s always better to maintain a recommended list of “Android for Work” supported devices within your organization.

I hope Google will remove support for plain Android management, so that the only allowed way of managing Android devices will be “Android for Work.” Also, we need to remember that Android for Work support is available only in specific countries or regions. For example, in China, we don’t have any support for Android for Work.

Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

How to Resolve Intune Android for Work Configuration Refresh Error | Microsoft Endpoint Manager Fix

How to Resolve Intune Android for Work Configuration Refresh Error | Microsoft Endpoint Manager Fix? Android for Work configuration is very straightforward in most scenarios.

I have configured “Android for Work” for several tenants without any issue. Recently, I faced an issue while configuring this in the Intune Silverlight console.

When I click the Configure button to “add Android for Work Binding” on the “Android for Work Mobile Device Management Setup” page in the Intune Silverlight console, it initiates the process, but Intune is not able to launch the Android for Work binding wizard (webpage).

We will see how to resolve this issue in this post, and I explain the same in the above video.

How To Configure Intune Enrollment Setup For Android Enterprise Device Management – HTMD Blog #2 (howtomanagedevices.com)

Introduction – Intune Android for Work Configuration

I have already posted about Android for Work configuration and setup in a different post here (How to Enroll Android for Work Supported Devices into Intune). This post and video tutorial will give you the step-by-step process to enable Android for Work management.

As I explained in the first paragraph, the Intune console was not able to complete the Android for Work binding. When I checked the Intune console, there was a console page loading error: “Microsoft Intune was not able to retrieve all data. REFRESH.”

How to Resolve Intune Android for Work Configuration Refresh Error | Microsoft Endpoint Manager Fix

I tried clicking the Refresh button a couple of times to check my luck, but nothing worked. There was another button on the Intune Silverlight page, and that was Save Error Log.

I clicked on the button, and it asked me to save a text log file for this “unable to retrieve all data” error from the Intune console. I opened the text file, which contains the details of the error and possibly the root cause of this issue as well.

How to Resolve Intune Android for Work Configuration Refresh Error | Microsoft Endpoint Manager Fix

As per the Intune Save Error Log file, the Intune Silverlight error occurred while retrieving the JWT token, and the error log suggests we check whether the current user has an Intune license and try again. Following is a snippet of the log file:

2017-03-31 05:37:56Z Silverlight Error:
Error occurred while retrieving JWT token, check that current user has an Intune license and try again.
ParameterType: Unknown
OperationType: Unknown
Current URL: https://admin.manage.microsoft.com/MicrosoftIntune/Home?accountid=a8f58f04-e279-44ff-95b9-5e81532915e6#Workspace/administration/index%23?P=//administration/MobileAndroidManagement/&A=%7BGID=23363773-6797-4c777-b3c2-01b06e207b74%7D&S=7sh74c9-7bf5-45ac-9fbb-67369263b9
Console Version: 5.0.17411.0
Service address: https://msua02.manage.microsoft.com/
Last 50 Log Entries:
00CCE 03/31/2017 05:37:37 429 Z MainThread 0001    Page instantiated successfully

Resolution  

I added an Intune/EMS license to the Intune Administrator from the new Azure Active Directory portal. It might not work straight away after assigning the license. You may need to wait 3-4 minutes before trying to configure “Android for Work.” I would recommend logging off and logging back in to the Intune Silverlight console before configuring “Android for Work.”
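The Save Error Log file above is the only evidence the console gives you, so it is worth parsing it rather than eyeballing it. The following Python is an added example and not code from the post or from Microsoft: it splits a log in the shape quoted above into its header, key/value fields and “Last 50 Log Entries” rows, recognises the JWT/license failure, and then checks a Microsoft Graph licenseDetails response for the Intune service plan (the plan name INTUNE_A and the response shape are assumptions based on what Graph returns for EMS/Intune SKUs; the sample log, the placeholder account id and the second log row are constructed, not taken from a real tenant).

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample shaped like the Intune Silverlight "Save Error Log" file
# quoted in the post. The account id in the URL is a placeholder, and the
# second "Last 50 Log Entries" row is made up so the parser has two rows to keep.
SAMPLE_ERROR_LOG = """2017-03-31 05:37:56Z Silverlight Error:
Error occurred while retrieving JWT token, check that current user has an Intune license and try again.
ParameterType: Unknown
OperationType: Unknown
Current URL: https://admin.manage.microsoft.com/MicrosoftIntune/Home?accountid=00000000-0000-0000-0000-000000000000
Console Version: 5.0.17411.0
Service address: https://msua02.manage.microsoft.com/
Last 50 Log Entries:
00CCE 03/31/2017 05:37:37 429 Z MainThread 0001    Page instantiated successfully
00CCF 03/31/2017 05:37:41 003 Z MainThread 0001    Requesting JWT token for console session
"""

# Assumption: the service plan Graph reports for an Intune license inside an EMS/Intune SKU.
INTUNE_PLAN = "INTUNE_A"

HEADER_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}Z) Silverlight Error:$")
LICENSE_ERROR_RE = re.compile(r"retrieving JWT token", re.IGNORECASE)


@dataclass
class SilverlightError:
    timestamp: str
    message: str
    fields: dict = field(default_factory=dict)   # ParameterType, Console Version, ...
    entries: list = field(default_factory=list)  # rows under "Last 50 Log Entries"


def parse_error_log(text: str) -> SilverlightError:
    """Split the saved error log into header, key/value fields and log rows."""
    lines = text.strip().splitlines()
    match = HEADER_RE.match(lines[0])
    if not match:
        raise ValueError("not a Silverlight error log")
    err = SilverlightError(timestamp=match.group("ts"), message=lines[1].strip())
    in_entries = False
    for line in lines[2:]:
        if in_entries:
            err.entries.append(line.rstrip())
        elif line.startswith("Last 50 Log Entries:"):
            in_entries = True
        else:
            key, _, value = line.partition(":")  # split at the first colon only, URLs keep theirs
            err.fields[key.strip()] = value.strip()
    return err


def is_license_error(err: SilverlightError) -> bool:
    """True when the console failed at the JWT/license step described in the post."""
    return LICENSE_ERROR_RE.search(err.message) is not None


def intune_plan_status(license_details: list) -> Optional[str]:
    """provisioningStatus of the Intune service plan, or None if no assigned SKU carries it."""
    for sku in license_details:
        for plan in sku.get("servicePlans", []):
            if plan.get("servicePlanName") == INTUNE_PLAN:
                return plan.get("provisioningStatus")
    return None


def triage(err: SilverlightError, license_details: list) -> str:
    """Map the saved log plus the admin's license details to the next action."""
    if not is_license_error(err):
        return "not a licensing failure; inspect the log entries"
    status = intune_plan_status(license_details)
    if status is None:
        return "assign an Intune/EMS license to the admin, wait a few minutes, then sign out and back in"
    if status != "Success":
        return f"Intune plan is '{status}'; wait for provisioning to finish"
    return "license present; re-check the signed-in account and the service address"


# Constructed licenseDetails responses: an unlicensed admin and an EMS-licensed one.
UNLICENSED_ADMIN: list = []
LICENSED_ADMIN = [{
    "skuPartNumber": "EMSPREMIUM",
    "servicePlans": [
        {"servicePlanName": "AAD_PREMIUM", "provisioningStatus": "Success"},
        {"servicePlanName": INTUNE_PLAN, "provisioningStatus": "Success"},
    ],
}]

if __name__ == "__main__":
    error = parse_error_log(SAMPLE_ERROR_LOG)
    print(error.timestamp, "-", error.message)
    print("console:", error.fields["Console Version"], "service:", error.fields["Service address"])
    print("before fix:", triage(error, UNLICENSED_ADMIN))
    print("after fix: ", triage(error, LICENSED_ADMIN))
```

In a real tenant the licenseDetails list would come from GET /users/{id}/licenseDetails on Microsoft Graph; the triage deliberately distinguishes “no Intune plan at all” from “plan assigned but still provisioning”, which is the 3-4 minute window the post mentions.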

How to Resolve Intune Android for Work Configuration Refresh Error | Microsoft Endpoint Manager Fix


Intune App Protection Policies for Android iOS Devices

Let’s check how to enable Intune App Protection Policies for Android and iOS devices. You can get more details and the end-user experience from the video given below. A newer post on MAM policies is also available: Step by Step procedure to create App Protection policies for iOS/iPadOS in Intune.

How to Enable Intune MAM without Enrollment and Azure AD Conditional Access | Endpoint Manager? Microsoft Intune supports MAM without enrollment (MAM WE) and Conditional Access policies for Android devices. There are two types of management options for Android devices with Intune.

The first is the traditional MDM management, and the second is light management of the apps installed on Android devices via Intune. The previous post discussed the Android MDM management options and end-user experience.

Video – End-user experience of Android Device MAM WE

Please check the video link

Intune App Protection Policies

Mobile Application Management (MAM) Without Enrollment (WE) is a lightweight management option for Android devices. This option has some advantages over full MDM management.

For example, if a consultant’s device is already enrolled in a 3rd-party EMM solution, but he wants access to the client’s corporate mail on his mobile device for a very short period, then “MAM WE” is the best option for that consultant. With MAM WE, Intune and Azure AD will ensure that corporate mail and other MAM-enabled applications are protected with MAM policies.

Intune – Mobile Apps – Apps – Skype for Business – Properties: In the following example, you can see that the Skype for Business application for Android has been deployed with the deployment type “Available with or without enrollment.” The “without enrollment” deployment type is for MAM WE management.

How to Enable Intune MAM without Enrollment along with Intune App Protection Policies How to Enable Intune MAM without Enrollment along with Azure AD Conditional Access | Endpoint Manager

Intune “MAM WE” comes with a separate set of Conditional Access policies. This conditional access policy is different from the MDM conditional access policy, so you need to take a little extra care when you deploy both CA policies to the same user groups. I would avoid using the same user group for both policies, or you could use the exclude groups option.

Whenever possible, I would avoid deploying the MDM CA policy to user groups; rather, I would deploy the MDM CA policy to device groups. Otherwise, we would need a separate MDM CA user group and a MAM WE CA user group with unique users in each, which will be tricky.
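The overlap problem above is easy to reason about as set arithmetic: a policy’s effective audience is the members of its include groups minus the members of its exclude groups, and trouble starts when the MDM and MAM WE policies have a non-empty intersection. The following Python is an added example, not code from the post or from Microsoft; it uses a simplified model of a Conditional Access assignment (Graph stores this as conditions.users.includeGroups / excludeGroups with group ids, and the group names, user names and policy names here are constructed) to show the clash and the exclude-group fix the post recommends.

```python
from dataclasses import dataclass

# Simplified model of an Azure AD Conditional Access policy's user assignment.
# Graph exposes includeGroups/excludeGroups as group object ids; display names are
# used here for readability. Every name below is constructed for the example.


@dataclass(frozen=True)
class CaPolicy:
    name: str
    include_groups: frozenset
    exclude_groups: frozenset = frozenset()


def effective_users(policy: CaPolicy, membership: dict) -> set:
    """Users the policy actually applies to: included members minus excluded members."""
    included = set().union(*(membership.get(g, set()) for g in policy.include_groups))
    excluded = set().union(*(membership.get(g, set()) for g in policy.exclude_groups))
    return included - excluded


def double_targeted(mdm_policy: CaPolicy, mam_policy: CaPolicy, membership: dict) -> set:
    """Users who would receive both the MDM and the MAM WE Conditional Access policy."""
    return effective_users(mdm_policy, membership) & effective_users(mam_policy, membership)


def assignment_report(mdm_policy: CaPolicy, mam_policy: CaPolicy, membership: dict) -> str:
    """One-line verdict suitable for a pre-deployment check."""
    clash = double_targeted(mdm_policy, mam_policy, membership)
    if not clash:
        return f"OK: no user is in both '{mdm_policy.name}' and '{mam_policy.name}'"
    return (f"WARNING: {sorted(clash)} get both policies; "
            f"exclude the MDM group from '{mam_policy.name}' or split the groups")


# Constructed group memberships: bob is both an MDM user and a MAM WE user.
MEMBERSHIP = {
    "SG-Intune-MDM-Users": {"alice", "bob"},
    "SG-Intune-MAM-WE-Users": {"bob", "carol"},
}

MDM_CA = CaPolicy("CA-MDM-Require-Compliant-Device", frozenset({"SG-Intune-MDM-Users"}))

# As first deployed: the MAM WE policy targets its own group with no exclusions.
MAM_WE_CA_NAIVE = CaPolicy("CA-MAM-WE-Require-Approved-App",
                           frozenset({"SG-Intune-MAM-WE-Users"}))

# The fix the post suggests: keep the groups, but exclude the MDM group from the MAM WE policy.
MAM_WE_CA_FIXED = CaPolicy("CA-MAM-WE-Require-Approved-App",
                           frozenset({"SG-Intune-MAM-WE-Users"}),
                           exclude_groups=frozenset({"SG-Intune-MDM-Users"}))

if __name__ == "__main__":
    print(assignment_report(MDM_CA, MAM_WE_CA_NAIVE, MEMBERSHIP))
    print(assignment_report(MDM_CA, MAM_WE_CA_FIXED, MEMBERSHIP))
```

The same check extends naturally to more than two policies: compute the effective set for each and report any pair whose intersection is non-empty, which is the audit you want before turning a new CA policy from report-only to enforced.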

How to Enable Intune MAM without Enrollment along with Azure AD Conditional Access | Endpoint Manager

Each MAM-enabled application comes with application protection policies (MAM app protection). We need to deploy these app protection policies to MAM WE user groups. Remember, these (MAM WE) policies can’t be deployed to device groups.

With an app protection policy, you get options to restrict corporate data relocation and to enforce app data encryption. It’s very important that you create app protection policies and deploy them to MAM WE user groups.

Intune App Protection Policies -How to Enable Intune MAM without Enrollment along with Azure AD Conditional Access | Endpoint Manager

End-User Experience – How to Enable Intune MAM without Enrollment

The video here will show you the real-time end-user experience of Intune MAM WE.


How to Get Intune Environment Ready for iOS Mac OS Devices Microsoft Endpoint Manager

How to Get Intune Environment Ready for iOS Mac OS Devices Microsoft Endpoint Manager? The first requirement for iOS and MAC OS device enrollment is the Apple MDM push certificate setup. You need to download a unique certificate signing request (CSR) from the Intune tenant and upload it to the Apple portal.

Once it is uploaded successfully, you get an option to download the Apple MDM push certificate from the Apple portal. The MDM push certificate has to be uploaded to the Intune portal so that you can enroll iOS and MAC OS devices via Intune. This process is explained in the above video.

I assumed that the Intune MDM authority setting had already been completed before setting up the Apple MDM push certificate and configuring enrollment restriction policies.

Latest Post How to Configure Intune Enrollment Setup for iOS macOS Devices

Video about the setting up iOS/MAC OS MDM management via Intune

Please check the video link here.

Once the Apple MDM push certificate setup has been completed, we can proceed with the following configurations related to iOS and macOS management. As the next step, I would configure the Enrollment Restriction rules for iOS devices.

Suppose your organization has decided not to allow (block) personal iOS devices from enrolling into Intune. In that case, you need to set up an enrollment restriction type based on the platform configurations. I have a detailed post about restricting personal iOS devices here.

How to Get Intune Environment Ready for iOS Mac OS Devices Microsoft Endpoint Manager

The next step is to set up Conditional Access policies for iOS devices (while we are still waiting for a Mac OS Conditional Access policy). I would recommend doing this at the time of the initial setup of Intune. As you can see in the following screen capture, you have a couple of options.

Either you can select individual supported platforms for the Conditional Access policy, or you can select “All platforms (including unsupported).” My recommendation is to use the latter, “All platforms (including unsupported).”

How to Get Intune Environment Ready for iOS Mac OS Devices Microsoft Endpoint Manager

Azure AD Conditional Access policies can be deployed either combined with compliance policies or without them. I would recommend deploying Conditional Access policies together with compliance policies. So, the next step is to set up compliance policies for iOS devices. Are you wondering why there is no encryption option in the compliance policy for iOS devices?

If so, the reason is that there is no need for an encryption policy on iOS devices: those devices are encrypted once a passcode has been enforced on them.

How to Get Intune Environment Ready for iOS Mac OS Devices Microsoft Endpoint Manager

After the compliance policy settings, it’s time to set up configuration policies for iOS and MAC OS devices. Intune configuration policies are there to deploy security settings to the devices. These policies can also be used to enable or disable device features.

Details about the different types of Intune configuration profiles are discussed in my previous video blog post here. Device restriction policies are nothing but security configuration policies in the Intune Azure portal.

How to Get Intune Environment Ready for iOS Mac OS Devices Microsoft Endpoint Manager 5

Conclusion – How to Get Intune Environment Ready for iOS Mac OS

The above-mentioned policies are the very basic policies you want to configure if your organization has decided to manage iOS and MAC OS devices via Intune. There are loads of advanced MDM policy management options available with Microsoft Intune.

You can also create custom configuration policies for iOS devices if some of your security requirements are not available out of the box with Intune configuration policies. Apart from that, you can deploy Wi-Fi profiles, VPN profiles, and certificates to iOS devices using Intune MDM.

Another option with Intune MAM WE (without enrollment) is to manage corporate applications via MAM policies and MAM WE Conditional Access policies.

In this scenario, your users don’t need to enroll in Intune MDM management. So, this is another decision point for each organization: whether to use MAM WE or the MDM channel for iOS management.


Bangalore IT Pro Full Day User Group Event on Intune and SCCM Configuration Manager Endpoint Manager

Bangalore IT Pro Full Day User Group Event on Intune and SCCM Configuration Manager Endpoint Manager? We had a free, full-day Bangalore IT Pro User Group event on 18th March 2017. This was a free event conducted by the BLR IT Pro group. In this event, we covered Intune’s new Azure portal features.

We also covered the newest additions in SCCM/ConfigMgr CB 1702 TP. 90% of the sessions were covered with demos, and attendees had some hands-on experience with Android for Work devices. I have created a quick video of some lively moments of the event here.

Introduction


  • Join the SCCM/ConfigMgr Professional Group to get updates about future events – here
  • Follow the Facebook page to get notified about similar events – here

I had a great experience interacting and sharing knowledge with more than 40 attendees. Most of them are SCCM admins planning to move to the Intune world. Some of them already have great experience with Intune iOS management, application wrapping, the Apple DEP program, etc. Others are AirWatch admins, so they had a good new experience with Intune features.

Bangalore IT Pro Full Day User Group Event on Intune and SCCM Configuration Manager Endpoint Manager

Topics

Following are the topics I covered in the full-day free event. You can get the presentation link below.

  • What is Modern Device Management?
  • Basic Understanding of Intune
  • Azure Active Directory (AAD) Overview
  • Create AAD Dynamic Device/User Groups
  • Intune Silverlight Portal Overview
  • Intune Azure Portal Overview
  • What is Conditional Access?
  • Configure Conditional Access
  • Configure Compliance and Configuration Policies
  • Table – Compliance Policies – Remediated/Quarantined
  • Windows 10 Modern Device Management
  • iOS/MAC OS Management
  • Android for Work Management
  • Troubleshooting
  • SCCM CB 1702 TP New Features

You can download the presentation to get the reference links from the PowerPoint notes!

https://www.slideshare.net/slideshow/embed_code/key/4t1BmahfsEu3Tc

Bangalore IT Pro Full Day Event on Intune and SCCM from Anoop Nair


How to Restrict Personal Android Devices from Enrolling into Intune | Endpoint Manager | MEM

How to Restrict Personal Android Devices from Enrolling into Intune | Endpoint Manager | MEM? Are you still waiting for the migration from Intune Silverlight to the Azure portal? I would recommend watching the following video post here to get an overview of the new Intune blade in the MEM portal.

We can have more granular restrictions for MDM enrollments in the new Intune portal. It’s amazing to see new features in the MEM Intune portal. One month ago, I blogged about restricting personal iOS devices from enrolling in Intune via enrollment restriction rules here.

More detailed explanation in the video tutorial

Please go through the video here.

Personal iOS devices can be restricted from enrolling in Intune MDM. However, there was no option to restrict personal Android devices from enrolling into Intune MDM. The Intune team has now lit up the feature to restrict personal Android devices from enrolling into Intune.

This was one of the features I was waiting to appear in the Azure portal. So, can we allow only Android for Work-supported devices to enroll in Intune MDM? With this enrollment or device type restriction option, the answer is NO. So what is the difference between company-owned Android devices and personally owned Android devices?

Feature                                                                  | Company-owned device | Personal device
-------------------------------------------------------------------------+----------------------+----------------
Opt-out of Device Owner mode                                             | No                   | Yes
With device approvals enabled, the administrator must approve the device | No                   | Yes
Administrators can receive an inactivity report every 30 days            | Yes                  | No
Factory resets that users initiate block device re-enrollment            | Yes                  | No
Account wipe available                                                   | No                   | Yes
How to Restrict Personal Android Devices from Enrolling into Intune | Endpoint Manager | MEM

When you turn on the “Block Android Personal Device” option from the Intune blade in the Azure portal, all personal Android devices will be blocked from enrollment. Personal Android devices can be Android for Work (AfW) supported devices or non-Android for Work devices.

Initially, I thought an Android for Work device would not be treated as a personal device but rather as a corporate-owned device. I was wrong. For corporate-owned devices, Android for Work can be deployed in Work Managed mode, which provides full device management.

How to Restrict Personal Android Devices from Enrolling into Intune | Endpoint Manager | MEM

The Enroll Devices node is the place in the Intune Azure portal where you can set up a restriction policy for personally owned Android devices. Within the enrollment restriction rules, we can have two types of restrictions: Device Type restrictions and Device Limit restrictions.

In this scenario, where we want to restrict personal Android devices, we need to create an enrollment type policy that allows the Android platform to enroll in Intune. Once the Android platform has been enabled for enrollment, go to Platform Configurations and then BLOCK personally owned iOS devices.

How to Restrict Personal Android Devices from Enrolling into Intune | Endpoint Manager | MEM

Conclusion

Ideally, when you block personally owned Android devices from enrollment, all Android devices enrolled in a non-corporate way should get blocked.

As per my testing, this is not working. After enabling the “block Android personally owned devices” policy, I enrolled a couple of Android devices, and those devices enrolled without any issues.

How to Restrict Personal Android Devices from Enrolling into Intune | Endpoint Manager | MEM 8

In the below screen capture, I have enrolled two Android devices into Intune, and the Intune console detects them as personal devices. I’m not sure why they are not getting blocked.
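The test the post describes (turn on the block, enroll devices, then check what the console reports as personal) can be turned into a repeatable audit: compare the platform restriction configuration against the managed device list and flag every device that enrolled after the block was set even though the restriction should have refused it. The Python below is an added example, not code from the post or from Microsoft. It operates on constructed records shaped like Microsoft Graph’s deviceEnrollmentPlatformRestrictionsConfiguration (androidRestriction.personalDeviceEnrollmentBlocked is the “block personally owned Android devices” switch) and managedDevice (managedDeviceOwnerType, operatingSystem, osVersion, enrolledDateTime); the device names, timestamps and OS versions are made up, and the assumption that restrictions are evaluated at enrollment time and never retroactively is stated in the code. It also goes slightly beyond the post by checking the minimum/maximum OS version limits the same configuration carries.

```python
from datetime import datetime, timezone

# Constructed sample shaped like Graph's deviceEnrollmentPlatformRestrictionsConfiguration.
# androidRestriction.personalDeviceEnrollmentBlocked is the "block personally owned" switch.
RESTRICTIONS = {
    "displayName": "All users and all devices",
    "lastModifiedDateTime": "2017-04-10T09:00:00Z",
    "androidRestriction": {"platformBlocked": False, "personalDeviceEnrollmentBlocked": True,
                           "osMinimumVersion": "6.0", "osMaximumVersion": None},
    "iosRestriction": {"platformBlocked": False, "personalDeviceEnrollmentBlocked": True,
                       "osMinimumVersion": None, "osMaximumVersion": None},
}

# Constructed managedDevice records (property names are real managedDevice properties,
# the values are made up for the example).
DEVICES = [
    {"deviceName": "lab-android-01", "operatingSystem": "Android", "osVersion": "6.0.1",
     "managedDeviceOwnerType": "personal", "enrolledDateTime": "2017-04-10T11:30:00Z"},
    {"deviceName": "lab-android-02", "operatingSystem": "Android", "osVersion": "6.0",
     "managedDeviceOwnerType": "personal", "enrolledDateTime": "2017-04-11T08:05:00Z"},
    {"deviceName": "corp-android-07", "operatingSystem": "Android", "osVersion": "7.0",
     "managedDeviceOwnerType": "company", "enrolledDateTime": "2017-04-11T09:00:00Z"},
    {"deviceName": "old-android-03", "operatingSystem": "Android", "osVersion": "5.1",
     "managedDeviceOwnerType": "personal", "enrolledDateTime": "2017-03-20T10:00:00Z"},
    {"deviceName": "corp-ipad-01", "operatingSystem": "iOS", "osVersion": "10.3",
     "managedDeviceOwnerType": "company", "enrolledDateTime": "2017-04-12T09:00:00Z"},
]

# Maps a managedDevice.operatingSystem value to the restriction block that governs it.
RESTRICTION_KEYS = {"android": "androidRestriction", "ios": "iosRestriction"}


def parse_graph_time(value: str) -> datetime:
    """Graph returns UTC timestamps like 2017-04-10T09:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def version_tuple(version: str) -> tuple:
    """'6.0.1' -> (6, 0, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def blocking_reasons(restriction: dict, device: dict) -> list:
    """Why this restriction should have refused the device (empty list = allowed)."""
    reasons = []
    if restriction.get("platformBlocked"):
        reasons.append("platform blocked")
    if restriction.get("personalDeviceEnrollmentBlocked") and device["managedDeviceOwnerType"] == "personal":
        reasons.append("personally owned devices blocked")
    minimum = restriction.get("osMinimumVersion")
    if minimum and version_tuple(device["osVersion"]) < version_tuple(minimum):
        reasons.append(f"OS {device['osVersion']} below minimum {minimum}")
    maximum = restriction.get("osMaximumVersion")
    if maximum and version_tuple(device["osVersion"]) > version_tuple(maximum):
        reasons.append(f"OS {device['osVersion']} above maximum {maximum}")
    return reasons


def unexpected_enrollments(config: dict, devices: list) -> list:
    """Devices that enrolled after the restriction was last changed but should have been blocked."""
    changed_at = parse_graph_time(config["lastModifiedDateTime"])
    findings = []
    for device in devices:
        key = RESTRICTION_KEYS.get(device["operatingSystem"].lower())
        if key is None or key not in config:
            continue  # platform not covered by this configuration
        if parse_graph_time(device["enrolledDateTime"]) < changed_at:
            continue  # assumption: restrictions apply at enrollment time, not retroactively
        reasons = blocking_reasons(config[key], device)
        if reasons:
            findings.append({"deviceName": device["deviceName"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in unexpected_enrollments(RESTRICTIONS, DEVICES):
        print(f"{finding['deviceName']}: {', '.join(finding['reasons'])}")
```

Against a live tenant the two inputs would come from GET /deviceManagement/deviceEnrollmentConfigurations and GET /deviceManagement/managedDevices; the audit then answers the post’s open question directly, because any non-empty result means the block is not being honoured for the devices listed.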

References:-

  • Android Management Experience setup guide – Evaluate Android enterprise features – here
  • Add management for company-owned devices here
  • Manage your business’s mobile devices – here


How to Remove Work Profile from Intune Managed Android Devices | Endpoint Manager Intune

How to Remove Work Profile from Intune Managed Android Devices | Endpoint Manager Intune? This is a quick post that will help you understand the process of removing a work profile from an Android device. If you are wondering how the work profile was created, you should read my previous post here.

The work profile is created when an Android for Work (A4W) supported device is enrolled in an Intune environment that is enabled to support A4W. There are more than two ways to remove the work profile from Android devices. We will cover three of them in this post.

Video – Android for Work Un-enrollment

The Android for Work un-enrollment process is explained in the video here.

How to Remove Work Profile from Intune Managed Android Devices

As per Google documentation, the following is the method to remove the work profile, but I won’t recommend this approach if your device is enrolled in Intune. On Android 5.0+ devices, you can delete your work profile in Settings > Accounts > Remove work profile. Touch Delete to confirm the removal of all apps and data within the work profile.

The first proper way to remove a work profile or unenroll a device is to go to the Intune portal -> Devices and groups -> All devices, select the device that you want to remove or unenroll, then click the “Remove Company Data” button, which initiates the un-enrollment process from Intune.

How to Remove Work Profile from Intune Managed Android Devices | Endpoint Manager Intune

How to Remove Work Profile from Intune Managed Android Devices

Following is another option to remove the work profile or unenroll the Android device. You can also go to the user profile and choose the device you want to delete/remove from the following blade path in the Azure portal: “Users and Groups – All users – Anoop Nair (username) – Devices – Device.”

As you can see in the following picture, click on the delete button to remove the device from Intune or to remove the work profile.

How to Remove Work Profile from Intune Managed Android Devices | Endpoint Manager Intune

The second option to remove the work profile has to be initiated from the end-user device. The user has to start this process from the Intune Company Portal application (for more details about the Company Portal, read my previous post here).

Launch the Company Portal app on your Android device, tap the “My Devices” tab and select the device. As shown in the following picture, tap the recycle bin button to remove the device’s work profile.

How to Remove Work Profile from Intune Managed Android Devices | Endpoint Manager Intune

The Android device un-enrollment process removes company data from your mobile; it also removes the work profile created during A4W enrollment, along with all the applications deployed through the work profile.

However, the Company Portal application stays on the device, as you can see in the above picture (#5). It won’t allow you to enroll the device again with the same instance of the Company Portal. If you want to re-enroll the Android device for Intune management, you need to uninstall the existing Company Portal and install it again.
