How to Deploy Microsoft Store for Business Apps using Intune

This post explains how to deploy Microsoft Store for Business apps to Windows 10 or Windows 11 devices using Intune (Microsoft Endpoint Manager). Microsoft Store for Business apps are part of your organization’s private store.

Earlier, the only way to deploy Store apps through Intune was as a required deployment. Microsoft Store for Business apps can now be deployed as “Available,” “Required,” or “Uninstall” apps to Windows 10 or Windows 11 devices.

On September 15, 2023, Microsoft Store for Business and Education apps will be removed from the Intune admin center. Apps on the device will remain until intentionally removed. The Microsoft Graph API microsoftStoreForBusinessApp will no longer be available about a month later. Use New Store to Deploy New Microsoft Store Apps Type From Intune with Winget.

How to Deploy Microsoft Store for Business Apps using Intune Fig. 1.0

The logic behind NOT having an “available” deployment option is understandable: users don’t need an available deployment through Intune because they always have access to the private store to install the apps manually.

Let’s check how to deploy the WhatsApp application from the Microsoft Store to Windows 10/11 devices managed by Microsoft Endpoint Manager Intune.

NOTE! – Microsoft Store for Business retirement has been announced, and Microsoft Store for Business will be retired by early 2023. Read more: Use Winget Windows Package Manager Tool To Install Microsoft Store Apps Using Intune.

Requirements – Microsoft Store for Business Application Deployment using Intune

Let’s have a quick look at the requirements for Microsoft Store for Business Application Deployment using Intune.

  • A browser compatible with Microsoft Store for Business
  • An administrator account to integrate MSfB with SCCM
  • Employees need Azure AD accounts to access content from MSfB
  • Proxy configuration requirements for MSfB
  • For online app deployment, devices must be Azure AD registered or Azure AD joined to the same Azure AD tenant where you registered MSfB.
  • Azure AD Global admin (or appropriate) access to create the applications that connect the ConfigMgr site to Azure AD and MSfB

Decide Offline or Online Applications using Intune

MSfB supports two types of application licenses, and you should be very careful about which license type you choose for the application you want to add. For offline apps, devices don’t need to be hybrid Azure AD registered or joined.

  • Online: Windows 10 devices must be Azure Active Directory (Azure AD)-joined or hybrid Azure AD-joined.
  • Offline: Devices don’t need to connect to the store or have a connection to the internet.

Read More -> Offline Application deployment example – Install Windows Company Portal Offline Version Using Intune

Search Store Applications from MSfB for Intune App Deployment

Let’s log in to the Microsoft Store for Business and start searching for the apps you want to add to Configuration Manager. In this example, we add WhatsApp to the private store and deploy it to Intune-managed Windows 10/11 devices.

NOTE! – Microsoft Store for Business will be retiring in the first quarter of 2023.

  • Log in to MSfB with an Azure AD admin account: https://businessstore.microsoft.com/
  • Search for the Microsoft Store application “WhatsApp” that you want to add.
  • Search URL https://businessstore.microsoft.com/en-us/store/search?q=whatsapp
Deploy Microsoft Store for Business Apps using Intune Endpoint Manager 1

Add Apps to Private Store

You have already found the required app (WhatsApp) in the section above. Now let’s add it to the organization’s private store.

  • Click on any application – WhatsApp
  • Select License type: Offline
  • Click on Get the app
Deploy Microsoft Store for Business Apps using Intune Endpoint Manager 2

Once you click the Get the app button, the WhatsApp application is purchased and added to your organization’s private store.

  • Successfully added the app WhatsApp Beta to the private store.
  • This app will be available in the admin console after the next MSfB sync with Intune.
  • Click Close to continue.
Deploy Microsoft Store for Business Apps using Intune Endpoint Manager 3

Initiate a Manual Sync between Intune Portal and Microsoft Store for Business

Let’s initiate a manual sync between the Intune portal and Microsoft Store for Business. The scheduled sync happens every 24 hours, if I’m not mistaken.

  • Log in to Endpoint.Microsoft.com
  • Navigate to Tenant Administration – Connectors and Tokens.

Enabling Microsoft Store for Business sync lets you access volume-purchased apps with Intune. There are two options, and sync must always be ENABLED for this scenario.

  1. First, you’ll need to sign up and associate your Microsoft Store for Business account with Intune: Open the business store.
  2. Choose the language in which apps from the Microsoft Store for Business will be displayed in the Intune console (Language).
  3. Sync setting (choose Enable):
     • Enable
     • Disable

Sync the apps you’ve purchased from the store with Intune. To reflect the newly purchased application (WhatsApp), you need to click the SYNC button and wait for the sync to complete.

Deploy Microsoft Store for Business Apps using Intune Endpoint Manager 4

Deploy Microsoft Store App to Windows 11/10 using Intune

Let’s check how to deploy a Microsoft Store app to Windows 11/10 using Intune. Head over to Apps and look for the WhatsApp Beta application.

  • Open Endpoint.Microsoft.com portal.
  • Navigate to All Apps and Search for WhatsApp.
Deploy Microsoft Store for Business Apps using Intune Endpoint Manager 5

Click on the WhatsApp application to start the deployment process. This is the normal Intune application deployment process; the application was created automatically when you synced Intune with Microsoft Store for Business.

You can assign the application to one or more groups. Click ‘Properties’ and then edit ‘Assignments’ to start the assignment.

Deploy Microsoft Store for Business Apps using Intune Endpoint Manager 6

I have deployed this as an available application to an Azure AD group of USERS.

Deploy Microsoft Store for Business Apps using Intune Endpoint Manager 7

Video Tutorial (Outdated one)

There are three sections in this post and in the video tutorial:

  1. Enable and Configure Windows Store for Business
  2. Sync the applications and Deploy applications
  3. End-User Experience of App installation on Windows 10 device

Enable and Configure Microsoft Store for Business

First, we need to sign up and associate the Microsoft Store for Business (MSfB) account with Intune. Accept the agreement and consent for Windows Store for Business.

https://businessstore.microsoft.com/en-us/store

How to Deploy Microsoft Store for Business Apps using Intune to Windows 10 Devices Endpoint Manager

Intune and Microsoft Store for Business Connection

To enable and configure Microsoft Store for Business, open the Intune portal (Azure) and navigate to Microsoft Intune – Mobile Apps – Windows Store for Business. Choose the language in which apps from the Windows Store for Business will be displayed in the Intune console.

Once signed up for the Windows Store for Business, we need to set up a connection between Intune and the Windows Store for Business. This is required to deploy Windows Store apps via Intune. Click on the Manage tab and select Store settings.

Once you are in Store settings, you will see three out-of-box connections already configured for deploying Windows Store for Business apps via MDM solutions: AirWatch, MobileIron Cloud, and Microsoft Intune. Click the Intune Activate button to set up the connection between the store and Intune.

Windows_Store_App_via_Intune – How to Deploy Microsoft Store for Business Apps using Intune to Windows 10 Devices Endpoint Manager

Sync the applications and Deploy applications via Intune

Once the Intune connection is activated, we need to shop for the apps and add them to your organization’s private store. It could take up to 24 hours for newly added apps to appear in the private store (it’s pretty fast nowadays; within minutes they are available). You can then sync Intune to pull the newly added apps into Intune.

We need to save the settings after the successful app sync.

Updated NOTE! – You can now log in to the Microsoft Endpoint Manager admin center and head over to Tenant Administration – Connectors and Tokens. Click the SYNC button to make the application available under Intune apps.

  • Log in to Endpoint.Microsoft.com and navigate to Tenant Administration – Connectors and Tokens.
How to Deploy Microsoft Store for Business Apps using Intune to Windows 10 Devices Endpoint Manager

After a successful connection, you would be able to see the following settings in Microsoft Store for Business.

How to Deploy Microsoft Store for Business Apps using Intune 2

How to Deploy Microsoft Store for Business App from Intune

Learn how to deploy a Microsoft Store for Business app from Intune. Head over to the Apps – Windows node in the MEM admin center portal (Intune) to check for application availability. After a successful sync between Intune and Microsoft Store for Business, the Firefox browser app will be available in the MEM Intune portal.

Now select the Windows Store app that you want to deploy to AAD user groups. We have only two options when deploying a Windows Store app via Intune: REQUIRED and UNINSTALL.

So there is no option to deploy a Windows Store app as an available deployment via Intune, because users already have access to the Windows private store.

Setup_Windows_Store_App_via_Intune_Deployment_Options – How to Deploy Microsoft Store for Business Apps using Intune to Windows 10 Devices Endpoint Manager

End-User Experience of App installation on Windows 10 device

The end-user experience for Windows 10 1703 users is flawless. The deployment of the Windows Store app via Intune happened in the background, and the user only came to know about the installation when the app appeared on his/her Windows 10 device.

How to Deploy Microsoft Store for Business Apps using Intune to Windows 10 Devices Endpoint Manager

Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

Microsoft Endpoint Manager Intune Android Work Apps User Experience Explained

The Android operating system has several variants, and fragmentation is very high. What are the reasons for this? With open standards, every smartphone manufacturer has the freedom to customize the operating system according to their preference.

Related Posts – How To Configure Intune Enrollment Setup For Android Enterprise Device Management – HTMD Blog #2 (howtomanagedevices.com)

So all the Android mobile device manufacturers grabbed the opportunity to push their own apps and tweaked versions of Android. So what is the biggest problem I see with the Intune Android Work apps user experience? I will explain the details in this post. I have also explained the same in the above video.

There is no standard user experience: different mobile manufacturers like Samsung, Sony, and LeTV have their own way of arranging Android Work applications. Once you have enabled Android for Work support, you can enroll Android devices into Intune for management, as I explained in the post “How to Enroll Android for Work Supported Devices into Intune“.

Intune Android Work Apps User Experience

In this post, we will see what a good and a bad Intune Android for Work user experience look like. I want to make it clear that there is not much Intune can do to improve the user experience, because this is an OS capability.

Microsoft Endpoint Manager Intune Android Work Apps User Experience Explained

I have tested Intune Android for Work enrollment with devices such as the Nexus 6P, Sony, and Samsung. The Intune Android Work apps user experience is good on all the tested devices. However, the problem is the placement of badged applications on the devices.

Each Android mobile manufacturer has its own way of placing badged Android Work applications. I like it when a manufacturer places all the badged apps into a folder.

This is very useful for the user to switch between work applications and personal ones. If the manufacturer does not create a group for work applications after Intune Android for Work enrollment, it’s not a good user experience, based on my testing.

As per my testing on several Android devices, I liked the Intune Android for Work user experience of Samsung and Google Nexus the most.

Initially, the Intune Android for Work enrollment experience with the Company Portal was not flawless. But with the latest version of the Intune Company Portal, the enrollment process has improved a lot. If you enroll the device with the latest Company Portal app, you don’t have to close the existing Company Portal app and open the Company Portal app for the work profile (with the badge/briefcase symbol) to continue the enrollment process.

The previous Android for Work enrollment process experience is explained in the video here.

Microsoft Endpoint Manager Intune Android Work Apps User Experience Explained

I like the Samsung and Google Nexus user experience because all the Android Work applications are placed in a separate WORK folder. The work folder helps users better segregate their personal apps from work apps.

That user experience is excellent. The Android Work apps user experience of Sony and LeTV Android devices is not so good compared to the UX of Samsung and Nexus.

The bad user experience is that those devices don’t create a separate folder for WORK apps. You can see the more detailed experience in the video tutorial in the first part of this post.

Resources

Intune SCEP HTTP Errors Troubleshooting Made Easy With Joy – #5 (anoopcnair.com)


Windows 10 Azure AD Join Automatic Intune Enrollment using Microsoft Endpoint Manager Intune | Azure AD

In this post, I will share the experience of Windows 10 1703 (RS2) Azure AD join and automatic MDM (Intune) enrollment.

The video tutorial above shows the real-time experience of Windows 10 1703 Azure AD join and Intune auto-enrollment.

Latest Posts Windows 10 Intune Enrollment Manual Process AAD Registration (anoopcnair.com) & Intune Company Portal Setup for Personal Windows 10 Device Intune Enrollment Options

Windows 10 1703 is the latest version of the Windows 10 production build, also called the Redstone 2 (RS2) release. The Windows team has done great work improving the Out Of Box Experience (OOBE) of Windows 10 1703. I have a previous post that explains the in-depth process of AADJ and MDM auto-enrollment, “How to Join Windows 10 1607 Machines to Domain or Azure AD“.

“Sign in with Microsoft School or Work account” is the first screen you get in the Windows 10 1703 Azure AD join OOBE. There is also a note on the same screen that helps users select the account they want to use: “Sign in with the username and password you use with Office 365 or business services from Microsoft”.

Yes, this is a generic message. I think it would be more helpful if Microsoft told the user to use their corporate account rather than using technical terms like Office 365 and business services from Microsoft.


Windows 10 Azure AD Join Automatic Intune Enrollment using Microsoft Endpoint Manager Intune | Azure AD 5

The Windows 10 1703 OOBE screen gives the user an option to choose a traditional domain join. It also allows the user to create a local user account and log in with that account. The Windows 10 1703 OOBE experience has improved a lot.

It will ask to connect to a Wi-Fi network, and it allows the user to connect to Wi-Fi routers with web-based authentication (not all? Need to test this further). Once connected to the internet, it will check for the latest software updates available and install them.

Windows 10 Azure AD Join Automatic Intune Enrollment using Microsoft Endpoint Manager Intune | Azure AD 6

Windows 10 Azure AD Join Experience?

Windows 10 1703 Azure AD join is an almost fully automated process once users enter their user name and password in the OOBE screen mentioned above. User input is required on only one particular screen: the privacy settings screen.

Once the user is done with the Windows 10 1703 privacy settings, the device will automatically log in with the user name and password. Is this a new SSO for Windows 10 1703 Azure AD join? You can confirm the AAD join from the Settings – Accounts section in Windows 10 1703.

Windows 10 Azure AD Join Automatic Intune Enrollment using Microsoft Endpoint Manager Intune | Azure AD

Windows 10 MDM Intune Auto Enrollment Experience

Once the Windows device is Azure AD joined, it should automatically enroll in Intune management. You must have enabled the MDM auto-enrollment option in your Azure AD to get this experience. In my experience with Windows 10 1703, I got the encryption policy popup from the Intune compliance policy within a few minutes of the first login to the device.

The user can also check the Intune enrollment from the School or Work Account section in the Windows 10 Settings menu. There is a change in the GUI of the Windows 10 MDM stack with respect to School or Work account settings: there is no Manage tab for the work account added to the device. Don’t worry about that; it is a new design for Windows 10 1703. The Windows 10 work/school account setting has only two tabs: Info and Disconnect.

How do you manually sync or check for new Intune policies on a Windows 10 1703 device? Click Settings – Accounts – Access Work or School Account – Info – Sync. This initiates an immediate policy sync with the Intune service in the cloud, and in turn the user’s Windows 10 device receives the latest policies from Intune.

Windows 10 Azure AD Join Automatic Intune Enrollment using Microsoft Endpoint Manager Intune | Azure AD


Software Update Policy Rings in Intune MEM

Let’s see how to configure Software Update Policy Rings in Intune MEM, and how to set up Windows 10 software update policy rings in the Intune Endpoint Manager portal.

Managing software updates for Windows 10 with Intune is straightforward, but there is a catch: you can’t expect the granular controls you have with SCCM/ConfigMgr. We need to configure a Windows software update policy and deploy that policy to Windows 10 devices.

I have an updated post on the Intune monthly patching guide and troubleshooting: Cloud PC Monthly Patching Process Using Intune. Another guide on Intune patching: Software Update Patching Options With Intune Setup Guide (anoopcnair.com)

Related Post: Difference Between Windows Patch Management Using Intune Vs ConfigMgr | SCCM | Software Updates

Windows 10 devices take software updates directly from Microsoft Update services. Unlike SCCM, there is no need to download the software updates, create a package, and deploy it to the devices (as you can see in the video post here).

Windows Update for Business gives us more options to configure and control the behavior of Windows 10 updates and servicing. Update: FIX CBB Ring Devices are Getting Windows 10 CB (SAC-T) Updates Intune Windows 10 Update Rings.

Intune Video tutorial to help to create Software updates rings for Windows 10

We have an out-of-box Software Update (Automatic Update) policy as part of the Intune Silverlight portal configuration policy. I have noticed that this out-of-box configuration policy stopped working in the last few months. Now there are two options to control the behavior of Windows 10 updates and Windows servicing.

The first choice is to use custom policies in the Intune Silverlight portal if your Silverlight portal has not yet been migrated to the MEM portal. I have a post that talks about Intune Silverlight migration blockers here.

The second choice is to control Windows Update for Business via the Software Updates button in the Intune blade in the MEM portal. We will cover this option in this post.

Software Update Policy Rings in Intune MEM

Basic Test Rings for Windows 10 Software Update

As a very basic requirement, we may need to create at least two Windows 10 Software Update Policy Rings for your organization. One Windows 10 update ring is for Windows 10 machines that are on the Current Branch (CB).

The second Windows 10 update ring is for Windows 10 machines that are on the Current Branch for Business (CBB). Windows 10 update rings will evolve as you progress with testing and development for your organization, but this is the first stage of your software update deployment testing.

  • Windows 10 CB Update Ring – All the devices in Current Branch
  • Windows 10 CBB Update Ring – All the devices in Current Branch for Business

Pilot and Production Rings for Windows 10 or Windows 11 Servicing

Another recommendation is to create separate Windows 10 Software Update Policy Rings for deferrals of the Windows 10 servicing branches CB and CBB. We can set a maximum of 30 days of delay in Windows 10 software update rings. These update rings help roll out the latest Windows 10 CB/CBB servicing updates (e.g. the upgrade from 1607 to 1703) to some pilot devices first, rather than deploying servicing updates to all the devices at the same time.

During the pilot testing of CB, if you find any problem with the upgrade and you don’t want to deploy the update to the CBB ring, you have the option to PAUSE the updates for the production ring.

  • Pilot Windows 10 CBB Updates Ring – Pilot Servicing Ring for CBB
  • Production Windows 10 CBB Updates Ring – Production Servicing Ring for CBB
  • Pilot Windows 10 CB Updates Ring – Pilot Servicing Ring for CB
  • Production Windows 10 CB Updates Ring – Production Servicing Ring for CB

Pilot and Production Rings for Windows 10 or Windows 11 Monthly Security Patches

I would also recommend creating separate Windows 10 Software Update Policy Rings for Windows 10 CBB and Windows 10 CB quality updates (monthly security and other patches). So Windows 10 CBB machines will have a minimum of two rings.

One ring is for the pilot machines on Windows 10 CBB, and the second ring is for the production machines on Windows 10 CBB. The same applies to Windows 10 CB devices: the CB machines should also have two rings.

  • Pilot Windows 10 CB Quality Updates Ring – Monthly patch pilot ring
  • Production Windows 10 CB Quality Updates Ring – Monthly patch production ring
  • Pilot Windows 10 CBB Quality Updates Ring – Monthly patch pilot ring
  • Production Windows 10 CBB Quality Updates Ring – Monthly patch production ring
Software Update Policy Rings in Intune MEM 8

How to create advanced Windows 10 Software Update Rings?

There could be other, more complex scenarios for Windows 10 Software Update Policy Rings. These rings could depend purely on the requirements of each region or business group in your organization. Some of the other important options you have in Windows 10 Software Update Policy Rings are:

  • Windows 10 automatic update behavior: how do you want to scan for, download, and install updates? This includes the scheduling options for Windows updates.
  • Whether you want to update Windows 10 drivers as part of your patch deployment rings or not.
  • What kind of Delivery Optimization (the built-in caching solution in Windows 10) you want to use.
Software Update Policy Rings in Intune MEM

Deployment – Assignment of Windows 10 Software Update Rings

Windows 10 Software Update Policy Ring deployments/assignments are very critical decisions. I would recommend using dynamic device groups wherever possible, but at the moment this is not possible for all scenarios; in some scenarios we need to use static device/user groups. I hope Microsoft will come up with exclusion group options for assignments (similar to AAD Conditional Access policies).

Exclusion groups would be really useful in software update ring deployment scenarios. For example, you may want to exclude pilot devices from the production software update ring deployments. At this point, it’s not possible without exclusion options.
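The pilot/production servicing rings described above can also be created and assigned in one go through Microsoft Graph instead of the portal. The script below is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed, the signed-in account has Intune admin rights, and the four group ids are replaced with your own Azure AD pilot/production groups.

```powershell
# Added example (not from the original post): create the four CB/CBB servicing rings via Graph.
# Assumptions: Microsoft.Graph PowerShell module installed, Intune admin rights, and the
# placeholder group ids below replaced with the object ids of your own AAD groups.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# Constructed placeholders: ring name, servicing branch, feature update deferral, target group.
# "all" = Current Branch (CB); "businessReadyOnly" = Current Branch for Business (CBB).
$rings = @(
    @{ Name = "Pilot Windows 10 CB Updates Ring";       Branch = "all";               Deferral = 0;  GroupId = "<PILOT-CB-GROUP-ID>" }
    @{ Name = "Production Windows 10 CB Updates Ring";  Branch = "all";               Deferral = 14; GroupId = "<PROD-CB-GROUP-ID>" }
    @{ Name = "Pilot Windows 10 CBB Updates Ring";      Branch = "businessReadyOnly"; Deferral = 0;  GroupId = "<PILOT-CBB-GROUP-ID>" }
    @{ Name = "Production Windows 10 CBB Updates Ring"; Branch = "businessReadyOnly"; Deferral = 30; GroupId = "<PROD-CBB-GROUP-ID>" }
)

$baseUri = "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations"

foreach ($ring in $rings) {
    $body = @{
        "@odata.type"                      = "#microsoft.graph.windowsUpdateForBusinessConfiguration"
        displayName                        = $ring.Name
        businessReadyUpdatesOnly           = $ring.Branch        # CB vs CBB servicing branch
        featureUpdatesDeferralPeriodInDays = $ring.Deferral      # pilot first, production waits
        qualityUpdatesDeferralPeriodInDays = 0                   # monthly patches handled by separate rings
        featureUpdatesPaused               = $false
        qualityUpdatesPaused               = $false
        automaticUpdateMode                = "autoInstallAtMaintenanceTime"
        driversExcluded                    = $false              # include driver updates in this ring
        deliveryOptimizationMode           = "httpWithPeeringNat" # built-in Windows 10 peer caching
        microsoftUpdateServiceAllowed      = $true
    }

    # Create the ring, then assign it to its AAD group
    $created = Invoke-MgGraphRequest -Method POST -Uri $baseUri `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType "application/json"

    $assign = @{
        assignments = @(
            @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $ring.GroupId } }
        )
    }
    Invoke-MgGraphRequest -Method POST -Uri "$baseUri/$($created.id)/assign" `
        -Body ($assign | ConvertTo-Json -Depth 5) -ContentType "application/json"

    Write-Host "Created and assigned ring '$($ring.Name)' (id $($created.id))"
}

# The PAUSE scenario from the post: a bad pilot upgrade means production must not receive it.
# This helper (hypothetical name) toggles the feature update pause on an existing ring.
function Set-RingFeatureUpdatesPaused {
    param([string]$RingId, [bool]$Paused)
    $patch = @{
        "@odata.type"        = "#microsoft.graph.windowsUpdateForBusinessConfiguration"
        featureUpdatesPaused = $Paused
    }
    Invoke-MgGraphRequest -Method PATCH -Uri "$baseUri/$RingId" `
        -Body ($patch | ConvertTo-Json) -ContentType "application/json"
}
```

Call Set-RingFeatureUpdatesPaused with the production ring id and $true while the pilot problem is investigated, and with $false to resume.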


How to Plan Design Intune Compliance Policy for Android Devices | Microsoft Endpoint Manager | Intune

This post provides more details about planning and implementing Intune compliance policies for Android devices. Intune compliance policies are the first step of protection before giving access to corporate apps and data.

It’s very important to plan and design compliance policies for Android devices, as Android is more vulnerable than other operating systems.

Compliance policy rules might include requiring a password/PIN to access devices and encrypting data stored on devices. Such a set of rules is called a compliance policy. The best option is to use a compliance policy together with Azure AD Conditional Access.

Update: When you use or support Android for Work enrollment, select the Android for Work platform in the compliance policy. Otherwise, the compliance policies will evaluate your Android devices and report that the policy is not applicable to Android for Work enrolled devices.

Video

Check out the video tutorial to set up Intune compliance policies for Android here.

  • Intune Compliance policy setup for Windows 10 Devices here
  • Intune Compliance policy setup for iOS Devices here

How to set up Windows 10 Device compliance policy

How to Plan Design Intune Compliance Policy for Android Devices | Microsoft Endpoint Manager | Intune
  1. Sign in to the Endpoint Manager portal with an account that has Intune admin access.
  2. Select More services, enter Intune in the text box, and then select Enter.
  3. Select Intune – Device Compliance – Policies, click the +Create policy button to create a new compliance policy, and select the platform “Android”.
  4. The settings configuration is really important for a compliance policy. There are some improvements in the Azure portal Android compliance policies. There are three categories in Android compliance policies: Device Health, Device Properties, and System Security.
  5. Device Health is the setting where the compliance engine checks the health state that Android devices report (such as whether the device is rooted). The device health attestation service has loads of checks, including TPM 2.0, BitLocker encryption, etc.
  6. Device Properties is the setting where Intune admins define the minimum and maximum operating system versions required for corporate application access. I would keep the minimum version at Android 6 wherever possible.
     • Operating System Version
     • Minimum Android OS version
     • Maximum Android OS version
  7. System Security is the setting where Intune admins define password policies for Windows devices. There are three sections in these settings: Password, Encryption, and Device Security.
How to Plan Design Intune Compliance Policy for Android Devices | Microsoft Endpoint Manager | Intune

Password compliance policy for Android – I would require a complex alphanumeric password for Android devices and configure all of the settings below.

  • Require a password to unlock mobile devices
  • Minimum password length
  • Required password type
  • Maximum minutes of inactivity before the password is required
  • Password expiration (days)
  • Number of previous passwords to prevent reuse

Encryption compliance policy for Android – Encryption must be enabled in your compliance policy for Android devices.

  • Encryption of data storage on the device

Device Security compliance policy for Android – The Block apps from unknown sources and Block USB debugging on the device policies are important and should be enabled.

Block apps from unknown sources
Require threat scan on apps
Block USB debugging on the device
Minimum security patch level

8. Deploy the Android compliance policy to the All Android devices dynamic device group. (Update: device groups are not supported for compliance policies, hence use user groups for Intune compliance policies.) Click on Assignment and select the dynamic device group.

I would use AAD dynamic device groups to deploy compliance policies rather than AAD user groups.

How to Plan Design Intune Compliance Policy for Android Devices | Microsoft Endpoint Manager | Intune

Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

How to Setup Intune Compliance Policy for Windows 10 Devices | Microsoft Endpoint Manager | MEM Powered

How to Setup Intune Compliance Policy for Windows 10 Devices | Microsoft Endpoint Manager | MEM Powered? In this post, we will see how to set up an Intune Compliance Policy for Windows 10. Managing Windows 10 devices is very critical in modern device management.

Intune compliance policies are the first step of the protection before providing access to corporate applications.

An Intune Compliance Policy for Windows 10 helps to protect company data: the organization needs to make sure that the devices used to access company apps and data comply with certain rules. These rules might include using a password/PIN to access devices and encrypting data stored on devices.

Such a set of rules is called a compliance policy. The best option is to use a compliance policy together with Azure AD Conditional Access.

Video

Check out the video tutorial to setup Intune compliance policies for Windows 10 – here

  • Intune Compliance policy setup for Android Devices here
  • Intune Compliance policy setup for iOS Devices here 

How to set up an Intune Compliance Policy for Windows 10 in the Microsoft Endpoint Manager portal?

1.  Sign in to the MEM portal with an account that has Intune admin access.

2.  Select More services, enter Intune in the text box, and then press Enter.

How to Setup Intune Compliance Policy for Windows 10 Devices | Microsoft Endpoint Manager | MEM Powered

3. Select Intune – Device Compliance – Compliance Policies, click the +Create policy button to create a new compliance policy, and select the platform as “Windows 10”.

4. The settings configuration is the most important part of a compliance policy. There are some improvements in the Azure portal Windows 10 compliance policies.

There are 3 categories in Windows 10 compliance policies: Device Health, Device Properties, and System Security.

How to Setup Intune Compliance Policy for Windows 10 Devices | Microsoft Endpoint Manager | MEM Powered

5. Device Health is the setting where the compliance engine checks whether Windows 10 devices are reported as healthy by the Windows Device Health Attestation Service (HAS). The device health attestation service has loads of checks, including TPM 2.0 (for the latest builds of Windows 10 the requirement is TPM 1.0), BitLocker encryption, etc.

6. Device Properties is the setting where Intune Admins define the minimum and the maximum operating system versions allowed for corporate application access.

  • Operating System Version
  • Minimum OS version
  • Maximum OS version
  • Minimum OS version for mobile devices
  • Maximum OS version for mobile devices

7. System Security is the setting where Intune Admins define password policies for Windows devices. There are 2 sections in these settings: Password and Encryption.

Password Policy – You don’t need to set the Windows password policy here if you are already using “Windows Hello for Business.”

How to Setup Intune Compliance Policy for Windows 10 Devices | Microsoft Endpoint Manager | MEM Powered
  • Require a password to unlock mobile devices
  • Simple passwords
  • Password type (Device default, Alphanumeric, Numeric)
  • Minimum password length
  • Maximum minutes of inactivity before the password is required
  • Password expiration (days)
  • Number of previous passwords to prevent reuse
  • Require a password when the device returns from an idle state (mobile only)

Encryption – If you have enabled HAS in the above policy, you don’t need to enable this encryption policy.

  • Encryption of data storage on a device

8. Deploy the Windows 10 compliance policy to the All Windows devices dynamic device group.

(Update: device groups are not supported for compliance policies, hence use user groups for Intune compliance policies.)

Click on Assignment and select the dynamic device group. I would use AAD dynamic device groups to deploy compliance policies rather than AAD user groups.

How to Setup Intune Compliance Policy for Windows 10 Devices | Microsoft Endpoint Manager | MEM Powered


How to Setup Intune Compliance Policy for iOS Devices | Microsoft Endpoint Manager | MEMCM

How to Setup Intune Compliance Policy for iOS Devices | Microsoft Endpoint Manager | MEMCM? In this post, we will see how to set up an Intune Compliance Policy for iOS. An Intune Compliance Policy for iOS devices helps to protect company data. The organization needs to ensure that the devices used to access company apps and data comply with certain rules.

These rules might include using a password/PIN to access devices and encrypting data stored on devices. This set of such rules is called a compliance policy. The best option is to use a compliance policy with Azure AD Conditional Access.

Video Tutorial to setup Intune Compliance Policy for iOS

Video tutorial: How to Setup Intune Compliance Policy for iOS Devices | Microsoft Endpoint Manager | MEMCM – here

  • Intune Compliance policy setup for Windows 10 Devices here
  • Intune Compliance policy setup for Android Devices here

How to setup Intune Compliance Policy for iOS?

Let’s see How to Setup Intune Compliance Policy for iOS Devices | Microsoft Endpoint Manager | MEMCM.

  1. Sign in to the Azure portal with an account that has Intune admin access.
  2. Select More services, enter Intune in the text box, and select Enter.
  3. Select Intune – Device Compliance – Compliance Policies, click the +Create policy button to create a new compliance policy, and select the platform as “iOS”.
  4. The settings configuration is the most important part of a compliance policy. There are some improvements in the Azure portal iOS compliance policies in terms of password settings.
  5. There are 4 categories in iOS compliance policies: Email, Device Health, Device Properties, and System Security.
  6. The Email setting requires mobile devices to have a managed email profile to access corporate resources.
  7. The Device Health setting checks whether the device is jailbroken. If the iOS device is jailbroken, it won’t be given mail access.
  8. The Device Properties setting checks the OS version of the device against the minimum iOS version.
  9. The System Security setting is basically about password settings. There are some improvements over the Intune Silverlight portal here. We have the option not to configure some of the settings, such as “Number of non-alphanumeric characters in password”. This was not possible with the Intune Silverlight portal.

  • Require a password to unlock mobile devices
  • Simple passwords
  • Minimum password length
  • Required password type (Not Configured, Alphanumeric, Numeric)
  • Number of non-alphanumeric characters in the password
  • Maximum minutes of inactivity before a password is required
  • Password expiration (days)
  • Number of previous passwords to prevent reuse

10. Deploy the Intune Compliance Policy for iOS to the All iOS devices dynamic device group. Click on Assignment and select the dynamic device group. I would use AAD dynamic device groups to deploy compliance policies rather than AAD user groups.

(Update: device groups are not supported for compliance policies, hence use user groups for Intune compliance policies.)
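The Android, Windows 10 and iOS walkthroughs above describe the compliance settings as portal clicks. The following added example, which is not code from these posts or from Microsoft, shows the same settings expressed as request bodies in the shape the Microsoft Graph deviceCompliancePolicies API accepts (the @odata.type values and property names are Graph’s; the chosen values are mine) together with a small local evaluation model that reports why a simulated device report would fail each policy. The device reports are constructed, and the real compliance engine runs in the Intune service, so the model only illustrates the checks; it compares OS versions numerically rather than as strings and treats a setting the device did not report as a failure, which is the safe default.

```python
"""Added example: Graph-shaped compliance policies plus a local evaluation model.
The @odata.type values and property names are Microsoft Graph's
deviceCompliancePolicy properties; the values, the engine and every device
report below are constructed for this example, not Intune's own logic."""

# Password types ranked so a stronger type satisfies a weaker requirement.
PASSWORD_STRENGTH = {"deviceDefault": 0, "numeric": 1, "alphanumeric": 2}


def parse_version(v: str) -> tuple:
    """Compare OS versions numerically: '10.0.19045' > '10.0.2', unlike string order."""
    return tuple(int(part) for part in v.split("."))


def type_ok(required_type: str, reported_type: str) -> bool:
    return PASSWORD_STRENGTH.get(reported_type, -1) >= PASSWORD_STRENGTH.get(required_type, 0)


def require(flag: bool, present: bool) -> bool:
    """A boolean 'require X' setting passes when it is off or X is present."""
    return (not flag) or present


def forbid(flag: bool, present: bool) -> bool:
    """A boolean 'block X' setting passes when it is off or X is absent."""
    return (not flag) or (not present)


# Graph property -> (field of the simulated device report, predicate(policy value, reported value), message)
RULES = {
    "osMinimumVersion": ("osVersion", lambda p, d: parse_version(d) >= parse_version(p), "OS below minimum version"),
    "osMaximumVersion": ("osVersion", lambda p, d: parse_version(d) <= parse_version(p), "OS above maximum version"),
    "passwordRequired": ("passwordSet", require, "no password set"),
    "passcodeRequired": ("passwordSet", require, "no passcode set"),
    "passwordMinimumLength": ("passwordLength", lambda p, d: d >= p, "password too short"),
    "passcodeMinimumLength": ("passwordLength", lambda p, d: d >= p, "passcode too short"),
    "passwordRequiredType": ("passwordType", type_ok, "password type too weak"),
    "passcodeRequiredType": ("passwordType", type_ok, "passcode type too weak"),
    "storageRequireEncryption": ("encrypted", require, "storage not encrypted"),
    "requireHealthyDeviceReport": ("healthyPerHAS", require, "HAS did not report the device healthy"),
    "securityBlockJailbrokenDevices": ("jailbroken", forbid, "device is jailbroken"),
    "managedEmailProfileRequired": ("managedEmailProfile", require, "no managed email profile"),
    "securityPreventInstallAppsFromUnknownSources": ("unknownSourcesAllowed", forbid, "apps from unknown sources allowed"),
    "securityDisableUsbDebugging": ("usbDebugging", forbid, "USB debugging enabled"),
    # Android patch levels are ISO dates (YYYY-MM-DD), so string order equals date order.
    "minAndroidSecurityPatchLevel": ("securityPatchLevel", lambda p, d: d >= p, "security patch level too old"),
}


def evaluate(policy: dict, device: dict) -> list:
    """Return failed checks as 'property: message'; an empty list means compliant.
    A setting the device did not report counts as a failure, never as a pass."""
    failures = []
    for prop, (field, predicate, message) in RULES.items():
        if prop not in policy:
            continue
        if field not in device:
            failures.append(f"{prop}: {field} not reported")
        elif not predicate(policy[prop], device[field]):
            failures.append(f"{prop}: {message}")
    return failures


# Policy bodies in the shape POSTed to /deviceManagement/deviceCompliancePolicies.
ANDROID_POLICY = {
    "@odata.type": "#microsoft.graph.androidCompliancePolicy",
    "displayName": "Android baseline (constructed)", "osMinimumVersion": "6.0",
    "passwordRequired": True, "passwordRequiredType": "alphanumeric", "passwordMinimumLength": 8,
    "storageRequireEncryption": True, "securityPreventInstallAppsFromUnknownSources": True,
    "securityDisableUsbDebugging": True, "minAndroidSecurityPatchLevel": "2017-03-01",
}
# Windows 10: HAS is required, so no separate storage-encryption setting (as the post notes).
WINDOWS_POLICY = {
    "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
    "displayName": "Windows 10 baseline (constructed)", "osMinimumVersion": "10.0.15063",
    "requireHealthyDeviceReport": True, "passwordRequired": True, "passwordRequiredType": "deviceDefault",
}
IOS_POLICY = {
    "@odata.type": "#microsoft.graph.iosCompliancePolicy",
    "displayName": "iOS baseline (constructed)", "osMinimumVersion": "10.0",
    "managedEmailProfileRequired": True, "securityBlockJailbrokenDevices": True,
    "passcodeRequired": True, "passcodeRequiredType": "numeric", "passcodeMinimumLength": 6,
}

# Constructed device reports.
ANDROID_OK = {"osVersion": "7.1.1", "passwordSet": True, "passwordType": "alphanumeric", "passwordLength": 10,
              "encrypted": True, "unknownSourcesAllowed": False, "usbDebugging": False,
              "securityPatchLevel": "2017-04-05"}
ANDROID_BAD = {**ANDROID_OK, "osVersion": "5.1.1", "usbDebugging": True}
WINDOWS_OK = {"osVersion": "10.0.16299", "healthyPerHAS": True, "passwordSet": True, "passwordType": "numeric"}
IOS_JAILBROKEN = {"osVersion": "10.3.1", "managedEmailProfile": True, "jailbroken": True,
                  "passwordSet": True, "passwordType": "numeric", "passwordLength": 6}

if __name__ == "__main__":
    for name, policy, device in [("Android OK", ANDROID_POLICY, ANDROID_OK), ("Android bad", ANDROID_POLICY, ANDROID_BAD),
                                 ("Windows OK", WINDOWS_POLICY, WINDOWS_OK), ("iOS jailbroken", IOS_POLICY, IOS_JAILBROKEN)]:
        print(name, "->", evaluate(policy, device) or "compliant")
```

The policy dictionaries are the part you would send to the Graph endpoint (after authenticating with a DeviceManagementConfiguration scope); the evaluate() function exists only to make visible which setting a device would trip over, which is the question an admin asks when a device shows as Not compliant in the portal.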

How to Setup Intune Compliance Policy for iOS Devices | Microsoft Endpoint Manager | MEMCM


Intune Android Device Support for Google Android for Work Enrollment | Microsoft Endpoint Manager

Intune Android Device Support for Google Android for Work Enrollment | Microsoft Endpoint Manager? Google has a list of supported devices with their Android for Work program. But the question is whether Google’s list contains all the devices which are supported.

I don’t think the list is exhaustive and lists all the supported devices.

I have tested 2 devices that are NOT listed as part of Android for Work supported devices. And surprisingly both the devices can enroll in Intune via the Android for Work program. More details are covered in the above video.

How To Configure Intune Enrollment Setup For Android Enterprise Device Management – HTMD Blog #2 (howtomanagedevices.com)

Video tutorials for Android for Work management via Intune

I tried Samsung Galaxy J7 and LetV Android devices. These devices are not very costly rather the cost is less than 150 USD. It’s always a challenge for organizations to try and find out cost-effective and affordable Android for Work devices from Google’s new list here

After testing two very basic Android devices, I found that we need to perform trial and error to understand whether low-cost Android devices support Android for Work or not.

Intune Android Device Support for Google Android for Work Enrollment | Microsoft Endpoint Manager

Android – Intune Android Device Support for Google Android for Work Enrollment

Google recently did some rebranding, and now the name of Android for Work has changed to just “Android” management. Google announced that they are simplifying the names of Android for Work and Play for Work, calling them directly: Android and Google Play.

There are 3 categories of Android devices as per Google. Samsung S7 and LetV devices are not covered in the new list either.

  1. Enterprise Devices – Premium productivity devices
  2. Affordable work devices – Cost-effective devices ready for work
  3. Featured devices

I was successfully able to enroll Android low-cost (cheap) devices with Android for Work. Intune was able to manage Samsung S7 and LetV devices with the Google Work profile. Both these devices are on the Android version 6.

Conclusion – Intune Android Device Support for Google Android for Work Enrollment

Android for Work is supported for the devices which are not listed in the Google portal.  My recommendation would be to perform thorough testing before approving the Android for Work-supported devices within your organization. It’s always better to maintain a recommended list of “Android for Work” supported devices within your organization.

I hope Google will remove the support for plain Android management, and the only allowed way of managing Android devices will be “Android for Work.” Also, we need to remember that Android for Work support is available only in specific countries or regions. For example, in China, we don’t have any support for Android for Work.


How to Resolve Intune Android for Work Configuration Refresh Error | Microsoft Endpoint Manager Fix

How to Resolve Intune Android for Work Configuration Refresh Error | Microsoft Endpoint Manager Fix? Android for Work configuration is very straightforward in most of the scenarios.

I have configured “Android for Work” for several tenants without any issue. Recently, I faced an issue while configuring this in Intune Silverlight console. 

When I clicked the configure button to “add Android for Work Binding” on the “Android for Work Mobile Device Management Setup” page in the Intune Silverlight console, it initiated the process, but Intune was not able to launch the Android for Work binding wizard (web page).

We will see how to resolve this issue in this post, and I explained the same in the above video.

How To Configure Intune Enrollment Setup For Android Enterprise Device Management – HTMD Blog #2 (howtomanagedevices.com)

Introduction – Intune Android for Work Configuration

I have already posted about Android for Work configuration and set it up in a different post here (How to Enroll Android for Work Supported Devices into Intune). This post and video tutorial will provide you step by step process to enable Android for Work management.

As I explained in the first paragraph, the Intune console was not able to complete the Android for Work binding. When I checked the Intune console, there was an Intune console page loading error: “Microsoft Intune was not able to retrieve all data. REFRESH.”

How to Resolve Intune Android for Work Configuration Refresh Error | Microsoft Endpoint Manager Fix

I tried to click on the Refresh button a couple of times to check my luck, but nothing worked. There was another button on the Intune Silverlight page, and that was Save Error Log.

I clicked on the button, and it asked me to save a text log file for this “unable to retrieve all data” error in the Intune console. I opened the text file, which contains the details about the error and possibly the root cause of this issue as well.

How to Resolve Intune Android for Work Configuration Refresh Error | Microsoft Endpoint Manager Fix

As per the Intune Save Error Log file, the Intune Silverlight error occurred while retrieving the JWT token, and the error log suggests we check whether the current user has an Intune license and try again. The following is a snippet of the log file:

2017-03-31 05:37:56Z Silverlight Error:
Error occurred while retrieving JWT token, check that current user has an Intune license and try again.
ParameterType: Unknown
OperationType: Unknown
Current URL: https://admin.manage.microsoft.com/MicrosoftIntune/Home?accountid=a8f58f04-e279-44ff-95b9-5e81532915e6#Workspace/administration/index%23?P=//administration/MobileAndroidManagement/&A=%7BGID=23363773-6797-4c777-b3c2-01b06e207b74%7D&S=7sh74c9-7bf5-45ac-9fbb-67369263b9
Console Version: 5.0.17411.0
Service address: https://msua02.manage.microsoft.com/
Last 50 Log Entries:
00CCE 03/31/2017 05:37:37 429 Z MainThread 0001    Page instantiated successfully

Resolution

I added an Intune/EMS license to the Intune Administrator from the new Azure Active Directory portal. It might not work straight away after assigning the license. You may need to wait 3-4 minutes before trying to configure “Android for Work.” I would recommend logging off and logging back in to the Intune Silverlight console before configuring “Android for Work.”
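The Save Error Log snippet above is the only artefact the post has to diagnose from, and its message names the check to make (does the signed-in admin hold an Intune licence?). The following added example, which is not code from the post, parses that log text into its fields, flags the JWT/licence failure, and checks a user’s licence details, in the shape Microsoft Graph returns from a user’s licenseDetails (skuPartNumber, and servicePlans with servicePlanName and provisioningStatus), for a successfully provisioned Intune service plan (INTUNE_A). The log text is taken from the post; the licence records are constructed, and the pending-provisioning case mirrors the post’s note that a freshly assigned licence may take a few minutes to work.

```python
"""Added example: parse an Intune Silverlight 'Save Error Log' text and check a
user's licence details for the Intune service plan. The log text is the snippet
from the post; the licence records are constructed and mimic the shape of
Microsoft Graph's /users/{id}/licenseDetails response."""
import re
from urllib.parse import parse_qs, urlparse

SAMPLE_LOG = """2017-03-31 05:37:56Z Silverlight Error:
Error occurred while retrieving JWT token, check that current user has an Intune license and try again.
ParameterType: Unknown
OperationType: Unknown
Current URL: https://admin.manage.microsoft.com/MicrosoftIntune/Home?accountid=a8f58f04-e279-44ff-95b9-5e81532915e6#Workspace/administration/index%23?P=//administration/MobileAndroidManagement/&A=%7BGID=23363773-6797-4c777-b3c2-01b06e207b74%7D&S=7sh74c9-7bf5-45ac-9fbb-67369263b9
Console Version: 5.0.17411.0
Service address: https://msua02.manage.microsoft.com/
Last 50 Log Entries:
00CCE 03/31/2017 05:37:37 429 Z MainThread 0001    Page instantiated successfully
"""

HEADER_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}Z) Silverlight Error:$", re.M)
FIELD_RE = re.compile(
    r"^(?P<key>ParameterType|OperationType|Current URL|Console Version|Service address): (?P<val>.+)$", re.M)
INTUNE_SERVICE_PLAN = "INTUNE_A"  # Microsoft's service plan name for Intune


def parse_error_log(text: str) -> dict:
    """Split the Save Error Log into its header fields, the error message and the trailing entries."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("not a Silverlight error log")
    # The human-readable error is the line directly after the 'Silverlight Error:' header.
    message = text[header.end():].lstrip("\n").split("\n", 1)[0].strip()
    fields = {m["key"]: m["val"].strip() for m in FIELD_RE.finditer(text)}
    # The tenant account id lives in the query string; the fragment after '#' is console state.
    url = urlparse(fields.get("Current URL", ""))
    account_id = parse_qs(url.query).get("accountid", [None])[0]
    marker = "Last 50 Log Entries:"
    entries = text.split(marker, 1)[1].strip().splitlines() if marker in text else []
    return {
        "timestamp": header["ts"], "message": message, "fields": fields,
        "account_id": account_id, "entries": entries,
        # The error text itself names the condition to verify: the signed-in admin lacks an Intune licence.
        "license_related": "intune license" in message.lower() or "jwt token" in message.lower(),
    }


def has_intune_plan(license_details: list) -> bool:
    """True when any assigned SKU carries a successfully provisioned Intune service plan."""
    return any(
        plan.get("servicePlanName") == INTUNE_SERVICE_PLAN and plan.get("provisioningStatus") == "Success"
        for sku in license_details for plan in sku.get("servicePlans", [])
    )


# Constructed licence records in licenseDetails shape (skuPartNumber + servicePlans).
LICENSED_ADMIN = [{"skuPartNumber": "EMS", "servicePlans": [
    {"servicePlanName": "INTUNE_A", "provisioningStatus": "Success"}]}]
UNLICENSED_ADMIN = [{"skuPartNumber": "ENTERPRISEPACK", "servicePlans": [
    {"servicePlanName": "EXCHANGE_S_ENTERPRISE", "provisioningStatus": "Success"}]}]
PENDING_ADMIN = [{"skuPartNumber": "EMS", "servicePlans": [
    {"servicePlanName": "INTUNE_A", "provisioningStatus": "PendingProvisioning"}]}]

if __name__ == "__main__":
    parsed = parse_error_log(SAMPLE_LOG)
    print(parsed["timestamp"], parsed["message"])
    print("licence problem:", parsed["license_related"], "tenant:", parsed["account_id"])
    for label, details in [("licensed", LICENSED_ADMIN), ("unlicensed", UNLICENSED_ADMIN), ("pending", PENDING_ADMIN)]:
        print(label, "has Intune plan:", has_intune_plan(details))
```

Against a real tenant the list passed to has_intune_plan() would be the servicePlans returned for the admin account by Graph (or by Get-MgUserLicenseDetail); a plan still in PendingProvisioning is reported as not yet usable, which matches the wait the post describes.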

How to Resolve Intune Android for Work Configuration Refresh Error | Microsoft Endpoint Manager Fix


Intune App Protection Policies for Android iOS Devices

Let’s check how to enable Intune App Protection Policies for Android and iOS devices. You can get more details and the end-user experience from the video given below. The latest post on MAM policies is available here: Step by Step procedure to create App Protection policies for iOS/iPadOS in Intune.

How to Enable Intune MAM without Enrollment and Azure AD Conditional Access | Endpoint Manager? Microsoft Intune supports MAM without enrollment (MAM WE) and Conditional Access policies for Android devices. There are two types of management options for Android devices with Intune.

The first one is the traditional way of MDM management, and the second way is the light management of apps installed on Android devices via Intune. The previous post discussed the Android MDM management options and end-user experience.

Video – End-user experience of Android Device MAM WE

Please check the video link

Intune App Protection Policies

Mobile Application Management (MAM) Without Enrollment (WE) is a lightweight management option for Android devices. This option has some advantages over full MDM management options.

For example, if a consultant’s device is already enrolled in a third-party EMM solution, but he wants access to the client’s corporate mail on his mobile device for a very short period, then “MAM WE” is the best option for that consultant. With MAM WE, Intune and Azure AD will ensure that corporate mail and other MAM-enabled applications are protected with MAM policies.

Intune – Mobile Apps – Apps – Skype for Business – Properties: In the following example, you can see that the Skype for Business application for Android has been deployed with a deployment type called “Available with or without enrollment.” The without-enrollment deployment type is for MAM WE management.

How to Enable Intune MAM without Enrollment along with Intune App Protection Policies

The Intune “MAM WE” comes with a separate set of Conditional Access policies. This conditional access policy is different from MDM conditional access policy. So, you need to take little extra care when you deploy both CA policies to the same user groups. I would avoid using the same user group for both policies, or you could use the exclude groups options.

I would avoid deploying the MDM CA policy to user groups whenever possible; rather, I would deploy the MDM CA policy to device groups. Otherwise, we would need a separate MDM CA user group and a MAM WE CA user group with unique users in both groups, which will be tricky.

How to Enable Intune MAM without Enrollment along with Azure AD Conditional Access | Endpoint Manager

Each MAM-enabled application comes with application protection policies (MAM app protection). We need to deploy these app protection policies to MAM WE user groups. Remember, these types of policies (MAM WE) can’t be deployed to device groups.

With an app protection policy, you will get an option to restrict corporate data relocation and App data encryption options. It’s very critical that you should create app protection policies and deploy them to MAM WE user groups.
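The caveat above (keep the MDM CA and MAM WE CA user groups disjoint, or use exclude groups) is easier to check than to remember. The following added example, which is not code from the post, models CA policies with include and exclude groups over constructed Azure AD group memberships and reports any user targeted by both policies; the group names, members and policy names are assumptions made for the example.

```python
"""Added example: audit which users an MDM Conditional Access policy and a MAM WE
Conditional Access policy both target. Group names, members and policy names
are constructed for this example; none of it is the post's own code."""
from dataclasses import dataclass, field

# Constructed Azure AD group memberships (user principal names).
GROUPS = {
    "MDM-Users": {"alice@contoso.example", "bob@contoso.example", "carol@contoso.example"},
    "MAM-WE-Users": {"carol@contoso.example", "dave@contoso.example"},
}


@dataclass
class CaPolicy:
    """Minimal model of a CA policy assignment: included groups minus excluded groups."""
    name: str
    include_groups: set
    exclude_groups: set = field(default_factory=set)

    def targeted_users(self, groups: dict) -> set:
        included = set().union(*(groups.get(g, set()) for g in self.include_groups))
        excluded = set().union(*(groups.get(g, set()) for g in self.exclude_groups))
        return included - excluded


def overlapping_users(policies: list, groups: dict) -> dict:
    """Map every user targeted by more than one policy to the (sorted) policy names."""
    hits = {}
    for policy in policies:
        for user in policy.targeted_users(groups):
            hits.setdefault(user, []).append(policy.name)
    return {user: sorted(names) for user, names in hits.items() if len(names) > 1}


MDM_CA = CaPolicy("MDM CA", {"MDM-Users"})
MAM_WE_CA = CaPolicy("MAM WE CA", {"MAM-WE-Users"})
# One of the two remedies the post gives: exclude the MAM WE group from the MDM CA policy.
MDM_CA_FIXED = CaPolicy("MDM CA", {"MDM-Users"}, exclude_groups={"MAM-WE-Users"})

if __name__ == "__main__":
    print("before:", overlapping_users([MDM_CA, MAM_WE_CA], GROUPS))  # carol is hit by both
    print("after: ", overlapping_users([MDM_CA_FIXED, MAM_WE_CA], GROUPS))  # {}
```

In a real tenant the GROUPS dictionary would be filled from group membership (for example the members of each group as returned by Graph), and the same audit can be run before every CA change; the post’s other remedy, assigning the MDM CA policy to device groups instead of user groups, sidesteps the overlap entirely.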

Intune App Protection Policies -How to Enable Intune MAM without Enrollment along with Azure AD Conditional Access | Endpoint Manager

End-User Experience – How to Enable Intune MAM without Enrollment

The video here will provide you with the Intune MAM WE real-time end-user experience.


How to Get Intune Environment Ready for iOS Mac OS Devices Microsoft Endpoint Manager

How to Get Intune Environment Ready for iOS Mac OS Devices Microsoft Endpoint Manager? The first requirement for iOS and MAC OS device enrollment is the Apple MDM push cert setup. You need to download a unique certificate signing request (CSR) from Intune tenant and upload the same to the Apple portal.

Once uploaded successfully, you will get an option to download the Apple MDM push cert from the Apple portal. The MDM push cert has to be uploaded to the Intune portal so that you can enroll iOS and MAC OS devices via Intune. This process has been explained in the above video.

I assumed that Intune MDM authority setting had already been completed before setting up the Apple MDM push cert and configuring Enrollment restriction policies.

Latest Post How to Configure Intune Enrollment Setup for iOS macOS Devices

Video about the setting up iOS/MAC OS MDM management via Intune

Please check the video link here.

Once the Apple MDM push cert setup has been completed then, we could proceed with the following configurations related to iOS and macOS management. As the next step, I would configure the Enrollment Restriction rules for iOS devices.

Suppose your organization has decided not to allow (block) personal iOS devices from enrolling into Intune. In that case, you need to set up an enrollment restriction type based on the platform configurations. I have a detailed post about restricting personal iOS devices here.

How to Get Intune Environment Ready for iOS Mac OS Devices Microsoft Endpoint Manager

The next step is to set up Conditional Access policies for iOS devices (while we are still waiting for Mac OS conditional Access policy). I would recommend doing this at the time of the initial setup of Intune. As you can see in the following screen capture, you have a couple of options.

Either you can select individual supported platforms for the Conditional Access policy, or you can select “All platforms (including unsupported).” Somehow, my recommendation is to use the latter one, “All platforms (including unsupported).”

How to Get Intune Environment Ready for iOS Mac OS Devices Microsoft Endpoint Manager

Azure AD Conditional Access policies can be deployed either combined with compliance policies or without compliance policies. I would recommend deploying conditional access policies with compliance policies. So, the next step is to set compliance policies for iOS devices. Are you wondering why there is no encryption option/compliance policy for iOS devices?

If so, there is no need for an encryption policy for iOS devices because those devices will get encrypted once the password has been enforced for devices.

How to Get Intune Environment Ready for iOS Mac OS Devices Microsoft Endpoint Manager

After compliance policy settings, it’s time to set up configuration policies for iOS and MAC OS devices. Intune Configuration policies are there to deploy security settings for the devices. Also, these types of policies can be used to enable or disable features of devices.

Details about different types of Intune configuration profiles are discussed here in my previous video blog post. Device restriction policies are nothing but security configuration policies in Intune Azure portal.

How to Get Intune Environment Ready for iOS Mac OS Devices Microsoft Endpoint Manager

Conclusion – How to Get Intune Environment Ready for iOS Mac OS

The above-mentioned policies are very basic policies that you want to configure if your organization has decided to manage iOS and MAC OS devices via Intune. There are loads of advanced MDM policy management options available with Microsoft Intune.

You can also create custom configuration policies for iOS devices if some of your security requirements are not available out of the box with Intune configuration policies. Apart from that, you can deploy Wi-Fi profiles, VPN profiles, and certificates to iOS devices using Intune MDM.

Another option with Intune MAM WE (without enrollment) is to manage corporate applications via MAM policies and MAM WE Conditional Access policies.

In this scenario, your users don’t need to enroll in Intune MDM management. So, this is another decision point for each organization whether they should use MAM WE or the MDM channel of iOS management.


Bangalore IT Pro Full Day User Group Event on Intune and SCCM Configuration Manager Endpoint Manager

Bangalore IT Pro Full Day User Group Event on Intune and SCCM Configuration Manager Endpoint Manager? We had a full-day free Bangalore IT Pro User Group event on 18th March 2017. This was a free event conducted by the BLR IT Pro group. In this event, we covered Intune’s new Azure portal features.

Also, we covered the newest additions to SCCM/ConfigMgr CB 1702 TP. 90% of the sessions were covered with demos, and attendees had some hands-on experience with Android for Work devices. I have created a quick video of some lively moments of the event here.

Introduction

Bangalore IT Pro Full Day User Group Event on Intune and SCCM Configuration Manager Endpoint Manager?

  • Join the SCCM/ConfigMgr Professional Group to get updates about future events – here
  • Follow the Facebook page to get notified about similar events – here

I had a great experience interacting and sharing knowledge with more than 40 attendees. Most of them are SCCM admins planning to move to the Intune world. Some of them have already got great experience with Intune iOS management, application wrapping, the Apple DEP program, etc. Others are AirWatch admins, so they had a good new experience with Intune features.

Bangalore IT Pro Full Day User Group Event on Intune and SCCM Configuration Manager Endpoint Manager

Topics

Following are the topics I covered in the full-day free event. You can get the presentation link below.

  • What is Modern Device Management?
  • Basic Understanding of Intune
  • Azure Active Directory AAD Overview
  • Create AAD Dynamic Device/User Groups
  • Intune Silverlight Portal Overview
  • Intune Azure Portal Overview
  • What is Conditional Access?
  • Configure Conditional Access
  • Configure Compliance, Configuration Policies
  • Table – Compliance Policies – Remediated/Quarantined
  • Windows 10 Modern Device Management
  • iOS/MAC OS Management
  • Android for Work Management
  • Troubleshooting?
  • SCCM CB 1702 TP New Features

You can download the Presentation to get the reference links from the PowerPoint notes!

https://www.slideshare.net/slideshow/embed_code/key/4t1BmahfsEu3Tc

Bangalore IT Pro Full Day Event on Intune and SCCM from Anoop Nair


How to Restrict Personal Android Devices from Enrolling into Intune | Endpoint Manager | MEM

How to Restrict Personal Android Devices from Enrolling into Intune | Endpoint Manager | MEM? Are you still waiting for the migration from Intune Silverlight to the Azure portal? I would recommend watching the following video post to get an overview of the new Intune blade in the MEM portal here.

We can have more granular restrictions for MDM enrollments in the new Intune portal. It’s amazing to see new features in the MEM Intune portal. A month ago, I blogged about restricting personal iOS devices from enrolling in Intune via enrollment restriction rules here.

More detailed explanation in the video tutorial

Please go through the video here.

iOS personal devices can be restricted from enrolling in Intune MDM. However, there was no option to restrict personal Android devices from enrolling into Intune MDM. The Intune team has now lit up the feature to restrict personal Android devices from enrolling into Intune.

This was one of the features I was looking for to appear in the Azure portal. So, can we allow only Android for work-supported devices to enroll in Intune MDM? With this enrollment or device type restriction option, the answer is NO. So what is the difference between company-owned Android devices and personally owned Android devices?

| Features | Company-owned device | Personal device |
| --- | --- | --- |
| Opt-out of Device Owner mode | No | Yes |
| With device approvals enabled, the administrator must approve the device | No | Yes |
| Administrators can receive an inactivity report every 30 days | Yes | No |
| Factory resets that users initiate block device re-enrollment | Yes | No |
| Account wipe available | No | Yes |
How to Restrict Personal Android Devices from Enrolling into Intune | Endpoint Manager | MEM

When you turn on the “Block Android Personal Device” option from the Intune blade in the Azure portal, all personal Android devices will be blocked from enrollment. Personal Android devices can be Android for Work (AfW) supported devices and non-Android for Work devices.

Initially, I thought Android for Work would not be treated as a personal device. Rather, it would be treated as a corporate-owned device. But I was wrong. For corporate-owned devices, Android for Work can be deployed in a Work Managed mode which provides full device management.


The Enroll Devices node is the place in the Intune Azure portal where you can set up a personally owned Android devices restriction policy. Within Enrollment restrictions rules, we can have two types of restrictions: Device Type restrictions and Device Limit restrictions.

In this scenario where we want to restrict personal Android devices, we need to create an enrollment type policy to allow the Android platform to enroll in Intune. Once the Android platform has enrollment enabled, go to Platform Configurations and then BLOCK personally owned Android devices.


Conclusion

Ideally, when you block personally owned Android devices from enrollment, all Android devices enrolled via a non-corporate way should get blocked.

As per my testing, this is not working. After enabling the “block Android personally owned devices” policy, I enrolled a couple of Android devices, and those devices got enrolled without any issues.


In the below screen capture, I have enrolled two Android devices into Intune, and the Intune console detects those as personal devices. I’m not sure why they are not getting blocked.
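One way to verify whether the restriction actually holds, instead of eyeballing the console, is to pull the Android devices Intune manages and list the ones flagged as personally owned that enrolled after the policy was applied. This is an added example and not part of the original post; it assumes the Microsoft Graph PowerShell SDK (newer than the portal shown above), a signed-in account with the DeviceManagementManagedDevices.Read.All scope, and a placeholder policy date.

```powershell
# Added audit script, not from the original post. Assumes the Microsoft.Graph PowerShell
# SDK is installed and the account has the DeviceManagementManagedDevices.Read.All scope.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

# Placeholder: the date the "Block personally owned Android devices" restriction was turned on
$policyAppliedOn = Get-Date "2017-01-01"

# Every Android device Intune currently manages (server-side filter on operating system)
$androidDevices = Get-MgDeviceManagementManagedDevice -All -Filter "operatingSystem eq 'Android'"

# Keep only devices Intune itself classifies as personally owned that enrolled after the policy date
$personalAfterPolicy = $androidDevices |
    Where-Object { $_.ManagedDeviceOwnerType -eq 'personal' -and $_.EnrolledDateTime -gt $policyAppliedOn } |
    Select-Object DeviceName, UserPrincipalName, DeviceEnrollmentType, ManagedDeviceOwnerType, EnrolledDateTime |
    Sort-Object EnrolledDateTime

if ($personalAfterPolicy) {
    # Each row here is a device the restriction should have stopped but did not
    Write-Warning ("{0} personal Android device(s) enrolled after the restriction was applied:" -f @($personalAfterPolicy).Count)
    $personalAfterPolicy | Format-Table -AutoSize
} else {
    Write-Host "No personal Android devices enrolled after $policyAppliedOn; the restriction is holding."
}
```

The DeviceEnrollmentType column separates work profile enrollments from fully managed ones, which is what shows whether Android for Work devices are being counted as personal, as the post observes.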

References:-

  • Android Management Experience setup guide – Evaluate Android enterprise features – here
  • Add management for company-owned devices here
  • Manage your business’s mobile devices – here

Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

How to Remove Work Profile from Intune Managed Android Devices | Endpoint Manager Intune

How to Remove Work Profile from Intune Managed Android Devices | Endpoint Manager Intune? This post is a quick one that will help you understand the process of removing a work profile from an Android device. So, if you are wondering how the work profiles have been created, you should read my previous post here.

The work profile is created when an Android for Work (A4W) supported device is enrolled in an Intune environment that is enabled to support A4W. There are more than two ways to remove the work profile from Android devices. We will cover three of them in this post.

Video – Android for Work Un-enrollment

The Android for Work un-enrollment process experience is explained in the video here.

How to Remove Work Profile from Intune Managed Android Devices

As per Google documentation, the following is the method to remove the work profile, but I won’t recommend this approach if your device is enrolled in Intune. On Android 5.0+ devices, you can delete your work profile in Settings > Accounts > Remove work profile. Touch Delete to confirm the removal of all apps and data within the work profile.

The first proper way to remove a work profile or unenroll a device is to go to the Intune portal -> Devices and groups -> All devices, select the device that you want to remove or unenroll, then click on the “Remove Company Data” button, which will initiate the un-enrollment process from Intune.


How to Remove Work Profile from Intune Managed Android Devices

Following is another option to remove the work profile or unenroll the Android device. You can also go to your user profile and choose the device you want to delete/remove from the following blade path from the Azure portal “Users and Groups – All users – Anoop Nair (username) – Devices – Device.”

As you can see in the following picture, click on the delete button to remove the device from Intune or to remove the work profile.


The second option to remove the work profile has to be initiated from the end-user device. The user has to initiate this process from the Intune Company Portal application (more details about the Company Portal – read my previous post here).

Launch the Company Portal app from your Android device, tap on the tab called “My Devices,” and select the user’s device. In the following picture, tap on the recycle bin button to remove the device’s work profile.


The Android device un-enrollment process will remove company data from your mobile; it will also remove the work profile created during A4W enrollment. It will also remove all the applications deployed through the work profile.

However, the company portal application will stay there on the device, as you can see in the above picture (#5). It won’t allow you to enroll the device again with the same instance of the company portal. If you want to re-enroll the Android device for Intune management, you need to uninstall the existing company portal and install it again.


Why Available Action is Disabled from Android for Work App Deployment in Intune Endpoint Manager

Why Available Action is Disabled from Android for Work App Deployment in Intune Endpoint Manager? Android for Work configuration for Intune is not very difficult. I have published a post about “How to set up Android for Work management in Intune” here.

There are some restrictions when you deploy a volume-purchased application to Android for Work devices.

We can deploy Android for Work Volume Licensed apps only to user groups. The ONLY deployment actions/options enabled in the drop-down list are Not Applicable, Required, and Uninstall. The “Available” deployment action/option is DISABLED for Android for Work applications.

Android for Work Application Deployment experience

The Android for Work application deployment experience is explained in the video here.


Recently, it came to my notice that the Android for Work Volume-Purchased App deployment action called “Available” has been enabled for some tenants. These “Google Play for Work” applications can be deployed to user/device groups in those tenants where the Available action is enabled.

I have a more detailed explanation in the above video, and you can watch it here. So what does that mean?

Details Why Available Action is Disabled from Android for Work App Deployment in Intune Endpoint Manager

The Android for Work Volume-Purchased application deployment option called “Available” and volume-purchased app deployment to device groups are ONLY available with the new grouping experience in the Azure portal. Hence, this feature is tied to Azure AD group targeting, requiring migration from the Intune Silverlight portal to Azure.

Even when you go to the “Google Play for Work” app store from your Android for Work supported devices, you can’t see all the Android for Work apps. It will only list the apps which are deployed from the Intune console.

App deployment action details are well documented in the TechNet article here. When the app is displayed in the Volume-Purchased Apps node of the Apps workspace, you can deploy it just like any other app.

You can deploy the app to groups of users only. Currently, you can only select the Required and Uninstall actions. From October 2016, we will begin adding the Available deployment action to new tenants.
