Intune Create Device Restriction Policy Profiles Deploy Security Policies to Windows 10 Devices

Let’s discuss how to create Intune device restriction policy profiles and deploy security policies to Windows 10 devices. Intune configuration restriction policies are a critical part of a modern device management strategy. An Intune device restriction policy is the set of security settings applied to your Windows 10 CYOD devices.

As part of your organization’s security policies, you may need to lock down mobile or Windows devices with corporate data and app access. Yes, Intune configuration restriction policies help you lock down Windows devices as per your organization’s security requirements.

In this post, you will learn everything you need to create device restriction policy profiles in Intune and deploy security policies to Windows 10 devices. We will guide you step-by-step through setting up these policies to ensure your devices are secure and comply with your organization’s requirements.

Whether you’re new to Intune or looking to enhance your device management skills, this guide will provide clear and straightforward instructions to help you effectively manage and protect your Windows 10 devices.

Intune Configuration Restriction Policy Deployment with Windows 10

In this video, you’ll learn all about deploying Intune Configuration Restriction Policies on Windows 10. We’ll show you each process step, making it easy to follow. Whether setting up new policies or adjusting existing ones, this video will help you understand how to use Intune to keep your Windows 10 devices secure and well-managed.

Intune Create Device Restriction Policy Profiles Deploy Security Policies to Windows 10 Devices – Video 1

Create Intune Device Restriction Policy for Windows 10 Devices

You can create an Intune device restriction policy for Windows 10 from Microsoft Intune – Device Configuration – Profiles – Create New Profile. I selected Windows 10 as the platform; platform selection is essential.

You also need to select the profile type while creating an Intune configuration restriction policy. In my scenario, the device restriction policy is named “Windows 10 CYOD Restrictions.”

Platform              Profile Type
Windows 10 and Later  Device Restrictions
Intune Create Device Restriction Policy Profiles Deploy Security Policies to Windows 10 Devices – Table 1
Intune Create Device Restriction Policy Profiles Deploy Security Policies to Windows 10 Devices – Fig.1

As shown below, the Windows platform Intune device restriction policy for out-of-box settings is segregated into 16 sections. This list is comprehensive, and we can lock down Windows 10 machines as required.

Is this Intune device restriction policy a replacement for group policies? No, it’s still not a replacement for AD group policies.

  1. General
  2. Password
  3. Personalization
  4. Locked screen experience
  5. App Store
  6. Edge Browser
  7. Search
  8. Cloud and Storage
  9. Cellular and Connectivity
  10. Control Panel and Settings
  11. Defender
  12. Defender Exclusions
  13. Network Proxy
  14. Windows Spotlight
  15. Display
  16. Start

Deploy Windows 10 Intune Device Restriction Policy

You can deploy the Windows 10 Intune device restriction policy to either Windows 10 CYOD dynamic device groups or Windows 10 user groups. Dynamic device groups are still in preview, and dynamic group membership is not always stable. So, at least for the next two months, I will prefer to deploy policies to user groups rather than dynamic device groups.

Windows 10 End-user Experience of Intune Device Restriction Policy

As you can see in the video tutorial at the top of this post, I configured the date and time setting to block changes as part of the initial Windows 10 device restriction policy. The end user logged in to the Windows 10 machine can’t change the system time.

After that, I changed the Windows time setting policy again, and once the new policy applied, the user could change the time on the Windows 10 system.
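To confirm on the client that a device restriction setting actually landed (rather than trusting the portal's reporting), you can read the effective Policy CSP value from the registry. This is an added example, not code from the original post; it assumes that the date and time block maps to the Policy CSP node Settings/AllowDateTime (0 = blocked, 1 = allowed) and that effective device-scope values are stored under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device, with per-enrollment copies under PolicyManager\providers.

```powershell
# Added example (not from the original post): read the effective MDM policy value that
# the Policy CSP wrote for a given area/policy and report whether the restriction applied.
# Assumption: Intune's "date and time modification" block maps to Settings/AllowDateTime
# (0 = blocked, 1 = allowed) and effective values live under PolicyManager\current\<scope>.

function Get-MdmPolicyValue {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Area,   # Policy CSP area, e.g. 'Settings'
        [Parameter(Mandatory)] [string] $Name,   # policy name, e.g. 'AllowDateTime'
        [ValidateSet('device', 'user')] [string] $Scope = 'device'
    )
    $key = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\$Scope\$Area"
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-DateTimeLockdown {
    # Returns an object a compliance or health-check script can act on.
    $value = Get-MdmPolicyValue -Area 'Settings' -Name 'AllowDateTime'
    [pscustomobject]@{
        PolicyPresent     = ($null -ne $value)
        RawValue          = $value
        TimeChangeBlocked = ($value -eq 0)
    }
}

function Get-MdmPolicySource {
    # Lists which enrollment (provider) pushed the value. Useful when a device carries
    # both an Intune enrollment and a stale MDM enrollment that still sets policy.
    param([string] $Area = 'Settings', [string] $Name = 'AllowDateTime')
    $providers = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\providers'
    if (-not (Test-Path $providers)) { return @() }
    Get-ChildItem -Path $providers | ForEach-Object {
        $path = Join-Path -Path $_.PSPath -ChildPath "default\Device\$Area"
        $p = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($p) {
            [pscustomobject]@{ EnrollmentId = $_.PSChildName; Value = $p.$Name }
        }
    }
}

Test-DateTimeLockdown | Format-List
Get-MdmPolicySource   | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the enrolled device after a policy sync; TimeChangeBlocked should read True after the first policy and False after the second one described above.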

Intune Create Device Restriction Policy Profiles Deploy Security Policies to Windows 10 Devices – Fig.2


Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

How to Enable Intune Company Portal Browser Access for Conditional Access Enabled Web Apps

Let’s discuss how to enable Intune Company Portal browser access for Conditional Access enabled web apps. I have been testing and developing a solution for Android device management with Intune. I have shared my Android for Work learning experiences in my previous posts – Android.

In this post, we will see and learn how to enable Intune Company Portal browser access for Android devices. What is the need for enabling Company Portal browser access?

To put it in simple words, if your organization is using Azure AD Conditional Access (CA) enabled internal web applications, then we need to enable the Company portal browser access option.

This post will provide a comprehensive guide on enabling Intune Company Portal browser access for conditional access-enabled web apps. We will walk you through the necessary steps to configure your settings, ensuring easy access control and security compliance.

How to Enable Intune Company Portal Browser Access

The above video recording gives you the same user experience when you have CA access-enabled web applications and you have not enabled company portal browser access. As you can see in the video, the managed browser for Android devices gives an error stating that the device is not enrolled.

Yes, the managed browser application can’t tell whether the device is already enrolled. When you perform the action “Intune Company Portal Browser Access,” the app will try to install the Microsoft work account certificate on the Android device. There is a known issue with the previous version of the Company Portal application on Android devices.

How to Enable Intune Company Portal Browser Access
  1. Open the Company Portal app.
  2. Go to the Settings page from the ellipsis (…) or hardware menu button.
  3. Press the Enable Browser Access button.
How to Enable Intune Company Portal Browser Access for Conditional Access Enabled Web Apps – Table 1

Microsoft Work Account Certificate Installation Error

Allow the Company portal and Intune-managed apps to record future actions in greater detail, which may help your IT administrator better identify and solve issues.

How to Enable Intune Company Portal Browser Access for Conditional Access Enabled Web Apps – Fig.1

End-User Experience of ENROLL Device Error

The solution to the Microsoft “work account certificate installation” error mentioned above is to update the Company Portal application for Android devices. Are you getting an ENROLL error on your device (as you can see in the following screen capture)?

Does this error appear when you try to access Conditional Access-enabled web applications through the managed browser? The web apps without CA are working fine? If so, you must perform the following action from your Android device: “Intune Company Portal Browser Access.”

How to Enable Intune Company Portal Browser Access for Conditional Access Enabled Web Apps – Fig.2

Microsoft Work Account Certificate Installation

Now, it’s time to update the Company Portal application on Android for Work-enabled devices. Once the device has the latest version of the Company Portal app, open the Company Portal app, go to Settings, and tap the “Enable Browser Settings” button.

This action opens a popup for installing a Microsoft Work Account certificate. The user must select the cert and tap on the ALLOW button. The video tutorial at the top of this post explains this process.

How to Enable Intune Company Portal Browser Access for Conditional Access Enabled Web Apps – Fig.3

End USER Experience of CA-enabled Web Application Access

Once the managed browser has a certificate, the web applications opened in the Managed browser can use the Microsoft Work account cert. This will allow the managed browser to securely open conditional access-enabled internal web applications. In my experience, the user doesn’t require a tap on the INSTALL button; rather, the user must tap on the ALLOW button to complete this configuration.

How to Enable Intune Company Portal Browser Access for Conditional Access Enabled Web Apps – Fig.4



How to Deploy Microsoft Store for Business Apps using Intune

Let’s discuss how to Deploy Microsoft Store for Business Apps using Intune. Microsoft Store for business apps is part of your organization’s private store apps.

Originally, the only way to deploy Store apps using Intune was a required deployment. Today, Microsoft Store for Business apps can be deployed as “Available,” “Required,” or “Uninstall” apps to Windows 10 or Windows 11 devices.

On September 15, 2023, Microsoft Store for Business and Education apps will be removed from the Intune admin center. Apps on the device will remain until intentionally removed.

About a month later, the Microsoft Graph API microsoftStoreForBusinessApp will no longer be available. Use New Store to Deploy New Microsoft Store Apps Type From Intune with Winget.

How to Deploy Microsoft Store for Business Apps using Intune – Fig.1

The logic behind NOT having an “available” deployment option is very understandable. The user doesn’t need an available deployment via Intune because the user always has private store access to install the apps manually.

Let’s check how to deploy the WhatsApp application from the Microsoft store to Windows 10/11 devices, which Microsoft Intune manages.

NOTE! – Microsoft Store for Business retirement has been announced, and Microsoft Store for Business will retire by early 2023. Read more: Use Winget Windows Package Manager Tool To Install Microsoft Store Apps Using Intune.

Requirements – Microsoft Store for Business Application Deployment using Intune

Let’s quickly look at the requirements for Microsoft Store for Business Application Deployment using Intune.

  • Browser compatible with Microsoft Store for Business
  • The administrator account needed to integrate MSfB with SCCM
  • Employees need Azure AD accounts when they access the content from MSfB
  • Proxy configuration requirements for MSfB
  • Devices must be registered with Azure AD or joined to the same Azure AD tenant where you registered the MSfB for online app deployment.
  • Azure AD Global admin (or appropriate) access to create Applications to connect ConfigMgr site to Azure AD and MSfB

Decide Offline or Online Applications using Intune

The MSfB supports two types of application licenses, and you should be very careful about which license type you choose when adding an application. Devices don’t need to be Azure AD registered or hybrid Azure AD joined for offline apps.

  • Online: Windows 10 devices must be joined to Azure Active Directory (Azure AD) or hybrid Azure AD-joined.
  • Offline: Devices don’t need to connect to the store or have a connection to the internet.

Read More -> Offline Application deployment example – Install Windows Company Portal Offline Version Using Intune.

Search Store Applications from MSfB for Intune App Deployment

Let’s log in to the Microsoft Store for Business and search for the apps you want to add to Intune. Try to add WhatsApp to the private store and deploy it to Intune-managed Windows 10/11 devices.

NOTE! – Microsoft Store for Business will retire in the first quarter 2023.

  • Login to MSfB with Azure AD admin account https://businessstore.microsoft.com/
  • Search for the “WhatsApp” Microsoft Store application you want to add.
  • Search URL https://businessstore.microsoft.com/en-us/store/search?q=whatsapp
How to Deploy Microsoft Store for Business Apps using Intune – Fig.2

Add Apps to Private Store

You have already found the required app (above section): WhatsApp. Now, let’s add it to the organization’s private store.

  • Click on any application – WhatsApp
  • Select License type: Offline
  • Click on Get the app
How to Deploy Microsoft Store for Business Apps using Intune – Fig.3

Once you click the Get the App button, the WhatsApp application will be purchased and added to your Microsoft private store.

  • You have successfully added the WhatsApp Beta app to the private store.
  • This app will be available in the admin console after the next MSfB sync with Intune.
  • Click Close to continue.
How to Deploy Microsoft Store for Business Apps using Intune – Fig.4

Initiate a Manual Sync between Intune Portal and Microsoft Store for Business

Let’s initiate a manual sync between the Intune portal and Microsoft Store for Business. If I’m not mistaken, the scheduled sync happens every 24 hours.

  • Login to Endpoint.Microsoft.com
  • Navigate to Tenant Administration – Connectors and Tokens.

Enabling Microsoft Store for Business sync lets you access volume-purchased apps with Intune. Two options must always be enabled for this scenario.

  1. First, you must sign up and associate your Microsoft Store for Business account with Intune (Open the business store link).
  2. Choose the language in which apps from the Microsoft Store for Business will be displayed in the Intune console (Language dropdown).
  3. Set the Microsoft Store for Business sync toggle to Enable (the other option is Disable).

Sync the apps you’ve purchased from the store with Intune. To reflect the newly purchased application WhatsApp, click the SYNC button on the client and wait for the sync to complete.

How to Deploy Microsoft Store for Business Apps using Intune – Fig.5

Deploy Microsoft Store App to Windows 11/10 using Intune

Let’s check how to Deploy the Microsoft Store App to Windows 11/10 using Intune. Let’s head over to Apps and check for the WhatsApp Beta application.

Deploy Microsoft Store App to Windows 11/10 using Intune
  1. Open the Intune portal.
  2. Navigate to All Apps and search for WhatsApp.
How to Deploy Microsoft Store for Business Apps using Intune – Table 1
How to Deploy Microsoft Store for Business Apps using Intune – Fig.6

Click on the WhatsApp application to start the deployment process. This is the typical deployment process for the Intune application. The application is created automatically when you sync Intune and Microsoft Store for Business.

You can assign applications to at least one group. Click ‘Properties’ and edit ‘Assignments’ to start the assignment.

How to Deploy Microsoft Store for Business Apps using Intune – Fig.7

I have deployed this as an available application to an Azure AD group of USERS.

How to Deploy Microsoft Store for Business Apps using Intune – Fig.8

Video Tutorial (Outdated one)

This post and the video tutorial, Intune Configure Windows Store for Business & Deploy Application to Windows 10, have three sections.

  1. Enable and Configure Windows Store for Business
  2. Sync the applications and Deploy applications
  3. End-User Experience of App installation on Windows 10 device
How to Deploy Microsoft Store for Business Apps using Intune – Video 1

Enable and Configure Microsoft Store for Business

First, we must sign up and associate the Microsoft Store for Business (MSfB) account with Intune. Then, we must accept the agreement and consent for Windows Store for Business.

How to Deploy Microsoft Store for Business Apps using Intune – Fig.9

Intune and Microsoft Store for Business Connection

You must open the Intune portal (Azure) to enable and configure Microsoft Store for Business: Microsoft Intune – Mobile Apps – Windows Store for Business. Choose the language in which Windows Store for Business apps will be displayed in the Intune console.

Once you sign up for the Windows Store for Business, you need to connect Intune with the store. This is required to Deploy Windows Store Apps via Intune. Click on the Manage tab and select Store Settings.

Once you are in store settings, you can see three out-of-box connections configured to deploy Windows Store for business apps via MDM solutions. Airwatch, MobileIron Cloud, and Microsoft Intune were the three connections created. Click on the Intune activate button to set up the connection between the store and Intune.

How to Deploy Microsoft Store for Business Apps using Intune – Fig.10

Sync the Applications and Deploy Applications via Intune

Once the Intune connection is activated, you shop for the apps and add them to your organization’s private store. It could take up to 24 hours for newly added apps to appear in the private store (nowadays it is pretty fast, usually within minutes). You can then sync Intune to pull the newly added apps into Intune.

We need to save the settings after the app syncs successfully.

Updated NOTE! You can now log in to the Microsoft Endpoint Manager Admin center and head to Tenant Administration—Connectors and Tokens. Then, click the SYNC button to make the application available in Intune applications.

  • Login to Endpoint.Microsoft.com and Navigate to Tenant Administration – Connectors and Tokens.
How to Deploy Microsoft Store for Business Apps using Intune – Fig.11

After a successful connection, you can see the following settings in Microsoft Store for Business.

How to Deploy Microsoft Store for Business Apps using Intune – Fig.12

How to Deploy Microsoft Store for Business App from Intune

Let’s see how to deploy Microsoft Store for Business apps from Intune. Head to Apps – Windows in the MEM Admin Center portal (Intune) to check application availability there. After the successful sync between Intune and Microsoft Store for Business, the Firefox browser app will be available in the MEM Intune portal.

Select the Windows Store apps you want to deploy to AAD user groups. We only have two options when deploying the Windows Store app via Intune. And those are REQUIRED and UNINSTALL.

So, there is no option to deploy the Windows Store app as an available deployment via Intune because the users already have access to the Windows Private Store.

How to Deploy Microsoft Store for Business Apps using Intune – Fig.12

End-User Experience of App Installation on Windows 10 Device

The end-user experience for Windows 10 1703 users is flawless. The deployment of the Windows Store app via Intune happened in the background, and the user only noticed the installation when the app appeared on their Windows 10 device.

How to Deploy Microsoft Store for Business Apps using Intune – Fig.13



Microsoft Intune Android Work Apps User Experience Explained

Let’s discuss the Microsoft Intune Android Work Apps user experience. The Android operating system has several variants, and fragmentation is very high. What are the reasons for this? With the open standards, every smartphone manufacturer has the freedom and option to customize the operating system according to their preference.

So, all the Android mobile device manufacturers grabbed the opportunity to push their apps and tweak their versions of Android. So, what is the biggest problem with the Intune Android Work apps’ user experience? I will explain the details in this post. I have also explained the same in the video below.

There is no standard user experience, and different mobile manufacturers, like Samsung, Sony, and LetV, have their own way of arranging Android Work applications. Once you have enabled Android for Work support, you can enroll Android devices into Intune for management, as I explained in the post “How to Enroll Android for Work Supported Devices into Intune.”

In this post, we explain the user experience of Microsoft Intune Android Work Apps in all its details.

Intune Android Work Apps User Experience

In this post, we will examine the difference between a good and a bad Intune Android for Work user experience. I want to make it clear that Intune cannot do much to improve the user experience because app placement is an OS capability rather than something Intune controls.

Microsoft Intune Android Work Apps User Experience Explained – Fig.1

I have tested Intune Android for Work enrollment with devices like Nexus 6P, Sony, Samsung, etc. The Intune Android Work Apps user experience is good for all the tested devices. However, the problem is the placement of badged applications on the devices.

  • Each Android mobile manufacturer has its own way of placing badged Android Work applications.
  • I like how a manufacturer places all the badged apps into a folder.
  • This is very useful for the user to switch from work applications to personal ones. In my testing, if the manufacturer does not create a group for work applications after Intune Android for Work enrollment, it does not provide a good user experience.
  • Per my testing on several Android devices, I liked the Intune Android for Work user experience of Samsung and Google Nexus the most.

Intune Android for Work End User Device Experience Video LetV Samsung Nexus Sony

Initially, the Intune Android for Work enrollment experience with the company portal was not flawless. However, the enrollment process has greatly improved with the latest version of the Intune company portal. Suppose you enroll the device with the latest company portal app. You don’t have to close the existing company portal app and open the company portal app for the work app (with a badge/briefcase symbol) to continue the enrollment process.

Microsoft Intune Android Work Apps User Experience Explained – Video 1

Intune Android for Work Nexus 6s Enrollment Experience

In this video, we’ll walk you through the comprehensive enrollment experience of Intune Android for Work on the Nexus 6s. From the initial setup to the final configuration, we’ll guide you step-by-step to ensure a smooth and efficient process.

Microsoft Intune Android Work Apps User Experience Explained – Video 2

I like the Samsung and Google Nexus user experience because all the Android work applications are placed or stored in a separate WORK folder. The work folder helps users better segregate their apps from work apps.

That user experience is excellent. The Android work apps’ user experience on Sony and LetV devices is not so good if you compare it with the UX of Samsung and Nexus.

The bad user experience is that those devices won’t create a separate folder for WORK apps. The video tutorial in the first part of this post explains the experience in more detail.

Resources

Intune SCEP HTTP Errors Troubleshooting Made Easy With Joy – #5 (anoopcnair.com)



Windows 10 Azure AD Join Automatic Intune Enrollment

Let’s discuss the Windows 10 Azure AD Join Automatic Intune Enrollment. In this post, I will provide you with the experience of Windows 10 1703 (RS2) Azure AD join and automatic MDM (Intune) enrollment.

As you can see in the above video tutorial, this is a real-time experience of Windows 10 1703 Azure AD join and Intune auto-enrollment.

Windows 10 1703 is the latest version of the Windows 10 production build, also known as the Redstone 2 (RS2) release. The Windows team has done great work to improve the Out-of-Box Experience (OOBE) of Windows 10 1703. A previous post explains the in-depth process of AADJ and MDM auto-enrollment: “How to Join Windows 10 1607 Machines to Domain or Azure AD.”

Signing in with a Microsoft school or work account is the first screen in the Windows 10 1703 Azure AD join OOBE. A note on the same screen helps users select the account they want to use: “Sign in with the username and password you use with Office 365 or business services from Microsoft.”

Yes, this is a generic kind of message. It would be more helpful if Microsoft could explain to the user how to use their corporate account rather than using technical terms like Office 365 and Business Services from Microsoft.

How to Perform Windows 10 1703 AAD Join and Intune Enrollment

The video below offers a comprehensive, step-by-step guide on performing a Windows 10 1703 Azure Active Directory (AAD) join and enroll your device in Microsoft Intune. It covers all the necessary steps, from initiating the AAD join process to successfully completing the Intune enrollment, ensuring that your device is properly managed and secured within your organization’s network.

Windows 10 Azure AD Join Automatic Intune Enrollment – Video 1

Windows 10 Azure AD Join Automatic Intune Enrollment

This is the sign-in screen. Please sign in using the username and password associated with your Office 365 account or any other Microsoft business services.

Windows 10 Azure AD Join Automatic Intune Enrollment – Fig.1

The Windows 10 1703 OOBE screen allows the user to choose a traditional domain join option. It also allows the user to create a local user account and log in with that account. The Windows 10 1703 OOBE experience has been greatly improved.

It will ask to connect to a Wi-Fi network and allow the user to connect to web-based authenticated Wi-Fi routers (not all? I need to test this further). Once connected to the internet, it will check for the latest software updates available and install them.

Windows 10 Azure AD Join Automatic Intune Enrollment – Fig.2

Windows 10 Azure AD Join Experience?

Windows 10 1703 Azure AD join is almost fully automated once users enter their username and password on the OOBE screen mentioned above. However, user input is required on one particular screen: the privacy settings screen.

Once the user has accepted the Windows 10 1703 privacy settings, the device automatically logs in with the user name and password. Is this a new SSO for Windows 10 1703 Azure AD join? You can confirm the AAD join from the Settings—Accounts section in Windows 10 1703.

Settings – Accounts sections in Windows 10 1703:
  • Your info
  • Email and app accounts
  • Sign-in options
  • Access work or school
  • Other people
  • Sync your settings
Windows 10 Azure AD Join Automatic Intune Enrollment – Table 1
Windows 10 Azure AD Join Automatic Intune Enrollment – Fig.3

Windows 10 MDM Intune Auto Enrollment Experience

Once the Windows device is joined to Azure AD, it should automatically enroll in Intune management. To get this experience, you should have enabled the MDM auto-enrollment option in your Azure AD. In my experience with Windows 10 1703, I got the encryption policy popup from the Intune compliance policy within a few minutes of the first login to the device.

The user can also check the Intune enrollment from the School or Work Account section in the Windows 10 settings menu. The Windows 10 MDM stack’s GUI has changed regarding School or Work account settings. The Windows 10 work account added to the device does not have a manage tab. Don’t worry about that because that is a new design for Windows 10 1703. The Windows 10 work/school account setting has only two tabs: Info and Disconnect.

How do you manually sync or check for the new Intune policies in a Windows 10 1703 device? The option is to click on Settings—Accounts—Access Work or School Account—Info—Sync. This will initiate an immediate policy sync with Intune services in the cloud. Afterwards, the user’s Windows 10 device will receive the latest policies from Intune.
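The same two checks (is the device Azure AD joined and MDM enrolled, and can we force a policy sync) can be scripted on the client, which is handy when a user reports that a policy never arrived. This is an added example, not code from the original post; it assumes that dsregcmd /status prints “Key : Value” lines such as AzureAdJoined and MdmUrl, and that the enrollment client registers its sync task as “Schedule #3 created by enrollment client” under the scheduled-task folder \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\.

```powershell
# Added example (not from the original post): confirm Azure AD join and Intune enrollment
# from the client, then trigger the same policy sync the user starts from
# Settings > Accounts > Access work or school > Info > Sync.
# Assumptions: dsregcmd /status output format ("Key : Value" lines) and the
# EnterpriseMgmt\<EnrollmentId>\Schedule #3 task name used by the enrollment client.

function Get-DsregStatus {
    # Parse dsregcmd /status into the handful of fields an admin needs.
    $out = & dsregcmd.exe /status
    $map = @{}
    foreach ($line in $out) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $map[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined = ($map['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($map['DomainJoined']  -eq 'YES')
        TenantName    = $map['TenantName']
        MdmUrl        = $map['MdmUrl']
        # A populated MdmUrl means the device has an MDM (Intune) enrollment.
        MdmEnrolled   = -not [string]::IsNullOrWhiteSpace($map['MdmUrl'])
    }
}

function Start-MdmPolicySync {
    # The enrollment client's on-demand sync task lives under the per-enrollment folder.
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
             Where-Object { $_.TaskName -like 'Schedule #3 created by enrollment client*' }
    if (-not $tasks) {
        Write-Warning 'No MDM enrollment sync task found; the device does not look enrolled.'
        return $false
    }
    $tasks | Start-ScheduledTask
    return $true
}

$status = Get-DsregStatus
$status | Format-List

if ($status.AzureAdJoined -and -not $status.MdmEnrolled) {
    # Joined but never enrolled: the usual cause is the MDM auto-enrollment (MDM user scope)
    # setting in Azure AD not covering this user, as the post describes.
    Write-Warning 'Azure AD joined but no MDM URL: check the MDM auto-enrollment setting in Azure AD.'
}
if ($status.MdmEnrolled) {
    Start-MdmPolicySync | Out-Null
}
```

Run it from an elevated PowerShell session on the Windows 10 device; Event Viewer under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider then shows the sync session that the task kicked off.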

Windows 10 Azure AD Join Automatic Intune Enrollment – Fig.4




Software Update Policy Rings in Intune MEM

Let’s see how to configure Software Update Policy Rings in Intune MEM. How do you set up Windows 10 Software Update Policy Rings in the Intune?

Managing software updates for Windows 10 with Intune is straightforward, but there is a catch: you can’t expect the granular controls you have with SCCM/ConfigMgr. We must configure the Windows Software update policy and deploy that policy to Windows 10 devices.

I have an updated post on Intune monthly patching guide, troubleshooting, etc. Cloud PC Monthly Patching Process Using Intune. Another guide on Intune patching – Software Update Patching Options With Intune Setup Guide (anoopcnair.com)

Windows 10 devices will receive software updates directly from Microsoft Update services. Unlike SCCM, there is no need to download the updates, create a package, and deploy them to the devices (as seen in this video post here).

Windows Update for Business will give us more options to configure and control the behavior of Windows 10 updates and Servicing. Update:- FIX CBB Ring Devices are Getting Windows 10 CB (SAC-T) Updates Intune Windows 10 Update Rings.

Intune Video Software Update Rings Setup Design Decisions

This video guide is about Software Update Policy Rings in Intune MEM. It explains how to set up and manage these policy rings to control when and how updates are applied to your devices. This guide will teach you to update and secure your devices using Intune MEM.

Software Update Policy Rings in Intune MEM – Video 1

Software Update Policy Rings in Intune MEM

We have an out-of-the-box Software Update (Automatic Update) policy as part of the Intune Silverlight portal configuration policy. However, I have noticed that this policy has stopped working in the last few months. Now, there are two options to control the behavior of Windows 10 updates and Windows servicing.

If your Silverlight portal has not yet been migrated to the MEM portal, the first choice is to use custom policies in the Intune Silverlight portal. I have a post here about Intune Silverlight migration blockers.

The second choice is to control Windows Update for business via the Software Updates button in the Intune blade in the MEM portal. We will cover this in this post.

Software Update Policy Rings in Intune MEM – Fig.1

Basic Test Rings for Windows 10 Software Update

As a fundamental requirement, you may need to create at least two Windows 10 Software Update Policy Rings for your organization. One Windows 10 update ring is for Windows 10 machines in the Current Branch (CB).

The second Windows 10 update ring is for Windows 10 machines in the Current Branch for Business (CBB). Windows 10 update rings evolve as you progress with your organization’s testing and development. But this is the first stage of your testing of Software update deployments.

  • Windows 10 CB Update Ring - All the devices in the Current Branch
  • Windows 10 CBB Update Ring - All the devices in the Current Branch for Business

Pilot and Production Rings for Windows 10 or Windows 11 Servicing

Another recommendation is to create different Windows 10 Software Update Policy Rings for deferrals of Windows 10 servicing branches CB and CBB. The rings can be delayed for a maximum of 30 days.

These two update rings would help with the latest Windows 10 CB/CBB servicing updates (e.g., upgrading from 1607 to 1703) with some pilot devices rather than simultaneously deploying servicing updates to all the devices.

During the CB pilot testing, if you find any problems with the upgrade and don’t want to deploy the update to the CBB ring, you can PAUSE the updates for the production ring.

  • Pilot Windows 10 CBB Updates Ring - Pilot Servicing Ring for CBB
  • Production Windows 10 CBB Updates Ring - Production Servicing Ring for CBB
  • Pilot Windows 10 CB Updates Ring - Pilot Servicing Ring for CB
  • Production Windows 10 CB Updates Ring - Production Servicing Ring for CB

Pilot and Production Rings for Windows 10 or Windows 11 Monthly Security Patches

I would also recommend creating different Windows 10 Software Update Policy Rings for Windows 10 CBB and Windows 10 CB quality updates (monthly security and other patches). So, Windows 10 CBB machines will have a minimum of 2 rings.

One ring is for the pilot machines running Windows 10 CBB, and the second ring is for the production machines running Windows 10 CBB. The same applies to Windows 10 CB devices, and the CB machines should also have two rings.

  • Pilot Windows 10 CB Quality Updates Ring - Monthly patch pilot ring
  • Production Windows 10 CB Quality Updates Ring - Monthly patch production ring
  • Pilot Windows 10 CBB Quality Updates Ring - Monthly patch pilot ring
  • Production Windows 10 CBB Quality Updates Ring - Monthly patch production ring

Software Update Policy Rings in Intune MEM – Fig.2

How to Create Advanced Windows 10 Software Update Rings?

There could be other, more complex Windows 10 Software Update Policy Ring scenarios. These rings could depend purely on the requirements of your organisation’s region or business group. Some of the other essential options you have in Windows 10 Software Update Policy Rings are:

  • Windows 10 Automatic update behavior – How do you want to perform scan, download, and install updates? Scheduling options for Windows updates.
  • Do you want to update Windows 10 drivers as part of your patch deployment rings?
  • What kind of Delivery optimization (Build a caching solution with Windows 10) do you want to use?
Delivery Optimization Download Mode: HTTP blended with peering behind same NAT
Software Update Policy Rings in Intune MEM – Table 1
Software Update Policy Rings in Intune MEM – Fig.3

Deployment – Assignment of Windows 10 Software Update Rings

Windows 10 Software Update Policy Ring deployments/assignments are critical decisions. I recommend using dynamic device groups wherever possible, but at the moment, this is not possible for all scenarios. In some scenarios, we need to use static device/user groups. I hope Microsoft will develop assignment exclusion group options (similar to AAD Conditional Access policies).

Exclusion groups would be instrumental in Software Update ring deployment scenarios. For example, you want to exclude pilot devices from the production software update ring deployments, which is impossible without exclusion options.
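The ring design from this post expressed as Graph API calls, as an added example that is not code from the original post. It creates a pilot and a production ring with different deferrals and the CB/CBB branch selection, assigns each to a group, and shows the PAUSE step for the production ring; it assumes the Microsoft.Graph PowerShell SDK, uses the property names of the Graph windowsUpdateForBusinessConfiguration resource, and the group IDs and deferral values are placeholders.

```powershell
# Added example, not code from the original post. Assumes the Microsoft.Graph
# PowerShell SDK; group IDs and deferral days below are placeholders.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
$graph = 'https://graph.microsoft.com/v1.0'

function New-UpdateRing {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        # CB = 'all', CBB = 'businessReadyOnly' (Graph windowsUpdateType values)
        [ValidateSet('all', 'businessReadyOnly')] [string] $Branch = 'all',
        [int] $QualityDeferralDays = 0,   # monthly security and quality patches
        [int] $FeatureDeferralDays = 0,   # servicing / feature updates (e.g. 1607 -> 1703)
        [bool] $IncludeDrivers = $false,
        # "HTTP blended with peering behind same NAT" from the table above
        [string] $DeliveryOptimizationMode = 'httpWithPeeringNat'
    )
    $body = @{
        '@odata.type'                      = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
        displayName                        = $DisplayName
        businessReadyUpdatesOnly           = $Branch
        qualityUpdatesDeferralPeriodInDays = $QualityDeferralDays
        featureUpdatesDeferralPeriodInDays = $FeatureDeferralDays
        driversExcluded                    = -not $IncludeDrivers
        automaticUpdateMode                = 'autoInstallAtMaintenanceTime'
        deliveryOptimizationMode           = $DeliveryOptimizationMode
    }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceConfigurations" `
        -Body ($body | ConvertTo-Json)
}

function Set-UpdateRingAssignment {
    param([Parameter(Mandatory)] [string] $RingId, [Parameter(Mandatory)] [string] $GroupId)
    # /assign replaces the whole assignment set of the profile; there is no exclusion
    # target here, which is the limitation the text describes.
    $body = @{ assignments = @(@{ target = @{
        '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }) }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceConfigurations/$RingId/assign" `
        -Body ($body | ConvertTo-Json -Depth 5)
}

function Set-UpdateRingPaused {
    # Pausing both update classes on the production ring is the PAUSE step from the
    # text: pilot devices keep receiving updates, production devices stop.
    param([Parameter(Mandatory)] [string] $RingId, [bool] $Paused = $true)
    $body = @{
        '@odata.type'        = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
        qualityUpdatesPaused = $Paused
        featureUpdatesPaused = $Paused
    }
    Invoke-MgGraphRequest -Method PATCH -Uri "$graph/deviceManagement/deviceConfigurations/$RingId" `
        -Body ($body | ConvertTo-Json)
}

$pilot = New-UpdateRing -DisplayName 'Pilot Windows 10 CBB Updates Ring' -Branch businessReadyOnly `
    -QualityDeferralDays 0 -FeatureDeferralDays 0
$prod  = New-UpdateRing -DisplayName 'Production Windows 10 CBB Updates Ring' -Branch businessReadyOnly `
    -QualityDeferralDays 7 -FeatureDeferralDays 30
Set-UpdateRingAssignment -RingId $pilot.id -GroupId '<pilot-device-group-id>'
Set-UpdateRingAssignment -RingId $prod.id  -GroupId '<production-device-group-id>'

# If pilot testing surfaces a problem with the upgrade, hold the production ring:
Set-UpdateRingPaused -RingId $prod.id -Paused $true
```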



How to Plan Design Intune Compliance Policy for Android Devices

Let’s discuss planning and designing an Intune Compliance Policy for Android Devices. This post will provide more details about planning and implementing the policy.

Intune compliance policies are the first step of protection before giving access to corporate apps and data. Planning and designing compliance policies for Android devices is essential, as Android is more vulnerable than other operating systems.

Compliance policies and rules might include using a password/PIN to access devices and encrypting data stored on devices. This set of such rules is called a compliance policy. The best option is to use a compliance policy with Azure AD Conditional Access.

Update: When you use or support Android for Work enrollment, select Android for Work as the compliance policy platform. Otherwise, the compliance policies will evaluate your Android devices and report that the policy does not apply to Android for Work-enrolled devices.

How to Setup Intune Compliance Policies for Android

This video guide shows you how to set up Intune compliance policies for Android devices. It provides easy-to-follow instructions for creating policies that ensure your devices meet security standards before accessing company apps and data.

How to Plan Design Intune Compliance Policy for Android Devices – Video 1

How to Setup Windows 10 Device Compliance Policy – How to Plan Design Intune Compliance Policy for Android Devices

Sign in to the Endpoint Manager portal with an Intune admin access account. Select More services, enter Intune in the text box, and then select Enter.

Select Intune—Device Compliance—Compliance Policies and click on the +Create policy button to create a new compliance policy. Select the platform “Android.” Settings configurations are significant for compliance policies.

  • There are some improvements in Azure portal Android compliance policies.
  • There are three categories in Android compliance policies: Device Health, Device Properties, and System Security.
How to Plan Design Intune Compliance Policy for Android Devices – Fig.1

  • Device Health is where the compliance engine checks whether Android devices should be reported. The device health attestation service has many checks, including TPM 2.0 and BitLocker encryption.
  • Device Properties is where Intune Admins define minimum and maximum versions of operating system details for corporate application access. I would keep the minimum version as Android version 6 wherever possible.
    • Operating System Version
    • Minimum Android OS version
    • Maximum Android OS version
  • System Security is the setting where Intune Admins define password policies for Windows devices. These settings have three sections: Password, Encryption, and Device Security.
How to Plan Design Intune Compliance Policy for Android Devices – Fig.2

Password Compliance Policy for Android – I would require a complex alphanumeric password for Android devices, along with the password settings listed below.

Password Compliance Policy for Android
  • Require a password to unlock mobile devices
  • Minimum password length
  • Required password type
  • Maximum minutes of inactivity before the password is required
  • Password expiration (days)
  • Number of previous passwords to prevent reuse
How to Plan Design Intune Compliance Policy for Android Devices – Table 1

Encryption Compliance Policy for Android – Encryption should be a must in your Android compliance policy: require encryption of data storage on the device.

Device Security Compliance Policy for Android – Block apps from unknown sources and block USB debugging on Android devices. These policies are essential and should be enabled.

  • Block apps from unknown sources
  • Require threat scan on apps
  • Block USB debugging on the device
  • Minimum security patch level

Deploy Android Compliance Policy to all Android devices’ dynamic device groups (Update Device Groups are not supported for compliance policies; hence, use user groups for Intune compliance policies). Click on Assignment and select the dynamic device group. I would use AAD dynamic device groups rather than AAD user groups to deploy compliance policies.

How to Plan Design Intune Compliance Policy for Android Devices – Fig.3



How to Setup Intune Compliance Policy for Windows 10 Devices

Let’s discuss Setting up an Intune Compliance Policy for Windows 10 Devices. This post will show how to do so. Managing Windows 10 devices is critical in modern device management.

Intune compliance policies are the initial safeguard in securing access to corporate applications. These policies help ensure that devices meet predefined security and compliance standards, preventing unauthorized or non-compliant devices from accessing sensitive corporate resources.

The Intune Compliance Policy for Windows 10 helps protect company data. The organization must ensure that the devices that access company apps and data comply with specific rules. These rules might include using a password/PIN to access devices and encrypting data stored on devices.

This set of such rules is called a compliance policy. The best option is to use a compliance policy with Azure AD Conditional Access.

How to Setup Intune Compliance Policies for Windows 10

This video guide shows you how to set up Intune compliance policies for Windows 10. It walks you through each step clearly and simply, making it easy to follow.

How to Setup Intune Compliance Policy for Windows 10 Devices – Video 1

How to Setup Intune Compliance Policy for Windows 10 Devices

Sign in to the MEM portal with an Intune admin access account. Select More services, enter Intune in the text box, and then select Enter.

How to Setup Intune Compliance Policy for Windows 10 Devices – Fig.1

Select Intune—Device Compliance—Compliance Policies and click on the +Create policy button to create a new compliance policy. Select the platform as “Windows 10.” Settings configurations are really important for compliance policies. There have been some improvements in Azure portal Windows 10 compliance policies.

The 3 categories in Windows 10 compliance policies are shown in the table below.

Windows 10 Compliance Policies
  • Device Health
  • Device Properties
  • System Security
How to Setup Intune Compliance Policy for Windows 10 Devices – Table 1
How to Setup Intune Compliance Policy for Windows 10 Devices – Fig.2

Device Health is the setting where the compliance engine will check whether Windows 10 devices are reported as healthy by the Windows device Health Attestation Service (HAS). The device health attestation service includes loads of checks, such as TPM 2.0 (the requirement for the latest build of Windows 10 is TPM 1.0), BitLocker encryption, etc.

  • Device Properties is the setting where Intune Admins define the minimum and maximum operating system versions for corporate application access. Operating System Version:
    • Minimum OS version
    • Maximum OS version
    • Minimum OS version for mobile devices
    • Maximum OS version for mobile devices

System Security is the setting where Intune Admins define password policies for Windows devices. These settings have two sections: Password and Encryption. Password Policy—We don’t need to set the Windows password policy here if you already use “Windows Hello for Business.”

  • Require a password to unlock mobile devices
  • Simple passwords
  • Password type: Device default, Alphanumeric, or Numeric
  • Minimum password length
  • Maximum minutes of inactivity before the password is required
  • Password expiration (days)
  • Number of previous passwords to prevent reuse
  • A password is required when the device returns from an idle state (mobile only)

Encryption – If you have enabled HAS in the above policy, you don’t need to enable this encryption policy.

  • Encryption of data storage on a device
How to Setup Intune Compliance Policy for Windows 10 Devices – Fig.3

Deploy Windows 10 compliance to All Windows devices’ dynamic device groups. (Update Device Groups are not supported for Compliance policies—hence, use user groups for Intune compliance policies.)

  • Click on Assignment and select the dynamic device group.
  • I would use AAD dynamic device groups rather than user groups to deploy compliance policies.
How to Setup Intune Compliance Policy for Windows 10 Devices – Fig.4



How to Setup Intune Compliance Policy for iOS Devices

Let’s discuss setting up an Intune Compliance Policy for iOS Devices. This post will explain how to do so. An Intune Compliance Policy ensures that iOS devices accessing company data meet specific security standards.

Enforcing these policies can help protect your organization’s data from unauthorized access and potential security threats. The organization must ensure that the devices that access company apps and data comply with specific rules.

These rules might include using a password/PIN to access devices and encrypting data stored on devices. This set of such rules is called a compliance policy. The best option is to use a compliance policy with Azure AD Conditional Access.

A compliance policy is a set of guidelines that devices must meet to access organizational resources. It ensures that only secure and compliant devices can access company data, reducing the risk of data breaches or unauthorized access.

How to Setup Intune Compliance Policies for iOS

In this video, you will learn all the details on how to set up Intune compliance policies for iOS devices. We’ll guide you through creating and configuring these policies to ensure your company’s data remains secure.

How to Setup Intune Compliance Policy for iOS Devices – Video 1

How Do you Set up the Intune Compliance Policy for iOS?

Sign in to the Azure portal with an Intune admin access account. Select More services, enter Intune in the text box, and select Enter. Select Intune – Device Compliance – Compliance Policies and click the +Create policy button to create a new compliance policy. Select the platform “iOS”.

  1. Settings configurations are significant for compliance policy. In terms of password settings, Azure portal iOS compliance policies have improved.
  2. iOS compliance policies have four categories: Email, Device Health, Device Properties, and System Security.
  3. Email settings require mobile devices to have a managed email profile to access corporate resources.
  4. The device Health setting will check whether the device is jailbroken or not. If the iOS device is Jailbroken, it won’t provide mail access to that device.
  5. The device Properties setting will check the OS version of the device and the minimum version of the iOS OS.
  6. The System Security setting is based mainly on password settings. There are some improvements over the Intune Silverlight portal here. We can have the option not to configure some of the settings, like “Number of non-alphanumeric characters in password.” This was not possible with the Intune Silverlight portal.
How to Setup Intune Compliance Policy for iOS?
  • Require a password to unlock mobile devices
  • Simple passwords
  • Minimum password length
  • Required password type: Not Configured, Alphanumeric, or Numeric
  • Number of non-alphanumeric characters in the password
  • Maximum minutes of inactivity before a password is required
  • Password expiration (days)
  • Number of previous passwords to prevent reuse
How to Setup Intune Compliance Policy for iOS Devices – Table 1

10. Deploy the Intune Compliance Policy for iOS for all iOS devices in the dynamic device group. Click on Assignment and select the dynamic device group. I would use AAD dynamic device groups rather than AAD user groups to deploy compliance policies.

(Update: Device Groups are not supported for Compliance policies – hence, use user groups for Intune compliance policies.)

How to Setup Intune Compliance Policy for iOS Devices – Fig.1
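The three compliance policies described in the Android, Windows 10 and iOS posts above, built and assigned through Graph, as one added example that is not code from the original posts. It assumes the Microsoft.Graph PowerShell SDK, uses the property names of the Graph androidCompliancePolicy, windows10CompliancePolicy and iosCompliancePolicy types, and every threshold value is a constructed starting point rather than a recommendation from the posts.

```powershell
# Added example, not code from the original posts. Assumes the Microsoft.Graph
# PowerShell SDK; all threshold values are constructed placeholders.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'Group.ReadWrite.All'
$graph = 'https://graph.microsoft.com/v1.0'

function New-PlatformDeviceGroup {
    # Dynamic device group keyed on the OS type the device reports at enrolment, so no
    # manual membership upkeep. Android for Work enrolments report a different OS type
    # and need their own platform policy (see the update note in the Android post).
    param([Parameter(Mandatory)] [string] $DisplayName, [Parameter(Mandatory)] [string] $OsType)
    New-MgGroup -DisplayName $DisplayName -MailEnabled:$false -SecurityEnabled:$true `
        -MailNickname ($DisplayName -replace '\W', '') -GroupTypes 'DynamicMembership' `
        -MembershipRule "(device.deviceOSType -eq `"$OsType`")" -MembershipRuleProcessingState 'On'
}

function New-CompliancePolicy {
    param([Parameter(Mandatory)] [hashtable] $Settings, [Parameter(Mandatory)] [string] $GroupId)
    # Graph refuses a compliance policy without at least one scheduled action. "block"
    # with no grace period marks a failing device non-compliant straight away, which is
    # the signal Azure AD Conditional Access evaluates.
    $Settings.scheduledActionsForRule = @(@{
        ruleName                      = 'PasswordRequired'
        scheduledActionConfigurations = @(@{ actionType = 'block'; gracePeriodHours = 0 })
    })
    $policy = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies" `
        -Body ($Settings | ConvertTo-Json -Depth 6)
    $assign = @{ assignments = @(@{ target = @{
        '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }) }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" `
        -Body ($assign | ConvertTo-Json -Depth 6)
    $policy
}

$android = @{
    '@odata.type'                                = '#microsoft.graph.androidCompliancePolicy'
    displayName                                  = 'Android - Baseline compliance'
    securityBlockJailbrokenDevices               = $true        # Device Health: no rooted devices
    osMinimumVersion                             = '6.0'        # Device Properties
    passwordRequired                             = $true        # System Security: Password
    passwordRequiredType                         = 'alphanumeric'
    passwordMinimumLength                        = 6
    passwordMinutesOfInactivityBeforeLock        = 5
    passwordExpirationDays                       = 90
    passwordPreviousPasswordBlockCount           = 5
    storageRequireEncryption                     = $true        # Encryption
    securityPreventInstallAppsFromUnknownSources = $true        # Device Security
    securityRequireVerifyApps                    = $true        # "Require threat scan on apps"
    securityDisableUsbDebugging                  = $true
    minAndroidSecurityPatchLevel                 = '2017-03-01' # constructed date
}

$windows = @{
    '@odata.type'                         = '#microsoft.graph.windows10CompliancePolicy'
    displayName                           = 'Windows 10 - Baseline compliance'
    requireHealthyDeviceReport            = $true          # Device Health via HAS
    bitLockerEnabled                      = $true
    secureBootEnabled                     = $true
    codeIntegrityEnabled                  = $true
    osMinimumVersion                      = '10.0.15063'   # Device Properties: build 1703
    passwordRequired                      = $true          # System Security (skip if WHfB is in use)
    passwordBlockSimple                   = $true
    passwordRequiredType                  = 'alphanumeric'
    passwordMinimumLength                 = 8
    passwordMinutesOfInactivityBeforeLock = 15
    passwordExpirationDays                = 90
    passwordPreviousPasswordBlockCount    = 5
    storageRequireEncryption              = $true          # redundant once HAS reports BitLocker
}

$ios = @{
    '@odata.type'                         = '#microsoft.graph.iosCompliancePolicy'
    displayName                           = 'iOS - Baseline compliance'
    managedEmailProfileRequired           = $true          # Email
    securityBlockJailbrokenDevices        = $true          # Device Health
    osMinimumVersion                      = '10.0'         # Device Properties (constructed)
    passcodeRequired                      = $true          # System Security
    passcodeBlockSimple                   = $true
    passcodeRequiredType                  = 'alphanumeric'
    passcodeMinimumLength                 = 6
    passcodeMinutesOfInactivityBeforeLock = 5
    passcodeExpirationDays                = 90
    passcodePreviousPasscodeBlockCount    = 5
}

foreach ($p in @(@{ os = 'Android'; body = $android }, @{ os = 'Windows'; body = $windows }, @{ os = 'iOS'; body = $ios })) {
    $group  = New-PlatformDeviceGroup -DisplayName "All $($p.os) devices" -OsType $p.os
    $policy = New-CompliancePolicy -Settings $p.body -GroupId $group.Id
    "Created '$($policy.displayName)' ($($policy.id)) assigned to group $($group.Id)"
}
```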



Intune Android Device Support for Google Android for Work Enrollment

Let’s discuss Intune Android Device Support for Google Android for Work Enrollment. Google has a list of supported devices with its Android for Work program. But does Google’s list contain all supported devices?

I don’t think the list is exclusive and lists all the supported devices. I have tested 2 devices not listed as part of Android for work-supported devices. And surprisingly, both devices can enrol in Intune via the Android for Work program.

The article Intune Android Device Support for Google Android for Work Enrollment shows you how to configure the Android Enterprise platform for use with Intune Device Management. We will walk through the steps to set up Intune Enrollment for Android Enterprise Device Management, enabling you to manage corporate-owned devices efficiently with Microsoft Intune.

In this post, you will find all the details about Intune Android Device support for Google Android for Work enrollment. We’ll cover everything you need to know to get started and manage your Android devices effectively using Intune.

Intune Enrollment via Android for Work with Cheap and Affordable Devices

In this video, you will learn all the details about Intune enrollment through Android for Work using cheap and affordable devices. We’ll guide you on how to set up and manage these devices efficiently with Intune.

Intune Android Device Support for Google Android for Work Enrollment – Video 1

Video Tutorials for Android for Work Management via Intune

I tried Samsung Galaxy J7 and LetV Android devices. These devices are not very costly; each costs less than 150 USD. Organizations always struggle to find cost-effective and affordable Android for Work devices from Google’s new list.

After testing two fundamental Android devices, I found that we need to perform trial and error to understand whether the low-cost Android devices support Android for Work.

Android for Work management via Intune
  • Enterprise Devices
  • Affordable work Devices
  • Featured Device
Intune Android Device Support for Google Android for Work Enrollment – Table 1
Intune Android Device Support for Google Android for Work Enrollment – Fig.1

Android – Intune Android Device Support for Google Android for Work Enrollment

Google recently rebranded, and now the name of Android for Work has changed to just “Android” management. Google announced that they are simplifying the names of Android for Work and Play for Work, directly calling Android and Google Play.

According to Google, there are 3 categories of Android devices. The new list also does not cover Samsung S7 and LetV devices.

  1. Enterprise Devices – Premium productivity devices
  2. Affordable work devices – Cost-effective devices ready for work
  3. Featured devices

I successfully enrolled low-cost (cheap) Android devices with Android for Work. Intune managed Samsung S7 and LetV devices with the Google Work profile. Both these devices are running Android version 6.

Conclusion – Intune Android Device Support for Google Android for Work Enrollment

Android for Work is supported for devices not listed in the Google portal. I recommend performing thorough testing before approving Android for Work-supported devices within your organization. Maintaining a recommended list of “Android for Work” supported devices within your organization is always better.

I hope Google will remove support for plain Android management and allow only “Android for Work” to manage Android devices. Also, we need to remember that Android for Work support is available only in specific countries or regions. For example, in China, we don’t have any support for Android for Work.



How to Resolve Intune Android for Work Configuration Refresh Error

Let’s discuss how to Resolve Intune Android for Work Configuration Refresh Error. Android for Work configuration is straightforward in most scenarios.

I have configured “Android for Work” for several tenants without any issues. Recently, however, I encountered an issue while configuring this in the Intune Silverlight console. 

When I click on the configure button to “add Android for Work Binding” on the “Android for Work Mobile Device Management Setup” page in the Intune Silverlight console, it initiates the process. Still, Intune cannot launch the Android for Work binding wizard (webpage). 

In one of our posts, we will show you how to configure the Android Enterprise platform for use with Intune Device Management. You can efficiently manage Android Enterprise corporate-owned devices with Microsoft Intune.

Android for Work Refresh Error in Intune SilverLight Console

The video below demonstrates resolving the Intune Android for Work Configuration Refresh Error. Generally, configuring Android for Work is straightforward in most scenarios. I have successfully set up “Android for Work” for several tenants without issues.

How to Resolve Intune Android for Work Configuration Refresh Error – Video 1

Introduction – How to Resolve Intune Android for Work Configuration Refresh Error

I have already posted about Android for Work configuration and set it up in a different post (How to Enroll Android for Work Supported Devices into Intune). This post and video tutorial will provide a step-by-step process to enable Android for Work management.

As I explained in the first paragraph, the Intune console could not complete Android for Work binding. When I checked the Intune console, there was an Intune console page loading error: “Microsoft Intune was not able to retrieve all data. REFRESH.”

How to Resolve Intune Android for Work Configuration Refresh Error – Fig.1

I tried clicking on the Refresh button several times to see if it worked, but nothing did. There was another button on the Intune Silverlight page, and that was the Save Error Log.

I clicked on the button, and it asked me to save the text log file. For this, I could not retrieve all data errors for the Intune console. I opened the text file, which contains details about the error and possibly the root cause of this issue as well.

Error Message: Error occurred while retrieving JWT token, check that current user has an Intune license and try again.
How to Resolve Intune Android for Work Configuration Refresh Error – Table 1
How to Resolve Intune Android for Work Configuration Refresh Error – Fig.2

As per the Intune Save Error LOG file, the Intune Silverlight error occurred while retrieving the JWT token, and the error log suggests we check whether the current user has an Intune license and try again. Following is the snippet of the log file.

2017-03-31 05:37:56Z Silverlight Error:
Error occurred while retrieving JWT token, check that current user has an Intune license and try again.
ParameterType: Unknown
OperationType: Unknown
Current URL: https://admin.manage.microsoft.com/MicrosoftIntune/Home?accountid=a8f58f04-e279-44ff-95b9-5e81532915e6#Workspace/administration/index%23?P=//administration/MobileAndroidManagement/&A=%7BGID=23363773-6797-4c777-b3c2-01b06e207b74%7D&S=7sh74c9-7bf5-45ac-9fbb-67369263b9
Console Version: 5.0.17411.0
Service address: https://msua02.manage.microsoft.com/
Last 50 Log Entries:
00CCE 03/31/2017 05:37:37 429 Z MainThread 0001    Page instantiated successfully

Resolution

I have added an Intune/EMS license to the Intune Administrator from the new Azure Active Directory portal. It might not work straight away after assigning the license. You may need to wait 3-4 minutes before configuring “Android for Work.” I recommend logging off and logging back into the Intune Silverlight console before configuring “Android for Work.”  
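A scripted version of the check the error log asks for, as an added example that is not code from the original post: it reports whether the admin account holds a provisioned Intune service plan and, if not, assigns a subscribed SKU that contains one. It assumes the Microsoft.Graph PowerShell SDK; the UPN and the usage location are placeholders.

```powershell
# Added example, not code from the original post. Assumes the Microsoft.Graph
# PowerShell SDK; the UPN and usage location are placeholders.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'

function Get-IntuneLicenseState {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    # Intune is a service plan (INTUNE_A in EMS / Intune standalone) inside a SKU, so
    # inspect service plans rather than SKU names; "Success" means it is provisioned.
    $plans = Get-MgUserLicenseDetail -UserId $UserPrincipalName |
        ForEach-Object { $_.ServicePlans } |
        Where-Object { $_.ServicePlanName -like 'INTUNE*' }
    [pscustomobject]@{
        User        = $UserPrincipalName
        Provisioned = @($plans | Where-Object { $_.ProvisioningStatus -eq 'Success' }).Count -gt 0
        Plans       = @($plans | ForEach-Object { "$($_.ServicePlanName)=$($_.ProvisioningStatus)" })
    }
}

function Add-IntuneLicense {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    # Pick a subscribed SKU that carries an Intune service plan and still has free seats.
    $sku = Get-MgSubscribedSku | Where-Object {
        ($_.ServicePlans.ServicePlanName -like 'INTUNE*') -and ($_.PrepaidUnits.Enabled -gt $_.ConsumedUnits)
    } | Select-Object -First 1
    if (-not $sku) { throw 'No subscribed SKU with free Intune seats found.' }
    # License assignment fails unless the user has a usage location set.
    $user = Get-MgUser -UserId $UserPrincipalName -Property UsageLocation
    if (-not $user.UsageLocation) {
        Update-MgUser -UserId $UserPrincipalName -UsageLocation 'US'   # placeholder location
    }
    Set-MgUserLicense -UserId $UserPrincipalName -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()
}

$state = Get-IntuneLicenseState -UserPrincipalName 'intune.admin@contoso.example'
$state
if (-not $state.Provisioned) {
    Add-IntuneLicense -UserPrincipalName $state.User
    # Provisioning is not instant: as the resolution above says, wait a few minutes
    # and sign in to the console again before retrying the Android for Work binding.
}
```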

How to Resolve Intune Android for Work Configuration Refresh Error – Fig.3



Intune App Protection Policies for Android iOS Devices

Let’s check how to enable Intune App Protection Policies for Android and iOS devices. The video below provides more details and an end-user experience. The latest post is available for MAM policies: Step-by-Step Procedure to Create App Protection Policies for iOS/iPadOS in Intune.

Microsoft Intune supports MAM without enrollment (MAM WE) and Conditional Access policies for Android devices. With Intune, there are two types of management options for Android devices.

The first is the traditional way of MDM management, and the second is the light management of apps installed on Android devices via Intune. The previous post discussed the Android MDM management options and end-user experience.

In this post, you will find all the details about Intune App Protection Policies for Android and iOS devices. These policies are essential for managing and securing apps on mobile devices, ensuring that corporate data remains protected even when accessed from personal devices.

Intune MAM without Enrollment along with CA Android Devices

To apply Intune App Protection Policies (APP) effectively, the applications must support these policies. Most Microsoft 365 (M365) applications, such as Outlook, Word, and OneDrive, are compatible with App Protection Policies. These policies help ensure that corporate data accessed through these apps remains secure.

Intune App Protection Policies for Android iOS Devices – Video 1

Intune App Protection Policies for Android iOS Devices

Mobile Application Management (MAM) Without Enrollment (WE) is a lightweight management option for Android devices. This option has some advantages over full MDM management options.

For example, if a consultant’s device is already enrolled in a third-party EMM solution, but he wants access to the client’s corporate mail on his mobile device for a very short period, then MAM WE is the best option for that consultant. With MAM WE, Intune and Azure AD will ensure that corporate mail and other MAM-enabled applications are protected with MAM policies.

Intune—Mobile Apps—Apps—Skype for Business—Properties: In the following example, you can see that Android’s Skype for Business application has been deployed with a deployment type called “Available with or without enrollment.” So, the deployment type without enrollment is for MAM WE management.

Intune App Protection Policies for Android iOS Devices – Fig.1

The Intune “MAM WE” has a separate set of conditional access policies that differ from the MDM conditional access policy. So, you must take extra care when deploying both CA policies to the same user groups. I would avoid using the same user group for both policies, or you could use the exclude groups options.

I would avoid deploying the MDM CA policy to user groups whenever possible and deploy it to device groups. Otherwise, we should have a different MDM CA user group and a MAM WE CA user group with unique users in both groups, which will be tricky.

Intune App Protection Policies for Android iOS Devices – Fig.2

Each MAM-enabled application comes with application protection policies (MAM app protection). We need to deploy these app protection policies to MAM WE user groups. Remember, these types (MAM WE) of policies can’t be deployed to Device Groups.

With an app protection policy, you can restrict corporate data relocation and App data encryption. Creating app protection policies and deploying them to MAM WE user groups is critical.

Intune App Protection Policies for Android iOS Devices – Fig.3

End-User Experience – How to Enable Intune MAM without Enrollment

The video here shows the real-time end-user experience of Intune MAM WE: How to enable Intune MAM without Enrollment and Azure AD Conditional Access | Endpoint Manager.



How to Get Intune Environment Ready for iOS Mac OS Devices

How to Get Intune Environment Ready for iOS Mac OS Devices? The first requirement for iOS and macOS device enrollment is the Apple MDM push cert setup. You need to download a unique certificate signing request (CSR) from the Intune tenant and upload it to the Apple portal.

Once uploaded successfully, you can download the Apple MDM push cert from the Apple portal. The MDM push cert has to be uploaded to the Intune portal so that you can enroll iOS and macOS devices via Intune. This process is explained in the video above.

I assumed that the Intune MDM authority setting had already been completed before setting up the Apple MDM push cert and configuring Enrollment restriction policies.

One of our articles explains how to configure the iOS and macOS platforms for use with Intune. Managing iOS and macOS devices with Intune is crucial for enhancing productivity and protecting enterprise resources. As mobile and remote work environments become more prevalent, employees increasingly rely on their iPhones, iPads, and Mac computers to access important work applications and data.

How to Get Intune Environment Ready for iOS and Mac OS Device Enrollment

Let’s discuss how to get the Intune environment ready for iOS and macOS device enrollment. Preparing your Intune environment for iOS and macOS device enrollment involves several key steps to ensure a smooth and secure setup. This process helps organizations manage Apple devices effectively, providing both security and ease of use for employees accessing corporate resources.

How to Get Intune Environment Ready for iOS Mac OS Devices – Video 1

How to Get Intune Environment Ready for iOS Mac OS Devices

Once the Apple MDM push cert setup has been completed, we can proceed with the following configurations related to iOS and macOS management. As the next step, I would configure the Enrollment Restriction rules for iOS devices.

Suppose your organization has decided not to allow (block) personal iOS devices from enrolling into Intune. In that case, you must set up an enrollment restriction type based on the platform configurations. I have a detailed post about restricting personal iOS devices.

Read more – How to Restrict Personal iOS Devices from Enrolling on Intune Endpoint Manager

How to Get Intune Environment Ready for iOS Mac OS Devices – Fig.1

The next step is to set up Conditional Access policies for iOS devices (while we are still waiting for the Mac OS conditional Access policy). I recommend doing this during Intune’s initial setup. As you can see in the following screen capture, you have a couple of options.

You can select either individual supported platforms for the Conditional Access policy or “All platforms (including unsupported).” I recommend using the latter, “All platforms (including unsupported),” so that a platform you have not explicitly listed does not slip past the policy.

How to Get Intune Environment Ready for iOS Mac OS Devices – Fig.2

Azure AD Conditional Access policies can be deployed either combined with compliance policies or without compliance policies. I recommend deploying conditional access policies with compliance policies. The next step is to set compliance policies for iOS devices. Are you wondering why there is no encryption option/compliance policy for iOS devices?

If so, there is no need for an encryption policy for iOS devices because those devices will get encrypted once the password has been enforced for devices.

System Security                                              | Settings
Require a password to unlock mobile devices                  | Require
Simple passwords                                             | Block
Required password type                                       | Alphanumeric
Number of non-alphanumeric characters in password            | 1
Maximum minutes of inactivity before password is required    | 15 Minutes
How to Get Intune Environment Ready for iOS Mac OS Devices – Table 1

How to Get Intune Environment Ready for iOS Mac OS Devices – Fig.3
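Once the iOS compliance policy in Table 1 is in place, it is worth checking periodically that nobody has relaxed it. The script below is an added example, not part of the original post or of Intune itself: it compares an exported list of compliance policies against the Table 1 baseline. The property names are taken from the Microsoft Graph iosCompliancePolicy resource as I understand it and should be verified against your own tenant export; the sample export is constructed.

```python
"""Check exported Intune iOS compliance policies against the Table 1 baseline.

Added example. Graph property names (passcodeRequired, passcodeBlockSimple,
passcodeRequiredType, passcodeMinimumCharacterSetCount,
passcodeMinutesOfInactivityBeforeLock) are assumed to match the
iosCompliancePolicy resource; verify them against a real export.
"""

# Table 1 baseline: label -> (Graph property, expected value, comparison mode)
# "eq" must match exactly, "ge" must be at least as large, "le" at most as large.
BASELINE = {
    "Require a password to unlock": ("passcodeRequired", True, "eq"),
    "Block simple passwords": ("passcodeBlockSimple", True, "eq"),
    "Alphanumeric password type": ("passcodeRequiredType", "alphanumeric", "eq"),
    "At least 1 non-alphanumeric character": ("passcodeMinimumCharacterSetCount", 1, "ge"),
    "Inactivity before password <= 15 min": ("passcodeMinutesOfInactivityBeforeLock", 15, "le"),
}


def check_policy(policy: dict) -> list:
    """Return findings for one policy; an empty list means it meets the baseline."""
    if policy.get("@odata.type") != "#microsoft.graph.iosCompliancePolicy":
        return [f"{policy.get('displayName')}: not an iOS compliance policy"]
    findings = []
    for label, (prop, expected, mode) in BASELINE.items():
        actual = policy.get(prop)
        if actual is None:
            # An unset setting is not enforced, so it is a finding, not a pass.
            findings.append(f"{label}: {prop} not set")
            continue
        if mode == "eq":
            ok = actual == expected
        elif mode == "ge":
            ok = actual >= expected
        else:
            ok = actual <= expected
        if not ok:
            findings.append(f"{label}: {prop}={actual!r}, expected {mode} {expected!r}")
    return findings


def check_export(policies: list) -> dict:
    """Map each policy's displayName to its list of findings."""
    return {p.get("displayName", "<unnamed>"): check_policy(p) for p in policies}


# Constructed sample export: one policy matching Table 1, one that was relaxed.
SAMPLE_EXPORT = [
    {
        "@odata.type": "#microsoft.graph.iosCompliancePolicy",
        "displayName": "iOS baseline",
        "passcodeRequired": True,
        "passcodeBlockSimple": True,
        "passcodeRequiredType": "alphanumeric",
        "passcodeMinimumCharacterSetCount": 1,
        "passcodeMinutesOfInactivityBeforeLock": 15,
    },
    {
        "@odata.type": "#microsoft.graph.iosCompliancePolicy",
        "displayName": "iOS relaxed",
        "passcodeRequired": True,
        "passcodeBlockSimple": False,
        "passcodeRequiredType": "numeric",
        "passcodeMinutesOfInactivityBeforeLock": 60,
    },
]

if __name__ == "__main__":
    for name, findings in check_export(SAMPLE_EXPORT).items():
        print(name, "OK" if not findings else findings)
```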

After the compliance policy settings, it’s time to set up configuration policies for iOS and macOS devices. Intune configuration policies deploy security settings to the devices and can be used to enable or disable their features.

My previous video blog post discussed the different types of Intune configuration profiles. Device restriction policies are security configuration policies in the Intune Azure portal.

How to Get Intune Environment Ready for iOS Mac OS Devices – Fig.4

Conclusion – How to Get Intune Environment Ready for iOS Mac OS

The above-mentioned policies are the very basic policies you want to configure if your organization has decided to manage iOS and macOS devices via Intune. There are loads of advanced MDM policy management options available with Microsoft Intune.

You can also create custom configuration policies for iOS devices if some of your security requirements are not available in the built-in Intune configuration policies. In addition, you can deploy Wi-Fi profiles, VPN profiles, and certificates to iOS devices using Intune MDM.

Another option with Intune MAM WE (without enrollment) is to manage corporate applications via MAM policies and MAM WE Conditional Access policies.

In this scenario, your users don’t need to enroll in Intune MDM management. Therefore, each organization must decide whether to use MAM WE or the MDM channel of iOS management.



Bangalore IT Pro Full Day User Group Event on Intune and SCCM

Bangalore IT Pro Full Day User Group Event on Intune and SCCM? On March 18th, 2017, the BLR IT Pro group conducted a free full-day Bangalore IT Pro User Group event. At this event, we covered Intune’s new Azure portal features.

We also covered the newest additions to SCCM/ConfigMgr CB 1702 TP. Ninety per cent of the sessions were demos, and attendees had some hands-on experience with Android for Work devices.

Bangalore IT Pro Full Day User Group Event on Intune and SCCM?

  • Join the SCCM/ConfigMgr Professional Group for updates about future events – here.
  • Follow the Facebook page to get notified about similar events – here

I had a great experience interacting with and sharing knowledge with more than 40 attendees. Most of them are SCCM admins planning to move to the Intune world. Some already have significant experience with Intune iOS management, Application wrapping, the Apple DEP program, etc. Some others are Airwatch admins and have had good new experiences with Intune features.

Full Day BLR ITPro Device Management UG Meet

I have created a quick video of some lively moments of the event. The Full Day BLR ITPro Device Management UG Meet is an engaging event for IT professionals specializing in device management. This comprehensive gathering allows attendees to immerse themselves in the latest industry trends, best practices, and emerging technologies.

Bangalore IT Pro Full Day User Group Event on Intune and SCCM – Video 1

Bangalore IT Pro Full Day User Group Event on Intune and SCCM Configuration Manager Endpoint Manager

The full-day free event covered a wide range of topics relevant to IT professionals and device management. These topics included the latest advancements in device management technologies, best practices for ensuring security and compliance, and strategies for optimizing device performance and lifecycle management.

Topics

The following are the topics I covered during the free full-day event. You can get the presentation link below.

Modern Device Management (MDM) is an advanced approach to managing and securing devices within an organization. It uses cloud-based technologies to provide comprehensive management of a wide range of devices, including desktops, laptops, tablets, and smartphones.

Key Components of Modern Device Management
  • Cloud-Based Management
  • Unified Endpoint Management (UEM)
  • Security and Compliance
  • Device Enrollment and Configuration
  • Application Management
  • Monitoring and Reporting
Bangalore IT Pro Full Day User Group Event on Intune and SCCM – Table 1

Session topics:
  • What is Modern Device Management?
  • Basic Understanding of Intune
  • Azure Active Directory (AAD) Overview
  • Create AAD Dynamic Device/User Groups
  • Intune Silverlight Portal Overview
  • Intune Azure Portal Overview
  • What is Conditional Access?
  • Configure Conditional Access
  • Configure Compliance and Configuration Policies
  • Table – Compliance Policies – Remediated/Quarantined
  • Windows 10 Modern Device Management
  • iOS/macOS Management
  • Android for Work Management
  • Troubleshooting
  • SCCM CB 1702 TP New Features
Bangalore IT Pro Full Day User Group Event on Intune and SCCM – Fig.1

https://www.slideshare.net/slideshow/embed_code/key/4t1BmahfsEu3Tc

Bangalore IT Pro Full Day Event on Intune and SCCM from Anoop Nair



How to Restrict Personal Android Devices from Enrolling into Intune

How can I restrict Personal Android Devices from Enrolling in Intune? Are you still waiting to migrate from Intune Silverlight to the Azure portal?

The video post provides a quick overview and comparison between the Intune Azure and Intune Silverlight portals. It highlights the differences and improvements in the new Intune experience within the Microsoft Endpoint Manager (MEM) portal, showcasing the enhanced features and user interface of the Azure-based Intune portal compared to the older Silverlight version.

The new Intune portal allows for more granular restrictions for MDM enrollments. It’s amazing to see new features in the MEM Intune portal. One month ago, I blogged about restricting personal iOS devices from enrolling in Intune via enrollment restriction rules.

This post provides detailed instructions on restricting personal Android devices from enrolling into Intune using Endpoint Manager (MEM). It covers the steps necessary to configure enrollment restrictions, ensuring that only corporate-owned devices can be enrolled and managed through Intune.

How to Restrict Personal Android Devices from Intune Enrollment

Let’s discuss how to restrict personal Android devices from enrolling in Intune. This video provides a detailed guide on configuring Intune settings to ensure that only corporate-owned devices can be enrolled, helping you maintain control over device management within your organization.

How to Restrict Personal Android Devices from Enrolling into Intune – Video 1

How to Restrict Personal Android Devices from Enrolling into Intune

Personal iOS devices can be restricted from enrolling in Intune MDM. However, until now there was no option to restrict personal Android devices from enrolling into Intune MDM. The Intune team has now lit up the feature to restrict personal Android devices from enrolling into Intune.

This was one of the features I was waiting to see in the Azure portal. So, can we allow only Android for Work-supported devices to enroll in Intune MDM? With this enrollment (device type) restriction option, the answer is NO. So, what is the difference between company-owned Android devices and personally owned Android devices?

Features                                                                  | Company-owned device | Personal device
Opt-out of Device Owner mode                                              | No                   | Yes
With device approvals enabled, the administrator must approve the device  | No                   | Yes
Administrators can receive an inactivity report every 30 days             | Yes                  | No
Factory resets that users initiate block device re-enrollment             | Yes                  | No
Account wipe available                                                    | No                   | Yes
How to Restrict Personal Android Devices from Enrolling into Intune – Table 1

All personal Android devices will be blocked from enrollment when you turn on the “Block Android Personal Device” option from Intune Blade in the Azure portal. Personal Android devices can be Android for Work (AfW) supported devices and non-Android for Work devices.

Initially, I thought Android for Work would not be treated as a personal device but as a corporate-owned device. But I was wrong. For corporate-owned devices, Android for Work can be deployed in a Work Managed mode, which provides full device management.

How to Restrict Personal Android Devices from Enrolling into Intune – Fig.1

The Enroll Devices node is the place in the Intune Azure portal where you can set up a restriction policy for personally owned Android devices. Within enrollment restriction rules, we can have two types of restrictions: Device Type restrictions and Device Limit restrictions.

In this scenario, we want to restrict personal Android devices. We need to create a device type restriction policy that allows the Android platform to enroll in Intune. Once the Android platform has been allowed to enroll, go to Platform Configurations and then BLOCK personally owned Android devices.

How to Restrict Personal Android Devices from Enrolling into Intune – Fig.2

Conclusion

Ideally, when you block personally owned Android devices from enrollment, all Android devices enrolled via a non-corporate method should also be blocked.

As per my testing, this is not working. After enabling the “block Android personally owned devices” policy, I enrolled a couple of Android devices, and those devices got enrolled without any issues.

How to Restrict Personal Android Devices from Enrolling into Intune – Fig.3

In the screenshot below, I have enrolled two Android devices into Intune, and the Intune console detects those as personal devices. I’m not sure why they are not blocked.

How to Restrict Personal Android Devices from Enrolling into Intune – Fig.4
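Because the block did not behave as expected in this test, it pays to verify the restriction from the inventory rather than trust the setting. The following is an added example, not code from the original post or from Intune: it scans managed-device pages as the Microsoft Graph managedDevices endpoint returns them (the field names operatingSystem, managedDeviceOwnerType and enrolledDateTime are assumed from that resource) and reports personal Android devices that enrolled after the block was switched on. The pages are constructed inline so it runs offline; fetching them is left to the caller.

```python
"""Audit Intune inventory for personal Android devices enrolled after the
'block personally owned Android' restriction was enabled.

Added example. Field names follow the Microsoft Graph managedDevice resource
as assumed here (operatingSystem, managedDeviceOwnerType, enrolledDateTime,
deviceName, userPrincipalName); the HTTP call is not included.
"""

from datetime import datetime, timezone


def iter_devices(pages):
    """Flatten Graph collection pages of the form {'value': [...], '@odata.nextLink': ...}."""
    for page in pages:
        yield from page.get("value", [])


def find_personal_android(pages, restriction_enabled_at):
    """Return personal Android devices whose enrollment postdates the restriction.

    Devices enrolled before the block was turned on are expected and skipped;
    anything newer is an enrollment the restriction should have prevented."""
    hits = []
    for d in iter_devices(pages):
        if d.get("operatingSystem", "").lower() != "android":
            continue
        if d.get("managedDeviceOwnerType") != "personal":
            continue
        # Graph returns UTC timestamps with a trailing Z; make them tz-aware.
        enrolled = datetime.fromisoformat(d["enrolledDateTime"].replace("Z", "+00:00"))
        if enrolled >= restriction_enabled_at:
            hits.append({
                "deviceName": d.get("deviceName"),
                "user": d.get("userPrincipalName"),
                "enrolledDateTime": d["enrolledDateTime"],
            })
    return hits


# Constructed sample: two result pages, as the endpoint would return them.
SAMPLE_PAGES = [
    {"value": [
        {"deviceName": "android-old", "operatingSystem": "Android",
         "managedDeviceOwnerType": "personal",
         "enrolledDateTime": "2017-03-01T10:00:00Z",
         "userPrincipalName": "alice@example.com"},
        {"deviceName": "android-corp", "operatingSystem": "Android",
         "managedDeviceOwnerType": "company",
         "enrolledDateTime": "2017-04-02T10:00:00Z",
         "userPrincipalName": "bob@example.com"},
    ], "@odata.nextLink": "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$skiptoken=PLACEHOLDER"},
    {"value": [
        {"deviceName": "android-leak", "operatingSystem": "Android",
         "managedDeviceOwnerType": "personal",
         "enrolledDateTime": "2017-04-03T08:30:00Z",
         "userPrincipalName": "carol@example.com"},
        {"deviceName": "iphone-personal", "operatingSystem": "iOS",
         "managedDeviceOwnerType": "personal",
         "enrolledDateTime": "2017-04-03T09:00:00Z",
         "userPrincipalName": "dave@example.com"},
    ]},
]

# Constructed date on which the block was (supposedly) enabled.
RESTRICTION_ENABLED_AT = datetime(2017, 4, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for hit in find_personal_android(SAMPLE_PAGES, RESTRICTION_ENABLED_AT):
        print("personal Android enrolled after block:", hit)
```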




How to Remove Work Profile from Intune Managed Android Devices

How to Remove Work Profile from Intune Managed Android Devices? This quick post will help you understand how to remove a work profile from an Android device.

If you’re curious about how work profiles are created, my previous post, “Intune: How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work,” provides a comprehensive guide.

The work profile is created when the Android for Work (A4W) supported device is enrolled in the Intune environment, which is enabled to support A4W. There are more than two ways to remove the Work profile from Android devices. We will cover three of them in this post.

This post will show you how to remove the work profile from Intune-managed Android devices using Endpoint Manager. The detailed steps are explained below.

Intune Android for Work – How to Remove Work Profile – Post with Android Device Admin Method

This video clearly demonstrates how to remove the work profile from Intune-managed Android devices using the Android Device Admin method. The step-by-step process is explained thoroughly, making it easy to follow along and understand.

How to Remove Work Profile from Intune Managed Android Devices – Video 1

How to Remove Work Profile from Intune Managed Android Devices

As per Google documentation, the following is the method to remove the work profile, but I don’t recommend this approach if your device is enrolled in Intune. On Android 5.0+ devices, you can delete your work profile in Settings > Accounts > Remove work profile. Touch Delete to confirm the removal of all apps and data within the work profile.

  • The first proper way to remove a work profile or unenroll a device is to go to the Intune portal -> Devices and groups -> All devices.
  • Select the device you want to remove or unenroll, then click the “Remove Company Data” button. This will initiate the unenrollment process from Intune.

Remove a Work Profile or Unenroll a Device
  • Go to the Intune portal
  • Click on the “Devices and Groups” section in the Intune portal
  • Choose “All devices” to view a list of enrolled devices
  • Locate and select the device that you wish to remove or unenroll from Intune
  • After selecting the device, find and click on the “Remove Company Data” button. This initiates the unenrollment process from Intune
How to Remove Work Profile from Intune Managed Android Devices – Table 1
How to Remove Work Profile from Intune Managed Android Devices – Fig.1

How to Remove Work Profile from Intune Managed Android Devices

Another option to remove the work profile or unenroll the Android device is from the user’s profile. In the Azure portal, go to the blade path “Users and Groups – All users – Anoop Nair (username) – Devices – Device” and choose the device you want to delete/remove.

As you can see in the following picture, click on the delete button to remove the device from Intune or to remove the work profile.

How to Remove Work Profile from Intune Managed Android Devices – Fig.2

The second option to remove the work profile must be initiated from the end-user device. The user must initiate this process from the Intune Company Portal application (for more details about the Company Portal, read my previous post – Intune How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work).

Launch the company portal app from your Android device, tap on the “My Devices” tab, and select the user’s device. In the following picture, tap on the recycle bin button to remove the device’s work profile.

  • The Android device unenrollment process will remove company data from your mobile, the work profile created during A4W enrollment, and all the applications deployed through the work profile.
  • However, as shown in the above picture (#5), the company portal application will stay on the device.
  • It won’t allow you to enroll the device again with the same instance of the company portal.
  • If you want to re-enroll the Android device for Intune management, you need to uninstall the existing Company Portal and install it again.
How to Remove Work Profile from Intune Managed Android Devices – Fig.3
