Microsoft Intune is Microsoft's cloud-based (SaaS) desktop and mobile device management tool. It supports Mac OS, iOS, Android, and Windows 10 and is used as a modern management tool.
This MDM solution can be integrated with SCCM, Azure AD, and Active Directory. This place gives you a great opportunity to learn Microsoft Intune and become an expert with Intune.
This solution can be used to deploy UWP applications, Security policies, Configuration policies, WiFi profiles, PKI certificates, and so on.
This solution is future-proof. When you look at the Desktop (43.29%) vs. Mobile (52.29%) vs. Tablet (4.42%) market share worldwide for the last year, you can see that mobile devices lead. So, Mobile Device Management is very critical, and this is a new world of opportunities for IT Pros like us. From my perspective, learning this solution is very important for SCCM admins.
Intune is an enterprise mobility management (EMM) solution from Microsoft. The EMM provider helps to manage mobile devices, network settings, and other mobile services and settings. This solution is nothing but a combination of Device, Application, Information Protection, Endpoint Protection (antivirus software), and Security/Configuration policy management solution (SaaS) facilitated by Microsoft in the Cloud.
Additionally, this solution has a feature called compliance policy, which can be integrated with the Azure AD “Conditional Access” policy to restrict access to company resources.
How to Get Intune Environment Ready for iOS Mac OS Devices? The first requirement for iOS and MAC OS device enrollment is the Apple MDM push cert setup. You need to download a unique certificate signing request (CSR) from the Intune tenant and upload it to the Apple portal.
Once uploaded successfully, you can download the Apple MDM push cert from the Apple portal. MDM push cert has to be uploaded to Intune portal so that you can enroll iOS and MAC OS devices via Intune. This process is explained in the video above.
I assumed that the Intune MDM authority setting had already been completed before setting up the Apple MDM push cert and configuring Enrollment restriction policies.
One of our articles explains how to configure the iOS and macOS platforms for use with Intune. Managing iOS and macOS devices with Intune is crucial for enhancing productivity and protecting enterprise resources. As mobile and remote work environments become more prevalent, employees increasingly rely on their iPhones, iPads, and Mac computers to access important work applications and data.
How to Get Intune Environment Ready for iOS and Mac OS Device Enrollment
Let’s discuss how to Get Intune Environment Ready for iOS and Mac OS Device Enrollment. Preparing your Intune environment for iOS and macOS device enrollment involves several key steps to ensure a smooth and secure setup.
This process helps organizations manage Apple devices effectively, providing both security and ease of use for employees accessing corporate resources.
How to Get Intune Environment Ready for iOS Mac OS Devices – Video 1
How to Get Intune Environment Ready for iOS Mac OS Devices
Once the Apple MDM push cert setup has been completed, we can proceed with the following configurations related to iOS and macOS management. As the next step, I would configure the Enrollment Restriction rules for iOS devices.
Suppose your organization has decided not to allow (block) personal iOS devices from enrolling into Intune. In that case, you must set up an enrollment restriction type based on the platform configurations. I have a detailed post about restricting personal iOS devices.
How to Get Intune Environment Ready for iOS Mac OS Devices – Fig.1
The next step is to set up Conditional Access policies for iOS devices (while we are still waiting for the Mac OS Conditional Access policy). I recommend doing this during Intune’s initial setup. As you can see in the following screen capture, you have a couple of options.
You can select either individual supported platforms for the Conditional Access policy or “All platforms (including unsupported).” I recommend the latter, “All platforms (including unsupported).”
How to Get Intune Environment Ready for iOS Mac OS Devices – Fig.2
Azure AD Conditional Access policies can be deployed either combined with compliance policies or without compliance policies. I recommend deploying conditional access policies with compliance policies. The next step is to set compliance policies for iOS devices. Are you wondering why there is no encryption option/compliance policy for iOS devices?
If so, there is no need for an encryption policy for iOS devices because those devices will get encrypted once the password has been enforced for devices.
System Security settings:
Setting | Value
Require a password to unlock mobile devices | Require
Simple passwords | Block
Required password type | Alphanumeric
Number of non-alphanumeric characters in password | 1
Maximum minutes of inactivity before password is required | 15 Minutes
How to Get Intune Environment Ready for iOS Mac OS Devices – Table 1
How to Get Intune Environment Ready for iOS Mac OS Devices – Fig.3
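The settings in Table 1 can also be created through the Microsoft Graph API instead of the portal. The following is an added example, not code from the original post: it expresses the Table 1 settings as a Graph iosCompliancePolicy body and adds a local checker that applies the same rules, so you can see what a passcode has to look like before the device is reported compliant and Conditional Access lets it in. The displayName and the sample passcodes are constructed values, and the mapping of the portal's "Number of non-alphanumeric characters in password" setting to passcodeMinimumCharacterSetCount is an assumption.

```python
"""Added example (not from the original post): the iOS compliance settings from Table 1
as a Microsoft Graph iosCompliancePolicy body, plus a local checker that applies the
same rules, so you can see what a passcode must look like to satisfy them."""
import json
import re
from typing import Any, Dict, List, Optional

# Body for POST /deviceManagement/deviceCompliancePolicies. Property names are the
# documented microsoft.graph.iosCompliancePolicy properties; the displayName is constructed.
# ASSUMPTION: the portal's "Number of non-alphanumeric characters in password" setting is
# mapped here to passcodeMinimumCharacterSetCount.
IOS_PASSCODE_POLICY: Dict[str, Any] = {
    "@odata.type": "#microsoft.graph.iosCompliancePolicy",
    "displayName": "iOS passcode baseline (constructed example)",
    "passcodeRequired": True,                     # Require a password to unlock: Require
    "passcodeBlockSimple": True,                  # Simple passwords: Block
    "passcodeRequiredType": "alphanumeric",       # Required password type: Alphanumeric
    "passcodeMinimumCharacterSetCount": 1,        # Non-alphanumeric characters: 1
    "passcodeMinutesOfInactivityBeforeLock": 15,  # Max minutes of inactivity: 15
}


def graph_body() -> str:
    """The JSON string an admin would send with the POST above."""
    return json.dumps(IOS_PASSCODE_POLICY, indent=2)


def is_simple(passcode: str) -> bool:
    """'Simple' in the Apple passcode-policy sense: every character identical, or the
    whole string a strictly ascending or descending run (1234, abcd, 4321)."""
    if len(set(passcode)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(passcode, passcode[1:])}
    return steps in ({1}, {-1})


def check_passcode(passcode: Optional[str], inactivity_minutes: int,
                   policy: Dict[str, Any] = IOS_PASSCODE_POLICY) -> List[str]:
    """Return the names of the policy settings a device state would fail.
    An empty list means the state is compliant with Table 1. The policy object is the
    same dict sent to Graph, so the checker and the policy cannot drift apart."""
    failures: List[str] = []
    if not passcode:
        # Nothing else is meaningful without a passcode.
        return ["passcodeRequired"] if policy["passcodeRequired"] else []
    if policy["passcodeBlockSimple"] and is_simple(passcode):
        failures.append("passcodeBlockSimple")
    if policy["passcodeRequiredType"] == "alphanumeric" and not (
            re.search(r"[A-Za-z]", passcode) and re.search(r"[0-9]", passcode)):
        failures.append("passcodeRequiredType")
    non_alnum = sum(1 for c in passcode if not c.isalnum())
    if non_alnum < policy["passcodeMinimumCharacterSetCount"]:
        failures.append("passcodeMinimumCharacterSetCount")
    if inactivity_minutes > policy["passcodeMinutesOfInactivityBeforeLock"]:
        failures.append("passcodeMinutesOfInactivityBeforeLock")
    return failures


if __name__ == "__main__":
    print(graph_body())
    # Constructed sample passcodes, used only to show which rule each one trips.
    for pc in ("1234", "abc123", "Pa$s1"):
        print(pc, "->", check_passcode(pc, 15) or "compliant")
```

Because the checker reads the same dictionary that is posted to Graph, a later change to the policy (say, raising the non-alphanumeric count) is reflected in both places at once, which is the property you want when compliance feeds a Conditional Access decision.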
After compliance policy settings, it’s time to set up configuration policies for iOS and MAC OS devices. Intune Configuration policies deploy security settings for the devices and can be used to enable or disable their features.
My previous video blog post discussed the different types of Intune configuration profiles. Device restriction policies are security configuration policies in the Intune Azure portal.
How to Get Intune Environment Ready for iOS Mac OS Devices – Fig.4
Conclusion – How to Get Intune Environment Ready for iOS Mac OS
The above-mentioned policies are very basic policies you want to configure if your organization has decided to manage iOS and MAC OS devices via Intune. There are loads of advanced MDM policy management options available with Microsoft Intune.
You can also create custom configuration policies for iOS devices if some of your security requirements are not available with Intune configuration policies. In addition, you can deploy Wi-Fi profiles, VPN profiles, and certificates to iOS devices using Intune MDM.
Another option with Intune MAM WE (without enrollment) is to manage corporate applications via MAM policies and MAM WE Conditional Access policies.
In this scenario, your users don’t need to enroll in Intune MDM management. Therefore, each organization must decide whether to use MAM WE or the MDM channel of iOS management.
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
Bangalore IT Pro Full Day User Group Event on Intune and SCCM? On March 18th, 2017, the BLR IT Pro group conducted a free full-day Bangalore IT Pro User Group event. At this event, we covered Intune’s new Azure portal features.
We also covered the newest additions to SCCM/ConfigMgr CB 1702 TP. Ninety per cent of the sessions were demos, and attendees had some hands-on experience with Android for Work devices.
I had a great experience interacting with and sharing knowledge with more than 40 attendees. Most of them are SCCM admins planning to move to the Intune world. Some already have significant experience with Intune iOS management, Application wrapping, the Apple DEP program, etc. Some others are Airwatch admins and have had good new experiences with Intune features.
I have created a quick video of some lively moments of the event. The Full Day BLR ITPro Device Management UG Meet is an engaging event for IT professionals specializing in device management. This comprehensive gathering allows attendees to immerse themselves in the latest industry trends, best practices, and emerging technologies.
Bangalore IT Pro Full Day User Group Event on Intune and SCCM – Video 1
Bangalore IT Pro Full Day User Group Event on Intune and SCCM Configuration Manager Endpoint Manager
The full-day free event covered a wide range of topics relevant to IT professionals and device management. These topics included the latest advancements in device management technologies, best practices for ensuring security and compliance, and strategies for optimizing device performance and lifecycle management.
Topics
The following are the topics I covered during the free full-day event. You can get the presentation link below.
Modern Device Management (MDM) is an advanced approach to managing and securing devices within an organization. It uses cloud-based technologies to provide comprehensive management of a wide range of devices, including desktops, laptops, tablets, and smartphones.
Bangalore IT Pro Full Day User Group Event on Intune and SCCM – Table 1
What is Modern Device Management? Basic Understanding
Intune Azure Active Directory (AAD) Overview
Create AAD Dynamic Device/User Groups
Intune Silverlight Portal Overview
Intune Azure Portal Overview
What is Conditional Access?
Configure Conditional Access
Configure Compliance and Configuration Policies
Table – Compliance Policies – Remediated/Quarantined
Windows 10 Modern Device Management
iOS/MAC OS Management
Android for Work Management
Troubleshooting
SCCM CB 1702 TP New Features
Bangalore IT Pro Full Day User Group Event on Intune and SCCM – Fig.1
You can Download the Presentation to Get the Reference Links from the PowerPoint Notes!
How can I restrict Personal Android Devices from Enrolling in Intune? Are you still waiting to migrate from Intune Silverlight to the Azure portal?
The video post provides a quick overview and comparison between the Intune Azure and Intune Silverlight portals. It highlights the differences and improvements in the new Intune experience within the Microsoft Endpoint Manager (MEM) portal, showcasing the enhanced features and user interface of the Azure-based Intune portal compared to the older Silverlight version.
The new Intune portal allows for more granular restrictions for MDM enrollments. It’s amazing to see new features in the MEM Intune portal. One month ago, I blogged about restricting personal iOS devices from enrolling in Intune via enrollment restriction rules.
This post provides detailed instructions on restricting personal Android devices from enrolling into Intune using Endpoint Manager (MEM). It covers the steps necessary to configure enrollment restrictions, ensuring that only corporate-owned devices can be enrolled and managed through Intune.
How to Restrict Personal Android Devices from Intune Enrollment
Let’s discuss how to restrict personal Android devices from enrolling in Intune. This video provides a detailed guide on configuring Intune settings to ensure that only corporate-owned devices can be enrolled, helping you maintain control over device management within your organization.
How to Restrict Personal Android Devices from Enrolling into Intune – Video 1
How to Restrict Personal Android Devices from Enrolling into Intune
iOS personal devices can be restricted from enrolling in Intune MDM. However, until now there was no option to restrict personal Android devices from enrolling into Intune MDM. The Intune team has now enabled the feature to restrict personal Android devices from enrolling into Intune.
This was one of the features I was looking for to appear in the Azure portal. So, can we allow only Android devices for work-supported enrollment in Intune MDM? With this enrollment or device type restriction option, the answer is NO. So, what is the difference between company-owned Android devices and personally-owned Android devices?
Feature | Company-owned device | Personal device
Opt-out of Device Owner mode | No | Yes
With device approvals enabled, the administrator must approve the device | No | Yes
Administrators can receive an inactivity report every 30 days | Yes | No
Factory resets that users initiate block device re-enrollment | Yes | No
Account wipe available | No | Yes
How to Restrict Personal Android Devices from Enrolling into Intune – Table 1
All personal Android devices will be blocked from enrollment when you turn on the “Block Android Personal Device” option from Intune Blade in the Azure portal. Personal Android devices can be Android for Work (AfW) supported devices and non-Android for Work devices.
Initially, I thought Android for Work would not be treated as a personal device but as a corporate-owned device. But I was wrong. For corporate-owned devices, Android for Work can be deployed in a Work Managed mode, which provides full device management.
How to Restrict Personal Android Devices from Enrolling into Intune – Fig.1
The Enroll Devices node is the place in the Intune Azure portal where you can set up a restriction policy for personally owned Android devices. Within enrolment restrictions rules, we can have two types of restrictions: Device Type restrictions and Device Limit restrictions.
In this scenario, we want to restrict personal Android devices. We need to create an enrollment type policy to allow the Android platform to enroll in Intune. Once enrollment has been enabled for the Android platform, go to Platform Configurations and then BLOCK personally owned Android devices.
How to Restrict Personal Android Devices from Enrolling into Intune – Fig.2
Conclusion
Ideally, when you block personally owned Android devices from enrollment, all the Android devices enrolled via a non-corporate method should also be blocked.
As per my testing, this is not working. After enabling the “block Android personally owned devices” policy, I enrolled a couple of Android devices, and those devices got enrolled without any issues.
How to Restrict Personal Android Devices from Enrolling into Intune – Fig.3
In the screenshot below, I have enrolled two Android devices into Intune and the Intune console, and Intune detects those as personal devices. I’m not sure why they are not blocked.
How to Restrict Personal Android Devices from Enrolling into Intune – Fig.4
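The restriction configured in Fig.2, and the check the conclusion above calls for (confirming whether personal Android devices still got in), can both be expressed against the Microsoft Graph API. The following is an added example, not code from the original post: the first half is the "block personally owned Android devices" platform restriction as a Graph deviceEnrollmentPlatformRestrictionsConfiguration body with a function showing the decision it is meant to make; the second half is an audit over the managed-device inventory that lists Android devices Intune classifies as personal. The device names, dates and displayName are constructed sample data.

```python
"""Added example (not from the original post): the 'block personally owned Android
devices' enrollment restriction as a Graph body, and an audit over the enrolled
device inventory to confirm whether the restriction actually took effect."""
from typing import Any, Dict, List

# Body for POST /deviceManagement/deviceEnrollmentConfigurations. Property names are the
# documented microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration properties;
# the displayName is a constructed value.
ANDROID_PERSONAL_BLOCK: Dict[str, Any] = {
    "@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration",
    "displayName": "Block personal Android (constructed example)",
    "androidRestriction": {
        "platformBlocked": False,                 # Android platform is allowed to enroll...
        "personalDeviceEnrollmentBlocked": True,  # ...but personally owned devices are not
    },
}


def enrollment_allowed(platform: str, owner_type: str,
                       config: Dict[str, Any] = ANDROID_PERSONAL_BLOCK) -> bool:
    """The decision the restriction is meant to make for one enrollment attempt.
    Platforms without a <platform>Restriction entry in the config fall through as allowed,
    which is why iOS is unaffected by this particular body."""
    restriction = config.get(f"{platform.lower()}Restriction")
    if restriction is None:
        return True
    if restriction.get("platformBlocked"):
        return False
    if owner_type == "personal" and restriction.get("personalDeviceEnrollmentBlocked"):
        return False
    return True


# Constructed sample of the 'value' array returned by
# GET /deviceManagement/managedDevices?$select=deviceName,operatingSystem,managedDeviceOwnerType,enrolledDateTime
SAMPLE_INVENTORY: List[Dict[str, Any]] = [
    {"deviceName": "nexus6-01", "operatingSystem": "Android",
     "managedDeviceOwnerType": "personal", "enrolledDateTime": "2017-03-20T10:15:00Z"},
    {"deviceName": "nexus6-02", "operatingSystem": "Android",
     "managedDeviceOwnerType": "company", "enrolledDateTime": "2017-03-20T11:00:00Z"},
    {"deviceName": "iphone-07", "operatingSystem": "iOS",
     "managedDeviceOwnerType": "personal", "enrolledDateTime": "2017-03-19T08:30:00Z"},
    {"deviceName": "pixel-03", "operatingSystem": "Android",
     "managedDeviceOwnerType": "personal", "enrolledDateTime": "2017-03-21T09:45:00Z"},
]


def personal_android_enrolled(inventory: List[Dict[str, Any]], since: str = "") -> List[str]:
    """Names of Android devices Intune classifies as personal that enrolled at or after
    `since` (ISO-8601 UTC, so plain string comparison orders correctly).
    Run this with `since` set to the moment the restriction was switched on: a non-empty
    result is the symptom described in the conclusion above."""
    return sorted(
        d["deviceName"] for d in inventory
        if d["operatingSystem"] == "Android"
        and d["managedDeviceOwnerType"] == "personal"
        and d["enrolledDateTime"] >= since
    )


if __name__ == "__main__":
    print("Android/personal allowed?", enrollment_allowed("Android", "personal"))
    print("Android/company allowed?", enrollment_allowed("Android", "company"))
    print("Personal Android enrolled since restriction:",
          personal_android_enrolled(SAMPLE_INVENTORY, since="2017-03-20T00:00:00Z"))
```

In a real tenant you would page through the managedDevices collection (following @odata.nextLink) and feed the result into personal_android_enrolled; the filter itself is the same as the sample shows.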
How to Remove Work Profile from Intune Managed Android Devices? This quick post will help you understand how to remove a work profile from an Android device.
The work profile is created when an Android for Work (A4W) supported device is enrolled in an Intune environment that has been enabled to support A4W. There are more than two ways to remove the work profile from Android devices. We will cover three of them in this post.
This post will show you how to remove the work profile from Intune-managed Android devices using Endpoint Manager. The detailed steps are explained below.
Intune Android for Work – How to Remove Work Profile – Post with Android Device Admin Method
This video clearly demonstrates how to remove the work profile from Intune-managed Android devices using the Android Device Admin method. The step-by-step process is explained thoroughly, making it easy to follow along and understand.
How to Remove Work Profile from Intune Managed Android Devices – Video 1
How to Remove Work Profile from Intune Managed Android Devices
As per Google documentation, the following is the method to remove the work profile, but I won’t recommend this approach if your device has enrolled in Intune. On Android 5.0+ devices, you can delete your work profile in Settings > Accounts > Remove work profile. Touch Delete to confirm the removal of all apps and data within the work profile.
The first proper way to remove a work profile or unenroll a device is to go to the Intune portal -> Devices and groups -> All devices.
Select the device you want to remove or unenroll, then click the “Remove Company Data” button. This will initiate the unenrollment process from Intune.
Remove a Work Profile or Unenroll a Device
Go to the Intune portal
Click on the “Devices and Groups” section in the Intune portal
Choose “All devices” to view a list of enrolled devices
Locate and select the device that you wish to remove or unenroll from Intune
After selecting the device, find and click on the “Remove Company Data” button. This initiates the unenrollment process from Intune
How to Remove Work Profile from Intune Managed Android Devices – Table 1
How to Remove Work Profile from Intune Managed Android Devices – Fig.1
Another option is to remove the work profile or unenroll the Android device. You can also go to your user profile and choose the device you want to delete/remove from the following blade path from the Azure portal “Users and Groups – All users – Anoop Nair (username) – Devices – Device.”
As you can see in the following picture, click on the delete button to remove the device from Intune or to remove the work profile.
How to Remove Work Profile from Intune Managed Android Devices – Fig.2
Launch the company portal app from your Android device, tap on the “My Devices” tab, and select the user’s device. In the following picture, tap on the recycle bin button to remove the device’s work profile.
The Android device unenrollment process will remove company data from your mobile, the work profile created during A4W enrollment, and all the applications deployed through the work profile.
However, as shown in the above picture (#5), the company portal application will stay on the device.
It won’t allow you to enroll the device again with the same instance of the company portal.
If you want to re-enrol the Android device for Intune management, you need to uninstall the existing company portal and install it again.
How to Remove Work Profile from Intune Managed Android Devices – Fig.3
Why is the available action disabled from Android for Work App Deployment in Intune? Configuring Android for Work in Intune is not very difficult. However, there are some restrictions when you deploy a volume-purchased application to Android for Work devices.
Microsoft recently announced support for Android for Work (A4W) in Intune, and I’ve been eagerly anticipating the arrival of an A4W-supported device. However, it’s important to note that not all Android devices are compatible with A4W. For those interested, Google has provided a comprehensive list of devices supported by Android for Work.
The Android work profile feature enables users to use a single device for personal and work purposes. Our guide breaks down the steps to help you efficiently manage these devices through Intune, ensuring seamless work and personal data integration.
We can deploy Android for Work Volume Licensed apps only to user groups. The ONLY deployment actions/options enabled in the drop-down list are Not Applicable, Required, and Uninstall. The “Available” deployment action/option is DISABLED for Android for Work applications.
Android For Work App Deployment Options Available Required
Let’s explore the possibilities for deploying Android for Work apps, including “Available” and “Required” deployment types. The following video provides a detailed overview of these deployment options, demonstrating how to manage app distribution within your organization effectively.
Why Available Action is Disabled from Android for Work App Deployment in Intune – Video 1
Why Available Action is Disabled from Android for Work App Deployment in Intune
In the screenshot below, you need to specify the type of deployment you want to execute for this software and review the corresponding deployment settings. Choose the appropriate deployment settings for the software. Note that the “Available” install option is disabled, as shown in the window.
Why Available Action is Disabled from Android for Work App Deployment in Intune – Fig.1
Recently, I noticed that the Android for Work Volume-Purchased App deployment action called “Available” has been enabled for some of the tenants. These “Google Play for Work” applications can be deployed to user/device groups in those tenants where the available action is enabled.
Details Why Available Action is Disabled from Android for Work App Deployment in Intune Endpoint Manager
Android for Work Volume-Purchased application deployment option is called “Available,” and volume-purchased app deployment to device groups is ONLY available with new grouping experience in the Azure portal. Hence, this feature is tied to Azure AD group targeting, requiring migration from the Intune Silver Light portal to Azure.
You can’t see all the Android for Work apps even when you go to the Google Play for Work app store from your Android for Work-supported devices.
It will only list the apps that are deployed from the Intune console.
App deployment action details are well documented in the TechNet article here. When the app is displayed in the Volume-Purchased Apps node of the Apps workspace, you can deploy it just like any other app.
You can deploy the app to groups of users only. Currently, you can only select the Required and Uninstall actions. Starting in October 2016, we will begin adding the available deployment action for new tenants.
Why Available Action is Disabled from Android for Work App Deployment in Intune – Fig.2
Intune: How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work? Android for Work enrollment to an Enterprise Mobility Management (EMM) solution or Intune is slightly different from enrollment for iOS and Windows devices.
This difference is not because of your EMM solution; rather, it is the process/framework Google implemented to complete Android for Work enrollment. We need to configure Intune to support Android for Work, and I have a post that explains the prerequisites.
Microsoft announced Intune’s supportability for Android for Work (A4W) a few months back. Since then, I have been waiting for an A4W-supported device. Yes, that means A4W does not support all Android devices. Here is Google’s list of A4W-supported devices.
Our article guides you through configuring the Android Enterprise platform for use with Intune Device Management. You can easily set up Intune Enrollment to manage Android Enterprise devices, and you can easily manage corporate-owned Android Enterprise devices with Microsoft Endpoint Manager Intune.
Intune Android for Work Nexus 6s Enrollment Experience
Let’s talk about the video showing the Intune Android for Work Nexus 6s enrollment experience. This video provides a detailed look at how to enrol a Nexus 6s using Intune for Android for Work, making the process clear and easy to understand.
Intune How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work – Video 1
Details Google Play Store for Work
First, we need to ensure that Android for Work (A4W) is enabled for your Intune tenant, and then we need to configure Intune to support A4W. Do you want to allow only Android for Work-supported devices to enrol in Intune? This option is not available out of the box in Intune.
I’m sure Microsoft will develop a new option in the new Azure portal, as I noted in the previous blog post about the enrollment restriction rule in Intune. Android for Work is currently supported on devices running Android 5.0 Lollipop or later that support a work profile.
The second step is to ensure you have configured Android for Work configuration policies in Intune and Android configuration policies. Different sets of policies in Intune only support Android for Work.
Intune Compliance policies are the same for “Classic” Android management and Android for Work management. Suppose you plan to deploy VPN and Wi-Fi profiles to Android for Work-supported devices. In that case, Intune supports some custom configuration policies (OMA-URI).
Intune How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work – Fig.1
Android for Work?
As a third step, you need to confirm whether your device supports “Android for Work” or not. Where is the list of Android-supported Work devices? OK, no worries, Google has already published the list here.
Android for Work?
If your device has not been supported, Intune will automatically enroll it for “classic” Android management.
So you won’t be able to see any work profile being created on your phone.
Intune How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work – Table 1
Intune How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work – Fig.2
More Details
Once you have identified that the device you are trying to enroll is supported, you should open the “Google Play Store” and install the Intune Company Portal. Once the Company Portal is installed, you can log in with your corporate credentials, and the first phase of the setup will start, creating a work profile for Android.
Once the Work profile has been created, the company portal application will ask you to go to the Work profile and launch the company portal from the work profile to continue setting up. So, you need to log in to the company portal twice as part of Android for work enrollment.
The work profile will be controlled by an organization you have enrolled in, and the Company Portal app will have access to Work profile-related data.
Intune How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work – Fig.3
The above step completed half of the enrollment process. The Intune company portal application initiated the creation of the work profile. Once the work profile has been created, you must log in to another instance of the company portal app, which resides in the work profile.
The company portal app in the work profile does the 2nd half of the enrollment process. The company portal helps the device complete Work Place Join, Azure AD Join, and Intune enrollment, as seen in the above video.
Intune How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work – Fig.4
Google Play Store for Work
Once you complete the Company access setup, you can access company resources and apps depending on the Conditional access, compliance, and configuration policies. The Android device must comply with compliance policies and meet the conditions mentioned in the conditional access policies by the Intune Admin.
Once everything is okay, you can browse and install applications from the “Google Play Store for Work”. I will cover the Android application deployment scenarios in an upcoming blog post here (coming soon).
Outlook is one of the applications you can directly deploy as “available” or “required” from the Intune portal. Once the Outlook app has been installed, you can directly configure your official mail without any particular configuration. Email profile deployment via Intune is not required for automatic corporate mail configuration.
You need to put in the email ID. No other configuration is required; instead, everything is automatically configured. As I mentioned in the blog post here, you can add applications to the Google Play Store for work with the existing Gmail account. Once these apps are synced with Intune, you can deploy them to groups.
Intune How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work – Fig.5
Intune Application Policy Manager RBA Controls In MEM Portal | Endpoint Manager Role-Based Access? We will discuss the access rights of the built-in Intune RBA role, Intune Application Manager.
Ideally, this role should have access to Manage mobile apps and read device information, depending on the scope of users/devices assigned to it.
Do you know what the scope is? “The users or devices that a specified person (the member) can manage.” If you are an SCCM admin, the SCOPE option is already in SCCM 2012 and the CB console. I have another post that discusses the details of Configuration Manager RBAC.
This post will examine the permissions associated with the Intune Application Manager built-in role. According to Microsoft documentation, this role “Manages and deploys applications and profiles.”
Intune Application Policy Manager RBA Controls In MEM Portal
We will dive deeply into this topic and explain the actions an Intune app admin can perform from the MEM portal. Following are the access permissions given to the Intune APP Manager RBAC role.
Intune Application Policy Manager RBA Controls In MEM Portal | Endpoint Manager Role-Based Access – Fig.1
Managed Apps – Intune Application Policy Manager RBA Controls In MEM Portal
Controlling who can change what in your organization’s IT infrastructure is essential. Here’s a breakdown of the permissions this role holds for managed apps, managed devices, and mobile apps.
Managed Apps
Assign managed apps to a security group
Create managed apps
Delete managed apps
Read managed apps
Update managed apps
Wipe managed apps
Managed Devices
No access to delete devices
Access to read device information
No access to update device properties
Mobile Apps
Assign mobile apps to a security group
Create mobile apps
Delete mobile apps
Read mobile apps
Update mobile apps
Intune Application Policy Manager RBA Controls In MEM Portal | Endpoint Manager Role-Based Access – Table 1
Overall Access Rights of Intune Tiles– Intune Application Policy Manager RBA Controls In MEM Portal
This role can perform some actions in the Manage apps and Configure devices tiles. Access is denied to perform any activities in the Conditional Access, Device Enrollment, Access control, and Set device compliance tiles.
You are allowed to set up certificate authority in the Configure devices tile. However, you do not have access to view profiles.
You are allowed to view the device information in the Device and Groups tile.
Access is denied to create/delete new or existing groups or user profiles. It doesn’t matter whether the Intune policy manager is editing the groups in SCOPE. In many places, save and add buttons are enabled, but when we try to save, we get an error.
Access is denied to change device and user settings in the Manage user tile.
Access is denied to the Intune Silverlight console.
Access is denied to the Intune App Protection section, and Intune mobile application management is not allowed for Intune App Managers. These app protection options are probably part of the Azure portal’s Intune—Manage Apps tab.
Access Rights – Manage Apps (Manage Apps and Mobile Apps) – Intune Application Policy Manager RBA Controls
You can create new mobile apps and edit mobile apps uploaded by admins. Access is denied to edit the managed apps, which are uploaded automatically.
Access is denied to remove assignments/deployments to a group outside the Intune application manager’s scope.
Access is denied to remove assignments/deployments from a group in the Intune application manager’s scope. This should be allowed!
If the user group is within the scope of the Intune application manager, you can add an assignment to the mobile/manage app.
Access is denied to add an assignment to a mobile/managed app if the user group is out of the scope of the Intune application manager.
The portal hangs when trying to edit existing or create new App Protection Policies from the Intune App Manager account.
The Intune app manager account is allowed to perform an app selective wipe, but only on in-scope users/devices.
Access is denied to edit Company portal Branding from the Intune app manager account.
Intune Application Policy Manager RBA Controls In MEM Portal | Endpoint Manager Role-Based Access – Fig.2
Beginners Guide Intune Android for Work Google Play for Work Setup? Android for work has always been an exciting topic for me. I’m a fanboy of Android devices 🙂 I started testing Intune + SCCM MDM management with Android devices in 2014. I was eagerly waiting for “Android for Work” support with Intune.
Microsoft announced Intune’s support for Android for Work (A4W) a few months back. Since then, I have been waiting for an A4W-supported device. Yes, that means not all Android devices are supported by A4W. Here is Google’s list of A4W-supported devices.
The Android work profile feature allows users to have a single device for personal and work purposes. Our guide simplifies the process so that you can efficiently manage these devices using Intune.
Intune Android for Work MDM – Admin Config Enrollment Removal
Let’s talk about managing Intune Android for Work MDM (Mobile Device Management) and how to configure enrollment removal for administrators. The video below explains all the details about Intune Android for Work MDM.
Beginners Guide Intune Android for Work Google Play for Work Setup – Video 1
Beginners Guide Intune Android for Work Google Play for Work Setup
In this post, I will try to cover the prerequisites of Android for Work, Intune portal admin configurations, Adding Google Play apps to Google for Work, Android for Work Device enrollment, Work profile creation, and Removal of Android for the work profile.
First of all, you need to create a baseline of Android devices that you want to support in your environment. Following are some of the points that we need to take care of as part of the Android for Work implementation:-
Beginners Guide Intune Android for Work Google Play for Work Setup – Fig.1
Preparation Work – Android for Work Admin Configurations
According to Google, only devices running Android 5.0 Lollipop and later get a work profile and Android for Work support. This has nothing to do with Microsoft and Intune. Some Android for Work settings are available only for Android 6.0 and later.
It is essential to understand that Android for Work does NOT support all Android devices in the market; the list of supported devices is here.
Bind your Intune and Google for Work accounts from the Silverlight Intune portal because this feature is not yet enabled in the Azure Intune blade.
Create a Google account or use an existing account to sign up for Android for Work with the EMM provider.
Add applications from Google Play to the Google for Work store and then sync these apps to Intune. To initiate a new sync between Intune and the Google for Work store, click on the Sync button in the Intune console.
Sync the apps from the Intune console – Admin > Mobile Device Management > Android for Work. After Sync, the apps will be visible under – Intune console – Apps – Volume Purchased app
I recommend using the following option after the pilot testing in your production environment. Enable the option “Manage supported devices as Android for Work – (Enabled) All devices that support Android for Work are enrolled as Android for Work devices. Any Android device not supporting Android for Work is enrolled as a conventional Android device”.
The only caveat is that we don’t have the option to restrict the devices that are NOT supported by Android for Work from enrolling into Intune.
Beginners Guide Intune Android for Work Google Play for Work Setup – Fig.2
Notes from the Field – Android for Work Security Policies
In this initial release, Intune’s out-of-the-box security and work profile policies are very limited for A4W. I suppose you have to combine A4W and Android policies to support Android devices in your organization.
OMA URI custom policies are supported with A4W. However, custom policies, along with Intune, support only a few options. I know only 2 policies supported by this feature, which are WiFi and VPN profiles.
Beginners Guide Intune Android for Work Google Play for Work Setup – Fig.3
End-User Experience – Android for Work
Enrollment of Android for work devices is as straightforward as the normal Android device enrollment for the first part of it. The second part is more towards logging into the Intune company portal from the Android for Work context and continuing the enrollment process.
Work profiles on Android devices will be created via Intune company portal enrollment.
This will happen only for Android for Work supported devices.
If you have a device that is not supported for Android for Work by Google, then the enrollment won’t create a work profile, etc… it will be normal enrollment.
Beginners Guide Intune Android for Work Google Play for Work Setup – Table 1
This post explains Intune RBAC roles and permissions in the Intune Admin Center Portal. We will discuss the access rights of the built-in Intune RBAC role and Configuration policy manager.
Ideally, this role should have access to Manage and deploy configuration settings and profiles, depending on the scope. Before going into details, let me explain the scope.
Intune RBAC (Role-Based Access Controls) is the workflow that helps organizations segregate the roles and responsibilities of different support teams by providing them with limited access to specific resources. The scope is defined as “the users or devices that a specified person (the member) can manage.” If you are an SCCM admin, the SCOPE option exists in SCCM 2012 and the CB console.
Granular control delegates permissions to Level 1, 2, and 3 Intune teams from different operating groups (entities/opcos). Intune admins’ assigned permissions are limited to specific user or device groups. View permissions of Intune objects can be controlled/managed using RBAC.
This video will explain Intune RBAC Strategic Options, Role-Based Access Controls, Scope Groups, Intune Objects, and Roles.
Intune RBAC Roles Permissions in the Intune Admin Center Portal – Video 1
What is Intune RBAC?
RBAC helps Intune Admins to control who can perform various Intune tasks within your enterprise. There are nine (9) built-in Intune roles (RBAC roles). The list of Intune RBAC built-in roles is updated in the table.
In this post, I will explain the access rights of Intune’s default role, Configuration Policy Manager. I have created a user named Kaith in the Azure Active Directory. This user is assigned Configuration policy manager access, and the scope is set to the group “All Bangalore Users.”
The Intune configuration policy manager can access Assign, Create, Delete, Read, and Update profiles. However, we will conduct a deep dive to understand more details about the access rights for this role.
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 1
Intune RBAC – Tiered Hierarchy
Azure AD is the primary identity repository for Intune, and Intune Full Admin permissions come from Azure AD. This means that user identities and access rights are managed through Azure AD, which integrates easily with Intune. For Intune Full Admin permissions, users need corresponding permissions in Azure AD.
Global Admin Role (Tier 1)
Intune Service Admin Role (Tier 2)
Intune RBAC Permissions – Intune Portal
Tier 3 Roles – App Admin, Helpdesk Admin, etc…
Updated Built-In Intune RBAC Roles
Let’s check the built-in Intune RABC roles (endpoint manager roles) available in the MEM admin center portal. The permissions in Azure AD are crucial for managing users, devices, and policies effectively within Intune.
Updated Built-In Intune RBAC Roles | Details
Application Manager | Built-in Role
Endpoint Security Manager | Built-in Role
Read-Only Operator | Built-in Role
School Administrator | Built-in Role
Policy and Profile Manager | Built-in Role
Help Desk Operator | Built-in Role
Intune Role Administrator | Built-in Role
Cloud PC Administrator | Built-in Role
Cloud PC Reader | Built-in Role
Intune RBAC Roles Permissions in the Intune Admin Center Portal Table 1
Endpoint Manager Roles
Let’s understand the different types of roles available within Intune RBAC workflow. There are built-in roles and custom roles, which I have given examples of in previous posts.
Assign administrators to Endpoint Manager Roles. Create and configure custom Endpoint Manager Roles.
The Intune Policy and Profile Manager is allowed to edit a profile even when that profile is deployed ONLY to out-of-scope users/groups.
Intune Role-Based Access (RBA) rules don’t respect the scope when editing a profile.
This should NOT be allowed. Editing should be allowed only for profiles assigned ONLY to the Intune policy manager’s scope of users or devices (Intune policy manager = Kaith). Intune RBAC roles are still in development.
Access is denied to remove and add assignments to a profile already deployed to users outside the scope. However, if the admin tries to deploy profiles to users in the scope, the addition and removal of assignments should be allowed.
Access is denied to remove assignments to profiles targeted to the users or groups in scope. This should be allowed!
They can delete all the profiles, even if they target out-of-scope users. This should NOT be allowed! If the profile is assigned only to in-scope users, then the deletion of the profile should be allowed.
They can enable/disable certificate authority connectors for SCEP or PFX profile deployment. Intune RBAC roles are still in development.
Login to MEM Admin Center (Intune).
Navigate to tenant admin -> Roles -> Endpoint Manager Roles.
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 2
Intune RBAC Access Rights – Application Manager
It is allowed to remove assignments of applications that are already targeted to users outside the scope of an Intune Application Manager. This should NOT be allowed. If the application is deployed/assigned to users who are in scope, then removal of the assignment should be allowed.
The Intune application manager is allowed to add assignments to the application even if the users being targeted are out of scope. This should NOT be allowed.
Assign administrators to Endpoint Manager Roles and Create and configure custom Endpoint Manager Roles.
Assignments should be added to the Application policy only when the targeted users are within the scope of an Intune application manager.
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 3
Intune RBAC – Endpoint Security Manager
Let’s discuss Intune RBAC—Endpoint Security Manager. You can assign administrators to Endpoint Manager Roles and create and configure custom Endpoint Manager Roles.
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 4
Intune Read-Only Operator
Name – Read-Only Operator. Description – Read-Only Operators view user, device, enrollment, configuration, and application information and cannot change Intune.
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 5
Intune School Administrator
Name – School Administrator. Description – School Administrators can manage apps and settings for their groups. They can also remotely manage devices, including locking, restarting, and retiring them from management.
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 6
Intune RBAC – Help Desk Operator
Name – Help Desk Operator. Description – Help Desk Operators perform remote tasks on users and devices and can assign applications or policies to users or devices.
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 7
Intune Role Administrator
Name – Intune Role Administrator. Description – Intune Role Administrators manage custom Intune roles and add assignments for built-in Intune roles. It is the only Intune role that can assign permissions to Administrators.
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 8
Cloud PC Administrator
Name: Cloud PC Administrator. Description: The Cloud PC Administrator has read and write access to all Cloud PC features within the Cloud PC blade.
Let’s discuss the Intune Admin Configuration Policy Manager and the Intune RBA permissions issues. The video below explains all the details about these topics.
Intune RBAC Roles Permissions in the Intune Admin Center Portal – Video 2
Overall Access Rights of Intune Tiles
Allowed to perform administrative activities in configuring devices and Setting device compliance tiles. Allowed to view details about users and groups in managing users’ tile.
Access is denied to perform any activities in Manage Apps, Conditional Access, Device Enrollment, Device and Groups, and Access control tiles.
You can view objects in the Manage Users tile – Users and Groups.
Access is denied to create/delete new or existing groups. It doesn’t matter if the Intune policy manager is editing the groups in SCOPE.
Access is denied to change device and user settings in the Manage user tile.
Access is denied to the Intune Silverlight console.
Intune Administrator Role Permissions
Let’s check the Intune Administrator Role permissions in the following table. The table shows the actions and their corresponding details. Read, Delete, Wipe, Assign, Create, and Update are Intune permissions that can be assigned for each Intune object.
Admin Groups – Admin group users are the administrators assigned to this role
Scope Groups – Administrators in this role assignment can target policies, applications, and remote tasks to Azure AD Device/User Groups
Let’s discuss how to Fetch Intune Azure AD Details from Graph API Intune PowerShell Scripts. Now, Microsoft Graph API is the buzzword. How can Microsoft Graph API fetch the details from Azure Active Directory (Azure AD/AAD) and Microsoft Intune? And a list of Intune PowerShell Scripts samples. I won’t provide any Graph API scripts to fetch details in this post.
APIs have always been an alien term for me. REST APIs were everywhere; now it’s Graph API. Have you ever tried the Facebook Graph API? So, the entire industry is taking the path of Graph API!
In one of our articles, we provide a detailed guide on using Microsoft Graph Explorer, emphasizing its utility for beginners. This tool is pivotal for understanding Graph API queries, particularly for those starting. We walk users through the initial steps of accessing and utilizing the Graph Explorer, focusing on its simplicity and user-friendly interface.
The blog post “Configuring Intune Bitlocker grace period“ illustrates a real-world example of using Intune Graph Explorer. This scenario involves setting up a grace period for BitLocker, a feature not configurable through the MEM Admin Center portal.
Fetch Intune Azure AD Details from Graph API Intune PowerShell Scripts
Microsoft Graph is a versatile Application Programming Interface (API) offering a unified endpoint, https://graph.microsoft.com, to access a wealth of data, intelligence, and insights across Microsoft 365 and other Microsoft Cloud services.
Fetch Intune Azure AD Details from Graph API Intune PowerShell Scripts – Fig.1
In this post, I would like to help by providing basic details of the Microsoft Graph API. I will explain how to start using Graph API graphically (not programmatically) and how Graph API would be helpful for IT Pros in their day-to-day lives. Microsoft Intune admins can analyze a device’s or user’s details from Graph API.
We can only get limited details of objects from the Azure AD portal; however, loads of additional information can be fetched from Graph API via a web browser. You can perform all the GET and other supported operations from the following URL. Remember to sign in to the tenant.
This video guide teaches you how to use Intune Graph Query and some sample queries. It’s a beginner’s guide, so it starts with the basics. Microsoft Graph Explorer is a special tool for system admins and developers. With it, you can talk to Intune and ask it to fetch, change, or remove information.
Fetch Intune Azure AD Details from Graph API Intune PowerShell Scripts – Video 1
Microsoft Graph
Graph Explorer is one way to fetch, change, or remove data or configurations from Intune services. You can quickly sign in to the Graph Explorer portal with Intune Admin credentials.
Launch Microsoft Graph - URL --> https://graph.microsoft.io/en-us/graph-explorer
https://developer.microsoft.com/en-us/graph/graph-explorer
Fetch Intune Azure AD Details from Graph API Intune PowerShell Scripts – Fig.2
When you sign in for the first time, you need to agree to give Graph Explorer the following permissions. Click on the Agree button to proceed.
Fetch Intune Azure AD Details from Graph API Intune PowerShell Scripts – Fig.3
There are two versions of Graph Explorer available at the moment: 1.0 and Beta. I was having a hard time connecting to the Graph API, but it was okay when I wanted to retrieve my user information.
But when I tried to fetch the details for the entire tenant, it was asked to agree or accept new Admin consent, as you can see in the following paragraph.
This query requires additional permissions. If you are an administrator, you can click here to grant them for your entire organization. You can also try the same request against your tenant by creating a free Office 365 developer account.
When I tried to click on the “HERE” button to accept the consent, it gave me an odd error: “AADSTS90002: No service namespace named ‘organizations‘ was found in the data store.” Ryan and Panu helped me get rid of this error.
To accept this admin consent, you don’t have to create manual applications or run any PowerShell scripts! It’s already available in your enterprise applications blade in the Azure console.
Fetch Intune Azure AD Details from Graph API Intune PowerShell Scripts – Fig.4
The following are some samples of graph API GET queries to retrieve details from Intune and Azure Active Directory (AAD). Graph API also allows for the following three types of actions: POST, PATCH, and DELETE.
https://graph.microsoft.com/beta/users/anp@SCZ.onmicrosoft.com/ownedDevices
https://graph.microsoft.com/beta/deviceAppManagement/mobileApps
https://graph.microsoft.com/beta/users/
https://graph.microsoft.com/beta/applications
Following is an extract of the deviceAppManagement/mobileApps response.
WhatsApp is one of the applications at “https://graph.microsoft.com/beta/deviceAppManagement/mobileApps.” Similarly, we can retrieve a user’s owned devices and device status through Graph API GET commands. Some of these details are available ONLY through Graph API. This will be an excellent help for Intune admins when troubleshooting issues.
Graph API Actions
POST
PATCH
DELETE
Fetch Intune Azure AD Details from Graph API Intune PowerShell Scripts – Table 1
cache-control: private
content-type: application/json;odata.metadata=minimal;odata.streaming=true;
request-id: 604557b1-409b-4749-8w32d-d754844b2181
client-request-id: 6se357b1-409b-4349-864d-d754844b2181
Status Code: 200
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceAppManagement/mobileApps",
"value": [
{
"@odata.type": "#microsoft.graph.iosStoreApp",
"id": "ab8a5364-887d-44e7-a6cd-9684d2f279c3",
"displayName": "WhatsApp Messenger",
"description": "WhatsApp Messenger is a FREE messaging app available for iPhone and other smartphones. WhatsApp uses your phone's Internet connection (4G/3G/2G/EDGE or Wi-Fi, as available) to let you message and call friends and family. Switch from SMS to WhatsApp to send and receive messages, calls, photos, videos, and Voice Messages. \n\nWHY USE WHATSAPP: \n\n• NO FEES: WhatsApp uses your phone's
"publisher": "WhatsApp Inc.",
"largeIcon": null,
"createdDateTime": "2017-01-22T06:40:24.696692Z",
"lastModifiedDateTime": "2017-01-22T06:40:24.696692Z",
"isFeatured": false,
"privacyInformationUrl": null,
"informationUrl": null,
"owner": "",
"developer": "",
"notes": "",
"uploadState": 1,
"installSummary": null,
"bundleId": "net.whatsapp.WhatsApp",
"appStoreUrl": "https://itunes.apple.com/us/app/whatsapp-messenger/id310633997?mt=8&uo=4",
"applicableDeviceType": {
"iPad": false,
"iPhoneAndIPod": true
},
"minimumSupportedOperatingSystem": {
"v8_0": true,
"v9_0": false,
"v10_0": false
}
},
Fetch Intune Azure AD Details from Graph API Intune PowerShell Scripts – Fig.5
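The GET queries above return one page of results at a time; a script that wants the whole mobileApps collection has to follow @odata.nextLink. Here is an added example, not from the original post (which deliberately ships no scripts), written in Python rather than PowerShell: it builds Graph GET URLs with OData query options and walks the paged mobileApps collection offline against constructed responses shaped like the extract above. The fetch callable, fake_fetch, the second page and the Contoso records are assumptions/constructed data.

```python
"""Walk a paged Microsoft Graph collection and summarise Intune mobile apps.

Added example, not from the original post.  HTTP is abstracted behind a
`fetch(url)` callable so the script runs offline against the constructed pages
below; a real `fetch` would send an authenticated GET with a bearer token.
Record fields follow the mobileApps extract in the post; the second page and
the Contoso records are constructed sample data.
"""
from collections import Counter
from urllib.parse import quote, urlencode

GRAPH = "https://graph.microsoft.com/beta"


def build_url(resource, select=None, filter_=None, top=None):
    """Compose a Graph GET URL with optional $select / $filter / $top options."""
    params = {}
    if select:
        params["$select"] = ",".join(select)
    if filter_:
        params["$filter"] = filter_
    if top:
        params["$top"] = str(top)
    url = f"{GRAPH}/{resource.strip('/')}"
    # Leave '$' and ',' readable; spaces inside $filter become %20 via quote().
    return f"{url}?{urlencode(params, safe='$,', quote_via=quote)}" if params else url


def iter_collection(fetch, url):
    """Yield every item of a collection, following @odata.nextLink to the end.

    Graph Explorer shows one page per request; a script must loop on nextLink."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def summarize_mobile_apps(apps):
    """Return (count per @odata.type, [(displayName, publisher, store identifier)])."""
    by_type = Counter(app.get("@odata.type", "unknown") for app in apps)
    rows = [(app["displayName"], app.get("publisher", ""),
             app.get("bundleId") or app.get("appStoreUrl") or app["id"])
            for app in apps]
    return by_type, rows


# --- constructed offline data standing in for the tenant's responses ---
MOBILE_APPS_URL = build_url("deviceAppManagement/mobileApps")
PAGE2_URL = MOBILE_APPS_URL + "?$skiptoken=constructed-page-2"
PAGES = {
    MOBILE_APPS_URL: {
        "@odata.context": f"{GRAPH}/$metadata#deviceAppManagement/mobileApps",
        "@odata.nextLink": PAGE2_URL,
        "value": [{  # record shape and values as in the extract in the post
            "@odata.type": "#microsoft.graph.iosStoreApp",
            "id": "ab8a5364-887d-44e7-a6cd-9684d2f279c3",
            "displayName": "WhatsApp Messenger", "publisher": "WhatsApp Inc.",
            "isFeatured": False, "bundleId": "net.whatsapp.WhatsApp",
            "appStoreUrl": "https://itunes.apple.com/us/app/whatsapp-messenger/id310633997?mt=8&uo=4",
        }],
    },
    PAGE2_URL: {
        "@odata.context": f"{GRAPH}/$metadata#deviceAppManagement/mobileApps",
        "value": [{  # constructed records
            "@odata.type": "#microsoft.graph.iosStoreApp", "id": "00000000-0000-4000-8000-000000000001",
            "displayName": "Contoso Expenses", "publisher": "Contoso",
            "isFeatured": True, "bundleId": "com.contoso.expenses",
        }, {
            "@odata.type": "#microsoft.graph.androidStoreApp", "id": "00000000-0000-4000-8000-000000000002",
            "displayName": "Contoso Expenses (Android)", "publisher": "Contoso", "isFeatured": False,
            "appStoreUrl": "https://play.google.com/store/apps/details?id=com.contoso.expenses",
        }],
    },
}


def fake_fetch(url):
    """Stand-in for an authenticated HTTP GET: serve the constructed pages."""
    return PAGES[url]


def inventory(fetch=fake_fetch):
    """Walk every mobileApps page and summarise what the tenant has."""
    return summarize_mobile_apps(list(iter_collection(fetch, MOBILE_APPS_URL)))


if __name__ == "__main__":
    by_type, rows = inventory()
    for odata_type, count in by_type.items():
        print(f"{count:3d}  {odata_type}")
    for name, publisher, ident in rows:
        print(f"{name:28s} {publisher:14s} {ident}")
```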
How do you organize the Endpoint Manager Portal Neat Clean for Intune Activities? The MEM portal is a one-stop shop for all the services in the Microsoft cloud. When users log in to a MEM portal for the first time, they can see all these services, which are already selected as favorite services by default.
The selection of favorite services in the MEM portal for individual users is not based on the user’s profile or access rights of the user. This is not good for new users in the Intune portal. They will struggle to find out their role-related services.
One of our articles helps you by showing the Intune Admin Portal walkthrough guide. It is one of the first things you have to learn. From this post, you understand what is where in the Intune admin portal (aka Microsoft Intune Admin Center).
How to Make Your Azure Intune Console Look Better – Video
The video guide on improving the look of your Azure Intune console is really helpful. It explains all the details step by step and provides easy-to-follow tips for making your console more visually appealing and user-friendly.
It’s an excellent resource for anyone who wants to enhance their Intune console’s visual experience and usability, whether they’re new to Intune or already using it.
How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune – Video 1
How to Organize Endpoint Manager Portal Neat Clean for Intune Activities
For example, you are an Intune admin and can only access Intune and Azure AD users and groups. But if you log into the MEM portal, you will see loads of services that make no sense. You will also find it messy, and I’m sure you will get lost in the portal until you find the search button or Intune services.
Microsoft Azure Features
Create a resource
Home
Dashboard
All services
FAVORITES
SOL
All resources
Resource groups
App Services
Function App
SQL databases
Azure Cosmos DB
Virtual machines
Load balancers
Storage accounts
Virtual networks
Microsoft Entra ID
Monitor
Advisor
Microsoft Defender for Cloud
Cost Management + Billing
Help + support
How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune – Table 1
How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune – Fig.1
Don’t worry—a very friendly search option is available in the Azure portal. If you are an Intune admin, click on more services and type “Intune” in the search menu. You can see two Intune services: one for Intune (MDM) and the second for Intune App Protection (MAM without enrollment).
How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune – Fig.2
To keep your Azure portal well organized, you must spend only 2-3 minutes when logging in for the first time. What do we need to do to get a neatly organized Azure portal? You log in to the Azure portal, click on the More services button, and then remove the services that are not relevant to you.
For example, Intune admins have nothing to do with “Virtual Machines,” so you can remove the Virtual machine service from your favorite menu. This will help you remove the Virtual machine shortcut from the left-side menu of the MEM portal.
How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune – Fig.3
End result: a clean and tidy Azure portal for Intune admins. Remove all the services from the Azure portal except Azure Active Directory, Users and Groups, Intune, and Intune App Protection.
How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune – Fig.4
How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune? In the previous post on how to Create Azure AD Dynamic Groups for Managing Devices using Intune, you might have seen the basic process for creating Azure AD dynamic user and device groups, along with explanations about the syntax of the queries/rules.
We will also experience performance issues with Azure AD dynamic groups when we don’t design our queries properly. This is similar to performance issues with dynamic collections with bad WQL queries, and SCCM admins are very familiar with this kind of performance issue.
This post will show how to create dynamic device groups for Windows devices with the “Device Ownership” attribute in Azure AD. This attribute is populated only when the devices are enrolled through MDM, and if I understand correctly, it is populated by Intune in this case.
If this attribute is not populated, you must ensure the device is correctly enrolled in Intune. Because some of these attributes are available only when the Intune portal is migrated to Azure, you may need to wait for your Intune migration to complete if you are still using the Intune Silverlight portal.
How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune
Let’s discuss creating an Azure AD device group for Windows BYOD CYOD devices Microsoft Intune. Creating Azure AD device groups for Windows BYOD and CYOD devices with Microsoft Intune is easy. It is explained in detail below.
How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune – Fig.1
Following are the advanced membership rules that you can use to create Azure AD dynamic device groups to segregate BYOD and CYOD devices!
All Windows CYOD Devices Query for Azure Active Directory
(device.deviceOwnership -contains "Company") -and (device.deviceOSType -contains "Windows")
All Windows BYOD Devices Query for Azure Active Directory
(device.deviceOwnership -contains "Personal") -and (device.deviceOSType -contains "Windows")
All BYOD Devices Query for Azure Active Directory
(device.deviceOwnership -contains "Personal")
All CYOD Devices Query for Azure Active Directory
(device.deviceOwnership -contains "Company")
How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune – Fig.2
Auditing Azure Active Directory Dynamic groups is very important from the ops teams’ perspective. These auditing options are available in the new Azure portal, and it’s beneficial to track the changes of a particular Azure AD dynamic group.
As you can see in the table below, the ACTOR performed the activity for that group. For example, when I created this group, “Microsoft Approval Management” (probably an AAD automated process in the background) added 2 devices to the device group.
Date | Actor | Activity | Target
3/2/2017, 1:42:18 PM | Microsoft Approval Management | Add member to group | Device : DESKTOP-FOSD7L3, Group : All Windows CYOD Devices
3/2/2017, 1:42:18 PM | Microsoft Approval Management | Add member to group | Device : DESKTOP-IIRCSUV, Group : All Windows CYOD Devices
3/2/2017, 1:31:42 PM | anoop@sSDS.onmicrosoft.com | Add owner to group | User : , Group : All Windows CYOD Devices
3/2/2017, 1:31:42 PM | anoop@sSDS.onmicrosoft.com | Add group | Group : All Windows CYOD Devices
How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune – Table 1
How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune – Fig.3
So, it’s recommended that we follow the best practices when we create dynamic device or user groups in Azure Active Directory. You may not see performance issues with Azure AD dynamic groups during testing or a POC, but once all users and devices are in Azure AD, poorly written rules can certainly have an impact.
I always try to use -eq rather than -contains in Azure AD dynamic rules, but it’s not always possible to use -eq.
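Both points in this section, auditing group changes and preferring -eq over -contains, can be checked from a script. The following is an added example written for this page, not the post’s own code; it assumes the Microsoft.Graph.Reports and Microsoft.Graph.Groups modules, an account holding AuditLog.Read.All, Directory.Read.All and Group.Read.All, and an illustrative group name. It reproduces the Date/Actor/Activity/Target view of Table 1 from the directory audit log and then lists every dynamic rule in the tenant that still relies on -contains or is not being processed.

```powershell
# Added example: audit trail for one dynamic group (as in Table 1) plus a lint of all
# dynamic membership rules.  Assumes Microsoft.Graph.Reports / Microsoft.Graph.Groups.
Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All','Group.Read.All' -NoWelcome

$groupName = 'All Windows CYOD Devices'   # illustrative
$since     = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# Filter on time and service server-side; match the target group client-side because
# targetResources is a collection.
$events = Get-MgAuditLogDirectoryAudit -All `
    -Filter "activityDateTime ge $since and loggedByService eq 'Core Directory'" |
    Where-Object { $_.TargetResources.DisplayName -contains $groupName }

$events | Sort-Object ActivityDateTime -Descending | ForEach-Object {
    # The actor is a user for interactive changes and an app (e.g. Microsoft Approval
    # Management) for membership processing done by the service itself.
    $who = if ($_.InitiatedBy.User.UserPrincipalName) { $_.InitiatedBy.User.UserPrincipalName }
           elseif ($_.InitiatedBy.App.DisplayName)     { $_.InitiatedBy.App.DisplayName }
           else                                        { '(system)' }
    [pscustomobject]@{
        Date     = $_.ActivityDateTime
        Actor    = $who
        Activity = $_.ActivityDisplayName
        Result   = $_.Result
        Target   = ($_.TargetResources | ForEach-Object { "$($_.Type) : $($_.DisplayName)" }) -join ', '
    }
} | Format-Table -AutoSize

# Lint: -contains is a substring match; -eq is exact and is the operator to prefer when
# the attribute holds a single fixed value such as deviceOwnership or deviceOSType.
Get-MgGroup -Filter "groupTypes/any(t:t eq 'DynamicMembership')" -All `
    -Property 'id,displayName,membershipRule,membershipRuleProcessingState' |
    ForEach-Object {
        $issues = @()
        if ($_.MembershipRule -match '(?i)-contains\b')  { $issues += 'uses -contains (prefer -eq)' }
        if ($_.MembershipRuleProcessingState -ne 'On')   { $issues += "processing is $($_.MembershipRuleProcessingState)" }
        if ($issues) {
            [pscustomobject]@{ Group = $_.DisplayName; Rule = $_.MembershipRule; Issue = ($issues -join '; ') }
        }
    } | Format-Table -Wrap
```

The audit query is the same data the portal shows; running it on a schedule and alerting on “Add member to group” or “Update group” events from unexpected actors catches rule changes that would silently widen a group used in Conditional Access.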
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
Microsoft Intune can automatically enroll CYOD or BYOD devices. You can scope automatic enrollment to some Azure AD users, all users, or none. This is an old post, but the concepts are still the same.
The old classic Azure portal offered an option to set up automatic Intune MDM enrollment for Windows 10 devices. The same option is available in the new Azure portal under new names and a new look. This post explains the Windows 10 Intune auto-enrollment process in more detail.
One of the first things you must learn is how to use the Intune admin portal. This post will also help you understand where the Intune admin portal is; it is officially known as the Microsoft Intune admin center.
The Intune auto-enrollment option does two things, as explained in the video below. The video is old now; the path to configure auto-enrollment has changed a bit, and the new path is described in the Intune portal walkthrough video below.
First, whenever a Windows 10 device is joined to Azure AD, it is automatically enrolled in Intune for MDM management. Second, only users in the MDM user scope group are allowed to enroll devices in Intune.
How to Configure Automatic Intune MDM Enrollment | Auto Enrollment – Intune Portal Walkthrough | MEM Admin Center | Training
The Intune admin portal, formerly known as the Microsoft Endpoint Manager (MEM) admin center and now called the Microsoft Intune admin center, is the central tool for managing devices and applications within an organization. IT administrators must be able to navigate this portal to oversee and control their endpoints.
How to Configure Automatic Intune MDM Enrollment | Auto Enrollment – Video 1
NOTE! – For Windows 10 BYOD devices, the MAM user scope takes precedence if both the MAM user scope and the MDM user scope (automatic MDM enrollment) are enabled for all users (or for the same groups of users). Such a device receives Windows Information Protection (WIP) policies (if you configure them) instead of being enrolled in MDM.
The following is where you set the MDM enrollment configuration in the new Azure portal. When the MDM user scope is set to None, devices do not auto-enroll, so they never receive policies and will not work as expected.
Choose Devices -> Device Onboarding – Enrollment -> Windows in the Microsoft Intune admin centre.
Click on the Automatic Enrollment button.
How to Configure Automatic Intune MDM Enrollment | Auto Enrollment – Fig.1
Set the MDM user scope to All, or to Some and pick an Azure AD group, per your requirement. If it is set to None, users will not be able to enroll devices into Intune management.
The simplest option is to set the MDM user scope to All so that every user in your organization can enroll devices into Intune. Windows 10 devices then enroll in Intune automatically when the user performs an Azure AD join.
The Some option lets a user group control enrollment. When you want to allow only a specific group of users to enroll their devices into MDM/Intune, click Some under MDM user scope and select that group.
The same blade supports a granular, phase-wise move of users to the new MDM management. It also has three URL fields, which you configure according to your MDM vendor.
How to Configure Automatic Intune MDM Enrollment | Auto Enrollment – Fig.2
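The None / Some / All setting above is an Azure AD mobility management policy, so it can also be read and set through Microsoft Graph, which is handy for a phased rollout. The following is an added example written for this page, not code from the original post; it assumes the Microsoft.Graph.Authentication module, an account holding Policy.ReadWrite.MobilityManagement and Group.Read.All, and an illustrative pilot group name. The app ID 0000000a-0000-0000-c000-000000000000 is the well-known ID of the Microsoft Intune mobility management policy.

```powershell
# Added example: read and set the Intune MDM user scope (None / Some / All) via Graph,
# then verify the result on a client.  Assumes Policy.ReadWrite.MobilityManagement.
Connect-MgGraph -Scopes 'Policy.ReadWrite.MobilityManagement','Group.Read.All' -NoWelcome

$intuneMdmId = '0000000a-0000-0000-c000-000000000000'   # well-known Microsoft Intune policy id
$base        = "https://graph.microsoft.com/v1.0/policies/mobileDeviceManagementPolicies/$intuneMdmId"

# Current state.  appliesTo is none | selected | all, i.e. None / Some / All in the portal;
# the three URL fields from the blade are properties of the same object.
$policy = Invoke-MgGraphRequest -Method GET -Uri "$base`?`$expand=includedGroups"
"MDM user scope: {0}" -f $policy.appliesTo
"Discovery URL : {0}" -f $policy.discoveryUrl
"Terms URL     : {0}" -f $policy.termsOfUseUrl
"Compliance URL: {0}" -f $policy.complianceUrl
$policy.includedGroups | ForEach-Object { "Included group: {0}" -f $_.displayName }

# Phased rollout: scope auto-enrollment to a pilot group instead of All.
$pilot = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/groups?`$filter=displayName eq 'Intune MDM Pilot Users'&`$select=id"
if (-not $pilot.value) { throw 'Pilot group not found' }   # illustrative group name
$pilotId = $pilot.value[0].id

Invoke-MgGraphRequest -Method PATCH -Uri $base -Body (@{ appliesTo = 'selected' } | ConvertTo-Json)

if ($policy.includedGroups.id -notcontains $pilotId) {
    Invoke-MgGraphRequest -Method POST -Uri "$base/includedGroups/`$ref" `
        -Body (@{ '@odata.id' = "https://graph.microsoft.com/v1.0/groups/$pilotId" } | ConvertTo-Json)
}

# Client-side check, run locally on a Windows 10/11 device after Azure AD join: the MDM
# URLs it reports come from this policy, and a device outside the scope shows none.
dsregcmd /status | Select-String -Pattern 'AzureAdJoined|MdmUrl|MdmTouUrl|MdmComplianceUrl'
```

Setting appliesTo back to 'all' ignores includedGroups, and 'none' disables auto-enrollment entirely, which is the state described in the text where devices never receive policy.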
Video Windows 10 Intune Auto Enrollment Process
This is an old video recorded using the Azure portal UI. The concept is the same, but the new portal UI has different options.
How to Configure Automatic Intune MDM Enrollment | Auto Enrollment – Video 1
Windows 10 AirWatch or MobileIron Auto-Enrollment Process?
If AirWatch or MobileIron manages your devices, you can specify their endpoints in the same three URL fields. For Intune, the new Azure portal fills in all three URLs automatically. The blade has the following three URLs.
New Azure Portal for Intune MDM – the three MDM URL fields
Field | Description
MDM terms of use URL | The URL of the terms-of-use endpoint of the MDM service.
MDM discovery URL | The URL of the enrollment endpoint of the MDM service. The enrollment endpoint is used to enroll devices for management with the MDM service; for Intune, it is the Intune enrollment endpoint.
MDM compliance URL | The URL of the compliance endpoint of the MDM service. When a user is denied access to a resource from a non-compliant device, they can navigate to this URL, hosted by the Intune service, to understand why their device is considered noncompliant. Users can also initiate self-service remediation so their devices become compliant and they can continue to access resources.
How to Configure Automatic Intune MDM Enrollment | Auto Enrollment – Table 1
How to Configure Automatic Intune MDM Enrollment | Auto Enrollment – Fig.3
So, where is the option in the new Azure portal to configure the MDM auto-enrollment setting for Windows 10 devices and MDM enrollment for the other platforms (Android, iOS, and macOS)? You configure the Intune MDM enrollment option under Microsoft Azure > Mobility (MDM and MAM).
Windows 10 Intune Auto Enrollment Process Screen capture.
How to Configure Automatic Intune MDM Enrollment | Auto Enrollment – Fig.4
How can I restrict personal iOS devices from enrolling in Intune? Have you already seen the new Intune options in the MEM portal? If not, I recommend watching the following video post to get an overview of the new Intune portal.
The new Intune portal allows more granular restrictions for MDM enrollments. On-prem services like ADFS or any federated access management system don’t need tweaking.
Now we can block personal iOS devices from Intune enrollment. You set this policy at the Enroll devices node in the Intune Azure portal. Under “Enrollment restrictions,” you can find the granular enrollment restriction policies.
Enrollment restriction policies help us restrict or block a set of devices from enrolling in Intune. This post explains how to restrict personal iOS devices from enrolling in Intune (Endpoint Manager).
How to Restrict Personal iOS Devices from Enrolling on Intune – Fig.1
How to Restrict Personal iOS Devices from Enrolling on Intune
There are two types of enrollment restriction rules: device type restrictions and device limit restrictions. Device limit restrictions were already available in the Intune Silverlight portal. Device type restrictions are new in the Intune Azure portal and allow us to restrict or block devices of specific platforms from enrolling.
How to Restrict Personal iOS Devices from Enrolling on Intune – Table 1
How to Restrict Personal iOS Devices from Enrolling on Intune – Fig.2
To keep Android devices out of your Intune MDM enrollment, you can block the Android platform from the new portal. However, I’m unsure how we can allow ONLY “Android for Work” enabled devices to enroll in Intune.
I suspect there are limitations on the Android platform side that prevent restricting Android devices which are not enabled for the Android for Work type of management.
How to Restrict Personal iOS Devices from Enrolling on Intune – Fig.3
The device type restriction policy is very helpful if you want to stop Windows Mobile/Phone devices from enrolling in Intune while still allowing Windows devices (desktops, laptops, Surfaces, etc.) to enroll.
The most useful feature for any organization is the ability to restrict personal iOS devices from enrolling in Intune.
Corporate/company-owned iOS devices can be enrolled using the Apple DEP program, and these are treated as company-owned devices by the restriction.
In this scenario, you create a device type restriction policy with the iOS platform allowed for enrollment under Device Type Restrictions – Platforms. Once the iOS platform is allowed, go to Platform Configurations and BLOCK personally owned iOS devices.
When a user tries to enroll a device in Intune, the enrollment restriction policies are evaluated against that device’s platform and the user. Intune checks the device properties and the user’s restriction limits configured in the enrollment restriction policies and confirms that the device platform and user are allowed to enroll. Only after this check passes does Intune allow the user to enroll the device.
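The same “iOS allowed, personally owned iOS blocked” restriction can be inspected and applied through Microsoft Graph, which is useful when you manage several tenants. The following is an added example written for this page, not the post’s own code; it assumes the Microsoft.Graph.Authentication module, an account holding DeviceManagementServiceConfig.ReadWrite.All, that the tenant exposes its default restrictions as a deviceEnrollmentPlatformRestrictionsConfiguration object in Graph v1.0, and that the default configuration carries priority 0.

```powershell
# Added example: list enrollment platform restrictions and block personally owned iOS
# devices while keeping the iOS platform (and DEP-enrolled corporate devices) allowed.
# Assumes DeviceManagementServiceConfig.ReadWrite.All.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All' -NoWelcome

$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations'
$all = (Invoke-MgGraphRequest -Method GET -Uri $uri).value

# Platform restrictions are one configuration type among several (device limits, Windows
# Hello for Business, enrollment status page ...); @odata.type is not filterable server-side.
$platformCfgs = $all | Where-Object {
    $_.'@odata.type' -eq '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration'
}

foreach ($cfg in $platformCfgs) {
    "{0} (priority {1})" -f $cfg.displayName, $cfg.priority
    foreach ($p in 'ios','android','windows','macOS') {
        $r = $cfg."${p}Restriction"
        if ($null -eq $r) { continue }
        "  {0,-8} platformBlocked={1,-5} personalBlocked={2,-5} minOS={3}" -f `
            $p, $r.platformBlocked, $r.personalDeviceEnrollmentBlocked, $r.osMinimumVersion
    }
}

# Assumption: the default ("All users and all devices") configuration has priority 0.
$default = $platformCfgs | Where-Object { $_.priority -eq 0 } | Select-Object -First 1
if (-not $default) { throw 'Default platform restriction configuration not found' }

# Only the iOS restriction is sent; the other platforms keep their current settings.
# Devices enrolled through Apple DEP/ABM are classified as corporate and still pass.
$body = @{
    '@odata.type'  = '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration'
    iosRestriction = @{
        '@odata.type'                   = '#microsoft.graph.deviceEnrollmentPlatformRestriction'
        platformBlocked                 = $false   # iOS as a platform stays allowed
        personalDeviceEnrollmentBlocked = $true    # personally owned iOS devices are blocked
        osMinimumVersion                = $default.iosRestriction.osMinimumVersion
        osMaximumVersion                = $default.iosRestriction.osMaximumVersion
    }
} | ConvertTo-Json -Depth 5

Invoke-MgGraphRequest -Method PATCH -Uri "$uri/$($default.id)" -Body $body

# Re-read and verify that the change landed before relying on it.
$check = Invoke-MgGraphRequest -Method GET -Uri "$uri/$($default.id)"
if ($check.iosRestriction.personalDeviceEnrollmentBlocked -ne $true) {
    throw 'Personal iOS block was not applied'
}
'Personal iOS enrollment is now blocked; corporate iOS enrollment remains allowed.'
```

A higher-priority restriction assigned to a group overrides the default, so after running this, also review any group-targeted platform restrictions listed by the first loop; a pilot policy that still allows personal iOS for its members would otherwise bypass the block.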
How do you restrict personal iOS devices from enrolling in Intune Endpoint Manager?
How to Restrict Personal iOS Devices from Enrolling on Intune – Fig.4
New Intune Home Page Redesign
The redesigned Intune admin portal home page is covered in a separate walkthrough of the changes and the updated admin portal journey. The dynamic home page is aimed at Intune administrators, and its spotlight options highlight premium features so that key functionality is easy to reach.
How to Restrict Personal iOS Devices from Enrolling on Intune – Video 1
MEM Admin Portal
Below is a video walkthrough of the Intune admin center covering the latest updates. The Intune admin portal is one of the first things you must learn. This post explains where the Intune admin portal (aka Endpoint Manager) is; its official name today is the Microsoft Intune admin center, formerly the MEM admin center.
How to Restrict Personal iOS Devices from Enrolling on Intune – Video 2