Loads of people requested for an Intune starter kit as I have one for SCCM. I think SCCM starter kit page was useful for the community. Mobile device management is new for most of the IT Pros in device management world.Hopefully, this post would also be useful for Intune newbies. In this post, we will see more details about “Newbies Intune Bible to Learn Mobile Device Management.”
This post, I will be concentrating on Intune standalone. I won’t cover SCCM Hybrid/Mixed Intune and Office 365 Intune MDM. In most of the scenarios (for Intune Standalone), no need/very minimal need for on-premises infrastructure. Intune standalone is the way to go when you want to take the path of modern management. Most of the Intune components are hosted in Microsoft Azure. I’ll try to keep this post updated with new Intune features.
Topics Covered in this post :-
Intune Very High Level Architecture Flow Why Learn Intune Mobile Device Management? What is Microsoft Intune and how it's different? How to Start Working with Intune? What are the Management Options in Intune? How to Start Using Intune Console? What is Intune Team's Role & Responsibility? What is MDM Authority? How to Start Managing Devices with Intune? Intune Windows 10 MDM YouTube Playlist Videos Android Devices Management via Intune Intune step by step Video Tutorials for iOS Intune Automatic Policy Refresh Update? The Sequence of Intune Policy Creation? Deploy Enrollment Restriction Policies Deploy Compliance Policies Intune Compliance Policy Support Details Deploy Intune Device Restriction Policy Deploy Resource Policies (Wi-Fi Profile) Deploy Applications to Devices using Intune Mobile Application Mgmt without Enrolment Learn to Troubleshoot Intune Issues
Intune Very High Level Architecture Flow
We already have a Facebook group for Intune Professionals. If you would like to join the Facebook community of Intune Professionals, click here. You can also subscribe the YouTube channel here where you have loads of Intune tutorial.
Why Learn Intune Mobile Device Management
When you take a look at the Desktop (43.29%) Vs. Mobile (52.29%) Vs. Tablet (4.42%) Market Share Worldwide for last one year, you could see the mobile devices are leaders. So, Mobile Device Management is very critical, and this is a new world of opportunities for IT Pros like us. From my perspective, learning Intune is very important for SCCM admins.
I don’t think SCCM will go away for another 5-6 years. I know some SCCM 2007 environments are managing more than 40K devices. So, it’s going to a take long time to migrate corporate organizations to move to modern device management solutions. But, I also agree that we need to learn Mobile Device Management (MDM), Mobile Application Management (MAM) technologies, etc. This is why learning Microsoft Intune is important for SCCM admins.
Mobile Device Management (MDM) is not a term used only for managing or administrating mobile devices. Rather, MDM also includes administration of a wide range of new laptops, desktops etc. For example, with Windows 10 all desktops, and laptops can be managed through MDM channel.
What is Microsoft Intune and how it’s different?
Intune is an enterprise mobility management (EMM) solution from Microsoft. The EMM provider helps to manage mobile devices, network settings, and other mobile services and settings. Microsoft Intune is nothing but a combination of Device, Application, Information Protection, Endpoint Protection (antivirus software) and Security/Configuration policy management solution (SaaS) facilitated by Microsoft in Cloud.
Additionally, Azure AD has a feature where admins can create a “Conditional Access (CA)” policy to get access to company resources. This Azure AD CA policy can be combined with Intune compliance policies. When the devices meet those conditions then, only the Intune will provide access to company or corporate resources (corporate email, Share point, etc…).
Previously, I used to mention Microsoft Intune as lighter Version of SCCM or ConfigMgr in the cloud. However, I don’t want to make the comparison so simple this time. Intune architecture is entirely cloud-based and agile. Get more details idea about Microsoft Intune in the below video. Yes, this video is old and outdated but, very well explained.
How to Start Working with Intune
Download Microsoft EMS step by step setup guide from here. This guide will help you to get a trial version of Office 365, Azure AD and Intune subscription for free. If you already have an Azure AD (Azure AD premium) subscription, then things are very straightforward as I posted on the blog here.
If you don’t have Azure AD subscription then better to start with Enterprise Mobility Suite (EMS) trial account, Azure Free Trial Account and Office 365 free trial subscription. The Azure trial account is already created EMS trail account. It’s better to create NEW outlook.com account and get ready with Credit Card details to activate the Azure trial subscription.
Getting a trial version of Azure AD, Office 365 and Intune is very straightforward process if you have never done this same process with your credit card and mobile number. Azure AD and Office 365 are prerequisites for Intune if you want to test/trial all the features of Intune.
Note :- Intune can be signed up separately as well from here. If you feel, you are interested in testing only Intune now then this is the way.
What are the Management Options in Intune?
Intune can manage Mac-OS, Android, iOS and Windows devices via MDM (Mobile Device Management) channel. I cover MAM (Mobile Application Management) in the below section.
We can manage devices (via MDM) with an Intune client agent, and arguably without Intune client agent. To manage iOS, Android, and Mac-OS devices, Intune needs an agent to be present in the device. Intune company portal application is the Intune agent. You can see the details in different app stores like Google Play and Apple Store.
So, when you install Intune company portal onto your Android or iOS devices, then you are doing an Intune agent-based management. There is an Intune MSI client available to download for Windows 7, Windows 8 devices. For Windows 10, Intune uses in build MDM stack of Windows 10 operating system itself.
I have an old post (published on Dec 2012) here to help you understand the basic stuff about Intune MSI agent installation. Once you install Intune MSI agent on Windows machines, those machines are “fully managed” by Intune. Following are the different ways to enroll devices into Intune for management.
Enrolled via Intune company portal Enrolled via Installation of Intune MSI client Enrolled via Windows 10 1607 and later in build Azure AD join and MDM enrolment MAM without MDM enrolment
How to Start Using Intune Console?
Intune blade (console) is part of part of the Azure portal. Intune blade in Azure portal has loads of new features and the functionalities. In this section, we will a see an overview of New Azure Intune Portal. Try this out https://portal.azure.com
The following documentation is the place where you can start reading about all the Intune topics:- Microsoft documentation Intune quick start guide here. I have another post which gives a “Quick Overview New Intune Azure.” Also, you can have a look at the video tutorial to understand the Intune Azure console here.
What is Intune Team’s R & R?
In a high-level following are the roles and responsibilities of Intune team. Some parts of it have involvement of Azure AD and other teams of the organization. Understanding the roles and responsibilities will help the IT Pros to understand, How Intune works? And How Intune will be deployed within the organization? More details available in my previous post “Intune Team’s Roles and Responsibilities.”
User Management Application Creation and Deployment/Assignment Service Administration Mobile Application Management Device/Profile Management Conditional Access Company Resource Access Software Update Management
What is Intune MDM Authority?
Setting up mobile device management authority is an important and first step before start working with Intune. The Mobile Device Management (MDM) authority determines where you will perform mobile device management tasks. Microsoft provides 3 options to set the MDM authority. Microsoft Intune by using the Intune Azure console, or to SCCM by using the SCCM CB console.
- Microsoft Intune
- Configuration Manager (SCCM)
- Office 365 (lightweight Intune)
In my perspective, the best design decision is to set Mobile Device Management (MDM) authority as Intune. You can set MDM authority Microsoft_Intune_Enrollment / OverviewBlade /overview section from Azure Portal.
How to Start Managing Devices with Intune?
Windows 10 device management is straightforward with Intune. It’s 10 minutes work to your sync your Windows Store for Business and Microsoft Intune. More details in the post “Integrate Windows Store for business.”
If you want to install store apps with the corporate account then, we can sync the Windows store for Business with Intune. Once the store apps are synced with Intune then, we can deploy it to Windows 10 devices. Read following blog post for more details “How to Add Apps to Business Store and Install Intune Company Portal without Using MS Account.”
Intune Windows 10 MDM YouTube Playlist
Google provides two channels of management for Android devices. The first channel of management is part of general Android device management and the second channel of management is Android Work (Android for Work) device management.
Android (General) Android for Work
Intune supports both channels of management. Google’s strategic approach is to support management via only via Android Work channel.
I have explained the process how to setup Android Work from Intune Azure Portal in one of my previous post here. You need to have a Google account to complete the setup of Android for Work in Intune console. More details about Android for Work Enrolment readiness is available in the following post. Step by Step Video Guide Intune Azure Portal How to Setup Android Work Support.
Videos Android Devices Management via Intune
iOS\MAC OS device management has certificate requirements, and we need to go to apple portal, upload your cert for the tenant and get the certificate for your Intune tenant. Similar to Android iOS and Mac-OS has two channels of management. One is traditional management, and another one is advanced management via Apple DEP management.
The first requirement for iOS and MAC OS device enrollment is the setup of Apple MDM push cert. You need to download different certificate signing request (CSR) from Intune tenant and upload the same to the Apple portal. Once uploaded successfully, you will get an option to download the Apple MDM push cert from Apple portal.
I have explained iOS/MacOS on-boarding process in the following post “How to Get Intune Environment Ready for iOS and Mac OS Devices.”
Intune step by step Video Tutorials for iOS
Intune Automatic Policy Refresh Update?
Intune Policy Sync Time details here
When any type policy or an app is deployed, Intune immediately begins attempting to notify the device that it should check in with the Intune service. This typically takes less than five minutes.
If a device doesn’t check in to get the policy after the first notification is sent, Intune makes three more attempts. If the device is offline (for example, it is turned off or not connected to a network), it might not receive the notifications.
Sequence of Intune Policy Creation
There are different types of policies in Intune. All these policies are used for managing and securing the mobile devices. In my opinion, we need to start creating Intune policies in the following sequence. We will see more details about each type of Intune policies in the below sections of this post.
1. Enrollment Restriction Policy 2. Conditional Access Policy (Azure AD) 3. Compliance Policy 4. Configuration Policy (Device Restriction Policy) 5. Resource Policy (Wi-Fi, VPN profiles)
Why Set Enrollment Restriction Policies
Device Enrollment is the first step of Mobile Device Management (MDM). When a device is enrolled into Intune, they have issued an MDM certificate, which that device then uses to communicate with the Intune service. So, it’s a best practice from the security perspective to restrict devices from enrolling into Intune environment. This can be achieved through Enrolment restriction policies.
Difference Between Intune Enrollment Restriction Vs Device Restriction Profile
Why Deploy Intune Compliance Policies?
Compliance policy rules might include using a password/PIN to access devices and encrypting data stored on devices. These set of such rules is called a compliance policy. The best option is to use compliance policy with Azure AD Conditional Access. Intune compliance policies are the first step of the protection before providing access to corporate apps and data. I have a post which explains about “How to Plan and Design Intune Compliance Policy.”
The following table lists the device types that compliance policies support. Intune can automatically remediate or quarantine. The table also describes how non-compliant settings are managed when a compliance policy is used with a conditional access policy. More details here.
Deploy Intune Device Restriction Policy
Intune Device restriction profiles are the policies similar to GPO from traditional device management world. Most of the enterprise organizations use GPO to restrict corporate-owned devices with these policies.
Restriction policies are security policies which need to apply on devices. Intune Device restriction policies control a wide range of settings and features of mobile devices (iOS, Android and Windows 10). More details in my previous blog “How to Restrict Personal Android Devices from Enrolling into Intune.”
Deploy Resource Policies (Wi-Fi Profile)
Intune Resource policies help devices to connect to corporate resources. Deployment of SCEP profiles to devices helps to get connected to corporate resources through Wi-Fi and VPN profiles etc. Before creating iOS SCEP profile in Intune, you need to create and deploy certificate chain.
More details about the Intune resource policy are available in my previous post. How to Create and Deploy SCEP Profile to iOS Devices via Intune.
Deploy Applications to Devices using Intune
One of the important use cases of Intune is to deploy applications to different flavors of devices. The types of applications which Intune supports now are EXE, MSI (Windows Installer and Windows Installer through MDM), APK, IPA, XAP, APPX – APPXBUNDLE for Windows app package and Windows Phone app package.
Also, you can deploy store applications from Windows Store, Google Store and Apple store using Intune Azure Portal. More details about deploying the application via Intune is given in the following links here and here. MSI application deployment is one of the best use cases of Intune for enterprise customers. More details are available in my previous post. Intune Azure Step by Step MSI Application Deployment Video Guide.
Mobile App Mgmt without Enrolment (MAM)
Microsoft Intune supports MAM without enrollment (MAM WE) and Conditional Access policies for Android devices. There are two types of management options for Windows, Android and iOS devices with Intune. First one is the traditional way of MDM management and the second method of management is the light management of apps which are installed on Android, iOS and Windows devices via Intune.
BYOD devices are suitable for MAM WE type of Intune management. Intune can also have Conditional Access policies assigned to MAM users. For example, if a consultant’s device has already enrolled to a 3rd part EMM solution, but he wanted to have access to client’s corporate email access on his mobile device for a very short period then, The “MAM WE” is the best option for that consultant.
I have a post about MAM WE “How to Enable Intune MAM without Enrollment along with Conditional Access.”
Learn to Troubleshoot Intune Issues
Intune troubleshooting made easy in the Azure portal. It’s recommended to start with “Microsoft Intune – Help and support” page in Azure portal whenever you face issue with Intune.
I have a post where I discussed “Start Troubleshooting Intune Policy Deployment Issues from Intune (new Azure) portal.” More details in the Video experience here.
How to Troubleshoot Android Device for Intune Issue
Open the Company Portal app Menu > Help and Feedback
CompanyPortalX.log. This log file contains a lot of information about the communication between the device and Microsoft Intune.
Omadmlog.log. OMA-DM is an open mobile standard for managing mobile devices.
com.microsoft.intune.mam.managedAppName.log. For each managed application, you have a log file with the name of the managed application.
How to Troubleshoot iOS Device for Intune Issue
Intune Company portal – User Profile – About – Send Diagnostic Report
How to Troubleshoot Windows Device for Intune Issues
Ignite 2017 Videos Intune
- Mobile device and app management overview with Microsoft Intune
- Conduct a successful pilot deployment of Microsoft Intune
- Manage and secure Android, iOS, and MacOS devices and apps with Microsoft Intune
- Learn how to use Microsoft Intune with the new admin console and Microsoft Graph API
- Secure access to Office 365, SaaS and on-premises apps with EMS
- Manage and protect Office 365 mobile apps with Microsoft Intune
- Deploying and using Outlook mobile in the Enterprise
- Manage mobile productivity with EMS
Ignite 2017 Video Windows 10 & Office 365 ProPlus:
- Microsoft 365: Modern management and deployment (general session with Brad and Rob)
- Overview: Modern Windows 10 and Office 365 ProPlus management with EMS
- Transition to cloud-based management of Windows 10 and Office 365 ProPlus with EMS
- Modernize deployment & servicing of Windows 10 & Office 365 ProPlus with EMS
- Secure Windows 10 with Intune, Azure AD and System Center Configuration Manager
All PPT decks can be found here.