X

Intune and Exchange ActiveSync (Part 3)

If you would like to read the other parts in this article series please go to:

Intune Groups

Groups in Intune give us the flexibility to manage devices and users. We can set up groups to suit our organizational needs (for example, by geographic location, department or hardware/software characteristics). We can use groups to perform a variety of administrative tasks such as assigning policies for a set of users or deploying applications to a set of devices. Additionally, we can filter groups to allow IT admins to only perform operations on the groups we specify.

To create and manage groups, we use the Groups workspace in the Intune administration console. To create a user group:

  1. In the Intune administration console, click Groups > Create Group:


Figure 1

  1. For the Group name, type a name for the new group such as Intune Trial Users, and from the parent group list select All Users, and then click Next;
  2. On the Define Membership Criteria page, next to Exclude members from these security groups, click Browse and then select Company Administrator. This exclusion will let us manage the group without affecting the Company Administrator account (also known as the tenant administrator);
  3. On the Define Direct Membership page, click Next. We do not need to do anything here because we want the group to include all users except the Company Administrator;
  4. On the Summary page, review the actions that will be taken, and then click Finish.

For this article I have created an Intune Trial user group and added the user Nuno to it. This will allow me to target just this user for all my Intune tests but target any device that he might use. This is useful in a production environment but not really for this particular test lab scenario to be fair as only this user has an Intune license anyway.


Figure 2

Creating a device group is very similar to the above:

  1. In the Intune administration console, click Groups > Create Group;
  2. For the Group name, type a name for the new group such as Intune Trial Devices, and from the parent group list, select All Devices, and then click Next;
  3. On the Define Membership Criteria page, select All devices to indicate that the group includes both mobile devices and computers;
  4. On the Define Direct Membership page, click Next. If we had created a group that did not include all devices, and we wanted to add specific devices to our new group, we could do that here;
  5. On the Summary page, review the actions that will be taken, and then click Finish.

We can find the newly created group in the Groups list, in the Groups workspace, under All Devices. From here, we can also edit or delete the group.

Now that we have a group in place, let us have a look at security policies.

Intune Mobile Device Security Policies

Intune policies allows organizations to control the security settings on mobile devices and computers, and to deploy applications. As this article is all about mobile device management, we will look at how Intune mobile device security policies can help us configure a wide range of settings that we can deploy to managed devices in our organization. This way, we can control the functionality and security of our devices.

We can create and deploy mobile device security policies for the following device types:

  • Windows RT, Windows RT 8.1 and enrolled Windows 8.1 devices;
  • Windows Phone 8 and Windows Phone 8.1;
  • iOS devices;
  • Android and Samsung KNOX.

To create and deploy a mobile device security policy:

  1. Open the Intune administration console;
  2. In the left pane, click the POLICY icon:


Figure 3

  1. In the Tasks list on the Policy Overview page, click Add Policy:


Figure 4

  1. Click Common Mobile Device Settings > Mobile Device Security Policy;
  2. Choose whether you want to create a policy that contains recommended settings, or whether you want to create a custom policy. In this case, I will choose to create a policy with recommended settings. Click Create Policy:


Figure 5

  1. Select All Users and click Add. Alternatively, we can target any group(s) we have created, such as the Intune Trial created earlier:


Figure 6

  1. Click OK to create the policy. Once it is created, the new policy is listed:


Figure 7

If we now click on Edit... we can see what the recommended settings are and update them as necessary:


Figure 8

The screen above only shows a fraction of the several options we can configure. For this scenario, I have updated some of the Password requirements to make things easier for testing and demonstration. Obviously, it is always recommended to have a policy in place that meets at least the minimum security requirements for the organization.


Figure 9

Some settings are not applicable to some devices, but Intune does a good job in letting us know which devices support each setting as you can see above (after every setting’s name).

Now that we have a policy created, it is time to deploy it. In this case we already targeted All Users (step 6 above), so we do not need to deploy this particular policy. If, for any reason, you need to, select the policy you want to deploy and click on Manage Deployment:


Figure 10

From here, to deploy the policy select one or more groups to which you want to deploy the policy, click Add and then OK:


Figure 11

A status summary and alerts on the Overview page of the Policy workspace identify issues with the policy that require our attention (please note that it might take a few hours for status information to appear in the Intune admin console). For now, everything is looking good:


Figure 12

Conclusion

In this third part of this article series we had a look at how to create and use Intune groups, and created an Intune Mobile Device Security Policy. In the next part we will start enrolling mobile devices and create an Email Profile to automatically configure mobile devices to connect to our organization.

If you would like to read the other parts in this article series please go to: