When the pandemic hit last year, IT admins scrambled to keep their systems and businesses running as employees transitioned to a work-from-home model. For some admins, it meant wielding tools they had available but had seldom used. Microsoft Intune is one of these tools, and it has grown in popularity as the pandemic continues into its second year. (Microsoft has since combined Intune and Configuration Manager into a single solution it calls Microsoft Endpoint Manager.) With Intune, you can manage your employees' mobile devices and apps as well as their access to company data, and you can extend that management to privately owned devices. This updated article walks you through the basics of using Microsoft Intune.
To use this mobile device management (MDM) system, devices must first be enrolled in the Intune service. There are several ways to enroll your employees' devices, and which one fits depends on who owns the device (personal or corporate), the platform (iOS, Windows, Android), and the management requirements: whether the device must be reset first, whether it is tied to a single user (user affinity), and whether users must be prevented from removing the enrollment. By default, devices of every platform can enroll; you can restrict enrollment by platform with enrollment restrictions.
Device lifecycle management
Mobile device management, like most IT management activities, follows a lifecycle. The MDM lifecycle consists of four phases:
- Enroll phase: Devices are enrolled in the MDM solution. Intune lets you enroll both mobile devices such as smartphones and Windows PCs.
- Configure phase: Bring the enrolled devices into line with your configuration and security policies. You can also automate common administrative tasks, such as distributing Wi-Fi (WLAN) settings.
- Protect phase: Continuously monitor the settings applied in the Configure phase and keep devices compliant, including by monitoring and deploying software updates. A device that drifts out of compliance can be blocked from company resources through Conditional Access.
- Retire phase: When a device is no longer needed, or is lost or stolen, protect the data on it. Intune offers a full wipe, which factory-resets the device, and a retire (selective wipe), which removes only company data and the management profile while leaving personal data in place.
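The Protect phase is where compliance is evaluated. The following script is an added example and not code from the original article: it audits, locally and with built-in cmdlets only, the Windows 10 settings an Intune compliance policy typically checks (TPM, Secure Boot, BitLocker on the OS drive, Defender real-time protection and signature age), and returns one object per check plus an overall verdict. The threshold values and the check names are assumptions chosen for illustration; align them with your own compliance policy.

```powershell
# Added example (not code from the original article): a local audit of the device
# settings an Intune compliance policy for Windows 10 typically evaluates. Uses only
# built-in cmdlets (TrustedPlatformModule, SecureBoot, BitLocker, Defender modules).
# Run in an elevated PowerShell session on the device being checked.

function Test-Setting {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Expected,
        [Parameter(Mandatory)][scriptblock]$Probe
    )
    # Each probe is wrapped so that a missing cmdlet (e.g. no BitLocker module on
    # Home edition) or legacy BIOS firmware (Confirm-SecureBootUEFI throws) produces
    # a failed check instead of aborting the whole audit.
    try   { $actual = & $Probe; $pass = [bool]$actual }
    catch { $actual = "error: $($_.Exception.Message)"; $pass = $false }
    [pscustomobject]@{ Check = $Name; Expected = $Expected; Actual = $actual; Pass = $pass }
}

function Get-LocalComplianceReport {
    param([int]$MaxSignatureAgeDays = 7)   # assumed baseline value, not an Intune default

    $checks = @(
        Test-Setting 'TPM present and ready' 'True' {
            $tpm = Get-Tpm
            $tpm.TpmPresent -and $tpm.TpmReady
        }
        Test-Setting 'Secure Boot enabled' 'True' { Confirm-SecureBootUEFI }
        Test-Setting "BitLocker protection on $env:SystemDrive" 'True' {
            (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus -eq 'On'
        }
        Test-Setting 'Defender real-time protection' 'True' {
            (Get-MpComputerStatus).RealTimeProtectionEnabled
        }
        # GetNewClosure() captures $MaxSignatureAgeDays so the probe does not depend
        # on the caller's scope when it is invoked inside Test-Setting.
        Test-Setting "Defender signatures at most $MaxSignatureAgeDays days old" 'True' {
            (Get-MpComputerStatus).AntivirusSignatureAge -le $MaxSignatureAgeDays
        }.GetNewClosure()
    )

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        EvaluatedUtc = (Get-Date).ToUniversalTime()
        Compliant    = -not ($checks | Where-Object { -not $_.Pass })
        Checks       = $checks
    }
}

$report = Get-LocalComplianceReport
$report.Checks | Format-Table Check, Expected, Actual, Pass -AutoSize
"Overall compliant: $($report.Compliant)"
```

The script mirrors what the Intune compliance engine does on the device side; it is useful when a device shows as non-compliant in the admin center and you need to see which individual setting is failing without waiting for the next check-in.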
Automatic mobile device management registration
Automatic enrollment lets users enroll their Windows 10 devices in Intune without IT support. Administrators enable it in the Azure Active Directory (Azure AD) portal under Mobility (MDM and MAM) by setting the MDM user scope for Microsoft Intune to all users or to specific groups.
To enroll, users either add their work account to a personal device (Azure AD registration) or join a corporate device to Azure AD. In the background, the device is registered in Azure AD and, if the signed-in user is within the MDM user scope, enrolled in Intune, after which it can be managed from the Microsoft Endpoint Manager admin center.
Enrolling Windows 10 devices
There are many ways to enroll Windows 10 devices in Microsoft Intune. Some are driven by the user and others by IT administrators; some support BYOD programs, and others modern provisioning and the management of corporate devices. Each method has its own prerequisites and behavior.
The enrollment methods are as follows:

| Method | Description |
|---|---|
| 1. Add work or school account | Joins the device to Azure AD from Settings. If you have Azure AD Premium licenses and your Azure AD tenant is configured for automatic enrollment in Intune, the device is enrolled in Intune at the same time. Preferable when Autopilot is not used in the environment. |
| 2. MDM-only enrollment (user driven) | Enrolls the device only in Intune and does not join it to Azure AD. Use this only in environments without the Azure AD Premium licenses that automatic enrollment requires. |
| 3. Azure AD join (OOBE) | Essentially the same as method 1, except that the device is joined during the out-of-box experience (OOBE). With Azure AD Premium licenses and a tenant configured for automatic enrollment, the device is also enrolled in Intune. |
| 4. Azure AD join (Autopilot user-driven mode) | Essentially the same as method 3, with some differences: the device is joined during a customized OOBE, and many OOBE screens can be skipped for a smoother end-user setup. This is the preferred method for enrolling new corporate devices, but it requires Azure AD Premium licenses and a tenant configured for automatic enrollment. If you pre-assign a user to the Autopilot device, the username is pre-filled and the user only has to enter a password. |
| 5. Azure AD join (Autopilot self-deploying mode) | Essentially the same as method 4, except that every OOBE screen is skipped once the device is powered on for the first time: Azure AD join and Intune enrollment are fully automated with no user interaction, which makes it the most hands-off of the methods listed. Self-deploying mode requires a TPM 2.0 chip, which attests the device's identity during enrollment. It is intended for user-less devices such as kiosks but can also be used for devices that are then handed to regular users. |
| 6. MDM-only enrollment with a device enrollment manager (DEM) | Very similar to method 2, except that IT administrators perform the enrollment using a special account type, a device enrollment manager (DEM) account. The DEM enrolls the device (a single DEM account can enroll up to 1,000 devices), signs in to the Company Portal, and installs the apps the user needs. |
| 7. Co-management with Configuration Manager | Co-management lets you manage Windows 10 devices simultaneously with Configuration Manager and Microsoft Intune. It is a bridge from traditional to modern management that allows a phased transition, and it is the preferred method for existing devices already managed by System Center Configuration Manager (SCCM). Once enabled, the device is managed by both, so you can use the best features of each. |
| 8. Azure AD join (bulk enrollment) | Bulk enrollment is an efficient way to set up a large number of devices for Intune management without reimaging them. You create a provisioning package with the Windows Configuration Designer app from the Microsoft Store; applying that package joins the device to Azure AD and enrolls it in Intune. |
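Whichever path a device took, the result must be verified on the endpoint. The following script is an added example, not code from the original article or from Microsoft: it reports how a Windows 10 device is joined (Azure AD joined, hybrid joined, Azure AD registered, or on-premises only), whether it holds an Intune enrollment, and whether an Autopilot deployment profile was applied, so you can tell which of the methods above (including the automatic enrollment described earlier) actually took effect. It parses the output of `dsregcmd /status` and reads the MDM enrollment keys from the registry; the registry value names (`ProviderID`, `UPN`, `EnrollmentType`, `DiscoveryServiceFullURL`, the `CloudAssigned*` Autopilot values) are those observed on enrolled devices and are treated here as assumptions, not documented API.

```powershell
# Added example (not code from the original article): summarize join type, Intune
# enrollment and Autopilot profile state on a Windows 10 device.
# Run in an elevated PowerShell session; dsregcmd shows device state only when elevated.

function Get-DsregStatus {
    # dsregcmd prints "Key : Value" lines under section headers; collect them in a
    # hashtable. The first occurrence of a key wins (some keys repeat per section).
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$' -and
            -not $status.ContainsKey($Matches[1])) {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    $status
}

function Get-MdmEnrollment {
    # Each enrollment lives in a GUID-named subkey. ProviderID 'MS DM Server' is the
    # value seen for Intune enrollments (assumption; other MDMs use their own string).
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    foreach ($key in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
        $p = Get-ItemProperty -Path $key.PSPath
        if (-not $p.ProviderID) { continue }   # skip housekeeping subkeys without a provider
        [pscustomobject]@{
            EnrollmentId   = $key.PSChildName
            ProviderID     = $p.ProviderID
            IsIntune       = ($p.ProviderID -eq 'MS DM Server')
            UPN            = $p.UPN
            EnrollmentType = $p.EnrollmentType
            DiscoveryUrl   = $p.DiscoveryServiceFullURL
        }
    }
}

function Get-AutopilotProfileInfo {
    # Autopilot caches the downloaded deployment profile here (assumed location).
    $path = 'HKLM:\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot'
    $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if ($p -and $p.CloudAssignedTenantDomain) {
        [pscustomobject]@{
            TenantDomain = $p.CloudAssignedTenantDomain
            DeviceName   = $p.CloudAssignedDeviceName
            OobeConfig   = $p.CloudAssignedOobeConfig
        }
    }
}

function Get-EnrollmentSummary {
    $ds  = Get-DsregStatus
    $mdm = @(Get-MdmEnrollment)
    # Join type follows the dsregcmd flags: both AzureAdJoined and DomainJoined means
    # hybrid join; WorkplaceJoined alone is Azure AD registration (personal devices).
    $joinType = if ($ds['AzureAdJoined'] -eq 'YES' -and $ds['DomainJoined'] -eq 'YES') { 'Hybrid Azure AD joined' }
                elseif ($ds['AzureAdJoined'] -eq 'YES')   { 'Azure AD joined' }
                elseif ($ds['WorkplaceJoined'] -eq 'YES') { 'Azure AD registered (personal device)' }
                elseif ($ds['DomainJoined'] -eq 'YES')    { 'On-premises domain joined only' }
                else                                      { 'Not joined' }
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        JoinType        = $joinType
        TenantName      = $ds['TenantName']
        AzureAdDeviceId = $ds['DeviceId']
        MdmUrl          = $ds['MdmUrl']
        IntuneEnrolled  = [bool]($mdm | Where-Object IsIntune)
        Enrollments     = $mdm
        Autopilot       = Get-AutopilotProfileInfo
    }
}

Get-EnrollmentSummary | Format-List
```

A device that shows `JoinType` as Azure AD joined but `IntuneEnrolled` as false is the classic symptom of a user outside the MDM user scope or of a missing Azure AD Premium license: the join succeeded, but automatic enrollment never fired.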
Device and user profiles
Microsoft Intune includes settings and features that you can enable or disable on different devices within your organization. These settings and features are managed using profiles. Examples of profiles include:
- A wireless profile that provides different devices with access to your corporate wireless network.
- A VPN profile that gives multiple devices access to the VPN server on your corporate network.
The following profiles are available in Intune:
| Profile type | What it configures |
|---|---|
| Device features (iOS and macOS) | Platform features of iOS and macOS devices, such as AirPrint, notifications, and shared device configuration. |
| Device restrictions | Security, hardware, data sharing, and other settings on the device. For example, a device restriction profile can prevent users of iOS devices from using the camera. |
| Endpoint protection | Endpoint protection settings for Windows 10 devices, including BitLocker and Windows Defender settings. |
| Identity protection | Windows Hello for Business on Windows 10 and Windows 10 Mobile: whether it is available to users and devices, and the requirements for device PINs and gestures. |
| Kiosk | Configures a device to run a single app or a defined set of apps. You can also customize other features of the kiosk device, including the Start menu layout and the web browser. |
| Email | Creates, assigns, and monitors Exchange ActiveSync email settings on devices. Email profiles ensure consistent settings, reduce support calls, and let users reach their corporate mailbox on personal devices without setting it up manually. |
| VPN | Assigns VPN profiles to users and devices so they can connect to the corporate network securely and without manual setup. Devices use the VPN connection profile to reach your VPN server. |
| Wi-Fi (WLAN) | Assigns wireless network settings to users and devices, giving them access to the corporate wireless network without configuring it themselves. |
| eSIM cellular (public preview at the time of writing) | Configures cellular connections for Internet and data access on managed devices. After receiving activation codes from your mobile operator, you import them into Intune and assign them to eSIM-enabled devices. |
| Education: Windows 10 | Options for the Windows Take a Test app. While a test runs, the device cannot run other apps until the test is complete. |
| Education: iOS | The iOS Classroom app, which guides learning and controls student devices in the classroom. iPad devices can also be configured so that multiple students share a single device. |
| Edition upgrade | Automatically upgrades supported Windows 10 editions to a newer edition (for example, Pro to Enterprise). |
| Update policies (iOS) | Creates and assigns iOS policies that install software updates on iOS devices; you can also check the installation status. |
| Certificates | Trusted root certificates, plus certificates issued through the Simple Certificate Enrollment Protocol (SCEP) or Public Key Cryptography Standards (PKCS), which are assigned to devices and used to authenticate Wi-Fi, VPN, and email profiles. |
| Windows Information Protection | Protects corporate apps and data on corporate and personal devices that employees use at work from accidental leaks, without compromising the employee experience. No changes to your environment or other apps are required. |
| Custom | Device settings that are not built into Intune's templates. On Windows and Android devices, for example, you enter Open Mobile Alliance Uniform Resource Identifier (OMA-URI) values; for iOS devices, you import a configuration file created in Apple Configurator. Custom profiles are explained in detail in the topic below. |
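The device-restriction and custom-profile rows above are the ones most often scripted. The following is an added example and not code from the original article or from Microsoft: it builds the JSON body of a Windows 10 custom configuration profile carrying three Policy CSP OMA-URIs (require a device password, set its minimum length, and disable the camera, the Windows counterpart of the iOS camera restriction mentioned above) and, only when asked, creates the profile through Microsoft Graph using the Microsoft Graph PowerShell SDK (`Connect-MgGraph`, `Invoke-MgGraphRequest`). The profile name, description, and the specific values are assumptions chosen for illustration; the OMA-URIs and the `@odata.type` names are the documented Policy CSP and Graph identifiers.

```powershell
# Added example (not code from the original article): build and optionally publish an
# Intune custom profile (windows10CustomConfiguration) with OMA-URI settings.
# Requires the Microsoft.Graph PowerShell SDK only when -Create is used.

function New-OmaUriSetting {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)]$Value,
        [string]$Description = ''
    )
    # Graph distinguishes setting types by @odata.type; derive it from the value's type.
    $type = switch ($Value.GetType().Name) {
        'Int32'   { '#microsoft.graph.omaSettingInteger' }
        'Boolean' { '#microsoft.graph.omaSettingBoolean' }
        default   { '#microsoft.graph.omaSettingString' }
    }
    [ordered]@{
        '@odata.type' = $type
        displayName   = $Name
        description   = $Description
        omaUri        = $Uri
        value         = $Value
    }
}

function New-CustomProfileBody {
    param([string]$DisplayName = 'Example baseline: lock screen and camera')   # assumed name
    [ordered]@{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $DisplayName
        description   = 'Custom OMA-URI settings delivered via Intune (added example)'
        omaSettings   = @(
            # Policy CSP, DeviceLock area. Note the inverted semantics: 0 means a
            # password IS required; MinDevicePasswordLength only applies once it is.
            New-OmaUriSetting -Name 'DevicePasswordEnabled' `
                -Uri './Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled' `
                -Value 0 -Description '0 = device password required'
            New-OmaUriSetting -Name 'MinDevicePasswordLength' `
                -Uri './Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength' `
                -Value 8
            # Policy CSP, Camera area: 0 disables the camera.
            New-OmaUriSetting -Name 'AllowCamera' `
                -Uri './Device/Vendor/MSFT/Policy/Config/Camera/AllowCamera' `
                -Value 0 -Description '0 = camera blocked'
        )
    }
}

function Publish-CustomProfile {
    param([switch]$Create)
    $body = New-CustomProfileBody | ConvertTo-Json -Depth 5
    if (-not $Create) { return $body }   # dry run: return the JSON that would be sent
    # Scope and endpoint per the Graph device configuration API; v1.0 supports this type.
    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
        -Body $body -ContentType 'application/json'
}

Publish-CustomProfile             # prints the JSON body; nothing is sent
# Publish-CustomProfile -Create   # creates the profile in your tenant (then assign it to a group)
```

Keeping the body construction separate from the POST lets you review the exact settings in source control before anything reaches the tenant, and a newly created profile applies to no device until you assign it.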
Windows 10 requires that each user has a user profile. A user profile is created the first time a user signs in, from the contents of the Default profile in the Users folder, and is stored in the Users folder. There are four types of user profile:
- Local: Exists only on a single computer.
- Roaming: Follows the user between computers that are domain members.
- Mandatory: A special preconfigured profile that does not save user changes between sign-ins.
- Temporary: Issued when an error prevents the user's profile from loading; changes made in it are discarded at sign-out.
Mobile device management and Intune: Just scratching the surface
As we can see, Intune is a great and powerful Microsoft tool that has become even more important as work-from-home goes from an emergency response to an everyday norm. This article is intended to serve as an introduction to this world. For IT admins, the more you know about Intune and its uses, the better you will be able to do your job.