I covered the basic overview and out-of-the-box device management you get with pure Office 365. In this article I want to start digging into the more advanced features you get by using Intune, which is part of Microsoft 365 Business Premium.
Microsoft has a service called Endpoint Manager that allows advanced device configuration and management. You access this via:
Intune is now part of Endpoint Manager, so you use that to gain access to the Intune configuration.
Part of the Intune configuration capability is device management, which is more advanced than the basic options in pure Office 365 that were detailed in the previous article.
To have devices managed by Intune they first need to go through a specific Intune enrolment process.
Intune device enrolment can only be achieved once devices have been joined to Azure AD. Neither registered nor stand-alone devices can be managed at a device level via Intune; only devices that have been fully joined to Azure AD can be enrolled in Intune for device management.
If you look at your Azure AD in the Azure portal you’ll see the option Mobility (MDM and MAM). If you select that, you’ll probably see a Microsoft Intune option on the right as shown above.
If you select that Intune option and you don’t have a license for Intune, you’ll be greeted with something like the above. What this is telling you is that automatic enrolment of devices requires an Intune license.
If you do, however, have a license for Intune you’ll see the above instead. This allows you to select which groups (None, Some, All) will automatically be enrolled in both device management (MDM) and application management (MAM). You could, of course, still enrol devices manually if you wished, but by adding an Intune license you now get the ability to automatically enrol devices into Intune management once you have joined them to Azure AD.
So the typical steps so far have been:
1. Join device to Azure AD
2. Have it automatically commence device enrolment in Intune
You will find the configuration for Intune enrolment by navigating to Endpoint Manager:
and then go to the Devices option from the menu on the left then Enroll devices as shown above.
The first major difference you’ll now see is that you have enrolment options for Windows, Apple and Android, as well as the ability to enforce restrictions and allocate managers. Each operating system has its own enrolment capabilities and options. For example, it is here that you configure Windows Autopilot and Windows Hello for Business if you want to, as they are potentially part of any advanced device enrolment.
I’ll look at covering many of these different enrolment options in future articles; however, I do want to call your attention to the fact that to enrol Apple devices you will need to set up a free Apple certificate beforehand. I have detailed that process previously here:
You can get an overview of the device enrolment status in your environment (i.e. successes and failures) via Endpoint Manager | Devices | Overview | Enrollment status as shown above. You’ll also see any Enrollment alerts on the very next tab to the right.
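Alongside the portal view, a device-side check is useful when an enrolment shows as failed. The following is an added example (not from the original article) to run in an elevated PowerShell on the Windows 10 device itself: it reads dsregcmd /status to confirm the device is fully Azure AD joined (not merely registered) and has an MDM URL, and uses Get-Tpm and Get-BitLockerVolume to tell you which of the two Windows 10 compliance policies discussed later the device will need. The function names are mine; nothing here contacts the tenant.

```powershell
# Added example. Assumes dsregcmd.exe, Get-Tpm and Get-BitLockerVolume are
# available (all built into Windows 10) and the shell is elevated.
function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines; collect them into a hashtable
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') { $status[$matches[1]] = $matches[2] }
    }
    return $status
}

function Test-IntuneReadiness {
    $s = Get-DsregStatus
    $result = [ordered]@{
        AzureAdJoined    = ($s['AzureAdJoined'] -eq 'YES')    # full join required for MDM
        WorkplaceJoined  = ($s['WorkplaceJoined'] -eq 'YES')  # "registered" state (BYOD), not enough
        MdmEnrolled      = [bool]$s['MdmUrl']                 # MdmUrl is only populated once enrolled
        TpmPresent       = (Get-Tpm).TpmPresent
        OsDriveEncrypted = ((Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus -eq 'On')
    }
    # Which of the two Windows 10 compliance policies (TPM / no TPM) this device falls under
    $result.SuggestedPolicy = if ($result.TpmPresent) { 'Win10 - TPM (BitLocker required)' } else { 'Win10 - no TPM' }
    if (-not $result.AzureAdJoined) {
        $result.Note = 'Device is not Azure AD joined; Intune device enrolment cannot proceed.'
    }
    return [pscustomobject]$result
}

Test-IntuneReadiness | Format-List
```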
Once devices have successfully completed enrolment, they will commence device compliance.
You can configure device compliance policies via Endpoint Manager | Devices | Compliance policies as shown above.
Here you create as many different Compliance policies as you wish. Typically, you have one per device operating system, however you can have more if you wish. A good example of why you might have two Windows 10 policies is to handle machines that have, and those that don’t have, TPM capabilities. Disk encryption is a compliance setting you can check for and enforce. However, you may not want to enforce full disk encryption via BitLocker for machines that don’t have inbuilt TPM chips. Thus, two separate compliance policies would be required: one to check machines with TPM capability and one for those without.
If you select the Create Policy option, as shown above, you’ll be able to select from a range of platforms (OS’s).
The compliance options available will vary by device operating system, but an example of some of the Windows 10 options you can configure in the policy are shown above.
The main idea here is to configure appropriate checks via policies for each device operating system. Devices that fail these checks are considered and marked as ‘non-compliant’ and further action can then be taken. An example of an action that can be taken on a device that is ‘non-compliant’ is to exclude it from accessing Microsoft 365 information. A good example of this is a policy that prevents devices that have been jailbroken or have unsupported operating systems from being able to access corporate data.
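The same two Windows 10 compliance policies (TPM with BitLocker required, and no TPM) together with the "block" non-compliance action described above can also be created through the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not the article’s own steps; it assumes the Microsoft.Graph.DeviceManagement module, an admin consenting to DeviceManagementConfiguration.ReadWrite.All, and placeholder group IDs for the TPM and non-TPM device groups; the property names follow the Graph windows10CompliancePolicy resource.

```powershell
# Added example. Requires the Microsoft.Graph.DeviceManagement module and an
# account with DeviceManagementConfiguration.ReadWrite.All.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

function New-Win10CompliancePolicyBody {
    param([string]$Name, [bool]$RequireTpmAndBitLocker)
    return @{
        "@odata.type"    = "#microsoft.graph.windows10CompliancePolicy"
        displayName      = $Name
        description      = "Windows 10 compliance ($Name)"
        osMinimumVersion = "10.0.19041"   # unsupported / old builds become non-compliant
        passwordRequired = $true
        # Disk-encryption checks only apply to the TPM-capable policy
        tpmRequired              = $RequireTpmAndBitLocker
        bitLockerEnabled         = $RequireTpmAndBitLocker
        storageRequireEncryption = $RequireTpmAndBitLocker
        # Graph rejects a compliance policy with no non-compliance action. "block" with
        # no grace period marks the device non-compliant immediately, which is what a
        # Conditional Access "require compliant device" rule uses to deny access.
        scheduledActionsForRule = @(@{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(@{
                actionType = "block"; gracePeriodHours = 0
                notificationTemplateId = ""; notificationMessageCCList = @()
            })
        })
    }
}

# Placeholder group IDs: replace with the Azure AD groups holding TPM and non-TPM devices
$targets = @(
    @{ Name = "Win10 - TPM devices";    RequireTpm = $true;  GroupId = "<tpm-devices-group-id>" }
    @{ Name = "Win10 - no TPM devices"; RequireTpm = $false; GroupId = "<no-tpm-devices-group-id>" }
)

foreach ($t in $targets) {
    $body   = New-Win10CompliancePolicyBody -Name $t.Name -RequireTpmAndBitLocker $t.RequireTpm
    $policy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $body
    # A policy does nothing until it is assigned to a group
    $assignment = @{ assignments = @(@{ target = @{
        "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
        groupId       = $t.GroupId } }) }
    Invoke-MgGraphRequest -Method POST -Body $assignment `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.Id)/assign"
    Write-Host "Created and assigned '$($policy.DisplayName)' ($($policy.Id))"
}
```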
You can get an overview of the device compliance status in your environment by navigating to Endpoint Manager | Devices | Overview | Compliance status as shown above.
Once compliance policies have been applied to a device, the final part of adding devices to Intune device management is the application of configuration policies.
These policies are found by navigating to Endpoint Manager | Devices | Configuration policies as shown above.
When you create a new policy via the Create profile button from the menu as shown above, you again need to select the device operating system and then the profile. The number, types and content of these profiles will vary by operating system, but for example they allow you to do things like control when antivirus scans run, control photo uploads, enforce PIN locks and much more.
Here you will typically have lots of policies including different policies for different groups of users, different operating systems and so on.
Above is an example of the options that are available in an Android Device Restriction configuration policy.
In summary, this article has covered the process of enrolling in advanced device management (MDM) using Intune. The process is:
1. Join devices to Azure AD
2. Devices complete Intune enrolment
3. Devices have Intune compliance policies applied
4. Devices have Intune configuration policies applied
After this process, devices are considered to be fully ‘device’ managed by Intune. That is, MDM is now done via Intune.
Note: MDM is for devices that are Azure AD joined and requires full control of the device down to the operating system. This means the business has full control of the device. That may not be desired for users who bring their own devices (BYOD). Such devices can be managed by application management (MAM), which will be the focus of the next article.