How to setup Microsoft Intune (MAM and MDM Configuration) – Step by Step Guide

What is Microsoft Intune ?

Microsoft Intune which was previously known as Windows Intune is a part of Microsoft Cloud based Mobile device Management (MDM), Mobile Application Management (MAM) and Windows 10 PC Management Solution. No On-Premise Infrastructure is required for using this service from Microsoft and it can be easily managed using Microsoft Endpoint Manager Console https://endpoint.microsoft.com/.

Intune is included in Microsoft Enterprise Mobility + Security (EMS) and Integrates with Microsoft 365, Azure AD and Azure Information Protection (AIP).

Features and Benefits of Using Microsoft Intune

  • Manage Mobile Devices (Corporate and BYOD Devices).
  • Manage and Protect Applications using App Protection Policies (APP).
  • Manage Windows 10 machines.
  • Easy to use Management Portal.
  • No On-Premise Infrastructure Requirements.
  • Can be used as Intune Standalone (100% cloud) or co-manage Intune and Configuration Manager.
  • Can be used along with MDM for Office365.
  • Reporting and Logging.
  • Deploy Custom In-house Applications to Windows 10 and Mobile Devices.
  • Protection of the Apps and Users via Conditional Access Policies.
  • Integrate with Third Party Mobile Threat Defense Systems (MTD) e.g. Better Mobile, Zimperium and Lookout for Work.

License Requirements

Microsoft Intune is included in the following licenses:

Microsoft 365 E5    ► Microsoft 365 E3    ►Enterprise Mobility + Security E5    ► Enterprise Mobility + Security E3    ►Microsoft 365 Business     ►Microsoft 365 F3     ►Microsoft 365 Government G5    ►Microsoft 365 Government G3

Supported OS and Browsers In Intune

Before you start setting up Intune for your Client, please check the Supported OS and Browsers in Intune.

Initial Configuration

a) Sign-up On the below Intune Portal (you can get 30 days free trial of Intune when you sign-up)

Sign-up for Intune

Microsoft Intune Trial

b) Add-Users (Create In-Cloud Users or Sync from On-Premise Active Directory using Azure AD Connect) and Assign Licenses.

c) Intune Admin Portal URLs

Configure MDM Authority

First, you must configure mobile device management (MDM) authority. How and where you manage your devices is determined by a setting called MDM Authority. Its a pre-requisite and a part of initial configuration to set the MDM Authority before you can enroll any device to Intune.

  • Login to Microsoft EndPoint Admin Console https://endpoint.microsoft.com.
  • Select Tenant Administration -> MDM Authority to Set the MDM Authority to Microsoft Intune.

Once you have set the MDM Authority, you can check its status as shown below:

Intune MDM Authority

Azure AD Groups

We will create two Azure AD Security Groups which will be used for Intune configuration, assigning apps, device compliance policy, device configuration policy and conditional access policy.

Intune – MDM Users

Intune – MAM Users

Device Enrollment

After setting up MDM Authority, we will setup Device Enrollment. I will first go through the Apple enrollment and then android enrollment and Windows enrollment. These do not have to be in order, you can configure enrollment of devices in any order you like. However, for the purpose of this blog post, we will configure Apple enrollment first.

Apple enrollment

For configuration of Apple enrollment, Login on Endpoint Manager admin center and follow below steps.

First Configure Apple MDM Push Certificate which is required for management of Apple devices. I have created a blog post specifically for showing you how to configure Apple MDM Push Certificate. Please follow below article for the same, once you have configured Apple MDM Push Certificate, come back to this post and complete rest of the Intune configuration.

  • Go to Devices -> Enroll Devices -> Apple enrollment -> Apple MDM Push certificate.

Android Enrollment

For configuration of Android Enterprise solution, we must first link organization’s Google Play account to Intune before anything else. I have created a blog post specifically for showing you step-by-step on how you can link Google Play account to Intune for Android enrollment. Please follow below article for the same and come back to this section to complete the rest of the Intune configuration.

Windows enrollment

To manage devices in Intune, devices must first be enrolled in the Intune service. Both personally owned and corporate-owned devices can be enrolled for Intune management. In this section, we will see how you can configure windows enrollment for managing windows 10 devices using Microsoft intune.

Steps to configure Windows enrollment

CNAME VALIDATION

You will see many options on the windows enrollment page. One of the option is CNAME Validation. To simplify enrollment, create a domain name server (DNS) alias (CNAME record type) that redirects enrollment requests to Intune servers. Otherwise, users trying to connect to Intune must enter the Intune server name during enrollment.

We will login on our Domain registrar where my DNS Zone is also hosted / managed. I will create below CNAME record:

TypeNamePoints toTTL
CNAMEenterpriseenrollment.cloudinfra.netenterpriseenrollment-s.manage.microsoft.com
3600

Screenshot from DNS Zone Editor:

Windows Enrollment - CNAME Record

Once you add this record in your DNS Zone, it may take upto 24 hours for DNS Propagation. After this, go back to the Microsoft Endpoint Admin Center -> Devices -> Enroll Devices -> Windows enrollment -> CNAME Validation, Enter your domain name and click Test to validate. If you get an error, it may be because of the DNS CNAME record is not propagated yet, Please wait for couple of hours and try again. It should show a Green tick with a message saying CNAME for <domain name> is configured correctly.

Important
If the company uses more than one UPN suffix, you need to create one CNAME for each domain name and point each one to EnterpriseEnrollment-s.manage.microsoft.com.
Windows Enrollment - CNAME Record
CNAME Validation Intune
ENABLE AUTOMATIC ENROLLMENT (Azure AD Premium required)

Automatic enrollment lets users enroll their Windows 10 devices in Intune. To enroll, users add their work account to their personally owned devices or join corporate-owned devices to Azure Active Directory. In the background, the device registers and joins Azure Active Directory. Once registered, the device is managed with Intune.

To enable automatic enrollment, follow below steps:

Intune Windows Enrollment Automatic Enrollment

Configure MDM User scope and / or MAM user scope. Please note these settings only apply to Windows 10 devices and not applicable for iOS and Android devices.

  • None – MDM automatic enrollment disabled.
  • Some – Select the Groups that can automatically enroll their Windows 10 devices
  • All – All users can automatically enroll their Windows 10 devices

Below shows MDM user scope set to All and MAM user scope to None which means that only corporate owned devices will automatically enrolled into intune. Please visit the URL To identify the devices as corporate-owned.

If you are starting with Pilot users for windows 10 MDM enrollment, select Some and provide Pilot User group. Only the devices of Pilot User group users will be automatically enrolled. You can adapt this approach for Phased rollout of Intune for Windows 10 devices.

Intune MDM User Scope and MAM User Scope

Enrollment Restrictions

For the configuraiton of Enrollment, Please follow below steps:

On the Enrollment restrictions page, you will see a default policy already existing. Either you can modify the default policy or create a new one. We are going to create a new Enrollment restriction policy called CloudInfra – Device Access Policy – MDM. We will block all Personally owned devices to get enrolled into Intune (except Android Enterprise Work Profile) and allow only corporate devices.

How the device is classified as Corporate Device in Microsoft Intune
At the time of enrollment, Intune automatically assigns corporate-owned status to devices that are:

>> Enrolled with a device enrollment manager account (all platforms)
>> Enrolled with the Apple Device Enrollment ProgramApple School Manager, or Apple Configurator (iOS/iPadOS only)
>> Identified as corporate-owned before enrollment with an international mobile equipment identifier (IMEI) numbers (all platforms with IMEI numbers) or serial number (iOS/iPadOS and Android)
>> Joined to Azure Active Directory with work or school credentials. Devices that are Azure Active Directory registered will be marked as personal.
>> Set as corporate in the device’s properties list

After enrollment, you can change the ownership setting between Personal and Corporate.
Source:Microsoft

Lets create Enrollment Restriction Policy.

Create a new Device type restriction policy by going to Devices -> Enroll Devices -> Enrollment restrictions -> Create restriction -> Device type restriction.

Provide a Name and Description to the Policy

Cloudinfra - Device Access Policy - MDM

In Platform settings tab, Select the Platforms which you want to allow / manage with Intune along with the minimum and maximum OS version. As you can see in the below screenshots, I have allowed Android Personally owned devices because I want to create android work profile on android phones and rest of the Personally owned devices are blocked this is because for iOS we will only be managing the apps with app protection policies and for Windows / mac OS – only corporate devices are allowed.

You can customize these restrictions as per your organization requirements. The idea here is to provide you with what basic understanding of the configuration. If you Block Android Enterprise Personally Owned devices, android work profile creation will fail. To know more about Android work profile, Check Introduction to Android Work Profile link.

Enrollment Restrictions - Cloudinfra.net

Policy has been created.

Enrollment Restriction Policy

Device Compliance Policy

Next one will be to create device compliance policies for Android, iOS, macOS and Windows 10 devices. Assign these compliance policies to Intune – MDM Users group.

To Create Device Compliance Policies:

  • After logging on to Microsoft Endpoint Manager admin center -> Click on Devices -> Compliance Policies.
Device Compliance Policy Intune

Compliance Policies are very specific to the organizations, therefore I will have to leave this with you to go through each setting of the Compliance policies which are created below.

Device Compliance Policy Intune

Device Configuration Profiles

Once the Devices Compliance Policies are all set, you can create device configuration profiles. This is only valid for MDM Devices that means for managed devices. If you are just managing the Applications using app protection policies then Device Configuration Policies will not be applied.

To Create Device Configuration profiles:

  • After logging on to Microsoft Endpoint Manager admin center -> Click on Devices -> Configuration Profiles.
Device Configuration Profiles Intune

App Protection Policies

App Protection Policies (APP) ensures that the corporate data is safe and secure. MAM is an Mobile Application management solution where the data is protected using APP on BYOD devices.

You can create App Protection Policy for iOS, Android and Windows 10 or later devices. For example, using app protection policy you can block copying organization information to unmanaged app, set a PIN for app and define a timeout value for PIN requirement etc.

Create App Protection Policy for each platform type and add all managed apps to protect the data in those apps.

To Create App Protection Policies (APP):

  • After logging on to Microsoft Endpoint Manager admin center -> Click on Apps -> App Protection policies.

As you can see in below screenshot, I have created two app protection policies one for Android and one for iOS. Please go through each setting of the app protection policies for each platform and configure it as per your organizational requirement.

Once the Policies are created, Assign it to Intune – MDM Users and Intune – MAM Users Azure AD security groups.

App Protection Policies Intune

Customization Policy / Company Branding

You can customize the end user experience by customizing the appearance of the company portal and include your company logo, theme color, theme background, provide contact information of your helpdesk number and company website info etc.

To Create App Protection Policies (APP):

  • After logging on to Microsoft Endpoint Manager admin center -> Click on Tenant administration -> Customization.

There is a default policy which exists out of the box, you can modify this policy but it cannot be deleted. As you can see in below screenshot, i have modifed the Theme color, uploaded Company Logo and added Support Information.

Customization Policy / Company Branding Intune

For Customization Configuration and best practices you can check below article on Microsoft website:

https://docs.microsoft.com/en-us/mem/intune/apps/company-portal-app#customizing-the-user-experience

Add Applications to Microsoft Intune

For deploying and managing the applications using Microsoft Intune. You need to first add the application and then assign it to the users via Azure AD Security Group. You can add the Apps from iOS Store, Managed Google Play or Create a custom Windows app (Win32) for deployment . Lets see how to add, assign, delete and monitor the apps on Microsoft Intune.

Add iOS Store Apps

I have created a step-by-step article to show you how you can add, assign, delete and monitor iOS store apps on Microsoft Intune. Please follow below article and come back to this blog post and continue to follow the rest of the configuration steps.

Add Managed Google Play store apps

I have created a step-by-step article to show you how you can add, assign, delete and monitor Managed Google Play store apps on Microsoft Intune. Please follow below article and come back to this blog post and continue to follow the rest of the configuration steps.

Setup work profile on Android devices

For creating a work profile on android devices, end user has to go through some steps for example installation of company portal app and then signing in to it and following the process there. I have created a step by step guide on how to setup work profile on android phone. Please follow below link for the same: