Initial setup of Microsoft Intune MAM/MDM

What is Microsoft Intune?

Microsoft Intune which was previously known as Windows Intune is a part of Microsoft Cloud-based Mobile device Management (MDM), Mobile Application Management (MAM), and Windows PC Management Solution. No on-premise Infrastructure is required for using this service from Microsoft and it can be easily managed using Microsoft Intune admin center URL: https://intune.microsoft.com.

Intune is included in Microsoft Enterprise Mobility + Security (EMS) and Integrates with Microsoft 365, Azure AD, and Azure Information Protection (AIP).

Features and Benefits of Using Microsoft Intune

  • Manage Mobile Devices (Corporate and BYOD Devices).
  • Manage and Protect Applications using App Protection Policies (APP).
  • Manage Windows 10 machines.
  • Easy to use Management Portal.
  • No On-Premise Infrastructure Requirements.
  • Can be used as an Intune Standalone (100% cloud) or co-manage Intune and Configuration Manager.
  • Can be used along with MDM for Microsoft 365.
  • Reporting and Logging.
  • Deploy Custom In-house Applications to Windows 10/11 and Mobile Devices.
  • Protection of the Apps and Users via Conditional Access Policies.
  • Integrate with Third Party Mobile Threat Defense Systems (MTD) e.g. Better Mobile, Zimperium and Lookout for Work.

License Requirements

Microsoft Intune is included in the following licenses:

Microsoft 365 E5    ► Microsoft 365 E3    ►Enterprise Mobility + Security E5    ► Enterprise Mobility + Security E3    ►Microsoft 365 Business     ►Microsoft 365 F3     ►Microsoft 365 Government G5    ►Microsoft 365 Government G3

Supported OS and Browsers In Intune

Before you start setting up Intune for your Client, please check the Supported OS and Browsers in Intune.

STEP 1 – Initial Configuration

a) Sign up On the below Intune Portal (you can get 30-day free trial of Intune when you sign up)

Sign-up for Intune

Sign up for Intune Plan 1
Sign up for Intune Plan 1

b) Add-Users (Create In-Cloud Users or Sync from On-Premise Active Directory using Azure AD Connect) and Assign Licenses.

c) Intune Admin Portal URLs

STEP 2 – Configure MDM Authority

First, you must configure mobile device management (MDM) authority. How and where you manage your devices is determined by a setting called MDM Authority. It is a pre-requisite and a part of the initial configuration to set the MDM Authority before you can enroll any device to Intune.

Once you have set the MDM Authority, you can check its status as shown below:

Intune MDM Authority

STEP 3 – Configure Device Enrollment

After setting up MDM Authority, you can setup Device Enrollment. I will first go through the Apple enrollment process then Android enrollment and Windows enrollment.

These do not have to be in order, you can configure enrollment of devices in any order you like. However, for this configuration, we will start with Apple enrollment first.

STEP 3.1 – Apple enrollment

Configure Apple MDM Push Certificate which is required to enroll Apple devices into Intune. You can refer to the step-by-step guide on How To Configure Apple MDM Push Certificate Using Intune.

STEP 3.2 – Android Enrollment

For the configuration of Android Enrollment, we must first link organization’s Google Play account to Intune. You can refer to the step-by-step guide on how to Configure Android Enrollment On Intune Admin Center.

STEP 3.3 – Windows enrollment

To manage Windows devices using Intune, devices must first be enrolled into Intune. Both personally-owned and corporate-owned devices can be enrolled. Let’s check the steps:

1. CNAME Validation

Automatic Enrollment
Automatic Enrollment
  • Login on your domain’s DNS server (External) and create below CNAME record. It will redirect enrollment requests to Intune servers. If you do not configure CNAME Validation, users trying to connect their devices to Intune must enter Intune server name during enrollment.
TypeNamePoints toTTL
CNAMEenterpriseenrollment.cloudinfra.netenterpriseenrollment-s.manage.microsoft.com
3600

Below screenshot shows a CNAME record entry created on one of the DNS servers for CNAME Validation.

Windows Enrollment - CNAME Record
  • After you add a CNAME record on your DNS server, it may take up to 24 hours for DNS Propagation.
  • Go to Microsoft Intune Admin Center > Devices > Enroll Devices > Windows enrollment > CNAME Validation, Enter your domain name, and click Test to validate.
  • If you get an error, it may be because the DNS CNAME record has not been propagated yet, Please wait for a couple of hours and try again. It should show a Green tick with a message saying CNAME for <domain name> is configured correctly.
Important
If the company uses more than one UPN suffix, you need to create one CNAME for each domain name and point each one to EnterpriseEnrollment-s.manage.microsoft.com.
CNAME Validation Intune

2. Configure Automatic Enrollment

To configure Automatic enrollment of Azure AD joined or Azure AD registered Windows devices into Intune, follow below steps:

Intune Windows Enrollment Automatic Enrollment
  • Configure MDM User scope and Windows Information Protection (WIP) user scope. [Applies to Windows 10/11 devices only].

Configure MDM User Scope: Specify which users’ devices should be managed by Microsoft Intune. These Windows 10/11 devices can automatically enroll for management with Microsoft Intune. Select All.

  • None – MDM automatic enrollment disabled.
  • Some – To enable automatic enrollment of devices of an Azure AD group.
  • All -All Windows 10/11 devices will be automatically enrolled into Intune.

Configure Windows Information Protection (WIP) user scope: None

For more Information on Automatic Enrollment: https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-enroll#enable-windows-automatic-enrollment
Configure MDM User Scope

STEP 4 – Configure Enrollment Restrictions

You can control which devices can enroll in Intune by setting up device enrollment restrictions in Microsoft Intune. There are two main types of restrictions you can configure:

  1. Device platform restrictions: These let you limit device enrollment based on factors like the device platform (e.g., iOS, Android), its version, manufacturer, or ownership type (personal or corporate).
  2. Device limit restrictions: With these, you can restrict the number of devices a user is allowed to enroll in Intune.

When you go to the Enrollment Restrictions page, you’ll find a default policy already there. This policy applies to all users by default. You can either change this existing policy or create a new one if needed.

We’re creating a rule called “CloudInfra – Device Access Policy – MDM.” This rule will stop regular personal devices from joining Intune, except for Android work-related ones. Only Corporate devices will be allowed.

How a device is classified as Corporate Device in Intune
At the time of enrollment, Intune automatically assigns corporate-owned status to devices that are:

>> Enrolled with a device enrollment manager account (all platforms)
>> Enrolled with the Apple Device Enrollment ProgramApple School Manager, or Apple Configurator (iOS/iPadOS only)
>> Identified as corporate-owned before enrollment with an international mobile equipment identifier (IMEI) numbers (all platforms with IMEI numbers) or serial number (iOS/iPadOS and Android)
>> Joined to Azure Active Directory with work or school credentials. Devices that are Azure Active Directory registered will be marked as personal.
>> Set as corporate in the device’s properties list

After enrollment, you can change the ownership setting between Personal and Corporate.
Source:Microsoft

Let’s check the steps to create an Enrollment Restriction Policy.

  • Create a new Device type restriction policy by going to Devices > Enroll Devices > Enrollment restrictions > Create restriction > Device type restriction.
  • Provide a Name and Description of the Policy.
Device type restriction policy
Device type restriction policy
  • In Platform settings tab, Allow/block platforms and versions.
  • Android Personally owned devices – Select Allow for Android BYOD devices. This will allow you to create an Android work profile on the devices for enrollment. If your organization doesn’t use Android devices, you can choose “Block.” For more Info about Android work profile, please refer to: Introduction to Android Work Profile
  • iOS/iPadOS Personally owned devices– Select “Block” to block the Enrollment of BYOD iOS devices. You can still manage applications on iOS devices by creating App protection policies. This feature is also referred to as Mobile Application Management (MAM).
  • macOS, Windows (MDM) Personally owned devices– Select “Block”. This will make sure that only company-owned devices are enrolled in Intune. I provided an overview of how a device is classified as company-owned earlier. You can also refer to the link here for more details: corporate-identifiers-add
Configure Enrollment Restrictions
Configure Enrollment Restrictions
Configure Enrollment Restrictions
Configure Enrollment Restrictions

STEP 5 – Create a Device Compliance Policy

Create a Device compliance policy for each of the following platforms: Android, iOS, macOS and Windows. Follow below steps to create a Device compliance policy:

  • Login on Microsoft Intune admin center > Devices > Compliance Policies
Device Compliance Policy Intune
  • Click on Create policy and configure a policy for all platforms.
Device Compliance Policy Intune

STEP 6 – Create Device Configuration Profile

For making changes to settings and configuring certain features on managed devices, you can create a device configuration profile. You can either use available Templates or Settings Catalog to create and deploy settings to the devices via Intune admin center.

To create a device configuration profile. Login on Intune admin center > Devices > Configuration Profile > Create Profile. I have created several blog posts for configuring various settings on Windows and macOS devices. You can refer to any of below blog posts to understand the process step-by-step.

Create Device Configuration Profile
Create Device Configuration Profile

STEP 7 – Create App Protection Policies (For MAM/BYOD devices)

You can create App protection policies for BYOD devices to manage applications and protect the organization’s data. Some of the use cases of App protection policies are:

  • Block Copy and paste to and from the organization-managed app. For Example: Outlook, Teams etc.
  • Set a PIN for managed App

To create an App protection policy, Go to Microsoft Intune admin center > Apps > App Protection policies. You can create an App protection policy for each platform and Include the apps that you want to protect on BYOD devices.

App Protection Policies Intune

STEP 8 – Company Branding

You have the option to personalize the user experience by adjusting the look of the company portal. This includes adding your company’s logo, choosing a theme color, setting a background, and providing contact details for your helpdesk and company website.

To configure the Customization policy, follow below steps:

  • Sign in to Microsoft Intune admin center > Tenant administration > Customization.
  • There’s a default policy that comes pre-configured and can’t be removed, but you can make changes to it. In the screenshot below, you can see that I’ve adjusted the theme color, added the company logo, and included support information.
Company Branding
Company Branding

For more details on customizing and best practices, you can refer to the following article on the Microsoft website: Link to Microsoft Article.

STEP 9 – Add Applications to Microsoft Intune

To deploy and manage applications using Microsoft Intune, you follow a two-step process: first, you add the application, and then you assign it to users through Azure AD Security Groups.

You have the option to add apps from the iOS Store, Managed Google Play, or create custom Windows apps (Win32) for deployment. Let’s take a look at how to add, assign, delete, and monitor apps in Microsoft Intune.

9.1 Add iOS Store Apps

You can include iOS Store apps and manage them through the Intune admin center. Follow this step-by-step guide to learn how to manage iOS Store apps using Intune.

9.2 Add Managed Google Play Store apps

You can integrate Google Play Store apps and manage them through the Intune admin center. Here’s a step-by-step guide to assist you in managing Google Play Store apps using Intune.

STEP 10 – Setup work profile on Android devices

Setting up a Work Profile is an effective method for managing Bring Your Own Device (BYOD) Android devices. Follow this step-by-step guide to learn how to set up a Work Profile on an Android phone.

STEP 11 – How to Enroll macOS devices into Intune

You can enroll macOS devices owned by users (BYOD) into Intune with ease. This process begins with installing the company portal app on the macOS. Here’s a step-by-step guide on how to enroll macOS devices in Intune.

STEP 12 – macOS Enrollment Issues

If you encounter any problems during macOS enrollment, you can refer to my additional blog posts that address macOS enrollment issues and macOS Intune Logs collection.

Conclusion

In this blog post, we covered the initial setup of Intune from the ground up. All the policies and configuration settings can be tailored to your specific needs. It’s essential to test these policies on a few devices. I hope your setup goes smoothly without any problems.

Leave a Comment