Initial setup of Microsoft Intune MAM/MDM

What is Microsoft Intune?

Microsoft Intune, previously known as Windows Intune, is part of Microsoft's cloud-based Mobile Device Management (MDM), Mobile Application Management (MAM) and Windows 10 PC management solution. No on-premises infrastructure is required to use this service, and it is managed from the Microsoft Intune admin center: https://intune.microsoft.com.

Intune is included in Microsoft Enterprise Mobility + Security (EMS) and integrates with Microsoft 365, Azure AD and Azure Information Protection (AIP).

Features and Benefits of Using Microsoft Intune

  • Manage Mobile Devices (Corporate and BYOD Devices).
  • Manage and Protect Applications using App Protection Policies (APP).
  • Manage Windows 10 machines.
  • Easy to use Management Portal.
  • No On-Premise Infrastructure Requirements.
  • Can be used as Intune Standalone (100% cloud) or co-manage Intune and Configuration Manager.
  • Can be used along with MDM for Office365.
  • Reporting and Logging.
  • Deploy Custom In-house Applications to Windows 10 and Mobile Devices.
  • Protection of the Apps and Users via Conditional Access Policies.
  • Integrate with Third Party Mobile Threat Defense Systems (MTD) e.g. Better Mobile, Zimperium and Lookout for Work.

License Requirements

Microsoft Intune is included in the following licenses:

  • Microsoft 365 E5
  • Microsoft 365 E3
  • Enterprise Mobility + Security E5
  • Enterprise Mobility + Security E3
  • Microsoft 365 Business
  • Microsoft 365 F3
  • Microsoft 365 Government G5
  • Microsoft 365 Government G3

Supported OS and Browsers In Intune

Before you start setting up Intune for your Client, please check the Supported OS and Browsers in Intune.

Initial Configuration

a) Sign up on the Intune portal below (you can get a 30-day free trial of Intune when you sign up).

Sign-up for Intune

Sign up for Intune Plan 1

b) Add users (create in-cloud users or sync from on-premises Active Directory using Azure AD Connect) and assign licenses.

c) Intune Admin Portal URLs

1. Configure MDM Authority

First, you must configure the mobile device management (MDM) authority. How and where you manage your devices is determined by a setting called MDM Authority. Setting the MDM Authority is a prerequisite and part of the initial configuration; it must be done before you can enroll any device into Intune.

Once you have set the MDM Authority, you can check its status as shown below:

Intune MDM Authority

2. Configure Device Enrollment

After setting up the MDM Authority, we will set up Device Enrollment. I will first go through Apple enrollment, then Android enrollment and Windows enrollment. These do not have to be done in order; you can configure enrollment of devices in any order you like. However, for the purpose of this blog post, we will configure Apple enrollment first.

2.1 Apple enrollment

Configure the Apple MDM Push Certificate, which is required to enroll Apple devices into Intune. You can refer to the step-by-step guide on How To Configure Apple MDM Push Certificate Using Intune.

2.2 Android Enrollment

To configure Android enrollment, we must first link the organization’s Google Play account to Intune. You can refer to the step-by-step guide on how to Configure Android Enrollment On Intune Admin Center.

2.3 Windows enrollment

To manage Windows devices using Intune, devices must first be enrolled into Intune. Both personally owned and corporate-owned devices can be enrolled. Let’s check the steps:

Steps to configure Windows enrollment

CNAME Validation

You will see many options on the Windows enrollment page. One of the options is CNAME Validation. To simplify the enrollment process, create a CNAME record in the domain’s external DNS server. This will redirect enrollment requests to Intune servers. Otherwise, users trying to connect to Intune must enter the Intune server name during enrollment.

We will log in to our domain registrar, where the DNS zone is also hosted and managed, and create the CNAME record below:

Type  | Name                                | Points to                                   | TTL
CNAME | enterpriseenrollment.cloudinfra.net | enterpriseenrollment-s.manage.microsoft.com | 3600

Screenshot from DNS Zone Editor:

Windows Enrollment - CNAME Record

Once you add this record to your DNS zone, DNS propagation may take up to 24 hours. After this, go back to the Microsoft Intune admin center -> Devices -> Enroll Devices -> Windows enrollment -> CNAME Validation, enter your domain name and click Test to validate. If you get an error, it may be because the DNS CNAME record has not propagated yet; please wait for a couple of hours and try again. It should show a green tick with a message saying CNAME for <domain name> is configured correctly.

Important
If the company uses more than one UPN suffix, you need to create one CNAME for each domain name and point each one to EnterpriseEnrollment-s.manage.microsoft.com.
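
As an added example (not part of the original post and not Microsoft tooling), the Python below audits exported DNS zone text for the enrollment CNAME across every UPN suffix, which is the situation the note above describes. It assumes BIND-style zone lines that each carry their owner name; `example.org`, `example.com` and the sample records are constructed.

```python
# Added example: audit exported zone text for the Intune enrollment CNAME.
# Assumes BIND-style lines that each carry an owner name; sample data is constructed.
EXPECTED = "enterpriseenrollment-s.manage.microsoft.com"
LABEL = "enterpriseenrollment"

def fqdn(name, origin):
    """'@' is the origin, a trailing dot means absolute, else relative to origin."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".")
    return f"{name}.{origin}"


def parse_cnames(zone_text, origin):
    """Return {owner: target} for 'name [ttl] [IN] CNAME target' lines."""
    origin = origin.lower().rstrip(".")
    records = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if "CNAME" not in [f.upper() for f in fields[1:-1]]:
            continue
        records[fqdn(fields[0], origin)] = fqdn(fields[-1], origin)
    return records


def audit(upn_suffixes, zones):
    """zones maps domain -> zone text; returns {suffix: 'ok' | 'missing' | 'wrong target: ...'}."""
    report = {}
    for suffix in upn_suffixes:
        suffix = suffix.lower()
        target = parse_cnames(zones.get(suffix, ""), suffix).get(f"{LABEL}.{suffix}")
        if target is None:
            report[suffix] = "missing"  # not created yet, or created in another zone
        elif target == EXPECTED:
            report[suffix] = "ok"
        else:
            report[suffix] = f"wrong target: {target}"
    return report

SAMPLE_ZONES = {  # constructed; the second target lacks its trailing dot
    "cloudinfra.net": "enterpriseenrollment 3600 IN CNAME enterpriseenrollment-s.manage.microsoft.com.",
    "example.org": "enterpriseenrollment 3600 IN CNAME EnterpriseEnrollment-s.manage.microsoft.com",
}

if __name__ == "__main__":
    for domain, status in audit(["cloudinfra.net", "example.org", "example.com"], SAMPLE_ZONES).items():
        print(f"{domain}: {status}")
```

In BIND syntax a target written without its trailing dot is relative to the zone origin, so the `example.org` record points under `example.org` and is reported as a wrong target, while `example.com` has no record at all and is reported as missing.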
CNAME Validation Intune

Automatic enrollment

After a device joins or registers with Azure AD, it will be enrolled into Intune automatically. To configure Automatic Enrollment, please follow below steps:

Intune Windows Enrollment Automatic Enrollment

Configure the MDM user scope and/or the MAM user scope. Please note that these settings apply only to Windows 10/11 devices and are not applicable to iOS and Android devices.

  • None – MDM automatic enrollment disabled.
  • Some – Select the Groups that can automatically enroll their Windows 10 devices
  • All – All users can automatically enroll their Windows 10 devices

The screenshot below shows the MDM user scope set to All and the MAM user scope set to None, which means that only corporate-owned devices will be automatically enrolled into Intune. Please visit the URL to identify the devices as corporate-owned.

If you are starting with test users for Windows MDM enrollment, select Some and provide test user group.

Intune MDM User Scope and MAM User Scope

3. Enrollment Restrictions

You can restrict devices from enrolling into Intune based on platform, OS version, personal ownership, etc. by using an enrollment restriction policy in Intune. To configure an enrollment restriction policy, follow the steps below:

On the Enrollment restrictions page, you will see a default policy already created for you, which is applied to All Users. You can either modify the existing default policy or create a new one. We are going to create a new enrollment restriction policy called CloudInfra – Device Access Policy – MDM that will block enrollment of personally owned devices (BYOD devices) into Intune (except Android Enterprise Work Profile) and allow only corporate devices.

How a device is classified as Corporate Device in Intune
At the time of enrollment, Intune automatically assigns corporate-owned status to devices that are:

>> Enrolled with a device enrollment manager account (all platforms)
>> Enrolled with the Apple Device Enrollment Program, Apple School Manager, or Apple Configurator (iOS/iPadOS only)
>> Identified as corporate-owned before enrollment with an international mobile equipment identifier (IMEI) numbers (all platforms with IMEI numbers) or serial number (iOS/iPadOS and Android)
>> Joined to Azure Active Directory with work or school credentials. Devices that are Azure Active Directory registered will be marked as personal.
>> Set as corporate in the device’s properties list

After enrollment, you can change the ownership setting between Personal and Corporate.
Source: Microsoft

Let’s create an Enrollment Restriction Policy.

Create a new Device type restriction policy by going to Devices -> Enroll Devices -> Enrollment restrictions -> Create restriction -> Device type restriction.

Provide a Name and Description to the Policy.

Cloudinfra - Device Access Policy - MDM

In the Platform settings tab, select the platforms which you want to allow / manage with Intune, along with the minimum and maximum OS version.

  • Android Personally owned devices – Set this to Allow for BYOD Android device enrollment using Android work profile. If no Android devices are used in your organization, you can select Block. See Introduction to Android Work Profile.
  • iOS/iPadOS – Set this to Block to block the enrollment of BYOD iOS devices. Only application management is required for iOS/iPad devices, using MAM / App protection policies.
  • macOS, Windows (MDM) – Set this to Block. It is recommended not to allow personal macOS and Windows devices to be joined to Azure. When this setting is blocked, there are still certain ways in which you can enroll a Windows or macOS device, for example Autopilot for Windows, device enrollment managers for Mac, etc.
Enrollment Restrictions - Cloudinfra.net
Enrollment Restriction Policy

4. Create Device Compliance Policy

Create one device compliance policy for each platform: Android, iOS, macOS and Windows. Assign it to either devices or users based on the enrollment of devices. For example, for managed Windows devices, you can create a dynamic group which contains all Windows OS devices and assign a device compliance policy to this group.

Log in to the Microsoft Intune admin center > Devices > Compliance Policies

Device Compliance Policy Intune

You can go through compliance policy for each platform and customize the settings as per your requirement.

Device Compliance Policy Intune

5. Create Device Configuration Profiles

You can create device configuration profiles to make configuration changes on Intune-managed devices. Below are some examples of device configuration profiles:

Microsoft Intune Manager admin center -> Click on Devices -> Configuration Profiles

6. Create App Protection Policies

App protection policies are created to protect applications and the organization data within those apps. They are part of Intune Mobile Application Management (MAM). You can create an app protection policy for iOS, Android and Windows devices.

Some of the use cases of App protection policies:

  • Block copy and paste to and from organization-managed apps.
  • Set a PIN for managed apps, etc.

To create an app protection policy, log in to the Microsoft Intune admin center -> Apps -> App Protection policies.

As you can see in the screenshot below, I have created two app protection policies, one for Android and one for iOS. Please go through each setting of the app protection policies for each platform and configure it as per your organizational requirements. Once the policies are created, assign them to an Azure AD group containing all MAM users.

App Protection Policies Intune

7. Customization Policy / Company Branding

You can customize the end-user experience by changing the appearance of the Company Portal: include your company logo, theme color and theme background, and provide contact information such as your helpdesk number and company website.

Log in to the Microsoft Intune admin center > Tenant administration > Customization. There is a default policy which exists out of the box; you can modify this policy but cannot delete it. As you can see in the screenshot below, I have modified the theme color, uploaded the company logo and added support information.

Customization Policy / Company Branding Intune

For customization configuration and best practices, you can check the following article on the Microsoft website: https://docs.microsoft.com/en-us/mem/intune/apps/company-portal-app#customizing-the-user-experience

8. Add Applications to Microsoft Intune

To deploy and manage applications using Microsoft Intune, you first need to add the application and then assign it to users via an Azure AD security group. You can add apps from the iOS Store or Managed Google Play, or create a custom Windows app (Win32) for deployment. Let’s see how to add, assign, delete and monitor apps in Microsoft Intune.

8.1 Add iOS Store Apps

You can add iOS Store apps and manage them from the Intune admin center. Here’s a step-by-step guide which will show you How To Manage IOS Store Apps Using Intune.

8.2 Add Managed Google Play store apps

You can add Google Play store apps and manage them from the Intune admin center. Here’s a step-by-step guide which will show you How To Manage Google Play Store Apps Using Intune.

9. Setup work profile on Android devices

Work Profile is a great way to manage BYOD Android devices. Here’s a step-by-step guide which will show you How To Setup Work Profile On An Android Phone.

10. How to Enroll macOS devices into Intune

You can easily enroll BYOD / personally owned macOS devices into Intune. This requires installing the Company Portal app on macOS first. Here’s a step-by-step guide on How To Enroll MacOS In Intune.

Conclusion

In this blog post, we have seen the initial setup of Intune from scratch. All the policies and configuration profiles are customizable according to your requirements. Make sure to test all the policies on a couple of devices. I hope your setup goes smoothly without any issues. But if there are any issues, you can check my other blog posts on macOS enrollment Issues and macOS troubleshooting.
