Initial setup of Microsoft Intune MAM/MDM

Initial setup of Microsoft Intune MAM/MDM

---

Microsoft Intune, previously known as Windows Intune, is a part of Microsoft Cloud-based Mobile Device Management (MDM), Mobile Application Management (MAM), and Windows PC Management Solution. No on-premise infrastructure is required for using this service from Microsoft, and it can be easily managed using Microsoft Intune’s admin center URL: https://intune.microsoft.com.

Intune is included in Microsoft Enterprise Mobility + Security (EMS) and Integrates with Microsoft 365, Entra ID, and Azure Information Protection (AIP).

Features and Benefits of Using Microsoft Intune

• Manage Mobile Devices (Corporate and BYOD Devices).
• Manage and Protect Applications using App Protection Policies (APP).
• Manage Windows 10/11, MacOS, and Linux devices.
• No On-Premise Infrastructure Requirements.
• It can be used as an Intune Standalone (100% cloud) or co-manage Intune and Configuration Manager.
• It can be used along with MDM for Microsoft 365.
• Reporting and Logging.
• Deploy Custom In-house Applications to Windows 10/11 and Mobile Devices.
• Protection of the Apps and Users via Conditional Access Policies.
• Integrate with Third Party Mobile Threat Defense Systems (MTD), e.g., Better Mobile, Zimperium, and Lookout for Work.

License Requirements

Microsoft Intune is included in the following licenses:

►Microsoft 365 E5    ► Microsoft 365 E3    ►Enterprise Mobility + Security E5    ► Enterprise Mobility + Security E3    ►Microsoft 365 Business     ►Microsoft 365 F3     ►Microsoft 365 Government G5    ►Microsoft 365 Government G3

Supported OS and Browsers In Intune

Before setting up Intune for your Client, please check the Supported OS and Browsers in Intune.

1. Sign up for Intune

Sign up On the below Intune Portal (you can get a 30-day free trial of Intune when you sign up) Sign-up for Intune.

• Add-Users (Create In-Cloud Users or Sync from On-Premise Active Directory using Azure AD Connect) and Assign Licenses.

• Intune Admin Portal URL(s):
  • Microsoft Intune admin center (https://intune.microsoft.com).
  • https://intuneeducation.portal.azure.com/ (Intune for Education)

2. Configure MDM Authority

First, you must configure mobile device management (MDM) authority. A setting called MDM Authority determines how and where you manage your devices. It is a pre-requisite and a part of the initial configuration to set the MDM Authority before you can enroll any device to Intune.

• Sign in to the Intune admin center.
• Select Tenant Administration -> MDM Authority to set the MDM Authority to Microsoft Intune.

Once you have set the MDM Authority, you can check its status as shown below:

3. Configure Device Enrollment

After setting up MDM Authority, you can setup Device Enrollment. I will first go through the Apple enrollment process, Android enrollment, and Windows enrollment.

These do not have to be in order; you can configure enrollment of devices in any order you like. However, for this configuration, we will start with Apple enrollment first.

3.1 – Apple enrollment

Configure Apple MDM Push Certificate to enroll Apple devices into Intune. You can refer to the step-by-step guide on Create Apple MDM Push Certificate for Intune.

3.2 – Android Enrollment

For the configuration of Android Enrollment, we must first link organization’s Google Play account to Intune. You can refer to the step-by-step guide on configuring Android Enrollment On Intune Admin Center.

3.3 – Windows enrollment

To manage Windows devices using Intune, devices must first be enrolled into Intune. Both personally-owned and corporate-owned devices can be enrolled. Let’s check the steps:

CNAME Validation

• Sign in to the Intune admin center.
• Go to Devices > Enrollment > Windows.
• Click on CNAME Validation under Enrollment options.

• Sign in to your domain’s DNS server (External) and create below CNAME record. It will redirect enrollment requests to Intune servers. If you do not configure CNAME Validation, users trying to connect their devices to Intune must enter Intune server name during enrollment.

Type	Name	Points to	TTL
CNAME	enterpriseenrollment.cloudinfra.net	enterpriseenrollment-s.manage.microsoft.com	3600

• Below screenshot shows a CNAME record entry created on one of the DNS servers for CNAME Validation.

• After you add a CNAME record to your DNS server, DNS Propagation may take up to 24 hours.

• Go to Intune Admin Center > Devices > Enrollment > Windows > CNAME Validation, Enter your domain name, and click Test to validate.

• If you get an error, it could be because the DNS CNAME record has not been propagated yet; wait for a couple of hours and try again. It should show a Green tick with a message saying CNAME for <domain name> is configured correctly.

Important
If the company uses more than one UPN suffix, you need to create one CNAME for each domain name and point each to EnterpriseEnrollment-s.manage.microsoft.com.

Configure Automatic Enrollment

To configure Automatic enrollment of Entra joined devices into Intune, follow below steps:

• Sign in to the Intune admin center.
• Go to Devices > Enrollment > Windows > Automatic Enrollment.

• Configure MDM User scope and Windows Information Protection (WIP) user scope. [Applies to Windows 10/11 devices only].

Configure MDM User Scope: Specify which users devices should be managed by Intune. These Windows 10/11 devices can automatically enroll for management with Microsoft Intune. Select All.

• None – MDM automatic enrollment disabled.
• Some – To enable automatic enrollment of devices of an Entra ID group.
• All -All Windows 10/11 devices will be automatically enrolled into Intune.

Configure Windows Information Protection (WIP) user scope: None

For more Information on Automatic Enrollment: https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-enroll#enable-windows-automatic-enrollment

4. Configure Enrollment Restrictions

You can control which devices can enroll in Intune by setting up device enrollment restrictions. There are two main types of restrictions you can configure:

1. Device platform restrictions: These limit device enrollment based on factors like the device platform (e.g., iOS, Android), its version, manufacturer, or ownership type (personal or corporate).
2. Device limit restrictions: With these, you can restrict the number of devices a user can enroll in Intune.

• Sign in to the Intune admin center.
• Go to Devices > Enrollment > Device platform restriction.

You’ll find a default policy already there when you go to the Device Platform restrictions page. This policy applies to All users. You can change this default policy or create a new one if needed.

We will modify and configure the default policy according to the business requirements. Overall, we will be blocking iOS, macOS and Windows Personal devices, Only Corporate devices will be allowed.

You can also create a custom device platform restriction policy for each platform and assign it to All users. To create a custom device platform restriction policy, Go to Intune admin center > Devices > Enrollment > Device type restriction > Create restriction.

How a device is classified as Corporate Device in Intune
At the time of enrollment, Intune automatically assigns corporate-owned status to devices that are: >> Enrolled with a device enrollment manager account (all platforms) >> Enrolled with the Apple Device Enrollment Program, Apple School Manager, or Apple Configurator (iOS/iPadOS only) >> Identified as corporate-owned before enrollment with an international mobile equipment identifier (IMEI) numbers (all platforms with IMEI numbers) or serial number (iOS/iPadOS and Android) >> Joined to Entra ID with work or school credentials. Devices that are Entra registered will be marked as personal. >> Set as corporate in the device’s properties list. After enrollment, you can change the ownership setting between Personal and Corporate.
Source: Microsoft

Modify the Existing Default Device platform restriction policy

Go to Intune admin center > Devices > Enrollment > Device type restriction > Click on All Users to open Default policy settings.

• Click on Properties and then click Edit next to Platform settings.

• Android Enterprise (work profile) – You can Allow or Block Android platform device enrollment based on your organization’s requirements. If your organization does not use any Android device (personal and corporate), then block this platform.
  • If you Allow Personally owned Android devices, you can create a Work profile and manage the work app/approved apps. For more information, refer to the link: Introduction to Android Work Profile.

• Android device administrator – It’s a legacy way of managing Android devices. Google has deprecated Android device administrator management in 2020, and Intune will end support for device administrator devices with access to Google Mobile Services at the end of 2024. I would recommend keeping it blocked.

• iOS/iPadOS – Similar to the Android platform, If you want to Allow iOS/iPadOS device enrollment, then select Allow. If you do not want Personal iOS/iPadOS device enrollment, select Block under the Personally owned column.

• macOS – Allow or Block the macOS device platform. Under the Personally Owned column, if you select Block, the enrollment of personally owned Mac devices will be blocked into Intune.

• Windows (MDM) – Allow this platform and select Block under the Personally owned column. This will ensure that only company-owned devices are enrolled in Intune. I provided an overview of how a device is classified as company-owned earlier. You can also refer to the link here for more details: corporate-identifiers-add

5. Create a Device Compliance Policy

Create a Device compliance policy for each platform: Android, iOS, macOS, and Windows. Follow below steps to create a Device compliance policy:

• Sign in to the Intune admin center > Devices > Compliance Policies.

• Click on Create policy and configure a policy for all platforms.

6. Create Device Configuration Profile

You can create a device configuration profile to make changes to device settings and configure certain features on managed devices. You can use available Templates or Settings Catalog to configure and deploy device settings via the Intune admin center.

To create a device configuration profile. Sign in to the Intune admin center > Devices > Configuration > Create > New Policy. I have created several blog posts to configure various settings on Windows and macOS devices. You can refer to any blog posts below to understand the process step-by-step.

• How To Set Desktop And Lock Screen Wallpaper Using Intune.
• How To Set Desktop Wallpaper On MacOS Using Intune.
• How To Configure Time Zone Using Intune.

7. Create App Protection Policies (For MAM/BYOD devices)

You can create App protection policies for BYOD devices to manage applications and protect the organization’s data. Some of the use cases of App protection policies are:

• Block Copy and paste to and from the organization-managed app. For Example: Outlook, Teams etc.
• Set a PIN for managed App.

To create an App protection policy, Go to Intune admin center > Apps > App Protection policies > Create policy. You can create an App protection policy for each platform and Include the apps you want to protect on BYOD devices.

8. Company Branding

You can personalize the user experience by adjusting the look of the company portal. This includes adding your company’s logo, choosing a theme color, setting a background, and providing contact details for your helpdesk and company website.

To configure the Customization policy, follow below steps:

• Sign in to Intune admin center > Tenant administration > Customization.
• There’s a default policy that comes pre-configured and can’t be removed, but you can make changes to it. The screenshot below shows that I’ve adjusted the theme color, added the company logo, and included support information.

For more details on customizing and best practices, refer to the following article on the Microsoft website: Link to Microsoft Article.

9. Add Applications to Intune

You can add apps from the iOS Store, Managed Google Play, or create custom Windows apps (Win32) for deployment. Let’s look at how to add, assign, delete, and monitor apps in Microsoft Intune. Below are some application deployment examples:

• Deploy Bitwarden App on Windows using Intune.
• Deploy Citrix Workspace App on macOS using Intune.

9.1 Add iOS Store Apps

You can include iOS Store apps and manage them through the Intune admin center. Follow this step-by-step guide to learn how to manage iOS Store apps using Intune.

9.2 Add Managed Google Play Store apps

You can integrate and manage Google Play Store apps through the Intune admin center. Here’s a step-by-step guide to help you manage Google Play Store apps using Intune.

10. Setup Work profile on Android devices

Setting up a Work Profile effectively manages Bring Your Own Device (BYOD) Android devices. Follow this step-by-step guide to learn how to set up a Work Profile on an Android phone.

11. Enroll macOS devices into Intune

You can enroll macOS devices owned by users (BYOD) into Intune with ease. This process begins with installing the company portal app on the macOS. Here’s a step-by-step guide on how to enroll macOS devices in Intune.

12. macOS Enrollment Issues

If you encounter any problems during macOS enrollment, refer to my blog posts that address macOS enrollment issues and macOS Intune Logs collection.

Conclusion

In this blog post, we covered the initial setup of Intune from the ground up. All the policies and configuration settings can be tailored to your specific needs. It’s essential to test these policies on a few devices. I hope your setup goes smoothly without any problems.