Tuning into Intune, the 101
The way we work is changing fast: from notebook to tablet and phone. To give companies a good way to manage and control their company-owned (and BYOD) devices, Microsoft offers Microsoft Intune.
With Intune you can manage your devices remotely, whether they run Windows 10 (and Windows 10 Mobile), iOS or Android. You will be able to:
- Enroll devices into your organization's Intune (MDM) solution; with Autopilot or Apple DEP this can even happen automatically when the device is bought from a certified reseller
- Check devices for compliance with company policy and use the compliance state as a condition (via Conditional Access) for access to company (cloud) resources
- Apply policies to the device, such as requiring a PIN or fingerprint sign-in (Windows Hello for Business!)
- Create device configuration policies to change settings in the OS
- Deploy applications to devices: Modern (Store) apps, LOB apps (MSI, MSIX) and Win32 apps (.intunewin)
- Encrypt the data on the device with BitLocker (Windows) or the platform's built-in encryption
- Define an update policy for the devices and apps
As you can see, Intune can replace your Mobile Device Management (MDM) tool, Active Directory GPOs (including software installations) and BitLocker management.
To bridge with existing environments, Microsoft offers the Intune Connector for Active Directory, which creates the computer objects in your local Active Directory. This is required when you want to use the Hybrid Azure AD Join option in Intune (Autopilot) to join a device to an on-premises Active Directory as well.
Windows deployment lifecycle
OK so you want to deploy a Windows 10 device, what would be a recommended deployment path for this?
- We would start off with Autopilot as the preferred deployment method.
First you should allow your CSP to be (at least) an OEM PC Partner. You can do this by asking your reseller to send you a partner request from the Microsoft Partner Portal.
If you sign in as a global administrator while following the link in that request, you can accept it and the reseller will be added as an OEM PC Partner. This allows the reseller to register the hardware IDs (hardware hashes) of the devices they sell you in your Store for Business. Do check what the request grants before accepting it: a partner relationship can include delegated administration rights, which you can review afterwards under Partner relationships in the Microsoft 365 admin center.
- Then enable Store for Business to sync the devices to Intune by going to https://businessstore.microsoft.com. Go to the Manage tab, then Settings > Distribute, and choose Add management tool. Enter and select Microsoft Intune.
This will sync your devices with Intune.
- Next up is configuring Autopilot in Azure, where you create deployment profiles and look up which devices have been synced from WSfB. The profiles contain the deployment settings for the Autopilot devices, which are applied as soon as the device connects to the internet during OOBE.
When you select the user-driven mode the device is not joined until a user signs in, as opposed to self-deploying mode, which joins the device to Azure AD and enrolls it in Intune without any user interaction.
Note that Hybrid Azure AD Join requires the User-Driven method.
Device compliance lets you create policies that define the baseline a device must meet to be marked compliant (for example, BitLocker on, a minimum OS version, no jailbreak). Combined with Conditional Access, that compliance state decides whether the device is allowed to access your Azure AD-protected resources.
You will of course be able to monitor these compliance policies and also add notifications to users and selected mail groups when a device is non-compliant.
These settings will not be covered in detail in this 101 but speak for themselves when you go through them in the Azure Portal.
The main thing you will focus on is setting up device configuration profiles. There is a long list of profile types that together make up the possibilities to manage your device, from e-mail setup (Outlook) to WiFi and VPN.
I would specifically point out the option to use administrative templates, which are one-to-one copies of the settings available in Group Policy. Currently there are 111 pages (!) of options.
If you want to use ADMX files that are not in that list (for example third-party ADMX files), there is a workaround: ADMX ingestion through custom OMA-URIs, where the XML content of the ADMX file is delivered to a URI as a String value, after which the individual policies can be set through OMA-URIs as well.
PowerShell scripts are also possible, which of course hugely extends the options to deliver customized settings to a device.
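As an added example (not part of the original post, and not Microsoft's own tooling), the script below derives the custom OMA-URI entries for ADMX ingestion from an ADMX file. It uses a small constructed ADMX embedded in the script; the app name "Contoso" and the file name "ContosoApp" are placeholders. The ingestion URI and config URI formats follow the Microsoft documentation for ADMX-backed policies; the assumption that a parent category from another namespace (such as `windows:System`) is left out of the category path is mine, so verify it against the documented example for your ADMX before relying on it.

```powershell
# Added example: derive the custom OMA-URIs for ADMX ingestion from an ADMX file.
# "Contoso" (app name) and "ContosoApp" (ADMX file name) are placeholders.
$AppName     = 'Contoso'      # any label you choose; it becomes part of the URI
$SettingType = 'Policy'       # 'Policy' or 'Preference'
$FileName    = 'ContosoApp'   # the .admx file name without extension

# Constructed minimal ADMX: one category tree (ContosoApp > Security), one policy
$admxText = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="contoso" namespace="Contoso.Policies.App" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="ContosoApp" displayName="$(string.ContosoApp)" />
    <category name="Security" displayName="$(string.Security)">
      <parentCategory ref="ContosoApp" />
    </category>
  </categories>
  <policies>
    <policy name="DisableTelemetry" class="Machine" displayName="$(string.DisableTelemetry)"
            key="Software\Policies\Contoso\App" valueName="DisableTelemetry">
      <parentCategory ref="Security" />
      <supportedOn ref="windows:SUPPORTED_Windows10_0" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@

# Parse and validate: a malformed file would be rejected by the MDM client anyway
[xml] $admx = $admxText
if ($admx.DocumentElement.LocalName -ne 'policyDefinitions') { throw 'Not an ADMX document' }
$ns = New-Object System.Xml.XmlNamespaceManager($admx.NameTable)
$ns.AddNamespace('p', $admx.DocumentElement.NamespaceURI)

# Map category name -> parent category name ($null for a top-level category)
$parentOf = @{}
foreach ($c in $admx.SelectNodes('//p:categories/p:category', $ns)) {
    $parent = $c.SelectSingleNode('p:parentCategory', $ns)
    $parentOf[$c.GetAttribute('name')] = if ($parent) { $parent.GetAttribute('ref') } else { $null }
}

function Get-CategoryPath([string] $Name) {
    # Walk the parentCategory chain to the top and join it top-down with '~'.
    # Assumption: a parent from another namespace (prefix:Name) is not part of the path.
    $parts = @()
    while ($Name -and $Name -notmatch ':') {
        $parts = @($Name) + $parts
        $Name  = $parentOf[$Name]
    }
    return ($parts -join '~')
}

# 1. Ingestion entry: the whole ADMX XML as one String value
$entries = @()
$entries += [pscustomobject]@{
    Name     = "Ingest $FileName.admx"
    OmaUri   = "./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/$AppName/$SettingType/$FileName"
    DataType = 'String'
    Value    = $admx.OuterXml
}

# 2. One config entry per policy; '<enabled/>' switches the policy on,
#    policies with elements additionally need <data id="..." value="..."/>
foreach ($p in $admx.SelectNodes('//p:policies/p:policy', $ns)) {
    $policyName = $p.GetAttribute('name')
    $parentRef  = $p.SelectSingleNode('p:parentCategory', $ns).GetAttribute('ref')
    $path       = Get-CategoryPath $parentRef
    $entries += [pscustomobject]@{
        Name     = "Enable $policyName"
        OmaUri   = "./Device/Vendor/MSFT/Policy/Config/$AppName~$SettingType~$path/$policyName"
        DataType = 'String'
        Value    = '<enabled/>'
    }
}

# Paste these into Device configuration > Custom profile > OMA-URI settings
$entries | Format-List Name, OmaUri, DataType
```

With the sample file this yields the ingestion URI `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Contoso/Policy/ContosoApp` and the policy URI `./Device/Vendor/MSFT/Policy/Config/Contoso~Policy~ContosoApp~Security/DisableTelemetry`. Deploy the ingestion setting first; the policy settings only apply once the ADMX is present on the device, and the MDM diagnostics report (`mdmdiagnosticstool.exe`) shows whether they were accepted.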
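The skeleton below is an added example of a script as you would deploy it through Device configuration > PowerShell scripts; it is not from the original post. It sets the NoDriveTypeAutoRun hardening value (0xFF disables AutoRun for all drive types) and shows the two things these scripts most often get wrong: they run in the 32-bit PowerShell host unless you tick "Run script in 64-bit PowerShell host", so HKLM\SOFTWARE gets redirected to WOW6432Node, and they report success even when the change did not stick unless you verify and set a non-zero exit code. The log path is an assumption.

```powershell
# Added example: Intune PowerShell script pattern (not from the original post).
# Sets HKLM\...\Policies\Explorer\NoDriveTypeAutoRun = 0xFF and verifies it.
$LogPath = 'C:\ProgramData\Contoso\Intune-NoAutoRun.log'   # assumption: pick your own location

# Intune runs scripts in the 32-bit host by default; on a 64-bit OS the registry
# writes would land in WOW6432Node. Relaunch through sysnative to reach the real key.
if ((-not [Environment]::Is64BitProcess) -and [Environment]::Is64BitOperatingSystem) {
    $host64 = "$env:WINDIR\sysnative\WindowsPowerShell\v1.0\powershell.exe"
    & $host64 -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath
    exit $LASTEXITCODE
}

New-Item -Path (Split-Path -Parent $LogPath) -ItemType Directory -Force | Out-Null
Start-Transcript -Path $LogPath -Append | Out-Null
$exitCode = 0
try {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $name  = 'NoDriveTypeAutoRun'
    $value = 255   # 0xFF: disable AutoRun on every drive type

    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -eq $value) {
        Write-Output "$name already $value, nothing to do"
    } else {
        Set-ItemProperty -Path $key -Name $name -Value $value -Type DWord
        Write-Output "$name set to $value (was '$current')"
    }

    # Verify; a failed verification must surface as a failed script in the Intune portal
    $after = (Get-ItemProperty -Path $key -Name $name).$name
    if ($after -ne $value) { throw "Verification failed: $name is '$after'" }
}
catch {
    Write-Error $_
    $exitCode = 1
}
finally {
    Stop-Transcript | Out-Null
}
exit $exitCode
```

Intune only re-runs a script when its content changes, so the idempotent check on the current value matters: a user or another policy that flips the value back is not corrected until you ship a new version (or use a proactive remediation with a detection/remediation pair).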
The client apps section allows you to add Store for Business apps, LOB apps (MSI/MSIX or other) as well as Win32 apps (.intunewin, e.g. wrapping an exe installer).
You can then target these installations to specific users and devices or to all.
The LOB apps option is extremely useful to deploy MSI installations with custom options; the removal process is added automatically, as Intune uses msiexec /x with the MSI product code (GUID) to remove the application when needed. Aside from this option Microsoft also published two tools to make deployment easier:
- The MSIX Packaging Tool, which runs your installer in an interactive capture process and turns the result into an MSIX package that can then be deployed to users.
- The Win32 Content Prep Tool, which converts an installer together with its support files into a supported .intunewin application package.
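As an added example (not from the original post), the script below does the preparation for a Win32 app that wraps an MSI: it reads the ProductCode out of the MSI, so you can fill in the uninstall command and the detection rule without guessing, and then calls the Win32 Content Prep Tool to build the .intunewin package. The folder and file names are assumptions; the tool's `-c`, `-s`, `-o` and `-q` switches are its documented options. Reading the ProductCode uses the WindowsInstaller.Installer COM object, so it runs on Windows only.

```powershell
# Added example: prepare an MSI for deployment as a Win32 app (not from the original post).
param(
    [string] $SourceFolder = 'C:\Packages\ContosoAgent',      # assumption: folder with the MSI and support files
    [string] $SetupFile    = 'ContosoAgent.msi',              # assumption
    [string] $OutputFolder = 'C:\Packages\out',               # assumption
    [string] $PrepTool     = 'C:\Tools\IntuneWinAppUtil.exe'  # assumption: where you put the Content Prep Tool
)

function Get-MsiProductCode([string] $MsiPath) {
    # Query the Property table of the MSI through the Windows Installer COM object
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($MsiPath, 0))
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db,
                                       @("SELECT Value FROM Property WHERE Property = 'ProductCode'"))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $record = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    $code = $record.GetType().InvokeMember('StringData', 'GetProperty', $null, $record, @(1))
    $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null) | Out-Null
    return $code
}

$msi = Join-Path $SourceFolder $SetupFile
if (-not (Test-Path $msi)) { throw "MSI not found: $msi" }
$productCode = Get-MsiProductCode $msi
if ($productCode -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { throw "No valid ProductCode found in $msi" }

# The values to enter on the Win32 app in Intune. The verbose log makes a failed
# install on a device diagnosable without reproducing it.
$installCmd   = "msiexec /i `"$SetupFile`" /qn /norestart /l*v %ProgramData%\ContosoAgent-install.log"
$uninstallCmd = "msiexec /x $productCode /qn /norestart"
Write-Output "Install command:   $installCmd"
Write-Output "Uninstall command: $uninstallCmd"
Write-Output "Detection rule:    MSI, product code $productCode"

# Build the package: -c source folder, -s setup file, -o output folder, -q quiet (no prompts)
& $PrepTool -c $SourceFolder -s $SetupFile -o $OutputFolder -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil failed with exit code $LASTEXITCODE" }
$package = Join-Path $OutputFolder ([IO.Path]::ChangeExtension($SetupFile, '.intunewin'))
Write-Output "Package written to $package"
```

Using the MSI product code as the detection rule (rather than a file or registry check you maintain by hand) means Intune's detection and the uninstall command are tied to the same identifier, so a new MSI version with a new ProductCode cannot silently leave the old detection rule in place.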
The last step would be to wipe the device in case it gets stolen or reset it via the Wipe, Fresh Start or Autopilot Reset options which are all possible in the Devices pane.
As you can see Intune is a complete management tool for your devices and a great way to make the setup process for your employees workspace a completely effortless task!