In this post I want to go through some steps that I think is quickest method to get started with Microsoft Endpoint Manager. This will not cover ALL the features but it will give you an quickstart to the service.
For instance, what shold you start with?
To be honest, start with something easy and creates quick ROI (Return of investment) and that could be more than just how to get my money back – rather it could mean that your infrastructure is getting more secure.
So to start with something “easy” let`s kick it of with mobile devices. Many companies does not have any Mobile device management in place and their Cloud services is available for EVERYONE to attache to. So let`s start with demanding compliant devices and closing the door for others!
Requirements:
Microsoft 365 E3 / E5
or
EMS E3 / E5
or
Intune licenses
Devices
Android devices will work straight “out of the box” with Intune but to be able to join iOS/iPadOS Devices to Intune we need to generate and apply a “Apple MDM Push certificate”.
Let`s start with the Certificate for Apple devices (this certificate is also needed for MacOS devices). The only thing you need here is an Apple ID and follow the guide from “Devices -> iOS enrollment -> Apple MDM Push Certificate”. When this is in plnace we can procede.
When it`s created you have a valid Certificate for the next 365 days. That means that you need to remind your self to renew the certificate every year! When the certificate expires your intune services will stop against Apple devices.
So what is a compliant device?
A compliant device is a device registred to Intune and has passed the Compliance policy that you have created.
The policy can contain several “settings” that must be enabled or set on your device for it to be marked as “Compliant Device”. For iOS/iPadOS we have at the moment (04.04.2020) 17 settings we can check to validate the device and for Android 19 settings (04.04.2020).
Here is a simple set of compliant device policies for Android and iOS.
iOS/iPadOS Comliance.
Navigate to “Devices -> iOS -> Compliance policies” and create a new policy. Give it a name, set some settings and click create. In this policy i have just put on two settings, “block Jailbroken devices” and “Require password to unlock device”
Hit Create and go to “Assignments”, in this menu we will assign the policy to all users so that everyone that tries to enroll their device will get the policy. (this is the same step for both iOS and Android).
Android Compliance
Navigate to “Devices -> Android -> Compliance policies” and create a new policy. Give it a name, set some settings and click create. In this policy i have just put on two settings, “block Rooted devices” and “Require password to unlock device”
And like the iOS policy we need to assign it to all users, so head in to Assignents after creating the policy and assign it to all users.
Block devices that are not compliant
To block users from connecting with other devices we will use Conditional Access to prevent devices that are not enrolled in your organization. The policy is created from the Microsoft Endpoint Manager portal under “Endpoint security -> Conditional Access. Create a new policy and name it “Require compliant devices”
The policy looks like this and will of course not block the Intune enrollment portal 😊
- Users and groups
- Include all users and create exclution for users you want to exclude from the policy
- Cloud Apps or actions
- Include “All cloud apps” and click on “Exclude” and search after “Microsoft Intune Enrollment”
- Conditions
- Device platforms, configure it and choose Android and iOS from the list.
- Access controls
- Grant access and choose “Require device to be marked as compliant”
Now you can enroll your first device, i`ll show it with an iPad her, but first you need to downlod the Company Portal to your iPad.
Then you stat the application and sign in – then starts the enrollment of the device.
Sign-in
setup device
Apply profile
Enrolled!
When that`s completed the device is registred in the Device pane in Microsoft Endpoint Manager Admin Center and you`ll see complance status on it.
That`s it! Now you have a new requirement for all users, they need to enroll their devices (mobile devices) within Microsoft Endpoint Manager to gain access to cloud resources!
Until next time – stay safe and secure!
