Microsoft Intune in the Azure portal...your Android for Work binding. If you forget what account you used, you can view it in the Intune admin page on the device enrollment > Android

MS Intune Overview Gokulnath sccmgeekblog.wordpress.com Twitter @gokularvind05

1

Microsoft Intune in the Azure portal First Look


2

Table of Contents

Approving the Company Portal app for Android for Work device management ......................................... 3

How to approve the Company Portal app ................................................................................................ 4

Error Page: ................................................................................................................................................ 6

Cause .................................................................................................................................................... 6

Resolution ............................................................................................................................................ 6

Android for Work devices ........................................................................................................................... 10

Create terms and conditions ....................................................................................................................... 18

Device End ............................................................................................................................................... 20

Device Enrollment Manager Scenario ........................................................................................................ 20

Deploy a new App ....................................................................................................................................... 24

How to add Android line-of-business (LOB) apps to Microsoft Intune....................................................... 29

Device End:.............................................................................................................................................. 31

App protection policies, .............................................................................................................................. 32

Dynamic Group Membership in Azure Active Directory ............................................................................. 36

RBAC With Intune: ...................................................................................................................................... 39

Intune Mobile Policy Trigger ....................................................................................................................... 40

How to Configure Intune Company Portal Branding .................................................................................. 42

Android oreo With Intune ........................................................................................................................... 44

Device End ............................................................................................................................................... 45

WIP .............................................................................................................................................................. 45


3

Approving the Company Portal app for Android for Work device

management

If you are managing Android devices with a work profile (AfW), there is a specific, one-time task that

IT admins need to perform in order to ensure that the Intune Company Portal app continues to

receive automatic updates from the managed Google Play store. If this is not done, the Company

Portal app itself may not receive updates.


4

How to approve the Company Portal app You will need to manually approve the Company Portal app in the managed Google Play store. This

needs to be done only one time, by following these steps:

1. Browse to the Intune Company Portal in the managed Play Store by following this

URL: https://play.google.com/work/apps/details?id=com.microsoft.windowsintune.companyportal

2. Sign in to the managed Google Play store using the same Google account you used to configure

your Android for Work binding. If you forget what account you used, you can view it in the Intune

admin page on the device enrollment > Android for Work enrollment blade under "Google Account."

3. In the Intune Company Portal listing in the managed Google Play store, click Approve.

https://play.google.com/work/apps/details?id=com.microsoft.windowsintune.companyportal


5


6

Error Page:

Cause The Google account provided is already associated with my another Azure Intune.

Back to top ↑

Resolution Note: Following the below steps will render all Android for Work users inoperable.

1. Navigate to Google Play for Work 2. Login with your Google account 3. Select Admin Settings 4. Click the 3 dots or More Options menu 5. Click Delete Organization 6. Read and understand the Delete Organization prompt 7. Click Delete

http://support.blackberry.com/kb/articleDetail?articleNumber=000038957

https://play.google.com/work/


7


8

I would recommend selecting "Keep approved when app requests new permissions" so that the app

will stay approved in the event that permissions change. You can optionally sign up for email

notifications of permissions changes on the "Notifications" tab. Click Save.


9

You can now close the managed Google Play store browser window.


10

Android for Work devices

Intune now supports managing enrollment of Android for Work (AFW) devices independently from

the Android platform, with no change in the end user experience.

I’ll show you what will change in the enrollment flow, after your enrollment settings are migrated to

the new AFW management experience

Android for work settings that were previously managed under Device Enrollment > Android for

Work Enrollment > Android for Work Enrollment Settings will now be managed from Device

Enrollment > Enrollment restrictions> Device Type Restrictions. Here’s a screenshot of what the AFW

Enrollment blade will look like.


11

Clicking on ‘Enrollment Restrictions’ in the AFW Enrollment blade will take you to the new Enrollment

Restrictions blade, shown below.

By default, your Android for Work devices settings will be the same as your settings for your Android

devices. However, after you change your Android for Work settings that will no longer be the case. If

you block personal Android for Work enrollment, only corporate Android devices can enroll as

Android for Work.

If you have never previously enrolled Android for Work devices, The new Android for Work

platform is blocked in the default Device Type Restrictions. After the feature update, you can allow

devices to enroll with Android for Work. To do so, change the default or create a new Device Type

Restriction to supersede the default Device Type Restriction.

If you have enrolled Android for Work devices

Manage all device as Android – AFW default device type restriction blocked – In this case all

android must enroll without AFW

Managed supported device as AFW – by default its allowed -all android device that support

AFW must enroll with AFW

Managed supported device user only in this group as AFW by default its blocked you need to

create a separate device restriction policy created to override the default one.

User with in the group allowed continuedly to enroll android for Work.


12

How to create Enrollment Restriction Policy


13


14


15


16


17


18

Create terms and conditions

As an Intune admin, you can require that users accept your company's terms and

conditions before they can use the Company Portal to enroll their devices and access

resources like company apps and email. Configuration of terms and conditions is

optional.

You can create multiple sets of terms and assign them to different groups, such as to

support different languages.


19


20

Device End

Device Enrollment Manager Scenario

For Example a restaurant wants to provide 50 point-of-sale tablets for its wait staff, and

order monitors for its kitchen staff. The employees never need to access company data

or sign in as users. The Intune admin creates a device enrollment manager account and

adds a restaurant supervisor to the DEM account, in effect giving that supervisor DEM

capabilities. The supervisor can now enroll the 50 tablets devices by using the DEM

credentials.

Only users in the Intune console can be device enrollment managers. The device

enrollment manager user cannot be an Intune admin.

The DEM user can:

• Enroll up to 1000 devices in Intune

• Use the Company Portal app to get company apps

• Configure access to company data by deploying role-specific apps to the tablets


21


22


23


24

Deploy a new App From now, you can deploy a new application on all devices. I ll show how to do it.

You can deploy applications from:

• Windows Store

• App Store

• Play Store

• MSI Files

• Custom applications (apk)

Below Screen shot walkthrough the App creation in Mobile App category..

Click ADD button to choose your application.


25

I am going to deploy application to Android device using Store APP

Enter the necessary details about app information


26

Now A new APP has been created

Now we need to assign AdobeReader app to specific Group, which contain user.

Here there is a option how the deployment should be. The Type of assignment you need to select.


27


28

Below is the deployment status dashboard – By default it take some hours to reflect here.

Client Device End:


29

How to add Android line-of-business (LOB) apps to Microsoft Intune

1. On the Intune blade, choose Manage apps.

2. In the Mobile apps workload, choose Manage > Apps.

3. Above the list of apps, choose Add.

4. In the Add App blade, choose Line-of-business app.

1. Add app blade, choose App package file.

2. On the App package file blade, choose the browse button, and select an Android

installation file with the extension .apk.


30

3. When you are finished, choose OK.

the App information blade, add the details for app. Depending on the app you have chosen,

some of the values in this blade might have been automatically filled-in:

• Name - Enter the name of the app to display in the company portal. Make sure all app

names that you use are unique. If the same app name exists twice, only one of the apps

will be displayed to users in the company portal.

• Description - Enter the description of the app to be displayed to users in the company

portal.

• Publisher - Enter the name of the publisher of the app.

• Minimum Operating System - From the list, choose the minimum operating system

version on which the app can be installed. If you assign the app to a device with an earlier

operating system, it will not be installed.

• Category - Select one or more of the built-in app categories, or a category you created.

This makes it easier for users to find the app when they browse the company portal.

• Display this as a featured app in the Company Portal - Display the app prominently on

the main page of the company portal when users browse for apps.

• Information URL - Optionally, enter the URL of a website that contains information about

this app. The URL is displayed to users in the company portal.

• Privacy URL - Optionally, enter the URL of a website that contains privacy information for

this app. The URL is displayed to users in the company portal.

• Developer - Optionally, enter the name of the app developer.

• Owner - Optionally, enter a name for the owner of this app, for example, HR department.

• Notes - Enter any notes you would like to associate with this app.

• Logo - Upload an icon that is associated with the app. This is the icon that is displayed

with the app when users browse the company portal.


31

Device End:


32

App protection policies, Previously, the most common model for securing and managing mobile devices (either COD

or BYOD) was to require the device to enroll into an MDM solution. After enrollment, IT

policies are applied to the device and apps, and then end users are allowed to access

corporate data from those devices. With the new Intune MAM without enrollment feature,

there is now a choice.

With APP we don’t need to enroll the device we can just apply policy to the application for

example Outlook. When the user is using Outlook for personal email then we leave them

alone when they go into their corporate email though that is when we apply policy rules

around what they can do. This could be anything from making them enter a pin to access

the data (2 factor or MFA), checking their device isn’t jail broken or stopping them copying

that corporate email to their personal email.

(You can block settings like Save As in apps that have been selected in the menu

configuration.)


33


34


35

Device End:


36

Dynamic Group Membership in Azure Active Directory

I will describe the different types of Dynamic Groups that you can create, then assign these Groups

to Applications and Licenses. If a user or device satisfies a rule on a group, they are added as a

member of that group. If they no longer satisfy the rule, they are removed. This is very useful for

dynamically provisioning Users into the proper group where they will automatically get the assigned

Licenses and Applications based on attributes.

I will first create a Dynamic User Group:

Two Type of Group :


37

For O365 you can set the criteria for user or assigned device where they have O365 product access given

to the user


38

The Above I have created the simple query based on Android version search.

Now that my group is dynamically populated,

Now, all Devices in Azure Active Directory that are Android Devices 6.0 will automatically be added

to this group. I choose deviceOSType, but you can choose any of the attributes that are registered

with each device.

I used Azure AD Graph Explorer to view the Device information:

1. Goto https://graphexplorer.azurewebsites.net/

2. Login with Tenant Account

3. Run the following query https://graph.windows.net/myorganization/devices

4. Results:

https://graphexplorer.azurewebsites.net/

https://graph.windows.net/myorganization/devices


39

"deviceId": "37d6b344-0234-469f-967f-98c975e8d355",

"deviceMetadata": null,

"deviceObjectVersion": 2,

"deviceOSType": "Android",

"deviceOSVersion": "6.0.1",

"devicePhysicalIds": [],

"deviceTrustType": "Workplace",

"dirSyncEnabled": null,

"displayName": "samsungSM-G900M",

"isCompliant": null,

"isManaged": null,

"lastDirSyncTime": null

The information displayed will depend on if the device is Azure AD Joined, Workplace Joined, Intune

MDM, etc...

You can also use multiple attributes and operators:

• (device.deviceOSType -eq "iPad") -or (device.deviceOSType -eq "iPhone") - this will include

all iOS Devices (pictured below)

• (device.deviceOSType -eq "Windows") - this will include all Windows devices

• (device.deviceOSType -eq "Android") -and (device.deviceOSVersion -eq "6.0.1") - this will

include all Android devices running version 6.0.1

• Now that we have created Dynamic Groups, we can use these groups with Azure Active

Directory, Intune and Application Deployments.

• You can create a dynamic group for devices or users, but you cannot create a rule that

contains both user and device objects.

• Device membership rules can only reference immediate attributes of device objects in the

directory.

RBAC With Intune:

RBAC helps you control who can perform various Intune tasks within your organization.

Intune Service Administrator: Users with this role have global permissions within Intune when

the service is present. The Intune Service Administrator role does not provide the ability to

manage Azure AD’s conditional access settings..

Global Administrator who can have access ADFS,AAD,Intune Etc.

ByDefault below Intune Built in roles are available. Still we have a option to create custom one.


40

Intune Mobile Policy Trigger

There are two Method We can sync compliance policy as soon as possible from

end user devices. The First method is when you have to test the policy changes

on the test devices ASAP. The second scenario is when you need to troubleshoot

an issue on a user’s device. Different OS platforms have different default policy

sync timings. The policy refresh intervals for Devices managed by Microsoft

Intune are...The default Intune policy refresh intervals :-

• Android: Every 8 hours.

• Windows Phone: Every 8 hours.

• iOS and Mac OS X: Every 6 hours.

• Windows 8.1 and Windows 10 PCs enrolled as devices: Every 8 hours.

When the devices have just enrolled, the Intune policy check-in frequency are: -


41

• Android: Every 3 minutes for 15 minutes, then every 15 minutes for 2

hours.

• iOS and Mac OS X: Every 15 minutes for 6 hours, and then every 6

hours.

• Windows PCs enrolled as devices: Every 3 minutes for 30 minutes.

• Windows Phone: Every 5 minutes for 15 minutes, then every 15

minutes for 2 hours.

Still we can use the below website to sync policy for enrolled device

http://portal.manage.microsoft.com/

http://portal.manage.microsoft.com/


42

How to Configure Intune Company Portal Branding

Let’s look at all the details that we can specify.

• Company Name – Name of the company portal with max length of 40.

• IT department contact name – Contact name of IT department with max length of

40.

• IT department phone number – Phone number of IT dept.

• Additional information – Some more info in case if you want to display.

• IT department email address – Specify email address of IT dept.

• Company privacy statement URL – URL that specifies company privacy terms.

• Support website URL – Allows users to use the support website for help.

• Support website name – The name of the support website for display.

• Theme Color – Choose the theme color that applies to company portal.

Further you can also display the company logo.

• Show company logo – Upload the company logo.

• Select a logo to use on dark backgrounds – Upload the logo for dark

backgrounds.


43


44

Android oreo With Intune Android 8.0 (named "O")

Once I have upgrade to the released version of Android O, Intially it not working for mw. I have

upgraded to V 5.xx company portal Intune's device and app management features will continue to

work as it is. This applies to all facets of Android management with Intune including work profile

management, non-work profile management, and App Protection Policies.

If you are managing MDM-enrolled Android devices but you are not using a work profile AFW, then

you need to enable Installation from Unknown Sources in order to install line-of-business APKs. In

an effort to increase security, Google has introduced a behavior change in Android O which red in

good site. On prior versions, it used to be a device-wide setting. On O, each individual app has its

own "Install unknown apps" permission. You can still successfully install line-of-business APKs just as

you did before, you just need to go to a different place to turn it on. End users will be guided

through the flow of enabling this permission for Company Portal if they try to install a line-of-

business APK that you deploy to them.

Where it is in Android O, under Settings > Apps & notifications > Special app access > Install

unknown apps > Company Portal


45

Device End

Block app from unknown sources setting has been moved from a device setting to a per-app

permission, it’s no longer possible for Company Portal to detect whether this permission has been

granted at the device level. As a result, this compliance policy will not work on Android O

WIP


46


47


48


49


50


51


52


53


54


55


56


57


58

Documents

Microsoft Intune in the Azure portal...your Android for Work binding. If you forget what account you used, you can view it in the Intune admin page on the device enrollment > Android