MS Intune Overview Gokulnath sccmgeekblog.wordpress.com Twitter @gokularvind05
1
Microsoft Intune in the Azure portal First Look
Table of Contents
Approving the Company Portal app for Android for Work device management ... 3
How to approve the Company Portal app ... 4
Error Page ... 6
Cause ... 6
Resolution ... 6
Android for Work devices ... 10
Create terms and conditions ... 18
Device End ... 20
Device Enrollment Manager Scenario ... 20
Deploy a new App ... 24
How to add Android line-of-business (LOB) apps to Microsoft Intune ... 29
Device End ... 31
App protection policies ... 32
Dynamic Group Membership in Azure Active Directory ... 36
RBAC With Intune ... 39
Intune Mobile Policy Trigger ... 40
How to Configure Intune Company Portal Branding ... 42
Android Oreo With Intune ... 44
Device End ... 45
WIP ... 45
Approving the Company Portal app for Android for Work device management
If you are managing Android devices with a work profile (AfW), there is a specific, one-time task that
IT admins need to perform in order to ensure that the Intune Company Portal app continues to
receive automatic updates from the managed Google Play store. If this is not done, the Company
Portal app itself may not receive updates.
How to approve the Company Portal app
You will need to manually approve the Company Portal app in the managed Google Play store. This
needs to be done only one time, by following these steps:
1. Browse to the Intune Company Portal in the managed Play Store by following this
URL: https://play.google.com/work/apps/details?id=com.microsoft.windowsintune.companyportal
2. Sign in to the managed Google Play store using the same Google account you used to configure
your Android for Work binding. If you forget what account you used, you can view it in the Intune
admin page on the device enrollment > Android for Work enrollment blade under "Google Account."
3. In the Intune Company Portal listing in the managed Google Play store, click Approve.
Error Page:
Cause: The Google account provided is already associated with another Azure Intune tenant.
Resolution
Note: Following the steps below will render all Android for Work users inoperable.
1. Navigate to Google Play for Work.
2. Log in with your Google account.
3. Select Admin Settings.
4. Click the three dots (More Options) menu.
5. Click Delete Organization.
6. Read and understand the Delete Organization prompt.
7. Click Delete.
I would recommend selecting "Keep approved when app requests new permissions" so that the app
will stay approved in the event that permissions change. You can optionally sign up for email
notifications of permissions changes on the "Notifications" tab. Click Save.
You can now close the managed Google Play store browser window.
Android for Work devices
Intune now supports managing enrollment of Android for Work (AFW) devices independently from
the Android platform, with no change in the end user experience.
I'll show you what will change in the enrollment flow after your enrollment settings are migrated to
the new AFW management experience.
Android for Work settings that were previously managed under Device Enrollment > Android for
Work Enrollment > Android for Work Enrollment Settings will now be managed from Device
Enrollment > Enrollment restrictions > Device Type Restrictions. Here's a screenshot of what the AFW
Enrollment blade will look like.
Clicking on ‘Enrollment Restrictions’ in the AFW Enrollment blade will take you to the new Enrollment
Restrictions blade, shown below.
By default, your Android for Work devices settings will be the same as your settings for your Android
devices. However, after you change your Android for Work settings that will no longer be the case. If
you block personal Android for Work enrollment, only corporate Android devices can enroll as
Android for Work.
If you have never previously enrolled Android for Work devices, the new Android for Work
platform is blocked in the default Device Type Restrictions. After the feature update, you can allow
devices to enroll with Android for Work. To do so, change the default or create a new Device Type
Restriction to supersede the default Device Type Restriction.
If you have enrolled Android for Work devices before, there are three options:
• Manage all devices as Android: the AFW default device type restriction is blocked, so all
Android devices must enroll without AFW.
• Manage supported devices as AFW: allowed by default, so all Android devices that support
AFW must enroll with AFW.
• Manage supported devices as AFW only for users in a group: blocked by default; you need to
create a separate device type restriction policy to override the default one. Users within the
group can then continue to enroll with Android for Work.
How to create Enrollment Restriction Policy
Create terms and conditions
As an Intune admin, you can require that users accept your company's terms and
conditions before they can use the Company Portal to enroll their devices and access
resources like company apps and email. Configuration of terms and conditions is
optional.
You can create multiple sets of terms and assign them to different groups, such as to
support different languages.
Device End
Device Enrollment Manager Scenario
For example, a restaurant wants to provide 50 point-of-sale tablets for its wait staff, and
order monitors for its kitchen staff. The employees never need to access company data
or sign in as users. The Intune admin creates a device enrollment manager account and
adds a restaurant supervisor to the DEM account, in effect giving that supervisor DEM
capabilities. The supervisor can now enroll the 50 tablets by using the DEM
credentials.
Only users in the Intune console can be device enrollment managers. The device
enrollment manager user cannot be an Intune admin.
The DEM user can:
• Enroll up to 1000 devices in Intune
• Use the Company Portal app to get company apps
• Configure access to company data by deploying role-specific apps to the tablets
Deploy a new App
From now on, you can deploy a new application to all devices. I'll show how to do it.
You can deploy applications from:
• Windows Store
• App Store
• Play Store
• MSI Files
• Custom applications (apk)
The screenshots below walk through app creation in the Mobile Apps category.
Click the ADD button to choose your application.
I am going to deploy an application to Android devices using a Store app.
Enter the necessary details in the App information section.
Now a new app has been created.
Next we need to assign the Adobe Reader app to a specific group that contains the users.
Here there is an option for how the deployment should behave: the type of assignment you need to select.
Below is the deployment status dashboard. By default it takes some hours to reflect here.
Client Device End:
How to add Android line-of-business (LOB) apps to Microsoft Intune
1. On the Intune blade, choose Manage apps.
2. In the Mobile apps workload, choose Manage > Apps.
3. Above the list of apps, choose Add.
4. In the Add App blade, choose Line-of-business app.
5. In the Add app blade, choose App package file.
6. On the App package file blade, choose the browse button, and select an Android
installation file with the extension .apk.
7. When you are finished, choose OK.
8. On the App information blade, add the details for the app. Depending on the app you have chosen,
some of the values in this blade might have been filled in automatically:
• Name - Enter the name of the app to display in the company portal. Make sure all app
names that you use are unique. If the same app name exists twice, only one of the apps
will be displayed to users in the company portal.
• Description - Enter the description of the app to be displayed to users in the company
portal.
• Publisher - Enter the name of the publisher of the app.
• Minimum Operating System - From the list, choose the minimum operating system
version on which the app can be installed. If you assign the app to a device with an earlier
operating system, it will not be installed.
• Category - Select one or more of the built-in app categories, or a category you created.
This makes it easier for users to find the app when they browse the company portal.
• Display this as a featured app in the Company Portal - Display the app prominently on
the main page of the company portal when users browse for apps.
• Information URL - Optionally, enter the URL of a website that contains information about
this app. The URL is displayed to users in the company portal.
• Privacy URL - Optionally, enter the URL of a website that contains privacy information for
this app. The URL is displayed to users in the company portal.
• Developer - Optionally, enter the name of the app developer.
• Owner - Optionally, enter a name for the owner of this app, for example, HR department.
• Notes - Enter any notes you would like to associate with this app.
• Logo - Upload an icon that is associated with the app. This is the icon that is displayed
with the app when users browse the company portal.
Device End:
App protection policies
Previously, the most common model for securing and managing mobile devices (either COD
or BYOD) was to require the device to enroll into an MDM solution. After enrollment, IT
policies are applied to the device and apps, and then end users are allowed to access
corporate data from those devices. With the new Intune MAM without enrollment feature,
there is now a choice.
With APP we don't need to enroll the device; we can just apply policy to the application, for
example Outlook. When the user is using Outlook for personal email we leave them
alone; when they go into their corporate email, that is when we apply policy rules
around what they can do. This could be anything from making them enter a PIN to access
the data (two-factor or MFA), checking their device isn't jailbroken, or stopping them copying
that corporate email to their personal email.
(You can block settings like Save As in apps that have been selected in the menu
configuration.)
Device End:
Dynamic Group Membership in Azure Active Directory
I will describe the different types of Dynamic Groups that you can create, then assign these Groups
to Applications and Licenses. If a user or device satisfies a rule on a group, they are added as a
member of that group. If they no longer satisfy the rule, they are removed. This is very useful for
dynamically provisioning Users into the proper group where they will automatically get the assigned
Licenses and Applications based on attributes.
I will first create a Dynamic User Group.
There are two types of group:
For O365, you can set the criteria on the user or on the assigned device, where the user has been
given access to an O365 product.
Above, I have created a simple query based on the Android version.
Now that my group is dynamically populated, all devices in Azure Active Directory that are Android
6.0 devices will automatically be added to this group. I chose deviceOSType, but you can choose any
of the attributes that are registered with each device.
I used Azure AD Graph Explorer to view the device information:
1. Go to https://graphexplorer.azurewebsites.net/
2. Log in with the tenant account.
3. Run the following query: https://graph.windows.net/myorganization/devices
4. Results:
"deviceId": "37d6b344-0234-469f-967f-98c975e8d355",
"deviceMetadata": null,
"deviceObjectVersion": 2,
"deviceOSType": "Android",
"deviceOSVersion": "6.0.1",
"devicePhysicalIds": [],
"deviceTrustType": "Workplace",
"dirSyncEnabled": null,
"displayName": "samsungSM-G900M",
"isCompliant": null,
"isManaged": null,
"lastDirSyncTime": null
The information displayed will depend on whether the device is Azure AD joined, Workplace joined,
Intune MDM managed, etc.
You can also use multiple attributes and operators:
• (device.deviceOSType -eq "iPad") -or (device.deviceOSType -eq "iPhone") - this will include
all iOS Devices (pictured below)
• (device.deviceOSType -eq "Windows") - this will include all Windows devices
• (device.deviceOSType -eq "Android") -and (device.deviceOSVersion -eq "6.0.1") - this will
include all Android devices running version 6.0.1
Now that we have created dynamic groups, we can use these groups with Azure Active Directory,
Intune and application deployments.
Note that you can create a dynamic group for devices or users, but you cannot create a rule that
contains both user and device objects, and device membership rules can only reference immediate
attributes of device objects in the directory.
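The rule syntax above can be checked offline against the kind of device record the Graph query returns. The following is an added example, not code from the original document or from Azure AD: a small parser and evaluator for -eq/-ne/-and/-or rules over device.* attributes, run against constructed device records (only the Android one mirrors values shown above), which also enforces the note that a device rule cannot reference user attributes.

```python
import re

# Constructed device records modelled on the Graph Explorer output shown above.
DEVICES = [
    {"displayName": "samsungSM-G900M", "deviceOSType": "Android", "deviceOSVersion": "6.0.1", "isCompliant": None},
    {"displayName": "ipad-finance-01", "deviceOSType": "iPad", "deviceOSVersion": "10.3.3", "isCompliant": None},
    {"displayName": "DESKTOP-HR7", "deviceOSType": "Windows", "deviceOSVersion": "10.0.15063", "isCompliant": None},
]

# Rule tokens as used above: ( ) -eq -ne -and -or, "quoted strings", device.attribute names.
TOKEN_RE = re.compile(r'\s*(\(|\)|-eq|-ne|-and|-or|"[^"]*"|[A-Za-z_][\w.]*)')

def tokenize(rule):
    leftover = TOKEN_RE.sub("", rule).strip()  # anything the token grammar does not cover
    if leftover:
        raise ValueError(f"unrecognised text in rule: {leftover!r}")
    return TOKEN_RE.findall(rule)

def parse(tokens):
    # Recursive descent: expr := term (-or term)*; term := factor (-and factor)*;
    # factor := '(' expr ')' | device.attr (-eq|-ne) "value". Returns a nested tuple tree.
    pos = 0
    peek = lambda: tokens[pos] if pos < len(tokens) else None
    def take(expected=None):
        nonlocal pos
        tok = peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        pos += 1
        return tok
    def expr():
        node = term()
        while peek() == "-or":
            take()
            node = ("or", node, term())
        return node
    def term():
        node = factor()
        while peek() == "-and":
            take()
            node = ("and", node, factor())
        return node
    def factor():
        if peek() == "(":
            take("(")
            node = expr()
            take(")")
            return node
        attr, op, value = take(), take(), take()
        if not attr.startswith("device."):  # a device rule cannot reference user.* attributes
            raise ValueError(f"device rules may only reference device.* attributes: {attr!r}")
        if op not in ("-eq", "-ne") or not value.startswith('"'):
            raise ValueError(f'expected device.attr -eq|-ne "value", got {attr} {op} {value}')
        return (op, attr[len("device."):], value.strip('"'))
    tree = expr()
    if peek() is not None:
        raise ValueError(f"unexpected trailing token {peek()!r}")
    return tree

def evaluate(node, device):
    if node[0] in ("and", "or"):
        results = (evaluate(child, device) for child in node[1:])  # short-circuits like the rule
        return all(results) if node[0] == "and" else any(results)
    op, attr, value = node  # exact string match assumed; a missing or null attribute never equals a string
    return device.get(attr) == value if op == "-eq" else device.get(attr) != value

def members(rule, devices):  # display names of the devices the rule would place in the group
    tree = parse(tokenize(rule))
    return [d["displayName"] for d in devices if evaluate(tree, d)]
```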
RBAC With Intune:
RBAC helps you control who can perform various Intune tasks within your organization.
Intune Service Administrator: Users with this role have global permissions within Intune when
the service is present. The Intune Service Administrator role does not provide the ability to
manage Azure AD's conditional access settings.
Global Administrator: has access to ADFS, AAD, Intune, etc.
By default the Intune built-in roles below are available. You still have the option to create a custom one.
Intune Mobile Policy Trigger
There are two scenarios where we want to sync compliance policy from end user devices as
soon as possible. The first is when you have to test policy changes on test devices ASAP.
The second is when you need to troubleshoot an issue on a user's device. Different OS
platforms have different default policy sync timings. The default Intune policy refresh
intervals for devices managed by Microsoft Intune are:
• Android: Every 8 hours.
• Windows Phone: Every 8 hours.
• iOS and Mac OS X: Every 6 hours.
• Windows 8.1 and Windows 10 PCs enrolled as devices: Every 8 hours.
When the devices have just enrolled, the Intune policy check-in frequencies are:
• Android: Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours.
• iOS and Mac OS X: Every 15 minutes for 6 hours, and then every 6 hours.
• Windows PCs enrolled as devices: Every 3 minutes for 30 minutes.
• Windows Phone: Every 5 minutes for 15 minutes, then every 15 minutes for 2 hours.
You can also use the website below to sync policy for an enrolled device:
http://portal.manage.microsoft.com/
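As an added example (not from the original document), the intervals above can be turned into a model of the expected check-in cadence, which is useful for spotting enrolled devices that have gone quiet and are therefore no longer picking up policy. The platform keys, enrollment time and check-in records are constructed for the demonstration.

```python
from datetime import datetime, timedelta

MIN, HR = timedelta(minutes=1), timedelta(hours=1)

# Per platform: post-enrollment phases as (check-in interval, length of that phase),
# then the steady-state interval from the default refresh list above.
SCHEDULES = {
    "Android":      ([(3 * MIN, 15 * MIN), (15 * MIN, 2 * HR)], 8 * HR),
    "WindowsPhone": ([(5 * MIN, 15 * MIN), (15 * MIN, 2 * HR)], 8 * HR),
    "iOS":          ([(15 * MIN, 6 * HR)], 6 * HR),
    "WindowsPC":    ([(3 * MIN, 30 * MIN)], 8 * HR),
}

def expected_interval(platform, enrolled_at, at):
    """Check-in interval Intune applies to this platform at the moment `at`."""
    phases, steady = SCHEDULES[platform]
    elapsed, phase_end = at - enrolled_at, timedelta(0)
    for interval, duration in phases:
        phase_end += duration
        if elapsed < phase_end:
            return interval
    return steady

def is_overdue(platform, enrolled_at, last_checkin, now, grace=2):
    """True when more than `grace` expected intervals have passed since the last check-in;
    such a device is no longer receiving compliance policy changes."""
    return now - last_checkin > grace * expected_interval(platform, enrolled_at, last_checkin)

# Constructed check-in records for a stale-device sweep (names and times are made up).
ENROLLED = datetime(2017, 10, 2, 9, 0)
RECORDS = [
    {"name": "samsungSM-G900M", "platform": "Android", "enrolled": ENROLLED,
     "last_checkin": ENROLLED + timedelta(hours=1)},               # in the 15-minute phase
    {"name": "ipad-finance-01", "platform": "iOS", "enrolled": ENROLLED,
     "last_checkin": ENROLLED + timedelta(minutes=30)},            # in the 15-minute phase
    {"name": "DESKTOP-HR7", "platform": "WindowsPC", "enrolled": ENROLLED,
     "last_checkin": ENROLLED + timedelta(hours=1, minutes=15)},   # already at the 8-hour steady state
]

def stale_devices(records, now, grace=2):
    """Names of devices whose silence exceeds `grace` times their expected interval."""
    return [r["name"] for r in records
            if is_overdue(r["platform"], r["enrolled"], r["last_checkin"], now, grace)]
```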
How to Configure Intune Company Portal Branding
Let’s look at all the details that we can specify.
• Company Name – Name of the company portal with max length of 40.
• IT department contact name – Contact name of IT department with max length of
40.
• IT department phone number – Phone number of IT dept.
• Additional information – Any further information you want to display.
• IT department email address – Specify email address of IT dept.
• Company privacy statement URL – URL that specifies company privacy terms.
• Support website URL – Allows users to use the support website for help.
• Support website name – The name of the support website for display.
• Theme Color – Choose the theme color that applies to company portal.
Further you can also display the company logo.
• Show company logo – Upload the company logo.
• Select a logo to use on dark backgrounds – Upload the logo for dark
backgrounds.
Android Oreo With Intune: Android 8.0 (named "O")
Once I had upgraded to the released version of Android O, initially it was not working for me. After
I upgraded the Company Portal to v5.xx, Intune's device and app management features continued to
work as before. This applies to all facets of Android management with Intune, including work profile
management, non-work profile management, and App Protection Policies.
If you are managing MDM-enrolled Android devices but you are not using a work profile (AFW), then
you need to enable Installation from Unknown Sources in order to install line-of-business APKs. In
an effort to increase security, Google has introduced a behavior change in Android O. On prior
versions, it used to be a device-wide setting. On O, each individual app has its own "Install unknown
apps" permission. You can still successfully install line-of-business APKs just as you did before; you
just need to go to a different place to turn it on. End users will be guided through the flow of
enabling this permission for the Company Portal if they try to install a line-of-business APK that you
deploy to them.
Where it is in Android O: Settings > Apps & notifications > Special app access > Install
unknown apps > Company Portal
Device End
Because the "Block apps from unknown sources" setting has moved from a device setting to a per-app
permission, it's no longer possible for the Company Portal to detect whether this permission has been
granted at the device level. As a result, this compliance policy will not work on Android O.
WIP