When it comes to which tech products and services to use, businesses certainly have plenty of choices. There are so many players in the tech landscape that winning over new clients is often a huge challenge. With this in mind, tech companies need to go above and beyond to retain the customers they already have. For Microsoft, this means ensuring its Windows 365 and Intune offerings continuously update and offer new features.
Doing this helps these services continue to deliver the exceptional quality that customers expect. But more importantly, these services want to enhance the experience even more so that they remain the best in class. With that said, what can we expect from these products in the near future?
What’s coming to Microsoft Intune?
Intune is one of the leading endpoint management platforms available. It is constantly pushing the boundaries of what it can offer to customers. Especially now, with the growing interest in hybrid and remote workforces.
Microsoft Intune is helping companies better manage access to organizational resources. It’s also simplifying app and device management across various devices. With this in mind, new features are consistently in development to improve management. And some of those upcoming features to be excited about include:
Microsoft Intune: On-Demand remediations – single device
We should expect the rollout for this one to begin in December 2024. Remediations are excellent tools that help you address problems a lot faster. These script packages will detect and resolve common support issues on a user’s device. And they’ll do so before they even realize there’s a problem. By running remediations on-demand on a single device, you can immediately start resolving issues. Find resolution without waiting for the predetermined remediation schedule.
Microsoft Intune: Enrollment time grouping for iOS/iPadOS automated device enrollment
Enrollment time grouping (ETG) for iOS/iPadOS automated device enrollment (ADE) is another feature. It will support targeted apps and policies in reaching devices faster. This helps minimize delays, common with device setup.
However, it’s only going to be part of the new iOS/iPadOS enrollment policies. For devices to be part of that group upon enrollment, admins need to add a static Entra ID group into the enrollment policy. This will also reduce the latency of targeted apps and policies. The rollout is on the schedule for October 2024.
Microsoft Intune: Scoped and targeted device clean-up rule
The preview will be available in November 2024, with the rollout starting the following month. With this rollout, admins will be able to clean up inactive devices from their tenant by providing capabilities of running these rules at a platform level. I’m sure we can all attest to the need for a clean environment.
Microsoft Intune: Security Baselines for HoloLens 2
To get the best level of security for your organizational resources, it is advisable to use the security baselines that Microsoft considers the best practice guidelines. This should enhance your security and improve the experience in deploying and supporting HoloLens 2 devices to customers in various industries. The rollout will be coming in October 2024.
Microsoft Intune: SCEP certificate delivery
With the rollout scheduled to begin in October 2024, Microsoft Intune is offering this solution to its customers as well as other external partners. This feature’s design can deliver SCEP certificates with all the necessary security requirements to devices to mitigate the KFC issue.
Microsoft Intune: Enhanced device inventory for Windows devices
Few things can increase work efficiency the way that easily having access to all the information you need when you need it can. This is what businesses will get when this service rolls out in October 2024. And it will enable them to obtain more inventory information about their Windows devices. You get to specify which device properties you need to collect as well as from which devices. With this done, you can view that information for your devices.
Microsoft Intune: Simplified App Control policy creation experience (curated workflow)
In keeping in line with the need to increase efficiency, this solution’s upcoming October 2024 update rollout will do a lot to make life easier for IT admins. This capability will help you configure App Control policies with built-in toggles in the console that expose all App Control for Business capabilities.
Microsoft Intune: Work-hour access controls for Front-Line Workers
This solution can contribute significantly to simplifying workforce management as well as enhancing your overall security posture. Coming in October 2024, this feature will help IT admins with work-hour access controls for front-line workers. Once workers have clocked out, admins can swiftly put in place measures to prevent Teams access or notifications.
Microsoft Intune: Endpoint Privilege Management on single session Azure Virtual Desktop
Anything that can simplify user management will be a welcome addition to the tools that IT admins already have. With this in mind, admins will be happy, as it enables them to use Privilege Management elevation rules and policies to simplify how they manage standard users on Azure Virtual Desktop. The rollout for this one is on the schedule for September 2024.
Microsoft Intune: Endpoint Privilege Management rules support specifying allowable command arguments
Similar to the previous solution, this one is also coming to market in September 2024. This will give admins Endpoint Privilege Management rules support that can specify a list of allowable command parameters. Consequently, this will restrict elevation to only the allowed or mandatory arguments.
Microsoft Intune: New design for Windows Company Portal app
This new and updated design should give users a platform that is easier to use and streamline workflow. You should expect to see changes in the Home, Devices, and Downloads & updates pages. These intend to enhance the overall user experience. Additionally, this updated design will be very simple to understand and thus use. It will clearly highlight any areas that require action from the user.
Windows 365 features in development
For Windows 365, Microsoft has provided us with information about the exciting new features that are currently in development but not yet released. These should help improve the security posture of organizations and enhance the end-user experience. We haven’t found any release dates as of yet. It would be useful for planning purposes to look at what we could soon see coming to our Cloud PCs.
DEVICE MANAGEMENT
Features
What to expect
Support for symmetric NAT with RDP Shortpath
The goal is to develop an RDP Short path in Windows 365 such that it can support setting up an indirect UDP connection using Traversal Using Relays around NAT (TURN) for symmetric NAT. Most are probably aware that TURN is a widely accepted standard for device-to-device networking for low latency, high-throughput data transmission.
Chroma subsampling default change to 4:2:0
Both Intune and Windows 365 want to help enterprises operate more efficiently. And in this case, that can be achieved by reducing monitor support issues. The Windows 365 service will be able to do so by defaulting the chroma subsampling at 4:2:0 (instead of the previous 4:4:4).
Cloud PC gallery images update to Microsoft Teams 2.1
Another feature that we should expect to see in the future is Windows 365 Cloud PC gallery images with Microsoft 365 applications being updated to use Microsoft Teams 2.1. These images will include: Windows 11 Enterprise + Microsoft 365 Apps 21H2Windows 10 Enterprise + Microsoft 365 Apps 22H2Windows 10 Enterprise + Microsoft 365 Apps 21H2
Windows 365 support for HEVC video coding
Windows 365 is also working on providing support for Hardware High Efficiency Video Coding (HEVC) h.265 4:2:0 on compatible GPU-enabled Cloud PCs.
Azure network connections inactive state
In the future, some Azure network connections will start getting marked as inactive under some conditions. These conditions are as follows: ANCs not associated with provisioning policies for more than four weeks, ANCs with provisioning policies that have no Cloud PCs associated with them for more than four weeks. IT administrators need to be aware that inactive ANCs will be skipped during health checks and cannot be assigned to provisioning policies. However, if need be, you can reactivate these ANCs.
DEVICE SECURITY
Features
What to expect
Cloud PC support for FIDO devices and passkeys on macOS and iOS
Many consider Fast Identity Online (FIDO) to be the future of authentication measures. These protocols allow you to swiftly and securely authenticate to various services without the need for a password. Because of the ease of deployment, convenience, and extremely high security, it’s no surprise that FIDO is now widely supported and used. Therefore, macOS and iOS users will be glad to know that Windows 365 is working on enabling Cloud PCs to support FIDO devices and passkeys for Microsoft Entra ID sign-in on their devices.
MONITOR AND TROUBLESHOOT
Features
What to expect
End user manual connectivity check
I’m sure we’ve all experienced the frustrations that always come with faulty connections. All one wants in that instance is to quickly figure out what’s wrong and resolve it. Currently, connectivity health checks are run on individual Cloud PCs, but in the future, end-users will have the tools to manually run connectivity checks on their Cloud PCs from windows365.microsoft.com.
Update to Cloud PC action status report
The Cloud PC action status report officially allows you to view the actions that admins have taken as well as on which Cloud PCs these actions have been taken. In addition, you get to see the status of these actions. To access this report, you need to sign in to the Microsoft Intune admin center. Once there, select Devices > Monitor > Cloud PC actions (preview). With the update that is soon to come to the Cloud PC action status report, you will be able to view batches of devices in which actions have been activated. Furthermore, customers will be able to see the batch current progress.
PROVISIONING
Features
What to expect
New health check: UDP TURN (preview)
The Azure network connection (ANC) health checks are one of the more unique features that Windows 365 provides. These health checks, which are run regularly, help to ensure that the provisioning of Cloud PCs is successful in addition to verifying that end-users are getting the best possible Cloud PC experience. The update that Windows 365 has mentioned, will see a new UDP TURN being added to the Azure Network Connections health checks.
SECURITY
Features
What to expect
New settings for Windows 365 security baselines
In the near future, customers should expect to receive new configuration settings for the Windows 365 security baseline. These Windows 365 security baselines provide customers with a set of policy templates that are founded on security best practices and experience from real-life situations. By using these baselines, customers can obtain security recommendations that will improve their cyber security and reduce the risks facing their networks. With these security baselines, security configurations for Windows 11, Windows 10, Microsoft Edge, and Microsoft Defender for Endpoint will be enabled. Before fully implementing any Configuration changes, however, it’s always safer to first test the security baseline on a pilot group of Cloud PCs.
Wrap up
Getting updates and new features is always an important part of keeping our apps and devices performing at optimum levels. Technology is constantly evolving. And without regular updates, the user experience can suffer negative impacts within a short space of time. Devices can slow down, apps can develop issues that hinder productivity, and security can become compromised.
This is why Microsoft works hard to stay ahead of the issues with a stream of new features and services frequently released to Microsoft Intune and Windows 365. These upgrades guarantee end-users that they will continue to receive industry-leading quality of service, enabling their user experience to improve even further.
As technology continues to evolve, businesses like yours are constantly looking for solutions that can give them that little bit extra. What may appear to be small innovations will eventually add up to give you significant advantages over other organizations.
One area where businesses stand to gain massively concerns cloud-based management solutions. The potential benefits of using solutions like Microsoft Intune include getting access to excellent features, enhanced security, and improved endpoint management among others.
IT admins will get to work better because they have the flexibility to oversee users and their various devices, even if they are personally owned. Considering all there is to gain, we need to take a look at why and how your organization should be migrating to the cloud.
Why Microsoft Intune?
If your organization has a well-run IT infrastructure, why should you even consider Microsoft Intune? What do you stand to gain? The most obvious answer would be that if your organization wants the best in endpoint management, then you would be hard-pressed to find a better solution than Intune.
Over time, Intune has firmly established itself as a leading device management solution that will offer you seamless application integration for all your various devices. It gives your IT admins the capability to ensure that all the devices and apps that employees are using are fully compliant with your organization’s security requirements.
Mobile devices have evolved to the point where they are now very much capable of performing most and in some cases all of the functions needed to do our jobs. This has inevitably created the need for the mobile device management features that Intune can offer. IT admins can monitor these devices and thus enforce organizational security policies.
This gives businesses the flexibility to empower their employees to use their respective mobile devices for work-related purposes without compromising the security of their networks. Such policies can potentially increase productivity by enabling employees to use the devices of their choice as well as work remotely.
It would be hard to advocate for Microsoft Intune without mentioning the issue of cost-effectiveness. We can go on and on about all the benefits that Intune can offer, but cost can ultimately decide for you.
Fortunately, choosing Intune is a decision that could help you reduce IT costs. Switching to a cloud-native management system will mean your business spends less on physical hardware as well as on-premises IT management systems.
This reduction in physical infrastructure will allow your organization to reallocate resources elsewhere and therefore operate with even greater efficiency.
Preparing for the future
Considering the changes we have witnessed in the tech landscape in just the last fifteen years alone, we should always be looking to future innovations. Organizations need to be in a position to take full advantage as each next big innovation rolls out.
To do that, going cloud-native would offer you the best approach. By fully transitioning to the cloud, you can put your organization in a position to fully benefit from better insights, AI analytics, as well as the multitude of other capabilities that AI can deliver.
Furthermore, using a cloud-native approach can help you centralize data which in turn will make it easier for AI to manage this data and produce actionable insights. This may help organizations enhance their security by getting a better grasp of potential future threats.
Considering new possibilities
Getting someone to change the way they do things can often be an incredibly difficult challenge. And this applies to both personal and professional life. Regardless of the benefits to gain from migrating to the cloud, it may be difficult to inspire change. If an IT team has put in the effort to create a well-designed and efficient IT infrastructure, it’s going to be hard to convince them to consider alternative solutions.
At this point, businesses will need to evangelize users who can truly highlight the beauty of the changing tech landscape and encourage their IT teams to expand their visions.
It’s going to take more than a simple presentation to convince people that they are potentially missing out on some significant innovations. Rather than simply forcing change on people, proving to them how they stand to benefit from the changes a solution like Microsoft Intune can bring, may work a lot better.
As individuals grow more familiar with the amazing endpoint management capabilities that Intune can offer, you may start to see a greater willingness to change their mindset.
Of great importance, however, is to exercise patience and not expect to see an immediate change in how people approach things. Let them experience for themselves the value that going cloud-native will give them.
Implementing changes
Once you get the ball rolling concerning changing the mindset, it’s important to start looking at how exactly you can start making the necessary changes. Even as more and more recognize the benefits of making the transition, the pathway to achieving that may still cause some trepidation.
Fortunately, the feedback that Intune receives from its clients will go a long way in helping others move forward. IT professionals need to realize that the dependable key information flow processes they use will remain intact.
According to those who have successfully migrated, one of the best ways to smoothen the transition is by establishing small pilot programs and then rolling out changes incrementally. With that done, you can place at the forefront of the project individuals who have fully bought in and are willing to help bring others to a similar vision.
Doing it this way enables you to minimize any negative outcomes while simultaneously maximizing the effect that the small wins give your organization. As long as your advocates continue to communicate clearly every step of the way, you should have a much easier time implementing changes.
Working together
An important reason why Microsoft Intune has taken its capabilities to another level over the last decade can probably tie to the constant back and forth with clients. The team at Intune embarked on a process of trying to simplify things for users. They did so after discovering the challenges presented by the power and flexibility of Intune.
The various options and configurations available may be difficult for clients to master and what they often want are simple instructions telling them exactly what they need to do.
To address the concerns that clients have raised, the support team has offered what they are calling a one-size-fits-most guidance. This system provides organizations with the necessary tools to configure the basic settings required to make endpoints more secure and productive with Intune.
Clients will also be happy to discover that the Microsoft Intune documentation hub has been streamlined. There is a focus on highlighting the guidance system thereby further simplifying the implementation process.
Additionally, even more support is available from the Intune Tech Community. This team consists of fellow IT admins and support professionals.
Integration with other services
Microsoft offers its clients a wide array of products and services that enable organizations to provide their employees with the best possible tools. Having such an ecosystem means that end-users can produce to the best of their abilities with everything they need availed to them. Microsoft Intune plays a key role in this through its integration with other products and services that aim to help in endpoint management such as:
Configuration manager
This platform is ideal for on-premises end-point management and Windows Server. It’s a service that will help you increase the productivity and efficiency of your IT teams, maximize both software and hardware investments, and empower your end-users by ensuring they get what they need when they need it.
Configuration Manager offers you a powerful management application that will help you better manage every device in your organization. Using both Intune and Configuration Manager together can be a great way for those who are still hesitant about going fully cloud-native to gradually make the transition at their own pace.
Windows autopilot
Windows Autopilot gives you a service developed to eliminate the provisioning challenges that have plagued organizations in the past. With Autopilot, you can provision new devices and send them directly to users from an OEM or device provider.
Thus, what you will get is a greatly simplified deployment and provisioning process that can deliver a custom out-of-the-box experience with an easy self-service configuration process. Not to mention how features like zero-touch, self-service deployments can make life easier for IT admins.
Endpoint analytics
Endpoint Analytics delivers valuable insights that enable your business to assess how it is operating as well as evaluate the quality of the experience that users are getting. By going over this data, your organization can quickly identify policies or hardware issues that are negatively impacting end-users. Doing this allows you to be proactive in dealing with problem areas and thus maintain consistent productivity levels.
Additionally, this service will give your organization better visibility concerning frequently encountered problems such as long boot times. Often, these issues tend to persist unnecessarily simply because IT doesn’t have the necessary insights.
Microsoft 365
Microsoft 365 is undoubtedly one of the best cloud-powered productivity platforms that you can get. Signing up for this service will give you excellent end-user productivity Office apps such as Outlook, Teams, Sharepoint, OneDrive, and more. And one of its most attractive features is that you can use it anywhere.
You can easily install it on PCs, Macs, tablets, and phones. You can easily use Microsoft Intune to deploy Microsoft 365 apps to the users and devices in your organization. Furthermore, the continuous support that you get means that you will always have the most up-to-date modern productivity tools that Microsoft offers.
Microsoft defender for Endpoint
All of the services we have gone over in this section will require excellent security features and that is what Defender for Endpoint offers. It gives your organization the capabilities to prevent, detect, investigate, and respond to threats. By going through Intune, you get the option of creating a service-to-service connection between Intune and Defender for Endpoint. Each organization can customize the compliance policies it uses to ensure that it establishes what it considers to be an appropriate level of risk. And when you combine this with Conditional Access features, you can prevent access to organizational resources by any devices that fall short of your compliance regulations.
Expanding the vision
As we’ve already discussed, there are plenty of benefits that you can gain from using Microsoft Intune. But, what’s even better is that within the Microsoft ecosystem, there is so much that your organization can take advantage of. And one of the solutions that has been growing in popularity over the last few years is the Windows 365 Cloud PC.
Clients will be able to leverage the Microsoft Intune admin center to use their Cloud PCs. The latter provides the opportunity to stream Windows 10 or Windows 11 onto almost any device, thereby offering users the ability to take their desktops anywhere.
In a world where the attraction of remote work is constantly growing, having the option of the Windows 365 Cloud PC can be key to bringing in top talent to your organization. Following the pandemic a few years ago, once business operations started to normalize, there were plenty of people who realized that they would actually prefer having the option to work part-time or even full-time from home.
For organizations that have decided that this is something they can do, leveraging Microsoft Intune to go cloud-native would offer arguably the best way to do it. From there, you can tap into the Cloud PC environment and offer your employees powerful, secure desktops they can use from anywhere.
What does the Cloud PC do for your organization?
We’ve talked a bit about Intune and why your organization should consider going for a cloud-native approach. But, what about the Windows 365 Cloud PC? In addition to what you get with Intune, the Cloud PC offers plenty of benefits that will enhance work solutions in the cloud.
One that most businesses will appreciate is the flexibility that is provided allowing organizations to select a plan that is most ideal for them. Not only that, but you are not permanently stuck with the option that you pick. Depending on the needs of end-users, you’ll be able to scale your operations up or down as you see fit.
ENHANCED SECURITY
Whenever the issue of remote work comes up, security is going to be a massive concern for businesses. This is why the Windows 365 team has gone to great lengths to ensure maximum data protection for end-users and their organizations.
The Cloud PC takes full advantage of Zero Trust principles to assure clients that their data will have very high-level security. To further strengthen the security of the platform, clients are recommended Conditional Access as well as Azure AD Multi-Factor Authentication.
FEW TO NO COMPATIBILITY ISSUES
Another concern that clients would understandably have has to do with integrating specific applications with the Cloud PC. For IT admins in particular, losing control over how they manage devices is a real concern. Fortunately, when it comes to Windows 365, compatibility with your existing applications should not be a problem.
It’s because the Cloud PC’s design supports any apps you may have been using on Windows 7, Windows 8.1, and Windows 10, should work on Windows 365 as well. And in case you encounter any challenges, you will be able to get assistance via the Fast Track App Assure program.
EASE-OF-USE
If you’re trying to convince people about a new service, your job will be significantly harder if the platform is complex and therefore difficult to navigate. With the Windows 365 Cloud PC, however, the platform aims to ensure simplicity. Even from the initial setting up, organizations won’t need to bring in specialist IT personnel to configure their Cloud PCs.
And once that’s done, IT admins can continue to manage and deploy endpoints similarly to how they’ve been doing all along. End-users as well won’t face any huge challenges because they will continue using the same applications.
Enrolling devices in Microsoft Intune
Having looked at what Intune can offer your organization, the next step is to go over what you need to know about enrolling devices. Together with Microsoft Entra ID, Intune will facilitate a secure, streamlined process for the registration and enrolment of all devices that require access to your organization’s resources. You can start using Intune for endpoint management once users and devices have been registered within your Microsoft Entra ID (tenant).
During the enrolment process, Intune will install a Mobile Device Management (MDM) certificate on the enrolling device. It’s this certificate that will handle communication with the Intune service and thus enable Intune to begin enforcing organizational policies such as:
Compliance policies designed to help users and devices meet the organization’s rules.
Enrollment policies that determine the number or types of devices someone can enroll.
Configuration profiles that configure work-appropriate features and settings on the devices.
Policy details
Generally, you should expect policies to deploy during the enrolment process. However, certain groups that may have more sensitive roles within the organization will often require stricter policies.
So, what a lot of organizations will first do is create a baseline of required policies for users and devices. Once you’ve established this baseline, you can start building on it depending on the use cases as well as the needs of various groups.
Devices running Android, iOS/iPadOS, Linux, MacOS, and Windows will all be eligible for enrolment in Intune as long they are running a supported version of the OS. By default, you’ll find that enrolment is enabled for all platforms.
But, if the need arises, you can use an Intune enrolment restriction policy to restrict certain platforms. Microsoft Intune enables mobile device management for both personal devices and corporate-owned devices.
Personal devices
In this category, the devices being referred to are personally owned PCs, tablets, and mobile phones. In bring-your-own-device (BYOD) scenarios, these personal devices can be MDM enrolled in Intune. Because of the supported enrollment methods, employees or students can use personal devices for work or school tasks.
IT admins will need to add device users in the Microsoft Intune admin center, configure their enrollment experience, and then set up Intune policies. Once that’s done, the device user needs to navigate to the Intune Company Portal app to start and complete the enrolment.
Corporate-owned devices
This category includes the same type of devices – PCs, tablets, and mobile phones. Except in this case, these devices are owned by the organization and then given out to employees or students for use at work or school.
For these types of devices, Intune offers organizations more granular settings and policies. You should expect to find more password settings for corporate-owned devices thus enabling you to enforce stricter password requirements. Devices that meet specific criteria will be automatically marked by Intune as corporate-owned.
Wrap up
At this point, we have all witnessed the increase in cloud usage by companies of all sizes. The various platforms available have been able to offer businesses an increasing array of capabilities that are constantly improving.
Solutions like Microsoft Intune can now provide powerful endpoint management systems that allow organizations exceptional flexibility and scalability. These capabilities will allow businesses to operate their IT infrastructure more efficiently and provide end-users with the tools to thrive.
To cater to different businesses and where they may be on their journey, Intune gives you pathways that you can take as you migrate to the cloud. You can choose what works for you from co-management until you get to full cloud-native. There is much to be gained from leveraging the cloud not only right now but as we look at all the future innovations currently in development.
All the devices and applications that we use need both security and feature updates now and again to ensure that we always get the best possible performance. Whether these are personal or work devices, without regular improvements, the performances will eventually not be good enough to meet our requirements.
One of the platforms that helps to optimize the user experience is Managed Home Screen. Using this feature can deliver a better experience. Within the Intune environment, all users with enrolled devices as Android Enterprise dedicated devices can benefit.
In this article, we’ll be taking a look at what Managed Home Screen is and how it can improve workflows.
What is Managed Home Screen?
With Managed Home Screen, users get an Android application that is compatible on devices enrolled into Intune as Android Enterprise dedicated devices. The application means to cover corporate-owned devices that are running in multi-app kiosk mode.
On these devices, Managed Home Screen acts as the launcher for other approved apps to run on top of it. The benefit to IT admins is greater control over the customization of devices, as well as being able to restrict the capabilities that the end user can access. The availability of these features means that your business can:
Easily maintain control over how these devices work. The customization and control you have over the Android devices allows you to determine specifically what users can access.
Enhance the user experience by establishing a consistent and simplified experience across device types and OEMs that makes it significantly easier to perform all tasks to a high standard.
Gain access to all the relevant troubleshooting workflows that one would need to fix issues on-device. Or provide Microsoft support with the necessary tools to troubleshoot issues on-device.
Utilize an improved sign-in and sign-out experience with a device configured with Shared device mode.
Customization benefits
Additionally, the availability of customization will allow you to completely modify the overall appearance and feel of your home screen.
You can do things such as:
Set a custom wallpaper that can truly bring your branding to the fore. Or, you could use the custom wallpaper as a visual indicator to distinguish various devices.
You can relocate applications to the home screen so you have your important and most frequently used apps in a place that facilitates easy access. Not only that, but this can help you design a setup that is consistent across devices for your users.
Those who may have plenty of apps on the home screen can easily simplify things by categorizing apps into specific folders.
Because devices can have varying screen sizes, you’ll also get the option to modify the size of apps and folders appearing on the home screen.
To get even quicker access to vital app data, you can add custom widgets to the home screen.
When a device is inactive, you can set a screen saver to hide the home screen.
Dedicated devices
We just mentioned that Managed Home Screen is usable on devices enrolled into Intune as Android Enterprise dedicated devices. But, what exactly are ‘dedicated devices’? This term simply refers to corporate-owned devices not associated with a particular user. Additionally, these devices will normally be in use for performing specific tasks.
So, if you want to enroll Android devices with no user-affinity then this option will suit you. However, it’s also important to note that Intune’s Android Enterprise dedicated device solution will require that the devices run Android OS 8+ and be able to connect to Google Mobile Services (GMS).
Setting up Managed Home Screen
Setting up your device with Managed Home Screen is a process that will take several steps. But, once you have a device that meets the requirements, you can begin.
Setting up an Intune enrollment profile and device group
Start by creating an enrollment profile to generate an enrollment token first, and attach it to a device group. In the Endpoint Manager admin center, navigate over to Devices > Android > Android enrollment > Corporate-owned dedicated devices. You’ll need to fill in the Name but filling in the Description is optional. After this, select Type. Be sure to select Corporate owned dedicated device with Azure AD shared mode if you expect that your devices may require users to access M365 applications, other App Protection Policies, or Conditional Access policies. When everything’s done, click Create.
CREATING A DEVICE GROUP
Head over to Groups > All groups > New group. You’ll need to fill in the Group Name but filling in the Group Description is optional. Make sure that the Group type is set to “security”. Then, proceed to change Membership type to Dynamic device, after which you need to Add a dynamic query. By using dynamic queries, you can have your device automatically added to a group based on the property of your choice.
Approve and assign Managed Home Screen and MORE Managed Google Play apps
This next step will ensure that the Managed Home Screen successful downloads and installs on your enrolled devices. It should also automatically launch. You’ll find Managed Home Screen already synced in the console when you venture over to navigate Apps > All apps as soon as you have linked your Intune and Managed Google Play accounts. After that, you can:
Click Managed Home Screen.
Select Properties>Assignments (edit).
Add your device group from Step 2 officially to the Required assignments.
Save.
If you want to add public, private, or web applications, go ahead and stay in Apps > All apps and choose “add.” Navigate to Select app type and choose Managed Google Play app.
Manage Android Enterprise system apps
One thing that you will notice is that system applications will often disable by default upon enrollment. To enable these applications and show the icon on the device, you start by heading back to Apps > All apps in Intune and selecting Add in the top left corner. After choosing Select, proceed to fill out the App information, and assign it as “Required” or “Uninstall” to the group that you created in Step 2. At this point, you can select “Required” if you want the application to be available on the device or “Uninstall” if you prefer that it remain hidden on the device.
Creating a device configuration profile
Having this profile is crucial because it enables you to not only configure device-level behavior but to configure kiosk mode as well. To begin the process, navigate to Devices>Configuration profiles>Create profile. Next, go to Platform, and select “Android Enterprise.” With that done, head to Profile and select “Device restrictions” beneath “Fully Managed, Dedicated, and Corporate-Owned Work Profile.”
After this, select Create,and then you need to fill in the Name of your profile but filling in the Description is optional. Once everything is ready you can select Next.
Creating an app configuration profile
Be mindful that this step is completely optional. Once you have completed the steps already given above, you will be ready to enroll your devices. So, this step is ideal for those who want to learn how to utilize all the available Managed Home Screen features. Additionally, this step will help you to configure the complete list of features that Managed Home Screen has to offer.
In the Endpoint Management admin center, head over to Apps>App configuration policies>Add>Managed devices. Then, you need to fill in the Name and as with other sections, the Description is optional. Select Android Enterprise for platform, Fully Managed, Dedicated, and Corporate-Owned Work Profile Only for profile type, and Managed Home Screen for targeted app. As soon as you are ready to continue, select Next.
A. Using configuration designer to setup Managed Home Screen features
Choose Use configuration designer from the Configuration settings format drop-down menu. Select Add to open a panel with all the available Managed Home Screen configuration keys. Choose the configuration keys that you want to edit and then click OK. All the configuration keys have default values and if you want to modify a configuration value, hover over and then interact with each row under the “Configuration value” column. Click Next as soon as all the necessary changes have been made.
Navigate to the Assignments page under Included groups, choose Select groups to include, next and pick the device group you created in the second step. You can review by clicking Next, and once set, click Create.
B. Using JSON data to setup Managed Home Screen features
You can complete the configuration of the home screen by using JSON to create your folders, add widgets, and order items. If you need to edit your existing app configuration profile, you can do so by clicking on the policy you just created in Apps > App configuration policies. After that, select Properties > Settings (Edit). Choose Enter JSON data from the Configuration settings format drop-down menu. You should be able to see all your existing configurations in JSON format.
B.1. Add a managed folder to your home screen
You can organize your home screen better by creating a folder that you get to manage. This is something that you can only do using JSON data format in an app configuration policy. You’ll need to add the JSON snippet below in where feature configurations go:
Replace “PLACEHOLDER_FOLDER-NAME” with a name of your choice.
Replace “PLACEHOLDER_APP-PACKAGE-NAME” with the package name of the app that you want to put inside your folder. You have the option to add as many apps as you want.
B.2. Configure custom ordering of items on the home screen
A few things will happen if you want to create a custom ordering of items on the home screen. These include:
Apps, widgets, and folders should already be added to your home screen allow-list.
The home screen should be locked because this ensures that a user cannot make changes by moving things around themselves.
A grid size for all your home screen pages should be set.
App ordering mode should be enabled.
At this point, you can set the position of an item to an assigned grid position. Note that the positions will read from smallest to largest from left to right and then top-to-bottom.
DEVICE ENROLLMENT
As already alluded to earlier, devices should be running Android OS 8+ and run with Google Mobile Services (GMS). As soon as a device is ready, you can enroll from a factory-reset state using:
Near Field Communication
Token entry
QR code scanning
Google’s Zero Touch Enrollment
Samsung’s Knox Mobile Enrollment
User credentials are not necessary during enrollment or provisioning because these dedicated devices are not user-associated. Select the type of enrollment that you want and follow the instructions given in this section.
COMPLETION OF SETUP
After the setup process finalizes, you’ll find yourself on the device’s home screen. Then, the device will proceed to sync policies with Intune after which apps will begin to download and install on the device. And after Managed Home Screen has been installed, it will auto-launch and show you all your configurations.
Improvements to Managed Home Screen
Pursuant to the feedback that Microsoft received from its clients, some eye-catching new design changes have been made to the app to optimize usability. However, these new features are only available on the updated experience.
Although, you can look forward to an improved user experience, Microsoft has not made any intentional changes to feature support and you can expect only minor changes in current functionality such as:
You’ll no longer see the company logo on the Session PIN screen, but you will still have it on the home screen.
Swiping down will no longer give you access to the Managed Home Screen settings.
Addition of the top bar
A top bar is now available to the Managed Home Screen page with the intention of simplifying access as well as to enable quick access to device-identifying information. This top bar can configure as necessary and thus allows for the display of two descriptive elements.
IT administrators can decide between serial number, device name, and tenant name for the top and bottom element in situations where the device is not configured with sign-in. On the other hand, if the device is configured with sign-in, the top element will display the signed in user’s name.
Easily discoverable settings and sign out button
Another benefit of the top bar is that it enables quick navigation to settings as well as the sign-out button. However, for the latter, this is only possible when sign-in is configured. If you go to the upper right-hand corner of the top bar, you’ll now find a settings wheel icon.
When a user taps this icon, they’ll see which settings the IT administrator has selected to reveal to them within MHS settings. One thing to note with the updated experience is that swiping down on the device will no longer give you access to settings.
You can now find the Settings icon located on the top bar by default. IT admins get to decide which settings a user can configure or disable it altogether by enabling or disabling the configuration key “Show managed settings”. There are a couple of situations in which the Settings icon will still display, and these are:
When a user is signed in, the Settings icon is available to view the user’s profile information.
When device permissions are required but no user is signed in, the Settings icon will be available for the user to grant permissions. Moreover, you won’t see any additional settings unless configured.
Updated permissions flow
Updating the permissions granting flow has been necessitated by the desire to ensure that device users do not miss essential permissions. Upon launching MHS initially, a dialogue will appear requesting users to grant any required permissions. Users can get to the settings screen where the required settings will be clearly laid out by tapping either the message or the settings wheel.
By tapping on the message, users will be redirected to the correct page in the Android settings page to grant the permission that is needed for the functionality of all configurations that are set by the IT administrator for Managed Home Screen.
In the event a user rejects the permission, a message will then be displayed on the screen and a red dot will appear on the settings app icon. Ultimately, this update to the permissions flow has been designed to prevent permissions from being missed and to optimize the functions of Managed Home Screen.
Enhanced troubleshooting features
Managed Home Screen is helping to simplify the process of troubleshooting device issues. The new features that have been introduced will give users access to a debug menu, which includes the pages for Get Help, Exit Kiosk Mode, and About.
Users can now go to the Get Help page and easily upload logs. In addition, users can also view Management Resources, allowing them to launch adjacent management apps whenever necessary.
And if you want important information on Managed Home Screen, including the privacy statements, accessibility statements, and third-party configurable compliance links, if enabled, you’ll easily find it on the About page.
The updated debug menu can only appear within settings after an IT admin has configured easy access to the debug menu. Without this action, users will need to tap the back button 15 times to unhide the debug menu.
Start using the updated experience
To begin using the updated experience, you need to follow the steps given below:
Start by verifying that the target devices are running version 2.2.0.91169 or higher of Managed Home Screen.
Within the Intune admin center, head over to Apps > App configuration policies > Add > Managed devices. (And if you already have an app configuration policy in place for the target devices, you can skip the next step)
Filling in the Name will be required, but the Description is optional. Select Android Enterprise for platform, Fully Managed, Dedicated, and Corporate-Owned Work Profile Only for profile type, and Managed Home Screen for targeted app. When everything’s done, click Next.
To configure your settings, you can use either configuration designer or JSON data. Navigate to the Configuration settings format drop-down menu, and select Use configuration designer . Choose Add and this will open the panel with the available Managed Home Screen configuration keys.
Next, you need to choose the configuration key Enable updated user experience and switch it to True. For those using JSON data, they need to add the key and value below:
“key”: “enable_updated_user_experience”,
“valueBool”: true
Lastly, head over to the Assignments page and look under Included groups. Then, you need to choose Select groups to include and select the device group that you want to include in the public preview. You can review by clicking Next, and once all is set, click Create.
Another important thing to note is that this updated experience only works on the newest version of the Managed Home Screen application. So, you need to turn on the updated app experience and then verify that your devices are running the latest version of Managed Home Screen. If everything is in order, you should expect to see the updated workflows on the device.
Wrap up
Technology has been improving at a lightning speed and an ever-increasing pace for a long time now. The devices available to us, the operating systems, as well as the countless applications, have all gotten significantly better. So, it’s not surprising that businesses want platforms that can empower their workers to operate more efficiently and thus be more productive.
With Managed Home Screen, Microsoft offers its clients a tool that will do that and more. Businesses can get a tool with a lot of great features that will help users to get more from the available technology while eliminating time-consuming distractions.
And as updates like the ones we discussed today continue to be developed, MHS users can look forward to even more improvements that will optimize workflows and enhance their interaction with Intune.
Many businesses are increasingly adopting mobile devices, such as phones and tablets, as standard tools for their employees. As these devices become more powerful and technologies like 5G become more available, it makes perfect sense for businesses to take advantage if it makes their employees more productive. That’s where device management comes into play.
This has seen many organizations start to implement bring-your-own-device (BYOD) policies as the changes to traditional workplaces pick up momentum. However, there will be a need for effective device management solutions that can reduce the burden on IT staff while simultaneously enhancing the end-user experience.
Solutions such as Apple’s new approach to device management called Declarative Device Management (DDM). Products like these are heralding the future of device management by offering a great array of new features.
What is Declarative Device Management?
Declarative management represents the future of device management. As a relatively new offering from Apple, Declarative Device Management is a transformative update to the protocol. And it brings policy management to devices.
This solution enables devices to be autonomous and proactive. It can also be used together with the existing MDM protocol capabilities. One of the main advantages of having autonomous devices is that they can react to state changes. They then apply management logic to themselves without needing action from the server.
As a result of all this, you’ll get greater performance and increased scalability, which will help keep your organization’s devices running at optimum levels. The ability for devices to be autonomous as well as proactive are the key elements that make declarative management the ideal solution going forward.
Furthermore, declarative management works in a way that keeps devices in the best possible state. It does so, keeping important data secure, regardless of whether or not you have an internet connection. This allows users to have a more responsive experience that can help improve their efficiency.
And to assuage any concerns customers may have, Apple assures clients that although this may be a new offering, the protocol is not. The declarative functionality that is being offered has been built into existing MDM protocols.
Therefore, customers can expect to have access to a device management service that will streamline all management processes. And it improves the experience not only for end-users but for IT admins as well.
Requirements
As with any product, there are minimum requirements to consider if your organization wants to have access to Declarative Device Management.
Operating System
Versions Supported
macOS
Ventura 13 and later
iOS
15 for user enrollment only and 16 and later for all enrollment types
iPadOS
15 and later
tvOS
16 and later
watchOS
10 and later
Advantages of DDM
Probably the biggest benefit that users stand to gain from DDM is the improvement in device performance. With the main features on offer, devices can act proactively and more autonomously. This means that any actions requiring implementation will execute faster because there is no waiting for the server. Because of this efficiency, you should expect to have far more accurate device information that will also report back much faster.
This improvement in how devices run will also be a welcome change for IT admins. With certain actions being automated, administrators will have more time to prioritize and focus on more productive tasks. And all of this happens in a highly secure environment meaning taking advantage of these benefits will not come at the cost of data and device security.
Core data models
Declarative management comes with three main core data models, and these are as follows:
DECLARATIONS
Declarations refer to the payloads that servers define, forward to devices, and represent the state or behavior that businesses want for their devices. There are four types of declarations:
Declaration Type
Description
Configurations
Not dissimilar to what we’ve already been using for the application of settings and restrictions on devices.
Assets
Refers to the reference data that configurations need for large data items and per-user data.
Activations
Group of configurations that are automatically applied to a device. Activations and configurations have a many-to-many type of relationship. Another thing to note is that activations can support complex predicate expressions using an extended predicate syntax.
Management
The role of management is to transmit to the device key information about the organization as well as details about the MDM solutions.
STATUS CHANNEL
The status channel is a key means of communication in declarative management. And it is responsible for conveying information when the state of the device changes. When these changes occur, the device will proactively update the server via status reports containing details of the update. An important thing to note is that the server can be configured to subscribe only to specific status items meaning it will receive only the updates it considers necessary.
EXTENSIBILITY
Extensibility enables organizations to better tailor declarative management to meet their business needs. This feature gives you the flexibility of integrating with other products so that end-users have the best possible options available. What this gives you is a platform that enables both devices and MDM servers the ability to support new features as and when they release.
Introducing DDM to your organization
How to manage the transition to DDM
One of the goals with tech products and services is that the companies developing them should design them to be relatively easy to use if you want to draw in customers. To that end, the transition to declarative device management is much easier because the MDM protocol has various functions.
For instance, you will be able to embed existing profiles into a legacy profile declaration. Another good example would be how you can have an MDM solution take ownership of a profile that has already been deployed and subsequently migrate it into a legacy configuration declaration. The advantage of this action is that it eliminates the need to remove an existing profile to replace it with a configuration that may not be suitable for the user.
Integration of declarative management within the MDM protocol
Part of what makes Declarative Device Management such a great option is how it integrates into the MDM protocol. Not only that, but existing MDM vendors already have access to the features that are on offer.
The significance of integration within the MDM protocol is that declarative management will leverage it for the management of key areas including both enrollment and unenrollment, HTTP transport, as well as device and user authentication.
Moreover, DDM intends to make the transition from existing MDM products as seamless as possible. This means that you don’t have to worry about dealing with disruptive changes to adopt new protocols.
To add to the convenience, you’ll also find that declarations and the status channel will coexist with your existing MDM commands and profiles. By setting it up this way, DDM gives organizations the flexibility to adopt declarative management features at their own pace.
Because of this, you won’t need to immediately update all of your MDM workflows. Another very important thing to note is that declarative management will not affect existing MDM behaviors. What you’ll actually find is that declarative management utilizes existing MDM behaviors using an MDM command for activation and an MDC CheckIn request for synchronization and status reports.
Activating declarative management
We’ll start with a DeclarativeManagement command addition to MDM. This command has two roles that it will play. Firstly, it will activate the declarative management features on a device. Before proceeding with this, however, you need to know that you won’t be able to turn off declarative management once you’ve turned it on. But, you do get a way out of this if the need arises. By having the server remove all declarations, this action will, for all intents and purposes, disable declarative management.
The second thing the command can do is include a payload containing synchronization tokens that will initiate a synchronization flow if necessary. Additionally, there is a new CheckIn request type that devices use to synchronize declarations and send status reports to the server. And the server will give you a response when you use the CheckIn request to synchronize declarations. You can get two types of responses which are:
A manifest that lists the identifier and server token properties of all declarations defined by the server.
Single declarations for the device to apply.
Improved management enhancesBYOD
Most of us may have noticed over the last few years that Bring-Your-Own-Device (BYOD) policies are growing in popularity across various business sectors. Similar to declarative management, BYOD can help organizations make better use of the technology available to them and improve the efficiency of their employees.
But, one thing you’ll be quick to notice about employees using their personal devices to connect to enterprise networks is that it can drastically reduce an organization’s capital outlay for devices. And as management solutions continue to get better, the security concerns that you might have about personal devices accessing sensitive corporate data are being addressed.
However, even with the potential financial gains, adopting BYOD policies would still be a difficult sell without effective management services available. This is why services such as Microsoft Intune’s web-based device enrolment for iOS/iPadOS are bringing new features to the table.
What this service will do is eliminate the need for the Company Portal app thereby providing a faster enrollment process that also delivers an improved user experience. Your life as an MDM admin should get somewhat more comfortable given that you’ll now be able to enroll personal devices in Microsoft Intune without users having to first install additional apps.
App or web–based enrollment
Microsoft Intune simplifies device enrollment for Apple users through the availability of Apple device enrollment. This service provides key iOS/iPadOS management capabilities for users in the Microsoft Intune admin center without compromising the security of personal data. When it comes to device enrollment, there are two options: app-based enrollment and web-based enrollment. So, if you navigate to the Intune admin center, the device enrollment options you’ll see are:
Device enrollment with the Company Portal
Web-based device enrollment
You’ll need to create an enrollment profile in the admin center to select and configure enrollment types. To do that:
Navigate to Devices > iOS/iPadOS > iOS/iPadOS enrollment
Select Enrollment types.
To simplify the process of Microsoft Entra registration within the employee’s work apps and reduce the number of times they have to authenticate, web-based enrollment will leverage just-in-time (JIT) registration with the Apple single sign-on. JIT registration in enrollments can be enabled by creating a device configuration profile with an SSO app extension policy. But, Intune clarifies that using JIT registration with web-based enrollment is not mandatory but it is highly recommended if you want a better experience for end-users.
EXPLAINING JUST-IN-TIME REGISTRATION
According to Microsoft Intune:
“Just in Time registration within the enrollment flow is an improvement to the Setup Assistant with a modern authentication enrollment method since it no longer requires the Company Portal app for Azure Active Directory (Azure AD) registration or compliance checking.”
The overall goal of JIT registration is to streamline the process for users by eliminating the Company Portal requirement which by extension removes some of the complex steps that users have had to deal with. By using JIT registration, all users will need to do to enroll their iOS devices is sign in with their corporate credentials.
To successfully complete the enrollment process, users must sign in with their corporate credentials. Doing this will authenticate them via Entra ID and automatically register their device with Intune. Setting up just-in-time registration requires your business to have an active Apple Business Manager or Apple School Manager account as well as devices that are eligible for JIT registration. Additionally, network settings will need configuration accordingly for enrolled devices and Intune to communicate. In the table below, you’ll find the details concerning web and app enrollment:
Specification
App-based enrollment
Web-based enrollment
Supported version
iOS/iPadOS 14 and later
iOS/iPadOS 15 and later
BYOD and personal devices
Yes
Yes
Device associated with a single user
Yes
Yes
Device reset required
No
No
Enrollment initiated by the device user
Yes
Yes
Supervision
No
No
Just-In-Time registration
No
Yes
Required apps
Intune Company Portal app for iOS Microsoft Authenticator
Microsoft Authenticator
Enrollment location
App-based enrollment takes place in the Company Portal app, Safari, and device settings app.
Web-based enrollment takes place in Safari and the device settings app.
Setting up web-based enrollment
Web-based enrollment is designed to speed up the enrollment process and give users a more user-friendly experience. Because users can do all they need to in Safari and in their device settings, the Company Portal app will no longer be required.
Furthermore, once you have enabled JIT registration, Intune can use it with the Microsoft Authenticator app for registration of the device and SSO thus eliminating the need for users to sign in constantly during enrollment and when accessing work apps. To set up web-based enrollment, you’ll need to follow the steps below:
Set up just-in-time registration
Before proceeding, you’ll need to verify that you meet the requirements:
Apple user enrollment: Account-driven user enrollment
Apple device enrollment: Web-based device enrollment
Apple automated device enrollment: For enrollments that use Setup Assistant with modern authentication as the authentication method.
Once you’ve checked the requirements, you can now proceed to create an SSO app extension policy that uses the Apple SSO extension to enable JIT registration. With that done, follow the steps below:
Sign in to the Microsoft Intune admin center.
Navigate to Device features > Category > Single sign-on app extension. Here you need to create an iOS/iPadOS device configuration policy.
Select Microsoft Entra ID for SSO app extension type.
For any non-Microsoft apps using SSO, you must add the app bundle IDs. Because the SSO extension is automatically applied to all Microsoft apps, it’s better not to add Microsoft apps to your policy. This way you can stay away from authentication issues. Also, note that the Microsoft Authenticator app will be later added in an app policy so you should avoid adding it to the SSO extension as well.
Under Additional configuration, add the required key-value pair. For JIT to work properly, you must eliminate trailing spaces before and after the value and key.
Microsoft Intune also recommends that you add the key-value pair that enables SSO in the Safari browser for all apps in the policy. And similar to the previous step, you’ll need to eliminate trailing spaces before and after the value and key for JIT to work properly.
For Assignments, you must assign the profile to all users (or designate specific groups), then select Next.
You can now go and review your choices on the Review + create page. With everything done, select Create to finish creating the profile.
Lastly, you need to head over to Apps > All apps and assign Microsoft Authenticator to groups as a required app.
Create enrollment profile
An enrollment profile is necessary for all devices enrolling via web-based device enrollment. Once created, this profile will initiate the device user’s enrollment experience thereby allowing them to begin enrollment in Safari.
Navigate to Devices > Enrollment in the Intune admin center. Select the Apple tab.
Select Enrollment types (preview) under Enrollment Options.
Select Create profile > iOS/iPadOS.
Go to the Basics page and type in a name and description for the profile. This allows you to distinguish this profile from others in the admin center. Select Next.
Navigate to the Settings page, for Enrollment type, select Web based device enrollment. Select Next.
Head over to the Assignments page and assign the profile to all users or a group of users. Select Next.
You can now go and review your choices on the Review + create page. With everything done, select Create to finish creating the profile.
PREPARING EMPLOYEES FOR ENROLLMENT
Employees will be alerted by the app as to the enrollment requirements when they try to sign in to work apps on their personal devices. They will then be redirected to the Company Portal website for enrollment. The other option would involve you giving users an URL that opens the Company Portal website. For those not using Conditional Access, you’ll need to remember to share the enrollment link with device users so that they know how to initiate enrollment. The enrollment steps for device users are as follows:
Open Safari and sign in to your Company Portal website with your work or school account.
Next, you should get a prompt to download the management profile and this will be downloaded by the Company Portal while you wait in Safari.
Navigate to your device settings app to view and install the management profile.
Signing in to a work or school app can only happen after the Microsoft Authenticator is installed. The device will only be ready for use after this installation.
Now you can use your work account to sign in to a work app, such as Microsoft Teams.
You’ll then need to wait while the app identifies the required setting updates.
Wrap up
The future of device management lies in the integration of the best products and services that are available to customers. Often, we can get caught up debating which tech company offers the best services to meet our needs. But, as we are seeing with Microsoft Intune and Apple device management solutions, bringing together great products to coexist can deliver far more for the end-users.
Declarative management looks like a brilliant solution that is going to deliver a seamless user experience that could improve productivity. It’s therefore no surprise that when combined with what Microsoft Intune has to offer, businesses can look forward to better, faster, and more efficient device management.
Microsoft has given us countless different products and services over the last few decades. Undoubtedly, we know the important role they have played for individuals and businesses on the journey towards utilizing technology to better our lives. When looking at the Microsoft ecosystem, one of the best examples of undeniable excellence is the Microsoft Intune family of products.
With this product, Microsoft gives you an integrated solution that enables you to seamlessly manage all your devices. Central to this solution is the single console that we know as the Microsoft Intune admin center which brings together Intune and Configuration Manager.
The capabilities of this platform can offer your organization a premium device-management solution like no other. The area that we want to focus on today will have to do with the troubleshooting of tenant attach and device actions.
Comparing Tenant Attach to Co-management
For a lot of people, it may be difficult to distinguish between these two. So, let’s start by looking at where these two options differ. Both of these make up two of the three primary cloud attach features. For a Configuration Manager environment to be cloud-attached, it has to use at least one of the three primary cloud attach features.
Tenant Attach gives you the advantage of having your device records in the cloud as well as the ability to take actions on these devices from the cloud-based console. IT admins can perform remote actions on tenant-attached devices such as sync machine policy, sync user policy, run scripts on clients, deploy applications, and much more.
Furthermore, users will be able to manage endpoint security for the attached devices from the Intune admin center for both Windows Servers and Client devices.
On the other hand, Co-management is going to modify your on-premises Configuration Manager environment without the need for a significant migration effort.
One of the more attractive features of Co-management is how it allows you to easily switch workloads such as compliance policies from SCCM to Intune. By enabling you to manage workloads from the cloud, your organization gets to benefit from a simpler device management experience.
Tenant Attach prerequisites
To make use of Tenant Attach, you will need to meet the following requirements:
When you decide to apply this onboarding change, you’ll need to sign in using an account that is a Global Administrator.
An Azure cloud environment.
With version 2107, United States Government customers will be able to use tenant attach features in the US Government cloud such as account onboarding, tenant sync to Intune, device sync to Intune, and device actions in the Microsoft Intune admin center.
The Azure tenant and the service connection point must have the same geographic location.
To access the Microsoft Intune admin center, there needs to be at least one Intune license for the administrator.
The administration service in Configuration Manager needs to be functional.
If your central administration site has a remote provider, you need to follow the instructions for the CAS has a remote provider scenario in the CMPivot article.
PERMISSIONS
In addition to the above, there will also be a few requirements for the user accounts performing device actions and these include:
The user account should be a synced user object in Microsoft Entra ID (hybrid identity).
The Initiate Configuration Manager action permission under Remote tasks in the Microsoft Intune admin center.
The troubleshooting process
Now and again, all of us will encounter issues with the products and services we use. That’s why it’s important to work with providers that offer great support services so that we avoid downtime. Microsoft puts a lot of effort into ensuring that customers get as much support as they need for the various products in its ecosystem. Understandably, tenant attach is no different.
At this point, most admins should be aware that you can sync Configuration Manager clients to the Microsoft Intune admin center. And from that admin center, some client actions can run on the synchronized clients.
These available actions include the sync user policy, sync machine policy, and app evaluation cycle. After an administrator runs an action from the Microsoft Intune admin center, the notification request will forward to the Configuration Manager site. And from there, it will forward to the client.
LOG FILES
The logs you need to use will be found on the service connection point and these are:
CMGatewaySyncUploadWorker.log
CMGatewayNotificationWorker.log
You should also use the logs located on the management point:
BgbServer.log
Lastly, there are other logs that will be found on the client:
CcmNotificationAgent.log
Review your upload
You’ll need to follow the steps given below:
Open CMGatewaySyncUploadWorker.log from <ConfigMgr install directory>\Logs.
You will see the next sync time recorded in a log entry similar to this format Next run time will be at approximately: 02/28/2024 10:15:30.
The log entries that you should look at for device uploads should be something like this Batching N Records. In this instance, N represents the number of changed devices uploaded since the last upload.
Admins should expect uploads every 15 minutes for changes. However, once that is done, they will probably need to wait up to 10 minutes to view the client changes appearing in the Microsoft Intune admin center.
Configuration Manager components and log flow
SMS_SERVICE_CONNECTOR: Will utilize the Gateway Notification Worker to process the notification from the Microsoft Intune admin center.
SMS_NOTIFICATION_SERVER: Receives the notification and subsequently creates a client notification.
BgbAgent: The client gets the task and runs the requested action.
SMS SERVICE CONNECTOR
Following the initiation of an action from the Microsoft Intune admin center, the CMGatewayNotificationWorker.log will process the request.
Received new notification. Validating basic notification details…
At this point, you should be expecting a task to be sent from the management point to the corresponding client as soon as the message has been forwarded to the SMS NOTIFICATION SERVER. In the BgbServer.log, which is on the management point, you should see the following:
Get one push message from database.
Starting to send push task (PushID: 7 TaskID: 8 TaskGUID: A43DD1B3-A006-4604-B012-5529380B3B6F TaskType: 1 TaskParam: ) to 1 clients with throttling (strategy: 1 param: 42)
BgbAgent
The last step will occur on the client and you can view it in the CcmNotificationAgent.log. As soon as the task has been received, it will then request the scheduler to carry out the action. And once the action has been carried out, a confirmation message will appear:
Receive task from server with pushid=7, taskid=8, taskguid=A43DD1B3-A006-4604-B012-5529380B3B6F, tasktype=1 and taskParam=
In this section, we’ll take a look at some of the issues that admins may often encounter.
Unauthorized to perform client action
For whatever reason, there may be situations where administrators may not have the required permissions in Configuration Manager. If that happens, you’ll see an Unauthorized response in the CMGatewayNotificationWorker.log.
Received new notification. Validating basic notification details..
Administrators should verify that the user running the action from the Microsoft Intune admin center has all the necessary permissions on the Configuration Manager site.
Known issues
Data synchronization failures
When there are issues with the hierarchy onboarding configuration, you may end up facing challenges with viewing the tenant attach details in the Microsoft Intune admin center. This could potentially happen in situations where onboarding a hierarchy that has already been onboarded occurs. However, you may also detect this issue from entries in the GenericUploadWorker.log and CMGatewayNotificationWorker.log files.
Workaround for data synchronization failures
Resetting the tenant attach configuration will require you to follow the steps below:
Offboard the hierarchy. If the tenant attach is already enabled, you need to disable device upload and offboard by editing the co-management properties.
In the Configuration Manager admin console, go to Administration > Overview > Cloud Services > Cloud Attach. (Select the Co-management node if it is version 2103 and earlier)
In the ribbon, select Properties for your co-management production policy.
Next, you need to remove the Upload to Microsoft Endpoint Manager admin center selection from the Configure upload tab.
Once everything’s completed, select Apply.
You need to give the service about 2 hours to clean up the existing record. Once the above has been completed, you can onboard the hierarchy again.
Example errors in log files that require resetting the tenant attach configuration
Errors for AccountOnboardingInfo and DevicePost requests in GenericUploadWorker.log
[GetNotifications] Response from https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification is: 401 (Unauthorized)
Response status code: 401 (Unauthorized) Activity ID: 4c536a72-fd7f-4d08-948a-3e65d2129e44
The remote server returned an error: (401) Unauthorized. at Microsoft.ConfigurationManager.ServiceConnector.ExtensionMethods.<GetResponseAsync>d__13.MoveNext()
Response in the web exception: {“Message”:”An error has occurred.”}
Errors for device actions in CMGatewayNotificationWorker.log
[GetNotifications] Response from https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification is: 401 (Unauthorized)
Response status code: 401 (Unauthorized) Activity ID: 4c536a72-fd7f-4d08-948a-3e65d2129e44
The remote server returned an error: (401) Unauthorized. at Microsoft.ConfigurationManager.ServiceConnector.ExtensionMethods.<GetResponseAsync>d__13.MoveNext()
Response in the web exception: {“Message”:”An error has occurred.”}
Specific devices don’t synchronize
Another issue that you may need to deal with has to do with specific devices, which also happen to be Configuration Manager clients, not being uploaded to the service. So, what devices should you expect to be potentially affected by this issue?
In scenarios where a device is a distribution point that uses the same PKI certificate for both the distribution point functionality and its client agent, then the device won’t be included in the tenant attach device sync.
Furthermore, administrators should look out for the behavior that is typical in such instances. During the on-boarding phase as you are going through the tenant attach process, a full sync will be carried out the first time.
You should be aware that any other sync cycles after this one will be delta synchronizations. If the impacted devices are updated in any way, that update will result in the device being removed from the sync.
When the Configuration Manager site is configured to require multi-factor authentication, most tenant attach features don’t work
More troubleshooting
If you find yourself in a situation where the SMS provider machine that communicates with the service connection point is configured to use multi-factor authentication, you won’t be able to install applications, run CMPivot queries, and perform other actions from the admin console.
Instead, you will get a 403 error code, forbidden. What you would normally do to address this is to configure the on-premises hierarchy to the default authentication level of Windows authentication.
The platform is designed to enable you to determine what the minimum authentication level should be for admins to access Configuration Manager sites. You should view this as a great feature for enhancing security because it means that admins have to sign in to Windows with the appropriate level before they can access Configuration Manager.
Authentication
Furthermore, this applies to all components that access the SMS provider. Configuration Manager supports a handful of authentication levels and these are as follows:
Windows authentication: Authentication with Active Directory domain credentials is necessary. Note that this setting represents the previous behavior, as well as the current default setting.
Certificate authentication. Authentication with a valid certificate that has been issued by a trusted PKI certificate authority is necessary. You also need to know that you don’t configure this certificate in Configuration Manager. Configuration Manager requires the admin to be signed into Windows using PKI.
Windows Hello for Business authentication: In this case, you need a strong two-factor authentication that’s linked to a device and also uses a PIN or biometrics. Before choosing this particular setting, you need to note that the SMS Provider and administration service will require the user’s authentication token to contain a multi-factor authentication (MFA) claim from Windows Hello for Business. In simple terms, all this means is that users of the console, SDK, PowerShell, or administration service are required to authenticate to Windows with their Windows Hello for Business PIN or biometric. If not done this way, the site rejects the user’s action. Another key thing to also remember is that this behavior is specific to Windows Hello for Business and does not apply to Windows Hello.
What to do when Configuration Manager components for tenant attach fail to connect to the backend cloud service
Another issue that some have encountered concerns the failure of Configuration Manager components for tenant attach to connect to the backend cloud service when you run a client action from the Microsoft Intune admin center. In those instances, you may see the error given below:
Failed to check and load service signing certificate. System.ArgumentException: Mismatch certificate subject name
According to the information available from Microsoft, this problem occurs in versions earlier than the Configuration Manager version 2203 hotfix rollup after a change in public certificates on July 27, 2022. The reason for this has to do with the change that came about in public certificates on July 27, 2022, where OU=Microsoft Corporation was removed from the public certificate.
Even though this change was carried out, the configuration manager database still retained the old subject name and this then caused the load check failure. Below are some example entries in the CMGatewayNotificationWorker.log file in the top-level site in the hierarchy:
Error occured when process notification with notification Id <notification Id>. Ignore the notification. SMS_SERVICE_CONNECTOR_CMGatewayNotificationWorker
Failed to check and load service signing certificate. System.ArgumentException: Mismatch certificate subject nameat Microsoft.ConfigurationManager.ManagedBase.CertificateUtility.ServiceCertificateUtility.VerifyCertificate(X509Certificate2 certificate, Boolean crlCheck, X509Chain& certificateChain, X509Certificate2Collection extraStore)
and at Microsoft.ConfigurationManager.ManagedBase.CertificateUtility.ServiceCertificateUtility.Reload()
at Microsoft.ConfigurationManager.ManagedBase.CertificateUtility.ServiceCertificateUtility.Exists(String thumbprint)
and at Microsoft.ConfigurationManager.ServiceConnector.AccountOnboardingWorker.\<RefreshServiceSigningCertificateIfNotExistsAsync>d__19.MoveNext()
ADDRESSING THE ISSUE
To address this challenge, there are a couple of methods that you can employ. The first thing you can do is to install the Configuration Manager version 2203 hotfix rollup if you happen to be running Configuration Manager version 2203.
However, if your version of Configuration Manager is a previously supported one, you’ll first need to upgrade to Configuration Manager version 2203. After doing that, you can proceed with the installation of the Configuration Manager version 2203 hotfix rollup.
In the update rollup for Microsoft Endpoint Configuration Manager current branch, version 2203, the following issues have been addressed:
Application approvals through email not working with a cloud management gateway due to a missing Microsoft Entra token.
Metadata revisions to previously published metadata-only updates not being synchronized to Windows Server Update Services (WSUS) as expected.
If a window happens to be left open for a few minutes, the task Sequence Editor running on Windows Server 2022 would fail to apply changes to a task sequence. After this happens, you would see the following message:
Error connecting to provider, smsprov.log may show more details.
In situations where the Client checking status frequency (minutes) value has been set below 60, the BitLocker compliance status will be temporarily inaccurate.
Admins have also experienced the incorrect removal of some users and their group memberships by the SMS_AZUREAD_DISCOVERY_AGENT thread of the SMA_Executive service in cases when the site server is configured with a non-US English locale. You’ll have have noticed the removals occurring when the discovery cycle runs after the 12th day of the month. Errors will be recorded in the SMS_AZUREAD_DISCOVERY_AGENT.log file at various times during the discovery cycle and they will be similar to the following:
ERROR: Encountered SqlException The conversion of a nvarchar data type to a datetime data type resulted in an out-of-range value.
2. ERROR: Exception message: [The conversion of a nvarchar data type to a datetime data type resulted in an out-of-range value.]
3. ERROR: Group full sync request failed. Exception: System.NullReferenceException: Object reference not set to an instance of an object.
More troubleshooting
When adding a CMPivot query as a favorite, it is split into two lines and characters are removed.
When searching Software Update Groups in the Configuration Manager console, the Name criteria is not an option.
Instead of the value you may have previously noticed, the Browse button for Content location in the properties for a deployment would return an empty location.
The implicit uninstall setting won’t be respected by an application that is targeted to a device collection but deployed in the context of the user.
Typing a Name value in the Create Orchestration Group wizard occurs at a below normal speed.
A misleading error message (false negative) is generated on a target distribution point that is co-located with a site server. You could expect to see this during content distribution from a parent site to a child site. In the distmgr.log, the false negative will appear in this format:
~RDC:Failed to set access security on \\<SiteServerFQDN>\SMSSIG$\<PkgID>.1.tar for package <PkgID> signature file
Conclusion
In some cases, unfortunately, both options involving installation of the Configuration Manager version 2203 hotfix rollup may not work to fix the above issues. For those situations, you’ll need to open a support ticket with the Configuration Manager support team.
From there, you’ll be able to get the appropriate assistance to resolve the problem in the supported version of Configuration Manager in your environment.
So much technological innovation is going on all around us that it can at times be overwhelming to keep up with everything. And mobile device management solutions are no different. Which of the solutions do you pick to ensure that your organization is using the best management solution? Difficult to say.
In fact, plenty of organizations opt for using multiple device management solutions at the same time. Although, there may be advantages to that, finding a single comprehensive solution to provide you with everything you need in a single package offers greater convenience. This is why I’ve decided to write this guide on Microsoft Intune, a solution that can optimize your IT operations to perform at unprecedented levels.
Before you begin
In the first blog of this Microsoft Intune series, I looked at the different stages of planning that you’ll have to go through if you want to have a seamless adoption of Microsoft Intune in your organization. As one would expect, adopting any new technology will bring with it a few teething problems hence the need for a plan that covers as many potential scenarios as possible.
Getting started
Some of the key areas of consideration include:
Have your goals clearly itemized. This includes concerns about data security, device protection, access to organizational resources, and other objectives.
Creating a complete inventory of all the devices in your organization that will have access to company resources. So, this would include both organization-owned and personal devices as well as information about the platforms they are running.
You’ll also need to look at all potential costs and licensing. There will probably be some additional services and programs that you’ll need so all these will need consideration.
You probably already have existing policies and infrastructure that your organization relies on. However, all these will require reviewing when thinking of moving to Intune. This is because you may need to develop some new policies.
With the above in place, you need to determine a rollout plan that has pre-defined objectives and can ensure that the rollout proceeds as smoothly as possible.
As you introduce Intune to your organization, you cannot ignore the value of communicating with your users. People in your organization need to understand what Intune is, what value it will bring to your organization, and what they should expect.
Lastly, it’s crucial that you fully equip your IT support and helpdesk staff. You can do this by involving them in the adoption process from the early stages. Therefore, it enables them to learn more about Intune and gain invaluable experience. With the skills that they acquire, they’ll be able to play important roles in the full rollout of Microsoft Intune as well as help in the swift addressing of any potential issues that arise.
Design creation
After you go through your planning phase, you can start to look at creating a specific design for your organization’s Microsoft Intune setup. Coming up with a design will require you to review all the information already collected throughout the planning phase.
This is going to allow you to put together information on your existing environment. This includes the Intune deployment options, the identity requirements for external dependencies, the various device platform considerations, as well as the delivery requirements. One of the great things about Microsoft Intune is that you don’t need to worry about significant on-premises requirements to use the service.
However, having a design plan is still a good idea because it allows you to have a clear outline of the objectives that you want to achieve so that you can be certain about choosing the management solution.
Assessing your current environment
A logical place for you to begin your planning is with your current environment. Having a record of this environment can help to further clarify where you currently are and what the ultimate vision is. This record can also serve you well during the implementation and testing phases. There you can make numerous changes to the design.
Recording the environment
There are several methods for recording your existing environment such as:
Identity in the cloud – you can note if your environment is federated. Additionally, you can determine MFA enabling. Also, which of Azure AD Connect or DirSync do you use?
Email environment – you need to record what email platform you currently use. Also consider if it is on-premises or on the cloud. And if you’re using Exchange, for instance, are there any plans for migrating to the cloud?
Mobile device management solutions – you’ll need to go over all the mobile device management solutions (MDM) currently in use. Also consider what platforms they support. It’s also important to note down which solutions you’re using for corporate as well as BYOD use-case scenarios. Additionally, it’s useful to have a record of who in your organization is using these solutions, their groups, and even their use patterns.
Certificate solution – note whether or not you have implemented a certificate solution, including the certificate type.
Systems management – have a detailed record of how you manage your PC and server management. This, means you have to note what management platform you are using, whether it’s Microsoft Endpoint Configuration Manager or some other third-party solution.
VPN solution – you should note what you’re currently using as your VPN solution of choice. And if you’re using it for both personal devices and organization-issued devices.
Note to consider
In addition to having a detailed record of your current environment, it’s also important to not forget any other plans in the works. Or consider those on the docket for implementation. Especially if they could affect what you have already noted down in the record of your environment. For instance, your record could show that multi-factor authentication is off. Still, you could be planning to turn it on in the near future so you’ll want to highlight this coming change.
Intune tenant location
The location where your tenant will reside is extremely important to decide before making the decision to subscribe to Microsoft Intune. And this is especially so for organizations that operate across different continents. The reason why it’s so important to carefully think this through, is that you’ll need to choose the country/region when you are signing up for Intune for the first time. After you have made your selection, you won’t have the option to change your decision later on. The regions that are currently available for selection include North America, Europe, the Middle East, Africa, as well as Asia and Pacific.
External dependencies
When we talk about external dependencies, we are referring to products and services that are not part of the Intune package. But they may be part of the prerequisites to use Intune. In addition, they could also be elements that can integrate with Intune. Given how integral external dependencies may be to your use of Intune, you’ll need to have a comprehensive list of any and all requirements. Make sure they’re for these products and services as well as the instructions for their configuration.
Below we’ll look at some of the more common examples of external dependencies that you will encounter:
Identity
Simply put, identity gives us the element through which we can recognize all the various users that belong to your organization as well as those enrolling devices. If you want to use Intune then you’ll need to be using Azure AD as your user identity provider. This comes with several advantages. One such benefit is enabling IT admins to enhance organizational security by controlling access to apps and app resources. Therefore, it’s easier to meet your access governance requirements. App developers will also benefit from the ability to leverage Azure AD APIs for creating personalized experiences using organizational data.
For those that are already using Azure AD, you’ll get the added convenience of continuing with the current identity that you have in the cloud. Not only that, but you also get the added benefit of Azure AD Connect. This happens to be the ideal solution for synchronizing your on-prem user identities with Microsoft cloud services. For organizations that already have an Office 365 subscription, the best scenario would be to ensure that Intune also uses the same Azure AD environment.
User and device groups
These groups play an important role as they are responsible for defining who exactly the target of a deployment will be. This will also include profiles, apps, and policies. It’s therefore important to come up with the user and device groups that your organization will need. And the best way to go about this may be for you to start by creating these groups in the on-premises Active Directory. And then once you have done this you can proceed to synchronize to Azure AD.
Public key infrastructure (PKI)
The role of PKI is to provide users or devices with certificates that will enable secure authentication to various services. So, when considering adopting Microsoft Intune you should be aware that it supports a Microsoft PKI infrastructure. Mobile devices can provide device and user certificates, so you meet all certificate-based authentication requirements. However, before you proceed with the use of certificates, you’ll need to verify a few things first:
Check whether or not you even need the certificates.
Check if certificate-based authentication provides support by the network infrastructure.
Lastly, you need to verify whether there are any certificates already in use in the existing environment.
For some, they may need to use these certificates with VPN, Wi-Fi, or e-mail profiles with Intune. But to do that, you first need to check if you have a supported PKI infrastructure in place. It needs to be ready for the creation and deployment of certificate profiles. Furthermore, when it comes to the use of SCEP certificate profiles, you have to decide how to host the Network Device Enrollment Service feature. Not only that, but you also need to determine how to carry out any communication.
Pre-requisites for devices
As you proceed with your design plan for Microsoft Intune, you’ll also need to turn your focus over to devices and the requirements. Expectedly, as with any management solution, there will be devices to consider. But there will also be platform considerations that will determine suitability for Intune management.
Device platforms and Microsoft Intune
One of the most important parts of the design plan is to consider the device platforms that will be supported by your chosen management solution. Therefore, before making the final decision about whether or not to go with Intune, you should create a complete inventory of the devices that will be in your environment. Then crosscheck whether or not they have proper support by Intune.
Understanding systems
The table below contains the supported configurations.
Operating systems
Android iOS/iPadOS Linux macOS Windows Chrome OS
Apple (For device enrollment scenarios and app configuration that you get via Managed devices app configuration policies, Intune will require iOS 14.x or later. The same requirement also applies to Intune app protection policies and app configuration.)
Apple iOS 14.0 and later Apple iPadOS 14.0 and later macOS 11.0 and later
Android (For device enrollment scenarios and app configuration that you get via Managed devices app configuration policies, Intune will require Android 8.x or later. However, for Microsoft Teams Android devices, support will continue so this requirement does not apply. And then for Intune app protection policies and app configuration delivered via Managed devices app configuration policies, the requirement is for Android 9.0 or higher.)
Android 8.0 and later (including Samsung KNOX Standard 3.0 and higher: requirements) Android enterprise: requirements Android open source project devices (AOSP) supported devices RealWear devices (Firmware 11.2 or later)HTC Vive Focus 3
Linux (It’s to be noted that Ubuntu Desktop already has a GNOME graphical desktop environment installed)
Ubuntu Desktop 22.04.1 LTS with a GNOME graphical desktop environment. Ubuntu Desktop 20.04 LTS with a GNOME graphical desktop environment.
Microsoft (Microsoft Endpoint Manager can still be used for the management of devices running Windows 11 the same as with Windows 10. Unless explicitly stated otherwise, assume that feature support that only mentions Windows 10 also extends to Windows 11. In addition, you should also note that configuring the available operating system features through MDM is not something that is supported by all Windows editions.)
Windows 10/11 (Home, S, Pro, Education, Enterprise, and IoT Enterprise editions) Windows 10/11 Cloud PCs on Windows 365 Windows 10 LTSC 2019/2021 (Enterprise and IoT Enterprise editions) Windows 10 version 1709 (RS3) and later, Windows 8.1 RT, PCs running Windows 8.1 (Sustaining mode) Windows Holographic for Business Surface Hub Windows 10 Teams (Surface Hub)
MicrosoftIntune-supported web browsers
Microsoft Edge (latest version) Safari (latest version, Mac only) Chrome (latest version) Firefox (latest version)
Devices
By using Microsoft Intune, organizations can manage mobile devices more efficiently in a way that can enhance the security of organizational data. This means that the risk of malicious activity is reduced. And users can thus work from a greater number of locations. One of the greatest benefits of device management solutions such as these is that they can be both cost-efficient and convenient. This is because they support a wide variety of device types and platforms.
As a result of this, organizations are less likely to need to invest in new devices. And users can utilize the personal devices they already own in BYOD scenarios. With all this, however, it’s even more important for you to come up with a comprehensive template detailing what device types, OS platforms, and versions you will allow to have access to your organization’s resources.
Device ownership
As already mentioned, Microsoft Intune offers support for a wide variety of devices. And these devices can either be personal or organization-owned. When devices are enrolled via a device enrollment manager or a device enrollment program, they fall under the category of organization-owned devices. So, for instance, all devices that you enroll using the Apple Device Enrollment Program will categorize as organizational devices. Subsequently they will add to the device group, which will receive organizational policies and applications.
Bulk enrollment
As an organization, when enrolling a large number of devices into Intune, the process is simplified by the availability of a bulk enrollment feature. This feature provides you with a quick and easy way of setting up a large number of devices for management. A few use case examples. These include setting up devices for large organizations, setting up school computers, and setting up industrial machinery, among others. Intune has different ways to process the bulk enrollment of devices so you’ll need to determine which method fits best with your Intune design plan.
Design requirements and Microsoft Intune
When making the design considerations, there are specific requirements you’ll need to look at for the Intune environment that you want to establish. There may be instances that require you to make adjustments to the general advice that you get concerning Intune deployment.
It’s essential to ensure that certain capabilities will meet the requirements for the use cases needed for your organization. These features include configuration policies, compliance policies, conditional access, terms and conditions policies, resource profiles, and apps.
Microsoft Intune Configuration policies
You can use configuration policies for the management of the security settings on devices in Intune in addition to the features, as well. It’s important that you design configuration policies that follow the configuration requirements by Intune devices. And the necessary information to design your configuration policies in this manner are in the use case requirements section. This enables you to note the settings and their configurations. Not only that, but you’ll need to make sure to verify to which users or device groups to apply certain configuration policies. The various device platforms that you use will need to have at least one configuration policy assigned to them or even several whenever the situation calls for it.
Compliance policies and Microsoft Intune
These types of policies are responsible for establishing whether devices are complying with the necessary requirements. Therefore, determining whether or not a device is compliant becomes a significantly easier matter for Intune. And this is very important because it allows for devices to categorize as either compliant or non-compliant. And that status can then determine which devices are given access to the organization’s network and which ones to restrict.
Furthermore, if you intend on using Conditional Access, then it will probably be in your best interests to create a device compliance policy. Before you can decide on your device compliance policies, you may again want to refer to the use cases and requirements section. This will provide you with the necessary information concerning the number of device compliance policies you’ll require. It will also help you decide which user groups you’ll be applying them. Lastly, you need to have clearly defined rules. These will detail how long devices are allowed to remain offline before they move to the non-compliant list.
Conditional Access for Microsoft Intune
Conditional access plays the role of enforcer for your organization’s policies on all devices. That means that if any device fails to comply with your requirements, conditional access measures can implement. They will prevent them from accessing organizational resources such as email. When it comes to Intune, you’ll also benefit from its integration with Enterprise Mobility + Security. This will give your organization better protocols to control access to organizational resources. So, when it comes to your design plan you still need to look at Conditional Access. You’ll also decide whether or not you need it and what you’d want to secure with it.
Terms and conditions
Terms and conditions are essential for determining your organization’s requirements for any users that want access to the network. This is especially important in BYOD scenarios where some users may not be willing to meet those conditions. So, by establishing terms and conditions, your organization can give users an ultimatum if they want to access the organization’s resources. With Intune, you also get the option to add and deploy several terms and conditions to your user groups.
Profiles
Profiles play a key role by enabling the end user to connect to company data. To cater to the multiple scenarios that your organization may encounter, Intune provides several types of profiles. The information that you need, concerning the timeline for the configuration of the profiles, is obtainable by going through the section on use cases and requirements. Planning is easier because you’ll find all the device profiles grouped according to platform type. Profile types that you need to know about include email profiles, certificate profiles, VPN profiles, and Wi-Fi profiles.
Email profile
Email profiles are responsible for several capabilities. These include reducing the workload of support staff and enabling end-users with access to company email on their personal devices. Email clients will automatically set up with connection information and email configuration. Moreover, all this can be done without users having to perform any setup tasks. So this will ultimately improve consistency. However, not all of these email profiles will have support, on all devices.
Certificate profiles
Certificate profiles are the elements that enable Microsoft Intune to provide certificates to users or devices. The certificates that Intune supports include Trusted Root Certificate, PFX certificate, and Simple Certificate Enrollment Protocol (SCEP). For SCEP, all users who will receive it are going to need a trusted root certificate. This is because the latter is a requirement for SCEP certificate profiles. So, before you proceed make sure to have a clear idea of the SCEP certificate templates that you’d like to use. Your design plan should include a record of the user groups that require certificates. It should also include the number of certificate profiles needed, and to which user groups they’ll be targeted.
VPN profiles
Virtual private networks enable internet users to have secure access from almost any location across the globe. And using VPN profiles achieves the same thing for your organization’s users. They will be able to have secure access to the organization’s networks even from remote locations. Furthermore, Intune widens the options available to you by supporting VPN profiles from native mobile VPN connections and third-party vendors.
Wi–Fi profiles
Wi-Fi profiles are important tools that enable your mobile devices to automatically connect to wireless networks. Using Intune, you can deploy Wi-Fi profiles to the various supported platforms. The device platforms that Wi-Fi profiles support include Android 5 and newer, Android Enterprise and kiosk, Android (AOSP), iOS 11.0 and newer, iPadOS 13.0 and newer, macOS X 10.12 and newer, Windows 11, Windows 10, and Windows Holographic for Business.
Microsoft Intune Apps
When using Intune, you’ll have the option to deliver apps to users or devices using any number of different ways. The apps that you can deliver cover a wide range including apps from public app stores, managed iOS apps, software installer apps, as well as external links. Moreover, this capability extends beyond individual app deployments. You’ll also be able to manage and deploy volume-purchased apps that you may have obtained from volume-purchase programs for both Windows and iOS.
App type requirements
Your design plan needs to include clear details regarding the types of apps that you will allow Intune to manage. This is especially necessary when you consider how apps deploy to users and devices. Information that you should consider for your criteria includes whether or not these apps will require integration with cloud services as well as the deployment measures you’d like to use.
You also need to decide if you’ll be availing these apps to employees using their personal devices and if users will need to have internet access to use the apps. Additionally, you need to verify if your organization’s partners will require you to provide them with Software-As-A-Service (SaaS) app data. Lastly, you need to check the availability of these apps to see if they will be available publicly in app stores or if they will be uniquely custom line-of-business apps.
App protection policies
These policies intend to safeguard your organization’s data by keeping it secure or contained in a managed app. Generally, these policies are rules that go into play when users try to access or move your organization’s data. These rules may also be enforced if users try to engage in actions that are prohibited or monitored when users are inside the app.
Therefore, you can reduce the risk of data loss because of how apps are set up to manage organizational data. Any app that can function with mobile app management will receive app protection policy support from Intune. It will be up to the organization and the team of admins to determine what restrictions you’d like to place on your organization’s data within certain apps.
Setting up Microsoft Intune
When you have your design plan in place, then you can begin looking at setting up Microsoft Intune for your environment. To do that, there will be a few things that you need to consider.
Requirements for Microsoft Intune
The first thing you need to have is an Intune subscription and the license for this is offered as a stand-alone Azure service. It is a part of Enterprise Mobility + Security (EMS) and is included with Microsoft 365. From your design plan, you’ll have a better idea of what the goals of your organization are and you may end up choosing Microsoft 365 because it comes with all of Microsoft Intune, EMS, and Office 365 apps.
Current status
If your organization doesn’t have any MDM or MAM solutions that it is currently using then Intune is probably the best choice for you. Especially if a cloud solution is what you want and then you’ll also benefit from features like Windows Update, configuration, compliance, and app features in Intune.
You can add Endpoint Manager admin center as well to the list of benefits that will be availed to you. Something that does need to be mentioned is that organizations that use more than one device management solution should consider using only a single one.
And if you’ve been using MDM providers such as MobileIron, Workspace ONE, and MaaS360 you’ll still have the option to move to Intune. This will come with a significant inconvenience, however, because before users can enroll their devices in Intune, they will have to unenroll their devices from the current management platform.
Before you make the move to Intune, you’ll need to note in your design plan all the tasks you’ve been running and the features you need so that you know how to proceed with setting up Intune. Unenrolling devices from your current MDM solution not only presents a challenge but makes devices temporarily vulnerable.
This is because while they are in that unenrolled state, they stop receiving all your policies thus security is compromised. By using conditional access, you can block unenrolled devices until they complete their enrollment in Intune.
You should plan to implement your deployment in phases that start with small pilot groups so that you can monitor the success of your approach. If all goes well you can then proceed with a full-scale deployment. Furthermore, those who currently use Configuration Manager and would like to move to Intune can use the options below:
Add tenant attach
This option offers you the simplest way to integrate Intune with your on-prem Configuration Manager setup. By leveraging this option, you can upload your Configuration Manager devices to your organization in Intune. And then once your devices are attached, you’ll be able to use Microsoft Endpoint Manager admin center to run remote actions including user policy and sync machine.
Set up co-management
With this option, Intune will be used for some workloads and Configuration Manager for others. You need to first navigate to Configuration Manager and then set up co-management. And then you proceed to deploy Intune and that also includes setting the MDM Authority to Intune. Once all this is done, devices will now be ready to be enrolled and receive the necessary policies.
Moving to Microsoft Intune from Configuration Manager
This may not happen often because Configuration Manger users tend to want to stay on this platform. However, making the move is possible if you decide that a 100% cloud solution is what you are looking for. You’ll need to first register existing on-prem Active Directory Windows client devices as devices in Azure AD. Then, you proceed to move your existing on-prem Configuration Manager workloads to Intune. Using this method would be good for providing you with a more seamless experience for existing Windows client devices but the downside is that it will be more labor-intensive for your admins.
And if we’re looking at new Windows client devices then you would be better off starting from scratch with Microsoft 365 and Intune:
Start by setting up hybrid Active Directory and Azure AD for the devices. Devices that are Hybrid Azure AD joined will be joined to your on-prem Active Directory as well as registered with your Azure AD. Having devices in Intune helps to safeguard your organization from malicious activity because these devices can receive your Intune-created policies and profiles.
Go to Configuration Manager and set up co-management.
Next, you need to deploy Intune and that includes setting the MDM Authority to Intune.
You’ll also need shift all workloads from Configuration Manager to Intune in the Configuration Manager section.
With all this done, you can go ahead and uninstall the Configuration Manager client on the concerned devices. This is something that can be done by creating an Intune app configuration policy that can perform the uninstallation once Intune has been set up.
Start from scratch with Microsoft 365 and Microsoft Intune
You can only use this approach for Windows client devices, so for those Windows Server OSs, Configuration Manager will be the option you have.
Next, you need to deploy Intune and that includes setting the MDM Authority to Intune.
The Configuration Manager client will need to be uninstalled on all existing devices.
Microsoft Intune Deployment
The steps to follow for your Microsoft Intune deployment are given below:
Navigate to Endpoint Manager admin center and sign up for Intune.
Set Intune Standalone as the MDM authority.
Next, you need to add your domain account because if you don’t your-domain.onmicrosoft.com is what will be used as the domain.
Add users and groups that will receive the policies you create in Intune.
Users will then need to be assigned licenses and once that is done, devices can enroll in Intune.
The default setting allows all device platforms to enroll in Intune so if there are platforms that you’d like to block you’ll need to create a restriction.
You need to customize the Company Portal app so that it has your company details.
Come up with your administrative team and assign roles as necessary.
Windows 365 management and Microsoft Intune
Microsoft Intune not only manages your physical devices but will also play a key role in the management of your Windows 365 Cloud PCs. All you need to sign in is to head over to the Microsoft Intune admin center. This is where you’ll find the landing page for managing your Cloud PCs which is known as the Overview tab. Once signed in, go to Devices > Windows 365 (under Provisioning). In this section, you get a quick overview of the state of your Cloud PCs including the Provisioning status which summarizes the state of Cloud PCs in your organization, and the Connection health which summarizes the health of the Azure network connection in your organization.
All Cloud PCs page
On this page, you’re going to find a summary as well as a list view that will give you all the necessary information you need to know about the status of all the Cloud PCs in your organization. To make the task easier for you, the list view is refreshed every five minutes and allows you to search, filter, and sort. Additionally, there will be multiple Cloud PCs given to those users that have been assigned multiple Windows 365 SKUs. And what this means is that in the All Cloud PCs list view you will see multiple rows dedicated to a single user.
Column details
Name
A combination of the assigned provisioning policy and the assigned user’s name will provide the name of the Cloud PC.
Device name
Windows computer name.
Image
Same image used during provisioning.
PC type
The user’s assigned Windows 365 SKU.
Status
Provisioned: provisioning successful and user can sign in. Provisioning: still in progress. Provisioned with warning: warning is flagged in case of failure of a non-critical step in the provisioning process. Not provisioned: user has been assigned a Windows 365 license but not a provisioning policy. Deprovisioning: Cloud PC going through active deprovisioning. Failed: provisioning failed. In grace period: users with current Cloud PCs are placed in this state when a license/assignment change occurs for them. Pending: this happens when a provisioning request cannot be processed because of a lack of available licenses.
SUser
User assigned to the Cloud PC.
Date modified
Time when last change of state of the Cloud PC occurred.
Third-party connector
When you have third-party connectors installed and currently in use on Cloud PCs, the connector provider is displayed as well as the connector status.
Remote management
Your organization can take advantage of the Microsoft 365 admin center to remotely manage your Windows 365 Business Cloud PCs. There will be several remote actions available to you but to access them you need Azure AD role-based access roles, either Global administrator or Windows 365 administrator. Once you have one of those two roles assigned, you’ll have several methods you can use for Cloud PC management including:
Windows365.microsoft.com
Microsoft 365 admin center
Microsoft Intune (on condition that you have all the necessary licenses)
Option 1 (Windows 365 Azure AD Joined + hosted in Microsoft Network)
Microsoft Intune
Cloud PCs are hosted in the cloud (Microsoft Hosted Network) and managed in the cloud (Intune)
Cloud PCs are enrolled as Azure AD joined and managed out-of-the-box by Intune
Eliminates customer constraints
Cloud PCs will get a unified endpoint management integration from the Microsoft Endpoint Manager admin portal
Simplifies Cloud PC management workloads such as app delivery and endpoint security among others
Comfortably address Cloud PC remote management needs
Co-Management
This is optional and allows you to bring your on-premises device management solution MECM for Option 1
Requires MECM + Cloud Management Gateway
Depends on customer device management on-premises environment
Some considerations before managing Cloud PCs include: Azure subscription and on-premises infrastructure, deployment and configuration of a CMG as well as a public SSL certificate for this CMG, enable Co-Management in Configuration Manager, and more.
Option 2 (Windows 365 Azure AD Joined + hosted in Customer Network)
Microsoft Intune:
Cloud PCs are hosted in the Customer Network and managed in the cloud
Cloud PCs are enrolled as Azure AD joined and managed out-of-the-box by Intune
Eliminates customer constraints
Cloud PCs will get a unified endpoint management integration from the Microsoft Endpoint Manager admin portal
Simplifies Cloud PC management workloads such as app delivery and endpoint security among others
Comfortably address Cloud PC remote management needs
Co-Management
This is optional and allows you to bring your on-premises device management solution MECM for Option 2
Requires MECM. Cloud Management Gateway is optional
Depends on customer device management on-premises environment
Some considerations before managing Cloud PCs include: on-premises infrastructure, configuration of Intune to deploy the CM client for your Cloud PCs, enable Co-Management in Configuration Manager.
Option 3 (Windows 365 Hybrid Azure AD Joined + hosted in Customer Network)
Co-management:
Cloud PCs are hosted in the Customer Network and managed by the customer (Co-Management)
Cloud PCs are enrolled as Hybrid Azure AD joined and managed by Co-Management
Requires MECM
Depends on customer device management on-premises environment
Cloud PCs will get a unified endpoint management integration from the Microsoft Endpoint Manager admin portal
Simplifies Cloud PC management workloads such as app delivery and endpoint security among others
Comfortably address Cloud PC remote management needs
Some considerations before managing Cloud PCs include: on-premises infrastructure, configuration of MECM to deploy the CM client for your Cloud PCs, enable Co-Management in Configuration Manager.
Microsoft Intune
This is optional and if you don’t have a MECM environment you can use Intune as your Cloud PC device management solution for Option 3
Some considerations for this option include: configuration of Azure AD Connect for Hybrid Domain Joined, Hybrid Azure AD Joined Cloud PCs need to be directly attached to an on-premises AD environment, for device management the Active Directory environment will depend on Group Policy Objects.
Wrap Up About Microsoft Intune
Device and application management can prove to be a very challenging task to get right for a lot of organizations. Finding the right solution that can streamline application use across your organization’s devices without breaking the bank would be a dream for any organization. You also want a platform that can increase the productivity levels of your IT staff by minimizing the complexity of device management and by extension reducing the time spent on device management.
With Microsoft Intune, you can get this and plenty more. This MDM and MAM solution will enhance the security of your organization by establishing strict access protocols for your organization’s resources. This means greater protection at a time when endpoints are increasingly a vulnerable point for malicious attacks. Intune can provide you with peace of mind while providing an effective management platform that can vastly improve the way your organization operates.
Microsoft Intune is one of those brilliant products that has helped to optimize IT infrastructure for many businesses. It’s a platform that can transform your business into a modern workplace. And its capabilities are almost without limit. If you want to upload PowerShell scripts in Intune, there is the Microsoft Intune management extension (IME) that you can use for that. This management extension can enhance Mobile Device Management (MDM) resulting in a simpler move to modern management. With all this done, you can then run these scripts on Windows 10 devices. PowerShell scripts are important in a lot of different use cases and this blog is going to take a look at what this technology can do.
What is PowerShell?
PowerShell is a scripting and automation platform belonging to Microsoft. It’s an amazing product that is both a scripting language as well as an interactive command environment that is built on the .NET framework. Released back in 2006, PowerShell was basically a replacement for Command Prompt as the default method for automation of batch processes and creation of customized system management tools. PowerShell can easily automate laborious admin tasks by combining commands known as cmdlets and creating scripts. Available in all Windows OS starting with Windows 2008R2, PowerShell plays a huge role in helping IT professionals configure systems.
Adopting modern management
Modern workplaces now have plenty of user and business-owned platforms allowing users to work from anywhere. With MDM services like Microsoft Intune, you can manage devices that are running Windows 10. The Windows 10 management client will communicate with Intune to run enterprise management tasks. Windows 10 MDM features will be supplemented by IME. With this in place, you can create PowerShell scripts to run on Windows 10 devices e.g, creating a PowerShell script that does advanced device configurations. Having done this, you can upload the script to Intune and assign the script to an Azure AD group. Then run the script. Moreover, you can monitor the run status of the script from start to finish.
Latest updates from Microsoft
In November 2020, Microsoft announced the general availability of PowerShell 7.1 which is built on the foundation of PowerShell 7.0. The goal was to bring about improvements and fixes to the existing technology. Some of these features, updates, and breaking changes include:
PSReadLine 2.1.0, including Predictive IntelliSense
PowerShell 7.1 has been published to the Microsoft Store
Installer packages have been updated for new operating system versions with support for ARM64
4 new experimental features and 2 experimental features promoted to mainstream
A number of breaking changes that improve usability
Using scripts in Intune
Before IME can automatically install, when a PowerShell script or a Win32 app is assigned to the device or user, a few prerequisites should be met:
Windows 10 version 1607 or later, Windows 10 version 1709 or later for devices enrolled using bulk auto-enrollment.
Devices joined to Azure AD including Hybrid Azure AD-joined which consists of devices that are joined to Azure AD, and are also joined to on-premises Active Directory (AD).
Devices enrolled in Intune namely devices enrolled in a group policy, devices that are manually enrolled in Intune, and co-managed devices that use both Configuration Manager and Intune.
Script policy creation
Start by signing in to the Microsoft Endpoint Manager admin center. From there you’ll select Devices then PowerShell scripts then add. Under Basics, you will then have to provide a name and a description for the PowerShell script. Next, you go to Script settings and you’ll have to enter the required properties. After that, you select Scope tags, however, these are optional. And then select Assignments > Select groups to include and an existing list of Azure AD groups will be shown. Lastly, in Review + add, you’ll see a summary of the settings you configured. Select Add to save the script. When you have done so, the policy is deployed to the groups you chose.
Important considerations
If you have scripts that are set to user context with the end-user having admin rights, by default, the PowerShell script runs under the administrator privilege. Also, end-users don’t need to sign in to the device to execute PowerShell scripts. The IME agent checks with Intune once per hour and after every reboot for any new scripts or changes. In the event of a script failing, the agent attempts to retry the script three times for the next 3 consecutive IME agent check-ins. And as far as shared devices are concerned, the PowerShell script runs for every new user that signs in.
PowerShell scripts limitations
Although with Microsoft Intune you can deploy PowerShell scripts to Windows 10 devices, there are a few limitations worth noting. These include:
You won’t get support for running PowerShell scripts on a scheduled basis.
Although you can see whether the PowerShell script execution succeeded or failed, the output generated is only available on the endpoint that executes it and is not returned to the MEM Admin Portal.
Since executed PowerShell scripts are visible in the Intune Management Extension log file as plain text, credentials can’t be passed securely.
The Intune Management Extension agent responsible for executing PowerShell scripts on the endpoints only checks once an hour for new scripts so there is a delay with execution.
Wrap up about Microsoft Intune
Maximizing the time we have is increasingly a massive concern for most organizations. Technological innovation has made it such that we can have more productive time on our hands. PowerShell is a product that is very useful to IT professionals for overall system management. By being able to automate the administration of Windows OS and other applications, organizations can operate more efficiently. The evolution of this platform since its release fourteen years ago has seen it grow from strength to strength. Undoubtedly, this is a product that can easily boost your productivity.