Return to the Microsoft Intune portal, and click the Upload the APNs Certificate button.

Part of the document mcsa_pearson.mcsa.70-697.and.70-698.cert.guide.configuring.windows.devices (pages 721 - 736)

Step 9. Browse to the .PEM file you downloaded from Apple in Step 7 and enter your Apple ID; then click Upload.

After completing these steps and installing your APNs certificate, you are ready to enroll iOS and Mac OS X devices in Intune. You should see a screen similar to Figure 13-8.

Figure 13-8. After Installing an APNs Certificate in Intune, You Are Ready to Enroll iOS Devices

To enroll an iOS device, you use the Microsoft Intune Company Portal app from the Apple store. Install the app on the iOS device and then log in. The process for enrolling the device is similar to the Android process. The main difference is that you will be required to accept the APNs certificate and install it as part of the Management Profile on the device trust store, as shown in Figure 13-9.

Figure 13-9. Installing the Intune Organizational Management Profile on an iOS Device

You can also enroll Windows computers and devices to Microsoft Intune.

Just like mobile devices, users must be set up in the Office 365 portal and assigned an Intune license before they can enroll a computer. The first step is to download the client software for Microsoft Intune. You can then deploy it to client computers. This can be done manually on each computer, or you can deploy the software using Group Policy or custom scripts.

Use the following procedure to manually enroll a Windows 10 computer with your organization’s Intune management portal.

Step 1. Log in to the computer using the organizational account credentials or a local account with rights to install new software.

Step 2. Extract the .ZIP file to the local computer. The file includes the setup executable and an ACCOUNTCERT file. Be sure not to rename or remove the ACCOUNTCERT file. It should be in the same directory as the setup executable.

Step 3. The computer will be automatically enrolled.

After the client software is installed, you should see the device show up in the Intune portal.
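The book says the client can be pushed with Group Policy or custom scripts but shows only the manual procedure. The following PowerShell script is an added example, not code from the book or from Microsoft: it deploys the client unattended while enforcing the Step 2 requirement that the ACCOUNTCERT file sit beside the setup executable, and it checks the installer's Authenticode signature before running it from a share. The file names Microsoft_Intune_Setup.exe and MicrosoftIntune.accountcert, the /Quiet switch, and the uninstall-key display-name pattern used for the idempotency check are assumptions of this example; confirm them against the package downloaded from your tenant.

```powershell
<#
  Added example (not from the book): scripted deployment of the Intune client.
  Assumptions, labelled here:
    - The extracted package contains Microsoft_Intune_Setup.exe and
      MicrosoftIntune.accountcert (the book only says "setup executable"
      and "ACCOUNTCERT file").
    - Microsoft_Intune_Setup.exe accepts /Quiet for an unattended install.
    - An installed client appears under the Uninstall registry keys with a
      DisplayName starting "Microsoft Intune" (used only as an idempotency check).
  Run elevated, for example as a Group Policy startup script.
#>
param(
    [Parameter(Mandatory = $true)][string]$PackagePath,   # UNC share or local folder with the extracted .ZIP
    [string]$SetupName = 'Microsoft_Intune_Setup.exe',
    [string]$CertName  = 'MicrosoftIntune.accountcert',
    [string]$LogPath   = "$env:ProgramData\IntuneClientDeploy.log"
)

function Write-DeployLog {
    param([string]$Message)
    $line = '{0:s} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

function Test-SupportedEdition {
    # Home and Basic editions cannot enroll (stated later in this chapter).
    # The caption match is a simple heuristic, not an official API.
    $caption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    return -not ($caption -match 'Home|Basic|Starter')
}

function Test-AlreadyInstalled {
    # Idempotency check so the script is safe to run on every boot (assumed display name).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $found = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like 'Microsoft Intune*' }
    return $null -ne $found
}

$setup = Join-Path $PackagePath $SetupName
$cert  = Join-Path $PackagePath $CertName

# Step 2 requirement: the ACCOUNTCERT file binds the install to your tenant and
# must not be renamed or moved away from the setup executable.
if (-not (Test-Path $setup)) { Write-DeployLog "Setup executable not found: $setup"; exit 2 }
if (-not (Test-Path $cert))  { Write-DeployLog "ACCOUNTCERT file missing beside setup: $cert"; exit 3 }

# Refuse to run an installer from a share unless it carries a valid Microsoft signature.
$sig = Get-AuthenticodeSignature -FilePath $setup
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    Write-DeployLog "Refusing installer: signature status $($sig.Status), subject '$($sig.SignerCertificate.Subject)'"
    exit 4
}

if (-not (Test-SupportedEdition)) { Write-DeployLog 'Unsupported Windows edition; skipping'; exit 5 }
if (Test-AlreadyInstalled)        { Write-DeployLog 'Intune client already present; nothing to do'; exit 0 }

$proc = Start-Process -FilePath $setup -ArgumentList '/Quiet' -Wait -PassThru
Write-DeployLog "Installer exited with code $($proc.ExitCode)"
exit $proc.ExitCode
```

Because the ACCOUNTCERT file is what ties an installation to your subscription, treat the extracted package like a credential: keep it on a share that only the deployment account and domain computers can read, and review the log path for machines that exited with codes 3 or 4.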

Note that there are two ways to enroll a Windows 10 computer. The preceding procedure installs the Intune client, and the computer will be enrolled as a “Computer” device. You can also enroll the device using the Windows settings, and the device will be enrolled as a “Device” instead of as a “Computer.” This is useful only if you are not using on-premises Active Directory. Use this procedure to enroll the computer as a device.

Step 1. Access the Action Center and select All Settings.

Step 2. From the Settings page, select Accounts.

Step 3. Select the Access Work or School option, and then click Connect.

Step 4. Enter the email for your Intune user account and then click Next. The Microsoft Intune sign-in page is displayed.

Step 5. Enter the credentials for your Intune or Office 365 user account, and then click Sign In.

Step 6. When the You’re All Set! page is displayed, click Close.

Enrolling as a device is more appropriate for users who want to use their personal devices while gaining access to organizational resources such as email, SharePoint, or Office 365. This is also the preferred method for organizations that are using Microsoft cloud-based solutions for infrastructure management. If you have an investment in on-premises Active Directory, Exchange, Microsoft System Center Configuration Manager (SCCM), and other tools, you should use the Intune client software if you want to manage devices with Intune.

Viewing and Managing Devices

You can view all enrolled devices from the Microsoft Intune portal. To view devices, click the Groups menu, and then select All Devices. The list of devices will be displayed, as shown in Figure 13-10.

Figure 13-10. Viewing the Enrolled Devices in Microsoft Intune

This is the interface for managing all your enrolled devices. Many attributes are displayed for each device, such as the name of the device as configured locally, the type of device, the operating system, and other basic information.

You can view more details by selecting the device and clicking the View Properties menu. The properties available will depend on the type of device.

For Windows 10 computers, the following categories of properties will be available on a tabbed menu, similar to Figure 13-11.

General: Basic information about the device and status, such as updates, endpoint protection status, the user linked to the device, and the date and time when the last update was applied. This tab also provides links to retire or wipe the device and to link the device to a user.

Updates: Windows updates for the computer. From this menu you can approve updates, check installed or failed updates, and do other tasks related to applying updates to the device.

Malware: Lists any malware that has been detected on the device.

Alerts: View any device-related alerts that may need administrator attention.

Hardware: Displays detailed hardware information about the device, including any attached network interfaces, printers, and peripherals.

Software: Lists all software installed on the computer and the current version. The list will include Windows operating system components and any Windows Store apps.

Policy: Displays the list of Intune policies that have been applied to the device.

Figure 13-11. Computer Properties Page for Devices in Microsoft Intune

If a device has been lost or stolen, or you simply want to stop managing the device from Intune for any reason, you can use the Retire/Wipe link to close out the device. Clicking the link displays the dialog shown in Figure 13-12.

Select whether you want to clear out only company data or completely wipe everything from the device and restore it to factory settings; then click the Yes button. If the device is turned on and connected to the Internet, it will take less than 15 minutes to start wiping the device.

Figure 13-12. Confirm the Type of Remote Wipe for a Mobile Device

There are also a few additional tasks you can perform on selected devices using the Remote Tasks drop-down menu. The following tasks are available.

Some tasks are available only for computer device types, whereas others are available for mobile device types.

Run a Full Malware Scan (Computer): Runs the installed malware scanner on the computer, performing a full scan. On Windows 10 computers, Windows Defender will run a full scan.

Run a Quick Malware Scan (Computer): Tells the computer to run a quick malware scan using the installed antimalware software. On Windows 10 computers, Windows Defender will run a quick scan.

Restart Computer (Computer): Performs a soft reboot of the operating system.

Update Malware Definitions (Computer): Causes the computer to check the Internet for any new malware definitions and install any new ones available.

Refresh Policies (Computer): Causes the computer to check for any policy updates and apply them immediately.

Refresh Inventory (Computer): Tells the Intune client on the device to refresh the inventory of hardware and software and report back to the Intune portal.

Remote Lock (Mobile): Causes the device to enable the screen lock immediately.

Passcode Reset (Mobile): Resets the passcode used to unlock the device screen. This works differently depending on the device. On an iOS device, the passcode is removed and must be added back to the device. On Android, a new temporary passcode is set, and the user will need to change it.

The Microsoft Intune Connector Site System Role

You can use a hybrid solution for managing your mobile devices. Large organizations that are currently using SCCM may want to leverage the management capabilities of the current infrastructure and be able to remotely manage all their mobile devices using an Intune subscription.

By integrating SCCM functions with the Intune management portal, administrators can configure a “single pane of glass” management interface. That is, they will have a single administration UI for managing all the organization’s devices, even while some functionality is supported by SCCM and other functionality by Intune. Centralizing administration views in this way can go a long way toward simplifying and streamlining administration tasks.

Organizations that currently are not using SCCM for device management should avoid the hybrid model and leverage the Intune standalone instead.

Several new features are coming to Intune, and should be available by the publication date of this text. These features make using a hybrid model with SCCM unnecessary and redundant.

• Programmatic access (API), including an SDK and PowerShell management options.

• Custom reporting.

• Role-based Access Control.

• Scalable support for more than 50,000 mobile devices.

• Manage both traditional PC clients and Intune-managed devices from the same console.

As you will see, configuring a hybrid MDM solution is an involved process that requires careful planning and execution. The details of these tasks are out of the scope of this text and not needed for the 70-697 exam. Instead, you should only be concerned with knowing what technologies are involved in configuring the connector and the purpose for using a hybrid solution, as described in the list that follows:

Step 1. Create an MDM Collection: This is a collection of users you create in SCCM to specify all the users that can enroll devices.

Step 2. Configure Domain Name Requirements: Users must be able to enroll using a publicly resolvable email address or UPN. If your company does not have a public domain name, you must create an alternate login ID for your users in Azure AD.

Step 3. Configure the Intune Subscription: In SCCM, you must configure your Intune subscription information. This includes specifying the user collection you created in Step 1, and specifying a site code and company contact, and other information. You will use your Intune subscription credentials, which will be managed by SCCM.

Step 4. Create the Service Connection Point: You first install the service connection point site system role using the normal process for installing server roles. After it is installed, you use SCCM to create a Site System Server using the available wizard. This will be the back-end communication channel between your on-premises SCCM installation and the Microsoft Intune management site.

Step 5. Enable Platform Enrollment: Configure the device enrollment types. You can set up iOS, Windows, and Android enrollment. Just like with Intune standalone, you will need to configure an Apple APNs certificate for iOS enrollment. Windows enrollment requires the creation of DNS records to point to the SCCM enrollment server.

Step 6. Verify MDM Configuration: After all these configuration tasks are complete, check the logs for any issues and start enrolling devices.
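Step 5 says Windows enrollment needs DNS records pointing at the enrollment server, and Step 6 says to verify the configuration. The function below is an added example, not code from the book or from Microsoft, that checks the MDM auto-discovery CNAME for each UPN suffix your users enroll with. The record name enterpriseenrollment.<domain> is the standard discovery name and is an assumption of this example (the book does not name it); the expected target is passed in because the book does not name the server either.

```powershell
<#
  Added example (not from the book): verify the MDM enrollment discovery record.
  Assumption: the record is a CNAME named enterpriseenrollment.<UPN domain>.
  The expected target (for hybrid, the SCCM enrollment server's FQDN) is a parameter.
#>
function Test-MdmEnrollmentDns {
    param(
        [Parameter(Mandatory = $true)][string]$UpnDomain,       # e.g. contoso.com (constructed)
        [Parameter(Mandatory = $true)][string]$ExpectedTarget   # FQDN the CNAME should point to
    )
    $name = "enterpriseenrollment.$UpnDomain"
    try {
        $records = Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop
    } catch {
        # No record at all: enrollment will fail to discover the server
        return [pscustomobject]@{ Record = $name; Status = 'Missing'; Target = $null }
    }
    $cname = $records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if ($null -eq $cname) {
        return [pscustomobject]@{ Record = $name; Status = 'NotCNAME'; Target = $null }
    }
    $target = $cname.NameHost.TrimEnd('.')
    # A record that exists but points somewhere unexpected is a misconfiguration
    # (or a hijacked record) and deserves the same attention as a missing one.
    $status = if ($target -ieq $ExpectedTarget.TrimEnd('.')) { 'OK' } else { 'WrongTarget' }
    [pscustomobject]@{ Record = $name; Status = $status; Target = $target }
}

# Usage: one row per UPN suffix (domains and target are constructed for illustration)
'contoso.com', 'fabrikam.com' | ForEach-Object {
    Test-MdmEnrollmentDns -UpnDomain $_ -ExpectedTarget 'enrollment.corp.contoso.com'
} | Format-Table -AutoSize
```

Run it from a client on the same resolvers your users will use, not only from the domain controller; split-brain DNS is the usual reason a record that looks correct internally is missing from the public zone.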

After you have configured SCCM and Intune as a hybrid MDM, you will not be able to manage devices from the Intune website anymore. The single pane of glass management interface has become the only interface available. If you want to disconnect SCCM and start using Intune standalone, you need to contact Microsoft support to help you with that transition, so it’s very important to plan your roadmap for device management in advance.

Note

For more information about configuring SCCM and hybrid MDM, see “Setup Hybrid Mobile Device Management (MDM) with System Center Configuration Manager and Microsoft Intune” at https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/setup-hybrid-mdm.

Manage User and Computer Groups

Devices are organized and managed using device groups. Do not confuse device groups with user groups, which are managed in Microsoft Azure AD.

Device groups are managed in Intune, including some built-in groups. By default, all devices are members of the All Devices group. Also, Windows computers will automatically be added to the All Computers group, and any iOS, Android, or Windows Mobile device will be added to the All Mobile Devices group.

You can add your own custom groups for managing devices, based on your own criteria, and newly enrolled devices will be added to these groups based on the criteria you define. The type of criteria you can use includes the device type (computer or mobile), an organizational unit from your directory, or the Active Directory domain that the device is joined to. From the menu previously shown in Figure 13-10, you can select several devices and then click the Create Group from Selection link to create a custom group.

Instead of using general criteria for the devices added, you will be adding specific devices to the group. If you want to add other devices later, you will need to edit the group and add those devices to the list.

To create a user group, click the Users option from the Groups menu, and then click the Create User Groups link from the menu. This will redirect you to the Azure portal where user groups are managed, as shown in Figure 13-13. Click the Add button at the top to create a new group. Each group will have a Name, an optional Description, and a Membership Type, which can be either Assigned or Dynamic. The Membership Type determines how members are added to the group. For a Dynamic group, you create a rule based on the Azure AD attributes of your users. For instance, you could assign members automatically if they are members of a certain department, have a specific job title, or meet other criteria. If you create a group with an Assigned Membership Type, you will be manually adding and removing members to the group.
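The text describes the two membership types through the portal. The following is an added example, not code from the book or from Microsoft, that creates both kinds with the AzureAD PowerShell module: a Dynamic group whose rule is built from the department and job title attributes the text mentions, and an Assigned group with one member added by hand. It assumes the AzureAD module is installed and Connect-AzureAD has already been run; the group names, attribute values and the UPN pilot.user@contoso.com are constructed for illustration.

```powershell
<#
  Added example (not from the book): Dynamic and Assigned user groups via the
  AzureAD PowerShell module. Assumes Connect-AzureAD has been run.
#>
function New-DynamicUserGroup {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$Rule,   # Azure AD dynamic membership rule syntax
        [string]$Description = ''
    )
    # MailNickname must be present even for security groups; derive it from the name.
    New-AzureADMSGroup -DisplayName $Name -Description $Description `
        -MailEnabled $false -MailNickname ($Name -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled $true -GroupTypes 'DynamicMembership' `
        -MembershipRule $Rule -MembershipRuleProcessingState 'On'
}

# Dynamic group: membership follows user attributes (department or job title), as the text describes.
$rule = '(user.department -eq "Finance") -or (user.jobTitle -eq "Controller")'
$dynamicGroup = New-DynamicUserGroup -Name 'Intune-Finance-Users' -Rule $rule `
    -Description 'Automatic membership by department or job title (constructed example)'

# Assigned group: an administrator adds and removes members explicitly.
$assignedGroup = New-AzureADMSGroup -DisplayName 'Intune-Pilot-Users' `
    -Description 'Manually managed pilot group (constructed example)' `
    -MailEnabled $false -MailNickname 'IntunePilotUsers' -SecurityEnabled $true

$pilotUser = Get-AzureADUser -ObjectId 'pilot.user@contoso.com'   # constructed UPN
Add-AzureADGroupMember -ObjectId $assignedGroup.Id -RefObjectId $pilotUser.ObjectId

# Show what was created so the rule text can be reviewed
$dynamicGroup, $assignedGroup | Select-Object DisplayName, GroupTypes, MembershipRule
```

A dynamic rule is only as trustworthy as the attributes that feed it: whoever can write a user's department or job title (an HR system sync, a help desk role) can move that user into a group that receives Intune policies and apps. Limit attribute write permissions and review rule changes the same way you review direct membership changes to an Assigned group.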

Figure 13-13. Managing User Groups in the Azure AD Portal

You can view the group membership of a user in Intune. Select Users from the Groups menu, and select a user from the list. The user details at the bottom of the page include a Group Membership section that lists the groups that the user belongs to. Clicking the link for any of the groups listed will direct you to the group in the Azure portal.

Note

This section describes user and computer groups as they work in Intune and Azure AD currently. However, Microsoft is in the process of migrating all groups, including device groups, to Azure, so this information will change after the migration occurs. For more information, see

https://docs.microsoft.com/en-us/intune/deploy-use/categorize-devices-with-device-group-mapping-in-microsoft-intune.

Manage Remote Computers

You learned earlier in the chapter how to enroll Windows 10 computers for Microsoft Intune. You can enroll any Windows computer with Intune that uses Windows Vista or later, and manage those computers from the Intune console. The computer must be running a supported edition, Professional or higher. You cannot enroll Home or Basic editions. These computers will show up in your Intune console as Computer device types, and will automatically be added to the All Computers group.

After you have installed the Intune client as described earlier, and the computer is successfully enrolled, a new icon will show up in the system tray.

Click the icon and select Microsoft Intune Center to display the page shown in Figure 13-14. These are options for users on an enrolled Windows computer. They can download any applications you have made available on the Intune portal, check for updates, use their installed antimalware tool, or send a request for Remote Assistance to the organization’s administrators.

Figure 13-14. Microsoft Intune Center on Windows Computers with the Intune Client Installed

In Figure 13-14, you may notice the message Remote Assistance Is Not Supported on This Version of Windows. To use Remote Assistance through the Intune Center, you need to sign up for a TeamViewer account and connect your TeamViewer subscription account to Intune.

To enable TeamViewer, navigate to the Admin menu of the Microsoft Intune portal, click TeamViewer from the menu, and then select the Enable link.

After your TeamViewer account is enabled, users will have a Request Remote Assistance link in their Intune Center console. When they click the link, the support technicians monitoring the TeamViewer console will get a notification that a user is requesting assistance and can then connect to a remote desktop session to render assistance. Configuring and using TeamViewer for desktop support is far outside the scope of this text, but you should know what it is used for and how to enable the connector in Intune.

Microsoft Intune Monitoring

Devices and computers that are managed by Intune return detailed information about their hardware properties, updates, and other information.

You can configure Intune to provide monitoring information and trigger alerts for events that you want to be notified about.

Configure Monitoring and Alerts

Alerts are used to keep you in touch with what’s happening in Microsoft Intune and the devices and computers that are enrolled. Alerts are generated based on alert types, which are preconfigured rules built into Intune. You can configure the State and Severity for each alert. State is whether the alert type is enabled or disabled. There are three levels of Severity that you can set.

Critical: Indicates a serious issue that requires investigation as soon as possible.

Warning: Indicates an issue that is not serious but might become serious without attention or intervention.

Informational: Indicates information that is not critical.

Some alert types might have additional configuration properties, such as a percentage of devices affected before the alert is triggered. You manage alerts from the Intune Alerts menu. From the Overview page, you can view a summary of any alerts that have been triggered. Alerts are categorized for you in a hierarchy, with All Alerts at the top. Other major categories include Endpoint Protection, Monitoring, Notices, Policy, Remote Assistance, System, and Updates.

To configure alert types, access the Overview page from the Alerts menu and select Configure Alert Type Settings. Intune displays a page similar to Figure 13-15. To modify alert type settings, select the alert type from the list.

You can enable or disable the alert from the menu at the top, or choose the Configure link to configure settings for the alert to change the state or select the severity you want for the alert.

Figure 13-15. Alerts Types in Microsoft Intune

Some alerts also allow you to select a display threshold. This setting allows you to configure a percentage of devices so that the alert type is triggered only after the threshold has been reached. Other alerts may have additional settings that you can configure. For instance, the Available Megabytes of Memory alert, shown in Figure 13-16, can be set with a Frequency and Threshold. The frequency tells Intune how often to check the available memory, in seconds, and the threshold is the amount of available memory below which an alert would be triggered.

Figure 13-16. Some Alert Types in Microsoft Intune Have Additional Attributes That Can Be Configured

You can also configure Microsoft Intune to send email notifications when an alert is triggered. You first need to set up recipients for alerts. To configure emails for alerts, use the following procedure:

Step 1. Select the Admin menu and then click Recipients.

Step 2. Click the Add link to add a recipient. You must enter the email in the Email Address field and the Confirm Email Address field, and then click OK. Add as many recipients as needed using this procedure.

Step 3. Select the Notification Rules option from the Admin menu.
