How to setup Microsoft Intune - Day 1.

New Microsoft Intune video Handbook released on Youtube to support this blog post. Work through all the videos on the GetModern Channel: https://youtu.be/GWtiHnYnGKo

MovetoModern #2 - Getting started with Microsoft Intune 
 
So you’ve decided that Microsoft Intune is for you….. Great choice. What next…. Sometimes just knowing where to start with a product especially when there are so many options can be difficult. With Microsoft Intune there are a set number of tasks you will need to follow Day1 before you can begin enrolling and managing your devices. So this post covers the things you will need to complete at a high level and includes the fundamental steps. By covering the topics included you will have a basic configured platform which will enable you to start enrolling devices.  

There are a number of planning steps to consider as part of your adoption, but this post will not cover these. If you would like to look at the types of considerations to work through for planning your rollout have a look at the Microsoft guide Here
After you've made your decisions on what Microsoft Licensing is best for you and your business the recommended Microsoft path for setting up the basic Intune configuration can be summarised with:
​
Microsoft Intune Handbook - Getting setup Day 1
Step 1 - Sign into your Intune subscription
Step 2 - Configure Domain Name (Optional)
Step 3 - Add your Users and groups
Step 4 - Assign Licenses
Step 5 - Configure MDM Authority and Automatic enrollment
Step 6 - Add required Applications
Step 7 - Verify enrollment restrictions and configure device settings
Step 8 - Customise the Company Portal (Optional)
Step 9 - Add an Autopilot Enrollment profile and amend device enrolment restrictions (Optional)
Step 10 - Configure app policies  (Optional)

​Step 1 – Login to Microsoft Endpoint Manager
Sign in to your Intune subscription using your Global Administrator account at https://Endpoint.microsoft.com
You will be presented with the Home screen as shown below. As a Global Admin user you have access and permissions to carry out all the necessary configuration steps.

The other portals you will require access to during the initial setup will be:
 - The Azure Portal - https://portal.azure.com/
 - Microsoft 365 Admin Centre - https://admin.microsoft.com/
 - Microsoft Store for Business - https://www.microsoft.com/business-store
​
Step 2 – Configure Domain name
If you decide you want to connect your company domain name with Intune you will need to set the DNS registration. By default, Microsoft provides an initial domain name that looks like your-domain.onmicrosoft.com.

While this is optional, most companies will however want to configure their custom domain to connect to Intune and this ideally needs to be done before you start adding new users on to the platform and their email addresses are assigned. It also allows users to sign in using their company user credentials to access resources.
There are a couple of ways of setting up your custom domain but I use the Microsoft 365 Admin center for this.

Login at https://admin.microsoft.com as an administrator and choose:
Setup > Domains > Choose a domain
Type in your domain name and click Next. This will provide you with the values required to create a TXT record on your DNS external hosting provider. If you use GoDaddy.com you will redirected to the GoDaddy Login page and after entering your credentials the TXT record will be created automatically.

The registration of the custom domain can take up to 72 hours and this depends on the hosting provider and how long the changes are distributed across DNS servers.
To verify the change for Intune login to MEM and go to
Devices > Windows > Windows enrolment > CName validation.
Enter your custom domain name and click the test button.
 
Step 3 – Users and Groups
Critical to your rollout will be the use of Users and Groups. The initial subscription includes an instance of Azure Active Directory (AAD). You now have the choice of synchronising your user identities through your company AD using Azure AD Connect or creating new users and groups within Azure AD particularly if you are going the cloud only route. The use of identities are required unless you plan on using “userless” devices such as Kiosk devices.
For those who want to deploy Windows Autopilot within a Hybrid environment you will also need to deploy the Azure AD Connector. More Info can be found Here   

Within MEM Navigate to Users and Groups from the left-hand navigation panel. Select the ‘Groups’ option which will open a new panel. Enter the Group name, description and membership type. Groups can be created for both users and devices. When creating a dynamic group this will automatically add users or devices based on a created expression you create.

You can find more information on the membership type Here  
To create either a new Azure AD User identity or invitation to a guest user select
MEM > Users >New User /New Guest User
​
You nay need to create a guest user where you want to collaborate with them such as allow access to configure Intune by a third party. For this option the user is emailed an invitation to join.
​
For a new Azure AD user enter the username, Name, First name and last name then select the groups and job Info if required.

Step 4 – Assign Licenses

You will need to assign licenses to users so they can enrol their devices into Intune. Intune licenses can be obtain in various Microsoft packages including EMS E3/E5 and Microsoft E3/E5 options. Which you choose depends on the type of rollout for functionality and applications you require.
Find some more details Here
To assign licenses, select the user and click the ‘Licenses’ option under manage.

Step 5 – MDM Authority and Automatic enrolment

For companies who used the Pre 1911 Intune service it meant they had to set the MDM authority upon first logon. From 1911 onwards the service is automatically set to Intune as the MDM Authority option was removed.
Its worth noting that the MDM authority cannot be changed. The basic premise for this setting is that it is used by the service to ensure the correct portal is used by the devices registered with it.
 
Windows automatic enrolment settings
If the core of the devices you will be managing are Windows 10 then you will need to verify you have the correct settings for automatic enrolment as shown below.


















​
These are settings which can be configured for both Windows 10 or newer corporate owned devices via MDM and personally (BYOD)  owned devices.

Go to MEM > Devices \ Windows > Windows Enrollment > Automatic Enrollment
You set the scope of enrolment depending on your specific enrolment needs.
Setting the MDM user scope to Some or All means devices will join Azure AD regardless of who signs in or if the devices are corporate or BYOD. Setting this to None means devices are not joined to Azure AD or managed by Intune.

In some sceanrios you may only want to mange the company account on the device and the corporate resources it accesses. For this set the MDM user scope to None and set the MAM user scope to Some or All.

The main difference with the MAM settings are that when set to Some or All the company accounts are managed by Intune and devices are registered and not managed. MAM settings are there for BYOD or personal devices.

Step 6 - Add required Applications

The whole topic on Applications, adding, securing them, deploying, packaging etc is a fairly large subject by itself and I will write more on this in another post. For the day one setup you will more than likely want to setup Intune to deploy Microsoft 365 Applications as a core productivity requirement.

Intune allows for various types of Applications each of which are available for the different types of device (Win 10, iOS, Android).  As described above you have made your choices on whether you manage user devices(including Apps), accounts or both. Once you have chosen the right applications you want to deploy these can be added into Intune.

Go to MEM> Apps > All Apps
This will show you all the Apps you have deployed. At this point you most likely won’t have any to see so select ‘Add’ from the top pane.​

---

Add an Application

Choose the platform you want to deploy the App for. Here I will select “Microsoft 365 Apps – Windows 10”
The resulting pane will be a configuration page where you can:
·       Change the Name and description
·       The Category such as Productivity
·       Add in any notes like this is for the Design group
·       Choose if you want to make it a featured app available within the company portal.

​Click the next button and configure the Apps suite options. The key setting here is the selection of Office 365 Apps you want to deploy making sure users have the correct Licenses assigned before deploying.

The other setting on this pane you will need to select is “Update Channel”. For me I chose “Current Channel” but I will go into the options here in another post and describe the options. Click Next to select the Assignment groups. You have three options here:
·       Required
·       Available
·       Uninstall

Required means the Application will be deployed for installation to these devices you assign them to automatically in the background. When the device next checks in with Intune approximately every 8 hours after the initial setup the app will be downloaded and installed silently.

Add groups to “Available” where you would like to make them available for the user to install in their timeframe. The App will become available within the Microsoft Company portal App (Which you will also need to deploy)

If you choose to add any groups to “Uninstall” this means those selected Apps will be uninstalled from devices assuming they already exist.

Its worth noting you the quick options available which are “All Users” or “All Devices” made available to you.

If at this stage you want to delay deploying to anyone or any devices then simply don’t select or add any groups. The Application will be added into your Intune Apps list but will not deploy.

When you do add groups click next, verify the configuration and click ‘Create’
By completing this action with groups the App will automatically start deploying to the selected user/device groups.

Step 7 - Verify enrollment restrictions and configure device settings

The first step here is verify you have the correct enrollment restrictions set up for your devices and users. This is important as it determines the types of devices and versions you allow to enrol within your tenant while also specifying the number of devices a single person can enrol. 
To configure this :
MEM > Devices >Enrollment Restrictions

Under the 'Device Type restrictions' option click 'All Users' and you will be presented with a new pane. Select 'Properties' to see the default settings. Under 'Platform Settings' click 'Edit' and choose the platforms restrictions that apply for you platform management. These can be the platform type and if you want to allow personally owned devices of the type to enrol. As an added setting specify the min and max version for the device platform you want to allow. When finished click the 'Review + Save' button and then the 'X' to close the pane.​

---

Go back to Devices> Enrollment restrictions and choose 'All Users' under 'Device Limit restrictions'
This presents a new window pane. Select 'Properties' then 'Edit. You will be presented with a drop down box from which you can choose the limit of devices each user can enrol. The maximum is 15 as per below.

Obviously one of the powerful features of Intune and key management methods includes the various options for configuring the settings for you devices you want to manage. To achieve this Intune provides profiles which allow you to pre-configure settings for email, VPN, Wi-fi and device features. The other side is that they help you restrict the features and settings available on the devices which protects both the device and data.

Features and settings are set using “Configuration Profiles” within Intune. These can be targeted across platforms including Android / iOS/iPadOS / macOS / Win 10  later / Win 8.1 and later.

Settings can include configurations for encryption, accounts, bluetooth, Camera, browser, display, firewall, power, notifications to name just a few.

In a recent release on to MEM Microsoft have deployed the “Settings catalog (Preview)”. This has simplified the selection of setting options by allowing Admins to choose the those they specifically want to configure. 100’s of settings previously only available using Group policies on Windows are now easily configured.

To create a new profile
MEM > Devices >Configuration Profiles > Create profile

While selecting individual settings is powerful Intune provides collections of settings wrapped into templates. This may be ‘Device Restrictions’, ‘Identity Protection or for those more technical you can deploy ‘Custom Templates’.
 
Step 8 – Customise the Company Portal
 
The Microsoft Company Portal App deployed to Windows, Android and iOS provides a common purpose and is where users can access company data and carry out tasks for installing apps and finding information relating either to the device, registration with Intune or company details such as information on the IT helpdesk and corporate policy.

The App includes a number of pages such as Home, App details and device details and provides a bridging point between the device and Intune managing it. It is also the location for manually synchronising the device with Intune outside of the scheduled check-in every 8 hours.

For added benefits the App includes details of applications deployed through Configuration manager and Intune where co-management has been configured.
​
By way of customising the Company Portal App this allows organizations to brand it into something recognisable by end users. You may want to change the theme colour and add a company header including a logo.​

The Company portal App can be downloaded via the Microsoft, Apple or Google store but is best deployed through Intune. This way by deploying the Application during enrolment this allows for the organization to better control the initial deployment to devices and ensure it is installed and managed.

To add company portal
MEM >Apps > All Apps > Add
Select the appropriate store App (Managed Google play / iOS store App / Microsoft store App) , and select the groups you want to deploy to. The company portal App is a store App and therefore will need to be synchronized from the store appropriate for the device you are deploying to.
To integrate Microsoft store for Business with Intune read the post by James Vincent:
​How To Integrate Microsoft Store For Business With Intune - Prajwal Desai
 
Step 9 – Amend the device enrolment restrictions
 
MEM > Devices > Device Restrictions
Out of the box MEM provides some default restrictions which covers both device type and device limits for enrollment. These can be changed to suit your deployment requirements. 
The options for device type include:
·       Android device administrator
·       Android Enterprise work profile
·       iOS/iPadOS
·       macOS
·       Windows
​
The admin screens also allow you control the versions of type allowed and whether personal devices are allowed for each type.

The maximum number of device enrollments is set to 15

Step 10 – Configure App Policies

Intune App protection policies are rules you set to protect your company’s data and when applied that app becomes managed by Intune. The policy allows you restrict specific actions when using an app.
Mobile App Management (MAM) app protection policies are configured to protect data within the application and can be applied as MAM without enrolment (MAM-WE) which means  data is protected within managed apps on devices not enrolled with in Intune or any other MDM. 
 
For devices which are corporate owned and managed the benefits to app protection is limited given the device will m ore than likely have configuration policies already installed which restrict or protect the whole device the application runs on. This also means that this step is optional and may not apply to your basic Intune setup.
 
MEM > Apps > Apps Protection
You can create app protection policies for iOS/IPadOS / Android and Windows 10 devices. Depending on the platform selected you will be provided with options to protect the use of the application. Below I have selected an app protection policy and set Pin and credential requirements for accessing an application. You will notice this can be configured to work with Biometric access.

You can also set conditional launch settings such as the maximum number of PIN attempts or the minimum OS level required. 
Once you have configured the appropriate settings, assign to the users groups and click create.
 
The steps above provide a high-level description to how you first setup Intune. This is the starting point and will naturally vary depending on the Apps, devices and user base you ae deploying to. In later posts I will go into other configuration options.