Microsoft Intune Configuration Check List

Make most of Microsoft Intune

Check list to make most of Microsoft Intune MDM and MAM features/

In this post, I have cover the Intune MDM and MAM features that can help enterprises to improve user experience and security. I have seen multiple MDM setups where its utilisation becomes limited to email profile deployment and password policies. I hope this checklist will help to enhance the capabilities and make most of the Microsoft Intune/EMS.

Please note that this checklist might not complete due to fluid nature of the cloud services, I will keep adding link of the existing resources that might help you to kick start with design, deployment and Testing. I will keep revising this list on frequent basis, please review latest Microsoft Documentation for new Intune features.  
  
·        Identity
o   Configure Azure AD & AD Connect : Required to provision users and assign licenses

·         Device and Application Management
o   Intune Standalone vs Intune Hybrid with SCCM Integration
o   Recommended to configure Intune Standalone to avoid delays with SCCM/Intune Sync
o   Leverage latest feature of Intune Standalone
o   Intune Hybrid support ending on 1st Sep 2019.

·         Unified Device Management and Platform Integration
o   iOS Device Enrollment
o   APN certificate
o   Apple Business Manager (aka Apple Deployment Manager)
o   Apple Volume Purchase Program
o   Android Device Enrollment :
o   Android Enterprise (Android for Work)
o   Samsung Knox
o   Mac Device Enrollment
o   Apple Configurator Profile
o   Windows Device Enrollment :
o   Windows AutoPilot
o   Windows Store for Business

·         Device configuration and compliance policies for all device Platforms:
o   Password Policies
o   Device Profiles and Configuration
o   Security Policies i.e. Minimum OS version, block jailbroken device.
o   Compliance Policies Threat level

·         Configure Intune MAM policies:
o   To protect Enlightened iOS and Android Apps
o   Windows 10 Information Protection Policies

·         Configure Azure AD Conditional Access
o   Exchange Online
o   Exchange On-Premises
o   SharePoint
o   Skype Online
o   Office 365 Apps - Sharepoint, OneDrive, Teams, OneDrive etc.
o   Identify Exchange Active Sync Users and lock down Exchange Active Sync
o   Enforce Device Enrolment or Application requirements i.e. Outlook App

·         Deploy Profiles:
o   VPN Profile
o   WiFi Profile
o   Email Profiles

·         Applications & Services
o   Deploy Apps for public store to users with App Configuration Policies
o   Enforce mobile devices to use approved apps or enroll device.
o   Define Compulsory Apps and Option App
o   Deploy Corporate Apps to users : Outlook, Word, OneDrive, Skype, Teams etc.
o   Configure Apps Configuration Policies to pre-populate information : i.e. Server, User email etc.
o   Configure NetScaler to provide seamless experience to Mobile Users - Provided ability to users to configure Citrix Receive with Email !

·         Network & Security
o   Configure & Deploy SCEP & NDES Infrastructure
o   Deploy Certificates to Mobile Devices
o   Deploy WiFi Service with Certificate based authentication (seamless experience to users)
o   Configure Mobile Threat Mgt Solution with Intune Integration
o   Provision Mobile Threat client on Mobile Devices
o   Configure compliance polices
o   Configure Wi-Fi hotspot for Mobile Devices
o   Configure Cisco ISE Intune Integration (Optional)
o   Provision & Deploy VPN solution for Mobile Devices
o   Configure Firewalls to allow access corporate systems hosted on-premise.

Please stay tuned for more updates to above list with useful links to get started quickly! Please feel free to email your feedback or message on Twitter.

Comments

Post a Comment

Popular posts from this blog

How to enable iOS unmanaged apps to read managed contacts & write unmanaged contacts without compromising security using Microsoft Intune

Image
The contacts saved in Exchange is considered managed contacts. with iOS 12 onwards managed contacts are not visible from unmanaged Apps. As stated in Apple Article (https://support.apple.com/en-au/HT208749)  iOS 12, you can use MDM to make the following exceptions to this policy: Allow unmanaged apps to access managed contacts Allow managed apps to save contacts to the local Contacts app Microsoft Intune have introduced new feature, but it has pre-requisite to "Viewing corporate documents in unmanaged apps" to write contact to unmanaged app and "Viewing non-corporate documents in corporate apps" to read managed contacts in unmanaged app.  This can be security issue for many organisations. However, you can enable this without changing the parent policy by following trick! Go to iOS restriction settings in Intune, go to 'App Store, Doc Viewing, Gaming controls'. As highlighted above 'Allow managed apps to write contacts...
Read more

Network Driver for HP Elitebook 840 G1

Network Driver for HP Elitebook 840 G1 Issue :  HP elitebook 840 G1 does no PXE boot when network drivers are injected in boot image. environment SCCM 2012 SP1. Answer: To build HP elitebook 840 G1  inject the Windows 8 network driver.  Please see post below from Niall C. Brady on how to inject or test drive during task sequence. Thanks Niall C. Brady for this article:  http://myitforum.com/cs2/blogs/nbrady/archive/2011/08/31/missing-nic-driver-in-winpe-boot-image-no-problem.aspx . TO\o Download Driver click here   Unzip the file using 7 zip, go to \sp63299\Setup\Win8x64  folders and inject driver in boot image  from SCCM or using drvload command as explain in article.  Happy Days....
Read more

How to deploy Application (offline installer DMG) on Apple MacOS Devices using Microsoft Intune

Image
Microsoft Intune does not support deployment of DMG file. As per the  Microsoft documentation   : " Only  .pkg files may be used to upload macOS LOB apps to Microsoft Intune. Conversion of other formats, such as .dmg to .pkg is not supported." Microsoft Intune have provided support to deploy shell script to macOS. In the example below, I will deploy Adobe Acrobat Reader DC 2020.009.20063 DMG file on MacOS Device. Save following script as .sh package i.e.  InstallAdobeReader.sh #! /bin/sh url=https://ardownload2.adobe.com/pub/adobe/reader/mac/AcrobatDC/2000920063/AcroRdrDC_2000920063_MUI.dmg   set -x tempd=$(mktemp -d) curl $url > $tempd/AdobeReaderDC.dmg listing=$(sudo hdiutil attach $tempd/AdobeReaderDC.dmg | grep Volumes) volume=$(echo "$listing" | cut -f 3) package=$(ls -1 "$volume" | grep .pkg | head -1) sudo installer -pkg "$volume"/"$package" -target / sudo hdiutil detach "$(echo "$volume" | cut -f 1)" rm -r...
Read more