An easy way to manage your organization with Intune

Next up Intune

Since some time Microsoft has been promoting lots of companies to go with Intune. Most of these companies want to use a solution like Intune but sometime already have a system in place which takes care of their mobile devices. Think about Airwatch or Mobile Iron. Most of the time Intune gets compared with Mobile Iron or Airwatch but what most companies do not know is that Intune is not just about mobile devices. It can do lots more than that.

Where to start with Intune

As mentioned before lots of companies do not know where to start with Intune. One of the most asked question I get at customers is do I start with MDM for mobile devices or do I start with MAM and what is the difference. And how do i make sure i enroll the devices without big impact to my users.

First of all the best thing you can do is start with a simple pilot for Mobile Application Management (MAM). Based on a azureAD group. What MAM does is, it manages the applications you make available within Intune for you mobile devices. If you start with this i recommend to just select all the applications from the Microsoft Office 365 subscription.

You can do this within the App protection policies.

intune apps

As you can see my selection of apps are put in just for Android devices. This comes because i have created two policies. One for Android and One for IOS. The reason for this is that i can manage both type of devices separately. For instance if i want to add apps like Google Maps (Android) or Safari (Apple) you can manage these just for these device types.

*make sure you assign your policies to just a few of you, not for the entire company when testing.

Mobile application management (MAM)

As written above you can implement Mobile application management pretty easy. Just make sure you have the right licenses (EM+S E3 or EM+S E5 or Intune). and you are good to go. But what does Mobile application management actually do.

Basically MAM manages the applications you offer to your users as a service to use. This means that a user which has for example a private device can use Outlook for IOS/Android with corporate email in a safe way. The user just need to install the application from the Google playstore or Itunes. The users will be guided thru the process and will end up with a safe working version of outlook with his corporate email.

With the policies you have created you have set some properties to prevent options like; Copy from email to phone storage, open Urls from email into unmanaged browser, Save attachments to non managed storage.

Mobile Device Management (MDM)

What is mobile device management (MDM), MDM is a way of securing the device a user gets from his company. Most of the time i advise this option when a company has company phones which they give to their employees. In this case the device is owned by the company so there is a possibility that you want to do more with the device then just manage the applications like in MAM. Things you can do more then you can do with MAM  are;

  • Device encryption
  • Push company owned apps
  • Install applications from Itunes or Google playstore
  • Wipe entire device instead of just the managed applications
  • Push certificates and WiFi profiles
  • And lots more

I hope this gives you some insights on MAM and MDM. In my opinion these are the best options to start with when starting with Intune. But you can imagine there are lots more feature you can do with Intune. Think about enrolling Windows 10 devices with autopilot, so you can really give you customers a seamless out-of-the-box-experience (OOBE). Even Co-management is possible these days.  In the following blogs i will guid you thru the implementation of some of these features and possibilities.

If you have some ideas for a blogpost regarding Intune that you needs to be worked out please let me know. And i will try if i can create a tutorial for this.

Also do not forget to check my other blogs @j3rmeyer.nl

 

Please follow and like us:

Where is the Bitlocker Key stored within Microsoft Azure AD

Storing your Bitlocker key

When you enroll your  Windows 10 devices with  Microsoft Intune, you have the posibility to store your Bitlocker recovery keys in Azure AD. There are two ways to store the Bitlocker key the proper way

  1. Store the Bitlocker key into Active Directory (on-premise)
  2. Store the Key Into Azure AD (Cloud)

When you use the Azure AD join and activate Bitlocker, you get the option to store the Recovery Key in Azure AD. When you walk through the Join or register the device wizard.

The Key will be stored in the Cloud/ Azure AD. To get these keys in the Classic Azure Portal follow the steps below

Classic Azure Portal steps

  1. Open Azure AD in the Management Portal https://manage.windowsazure.com
  2. Open the Users tab and search/browse for the account you need to find recovery key for, then open it.
  3. Go to the Devices tab, and in the View box, select Devices.
  4. Select the affected device, and click View Details.

All registed recovery keys should be visible

(New) Azure Portal

Most of you will probably use the (new) azure Portal, to find the keys here is a little different but not to much. Follow the steps bellow to get the recovery keys from Azure AD

  1. Open Azure AD in the Management Portal https://portal.azure.com
  2. Open the Users and Groups blade and find the user involved.
  3. Go to his registred devices of the user.
  4. Click on the Device where you need the key from,

You will find the recovery key at the bottom of the device information

Please follow and like us:

Co-management with Intune and System Center (SCCM)

What is Co-management

Since a couple of weeks Microsoft has introduced Co-management with Intune and System Center Configuration manager. So what does co management means?  Co-management enables the device to be managed by both ConfigMgr agent and Intune MDM. This allows organizations to move parts or workloads to the cloud. Where they first used sccm.

As an example you can move the workload for Windows 10 update management from ConfigMgr to Intune while continuing to use ConfigMgr yet for other workloads such as software distribution and device security configurations.

In simple words, SCCM Intune co-management is a dual management capability offered for Windows 10 1709 (Fall Creators Update) devices.

Prerequisites

To use Co-management you must make sure your environment has the following prequisites.

  • Your system center environment (sccm) must be updated to SCCM CB 1709
  • The Windows 10 devices must be rolled out with the fall creators update Windows 10 1709
  • You need an active Intune with  subscription
  • You need an active Azure ad Premium with subscription

If you have the prequisites from above you can start configuring the setup.

Setting up Co-management

When you have installed verion 1709 of system center you can start configuring the Co management feature. You can do this as followed.

Step1: Launch you sccm console

Step2: Go to administration

Step3: Go to overview

Step4: Cloud Services

Step5: Click on Co-management and select Configure Co-management

Enable System center Co-Management for SCCM Intune Managed Devices

When you have configured Co-manangement for Intune and system center you need to enable the feature. There are two ways to enable SCCM co-management.

  1. Enable Co-management for SCCM managed devices
  2. Enable Co-management for Intune managed devices

Enable Co-management for SCCM Clients

To enable co-management for SCCM Managed Devices with Intune, you need to select one of the following options.

  • Select ALL or Pilot from the drop-down menu to manage all/pilot SCCM clients via Intune

Enable Co-management for Intune Managed Devices

To enable co-management for Intune managed devices with SCCM, so you need to create an application in Intune. The application will install a SCCM client at the  Intune managed devices. SCCM team provided sample command line to install SCCM client. (you can find this in the Wizard).

Seems like this is actually it. So If you need more information You can use the following resources at Microsoft

  • Co-management for Windows 10 devices – here
  • Migrate hybrid MDM users and devices to Intune standalone – here
  • Microsoft 365 and SCCM Windows 10 Co-Management – here
Please follow and like us:

The Power of Enterprise Mobility Suite (EMS)

Microsoft Enterprise Mobility Suite (EMS) is set of tools including Microsoft Intune, Azure AD and Azure RMS to help you manage your mobile devices to control the mobilityof your users and customers. But where do you start?

Trying new technology is hard, particularly in Enterprise Mobility. Microsoft is the exception. With Enterprise Mobility Suite (EMS) you are up and running and trying mobility management in just a few minutes if you’re doing it right!

Enterprise Mobility Suite is a kind of group of mobility tools. As the name suggests Microsoft’s new and improved offering is a suite of often leading components, that come together.

“Where do I start with these tools?”

You’ll be set up in about 5 steps.

  1. Get a 30 day trial for Office 365(see below)
  2. Get a 30 day trial for EMS suite
  3. Synchronize an on-premises AD to Azure AD
  4. Configure mobile device authorities most of the time with a certificate
  5. Enroll a device
  6. And there you are

Microsoft has one place for user accounts: Active Directory.

One of the big benefits of EMS is that it doesn’t harm your identity strategy. You need Active Directory and with Enterprise Mobility Suite Microsoft safely extend your on-prem AD DS to the modern architecture  of Azure AD (you don’t need an on-prem AD as the solution is cloud stand-alone too).

The idea, of extending your on-prem AD to the internet, might sound daunting, but it really is a good idea. Because you are able to use your identities on lots of more places.

Office 365, Microsoft Intune and ANY apps you want can share your Azure AD. lots are built-in, out of the box (like Salesforce, Facebook, Box and Nomadesk)!

Manage Devices and Apps with Microsoft Intune

If identity is the fundamental of enterprise mobility management then device management is the first floor and application management is the second floor. Mobility management technology has evolved to deal with the newer challenges that mobility in today’s world faces.

You probably know of MDM – Mobile Device Management. MDM manages things like remote wipe, applying company policy I suppose an old school admin would see MDM as the Group Policy of the modern device world.

This type is the need to control what you need on a device. It’s an essential layer in today’s world. If you use Office 365 and or Azure, you want Microsoft Intune, no matter what device platform (Windows, iOS, Android).

Protecting Data with Azure Rights Management

Azure RMS will protect your data and only allow the people intended to have access to it under the right conditions. Protection has become much more important and easier to deliver.

Example: You install a Azure RMS Connector servers on-prem and your Exchange, SharePoint, and File Servers can be protected by Azure RMS. Besides that you can bring your own key and Azure will store your keys in a safe vault.

The Power of Tools

With the above you can do some amazing things. You can protect all your data on your OneDrive  and allow enrolled devices with MDM (Intune) to have access to the information where you have access to from any device.

In some situations EMS can help you out in the most worst case scenarios:

  • The user loses their device: You know that it protects the data at rest, even if you can’t remote wipe it.
  • If the user leaves the company: You can remove the apps and the data that the user was accessing and know they have no access to further data.
  • when the user sells their device without wiping it: You can block the devices access while leaving their access intact.

Quick Start trials

  1. Do you have an Office 365 trial? If not get one. If you do, make sure it’s still valid and then return to click Sign in.

Office 365 proberen

  1. Go get an Azure trial, or if you already have one you can just use that.
  2. Now go get a Microsoft EMS Trial, be sure to click the Sign in button and be signed in with your Office 365 trial. You can add EMS to your free Office365 Subscription.
Please follow and like us: