An easy way to manage your organization with Intune

Next up Intune

For some time now Microsoft has been encouraging lots of companies to go with Intune. Most of these companies want to use a solution like Intune but sometimes already have a system in place that takes care of their mobile devices, such as AirWatch or MobileIron. Most of the time Intune gets compared with MobileIron or AirWatch, but what most companies do not know is that Intune is not just about mobile devices. It can do lots more than that.

Where to start with Intune

As mentioned before, lots of companies do not know where to start with Intune. One of the questions I get asked most at customers is: do I start with MDM for mobile devices or do I start with MAM, and what is the difference? And how do I make sure I enroll the devices without a big impact on my users?

First of all, the best thing you can do is start with a simple pilot for Mobile Application Management (MAM), targeted at an Azure AD group. What MAM does is manage the applications you make available within Intune for your mobile devices. If you start with this, I recommend simply selecting all the applications from the Microsoft Office 365 subscription.

You can do this within the App protection policies.

(Screenshot: the selected apps in the app protection policy)

As you can see, my selection of apps is put in just for Android devices. This is because I have created two policies: one for Android and one for iOS. The reason for this is that I can manage both types of devices separately. For instance, if I want to add apps like Google Maps (Android) or Safari (Apple), I can manage these just for that device type.

*Make sure you assign your policies to just a few of you, not to the entire company, when testing.

Mobile application management (MAM)

As written above, you can implement Mobile Application Management pretty easily. Just make sure you have the right licenses (EM+S E3, EM+S E5 or Intune) and you are good to go. But what does Mobile Application Management actually do?

Basically, MAM manages the applications you offer to your users as a service. This means that a user who has, for example, a private device can use Outlook for iOS/Android with corporate email in a safe way. The user just needs to install the application from the Google Play Store or iTunes. The user is guided through the process and ends up with a protected, working version of Outlook with his corporate email.

With the policies you have created you have set properties that prevent actions such as: copying from email to phone storage, opening URLs from email in an unmanaged browser, and saving attachments to unmanaged storage.
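The following is an added example, not code from the original post. It creates the two app protection policies described above (one for Android, one for iOS) through Microsoft Graph, maps the three restrictions just mentioned to their policy settings, and assigns the result to a pilot group only. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin has the DeviceManagementApps.ReadWrite.All permission, that `$PilotGroupId` is a placeholder you replace with your own Azure AD pilot group id, and that the Outlook and Word store identifiers match the public store listings.

```powershell
# Added example (not from the original post). Assumptions: Microsoft.Graph SDK
# installed, DeviceManagementApps.ReadWrite.All granted, $PilotGroupId replaced
# with your own Azure AD group id, store identifiers as listed in the public stores.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'

$PilotGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace with your pilot group

# The three restrictions from the text, mapped to managedAppProtection properties:
#   copy from email to phone storage      -> clipboard and data transfer limited to managed apps
#   open URLs in an unmanaged browser     -> managedBrowserToOpenLinksRequired
#   save attachments to unmanaged storage -> saveAsBlocked plus an allow-list of storage locations
$Restrictions = @{
    allowedOutboundClipboardSharingLevel    = 'managedApps'
    allowedOutboundDataTransferDestinations = 'managedApps'
    allowedInboundDataTransferSources       = 'managedApps'
    managedBrowserToOpenLinksRequired       = $true
    saveAsBlocked                           = $true
    allowedDataStorageLocations             = @('oneDriveForBusiness', 'sharePoint')
    pinRequired                             = $true
    dataBackupBlocked                       = $true
}

function New-PilotAppProtectionPolicy {
    param(
        [Parameter(Mandatory)] [ValidateSet('android', 'ios')] [string] $Platform,
        [Parameter(Mandatory)] [string[]] $AppIds,
        [Parameter(Mandatory)] [string] $GroupId
    )
    # Android and iOS policies are separate Graph types, each with its own app identifier type.
    switch ($Platform) {
        'android' {
            $base   = 'https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections'
            $idType = '#microsoft.graph.androidMobileAppIdentifier'; $idProp = 'packageId'
        }
        'ios' {
            $base   = 'https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections'
            $idType = '#microsoft.graph.iosMobileAppIdentifier'; $idProp = 'bundleId'
        }
    }

    # 1. Create the policy carrying the restriction settings.
    $body = $Restrictions.Clone()
    $body['displayName'] = "MAM pilot - $Platform"
    $policy = Invoke-MgGraphRequest -Method POST -Uri $base `
        -Body ($body | ConvertTo-Json -Depth 4) -ContentType 'application/json'

    # 2. Target the Office apps the policy should protect (targetApps action).
    $apps = foreach ($id in $AppIds) {
        $ident = @{ '@odata.type' = $idType }
        $ident[$idProp] = $id
        @{ mobileAppIdentifier = $ident }
    }
    Invoke-MgGraphRequest -Method POST -Uri "$base/$($policy.id)/targetApps" `
        -Body (@{ apps = @($apps) } | ConvertTo-Json -Depth 6) -ContentType 'application/json'

    # 3. Assign to the pilot group only, never to the whole company while testing.
    $assignment = @{
        assignments = @(
            @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }
        )
    }
    Invoke-MgGraphRequest -Method POST -Uri "$base/$($policy.id)/assign" `
        -Body ($assignment | ConvertTo-Json -Depth 6) -ContentType 'application/json'

    $policy.id
}

# One policy per platform, as in the post, so each can later get platform-specific apps.
New-PilotAppProtectionPolicy -Platform android -GroupId $PilotGroupId `
    -AppIds 'com.microsoft.office.outlook', 'com.microsoft.office.word'
New-PilotAppProtectionPolicy -Platform ios -GroupId $PilotGroupId `
    -AppIds 'com.microsoft.Office.Outlook', 'com.microsoft.Office.Word'
```

Keeping the settings in one shared `$Restrictions` table makes it easy to verify that the Android and iOS policies enforce the same data-flow rules; the only things that differ per platform are the Graph endpoint and the app identifier type.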

Mobile Device Management (MDM)

What is Mobile Device Management (MDM)? MDM is a way of securing the device a user gets from his company. Most of the time I advise this option when a company has company phones which they give to their employees. In this case the device is owned by the company, so you may want to do more with the device than just manage the applications as in MAM. Things you can do with MDM that you cannot do with MAM are:

  • Device encryption
  • Push company owned apps
  • Install applications from iTunes or the Google Play Store
  • Wipe entire device instead of just the managed applications
  • Push certificates and Wi-Fi profiles
  • And lots more

I hope this gives you some insight into MAM and MDM. In my opinion these are the best options to start with when starting with Intune. But you can imagine there are lots more features in Intune. Think about enrolling Windows 10 devices with Autopilot, so you can really give your customers a seamless out-of-the-box experience (OOBE). Even co-management is possible these days. In the following blogs I will guide you through the implementation of some of these features and possibilities.

If you have ideas for a blog post regarding Intune that needs to be worked out, please let me know, and I will see if I can create a tutorial for it.

Also, do not forget to check my other blogs @j3rmeyer.nl

Please follow and like us:

Where is the Bitlocker Key stored within Microsoft Azure AD

Storing your Bitlocker key

When you enroll your Windows 10 devices with Microsoft Intune, you have the possibility to store your BitLocker recovery keys in Azure AD. There are two proper ways to store the BitLocker key:

  1. Store the BitLocker key in Active Directory (on-premises)
  2. Store the key in Azure AD (cloud)

When you use Azure AD join and activate BitLocker, you get the option to store the recovery key in Azure AD while walking through the "Join or register the device" wizard.
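As an added example (not code from the original post), the same escrow can be done, and checked, from the device itself: the script below verifies that the OS volume is protected, makes sure a recovery password protector exists, and backs that protector up to Azure AD. It assumes it is run elevated on an Azure AD joined Windows 10 device where the built-in BitLocker PowerShell module is available.

```powershell
# Added example (not from the original post). Assumptions: elevated session on an
# Azure AD joined Windows 10 device; the BitLocker module (Get-BitLockerVolume,
# Add-BitLockerKeyProtector, BackupToAAD-BitLockerKeyProtector) is present.
function Backup-OsVolumeRecoveryKeyToAzureAD {
    param([string] $MountPoint = $env:SystemDrive)

    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    if ($volume.ProtectionStatus -ne 'On') {
        throw "BitLocker protection is not on for $MountPoint; enable it first."
    }

    # Azure AD stores the 48-digit recovery password, so that protector type must exist.
    $recovery = $volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recovery) {
        # Add one so there is something to escrow; existing protectors stay in place.
        $volume   = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $recovery = $volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    foreach ($protector in $recovery) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $protector.KeyProtectorId
        # Report only the protector id; the recovery password itself should never be logged.
        [pscustomobject]@{
            MountPoint     = $MountPoint
            KeyProtectorId = $protector.KeyProtectorId
            EscrowedTo     = 'AzureAD'
        }
    }
}

Backup-OsVolumeRecoveryKeyToAzureAD
```

The key protector id returned here is the same id you see next to the key in the portal, which makes it easy to confirm that the escrow actually landed on the device object you expect.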

The key will then be stored in the cloud (Azure AD). To get these keys in the classic Azure portal, follow the steps below.

Classic Azure Portal steps

  1. Open Azure AD in the Management Portal https://manage.windowsazure.com
  2. Open the Users tab and search/browse for the account you need to find the recovery key for, then open it.
  3. Go to the Devices tab, and in the View box, select Devices.
  4. Select the affected device, and click View Details.

All registered recovery keys should be visible.

(New) Azure Portal

Most of you will probably use the (new) Azure portal. Finding the keys here is a little different, but not too much. Follow the steps below to get the recovery keys from Azure AD:

  1. Open Azure AD in the new portal https://portal.azure.com
  2. Open the Users and groups blade and find the user involved.
  3. Go to the user's registered devices.
  4. Click the device you need the key for.

You will find the recovery key at the bottom of the device information.


Co-management with Intune and System Center (SCCM)

What is Co-management

A couple of weeks ago Microsoft introduced co-management with Intune and System Center Configuration Manager. So what does co-management mean? Co-management enables a device to be managed by both the ConfigMgr agent and Intune MDM. This allows organizations to move parts of their workloads to the cloud where they first used SCCM.

As an example, you can move the Windows 10 update management workload from ConfigMgr to Intune while continuing to use ConfigMgr for other workloads such as software distribution and device security configuration.

In simple words, SCCM/Intune co-management is a dual management capability offered for Windows 10 1709 (Fall Creators Update) devices.

Prerequisites

To use co-management you must make sure your environment meets the following prerequisites.

  • Your System Center environment (SCCM) must be updated to SCCM CB 1709
  • The Windows 10 devices must be rolled out with the Fall Creators Update, Windows 10 1709
  • You need an active Intune subscription
  • You need an active Azure AD Premium subscription

If you have the prerequisites above, you can start configuring the setup.
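Before moving a device into a co-management pilot it is worth checking the client-side prerequisites on the device itself. The script below is an added example, not code from the original post or from Microsoft: it checks the Windows 10 build (16299 is the Fall Creators Update, 1709), whether the ConfigMgr client is installed and which version it reports, and the Azure AD join state that Intune enrollment needs. It assumes an elevated session on the device and that the SCCM client exposes its version through the `SMS_Client` class in the `root\ccm` WMI namespace.

```powershell
# Added example (not from the original post). Assumptions: elevated session on
# the Windows 10 device; SCCM client version read from root\ccm:SMS_Client;
# Azure AD state read from dsregcmd /status.
function Test-CoManagementClientPrerequisites {
    $result = [ordered]@{}

    # Windows 10 1709 or later: 1709 is build 16299.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $result['OsBuild']         = $build
    $result['OsIs1709OrLater'] = $build -ge 16299

    # ConfigMgr client present, and the version it reports.
    $smsClient = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Client' -ErrorAction SilentlyContinue
    $result['ConfigMgrClientInstalled'] = $null -ne $smsClient
    $result['ConfigMgrClientVersion']   = if ($smsClient) { $smsClient.ClientVersion } else { $null }

    # Azure AD device state: co-management needs the device known to Azure AD so Intune can enroll it.
    $dsreg = dsregcmd /status
    $result['AzureAdJoined'] = [bool]($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')
    $result['DomainJoined']  = [bool]($dsreg -match '^\s*DomainJoined\s*:\s*YES')

    $result['ReadyForPilot'] = $result['OsIs1709OrLater'] -and
                               $result['ConfigMgrClientInstalled'] -and
                               $result['AzureAdJoined']
    [pscustomobject]$result
}

Test-CoManagementClientPrerequisites
```

Run it on a handful of candidate devices and keep only those with `ReadyForPilot` set to `True` in the pilot collection; a device that fails the Azure AD check will show up in the console as co-management enabled but never actually enroll in Intune.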

Setting up Co-management

When you have installed version 1709 of System Center you can start configuring the co-management feature. You can do this as follows.

Step 1: Launch your SCCM console

Step 2: Go to Administration

Step 3: Go to Overview

Step 4: Go to Cloud Services

Step 5: Click on Co-management and select Configure Co-management

Enable System Center Co-management for SCCM and Intune Managed Devices

When you have configured co-management for Intune and System Center you need to enable the feature. There are two ways to enable SCCM co-management.

  1. Enable Co-management for SCCM managed devices
  2. Enable Co-management for Intune managed devices

Enable Co-management for SCCM Clients

To enable co-management for SCCM-managed devices with Intune, you need to select one of the following options:

  • Select All or Pilot from the drop-down menu to manage all SCCM clients, or only the pilot clients, via Intune

Enable Co-management for Intune Managed Devices

To enable co-management for Intune-managed devices with SCCM, you need to create an application in Intune. The application installs the SCCM client on the Intune-managed devices. The SCCM team provides a sample command line to install the SCCM client (you can find this in the wizard).

That seems to be actually it. If you need more information you can use the following resources at Microsoft:

  • Co-management for Windows 10 devices – here
  • Migrate hybrid MDM users and devices to Intune standalone – here
  • Microsoft 365 and SCCM Windows 10 Co-Management – here