Anoop C Nair

Loads of people requested a starter kit for Intune as I have one for the SCCM 2012 starter kit, and the SCCM 2012 starter kit page was very useful for the community (I think that is why people are requesting the Intune Starter Kit). In this post, we will mainly concentrate on Intune standalone (not Intune Hybrid and Office 365 Intune MDM).

In most cases, no need/very minimal need for on-prem infrastructure if you are going with Intune standalone and all the other cloud components like Azure Active Directory, Office 365, etc. I’ll keep adding new things to this page. This is just starting 😉

63 Episodes Of Free Intune Training For Device Management Admins HTMD Blog (anoopcnair.com)

I started working with Intune in the later part of 2012, and Microsoft Intune has evolved during the years, and it has changed a lot. In 2013, I started a post called “Microsoft Intune Wiki” (most of the links in that post are outdated, but it’s worth going through if you want to see how Intune was ?).

We already have a Facebook group for Intune Professionals. If you would like to join the Facebook community of Intune Professionals, click here

What is Microsoft Intune?

Intune is an enterprise mobility management (EMM) solution from Microsoft. The EMM provider helps manage mobile devices, network settings, and other mobile services and settings. Microsoft Intune is nothing but a combination of Device, Application, Information Protection, Endpoint Protection (antivirus software), and Security/Configuration policy management solution (SaaS) facilitated by Microsoft in Cloud.

Additionally, Intune has features where admins can create a “Conditional Access” policy to get access to company resources. If the devices met those conditions, only Intune would provide access to company or corporate resources (corporate mail, Share point, etc…). 

Previously, I mentioned Microsoft Intune as a lighter version of SCCM or ConfigMgr in the cloud. However, I don’t want to make it so simple this time. Intune architecture is entirely cloud-based and agile.  To get a more detailed idea about Intune (Yes, this video is old and outdated in some parts as Intune evolved along with entire Microsoft’s Enterprise Mobility and Security (EMS))

Management Options using Intune?

I’m going to explain in a bit different way. Let me know if this is confusing. We can manage devices with an Intune client agent and arguably without an Intune client agent. For example, Intune company portal application(s) in different app stores like Google Play and Apple Store are Intune client agents.

So, when you install Intune company portal onto your Android or iOS devices, you are doing agent-based management. Also, there is Microsoft Intune client MSI available to download once you have a valid Intune subscription. You can download and install it on Windows machines that you want to manage.

I have an old post (published in Dec 2012) here to help you understand the basic stuff about Intune MSI agent installation. Once you install Intune MSI agent on Windows machines, those machines are “fully managed” by Intune.

So what is arguably agent less Intune management? Within Windows 10, we have an “in build – Native” MDM agent as part of the operating system. We can enroll Windows 10 devices to Intune using the “in build – Native” MDM agent. In this scenario, we have to use Intune company portal to install applications like a shopping cart.

So Intune company portal is not acting as Intune agent in native MDM enrolment scenarios. Native MDM-managed devices are arguably NOT fully managed devices (at this point in time). I’m sure this will change sooner or later. Windows 10 in-build MDM agent can be used to enroll your Windows 10 devices to any other MDM management software VMWare Airwatch, Mobileiron, etc…

• Enrolled via Intune company portal
• Enrolled via Installation of Intune MSI client
• Enrolled via Windows 10 1607 and above in build Azure AD join and MDM enrolment
• MAM without MDM enrolment

How to get an Intune account and start working/Testing with Intune?

Download the Microsoft EMS step-by-step guide from here. This guide will help you to get a trial version of Office 365, Azure AD, and Intune subscription for free. If you already have an Azure AD (Azure AD premium) subscription, things are very straightforward, as I posted in the blog here.

Suppose you don’t have an Azure AD subscription, then better to start with an Enterprise Mobility Suite (EMS) trial account, Azure Free Trial Account (Azure trial account is already created EMS trial account), and Office 365 free trial subscription. To get these trail accounts, it’s better to create a NEW outlook.com account and get ready with Credit Card details to activate the Azure trial subscription. 

Getting a trial version of Azure AD, Office 365, and Intune is a very straightforward process if you have never done this same process with your credit card and mobile number. Azure AD and Office 365 are prerequisites for Intune if you want to test/trial all the features of Intune.

Note:- Intune can be signed up separately as well from here. If you feel you are interested in testing only Intune now, this is the way.

How to start using Microsoft Intune Console

Once you have completed the subscription things and you can log in to Microsoft Intune (http://manage.microsoft.com/) portal (Silverlight is a must for Intune console to work). Internet Explorer with Silverlight plugin is the best internet browser for Intune console.

However, Intune console will work on any internet browser which can add Silverlight as a plugin. In the future, maybe, Intune console will work without the Silverlight plugin, and I would love to see this very soon.

The following documentation is where you can start reading about all the Intune topics:- Microsoft documentation Intune quick start guide here.

How to select the MDM authority from Intune console?

For me, MDM authority and management options are very important. Please note once you set MDM (Mobile Device Management) authority to Intune in the following place at Intune console, then you won’t be able to change it.

To change Intune MDM authority, you have to raise a ticket with CSS or service request via Intune/office 365 portal. So be very careful when you click on any links on the following page at Intune console.

What are types of Management Authority do we have for Intune?

1. Microsoft Intune
2. Configuration Manager (SCCM)
3. Office 365 (lightweight Intune)

Quick question:- Do I need to re-enroll devices if MDM authority is changed from o365 MDM to Intune MDM? – It is working without re-enrolment of devices, just a compliance check, and everything looks ok on the device. I think I heard it’s supported as both use Intune for MDM.

How to start managing Windows/iOS /Android devices with Intune?

Managing Windows devices is very straightforward. Yes, Windows 10 management is very straightforward; earlier we need to have side loading and key SEP certificates to manage/deploy app Windows, windows phone devices.

Now, most of these certificates and sideloading key requirements have been removed for most scenarios. Managing Android devices is also very straightforward. It’s 10 minutes of work to sync your Windows Store for Business and Microsoft Intune. More details in the post “Integrate Windows Store for business” are here.

If you want to install store apps without using a Microsoft account, read the blog post “How to Add Apps to Business Store and Install Intune Company Portal without Using MS Account” here.

However, iOS\MAC OS device management has certificate requirements, and we need to go to the apple portal, upload your cert for the tenant, and get the certificate for your Intune tenant.

The process for SCCM CB is explained in the following video, but the process is similar for Intune. More details here Microsoft document specifically for Intune.

How to Deploy MSI applications to Windows PCs using Intune?

Similar to SCCM, Intune can also deploy different kinds of applications to different types of devices. The types of applications that Intune supports now are EXE, MSI (Windows Installer and Windows Installer through MDM), APK, IPA, XAP, APPX – APPXBUNDLE for Windows app package and Windows Phone app package. We can make software or application available to devices via 3 methods.

1. Software Installer – select the type of software you want to install
2. External Link – this can be used for deploying the applications in Google Store via deep linking
3. Managed iOS apps from Apps Store – this can be used to deploy the apps in the apple store via the deep linking method

The following post will help understand the process of deploying applications using Intune “How to Deploy Applications and MAM Policies to Mobile Devices Using Intune Part 1” – here. More details about deploying the application via Intune are given in the following links here and here.

How to create policies within Intune console?

Creating policies in Intune are one of the other thing important step as part of Intune configuration and device management through Intune. Following is the list of policies you can create and deploy via Intune.

• Configuration Policies
• Compliance Policies
• Dynamics CRM Online Conditional Access Policy
• Exchange Online Conditional Access Policy
• Exchange On-premises Conditional Access Policy
• SharePoint Online Conditional Access Policy
• Skype for Business Online Conditional Access Policy
• MAM Application Policy
• MAM Browser Policy

What is the difference between Intune Configuration Policy and Intune Compliance Policy:- In some cases, you can see similar kinds of settings in compliance and configuration policies. So what is the exact difference? Compliance policy works with conditional access policies however configuration policies are independent of conditional access. Compliance policies can deploy ONLY to USERS, whereas Configuration policies can be deployed to both Devices and Users.

Compliance policy won’t force the device to change the configuration at device rather it will wait until the device gets into the compliance stage to provide access to company resources like mail/SharePoint (in case of Conditional access policy is set). Configuration policy forces the device or user to change the configuration setting mentioned in the policy (arguably not true in all the scenarios).

The following video will explain to you how to create and Deploy Intune Compliance Policies from the console.

What are MAM (Mobile Application Management) policies?

Mobile Application Management policies are application specific policies that you can set up via Intune. What is the difference between configuration, Compliance policies, and MAM policies? Configuration and Compliance policies are for the entire device. It’s applicable for everything on the device. MAM policies will get applied only to the application with which it’s associated.

The following post will guide you through the process of deploying MAM policies to iOS or Android devices “How to Deploy Applications and MAM Policies to Mobile Devices Using Intune” – here. Microsoft Intune documentation about MAM policy creation here.

What is MAM without MDM enrolment (MAM WE – MAM Less MDM)?

This one another policy type in Intune. What is the difference between MAM with MDM enrolment and MAM without MDM enrolment? This is Mobile Application Management policies without enrolling to Intune. These policies are really helpful in BYOD/personal devices to get access to corporate mail and SharePoint, etc., securing the corporate data.

Why Intune option is visible in the Azure portal (https://portal.azure.com/)? This is good news for SCCM/Intune admins. We are getting new features in Intune. This time it’s Intune MAM (Mobile Application Management) without MDM enrolment.

For full management of mobile devices, we need to use the original Intune portal (https://manage.microsoft.com). It was a regular question in forums and other communities that can Intune coexist with other MDM products like Airwatch or Mobile Iron. More details here.

How to Manually Add Users to Intune Console?

How to add users to Intune console, and how to provide permissions to users in Intune console? We don’t have to do this when Intune Silverlight console is migrated to the Azure portal?? Before you try to provide service administrator access (Only limited roles available in Intune Silverlight console Full Access, Read-Only access, or Helpdesk – Group Node access) to users in Intune, you should make sure the administrator or server administrator user is already available in Intune administrator console. More info here.

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…