MDM is one of the primary features of Microsoft's Intune platform. It allows businesses to manage a wide range of devices, including phones, tablets, laptops, and desktops. These can be corporate-owned devices, or personal "bring your own device" (BYOD) hardware that is allowed access to corporate resources and applications.
In the BYOD case, Intune can compartmentalize the device so that business data is protected and managed while the user's personal data stays outside corporate management. Businesses thus get the best of both worlds: the end user supplies the hardware, and the organization keeps control over the security, management, and isolation of its own data.
Intune has a wide range of other features, including:
- Set up policies that control which data and networks the device can access
- Authenticate apps on devices
- Control information sharing from the managed device
- Align devices with specific security requirements
For managed personal devices, Intune allows administrators to:
- See which devices are enrolled
- Inventory the devices that access business resources
- Require specific health checks and security standards before a device is allowed to connect
- Manage certificates
- Report, for example, on which devices are out of compliance
- Remove organization data if the device is lost or stolen or the employee has left the company
MDM vs. CSP ^
You may see the terms MDM and CSP used together when Microsoft Intune is discussed. CSP stands for configuration service provider. Intune is not a CSP; it is the MDM server. A CSP is to the Intune MDM what a client-side extension (CSE) is to Group Policy: Intune sends the desired settings to the device (over the OMA-DM protocol, as SyncML), and the CSP on the device is the component that actually reads and writes them. Windows 10 ships with a large set of CSPs (the Policy CSP, the Firewall CSP, the BitLocker CSP, and so on), each covering one area of configuration, and a setting can only be managed through MDM if a CSP exists for it.
Enrolling devices in Intune MDM ^
Microsoft Intune is now housed as part of the Microsoft Endpoint Manager solution. The management portal is located at https://endpoint.microsoft.com.
Enrollment in Microsoft Intune can be carried out by the user or by an administrator:
- Users can self-enroll using:
  - the Company Portal app from the Microsoft Store
  - MDM-only enrollment (Settings > Accounts > Access work or school)
  - Azure Active Directory (Azure AD) join
- Admins can configure policies to force automatic enrollment through:
  - Hybrid Azure AD join
  - Configuration Manager co-management
  - Device enrollment manager
  - Bulk enrollment
  - Enrollment of Windows IoT Core devices
To understand the best practices and use cases for each enrollment method, see Microsoft's documentation on Intune enrollment method capabilities for Windows devices. Let's see how to use the Company Portal app from the Microsoft Store to enroll a Windows 10 device in Intune.
The Company Portal app is a free application found in the Microsoft Store. Use it to onboard your workstation into Intune.
After installation, you will be asked to sign in. If the user is already signed in to Windows with the organization account, the app picks up that sign-in and does not prompt again.
Note the directive to Allow my organization to manage my device.
The device synchronizes with your organization and applies its policies.
After logging in and synchronizing, the app is connected.
You will now see a message that says This device hasn't been set up for corporate use yet. Select this message to begin setup.
At this point, you have added a corporate account to the device. However, it still needs to be connected to work.
Click the Connect button.
You will be prompted to set up a work or school account. The organization account is prepopulated for you based on the account signed in to the Company Portal.
The device is set up after confirming the sign-in.
The device successfully connects to the work account.
The device is fully connected and is managed by the Endpoint Manager Intune MDM solution.
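As an added example (not part of the original article), here is a PowerShell script that verifies the enrollment from the device side and also shows the CSP-written policy store described in the MDM vs. CSP section above. It assumes an elevated session on an enrolled Windows 10 PC; the registry paths, the PushLaunch scheduled task and dsregcmd.exe are standard Windows components, while the function names and output columns are my own. Get-MdmPolicyAreas only returns something once Intune has delivered Policy CSP settings.

```powershell
# Added example, not from the original article. Verifies an Intune MDM enrollment
# from the enrolled Windows 10 PC and triggers a policy sync. Run elevated.
# Assumes: an Intune enrollment (ProviderID "MS DM Server") and dsregcmd.exe present.

function Get-IntuneEnrollment {
    # Every MDM enrollment gets a GUID-named subkey here. The Intune one has
    # ProviderID "MS DM Server"; UPN and EnrollmentType say who enrolled and how.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction Stop |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object @{ n = 'EnrollmentId'; e = { $_.PSChildName } },
                      UPN, EnrollmentType, EnrollmentState, DiscoveryServiceFullURL
}

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines; keep only the join/MDM fields.
    $wanted = 'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined', 'MdmUrl', 'MdmComplianceUrl'
    $result = [ordered]@{}
    & dsregcmd.exe /status | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s*:\s*(.+?)\s*$' -and $wanted -contains $Matches[1]) {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]$result
}

function Get-MdmPolicyAreas {
    # Policy CSP settings pushed by the MDM land under PolicyManager\current\device,
    # one subkey per policy area. This is the local evidence that a CSP, not a
    # Group Policy CSE, wrote the setting. Values ending in _ProviderSet and
    # _WinningProvider are bookkeeping, so they are filtered out of the listing.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Area     = $_.PSChildName
                Settings = ($_.GetValueNames() |
                            Where-Object { $_ -notmatch '_(ProviderSet|WinningProvider)$' }) -join ', '
            }
        }
}

function Start-IntuneSync {
    # The enrollment client is driven by scheduled tasks under
    # \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\. Starting PushLaunch is
    # equivalent to the Sync button in Settings > Accounts > Access work or school.
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -TaskName 'PushLaunch' |
        Start-ScheduledTask
}

$enrollment = Get-IntuneEnrollment
if (-not $enrollment) {
    Write-Warning 'No Intune (MS DM Server) enrollment found on this device.'
    return
}
$enrollment        | Format-List
Get-DsregStatus    | Format-List
Get-MdmPolicyAreas | Format-Table -AutoSize
Start-IntuneSync
```

If Get-IntuneEnrollment returns nothing while the Company Portal app claims the device is connected, the account was added as a work account without MDM enrollment; the dsregcmd output (WorkplaceJoined YES, no MdmUrl) confirms that state.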
Managing Windows from the Intune MDM interface ^
After enrolling, you will see your device appear in Microsoft Endpoint Manager under Windows devices.
If you sign in to your Windows 10 workstation with the organization account first and then connect using the Company Portal app, the device is onboarded as corporate instead of personal. Ownership is worth getting right, because Intune limits the data it collects (for example, no full app inventory) and the remote actions it offers on personally owned devices.
Once a Windows 10 machine is onboarded, note the remote actions available for managing it. Options include:
- Remote lock
- Reset passcode
- Collect diagnostics
- Fresh start
- Autopilot reset
- Quick scan
- Full scan
- Update Windows Defender security intelligence
- BitLocker key rotation
- Rename device
You can also assign applications to Windows 10 PCs that are onboarded into the Intune MDM. Note below that Microsoft 365 apps for Windows 10 have been assigned to the WIN10TEST PC and are pending installation.
Intune Endpoint Security options ^
Microsoft Intune MDM provides a wealth of security options for IT admins to control managed devices. In the Endpoint Security dashboard, you can manage:
- Disk encryption
- Endpoint detection and response
- Attack surface reduction
- Account protection
- Device compliance
- Conditional access
In addition, you can easily apply security baselines to remote Windows devices.
It also provides visibility into security issues: the report under Endpoint security > Firewall > Windows 10 MDM devices with firewall off lists the managed Windows 10 PC on which the firewall is turned off.
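As an added example (not from the original article), the same "which devices are out of compliance" view can be pulled with the Microsoft Graph PowerShell SDK instead of from the portal, which makes it easy to feed into a ticketing or SIEM pipeline. It assumes the Microsoft.Graph.DeviceManagement module is installed and an account that can consent to DeviceManagementManagedDevices.Read.All; the function name, the stale check-in threshold and the output columns are my choices, not anything Intune defines.

```powershell
# Added example, not from the original article. Lists Windows devices managed by
# Intune that are not in the compliant state and flags devices that have stopped
# checking in. Requires: Install-Module Microsoft.Graph.DeviceManagement and an
# account that can grant DeviceManagementManagedDevices.Read.All.

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' | Out-Null

function Get-NonCompliantWindowsDevices {
    param([int] $StaleAfterDays = 7)   # threshold is an assumption; tune to your check-in policy

    # Server-side filter on operatingSystem; the compliance filter is done client-side
    # because managedDevice supports only a limited set of OData filters.
    Get-MgDeviceManagementManagedDevice -All -Filter "operatingSystem eq 'Windows'" |
        Where-Object { $_.ComplianceState -ne 'compliant' } |
        ForEach-Object {
            [pscustomobject]@{
                Device       = $_.DeviceName
                User         = $_.UserPrincipalName
                Compliance   = $_.ComplianceState          # noncompliant, inGracePeriod, unknown, ...
                Ownership    = $_.ManagedDeviceOwnerType   # company or personal
                Agent        = $_.ManagementAgent
                OSVersion    = $_.OSVersion
                LastSync     = $_.LastSyncDateTime
                # A device that stopped checking in is a different problem from one that
                # fails a setting: it may be off, lost, or its enrollment may be broken.
                StaleCheckIn = ($_.LastSyncDateTime -lt (Get-Date).AddDays(-$StaleAfterDays))
            }
        }
}

Get-NonCompliantWindowsDevices | Sort-Object LastSync | Format-Table -AutoSize
```

Sorting by last sync puts the devices that have not reported in at the top; those are the ones a Conditional Access policy keyed on compliance will block first, so they deserve attention before the ones that merely failed a setting.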
Let's see how to use Intune's Endpoint security policies to ensure that the Windows Firewall is enabled for all profiles. Click Endpoint security > Firewall > Create policy.
This begins the Create profile wizard. Name the new policy.
Next, under the configuration settings, we can specify the firewall settings to apply. Below, we enable the Windows Firewall for all profiles.
Additionally, you can set scope tags. Next, determine the Windows 10 PCs to which the policy applies.
Review the settings and create the policy.
After the Windows 10 PC synchronizes settings and policies with Intune, the Windows Firewall settings are remediated and turned on for all configured profiles. The policy is applied on the device's next MDM check-in; to force one, use the Sync button in Settings > Accounts > Access work or school, or sync from the Company Portal app.
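As an added example (not in the original article), the following PowerShell checks on the enrolled PC whether the policy actually took effect. It compares the effective firewall state (ActiveStore) with the locally persisted setting (PersistentStore): a profile that is on in the active store but off in the persistent store is being enforced by a policy store, which is what you want to see after Intune remediates it. It assumes an elevated session on a Windows 10 PC with the built-in NetSecurity module; the function name and output columns are my naming, not anything from Intune.

```powershell
# Added example, not from the original article. Confirms the Intune firewall
# policy on the device: every profile must be enabled in the effective (ActiveStore)
# configuration. Run elevated on the enrolled Windows 10 PC.

function Test-FirewallProfileCompliance {
    param([string[]] $Profiles = @('Domain', 'Private', 'Public'))

    $active     = Get-NetFirewallProfile -PolicyStore ActiveStore      # effective, policy merged in
    $persistent = Get-NetFirewallProfile -PolicyStore PersistentStore  # local configuration only

    foreach ($name in $Profiles) {
        $a = $active     | Where-Object Name -eq $name
        $p = $persistent | Where-Object Name -eq $name
        # Enabled is a GpoBoolean (True / False / NotConfigured), so compare by name
        # rather than casting to [bool], which would turn NotConfigured into $true.
        $effectiveOn = ($a.Enabled -eq 'True')
        $localOn     = ($p.Enabled -eq 'True')
        [pscustomobject]@{
            Profile          = $name
            EffectiveOn      = $effectiveOn
            LocalSettingOn   = $localOn
            EnforcedByPolicy = ($effectiveOn -and -not $localOn)   # a policy store (MDM or GPO) overrides local
            DefaultInbound   = $a.DefaultInboundAction
            Compliant        = $effectiveOn
        }
    }
}

$report = Test-FirewallProfileCompliance
$report | Format-Table -AutoSize

$off = $report | Where-Object { -not $_.Compliant }
if ($off) {
    Write-Warning ("Firewall is off for: {0}. Forcing an Intune sync and re-checking." -f ($off.Profile -join ', '))
    # Same sync the Company Portal app triggers: start the enrollment client's PushLaunch task.
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -TaskName 'PushLaunch' | Start-ScheduledTask
    Start-Sleep -Seconds 90
    Test-FirewallProfileCompliance | Format-Table -AutoSize
}
```

If a profile stays off after the sync, check whether the policy's assignment actually includes this device and whether another policy store (a domain GPO on a hybrid-joined machine) sets the same value, since the effective state is the merge of all of them.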
Wrapping up ^
There are many options for enrolling your Windows 10 PCs in Intune. This can be accomplished from both the user side and by an administrator.
As shown, the Company Portal app is an easy way to onboard Windows 10 clients, including BYOD. Managing your Windows 10 clients using the MDM interface is made possible by the CSP functionality in Windows 10. It allows the application of policy settings from Intune, much like settings are applied from Group Policies in on-premises Active Directory.