
Table of Contents

Introduction
What is the Azure portal?
What is Intune for Education?
Intune features in Azure
Sign up for a free trial
What's new
What's new in the app UI
What's new archive (Azure portal)
What's new archive (classic portal)
Device and app lifecycles
Device lifecycle
App lifecycle
Common scenarios
Known issues
Get support
Plan deployment
Planning guide
Determine goals and objectives
Identify scenarios
Determine requirements
Develop a rollout plan
Develop a communication plan
Develop a support plan
Design
Implement
Test and validate
Additional resources
Migration guide
Prepare Intune
Migration campaign
How to
Set up Intune
Prerequisites
Sign into Intune
Configure domains
Add users
Assign licenses
Customize Company Portal
Set the MDM authority
Enroll devices
Setup options
Set up Windows enrollment
Set up Android enrollment
Set up iOS enrollment
Set up macOS enrollment
Manage devices
Wipe device
Bypass activation lock
Factory reset device
Manage Windows Fresh Start
Locate lost iOS device
Enable iOS lost mode
Lock device
Remove company data
Reset passcode
Restart device
Logout current user
Remove user
Remote control for Android
Examine device inventory
Manage users
Get started with groups
Manage apps
Add apps
Assign apps
Monitor apps
iOS app configuration profiles
Android app configuration profiles
Use iOS app provisioning profiles
Selectively wipe apps
Work with volume-purchased apps and books
Configure the Company Portal app
Configure the Managed Browser
Configure devices
Configure device profiles
Configure device features
Configure device restrictions
Configure email settings
Configure VPN settings
Configure Wi-Fi settings
Configure Windows 10 edition upgrade settings
Windows 10 endpoint protection
Configure Windows 10 education settings
Configure iOS education settings
Configure iOS education shared devices
Configure Windows Update for Business settings
Configure certificates
Configure Windows Information Protection settings
Assign profiles
Monitor profiles
Troubleshoot profiles
Set device compliance
Prerequisites
Create Android policy
Create Android for Work policy
Create iOS policy
Create Windows policy
Create Actions for noncompliance
Monitor device compliance
Set up conditional access
Common ways to use conditional access
App-based conditional access
Install Exchange on-premises connector
Create and assign conditional access policy
Set up app-based conditional access
ADAL and Intune
Monitor conditional access compliance
Protect app and device data
Use app protection policies
Mobile Threat Defense
Network access control
Set up Windows Hello
Manage roles
Use the helpdesk operator role
Manage PCs with software agent
Compare PC management
Install the PC client
Common PC management tasks
Policies to protect Windows PCs
Add apps for Intune client PCs
Manage license agreements
Resolve policy conflicts
Educate users
Company Portal messages
MAM-enabled apps on Android
MAM-enabled apps on iOS
How to get Android apps
How to get iOS apps
How to get Windows apps
Monitor and troubleshoot
Monitor telecom expenses
Develop and customize
Configure custom device settings
Android
iOS
macOS
Windows Phone 8.1
Windows 10
Android for Work
Prepare LOB apps for MAM
App Wrapping Tool for iOS
App Wrapping Tool for Android
Sideload Windows apps
Intune App SDK
Get started with Intune App SDK
Intune App SDK for iOS
Intune App SDK for Android
Intune App SDK Cordova plugin
Intune App SDK Xamarin component
How to use Intune Graph APIs
Intune Graph API
Glossary
What is Intune?
6/19/2017 6 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

Intune is a cloud-based enterprise mobility management (EMM) service that helps enable your workforce to be
productive while keeping your corporate data protected. With Intune, you can:
Manage the mobile devices your workforce uses to access company data.
Manage the mobile apps your workforce uses.
Protect your company information by helping to control the way your workforce accesses and shares it.
Ensure devices and apps are compliant with company security requirements.
Intune integrates closely with Azure Active Directory (Azure AD) for identity and access control, and Azure
Information Protection for data protection.
Together, Office 365 and Enterprise Mobility + Security (EMS) enable your workforce to be productive on all of
their devices while keeping your organization's information protected. Office 365 with EMS is a complete,
integrated suite for enterprise mobility inclusive of productivity, identity, access control, management, and data
protection. It gives you an effective way to deploy and operate a mobility solution in your organization.

How does Intune work?


Intune provides mobile device management (MDM) and mobile app management (MAM). Intune's MDM and MAM
features then contribute to the EMS suite of data protection and compliance scenarios.
How you'll use the MDM/MAM features of Intune and EMS data protection depends on the business problem
you're trying to solve. For example:
You'll make strong use of MDM if you're creating a pool of single-use devices to be shared by shift workers in a
retail store.
You'll lean on MAM and data protection if you allow your workforce to use their personal devices to access
corporate data (BYOD).
If you are issuing corporate phones to information workers, you'll rely heavily on all of the technologies.

Intune mobile device management (MDM) explained


MDM works by using the protocols or APIs that are available in the mobile operating systems. It includes tasks like:
Enrolling devices into management so IT has an inventory of devices that are accessing corporate services
Configuring devices to ensure they meet company security and health standards
Providing certificates and Wi-Fi/VPN profiles to access corporate services
Reporting on and measuring device compliance to corporate standards
Removing corporate data from managed devices
Sometimes, people think that access control to corporate data is an MDM feature. We don't think of it that way
because it isn't something that the mobile operating system provides. Rather, it's something the identity provider
delivers. In our case, the identity provider is Azure Active Directory (Azure AD), Microsoft's identity and access
management system.
Intune integrates with Azure AD to enable a broad set of access control scenarios. For example, you can require a
mobile device to be compliant with corporate standards as defined in Intune before the device can access a
corporate service like Exchange. Likewise, you can lock down the corporate service to a specific set of mobile apps.
For example, you can lock down Exchange Online to only be accessed by Outlook or Outlook Mobile.

Intune mobile app management (MAM) explained


When we talk about MAM, we are talking about the set of things our solutions enable IT Pros to do with mobile
apps, such as:
Publishing mobile apps to employees
Configuring apps
Controlling how corporate data is used and shared in mobile apps
Removing corporate data from mobile apps
Updating mobile apps
Reporting on mobile app inventory
Tracking mobile app usage
We have seen the term MAM used to mean any one of those things individually or to mean specific combinations.
In particular, it's common for folks to conflate the concept of app configuration (that is, using technologies like
managed app configuration on iOS) with the concept of securing corporate data within mobile apps. That's
because some mobile apps expose settings that allow their data security features to be configured.
That, in combination with operating system features for protecting data (for example, MDM features such as
Windows Information Protection on Windows 10), gives a lot of protection to data on mobile devices.
When you use Intune with the other services in EMS, you can provide your organization mobile app security over
and above what is provided by the mobile operating system and the mobile apps themselves through app
configuration. An app that is managed with EMS has access to a broader set of mobile app and data protections
that includes:
Single sign-on
Multi-factor authentication
App conditional access - allow access if the mobile app contains corporate data (Classic console)
Isolating corporate data from personal data inside the same app (Classic console)
App protection policy (PIN, encryption, save-as, clipboard, etc.) (Classic console)
Corporate data wipe from a mobile app
Rights management support
Intune mobile app security
Providing app security is a part of MAM, and in Intune, when we talk about mobile app security, we mean:
Keeping personal information isolated from corporate IT awareness
Restricting the actions users can take with corporate information such as copy, cut/paste, save, and view
Removing corporate data from mobile apps, also known as selective wipe or corporate wipe
One way that Intune provides mobile app security is through its app protection policy feature. App protection
policy uses Azure AD identity to isolate corporate data from personal data. Data that is accessed using a corporate
credential will be given additional corporate protections.
When a user logs on to her device with her corporate credentials, her corporate identity allows her access to data
that is denied to her personal identity. As that corporate data is used, Intune, along with other EMS technologies,
controls how it is saved and shared. Those same protections are not applied to data that is accessed when the user
logs on to her device with her personal identity. In this way, IT has control of corporate data while the end user
maintains control and privacy over personal data.

EMM with and without device enrollment


Most enterprise mobility management solutions support basic mobile device and mobile app technologies. These
are usually tied to the device being enrolled in your organization's MDM solution. Intune supports these scenarios
and additionally supports many "without enrollment" scenarios.
Organizations differ in the extent to which they adopt "without enrollment" scenarios. Some organizations
standardize on it. Some allow it for companion devices such as a personal tablet. Others don't support it at all. Even
in this last case, where an organization requires all employee devices to be enrolled in MDM, these organizations
typically support "without enrollment" scenarios for contractors, vendors, and for other devices that have a specific
exemption.
You can even use Intune's without-enrollment technology on enrolled devices. For example, a device enrolled in
MDM may have open-in protections provided by the mobile operating system. (Open-in protection is an iOS
feature that restricts you from opening a document from one app, like Outlook, into another app, like Word, unless
both apps are managed by the MDM provider.) In addition, IT may apply the app protection policy to EMS-
managed mobile apps to control save-as or to provide multi-factor authentication.
Whatever your organization's position on enrolled and unenrolled mobile devices and apps, Intune, as a part of
EMS, has tools that will help increase your workforce productivity while protecting your corporate data.
Common business problems that Intune helps solve
The following list of business problems links to more detailed information about the solutions we can provide. Only
the last item requires MDM enrollment as part of the solution:
Protect your on-premises email and data so that it can be accessed by mobile devices
Protect your Office 365 mail and data so that it can be safely accessed by mobile devices
Issue corporate-owned phones to your workforce
Offer a bring-your-own-device (BYOD) or personal device program to all employees
Enable your employees to securely access Office 365 from an unmanaged public kiosk
Issue limited-use shared tablets to your task workers
Next steps
Read about some of the common ways to use Intune (Classic console).
Get familiar with the product with a 30-day trial of Intune (Classic console).
Dive into the technical requirements and capabilities (Classic console) of Intune.
Introduction to Microsoft Intune in the Azure portal
6/28/2017 2 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go here.

Microsoft Intune is now in the Azure portal, meaning that the workflows and functionality you are used to are now
different. The new portal offers you new and updated functionality in the Azure portal where you can manage your
organization's mobile devices, PCs, and apps.

IMPORTANT
Don't see the new portal yet?
Existing tenants are being migrated to the new experience. A notification is shown in the Office Message Center before your
tenant migrates.
Intune accounts created before January 2017 require a one-time migration before Apple Enrollment workflows are available
in Azure. The schedule for migration has not been announced yet. If your existing account cannot access the Azure portal, we
recommend creating a trial account.
Review the list of potential blockers:
https://blogs.technet.microsoft.com/intunesupport/2017/05/17/intune-migration-blockers-for-grouping-targeting/

You can find information about the new portal in this library, and it is continually updated. If you have suggestions
for topics you'd like to see, leave feedback in the topic comments. We'd love to hear from you.
Highlights of the new experience include:
An integrated console for all your Enterprise Mobility + Security (EMS) components
An HTML-based console built on web standards
Microsoft Graph API support to automate many actions
Azure Active Directory (AD) groups to provide compatibility across all your Azure applications
Support for most modern web browsers
If you are looking for documentation for the classic Intune console, see the Intune documentation library.

Before you start


To use Intune in the Azure portal, you must have an Intune admin and tenant account. Sign up for an account if you
don't already have one.

Supported web browsers for the Azure portal


The Azure portal runs on most modern PCs, Macs, and tablets. Mobile phones are not supported. Currently, the
following browsers are supported:
Microsoft Edge (latest version)
Microsoft Internet Explorer 11
Safari (latest version, Mac only)
Chrome (latest version)
Firefox (latest version)
Check the Azure portal for the latest information about supported browsers.

What's in this library?


The documentation reflects the layout of the Intune portal to make it easier to find the information you need.

Introduction and get started


This section contains introductory information that helps you get started using Intune.
Plan and design
Information to help you plan and design your Intune environment.
Device enrollment
How to get your devices managed by Intune.
Device compliance
Define a compliance level for your devices, then report any devices that are not compliant.
Device configuration
Understand the profiles you can use to configure settings and features on devices you manage.
Devices
Get to know the devices you manage with inventory and reports.
Mobile apps
How to publish, manage, configure, and protect apps.
Conditional access
Restrict access to Exchange services depending on conditions you specify.
On-premises access
Configure access to Exchange ActiveSync and Exchange on-premises.
Users
Learn about the users of devices you manage and sort resources into groups.
Groups
Learn about how you can use Azure Active Directory groups with Intune.
Intune roles
Control who can perform various Intune actions, and who those actions apply to. You can either use the built-in
roles that cover some common Intune scenarios, or you can create your own roles.
Software updates
Learn about how to configure software updates for Windows 10 devices.

What's new?
Find out what's new in Intune.
What is Intune for Education?
6/19/2017 1 min to read

Intune for Education is designed to enable your teachers and students to be productive while keeping school data
protected. Intune is a cloud-based enterprise mobility management (EMM) service that is the foundation for Intune
for Education.

Intune for Education lets you manage Windows 10 devices using the full MDM capabilities available in Intune.
Intune can also manage additional platforms, such as iOS and Android, and is designed to let you access the full set
of policies in the same console.
Intune for Education can be used by itself, or in harmony with the full device management experience available in
Intune. It can also be used alongside the rest of the tools available in Microsoft Education, which makes it easy for
you to use Intune for Education with other useful educational tools from Microsoft.

With both Intune and Intune for Education, you can:


Manage the mobile devices your workforce uses to access data.
Manage the mobile apps your users access every day.
Protect your organizational information by helping to control the way your users access and share it.
Ensure devices and apps are compliant with security requirements.
Next steps
Get familiar with the product with a 30-day trial of Intune.
Read about the quickest way to start using Intune for Education.
Dive into the technical requirements and capabilities of Intune.
Where did my Intune feature go in Azure?
6/19/2017 4 min to read

We took the opportunity to organize some tasks more logically as we moved Intune into the Azure portal. But every
improvement comes with the cost of learning the new organization. So, we created this reference guide for those of
you who are thoroughly familiar with Intune in the classic console and are wondering how to get something done
in Intune on Azure. If this article doesn't cover a feature you're trying to find, please leave a comment at the end of
the article so we can update it.

Quick reference guide


Each entry lists the feature, its path in the classic console, and its path in Intune on Azure.

Feature: Device Enrollment Program (DEP)
Classic console: Admin > Mobile Device Management > iOS and Mac OS X > Device Enrollment Program
Intune on Azure: Device enrollment > Apple Enrollment > Enrollment Program Token

Feature: Device Enrollment Program (DEP)
Classic console: Admin > Mobile Device Management > iOS and Mac OS X > Device Enrollment Program
Intune on Azure: Device enrollment > Apple Enrollment > Enrollment Program Serial Numbers

Feature: Enrollment Rules
Classic console: Admin > Mobile Device Management > Enrollment Rules
Intune on Azure: Device enrollment > Enrollment Restrictions

Feature: Groups by iOS Serial Number
Classic console: Groups > All Devices > Corporate Pre-enrolled devices > By iOS Serial Number
Intune on Azure: Device enrollment > Apple Enrollment > Enrollment Program Serial Numbers

Feature: Groups by iOS Serial Number
Classic console: Groups > All Devices > Corporate Pre-enrolled devices > By iOS Serial Number
Intune on Azure: Device enrollment > Apple Enrollment > AC Serial numbers

Feature: Groups by IMEI (all platforms)
Classic console: Groups > All Devices > Corporate Pre-enrolled devices > By IMEI (All platforms)
Intune on Azure: Device enrollment > Corporate Device Identifiers

Feature: Corporate Device Enrollment profile
Classic console: Policy > Corporate Device Enrollment
Intune on Azure: Device enrollment > Apple Enrollment > Enrollment Program Profiles

Feature: Corporate Device Enrollment profile
Classic console: Policy > Corporate Device Enrollment
Intune on Azure: Device enrollment > Apple Enrollment > AC Profiles

Feature: Android for Work
Classic console: Admin > Mobile Device Management > Android for Work
Intune on Azure: Device enrollment > Android for Work Enrollment

Feature: Terms and Conditions
Classic console: Policy > Terms and Conditions
Intune on Azure: Device enrollment > Terms and Conditions

Where do I manage groups?


Intune on Azure uses Azure Active Directory (AD) to manage groups.

Where did enrollment rules go?


In the classic console, you could set rules governing the MDM enrollment of mobile and modern Windows and
macOS devices:

These rules applied to all users in your Intune account without exception. In the Azure portal these rules now
appear in two distinct policy types: Device Type Restrictions and Device Limit Restrictions:

The default Device Limit Restriction corresponds to the Device Enrollment Limit in the classic console:
The default Device Type Restriction corresponds to the Platform Restrictions in the classic console:

The ability to allow or block personally owned devices is now managed under the Device Type Restrictions
Platform Configurations:

New restriction capabilities will be added to the Azure Portal only.

Where did Apple DEP go?


In the classic console, you could set up Intune to integrate with Apple's Device Enrollment Program and manually
request synchronization with Apple's service:
In the Azure portal, you set up the Apple Device Enrollment Program with the same steps as in Intune classic:

However, the Sync option in the classic console has been moved to the serial number management workflow, since
the results of a manual sync appear there:

Where did corporate pre-enrolled devices go?


By iOS serial number
In the classic console, you can enroll iOS devices through the Apple Device Enrollment Program (DEP) and the
Apple Configurator tool. Both methods offer device pre-enrollment by serial number and involve the assignment of
special Corporate Device Enrollment profiles. Prior to enrollment, the enrollment profile assignment can be
managed through the Corporate Pre-enrolled Device by iOS Serial Number device group:

This lists serial numbers for both Apple DEP and Configurator enrollment in a single list. To reduce profile
assignment mismatches (DEP profile to AC serial number and vice versa), we have separated the serial numbers into
two lists in the Azure portal:
DEP serial numbers

Apple Configurator serial numbers


By IMEI (all platforms)
In the classic console, you can pre-list the IMEI numbers of devices to mark them as corporate when they enroll
in Intune:

In the Azure console, you must upload the same IMEI numbers to the Corporate Device Identifiers list with a
comma-separated values (CSV) file. The new portal will not support manual entry of IMEI numbers:
Intune in the Azure portal is future-proofed to support other types of identifiers besides IMEI, but currently only
allows IMEI numbers for pre-listing.
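Because the Azure portal only accepts a CSV for IMEI pre-listing, it pays to check the file locally before uploading it: a mistyped digit silently produces an identifier that will never match a real device, so that device enrolls as personal instead of corporate. The following pre-flight checker is an added example written for this page and is not Microsoft's code. It assumes (the page does not state the layout) that each CSV line is `<IMEI>,<details>` with no header row, and it relies on the standard IMEI format of 15 digits ending in a Luhn check digit. The sample rows are constructed for the example.

```python
"""Pre-flight check for a Corporate Device Identifiers CSV of IMEI numbers.

Added example for this page, not Microsoft's code. Assumptions not taken from
the page: each line is "<IMEI>,<details>" with no header row, and details is
free text. The IMEI format (15 digits, last one a Luhn check digit) is the
GSMA standard, not something Intune-specific.
"""
import csv
import io
from typing import Dict, List, Tuple

IMEI_LENGTH = 15


def imei_luhn_ok(imei: str) -> bool:
    """Return True if imei is exactly 15 digits and its Luhn check digit is correct."""
    if len(imei) != IMEI_LENGTH or not imei.isdigit():
        return False
    total = 0
    # Walk from the rightmost digit. Every second digit, starting with the one
    # immediately left of the check digit, is doubled; 10..18 collapse to 1..9.
    for position, ch in enumerate(reversed(imei)):
        digit = int(ch)
        if position % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def validate_identifier_csv(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Split CSV text into accepted (imei, details) rows and human-readable errors.

    Rejects malformed IMEIs, wrong check digits, rows missing the details
    column, and duplicate identifiers, so a bad file is caught before upload.
    """
    accepted: List[Tuple[str, str]] = []
    errors: List[str] = []
    seen: Dict[str, int] = {}  # imei -> first line number it appeared on
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue  # ignore blank lines
        if len(row) < 2:
            errors.append(f"line {lineno}: expected '<IMEI>,<details>', got {row!r}")
            continue
        # Tolerate the grouping people type from a device label, e.g. 49-015420-323751-8.
        imei = row[0].strip().replace(" ", "").replace("-", "")
        details = row[1].strip()
        if not imei_luhn_ok(imei):
            errors.append(f"line {lineno}: {row[0].strip()!r} is not a valid 15-digit IMEI")
            continue
        if imei in seen:
            errors.append(f"line {lineno}: duplicate of line {seen[imei]} ({imei})")
            continue
        seen[imei] = lineno
        accepted.append((imei, details))
    return accepted, errors


def build_identifier_csv(rows: List[Tuple[str, str]]) -> str:
    """Serialize accepted rows back into the two-column layout ready for upload."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for imei, details in rows:
        writer.writerow([imei, details])
    return buf.getvalue()


# Constructed sample input: two valid IMEIs, one with a wrong check digit,
# one with only fourteen digits, one missing its details column, and a duplicate.
SAMPLE_CSV = """490154203237518,Sales floor tablet 01
355651060226140,Warehouse scanner 07
490154203237519,Typo in last digit
49015420323751,Only fourteen digits
355651060226140
355651060226140,Duplicate of warehouse scanner
"""

if __name__ == "__main__":
    good, bad = validate_identifier_csv(SAMPLE_CSV)
    print(build_identifier_csv(good), end="")
    for err in bad:
        print("REJECTED", err)
```

Run it against the real export before uploading; only the rows it prints as clean CSV should go into the Corporate Device Identifiers blade, and each rejected line names the reason so the list owner can correct the source rather than the upload.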

Where did Corporate Device Enrollment profiles go?


To enroll iOS devices through the Apple Device Enrollment Program or with the Apple Configurator tool, you must
supply a Corporate Device Enrollment profile to be assigned to the device. In the classic console, the creation and
management of these profiles was located in a single list:

This list shows profiles enabled for use with the Apple Device Enrollment Program (DEP On) and profiles only
enabled for use with the Apple Configurator tool (DEP Off).
To reduce confusion between the two profile types and potential mismatched assignments (DEP profile to
Configurator devices and vice versa), we have separated creation and management of Enrollment Program profiles
(supporting both Apple's Device Enrollment Program and Apple School Manager) and Apple Configurator profiles:
DEP profiles
Apple Configurator profiles
Sign up for a Microsoft Intune free trial for the Azure
portal
6/29/2017 2 min to read

This article walks you through signing up for a trial of Intune standalone for the Azure portal.
1. Visit the Intune Sign up page and fill out the form to sign up for a trial subscription.
If most of your IT operations and users are in a different locale than you, you may want to select that locale
under Where's your company located?.
2. At the end of the sign-up process, you get a message with your new account information.

At this point, if you click You're ready to go, you are taken to the Office 365 Admin Center, where you can
add users to your test environment.

However, if you want to go directly into the Intune Azure portal, open a new browser window, and enter
https://portal.azure.com in the address bar. You are taken to the Azure sign-in page where you can use
the credentials you were given to sign in. Use this address whenever you want to sign into your Intune trial.
The first time you sign on to the Intune Azure portal, you may not see Intune on your Azure dashboard. To add the
Intune service to your Azure dashboard:
1. Choose More services > in the list of Azure services to the left of the dashboard, and enter Intune in the
search box.
2. Choose Intune from the list, and select the star to add the service to the list of services.
3. Then choose Intune in the list of services to open the Intune dashboard.
When you sign up for a trial, you will also receive an email message that contains your account information at the
email address that you provided during the sign-up process. This email confirms your trial is active.

Keeping the admin experiences straight


There are three portals you use for the Intune Azure portal:
The Intune dashboard in Azure (portal.azure.com) where you can explore the capabilities of Intune in the Azure
portal.
The Office 365 Admin center (portal.office.com) where you can add and manage users if you are not using
Azure Active Directory for that. You can also manage other aspects of your account, including billing and
support.
The classic Intune admin console (manage.microsoft.com) where you can explore features that have not yet
been added to Azure.
Normally, you'll do your work in the Intune dashboard, shown below. This is the site where you set up and manage
your groups, policies, devices, and apps.
You can go to the classic Intune admin console from the dashboard by choosing Classic portal at the top of your
dashboard.
To return to the Intune Azure portal, enter https://portal.azure.com in your browser address bar and then choose
Intune again from the services list.

You use the Office 365 Admin center, shown below, to add and manage your users and other aspects of your
account, including billing and support.
To go from the Office 365 Admin center to the Intune dashboard, enter https://portal.azure.com in your browser
address bar. Choose Intune in the services list.
To get from Intune back to the Office 365 Admin center, enter https://portal.office.com in your browser address
bar. If you are already logged into Intune, you will be taken directly to the Office 365 Admin Center.

Next steps
Intune on Azure
Learn more about Intune in the Azure portal
Classic Intune
Evaluation scenario: Evaluate mobile device management in Microsoft Intune
Integration with other products
Learn more about using your Azure Active Directory user accounts with Intune:
Identity requirements
Directory synchronization requirements
Multi-factor authentication requirements
Learn more about using Intune with System Center Configuration Manager
What's new in Microsoft Intune
6/30/2017 18 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go here.

Learn what's new each week in Microsoft Intune. You can also find out about upcoming changes, important
notices about the service, and information about past releases.

NOTE
Many of these features will eventually be supported for hybrid deployments with Configuration Manager. For more
information about new hybrid features, check out our hybrid What's New page.

Week of June 26th, 2017


Role-based access control
New role-based administration access for Intune admins
A new conditional access admin role is being added to view, create, modify, and delete Azure AD Conditional
Access policies. Previously, only global admins and security admins had this permission. Intune admins can be
granted this role so that they have access to conditional access policies.
Device enrollment
Tag corporate-owned devices with serial number
Intune now supports uploading iOS, macOS, and Android serial numbers as Corporate Device Identifiers. You
can't use serial numbers to block personal devices from enrolling at this time because serial numbers are not
verified during enrollment. Blocking personal devices by serial number will be released in the near future.
Device management
New remote actions for iOS devices
In this release, we've added two new remote device actions for iOS devices:
Logout current user - Logs out the current user of an iOS device you choose.
Remove user - Deletes a user you choose from the local cache on an iOS device.
Using these remote actions, admins are able to manage the user accounts cached on a shared iPad and also log
out the user currently logged into the device.
During enrollment, the admin determines the maximum number of user accounts that can be cached on a device.
"Remove user" allows admins to remove specific users that are cached.
"Logout current user" will log out the user that's currently logged in to the device. This action can be found at the
top of the device overview blade where device actions traditionally exist.
"Remove user" will delete a specified user from the local cache of the device. This action can be found by
navigating to "Monitor" -> "Users" -> right click on a specific user in the list. Any data that is associated with the
user account that hasn't been synced will be lost. Also, it may take up to 24 hours for the user list to reflect that the
user has been removed.
Support for shared iPads with the iOS Classroom app
In this release, we've expanded the support for managing the iOS Classroom app to include students who log into
shared iPads using their managed Apple ID.
App management
Support for offline apps from the Windows Store for Business
Offline apps you purchased from the Windows Store for Business will now be synchronized to the Intune portal.
You can then deploy these apps to device groups, or user groups. Offline apps are installed by Intune, and not by
the store.
Microsoft Teams is now part of the App-based CA list of approved apps
The Microsoft Teams app for iOS and Android is now part of the approved apps for app-based conditional access
policies for Exchange and SharePoint Online. The app can be configured through the Intune App Protection blade
in the Azure portal for all tenants currently using app-based conditional access.
Managed browser and app proxy integration
The Intune Managed Browser can now integrate with the Azure AD Application Proxy service to let users access
internal web sites even when they are working remotely. Users of the browser simply enter the site URL as they
normally would and the Managed Browser routes the request through the application proxy web gateway. For
more information, see Manage Internet access using Managed browser policies.
New app configuration settings for the Intune Managed Browser
In this release, we've added further configurations for the Intune Managed Browser app. You can now use an app
configuration policy to configure the default home page and bookmarks for the browser. This is currently for
Android devices only, but will be available soon for iOS devices. For more information, see Manage Internet access
using Managed browser policies.
Device configuration
BitLocker settings for Windows 10
You can now configure BitLocker settings for Windows 10 devices using a new Intune device profile. For example,
you can require that devices are encrypted, and also configure further settings that are applied when BitLocker is
turned on. For more information, see Endpoint protection settings for Windows 10 and later.
New settings for Windows 10 device restriction profile
In this release, we've added new settings for the Windows 10 device restriction profile, in the following categories:
Windows Defender
Cellular and connectivity
Locked screen experience
Privacy
Search
Windows Spotlight
Edge browser
For more information about Windows 10 settings, see Windows 10 and later device restriction settings.

Week of June 12, 2017


Company Portal app for Android now has a new end user experience for App Protection Policies
Based on customer feedback, we've modified the Company Portal app for Android to show an Access Company
Content button. The intent is to prevent end users from unnecessarily going through the enrollment process
when they only need to access apps that support App Protection Policies, a feature of Intune mobile application
management. You can see these changes on the what's new in app UI page.
New menu action to easily remove Company Portal
Based on user feedback, the Company Portal app for Android has added a new menu action to initiate the removal
of Company Portal from your device. This action removes the device from Intune management so that the app can
be removed from the device by the user. You can see these changes on the what's new in app UI page and in the
Android end user documentation.
Improvements to app syncing with Windows 10 Creators Update
The Company Portal app for Windows 10 will now automatically initiate a sync for app install requests for devices
with Windows 10 Creators Update (version 1703). This will reduce the issue of app installs stalling during the
"Pending Sync" state. In addition, users will be able to manually initiate a sync from within the app. You can see
these changes on the what's new in app UI page.
New guided experience for Windows 10 Company Portal
The Company Portal app for Windows 10 will include a guided Intune walkthrough experience for devices that
have not been identified or enrolled. The new experience provides step-by-step instructions that guide the user
through registering into Azure Active Directory (required for Conditional Access features) and MDM enrollment
(required for device management features). The guided experience will be accessible from the Company Portal
home page. Users can continue to use the app if they do not complete registration and enrollment, but will
experience limited functionality.
This update is only visible on devices running Windows 10 Anniversary Update (build 1607) or higher. You can
see these changes on the what's new in app UI page.

Week of June 5, 2017


Microsoft Intune and Conditional Access admin consoles are generally available
We're announcing the general availability of both the new Intune on Azure admin console and the Conditional
Access admin console. Through Intune on Azure, you can now manage all Intune MAM and MDM capabilities in
one consolidated admin experience, and leverage Azure AD grouping and targeting. Conditional access in Azure
brings rich capabilities across Azure AD and Intune together in one unified console. And from an administrative
experience, moving to the Azure platform allows you to use modern browsers.
Intune is now visible without the preview label in the Azure console at portal.azure.com.
There is no action required for existing customers at this time, unless you have received one of a series of
messages in the message center requesting that you take action so that we can migrate your groups. You may
have also received a message center notice informing you that migration is taking longer due to bugs on our side.
We are diligently continuing work to migrate any impacted customer.
Improvements to the app tiles in the Company Portal app for iOS
We updated the design of the app tiles on the homepage to reflect the branding color you set for the Company
Portal. For more information, see what's new in app UI.
Account picker now available for the Company Portal app for iOS
Users of iOS devices might see our new account picker when they sign into the Company Portal if they use their
work or school account to sign into other Microsoft apps. For more information, see what's new in app UI.

Week of May 29, 2017


Change your MDM authority without unenrolling managed devices
You can now change your MDM authority without having to contact Microsoft Support, and without having to
unenroll and reenroll your existing managed devices. In the Configuration Manager console, you can change your
MDM authority from Set to Configuration Manager (hybrid) to Microsoft Intune (standalone) or vice versa.
Improved notification for Samsung KNOX startup PINs
When end users need to set a start-up PIN on Samsung KNOX devices to become compliant with encryption, the
notification displayed to end users will bring them to the exact place in the Settings app when the notification is
tapped. Previously, the notification brought the end user to the password change screen.
Device enrollment
Apple School Manager (ASM) support with shared iPad
Intune now supports use of Apple School Manager (ASM) in place of Apple Device Enrollment Program to provide
out-of-box enrollment of iOS devices. ASM onboarding is required to use the Classroom app for Shared iPads,
and is required to enable syncing data from ASM to Azure Active Directory via Microsoft School Data Sync (SDS).
For more information, see Enable iOS device enrollment with Apple School Manager.

NOTE
Configuring Shared iPads to work with the Classroom app requires iOS Education configurations in Azure that are not yet
available. This functionality will be added soon.

Device management
Provide remote assistance to Android devices using TeamViewer
Intune can now use the TeamViewer software, purchased separately, to enable you to give remote assistance to
your users who are running Android devices. For more information, see Provide remote assistance for Intune
managed Android devices.
App management
New app protection policies conditions for MAM
You can now set a requirement for MAM without enrollment users that enforces the following policies:
Minimum application version
Minimum operating system version
Minimum Intune APP SDK version of the targeted application (iOS only)
This feature is available on both Android and iOS. Intune supports minimum version enforcement for OS platform
versions, application versions, and Intune APP SDK. On iOS, applications that have the SDK integrated can also set
a minimum version enforcement at the SDK level. The user will be unable to access the targeted application if the
minimum requirements through the app protection policy are not met at the three different levels mentioned
above. At this point, the user may either remove their account (for multi-identity applications), close the
application, or update the version of the OS or application.
You can also configure additional settings to provide a non-blocking notification that recommends an OS or
application upgrade. This notification can be closed and the application may be used as normal.
For more information, see iOS app protection policy settings and Android app protection policy settings.
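As an added illustration (not Intune's own code), the following Python models the evaluation described above: three blocking minimum-version checks (app, OS and, on iOS only, the Intune APP SDK), and only once those pass, the separate non-blocking upgrade recommendation. All class, field and function names are hypothetical, and an app that does not report an SDK version is assumed to fail the SDK check.

```python
"""Model of app protection policy minimum-version conditions.

Added example, not Intune code: names are hypothetical and the sample
policy and launch contexts below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def version_key(version: str) -> Tuple[int, ...]:
    """Split a dotted numeric version such as '10.3.1' into integers."""
    return tuple(int(part) for part in version.strip().split("."))


def meets_minimum(actual: Optional[str], minimum: Optional[str]) -> bool:
    """True when actual >= minimum. No configured minimum passes;
    an unknown actual version fails closed (assumption)."""
    if minimum is None:
        return True
    if actual is None:
        return False
    a, m = version_key(actual), version_key(minimum)
    width = max(len(a), len(m))          # '10.3' compares equal to '10.3.0'
    a += (0,) * (width - len(a))
    m += (0,) * (width - len(m))
    return a >= m


@dataclass
class AppProtectionPolicy:
    platform: str                           # "ios" or "android"
    min_app_version: Optional[str] = None   # block below this
    min_os_version: Optional[str] = None    # block below this
    min_sdk_version: Optional[str] = None   # block below this (iOS only)
    warn_app_version: Optional[str] = None  # non-blocking recommendation
    warn_os_version: Optional[str] = None   # non-blocking recommendation


@dataclass
class LaunchContext:
    platform: str
    app_version: str
    os_version: str
    sdk_version: Optional[str] = None       # reported by an SDK-integrated app
    multi_identity: bool = False            # app supports removing one account


@dataclass
class Decision:
    outcome: str                            # "allow", "warn" or "block"
    reasons: List[str] = field(default_factory=list)
    user_options: List[str] = field(default_factory=list)


def evaluate_launch(policy: AppProtectionPolicy, ctx: LaunchContext) -> Decision:
    """Blocking checks first at all three levels; recommendations are
    considered only when none of the blocking checks fail."""
    if policy.platform != ctx.platform:
        raise ValueError("policy platform does not match launch platform")
    failures = []
    if not meets_minimum(ctx.app_version, policy.min_app_version):
        failures.append(f"app {ctx.app_version} < required {policy.min_app_version}")
    if not meets_minimum(ctx.os_version, policy.min_os_version):
        failures.append(f"OS {ctx.os_version} < required {policy.min_os_version}")
    # The SDK-level minimum only applies to iOS apps with the SDK integrated.
    if ctx.platform == "ios" and not meets_minimum(ctx.sdk_version, policy.min_sdk_version):
        failures.append(f"Intune APP SDK {ctx.sdk_version} < required {policy.min_sdk_version}")
    if failures:
        options = ["close the application", "update the OS or application"]
        if ctx.multi_identity:
            options.insert(0, "remove the work account")
        return Decision("block", failures, options)

    warnings = []
    if not meets_minimum(ctx.app_version, policy.warn_app_version):
        warnings.append(f"app {ctx.app_version} < recommended {policy.warn_app_version}")
    if not meets_minimum(ctx.os_version, policy.warn_os_version):
        warnings.append(f"OS {ctx.os_version} < recommended {policy.warn_os_version}")
    if warnings:
        return Decision("warn", warnings, ["dismiss the notification and continue"])
    return Decision("allow")


if __name__ == "__main__":
    # Constructed sample policy: block below app 2.0 / iOS 10.0 / SDK 7.1.13,
    # recommend an OS upgrade below iOS 11.0.
    policy = AppProtectionPolicy("ios", "2.0", "10.0", "7.1.13", warn_os_version="11.0")
    for ctx in (LaunchContext("ios", "2.1", "10.3.1", "7.1.13"),
                LaunchContext("ios", "1.9.5", "12.0", "7.1.13", multi_identity=True),
                LaunchContext("ios", "3.0", "12.1", "8.0")):
        print(ctx.app_version, ctx.os_version, "->", evaluate_launch(policy, ctx))
```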
Configure app configurations for Android for Work
Some Android apps from the store support managed configuration options that let an IT admin control how an
app runs in the work profile. With Intune, you can now view the configurations supported by an app, and
configure them from the Intune portal with a configuration designer or a JSON editor. For more information, see
Use app configurations for Android for Work.
New app configuration capability for MAM without enrollment
You can now create app configuration policies through the MAM without enrollment channel. This feature is
equivalent to the app configuration policies available in the mobile device management (MDM) app configuration.
For an example of app configuration using MAM without enrollment, see Manage Internet access using Managed
browser policies with Microsoft Intune.
Configure allowed and blocked URL lists for the Managed Browser
You can now configure a list of allowed and blocked domains and URLs for the Intune Managed Browser using
app configuration settings in the Azure portal. These settings can be configured regardless of whether it is being
used on a managed or unmanaged device. For more information, see Manage Internet access using Managed
browser policies with Microsoft Intune.
App protection policy helpdesk view
IT Helpdesk users can now check user license status and the status of app protection policy apps assigned to users
in the Troubleshooting blade. For details, see Troubleshooting.
Device configuration
Control website visits on iOS devices
You can now control which websites users of iOS devices can visit using one of the following two methods:
Add permitted and blocked URLs using Apple's built-in web content filter.
Allow only specified websites to be accessed by the Safari browser. Bookmarks are created in Safari for
each site you specify.
For more information, see Web content filter settings for iOS devices.
Preconfigure device permissions for Android for Work apps
For apps deployed to Android for Work device work profiles, you can now configure the permissions state for
individual apps. By default, Android apps that require device permissions such as access to location or the device
camera will prompt users to accept or deny permissions. For example, if an app uses the device's microphone,
then the end user is prompted to grant the app permission to use the microphone. This feature allows you to
define permissions on behalf of the end user. You can configure permissions to a) automatically deny without
notifying the user, b) automatically approve without notifying the user, or c) prompt the user to accept or deny.
For more information, see Android for Work device restriction settings in Microsoft Intune.
Define app-specific PIN for Android for Work devices
Android 7.0 and above devices with a work profile managed as an Android for Work device let the administrator
define a passcode policy that only applies to apps in the work profile. Options include:
Define just a device-wide passcode policy - This is the passcode that the user must use to unlock their entire
device.
Define just a work profile passcode policy - Users will be prompted to enter a passcode whenever any app in the
work profile is opened.
Define both a device and work profile policy - The IT admin has the choice to define both a device passcode policy
and a work profile passcode policy at differing strengths (for example, a four-digit PIN to unlock the device, but
a six-digit PIN to open any work app).
For more information, see Android for Work device restriction settings in Microsoft Intune.

NOTE
This is only available on Android 7.0 and above. By default, the end user can use the two separately defined PINs or they
can elect to combine the two defined PINs into the strongest of the two.

New settings for Windows 10 devices


We've added new Windows device restriction settings that control features like wireless displays, device discovery,
task switching, and SIM card error messages.
Updates to certificate configuration
When creating a SCEP certificate profile, for Subject name format, the Custom option is available for iOS,
Android, and Windows devices. Before this update, the Custom field was available for iOS devices only. For more
information, see How to create a SCEP certificate profile.
When creating a PKCS certificate profile, for Subject alternative name, the Custom Azure AD attribute is
available. The Department option is available when you select Custom Azure AD attribute. For more
information, see How to create a PKCS certificate profile.
Configure multiple apps that can run when an Android device is in kiosk mode
When an Android device is in kiosk mode, you could previously only configure one app that was allowed to run.
You can now configure multiple apps using the app ID, store URL, or by selecting an Android app you already
manage. For more information, see Kiosk mode settings.

Notices
IP addresses for Intune updated
An updated list of DNS names and IP addresses is available for firewall proxy settings.
Use Azure Active Directory for conditional access
Conditional access is available in the Azure Active Directory section of the Azure console and provides a more
powerful and flexible framework for setting policies for cloud apps like Office 365 Exchange Online and
SharePoint Online. Use the Conditional access in Azure Active Directory blade to configure policies instead of
the classic Intune console. Existing policies in the classic Intune console need to be re-created in the Azure console.
For more information, see Create Azure AD conditional access policies.
Direct access to Apple enrollment scenarios
For Intune accounts created after January 2017, Intune has enabled direct access to Apple enrollment scenarios
using the Enroll Devices workload in the Azure portal. Previously, the Apple enrollment preview was only
accessible from links in the classic Intune portal. Intune accounts created before January 2017 require a one-time
migration before these features are available in Azure. The schedule for migration has not been announced yet,
but details will be made available as soon as possible. We strongly recommend creating a trial account to test out
the new experience if your existing account cannot access the Azure portal.
Administration roles being replaced in Azure portal
The existing mobile application management (MAM) administration roles (Contributor, Owner, and Read-Only)
used in the Intune classic portal (Silverlight) are being replaced with a full set of new role-based administration
controls (RBAC) in the Intune Azure portal. Once you are migrated to the Azure portal, you will need to reassign
your admins to these new administration roles. For more information about RBAC and the new roles, see Role-
based access control for Microsoft Intune.

What's coming
Changes in support for the Intune iOS Company Portal app
Coming soon, there will be a new version of the Microsoft Intune Company Portal app for iOS that will support
only devices running iOS 9.0 or later. The version of the Company Portal that supports iOS 8 will still be available
for a very short period of time. However, please note that if you also use MAM-enabled iOS apps we support iOS
9.0 and later, so you'll want to ensure your end users update to the latest OS.
How does this affect me?
We are letting you know this in advance, even though we don't have specific dates, so you have time to plan.
Please ensure your users are updated to iOS 9+ and when the Company Portal app releases, request that your
end users update their Company Portal app.
What do I need to do to prepare for this change?
Encourage your users to update to iOS 9.0 or later to take full advantage of new Intune features. Encourage users
to install the new version of the Company Portal and take advantage of the new features it will offer.
Go to the Intune on Azure portal and view Devices > All Devices and filter by iOS version to see any current
devices with operating systems earlier than iOS 9.
Improved sign in experience across Company Portal apps for all platforms
We are announcing a change that is coming in the next few months that will improve the sign-in experience for
the Intune Company Portal apps for Android, iOS, and Windows. The new user experience will automatically
appear across all platforms for the Company Portal app when Azure AD makes this change. In addition, users can
now sign in to the Company Portal from another device with a generated, single-use code. This is especially useful
in cases when users need to sign in without credentials.
To see screenshots of the previous sign-in experience, the new sign-in experience with credentials, and the new
sign-in experience from another device, see What's new in app UI.
Plan for change: Intune is changing the Intune Partner Portal experience
We are removing the Intune Partner page from manage.microsoft.com beginning with the service update in mid-
May 2017.
If you are a partner administrator, you will no longer be able to view and take action on behalf of your customers
from the Intune Partner page, but will instead need to sign in at one of two other partner portals at Microsoft.
Both the Microsoft Partner Center and the Microsoft Office 365 Partner Admin Center will allow you to sign into
the customer accounts you manage. Moving forward as a partner, please use one of these sites to manage your
customers.
Apple to require updates for Application Transport Security
Apple has announced that they will enforce specific requirements for Application Transport Security (ATS). ATS is
used to enforce stricter security on all app communications over HTTPS. This change impacts Intune customers
using the iOS Company Portal apps.
We have made available a version of the Company Portal app for iOS through the Apple TestFlight program that
enforces the new ATS requirements. If you would like to try it so you can test your ATS compliance, email
CompanyPortalBeta@microsoft.com with your first name, last name, email address, and company name. Review
our Intune support blog for more details.
See also
Microsoft Intune Blog
Cloud Platform roadmap
What's new in the Company Portal UI
What's new in previous months
UI updates for Intune end user apps
6/29/2017 5 min to read

Learn what updates we've made to the UI for apps that your end users will see in this release of Microsoft Intune.
This can help you with user communications and any updating custom documentation that you've created to
support your deployment. It can also help you understand how to better troubleshoot any issues they're facing
should they call helpdesk for support using the Company Portal.

Week of June 26, 2017


Improved sign in experience across Company Portal apps for all platforms
We are announcing a change that is coming in the next few months that will improve the sign in experience for
the Intune Company Portal apps for Android, iOS, and Windows. The new user experience will automatically
appear across all platforms for the Company Portal app when Azure AD makes this change. In addition, users can
now sign in to the Company Portal from another device with a generated, single-use code. This is especially
useful in cases when users need to sign in without credentials.
Below you can see the previous sign in experience, the new sign in experience with credentials, and the new sign
in experience from another device.
Previous sign in experience
New sign in experience
New sign in experience when signing in from another device
Tap the Sign in from another device link.

Launch a browser and go to https://aka.ms/devicelogin.


Enter the code you saw in the Company Portal app. When you select Continue, you will be able to authenticate
using any method that is supported by your company, such as a smartcard.
The Company Portal app will begin signing in.

Week of June 12, 2017


Company Portal app for Android now has a new end user experience for App Protection Policies
Based on customer feedback, we've modified the Company Portal app for Android to show an Access Company
Content button. The intent is to prevent end users from unnecessarily going through the enrollment process
when they only need to access apps that support App Protection Policies, a feature of Intune mobile application
management.
The user will tap on the Access Company Content button instead of beginning to enroll the device.

The user then is taken to the Company Portal website to authorize the app for use on their device, where the
Company Portal website verifies their credentials.

The device can still be enrolled into full management by tapping on the action menu.
Improvements to app syncing with Windows 10 Creators Update
The Company Portal app for Windows 10 will now automatically initiate a sync for app install requests for
devices with Windows 10 Creators Update (version 1703). This will reduce the issue of app installs stalling
during the "Pending Sync" state. In addition, users will be able to manually initiate a sync from within the app.
New guided experience for Windows 10 Company Portal
The Company Portal app for Windows 10 will include a guided Intune walkthrough experience for devices that
have not been identified or enrolled. The new experience provides step-by-step instructions that guide the user
through registering into Azure Active Directory (required for Conditional Access features) and MDM enrollment
(required for device management features). The guided experience will be accessible from the Company Portal
home page. Users can continue to use the app if they do not complete registration and enrollment, but will
experience limited functionality.
This update is only visible on devices running Windows 10 Anniversary Update (build 1607) or higher.
New menu action to easily remove Company Portal
Based on user feedback, the Company Portal app for Android has added a new menu action to initiate the
removal of Company Portal from your device. This action removes the device from Intune management so that
the app can be removed from the device by the user.
Week of June 5, 2017
Improvements to the app tiles in the Company Portal app for iOS
We updated the design of the app tiles on the homepage to reflect the branding color you set for the Company
Portal.
Before

After
Account picker now available for the Company Portal app for iOS
If users have used their work or school account to sign in to other Microsoft apps on their iOS device, then they
may see our new account picker when signing into the Company Portal for the first time.

April 2017
New icons for the Managed Browser and the Company Portal
The Managed Browser is receiving updated icons for both the Android and iOS versions of the app. The new icon
will contain the updated Intune badge to make it more consistent with other apps in Enterprise Mobility +
Security (EM+S).
The Company Portal is also receiving updated icons for the Android, iOS, and Windows versions of the app to
improve consistency with other apps in EM+S. These icons will be gradually released across platforms from April
to late May.
Sign-in progress indicator in Android Company Portal
An update to the Android Company Portal app shows a sign-in progress indicator when the user launches or
resumes the app. The indicator progresses through new statuses, beginning with "Connecting...", then "Signing
in...", then "Checking for security requirements..." before allowing the user to access the app.

Improved app install status for the Windows 10 Company Portal app
The Windows 10 Company Portal app now provides an install progress bar on the app details page. This is
supported for modern apps on devices running the Windows 10 Anniversary Update and up.
Before

After
February 2017
New user experience for the Company Portal app for Android
Beginning in March, the Company Portal app for Android will follow material design guidelines to create a more
modern look and feel. This improved user experience includes:
Colors: tab headers can be colored according to your custom color palette.

Interface: Featured Apps and All Apps buttons have been updated in the Apps tab. The Search button is
now a floating action button.
Navigation: All Apps shows a tabbed view of Featured, All and Categories for easier navigation. Contact
IT has been streamlined for improved readability.

January 2017
Modernizing the Company Portal website
Beginning in February, the Company Portal website will support apps that are targeted to users who do not have
managed devices. The website will align with other Microsoft products and services by using a new contrasting
color scheme, dynamic illustrations, and a "hamburger menu," which will contain helpdesk contact details
and information on existing managed devices. The landing page will be rearranged to emphasize apps that are
available to users, with carousels for Featured and Recently Updated apps.

Coming soon in the UI


These are the plans for ways we will be improving the user experience by updating our user interface.
NOTE
Please note that the images below may be previews, and the announced product may differ from the presented versions.

There are no upcoming announcements to share at this time.


See also
Microsoft Intune Blog
Cloud Platform roadmap
What's new in Intune
What's new in Microsoft Intune - previous months
6/22/2017 15 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

April 2017
Support for managing the Apple Classroom app
You can now manage the iOS Classroom app on iPad devices. Set up the Classroom app on the teacher's iPad with
the correct class and student data, then configure student iPads registered to a class, so that you can control them
using the app. For details, see Configure iOS education settings.
Support for managed configuration options for Android apps
Android apps in the Play store that support managed configuration options can now be configured by Intune. This
feature lets IT view the list of configuration values supported by an app, and provides a guided, first-class UI to
allow them to configure those values.
New Android policy for complex PINs
You can now set a required password type of Numeric complex in an Android device profile for devices that run
Android 5.0 and above. Use this setting to prevent device users from creating a PIN that contains repeating or
consecutive numbers, like 1111 or 1234.
Additional support for Android for Work devices
Manage password and work profile settings
This new Android for Work device restriction policy now lets you manage password and work profile
settings on Android for Work devices you manage.
Allow data sharing between work and personal profiles
This Android for Work device restriction profile now has new options to help you configure data sharing between
work and personal profiles.
Restrict copy and paste between work and personal profiles
A new custom device profile for Android for Work devices now lets you restrict whether copy and paste
actions between work and personal apps are allowed.
For more information, see Device restrictions for Android for Work.
Assign LOB apps to iOS and Android devices
You can now assign line of business (LOB) apps for iOS (.ipa files) and Android (.apk files) to users or devices.
New device policies for iOS
Apps on Home screen - Controls which apps users see on the Home screen of their iOS device. This policy
changes the layout of the Home screen, but does not deploy any apps.
Connections to AirPrint devices - Controls which AirPrint devices (network printers) end users of iOS
devices can connect to.
Connections to AirPlay devices - Controls which AirPlay devices (like Apple TV) end users of iOS
devices can connect to.
Custom lock screen message - Configures a custom message that users will see on the lock screen of
their iOS device, that replaces the default lock screen message. For more information, see Activate lost
mode on iOS devices.
Restrict push notifications for iOS apps
In an Intune device restriction profile, you can now configure the following notification settings for iOS devices:
Fully turn on or off notification for a specified app.
Turn on or off, the notification in the notification center for a specified app.
Specify the alert type, either None, Banner, or Modal Alert.
Specify whether badges are allowed for this app.
Specify whether notification sounds are allowed.
Configure iOS apps to run in single app mode autonomously
You can now use an Intune device profile to configure iOS devices to run specified apps in autonomous single app
mode. When this mode is configured, and the app is run, the device is locked so that it can only run that app. An
example of this is when you configure an app that lets users take a test on the device. When the app's actions are
complete, or you remove this policy, the device returns to its normal state.
Configure trusted domains for email and web browsing on iOS devices
From an iOS device restriction profile, you can now configure the following domain settings:
Unmarked email domains - Emails that the user sends or receives which don't match the domains you
specify here will be marked as untrusted.
Managed web domains - Documents downloaded from the URLs you specify here will be considered
managed (Safari only).
Safari password auto-fill domains - Users can save passwords in Safari only from URLs matching the
patterns you specify here. To use this setting, the device must be in supervised mode and not configured for
multiple users. (iOS 9.3+)
VPP apps available in iOS Company Portal
You can now assign iOS volume-purchased (VPP) apps as Available installs to end users. End users will need an
Apple Store account to install the app.
Synchronize eBooks from Apple VPP Store
You can now synchronize books you purchased from the Apple volume-purchase program store with Intune, and
assign the books to users.
Multi-user management for Samsung KNOX Standard devices
Devices that run Samsung KNOX Standard are now supported for multi-user management by Intune. This means
that end users can sign in and out of the device with their Azure Active Directory credentials, and the device is
centrally managed whether it's in use or not. When end users sign in, they have access to apps and get any
policies applied to them. When users sign out, all app data is cleared.
Additional Windows device restriction settings
We've added support for additional Windows device restriction settings like additional Edge browser support,
device lock screen customization, start menu customizations, Windows Spotlight, search, setting the wallpaper, and
proxy settings.
Multi-user support for Windows 10 Creators Update
We've added support for multi-user management for devices that run the Windows 10 Creators Update and are
Azure Active Directory domain-joined. This means that when different standard users log into the device with their
Azure AD credentials, they will receive any apps and policies that were assigned to their user name. Users cannot
currently use the Company Portal for self-service scenarios like installing apps.
Fresh Start for Windows 10 PCs
A new Fresh Start device action for Windows 10 PCs is now available. When you issue this action, any apps that
were installed on the PC are removed, and the PC is automatically updated to the latest version of Windows. This
can be used to help remove pre-installed OEM apps that are often delivered with a new PC. You can configure if
user data is retained when this device action is issued.
Additional Windows 10 upgrade paths
You can now create an edition upgrade policy to upgrade devices to the following additional Windows 10 editions:
Windows 10 Professional
Windows 10 Professional N
Windows 10 Professional Education
Windows 10 Professional Education N
Bulk Enroll Windows 10 devices
You can now join large numbers of devices that run the Windows 10 Creators update to Azure Active Directory
and Intune with Windows Configuration Designer (WCD). To enable bulk MDM enrollment for your Azure AD
tenant, create a provisioning package that joins devices to your Azure AD tenant using Windows Configuration
Designer, and apply the package to corporate-owned devices you'd like to bulk enroll and manage. Once the
package is applied to your devices, they will join Azure AD, enroll in Intune, and be ready for your Azure AD users
to log on. Azure AD users are standard users on these devices and receive assigned policies and required apps.
Self-service and Company Portal scenarios are not supported currently.
New MAM settings for PIN and managed storage locations
Two new app settings are now available to help you with mobile application management (MAM) scenarios:
Disable app PIN when device PIN is managed - Detects if a device PIN is present on the enrolled device,
and if so, bypasses the app PIN triggered by the app protection policies. This setting will allow for a
reduction in the number of times a PIN prompt is displayed to users opening a MAM-enabled application
on an enrolled device. This feature is available for both Android and iOS.
Select which storage services corporate data can be saved to - Allows you to specify the storage
locations to which corporate data can be saved. Users can save to the selected storage location services, which
means all other storage location services not listed will be blocked.
List of supported storage location services:
OneDrive
Business SharePoint Online
Local storage
Help desk troubleshooting portal
The new troubleshooting portal lets help desk operators and Intune administrators view users and their devices,
and perform tasks to resolve Intune technical problems.

March 2017
Support for iOS Lost Mode
For iOS 9.3 and later devices, Intune added support for Lost Mode. You can now lock down a device to prevent all
use and display a message and contact phone number on the device lock screen.
The end user will not be able to unlock the device until an admin disables Lost Mode. When Lost Mode is enabled,
you can use the Locate device action to display the geographical location of the device on a map in the Intune
console.
The device must be a corporate-owned iOS device, enrolled through DEP, that is in supervised mode.
For more information, see What is Microsoft Intune device management?
Improvements to Device Actions report
We've made improvements to the Device Actions report to improve performance. Additionally, you can now filter
the report by state. For example, you could filter the report to show only device actions that were completed.
Custom app categories
You can now create, edit, and assign categories for apps you add to Intune. Currently, categories can only be
specified in English. See How to add an app to Intune.
Assign LOB apps to users with unenrolled devices
You can now assign line-of-business apps from the store to users whether or not their devices are enrolled with
Intune. If the user's device is not enrolled with Intune, they must go to the Company Portal website to install it,
instead of the Company Portal app.
New compliance reports
You now have compliance reports that give you the compliance posture of devices in your company and allow you
to quickly troubleshoot compliance-related issues encountered by your users. You can view information about
Overall compliance state of devices
Compliance state for an individual setting
Compliance state for an individual policy
You can also use these reports to drill down into an individual device to view specific settings and policies that
affect that device.
Direct access to Apple enrollment scenarios
For Intune accounts created after January 2017, Intune has enabled direct access to Apple enrollment scenarios
using the Enroll Devices workload in the Azure portal. Previously, the Apple enrollment preview was only
accessible from links in the classic Intune portal. Intune accounts created before January 2017 will require a one-
time migration before these features are available in Azure. The schedule for migration has not been announced
yet, but details will be made available as soon as possible. We strongly recommend creating a trial account to test
out the new experience if your existing account cannot access the preview.

February 2017
Ability to restrict mobile device enrollment
Intune is adding new enrollment restrictions that control which mobile device platforms are allowed to enroll.
Intune separates mobile device platforms as iOS, macOS, Android, Windows and Windows Mobile.
Restricting mobile device enrollment does not restrict PC client enrollment.
For iOS and Android only, there is one additional option to block the enrollment of personally owned devices.
Intune marks all new devices as personal unless the IT admin takes action to mark them as corporate owned, as
explained in this article.
View all actions on managed devices
A new Device Actions report shows who has performed remote actions like factory reset on devices, and
additionally shows the status of that action. See What is device management?
Non-managed devices can access assigned apps
As part of the design changes on the Company Portal website, iOS and Android users will be able to install apps
assigned to them as "available without enrollment" on their non-managed devices. Using their Intune credentials,
users will be able to log into the Company Portal website and see the list of apps assigned to them. The app
packages of the "available without enrollment" apps are made available for download via the Company Portal
website. Apps which require enrollment for installation are not affected by this change, as users will be prompted
to enroll their device if they wish to install those apps.
Custom app categories
You can now create, edit, and assign categories for apps you add to Intune. Currently, categories can only be
specified in English. See How to add an app to Intune.
Display device categories
You can now view the device category as a column in the device list. You can also edit the category from the
properties section of the device properties blade. See How to add an app to Intune.
Configure Windows Update for Business settings
Windows as a Service is the new way of providing updates for Windows 10. Starting with Windows 10, any new
Feature Updates and Quality Updates will contain the contents of all previous updates. This means that as long as
you've installed the latest update, you know that your Windows 10 devices are completely up-to-date. Unlike with
previous versions of Windows, you now must install the entire update instead of part of an update.
By using Windows Update for Business, you can simplify the update management experience so that you don't
need to approve individual updates for groups of devices. You can still manage risk in your environment by
configuring an update rollout strategy, and Windows Update will make sure that updates are installed at the right time.
Microsoft Intune provides the ability to configure update settings on devices and gives you the ability to defer
update installation. Intune doesn't store the updates, but only the update policy assignment. Devices access
Windows Update directly for the updates. Use Intune to configure and manage Windows 10 update rings. An
update ring contains a group of settings that configure when and how Windows 10 updates get installed. For
details, see Configure Windows Update for Business settings.

January 2017
Assign line of business apps whether or not devices are enrolled
You can now assign line-of-business apps and apps from the store to users whether or not their devices are enrolled
with Intune. If the user's device is not enrolled with Intune, they must go to the Company Portal website to install it,
instead of the Company Portal app. See What is app management.
Resolve issue where iOS devices are inactive, or the admin console cannot communicate with them
When users' devices lose contact with Intune, you can give them new troubleshooting steps to help them regain
access to company resources. See Devices are inactive, or the admin console cannot communicate with them.

December 2016 (initial release)


Telecom expense management integration in Azure portal
We are now beginning to preview integration with third-party telecom expense management (TEM) services within
the Azure portal. You can use Intune to enforce limits on domestic and roaming data usage. We are beginning
these integrations with Saaswedo. To enable this feature in your trial tenant, please contact Microsoft support.
Deploy and manage apps from a store to iOS, Android, and Windows devices
Deploy and manage line of business (LOB) apps to iOS, Android, and Windows devices
Deploy and manage volume-purchased apps to iOS, and Windows devices
Deploy and manage web apps for Android, iOS, and Windows devices
iOS managed app configuration profiles
Configure app protection policies, and deploy line of business apps to devices that are not enrolled with Intune
VPN profiles, per-app VPN, Wi-Fi, email, and certificate profiles
Compliance policies
Conditional access for Azure AD
Conditional access for On-Premises Exchange
Device enrollment
Role-based access control

Deprecated features in the Azure portal


Support for row-by-row review of hardware identifiers
The Azure portal does not support row-by-row review of hardware identifiers for IMEI numbers and Apple serial
numbers. In the classic Intune console, you can import details from a comma-separated-values (.csv) file and
overwrite the existing details for individual hardware identifiers. The Azure portal features a single, streamlined
option that automatically overwrites details for all hardware identifiers or ignores new details for existing
identifiers.
How this affects you
In the Azure portal, you will not be able to decide, row by row, which International Mobile Equipment Identity
(IMEI) devices to update. The classic Intune console will continue to support this functionality.
How to get ready for this change
We are providing this information in advance so, if it affects you, you can make your support admins aware of this
change. This change will coincide with the move to the Azure portal, anticipated for the first half of 2017.
Support for default Corporate Device Enrollment profiles in Apple DEP
The Azure portal does not support the default Corporate Device Enrollment profile for Apple Device Enrollment
Program (DEP) device serial numbers. This functionality, available in the classic Intune console, is being
discontinued to prevent unintentionally assigned profiles. In the Azure portal, serial numbers synchronized from an
Apple DEP account will initially have no Corporate Device Enrollment profile assigned.
How this affects you
In the Azure portal, you will not be able to set a default profile policy across all Apple devices. The classic Intune
console will continue to support this functionality.
How to get ready for this change
We are providing this information in advance so, if it affects you, you can make your support admins aware of this
change. This will coincide with the move to the Azure portal, anticipated for the first half of 2017.
See also
See What's New in Microsoft Intune for details on recent developments.
What's new in the Intune classic console - previous months
6/19/2017 24 min to read

APPLIES TO: INTUNE IN THE CLASSIC PORTAL

Looking for documentation about Intune on Azure? Go here.

This page lists new features and notices previously announced on the What's new page for the Intune classic
console.

April 2017
New capabilities
MyApps available for Managed Browser
Microsoft MyApps now have better support within the Managed Browser. Managed Browser users who are not
targeted for management will be brought directly to the MyApps service, where they can access their admin-
provisioned SaaS apps. Users who are targeted for Intune management will continue to be able to access MyApps
from the built-in Managed Browser bookmark.
New icons for the Managed Browser and the Company Portal
The Managed Browser is receiving updated icons for both the Android and iOS versions of the app. The new icon
will contain the updated Intune badge to make it more consistent with other apps in Enterprise Mobility + Security
(EM+S). You can see the new icon for the Managed Browser on the what's new in Intune app UI page.
The Company Portal is also receiving updated icons for the Android, iOS, and Windows versions of the app to
improve consistency with other apps in EM+S. These icons will be gradually released across platforms from April to
late May.
Sign-in progress indicator in Android Company Portal
An update to the Android Company Portal app shows a sign-in progress indicator when the user launches or
resumes the app. The indicator progresses through new statuses, beginning with "Connecting...", then "Signing in...",
then "Checking for security requirements..." before allowing the user to access the app. You can see the new screens
for the Company Portal app for Android on the what's new in Intune app UI page.
Block apps from accessing SharePoint Online
You can now create an app-based conditional access policy to block apps, which don't have app protection policies
applied to them, from accessing SharePoint Online. In the apps-based conditional access scenario, you can specify
the apps that you want to have access to SharePoint Online using the Azure portal.
Single sign-on support from the Company Portal for iOS to Outlook for iOS
Users no longer have to sign in to the Outlook app if they are signed in to the Company Portal app for iOS on the
same device with the same account. When users launch the Outlook app, they will be able to select their account
and automatically sign in. We are also working toward adding this functionality for other Microsoft apps.
Improved status messaging in the Company Portal app for iOS
New, more specific error messages will now be displayed within the Company Portal app for iOS to provide more
accessible information about what is happening on devices. These error cases were previously included in a general
error message titled "Company Portal Temporarily Unavailable". Additionally, if a user launches the Company
Portal on iOS when they do not have an Internet connection, they will now see a persistent status bar on the
homepage saying "No Internet Connection."
Improved app install status for the Windows 10 Company Portal app
New improvements for app installs started in the Windows 10 Company Portal app include:
Faster install progress reporting for MSI packages
Faster install progress reporting for modern apps on devices running the Windows 10 Anniversary Update and
beyond
New progress bar for modern app installs on devices running the Windows 10 Anniversary Update and beyond
You can see the new progress bar on the what's new in Intune app UI page.
Bulk Enroll Windows 10 devices
You can now join large numbers of devices that run the Windows 10 Creators update to Azure Active Directory and
Intune with Windows Configuration Designer (WCD). To enable bulk MDM enrollment for your Azure AD tenant,
create a provisioning package that joins devices to your Azure AD tenant using Windows Configuration Designer,
and apply the package to corporate-owned devices you'd like to bulk enroll and manage. Once the package is
applied to your devices, they will Azure AD join, enroll in Intune, and be ready for your Azure AD users to log on.
Azure AD users are standard users on these devices and receive assigned policies and required apps. Self-service
and Company Portal scenarios are not supported at this time.
What's new in the public preview of the Intune admin experience on Azure
In early calendar year 2017 we will be migrating our full admin experience onto Azure, allowing for powerful and
integrated management of core EMS workflows on a modern service platform that's extensible using Graph APIs.
New trial tenants will start to see the public preview of the new admin experience in the Azure portal this month.
While in preview state, capabilities and parity with the existing Intune console will be delivered iteratively.
The admin experience in the Azure portal will use the already announced new grouping and targeting functionality;
when your existing tenant is migrated to the new grouping experience you will also be migrated to preview the
new admin experience on your tenant. In the meantime, if you want to test or look at any of the new functionality
until your tenant is migrated, sign up for a new Intune trial account or take a look at the new documentation.
You can find what's new in the Intune preview in Azure here.
Notices
Direct access to Apple enrollment scenarios
For Intune accounts created after January 2017, Intune has enabled direct access to Apple enrollment scenarios
using the Enroll Devices workload in the Azure Preview portal. Previously, the Apple enrollment preview was only
accessible from links in the classic Intune portal. Intune accounts created before January 2017 will require a one-
time migration before these features are available in Azure. The schedule for migration has not been announced
yet, but details will be made available as soon as possible. We strongly recommend creating a trial account to test
out the new experience if your existing account cannot access the preview.
What's coming for Appx in Intune on Azure
As part of the migration to Intune on Azure, we are making three appx changes:
1. Adding a new appx app type in the classic Intune console that can only be deployed to MDM-enrolled devices.
2. Repurposing the existing appx app type to only be targeted to PCs managed through the Intune PC agent.
3. Converting all existing appxs into MDM appxs with the migration.
How does this affect me?

This will not impact any of your existing deployments to devices that are managed through the Intune PC agent.
However, after migration, you will not be able to deploy those migrated appxs to any new devices that are
managed through the Intune PC agent that were not previously targeted.
What action do I need to take?

After migration, you will need to re-upload the appx again as a PC appx if you want to do new PC deployments. To
learn more, see Appx changes in Intune on Azure on the Intune Support team blog.
Administration roles being replaced in Azure portal
The existing mobile application management (MAM) administration roles (Contributor, Owner, and Read-Only)
used in the Intune classic portal (Silverlight) are being replaced with a full set of new role-based administration
controls (RBAC) in the Intune Azure portal. Once you are migrated to the Azure portal, you will need to re-assign
your admins to these new administration roles. For more information about RBAC and the new roles, see Role-
based access control for Microsoft Intune.
What's coming
Improved sign in experience across Company Portal apps for all platforms
We are announcing a change that is coming in the next few months that will improve the sign in experience for the
Intune Company Portal apps for Android, iOS, and Windows. The new user experience will automatically appear
across all platforms for the Company Portal app when Azure AD makes this change. In addition, users can now sign
in to the Company Portal from another device with a generated, single-use code. This is especially useful in cases
when users need to sign in without credentials.
You can find screenshots of the previous sign in experience, the new sign in experience with credentials, and the
new sign in experience from another device on the What's new in app UI page.
Plan for change: Intune is changing the Intune Partner Portal experience
We are removing the Intune Partner page from manage.microsoft.com beginning with the service update in mid-
May 2017.
If you are a partner administrator, you will no longer be able to view and take action on behalf of your customers
from the Intune Partner page, but will instead need to sign in at one of two other partner portals at Microsoft.
Both the Microsoft Partner Center and the Microsoft Office 365 Partner Admin Center will allow you to sign into the
customer accounts you manage. Moving forward as a partner, please use one of these sites to manage your
customers.
Apple to require updates for Application Transport Security
Apple has announced that they will enforce specific requirements for Application Transport Security (ATS). ATS is
used to enforce stricter security on all app communications over HTTPS. This change impacts Intune customers
using the iOS Company Portal apps.
We have made available a version of the Company Portal app for iOS through the Apple TestFlight program that
enforces the new ATS requirements. If you would like to try it so you can test your ATS compliance, email
CompanyPortalBeta@microsoft.com with your first name, last name, email address, and company name. Review
our Intune support blog for more details.

March 2017
New Capabilities
Support for Skycure
You can now control mobile device access to corporate resources using conditional access based on risk
assessment conducted by Skycure, a mobile threat defense solution that integrates with Microsoft Intune. Risk is
assessed based on telemetry collected from devices running Skycure, including:
Physical defense
Network defense
Application defense
Vulnerabilities defense
You can configure EMS conditional access policies based on Skycure risk assessment enabled through Intune
device compliance policies. You can use these policies to allow or block non-compliant devices access to corporate
resources based on detected threats. For more information, see Skycure Mobile Threat Defense connector.
New user experience for the Company Portal app for Android
The Company Portal app for Android will be updating its user interface for a more modern look and feel, and better
user experience. The notable updates are:
Colors: Company Portal tab headers are colored in IT-defined branding.
Apps: In the Apps tab, the Featured Apps and All Apps buttons are updated.
Search: In the Apps tab, the Search button is a floating action button.
Navigating Apps: All Apps view shows a tabbed view of Featured, All, and Categories for easier navigation.
Support: My Devices and Contact IT tabs are updated to improve readability.
For more details about these changes, see UI updates for Intune end user apps.
Non-managed devices can access assigned apps
As part of the design changes on the Company Portal website, iOS and Android users will be able to install apps
assigned to them as "available without enrollment" on their non-managed devices. Using their Intune credentials,
users will be able to log into the Company Portal website and see the list of apps assigned to them. The app
packages of the "available without enrollment" apps are made available for download via the Company Portal
website. Apps which require enrollment for installation are not affected by this change, as users will be prompted to
enroll their device if they wish to install those apps.
Signing Script for Windows 10 Company Portal
If you need to download and sideload the Windows 10 Company Portal app, you can now use a script to simplify
and streamline the app-signing process for your organization. To download the script and the instructions for using
it, see Microsoft Intune Signing Script for Windows 10 Company Portal on TechNet Gallery. For more details about
this announcement, see Updating your Windows 10 Company Portal app on the Intune Support Team Blog.
Notices
Support for iOS 10.3
The iOS 10.3 release started rolling out on March 27, 2017 to iOS users. All existing Intune MDM and MAM
scenarios are compatible with the latest version of Apple's OS. We anticipate all existing Intune features currently
available for managing iOS devices will continue to work as your users upgrade their devices and apps to iOS 10.3.
There are currently no known issues to share. If you run into any issues with iOS 10.3, please feel free to reach out
to the Intune support team.
Improved support for Android users based in China
Due to the absence of the Google Play Store in China, Android devices must obtain apps from Chinese
marketplaces. The Company Portal will support this workflow by redirecting Android users in China to download
the Company Portal and Outlook apps from local app stores. This will improve the user experience when
Conditional Access policies are enabled, both for Mobile Device Management and for Mobile Application
Management. The Company Portal and Outlook apps for Android are available on the following Chinese app stores:
Baidu
Xiaomi
Tencent
Huawei
Wandoujia
Best practice: make sure your Company Portal apps are up-to-date
In December 2016, we released an update that enabled enforcement for multi-factor authentication (MFA) on a
group of users when they enroll an iOS, Android, Windows 8.1+, or Windows Phone 8.1+ device. This feature
cannot work without certain baseline versions of the Company Portal app for Android (v5.0.3419.0+) and iOS
(v2.1.17+).
Microsoft is continuously improving Intune by adding new functions to both the console and the Company Portal
apps on all supported platforms. As a result, Microsoft only releases fixes for issues that we find in the current
version of the Company Portal app. We therefore recommend to use the latest versions of the Company Portal
apps for the best user experience.

TIP
Have your users set their devices to automatically update apps from the appropriate app store. If you have made the Android
Company Portal app available on a network share, you can download the latest version from Microsoft Download Center.
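A check of the kind this best practice calls for, as an added example that is not part of the original page or of Microsoft's tooling: it reads a constructed device inventory export (the CSV columns `device_id`, `platform` and `company_portal_version` are assumed, not an Intune export format) and compares each reported Company Portal version against the two baseline versions quoted above. Versions are compared numerically, component by component, because a plain string comparison would rank `5.0.999.0` above `5.0.3419.0`.

```python
"""Flag devices whose Company Portal app is below the baseline that the
MFA-at-enrollment feature requires (Android v5.0.3419.0+, iOS v2.1.17+).

Added example; the inventory format below is constructed for illustration.
"""
import csv
import io
from typing import Dict, List, Optional, Tuple

# Baseline versions quoted in the announcement. Platforms not named there
# (for example Windows) are reported as unchecked rather than guessed at.
MFA_BASELINES: Dict[str, str] = {
    "Android": "5.0.3419.0",
    "iOS": "2.1.17",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v5.0.3419.0' into (5, 0, 3419, 0); reject anything non-numeric."""
    text = version.strip()
    if text[:1] in ("v", "V"):
        text = text[1:]
    parts = text.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a classic compare; '2.1.17' and '2.1.17.0' are equal."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))   # pad the shorter tuple with zeros
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def meets_baseline(platform: str, reported: str) -> Optional[bool]:
    """True/False for a covered platform, None when no baseline is published."""
    baseline = MFA_BASELINES.get(platform)
    if baseline is None:
        return None
    return compare_versions(reported, baseline) >= 0


# Constructed sample export (not real device data).
SAMPLE_INVENTORY = """\
device_id,platform,company_portal_version
dev-001,Android,5.0.3419.0
dev-002,Android,5.0.3401.2
dev-003,iOS,2.1.17
dev-004,iOS,2.1.9
dev-005,iOS,2.2.0
dev-006,Windows,10.0.15063.0
"""


def check_inventory(csv_text: str) -> Dict[str, List[str]]:
    """Bucket device ids into ok / outdated / unchecked against the baselines."""
    result: Dict[str, List[str]] = {"ok": [], "outdated": [], "unchecked": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict = meets_baseline(row["platform"], row["company_portal_version"])
        if verdict is None:
            result["unchecked"].append(row["device_id"])
        elif verdict:
            result["ok"].append(row["device_id"])
        else:
            result["outdated"].append(row["device_id"])
    return result


if __name__ == "__main__":
    for bucket, ids in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket:9}: {', '.join(ids) or '-'}")
```

Devices in the `outdated` bucket are the ones that would miss MFA enforcement at enrollment; `unchecked` lists platforms the announcement gives no baseline for, so they are surfaced rather than silently passed.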

Microsoft Teams is now enabled for MAM on iOS and Android


Microsoft has announced the general availability of Microsoft Teams. The updated Microsoft Teams apps for iOS
and Android are now enabled with Intune mobile app management (MAM) capabilities, so you can empower your
teams to work freely across devices, while ensuring that conversations and corporate data is protected at every
turn. For more details, see the Microsoft Teams announcement on the Enterprise Mobility and Security blog.

February 2017
New Capabilities
Modernizing the Company Portal website
The Company Portal website will support apps that are targeted to users who do not have managed devices. The
website will align with other Microsoft products and services by using a new contrasting color scheme, dynamic
illustrations, and a "hamburger menu."
Notices
Group migration will not require any updates to groups or policies for iOS devices
For every Intune device group pre-assigned by a Corporate Device Enrollment profile, a corresponding dynamic
device group will be created in AAD based on the Corporate Device Enrollment profile's name, during the migration
to Azure Active Directory device groups. This will ensure that as devices enroll, they will be automatically grouped
and receive the same policies and apps as the original Intune group.
Once a tenant enters the migration process for grouping and targeting, Intune will automatically create a dynamic
AAD group to correspond to an Intune group targeted by a Corporate Device Enrollment profile. If the Intune
Admin deletes the targeted Intune group, the corresponding dynamic AAD group will not be deleted. The group's
members and the dynamic query will be cleared, but the group itself will remain until the IT Admin removes it via
the AAD portal.
Similarly, if the IT Admin changes which Intune group is targeted by a Corporate Device Enrollment profile, Intune
will create a new dynamic group reflecting the new profile assignment, but will not remove the dynamic group
created for the old assignment.
Defaulting to managing Windows desktop devices through Windows settings
The default behavior for enrolling Windows 10 desktops is changing. New enrollments will follow the typical MDM
agent enrollment flow rather than through the PC agent. The Company Portal website will provide Windows 10
desktop users with enrollment instructions that guide them through the process of adding Windows 10 desktop
computers as mobile devices. This will not impact currently enrolled PCs, and your organization can still manage
Windows 10 desktops using the PC agent if you prefer.
Improving mobile app management support for selective wipe
End users will be given additional guidance on how to regain access to work or school data if that data is
automatically removed due to the "Offline interval before app data is wiped" policy.
Company Portal for iOS links open inside the app
Links inside of the Company Portal app for iOS, including those to documentation and apps, will open directly in
the Company Portal app using an in-app view of Safari. This update will ship separately from the service update in
January.
New MDM server address for Windows devices
Windows and Windows Phone users attempting to enroll a device will fail if they enter manage.microsoft.com as
the MDM server address (if prompted). The MDM server address is changing from manage.microsoft.com to
enrollment.manage.microsoft.com. Notify your user to use enrollment.manage.microsoft.com as the MDM
server address if prompted for it while enrolling a Windows or Windows Phone device. No changes are needed
to your CNAME setup. For additional information about this change, visit aka.ms/intuneenrollsvrchange.
New user experience for the Company Portal app for Android
Beginning in March, the Company Portal app for Android will follow material design guidelines to create a more
modern look and feel. This improved user experience includes:
Colors: tab headers can be colored according to your custom color palette.
Interface: Featured Apps and All Apps buttons have been updated in the Apps tab. The Search button is now a
floating action button.
Navigation: All Apps shows a tabbed view of Featured, All and Categories for easier navigation.
Service: My Devices and Contact IT tabs have improved readability.
You can find before and after images on the UI updates page.
Associate multiple management tools with the Windows Store for Business
If you are using more than one management tool to deploy Windows Store for Business apps, previously, you
could only associate one of these with the Windows Store for Business. You can now associate multiple
management tools with the store, for example, Intune and Configuration Manager. For details, see Manage apps
you purchased from the Windows Store for Business with Microsoft Intune.

What's new in the public preview of the Intune admin experience on Azure
In early calendar year 2017 we will be migrating our full admin experience onto Azure, allowing for powerful and
integrated management of core EMS workflows on a modern service platform that's extensible using Graph APIs.
New trial tenants will start to see the public preview of the new admin experience in the Azure portal this month.
While in preview state, capabilities and parity with the existing Intune console will be delivered iteratively.
The admin experience in the Azure portal will use the already announced new grouping and targeting functionality;
when your existing tenant is migrated to the new grouping experience you will also be migrated to preview the
new admin experience on your tenant. In the meantime, if you want to test or look at any of the new functionality
until your tenant is migrated, sign up for a new Intune trial account or take a look at the new documentation.
You can find what's new in the Intune preview in Azure here.

January 2017
New Capabilities
In-console reports for MAM without enrollment
New app protection reports have been added for both enrolled devices and devices that have not been enrolled.
Find out more about how you can monitor mobile app management policies with Intune here.
Android 7.1.1 support
Intune now fully supports and manages Android 7.1.1.
Resolve issue where iOS devices are inactive, or the admin console cannot communicate with them
When users' devices lose contact with Intune, you can give them new troubleshooting steps to help them regain
access to company resources. See Devices are inactive, or the admin console cannot communicate with them.
Notices
Defaulting to managing Windows desktop devices through Windows settings
The default behavior for enrolling Windows 10 desktops is changing. New enrollments will follow the typical MDM
agent enrollment flow rather than through the PC agent.
The Company Portal website will provide Windows 10 desktop users with enrollment instructions that guide them
through the process of adding Windows 10 desktop computers as mobile devices. This will not impact currently
enrolled PCs, and your organization can still manage Windows 10 desktops using the PC agent if you prefer.
Improving mobile app management support for selective wipe
End users will be given additional guidance on how to regain access to work or school data if that data is
automatically removed due to the "Offline interval before app data is wiped" policy.
Company Portal for iOS links open inside the app
Links inside of the Company Portal app for iOS, including those to documentation and apps, will open directly in
the Company Portal app using an in-app view of Safari. This update will ship separately from the service update in
January.
Modernizing the Company Portal website
Beginning in February, the Company Portal website will support apps that are targeted to users who do not have
managed devices. The website will align with other Microsoft products and services by using a new contrasting
color scheme, dynamic illustrations, and a "hamburger menu."
New documentation for app protection policies
We have updated our documentation for admins and app developers who want to enable app protection policies
(known as MAM policies) in their iOS and Android apps using the Intune App Wrapping Tool or Intune App SDK.
The following articles have been updated:
Decide how to prepare apps for mobile application management with Microsoft Intune
Prepare iOS apps for mobile application management with the Intune App Wrapping Tool
Get started with the Microsoft Intune App SDK
Intune App SDK for iOS developer guide
The following articles are new additions to the docs library:
Intune App SDK Cordova Plugin
Intune App SDK Xamarin Component
Progress bar when launching the Company Portal on iOS
The Company Portal for iOS is introducing a progress bar on the launch screen to provide the user with
information about the loading processes that occur. There will be a phased rollout of the progress bar to replace
the spinner. This means that some of your users will see the new progress bar while others will continue to see the
spinner.

December 2016
Public preview of the new Intune admin experience on Azure
In early calendar year 2017, we will be migrating our full admin experience onto Azure, allowing for powerful and
integrated management of core EMS workflows on a modern service platform that's extensible using Graph APIs. In
advance of the general availability of this portal for all Intune tenants, we're excited to announce that we will begin
rolling out a preview of this new admin experience later this month to select tenants.
The admin experience in the Azure portal will use the already announced new grouping and targeting functionality;
when your existing tenant is migrated to the new grouping experience you will also be migrated to preview the
new admin experience on your tenant. In the meantime, find out more about what we have in store for Microsoft
Intune in the Azure portal in our new documentation.
Telecom expense management integration in public preview of Azure portal
We are now beginning to preview integration with third-party telecom expense management (TEM) services within
the Azure portal. You can use Intune to enforce limits on domestic and roaming data usage. We are beginning these
integrations with Saaswedo. To enable this feature in your trial tenant, please contact Microsoft support.
New Capabilities
Multi-factor authentication across all platforms
You can now enforce multi-factor authentication (MFA) on a selected group of users when they enroll an iOS,
Android, Windows 8.1+, or Windows Phone 8.1+ device from the Azure Management Portal by configuring MFA on
the Microsoft Intune Enrollment application in Azure Active Directory.
Ability to restrict mobile device enrollment
Intune is adding new enrollment restrictions that control which mobile device platforms are allowed to enroll.
Intune separates mobile device platforms as iOS, macOS, Android, Windows and Windows Mobile.
Restricting mobile device enrollment does not restrict PC client enrollment.
For iOS only, there is one additional option to block the enrollment of personally owned devices.
Intune marks all new devices as personal unless the IT admin takes action to mark them as corporate owned, as
explained in this article.
Notices
Multi-Factor Authentication on Enrollment moving to the Azure portal
Previously, admins would go to either the Intune console or the Configuration Manager (earlier than release
October 2016) console to set MFA for Intune enrollments. With this updated feature, you will now log in to the
Microsoft Azure portal using your Intune credentials and configure MFA settings through Azure AD. Learn more
about this here.
Company Portal app for Android now available in China
We are publishing the Company Portal app for Android for download in China. Due to the absence of the Google
Play Store in China, Android devices must obtain apps from Chinese app marketplaces. The Company Portal app for
Android will be available for download on the following stores:
Baidu
Huawei
Tencent
Wandoujia
Xiaomi
The Company Portal app for Android uses Google Play Services to communicate with the Microsoft Intune service.
Since Google Play Services are not yet available in China, performing any of the following tasks can take up to 8
hours to complete.

INTUNE ADMIN CONSOLE           | INTUNE COMPANY PORTAL APP FOR ANDROID   | INTUNE COMPANY PORTAL WEBSITE
Full wipe                      | Remove a remote device                  | Remove device (local and remote)
Selective wipe                 | Reset device                            | Reset device
New or updated app deployments | Install available line-of-business apps | Device passcode reset
Remote lock                    |                                         |
Passcode reset                 |                                         |

Deprecations
Firefox to no longer support Silverlight
Mozilla is removing support for Silverlight in version 52 of the Firefox browser, effective March 2017. As a result,
you will no longer be able to log in to the existing Intune console using Firefox versions greater than 51. We
recommend using Internet Explorer 10 or 11 to access the admin console, or a version of Firefox prior to version
52. Intune's transition to the Azure portal will allow it to support a number of modern browsers without
dependency on Silverlight.
Removal of Exchange Online mobile inbox policies
Beginning in December, admins will no longer be able to view or configure Exchange Online (EAS) mobile mailbox
policies within the Intune console. This change will roll out to all Intune tenants over December and January. All
existing policies will stay as configured; for configuring new policies, use the Exchange Management Shell. Find out
more information here.
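Since new Exchange Online (EAS) mobile mailbox policies must now be created outside the Intune console, the following is an added example of doing that from PowerShell. It is not code from the Intune documentation or from Microsoft; it assumes an Exchange Online PowerShell session is already open (for instance via Connect-ExchangeOnline from the ExchangeOnlineManagement module, which is an assumption about your environment), and the policy name and mailbox selection are constructed placeholders. The settings chosen (required alphanumeric passcode, lockout after failed attempts, inactivity lock, device encryption, and blocking devices that cannot enforce the policy) are typical baseline values, not values the notice above prescribes.

```powershell
# Added example, not from the Intune docs: create an Exchange Online mobile device
# mailbox policy and assign it to mailboxes. Assumes an open Exchange Online
# PowerShell session (e.g. Connect-ExchangeOnline) and an account with the
# Organization Management or Recipient Management role.

$policyName = 'Contoso-Baseline-EAS'   # constructed policy name

# Create the policy only if it does not already exist, so the script can be re-run safely.
$policy = Get-MobileDeviceMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-MobileDeviceMailboxPolicy -Name $policyName `
        -PasswordEnabled $true `
        -AlphanumericPasswordRequired $true `
        -AllowSimplePassword $false `
        -MinPasswordLength 8 `
        -MaxPasswordFailedAttempts 10 `
        -MaxInactivityTimeLock '00:15:00' `
        -DeviceEncryptionEnabled $true `
        -AllowNonProvisionableDevices $false   # reject clients that cannot enforce these settings
}

# Assign the policy to every ActiveSync-enabled mailbox that is not already using it.
# The selection criteria are an assumption; narrow them (e.g. by department) as needed.
$mailboxes = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and "$($_.ActiveSyncMailboxPolicy)" -ne $policyName }

foreach ($mbx in $mailboxes) {
    Set-CASMailbox -Identity $mbx.Identity -ActiveSyncMailboxPolicy $policyName
}

# Verification step: show the effective settings so the change can be audited afterwards.
Get-MobileDeviceMailboxPolicy -Identity $policyName |
    Select-Object Name, PasswordEnabled, AlphanumericPasswordRequired, MinPasswordLength,
                  MaxPasswordFailedAttempts, MaxInactivityTimeLock, DeviceEncryptionEnabled,
                  AllowNonProvisionableDevices |
    Format-List
```

Note that this policy governs only the Exchange ActiveSync client; device compliance and conditional access for Exchange Online continue to be evaluated by Intune and Azure AD as described elsewhere on this page.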
Intune AV Player, Image Viewer, and PDF Viewer apps are no longer supported on Android
From mid-December 2016 on, users will no longer be able to use the Intune AV Player, Image Viewer, and PDF
Viewer apps. These apps have been replaced with the Azure Information Protection app. Find out more about the
Azure Information Protection app here.

November 2016
New capabilities
New Microsoft Intune Company Portal available for Windows 10 devices
Microsoft has released a new Microsoft Intune Company Portal app for Windows 10 devices. This app, which
leverages the new Windows 10 Universal format, will provide the user with an updated user experience within the
app and identical experiences across all Windows 10 devices, PC and Mobile alike, while still enabling all the same
functionality that they are using today.
The new app will also allow users to leverage additional platform features like single sign-on (SSO) and certificate-
based authentication on Windows 10 devices. The app will be made available as an upgrade to the existing
Windows 8.1 Company Portal and Windows Phone 8.1 Company Portal installs from the Windows Store. For more
details, go to aka.ms/intunecp_universalapp.

IMPORTANT
An Update on Intune and Android for Work
While you can deploy Android for Work apps with an action of Required, you can only deploy apps as Available if
your Intune groups have been migrated to the new Azure AD groups experience.

Intune App SDK for Cordova plugin now supports MAM without enrollment
App developers can now use the Intune App SDK for Cordova plugin to enable MAM functionality without device
enrollment in their Cordova-based apps for Android and iOS. The Intune App SDK for Cordova plugin can be found
here.
Intune App SDK Xamarin component now supports MAM without enrollment
App developers can now use the Intune App SDK Xamarin component to enable MAM functionality without device
enrollment in their Xamarin-based apps for Android and iOS. The Intune App SDK Xamarin component can be
found here.
Notices
Symantec signing certificate no longer requires signed Windows Phone 8 Company Portal for upload
Uploading the Symantec signing certificate will no longer require a signed Windows Phone 8 Company Portal app.
The certificate can be uploaded independently.
Deprecations
Support for the Windows Phone 8 Company Portal
Support for the Windows Phone 8 Company Portal will now be deprecated. Support for the Windows Phone 8 and
WinRT platforms was deprecated in October 2016. Support for the Windows 8 Company Portal was also
deprecated in October 2016.
See also
See What's New in Microsoft Intune for details on recent developments.
Overview of device and app lifecycles
6/19/2017 1 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

Although the needs of individual organizations might differ, there are certain common steps that all organizations
need to take on an ongoing basis, whatever their other operational needs. These can be grouped into two main
categories, which are termed lifecycles. The deployment lifecycle you follow depends on the scenario you're trying
to enable. For example, you might need only the device lifecycle or the app lifecycle, or you might need both.

For management purposes, all devices have a lifecycle. It starts when you enroll the device and extends through its
retirement. The device management lifecycle walks you through how to enroll the device, how to configure and
protect it, and then how to remove it from management.
Similarly, apps you work with have their own app lifecycle that includes steps ranging from adding an app to
Intune, all the way through to removing them when they are no longer required.
Overview of the mobile device management (MDM)
lifecycle
6/19/2017 3 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

All devices that you manage have what we call a lifecycle. Intune can help you manage this lifecycle, from
enrollment, through configuration and protection, to retiring the device when it's no longer required:

Enroll
Today's mobile device management (MDM) strategies deal with a variety of phones, tablets, and PCs (iOS, Android,
Windows, and Mac OS X). If you need to be able to manage the device, which is commonly the case for corporate-
owned devices, the first step is to set up device enrollment (Classic portal). You can also manage Windows PCs by
enrolling them with Intune (MDM) or by installing the Intune client software.

Configure
Getting your devices enrolled is just the first step. To take advantage of all that Intune offers and to ensure that
your devices are secure and compliant with company standards, you can choose from a wide range of policies.
These let you configure almost every aspect of how managed devices operate. For example, should users have a
password on devices that have company data? You can require one. Do you have corporate Wi-Fi? You can
automatically configure it. Here are the types of configuration options that are available:
Device configuration (Classic portal). These policies let you configure the features and capabilities of the
devices that you manage. For example, you could require the use of a password on Windows phones or disable
the use of the camera on iPhones.
Company resource access (Classic portal). When you let your users access their work on their personal device,
this can present you with challenges. For example, how do you ensure that all devices that need to access
company email are configured correctly? How can you ensure that users can access the company network with
a VPN connection without having to know complex settings? Intune can help to reduce this burden by
automatically configuring the devices that you manage to access common company resources.
Windows PC management policies (with the Intune client software). While enrolling Windows PCs with
Intune gives you the most device management capabilities, Intune continues to support managing Windows
PCs with the Intune client software. If you need information about some of the tasks that you can perform with
PCs, start here.

Protect
In the modern IT world, protecting devices from unauthorized access is one of the most important tasks that you'll
perform. In addition to the items in the Configure step of the device lifecycle, Intune provides these capabilities
that help protect devices you manage from unauthorized access or malicious attacks:
Multi-factor authentication. Adding an extra layer of authentication to user sign-ins can help make devices
even more secure. Many devices support multi-factor authentication that requires a second level of
authentication, such as a phone call or text message, before users can gain access.
Windows Hello for Business settings (Classic portal). Windows Hello for Business is an alternative sign-in
method that lets users use a gesture, such as a fingerprint or Windows Hello, to sign in without needing a
password.
Policies to protect Windows PCs (with the Intune client software). When you manage Windows PCs by
using the Intune client software, policies are available that let you control settings for Endpoint Protection,
software updates, and Windows Firewall on PCs that you manage.

Retire
When a device gets lost or stolen, when it needs to be replaced, or when users move to another position, it's
usually time to retire or wipe (Classic portal) the device. There are a number of ways you can do this, including
resetting the device, removing it from management, and wiping the corporate data on it.
Overview of the app lifecycle
6/19/2017 2 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

The Intune app lifecycle begins when an app is added and progresses through additional phases until you remove
the app.

Add
The first step in app deployment is to add the apps, which you want to manage and assign, to Intune. While you can
work with many different app types, the basic procedures are the same. With Intune, you can add apps for both
enrolled devices (Classic portal) and Windows PCs you manage with the Intune client software.

Deploy
After you've added the app to Intune, you can then assign it to users and devices that you manage (Classic portal).
Intune makes this process easy, and after the app is deployed, you can monitor the success (Classic portal) of the
deployment from the Intune administration console. Additionally, in some app stores, like the Apple (Classic portal)
and Windows (Classic portal) app stores, you can purchase app licenses in bulk for your company. Intune can
synchronize data with these stores so that you can deploy and track license usage for these types of apps right
from the Intune administration console.

Configure
As part of the app lifecycle, new versions of apps are regularly released. Intune provides tools to easily update apps
(Classic portal) that you have deployed to a newer version. Additionally, you can configure extra functionality for
some apps, for example:
iOS app configuration policies (Classic portal) supply settings for compatible iOS apps that are used when the
app is run. For example, an app might require specific branding settings or the name of a server to connect to.
Managed browser policies (Classic portal) help you to configure settings for the Intune managed browser,
which replaces the default device browser and lets you restrict the websites that your users can visit.

Protect
Intune gives you many ways to help protect the data in your apps. The main methods are:
Conditional access (Classic portal) controls access to email and other services based on conditions that you
specify. Conditions include device types or compliance with a device compliance policy (Classic portal) that you
deployed.
App protection policies (Classic portal) work with individual apps to help protect the company data that they
use. For example, you can restrict copying data between unmanaged apps and apps that you manage, or you
can prevent apps from running on devices that have been jailbroken or rooted.

Retire
Eventually, it's likely that apps that you deployed become outdated and need to be removed. Intune makes it easy
to retire apps from service (Classic portal).
Common ways to use Intune
6/19/2017 7 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

Before diving into implementation tasks, it's important to align your company's enterprise mobility stakeholders
around the business goals. This is important whether you're brand new to enterprise mobility or migrating from
another product.
The needs around enterprise mobility are dynamically evolving, and Microsoft's approach to addressing them is
sometimes different from other solutions in the market. The best way to align around business goals is to express
your goals in terms of the scenarios you want to enable for your employees, partners, and IT department.
Following are short introductions to the six most common scenarios that rely on Intune, accompanied with links to
more information about how to plan and deploy each of them.

NOTE
Do you want to know how Microsoft IT uses Intune to give Microsoft access to corporate resources on their mobile devices
while also keeping corporate data protected? Read this technical case study to see in detail how Microsoft IT uses Intune and
other services to manage identity, devices, and apps, and data.

IMPORTANT
In light of the recent "Trident" malware attacks on iOS devices, we want to ensure that mobile devices are up to date.
So we've published a blog post called Ensuring mobile devices are up to date using Microsoft Intune. It provides
information about the different ways that Intune can help keep your devices secure and up to date.

Protecting your on-premises email and data so it can be safely accessed by mobile devices
Most enterprise mobility strategies begin with a plan to enable secure access to email for employees with mobile
devices that connect to the Internet. Many organizations still have on-premises data and application servers, such
as Microsoft Exchange, that are hosted on their corporate network.
Intune and Microsoft Enterprise Mobility + Security (EMS) provide a uniquely integrated conditional access
solution (Classic portal) for Exchange Server, which ensures that no mobile app can access email until that device is
enrolled with Intune. You can do this all without deploying another gateway machine to the edge of your corporate
network!
Intune also supports enabling access to mobile apps that require secure access to on-premises data, such as line-
of-business app servers. This is typically done using Intune-managed certificates (Classic portal) for access control,
combined with a standard VPN gateway or proxy in the perimeter such as Microsoft Azure Active Directory
Application Proxy.
In these cases, the only way to access the corporate data is to enroll the device into management. Once the devices
are enrolled, the management system ensures that they are compliant with your policies before they can access
corporate data. Additionally, Intune's App Wrapping Tool and App SDK can help contain the accessed data within
your line of business app, so that it can't pass corporate data to consumer apps or services.

Protecting your Office 365 email and data so it can be safely accessed
by mobile devices
Protecting corporate data in Office 365 (email, documents, instant messages, contacts) could not be easier for you
or more seamless for your users.
Intune and Microsoft Enterprise Mobility + Security provide a uniquely integrated conditional access solution that
ensures no users, apps, or devices can access Office 365 data unless they meet your company's compliance
requirements (performed multi-factor authentication, enrolled with Intune, using managed app, supported OS
version, device pin, low user risk profile, etc.).
The Office mobile apps in their respective app stores are ready to go with data containment policies that you can
configure via Intune. This enables you to prevent data from being shared with apps (for example, with native email
apps) and storage locations (for example, Dropbox) that aren't managed by IT. All this functionality is built into
Office 365 and EMS. You don't have to deploy additional infrastructure to get this value.
A common Office 365 deployment practice is to require devices to enroll into management if they need to be fully
set up with corporate apps, certs, Wi-Fi, or VPN configurations, a common scenario for corporate-owned devices.
However, if the user simply needs to access corporate email and documents, which is often the case for personally
owned devices, then you can require the user to use the Office mobile apps (to which you have applied app
protection policies (Classic portal)) and skip enrolling the device altogether!
Either way, the Office 365 data will be secured by policies you've defined.

Offer a bring your own device program to all employees
Bring your own device (BYOD) continues to grow in popularity among organizations as a means to reduce
hardware expenditures or increase mobile productivity choices for employees. Just about everyone has a personal
phone these days so why put another one in their pocket? The main challenge has always been to convince
employees to enroll their personal device into management, as they are fearful of what their IT department will be
able to see and do with their device.
When device enrollment is not a viable option, Intune offers an alternative BYOD approach of simply managing the
apps that contain corporate data (Classic portal). Intune protects the corporate data even if the app in question
accesses both corporate and personal data, as is the case for Office mobile apps.
As an administrator, you can require users to access Office 365 from the Office mobile apps and configure the apps
with policies that keep the data protected (such as encrypting it, protecting it with a pin, and so on). These policies
prevent data loss from unmanaged apps and storage locations--inside or outside of those apps. For example, the
policies prevent a user from copying text from a corporate email profile into a consumer email profile even if both
profiles are configured within Outlook Mobile. Similar configurations can be deployed for other services and
applications that are required by your BYOD users.

Issue corporate-owned phones to your employees
Many employees are mobile these days, making productivity on mobile devices an imperative to be competitive.
These employees need seamless access to all corporate apps and data, at any time, wherever they are. You need to
ensure that corporate data is secure and administrative costs are low.
Intune offers bulk provisioning and management solutions (Classic portal) that are integrated with the major
corporate device management platforms on the market today, including the Apple Device Enrollment Program and
the Samsung KNOX mobile security platform. Centralized authoring of device configurations with Intune helps
make provisioning of corporate devices something that can be highly automated.
Picture this: hand an employee an unopened iPhone box. The employee powers it on and is walked through a
corporate-branded setup flow where they must authenticate themselves. The iPhone is seamlessly configured with
security policies (Classic portal).
Then the employee launches the Intune Company Portal app to access the optional corporate apps that are
available to them.

Issue limited-use shared tablets to your employees
Employees are increasingly making use of mobile technologies. For example, shared tablets are now commonly
used by retail store employees. Whether they're used to process a sale or instantly check inventory, tablets help
create great customer interactions.
Simplicity of the user experience is critical in this case. For this reason, tablets are usually handed to employees in a
limited-use mode, such that a single line-of-business app is the only thing that the employee can interact with.
Intune enables you to bulk provision, secure, and centrally manage these shared iOS and Android (Classic portal)
devices that can be configured to run in this limited-use mode.

Enable your employees to securely access Office 365 from an unmanaged public kiosk
Sometimes your employees need to use devices, apps, or browsers that you can't manage, such as the public
computers at trade shows and in hotel lobbies.
Should you allow your employees to access corporate email from them? With Intune and Microsoft Enterprise
Mobility + Security, the answer can simply be no, by limiting email access to devices that are managed by your
organization (Classic portal). This ensures that your strongly authenticated employee doesn't accidentally leave
corporate data on the untrusted computer.
Known issues in Microsoft Intune
6/28/2017 4 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go here.

Use this topic to learn about any known issues in Microsoft Intune.
If you want to report a bug that is not listed here, open a support request.
If you want to request a new feature for Intune, consider filing a report on our Uservoice site.

Migration
Groups created by Intune during migration might affect functionality of other Microsoft products
When you migrate from classic Intune to Azure, you might see a new group named
All Users - b0b08746-4dbe-4a37-9adf-9e7652c0b421. This group contains all users in your Azure Active Directory,
not only Intune-licensed users. This can cause issues with other Microsoft products if you expect some existing or
new users to not be a member of any group.
Secondary migration required for select capabilities
Intune accounts created before January 2017 must be migrated before these capabilities can be used in the Azure
portal:
Corporate Device Enrollment profiles
Apple Device Enrollment Program
Corporate Pre-enrolled devices by iOS Serial Number group
Device Enrollment Managers
Apple Volume Purchase Program
Because these capabilities cannot be managed from both the classic Silverlight and Azure consoles, the migration:
Disables them in the classic console
Enables them in the Azure console.
If you now manage these Intune capabilities in the Azure portal, be aware of the following points:
Removes default Corporate Device Enrollment profiles in Apple DEP
The Azure Portal does not support a default Corporate Device Enrollment profile for Apple Device Enrollment
Program (DEP) devices. This functionality, available in the classic Silverlight Intune console, is discontinued to
prevent unintentional profile assignment. When DEP serial numbers sync in the Azure Portal, no Corporate Device
Enrollment profile is assigned. An enrollment profile must be assigned before using the device.
Apple DEP token restored with migration
If you deleted an Apple Device Enrollment Program token in the Intune classic (Silverlight) portal and do not upload
a new token to the Azure portal, the original token is restored in the Azure portal when you migrate. To remove this
token and prevent DEP enrollment, delete the token from the Azure portal.
Status blades for migrated policies do not work
You cannot view status information for policies that were migrated from the classic portal in the Azure portal.
However, you can continue to view reports for these policies in the Classic portal. To view status information for
migrated configuration policies, recreate them in the Azure portal.

Apps
iOS volume-purchased apps only available in default Intune tenant language
iOS volume-purchased apps are displayed, and can be assigned, only for the same country code as your Intune
account. Intune only syncs apps from the same iTunes locale as the Intune tenant account country code. For
example, if you purchase an app which is only available in the US store, but your Intune account is German, Intune
will not show that app.
Multiple copies of the same iOS volume-purchase program are uploaded
Do not click the Upload button multiple times for the same VPP token. This will result in duplicate VPP tokens
being uploaded, and apps syncing multiple times for the same VPP token.

Device configuration
You cannot save a Windows Information Protection policy for some devices
For devices not enrolled with Intune, you can only specify a primary domain in the Corporate identity field in the
settings for a Windows Information Protection policy. If you add additional domains (using Advanced settings >
Network perimeter > Add a protected domain), you cannot save the policy. The error message you see will
soon be changed to be more accurate.
Cisco AnyConnect VPN client support
The latest release of the Cisco AnyConnect VPN client (4.0.07072) is not currently compatible with Intune. A future
Intune update will include compatibility with this VPN client version. Until then, we recommend that you do not
update your Cisco AnyConnect VPN client, and continue to use the existing version.
Using the numeric password type with macOS Sierra devices
Currently, if you select the Numeric Required password type in a device restriction profile for macOS Sierra
devices, it is enforced as Alphanumeric. If you want to use a numeric password with these devices, do not
configure this setting. This issue might be corrected in a future version of macOS.
For more information about these settings, see macOS device restriction settings in Microsoft Intune.

Compliance
Compliance policies from Intune do not show up in new console
Compliance policies you created in the classic portal are migrated, but are not displayed in the Azure portal because
of design changes in the Azure portal. Compliance policies you created in the classic Intune portal are still enforced,
but you must view and edit them in the classic Intune portal. Additionally, new compliance policies you create in the
Azure portal are not visible in the classic Intune portal.
For more information, see What is device compliance.

Administration and accounts
Global Admins (also referred to as Tenant Admins) can continue day-to-day administration tasks without a separate
Intune or Enterprise Mobility Suite (EMS) license. However, to use the service, such as to enroll their own device, a
corporate device, or use the Intune Company Portal, they need an Intune or EMS license.
How to get support for Microsoft Intune
6/27/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go here.

Microsoft provides global technical, pre-sales, billing, and subscription support for Microsoft Intune. Support is
available both online and by phone for paid and trial subscriptions. Online technical support is available in English
and Japanese. Phone support and online billing support are available in additional languages.

IMPORTANT
For technical support with products that work with Intune but are not made by Microsoft, for example SaaSwedo,
Cisco, or Lookout, contact the supplier of that product first. Before you open a request with Intune support, ensure
you have configured the other product correctly.

Create an online support ticket
As an IT admin, you can file a support ticket from the Azure portal by using the following steps:
1. Log on to the Azure portal (https://portal.azure.com) with your Intune admin credentials, choose the ? icon
in the upper-right corner of the portal, and then select Help + support to go to the Azure Help + support
page.

2. On the Azure Help and support page, select New support request.
3. On the Basics blade, for most Intune technical support issues, choose the following options:
Issue type: Technical
Service: Microsoft Intune
Support plan: Technical support - included (For Intune technical issues, support is
complimentary.)

IMPORTANT
Support for Intune, and for Intune when used with Configuration Manager, is free of charge. To review details
of the Premier Support offering, please see the Description of Services documentation, section 5.3.3 "Advisory
Services."

Choose Next to continue.


4. On the Problem blade, to ensure your request is addressed by the right subject matter expert for your problem, select the following options:
   Severity
   Problem type
   Category
   These details also let us provide Related help that might solve your problem without filing a ticket.
   To help us research and resolve your problem, enter the following information:
   Details
   Date
   Time
   Supplemental data
   Choose Next.
5. Provide Contact information for this support request. Microsoft support uses this information to contact you.
6. Choose Create to submit your support request.

IMPORTANT
If you have a billing or subscription question, you can open a case to get support through the Office Admin Center.

Additional resources
Contact assisted phone support for Microsoft Intune
Volume Licensing Service Center
Billing and subscription management support
Volume licensing
Intune deployment planning, design, and implementation guide
6/19/2017

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

A successful Intune deployment starts with having a good plan and design. The purpose of this guide is to step you
through the process of developing a deployment plan, creating a design, onboarding Intune, and conducting a
production rollout.

What's included in this guide?

This guide includes sections that will walk you through the end-to-end process of deploying Intune. Start with Section 1 to clarify your goals, objectives, and challenges. Then move on to Sections 2 to 7 in the order that best meets your needs. You don't need to work through these sections sequentially; you can complete them in parallel.
Section 1: Determine deployment goals, objectives, and challenges
Section 2: Identify use case scenarios
Section 3: Determine use case requirements
Section 4: Develop a rollout plan
Section 5: Develop a rollout communication plan
Section 6: Develop a support plan
Section 7: Create an Intune design
Section 8: Intune implementation
Section 9: Testing and validation
This guide also provides additional technical information and table templates that can be used to assist you with the Intune deployment planning, design, and implementation process.
Additional resources: Links and table templates

Assumptions
You've already evaluated Intune in a proof of concept (PoC) environment, and have decided to use it as the
mobile device management solution in your organization.
You're already familiar with Intune and its features.

Next steps
Let's get started with the first section: Determine deployment goals, objectives, and challenges.
Determine deployment goals, objectives, and challenges
6/19/2017

Having a good deployment plan begins with first identifying your organization's deployment goals and objectives, along with potential challenges. Let's discuss each area in more detail.

Deployment goals
Deployment goals are the long-term achievements you intend to gain by deploying Intune in your organization. Listed below are some examples of such goals along with the description and business value for each.
Integrate with Office 365 and support the use of Office mobile apps
    Description: Provide tight integration with Office 365 and the use of Office mobile applications with application protection.
    Business value: A secure and improved user experience, achieved by allowing users to use apps they are familiar with and prefer.
Enable access to internal corporate services on mobile devices
    Description: Enable employees to be productive wherever they need to work from, and with whichever device is most appropriate for them. This project should look to enable mobile productivity and access to corporate data in a safe manner.
    Business value: Enabling employees to be agile and work from where they need allows the business to be more competitive and to provide a more rewarding working environment.
Provide data protection on mobile devices
    Description: When data is stored on a mobile device, it should be protected from malicious and accidental loss or sharing.
    Business value: Data protection is vital to ensure that we remain competitive, and that we treat our clients and their data with the utmost diligence.
Reduce costs
    Description: When possible, the project reduces deployment and operating costs.
    Business value: The efficient use of resources enables the business to invest in other areas, compete more effectively, and provide better service to clients.

Deployment objectives
Deployment objectives are the actions your organization can take to reach its Intune deployment goals. Listed below are some examples of deployment objectives, and how each would be accomplished.
Reduce the number of device management solutions
    Implementation: Consolidate to a single mobile device management solution: Microsoft Intune for corporate data protection of apps and devices.
Provide secure access to Exchange and SharePoint Online
    Implementation: Apply conditional access for Exchange and SharePoint Online.
Prevent corporate data from being stored or forwarded to non-corporate services on the mobile device
    Implementation: Apply Intune app protection policies for Microsoft Office and line-of-business apps.
Provide capability to wipe corporate data from the device
    Implementation: Enroll devices into Intune. This gives you the capability to perform a remote wipe of corporate data and resources when appropriate.

Deployment challenges
Deployment challenges are issues that are top of mind for an organization and that may have a negative impact on deployment. Sometimes they are related to past issues from previous projects that you would like to avoid, or to new issues related to the current deployment effort. Listed below are some examples of Intune deployment challenges along with potential mitigations.
Support readiness and end-user experience are not included in an initial project scope. This leads to poor end-user adoption and challenges for your support organization.
    Mitigation: Incorporate support training. Validate the end-user experience with success metrics in your deployment plan.
Lack of clearly defined goals and success metrics leads to intangible results. It may also shift your organization into reactive mode when issues arise.
    Mitigation: Define your goals and success metrics early in your project scope, and use these data points to flesh out your other rollout phases. Make sure goals are SMART (Specific, Measurable, Attainable, Realistic, and Timely). Plan to measure against your goals at each phase to ensure your rollout project stays on track.
You neglect to create, validate, and aggressively share a clear value proposition that resonates with your organization. This often leads to limited adoption and a lack of return on investment (ROI).
    Mitigation: While you may be excited to jump into your project, ensure you have clearly defined your goals and objectives. Include these in all awareness and training activities to help ensure users understand why your organization selected Intune.

Next steps
Now that you have identified your deployment goals, objectives, and potential challenges, let's move to the next section: Identify use case scenarios.
Identify mobile device management use-case scenarios
6/19/2017

Identifying your use-case scenarios is an important part of the planning process for a successful Intune deployment. Use-case scenarios are helpful because they let you segment your users into manageable groups by user type or role, and by the ownership of the user's device (for example, company or personal).
Let's discuss a few examples to help your organization identify Intune use-case scenarios, as well as the organizational groups and mobile device platforms associated with each use case.

Device ownership
You can begin by referring to your organization's Intune deployment goals and objectives to help identify the main use-case scenarios for your deployment. Within the scope of your Intune deployment plan, answer the following questions:
Are you planning to support corporate-owned devices?
Are you planning to support personally owned devices (BYOD)?
These are not either/or options. You may find you need to support both forms of device ownership to meet your organizational goals. The sub-use-cases will help clarify where to apply the different device management policies.
User type or device role
Determine if each use-case scenario also includes sub-use-cases. For example, your organization may have
identified requirements to support a corporate use-case scenario that includes additional sub-use-cases based on
user type or device role, such as:
Information worker
Executive
Kiosk
Here are a few examples of use-case and sub-use-case scenarios:

USE CASES    SUB-USE CASES
Corporate    Information worker
Corporate    Executives
Corporate    Kiosk
BYOD         Information worker
BYOD         Executives

You can download a template of the above table to enter your organization's use-case and sub-use-case scenarios.
Organizational groups for your scenarios
Now you need to identify the organizational groups that are associated with each use-case and sub-use-case
scenario. For example:

USE CASES    SUB-USE CASES        ORGANIZATIONAL GROUPS
Corporate    Information worker   HR, Finance
Corporate    Executive            HR, Finance
Corporate    Kiosk                Retail
BYOD         Information worker   Marketing, Sales
BYOD         Executive            Marketing, Sales

Mobile device platforms for your scenarios

The next step is to identify the mobile device platforms associated with each use-case scenario. There may be more
than one.
For example, your corporate use-case scenario may support iOS and Android Samsung KNOX device platforms.
Your BYOD policy may include support for additional mobile device platforms like Android (non-Samsung KNOX)
and Windows 10 Mobile. Building on the preceding examples, we've associated mobile device platforms with each
use-case scenario.

USE CASES    SUB-USE CASES        GROUPS             DEVICE PLATFORMS
Corporate    Information worker   HR, Finance        iOS
Corporate    Executives           HR, Finance        iOS
Corporate    Kiosk                Retail             Android
BYOD         Information worker   Marketing, Sales   iOS
BYOD         Executives           Marketing, Sales   iOS

Next steps
The next section provides guidance on how to identify the Intune requirements for each use case scenario.
Determine use-case scenario requirements
6/19/2017

In this section, you determine the requirements for each organizational group within each use-case scenario. This
process helps you prepare for the other Intune deployment planning areas like architecture and design,
onboarding, and rollout. It can also help identify potential gaps and challenges related to your Intune deployment
project.
You might have different sets of requirements for each of your use-case and sub-use-case scenarios, and their associated organizational groups and mobile device platforms. For example, your corporate use-case scenario might require devices to enroll into Intune with a more restrictive set of device settings, like a PIN of 6 characters or disabled cloud backup. Your "bring your own device" (BYOD) use-case scenario may be less restrictive and allow a 4-character PIN and cloud backup.
You may also have organizational groups for the corporate use-case scenario that have different sets of requirements (for example, PIN settings, Wi-Fi or VPN profile, apps deployed). Your requirements may also be determined by the capabilities of the mobile device platform (for example, fingerprint reader, email profile).
Here are a few examples of an organization's use-case requirements showing different sets of requirements for each use-case and sub-use-case scenario, organizational group, and mobile device platform. You can also use the following table to enter your organization's use-case requirements:

USE CASES    SUB-USE CASES        GROUPS             DEVICE PLATFORMS   REQUIREMENTS
Corporate    Information worker   HR, Finance        iOS                Secure e-mail, device settings, profiles, apps
Corporate    Executives           HR, Finance        iOS                Secure e-mail, device settings, profiles, apps
Corporate    Kiosk                Retail             Android            Device settings, profiles, apps
BYOD         Information worker   Marketing, Sales   iOS                Secure e-mail, device settings, profiles, apps
BYOD         Executives           Marketing, Sales   iOS                Secure e-mail, device settings, profiles, apps

You can download a template of the above table to enter your organization's use-case and sub-use-case requirements.

Examples of requirements
Here are a few more examples that can be used in the "Requirements" column:
Secure e-mail
    Conditional access for Exchange Online / on-premises
    Outlook app protection policies
Device settings
    PIN setting with four or six characters
    Restrict cloud backup
Profiles
    Wi-Fi
    VPN
    Email (Windows 10 Mobile)
Apps
    Office 365 with app protection policies
    Line of business (LOB) with app protection policies
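As an added example that is not part of the Intune documentation, the following Python script shows how requirement sets like the ones above can be encoded per use case and sub-use case and then checked against a device's reported settings. The requirement values (a six-character PIN and restricted cloud backup for corporate devices, a four-character PIN with cloud backup allowed for BYOD) follow the illustrations in this guide; the requirement-set keys, the profile lists, the DeviceReport fields and the device reports themselves are constructed sample data for this example, not Intune policy or inventory objects.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirements:
    """Requirement set for one use case / sub-use case combination."""
    min_pin_length: int           # minimum device PIN length
    allow_cloud_backup: bool      # whether cloud backup may stay enabled
    required_profiles: frozenset  # profiles that must be present (Wi-Fi, VPN, Email)


# Constructed requirement sets keyed by (use case, sub-use case), mirroring the
# guide's example tables. Corporate devices get a 6-character PIN and restricted
# cloud backup, BYOD devices a 4-character PIN with cloud backup allowed. The
# profile lists are assumptions made for this example.
CORP_PROFILES = frozenset({"Wi-Fi", "VPN", "Email"})
REQUIREMENTS = {
    ("Corporate", "Information worker"): Requirements(6, False, CORP_PROFILES),
    ("Corporate", "Executive"): Requirements(6, False, CORP_PROFILES),
    ("Corporate", "Kiosk"): Requirements(6, False, frozenset({"Wi-Fi"})),
    ("BYOD", "Information worker"): Requirements(4, True, frozenset({"Email"})),
    ("BYOD", "Executive"): Requirements(4, True, frozenset({"Email"})),
}


@dataclass(frozen=True)
class DeviceReport:
    """Constructed stand-in for a device inventory record (not an Intune API object)."""
    device_id: str
    use_case: str
    sub_use_case: str
    pin_length: int               # 0 means no PIN is set
    cloud_backup_enabled: bool
    installed_profiles: frozenset


def evaluate(report: DeviceReport) -> list[str]:
    """Return the requirement violations for one device; an empty list means compliant."""
    req = REQUIREMENTS.get((report.use_case, report.sub_use_case))
    if req is None:
        # A device with no mapped requirement set is a planning gap: report it
        # rather than silently treating it as compliant.
        return [f"no requirement set defined for {report.use_case}/{report.sub_use_case}"]
    findings = []
    if report.pin_length < req.min_pin_length:
        findings.append(f"PIN length {report.pin_length} below required {req.min_pin_length}")
    if report.cloud_backup_enabled and not req.allow_cloud_backup:
        findings.append("cloud backup enabled but restricted for this use case")
    missing = req.required_profiles - report.installed_profiles
    if missing:
        findings.append("missing profiles: " + ", ".join(sorted(missing)))
    return findings


def noncompliant_devices(reports) -> list[str]:
    """IDs of devices with at least one finding, in input order."""
    return [r.device_id for r in reports if evaluate(r)]


# Constructed sample reports. corp-002 and byod-001 carry identical settings;
# only the use case they belong to decides whether those settings are acceptable.
SAMPLE_REPORTS = [
    DeviceReport("corp-001", "Corporate", "Information worker", 6, False, CORP_PROFILES),
    DeviceReport("corp-002", "Corporate", "Executive", 4, True, CORP_PROFILES),
    DeviceReport("byod-001", "BYOD", "Information worker", 4, True, frozenset({"Email"})),
    DeviceReport("kiosk-001", "Corporate", "Kiosk", 6, False, frozenset()),
    DeviceReport("contractor-001", "Contractor", "Information worker", 6, False, CORP_PROFILES),
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        findings = evaluate(r)
        print(r.device_id, "compliant" if not findings else "; ".join(findings))
```

The point the script makes is the one the guide draws: the same device settings (a 4-character PIN with cloud backup on) are a violation under the corporate requirement set and acceptable under BYOD, so the requirement table, not the device, decides compliance. A device whose group was never mapped to a requirement set is surfaced as a finding, since that usually means a use case was missed during planning.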

Next section
The next section provides guidance on how to develop an Intune rollout plan.
Develop a rollout plan
6/19/2017

Your rollout plan identifies the organizational groups you want to target for your Intune rollout, the rollout
timeframe for each group, and the enrollment approaches you will use.

Targeted groups and timeframes

First, review the groups that are targeted with your Intune rollout and that you identified in your use-case
scenarios.
Second, determine the time frame for each targeted group. This task typically requires a discussion between the
Intune deployment team and the targeted groups to determine the most appropriate rollout time frame for each
group. Points to cover in such a discussion include:
The group's willingness for change
The number of users and devices
Types of device platforms
Requirements
Geographic location
Business risk

Rollout phases
Organizations commonly choose to start the Intune rollout with an initial pilot, targeting a small group of users in
the IT department. The pilot can be expanded to include a broader set of IT users and may include participation
from other organizational groups.
Pilot
The first rollout phase should target pilot users. The pilot users should understand that they are the first users of a new solution. They must be willing to provide feedback to help improve configuration, documentation, and notifications, and to ease the way for all other users in later rollout phases. These users should not be executives or VIPs.
The pilot is a good opportunity for you to test the challenges and refine requirements you gathered earlier.
Include your communication plan, support plan, and testing and validation to work out any problems while the
impact to users is still small.
Production rollout
After a successful pilot, you're ready to start a full production rollout, targeting the rest of your organization's groups. Some examples of different rollout groups and phases are:
Departments
Each department can be a rollout phase. You target an entire department at a time. In this type of rollout,
users in each department tend to use the mobile device in the same way and access the same applications.
Users will likely have the same types of policies.
Geography
In this approach, you deploy to all users in a specific geography, whether it's the same continent, country, region, or company building. This type of phased deployment lets you focus on the specific location of users. It can let you provide more of a white glove approach because the number of locations deploying Intune at the same time is reduced. Because different departments or use cases are likely to be present at the same location, different use cases might be deployed at the same time.
Platform
This type of deployment consists of deploying similar platforms at the same time. An example might be all
iOS devices the first month, followed by Android, followed by Windows. This type of phased deployment
helps simplify helpdesk support because helpdesk would only have to support a single platform at a time.
Here's an example of an Intune rollout plan that includes targeted groups and timelines:

ROLLOUT PHASE JULY AUGUST SEPTEMBER OCTOBER
Limited Pilot: IT (50 users)
Expanded Pilot: IT (200 users), IT Executives (10 users)
Production rollout phase 1: Sales and Marketing (2000 users)
Production rollout phase 2: Retail (1000 users)
Production rollout phase 3: HR (50 users), Finance (40 users), Executives (30 users)

You can download a template of the above table to enter your organization's rollout phases.

Match rollout groups to enrollment approaches

Now that you have determined the targeted groups and time frames for your Intune rollout, the next step is to
choose the most appropriate Intune enrollment approach for each group. There are different enrollment
approaches you can use including:
User self-service
User-assisted enrollment
IT tech fair
User self-service
In this case, the user is responsible for enrolling their own device, usually following enrollment instructions
provided by their IT organization. This approach is most commonly used in organizations and is more scalable
than user-assisted enrollment.
User-assisted enrollment
This is known as a "white glove" approach. An IT team member helps the user through the enrollment process, in
person or with Skype. This approach is commonly used with executive staff and other groups that might need
more assistance during the enrollment process.
IT tech fair
Another option for Intune user enrollment is to have an IT technical fair. At this event, the IT group sets up an
Intune enrollment assistance booth where users could receive information on Intune enrollment, ask questions,
and receive assistance with the enrollment process. This option can be beneficial for both the IT group and users,
especially during early phases of Intune rollout.
Here's an updated example of the above Intune rollout plan that includes enrollment approaches:

ROLLOUT PHASE JULY AUGUST SEPTEMBER OCTOBER
Limited Pilot: Self-service, IT
Expanded Pilot: Self-service, IT; White glove, IT Executives
Production rollout phase 1: Self-service, Sales and Marketing
Production rollout phase 2: Self-service, Retail
Production rollout phase 3: Self-service, HR, Finance; White glove, Executives

Next section
The next section provides guidance on developing an Intune rollout communication plan.
Develop a rollout communication plan
6/22/2017

Good change management relies on clear and helpful communications about the upcoming changes. To smooth
the path of your Intune deployment, your rollout communication plan should include four areas:
What information is to be communicated
The delivery method used for the communications
Who receives the communications
The timeline for communications
Let's review each area in more detail.

What needs to be communicated?

What information to communicate depends on where you are in the Intune rollout process. You might decide to communicate in waves to your organizational groups and users, starting with an Intune rollout kickoff, followed by pre-enrollment and enrollment, and following up with post-enrollment. Let's discuss the type of information that could be communicated in each wave.
Kickoff wave
Broad communications that introduce the Intune project itself. It should answer questions like what is Intune, why
the organization is adopting Intune (benefits to the organization and users), and provide a high-level plan of the
deployment and rollout.
Pre-enrollment wave
Broad communications that include additional information about Intune and complementary offerings (for
example, Office, Outlook, OneDrive), user resources, and specific timelines for when organization groups and users
are scheduled to receive Intune.
Enrollment wave
Communications targeting organization groups and users that are scheduled to receive Intune. These should
inform the users that they are ready to receive Intune and provide enrollment instructions along with contact
information for getting assistance or asking questions.
Post enrollment wave
Communications targeting organization groups and users that have enrolled in Intune. These should provide
additional resources that might be helpful to the user, and collect feedback about their experience during and after
enrollment.
You may find this end-user enrollment guide helpful. You can use it as is or modify for your organization.

Communication delivery methods

There are several delivery methods you can use to communicate Intune rollout information to your targeted
organizational groups and users. The following list shows some examples and the wave you can use the method
with:
Organizational-wide in-person or Skype meetings used for kickoff wave
Email used for pre-enrollment, enrollment, and post-enrollment waves
Organization web sites used for all waves
Yammer, posters, and flyers used for kickoff and pre-enrollment waves

Communications timeline
After determining what you need to communicate and the methods you will use, determine the timeline for your communications, including when each communication is sent and who receives it.
For example, the initial Intune project kickoff communications can target the entire organization or just a subset,
and take place over several weeks before the Intune rollout begins. After that, information could be communicated
in waves to organizational groups and users, aligned with their Intune rollout schedule. The following example is a
sample high-level Intune rollout communications plan:

COMMUNICATION PLAN      JULY          AUGUST                SEPTEMBER     OCTOBER
Wave 1                  All
Kickoff meeting         First week
Wave 2                  IT            Sales and Marketing   Retail        HR, Finance, and Executives
Pre-rollout Email 1     First week    First week            First week    First week
Wave 3                  IT            Sales and Marketing   Retail        HR, Finance, and Executives
Pre-rollout Email 2     Second week   Second week           Second week   Second week
Wave 4                  IT            Sales and Marketing   Retail        HR, Finance, and Executives
Enrollment email        Third week    Third week            Third week    Third week
Wave 5                  IT            Sales and Marketing   Retail        HR, Finance, and Executives
Post-enrollment email   Fourth week   Fourth week           Fourth week   Fourth week

You can download a template of the above table to develop your communication plan.

Next section
The next section provides guidance on developing a support plan.
Develop a support plan
6/22/2017

Having an Intune support plan can help you identify and resolve Intune related issues more effectively. This, in
turn, improves your users' overall Intune experience. Here are some questions to consider as you develop your
Intune support plan:
Which teams will be responsible for providing Intune support?
What process will be used to provide Intune support?
How do you plan to provide Intune support training?
What are the opportunities to involve the support team early in the Intune deployment process?
Let's review each area in more detail.

Which teams are responsible for providing support

Organizations may have different tiers or levels (1-3) of support. For example, tier 1 and 2 may be part of the support team, and tier 3 may include members of the MDM team responsible for the deployment of Intune.
Tier 1 is normally the first level of support and typically the first tier to be contacted by the user for support requests. If tier 1 is unable to resolve the end user's issue, they escalate it to tier 2. Tier 2 escalates it to tier 3 if needed. In addition, Microsoft support may be considered as tier 4.
Learn more about Intune support.

What is the support process

For the initial production rollout phases, you could have all three tiers participating in a bridge or Skype call. Here's one example of how an organization could implement its IT support or helpdesk workflow:
1. End-user contacts IT support or helpdesk tier 1 with an enrollment issue.
2. IT support or helpdesk tier 1 is unable to determine the root cause and escalates to tier 2.
3. IT support or helpdesk tier 2 investigates, but is unable to resolve the issue and escalates to tier 3, providing
additional information to assist with the investigation.
4. IT support or helpdesk tier 3 investigates further, determines the root cause, and communicates the
resolution to tier 2 and 1.
5. IT support/helpdesk tier 1 then contacts the customer and resolves their issue.
This type of approach, especially in early stages of the Intune rollout, adds many benefits, including:
Assisting in technology learning and ramp up.
Quickly identifying issues and resolution.
Improving the overall user experience.

How you plan to provide Intune support training

It's important to provide Intune technical training for your IT support or helpdesk staff so that the training is at an
appropriate level and applies to the specific support tier and their responsibilities. You could have the Intune MDM
team conduct this training to the support leads (training the trainer), then have the leads provide this training to
their support team members. This training can typically be provided in 2-3 hours, and it includes lecture and labs.
An example of an Intune support training agenda is provided below.
Intune support plan review
Intune overview
Troubleshooting common issues
Tools and resources
Q&A
The Intune documentation provides an Intune overview, detailed feature descriptions, and some troubleshooting
information. The Intune forum is a community-based resource for questions and topics not covered in the Intune
documentation.

What opportunities are there to involve the support team earlier?

Involving your IT support/helpdesk staff in early stages of Intune deployment planning and pilot efforts can
improve your Intune deployment and end-user adoption. Early involvement provides your support staff with
exposure to Intune and valuable experience from the beginning. This helps prepare your IT support/helpdesk staff
for supporting the organization's full production rollout.

Next section
The next section provides guidance on designing Intune.
Create a design
6/19/2017

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

This section of the guide should be used in parallel with the other topics in Section 2. The design is based on the information you collect and the decisions you make when completing the previous sections of this guide. In this design section, we focus on Intune standalone, which is a Microsoft cloud-based service.
Although there are minimal on-premises infrastructure requirements, work on a design plan to make sure you have the right mobile device management solution that meets your goals, objectives, and requirements.
Additionally, it's common to have design changes during the implementation and testing phases; make sure to document these changes, and the rationale behind them, as they occur. The design includes the following areas:
The current environment
Intune deployment options
Identity requirements for external dependencies
Device platform considerations
Requirements to be delivered
Let's review each of these areas in more detail.

Record your environment

The first step before you can create your design is to record your current environment. The current environment can influence design decisions and should be documented and referenced when making other Intune design decisions. Below are a few examples of how to record the current environment:
Identity in the cloud
    Do you use DirSync or Azure Active Directory (Azure AD) Connect?
    Is your environment federated?
    Is multi-factor authentication enabled?
Email environment
    Is Exchange being used? Is it on-premises or in the cloud?
    Are you in the middle of a project to migrate Exchange to the cloud?
Current MDM solution
    Are you currently using other MDM solutions?
    What MDM solutions are you using for corporate and BYOD use case scenarios?
    What capabilities are you using (e.g. app device settings, Wi-Fi configurations, etc.)?
    What device platforms are supported?
    What groups and how many users are using the MDM solution?
Certificate Solution
    Have you implemented a certificate solution?
    What type of certificates do you use?
Systems Management
    How are you managing your PC and server environment?
    Is System Center Configuration Manager being used? Are you using a third-party system management platform?
VPN Solution
    What is your VPN solution?
    Is it used for both corporate and BYOD use case scenarios?
When recording the current MDM environment, make sure to note any projects or other plans in place that could make changes to your environment. Below is an example of a way to record the current environment to assist when creating your Intune design:

SOLUTION AREA          CURRENT ENVIRONMENT                                  COMMENTS
Identity               Azure AD, Azure AD Connect, not federated, no MFA    Project in place to enable MFA by end of year
Email environment      Exchange on-premises, Exchange online                Currently migrating from Exchange on-premises to Exchange online. 75% of mailboxes migrated. Last 25% will be migrated before Intune Pilot begins.
SharePoint             SharePoint on-premises                               No plans to move to SharePoint online
Current MDM            Exchange ActiveSync
Certificate solution   Microsoft Server 2012 R2, AD Certificate Services    Only use PKI for Web Site Servers
System Management      System Center Configuration Manager CB 1606          Would like to investigate Intune hybrid solution
VPN solution           Cisco AnyConnect

Choose an Intune deployment option

Intune offers two deployment options: standalone and hybrid. Decide which one fits your business requirements. Standalone refers to the Intune service running in the cloud; hybrid refers to the integration of Intune with System Center Configuration Manager.
Learn more about choosing between Microsoft Intune standalone and hybrid mobile device management with System Center Configuration Manager.
Intune tenant location
If your organization has a global presence, make sure to plan where your tenant resides when subscribing to the service. The country is defined when you sign up for an Intune subscription for the first time, and it maps to one of the regions around the world listed below:
North America
Europe, Middle East, and Africa
Asia and Pacific

IMPORTANT
It's not possible to change the country and tenant location later.

External dependencies
External dependencies are services and products that are separate from Intune, but are either a requirement of Intune or might integrate with Intune. It's important to identify the requirements for any external dependencies and how they are to be configured. Some examples of common external dependencies are listed below.
Identity
User and device groups
PKI
Let's explore these common external dependencies in more detail.
Identity
Identity is how we identify the users who belong to your organization and are enrolling a device. Intune requires Azure Active Directory (Azure AD) as the user identity provider. If you already use this service, you'll be able to leverage your existing identity already in the cloud. In addition, Azure AD Connect is the recommended tool to synchronize your on-premises user identities with Microsoft cloud services. If your organization is already using Office 365, it's important that Intune uses the same Azure Active Directory environment.
You can find more information regarding Intune's identity requirements below.
Learn more about identity requirements.
Learn more about directory synchronization requirements.
Learn more about multi-factor authentication requirements.
User and device groups
User and device groups determine the target of a deployment. This could include deployment targeting for policies, applications, and profiles. Intune cloud-only supports user and device groups; you'll need to determine what user and device groups will be required. It's recommended that all groups are created in the on-premises Active Directory, then synchronized to Azure Active Directory. You can find more information about user and device group planning and creation below.
Learn more about planning your user and device groups.
Learn how to create user and device groups.
Public Key Infrastructure (PKI)
Public Key Infrastructure supplies certificates to devices or users so they can securely authenticate to a service.
Intune supports a Microsoft PKI infrastructure. Device and user certificates can be issued to a mobile device to
satisfy certificate-based authentication requirements. Before implementing certificates, you need to determine
whether certificates are needed, whether the network infrastructure can support certificate-based authentication,
and whether certificates are already used in the existing environment.
If you're planning to use certificates with VPN, Wi-Fi, or e-mail profiles with Intune, you need to make sure you
have a supported PKI infrastructure in place, ready to create and deploy certificate profiles.
In addition, if SCEP certificates will be issued, you need to determine which server will host the Network Device
Enrollment Service (NDES) feature, and how the communication will happen.
More information about configuring certificates in Intune:
How to configure the certificate infrastructure for SCEP.
How to configure the certificate infrastructure for PFX.
How to configure Intune certificate profiles.
How to configure resource access policies.

Device Platform Considerations


You need to take a closer look at your devices to understand how to manage them correctly.
Determine supported device platforms
Devices
Device ownership
Bulk enrollment
Let's review these areas in more detail.
Determine supported device platforms
You need to know what devices will be in the environment and verify whether they are supported or not by Intune
when creating your design. Intune supports iOS, Android, and Windows platforms.
Learn more about Intune Supported Devices.
Devices
Intune manages mobile devices to secure corporate data and allow end users to work from more locations. Intune
supports multiple device platforms, so it's recommended to document the devices and the OS platforms that will
be supported in your organization's design. This expands on the devices and platforms documented in the use case
requirements section.
It's also recommended to record the OS versions, so you can reference the list when checking device capabilities
by OS platform and version. Here's an example:

DEVICE PLATFORM | OS VERSIONS
iOS - iPhone | 9.0+
iOS - iPad | 8.0+
Android Samsung Knox Standard | 4.0+
Windows 10 tablet | 10+

Device ownership
Intune supports both corporate-owned and BYOD ownership. A device is considered corporate-owned if it is enrolled
by a device enrollment manager or through a device enrollment program. As an example, a device could be enrolled via
Apple DEP, marked as corporate, and placed in a device group that receives targeted corporate policies and apps.
Refer to Section 3: Determine use case scenario requirements for more information about Corporate and BYOD
use cases.
Bulk enrollment
There are multiple enrollment options available for enrolling a device in Intune to complement the self-service
enrollment through the company portal. Bulk enrollment can be accomplished in different ways depending on the
platform. If bulk enrollment will be required, first determine the bulk enrollment method and incorporate it into
your design. Find more information about different methods of bulk enrollment below.
Learn more about bulk enrollment.

Feature requirements
In these sections, we'll review the following features and capabilities that are aligned with your use case scenario
requirements:
Terms and Conditions Policies
Configuration Policies
Resource Profiles
Apps
Compliance Policy
Conditional Access
Let's review each of these areas in more detail.
Terms and Conditions policies
Terms and Conditions can be used to explain policies or conditions that an end user must accept before
enrollment. Intune supports the ability to add and deploy multiple terms and conditions policies to user groups.
You need to determine whether terms and conditions policies are needed and, if so, who in the organization will
be responsible for providing this information.
Learn how to create terms and conditions policies in Intune. An example of how to document the terms and
conditions policy is below.

TERMS AND CONDITIONS NAME | USE CASE | TARGETED GROUP
Corporate T&C | Corporate | Corporate users
BYOD T&C | BYOD | BYOD users

Configuration policies
Configuration policies are used to manage security settings and features on a device. When designing your
configuration policies, refer to the use case requirements section to determine the configurations required for
Intune devices. Document which settings are needed and how they should be configured, and also document which
user or device groups each policy will be targeted to.
You should create at least one configuration policy per platform, and you can create multiple configuration
policies per platform if needed. Below is an example of designing four different configuration policies for
different platforms and use case scenarios.

POLICY NAME | DEVICE PLATFORM | SETTINGS | TARGET GROUP
Corporate - iOS | iOS | PIN is required, Length: 6, Restrict Cloud Backup | Corporate Devices
Corporate - Android | Android | PIN is required, Length: 6, Restrict Cloud Backup | Corporate Devices
BYOD iOS | iOS | PIN is required, Length: 4 | BYOD devices
BYOD Android | Android | PIN is required, Length: 4 | BYOD devices

Profiles
Profiles are used to help the end user connect to company data. Intune supports many types of profiles. Refer to
the use cases and requirements to determine when the profiles will be configured. All device profiles are
categorized per platform type, and should be included in the design documentation.
Certificate profiles
Wi-Fi profile
VPN profile
Email profile
Let's review each type of profile in more detail.
Certificate profiles

Certificate profiles allow Intune to issue a certificate to a user or device. Intune supports the following:
Simple Certificate Enrollment Protocol (SCEP)
Trusted Root Certificate
PFX certificate
It's recommended to document which user group needs a certificate, how many certificate profiles will be needed,
and which user groups to deploy them to.

NOTE
Remember that the trusted root certificate is required for the SCEP certificate, so make sure all users targeted for the SCEP
certificate also receive a trusted root certificate. If SCEP certificates are needed, design and document what SCEP certificate
templates will be needed.

Here's an example of how you can document the certificates during the design:

TYPE | PROFILE NAME | DEVICE PLATFORM | USE CASES
Root CA | Corporate Root CA | Android, iOS, Windows mobile | Corporate, BYOD
SCEP | User Certificate | Android, iOS, Windows mobile | Corporate, BYOD
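The NOTE above says every group targeted for a SCEP certificate must also receive a trusted root certificate. The following is an added example (not code from the Intune guide or from Microsoft) that encodes the certificate design table as data and flags any SCEP platform/group pair without Root CA coverage; the `Contractors` group and the `Contractor Certificate` profile are constructed to show a failing design.

```python
"""Consistency check for a certificate-profile design table (added example).

This is illustrative code, not Intune's own tooling. It encodes the guide's
note that every user group targeted for a SCEP certificate profile must also
receive a Trusted Root certificate profile, and flags any platform/group pair
that a SCEP profile targets without matching Root CA coverage.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CertProfile:
    type: str                 # "Root CA", "SCEP" or "PFX", as in the design table
    name: str
    platforms: frozenset      # device platforms the profile is deployed to
    groups: frozenset         # user groups the profile is targeted at


def root_ca_coverage(profiles):
    """Set of (platform, group) pairs that receive a Trusted Root profile."""
    covered = set()
    for p in profiles:
        if p.type == "Root CA":
            covered.update((plat, grp) for plat in p.platforms for grp in p.groups)
    return covered


def find_scep_gaps(profiles):
    """Return sorted (scep_profile, platform, group) triples lacking Root CA coverage.

    An empty list means the design satisfies the trusted-root prerequisite."""
    covered = root_ca_coverage(profiles)
    gaps = []
    for p in profiles:
        if p.type != "SCEP":
            continue
        for plat in p.platforms:
            for grp in p.groups:
                if (plat, grp) not in covered:
                    gaps.append((p.name, plat, grp))
    return sorted(gaps)


MOBILE = frozenset({"Android", "iOS", "Windows mobile"})

# The design exactly as documented in the guide's example table.
GUIDE_DESIGN = [
    CertProfile("Root CA", "Corporate Root CA", MOBILE, frozenset({"Corporate", "BYOD"})),
    CertProfile("SCEP", "User Certificate", MOBILE, frozenset({"Corporate", "BYOD"})),
]

# Constructed variant: a SCEP profile for a hypothetical "Contractors" group
# that nobody added to the Root CA profile's targeting.
FLAWED_DESIGN = GUIDE_DESIGN + [
    CertProfile("SCEP", "Contractor Certificate", frozenset({"iOS"}), frozenset({"Contractors"})),
]

if __name__ == "__main__":
    for label, design in (("guide", GUIDE_DESIGN), ("flawed", FLAWED_DESIGN)):
        print(label, find_scep_gaps(design) or "no gaps")
```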

Wi-Fi profile

Wi-Fi Profiles are used to automatically connect a mobile device to a wireless network. Intune supports deploying
Wi-Fi profiles to all supported platforms.
Learn more about how Intune supports Wi-Fi profiles.
Below is an example of a design for a Wi-Fi profile:

TYPE | PROFILE NAME | DEVICE PLATFORM | USE CASES
Wi-Fi | Asia Wi-Fi profile | Android | Corporate, BYOD Asia region
Wi-Fi | North America Wi-Fi profile | Android, iOS, Windows 10 Mobile | Corporate, BYOD North America region

VPN profile

VPN profiles let users securely access your network from remote locations. Intune supports VPN profiles from
native mobile VPN connections and third-party vendors.
Learn more about VPN profiles and vendors supported by Intune.
Below is an example of documenting the design of a VPN profile.

TYPE | PROFILE NAME | DEVICE PLATFORM | USE CASES
VPN | VPN Cisco AnyConnect Profile | Android, iOS, Windows 10 Mobile | Corporate, BYOD North America and Germany
VPN | Pulse Secure | Android | Corporate, BYOD Asia region

Email profile

Email profiles allow an email client to be set up automatically with connection information and email
configuration. Intune supports email profiles on some devices.
Learn more about email profiles and what platforms are supported.
Below is an example of documenting the design of email profiles:

TYPE | PROFILE NAME | DEVICE PLATFORM | USE CASES
Email profile | iOS email profile | iOS | Corporate Information worker, BYOD
Email profile | Android Knox email profile | Android Knox | BYOD

Apps
Intune supports delivering apps to the users or devices in multiple ways. The type of application delivered could be
software installer apps, apps from a public app store, external links, or managed iOS apps. In addition to individual
app deployments, volume-purchased apps can be managed and deployed through the volume-purchase programs
for iOS and Windows. Below is more information about how Intune supports apps and the volume purchase
programs.
Learn more about types of apps.
Learn more about the iOS Volume Purchase Program for Business (VPP).
Learn more about Windows Store for Business.
App type requirements
Since apps can be deployed to users and devices, it's recommended to decide which applications will be managed
by Intune. While gathering the list, try to answer the following questions:
Do the apps require integration with cloud services?
Will all apps be available to BYOD users?
What are the deployment options available for these apps?
Does your company need to provide access to Software as a Service (SaaS) app data for its partners?
Do the apps require internet access from users' devices?
Are the apps publicly available in an app store, or are they custom Line of Business Apps?

TIP
Check out the different types of applications that Intune supports.

App protection policies


App protection policies minimize data loss by defining how the application manages the corporate data. Intune
supports app protection policies for any application built to function with mobile app management. When
designing the app protection policy, you need to determine what restrictions you will place on corporate data in a
given app. It's recommended to review how app protection policies work. Below is an example of how to document
the existing applications and what protection is needed.

APPLICATION | PURPOSE | PLATFORMS | USE CASE | APP PROTECTION POLICY
Outlook mobile | Available | iOS | Corporate - Executives | Cannot be jailbroken, encrypt files
Word | Available | iOS, Android - Samsung Knox, non-Knox, Windows 10 mobile | Corporate, BYOD | Cannot be jailbroken, encrypt files

Compliance policies
Compliance policies determine whether a device conforms to certain requirements. Intune uses compliance
policies to determine if a device is considered compliant or non-compliant. The compliance status can then be used
to restrict access to company resources. If conditional access is required, it is recommended to design a device
compliance policy. Refer to requirements and use cases to determine how many device compliance policies are
needed and which user groups are the target user groups. Additionally, you need to determine how long a device
can be offline without checking in before it's considered non-compliant.
Below is an example of how to design a compliance policy:
POLICY NAME | DEVICE PLATFORM | SETTINGS | TARGET GROUP
Compliance policy | iOS, Android - Samsung Knox, non-Knox, Windows 10 mobile | PIN - required, cannot be jailbroken | Corporate, BYOD

Conditional access policies


Conditional Access is used to allow only compliant devices to access company resources. Intune works with the
entire Enterprise Mobility + Security (EMS) suite to control access to company resources. You'll need to determine if
conditional access is required, and what must be secured.
Learn more about Conditional Access.
For online access, determine what platforms, and user groups will be targeted by conditional access policies.
Additionally, you need to determine whether you need to install/configure the Intune service-to-service connector
for Exchange Online or Exchange on-premises.
Learn more about how to install and configure the Intune service-to-service connectors:
Exchange Online
Exchange On-premises
Here's an example of how to document conditional access policies:

SERVICE | PLATFORMS FOR MODERN AUTHENTICATION | BASIC AUTHENTICATION | USE CASES
Exchange online | iOS, Android | Block non-compliant devices on platforms supported by Intune | Corporate, BYOD
SharePoint online | iOS, Android | - | Corporate, BYOD
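The compliance policy and conditional access designs above can be checked against a device inventory before rollout. The following is an added example (not Intune's evaluation engine or any Microsoft code) that models the example compliance policy, a constructed 30-day offline check-in window, and the "block non-compliant devices" design for the two services in the table over a constructed inventory; Knox and non-Knox Android are folded into a single `Android` platform, and the device names, the `Contractors` group and the `Intranet wiki` service are constructed.

```python
"""Model of compliance evaluation feeding a conditional access decision.

Added, illustrative example: it is not Intune's evaluation engine. It encodes
the guide's example compliance policy (PIN required, not jailbroken), a
constructed 30-day offline check-in window, and the conditional access design
("block non-compliant devices") for Exchange online and SharePoint online.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Device:
    name: str
    platform: str            # "iOS", "Android" or "Windows 10 mobile"
    group: str               # "Corporate" or "BYOD"
    pin_set: bool
    jailbroken: bool
    last_checkin: datetime


@dataclass(frozen=True)
class CompliancePolicy:
    platforms: frozenset
    target_groups: frozenset
    require_pin: bool = True
    block_jailbroken: bool = True
    max_offline: timedelta = timedelta(days=30)   # constructed design value


def evaluate_compliance(device, policy, now):
    """Return ("compliant" | "noncompliant" | "not_targeted", [reasons]).

    A device that has not checked in within max_offline is treated as
    non-compliant even if its last reported settings were fine."""
    if device.platform not in policy.platforms or device.group not in policy.target_groups:
        return "not_targeted", []
    reasons = []
    if policy.require_pin and not device.pin_set:
        reasons.append("pin_missing")
    if policy.block_jailbroken and device.jailbroken:
        reasons.append("jailbroken")
    if now - device.last_checkin > policy.max_offline:
        reasons.append("stale_checkin")
    return ("compliant" if not reasons else "noncompliant"), reasons


# Services the guide's conditional access design covers.
CA_SERVICES = frozenset({"Exchange online", "SharePoint online"})


def access_decision(device, service, policy, now):
    """Apply the conditional access design: only compliant devices get access.

    A device with no applicable compliance policy is blocked by this model;
    whether such devices should count as compliant is a design decision to
    make explicitly rather than leave to defaults."""
    if service not in CA_SERVICES:
        return "allow", "service not governed by conditional access"
    status, reasons = evaluate_compliance(device, policy, now)
    if status == "compliant":
        return "allow", "compliant"
    return "block", ", ".join(reasons) if reasons else status


def evaluate_inventory(devices, policy, service, now):
    """Map each device name to its allow/block decision for one service."""
    return {d.name: access_decision(d, service, policy, now)[0] for d in devices}


# The guide's example compliance policy, with Android variants folded together.
POLICY = CompliancePolicy(
    platforms=frozenset({"iOS", "Android", "Windows 10 mobile"}),
    target_groups=frozenset({"Corporate", "BYOD"}),
)

NOW = datetime(2017, 6, 19, tzinfo=timezone.utc)   # fixed clock for the example

# Constructed inventory: each device exercises one outcome.
INVENTORY = [
    Device("exec-iphone", "iOS", "Corporate", True, False, NOW - timedelta(days=2)),
    Device("byod-android", "Android", "BYOD", False, False, NOW - timedelta(days=1)),
    Device("field-phone", "Windows 10 mobile", "Corporate", True, False, NOW - timedelta(days=45)),
    Device("rooted-android", "Android", "BYOD", True, True, NOW - timedelta(hours=3)),
    Device("contractor-phone", "iOS", "Contractors", True, False, NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(dev.name, *access_decision(dev, "Exchange online", POLICY, NOW))
```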

Next Section
The next section provides guidance on the Intune implementation process.
Intune implementation
6/19/2017

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

During the onboarding phase, you'll implement Intune into your production environment. The implementation
process will consist of setting up and configuring Intune and external dependencies (if required), based on your
use case requirements that were reviewed in previous sections of this guide.
The following section provides an overview of the Intune implementation process that includes requirements and
high-level tasks.

TIP
Check Additional resources for more information about the Intune implementation process.

Intune requirements
The main Intune standalone requirements are provided below:
EMS/Intune subscription
Office 365 subscription (for Office apps and MAM policy managed apps)
Apple APNs Certificate (to enable iOS device platform management)
Azure AD Connect (for directory synchronization)
Intune On-Premises Connector for Exchange (for CA for Exchange On-Premises, if needed)
Intune Certificate Connector (for SCEP certificate deployment, if needed)

TIP
You can find more information about Intune standalone requirements here.

Intune implementation process


Overview of implementation tasks
Here's an overview of each task when implementing Intune.
Task 1: Add Intune subscription
As identified in the previous requirements section, an EMS or Intune subscription is required. If your organization
does not have an EMS or Intune subscription, please contact Microsoft or your Microsoft Account Team regarding
your interest in purchasing Enterprise Mobility + Security (EMS) or Intune.
Learn more about how to buy Microsoft Intune.
Task 2: Add Office 365 subscription
This step is optional. As identified in the previous requirements section, an Office 365 subscription is required if
you plan to use Exchange Online and manage Office mobile apps with MAM policy. If your organization does not
have an Office 365 subscription, please contact Microsoft or your Microsoft account team regarding your interest
in purchasing Office 365.
Learn more about how to buy Office 365.
Task 3: Add users and groups in Azure AD
You may need to add users or security groups in AD or AAD based on your Intune deployment use case scenarios
and requirements. You should review your current users and security groups in Active Directory or Azure Active
Directory and determine if they fully meet your needs. New users and security groups are most commonly added
in Active Directory and synchronized into Azure Active Directory via Azure AD Connect.
Learn more about how to add users/groups in Intune.
Task 4: Assign Intune and Office 365 user licenses
All users that will be targeted for EMS/Intune and Office 365 rollout will need to have a license assigned to them.
EMS/Intune and Office 365 license assignment can be done in the Office 365 Admin Center Portal.
Learn more about how to assign Intune licenses.
Task 5: Set Mobile Device Management Authority to Intune
Before you can begin to set up, configure, manage and enroll devices using Intune, you must set the Device
Management Authority to Intune. Setting the Device Management Authority task is completed in the Intune Admin
Portal, Admin workspace.
Learn more about how to set the Device Management Authority.
Task 6: Enable device platforms
By default, in the Intune admin console, most device platforms are enabled, except for Apple devices (iOS and Mac).
Before iOS devices can be enrolled and managed in Intune, the device platform must be enabled. Enabling the iOS
device platform is a three-step process: create the APNs certificate, download it, and upload the APNs certificate
into Intune.
Learn more about how the iOS and Mac device management setup works.
Task 7: Add and deploy terms and conditions policies
Microsoft Intune supports adding and deploying terms and conditions policies. Adding and deploying terms and
conditions policies are completed in the Intune Admin Portal, Policy workspace. Add terms and conditions policies
as appropriate and deploy to targeted groups based on your Intune deployment use cases and requirements.
Learn more about how to add and deploy terms and conditions policies.
Task 8: Add and deploy configuration policies
Microsoft Intune supports adding and deploying two types of Configuration policies, General and Custom. Adding
and deploying Configuration policies are completed in the Intune Admin Portal, Policy workspace. Add the
Configuration policies as appropriate and deploy to targeted groups based on your Intune deployment use cases
and requirements.
Learn more about how to add and deploy configuration policies.
Task 9: Add and deploy resource profiles
Microsoft Intune supports Email, Wi-Fi and VPN profiles. Adding and deploying profiles are completed in the
Intune Admin Portal, Policy workspace. Add Email/Wi-Fi/VPN profiles as appropriate and deploy to targeted
groups based on your Intune deployment use cases and requirements.
Learn more about enabling access to company resources with Intune.
Task 10: Add and deploy apps
Microsoft Intune supports the deployment of Web, LOB and Public Store apps. In addition, managing apps that
have integrated the Intune SDK by associating them with MAM policies is supported. Adding and deploying apps
are completed in the Intune Admin Portal, App workspace. Adding MAM policies is completed in the Intune
Admin Portal, Policy workspace. Add apps as appropriate and deploy to targeted groups based on your Intune
deployment use cases and requirements.
Learn more about adding and deploying applications.
Task 11: Add and deploy compliance policies
Microsoft Intune supports Compliance policies. Adding and deploying Compliance policies are completed in the
Intune Admin Portal, Policy workspace. Add Compliance policies as appropriate and deploy to targeted groups
based on your Intune deployment use cases and requirements.
Learn more about compliance policies.
Task 12: Enable Conditional Access Policies
Microsoft Intune supports Conditional Access for Exchange Online and On-premises, SharePoint Online, Skype for
Business Online and Dynamics CRM Online. You enable Conditional Access policies in the Intune Admin Portal,
Policy workspace. Enable and configure Conditional Access as appropriate based on your Intune deployment use
cases and requirements.
Learn more about conditional access.
Task 13: Enroll devices
Intune supports iOS, macOS, Android, Windows desktop and Windows mobile device platforms. Enroll mobile
device platforms as appropriate, based on your Intune deployment use cases and requirements.
Learn more about how to enroll devices.

TIP
Check out this Microsoft Virtual Academy Intune session module for more information on the Intune implementation
process.

Next Section
The next section provides guidance on testing and validating your Intune deployment.
Intune testing and validation
6/19/2017


The testing phase takes place during and after the implementation phase. You will need test accounts, groups,
and devices for testing all required IT (admin) and end user (use case) scenarios previously identified.
It's recommended to incorporate your IT support/helpdesk staff in the testing phase so that support
documentation is created, and the IT support/helpdesk staff become comfortable supporting the product. If a
component or scenario does not function based on the use cases, make sure to document the necessary changes
and include the reason a change was made.

Before you begin


It's recommended to document the following:
Test criteria: Identifies the benchmarks to be measured against.
Design components: Each design component must be covered by at least one test criterion.
If a design component is not covered by at least one test criterion that aligns to a requirement or scenario,
consider whether the design component is required at all. In addition, make sure to have the following items:
Accounts: The accounts used in testing should be test accounts that are licensed for EMS and Office 365 to
test all use case scenarios.
Devices: The devices used at this point should be test devices that could potentially be wiped or reset to
factory defaults.
Integration components: All integration components (Certificate Connector, Intune service to service
connector for hosted Exchange, and Intune on-premises Exchange connector) should be installed and
configured if needed.
Design changes could be needed to accommodate unforeseen difficulties. In addition, all design changes should be
fully documented with the reason for each change. Here's an example to illustrate what a change could be:
You might realize that you don't meet the requirements of Network Device Enrollment Service (NDES), and you
also learn that the VPN and Wi-Fi profiles can be configured with a root CA satisfying the same requirements
without an NDES implementation.
You might experience challenges or issues that require technical guidance, or specialized troubleshooting during
the testing and validation process. It's recommended to seek assistance through the Microsoft support channels.
Learn how to get Intune support:
General troubleshooting tips for Microsoft Intune.
Learn how to get support for Microsoft Intune.
Contact assisted phone support for Microsoft Intune
Functional validation testing
Functional validation consists of testing each component and configuration to determine if it is working correctly.
An example of validation testing is in the table below.

Use case validation testing


Use case validation testing should be performed to verify the scenarios are complete and functional. There are two
types of use case scenarios, IT admin and end user.
IT Admin
IT Admin validation testing should be performed to validate that Administrative action performed on a device or
user functions correctly. Below is an example of an IT admin end-to-end validation scenario.

End user
End user validation testing should be performed to validate that the end user experience is as expected and
presented correctly in all user communications. It is important to validate the end user experience is correct as
failure to validate can lead to lower adoption rates and higher volume of helpdesk calls.
Next Steps
Now that you have tested and validated your Intune functional and use case scenarios, you're ready for your
Intune production rollout. Refer to Additional resources for more information.
Additional resources for planning your Intune
deployment
6/19/2017


Templates
Microsoft Excel templates for the tables used in the planning guide are available for download.
Here's a list of table templates for each section.

DEPLOYMENT PLANNING | DESIGN & IMPLEMENTATION | TEST & VALIDATION
Deployment goals | Current environment | Functional validation testing
Deployment objectives | Devices | IT admin scenario validation testing
Deployment challenges | Terms & conditions | End-user scenario validation testing
Use-case scenarios | Configuration policy | -
Use-case scenario requirements | Certificate profile | -
Rollout plan | Wi-Fi profile | -
Rollout communication plan | VPN profile | -
- | Email Profile | -
- | Applications | -
- | Compliance policy | -
- | Conditional access policy | -

Links
Check out these resources for additional information that may be helpful during the Intune deployment planning,
design, and implementation process.
Microsoft Intune documentation - The full set of Intune documentation.
Intune blog - Posts to help you understand how Intune fits into the larger Enterprise Mobility picture.
Microsoft Trust Center - Learn Microsoft's approach to security, privacy, compliance, and transparency in all
Microsoft cloud products and services.
Intune User Voice - Want to request a feature or vote with other customers for features? Provide feedback
on Intune through User Voice. We're listening.
Enrollment guide - A set of docs you can use as is or modify as part of your communication plan with your
end users to help them understand what it means to have their personal device enrolled in Intune.
Intune migration guide
6/19/2017


A successful migration to Intune starts with a solid plan that factors in the current mobile device management
(MDM) environment, business goals and technical requirements. Additionally, you need to have the key
stakeholders who will support and collaborate on your migration plan.
The purpose of this guide is to step you through the various details involved in migrating from a third-party MDM
provider to Intune.

What's included in this guide?


This guide includes two phases, both of which include tasks, strategies, and tactical guidance that will help you step
through the end-to-end process of migrating to Intune MDM.
Phase 1: Prepare Intune for Mobile device management
Assess your MDM migration requirements
Basic setup
Configure device and app management policies
Configure app protection policies
Special migration considerations
Phase 2: Migration campaign
Communication Plan
Drive end-user adoption with conditional access
Typical Migration Cycle
Monitoring migration
Post migration
Assumptions
You've already evaluated Intune in a proof of concept (PoC) environment, and have decided to use it as the
MDM solution in your organization.
You are already familiar with Intune and its features.

NOTE
Check out the Intune evaluation guide, if you want to get more familiar with Intune before you migrate.

Before you begin


It's important to recognize that your new Intune deployment might be different from your old MDM deployment.
Unlike traditional MDM services, Intune centers on identity-driven access control, and so does not require a
network proxy appliance to control access to corporate data from mobile devices outside the organization's
network perimeter. Microsoft offers solutions to secure data services within the cloud itself via a suite of tightly
integrated cloud services, collectively referred to as the Enterprise Client + Security offering.
Review the common ways to use Intune.

Next steps
Phase 1: Prepare Intune for mobile device management
Phase 1: Prepare Intune for mobile device
management (MDM)
6/19/2017


Before diving into the details of setting up Intune, let's review the mobile device management requirements of
your organization. It might be helpful to run reports of active users in your current MDM provider to identify the
critical user groups, then you can begin addressing the questions under the Assess MDM requirements section.

Assess MDM requirements


What kinds of devices do you need to manage?
Which platforms do you need to support?
Are the devices you need to support corporate or BYOD?
What kind of connectivity is used? Wi-Fi, cellular, VPN?
What do your users need to do on managed devices?
Do you need to provision apps to your end-users?
Do you use custom line-of-business apps? Or do you only need public store apps?
Do you need to provision email accounts?
What kinds of users?
How many users will use a single device?
What Terms of Use do you need?
Make sure to involve your legal department early in this.
What localization is required?
Are the users familiar with technology and IT in general?
What is your device security policy?
Do you need device-level encryption?
Device passcode/pin code lengths?
Do you need to disable device features, or restrict certain device behaviors?
You can control a variety of platform-specific settings with device configuration profiles, for example:
Disable camera, Lock to single-app mode.
What kinds of authentication must you support?
If you need cert-based authentication, what kinds of certificates must be provisioned?
Intune can provision certificates with resource access profiles for enrolled devices.
What kind of Public Key Infrastructure (PKI) do you need to support?
Do you need to support Virtual Private Network (VPN) at the device or app level?
Intune can provision VPN configurations for third-party VPN providers.
Can temporary exceptions be made for certain requirements to avoid downtime? Or must devices with access
always comply with all security requirements?

Additional information
For more detailed examples, review these case studies from different industry sectors to see how organizations
assessed their requirements for mobile device management.

Next steps
Basic Setup
Basic setup
6/19/2017


After you assess your environment, it's time to set up Intune.

External dependencies for an Intune deployment


Identity
Intune requires Azure Active Directory (AAD) as the identity and user grouping provider.
Learn more about identity requirements.
Learn more about directory synchronization requirements.
Learn more about multi-factor authentication requirements.
Learn more about planning your user and device groups.
Learn how to create user and device groups.
If your organization is already using Office 365, it's important that Intune uses the same Azure Active Directory
environment.
PKI (optional)
If you're planning to use certificate-based authentication for VPN, Wi-Fi, or e-mail profiles with Intune, you'll need
to make sure that you have a supported PKI infrastructure in place, ready to create and deploy certificate profiles.
More information about configuring certificates in Intune is below.
How to configure the certificate infrastructure for SCEP.
How to configure the certificate infrastructure for PFX.

Task list for an Intune Setup


Task 1: Intune subscription
Before you can migrate to Intune, you first need an Intune subscription.
You can visit this page, which gives you instructions on how to:
Create a new Intune subscription linked to a new AAD tenant.
Link the Intune subscription by signing into an existing AAD tenant.
Task 2: Assign Intune user licenses
Learn how to assign Intune user licenses.
If you have created a new Azure Active Directory tenant, learn how to create new users or sync users from
your on-premises Active Directory (AD).
Task 3: Set your MDM authority to Intune
Intune can be managed through the Azure portal or the Configuration Manager Current Branch console. Unless
you need to integrate Intune with a Configuration Manager Current Branch deployment, it is recommended to
manage Intune from the Azure Portal.
Set your MDM authority to Intune to enable the Intune Azure Portal. Using a different MDM authority allows
Intune to transfer MDM management to alternate Microsoft management consoles. These cases are uncommon.

IMPORTANT
If you are transferring your mobile device management to Intune for the first time, you should set the MDM authority to
Intune.

Learn how to set the mobile management authority.

Next step
Configure device and app management policies
Configure device compliance and app management
policies
6/19/2017


The main goal when migrating to Intune is to have all devices enrolled, and compliant with its policies. Device
policies not only help you to manage corporate-owned single-user devices, but also personal (BYOD), and shared
devices such as kiosks, point-of-sale machines, tablets shared by multiple students in a classroom, or user-less
devices (iOS only).
Each device platform may offer different settings, but Intune device policies work with each device platform by
providing the following mobile device management capabilities:
Regulate numbers of devices each user enrolls.
Manage devices settings (e.g. device-level encryption, password length, camera usage).
Deliver apps, email profiles, VPN profiles, etc.
Evaluate device-level criteria for security compliance policies.

IMPORTANT
Device management policies are not assigned directly to individual devices or users, but instead are assigned to user groups.
The policies may be directly applied to a user group, and thereby to the user device, or the policies may be applied to a
device group, and thereby to group members.

Task list for device compliance policies


Task 1: Add device groups (optional)
You can create device groups when you need to perform a variety of administrative tasks based on device identity
instead of user identity.
Device groups are useful for managing devices without dedicated users, such as kiosk devices, or devices shared by
shift workers or assigned to a specific location.
By configuring device groups ahead of device enrollment, you can use device categories to auto-group
devices upon enrollment so that they receive their group's device policies automatically. Get started with groups.
Task 2: Use resource access profiles (Wi-Fi, VPN, and email certificates)
Resource access profiles provision certificates and access configurations to enrolled devices.
As previously discussed in the Assess MDM requirements section, if you are using certificate-based authentication,
configure certificates.
Task 3: Create and deploy device configuration profiles
You need to create a device configuration profile to enforce device-level settings, for example: disable the camera or
app store, configure single-app mode, home screen, etc.
Learn about device profiles.
Direct import of iOS configuration profiles (optional)
Apple Configurator iOS Profiles (iOS 7.1 and later): If your existing MDM solution uses Apple
Configurator profiles (.mobileconfig files), Intune can directly import them as custom configuration policies.
iOS Mobile Application Configuration policies: If your existing MDM solution uses iOS Mobile
Application Configuration policies, Intune can directly import them as long as they meet the XML format
specified by Apple for property lists.
Learn how to add a custom policy for iOS
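Before importing an existing Apple Configurator profile as a custom policy, it is worth checking that the .mobileconfig file is a well-formed property list with the payload keys Apple's configuration profile format requires. The following Python validator is an added example, not code from the page or from Intune; the sample profile, its identifiers and UUIDs are constructed, and the hypothetical `validate_mobileconfig` function only checks structure (parseable plist, `PayloadType` of `Configuration`, required keys and unique, well-formed UUIDs on every payload), not whether Intune accepts a given payload type.

```python
import plistlib
import uuid
from typing import Dict, List, Set
from xml.parsers.expat import ExpatError

# Keys every payload dictionary in an Apple configuration profile must carry.
REQUIRED_PAYLOAD_KEYS = ("PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID")

# Constructed sample profile (hypothetical identifiers and UUIDs, not from any real deployment).
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.restrictions</string>
  <key>PayloadUUID</key><string>9C2B5B1A-1111-2222-3333-444455556666</string>
  <key>PayloadDisplayName</key><string>Example restrictions</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.restrictions.appaccess</string>
      <key>PayloadUUID</key><string>1D2E3F40-AAAA-BBBB-CCCC-DDDDEEEEFFFF</string>
      <key>allowCamera</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""


def _check_payload(payload: Dict, label: str, seen_uuids: Set[str]) -> List[str]:
    """Check one payload dictionary for the required keys and a unique, well-formed UUID."""
    problems = [f"{label}: missing {key}" for key in REQUIRED_PAYLOAD_KEYS if key not in payload]
    if not isinstance(payload.get("PayloadVersion", 1), int):
        problems.append(f"{label}: PayloadVersion must be an integer")
    raw_uuid = payload.get("PayloadUUID")
    if raw_uuid is not None:
        try:
            normalized = str(uuid.UUID(str(raw_uuid))).upper()
        except ValueError:
            problems.append(f"{label}: PayloadUUID {raw_uuid!r} is not a valid UUID")
        else:
            if normalized in seen_uuids:
                problems.append(f"{label}: duplicate PayloadUUID {normalized}")
            seen_uuids.add(normalized)
    return problems


def validate_mobileconfig(data: bytes) -> List[str]:
    """Return a list of problems; an empty list means the profile is structurally sound."""
    try:
        profile = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        return [f"Not a parseable property list: {exc}"]
    if not isinstance(profile, dict):
        return ["Top-level plist object must be a dictionary"]

    problems: List[str] = []
    if profile.get("PayloadType") != "Configuration":
        problems.append("Top-level PayloadType must be 'Configuration'")
    seen: Set[str] = set()
    problems += _check_payload(profile, "profile", seen)

    content = profile.get("PayloadContent")
    if not isinstance(content, list) or not content:
        problems.append("PayloadContent must be a non-empty array of payload dictionaries")
        return problems
    for i, payload in enumerate(content):
        if not isinstance(payload, dict):
            problems.append(f"PayloadContent[{i}] is not a dictionary")
            continue
        problems += _check_payload(payload, f"PayloadContent[{i}]", seen)
    return problems


if __name__ == "__main__":
    for problem in validate_mobileconfig(SAMPLE_MOBILECONFIG) or ["profile OK"]:
        print(problem)
```

Run it against each exported .mobileconfig before creating the custom policy; a non-empty result points at the payload that will fail import rather than leaving you to guess from a generic error in the console.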
Task 4: Create and deploy device compliance policies (optional)
Device compliance policies evaluate security-oriented settings and provide reporting that shows whether
devices are compliant with corporate standards. They evaluate security-oriented factors such as:
PIN length
Jail-broken status
OS version
See the following resources for device compliance settings:
Learn about device compliance policies.
Learn how to create a device compliance policy.
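To make the three factors above concrete, here is an added Python example (not Intune code, and not the page's) that evaluates a constructed device inventory against a hypothetical policy and produces the per-device report a compliance policy is meant to give you. The policy fields, device names and version strings are assumptions; the one subtlety worth seeing is the OS version comparison, which must be numeric and must treat `10.3` as satisfying a `10.3.0` minimum.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CompliancePolicy:
    """Hypothetical compliance settings mirroring the factors listed above."""
    min_pin_length: int = 6
    block_jailbroken: bool = True
    # Minimum OS version per platform, e.g. {"ios": "10.3", "android": "6.0"}.
    min_os_version: Dict[str, str] = field(default_factory=dict)


@dataclass
class Device:
    name: str
    platform: str
    os_version: str
    pin_length: int          # 0 means no PIN is set
    jailbroken: bool


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.3.1 (14E304)' into (10, 3, 1); the build suffix in parentheses is ignored."""
    numbers = re.findall(r"\d+", version.split("(")[0])
    return tuple(int(n) for n in numbers) or (0,)


def version_at_least(actual: str, minimum: str) -> bool:
    """Compare versions numerically, padding with zeros so '10.3' satisfies a '10.3.0' minimum."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    return a + (0,) * (width - len(a)) >= m + (0,) * (width - len(m))


def evaluate_device(device: Device, policy: CompliancePolicy) -> List[str]:
    """Return the list of failed checks; an empty list means the device is compliant."""
    failures: List[str] = []
    if device.pin_length < policy.min_pin_length:
        failures.append(f"PIN length {device.pin_length} is below the required {policy.min_pin_length}")
    if policy.block_jailbroken and device.jailbroken:
        failures.append("device is jail-broken or rooted")
    minimum = policy.min_os_version.get(device.platform.lower())
    if minimum and not version_at_least(device.os_version, minimum):
        failures.append(f"OS version {device.os_version} is below the required {minimum}")
    return failures


def compliance_report(devices: List[Device], policy: CompliancePolicy) -> Dict[str, List[str]]:
    """Map each device name to its failed checks, which is what a compliance report shows."""
    return {d.name: evaluate_device(d, policy) for d in devices}


def summarize(report: Dict[str, List[str]]) -> Dict[str, int]:
    """Count compliant and non-compliant devices for a dashboard-style summary."""
    compliant = sum(1 for failures in report.values() if not failures)
    return {"compliant": compliant, "non_compliant": len(report) - compliant}


# Constructed inventory (hypothetical device names and states).
SAMPLE_POLICY = CompliancePolicy(min_pin_length=6, block_jailbroken=True,
                                 min_os_version={"ios": "10.3.0", "android": "6.0"})
SAMPLE_DEVICES = [
    Device("iPhone-A", "ios", "10.3.1 (14E304)", 6, False),
    Device("iPhone-B", "ios", "9.3.5", 4, True),
    Device("iPad-C", "ios", "10.3", 6, False),
    Device("Pixel-D", "android", "7.0", 8, False),
]

if __name__ == "__main__":
    for name, failures in compliance_report(SAMPLE_DEVICES, SAMPLE_POLICY).items():
        print(name, "compliant" if not failures else "; ".join(failures))
```

A device fails on every check it misses, so the report lists all reasons at once rather than only the first; that is what lets a Help-desk tell a user exactly what to fix before re-checking.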
Task 5: Publish and deploy Apps
When using Intune MDM, you can provision apps by either requiring their automatic installation, or making them
available in the Company Portal.
Learn how to add apps.
Learn how to deploy apps.
Task 6: Enable device enrollment
Enrollment establishes management by provisioning control on the device. Learn how to get ready to enroll
corporate-owned devices and users' personal devices.

Next steps
Configure App Protection Policies (optional)
Configure app protection policies (optional)
6/19/2017 1 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

App protection policies allow you to encrypt apps, require a PIN when the app is accessed, block apps from running
on jail-broken or rooted devices, and apply many other protections. If a user's phone is lost or stolen, you can
selectively remote-wipe the corporate data while leaving the personal data intact by applying mobile app
protection policies.
App protection policies apply security at the app level and do not require device enrollment. They can be used
whether or not the devices are enrolled in Intune, and also with devices enrolled in a third-party MDM
provider.

App protection policies with LOB apps


You can also extend the mobile app protection policies to your line-of-business (LOB) apps by using the
Microsoft Intune App SDK or the Microsoft Intune App Wrapping Tool for both iOS and Android platforms.

How do app protection policies help during migration?


Migration requires removing devices from the old MDM provider and enrolling them into Intune. You should plan
for this and encourage your end-users to leave the old MDM provider and immediately enroll into Intune.
However, during the migration there may be users who delay completing the enrollment process and whose
devices are not managed by either MDM provider.
This period can leave your organization more vulnerable to device theft and corporate data loss if corporate
resource access is still allowed, and/or loss of user productivity if corporate resource access is blocked.
Intune can offer corporate data protection during the migration, so you still have security coverage for your
corporate data when there's no device-level management.
As you disable conditional access in the old MDM provider, users can still be productive while you on-board them
into Intune.

Task list for app protection policies


1. Create an app protection policy
2. Deploy a policy

Next steps
Special migration considerations
Special migration considerations
6/19/2017 1 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

There are special migration considerations which may be applicable depending on your existing MDM provider
environment.

Factory reset for Apple's Device Enrollment Program (DEP)


The Apple Device Enrollment Program (DEP) sets device configurations that cannot be removed by the end user. To
retain the advanced management features of DEP, the device must be returned to the out-of-box (new) state via
factory reset to enroll to Intune.
To continue using DEP to manage the devices in Intune, set up iOS device enrollment with Device Enrollment
Program.

Next steps
Phase 2: Migration campaign
Phase 2: Migration Campaign
6/19/2017 1 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

Organizations should choose the migration approach that is most suitable for their needs and adjust implementation
tactics based on their specific requirements. The remainder of this guide will equip you with the tools you need to
achieve the goal of getting your users' devices enrolled into Intune.

Keys to a successful migration


These are the key lessons learned when migrating from a third-party MDM provider to Intune:
Communication is key to minimizing end-user downtime and maintaining satisfaction.
Be sure to have specific and concrete migration instructions.
All managed devices must be un-enrolled from your existing MDM provider prior to enrolling in Intune.
Provide end-users with the existing MDM provider's guidance on how to un-enroll their devices.
Use a phased approach. Start with a small group of pilot users and incrementally add more groups of users
until you reach full-scale deployment.
Monitor the Help-desk load and enrollment success of each cycle. Leave time in the schedule to ensure
success criteria can be evaluated for each group before migrating the next. Your pilot deployment should
validate the following:
    Enrollment success and failure rates are within expectations.
    User productivity:
        Corporate resources such as VPN, Wi-Fi, email, and certificates are working.
        Provisioned apps are accessible.
    Data security:
        Compliance reporting
        Mobile app protections enforced
When you are satisfied with the first phase of migration, repeat the migration cycle (described below
under Typical migration cycle) for the next phase.
Repeat phased cycles until all users are migrated to Intune.
Ensure the Help-desk team is ready to support end-users throughout the migration campaign. Run a voluntary
migration until you can estimate the support call workload.
Don't set deadlines for enrollment until the remaining population can be handled by your Help-desk.
IMPORTANT
Do not configure both Intune and your existing third party MDM solution to apply access controls to resources such as
Exchange or SharePoint Online. Additionally, devices should only be enrolled in one solution at a time.

Next steps
Communication plan
Plan communications
6/19/2017 1 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

The communication plan is a key element in an Intune migration. You can follow the same communication plan for
each phase as previously discussed under the Keys to a successful migration section.

E-mail templates
Here's an example of how you could communicate the migration to your organization:
Email #1: Explain benefits, expectations, and schedule. Take this opportunity to showcase any other new
services whose access will be granted on Intune-managed devices.
Download the E-mail #1 template to use in your organization.
Email #2: Announce that services are now ready for access through Intune. Tell users to enroll now. Remind
users of the benefits and strategic reasons for the migration.
Download the E-mail #2 template to use in your organization.
Email #3: Give users a timeline before access is impacted. Again, remind users of the benefits and strategic
reasons for the migration. Email timing should use a sliding window to match the pipelining of phases. For example, in June
send email #1 to Phase 1 users, email #2 to Phase 2 users, and email #1 to Phase 3 users.
Download the E-mail #3 template to use in your organization.
After a certain period, you can begin enforcing compliance through conditional access policies and use compliance as a criterion
for access to corporate data.
For more information, see Drive end-user adoption with conditional access.

Additional communication templates


Intune has additional template resources to promote device enrollment to end-users:
Refer to How to educate your end users about Microsoft Intune for further guidance on enrollment steps per
mobile OS platform.
Download a customizable, end-user Intune enrollment template for IT administrators.

Next steps
Drive end-user adoption with conditional access
Drive end-user adoption with conditional access
6/19/2017 1 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

Enabling conditional access features with Intune, such as blocking email for un-enrolled devices, can help drive
enrollment and compliance, but they are not required for a migration to be successful. Your migration adoption
goals and security requirements should define what success looks like.

Migration campaign with conditional access


Here is a typical approach to enhancing a migration campaign with conditional access:
1. Set conditional access rules to be enforced for all users but specifically exclude the users who need to
migrate from the old MDM provider. You can create an Azure AD user group with all conditional access
excluded users.
2. As users migrate, remove them from the conditional access exclusion group.
3. After migration completes, configure all conditional access policies to block by default unless Intune allows
access.
Advantages
Provides access control for new user accounts or user accounts that were not managed by the previous
solution.
Provides a grace period for users of the previous solution to migrate.
Minimizes loss of productivity.
Disadvantages
Users of the previous solution could potentially access resources using un-managed devices until conditional
access is enabled for those users.

TIP
This is one approach among many. You may choose a simpler process that defers all conditional access until after every
phase has been instructed to enroll, or a stricter process that enforces conditional access from the very beginning and
requires full compliance for all access.

Learn more about conditional access.

Task list for conditional access


Task 1: Decide how you are going to implement conditional access
Common ways to use conditional access.
Task 2: Set up Intune conditional access
Choose one of the following options:
Configure conditional access in Azure Active Directory
Install on-premises Exchange connector with Intune
Set up app-based conditional access policies for Exchange Online
Set up app-based conditional access policies for SharePoint Online
Block apps that do not use modern authentication (ADAL)

Next steps
Typical migration cycle
Typical migration cycle
6/19/2017 1 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

It's common for an organization to start its Intune migration with a small pilot by targeting a subset of the
users in the IT department. Additionally, your organization may need to consider factors such as the group's
willingness for change, number of users, complexity, requirements, location, and business risk when
determining the migration time-frame.
Here's an example of how your target groups could be scheduled:

MIGRATION TARGETED GROUPS | TIME PERIOD 1 | TIME PERIOD 2 | TIME PERIOD 3 | TIME PERIOD 4 | ...
Limited Pilot: IT org (50 users) | Announce Plan | Instruct to enroll | Give deadline | Enforce conditional access |
Expanded Pilot: IT org (200 users) | | Announce Plan | Instruct to enroll | Give deadline | Enforce conditional access
Migration phase 1: Tech-savvy users (2000) | | | Announce Plan | Instruct to enroll | Give deadline
Migration phase 2: Eastern US | | | | Announce Plan | Instruct to enroll
All Regions | | | | | Announce Plan


Customer migration case study


Adatum Corporation
Check out how Adatum Corporation went through the process of migration from a third-party MDM provider
to Intune.

Monitoring migration
Microsoft Intune provides several ways that you can monitor your migration:
1. Intune user group views
2. Set of built-in reports, and
3. In-console alerts.
You should track how many users have enrolled devices after each phase so that you can:
Evaluate the effectiveness of your communication plan.
Estimate the impact of enforcing conditional access.
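The phase gate described under Keys to a successful migration (enrollment rates within expectations, Help-desk load, one MDM at a time), the exclusion-group bookkeeping from Migration campaign with conditional access, and the per-phase tracking above all reduce to a small amount of logic over a per-user tracker. The following Python is an added example (not Intune's API or reporting, and not from the page): the tracker rows, the contoso.example addresses and the threshold values are constructed assumptions, and the hypothetical `evaluate_phase` and `exclusion_group_updates` functions show what you would compute from a user group view or report export before deciding to migrate the next group.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class UserStatus:
    """One row of a constructed per-user migration tracker (hypothetical field names)."""
    upn: str
    phase: int
    enrolled_in_intune: bool
    unenrolled_from_old_mdm: bool
    helpdesk_tickets: int


@dataclass
class PhaseCriteria:
    """Success criteria the page leaves to you; these thresholds are assumed values."""
    min_enrollment_rate: float = 0.90
    max_tickets_per_user: float = 0.50


def evaluate_phase(users: List[UserStatus], phase: int, criteria: PhaseCriteria) -> Dict:
    """Gate the next phase on enrollment rate, Help-desk load and single-MDM enrollment."""
    cohort = [u for u in users if u.phase == phase]
    if not cohort:
        raise ValueError(f"no users assigned to phase {phase}")
    enrolled = [u for u in cohort if u.enrolled_in_intune]
    enrollment_rate = len(enrolled) / len(cohort)
    tickets_per_user = sum(u.helpdesk_tickets for u in cohort) / len(cohort)
    # Devices must be enrolled in only one MDM at a time: flag users who enrolled in
    # Intune without first un-enrolling from the previous provider.
    dual_enrolled = sorted(u.upn for u in enrolled if not u.unenrolled_from_old_mdm)
    ready = (enrollment_rate >= criteria.min_enrollment_rate
             and tickets_per_user <= criteria.max_tickets_per_user
             and not dual_enrolled)
    return {
        "phase": phase,
        "users": len(cohort),
        "enrollment_rate": enrollment_rate,
        "tickets_per_user": tickets_per_user,
        "dual_enrolled": dual_enrolled,
        "ready_for_next_phase": ready,
    }


def exclusion_group_updates(users: List[UserStatus], exclusion_group: Set[str]) -> Dict[str, List[str]]:
    """Reconcile the conditional access exclusion group against enrollment status.

    Users who have enrolled no longer need the exclusion and should be removed from the
    group; excluded users who are still un-enrolled are the window of exposure the
    Disadvantages list describes, so they are reported separately.
    """
    enrolled = {u.upn for u in users if u.enrolled_in_intune}
    return {
        "remove_from_exclusion": sorted(exclusion_group & enrolled),
        "still_exposed": sorted(exclusion_group - enrolled),
    }


# Constructed tracker rows (hypothetical users and addresses).
SAMPLE_USERS = [
    UserStatus("alice@contoso.example", 1, True, True, 0),
    UserStatus("bob@contoso.example", 1, True, False, 1),
    UserStatus("carol@contoso.example", 1, True, True, 0),
    UserStatus("dave@contoso.example", 1, False, False, 2),
    UserStatus("erin@contoso.example", 2, False, False, 0),
]
SAMPLE_EXCLUSION_GROUP = {u.upn for u in SAMPLE_USERS}

if __name__ == "__main__":
    print(evaluate_phase(SAMPLE_USERS, 1, PhaseCriteria()))
    print(exclusion_group_updates(SAMPLE_USERS, SAMPLE_EXCLUSION_GROUP))
```

In the sample, phase 1 is not ready to hand off: three of four users enrolled, but one of them is still enrolled in the old provider and the Help-desk load is above the assumed threshold; the reconciliation output tells you which accounts to drop from the exclusion group and which ones remain unmanaged and excluded at the same time.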

Post-migration
You'll need to retire the previous MDM provider and unsubscribe from the service after migrating to Intune.
Additionally, you'll need to remove any infrastructure that is no longer needed by following the MDM provider's
instructions.
Set up Intune
6/19/2017 1 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

The steps in this section set up your environment for mobile device management.
If you're currently using Microsoft System Center Configuration Manager to manage computers and servers, you
can extend Configuration Manager to manage mobile devices.

TIP
If you purchase at least 150 licenses for Intune in an eligible plan, you can use the FastTrack Center Benefit, which is a service
where Microsoft specialists work with you to get your environment ready for Intune. See FastTrack Center Benefit for
Enterprise Mobility + Security (EMS).

Checklist
STEPS | STATUS
1 Prerequisites - What you need and what to know before you start |
2 Sign in to Intune - Sign in to your trial subscription or create a new subscription to start managing your organization |
3 Configure a custom domain name - Use your company's domain name to manage Intune by updating your DNS registration |
4 Add users and synchronize AD - Connect Active Directory to synchronize users or add users to Intune |
5 Assign Intune licenses - Give users permission to use Intune |
6 Organize user and device groups - Use groups to organize deployments of policy, apps, and resources |
7 Add apps - Enable settings and apps that can be deployed to users |
8 Customize the Company Portal - Customize the Company Portal app that users see when working with Intune |
9 Enable mobile device enrollment - Enable Intune management of iOS, Windows, Android, and Mac devices |

Supported devices and browsers
6/19/2017 2 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

This article is for system administrators responsible for device management in the enterprise. For help installing
Intune on your phone, see using managed devices to get work done.
Before you start setting up Microsoft Intune, review the following requirements:
Supported devices and computers
Web browsers supported for using Intune
You should also familiarize yourself with Intune network bandwidth usage (classic console).

Intune supported devices


You can manage the following devices using Intune mobile device management:
Apple
Apple iOS 8.0 and later
Mac OS X 10.9 and later
Windows
PCs running Windows 10 (Home, Pro, Education, and Enterprise versions)
Windows Phone 8.1 and later
Windows 8.1 RT
PCs running Windows 8.1
Devices running Windows 10 IoT Enterprise (x86, x64)
Devices running Windows 10 IoT Mobile Enterprise
Windows Holographic & Windows Holographic Enterprise
Customers with Enterprise Management + Security (EMS) can also use Azure Active Directory (AAD) to
register Windows 10 devices.
Windows 7 and later PCs, with the exception of Windows 10 Home edition, can also be managed with the
Intune software client.
Google
Google Android 4.0 and later (including Samsung KNOX Standard 4.0 and higher)*
Google Android for Work (requirements)
*The following models of the Samsung Galaxy Ace phone cannot be managed by Intune as Samsung KNOX
Standard devices: SM-G313HU, SM-G313HY, SM-G313M, SM-G313MY, and SM-G313U. These devices are
managed as standard Android devices. See the Samsung KNOX website for more information.
For a full list of devices and management methods, see Intune supported devices.
Intune cannot be used to manage Windows Server operating systems.
Windows PC software client
An Intune software client can be deployed and installed on Windows PCs as an alternate enrollment method. This
functionality is only available using the Intune classic console. You can use the Intune software client to manage
Windows 7 and later PCs with the exception of Windows 10 Home edition.

Intune supported web browsers


Different administrative tasks require that you use one of the following administrative websites.
Office 365 portal
Intune portal
The following browsers are supported for these portals:
Microsoft Edge (latest version)
Microsoft Internet Explorer 11
Safari (latest version, Mac only)
Chrome (latest version)
Firefox (latest version)
Intune classic portal
Intune classic-only features such as Intune PC software client and integration with Mobile Threat Defense partners
are only available in the Intune classic portal (https://manage.microsoft.com). The classic Intune console requires
Silverlight browser support.
The following Silverlight browsers support the classic Intune console:
Internet Explorer 10 or later
Google Chrome (versions prior to version 42)
Mozilla Firefox with Silverlight enabled (Learn more)

NOTE
Microsoft Edge and mobile browsers are not supported for the Intune classic console because they do not support Microsoft
Silverlight.

Only users with service administrator permissions or tenant administrators with the global administrator role can
sign in to this portal. To access the administration console, your account must have a license to use Intune and a
sign-in status of Allowed.
Intune network bandwidth use
6/22/2017 5 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

This guidance helps Intune admins understand the network requirements for the Intune service. You can use this
information to understand bandwidth requirements and the IP address and port settings needed for your proxy configuration.

Average network traffic


This table lists the approximate size and frequency of common content that travels across the network for each
client.

NOTE
To ensure that computers and mobile devices receive the necessary updates and content from the Intune service, they must
be periodically connected to the Internet. The time taken to receive updates or content will vary, but as a guideline, they
should remain continuously connected to the Internet for at least 1 hour each day.

CONTENT TYPE | APPROXIMATE SIZE | FREQUENCY AND DETAILS
Intune client installation (the following requirements are in addition to the Intune client installation) | 125 MB. The size of the client download varies depending on the operating system of the client computer. | One time
Client enrollment package | 15 MB | One time. Additional downloads are possible when there are updates for this content type.
Endpoint Protection agent | 65 MB | One time. Additional downloads are possible when there are updates for this content type.
Operations Manager agent | 11 MB | One time. Additional downloads are possible when there are updates for this content type.
Policy agent | 3 MB | One time. Additional downloads are possible when there are updates for this content type.
Remote Assistance via Microsoft Easy Assist agent | 6 MB | One time. Additional downloads are possible when there are updates for this content type.
Daily client operations | 6 MB | Daily. The Intune client regularly communicates with the Intune service to check for updates and policies, and to report the client's status to the service.
Endpoint Protection malware definition updates | Varies. Typically 40 KB to 2 MB. | Daily. Up to three times a day.
Endpoint Protection engine update | 5 MB | Monthly
Software updates | Varies. The size depends on the updates you deploy. | Monthly. Typically, software updates release on the second Tuesday of each month. A newly enrolled or deployed computer can use more network bandwidth while downloading the full set of previously released updates.
Service packs | Varies. The size varies for each service pack you deploy. | Varies. Depends on when you deploy service packs.
Software distribution | Varies. The size depends on the software you deploy. | Varies. Depends on when you deploy software.

Ways to reduce network bandwidth use


You can use one or more of the following methods to reduce network bandwidth use for Intune clients.
Use a proxy server to cache content requests
You can use a proxy server that can cache content to reduce duplicate downloads and reduce the use of network
bandwidth by clients that request content from the Internet.
A caching proxy server receives requests for content from client computers on your network, retrieves that content
from the Internet, and can then cache both HTTP responses and binary downloads. The server uses the cached
information to answer subsequent requests from Intune client computers.
The following are typical settings to use for a proxy server that caches content for Intune clients.
SETTING | RECOMMENDED VALUE | DETAILS
Cache size | 5 GB to 30 GB | The value varies based on the number of client computers in your network and the configurations you use. To prevent files from being deleted too soon, adjust the size of the cache for your environment.
Individual cache file size | 950 MB | This setting might not be available in all caching proxy servers.
Object types to cache | HTTP, HTTPS, BITS | Intune packages are CAB files retrieved by Background Intelligent Transfer Service (BITS) download over HTTP.

For information about using a proxy server to cache content, see the documentation for your proxy server solution.
Use Background Intelligent Transfer Service on computers
Intune supports using Background Intelligent Transfer Service (BITS) on a Windows computer to reduce the
network bandwidth that is used during the hours that you configure. You can configure policy for BITS on the
Network bandwidth page of the Intune Agent policy.
To learn more about BITS and Windows computers, see Background Intelligent Transfer Service in the TechNet
Library.
Use BranchCache on computers
Intune clients can use BranchCache to reduce wide area network (WAN) traffic. The following operating systems
that are supported as clients also support BranchCache:
Windows 7
Windows 8.0
Windows 8.1
Windows 10
To use BranchCache, the client computer must have BranchCache enabled, and then be configured for distributed
cache mode.
By default, BranchCache and distributed cache mode are enabled on a computer when the Intune client is installed.
However, if the client already has Group Policy that disables BranchCache, Intune does not override that policy and
BranchCache remains disabled on that computer.
If you use BranchCache, you should communicate with other administrators in your organization who manage
Group Policy and Intune Firewall policy to ensure they do not deploy policy that disables BranchCache or Firewall
exceptions. For more about BranchCache, see BranchCache Overview.

Network communication requirements


You must allow network communication between the devices you manage (and the devices you use to administer your Intune
subscription) and the websites required for the cloud-based services.
Intune uses no on-premises infrastructure such as servers running Intune software, but there are options to use on-
premises infrastructure including Exchange and Active Directory synchronization tools.
To manage computers that are behind firewalls and proxy servers, you must set up the firewalls and proxy servers to
allow communications for Intune. To manage computers that are behind a proxy server, be aware that:
The proxy server must support both HTTP (80) and HTTPS (443) because Intune clients use both protocols.
Intune supports unauthenticated proxy servers.
You can modify proxy server settings on individual client computers, or you can use Group Policy settings to
change settings for all client computers that are located behind a specified proxy server.
Managed devices require configurations that let All Users access services through firewalls.
The following table lists the domains and IP addresses that the Intune client accesses:

DOMAINS | IP ADDRESS
portal.manage.microsoft.com | 40.86.181.86
m.manage.microsoft.com | 13.82.59.78, 13.74.184.100, 40.68.188.2, 13.75.42.6, 52.230.25.184
sts.manage.microsoft.com | 13.93.223.241, 52.170.32.182, 52.164.224.159, 52.174.178.4, 13.75.122.143, 52.163.120.84
Manage.microsoft.com | 104.40.82.191
i.manage.microsoft.com | 13.82.96.212
r.manage.microsoft.com | 52.169.9.87
a.manage.microsoft.com | 52.174.26.23
p.manage.microsoft.com | 40.83.123.72
EnterpriseEnrollment.manage.microsoft.com, EnterpriseEnrollment-s.manage.microsoft.com | 13.76.177.110
portal.fei.msua01.manage.microsoft.com, m.fei.msua01.manage.microsoft.com | 13.64.196.170
fei.msua01.manage.microsoft.com, portal.fei.msua01.manage.microsoft.com, m.fei.msua01.manage.microsoft.com | 40.71.34.120
fei.msua02.manage.microsoft.com, portal.fei.msua02.manage.microsoft.com, m.fei.msua02.manage.microsoft.com | 13.64.198.190
fei.msua04.manage.microsoft.com, portal.fei.msua04.manage.microsoft.com, m.fei.msua04.manage.microsoft.com | 13.64.188.173, 40.71.32.174
fei.msua05.manage.microsoft.com, portal.fei.msua05.manage.microsoft.com, m.fei.msua05.manage.microsoft.com | 13.64.197.181, 40.71.38.205
fei.amsua0502.manage.microsoft.com, portal.fei.amsua0502.manage.microsoft.com, m.fei.amsua0502.manage.microsoft.com | 13.64.191.182, 40.71.37.51
fei.msua06.manage.microsoft.com, portal.fei.msua06.manage.microsoft.com, m.fei.msua06.manage.microsoft.com | 40.118.250.246, 13.90.142.194
fei.amsua0602.manage.microsoft.com, portal.fei.amsua0602.manage.microsoft.com, m.fei.amsua0602.manage.microsoft.com | 13.64.250.226, 13.90.151.142
fei.msub01.manage.microsoft.com, portal.fei.msub01.manage.microsoft.com, m.fei.msub01.manage.microsoft.com | 52.169.155.165, 52.174.188.97
fei.amsub0102.manage.microsoft.com, portal.fei.amsub0102.manage.microsoft.com, m.fei.amsub0102.manage.microsoft.com | 52.178.190.24, 52.174.16.215
fei.msub02.manage.microsoft.com, portal.fei.msub02.manage.microsoft.com, m.fei.msub02.manage.microsoft.com | 40.69.69.27, 52.166.196.199
fei.msub03.manage.microsoft.com, portal.fei.msub03.manage.microsoft.com, m.fei.msub03.manage.microsoft.com | 40.69.71.164, 52.174.182.102
fei.msub05.manage.microsoft.com, portal.fei.msub05.manage.microsoft.com, m.fei.msub05.manage.microsoft.com | 40.69.78.145, 52.174.192.105
fei.msuc01.manage.microsoft.com, portal.fei.msuc01.manage.microsoft.com, m.fei.msuc01.manage.microsoft.com | 13.94.46.250, 52.163.119.15
fei.msuc02.manage.microsoft.com, portal.fei.msuc02.manage.microsoft.com, m.fei.msuc02.manage.microsoft.com | 13.75.124.145, 52.163.119.5
fei.msuc03.manage.microsoft.com, portal.fei.msuc03.manage.microsoft.com, m.fei.msuc03.manage.microsoft.com | 52.175.35.226, 52.163.119.6
fei.msuc05.manage.microsoft.com, portal.fei.msuc05.manage.microsoft.com, m.fei.msuc05.manage.microsoft.com | 52.175.38.24, 52.163.119.3
fef.msua01.manage.microsoft.com | 138.91.243.97
fef.msua02.manage.microsoft.com | 52.177.194.236
fef.msua04.manage.microsoft.com | 23.96.112.28
fef.msua05.manage.microsoft.com | 138.91.244.151
fef.msua06.manage.microsoft.com | 13.78.185.97
fef.msua07.manage.microsoft.com | 52.175.208.218
fef.msub01.manage.microsoft.com | 137.135.128.214
fef.msub02.manage.microsoft.com | 137.135.130.29
fef.msub03.manage.microsoft.com | 23.97.165.17
fef.msub05.manage.microsoft.com | 23.97.166.52
fef.msuc01.manage.microsoft.com | 52.230.19.86
fef.msuc02.manage.microsoft.com | 23.98.66.118
fef.msuc03.manage.microsoft.com | 23.101.0.100
fef.msuc05.manage.microsoft.com | 52.230.16.180
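Turning a table like the one above into firewall or proxy rules by hand is error-prone, and the page's own requirement (HTTP 80 and HTTPS 443 for every endpoint) is easy to half-apply. The following Python is an added example, not an Intune tool or code from the page: it parses an excerpt of the table (the rows quoted are taken from the page, the rest of the tooling is assumed), validates every address with the standard `ipaddress` module, merges domains that appear in more than one row, expands the result into one rule per domain, address and port, and reports any listed domain that a suffix-based proxy allow rule such as `.manage.microsoft.com` would not cover.

```python
import ipaddress
from collections import OrderedDict
from typing import Dict, List, Tuple

# Excerpt of the domain / IP address table above, used as sample input. Each row is one
# or more domain names followed by the IP address(es) the table lists for them.
ENDPOINT_TABLE = """
portal.manage.microsoft.com 40.86.181.86
m.manage.microsoft.com 13.82.59.78 13.74.184.100 40.68.188.2 13.75.42.6 52.230.25.184
sts.manage.microsoft.com 13.93.223.241 52.170.32.182
EnterpriseEnrollment.manage.microsoft.com EnterpriseEnrollment-s.manage.microsoft.com 13.76.177.110
fef.msua01.manage.microsoft.com 138.91.243.97
"""

# The page states that Intune clients use both HTTP (80) and HTTPS (443).
REQUIRED_PORTS = (80, 443)


def parse_endpoint_table(text: str) -> Dict[str, List[str]]:
    """Map each domain to its IP addresses, validating every address and merging repeats."""
    allowlist: Dict[str, List[str]] = OrderedDict()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        domains, addresses = [], []
        for token in tokens:
            try:
                # Anything that parses as an IP address is an address; the rest are names.
                addresses.append(str(ipaddress.ip_address(token)))
            except ValueError:
                domains.append(token.lower())
        if not domains or not addresses:
            raise ValueError(f"row must carry at least one domain and one IP address: {line!r}")
        for domain in domains:
            known = allowlist.setdefault(domain, [])
            for address in addresses:
                if address not in known:
                    known.append(address)
    return allowlist


def firewall_rules(allowlist: Dict[str, List[str]], ports=REQUIRED_PORTS) -> List[Tuple[str, str, int]]:
    """Expand the allowlist into (domain, ip, port) tuples, one per outbound rule."""
    return [(domain, ip, port)
            for domain, ips in allowlist.items()
            for ip in ips
            for port in ports]


def uncovered_domains(allowlist: Dict[str, List[str]], proxy_suffixes: List[str]) -> List[str]:
    """Domains that a suffix-based proxy allow rule (for example '.manage.microsoft.com') would miss."""
    suffixes = [s.lower() for s in proxy_suffixes]
    return [d for d in allowlist
            if not any(d == s.lstrip(".") or d.endswith(s) for s in suffixes)]


if __name__ == "__main__":
    table = parse_endpoint_table(ENDPOINT_TABLE)
    for domain, ip, port in firewall_rules(table):
        print(f"allow tcp {domain} ({ip}) port {port}")
    print("not covered by '.manage.microsoft.com':", uncovered_domains(table, [".manage.microsoft.com"]))
```

Prefer name-based allow rules where your proxy supports them and treat the expanded IP rules as the fallback for devices that cannot use the proxy: the published addresses can change, so re-run the parser against the current table and diff the output whenever the documentation is updated.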
Sign up or sign in to Intune
6/19/2017 1 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

This topic tells system administrators how they can sign up for an Intune account.
Before you can sign in or sign up for Intune, you'll need to determine whether your organization already has a
Microsoft Online Services work or school account, or if your organization has an Enterprise Agreement or
equivalent volume licensing agreement with Microsoft. A work or school account is provided when you sign a
volume licensing agreement with Microsoft or subscribe to other Microsoft cloud services such as Office 365.
If you already have a work or school account, you will be able to simply sign in with that account to add Intune to
your pre-existing subscription environment. Otherwise, you'll need to sign up to create a new account to use to
manage Intune for your organization.

WARNING
If you sign up for a new account, you cannot later use an existing work or school account to manage your subscription or
combine it with existing volume licensing agreements.

How to sign up or sign in to Intune


1. Visit the Intune Sign up page.
2. On the Sign up page, sign in or sign up to manage a new subscription of Intune.

Post sign up considerations


If you sign up for a new subscription, you'll receive an email message that contains your account information at the
email address that you provided during the sign up process. This email confirms your subscription is active.
After completing the sign up process, you will be directed to a page used to add users and assign them licenses
using the Office 365 admin center. If you will only have cloud-based accounts using your default onmicrosoft.com
domain name, then you can go ahead and add users and assign licenses at this point. However, if you will use your
organization's custom domain name or want to synchronize user account information from on-premises Active
Directory, then you can close that browser window and move on to step 2 of this quick start guide. You can also
learn more in About your initial onmicrosoft.com domain in Office 365.

TIP
The next time you sign in to Intune you'll automatically be directed to the Intune administration console.
Configure a custom domain name
6/19/2017

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

This topic tells administrators how they can create a DNS CNAME to simplify and customize their logon experience.
When your organization signs up for a Microsoft cloud-based service like Intune, you're given an initial domain
name hosted in Azure Active Directory (AD) that looks like the following: yourdomain.onmicrosoft.com. In this
example, yourdomain is the domain name that you chose when you signed up, and onmicrosoft.com is the
suffix assigned to the accounts you add to your subscription. When your organization owns a custom domain, you
can configure your instance of Intune to use that domain instead of the domain name provided with your
subscription.
Before you create user accounts or synchronize your on-premises Active Directory, we strongly recommend that
you decide whether to use only the .onmicrosoft.com domain or to add one or more of your custom domain
names. Configuring a custom domain before adding users can help simplify the management of user identities for
your subscription by enabling users to sign in with the credentials they use to access other domain resources.
When you subscribe to a cloud-based service from Microsoft, your instance of that service becomes a Microsoft
Azure AD tenant, which provides identity and directory services for your cloud-based service. And, because the
tasks to configure Intune to use your organization's custom domain name are the same as for other Azure AD
tenants, you can use the information and procedures found in Add your domain.

TIP
For more information about using your custom domain with a cloud-based service from Microsoft, see Conceptual overview
of custom domain names in Azure Active Directory.

You cannot rename or remove that initial domain name. However, you can add, verify or remove your own custom
domain names to use with Intune, which is helpful if you want to keep your business identity.

To add and verify your custom domain


1. Go to Office 365 management portal and sign into your administrator account.
2. In the navigation pane, choose Settings > Domains.
3. Choose Add domain, and type your custom domain name.
4. The Verify domain dialog box opens, giving you the values to create the TXT record in your DNS hosting
provider.
GoDaddy users: The Office 365 Management portal redirects you to GoDaddy's login page. After you enter
your credentials and accept the domain change permission agreement, the TXT record is created
automatically. You can alternatively create the TXT record yourself.
Register.com users: Follow the step-by-step instructions to create the TXT record.
The steps to add and verify a custom domain can also be performed in Azure Active Directory.
You can learn more about your initial onmicrosoft.com domain in Office 365.
Add users and give administrative permission to Intune
6/23/2017

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

This topic tells administrators how they can add users to Intune and what administrative permissions are available
in the Intune service.
As an administrator, you can add users directly or synchronize users from your on-premises Active Directory. Once
added, users can enroll devices and access company resources. You can also give users additional permissions
including global administrator and service administrator permissions.

Add users to Intune


You can manually add users to your Intune subscription via the Office 365 portal or the Azure Intune portal, but
they might not automatically be assigned an Intune license. An administrator can edit user accounts to assign
Intune licenses. This can be done from either the Office 365 portal or the Intune Azure portal. For additional
guidance on using the Office 365 portal, see Add users individually or in bulk to the Office 365 portal.
Add Intune users in the Office 365 Admin Center
1. Sign in to Office 365 portal.
2. In the Office 365 menu, select Admin.
3. In the Admin center, select Add a user.
4. Specify the following user details:
First name
Last name
Display name - Displayed in Intune portal
User name - UPN name in Intune portal
Location
Contact information (optional)
Password - Auto-generate or specify
5. Assign an Intune license. Select Product licenses and choose the product license to assign the user.
6. Choose Add to create the new user.
Add Intune users in the Azure Intune portal
1. Sign in to the Azure portal and go to Monitoring + Management > Intune. You can also search resources for
Intune.
2. Select Users.
3. In the Admin center, select Add a user.
4. Specify the following user details:
Name
User name - The new name in Azure Active Directory portal
Choose OK to continue.
5. Optionally, you can specify the following:
Profile - Work information including Job title and Department
Groups - Select groups to add for the user
Directory role - Give the user administrative permissions for Intune
Select Create to add the new user to Intune.
6. Select Profile, and then choose a Usage location for the new user. Usage location is required before you can
assign the new user an Intune license. Choose Save to continue.
7. Select Licenses and then choose Assign to assign an Intune license for this user. An Intune license is required
to enroll devices or access company resources. Select Products, choose the license type, choose Select, and
then choose Assign.

Grant admin permissions


After you've added users to your Intune subscription, we recommend that you grant a few user accounts
administrative permission:
Global administrator: Use the Office 365 portal to assign this type of administrator to manage your
subscription, including billing, cloud storage, and managing the users who can use Intune.
Customized or limited administrator: Use the Office 365 or Azure Intune console to assign this type of
administrator for day-to-day tasks including device and computer management, deploying policy and apps,
and running reports.
Types of administrators
Users can be assigned one or more administrator permissions, which define the administrative scope for that user
and the tasks they can manage. Administrator permissions are common between the different Microsoft cloud
services, although some services might not support some permissions. Intune uses the following administrator
permissions:
Global administrator - (Office 365 and Intune) Accesses all administrative features in Intune. By default the
person who signs up for Intune becomes a Global admin. Global admins are the only admins who can assign
other admin roles. You can have more than one global admin in your organization. As a best practice we
recommend that only a few people in your company have this role to reduce the risk to your business.
Billing administrator - (Office 365 and Intune) Makes purchases, manages subscriptions, manages support
tickets, and monitors service health.
Password administrator - (Office 365 and Intune) Resets passwords, manages service requests, and monitors
service health. Password admins are limited to resetting passwords for users.
Service administrator - (Office 365) Opens support requests with Microsoft, and views the service dashboard
and message center. They have view only permissions except for opening support tickets and reading them.
User management administrator - (Office 365 and Intune) Resets passwords, monitors service health, adds
and deletes user accounts, and manages service requests. The user management admin can't delete a global
admin, create other admin roles, or reset passwords for billing, global, and service admins.
By default, the account you use to create your Microsoft Intune subscription is a global administrator. As a best
practice, do not use a global administrator for day-to-day management tasks. An administrator does not require
an Intune license to access the Intune administrator console. See the Azure AD tenant section in What is an Azure
AD directory? for more information.
To access the Office 365 portal, your account must have Sign-in allowed set. In the Intune portal under Profile,
set Block sign in to No to allow access. This status is different from having a license to the subscription. By
default, all user accounts are Allowed. Users without administrator permissions can use the Office 365 portal to
reset Intune passwords.

Sync Active Directory and add users to Intune


You can configure directory synchronization to import user accounts from your on-premises Active Directory to
Microsoft Azure Active Directory (Azure AD) which includes Intune users. Having your on-premises Active
Directory service connected with all of your Azure Active Directory-based services makes managing user identity
much simpler. You can also configure single sign-on features to make the authentication experience for your users
familiar and easy. By linking the same Azure AD tenant with multiple services, the user accounts that you have
previously synchronized are available to all cloud-based services.
How to sync on-premises users with Azure AD
The only tool that you need to synchronize your user accounts with Azure AD is the Azure AD Connect wizard. The
Azure AD Connect wizard provides a simplified and guided experience for connecting your on-premises identity
infrastructure to the cloud. Choose your topology and needs (single or multiple directories, password sync or
federation), and the wizard will deploy and configure all components required to get your connection up and
running, including sync services, Active Directory Federation Services (AD FS), and the Azure AD PowerShell
module.

TIP
Azure AD Connect encompasses functionality that was previously released as Dirsync and Azure AD Sync. Learn more about
directory integration. To learn about the benefits of synchronizing user accounts from your local directory to Azure AD, see
Similarities between Active Directory and Azure AD.
Assign Intune licenses to your user accounts
6/23/2017

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

Whether you manually add users or synchronize from your on-premises Active Directory, you must first assign
each user an Intune license before users can enroll their devices in Intune.

Assign an Intune license in the Office 365 Admin center


You can use the Office 365 portal to manually add cloud-based users and assign licenses to both cloud-based user
accounts and accounts synchronized from your on-premises Active Directory to Azure AD.
1. Sign in to the Office 365 portal using your tenant administrator credentials, and then choose Users >
Active Users.
2. Select the user account that you want to assign an Intune user license to, and then choose Product
licenses > Edit.
3. Toggle Intune or Enterprise Mobility + Security to On, and choose Save.
4. The user account now has the permissions needed to use the service and enroll devices into management.

NOTE
Users will appear in the Admin console only after they have enrolled a device. Also, you can select a group of users to edit at
once, either selecting to add or replace a license for all selected users.

Use School Data Sync to assign licenses to users in Intune for Education

If you are an educational organization, you can use School Data Sync (SDS) to assign Intune for Education licenses
to synced users. Just choose the Intune for Education checkbox when you're setting up your SDS profile.

When you assign an Intune for Education license, make sure that Intune A Direct license is also assigned.
See this overview of School Data Sync to learn more about SDS.

How user and device licenses affect access to services


Each user that you assign a user software license to may access and use the online services and related
software (including System Center software) to manage applications and up to 15 devices.
Each device that you assign a device software license to may access and use the online services and related
software (including System Center software) for use by any number of users.
If a device is used by more than one user, each requires a device software license or all users require a user
software license.

Use PowerShell to selectively manage EMS user licenses


Organizations that use Microsoft Enterprise Mobility + Security (formerly Enterprise Mobility Suite) might have
users who only require Azure Active Directory Premium or Intune services in the EMS package. You can assign one
or a subset of services using Azure Active Directory PowerShell cmdlets.
To selectively assign user licenses for EMS services, open PowerShell as an administrator on a computer with the
Azure Active Directory Module for Windows PowerShell installed. You can install PowerShell on a local computer
or on an ADFS server.
You must create a new license SKU definition that applies only to the desired service plans. To do this, disable the
plans you don't want to apply. For example, you might create a license SKU definition that does not assign an
Intune license. To see a list of available services, type:

(Get-MsolAccountSku | Where {$_.SkuPartNumber -eq "EMS"}).ServiceStatus

You can run the following command to exclude the Intune service plan. You can use the same method to expand to
an entire security group or you can use more granular filters.
Example 1
Create a new user on the command line and assign an EMS license without enabling the Intune portion of the
license:

Connect-MsolService

# Create the user; string values containing spaces must be quoted
New-MsolUser -DisplayName "Test User" -FirstName FName -LastName LName -UserPrincipalName "user@<TenantName>.onmicrosoft.com" -Department DName -UsageLocation US

# License options for the EMS SKU with the Intune service plan (INTUNE_A) disabled
$CustomEMS = New-MsolLicenseOptions -AccountSkuId "<TenantName>:EMS" -DisabledPlans INTUNE_A

# Assign the EMS SKU to the user with the restricted plan set
Set-MsolUserLicense -UserPrincipalName "user@<TenantName>.onmicrosoft.com" -AddLicenses "<TenantName>:EMS" -LicenseOptions $CustomEMS

Verify with:

(Get-MsolUser -UserPrincipalName "user@<TenantName>.onmicrosoft.com").Licenses.ServiceStatus

Example 2
Disable the Intune portion of EMS license for a user that is already assigned with a license:

Connect-MsolService

# License options for the EMS SKU with the Intune service plan (INTUNE_A) disabled
$CustomEMS = New-MsolLicenseOptions -AccountSkuId "<TenantName>:EMS" -DisabledPlans INTUNE_A

# The user already holds the EMS SKU, so only the enabled service plans are changed
Set-MsolUserLicense -UserPrincipalName "user@<TenantName>.onmicrosoft.com" -LicenseOptions $CustomEMS

Verify with:

(Get-MsolUser -UserPrincipalName "user@<TenantName>.onmicrosoft.com").Licenses.ServiceStatus
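The text above notes that the same method can be expanded to an entire security group. The following script does that as an added example; it is not part of the original documentation. It assumes the MSOnline module is installed, that the tenant SKU is <TenantName>:EMS as in the examples above, and that the security group name EMS-NoIntune is a placeholder you replace with your own.

```powershell
# Added example (not from the original documentation): apply the EMS license with the
# Intune service plan disabled to every user in one security group, then verify.
# Assumptions: MSOnline module installed; "<TenantName>:EMS" is your EMS SKU;
# "EMS-NoIntune" is a placeholder security group name.

Connect-MsolService

$AccountSkuId = "<TenantName>:EMS"   # replace <TenantName> with your tenant name
$GroupName    = "EMS-NoIntune"       # placeholder: the security group to license

# License options that keep every EMS plan except Intune (INTUNE_A), as on the page
$CustomEMS = New-MsolLicenseOptions -AccountSkuId $AccountSkuId -DisabledPlans INTUNE_A

$Group = Get-MsolGroup -SearchString $GroupName | Select-Object -First 1
if (-not $Group) { throw "Security group '$GroupName' not found" }

# Only direct user members; nested groups are not expanded here
$Members = Get-MsolGroupMember -GroupObjectId $Group.ObjectId -All |
           Where-Object { $_.GroupMemberType -eq "User" }

foreach ($Member in $Members) {
    $User = Get-MsolUser -ObjectId $Member.ObjectId

    # A usage location is required before a license can be assigned; skip rather than fail
    if (-not $User.UsageLocation) {
        Write-Warning "$($User.UserPrincipalName): no UsageLocation set, skipping"
        continue
    }

    $HasEMS = $User.Licenses | Where-Object { $_.AccountSkuId -eq $AccountSkuId }
    if ($HasEMS) {
        # Already licensed: change only the enabled service plans (Example 2 on the page)
        Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName -LicenseOptions $CustomEMS
    } else {
        # Not yet licensed: add the SKU with the restricted plan set (Example 1 on the page)
        Set-MsolUserLicense -UserPrincipalName $User.UserPrincipalName `
            -AddLicenses $AccountSkuId -LicenseOptions $CustomEMS
    }
}

# Verification: report the INTUNE_A plan status per member; expect "Disabled"
foreach ($Member in $Members) {
    $User = Get-MsolUser -ObjectId $Member.ObjectId
    $User.Licenses |
        Where-Object { $_.AccountSkuId -eq $AccountSkuId } |
        ForEach-Object { $_.ServiceStatus } |
        Where-Object { $_.ServicePlan.ServiceName -eq "INTUNE_A" } |
        ForEach-Object {
            [PSCustomObject]@{
                User   = $User.UserPrincipalName
                Plan   = $_.ServicePlan.ServiceName
                Status = $_.ProvisioningStatus
            }
        }
}
```

Run it from a PowerShell session with the Azure Active Directory Module for Windows PowerShell, as the section above describes; the final loop is the group-wide form of the "Verify with" command shown in the examples.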


Customize the Company Portal
6/19/2017

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

This topic tells administrators how they can customize the Intune Company Portal app and Company Portal
website.
The Intune Company Portal is where users access company data and can do common tasks like enrolling devices,
installing apps, and locating information for assistance from your IT department.
The Intune Company Portal provides users with access to company data and apps. The Company Portal is available
in two forms:
The Company Portal app: An application that is available on devices you manage with Intune. Learn more
about the Company Portal apps for Android, iOS, and Windows.
The Company Portal website: A website that lets end users do most of the tasks they can do from the
Company Portal app. The Intune Company Portal URL is https://portal.manage.microsoft.com. Learn more
about this website at Using the Intune Company Portal website.

TIP
When you customize the Company Portal, the configurations apply to both the Company Portal website and Company
Portal apps.

Some of the tasks that users can do in the Company Portal are:
Enroll devices
View the status of their devices
Reset their device
Reset their password
Remotely lock their device
Download software that is deployed by your organization
Contact the IT department for support

Customize Company Portal settings


Customizing the Company Portal helps provide a familiar and helpful experience for your end users. Log in to the
Microsoft Intune administrator console as a tenant or service administrator, choose Admin > Company Portal
and configure the Company Portal settings.

Company contact information and privacy statement


The company name is displayed as the Company Portal title. The contact information and details are displayed to
users in the Contact IT screen of the Company Portal. The privacy statement is displayed when a user clicks on the
privacy link.
FIELD NAME | MAX LENGTH | MORE INFORMATION
Company name | 40 | This name is displayed as the title of the Company Portal.
IT department contact name | 40 | This name is displayed on the Contact IT page.
IT department phone number | 20 | This contact number is displayed on the Contact IT page.
IT department email address | 40 | This contact address is displayed on the Contact IT page. You must enter a valid email address in the format alias@domainname.com.
Additional information | 120 | Displayed on the Contact IT page.
Company privacy statement URL | 79 | You can specify your own company privacy statement that appears when users click the privacy links from the Company Portal. You must enter a valid URL in the format https://www.contoso.com.

Support contacts
The support website is displayed to users in the Company Portal to enable them to access online support.

FIELD NAME | MAX LENGTH | MORE INFORMATION
Support website URL | 150 | If you have a support website that you want your users to use, specify the URL here. The URL must be in the format https://www.contoso.com. If you don't specify a URL, nothing is displayed for the support website on the Contact IT page in the Company Portal.
Website name | 40 | This name is the friendly name that is displayed for the URL to the support website. If you specify a support website URL and no friendly name, then Go to IT website is displayed on the Contact IT page in the Company Portal.

Company branding customization


You can customize your Company Portal with your company logo, company name, theme color and background.

FIELD NAME | MORE INFORMATION
Theme color | Select a theme color to apply to the Company Portal.
Include company logo | When you enable this option, you can upload your company logo to show in your Company Portal. You can upload two logos: one logo that is displayed when the Company Portal background is white, and one logo that is displayed when the Company Portal background uses your selected theme color. Each logo must be a .png or .jpg file type, have a maximum resolution of 400 x 100 pixels, and be 750 KB or less in size.
Choose a background for Windows 8 Company Portal app | This setting affects the background for the Windows 8 Company Portal app only.

After you save your changes, you can use the links provided at the bottom of the Company Portal page of the
administration console to view the Company Portal website. These links cannot be changed. When a user signs in,
these links display your subscriptions in the Company Portal.
Set the mobile device management authority
6/19/2017

APPLIES TO: INTUNE ON AZURE

The mobile device management (MDM) authority setting determines how you manage your devices. As an IT
admin, you must set an MDM authority before users can enroll devices for management.
Possible configurations are:
Intune Standalone - cloud-only management, which you configure by using the Azure portal. Includes the
full set of capabilities that Intune offers. Set the MDM authority in the Intune console.
Intune Hybrid - integration of the Intune cloud solution with System Center Configuration Manager. You
configure Intune by using the Configuration Manager console. Set the MDM authority in Configuration
Manager.
Mobile Device Management for Office 365 - integration of Office 365 with the Intune cloud solution.
You configure Intune from your Office 365 Admin Center. Includes a subset of the capabilities that are
available with Intune Standalone. Set the MDM authority in Office 365 Admin Center.

IMPORTANT
In Configuration Manager version 1610 or later and Microsoft Intune version 1705, you can change the MDM authority
without having to contact Microsoft Support, and without having to unenroll and reenroll your existing managed devices.
For details, see What to do if you choose the wrong MDM authority setting.

Set MDM authority to Intune


1. In the Azure portal, choose More Services > Monitoring + Management > Intune.

2. On the Intune blade, choose Device enrollment, and then choose Overview.
3. On the Start managing devices blade, choose Set MDM Authority to Intune. A message indicates that
you have successfully set your MDM authority to Intune.

Mobile device cleanup after MDM certificate expiration


The MDM certificate is renewed automatically when mobile devices are communicating with the Intune service. If
mobile devices are wiped, or they fail to communicate with the Intune service for some period of time, the MDM
certificate will not get renewed. The device is removed from the Azure portal 180 days after the MDM certificate
expires.
What is device enrollment?
6/20/2017

APPLIES TO: INTUNE ON AZURE

This topic describes enrollment and lists the different ways to enroll mobile devices in Intune management.
You enroll devices in Intune so that you can manage those devices. We refer to this capability in the Intune
documentation as mobile device management (MDM). When devices are enrolled in Intune, they are issued an
MDM certificate, which the devices then use to communicate with the Intune service.
The way you enroll your devices depends on the device type, ownership, and the level of management you
need. "Bring your own device" (BYOD) enrollment lets users enroll their personal phones, tablets, or PCs.
Corporate-owned device (COD) enrollment enables management scenarios like automatic enrollment, shared
devices, or pre-authorized enrollment requirements.
If you use Exchange ActiveSync, either on-premises or hosted in the cloud, you can enable simple Intune
management without enrollment (more information is coming soon). You can manage Windows PCs as mobile
devices, which is the recommended method described below.

Overview of device enrollment methods


The following tables offer an overview of Intune enrollment methods with their capabilities and requirements
described below.
Legend:
Reset required - Devices are factory reset during enrollment.
User Affinity - Associates devices with users. For more information, see User affinity.
Locked - Prevents users from unenrolling devices.
iOS enrollment methods

METHOD | RESET REQUIRED | USER AFFINITY | LOCKED | DETAILS
BYOD | No | Yes | No | More information
DEM | No | No | No | More information
DEP | Yes | Optional | Optional | More information
USB-SA | Yes | Optional | No | More information
USB-Direct | No | No | No | More information

Windows enrollment methods


METHOD | RESET REQUIRED | USER AFFINITY | LOCKED | DETAILS
BYOD | No | Yes | No | More information
DEM | No | No | No | More information
Auto-enroll | No | Yes | No | More information
Bulk enroll | No | No | No | More information

Android enrollment methods

METHOD | RESET REQUIRED | USER AFFINITY | LOCKED | DETAILS
BYOD | No | Yes | No | More information
DEM | No | No | No | More information
Android for Work | No | Yes | No | More information

BYOD
"Bring your own device" users install and run the Company Portal app to enroll their devices. This program lets
users access company resources like email.

Corporate-owned devices
The following are corporate-owned devices (COD) enrollment scenarios. iOS devices can be enrolled directly
through the tools that are provided by Apple. All device types can be enrolled by an admin or manager using the
device enrollment manager. Devices with an IMEI number can also be identified and tagged as company-owned to
enable COD scenarios.
DEM
Device enrollment manager (DEM) is a special user account that's used to enroll and manage multiple
corporate-owned devices. Managers can install the Company Portal and enroll many user-less devices. Learn more
about DEM.
DEP
Apple Device Enrollment Program (DEP) management lets you create and deploy policy over the air to iOS
devices that are purchased and managed with DEP. The device is enrolled when users turn on the device for the
first time and run iOS Setup Assistant. This method supports iOS Supervised mode, which in turn enables the
following functionality:
Locked enrollment
Kiosk mode and other advanced configurations and restrictions
Learn more about iOS DEP enrollment:
Choose how to enroll iOS devices
Enroll iOS devices using Device Enrollment Program
USB-SA
IT admins use Apple Configurator, through USB, to prepare each corporate-owned device manually for enrollment
using Setup Assistant. The IT admin creates an enrollment profile and exports it to Apple Configurator. When users
receive their devices, they are then prompted to run Setup Assistant to enroll their device. This method supports
iOS Supervised mode, which in turn enables the following features:
Locked enrollment
Kiosk mode and other advanced configurations and restrictions
Learn more about iOS Apple Configurator enrollment with Setup Assistant:
Decide how to enroll iOS devices
Enroll iOS devices with Configurator and Setup Assistant
USB-Direct
For direct enrollment, the admin must enroll each device manually by creating an enrollment policy and exporting
it to Apple Configurator. USB-connected, corporate-owned devices are enrolled directly and don't require a factory
reset. Devices are managed as user-less devices. They are not locked or supervised and cannot support conditional
access, jailbreak detection, or mobile application management.
To learn more about iOS enrollment, see:
Decide how to enroll iOS devices
Enroll iOS devices with Configurator and direct enrollment

Mobile device management with Exchange ActiveSync and Intune


Mobile devices that aren't enrolled, but that connect to Exchange ActiveSync (EAS), can be managed by Intune
using EAS MDM policy. Intune uses an Exchange Connector to communicate with EAS, either on-premises or
cloud-hosted. More information is coming soon.

Mobile device cleanup after MDM certificate expiration


The MDM certificate is renewed automatically when mobile devices are communicating with the Intune service. If
mobile devices are wiped, or they fail to communicate with the Intune service for some period of time, the MDM
certificate will not get renewed. The device is removed from the Azure portal 180 days after the MDM certificate
expires.
Ensure users accept company terms for access
6/19/2017

APPLIES TO: INTUNE ON AZURE

As an Intune admin, you can require that users accept your company's terms and conditions before they can use the
Company Portal to enroll their devices and access resources like company apps and email. Configuration of terms
and conditions is optional.
You can create multiple sets of terms and assign them to different groups, such as to support different languages.

Create terms and conditions


Complete these steps to create terms and conditions. The display name and description are for administrative use,
while the terms properties are displayed to users in the Company Portal.
1. In the Intune portal, choose Device enrollment, and then choose Terms and Conditions.
2. Select Create.

3. On the expanded blade, specify the following information:


Display name: The name for the terms in the Intune portal. Users don't see this name.
Description: Optional details that help you identify this set of terms in the Intune portal.
4. Select the arrow next to Define terms of use to open the Terms and Conditions blade, and then enter the
following information:
Title: The name for your terms that users see in the Company Portal above the Summary.
Summary of Terms: Text that explains what it means when users accept the terms. For example, "By
enrolling your device, you are agreeing to the terms of use set out by Contoso. Read the terms carefully
before proceeding."
Terms and Conditions: The terms and conditions that users see and must either accept or reject.
5. Select Ok and then select Create.

See how terms are displayed to your users


The following example shows the Title and Summary of Terms in the admin console and Company Portal.

The following example shows the terms and conditions in the admin console and the Company Portal.
Assign terms and conditions
You can assign terms and conditions to groups of users who must accept them before using the Company Portal.
1. In the Intune portal, choose Device enrollment, and then choose Terms and Conditions.
2. In the list of terms and conditions, select the terms you want to assign, and then select Assigned Groups.

3. Click the Select Group button and in the Select Groups blade, select the groups you want to assign the terms,
and then click Select. Dynamic groups cannot be assigned Terms and Conditions.
4. In the Assigned Groups blade, click Save. The terms and conditions are now assigned to users in the selected
groups. Users will be prompted to accept the terms the next time they access the Company Portal. The terms and
conditions only need to be accepted once. Users with multiple devices don't have to accept on each device.

Monitor terms and conditions


1. In the Azure portal, choose More Services > Monitoring + Management > Intune. On the Intune blade,
choose Device enrollment, and then choose Terms and Conditions.
2. In the list of terms and conditions, select the terms you want to view acceptance for, and then select Acceptance
Statuses.

Work with multiple versions of terms and conditions


You can edit your terms and conditions and manage their versions. We recommend that you increase the version
number and require acceptance any time you make significant changes to your terms and conditions. Keep the
current version number if, for example, you are fixing typos or changing formatting.
1. In the Azure portal, choose More Services > Monitoring + Management > Intune.
2. On the Intune blade, choose Device enrollment, choose Terms and Conditions, select the terms and
conditions you want to modify, and then select Properties.
3. On the Properties blade, select Terms and Conditions and then modify the Title, Summary of Terms, and
Terms and Conditions as needed. If the changes you made make it necessary for users to reaccept the new
terms, click Require users to re-accept, and increment the version number to
4. Select OK and then select Save.
Users only have to accept updated terms and conditions once. Users with multiple devices don't have to accept
terms and conditions on each device.
Set enrollment restrictions
6/29/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

As an Intune admin, you can determine which devices can enroll into management with Intune. Use the Intune
portal to set the following restrictions for device enrollment:
Maximum number of enrolled devices
Device platforms that can enroll:
Android
iOS
macOS
Windows
Restrict personally owned devices (iOS, Android, macOS only)

NOTE
Enrollment restrictions are not a security feature. A compromised device can misrepresent its platform or ownership.
These restrictions are a best-effort barrier for non-malicious users.

Set device type restrictions


The default enrollment restrictions apply to all users who aren't assigned higher priority enrollment restrictions.
1. In the Intune portal, choose Device enrollment, and then choose Enrollment restrictions.

2. Under Enrollment restrictions > Device Type Restrictions, select Default.


3. Under All Users, select Platforms. Choose Allow or Block for each platform:
Android
iOS
macOS
Windows
Click Save.
4. Under All Users, select Platform Configurations and select the following configurations:
Personally Owned - Specify whether to Allow or Block for Android, iOS, and macOS devices.

Click Save.

Set device limit restrictions


The default enrollment restrictions apply to all users who aren't assigned higher priority enrollment restrictions.
1. In the Intune portal, choose Device enrollment, and then choose Enrollment restrictions.
2. Choose Enrollment restrictions > Device Limit Restrictions.
3. Under All Users, select Device Limit. Specify the maximum number of enrolled devices per user.

Click Save.
Get an Apple MDM push certificate
6/19/2017 2 min to read

APPLIES TO: INTUNE ON AZURE


Intune enables mobile device management (MDM) of iPads, iPhones, and Mac computers and gives users access to
company email and apps. An MDM Push certificate is required for Intune to manage iOS and Mac devices. After
you add the certificate to Intune, your users can install the Company Portal app to enroll their devices. You can also
set up corporate-owned iOS device management with Apple's Device Enrollment Program or enroll devices using
Apple Configurator, for example. For more information about enrollment options, see Choose how to enroll iOS
devices.

Steps to get your certificate


In the Intune portal, choose Device enrollment > Apple Enrollment > Apple MDM Push Certificate, and then
follow the numbered steps in the Azure portal, which are shown below.
Step 1. Download the Intune certificate signing request required to create an Apple MDM push
certificate.
Select Download your CSR to download and save the .csr file locally. The .csr file is used to request a trust
relationship certificate from the Apple Push Certificates Portal.
Step 2. Create an Apple MDM push certificate.
Select Create your MDM push Certificate to go to the Apple Push Certificates Portal. Sign in with your company
Apple ID to create the push certificate by using the .csr file. After choosing Upload on Apple's Push Certificate
Portal, you will receive a .json file. Do not use this file for the push certificate. Complete the download, return to the
Apple Push Certificates Portal for Certificates for Third-Party Servers, and then choose Download. Download the
push certificate (.pem file), and save the file locally.

NOTE
The certificate is associated with the Apple ID used to create it. As a best practice, use a company Apple ID for management
tasks. Never use a personal Apple ID.

Step 3. Enter the Apple ID used to create your Apple MDM push certificate.
Step 4. Browse to your Apple MDM push certificate to upload.
Go to the certificate (.pem) file, choose Open, and then choose Upload. With the push certificate, Intune can enroll
and manage iOS devices by pushing policy to enrolled mobile devices.

Renew Apple MDM push certificate


The Apple MDM push certificate is valid for one year and must be renewed annually to maintain iOS and macOS
device management. If your certificate expires, enrolled Apple devices cannot be contacted.
The certificate is associated with the Apple ID used to create it. Renew the MDM push certificate with the same
Apple ID used to create it.
NOTE
The certificate is associated with the Apple ID used to create it. As a best practice, use a company Apple ID for management
tasks. Never use a personal Apple ID.

1. In the Intune portal, choose Device enrollment > Apple Enrollment and then select Apple MDM Push
Certificate.
2. Select Download your CSR to download and save the .csr file locally. The .csr file is used to request a trust
relationship certificate from the Apple Push Certificates Portal.
3. Find the certificate you want to renew and select Renew.
4. On the Renew Push Certificate screen, provide notes to help you identify the certificate in the future, select
Choose File to browse to the new .csr file you downloaded, and choose Upload.
5. On the Confirmation screen, select Download and save the .pem file locally.
6. In the Azure Intune portal, select the Apple MDM push certificate browse icon, select the .pem file
downloaded from Apple, and choose Upload.
Your Apple MDM push certificate appears Active and has 365 days until expiration.
Add corporate identifiers
6/29/2017 2 min to read

APPLIES TO: INTUNE ON AZURE


As an IT admin, you can create and import a comma-separated value (.csv) file that lists international mobile
equipment identifier (IMEI) numbers or serial numbers to identify corporate-owned devices. Serial numbers can be
declared only for iOS and Android devices. Each IMEI or serial number can have details specified in the list for
administrative purposes.
Learn how to find an Apple device serial number. Learn how to find your Android device serial number.

Add corporate identifiers


To create the list, create a two-column, comma-separated value (.csv) list without a header. Add the IMEI or serial
numbers in the left column, and the details in the right column. Only one type of ID, IMEI or serial number, can be
imported in a single .csv file. Details are limited to 128 characters and are for administrative use only. Details aren't
displayed on the device. The current limit is 500 rows per .csv file.
Upload a .csv file that has serial numbers
Create a two-column, comma-separated value (.csv) list without a header, and limit the list to 5,000 devices or 5 MB
per .csv file.

<ID #1> <Device #1 Details>
<ID #2> <Device #2 Details>

This .csv file when viewed in a text editor appears as:

01234567890123,device details
02234567890123,device details

IMPORTANT
Some Android devices have multiple IMEI numbers. Intune only reads one IMEI number per enrolled device. If you import an
IMEI number but it is not the IMEI inventoried by Intune, the device will be classified as a personal device instead of a
company-owned device. If you import multiple IMEI numbers for a device, uninventoried numbers will display Unknown for
enrollment status.
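The format rules above (two columns, no header, one ID type per file, details of at most 128 characters, a per-file row limit) can be checked before the file is uploaded. The following is an added example, not Microsoft's or Intune's own code: a Python validator for such a file. The sample rows are constructed, the serial-number pattern is an assumption, and the IMEI test applies the Luhn check digit that 3GPP TS 23.003 defines for the 15-digit IMEI. The page states both a 500-row and a 5,000-device limit; the stricter figure is the default here and can be overridden.

```python
"""Validate a corporate device identifier .csv before uploading it to Intune.

Added example, not Microsoft's code. It mirrors the rules stated on the page
(two columns, no header, one ID type per file, details <= 128 characters,
a per-file row limit) and adds a 3GPP TS 23.003 IMEI check-digit test.
"""
import csv
import io
import re

MAX_DETAILS = 128          # stated on the page
DEFAULT_MAX_ROWS = 500     # the stricter of the two per-file limits on the page

# Assumption for this example: a serial number is 6-32 letters, digits or
# hyphens. Real vendor formats vary, so this is only a loose sanity check.
SERIAL_RE = re.compile(r"^[A-Za-z0-9\-]{6,32}$")


def imei_is_valid(value: str) -> bool:
    """True for a 15-digit IMEI whose Luhn check digit (3GPP TS 23.003) is correct."""
    if len(value) != 15 or not value.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(value)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_identifier_csv(text: str, id_type: str, max_rows: int = DEFAULT_MAX_ROWS):
    """Return (rows, errors).

    rows:   list of (identifier, details) tuples in file order
    errors: list of (line_number, message); line 0 means a whole-file problem
    id_type is "IMEI" or "Serial", matching the choice in the Add Identifiers blade.
    """
    if id_type not in ("IMEI", "Serial"):
        raise ValueError("id_type must be 'IMEI' or 'Serial'")
    rows, errors, seen = [], [], set()
    for line_no, record in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not record or record == [""]:
            continue                                    # skip blank lines
        if len(record) != 2:
            errors.append((line_no, "expected exactly two columns"))
            continue
        ident, details = record[0].strip(), record[1].strip()
        if line_no == 1 and ident.lower() in ("imei", "serial", "id"):
            errors.append((line_no, "header row found; the file must not have a header"))
            continue
        if id_type == "IMEI" and not imei_is_valid(ident):
            errors.append((line_no, f"{ident!r} is not a 15-digit IMEI with a valid check digit"))
        elif id_type == "Serial" and not SERIAL_RE.match(ident):
            errors.append((line_no, f"{ident!r} does not look like a serial number"))
        if len(details) > MAX_DETAILS:
            errors.append((line_no, f"details exceed {MAX_DETAILS} characters"))
        if ident in seen:
            errors.append((line_no, f"duplicate identifier {ident!r}"))
        seen.add(ident)
        rows.append((ident, details))
    if len(rows) > max_rows:
        errors.append((0, f"{len(rows)} rows exceeds the per-file limit of {max_rows}"))
    return rows, errors


# Constructed sample file (not from the page): two valid IMEIs, then a bad
# check digit, a serial number in an IMEI file, and a duplicate of row 1.
SAMPLE_IMEI_CSV = (
    "490154203237518,Warehouse scanner 01\n"
    "490154203237526,Warehouse scanner 02\n"
    "490154203237519,Bad check digit\n"
    "C02AB1234XYZ,Serial in an IMEI file\n"
    "490154203237518,Duplicate of row 1\n"
)

if __name__ == "__main__":
    parsed, problems = validate_identifier_csv(SAMPLE_IMEI_CSV, "IMEI")
    for line, message in problems:
        print(f"line {line}: {message}")
    print(f"{len(parsed)} rows parsed, {len(problems)} problems")
```

Run it against the real file with `validate_identifier_csv(open(path, encoding="utf-8").read(), "IMEI")` and fix every reported line before importing; a device whose IMEI fails the check digit is worth re-reading from the device, since the IMPORTANT note above explains that an IMEI that does not match what Intune inventories leaves the device classified as personal.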

To add a .csv list of corporate identifiers


1. In the Intune portal, choose Device enrollment > Enrollment Restrictions, choose Corporate Device
Identifiers, and then click Add.
2. In the Add Identifiers blade, specify the identifier type, IMEI or Serial. You can specify whether previously
imported numbers should Overwrite details for existing identifiers.
3. Click the folder icon and specify the path to the list you want to import. Navigate to the .csv file, and select
Add. You can click Refresh to see new device identifiers.
Once imported, these devices might or might not be enrolled, and can have a state of either Enrolled or Not
contacted. Not contacted means that the device has never communicated with the Intune service.

Delete corporate identifiers


1. In the Intune portal, choose Device enrollment > Enrollment Restrictions, choose Corporate Device
Identifiers, and choose Delete.
2. In the Delete Identifiers blade, browse to the .csv file of device IDs to delete, and then click Delete.

IMEI specifications
For detailed specifications about International Mobile Equipment Identifiers, see 3GPP TS 23.003.
Enroll devices using device enrollment manager
6/19/2017 4 min to read

APPLIES TO: INTUNE ON AZURE


Organizations can use Intune to manage large numbers of mobile devices with a single user account. The device
enrollment manager (DEM) account is a special user account that can enroll up to 1,000 devices. You add existing
users to the DEM account to give them the special DEM capabilities. Each enrolled device uses a single license. We
recommend that you use devices enrolled through this account as shared devices rather than personal ("BYOD")
devices.
Users must exist in the Azure portal to be added as device enrollment managers. For optimal security, the DEM
user should not also be an Intune admin.

NOTE
The DEM enrollment method can't be used with these other enrollment methods: Apple Configurator with Setup Assistant,
Apple Configurator with direct enrollment, Apple School Manager (ASM), or Device Enrollment Program (DEP).

Example of a device enrollment manager scenario


A restaurant wants to provide 50 point-of-sale tablets for its wait staff, and order monitors for its kitchen staff. The
employees never need to access company data or sign in as users. The Intune admin creates a device enrollment
manager account and adds a restaurant supervisor to the DEM account, in effect giving that supervisor DEM
capabilities. The supervisor can now enroll the 50 tablet devices by using the DEM credentials.
Only users in the Intune console can be device enrollment managers. The device enrollment manager user cannot
be an Intune admin.
The DEM user can:
Enroll up to 1000 devices in Intune.
Sign in to the Company Portal to get company apps.
Configure access to company data by deploying role-specific apps to the tablets.

Limitations of devices that are enrolled with a DEM account


Devices that are enrolled with a device enrollment manager account have the following limitations:
No per-user access. Because devices don't have an assigned user, the devices have no email or company data
access. VPN configurations, for example, could still be used to provide device apps with access to data.
No conditional access because these scenarios are per-user.
The DEM user can't unenroll DEM-enrolled devices on the device itself by using the Company Portal. The Intune
admin can do this, but the DEM user cannot.
Only the local device appears in the Company Portal app or website.
Users can't use Apple Volume Purchase Program (VPP) apps because of per-user Apple ID requirements for
app management.
(iOS only) If you use DEM to enroll iOS devices, you can't use the Apple Configurator, Apple Device Enrollment
Program (DEP), or Apple School Manager (ASM) to enroll devices.
Each device requires a device license. Learn more about user and device licenses.

NOTE
To deploy company apps to devices that are managed by the device enrollment manager, deploy the Company Portal app
as a Required Install to the device enrollment manager's user account. To improve performance, viewing the Company
Portal app on a DEM device shows only the local device. Remote management of other DEM devices can only be done from
the Intune admin console.

Add a device enrollment manager


1. In the Azure portal, choose More Services > Monitoring + Management > Intune.
2. On the Intune blade, choose Enroll devices, and then choose Device Enrollment Managers.
3. Select Add.
4. On the Add User blade, enter a user principal name for the DEM user, and select Add. The DEM user is
added to the list of DEM users.

Permissions for DEM


Global or Intune Service Administrator Azure AD roles are required to perform DEM enrollment tasks. These roles
are also required to see all DEM users, even though RBAC permissions are listed and available under the custom
User role. A user without the Global administrator or Intune Service administrator role assigned, but who has read
permissions for the Device Enrollment Managers role, can only see the DEM users they created. RBAC role support
for these features will be announced in the future.

Remove a device enrollment manager


Removing a device enrollment manager does not affect enrolled devices. When a device enrollment manager is
removed:
Enrolled devices are unaffected and continue to be fully managed.
The removed device enrollment manager account credentials remain valid.
The removed device enrollment manager still cannot wipe or retire devices.
The removed device enrollment manager can only enroll a number of devices up to the per-user limit
configured by the Intune admin.
To remove a device enrollment manager
1. In the Azure portal, choose More Services > Monitoring + Management > Intune.
2. On the Intune blade, choose Enroll devices, and then choose Device Enrollment Managers.
3. On the Device Enrollment Managers blade, right-click the DEM user, and select Remove.

View the properties of a device enrollment manager


1. In the Intune portal, choose Device enrollment, and then choose Device Enrollment Managers.
2. On the Device Enrollment Managers blade, right-click the DEM user, and select Properties.
Map device groups
6/19/2017 3 min to read

APPLIES TO: INTUNE ON AZURE


Use Microsoft Intune device categories to automatically add devices to groups based on categories that you define,
in order to make it easier for you to manage those devices.
Device categories use the following workflow:
1. Create categories that users will choose from when they enroll their device
2. When end users of iOS and Android devices enroll their device, they must choose a category from the list of
categories you configured. To assign a category to a Windows device, end users must use the Company Portal
website (see After you configure device groups in this topic for more details).
3. You can then deploy policies and apps to these groups.
You can create any device categories you want, for example:
Point of sale device
Demonstration device
Sales
Accounting
Manager

How to configure device categories


Step 1 - Create device categories in the Intune blade of the Azure portal
1. In the Azure portal, choose More Services > Monitoring + Management > Intune.
2. On the Intune blade, choose Enroll devices.
3. In the Enrollment blade, choose Device Categories.
4. On the Device Categories page, choose Create to add a new category.
5. In the next blade, enter a Name for the new category, and an optional Description.
6. When you are done, click Create. You'll see the category you just created in the list of categories.
You'll use the device category name when you create Azure Active Directory security groups in step 2.
Step 2 - Create Azure Active Directory security groups
In this step, you'll create dynamic groups in the Azure portal based on the device category and device category
name.
To continue, refer to the topic Using attributes to create advanced rules in the Azure Active Directory
documentation.
Use the information in this section to create a device group with an advanced rule that uses the deviceCategory
attribute, for example: (device.deviceCategory -eq "")
After you configure device groups, and users enroll their device, they are presented with a list of the categories you
configured. After they choose a category and finish enrollment, their device is added to the Active Directory security
group that corresponds with the category they chose.
How to view the categories of devices you manage
1. In the Azure portal, choose More Services > Monitoring + Management > Intune.
2. In the Intune blade of the Azure portal, choose Devices and Groups.
3. Under Manage, click All devices.
4. In the list of devices, examine the Category column.
If the Category column isn't displayed, click Columns, choose Category from the list, and then click Apply.
To change the category of a device
1. In the Azure portal, choose More Services > Monitoring + Management > Intune.
2. On the Intune blade, choose Devices & Groups.
3. On the Devices and Groups blade, choose Manage > All devices.
4. In the list of devices, choose the device you want, then, on the device properties blade, choose Manage >
Properties.
5. On the next blade, you can change the Device category of the selected device to any of the category names
you previously configured.

After you configure device groups


When end users of iOS and Android devices enroll their device, they must choose a category from the list of
categories you configured. After they choose a category and finish enrollment, their device is added to the Intune
device group, or Active Directory security group that corresponds with the category they chose.
To assign a category to a Windows device, end users must use the Company Portal website
(portal.manage.microsoft.com) after enrolling the device. On a Windows device, access the website and go to Menu
> My Devices. Choose an enrolled device listed on the page, then select a category.
After choosing a category, the device is automatically added to the corresponding group you created. If a device is
already enrolled before you configure categories, the end user will see a notification about the device on the
Company Portal website, and will be asked to select a category the next time they access the Company Portal app
on iOS or Android.

Further information
You can edit a device category in the Azure Portal, but if you do this, you must manually update any Azure
Active Directory Security groups that reference this category.
If you delete a category, any devices that were assigned to it will subsequently display the category name
Unassigned.
Enroll Windows devices
6/22/2017 4 min to read

APPLIES TO: INTUNE ON AZURE


This topic helps IT administrators simplify Windows enrollment for their users. Windows devices can be enrolled
without any additional steps, but you can make enrollment easier for users.
Devices that run the Windows 10 Creators Update, and are Azure Active Directory domain-joined, are now
supported for multi-user management by Intune. This means that when different standard users log onto the
device with their Azure AD credentials, they will receive any apps and policies that were assigned to their user
name. Users cannot currently use the Company Portal for self-service scenarios like installing apps.
Two factors determine how you can simplify Windows device enrollment:
Do you use Azure Active Directory Premium?
Azure AD Premium is included with Enterprise Mobility + Security and other licensing plans.
What versions of Windows clients will enroll?
Windows 10 devices can automatically enroll by adding a work or school account. Earlier versions must enroll
using the Company Portal app.

                           AZURE AD PREMIUM         OTHER AD
Windows 10                 Automatic enrollment     User enrollment
Earlier Windows versions   User enrollment          User enrollment

Enable Windows 10 automatic enrollment


Automatic enrollment lets users enroll their Windows 10 devices in Intune when adding their work account to their
personally-owned devices or joining their corporate-owned devices to your Azure Active Directory. In the
background, the user's device registers and joins Azure Active Directory. Once registered, the device is managed
with Intune.
Prerequisites
Azure Active Directory Premium subscription (trial subscription)
Microsoft Intune subscription
Configure automatic MDM enrollment
1. Sign in to the Azure management portal (https://manage.windowsazure.com), and select Azure Active
Directory.
2. Select Mobility (MDM and MAM).

3. Select Microsoft Intune.


4. Configure MDM User scope. Specify which users' devices should be managed by Microsoft Intune. These
users' Windows 10 devices will be automatically enrolled for management with Microsoft Intune.
None
Some
All

5. Use the default values for the following URLs:


MDM Terms of use URL
MDM Discovery URL
MDM Compliance URL

IMPORTANT
If a user is a member of a group that has both automatic MDM enrollment and MAM enabled, and the user
tries to workplace join their personal device, then only MAM is enabled.

6. Select Save.
By default, two-factor authentication is not enabled for the service. However, two-factor authentication is
recommended when registering a device. Before requiring two-factor authentication for this service, you must
configure a two-factor authentication provider in Azure Active Directory and configure your user accounts for
multi-factor authentication. See Getting started with the Azure Multi-Factor Authentication Server.

Enable Windows enrollment without Azure AD Premium


You can let users enroll their devices without Azure AD Premium automatic enrollment. Once you assign licenses,
users can enroll after adding their work account to their personally-owned devices or joining their corporate-
owned devices to your Azure AD. Creating a DNS alias (CNAME record type) makes it easier for users to enroll their
devices. If you create DNS CNAME resource records, users connect and enroll in Intune without having to enter the
Intune server name.
Step 1: Create CNAME (optional)
Create CNAME DNS resource records for your company's domain. For example, if your company's website is
contoso.com, you would create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to
enterpriseenrollment-s.manage.microsoft.com.
Although creating CNAME DNS entries is optional, CNAME records make enrollment easier for users. If no
enrollment CNAME record is found, users are prompted to manually enter the MDM server name,
enrollment.manage.microsoft.com.

TYPE    HOST NAME                                   POINTS TO                                     TTL
CNAME   EnterpriseEnrollment.company_domain.com     EnterpriseEnrollment-s.manage.microsoft.com   1 hour

If you have more than one UPN suffix, you need to create one CNAME for each domain name and point each one
to EnterpriseEnrollment-s.manage.microsoft.com. For example, if users at Contoso use name@contoso.com, but
also use name@us.contoso.com and name@eu.contoso.com as their email/UPN, the Contoso DNS admin would
need to create the following CNAMEs.

TYPE    HOST NAME                                   POINTS TO                                     TTL
CNAME   EnterpriseEnrollment.contoso.com            EnterpriseEnrollment-s.manage.microsoft.com   1 hour
CNAME   EnterpriseEnrollment.us.contoso.com         EnterpriseEnrollment-s.manage.microsoft.com   1 hour
CNAME   EnterpriseEnrollment.eu.contoso.com         EnterpriseEnrollment-s.manage.microsoft.com   1 hour

EnterpriseEnrollment-s.manage.microsoft.com: supports a redirect to the Intune service with domain recognition
from the email's domain name.
Changes to DNS records might take up to 72 hours to propagate. You cannot verify the DNS change in Intune until
the DNS record propagates.
Step 2: Verify CNAME (optional)
In the Azure Intune portal, choose More Services > Monitoring + Management > Intune. On the Intune blade,
choose Enroll devices > Windows Enrollment. Enter the URL of the verified domain of the company website in
the Specify a verified domain name box, and then choose Test Auto-Detection.
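A quick way to confirm that every UPN suffix has its CNAME in place before relying on the portal's auto-detection test, as an added example that is not part of this page or of Microsoft's tooling: the check takes a resolver callable, so it works with whichever DNS library is at hand, and normalizes the case and trailing dot that resolvers return. The lookup table used in the demo is constructed, not real DNS data; the `resolve(name)` signature is an assumption of this example.

```python
"""Generate and verify the EnterpriseEnrollment CNAME records for Windows enrollment.

Added example, not Microsoft's code. It assumes a resolver callable
resolve(name) -> str | None that returns the CNAME target for a host name
(or None when no record exists); a constructed table plays that role below.
"""
ENROLLMENT_TARGET = "enterpriseenrollment-s.manage.microsoft.com"   # from the page


def expected_cnames(upn_suffixes):
    """One CNAME per UPN suffix, as the page describes: host -> target, TTL 1 hour."""
    return [
        {
            "type": "CNAME",
            "host": f"EnterpriseEnrollment.{suffix.strip().lower()}",
            "points_to": ENROLLMENT_TARGET,
            "ttl": "1 hour",
        }
        for suffix in upn_suffixes
    ]


def _normalize(name):
    """Lower-case and drop the trailing dot of a fully qualified name; keep None."""
    return name.rstrip(".").lower() if name else None


def check_enrollment_cnames(upn_suffixes, resolve):
    """Return {suffix: status}; status is 'ok', 'missing' or 'wrong target: <name>'."""
    results = {}
    for rec in expected_cnames(upn_suffixes):
        suffix = rec["host"].split(".", 1)[1]
        target = _normalize(resolve(rec["host"]))
        if target is None:
            results[suffix] = "missing"
        elif target != ENROLLMENT_TARGET:
            results[suffix] = f"wrong target: {target}"
        else:
            results[suffix] = "ok"
    return results


# Constructed answers standing in for DNS (not real lookups): one correct
# record, one pointing at the wrong host name, and one absent record.
FAKE_DNS = {
    "enterpriseenrollment.contoso.com": "EnterpriseEnrollment-s.manage.microsoft.com.",
    "enterpriseenrollment.us.contoso.com": "enrollment.manage.microsoft.com.",
}


def fake_resolve(name):
    return FAKE_DNS.get(name.lower())


if __name__ == "__main__":
    for suffix, status in check_enrollment_cnames(
        ["contoso.com", "us.contoso.com", "eu.contoso.com"], fake_resolve
    ).items():
        print(f"{suffix}: {status}")
```

With a real resolver (for instance dnspython's `dns.resolver.resolve(name, "CNAME")`, wrapping its no-answer exceptions into `None`; that wiring is assumed here, not tested) the same function reports which suffixes still need a record or were pointed at `enrollment.manage.microsoft.com` instead of the `-s` host, a mistake the two similar names on this page invite. Because changes can take up to 72 hours to propagate, a "missing" result right after editing the zone is expected; re-run the check before using Test Auto-Detection.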

Tell users how to enroll Windows devices


Tell your users how to enroll their Windows devices and what to expect after they're brought into management.
For end-user enrollment instructions, see Enroll your Windows device in Intune. You can also tell users What can
my IT admin see on my device.
For more information about end-user tasks, see Resources about the end-user experience with Microsoft Intune.
Bulk enrollment for Windows devices
6/22/2017 3 min to read

APPLIES TO: INTUNE ON AZURE


As an administrator, you can join large numbers of new Windows devices to Azure Active Directory and Intune. To
bulk enroll devices for your Azure AD tenant, you create a provisioning package with the Windows Configuration
Designer (WCD) app. Applying the provisioning package to corporate-owned devices joins the devices to your
Azure AD tenant and enrolls them for Intune management. Once the package is applied, it's ready for your Azure
AD users to log on.
Azure AD users are standard users on these devices and receive assigned Intune policies and required apps. Self-
service and Company Portal scenarios are not supported at this time.

Prerequisites for Windows devices bulk enrollment


Bulk enrollment for Windows devices requires the following:
Devices running the Windows 10 Creators Update or later
Windows automatic enrollment

Create a provisioning package


1. Download Windows Configuration Designer (WCD) from the Windows Store.
2. Open the Windows Configuration Designer app and select Provision desktop devices.

3. A New project window opens where you specify the following:


Name - A name for your project
Project folder - Where your project will be saved
Description - An optional description of the project

4. Enter a unique name for your devices. Names can include a serial number (%%SERIAL%%) or a random set
of characters. Optionally, you can also enter a product key if you are upgrading the edition of Windows,
configure the device for shared use, and remove pre-installed software.
5. Optionally, you can configure the Wi-Fi network devices connect to when they first start. If this isn't
configured, a wired network connection is required when the device is first started.

6. Select Enroll in Azure AD, enter a Bulk Token Expiry date, and then select Get Bulk Token.

7. Provide your Azure AD credentials to get a bulk token.


8. Click Next when Bulk Token is fetched successfully.
9. Optionally, you can Add applications and Add certificates. These apps and certificates are provisioned on
the device.
10. Optionally, you can password protect your provisioning package. Click Create.

Provision devices
1. Access the provisioning package in the location specified in Project folder in the app.
2. Choose how you're going to apply the provisioning package to the device. A provisioning package can be
applied to a device in one of the following ways:
Place the provisioning package on a USB drive, insert the USB drive into the device you'd like to bulk
enroll, and apply it during initial setup
Place the provisioning package on a network folder, and apply it on the device you'd like to bulk
enroll after initial setup
For step-by-step instruction on applying a provisioning package, see Apply a provisioning package.
3. After you apply the package, the device will automatically restart in 1 minute.
4. When the device restarts, it connects to the Azure Active Directory and enrolls in Microsoft Intune.

Troubleshooting Windows bulk enrollment


Provisioning issues
Provisioning is intended to be used on new Windows devices. Provisioning failures might require a factory reset of
the device or device recovery from a boot image. These examples describe some reasons for provisioning failures:
A provisioning package that attempts to join an Active Directory domain or Azure Active Directory tenant that
does not create a local account could make the device unreachable if the domain-join process fails due to lack of
network connectivity.
Scripts run by the provisioning package are run in system context, and are able to make arbitrary changes to the
device file system and configurations. A malicious or bad script could put the device in a state that can only be
recovered by reimaging or factory resetting the device.
Problems with bulk enrollment and Company Portal
If a user tries to enroll a previously bulk-enrolled device using the Company Portal, they will receive a warning that
their device needs further actions, either setup or enrollment. The device is enrolled, but the enrollment is not
recognized by the Company Portal app or website.
Conditional access
Conditional access is not available for Windows devices enrolled using bulk enrollment.
Enroll Android devices
6/29/2017 4 min to read

APPLIES TO: INTUNE ON AZURE


As an Intune administrator, you can use Intune to manage Android devices, including Samsung Knox Standard
devices. You can also manage the work profile on Android for Work devices.
Devices that run Samsung KNOX Standard are supported for multi-user management by Intune. This means that
end users can sign in and out of the device with their Azure AD credentials; the device is centrally managed
whether it's in use or not. When end users sign in, they have access to apps and additionally get any policies
applied to them. When users sign out, all app data is cleared.

Prerequisite
You must set the MDM authority to Microsoft Intune to prepare to manage mobile devices. See Set the MDM
authority for instructions. You set this item only once, when you are first setting up Intune for mobile device
management.

Set up Android enrollment


By default, Intune allows enrollment of Android and Samsung Knox Standard devices.
To block Android devices, or to block only personally owned Android devices from enrollment, see Set device type
restrictions.
To enable device management, your users must enroll their devices by downloading the Intune Company Portal
app, which is available from Google Play, and then opening the app and following the prompts to enroll. Once
Android devices are managed, you assign compliance policies, manage apps, and more.

Enable enrollment of Android for Work devices


To enable management of the work profile on devices that support Android for Work, you must add an Android
for Work binding to Intune. To enroll devices that support Android for Work but were previously enrolled as
regular Android devices, the devices must be unenrolled and then re-enrolled.

Add Android for Work Binding for Intune


1. Set up Intune MDM
If you haven't already, prepare for mobile device management by setting the mobile device management
authority as Microsoft Intune.
2. Configure Android for Work binding
As an Intune administrator, in the Azure portal, choose More Services > Monitoring + Management >
Intune.
a. On the Intune blade, choose Device enrollment > Android for Work Enrollment, and click
Configure to open Google Play's Android for Work website. This will open in a new tab in your
browser.

b. Log in to Google
On Google's sign-in page, enter the Google account that will be associated with all Android for Work
management tasks for this tenant. This is the Google account shared among your organization's IT
admins that is used to manage and publish apps in the Play for Work console.
c. Provide organization details
Provide your company's name for the Organization name. For Enterprise mobility management
(EMM) provider, Microsoft Intune should be displayed. Agree to the Android for Work agreement,
and then click Confirm. Your request will be processed.

Specify Android for Work Enrollment Settings


Android for Work is only supported on certain Android devices. See Google's Android for Work requirements. Any
device that supports Android for Work will also support conventional Android management. Intune lets you
specify how devices that support Android for Work should be managed:
Manage all devices as Android - All Android devices, including devices that support Android for Work, will
be enrolled as conventional Android devices.
Manage supported devices as Android for Work - All devices that support Android for Work are enrolled as
Android for Work devices. Any Android device that does not support Android for Work is enrolled as a
conventional Android device.
Manage supported devices for users only in these user groups as Android for Work - Lets you target
Android for Work management to a limited set of users. Only members of the selected groups who enroll a
device that supports Android for Work are enrolled as Android for Work devices. All others are enrolled as
Android devices. This is useful during Android for Work pilots.

Tell your users how to enroll their devices to access company resources
You'll need to tell your end users to go to Google Play to download the Intune Company Portal app, and then open
the app and follow the prompts to enroll their device. The app guides users through the enrollment process,
explaining what users can expect and what IT administrators can and can't see on their devices.
You can also send them a link to online enrollment steps: Enroll your Android device in Intune.
For information about other end-user tasks, see these articles:
Resources about the end-user experience with Microsoft Intune
Using your Android device with Intune

Unbinding your Android for Work administrative account


You can turn off Android for Work enrollment and management. Clicking Unbind in the Intune administration
console removes all enrolled Android for Work devices from enrollment and removes the relationship between the
Android for Work account and Intune.
How to unbind an Android for Work account
1. Unbind Android for Work binding
As an Intune administrator, in the Azure portal, choose More Services > Monitoring + Management >
Intune. On the Intune blade, choose Device enrollment > Android for Work Enrollment, and click
Unbind.
2. Agree to delete Android for Work binding
Click Yes to delete the binding and unenroll all Android for Work devices from Intune.
Set up iOS device enrollment with Device Enrollment Program
6/19/2017 8 min to read

APPLIES TO: INTUNE ON AZURE

This topic helps IT administrators enable iOS device enrollment for devices purchased through Apple's Device
Enrollment Program (DEP). Microsoft Intune can deploy an enrollment profile over the air that enrolls DEP devices
into management. The administrator never has to touch each managed device. A DEP profile contains management
settings that are applied to devices during enrollment, including Setup Assistant options.

NOTE
DEP enrollment can't be used with the device enrollment manager.

DEP Enrollment steps


1. Get an Apple DEP token and assign devices
2. Create an enrollment profile
3. Synchronize DEP-managed devices
4. Assign DEP profile to devices
5. Distribute devices to users

Get the Apple DEP token


Before you can enroll corporate-owned iOS devices with Apple's Device Enrollment Program (DEP), you need a
DEP token (.p7m) file from Apple. This token lets Intune sync information about DEP-participating devices that
your corporation owns. It also permits Intune to perform enrollment profile uploads to Apple and to assign
devices to those profiles.

NOTE
If your Intune tenant was migrated from the Intune classic console to the Azure portal and you deleted an Apple DEP token
from the Intune administration console during the migration period, the DEP token might have been restored to your
Intune account. You can delete the DEP token again from the Azure portal.

Prerequisites
Apple MDM Push certificate
Signed up for Apple's Device Enrollment Program
Step 1. Download an Intune public key certificate required to create an Apple DEP token.
1. In the Intune portal, choose Device enrollment > Apple enrollment > Enrollment Program Profile.
2. Select Download your public key to download and save the encryption key (.pem) file locally. The .pem file is
used to request a trust-relationship certificate from the Apple Device Enrollment Program portal.
Step 2. Create and download an Apple DEP token.
Select Create a DEP token via Apple Deployment Programs, and sign in with your company Apple ID. You can use
this Apple ID to renew your DEP token.
1. In Apple's Device Enrollment Program Portal, go to Device Programs > Manage Servers, and then choose
Add MDM Server.
2. Enter the MDM Server Name, and then choose Next. The server name is for your reference to identify the
mobile device management (MDM) server. It is not the name or URL of the Microsoft Intune server.
3. The Add <ServerName> dialog box opens. Choose Choose File to upload the .pem file, and then choose
Next.
4. The Add <ServerName> dialog box shows a Your Server Token link. Download the server token (.p7m) file
to your computer, and then choose Done.
5. Go to Deployment Programs > Device Enrollment Program > Manage Devices.
6. Under Choose Devices By, specify how you will identify the devices (Serial Number, Order Number, or
Upload CSV File), and then provide the device details.
7. Choose Assign to Server and choose the <ServerName> specified for Microsoft Intune, and then choose OK.
Step 3. Enter the Apple ID used to create your Apple DEP token.
This ID can be used in the future to renew your Apple DEP token.
Step 4. Browse to your Apple DEP token to upload.
Go to the token (.p7m) file, choose Open, and then choose Upload. With the push certificate, Intune can
enroll and manage iOS devices by pushing policy to enrolled mobile devices. Intune will automatically
synchronize with your DEP account.

Create an Apple enrollment profile


A device enrollment profile defines the settings applied to a group of devices during enrollment.
1. In the Intune portal, choose Device enrollment, and then choose Apple Enrollment.
2. Under Enrollment Program, select Enrollment Program Profiles.
3. On the Enrollment Program Profiles blade, select Create.
4. On the Create Enrollment Profile blade, enter a name and description for the profile.
5. For User Affinity choose whether devices with this profile will enroll with or without user affinity.
Enroll with user affinity - The device must be affiliated with a user during initial setup and can
then be permitted to access company data and email. Choose user affinity for DEP-managed devices
that belong to users and that need to use the company portal for services like installing apps. Note
that multifactor authentication (MFA) doesn't work during enrollment on DEP devices with user
affinity. After enrollment, MFA works as expected on these devices. New users who are required to
change their password when they first sign in cannot be prompted during enrollment on DEP
devices. Additionally, users whose passwords have expired won't be prompted to reset their
password during DEP enrollment and must reset the password from a different device.

NOTE
DEP with user affinity requires the WS-Trust 1.3 Username/Mixed endpoint to be enabled in order to request a user token.
Learn more about WS-Trust 1.3.

Enroll without user affinity - The device is not affiliated with a user. Use this affiliation for devices
that perform tasks without accessing local user data. Apps requiring user affiliation (including the
Company Portal app used for installing line-of-business apps) won't work.
6. Select Device Management Settings, configure the following profile settings, and then select Save:
Supervised - a management mode that enables more management options and disables Activation
Lock by default. If you leave the check box blank, you have limited management capabilities.
Locked enrollment - (Requires Management Mode = Supervised) Disables iOS settings that could
allow removal of the management profile. If you leave the check box blank, it allows the
management profile to be removed from the Settings menu. This item is set during activation and
cannot be changed without a factory reset.
Allow Pairing - specifies whether iOS devices can sync with computers. If you choose Allow Apple
Configurator by certificate, you must choose a certificate under Apple Configurator
Certificates.
Apple Configurator Certificates - If you chose Allow Apple Configurator by certificate under
Allow Pairing, select an Apple Configurator Certificate to import.
7. Select Setup Assistant Settings, configure the following profile settings, and then select Save:
Department Name - Appears when users tap About Configuration during activation.
Department Phone - Appears when the user clicks the Need Help button during activation.
Setup Assistant Options - These optional settings can be set up later in the iOS Settings menu.
Passcode - Prompt for passcode during activation. Always require a passcode unless the device
will be secured or have access controlled in some other manner (that is, kiosk mode that restricts
the device to one app).
Location Services - If enabled, Setup Assistant prompts for the service during activation
Restore - If enabled, Setup Assistant prompts for iCloud backup during activation
Apple ID - If enabled, iOS will prompt users for an Apple ID when Intune attempts to install an
app without an ID. An Apple ID is required to download iOS App Store apps, including those
installed by Intune.
Terms and Conditions - If enabled, Setup Assistant prompts users to accept Apple's terms and
conditions during activation
Touch ID - If enabled, Setup Assistant prompts for this service during activation
Apple Pay - If enabled, Setup Assistant prompts for this service during activation
Zoom - If enabled, Setup Assistant prompts for this service during activation
Siri - If enabled, Setup Assistant prompts for this service during activation
Diagnostic Data - If enabled, Setup Assistant prompts for this service during activation
8. To save the profile settings, select Create on the Create Enrollment Profile blade.

Sync DEP managed devices


Now that Intune has been assigned permission to manage your DEP devices, you can synchronize Intune with the
DEP service to see your managed devices in the Intune portal.
1. In the Intune portal, choose Device enrollment, and then choose Apple Enrollment.
2. Under Manage Enrollment Program Settings, select Serial Numbers.
3. On the Apple DEP Serial Numbers blade, select Sync.
4. On the Sync blade, select Request Sync. The progress bar shows the amount of time you must wait before
requesting Sync again.
To comply with Apple's terms for acceptable DEP traffic, Intune imposes the following restrictions:
A full DEP sync can run no more than once every seven days. During a full sync, Intune refreshes every
serial number that Apple has assigned to Intune whether the serial has previously been synced or not. If
a full sync is attempted within seven days of the previous full sync, Intune only refreshes serial numbers
that are not already listed in Intune.
Any sync request is given 10 minutes to finish. During this time or until the request succeeds, the Sync
button is disabled.

NOTE
You can also assign DEP serial numbers to profiles from the Apple DEP Serial Numbers blade.

Assign a DEP profile to devices


DEP devices managed by Intune must be assigned a DEP profile before they are enrolled.
1. In the Intune portal, choose Device enrollment > Apple Enrollment, and then select Enrollment Program
Profiles.
2. From the list of Enrollment Program Profiles, select the profile you want to assign to devices and then select
Device Assignments
3. Select Assign and then select the DEP devices you want to assign this profile. You can filter to view DEP
available devices:
unassigned
any
<DEP profile name>
4. Select the devices you want to assign. The checkbox above the column will select up to 1000 listed devices,
and then click Assign. To enroll more than 1000 devices, repeat the assignment steps until all devices are
assigned a DEP profile.

Distribute devices to users


You can now distribute corporate-owned devices to users. When an iOS DEP device is turned on, it will be
enrolled for management by Intune. If the device has been activated and is in use, the profile cannot be applied
until the device is factory reset.
How users install and use the Company Portal on their devices
Devices that are configured with user affinity can install and run the Company Portal app to download apps and
manage devices. After users receive their devices, they must complete the additional steps described below to
complete the Setup Assistant and install the Company Portal app.
Enable iOS device enrollment with Apple School Manager
6/19/2017 8 min to read

APPLIES TO: INTUNE ON AZURE

This topic helps IT administrators enable iOS device enrollment for devices purchased through the Apple School
Manager (ASM) program. Microsoft Intune can deploy an enrollment profile over the air that enrolls ASM devices
into management. The administrator never has to touch each managed device. An ASM profile contains
management settings that are applied to devices during enrollment including Setup Assistant options.
ASM Enrollment steps
1. Get an ASM token and assign devices
2. Create an enrollment profile
3. Connect School Data Sync (Optional)
4. Sync ASM-managed devices
5. Assign ASM profile to devices
6. Distribute devices to users

NOTE
ASM enrollment can't be used with Apple's Device Enrollment Program (DEP) or Intune's device enrollment manager account.

Get the Apple ASM token and assign devices


Before you can enroll corporate-owned iOS devices with Apple School Manager (ASM), you need an ASM token
(.p7m) file from Apple. This token lets Intune sync information about ASM-participating devices. It also permits
Intune to perform enrollment profile uploads to Apple and to assign devices to those profiles. While you are in the
Apple portal, you can also assign device serial numbers to manage.
Prerequisites
Apple MDM Push certificate
Signed up for Apple School Manager
Step 1. Download an Intune public key certificate required to create an Apple ASM token.
1. In the Azure Intune portal, choose Device enrollment and then select Enrollment program token.
2. In the Enrollment program token blade, select Download your public key to download and save the
encryption key (.pem) file locally. The .pem file is used to request a trust-relationship certificate from the Apple
School Manager portal.
Step 2. Download an ASM token and assign devices.
Select Create a token via Apple School Manager, and sign in with your company Apple ID. You can use this
Apple ID to renew your ASM token.
1. In the Apple School Manager portal, go to MDM Servers, and then select Add MDM Server (upper right).
2. Enter the MDM Server Name. The server name is for your reference to identify the mobile device management
(MDM) server. It is not the name or URL of the Microsoft Intune server.
3. Select Upload File... in the Apple portal, browse to the .pem file, and select Save MDM Server (lower right).
4. Select Get Token and then download the server token (.p7m) file to your computer.
5. Go to Device Assignments, and Choose Device by manual entry of Serial Numbers, Order Number, or
Upload CSV File.
6. Choose the action Assign to Server, and select the MDM Server you created.
7. Specify how you will Choose Devices, and then provide device information and specify details by device Serial
Number, Order Number, or Upload CSV File.
8. Choose Assign to Server and choose the <ServerName> specified for Microsoft Intune, and then choose OK.
Step 3. Enter the Apple ID used to create your ASM token.
This ID should be used to renew your Apple ASM token and is stored for your future reference.
Step 4. Locate and upload your token.
Go to the certificate (.p7m) file, choose Open, and then choose Upload. Intune automatically syncs your ASM
devices from Apple.

Create an Apple enrollment profile


A device enrollment profile defines the settings applied to a group of devices during enrollment.
1. In the Intune portal, choose Device enrollment, and then choose Apple Enrollment.
2. Under Enrollment Program, select Enrollment Program Profiles.
3. On the Enrollment Program Profiles blade, select Create.
4. On the Create Enrollment Profile blade, enter a Name and Description for the profile that is displayed in the
Intune portal.
5. For User Affinity, choose whether devices with this profile enroll with or without user affinity.
Enroll with user affinity - The device must be affiliated with a user during initial setup and can then be
permitted to access company data and email. Choose user affinity for ASM-managed devices that users
log in to with their managed Apple ID.

NOTE
Multifactor authentication (MFA) doesn't work during enrollment on ASM devices with user affinity. After enrollment,
MFA works as expected on these devices.

Apple School Manager's Shared iPad mode requires enrollment with user affinity.

NOTE
ASM with user affinity requires WS-Trust 1.3 Username/Mixed endpoint to be enabled to request user token. Learn
more about WS-Trust 1.3.

Enroll without user affinity - The device is not affiliated with a user. Use this affiliation for devices that
perform tasks without accessing local user data. Apps requiring user affinity (including the Company
Portal app used for installing line-of-business apps) won't work.
6. Select Device Management Settings. These items are set during activation and require a factory reset to
change. Configure the following profile settings, and then select Save:
Supervised - a management mode that enables more management options and disables Activation
Lock by default. If you leave the check box blank, you have limited management capabilities.
Locked enrollment - (Requires Management Mode = Supervised) Disables iOS settings that could
allow removal of the management profile. If you leave the check box blank, it allows the management
profile to be removed from the Settings menu.
Shared iPad - (Requires Enroll with User Affinity and Supervised mode.) Allows multiple users to
log on to enrolled iPads by using a managed Apple ID. Managed Apple IDs are created in the Apple
School Manager portal.

NOTE
If Shared iPad mode is enabled in a profile and either User Affinity or Supervised mode is then set to Off, Shared
iPad mode is disabled for the enrollment profile.

Maximum Cached Users - (Requires Shared iPad = Yes) Creates a partition on the device for each
user. The recommended value is the number of students likely to use the device over a period of time.
For example, if six students use the device regularly during the week, set this number to six.
Allow Pairing - specifies whether iOS devices can sync with computers. If you choose Allow
Apple Configurator by certificate, you must choose a certificate under Apple
Configurator Certificates.
Apple Configurator Certificates - If you chose Allow Apple Configurator by certificate
under Allow Pairing, select an Apple Configurator Certificate to import.
7. Select Setup Assistant Settings, configure the following profile settings, and then select Save:
Department Name - Appears when users tap About Configuration during activation.
Department Phone - Appears when the user clicks the Need Help button during activation.
Setup Assistant Options - If excluded from Setup Assistant options, these settings can be set later in the
iOS Settings menu.
Passcode - Prompt for passcode during activation. Always require a passcode unless the device is
secured or has access controlled in some other manner (that is, kiosk mode that restricts the
device to one app).
Location Services - If enabled, Setup Assistant prompts for the service during activation
Restore - If enabled, Setup Assistant prompts for iCloud backup during activation
Apple ID - If enabled, iOS prompts users for an Apple ID when Intune attempts to install an app
without an ID. An Apple ID is required to download iOS App Store apps, including apps installed
by Intune.
Terms and Conditions - If enabled, Setup Assistant prompts users to accept Apple's terms and
conditions during activation
Touch ID - If enabled, Setup Assistant prompts for this service during activation
Apple Pay - If enabled, Setup Assistant prompts for this service during activation
Zoom - If enabled, Setup Assistant prompts for this service during activation
Siri - If enabled, Setup Assistant prompts for this service during activation
Diagnostic Data - If enabled, Setup Assistant prompts for this service during activation
8. To save the profile settings, select Create on the Create Enrollment Profile blade.

Connect School Data Sync


(Optional) ASM supports syncing class roster data to Azure Active Directory (AD) using Microsoft School Data
Sync (SDS). Complete the following steps to use SDS to sync school data.
1. On the Enrollment Program Token blade, select either the blue information banner or Connect SDS.
2. Set Allow Microsoft School Data Sync to use this token to Allow. This setting allows Intune to
connect with SDS in Office 365.
3. To enable a connection between ASM and Azure AD, select Set up Microsoft School Data Sync. Learn more
about how to set up School Data Sync.
4. Click OK to save and continue.

Sync ASM-managed devices


Now that Intune has been assigned permission to manage your ASM devices, you can synchronize Intune with the
ASM service to see your managed devices in the Intune portal.
1. In the Intune portal, choose Device enrollment, and then choose Apple Enrollment.
2. Under Enrollment Program Devices, select Sync. The progress bar shows the amount of time you must
wait before requesting Sync again.
To comply with Apple's terms for acceptable ASM traffic, Intune imposes the following restrictions:
A full ASM sync can run no more than once every seven days. During a full sync, Intune refreshes every
serial number that Apple has assigned to Intune whether the serial has previously been synced or not. If a
full sync is attempted within seven days of the previous full sync, Intune only refreshes serial numbers
that are not already listed in Intune.
Any sync request is given 15 minutes to finish. During this time or until the request succeeds, the Sync
button is disabled.

NOTE
You can also assign ASM serial numbers to profiles from the Enrollment Program Devices blade.

Assign an ASM profile to devices


ASM devices managed by Intune must be assigned an ASM profile before they are enrolled.
1. In the Intune portal, choose Device enrollment > Apple Enrollment, and then select Enrollment Program
profiles.
2. From the list of Enrollment Program Profiles, select the profile you want to assign to devices and then select
Device Assignments
3. Select Assign and then select the ASM devices you want to assign this profile. You can filter to view ASM
available devices:
unassigned
any
<ASM profile name>
4. Select the devices you want to assign. The checkbox above the column selects up to 1000 listed devices. Click
Assign. To enroll more than 1000 devices, repeat the assignment steps until all devices are assigned an ASM
profile.

Distribute devices to users


You can now distribute corporate-owned devices to users. When an iOS ASM device is turned on, it is enrolled for
management by Intune. If the device has been activated and is in use, the profile cannot be applied until the device
is factory reset.
How users install and use the Company Portal on their devices
Devices that are configured with user affinity can install and run the Company Portal app to download apps and
manage devices. After users receive their devices, they must run Setup Assistant and install the Company Portal
app.
Enroll iOS devices with Apple Configurator
6/19/2017 9 min to read

APPLIES TO: INTUNE ON AZURE

Intune supports the enrollment of corporate-owned iOS devices using Apple Configurator running on a Mac
computer. Enrolling with Apple Configurator requires that you USB-connect each iOS device to a Mac computer to
set up corporate enrollment. You can enroll devices into Intune with Apple Configurator in two ways:
Setup Assistant enrollment - Factory resets the device, prepares it to run Setup Assistant, and installs the
company's policies for the device's new user. Most scenarios require that the policy applied to the iOS device
include user affinity to enable the Intune Company Portal app.
Direct enrollment - Does not factory-reset the device and enrolls the device with a predefined policy. This
method is for devices with no user affinity.

NOTE
This enrollment method can't be used with the device enrollment manager method.

Other methods of enrolling iOS devices are described in Choose how to enroll iOS devices in Intune.

Prerequisites
Complete the following prerequisites before setting up iOS device enrollment:
An Apple MDM push certificate
Physical access to iOS devices
Device serial numbers (see How to get an iOS serial number)
USB connection cables
Mac PC with Apple Configurator 2.0
Add Apple Configurator serial numbers

Setup Assistant enrollment


Create an Apple Configurator profile for devices
A device enrollment profile defines the settings applied to a group of devices. The following steps show how to
create a device enrollment profile for iOS devices enrolled by using Apple Configurator.
1. In the Intune portal, choose Device enrollment, and then choose Apple Enrollment.
2. Under Manage Apple Configurator Enrollment Settings, select AC Profiles.
3. On the Apple Configurator Enrollment Profiles blade, select Create.
4. On the Create Enrollment Profile blade, enter a name and description for the profile.
5. For User Affinity, choose whether devices with this profile will enroll with or without user affinity.
Enroll with user affinity - The device must be affiliated with a user during initial setup and can then be
permitted to access company data and email. User affinity should be set up for managed devices that
belong to users and that need to use the company portal for services like installing apps.
Enroll without user affinity - The device is not affiliated with a user. Use this affiliation for devices that
perform tasks without accessing local user data. Apps requiring user affiliation (including the Company
Portal app used for installing line-of-business apps) won't work.
6. Select Create to save the profile.
Add Apple Configurator serial numbers

Use these steps to add serial numbers to Intune when you want to enroll corporate-owned iOS devices by using
Apple Configurator with Setup Assistant. You can add serial numbers one at a time, or upload a comma-separated-
value (CSV) file of serial numbers. After you add serial numbers, you can assign a profile to them. The profile
contains specific management settings that you want to apply to devices.
Other methods of enrolling iOS devices are described in Choose how to enroll iOS devices in Intune.
To add Apple Configurator serial numbers to Intune
1. Create a two-column, comma-separated value (.csv) list without a header. Add the serial number in the left
column, and the details in the right column. The current maximum for the list is 500 rows. In a text editor,
the .csv list looks something like this:
F7TLWCLBX196,device details
DLXQPCWVGHMJ,device details
2. In the Azure portal, choose Enroll devices, and then choose Apple Enrollment.
3. Under Manage Apple Configurator Enrollment Settings, select Apple Configurator Serial Numbers.
4. On the Apple Configurator Serial Numbers blade, select Add.
5. On the Add Serial Numbers blade, select a profile to apply to the serial numbers you're importing. If you are
importing a file with new details that will overwrite the existing ones, select Overwrite details for existing
identifiers to have the new details replace the existing details.
6. Navigate to the .csv file of serial numbers, and select Add.
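As an added example that is not part of the Intune documentation, the following Python check validates a serial-number .csv against the rules above (two columns, no header, at most 500 rows) before you upload it, and models what the Overwrite details for existing identifiers option does to serials already listed in Intune. The sample rows, the alphanumeric-serial check, and the assumption that a serial repeated inside one file is handled like a serial that already exists are all constructed here.

```python
import csv
import io

# Limit stated in the Intune documentation for one serial-number import.
MAX_ROWS = 500

# Constructed sample input: headerless two-column CSV, serial in the left
# column, free-form details in the right column. The third row repeats a
# serial on purpose so the merge behaviour can be seen.
SAMPLE_CSV = """F7TLWCLBX196,Marketing iPad
DLXQPCWVGHMJ,Warehouse scanner

F7TLWCLBX196,Marketing iPad (re-labelled)
"""

# Left-column values that mean someone left a header row in the file.
HEADER_WORDS = {"serial", "serialnumber", "serial number", "imei"}


def parse_serial_csv(text):
    """Parse the headerless two-column CSV that the Add Serial Numbers blade expects.

    Returns a list of (serial, details) tuples in file order. Raises
    ValueError for anything the portal would reject or silently mishandle:
    a header row, a row without exactly two columns, an empty serial, or
    more than MAX_ROWS rows.
    """
    rows = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue  # blank lines are harmless; skip them
        if len(row) != 2:
            raise ValueError(f"line {lineno}: expected 2 columns, found {len(row)}")
        serial, details = row[0].strip(), row[1].strip()
        if not serial:
            raise ValueError(f"line {lineno}: empty serial number")
        if serial.lower() in HEADER_WORDS:
            raise ValueError(f"line {lineno}: header rows are not allowed")
        # Assumption (not from the docs): Apple serial numbers are plain
        # alphanumerics, so anything else is almost certainly a typo.
        if not serial.isalnum():
            raise ValueError(f"line {lineno}: {serial!r} is not an alphanumeric serial")
        rows.append((serial.upper(), details))
    if len(rows) > MAX_ROWS:
        raise ValueError(
            f"{len(rows)} rows exceed the {MAX_ROWS}-row limit; split the file")
    return rows


def merge_serials(existing, rows, overwrite_details=False):
    """Model what an import does to the serial numbers already in Intune.

    existing maps serial -> details as currently listed in the portal.
    With overwrite_details=False (the checkbox left clear) a serial that is
    already listed keeps its old details; with True the new details replace
    them. Assumption: a serial repeated within one file is treated the same
    way as a serial that already exists. Returns (merged, added, updated,
    skipped) so the admin can review the outcome before uploading.
    """
    merged = dict(existing)
    added, updated, skipped = [], [], []
    for serial, details in rows:
        if serial not in merged:
            merged[serial] = details
            added.append(serial)
        elif overwrite_details:
            merged[serial] = details
            updated.append(serial)
        else:
            skipped.append(serial)
    return merged, added, updated, skipped


if __name__ == "__main__":
    parsed = parse_serial_csv(SAMPLE_CSV)
    # Constructed: one of the sample serials is already listed in Intune.
    already_in_intune = {"DLXQPCWVGHMJ": "Loaner unit"}
    for overwrite in (False, True):
        merged, added, updated, skipped = merge_serials(
            already_in_intune, parsed, overwrite_details=overwrite)
        print(f"overwrite={overwrite}: added={added} updated={updated} skipped={skipped}")
        for serial, details in sorted(merged.items()):
            print(f"  {serial},{details}")
```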
Assign a profile to specific serial numbers
Intune lets you assign profiles from two different places in the Azure portal. You can assign by Apple Configurator
profile or you can assign by devices.
Assign by devices
1. In the Intune portal, choose Device enrollment, and then choose Apple Enrollment.
2. On the Apple Configurator Devices blade, select the serial numbers you want to assign a profile to, and then
select Assign Profile.
3. On the Assign Profile blade, select the profile you want to assign, and then select Assign.
Assign by profiles
1. In the Intune portal, choose Device enrollment, and then choose Apple Enrollment.
2. Choose AC Profiles, and select the profile that you want to assign serial numbers.
3. In the blade named for the profile, select Serial Numbers > Assign.
4. Select the serial numbers that you want to assign to the profile, and then select the Assign button.
Export the profile to iOS devices
After you create the profile and assign serial numbers, you have to export the profile from Intune, either as a URL
or as a file in the format described below. You then manually import it to the Apple Configurator program on a
Mac, after which the Apple Configurator program deploys it to the devices.
1. In the Intune portal, on the Apple Configurator Enrollment Profiles blade, choose the profile to export.
2. On the blade for the profile, select Export Profile.
3. Copy the profile URL. You will upload it to the Apple service using Apple Configurator, with the iOS device
attached, to define the Intune profile used by iOS devices.
4. Upload the profile URL to the Apple service using Apple Configurator, as follows:
a. On a Mac computer, open Apple Configurator 2. In the menu bar, choose Apple Configurator 2, and
then choose Preferences.

WARNING
The devices will be reset to factory configurations during the enrollment process. As a best practice, reset
the device and turn it on. Devices should be at the Hello screen when you connect the device.

b. In the preferences pane, select Servers and choose the plus symbol (+) to launch the MDM Server
wizard. Choose Next.
c. Enter the Host name or URL and enrollment URL for the MDM server under Setup Assistant
enrollment for iOS devices with Microsoft Intune. For the Enrollment URL, enter the enrollment
profile URL exported from Intune. Choose Next.
You can safely disregard a warning stating "server URL is not verified." To continue, choose Next
until the wizard is finished.
d. Connect the iOS mobile devices to the Mac computer with a USB adapter.

WARNING
The devices will be reset to factory configurations during the enrollment process. As a best practice, reset
the device and turn it on. Devices should be at the Hello screen when you start Setup Assistant.

e. Choose Prepare. On the Prepare iOS Device pane, select Manual and then choose Next.
f. On the Enroll in MDM Server pane, select the server name you created, and then choose Next.
g. On the Supervise Devices pane, select the level of supervision, and then choose Next.
h. On the Create an Organization pane, choose the Organization or create a new organization, and then
choose Next.
i. On the Configure iOS Setup Assistant pane, choose the steps to be presented to the user, and then
choose Prepare. If prompted, authenticate to update trust settings.
j. When the iOS device finishes preparing, disconnect the USB cable.
5. Distribute devices. The devices are now ready for corporate enrollment. Turn off the devices and distribute
them to users. When users turn on their devices, Setup Assistant will start.

Direct enrollment
When you directly enroll iOS devices with Apple Configurator, you can enroll a device without acquiring the
device's serial number. You can also name the device for identification purposes before Intune captures the device
name during enrollment. The Company Portal app is not supported for directly enrolled devices. This guidance
assumes you are using Apple Configurator 2.0 on a Mac computer.
1. In the Intune portal, choose Device enrollment, Apple Enrollment, and then select AC Profiles.
2. On the Apple Configurator Enrollment Profiles blade, select Create.
3. On the Create Enrollment Profile blade, enter a name and description for the profile.
4. For User Affinity, choose Enroll without user affinity to ensure that the device is not affiliated with a user.
Use this affiliation for devices that perform tasks without accessing local user data. Apps requiring user
affiliation (including the Company Portal app used for installing line-of-business apps) won't work.
5. Select Create to save the profile.
Export the profile as .mobileconfig to iOS devices
1. On the Export Profile blade, download the enrollment profile to Apple Configurator to push directly as a
management profile to a connected iOS device. This method does not do a factory reset of the device.
2. Prepare the device with Apple Configurator by using the following steps.
a. On a Mac computer, open Apple Configurator 2.0.
b. Connect the iOS device to the Mac computer with a USB cord. Close Photos, iTunes, and other apps that
open for the device when the device is detected.
c. In Apple Configurator, choose the connected iOS device, and then choose the Add button. Options that
can be added to the device appear in the drop-down list. Choose Profiles.
d. Use the file picker to select the .mobileconfig file that you exported from Intune, and then choose Add.
The profile is added to the device. If the device is Unsupervised, the installation will require acceptance
on the device.
3. Use the following steps to install the profile on the iOS device. The device must have already completed the
Setup Assistant and be ready to use. If enrollment entails app deployments, the device should have an Apple
ID set up because the app deployments will require that you have an Apple ID signed in for the App Store.
a. Unlock the iOS device.
b. In the Install profile dialog box for Management profile, choose Install.
c. Provide the Device Passcode or Apple ID, if required.
d. Accept the Warning, and choose Install.
e. Accept the Remote Warning, and choose Trust.
f. When the Profile Installed box confirms the profile as Installed, choose Done.
4. On the iOS device, open Settings and go to General > Device Management > Management Profile. Confirm
that the profile installation is listed, and check the iOS policy restrictions and installed apps. Policy
restrictions and apps might take up to 10 minutes to appear on the device.
5. Distribute devices. The iOS device is now enrolled with Intune and managed.

How users install and use the Company Portal on their devices
Devices that are configured with user affinity can install and run the Company Portal app to download apps and
manage devices. After users receive their devices, they must complete the additional steps described below to
complete the Setup Assistant and install the Company Portal app.
Enroll macOS devices in Intune
6/29/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

Intune enables you to manage macOS devices. To enable device management, your users must enroll their devices
by going to the Company Portal website, and following the prompts. Once macOS devices are under management,
you can create custom settings for macOS devices. More capabilities are coming soon.

Prerequisites
Complete the following prerequisites before setting up macOS device enrollment:
Configure domains
Set the MDM Authority
Create groups
Configure the Company Portal
Assign user licenses in the Office 365 portal
Get an Apple MDM push certificate

Set up macOS enrollment


By default, Intune already allows enrollment of macOS devices.
To block macOS devices from enrollment, see Set device type restrictions.

Tell your users how to enroll their devices to access company resources
You'll need to tell your end users to go to the Company Portal website, and follow the prompts to enroll their
devices. You can also send them a link to online enrollment steps: Enroll your macOS device in Intune.
For information about other end-user tasks, see these articles:
Resources about the end-user experience with Microsoft Intune
Using your iOS or macOS device with Intune
What is Microsoft Intune device management?
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

The Devices workload gives you insights into the devices you manage, and lets you perform remote tasks on
those devices. To access the workload:
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
Now, you can perform the following actions. For more information, click one of the related links:
View device inventory
Perform remote device actions:
Remove company data
Factory reset
Remote lock
Reset passcode
Bypass Activation Lock
Fresh Start
Lost mode
Locate device
Restart
Remote control for Android
Choose Device Actions to see a list of device actions that have been performed on devices you manage and
the current state of those actions.
Use full or selective wipe
6/19/2017 7 min to read

APPLIES TO: INTUNE ON AZURE

You can wipe apps and data from Intune-managed devices that are no longer needed, are being repurposed, or
have gone missing. To do this, Intune provides selective wipe and full wipe capabilities. Users can also issue a
remote device wipe command from the Intune Company Portal app on privately owned devices enrolled in Intune.

NOTE
This topic is only about wiping devices managed by Intune mobile device management. You can also use the Azure portal to
wipe company data from apps. You can also retire computers managed with the Intune client software.

Full wipe
Full wipe restores a device to its factory default settings, removing all company and user data and settings. The
device is removed from Intune. Full wipe is useful for resetting a device before giving it to a new user, or for
instances where the device has been lost or stolen. Be careful about selecting full wipe. Data on the device
cannot be recovered.

WARNING
Windows 10 RTM devices (devices earlier than Windows 10 version 1511) with less than 4 GB of RAM might become
inaccessible if wiped. To access a Windows 10 device that has become unresponsive, boot the device from a USB
drive.

To do a full wipe (factory reset) of a device:
1. On the Devices and groups blade, choose All devices.
2. Choose the name of the device you want to wipe.
3. On the blade showing the device's name, choose Factory reset, and then choose Yes to confirm the wipe.
If the device is on and connected, it takes less than 15 minutes for a wipe command to propagate across all device
types.
To delete devices in the Azure Active Directory portal
1. Browse to http://aka.ms/accessaad or choose Admin > Azure AD from https://portal.office.com.
2. Log in with your Org ID using the link on the left side of the page.
3. Create an Azure Subscription if you don't have one. This should not require a credit card or payment if you
have a paid account (choose the Register your free Azure Active Directory subscription link).
4. Select Active Directory and then select your organization.
5. Select the Users tab.
6. Select the user whose devices you want to delete.
7. Choose Devices.
8. Remove devices as appropriate, such as those that are no longer in use, or those that have inaccurate
definitions.

Selective wipe
Selective wipe removes company data, including mobile app management (MAM) data (where applicable),
settings, and email profiles from a device. Selective wipe leaves the user's personal data on the device. The device is
removed from Intune. The following tables describe what data is removed, and the effect on data that remains on
the device after a selective wipe. (The tables are organized by platform.)
iOS

Company apps and associated data installed by Intune
  iOS: Apps are uninstalled. Company app data is removed. App data from Microsoft apps that use mobile app
  management is removed. The app is not removed.

Settings
  iOS: Configurations that were set by Intune policy are no longer enforced, and users can change the settings.

Wi-Fi and VPN profile settings
  iOS: Removed.

Certificate profile settings
  iOS: Certificates are removed and revoked.

Management Agent
  iOS: Management profile is removed.

Email
  iOS: Email profiles that are provisioned through Intune are removed, and cached email on the device is deleted.
  If Microsoft Exchange is hosted on premises, email profiles and cached email are not removed.

Outlook
  iOS: Email received by the Microsoft Outlook app for iOS is removed. Exception: If Exchange is hosted on
  premises, email is not removed.

Azure Active Directory (AAD) Unjoin
  iOS: AAD Record is removed.

Contacts
  iOS: Contacts synced directly from the app to the native address book are removed. Any contacts synced from
  the native address book to another external source cannot be wiped. Currently, only Outlook app is supported.

Android

Web links
  Android: Removed.
  Android Samsung Knox Standard: Removed.

Unmanaged Google Play apps
  Android: Apps and data remain installed.
  Android Samsung Knox Standard: Apps and data remain installed.

Unmanaged line of business apps
  Android: Apps and data remain installed.
  Android Samsung Knox Standard: Apps are uninstalled and data local to the app is removed as a result. No data
  outside the app (for example, on an SD card) is removed.

Managed Google Play apps
  Android: App data is removed. App is not removed. Data protected by MAM encryption outside the app (for
  example, an SD card) remain encrypted and unusable, but aren't removed.
  Android Samsung Knox Standard: App data is removed. App is not removed. Data protected by MAM encryption
  outside the app (for example, an SD card) remain encrypted, but aren't removed.

Managed line of business apps
  Android: App data is removed. App is not removed. Data protected by MAM encryption outside the app (for
  example, an SD card) remain encrypted and unusable, but aren't removed.
  Android Samsung Knox Standard: App data is removed. App is not removed. Data protected by MAM encryption
  outside the app (for example, an SD card) remain encrypted and unusable, but aren't removed.

Settings
  Android: Configurations that were set by Intune policy are no longer enforced, and users can change the
  settings.
  Android Samsung Knox Standard: Configurations that were set by Intune policy are no longer enforced, and users
  can change the settings.

Wi-Fi and VPN profile settings
  Android: Removed.
  Android Samsung Knox Standard: Removed.

Certificate profile settings
  Android: Certificates revoked, but not removed.
  Android Samsung Knox Standard: Certificates removed and revoked.

Management Agent
  Android: Device Administrator privilege is revoked.
  Android Samsung Knox Standard: Device Administrator privilege is revoked.

Email
  Android: n/a (email profiles are not supported by Android devices)
  Android Samsung Knox Standard: Email profiles that are provisioned through Intune are removed, and cached
  email on the device is deleted.

Outlook
  Android: Email received by the Microsoft Outlook app for Android is removed. Exception: If Exchange is hosted
  on premises, email is not removed.
  Android Samsung Knox Standard: Email received by the Microsoft Outlook app for Android is removed. Exception:
  If Exchange is hosted on premises, email is not removed.

Azure Active Directory (AAD) Unjoin
  Android: AAD Record removed.
  Android Samsung Knox Standard: AAD Record removed.

Contacts
  Android: Contacts synced directly from the app to the native address book are removed. Any contacts synced
  from the native address book to another external source cannot be wiped. Currently, only Outlook app is
  supported.
  Android Samsung Knox Standard: Contacts synced directly from the app to the native address book are removed.
  Any contacts synced from the native address book to another external source cannot be wiped. Currently, only
  Outlook app is supported.

Android for Work


Performing selective wipe on an Android for Work device removes all data, apps, and settings in the work profile
on that device. This retires the device from management with Intune. Full wipe is not supported for Android for
Work.
Windows

Company apps and associated data installed by Intune
  Windows 8.1 (MDM) and Windows RT 8.1: Files protected by EFS will have their key revoked and the user will not
  be able to open the files.
  Windows RT: Will not remove company apps.
  Windows Phone 8 and Windows Phone 8.1: Apps originally installed through the company portal are uninstalled.
  Company app data is removed.
  Windows 10: Apps are uninstalled and sideloading keys are removed.

Settings
  Windows 8.1 (MDM) and Windows RT 8.1: Configurations that were set by Intune policy are no longer enforced,
  and users can change the settings.
  Windows RT: Configurations that were set by Intune policy are no longer enforced, and users can change the
  settings.
  Windows Phone 8 and Windows Phone 8.1: Configurations that were set by Intune policy are no longer enforced,
  and users can change the settings.
  Windows 10: Configurations that were set by Intune policy are no longer enforced, and users can change the
  settings.

Wi-Fi and VPN profile settings
  Windows 8.1 (MDM) and Windows RT 8.1: Removed.
  Windows RT: Removed.
  Windows Phone 8 and Windows Phone 8.1: Not supported.
  Windows 10: Removed.

Certificate profile settings
  Windows 8.1 (MDM) and Windows RT 8.1: Certificates removed and revoked.
  Windows RT: Certificates removed and revoked.
  Windows Phone 8 and Windows Phone 8.1: Not supported.
  Windows 10: Certificates removed and revoked.

Email
  Windows 8.1 (MDM) and Windows RT 8.1: Removes email that is EFS enabled, which includes the Mail app for
  Windows email and attachments. Removes mail accounts that were provisioned by Intune. Exception: If Microsoft
  Exchange is hosted on premises, email accounts are not removed.
  Windows RT: Not supported.
  Windows Phone 8 and Windows Phone 8.1: Email profiles that are provisioned through Intune are removed, and
  cached email on the device is deleted.
  Windows 10: Removes email that is EFS enabled, which includes the Mail app for Windows email and attachments.

Azure Active Directory (AAD) Unjoin
  Windows 8.1 (MDM) and Windows RT 8.1: No.
  Windows RT: No.
  Windows Phone 8 and Windows Phone 8.1: AAD Record removed.
  Windows 10: Not applicable. Windows 10 does not support selective wipe for Azure Active Directory joined
  devices.

To do a selective wipe:
1. On the Devices and groups blade, choose All devices.
2. Choose the name of the device you want to wipe.
3. On the blade showing the device's name, choose Remove comp... (stands for Remove company data), and
then choose Yes to confirm the wipe.
If the device is on and connected, it takes less than 15 minutes for a wipe command to propagate across all device
types.
Bypass Activation Lock on supervised iOS devices with Intune
6/19/2017 3 min to read

APPLIES TO: INTUNE ON AZURE

Microsoft Intune can help you manage iOS Activation Lock, a feature of the Find My iPhone app for iOS 8.0 and
later devices. Activation Lock is enabled automatically when a user opens the Find My iPhone app on a device. After
it is enabled, the user's Apple ID and password must be entered before anyone can:
Turn off Find My iPhone
Erase the device
Reactivate the device

How Activation Lock affects you


While Activation Lock helps secure iOS devices and improves the chances of recovering a lost or stolen device, this
capability can present you, as an IT admin, with a number of challenges. For example:
A user sets up Activation Lock on a device. The user then leaves the company and returns the device. Without
the user's Apple ID and password, there is no way to reactivate the device.
You need a report of all devices that have Activation Lock enabled.
You want to reassign some devices to a different department during a device refresh in your organization. You
can only reassign devices that do not have Activation Lock enabled.
To help solve these problems, Apple introduced Activation Lock bypass in iOS 7.1. This lets you remove the
Activation Lock from supervised devices without the user's Apple ID and password. Supervised devices can
generate a device-specific Activation Lock bypass code, which is stored on Apple's activation server.

TIP
Supervised mode for iOS devices lets you use Apple Configurator to lock down a device and limit functionality to specific
business purposes. Supervised mode is generally only for corporate-owned devices.

You can read more about Activation Lock on Apple's web site.

How Intune helps you manage Activation Lock


Intune can request the Activation Lock status of supervised devices that run iOS 8.0 and later. For supervised
devices only, Intune can retrieve the Activation Lock bypass code and directly issue it to the device. If the device has
been wiped, you can directly access the device by using a blank user name and the code as the password.
The business benefits of this are:
The user gets the security benefits of the Find My iPhone app.
You can enable users to do their work and know that when a device needs to be re-purposed, you can retire or
unlock it.

Before you start


Before you can bypass Activation Lock on devices, you must enable it first. To do this:
1. Configure an Intune device restriction profile for iOS using the information in How to configure device
restriction settings.
2. Enable the Kiosk mode setting Activation Lock.
3. Save the profile, and then assign it to the devices on which you want to manage Activation Lock bypass.

How to use Activation Lock bypass


IMPORTANT
After you bypass the Activation Lock on a device, a new Activation Lock is automatically applied if the Find My iPhone app is
opened. Because of this, you should be in physical possession of the device before you follow this procedure.

The Intune Bypass Activation Lock remote device action removes the activation lock from an iOS device without
the user's Apple ID and password. Once you bypass the activation lock, the device turns on activation lock again
when the Find My iPhone app launches. Only bypass the activation lock if you have physical access to the device.
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices and groups blade, choose All devices.
5. From the list of devices you manage, choose a supervised iOS device, and then choose the Bypass Activation
Lock device remote action.
You can examine the status of the unlock request on the details page for the device in the Manage devices
workload.
Reset Intune-managed devices to factory settings
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

The Factory reset action returns a device to its default settings. The device will no longer be managed by Intune,
and both company and personal data are removed. You cannot undo this action.
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices and groups blade, choose All devices.
5. From the list of devices you manage, choose a device, and then choose the Factory reset device remote action.
To see the status of the action you just took, on the Devices and groups blade, choose Device Actions.
Use Fresh Start to reset Windows 10 devices with Intune
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

The Fresh Start device action removes any apps that were installed on a Windows 10 PC running the Creators
Update, then automatically updates the PC to the latest version of Windows. This can be used to help remove
pre-installed (OEM) apps that are often delivered with a new PC. You can configure whether user data is retained
when this device action is issued. In that case, apps and settings are removed, but the contents of the user's
Home folder are retained.
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices and groups blade, choose All devices.
5. From the list of devices you manage, choose a Windows 10 desktop device, and then choose the Fresh Start
device remote action.
To see the status of the action you just took, on the Devices and groups blade, choose Device Actions.
Locate lost or stolen iOS devices with Intune
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

The Locate Device device action displays the location of a lost or stolen iOS device on a map. The device must be
a corporate-owned iOS device, enrolled through DEP, that is in supervised mode. Before you use this action, the
device must have been placed into lost mode.
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices and groups blade, choose All devices.
5. From the list of devices you manage, choose an iOS device, and then choose the Locate Device remote action.
6. After the device has been located, its location is displayed on the Locate device blade.

NOTE
For privacy purposes, the distance you can zoom into the map is limited.

Security and privacy information for the lost mode and locate device actions
No device location information is sent to Intune until you turn this action on.
When you use the locate device action, the latitude and longitude coordinates of the device are sent to Intune,
and displayed in the Azure portal.
The data is stored for 24 hours, then removed. You cannot manually remove the location data.
Location data is encrypted, both while stored, and while being transmitted.
When you configure lost mode, we recommend that the message you enter to display on the lock screen
includes information that helps someone who finds the device to return it.
Activate lost mode on iOS devices
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

The Lost mode device action helps you enable lost mode on lost or stolen iOS devices. This mode lets you specify
a message and a phone number that will be displayed on the lock screen of the device.
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices and groups blade, choose All devices.
5. From the list of devices you manage, choose an iOS device, and then choose the Lost mode remote action.
6. On the Lost mode blade, enable lost mode, enter the message that will be displayed, and optionally, a contact
phone number.
7. Click OK.
When you enable lost mode, you block all use of the device. The end user cannot access the device until you
disable lost mode. While lost mode is enabled, you can use the Locate device action to find out where the device
is. To use lost mode, the device must be a corporate-owned iOS device, enrolled through DEP, that is in supervised
mode.
To see the status of the action you just took, on the Devices and groups blade, choose Device Actions.

Security and privacy information for the lost mode and locate device actions
No device location information is sent to Intune until you turn this action on.
When you use the locate device action, the latitude and longitude coordinates of the device are sent to Intune,
and displayed in the Azure portal.
The data is stored for 24 hours, then removed. You cannot manually remove the location data.
Location data is encrypted, both while stored, and while being transmitted.
When you configure lost mode, we recommend that the message you enter to display on the lock screen
includes information that helps someone who finds the device to return it.
Remotely lock managed devices with Intune
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

The Remote lock device action locks the selected device. The device owner must use their passcode to unlock it.
You can only remotely lock a device that has a PIN or password set.
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices and groups blade, choose All devices.
5. From the list of devices you manage, choose a device, and then choose the Remote lock device remote action.
To see the status of the action you just took, on the Devices and groups blade, choose Device Actions.
Remove company data from Intune-managed devices
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

The Remove company data action removes only company data from devices managed by Intune. It does not remove
personal data from the device. The device will no longer be managed by Intune, and will no longer be able to
access corporate resources (not supported for Windows devices that are joined to Azure Active Directory).
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices and groups blade, choose All devices.
5. From the list of devices you manage, choose a device, and then choose the Remove company data device
remote action.
To see the status of the action you just took, on the Devices and groups blade, choose Device Actions.
Reset the passcode on Intune-managed devices
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

The Reset passcode action generates a new passcode for the device, which is displayed on the <device
name> Overview blade.
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices and groups blade, choose All devices.
5. From the list of devices you manage, choose a device, and then choose the Reset passcode device remote
action.
To see the status of the action you just took, on the Devices and groups blade, choose Device Actions.
Remotely restart devices with Intune
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

The Restart device action causes the device you choose to be restarted. The device owner is not automatically
notified of the restart, and therefore might lose work.
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices and groups blade, choose All devices.
5. From the list of devices you manage, choose a device, and then choose the Restart device remote action.
To see the status of the action you just took, on the Devices and groups blade, choose Device Actions.
Logout the current user on Intune-managed iOS devices
6/29/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

The Logout current user action logs out the current user of an iOS device you choose.
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices and groups blade, choose All devices.
5. From the list of devices you manage, choose an iOS device, and then choose the Logout current user device
remote action.
To see the status of the action you just took, on the Devices and groups blade, choose Device Actions.
Remove a user from a shared iOS device with Intune
6/29/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

The Remove user action deletes a user you choose from the local cache on an iOS device.
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices blade, choose All devices.
5. From the list of devices you manage, choose an iOS device.
6. On the blade for that device, choose Users.
7. From the list, right-click the user you want to remove, and then choose Remove user.
To see the status of the action you just took, on the Devices and groups blade, choose Device Actions.
Provide remote assistance for Intune managed Android devices
6/19/2017 2 min to read

Intune can use the TeamViewer software, purchased separately, to enable you to give remote assistance to your
users who are running Android devices. Use the information in this topic to set things up and get started.

Before you start


Required permissions
Ensure that the user of the Azure portal has the following permissions assigned to them as an Intune role:
To let the admin modify the TeamViewer connector settings, grant the Update Remote Assistance
permission.
To let the admin initiate a new remote assistance session, grant the Request Remote Assistance permission.
Users with this permission can request to initiate a session for any user; this is not limited by any Intune role
assignment scope. Intune role assignment scopes do not limit the devices or users for which Remote Assistance
requests can be initiated.

NOTE
By enabling TeamViewer, you are allowing the TeamViewer for Intune Connector to create TeamViewer sessions, read Active
Directory data, and save the TeamViewer account access token.

Configure the Intune TeamViewer connector


Before you can provide remote assistance to Android devices, you'll need to configure the Intune TeamViewer
connector, using the following steps:
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices and groups blade, choose Setup > TeamViewer Connector.
5. On the TeamViewer Connector blade, click Enable, then view and accept the TeamViewer service license
agreement.
6. Choose Log in to TeamViewer & Authorize.
7. A web page opens to the TeamViewer site. Enter your TeamViewer license credentials, and then click Sign In.

How to remotely administer an Android device


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices blade, choose Manage > All devices.
5. Select the device that you want to remotely administer, and then, on the device properties blade, choose More
> New Remote Assistance Session.
6. After Intune connects to the TeamViewer service, you'll see some information about the Android device. Choose
Connect to start the remote session.
In the TeamViewer window, you can perform a range of remote actions on the Android device, including remote
control of the device. For full details of the actions you can perform, see the TeamViewer documentation.
When you are finished, close the TeamViewer window.

End user notifications


An end user will see a notification flag on the Company Portal app icon on their device, and also see a notification
when they open the app. They can then accept the remote assistance request.
How to view Intune device inventory
6/26/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

The Devices workload gives you insights into the devices you manage, including their hardware capabilities, and
the apps installed on them.
To view device inventory:
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
Now, choose one of the following options:
Overview - Get information about devices you've enrolled, and the operating systems each device runs.
Manage - Choose All Devices to see a list of all the devices you manage. Select one of those devices in the list
to open the <device name> Overview blade where you can select one of:
Overview - See general information about the device including its name, owner, whether it is a BYOD
device, when it checked-in, and more.

Hardware - See more detailed information about the device including its free storage space, model and
manufacturer, and more.
Discovered apps - Displays a list of all apps that Intune found installed on the device.

Device compliance - Displays the compliance state of all compliance policies that have been assigned
to the device.
Device configuration - Displays the compliance state of all device configuration policies that have been
assigned to the device.
Monitor Choose Device Actions to see a list of device actions that have been performed on devices you
manage and their current state.
Setup > TeamViewer Connector - Let's you configure remote administration on devices using the
TeamViewer software. For details, see Provide remote assistance for Intune managed Android devices.
What is user management?
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go here.

If you are new to Intune in the Azure portal, remember that you no longer create groups for Intune. Intune uses
Azure AD groups just like many other applications that you use.
To learn more about using groups in Azure AD, see Managing access to resources with Azure Active Directory
groups.
To manage groups in the Azure portal, search for Intune, choose Manage users, and you are taken to the Users
and groups workload where you can perform the following actions:
1. See Overview information about the users and groups you manage.
2. See details about all users you manage with Azure.
3. Create groups of users and devices.
4. Display audit activity for group actions.

Next step
Get started with groups
Get started with groups
6/19/2017 3 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go here.

We've heard your feedback and have made changes to how you work with groups in Microsoft Intune. If you are
using Intune from the Azure portal, your Intune groups have been migrated to Azure Active Directory security
groups.
The benefit to you is that you now use the same groups experience across all of your Enterprise Mobility + Security
and Azure AD apps. Additionally, you'll be able to use PowerShell and the Graph API to extend and customize this new
functionality.
Azure AD security groups support all types of Intune deployments to both users and devices. Additionally, you can
use Azure AD dynamic groups that automatically update based on the attributes you supply. For example, you
could create a group of devices that run iOS 9. Whenever a device running iOS 9 enrolls, the device automatically
appears in the dynamic group.

What is not available?


Some of the Intune groups capabilities you previously might have used are not available in Azure AD:
The Ungrouped Users and Ungrouped Devices Intune groups are no longer available.
The option to Exclude specific members from a group does not exist in the Azure portal. You can,
however, use an Azure AD security group with advanced rules to replicate this behavior. For example, to
create an advanced rule that includes all people in your Sales department in a security group, but excludes
those with the word "Assistant" in their title, you could use this advanced rule:
(user.department -eq "Sales") -and -not (user.jobTitle -contains "Assistant")
The All Exchange ActiveSync Managed Devices group in the Intune console was not migrated to Azure AD.
You can, however, still access information about EAS-managed devices from the Azure portal.
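The two dynamic groups described above (devices that run iOS 9, and Sales staff without "Assistant" in their title) can be created from PowerShell, which the text mentions as the way to extend and customize the new group model. The following is an added example, not code from the Intune documentation or from Microsoft; it uses the AzureAD PowerShell module's New-AzureADMSGroup cmdlet. The group display names and mail nicknames are placeholders, and the device rule's version match on deviceOSVersion is an assumption about how the attribute is reported in your tenant, so check it against a real enrolled device before relying on it.

```powershell
# Added example (not part of the Intune documentation): create the two Azure AD dynamic
# security groups discussed in the text with the AzureAD PowerShell module.
# Assumes the AzureAD module is installed and the signed-in account holds a role that
# can manage groups (the text notes the Azure AD Service Admin role cannot).
Import-Module AzureAD
Connect-AzureAD | Out-Null

# Rule quoted in the text: everyone in Sales, excluding people with "Assistant" in their title.
$salesRule = '(user.department -eq "Sales") -and -not (user.jobTitle -contains "Assistant")'

# Device rule for the "devices that run iOS 9" example. deviceOSType and deviceOSVersion
# are Azure AD device attributes; matching the version with -startsWith "9." is an
# assumption that should be validated against how your tenant reports the version.
$ios9Rule = '(device.deviceOSType -eq "iOS") -and (device.deviceOSVersion -startsWith "9.")'

function New-DynamicSecurityGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $MailNickname,
        [Parameter(Mandatory)] [string] $Rule
    )
    # GroupTypes "DynamicMembership" plus a rule makes this a dynamic security group;
    # MembershipRuleProcessingState "On" tells Azure AD to start evaluating the rule.
    New-AzureADMSGroup -DisplayName $DisplayName `
                       -MailNickname $MailNickname `
                       -MailEnabled $false `
                       -SecurityEnabled $true `
                       -GroupTypes 'DynamicMembership' `
                       -MembershipRule $Rule `
                       -MembershipRuleProcessingState 'On'
}

# Placeholder names; choose ones that fit your naming convention.
$sales = New-DynamicSecurityGroup -DisplayName 'Sales (no assistants)' -MailNickname 'sales-noassist' -Rule $salesRule
$ios9  = New-DynamicSecurityGroup -DisplayName 'iOS 9 devices'         -MailNickname 'ios9-devices'   -Rule $ios9Rule

# Review what was created and, once Azure AD has processed the rules, who ended up in each group.
# Checking the resolved membership is the only way to confirm an exclusion rule does what you intended.
foreach ($g in @($sales, $ios9)) {
    Get-AzureADMSGroup -Id $g.Id | Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
    Get-AzureADGroupMember -ObjectId $g.Id -All $true | Select-Object DisplayName, ObjectType
}
```

Membership of a dynamic group is evaluated asynchronously, so the member listing at the end may be empty immediately after creation; run it again after the processing state has settled. Because the text warns that the old Exclude specific members option is gone, the resolved member list is the check to run before assigning policies or apps to a group that relies on a -not clause.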

How to get started?


Read the following topics to learn about Azure AD security groups and how they work:
Managing access to resources with Azure Active Directory groups.
Managing groups in Azure Active Directory.
Using attributes to create advanced rules.
Ensure that admins who need to create groups are added to the Intune Service Administrator Azure AD role.
The Azure AD Service Admin role does not have Manage Group permissions.
If your Intune groups used the Exclude specific members option, decide whether you can redesign these
groups without exclusions, or if you need advanced rules to meet business needs.

What happened to Intune groups?


When groups are migrated from the classic Intune portal to Intune in the Azure portal, the following rules are
applied:

GROUPS IN INTUNE                          GROUP IN AZURE AD
Static user group                         Static Azure AD security group
Dynamic user group                        Static Azure AD security groups with an Azure AD security group hierarchy
Static device group                       Static Azure AD security group
Dynamic device group                      Dynamic Azure AD security group
A group with an include condition         Static Azure AD security group containing any static or dynamic members
                                          from the include condition in Intune
A group with an exclude condition         Not migrated
The built-in groups:                      Azure AD security groups
  - All Users
  - Ungrouped Users
  - All Devices
  - Ungrouped devices
  - All Computers
  - All Mobile Devices
  - All MDM managed devices
  - All EAS managed devices

Group hierarchy
In the classic Intune console, all groups had a parent group. Groups could only contain members of their parent
group. In Azure AD, child groups can contain members not in their parent group.

Group attributes
Attributes are device properties that may be used in defining groups. This table describes how those criteria will be
migrated to Azure AD security groups.

ATTRIBUTE IN INTUNE                                    ATTRIBUTE IN AZURE AD
Organizational Unit (OU) attribute for device groups   OU attribute for dynamic groups.
Domain name attribute for device groups                Domain Name attribute for dynamic groups.
Security group as an attribute for user groups         Groups cannot be attributes in Azure AD dynamic queries.
                                                       Dynamic groups can only contain user or device-specific
                                                       attributes.
Manager attribute for user groups                      Advanced Rule for manager attribute in dynamic groups
All users from the parent user group                   Static group with that group as a member
All mobile devices from the parent device group        Static group with that group as a member
All mobile devices managed by Intune                   Management Type attribute with MDM as value for dynamic
                                                       group
Nested groups within static groups                     Nested groups within static groups
Nested groups within dynamic groups                    Dynamic group with one level of nesting

What happens to policies and apps you previously deployed?


Policies and apps continue to be deployed to groups, just like before. However, you'll now manage these groups
from the Azure portal, instead of the classic Intune console.
What is Microsoft Intune app management?
6/19/2017 3 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go here.

As an IT admin, you are responsible for making sure that your end users have access to the apps they need to do
their work. This can be a challenge because:
There is a wide range of device platforms and app types.
You might need to manage apps on company devices and on users' own devices.
You must ensure that your network and your data remain secure.
Additionally, you might want to assign and manage apps on devices that are not enrolled with Intune.
Intune offers a range of capabilities to help you get the apps you need, on the devices you want.

App management capabilities by platform

Capability                                                                  Android  iOS  Windows Phone 8.1  Windows 10
Add and assign apps to devices and users                                    Yes      Yes  Yes                Yes
Assign apps to devices not enrolled with Intune                             Yes      Yes  No                 No
Use app configuration policies to control the startup behavior of apps     No       Yes  No                 No
Use mobile app provisioning policies to renew expired apps                  No       Yes  No                 No
Protect company data in apps with app protection policies                   Yes      Yes  No                 No (1)
Remove only corporate data from an installed app (App selective wipe)       Yes      Yes  Yes                Yes
Monitor app assignments                                                     Yes      Yes  Yes                Yes
Assign and track volume-purchased apps from an app store                    No       No   No                 Yes
Mandatory install of apps on devices (Required) (2)                         Yes      Yes  Yes                Yes
Optional installation on devices from the Company Portal (Available install) Yes     Yes  Yes                Yes
Install shortcut to an app on the web (web clip)                            Yes      Yes  Yes                Yes
In-house (line-of-business) apps                                            Yes      Yes  No                 No
Apps from a store                                                           Yes      Yes  Yes                Yes
Update apps                                                                 Yes      Yes  Yes                Yes

(1) Consider using Windows Information Protection (see Configure Windows Information Protection settings) to protect
apps on devices that run Windows 10.
(2) Applies to devices managed by Intune only.

How to get started


You can find most things app-related in the Mobile Apps workload that you can access as follows:
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Mobile apps.
Manage
Apps - This node is where you add, assign, and monitor most of your apps.
Add apps
Assign apps
Monitor apps
App configuration policies - App configuration policies let you supply settings that might be required when
a user runs an app.
iOS app configuration policies
Android app configuration policies
App protection policies - Lets you associate settings with an app to help protect the company data it uses.
For example, you might restrict the capabilities of an app to communicate with other apps, or require the user
to enter a PIN to access a company app.
App protection policies
App selective wipe - Remove only corporate data from a user's device that you select.
App selective wipe
iOS provisioning profiles - iOS apps include a provisioning profile and code that is signed by a certificate.
When the certificate expires, the app can no longer be run. Intune gives you the tools to proactively assign a
new provisioning profile policy to devices that have apps that are nearing expiry.
iOS app provisioning profiles
Monitor
Licensed Apps - View, assign, and monitor volume-purchased apps from the app stores.
Windows Store for Business volume-purchased apps
Discovered Apps - Shows all apps that were assigned by Intune, and installed on a device.
App Install Status - Shows the status of an app assignment you created.
App protection status - Shows the status of an app protection policy for a user you select.
For details, see Monitor apps
Setup
Windows Store for Business - Set up integration to the Windows Store for Business. Afterwards, you can
synchronize purchased applications to Intune, assign them, and track your license usage.
Windows Store for Business volume-purchased apps
Company Portal branding - Customize the Company Portal to give it your company branding.
Company portal configuration
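The iOS provisioning profiles entry above explains that an app signed with an expired provisioning profile can no longer be run, and that Intune lets you assign a new profile policy proactively. The first step is knowing which of your line-of-business apps are nearing expiry. The following is an added example, not code from the Intune documentation or from Microsoft: a PowerShell report over the embedded.mobileprovision files of your .ipa packages. It assumes each file has already been extracted from its archive (inside an .ipa it sits under Payload/<App>.app/), the sample profile text is constructed for the example, and the scan folder C:\ExtractedApps is a placeholder.

```powershell
# Added example (not part of the Intune documentation): flag iOS provisioning profiles that
# are expired or about to expire, so a renewed profile can be assigned before apps stop launching.
# Assumes embedded.mobileprovision files have been extracted from the .ipa packages.

function Get-ProvisioningProfileExpiry {
    param([Parameter(Mandatory)] [string] $ProfileText)
    # A .mobileprovision is a CMS-signed blob wrapping an XML plist. The plist text is
    # readable as-is, so a regex on the ExpirationDate key is enough for a report.
    $exp = [regex]::Match($ProfileText, '<key>ExpirationDate</key>\s*<date>([^<]+)</date>')
    if (-not $exp.Success) { throw 'ExpirationDate not found in profile text' }
    $name = [regex]::Match($ProfileText, '<key>Name</key>\s*<string>([^<]+)</string>').Groups[1].Value
    [pscustomobject]@{
        Name    = $name
        # XmlConvert parses the ISO 8601 date the plist uses and returns a UTC DateTime.
        Expires = [System.Xml.XmlConvert]::ToDateTime($exp.Groups[1].Value, [System.Xml.XmlDateTimeSerializationMode]::Utc)
    }
}

function Test-ProfileNearingExpiry {
    param(
        [Parameter(Mandatory)] [string] $ProfileText,
        [int] $WarnDays = 30,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    $p = Get-ProvisioningProfileExpiry -ProfileText $ProfileText
    $daysLeft = [int][math]::Floor(($p.Expires - $Now).TotalDays)
    [pscustomobject]@{
        Name     = $p.Name
        Expires  = $p.Expires
        DaysLeft = $daysLeft
        Action   = if ($daysLeft -lt 0) { 'EXPIRED: app will not launch; assign renewed profile' }
                   elseif ($daysLeft -le $WarnDays) { 'Assign renewed provisioning profile now' }
                   else { 'OK' }
    }
}

# Constructed sample (not a real profile): the plist fragment such a file contains.
$sample = @'
<plist version="1.0"><dict>
<key>Name</key><string>Contoso Expense App (constructed sample)</string>
<key>ExpirationDate</key><date>2017-08-01T00:00:00Z</date>
</dict></plist>
'@

# Evaluate the sample against a fixed date so the result is reproducible.
$fixedNow = [System.Xml.XmlConvert]::ToDateTime('2017-07-15T00:00:00Z', [System.Xml.XmlDateTimeSerializationMode]::Utc)
Test-ProfileNearingExpiry -ProfileText $sample -Now $fixedNow

# Scan every extracted profile under a folder (placeholder path) with the default 30-day warning.
Get-ChildItem -Path 'C:\ExtractedApps' -Recurse -Filter 'embedded.mobileprovision' -ErrorAction SilentlyContinue |
    ForEach-Object { Test-ProfileNearingExpiry -ProfileText (Get-Content -Raw -LiteralPath $_.FullName) }
```

The regex approach is deliberate: the signed CMS wrapper is not parsed or verified here, because the goal is an inventory of expiry dates, not a trust decision. Run the scan against the packages you actually uploaded to Intune, and treat any row marked for action as the trigger to create the iOS app provisioning profile policy the text describes.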
How to add an app to Microsoft Intune
6/30/2017 3 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go here.

Before you can manage and assign apps for your users, you must add them to Intune. Intune supports a wide
range of different app types, and the options might be different for each type.
Intune lets you add and assign the following app types:
Android store apps
Android line-of-business (LOB) apps
iOS store apps
iOS line-of-business (LOB) apps
Web apps
Windows Phone 8.1 store apps
Windows Phone line-of-business apps (.xap files)
Windows store apps
Windows line-of-business apps (.msi files only)

TIP
A line-of-business (or LOB) app is one that you do not install from an app store, but install from the app installation file.
For example, to install an iOS LOB app, you add the application archive file (with the extension .ipa). These are typically
apps you have written in-house.

Before you start


Consider the following points before you begin to add and assign apps.
When you add and assign an app from a store, end users must have an account with that store in order to be
able to install the app.
Some apps or items you assign might be dependent on built-in iOS apps. For example, if you assign a book
from the iOS store, then the iBooks app must be present on the device. If you have removed the iBooks built-
in app, you cannot use Intune to reinstate it.

Cloud storage space


All apps that you create by using the software installer installation type (for example, a line-of-business app) are
packaged and uploaded to Intune cloud storage. A trial subscription of Intune includes 2 gigabytes (GB) of cloud-
based storage that is used to store managed apps and updates. A full subscription includes 20 GB of storage
space.
You can purchase additional storage for Intune using your original purchase method. If you paid by invoice or
credit card, visit the Subscription Management portal. Otherwise, contact your partner or sales associate.
Requirements for cloud storage space are as follows:
All app installation files must be in the same folder.
The maximum file size for any file that you upload is 2 GB.

How to create and edit categories for apps


App categories can be used to help you sort apps to make them easier for users to find in the company portal.
You can assign one or more categories to an app, for example, Developer apps, or Communication apps.
When you add an app to Intune, you are given the option to select the category you want. Use the platform-
specific topics to add an app, and assign categories. To create and edit your own categories, use the following
procedure:
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Mobile apps.
4. In the Mobile apps workload, choose Setup > App categories.
5. On the App categories blade, a list of the current categories is shown. Choose one of the following actions:
Create a category - On the Create category blade, enter a name for the new category. Names can be
entered in one language only, and are not translated by Intune. When you are done, click Create.
Edit a category - For any category in the list, choose '...'. On the Properties blade, you can enter a
new name for the category, or delete the category.

Apps added automatically by Intune


The following apps, published by Microsoft, are built into Intune and ready for you to assign:

Name                                   Platform
Azure Information Protection           Android
Dynamics CRM for Phones                Android
Dynamics CRM for Tablets               Android
Excel                                  iOS
Excel                                  Android
Managed Browser                        Android
Managed Browser                        iOS
Microsoft Dynamics CRM on Phones       iOS
Microsoft Dynamics CRM on Tablets      iOS
Microsoft Power BI                     iOS
Microsoft Power BI                     Android
Microsoft SharePoint                   iOS
Microsoft SharePoint                   Android
Microsoft Teams                        Android
Microsoft Teams                        iOS
OneDrive                               iOS
OneDrive                               Android
OneNote                                iOS
Outlook                                Android
Outlook                                iOS
Outlook Groups                         Android
Outlook Groups                         iOS
PowerPoint                             iOS

Next Steps
Choose one of the following topics to find out how to add apps for each platform to Intune:
Android store apps
Android LOB apps
iOS store apps
iOS LOB apps
Web apps (for all platforms)
Windows Phone 8.1 store apps
Windows Phone LOB apps
Windows store apps
Windows LOB app
How to add Android store apps to Microsoft Intune
6/19/2017 2 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go here.

1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Manage apps.
4. In the Mobile apps workload, choose Manage > Apps.
5. Above the list of apps, choose Add.
6. In the Add App blade, choose App Information.
7. In the Edit App blade, configure the following information. Once you are done, click Add. Depending on the
app you have chosen, some of the values in this blade might have been automatically filled-in:
App Name - Enter the name of the app as it will be displayed in the company portal. Make sure all app
names that you use are unique. If the same app name exists twice, only one of the apps will be displayed
to users in the company portal.
App Description - Enter a description for the app. This will be displayed to users in the company portal.
Publisher - Enter the name of the publisher of the app.
App store URL - Enter the app store URL of the app you want to create.
Minimum Operating System - From the list, choose the minimum operating system version on which
the app can be installed. If you assign the app to a device with an earlier operating system, it will not be
installed.
Category (optional) - Select one or more of the built-in app categories, or a category you created. This
will make it easier for users to find the app when they browse the company portal.
Display this as a featured app in the Company Portal - Display the app prominently on the main
page of the company portal when users browse for apps.
Information URL - Optionally, enter the URL of a website that contains information about this app. The
URL will be displayed to users in the company portal.
Privacy URL - Optionally, enter the URL of a website that contains privacy information for this app. The
URL will be displayed to users in the company portal.
Developer - Optionally, enter the name of the app developer.
Owner - Optionally, enter a name for the owner of this app, for example, HR department.
Notes - Enter any notes you would like to associate with this app.
Upload Icon - Upload an icon that will be associated with the app. This is the icon that will be displayed
with the app when users browse the company portal.
8. When you are done, on the Add App blade, choose Save.
The app you have created will be displayed in the apps list where you can assign it to the groups you choose. For
help, see How to assign apps to groups.
How to add Android line-of-business (LOB) apps to
Microsoft Intune
6/19/2017 2 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go here.

Step 1 - Specify the software setup file


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Manage apps.
4. In the Mobile apps workload, choose Manage > Apps.
5. Above the list of apps, choose Add.
6. In the Add App blade, choose Line-of-business app.

Step 2 - Configure the app package file


1. On the Add app blade, choose App package file.
2. On the App package file blade, choose the browse button, and select an Android installation file with the
extension .apk.
3. When you are finished, choose OK.

Step 3 - Configure app information


1. On the Add app blade, choose App package file.
2. On the App information blade, configure the following information. Depending on the app you have chosen,
some of the values in this blade might have been automatically filled-in:
Name - Enter the name of the app as it will be displayed in the company portal. Make sure all app names
that you use are unique. If the same app name exists twice, only one of the apps will be displayed to
users in the company portal.
Description - Enter a description for the app. This will be displayed to users in the company portal.
Publisher - Enter the name of the publisher of the app.
Minimum Operating System - From the list, choose the minimum operating system version on which
the app can be installed. If you assign the app to a device with an earlier operating system, it will not be
installed.
Category - Select one or more of the built-in app categories, or a category you created. This will make it
easier for users to find the app when they browse the company portal.
Display this as a featured app in the Company Portal - Display the app prominently on the main
page of the company portal when users browse for apps.
Information URL - Optionally, enter the URL of a website that contains information about this app. The
URL will be displayed to users in the company portal.
Privacy URL - Optionally, enter the URL of a website that contains privacy information for this app. The
URL will be displayed to users in the company portal.
Developer - Optionally, enter the name of the app developer.
Owner - Optionally, enter a name for the owner of this app, for example, HR department.
Notes - Enter any notes you would like to associate with this app.
Logo - Upload an icon that will be associated with the app. This is the icon that will be displayed with the
app when users browse the company portal.
3. When you are finished, choose OK.

Step 4 - Finish up
1. On the Add app blade, verify the information you configured is correct.
2. Choose Add, to upload the app to Intune.
The app you have created will be displayed in the apps list where you can assign it to the groups you choose. For
help, see How to assign apps to groups.
How to add iOS store apps to Microsoft Intune
6/19/2017 2 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go here.

Before you start


You can only assign apps using this method if they are free of charge in the app store. If you want to assign paid
apps using Intune, consider using the iOS volume-purchase program.

Step 1 - Search for the app in the store


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Manage apps.
4. In the Mobile apps workload, choose Manage > Apps.
5. Above the list of apps, choose Add.
6. In the Add App blade, choose Search the App Store.
7. In the Apple App Store blade, enter the name (or part of the name) in the search box. Intune will search the
store and return a list of relevant results.
8. From the list, choose the app you want, then click OK.

Step 2 - Configure app information


1. In the Add App blade, choose App Information.
2. In the Edit App blade, configure the following information. Once you are done, click Add. Depending on the
app you have chosen, some of the values in this blade might have been automatically filled-in:
App Name - Enter the name of the app as it will be displayed in the company portal. Make sure all app names
that you use are unique. If the same app name exists twice, only one of the apps will be displayed to users in the
company portal.
App Description - Enter a description for the app. This will be displayed to users in the company portal.
Publisher - Enter the name of the publisher of the app.
App store URL - Enter the app store URL of the app you want to create.
Minimum Operating System - From the list, choose the minimum operating system version on which the app
can be installed. If you assign the app to a device with an earlier operating system, it will not be installed.
Category (optional) - Select one or more of the built-in app categories, or a category you created. This will make
it easier for users to find the app when they browse the company portal.
Display this as a featured app in the Company Portal - Display the app prominently on the main page of
the company portal when users browse for apps.
Information URL - Optionally, enter the URL of a website that contains information about this app. The URL
will be displayed to users in the company portal.
Privacy URL - Optionally, enter the URL of a website that contains privacy information for this app. The URL
will be displayed to users in the company portal.
Developer - Optionally, enter the name of the app developer.
Owner - Optionally, enter a name for the owner of this app, for example, HR department.
Notes - Enter any notes you would like to associate with this app.
Upload Icon - Upload an icon that will be associated with the app. This is the icon that will be displayed with
the app when users browse the company portal.
3. When you are done, on the Add App blade, choose Save.
The app you have created will be displayed in the apps list where you can assign it to the groups you choose. For
help, see How to assign apps to groups.
How to add iOS line-of-business (LOB) apps to
Microsoft Intune
6/19/2017 2 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go here.

Step 1 - Specify the software setup file


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Manage apps.
4. In the Mobile apps workload, choose Manage > Apps.
5. Above the list of apps, choose Add.
6. In the Add App blade, choose Line-of-business app.

Step 2 - Configure the app package file


1. On the Add app blade, choose App package file.
2. On the App package file blade, choose the browse button, and select an iOS installation file with the extension
.ipa.
3. When you are finished, choose OK.

Step 3 - Configure app information


1. On the Add app blade, choose App package file.
2. On the App information blade, configure the following information. Depending on the app you have chosen,
some of the values in this blade might have been automatically filled-in:
Name - Enter the name of the app as it will be displayed in the company portal. Make sure all app names
that you use are unique. If the same app name exists twice, only one of the apps will be displayed to
users in the company portal.
Description - Enter a description for the app. This will be displayed to users in the company portal.
Publisher - Enter the name of the publisher of the app.
Minimum Operating System - From the list, choose the minimum operating system version on which
the app can be installed. If you assign the app to a device with an earlier operating system, it will not be
installed.
Category - Select one or more of the built-in app categories, or a category you created. This will make it
easier for users to find the app when they browse the company portal.
Display this as a featured app in the Company Portal - Display the app prominently on the main
page of the company portal when users browse for apps.
Information URL - Optionally, enter the URL of a website that contains information about this app. The
URL will be displayed to users in the company portal.
Privacy URL - Optionally, enter the URL of a website that contains privacy information for this app. The
URL will be displayed to users in the company portal.
Developer - Optionally, enter the name of the app developer.
Owner - Optionally, enter a name for the owner of this app, for example, HR department.
Notes - Enter any notes you would like to associate with this app.
Logo - Upload an icon that will be associated with the app. This is the icon that will be displayed with the
app when users browse the company portal.
3. When you are finished, choose OK.

Step 4 - Finish up
1. On the Add app blade, verify the information you configured is correct.
2. Choose Add, to upload the app to Intune.
The app you have created will be displayed in the apps list where you can assign it to the groups you choose. For
help, see How to assign apps to groups.
How to add web apps to Microsoft Intune
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go here.

1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Manage apps.
4. In the Mobile apps workload, choose Manage > Apps.
5. Above the list of apps, choose Add.
6. In the Add App blade, choose App Information.
7. In the Edit App blade, configure the following information. Once you are done, click Add:
App URL - Enter the URL of the web site that hosts the app you want to assign.
App Name - Enter the name of the app as it will be displayed in the company portal.
App Description - Enter a description for the app. This will be displayed to end users in the company
portal.
Publisher - Enter the name of the publisher of this app.
Category (optional) - Select one or more of the built-in app categories, or a category you created. This
will make it easier for users to find the app when they browse the company portal.
Display this as a featured app in the Company Portal - Display the app prominently on the main
page of the company portal when users browse for apps.
Require a managed browser to open this link - When you assign a link to a website or web app to
users, they will be able to open it only in the Intune managed browser. This browser must be installed on
their device.
Upload Icon - Upload an icon that will be associated with the app. This is the icon that will be displayed
with the app when users browse the company portal.
8. When you are done, on the Add App blade, choose Save.
The app you have created will be displayed in the apps list where you can assign it to the groups you choose. For
help, see How to assign apps to groups.
How to add Windows Phone 8.1 store apps to
Microsoft Intune
6/19/2017 2 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go here.

1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Manage apps.
4. In the Mobile apps workload, choose Manage > Apps.
5. Above the list of apps, choose Add.
6. In the Add App blade, choose App Information.
7. In the Edit App blade, configure the following information. Once you are done, click Add. Depending on the app
you have chosen, some of the values in this blade might have been automatically filled-in:
App Name - Enter the name of the app as it will be displayed in the company portal. Make sure all app
names that you use are unique. If the same app name exists twice, only one of the apps will be displayed
to users in the company portal.
App Description - Enter a description for the app. This will be displayed to users in the company portal.
Publisher - Enter the name of the publisher of the app.
App store URL - Enter the app store URL of the app you want to create.
Minimum Operating System - From the list, choose the minimum operating system version on which
the app can be installed. If you assign the app to a device with an earlier operating system, it will not be
installed.
Category (optional) - Select one or more of the built-in app categories, or a category you created. This
will make it easier for users to find the app when they browse the company portal.
Display this as a featured app in the Company Portal - Display the app prominently on the main
page of the company portal when users browse for apps.
Information URL - Optionally, enter the URL of a website that contains information about this app. The
URL will be displayed to users in the company portal.
Privacy URL - Optionally, enter the URL of a website that contains privacy information for this app. The
URL will be displayed to users in the company portal.
Developer - Optionally, enter the name of the app developer.
Owner - Optionally, enter a name for the owner of this app, for example, HR department.
Notes - Enter any notes you would like to associate with this app.
Upload Icon - Upload an icon that will be associated with the app. This is the icon that will be displayed
with the app when users browse the company portal.
8. When you are done, on the Add App blade, choose Save.
The app you have created will be displayed in the apps list where you can assign it to the groups you choose. For
help, see How to assign apps to groups.
How to add Windows Phone line-of-business (LOB)
apps to Microsoft Intune
6/19/2017 2 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go here.

Step 1 - Specify the software setup file


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Manage apps.
4. In the Mobile apps workload, choose Manage > Apps.
5. Above the list of apps, choose Add.
6. In the Add App blade, choose Line-of-business app.

Step 2 - Configure the app package file


1. On the Add app blade, choose App package file.
2. On the App package file blade, choose the browse button, and select a Windows Phone installation file with the
extension .xap.
3. When you are finished, choose OK.

Step 3 - Configure app information


1. On the Add app blade, choose App package file.
2. On the App information blade, configure the following information. Depending on the app you have chosen,
some of the values in this blade might have been automatically filled-in:
Name - Enter the name of the app as it will be displayed in the company portal. Make sure all app names
that you use are unique. If the same app name exists twice, only one of the apps will be displayed to users
in the company portal.
Description - Enter a description for the app. This will be displayed to users in the company portal.
Publisher - Enter the name of the publisher of the app.
Category - Select one or more of the built-in app categories, or a category you created. This will make it
easier for users to find the app when they browse the company portal.
Display this as a featured app in the Company Portal - Display the app prominently on the main
page of the company portal when users browse for apps.
Information URL - Optionally, enter the URL of a website that contains information about this app. The
URL will be displayed to users in the company portal.
Privacy URL - Optionally, enter the URL of a website that contains privacy information for this app. The
URL will be displayed to users in the company portal.
Developer - Optionally, enter the name of the app developer.
Owner - Optionally, enter a name for the owner of this app, for example, HR department.
Notes - Enter any notes you would like to associate with this app.
Logo - Upload an icon that will be associated with the app. This is the icon that will be displayed with the
app when users browse the company portal.
3. When you are finished, choose OK.

Step 4 - Finish up
1. On the Add app blade, verify the information you configured is correct.
2. Choose Add, to upload the app to Intune.
The app you have created will be displayed in the apps list where you can assign it to the groups you choose. For
help, see How to assign apps to groups.
How to add Windows store apps to Microsoft Intune
6/19/2017 6 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

1. Sign into the Azure portal.


2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Manage apps.
4. In the Mobile apps workload, choose Manage > Apps.
5. Above the list of apps, choose Add.
6. In the Add App blade, choose App Information.
7. In the Edit App blade, configure the following information. Once you are done, click Add. Depending on the app
you have chosen, some of the values in this blade might have been automatically filled-in:
App Name - Enter the name of the app as it will be displayed in the company portal. Make sure all app
names that you use are unique. If the same app name exists twice, only one of the apps will be displayed
to users in the company portal.
App Description - Enter a description for the app. This will be displayed to users in the company portal.
Publisher - Enter the name of the publisher of the app.
App store URL - Enter the app store URL of the app you want to create.
Minimum Operating System - From the list, choose the minimum operating system version on which
the app can be installed. If you assign the app to a device with an earlier operating system, it will not be
installed.
Category (optional) - Select one or more of the built-in app categories, or a category you created. This
will make it easier for users to find the app when they browse the company portal.
Display this as a featured app in the Company Portal - Display the app prominently on the main
page of the company portal when users browse for apps.
Information URL - Optionally, enter the URL of a website that contains information about this app. The
URL will be displayed to users in the company portal.
Privacy URL - Optionally, enter the URL of a website that contains privacy information for this app. The
URL will be displayed to users in the company portal.
Developer - Optionally, enter the name of the app developer.
Owner - Optionally, enter a name for the owner of this app, for example, HR department.
Notes - Enter any notes you would like to associate with this app.
Upload Icon - Upload an icon that will be associated with the app. This is the icon that will be displayed
with the app when users browse the company portal.
8. When you are done, on the Add App blade, choose Save.
The app you have created will be displayed in the apps list where you can assign it to the groups you choose. For
help, see How to assign apps to groups.

Manually assign Windows 10 Company Portal app


End users can install the Company Portal app from the Windows Store to manage devices and install apps. If,
however, your business needs require that you assign the Company Portal app, you can manually assign the
Windows 10 Company Portal app directly from Intune, even if you haven't integrated Intune with the Windows
Store for Business.

NOTE
This option will require assigning manual updates each time an app update is released.

1. Log in to your account in the Windows Store for Business and acquire the offline license version of the
Company Portal app.
2. Once the app has been acquired, select the app in the Inventory page.
3. Select Windows 10 all devices as the Platform, then the appropriate Architecture and download. An app
license file is not needed for this app.

4. Download all the packages under Required Frameworks. This must be done for the x86, x64 and ARM
architectures, resulting in a total of 9 packages.

5. Before uploading the Company Portal app to Intune, create a folder (for example, C:\Company Portal) with the
packages structured in the following way:
a. Place the Company Portal package into C:\Company Portal. Create a Dependencies subfolder in this
location as well.
b. Place the nine dependency packages in the Dependencies folder.
If the dependencies are not placed in this structure, Intune will not recognize and upload them during the
package upload, and the upload fails.
6. Return to Intune, then upload the Company Portal app as a new app. Assign it as a required app to the desired
set of target users.
See Deploying an appxbundle with dependencies via Microsoft Intune MDM for more information about how
Intune handles dependencies for Universal apps.
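The staging layout described above, checked before you upload, as an added example that is not part of the Intune documentation. It assumes the Company Portal package is the single .appxbundle in the root folder and that the nine dependency packages are .appx files in the Dependencies subfolder; the architecture of each dependency is read from the ProcessorArchitecture attribute of the Identity element in the package's AppxManifest.xml (an .appx is a ZIP archive). The sample layout, the placeholder framework names and the function names are constructed for this example; the sample is built in a temporary folder rather than C:\Company Portal.

```python
# Added example, not from the Intune documentation: a pre-upload check for the
# Company Portal staging folder. Assumptions: one .appxbundle in the root,
# nine .appx dependencies in Dependencies, architecture taken from
# Identity/ProcessorArchitecture in each package's AppxManifest.xml.
import tempfile
import xml.etree.ElementTree as ET
import zipfile
from collections import Counter
from pathlib import Path

EXPECTED_ARCHS = ("x86", "x64", "arm")   # the three architectures the download step requires
EXPECTED_DEPENDENCY_COUNT = 9            # three framework packages per architecture


def package_architecture(appx: Path) -> str:
    """Return the ProcessorArchitecture declared in the package's AppxManifest.xml."""
    with zipfile.ZipFile(appx) as archive:
        root = ET.fromstring(archive.read("AppxManifest.xml"))
    for element in root.iter():
        if element.tag.rsplit("}", 1)[-1] == "Identity":   # strip the manifest namespace
            return element.attrib.get("ProcessorArchitecture", "neutral").lower()
    raise ValueError(f"{appx.name}: AppxManifest.xml has no Identity element")


def check_staging_folder(root: Path) -> list[str]:
    """Return the problems found; an empty list means the layout matches what Intune expects."""
    problems: list[str] = []
    files = [p for p in root.iterdir() if p.is_file()]
    bundles = [p for p in files if p.suffix.lower() == ".appxbundle"]
    if len(bundles) != 1:
        problems.append(f"expected exactly one .appxbundle in {root.name}, found {len(bundles)}")
    # A dependency left beside the bundle is not picked up during upload, and the upload fails.
    for stray in (p for p in files if p.suffix.lower() == ".appx"):
        problems.append(f"{stray.name} is in the root folder; move it into Dependencies")
    deps_dir = root / "Dependencies"
    if not deps_dir.is_dir():
        problems.append("Dependencies subfolder is missing")
        return problems
    deps = [p for p in deps_dir.iterdir() if p.is_file() and p.suffix.lower() == ".appx"]
    if len(deps) != EXPECTED_DEPENDENCY_COUNT:
        problems.append(f"expected {EXPECTED_DEPENDENCY_COUNT} dependency packages, found {len(deps)}")
    per_arch = Counter(package_architecture(p) for p in deps)
    missing = [arch for arch in EXPECTED_ARCHS if per_arch[arch] == 0]
    if missing:
        problems.append("no dependency packages for: " + ", ".join(missing))
    elif len({per_arch[arch] for arch in EXPECTED_ARCHS}) != 1:
        problems.append(f"uneven architecture coverage: {dict(per_arch)}")
    return problems


# Minimal manifest used to build constructed .appx files; a real package carries much more.
MANIFEST = (
    '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
    '<Identity Name="{name}" Publisher="CN=Contoso" Version="1.0.0.0" '
    'ProcessorArchitecture="{arch}"/></Package>'
)


def write_fake_appx(path: Path, name: str, arch: str) -> None:
    """Write a ZIP containing only an AppxManifest.xml, enough for package_architecture()."""
    with zipfile.ZipFile(path, "w") as archive:
        archive.writestr("AppxManifest.xml", MANIFEST.format(name=name, arch=arch))


def build_sample_layout(root: Path, misplace_one: bool = False) -> Path:
    """Create a constructed staging folder; misplace_one leaves one dependency next to the bundle."""
    deps_dir = root / "Dependencies"
    deps_dir.mkdir(parents=True, exist_ok=True)
    (root / "CompanyPortal.appxbundle").write_bytes(b"")   # placeholder; the bundle is not inspected
    frameworks = ("Framework.A", "Framework.B", "Framework.C")   # placeholder names, three per architecture
    for framework in frameworks:
        for arch in EXPECTED_ARCHS:
            write_fake_appx(deps_dir / f"{framework}.{arch}.appx", framework, arch)
    if misplace_one:
        stray = deps_dir / "Framework.C.arm.appx"
        stray.rename(root / stray.name)
    return root


def demo(misplace_one: bool = False) -> list[str]:
    """Build the constructed layout in a temporary folder and return the problems found."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_staging_folder(build_sample_layout(Path(tmp) / "Company Portal", misplace_one))


if __name__ == "__main__":
    print("correct layout:", demo() or "no problems")
    print("misplaced dependency:", demo(misplace_one=True))
```

Point check_staging_folder at your real folder before uploading; the three complaints it raises for the misplaced-dependency case (a stray .appx in the root, eight instead of nine dependencies, uneven architecture coverage) are the conditions that make the Intune upload fail.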
How do I update the Company Portal on my users' devices if they have already installed the older apps from the store?
If your users have already installed the Windows 8.1 or Windows Phone 8.1 Company Portal apps from the Store,
then they should be automatically updated to the new version with no action required from you or your user. If the
update does not happen, ask your users to check that they have enabled autoupdates for Store apps on their
devices.
How do I upgrade my sideloaded Windows 8.1 Company Portal app to the Windows 10 Company Portal app?
Our recommended migration path is to delete the assignment for the Windows 8.1 Company Portal app by setting
the assignment action to Uninstall. Once this is done, the Windows 10 Company Portal app can be assigned using
any of the above options.
If you sideloaded and assigned the Windows 8.1 Company Portal app without signing it with the Symantec
certificate, follow the steps in the Manually assign Windows 10 Company Portal app section above to complete the
upgrade.
If you sideloaded the app and signed and assigned the Windows 8.1 Company Portal with the Symantec
code-signing certificate, follow the steps in the section below.
How do I upgrade my signed and sideloaded Windows Phone 8.1 Company Portal app or Windows 8.1 Company Portal app to the
Windows 10 Company Portal app?
Our recommended migration path is to delete the existing assignment for the Windows Phone 8.1 Company Portal
app or the Windows 8.1 Company Portal app by setting the assignment action to Uninstall. Once this is done, the
Windows 10 Company Portal app can be assigned normally.
Otherwise, the Windows 10 Company Portal app needs to be appropriately updated and signed to ensure that the
upgrade path is respected.
If the Windows 10 Company Portal app is signed and assigned in this way, you will need to repeat this process for
each new app update when it is available in the store. The app will not automatically update when the store is
updated.
Here's how you sign and assign the app in this way:
1. Download the Microsoft Intune Windows 10 Company Portal App Signing Script from
https://aka.ms/win10cpscript. This script requires the Windows SDK for Windows 10 to be installed on the host
computer. To download the Windows SDK for Windows 10, visit https://go.microsoft.com/fwlink/?
LinkId=619296.
2. Download the Windows 10 Company Portal app from the Windows Store for Business, as detailed above.
3. Run the script with the input parameters detailed in the script header to sign the Windows 10 Company Portal
app (extracted below). Dependencies do not need to be passed into the script. These are only required when the
app is being uploaded to the Intune Admin Console.

PARAMETER - DESCRIPTION

InputWin10AppxBundle - The path to where the source appxbundle file is located.
OutputWin10AppxBundle - The output path for the signed appxbundle file.
Win81Appx - The path to where the Windows 8.1 or Windows Phone 8.1 Company Portal (.APPX) file is located.
PfxFilePath - The path to the Symantec Enterprise Mobile Code Signing Certificate (.PFX) file.
PfxPassword - The password of the Symantec Enterprise Mobile Code Signing Certificate.
PublisherId - The Publisher ID of the enterprise. If absent, the 'Subject' field of the Symantec Enterprise Mobile
Code Signing Certificate is used.
SdkPath - The path to the root folder of the Windows SDK for Windows 10. This argument is optional and defaults to
${env:ProgramFiles(x86)}\Windows Kits\10.

The script will output the signed version of the Windows 10 Company Portal app when it has finished running. You
can then assign the signed version of the app as an LOB app via Intune, which will upgrade the currently assigned
versions to this new app.
How to add Windows line-of-business (LOB) apps to
Microsoft Intune
6/19/2017 2 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

Step 1 - Specify the software setup file


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Manage apps.
4. In the Mobile apps workload, choose Manage > Apps.
5. Above the list of apps, choose Add.
6. In the Add App blade, choose Line-of-business app.

Step 2 - Configure the app package file


1. On the Add app blade, choose App package file.
2. On the App package file blade, choose the browse button, and select a Windows installation file with the
extension .msi (other installation file types are not supported).
3. When you are finished, choose OK.

Step 3 - Configure app information


1. On the Add app blade, choose App information.
2. On the App information blade, configure the following information. Depending on the app you have chosen,
some of the values in this blade might have been automatically filled-in:
Name - Enter the name of the app as it will be displayed in the company portal. Make sure all app names
that you use are unique. If the same app name exists twice, only one of the apps will be displayed to users
in the company portal.
Description - Enter a description for the app. This will be displayed to users in the company portal.
Publisher - Enter the name of the publisher of the app.
Category - Select one or more of the built-in app categories, or a category you created. This will make it
easier for users to find the app when they browse the company portal.
Display this as a featured app in the Company Portal - Display the app prominently on the main
page of the company portal when users browse for apps.
Information URL - Optionally, enter the URL of a website that contains information about this app. The
URL will be displayed to users in the company portal.
Privacy URL - Optionally, enter the URL of a website that contains privacy information for this app. The
URL will be displayed to users in the company portal.
Command-line arguments - Optionally, enter any command line arguments that you want to apply to
the .msi file when it runs, like /q.
Developer - Optionally, enter the name of the app developer.
Owner - Optionally, enter a name for the owner of this app, for example, HR department.
Notes - Enter any notes you would like to associate with this app.
Logo - Upload an icon that will be associated with the app. This is the icon that will be displayed with the
app when users browse the company portal.
3. When you are finished, choose OK.

Step 4 - Finish up
1. On the Add app blade, verify the information you configured is correct.
2. Choose Add, to upload the app to Intune.
The app you have created will be displayed in the apps list where you can assign it to the groups you choose. For
help, see How to assign apps to groups.
How to assign apps to Android for Work devices with
Intune
6/19/2017 4 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

You assign apps to Android for Work devices in a different way than you assign them to standard Android devices.
All apps you install for Android for Work come from the Google Play for Work store. You log on to the store,
browse for the apps you want, and approve them. The app then appears in the Licensed apps node of the Intune
portal. From here, you can manage assignment of the app in the same way you would assign any other app.
Additionally, if you have created your own line of business (LOB) apps, you can assign them as follows:
Sign up for a Google Developer account that lets you publish apps to a private area in the Google Play store.
Synchronize the apps with Intune.

Before you start


Make sure you have configured Intune and Android for Work to work together in the Device enrollment workload
of the Intune portal.

Synchronize an app from the Google Play for Work store


1. Go to the Google Play for Work store. Sign in with the same account you used to configure the connection
between Intune and Android for Work.
2. Search the store for the app you want to assign using Intune.
3. On the page for the app you chose, choose Approve. In this example, you have chosen the Microsoft Excel app.

4. A window for the app opens asking you to give permissions for the app to perform various operations. Choose
Approve to continue.
5. The app is approved and displays in your IT admin console.

Publish, then synchronize, a line-of-business app from the Google Play for Work store

1. Go to the Google Play Developer Console, play.google.com/apps/publish.
2. Sign in with the same account you used to configure the connection between Intune and Android for Work. If
you are signing in for the first time, you must register, and pay a fee to become a member of the Google
Developer program.
3. In the console, choose Add new application.
4. You upload and provide information about your app in the same way as you publish any app to the Google Play
store. However, you must select the setting Only make this application available to my organization
(<organization name>):

This operation ensures that the app is only available to your organization, and is not available in the public
Google Play store. For more information about how to upload and publish Android apps, see the Google
Developer Console Help.
5. Once you have published your app, go to the Google Play for Work store. Sign in with the same account you
used to configure the connection between Intune and Android for Work.
6. In the Apps node of the store, verify you can see the app you have published. The app is automatically approved
to be synchronized with Intune.

Assign an Android for Work app


If you have approved an app from the store and don't see it in the Licensed apps node of the Mobile apps
workload, force an immediate sync as follows:
1. Sign into the Azure portal.
2. On the Intune blade, choose Mobile apps.
3. In the Mobile apps workload, choose Setup > Android for Work.
4. On the Android for Work blade, choose Sync Now.
5. The page also displays the time and status of the last sync.
When the app is displayed in the Licensed apps node of the Mobile apps workload, you can assign it just like you
would assign any other app. You can assign the app to groups of users only.
After you assign the app, it will be installed on the devices you targeted. The user of the device is not asked to
approve the installation.

Manage Android for Work app permissions


Android for Work requires you approve apps in Google's managed Play web console before syncing them to Intune
and assigning them to your users. Because Android for Work allows you to silently and automatically push these
apps to users' devices, you must accept the app's permissions on behalf of all your users. End users do not see any
app permissions when they install, so it's important that you read and understand these permissions.
When an app developer publishes a new version of the app with updated permissions, those permissions are not
automatically accepted, even if you've approved the previous permissions. Devices that run the old version of the
app can still use it. However, the app is not upgraded until the new permissions are approved. Devices without the
app installed do not install the app until you approve the app's new permissions.
How to update app permissions
Periodically visit the managed Google Play console to check for new permissions. You can configure Google Play to
send you or others an e-mail when new permissions are required for an approved app. If you assign an app and
observe it isn't installed on devices, check for new permissions with the following steps:
1. Visit http://play.google.com/work
2. Sign in with the Google account you used to publish and approve the apps.
3. Visit the Updates tab to see if any apps require an update. Any listed apps require new permissions and are not
assigned until they are applied.
Alternatively, you can configure Google Play to automatically reapprove app permissions on a per app basis.
How to assign apps to groups with Microsoft Intune
6/27/2017 3 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

Once you've added an app to Intune, you can assign it to users and devices.
Apps can be assigned to devices whether or not they are managed by Intune. Use the following table to help
you understand the various options for assigning apps to users and devices:

Capability | Devices enrolled with Intune | Devices not enrolled with Intune
Assign to users | Yes | Yes
Assign to devices | Yes | No
Assign wrapped apps, or apps incorporating the Intune SDK (for app protection policies) | Yes | Yes
Assign apps as Available | Yes | Yes
Assign apps as Required | Yes | No
Uninstall apps | Yes | No
End users install available apps from the Company Portal app | Yes | No
End users install available apps from the web-based Company Portal | Yes | Yes

NOTE
Currently, you can assign iOS and Android apps (both line of business and store-purchased) to devices that are not
enrolled with Intune.

How to assign an app


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Mobile apps.
4. In the Mobile Apps workload, choose Manage > Apps.
5. On the list of apps blade, click the app you want to assign.
6. On the <app name> - Overview blade, choose Manage > Assignments.
7. Choose Select Groups then, on the Select groups blade, choose the Azure AD groups to which you want to
assign the app.
8. For each app you choose, choose an assignment type for the app from:
Available - Users install the app from the Company Portal app or website.
Not Applicable - The app is not installed or shown in the Company Portal.
Required - The app is installed on devices in the selected groups.
Uninstall - The app is uninstalled from devices in the selected groups.
Available with or without enrollment - Assign this app to groups of users whose devices are not
enrolled with Intune.
9. Once you are done, choose Save.
The app is now assigned to the group you selected.

How conflicts between app intents are resolved


Sometimes, the same app is assigned to multiple groups, but with different intents. In these cases, use this table
to understand the resulting intent.

Group 1 intent | Group 2 intent | Resulting intent
User Required | User Available | Required and Available
User Required | User Not Available | Required
User Required | User Uninstall | Required
User Available | User Not Available | Not Available
User Available | User Uninstall | Uninstall
User Not Available | User Uninstall | Uninstall
User Required | Device Required | Both intents exist; resolved as Required
User Required | Device Uninstall | Both intents exist; resolved as Required
User Available | Device Required | Both intents exist; resolved as Required (Required and Available)
User Available | Device Uninstall | Both intents exist; resolved as Available. The app shows up in the Company Portal. If the app is already installed (as a required app under a previous intent), it is uninstalled. But if the user chooses Install in the Company Portal, the app is installed and the Uninstall intent is not honored.
User Not Available | Device Required | Required
User Not Available | Device Uninstall | Uninstall
User Uninstall | Device Required | Both intents exist; resolved as Required
User Uninstall | Device Uninstall | Both intents exist; resolved as Uninstall
Device Required | Device Uninstall | Required
User Required and Available | User Available | Required and Available
User Required and Available | User Uninstall | Required and Available
User Required and Available | User Not Available | Required and Available
User Required and Available | Device Required | Both intents exist; Required and Available
User Required and Available | Device Not Available | Required and Available
User Required and Available | Device Uninstall | Both intents exist; resolved as Required (Required and Available)
User Not Available | Device Not Available | Not Available
User Available | Device Not Available | Available
User Required | Device Not Available | Required
User Available without enrollment | User Required and Available | Required and Available
User Available without enrollment | User Required | Required
User Available without enrollment | User Not Available | Not Available
User Available without enrollment | User Available | Available
User Available without enrollment | Device Required | Required and Available without enrollment
User Available without enrollment | Device Not Available | Available without enrollment
User Available without enrollment | Device Uninstall | Uninstall and Available without enrollment. If the user didn't install the app from the Company Portal, the uninstall is honored. If the user installs the app from the Company Portal, the install is prioritized over the uninstall.
NOTE
For managed iOS store apps only, when you add these to Intune and assign them as Required, they are automatically
created with both Required, and Available intents.

Next steps
See How to monitor apps for information to help you monitor app assignments.
How to monitor app information and assignments
with Microsoft Intune
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

Intune provides a number of ways in which you can monitor the properties of apps you manage, as well as their
assignment status.
1. In the Mobile Apps workload, choose Manage > Apps.
2. In the list of apps blade, choose the app you want to see information for. You'll then see the <app name> -
Overview blade.


Then, take one of the following actions to learn more about your apps, and their assignments.

General
Overview - Provides a basic overview of the app, and information about the status of any assignments for
that app. You can choose one of the charts to open the Device install status or User install status blades to
get more detailed information.

Manage
Properties - Lets you view and change information about the selected app. For more information about app
properties, see How to add an app to Microsoft Intune.
Assignments - Provides information about assignments for this app. For more information, see How to
assign apps to groups with Microsoft Intune.

Monitor
Device install status - Provides detailed information for each device you assigned the selected app to
including the device name, operating system, when the device last checked-in to Intune, and the status of the
app installation.
User install status - Provides detailed information for each user to whom you assigned the selected app, including
the number of installations of the app the user has on all their devices, and information about any installation
failures.
How to use Microsoft Intune app configuration
policies for iOS
6/28/2017 5 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

Use app configuration policies in Microsoft Intune to supply settings that might be required when users run an iOS
app. For example, an app might require users to specify:
A custom port number.
Language settings.
Security settings.
Branding settings such as a company logo.
If users enter these settings incorrectly, this can increase the burden on your help desk and slow the adoption of
new apps.
App configuration policies can help you eliminate these problems by letting you assign these settings to users in a
policy before they run the app. The settings are then supplied automatically, and users need to take no action.
You do not assign these policies directly to users and devices. Instead, you associate a policy with an app, and then
assign the app. The policy settings will be used whenever the app checks for them (typically, the first time it is run).

TIP
This policy type is currently available only for devices running iOS 8.0 and later. It supports the following app installation
types:
Managed iOS app from the app store
App package for iOS
For more information about app installation types, see How to add an app to Microsoft Intune.

Create an app configuration policy


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Mobile apps.
4. In the Mobile apps workload, choose Manage > App Configuration Policies.
5. In the list of policies blade, choose Add.
6. On the Add Configuration Policy blade, supply a name and an optional description for the app
configuration policy.
7. Choose Associated App, then, on the Associated App blade, choose the managed app to which you want to
apply the configuration.
8. On the Add Configuration Policy blade, choose Configuration settings and then, on the Configuration
Settings blade, choose how you want to specify the XML values that make up the configuration profile from:
Enter XML data - enter or paste an XML property list that contains the app configuration settings that
you want. The format of the XML property list will vary depending on the app you are configuring.
Contact the supplier of the app for details about the exact format to use. Intune checks that the XML you
entered is in a valid format. It does not check that the XML property list will work with the app that it is
associated with. To find out more about XML property lists, see Understanding XML Property Lists in the
iOS Developer Library.
Use configuration designer - Lets you specify XML key and value pairs directly in the portal.
9. When you're done, go back to the Add Configuration Policy blade, and hit Create.
The policy will be created and appears on the policies list blade.
Then, continue to assign and monitor the app as usual.
When the assigned app is run on a device, it will run with the settings that you configured in the app configuration
policy.

TIP
If two or more app configuration policies for the same app conflict, neither policy is enforced.

Create a MAM targeted configuration policy


MAM targeted configuration allows an app to receive configuration data through the Intune App SDK. The format
and variants of this data must be defined and communicated to Intune customers by the application
owner/developer. Intune administrators can target and deploy configuration data via the Intune Azure console.
MAM targeted configuration data can be provided via the MAM Service to MAM-WE enabled applications. For
example, Intune Managed Browser has an allowed/blocked URL list. The application configuration data is pushed
through our MAM Service directly to the app instead of through the MDM channel. MDM app configuration
policies are the native solution through MDM. The key difference with MAM targeted configuration is that the
device that the app runs on does not need to be MDM-enrolled. MAM targeted configuration is available on iOS
and Android. For iOS, the app must have incorporated Intune APP SDK for iOS (v 7.0.1) and be participating in app
config settings. The steps for creating a MAM targeted configuration policy are as follows:
1. Sign into the Azure portal.
2. Choose Intune > Mobile apps - App configuration policies.
3. On the App configuration policies blade, choose Add.
4. Enter a Name, and optional Description for the app configuration settings and choose Not enrolled with
Intune.
5. Choose Select required apps and then, on the Targeted apps blade, choose apps for the platforms you
intend.
Note: For LOB apps, select More apps. Enter the package ID for your application.
6. Choose OK to return to the Add app configuration blade.
7. Choose Define configuration. On the Configuration blade, you define key and value pairs to supply
configurations.
8. When you are done, choose OK.
9. On the Add app configuration blade, choose Create.
The new configuration is created, and displayed on the App configuration blade.
Then, continue to assign and monitor the app as usual.
When the assigned app (integrated with the Intune APP SDK) is run on a device, it will run with the settings that
you configured in the MAM targeted configuration policy. The assigned app needs to have integrated the
supported version of the Intune APP SDK. For more information about the app development requirements to use
MAM Targeted Configuration policies, see iOS Intune APP SDK Integration Guide.
For more information about the capabilities of the Graph API with respect to the MAM targeted config values, see
Graph API Reference MAM Targeted Config.

Information about the XML file format


Intune supports the following data types in a property list:
<integer>
<real>
<string>
<array>
<dict>
<true /> or <false />
For more information about data types, see About Property Lists in the iOS Developer Library.
Additionally, Intune supports the following token types in the property list:
{{userprincipalname}} - (Example: John@contoso.com)
{{mail}} - (Example: John@contoso.com)
{{partialupn}} - (Example: John)
{{accountid}} - (Example: fc0dc142-71d8-4b12-bbea-bae2a8514c81)
{{deviceid}} - (Example: b9841cd9-9843-405f-be28-b2265c59ef97)
{{userid}} - (Example: 3ec2c00f-b125-4519-acf0-302ac3761822)
{{username}} - (Example: John Doe)
{{serialnumber}} - (Example: F4KN99ZUG5V2) for iOS devices
{{serialnumberlast4digits}} - (Example: G5V2) for iOS devices
The {{ and }} characters are used by token types only and must not be used for other purposes.

Example format for an app configuration XML file


When you create an app configuration file, you can specify one or more of the following values by using this
format:
<dict>
<key>userprincipalname</key>
<string>{{userprincipalname}}</string>
<key>mail</key>
<string>{{mail}}</string>
<key>partialupn</key>
<string>{{partialupn}}</string>
<key>accountid</key>
<string>{{accountid}}</string>
<key>deviceid</key>
<string>{{deviceid}}</string>
<key>userid</key>
<string>{{userid}}</string>
<key>username</key>
<string>{{username}}</string>
<key>serialnumber</key>
<string>{{serialnumber}}</string>
<key>serialnumberlast4digits</key>
<string>{{serialnumberlast4digits}}</string>
<key>udidlast4digits</key>
<string>{{udidlast4digits}}</string>
</dict>
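A check for the format described above, added here as an example (it is not code from the Intune documentation or the Intune APP SDK): it confirms that a dict fragment uses only the supported property-list types and token types, flags {{ or }} used outside a token, and then expands the tokens the way the service would for one user and device. The two sample fragments and the token values (taken from the token examples above) are constructed for the example.

```python
"""Validate and expand an Intune iOS app configuration <dict> fragment.
Added example for this page (not Intune documentation or SDK code): checks the
property-list types and {{token}} types against the lists above, flags {{ }}
used outside a token, then expands tokens with constructed sample values."""
import re
import xml.etree.ElementTree as ET

# Property-list element types and token types Intune supports (from the page).
SUPPORTED_TYPES = {"integer", "real", "string", "array", "dict", "true", "false"}
SUPPORTED_TOKENS = {"userprincipalname", "mail", "partialupn", "accountid", "deviceid",
                    "userid", "username", "serialnumber", "serialnumberlast4digits"}

TOKEN_RE = re.compile(r"\{\{(.*?)\}\}")    # a well-formed {{token}}
STRAY_BRACE_RE = re.compile(r"\{\{|\}\}")  # braces left once tokens are removed

def validate_config(xml_text):
    """Return a list of problems found in the fragment (empty when it is valid)."""
    root = ET.fromstring(xml_text)
    if root.tag != "dict":
        return ["root element must be <dict>, got <%s>" % root.tag]
    problems = []
    _walk(root, "", problems)
    return problems

def _walk(node, path, problems):
    """Check one plist node recursively; `path` is the chain of keys above it."""
    if node.tag == "dict":
        children = list(node)
        if len(children) % 2:
            problems.append("%s: <dict> has a <key> without a value" % (path or "/"))
        for i in range(0, len(children) - 1, 2):
            key, value = children[i], children[i + 1]
            if key.tag != "key":
                problems.append("%s: expected <key>, got <%s>" % (path or "/", key.tag))
                continue
            _walk(value, "%s/%s" % (path, key.text or ""), problems)
    elif node.tag == "array":
        for i, item in enumerate(node):
            _walk(item, "%s[%d]" % (path, i), problems)
    elif node.tag not in SUPPORTED_TYPES:
        problems.append("%s: unsupported type <%s>" % (path, node.tag))
    elif node.tag == "string":
        text = node.text or ""
        for token in TOKEN_RE.findall(text):
            if token not in SUPPORTED_TOKENS:
                problems.append("%s: unknown token {{%s}}" % (path, token))
        # With well-formed tokens stripped, any brace pair left is a misuse of {{ }}.
        if STRAY_BRACE_RE.search(TOKEN_RE.sub("", text)):
            problems.append("%s: {{ or }} used outside a token" % path)

def expand_tokens(xml_text, context):
    """Substitute token values from `context` into every <string>, as the service
    does for one user and device; unknown tokens are left in place."""
    root = ET.fromstring(xml_text)
    for element in root.iter("string"):
        if element.text:
            element.text = TOKEN_RE.sub(
                lambda m: context.get(m.group(1), m.group(0)), element.text)
    return ET.tostring(root, encoding="unicode")

def config_to_dict(xml_text):
    """Convert a <dict> fragment into plain Python values for inspection."""
    return _to_python(ET.fromstring(xml_text))

def _to_python(node):
    if node.tag == "dict":
        children = list(node)
        return {children[i].text: _to_python(children[i + 1])
                for i in range(0, len(children) - 1, 2)}
    if node.tag == "array":
        return [_to_python(child) for child in node]
    if node.tag == "integer":
        return int(node.text)
    if node.tag == "real":
        return float(node.text)
    if node.tag in ("true", "false"):
        return node.tag == "true"
    return node.text or ""

# Constructed sample: a valid fragment mixing tokens with fixed settings.
SAMPLE_CONFIG = """<dict>
<key>userprincipalname</key><string>{{userprincipalname}}</string>
<key>serialnumberlast4digits</key><string>{{serialnumberlast4digits}}</string>
<key>allowOfflineCache</key><true />
<key>syncWindowDays</key><integer>14</integer>
</dict>"""

# Constructed sample with two defects: an unsupported <date> type and an unknown token.
BAD_CONFIG = """<dict>
<key>expires</key><date>2017-06-19T00:00:00Z</date>
<key>owner</key><string>{{upn}}</string>
</dict>"""

# Constructed token values standing in for what Intune resolves for a real user and
# device (taken from the page's token examples).
SAMPLE_CONTEXT = {"userprincipalname": "John@contoso.com", "serialnumberlast4digits": "G5V2"}
```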
How to use Microsoft Intune app configuration policies for Android for Work
6/19/2017

APPLIES TO: INTUNE ON AZURE

Use app configuration policies in Microsoft Intune to supply settings that might be available when users run an
Android for Work app. Not all apps support app configuration. Check with the app's developer to see whether they
have built their app to support app configuration policies.
App configuration policies can help you pre-configure available app settings for your users before they run the
app. Some Android apps support managed configuration options that you can configure in the Intune console
with the configuration designer. Some configuration settings on apps (such as those with Bundle types) cannot be
configured with the configuration designer; you will need to use the JSON editor for those values. Settings are
supplied to apps automatically when the app is installed.
You do not assign these policies directly to users and devices. Instead, you associate a policy with an app, and then
assign the app. The policy settings are used when the app checks for them (typically the first time it is run).

Use configuration designer


1. In the Intune portal, choose Mobile apps. Under Manage, choose App configuration policies and then click
Add.
2. Set the following details:
Name - The name of the profile that will appear in the Intune console
Description - The description of the profile that will appear in the Intune console
Platform - Select Android
Device enrollment type - Enrolled with Intune is pre-selected for you.
3. Select Associated App to choose the app for which you want to define a configuration policy. Select from the
list of Android for Work apps that you have approved and synchronized with Intune.
4. Select Configuration settings.
5. For Configuration settings format, select Use configuration designer.
6. Choose Add. A list of available configuration settings is displayed. The list includes:
Configuration keys - Name of the setting.
Value type - The setting that can be configured, for example Boolean or String.
Description - A description of the configuration setting.
7. Select the checkboxes of settings you want to configure with this profile, and then click OK.
8. A list of your selected settings is displayed with the available Configuration value. Specify a value for each
setting, and then click OK.

Use JSON editor


1. In the Intune portal, choose Mobile apps. Under Manage, choose App configuration policies and then click
Add.
2. Set the following details:
Name - The name of the profile that will appear in the Intune console
Description - The description of the profile that will appear in the Intune console
Platform - Select Android
Device enrollment type - Enrolled with Intune is pre-selected for you.
3. Select Associated App to choose the app for which you want to define a configuration policy. Select from the
list of Android for Work apps that you have approved and synchronized with Intune.
4. Select Configuration Settings.
5. For Configuration settings format, select Enter JSON editor.
6. In the editor you can define JSON values for configuration settings. You can choose Download JSON
template to download a sample file that you can then configure.
7. When you're done, choose OK and then click Add.
The policy is created and appears on the policies list blade.
Then, continue to assign and monitor the app as usual.
When the assigned app is run on a device, it will run with the settings that you configured in the app configuration
policy.

Preconfigure permissions grant state for apps


You can also preconfigure permissions for apps to access Android device features. By default, Android apps that
require device permissions, such as access to location or the device camera, prompt users to accept or deny
them. For example, if an app uses the device's microphone, the end user is prompted to grant the app
permission to use the microphone.
1. In the Intune portal, choose Mobile apps. Under Manage, choose App configuration policies and then click
Add.
2. Set the following details:
Name - The name of the profile that will appear in the Intune console
Description - The description of the profile that will appear in the Intune console
Platform - Select Android
Device enrollment type - Enrolled with Intune is pre-selected for you.
3. Select Associated App to choose the app for which you want to define a configuration policy. Select from the
list of Android for Work apps that you have approved and synchronized with Intune.
4. Select Permissions and then choose Add.
5. Select from the list of available app permissions and then choose OK.
6. Select an option for each permission to grant with this policy:
Prompt - Prompt the user to accept or deny.
Auto grant - Automatically approve without notifying the user.
Auto deny - Automatically deny without notifying the user.
7. To assign the app configuration policy, select the app configuration policy, select Assignment, and then select
Select groups.
8. Select the user groups to assign, and then choose Select.
9. Choose Save to assign the policy.
Use iOS mobile provisioning profiles to prevent your apps from expiring
6/19/2017

APPLIES TO: INTUNE ON AZURE

Introduction
Apple iOS line of business apps that are assigned to iPhones and iPads are built with an included provisioning
profile and code that is signed with a certificate. When the app is run, iOS confirms the integrity of the iOS app and
enforces policies that are defined by the provisioning profile. The following validations happen:
Installation file integrity - iOS compares the app's details with the enterprise signing certificate's public key.
If they differ, the app's content might have changed, and the app will not be allowed to run.
Capabilities enforcement - iOS attempts to enforce the app's capabilities from the enterprise provisioning
profile (not individual developer provisioning profiles) that are in the app installation (.ipa) file.
The enterprise signing certificate that you use to sign apps typically lasts for three years. However, the provisioning
profile expires after a year. While the certificate is still valid, Intune gives you the tools to proactively assign a new
provisioning profile to devices that have apps that are nearing expiry. After the certificate expires, you must sign
the app again with a new certificate and embed a new provisioning profile with the key of the new certificate.
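One way to find profiles approaching the one-year expiry described above before devices are affected, added here as an example (not Intune's or Apple's code). It assumes the standard layout of a .mobileprovision file, a CMS (PKCS#7) signature wrapping an XML property list with keys such as Name, UUID, TeamName and ExpirationDate; the 60-day warning threshold, and the team and profile names in the constructed sample, are assumptions for the example.

```python
"""Report how close an iOS provisioning profile is to expiring.
Added example for this page (not Intune documentation or Apple tooling). Assumes the
standard layout of a .mobileprovision file: a CMS (PKCS#7) signature wrapping an XML
property list with keys such as Name, UUID, TeamName and ExpirationDate. The
signature itself is not verified here; the aim is to list profiles to replace in time."""
import datetime
import plistlib

WARN_DAYS = 60  # assumed threshold for "nearing expiry"; tune to your rollout cadence

def _as_datetime(value):
    """Accept a naive datetime or an ISO 8601 string such as 2018-06-19T12:00:00."""
    return datetime.datetime.fromisoformat(value) if isinstance(value, str) else value

def extract_plist(profile_bytes):
    """Pull the XML property list out of the signed .mobileprovision container."""
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded property list found")
    return plistlib.loads(profile_bytes[start:end + len(b"</plist>")])

def profile_status(profile_bytes, now=None):
    """Summarise a profile: identity, expiry date, days left and whether to act."""
    info = extract_plist(profile_bytes)
    now = _as_datetime(now) if now is not None else \
        datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    expires = info["ExpirationDate"]  # plistlib returns a naive datetime in UTC
    days_left = (expires - now).days
    return {
        "name": info.get("Name"), "uuid": info.get("UUID"), "team": info.get("TeamName"),
        "expires": expires, "days_left": days_left,
        "expired": days_left < 0,
        "renew_soon": 0 <= days_left <= WARN_DAYS,
    }

def profiles_needing_action(profiles, now=None):
    """Given {label: profile bytes}, return the labels that are expired or expiring soon."""
    flagged = []
    for label, blob in profiles.items():
        status = profile_status(blob, now)
        if status["expired"] or status["renew_soon"]:
            flagged.append(label)
    return flagged

def build_sample_profile(expiration):
    """Constructed stand-in for a real .mobileprovision: placeholder bytes where the
    CMS signature would sit, around a plist carrying the usual keys."""
    expiration = _as_datetime(expiration)
    plist = plistlib.dumps({
        "Name": "Contoso LOB Distribution",                  # constructed
        "UUID": "00000000-0000-0000-0000-000000000000",      # placeholder
        "TeamName": "Contoso Ltd",                           # constructed
        "CreationDate": expiration - datetime.timedelta(days=365),
        "ExpirationDate": expiration,
        "ProvisionsAllDevices": True,
    })
    return b"\x30\x82CMS-SIGNATURE-PLACEHOLDER" + plist + b"SIGNATURE-TRAILER-PLACEHOLDER"
```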

How to create an iOS mobile app provisioning profile


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Mobile apps.
4. In the Mobile apps workload, choose Manage > iOS provisioning profiles.
5. In the list of profiles blade, choose Create profile.
6. In the Create profile blade, configure the following values:
Name - Provide a name for this mobile provisioning profile.
Description - Optionally, provide a description for the policy.
Upload profile file - Choose Import, and then choose an Apple Mobile Configuration Profile file (with
the extension .mobileprovision) that you downloaded from the Apple Developer website.
7. When you are done, choose Create.

Next steps
Assign the profile to the required iOS devices. For more information, use the steps in How to assign device profiles.
How to wipe only corporate data from Intune-managed apps
6/19/2017

APPLIES TO: INTUNE ON AZURE

When a device is lost or stolen, or if the employee leaves your company, you want to make sure company app data
is removed from the device. But you might not want to remove personal data on the device, especially if this is an
employee-owned device.
To selectively remove company app data, create a wipe request by using the steps in this topic. After the request is
finished, the next time the app runs on the device, company data is removed from the app.

IMPORTANT
Contacts synced directly from the app to the native address book are removed. Any contacts synced from the native address
book to another external source cannot be wiped. Currently, this only applies to the Microsoft Outlook app.

Create a wipe request


1. Sign in to the Azure portal.
2. Choose More Services, type Intune in the filter textbox, and select Intune. The Intune blade opens; choose
the Manage apps blade.
3. On the Mobile Apps blade, choose New wipe request. The New wipe request blade opens.
4. Choose User to open the User blade, and select the user whose app data you want to wipe.
5. Choose Device. This opens the Device blade, which lists all the devices associated with the selected user and
provides two columns: the device name, which is a friendly name defined by the user, and the device type,
which is its device platform. Select the device you want to wipe.
6. You are now back on the New wipe request blade. Choose OK to make a wipe request.
The service creates and tracks a separate wipe request for each protected app on the device, and the user
associated with the wipe request.

Monitor your wipe requests


You can have a summarized report that shows the overall status of the wipe request, and includes the number of
pending requests and failures. To get more details, follow these steps:
1. On the Mobile Apps - App Selective Wipe blade, you can see the list of your requests grouped by users.
Because the system creates a wipe request for each protected app running on the device, you might see
multiple requests for a user. The status indicates whether a wipe request is pending, failed, or successful.
Additionally, you can see the device name and its device type, which can be helpful when reading the
reports.

IMPORTANT
The user must open the app for the wipe to occur, and the wipe may take up to 30 minutes after the request was made.

Delete a wipe request


Wipes with pending status are displayed until you manually delete them. To manually delete a wipe request:
1. On the Wipe request blade, choose the Wipe request tile to open the Wipe request blade.
2. Right-click on the wipe request you want to delete, then choose Delete wipe request.

3. You're prompted to confirm the deletion; choose Yes or No, then click OK.
See also
What's app protection policy
What's app management
Manage volume-purchased apps and books with Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

Some app stores give you the ability to purchase multiple licenses for an app or books that you want to use in your
company. Buying licenses in bulk can help you reduce the administrative overhead of tracking multiple purchased
copies of apps and books.
Microsoft Intune helps you manage apps and books that you purchased through such a program. You can import
license information from the store, track how many licenses you have used, and ensure you don't install more
copies of the app or book than you own.

Which types of apps and books can you manage?


With Intune, you can manage apps and books that you purchased in volume from the iOS store, and manage apps
that you purchased from the Windows Store for Business. To discover how to manage licensed apps from each
store, choose one of the following topics:
Manage iOS volume-purchased apps
Manage volume-purchased apps from the Windows Store for Business
How to manage iOS eBooks
How to manage iOS apps you purchased through a volume-purchase program with Microsoft Intune
6/27/2017

APPLIES TO: INTUNE ON AZURE

The iOS app store lets you purchase multiple licenses for an app that you want to run in your company.
Purchasing multiple copies of an app helps you reduce the administrative overhead of tracking multiple purchased
copies of apps.
Microsoft Intune helps you manage apps that you purchased through this program by:
Importing the license information from the app store
Tracking how many of the licenses you have used
Preventing you from installing more copies of the app than you own
Additionally, you can synchronize, manage, and assign books you purchased from the Apple volume-purchase
program store with Intune. Use the Books workload in the Intune portal to manage books. The procedures to
manage books are the same as you use for managing apps. You must have uploaded an Apple Volume Purchase
Program token before you start. Currently, you can only assign books as a Required install. When you assign a
book to a device, that device must have the built-in iBooks app installed. If it is not, the end user must reinstall the
app in order to read the book. You cannot currently use Intune to restore removed built-in apps.

Manage volume-purchased apps for iOS devices


Purchase multiple licenses for iOS apps through the Apple Volume Purchase Program for Business or the Apple
Volume Purchase Program for Education. This process involves setting up an Apple VPP account from the Apple
website and uploading the Apple VPP token to Intune. You can then synchronize your volume purchase
information with Intune and track your volume-purchased app use.

Before you start


Before you start, you need to get a VPP token from Apple and upload it to your Intune account. Additionally, you
should understand the following criteria:
You can associate multiple volume-purchase program tokens with your Intune account.
If you previously used a VPP token with a different product, you must generate a new one to use with Intune.
Each token is valid for one year.
By default, Intune syncs with the Apple VPP service twice a day. You can start a manual sync at any time.
After you have imported the VPP token to Intune, do not import the same token to any other device
management solution. Doing so might result in the loss of license assignment and user records.
Before you start to use iOS VPP with Intune, remove any existing VPP user accounts created with other mobile
device management (MDM) vendors. Intune does not synchronize those user accounts into Intune as a security
measure. Intune only synchronizes data from the Apple VPP service that Intune created.
Intune supports adding up to 256 VPP tokens.
If you assign a volume-purchased app for a device enrolled through a Device Enrollment Profile or Apple
Configurator, only apps that are targeted to devices work. You cannot target volume-purchased apps to users
of a DEP device, which does not have any user affinity.
A VPP token is only supported for use on one Intune account at a time. Do not reuse the same VPP token for
multiple Intune tenants.

To get and upload an Apple VPP token


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Mobile apps.
4. In the Mobile Apps workload, choose Setup > iOS VPP Tokens.
5. On the list of VPP tokens blade, click Add.
6. On the New VPP Token blade, specify the following information:
VPP token file - If you haven't already, sign up for the Volume Purchase Program for Business or the
program for Education. After you sign up, download the Apple VPP token for your account and select it
here.
Apple ID - Enter the Apple ID of the account associated with the volume-purchase program.
Type of VPP account - Choose from Business or Education.
7. When you are done, click Upload.
The token is displayed in the list of tokens blade.
You can synchronize the data held by Apple with Intune at any time by choosing Sync now.

NOTE
Microsoft Intune only syncs information for apps that are publicly available through the iTunes Store. Custom B2B apps
for iOS are not yet supported. If your scenario targets such apps, the app information is not synchronized.

To assign a volume-purchased app


1. In the Mobile Apps workload, choose Manage > Licensed Apps.
2. On the list of apps blade, choose the app you want to assign, and then choose '...' > Assign Groups.
3. On the <app name> - Groups Assigned blade, choose Manage > Groups Assigned.
4. Choose Assign Groups then, on the Select groups blade, choose the Azure AD user or device groups to which
you want to assign the app. You must choose an assignment action of Required. Additionally, assignments to
device groups are available to new tenants created after January 2017. If your tenant was created before this
date, and you do not have the option to assign VPP apps to device groups, contact Intune support.
5. Once you are done, choose Save.

NOTE
The list of apps displayed is associated with a token. If you have an app that is associated with multiple VPP tokens, you see
the same app displayed multiple times, once for each token.

See How to monitor apps for information to help you monitor app assignments.

Further information
When you assign the app as a Required installation, each user who installs the app uses a license.
To reclaim a license, you must change the assignment action to Uninstall. The license will be reclaimed after the
app is uninstalled.
When a user with an eligible device first tries to install a VPP app, they are asked to join the Apple Volume
Purchase program. They must join before the app installation proceeds. The invitation to join the Apple Volume
Purchase program requires that the user can use the iTunes app on the iOS device. If you have set a policy to
disable the iTunes Store app, user-based licensing for VPP apps does not work. The solution is to either allow the
iTunes app by removing the policy, or use device-based licensing.
When you assign a VPP app as Available, the app content and license are assigned directly from the app store.
How to manage apps you purchased from the Windows Store for Business with Microsoft Intune
6/29/2017

APPLIES TO: INTUNE ON AZURE

The Windows Store for Business gives you a place to find and purchase apps for your organization, individually, or
in volume. By connecting the store to Microsoft Intune, you can manage volume-purchased apps from the Intune
portal. For example:
You can synchronize the list of apps you have purchased from the store with Intune.
Apps that are synchronized appear in the Intune administration console; you can assign these apps like any
other apps.
You can track how many licenses are available, and how many are being used in the Intune administration
console.
Intune blocks assignment and installation of apps if there are an insufficient number of licenses available.

Before you start


Review the following information before you start syncing and assigning apps from the Windows Store for
Business:
Configure Intune as the mobile device management authority for your organization.
You must have signed up for an account on the Windows Store for Business.
Once you have associated a Windows Store for Business account with Intune, you cannot change to a different
account in the future.
Apps purchased from the store cannot be manually added to or deleted from Intune. They can only be
synchronized with the Windows Store for Business.
Intune synchronizes both online and offline licensed apps you have purchased from the Windows Store for
Business.
Only offline apps that are free of charge can be synced to Intune.
To use this capability, devices must be joined to Active Directory Domain Services, or workplace-joined.
Enrolled devices must be using the 1511 release of Windows 10 or later.

Associate your Windows Store for Business account with Intune


Before you enable synchronization in the Intune console, you must configure your store account to use Intune as a
management tool:
1. Ensure that you sign into the Business Store using the same tenant account you use to sign into Intune.
2. In the Business Store, choose Settings > Management tools.
3. On the Management tools page, choose Add a management tool, and choose Microsoft Intune.
NOTE
You could previously only associate one management tool to assign apps with the Windows Store for Business. You can now
associate multiple management tools with the store, for example, Intune and Configuration Manager.

You can now continue, and set up synchronization in the Intune console.

Configure synchronization
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Mobile apps.
4. On the Mobile Apps blade, choose Setup > Windows Store for Business.
5. Click Enable.
6. If you haven't already done so, click the link to sign up for the Windows Store for Business and associate your
account as detailed previously.
7. From the Language drop-down list, choose the language in which apps from the Windows Store for Business
are displayed in the Intune portal. Regardless of the language in which they are displayed, they are installed in
the end user's language when available.
8. Click Sync to get the apps you've purchased from the Windows Store into Intune.

Synchronize apps
1. In the Mobile apps workload, choose Setup > Windows Store for Business.
2. Click Sync to get the apps you've purchased from the Windows Store into Intune.

Assign apps
You assign apps from the store in the same way you assign any other Intune app. For more information, see How
to assign apps to groups with Microsoft Intune. However, instead of assigning apps from the All Apps page, you
assign them from the Licensed Apps page.
Offline apps can be targeted to user groups, device groups, or groups with users and devices. Offline apps can be
installed for a specific user on a device or for all users on a device.
When you assign a Windows Store for Business app, a license is used by each user who installs the app. If you use
all of the available licenses for an assigned app, you cannot assign any more copies. Take one of the following
actions:
Uninstall the app from some devices.
Reduce the scope of the current assignment, targeting only the users you have sufficient licenses for.
Buy more copies of the app from the Windows Store for Business.
How to manage iOS eBooks you purchased through a volume-purchase program with Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

The Apple Volume Purchase Program (VPP) lets you purchase multiple licenses for a book that you want to
distribute to users in your company. You can distribute books from the Business, or Education stores.
Microsoft Intune helps you synchronize, manage, and assign books that you purchased through this program. You
can import license information from the store and track how many of the licenses you have used.
The procedures to manage books are similar to managing VPP apps.

Manage volume-purchased books for iOS devices


You buy multiple licenses for iOS books through the Apple Volume Purchase Program for Business or the Apple
Volume Purchase Program for Education. This process involves setting up an Apple VPP account from the Apple
website and uploading the Apple VPP token to Intune. You can then synchronize your volume purchase information
with Intune and track your volume-purchased book use.

Before you start


Before you start, get a VPP token from Apple and upload it to your Intune account. Additionally:
You can associate up to 256 VPP tokens with your Intune account.
If you previously used a VPP token with a different product, you must generate a new one to use with Intune.
Each token is valid for one year.
By default, Intune syncs with the Apple VPP service twice a day. You can start a manual sync at any time.
After you have imported the VPP token to Intune, do not import the same token to any other device
management solution. Doing so might result in the loss of license assignment and user records.
Before you start to use iOS books with Intune, remove any existing VPP user accounts created with other mobile
device management (MDM) vendors. Intune does not synchronize those user accounts into Intune as a security
measure. Intune synchronizes only data from the Apple VPP service that Intune created.
Currently, you can only assign books as a Required install. When you assign the book as a Required
installation, each user who installs the book uses a license.
When you assign a book to a device, that device must have the built-in iBooks app installed. If it is not, the end
user must reinstall the app before they can read the book. You cannot currently use Intune to restore removed
built-in apps.
You can only assign books from the Apple Volume Purchase Program site. You cannot upload, then assign
books you created in-house.
You cannot currently assign books to end-user categories in the same way as you do apps.
You cannot reclaim a license once the book is assigned.
When a user with an eligible device first tries to install a VPP book, they must join the Apple Volume Purchase
program before they can install a book. You can also assign licenses to security groups with managed Apple IDs.
If you do this, then users are not prompted for their Apple ID when a book is installed.

To get and upload an Apple VPP token


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Mobile apps.
4. In the Mobile Apps workload, choose Setup > iOS VPP Tokens.
5. On the list of VPP tokens blade, click Add.
6. On the New VPP Token blade, specify the following information:
VPP token file - Ensure you have signed up for the Volume Purchase Program for Business or the Volume
Purchase Program for Education. Then, download the Apple VPP token for your account and select it here.
Apple ID - Enter the Apple ID of the account associated with the volume-purchase program.
Type of VPP account - Choose from Business or Education.
7. When you are done, click Upload.
The token is displayed in the list of tokens blade.
You can synchronize the data held by Apple with Intune at any time by choosing Sync now.

To assign a volume-purchased book


1. In the eBooks workload, choose Manage > All eBooks.
2. On the list of books blade, choose the book you want to assign, and then choose '...' > Assign Groups.
3. On the <book name> - Groups Assigned blade, choose Manage > Groups Assigned.
4. Choose Assign Groups then, on the Select groups blade, choose the Azure AD user groups to which you want
to assign the book. Device groups are currently not supported. Choose an assignment action of Required.
5. Once you are done, choose Save.

Next steps
See How to monitor apps for information to help you monitor book assignments.
How to configure the Microsoft Intune Company Portal app
6/19/2017

APPLIES TO: INTUNE ON AZURE

The Microsoft Intune company portal is where users access company data and can do common tasks like enrolling
devices, installing apps, and locating information for assistance from your IT department.

TIP
When you customize the Company Portal, the configurations apply to both the Company Portal website and Company
Portal apps.

Customizing the Company Portal helps provide a familiar and helpful experience for your end users. To do so, from
the Mobile apps workload, choose Setup > Company Portal Branding, then configure the required settings.

Company contact information and privacy statement


The company name is displayed as the Company Portal title. The contact information and details are displayed to
users in the Contact IT screen of the Company Portal. The privacy statement is displayed when a user clicks on the
privacy link.

FIELD NAME (MAX LENGTH) - MORE INFORMATION
Company name (40) - This name is displayed as the title of the Company Portal.
IT department contact name (40) - This name is displayed on the Contact IT page.
IT department phone number (20) - This contact number is displayed on the Contact IT page.
IT department email address (40) - This contact address is displayed on the Contact IT page. You must enter a
valid email address in the format alias@domainname.com.
Additional information (120) - Displayed on the Contact IT page.
Company privacy statement URL (79) - You can specify your own company privacy statement that appears when
users click the privacy links from the Company Portal. You must enter a valid URL in the format
https://www.contoso.com.

Support contacts
The support website is displayed to users in the Company Portal to enable them to access online support.

FIELD NAME (MAX LENGTH) - MORE INFORMATION
Support website URL (150) - If you have a support website that you want your users to use, specify the URL here.
The URL must be in the format https://www.contoso.com. If you don't specify a URL, nothing is displayed for the
support website on the Contact IT page in the Company Portal.
Support website name (40) - This name is the friendly name that is displayed for the URL to the support website.
If you specify a support website URL and no friendly name, then Go to IT website is displayed on the Contact IT
page in the Company Portal.

Company branding customization


You can customize your Company Portal with your company logo, company name, theme color and background.

FIELD NAME - MORE INFORMATION
Theme color - Select a theme color to apply to the Company Portal.
Show company logo - When you enable this option, you can upload your company logo to show in your Company
Portal. You can upload two logos: one that is displayed when the Company Portal background is white, and one
that is displayed when the Company Portal background uses your selected theme color. Each logo must be a .png
or .jpg file and have a maximum resolution of 400 x 100 pixels and be 750 KB or less in size. You can also show
the company name you entered next to the uploaded logo.

After you save your changes, you can choose Preview your settings in the Intune Web Portal to see how your
configurations will look.
Manage Internet access using Managed Browser policies with Microsoft Intune
6/29/2017

APPLIES TO: INTUNE ON AZURE

The Managed Browser is a web browsing app that you can download from public app stores for use in your
organization. When configured with Intune, the Managed Browser can be:
Used to access corporate sites and SaaS apps with Single Sign-On via the MyApps service, while keeping web
data protected.
Pre-configured with a list of URLs and domains to restrict which sites the user can navigate to in the corporate
context.
Pre-configured with a homepage, and bookmarks you specify (Android only).
Because this app has integration with the Intune SDK, you can also apply app protection policies to it. These
policies include controlling the use of cut, copy, and paste, preventing screen captures, and ensuring that links to
content that users select open only in other managed apps. For details, see What are app protection policies? You
can apply these settings to devices that are enrolled with Intune, enrolled with another device management
product, or to devices that are not managed.

IMPORTANT
The Managed Browser app only retrieves and applies Intune app protection policies when another app on the device has
retrieved an app protection policy.

If users install the Managed Browser from the app store and Intune does not manage it, it can be used as a basic
web browser, with support for Single Sign-On through the Microsoft MyApps site. Users are taken directly to the
MyApps site, where they can see all of their provisioned SaaS applications. As long as the Managed Browser is not
managed by Intune, it cannot access data from other Intune-managed applications.
The Managed Browser does not support the Secure Sockets Layer version 3 (SSLv3) cryptographic protocol.
You can create Managed Browser policies for the following device types:
Devices that run Android 4 and later
Devices that run iOS 8.0 and later
The Intune Managed Browser supports opening web content from Microsoft Intune application partners.

Create a Managed Browser app configuration


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune App Protection.
3. On the Settings blade of the Intune mobile application management dashboard, choose App configuration.
4. On the App Configuration blade, choose Add Config.
5. On the Add app configuration blade, enter a Name, and optional Description for the app configuration
settings.
6. Choose Select required apps and then, on the Targeted apps blade, choose the Managed Browser for iOS,
for Android, or for both.
7. Choose OK to return to the Add app configuration blade.
8. Choose Define configuration. On the Configuration blade, you define key and value pairs to supply
configurations for the Managed Browser. Use the sections later in this topic to learn about the different key
and value pairs you can define.
9. When you are done, click OK.
10. On the Add app configuration blade, choose Create.
11. The new configuration is created, and displayed on the App configuration blade.

Assign the configuration settings you created


You assign the settings to Azure AD groups of users. If a user in an assigned group has the Managed Browser app
installed, the app is managed by the settings you specified.
1. On the Settings blade of the Intune mobile application management dashboard, choose App configuration.
2. From the list of app configurations, select the one you want to assign.
3. On the next blade, choose User Groups.
4. On the User groups blade, select the Azure AD group to which you want to assign the app configuration, and
then choose OK.

How to configure Application Proxy settings for the Managed Browser


The Intune Managed Browser and Azure AD Application Proxy can be used together to support the following
scenarios for users of iOS and Android devices:
A user downloads and signs in to the Microsoft Outlook app. Intune app protection policies are
automatically applied. They encrypt saved data and block the user from transferring corporate files to
unmanaged apps or locations on the device. When the user then clicks a link to an intranet site in Outlook,
you can specify that the link opens in the Managed Browser app, rather than another browser. The
Managed Browser recognizes that this intranet site has been exposed to the user through the Application
Proxy. The user is automatically routed through the Application Proxy, to authenticate with any applicable
multi-factor authentication, and conditional access before reaching the intranet site. This site, which could
previously not be found while the user was remote, is now accessible and the link in Outlook works as
expected.
A remote user opens the Managed Browser application and navigates to an intranet site using the internal
URL. The Managed Browser recognizes that this intranet site has been exposed to the user via the
Application Proxy. The user is automatically routed through the Application Proxy, to authenticate with any
applicable multi-factor authentication, and conditional access before reaching the intranet site. This site,
which could previously not be found while the user was remote, is now accessible.
Before you start
Ensure that your internal applications are published through Azure AD Application Proxy.
To configure Application Proxy and publish applications, see the setup documentation.
You must be using minimum version 1.2.0 of the Managed Browser app.
Users of the Managed Browser app have an Intune app protection policy assigned to the app.
Step 1: Enable automatic redirection to the Managed Browser from Outlook
Outlook must be configured with an app protection policy that enables the setting Restrict web content to
display in the Managed Browser.
Step 2: Assign an app configuration policy for the Managed Browser
This procedure configures the Managed Browser app to use app proxy redirection. Using the procedure to create
a Managed Browser app configuration, supply the following key and value pair:
Key
com.microsoft.intune.mam.managedbrowser.AppProxyRedirection
Value
true

How to configure the homepage for the Managed Browser (Android only)

This setting allows you to configure the homepage that users see when they start the Managed Browser or create
a new tab. Using the procedure to create a Managed Browser app configuration, supply the following key and
value pair:
Key
com.microsoft.intune.mam.managedbrowser.homepage
Value
Specify a valid URL. Incorrect URLs are blocked as a security measure.
Example: https://www.bing.com

How to configure bookmarks for the Managed Browser (Android only)


This setting allows you to configure a set of bookmarks that is available to users of the Managed Browser.
These bookmarks cannot be deleted or modified by users.
These bookmarks display at the top of the list. Any bookmarks that users create are displayed below these
bookmarks.
Using the procedure to create a Managed Browser app configuration, supply the following key and value pair:
Key
com.microsoft.intune.mam.managedbrowser.bookmarks
Value
The value for this configuration is a list of bookmarks. Each bookmark consists of the bookmark title, and the
bookmark URL. Separate the title, and URL with the | character.
Example: Microsoft Bing|https://www.bing.com
To configure multiple bookmarks, separate each title and URL pair with two pipe characters, ||
Example: Bing|https://www.bing.com||Contoso|https://www.contoso.com

How to specify allowed and blocked URLs for the Managed Browser
Using the procedure to create a Managed Browser app configuration, supply the following key and value pair:
Key
Choose from:
Specify allowed URLs (only these URLs are allowed; no other sites can be accessed):
com.microsoft.intune.mam.managedbrowser.AllowListURLs
Specify blocked URLs (all other sites can be accessed):
com.microsoft.intune.mam.managedbrowser.BlockListURLs

IMPORTANT
Do not specify both keys. If both keys are targeted to the same user, the allow key is used, as it's the most restrictive
option. Additionally, make sure not to block important pages like your company websites.

Value
The corresponding value for the key is a list of URLs. You enter all the URLs you want to allow or block as a single
value, separated by a pipe | character.
Examples:
URL1|URL2|URL3
http://*.contoso.com/*|https://*.bing.com/*|https://expenses.contoso.com
URL format for allowed and blocked URLs
Use the following information to learn about the allowed formats and wildcards that you can use when specifying
URLs in the allowed and blocked lists:
You can use the wildcard symbol (*) according to the rules in the permitted patterns table that follows.
Ensure that you prefix all URLs with http or https when entering them into the list.
You can specify port numbers in the address. If you do not specify a port number, the values used are:
Port 80 for http
Port 443 for https
Using wildcards for the port number is not supported. For example, http://www.contoso.com:* and
http://www.contoso.com:*/* are not supported.
Use the following table to learn about the permitted patterns that you can use when you specify URLs:

URL: http://www.contoso.com
Details: Matches a single page
Matches: www.contoso.com
Does not match: host.contoso.com; www.contoso.com/images; contoso.com/

URL: http://contoso.com
Details: Matches a single page
Matches: contoso.com/
Does not match: host.contoso.com; www.contoso.com/images; www.contoso.com

URL: http://www.contoso.com/*
Details: Matches all URLs that begin with www.contoso.com
Matches: www.contoso.com; www.contoso.com/images; www.contoso.com/videos/tvshows
Does not match: host.contoso.com; host.contoso.com/images

URL: http://*.contoso.com/*
Details: Matches all subdomains under contoso.com
Matches: developer.contoso.com/resources; news.contoso.com/images; news.contoso.com/videos
Does not match: contoso.host.com

URL: http://www.contoso.com/images
Details: Matches a single folder
Matches: www.contoso.com/images
Does not match: www.contoso.com/images/dogs

URL: http://www.contoso.com:80
Details: Matches a single page, by using a port number
Matches: http://www.contoso.com:80

URL: https://www.contoso.com
Details: Matches a single, secure page
Matches: https://www.contoso.com
Does not match: http://www.contoso.com

URL: http://www.contoso.com/images/*
Details: Matches a single folder and all subfolders
Matches: www.contoso.com/images/dogs; www.contoso.com/images/cats
Does not match: www.contoso.com/videos

The following are examples of some of the inputs that you cannot specify:
*.com
*.contoso/*
www.contoso.com/*images
www.contoso.com/*images*pigs
www.contoso.com/page*
IP addresses
https://*
http://*
http://www.contoso.com:*
http://www.contoso.com:*/*

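The URL pattern rules above, as an added example that is not part of Microsoft's documentation or of the Managed Browser itself: a Python validator and matcher for AllowListURLs and BlockListURLs values, so a list can be checked before it is pasted into the app configuration. It assumes the documented semantics (scheme required and matched exactly, default ports 80 and 443, a leading *. host wildcard and a trailing /* path wildcard only, IP addresses rejected), applies the *.microsoft.com exemption noted under Security and privacy, and treats a folder entry as also matching the folder itself, which the page does not state.

```python
"""Validator and matcher for Managed Browser allow/block URL list values.

Added example, not Microsoft's code: it encodes the documented URL pattern
rules. Behaviour the page does not spell out (a folder entry matching the
folder itself, the scope of the *.microsoft.com exemption) is an assumption.
"""
import ipaddress
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
# Optional leading "*." then at least two labels, so "*.com" and "*.contoso" fail.
_HOST_RE = re.compile(rf"^(?:\*\.)?{_LABEL}(?:\.{_LABEL})+$")
EXEMPT_SUFFIX = ".microsoft.com"   # documented: *.microsoft.com is always allowed


class PatternError(ValueError):
    """A list entry the Managed Browser would not accept."""


def parse_pattern(pattern):
    """Validate one entry and return (scheme, host, port, path); host keeps a
    leading "*." (all subdomains) and path a trailing "/*" (folder and subfolders)."""
    parts = urlsplit(pattern.strip())
    if parts.scheme not in DEFAULT_PORTS:
        raise PatternError(f"{pattern}: prefix the URL with http or https")
    host, sep, port_text = parts.netloc.lower().rpartition(":")
    if not sep:                 # no port: rpartition left the whole host in port_text
        host, port_text = port_text, ""
    if not port_text:
        port = DEFAULT_PORTS[parts.scheme]
    elif port_text.isdigit():
        port = int(port_text)
    else:                       # rejects http://www.contoso.com:* and :*/*
        raise PatternError(f"{pattern}: wildcard port numbers are not supported")
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip:
        raise PatternError(f"{pattern}: IP addresses are not supported")
    if not _HOST_RE.match(host):
        raise PatternError(f"{pattern}: host must be a full domain name, optionally prefixed with *.")
    path = parts.path or "/"
    if "*" in path and (path.count("*") > 1 or not path.endswith("/*")):
        raise PatternError(f"{pattern}: the only path wildcard allowed is a trailing /*")
    return parts.scheme, host, port, path


def is_valid_pattern(pattern):
    """True if the entry passes the documented format rules."""
    try:
        parse_pattern(pattern)
    except PatternError:
        return False
    return True


def parse_list(value):
    """Split one pipe-separated list value into validated patterns."""
    return [parse_pattern(entry) for entry in value.split("|") if entry.strip()]


def matches(compiled, url):
    """True if a browsed URL falls under one compiled pattern."""
    scheme, host, port, path = compiled
    parts = urlsplit(url)
    if parts.scheme != scheme or (parts.port or DEFAULT_PORTS[scheme]) != port:
        return False
    browsed_host = parts.hostname or ""
    if host.startswith("*."):
        if not browsed_host.endswith(host[1:]):   # "*.contoso.com" -> ".contoso.com"
            return False
    elif browsed_host != host:
        return False
    browsed_path = parts.path or "/"
    if path.endswith("/*"):
        folder = path[:-1]                         # "/images/*" -> "/images/"
        return browsed_path == folder.rstrip("/") or browsed_path.startswith(folder)
    return browsed_path.rstrip("/") == path.rstrip("/")


def evaluate(url, allow_value=None, block_value=None):
    """Decide "allow" or "block" for url. Documented precedence: *.microsoft.com
    is always allowed, and when both keys reach the same user the allow list wins."""
    if (urlsplit(url).hostname or "").endswith(EXEMPT_SUFFIX):
        return "allow"
    if allow_value:
        hit = any(matches(p, url) for p in parse_list(allow_value))
        return "allow" if hit else "block"
    if block_value:
        hit = any(matches(p, url) for p in parse_list(block_value))
        return "block" if hit else "allow"
    return "allow"
```

Running evaluate over a proxy or browser log of visited URLs before rollout shows which sites a proposed allow list would cut off.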
Security and privacy for the Managed Browser


On iOS devices, websites that users visit that have an expired or untrusted certificate cannot be opened.
The Managed Browser does not use settings that users make for the built-in browser on their devices. The
Managed Browser cannot access these settings.
If you configure the option Require simple PIN for access or Require corporate credentials for access
in an app protection policy associated with the Managed Browser, and a user selects the help link on the
authentication page, they can browse any Internet sites regardless of whether they were added to a block
list in the policy.
The Managed Browser can block access to sites only when they are accessed directly. It does not block
access when intermediate services (such as a translation service) are used to access the site.
To allow authentication, and access to Intune documentation, *.microsoft.com is exempt from the allow or
block list settings. It is always allowed.
Turn off usage data
Microsoft automatically collects anonymous data about the performance and use of the Managed Browser to
improve Microsoft products and services. Users can turn off data collection by using the Usage Data setting on
their devices. You have no control over the collection of this data.
What are Microsoft Intune device profiles?
6/29/2017 3 min to read

APPLIES TO: INTUNE ON AZURE

Use the Microsoft Intune Device configuration workload to manage settings and features on all of the devices
you manage. You mostly use this workload to create device profiles, which let you manage and control a whole
range of different features and functionality on devices.
When you open this workload, you see the following options:
Overview - This page gives you status and reports that help you monitor device configurations that you have
assigned to users and devices.
Manage Profiles - This section is where you go to create device configuration profiles. You can find a list of all
the profile types you can create later in this topic.
Setup Certificate Authority - This workflow walks you through the steps required to configure Intune
certificate profiles.

Getting started
The workflow for creating device profiles is similar for all profiles. Read How to create Microsoft Intune device
configuration profiles for information. Then read on for specific information about creating settings for each
profile type.
You can manage the following capabilities on your devices:

Device features
Device features let you control features on iOS and macOS devices like AirPrint, notifications, and shared device
configurations. For more information, see How to configure device feature settings. Supports: iOS and macOS.

Device restrictions
Device restrictions let you control many settings on devices you manage across categories including security,
hardware, and data sharing settings. For example, you could create a device restriction profile that prevents users
of iOS devices from accessing the device camera. For more information, see How to configure device restriction
settings. Supports: Android, iOS, macOS, Windows 10, and Windows 10 Team.

Email
Email profiles let you create, assign, and monitor Exchange ActiveSync email settings on devices you manage.
Email profiles help ensure consistency, reduce support calls, and let end-users access company email on their
personal devices without any required setup on their part. For more information, see How to configure email
settings. Supports: Android, iOS, Windows Phone 8.1, and Windows 10.

Wi-Fi
Use Wi-Fi profiles to assign wireless network settings to users and devices in your organization. When you assign
a Wi-Fi profile, your users get access to your corporate Wi-Fi without having to configure it themselves. For more
information, see How to configure Wi-Fi settings. Supports: Android, iOS, macOS, and Windows 8.1 (import only).

VPN
Virtual private networks (VPNs) give your users secure remote access to your company network. Devices use a
VPN connection profile to initiate a connection with the VPN server. Assign VPN profiles to users and devices in
your organization, so they can easily and securely connect to the network. For more information, see How to
configure VPN settings. Supports: Android, iOS, macOS, Windows Phone 8.1, Windows 8.1, and Windows 10.

Education
Lets you configure options for the Windows Take a Test app. When you configure these options, no other apps
can run on the device until the test is complete. For more information, see How to configure education settings.

Certificates
This profile type lets you configure trusted, SCEP, and PKCS certificates that can be assigned to devices and used
to authenticate Wi-Fi, VPN, and email profiles. For more information, see How to configure certificates. Supports:
Android, iOS, Windows Phone 8.1, Windows 8.1, and Windows 10.

Edition upgrade
This profile type lets you automatically upgrade devices that run some versions of Windows 10 to a newer edition.
For more information, see How to configure Windows 10 edition upgrades. Supports: Windows 10 only.

Endpoint protection
This profile type lets you configure BitLocker settings for Windows 10 devices. For more information, see Endpoint
protection settings for Windows 10. Supports: Windows 10 only.

Windows Information Protection


Windows Information Protection helps to protect against data leakage without otherwise interfering with the
employee experience. It also helps to protect enterprise apps and data against accidental data leaks on enterprise-
owned devices and personal devices that employees bring to work without requiring changes to your
environment or other apps. For more information, see How to configure Windows Information Protection.
Supports: Windows 10 only.

Custom
Custom settings let you assign device settings that are not built into Intune. For example, on Android devices, you
can specify OMA-URI values that configure the device. For iOS devices, you can import a configuration file you
created in the Apple Configurator. For more information, see How to configure custom settings. Supports: Android,
iOS, macOS, and Windows Phone 8.1.

Next steps
Choose one of the profile types from the list to get started configuring devices.
How to create device configuration profiles in
Microsoft Intune
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Configure devices.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the blade showing the list of profiles, choose Create Profile.
6. On the Create Profile blade, specify the following items:
Name - Enter a descriptive name for the new profile.
Description - Enter an optional description for the profile.
Platform - Select the platform type for the profile you want to create.
Profile type - Select the type of profile you want to create. The list of available types differs depending
on the platform you chose.
Settings - See the following topics for information about the settings for each profile type:
Device feature settings
Device restriction settings
Email settings
VPN settings
Wi-Fi settings
Windows 10 edition upgrade settings
Certificate settings
Windows Information Protection settings
Education settings
Custom settings
7. Once you are done configuring settings, on the Create Profile blade, choose Create.
The profile is created and appears on the profiles list blade. If you want to go ahead and assign this profile to
groups, see How to assign device profiles.
Next steps
For information about how to assign device profiles, see How to assign device profiles with Microsoft Intune.
How to configure device feature settings in Microsoft
Intune
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

Device features let you control features on iOS and macOS devices like AirPrint, notifications, and shared device
configurations.
Use the information in this topic to learn the basics about configuring device feature profiles, and then read further
topics for each platform to learn about device specifics.

Create a device profile containing device feature settings


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the profiles blade, choose Create Profile.
6. On the Create Profile blade, enter a Name and Description for the device features profile.
7. From the Platform drop-down list, select the device platform to which you want to apply the settings.
Currently, you can choose one of the following platforms for device features:
iOS
macOS
8. From the Profile type drop-down list, choose Device features.
9. Depending on the platform you chose, the settings you can configure will be different. Go to one of the
following topics for detailed settings for each platform:
AirPrint settings for iOS and macOS
AirPlay settings for iOS
Home screen layout settings for iOS
App notification settings for iOS
Shared device configuration settings for iOS
Web content filter settings for iOS
10. When you're done, go back to the Create Profile blade, and hit Create.
The profile is created and appears on the profiles list blade. If you want to go ahead and assign this profile to
groups, see How to assign device profiles.
AirPrint settings for iOS and macOS devices
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

Use these settings to configure iOS or macOS devices to automatically connect to AirPrint compatible printers on
your network. You'll need the IP address and resource path of your printers to proceed.

Find AirPrint printer information


Use this procedure to add AirPrint information to the AirPrint payload so that iOS device users can print to known
AirPrint printers.
1. On a Mac that's connected to the same local network (subnet) as the AirPrint printers, open Terminal (from
/Applications/Utilities).
2. In the Terminal, type ippfind, then press Enter.
3. Make a note of any printer information the command returns, for example:
ipp://myprinter.local.:631/ipp/port1. The first part of the information is the name of your printer and the last
part is the resource path.
4. In the Terminal, type ping myprinter.local, then press Enter.
5. Make a note of the IP address information returned by the command, for example, PING myprinter.local
(10.50.25.21).
6. Finally, use the IP address and resource path in the AirPrint payload settings. An example IP address might be
10.50.25.21, and an example resource path might be /ipp/port1.

Configure an AirPrint profile


1. On the Device features blade choose AirPrint.
2. On the AirPrint blade, to add an AirPrint destination, enter its IP address and resource path, and then click
Add.
3. Continue to add as many destinations as you need. When you are finished, choose OK.
You can also import a list of printers from a comma-separated values (.csv) file or export the list.
Intune AirPlay settings for iOS devices
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

Use these settings to help connect iOS devices you manage to AirPlay compatible devices (like Apple TVs) on your
network. With this capability you can:
Configure a device and password list - Let users automatically connect to AirPlay devices that are in range.
Provision them with the name and password of AirPlay devices so that they don't need to supply it when they
connect.
Configure allowed destinations - Configure a list of AirPlay devices (by device ID). End users can only see
and connect to the devices you list (for supervised devices only).

Get started
1. On the Device features blade, choose AirPlay.
2. On the AirPlay blade, choose one or both of the following actions:

Configure a device and password list


1. On the Passwords blade, enter the Device Name and Password of an AirPlay device, for example Contoso
Apple TV.
2. After entering the device details, click Add. The device appears in the Device Name list.
3. Continue to add devices. When you are finished, choose OK.

Configure allowed destinations


1. On the Allowed destinations (supervised only) blade, enter the Device ID of an AirPlay device, for example
52:46:CD:51:83:4C.
2. After entering the device ID, click Add. The ID appears in the Device ID list.
3. Continue to add devices. When you are finished, choose OK.
You can also import device names and passwords, and allowed destinations, from a comma-separated values (.csv) file.
Intune Home screen layout settings for iOS devices
6/19/2017 4 min to read

APPLIES TO: INTUNE ON AZURE

Use these settings to configure the layout of apps, folders, and web clips on the dock and Home screen of all iOS
devices to which you assign the policy.
iOS devices to which you assign the profile must be in supervised mode and running iOS 9.3 or later.
1. On the Device features blade choose Home Screen Layout (supervised only).
2. On the Home Screen Layout (supervised only) blade, choose whether you want to configure the Dock, or
Pages layouts.

Add items to the dock


On the Dock blade, you can add up to 6 items or folders to the dock at the bottom of the iOS screen. However,
many devices support fewer items than this; for example, iPhone devices support up to 4 items. In this case, only the
first four items you configured are displayed on the device.
1. Choose Add to add an item to the dock.
2. On the Add Row blade, choose whether you want to add an App, or a Folder.
3. Using the information in the How to add an app to the list and How to add a folder to the list sections in
this topic, configure the apps and folders you want to appear in the dock.
4. Continue to add items. When you are finished, click OK on each blade until you return to the Create Profile
blade. Choose Create.

TIP
You can drag and drop items in any Home screen and pages lists to reorder them.

Example
In this example, you've configured the dock screen to show only the Safari, Mail, and Stocks apps. In the following
image, the Mail app is selected to illustrate its properties:

When you assign the policy to an iPhone, the result will be a dock that looks similar to this:
Add Home screen pages
Add the pages you want to appear on the home screen, and the apps that will appear on each page. Apps that you
add to a page are arranged from left to right, in the order they are specified in the list. If you add more apps than
can fit on a page, the apps will be moved to a subsequent page.
1. On the Pages blade, choose Add.
2. On the Add Row blade, enter a Page name. This is used for your reference in the Intune portal, and is not
displayed on the iOS device.
3. Choose Add, then choose whether you want to add an App, or a Folder to the page.
4. Using the information in the How to add an app to the list and How to add a folder to the list sections in
this topic, configure the apps and folders you want to appear on the page.
Example
In this example, you've configured a new page named Contoso. The page shows only the Find Friends, and
Settings apps. In the following image, the Settings app is selected to illustrate its properties:

When you assign the policy to an iPhone, the result will be a page that looks similar to this:

How to add an app to the list


1. Enter the App Name. This is used for your reference in the Intune portal, and is not displayed on the iOS device.
2. Enter the App Bundle ID of the app you want to display. See Bundle ID reference for built-in iOS apps later
in this topic for help.
3. Click OK, then continue to add items, up to a maximum of 6 for the device dock, and 60 for a device page.
4. When you are finished, click OK.

How to add a folder to the list


Apps that you add to a page in a folder are arranged from left to right, in the order they are specified in the list. If
you add more apps than can fit on a page, the apps will be moved to a subsequent page.
1. Enter the Folder name. This will be displayed to users on their device.
2. Choose Add to create a page in the folder. You can add up to 20 pages.
3. On the Add Row blade, enter a name for the page. This is used for your reference in the Intune portal, and is not
displayed on the iOS device.
4. Enter the App Name. This is used for your reference in the Intune portal, and is not displayed on the iOS device.
5. Enter the App Bundle ID of the app you want to display. See How to add an app to the list for help.
6. Choose Add. You can add up to 60 items.
7. When you are finished, click OK.

Bundle ID reference for built-in iOS apps


This list shows the bundle ID of some common built-in iOS apps. To find the bundle ID of other apps, contact your
software vendor.

App name        Bundle ID
App Store       com.apple.AppStore
Calculator      com.apple.calculator
Calendar        com.apple.mobilecal
Camera          com.apple.camera
Clock           com.apple.mobiletimer
Compass         com.apple.compass
Contacts        com.apple.MobileAddressBook
FaceTime        com.apple.facetime
Find Friends    com.apple.mobileme.fmf1
Find iPhone     com.apple.mobileme.fmip1
Game Center     com.apple.gamecenter
GarageBand      com.apple.mobilegarageband
Health          com.apple.Health
iBooks          com.apple.iBooks
iTunes Store    com.apple.MobileStore
iTunes U        com.apple.itunesu
Keynote         com.apple.Keynote
Mail            com.apple.mobilemail
Maps            com.apple.Maps
Messages        com.apple.MobileSMS
Music           com.apple.Music
News            com.apple.news
Notes           com.apple.mobilenotes
Numbers         com.apple.Numbers
Pages           com.apple.Pages
Photo Booth     com.apple.Photo-Booth
Photos          com.apple.mobileslideshow
Podcasts        com.apple.podcasts
Reminders       com.apple.reminders
Safari          com.apple.mobilesafari
Settings        com.apple.Preferences
Stocks          com.apple.stocks
Tips            com.apple.tips
Videos          com.apple.videos
VoiceMemos      com.apple.VoiceMemos
Wallet          com.apple.Passbook
Watch           com.apple.Bridge
Weather         com.apple.weather
Intune app notifications settings for iOS devices
6/19/2017 2 min to read

APPLIES TO: INTUNE ON AZURE

Lets you configure how apps installed on a device send notifications. This setting supports supervised devices
running iOS 9.3 and later.

Configure settings
1. On the Device features blade choose App Notifications (supervised only).
2. On the App Notifications blade, choose Add, and then configure the following values:
App bundle ID - Enter the App Bundle ID of the app you want to configure. See Bundle ID reference
for built-in iOS apps later in this topic for help.
App name - Enter the name of the app you want to configure. This is not displayed on the device and is
used to help you identify the app in the list.
Publisher - Enter the publisher of the app you want to configure. This is not displayed on the device and
is used to help you identify the app in the list.
Notifications - Enable or disable the app from sending notifications to the device. If you disable this
setting, the following settings are also disabled.
Show in Notification Center - Enable to allow the app to show notifications in the device
Notification Center.
Show in Lock Screen - Enable to see notifications from the app on the device lock screen.
Alert type - Select the type of notification you want when the device is unlocked from:
None - No notification is displayed.
Banner - A banner is briefly displayed showing the notification.
Modal - The notification is displayed and the user must manually dismiss it before they can
continue to use the device.
Badge on app icon - Enable this to add a badge to the app icon to indicate the app sent a
notification.
Sounds - Enable to play a sound when a notification is delivered.
3. Continue to add as many apps as you need. When you are finished, choose OK.
4. Choose OK until you return to the Create Profile blade, then choose Create.

Bundle ID reference for built-in iOS apps


This list shows the bundle ID of some common built-in iOS apps. To find the bundle ID of other apps, contact your
software vendor.

App name        Bundle ID
App Store       com.apple.AppStore
Calculator      com.apple.calculator
Calendar        com.apple.mobilecal
Camera          com.apple.camera
Clock           com.apple.mobiletimer
Compass         com.apple.compass
Contacts        com.apple.MobileAddressBook
FaceTime        com.apple.facetime
Find Friends    com.apple.mobileme.fmf1
Find iPhone     com.apple.mobileme.fmip1
Game Center     com.apple.gamecenter
GarageBand      com.apple.mobilegarageband
Health          com.apple.Health
iBooks          com.apple.iBooks
iTunes Store    com.apple.MobileStore
iTunes U        com.apple.itunesu
Keynote         com.apple.Keynote
Mail            com.apple.mobilemail
Maps            com.apple.Maps
Messages        com.apple.MobileSMS
Music           com.apple.Music
News            com.apple.news
Notes           com.apple.mobilenotes
Numbers         com.apple.Numbers
Pages           com.apple.Pages
Photo Booth     com.apple.Photo-Booth
Photos          com.apple.mobileslideshow
Podcasts        com.apple.podcasts
Reminders       com.apple.reminders
Safari          com.apple.mobilesafari
Settings        com.apple.Preferences
Stocks          com.apple.stocks
Tips            com.apple.tips
Videos          com.apple.videos
VoiceMemos      com.apple.VoiceMemos
Wallet          com.apple.Passbook
Watch           com.apple.Bridge
Weather         com.apple.weather
Shared Device configuration settings to display
messages on the iOS device lock screen
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

Shared device configuration settings let you specify optional text displayed on the login window and lock screen
(for example, an "If Lost, Return to" message and asset tag information).

IMPORTANT
This capability is supported on supervised devices running iOS 9.3 and later.

1. On the Device features blade choose Shared Device Configuration (supervised only).
2. On the Shared Device Configuration (supervised only) blade, configure the following:
Asset tag information - Enter information about the asset tag of the device. For example: Owned by
Contoso Corp. The information you enter will be applied to all devices you assign this profile to.
Lock screen footnote - Enter a note that might help get the device returned if it's lost or stolen. For
example: If found, please call 'number'.
3. When you are finished, choose OK until you return to the Create Profile blade, then choose Create.
Web content filter settings for iOS devices
6/19/2017 2 min to read

APPLIES TO: INTUNE ON AZURE

Use these settings to configure URLs that end users of web browsers on iOS devices can, or cannot, visit. There are
two methods you can use to do this.
Configure URLs - Use Apple's built-in web filter that looks for adult terms like profanity or sexually explicit
language. This function evaluates each web page as it is loaded and attempts to identify and block
unsuitable content. Additionally, you can configure URLs that will not be checked by the filter, or URLs that
will always be blocked, regardless of the filter settings.
Specific websites only (for the Safari web browser only) - These URLs are added to the Safari browser's
bookmarks. The user is only allowed to visit these sites; no other sites can be accessed. Use this option only
if you know the exact list of URLs that can be accessed by users. If you do not specify any URLs, then end
users will not be able to access any websites except for microsoft.com, microsoft.net, and apple.com.

Get started
1. On the Device features blade choose Web Content Filter (supervised only).
2. On the Web Content Filter blade, choose the Filter type you want to configure from:
Not Configured - No filtering is performed.
Configure URLs
Specific websites only
3. Next, depending on the filter type you are using, follow the relevant procedure below.

Configure URLs
1. On the Web Content Filter blade, choose one or both of the following as required:
Permitted URLs - On the Permitted URLs blade, enter the URLs you want to allow (bypassing the Apple web filter), and press Enter after each.
Blocked URLs - On the Blocked URLs blade, enter the URLs you want to block (regardless of the Apple web filter settings), and press Enter after each.
2. When you are finished, click OK.

Specific websites only

1. On the Web Content Filter blade, for each web site you want to permit, enter the following:
URL - Enter the URL of the website you want to permit, for example, http://www.contoso.com.
Bookmark Path - Enter the path to the folder where you want the bookmark stored, for example /Contoso/Business Apps. If you don't specify a path, the bookmark is added to the default bookmark folder on the device.
Title - Enter a descriptive title for the bookmark.
2. Click Add after you enter the information for each website.
3. When you are finished, click OK.

IMPORTANT
The following URLs are permitted automatically by Intune.
www.microsoft.com
www.microsoft.net
www.apple.com

Finish up
Choose OK to return to the Create Profile blade, and then choose Create.
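The two filter modes above both end up as one Apple configuration-profile payload on the device. The following Python is an added example, not Intune's own code or anything from the page: it assumes Intune delivers Apple's standard com.apple.webcontent-filter payload (key names as in Apple's Configuration Profile Reference) and that the three hosts listed under IMPORTANT are the only ones reachable when the allow list is empty. The payload identifiers, the URL check and the sample site list are constructed for illustration.

```python
"""Model of the Apple web content filter payload behind Intune's Web Content Filter settings.

Added example, not Intune code. Assumes Intune delivers Apple's standard
com.apple.webcontent-filter payload (key names per Apple's Configuration
Profile Reference). Identifiers, URL checks and sample sites are constructed.
"""
import plistlib
import uuid
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlparse

PAYLOAD_TYPE = "com.apple.webcontent-filter"
# Hosts the page says Intune permits automatically in 'Specific websites only' mode.
INTUNE_ALWAYS_PERMITTED = ("www.microsoft.com", "www.microsoft.net", "www.apple.com")


def is_full_url(url: str) -> bool:
    """A bare 'contoso.com' has no scheme or host and would never match in the filter."""
    p = urlparse(url.strip())
    return p.scheme in ("http", "https") and bool(p.netloc)


def checked_url(url: str) -> str:
    if not is_full_url(url):
        raise ValueError(f"filter entries must be full http(s) URLs: {url!r}")
    return url.strip()


def _envelope(identifier: str) -> Dict[str, object]:
    """Common payload header. uuid5 keeps the UUID stable when the same profile is regenerated."""
    return {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_URL, identifier)).upper(),
    }


def configure_urls_payload(permitted: Iterable[str] = (), blocked: Iterable[str] = (),
                           identifier: str = "com.example.webfilter.auto") -> Dict[str, object]:
    """'Configure URLs' mode: Apple's built-in adult-content filter plus two exception lists.
    PermittedURLs bypass the automatic filter; BlacklistedURLs are blocked regardless of it."""
    permitted = [checked_url(u) for u in permitted]
    blocked = [checked_url(u) for u in blocked]
    both = set(permitted) & set(blocked)
    if both:
        raise ValueError(f"listed as both permitted and blocked: {sorted(both)}")
    payload = _envelope(identifier)
    payload.update({
        "FilterType": "BuiltIn",
        "AutoFilterEnabled": True,
        "PermittedURLs": permitted,
        "BlacklistedURLs": blocked,
    })
    return payload


def specific_websites_payload(sites: Iterable[Tuple[str, Optional[str], str]],
                              identifier: str = "com.example.webfilter.allowlist") -> Dict[str, object]:
    """'Specific websites only' mode: the allow list is delivered as Safari bookmarks.
    Each site is (url, bookmark path or None, title); every other site is unreachable."""
    bookmarks = []
    for url, path, title in sites:
        entry = {"URL": checked_url(url), "Title": title.strip()}
        if path:  # omitted -> Safari's default bookmark folder, as the page describes
            entry["BookmarkPath"] = path
        bookmarks.append(entry)
    payload = _envelope(identifier)
    payload.update({"FilterType": "BuiltIn", "WhitelistedBookmarks": bookmarks})
    return payload


def effective_allowed_hosts(sites: Iterable[Tuple[str, Optional[str], str]]) -> List[str]:
    """Hosts users can actually reach under 'Specific websites only': your list plus the
    hosts Intune always permits. An empty list leaves exactly those three."""
    hosts = {urlparse(checked_url(url)).netloc.lower() for url, _, _ in sites}
    hosts.update(INTUNE_ALWAYS_PERMITTED)
    return sorted(hosts)


def to_plist(payload: Dict[str, object]) -> bytes:
    return plistlib.dumps(payload)


def round_trips(payload: Dict[str, object]) -> bool:
    """The payload survives plist serialisation unchanged (bools stay bools, ints stay ints)."""
    return plistlib.loads(to_plist(payload)) == payload


# Constructed sample: the page's contoso example plus one site without a bookmark path.
SAMPLE_SITES = [
    ("http://www.contoso.com", "/Contoso/Business Apps", "Contoso intranet"),
    ("https://portal.contoso.com/helpdesk", None, "Help desk"),
]

if __name__ == "__main__":
    print(to_plist(specific_websites_payload(SAMPLE_SITES)).decode())
    print("reachable with an empty allow list:", effective_allowed_hosts([]))
```

Run the file to see the XML plist Safari would receive for the sample allow list. The is_full_url check is the practical point: an entry typed without a scheme is accepted by a text box but matches nothing, and effective_allowed_hosts makes the empty-list behaviour explicit before the profile is assigned.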
How to configure device restriction settings in Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

Device restrictions let you control a wide range of settings and features across categories such as security, browser, hardware, and data sharing. For example, you could create a device restriction profile that prevents users of iOS devices from accessing the device camera.
Use the information in this topic to learn the basics of configuring device restriction profiles, and then read the topics for each platform to learn about the platform-specific settings.

Create a device profile containing device restriction settings
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Configure devices.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the profiles blade, choose Create Profile.
6. On the Create Profile blade, enter a Name and Description for the device restriction profile.
7. From the Platform drop-down list, select the device platform to which you want to apply device restriction settings.
Currently, you can choose one of the following platforms for device restriction settings:
Android
iOS
macOS
Windows Phone 8.1
Windows 8.1 and later
Windows 10 and later
8. From the Profile type drop-down list, choose Device restrictions. If you want to create a device restrictions profile for Windows 10 Team devices like a Surface Hub, choose Device restrictions (Windows 10 Team).
9. Depending on the platform you chose, the settings you can configure will be different. Go to one of the
following topics for detailed settings for each platform:
Android settings
iOS settings
macOS settings
Windows Phone 8.1 settings
Windows 8.1
Windows 10 settings
Windows 10 Team settings
Android for Work settings
10. When you're done, go back to the Create Profile blade, and choose Create.
The profile is created and appears on the profiles list blade. If you want to go ahead and assign this profile to groups, see How to assign device profiles.

Example of device restriction settings
In this high-level example, you'll create a device restriction policy that blocks the use of the built-in camera app on
Android devices.
Android and Samsung KNOX Standard device restriction settings in Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

Use these settings with an Android device restriction policy to configure devices in your organization.

General

Setting name (Android 4.0+ / Samsung KNOX Standard) - Details

Camera (Yes / Yes) - Allows the use of the device camera.
Copy and paste (No / Yes) - Allows copy and paste functions on the device.
Clipboard sharing between apps (No / Yes) - Allows use of the clipboard to copy and paste between apps.
Diagnostic data submission (No / Yes) - Stops the user from submitting diagnostic data from the device.
Factory reset (No / Yes) - Allows the user to perform a factory reset on the device.
Geolocation (No / Yes) - Allows the device to use location information (Samsung KNOX Standard only).
Power off (No / Yes) - Allows the user to power off the device. If disabled, Number of sign-in failures before wiping device cannot be set.
Screen capture (No / Yes) - Lets the user capture the screen contents as an image.
Voice assistant (No / Yes) - Allows the use of voice assistant software on the device.
YouTube (No / Yes) - Allows the use of the YouTube app on the device.
Shared devices (No / Yes) - Configure a managed Samsung KNOX Standard device as shared. In this mode, end users can sign in and out of the device with their Azure AD credentials. The device remains managed whether it's in use or not. When end users sign in, they have access to apps and additionally get any policies applied to them. When users sign out, all app data is cleared.

Password

Setting name (Android 4.0+ / Samsung KNOX Standard) - Details

Password (Yes / Yes) - Require the end user to enter a password to access the device.
Minimum password length (Yes / Yes) - Enter the minimum length of password a user must configure (between 4 and 16 characters).
Maximum minutes of inactivity until screen locks (Yes / Yes) - Specifies the number of minutes of inactivity before the device automatically locks.
Number of sign-in failures before wiping device (Yes / Yes) - Specifies the number of sign-in failures to allow before the device is wiped.
Password expiration (days) (Yes / Yes) - Specifies the number of days before the device password must be changed.
Required password type (Yes / Yes) - Specifies the required password complexity level, and whether biometric devices can be used. Choose from:
- Device default
- Low security biometric
- At least numeric
- Numeric complex (repeating or consecutive numbers like '1111' or '1234' are not allowed) (1)
- At least alphabetic
- At least alphanumeric
- At least alphanumeric with symbols
Prevent reuse of previous passwords (Yes / Yes) - Stops the end user from creating a password they have used before.
Fingerprint unlock (No / Yes) - Allows the use of a fingerprint to unlock supported devices.
Smart Lock and other trust agents (Yes, 5.0 and later / Yes) - Lets you control the Smart Lock feature on compatible Android devices (Samsung KNOX Standard 5.0 and later). This phone capability, sometimes known as a trust agent, lets the user disable or bypass the device lock screen password while the device is in a trusted state, for example when it is connected to a specific Bluetooth device or close to an NFC tag. You can use this setting to prevent users from configuring Smart Lock.
Encryption (Yes / Yes) - Requires that files on the device are encrypted.

(1) Before you assign this setting to devices, make sure the Company Portal app on those devices is updated to the latest version. If you configure the Numeric complex setting and then assign it to a device running a version of Android earlier than 5.0, the following behavior applies:
- If the Company Portal app is running a version earlier than 1704, no PIN policy is applied to the device and an error is displayed in the Intune portal.
- If the Company Portal app runs version 1704 or later, only a simple PIN can be applied, because versions of Android earlier than 5.0 do not support this setting. No error is displayed in the Intune portal.
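What the Numeric complex password type actually rejects is worth being precise about before you rely on it. The following Python is an added example, not Intune or Android code: it checks a candidate PIN as the page describes and goes beyond the two PINs quoted there by modelling the rule Android's platform code applies to this quality level (the longest run of digits with a constant step, a step of 0 included, may be at most 3 digits long, so '2468' and '4444' fail like '1234' does). The MAX_RUN value and the 4 to 16 length bounds are this example's assumptions; confirm them against the Android version you target.

```python
"""Check a PIN against Intune's Android 'Numeric complex' required password type.

Added example, not Intune or Android code. Modelled on the sequence rule
Android applies for this quality level: the longest run of digits with a
constant step (a step of 0, i.e. repetition, included) may be at most MAX_RUN
long. MAX_RUN and the 4..16 length bounds are assumptions to verify.
"""
from typing import Tuple

MAX_RUN = 3                      # longest constant-step run tolerated (assumption)
MIN_LENGTH, MAX_LENGTH = 4, 16   # bounds Intune offers for 'Minimum password length'


def longest_constant_step_run(pin: str) -> int:
    """Length of the longest run in which each digit differs from the previous one
    by the same amount: '1234' -> 4 (step 1), '2468' -> 4 (step 2),
    '4444' -> 4 (step 0), '1235' -> 3, '1122' -> 2."""
    if not pin:
        return 0
    best = 1
    start = 0        # index at which the current run began
    step = None      # step of the current run; None until two digits have been seen
    for i in range(1, len(pin)):
        diff = int(pin[i]) - int(pin[i - 1])
        if step is not None and diff != step:
            best = max(best, i - start)
            start = i - 1   # the previous digit is the first digit of the new run
        step = diff
    return max(best, len(pin) - start)


def numeric_complex_ok(pin: str, min_length: int = MIN_LENGTH) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate PIN under 'Numeric complex'
    combined with the given 'Minimum password length' value."""
    if not (MIN_LENGTH <= min_length <= MAX_LENGTH):
        raise ValueError(f"min_length must be between {MIN_LENGTH} and {MAX_LENGTH}")
    # isdigit() alone accepts non-ASCII digits, which a numeric PIN policy does not.
    if not (pin.isascii() and pin.isdigit()):
        return False, "numeric PIN required: digits 0-9 only"
    if len(pin) < min_length:
        return False, f"shorter than the minimum length {min_length}"
    run = longest_constant_step_run(pin)
    if run > MAX_RUN:
        return False, f"contains a repeating or ordered sequence of {run} digits"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates: the page's two examples plus edge cases.
    for candidate in ("1111", "1234", "2468", "1235", "7294", "123", "104759"):
        print(candidate, numeric_complex_ok(candidate))
```

Note that the run length, not the whole PIN, is what matters: '1235' passes because its ordered run is only three digits long, while '12349' would fail. If your fleet still contains devices older than Android 5.0, the footnote above applies and none of this is enforced there.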
Google Play Store

Setting name (Android 4.0+ / Samsung KNOX Standard) - Details

Google Play store (No / Yes) - Allows the user to access the Google Play store on the device.

Restricted apps
In the restricted apps list, you can configure one of the following lists for both Android and Samsung KNOX Standard devices:
A Prohibited apps list - List the apps (not managed by Intune) that users are not allowed to install and run.
An Approved apps list - List the apps that users are allowed to install. To remain compliant, users must not install other apps. Apps that are managed by Intune are automatically allowed.
Device profiles that contain restricted app settings must be assigned to groups of users.
To configure the list, click Add, then specify a name of your choice, optionally the app publisher, and the URL to the app in the app store.
How to specify the URL to an app in the store
To specify an app URL in the approved or prohibited apps list, take the following steps:
In the Apps section of Google Play, search for the app you want to use.
Open the installation page for the app, and then copy the URL to the clipboard. You can now use this URL in either the approved or prohibited apps list.
Example: Search Google Play for Microsoft Office Mobile. Use the URL:
https://play.google.com/store/apps/details?id=com.microsoft.office.officehub.
Additional options
You can also click Import to populate the list from a csv file in the format <app url>, <app name>, <app publisher>, or click Export to create a csv file containing the contents of the restricted apps list in the same format.

Browser

Setting name (Android 4.0+ / Samsung KNOX Standard) - Details

Web browser (No / Yes) - Specifies whether the device's default web browser can be used.
Autofill (No / Yes) - Allows the autofill function of the web browser to be used.
Cookies (No / Yes) - Allows the device web browser to use cookies.
JavaScript (No / Yes) - Allows the device web browser to run JavaScript.
Pop-ups (No / Yes) - Allows the use of the pop-up blocker in the web browser.

Cloud and Storage

Setting name (Android 4.0+ / Samsung KNOX Standard) - Details

Google backup (No / Yes) - Allows the use of Google backup.
Google account auto sync (No / Yes) - Allows Google account settings to be automatically synchronized.
Removable storage (No / Yes) - Allows the device to use removable storage, like an SD card.
Encryption on storage cards (No / Yes) - Specifies whether the device storage card must be encrypted.

Cellular and Connectivity

Setting name (Android 4.0+ / Samsung KNOX Standard) - Details

Data roaming (No / Yes) - Allows data roaming when the device is on a cellular network.
SMS/MMS messaging (No / Yes) - Allows the use of SMS and MMS messaging on the device.
Voice dialing (No / Yes) - Enables or disables the voice dialing feature on the device.
Voice roaming (No / Yes) - Allows voice roaming when the device is on a cellular network.
Bluetooth (No / Yes) - Allows the use of Bluetooth on the device.
NFC (No / Yes) - Allows operations that use near field communication on supported devices.
Wi-Fi (No / Yes) - Allows the use of the Wi-Fi capabilities of the device.
Wi-Fi tethering (No / Yes) - Allows the use of Wi-Fi tethering on the device.

Kiosk

Setting name (Android 4.0+ / Samsung KNOX Standard) - Details

Select a managed app (No / Yes) - Choose one of the following options to add one or more apps that can run when the device is in kiosk mode. No other apps are allowed to run on the device.
- Add apps by package name
- Add apps by URL
- Add managed apps
Screen sleep button (No / Yes) - Enables or disables the screen sleep wake button on the device.
Volume buttons (No / Yes) - Enables or disables the use of the volume buttons on the device.
iOS device restriction settings in Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

General
Camera - Select whether the camera on the device can be used.
Diagnostic data submission - Allow or block the device from submitting diagnostic data to Apple.
FaceTime - Allow the FaceTime app to be used on the device.
Screen capture - Allow the user to capture the contents of the screen as an image.
Siri - Allow use of the Siri voice assistant on the device.
Siri while device is locked - Allow use of the Siri voice assistant on the device while it is locked.
Siri profanity filter (supervised only) - Prevents Siri from dictating or speaking profane language.
Siri to query user-generated content from the internet (supervised only) - Allow Siri to access
websites to answer questions.
Untrusted TLS certificates - Allow untrusted Transport Layer Security certificates on the device. Allowing this lets users accept certificates that fail validation, which exposes their TLS connections to interception; block it unless you have a specific need.
Control Center access while device locked - Allow the user to access the control center app when the device
is locked.
Notifications while device locked - Allow the user to access the notifications view without unlocking the
device.
Passbook while device locked - Allow the user to access the Passbook app while the device is locked.
Today view while device locked - Allow the user to see the Today view when the device is locked.
Enterprise app trust - Lets the user select to trust apps that were not downloaded from the app store.
AirDrop (supervised only) - Allow use of the AirDrop feature to exchange content with nearby devices.
Spotlight search to return results from internet (supervised only) - Let Spotlight search connect to the
Internet to provide further results.
Word definition lookup (supervised only) - Allow the iOS feature that lets you highlight a word and look up its definition.
Predictive keyboards (supervised only) - Allow the use of predictive keyboards that suggest words the user
might want.
Auto-correction (supervised only) - Lets the device automatically correct misspelled words.
Keyboard spell-check (supervised only) - Allows the device spell checker.
Keyboard shortcuts (supervised only) - Allows use of keyboard shortcuts.
Wrist detection for paired Apple watch - When enabled, the Apple Watch won't display notifications when it
is not being worn.
Require AirPlay outgoing requests pairing password - Require a pairing password when the user uses
AirPlay to stream content to other Apple devices.
Account modification (supervised only) - When blocked, this prevents the user from modifying device-
specific settings from the iOS settings app, like creating new device accounts, and changing the user name or
password. This also applies to settings accessible from the iOS settings app like Mail, Contacts, Calendar,
Facebook, and Twitter. This does not apply to apps with account settings that are not configurable from the iOS
settings app, for example, the Microsoft Outlook app.
Apple Watch pairing (supervised only) - Allow the device to pair with an Apple Watch.
Bluetooth modification (supervised only) - Block the end user from changing Bluetooth settings on the
device.
Remote screen observation by Classroom app (supervised only) - Allow or block the Classroom app from
observing the screen on remote devices.
Enabling restrictions in the device settings (supervised only) - Allow the user to configure device
restrictions (parental controls) on the device.
Use of the erase all content and settings option on the device (supervised only) - Allow the user to use
the option of erasing all content and settings on the device.
Device name modification (supervised only) - Allow the user to change the name of the device.
Diagnostics submission settings modification (supervised only) - Allow or block the device from
submitting diagnostic data to Apple.
Host pairing to control the devices an iOS device can pair with (supervised only) - Allow host pairing to
let the administrator control which devices an iOS device can pair with.
Notification settings modification (supervised only) - Allow the user to change the device notification
settings.
Passcode modification (supervised only) - Allow the device password to be added, changed, or removed.
Wallpaper modification (supervised only) - Allow the user to change the device wallpaper.
Enterprise app trust settings modification (supervised only) - Lets the user select to trust apps that were
not downloaded from the app store.
Installing apps from App Store (supervised only) - Allow the device to access the app store and install apps.
Changes to the Find My Friends app settings (supervised only) - Allow the user to change settings for the
Find My Friends app.
iBooks store (supervised only) - Allow the user to browse and purchase books from the iBooks store.
Messages app on the device (supervised only) - Allow use of the Messages app to send and read text
messages.
Podcasts (supervised only) - Allow use of the Podcasts app.
Music service (supervised only) - Allow use of the Apple Music app.
iTunes Radio service (supervised only) - Allow use of the iTunes Radio app.
Apple News (supervised only) - Allow use of the Apple News app.
Configuration profile changes - Allow the user to install configuration profiles.

Password
Password required - Require the end user to enter a password to access the device.
Simple passwords - Allow simple passwords like 0000 and 1234.
Required password type - Specify the type of password that will be required, such as numeric only or
alphanumeric.
Number of non-alphanumeric characters in password - Specify the number of symbol characters (like # or
@) that must be included in the password.
Minimum password length - Specify the minimum number of characters in the password.
Number of sign-in failures before wiping device - Specify the number of failed login attempts before this
setting wipes the device.
Maximum minutes after screen lock before password is required (1) - Specify how long the device can remain idle before the user must re-enter their password.
Maximum minutes of inactivity until screen locks (1) - Specify the number of minutes before the device display is turned off.
Password expiration (days) - Specify the number of days before the device password must be changed.
Prevent reuse of previous passwords - Specify the number of previously used passwords that the device remembers.
Fingerprint unlock - Allow using a fingerprint to unlock compatible devices.
(1) When you configure the settings Maximum minutes of inactivity until screen locks and Maximum minutes after screen lock before password is required, they are applied in sequence. For example, if you set the value for both settings to 5 minutes, the screen turns off automatically after 5 minutes, and the device locks after an additional 5 minutes. However, if the user turns off the screen manually, the second setting is applied immediately. In the same example, after the user turns off the screen, the device locks 5 minutes later.

App Store, Doc Viewing, Gaming
App store (supervised only) - Block access to the app store on supervised devices.
Password to access app store - Require the user to enter a password before they can visit the app store.
In-app purchases - Allow store purchases to be made from within a running app.
Automatic app downloads (supervised only) -
Explicit iTunes music, podcast, or news content (supervised only) - Allow the device to access content
rated as adult from the store.
Download content from iBook store flagged as 'Erotica' - Allow the user to download books with the
"Erotica" category.
Viewing corporate documents in unmanaged apps - Allow corporate documents to be viewed in any app.
Example: You want to prevent users from saving files from the OneDrive app to Dropbox. Configure this
setting as no. After the device receives the policy (for example, after a restart), it will no longer allow saving.
Viewing non-corporate documents in corporate apps - Allow any document to be viewed in corporate
managed apps.
Treat AirDrop as an unmanaged destination - Stops managed apps from being able to send data via AirDrop.
Adding Game Center friends (supervised only) - Allow the user to add friends in Game Center.
Game Center (supervised only) - Block or enable the use of the Game Center app.
Multiplayer gaming (supervised only) - Allow the user to play multiplayer games on the device.
Ratings region - Choose the ratings region for which you want to configure allowed downloads, then choose
the allowed ratings for Movies and TV Shows.
Apps - Choose the allowed age rating of apps that users will be able to download, or you can choose Allow All
Apps.

Restricted apps
In the restricted apps list, you can configure one of the following lists:
A Prohibited apps list - List the apps (not managed by Intune) that users are not allowed to install and run.
An Approved apps list - List the apps that users are allowed to install. To remain compliant, users must not install apps that are not listed. Apps that are managed by Intune are automatically allowed.
Device profiles that contain restricted app settings must be assigned to groups of users.
To configure the list, click Add, then specify a name of your choice, optionally the app publisher, and the URL to the app in the app store.
How to specify the URL to an app in the store
To find the URL for an app, take the following steps:
Using a search engine, find the app that you want to use in the iTunes App Store and open the page for the app.
Copy the URL of the page and use it to configure the approved or prohibited apps list, or to specify an app that you want to run in kiosk mode.
Example: Search for Microsoft Word for iPad. The URL that you use will be
https://itunes.apple.com/us/app/microsoft-word-for-ipad/id586447913?mt=8.

NOTE
You can also use the iTunes software to find the app and then use the Copy Link command to get the app URL.

Additional options
You can also click Import to populate the list from a csv file in the format <app url>, <app name>, <app publisher>, or click Export to create a csv file containing the contents of the restricted apps list in the same format.

Show or hide apps
In the show or hide apps list, you can configure one of the following lists (requires supervised devices running iOS 9.3 or later):
A Hidden apps list - Specify a list of apps that are hidden from users. Users cannot view or launch these apps.
A Visible apps list - Specify a list of apps that users can view and launch. No other apps can be viewed or launched.
To configure the list, click Add, then specify a name of your choice, optionally the app publisher, and the URL to the app in the app store.
How to specify the URL to an app in the store
To find the URL for an app, take the following steps:
Using a search engine, find the app that you want to use in the iTunes App Store and open the page for the app.
Copy the URL of the page and use it to configure the hidden or visible apps list.
Example: Search for Microsoft Word for iPad. The URL that you use will be
https://itunes.apple.com/us/app/microsoft-word-for-ipad/id586447913?mt=8.

NOTE
You can also use the iTunes software to find the app and then use the Copy Link command to get the app URL.

Additional options
You can also click Import to populate the list from a csv file in the format <app url>, <app name>, <app publisher>, or click Export to create a csv file containing the contents of the hidden or visible apps list in the same format.
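The store URLs and the three-column Import/Export CSV described for the Android restricted apps list, the iOS restricted apps list and the hidden or visible apps list above are easy to get subtly wrong, and a bad entry matches nothing rather than failing loudly. The following Python is an added example, not Intune's code: it extracts the app identity from a Google Play or App Store URL (the Play id= parameter is the package name; the App Store URL carries a numeric idNNN segment), rejects URLs that could never match an app, and writes and reads back the CSV. The accepted host names, the ID extraction and the sample rows are this example's own assumptions.

```python
"""Build and check the CSV used by Intune's Import/Export buttons for the Android
and iOS restricted-apps lists and the iOS hidden/visible apps list.

Added example, not Intune code. The page gives the layout
'<app url>, <app name>, <app publisher>' and two store URLs; the accepted
hosts, the ID extraction and the sample rows are this example's assumptions.
"""
import csv
import io
import re
from typing import Iterable, List, Tuple
from urllib.parse import parse_qs, urlparse

PLAY_HOSTS = {"play.google.com"}
APP_STORE_HOSTS = {"itunes.apple.com", "apps.apple.com"}  # apps.apple.com: newer host (assumption)

_PACKAGE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")
_APP_STORE_ID = re.compile(r"/id(\d+)(?:/|$)")


def app_identity(url: str) -> Tuple[str, str]:
    """Return (platform, app id) for a store URL, or raise ValueError.
    Android: the Play 'id=' query parameter, which is the package name.
    iOS: the numeric idNNN path segment."""
    p = urlparse(url.strip())
    if p.scheme != "https" or not p.netloc:
        raise ValueError(f"expected an https store URL: {url!r}")
    host = p.netloc.lower()
    if host in PLAY_HOSTS:
        package = parse_qs(p.query).get("id", [""])[0]
        if not _PACKAGE_NAME.match(package):
            raise ValueError(f"Play URL has no valid package name: {url!r}")
        return "android", package
    if host in APP_STORE_HOSTS:
        m = _APP_STORE_ID.search(p.path)
        if not m:
            raise ValueError(f"App Store URL has no idNNN segment: {url!r}")
        return "ios", m.group(1)
    raise ValueError(f"unrecognised store host {host!r}: {url!r}")


def is_store_url(url: str) -> bool:
    try:
        app_identity(url)
        return True
    except ValueError:
        return False


def build_import_csv(entries: Iterable[Tuple[str, str, str]], platform: str) -> str:
    """Write rows of (app url, app name, app publisher) in the Import format.
    Rejects URLs for the wrong platform and the same app listed twice."""
    seen = set()
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for url, name, publisher in entries:
        plat, app_id = app_identity(url)
        if plat != platform:
            raise ValueError(f"{app_id} is a {plat} app but the profile is for {platform}")
        if app_id in seen:
            raise ValueError(f"{app_id} is listed twice")
        seen.add(app_id)
        writer.writerow([url.strip(), name.strip(), publisher.strip()])
    return out.getvalue()


def read_export_csv(text: str, platform: str) -> List[Tuple[str, str, str]]:
    """Parse an exported list back into (app id, name, publisher) tuples,
    tolerating the space after each comma that an export may contain."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if not row or not any(cell.strip() for cell in row):
            continue
        if len(row) != 3:
            raise ValueError(f"expected 3 columns, got {row!r}")
        url, name, publisher = (cell.strip() for cell in row)
        plat, app_id = app_identity(url)
        if plat != platform:
            raise ValueError(f"{app_id} is a {plat} app but the profile is for {platform}")
        rows.append((app_id, name, publisher))
    return rows


# Constructed sample rows: the two URLs the page quotes plus one made-up package.
ANDROID_SAMPLE = [
    ("https://play.google.com/store/apps/details?id=com.microsoft.office.officehub",
     "Microsoft Office Mobile", "Microsoft Corporation"),
    ("https://play.google.com/store/apps/details?id=com.example.fileshare",
     "Example File Share", "Example Ltd"),
]
IOS_SAMPLE = [
    ("https://itunes.apple.com/us/app/microsoft-word-for-ipad/id586447913?mt=8",
     "Microsoft Word for iPad", "Microsoft Corporation"),
]

if __name__ == "__main__":
    text = build_import_csv(ANDROID_SAMPLE, "android")
    print(text, end="")
    print(read_export_csv(text, "android"))
    print(read_export_csv(build_import_csv(IOS_SAMPLE, "ios"), "ios"))
```

Running the file prints the Android CSV ready for Import and the parsed identities. Keying duplicates and platform checks on the extracted app ID rather than on the raw URL is deliberate: two URLs for the same package (with and without &hl=en, for instance) are the same app.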

Cellular
Data roaming - Allow data roaming when the device is on a cellular network.
Global background fetch while roaming - Allow the device to fetch data such as email while it is roaming on
a cellular network.
Voice dialing - Allow use of the voice dialing feature on the device.
Voice roaming - Allow voice roaming when the device is on a cellular network.
Changes to app cellular data usage settings (supervised only) - Allow the user to control which apps are
allowed to use cellular data.

Cloud and Storage
Backup to iCloud - Allow the user to back up the device to iCloud.
Document sync to iCloud (supervised only) - Allow document and key-value synchronization to your iCloud
storage space.
Photo stream syncing to iCloud - Lets users enable My Photo Stream on their device, which allows photos to sync to iCloud and be available on all of the user's devices.
Encrypted backup - Require any device backups to be encrypted.
iCloud Photo Library - If set to No, disables the use of iCloud photo library which lets users store photos and
videos in the cloud. Any photos not fully downloaded from iCloud Photo Library to the device will be removed
from the device if this is set to No.
Managed apps sync to cloud - Allow apps that you manage with Intune to sync data to the user's iCloud
account.
Shared photo stream - Set to No to disable iCloud Photo Sharing on the device.
Activity continuation - Allow the user to continue work that they started on an iOS device on another iOS or
macOS device (Handoff).

Autonomous single app mode (supervised only)
Use these settings to configure iOS devices to run specified apps in autonomous single app mode. When this mode is configured and the app is run, the device is locked so that it can only run that app. An example is an app that lets users take a test on the device. When the app's actions are complete, or you remove this policy, the device returns to its normal state.
Settings
App name - Enter the name of the app as it will appear in the apps list on this blade.
App Bundle ID - Enter the bundle ID of the app. For help, see Bundle ID reference for built-in iOS apps in
this topic.
After you specify each app name and bundle ID, choose Add to append it to the list.
Import - Import a comma-separated values (.csv) file containing a list of app names, and their associated bundle
IDs.
Export - Export the app names, and associated bundle IDs you have configured to a comma-separated values
(.csv) file.
Bundle ID reference for built-in iOS apps
This list shows the bundle ID of some common built-in iOS apps. To find the bundle ID of other apps, contact your
software vendor.

App name BundleID

App Store com.apple.AppStore

Calculator com.apple.calculator

Calendar com.apple.mobilecal

Camera com.apple.camera

Clock com.apple.mobiletimer
Compass com.apple.compass

Contacts com.apple.MobileAddressBook

FaceTime com.apple.facetime

Find Friends com.apple.mobileme.fmf1

Find iPhone com.apple.mobileme.fmip1

Game Center com.apple.gamecenter

GarageBand com.apple.mobilegarageband

Health com.apple.Health

iBooks com.apple.iBooks

iTunes Store com.apple.MobileStore

iTunes U com.apple.itunesu

Keynote com.apple.Keynote

Mail com.apple.mobilemail

Maps com.apple.Maps

Messages com.apple.MobileSMS

Music com.apple.Music

News com.apple.news

Notes com.apple.mobilenotes

Numbers com.apple.Numbers

Pages com.apple.Pages

Photo Booth com.apple.Photo-Booth

Photos com.apple.mobileslideshow

Podcasts com.apple.podcasts

Reminders com.apple.reminders

Safari com.apple.mobilesafari

Settings com.apple.Preferences
Stocks com.apple.stocks

Tips com.apple.tips

Videos com.apple.videos

VoiceMemos com.apple.VoiceMemos

Wallet com.apple.Passbook

Watch com.apple.Bridge

Weather com.apple.weather

Kiosk
Activation Lock - Enable Activation Lock on supervised iOS devices.
App that runs in kiosk mode - Choose Managed App to select an app you've added to Intune, or Store App to specify the URL to an app in the store. No other apps will be allowed to run on the device. For more help, see "How to specify the URL to an app in the store" earlier in this topic.
Assistive touch - Enable or disable the Assistive Touch accessibility setting, which helps the user perform on-
screen gestures that might be difficult for them to perform.
Invert colors - Enable or disable the Invert Colors accessibility setting, which adjusts the display to help users
with visual impairments.
Mono audio - Enable or disable the accessibility setting Mono audio.
VoiceOver - Enable or disable the accessibility setting VoiceOver, which reads aloud text on the device display.
Zoom - Enable or disable the Zoom accessibility setting, which lets the user use touch to zoom in to the device
display.
Auto lock - Enable or disable automatic locking of the device.
Ringer switch - Enable or disable the ringer (mute) switch on the device.
Screen rotation - Enable or disable changing the screen orientation when the user rotates the device.
Screen sleep button - Enable or disable the screen sleep wake button on the device.
Touch - Enable or disable the touchscreen on the device.
Volume buttons - Enable or disable the use of the volume buttons on the device.
Assistive touch control - Enable or disable assistive touch adjustments, which let the user adjust the assistive
touch function.
Invert colors control - Enable or disable invert colors adjustments, which let the user adjust the invert colors
function.
Speak on selected text - Enable or disable the Speak Selection accessibility settings, which can read aloud the
text that the user selects.
VoiceOver control - Enable or disable voiceover adjustments, which let the user adjust the VoiceOver function
(for example, how fast on-screen text is read aloud).
Zoom control - Enable or disable zoom adjustments, which let the user adjust the zoom function.
NOTE
Before you can configure an iOS device for kiosk mode, you must use the Apple Configurator tool or the Apple Device
Enrollment Program to put the device into supervised mode. For more information about the Apple Configurator tool, see
your Apple documentation. If the iOS app that you specify is installed after you assign the profile, the device will not enter
kiosk mode until after it is restarted.

Safari
Safari (supervised only) - Specify whether the Safari browser can be used on the device.
Autofill - Allow the user to change autocomplete settings in the browser.
Cookies - Allow the browser to use cookies.
JavaScript - Allow JavaScript to run in the browser.
Fraud warnings - Allow fraud warnings in the browser.
Pop-ups - Enable or disable the browser pop-up blocker.

Domains
Unmarked email domains
In the Email Domain URL field, add one or more URLs to the list. When end users receive an email from a domain
other than those you configured, the email will be marked as untrusted in the iOS Mail app.
Managed web domains
In the Web Domain URL field, add one or more URLs to the list. When documents are downloaded from the
domains you specify, they will be considered managed. This setting applies only to documents downloaded using
the Safari browser.
Safari password auto fill domains
In the Domain URL field, add one or more URLs to the list. Users can only save web passwords from URLs in this
list. This setting applies only to the Safari browser, and to iOS 9.3 and later devices in supervised mode. If you don't
specify any URLs, then passwords can be saved from all web sites.
macOS device restriction settings in Microsoft Intune
6/23/2017

APPLIES TO: INTUNE ON AZURE

Use these settings to manage macOS devices in a device restriction profile.

Password
Password required - Require the end user to enter a password to access the device.
Required password type - Specify whether the password can be Numeric only, or whether it must be
Alphanumeric (contain letters and numbers). This setting is supported only on Mac OS X version 10.10.3
and later.
Number of non-alphanumeric characters in password - Specify the number of complex characters
required in the password (0 to 4).
A complex character is a symbol, like ?
Minimum password length - Enter the minimum length of password a user must configure (between 4
and 16 characters).
Simple passwords - Allow the use of simple passwords such as 0000 or 1234.
Maximum minutes after screen lock before password is required - Specify how long the computer
must be inactive before a password is required to unlock it.
Maximum minutes of inactivity until screen locks - Specify the length of time that the computer
must be idle before the screen locks.
Password expiration (days) - Specify how many days elapse before the user must change the
password (1 to 255 days).
Prevent reuse of previous passwords - Specify the number of previously used passwords that cannot
be reused (1 to 24).

Restricted apps
In the restricted apps list, you can configure one of the following lists:
A Prohibited apps list - List the apps (not managed by Intune) that users are not allowed to install and run.
An Approved apps list - List the apps that users are allowed to install. To remain compliant, users must not install
apps that are not listed. Apps that are managed by Intune are automatically allowed.
To configure the list, click Add, then specify a name of your choice, optionally the app publisher, and the bundle ID
of the app (for example com.apple.calculator).

Domains
Unmarked email domains
In the Email Domain URL field, add one or more URLs to the list. When end users receive an email from a domain
other than one you configured, the email is marked as untrusted in the iOS Mail app.
Windows 8.1 and later device restriction settings in Microsoft Intune
6/19/2017 3 min to read

APPLIES TO: INTUNE ON AZURE

General
Apply all configurations to Windows 10 - Enables settings in this policy to be applied to Windows 10
devices, in addition to Windows 8.1 devices.
Diagnostic data submission - Enables the device to submit diagnostic information to Microsoft.
Firewall - Requires that the Windows Firewall is turned on.
User Account Control - Requires the use of User Account Control (UAC) on devices.

Password
Required password type - Require the end user to enter a password to access the device.
Minimum password length - Configures the minimum required length (in characters) for the password.
Number of sign-in failures before wiping device - Wipes the device if the sign-in attempts fail this number
of times.
Maximum minutes of inactivity until screen locks - Specifies the number of minutes a device must be idle
before a password is required to unlock it.
Password expiration (days) - Specifies the number of days before the device password must be changed.
Prevent reuse of previous passwords - Specifies whether the user can configure previously used passwords.
Picture password and PIN - Enables the use of a picture password and PIN. A picture password lets the user
sign in with gestures on a picture. A PIN lets users quickly sign in with a four-digit code.
Encryption - Requires that files on the device are encrypted.
To enforce encryption on devices that run Windows 8.1, you must install the December 2014 MDM client update
for Windows on each device. If you enable this setting for Windows 8.1 devices, all users of the device must
have a Microsoft account. For encryption to work, the device must meet the Microsoft InstantGo hardware
certification requirements. When you enforce encryption on a device, the recovery key is only accessible from
the user's Microsoft account, which is accessed from their OneDrive account. You cannot recover this key on
behalf of a user.

Browser
Autofill - Enables users to change autocomplete settings in the browser.
Fraud warnings - Enables or disables warnings for potentially fraudulent websites.
SmartScreen - Enables or disables warnings for potentially fraudulent websites.
JavaScript - Enables the browser to run scripts, such as JavaScript.
Pop-ups - Enables or disables the browser pop-up blocker.
Send do-not-track headers - Sends a do not track header to visited sites in Internet Explorer.
Plugins - Enables users to add plug-ins to Internet Explorer.
Single word entry on intranet site - Enables use of a single word to direct Internet Explorer to a web site, such
as Bing.
Auto detect of intranet site - Helps configure security for intranet sites in Internet Explorer.
Internet security level - Sets the Internet Explorer security level for Internet sites.
Intranet security level - Sets the Internet Explorer security level for intranet sites.
Trusted sites security level - Configures the security level for the trusted sites zone.
High security for restricted sites - Configures the security level for the restricted sites zone.
Enterprise mode menu access - Lets users access the Enterprise Mode menu options from Internet Explorer. If
you select this setting, you can also specify a Logging report location, which contains a URL to a report that
shows websites for which users have turned on Enterprise Mode access.
Enterprise mode site list location - Specifies the location of the list of websites that will use Enterprise Mode
when it is active.

Cellular
Data roaming - Enables data roaming when the device is on a cellular network.

Cloud and Storage
Work folders URL - Sets the URL of the work folder to allow documents to be synchronized across devices.
Access to Windows Mail app without a Microsoft account - Enables access to the Windows Mail
application without a Microsoft account.
Windows Phone 8.1 device restriction settings in Microsoft Intune
6/19/2017 4 min to read

APPLIES TO: INTUNE ON AZURE

General
Apply all settings to Windows Phone 8.1 only - This is a setting you can configure in the classic Intune
portal. In the Azure portal, this setting cannot be changed. If this is set to Configured, any settings will only be
applied to Windows Phone 8.1 devices. If set to Not Configured, these settings will also apply to Windows 10
Mobile devices.
Camera - Enables or blocks the device's camera.
Copy and paste - Enables or blocks copy and paste functionality on devices.
Removable storage - Lets the device use removable storage such as SD cards.
Geolocation - Enables the device to utilize location information.
Microsoft account - Enable or block the user from linking a Microsoft account to the device.
Screen capture - Lets the user capture the contents of the screen as an image file.
Diagnostic data submission - Enables the device to submit diagnostic information to Microsoft.
Custom email accounts sync - Enables the device to connect to non-Microsoft email accounts.

Password
Apply all settings to Windows Phone 8.1 only - This is a setting you can configure in the classic Intune
portal. In the Azure portal, this setting cannot be changed. If this is set to Configured, any settings will only be
applied to Windows Phone 8.1 devices. If set to Not Configured, these settings will also apply to Windows 10
Mobile devices.
Password required - Require the end user to enter a password to access the device.
Required password type - Specifies the type of password that will be required, such as alphanumeric or
numeric only.
Minimum password length - Specifies the minimum number of characters that are required in the
password.
Simple passwords - Specifies that simple passwords such as 0000 and 1234 can be used.
Number of sign-in failures before wiping device - Specifies the number of times an incorrect
password can be entered before the device is wiped.
Maximum minutes of inactivity until screen locks - Specifies the amount of time a device must
remain idle before the screen is automatically locked.
Password expiration (days) - Specifies the number of days before the device password must be
changed.
Prevent reuse of previous passwords - Specifies how many previously used passwords are
remembered.
Encryption - Requires that the data on supported mobile devices be encrypted.

App Store
Apply all settings to Windows Phone 8.1 only - This is a setting you can configure in the classic Intune
portal. In the Azure portal, this setting cannot be changed. If this is set to Configured, any settings will only be
applied to Windows Phone 8.1 devices. If set to Not Configured, these settings will also apply to Windows 10
Mobile devices.
App store - Lets users connect to the app store from the device.

Restricted apps
Apply all settings to Windows Phone 8.1 only - This is a setting you can configure in the classic Intune
portal. In the Azure portal, this setting cannot be changed. If this is set to Configured, any settings will only be
applied to Windows Phone 8.1 devices. If set to Not Configured, these settings will also apply to Windows 10
Mobile devices.
In the restricted apps list, you can configure one of the following lists:
A Blocked apps list - List the apps (not managed by Intune) that users are not allowed to install and run.
An Allowed apps list - List the apps that users are allowed to install. Apps that are managed by Intune are
automatically allowed.
To configure the list, click Add, then specify a name of your choice, optionally the app publisher, and the URL to the
app in the app store.
How to specify the URL to an app in the store
To specify an app URL in the allowed and blocked apps list, use the following format:
From the Windows Phone Store page, search for the app that you want to use.
Open the app's page, and copy the URL to the clipboard. You can now use this as the URL in either the allowed or
blocked apps list.
Example: Search the store for the Skype app. The URL you use will be
http://www.windowsphone.com/store/app/skype/c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51.
Additional options
You can also click Import to populate the list from a csv file in the format <app url>, <app name>, <app
publisher> or click Export to create a csv file containing the contents of the restricted apps list in the same format.
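As an added example (not code from the Intune documentation or product), the following Python script checks an import file in the `<app url>, <app name>, <app publisher>` format described above before it is handed to Import, and writes an accepted list back out in the same format. The store URL pattern is an assumption modelled on the Skype URL quoted above; the function names and sample rows are constructed.

```python
import csv
import io
import re

# Import/Export format of the restricted apps list described in the text:
#   <app url>, <app name>, <app publisher>
# Assumed shape of a Windows Phone Store app page URL, modelled on the Skype
# URL quoted in the text: a name segment followed by the app GUID.
STORE_URL_RE = re.compile(
    r"^https?://www\.windowsphone\.com/store/app/[^/\s]+/"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
    re.IGNORECASE,
)


def validate_restricted_apps_csv(text):
    """Parse CSV text in the <app url>, <app name>, <app publisher> format.

    Returns (entries, errors): entries is a list of dicts for rows that are
    well-formed, errors is a list of messages for rows that would be rejected
    (wrong field count, URL that is not a store app page, empty app name, or
    a URL that is already listed).
    """
    entries, errors, seen = [], [], set()
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for lineno, row in enumerate(reader, start=1):
        if not row or all(not field.strip() for field in row):
            continue  # blank line
        if len(row) != 3:
            errors.append(f"row {lineno}: expected 3 fields, got {len(row)}")
            continue
        url, name, publisher = (field.strip() for field in row)
        if not STORE_URL_RE.match(url):
            errors.append(f"row {lineno}: not a Windows Phone Store app URL: {url!r}")
            continue
        if not name:
            errors.append(f"row {lineno}: app name is empty")
            continue
        if url.lower() in seen:
            errors.append(f"row {lineno}: duplicate entry for {url}")
            continue
        seen.add(url.lower())
        entries.append({"url": url, "name": name, "publisher": publisher})
    return entries, errors


def export_restricted_apps_csv(entries):
    """Write entries back out in the same three-field format (standard CSV
    quoting, so a name or publisher containing a comma survives a round trip)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for entry in entries:
        writer.writerow([entry["url"], entry["name"], entry["publisher"]])
    return out.getvalue()


# Constructed sample import file: one good row (the Skype URL from the text),
# then rows that should each be rejected for a different reason.
SAMPLE_CSV = """\
http://www.windowsphone.com/store/app/skype/c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51, Skype, Microsoft Corporation
http://www.windowsphone.com/store/app/example/not-a-guid, Example App, Contoso
http://www.windowsphone.com/store/app/skype/c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51, Skype again, Microsoft Corporation
https://store.example.net/store/app/thing/c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51, Thing, Fabrikam
http://www.windowsphone.com/store/app/onlytwo/c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51, Only Two Fields
"""

if __name__ == "__main__":
    good, bad = validate_restricted_apps_csv(SAMPLE_CSV)
    for message in bad:
        print("rejected:", message)
    print(export_restricted_apps_csv(good), end="")
```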

Browser
Apply all settings to Windows Phone 8.1 only - This is a setting you can configure in the classic Intune
portal. In the Azure portal, this setting cannot be changed. If this is set to Configured, any settings will only be
applied to Windows Phone 8.1 devices. If set to Not Configured, these settings will also apply to Windows 10
Mobile devices.
Web browser - Enables or blocks the built-in web browser on devices.

Cellular and Connectivity
Apply all settings to Windows Phone 8.1 only - This is a setting you can configure in the classic Intune
portal. In the Azure portal, this setting cannot be changed. If this is set to Configured, any settings will only be
applied to Windows Phone 8.1 devices. If set to Not Configured, these settings will also apply to Windows 10
Mobile devices.
Wi-Fi - Enables or disables the Wi-Fi functionality of the device.
Wi-Fi tethering - Enables the use of Wi-Fi tethering on the device.
Automatically connect to Wi-Fi hotspots - Enables the device to automatically connect to free Wi-Fi hotspots
and automatically accept any terms of use.
Wi-Fi hotspot reporting - Sends information about Wi-Fi connections to help the user discover nearby
connections.
NFC - Enables or disables operations that use near field communication on devices that support it.
Bluetooth - Enables or disables the Bluetooth functionality of the device.
Windows 10 and later device restriction settings in Microsoft Intune
6/29/2017 16 min to read

APPLIES TO: INTUNE ON AZURE

General
Screen capture (mobile only) - Lets the user capture the device screen as an image.
Copy and paste (mobile only) - Allow copy and paste actions between apps on the device.
Manual unenrollment - Lets the user manually delete the workplace account from the device.
Manual root certificate installation (mobile only) - Stops the user from manually installing root
certificates, and intermediate CA certificates.
Diagnostic data submission - Possible values are:
None - No data is sent to Microsoft
Basic - Limited information is sent to Microsoft
Enhanced - Enhanced diagnostic data is sent to Microsoft
Full - Sends the same data as Enhanced, plus additional data about the device state
Camera - Allow or block use of the camera on the device.
OneDrive file sync - Blocks the device from synchronizing files to OneDrive.
Removable storage - Specifies whether external storage devices, like SD cards, can be used with the device.
Geolocation - Specifies whether the device can use location services information.
Internet sharing - Allow the use of Internet connection sharing on the device.
Phone reset - Controls whether the user can do a factory reset on their device.
USB connection (mobile only) - Controls whether devices can access external storage devices through a USB
connection.
AntiTheft mode (mobile only) - Configure whether Windows Antitheft mode is enabled.
Action center notifications (mobile only) - Enable or disable action center notifications on the device lock
screen (Windows 10 Mobile only).
Cortana - Enable or disable the Cortana voice assistant.
Voice recording (mobile only) - Allow or block use of the device voice recorder.
Power and sleep settings modification (desktop only) - Prevents the end user from changing power and
sleep settings on the device.
Region settings modification (desktop only) - Prevents the end user from changing the region settings on
the device.
Language settings modification (desktop only) - Prevents the user from changing the language settings
on the device.
System Time modification - Prevents the end user from changing the device date and time.
Device name modification - Prevents the end user from changing the device name.
Add provisioning packages - Blocks the run time configuration agent that installs provisioning packages.
Remove provisioning packages - Blocks the run time configuration agent that removes provisioning
packages.
Device discovery - Block a device from being discovered by other devices.
Task Switcher (mobile only) - Blocks the task switcher on the device.
SIM card error dialog (mobile only) - Blocks an error message from displaying on the device if no SIM card
is detected.

Password
Password - Require the end user to enter a password to access the device.
Required password type - Specifies whether the password must be numeric only, or alphanumeric.
Minimum password length - Applies to Windows 10 Mobile only.
Number of sign-in failures before wiping device - For devices running Windows 10: If the device
has BitLocker enabled, it's put into BitLocker recovery mode after sign-in fails the number of times that
you specified. If the device is not BitLocker enabled, then this setting doesn't apply. For devices running
Windows 10 Mobile: After sign-in fails the number of times you specify, the device is wiped.
Maximum minutes of inactivity until screen locks - Specifies the length of time a device must be
idle before the screen is locked.
Password expiration (days) - Specifies the length of time after which the device password must be
changed.
Prevent reuse of previous passwords - Specifies the number of previously used passwords that are
remembered by the device.
Require password when device returns from idle state - Specifies that the user must enter a
password to unlock the device (Windows 10 Mobile only).
Simple passwords - Lets you allow the use of simple passwords like 1111 and 1234. This setting also
allows or blocks the use of Windows picture passwords.
Encryption - Enable encryption on targeted devices (Windows 10 Mobile only).

Personalization
Desktop background picture URL (Desktop only) - Specify the URL to a picture in PNG, JPG, or JPEG
format that you want to use as the Windows desktop wallpaper. Users will not be able to change this.

Privacy
Input personalization - Don't allow the use of cloud-based speech services for Cortana, dictation, or
Windows Store apps. If you allow these services, Microsoft might collect voice data to improve the service.
Automatic acceptance of the pairing and privacy user consent prompts - Allow Windows to
automatically accept pairing and privacy consent messages when running apps.

Locked screen experience
Action center notifications (mobile only) - Lets Action Center notifications appear on the device lock
screen (Windows 10 Mobile only).
Locked screen picture URL (Desktop only) - Specify the URL to a picture in PNG, JPG, or JPEG format that
will be used as the Windows lock screen wallpaper. Users will not be able to change this.
User configurable screen timeout (mobile only) - Lets users configure the amount of time
Cortana on locked screen (desktop only) - Don't allow the user to interact with Cortana when the device is
on the lock screen (Windows 10 desktop only).
Toast notifications on locked screen - Block alert messages from being displayed on the device lock screen.
Screen timeout (mobile only) - Specifies the time in seconds after the screen locks, when it will turn off.

App Store
App store (mobile only) - Enable or block use of the app store on Windows 10 Mobile devices.
Auto-update apps from store - Allows apps installed from the Windows Store to be automatically updated.
Trusted app installation - Allows apps signed with a trusted certificate to be sideloaded.
Developer unlock - Allow Windows developer settings, such as allowing sideloaded apps to be modified by
the end user.
Shared user app data - Allows apps to share data between different users on the same device.
Use private store only - Enable this to only allow end users to download apps from your private store.
Store originated app launch - Used to disable all apps that were pre-installed on the device, or downloaded
from the Windows Store.
Install app data on system volume - Stops apps from storing data on the system volume of the device.
Install apps on system drive - Stops apps from storing data on the system drive of the device.
Game DVR (desktop only) - Configures whether recording and broadcasting of games is allowed.

Edge Browser
Microsoft Edge browser (mobile only) - Allow the use of the Edge web browser on the device.
Address bar dropdown (desktop only) - Use this to stop Edge from displaying a list of suggestions in a
drop-down list when you type. This helps to minimize network bandwidth use between Edge and Microsoft
services.
Sync favorites between Microsoft browsers (desktop only) - Lets Windows synchronize favorites between
Internet Explorer and Edge.
SmartScreen - Enables or disables SmartScreen, which blocks fraudulent web sites.
Send do-not-track headers - Configures the Edge browser to send do not track headers to websites that
users visit.
Cookies - Lets the browser save internet cookies to the device.
JavaScript - Allows scripts, such as JavaScript, to run in the Edge browser.
Pop-ups - Blocks pop-up windows in the browser (Applies to Windows 10 desktop only).
Search suggestions - Lets your search engine suggest sites as you type search phrases.
Send intranet traffic to Internet Explorer - Lets users open intranet websites in Internet Explorer (Windows
10 desktop only).
Autofill - Allow users to change autocomplete settings in the browser (Windows 10 desktop only).
Password Manager - Enable or disable the Edge Password Manager feature.
Enterprise mode site list location - Specifies where to find the list of web sites that open in Enterprise mode.
Users cannot edit this list (Windows 10 desktop only).
Developer tools - Prevent the end user from opening the Edge developer tools.
Extensions - Allow the end user to install Edge extensions on the device.
InPrivate browsing - Prevent the end user from opening InPrivate browsing sessions.
Show first run page - Stops the introduction page from appearing the first time you run Edge.
First run URL - Specifies the URL of a page that is displayed the first time a user runs Edge (Windows
10 Mobile only).
Homepages - Add a list of sites that you want to use as home pages in the Edge browser (desktop only).
Changes to start page - Lets users change the start pages displayed when Edge is opened. Use the
Homepages setting to create the page, or list of pages that is opened when Edge starts.
Block access to about flags - Prevent the end user from accessing the about:flags page in Edge that contains
developer and experimental settings.
Smart screen prompt override - Allow the end user to bypass SmartScreen filter warnings about potentially
malicious websites.
Smart screen prompt override for files - Allow the end user to bypass SmartScreen filter warnings about
downloading potentially malicious files.
WebRtc localhost ip address - Block the user's localhost IP address from being displayed when making
phone calls using the WebRTC protocol.
Default search engine - Specify the default search engine to be used. End users can change this value at any
time.
Clear browsing data on exit - Clears history, and browsing data when the user exits Edge.
Live Tile data collection - Stops Windows collecting information from the Live Tile when users pin a site to
the start menu from Edge.

Search
Safe Search (mobile only) - Control how Cortana filters adult content in search results. You can select Strict,
Moderate, or allow the end user to choose their own settings.

Cloud and Storage
Microsoft account - Lets the user associate a Microsoft account with the device.
Non-Microsoft account - Lets the user add email accounts to the device that are not associated with a
Microsoft account.
Settings synchronization for Microsoft account - Allow device and app settings that are associated with a
Microsoft account to synchronize between devices.

Cellular and Connectivity
Cellular data channel - Stop users from using data, like browsing the web, when they are connected to a
cellular network.
Data roaming - Allow roaming between networks when accessing data.
VPN over the cellular network - Controls whether the device can access VPN connections when connected
to a cellular network.
VPN roaming over the cellular network - Controls whether the device can access VPN connections when
roaming on a cellular network.
Bluetooth - Controls whether the user can enable and configure Bluetooth on the device.
Bluetooth discoverability - Lets the device be discovered by other Bluetooth-enabled devices.
Bluetooth pre-pairing - Lets you configure specific Bluetooth devices to automatically pair with a host device.
Bluetooth advertising - Lets the device receive advertisements over Bluetooth.
Device Bluetooth name - Specify the Bluetooth name for a device. If you don't specify a name, the default
radio name is used.
Connected devices service - Lets you choose whether to allow the connected devices service, which enables
discovery and connection to other Bluetooth devices.
NFC - Lets the user enable and configure Near Field Communications capabilities on the device.
Wi-Fi - Lets the user enable and configure Wi-Fi on the device (Windows 10 Mobile only).
Automatically connect to Wi-Fi hotspots - Lets the device automatically connect to free Wi-Fi hotspots and
automatically accept any terms and conditions for the connection.
Manual Wi-Fi configuration - Controls whether the user can configure their own Wi-Fi connections, or
whether they can only use connections configured by a Wi-Fi profile (Windows 10 Mobile only).
Wi-Fi scan interval - Specify how often devices scan for Wi-Fi networks. Specify a value from 1 (most
frequent) to 500 (least frequent).
Bluetooth allowed services - Specify, as hex strings, a list of allowed Bluetooth services and profiles.

Control Panel and Settings
Settings app - Block access to the Windows settings app.
System - Blocks access to the system area of the settings app.
Devices - Blocks access to the devices area of the settings app.
Network Internet - Blocks access to the network and internet area of the settings app.
Personalization - Blocks access to the personalization area of the settings app.
Accounts - Blocks access to the accounts area of the settings app.
Time and Language - Blocks access to the time and language area of the settings app.
Ease of Access - Blocks access to the ease of access area of the settings app.
Privacy - Blocks access to the privacy area of the settings app.
Update Security - Blocks access to the updates and security area of the settings app.

Defender
Real-time monitoring - Enables real-time scanning for malware, spyware, and other unwanted software.
Behavior monitoring - Lets Defender check for certain known patterns of suspicious activity on devices.
Network Inspection System (NIS) - NIS helps to protect devices against network-based exploits. It uses the
signatures of known vulnerabilities from the Microsoft Endpoint Protection Center to help detect and block
malicious traffic.
Scan all downloads - Controls whether Defender scans all files downloaded from the Internet.
Scan scripts loaded in Microsoft web browsers - Lets Defender scan scripts that are used in Internet
Explorer.
End user access to Defender - Controls whether the Windows Defender user interface is hidden from end
users. When this setting is changed, it takes effect the next time the end user's PC is restarted.
Signature update interval (in hours) - Specify the interval at which Defender checks for new signature files.
Monitor file and program activity - Allows Defender to monitor file and program activity on devices.
Days before deleting quarantined malware - Lets Defender continue to track resolved malware for the
number of days you specify so that you can manually check previously affected devices. If you set the number
of days to 0, malware remains in the Quarantine folder and is not automatically removed.
CPU usage limit during a scan - Lets you limit the amount of CPU that scans are allowed to use (from 1 to
100).
Scan archive files - Allows Defender to scan archived files such as Zip or Cab files.
Scan incoming mail messages - Allows Defender to scan email messages as they arrive on the device.
Scan removable drives during a full scan - Lets Defender scan removable drives like USB sticks.
Scan mapped network drives during a full scan - Lets Defender scan files on mapped network drives.
If the files on the drive are read-only, Defender cannot remove any malware found in them.
Scan files opened from network folders - Lets Defender scan files on shared network drives (for example,
files accessed from a UNC path). If the files on the drive are read-only, Defender cannot remove any malware
found in them.
Cloud protection - Allows or blocks the Microsoft Active Protection Service from receiving information about
malware activity from devices that you manage. This information is used to improve the service in the future.
Prompt users before sample submission - Controls whether potentially malicious files that might require
further analysis are automatically sent to Microsoft.
Time to perform a daily quick scan - Lets you schedule a quick scan that occurs daily at the time you select.
Type of system scan to perform - Lets you specify the level of scanning that is performed when you schedule
a system scan.
Detect potentially unwanted applications - Choose the level of protection when Windows detects
potentially unwanted applications from:
Block
Audit
For more information about potentially unwanted apps, see this topic.
Actions on detected malware threats - Enable this option to specify the actions you want Defender to take
for each threat level it detects (Low, Moderate, High, and Severe). The actions you can take are:
Clean
Quarantine
Remove
Allow
User defined
Block

Defender Exclusions
Files and folders to exclude from scans and real-time protection - Adds one or more files and folders like
C:\Path or %ProgramFiles%\Path\filename.exe to the exclusions list. These files and folders aren't included
in any real-time or scheduled scans.
File extensions to exclude from scans and real-time protection - Add one or more file extensions like jpg
or txt to the exclusions list. Any files with these extensions are not included in any real-time or scheduled scans.
Processes to exclude from scans and real-time protection - Add one or more processes of the type .exe,
.com, or .scr to the exclusions list. These processes are not included in any real-time, or scheduled scans.
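As an added example (not code from the Intune documentation or product), the following Python script checks a list of proposed Defender exclusion entries against the three kinds described above (file/folder paths, extensions, processes) and warns where an entry takes far more out of scanning than the single-file examples suggest, such as a whole drive or an executable extension. The path pattern, the list of executable extensions, the function names and the sample entries are assumptions.

```python
import re

# The three kinds of entry the Defender Exclusions settings accept, as
# described in the text: files and folders (C:\Path or
# %ProgramFiles%\Path\filename.exe), extensions (jpg, txt) and processes
# (.exe, .com, .scr).
PROCESS_SUFFIXES = (".exe", ".com", ".scr")
# Assumed path shape: a drive letter or an %ENVIRONMENT% variable at the start,
# then characters that are legal in a Windows path.
PATH_RE = re.compile(r'^(?:[A-Za-z]:\\|%[A-Za-z0-9_()]+%\\?)[^<>"|?*]*$')
EXT_RE = re.compile(r"^[A-Za-z0-9]{1,10}$")
# Assumed list of extensions whose exclusion leaves executable content unscanned.
EXECUTABLE_EXTENSIONS = {"exe", "dll", "com", "scr", "ps1", "bat", "cmd", "js", "vbs"}


def classify_exclusion(kind, value):
    """Validate one entry of kind "path", "extension" or "process".

    Returns (accepted, finding). A rejected entry carries the reason; an
    accepted entry carries "" or a warning when the entry is far broader than
    the single file or folder the setting is documented with.
    """
    value = value.strip()
    if not value:
        return False, "empty entry"
    if kind == "path":
        if not PATH_RE.match(value):
            return False, f"not an absolute or %VARIABLE% path: {value!r}"
        if re.fullmatch(r"[A-Za-z]:\\?", value) or re.fullmatch(
            r"%SystemDrive%\\?", value, re.IGNORECASE
        ):
            return True, f"warning: {value!r} exempts an entire drive from scanning"
        return True, ""
    if kind == "extension":
        ext = value.lstrip(".")  # the text lists extensions without a dot
        if not EXT_RE.match(ext):
            return False, f"extension must be letters and digits only: {value!r}"
        if ext.lower() in EXECUTABLE_EXTENSIONS:
            return True, f"warning: extension {ext!r} exempts executable content"
        return True, ""
    if kind == "process":
        if not value.lower().endswith(PROCESS_SUFFIXES):
            return False, f"process must end in .exe, .com or .scr: {value!r}"
        return True, ""
    return False, f"unknown exclusion kind {kind!r}"


def check_exclusions(exclusions):
    """Run classify_exclusion over (kind, value) pairs.

    Returns (accepted, rejected, warnings): accepted holds (kind, value)
    pairs, the other two hold (kind, value, finding) triples."""
    accepted, rejected, warnings = [], [], []
    for kind, value in exclusions:
        ok, finding = classify_exclusion(kind, value)
        if not ok:
            rejected.append((kind, value, finding))
            continue
        accepted.append((kind, value.strip()))
        if finding:
            warnings.append((kind, value, finding))
    return accepted, rejected, warnings


# Constructed sample exclusion list covering each outcome.
SAMPLE_EXCLUSIONS = [
    ("path", r"C:\Program Files\Contoso\agent.exe"),   # accepted
    ("path", r"%ProgramFiles%\Contoso\service.exe"),    # accepted
    ("path", "C:\\"),                                   # accepted, whole-drive warning
    ("path", r"Contoso\agent.exe"),                     # rejected: relative path
    ("extension", "jpg"),                               # accepted
    ("extension", "exe"),                               # accepted, executable warning
    ("extension", "tar.gz"),                            # rejected: not a single extension
    ("process", "backup.exe"),                          # accepted
    ("process", "backup.dll"),                          # rejected: not .exe/.com/.scr
]

if __name__ == "__main__":
    accepted, rejected, warnings = check_exclusions(SAMPLE_EXCLUSIONS)
    for item in rejected + warnings:
        print(item[2])
    print(f"{len(accepted)} accepted, {len(rejected)} rejected, {len(warnings)} warnings")
```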

Network proxy
Automatically detect proxy settings - When enabled, the device attempts to find the path to a PAC script.
Use proxy script - Select this if you want to specify a path to a PAC script to configure the proxy server.
Setup script address URL - Enter the URL of a PAC script you want to use to configure the proxy server.
Use manual proxy server - Select this if you want to manually provide proxy server information.
Address - Enter the name, or IP address of the proxy server.
Port number - Enter the port number of your proxy server.
Proxy exceptions - Enter any URLs that must not use the proxy server. Use a semicolon to separate
each item.
Bypass proxy server for local address - If you don't want to use the proxy server for local addresses
on your intranet, enable this option.

Windows Spotlight
Windows Spotlight - Use this setting to block all Windows Spotlight functionality on Windows 10 devices. If
you block this setting, the following settings are not available.
Windows Spotlight on lock screen - Stop Windows Spotlight from displaying information on the
device lock screen.
Third-party suggestions in Windows Spotlight - Stop Windows Spotlight from suggesting content
that is not published by Microsoft.
Windows Tips - Lets you block pop-up tips from displaying in Windows.
Consumer Features - Lets you block consumer features like Start menu suggestions, and membership
notifications.
Windows Spotlight in action center - Block Windows Spotlight suggestions like new app or security
content from appearing in the Windows Action Center.
Windows Spotlight personalization - Stops Windows Spotlight from personalizing results based on
the usage of a device.
Windows welcome experience - Block the Windows welcome experience that shows the user
information about new, or updated features.

Display
User input from wireless display receivers - Blocks user input from wireless display receivers.
Projection to this PC - Stops other devices from discovering the PC for projection.
Require PIN for pairing - Require a PIN when connecting to a projection device.

Start
Unpin apps from task bar - Stop the user from unpinning apps from the Start menu.
Documents on Start - Hide or show the Documents folder in the Windows Start menu.
Downloads on Start - Hide or show the Downloads folder in the Windows Start menu.
File Explorer on Start - Hide or show the File Explorer app in the Windows Start menu.
HomeGroup on Start - Hide or show the HomeGroup folder in the Windows Start menu.
Music on Start - Hide or show the Music folder in the Windows Start menu.
Network on Start - Hide or show the Network folder in the Windows Start menu.
Personal folder on Start - Hide or show the Personal folder in the Windows Start menu.
Pictures on Start - Hide or show the folder for pictures in the Windows Start menu.
Settings on Start - Hide or show the Settings app in the Windows Start menu.
Videos on Start - Hide or show the folder for videos in the Windows Start menu.
Windows 10 Team device restriction settings in Microsoft Intune
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

Wake screen when someone in room - Allows the device to wake automatically when its sensor detects
someone in the room.
PIN for wireless projection - Specifies whether you must enter a PIN before you can use the wireless
projection capabilities of the device.
Miracast wireless projection - Enable this option if you want to let the Windows 10 Team device use Miracast
enabled devices to project.
Meeting information displayed on welcome screen - Enable this option to choose the information that will
be displayed on the Meetings tile of the Welcome screen. You can:
Show organizer and time only
Show organizer, time and subject (subject hidden for private meetings)
Welcome screen background image URL - Enable this setting to display a custom background on the
Welcome screen of Windows 10 Team devices from the URL you specify.
The image must be in PNG format and the URL must begin with https://.
Maintenance window for updates - Configures the window when updates can take place to the device. You
can configure the start time of the window and the duration (from 1-5 hours).
Azure Operational Insights - Azure Operational Insights, part of the Microsoft Operations Management Suite
(OMS), collects, stores, and analyzes log file data from Windows 10 Team devices.
To connect to Azure Operational Insights, you must specify a Workspace ID and a Workspace Key. The
Workspace Key is a credential that lets an agent send data into that workspace, so treat it as a secret.
Android for Work device restriction settings in
Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

Work profile settings


Data sharing between work and personal profiles - Use this setting to control whether apps in the
work profile can share with apps in the personal profile. This setting controls sharing actions within
applications (for example, the Share option in the Chrome browser app) and does not apply to
copy/paste clipboard behavior. Unlike app protection policy settings, device restriction settings are
managed from the Intune portal and use the Android for Work work profile partition to isolate managed
apps. Choose from:
Default sharing restrictions - This is the default sharing behavior of the device which varies
depending on the version of Android it is running. By default, sharing from the personal profile to the
work profile is allowed. Also by default, sharing from the work profile to the personal profile is blocked.
This prevents sharing of data from the work to the personal profile. Google does not provide a way to
block sharing from the personal profile to work profile on devices running versions 6.0 and later.
Apps in work profile can handle sharing request from personal profile - Use this option to enable
the built-in Android feature that allows sharing from the personal to work profile. When enabled, a
sharing request from an app in the personal profile can share with apps in the work profile. This is the
default behavior for Android devices running versions earlier than 6.0.
Allow sharing across boundaries - Enables sharing across the work profile boundary in both
directions. When you select this setting, apps in the work profile can share data with un-badged apps in
the personal profile. Use this setting with care as this allows managed apps in the work profile to share
with apps on the unmanaged side of the device.
Work profile notifications while device locked - Controls whether apps in the work profile can display
data in notifications when the device is locked.
Default app permissions - Sets the default permission policy for all apps in the work profile. Starting with
Android 6, the user is prompted to grant certain permissions required by apps when the app is launched.
This policy setting lets you decide whether users are prompted to grant permissions for all apps in the work
profile. For example, you assign an app to the work profile that requires location access. Normally that app
prompts the user to approve or deny location access. This policy lets you decide whether all permissions
should be auto-granted without a prompt, auto-denied without a prompt, or left to the end user. Auto grant
removes the user's chance to refuse sensitive permissions (location, camera, contacts) for every app in the
work profile, so reserve it for apps you have vetted. Choose from:
Device default
Prompt
Auto grant
Auto deny
The grant state for permissions can be further defined for specific apps by defining an App Configuration
policy for an individual app (under Mobile Apps > App configuration policies).
Work profile password
Require Work Profile Password - (Android 7.0 and above with work profile enabled) Define a passcode
policy that applies just to the apps in the work profile. By default, the end user has the option to use the two
separately defined PINs or they can elect to combine the two defined PINs into the stronger of the two.
Minimum password length - Enter the minimum number of characters the user's password must contain
(from 4-16).
Maximum minutes of inactivity until screen locks - Select the amount of time before an inactive device
requires the user to re-enter the work profile password to run an app in the work profile.
Number of sign-in failures before wiping device - Enter the number of times an incorrect password can be
entered before the work profile is wiped from the device.
Password expiration (days) - Enter the number of days until an end user's password must be changed (from
1-255).
Required password type - Select the type of password that must be set on the device. Choose from:
Device default
Low security biometric
Required
At least numeric
Numeric complex - (repeating, or consecutive numbers like '1111' or '1234' are not allowed)
At least alphabetic
At least alphanumeric
At least alphanumeric with symbols
Prevent reuse of previous passwords - Enter the number of new passwords that must have been used
before an old one can be reused (from 1-24).
Fingerprint unlock - Blocks an end user from using the device fingerprint scanner to unlock it.
Smart Lock and other trust agents - Lets you control the Smart Lock feature on compatible devices. This
phone capability, sometimes known as a trust agent, lets the device disable or bypass the work profile password
when it is in a trusted situation (for example, when it's connected to a specific Bluetooth device, or when it's
close to an NFC tag). You can use this setting to prevent users from configuring Smart Lock.

Password
Minimum password length - Enter the minimum number of characters the user's password must contain
(from 4-14).
Maximum minutes of inactivity until screen locks - Select the amount of time before an inactive device
automatically locks.
Number of sign-in failures before wiping device - Enter the number of times an incorrect password can be
entered before all data is wiped from the device.
Password expiration (days) - Enter the number of days until an end user's password must be changed (from
1-255).
Required password type - Select the type of password that must be set on the device. Choose from:
Device default
Low security biometric
Required
At least numeric
Numeric complex - (repeating, or consecutive numbers like '1111' or '1234' are not allowed)
At least alphabetic
At least alphanumeric
At least alphanumeric with symbols
Prevent reuse of previous passwords - Enter the number of new passwords that must have been used
before an old one can be reused (from 1-24).
Fingerprint unlock - Blocks an end user from using the device fingerprint scanner to unlock it.
Smart Lock and other trust agents - Lets you control the Smart Lock feature on compatible devices. This
phone capability, sometimes known as a trust agent, lets the device disable or bypass the lock screen password
when it is in a trusted situation (for example, when it's connected to a specific Bluetooth device, or when it's
close to an NFC tag). You can use this setting to prevent users from configuring Smart Lock.
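The password-type options above (the list is the same for the work profile and for the device) map onto Android's "at least ..." password qualities, and the Numeric complex check is the one most often misread. The following is an added example, not Intune or Android code: it models a work profile password policy as the page describes it and checks a candidate password against the minimum length, required type and reuse-history settings. The type names, the WorkProfilePasswordPolicy class and the SHA-256 history are this example's own assumptions; the numeric-complex rule rejects any run of more than three digits with a constant step (so 1111, 1234, 4321 and also 2468), which is how Android's own quality check behaves and goes slightly beyond the two cases the page names.

```python
import hashlib
from dataclasses import dataclass

# "Required password type" options from the page, modelled as Android-style "at least ..."
# qualities: a type is met when the password contains at least the listed character classes,
# so a stronger password also satisfies every weaker type. (Example code; names are assumed.)
MAX_ALLOWED_SEQUENCE = 3   # numeric complex tolerates constant-step digit runs up to this length


def longest_constant_step_run(password: str) -> int:
    """Length of the longest run of digits with a constant step between neighbours:
    '1111' (step 0), '1234' / '4321' (step +-1) and '2468' (step 2) all score 4."""
    best = 1 if password else 0
    run, step = 1, None
    for prev, cur in zip(password, password[1:]):
        if prev.isdigit() and cur.isdigit():
            diff = int(cur) - int(prev)
            run = run + 1 if diff == step else 2
            step = diff
        else:
            run, step = 1, None          # a non-digit breaks any sequence
        best = max(best, run)
    return best


def meets(password: str, required_type: str) -> bool:
    """True when the password satisfies the given 'Required password type'."""
    has_digit = any(c.isdigit() for c in password)
    has_alpha = any(c.isalpha() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    if required_type == "device_default":
        return True                      # the device's own minimum applies; nothing to check here
    if required_type == "numeric":
        return has_digit
    if required_type == "numeric_complex":
        return has_digit and longest_constant_step_run(password) <= MAX_ALLOWED_SEQUENCE
    if required_type == "alphabetic":
        return has_alpha
    if required_type == "alphanumeric":
        return has_alpha and has_digit
    if required_type == "alphanumeric_with_symbols":
        return has_alpha and has_digit and has_symbol
    raise ValueError(f"unknown password type: {required_type}")


def password_hash(password: str) -> str:
    """Stand-in for the stored password history (a real device never keeps the plaintext)."""
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class WorkProfilePasswordPolicy:
    minimum_length: int = 6              # page: 4-16 for the work profile
    required_type: str = "numeric_complex"
    password_history: int = 5            # page: "Prevent reuse of previous passwords", 1-24


def check_password(policy: WorkProfilePasswordPolicy, candidate: str, previous_hashes: list) -> list:
    """Return the policy violations for a candidate password ([] means acceptable).
    previous_hashes is the history of password_hash() values, oldest first."""
    problems = []
    if len(candidate) < policy.minimum_length:
        problems.append("length")
    if not meets(candidate, policy.required_type):
        problems.append("type")
    # Only the most recent `password_history` entries count, as the page's setting describes.
    if policy.password_history and password_hash(candidate) in previous_hashes[-policy.password_history:]:
        problems.append("reuse")
    return problems


if __name__ == "__main__":
    policy = WorkProfilePasswordPolicy(minimum_length=6, required_type="numeric_complex", password_history=3)
    history = [password_hash(p) for p in ("172948", "395170")]      # constructed prior passwords
    for candidate in ("123456", "1729", "172948", "417263"):
        print(candidate, check_password(policy, candidate, history) or "ok")
```

Running the block prints "type" for 123456 (a consecutive run), "length" for 1729, "reuse" for 172948 and "ok" for 417263. Note that a numeric password is never promoted to a stronger type: "At least alphabetic" rejects any all-digit PIN, however long.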
How to configure email settings in Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

Email profiles can be used to configure devices you manage with the settings necessary to connect to, and
synchronize with, company email. This helps ensure that settings are standard across all of your devices, and
also helps reduce support calls from end users who do not know the correct email settings.
The built-in mail client is supported for most platforms. Most third-party email apps are not currently supported.
You can use email profiles to configure the native email client on the following device types:
Android Samsung KNOX Standard 4.0 and later
Android for Work
iOS 8.0 and later
Windows Phone 8.1 and later
Windows 10 (desktop) and Windows 10 Mobile
Use the information in this topic to learn the basics about configuring an email profile, and then read further topics
for each platform to learn about device specifics.

Create a device profile containing email settings


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the profiles blade, choose Create Profile.
6. On the Create Profile blade, enter a Name and Description for the email profile.
7. From the Platform drop-down list, select the device platform to which you want to apply email settings.
Currently, you can choose one of the following platforms for email device settings:
Android (Samsung Android KNOX Standard only)
Android for Work
iOS
Windows Phone 8.1
Windows 10 and later
8. From the Profile type drop-down list, choose Email.
9. Depending on the platform you chose, the settings you can configure will be different. Go to one of the
following topics for detailed settings for each platform:
Android for Work and Samsung KNOX Standard settings
iOS settings
Windows Phone 8.1 settings
Windows 10 settings
10. When you're done, go back to the Create Profile blade, and hit Create.
The profile will be created and appears on the profiles list blade. If you want to go ahead and assign this profile to
groups, see How to assign device profiles.

Further information
Remove an email profile
If you want to remove an email profile from a device, edit the assignment and remove any groups of which the
device is a member. Note that you cannot remove an email profile in this way if it is the only email profile on a
device.
Securing email access
You can help secure email profiles using one of two methods:
1. Certificates - When you create the email profile, you choose a certificate profile that you have previously
created in Intune. This is known as the identity certificate: the device presents it when it connects, and the
mail server checks that it chains to a trusted root (the root you distribute to devices with a trusted certificate
profile) to establish that the user's device is allowed to connect. The trusted certificate is assigned to the
computer that authenticates the email connection, typically, the native mail server. For more information
about how to create and use certificate profiles in Intune, see How to configure certificates with Intune.
2. User name and password - The user authenticates to the native mail server by providing their user name and
password. The password is not contained in the email profile, so the user needs to supply it when they
connect to email.
How Intune handles existing email accounts
If the user has already configured an email account, the result of the Intune email profile assignment depends on
the device platform:
iOS: An existing, duplicate email profile is detected based on host name and email address. The duplicate email
profile blocks the assignment of an Intune profile. In this case, the Company Portal informs the user that
they are not compliant and prompts the user to remove the manually configured profile. To help prevent this
problem, instruct your users to enroll before installing an email profile, which allows Intune to set up the profile.
Windows: An existing, duplicate email profile is detected based on host name and email address. Intune
overwrites the existing email profile created by the user.
Android Samsung KNOX Standard: An existing, duplicate email profile is detected based on the email
address, and Intune overwrites it with the Intune profile. Since Android does not use the host name to identify
the profile, we recommend that you not create multiple email profiles for the same email address on different
hosts, as these overwrite each other.
Android for Work: Intune provides two Android for Work email profiles, one for each of the Gmail and Nine
Work email apps. These apps are available in the Google Play Store, and install in the device work profile, so
they can't result in duplicate profiles. Both apps support connections to Exchange. To enable the email
connectivity, deploy one of these email apps to your users' devices, and then create and deploy the appropriate
email profile. Email apps such as Nine Work might not be free. Review the app's licensing details or contact the
app company with any questions.
Update an email profile
If you make changes to an email profile you previously assigned, end users might see a message asking them to
approve the reconfiguration of their email settings.
Email profile settings for Android devices in Microsoft
Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

As an Intune admin, you can create and assign email settings to the following Android devices:
Android Samsung KNOX Standard
Android for Work

Android Samsung KNOX Standard email settings


Email server - The host name of your Exchange server.
Account name - The display name for the email account as it appears to users on their devices.
Username attribute from AAD - This name is the attribute in Active Directory (AD) or Azure AD used to
generate the username for this email profile. Select Primary SMTP Address, such as user1@contoso.com or
User Principal Name, such as user1 or user1@contoso.com.
Email address attribute from AAD - How the email address for the user on each device is generated. Select
Primary SMTP Address to use the primary SMTP address to log in to Exchange or use User Principal Name
to use the full principal name as the email address.
Authentication method - Select either Username and Password or Certificates as the authentication
method used by the email profile.
If you selected Certificate, select a client SCEP or PKCS certificate profile that you previously created to
authenticate the Exchange connection.
Security settings
SSL - Use Secure Sockets Layer (SSL) communication when sending emails, receiving emails, and
communicating with the Exchange server.
S/MIME - Send outgoing email using S/MIME encryption.
If you selected Certificate, select a client SCEP or PKCS certificate profile that you previously created to
authenticate the Exchange connection.
Synchronization settings
Amount of email to synchronize - Choose the number of days of email that you want to synchronize, or
select Unlimited to synchronize all available email.
Sync schedule - Select the schedule by which devices synchronize data from the Exchange server. You can also
select As Messages arrive, which synchronizes data when it arrives, or Manual, where the user of the device
must initiate the synchronization.
Content sync settings
Content type to sync - Select the content types that you want to synchronize to devices from:
Contacts
Calendar
Tasks

Android for Work email settings


Email app - Select either Gmail or Nine Work.
Email server - The host name of your Exchange server.
Username attribute from AAD - This name is the attribute in Active Directory (AD) or Azure AD, that will be
used to generate the username for this email profile. Select Primary SMTP Address, such as
user1@contoso.com or User Principal Name, such as user1 or user1@contoso.com.
Email address attribute from AAD - How the email address for the user on each device is generated. Select
User Principal Name to use the full principal name as the email address or User name.
Authentication method - Select either Username and Password or Certificates as the authentication
method used by the email profile.
If you selected Certificate, select a client SCEP or PKCS certificate profile that you previously created to
authenticate the Exchange connection.
SSL - Use Secure Sockets Layer (SSL) communication when sending emails, receiving emails, and
communicating with the Exchange server.
Amount of email to synchronize - Choose the number of days of email that you want to synchronize, or
select Unlimited to synchronize all available email.
Content type to sync (Nine Work only) - Select the content types that you want to synchronize to devices
from:
Contacts
Calendar
Tasks
Email profile settings for iOS devices in Microsoft
Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

Email server - The host name of your Exchange server.


Account name - The display name for the email account as it will appear to users on their devices.
Username attribute from AAD - This is the attribute in Active Directory (AD) or Azure AD, that will be used to
generate the username for this email profile. Select Primary SMTP Address, such as user1@contoso.com or
User Principal Name, such as user1 or user1@contoso.com.
Email address attribute from AAD - How the email address for the user on each device is generated. Select
Primary SMTP Address to use the primary SMTP address to log into Exchange or use User Principal Name to
use the full principal name as the email address.
Authentication method - Select either Username and Password or Certificates as the authentication
method used by the email profile.
If you selected Certificate, select a client SCEP or PKCS certificate profile that you previously created that
will be used to authenticate the Exchange connection.
SSL - Use Secure Sockets Layer (SSL) communication when sending emails, receiving emails, and
communicating with the Exchange server.
S/MIME - Send outgoing email using S/MIME signing.
If you selected Certificate, select a client SCEP or PKCS certificate profile that you previously created that
will be used to authenticate the Exchange connection.
Amount of email to synchronize - Choose the number of days of email that you want to synchronize, or
select Unlimited to synchronize all available email.
Allow messages to be moved to other email accounts - This allows users to move email messages between
different accounts they have configured on their device.
Allow email to be sent from third party applications - Allow the user to select this profile as the default
account for sending email, and allow third-party applications to open email in the native email app, for example,
to attach files to email.
Synchronize recently used email addresses - This feature allows users to synchronize the list of email
addresses that have been recently used on the device with the server.
Email profile settings for Windows Phone 8.1 devices
in Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

Apply all settings to Windows Phone 8.1 only - This is a setting you can configure in the classic Intune
portal. In the Azure portal, this setting cannot be changed. If this is set to Configured, any settings will only be
applied to Windows Phone 8.1 devices. If set to Not Configured, these settings will also apply to Windows 10
Mobile devices.
Email server - The host name of your Exchange server.
Account name - The display name for the email account as it will appear to users on their devices.
Username attribute from AAD - This is the attribute in Active Directory (AD) or Azure AD, that will be used to
generate the username for this email profile. Select Primary SMTP Address, such as user1@contoso.com or
User Principal Name, such as user1 or user1@contoso.com.
Email address attribute from AAD - How the email address for the user on each device is generated. Select
Primary SMTP Address to use the primary SMTP address to log into Exchange or use User Principal Name to
use the full principal name as the email address.

Security settings
SSL - Use Secure Sockets Layer (SSL) communication when sending emails, receiving emails, and
communicating with the Exchange server.

Synchronization settings
Amount of email to synchronize - Choose the number of days of email that you want to synchronize, or
select Unlimited to synchronize all available email.
Sync schedule - Select the schedule by which devices will synchronize data from the Exchange server. You can
also select As Messages arrive, which synchronizes data as soon as it arrives, or Manual, where the user of the
device must initiate the synchronization.

Content sync settings


Content type to sync - Select the content types that you want to synchronize to devices from:
Contacts
Calendar
Tasks
Email profile settings for Windows 10 devices in
Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

Email server - The host name of your Exchange server.


Account name - The display name for the email account as it will appear to users on their devices.
Username attribute from AAD - This is the attribute in Active Directory (AD) or Azure AD, that will be used to
generate the username for this email profile. Select Primary SMTP Address, such as user1@contoso.com or
User Principal Name, such as user1 or user1@contoso.com.
Email address attribute from AAD - How the email address for the user on each device is generated. Select
Primary SMTP Address to use the primary SMTP address to log into Exchange or use User Principal Name to
use the full principal name as the email address.

Security settings
SSL - Use Secure Sockets Layer (SSL) communication when sending emails, receiving emails, and
communicating with the Exchange server.

Synchronization settings
Amount of email to synchronize - Choose the number of days of email that you want to synchronize, or
select Unlimited to synchronize all available email.
Sync schedule - Select the schedule by which devices will synchronize data from the Exchange server. You can
also select As Messages arrive, which synchronizes data as soon as it arrives, or Manual, where the user of the
device must initiate the synchronization.

Content sync settings


Content type to sync - Select the content types that you want to synchronize to devices from:
Contacts
Calendar
Tasks
How to configure VPN settings in Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

Virtual private networks (VPNs) give your users secure remote access to your company network. Devices use a
VPN connection profile to initiate a connection with the VPN server. Use VPN profiles in Microsoft Intune to
assign VPN settings to users and devices in your organization, so they can easily and securely connect to the
network.
For example, assume that you want to provision all iOS devices with the settings required to connect to a file share
on the corporate network. You create a VPN profile that contains the settings necessary to connect to the corporate
network, and then you assign this profile to all users who have iOS devices. The users will see the VPN connection
in the list of available networks and can connect with minimal effort.

VPN connection types


You can create VPN profiles using the following connection types:

Connection type                 Android / Android for Work   iOS   macOS   Windows Phone 8.1   Windows 8.1   Windows 10

Pulse Secure                    Yes                          Yes   Yes     Yes                 Yes           Yes
Cisco (IPSec)                   No                           Yes   No      No                  No            No
Citrix                          Yes (Android only)           Yes   No      No                  No            No
F5 Edge Client                  Yes                          Yes   Yes     Yes                 Yes           Yes
Dell SonicWALL Mobile Connect   Yes                          Yes   Yes     Yes                 Yes           Yes
Check Point Capsule VPN         Yes                          Yes   Yes     Yes                 Yes           Yes
Cisco AnyConnect                Yes                          Yes   Yes     No                  No            No
Automatic                       No                           No    No      No                  No            Yes
IKEv2                           No                           No    No      No                  No            Yes
L2TP                            No                           No    No      No                  No            Yes
PPTP                            No                           No    No      No                  No            Yes
Custom                          No                           Yes   Yes     No                  No            No

IMPORTANT
Before you can use VPN profiles assigned to a device, you must install the applicable VPN app for the profile. You can use
the information in the What is app management in Microsoft Intune? topic to help you assign the app by using Intune.

Learn how to create custom VPN profiles by using URI settings in Create custom VPN profiles.

Create a device profile containing VPN settings


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the profiles blade, choose Create Profile.
6. On the Create Profile blade, enter a Name and Description for the VPN profile.
7. From the Platform drop-down list, select the device platform to which you want to apply VPN settings.
Currently, you can choose one of the following platforms for VPN device settings:
Android
Android for Work
iOS
macOS
Windows Phone 8.1
Windows 8.1 and later
Windows 10 and later
8. From the Profile type drop-down list, choose VPN.
9. Depending on the platform you chose, the settings you can configure will be different. Go to one of the
following topics for detailed settings for each platform:
Android and Android for Work settings
iOS settings
macOS settings
Windows Phone 8.1 settings
Windows 8.1 settings
Windows 10 settings
10. When you're done, go back to the Create Profile blade, and hit Create.
The profile will be created and appears on the profiles list blade. If you want to go ahead and assign this profile to
groups, see How to assign device profiles.

Methods of securing VPN profiles


VPN profiles can use a number of different connection types and protocols from different manufacturers. These
connections are typically secured through one of two methods.
Certificates
When you create the VPN profile, you choose a SCEP or PKCS certificate profile that you previously created in
Intune. This is known as the identity certificate. The device presents it to the VPN server, which checks that it
chains to the trusted certificate profile (or root certificate) you created, to establish that the user's device is
allowed to connect. The trusted certificate is assigned to the computer that authenticates the VPN connection,
typically, the VPN server.
For more information about how to create and use certificate profiles in Intune, see How to configure certificates
with Microsoft Intune.
User name and password
The user authenticates to the VPN server by providing a user name and password.
VPN settings for Android devices in Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

As an Intune admin, you can configure VPN settings for the following platforms:
Android
Android for Work
Depending on the settings you choose, not all values listed below are configurable.

Android VPN settings


Connection name - Enter a name for this connection. End users will see this name when they browse their device
for the list of available VPN connections.
IP address or FQDN - Provide the IP address or fully qualified domain name of the VPN server that devices will
connect to. Examples: 192.168.1.1, vpn.contoso.com.
Authentication method - Choose how devices will authenticate to the VPN server from:
Certificates - Select a SCEP or PKCS certificate profile you previously created to authenticate the
connection. For more details about certificate profiles, see How to configure certificates.
Username and password - End users must supply a user name and password to log into the VPN
server.
Connection type - Select the VPN connection type from the following list of vendors:
Check Point Capsule VPN
Cisco AnyConnect
Dell SonicWALL Mobile Connect
F5 Edge Client
Pulse Secure
Citrix
Fingerprint (Check Point Capsule VPN only) - Specify a string (for example, "Contoso Fingerprint Code")
that is used to verify that the VPN server can be trusted. The fingerprint is sent to the client so it knows to
trust any server that presents the same fingerprint when connecting. If the device doesn't already have the
fingerprint, it prompts the user to trust the VPN server they are connecting to while showing the fingerprint
(the user manually verifies the fingerprint and chooses to trust it in order to connect). Provisioning the
fingerprint in the profile avoids that trust-on-first-use prompt, which an end user is unlikely to check against
an out-of-band value.
Enter key and value pairs for the Citrix VPN attributes (Citrix only) - Enter key and value pairs, provided by
Citrix, to configure the properties of the VPN connection.

Android for Work VPN settings


Connection name - Enter a name for this connection. End users will see this name when they browse their device
for the list of available VPN connections.
IP address or FQDN - Provide the IP address or fully qualified domain name of the VPN server that devices will
connect to. Examples: 192.168.1.1, vpn.contoso.com.
Authentication method - Choose how devices will authenticate to the VPN server from:
Certificates - Select a SCEP or PKCS certificate profile you previously created to authenticate the
connection. For more details about certificate profiles, see How to configure certificates.
Username and password - End users must supply a user name and password to log into the VPN
server.
Connection type - Select the VPN connection type from the following list of vendors:
Check Point Capsule VPN
Cisco AnyConnect
Dell SonicWALL Mobile Connect
F5 Edge Client
Pulse Secure
Split tunneling - Enable to let only the traffic that needs the VPN use the tunnel while it is active, with other
traffic going directly to the internet. Disable this setting if you want all traffic to use the VPN when it is active.
VPN settings for iOS devices in Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

Depending on the settings you choose, not all values in the list below will be configurable.

Base VPN settings


Connection name - Enter a name for this connection. End users will see this name when they browse their device
for the list of available VPN connections.
IP address or FQDN - Provide the IP address or fully qualified domain name of the VPN server that devices will
connect to. Examples: 192.168.1.1, vpn.contoso.com.
Authentication method - Choose how devices will authenticate to the VPN server from:
Certificates - Under Authentication certificate, Choose a SCEP or PKCS certificate profile you
previously created to authenticate the connection. For more details about certificate profiles, see How to
configure certificates.
Username and password - End users must supply a username and password to log into the VPN server.
Connection type - Select the VPN connection type from the following list of vendors:
Check Point Capsule VPN
Cisco AnyConnect
Dell SonicWALL Mobile Connect
F5 Edge Client
Pulse Secure
Cisco (IPSec)
Citrix
Custom VPN
Split tunneling - Enable or Disable this option which lets devices decide which connection to use depending
on the traffic. For example, a user in a hotel will use the VPN connection to access work files, but use the hotel's
standard network for regular web browsing.

Custom VPN settings


If you selected Custom VPN as the connection type, configure these further settings:
VPN identifier - This is an identifier for the VPN app you are using, and is supplied by your VPN provider.
Enter key and value pairs for the custom VPN attributes - Add or import keys and values that customize
your VPN connection. Again, these values are typically supplied by your VPN provider.

Apps (per-app VPN) settings


Per-app VPN - Enable this option to associate the VPN with URLs that bring up the connection when they are
visited from the Safari browser. To configure this, you must have selected Certificates as the authentication
method in the base VPN settings.
URLs that will enable the VPN connection while using the Safari browser - Click Add to add one or
more web site URLs. When these URLs are visited, the VPN connection will be enabled.
On-demand rules - This lets you configure conditional rules that control when the VPN connection is
initiated. For example, you could create a condition where the VPN connection is only used when a device is
not connected to one of your company Wi-Fi networks. Alternatively, you could create a condition where, if a
device cannot access a DNS search domain you specify, then the VPN connection is not initiated.
SSIDs or DNS search domains - Select whether this condition will use wireless network SSIDs, or DNS
search domains. Choose Add to configure one or more SSIDs or search domains.
URL string probe - Optionally, provide a URL that the rule uses as a test. If the device on which this
profile is installed is able to access this URL without redirection, the VPN connection will be initiated and
the device will connect to the target URL. The user will not see the URL string probe site. An example of a
URL string probe is the address of an auditing Web server that checks device compliance before
connecting the VPN. Another possibility is that the URL tests the ability of the VPN to connect to a site,
before connecting the device to the target URL through the VPN.
Domain action - Choose one of the following:
Connect if needed -
Never connect -
Action - Choose one of the following:
Connect -
Evaluate connection -
Ignore -
Disconnect -
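The on-demand rules above are evaluated in order, and the first rule whose conditions (SSID, DNS search domain, URL string probe) all hold supplies the action. The following is an added example that models that evaluation; it is not code from the original page or from Intune. The rule model, the SSID names, the search domains, the probe URL (vpn-check.contoso.example) and the probe outcomes are all constructed for the example.

```python
"""Evaluate iOS VPN on-demand rules as the settings above describe them: rules are
tried in order, the first rule whose SSID, DNS search domain and URL string probe
conditions all hold decides, and EvaluateConnection defers to a per-domain action.
Added example; rule model, SSIDs, domains and probe results are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class OnDemandRule:
    action: str                                      # Connect, Disconnect, Ignore or EvaluateConnection
    ssids: List[str] = field(default_factory=list)                 # match when current SSID is listed
    dns_search_domains: List[str] = field(default_factory=list)    # match when one is a search domain
    url_probe: Optional[str] = None                  # match only when this URL answers without redirection
    domain_actions: Dict[str, str] = field(default_factory=dict)   # EvaluateConnection only:
                                                     # domain -> ConnectIfNeeded / NeverConnect


@dataclass
class DeviceState:
    ssid: Optional[str]
    dns_search_domains: List[str]
    probe: Callable[[str], bool]                     # True if the URL was fetched without a redirect


def rule_matches(rule: OnDemandRule, state: DeviceState) -> bool:
    if rule.ssids and state.ssid not in rule.ssids:
        return False
    if rule.dns_search_domains and not set(rule.dns_search_domains) & set(state.dns_search_domains):
        return False
    if rule.url_probe is not None and not state.probe(rule.url_probe):
        return False
    return True


def decide(rules: List[OnDemandRule], state: DeviceState, host: str) -> str:
    """Return Connect, Disconnect or Ignore, or, for an EvaluateConnection rule,
    the per-domain action (ConnectIfNeeded / NeverConnect) that applies to `host`."""
    for rule in rules:
        if not rule_matches(rule, state):
            continue
        if rule.action != "EvaluateConnection":
            return rule.action
        # Most specific domain first, so intranet.contoso.example wins over contoso.example.
        for domain in sorted(rule.domain_actions, key=len, reverse=True):
            if host == domain or host.endswith("." + domain):
                return rule.domain_actions[domain]
        return "Ignore"
    return "Ignore"   # nothing matched: leave the tunnel in its current state


def probe_from_table(results: Dict[str, bool]) -> Callable[[str], bool]:
    """Constructed stand-in for the device's URL string probe. A captive portal that
    redirects the request makes the real probe fail, which is False here."""
    return lambda url: results.get(url, False)


PROBE_URL = "https://vpn-check.contoso.example/probe"   # assumed compliance-check endpoint
CORP_SSIDS = ["ContosoCorp", "ContosoCorp-5GHz"]         # assumed company Wi-Fi names
RULES = [
    OnDemandRule(action="Disconnect", ssids=CORP_SSIDS),                        # on company Wi-Fi: no VPN
    OnDemandRule(action="Ignore", dns_search_domains=["corp.contoso.example"]),  # already on the corp network
    OnDemandRule(action="EvaluateConnection", url_probe=PROBE_URL,
                 domain_actions={"intranet.contoso.example": "ConnectIfNeeded",
                                 "contoso.example": "NeverConnect"}),
]

if __name__ == "__main__":
    hotel = DeviceState("HotelGuest", [], probe_from_table({PROBE_URL: True}))
    print(decide(RULES, hotel, "intranet.contoso.example"))   # ConnectIfNeeded
```

Note what the last rule does when the probe fails: a hotel captive portal that redirects the probe means no rule matches, so the result is Ignore and the tunnel is not brought up, which is the behaviour the URL string probe setting is meant to produce.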

Proxy settings
Automatic configuration script - Use a file to configure the proxy server. Enter the Proxy server URL (for
example http://proxy.contoso.com) which contains the configuration file.
Address - Enter the proxy server address (as an IP address).
Port number - Enter the port number associated with the proxy server.
VPN settings for macOS devices in Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

Depending on the settings you choose, not all values in the list below will be configurable.

Base VPN settings


Connection name - Enter a name for this connection. End users will see this name when they browse their device
for the list of available VPN connections.
IP address or FQDN - Provide the IP address or fully qualified domain name of the VPN server that devices will
connect to. Examples: 192.168.1.1, vpn.contoso.com.
Authentication method - Choose how devices will authenticate to the VPN server from:
Certificates - Under Authentication certificate, choose a SCEP or PKCS certificate profile you previously created to authenticate the connection. For more details about certificate profiles, see How to configure certificates.
Username and password - End users must supply a username and password to log into the VPN server.
Connection type - Select the VPN connection type from the following list of vendors:
Check Point Capsule VPN
Cisco AnyConnect
Dell SonicWALL Mobile Connect
F5 Edge Client
Pulse Secure
Custom VPN
Split tunneling - Enable or Disable this option which lets devices decide which connection to use depending
on the traffic. For example, a user in a hotel will use the VPN connection to access work files, but use the hotel's
standard network for regular web browsing.

Custom VPN settings


If you selected Custom VPN, configure these further settings:
VPN identifier - The identifier for the VPN app you are using, supplied by your VPN provider.
Enter key and value pairs for the custom VPN attributes - Add or import the keys and values that customize your VPN connection. Again, these values are typically supplied by your VPN provider.

Proxy settings
Automatic configuration script - Use a file to configure the proxy server. Enter the Proxy server URL (for
example http://proxy.contoso.com) which contains the configuration file.
Address - Enter the proxy server address (as an IP address).
Port number - Enter the port number associated with the proxy server.
VPN settings for Windows 8.1 devices in Microsoft
Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE


Depending on the settings you choose, not all values in the list below will be configurable.

Base VPN settings


Apply all settings to Windows 8.1 only - This is a setting you can configure in the classic Intune portal. In the
Azure portal, this setting cannot be changed. If this is set to Configured, any settings will only be applied to
Windows 8.1 devices. If set to Not Configured, these settings will also apply to Windows 10 devices.
Connection name - Enter a name for this connection. End users will see this name when they browse their
device for the list of available VPN connections.
Servers - Add one or more VPN servers that devices will connect to.
Add - Opens the Add Row blade where you can specify the following information:
Description - Specify a descriptive name for the server like Contoso VPN server.
IP address or FQDN - Provide the IP address or fully qualified domain name of the VPN server
that devices will connect to. Examples: 192.168.1.1, vpn.contoso.com.
Default server - Enables this server as the default server that devices will use to establish the
connection. Make sure to set only one server as the default.
Import - Browse to a file containing a comma-separated list of servers in the format description, IP address or FQDN, Default server. Choose OK to import these into the Servers list.
Export - Exports the list of servers to a comma-separated-values (csv) file.
Connection type - Select the VPN connection type from the following list of vendors:
Check Point Capsule VPN
Dell SonicWALL Mobile Connect
F5 Edge Client
Pulse Secure
Login group or domain (Dell SonicWALL Mobile Connect only) - Specify the name of the login group or
domain that you want to connect to.
Role (Pulse Secure only) - Specify the name of the user role that has access to this connection. A user role
defines personal settings and options, and it enables or disables certain access features.
Realm (Pulse Secure only) - Specify the name of the authentication realm that you want to use. An
authentication realm is a grouping of authentication resources that the Pulse Secure connection type uses.
Custom XML - Specify any custom XML commands that configure the VPN connection.
Example for Pulse Secure:
<pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema>

Example for CheckPoint Mobile VPN:

<CheckPointVPN port="443" name="CheckPointSelfhost" sso="true" debug="3" />

Example for Dell SonicWALL Mobile Connect:

<MobileConnect><Compression>false</Compression><debugLogging>True</debugLogging><packetCapture>False</packetCapture>
</MobileConnect>

Example for F5 Edge Client:

<f5-vpn-conf><single-sign-on-credential /></f5-vpn-conf>

Refer to each manufacturer's VPN documentation for more information about how to write custom XML
commands.

Proxy settings
Automatically detect proxy settings - If your VPN server requires a proxy server for the connection, specify
whether you want devices to automatically detect the connection settings. For more information, see your
Windows Server documentation.
Automatic configuration script - Use a file to configure the proxy server. Enter the Proxy server URL (for
example http://proxy.contoso.com) which contains the configuration file.
Use proxy server - Enable this option if you want to manually enter the proxy server settings.
Address - Enter the proxy server address (as an IP address).
Port number - Enter the port number associated with the proxy server.
Bypass proxy for local addresses - If your VPN server requires a proxy server for the connection, select this
option if you do not want to use the proxy server for local addresses that you specify. For more information, see
your Windows Server documentation.
VPN settings for Windows Phone 8.1 devices in
Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE


Depending on the settings you choose, not all values in the list below will be configurable.

Base VPN settings


Apply all settings to Windows Phone 8.1 only - This is a setting you can configure in the classic Intune
portal. In the Azure portal, this setting cannot be changed. If this is set to Configured, any settings will only be
applied to Windows Phone 8.1 devices. If set to Not Configured, these settings will also apply to Windows 10
Mobile devices.
Connection name - Enter a name for this connection. End users will see this name when they browse their
device for the list of available VPN connections.
Authentication method - Choose how devices will authenticate to the VPN server from:
Certificates - Under Authentication certificate, choose a SCEP or PKCS certificate profile you previously created to authenticate the connection. For more details about certificate profiles, see How to configure certificates.
Username and password - End users must supply a username and password to log into the VPN server.
Servers - Add one or more VPN servers that devices will connect to.
Add - Opens the Add Row blade where you can specify the following information:
Description - Specify a descriptive name for the server like Contoso VPN server.
IP address or FQDN - Provide the IP address or fully qualified domain name of the VPN server
that devices will connect to. Examples: 192.168.1.1, vpn.contoso.com.
Default server - Enables this server as the default server that devices will use to establish the
connection. Make sure to set only one server as the default.
Import - Browse to a file containing a comma-separated list of servers in the format description, IP
address or FQDN, Default server. Choose OK to import these into the Servers list.
Export - Exports the list of servers to a comma-separated-values (csv) file.
Bypass VPN on company Wi-Fi network - Enable this option to specify that the VPN connection will not
be used when the device is connected to the company Wi-Fi network.
Bypass VPN on home Wi-Fi network - Enable this option to specify that the VPN connection will not be
used when the device is connected to a home Wi-Fi network.
Connection type - Select the VPN connection type from the following list of vendors:
Check Point Capsule VPN
Dell SonicWALL Mobile Connect
F5 Edge Client
Pulse Secure
Login group or domain (Dell SonicWALL Mobile Connect only) - Specify the name of the login group or
domain that you want to connect to.
Role (Pulse Secure only) - Specify the name of the user role that has access to this connection. A user role
defines personal settings and options, and it enables or disables certain access features.
Realm (Pulse Secure only) - Specify the name of the authentication realm that you want to use. An
authentication realm is a grouping of authentication resources that the Pulse Secure connection type uses.
DNS suffix search list - Add one or more DNS suffixes. Each DNS suffix that you specify will be searched when connecting to a website by using a short name. For example, if you specify the DNS suffixes domain1.contoso.com and domain2.contoso.com and visit the URL http://mywebsite, the names http://mywebsite.domain1.contoso.com and http://mywebsite.domain2.contoso.com will be searched.
Custom XML - Specify any custom XML commands that configure the VPN connection.
Example for Pulse Secure:

<pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema>

Example for CheckPoint Mobile VPN:

<CheckPointVPN port="443" name="CheckPointSelfhost" sso="true" debug="3" />

Example for Dell SonicWALL Mobile Connect:

<MobileConnect><Compression>false</Compression><debugLogging>True</debugLogging><packetCapture>False</packetCapture>
</MobileConnect>

Example for F5 Edge Client:

<f5-vpn-conf><single-sign-on-credential /></f5-vpn-conf>

Refer to each manufacturer's VPN documentation for more information about how to write custom XML
commands.
Split tunneling - Enable or Disable this option which lets devices decide which connection to use depending
on the traffic. For example, a user in a hotel will use the VPN connection to access work files, but use the hotel's
standard network for regular web browsing.

Proxy settings
Automatically detect proxy settings - If your VPN server requires a proxy server for the connection, specify
whether you want devices to automatically detect the connection settings. For more information, see your
Windows Server documentation.
Automatic configuration script - Use a file to configure the proxy server. Enter the Proxy server URL (for
example http://proxy.contoso.com) which contains the configuration file.
Use proxy server - Enable this option if you want to manually enter the proxy server settings.
Address - Enter the proxy server address (as an IP address).
Port number - Enter the port number associated with the proxy server.
Bypass proxy for local addresses - If your VPN server requires a proxy server for the connection, select this
option if you do not want to use the proxy server for local addresses that you specify. For more information, see
your Windows Server documentation.
VPN settings for Windows 10 devices in Microsoft
Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE


Depending on the settings you choose, not all values in the list below will be configurable.

Base VPN settings


Connection name - Enter a name for this connection. End users will see this name when they browse their
device for the list of available VPN connections.
Servers - Add one or more VPN servers that devices will connect to.
Add - Opens the Add Row blade where you can specify the following information:
Description - Specify a descriptive name for the server like Contoso VPN server.
IP address or FQDN - Provide the IP address or fully qualified domain name of the VPN server
that devices will connect to. Examples: 192.168.1.1, vpn.contoso.com.
Default server - Enables this server as the default server that devices will use to establish the
connection. Make sure to set only one server as the default.
Import - Browse to a file containing a comma-separated list of servers in the format description, IP
address or FQDN, Default server. Choose OK to import these into the Servers list.
Export - Exports the list of servers to a comma-separated-values (csv) file.
Connection type - Select the VPN connection type from the following list of vendors:
Pulse Secure
F5 Edge Client
Dell SonicWALL Mobile Connect
Check Point Capsule VPN
Automatic
IKEv2
L2TP
PPTP
Login group or domain (Dell SonicWALL Mobile Connect only) - Specify the name of the login group or domain
that you want to connect to.
Custom XML/EAP XML - Specify any custom XML commands that configure the VPN connection.
Example for Pulse Secure:

<pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema>

Example for CheckPoint Mobile VPN:


<CheckPointVPN port="443" name="CheckPointSelfhost" sso="true" debug="3" />

Example for Dell SonicWALL Mobile Connect:

<MobileConnect><Compression>false</Compression><debugLogging>True</debugLogging><packetCapture>False</packetCapture>
</MobileConnect>

Example for F5 Edge Client:

<f5-vpn-conf><single-sign-on-credential /></f5-vpn-conf>

Refer to each manufacturer's VPN documentation for more information about how to write custom XML
commands.
Split tunneling - Enable or Disable this option which lets devices decide which connection to use depending on
the traffic. For example, a user in a hotel will use the VPN connection to access work files, but use the hotel's
standard network for regular web browsing.
Split tunneling routes for this VPN connection - Add optional routes for third-party VPN providers. Specify
a destination prefix, and a prefix size for each.
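The Servers list on the Windows 8.1, Windows Phone 8.1 and Windows 10 pages can be filled from a comma-separated file in the order description, IP address or FQDN, Default server, and the text warns that only one server may be the default. The following added example (not code from the original page or from Intune) validates such a file before it is imported. It assumes there is no header row and that the default flag is written as True or False; both are this example's assumptions, and the server rows are constructed.

```python
"""Validate a VPN server-list CSV before importing it through Servers > Import.
Added example. Column order (description, IP address or FQDN, Default server) is
the one the settings page states; the absence of a header row and the True/False
spelling of the default flag are assumptions of this example."""
import csv
import io
import ipaddress
import re
from typing import Dict, List, Tuple

# Hostname labels: 1-63 letters, digits or hyphens, no leading or trailing hyphen,
# at least one dot, 253 characters in total at most.
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?!-)(?:[a-z0-9-]{1,63}(?<!-)\.)+[a-z0-9-]{1,63}(?<!-)$", re.I)


def is_ip_or_fqdn(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(FQDN_RE.match(value))


def validate_server_list(csv_text: str) -> Tuple[List[Dict[str, object]], List[str]]:
    """Return (servers, errors). servers is the parsed list; errors is empty when
    the file is safe to import."""
    servers: List[Dict[str, object]] = []
    errors: List[str] = []
    seen = set()
    defaults = 0
    for line_no, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not any(cell.strip() for cell in row):
            continue                                   # blank line
        if len(row) != 3:
            errors.append(f"line {line_no}: expected 3 fields, found {len(row)}")
            continue
        description, address, default = (cell.strip() for cell in row)
        if not description:
            errors.append(f"line {line_no}: empty description")
        if not is_ip_or_fqdn(address):
            errors.append(f"line {line_no}: {address!r} is not an IP address or FQDN")
        if address.lower() in seen:
            errors.append(f"line {line_no}: duplicate server {address!r}")
        seen.add(address.lower())
        if default.lower() not in ("true", "false"):
            errors.append(f"line {line_no}: default flag must be True or False, found {default!r}")
        is_default = default.lower() == "true"
        defaults += int(is_default)
        servers.append({"description": description, "address": address, "default": is_default})
    if servers and defaults != 1:
        errors.append(f"exactly one default server is required, found {defaults}")
    return servers, errors


# Constructed sample files.
GOOD_CSV = "Contoso VPN server,vpn.contoso.com,True\nContoso VPN backup,192.168.1.1,False\n"
BAD_CSV = ("Contoso VPN server,vpn.contoso.com,True\n"
           "Backup,vpn2.contoso.com,True\n"          # second default
           "Typo,vpn_3.contoso.com,False\n")         # underscore is not valid in a hostname

if __name__ == "__main__":
    for text in (GOOD_CSV, BAD_CSV):
        servers, errors = validate_server_list(text)
        print(len(servers), "servers;", errors or "no errors")
```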

Apps and Traffic Rules


Restrict VPN connection to these apps - Enable this option if you only want apps you specify to use the VPN connection.
Associated Apps - Provide a list of apps that will automatically use the VPN connection. The type of app determines the app identifier: for a universal app, provide the package family name; for a desktop app, provide the file path of the app.

IMPORTANT
We recommend that you secure all lists of apps that you compile for use in configuration of per-app VPN. If an unauthorized
user modifies your list and you import it into the per-app VPN app list, you will potentially authorize VPN access to apps that
should not have access. One way you can secure app lists is by using an access control list (ACL).

Network traffic rules for this VPN connection - Select which protocols, and which local and remote port and
address ranges, will be enabled for the VPN connection. If you do not create a network traffic rule, all protocols,
ports, and address ranges are enabled. After you create a rule, the VPN connection will use only the protocols,
ports, and address ranges that you specify in that rule.
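The two settings above each have a detail that is easy to get wrong in a hand-built list: the Associated Apps identifier takes a different form for universal and desktop apps, and network traffic rules switch the connection from allow-everything to allow-only-what-matches the moment the first rule exists. The following added example (not code from the original page or from Intune) checks both: it classifies app identifiers and evaluates constructed traffic rules against constructed flows. The package family name and file path used as samples are illustrative.

```python
"""Checks for the Windows 10 per-app VPN settings above. Added example: classify the
app identifiers that go in the Associated Apps list, and evaluate network traffic
rules with the documented default (no rule means every protocol, port and address
range is enabled). Identifiers, rules and flows are constructed samples."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Package family name: <PackageName>_<PublisherId>. The publisher ID is a 13-character
# base32 hash using digits and lower-case letters other than i, l, o and u.
PFN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]{0,48}[A-Za-z0-9]_[0-9a-hj-km-np-tv-z]{13}$")
# Desktop app: a Windows path to an executable, starting with a drive letter or an
# environment variable such as %ProgramFiles%.
DESKTOP_RE = re.compile(
    r'^(?:[A-Za-z]:\\|%[A-Za-z0-9_()]+%\\)(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]+\.exe$', re.I)


def classify_app(identifier: str) -> str:
    """Return 'universal', 'desktop' or 'invalid' for one Associated Apps entry."""
    if PFN_RE.match(identifier):
        return "universal"
    if DESKTOP_RE.match(identifier):
        return "desktop"
    return "invalid"


@dataclass
class TrafficRule:
    protocol: Optional[int] = None                                   # IANA number (6 TCP, 17 UDP); None = any
    local_ports: List[Tuple[int, int]] = field(default_factory=list)   # inclusive ranges; empty = any
    remote_ports: List[Tuple[int, int]] = field(default_factory=list)
    remote_ranges: List[str] = field(default_factory=list)           # CIDR strings; empty = any


def _port_in(ranges: List[Tuple[int, int]], port: int) -> bool:
    return not ranges or any(lo <= port <= hi for lo, hi in ranges)


def _addr_in(ranges: List[str], ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not ranges or any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def rule_matches(rule: TrafficRule, protocol: int, local_port: int, remote_port: int, remote_ip: str) -> bool:
    return ((rule.protocol is None or rule.protocol == protocol)
            and _port_in(rule.local_ports, local_port)
            and _port_in(rule.remote_ports, remote_port)
            and _addr_in(rule.remote_ranges, remote_ip))


def flow_uses_vpn(rules: List[TrafficRule], protocol: int, local_port: int, remote_port: int, remote_ip: str) -> bool:
    """No rules: everything is enabled. With rules: only flows matching at least one
    rule go through the VPN connection."""
    if not rules:
        return True
    return any(rule_matches(r, protocol, local_port, remote_port, remote_ip) for r in rules)


# Constructed samples.
APPS = ["Microsoft.WindowsCalculator_8wekyb3d8bbwe",      # universal app
        r"%ProgramFiles%\Contoso\ContosoClient.exe",       # desktop app (assumed path)
        "ContosoClient.exe"]                               # bare file name: not a valid identifier
RULES = [TrafficRule(protocol=6, remote_ports=[(443, 443)], remote_ranges=["10.0.0.0/8"]),
         TrafficRule(protocol=17, remote_ports=[(53, 53)], remote_ranges=["10.0.0.53/32"])]

if __name__ == "__main__":
    for app in APPS:
        print(app, "->", classify_app(app))
    print("TCP 443 to 10.1.2.3:", flow_uses_vpn(RULES, 6, 50000, 443, "10.1.2.3"))   # True
    print("TCP 443 to 8.8.8.8:", flow_uses_vpn(RULES, 6, 50000, 443, "8.8.8.8"))      # False
```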

Conditional Access
Conditional access for this VPN connection -
Single sign-on (SSO) with alternate certificate -
Extended key usage -
Issuer hash -

DNS Settings
DNS names and servers for this VPN connection - Select which DNS servers the VPN connection will use after the connection is established. For each server, specify:
DNS Name
DNS Server
Proxy
Proxy settings
Automatically detect proxy settings - If your VPN server requires a proxy server for the connection, specify
whether you want devices to automatically detect the connection settings. For more information, see your
Windows Server documentation.
Automatic configuration script - Use a file to configure the proxy server. Enter the Proxy server URL (for
example http://proxy.contoso.com) which contains the configuration file.
Use proxy server - Enable this option if you want to manually enter the proxy server settings.
Address - Enter the proxy server address (as an IP address).
Port number - Enter the port number associated with the proxy server.
Bypass proxy for local addresses - If your VPN server requires a proxy server for the connection, select this
option if you do not want to use the proxy server for local addresses that you specify. For more information, see
your Windows Server documentation.
How to configure Wi-Fi settings in Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE


Use Microsoft Intune Wi-Fi profiles to assign wireless network settings to users and devices in your organization.
When you assign a Wi-Fi profile, your users will have access to your corporate Wi-Fi network without having to
configure it themselves.
For example, you install a new Wi-Fi network named Contoso Wi-Fi and want to set up all iOS devices to connect
to this network. Here's the process:
1. Create a Wi-Fi profile containing the settings necessary to connect to the Contoso Wi-Fi wireless network.
2. Assign the profile to a group containing all users of iOS devices.
3. Users find the new Contoso Wi-Fi network in the list of wireless networks on their device and can easily connect
to it.
Wi-Fi profiles support the following device platforms:
Android 4 and later
Android for Work
iOS 8.0 and later
macOS (Mac OS X 10.9 and later)
For devices running Windows 8.1, Windows 10, and Windows 10 Mobile, you can import a Wi-Fi configuration
that was previously exported from another device.
Use the information in this topic to learn the basics about configuring a Wi-Fi profile, and then read further topics
for each platform to learn about device specifics.

Create a device profile containing Wi-Fi settings


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the profiles blade, choose Create Profile.
6. On the Create Profile blade, enter a Name and Description for the Wi-Fi profile.
7. From the Platform drop-down list, select the device platform to which you want to apply Wi-Fi settings.
Currently, you can choose one of the following platforms for Wi-Fi settings:
Android
Android for Work
iOS
macOS
Windows 8.1 and later (import a profile)
8. From the Profile type drop-down list, choose Wi-Fi basic or Wi-Fi enterprise.

TIP
Use Wi-Fi basic to supply basic features like the network name and the SSID. Wi-Fi enterprise lets you supply more advanced information, like the Extensible Authentication Protocol (EAP) settings, if your Wi-Fi network uses them. Wi-Fi import (for Windows 8.1 and Windows 10) lets you import Wi-Fi settings as an XML file that you previously exported from a different device.

9. Depending on the platform you chose, the settings you can configure will be different. Go to one of the
following topics for detailed settings for each platform:
Android and Android for Work settings
iOS settings
macOS settings
Windows 8.1 and later settings (import a profile)
10. When you're done, go back to the Create Profile blade, and hit Create.
The profile will be created and appears on the profiles list blade. If you want to go ahead and assign this profile to
groups, see How to assign device profiles.
Wi-Fi settings for Android and Android for Work
devices in Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE


Wi-Fi settings for basic and enterprise profiles


The following Wi-Fi settings are available for both Android and Android for Work devices:
Network name - Enter a name for this Wi-Fi connection. This is the name that users will see when they browse
the list of available connections on their device.
SSID - Short for service set identifier. This is the real name of the wireless network that devices will connect to.
However, users only see the network name you created above when they choose the connection.
Connect automatically - Makes the device connect whenever it is in the range of this network.
Hidden network - Prevents this network from being shown in the list of available networks on the device.

Wi-Fi settings for enterprise profiles only


EAP type - Choose the Extensible Authentication Protocol (EAP) type used to authenticate secured wireless
connections from:
EAP-TLS
EAP-TTLS
PEAP
Further options when you choose an EAP type

Server Trust

Certificate server names - Specify one or more common names used in the certificates issued by your trusted certificate authority (CA). If you provide this information, you can bypass the dynamic trust dialog that is displayed on end users' devices when they connect to this Wi-Fi network. Use when: EAP type is EAP-TLS or EAP-TTLS.
Root certificate for server validation - Choose the trusted root certificate profile used to authenticate the connection. Use when: EAP type is EAP-TLS, EAP-TTLS, or PEAP.
Identity privacy (outer identity) - Specify the text sent in response to an EAP identity request. This text can be any value. During authentication, this anonymous identity is sent first, and the real identity is then sent inside a secure tunnel. Use when: EAP type is PEAP.
Supplying both the root certificate and the expected server names is what lets the device reject a rogue access point that presents a certificate from another CA or for another name; leaving that decision to the user's trust dialog defeats the check.

Client Authentication

Client certificate for client authentication (Identity certificate) - Choose the SCEP or PKCS certificate profile used to authenticate the connection. Use when: EAP type is EAP-TLS.
Authentication method - Select the authentication method for the connection. Use when: EAP type is EAP-TTLS or PEAP. Choose from:
Certificates - Select the SCEP or PKCS client certificate profile that is the identity certificate presented to the server.
Username and Password - Specify a different method for authentication. If you selected Username and Password, configure:
Non-EAP method (inner identity) - Select how you will authenticate the connection from: None, Unencrypted password (PAP), Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP (MS-CHAP), or Microsoft CHAP Version 2 (MS-CHAP v2). The available options depend on the EAP type you selected. The inner credential is protected only by the outer TLS tunnel, which is why the server trust settings above matter for every inner method.
Identity privacy (outer identity) - Specify the text sent in response to an EAP identity request. This text can be any value. During authentication, this anonymous identity is sent first, and the real identity is then sent inside a secure tunnel.
Wi-Fi settings for iOS devices in Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE


Wi-Fi settings for basic and enterprise profiles


Network name - Enter a name for this Wi-Fi connection. This is the name that users will see when they browse
the list of available connections on their device.
SSID - Short for service set identifier. This is the real name of the wireless network that devices will connect to.
However, users only see the network name you created above when they choose the connection.
Connect automatically - Makes the device connect whenever it is in the range of this network.
Hidden network - Prevents this network from being shown in the list of available networks on the device.
Proxy settings - Choose from:
None - No proxy settings will be configured.
Manual - Enter the Proxy server address (as an IP address), and its associated Port number.
Automatic - Use a file to configure the proxy server. Enter the Proxy server URL (for example
http://proxy.contoso.com) which contains the configuration file.

Wi-Fi settings for basic profiles only


Security type - Select the security protocol used to authenticate to the Wi-Fi network from:
Open (no authentication) - Only use this option if the network is unsecured.
WPA/WPA2 - Personal
WEP - Legacy option. WEP's encryption has long been broken and its key can be recovered from captured traffic, so use it only for a network that cannot be moved to WPA2.

Wi-Fi settings for enterprise profiles only


EAP type - Choose the Extensible Authentication Protocol (EAP) type used to authenticate secured wireless connections from:
EAP-FAST
EAP-SIM
EAP-TLS
EAP-TTLS
LEAP
PEAP
Of these, EAP-TLS with a client certificate gives the strongest client authentication. LEAP is a legacy Cisco method whose password exchange is open to offline dictionary attack; keep it only where nothing else is supported.
Further options when you choose an EAP type

Protected Access Credential (PAC) Settings - Select to use protected access credentials to establish an authenticated tunnel between the client and the authentication server. Use when: EAP type is EAP-FAST. Select one of:
Use PAC - Use an existing PAC file if one is present on the device.
Use and Provision PAC - Provision the PAC file to your devices.
Use and Provision PAC Anonymously - Provision the PAC file to your devices without authenticating the server. Because the server is not authenticated during provisioning, a rogue access point can hand the device a PAC of its own; use this option only on a network that cannot do authenticated provisioning.

Server Trust

Certificate server names - Specify one or more common names used in the certificates issued by your trusted certificate authority (CA). If you provide this information, you can bypass the dynamic trust dialog that is displayed on end users' devices when they connect to this Wi-Fi network. Use when: EAP type is EAP-TLS, EAP-TTLS, or PEAP.
Root certificate for server validation - Choose the trusted root certificate profile used to authenticate the connection. Use when: EAP type is EAP-TLS, EAP-TTLS, or PEAP.
Identity privacy (outer identity) - Specify the text sent in response to an EAP identity request. This text can be any value. During authentication, this anonymous identity is sent first, and the real identity is then sent inside a secure tunnel. Use when: EAP type is PEAP.

Client Authentication

Client certificate for client authentication (Identity certificate) - Choose the SCEP or PKCS certificate profile used to authenticate the connection. Use when: EAP type is EAP-TLS.
Authentication method - Select the authentication method for the connection. Use when: EAP type is EAP-TTLS or PEAP. Choose from:
Certificates - Select the SCEP or PKCS client certificate profile that is the identity certificate presented to the server.
Username and Password - Specify a different method for authentication. If you selected Username and Password, configure:
Non-EAP method (inner identity) - Select how you will authenticate the connection from: None, Unencrypted password (PAP), Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP (MS-CHAP), or Microsoft CHAP Version 2 (MS-CHAP v2). The available options depend on the EAP type you selected.
Identity privacy (outer identity) - Specify the text sent in response to an EAP identity request. This text can be any value. During authentication, this anonymous identity is sent first, and the real identity is then sent inside a secure tunnel.
Wi-Fi settings for macOS devices in Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE


Wi-Fi settings for basic and enterprise profiles


Network name - Enter a name for this Wi-Fi connection. This is the name that users will see when they browse
the list of available connections on their device.
SSID - Short for service set identifier. This is the real name of the wireless network that devices will connect to.
However, users only see the network name you created above when they choose the connection.
Connect automatically - Makes the device connect whenever it is in the range of this network.
Hidden network - Prevents this network from being shown in the list of available networks on the device.
Proxy settings - Choose from:
None - No proxy settings will be configured.
Manual - Enter the Proxy server address (as an IP address), and its associated Port number.
Automatic - Use a file to configure the proxy server. Enter the Proxy server URL (for example
http://proxy.contoso.com) which contains the configuration file.

Wi-Fi settings for basic profiles only


Security type - Select the security protocol used to authenticate to the Wi-Fi network from:
Open (no authentication) - Only use this option if the network is unsecured.
WPA/WPA2 - Personal
WEP - Legacy option. WEP's encryption has long been broken and its key can be recovered from captured traffic, so use it only for a network that cannot be moved to WPA2.

Wi-Fi settings for enterprise profiles only


EAP type - Choose the Extensible Authentication Protocol (EAP) type used to authenticate secured wireless connections from:
EAP-FAST
EAP-SIM
EAP-TLS
EAP-TTLS
LEAP
PEAP
Of these, EAP-TLS with a client certificate gives the strongest client authentication. LEAP is a legacy Cisco method whose password exchange is open to offline dictionary attack; keep it only where nothing else is supported.
Further options when you choose an EAP type

Protected Access Credential (PAC) Settings - Select to use protected access credentials to establish an authenticated tunnel between the client and the authentication server. Use when: EAP type is EAP-FAST. Select one of:
Use PAC - Use an existing PAC file if one is present on the device.
Use and Provision PAC - Provision the PAC file to your devices.
Use and Provision PAC Anonymously - Provision the PAC file to your devices without authenticating the server. Because the server is not authenticated during provisioning, a rogue access point can hand the device a PAC of its own; use this option only on a network that cannot do authenticated provisioning.

Server Trust

Certificate server names - Specify one or more common names used in the certificates issued by your trusted certificate authority (CA). If you provide this information, you can bypass the dynamic trust dialog that is displayed on end users' devices when they connect to this Wi-Fi network. Use when: EAP type is EAP-TLS, EAP-TTLS, or PEAP.
Root certificate for server validation - Choose the trusted root certificate profile used to authenticate the connection. Use when: EAP type is EAP-TLS, EAP-TTLS, or PEAP.
Identity privacy (outer identity) - Specify the text sent in response to an EAP identity request. This text can be any value. During authentication, this anonymous identity is sent first, and the real identity is then sent inside a secure tunnel. Use when: EAP type is PEAP.

Client Authentication

Client certificate for client authentication (Identity certificate) - Choose the SCEP or PKCS certificate profile used to authenticate the connection. Use when: EAP type is EAP-TLS.
Authentication method - Select the authentication method for the connection. Use when: EAP type is EAP-TTLS or PEAP. Choose from:
Certificates - Select the SCEP or PKCS client certificate profile that is the identity certificate presented to the server.
Username and Password - Specify a different method for authentication. If you selected Username and Password, configure:
Non-EAP method (inner identity) - Select how you will authenticate the connection from: None, Unencrypted password (PAP), Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP (MS-CHAP), or Microsoft CHAP Version 2 (MS-CHAP v2). The available options depend on the EAP type you selected.
Identity privacy (outer identity) - Specify the text sent in response to an EAP identity request. This text can be any value. During authentication, this anonymous identity is sent first, and the real identity is then sent inside a secure tunnel.
How to import Wi-Fi settings for Windows 8.1 and
later devices in Microsoft Intune
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

For devices that run Windows 8.1 or Windows 10 desktop or mobile, you can import a Wi-Fi configuration profile
that was previously exported to a file.

Export Wi-Fi settings from a Windows device


In Windows, use the netsh wlan utility to export an existing Wi-Fi profile to an XML file readable by Intune. On a
Windows computer that already has the required Wi-Fi profile installed, follow this procedure.
1. Create a local folder for the exported Wi-Fi profiles, such as c:\WiFi.
2. Open a Command Prompt as an administrator.
3. Run the command netsh wlan show profiles, and note the name of the profile you'd like to export. In this
example, the profile name is WiFiName.
4. Run this command: netsh wlan export profile name="ProfileName" folder=c:\Wifi. This creates a Wi-Fi
profile file named Wi-Fi-WiFiName.xml in your target folder.
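Before importing the exported XML it is worth checking what it actually carries: which EAP method (the types the settings table above lists), whether the link security is current, and whether a pre-shared key came out machine-bound. The Python below is an added example, not part of the Intune documentation; the two WLANProfile documents embedded in it are constructed samples in the format netsh wlan export writes, and the key material value is a placeholder.

```python
import xml.etree.ElementTree as ET

# Namespaces used in the XML that `netsh wlan export profile` writes.
WLAN = "{http://www.microsoft.com/networking/WLAN/profile/v1}"
EAPCOMMON = "{http://www.microsoft.com/provisioning/EapCommon}"

# IANA EAP method type numbers for the EAP types the Intune Wi-Fi profile offers.
EAP_TYPES = {13: "EAP-TLS", 17: "LEAP", 18: "EAP-SIM", 21: "EAP-TTLS",
             25: "PEAP", 43: "EAP-FAST"}

# Constructed sample: a WPA2-Enterprise profile using PEAP (EAP type 25).
SAMPLE_PEAP = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>WiFiName</name>
  <SSIDConfig><SSID><name>WiFiName</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
      </EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>"""

# Constructed sample: a WPA2-Personal profile whose pre-shared key was exported in
# protected form (the netsh default), so the key material is a placeholder blob.
SAMPLE_PSK = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>GuestNet</name>
  <SSIDConfig><SSID><name>GuestNet</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2PSK</authentication>
      <encryption>AES</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
    <sharedKey>
      <keyType>passPhrase</keyType>
      <protected>true</protected>
      <keyMaterial>PLACEHOLDER-DPAPI-BLOB</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>"""


def _text(elem, path):
    """Stripped text of the first child matching path, or None if absent."""
    node = elem.find(path) if elem is not None else None
    return node.text.strip() if node is not None and node.text else None


def inspect_profile(xml_text):
    """Summarise the security settings of an exported WLAN profile and list
    what an administrator should fix before importing it into Intune."""
    root = ET.fromstring(xml_text)
    if root.tag != WLAN + "WLANProfile":
        raise ValueError("not a WLANProfile document: %s" % root.tag)
    security = root.find(WLAN + "MSM/" + WLAN + "security")
    if security is None:
        raise ValueError("profile has no MSM/security section")
    auth_enc = security.find(WLAN + "authEncryption")
    report = {
        "name": _text(root, WLAN + "name"),
        "ssid": _text(root, WLAN + "SSIDConfig/" + WLAN + "SSID/" + WLAN + "name"),
        "authentication": _text(auth_enc, WLAN + "authentication"),
        "encryption": _text(auth_enc, WLAN + "encryption"),
        "uses_8021x": _text(auth_enc, WLAN + "useOneX") == "true",
        "eap_type": None,
        "warnings": [],
    }
    warn = report["warnings"].append

    auth = (report["authentication"] or "").upper()
    enc = (report["encryption"] or "").upper()
    if auth in ("", "OPEN", "SHARED") or enc in ("", "NONE", "WEP"):
        warn("no or legacy link security (authentication=%s, encryption=%s)" % (auth, enc))
    elif auth in ("WPA", "WPAPSK") or enc == "TKIP":
        warn("WPA/TKIP is deprecated; use WPA2 with AES")

    if report["uses_8021x"]:
        # The outer EAP method type sits under OneX/EAPConfig/EapHostConfig/EapMethod.
        type_node = next(security.iter(EAPCOMMON + "Type"), None)
        type_text = (type_node.text or "").strip() if type_node is not None else ""
        if type_text.isdigit():
            report["eap_type"] = EAP_TYPES.get(int(type_text), "unknown(%s)" % type_text)
        else:
            warn("802.1X is enabled but the profile carries no EAP method")
        if report["eap_type"] == "LEAP":
            warn("LEAP is a legacy method; prefer PEAP or EAP-TLS with server validation")

    shared_key = security.find(WLAN + "sharedKey")
    if shared_key is not None:
        if _text(shared_key, WLAN + "protected") == "true":
            warn("key material is bound to the machine that exported it and will not "
                 "work on other devices")
        else:
            warn("key material is stored in clear text; restrict access to this file")
    return report
```

Run inspect_profile on the XML you exported in step 4 and resolve every warning before uploading the file on the Wi-Fi Basic blade.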

Import the Wi-Fi settings into Intune


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the profiles blade, click Create Profile.
6. On the Create Profile blade, enter a Name and Description for the Wi-Fi import profile.
7. From the Platform drop-down list, choose Windows 8.1 and later.
8. From the Profile type drop-down list, choose Wi-Fi import.
9. On the Wi-Fi Basic blade, configure the following:
Connection name Enter the name of the Wi-Fi connection. This name will be displayed to end users
when they browse available Wi-Fi networks.
Profile XML Click the browse button to select the XML file containing the Wi-Fi profile settings that you
want to import into Intune.
File contents Displays the XML code for the configuration profile you selected.
10. When you're done, go back to the Create Profile blade, and hit Create.
The profile will be created and appears on the profiles list blade.
How to configure Windows 10 edition upgrades in
Microsoft Intune
6/19/2017 2 min to read

APPLIES TO: INTUNE ON AZURE

Use the information in this topic to learn how to configure a Windows 10 edition upgrade profile. This profile lets
you automatically upgrade devices that run one of the following Windows 10 versions to a different edition:
Windows 10 Home
Windows 10 Holographic
Windows 10 Mobile
The following upgrade paths are supported:
From Windows 10 Pro to Windows 10 Enterprise
From Windows 10 Home to Windows 10 Education
From Windows 10 Mobile to Windows 10 Mobile Enterprise
From Windows 10 Holographic Pro to Windows 10 Holographic Enterprise

Before you start


Before you begin to upgrade devices to the latest version, you will need one of the following:
A product key that is valid to install the new version of Windows on all devices that you target with the policy
(for Windows 10 Desktop editions). You can use either Multiple Activation Keys (MAK) or Key Management
Server (KMS) keys. or A license file from Microsoft that contains the licensing information to install the new
version of Windows on all devices that you target with the policy (for Windows 10 Mobile and Windows 10
Holographic editions).
The Windows 10 devices that you target must be enrolled in Microsoft Intune. You cannot use the edition
upgrade policy with PCs that run the Intune PC client software.

Create a device profile containing edition upgrade settings


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the profiles blade, choose Create Profile.
6. On the Create Profile blade, enter a Name and Description for the edition upgrade profile.
7. From the Platform drop-down list, choose Windows 10 and later.
8. From the Profile type drop-down list, choose Edition upgrade.
9. On the Edition Upgrade blade, configure the following:
Edition to upgrade from - From the drop-down list, select the Windows 10 version that you want to
upgrade on devices.
Edition to upgrade to - From the drop-down list, select the version of Windows 10 Desktop, Windows
10 Holographic, or Windows 10 Mobile that you want to upgrade targeted devices to.
Product Key - Specify the product key that you obtained from Microsoft, which can be used to upgrade
all targeted Windows 10 Desktop devices.
After you create a policy that contains a product key, you cannot edit the product key later. This is
because the key is obscured for security reasons. To change the product key, you must enter the entire
key again.
License File - Choose Browse to select the license file you obtained from Microsoft that contains license
information for the Windows Holographic, or Windows 10 Mobile edition that you want to upgrade
targeted devices to.
10. When you're done, go back to the Create Profile blade, and hit Create.
The profile will be created and appears on the profiles list blade. If you want to go ahead and assign this profile to
groups, see How to assign device profiles.
Endpoint protection settings for Windows 10 and
later in Microsoft Intune
6/29/2017 5 min to read

APPLIES TO: INTUNE ON AZURE

The endpoint protection profile lets you control security features on Windows 10 devices, like BitLocker.
Use the information in this topic to learn how to create endpoint protection profiles.

Create an endpoint protection profile


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the profiles blade, choose Create Profile.
6. On the Create Profile blade, enter a Name and Description for the endpoint protection profile.
7. From the Platform drop-down list, select Windows 10 and later.
8. From the Profile type drop-down list, choose Endpoint protection.
9. On the Windows encryption blade, configure the settings you want. Use the details in this topic to help you
understand what each setting does. When you are finished, choose OK.
10. Go back to the Create Profile blade, and choose Create.
The profile is created and appears on the profiles list blade.

Endpoint protection profile settings reference


Windows Settings
Require devices to be encrypted (Desktop only) - If enabled, users are prompted to enable device
encryption. Additionally, they are asked to confirm that encryption from another provider has not been enabled.
If Windows encryption is turned on while another encryption method is active, the device might become
unstable.
Require Storage Card to be encrypted (mobile only) - Enable this setting to encrypt any removable storage
cards used by the device.
BitLocker base settings
Configure encryption methods - Enable this setting to configure encryption algorithms for operating system,
data, and removable drives.
Encryption for operating system drives - Choose the encryption method for operating system drives.
We recommend you use the XTS-AES algorithm.
Encryption for fixed data-drives - Choose the encryption method for fixed (built-in) data drives. We
recommend you use the XTS-AES algorithm.
Encryption for removable data-drives - Choose the encryption method for removable data drives. If
the removable drive is used with devices that are not running Windows 10, we recommend you use the
AES-CBC algorithm.
BitLocker OS drive settings
Require additional authentication at startup -
Block BitLocker on devices without a compatible TPM chip -
TPM startup - Configure whether the TPM chip is allowed, not allowed, or required.
TPM startup PIN - Configure whether using a startup PIN with the TPM chip is allowed, not allowed, or
required.
TPM startup key - Configure whether using a startup key with the TPM chip is allowed, not allowed, or
required.
TPM startup key and PIN - Configure whether using a startup key and PIN with the TPM chip is
allowed, not allowed, or required.
Minimum PIN Length - Enable this setting to configure a minimum length for the TPM startup PIN.
Minimum characters - Enter the number of characters required for the startup PIN from 4-20.
Enable OS drive recovery - Enable this setting to control how BitLocker-protected operating system drives are
recovered when the required start-up information is not available.
Allow certificate-based data recovery agent - Enable this setting if you want data recovery agents to
be used with BitLocker-protected operating system drives.
User creation of recovery password - Configure whether users are allowed, required, or not allowed
to generate a 48-digit recovery password.
User creation of recovery key - Configure whether users are allowed, required, or not allowed to
generate a 256-bit recovery key.
Hide recovery options in the BitLocker setup wizard - Enable this setting to prevent users from
seeing, or changing recovery options when they turn on BitLocker.
Save BitLocker recovery information to AD DS - Enables the storage of BitLocker recovery
information in Active Directory.
Configure storage of BitLocker recovery Information to AD DS - Configure what parts of BitLocker
recovery information are stored in Active Directory. Choose from:
Backup recovery passwords and key packages
Backup recovery passwords only
Require recovery information to be stored in AD DS before enabling BitLocker - Enable this
setting to stop users from turning on BitLocker unless the device is domain-joined, and BitLocker
recovery information is successfully stored in Active Directory.
Enable pre-boot recovery message and URL - Enable this setting to configure the message and URL that are
displayed on the pre-boot key recovery screen.
Pre-boot recovery message - Configure how the pre-boot recovery message displays to users. Choose
from:
Use default recovery message and URL
Use empty recovery message and URL
Use custom recovery message
Use custom recovery URL
BitLocker fixed data-drive settings
Deny write access to fixed data-drive not protected by BitLocker - If enabled, BitLocker protection must
be enabled on all fixed, or built-in data drives to be able to write to them.
Enable fixed drive recovery - Enable this setting to control how BitLocker-protected fixed drives are
recovered when the required start-up information is not available.
Allow data recovery agent - Enable this setting if you want data recovery agents to be used with
BitLocker-protected fixed drives.
User creation of recovery password - Configure whether users are allowed, required, or not allowed
to generate a 48-digit recovery password.
User creation of recovery key - Configure whether users are allowed, required, or not allowed to
generate a 256-bit recovery key.
Hide recovery options in the BitLocker setup wizard - Enable this setting to prevent users from
seeing, or changing recovery options when they turn on BitLocker.
Save BitLocker recovery information to AD DS - Enables the storage of BitLocker recovery
information in Active Directory.
Configure storage of BitLocker recovery Information to AD DS - Configure what parts of BitLocker
recovery information are stored in Active Directory. Choose from:
Backup recovery passwords and key packages
Backup recovery passwords only
Require recovery information to be stored in AD DS before enabling BitLocker - Enable this
setting to stop users from turning on BitLocker unless the device is domain-joined, and BitLocker
recovery information has been successfully stored in Active Directory.
BitLocker removable data-drive settings
Deny write access to removable data-drive not protected by BitLocker - Specify whether BitLocker
encryption is required for removable storage drives.
Block write access to devices configured in another organization - Specify whether removable
data drives that belong to another organization can be written to.
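Several of the settings above depend on each other: a minimum PIN length outside 4-20 is not accepted, requiring recovery information in AD DS before BitLocker can be enabled presupposes that saving to AD DS is turned on, and removable drives shared with older systems should use AES-CBC. The Python below is an added example, not Intune's own code: it lints a constructed dictionary that stands in for the values chosen on the Windows encryption blade, using the setting names listed here; the flag about pre-Windows 10 devices is an assumption of the example about the fleet, not an Intune setting.

```python
import copy

# Constructed profile keyed by the setting names on the Windows encryption blade.
# "Removable drives are used with pre-Windows 10 devices" is an assumption about
# the fleet, not an Intune setting; it drives the AES-CBC recommendation check.
SAMPLE_PROFILE = {
    "Encryption for operating system drives": "XTS-AES",
    "Encryption for fixed data-drives": "XTS-AES",
    "Encryption for removable data-drives": "XTS-AES",
    "Removable drives are used with pre-Windows 10 devices": True,
    "Block BitLocker on devices without a compatible TPM chip": True,
    "TPM startup": "required",
    "TPM startup PIN": "required",
    "Minimum characters": 3,
    "OS drive recovery": {
        "Allow data recovery agent": False,
        "User creation of recovery password": "not allowed",
        "User creation of recovery key": "not allowed",
        "Save BitLocker recovery information to AD DS": False,
        "Require recovery information to be stored in AD DS before enabling BitLocker": True,
    },
    "Fixed drive recovery": {
        "Allow data recovery agent": True,
        "User creation of recovery password": "required",
        "User creation of recovery key": "allowed",
        "Save BitLocker recovery information to AD DS": True,
        "Require recovery information to be stored in AD DS before enabling BitLocker": True,
    },
}


def _lint_recovery(label, rec, issues):
    """Checks shared by the OS drive and fixed data-drive recovery sections."""
    escrow = rec.get("Save BitLocker recovery information to AD DS", False)
    if rec.get("Require recovery information to be stored in AD DS before enabling BitLocker") and not escrow:
        issues.append("%s: recovery info is required in AD DS before BitLocker can be enabled, "
                      "but saving recovery info to AD DS is turned off" % label)
    no_password = rec.get("User creation of recovery password") == "not allowed"
    no_key = rec.get("User creation of recovery key") == "not allowed"
    if no_password and no_key and not rec.get("Allow data recovery agent") and not escrow:
        issues.append("%s: no recovery password, recovery key, data recovery agent or AD DS "
                      "escrow is allowed; a lost startup credential leaves the drive unrecoverable" % label)


def lint_bitlocker_profile(profile):
    """Return a list of configuration problems; an empty list means the profile is consistent."""
    issues = []
    if (profile.get("Block BitLocker on devices without a compatible TPM chip")
            and profile.get("TPM startup") == "not allowed"):
        issues.append("TPM startup is not allowed, yet BitLocker is blocked on devices without a "
                      "TPM: no device could enable BitLocker")
    pin = profile.get("TPM startup PIN", "allowed")
    min_len = profile.get("Minimum characters")
    if pin == "required" and min_len is None:
        issues.append("a TPM startup PIN is required but no Minimum PIN Length is configured")
    if min_len is not None and not (isinstance(min_len, int) and 4 <= min_len <= 20):
        issues.append("Minimum characters must be between 4 and 20, got %r" % (min_len,))
    if (profile.get("Encryption for removable data-drives", "").startswith("XTS-AES")
            and profile.get("Removable drives are used with pre-Windows 10 devices")):
        issues.append("removable drives shared with pre-Windows 10 devices should use AES-CBC, "
                      "which those systems can read, rather than XTS-AES")
    _lint_recovery("OS drive", profile.get("OS drive recovery", {}), issues)
    _lint_recovery("Fixed data-drive", profile.get("Fixed drive recovery", {}), issues)
    return issues


def corrected_profile(profile):
    """Apply the obvious fixes to a copy of the profile and return it."""
    fixed = copy.deepcopy(profile)
    fixed["Minimum characters"] = 6
    fixed["Encryption for removable data-drives"] = "AES-CBC"
    os_rec = fixed["OS drive recovery"]
    os_rec["Save BitLocker recovery information to AD DS"] = True
    os_rec["User creation of recovery password"] = "required"
    return fixed


if __name__ == "__main__":
    for issue in lint_bitlocker_profile(SAMPLE_PROFILE):
        print("-", issue)
    print("after fixes:", lint_bitlocker_profile(corrected_profile(SAMPLE_PROFILE)))
```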

Next steps
If you want to go ahead and assign this profile to groups, see How to assign device profiles.
How to configure Windows 10 education settings in
Microsoft Intune
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

Education profiles let you specify details that configure the Windows Take a Test app including account details, and
the test URL. When you configure this, the Take a Test app opens with the test you specify, and no other apps can
be run on the device until the test is complete.
Use the information in this topic to learn the basics about configuring education profiles.

Create a device profile containing education profile settings


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the profiles blade, choose Create Profile.
6. On the Create Profile blade, enter a Name and Description for the education profile.
7. From the Platform drop-down list, select Windows 10 and later.
8. From the Profile type drop-down list, choose Education profile.
9. Choose Settings > Configure, then, on the Take a Test blade, configure the following:
Account user name - Enter the user name of the account used with Take a Test. This can be a domain
account, an Azure Active Directory (AAD) account, or a local computer account.
Assessment URL - Provide the URL of the test you want users to take. For more information, see the
Take a Test documentation.
Screen monitoring - Specify whether you want to be able to monitor screen activity while users are
taking a test.
Text suggestion - Allow or block text suggestions while users are taking a test.
10. When you're done, go back to the Create Profile blade, and hit Create.
The profile will be created and appears on the profiles list blade. If you want to go ahead and assign this profile to
groups, see How to assign device profiles.
How to configure Intune settings for the iOS
Classroom app
6/29/2017 5 min to read

APPLIES TO: INTUNE ON AZURE

Introduction
Classroom is an app that helps teachers to guide learning, and control student devices in the classroom. For
example, using the app, a teacher can:
Open apps on student devices
Lock, and unlock the iPad screen
View the screen of a student iPad
Navigate students' iPads to a bookmark, or chapter in a book
Display the screen from a student iPad on an Apple TV
Use the Intune iOS Education device profile, and the information in this topic to help you set up the Classroom
app, and the devices on which you use it.

Before you start


Consider the following before you begin to configure these settings:
Both teacher and student iPads must be enrolled in Intune
Ensure that you have installed the Apple Classroom app on the teacher's device. You can either install the app
manually, or use Intune app management.
You must configure certificates to authenticate connections between teacher and student devices (see Step 2)
Teacher and student iPads must be on the same Wi-Fi network, and also have Bluetooth enabled
The Classroom app runs on supervised iPads running iOS 9.3 or later
In this release, Intune supports managing a 1:1 scenario where each student has their own dedicated iPad

Step 1 - Import your school data into Azure Active Directory


Use Microsoft's School Data Sync (SDS) to import school records from an existing Student Information System
(SIS) to Azure Active Directory (Azure AD). SDS synchronizes information from your SIS and stores it in Azure AD.
Azure AD is a Microsoft management system that helps you organize users and devices. You can then use this data
to help you manage your students and classes. Learn more about how to deploy SDS.
How to import data using SDS
You can import information into SDS by using one of the following methods:
CSV files - Manually export and compile comma-separated value (.csv) files
PowerSchool API - An SIS provider that simplifies syncing with Azure AD
Clever API - An identity management solution that syncs directly with Azure AD
OneRoster - A CSV format that you can export and convert to sync with Azure AD
Find out more
Find out more about the full experience of syncing on-premises school data to Azure AD
Find out more about Microsoft School Data Sync
Find out more about licensing in Azure Active Directory

Step 2 - Create and assign an iOS Education profile in Intune


Configure general settings
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Configure devices.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the profiles blade, choose Create Profile.
6. On the Create Profile blade, enter a Name and Description for the iOS education profile.
7. From the Platform drop-down list, choose iOS.
8. From the Profile type drop-down list, choose Education.
9. Choose Settings > Configure.
Next, you need certificates to establish a trust relationship between teacher and student iPads. Certificates are used
to seamlessly and silently authenticate connections between devices without having to enter user names and
passwords.

IMPORTANT
The teacher and student certificates you use must be issued by different certification authorities (CAs). You must create two
new subordinate CAs connected to your existing certificate infrastructure; one for teachers, and one for students.

iOS education profiles support only PFX certificates. SCEP certificates are not supported.
Certificates you create must support server authentication in addition to user authentication.
Configure teacher certificates
On the Education blade, choose Teacher certificates.
Configure teacher root certificate
Under Teacher root certificate, choose the browse button to select the teacher root certificate with the extension
.cer (DER, or Base64 encoded), or .P7B (with or without full chain).
Configure teacher PKCS#12 certificate
Under Teacher PKCS#12 certificate, configure the following values:
Subject name format - Intune automatically prefixes the certificate common name with leader, for the
teacher certificate, and member, for the student certificate.
Certification authority - An Enterprise Certification Authority (CA) that runs on an Enterprise edition of
Windows Server 2008 R2 or later. A Standalone CA is not supported.
Certification authority name - Enter the name of your certification authority.
Certificate template name - Enter the name of a certificate template that has been added to an issuing CA.
Renewal threshold (%) - Specify the percentage of the certificate lifetime that remains before the device
requests renewal of the certificate.
Certificate validity period - Specify the amount of remaining time before the certificate expires. You can
specify a value that is lower than the validity period in the specified certificate template, but not higher. For
example, if the certificate validity period in the certificate template is two years, you can specify a value of one
year but not a value of five years. The value must also be lower than the remaining validity period of the issuing
CA certificate.
When you have finished configuring certificates, choose OK.
Configure student certificates
1. On the Education blade, choose Student certificates.
2. On the Student certificates blade, from the Student device certificates type list, choose 1:1.
Configure student root certificate
Under Student root certificate, choose the browse button to select the student root certificate with the extension
.cer (DER, or Base64 encoded), or .P7B (with or without full chain).
Configure student PKCS#12 certificate
Under Student PKCS#12 certificate, configure the following values:
Subject name format - Intune automatically prefixes the certificate common name with leader, for the
teacher certificate, and member, for the student certificate.
Certification authority - An Enterprise Certification Authority (CA) that runs on an Enterprise edition of
Windows Server 2008 R2 or later. A Standalone CA is not supported.
Certification authority name - Enter the name of your certification authority.
Certificate template name - Enter the name of a certificate template that has been added to an issuing CA.
Renewal threshold (%) - Specify the percentage of the certificate lifetime that remains before the device
requests renewal of the certificate.
Certificate validity period - Specify the amount of remaining time before the certificate expires. You can
specify a value that is lower than the validity period in the specified certificate template, but not higher. For
example, if the certificate validity period in the certificate template is two years, you can specify a value of one
year but not a value of five years. The value must also be lower than the remaining validity period of the issuing
CA certificate.
When you are finished configuring certificates, choose OK.

Finish up
1. On the Education blade, choose OK.
2. On the Create Profile blade, choose Create.
The profile is created and appears on the profiles list blade.
Assign the profile to student devices in the classroom groups that were created when you synchronized your
school data with Azure AD (see How to assign device profiles).

Next steps
Now, when a teacher uses the Classroom app, they will have full control over student devices.
For more information about the Classroom app, see Classroom help, on the Apple web site.
If you want to configure shared iPad devices for students, see How to configure Intune education settings for
shared iPad devices.
How to configure Intune education settings for
shared iPad devices
6/29/2017 8 min to read

APPLIES TO: INTUNE ON AZURE

Introduction
Intune supports the iOS Classroom app that helps teachers to guide learning, and control student devices in the
classroom. In addition to the Classroom app, Apple supports the ability for student iPad devices to be configured
such that multiple students can share a single device. This document guides you to achieve this goal with Intune.
For information about configuring dedicated (1:1) iPad devices to use the Classroom app, see How to configure
Intune settings for the iOS Classroom app.

Before you start


The prerequisites to use the shared iPad capabilities are:
Set up Apple School Manager and School Data Sync (SDS).
As part of Apple School Manager setup, configure Managed Apple IDs for students. Learn more about Managed
Apple IDs.
Create an enrollment profile for the device serial numbers synced from Apple School Manager.

Step 1 - Import your school data into Azure Active Directory


Use Microsoft's School Data Sync (SDS) to import school records from an existing Student Information System
(SIS) to Azure Active Directory (Azure AD). SDS synchronizes information from your SIS and stores it in Azure AD.
Azure AD is a Microsoft management system that helps you organize users and devices. You can then use this data
to help you manage your students and classes. Learn more about how to deploy SDS.
How to import data using SDS
You can import information into SDS by using one of the following methods:
CSV files - Manually export and compile comma-separated value (.csv) files
PowerSchool API - An SIS provider that simplifies syncing with Azure AD
Clever API - An identity management solution that syncs directly with Azure AD
OneRoster - A CSV format that you can export and convert to sync with Azure AD
Find out more
Find out more about the full experience of syncing on-premises school data to Azure AD
Find out more about Microsoft School Data Sync
Find out more about licensing in Azure Active Directory

Step 2 - Create and assign an iOS Education profile in Intune


Configure general settings
1. Sign into the Azure portal.
2. Choose More Services > Other > Intune.
3. On the Intune blade, choose Configure devices.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the profiles blade, choose Create Profile.
6. On the Create Profile blade, enter a Name and Description for the iOS education profile.
7. From the Platform drop-down list, choose iOS.
8. From the Profile type drop-down list, choose Education.
9. Choose Settings > Configure.
Next, you need certificates to establish a trust relationship between teacher and student iPads. Certificates are used
to seamlessly and silently authenticate connections between devices without having to enter user names and
passwords.

IMPORTANT
The teacher and student certificates you use must be issued by different certificate authorities (CAs). You must create two
new subordinate CAs connected to your existing certificate infrastructure; one for teachers, and one for students.

iOS education profiles support only PFX certificates. SCEP certificates are not supported.
Certificates you create must support server authentication in addition to user authentication.
Configure teacher certificates
On the Education blade, choose Teacher certificates.
Configure teacher root certificate
Under Teacher root certificate, choose the browse button to select the teacher root certificate with the extension
.cer (DER, or Base64 encoded), or .P7B (with or without full chain).
Configure teacher PKCS#12 certificate
Under Teacher PKCS#12 certificate, configure the following values:
Subject name format - Intune automatically prefixes the certificate common name with leader, for the teacher
certificate, and member, for the student certificate.
Certification authority - An Enterprise Certification Authority (CA) that runs on an Enterprise edition of
Windows Server 2008 R2 or later. A Standalone CA is not supported.
Certification authority name - Enter the name of your certification authority.
Certificate template name - Enter the name of a certificate template that has been added to an issuing CA.
Renewal threshold (%) - Specify the percentage of the certificate lifetime that remains before the device
requests renewal of the certificate.
Certificate validity period - Specify the amount of remaining time before the certificate expires. You can
specify a value that is lower than the validity period in the specified certificate template, but not higher. For
example, if the certificate validity period in the certificate template is two years, you can specify a value of one
year but not a value of five years. The value must also be lower than the remaining validity period of the issuing
CA certificate.
When you have finished configuring teacher certificates, choose OK.
Configure student certificates
1. On the Education blade, choose Student certificates.
2. On the Student certificates blade, from the Student device certificates type list, choose Shared iPad.
Configure student root certificate
Under Device root certificate, choose the browse button to select the student root certificate with the extension
.cer (DER, or Base64 encoded), or .P7B (with or without full chain).
Configure device PKCS#12 certificate
Under Student PKCS#12 certificate, configure the following values:
Subject name format - Intune automatically prefixes the certificate common name with leader, for the teacher
certificate, and member, for the device certificate.
Certification authority - An Enterprise Certification Authority (CA) that runs on an Enterprise edition of
Windows Server 2008 R2 or later. A Standalone CA is not supported.
Certification authority name - Enter the name of your certification authority.
Certificate template name - Enter the name of a certificate template that has been added to an issuing CA.
Renewal threshold (%) - Specify the percentage of the certificate lifetime that remains before the device
requests renewal of the certificate.
Certificate validity period - Specify the amount of remaining time before the certificate expires. You can
specify a value that is lower than the validity period in the specified certificate template, but not higher. For
example, if the certificate validity period in the certificate template is two years, you can specify a value of one
year but not a value of five years. The value must also be lower than the remaining validity period of the issuing
CA certificate.
When you are finished configuring certificates, choose OK.
Complete Certificate Setup
1. On the Education blade, choose OK.
2. On the Create Profile blade, choose Create.
The profile is created and appears on the profiles list blade.

Step 3 - Create a device category


1. Sign into the Azure portal.
2. Choose More Services > Other > Intune.
3. On the Intune blade, choose Device enrollment.
4. On the Enrollment - Overview blade, choose Device Categories.
5. On the Enrollment - Device Categories blade, choose Create.
6. On the Create device category blade, enter a Name and Description for the category.
7. On the Create device category blade, choose Create.
The device category is created in the Enrollment Device Categories blade.

Step 4 - Create a dynamic group


1. Sign into the Azure portal.
2. Choose More Services > Other > Intune.
3. On the Intune blade, choose Groups.
4. On the Users and Groups All Groups blade, choose New Group.
5. On the Group blade, enter a Name and Description for the group.
6. From the Membership Type drop-down list, choose Dynamic Device.
7. Choose Dynamic device members to create membership rules.
8. On the Dynamic membership rules blade:
9. Select deviceCategory from the Add devices where drop-down list.
10. Choose Equals.
11. Enter the device category you created in the blank text box.
12. On the Dynamic membership rules blade, choose Add query.
13. On the Group blade, choose Create.
The dynamic group is created in the Users and Groups All Groups blade.

Step 5 - Assign a device to a category (Carts)


1. Sign into the Azure portal.
2. Choose More Services > Other > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices blade, choose All devices.
5. On the Devices All devices blade, choose a device.
6. On the device blade, choose Properties.
7. On the devices properties blade, enter the device category in the Device category text box.
8. On the device blade, choose Save.
The device is now associated with the device category. Repeat this process for all the devices you want to associate with
the device category you created.

Step 6 - Create classroom profiles


1. Sign into the Azure portal.
2. Choose More Services > Other > Intune.
3. On the Intune blade, choose Configure devices.
4. On the Device Configuration blade, choose Manage > Cart Profiles.
5. On the profiles blade, choose Create Profile.
6. On the Create Association blade, enter a Name and Description.
7. Choose Select Classes > Configure to associate groups to the Cart Profile.
8. Choose the classes to include in the Cart Profile, then choose Select.
9. Choose Select Carts > Configure to associate groups to the Cart Profile.
10. Choose the groups to include in the Cart Profile, then choose Select.
11. On the Create Association blade, choose Save to save the Cart Profile.
The profile is created and appears on the profiles list blade.

Step 7 - Assign the Cart Profile to Classes


1. Sign into the Azure portal.
2. Choose More Services > Other > Intune.
3. On the Intune blade, choose Configure devices.
4. On the Device Configuration blade, choose Monitor > Assignment status.
5. On the Assignment status blade, select the Cart Profile you created.
6. On the Cart Profile blade choose Assignments and then, under Include choose Select groups to include.
7. Select the classes you want the cart profile to target (do not select a group), then choose Select.
8. When you are finished, choose Save.
The assignment completes, and Intune deploys the Classroom profile to the targeted devices based on the
classroom assignment.

Next Steps
Now students can share devices: any student can pick up any iPad in a classroom, log in with a
PIN, and have it personalized with their content. For more information about Shared iPads, see the Apple website.
How to configure Windows Update for Business
settings with Microsoft Intune
6/19/2017 8 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

Introduction
Windows as a Service is the new way of providing updates for Windows 10. Starting with Windows 10, any new
Feature Updates and Quality Updates will contain the contents of all previous updates. This means that as long as
you've installed the latest update, you know that your Windows 10 devices are completely up-to-date. Unlike with
previous versions of Windows, you now must install the entire update instead of part of an update.
By using Windows Update for Business, you can simplify the update management experience so that you don't
need to approve individual updates for groups of devices. You can still manage risk in your environments by
configuring an update rollout strategy, and Windows Update will make sure that updates are installed at the right time.
Microsoft Intune provides the ability to configure update settings on devices and gives you the ability to defer
update installation. Intune doesn't store the updates, but only the update policy assignment. Devices access
Windows Update directly for the updates. Use Intune to configure and manage Windows 10 update rings. An
update ring contains a group of settings that configure when and how Windows 10 updates get installed. For
example, you can configure the following:
Windows 10 Servicing Branch: Choose whether you want groups of devices to receive updates from the
Current Branch or from the Current Branch for Business.
Deferral Settings: Configure update deferral settings to delay update installations for groups of devices. You
will then have a staged update rollout so that you can review progress along the way.
Pausing: Postpone the installation of updates if you discover an issue at any point during the update rollout.
Maintenance window: Configure the hours in which updates can be installed.
Update type: Choose the types of updates that get installed. For example, Quality Updates, Feature Updates, or
drivers.
Installation behavior: This configures how the update gets installed. For example, does the device
automatically restart after the installation?
Peer downloading: You can specify whether to configure peer downloading. If configured, when a device has
finished downloading an update, other devices can download the update from that device. This speeds up the
download process.
After you create update rings, you assign them to groups of devices. By using update rings, you can create an
update strategy that mirrors your business needs. For more information, see Manage updates using Windows
Update for Business.

Before you start


To update Windows 10 PCs, they must be running at least Windows 10 Pro with the Windows Anniversary
update.
Windows Update supports the following Windows 10 versions:
Windows 10
Windows 10 Team (for Surface Hub devices)
Devices running Windows 10 Mobile and Windows 10 Holographic are not supported.
On Windows devices, Feedback & diagnostics > Diagnostic and usage data must be set to at least
Basic.

You can configure this setting manually, or you can use an Intune device restriction profile for Windows 10
and later. To do this, configure the setting General > Diagnostic data submission to at least Basic. For
more information about device profiles, see How to configure device restriction settings.
In the classic Intune administration console, there are four settings that control software updates behavior.
These settings are part of the general configuration policy for Windows 10 desktop and Mobile devices:
Allow automatic updates
Allow pre-release features
Scheduled Install Day
Scheduled Install Time
The classic console also has a limited number of other Windows 10 updates settings in the device
configuration profile. If you have any of these settings configured in the classic Intune administration
console when you migrate to the Azure portal, we strongly recommend that you do the following:
1. Create Windows 10 update rings in the Azure portal with the settings that you need. The Allow pre-release
features setting is not supported in the Azure portal because it is no longer applicable to the latest
Windows 10 builds. You can configure the other three settings, as well as other Windows 10 updates
settings, when you create update rings.

NOTE
Windows 10 updates settings created in the classic console are not displayed in the Azure portal after migration.
However, these settings continue to be applied. If you have migrated any of these settings and edit the migrated
policy from the Azure portal, these settings will be removed from the policy.

2. Delete the update settings in the classic console. After you migrate to the Azure portal and add the same
settings to an update ring, you must delete the settings in the classic portal to avoid any potential policy
conflicts. For example, when the same setting is configured with different values there will be a conflict and
no easy way to know because the setting configured in the classic console does not display in the Azure
portal.

How to create and assign update rings


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Software Updates.
4. On the Software Updates blade, choose Manage > Windows 10 Update Rings.
5. On the blade showing the list of update rings, choose Create.
6. On the Create Update Ring blade, supply a name and optional description for the update ring, and then
choose Settings.
7. On the Settings blade, configure the following information:
Servicing branch: Set the branch for which the device will receive Windows updates (Current Branch or
Current Branch for Business).
Microsoft updates: Choose whether to scan for app updates from Microsoft Update.
Windows drivers: Choose whether to exclude Windows Update drivers during updates.
Automatic update behavior: Choose how to manage automatic update behavior to scan, download,
and install updates. For details, see Update/AllowAutoUpdate.
Quality update deferral period (days) - Specify the number of days for which quality updates will
be deferred. You can defer receiving these Quality Updates for a period of up to 30 days from their
release.
Quality Updates are generally fixes and improvements to existing Windows functionality and are
typically published the first Tuesday of every month, though can be released at any time by
Microsoft. You can define if, and for how long, you would like to defer receiving Quality Updates
following their availability.
Feature update deferral period (days) - Specify the number of days for which Feature Updates
will be deferred. You can defer receiving these Feature Updates for a period of 180 days from their
release.
Feature Updates are generally new features for Windows. After you configure the Servicing branch
setting (CB or CBB), you can then define if, and for how long, you would like to defer receiving
Feature Updates following their availability from Microsoft on Windows Update.
For example:
If the Servicing branch is set to CB and the deferral period is 30 days: Let's say that Feature
Update X is first publicly available on Windows Update as a CB in January. The device will not
receive the update until February - 30 days later.
If the Servicing branch is set to CBB and the deferral period is 30 days: Let's say the Feature
Update X is first publicly available on Windows Update as a CB in January. Four months later, in
April, Feature Update X is released to CBB. The device will receive the Feature Update 30 days
following this CBB release and will update in May.
Delivery optimization - Choose the method by which devices will download Windows updates.
For details, see DeliveryOptimization/DODownloadMode.
8. Once you are done, click OK, and then on the Create Update Ring blade, click Create.
The new update ring is displayed in the list of update rings.
1. To assign the ring, in the list of update rings, select a ring, and then on the <ring name> tab, choose
Assignments.
2. On the next tab, choose Select groups, and then choose the groups to which you want to assign this ring.
3. Once you are done, choose Select to complete the assignment.

Update compliance reporting


You can monitor Windows 10 update rollouts by using a free solution in the Operations Management Suite (OMS)
called Update Compliance. For details, see Monitor Windows Updates with Update Compliance. When you use this
solution, you can deploy a commercial ID to any of your Intune managed Windows 10 devices for which you want
to report update compliance.
In the Intune console, you can use the OMA-URI settings of a custom policy to configure the commercial ID. For
details, see Intune policy settings for Windows 10 devices in Microsoft Intune.
The OMA-URI (case sensitive) path for configuring the commercial ID is:
./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID
For example, you can use the following values in Add or edit OMA-URI Setting:
Setting Name: Windows Analytics Commercial ID
Setting Description: Configuring commercial id for Windows Analytics solutions
Data Type: String
OMA-URI (case sensitive): ./Vendor/MSFT/DMClient/Provider/MS DM Server/CommercialID
Value: <Use the GUID shown on the Windows Telemetry tab in your OMS workspace>

How to pause updates


You can pause a device from receiving Feature Updates or Quality Updates for a period of up to 35 days from the
time you pause the updates. After the maximum days have passed, pause functionality will automatically expire
and the device will scan Windows Updates for applicable updates. Following this scan, you can pause the updates
again.
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Software Updates.
4. On the Software Updates blade, choose Manage > Windows 10 Update Rings.
5. On the blade showing the list of update rings, choose the ring you want to pause, and then choose ... > Pause
Quality or Pause Feature, depending on the type of updates you want to pause.

IMPORTANT
When you issue a pause command, devices receive this command when they next check into the service. It's possible that
before they check in, they might install a scheduled update. Additionally, if a targeted device is turned off when you issue the
pause command, when you turn it on, it might download and install scheduled updates before it checks in with Intune.
How to configure certificates in Microsoft Intune
6/19/2017 4 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

When you give users access to corporate resources through VPN, Wi-Fi, or email profiles, you can authenticate
these connections by using certificates. These remove the need to enter user names and passwords to
authenticate connections.
You can use Intune to assign these certificates to devices you manage. Intune supports assigning and managing
these certificate types:
Simple Certificate Enrollment Protocol (SCEP)
PKCS#12 (or PFX)
Each of these certificate types has its own prerequisites and infrastructure requirements.

General workflow
1. Ensure you have the right certificate infrastructure in place. You can use SCEP certificates, and PKCS
certificates.
2. Install a root certificate or an intermediate Certification Authority (CA) certificate on each device so that the
device recognizes the legitimacy of your CA. To do this, create and assign a trusted certificate profile.
When you assign this profile, the devices that you manage with Intune will request and receive the root
certificate. You have to create a separate profile for each platform. Trusted certificate profiles are available for
these platforms:
iOS 8.0 and later
macOS 10.9 and later
Android 4.0 and later
Android for Work
Windows 8.1 and later
Windows Phone 8.1 and later
Windows 10 and later
3. Create certificate profiles so that devices request a certificate to be used for authentication of VPN, Wi-Fi,
and email access. You can create and assign a PKCS or a SCEP certificate profile for devices running these
platforms:
iOS 8.0 and later
Android 4.0 and later
Android for Work
Windows 10 (desktop and mobile) and later
You can only use a SCEP certificate profile with these platforms:
macOS 10.9 and later
Windows Phone 8.1 and later
You must create a separate profile for each device platform. When you create the profile, associate it with the
trusted root certificate profile that you've already created.
Further considerations
If you don't have an Enterprise Certification Authority, you must create one.
If you decide, based on your device platforms, to use the Simple Certificate Enrollment Protocol (SCEP)
profile, you'll also need to configure a Network Device Enrollment Service (NDES) server.
Whether you plan to use SCEP or PKCS profiles, you must download and configure the Microsoft Intune
Certificate Connector.

Step 1 - Configure your certificate infrastructure


See one of the following topics for help configuring the infrastructure for each type of certificate profile:
Configure and manage SCEP certificates with Intune
Configure and manage PKCS certificates with Intune

Step 2 - Export your trusted root CA certificate


Export the Trusted Root Certification Authorities (CA) certificate as a .cer file from the issuing CA, or from any
device that trusts your issuing CA. Do not export the private key.
You'll import this certificate when you set up a trusted certificate profile.

Step 3: Create trusted certificate profiles


You must create a trusted certificate profile before you can create a SCEP or PKCS certificate profile. You need a
trusted certificate profile and a SCEP or PKCS profile for each device platform. The flow for creating trusted
certificates is similar for each device platform.
To create a trusted certificate profile
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the profiles blade, choose Create Profile.
6. On the Create Profile blade, enter a Name and Description for the trusted certificate profile.
7. From the Platform drop-down list, select the device platform for this trusted certificate. Currently, you can
choose one of the following platforms for certificate settings:
Android
iOS
macOS
Windows Phone 8.1
Windows 8.1 and later
Windows 10 and later
8. From the Profile type type drop-down list, choose Trusted certificate.
9. Browse to the trusted root CA certificate (.cer file) you exported in Step 2, then click OK.
10. For Windows 8.1 and Windows 10 devices only, select the Destination Store for the trusted certificate from:
Computer certificate store - Root
Computer certificate store - Intermediate
User certificate store - Intermediate
11. When you're done, choose OK, go back to the Create Profile blade, and hit Create.
The profile is created and appears on the profiles list blade.
If you want to go ahead and assign this profile to groups, see How to assign device profiles.

NOTE
Android devices will display a notice that a third party has installed a trusted certificate.

Step 4: Create SCEP or PKCS certificate profiles


See one of the following topics for help configuring and assigning each type of certificate profile:
Configure and manage SCEP certificates with Intune
Configure and manage PKCS certificates with Intune
After you create a trusted certificate profile, create SCEP or PKCS certificate profiles for each platform you want
to use. When you create a SCEP certificate profile, you must specify a trusted certificate profile for that same
platform. This links the two certificate profiles, but you still must assign each profile separately.

Next steps
See How to assign device profiles for general information about how to assign device profiles.
Configure and manage SCEP certificates with Intune
6/28/2017 18 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

This topic shows how to configure your infrastructure, then create and assign Simple Certificate Enrollment
Protocol (SCEP) certificate profiles with Intune.

Configure on-premises infrastructure


Active Directory domain: All servers listed in this section (except for the Web Application Proxy Server)
must be joined to your Active Directory domain.
Certification Authority (CA): An Enterprise Certification Authority (CA) that runs on an Enterprise edition
of Windows Server 2008 R2 or later. A Standalone CA is not supported. For details, see Install the
Certification Authority. If your CA runs Windows Server 2008 R2, you must install the hotfix from
KB2483564.
NDES Server: On a server that runs Windows Server 2012 R2 or later, you must set up the Network
Device Enrollment Service (NDES). Intune does not support using NDES when it runs on a server that also
runs the Enterprise CA. See Network Device Enrollment Service Guidance for instructions on how to
configure Windows Server 2012 R2 to host the Network Device Enrollment Service. The NDES server must
be domain joined to the domain that hosts the CA, and not be on the same server as the CA. More
information about deploying the NDES server in a separate forest, isolated network or internal domain can
be found in Using a Policy Module with the Network Device Enrollment Service.
Microsoft Intune Certificate Connector: Use the Intune portal to download the Certificate Connector
installer (ndesconnectorssetup.exe). Then you can run ndesconnectorssetup.exe on the computer
where you want to install the Certificate Connector.
Web Application Proxy Server (optional): Use a server that runs Windows Server 2012 R2 or later as a
Web Application Proxy (WAP) server. This configuration:
Allows devices to receive certificates using an Internet connection.
Is a security recommendation when devices connect through the Internet to receive and renew
certificates.
NOTE
The server that hosts WAP must install an update that enables support for the long URLs that are used by the
Network Device Enrollment Service. This update is included with the December 2014 update rollup, or individually
from KB3011135.
Also, the server that hosts WAP must have an SSL certificate that matches the name being published to external
clients, and must trust the SSL certificate that is used on the NDES server. These certificates enable the WAP server
to terminate the SSL connection from clients and create a new SSL connection to the NDES server. For
information about certificates for WAP, see the Plan certificates section of Planning to Publish Applications
Using Web Application Proxy. For general information about WAP servers, see Working with Web Application
Proxy.

Network requirements
From the Internet to the perimeter network, allow port 443 from all hosts/IP addresses on the Internet to the NDES
server.
From the perimeter network to the trusted network, allow all ports and protocols needed for domain access on the
domain-joined NDES server. The NDES server needs access to the certificate servers, DNS servers, Configuration
Manager servers, and domain controllers.
We recommend publishing the NDES server through a proxy, such as the Azure AD application proxy, Web Application
Proxy, or a third-party proxy.
Certificates and templates

OBJECT: Certificate Template
DETAILS: Configure this template on your issuing CA.

OBJECT: Client authentication certificate
DETAILS: Requested from your issuing CA or public CA; you install this certificate on the NDES Server.

OBJECT: Server authentication certificate
DETAILS: Requested from your issuing CA or public CA; you install and bind this SSL certificate in IIS on the NDES server.

OBJECT: Trusted Root CA certificate
DETAILS: You export this as a .cer file from the root CA or any device which trusts the root CA, and assign it to
devices by using the Trusted CA certificate profile. You use a single Trusted Root CA certificate per operating
system platform, and associate it with each Trusted Root Certificate profile you create. You can use additional
Trusted Root CA certificates when needed. For example, you might do this to provide a trust to a CA that signs the
server authentication certificates for your Wi-Fi access points.

Accounts

NAME: NDES service account
DETAILS: Specify a domain user account to use as the NDES Service account.

Configure your infrastructure


Before you can configure certificate profiles you must complete the following tasks, which require knowledge of
Windows Server 2012 R2 and Active Directory Certificate Services (ADCS):
Step 1: Create an NDES service account
Step 2: Configure certificate templates on the certification authority
Step 3: Configure prerequisites on the NDES server
Step 4: Configure NDES for use with Intune
Step 5: Enable, install, and configure the Intune Certificate Connector

NOTE
Because of a known issue, download, install, and configure the certificate connector using the following procedure: Configure
certificate infrastructure for SCEP -> Configure your infrastructure -> Task 5

Step 1 - Create an NDES service account


Create a domain user account to use as the NDES service account. You will specify this account when you
configure templates on the issuing CA before you install and configure NDES. Make sure the user has the default
rights, Logon Locally, Logon as a Service and Logon as a batch job rights. Some organizations have hardening
policies that disable those rights.
Step 2 - Configure certificate templates on the certification authority
In this task you will:
Configure a certificate template for NDES
Publish the certificate template for NDES
To configure the certification authority

1. Log on as an enterprise administrator.


2. On the issuing CA, use the Certificate Templates snap-in to create a new custom template, or copy and
edit an existing template (such as the User template), for use with NDES.

NOTE
The NDES certificate template must be based on a v2 Certificate Template (with Windows 2003 compatibility).

The template must have the following configurations:


Specify a friendly Template display name for the template.
On the Subject Name tab, select Supply in the request. (Security is enforced by the Intune policy
module for NDES).
On the Extensions tab, ensure the Description of Application Policies includes Client
Authentication.

IMPORTANT
For iOS and macOS certificate templates, on the Extensions tab, edit Key Usage and ensure Signature is
proof of origin is not selected.

On the Security tab, add the NDES service account, and give it Enroll permissions to the template.
Intune admins who will create SCEP profiles require Read rights so that they can browse to the
template when creating SCEP profiles.

NOTE
To revoke certificates the NDES service account needs Issue and Manage Certificates rights for each certificate
template used by a certificate profile.

3. Review the Validity period on the General tab of the template. By default, Intune uses the value
configured in the template. However, you have the option to configure the CA to allow the requester to
specify a different value, which you can then set from within the Intune Administrator console. If you want
to always use the value in the template, skip the remainder of this step.

IMPORTANT
iOS and macOS always use the value set in the template regardless of other configurations you make.

Here are screenshots of an example template configuration.


IMPORTANT
For Application Policies, only add the application policies required. Confirm your choices with your security admins.

To configure the CA to allow the requester to specify the validity period:


1. On the CA run the following commands:
certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
net stop certsvc
net start certsvc
2. On the issuing CA, use the Certification Authority snap-in to publish the certificate template. Select the
Certificate Templates node, click Action-> New > Certificate Template to Issue, and then select the
template you created in step 2.
3. Validate that the template published by viewing it under the Certificate Templates folder.
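The following PowerShell script is an added example, not part of the Intune documentation or of the AD CS product, that confirms on the issuing CA the two results of the procedure above: that EDITF_ATTRIBUTEENDDATE is set (so the requester may supply a validity period) and that the NDES template is published for issuance. $TemplateName is a placeholder for the template name (not the display name) you created.

```powershell
# Added example (not from the Intune docs): run in an elevated PowerShell session
# on the issuing CA after the certutil/net stop/net start commands above.
param(
    [string]$TemplateName = 'NDESIntuneTemplate'   # placeholder: template name, not display name
)

# certutil -getreg prints the EditFlags DWORD followed by the symbolic flags it contains,
# one per line, so a plain text match is enough to detect EDITF_ATTRIBUTEENDDATE.
$editFlags = (& certutil.exe -getreg 'Policy\EditFlags' 2>&1) | Out-String
$endDateAllowed = $editFlags -match 'EDITF_ATTRIBUTEENDDATE'

# certutil -CATemplates lists each template the CA is configured to issue,
# one per line in the form "TemplateName: Display Name -- ...".
$caTemplates = (& certutil.exe -CATemplates 2>&1) | Out-String
$templatePublished = $caTemplates -match ("(?m)^\s*" + [regex]::Escape($TemplateName) + ":")

# The EditFlags change only takes effect after certsvc restarts, so report its state too.
$certSvc = Get-Service -Name CertSvc -ErrorAction SilentlyContinue

if ($endDateAllowed) {
    'EDITF_ATTRIBUTEENDDATE is set: the requester (the Intune SCEP profile) may set the validity period.'
} else {
    'EDITF_ATTRIBUTEENDDATE is not set: issued certificates use the Validity period from the template.'
}

if ($templatePublished) {
    "Template '$TemplateName' is published for issuance on this CA."
} else {
    "Template '$TemplateName' is not published: use Certificate Template to Issue in the CA snap-in."
}

if ($certSvc -and $certSvc.Status -eq 'Running') {
    'CertSvc is running.'
} else {
    'CertSvc is not running: start it with "net start certsvc".'
}
```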
Step 3 - Configure prerequisites on the NDES server
In this task you will:
Add NDES to a Windows Server and configure IIS to support NDES
Add the NDES Service account to the IIS_IUSRS group
Set the SPN for the NDES Service account
1. On the server that will host NDES, you must log on as an Enterprise Administrator, and then use the
Add Roles and Features Wizard to install NDES:
a. In the Wizard, select Active Directory Certificate Services to gain access to the AD CS Role
Services. Select the Network Device Enrollment Service, uncheck Certification Authority, and
then complete the wizard.

TIP
On the Installation progress page of the wizard, do not click Close. Instead, click the link for Configure
Active Directory Certificate Services on the destination server. This opens the AD CS Configuration
wizard that you use for the next task. After AD CS Configuration opens, you can close the Add Roles and
Features wizard.

b. When NDES is added to the server, the wizard also installs IIS. Ensure IIS has the following
configurations:
Web Server > Security > Request Filtering
Web Server > Application Development > ASP.NET 3.5. Installing ASP.NET 3.5 will install
.NET Framework 3.5. When installing .NET Framework 3.5, install both the core .NET
Framework 3.5 feature and HTTP Activation.
Web Server > Application Development > ASP.NET 4.5. Installing ASP.NET 4.5 will install
.NET Framework 4.5. When installing .NET Framework 4.5, install the core .NET Framework
4.5 feature, ASP.NET 4.5, and the WCF Services > HTTP Activation feature.
Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility
Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility
c. On the server, add the NDES service account as a member of the IIS_IUSRS group.
2. In an elevated command prompt, run the following command to set the SPN of the NDES Service account:
setspn -s http/<DNS name of NDES Server> <Domain name>\<NDES Service account name>

For example, if your NDES Server is named Server01, your domain is Contoso.com, and the service account is
NDESService, use:
setspn -s http/Server01.contoso.com contoso\NDESService

Step 4 - Configure NDES for use with Intune


In this task you will:
Configure NDES for use with the issuing CA
Bind the server authentication (SSL) certificate in IIS
Configure Request Filtering in IIS
1. On the NDES Server, open the AD CS Configuration wizard and then make the following configurations.

TIP
If you clicked the link in the previous task, this wizard is already open. Otherwise, open Server Manager to access the
post-deployment configuration for Active Directory Certificate Services.

On the Role Services Page, select the Network Device Enrollment Service.
On the Service Account for NDES page, specify the NDES Service Account.
On the CA for NDES page, click Select, and then select the issuing CA where you configured the
certificate template.
On the Cryptography for NDES page, set the key length to meet your company requirements.
On the Confirmation page, click Configure to complete the wizard.
2. After the wizard completes, edit the following registry key on the NDES Server:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\
To edit this key, identify the certificate template's Purpose, as found on its Request Handling tab, and then
edit the corresponding entry in the registry by replacing the existing data with the name of the certificate
template (not the display name of the template) that you configured in Step 2. The following table maps the
certificate template purpose to the values in the registry:

Certificate template purpose (on the Request Handling tab): Signature
Registry value to edit: SignatureTemplate
Value seen in the Intune admin console for the SCEP profile: Digital Signature

Certificate template purpose (on the Request Handling tab): Encryption
Registry value to edit: EncryptionTemplate
Value seen in the Intune admin console for the SCEP profile: Key Encipherment

Certificate template purpose (on the Request Handling tab): Signature and encryption
Registry value to edit: GeneralPurposeTemplate
Value seen in the Intune admin console for the SCEP profile: Key Encipherment, Digital Signature

For example, if the Purpose of your certificate template is Encryption, then edit the EncryptionTemplate
value to be the name of your certificate template.
3. The NDES server will receive very long URLs (queries), which require that you add two registry entries:

Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Value: MaxFieldLength
Type: DWORD
Data: 65534 (decimal)

Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Value: MaxRequestBytes
Type: DWORD
Data: 65534 (decimal)

4. In IIS manager, choose Default Web Site -> Request Filtering -> Edit Feature Setting, and change the
Maximum URL length and Maximum query string to 65534, as shown.
5. Restart the server. Running iisreset on the server will not be sufficient to finalize these changes.
6. Browse to http://FQDN/certsrv/mscep/mscep.dll. You should see an NDES page similar to this:

If you get a 503 Service unavailable, check the event viewer. It's likely that the application pool is stopped
due to a missing right for the NDES user. Those rights are described in Task 1.
To install and bind certificates on the NDES Server

1. On your NDES Server, request and install a server authentication certificate from your internal CA or
public CA. You will then bind this SSL certificate in IIS.

TIP
After you bind the SSL certificate in IIS, you will also install a client authentication certificate. This certificate can be
issued by any CA that is trusted by the NDES Server. Although it is not a best practice, you can use the same
certificate for both server and client authentication as long as the certificate has both Enhanced Key Usages (EKUs).
Review the following steps for information about these authentication certificates.

a. After you obtain the server authentication certificate, open IIS Manager, select the Default Web
Site in the Connections pane, and then click Bindings in the Actions pane.
b. Click Add, set Type to https, and then ensure the port is 443. (Only port 443 is supported for
standalone Intune.)
c. For SSL certificate, specify the server authentication certificate.

NOTE
If the NDES server uses both an external and internal name for a single network address, the server
authentication certificate must have a Subject Name with an external public server name, and a Subject
Alternative Name that includes the internal server name.

2. On your NDES Server, request and install a client authentication certificate from your internal CA, or a
public certificate authority. This can be the same certificate as the server authentication certificate if that
certificate has both capabilities.
The client authentication certificate must have the following properties:
Enhanced Key Usage - This must include Client Authentication.
Subject Name - This must be equal to the DNS name of the server where you are installing the certificate
(the NDES Server).
To configure IIS request filtering

1. On the NDES Server open IIS Manager, select the Default Web Site in the Connections pane, and then
open Request Filtering.
2. Click Edit Feature Settings, and then set the following:
Maximum query string (Bytes) = 65534
Maximum URL length (Bytes) = 65534
3. Review the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Ensure the following values are set as DWORD entries:
Name: MaxFieldLength, with a decimal value of 65534
Name: MaxRequestBytes, with a decimal value of 65534
4. Reboot the NDES server. The server is now ready to support the Certificate Connector.
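The registry and IIS request-filtering steps above, applied and read back as a script. This is an added example and is not part of the Intune documentation or the Certificate Connector. It assumes an elevated Windows PowerShell session on the NDES server, that NDES is installed under "Default Web Site", and that the WebAdministration module that ships with IIS is available; the site name is a placeholder to change if yours differs.

```powershell
# Added example, not part of the Intune documentation: apply and verify the
# NDES request-size settings from the procedure above. Run in an elevated
# Windows PowerShell session on the NDES server. Assumptions (placeholders):
# NDES is installed under "Default Web Site" and the WebAdministration module
# (installed with IIS) is available.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$mscepKey   = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$site       = 'IIS:\Sites\Default Web Site'
$filter     = '/system.webServer/security/requestFiltering/requestLimits'
$limit      = 65534

# 1. HTTP.sys limits: both REG_DWORD, decimal 65534. -Force overwrites existing values.
foreach ($name in 'MaxFieldLength', 'MaxRequestBytes') {
    New-ItemProperty -Path $httpParams -Name $name -PropertyType DWord -Value $limit -Force | Out-Null
}

# 2. IIS request filtering on the site that hosts /certsrv/mscep
#    (the same values as Edit Feature Settings in IIS Manager).
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name maxUrl         -Value $limit
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name maxQueryString -Value $limit

# 3. Read everything back. HTTP.sys only picks up its registry parameters when it
#    starts, so a reboot (not just iisreset) is still required after this script.
$reg    = Get-ItemProperty -Path $httpParams
$iis    = Get-WebConfiguration -PSPath $site -Filter $filter
$mscep  = Get-ItemProperty -Path $mscepKey -ErrorAction SilentlyContinue
$values = @($reg.MaxFieldLength, $reg.MaxRequestBytes, $iis.maxUrl, $iis.maxQueryString)

[pscustomobject]@{
    MaxFieldLength    = $reg.MaxFieldLength
    MaxRequestBytes   = $reg.MaxRequestBytes
    IisMaxUrl         = $iis.maxUrl
    IisMaxQueryString = $iis.maxQueryString
    AllLimitsAt65534  = ($values | ForEach-Object { [int64]$_ -eq $limit }) -notcontains $false
    # Template names NDES requests with (value names, not display names); a
    # certificate profile must reference one of these exactly.
    EncryptionTemplate     = $mscep.EncryptionTemplate
    GeneralPurposeTemplate = $mscep.GeneralPurposeTemplate
    SignatureTemplate      = $mscep.SignatureTemplate
}

# 4. Probe the NDES endpoint. Before the Intune Certificate Connector is installed
#    this should return the NDES page (200); after Step 5 a 403 is the expected answer.
$ndesUrl = 'http://{0}/certsrv/mscep/mscep.dll' -f [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
try {
    $status = (Invoke-WebRequest -Uri $ndesUrl -UseBasicParsing -UseDefaultCredentials).StatusCode
} catch {
    $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { $_.Exception.Message }
}
"$ndesUrl -> HTTP $status"
```

Run it once before the reboot to confirm the values were written, and once after to confirm the endpoint answers; anything other than 200 (before the connector) or 403 (after) points at the application pool or the NDES service account rights from Task 1.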
Step 5 - Enable, install, and configure the Intune certificate connector
In this task you will:
Enable support for NDES in Intune.
Download, install, and configure the Certificate Connector on the NDES Server.
To enable support for the certificate connector

1. Sign into the Azure portal.


2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Configure devices.
4. On the Device Configuration blade, choose Certification Authority.
5. Select Enable Certificate Connector.
To download, install and configure the certificate connector

NOTE
Because of a known issue, download, install, and configure the certificate connector using the following procedure: Configure
certificate infrastructure for SCEP -> Configure your infrastructure -> Task 5

1. Sign into the Azure portal.


2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Configure devices.
4. On the Device Configuration blade, choose Certification Authority.
5. Choose Download Certificate Connector.
6. After the download completes, run the downloaded installer (ndesconnectorssetup.exe) on a Windows
Server 2012 R2 server. The installer also installs the policy module for NDES and the CRP Web Service. (The
CRP Web Service, CertificateRegistrationSvc, runs as an application in IIS.)
NOTE
When you install NDES for standalone Intune, the CRP service automatically installs with the Certificate Connector.
When you use Intune with Configuration Manager, you install the Certificate Registration Point as a separate site
system role.

7. When prompted for the client certificate for the Certificate Connector, choose Select, and select the client
authentication certificate you installed on your NDES Server in Task 3.
After you select the client authentication certificate, you are returned to the Client Certificate for
Microsoft Intune Certificate Connector surface. Although the certificate you selected is not shown, click
Next to view the properties of that certificate. Then click Next, and then click Install.
8. After the wizard completes, but before closing the wizard, click Launch the Certificate Connector UI.

TIP
If you close the wizard before launching the Certificate Connector UI, you can reopen it by running the following
command:
<install_Path>\NDESConnectorUI\NDESConnectorUI.exe

9. In the Certificate Connector UI:


Click Sign In and enter your Intune service administrator credentials, or credentials for a tenant
administrator with the global administration permission.
If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet,
click Use proxy server and then provide the proxy server name, port, and account credentials to connect.
Select the Advanced tab, and then provide credentials for an account that has the Issue and Manage
Certificates permission on your issuing Certificate Authority, and then click Apply.
You can now close the Certificate Connector UI.
10. Open a command prompt and type services.msc, and then press Enter, right-click the Intune Connector
Service, and then click Restart.
To validate that the service is running, open a browser and enter the following URL. It should now return a 403
error rather than the NDES page you saw earlier, because the NDES policy module installed with the connector
rejects requests that do not carry a valid Intune challenge:
http://<FQDN_of_your_NDES_server>/certsrv/mscep/mscep.dll

How to create a SCEP certificate profile


1. In the Azure Portal, select the Configure devices workload.
2. On the Device Configuration blade, choose Manage > Profiles.
3. On the profiles blade, choose Create Profile.
4. On the Create Profile blade, enter a Name and Description for the SCEP certificate profile.
5. From the Platform drop-down list, select the device platform for this SCEP certificate. You can choose one
of the following platforms:
Android
iOS
macOS
Windows Phone 8.1
Windows 8.1 and later
Windows 10 and later
6. From the Profile type drop-down list, choose SCEP certificate.
7. On the SCEP Certificate blade, configure the following settings:
Certificate validity period - If you have run the certutil -setreg Policy\EditFlags
+EDITF_ATTRIBUTEENDDATE command on the issuing CA, which allows a custom validity period, you
can specify the amount of remaining time before the certificate expires.
You can specify a value that is lower than the validity period in the specified certificate template, but not
higher. For example, if the certificate validity period in the certificate template is two years, you can
specify a value of one year but not a value of five years. The value must also be lower than the remaining
validity period of the issuing CA's certificate.
Key storage provider (KSP) (Windows Phone 8.1, Windows 8.1, Windows 10) - Specify where the key
to the certificate will be stored. Choose from one of the following values:
Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP
Enroll to Trusted Platform Module (TPM) KSP, otherwise fail
Enroll to Passport, otherwise fail (Windows 10 and later)
Enroll to Software KSP
Subject name format - From the list, select how Intune automatically creates the subject name in
the certificate request. If the certificate is for a user, you can also include the user's email address in
the subject name. Choose from:
Not configured
Common name
Common name including email
Common name as email
Custom - When you select this option, another field is displayed in which you enter a custom
subject name format. The two variables supported in the custom format are Common Name (CN)
and Email (E). By combining one or both of these variables with static strings, you can build a
custom subject name such as:
CN={{UserName}},E={{EmailAddress}},OU=Mobile,O=Finance Group,L=Redmond,ST=Washington,C=US
In this example, in addition to the CN and E variables, the subject name uses static strings for
the Organizational Unit, Organization, Locality, State, and Country values. The CertStrToName
function documentation lists the supported attribute strings.
Subject alternative name - Specify how Intune automatically creates the values for the subject
alternative name (SAN) in the certificate request. For example, if you selected a user certificate type,
you can include the user principal name (UPN) in the subject alternative name. If the client certificate
will be used to authenticate to a Network Policy Server, you must set the subject alternative name to
the UPN.
Key usage - Specify the key usage extension for the certificate. You can choose one or both of:
Key encipherment: The public key may be used to encrypt (wrap) symmetric keys, for example during key exchange.
Digital signature: The private key may be used to create digital signatures, which is what TLS client authentication uses.
Key size (bits) - Select the number of bits that will be contained in the key.
Hash algorithm (Android, Windows Phone 8.1, Windows 8.1, Windows 10) - Select one of the available
hash algorithm types to use with this certificate. Select the strongest level of security that the connecting
devices support.
Root Certificate - Choose a root CA certificate profile that you have previously configured and assigned
to the user or device. This CA certificate must be the root certificate for the CA that will issue the
certificate that you are configuring in this certificate profile.
Extended key usage - Choose Add to add values for the certificate's intended purpose. In most cases,
the certificate will require Client Authentication so that the user or device can authenticate to a server.
However, you can add any other key usages as required.
Enrollment Settings
Renewal threshold (%) - Specify the percentage of the certificate lifetime that remains before
the device requests renewal of the certificate.
SCEP Server URLs - Specify one or more URLs for the NDES Servers that will issue certificates via
SCEP.
8. When you're done, go back to the Create Profile blade, and hit Create.
The profile will be created and appears on the profiles list blade.

How to assign the certificate profile


Consider the following before you assign certificate profiles to groups:
When you assign certificate profiles to groups, the certificate file from the Trusted CA certificate profile is
installed on the device. The device then uses the SCEP certificate profile to create its certificate request.
Certificate profiles install only on devices running the platform you use when you created the profile.
You can assign certificate profiles to user collections or to device collections.
To publish a certificate to a device quickly after the device enrolls, assign the certificate profile to a user group
rather than to a device group. If you assign to a device group, a full device registration is required before the
device receives policies.
Although you assign each profile separately, you also need to assign the Trusted Root CA and the SCEP or PKCS
profile. Otherwise, the SCEP or PKCS certificate policy will fail.
For information about how to assign profiles, see How to assign device profiles.
Configure and manage PKCS certificates with Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE


This topic shows how to configure your infrastructure, then create and assign PKCS certificate profiles with Intune.
To do any certificate-based authentication in your organization, you need an Enterprise Certification Authority.
To use PKCS Certificate profiles, in addition to the Enterprise Certification Authority, you also need:
A computer that can communicate with the Certification Authority, or you can use the Certification Authority
computer itself.
The Intune Certificate Connector, which runs on the computer that can communicate with the Certification
Authority.

Important terms
Active Directory domain: All servers listed in this section (except for the Web Application Proxy Server)
must be joined to your Active Directory domain.
Certification Authority: An Enterprise Certification Authority (CA) that runs on an Enterprise edition of
Windows Server 2008 R2 or later. A Standalone CA is not supported. For instructions on how to set up a
Certification Authority, see Install the Certification Authority. If your CA runs Windows Server 2008 R2, you
must install the hotfix from KB2483564.
Computer that can communicate with Certification Authority: Alternatively, use the Certification
Authority computer itself.
Microsoft Intune Certificate Connector: From the Azure portal, you download the Certificate Connector
installer (ndesconnectorssetup.exe). Then you can run ndesconnectorssetup.exe on the computer where
you want to install the Certificate Connector. For PKCS Certificate profiles, install the Certificate Connector on
the computer that communicates with the Certification Authority.
Web Application Proxy server (optional): You can use a server that runs Windows Server 2012 R2 or
later as a Web Application Proxy (WAP) server. This configuration:
Allows devices to receive certificates using an Internet connection.
Is a security recommendation when devices connect through the Internet to receive and renew
certificates.
NOTE
The server that hosts WAP must install an update that enables support for the long URLs that are used by the
Network Device Enrollment Service (NDES). This update is included with the December 2014 update rollup, or
individually from KB3011135.
Also, the server that hosts WAP must have an SSL certificate that matches the name being published to external
clients as well as trust the SSL certificate that is used on the NDES server. These certificates enable the WAP server
to terminate the SSL connection from clients, and create a new SSL connection to the NDES server. For
information about certificates for WAP, see the Plan certificates section of Planning to Publish Applications
Using Web Application Proxy. For general information about WAP servers, see Working with Web Application
Proxy.

Certificates and templates


OBJECT                        DETAILS

Certificate Template          You configure this template on your issuing CA.

Trusted Root CA certificate   You export this as a .cer file from the issuing CA, or from any device
                              that trusts the issuing CA, and assign it to devices by using the Trusted
                              CA certificate profile.

                              You use a single Trusted Root CA certificate per operating system
                              platform, and associate it with each Trusted Root Certificate profile
                              you create.

                              You can use additional Trusted Root CA certificates when needed, for
                              example to provide trust for a CA that signs the server authentication
                              certificates for your Wi-Fi access points.

Configure your infrastructure


Before you can configure certificate profiles, you must complete the following steps. These steps require
knowledge of Windows Server 2012 R2 and Active Directory Certificate Services (ADCS):
Step 1 - Configure certificate templates on the certification authority.
Step 2 - Enable, install, and configure the Intune Certificate Connector.

Step 1 - Configure certificate templates on the certification authority


To configure the certification authority
1. On the issuing CA, use the Certificate Templates snap-in to create a new custom template, or copy and edit
an existing template (like the User template), for use with PKCS.
The template must include the following:
Specify a friendly Template display name for the template.
On the Subject Name tab, select Supply in the request. (Security is enforced by the Intune policy
module for NDES).
On the Extensions tab, ensure the Description of Application Policies includes Client
Authentication.
IMPORTANT
For iOS and macOS certificate templates, on the Extensions tab, edit Key Usage and ensure that Signature
is proof of origin is not selected.

2. Review the Validity period on the General tab of the template. By default, Intune uses the value
configured in the template. However, you can configure the CA to allow the requester to specify a
different value, which you then set in the Certificate validity period setting of the Intune certificate
profile. If you want to always use the value in the template, skip the remainder of this step.

IMPORTANT
iOS and macOS always use the value set in the template, regardless of other configurations you make.

To configure the CA to allow the requester to specify the validity period, run the following commands on the
CA:
a. certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
b. net stop certsvc
c. net start certsvc
3. On the issuing CA, use the Certification Authority snap-in to publish the certificate template.
a. Select the Certificate Templates node, click Action -> New > Certificate Template to Issue, and then
select the template you created in step 1.
b. Validate that the template published by viewing it under the Certificate Templates folder.
4. On the CA computer, ensure that the computer that hosts the Intune Certificate Connector has enroll
permission, so that it can access the template used in creating the PKCS certificate profile. Set that
permission on the Security tab of the CA computer properties.
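The CA-side steps above (allow the requester to supply the end date, publish the template, and confirm who can enroll on it) as a script. This is an added example and is not part of the Intune documentation; run it in an elevated Windows PowerShell session on the issuing CA. It assumes a template whose name (not display name) is "IntunePKCSUser", which is a placeholder to change; the Certificate-Enrollment extended-right GUID is the well-known Active Directory value.

```powershell
# Added example, not part of the Intune documentation: the CA-side steps above
# as a script. Run in an elevated Windows PowerShell session on the issuing CA.
# Assumptions (placeholders to change): the template's name (not its display
# name) is "IntunePKCSUser".
#Requires -RunAsAdministrator
$templateName = 'IntunePKCSUser'   # assumed template name, as listed by certutil -CATemplates
$enrollRight  = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right

# 1. Allow the requester (here, the Intune certificate profile) to supply the end date.
certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE | Out-Null
Restart-Service certsvc   # equivalent to "net stop certsvc" / "net start certsvc"

# 2. Publish the template on this CA ("Certificate Template to Issue" in the snap-in).
certutil -SetCATemplates "+$templateName" | Out-Null

# 3. Read back the flag and the publication. certutil -getreg decodes EditFlags bit
#    names; certutil -CATemplates prints one "<Name>: <Display name> -- ..." line
#    per published template.
$editFlags = certutil -getreg Policy\EditFlags
$published = certutil -CATemplates

# 4. List who holds Enroll on the template. Template ACLs live in the Configuration
#    partition of AD, so the connector host's computer account (or a group it belongs
#    to) must appear here with an Allow entry.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.Properties['configurationNamingContext'].Value
$tpl      = [ADSI]('LDAP://CN={0},CN=Certificate Templates,CN=Public Key Services,CN=Services,{1}' -f $templateName, $configNC)
$enrollers = $tpl.ObjectSecurity.Access |
    Where-Object { $_.ObjectType -eq $enrollRight -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object { $_.IdentityReference.Value }

[pscustomobject]@{
    AttributeEndDateEnabled = [bool]($editFlags -match 'EDITF_ATTRIBUTEENDDATE')
    TemplatePublished       = [bool]($published -match "^$templateName:")
    AllowedToEnroll         = $enrollers -join ', '
}
```

If AllowedToEnroll does not include the connector host's computer account or one of its groups, add Enroll on the template's Security tab before creating the PKCS profile; an issued-certificate failure for a missing Enroll right shows up only at the first device check-in, which is a slow place to discover it.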

Step 2 - Enable, install, and configure the Intune certificate connector


In this step you will:
Enable support for the Certificate Connector
Download, install, and configure the Certificate Connector.
To enable support for the certificate connector
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Configure devices.
4. On the Device Configuration blade, choose Setup > Certificate Authority.
5. Under Step 1, choose Enable.
To download, install, and configure the certificate connector
1. On the Configure devices blade, choose Setup > Certificate Authority.
2. Choose Download the certificate connector.
3. After the download completes, run the downloaded installer (ndesconnectorssetup.exe). Run the installer
on the computer that is able to connect with the Certification Authority. Choose the PKCS (PFX) Distribution
option, and then choose Install. After the installation completes, finish the remaining steps here and then
create a certificate profile as described in How to create a PKCS certificate profile.
4. When prompted for the client certificate for the Certificate Connector, choose Select, and select the client
authentication certificate you installed.
After you select the client authentication certificate, you are returned to the Client Certificate for
Microsoft Intune Certificate Connector surface. Although the certificate you selected is not shown,
choose Next to view the properties of that certificate. Then choose Next, and then Install.
5. After the wizard completes, but before closing the wizard, click Launch the Certificate Connector UI.

TIP
If you close the wizard before launching the Certificate Connector UI, you can reopen it by running the following
command:
<install_Path>\NDESConnectorUI\NDESConnectorUI.exe

6. In the Certificate Connector UI:


a. Choose Sign In and enter your Intune service administrator credentials, or credentials for a tenant
administrator with the global administration permission.
b. Select the Advanced tab, and then provide credentials for an account that has the Issue and Manage
Certificates permission on your issuing Certificate Authority.
c. Choose Apply.
You can now close the Certificate Connector UI.
7. Open a command prompt and type services.msc. Then press Enter, right-click the Intune Connector
Service, and choose Restart.
To validate that the service is running, open a browser and enter the following URL, which should return a 403
error:
http://<FQDN_of_your_NDES_server>/certsrv/mscep/mscep.dll
How to create a PKCS certificate profile
In the Azure Portal, select the Configure devices workload.
1. On the Device configuration blade, choose Manage > Profiles.
2. On the profiles blade, click Create Profile.
3. On the Create Profile blade, enter a Name and Description for the PKCS certificate profile.
4. From the Platform drop-down list, select the device platform for this PKCS certificate from:
Android
Android for Work
iOS
Windows 10 and later
5. From the Profile type drop-down list, choose PKCS certificate.
6. On the PKCS Certificate blade, configure the following settings:
Renewal threshold (%) - Specify the percentage of the certificate lifetime that remains before the
device requests renewal of the certificate.
Certificate validity period - If you have run the certutil -setreg Policy\EditFlags
+EDITF_ATTRIBUTEENDDATE command on the issuing CA, which allows a custom validity period, you
can specify the amount of remaining time before the certificate expires.
You can specify a value that is lower than the validity period in the specified certificate template, but not
higher. For example, if the certificate validity period in the certificate template is two years, you can
specify a value of one year but not a value of five years. The value must also be lower than the remaining
validity period of the issuing CA's certificate.
Key storage provider (KSP) (Windows 10) - Specify where the key to the certificate will be stored.
Choose from one of the following values:
Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP
Enroll to Trusted Platform Module (TPM) KSP, otherwise fail
Enroll to Passport, otherwise fail (Windows 10 and later)
Enroll to Software KSP
Certification authority - An Enterprise Certification Authority (CA) that runs on an Enterprise edition of
Windows Server 2008 R2 or later. A Standalone CA is not supported. For instructions on how to set up a
Certification Authority, see Install the Certification Authority. If your CA runs Windows Server 2008 R2,
you must install the hotfix from KB2483564.
Certification authority name - Enter the name of your certification authority.
Certificate template name - Enter the name of a certificate template that the Network Device
Enrollment Service is configured to use and that has been added to an issuing CA. Make sure that the
name exactly matches one of the certificate templates that are listed in the registry of the server that is
running the Network Device Enrollment Service. Make sure that you specify the name of the certificate
template and not the display name of the certificate template. To find the names of certificate templates,
browse to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP. You
will see the certificate templates listed as the values for EncryptionTemplate,
GeneralPurposeTemplate, and SignatureTemplate. By default, the value for all three certificate
templates is IPSECIntermediateOffline, which maps to the template display name of IPSec (Offline
request).
Subject name format - From the list, select how Intune automatically creates the subject name in the
certificate request. If the certificate is for a user, you can also include the user's email address in the
subject name. Choose from:
Not configured
Common name
Common name including email
Common name as email
Subject alternative name - Specify how Intune automatically creates the values for the subject
alternative name (SAN) in the certificate request. For example, if you selected a user certificate type, you
can include the user principal name (UPN) in the subject alternative name. If the client certificate is used
to authenticate to a Network Policy Server, set the subject alternative name to the UPN. You can also
select Custom Azure AD attribute. When you select this option, another drop-down field is displayed.
From the Custom Azure AD attribute drop-down field, there is one option: Department. When you
select this option, if the department is not identified in Azure AD, the certificate is not issued. To resolve
this issue, identify the department and save the changes. At the next device checkin, the problem is
resolved and certificate is issued. ASN.1 is the notation used for this field.
Extended key usage (Android) - Choose Add to add values for the certificate's intended purpose. In
most cases, the certificate will require Client Authentication so that the user or device can authenticate
to a server. However, you can add any other key usages as required.
Root Certificate (Android) - Choose a root CA certificate profile that you have previously configured
and assigned to the user or device. This CA certificate must be the root certificate for the CA that will
issue the certificate that you are configuring in this certificate profile. This is the trusted certificate profile
that you created previously.
7. When you're done, go back to the Create Profile blade, and click Create.
The profile is created and is displayed on the profiles list blade.
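Once a SCEP or PKCS profile has been delivered, the settings chosen in either procedure above (Extended key usage, Subject alternative name, Key storage provider, Renewal threshold) can be checked on the device itself. The following is an added example, not code from the Intune documentation; it runs in Windows PowerShell on an enrolled Windows 10 device and assumes the issuing CA's common name is "Contoso Issuing CA" and that the profile issued a user certificate into the current user's store; both are placeholders to adjust.

```powershell
# Added example, not part of the Intune documentation: on an enrolled Windows 10
# device, find the certificate that a SCEP or PKCS profile delivered and check
# it against the profile settings (Extended key usage, Subject alternative name,
# Key storage provider, Renewal threshold). Assumptions (placeholders to change):
# the issuing CA's CN is "Contoso Issuing CA" and the certificate is a user
# certificate in the current user's store.
$issuerName  = 'Contoso Issuing CA'        # assumed issuing CA common name
$clientAuth  = '1.3.6.1.5.5.7.3.2'         # Client Authentication EKU OID
$expectedUpn = (whoami /upn 2>$null)       # only meaningful for a domain or Azure AD account
if ($expectedUpn -notmatch '@') { $expectedUpn = $null }

$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like "CN=$issuerName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate issued by '$issuerName' with a private key was found." }

# Extended key usage (2.5.29.37): the profile normally includes Client Authentication.
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekus   = @(if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } })

# Subject alternative name (2.5.29.17): authentication to NPS needs the UPN here.
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }

# Key storage provider: a TPM-backed key reports "Microsoft Platform Crypto Provider",
# a software KSP reports "Microsoft Software Key Storage Provider". Legacy CAPI keys
# have no CNG handle, which the catch reports.
$provider = try {
    [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert).Key.Provider.Provider
} catch { 'not a CNG key' }
$keySize = try {
    [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert).KeySize
} catch { $null }

# Lifetime remaining, to compare with the profile's Renewal threshold (%).
$lifetimeDays  = ($cert.NotAfter - $cert.NotBefore).TotalDays
$remainingDays = ($cert.NotAfter - (Get-Date)).TotalDays
$remainingPct  = [math]::Round(100 * $remainingDays / $lifetimeDays, 1)

[pscustomobject]@{
    Thumbprint        = $cert.Thumbprint
    Subject           = $cert.Subject
    HasClientAuthEku  = $ekus -contains $clientAuth
    SanContainsUpn    = if ($expectedUpn) { [bool]($sanText -match [regex]::Escape($expectedUpn)) } else { 'unknown (account has no UPN)' }
    KeyProvider       = $provider
    TpmBacked         = $provider -eq 'Microsoft Platform Crypto Provider'
    KeySizeBits       = $keySize
    RemainingLifetime = "$remainingPct %"
}
```

A profile set to "Enroll to Trusted Platform Module (TPM) KSP, otherwise fail" should never produce a certificate whose KeyProvider is the software provider; if it does, the device either has no usable TPM or the profile that delivered the certificate is not the one you expect.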
How to assign the certificate profile
Consider the following before you assign certificate profiles to groups:
When you assign certificate profiles to groups, the certificate file from the Trusted CA certificate profile is
installed on the device. The device then uses the PKCS certificate profile to create its certificate request.
Certificate profiles install only on devices running the platform you use when you created the profile.
You can assign certificate profiles to user collections or to device collections.
To publish a certificate to a device quickly after the device enrolls, assign the certificate profile to a user group
rather than to a device group. If you assign to a device group, a full device registration is required before the
device receives policies.
Although you assign each profile separately, you also need to assign the Trusted Root CA and the PKCS profile.
Otherwise, the PKCS certificate policy will fail.
For information about how to assign profiles, see How to assign device profiles.
How to configure Windows Information Protection in
Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE


With the increase of employee-owned devices in the enterprise, there's also an increasing risk of accidental data
leaks through apps and services, like email, social media, and the public cloud, which are outside of the enterprise's
control. For example, an employee sends the latest engineering pictures from a personal email account, copies and
pastes product info into a tweet, or saves an in-progress sales report to public cloud storage.
Windows Information Protection helps to protect against this potential data leakage without otherwise
interfering with the employee experience. It also helps to protect enterprise apps and data against accidental data
leaks on enterprise-owned devices and personal devices that employees bring to work without requiring changes
to your environment or other apps.
This Intune policy manages the list of apps protected by Windows Information Protection, enterprise network
locations, protection level, and encryption settings.

NOTE
To use the Windows 10 Company Portal app with Windows Information Protection, you must add the Company Portal app
under the Windows Information Protection mode of Exempt.

Next steps
For more information, see Protect your enterprise data using Windows Information Protection.
How to assign Microsoft Intune device profiles
6/19/2017

APPLIES TO: INTUNE ON AZURE


1. Sign into the Azure portal.


2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device configuration blade, choose Manage > Profiles.
5. In the list of profiles blade, choose the profile you want to manage, and then, on the <profile name>
Reports blade, choose Manage > Assignments.
6. On the next blade, click Select groups, and then, in the Select groups blade, choose the Azure AD groups
to which you want to assign the profile. You can hold down the CTRL key to select multiple groups.
7. When you are done, on the Select groups blade, choose Select.
Next steps
See How to monitor device profiles for information to help you monitor device profile assignments.
How to monitor device profiles in Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE


You can monitor the assignment progress of Intune device profiles in two ways:
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device Configuration blade, choose Manage > Profiles.
5. In the list of profiles blade, choose the profile you want to manage, and then, either:
On the <profile name> Reports blade, choose Overview to see basic information about the profile and
its assignments.
On the <profile name> Reports blade, choose Reports to see more detailed information about the
profile and its assignments.
Troubleshooting device profiles in Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE


The information in this topic can be used to help you troubleshoot common issues around Intune device profiles.

How long does it take for mobile devices to get a policy or apps after
they have been assigned?
When a policy or an app is assigned, Intune immediately begins attempting to notify the device that it should check
in with the Intune service. This typically takes less than five minutes.
If a device doesn't check in to get the policy after the first notification is sent, Intune makes three more attempts. If
the device is offline (for example, it is turned off or not connected to a network), it might not receive the
notifications. In this case, the device will get the policy on its next scheduled check-in with the Intune service as
follows:
iOS and macOS: Every 6 hours.
Android: Every 8 hours.
Windows Phone: Every 8 hours.
Windows 8.1 and Windows 10 PCs enrolled as devices: Every 8 hours.
If the device has just enrolled, the check-in frequency will be more frequent, as follows:
iOS and macOS: Every 15 minutes for 6 hours, and then every 6 hours.
Android: Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then every 8 hours.
Windows Phone: Every 5 minutes for 15 minutes, then every 15 minutes for 2 hours, and then every 8 hours.
Windows PCs enrolled as devices: Every 3 minutes for 30 minutes, and then every 8 hours.
Users can also open the Company Portal app and sync the device to immediately check for the policy anytime.

What actions cause Intune to immediately send a notification to a device?
Devices check in with Intune either when they receive a notification that tells them to check in or during their
regularly scheduled check-in. When you target a device or user specifically with an action such as a wipe, lock,
passcode reset, app assignment, profile assignment (Wi-Fi, VPN, email, etc.), or policy assignment, Intune will
immediately begin trying to notify the device that it should check in with the Intune service to receive these
updates.
Other changes, such as revising the contact information in the company portal, do not cause an immediate
notification to devices.

If multiple policies are assigned to the same user or device, how do I know which settings will get applied?
When two or more policies are assigned to the same user or device, the evaluation for which setting is applied
happens at the individual setting level:
Compliance policy settings always have precedence over configuration policy settings.
The most restrictive compliance policy setting is applied if it is evaluated against the same setting in a
different compliance policy.
If a configuration policy setting conflicts with a setting in a different configuration policy, this conflict will be
displayed in the Intune console. You must manually resolve such conflicts.

What happens when app protection policies conflict with each other?
Which one will be applied to the app?
Conflict values are the most restrictive settings available in an app protection policy, except for the number entry
fields (like PIN attempts before reset). The number entry fields are set to the values you would get if you created a
MAM policy in the console by using the recommended settings option.
Conflicts occur when two profiles configure the same setting with different values. For example, you configured two
MAM policies that are identical except for the copy/paste setting. In this scenario, the copy/paste setting will be set
to the most restrictive value, but the rest of the settings will be applied as configured.
If one profile is assigned to the app and takes effect, and then a second one is assigned, the first one will take
precedence and stay applied, while the second shows in conflict. If they are both applied at the same time, meaning
that there is no preceding profile, then they will both be in conflict. Any conflicting settings will be set to the most
restrictive values.
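The following is an added example that models the conflict rules described in the two sections above; it is not Intune code. The setting names, the direction in which each setting is "more restrictive", the recommended values for the MAM number-entry fields, and the sample policies are all constructed for the illustration.

```python
# Added illustration of Intune's per-setting conflict rules (not Intune code).
from typing import Any, Dict, List, Tuple

# Which value of a setting counts as "more restrictive". Names are assumed,
# not Intune's real setting identifiers.
#   "true":  True is stricter (Require ... settings)
#   "false": False is stricter (Allow ... settings)
#   "high":  a larger number is stricter (minimum password length)
#   "low":   a smaller number is stricter (inactivity timeout, PIN attempts)
RESTRICTIVE_DIRECTION: Dict[str, str] = {
    "require_password": "true",
    "allow_camera": "false",
    "allow_copy_paste": "false",
    "min_password_length": "high",
    "inactivity_minutes": "low",
    "pin_attempts_before_reset": "low",
}

# Number-entry fields of an app protection (MAM) policy, with the value the
# console's "recommended settings" option would give them (assumed numbers).
MAM_NUMBER_FIELDS: Dict[str, int] = {"pin_attempts_before_reset": 5, "pin_min_length": 4}


def more_restrictive(setting: str, a: Any, b: Any) -> Any:
    """Pick the stricter of two values for one setting."""
    direction = RESTRICTIVE_DIRECTION[setting]
    if direction == "true":
        return a or b
    if direction == "false":
        return a and b
    if direction == "high":
        return max(a, b)
    return min(a, b)


def resolve_device_settings(policies: List[Dict[str, Any]]) -> Tuple[Dict[str, Any], Dict[str, list]]:
    """Device-policy rules: a compliance value beats any configuration value,
    the most restrictive compliance value wins, and configuration-vs-
    configuration conflicts are reported for the admin, not resolved."""
    effective: Dict[str, Any] = {}
    conflicts: Dict[str, list] = {}
    for setting in sorted({s for p in policies for s in p["settings"]}):
        compliance = [(p["name"], p["settings"][setting]) for p in policies
                      if p["kind"] == "compliance" and setting in p["settings"]]
        configuration = [(p["name"], p["settings"][setting]) for p in policies
                         if p["kind"] == "configuration" and setting in p["settings"]]
        if compliance:
            value = compliance[0][1]
            for _, other in compliance[1:]:
                value = more_restrictive(setting, value, other)
            effective[setting] = value
        elif len({v for _, v in configuration}) == 1:
            effective[setting] = configuration[0][1]
        else:
            conflicts[setting] = configuration  # shown in the console; resolve manually
    return effective, conflicts


def resolve_app_protection(policies: List[Dict[str, Any]]) -> Dict[str, Any]:
    """MAM rule: identical values apply as configured; differing number-entry
    fields fall back to the recommended value; any other differing setting
    takes the most restrictive value."""
    effective: Dict[str, Any] = {}
    for setting in sorted({s for p in policies for s in p["settings"]}):
        values = [p["settings"][setting] for p in policies if setting in p["settings"]]
        if len(set(values)) == 1:
            effective[setting] = values[0]
        elif setting in MAM_NUMBER_FIELDS:
            effective[setting] = MAM_NUMBER_FIELDS[setting]
        else:
            value = values[0]
            for other in values[1:]:
                value = more_restrictive(setting, value, other)
            effective[setting] = value
    return effective


# Constructed sample policies.
DEVICE_POLICIES = [
    {"name": "Compliance-A", "kind": "compliance",
     "settings": {"require_password": True, "min_password_length": 6, "inactivity_minutes": 15}},
    {"name": "Compliance-B", "kind": "compliance",
     "settings": {"min_password_length": 8, "inactivity_minutes": 5}},
    {"name": "Config-C", "kind": "configuration",
     "settings": {"allow_camera": False, "min_password_length": 4}},
    {"name": "Config-D", "kind": "configuration",
     "settings": {"allow_camera": True}},
]
MAM_POLICIES = [
    {"name": "MAM-1", "kind": "mam",
     "settings": {"allow_copy_paste": True, "pin_attempts_before_reset": 10, "pin_min_length": 4}},
    {"name": "MAM-2", "kind": "mam",
     "settings": {"allow_copy_paste": False, "pin_attempts_before_reset": 3, "pin_min_length": 4}},
]

if __name__ == "__main__":
    print(resolve_device_settings(DEVICE_POLICIES))
    print(resolve_app_protection(MAM_POLICIES))
```

Running the sample gives a minimum password length of 8 and an inactivity timeout of 5 minutes (the stricter compliance values; the configuration policy's length of 4 is ignored), while the two configuration policies' disagreement over the camera is surfaced as a conflict rather than silently resolved. For the MAM pair, copy/paste ends up blocked but the PIN-attempt count drops to the recommended value instead of the lower of the two.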

What happens when iOS custom policies conflict?


Intune does not evaluate the payload of Apple Configuration files or a custom Open Mobile Alliance Uniform
Resource Identifier (OMA-URI) profile. It merely serves as the delivery mechanism.
When you assign a custom profile, ensure that the configured settings do not conflict with compliance,
configuration, or other custom policies. In the case of a custom profile with settings conflicts, the order in which
settings are applied is random.

What happens when a profile is deleted or no longer applicable?


When you delete a profile, or you remove a device from a group to which a profile was assigned, the profile and
settings will be removed from the device according to the following lists.
Enrolled devices
Wi-Fi, VPN, certificate, and email profiles: These profiles are removed from all supported enrolled devices.
All other profile types:
Windows and Android devices: Settings are not removed from the device.
Windows Phone 8.1 devices: The following settings are removed:
Require a password to unlock mobile devices
Allow simple passwords
Minimum password length
Required password type
Password expiration (days)
Remember password history
Number of repeated sign-in failures to allow before the device is wiped
Minutes of inactivity before password is required
Required password type minimum number of character sets
Allow camera
Require encryption on mobile device
Allow removable storage
Allow web browser
Allow application store
Allow screen capture
Allow geolocation
Allow Microsoft account
Allow copy and paste
Allow Wi-Fi tethering
Allow automatic connection to free Wi-Fi hotspots
Allow Wi-Fi hotspot reporting
Allow factory reset
Allow Bluetooth
Allow NFC
Allow Wi-Fi
iOS: All settings are removed, except:
Allow voice roaming
Allow data roaming
Allow automatic synchronization while roaming

I changed a device restriction profile, but the changes haven't taken effect
Windows Phone devices do not allow security policies set via MDM or EAS to be made less restrictive once they have
been applied. For example, you set Minimum password length to 8 and then try to reduce it to 4. The more
restrictive profile has already been applied to the device, so the weaker value is not accepted.
Depending on the device platform, if you want to change the profile to a less secure value you may need to reset
security policies. For example, in Windows, on the desktop swipe in from the right to open the Charms bar and choose
Settings > Control Panel. Select the User Accounts applet. In the left-hand navigation menu, there is a Reset
Security Policies link at the bottom. Choose it and then choose the Reset Policies button. Other MDM devices,
such as Android, Windows Phone 8.1 and later, and iOS, may need to be retired and re-enrolled into the service
before you can apply a less restrictive profile.
Next steps
If this troubleshooting information didn't help you, contact Microsoft Support as described in How to get support
for Microsoft Intune.
What is device compliance in Intune?
6/19/2017

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

Device compliance policies in Intune define the rules and settings that a device must comply with in order to be
considered compliant by Intune and EMS conditional access policies. You can also use device compliance policies
to monitor and remediate compliance issues with devices.
These rules include the following:
Use a password to access devices
Encryption
Whether the device is jail-broken or rooted
Minimum OS version required
Maximum OS version allowed
Require the device to be at or under the Mobile Threat Defense level

How should I use a device compliance policy?


Using EMS conditional access
You can use compliance policy with EMS conditional access to allow only devices that comply with one or more
device compliance policy rules to access email and other corporate resources.
Not using EMS conditional access
You can also use device compliance policies independently of EMS conditional access. When you use compliance
policies independently, the targeted devices are evaluated and reported with their compliance status. For example,
you can get a report on how many devices are not encrypted, or which devices are jail-broken or rooted. But
when you use compliance policies independently, no access restrictions to company resources are in place.
You deploy compliance policy to users. When a compliance policy is deployed to a user, the user's devices are
checked for compliance. To learn about how long it takes for mobile devices to get a policy after the policy is
deployed, see Manage settings and features on your devices.

Intune classic admin console vs. Intune on the Azure portal


If you have been using the Intune classic admin console, note the following differences to help transition to the
new device compliance policy work-flow in the Azure portal:
In the Azure portal, the compliance policies are created separately for each supported platform. In the Intune
Admin console, one compliance policy was common to all supported platforms.

Migration from Intune classic console to Intune on the Azure portal


Device compliance policies created in the Intune classic console will not appear in the new Intune Azure portal.
However, they'll still be targeted to users and manageable via the Intune classic console.
If you want to take advantage of the new device compliance related features in the Intune Azure portal, you'll
need to create new device compliance policies in the Intune Azure portal itself. If you assign a new device
compliance policy in the Intune Azure portal to a user who has also been assigned a device compliance
policy from the Intune classic portal, the device compliance policies from the Intune Azure portal take
precedence over the ones created in the Intune classic console.

Next steps
Get started on device compliance policies
Get started with device compliance in Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

In this topic, you'll learn the following:
What you need before you can start creating a device compliance policy.
A quick glance at what you can see and do in the Intune Azure portal.
If you're not familiar with device compliance, you may want to read this topic to learn what device compliance is,
and how you might use it in your organization.

Pre-requisites
A subscription to Intune
A subscription to Azure Active Directory

Supported Platforms:
Android
iOS
Windows 8.1
Windows Phone 8.1
Windows 10

Azure portal workflow


Here is an overview of how you can create and manage device compliance in the Intune Azure portal.
Manage
You can create, edit and delete compliance policies. You will also be able to assign policies to users from here.
Setup
Compliance status validity period

Next steps
Create a compliance policy for Android
Create a compliance policy for Android for work
Create a compliance policy for iOS
Create a compliance policy for Windows
How to create a device compliance policy for
Android devices in Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

Device compliance policies are created for each platform from the Intune Azure portal.
To learn more about what a compliance policy is, see the What is device compliance topic.
To learn about the prerequisites that you need to address before creating a compliance policy, see the Get started
with device compliance topic.

To create a device compliance policy


1. From the Intune blade, choose Set Device compliance. Under Manage, choose All device compliance
policies, and choose Create.
2. Type a name, description and choose the platform that you want this policy to apply to.
3. Choose Compliance requirements to specify the Security, Device health, and Device property settings.
When you are done, choose OK.

To assign user groups


To assign a compliance policy to users, choose a policy that you have configured. Existing policies can be found in
the Compliance policies blade.
1. Choose the policy and choose Assignments. This opens the blade where you can select Azure Active
Directory security groups and assign them to the policy.
2. Choose Select groups to open the blade that displays the Azure AD security groups. Here you can find the
security groups in your Azure Active Directory. You can select the user groups you want this policy to apply to
and choose Select. Choosing Select deploys the policy to users.
You have applied the policy to users. The devices used by the users who are targeted by the policy will be
evaluated for compliance.

Device health and security settings


Device must not be jailbroken or rooted : If you enable this setting, jailbroken devices will be evaluated as
noncompliant.
Require that devices prevent installation of apps from unknown sources (Android 4.0 or later): To
block devices that have Security > Unknown sources enabled on the device, enable this setting and set it to
Yes.
Important
Side-loading applications require that the Unknown sources setting is enabled. Enforce this compliance policy
only if you are not side-loading Android apps on devices.
Require that USB debugging is disabled (Android 4.2 or later): This setting detects whether the USB debugging
option is enabled on the device; a device with it enabled is evaluated as noncompliant.
Require devices have enabled Scan device for security threats (Android 4.2-4.4): This setting requires
that the Verify apps feature is enabled on the device.
Minimum Android security patch level (Android 6.0 or later): Use this setting to specify the minimum
Android patch level. Devices that are not at least at this patch level will be noncompliant. The date must be
specified in the format YYYY-MM-DD.
Require device threat protection to be enabled : Use this setting to take the risk assessment from the
Lookout MTP solution as a condition for compliance. Choose the maximum allowed threat level, which is one of
the following:
None (secured): This is the most secure. This means that the device cannot have any threats. If the
device is detected as having any level of threats, it will be evaluated as noncompliant.
Low : The device is evaluated as compliant if only low-level threats are present. Anything higher puts the
device in a noncompliant status.
Medium : The device is evaluated as compliant if the threats that are present on the device are low or
medium level. If the device is detected to have high-level threats, it is determined to be noncompliant.
High : This is the least secure. Essentially, this allows all threat levels. Perhaps it is useful if you are using
this solution only for reporting purposes.
For more details, see Enable device threat protection rule in the compliance policy.

System security settings


Password
Require a password to unlock mobile devices : Set this to Yes to require users to enter a password before
they can access their device.
Minimum password length : Specify the minimum number of digits or characters that the user's password
must have.
Password quality : This setting detects if the password requirements that you specify are set up on the device.
Enable this setting to require that users meet certain password requirements for Android devices. Choose from:
Low security biometric
Required
At least numeric
At least alphabetic
At least alphanumeric
Alphanumeric with symbols
Minutes of inactivity before password is required : Specify the idle time before the user must reenter their
password.
Password expiration (days): Select the number of days before the password expires and they must create a
new one.
Remember password history : Use this setting together with Prevent reuse of previous passwords to
restrict the user from creating previously used passwords.
Prevent reuse of previous passwords : If you selected Remember password history , specify the number of
previously used passwords that cannot be reused.
Require a password when the device returns from an idle state : Use this setting together with the
Minutes of inactivity before password is required setting. The user is prompted to enter a password to
access a device that has been inactive for the time specified in the Minutes of inactivity before password is
required setting.
Encryption
Require encryption on mobile device : Set this to Yes to require devices to be encrypted in order to connect
to resources. Devices are encrypted when you choose the setting Require a password to unlock mobile
devices.

Device property settings


Minimum OS required : When a device does not meet the minimum OS version requirement, it is reported as
noncompliant. A link with information on how to upgrade is shown. The user can choose to upgrade their
device, after which they can access company resources.
Maximum OS version allowed : When a device is using an OS version later than the one specified in the rule,
access to company resources is blocked and the user is asked to contact their IT admin. Until there is a change
in rules to allow the OS version, this device cannot be used to access company resources.
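The following is an added example, not Intune code, of how the Android device health, security and device property rules above can be evaluated against a device's reported properties. The property names, the threat-level ordering (None (secured) below Low below Medium below High), the policy dictionary and the sample devices are constructed for the illustration; Intune's internal representation is not on the page.

```python
# Added illustration of Android compliance evaluation (not Intune code).
from datetime import date
from typing import Any, Dict, List

# "None (secured)" < Low < Medium < High: the ordering the threat-level setting implies.
THREAT_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


def parse_version(version: str) -> tuple:
    """'7.1.1' -> (7, 1, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def evaluate_android(device: Dict[str, Any], policy: Dict[str, Any]) -> List[str]:
    """Return the reasons the device is noncompliant; an empty list means compliant."""
    reasons: List[str] = []

    if policy.get("block_rooted") and device["rooted"]:
        reasons.append("device is rooted")
    if policy.get("require_unknown_sources_blocked") and device["unknown_sources_enabled"]:
        reasons.append("installation from unknown sources is enabled")
    if policy.get("require_usb_debugging_disabled") and device["usb_debugging_enabled"]:
        reasons.append("USB debugging is enabled")

    # Minimum security patch level, given as YYYY-MM-DD. Parsing as a date
    # rejects malformed values instead of silently comparing strings.
    min_patch = policy.get("min_security_patch")
    if min_patch and date.fromisoformat(device["security_patch"]) < date.fromisoformat(min_patch):
        reasons.append(f"security patch {device['security_patch']} is older than {min_patch}")

    # Maximum allowed threat level from the MTP solution.
    max_threat = policy.get("max_threat_level")
    if max_threat and THREAT_RANK[device["threat_level"]] > THREAT_RANK[max_threat]:
        reasons.append(f"threat level {device['threat_level']} exceeds allowed {max_threat}")

    os_version = parse_version(device["os_version"])
    if policy.get("min_os") and os_version < parse_version(policy["min_os"]):
        reasons.append(f"OS {device['os_version']} is below minimum {policy['min_os']}")
    if policy.get("max_os") and os_version > parse_version(policy["max_os"]):
        reasons.append(f"OS {device['os_version']} is above maximum {policy['max_os']}")
    return reasons


# Constructed policy and sample devices.
POLICY = {
    "block_rooted": True,
    "require_unknown_sources_blocked": True,
    "require_usb_debugging_disabled": True,
    "min_security_patch": "2017-05-01",
    "max_threat_level": "low",
    "min_os": "7.0",
    "max_os": "8.1",
}
GOOD_DEVICE = {"os_version": "8.0.0", "security_patch": "2017-06-05", "rooted": False,
               "unknown_sources_enabled": False, "usb_debugging_enabled": False, "threat_level": "low"}
BAD_DEVICE = {"os_version": "6.0.1", "security_patch": "2017-03-01", "rooted": True,
              "unknown_sources_enabled": True, "usb_debugging_enabled": False, "threat_level": "medium"}
TOO_NEW_DEVICE = dict(GOOD_DEVICE, os_version="9.0")

if __name__ == "__main__":
    for name, dev in [("good", GOOD_DEVICE), ("bad", BAD_DEVICE), ("too new", TOO_NEW_DEVICE)]:
        print(name, evaluate_android(dev, POLICY) or "compliant")
```

The version tuple comparison matters: comparing "10.0" and "9.0" as strings would put 10 below 9. The same applies to the patch level, which is why the date is parsed rather than compared as text, and a value not in YYYY-MM-DD form raises immediately instead of producing a wrong verdict.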

How do noncompliant settings work with conditional access policies?

The table below describes how noncompliant settings are handled when a compliance policy is used with a
conditional access policy.

POLICY SETTING                   ANDROID 4.0 AND LATER, SAMSUNG KNOX STANDARD 4.0 AND LATER
PIN or password configuration    Quarantined
Device encryption                Quarantined
Jailbroken or rooted device      Quarantined (not a setting)
Email profile                    Not applicable
Minimum OS version               Quarantined
Maximum OS version               Quarantined
Windows health attestation       Not applicable

Remediated = The device operating system enforces compliance. (For example, the user is forced to set a PIN.)
Quarantined = The device operating system does not enforce compliance. (For example, Android devices do not
force the user to encrypt the device.) When the device is not compliant, the following actions take place:
The device is blocked if a conditional access policy applies to the user.
The company portal notifies the user about any compliance problems.
How to create a device compliance policy for
Android for Work devices in Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

Compliance policies are created for each platform. You can create a compliance policy in the Azure portal. To learn
more about what a compliance policy is, see the What is device compliance topic. To learn about the prerequisites
that you need to address before creating a compliance policy, see the Get started with device compliance topic.
The table below describes how noncompliant settings are handled when a compliance policy is used with a
conditional access policy.

POLICY SETTING                   ANDROID FOR WORK
PIN or password configuration    Quarantined
Device encryption                Quarantined
Jailbroken or rooted device      Quarantined (not a setting)
Email profile                    Not applicable
Minimum OS version               Quarantined
Maximum OS version               Quarantined
Windows health attestation       Not applicable

Remediated = The device operating system enforces compliance. (For example, the user is forced to set a PIN.)
Quarantined = The device operating system does not enforce compliance. (For example, Android devices do not
force the user to encrypt the device.) When the device is not compliant, the following actions take place:
The device is blocked if a conditional access policy applies to the user.
The company portal notifies the user about any compliance problems.

Create a compliance policy in the Azure portal


1. From the Intune blade, choose Set Device compliance. Under Manage, choose All device compliance
policies and choose Create.
2. Type a name, description and choose the platform that you want this policy to apply to.
3. Choose Compliance requirements to specify the Security, Device health, and Device property settings.
When you are done, choose OK.
Assign user groups
To assign a compliance policy to users, choose a policy that you have configured. Existing policies can be found in
the Compliance policy blade.
1. Choose the policy you want to assign to users and choose Assignments. This opens the blade where you can
select Azure Active Directory security groups and assign them to the policy.
2. Choose Select groups to open the blade that displays the Azure AD security groups. Choosing Select deploys
the policy to users.
You have applied the policy to users. The devices used by the users who are targeted by the policy will be evaluated
for compliance.

System security settings


Password
Require a password to unlock mobile devices: Set this to Yes to require users to enter a password before
they can access their device.
Minimum password length: Specify the minimum number of digits or characters that the password must
contain.
Password quality: This setting detects if the password requirements you specify is configured on the device.
Enable this setting to require that users configure certain password requirements for Android devices. Choose
from:
Low security biometric
Required
At least numeric
At least alphabetic
At least alphanumeric
Alphanumeric with symbols
Minutes of inactivity before password is required: Specifies the idle time before the user must re-enter
their password.
Password expiration (days): Select the number of days before the user's password expires and they must
create a new one.
Remember password history: Use this setting in conjunction with Prevent reuse of previous passwords to
restrict the user from creating previously used passwords.
Prevent reuse of previous passwords: If Remember password history is selected, specify the number of
previously used passwords that cannot be re-used.
Require a password when the device returns from an idle state: This setting should be used together with
the in the Minutes of inactivity before password is required setting. The end-users are prompted to enter a
password to access a device that has been inactive for the time specified in the Minutes of inactivity before
password is required setting.
Encryption
Require encryption on mobile device: You don't have to configure this setting since Android for Work
devices enforce encryption.

Device health and security settings


Device must not be jailbroken or rooted: If you enable this setting, jailbroken devices will be evaluated as
noncompliant.
Require that devices prevent installation of apps from unknown sources: You do not have to configure
this setting, as Android for Work devices always restrict installation from unknown sources.
Require that USB debugging is disabled: You do not have to configure this setting, as USB debugging is
already disabled on Android for Work devices.
Minimum Android security patch level: Use this setting to specify the minimum Android patch level. Devices
that are not at least at this patch level will be noncompliant. The date must be specified in the format
YYYY-MM-DD.
Require device threat protection to be enabled : Use this setting to take the risk assessment from the
Lookout MTP solution as a condition for compliance. Select the maximum allowed threat level, which is one of
the following:
None (secured) This is the most secure. This means that the device cannot have any threats. If the
device is detected as having any level of threats, it will be evaluated as non-compliant.
Low: Device is evaluated as compliant if only low level threats are present. Anything higher puts the
device in a non-compliant status.
Medium: Device is evaluated as compliant if the threats that are present on the device are low or
medium level. If the device is detected to have high level threats, it is determined as non-compliant.
High: This is the least secure. Essentially, this allows all threat levels. Perhaps it is useful if you are using
this solution only for reporting purposes.
For more details, see Enable device threat protection rule in the compliance policy.

Device property settings


Minimum OS required: When a device does not meet the minimum OS version requirement, it is reported as
noncompliant. A link with information on how to upgrade is displayed. The end-user can choose to upgrade
their device after which they can access company resources.
Maximum OS version allowed: When a device is using an OS version later than the one specified in the rule,
access to company resources is blocked and the user is asked to contact their IT admin. Until there is a change in
rule to allow the OS version, this device cannot be used to access company resources.
How to create a device compliance policy for iOS
devices in Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

Compliance policies are created for each platform. You can create a compliance policy in the Azure portal. To learn
more about what a compliance policy is, see the What is device compliance topic. To learn about the prerequisites
that you need to address before creating a compliance policy, see the Get started with device compliance topic.
The table below describes how noncompliant settings are handled when a compliance policy is used with a
conditional access policy.

POLICY SETTING                   IOS 8.0 AND LATER
PIN or password configuration    Remediated
Device encryption                Remediated (by setting PIN)
Jailbroken or rooted device      Quarantined (not a setting)
Email profile                    Quarantined
Minimum OS version               Quarantined
Maximum OS version               Quarantined
Windows health attestation       Not applicable

Remediated = The device operating system enforces compliance. (For example, the user is forced to set a PIN.)
Quarantined = The device operating system does not enforce compliance. (For example, Android devices do not
force the user to encrypt the device.) When the device is not compliant, the following actions take place:
The device is blocked if a conditional access policy applies to the user.
The company portal notifies the user about any compliance problems.

Create a compliance policy in the Azure portal


1. From the Intune blade, choose Set Device compliance. Under Manage, choose All device compliance
policies and choose Create.
2. Type a name, description and choose the platform that you want this policy to apply to.
3. Choose Compliance requirements to specify the Security, Device health, and Device property settings.
When you are done, choose OK.
Assign user groups
To assign a compliance policy to users, choose a policy that you have configured. Existing policies can be found in
the Compliance policies blade.
1. Choose the policy you want to assign to users and choose Assignments. This opens the blade where you can
select Azure Active Directory security groups and assign them to the policy.
2. Choose Select groups to open the blade that displays the Azure AD security groups. Choosing Select deploys
the policy to users.
You have applied the policy to users. The devices used by the users who are targeted by the policy will be evaluated
for compliance.

System security settings


Password
Require a password to unlock mobile devices : Set this to Yes to require the user to enter a password
before they can access their device. iOS devices that use a password are encrypted.
Allow simple passwords : Set this to Yes to let the user create a simple password like 1234 or 1111.
Minimum password length : Specify the minimum number of digits or characters that the password must
have.
Required password type : Specify whether the user must create an Alphanumeric password or a Numeric
password.
Minimum number of character sets : If you set Required password type to Alphanumeric , use this setting
to specify the minimum number of character sets that the password must have. The four character sets are:
Lowercase letters
Uppercase letters
Symbols
Numbers
Setting a higher number will require the user to create a password that is more complex.
For iOS devices, this setting refers to the number of special characters (for example, ! , # , & ) that must be included
in the password.
Minutes of inactivity before password is required : Specify the idle time before the user must reenter their
password.
Password expiration (days): Select the number of days before the password expires and they must create a
new one.
Remember password history : Use this setting in conjunction with Prevent reuse of previous passwords to
restrict the user from creating previously used passwords.
Prevent reuse of previous passwords : If you selected Remember password history , specify the number of
previously used passwords that cannot be reused.
Require a password when the device returns from an idle state : Use this setting together with the
Minutes of inactivity before password is required setting. The user is prompted to enter a password to
access a device that has been inactive for the time specified in the Minutes of inactivity before password is
required setting.
Email profile
Email account must be managed by Intune : When this option is set to Yes , the device must use the email
profile deployed to the device. The device is considered noncompliant in the following situations:
The email profile is deployed to a user group other than the user group that the compliance policy
targets.
The user has already set up an email account on the device that matches the Intune email profile
deployed to the device. Intune cannot overwrite the user-provisioned profile, and therefore cannot
manage it. To ensure compliance, the user must remove the existing email settings. Then, Intune can
install the managed email profile.
Select the email profile that must be managed by Intune : If the Email account must be managed by
Intune setting is selected, choose Select to specify the Intune email profile. The email profile must be present
on the device.
For details about email profile, see Configure access to corporate email using email profiles with Microsoft Intune.

Device health settings


Device must not be jailbroken or rooted : If you enable this setting, jailbroken devices will not be compliant.

Device properties
Minimum OS required : When a device does not meet the minimum OS version requirement, it is reported as
noncompliant. A link with information on how to upgrade appears. The user can choose to upgrade their device.
After that, they can access company resources.
Maximum OS version allowed : When a device is using an OS version later than the one specified in the rule,
access to company resources is blocked and the user is asked to contact their IT admin. Until there is a change in
rule to allow the OS version, this device cannot be used to access company resources.
How to create a device compliance policy for
Windows devices in Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

Compliance policies are created for each platform. You can create a compliance policy in the Azure portal. To learn
more about what a compliance policy is, see the What is device compliance topic. To learn about the prerequisites
that you need to address before creating a compliance policy, see the Get started with device compliance topic.
The table below describes how noncompliant settings are handled when a compliance policy is used with a
conditional access policy.

POLICY SETTING                   WINDOWS 8.1 AND LATER            WINDOWS PHONE 8.1 AND LATER
PIN or password configuration    Remediated                       Remediated
Device encryption                Not applicable                   Remediated
Jailbroken or rooted device      Not applicable                   Not applicable
Email profile                    Not applicable                   Not applicable
Minimum OS version               Quarantined                      Quarantined
Maximum OS version               Quarantined                      Quarantined
Windows health attestation       Quarantined: Windows 10 and Windows 10 Mobile; Not applicable: Windows 8.1

Remediated = The device operating system enforces compliance. (For example, the user is forced to set a PIN.)
Quarantined = The device operating system does not enforce compliance. (For example, Android devices do not
force the user to encrypt the device.) When the device is not compliant, the following actions take place:
The device is blocked if a conditional access policy applies to the user.
The company portal notifies the user about any compliance problems.

Create a compliance policy in the Azure portal


1. From the Intune blade, choose Set Device compliance. Under Manage, choose All device compliance
policies and choose Create.
2. Type a name, description and choose the platform that you want this policy to apply to.
3. Choose Compliance requirements to open the compliance requirements blade. You can specify the Security,
Device health, and Device property settings here. When you are done, choose OK.
Assign user groups
To assign a compliance policy to users, choose a policy that you have configured. Existing policies can be found in
the Compliance policies blade.
1. Choose the policy you want to assign to users and choose Assignments. This opens the blade where you can
select Azure Active Directory security groups and assign them to the policy.
2. Choose Select groups to open the blade that displays the Azure AD security groups. Choosing Select deploys
the policy to users.
You have applied the policy to users. The devices used by the users who are targeted by the policy will be evaluated
for compliance.

System security settings


Password
Require a password to unlock mobile devices: Set this to Yes to require users to enter a password before
they can access their device.
Allow simple passwords: Set this to Yes to let users create simple passwords such as '1234' or '1111'.
Minimum password length: Specify the minimum number of digits or characters that the user's password
must contain.
Required password type: Specify whether users must create an Alphanumeric , or a Numeric password.
For devices that run Windows and accessed with a Microsoft account, the compliance policy will fail to evaluate
correctly if minimum password length is greater than eight characters or if minimum number of character sets is
more than two.
Minimum number of character sets: If Required password type is set to Alphanumeric , this setting
specifies the minimum number of character sets that the password must contain. The four character sets are:
Lowercase letters
Uppercase letters
Symbols
Numbers
Setting a higher number for this setting will require users to create passwords that are more complex.
Minutes of inactivity before password is required: Specifies the idle time before the user must re-enter
their password.
Password expiration (days): Select the number of days before the user's password expires and they must
create a new one.
Remember password history: Use this setting in conjunction with Prevent reuse of previous passwords to
restrict the user from creating previously used passwords.
Prevent reuse of previous passwords: If Remember password history is selected, specify the number of
previously used passwords that cannot be re-used.
Require a password when the device returns from an idle state: This setting should be used together with
the Minutes of inactivity before password is required setting. The end users are prompted to enter a
password to access a device that has been inactive for the time specified in the Minutes of inactivity before
password is required setting.
This setting only applies to Windows 10 Mobile devices.
Encryption
Require encryption on mobile device: Set this to Yes to require the device to be encrypted in order to
connect to resources.

Device health settings


Require devices to be reported as healthy: You can set a rule to require that Windows 10 Mobile devices
must be reported as healthy in new or existing Compliance Policies. If this setting is enabled, Windows 10
devices are evaluated via the Health Attestation Service (HAS) for the following data points:
BitLocker is enabled: When BitLocker is on, the device is able to protect data that is stored on the drive
from unauthorized access, when the system is turned off or goes to hibernation. Windows BitLocker
Drive Encryption encrypts all data stored on the Windows operating system volume. BitLocker uses the
TPM to help protect the Windows operating system and user data and helps to ensure that a computer is
not tampered with, even if it is left unattended, lost, or stolen. If the computer is equipped with a
compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the
keys cannot be accessed until the TPM has verified the state of the computer.
Code integrity is enabled: Code integrity is a feature that validates the integrity of a driver or system
file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file
is being loaded into the kernel, or whether a system file has been modified by malicious software that is
being run by a user account with administrator privileges.
Secure Boot is enabled: When Secure Boot is enabled, the system is forced to boot to a factory trusted
state. Also, when Secure Boot is enabled, the core components used to boot the machine must have
correct cryptographic signatures that are trusted by the organization that manufactured the device. The
UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking
their signature, the system will not boot.
For information on how the HAS service works, see Health Attestation CSP.

Device property settings


Minimum OS required: When a device does not meet the minimum OS version requirement, it is reported as
noncompliant. A link with information on how to upgrade is displayed. The end user can choose to upgrade
their device after which they can access company resources.
Maximum OS version allowed: When a device is using an OS version later than the one specified in the rule,
access to company resources is blocked and the user is asked to contact their IT admin. Until there is a change in
rule to allow the OS version, this device cannot be used to access company resources.

System security settings


Password
Minimum password length: Supported on Windows 8.1.
Specify the minimum number of digits or characters that the user's password must contain.
For devices that are accessed with a Microsoft Account, the compliance policy will fail to evaluate correctly if
Minimum password length is greater than 8 characters or if Minimum number of character sets is more than
two.
Required password type: Supported on Windows RT, Windows RT 8.1, and Windows 8.1.
Specify whether users must create an Alphanumeric or a Numeric password.
Minimum number of character sets: Supported on Windows RT, Windows RT 8.1, and Windows 8.1. If
Required password type is set to Alphanumeric, this setting specifies the minimum number of character
sets that the password must contain. The four character sets are:
Lowercase letters
Uppercase letters
Symbols
Numbers
Setting a higher number for this setting will require users to create passwords that are more complex.
For devices that are accessed with a Microsoft Account, the compliance policy will fail to evaluate correctly if
Minimum password length is greater than 8 characters or if Minimum number of character sets is more than
two.
Minutes of inactivity before password is required: Supported on Windows RT, Windows RT 8.1, and
Windows 8.1.
Specify the idle time before the user must re-enter their password.
Password expiration (days): Supported on Windows RT, Windows RT 8.1, and Windows 8.1.
Select the number of days before the user's password expires and they must create a new one.
Remember password history: Supported on Windows RT, Windows RT 8.1, and Windows 8.1.
Use this setting in conjunction with Prevent reuse of previous passwords to restrict the user from creating
previously used passwords.
Prevent reuse of previous passwords: Supported on Windows RT, Windows RT 8.1, and Windows 8.1.
If Remember password history is selected, specify the number of previously used passwords that cannot be
re-used.

Device health settings


Require devices to be reported as healthy: Supported on Windows 10 devices. You can set a rule to
require that Windows 10 devices be reported as healthy in new or existing compliance policies. If this
setting is enabled, Windows 10 devices are evaluated via the Health Attestation Service (HAS) for the following
data points:
BitLocker is enabled: When BitLocker is on, the device is able to protect data that is stored on the drive
from unauthorized access, when the system is turned off or goes to hibernation. Windows BitLocker
Drive Encryption encrypts all data stored on the Windows operating system volume. BitLocker uses the
TPM to help protect the Windows operating system and user data and helps to ensure that a computer is
not tampered with, even if it is left unattended, lost, or stolen. If the computer is equipped with a
compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the
keys cannot be accessed until the TPM has verified the state of the computer.
Code integrity is enabled: Code integrity is a feature that validates the integrity of a driver or system
file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file
is being loaded into the kernel, or whether a system file has been modified by malicious software that is
being run by a user account with administrator privileges.
Secure Boot is enabled: When Secure Boot is enabled, the system is forced to boot to a factory trusted
state. Also, when Secure Boot is enabled, the core components used to boot the machine must have
correct cryptographic signatures that are trusted by the organization that manufactured the device. The
UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking
their signature, the system will not boot.
Early-launch antimalware is enabled: Early launch antimalware (ELAM) provides protection for the
computers in your network when they start up and before third-party drivers initialize.
For information on how the HAS service works, see Health Attestation CSP.

Device property settings


Minimum OS required: Supported on Windows 8.1, and Windows 10.
Specify the major.minor.build number here. The version number must correspond to the version returned by the
winver command.

When a device has an earlier version than the specified OS version, it is reported as noncompliant. A link with
information on how to upgrade is displayed. The end user can choose to upgrade their device, after which they can
access company resources.
Maximum OS version allowed: Supported on Windows 8.1, and Windows 10.
When a device is using an OS version later than the one specified in the rule, access to company resources is
blocked and the user is asked to contact their IT admin. Until there is a change in the rule to allow the OS version,
this device cannot be used to access company resources.
To find the OS version to use for the Minimum OS required and Maximum OS version allowed settings, run
the winver command from the command prompt. The winver command returns the reported version of the OS.
Windows 8.1 PCs return a version of 3. If the OS version rule is set to Windows 8.1 for Windows, then the
device is reported as noncompliant even if the device has Windows 8.1.
For PCs running Windows 10, the version should be set as "10.0" followed by the OS build number returned by the
winver command.
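As an added example (not from the Intune documentation or product), the following PowerShell models how the Windows password and OS version rules described above are evaluated; the policy values, device data and function names are constructed for illustration, and the OS version strings follow the winver "major.minor.build" convention discussed above.

```powershell
# Added example, not Intune product code: a local model of how the Windows
# password and OS version compliance rules described above are evaluated.
# The policy, the device data and the function names are all constructed
# for illustration; they are not Intune or Graph API objects.

function Get-CharacterSetCount {
    # Count how many of the four character sets (lowercase letters, uppercase
    # letters, symbols, numbers) a password draws from.
    param([string]$Password)
    $sets = 0
    if ($Password -cmatch '[a-z]')        { $sets++ }
    if ($Password -cmatch '[A-Z]')        { $sets++ }
    if ($Password -match  '[0-9]')        { $sets++ }
    if ($Password -match  '[^a-zA-Z0-9]') { $sets++ }
    return $sets
}

function Test-PasswordRuleSupported {
    # Per the caveat above: on devices signed in with a Microsoft account the
    # rule cannot be evaluated when the minimum length is greater than 8 or the
    # minimum number of character sets is greater than 2.
    param([int]$MinimumLength, [int]$MinimumCharacterSets, [bool]$MicrosoftAccount)
    if (-not $MicrosoftAccount) { return $true }
    return ($MinimumLength -le 8 -and $MinimumCharacterSets -le 2)
}

function Test-PasswordSetting {
    # Evaluate one candidate password against the policy's password settings.
    # Returns 'Compliant', 'NotCompliant' or 'Error' (rule cannot be evaluated).
    param([string]$Password, [hashtable]$Policy, [bool]$MicrosoftAccount)
    $supported = Test-PasswordRuleSupported -MinimumLength $Policy.MinimumPasswordLength `
        -MinimumCharacterSets $Policy.MinimumCharacterSets -MicrosoftAccount $MicrosoftAccount
    if (-not $supported) { return 'Error' }
    if ($Password.Length -lt $Policy.MinimumPasswordLength) { return 'NotCompliant' }
    switch ($Policy.RequiredPasswordType) {
        'Numeric' {
            if ($Password -notmatch '^[0-9]+$') { return 'NotCompliant' }
        }
        'Alphanumeric' {
            if ((Get-CharacterSetCount $Password) -lt $Policy.MinimumCharacterSets) { return 'NotCompliant' }
        }
    }
    return 'Compliant'
}

function Test-OsVersionSetting {
    # Compare the winver-style "major.minor.build" value reported by the device
    # with the rule. Below the minimum the device is reported noncompliant and
    # offered an upgrade; above the maximum it is blocked until the rule changes.
    param([string]$Reported, [string]$Minimum, [string]$Maximum)
    $v = [version]$Reported
    if ($Minimum -and $v -lt [version]$Minimum) { return 'NotCompliant: upgrade required' }
    if ($Maximum -and $v -gt [version]$Maximum) { return 'NotCompliant: contact IT admin' }
    return 'Compliant'
}

# Constructed policy: a Windows 10 rule using the "10.0" + build convention.
$policy = @{
    MinimumPasswordLength = 6
    RequiredPasswordType  = 'Alphanumeric'
    MinimumCharacterSets  = 2
    MinimumOsVersion      = '10.0.15063'
    MaximumOsVersion      = '10.0.16299'
}

# Constructed device reports (not real devices or passwords).
$devices = @(
    @{ Name = 'PC01'; Password = 'Summer2017'; MicrosoftAccount = $false; OsVersion = '10.0.15063' },
    @{ Name = 'PC02'; Password = '123456';     MicrosoftAccount = $false; OsVersion = '10.0.14393' },
    @{ Name = 'PC03'; Password = 'Pa$$w0rd';   MicrosoftAccount = $false; OsVersion = '10.0.17134' },
    @{ Name = 'PC04'; Password = 'Summer2017'; MicrosoftAccount = $true;  OsVersion = '10.0.15063' }
)

foreach ($d in $devices) {
    $pw = Test-PasswordSetting -Password $d.Password -Policy $policy -MicrosoftAccount $d.MicrosoftAccount
    $os = Test-OsVersionSetting -Reported $d.OsVersion -Minimum $policy.MinimumOsVersion -Maximum $policy.MaximumOsVersion
    "{0}: password={1}; os={2}" -f $d.Name, $pw, $os
}
```

Raising MinimumPasswordLength above 8 or MinimumCharacterSets above 2 in $policy makes PC04 (signed in with a Microsoft account) fall into the 'Error' state, which is the evaluation failure the text warns about.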
Monitor Intune Device compliance policies
6/19/2017 4 min to read

Compliance reports help admins to analyze the compliance posture of devices in their organization, and quickly
troubleshoot compliance related issues encountered by users inside their organization. You can view information
about the overall compliance state of devices, compliance state for an individual setting, compliance state for an
individual policy and drill down into individual devices to view specific settings and policies that affect the device.

Before you begin


Follow the steps below to find the Intune Device compliance dashboard in the Azure portal:
1. Go to the Azure Portal, and sign in with your Intune credentials.
2. Choose More services from the left menu, then type Intune in the text box filter.
3. Choose Intune > Device compliance > Overview, then the Device compliance dashboard opens.

IMPORTANT
Devices must be enrolled into Intune to receive device compliance policies.

Device compliance dashboard


In the Device compliance dashboard, you can monitor the Device compliance policy states, which provides
different reports within different tiles that give you the compliance posture of devices in your organization. You can
view the following reports:
Overall device compliance aggregate
Per-policy device compliance
Per-setting device compliance
You can also view the specific compliance policies and settings that apply to an individual device, and the final
compliance state for each of those settings on the device.
Overall device compliance aggregate report
It's a donut chart showing the aggregate compliance state for all Intune enrolled devices. The device compliance
states are kept in two different databases, Intune and Azure Active Directory. Here are more details about the device
compliance policy states:
Compliant: The device successfully applied one or more device compliance policy settings targeted by the
admin.
Not-compliant: The device failed to apply one or more device compliance policy settings targeted by the
admin, or the user hasn't complied with the policies targeted by the admin.
In-grace period: The device was targeted by the admin with one or more device compliance policy settings,
but the user hasn't applied the policies yet, which means the device is not-compliant, but it's in the grace
period defined by the admin.
Learn more about Actions for non-compliant devices.
Device not synced: The device failed to report its device compliance policy status because of one of the
following:
Unknown: The device is offline or failed to communicate with Intune or Azure AD for other reasons.
Error: The device failed to communicate with Intune and Azure AD, and received an error message
with the reason.

IMPORTANT
Devices that are enrolled into Intune, but not targeted by any device compliance policies will be included in this report under
the Compliant bucket.
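The bucket rules above, modelled in an added PowerShell example that is not Intune code; the device record layout and function names are invented for this example, and the fleet is constructed sample data.

```powershell
# Added example, not Intune product code: computes the overall device
# compliance aggregate shown on the dashboard from a constructed device list,
# applying the bucket rules described above. Record fields and function names
# are invented for this example; they are not Intune or Graph API schema.

function Get-DeviceComplianceState {
    # Assign one device record to a dashboard bucket.
    param([hashtable]$Device, [datetime]$Now)

    # A device that never reported back is "not synced": Error when it received
    # an error message with a reason, otherwise Unknown (offline or unreachable).
    if (-not $Device.Synced) {
        if ($Device.LastError) { return 'Error' }
        return 'Unknown'
    }
    # Enrolled but not targeted by any compliance policy: counted as Compliant.
    if (-not $Device.TargetedPolicies -or $Device.TargetedPolicies.Count -eq 0) { return 'Compliant' }
    # Every targeted setting applied successfully.
    if (-not $Device.FailedSettings -or $Device.FailedSettings.Count -eq 0) { return 'Compliant' }
    # Failed settings, but still inside the grace period the admin defined.
    if ($Device.GracePeriodEnds -and $Now -lt $Device.GracePeriodEnds) { return 'In Grace period' }
    return 'Not Compliant'
}

function Get-ComplianceAggregate {
    # Counts per bucket, in the order the chart lists them.
    param([hashtable[]]$Devices, [datetime]$Now = (Get-Date))
    $buckets = [ordered]@{
        'Compliant' = 0; 'Not Compliant' = 0; 'In Grace period' = 0; 'Unknown' = 0; 'Error' = 0
    }
    foreach ($d in $Devices) {
        $state = Get-DeviceComplianceState -Device $d -Now $Now
        $buckets[$state] = $buckets[$state] + 1
    }
    return $buckets
}

function Find-ComplianceDevice {
    # Mirrors the dashboard filter fly-out: narrow the drill-down by platform
    # and/or compliance status, returning the per-device rows.
    param([hashtable[]]$Devices, [datetime]$Now, [string[]]$Platform, [string[]]$Status)
    foreach ($d in $Devices) {
        $state = Get-DeviceComplianceState -Device $d -Now $Now
        if ($Platform -and $d.Platform -notin $Platform) { continue }
        if ($Status   -and $state -notin $Status)        { continue }
        [pscustomobject]@{ Name = $d.Name; User = $d.User; Platform = $d.Platform; Model = $d.Model; State = $state }
    }
}

# Constructed fleet (no real devices, users or models).
$now   = Get-Date '2017-06-19'
$fleet = @(
    @{ Name = 'iOS-01'; User = 'alice@contoso.example'; Platform = 'iOS'; Model = 'Phone A'
       Synced = $true; TargetedPolicies = @('iOS baseline'); FailedSettings = @(); GracePeriodEnds = $null },
    @{ Name = 'AND-02'; User = 'bob@contoso.example'; Platform = 'Android'; Model = 'Phone B'
       Synced = $true; TargetedPolicies = @('Android baseline'); FailedSettings = @('Encryption')
       GracePeriodEnds = $now.AddDays(3) },
    @{ Name = 'WIN-03'; User = 'carol@contoso.example'; Platform = 'Windows'; Model = 'Laptop C'
       Synced = $true; TargetedPolicies = @('Windows 10'); FailedSettings = @('Minimum OS required')
       GracePeriodEnds = $now.AddDays(-1) },
    @{ Name = 'MAC-04'; User = 'dave@contoso.example'; Platform = 'Mac OS'; Model = 'Laptop D'
       Synced = $true; TargetedPolicies = @(); FailedSettings = @(); GracePeriodEnds = $null },
    @{ Name = 'WP-05';  User = 'erin@contoso.example'; Platform = 'Windows Phone'; Model = 'Phone E'
       Synced = $false; LastError = $null },
    @{ Name = 'iOS-06'; User = 'frank@contoso.example'; Platform = 'iOS'; Model = 'Phone F'
       Synced = $false; LastError = 'Could not reach Azure AD: token expired' }
)

# Aggregate for the donut chart, then a drill-down like the filtered chart view.
Get-ComplianceAggregate -Devices $fleet -Now $now
Find-ComplianceDevice -Devices $fleet -Now $now -Platform @('iOS', 'Android') -Status @('Not Compliant', 'In Grace period', 'Error') |
    Format-Table -AutoSize
```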

Drill-down option
From the Device compliance dashboard, if you click on the Device compliance tile, you can drill down into a
specific compliance status, user's e-mail alias, device model, and location for each device that was targeted by
the device compliance policies.

If you need more details about a specific user, you can filter the Device compliance chart report by typing the user's
e-mail alias.
You can also click the different compliance statuses on the Device compliance chart to see more details about the
compliance policy statuses of the user's devices.

Filter
If you click on the Filter button, the filter fly-out opens with the following options:
Model
Textbox accepting free search string
Platform
Android
iOS
Mac OS
Windows
Windows Phone
Status
Compliant
Not Compliant
In Grace period
Unknown
Error
When you click the Update button, the fly-out closes and the results update according to the selected filter
criteria.
Device details

Clicking on a device opens the Devices blade with the device selected. This provides more details on the device
compliance policy settings applied to that device.

When you click on a device policy setting itself, you can see the name of the device compliance policy (targeted by
the admin) from which that compliance setting originated.
Per-policy device compliance report
This report provides a per-compliance-policy view of the total number of devices in each compliance state. The
Policy compliance tile is available from the Device compliance dashboard, and it shows all policies previously
created by the admin, the platforms the policy is applied to, the number of compliant devices, and the number of
non-compliant devices.

When you click on the Policy compliance tile, then click on one of the device compliance policies, you'll be able to
see the compliance status, user's e-mail alias, device model, and location for each device that was targeted by
that device compliance policy.
Per-setting device compliance report
This report allows you to view, per compliance setting, the total number of devices in each compliance state. The
Settings compliance tile is available from the Device compliance dashboard, and it shows all device
compliance policy settings from all device compliance policies created by the admin, the platforms to which the
policy settings were applied, and the number of non-compliant devices.

When you click on the Setting compliance tile, then click on one of the device compliance policy settings, you'll be
able to see the compliance status, user's e-mail alias, device model, and location for each device that was
targeted by that device compliance policy setting.
What's conditional access?
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

This topic describes Conditional access as it applies to Enterprise Mobility + Security (EMS), and follows that with
Conditional access common scenarios when using Intune.
Enterprise Mobility + Security (EMS) Conditional Access is not a standalone product; it's a solution that spans all
services and products that are part of EMS. It provides granular access control to keep your corporate
data secure, while giving users an experience that allows them to do their best work from any device, and from
any location.
You can define conditions that gate access to your corporate data based on location, device, user state, and
application sensitivity.

NOTE
Conditional Access also extends its capabilities to Office 365 services.

Conditional access with Intune


Intune adds mobile device compliance and mobile application management capabilities to support the EMS
Conditional Access solution.
Ways to use conditional access with Intune:
Device-based conditional access
Conditional access for Exchange on-premises
Conditional access based on network access control
Conditional access based on device risk
Conditional access for Windows PCs
Corporate-owned
Bring your own device (BYOD)
App-based conditional access

Next steps
Common ways to use conditional access with Intune
Common ways to use conditional access with Intune
6/23/2017 5 min to read

APPLIES TO: INTUNE ON AZURE


You need to configure Intune mobile device compliance policy, and the Intune mobile application management
(MAM) capabilities, to drive conditional access compliance at your organization. Let's talk about the common ways
to use conditional access with Intune.

Device-based conditional access


Intune and Azure Active Directory work together to make sure only managed and compliant devices are allowed
access to email, Office 365 services, Software as a service (SaaS) apps, and on-premises apps. Additionally, you can
set a policy in Azure Active Directory to only enable computers that are domain-joined, or mobile devices that are
enrolled in Intune to access Office 365 services.
Intune provides device compliance policy capabilities that evaluate the compliance status of the devices. The
compliance status is reported to Azure Active Directory that uses it to enforce the conditional access policy created
in Azure Active Directory when the user tries to access company resources.
Starting with the new Azure portal, device-based conditional access policies for Exchange Online and other Office
365 products are configured through the Azure portal.
Learn more about conditional access in Azure Active Directory.
Learn more about what is Intune device compliance.
Learn more about protecting e-mail, Office 365, and other services using conditional access with Intune.
Conditional access for Exchange on-premises
Conditional access can be used to allow or block access to Exchange on-premises based on the device
compliance policies and enrollment state. When conditional access is used in combination with a device
compliance policy, only compliant devices are allowed access to Exchange on-premises.
You can configure advanced settings in conditional access for more granular control such as:
Allow or block certain platforms.
Immediately block devices that are not managed by Intune.
Any device used to access Exchange on-premises is checked for compliance when device compliance and
conditional access policies are applied.
When devices do not meet the conditions set, the end user is guided through the process of enrolling the device to
fix the issue that is making the device non-compliant.
How conditional access for Exchange on-premises works
The Intune Exchange connector pulls in all the Exchange ActiveSync (EAS) records that exist at the Exchange server
so Intune can take these EAS records and map them to Intune device records. These records are devices enrolled
in and recognized by Intune. This process allows or blocks e-mail access.
If the EAS record is brand new, and Intune is not aware of it, Intune issues a cmdlet that blocks access to e-mail.
Here are more details on how this process works:

1. User tries to access corporate e-mail, which is hosted on Exchange on-premises 2010 SP1 or later.
2. If the device is not managed by Intune, it is blocked from accessing e-mail. Intune sends a block notification to
the EAS client.
3. EAS receives the block notification, moves the device to quarantine, and sends the quarantine e-mail with
remediation steps that contain links so the users can enroll their devices.
4. The Workplace join process happens, which is the first step to have the device managed by Intune.
5. The device gets enrolled into Intune.
6. Intune maps the EAS record to a device record, and saves the device compliance state.
7. The EAS client ID gets registered by the Azure AD Device Registration process, which creates a relationship
between the Intune device record, and the EAS client ID.
8. The Azure AD Device Registration saves the device state information.
9. If the user meets the conditional access policies, Intune issues a cmdlet through the Intune Exchange
connector that allows the mailbox to sync.
10. Exchange server sends the notification to EAS client so the user can access e-mail.
What's the Intune role?
Intune evaluates and manages the device state.
What's the Exchange server role?
Exchange server provides the API and infrastructure to move devices to its quarantine.

IMPORTANT
Keep in mind that the user who's using the device must have a compliance policy assigned to them for the device to be
evaluated for compliance. If no compliance policy is deployed to the user, the device is treated as compliant and no access
restrictions are applied.
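The allow/block decision in the flow above, as an added PowerShell model that is not Intune or connector code; the EAS records, device records and function names are constructed, and the BlockedPlatforms parameter stands in for the "allow or block certain platforms" advanced setting.

```powershell
# Added example, not Intune or connector code: a local model of the allow /
# block decision the Exchange on-premises conditional access flow makes once
# the Exchange connector has mapped EAS records to Intune device records.
# EAS records, device records and function names are all constructed here.

function New-AccessDecision {
    param($Record, [string]$Action, [string]$Reason)
    [pscustomobject]@{
        User = $Record.User; DeviceId = $Record.DeviceId; Platform = $Record.Platform
        Action = $Action; Reason = $Reason
    }
}

function Get-ExchangeAccessDecision {
    # $EasRecord: one Exchange ActiveSync partnership as pulled in by the connector.
    # $IntuneDevices: enrolled devices keyed by EAS device id (the mapping step).
    # $BlockedPlatforms: the "allow or block certain platforms" advanced setting.
    param([hashtable]$EasRecord, [hashtable]$IntuneDevices, [string[]]$BlockedPlatforms = @())

    if ($EasRecord.Platform -in $BlockedPlatforms) {
        return New-AccessDecision $EasRecord 'Block' 'Platform blocked by advanced setting'
    }
    $device = $IntuneDevices[$EasRecord.DeviceId]
    if (-not $device) {
        # New EAS record Intune is not aware of: block; Exchange moves the device
        # to quarantine and sends the e-mail with enrollment steps.
        return New-AccessDecision $EasRecord 'Block' 'Not managed by Intune (quarantined, enrollment e-mail sent)'
    }
    if (-not $device.CompliancePolicyAssigned) {
        # No compliance policy deployed to the user: the device is treated as compliant.
        return New-AccessDecision $EasRecord 'Allow' 'Enrolled; no compliance policy assigned, treated as compliant'
    }
    if ($device.Compliant) {
        return New-AccessDecision $EasRecord 'Allow' 'Enrolled and compliant'
    }
    return New-AccessDecision $EasRecord 'Block' 'Enrolled but noncompliant'
}

function Invoke-EasSyncDecisions {
    # Run the decision for every EAS record the connector pulled in.
    param([hashtable[]]$EasRecords, [hashtable]$IntuneDevices, [string[]]$BlockedPlatforms = @())
    foreach ($r in $EasRecords) {
        Get-ExchangeAccessDecision -EasRecord $r -IntuneDevices $IntuneDevices -BlockedPlatforms $BlockedPlatforms
    }
}

# Constructed data (no real users, devices or ids).
$easRecords = @(
    @{ User = 'alice@contoso.example'; DeviceId = 'EAS-0001'; Platform = 'iOS' },
    @{ User = 'bob@contoso.example';   DeviceId = 'EAS-0002'; Platform = 'Android' },
    @{ User = 'carol@contoso.example'; DeviceId = 'EAS-0003'; Platform = 'iOS' },
    @{ User = 'dave@contoso.example';  DeviceId = 'EAS-0004'; Platform = 'Windows Phone' },
    @{ User = 'erin@contoso.example';  DeviceId = 'EAS-0005'; Platform = 'Android' }
)
$intuneDevices = @{
    'EAS-0001' = @{ CompliancePolicyAssigned = $true;  Compliant = $true  }
    'EAS-0002' = @{ CompliancePolicyAssigned = $true;  Compliant = $false }
    'EAS-0003' = @{ CompliancePolicyAssigned = $false; Compliant = $false }
    'EAS-0004' = @{ CompliancePolicyAssigned = $true;  Compliant = $true  }
}

# EAS-0005 has no Intune record at all, so it is blocked and quarantined.
Invoke-EasSyncDecisions -EasRecords $easRecords -IntuneDevices $intuneDevices -BlockedPlatforms @('Windows Phone') |
    Format-Table User, Platform, Action, Reason -AutoSize
```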

Conditional access based on network access control


Intune integrates with partners such as Cisco ISE, Aruba ClearPass, and Citrix NetScaler to provide access controls
based on Intune enrollment and the device compliance state.
Users can be allowed or denied access when trying to access corporate Wi-Fi or VPN resources based on whether
the device is managed and compliant with Intune device compliance policies.
Learn more about the NAC integration with Intune.
Conditional access based on device risk
Intune has partnered with Mobile Threat Defense vendors that provide security solutions to detect malware, Trojans,
and other threats on mobile devices.
How the Intune and mobile threat defense integration works
When mobile devices have the mobile threat defense agent installed, the agent can send compliance state
messages back to Intune reporting if a threat has been found in the mobile device itself.
The Intune and mobile threat defense integration factors into the conditional access decisions based on device
risk.
Learn more about Intune mobile threat defense.
Conditional access for Windows PCs
Conditional access for PCs provides capabilities similar to those available for mobile devices. Let's talk about the
ways you can use conditional access when managing PCs with Intune.
Corporate-owned
On premises AD domain joined: This has been the most common conditional access deployment option
for organizations who are reasonably comfortable with the fact that they're already managing their PCs
through AD group policies and/or with System Center Configuration Manager.
Azure AD domain joined and Intune management: This scenario is typically geared to Choose Your
Own Device (CYOD) and roaming laptop scenarios where these devices are rarely connected to the corporate
network. The device joins Azure AD and gets enrolled into Intune, which removes any dependency on
on-premises AD and domain controllers. This can be used as a conditional access criterion when accessing
corporate resources.
AD domain joined and System Center Configuration Manager: As of current branch, System Center
Configuration Manager provides conditional access capabilities that can evaluate specific compliance
criteria, in addition to the PC being domain-joined:
Is the PC encrypted?
Is antimalware software installed? Is it up to date?
Is the device jailbroken or rooted?
Bring your own device (BYOD)
Workplace join and Intune management: Here the user can join their personal devices to access corporate
resources and services. You can use Workplace join and enroll devices into Intune to receive device-level
policies, which is another option for evaluating conditional access criteria.

App-based conditional access


Intune and Azure Active Directory work together to make sure only managed apps can access corporate e-mail or
other Office 365 services.
Learn more about app-based conditional access with Intune.

Next steps
How to configure conditional access in Azure Active Directory
How to install on-premises Exchange connector with Intune.
How to create a conditional access policy for Exchange on-premises
App-based conditional access with Intune
6/28/2017 3 min to read

APPLIES TO: INTUNE ON AZURE


Intune app protection policies help protect your company data on devices that are enrolled into Intune. You can
also use app protection policies on employee owned devices that are not enrolled for management in Intune. In
this case, even though your company doesn't manage the device, you still need to make sure that company data
and resources are protected.
App-based conditional access and mobile application management adds a security layer by making sure only
mobile apps that support Intune app protection policies can access Exchange online, and other Office 365 services.

NOTE
A managed app is an app that has app protection policies applied to it, and can be managed by Intune.

You can block the built-in mail apps on iOS and Android when you only allow the Microsoft Outlook app to access
Exchange Online. Additionally, you can block apps that don't have Intune app protection policies applied from
accessing SharePoint Online.

Prerequisites
Before you create an App-based conditional access policy, you must have:
Enterprise Mobility + Security or an Azure Active Directory premium subscription, and the users must
be licensed for EMS or Azure AD.
For more details, see the Enterprise Mobility pricing page or the Azure Active Directory pricing page.

Supported apps
Exchange Online:
Microsoft Outlook for Android and iOS.
SharePoint Online
Microsoft Word for iOS and Android
Microsoft Excel for iOS and Android
Microsoft PowerPoint for iOS and Android
Microsoft OneDrive for Business for iOS and Android
Microsoft OneNote for iOS
Microsoft Teams

NOTE
App-based conditional access also supports LOB apps, but these apps need to use Office 365 modern
authentication.
How app-based conditional access works
In this example, the admin has app protection policies applied to the Outlook app followed by a conditional access
rule that adds the Outlook app to an approved list of apps that can be used when accessing corporate e-mail.

NOTE
The flowchart structure below can be used for other managed apps.

1. The user tries to authenticate to Azure AD from the Outlook app.


2. The user gets redirected to the app store to install a broker app when trying to authenticate for the first
time. The broker app can be either the Microsoft Authenticator for iOS, or the Microsoft Company portal for
Android devices.

NOTE
In this scenario, if users try to use a native e-mail app, they'll be redirected to the app store to then install the
Outlook app.

3. The broker app gets installed on the device.


4. The broker app starts the Azure AD registration process which creates a device record in Azure AD. This is
not the same as the mobile device management (MDM) enrollment process, but this record is necessary so
the conditional access policies can be enforced on the device.
5. The broker app verifies the identity of the app. There's a security layer so the broker app can validate if the
app is authorized to be used by the user.
6. The broker app sends the App Client ID to Azure AD as part of the user authentication process to check if it's
in the policy approved list.
7. Azure AD allows the user to authenticate and use the app based on the policy approved list. If the app is not
in the policy approved list, Azure AD denies access to the app.
8. Outlook app communicates with Outlook Cloud Service to initiate communication with Exchange Online.
9. Outlook Cloud Service communicates with Azure AD to retrieve Exchange Online service access token for
the user.
10. Outlook app communicates with Exchange Online to retrieve user's corporate e-mail.
11. Corporate e-mail is delivered to the user's mailbox.

Next steps
Create an app-based conditional access policy
Block apps that do not have modern authentication
Set up the Intune on-premises Exchange Connector in Microsoft Intune Azure preview
6/19/2017 5 min to read

On-premises Exchange Server environments can use the Intune on-premises Exchange connector to manage
devices' access to on-premises Exchange mailboxes based on whether or not the devices are enrolled into Intune
and compliant with Intune device compliance policies. The on-premises Exchange connector is also responsible for
discovering mobile devices that connect to on-premises Exchange Servers by synchronizing the existing Exchange
ActiveSync (EAS) records with Intune.

IMPORTANT
Intune only supports one on-premises Exchange Connector connection of any type per subscription.

To set up a connection that enables Microsoft Intune to communicate with the on-premises Exchange Server, you
need to follow the steps below:
1. Download the Intune on-premises Exchange Connector from the Intune portal.
2. Install and configure the Intune on-premises Exchange connector.
3. Validate the Exchange connection.

On-premises Exchange Connector requirements


The following table lists the requirements for the computer on which you install the On-premises Exchange
Connector.

REQUIREMENT MORE INFORMATION
Operating systems: Intune supports the On-premises Exchange Connector on a computer that runs any edition of
Windows Server 2008 SP2 64-bit, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2.
The Connector is not supported on any Server Core installation.
Microsoft Exchange: On-premises Connectors require Microsoft Exchange 2010 SP1 or later or legacy Exchange
Online Dedicated. To determine if your Exchange Online Dedicated environment is in the new or legacy
configuration, contact your account manager.
Mobile device management authority: Set the mobile device management authority to Intune.
Hardware: The computer on which you install the connector requires a 1.6 GHz CPU with 2 GB of RAM and 10 GB
of free disk space.
Active Directory synchronization: Before you can use the Connector to connect Intune to your Exchange Server,
you must set up Active Directory synchronization so that your local users and security groups are synchronized
with your instance of Azure Active Directory.
Additional software: A full installation of Microsoft .NET Framework 4.5 and Windows PowerShell 2.0 must be
installed on the computer that hosts the connector.
Network: The computer on which you install the connector must be in a domain that has a trust relationship to
the domain that hosts your Exchange Server. The computer requires configurations to enable it to access the
Intune service through firewalls and proxy servers over ports 80 and 443. Domains that are used by Intune
include manage.microsoft.com, *manage.microsoft.com, and *.manage.microsoft.com.

Exchange cmdlet requirements


You must create an Active Directory user account that is used by the Intune Exchange Connector. The account must
have permission to run the following required Windows PowerShell Exchange cmdlets:
Get-ActiveSyncOrganizationSettings, Set-ActiveSyncOrganizationSettings
Get-CasMailbox, Set-CasMailbox
Get-ActiveSyncMailboxPolicy, Set-ActiveSyncMailboxPolicy, New-ActiveSyncMailboxPolicy,
Remove-ActiveSyncMailboxPolicy
Get-ActiveSyncDeviceAccessRule, Set-ActiveSyncDeviceAccessRule, New-ActiveSyncDeviceAccessRule,
Remove-ActiveSyncDeviceAccessRule
Get-ActiveSyncDeviceStatistics
Get-ActiveSyncDevice
Get-ExchangeServer
Get-ActiveSyncDeviceClass
Get-Recipient
Clear-ActiveSyncDevice, Remove-ActiveSyncDevice
Set-ADServerSettings
Get-Command
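An added preflight script (not part of Intune or the connector installer) that checks the requirements table above on the candidate host and verifies, through an Exchange remote PowerShell session, that the connector service account can see each cmdlet listed here; the server name is a placeholder, and the script assumes Windows PowerShell 3.0 or later on the host.

```powershell
# Added example, not part of Intune or the connector installer: a preflight
# script for the server that will host the On-premises Exchange Connector. It
# checks the requirements in the table above and then, through a remote
# Exchange PowerShell session, checks that the connector's service account can
# see each required cmdlet (Exchange RBAC hides cmdlets an account may not run).
# Assumes Windows PowerShell 3.0 or later; the server name is a placeholder.

$ExchangeServer   = 'EXCH01.CORP.EXAMPLE'   # placeholder: Client Access Server FQDN
$ConnectorAccount = Get-Credential -Message 'Intune Exchange Connector service account (DOMAIN\user)'

# The cmdlets listed under "Exchange cmdlet requirements".
$RequiredCmdlets = @(
    'Get-ActiveSyncOrganizationSettings', 'Set-ActiveSyncOrganizationSettings',
    'Get-CasMailbox', 'Set-CasMailbox',
    'Get-ActiveSyncMailboxPolicy', 'Set-ActiveSyncMailboxPolicy',
    'New-ActiveSyncMailboxPolicy', 'Remove-ActiveSyncMailboxPolicy',
    'Get-ActiveSyncDeviceAccessRule', 'Set-ActiveSyncDeviceAccessRule',
    'New-ActiveSyncDeviceAccessRule', 'Remove-ActiveSyncDeviceAccessRule',
    'Get-ActiveSyncDeviceStatistics', 'Get-ActiveSyncDevice', 'Get-ExchangeServer',
    'Get-ActiveSyncDeviceClass', 'Get-Recipient',
    'Clear-ActiveSyncDevice', 'Remove-ActiveSyncDevice',
    'Set-ADServerSettings', 'Get-Command'
)

function Test-TcpPort {
    # Plain TCP connect test; works where Test-NetConnection is not available
    # (for example Windows Server 2008 R2).
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($HostName, $Port); return $client.Connected }
    catch   { return $false }
    finally { $client.Close() }
}

function Test-ConnectorHostRequirements {
    # One property per requirement from the table; $true means the check passed.
    $os   = Get-WmiObject Win32_OperatingSystem
    $cs   = Get-WmiObject Win32_ComputerSystem
    $cpu  = Get-WmiObject Win32_Processor | Select-Object -First 1
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    # .NET Framework 4.5 registers Release 378389 or higher under the v4 Full key.
    $net  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OperatingSystem        = "$($os.Caption) $($os.OSArchitecture)"         # compare with the table by eye
        NotServerCore          = (Test-Path (Join-Path $env:windir 'explorer.exe'))  # the shell is absent on Server Core
        Cpu16GHz               = ($cpu.MaxClockSpeed -ge 1600)
        Ram2GB                 = ($cs.TotalPhysicalMemory -ge 2GB)
        FreeDisk10GB           = ($disk.FreeSpace -ge 10GB)
        DotNet45               = ($null -ne $net -and $net.Release -ge 378389)
        PowerShell2OrLater     = ($PSVersionTable.PSVersion.Major -ge 2)
        DomainJoined           = [bool]$cs.PartOfDomain
        IntuneReachablePort80  = (Test-TcpPort 'manage.microsoft.com' 80)
        IntuneReachablePort443 = (Test-TcpPort 'manage.microsoft.com' 443)
    }
}

function Test-ConnectorCmdletAccess {
    # Implicit remoting imports only the cmdlets the account's RBAC roles expose,
    # so a missing proxy means the account cannot run that cmdlet.
    param([string]$Server, [System.Management.Automation.PSCredential]$Credential, [string[]]$Cmdlets)
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "http://$Server/PowerShell/" -Authentication Kerberos -Credential $Credential
    try {
        $module = Import-PSSession -Session $session -DisableNameChecking -AllowClobber
        foreach ($c in $Cmdlets) {
            # Import-PSSession itself runs the remote Get-Command, so reaching
            # this point already proves the account can run it.
            $ok = $module.ExportedCommands.ContainsKey($c) -or $c -eq 'Get-Command'
            [pscustomobject]@{ Cmdlet = $c; Available = $ok }
        }
    } finally {
        Remove-PSSession -Session $session
    }
}

Test-ConnectorHostRequirements | Format-List
# Report only the cmdlets the service account is missing.
Test-ConnectorCmdletAccess -Server $ExchangeServer -Credential $ConnectorAccount -Cmdlets $RequiredCmdlets |
    Where-Object { -not $_.Available } | Format-Table -AutoSize
```

Run it as the account that will install the connector; an empty second table means the service account sees every required cmdlet.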

Download the On-premises Exchange Connector software installation package
1. On a supported Windows Server operating system for the On-premises Exchange Connector, open the
Azure portal and sign in with a user account that is an administrator in the on-premises Exchange server,
and that has a license to use Exchange Server.
2. Choose More services from the left menu, then type Intune in the text box filter.
3. Choose Intune, the Intune Dashboard opens, choose On-premises access.
4. On the On-premises access - Exchange ActiveSync connector blade, from the Setup section, choose
Download the on-premises connector.
5. The On-premises Exchange Connector is contained in a compressed (.zip) folder that can be opened or
saved. In the File Download dialog box, choose Save to store the compressed folder to a secure location.

IMPORTANT
Do not rename or move the files that are in the on-premises Exchange Connector folder. Moving or renaming the
folder's contents will cause the Exchange Connector installation to fail.

Install and configure the Intune On-premises Exchange Connector


Perform the following steps to install the Intune On-premises Exchange Connector. The On-premises Exchange
Connector can only be installed once per Intune subscription, and only on one computer. If you try to configure an
additional On-premises Exchange Connector, the new connection will replace the original one.
1. On a supported operating system for the On-premises Connector, extract the files in
Exchange_Connector_Setup.zip to a secure location.
2. After the files are extracted, open the extracted folder and double-click Exchange_Connector_Setup.exe to
install the On-premises Exchange Connector.

IMPORTANT
If the destination folder is not a secure location, you should delete the certificate file WindowsIntune.accountcert
after you install the On-premises Connector.

3. In the Microsoft Intune Exchange Connector dialog box, select either On-premises Microsoft
Exchange Server or Hosted Microsoft Exchange Server.
For an On-premises Exchange server, provide either the server name or the fully qualified domain name of
the Exchange server that hosts the Client Access Server role.
For a hosted Exchange server, provide the Exchange server address. To find the hosted Exchange server URL:
a. Open the Outlook Web App for Office 365.
b. Choose the ? icon at the upper left, and then select About.
c. Locate the POP External Server value.
4. Choose Proxy Server to specify proxy server settings for your hosted Exchange server.
a. Select Use a proxy server when synchronizing mobile device information.
b. Enter the proxy server name and the port number to be used to access the server.
c. If user credentials are required to access the proxy server, select Use credentials
to connect to the proxy server. Then enter the domain\user and the password.
d. Choose OK.
5. In the User (Domain\user) and Password fields, enter the credentials that are necessary to connect
to your Exchange server.
6. Provide the administrative credentials that are necessary to send notifications to a user's Exchange Server
mailbox. You can configure these notifications with Conditional Access policies in Intune.
Ensure that the Autodiscover service and Exchange Web Services are configured on the Exchange
Client Access Server. For more information, see Client Access server.
7. In the Password field, provide the password for this account to enable Intune to access the Exchange
Server.
8. Choose Connect.

NOTE
It might take a few minutes for the connection to be configured.

During configuration, the Exchange Connector stores your proxy settings to enable access to the Internet. If your
proxy settings change later, you must reconfigure the Exchange Connector so that it picks up the updated proxy
settings.
After the Exchange Connector establishes the connection, mobile devices associated with users that are managed
through the Exchange Connector are synchronized and added to the Exchange Connector automatically. This
synchronization might take some time to complete.

NOTE
If you have installed the On-premises Exchange Connector, and if at some point you delete the Exchange connection, you
must uninstall the On-premises Exchange Connector from the computer onto which it was installed.
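Before running the connector setup, it is worth confirming that the service account you enter in the connector dialog can actually reach the Client Access Server and has RBAC access to the Exchange cmdlets the connector calls, and that the Autodiscover, Exchange Web Services and ActiveSync virtual directories the steps above depend on exist. The following pre-flight script is an added example, not part of the Intune documentation or the connector installer; the CAS name, service account name and the remote PowerShell URI are placeholders you must replace. It imports an implicit remoting session as the service account, so only the cmdlets that account's role assignments grant are imported, which makes the import itself a permission test.

```powershell
# Added example (not from the Intune docs): pre-flight check for the On-premises
# Exchange Connector service account, run from the machine that will host the connector.
# Assumptions: CAS FQDN, service account and the /PowerShell/ endpoint are placeholders.
param(
    [string]$CasServer      = 'cas01.corp.example.com',   # assumption: your CAS FQDN
    [string]$ServiceAccount = 'CORP\svc-intune-exch'      # assumption: connector account
)

# Cmdlets the connector needs, as listed in the documentation above.
# Get-Command is built into PowerShell, so it is not checked against Exchange RBAC.
$RequiredCmdlets = @(
    'Get-ExchangeServer', 'Get-ActiveSyncDeviceClass', 'Get-Recipient',
    'Clear-ActiveSyncDevice', 'Remove-ActiveSyncDevice', 'Set-ADServerSettings'
)

$cred = Get-Credential -UserName $ServiceAccount -Message 'Connector service account password'

# Connect to the Exchange remote PowerShell endpoint as the service account.
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://$CasServer/PowerShell/" `
    -Authentication Kerberos -Credential $cred -ErrorAction Stop

try {
    # Implicit remoting only imports the cmdlets this account's RBAC roles allow.
    $module  = Import-PSSession $session -DisableNameChecking -AllowClobber -WarningAction SilentlyContinue
    $granted = @($module.ExportedCommands.Keys)

    $missing = $RequiredCmdlets | Where-Object { $granted -notcontains $_ }
    if ($missing) {
        Write-Warning "Service account lacks RBAC access to: $($missing -join ', ')"
    } else {
        Write-Host "All connector cmdlets are available to $ServiceAccount"
    }

    # Virtual directories the connector relies on (Autodiscover and EWS for
    # notifications, ActiveSync for device sync). These Get-* cmdlets also need
    # the View-Only Configuration role, so check they were imported first.
    $vdirChecks = @(
        @{ Name = 'Autodiscover'; Cmd = 'Get-AutodiscoverVirtualDirectory' },
        @{ Name = 'EWS';          Cmd = 'Get-WebServicesVirtualDirectory' },
        @{ Name = 'ActiveSync';   Cmd = 'Get-ActiveSyncVirtualDirectory' }
    )
    foreach ($check in $vdirChecks) {
        if ($granted -notcontains $check.Cmd) {
            Write-Warning "$($check.Name): cannot verify, $($check.Cmd) not granted to this account"
            continue
        }
        $vdirs = @(& $check.Cmd -Server $CasServer -ErrorAction SilentlyContinue)
        if ($vdirs.Count -eq 0) {
            Write-Warning "$($check.Name): no virtual directory found on $CasServer"
            continue
        }
        foreach ($v in $vdirs) {
            Write-Host "$($check.Name): $($v.Identity) external=$($v.ExternalUrl)"
            if ($check.Name -eq 'ActiveSync') {
                # Conditional access requires EAS to use certificate or credential auth;
                # surface the current settings so they can be reviewed.
                Write-Host ("  BasicAuthEnabled={0} ClientCertAuth={1}" -f $v.BasicAuthEnabled, $v.ClientCertAuth)
            }
        }
    }
}
finally {
    Remove-PSSession $session
}
```

Run it interactively before step 2 of the installation; a warning about missing cmdlets means the account's role assignments need to be widened to exactly the cmdlets in the list above (and no further), and a missing Autodiscover or EWS virtual directory means the notification mailbox credentials entered during setup will not work.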

Validate the Exchange connection

After you have successfully configured the Exchange Connector, you can view the status of the connection and the
last successful synchronization attempt. To validate the Exchange Connector connection:
On the Intune Dashboard, choose On-premises access. Under Manage, select Exchange on-premises access
to verify the connection status.
You can also check the time and date of the last successful synchronization attempt.

Next steps
Create a conditional access policy for Exchange on-premises
How to create and assign a conditional access policy for Exchange on-premises and legacy Exchange Online Dedicated in Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE


This topic walks you through the process of configuring conditional access for Exchange on-premises based on
device compliance.
If you have an Exchange Online Dedicated environment and need to find out whether it is in the new or the legacy
configuration, please contact your account manager. To control email access to Exchange on-premises or to your
legacy Exchange Online Dedicated environment, configure conditional access to Exchange on-premises in Intune.

Before you begin

Before you can configure conditional access, verify the following:
Your Exchange version must be Exchange 2010 SP1 or later. An Exchange Client Access Server (CAS)
array is supported.
You must use the Exchange ActiveSync on-premises Exchange connector, which connects Intune to on-
premises Exchange.

IMPORTANT
The on-premises Exchange connector is specific to your Intune tenant and cannot be used with any other tenant.
You should also ensure that the exchange connector for your tenant is installed on only one machine.

The connector can be installed on any machine as long as that machine is able to communicate with the
Exchange server.
The connector supports Exchange CAS environments. You can technically install the connector on the
Exchange CAS server directly if you wish to, but it is not recommended, because it increases the load on the
server. When configuring the connector, you must set it up to communicate with one of the Exchange CAS
servers.
Exchange ActiveSync must be configured with certificate-based authentication or user credential entry.
When conditional access policies are configured and targeted to a user, before a user can connect to their
email, the device they use must be:
Either enrolled with Intune or is a domain joined PC.
Registered in Azure Active Directory. Additionally, the client Exchange ActiveSync ID must be
registered with Azure Active Directory.
AAD DRS will be activated automatically for Intune and Office 365 customers. Customers who have already
deployed the ADFS Device Registration Service will not see registered devices in their on-premises Active
Directory. This does not apply to Windows PCs and Windows Phone devices.
Compliant with device compliance policies deployed to that device.
If the device does not meet conditional access settings, the user is presented with one of the following
messages when they log in:
If the device is not enrolled with Intune, or is not registered in Azure Active Directory, a message is
displayed with instructions about how to install the Company Portal app, enroll the device, and activate
email. This process also associates the device's Exchange ActiveSync ID with the device record in Azure
Active Directory.
If the device is not compliant, a message is displayed that directs the user to the Intune Company Portal
website, or the Company Portal app where they can find information about the problem and how to
remediate it.
Support for mobile devices
Windows Phone 8.1 and later