
MICROSOFT INTUNE

STEP BY STEP

Abstract
This document is a step-by-step guide to implementing and configuring Microsoft
Intune components, including software distribution, mobile management policies,
software updates and reporting.
Microsoft Intune step by step

Table of Contents
Chapter 1 ..................................................................................................................................................... 6
Definition of Microsoft Intune ................................................................................................................... 6
What is Microsoft Intune? ..................................................................................................................... 6
Why Microsoft Intune? .......................................................................................................................... 6
Comparison between Configuration Manager 2012 R2 & Microsoft Intune .................................... 7
Chapter 2 ................................................................................................................................................... 11
Configure Microsoft Intune ..................................................................................................................... 11
Setting up a Microsoft Intune account ................................................................................................ 11
Add Custom Domain ............................................................................................................................ 13
Assign additional Administrators to manage Microsoft Intune ....................................................... 15
Add Intune Users .................................................................................................................................. 17
Create Individual Intune User ......................................................................................................... 18
Create bulk Intune Users using CSV file ........................................................................................ 21
Synchronize users from Active Directory on Microsoft Intune .................................................... 26
Activate Synchronized Users and Grant Licenses ............................................................................. 38
Chapter 3 ................................................................................................................................................... 41
Implement and Configure ADFS for Single Sign-On ........................................................................... 41
Install ADFS on Windows Server 2012 R2 ......................................................................................... 41
Configure ADFS .................................................................................................................................... 45
Setup the ADFS trust using PowerShell ............................................................................................. 55
Chapter 4 ................................................................................................................................................... 58
Create Intune Groups to organize Users and Devices ........................................................................... 58
To create a Device group ...................................................................................................................... 58
To create a User group ......................................................................................................................... 61
Configure Security Groups .................................................................................................................. 64
To create a Security group ............................................................................................................... 65
Chapter 5 ................................................................................................................................................... 68
Set Mobile Devices Management (MDM) Authority ............................................................................. 68
Set Mobile Device Management Authority ......................................................................................... 68
Prepare for Mobile Device Management Authority “iOS” ............................................................... 69
Prepare for Mobile Device Management Authority “Windows phone 8.1” .................................... 73
Set up Windows Phone enrollment with Intune ............................................................................. 74
Chapter 6 ................................................................................................................................................... 76

1|Page
Microsoft Intune step by step

Create Mobile Management Policies ....................................................................................................... 76


Configuration policies in Microsoft Intune ........................................................................................ 76
Compliance policies in Microsoft Intune ............................................................................................ 81
Conditional Access policies in Microsoft Intune ................................................................................ 85
Conditional Access Policy on Exchange Online ............................................................................. 85
Conditional Access Policy on SharePoint Online ........................................................................... 87
Conditional Access Policy on Exchange On-premise ..................................................................... 90
Chapter 7 ................................................................................................................................................... 96
Manage Computers Using Microsoft Intune .......................................................................................... 96
Install Intune software on computers.................................................................................................. 96
To download the client software ...................................................................................................... 96
To manually deploy the client software .......................................................................................... 97
To automatically deploy the client software by using Group Policy ............................................ 98
How users can self-enroll their computers.................................................................................... 103
Install the Microsoft Intune client software as part of an image ................................................ 106
Monitor and validate successful client deployment ......................................................................... 109
To verify the installation of the client software from the Microsoft Intune administrator console ....... 109
To create a computer inventory report to display all enrolled computers ................................ 110
Manage Computer Remotely ............................................................................................................. 111
Manage User-Device linking .............................................................................................................. 114
Configure Remote Assistance ............................................................................................................ 116
Chapter 8 ................................................................................................................................................. 124
Deploy Applications Using Microsoft Intune ....................................................................................... 124
Deploy Apps “Office ProPlus” to Windows Pc using Intune .......................................................... 124
Configure the App........................................................................................................................... 124
Deploy the App ................................................................................................................................ 130
Monitor the app............................................................................................................................... 132
Deploy Apps to Mobile Devices in Microsoft Intune ....................................................................... 133
Configure the App........................................................................................................................... 133
Deploy the App ................................................................................................................................ 141
Monitor the app............................................................................................................................... 143
Chapter 9 ................................................................................................................................................. 145
Configure Alerts, Notifications and Reports ........................................................................................ 145


Configure Alerts in Microsoft Intune................................................................................................ 145


Configure Notifications in Microsoft Intune .................................................................................... 147
Configure Reports in Microsoft Intune ............................................................................................ 151
Chapter 10 ............................................................................................................................................... 156
Enroll Mobile Devices in Intune ............................................................................................................ 156
For Android ......................................................................................................................................... 156
For iOS ................................................................................................................................................. 158
For Windows Phone............................................................................................................................ 164
Custom Company Portal ........................................................................................................................ 169
Chapter 11 ............................................................................................................................................... 172
Configure Mobile Application Management Policies “MAM” ........................................................... 172
Control Applications using Mobile Application Management Policies.......................................... 172
Use Mobile Application Management without MDM...................................................................... 177
Chapter 12 ............................................................................................................................................... 183
Resource Access Profile with Microsoft Intune.................................................................................... 183
Enable access to corporate email using email profiles ..................................................................... 183
Help users connect to their work using VPN profiles ...................................................................... 187
Help users connect to company networks using Wi-Fi profiles ...................................................... 191
Enable access to company resources using Certificate profiles ...................................................... 200
Configure Prerequisites for Certificate Profile ............................................................................ 200
Step 1 - Configure certificate templates on the certification authority .................................. 200
Step 2, for SCEP profile only: - Configure prerequisites on the NDES server ..................... 206
Step 3, for SCEP profile only: - Configure NDES for use with Intune .................................. 212
Step 4 - Enable, install, and configure the Intune Certificate Connector .............................. 219
Configuring Certificate Profiles .................................................................................................... 230
Step 1 - Export the Trusted Root CA certificate ...................................................................... 230
Step 2 - Create Trusted CA certificate profiles ........................................................................ 231
Step 3 - Create SCEP certificate profiles .................................................................................. 233
Step 4 - Create .PFX certificate profiles.................................................................................... 237
APPENDIX .............................................................................................................................................. 242
Firewall and Proxy Server Settings for Client Computers ................................................................. 242
Required firewall configuration ........................................................................................................ 242
Required domains for documentation, online Help, and support .................................................. 242
Required domains for Microsoft Update Services ........................................................................... 242


Required domains for Windows Intune and related services ......................................................... 242
Required domains for Windows Update Services ............................................................................ 243
Required proxy server configuration ................................................................................................ 243
Reference ................................................................................................................................................. 244
Other articles ........................................................................................................................................... 244


Mai Ali is a Senior Infrastructure Consultant with a strong focus on Microsoft, virtualization,
management solutions and Unified Communications. She has over five years of study and hands-on
experience delivering small to large-scale projects for different industries, mainly based on
Microsoft and other leading-edge technologies, systems, applications and the operations running
on top of them. She has a broad and mixed technical background in the infrastructure and
communications field, systems integration, systems management and security, as well as an
in-depth understanding of the business of computing and networking. Currently her main tasks are
architectural design and delivery of Microsoft environments, with a specific focus on multi-vendor
UC solutions based on Microsoft System Center 2007, Microsoft System Center 2012, Microsoft Lync
2013 with Enterprise Voice, Office 365, Microsoft Enterprise Mobility Suite, Azure, Microsoft
Operations Management Suite, Exchange Unified Messaging, migrations from Lync 2010 and OCS 2007,
load balancers, reverse proxies, firewalls and Exchange UM.

Mai Ali has various Technology Certifications and Awards: Microsoft Valuable Professional
System Center Cloud and Data Management, Microsoft Certified Solutions Expert
(Communication, Server Infrastructure, Private Cloud, and Messaging), MCITP (Office 365
Administrator), MCITP (Enterprise Administrator Windows 2008), MCITP (Enterprise Messaging
Administrator), MCITP (Lync Server 2010 Administrator), Microsoft Certified Systems Engineer
(Security, Messaging) Windows 2003, MCSA (Office 365, Windows 2012), MCSA Windows 2008,
MCSA (Security) Windows 2003, Citrix Certified Professional - Virtualization, Cisco Certified
Network Professional, Red Hat Certified Engineer, STS Symantec Enterprise Vault 10.0 for
Exchange and Symantec Certified Professional Program Data Protection.

Mai Ali has been very involved with Windows Server based virtualization, communication and
management solutions including Microsoft System Center, Microsoft Lync, Enterprise Mobility,
Azure and Office 365. She is currently a prolific blogger at http://expertslab.wordpress.com and
has published many scripts for automatic configuration on the Microsoft TechNet Gallery. Mai likes
giving back via community forums: she has contributed thousands of posts to the Microsoft System
Center, Microsoft Lync and Experts-Exchange community forums over the years.

Mai Ali’s Blog: http://expertslab.wordpress.com


Chapter 1
Definition of Microsoft Intune
Posted on July 14, 2015 by Mai Ali

What is Microsoft Intune?

Microsoft Intune is a cloud-based desktop and mobile device management tool that helps
organizations provide their employees with access to corporate applications, data, and resources
from the device of their choice.

- Supported clients now include Windows 8, Windows RT and Windows Phone 8
- Ability to restrict access to SharePoint Online, Exchange On-premises and Exchange
  Online email based upon device enrollment and compliance policies
- Management of Office mobile apps (Word, Excel, PowerPoint) for iOS devices,
  including the ability to restrict actions such as copy, cut, and paste outside of the managed
  app ecosystem
- Ability to extend application protection to existing line-of-business apps using the Intune
  App Wrapping Tool for iOS
- Managed Browser app for Android devices that controls actions that users can perform,
  including allow/deny access to specific websites. The Managed Browser app for iOS devices is
  currently pending store approval
- Allow users to securely view content on devices within your managed app ecosystem
  using the Managed Browser, PDF Viewer, AV Player, and Image Viewer apps for Intune
- Deploy certificates, Wi-Fi, VPN, and email profiles automatically once a device is
  enrolled, enabling users to access corporate resources with the appropriate security
  configurations
- Provide a self-service Company Portal for users to enroll their own devices and install
  corporate applications across the most popular mobile platforms
- New software publishing capabilities
- Endpoint protection powered by the same malware engine used by System Center 2012
  Endpoint Protection, delivering alerts and infection reports

Why Microsoft Intune?

Microsoft Intune is a unified device management solution that combines cloud and on-premises
capabilities. Microsoft Intune provides mobile device management, mobile application
management, and PC management capabilities from the cloud. Using Intune, organizations can
provide their employees with access to corporate applications, data, and resources from virtually
anywhere on almost any device, while helping to keep corporate information secure.


Comparison between Configuration Manager 2012 R2 & Microsoft Intune

The following table compares the device and application management capabilities available
to you when you use Intune alone, Configuration Manager alone, or a solution that uses both
products.

Scenario | Microsoft Intune | System Center 2012 R2 Configuration Manager | System Center 2012 Configuration Manager SP2 and Intune | System Center 2012 R2 Configuration Manager SP1 and Intune
--- | --- | --- | --- | ---
Platform Support | | | |
Microsoft Windows | Yes | Yes | Yes | Yes
Microsoft Windows Server | No | Yes | Yes | Yes
Windows Phone | Yes | No | Yes | Yes
Windows RT | Yes | No | Yes | Yes
iOS | Yes | No | Yes | Yes
Android | Yes | No | Yes | Yes
Mac OS X | No | Yes | Yes | Yes
Unix/Linux Servers | No | Yes | Yes | Yes
Compliance Settings | | | |
Extensible Windows PC Device Configuration Settings (e.g., WMI, Registry) | No | Yes | Yes | Yes
Extensible Mac OS X Configuration Settings | No | Yes | Yes | Yes
Mobile Device Configuration Settings | Yes | Yes | Yes | Yes
Custom Mobile Device Settings (such as OMA-URI and Apple Configurator) | Yes | Yes | Yes | Yes
Deployment | | | |
Application Deployment | Yes | Yes | Yes | Yes
Windows Operating System Deployment | No | Yes | Yes | Yes
Security and Privacy | | | |
Software Updates | Yes | Yes | Yes | Yes
Endpoint Protection | Yes | Yes | Yes | Yes
Administration and Reporting | | | |
Software Metering | No | Yes | Yes | Yes
Hardware and Software Inventory | Yes | Yes | Yes | Yes
Custom hardware and software inventory | No | Yes | Yes | Yes
Role-based Administration and Reporting | No | Yes | Yes | Yes
Unified Reporting for Cloud and Corporate-connected Devices | No | No | Yes | Yes
Cloud-based Reporting | Yes | No | No | No
Data Protection for mobile devices | | | |
Security Settings | Yes | Yes | Yes | Yes
Remote Wipe | Yes | Yes | Yes | Yes
Remote Lock | Yes | Yes | Yes | Yes
Passcode Reset | Yes | Yes | Yes | Yes
Company Resource Access | | | |
Email Profiles | Yes | Yes | No | Yes
Wi-Fi Profiles | Yes | Yes | No | Yes
VPN Profiles | Yes | Yes | No | Yes
Certificate Profiles | Yes | Yes | No | Yes
Conditional Access | Yes | Yes | Yes | Yes
Mobile Application Management | Yes | Yes | Yes | Yes
App Compliance Policies (compliant and noncompliant apps) | Yes | Yes | Yes | Yes
Kiosk Mode | Yes | Yes | Yes | Yes
Managed Internet Browser Policy | Yes | Yes | Yes | Yes

You can use the following table to help you decide if using Intune stand-alone or using Intune
with System Center 2012 Configuration Manager is a better fit for your business. It is followed
by a table that provides a detailed comparison of your device management options.


You might choose Intune stand-alone if:

- You want to manage mobile devices.
- You want to manage computers that are not joined to a domain.
- You have fewer than 50,000 devices to manage.
- You have no (or limited) on-premises IT infrastructure.
- You have a mobile or highly distributed workforce. Cloud-based device management lets you
  manage mobile devices and computers anywhere in the world.

You might choose Intune + Configuration Manager if:

- You want to manage computers joined to a domain.
- You want to manage servers.
- You want to manage computers with the Configuration Manager client, Mac computers, Linux and
  UNIX servers, and mobile devices enrolled with Intune from the same console.
- You have more than 50,000 devices to manage.
- You have on-premises IT infrastructure in place, or plan to deploy such infrastructure. In this
  configuration, the device and resource management experience is fully unified.
- User names and passwords are synchronized, providing users with a single account that they use
  to access company resources, whether from a domain-joined computer or from a mobile device.

Use the following table to help you decide if using Microsoft Intune or Built-in MDM for
Office 365 is the best fit for your business.

Considerations: Built-in MDM for Office 365 compared with Microsoft Intune

Cost
- Built-in MDM for Office 365: Included with Office 365 commercial subscriptions, including
  Business, Enterprise, EDU and Government plans.
- Microsoft Intune: Requires a paid subscription for Microsoft Intune, or can be purchased with
  the Enterprise Mobility Suite.

How you manage devices
- Built-in MDM for Office 365: Manage devices using the Office 365 admin center.
- Microsoft Intune: For Intune standalone, you manage devices using the Intune admin console.
  If you choose to integrate Intune with System Center 2012 Configuration Manager, you use the
  Configuration Manager console to manage devices on-premises and in the cloud.

Devices you can manage
- Built-in MDM for Office 365: Cloud-based management for devices that run on the following
  device platforms: iOS, Android, Windows Phone.
- Microsoft Intune: Cloud-based management for devices that run on the following device
  platforms: iOS, Android, Windows Phone, Windows.

Key capabilities
- Built-in MDM for Office 365 includes:
  Conditional access: Set up security policies to ensure that Office 365 corporate email and
  documents can be accessed only on phones and tablets that are managed by your company and that
  are compliant with your IT policies.
  Device management: Set and manage security policies, like device-level PIN lock and jailbreak
  detection, to help prevent unauthorized users from accessing corporate email and data on a
  device when it is lost or stolen.
  Selective wipe: Remove Office 365 company data from an employee's device while leaving their
  personal data in place.
- Microsoft Intune includes all of the MDM for Office 365 capabilities, plus the following:
  Advanced mobile device management: Provision and manage certificates, Wi-Fi, VPN (device and
  app-specific), and email profiles automatically for devices that enroll, enabling users to
  access corporate resources with the appropriate security configurations. Enroll and manage
  collections of corporate-owned devices, simplifying policy and app deployment.
  Mobile application management: Deploy your internal line-of-business apps and apps in public
  app stores to users. Enable your workforce to securely access corporate information using the
  Office mobile apps they know and love, while preventing leakage of company data by restricting
  actions like copy, cut, paste, and save as, to only those apps managed by Intune. Extend
  protection for company data to existing line-of-business apps by using the Intune App Wrapping
  Tool. Enable secure viewing of content using the Intune Managed Browser, PDF Viewer, AV Player,
  and Image Viewer apps.
  PC management: Manage devices from the cloud with no infrastructure required using Intune, or
  connect Intune to System Center 2012 Configuration Manager to manage all of your devices
  including PCs, Macs, Linux and UNIX servers, and mobile devices from a single management
  console.


Chapter 2
Configure Microsoft Intune
Setting up a Microsoft Intune account
Posted on July 14, 2015 by Mai Ali

To create a Microsoft Intune account, follow the steps below:

1. Create a trial account on the Microsoft Intune website.

2. Enter your personal data, then sign up.

3. On the "Don't lose access to your account" page, enter your phone number and an alternate
email address.

4. The Microsoft Intune account is now created successfully.


Add Custom Domain

To add a custom domain, follow the steps below:

1. In the Intune account portal, click Domains and then Add a Domain.

2. Enter your domain name "lab17563.o365ready.com" and click Next.

3. Copy the TXT record and create it in your public DNS to verify the domain, then click Verify.

4. Click Close.


Assign additional Administrators to manage Microsoft Intune

Administrator roles are common across the different Microsoft cloud services, although some
services might not support some roles. Intune uses the following roles:

- Tenant administrator
- Service administrator
- Device enrollment manager

To assign additional administrators to manage Microsoft Intune:

1. Log in to the Intune portal and click Admin.

2. Under Administrator Management, click Service Administrators or Device Enrollment
Managers, then click Add.

3. Provide the user ID for the new Intune administrator, then select the access permission.

4. Click OK.

Add Intune Users


Posted on July 14, 2015 by Mai Ali

To create Intune users, you have three options:

- Create an individual Intune user.
- Create Intune users in bulk using a CSV file.
- Synchronize users from Active Directory to Microsoft Intune.

Create Individual Intune User

Posted on July 14, 2015 by Mai Ali

To create an individual user, follow the steps below:

1. In the Intune account portal, click Add Users > New > User to start the New users wizard.

2. Fill in the required information for the user you want to create and click Next.

3. On the "Settings" page, assign a role for this user (administrator or not). Fill in the
country "Egypt" and click Next.

4. Select the Microsoft Intune user group (license), then click Next.

5. Type the email address that should receive the credentials for this account, or leave it
blank.

6. Click Finish.

7. The user is now created successfully.

8. To verify that the new user was created successfully: from the Intune administration
console, click Admin > Company Portal, and then scroll to the bottom of the screen.
Copy the URL shown under Intune company portal. The new user should be able to access it
successfully.

Create bulk Intune Users using CSV file

Posted on July 14, 2015 by Mai Ali


To create Intune users in bulk using a CSV file, follow the steps below:

1. Create a CSV file with the columns "User Name, First name, Last Name, Display Name, State,
Country".

2. In the Intune account portal, click Add Users > New > Bulk Add to start the New users
wizard.

3. Select the CSV file, then click Next.

4. On the "Verification" page, check that all users were uploaded correctly without errors.

5. On the "Settings" page, assign a role for these users (administrator or not). Fill in the
country "Egypt" and click Next.

6. Select the Microsoft Intune user group (license), then click Next.

7. Type the email address that should receive the credentials for these accounts, or leave it
blank.

8. Click Close.

9. The bulk users are now created successfully.


Synchronize users from Active Directory on Microsoft Intune

Add the verified domain as a UPN suffix in Active Directory by following the steps below:

1. Open Active Directory Domains and Trusts, right-click it and select Properties.

2. Type your verified domain "lab17563.o365ready.com" and click Add.

3. Click OK.

Use PowerShell to update the UPN for users by following the steps below:

1. From the taskbar, right-click the PowerShell icon and select Run as Administrator.
2. Type cd C:\
3. Type .\UPN-Update.ps1

4. Enter your domain account.

Note
Edit the UPN-Update script and set the path of the OU whose users should receive the updated
UPN suffix.
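The following is an added example of what such a UPN-update script can look like; it is not the author's UPN-Update.ps1. It assumes the RSAT ActiveDirectory module is installed, and the OU path and internal suffix in the final call are placeholders to replace with your own.

```powershell
# Added example of a UPN-update script (not the author's UPN-Update.ps1).
# Requires the RSAT ActiveDirectory module and an account that may modify
# users in the target OU. Run with -WhatIf first to preview the changes.
Import-Module ActiveDirectory

function Update-UpnSuffix {
    param(
        # OU whose users get the new suffix (placeholder, adjust to your forest)
        [Parameter(Mandatory)] [string] $SearchBase,
        # Suffix the users carry today, typically the internal AD domain name
        [Parameter(Mandatory)] [string] $OldSuffix,
        # Domain verified in the Intune account portal and added as a UPN suffix
        [Parameter(Mandatory)] [string] $NewSuffix,
        # Report what would change without writing to Active Directory
        [switch] $WhatIf
    )

    # The new suffix should already be registered in Active Directory Domains
    # and Trusts (previous step); abort if it is not.
    if (-not ((Get-ADForest).UPNSuffixes -contains $NewSuffix)) {
        throw "UPN suffix '$NewSuffix' is not registered in the forest."
    }

    # Only enabled users whose UPN still ends with the old suffix; users that
    # were already updated, and disabled or service accounts, are left alone.
    $filter = "Enabled -eq 'True' -and UserPrincipalName -like '*@$OldSuffix'"
    $users = Get-ADUser -Filter $filter -SearchBase $SearchBase `
                        -Properties UserPrincipalName

    $tag = if ($WhatIf) { '[preview] ' } else { '' }

    foreach ($user in $users) {
        # Keep the existing prefix so the user's sign-in name does not change
        $prefix = $user.UserPrincipalName.Split('@')[0]
        $newUpn = "$prefix@$NewSuffix"

        # A UPN must be unique in the forest; skip rather than overwrite
        if (Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'") {
            Write-Warning "Skipping $($user.SamAccountName): $newUpn already in use"
            continue
        }

        Set-ADUser -Identity $user -UserPrincipalName $newUpn -WhatIf:$WhatIf
        Write-Output "$tag$($user.UserPrincipalName) -> $newUpn"
    }
}

# Placeholder values: replace the OU and the internal suffix with your own,
# then drop -WhatIf once the preview looks right.
Update-UpnSuffix -SearchBase 'OU=Intune Users,DC=corp,DC=local' `
                 -OldSuffix 'corp.local' `
                 -NewSuffix 'lab17563.o365ready.com' `
                 -WhatIf
```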

Configure Directory Synchronization, you can follow below steps

1. In the Intune account portal, click Users and Click Set up on Active Directory
Synchronization

2. Click Activate.

29 | P a g e
Microsoft Intune step by step

3. You will find Active Directory is activated

4. Install and configure the Directory Sync Tool Click Download

30 | P a g e
Microsoft Intune step by step

5. Click Save Then Click Run

6. Click Next

31 | P a g e
Microsoft Intune step by step

7. Check I accept and Click Next

8. Click Next

32 | P a g e
Microsoft Intune step by step

9. Click Next

10. Uncheck Start Configuration Wizard now, Click Finish

33 | P a g e
Microsoft Intune step by step

11. Logoff and Logon. Double click on Directory Sync Configuration icon on the
desktop
12. Click Next on the welcome page.

13. On the Microsoft Online Services Credentials page enter the credentials and Click Next

14. On the Active Directory Credentials page, enter the credentials and click Next.

15. On the Exchange hybrid deployment page, make sure the box is unchecked and click
Next.

16. On the Password Synchronization page, make sure the box is checked and click Next.

17. Wait for the configuration to complete, then click Next.

18. Leave the Synchronize directories now checkbox as it is and click Finish.

19. In the Intune account portal, click Users and verify that all users have synchronized to the
Intune portal.

Activate Synchronized Users and Grant Licenses

To activate synchronized users, follow these steps:

1. In the Intune account portal, click Users.

2. Next to Display Name, check the box to select all users on the page, or select specific
users, and click Activate synced users.

3. On the Group page, set the user location and click Next.

4. On the Email page, enter the email address to which the temporary password will be sent,
then click Activate.

5. On the Results page, click Finish.

Chapter 3
Implement and Configure ADFS for Single Sign-On
Install ADFS on Windows Server 2012 R2
1. To install the ADFS server, open Server Manager and, on the Dashboard, click Add Roles and
Features.

2. On the Before you begin page, click Next.

3. On the Select installation type box, click Next to proceed (make sure Role-based or
feature-based installation is selected).

4. On the Select destination server box, click Next to proceed.

5. On the Select server roles page, select Active Directory Federation Services, and click
Next.

6. On the Select features page, click Next.

7. On the Active Directory Federation Services page, click Next.

8. On the Confirm installation selections page, click Install.

9. Wait a few minutes for the installation to complete, then click Close.

Configure ADFS
1. On the ADFS server, open Server Manager. In the upper right corner, select More for the
Configuration Required notice and click Configure the federation service.

2. Select “Create the first federation server in a federation farm” and click Next.

3. Click Next on the Connect to AD DS page.

4. Select the certificate FS.LAB17653.O365ready.com and enter Contoso Corporation in
the Federation Service Display Name. Click Next.

5. Click Select, type svc_adfs and click Check Names. Click OK.

6. Type the password in the Account Password field. Click Next.

7. Select “Create a database on the server using Windows Internal Database” and click Next.

8. On the Review Options page, click Next.

9. Verify there are no errors and click Configure.

10. Verify that the configuration is complete and click Close.

11. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.

12. Expand Sites, right-click Default Web Site and click Edit Bindings.

13. Select https and click Edit.

14. Change the https binding to port 444, click OK and then Close.

15. Double-click Windows Azure PowerShell on the desktop.

16. Run the following command:

Set-AdfsProperties -HttpsPort 444

17. Right-click Start and click Command Prompt (Admin).

18. Stop the ADFS service by running the following:

net stop adfssrv

19. Start the service again by running:

net start adfssrv

20. From the command prompt, run iisreset.

21. Navigate to Start > Administrative Tools > AD FS Management.

22. On the opening page, select Edit Federation Service Properties.

23. Make sure the prefix is sts, not autodiscover or adfs, for both the Federation Service
name and the Federation Service identifier: sts.lab17563.o365ready.com.

24. Click OK and restart the ADFS service.
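
As an added example of my own, not from the guide, here are steps 11 to 20 and 23 of this procedure as one PowerShell script with checks at the end: it moves the IIS https binding to 444, sets the ADFS HttpsPort, restarts both services and then verifies the port and the sts prefix. It assumes the WebAdministration and ADFS modules that come with the IIS and ADFS roles, and $ExpectedFsName is the guide's sts host name, to be replaced with your own.

```powershell
# Added example (not from the guide): steps 11-20 and 23 of "Configure ADFS"
# as one script. IIS and ADFS cannot both own 443 on the same host, so the
# Default Web Site is moved to 444 and ADFS is told about the new port.
# Assumption: $ExpectedFsName is a placeholder for your own sts host name.
Import-Module WebAdministration   # ships with the IIS role
Import-Module ADFS                # ships with the ADFS role

$ExpectedFsName = 'sts.lab17563.o365ready.com'   # from the guide; replace with yours

# Step 14: change the existing https binding on Default Web Site from 443 to 444.
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https | Select-Object -First 1
if (-not $binding) { throw 'No https binding on Default Web Site; check step 13' }
if ($binding.bindingInformation -match ':443:') {
    Set-WebBinding -Name 'Default Web Site' -BindingInformation $binding.bindingInformation `
        -PropertyName Port -Value 444
}

# Step 16: tell ADFS which port IIS now uses.
Set-AdfsProperties -HttpsPort 444

# Steps 18-20: restart the ADFS service and IIS so both pick up the change.
Restart-Service -Name adfssrv -Force
iisreset | Out-Null

# Step 23: the service name and identifier must use the sts prefix, not
# autodiscover or adfs, or the Office 365 federation trust will not match.
$props    = Get-AdfsProperties
$idHost   = ([uri]$props.Identifier).Host
$problems = @()
if ($props.HttpsPort -ne 444)            { $problems += "HttpsPort is $($props.HttpsPort), expected 444" }
if ($props.HostName -ne $ExpectedFsName)  { $problems += "HostName is $($props.HostName), expected $ExpectedFsName" }
if ($idHost -ne $ExpectedFsName)          { $problems += "Identifier host is $idHost, expected $ExpectedFsName" }
if ($props.HostName -match '^(autodiscover|adfs)\.') {
    $problems += 'Service name uses the autodiscover or adfs prefix instead of sts'
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "ADFS listens on 444 behind IIS and is published as $($props.HostName)"
```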

Set up the ADFS trust using PowerShell

1. From the taskbar, open Windows Azure PowerShell.


2. Enter the following commands to enable a federation trust for Office 365:

Import-Module MSOnline
Connect-MsolService

3. Enter your credentials in the pop-up.

4. Continue with the following commands:

Convert-MsolDomainToFederated -DomainName lab17563.o365ready.com

Get-MsolFederationProperty -DomainName lab17563.o365ready.com

After completing the last command, you should see an entry called Microsoft Intune.
This means you have correctly set up a federation trust with the online Intune
environment.
5. Close PowerShell and the AD FS Management console.
6. SSO now works; you can verify access from a client PC.

Chapter 4
Create Intune Groups to organize Users and Devices
Groups in Intune give you great flexibility for managing your devices and users. You can set up
groups to suit your organizational needs (for example, by geographic location, department, or
hardware characteristics). You can use groups to perform a wide variety of administrative tasks
at scale, from setting policies for a set of users to deploying applications to a set of devices.

To create Intune groups to organize users and devices, follow these steps.

To create a Device group

1. In the Intune administration console, click Groups > Overview > Create Group.

2. For the Group name, type “Test Devices PC” and from the parent group list, select All
Devices, and then click Next.

3. On the Define Membership Criteria page, select All devices to indicate that the group
includes both mobile devices and computers.

4. On the Define Direct Membership page, click Next. If you had created a group that did
not include all devices, and you wanted to add specific devices to your new group, you
could do that here.

5. On the Summary page, review the actions that will be taken, and then click Finish.

6. You can find the newly created group in the Groups list, in the Groups workspace, under
All Devices. From here, you can also edit or delete the group.

To create a User group

1. In the Intune administration console, click Groups > Overview > Create Group.

2. For the Group name, type “Test Users” and from the parent group list, select All Users,
and then click Next.

3. On the Define Membership Criteria page, set Start group membership with to All users in
the Parent group.

4. Next to Exclude members from these security groups, click Browse and then select
Company Administrator. This exclusion will let you manage the Test Users group
without affecting the Company Administrator account (also known as the tenant
administrator).

5. On the Define Direct Membership page, click Next. You don’t need to do anything here
because you want the Test Users group to include all users, except for the Company
Administrator.

6. On the Summary page, review the actions that will be taken, and then click Finish.

7. You can find the newly created group in the Groups list, in the Groups workspace, under
All Users. From here, you can also edit or delete the group.

Configure Security Groups

In the Microsoft Intune account portal, you can create, edit, and delete security groups. You can
use security groups as criteria for the organization groups that service administrators use for
day-to-day management of Intune, including deploying software or assigning policies.

Security groups can include the following:

• Users and groups you sync from your on-premises Active Directory
• Users and groups you add directly to your subscription

To create a Security group

1. In the Microsoft Intune account portal, click Security Groups > New to start the New
security group wizard.

2. On the Details page, provide a name for the group, and then click Save.

3. On the Members page, you can add both users and groups to a group:

o To add users: Set List type to Users, select one or more users to add to this group,
and then click Add.
o To add groups: Set List Type to Groups, select one or more groups, and then click
Add.

After you add the users and groups you want to include, click Save and Close to complete the
wizard.

Chapter 5
Set Mobile Device Management (MDM) Authority
Posted on August 19, 2015 by Mai Ali

Set Mobile Device Management Authority

To set the Mobile Device Management Authority, follow these steps:

1. Make Intune your mobile device management authority. In the Intune administration
console, click Admin > Mobile Device Management, and click Set Mobile Device
Management Authority under Tasks. Click Yes in the MDM Authority dialog.

2. Select Microsoft Intune to manage my mobile devices and click OK.

3. Enable MDM for your device platform. Enable mobile device management for each
device platform you want to manage:
o iOS: requires an APNs certificate (see Prepare for Mobile Device Management
Authority “iOS” below).
o Windows Phone: requires DNS CNAME records (see Prepare for Mobile Device
Management Authority “Windows Phone 8.1” below).
o Android: no requirements.

4. Enroll devices:
o Android – Install the Company Portal app from Microsoft Corporation available
on Google Play and sign in with Intune user credentials added above.
o iOS – Install the Company Portal app from Microsoft Corporation available in the
App Store and sign in with Intune user credentials added above. View Enrolled
devices to add your device.
o Windows Phone 8.1- Users install the Company Portal app from Microsoft
Corporation available in the Windows Phone store and sign in with Intune user
credentials added above. View Enrolled devices to add your device.

Prepare for Mobile Device Management Authority “iOS”

Some mobile device types need preparation before they can be managed. For iOS, you need to
create and sign an APNs certificate.

1. In the Intune administration console, click Admin > Mobile Device Management, and
for iOS, click Enable the iOS platform.

2. Click Download the APNs Certificate Request. After downloading the certificate
request, click Apple Push Certificate Portal.

3. Click Create a Certificate, check I have read and agree to these terms and
conditions, and click Accept.

4. Click Browse, select the downloaded certificate request and click Upload.

5. Click Download to download the signed APNs certificate.

6. Click Upload the APNs Certificate.

7. Browse to the downloaded signed APNs certificate and click Upload.

8. You are now ready to manage iOS devices.

Prepare for Mobile Device Management Authority “Windows Phone 8.1”

Setup requirements for Windows Phone mobile device management depend upon how you will
manage devices. Setting two CNAMEs in your company's DNS registration makes enrollment
easier for users. If your users will download the Company Portal app from the Store, then once
you have configured the DNS settings you just need to set up the Company Portal and inform users
how to enroll.

Set up Windows Phone enrollment with Intune

Set a DNS alias for the enrollment server address

1. In the Intune administration console, click Administration > Mobile Device Management
> Windows Phone.

2. Type the URL of the verified domain of the company website in the Specify a verified
domain name box and then click Test Auto-Detection.

3. Create CNAME resource records for your company’s domain. The CNAME resource
records must contain the following information:

TYPE    Host Name                                   Points to                            TTL
CNAME   enterpriseenrollment.company_domain.com     manage.microsoft.com                 1 Hour
CNAME   enterpriseregistration.company_domain.com   enterpriseregistration.windows.net   1 Hour
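
Because a typo in either record silently breaks enrollment, the following added check of my own (not from the guide) resolves both CNAMEs and compares them with the targets in the table above. It assumes $Domain is a placeholder for your verified company domain and that the machine running it can reach public DNS.

```powershell
# Added check (not from the guide): confirm the two Windows Phone enrollment
# CNAMEs resolve to the targets the guide lists before telling users to enroll.
# Assumption: $Domain is a placeholder for your verified company domain.
$Domain = 'company_domain.com'

# Expected targets, taken from the guide's CNAME table.
$expected = @{
    "enterpriseenrollment.$Domain"   = 'manage.microsoft.com'
    "enterpriseregistration.$Domain" = 'enterpriseregistration.windows.net'
}

$allGood = $true
foreach ($name in $expected.Keys) {
    # Ask for the CNAME only; Resolve-DnsName may also return the target's A
    # records, so keep just the CNAME answer.
    $rec = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
           Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1

    if (-not $rec) {
        Write-Warning "$name : no CNAME record found"
        $allGood = $false
        continue
    }

    # Trailing dot and case are not significant in DNS names.
    $target = $rec.NameHost.TrimEnd('.')
    if ($target -ieq $expected[$name]) {
        Write-Host "$name -> $target  OK (TTL $($rec.TTL)s)"
    } else {
        Write-Warning "$name -> $target  (expected $($expected[$name]))"
        $allGood = $false
    }
}

if (-not $allGood) { exit 1 }
Write-Host 'Both enrollment CNAMEs are in place'
```

Run it after creating the records; a freshly created record can take up to the zone's TTL to become visible from outside the DNS provider.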

Chapter 6
Create Mobile Management Policies
Intune policies provide you with straightforward settings that help control the security settings on
mobile devices, maintain Windows Firewall and Endpoint Protection settings for computers, and
deploy applications. If you are planning to use the service or devices that you configure in this
walkthrough for real production use (instead of just evaluation), it is absolutely essential that you
follow the instructions found in Manage settings and features on your devices with Microsoft
Intune policies and Help secure computers with Endpoint Protection for Microsoft Intune. In this
walkthrough, you will set up a mobile device security policy and a computer firewall policy, and
then prepare to deploy an app to mobile devices after they are enrolled.

Configuration policies in Microsoft Intune

To create and deploy a mobile device security policy

1. Open the Intune administration console.

2. In the left pane, click the Policy icon.

3. In the Tasks list on the Policy Overview page, click Add Policy.

4. Expand Common Mobile Device Settings, select Mobile Device Security Policy, choose
Create and Deploy a Policy with the Recommended Settings, and then click Create
Policy.

5. When prompted to Select the groups to which you want to deploy this policy, select Test
Users from the list, click Add > OK.

6. Your policy appears in the list of configuration policies, and has been deployed to the
Test Users group. Double-click the policy to view its settings.

To create custom security policy

1. Open the Intune administration console.

2. In the left pane, click the Policy icon.

3. In the Tasks list on the Policy Overview page, click Add Policy.

4. Expand Common Mobile Device Settings, select Mobile Device Security Policy, choose
Create and Deploy a Custom Policy, and then click Create Policy.

5. Configure the security policy “Reset Mobile to factory setting after wrong password” as
follows.

6. Click Yes.

7. Add the mobile devices and click OK.

8. Your policy appears in the list of configuration policies, and has been deployed to the All
Direct Managed Devices group. Double-click the policy to view its settings.

Compliance policies in Microsoft Intune

Define the rules and settings that a device must comply with in order to be considered compliant
by conditional access policies. You can also use compliance policies to monitor and remediate
compliance issues with devices independently of conditional access.

These rules include:

• PIN and passwords
• Encryption
• Whether the device is jailbroken or rooted
• Whether email on the device is managed by an Intune policy

To create a compliance policy

1. Open the Intune administration console, click Policy > Compliance Policies > Add.

2. On the Create Policy page, configure the settings you require (here, enable encryption and
require a password).

3. Click Save Policy and click Yes to deploy the policy.

4. Select the group to which the policy will be assigned and click Add.

5. The compliance policy is now created.

Conditional Access policies in Microsoft Intune

Use the Microsoft Intune conditional access policies for Exchange to manage access to Exchange
email based on conditions you specify.

You can manage access to:

• Microsoft Exchange On-premises
• Microsoft Exchange Online
• Exchange Online Dedicated

Conditional Access Policy on Exchange Online

To create a conditional access policy for Exchange Online, follow these steps:

1. Open the Intune administration console, click Policy > Conditional Access > Exchange
Online Policy.

2. Configure the policy with the settings you require; check “Block e-mails for accessing
Exchange online if the device is noncompliant”.

3. Under Selected Security Groups, click Modify and add the security group to which the
policy will apply.

4. Click Save.

Conditional Access Policy on SharePoint Online

Next, configure the policy to require that only managed and compliant devices can access
SharePoint Online. This policy will be stored in Azure Active Directory.

1. In the Microsoft Intune administration console, click Policy > Conditional Access >
SharePoint Online Policy.

2. Select Enable conditional access policy for SharePoint Online.

3. Under Device platforms, you can choose to apply the conditional access policy to All
platforms.

4. For Windows PCs, the PC must either be domain joined, or enrolled with Intune and
compliant. You can set the following requirement: Devices must be domain joined or
compliant.

5. Under Targeted Groups, click Modify to select the Azure Active Directory security
groups to which the policy will apply. You can choose to target this to all users or just
selected groups of users.

6. Under Exempted Groups, optionally, click Modify to select the Azure Active Directory
security groups that are exempt from this policy.

7. When you are done, click Save.

Conditional Access Policy on Exchange On-premises

Set up the Service to Service Connector

1. Open the Microsoft Intune administrator console.

2. In the workspace shortcuts pane, click Administration.

3. In the navigation pane, under Mobile Device Management, expand Microsoft Exchange
and then click Set Up Exchange Connection.

4. On the Set Up Exchange Connection page, click Set Up Service to Service Connector,
then click Next.

5. On the Ready page, click Install.

6. On the Completed Microsoft Intune Connector page, click Finish.

7. Under On-premises Microsoft Exchange server, enter the FQDN of the CAS server and the
credentials of an on-premises Exchange administrator, then click Connect.

8. The connector is now installed.

To configure a conditional access policy for Exchange On-premises, follow these steps:

1. From the Intune portal, click Policy > Conditional Access > Exchange On-premises
Policy.

2. Select Block email apps from accessing Exchange On-premises if the device is
noncompliant or not enrolled to Microsoft Intune.

3. Select the group created previously and click Add.

4. Click Save.

Chapter 7
Manage Computers Using Microsoft Intune
Install Intune software on computers
The Intune client can be installed by one or more of the following methods:

• Manually deploy the client software
• Automatically deploy the client software by using Group Policy
• Let users self-enroll their computers
• Install the Microsoft Intune client software as part of an image

If you no longer need to manage a computer with Intune, you can retire the computer, which also
removes the client software from the computer.

To download the client software

1. In the Microsoft Intune administration console, click Admin > Client Software Download

2. On the Client Software Download page, click Download Client Software and save the
Microsoft_Intune_Setup.zip package containing the software to a secure location on your
network.
3. Extract the contents of the installation package to the secure location on your network.

To manually deploy the client software

1. On a computer, browse to the folder where the client software installation files are
located, and then run Microsoft_Intune_Setup.exe to install the client software.

2. Click Finish.

To automatically deploy the client software by using Group Policy

1. In the folder that contains the files Microsoft_Intune_Setup.exe and
MicrosoftIntune.accountcert, run the following command to extract the Windows
Installer-based installation programs for 32-bit and 64-bit computers:

Microsoft_Intune_Setup.exe /Extract <destination folder>

2. Copy the Microsoft_Intune_x86.msi file, the Microsoft_Intune_x64.msi file, and the
MicrosoftIntune.accountcert file to a network location that can be accessed by all
computers on which the client software is to be installed.

Note

Do not separate or rename the files, or the client software installation will fail.

3. Use Group Policy to deploy the software to computers on your network: open the Group
Policy Management console and create a new GPO.

4. Enter the name of your Group Policy Object: “Intune deployment x86”.

5. Click Computer Configuration > Policies > Software Settings > Software Installation,
then click New > Package.

6. Select the network path of the Intune package, \\dc01\intune\Microsoft_Intune_x86.msi.

7. Select Assigned, then click OK.

8. The package is now ready to deploy to client machines.

9. Log on to the client PC, open a command prompt, run gpupdate /force and click Yes.

10. The package is now deployed; you will find Microsoft Intune Center in the Start menu.

How users can self-enroll their computers

Users can self-enroll each of their computers through the Microsoft Intune company portal. Each
enrolled computer is linked to the user account that was used to install the client software.

Note
• The user must be an administrator on the computer to install the client software.
• Self-enrolling requires that Internet Explorer is installed on the client computer.
• Each time a user self-enrolls a computer, it uses an Intune license.
• You must use a work or school account to self-enroll a computer. You cannot self-enroll
a computer using a Microsoft account.
• If the client software is already installed on a computer, the end user will receive an
error.

To self-enroll a computer

1. Log on to the company portal from the computer that you want to enroll.

2. Click This device is either not enrolled or the company portal can’t identify it.

3. Click Enroll Device.

4. Click Download Software and then click Run.

5. Click Next to start the Microsoft Intune Setup wizard.

6. When the Setup wizard has completed, click Finish.

Install the Microsoft Intune client software as part of an image

You can deploy the Intune client software to computers as part of an operating system image by
using the following example procedure as a basis:

1. Copy the client installation files, Microsoft_Intune_Setup.exe and
MicrosoftIntune.accountcert, to the %Systemdrive%\Temp\Microsoft_Intune_Setup
folder on the reference computer.

2. Create the WindowsIntuneEnrollPending registry entry by adding the following
command to the SetupComplete.cmd script (the value name is a separate argument after
/v):

%windir%\system32\reg.exe add HKEY_LOCAL_MACHINE\Software\Microsoft\Onlinemanagement\Deployment /v WindowsIntuneEnrollPending /t REG_DWORD /d 1

3. Add the following command to SetupComplete.cmd to run the enrollment package with
the /PrepareEnroll command-line argument:

%systemdrive%\temp\Microsoft_Intune_Setup\Microsoft_Intune_Setup.exe /PrepareEnroll

4. Put SetupComplete.cmd in the %Windir%\Setup\Scripts folder on the reference
computer.

5. Capture an image of the reference computer and then deploy this to targeted computers.

When the targeted computer restarts at the completion of Windows Setup, the
WindowsIntuneEnrollPending registry key is created. The enrollment package checks whether
the computer is enrolled. If the computer is enrolled, no further action is taken. If the computer is
not enrolled, the enrollment package creates a Microsoft Intune Automatic Enrollment Task.

When the Microsoft Intune Automatic Enrollment Task runs at the next scheduled time, it checks
for the WindowsIntuneEnrollPending registry value and tries to enroll the targeted computer in
Intune. If the enrollment fails for any reason, the enrollment is retried the next time the task runs.
The retries continue for a period of one month.

The Intune Automatic Enrollment Task, the WindowsIntuneEnrollPending registry value, and
the account certificate are deleted from the targeted computer when the enrollment is successful
or after one month.
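
As an added example of my own, not from the guide, here is the reference-computer preparation of steps 1 to 4 as one PowerShell function, plus a second function to run on a deployed computer that reports whether automatic enrollment is still pending or has been cleaned up as described above. It assumes $SourceFolder is a placeholder for the folder holding the extracted client package, and it matches the scheduled task by a name pattern because only the task's display name is given in the guide.

```powershell
# Added example (not from the guide): the reference-computer preparation of
# steps 1-4 as one function, plus a check for a deployed computer that reports
# whether automatic enrollment is still pending or has been cleaned up.
# Assumption: $SourceFolder is a placeholder for wherever the extracted client
# package (Microsoft_Intune_Setup.exe and MicrosoftIntune.accountcert) lives.

function Initialize-IntuneImageEnrollment {
    param([Parameter(Mandatory)][string]$SourceFolder)

    $stage   = Join-Path $env:SystemDrive 'Temp\Microsoft_Intune_Setup'
    $scripts = Join-Path $env:windir 'Setup\Scripts'
    New-Item -ItemType Directory -Path $stage, $scripts -Force | Out-Null

    # Step 1: both files must travel together, or the client install fails.
    foreach ($f in 'Microsoft_Intune_Setup.exe', 'MicrosoftIntune.accountcert') {
        $src = Join-Path $SourceFolder $f
        if (-not (Test-Path $src)) { throw "Missing $src" }
        Copy-Item -Path $src -Destination $stage -Force
    }

    # Steps 2-4: SetupComplete.cmd runs once, non-interactively, at the end of
    # Windows Setup. It flags enrollment as pending and lets the package
    # schedule the enrollment task. /f is added so reg.exe never waits for an
    # overwrite prompt if the value already exists in the image.
    $cmd = @"
@echo off
%windir%\system32\reg.exe add HKEY_LOCAL_MACHINE\Software\Microsoft\Onlinemanagement\Deployment /v WindowsIntuneEnrollPending /t REG_DWORD /d 1 /f
%systemdrive%\Temp\Microsoft_Intune_Setup\Microsoft_Intune_Setup.exe /PrepareEnroll
"@
    $path = Join-Path $scripts 'SetupComplete.cmd'
    # ASCII rather than UTF-8 with BOM: cmd.exe treats a BOM as part of line 1.
    Set-Content -Path $path -Value $cmd -Encoding Ascii
    return $path
}

function Get-IntuneImageEnrollmentState {
    $regPath  = 'HKLM:\Software\Microsoft\Onlinemanagement\Deployment'
    $certPath = Join-Path $env:SystemDrive 'Temp\Microsoft_Intune_Setup\MicrosoftIntune.accountcert'

    $pending = (Get-ItemProperty -Path $regPath -Name WindowsIntuneEnrollPending `
                -ErrorAction SilentlyContinue).WindowsIntuneEnrollPending
    # Assumption: matched loosely on the display name the guide gives,
    # "Microsoft Intune Automatic Enrollment Task".
    $task = Get-ScheduledTask -ErrorAction SilentlyContinue |
            Where-Object { $_.TaskName -like '*Intune*Enroll*' }
    $cert = Test-Path $certPath

    # The guide states all three artifacts are removed on success or after
    # one month, so "all gone" and "all present" are the two consistent states.
    $state = if ($pending -eq 1 -and $task) {
                 'Pending: the task retries enrollment on its next run'
             } elseif (-not $pending -and -not $task -and -not $cert) {
                 'Cleaned up: enrolled, or the one-month retry window expired'
             } else {
                 'Inconsistent: confirm SetupComplete.cmd ran and the client installed'
             }

    [pscustomobject]@{
        EnrollPendingValue = $pending
        EnrollmentTask     = if ($task) { $task.TaskName -join ', ' } else { $null }
        AccountCertPresent = $cert
        State              = $state
    }
}
```

In the "Cleaned up" case, confirm the computer actually appears under Groups > All Devices > All Computers in the administration console, since an expired retry window leaves the same traces as a successful enrollment.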

Monitor and validate successful client deployment

Use one of the following procedures to help you monitor and validate successful client
deployment.

To verify the installation of the client software from the Microsoft Intune administrator
console

1. In the Microsoft Intune administration console, click Groups > All Devices > All
Computers.

2. Examine the status of the computer in the bottom pane of the console, and resolve any
errors.

To create a computer inventory report to display all enrolled computers

1. In the Microsoft Intune administration console, click Reports > Computer Inventory
Reports.

2. On the Create New Report page, leave all fields as the default values (unless you want to
apply filters), and click View Report.
3. The Computer Inventory Report page opens in a new window that displays all computers
that are successfully enrolled in Intune.

Manage Computer Remotely

To remotely restart a computer

1. In the Microsoft Intune administration console, click Groups > All Devices (or another
group that contains the computer you want to restart).

2. Select one or more computers, and then click Remote Tasks > Restart Computer.

3. Click Yes.

4. To view the task status, click Remote Tasks in the bottom right corner of the page.
5. In the Task Status dialog box, review the current remote tasks, task status, device name,
and any reported errors.

To retire a computer

1. In the Microsoft Intune administration console, click Groups > All Devices (or another
group that contains the computer you want to retire).

2. Select the devices you want to retire, and then click Retire/Wipe.

3. Select “Selectively wipe the device”, then click Yes.

Manage User-Device linking

To link a user to a computer, follow these steps:

1. In the Microsoft Intune administration console, click Groups > All Devices (or another
group that contains the computer you want to link to a user).

2. Select the computer to which you want to link a user, and then click Link User.

3. If a user is already linked to the selected computer, that user’s name and user ID are
displayed under Current user. If the computer is not linked to any user, No User appears
under Current User. To link the computer to a new user, in the All users list, select a user.
Confirm that the user data is correct, and then click OK.

4. Do one of the following:

o To leave the computer linked to its current user, if there is one, click Cancel.
o To remove the link to the current user, if there is one, click Remove link > OK.
o To link the computer to a new user, in the All users list, select a user. Confirm
that the user data is correct, and then click OK.

Configure Remote Assistance

To start Remote Assistance, follow these steps:

1. On the client PC, select Request Remote Assistance.

2. In the Microsoft Intune administration console, click Alerts > Remote Assistance.

3. Select a Remote Assistance request in the Alerts list to open the properties page of the
request.

4. Click Approve request and launch Remote Assistance to open a dialog box that provides
options for resolving the alert.

5. To join the remote session, click Accept the Remote Assistance request.

6. Click Accept Terms and Install Client

7. Click Join session

8. Type your name, “IT Admin”.

9. On the client PC, the remote session starts; click Share Desktop.

10. The IT admin can now view the client PC.

11. Click Request control.

12. On the client PC, accept the remote session.

13. The IT admin can now manage the client PC remotely.

Chapter 8
Deploy Applications Using Microsoft Intune
Deploy Apps “Office ProPlus” to Windows PCs using Intune
This generally involves three steps:

• Configure the App
• Deploy the App
• Monitor the App

Configure the App

In this procedure, you'll use the Intune Software Publisher to configure the properties of the app
and, where applicable, upload it to your cloud storage space.

To configure an App

1. In the Intune administration console, click the Apps icon, then click Apps > Add App. If
prompted, enter your Intune credentials.

2. Review the security warning and click Run.

3. On the Before you begin page, click Next.

4. On the Software setup page in Select how this software is made available to devices
select Software installer.

5. Enter the location of the software setup files, and then click Next.
6. On the Software description page, provide the information that you want users to see in
the company portal for the software, and then click Next. The following settings are
available:

Setting                          Details
Publisher                        Enter the name of the publisher: Microsoft.
Name                             Enter Office ProPlus 2016-32 bit.
Description                      Enter a description for the software, such as Office ProPlus 2016-32 bit.
Category                         Select the category that best fits this software: Other.
Display this as a featured app   Select this option to display the app prominently in the company
and highlight it in the          portal on mobile devices.
company portal
Icon                             Choose whether to associate an icon with the software. The maximum
                                 size for the icon is 250 x 250 pixels. The recommended size is 32 x 32
                                 pixels. This setting is optional, so skip it for this walkthrough.

7. On the Requirements page, select the 32-bit architecture.

8. On the Detection Rule page, select the registry key “HKEY_LOCAL_MACHINE\
Software\Microsoft\Windows\CurrentVersion\Uninstall\O365ProPlusRetail - en-us”.

9. On Command line arguments, select Yes and type “setup.exe /configure install.xml”.

10. On Return codes, select Yes and enter “0 for success and 3010 for success with restart”.

11. On the Summary page, verify the software information, and then click Upload.

12. Click Close to exit the wizard.
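
The detection rule (step 8), the command line (step 9) and the return codes (step 10) are what the Intune client uses to decide whether Office is already present and whether an install attempt succeeded, and a mismatch between them is reported as a failed or missing install. The PowerShell below is an added example written for this walkthrough, not code from the guide, that replays those three settings on a reference PC before you upload the package. The Wow6432Node fallback and the setup.exe/install.xml paths are assumptions of the example.

```powershell
# Added example (not from the guide): replay the detection rule, command line and return
# codes entered in the Software Publisher wizard on a reference PC before uploading.

function Test-OfficeProPlusDetected {
    [CmdletBinding()]
    param(
        # Detection rule from step 8; HKLM: is the PowerShell drive for HKEY_LOCAL_MACHINE.
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\O365ProPlusRetail - en-us'
    )
    # Assumption of this example: a 32-bit installer on 64-bit Windows may be redirected to
    # Wow6432Node, so both registry views are checked.
    $candidates = @(
        $KeyPath
        ($KeyPath -replace '^(HKLM:\\SOFTWARE)\\', '$1\Wow6432Node\')
    )
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) {
            $props = Get-ItemProperty -LiteralPath $path
            return [pscustomobject]@{
                Detected    = $true
                KeyPath     = $path
                DisplayName = $props.DisplayName
                Version     = $props.DisplayVersion
            }
        }
    }
    [pscustomobject]@{ Detected = $false; KeyPath = $null; DisplayName = $null; Version = $null }
}

function Resolve-InstallerReturnCode {
    param([Parameter(Mandatory)][int]$ExitCode)
    # Return-code mapping from step 10: 0 = success, 3010 = success with restart; anything else fails.
    switch ($ExitCode) {
        0       { 'Success' }
        3010    { 'Success, restart required' }
        default { "Failed (exit code $ExitCode)" }
    }
}

function Invoke-OfficeSetupCheck {
    param(
        # Paths are assumptions of this example; point them at the extracted setup files.
        [string]$SetupExe   = '.\setup.exe',
        [string]$ConfigFile = '.\install.xml'
    )
    # Same command line as step 9 ("setup.exe /configure install.xml"), run synchronously so the
    # exit code can be read back and mapped with the same table entered in step 10.
    $proc = Start-Process -FilePath $SetupExe -ArgumentList "/configure `"$ConfigFile`"" -Wait -PassThru
    [pscustomobject]@{
        ExitCode = $proc.ExitCode
        Result   = Resolve-InstallerReturnCode -ExitCode $proc.ExitCode
        Detected = (Test-OfficeProPlusDetected).Detected
    }
}

# Usage on a reference PC:
Test-OfficeProPlusDetected | Format-List
Resolve-InstallerReturnCode -ExitCode 3010
# Invoke-OfficeSetupCheck -SetupExe 'C:\OfficeSource\setup.exe' -ConfigFile 'C:\OfficeSource\install.xml'
```

Run the detection function once before and once after a manual install: if Detected stays False after a run that returned 0 or 3010, the registry key you chose is not the one this installer writes, and the Intune deployment will report the same mismatch.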

Deploy the App

In this procedure, you'll deploy the app to selected devices or users.

To deploy the App

1. In the Intune administration console, click Apps > Apps > Office ProPlus > Manage
Deployment.

2. On the Select Groups page, select All computers to deploy the software to all PCs, and
then click Add > Next.

3. On the Deployment Action page, select Available Install from the Approval column for
your group.

4. Click Finish.

Monitor the app

You can see the apps you manage, and their deployment status in the Intune console.

To view the apps you manage and their status

In the Apps workspace, click the Apps node.

The list of apps you manage will be displayed. You can click any app to see its installation
status in the lower pane of the console window. Click the status to see more details. For
example, if the status shows that 1 computer has installation pending, you can click the
message to see the name of the computer.

Deploy Apps to Mobile Devices in Microsoft Intune

This generally involves three steps:

- Configure the App
- Deploy the App
- Monitor the App

Configure the App

In this procedure, you'll use the Intune Software Publisher to configure the properties of the app
and, where applicable, upload it to your cloud storage space.

To configure an App using Managed iOS App

1. In the Intune administration console, click the Apps icon, then click Apps > Add App. If
prompted, enter your Intune credentials.

2. Review the security warning and click Run.

3. On the Before you begin page, click Next.

4. On the Software setup page, in Select how this software is made available to devices,
select Managed iOS App from App store.

5. Enter the location of the software setup files, and then click Next.
6. On the Software description page, provide the information that you want users to see in
the company portal for the software, and then click Next. The following settings are
available:

Setting | Details
Publisher | Enter the name of the publisher: Microsoft.
Name | Enter Microsoft word for iOS.
Description | Enter a description for the software, such as Other.
Category | Select the category that best fits this software: Other.
Display this as a featured app and highlight it in the company portal | Select this option to display the app prominently in the company portal on mobile devices.
Icon | Choose whether to associate an icon with the software. The maximum size for the icon is 250 x 250 pixels. The recommended size is 32 x 32 pixels. This setting is optional, so skip it for this walkthrough.

7. On the Requirements page, select Any.

8. On the Summary page, verify the software information, and then click Upload.

9. Click Close to exit the wizard.

To configure an App using External link

1. In the Intune administration console, click the Apps icon, then click Apps > Add App. If
prompted, enter your Intune credentials.

2. Review the security warning and click Run.

3. On the Before you begin page, click Next.

4. On the Software setup page, in Select how this software is made available to devices,
select External link.

5. Enter the external link for the software in Specify the URL, and then click Next. Make
sure that you preface the URL with http://. This example deploys Skype. Depending on
which mobile device platform you are using for this walkthrough, use one of the
following links:
a. iOS: https://itunes.apple.com/us/app/skype-for-iphone/id304878510?mt%3D8
b. Android: https://play.google.com/store/apps/details?id=com.skype.raider
c. Windows Phone 8 or Windows Phone 8.1: http://www.windowsphone.com/en-us/store/app/skype/c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51

6. On the Software description page, provide the information that you want users to see in
the company portal for the software, and then click Next. The following settings are
available (this example refers to Microsoft Lync):

Setting | Details
Publisher | Enter the name of the publisher: Microsoft.
Name | Enter Skype.
Description | Enter a description for the software, such as Skype communication app.
Category | Select the category that best fits this software: Collaboration.
Display this as a featured app and highlight it in the company portal | Select this option to display the app prominently in the company portal on mobile devices.
Icon | Choose whether to associate an icon with the software. The maximum size for the icon is 250 x 250 pixels. The recommended size is 32 x 32 pixels. This setting is optional, so skip it for this walkthrough.

7. On the Summary page, verify the software information, and then click Upload. Click
Close to exit the wizard.

Deploy the App

In this procedure, you'll deploy the app to selected devices or users.

To deploy the App

1. In the Intune administration console, click Apps > Apps > Skype > Manage Deployment.

2. On the Select Groups page, select Test Users to deploy the software to that user group,
and then click Add > Next.

3. On the Deployment Action page, select Available Install from the Approval column for
your group.

4. Click Finish.

Monitor the app

You can see the apps you manage, and their deployment status in the Intune console.

To view the apps you manage and their status

In the Apps workspace, click the Apps node.

The list of apps you manage will be displayed. You can click any app to see its installation
status in the lower pane of the console window. Click the status to see more details. For
example, if the status shows that 6 users have this software available, you can click the
message to see the names of the users.

Chapter 9
Configure Alerts, Notifications and Reports
In the Intune administration console, alerts are used to quickly assess the overall health of
managed devices in your organization. You can configure and customize alerts so that they
report and display only the information you need for your organization. You can set whether an
alert is enabled or disabled, configure the severity, use the display threshold to determine how
frequently an alert event must be triggered before an alert is displayed, and also configure
settings that are specific to certain types of alerts.

Notifications are used to inform administrators (and other users) by e-mail when certain types
of alerts are triggered.

Reports are used to answer a range of questions, such as how many computers have a particular
application or update installed, what malware was blocked, or which users needed Remote
Assistance over the last month.

Configure Alerts in Microsoft Intune


Posted on August 19, 2015 by Mai Ali

To configure an alert

1. In the Intune administration console, click Alerts > Overview > Configure Alert Type
Settings.

2. Click the search box, type “malware”, and then click the search icon.
3. Right-click Investigate New Malware > Configure. Note that this alert is part of the
Endpoint Protection category.

4. In the Severity list, change the alert severity to Critical, and then click OK.

Configure Notifications in Microsoft Intune

To create a notification based on an alert

1. First we’ll add some email addresses to our list of possible notification recipients. In the
Intune administration console, click Admin > Alerts and notifications > Select Recipients
for Email Notifications.

2. Click Add.

3. Enter and confirm an email address for a notification recipient, then click OK. Repeat as
necessary to add recipients.

4. In the Intune administration console, click Alerts > Overview > and under Tasks, click
Configure Notification Rules.

5. Click Create New Rule.

6. Complete Step 1 of the Create Notification Rule Wizard as follows:
   - Name: type “Critical Malware Alerts”.
   - Select the categories that apply: choose Endpoint Protection.
   - Select the alert severity: choose Critical.
   - Click Next.

7. Complete Step 2 of the wizard by selecting “Test Devices PC” and then clicking Next.

8. Complete Step 3 of the wizard by choosing the e-mail addresses that will be notified.

9. The notification rule is now created.

Configure Reports in Microsoft Intune

To create a simple report

1. In the Intune administration console, click Reports > Mobile Device Inventory Reports.

2. Under Select device groups, click Edit.

3. Clear the checkbox for All Devices and select the checkbox for Test Devices Mobiles.

4. Click View Report.

5. To view the report, click Load at the top right of the console, then View Report at the
bottom right of the console.

6. Click Save As.

7. For the name, type “Test Devices Mobiles Report”.

8. You now have a report that shows you the inventory for all devices in the Test Devices
Mobiles group.

Chapter 10
Enroll Mobile Devices in Intune
For Android

Android mobile devices allow users to enroll using the Company Portal app available from
Google Play.

Enroll Android devices in Intune

1. On your Android device, open the Play Store and search for Intune, open the Intune
Company Portal app page and click INSTALL, then accept the permissions

2. Open the Intune Company Portal app and click on Sign in

3. Type your user name and password

4. Click Sign in, then click Enroll and then Activate

Note: Depending on the policies defined in Intune, you will receive prompts to set up a
password and/or encrypt your device. Follow the prompts to make the device compliant.

5. The mobile device is now enrolled

For iOS

To enroll an iOS phone, follow the steps below:

1. From the iOS device, open the App Store app and search for Intune

2. Open Microsoft Intune Company Portal app and click on Get

3. Click Install

4. Open the app and type your user name and password

5. Click on Sign in

6. Wait for the process to complete


7. Read the rules and conditions, then click Enroll

8. Click on Install

9. Enter Passcode

10. Click Install again

11. Click Trust

12. Click on Done

13. Click OK. The mobile device is now enrolled.

For Windows Phone

Follow these steps to enroll a Windows Phone 8.1 device.

1. Click Store and search for Intune

2. Click Intune

3. On Company Portal, click View

4. Type your username and password, then click Sign in

5. On the Windows phone, open Settings and click workplace

6. Click add account

7. Type your user name and click Sign in

8. Type your username and password, then click Sign in

9. The account is added; click Done

10. Settings > workplace now shows the account as enrolled

11. The Company Portal now shows the device as enrolled

Custom Company Portal

To configure the Company Portal, follow the steps below:

1. Log on to the Microsoft Intune administration console; navigate to Admin > Company
Portal > Terms and Conditions; select Require users to accept company terms and
conditions before using the Company Portal, provide the following information and click
Save:
   - Title: Test lab
   - Text for terms: You agree company terms and conditions before using company portal
   - Text to explain what it means if the user accepts: You agree company terms and conditions before using company portal

2. On the Customization tab, select Theme color “purple”, then select Include a company logo.
Select Show the company name next to your logo.

3. Click Save. Open Company Portal.

Chapter 11
Configure Mobile Application Management Policies “MAM”
Control Applications using Mobile Application Management Policies

Mobile application management policies in Microsoft Intune let you modify the functionality of
apps that you deploy to help bring them into line with your company compliance and security
policies. For example, you can restrict cut, copy and paste operations within a managed app, or
configure an app to open all web links inside a managed browser.
MAM policies work only with managed apps.

Control applications using mobile application management (MAM) policies


1. From the Intune Portal, click on Policy > Configuration Policies and Click on Add

2. Select Software, then select Mobile Application Management (iOS 7.1 and later)

3. Select Create a Custom Policy and Click on Create Policy

4. Type the name of the policy “App. Policy for iOS”

5. Customize your policy

6. Click on Save Policy

7. Click on APPS > Click on Apps, select your managed app “Microsoft word for iOS” and
Click on Manage Deployment

8. Select your group “Test Group” and Click on Add then Click on Next

9. Select the Approval option “Required Install” and Click on Next

10. Select the App Management Policy

11. Click on Next, then Next again and Finish

Use Mobile Application Management without MDM

You can use Mobile Application Management (MAM) without enrolling the device in Intune
MDM, or even when the device is enrolled in a third-party MDM solution.

Use Mobile Application Management (MAM) without enrolling the device in MDM


1. Log in to the Azure Portal, click Browse, then click Intune

2. Click on Policy

3. Click on Add a policy

4. Type a name for the policy “App. Policy for Office iOS”

5. Click on Apps

6. Select the apps you want this policy to apply to

7. Click on Settings and choose your options

8. Click on Create

9. Select the policy created previously and click on User Group

10. Click on Add user group and select the group you want the policy to apply to

Chapter 12
Resource Access Profile with Microsoft Intune
Microsoft Intune resource access profiles work together to help your users gain access to the
files and resources they need to do their work successfully, wherever they are.

Intune provides the following mobile device policies that help you to accomplish this goal:

Intune policy | What it does | Windows 8.1 and later | Windows Phone 8.1 and later | iOS | Android | Samsung KNOX
Certificate Profiles | Help secure access to company resources including wireless networks and VPN connections. | Yes | Yes | Yes | Yes | Yes
Wi-Fi Profiles | Deploy wireless network settings to your users. By deploying these settings, you minimize the end-user effort required to connect to the corporate network. | Yes (you can import a Windows Wi-Fi profile) | Yes (you can configure OMA-URI) | Yes | Yes | Yes
VPN Profiles | Deploy Virtual Private Network (VPN) settings to your users. By deploying these settings, you minimize the end-user effort required to connect to resources on the corporate network. | Yes | Yes | Yes | Yes | Yes
Email Profiles | Create, deploy and monitor Exchange ActiveSync email settings on devices in your organization. | No | Yes | Yes | No | Yes

Enable access to corporate email using email profiles

Email profiles in Microsoft Intune help you create, deploy and monitor Exchange ActiveSync
email settings on devices. This lets users access corporate email on their personal devices
without any required setup on their part.

Enable access to corporate email using Email profiles

These steps will help you deploy an email profile for iOS devices.

1. From the Intune Portal, click Policy > Configuration Policies, then click Add

2. Click on Email Profile (iOS 7.1 and later) and Click on Create Policy

3. Type a name for the policy “Email Profile for iOS” and Type the URL for the Exchange
server “Outlook.office.com”

4. Type a name for the profile “Office 365” then Click on Save Policy

5. Click on Yes

6. Select a group to apply the policy to “Test Group” and Click on Add

7. Click on OK

Help users connect to their work using VPN profiles

VPN profiles in Microsoft Intune help you deploy Virtual Private Network (VPN) settings to
your users. By deploying these settings, you minimize the end-user effort required to connect to
resources on the corporate network.

Help users connect to their work using VPN profiles

These steps will help you deploy a VPN profile for Windows devices.

1. From the Intune Portal, click on Policy > Configuration Policies and Click on Add

2. Select VPN Profile (Windows 8.1 and later), then click Create Policy

3. Type a name for the policy “VPN Profile for Win.”, then type the VPN connection name
“Test IT VPN”

4. Type the VPN server description “VPN Connection to Test IT HQ” and the server IP
address “41.38.25.xxx”. Click Save Policy

5. Click on Yes

6. Select a group to apply the policy to “Test Group” and Click on Add

7. Click on OK

Help users connect to company networks using Wi-Fi profiles

Wi-Fi profiles in Microsoft Intune help you deploy wireless network settings to your users. By
deploying these settings, you minimize the end-user effort required to connect to the corporate
network.

Help users connect to company networks using Wi-Fi profiles

These steps will help you deploy a Wi-Fi profile for Android devices.

1. From the Intune Portal, click on Policy > Configuration Policies and Click on Add

2. Click Wi-Fi Profile (Android 4 and later), then click Create Policy

3. Type a name for the policy “Wi-Fi Profile for Android”

4. Type the network name “OfficeMaadi” and the SSID “OfficeMaadi”. The network name and
SSID must match.

5. Select “Connect automatically when this network is in range” and “Connect when the
network is not broadcasting its name (SSID)”
6. Select EAP type “PEAP”, type “PEAP” for Enable identity privacy, then click Save
Policy

7. Click on Yes

8. Select a group to apply the policy to “Test Group” and Click on Add

9. Click on OK

Import a Wi-Fi configuration profile (Windows 8.1 and later only)

Use the Windows Wi-Fi Import Policy to import a set of Wi-Fi settings that you can then
deploy to the required user or device groups.
1. Open a command prompt and run “netsh wlan export profile Dlink_DWR”

2. In the Microsoft Intune administration console, click Policy > Add Policy.

3. Configure a policy of the type Windows > Windows Wi-Fi Import Policy.

4. Under General, specify the values for the Windows Wi-Fi Import Policy; type the name
“Wi-Fi Profile for Windows”

5. Under the Custom Wi-Fi Profile heading, click Import

6. When you are finished, click Save Policy.

7. Click yes

8. Select a group to apply the policy to “Test Group” and Click on Add

9. Click on OK

Enable access to company resources using Certificate profiles

Certificate profiles in Microsoft Intune help you secure access to company resources
including wireless networks and VPN connections.

Configure Prerequisites for Certificate Profile

Before you can configure certificate profiles you must complete the following tasks, which
require knowledge of Windows Server 2012 R2 and Active Directory Certificate Services
(ADCS):

Step 1 - Configure certificate templates on the certification authority
Step 2, for SCEP profile only - Configure prerequisites on the NDES server
Step 3, for SCEP profile only - Configure NDES for use with Intune
Step 4 - Enable, install, and configure the Intune Certificate Connector

Step 1 - Configure certificate templates on the certification authority

To configure the certification authority, follow the steps below:

1. Create a domain user account to use as the NDES service account. You will specify this
account when you configure templates on the issuing CA before you install and configure
NDES.

2. Create a new custom template, or copy and then edit an existing template (such as the
User template), for use with NDES.

3. Specify a friendly Template display name for the template “IntuneTemplate”

4. On the Subject Name tab, select Supply in the request. (Security is enforced by the Intune
policy module for NDES).

5. On the Extensions tab, ensure the Description of Application Policies includes Client
Authentication.

6. On the Security tab, add the NDES service account, and give it Read and Enroll
permissions to the template.

7. Click Apply and OK

8. Select the Certificate Templates node, click Action > New > Certificate Template to
Issue

9. Select the template you created in

10. Validate that the template is published by viewing it under the Certificate Templates folder.

Step 2, for SCEP profile only - Configure prerequisites on the NDES server

To configure prerequisites on the NDES server, follow the steps below:

1. When NDES is added to the server, the wizard also installs IIS. Ensure IIS has the
following configurations:
   - Web Server > Security > Request Filtering
   - Web Server > Application Development > ASP.NET 3.5. Installing ASP.NET 3.5 will install .NET Framework 3.5. When installing .NET Framework 3.5, install both the core .NET Framework 3.5 feature and HTTP Activation.
   - Web Server > Application Development > ASP.NET 4.5. Installing ASP.NET 4.5 will install .NET Framework 4.5. When installing .NET Framework 4.5, install the core .NET Framework 4.5 feature, ASP.NET 4.5, and the WCF Services > HTTP Activation feature.
   - Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility
   - Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility

2. On the server, add the NDES service account as a member of the local IIS_IUSRS group.

3. Run the following command to set the SPN of the NDES service account: setspn -s http/<DNS name of NDES Server> <Domain name>\<NDES Service account name>

4. On the server that will host NDES, you must log on as an Enterprise Administrator, and
then use the Add Roles and Features Wizard to install NDES

5. In the Wizard, select Active Directory Certificate Services to gain access to the AD CS
Role Services.

6. Select the Network Device Enrollment Service, uncheck Certification Authority, and then
complete the wizard.

7. On the Installation progress page of the wizard, do not click Close. Instead, click the link
for Configure Active Directory Certificate Services on the destination server.

8. The NDES configuration window opens

Step 3, for SCEP profile only - Configure NDES for use with Intune

To configure NDES, follow the steps below:

1. On the Role Services Page, select the Network Device Enrollment Service.

2. On the Service Account for NDES page, specify the NDES Service Account

3. On the CA for NDES page, click Select, and then select the issuing CA where you
configured the certificate template.

4. On RA Information, Click Next

5. On the Cryptography for NDES page, set the key length to meet your company
requirements.

6. On the Confirmation page, click Configure to complete the wizard.

7. After the wizard completes, edit the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\ on the NDES server: set
each of the three template values to your template name, “IntuneTemplate”

8. After editing the registry, run iisreset on the server to force the server to pick up recent
configuration changes.

To Install and bind certificates on the NDES Server


1. On your NDES Server, request and install a server authentication certificate from your
internal CA or public CA. You will then bind this SSL certificate in IIS.

2. After you obtain the server authentication certificate, open IIS Manager, select the
Default Web Site in the Connections pane, and then click Bindings in the Actions pane.

3. Click Add, set Type to https, and then ensure the port is 443. (Only port 443 is supported
for standalone Intune).

4. For SSL certificate, specify the server authentication certificate.

To configure IIS Request Filtering


1. On the NDES Server open IIS Manager, select the Default Web Site in the Connections
pane, and then open Request Filtering.

2. Click Edit Feature Settings, and then set the following:
   - Maximum query string (Bytes) = 65534
   - Maximum URL length (Bytes) = 65534

3. Review the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

4. Ensure the following values are set as DWORD entries:
   - Name: MaxFieldLength, with a decimal value of 65534
   - Name: MaxRequestBytes, with a decimal value of 65534

5. Reboot the NDES server. The server is now ready to support the Certificate Connector.

Step 4 - Enable, install, and configure the Intune Certificate Connector

To enable support for the Certificate Connector


1. Open the Intune administration console, click Admin > Certificate Connector.

2. Click Configure On-Premises Certificate Connector.

3. Select Enable Certificate Connector, and then click OK.

To download, install and configure the Certificate Connector


1. Click Request certificate, then enroll a client certificate based on the “IntuneTemplate” template

2. Open the Intune administration console, and then click Admin > Mobile Device
Management > Certificate Connector > Download Certificate Connector.

3. After the download completes, run the downloaded installer (ndesconnectorssetup.exe)

4. Click Next

5. Click Next

6. Click Next

7. Select SCEP and PFX Destination, then click Next

8. Click Select Client Intune Certificate

9. Click Next

10. Click Install

11. Select Launch Intune Connector and click Finish

12. Click Sign-in

13. On the Advanced tab, type the credentials

14. Successfully enrolled; click OK

15. Specify the credentials. Click Apply and close the window

16. Open a command prompt, type services.msc, and then press Enter. Right-click the
Intune Connector Service, and then click Restart.

17. To validate that the service is running, open a browser and enter the following URL, which
should return a 403 error: http://<FQDN_of_your_NDES_server>/certsrv/mscep/mscep.dll.
You are now ready to configure certificate profiles.
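
The NDES build above touches a local group, an SPN, three registry template values, two HTTP.sys limits, two request-filtering limits, an HTTPS binding and a service, and a typo in any of them surfaces only as a failed SCEP enrollment much later. The PowerShell below is an added example for this guide, not code from Microsoft or from the guide itself, that reads each of those settings back on the NDES server and reports pass/fail per item. The service account name is a placeholder, “IntuneTemplate” is the template name used in Step 1, and the value names under the MSCEP key (EncryptionTemplate, GeneralPurposeTemplate, SignatureTemplate) are the three template values Step 3 refers to. Run it in an elevated PowerShell session on the NDES server once Step 4 is complete.

```powershell
# Added example (not from the guide): read back the NDES settings from Steps 2 to 4 and report
# pass/fail per item. Every check is read-only. Run elevated on the NDES server.
# Assumptions: the service account below is a placeholder; 'IntuneTemplate' is the guide's template.

function Test-NdesConfiguration {
    [CmdletBinding()]
    param(
        [string]$NdesServiceAccount = 'CONTOSO\svc_ndes',   # placeholder, replace with your account
        [string]$TemplateName       = 'IntuneTemplate',
        [string]$NdesFqdn           = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        [string]$SiteName           = 'Default Web Site'
    )
    $results = New-Object System.Collections.Generic.List[object]
    $add = {
        param($Check, $Pass, $Detail)
        $results.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = "$Detail" })
    }

    # Step 2: the service account must be a member of the local IIS_IUSRS group.
    $members = (net localgroup IIS_IUSRS) | ForEach-Object { "$_".Trim() }
    & $add 'IIS_IUSRS membership' ($members -icontains $NdesServiceAccount) "account: $NdesServiceAccount"

    # Step 2: the HTTP SPN set with setspn -s must be listed for the account (setspn -L lists them).
    $spns = setspn -L $NdesServiceAccount 2>&1 | ForEach-Object { "$_".Trim() }
    & $add 'HTTP SPN' ($spns -icontains "http/$NdesFqdn") "expected http/$NdesFqdn"

    # Step 3: the three template values under MSCEP must all name the template.
    $mscep = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP' -ErrorAction SilentlyContinue
    foreach ($name in 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate') {
        $value = if ($mscep) { $mscep.$name } else { $null }
        & $add "MSCEP $name" ($value -eq $TemplateName) "value: $value"
    }

    # Request Filtering steps 3-4: HTTP.sys limits as DWORD 65534.
    $http = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters' -ErrorAction SilentlyContinue
    foreach ($name in 'MaxFieldLength', 'MaxRequestBytes') {
        $value = if ($http) { $http.$name } else { $null }
        & $add "HTTP.sys $name" ($value -eq 65534) "value: $value"
    }

    # Request Filtering step 2 and the SSL binding need the IIS WebAdministration module.
    Import-Module WebAdministration -ErrorAction SilentlyContinue
    $limits = $null; $https = $null
    if (Get-Command Get-WebConfiguration -ErrorAction SilentlyContinue) {
        $limits = Get-WebConfiguration -PSPath "IIS:\Sites\$SiteName" -Filter 'system.webServer/security/requestFiltering/requestLimits'
        $https  = Get-WebBinding -Name $SiteName -Protocol https | Where-Object { $_.bindingInformation -like '*:443:*' }
    }
    & $add 'Request Filtering maxQueryString' ($limits.maxQueryString -eq 65534) "value: $($limits.maxQueryString)"
    & $add 'Request Filtering maxUrl'         ($limits.maxUrl -eq 65534)         "value: $($limits.maxUrl)"
    & $add 'HTTPS binding on 443'             ($null -ne $https)                  "binding: $($https.bindingInformation)"

    # Step 4, item 17: the connector service must run and mscep.dll should answer 403.
    $svc = Get-Service -DisplayName 'Intune Connector Service' -ErrorAction SilentlyContinue
    & $add 'Intune Connector Service running' ($svc.Status -eq 'Running') "status: $($svc.Status)"

    $url = "http://$NdesFqdn/certsrv/mscep/mscep.dll"
    try {
        Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop | Out-Null
        & $add 'mscep.dll returns 403' $false 'HTTP 200 (expected 403)'
    } catch {
        $code = try { [int]$_.Exception.Response.StatusCode } catch { 0 }
        & $add 'mscep.dll returns 403' ($code -eq 403) "HTTP $code from $url"
    }

    $results
}

Test-NdesConfiguration -NdesServiceAccount 'CONTOSO\svc_ndes' | Format-Table -AutoSize
```

The 403 from mscep.dll is the expected answer because anonymous requests are rejected before the SCEP handler runs; a 404 instead means the mscep application is not present on the site being tested, and a connection error means the binding or the HTTP.sys limits are not in place yet. Keep the output from a healthy server so that a later enrollment failure can be compared against a known-good baseline.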

Configuring Certificate Profiles

After your infrastructure and certificates are configured, you can configure certificate profiles:

Step 1 - Export the Trusted Root CA certificate
Step 2 - Create Trusted CA certificate profiles
Step 3 - Create SCEP certificate profiles
Step 4 - Create PFX certificate profiles

Step 1 - Export the Trusted Root CA certificate

1. Export the root CA certificate as a .cer file from the issuing CA

Step 2 - Create Trusted CA certificate profiles

To create a Trusted CA certificate profile, follow the steps below:

1. Open the Intune administration console, and click Policy > Add Policy.

2. Select Android > Trusted Certificate Profile (Android 4 and later)

3. Click Import and Select Root Certificate

4. When you are finished, click Save Policy. Then Click Yes.

5. Select a group to apply the policy to “Test Group” and Click on Add

6. Click Ok

Step 3 - Create SCEP certificate profiles

To create a SCEP certificate profile, follow the steps below:

1. From the Intune Portal, click on Policy > Configuration Policies and Click on Add

2. Select Android > SCEP Certificate Profile (Android 4 and later) and Click on Create
Policy

3. Type a name for the policy “SCEP for Android”. Type the URL for the SCEP

4. Select Subject name and user principal name

5. When you are finished, click Save Policy.

6. Click yes

7. Select a group to apply the policy to “Test Group” and Click on Add

8. Click OK

Step 4 - Create PFX certificate profiles

To create a PFX certificate profile, follow the steps below:

1. From the Intune Portal, click on Policy > Configuration Policies and Click on Add

2. Select Android > PFX Certificate Profile (Android 4 and later) and Click on Create
Policy


3. Type a name for the policy (“PFX cert. for Android”).

4. Type the certificate authority, certificate authority name, and certificate template.


7. When you are finished, click Save Policy.

8. Click Yes.


9. Select the group to apply the policy to (“Test Group”) and click Add.

10. Click OK.


APPENDIX
Firewall and Proxy Server Settings for Client Computers
Those of you out there with firewalls may have run into issues with the Windows Intune clients having difficulty communicating with the service. The excerpt below provides detailed information on how to set up your firewall for a successful Windows Intune implementation. Thanks go to our awesome documentation team for putting this together, and to the Windows Intune client team for doing the research and testing.
If you want to use Windows Intune™ to manage client computers that exist behind firewalls or proxy servers, you must configure the firewall or proxy server to allow Windows Intune to communicate with the client computers.

Required firewall configuration

If the client computers exist behind a firewall, you must configure the firewall to allow communications with the domains through the specified ports that are listed in the following tables.

Required domains for documentation, online Help, and support

Domain                           Ports
*.livemeeting.com                80 and 443
*.microsoftonline.com            80
onlinehelp.microsoft.com         80
*.social.technet.microsoft.com   80
blogs.technet.com                80
go.microsoft.com                 80
www.microsoft.com                80

Required domains for Microsoft Update Services

Domain                           Ports
*.update.microsoft.com           80 and 443
download.microsoft.com           80 and 443
update.microsoft.com             80 and 443

Depending on the firewall and how it processes DNS lookup requests, you might also need to allow access to the domain manage.microsoft.com.nsatc.net on port 80.

Required domains for Windows Intune and related services


Domain                           Ports
*.manage.microsoft.com           80 and 443
*.spynet2.microsoft.com          443
manage.microsoft.com             80 and 443
wustat.microsoft.com             80 and 443

Required domains for Windows Update Services

Domain                           Ports
*.download.windowsupdate.com     80 and 443
*.windowsupdate.com              80 and 443
download.windowsupdate.com       80 and 443
ntservicepack.microsoft.com      80 and 443
windowsupdate.microsoft.com      80 and 443
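To verify the rules above from an actual client rather than from the firewall console, the PowerShell below is an added example that is not part of this guide. It probes each concrete host named in the tables on its listed ports with Test-NetConnection. Wildcard entries such as *.livemeeting.com, *.microsoftonline.com, *.social.technet.microsoft.com and *.spynet2.microsoft.com have no single host to test, so only the concrete hosts the tables list are included; that selection is a choice made here, not something the guide states.

```powershell
# Added example: check from a client computer that the Windows Intune, update
# and documentation endpoints listed above are reachable on the required ports.
$Endpoints = @(
    @{ Host = 'manage.microsoft.com';        Ports = 80, 443 }
    @{ Host = 'wustat.microsoft.com';        Ports = 80, 443 }
    @{ Host = 'update.microsoft.com';        Ports = 80, 443 }
    @{ Host = 'download.microsoft.com';      Ports = 80, 443 }
    @{ Host = 'download.windowsupdate.com';  Ports = 80, 443 }
    @{ Host = 'windowsupdate.microsoft.com'; Ports = 80, 443 }
    @{ Host = 'ntservicepack.microsoft.com'; Ports = 80, 443 }
    @{ Host = 'onlinehelp.microsoft.com';    Ports = 80 }
    @{ Host = 'blogs.technet.com';           Ports = 80 }
    @{ Host = 'go.microsoft.com';            Ports = 80 }
    @{ Host = 'www.microsoft.com';           Ports = 80 }
)

$results = foreach ($e in $Endpoints) {
    foreach ($port in $e.Ports) {
        # Test-NetConnection resolves the name and attempts a TCP handshake;
        # -InformationLevel Quiet reduces the output to $true/$false.
        $ok = Test-NetConnection -ComputerName $e.Host -Port $port `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $e.Host; Port = $port; Reachable = $ok }
    }
}

$results | Format-Table -AutoSize
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    $list = ($blocked | ForEach-Object { "$($_.Host):$($_.Port)" }) -join ', '
    Write-Warning "$($blocked.Count) endpoint/port pair(s) unreachable; review the firewall rules for: $list"
}
```

A failed TCP handshake here only tells you that the path from this client is closed; it does not distinguish a firewall rule from a proxy that requires authentication, which is why the proxy section that follows matters just as much.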

Required proxy server configuration

If the client computers exist behind a proxy server, you must configure the proxy server as follows:

• Windows Intune communicates with client computers by using both the HTTP and HTTPS protocols. Confirm that the proxy server supports HTTP and HTTPS.
• Windows Intune supports the Non-auth and Negotiate (Kerberos) authentication methods. If the proxy server uses the Negotiate (Kerberos) authentication method, the proxy server must allow computer accounts (instead of domain user accounts) to be enrolled in the service, because the client software enrollment package runs as the LocalSystem user.

You can modify proxy server settings on individual client computers, or you can use Group Policy to change settings for all client computers that exist behind a specified proxy server. Authenticated proxy servers are not supported.


Reference
TechNet Microsoft
• https://www.microsoft.com/en-us/server-cloud/products/microsoft-intune/overview.aspx
• https://technet.microsoft.com/en-us/library/dn646960.aspx
• https://technet.microsoft.com/en-us/library/mt282239.aspx

Other articles
This eBook is part of a series of articles dedicated to configuring and troubleshooting the System Center family and Intune.
They are written and hosted on Mai Ali’s blog, http://expertslab.wordpress.com
• How to Install Operations Manager 2012 R2 using PowerShell
• Troubleshooting the Installation of the System Center Operations Manager Agent
• SQL Server cannot authenticate using Kerberos because the Service Principal Name (SPN) is missing, misplaced, or duplicated
• Removing Bulk Management Packs using PowerShell
• Enable Proxy Agent for all SCOM Agents
• Error Configure Portal web site during Install SCSM
