Deploy Intune 101 – For Beginners – Part 2📱💻
http://guides.uemauthority.com/knowledge-base/deploy-intune-101-for-beginners-part-2/
UEM Authority (Learn. Test. Deploy) – published Mon, 18 Oct 2021 15:04:05 +0000

The information on this course is provided ‘AS IS’ with no warranties and confers no rights. This course does not represent the views of my employer. All content on this site is solely my own personal views and recommendations.


Introduction

In this free training course, you will learn how to configure and deploy Intune (Endpoint Manager) as a stand-alone UEM solution. This article will teach you steps to enable Intune (Endpoint Manager) to a state where the solution is ready to onboard mobile devices.
 
For your convenience, this free training course has been split into two parts. This blog article is Part 2. Make sure to read and follow Part 1 first before continuing here.

Guide

This guide is presented in both video and written format to provide maximum learning potential. We recommend watching each follow-along video with the written guide to hand, as a secondary aid.


Episode 5 – Device Categories & Azure AD Groups

Create Device Categories

Sign in to your Endpoint Manager portal by browsing to https://endpoint.microsoft.com

From the home dashboard, navigate to Devices > Device Categories.

Select the ‘Create Device Category’ button.

Set a Name and Description.
**Example**
Name: Marketing
Description: Device category for Marketing devices

Select ‘Next’ and keep the default Scope Tag selected.

Select ‘Next’ and then ‘Create’.

You will see Marketing device category appear in the list ready for use.

Create an Azure AD Dynamic Group

Sign in to your Azure portal by browsing to https://portal.azure.com

From the home dashboard, select ‘Azure Active Directory’.

From the left side menu, select ‘Groups’.

Select the ‘New Group’ button.

Complete the required information:

**Example**
Group Type: Security
Group Name: Marketing Devices
Group Description: Group for Marketing devices.
Azure AD roles can be assigned to the group: No
Membership Type: Dynamic Device
Owners: No

Select ‘Add Dynamic Query’

Within the query builder, we configure the query values as below:

Property: deviceCategory
Operator: Equals
Value: Marketing (Friendly name given to your device category in Endpoint Manager)

Clicking away from the query builder, we can see Azure AD automatically translates your configuration values into a Rule Syntax.

The Rule Syntax should look identical to this, except that the value between the quotation marks is your own device category friendly name:

(device.deviceCategory -eq "Your_Device_Category_Name")

Select the ‘Save’ button to save the dynamic query.

Select the ‘Create’ button to build the Azure AD dynamic group.

Once created, you will see Marketing Devices Azure AD dynamic group appear in the list ready for use.

See in Action

During enrolment to Endpoint Manager, Company Portal app will request the user select a device category from the list provided.

In this example, the Marketing device category is selected in order to demonstrate an Azure AD dynamic group at work.

Once enrolment has completed and the device’s deviceCategory attribute has been set, Azure AD re-evaluates the dynamic membership rule against the device’s attributes. If the device matches the criteria in the rule syntax, it is automatically added as a member of the group. Membership processing is asynchronous, so allow a few minutes before checking.

We can see our iPhone is now a member of the Marketing Devices group.
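As an added example (not part of the original guide), the script below builds the Microsoft Graph request body that the ‘New Group’ dialog submits for this dynamic device group and tests the membership rule locally against a few constructed device records, so you can see which devices a rule would pick up before creating the group. The device records, the dynamic_device_group helper and the small rule evaluator are assumptions made for illustration; the evaluator understands only -eq, -startsWith and -contains clauses joined by a single kind of connector (-and or -or).

```python
"""Added example (not from the original guide): build the request body for the
Azure AD dynamic device group created above and evaluate its membership rule
locally against constructed device records. The device records, the Graph
body helper and the small rule evaluator are assumptions for illustration."""
import re
from typing import Any, Dict, List

# One clause of the subset of Azure AD rule syntax this evaluator understands,
# e.g. (device.deviceCategory -eq "Marketing").
CLAUSE = re.compile(r'\(\s*device\.(\w+)\s+-(eq|startsWith|contains)\s+"([^"]*)"\s*\)')
CONNECTOR = re.compile(r"\s+-(and|or)\s+")


def membership_rule(category: str) -> str:
    """Rule the portal generates for a device-category group (see Rule Syntax above)."""
    if not category.strip() or '"' in category:
        raise ValueError("category name must be non-empty and contain no double quotes")
    return f'(device.deviceCategory -eq "{category}")'


def dynamic_device_group(name: str, category: str, description: str = "") -> Dict[str, Any]:
    """Body for POST https://graph.microsoft.com/v1.0/groups (security group, dynamic device membership)."""
    return {
        "displayName": name,
        "description": description,
        "mailEnabled": False,
        "mailNickname": re.sub(r"[^A-Za-z0-9]", "", name) or "group",
        "securityEnabled": True,
        "groupTypes": ["DynamicMembership"],
        "membershipRule": membership_rule(category),
        "membershipRuleProcessingState": "On",
    }


def _clause_matches(device: Dict[str, Any], prop: str, op: str, value: str) -> bool:
    actual = device.get(prop)
    if not isinstance(actual, str):  # unset attribute: treated as never matching (assumption)
        return False
    if op == "eq":
        return actual == value
    if op == "startsWith":
        return actual.startswith(value)
    return value in actual  # contains


def evaluate_rule(rule: str, device: Dict[str, Any]) -> bool:
    """Evaluate clauses joined by one connector type; mixed -and/-or is rejected rather than guessed."""
    parts = CONNECTOR.split(rule.strip())
    clauses, connectors = parts[0::2], parts[1::2]
    if len(set(connectors)) > 1:
        raise ValueError("rules mixing -and and -or are not supported by this evaluator")
    results = []
    for clause in clauses:
        match = CLAUSE.fullmatch(clause.strip())
        if match is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        results.append(_clause_matches(device, *match.groups()))
    return all(results) if connectors and connectors[0] == "and" else any(results)


def group_members(rule: str, devices: List[Dict[str, Any]]) -> List[str]:
    """Display names of the devices Azure AD would add as members under this rule."""
    return [d["displayName"] for d in devices if evaluate_rule(rule, d)]


# Constructed sample inventory (not real devices). The last one enrolled without
# a category being set, so deviceCategory is unset and it joins no category group.
SAMPLE_DEVICES = [
    {"displayName": "iPhone-John", "deviceOSType": "iPhone", "deviceCategory": "Marketing"},
    {"displayName": "Pixel-Jane", "deviceOSType": "Android", "deviceCategory": "Finance"},
    {"displayName": "iPad-Shared", "deviceOSType": "iPad", "deviceCategory": "Sales"},
    {"displayName": "iPhone-NoCategory", "deviceOSType": "iPhone"},
]

if __name__ == "__main__":
    body = dynamic_device_group("Marketing Devices", "Marketing", "Group for Marketing devices.")
    print(body["membershipRule"])
    print(group_members(body["membershipRule"], SAMPLE_DEVICES))
```

Note the device whose deviceCategory attribute is unset: no category-based rule ever selects it, so any policy targeted through category groups silently misses it. For devices that have no category, set one in the portal under the device’s Properties, then re-check the group membership.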

Episode 6 – iOS Compliance Policy, iOS Configuration Profile & Email Profile

Create an iOS Compliance Policy

Note – A compliance policy defines the rules and settings that an organisation requires users and devices to meet. The Endpoint Manager compliance engine assesses each user and device against those rules to determine its compliance status. A compliance policy does not configure the device; it only evaluates it (applying settings is the job of a configuration profile).

Sign in to your Endpoint Manager portal by browsing to https://endpoint.microsoft.com
From the home dashboard, navigate to Devices > Compliance Policies.

Select the ‘Create Policy’ button.

Select ‘iOS/iPadOS’ as the platform and then select ‘Create’.

Set a Name and Description.
**Example**
Name: iOS – Compliance Policy
Description: Compliance policy for iOS devices.

Select ‘Next’

For the purposes of this training course, the following example baseline compliance settings will be set:
**Example**
Email

  • Unable to set up email on the device: Require

Device Health

  • Jailbroken devices: Block
  • Require the device to be at or under the Device Threat Level: Not Configured

Device Properties

  • Minimum OS version: 13.0
  • Microsoft Defender for Endpoint: Not Configured

System Security

  • Require a password to unlock mobile devices: Require
  • Simple passwords: Block
  • Minimum password length: 6
  • Required password type: Numeric
  • Number of non-alphanumeric characters in password: 1
  • Maximum minutes after screen lock before the password is required: Immediately
  • Maximum minutes of inactivity until screen locks: 5 minutes

Select ‘Next’.
Actions for noncompliance will remain unchanged.

Select ‘Next’.

Under Assignments, select ‘Add Groups’.

In this example, the ‘Corporate Devices’ group will be selected.

Select ‘Select’ to add your Azure AD Group.

Select ‘Next’ and then ‘Create’.

Once created, you will see the compliance policy appear in the list ready for use.

See in Action

Device compliance status can be validated on the device by the user. Observing our enrolled device with Company Portal app, we can see the status says “Can access company resources”.

Within the Endpoint Manager portal, we can validate the compliance status of a device by navigating to Devices > All Devices.

Observing the device in question, we can see the compliance column indicates the device is compliant.

Selecting the device entry, under Device Compliance on the left side menu, we can see the compliance policy we created successfully assessed the device.
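As an added example (not part of the original guide), the script below models how the compliance engine assesses a device against the baseline above: it takes a device record, checks each setting and returns the settings the device fails, without changing anything on the device. The device records and their field names are constructed for illustration; the policy dictionary uses the property names of the Graph iosCompliancePolicy resource so that the same values can be posted to /deviceManagement/deviceCompliancePolicies.

```python
"""Added example (not from the original guide): a local model of how the
compliance engine assesses an iOS device against the baseline values chosen
above. The device records, their field names and the evaluator are assumptions
for illustration; the policy keys follow the Graph iosCompliancePolicy resource."""
from typing import Any, Dict, List, Tuple

IOS_COMPLIANCE_POLICY: Dict[str, Any] = {
    "@odata.type": "#microsoft.graph.iosCompliancePolicy",
    "displayName": "iOS – Compliance Policy",
    "managedEmailProfileRequired": True,      # Unable to set up email on the device: Require
    "securityBlockJailbrokenDevices": True,   # Jailbroken devices: Block
    "osMinimumVersion": "13.0",
    "passcodeRequired": True,
    "passcodeBlockSimple": True,
    "passcodeMinimumLength": 6,
    "passcodeRequiredType": "numeric",
    "passcodeMinutesOfInactivityBeforeLock": 0,            # password required: Immediately
    "passcodeMinutesOfInactivityBeforeScreenTimeout": 5,   # screen locks after 5 minutes
}


def _version(v: str) -> Tuple[int, ...]:
    """Numeric version tuple; plain string comparison would rank '9.3.5' above '13.0'."""
    return tuple(int(part) for part in v.split("."))


def evaluate_ios_compliance(device: Dict[str, Any], policy: Dict[str, Any]) -> List[str]:
    """Return the settings the device fails (empty list = Compliant). Nothing on the device is changed."""
    failures: List[str] = []
    if policy.get("securityBlockJailbrokenDevices") and device.get("jailbroken"):
        failures.append("Jailbroken devices: Block")
    minimum = policy.get("osMinimumVersion")
    if minimum and _version(device["osVersion"]) < _version(minimum):
        failures.append(f"Minimum OS version: {minimum}")
    if policy.get("managedEmailProfileRequired") and not device.get("managedEmailProfile"):
        failures.append("Unable to set up email on the device: Require")
    if policy.get("passcodeRequired"):
        if not device.get("passcodeSet"):
            failures.append("Require a password to unlock mobile devices: Require")
        else:
            if device.get("passcodeLength", 0) < policy.get("passcodeMinimumLength", 0):
                failures.append(f"Minimum password length: {policy['passcodeMinimumLength']}")
            if policy.get("passcodeBlockSimple") and device.get("passcodeSimple"):
                failures.append("Simple passwords: Block")
            timeout = policy.get("passcodeMinutesOfInactivityBeforeScreenTimeout")
            if timeout is not None and device.get("screenTimeoutMinutes", 0) > timeout:
                failures.append(f"Maximum minutes of inactivity until screen locks: {timeout} minutes")
    return failures


def compliance_state(device: Dict[str, Any], policy: Dict[str, Any]) -> str:
    """The value the Compliance column in Devices > All Devices would show."""
    return "Compliant" if not evaluate_ios_compliance(device, policy) else "Not compliant"


# Constructed sample devices (not real inventory).
SAMPLE_DEVICES: List[Dict[str, Any]] = [
    {"deviceName": "iPhone-John", "osVersion": "15.1", "jailbroken": False, "managedEmailProfile": True,
     "passcodeSet": True, "passcodeLength": 6, "passcodeSimple": False, "screenTimeoutMinutes": 5},
    {"deviceName": "iPhone-Old", "osVersion": "9.3.5", "jailbroken": False, "managedEmailProfile": True,
     "passcodeSet": True, "passcodeLength": 6, "passcodeSimple": False, "screenTimeoutMinutes": 5},
    {"deviceName": "iPhone-Jailbroken", "osVersion": "14.8", "jailbroken": True, "managedEmailProfile": True,
     "passcodeSet": True, "passcodeLength": 4, "passcodeSimple": True, "screenTimeoutMinutes": 5},
]

if __name__ == "__main__":
    for device in SAMPLE_DEVICES:
        print(device["deviceName"], compliance_state(device, IOS_COMPLIANCE_POLICY),
              evaluate_ios_compliance(device, IOS_COMPLIANCE_POLICY))
```

Two practical points the model makes visible: OS versions must be compared numerically, because as strings "9.3.5" sorts after "13.0" and an old device would wrongly pass; and when you create the policy through Graph rather than the portal, the request must also carry scheduledActionsForRule with at least a block action, otherwise the service rejects it.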

Create an iOS Configuration Profile

Note – Apple iOS/iPadOS supervised mode gives administrators more options when managing Apple devices, making it useful for corporate-owned devices deployed at scale. For example, you can restrict AirDrop or prevent users from changing the name of the device. For a list of settings that require supervised mode, see iOS device restriction settings in Intune.

From the home dashboard, navigate to Devices > Configuration Profiles.

Select the ‘Create Profile’ button.

Select ‘iOS/iPadOS’ as the platform.

Select ‘Device Restrictions’ as the Profile Type and then select ‘Create’.

Set a Name and Description.
**Example**
Name: iOS – Device Restrictions Profile
Description: Device Restrictions profile for iOS devices.

Select ‘Next’

For the purposes of this training course, the following example baseline configuration profile settings will be tailored to an Unsupervised device:
**Example**
App Store, Doc Viewing, Gaming

  • Treat AirDrop as an unmanaged destination: Yes

Cloud and Storage

  • Force encrypted backup: Yes

Password

  • Require password: Yes
  • Block simple passwords: Yes
  • Required password type: Numeric
  • Number of non-alphanumeric characters in password: 1
  • Minimum password length: 6
  • Maximum minutes after screen lock before the password is required: Immediately
  • Maximum minutes of inactivity until screen locks: 5 minutes

Show or Hide Apps

  • Type of apps list: Hidden apps
  • Apps list (Microsoft publishes a list of the bundle IDs of the built-in Apple apps):
    • App bundle ID: com.apple.gamecenter
    • App Name: Game Center

Wireless

  • Block data roaming: Yes

Select ‘Next’.

Under Assignments, select ‘Add Groups’.

In this example, the ‘Corporate Devices’ group will be selected.

Select ‘Select’ to add your Azure AD Group.

Select ‘Next’ and then ‘Create’.

Once created, you will see the configuration profile appear in the list ready for use.

See in Action

Installed configuration can be validated on the device by the user. Observing our enrolled device in the Settings app, under General > Device Management > Management Profile, we can see “2 Restrictions” and “Password Policy” listed in the Contains list.

Selecting Restrictions, we can further validate device restriction settings match the Endpoint Manager deployed configuration profile we created.

Drilling down into more detail by selecting the password policy, again, we can validate the password policy being enforced on the device matches the Endpoint Manager deployed configuration profile.

Within the Endpoint Manager portal, we can validate the configuration profile has been successfully installed on the device by navigating to Devices > All Devices.

Selecting the device entry, under Device Configuration on the left side menu, we can see the configuration profile we created successfully installed.

Create an iOS Email Profile

Note – The email profile uses the native or built-in email app on the device, and allows users to connect to their work email. This profile will not apply settings for Outlook mobile app.

From the home dashboard, navigate to Devices > Configuration Profiles.

Select the ‘Create Profile’ button.

Select ‘iOS/iPadOS’ as the platform.

Select ‘Email’ as the Profile Type and then select ‘Create’.

Set a Name and Description.
**Example**
Name: iOS – Email Profile
Description: Email profile for iOS devices.

Select ‘Next’

For the purposes of this training course, the following example email profile settings will be set:
**Example**
Exchange ActiveSync account settings

  • Email server: outlook.office365.com
  • Account name: Work Email
  • Username attribute from AAD: User Principal Name
  • Email address attribute from AAD: Primary SMTP Address
  • Authentication method: Username and password
  • SSL: Enable

Exchange ActiveSync profile configuration

  • Exchange data to sync: All data

Note – ‘Username and password’ is Basic authentication. Microsoft has since retired Basic authentication for Exchange ActiveSync in Exchange Online, so for a production tenant use certificate-based or OAuth (modern) authentication in this profile instead.

Select ‘Next’.

Under Assignments, select ‘Add Groups’.

In this example, the ‘Corporate Devices’ group will be selected.

Select ‘Select’ to add your Azure AD Group.

Select ‘Next’ and then ‘Create’.

Once created, you will see the email profile appear in the list ready for use.

See in Action

Note – Device prompts and their wording may change and present slightly different between iOS versions.

Once the email profile has been successfully installed, the device will automatically prompt the user to complete Exchange ActiveSync authentication by asking for a password.

After authentication is complete, within the settings app under Mail > Accounts, we can see our account listed. Drilling down further into detail by selecting the email profile, we can validate the details match the Endpoint Manager deployed email profile.

Moving over to the native mail app, a test email has been received successfully.

Within the Endpoint Manager portal, we can validate the email profile has been successfully installed on the device by navigating to Devices > All Devices.

Selecting the device entry, under Device Configuration on the left side menu, we can see the email profile we created successfully installed.

Episode 7 – Applications, App Configuration & App Protection (MAM)

Add Outlook for iOS

Note – Apps deployed straight from the public app store require an Apple ID account signed in on the device. If an Apple ID account isn’t present, the operating system will prompt the user to sign in before apps can be installed.

Sign in to your Endpoint Manager portal by browsing to https://endpoint.microsoft.com

From the home dashboard, navigate to Apps > iOS/iPadOS > iOS/iPadOS apps.

Select the ‘Add’ button.

Select ‘iOS store app’ from the App Type drop-down and then press ‘Select’.

Select ‘Search the App Store’.

Ensure the correct locale is selected before searching for an app. (United States is the default)

Enter Outlook into the search field.

Select ‘Microsoft Outlook’ from the list and then press ‘Select’.

In the App Information section, observe that Endpoint Manager will conveniently pull all information about the app from the app store.

Select ‘Next’.

Choose the correct type of assignment relevant to your organisation requirements.

For the purpose of this training course, we assign Outlook as ‘Required’.

Select ‘Add Group’.

In this example, the ‘Corporate Devices’ group will be selected.

Select ‘Select’ to add your Azure AD Group.

Select ‘Next’ and then ‘Save’.

Once created, you will see Outlook app appear in the list ready for use.

See in Action

After assigning your chosen application as ‘Required’, Endpoint Manager will automatically prompt the user to install the application. Should the user select, ‘Cancel’, Endpoint Manager will prompt again upon the next scheduled device check-in.

Within the Endpoint Manager portal, we can validate the application has been successfully installed on the device by navigating to Devices > All Devices.

Selecting the device entry, under Managed App on the left side menu, we can see the application successfully installed.

Add Outlook for Android

Note – By default, once Managed Google Play Store has been integrated with Endpoint Manager, Endpoint Manager will pre-populate four Microsoft apps.
– Intune Company Portal
– Managed Home Screen
– Microsoft Authenticator
– Microsoft Intune

From the home dashboard, navigate to Apps > Android > Android apps.

Select the ‘Add’ button.

Select ‘Managed Google Play Store’ from the App Type drop-down and then press ‘Select’.

Managed Google Play renders inside the Endpoint Manager console as an embedded iframe (the Managed Google Play iframe).

Enter Outlook into the search field.

Select Outlook from the search results.

Select ‘Approve’.

Select ‘Approve’ and then select ‘Done’.

Invoke a manual synchronisation by selecting the ‘Sync’ button.

Allow up to 5 minutes whilst Managed Google Play syncs with Endpoint Manager.

Select the ‘Refresh’ button in order to update the apps list.

Now select ‘Outlook’ from the list and then select ‘Properties’.

Under Assignments, select ‘Edit’.

Choose the correct type of assignment relevant to your organisation requirements.

For the purpose of this training course, we assign Outlook as ‘Required’.

Select ‘Add Group’.

In this example, the ‘Corporate Devices’ group will be selected.

Select ‘Select’ to add your Azure AD Group.

Select ‘Next’ and then ‘Save’.

See in Action

After assigning your chosen application as ‘Required’, Endpoint Manager will automatically install the application. Swiping down from the top of the screen, Google Play Store displays a notification “Installing apps from your organisation”.

Pressing the notification, Google Play Store shows the chosen app being installed.

Within the Endpoint Manager portal, we can validate the application has been successfully installed on the device by navigating to Devices > All Devices.

Selecting the device entry, under Managed App on the left side menu, we can see the application successfully installed.

Create an App Configuration Policy

Note – The Save Contacts setting enables synchronisation of Outlook contacts and calendar with the respective native Contacts and Calendar apps. At present, only contacts sync is supported with Outlook for iOS. Outlook for Android supports both contacts and calendar sync. Refer to Microsoft documentation for further guidance.

Important – Outlook for Android supports bi-directional contact synchronization. However, if a user edits a field in the native contacts app that is restricted (such as the Notes field), then that data will not synchronize back into Outlook for Android.

From the home dashboard, navigate to Apps > App Configuration Policies.

Select the ‘Add’ button and then select ‘Managed Devices’.

Set a Name and Description.
**Example**
Name: iOS – Outlook App Configuration Policy
Description: App Configuration policy for Outlook on iOS.

Select iOS/iPadOS from the Platform dropdown.

Press the ‘Select app’ button, select Outlook from the list and then press ‘Ok’.

Select ‘Next’.

Select ‘Use Configuration Designer’ from the Configuration Settings Format dropdown.

For the purposes of this training course, the following Outlook App Configuration settings will be set:
**Example**
Email Account Configuration

  • Configure email account settings: Yes
  • Authentication type: Basic authentication (for Exchange Online accounts such as outlook.office365.com, select Modern authentication; Basic authentication has been retired for Exchange Online)
  • Username attribute from AAD: User Principal Name
  • Email address attribute from AAD: Primary SMTP Address
  • Email Server: outlook.office365.com
  • Email Account Name: Corporate Email

General App Configuration

  • Focused Inbox: On
  • Require Biometrics to access app: Off
  • Save Contacts: On
  • Allow user to change settings: Yes
  • Default app signature: On

Select ‘Next’.

Under Assignments, select ‘Add Groups’.

In this example, the ‘Corporate Devices’ group will be selected.

Select ‘Select’ to add your Azure AD Group.

Select ‘Next’ and then ‘Create’.

Once created, you will see the App Configuration Policy appear in the list ready for use.

See in Action

App Configuration can be enabled and validated on the device by the user. Observing our enrolled device in Outlook, we can see App Configuration has detected and pre-populated our enrolled user account – johndoe@traininguemauthority.onmicrosoft.com

After selecting ‘Add Account’, we sign in to complete authentication.

Within the Endpoint Manager portal, we can validate the App Configuration policy has been successfully installed on the device by navigating to Devices > All Devices.

Selecting the device entry, under App Configuration on the left side menu, we can see the App Configuration policy we created successfully installed.

Create an App Protection Policy

Note – Outlook MAM protection requires an Azure AD account (Hybrid or Cloud) and Exchange Online mailbox (Hybrid or Cloud)

From the home dashboard, navigate to Apps > App Protection Policies.

Select the ‘Add’ button and then select ‘iOS/iPadOS’.

Set a Name and Description.
**Example**
Name: iOS – MAM Policy
Description: MAM Policy for iOS devices.

Select ‘Next’.

For the purposes of this training course, MAM will be targeted to both Managed and Unmanaged iOS devices.

The following App Protection settings will be set:
**Example**
Target to apps on all device types: Yes

Press ‘Select Public Apps’ and then select Outlook from the list.

Select ‘Next’.

Data Transfer

  • Backup org data to iTunes and iCloud backups: Block
  • Send org data to other apps: Policy managed apps
  • Select apps to exempt: Default
  • Save copies of org data: Block
  • Allow user to save copies to select services: OneDrive for Business & SharePoint
  • Transfer telecommunication data to: Any dialer app
  • Dialer App URL Scheme: None
  • Receive data from other apps: Policy managed apps
  • Open data into Org documents: Block
  • Allow user to open data from select services: OneDrive for Business, SharePoint & Camera
  • Restrict cut, copy, and paste between other apps: Policy managed apps
  • Cut and copy character limit for any app: 0
  • Third-party keyboards: Allow

Encryption

  • Encrypt org data: Require

Functionality

  • Sync policy managed app data with native apps: Allow
  • Printing org data: Block
  • Restrict web content transfer with other apps: Microsoft Edge
  • Unmanaged browser protocol: None
  • Org data notifications: Allow

Access Requirements

  • PIN for access: Not Required
  • Work or school account credentials for access: Not Required
  • Recheck the access requirements after (minutes of inactivity): 30

Conditional Launch

  • Offline grace period (minutes): 720 – Block access
  • Offline grace period (days): 90 – Wipe data
  • Jailbroken/Rooted devices: Block access

Select ‘Next’.

Under Assignments, select ‘Add Groups’.

In this example, the ‘Corporate Devices’ group will be selected.

Select ‘Select’ to add your Azure AD Group.

Select ‘Next’ and then ‘Create’.

Once created, you will see the App Protection Policy appear in the list ready for use.

See in Action

App Protection can be validated on the device by the user. Observing our enrolled device in Outlook, we can test the cut, copy and paste restrictions that are being enforced by our App Protection policy.

For the purposes of this demonstration, we have received an email from our fictional organisation that contains sensitive information. We will attempt to exfiltrate this information by means of Copy and Paste.

Copying text from the body of the email, we close Outlook and then open the native Notes app. Attempting to paste the copied information, App Protection replaces the original clipboard text with “Your organization’s data cannot be pasted here”.

Within the Endpoint Manager portal, we can validate which apps App Protection is applied to by app or user. Navigating to Apps > Monitor > App Protection Status > Reports.

Selecting the User Report, we choose the enrolled user – johndoe@traininguemauthority.onmicrosoft.com.

The report shows iOS – MAM Policy is successfully applied against Microsoft Outlook.
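As an added example (not part of the original guide), the script below models the data transfer decisions the policy above makes for Outlook, including the Notes paste test from See in Action, so the effect of each setting can be reasoned about before the policy is assigned. The bundle identifiers, the list of policy managed apps, the contents of the default exemption list and the decision functions are assumptions for illustration.

```python
"""Added example (not from the original guide): a local model of the data
transfer decisions the App Protection policy above makes for Outlook on iOS.
Bundle identifiers, the managed/exempt app lists and the decision functions
are assumptions for illustration."""
from dataclasses import dataclass
from typing import FrozenSet

OUTLOOK = "com.microsoft.Office.Outlook"
# Apps that have the same App Protection policy applied (assumed list).
POLICY_MANAGED_APPS: FrozenSet[str] = frozenset(
    {OUTLOOK, "com.microsoft.Office.Word", "com.microsoft.skydrive"}
)
BLOCKED_PASTE_TEXT = "Your organization's data cannot be pasted here."


@dataclass(frozen=True)
class AppProtectionPolicy:
    send_org_data_to: str = "policy managed apps"    # "all apps" | "policy managed apps" | "none"
    restrict_clipboard: str = "policy managed apps"  # "any app" | "blocked" | "policy managed apps"
    clipboard_char_limit: int = 0                     # 0 = no exception for unmanaged apps
    save_copies_of_org_data: str = "block"
    save_to_services: FrozenSet[str] = frozenset({"OneDrive for Business", "SharePoint"})
    exempt_apps: FrozenSet[str] = frozenset({"tel", "sms"})  # 'Select apps to exempt: Default' (assumed)


MAM_POLICY = AppProtectionPolicy()  # the values chosen in the guide


def paste_result(policy: AppProtectionPolicy, target_app: str, text: str) -> str:
    """Text a target app receives when org data copied in Outlook is pasted into it."""
    if policy.restrict_clipboard == "any app":
        return text
    if policy.restrict_clipboard == "blocked":
        return text if target_app == OUTLOOK else BLOCKED_PASTE_TEXT
    if target_app in POLICY_MANAGED_APPS:
        return text
    # Unmanaged target: only the configured character allowance gets through (0 = nothing).
    return text if len(text) <= policy.clipboard_char_limit else BLOCKED_PASTE_TEXT


def can_share(policy: AppProtectionPolicy, target_app: str) -> bool:
    """'Send org data to other apps' (share sheet / Open in) from Outlook to target_app."""
    if policy.send_org_data_to == "all apps":
        return True
    if policy.send_org_data_to == "none":
        return False
    return target_app in POLICY_MANAGED_APPS or target_app in policy.exempt_apps


def can_save_copy(policy: AppProtectionPolicy, service: str) -> bool:
    """'Save copies of org data: Block', except to the services listed in the policy."""
    return policy.save_copies_of_org_data != "block" or service in policy.save_to_services


if __name__ == "__main__":
    secret = "Q3 acquisition target: Contoso"  # constructed sample email text
    print(paste_result(MAM_POLICY, "com.apple.mobilenotes", secret))   # blocked
    print(paste_result(MAM_POLICY, "com.microsoft.Office.Word", secret))  # allowed
    print(can_share(MAM_POLICY, "tel"), can_share(MAM_POLICY, "com.apple.mobilenotes"))
    print(can_save_copy(MAM_POLICY, "OneDrive for Business"), can_save_copy(MAM_POLICY, "Local storage"))
```

The character limit is the setting to watch: raising ‘Cut and copy character limit for any app’ above 0 lets that many characters of org data reach any unmanaged app, which is enough for a password or a one-time code, so leave it at 0 unless there is a documented need.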

Episode 8 – Enrol iOS & Android Devices

iOS Device Manual Enrolment

Note – A manually enroled iOS/iPadOS device will automatically be assigned a ‘Personal’ ownership designation. For this reason, Corporate Device Identifiers are used for pre-declaring known Corporate Owned devices, prior to enrolment.

Android Device Manual Enrolment

Note – For the purposes of this training course, enrolment of the Android Enterprise Corporate Owned Business Only (COBO) management mode will be demonstrated using the Token method.

Enable Android Enterprise Enrolment

To support Android Enterprise Corporate Owned Business Only enrolment to Endpoint Manager, the relevant enrolment profile must first be activated.

From the home dashboard, navigate to Devices > Android > Android Enrolment.

Under Enrolment Profiles, Select ‘Corporate-owned, fully managed user devices’.

Next to Allow user to enrol corporate-owned user devices, toggle to ‘Yes’.

Intune will generate a unique QR code and Token ID.

Once enrolment has been started by entering afw#setup in place of a Google account during the out-of-box setup wizard, enter the Token ID when prompted.

Deploy Intune 101 – For Beginners – Part 1📱💻
http://guides.uemauthority.com/knowledge-base/deploy-intune-101-for-beginners-part-1/
UEM Authority (Learn. Test. Deploy) – published Mon, 18 Oct 2021 15:01:47 +0000



Introduction

In this free training course, you will learn how to configure and deploy Intune (Endpoint Manager) as a stand-alone UEM solution. This article will teach you steps to enable Intune (Endpoint Manager) to a state where the solution is ready to onboard mobile devices.
 
For your convenience, this free training course has been split into two parts. This blog article is Part 1. Continue to Part 2 once you have read and followed Part 1.

Guide

This guide is presented in both video and written format to provide maximum learning potential. We recommend watching each follow-along video with the written guide to hand, as a secondary aid.


Episode 1 – Licensing, Users & MDM Authority

Activate a trial Enterprise Mobility & Security license

Sign in to your Azure portal by browsing to https://portal.azure.com

From the home dashboard, select ‘Azure Active Directory’.

From the left menu, select ‘Licenses’ and then ‘All Products’.

Select the ‘Try / Buy’ button.

Under Enterprise Mobility + Security E5, select ‘Free Trial’.

Carefully read the description to understand which services are included and how many users can utilise this trial license.

Select the ‘Activate’ button.

Azure Active Directory takes up to 5 minutes to initialise the trial license within your tenant. We recommend you sign out and back into the Azure portal to allow the interface to refresh, alternatively press Ctrl + F5 to refresh the browser page and flush its cache.

Once the trial license has applied to your tenant, you will see Enterprise Mobility + Security E5 present in the ‘All Products’ pane with 250 assignments available.

Create a Cloud Azure AD user

We shall create an Azure AD user for enrolment testing purposes only. This account will not be granted administrator access to the Azure portal.

From the home dashboard, select ‘Azure Active Directory’.

From the left menu, select Users.

Select ‘All Users’ and then select the ‘New User’ button.

Select the ‘Create User’ option as we are not inviting a guest user into your organisation.

Under Identity, complete the required information:
**Example**
Username: johndoe@johndoe.onmicrosoft.com or a custom domain
Name: John Doe
First Name: John
Last Name: Doe

Under Password, you are offered the choice to have Azure AD generate a password for you or allow you to set a custom password.

For the purpose of this guide, we will select Auto-generate.

Select the ‘Show Password’ toggle to reveal the password.

Groups and Roles are covered later in this training guide.

Under Settings:

Block Sign In: No
Usage Location: Your locale-specific location

Under Job Info, we have the option to set specific information about the Azure AD account owner. We will skip past this section, however, feel free to experiment here.

Select the ‘Create’ button to finish.

You will see the newly created account populate in the All Users pane.

Select the user account to review its details.

Things to note:
User Principal Name (UPN) should match the information provided during account creation.
User Type is set as Member, and not Guest, because the account is part of your organisation.
Object ID is a unique static attribute number assigned to this account.
Source is set as Azure Active Directory because this account originated in and resides in Azure Active Directory and not On-Premise Active Directory.

Assign a license to an Azure AD user account

Under Manage, select ‘Licenses’.

Select the ‘Assignments’ button.

Select ‘Enterprise Mobility + Security E5’.

Review licensing options to ensure the correct set of sub-services are included.

Select the ‘Save’ button.

Once the trial license has applied to the user, you will see Enterprise Mobility + Security E5 present with an active state.

Set the MDM Authority for Intune

Sign in to your Endpoint Manager portal by browsing to https://endpoint.microsoft.com

From the home dashboard, select ‘Tenant Administration’.

From the left menu, select Tenant Status > Tenant Status.

Important – Observe the Service Release for your tenant, because if your tenant is using 1911 and later, the MDM Authority is set automatically to Microsoft Intune. You will therefore not need to carry out further steps.

If your tenant is using a Service Release pre-1911, you must set the MDM Authority manually. Continue to follow the steps for this section.

Select the Orange Banner from the top right corner of the Endpoint Manager portal.

If the banner is no longer visible, select the notifications icon to reveal the notification.

In the Mobile Device Management Authority dialogue box, select ‘Intune MDM Authority’

A message in the top right corner of the Endpoint Manager portal will indicate that you have successfully set the MDM authority.

To validate this, under Tenant Status > Tenant Details, MDM Authority is ‘Microsoft Intune’.

Episode 2 – Branding, Customisation & Terms and Conditions

Configure Company Portal Branding and Customisation

Sign in to your Endpoint Manager portal by browsing to https://endpoint.microsoft.com

From the home dashboard, select ‘Tenant Administration’.

Under ‘End User Experiences’ select ‘Customisation’.

Next to ‘Settings’ select the ‘Edit’ button.

Under ‘Branding’, set an Organisation Name.

Our example here is UEM Authority.

Set a Standard or Custom colour by sliding the toggle.

If choosing Standard, select a colour from the ‘Theme Colour’ drop-down list.

If choosing Custom, define a custom colour by providing a Hex Code.

Select what should be displayed in the header of Company Portal app.

Our example will select Organisation Logo Only to be displayed in the header.

Upload a logo for the theme colour background.
(Max image size: 400 x 400 px. Max file size : 750KB. File type: PNG, JPG or JPEG)

Note – Upload the logo you want to show on top of your selected theme color. For the best appearance, upload a logo with a transparent background. You can see how this will look in the preview box below the setting.

Upload a logo for a white or light background.
(Max image size: 400 x 400 px. Max file size : 750KB. File type: PNG, JPG or JPEG)

Note – Upload the logo you want to show on top of white or light-colored backgrounds. For the best appearance, upload a logo with a transparent background. You can see how this will look on a white background in the preview box below the setting.

Upload a brand image.
(Recommended image width: Greater than 1125 px. Max file size: 1.3 MB. File type: PNG, JPG, or JPEG.)

Brand image is displayed in these locations:

  • iOS/iPadOS Company Portal: Background image on the user’s profile page.
  • Windows Company Portal: Background image on the user’s profile page.
  • Company Portal website: Background image on the user’s profile page.
  • Android Intune app: In the drawer and as a background image on the user’s profile page.

Top Tip – Enter your organisation’s support information, so employees can reach out with questions. This support information will be displayed on Support, Help & Support, and Helpdesk pages across the end-user experience.

Under Support Information, complete the optional information:
**Example**
Contact Name: UEM Authority IT Help Desk
Phone Number: 0123456789
Email Address: support@uemauthority.com
Website Name: (A friendly name for the support website, e.g. the ticketing and support system used by your organisation, such as ZenDesk or ServiceNow.)
Website URL: https://uemauthority.com/internalitsupport for example
Additional Information: (Include any additional support-related messaging to users here.)

Important – The following settings apply only to traditional/manual enrolment for both Android and iOS/iPadOS devices. For more information, refer to Microsoft documentation

Under Configuration, you can customise the setup experience in Company Portal for Android and iOS/iPadOS devices.

Next to Device Enrolment, select the drop-down box to choose how users should be prompted to enrol into mobile device management.

Next, provide a URL to send employees to your company’s Privacy Statement.

Next, we can retain the Endpoint Manager default Privacy message about what admins can’t/can see or do, or you may choose to define a custom message. (Applies to iOS/iPadOS only.)

Top Tip – Custom message input supports markdown so you can add bullets, bolding, italics, and links.

Depending on the use case and its respective transparency obligation, you can choose to configure a push notification to send to both your Android and iOS Company Portal users when their device ownership type has been changed from Personal to Corporate as a privacy courtesy.

Choose ‘Yes’ or ‘No’ for Device Ownership Notification.

Note – App Sources settings apply to Windows Company Portal app only.

Choose to ‘Hide’ or ‘Show’ Azure AD Enterprise Applications in the Company Portal for each end user.

Choose to ‘Hide’ or ‘Show’ Office Online Applications in the Company Portal for each end user.

To help prevent unintended device actions, you can customise the available self-service device actions that are shown to end users in the Company Portal app:
**Example**
Hide Remove button on corporate Windows devices: Toggled by default
Hide Reset button on corporate Windows devices: Not toggled
Hide Remove button on corporate iOS/iPadOS devices: Toggled
Hide Reset button on corporate iOS/iPadOS devices: Toggled

Select the ‘Review + Save’ button.

Under Policies, Endpoint Manager allows you to manage multiple customisation policies.

For this training guide, policies will not be explored, however, feel free to experiment.

See in Action

Note – Company branding may render differently on certain form factors. For example, the Windows 10 Company Portal app may display your company logo in the header banner, whereas the Company Portal app for iPhone only shows the organisation name.

Post enrolment to Endpoint Manager on iPhone, the Company Portal app will display the organisation name in the header.

Selecting the user account icon, we can see the UEM Authority logo applied as the background.

In the Support tab, we can see our support information applied.

Selecting More, Company Portal app lists additional custom information and links related to our organisation, such as a link to UEM Authority Privacy Policy.

Configure an end-user Terms & Conditions policy

From the home dashboard, select ‘Tenant Administration’.

Under ‘End User Experiences’ select ‘Terms and Conditions’.

Select the ‘Create’ button.

Set a Name and Description.

Select the ‘Next’ button.

Complete the required information:
**Example**
Title: The name for your terms that users see in the Company Portal above the Summary.
Terms and Conditions: The terms and conditions that users see and must either accept or reject.
Summary of Terms: Text that explains what it means when users accept the terms. For example, “By enrolling your device, you’re agreeing to the terms of use set out by UEM Authority. Read the terms carefully before proceeding.”

Select the ‘Next’ button.

On the Assignments page, choose whether to target select groups or all enrolled users.

Select the ‘Next’ button, then select the ‘Create’ button.

Once created, you will see the new policy populate in the Terms and Conditions settings overview pane.

See in Action

During enrolment to Endpoint Manager, Company Portal app will display a Terms & Conditions policy applied by your organisation. The user is given a choice to accept or decline.
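Once the policy is assigned, the practical question is who has actually accepted it, and whether they accepted the current version (editing the terms bumps the version and users must accept again). The following PowerShell script is an added example, not part of the original guide; it reads the Terms and Conditions policies and their acceptance records through Microsoft Graph. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account holds the DeviceManagementServiceConfig.Read.All permission.

```powershell
# Added example (not from the original guide): list every Terms and Conditions
# policy in the tenant and report which users have accepted the current version.
# Assumes the Microsoft.Graph PowerShell SDK and the
# DeviceManagementServiceConfig.Read.All permission.

Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All' -NoWelcome

$base     = 'https://graph.microsoft.com/v1.0/deviceManagement/termsAndConditions'
$policies = (Invoke-MgGraphRequest -Method GET -Uri $base).value

foreach ($policy in $policies) {
    Write-Host "`nPolicy: $($policy.displayName) (current version $($policy.version))"

    # Acceptance records are paged; follow @odata.nextLink until exhausted.
    $uri      = "$base/$($policy.id)/acceptanceStatuses"
    $statuses = @()
    do {
        $page      = Invoke-MgGraphRequest -Method GET -Uri $uri
        $statuses += $page.value
        $uri       = $page.'@odata.nextLink'
    } while ($uri)

    if (-not $statuses) {
        Write-Host '  No acceptance records yet.'
        continue
    }

    # A user is "Current" only if the accepted version matches the policy version.
    $statuses | ForEach-Object {
        [pscustomobject]@{
            User            = $_.userPrincipalName
            DisplayName     = $_.userDisplayName
            AcceptedVersion = $_.acceptedVersion
            AcceptedAt      = $_.acceptedDateTime
            Current         = ($_.acceptedVersion -eq $policy.version)
        }
    } | Sort-Object Current, User | Format-Table -AutoSize | Out-Host
}
```

Users who appear with Current set to False accepted an earlier revision of the terms and will be prompted again in the Company Portal; users who never appear have not yet enrolled or have declined.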

Episode 3 – Apple APNS & Managed Google Play

Create an APNS Apple ID

Important – An Apple MDM Push certificate is required for Intune to manage iOS/iPadOS and macOS devices.
When a push certificate expires, you must renew it. When renewing, make sure to use the same Apple ID that you used when you first created the push certificate.

Critical – Revoking this certificate, or allowing it to expire, means existing devices will need to be re-enrolled with a new push certificate.

Open a browser and navigate to https://identity.apple.com/pushcert

Sign in with your Apple ID or select the ‘Create yours now’ button to register for an Apple ID.

Top Tip – The certificate is associated with the Apple ID used to create it. As a best practice, use a company Apple ID for management tasks and make sure the mailbox is monitored by more than one person, such as a distribution list. Never use a personal Apple ID.

To create an Apple ID, complete the required information:
**Example**
First Name: UEM
Last Name: Authority
Country/Region: United Kingdom
Birthday: 01/01/1990
Email Address: training1@uemauthority.com
Password: (8 characters or more, Upper and lowercase letters & At least one number)
Area Code: +44 United Kingdom
Phone Number: 0000000
2FA Verify Method: Text Message
Marketing Preference: None toggled
Security Code: Type the characters in the image

Select the ‘Continue’ button to complete registration.

You will now be required to verify the account. Apple will:

  1. Send you an email containing a verification code.
  2. Validate 2FA using the provided phone number, whether by text message or phone call.

Once your Apple ID account is verified, navigate back to https://identity.apple.com/pushcert and sign in with your Apple ID.

Configure Apple APNS certificate for Intune

Note – During these steps, you will flick back and forth between Apple Push Certificates Portal and Endpoint Manager console. Ensure you are signed into Endpoint Manager console in a new browser tab.

Select the ‘Create a Certificate’ button to get started.

Select the toggle box to acknowledge you agree to Apple’s terms and conditions.

Select the ‘Accept’ button to proceed.

Switch tabs to Endpoint Manager console.

Navigate to Devices > Enroll Devices > Apple Enrollment > Apple MDM Push Certificate

At Step 1, select the toggle box to acknowledge you agree for Microsoft to send user and device information to Apple.

At Step 2, select ‘Download your CSR’.

Switch tabs to Apple Push Certificates Portal.

Under Notes, provide a comment to differentiate this certificate from others. (Handy when you carry out a certificate renewal).

Select the ‘Choose File’ button. Select the recently downloaded IntuneCSR.csr file.

Select the ‘Upload’ button.

Select the ‘Download’ button to download the MDM APNs certificate (which is a .pem file).

Switch tabs to Endpoint Manager console.

At ‘Step 4’, input the same Apple ID used to create the certificate.

At ‘Step 5’, browse and locate the recently downloaded MDM APNs certificate (which is a .pem file).

Select the ‘Upload’ button.

Intune will notify you of a successful MDM Push Certificate creation.

Scroll to the top of the dialogue box in order to validate a successful configuration. Hopefully, you will observe the following:
Status: Active
Days until expiration: 365 (From the date of Last Updated)
Last Updated: Date certificate was created
Expiration: 365 days from date certificate was created
Apple ID: Same Apple ID used to create the certificate.

Should the MDM Push Certificate process fail or the status returns an error, delete the Endpoint Manager configuration and repeat this section again from the beginning.
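Because an expired or revoked push certificate forces re-enrolment of every Apple device, the expiry date is worth checking on a schedule rather than relying on the portal view above. The following PowerShell script is an added example, not part of the original guide; it reads the Apple MDM Push certificate through Microsoft Graph and warns when expiry is close. It assumes the Microsoft.Graph PowerShell SDK is installed, the signed-in account holds the DeviceManagementServiceConfig.Read.All permission, and the 30-day warning threshold is an assumption to adjust to your renewal process.

```powershell
# Added example (not from the original guide): report the Apple MDM Push
# certificate status and warn when it is close to expiry.
# Assumes the Microsoft.Graph PowerShell SDK and the
# DeviceManagementServiceConfig.Read.All permission.
# The 30-day warning threshold is an assumption; adjust it to your renewal process.

param(
    [int]$WarnDays = 30
)

Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All' -NoWelcome

$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/applePushNotificationCertificate'
try {
    $cert = Invoke-MgGraphRequest -Method GET -Uri $uri
}
catch {
    Write-Warning "No Apple MDM Push certificate is configured, or the request failed: $($_.Exception.Message)"
    return
}

# Graph returns ISO 8601 timestamps; compare in UTC to avoid local-time drift.
$expires  = ([datetime]$cert.expirationDateTime).ToUniversalTime()
$daysLeft = [int][math]::Floor(($expires - (Get-Date).ToUniversalTime()).TotalDays)

[pscustomobject]@{
    AppleId         = $cert.appleIdentifier
    TopicId         = $cert.topicIdentifier
    UploadStatus    = $cert.certificateUploadStatus
    LastUpdated     = $cert.lastModifiedDateTime
    Expires         = $expires
    DaysUntilExpiry = $daysLeft
} | Format-List

if ($daysLeft -le 0) {
    Write-Error "Apple MDM Push certificate expired on $expires. See the Critical note on re-enrolment above."
}
elseif ($daysLeft -le $WarnDays) {
    Write-Warning "Apple MDM Push certificate expires in $daysLeft days. Renew it using the same Apple ID ($($cert.appleIdentifier))."
}
```

Run it from a scheduled task or pipeline with a non-zero exit treated as an alert; the DaysUntilExpiry value should match the "Days until expiration" figure shown in the Endpoint Manager dialogue.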

Create a Managed Google Play Account

Important – Managed Google Play requires a personal or consumer Google Account. A G Suite or Workspace account is not valid.

In the Endpoint Manager Console, navigate to Devices > Enroll Devices > Android Enrollment > Managed Google Play

At Step 1, select the toggle box to acknowledge you agree for Microsoft to send user and device information to Google.

At Step 2, select ‘Launch Google to Connect Now’.

Google Play will open in a new window, select ‘Sign In’.

Select ‘Create Account’, then select ‘For Myself’.

Top Tip – The Managed Google Play integration is associated with the Google Account used to create it. As a best practice, use a consumer Google Account that belongs to your organisation for management tasks, and make sure the mailbox is monitored by more than one person, such as a distribution list.

To create a Google Account, complete the required information:
**Example**
First Name: UEM
Last Name: Authority
Username: uemauthority@gmail.com
Password: (8 characters or more, Upper and lowercase letters & At least one number)
Phone Number: 0000000
Recovery Email Address: (Use an email address that belongs to your company domain. A shared mailbox for admins only, for example)
Birthday: 01/01/1990
Gender: (Your preference)

Personalisation Settings: Express Personalisation

Select ‘Next’ to confirm personalisation settings.

Select ‘Confirm’ to acknowledge how Google will use your account data.

Select ‘I Agree’ to agree with Google privacy and terms.

You have now created a Google Account.

Configure Managed Google Play for Intune

Important – Managed Google Play has no validity period. This means the integration with Endpoint Manager is persistent and does not need renewing.

In the Endpoint Manager Console, navigate to Devices > Enroll Devices > Android Enrollment > Managed Google Play

At Step 1, select the toggle box to acknowledge you agree for Microsoft to send user and device information to Google.

At Step 2, select ‘Launch Google to Connect Now’.

Google Play will open in a new window, select ‘Sign In’.

Once signed in with the Google Account created in the last section or a Google Account already belonging to your company, select ‘Get Started’.

Enter your organisation business or trading name.

You will see Microsoft Intune is identified as the EMM provider.

Select ‘Next’.

Note – This next section is optional. Data Protection Officer and EU Representative contact details can be added later, in the Google Account admin portal, if you do not have them to hand right now.

Toggle the tick box to acknowledge that you have read and agree to Managed Google Play Agreement.

Select ‘Confirm’ to continue.

Select ‘Complete Registration’ to finish the setup.

Head back to your Endpoint Manager console. Observe a notification appear to confirm “Managed google Play successfully configured with tenant”.

To confirm a successful integration, the following information should be present:
Status: Setup (With green tick)
Organisation: Your organisation name or trading name
Google Account: The Google Account used to set up integration
Registration Date: The date and time Managed Google Play was configured

Managed Google Play is now integrated with your Endpoint Manager tenant.

Episode 4 – Device Enrolment Manager (DEM) & Enrolment Restrictions

Create a DEM account

Important – Device Enrolment Manager accounts include their own set of limitations. Refer to the Microsoft documentation for an exhaustive list.

Note – A Device Enrolment Manager account must be assigned an Intune license before the account can be added.

Sign in to your Endpoint Manager portal by browsing to https://endpoint.microsoft.com
From the home dashboard, navigate to Devices > Enrol Devices > Device Enrolment Managers.

Select the ‘Add’ button.

Enter the UPN of the Azure AD account to be added as a Device Enrolment Manager, then select the ‘Add’ button.
**Example**
UPN: iOSEnrol@traininguemauthority.onmicrosoft.com

Intune will notify you of a successful Device Enrolment Manager creation.

You will see the Device Enrolment Account present in the list, ready to enrol devices.

See in Action

To enrol using a DEM account, in this example an iPhone, we follow the standard manual enrolment process.

Once complete, the Company Portal app confirms the device is enrolled; however, a device enrolled with a DEM account carries limited capabilities.

The Intune (Endpoint Manager) console also confirms the iPhone is enrolled, with the iOS Enrol DEM account shown as the Primary User.

Configure Device Type Restrictions

Note – Enrollment restrictions are not security features. Compromised devices can misrepresent their character. These restrictions are a best-effort barrier for non-malicious users.

From the home dashboard, navigate to Devices > Enrol Devices > Enrolment Restrictions

Under Device Type Restrictions, select the Default Policy called All Users.

Select Properties. Under Platform Settings, select Edit.

In this example, the Default Policy will be modified to reflect the below settings:
**Example**
Android Enterprise (Work Profile)

  • Platform: Allow
  • Versions: 10.0 min
  • Personally Owned: Block

Android Device Administrator

  • Platform: Block

iOS/iPadOS

  • Platform: Allow
  • Versions: 13.0 min
  • Personally Owned: Block

macOS

  • Platform: Block

Windows (MDM)

  • Platform: Allow
  • Personally Owned: Block

Select ‘Review + Save’ and then ‘Save’.

Top Tip – A separate personally owned device type policy gives an organisation better control over who and what has access to corporate resources. For example, an organisation may choose to limit personal device or BYOD enrolment to eligible users or personas. Device Type restrictions enable this kind of granular gatekeeping.

To create a personally owned or BYOD policy, using the best practice example below, select the ‘Create Restriction’ button.

Select the ‘Device Type Restriction’ option.

Set a Name and Description:
**Example**
Name: Personally Owned/BYOD Policy
Description: A device type restriction policy that limits enrolment of personally owned and BYOD devices to an eligible group of users.

Select ‘Next’.

Set the policy Platform Settings:
**Example**
Android Enterprise (Work Profile)

  • Platform: Allow
  • Versions: 10.0 min
  • Personally Owned: Allow

Android Device Administrator

  • Platform: Block

iOS/iPadOS

  • Platform: Allow
  • Versions: 13.0 min
  • Personally Owned: Allow

macOS

  • Platform: Block

Windows (MDM)

  • Platform: Allow
  • Personally Owned: Block

Select ‘Next’, and then ‘Next’.

Under Assignments, select ‘Add Groups’.

In this example, the ‘Personal BYOD Devices’ group will be selected.

Select ‘Select’ to add your Azure AD Group.

Select ‘Next’ and then ‘Create’.

You will see the Device Type Restrictions policy appear ready for use.

See in Action

Top Tip – During Personally Owned/BYOD enrolment for an iOS/iPadOS device, the enrolment profile will fail to install. The Personally Owned Device Type Restrictions policy will block this device from being able to enrol. Generally, this means the user’s Azure AD/AD account does not yet reside in the eligible Azure AD Group.

Test User 01 Azure AD user account does not yet reside within any groups.

Attempting to enrol on an iOS device, installation of the profile will fail.

Observing Intune enrolment failures report under Devices > Monitor > Enrolment Failures, we can see the reason why enrolment was blocked.

Configure Device Limit Restrictions

Important – Device limit restrictions don’t apply to the following Windows enrollment types:
– Co-managed enrollments
– GPO enrollments
– Azure Active Directory joined enrollments
– Bulk Azure Active Directory joined enrollments
– Autopilot enrollments
– Device Enrollment Manager enrollments

From the home dashboard, navigate to Devices > Enrol Devices > Enrolment Restrictions

Under Device Type Restrictions, select the Default Policy called All Users.

Select Properties. Under Platform Settings, select Edit.

In this example, the Default Policy will be modified to reflect the below settings:
**Example**
Device Limit: From 10 to 5

Select ‘Review + Save’ and then ‘Save’.
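Both the Device Type Restrictions configured earlier in this episode and the Device Limit Restriction above are stored as enrolment configurations in the tenant, so they can be audited together. The following PowerShell script is an added example, not part of the original guide; it lists each enrolment restriction policy through Microsoft Graph and flags settings that differ from the examples in this guide (Android Device Administrator blocked everywhere, device limit of 5). It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account holds the DeviceManagementServiceConfig.Read.All permission; it expands the combined all-platform restriction type used by the policies created above and only lists any other configuration types by name.

```powershell
# Added example (not from the original guide): audit the tenant's enrolment
# restriction policies against the settings recommended in this guide.
# Assumes the Microsoft.Graph PowerShell SDK and the
# DeviceManagementServiceConfig.Read.All permission. The expected values
# (Android Device Administrator blocked, device limit 5) mirror the examples above.

Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All' -NoWelcome

$uri     = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations'
$configs = (Invoke-MgGraphRequest -Method GET -Uri $uri).value

# Map Graph property names to the labels used in the Endpoint Manager portal.
$platforms = [ordered]@{
    androidForWorkRestriction = 'Android Enterprise (Work Profile)'
    androidRestriction        = 'Android Device Administrator'
    iosRestriction            = 'iOS/iPadOS'
    macOSRestriction          = 'macOS'
    windowsRestriction        = 'Windows (MDM)'
}

foreach ($cfg in ($configs | Sort-Object priority)) {
    switch ($cfg.'@odata.type') {
        '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' {
            Write-Host "`nDevice type restriction: $($cfg.displayName) (priority $($cfg.priority))"
            foreach ($key in $platforms.Keys) {
                $r = $cfg.$key
                if (-not $r) { continue }
                $state    = if ($r.platformBlocked) { 'Block' } else { 'Allow' }
                $personal = if ($r.personalDeviceEnrollmentBlocked) { 'Block' } else { 'Allow' }
                $minVer   = if ($r.osMinimumVersion) { $r.osMinimumVersion } else { '-' }
                Write-Host ('  {0,-34} Platform: {1,-5} Personal: {2,-5} Min OS: {3}' -f $platforms[$key], $state, $personal, $minVer)
            }
            # The guide blocks Android Device Administrator on every policy.
            if ($cfg.androidRestriction -and -not $cfg.androidRestriction.platformBlocked) {
                Write-Warning "'$($cfg.displayName)' still allows Android Device Administrator enrolment."
            }
        }
        '#microsoft.graph.deviceEnrollmentLimitConfiguration' {
            Write-Host "`nDevice limit restriction: $($cfg.displayName) (priority $($cfg.priority)) limit = $($cfg.limit)"
            if ($cfg.limit -gt 5) {
                Write-Warning "'$($cfg.displayName)' allows $($cfg.limit) devices per user; this guide sets 5."
            }
        }
        default {
            # Other configuration types (Windows Hello, Enrollment Status Page, and
            # per-platform restriction policies) are listed by name but not expanded.
            Write-Host "`nOther configuration: $($cfg.displayName) [$($cfg.'@odata.type')]"
        }
    }
}
```

Re-run the script after creating the Personally Owned/BYOD policy: the default All Users policy should show Personal: Block for Android Enterprise and iOS/iPadOS, while the BYOD policy shows Personal: Allow for those two platforms and Block for Windows (MDM), matching the examples above.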

Continue to Part 2
