Microsoft Intune Cookbook

By : Andrew Taylor

Microsoft Intune Cookbook

By: Andrew Taylor

Overview of this book

Microsoft Intune is a cloud-managed mobile device management (MDM) tool that empowers you to manage your end-user device estate across various platforms. While it is an excellent platform, the initial setup and configuration can be a daunting process, and mistakes made early on can be more challenging to resolve later. This book addresses these issues by guiding you through the end-to-end configuration of an Intune environment, incorporating best practices and utilizing the latest functionalities. In addition to setting up your environment, you’ll delve into the Microsoft Graph platform to understand the underlying mechanisms behind the web GUI. This knowledge will enable you to automate a significant portion of your daily tasks using PowerShell. By the end of this book, you’ll have established an Intune environment that supports Windows, Apple iOS, Apple macOS, and Android devices. You’ll possess the expertise to add new configurations, policies, and applications, tailoring an environment to your specific requirements. Additionally, you’ll have the ability to troubleshoot any issues that may arise and package and deploy your company applications. Overall, this book is an excellent resource for anyone who wants to learn how to use Microsoft Intune to manage their organization's end-user devices.

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the example code files

Download a free PDF copy of this book

Free Chapter

Chapter 1: Getting Started with Microsoft Intune

Technical requirements

Chapter materials

Creating a tenant

Creating a user

Assigning Entra ID roles

Configuring Entra ID Device settings

Configuring Entra ID ESR

Creating Entra ID static groups

Creating Entra ID dynamic groups

Configuring Entra ID MDM/MAM scopes

Chapter 2: Configuring Your New Tenant for Windows Devices

Technical requirements

Chapter materials

Configuring a Settings catalog policy

Configuring a custom policy

Importing and ingesting an ADMX policy

Group policy analytics

Chapter 3: Securing Your Windows Devices with Security Policies

Technical requirements

Chapter materials

Setting up a security baseline

Configuring an antivirus policy

Configuring Windows Security Experience

Configuring your BitLocker policy

Configuring Windows Firewall

Deploying ASR rules

Enrolling in Defender for Endpoint

Deploying Windows LAPS

Configuring Application Control

Chapter 4: Setting Up Enrollment and Updates for Windows

Technical requirements

Building your update rings – including feature and quality updates

Configuring driver updates

Enrolling and using Autopatch

Configuring Windows Hello for Business

Setting up Windows Autopilot Enrollment Profiles

Configuring an ESP

Enrolling a Windows device

Chapter 5: Android Device Management

Chapter materials

Technical requirements

Setting up a managed Google Play account

Configuring enrollment profiles

Adding a Google Play application

Configuring a device restrictions policy

Configuring an OEM policy

Configuring a Wi-Fi policy

Adding an app protection policy

Enrolling an Android device – managed device

Enrolling an Android device – BYOD

Chapter 6: iOS Device Management

Chapter materials

Important notes

Technical requirements

Configuring a connector between Apple and Intune

Configuring an Apple VPP token

Adding enrollment profile tokens

Configuring iOS policies using the settings catalog

Configuring iOS policies using device restrictions

Deploying applications via Apple VPP

Configuring iOS update settings

Configuring an app protection policy

Enrolling your device – corporate

Enrolling your device – BYOD

Chapter 7: macOS Device Management

Chapter materials

Important notes

Technical requirements

Configuring a macOS Settings catalog policy

Deploying shell scripts to macOS

Configuring update policies for macOS

Deploying apps to macOS

Configuring a macOS enrollment profile

Enrolling your corporate device

Chapter 8: Setting Up Your Compliance Policies

Technical requirements

Chapter materials

Configuring notification templates

Deploying a Windows compliance policy

Deploying an Android compliance policy

Deploying an iOS compliance policy

Deploying a macOS compliance policy

Deploying a Linux compliance policy

Configuring and deploying a Windows custom compliance policy

Using conditional access to restrict access based on compliance

Chapter 9: Monitoring Your New Environment

Technical requirements

Monitoring applications

Monitoring device configuration

Monitoring device compliance

Monitoring device enrollment

Monitoring updates across platforms

Monitoring device actions

Reviewing audit logs

Chapter 10: Looking at Reporting

Technical requirements

Checking device management reports

Reviewing endpoint security reports

Reviewing endpoint analytics reports

Using Intune Data Warehouse with Power BI

Checking Windows updates via reporting

Expanding Windows Update reporting

Exporting diagnostics to Azure

Chapter 11: Packaging Your Windows Applications

Chapter materials

Technical requirements

Using the Microsoft Store integration

Packaging into MSIX

Packaging Win32 applications

Managing app supersedence and dependencies

Deploying Office applications

Updating Office applications

Windows app protection

Chapter 12: PowerShell Scripting across Intune

Technical requirements

Deploying Platform scripts

Configuring Remediations

Using custom detection scripts in apps

Using custom requirements scripts in apps

Chapter 13: Tenant Administration

Technical requirements

Reviewing your connectors

Adding filters

Configuring Intune roles

Using scope tags

Customizing the end user experience

Deploying organizational messages

Setting up terms and conditions

Configuring multi-admin approvals

Checking your tenant version

Using Intune’s troubleshooting tools

Enrollment notifications

Configuring device restrictions

Configuring Quiet time policies

Chapter 14: Looking at Intune Suite

Technical requirements

Chapter materials

Deploying and using Remote help

Learning about Microsoft Tunnel for Mobile Application Management

Reviewing device anomalies

Configuring Endpoint Privilege Management

Future developments

Index

Why subscribe?

Other Books You May Enjoy

Packt is searching for authors like you

Share Your Thoughts

Download a free PDF copy of this book

Customer Reviews

5 star

4 star

3 star

2 star

1 star

Configuring Entra ID MDM/MAM scopes

The last thing we must do before we move on to Intune is allow our users to enroll devices into Mobile Device Management (MDM) and, if required, Mobile Application Management (MAM).

MDM is for enrolling your corporate-owned devices into Intune, while MAM is for your bring-your-own devices (BYODs). MAM uses Windows Information Protection (WIP), which is only supported on Android and iOS, but we can block personal Windows devices within Intune so that we can still set this to everyone and let Intune handle the rest.

How to do it…

Follow these steps to configure your Entra ID MDM and MAM scopes:

Within Microsoft Entra ID, expand Settings and click on Mobility.
Within the Mobility portal, click Microsoft Intune:

Figure 1.12 – The Mobility (MDM and MAM) screen

For this environment, set them both to All. Note you can restrict by groups – for example, only allowing users with an Intune license based on a dynamic group, or block users from enrolling completely. Leave the default URLs as is and then click Save.

With that, we have configured our Microsoft Entra environment for device enrollment.

Automating it

This is a tricky one to automate. Not only does it use the IAM API that we used for ESR, but the MDM application ID is also tenant-specific.

Let us build a PowerShell script to automate these settings:

First, in your browser window, look in the address bar and grab the ID:

Figure 1.13 – Address bar object ID

Set the necessary variables, including this ID. A setting of 2 means enabled for all, while 0 means disabled:
```
$MDMstatus = 2
$MAMstatus = 2
$policyid = "Policy ID grabbed from browser"
```

Populate the JSON. As with the Entra ID device settings, we are manipulating the default values so that we can retrieve the current JSON with a GET request. In this case, we are only changing two settings; everything else remains the same:

$json = @"
{
    "appCategory": "Mdm",
    "appData": {
        "complianceUrl": "https://portal.manage.microsoft.com/?portalAction=Compliance",
        "enrollmentUrl": "https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc",
        "mamComplianceUrl": "",
        "mamEnrollmentUrl": "https://wip.mam.manage.microsoft.com/Enroll",
        "mamTermsOfUseUrl": "",
        "termsOfUseUrl": "https://portal.manage.microsoft.com/TermsofUse.aspx"
    },
    "appDisplayName": "Microsoft Intune",
    "appId": "0000000a-0000-0000-c000-000000000000",
    "isOnPrem": false,
    "logoUrl": null,
    "mamAppliesTo": $MAMstatus,
    "mamAppliesToGroups": [],
    "mdmAppliesTo": $MDMstatus,
    "mdmAppliesToGroups": [],
    "objectId": "$policyid",
    "originalAppData": {
        "complianceUrl": "https://portal.manage.microsoft.com/?portalAction=Compliance",
        "enrollmentUrl": "https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc",
        "mamComplianceUrl": "",
        "mamEnrollmentUrl": "https://wip.mam.manage.microsoft.com/Enroll",
        "mamTermsOfUseUrl": "",
        "termsOfUseUrl": "https://portal.manage.microsoft.com/TermsofUse.aspx"
    }
}
"@

Set the URL:

$url = "https://main.iam.ad.ext.azure.com/api/MdmApplications
/$policyid?mdmAppliesToChanged=true&mamAppliesToChanged=true"

Authenticate against the IAM API:

##Create Access Token
$clientid = "1950a258-227b-4e31-a9cf-717495945fc2"
$response = Invoke-RestMethod -Method POST -UseBasicParsing -Uri "https://login.microsoftonline.com/$tenantId/oauth2/devicecode" -ContentType "application/x-www-form-urlencoded" -Body "resource=https%3A%2F%2Fmain.iam.ad.ext.azure.com&client_id=$clientId"
Write-Output $response.message
$waited = 0
while($true){
    try{
        $authResponse = Invoke-RestMethod -uri "https://login.microsoftonline.com/$tenantId/oauth2/token" -ContentType "application/x-www-form-urlencoded" -Method POST -Body "grant_type=device_code&resource=https%3A%2F%2Fmain.iam.ad.ext.azure.com&code=$($response.device_code)&client_id=$clientId" -ErrorAction Stop
        $refreshToken = $authResponse.refresh_token
        break
    }catch{
        if($waited -gt 300){
            Write-Verbose "No valid login detected within 5 minutes"
            Throw
        }
        #try again
        Start-Sleep -s 5
        $waited += 5
    }
}
$response = (Invoke-RestMethod "https://login.windows.net/$tenantId/oauth2/token" -Method POST -Body "resource=74658136-14ec-4630-ad9b-26e160ff0fc6&grant_type=refresh_token&refresh_token=$refreshToken&client_id=$clientId&scope=openid" -ErrorAction Stop)
    $resourceToken = $response.access_token

Create the headers:

$Headers = @{
    "Authorization" = "Bearer " + $resourceToken
    "Content-type"  = "application/json"
    "X-Requested-With" = "XMLHttpRequest"
    "x-ms-client-request-id" = [guid]::NewGuid()
    "x-ms-correlation-id" = [guid]::NewGuid()
}

Configure the policy:

Invoke-RestMethod -Uri $url -Headers $Headers -Method PUT -Body $json -ErrorAction Stop

We now have a script to amend the MDM and MAM enrollment scopes.

Microsoft Intune Cookbook

By : Andrew Taylor

Microsoft Intune Cookbook

By: Andrew Taylor

Overview of this book

Related Content you might be interested in

Current Title:

Microsoft Intune Cookbook

Mastering Microsoft Intune

Mastering Microsoft Endpoint Manager

Mastering Windows Security and Hardening

Configuring Entra ID MDM/MAM scopes

How to do it…

Automating it