Ultimate Microsoft Intune for Administrators: Master Enterprise Endpoint Security and Manage Devices, Apps, and Cloud Security with Expert Microsoft Intune Strategies (English Edition)
Ebook, 1,065 pages, 7 hours


About this ebook

Practical Tips and Real-World Solutions for Administering Microsoft Intune.

Key Features

● Acquire hands-on expertise in device enrollment and management.
● Develop robust security and compliance strategies with Intune.
● Gain insights into application deployment, monitoring, and reporting.

Book Description

Ultimate Microsoft Intune for Administrators is
Language: English
Publisher: Orange Education Pvt. Ltd
Release date: Mar 25, 2025
ISBN: 9789348107039

    Book preview

    Ultimate Microsoft Intune for Administrators - Paul Winstanley

    CHAPTER 1

    Introduction to Microsoft Intune

    Introduction

    This chapter will cover what Microsoft Intune is, what it can help you deliver and achieve, and the prerequisite requirements for the platform. This chapter will give you a core understanding of the platform and will introduce you to some of the terminology and technology that we will be using throughout the book.

    Within this chapter, we will not be deep-diving into the technology areas, as the following chapters will deliver this information in a structured format. We will, however, discuss licensing, device management concepts, and the core capabilities of the platform.

    Structure

    In this chapter, we will discuss the following topics:

    Understanding Microsoft Intune

    Device Management Concepts

    Licensing Requirements

    Platform Capabilities

    Understanding Microsoft Intune

    Microsoft Intune is a cloud-based endpoint management platform that allows organizations to manage multiple device platforms from a single solution. Intune can be used to manage Windows, macOS, Linux, iOS, and Android devices. It offers the ability to manage device policy, device security, and applications for your entire estate.

    Microsoft Intune as a platform comprises multiple products such as Intune, Intune Suite, Microsoft Endpoint Configuration Manager, and Windows Autopilot.

    Device Management Concepts

    Microsoft Intune can manage physical, virtual, and cloud computing resources anywhere they have the required connectivity. In this section, we will provide an overview of the management concepts used by organizations and provide insight into the pros and cons of each concept.

    Hybrid Joined

    Hybrid joining devices to Entra ID is a great first step into the world of cloud management of your endpoint devices. If your organization currently has an on-premises Active Directory Domain Services (AD DS) environment, you can Entra Hybrid Join devices to make use of the benefits that cloud-joined devices bring, such as SSO into cloud apps, Conditional Access, Cloud Managed Encryption keys, Microsoft Intune management, and so much more.

    Hybrid Join is only supported on Windows 10 and 11, excluding home editions of the products, and can be provisioned through Microsoft Entra Connect, AD FS Configuration, or using Windows Autopilot Hybrid Join profiles.

    Hybrid Joined devices can still make use of their traditional configuration in Active Directory Group Policy for configuring endpoints with policies and applications without any additional configuration required.

    Using a hybrid joined device strategy should be the first step towards cloud management of endpoints, with a view towards making devices cloud native in the longer term. Some organizations do require devices to be hybrid joined because of application, network, or security requirements; however, it is recommended that each such requirement be reviewed individually to help your organization modernize.

    Pros

    Hybrid Join is a great first step into the cloud management of endpoints.

    Organizations can enable this without having to migrate policies.

    Enables SSO into Cloud Apps.

    Allows the use of Conditional Access.

    Cons

    Policy Configurations require line-of-sight to the on-premises Domain.

    Devices can lose the domain trust relationship without frequent connectivity.

    Cloud Native

    Cloud Native endpoints, in reference to this book, are related to those devices that are Entra ID Joined only and have no hybrid identity within Active Directory Domain Services (AD DS).

    Being cloud native does not mean that you are unable to access on-premises resources from the endpoint; it just means that the device is not joined or managed by the AD DS domain.

    In the modern workspace, the landscape of devices is constantly evolving; for example, today organizations not only use Windows laptops and desktops, but environments also often consist of macOS, iOS, Android, Windows, and Linux devices. If we think about a diverse landscape, domain joining resources is not always achievable, and as a result, applications and resource access are diversifying to support the movement to a modern workplace.

    Moving towards a cloud-native strategy can also help organizations reduce and remove the burden of technical debt by redesigning and rethinking their policies and posture towards device management. This shift often allows organizations to embed security controls at the core of their environment while having the ability to ensure that end-user productivity is not impacted.

    Having cloud-native endpoints allows your organization to move faster: devices can be shipped directly to users, reset and redeployed remotely, and used productively from anywhere at any time, while the IT Administrator and the organization retain the ability to protect their data.

    Being cloud-native does not mean that the devices are unable to access on-premises resources with their identities; it simply means that there is no dependency on the on-premises infrastructure to manage the device security and policies. The removal of this reliance allows organizations to respond to threats and vulnerabilities faster by deploying the settings from the cloud, without the device having to connect to a VPN or the internal network to receive such updates.

    Bring Your Own Device (BYOD)

    Bring Your Own Device (BYOD) has been around for many years, and it has often been a struggle for organizations and IT Administrators. Users often like to use their personal devices, such as smartphones, to access their data, which provides a data security challenge for organizations.

    BYOD devices are not owned by the organization but by the individual registering the device into the management platform, and several device management capabilities may be restricted as a result of BYOD enrollment.

    For example, if a personal macOS device is enrolled in Intune by the end user, any settings that require the device to be supervised will not apply to that device.

    If a personal Windows device does not have a certain Stock Keeping Unit (SKU), such as Windows 10/11 Professional or Enterprise, some configuration capabilities will not be applicable.

    There is an alternate option available to enable a BYOD experience to access corporate applications and data, which is called Mobile Application Management (MAM), or more specifically MAM-WE (Without Enrollment). MAM-WE is only applicable to iOS, Android, and Windows operating systems and can be configured via Microsoft Intune.
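    The three device states described above (Hybrid Joined, Cloud Native/Entra joined, and a personally registered BYOD device) can be told apart on a Windows endpoint from the output of the built-in dsregcmd /status command. The following PowerShell is an added example written for this edition, not code from the book or from Microsoft: it parses the "Key : Value" lines that dsregcmd prints (AzureAdJoined, DomainJoined, WorkplaceJoined, MdmUrl and TenantName are dsregcmd's own field names), classifies the join type, and reports whether the device is MDM-enrolled. The sample output embedded below is constructed so the parser can be exercised without a real device.

```powershell
# Added example (not from the book): classify a Windows device's join state and
# MDM enrollment from dsregcmd /status output. Field names come from dsregcmd.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    # dsregcmd prints "Key : Value" lines under banner sections; keep only the
    # key/value lines and collapse them into a hashtable.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-DeviceJoinType {
    param([Parameter(Mandatory)][hashtable]$State)
    $aadJoined    = $State['AzureAdJoined']   -eq 'YES'
    $domainJoined = $State['DomainJoined']    -eq 'YES'
    $registered   = $State['WorkplaceJoined'] -eq 'YES'

    # Hybrid Joined = joined to both AD DS and Entra ID; Cloud Native = Entra ID
    # only; WorkplaceJoined = Entra registered (the BYOD/personal case).
    if ($aadJoined -and $domainJoined) { $join = 'Hybrid Joined' }
    elseif ($aadJoined)               { $join = 'Cloud Native (Entra joined)' }
    elseif ($registered)              { $join = 'Entra registered (BYOD)' }
    elseif ($domainJoined)            { $join = 'On-premises AD DS only' }
    else                              { $join = 'Not joined' }

    # MdmUrl is populated only once the device is enrolled into an MDM. An empty
    # value on a corporate device usually means enrollment has not happened yet
    # (for example, MDM user scope set to None, or the user has no Intune license).
    $mdmEnrolled = -not [string]::IsNullOrWhiteSpace($State['MdmUrl'])

    [pscustomobject]@{
        JoinType    = $join
        MdmEnrolled = $mdmEnrolled
        MdmUrl      = $State['MdmUrl']
        TenantName  = $State['TenantName']
    }
}

# Constructed, abbreviated sample standing in for a hybrid joined, Intune-enrolled
# device; replace with the live output when running on a real endpoint.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : Contoso (constructed)
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : NO
'@ -split "`r?`n"

Get-DeviceJoinType -State (ConvertFrom-DsregStatus -Lines $sample)

# On a real device, feed the live output instead of the sample:
# Get-DeviceJoinType -State (ConvertFrom-DsregStatus -Lines (dsregcmd /status))
```

    With the constructed sample the function reports JoinType "Hybrid Joined" and MdmEnrolled true. Running it with the live dsregcmd output is a quick way to confirm, during a hybrid-to-cloud-native migration, which state a given device actually landed in and whether Intune enrollment completed.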

    Licensing Requirements

    Licensing for Microsoft products is not always the easiest to understand, leaving businesses with licensed features they do not use and/or need.

    Microsoft Intune has two plans, simply called Intune Plan 1 and Intune Plan 2. There is an additional add-on called Intune Suite, which is also available for purchase alongside Intune Plan 1 or 2.

    There is a community website called M365 Maps (https://m365maps.com) that helps visualize and compare Microsoft licensing products. We would recommend having a review of the license structures here if a visual representation would provide a deeper understanding.

    Intune Plan 1

    Microsoft Intune Plan 1 offers core cross-platform management capabilities such as endpoint management, endpoint security, Mobile Application Management (MAM), and Microsoft Configuration Manager. Microsoft Configuration Manager is not applicable to anyone with Business Premium licenses.

    Intune Plan 1 is included in the following licenses:

    Microsoft 365 E5

    Microsoft 365 E3

    Enterprise Mobility + Security E5

    Enterprise Mobility + Security E3

    Microsoft 365 Business Premium

    Microsoft 365 F1

    Microsoft 365 F3

    Microsoft 365 Government G5

    Microsoft 365 Government G3

    Microsoft Intune for Education

    Intune Plan 2

    Microsoft Intune Plan 2 is an extension of Microsoft Intune Plan 1. Plan 2 does not include the core capabilities and should be purchased alongside Plan 1. Plan 2 provides the addition of the following products, which are not available for purchase as singular add-ons.

    Microsoft Intune Tunnel for Mobile Application Management, which offers you a lightweight VPN solution for iOS and Android-based devices without requiring Device Enrollment.

    Microsoft Intune Management of Specialty Devices, which offers an extended range of configuration, management, and security features for specialty devices such as Virtual Reality Headsets, Smart-Screen devices, and conference room devices.

    Microsoft Intune Firmware-Over-The-Air (FOTA) Updates, which offer organizations the ability to manage mobile device firmware updates for selected platforms via Intune.

    Intune Suite

    Microsoft Intune Suite is an add-on to Microsoft Intune Plan 1, which includes all the features of Microsoft Intune Plan 2 with the addition of the following products.

    Microsoft Intune Remote Help

    Microsoft Intune Endpoint Privilege Management (EPM)

    Microsoft Intune Advanced Analytics

    Microsoft Intune Enterprise Application Management

    Microsoft Cloud PKI

    All of these capabilities, apart from the products included in Intune Plan 2, are available to purchase as singular add-ons if your organization does not want to purchase the entire Intune Suite. However, if you are looking to purchase more than three of these capabilities, it may be worth purchasing the entire suite for cost efficiency.

    We will be revisiting these capabilities in a chapter dedicated to Intune Suite later in this book.

    Platform Capabilities

    Microsoft Intune is made up of various capabilities, combined within a single platform. These capabilities are highlighted in the following subheadings to aid you in having a high-level understanding of these capabilities.

    Cross-Platform Endpoint Management

    As mentioned throughout this chapter, Microsoft Intune provides cross-platform endpoint management, ranging from Windows, iOS, Android, and macOS to Linux-based devices.

    If you have laptops, tablets, desktops, and, in some cases, wearable devices, Microsoft Intune offers a cloud-based platform that can help organizations take control of their fleet through granular configuration and security policies.

    Microsoft Intune is integrated with Microsoft Entra ID, which allows organizations to track device compliance states and use tools such as Conditional Access to manage access to corporate apps and resources to provide a more robust security posture.

    Mobile Application Management (MAM)

    Mobile Application Management (MAM) is used to provide additional protection to your organization’s resources and data by providing security and policies at the application layer.

    MAM policies are a great addition to the security arsenal for both managed and unmanaged devices. MAM-WE (Without Enrollment) allows organizations to extend their reach to non-corporate devices by enforcing app-level, user-targeted policies to secure and control access to corporate resources and data.

    Application Deployment and Configuration

    New and longstanding organizations often require a varied set of applications to be deployed across their fleet and often across multiple device platforms.

    Microsoft Intune has integrations with Apple, Google, and the Microsoft Store to offer a streamlined and simple way to deploy applications to your multi-platform fleet. Intune also offers the ability to use custom applications across different platforms; for example, on Windows, it is possible to wrap your custom application package as a Win32 application and deploy it via Intune. For macOS, Intune supports the deployment of applications using PKG and DMG file formats, ensuring seamless integration and management. iOS and Android require you to upload the custom app to their services prior to publishing via Intune.

    Microsoft has recently released a new feature called Microsoft Intune Enterprise Application Management. This feature is designed to help organizations discover, deploy, and update applications easily and at scale without the IT Admin having to package the applications themselves.

    Device Provisioning and Enrollment

    In a traditional environment, IT Administrators usually create and use "Gold Image" Task Sequences or other device imaging processes to prepare devices for end users. This process could often take hours and can leave the end user frustrated if they are waiting for a device replacement.

    In the modern workplace, there is still a need for device imaging when moving towards a cloud-native strategy or for device replacements; however, with Microsoft Intune and Windows Autopilot, there is not necessarily a need to create complex imaging solutions, although it is possible to image a device using imaging solutions and then allow the user to provision the device with Windows Autopilot.

    Windows Autopilot is a device provisioning technology provided with Intune that allows organizations to deploy scripts, applications, and configurations to a device prior to the end user being able to use it, all without wiping and reloading the operating system.

    Apple devices can also be synchronized from Apple Business or School Manager by using Automated Device Enrollment, which then allows administrators to configure enrollment policies and assign configuration profiles without having to be involved in the process.

    Android devices offer a Zero-Touch Enrollment (ZTE) service (https://g.co/zerotouch) to help organizations deploy Android devices with predefined configurations and get end users up and running with their mobile devices at speed. Enterprises that have not enrolled in Android ZTE commonly enroll their corporate devices using a QR code or an enrollment token.

    Linux devices require the IT Admin to install the Microsoft Intune application and then enroll them via the Microsoft Intune App to be managed by the IT Administrator.

    Endpoint Analytics

    Endpoint Analytics gives organizations insights and measurements on the quality and end-user experience scores for your device fleet. These scores and insights can help IT Administrators be more proactive in preventing help desk support tickets relating to poorly performing applications and/or devices.

    Endpoint Analytics measures startup performance, battery health, operating system restart history, application reliability and performance, Windows 11 eligibility, and so much more. These analytics can be reviewed at model or device level to help administrators assess the impact within their estate.

    Endpoint Analytics can also be used to baseline an environment score prior to making significant changes to your fleet, which will provide you insights and an overview of the impact changes are having within the environment on end-user experience.

    Microsoft Defender for Endpoint

    Microsoft Defender for Endpoint (MDE) is a security platform designed to help prevent, detect, and respond to endpoint threats. MDE uses a combination of endpoint behavior, cloud security analytics, and threat intelligence to actively monitor and protect endpoints from threats.

    Microsoft Defender for Endpoint also offers the ability to have a direct connection to Microsoft Intune, which allows IT Administrators to view devices and policies for your endpoints, including Windows, iOS, Android, and macOS devices.

    Windows 365 Cloud PCs

    IT Administrators have been managing and maintaining Virtual Desktop Infrastructure (VDI) environments for many years, offering virtualized solutions for Disaster Recovery (DR), Controlled Partner Access, Privileged Access Workstations (PAWs), and various other scenarios.

    Managing the infrastructure and VDI platform can be laborious and often a thankless exercise when performing upgrades and routine maintenance. With that in mind, Microsoft developed a solution called Windows 365 that is integrated with Microsoft Intune.

    Windows 365 offers a Platform as a Service (PaaS) offering for virtualized compute resources called Cloud PCs. Windows 365 can reduce administrative burdens and allow organizations to build virtual cloud endpoints by assigning a user a license.

    In addition to the dedicated Windows 365 Cloud PC offering, Microsoft offers Windows 365 Frontline licensing and capabilities. Windows 365 Frontline allows organizations to save licensing costs where a user does not need 24/7 access to the resource. Frontline licensing allows you to provision three Cloud PCs, each allowing one concurrent connection. The Windows 365 Frontline offering is a great fit for shift workers, distributed workforces across time zones, and short-lived sessions.

    Endpoint Security

    Organizations today face a wide range of security threats that require robust and flexible solutions to protect their digital environments. The Endpoint Security node in the Microsoft Intune console provides a comprehensive suite of tools to enhance your organization’s security posture. Administrators can configure and manage security baselines, deploy antivirus policies, and implement device compliance policies all from a single, intuitive interface. By utilizing the Endpoint Security node, organizations can ensure consistent security measures across their entire device fleet, minimizing vulnerabilities and enhancing overall protection.

    Security Baselines

    Microsoft Intune’s Security Baselines feature offers pre-configured security settings to help organizations quickly implement and enforce security best practices across their devices. This feature simplifies the process of securing devices by providing predefined baseline policies that can be easily deployed and managed. The available security baselines include the Microsoft Defender for Endpoint baseline, the Microsoft Edge baseline, and the Windows 10 and later baseline. Each baseline is tailored to address specific security needs, ensuring comprehensive protection and compliance with industry standards. By leveraging these security baselines, organizations can enhance their security posture with minimal effort, ensuring consistent and effective security configurations across their entire device fleet.

    Reporting

    Intune’s robust reporting capabilities provide detailed insights into areas such as security compliance, device health, and application deployment status, enabling administrators to make informed decisions and maintain a secure and efficient IT environment.

    Examples of available reports include the Device Compliance report, which shows the compliance status of all managed devices, and the Group Policy Analytics report, which helps administrators assess the impact of migrating traditional group policies to modern management with Intune.

    Conclusion

    In this chapter, we reviewed the Microsoft Intune platform capabilities, licensing, and device management concepts and gave you an understanding at a high level of what Microsoft Intune is.

    The information in this first chapter will be expanded on and dived into as we progress through this book to give you a deeper understanding of these capabilities and concepts.

    In the next chapter, we will look at getting started with Microsoft Intune, configuring a greenfield tenant, and giving you an overview of the Administration console that we will use throughout the book.

    Multiple Choice Questions

    What Device Platforms can Intune Manage?

    a. Windows, iOS, macOS, Chromebook

    b. Android, iOS, macOS, Linux, Chromebook

    c. Windows, iOS, Android, macOS

    d. Windows, Android, macOS, Linux, iOS

    Which License does not include Microsoft Configuration Manager?

    a. Microsoft 365/Enterprise Mobility + Security E3

    b. Microsoft Business Premium

    c. Microsoft 365/Enterprise Mobility + Security E5

    d. Microsoft 365 Intune for Education

    Which Licenses are not available for purchase as singular add-ons?

    a. Microsoft Intune Tunnel for MAM/Specialty Device Management/FOTA Updates

    b. Specialty Device Management/FOTA Updates/Remote Help

    c. Cloud PKI/Tunnel for MAM/Endpoint Privilege Management

    d. Advanced Analytics/Remote Help/Advanced Analytics

    Which service is used to deliver Cloud PCs as a PaaS offering?

    a. Azure Virtual Desktop

    b. Windows 365

    c. DevTest Labs

    d. Remote Desktop Services (RDS)

    Answers

    d

    b

    a

    b

    Questions

    What is the difference between Hybrid Joined and Cloud Native Devices?

    What is an alternative option to BYOD to access corporate data?

    What Intune Plan 2 or Intune Suite features could replace third-party products for license consolidation?

    Keywords

    BYOD: Bring your own device, relating to an end-user's personally owned device.

    MAM/MAM-WE: Mobile Application Management (Without Enrollment).

    Entra: Microsoft Entra is an Identity and Access management service.

    AD DS: Active Directory Domain Services.

    MDE: Microsoft Defender for Endpoint.

    Greenfield Tenant: This refers to a brand-new, unconfigured environment.

    CHAPTER 2

    Getting Started with Microsoft Intune

    Introduction

    In this chapter, we will embark on the journey of configuring your Microsoft Intune tenant from the ground up. We will review the web portal in depth and discuss how to navigate it to ensure that you understand where to find Devices, Applications, Configurations, and more.

    Alongside configuring your tenant, we will talk through the distinctions and differences between Mobile Application Management (MAM) and Mobile Device Management (MDM) to empower you to make the right choice for managing your estate across Corporate and BYOD devices.

    By the end of this chapter, you should have the foundations in place for the rest of this book and for the future of your Intune Tenant management.

    Structure

    In this chapter, we will discuss the following topics:

    Prerequisites and Assumptions

    Custom Domain Configuration

    Configuring your Intune Tenant

    Intune Roles

    Prerequisites and Assumptions

    To get started with Microsoft Intune, we need to ensure that we have the following prerequisites in place:

    Microsoft Entra ID: Formerly known as Azure Active Directory, Entra ID is an Identity platform provided by Microsoft. Entra ID is used for User, Group, and Device identity management. There are varied levels of licensing for Microsoft Entra ID, and whilst it is possible to use the free tier, it is recommended that you look to purchase Entra ID P1 or P2 for additional capabilities such as Conditional Access, Multi-Factor Authentication (MFA), and dynamic group membership.

    Microsoft Intune Licensing: To use Microsoft Intune, we must ensure our users are licensed for it. In Chapter 1, Introduction to Microsoft Intune, we discussed various Intune licensing plans, and it is recommended that you review and purchase the right license for your organizational objectives. Without the correct licenses, features your organization wishes to use may not be available to it.

    As we progress through this book, there will be other associated prerequisites in each chapter, but right now, our focus is configuring a basic Microsoft Intune tenant to allow us to continue building out our device management platform for our needs.

    As authors, we assume that Microsoft Intune is suitable for managing your devices and operating system versions. Please visit the following link to review the supported devices and browsers and ensure you have the most up-to-date version.

    https://learn.microsoft.com/en-us/mem/intune/fundamentals/supported-devices-browsers.

    Custom Domain Configuration

    When an organization signs up for its Microsoft 365 tenant, the tenant is given a .onmicrosoft.com domain prefixed with the company name. As shown in Figure 2.1, this domain will also be configured as your initial default domain.

    Figure 2.1: Default Domain Name

    Custom Domains are a great way to personalize your tenant and ensure that you can use your organization’s domain for things such as User Principal Names (UPNs), E-Mail Addresses, and so on.

    Before proceeding to add a domain, you must ensure you have already purchased the domain and have the rights to add DNS Records for the purposes of registration and verification.

    If you and your organization already have Microsoft 365 configured with your organization’s domain name, then this section will serve as a refresher.

    Let us get a domain added.

    Browse to https://admin.microsoft.com.

    In the left-hand pane, click Show all.

    Expand the Settings drop-down and click Domains.

    Click Add domain from the ribbon.

    Enter your domain name in the box provided, and then click Use this domain.

    Figure 2.2: Add a Domain

    Before proceeding to the next step, it is important to highlight that Microsoft offers a service to automatically perform the changes for you. However, this does not span all domain hosting services. For this book, we will manually complete the configuration to ensure you are comfortable with that process.

    Figure 2.3: Automatic Verification

    Click More options, select Add a TXT record to the domain's DNS records, and then click Continue.

    Figure 2.4: Add a TXT Record to the Domain

    Log in to your domain host and find the DNS records.

    Follow the guidance to add a TXT record to your top-level domain. (The following example is from a UK-based provider, TSOhost. Your domain provider will likely be different.)

    Figure 2.5: Add a TXT Record to TSOhost Domain

    Click Verify.

    Once verified, review the information on screen and then click Continue.

    At this point, you will be prompted about configuring records for Exchange; if this is something you will be using, follow the information within the guided process. However, it is not required for the rest of this book, so it can be skipped.

    Once complete or skipped, click Done.

    Configuring Your Intune Tenant

    Let us get started with the first steps on our journey, the initial configuration steps. In this section, we will provide step-by-step guidance for configuring your tenant to allow device enrollment and prepare for device management.

    First, open your web browser and navigate to the Intune web console at https://intune.microsoft.com. When you first navigate to the Intune console, you will be presented with something similar to Figure 2.6.

    Figure 2.6: Microsoft Intune Landing Page

    This is the landing page of Microsoft Intune; in the left-hand pane, we see all of the blades within the Intune console, which we will be using throughout the rest of this book.

    MDM Authority

    The Mobile Device Management (MDM) authority setting determines how your organization manages devices in the Microsoft ecosystem. Until the MDM authority is configured, users cannot enroll their devices for management. Let us start by checking what our MDM authority is configured as.

    Navigate to Tenant administration in the left-hand pane. This will display your tenant details, as shown in Figure 2.7. In this highlighted area, you will see that our MDM Authority is set to Microsoft Intune.

    Figure 2.7: Microsoft Intune Tenant Details – MDM Authority

    There are various values that this could be set to:

    Microsoft Intune

    Basic Mobility

    Security for Microsoft 365

    Basic Mobility and Security for Microsoft 365 are used to help you secure and manage mobile devices such as iPhones, iPads, Android devices, and Windows phones. This book will not delve into the difference between these MDM Authorities; however, the information can be found using this URL: https://learn.microsoft.com/en-us/microsoft-365/admin/basic-mobility-security/overview?view=o365-worldwide.

    If your tenant is not configured as Microsoft Intune, which could be the case if you have used Microsoft Purview to assign Basic Mobility and Security settings, you will need to follow the steps detailed in this link: https://learn.microsoft.com/en-us/mem/intune/fundamentals/mdm-authority-set.

    MDM User Scopes

    The MDM user scopes within Microsoft Entra allow you to configure automatic enrollment into Microsoft Intune when a device is joined to Entra ID. This enrollment can take place on both personal and corporate devices, and the automatic enrollment can be used in the following scenarios.

    Bring-your-own-device (BYOD)

    Bulk Device Enrollment

    Group Policy Enrollment

    Windows Autopilot Provisioning

    Configuration Manager Co-Management

    The MDM scope only applies to Windows 10 and 11 devices and can be configured to None, Some, or All. Configuring this setting to None will not automatically enroll devices into Microsoft Intune, while setting it to All will automatically enroll all eligible devices into Microsoft Intune. Configuring this setting as Some will allow you to specify a User group to automatically enroll devices.

    As documented by Microsoft, if your desire is to enable automatic enrollment for Windows BYOD Devices, ensure that the WIP Scope is set to None or Some, ensuring that there is no overlap of the users in scope.

    To view and manage the MDM user scope, follow these steps:

    Navigate to https://entra.microsoft.com.

    In the left-hand pane, click Show more.

    Click Settings | Mobility.

    Click Microsoft Intune.

    Figure 2.8: MDM User Scopes

    In Figure 2.8, we can see that the default MDM and WIP user scope settings are None. During testing, set the MDM scope to Some and target only specific users in one or more Entra ID groups, which gives you confidence that devices outside the pilot will not enroll into Intune. As you progress towards a production deployment, you can set it to All; it is also fine to leave it at Some, in which case we would advise a Dynamic Group (covered in Chapter 3, Group Management and Assignment Filters) whose membership rules on user properties define who is permitted to enroll automatically.

    Note: Automatic enrollment will only occur if the user holds a license that includes Microsoft Intune.

    If you need to change the scope, ensure you click Save prior to navigating away from this page.
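    The overlap rule above is easy to get wrong once several groups are involved, so it is worth checking from the tenant rather than by eye. The following script is an added example, not code from the book: it reads the MDM and MAM user scopes on the Microsoft Intune mobility policy through Microsoft Graph and warns when a group sits in both. It assumes the Microsoft.Graph PowerShell SDK, the v1.0 policies/mobileDeviceManagementPolicies and mobileAppManagementPolicies endpoints, and that the policy id is the well-known Intune application id; verify these against the current Graph documentation and your tenant before relying on the output.

```powershell
# Added example (not from the book): read the MDM and MAM user scopes on the
# Microsoft Intune mobility policy and report any group that sits in both.
# Assumptions: Microsoft.Graph SDK installed; v1.0 mobility policy endpoints;
# the policy id below is the well-known Intune application id (verify).

Connect-MgGraph -Scopes 'Policy.Read.All', 'Group.Read.All' -NoWelcome

$intunePolicyId = '0000000a-0000-0000-c000-000000000000'
$graph          = 'https://graph.microsoft.com/v1.0/policies'

function Get-MobilityScope {
    # Returns the portal's None/Some/All (Graph: none/selected/all) and, for
    # "Some", the groups behind it, for either the MDM or MAM (WIP) collection.
    param(
        [ValidateSet('mobileDeviceManagementPolicies', 'mobileAppManagementPolicies')]
        [string]$Collection
    )
    $policy = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
        -Uri "$graph/$Collection/$intunePolicyId"
    $groups = @()
    if ($policy.appliesTo -eq 'selected') {
        $groups = (Invoke-MgGraphRequest -Method GET -OutputType PSObject `
            -Uri "$graph/$Collection/$intunePolicyId/includedGroups").value
    }
    [pscustomobject]@{
        Collection = $Collection
        AppliesTo  = $policy.appliesTo
        GroupIds   = @($groups | ForEach-Object { $_.id })
        GroupNames = @($groups | ForEach-Object { $_.displayName })
    }
}

$mdm = Get-MobilityScope -Collection 'mobileDeviceManagementPolicies'
$mam = Get-MobilityScope -Collection 'mobileAppManagementPolicies'

"MDM user scope: $($mdm.AppliesTo)  [$($mdm.GroupNames -join ', ')]"
"MAM user scope: $($mam.AppliesTo)  [$($mam.GroupNames -join ', ')]"

# On a Windows BYOD device a user in both scopes gets MAM (WIP) rather than
# MDM enrollment, so any overlap here silently defeats automatic enrollment.
if ($mdm.AppliesTo -eq 'none' -or $mam.AppliesTo -eq 'none') {
    'No overlap possible: one of the scopes is None.'
}
elseif ($mdm.AppliesTo -eq 'all' -and $mam.AppliesTo -eq 'all') {
    Write-Warning 'Both scopes are All: every BYOD user overlaps. Set the MAM scope to None or Some.'
}
elseif ($mdm.AppliesTo -eq 'all' -or $mam.AppliesTo -eq 'all') {
    $narrow = if ($mdm.AppliesTo -eq 'all') { $mam } else { $mdm }
    Write-Warning "One scope is All, so every group in the other overlaps: $($narrow.GroupNames -join ', ')"
}
else {
    $shared = $mdm.GroupIds | Where-Object { $mam.GroupIds -contains $_ }
    if ($shared) { Write-Warning "Groups in both MDM and MAM scope: $($shared -join ', ')" }
    else         { 'No shared groups between MDM and MAM scope.' }
}
```

    The comparison is at group level only: two different groups can still share users, and nested groups are not expanded. For a complete check, expand each group with Get-MgGroupTransitiveMember and intersect the resulting user lists. The script is read-only (Policy.Read.All); changing the scope is still done in the Entra portal as described above.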

    CNAME Validation

    If your organization does not want to enable automatic enrollment, you can still simplify manual enrollment by publishing a CNAME record on your public-facing DNS domain. Windows uses it to auto-discover the Intune enrollment server from the user's email domain; without it, users are prompted to type the MDM server name during enrollment.

    If you have configured the MDM user scope, the CNAME record is not required, but it does no harm and is a reasonable belt-and-braces addition.

    Information on the CNAME record configuration can be found using this URL: https://learn.microsoft.com/en-gb/mem/intune/enrollment/windows-enrollment-create-cname.

    While we are not going to walk through the CNAME record creation in this book, we will walk through how you can check and validate that the CNAME records are accessible. Let us take a look at how we can do that in Intune.

    Navigate to Intune (https://intune.microsoft.com).

    Click Devices|Device onboarding|Enrollment.

    Under the Windows tab, click CNAME Validation.

    Figure 2.9: CNAME Validation Navigation

    Enter your domain name and click Test.

    This will take only a couple of seconds to complete; if your domain does not have the CNAME records configured, you will be informed that it is not configured correctly.

    Figure 2.10: CNAME Validation Failure

    Once the CNAME configuration has been completed as desired and the test completes successfully, the validation message will inform you that it has been configured successfully.

    Figure 2.11: CNAME Validation Success
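    The portal button is convenient, but the same check is often wanted from a script, for example after a DNS change or as part of a tenant health check. The following function is an added example and not code from the book: it resolves the enrollment CNAME for a domain with the Windows Resolve-DnsName cmdlet and compares the target against the value Microsoft documents for Intune. The domain is a placeholder. The EnterpriseRegistration record is the related Entra device-registration alias listed in the same Microsoft article and is included alongside it.

```powershell
# Added example (not from the book): verify the Intune enrollment CNAME (and
# the related Entra registration CNAME) for a domain from a script.
# Resolve-DnsName is the Windows DnsClient cmdlet; 'contoso.com' is a placeholder.

function Test-IntuneEnrollmentCname {
    param(
        [Parameter(Mandatory)] [string]$Domain,
        [string]$Server   # optional: query a specific public resolver, e.g. 8.8.8.8
    )

    # Alias -> target documented by Microsoft
    $expected = [ordered]@{
        "EnterpriseEnrollment.$Domain"   = 'EnterpriseEnrollment-s.manage.microsoft.com'
        "EnterpriseRegistration.$Domain" = 'EnterpriseRegistration.windows.net'
    }

    foreach ($name in $expected.Keys) {
        $target = $null
        $note   = ''
        try {
            $params = @{ Name = $name; Type = 'CNAME'; DnsOnly = $true; ErrorAction = 'Stop' }
            if ($Server) { $params['Server'] = $Server }
            $records = Resolve-DnsName @params
            # Keep only the CNAME answer; a name that exists as A/AAAA only counts as not configured
            $cname = $records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
            if ($cname) { $target = $cname.NameHost.TrimEnd('.') }
            else        { $note = 'name resolves but has no CNAME record' }
        }
        catch {
            $note = $_.Exception.Message   # typically "DNS name does not exist"
        }

        if ($target -and $target -ieq $expected[$name]) { $status = 'OK' }
        elseif ($target)                                { $status = 'WRONG TARGET' }
        else                                            { $status = 'MISSING' }

        [pscustomobject]@{
            Record   = $name
            Expected = $expected[$name]
            Actual   = $target
            Status   = $status
            Note     = $note
        }
    }
}

# Placeholder domain: substitute your own public DNS domain
Test-IntuneEnrollmentCname -Domain 'contoso.com' | Format-Table -AutoSize
```

    The portal test resolves the record from Microsoft's side; this function resolves from wherever you run it, so on a network with split-brain DNS pass -Server with a public resolver to see what an enrolling device on the internet would see. On macOS or Linux the equivalent one-liner is dig CNAME EnterpriseEnrollment.contoso.com +short.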

    Tenant Customizations

    As with the custom domain we configured at the start of this chapter, Tenant Customizations not only personalizes your tenant but also shows users who is managing their devices, which helps them recognize a legitimate Company Portal prompt.

    In this section, we will cover how to add your corporate logos, support information, color scheme, and privacy information, and how you can control the ability to remove and reset devices from the Company portal.

    To get started, let us navigate to the Intune console and then navigate to Tenant administration | End user experiences | Customization. On this page, you will be able to view the values already configured for your tenant.

    Figure 2.12: Tenant Customization

    With customizations, you have two options: the default settings, and group-targeted policies assigned to Entra ID groups that override the defaults for their members. We will not delve into the group policies in this book, as they expose the same options as the default settings; we mention them here so that you know the capability exists.

    As we work through the options, we will upload images to complete the personalization. The required pixel dimensions and file sizes differ per image and may change over time; the current values are listed at the following URL: https://learn.microsoft.com/en-us/mem/intune/apps/company-portal-app#customizing-the-user-experience.

    Let us look at what options we have:

    Click Edit located next to Setting.

    Enter your Organization Name.

    Select your theme color.

    Standard: This option will give you a drop-down list of predefined options for color themes.

    Custom: This option will allow you to enter the Hex codes for the color you wish to use for your organization.

    Choose your Show in header preference.

    Organization name only: Will display just the defined organization name in the Company Portal App/Website and the Microsoft Intune App.

    Organization logo only: Will display just the defined organization logo in the Company Portal App/Website and the Microsoft Intune App.

    Organization logo and name: Will display the defined organization logo and name in the Company Portal App/Website and the Microsoft Intune App.

    Upload your organization’s logo for a color background.

    Upload your organization’s logo for a white or light color background.

    Enter your Support Information.

    Contact Name: If you are entering support desk information, enter IT Support for example.

    Phone number: Enter the phone number. As a tip, enter the country code if this is a multi-national organization.

    E-Mail Address: If your support contact has an e-mail address, enter it here.

    Website Name: This is used as a display name for the Website URL.

    Website URL: For example, https://support.masteringintune.co.uk

    Additional Information: Enter any additional information, up to 120 characters.

    Enrollment Configuration

    Choose your Device enrollment experience in the Company Portal for Android and iOS/iPadOS.

    Available, with prompts: This is the default experience and allows users to enroll the device from all possible locations in the app.

    Available, no prompts: The user can only enroll via the status page in the device details or via apps that require enrollment.

    Unavailable: Prevents users from enrolling.

    Privacy Configuration

    Set your organization’s Privacy Statement URL; it is good practice to ensure that all users can access this URL.

    Privacy message about what support can’t see or do (iOS/iPadOS)

    Default: You can choose not to enter a customized message and leave the default Microsoft set message.

    Customize Message: You can enter a customized message in the Markdown format to inform your users about what your organization cannot see or do on their devices.

    Privacy message about what support can see and do (iOS/iPadOS)

    Default: You can choose not to enter a customized message and leave the default Microsoft set message.

    Customize Message: You can enter a customized message in the Markdown format to inform your users about what your organization can see and do on their devices.

    Device Categories

    Let users select device categories in the Company Portal.

    Allow: This will allow the user to change their device category from the Company Portal application; this is the default behavior.

    Block: If you plan to use categories within Intune and want them to be organization-controlled, you can block users from setting their own category.

    App Sources allows you to choose which applications are displayed within the Company Portal App.

    Microsoft Entra enterprise applications: You can choose to Show or Hide enterprise applications, that is, the SaaS and line-of-business apps your organization publishes through Entra ID for single sign-on.

    Office Online Applications: You can choose to Show or Hide the links to Microsoft Office online applications.

    Configuration Manager Applications: You can choose to Show or Hide Configuration Manager Applications; this is only applicable to tenants that are using co-management with Microsoft Configuration Manager.

    Hide Features

    Hide remove button on corporate Windows devices: This option is not available to toggle off; it prevents end users from removing their corporate Windows device from Intune management.

    Hide reset button on corporate Windows devices: You can choose to remove the Reset option from the company portal for Windows devices. We would recommend hiding this option and allowing only the IT Admins to initiate the reset.

    Hide remove button on corporate iOS/iPadOS devices: This option will hide the option to remove their iOS/iPadOS devices using the Company Portal App.

    Hide reset button on corporate iOS/iPadOS devices: This option will hide the option to reset their iOS/iPadOS devices using the Company Portal App.

    Once you have configured your organization’s desired settings, click Review + save. In Figure 2.13, you can see that the settings we configured take effect on the Company Portal home page.

    Figure 2.13: Company Portal Branding Logo

    If you then navigate to the Help & support page, you will also see your support information, as shown in Figure 2.14.

    Figure 2.14: Company Portal Support Information

    Now that we have our tenant personalized to the organization, let us take a look at configuring Intune Roles.

    Intune Roles

    Intune Roles allow organizations to manage Role-based Access Control (RBAC) permissions for their administrators. RBAC over resources, configurations, policies, and applications across the device management platform is often overlooked when first starting with Microsoft Intune, but we believe configuring these roles is paramount from the initial pilot all the way through to running Microsoft Intune as your production device management platform.

    In this section, we will cover the Built-in and Custom roles and Scope Tags for Microsoft Intune and how you can use a combination of these roles and tags to manage your platform effectively, regardless of organization size.

    The ability to manage Microsoft Intune roles requires one of the following roles:

    Intune Administrator (also known as Intune Service Administrator) (Entra ID Role)

    Global Administrator (Entra ID Role)

    Intune Role Administrator (Intune Role)

    Throughout this section we will refer to the principle of least privilege, and with that in mind, the Intune Administrator role rather than Global Administrator is our recommended way to manage Intune roles.

    It is important to note that Intune RBAC permissions and scope tags do not constrain Microsoft Entra roles: an administrator holding the Global Administrator or Intune Administrator Entra role has full Intune permissions and is not subject to any restriction applied through Intune Roles. Keep membership of those two roles as small as possible.

    Scope Tags

    Prior to looking at RBAC permissions, we will first take a brief look at scope tags. Scope tags within Microsoft Intune let you tag resources (apps, policies, and more) so that an administrator who holds a given tag can only see and act on the resources carrying it.

    At a high level, think of scope tags as controlling what you see and Intune roles as controlling what actions you can take. If you are moving to Intune from Microsoft Configuration Manager, scope tags are the closest equivalent to security scopes.

    Intune has a Default scope tag that is automatically applied to every supported resource that carries no other tag. When an administrator creates a new resource, all scope tags assigned to that administrator are applied to it unless they are removed on the scope tag screen during creation.

    To create a scope tag, you can follow these steps:

    Navigate to Tenant administration|Roles|Scope tags.

    Click Create.

    Enter a Name and Description, and then click Next.

    Assign the tag to a Security group, and then click Next.

    Click Create.

    Up to this point, you have only given the members of that group a scope tag, not any permissions. If one of them tries to access any resource, they will still receive an unauthorized message until they are granted a role, which we discuss next.
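    Because Entra roles bypass Intune RBAC and scope tags entirely (as noted above), an audit of Intune permissions has to start in Entra and then cover the Intune role assignments and scope tags. The following script is an added example and not code from the book. It lists active holders of the Global Administrator and Intune Administrator Entra roles, then each Intune role assignment with its admin groups and scope groups, and finally each scope tag with the groups it is auto-assigned to. It assumes the Microsoft.Graph PowerShell SDK, the Graph v1.0 deviceManagement roleAssignments and roleDefinition endpoints, and the beta deviceManagement/roleScopeTags endpoint; confirm these against the current Graph documentation, as beta endpoints change.

```powershell
# Added example (not from the book): audit who can act in Intune and how they
# are constrained. Assumptions: Microsoft.Graph SDK; Graph v1.0 deviceManagement
# roleAssignments + roleDefinition navigation; beta roleScopeTags endpoint.
# Only active (not PIM-eligible) Entra role assignments are shown.

Connect-MgGraph -NoWelcome -Scopes 'RoleManagement.Read.Directory',
                                    'DeviceManagementRBAC.Read.All', 'Group.Read.All'

function Get-GroupNames {
    # Resolve group object ids to display names; fall back to the id if unreadable
    param([string[]]$Ids)
    @($Ids | ForEach-Object {
        $id = $_
        try { (Get-MgGroup -GroupId $id -Property displayName).DisplayName } catch { $id }
    }) -join ', '
}

# 1. Entra roles with full Intune rights: Intune role permissions and scope tags do not apply
foreach ($roleName in 'Global Administrator', 'Intune Administrator') {
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) { Write-Host "== $roleName : not activated in this tenant =="; continue }
    $members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)
    Write-Host "== $roleName ($($members.Count) active members) =="
    foreach ($m in $members) {
        # Members are directoryObjects; the UPN lives in AdditionalProperties
        $label = $m.AdditionalProperties['userPrincipalName']
        if (-not $label) { $label = "$($m.AdditionalProperties['displayName']) ($($m.Id))" }
        Write-Host "   $label"
    }
}

# 2. Intune role assignments: role, who holds it (members), over which groups (resourceScopes)
$base = 'https://graph.microsoft.com/v1.0/deviceManagement'
$assignments = (Invoke-MgGraphRequest -Method GET -Uri "$base/roleAssignments" -OutputType PSObject).value
Write-Host "== Intune role assignments ($(@($assignments).Count)) =="
$assignments | ForEach-Object {
    $a = $_
    try {
        $def = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
            -Uri "$base/roleAssignments/$($a.id)/roleDefinition"
        $roleLabel = $def.displayName
    } catch { $roleLabel = '(role definition not readable)' }
    [pscustomobject]@{
        Assignment  = $a.displayName
        Role        = $roleLabel
        AdminGroups = Get-GroupNames $a.members
        ScopeGroups = Get-GroupNames $a.resourceScopes
    }
} | Format-Table -AutoSize

# 3. Scope tags and the groups they are auto-assigned to (beta endpoint)
$beta = 'https://graph.microsoft.com/beta/deviceManagement/roleScopeTags'
$tags = (Invoke-MgGraphRequest -Method GET -Uri $beta -OutputType PSObject).value
Write-Host "== Scope tags ($(@($tags).Count)) =="
foreach ($t in $tags) {
    $assign = (Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri "$beta/$($t.id)/assignments").value
    $groups = Get-GroupNames @($assign | ForEach-Object { $_.target.groupId })
    Write-Host "   $($t.displayName) (id $($t.id)) -> $groups"
}
```

    Two caveats when reading the output: Get-MgDirectoryRoleMember returns only active assignments, so administrators who are PIM-eligible for Global Administrator or Intune Administrator do not appear, and an assignment whose scope is all devices or all licensed users may show an empty ScopeGroups column. The calls do not follow @odata.nextLink, which is fine for typical tenants but should be added if you have more than a page of role assignments.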

    Built-in Roles

    Built-in roles are a great starting point for organizations, giving IT Admins the ability to restrict access across the platform based on pre-defined RBAC Roles.

    The list of built-in roles is as follows:

    Application Manager: This role allows you to manage mobile and platform applications. This role also allows the assignee to read device information and view device configuration profiles.

    Endpoint Privilege Manager: This role allows you to manage Endpoint Privilege Management (EPM) policies.

    Endpoint Privilege Reader: This role allows you to view, but NOT edit Endpoint Privilege Management policies.

    Endpoint Security Manager: This role allows you to manage security baselines, device compliance, conditional access, and Microsoft Defender for Endpoint policies.

    Help Desk Operator: This role allows you to perform remote tasks on users and devices as well as assign applications or policies to users or devices.

    Intune Role Administrator: This role allows you to manage Intune roles and add assignments for roles. This applies to both custom and built-in roles.

    Policy
