Many organizations today struggle to secure the wide range of devices that are used for business purposes, whatever the size of the organization. Even users who have company-provided computers and phones will often still use their personal devices to some degree. For small businesses, many of which have no computer or device management at all, protecting company-sensitive data is a problem without a cost-effective solution. For organizations that use Office365, Microsoft Intune can be added with little effort: its per-user subscription follows the same process as adding Office365 e-mail accounts, using the familiar Microsoft Online interface.
NOTE: This guide is for small businesses that DO NOT use System Center 2012 Configuration Manager. The process for integrating Intune with Configuration Manager is different and will be covered in a later post.
Step 1: Microsoft Intune has a full-featured trial for up to 100 users, which is ideal for small businesses. The first thing we need to do is create an Intune account. Go to http://www.microsoft.com/en-us/server-cloud/products/microsoft-intune/default.aspx#fbid=CmV-Y09UnRn and click the Try Now button on the top right, click Sign In and use the same UserID that was used to create the Office365 account, then click Try Now on the confirmation page.
Step 2: After the account has been created, you will be brought to the Dashboard of the organization’s Microsoft Intune portal. On the dashboard you will see a rather large banner suggesting that you add users first. Let’s do that by clicking on the Add Users banner.
This will bring you to the Users node, where all user management takes place for Microsoft Cloud Services. Notice the big blue banner at the top? This will be our next step after users have been added to Intune.
Here you will see all the users that have been added to the Office365 portal. To provide Intune services to these users, select them from the list and click the Edit button, which will give you the following screen. Select Microsoft Intune and click Save.
Most Intune policies are applied on a group level, so we’ll want to set up an Intune Test group that contains the users. On the left (navigation) pane, select Security Groups. In the main window, click New to create a new group.
On the New security group page, give the group a name of Intune Test and click Save. Then check off the test users, and click Save and Close.
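The licence assignment and group creation above can also be scripted, which is handy when the pilot group is larger than a handful of users or when you want a repeatable record of who was licensed. The following PowerShell is an added example and not part of the original post; it uses the MSOnline module that backed the Microsoft Online portal of this era (current tenants would use the Microsoft Graph PowerShell SDK instead). The user principal names, the usage location and the Intune SKU part number INTUNE_A are assumptions, so check `Get-MsolAccountSku` in your own tenant before relying on them.

```powershell
# Added example: scripted equivalent of assigning the Intune licence to the test
# users and building the "Intune Test" security group. Not from the original post.
# Assumes the MSOnline module is installed and you sign in as a Global Administrator.

Import-Module MSOnline
Connect-MsolService   # prompts for the Office365 administrator credentials

# Constructed sample users; replace with the pilot users of your own tenant
$testUsers = @('alice@contoso.onmicrosoft.com', 'bob@contoso.onmicrosoft.com')
$groupName = 'Intune Test'

# Look the Intune SKU up in the tenant rather than hard-coding the tenant prefix.
# INTUNE_A is the assumed part number; verify it with Get-MsolAccountSku.
$intuneSku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like '*:INTUNE_A' }
if (-not $intuneSku) {
    throw 'No Intune subscription found in this tenant; run Get-MsolAccountSku to list the SKUs.'
}

# Create the group once and reuse it on later runs
$group = Get-MsolGroup -SearchString $groupName | Where-Object { $_.DisplayName -eq $groupName }
if (-not $group) {
    $group = New-MsolGroup -DisplayName $groupName -Description 'Pilot users for Microsoft Intune'
}
$existingMembers = Get-MsolGroupMember -GroupObjectId $group.ObjectId | Select-Object -ExpandProperty ObjectId

foreach ($upn in $testUsers) {
    $user = Get-MsolUser -UserPrincipalName $upn

    # A usage location must be set before any licence can be assigned ('US' is an assumption)
    if (-not $user.UsageLocation) {
        Set-MsolUser -UserPrincipalName $upn -UsageLocation 'US'
    }

    # Skip users that already hold the licence so the script can be re-run safely
    if ($user.Licenses.AccountSkuId -notcontains $intuneSku.AccountSkuId) {
        Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $intuneSku.AccountSkuId
    }

    if ($existingMembers -notcontains $user.ObjectId) {
        Add-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType User -GroupMemberObjectId $user.ObjectId
    }
}

# Review the result: who holds the Intune licence, and who is in the pilot group
Get-MsolUser -All |
    Where-Object { $_.Licenses.AccountSkuId -contains $intuneSku.AccountSkuId } |
    Select-Object UserPrincipalName, IsLicensed
Get-MsolGroupMember -GroupObjectId $group.ObjectId | Select-Object DisplayName, EmailAddress
```

The two listings at the end are the check worth keeping: the first confirms that only the intended users consume a trial licence, and the second confirms the group that every later policy will be targeted at contains exactly the pilot accounts.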
Step 3: Once all the users have been added to the Microsoft Intune service and the test group created, we need to go to the Admin Console to set up device management. Go here by clicking on the big blue banner at the top of the screen (the Admin Portal is always accessible from the link at the very top as well, or by navigating to https://admin.manage.microsoft.com), which will open up a new window that may require you to sign in again, ultimately leading you to the Microsoft Intune Dashboard.
In the Dashboard, we’ll first click on the Start Managing Mobile Devices banner, which opens up the Mobile Device Management, or MDM, page. From here, it’s fairly evident what we need to do first, as there’s a First Step banner at the top.
We’ll click the manage mobile devices link from this banner, check Use Microsoft Intune to manage my mobile devices, and click OK.
This will lead us back to the MDM page, showing a new banner on the top, suggesting that the next step is to set up and deploy a mobile device security policy. Before we do this, we will need to create a Device Group to apply the policy to. Click on the Groups workspace, and Create Group on the right.
In the following window, type Intune Managed for the Group Name, and select All Devices for the parent group. Click Next.
On the Criteria Membership page, we’re going to select All devices for the device type, and click Finish.
Now we can go back to the Admin Workspace and select Mobile Device Management again, then follow the suggestion to deploy the mobile device security policy by clicking on policy within the banner.
You will notice that this has taken us to the Policy Workspace, with the Configuration Policies node selected. Here we have an option to add a device security policy. Click Add to create a new policy.
This next window will allow us to select templates for pretty much everything that can be configured for device management, including Android/iOS/Windows devices and actual computers. For this guide we will use typical settings for all mobile devices. Expand Common Mobile Device Settings, select Mobile Device Security Policy, ensuring that the Create and Deploy a Policy with the Recommended Settings radio button is selected, and click Create Policy. This will configure recommended settings for Security, Encryption, System, Email, and Applications for all mobile devices.
A group selection screen will appear. Select Intune Managed, click Add to place the group in the Selected Groups column, and OK.
At this point in the configuration, let’s also get a policy created to ensure that computers get Antivirus protection when they are added. Click Add to create a new policy, and in the Create a New Policy wizard, expand Computer Management and click on Microsoft Intune Agent Settings. Here, with the default Create and Deploy a Policy with the Recommended Settings radio button selected, click Create Policy.
In the Manage Deployment: Microsoft Intune Agent Settings window, this time we’re going to add the All Computers group. This will automatically configure Endpoint Protection (Antivirus) without requiring the Administrator to place the computer into the Intune Managed group.
Now, if we go to the Admin workspace and click on the Mobile Device Management node, we will see a new banner that instructs us to enable the mobile platforms that the organization supports.
Device enrollment, the process that links a mobile device to the organization’s Intune service, is straightforward, and for Windows-based laptops and phones it is particularly simple.
Windows 7 devices
- To enroll Windows 7 laptops, we will need to install a piece of software which is downloaded from the Intune portal. Under the Admin Workspace, click the Client Software Download node, which gives us another step-by-step guide. Since we’ve already prepared the environment for deployment, we will go to Step 2 and download the Client Software. To do this, click the Download Client Software link and click Save to save the file to your Downloads folder.
- Extract the .zip file to a USB Key or shared network location that is accessible from the Windows 7 computers. You can extract the .zip file by right-clicking on it, choosing Extract All…, and clicking Next on the Extract Compressed (zipped) files window.
- On the Windows 7 computer that you wish to manage, open the Microsoft_Intune_Setup folder that was extracted in the previous step and double click the Microsoft_Intune_Setup file. In the Security Warning window that appears, click Run.
- The Microsoft Intune Setup window appears. Click Next and the installer will install the Intune client on the computer, adding it to the organization’s Intune service. This is done automatically using the information contained in the second extracted file, MicrosoftIntune.accountcert. Click Finish when the installation is complete.
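When the extracted folder sits on a share, the Windows 7 enrollment above can be run from a script instead of walking to each computer, and the script can do the check that the Security Warning dialog leaves to the user: confirm that the installer still carries a valid Microsoft Authenticode signature and that the MicrosoftIntune.accountcert file that ties the install to your organization is present beside it. The following PowerShell is an added example and not part of the original post or of Microsoft's client package; the share path is hypothetical, and the /Quiet silent-install switch is assumed from the Intune client documentation rather than from this page.

```powershell
# Added example: deploy the extracted Intune client to a Windows 7 computer from a
# share, verifying the package before it runs. Not from the original post.
# Works with the PowerShell 2.0 that ships with Windows 7.
param(
    # Hypothetical share that holds the extracted Microsoft_Intune_Setup folder
    [string]$Source = '\\fileserver\intune\Microsoft_Intune_Setup'
)

$setupExe    = Join-Path $Source 'Microsoft_Intune_Setup.exe'
$accountCert = Join-Path $Source 'MicrosoftIntune.accountcert'

# Both files must be present: without the .accountcert the client cannot join the
# organization's Intune account and the install is pointless.
foreach ($file in @($setupExe, $accountCert)) {
    if (-not (Test-Path -Path $file)) {
        throw "Missing $file - re-extract the Client Software download onto the share."
    }
}

# Only run an installer with a valid signature from Microsoft; this is the scripted
# equivalent of reading the publisher in the Security Warning dialog before clicking Run.
$sig = Get-AuthenticodeSignature -FilePath $setupExe
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    throw "Refusing to run $setupExe - signature status is '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)'"
}

# Copy the folder locally so the install does not depend on the share staying reachable
$local = Join-Path $env:TEMP 'Microsoft_Intune_Setup'
Copy-Item -Path $Source -Destination $local -Recurse -Force

# /Quiet is the assumed silent switch for the Intune client installer
$proc = Start-Process -FilePath (Join-Path $local 'Microsoft_Intune_Setup.exe') -ArgumentList '/Quiet' -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Intune client setup failed with exit code $($proc.ExitCode)"
}
Write-Output "Intune client installed from $Source; the computer should appear in the Intune console shortly."
```

The signature check is the part to keep even if you install by hand: an installer that is copied around on USB keys and shares is exactly the kind of file that can be swapped without anyone noticing, and Get-AuthenticodeSignature catches a tampered or unsigned binary before it runs with administrative rights.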
Windows 8 and Windows 8.1
- For Windows 8 and 8.1, installing the Intune Setup software isn’t required, though it’s still supported. If you are managing both Windows 7 and 8 computers, it’s easier to just use the Setup. If you haven’t had to download the Intune Setup app, it’s easier to get the required software from the Microsoft Store.
- From the Start Screen, go to the Microsoft Store. If you can’t find it, just type in Store from the start screen, and it will appear on the left.
- From within the store, search for Intune and press Enter. This will return the Company Portal. We’re going to click on this and then click Install.
- Once the Company Portal App has installed, go back to the Start Screen and click on it. Doing so will launch a wizard requesting you to sign in with your work account. Use the same e-mail and password that you use to connect to Office365 here, and click Sign In.
- After your account has been authenticated, move your mouse to the bottom-right of the screen (on a touch-screen, swipe your finger from the right edge) to bring up the Charms bar, and click on Settings.
- From here, click on Change PC Settings at the bottom, and at the PC settings screen click on Network.
- On the Network screen, click on Workplace, type your e-mail address in the field provided, and click Join. Once you have joined the Workplace, click Turn on to enable device management. Click OK when the warning page appears, to grant your administrator permission to manage the device.
Windows 10
- Windows 10 clients have all necessary software built into the operating system. From the Start Screen, type in Settings and press Enter.
- In the Settings App, click on Accounts and then Your workplace. From here click on Connect to workplace.
- On the Connect to your workplace screen, enter your Office365 e-mail address and click Sign In. This will return an error message that it was unable to connect to the workplace, which is due to an optional configuration step we could have performed earlier that associates the company’s domain name with Intune. There is now a Server Address field, where we will enter manage.microsoft.com. Click Sign In again.
- This will pop up an authentication window, where you must enter the password associated with your e-mail address. You will then receive another warning message that requests you to allow the computer to be managed by your Intune administrator. Click Allow.
- A message pops up to confirm that the computer has been added to the workplace; click Done to finish.
Windows Phone 8.1
- Similar to Windows 8.1, we need to install the Company Portal from the Microsoft Store on the Windows Phone.
- Launch the App once it’s been installed and sign in with your Office365 e-mail address and password.
- When the app fully loads, swipe to the right to access the My Devices page. You will see a warning that the device isn’t enrolled, followed by Tap to enroll this device. Tap it to go into the Workplace.
- Here, click the Add account button and sign in once again with your Office365 e-mail address. When prompted for a server, enter manage.microsoft.com and click Sign In. This may require you to enter your password once more.
- You will now receive a message that the account was successfully added. Click Done to finish the process.
If your organization’s users also have Android devices, the process is virtually the same. Since I don’t actually own an Android device, I can’t show the step-by-step process. To manage Apple iOS devices, there is one extra step required. From the Admin workspace, expand Mobile Device Management and click on iOS. Here you will receive an option to download the client APNs Certificate Request. You must download this file, renew the certificate, and when completed upload it again to the Intune Portal. As with almost everything you do in Intune, the process is detailed on the MDM iOS page.
There you have it! At this point, all enrolled devices will be managed, patched, and secured through the policies we defined. Though this only scratches the surface of the capabilities of Intune, it’s a great start :)
Stay tuned for more blogs about integrating additional Intune services with your business.