Last year Microsoft announced the Microsoft Enterprise Mobility Suite. This suite consists of Azure Active Directory Premium, Microsoft Intune and Azure Rights Management Service. With Microsoft Intune you can manage mobile devices, and not only Mobile Device Management (MDM) but Mobile Application Management (MAM) as well. In the latest Microsoft Intune updates it is now possible to create a separate application layer / app isolation for the corporate apps and prevent data exchange between corporate and non-corporate apps.
With Microsoft's announcements of these new features I became curious about Microsoft Intune and all its possibilities. Besides that, I'm getting more and more questions about Microsoft Intune from customers. I know Microsoft Intune integrates perfectly with Microsoft Office 365 and Microsoft System Center Configuration Manager (SCCM). But what about the mobility management features in Microsoft Intune as a “stand-alone” product? Time for a first look, let's find out!
Setting up a Microsoft Intune account
The first step is to create a Microsoft Intune account. You can create a free trial account at the Microsoft Intune website (link).
After creating a Microsoft Intune account it's time to create users, or to configure Single Sign-On using AD FS or Azure Active Directory.
For this blog I will create a test user manually, but first I will add my domain so I can create users at @robinhobo.com
Navigate to Domains and click Add a domain
Fill in your domain name (in my case robinhobo.com) and click Next
Next you need to verify your domain. You can do this by creating a TXT or an MX DNS record. In this window you can see which DNS record must be created. Click Verify after the DNS record has been created.
Click Close
Now we can create users for the @robinhobo.com domain. Navigate to Users and click New > User
Fill in the required information of the user you want to create and click Next
Optionally you can assign an administrator role to this user. Fill in the country and click Next
Select the correct user group (license) and click Next
Optionally fill in an email address the temporary password can be sent to. Click Create
Click Finish
Set Mobile Device Management Authority
Before you can manage mobile devices you need to set the Mobile Device Management Authority. This can be set to Intune itself or Microsoft System Center Configuration Manager (SCCM).
Log in to manage.microsoft.com and navigate to Admin > Mobile Device Management. On the right, click Set Mobile Device Management Authority
Select Use Microsoft Intune to manage my mobile devices and click OK
Prepare for Mobile Device Management
For some types of mobile devices we need to do some preparation before they can be managed. For example, for Windows Phone 8 you need a code signing certificate from Symantec, and for iOS you need to create and sign an APNs certificate.
For this blog I will enrol an iOS device, so I will show you the steps to create an APNs certificate. Before you do this, make sure you have an Apple account. If you don't have one, you can create one here for free. Click on Enable the iOS platform.
Click on Download the APNs Certificate Request. After downloading the Certificate click on Apple Push Certificates Portal
Logon with your Apple ID
Click on Create a Certificate
Select I have read and agree to these terms and conditions and click Accept
Browse to the downloaded certificate and click Upload
Click on Download to download the signed APNs Certificate
Click on Upload the APNs Certificate
Browse to the downloaded signed APNs certificate and click Upload
Now you're ready to manage iOS devices
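Before uploading the signed APNs certificate it is worth checking its subject and expiry date, since an expired certificate stops Intune from pushing to enrolled iOS devices. The following shell script is an added example, not part of the original post; it assumes openssl is installed, and the certificate it checks at the bottom is a self-signed one constructed only so the script runs offline (it is not an Apple-issued certificate).

```shell
#!/bin/sh
# Inspect a PEM certificate such as the signed APNs certificate downloaded
# from the Apple Push Certificates Portal: print subject and expiry, and
# warn when it expires within a given number of days. Requires openssl.

# Returns the number of whole days until the certificate's notAfter date.
apns_cert_days_left() {
    cert="$1"
    # openssl prints "notAfter=Mon DD HH:MM:SS YYYY GMT"; keep the date part
    end=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
    # GNU date first, BSD/macOS date as fallback
    end_epoch=$(date -u -d "$end" +%s 2>/dev/null \
        || date -u -j -f "%b %d %T %Y %Z" "$end" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Prints subject and expiry; exit status 0 if the certificate is still valid
# for more than WARN_DAYS (default 30) days, 1 otherwise.
apns_cert_check() {
    cert="$1"; warn_days="${2:-30}"
    openssl x509 -in "$cert" -noout -subject -enddate
    # -checkend returns non-zero when the certificate expires within the window
    if openssl x509 -in "$cert" -noout -checkend $(( warn_days * 86400 )); then
        echo "OK: certificate valid for more than $warn_days days"
        return 0
    fi
    echo "WARNING: certificate expires within $warn_days days, plan the renewal"
    return 1
}

# Constructed sample: a self-signed certificate valid for DAYS days, used
# here only as offline stand-in for a real APNs certificate.
make_sample_cert() {
    out="$1"; days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "${out%.pem}.key" \
        -out "$out" -days "$days" -subj "/CN=constructed-sample-apns/O=Example" \
        >/dev/null 2>&1
}
```

Apple-issued APNs certificates are valid for one year, so schedule the check before the date it reports.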
Customize the Company Portal
You have the ability to customize the Company Portal with logos and custom information. I will show some options in the following steps.
Browse to Admin > Company Portal. Here you can fill in the information that will be visible on the Company Portal
Click Save
You can also apply custom Terms and Conditions. To do so, browse to Admin > Company Portal > Terms And Conditions. These will be displayed and must be accepted when the user enrols his device.
Creating Configuration Policies
In the next steps I will create some policies, starting with the Common Mobile Device Security Policy.
Browse to POLICY > Configuration Policies. On the right side of the screen click on Add..
Navigate to Common Mobile Device Settings > Mobile Device Security Policy. On the right side select Create and Deploy a Custom Policy and click on Create Policy
For this blog I configured the following:
Name : Default Mobile Device Policy
Require a password : Yes
Required password type : Numeric
Minimum password length : 4
Allow simple passwords : Yes
Number of repeated sign-in failures : 4
Allow web browser : No
Click on Save Policy
Click Yes
Add the All Mobile Devices group and click OK
In the next step I will create an iOS Configuration Policy.
Click on Add..
Navigate to iOS > iOS Configuration Policy. On the right side select Create and Deploy a Custom Policy and click on Create Policy
For this blog I will give it the name iOS Configuration Policy. Select Report noncompliance when users install the listed app. Click Add..
For this test I will add the Dropbox App. Fill in the correct information and hit OK
Click on Save Policy
Click Yes
Add the All Mobile Devices group and click OK
The second-to-last policy I will add for this test is the Managed Browser Policy. Select the Managed Browser Policy and Create a Custom Policy. Click on Create Policy
For this test I will block https://www.facebook.com and https://www.dropbox.com.
Click Save Policy
In the last policy that I will create for this test I will configure the Mobile Application Management Policy. This one restricts data exchange between applications.
Select Mobile Application Management Policy (iOS 7 and later) under Software and select Create a Custom Policy on the right side of the dialog window. Click on Create Policy
I leave everything at the default so that data exchange is prevented.
Click on Save Policy
Publishing Applications
After creating all the policies it's time to publish the applications. You can apply the Mobile Application Management Policies to managed apps from the public store (iTunes, Play) without the need to wrap the application first. But not every application can be managed from the public store; to see which applications are manageable from the store, see this page: https://technet.microsoft.com/en-us/library/dn708489.aspx
Go to APPS > Apps. On the right side of the screen click on Add App
Select Add software
Click Next
Select Managed iOS App from the App Store and copy the URL of the specific application (the store URL to the app). In this case it is the URL of the Microsoft Intune Managed Browser app in the iTunes store.
Fill in the Application Information (not filled in automatically) and click Next
You can filter the target device, for example, publish the application to iPads only and not iPhones. Click Next
Click Upload
Click Close
You can repeat these steps for all the applications you want to publish. For now I will publish the Managed Browser, Word, Excel and PowerPoint for both iOS and Android.
Manage Deployments
So we have created the policies and added the applications. The next step is to link these two and make the applications, with the correct policies, available in the Intune Portal on the mobile device.
Select the application you want to publish (in this example I will use the Intune Managed Browser) and click on Manage Deployments
Select the Users or Devices group where you want to publish the application to and click Next
Managed applications from the iTunes store cannot be published as Available Install at this time. You can only select Required Install to make the application manageable. Click Next
Select the Mobile Application Management Policy created in one of the first steps in this blog and click Next
Optionally you can apply a VPN Profile / Policy. Click Next
In the last step you can apply the Managed Browser Policy. Select it and click on Finish
Device Enrollment (iPad) and testing the policies
It’s time to test all the policy settings on a device. For this test I will enroll my iPad with Microsoft Intune.
The first step is to install the Microsoft Intune Company Portal. To do so, open the App Store
Search for Company Portal and install the App
After installing the App, open the Company Portal
Login with an Intune User Account
Press the Enroll button
Press the Install button
Press the Install button
Press the Install button
Press the Trust button
Press the Done button
Wait a sec…
The first policy has arrived, the passcode policy. Press Continue
Now the Apps will be installed, press Install for all the required applications
I also published a link to my website. The link is visible in the Company Portal so I can “Install” it
After installing all the Apps (including the link) my iPad looks like this. Note that the Safari browser app has disappeared, which is good.
The copy and paste function works between managed apps but not between managed apps and non-managed apps, so that policy works great! Also, when I open the Intune Managed Browser and open the Facebook.com or Dropbox.com website, I get the alert shown above. So that policy works as well.
Conclusion
Microsoft Intune is easy to set up without the need to enroll new servers in your current infrastructure. I had it up and running in a few minutes (see the blog above). The web interface / console is easy to use and requires no explanation. Besides mobile devices it's also possible to manage Windows updates for Windows devices and configure endpoint protection.
For Mobile Device Management (MDM) the basic features are available and work fine. I can wipe/retire my device, do a remote lock, do a password reset and see the device properties. Personally I miss the option to locate the device and to do a software inventory (for all apps and not only the apps installed from the Company Portal), but that is a deliberate choice by Microsoft to omit these options.
For Mobile Application Management (MAM) it's great that you have the option to create a policy and apply the same policy to several applications. Also the VPN policy, which allows you to set up a “Per-App” VPN connection, is a great feature. The Managed Browser policy works really well, especially in combination with the option to disable the native browser on the device (Safari). I was able to block some websites (see the blog above). The only drawback is that the published links from the Company Portal do not open in the Managed Browser, but perhaps I should publish these links in a different way (I still have to figure that out).
The Managed Application policy works well; I was able to block data exchange between managed and non-managed apps and set a PIN code on the managed apps. The fact that you can manage applications with policies without the need to wrap them first is really cool! Microsoft has a monthly update schedule, and I am very curious about the future developments, especially in combination with other products from the Enterprise Mobility Suite!
Hi Robin,
Thanks for posting this, very insightful. I have a couple of follow up questions regarding the MAM part of InTune:
- you mention you were able to block content exchange between apps. Can you elaborate on that? From where to where? Does one of the apps need to be one listed by MSFT as managed apps on their website? (meaning you can only do this if either the source or the destination is an app that has the MSFT SDK included)
- what can you do in terms of blocking an app from being installed or executed?
Thanks again!
Chema
Hi Chema, I was able to block content/data exchange between the managed apps and the non-managed apps. See blog and link to managed apps. On Windows Phone you can prevent the installation of listed apps. On Android and iOS you can’t.
Kind Regards,
Robin
Is Azure AD premium a requirement for only intune (not ems)? Or if you purchase intune you also get ems and/or azure ad premium?
Hi Erik, No, you can purchase Intune as a “Stand Alone” product. EMS includes the Azure AD premium but is not necessary.
I noticed that you have published websites and Android apps. Can you give us a demo of that please 🙂
Hi Robin,
I am facing a strange problem with device auto enrollment. I have configured auto enrollment in Azure AD following exactly the MS documentation, but whenever I join a WIN10 device to Azure AD it doesn't show up in Intune, neither under user profile -> devices in the old Azure portal, while it shows on the new Azure portal with all device details (Azure joined, Managed by Intune, Compliant, ..., etc). I would highly appreciate your advice to fix the issue.
Thanks in advance
Best Regards
Does the user you are using have an EM+S license assigned? How many devices has the user enrolled? What is the maximum number of allowed devices in Intune vs Azure AD?
Hi Robin,
How do you connect to an internal web service on a MAM device through a wrapped iOS enterprise app?
Is there any alternate path instead of Per-App VPN?
Per-app VPN is an option, but also the Azure AD Application Proxy server is an option to publish internal Web apps / SaaS apps to Azure.