How to setup Microsoft Intune

Last year Microsoft announced the Microsoft Enterprise Mobility Suite. This suite consists of Azure Active Directory Premium, Microsoft Intune and Azure Rights Management Service. With Microsoft Intune you can manage mobile devices, covering not only Mobile Device Management (MDM) but Mobile Application Management (MAM) as well. With the latest Microsoft Intune updates it is now possible to create a separate application layer / app isolation for the corporate apps and prevent data exchange between corporate and non-corporate apps.

With Microsoft’s announcements about these new features I became curious about Microsoft Intune and all its possibilities. Besides that, I’m getting more and more questions about Microsoft Intune from customers. I know Microsoft Intune integrates perfectly with Microsoft Office 365 and Microsoft System Center Configuration Manager (SCCM). But what about the mobility management features in Microsoft Intune as a “stand alone” product? Time for a first look, so let’s find out!

Setting up a Microsoft Intune account

The first step is to create a Microsoft Intune account. You can create a free trial account at the Microsoft Intune website.

How to setup Microsoft Intune 001

After creating a Microsoft Intune account it’s time to create users, or to configure single sign-on by using AD FS or Azure Active Directory.

How to setup Microsoft Intune 002

For this blog I will create a test user manually, but first I will add my domain so I can create users at @robinhobo.com

How to setup Microsoft Intune 003

Navigate to Domains and click Add a domain

How to setup Microsoft Intune 004

Fill in your domain name (in my case robinhobo.com) and click Next

How to setup Microsoft Intune 005

Next you need to verify your domain. You can do this by creating a TXT or an MX DNS record. In this window you can see which DNS record must be created. Click Verify after the DNS record is created.

How to setup Microsoft Intune 006

Click Close

How to setup Microsoft Intune 007

Now we can create users for the @robinhobo.com domain. Navigate to Users and click New > User

How to setup Microsoft Intune 008

Fill in the required information of the user you want to create and click Next

How to setup Microsoft Intune 010

Optionally you can Assign an Administrator role to this user. Fill in the country and click Next

How to setup Microsoft Intune 011

Select the correct user group (license) and click Next

How to setup Microsoft Intune 012

Optionally fill in an email address to which the temporary password can be sent. Click Create

How to setup Microsoft Intune 013

Click Finish

Set Mobile Device Management Authority

Before you can manage mobile devices you need to set the Mobile Device Management Authority. This can be set to Intune itself or Microsoft System Center Configuration Manager (SCCM).

How to setup Microsoft Intune 014

Log in to manage.microsoft.com and navigate to Admin > Mobile Device Management. On the right, click on Set Mobile Device Management Authority

How to setup Microsoft Intune 015

Select Use Microsoft Intune to manage my mobile devices and click OK

Prepare for Mobile Device Management

For some types of mobile devices we need to do some preparation before they can be managed. For example, for Windows Phone 8 you need to get a code signing certificate from Symantec and for iOS you need to create and sign an APNs Certificate.

How to setup Microsoft Intune 016

For this blog I will enrol an iOS device. Therefore I will show you the steps to create an APNs Certificate. Before you do this make sure you have an Apple Account. If you don’t have one you can create it here for free. Click on Enable the iOS platform.

How to setup Microsoft Intune 017

Click on Download the APNs Certificate Request. After downloading the certificate request, click on Apple Push Certificates Portal

How to setup Microsoft Intune 018

Logon with your Apple ID

How to setup Microsoft Intune 019

Click on Create a Certificate

How to setup Microsoft Intune 020

Select I have read and agree to these terms and conditions and click Accept

How to setup Microsoft Intune 021

Browse to the downloaded certificate request and click Upload

How to setup Microsoft Intune 022

Click on Download to download the signed APNs Certificate

How to setup Microsoft Intune 023

Click on Upload the APNs Certificate

How to setup Microsoft Intune 024

Browse to the downloaded signed APNs certificate and click Upload

How to setup Microsoft Intune 025

Now you’re ready to manage iOS devices

Customize the Company Portal

You have the ability to customize the Company Portal with logos and custom information. I will show some options in the following steps.

How to setup Microsoft Intune 026

Browse to Admin > Company Portal. Here you can fill in the information that will be visible on the Company Portal

How to setup Microsoft Intune 027

Click Save

How to setup Microsoft Intune 028

You can also apply custom Terms And Conditions. To do so, browse to Admin > Company Portal > Terms And Conditions. These will be displayed and must be accepted when the user enrols his device.

Creating Configuration Policies

In the next steps I will create some policies, starting with the Common Mobile Device Security Policy.

How to setup Microsoft Intune 029

Browse to POLICY > Configuration Policies. On the right side of the screen click on Add...

How to setup Microsoft Intune 031

Navigate to Common Mobile Device Settings > Mobile Device Security Policy. On the right side select Create and Deploy a Custom Policy and click on Create Policy

How to setup Microsoft Intune 031

For this blog I configured the following:

Name : Default Mobile Device Policy

Require a password : Yes

Required password type : Numeric

Minimum password length : 4

Allow simple passwords : Yes

Number of repeated sign-in failures : 4

Allow web browser : No

Click on Save Policy

How to setup Microsoft Intune 034

Click Yes

How to setup Microsoft Intune 037

Add the All Mobile Devices and hit OK
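To put numbers on the passcode settings configured above, here is an added example (not part of the original post) that enumerates the passcodes the policy accepts at its minimum length and estimates the chance of a correct guess before the failure limit is reached. The definition of a "simple" passcode, the treatment of the failure count as a hard limit on attempts, and the stricter comparison policy are assumptions made for the illustration.

```python
from itertools import product

# Settings the post configures in "Default Mobile Device Policy" (numeric type).
POST_POLICY = {"min_length": 4, "allow_simple": True, "max_failures": 4}
# Constructed comparison policy (hypothetical, not from the post).
STRICTER_POLICY = {"min_length": 6, "allow_simple": False, "max_failures": 4}


def is_simple(pin):
    """Assumed model of a 'simple' passcode: every step between adjacent
    digits is the same and is 0 (1111), +1 (1234) or -1 (4321)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({0}, {1}, {-1})


def allowed_pins(policy):
    """Enumerate numeric passcodes of exactly min_length that the policy accepts.
    Longer passcodes are also allowed; the minimum length is the worst case."""
    for digits in product("0123456789", repeat=policy["min_length"]):
        pin = "".join(digits)
        if policy["allow_simple"] or not is_simple(pin):
            yield pin


def assess(policy):
    """Summarise how much protection the passcode settings give a lost device."""
    pins = list(allowed_pins(policy))
    simple = sum(1 for p in pins if is_simple(p))
    tries = policy["max_failures"]
    return {
        "keyspace": len(pins),
        "simple_still_valid": simple,
        # Chance of hitting a uniformly random passcode before the failure limit.
        "guess_chance_random": min(1.0, tries / len(pins)),
        # If the user picked a simple passcode, only those candidates matter.
        "guess_chance_if_simple": min(1.0, tries / simple) if simple else 0.0,
    }


if __name__ == "__main__":
    for name, policy in (("post", POST_POLICY), ("stricter", STRICTER_POLICY)):
        print(name, assess(policy))
```

With "Allow simple passwords" set to Yes, the small set of repeated and sequential passcodes stays valid, which is where the failure limit gives the least protection.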

In the next step I will create an iOS Configuration Policy.

How to setup Microsoft Intune 038

Click on Add...

How to setup Microsoft Intune 039

Navigate to iOS > iOS Configuration Policy. On the right side select Create and Deploy a Custom Policy and click on Create Policy

How to setup Microsoft Intune 040

For this blog I will give it the name iOS Configuration Policy. Select Report noncompliance when users install the listed app. Click Add...

How to setup Microsoft Intune 041

For this test I will add the Dropbox App. Fill in the correct information and hit OK

How to setup Microsoft Intune 042

Click on Save Policy

How to setup Microsoft Intune 043

Click Yes

How to setup Microsoft Intune 044

Add the All Mobile Devices and click OK

How to setup Microsoft Intune 045

The second-to-last policy I will add for this test is the Managed Browser Policy. Select the Managed Browser Policy and Create a Custom Policy. Click on Create Policy

How to setup Microsoft Intune 046

For this test I will block https://www.facebook.com and https://www.dropbox.com.

Click Save Policy

In the last policy that I will create for this test I will configure the Mobile Application Management Policy. This one is to restrict data exchange between the applications.

How to setup Microsoft Intune 047

Select Mobile Application Management Policy (iOS 7 and later) under Software and select Create a Custom Policy on the right side of the dialog window. Click on Create Policy

How to setup Microsoft Intune 048

I leave everything at the default so that data exchange is prevented.

How to setup Microsoft Intune 048

Click on Save Policy

Publishing Applications

After creating all the policies it’s time to publish the applications. You can apply the Mobile Application Management Policies to Managed Apps from the public store (iTunes, Play) without the need to wrap the application first. But not every application can be managed from the public store. To see which applications are manageable from the store, see this page: https://technet.microsoft.com/en-us/library/dn708489.aspx

How to setup Microsoft Intune 050

Go to APPS > Apps. On the right side of the screen click on Add App

How to setup Microsoft Intune 051

Select Add software

How to setup Microsoft Intune 052

Click Next

How to setup Microsoft Intune 053

Select Managed iOS App from the App Store and copy the URL of the specific application (store URL to app). In this case, that is the URL of the Microsoft Intune Managed Browser app in the iTunes store.

How to setup Microsoft Intune 054

Fill in the Application Information (not filled in automatically) and click Next

How to setup Microsoft Intune 055

You can filter the target device, for example, publish the application to iPads only and not iPhones. Click Next

How to setup Microsoft Intune 056

Click Upload

How to setup Microsoft Intune 057

Click Close

You can repeat these steps for all the applications you want to publish. For now I will publish the Managed Browser, Word, Excel and PowerPoint for both iOS and Android.

Manage Deployments

So we created the policies and added the applications. The next step is to link these two and make the applications with the correct policies available in the Intune Portal on the mobile device.

How to setup Microsoft Intune 058

Select the application you want to publish (in this example I will use the Intune Managed Browser) and click on Manage Deployments

How to setup Microsoft Intune 059

Select the Users or Devices group to which you want to publish the application and click Next

How to setup Microsoft Intune 060

Managed applications from the iTunes store cannot be published as Available Install at this time. You can only select Required Install to make the application manageable. Click Next

How to setup Microsoft Intune 061

Select the Mobile Application Management Policy created in one of the first steps in this blog and click Next

How to setup Microsoft Intune 062

Optionally you can apply a VPN Profile / Policy. Click Next

How to setup Microsoft Intune 063

In the last step you can apply the Managed Browser Policy. Select it and click on Finish

Device Enrollment (iPad) and testing the policies

It’s time to test all the policy settings on a device. For this test I will enroll my iPad with Microsoft Intune.

How to setup Microsoft Intune 064

The first step is to install the Microsoft Intune Company Portal. To do so, open the App Store

How to setup Microsoft Intune 065

Search for Company Portal and install the App

How to setup Microsoft Intune 066

After installing the App, open the Company Portal

How to setup Microsoft Intune 067

Log in with an Intune User Account

How to setup Microsoft Intune 068

Press the Enroll button

How to setup Microsoft Intune 069

Press the Install button

How to setup Microsoft Intune 070

Press the Install button

How to setup Microsoft Intune 071

Press the Install button

How to setup Microsoft Intune 072

Press the Trust button

How to setup Microsoft Intune 073

Press the Done button

How to setup Microsoft Intune 074

Wait a sec…

How to setup Microsoft Intune 075

The first policy has arrived, the passcode policy. Press Continue

How to setup Microsoft Intune 076

Now the Apps will be installed, press Install for all the required applications

How to setup Microsoft Intune 077

I published a link to my website as well. The link is visible in the Company Portal so I can “Install” it

How to setup Microsoft Intune 078

After installing all the Apps (including the link) my iPad looks like this. Note that the Safari browser app has disappeared, which is good.

How to setup Microsoft Intune 079

Copy and paste between managed apps is possible, and between managed apps and non-managed apps it is not, so that policy works great! Also, when I open the Intune Managed Browser and go to the Facebook.com or Dropbox.com website I get the alert as shown above. So that policy works as well.

Conclusion

Microsoft Intune is easy to set up without the need to enroll new servers in your current infrastructure. I had it up and running in a few minutes (see blog above). The web interface / console is easy to use and requires no explanation. Besides mobile devices it’s also possible to manage Windows updates for Windows devices and configure endpoint protection.

For Mobile Device Management (MDM) the basic features are available and work fine. I can wipe/retire my device, do a remote lock, do a password reset and see the device properties. Personally I miss the option to locate the device and to do a software inventory (for all apps and not only the installed apps from the Company Portal) but that is a deliberate choice by Microsoft to omit these options.

For the Mobile Application Management (MAM) it’s great that you have the option to create a policy and apply the same policy to several applications. Also the VPN policy which allows you to set up a “Per-App” VPN connection is a great feature. The Managed Browser policy works really well, especially in combination with the option to disable the native browser on the device (Safari). I was able to block some websites (see blog above). The only drawback is that the published links from the Company Portal do not want to open with the Managed Browser, but perhaps I should publish these links in a different way (I have to figure that out yet).

The Managed Application policy works well, I was able to block data exchange between managed and non-managed apps and set a PIN code on the managed apps. The fact that you can manage applications with policies without the need to wrap them first is really cool! Microsoft has a monthly update schedule, and I am very curious about the future developments, especially in combination with other products from the Enterprise Mobility Suite!

9 comments

  • Hi Robin,
    Thanks for posting this, very insightful. I have a couple of follow-up questions regarding the MAM part of Intune:
    - You mention you were able to block content exchange between apps. Can you elaborate on that? From where to where? Does one of the apps need to be one listed by MSFT as managed apps in their website? (meaning you can only do this if either the source or the destination is an app that has the MSFT SDK included)
    - What can you do in terms of blocking an app from being installed or executed?
    Thanks again!
    Chema

    • Hi Chema, I was able to block content/data exchange between the managed apps and the non-managed apps. See blog and link to managed apps. On Windows Phone you can prevent the installation of listed apps. On Android and iOS you can’t.

      Kind Regards,

      Robin

  • Is Azure AD premium a requirement for only intune (not ems)? Or if you purchase intune you also get ems and/or azure ad premium?

  • I noticed that you have published websites and Android apps. Can you give us a demo of that please 🙂

  • Hi Robin,
    I am facing a strange problem with device auto enrollment. I have configured auto enrollment in Azure AD following exactly the MS documentation, but whenever I joined a WIN10 device to Azure AD it doesn’t show up in Intune, neither under user profile -> devices in the old Azure portal, whereas it shows in the new Azure portal with all device details (Azure joined, Managed by Intune, Compliant, etc.). I would highly appreciate your advice to fix the issue.
    Thanks in advance
    Best Regards

    • Does the user you are using have an EM+S license assigned? How many devices has the user enrolled? What is the maximum number of allowed devices in Intune vs Azure AD?

  • Hi Robin,
    How do you connect to Internal Web Service on MAM Device thru wrapped iOS enterprise app?
    Is there any alternate path instead of Per-App VPN?

    • Per-app VPN is an option, but also the Azure AD Application Proxy server is an option to publish internal Web apps / SaaS apps to Azure.

About Robin Hobo

Robin Hobo

I work as a Senior Solution Architect with focus on the Modern Workspace. I am specialized in Azure Virtual Desktop (AVD), Windows 365 and Microsoft EM+S (including Microsoft Endpoint Manager - Microsoft Intune).
