Chapter 6
Planning and Managing Microsoft Intune

MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:

  • ✓   Manage devices with Microsoft Intune.
    • This objective may include but is not limited to the following subobjectives: Provision user accounts, enroll devices, view and manage all managed devices, configure the Microsoft Intune subscriptions, configure the Microsoft Intune connector site system role, manage user and computer groups, configure monitoring and alerts, manage policies, manage remote computers.
  • ✓   Deploy software updates by using Microsoft Intune.
    • This objective may include but is not limited to the following subobjectives: Use reports and In-Console Monitoring to identify required updates, approve or decline updates, configure automatic approval settings, configure deadlines for update installations, deploy third-party updates.
  • ✓   Support mobile devices.
    • This objective may include but is not limited to the following subobjectives: Support mobile device policies including security policies, remote access, and remote wipe; support mobile access and data synchronization including Work Folders and Sync Center; support broadband connectivity including broadband tethering and metered networks; support Mobile Device Management by using Microsoft Intune, including Windows Phone, iOS, and Android.
  • ✓   Support Windows Store and cloud apps.
    • This objective may include but is not limited to the following subobjectives: Deeplink apps by using Microsoft Intune; sideload apps by using Microsoft Intune.
  • ✓   Support desktop apps.
    • This objective may include but is not limited to the following subobjective: Deploy desktop apps by using Microsoft Intune.

inline   In this chapter, we will start diving into the world of the cloud. I am going to talk about Microsoft Intune and how you can manage devices and software by using Microsoft Intune. I will show you how to set up and configure an Intune subscription and how you can use that subscription to help your network users get the most out of the network resources and software.

I will start the chapter by talking about managing devices using Intune. I will show you how to provision user accounts and enroll devices. I will also discuss how to manage and configure devices using the Microsoft Intune subscription.

I will then continue the discussion by showing you how to deploy and configure updates using Intune. I will show you how to use the In-Console monitoring tools and how to approve and decline updates.

I will then talk about working with mobile devices including Windows tablets, broadband metering, and tethering, as well as how to wipe mobile devices for employees who leave the company.

I will then show you how to use Intune to help deploy and maintain your company’s software packages. I will also talk to you about sideloading applications into your users’ devices and the different types of reports that you can run to check on the various hardware and software in your environment.

Let’s get started by discussing how you can use Microsoft Intune to help manage and maintain your corporate devices.

Managing Devices with Microsoft Intune

The first thing we need to discuss in this chapter is exactly what Microsoft Intune is. Microsoft Intune is a device management system (see Figure 6.1). Microsoft Intune allows administrators to manage mobile devices, mobile applications, and PC management capabilities all from the cloud.

Image described by surrounding text.

Figure 6.1 Microsoft Intune dashboard

Administrators using Intune can provide their users with access to corporate applications, data, and resources from almost anywhere and on almost any device while also keeping corporate information secure.

Microsoft Intune also helps you save money because it allows you to license users instead of devices. So if you have a user who works from multiple devices (laptop, tablet, and Windows Phone), you pay only once for the user license instead of multiple times for all of the user’s devices.

Administrators can use Microsoft Intune to support and manage Windows 10. Administrators can use Intune on a Windows 10 device for the following:

Microsoft Intune is built on Microsoft Azure Active Directory and System Center. Active Directory is a Directory Services database created by Microsoft. Directory Services was originally designed by Novell, and starting in Windows Server 2000, Microsoft’s version—Active Directory—was introduced to the world. To put this in an easy way to think about, Active Directory is just a database that allows administrators to control access to the network.

Microsoft has now taken Active Directory to a new level with cloud-based Active Directory, or Azure Active Directory. Now instead of requiring your organization to buy Windows Server and the required hardware, you can just use a cloud-based version of Active Directory.

Microsoft System Center Configuration Manager allows administrators to have a wide-ranging solution for change and configuration management. Configuration Manager allows an administrator to perform the following tasks:

Understanding Microsoft Intune Benefits

Microsoft Intune has many different benefits to help an IT department be more productive and keep its systems running all on the same software. Intune provides an IT department the ability to keep corporate data secure while allowing users to access the same company software from any device that they want to work from. Here are some other Intune benefits:

  • Multiple device enrollments for users. Licenses are per user and not per device, so users can work from multiple devices.
  • Corporate data security for users and applications like Microsoft Exchange, Outlook, and Office.
  • The ability to use Office 365 from any approved device.
  • Since Microsoft Intune is a cloud-based system, the IT department is not required to build an infrastructure. This saves the additional cost of buying and maintaining hardware and software.
  • Microsoft Intune extends your System Center Configuration Manager through both the cloud and on-premise versions by connecting the two systems together through the use of an application connector.
  • Microsoft 24/7 support is available through worldwide phone support or online support. Also, administrators have access to Microsoft.com for Intune FAQs and its knowledge base.
  • Corporations have multiple licensing options available to them to choose from. Intune is also part of the Enterprise Mobility Suite by default.

Configuring Intune Subscriptions

When you are deciding about using Microsoft Intune, you must think about the subscription type that you want. You can start with a free 30-day trial or move directly into a full paid subscription. Either choice allows you to start managing mobile devices and corporate computers immediately.

One of the nice advantages to the Intune subscriptions is that if you decide to add at least 150 user licenses, you get to use Microsoft’s FastTrack Benefits Center. This benefit also allows a Microsoft specialist to work with your organization. This Microsoft specialist then helps you get the most out of using Intune and all of its benefits.

To start using Microsoft Intune is a very easy and free process. You go out to Microsoft’s website and sign up for a free 30-day trial of Intune. Then you start adding your users, groups, and devices. Then if you decide that Microsoft Intune is right for your organization, you can sign up for one of their monthly rates.

Once you have decided to take that next step, you need to start redesigning your company’s infrastructure to include the cloud-based subscription. This can be as easy as setting up your DNS servers to include the cloud-based services or as complex as adding all of your devices to the cloud and phasing out many of the infrastructure servers that you currently have running in house.

Whatever you decide, one of the most important phases of moving to a cloud-based system is planning. Once you have made the decision to move to the cloud, that’s when the real work happens. Here are some questions to think about:

  • Will you be moving all users to Azure Active Directory?
  • Will you be using the cloud just for device and software deployment?
  • Will you be phasing out in-house equipment?
  • Will you allow users to use their own devices (Bring Your Own Device—BYOD)?
  • If users use their personal devices, will you supply them with corporate software applications?
  • Will you be using Office 2013 or Office 365?

When you sign up for a Microsoft Intune account, you will choose a domain for your Intune subscription. After you sign up for your Intune subscription, Microsoft will send you an email that will have your Intune information contained within the email. Figure 6.2 shows an example of the information contained within the Microsoft Intune email.

Screenshot shows the link to sign in to the Microsoft Intune Account portal, user ID, name, Get started today button and account information such as organization, service, trial start date and trial end date.

Figure 6.2 Microsoft Intune email

In Exercise 6.1, I will show you how to set up a free Microsoft Intune 30-day trial account. You will need to complete this exercise to do some of the other exercises in this chapter.

Image described by surrounding text.

Figure 6.3 Microsoft Intune signup

Provisioning User Accounts

Once you have decided to sign up for the Microsoft Intune subscription, you next need to start assigning your corporate users and groups to Intune. By assigning users and groups, you are choosing which individuals get to access the cloud-based services of Intune, and the IT department gets to start using all of the Intune benefits.

As stated previously, once you sign up for the Microsoft Intune subscription, you will receive an email with your user information along with a link to the Microsoft Intune portal. Click that link and then sign in. Once you sign in, you will automatically be redirected to the Intune Dashboard. This is where you can start creating your users and groups.

During the Microsoft Intune subscription process, you create a domain name, and that domain is added to a Microsoft extension by default. So, if I choose a domain named Stormwind, then the default Microsoft subscription will look like Stormwind.onmicrosoft.com. If your company already owns its own domain name, then you can use that domain instead of the default Microsoft option.

Setting Administrator Accounts

Be sure to decide which way you want to set up your cloud-based domain because if you decide to use Microsoft’s default, all of your users will end up with an onmicrosoft.com extension for their User Principal Names (UPNs). Using a pre-owned domain name can make your life in IT much easier because your users will log in using the same domain name that they are using now on a daily basis.

When setting up your Azure Active Directory, you can have this cloud-based version of Active Directory work with the on-premise server-based version of Active Directory by using the Azure Active Directory (AD) Connect tool (formerly known as the Directory Synchronization tool, the Directory Sync tool, or the DirSync.exe tool).

The Azure Active Directory (AD) Connect tool is a server-based application that can be installed onto a server that is currently joined to your local domain. The connect tool allows your corporate onsite users to synchronize to your cloud-based services.

When you decide to connect your Azure Active Directory to your onsite server-based Active Directory, user administration becomes much easier for your IT department. It allows your users to use a single sign-on to access both the local resources and the cloud-based resources. When users have to log in using different accounts, it puts more stress on an IT department and/or help desk.

The first users that you should add to Microsoft Intune are your administrators. By adding the administrators first, then they can start to help also build other user accounts. When you are choosing administrative privileges, you can choose from three administrator types: Tenant Administrator, Service Administrator, or Device Enrollment Manager. Let’s take a look at each of these administrator’s permissions.

Tenant Administrator

Organizations have the ability to set an administrator up as tenant administrators. Tenant Administrators are used for very specific tasks. Normally, Tenant Administrators are assigned only one dministrator role. This one administrative role determines the administrative scope for the user and the tasks they can manage. Tenant Administrators' can be any of the following roles:

Billing Administrator The Billing Administrator makes purchases, handles company subscriptions, manages support items, and handles service health issues.

Global Administrator The Global Administrator has the ability to access all administrative features. By default, the administrator who signs up for the Intune subscription is the Global Administrator for your organization.

  • Global Administrators are the only administrators who can assign other administrator their rights.
  • Organizations have the ability to have more than one Global Administrator within your organization.

Password Administrator Password Administrators have the ability to deal with user password issues like resetting passwords, managing requests, and monitoring service health. Password Administrators are allowed to reset passwords for users and other password administrators.

Service Support Administrator Service Support Administrators can manage service requests, and they can handle service health requests.

User Management Administrator User Management Administrators can deal with user issues like resetting passwords, handling service health requests, and managing user accounts and groups.

Service Administrator

This is a tough role to truly understand because Intune doesn’t assign a Service Administrator role. Actually, the Service Administrator role is just a Tenant Administrator role with the Global Administrator permission assigned to the individual who signed up for the Microsoft Intune subscription. Service Administrators use the administrative console to handle the daily tasks for Intune.

Device Enrollment Manager

One of the great benefits of using Microsoft Intune is the ability of users to enroll multiple devices. By default, each user can enroll five devices if they want. If you want a user to help other users enroll devices, then you can also make a user a Device Enrollment Manager. This role allows an administrator or user the ability to enroll devices for other users. This is also useful for companies that have kiosk-type machines. Your Device Enrollment Manager can enroll these types of systems.

Creating a User in Intune

Once you have decided to use Microsoft Intune, you must start setting up user accounts within Intune so that your users can start accessing the benefits of using Intune.

For users to access Intune, they must have a valid license. When a user has a valid user license, they can then enroll up to five of their devices. This way they can use different devices to do different tasks from both work and home.

When adding users into the Intune portal, you can do it either one user at a time or by bulk import from a CSV file. When adding users, you must assign licenses to each of these users. No matter how you add a user, adding a license to that user is not necessary at the time the user is created. But a license must be associated to that user before that user can access Intune.

If you decide to import your users from your on-site Active Directory to the cloud, the users will not have a license. You will be required to assign licenses to your users after the Active Directory merger to Intune.

Let’s take a look at how easy it is to create a new user. In Exercise 6.2, I will walk you through the process of creating a new user in the Intune Management Console.

Now that we have looked at creating a user in the Intune Management Console, let’s take a look at how to create device groups.

Creating Device Groups

Creating groups in Intune helps administrators have more flexibility when it comes to Intune management. Administrators can set up groups based on devices, users, geographic locations, departments, or even hardware types.

There are two main types of groups in Microsoft Intune: device groups and user groups. The groups are created in about the same way, but deciding which groups to create is when the planning and decision making takes place.

When creating new device groups, you can choose which types of devices you want to manage. For example, you can choose mobile devices or all devices. Also, when creating groups, you must add your groups to a parent group. For devices, the parent group is called All Devices. As you create more groups, those groups can become parent groups to other groups.

Administrators create device groups to help deploy applications and updates to specific devices. In Exercise 6.3, I will show you how to create a device group using the Microsoft Intune Management Console.

After you create the group, you can view and manage it from the Intune administrative console. You can change the group properties, and you can add or exclude devices from this group at any time. Managing and maintaining the device groups is easily accomplished from the Intune administrative console.

Now that you have created a device group, let’s look at how to create a security group.

Creating User Groups

Creating user groups is not much different than creating device groups. User groups allow administrators to manage users by position type, geographic location, or even by hierarchy (executives, directors, managers, etc.).

When creating new user groups, you can choose which parent group you want your group to be part of. For users, the default parent group is called All Users. As you create more groups, those groups can become parent groups to other groups.

In Exercise 6.4, I will show you how to create a user group called Intune Users.

After you create the security group, you can manage that group from the Intune administrative console. Administrators have the ability to change the group membership at any time. Managing and maintaining the security groups is easily accomplished from the Intune administrative console.

As I stated in the previous note, when you create a child group off a parent group, that child group can’t be moved to another parent group without deleting the group. Remember, when you delete groups, the users do not get deleted when the groups are deleted.

Now that you have seen how to create users and groups in Intune, let’s look at how to set up Intune policies.

Creating Intune Policies

Administrators have the ability to place rules on security settings, firewall settings, and endpoint protection settings on their Intune mobile devices and applications. Think of Intune policies as network Group Policies. These are rules that you can put on devices or users.

Once you decide to move to Microsoft Intune for your devices, it’s important to use Intune policies to help manage the devices on your network and set up endpoint protection. Microsoft Intune helps your IT staff deploy devices and applications, and Intune policies allow the IT team to manage the settings on these deployments. When you build a policy, you can deploy that policy to the user groups that you set up in the previous section. Then when the user logs in to Intune, the policy becomes their baseline policy.

You can create policies for the different types of devices available for Microsoft Intune. You can create policies for Android, iOS, Mac OS X, Windows, software, Computer Manager, and common mobile device settings.

In Exercise 6.5, I will walk you through the steps required to set up a Microsoft Intune policy. Administrators have the option to change the policy at any time.

Now that we have looked at how to set up Intune users, groups, and policies, it’s time to look at how an administrator enrolls devices in Intune.

Enrolling Devices Using Intune

To take advantage of using Intune, you must enroll devices into the Intune system. To enroll clients into this system, you must download the Intune client software onto the devices that need to be enrolled.

For some of the devices on the market today, you may need to take additional steps in order for them to work with your Intune network. For example, to use the Apple iOS, an Apple Push Notification service (APNs) certificate must be imported from Apple so that you can manage iOS devices. This certificate allows Intune administrators to manage iOS.

When an administrator goes to enroll the many different devices on the Intune network, as stated, some of the different devices require different installation options.

Apple iOS Administrators need to import an Apple Push Notification service certificate from Apple so that you can manage iOS devices. Administrators need to open the Microsoft Intune administration portal and go to Administration ➢ Mobile Device Management ➢ iOS and Mac OS X ➢ Download the APNs Certificate Requests (see Figure 6.10). Administrators then must save the certificate signing request (.csr) file locally. The .csr file is used to request a trust relationship certificate from the Apple Push Certificates Portal. The administrator then needs to click the Upload The APNs Certificate.

Image described by surrounding text.

Figure 6.10 Upload An APNs Certificate screen

Android Devices No additional configurations in the Intune console are needed to enable Android mobile device enrollment.

Windows Phone Administrators must set up some management requirements before Windows Phones will work with your Intune network. DNS administrators need to create CNAME records in order for users to connect to the Intune network resources. Windows Phones also require a certificate to establish encrypted communications between the client device and the Intune cloud-based system.

Windows Devices Windows devices are connected basically the same way as Windows Phones. The DNS administrator has to create a CNAME record, and then applications can be sideloaded into the Windows computer. Users can also connect to Intune by using the Intune Management Portal.

Administrators can use the Mobile Device Management (MDM) tools to help your company users enroll different devices and manage their Intune accounts. MDM provides the following benefits:

  • MDM gives users the capabilities of enrolling their own devices through the use of the self-service Company Portal app. After users enroll their devices, they can install corporate applications.
  • Once a device is enrolled, MDM helps deploy certificates, Wi-Fi, VPN, and email profiles automatically. This allows users to have access to corporate resources with the necessary security configuration options.
  • MDM allows administrators to use broad management tools for managing mobile devices, passcode resets, device lockouts, and data encryption and to fully wipe a stolen device to help protect against corporate data loss.
  • MDM helps simplify the enrollment of corporate devices using bulk enrollment tools like the Apple Configurator.
  • MDM allows administrators to easy enroll Apple iOS devices with the Device Enrollment Program (DEP).
  • MDM allows administrators to enforce a much stricter lockdown policy for iOS, Android, and Windows Phone devices.

To enroll clients into the Intune network, you can install the software in a variety of ways. The company administrator can provide an installation package to allow users to enroll their systems. Administrators can set up a Group Policy that can be used to enroll the computer into Intune, or users can self-enroll using the Intune portal.

If you decide to use MDM, you must first set up the mobile device management authority. This enables management of device platforms and allows your devices to be enrolled via the Company Portal app.

In Exercise 6.6, I will walk you through how to install and enroll your Windows 10 laptop or desktop in Microsoft Intune.

Configuring the Intune Connector Site

To understand how connectors work, you must first understand what a connector does and why we use them in the computer industry. Connectors allow different types of devices to communicate with each other. So, for example, let’s say you had a Microsoft Exchange server and a UNIX-based mail server. You would add a connector into the Exchange server so that it could communicate and understand the UNIX mail server. That’s how Intune connectors work also.

Intune connectors allow Microsoft Intune to communicate and understand other types of devices and software. So if you decide to use Azure Active Directory and Azure Exchange, you can install a connector so that Azure Exchange can work with the corporate Exchange mail server.

Exchange devices have the ability to be managed through both the on-premise Exchange servers and the hosted Exchange servers in the cloud. The Exchange connector connects your users with your Exchange deployments, and the connector lets you manage your mobile devices through the Intune console.

Administrators who have been using System Center Configuration Manager to manage their computers, Macs, and UNIX-based devices can add the Intune connector so that they can manage all of these devices from one console.

To configure connectors, in the Intune Management Console click the Admin link. Then expand the Mobile Device Management section. You would then click the device or software package and set up the connector.

Configuring Intune Alerts

One of the advantages of using Intune is the ability to monitor and see alerts within Intune. There are different levels of severity within the alerts. Table 6.1 shows you the different alert types and what each type means.

Table 6.1 Intune alert types

Alert Description
inline This alert shows you that you have a serious issue that needs to be investigated and fixed.
inline This alert shows you that there may be an issue but that issue is not very serious at this time. These alerts need to be investigated to make sure that they do not become a problem in the future.
inline This alert shows you that there is some information about a product but it’s not a problem. For example, an informational alert may tell you that there is an upgrade to a connector that you have installed.

When dealing with Intune monitoring and alerts, there are a few settings that you can set up to help configure how alerts work. For example, under the Alerts And Notifications section, you can set up recipients who will receive emails when alerts happen.

So if you get a critical error, an email can be sent to an administrator so that the IT department can work on resolving the issue as fast as possible. If you don’t set up email alerts, someone will need to monitor the Intune system daily to watch for issues. Intune administrators have the ability to set different email recipients for different alert types. So critical alerts can go to one IT person, and warnings can go to another.

Administrators also have the ability to enable or disable certain alert types. So if you are getting a warning that you know is not going to affect your Intune system, you can disable the warning to remove it completely. This way it’s not a message your Intune administrators need to see on a daily basis.

To configure your alerts and notifications, in the Intune Management Console click the Admin link. Then expand Alerts and Notifications. You can then create new alert rules and notifications.

Supporting Applications

Microsoft Intune gives an organization the ability to deploy and maintain software from the cloud. The advantage to this is that the software issued through Intune is licensed to the user and not the hardware. So what this means is that you can deploy a copy of Office to a user using multiple devices, and when that user works on corporate data, that data is secure. That’s the real advantage to Intune. This allows your users to work securely from their iPhone, Windows laptops, or tablet.

Microsoft Intune also allows an organization to use their current business apps by using the Intune App Wrapping tool. The Intune App Wrapping tool is a command line application that builds a package around the in-house application. Then the business application can be managed by the Intune mobile application management policies.

The Intune App Wrapping tool also gives you secure data viewing through the Intune Managed Browser, AV Player, Image viewer, and the PDF viewer. Administrators also have the ability to deny specific applications or web addresses from being accessed from specific types of mobile devices. Finally, when dealing with corporate data and security, administrators have the ability to wipe out a device in the event that the device is stolen, the device is lost, or the employee leaves the company.

Deploying Applications Using Intune

The way that we do business in the corporate world continues to change on a daily basis. Today, many of our users bring in their own devices. Because of BYOD, it is getting harder for IT departments to deploy software.

As stated earlier in this chapter, Microsoft Intune (Figure 6.18) is a cloud-based desktop and mobile device management tool. Intune helps IT departments provide their users with access to company applications, data, and resources. The users have the ability to access these resources from any type of device (i.e., Apple, Android, or Windows devices).

Image described by surrounding text.

Figure 6.18 Microsoft Intune

One of the issues that we face as IT administrators is that we have multiple copies of software throughout a company and multiple version types (Apple versions of Office compared to Windows versions). Let’s take a look at Office as an example. Many times we have older versions of Office (Office 2010) and newer versions of Office (Office 2016/Office 365).

This is where Microsoft Intune can help out an IT department. You can upload software packages to Intune and your users can get current copies of the software from the web. Also, Intune helps your organization protect its software by giving you extra security and features. Intune also allows you to set up application management policies that allow an IT department to manage applications on different devices.

As long as a device is compatible with Microsoft Intune, you can deploy the applications to that device. Depending on the device and the application, deployment options may vary. Administrators have the ability to upload their applications to Microsoft Intune or link a Windows Store application to Microsoft Intune storage.

To deploy applications using Intune, you must use the proper software installation type based on the different devices that your users may be using. Microsoft gives you a trial subscription of 2 GB of cloud storage. You can purchase more storage depending on how much money you want to spend.

Intune Software Publisher

To make an application available for your users to deploy, you must upload the installation package and then publish the package. As soon as you add or modify an application to Microsoft Intune, the Microsoft Intune Software Publisher starts. Then from the publisher you can choose and configure the software installation type.

To use the Microsoft Intune Software Publisher, you must have Microsoft .NET 4.0 installed on the Windows system. After you install .NET, restart the system and you should be able to use the Microsoft Intune Software Publisher.

Sideload Apps by Using Microsoft Intune

Sideloading an application means that you are loading an application that you already own or one that your company created into a delivery system (i.e., Intune, Microsoft Store, or images).

You may be familiar with sideloading apps into the Windows Store. This is the process of building or buying your own application and then adding it to the Windows Store so that all of your users can download and use that app. Sideloading an application into Microsoft Intune means the same thing. You are taking an application that you built or bought and adding it into Microsoft Intune for user downloads.

Think about how you deploy software today. You buy a package and either manually install the software to your users or use some type of deployment package like System Center Configuration Manager. The only difference now is that the application gets loaded into the cloud and can be deployed to any device that is compatible with the application.

When sideloading applications you can use Microsoft Intune or a combination of Microsoft Intune and System Center Configuration Manager. Microsoft has a Windows Intune connector that allows Intune to work directly with System Center Configuration Manager. Here are the steps required to sideload applications into Microsoft Intune:

  1. Upload your application into Microsoft Intune. To do this, click the Add Apps link (shown in Figure 6.19).
  2. A dialog box will appear asking you if you want to download a setup.exe file. Click Yes. This is the Microsoft Intune Software Publisher. After it is downloaded, click the exe. The Software Publisher dialog box will appear, asking if you want to install. Click Run (shown in Figure 6.20).
  3. The Microsoft Intune Software Publisher sign-in screen will appear. Enter the credentials for a Microsoft account tied to Intune and click the Sign In link.
  4. At the Software Setup page, choose the Windows application package software installer type and the Universal Naming Convention (UNC) path to the application.
  5. When the Software Description page appears, choose the publisher, user-friendly name, and description of the app. Click Next.

    When the Add Software Wizard is complete, the app will be listed in the Managed Software node in the Software workspace.

Screenshot shows Apps is chosen from the side menu. It shows Apps status, Volume-purchased Apps status, Add Apps link in tasks section and View detected software report link in reports section.

Figure 6.19 The Add Apps link

Image described by surrounding text.

Figure 6.20 Install the Intune Software Publisher

Once an application is uploaded to Intune, the next step would be to deploy the application to your users. To deploy the application to the users, you assign the application to the created Windows Intune groups. While in the Windows Intune portal, you would click the Apps link and then choose the app for deployment. The following steps describe how to deploy the application:

  1. Open the Microsoft Intune administrator console and click the Apps link.
  2. Select the application that you want to deploy, and then click the Manage Deployment link.
  3. Choose the user or device groups that you want to deploy the application to.
  4. On the Deployment Action page, configure for approval (Required, Available, Not Applicable, or Uninstall) or deadline (when the application must be installed).
  5. If the application that you are deploying has the ability to be configured by a mobile application management policy, then the Mobile App Management page will be displayed. On this page an administrator can choose the mobile application management policy that they want with this application.
  6. If the application that you are deploying has the ability to be configured by a VPN profile, then the VPN Profile page will be displayed. Here is where you can choose the iOS apps with the VPN profile.

After the application is set up and ready for deployment, an administrator can always go back into the application properties and make changes. To view the properties of an application, click the app and choose the View Properties link. There are three tabs for the software properties.

General The General tab allows an administrator to see the applications general information and its installation status.

Devices The Device tab allows an administrator to see the devices that have successfully installed the application.

Users The Users tab allows an administrator to see the users that have successfully installed the application.

Deep-Link Applications by Using Microsoft Intune

One of the nice advantages of using Windows 10 is that you can purchase Windows store applications. After you purchase the applications, you can deploy the Windows Store application (deep-link) to all of your users.

Supporting Broadband Connectivity

Administrators have a few weapons in their broadband arsenal. Two different options that we can set up as administrators are the ability to see how much network or software bandwidth is being used (metering) and how we can set up our Windows 10 devices to use our cellular Internet connections (tethering).

Understanding Metering

Administrators have the ability to limit and monitor network usage by configuring the network as a metered network. Network metering allows network downloading to be watched or metered, and then administrators can charge users or departments for the network usage.

This is becoming something that many IT departments have started doing due to budgeting. Many IT departments are non-revenue-generating departments, and because of this, it can be difficult for an IT administrator to get a budget passed. But with network metering, you can charge other departments for the amount of bandwidth and network that is being used.

When setting up your company’s Internet connection, your ISP has the ability to charge by the amount of data used. That’s called a metered Internet connection. If you have a metered Internet connection, setting your network connection to metered in Windows can help you reduce the amount of data you send and receive. To set this up in Windows, you would take the following steps:

  1. Click Start ➢ Settings, and then tap Network & Internet.
  2. Tap or click the Wi-Fi link and then, under Metered Connection, turn the Set As a Metered Connection option on or off.

Administrators also have the ability to limit how much bandwidth a user or department gets to use when downloading applications. This is referred to as software metering.

To set up software metering, an administrator must use a combination of Microsoft Windows Intune and System Center Configuration Monitor.

Understanding Broadband Tethering

Tethering allows a user to use their Windows 10 mobile device through their cellular phone. If you have a Windows 10 mobile device and want it to access the Internet, you can go through your cell coverage to get online.

Tethering can also be connecting one mobile device to another mobile device for Internet access. For example, let’s say I have an iPad with cellular Internet connection. I can connect another Windows 10 tablet to that iPad to gain Internet access. So tethering is the ability to connect one device to another for Internet access. Before you set up tethering, here are a few things that you should know:

  • There may be extra charges when connecting your data connection with another device.
  • Applications and updates may not be downloaded over a metered connection, and by default, tethered and mobile broadband connections are metered.
  • Many cellular carriers require that you pay an extra fee for allowing your phone to be a hotspot for tethering. To enable tethering on most devices, you set up your mobile device as an Internet hotspot.

Understanding Data Synchronization

Data synchronization allows you to synchronize your devices with your servers. These servers can be network-based or cloud-based. Administrators have the ability to synchronize work folders, and they can also use the Sync Center to use one application for all of their synchronization needs.

To enable synchronization on the Windows 10 device, click the Start button and choose Settings. When you are in the Settings window, click the Accounts link to set up your user accounts and synchronization (see Figure 6.21).

Image described by surrounding text.

Figure 6.21 Data synchronization

Once you enter into the Accounts link, you can choose the bottom option (Sync Your Settings) to set up all of your synchronization settings (see Figure 6.22).

Image described by surrounding text.

Figure 6.22 Sync Your Settings

One of the final things that you want to look at in the Accounts link is the Work Access link. The Work Access link allows you to connect your device to your work or school, sign in to Azure, and enroll in device management (see Figure 6.23).

Image described by surrounding text.

Figure 6.23

Understanding Updates

Deploying updates can be a very difficult process for many organizations. Depending on the number of users that you have and the number of applications that each user uses, updates can be a very time-consuming process.

Many organizations install a Microsoft server called Windows Server Update Services (WSUS). WSUS servers allow administrators to deploy Microsoft product updates to computers that are running the Windows operating system. Administrators can manage all of their organization’s Microsoft updates from one application.

The downside to WSUS is that it is used for Microsoft updates. So you can deploy updates to all of your applications, Microsoft and Non-Microsoft, by using the Intune management portal.

Deploying Software Updates Using Intune

When you decide to use Intune to deploy your updates, you get a lot of options that you get to consider and set up. For example, do you want to approve all of your updates or do you want the updates to automatically deploy? Many administrators like to approve all of their updates so that they have a chance to test them first before deploying.

As updates become available from Microsoft or from any third-party software vendor that your company is using, a notification will be displayed on the Overview page of the Updates workspace (see Figure 6.24).

Image described by surrounding text.

Figure 6.24 Overview of update types

Once an administrator sees these notifications, they can click the notification link and view the information about the update. After viewing the update information, the administrator can then decide if they want to approve or deny the update.

If you have been in the IT industry long enough, you have run into the situation when you did a software update and then the software stopped performing properly. Now, with the ability to test and approve updates in Intune, you can solve this issue. You can guarantee that the update will work as needed or deny the update from being deployed.

This is just one of the options that you have when using Intune updates. Let’s take a look at some of the other settings that you need to plan out before setting up your Intune updates.

Identifying Required Updates

When you decide to use Intune for updates, you need to decide which type of updates that you want to install. Administrators have the ability to choose what type of updates they want to install.

All Updates The All Updates section means just that, all updates. Every possible update that can be deployed will be shown under the All Updates section.

Critical Updates Critical updates are updates that are released to fix a specific issue that is for a critical bug that is not security related.

Security Updates Security updates are updates that need to be applied to fix a security issue. These security issues are used by hackers to either hack into a device or software.

Definition Updates Definition updates are normally software updates that contain additions to a product’s definition database. Definition databases get used to identify objects that have very specific attributes. These attributes look for malicious code, phishing websites, or junk mail.

Service Packs Service packs are a collective set of all current hotfixes, security updates, critical updates, and updates. Normally service packs also contain additional fixes for known issues that are found since the release of the product. Service packs may also contain customer requested design changes or features.

Update Rollups Update rollup updates are current hotfixes, security updates, critical updates, and updates that are bundled together for easy deployment. Update rollups are normally used to target a specific component or software package.

Mandatory Updates Mandatory updates are updates that are released to either fix or replace a software or hardware issue. Mandatory updates are required to run or the device or Windows system may stop functioning properly.

Non-Microsoft Updates Non-Microsoft updates are updates for third-party software and hardware devices. These are updates that other vendors release for solving problems or improving their product.

Approving or Declining Updates

One of the best advantages to using any update service is the ability to either approve or deny updates. Plus, having the ability to approve updates gives you the ability to test the updates first.

In today’s virtualization world testing updates can be easier than before. It’s easy to set up a virtual server just for update testing without spending thousands of dollars on new hardware. Let’s take a look at the steps necessary to approve or deny updates:

  1. Open the Microsoft Intune administration console. Then click the Updates link ➢ Overview ➢ New to approve.
  2. Select any of the updates and then look at the update description at the bottom of the page. Once you know you want to approve the update, click the Approve link on the top of the page. If you want to approve multiple updates at the same time, hold down the Ctrl key as you select each update and then click Approve.
  3. On the Select Groups page, select which group you want to deploy the updates to and then click the Add button. Once you done choosing your groups, click Next.
  4. On the Deployment Action page, you have two options to choose from. You can either approve or deny the update.
    • Under the Approval list, Administrators can choose to do the following:
      • Required Install—Installs the update on the computers that were chosen in the specified group.
      • Do Not Install—Allows you to use update reporting but the update is not installed.
      • Available Install—The user has the ability to choose if they want the update to install from the Company Portal.
      • Uninstall—Removes the update from the computers in the listed group.
    • Under the Deadline list, administrators can choose to do the following:
      • None—This choice sets no deadline for the installation of the update, and users can choose to install or ignore the update as long as the update remains in the list.
      • As Soon As Possible—This choice forces the update to be installed on the computers at the next possible opportunity.
      • Custom—This choice allows administrators to specify the date and time that approved updates will be installed.
      • One Week, Two Weeks, One Month—This choice forces the update to install within the specified time period.
  5. Click Finish to save the settings.
  6. You can check the details pane at the bottom of the All Updates page for information about the updates.

Configuring Automatic Approval

Another option that administrators can set is the ability to automatically configure updates for automatic approvals. To set this up, administrators would complete the following steps:

  1. Open the Microsoft Intune administration console. Then click the Configure Updates link.
  2. In the Automatic Approval Rules section (see Figure 6.25) under the Server Settings: Updates page, click the New button.
  3. On the General page, type in the approval rule name and optional description. Click Next.
  4. On the Product Categories page, select the products for which you want to have automatic updates. Click Next.
  5. On the Update Classifications page, choose the update classifications that have automatic approval. Click Next.
  6. On the Deployment page, choose the devices that these automatic approvals will apply to and click Add. Click Next.
  7. On the Summary page, review your settings and then click the Finish button.
Image described by surrounding text.

Figure 6.25 Automatic Approval Rules

Deploying Third-Party Updates

Microsoft Intune has one advantage over using other types of update servers (like WSUS) because Intune can also update third-party non-Microsoft updates. This is very useful when deploying applications like virus protection. The virus list constantly needs to be updated, and Intune can help administrators achieve this.

To deploy software updates to non-Microsoft vendors, you would use the Upload Update Wizard. The Upload Update Wizard helps an administrator get their updates into the cloud storage space. After they are uploaded, administrators can then approve or deny the updates to specific groups. To launch the Upload Update wizard, you would click the Add Updates link (see Figure 6.26).

Image described by surrounding text.

Figure 6.26 Add Updates link

Using the Intune Reports

One of the best tools that Microsoft Intune offers is the ability to obtain all of the different types of reports. The Intune reports help an administrator monitor the status of their enrolled devices and see if there are any issues that need to be addressed. The reports also allow an administrator to examine both the hardware and software inventory.

To access the many different reports available in Intune, you open the Intune Management Console and click the Reports link on the left side (shown in Figure 6.27).

Image described by surrounding text.

Figure 6.27 Reports link

The following descriptions are of just some of the reports that you can run as an administrator to get information about your updates and about your hardware.

Update Report Running this report allows administrators to see the software updates that were successfully installed on computers in your organization along with information about updates that failed, are pending, or are needed.

Detected Software Report This report allows administrators to see what software was installed on the computers throughout your organization. This report also includes the software version that was installed. Administrators have the ability to filter the information and display only specific software publishers and specific software categories. Administrators can also get more details by clicking the directional arrow next to the list item.

Computer Inventory Report Running this report will help administrators get detailed information about the managed computers in the organization. Administrators can use this report for planning hardware purchases and also to get a better understanding about the hardware needs of the users in your organization.

Mobile Device Inventory Report Administrators can use this report to gather information about the mobile devices in their organization. Administrators have the ability to filter the information that is displayed. Some of this information includes the groups the device belongs to and the operating system that is running on the device.

License Purchase Report This report allows an administrator to see the software titles for all licensed software in selected license groups. License reports are not an exact list of software that is being used or proof of the software compliance. The report is used by administrators as a tool to help you make licensing decisions for your organization.

License Installation Report Administrators can use this report to compare installed software with your current license agreement coverage.

Terms and Conditions Report This report allows administrators to see whether users have accepted the terms and conditions that you deployed and which version they accepted.

Noncompliant Apps Report Administrators can use this report to see information about users who have applications installed that are on your lists of compliant and noncompliant apps.

Certificate Compliance Report This report allows you to see which certificates have been installed to users and devices through the Network Device Enrollment Service (NDES). NDES allows hardware, like routers, to be able to receive a certificate even though the router can’t request a certificate.

Device History Report Administrators can use this report to see a historical log of retired, wiped, and delete actions that have been performed. Administrators use this report to see who initiated actions on devices in the past.

Mac OS X Report This report is run to show you the Mac OS X groups and what software and hardware that they run. This report allows administrators to watch the Apple devices enrolled into the Intune cloud system.

Summary

In this chapter, we talked about the cloud and Microsoft Intune. I showed you how Microsoft Intune can help you manage devices and software. I showed you how to set up and configure an Intune subscription and how you can use that subscription to help your network users get the most out of their network resources and software.

I also talked about managing devices using Intune. I showed you how to provision user accounts and enroll devices. I also discussed how to manage and configure devices using the Microsoft Intune subscription.

I then continued the chapter by discussing how to deploy and configure software and updates using Intune. I showed you how to use the In-Console monitoring tool and how to approve and decline updates.

I then talked about how to work with mobile devices including Windows tablets, broadband metering, and tethering, and I also showed you how to wipe mobile devices for employees who leave the company. I then showed you how to use Intune to help deploy and maintain your company’s software packages and updates.

Finally, we looked at the different types of reports that an administrator can run using Intune. These reports can help you see what devices still need updates and also what hardware may need to be installed or replaced.

Video Resources

There are no videos for this chapter.

Exam Essentials

Understand Microsoft Intune. Understand what Microsoft Intune can do to help your network. Make sure you understand how users and devices get connected to Intune.

Know how to configure a Microsoft Intune Subscription. Understand how to set up and manage a Microsoft Intune Subscription. Understand how to configure a device to use Microsoft Intune.

Understand the Microsoft Intune benefits. Understand what Microsoft Intune benefits can be used in a corporate environment. Understand how these benefits, like remote wipe, can help you protect corporate data.

Understand the Azure Active Directory (AD) Connect tool. Understand that Administrators can connect their cloud-based version of Active Directory (Azure Active Directory) with their on-premise server-based version of Active Directory by using the Azure Active Directory (AD) Connect tool.

Understand Intune Connectors. Understand Microsoft Intune Connectors allow Microsoft Intune to work with software within a network. The connector allows the cloud-based software to communicate properly with the infrastructure based software.

Understand Intune Alerts. Understand each type of Intune alerts and which alerts are important to fix immediately or which alerts just are giving you information. Understand how to set up notifications for each alert type.

Know how to work with Intune Reports. Understand that the different reports help an administrator monitor the status of Intune managed devices. These reports give you information on the status of software updates, software installed, and certificate compliance. Understand how reports also let you examine the inventory of your network’s hardware and software.

Review Questions

  1. You are the network administrator for your organization. Your users use both desktops and tablets to access the network. Your tablet users use a 4G mobile broadband Wi-Fi connection. You need to watch how much data your users are using on this connection. How do you do that?

    1. Configure the broadband connection as a metered network.
    2. Turn on network resource monitoring.
    3. Enable performance monitor.
    4. Enable tablet metering in the tablets settings.

  2. You are the network administrator for a company that has a Microsoft Intune subscription. You have decided to set up three Intune Security groups called CorpGroup, NHGroup, and Portsmouth. CorpGroup is a parent group to Portsmouth. Portsmouth has 75 users in the group. You realized that you need to make NHGroup the parent to Portsmouth. What is the first thing that you need to do?

    1. Edit the security properties of CorpGroup.
    2. Edit the security properties of NHGroup.
    3. Remove all 75 users from Portsmouth
    4. Delete Portsmouth and then re-create the Portsmouth group under NHGroup.

  3. You are the IT manager of a large manufacturing company. Sales personnel are allowed to bring their own personal Windows 10 devices to the office. The company allows the sales people to install company software and use their devices to retrieve company mail by using the management infrastructure agent. One of your salespeople reports that their Windows 10 laptop was stolen while at the airport. You need to make sure that no one can steal any of the corporate data or access any corporate emails. Which two actions should you perform? Each correct answer presents part of the solution.

    1. Prevent the computer from connecting to the corporate wireless network.
    2. Remove the computer from the management infrastructure.
    3. Reset the user’s password.
    4. Do a remote wipe on the users laptop.

  4. You are the IT director for a large school system. The school has decided that students can bring in their own devices to do school work with. Your organization uses Microsoft Azure Active Directory and Intune for all of the student’s applications and network authentication. You need to be sure that students that are using IPADs as well as Windows 10 devices have full access. What do you need to do to be sure that all iOS devices can get access?

    1. Add a Student Portal app from the Apple App Store.
    2. Create a device enrollment manager account.
    3. Configure an Intune Service Connector for Exchange.
    4. Import an Apple Push Notification service (APNs) certificate.

  5. You are the administrator for Stormwind Studios. Stormwind has subscribed to Microsoft Intune. All of your client computers are running Windows 10 Enterprise. Users are complaining that they get prompted to restart their systems after mandatory updates. You need to stop the prompts from appearing on the clients Windows 10 systems following their updates. Which Intune policy template should you use?

    1. Microsoft Intune Agent Settings.
    2. Windows Intune Policy Configuration.
    3. Microsoft Intune Security Settings.
    4. You need to create a Custom Windows 10 Policy.

  6. You are the IT Manager for WillPanek.com. The company has an Active Directory domain and a cloud-based Azure Active Directory. The two are synchronized by using the Azure Active Directory Synchronization Tool. The company also uses System Center Configuration Manager. You need to use Configuration Manager to manage devices registered with Intune. What do you need to do to accomplish this? (Choose two.)

    1. Create a new device enrollment manager account in Microsoft Intune.
    2. In Microsoft Intune, configure an Active Directory Connector.
    3. Configure the Microsoft Intune Connector role in Configuration Manager.
    4. Create the Microsoft Intune subscription in Configuration Manager.

  7. You are the administrator of your organization’s Active Directory domain. The owners of the company want to move to the cloud by using Azure Active Directory. You need to be able to have the on-site version of Active Directory work with the cloud-based Azure Active Directory. What do you need to install to make this happen?

    1. The Active Directory (AD) user connector
    2. Azure Active Directory (AD) Connect tool
    3. Microsoft Intune Connection tool
    4. Microsoft Intune single sign-on tool

  8. You are the IT director for large company that has decided to move to the cloud. The company wants to use Azure Active Directory and Microsoft Intune. The company has been looking into this because users have been using multiple devices to get their job done. When your users get added to Intune and get licensed, how many devices can each user add by default?

    1. 3
    2. 4
    3. 5
    4. None. Device Administrators are the only person who can add devices to Intune.

  9. You are the administrator of a company that builds its own applications. You have decided that you want to install a company application to all employees by using the Windows Store. Which term is used to refer to installing corporate apps through the Windows Store?

    1. WS Installations
    2. BranchCache
    3. Image installation
    4. Sideloading

  10. You are the IT Director for Stormwind training studios. Your company has decided to start using Microsoft Intune for all of their software deployments. You want to set up a notification system so that you see all alerts and that you IT Manager only gets notified for Critical alerts. How do you accomplish this? (Choose all that apply.)

    1. Set up all event notifications for the IT Manager in Intune.
    2. Set up all event notifications for the IT Director in Intune.
    3. Set up Critical event notifications for the IT Manager in Intune.
    4. Set up Critical event notifications for the IT Manager in Intune.