Microsoft Endpoint Manager Intune

Microsoft Endpoint Manager helps deliver the modern workplace and modern management to keep your data secure, in the cloud and on-premises. Endpoint Manager includes the services and tools you use to manage and monitor mobile devices, desktop computers, virtual machines, embedded devices, and servers. Endpoint Manager combines services you may know and already be using, including:
1) Microsoft Intune
2) Configuration Manager
3) Desktop Analytics
4) Co-Management
5) Windows Autopilot

1. Microsoft Intune: Intune is a 100% cloud-based mobile device management (MDM) and mobile application management (MAM) provider for your apps and devices. It lets you control features and settings on Android, Android Enterprise, iOS/iPadOS, macOS, and Windows 10 devices. It integrates with other services, including Azure Active Directory (AD), mobile threat defenders, ADMX templates, Win32 and custom LOB apps, and more. As part of Endpoint Manager, use Intune to create and check for compliance, and deploy apps, features, and settings to your devices using the cloud.

2. Configuration Manager: Configuration Manager is an on-premises management solution to manage desktops, servers, and laptops that are on your network or internet-based. You can cloud-enable it to integrate with Intune, Azure Active Directory (AD), Microsoft Defender ATP, and other cloud services. Use Configuration Manager to deploy apps, software updates, and operating systems. You can also monitor compliance, query and act on clients in real time, and much more.

3. Co-management: Co-management combines your existing on-premises Configuration Manager investment with the cloud using Intune and other Microsoft 365 cloud services. You choose whether Configuration Manager or Intune is the management authority for the seven different workload groups. As part of Endpoint Manager, co-management uses cloud features, including conditional access.
You keep some tasks on-premises, while running other tasks in the cloud with Intune.

4. Desktop Analytics: Desktop Analytics is a cloud-based service that integrates with Configuration Manager. It provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows clients. The service combines data from your organization with data aggregated from millions of devices connected to the Microsoft cloud. It provides information on security updates, apps, and devices in your organization, and identifies compatibility issues with apps and drivers. Create a pilot for devices most likely to provide the best insights for assets across your organization. As part of Endpoint Manager, use the cloud-powered insights of Desktop Analytics to keep Windows 10 devices current.

5. Windows Autopilot: Windows Autopilot sets up and pre-configures new devices, getting them ready for use. It's designed to simplify the lifecycle of Windows devices, for both IT and end users, from initial deployment through end of life.

Endpoint Manager admin center: The admin center is a one-stop web site to create policies and manage your devices. It plugs in other key device management services, including groups, security, conditional access, and reporting. This admin center also shows devices managed by Configuration Manager and Intune.

Choose what's right for you
- If you constantly provision new devices, then start with Windows Autopilot.
- If you add rules and control settings for your users, apps, and devices, then start with Intune.
- If you currently use Configuration Manager to deploy apps, and want to use conditional access based on security requirements, then start with co-management.
- If you currently use Configuration Manager and are responsible for keeping Windows 10 devices up-to-date, then start with Desktop Analytics.
- If you're getting started with MDM and MAM, or use ADMX templates to control Office, Microsoft Edge, and Windows settings, then start with Intune.

Think of Endpoint Manager in three parts: Cloud, On-Premises, and Cloud + On-Premises
- Cloud: All data is stored in Azure, and there are no more data centers. This approach gives you the mobility benefits of the cloud, and the security benefits of Azure.
- On-Premises: If you have an on-premises infrastructure that includes Configuration Manager, or aren't ready to use the cloud, then you can keep your existing systems.
- Cloud + On-Premises: Many environments are mixed, and use a cloud-attach approach, meaning they use a combination of cloud and on-premises. For new devices, use the benefits of Intune to access and protect data. If you use Configuration Manager, connect to the cloud for additional functionality and analytics. If you want to move some workloads to the cloud, then co-management is a good option.

Microsoft Intune Capabilities
- Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM).
- You control how your organization's devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to control applications. For example, you can prevent emails from being sent to people outside your organization.
- Intune also allows people in your organization to use their personal devices for school or work. On personal devices, Intune helps make sure your organization data stays protected, and can isolate organization data from personal data.
- Set rules and configure settings on personal and organization-owned devices to access data and networks.
- Deploy and authenticate apps on devices, on-premises and mobile.
- Protect your company information by controlling the way users access and share information.
- Be sure devices and apps are compliant with your security requirements.
- See the devices enrolled, and get an inventory of devices accessing organization resources.
- Configure devices so they meet your security and health standards. For example, you probably want to block jailbroken devices.
- Push certificates to devices so users can easily access your Wi-Fi network, or use a VPN to connect to your network.
- See reports on users and devices that are compliant, and not compliant.
- Remove organization data if a device is lost, stolen, or not used anymore.

Microsoft Intune Capabilities (continued)
- Add and assign mobile apps to user groups and devices, including users in specific groups, devices in specific groups, and more.
- Configure apps to start or run with specific settings enabled, and update existing apps already on the device.
- See reports on which apps are used, and track their usage.
- Do a selective wipe by removing only organization data from apps.
- Use Azure AD identity to isolate organization data from personal data, so personal information is isolated from organizational IT awareness. Data accessed using organization credentials is given additional security protection.
- Help secure access on personal devices by restricting actions users can take, such as copy-and-paste, save, and view.
- App protection policies can be created and deployed on devices that are enrolled in Intune, enrolled in another MDM service, or not enrolled in any MDM service. On enrolled devices, app protection policies can add an extra layer of protection.
- Support a diverse mobile environment and manage iOS/iPadOS, Android, Windows, and macOS devices securely.

Enterprise Mobility Management (EMM)
Microsoft Intune is a cloud-based enterprise mobility management (EMM) service that helps enable your workforce to be productive while keeping your corporate data protected.
Terminology
- Mobile Device Management (MDM)
- Intune app protection policies (APP)
- Azure Active Directory (AAD)
- Microsoft Store for Business (MSfB)
- Mobile App Management (MAM)
- "Bring your own device" (BYOD): Users enroll their personal phones, tablets, or PCs.
- Corporate-owned device (COD): Enable management scenarios like remote wipe, shared devices, or user affinity for a device.

Trials for Office (links):
- http://go.microsoft.com/fwlink/p/?LinkID=510938
- https://go.microsoft.com/fwlink/p/?LinkID=403802
- https://www.airsquirrels.com/reflector
- portal.azure.com

Few Drawbacks to utilizing Intune 100% (table, reconstructed from the slide):
- You can't manage servers with Intune (June 2019).
- Intune requires the entire fleet of PCs to be Windows 10 for update rings.
- Windows 7 will be unsupported in Intune in January 2020.
- For PCs, Intune has no "image" deployment beyond the Autopilot service (Windows 10).

Why Microsoft? (slide listing other vendors: Okta, Salesforce Identity, AirWatch, MobileIron, Adobe LiveCycle, Ping Identity, Symantec, Kaseya, Seclore, Centrify, Good) EMS: One Vendor, One Contract, One SKU.

As of August 14, 2018, hybrid mobile device management is a deprecated feature. Starting with the 1902 Intune service release, expected at the end of February 2018, new customers can't create a new hybrid connection. Therefore, on September 1, 2019, Microsoft will retire the Hybrid MDM service offering.

Comparison between MDM for Office 365 & Microsoft Intune
The following table compares the device and application management capabilities available to you when you use MDM for Office 365 or Intune stand-alone.
| Capability | MDM for Office 365 | Microsoft Intune (Stand-alone) |
|---|---|---|
| Inventory mobile devices that access corporate applications | Yes | Yes |
| Remote factory reset ("full wipe") | Yes | Yes |
| Mobile device configuration settings (PIN length, PIN required, etc.) | Yes | Yes |
| Provides reporting on devices that do not meet IT policy | Yes | Yes |
| Root and jailbreak detection | Yes | Yes |
| Remove Office 365 app data from mobile devices while leaving personal data & apps | Yes | Yes |
| Prevent access to Office 365 corporate email & documents based on device enrollment & compliance | Yes | Yes |
| Application deployment | | Yes |
| Self-service Company Portal for users to enroll their own devices | | Yes |
| Deploy certificate, VPN profiles, Wi-Fi profile & email profile | | Yes |
| Secure access to corporate information using the Office mobile and line-of-business apps & prevent sharing with personal apps | | Yes |
| Remote device lock | | Yes |
| Manage & secure PCs from the cloud with no infrastructure | | Yes |

Note: As of August 14, 2018, hybrid mobile device management is a deprecated feature. Microsoft won't support Intune hybrid by 1 September 2019. In case you have System Center Configuration Manager in your environment, you can use co-management, which allows Windows 10 PCs to be managed with Intune & Configuration Manager at the same time.
Device management in Office 365 today (comparison slide; the per-product Yes/No columns did not survive extraction). Capabilities compared:
- Inventory mobile devices that access corporate applications
- Remote factory reset (full device wipe)
- Mobile device configuration settings (PIN length, PIN required, etc.)
- Self-service password reset (Office 365 cloud-only users)
- Provides reporting on devices that don't meet policy
- Group-based policies and reporting (ability to use groups for targeted device configuration)
- Root cert and jailbreak detection
- Remove Office 365 app data from mobile devices while leaving personal data and apps intact (selective wipe)
- Device enrollment and compliance policies
- Deploy certificates, VPN profiles (including app-specific profiles)
- Prevent cut/copy/paste/save-as of data from corporate apps to personal apps (mobile application management)
- PC management (e.g. inventory, antimalware, patch, policies, etc.)
- OS deployment (via System Center Configuration Manager)
- Single management console for PCs and mobile devices (through integration with System Center Configuration Manager)
- Deployment flexibility

Microsoft Intune
Microsoft Intune is a cloud-based service in the enterprise mobility management (EMM) space that helps enable your workforce to be productive while keeping your corporate data protected. Intune is the component of Microsoft's Enterprise Mobility + Security (EMS) suite that manages mobile devices and apps. It integrates closely with other EMS components like Azure Active Directory (Azure AD) for identity and access control and Azure Information Protection for data protection. When you use it with Office 365, you can enable your workforce to be productive on all their devices, while keeping your organization's information protected.

Business Problems that Intune Helps to Solve

Tenant setup tasks (Intune / Office 365 / EMS):
- Domain verify
- Create users and groups
- Assign licenses
- Create bulk users
- Update UPN for all users
- Sync on-premises AD with Azure AD

Microsoft Intune: Intune Device Management and Intune App Management

Intune Device Management:
- Enrolling devices into management so your IT department has an inventory of devices that are accessing corporate services.
- Configuring devices to ensure they meet company security and health standards.
- Providing certificates and Wi-Fi/VPN profiles to access corporate services.
- Reporting on and measuring device compliance to corporate standards.
- Removing corporate data from managed devices.

Intune App Management (diagram; headings recovered): configuring mobile app settings used when the app runs, controlling apps, assigning apps to employees, updating apps, removing apps, reporting on mobile app usage, and tracking mobile app inventory.
- App protection policy (PIN, encryption, save-as, clipboard, etc.)
- Corporate data wipe from a mobile app
- Rights management support

Managing mobile apps
One way Intune provides mobile app security is through its app protection policy feature. App protection policy uses Azure AD identity to isolate corporate data from personal data. Data that is accessed using corporate credentials will be given additional corporate protections.

Protect App Data: app protection policies can be applied on devices that are:
- Enrolled in Microsoft Intune: These devices are typically corporate owned.
- Enrolled in a third-party mobile device management (MDM) solution: These devices are typically corporate owned.
- Not enrolled in any mobile device management solution: These devices are typically employee owned, and aren't managed or enrolled in Intune or other MDM solutions.

App protection Global policy: Global policy applies to all users in your tenant and has no way to control the policy targeting. By default, there can only be one Global policy per tenant.
Multi-identity: Apps that support multi-identity let you use different accounts (work and personal) to access the same apps, while app protection policies apply only when the apps are used in the work context.

Admin experiences
There are two portals that you might use:
1. The Intune dashboard in Azure (portal.azure.com) is where you can explore the capabilities of Intune. Normally, you'll do your work in the Intune dashboard.
2. The Microsoft 365 admin center (admin.microsoft.com) is where you can add and manage users, if you are not using Azure Active Directory for this. You can also manage other aspects of your account, including billing and support.

Lab steps
1. Try Microsoft Intune for free
2. Set the MDM authority to Intune
3. Configure your custom domain name (Optional)
4. Create a user in Intune and assign them a license
5. Create a group to manage users
6. Create a Dynamic Group and add members
   i. Verify from Office portal, Intune, and AAD
7. Set up automatic enrollment for Windows 10 devices
8. Create a device compliance policy
9. Add the machine to AAD and wait for 2 mins to check the compliance and enrollment of the device in the portal
10. Quickstart: Send notificat…
11. Action for noncom…
Add and assign a …

Activate Enterprise Mobility + Security E5 trial
- Enterprise Mobility + Security E5 provides a comprehensive solution enabling you to effectively manage devices, identity and access in your organization. The suite includes Microsoft Intune, as well as Azure AD Premium P2 and Azure Rights Management.
- The trial includes 250 licenses and will be active for 90 days beginning on the activation date.
- If you wish to upgrade to a paid version, you will need to purchase Enterprise Mobility + Security E5 or its individual components.
- Enterprise Mobility + Security E5 is licensed separately from Azure services.

Set the Mobile Device Management Authority (screenshot of the Mobile Device Management Authority dialog: choose Intune as your MDM authority to manage mobile devices with Microsoft Intune, or choose Configuration Manager as your MDM authority to manage mobile devices with System Center Configuration Manager; mobile devices cannot be managed if an MDM authority is not chosen).

Device Enrollment
Intune lets you manage your workforce's devices and apps and how they access your company data. To use this mobile device management (MDM), the devices must first be enrolled in the Intune service. When a device is enrolled, it is issued an MDM certificate. This certificate is used to communicate with the Intune service. By default, devices for all platforms are allowed to enroll in Intune. However, you can restrict devices by platform:
- Maximum number of enrolled devices.
- Device platforms that can enroll: Android, Android work profile, iOS, macOS, Windows, Windows Mobile.
- Platform operating system version for iOS, Android, Android work profile, Windows, and Windows Mobile (only Windows 10 versions can be used; leave this blank if Windows 8.1 is allowed):
  - Minimum version.
  - Maximum version.
- Restrict personally owned devices (iOS, Android, Android work profile, macOS, Windows, and Windows Mobile only).

Categorize devices into groups: I will be explaining this once we have a few devices in the console.

Automate email and add actions for noncompliant devices in Intune

Android deployment scenarios with Intune: BYOD

Why Intune App Protection for Mobile Devices
- Independent of Mobile Device Management
- Protecting Data at App Level
- End User Productivity not Affected
- Separate Work from Private

What is Conditional Access?
GATHER AUTOPILOT DEVICE DATA

Device Serial Number:
    wmic bios get serialnumber

Windows Product ID:
    Get-ItemPropertyValue "hklm:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DefaultProductKey\" "ProductId"

Hardware Hash (read through the MDM bridge WMI provider and saved to a text file named after the computer):
    $wmi = Get-WMIObject -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    $wmi.DeviceHardwareData | Out-File "$($env:COMPUTERNAME).txt"

Collect the hardware hash with the Get-WindowsAutoPilotInfo script (run from an elevated PowerShell prompt):
    # Create a working folder and move into it
    md c:\HWID
    Set-Location c:\HWID
    # Allow the downloaded script to run in this session only
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted
    # Install the script from the PowerShell Gallery, then export the hash to CSV
    Install-Script -Name Get-WindowsAutoPilotInfo
    Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv

Windows Autopilot flow (diagram): the IT admin configures an Autopilot profile; the hardware vendor delivers the device direct to the employee; the employee unboxes the device, which self-deploys.
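As an added example (not from the slides or from Microsoft's Get-WindowsAutoPilotInfo script), the following PowerShell combines the three values gathered above into a single Autopilot import row, and refuses to write the CSV when the serial or hardware hash is missing or malformed, which is what happens when the MDM bridge provider is queried from a non-elevated shell. The column names are the ones the Autopilot device import uses; the output file name is an assumption.

```powershell
# Added example: build an Autopilot import CSV from serial, product ID and hardware hash.
# Assumes an elevated PowerShell session on the Windows 10 device itself.
param(
    [string]$OutputFile = "$env:COMPUTERNAME-autopilot.csv"   # assumed output path
)

# Serial number via CIM (same data as "wmic bios get serialnumber").
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

# Windows Product ID from the registry; may be absent on some images, so do not fail on it.
$productId = Get-ItemPropertyValue `
    -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DefaultProductKey' `
    -Name 'ProductId' -ErrorAction SilentlyContinue

# Hardware hash via the MDM bridge WMI provider (needs an elevated session).
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
    -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'" -ErrorAction Stop
$hash = $devDetail.DeviceHardwareData

# Validate before writing: an import row with an empty serial or hash is useless,
# so fail here with a clear reason instead of producing a CSV that is rejected later.
if ([string]::IsNullOrWhiteSpace($serial)) {
    throw 'BIOS serial number not found.'
}
if ([string]::IsNullOrWhiteSpace($hash)) {
    throw 'Hardware hash is empty; re-run from an elevated PowerShell on a Windows 10 device.'
}
try {
    [void][Convert]::FromBase64String($hash)   # the hash is a Base64 blob
} catch {
    throw 'Hardware hash is not valid Base64.'
}

# Emit one row with the Autopilot import header, without quoted fields.
$row = [PSCustomObject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = $productId
    'Hardware Hash'        = $hash
}
$csvLines = $row | ConvertTo-Csv -NoTypeInformation | ForEach-Object { $_ -replace '"', '' }
Set-Content -Path $OutputFile -Value $csvLines -Encoding ASCII
Write-Output "Wrote $OutputFile ($serial)"
```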
