0 Votes
tommysoo-0984 asked LuDaiMSFT-0289 commented

Need help clarifying Intune for MDM

Hi,

I am currently working on setting up Intune as our MDM solution for both our iOS and Android devices and would like to get some help / clarification on the setup and configuration of Intune. I know that there is a lot more than just MDM in Intune; however, this is what we are going with at the moment. Licensing-wise, all our users are on M365 E3, so using Intune is kind of a no-brainer since it's part of the package :)

The MDM model we are going with is COPE. The design is quite straightforward:

  1. Enroll iOS and Android devices in Intune

  2. Manage devices via Compliance and Configuration policies

  3. Ensure iOS devices are kept up to date via Update policies for iOS/iPadOS

  4. Manage apps via App protection policies and App configuration policies

My questions are as below:

  1. Group assignments for device policies - do you target the user group or the device group? Currently I have both the user and device group targeted.

  2. Group assignments for app policies - do you target the user group or the device group? Currently I have both the user and device group targeted.

  3. App configuration policies - some apps like M$ Authenticator and OneDrive have very different types of configuration options available compared to Outlook, for example. Authenticator uses a configuration key while OneDrive uses a Name and Value configuration setting, and I have no clue what to enter.

  4. App updates - how are managed iOS apps updated? Is it automatic?

  5. The current enrollment is targeted to only company-owned devices; however, we may look at a BYOD model for users who don't have a company-owned device. What do I need to do to achieve this?

These are the items I need help clarifying for now, but I will definitely post more once I hit a roadblock.

Thanks again for your time and I hope to hear from someone soon.

Kind Regards :)

Tags: mem-intune-general, mem-intune-device-configurations, mem-intune-application-management

0 Votes
NickHogarth-MVP answered

For questions 1 and 2, see https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-assign#user-groups-vs-device-groups

For question 5 - you can look at using app protection policies: https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy . If you did want to limit access to only Intune-enrolled devices, you can use Conditional Access to require compliant devices.

0 Votes
LuDaiMSFT-0289 answered LuDaiMSFT-0289 commented

@tommysoo-0984 Thanks for posting in our Q&A.

For these questions, I will share some information with you.
1. Device policies can be assigned to user groups or device groups. When the policy is assigned to device groups, the devices in those groups apply the policy. When the policy is assigned to user groups, the policy is applied to all the devices that these users log in to.

2. For app policy, it is similar to device policy. However, an app protection policy needs to be assigned to user groups. If it is assigned to device groups, it will not work.

3. For the App configuration policy for OneDrive, the configuration key is provided by the app vendor. So, it is suggested to contact OneDrive support for more accurate help:
https://support.microsoft.com/en-us/onedrive

4. For iOS app updates, the update process is different for different types of apps.
For volume-purchased iOS apps, we can configure the "Automatic app updates" setting to enable automatic updates.
https://docs.microsoft.com/en-us/mem/intune/apps/vpp-apps-ios#upload-an-apple-vpp-or-apple-business-manager-location-token
For line-of-business apps, an update package file needs to be deployed.
https://docs.microsoft.com/en-us/mem/intune/apps/lob-apps-ios#step-5-update-a-line-of-business-app
For other iOS apps, updates are handled automatically by the apps themselves and are not controlled by Intune. The following article describes the app types in Intune.
https://docs.microsoft.com/en-us/mem/intune/apps/apps-add#app-types-in-microsoft-intune

5. For BYOD enrollment, the steps are easy.
Step 1: Make sure the iOS device is on a supported OS:
https://docs.microsoft.com/en-us/mem/intune/fundamentals/supported-devices-browsers#apple
Step 2: Get an Apple MDM push certificate:
https://docs.microsoft.com/en-us/mem/intune/enrollment/apple-mdm-push-certificate-get
Step 3: Enroll the iOS device. We can refer to the video in the following article:
https://docs.microsoft.com/en-us/mem/intune/user-help/enroll-your-device-in-intune-ios

Hope the above information will help.

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related e-mail notifications for this thread.
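The device-group pitfall in point 2 above (an app protection policy assigned to a group that holds only devices silently applies to nobody) can be audited from the Microsoft Graph PowerShell SDK. This is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph SDK is installed and the listed scopes are granted, the beta endpoint and property names are real Graph ones, and the `Check` labels are my own.

```powershell
# Added example (not from the thread): find iOS app protection policies whose
# assignment targets a group with no user members, which Intune will never apply.
# Assumes: Microsoft.Graph SDK installed; an account able to consent to these scopes.
Connect-MgGraph -Scopes 'DeviceManagementApps.Read.All', 'GroupMember.Read.All'

# The beta endpoint supports $expand=assignments on managed app protection policies.
$uri = 'https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections?$expand=assignments'
$policies = (Invoke-MgGraphRequest -Method GET -Uri $uri).value

foreach ($policy in $policies) {
    if (-not $policy.assignments -or $policy.assignments.Count -eq 0) {
        Write-Warning "'$($policy.displayName)' has no assignments; it applies to nobody."
        continue
    }
    foreach ($assignment in $policy.assignments) {
        $target = $assignment.target
        # Exclusion targets cannot cause the "does not apply" symptom; skip them.
        if ($target['@odata.type'] -like '*exclusionGroupAssignmentTarget') { continue }
        # allUsers / allDevices targets carry no groupId; only group targets are checked.
        if (-not $target.groupId) { continue }

        $members = Get-MgGroupMember -GroupId $target.groupId -All
        $types   = $members | ForEach-Object { $_.AdditionalProperties['@odata.type'] }
        $users   = @($types | Where-Object { $_ -eq '#microsoft.graph.user' }).Count
        $devices = @($types | Where-Object { $_ -eq '#microsoft.graph.device' }).Count

        # Labels are this example's own; a device-only group is the misconfiguration
        # the answer above warns about (app protection policies are user-scoped).
        $check = if ($users -eq 0 -and $devices -gt 0) { 'DEVICE-ONLY GROUP: policy will not apply' }
                 elseif ($users -eq 0)                 { 'EMPTY GROUP' }
                 else                                  { 'ok' }

        [pscustomobject]@{
            Policy  = $policy.displayName
            GroupId = $target.groupId
            Users   = $users
            Devices = $devices
            Check   = $check
        }
    }
}
```

Pipe the output to `Format-Table` or `Export-Csv` for a review list; nested groups are counted as `#microsoft.graph.group` members and are not expanded here, so a policy targeting a group of groups needs a manual look.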

Thanks for your response LuDai

Can I ask a bit more about app protection?
If you look at the screenshot below, I have configured Outlook to require a passcode to access the app.
The app is targeted to a user group; however, there is no change at all, meaning when Outlook is installed via the Company Portal, the access requirement is not getting applied.
How can I tell if this policy is actually being applied? Also, what is this user check-in screen?

[Screenshot: outlook.png]

[Screenshot: user-checkin.png]

Thanks again for your time :)

0 Votes

@tommysoo-0984 For this iOS app protection policy issue, it is suggested to try the following actions:
1. Please enter a small number (like 1 minute) in the setting "Recheck the access requirements after (minutes of inactivity)". The minutes will affect the effective time of the policy.

2. Please select the user that you assigned the policy to and check the app protection status in Troubleshooting + support > Troubleshoot > Change user.
[Screenshot: image.png]

If there is any update, feel free to let us know.

1 Vote

@tommysoo-0984 I am currently standing by for further update from you and would like to know how things are going. If you have any questions or concerns on the recent information I've provided you, please don't hesitate to let me know.

1 Vote