Deployment guide: Setup or move to Microsoft Intune

This deployment guide includes information for moving to Intune, or for adopting Intune as your MDM and MAM solution.

In this guide, you sign up for Intune, add your domain name, configure Intune as the MDM authority, and more. Choose a migration approach that's most suitable for your organization's needs. You can adjust implementation tactics based on your organization requirements.

Tip

This guide is a living thing. So, be sure to add or update existing tips and guidance you've found helpful.

Prerequisites

Currently don't use anything

If you currently don't use any MDM or MAM provider, then you have some options:

To help you decide, see choose a device management solution.

Currently use a third party MDM provider

Devices should only have one MDM provider. If you use another MDM provider, such as AirWatch, MobileIron, or MaaS360, then you can move to Intune. The biggest challenge is that users must unenroll their devices from the current MDM provider, and then enroll them in Intune.

Important

Don't configure both Intune and your existing third party MDM solution to apply access controls to resources, including Exchange or SharePoint Online.

Recommendations:

  • If you're moving from a partner MDM/MAM provider, then note the tasks you're running and the features you use. This information gives you an idea of what to do, or where to get started in Intune.

  • When devices are unenrolled, they stop receiving your policies, including the policies that protect them. They're vulnerable until they enroll in Intune. We recommend using conditional access to block unenrolled devices from company resources until they enroll in Intune.

    Be sure you have specific unenroll and enroll steps. Include guidance from your existing MDM provider on how to unenroll devices. Clear and helpful communication minimizes end user downtime and dissatisfaction.

  • Use a phased approach. Start with a small group of pilot users, and add more groups until you reach full scale deployment.

  • Monitor the helpdesk load and enrollment success of each phase. Leave time in the schedule to evaluate success criteria for each group before migrating the next group. Your pilot deployment should validate the following tasks:

    • Enrollment success and failure rates are within your expectations.

    • User productivity:

      • Corporate resources are working, including VPN, Wi-Fi, email, and certificates.
      • Deployed apps are accessible.
    • Data security:

      • Review compliance reports, and look for common issues and trends. Communicate issues, resolutions, and trends with your help desk.
      • Mobile app protections are applied.
  • When you're satisfied with the first phase of migrations, repeat the migration cycle for the next phase.

    • Repeat the phased cycles until all users are migrated to Intune.
    • Confirm the helpdesk is ready to support end users throughout the migration. Run a voluntary migration until you can estimate the support call workload.
    • Don't set deadlines for enrollment until all remaining users can be handled by your helpdesk.
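The conditional access recommendation above, as an added example that is not part of the original guide: a Microsoft Graph PowerShell script that creates a Conditional Access policy requiring a compliant (Intune-enrolled and compliant) device for the pilot users' access to Office 365. The policy is created in report-only mode first so you can confirm in the sign-in logs which devices would be blocked before enforcing it. The group ID, policy name and the choice to scope it to Office 365 are placeholders and assumptions, not values from the guide.

```powershell
# Added example (not from the Microsoft guide): block devices that are not enrolled and compliant
# in Intune by requiring a compliant device in Conditional Access. Uses the Microsoft Graph
# PowerShell SDK (Microsoft.Graph.Identity.SignIns module). All IDs and names are placeholders.

# Permission needed to create Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$pilotGroupId     = "<object-id-of-pilot-migration-group>"   # placeholder: scope to the current migration phase
$breakGlassGroup  = "<object-id-of-emergency-access-group>"  # placeholder: always exclude emergency access accounts

$policy = @{
    displayName = "MDM migration - require compliant device for Office 365"
    # Start in report-only mode; switch to "enabled" after reviewing the sign-in logs for the pilot group.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            excludeGroups = @($breakGlassGroup)
        }
        # "Office365" is the built-in app group covering Exchange Online and SharePoint Online.
        applications = @{ includeApplications = @("Office365") }
        # Limit to the platforms Intune will manage; unknown platforms are left to other policies.
        platforms    = @{ includePlatforms = @("android", "iOS", "windows", "macOS") }
    }
    # Grant access only when the device is marked compliant by Intune, i.e. enrolled and passing compliance.
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"
```

Keep the policy in report-only mode until the pilot group has enrolled; switching it to enforced while devices are still unenrolled from the old provider is exactly the lockout the phased approach is meant to avoid, and the emergency access exclusion must stay in place for every phase.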

For enrollment guidance, see the Intune enrollment deployment guide.

Next, deploy Intune (in this article).

Currently use Configuration Manager

Configuration Manager supports Windows and macOS devices, and Windows Servers. If you're using other platforms, you may need to reset the devices, and then enroll them in Intune. Once enrolled, they'll receive the policies and profiles you create. For more information, see the Intune enrollment deployment guide.

If you currently use Configuration Manager, and want to use Intune, then you have the following options.

Option 1: Add tenant attach

Tenant attach allows you to upload your Configuration Manager devices to your organization in Intune, also known as a "tenant". After you attach your devices, you use the Microsoft Endpoint Manager admin center to run remote actions, such as sync machine and user policy. You can also see your on-premises servers, and get OS information.

Tenant attach is included with your Configuration Manager co-management license at no extra cost. It's the easiest way to integrate the cloud (Intune) with your on-premises Configuration Manager setup.

For more information, see enable tenant attach.

Option 2: Set up co-management

This option uses Configuration Manager for some workloads, and uses Intune for other workloads.

  1. In Configuration Manager, set up co-management.
  2. Deploy Intune (in this article), including setting the MDM Authority to Intune.

Next, devices are ready to be enrolled, and receive your policies.

Helpful information:

Option 3: Move from Configuration Manager to Intune

This scenario is rare. Most existing Configuration Manager customers want to keep using Configuration Manager. Microsoft wants you to continue using Configuration Manager. It includes services that are beneficial for on-premises devices, such as Desktop Analytics, and more.

These steps are an overview, and are only included for those users who want a 100% cloud solution. With this option, you:

  • Register existing on-premises Active Directory Windows 10 devices as devices in Azure Active Directory (AD).
  • Move your existing on-premises Configuration Manager workloads to Intune.

This option is more work for administrators, but can create a more seamless experience for existing Windows 10 devices. For new Windows 10 devices, it's recommended to start from scratch with Microsoft 365 and Intune (in this article).

  1. Set up hybrid Active Directory and Azure AD for your devices. Hybrid Azure AD joined devices are joined to your on-premises Active Directory, and registered with your Azure AD. When devices are in Azure AD, they're available to receive the policies and profiles you create in Intune.

    Hybrid Azure AD join supports Windows devices only. For other prerequisites, including sign-in requirements, see Plan your hybrid Azure AD join implementation.

  2. In Configuration Manager, set up co-management.

  3. Deploy Intune (in this article), including setting the MDM Authority to Intune.

  4. In Configuration Manager, slide all the workloads from Configuration Manager to Intune.

  5. On the devices, uninstall the Configuration Manager client. For more information, see uninstall the client.

    Once Intune is set up, you can create an Intune app configuration policy that uninstalls the Configuration Manager client. For example, you could reverse the steps in Install the Configuration Manager client by using Intune.

Next, devices are ready to be enrolled, and receive your policies.

Important

Hybrid Azure AD supports only Windows devices. Configuration Manager supports Windows and macOS devices. For macOS devices managed in Configuration Manager, you can:

  1. Uninstall the Configuration Manager client. When you uninstall it, the devices stop receiving your policies, including the policies that protect them. They're vulnerable until they enroll in Intune.
  2. Enroll the devices in Intune to receive policies.

To help minimize the unprotected window, move macOS devices only after Intune is set up and your enrollment policies are ready to be deployed.

Option 4: Start from scratch with Microsoft 365 and Intune

This option applies to Windows 10 and newer devices. If you use Windows Server OSs, such as Windows Server 2016, then don't use this option. Use Configuration Manager.

  1. Deploy Microsoft 365, including creating users and groups.

    Helpful links:

  2. Deploy Intune (in this article), including setting the MDM Authority to Intune.

  3. On existing devices, uninstall the Configuration Manager client. For more information, see uninstall the client.

Next, devices are ready to be enrolled, and receive your policies.

Currently use on-premises group policy

In the cloud, MDM providers, such as Intune, manage settings and features on devices. Group policy objects (GPOs) aren't used. When managing devices, Intune device configuration profiles replace on-premises GPOs. These profiles use settings exposed by Apple, Google, and Microsoft. Specifically:

When moving devices from group policy, use Group policy analytics. In Endpoint Manager, you import your GPOs, and see which policies are available (and not available) in Intune.

Next, deploy Intune (in this article).

Deploy Intune

  1. Sign in to the Endpoint Manager admin center, and sign up for Intune. If you have an existing subscription, you can also sign in to it.

    For more information, see Sign up, or sign in to Intune.

  2. Set Intune Standalone as the MDM authority. For more information, see Set the MDM authority.

  3. Add your domain name, such as contoso.com. Otherwise, your-domain.onmicrosoft.com is used automatically as the domain. For example, if you don't add your domain name, then contoso.onmicrosoft.com may be used.

    If you're moving to Microsoft 365 from an Office 365 subscription, your domain may already be in Azure AD. Intune uses the same Azure AD, and can use your existing domain.

    For more information, see Add a custom domain name.

  4. Add users and groups. These users and groups receive the policies you create in Endpoint Manager.

    Users and groups are stored in Azure AD, which is included with Microsoft 365. You may not see the Azure AD branding, but that's what you're using. Azure AD is the backend system that stores users, groups, and devices. It also controls access to resources, and authenticates users and devices. Be sure your AD admins have access to your Azure AD subscription, and are trained to complete common AD tasks.

    If you're moving to Microsoft 365 from an Office 365 subscription, your users and groups are already in Azure AD. Intune uses the same Azure AD, and can use the existing users and groups.

    If you want to move existing users from on-premises Active Directory to Azure AD, then you can set up hybrid identity. Hybrid identities exist in both services - on-premises AD and Azure AD. You can also export Active Directory users using the UI or through script. Do an internet search for your options.

    You can create device groups when you need to run administrative tasks based on the device identity, not the user identity. They're useful for managing devices that don't have dedicated users, such as kiosk devices, devices shared by shift workers, or devices assigned to a specific location. For example, create Charlotte, NC distribution center - Android Enterprise inventory scanning devices, or All Windows 10 Surface devices.

    By configuring device groups before device enrollment, you can use device categories to automatically join devices to groups when they enroll. Then, they receive their group's device policies automatically. For more information, see the Intune enrollment deployment guide.

  5. Assign Intune licenses to your users. When licenses are assigned, users' devices can enroll in Intune.

    For more information, see assign licenses.

  6. By default, all device platforms can enroll in Intune. If you want to prevent specific platforms, then create a restriction.

    For more information, see Create a device type restriction.

  7. Customize the Company Portal app so it includes your organization details. Users use this app to enroll their devices, install apps, and get IT help desk support.

    For more information, see Configure the Company Portal app.

  8. Create your administrative team. Intune uses role-based access control to control what users can see and change. As a global administrator, you can assign roles to users, such as Help Desk operator, Application Manager, Intune Role Administrator, and more.

    For more information, see Role-based access control (RBAC) with Microsoft Intune.
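Steps 4 and 5 above (device groups that populate automatically by device category, and license assignment) can be scripted. The following is an added example, not code from the Microsoft guide: it uses the Microsoft Graph PowerShell SDK to create a dynamic device group whose membership rule keys on the Intune device category, and then assigns an Intune license to a list of pilot users. The group name, category value, user list and the SKU part number are placeholders and assumptions; verify the SKU with Get-MgSubscribedSku in your tenant.

```powershell
# Added example (not from the Microsoft guide): create a dynamic device group driven by device
# category, then license pilot users, using the Microsoft Graph PowerShell SDK.
# Requires the Microsoft.Graph.Groups and Microsoft.Graph.Users modules. All names are placeholders.

Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.ReadWrite.All", "Organization.Read.All"

# Step 4: dynamic device group. Devices whose Intune device category matches the assumed value
# "Inventory scanners" join automatically when they enroll, so they receive the group's policies
# without anyone editing membership by hand.
$groupParams = @{
    DisplayName                   = "Charlotte, NC distribution center - Android Enterprise inventory scanning devices"
    MailEnabled                   = $false
    MailNickname                  = "charlotte-dc-android-scanners"   # placeholder alias
    SecurityEnabled               = $true
    GroupTypes                    = @("DynamicMembership")
    MembershipRule                = '(device.deviceCategory -eq "Inventory scanners") and (device.deviceOSType -eq "Android")'
    MembershipRuleProcessingState = "On"
}
$group = New-MgGroup @groupParams
Write-Host "Created dynamic device group $($group.Id)"

# Step 5: assign an Intune license. Look the SKU up by part number rather than hard-coding its GUID.
# "INTUNE_A" is an assumed part number; confirm it in your tenant with Get-MgSubscribedSku.
$intuneSku = Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -eq "INTUNE_A" }
if (-not $intuneSku) { throw "Intune SKU not found; check Get-MgSubscribedSku for the correct SkuPartNumber." }

# Placeholder pilot users for the first migration phase.
$pilotUsers = @("pilot1@contoso.com", "pilot2@contoso.com")

foreach ($upn in $pilotUsers) {
    # License assignment fails unless the user has a usage location; set one if it is missing.
    $user = Get-MgUser -UserId $upn -Property Id, UsageLocation
    if (-not $user.UsageLocation) {
        Update-MgUser -UserId $user.Id -UsageLocation "US"   # placeholder country code
    }
    Set-MgUserLicense -UserId $user.Id `
        -AddLicenses @(@{ SkuId = $intuneSku.SkuId }) `
        -RemoveLicenses @()
    Write-Host "Assigned Intune license to $upn"
}
```

Run the group creation before enrollment begins, as step 4 advises, so the category-based membership is already in place when the first pilot devices enroll; the licensing loop can then be reused for each migration phase by changing the user list.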

Common issues and resolutions

In this section, add extra information provided by CSS and PFE teams.

Next steps

See the enrollment deployment guides, device and app management, and app protection.