Introduction to Cloud-Based Mobile Device Management with Intune

Information in this document, including URLs and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links are provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. 
Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Copyright 2014 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, ActiveSync, Azure, Forefront, Internet Explorer, Silverlight, Windows, Microsoft Intune, Windows PowerShell, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Session 6 / User and device management / Page 2

Overview

Getting started

For these demonstrations, use the following virtual machines (VMs):

CM
BYOD

For more information about these VMs and their use, see the Enterprise Client IT Camp Demonstrations Delivery and Setup Guide.

Lab

Create a user account in Microsoft Intune

To begin, we'll navigate to the Microsoft Intune account management website and create a new user account. You have already established a Microsoft Intune administrator account for your company, so sign in using those credentials.

To begin managing a user, we first need to establish a user account in Microsoft Intune. This account will be used to connect the user (and device) to the management services. In practice, you would probably establish directory synchronization to synchronize your on-premises AD credentials to Azure AD. In this lab, we create a cloud-based identity for our user.

First, let's create a new user. We do this in the Users node. Notice that a user has already been created. This is the Microsoft Intune administrator account that was created when the Microsoft Intune subscription was created.

We will create a new user, Lori Penor. We can provide the typical information that we would expect for a user (first name, last name, display name, and user name). If we expand the Additional details section, we can also enter information that is similar to what we would expect for an Active Directory user (job title, department, office number, mobile phone, etc.). We don't need to add any of this additional information, so we will just proceed to the next wizard page.

Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:

1. In Internet Explorer, go to https://account.manage.microsoft.com. The Microsoft Intune sign-in web page appears.
2. On the Microsoft Intune sign-in web page, type Admin@<tenant>.onmicrosoft.com (where Admin is the administrative credentials for the Microsoft Intune subscription), and then click Sign in. The Microsoft Intune admin portal is displayed.
3. On the Don't lose access to your account page, click the Remind me later link.
4. In the navigation pane, under Management, click Users. The Users page is displayed.
5. On the actions menu, click the New link, and then click User. The New User Wizard starts.
   Tip: The actions menu is immediately above the list of users.
6. In the New User Wizard, on the Details page, perform the following steps, and then click Next:
   a. In First name, type Lori.
   b. In Last name, type Penor.
   c. In Display name, verify that Lori Penor has been automatically populated.
   d. In User name, type lori.
   e. Expand the Additional details section, click Next.

On this wizard page, we select the country in which the user resides. In this case, we'll select the appropriate country, and then continue to the next wizard page. Microsoft Intune uses the country information to provide the right services to the user.

On this wizard page, we grant the user membership in Microsoft Intune user groups. Currently, we have only one user group (Microsoft Intune), so we accept that default membership and go on to the next wizard page.

On this wizard page, we verify that the email address listed is correct. An email message will be sent to this address that contains the new user passwords for the user that we are creating. The email address looks correct, so we click Create to create the user.

On this wizard page, we see the temporary passwords that have been created for our users. Start Microsoft Notepad, and save these passwords for later in the demonstration. The user will be asked to change their password the first time they log on to Microsoft Intune. The passwords are sent by email in case the user forgets the passwords before they log on for the first time. If users forget their password, we can reset a user password in the Microsoft Intune account portal.

Now that we have saved the password, we can finish the wizard and move on to configuring the mobile device management authority in Microsoft Intune.

7. On the Settings page, in Set user location, select location (where location is the location of the user, such as United States or Canada), and then click Next.
8. On the Microsoft Intune user group page, click Next.
9. On the Send results in email page, verify that the email address is correct, and then click Create. You can skip this, but it might be useful to know.
10. Start Notepad.
11. On the Results page, copy and paste the temporary password for Lori Penor into Notepad for use later in the lab.
12. Click Finish.

Set the mobile device management authority in Microsoft Intune

The next step in performing unified management through Microsoft Intune is to configure the mobile device management authority in Microsoft Intune. A Microsoft Intune subscription can only be managed by one mobile device management authority. The most common mobile device management authorities are Microsoft Intune itself and System Center 2012 R2 Configuration Manager. The mobile device management authority controls the management of all mobile devices, such as Windows devices, Windows Phones, iOS devices, and Android devices.

First, we will log on to the Microsoft Intune administration portal by using the credentials of a Microsoft Intune administrator. In the Microsoft Intune administration portal, we will go to the Microsoft Intune administration console. Here, we will navigate to the Administration workspace, then click Mobile Device Management to administer the mobile device management authority for our Microsoft Intune subscription.

Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:

1. In Internet Explorer, go to https://account.manage.microsoft.com. The Microsoft Intune sign-in web page appears.
2. On the Microsoft Intune sign-in web page, type IntuneAdmin@<tenant>.onmicrosoft.com (where IntuneAdmin is the administrative credentials for the Microsoft Intune subscription), and then click Sign in. The Microsoft Intune administration portal is displayed.
3. In the Microsoft Intune administration portal, click the Admin Console link. The Microsoft Intune administration console opens. You might be asked to sign in again.
   Tip: The Admin Console link is at the top of the Microsoft Intune administration portal between the Company Portal and Admin links.
4. In the Microsoft Intune administration console, in the navigation pane, click the Administration workspace.
5. In the Administration workspace, click Mobile Device Management. The Mobile Device Management page opens.

On the Mobile Device Management page, we click the Set Mobile Device Management Authority link to configure the mobile device management authority. Because Microsoft Intune can be managed by only one authority, we need to be certain that we want to configure the authority for either Microsoft Intune or System Center 2012 R2 Configuration Manager. If we look at the Set MDM authority dialog box, we can see a warning that this change is permanent and cannot be changed in the future. We do in fact want to configure Microsoft Intune as the mobile device management authority, so we select the check box, and then click Yes.

6. On the Mobile Device Management page, under Tasks, click the Set Mobile Device Management Authority link. The Set MDM authority dialog box appears.
   Tip: The Set Mobile Device Management Authority link is in the upper right corner of the page.
7. In the Set MDM authority dialog box, select the I understand that after the mobile device management authority is set to Microsoft Intune, it is permanent and cannot be changed check box, and then click Yes. The mobile device management authority is set to Microsoft Intune.

Now, back on the Mobile Device Management page, we can see that Microsoft Intune is now the mobile device management authority. We can also see the types of devices that Microsoft Intune can manage, including Windows devices (such as Windows 8.1 and Windows RT 8.1), Windows Phone 8, and iOS devices. We can also manage Android devices, but that management does not require any configuration, so Android devices are not shown in this list. We can also configure a connection to Microsoft Exchange Server, which enables us to do enrollment and management of devices that are connected to Exchange Server through Microsoft Exchange ActiveSync.

For this demonstration, we just configure the management of Windows devices. Let's click the Windows Management link to start this process.

8. On the Mobile Device Management page, click the Windows Management link. The Set Up Mobile Device Management for Windows page is displayed.

For Windows 8.1 devices that are not domain joined, we need to add sideloading keys and code-signing certificates. We obtain sideloading keys through Microsoft Volume Licensing. Sideloading keys are necessary for Windows 8.1 apps when you're installing them to non-domain joined Pro and Enterprise devices and Windows RT devices. Sideloading keys are not necessary for Windows Store apps that are installed by deeplinks. Deeplinking lets us provide the URL to an app in the Windows Store, and then point the user directly to the app in the Windows Store. Because the user installs the app directly from the Windows Store, sideloading keys are not required.

Let's add a fictitious sideloading key by giving it a name, entering the key, and entering the total number of activations the sideloading key supports. After we've entered all that information, we click OK to return to the Set Up Mobile Device Management for Windows page.

Next, we need to add a code-signing certificate for any apps that are code-signed by using a certificate from a non-Microsoft public certification authority (CA) that the device trusts (for example, if our organization developed a Windows Store app, and then code-signed the app with a certificate issued by CAs within our organization). We click the Modify Code-Signing Certificate link, and then browse for the code-signing certificate. We select the certificate, and then click Upload to upload the certificate. When we see a notification about uploading the certificate, we click Close in that notification dialog box.

If we look on the Set Up Mobile Device Management for Windows page, we can see that our certificate is listed. Now, we are ready to enroll a device in Microsoft Intune.

9. On the Set Up Mobile Device Management for Windows page, under Tasks, click the Add Sideloading Key link. The Add Sideloading Key dialog box appears.
10. In the Add Sideloading Key dialog box, perform the following steps, and then click OK:
   a. In Name, type Contoso Sideloading Key.
   b. In Key, type 12345-12345-12345-12345-12345.
   c. In Total activations, type 5.
   The sideloading key is added to Microsoft Intune.
11. On the Set Up Mobile Device Management for Windows page, under Tasks, click the Modify Code-Signing Certificate link. The Upload a Code-Signing Certificate dialog box appears.
12. In the Upload a Code-Signing Certificate dialog box, perform the following steps:
   a. Click Browse. The Open dialog box appears.
   b. In the Open dialog box, in File name, type \\DC\Source$\SampleApps\Tiles_Sample.cer. The Upload a Code-Signing Certificate dialog box appears.
   c. Click Upload.
13. In the Upload a Code-Signing Certificate dialog box, click Close.

14. The code-signing certificate is added to Microsoft Intune.

Add software (apps) to Microsoft Intune for deployment

In Microsoft Intune, we manage software in the Software workspace. In the navigation pane, we click the Software icon, which takes us to the Software workspace. In the Software workspace, we can see Detected Software and Managed Software.

Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:

1. In Internet Explorer, open a new tab, and then type http://aka.ms/skypewifiapp into the address bar. We use a short link to avoid typing errors in this lab; normally, you would enter the URL for the app, which can be obtained from the Store.
2. Click Cancel on the dialog box if one appears.
3. When the web version of the Windows Store has loaded, copy the URL from the address bar to the clipboard.
4. In the Microsoft Intune administration console, in the navigation pane, click Software.

In Managed Software, we administer the software that we want to deploy to our users and devices. Right now, we have no software in our list, so let's add a new app to Microsoft Intune.

To add software to Microsoft Intune, we need to download, install, and start the Add Software - Microsoft Intune Software Publisher Wizard. This process has to be done only the first time we add software to Microsoft Intune on a given device.

5. In the Software workspace, go to Managed Software.
6. In the details pane, click Add Software. The Microsoft Intune Software Publisher starts. The Application Run - Security Warning dialog box is displayed.
   Tip: The Add Software button is immediately above the list of software.
7. In the Application Run - Security Warning dialog box, click Run.

The Add Software - Microsoft Intune Software Publisher is downloaded, installed, and started.

8. If prompted to log in to Microsoft Intune, log on using IntuneAdmin@<tenant>.onmicrosoft.com (where IntuneAdmin is the administrative credentials for the Microsoft Intune subscription).

On the first page of the wizard, there is no information to be configured, so we will continue on to the next wizard page.

On this wizard page, we select the type of software installation to perform. If we look in the Select how this software is made available to device list, we can see that we can specify a software installer (like an .msi or .appx file) or an external link. We select Software installer for these types of files. Select External link for apps that are directly installed from a store (such as Windows Store, iTunes, or Google Play). For the purposes of this demonstration, we are deploying a deeplinked app, so we will select External link.

9. In the Add Software - Microsoft Intune Software Publisher Wizard, on the Before you begin page, click Next.
10. On the Software setup page, perform the following steps, and then click Next:
   a. In Select how this software is made available to device, select External link.
   b. Return to the Add Software wizard.
   c. In Specify the URL, paste the Windows Store address that you copied from the address bar.

Now, we need the deeplink URL. We open the file where we stored the deeplink URL earlier in the demonstration. We copy the deeplink URL, and then paste it into Specify the URL.

On this wizard page, we provide information about the software we are adding. For this demonstration, we enter information about our Skype Wi-Fi Windows Store app. In Publisher, we enter Microsoft. In Name, we enter a name and point out that this is the deeplinked version (as opposed to an .msi installation). We provide additional information in Description. And finally, we select the appropriate category for our software. In this case, Collaboration & Social is the most appropriate.

11. On the Software description page, perform the following steps, and then click Next:
   a. In Publisher, type Microsoft.
   b. In Name, type Skype Wi-Fi Windows Store App (Deeplink).
   c. In Description, type Skype Windows Store app to be installed from deeplink.
   d. In Category, select Collaboration & Social.
   e. Click Next.

On the Summary page, we review all the information the wizard has collected. All the information looks good, so we click Upload to add the software to Microsoft Intune.

We can see that the software has successfully been added to Microsoft Intune. We close the wizard and see that our Skype Wi-Fi Windows Store app is shown in the list of managed software. Now that our app is added to Microsoft Intune, we need to deploy the app to our devices.

12. On the Summary page, review the information collected during the wizard, and then click Upload. The software is added to Microsoft Intune.
13. On the Upload page, review the completion status of the wizard, and then click Close.
14. In the details pane, the new software (Skype Wi-Fi) is shown in the list of managed software.

Deploy an app

Now, we will deploy our Skype Wi-Fi deeplinked Windows Store app to our user. We do this by using the Manage Deployment Wizard. We start the Manage Deployment Wizard by clicking Manage Deployment immediately above the list of software.

Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:

1. In the Microsoft Intune administration console, in the navigation pane, click Software.
2. In the Software workspace, go to Managed Software.
3. In the details pane, click Skype Wi-Fi Windows Store App (Deeplink).
4. In the details pane, click Manage Deployment. The Manage Deployment Wizard starts.
   Tip: The Manage Deployment button is immediately above the list of software.

On this wizard page, we select the user groups to which we want to deploy the software.

5. In the Manage Deployment Wizard, on the Select Groups page, click Ungrouped Users, click Add, and then click Next.

On this wizard page, we select the type of deployment action that we want to perform for each user group. If we click the drop-down list in the Approval column, we can see that the options include Required Install, Do Not Install, Available Install, and Uninstall.

Required Install is used when we have software that we can force users to install. You can see that this option is greyed out, because we cannot force users to install Windows Store apps from the Windows Store: we can only make the apps available.

6. On the Deployment page, in the Approval column, click the drop-down list to show the list of options.
7. Select Available Install, and then click Finish.

Do Not Install is used when we want to do all the preparation for deploying software but not actually perform the deployment at that moment. For example, we could prepare the software for deployment but wait because operating system updates are necessary and have not yet been completed.

Available Install is used when we want to make the software available to the user in the Company Portal. This option allows the user to install the software if they desire.

Uninstall is used when we want to uninstall software that has been previously deployed to users.

We can also see that we can provide a deadline in the Deadline column. The deadline is provided when we select the Required Install option in the Approval column. You can see that we can select a predefined deadline or create a custom deadline. Because we are installing a Windows Store app by deeplinking and deeplinked Windows Store apps can only be installed by using the Available Install option, we will not specify a deadline.

8. For the purposes of this demonstration, we select Available Install, and then click Finish to deploy our Skype Windows Store app to our user group.

If we now look at our Skype Windows Store App, we can see that the status in the Deployed column is set to Yes, which indicates that the software has been deployed.

Now, if we want to see the list of users to which the software has been deployed, we can view the properties of the software by clicking View Properties. Then, we will look at the list of users on the Users tab. There, we can see Lori Penor in the list of users, which is what we would expect. Now, let's install the software.

9. In the details pane, click Skype Windows Store App (Deeplink).
10. In the details pane, click View Properties. The properties of the software are displayed.
   Tip: The View Properties button is immediately above the list of software.
11. Click the User tab. The list of users to which the software has been deployed is displayed.
   Tip: The User tab is immediately beneath the title of the application at the top of the details pane.

Enroll a Windows 8.1 device with Microsoft Intune and OMA-DM

Now that we've configured Microsoft Intune, let's enroll our Windows 8.1 device. To enroll their Windows 8.1 devices, users provide their email address. Windows 8.1 takes the domain portion of their email address and performs auto-discovery by looking for a DNS record named EnterpriseEnrollment. For example, if the user's email account is lori@contoso.com, then Windows 8.1 automatically looks for EnterpriseEnrollment.contoso.com (which points to manage.microsoft.com).

Perform the following steps on BYOD logged on as the Microsoft account that is associated with the BYOD\Lori account earlier in the process:

1. Start the Windows PowerShell integrated scripting environment (ISE) as an administrator by holding CTRL and Shift and clicking the ISE icon on the taskbar.
2. In the Windows PowerShell ISE, open the Contoso_BYOD_WindowsIntune_Override_Enrollment_UPN.ps1 script, which is stored in the C:\DemoContent folder.

The problem is that in our environment, we do not have a public-facing DNS where we could add the EnterpriseEnrollment.contoso.com DNS record. Instead, we will use a workaround by making a registry modification. Again, although this works for our lab environment, we should never do this in a production environment. Instead, we should add the EnterpriseEnrollment DNS record to our public-facing DNS and verify this in Microsoft Intune. We enroll our device on the Workplace panel, in the Network panel, in PC settings.

3. In Windows PowerShell ISE, highlight the entire script, and then press F8 or click Run Selection on the toolbar at the top of the console.
Tip: You can highlight the entire script by pressing Ctrl+A.
The registry is updated.
4. Minimize the Windows PowerShell ISE.
5. In the notification area (system tray), click the network icon. The Networks panel is displayed.
6. On the Networks panel, select View Connection Settings. PC settings opens and displays the Network panel.
7. In PC settings, in the Network panel, select Workplace. The Workplace panel opens.

Users only need their email account to enroll their device, so we enter our Lori Penor email address, and then click Turn on. This allows System Center 2012 R2 Configuration Manager and Microsoft Intune to manage our device. We need to enter the password for our Microsoft Intune account and sign in to Microsoft Intune.

8. In the Workplace panel, in Enter your user ID to get workplace access or turn on device management, type lori@xxx.onmicrosoft.com (where xxx is the domain for the Microsoft Intune subscription), and then click Turn on. Windows 8.1 locates the Microsoft Intune servers. The Microsoft Intune sign in page is displayed.
9. On the Microsoft Intune sign in page, in Password, type the password for lori@xxx.onmicrosoft.com (where xxx is the domain for the Microsoft Intune subscription), and then click Sign in. You noted this in Notepad on the CM machine previously.
10. You will be asked to update the password. Provide your own password at this point, and then click Submit.
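The auto-discovery lookup and the production guidance described above can be checked before any device is enrolled. The PowerShell below is an added example, not the lab's Contoso_BYOD_WindowsIntune_Override_Enrollment_UPN.ps1 script; the function names, the injectable resolver and the sample zone are assumptions made for illustration, and the expected target manage.microsoft.com is the one the lab text gives.

```powershell
# Added example (not the lab's script). Function names are hypothetical.

function Get-EnrollmentDiscoveryName {
    param([Parameter(Mandatory)][string]$UserId)
    # The domain portion is everything after the last '@'.
    $at = $UserId.LastIndexOf('@')
    if (($at -lt 1) -or ($at -eq ($UserId.Length - 1))) {
        throw "Not a valid user ID: '$UserId'"
    }
    'EnterpriseEnrollment.' + $UserId.Substring($at + 1).ToLowerInvariant()
}

function Test-EnrollmentDiscovery {
    param(
        [Parameter(Mandatory)][string]$UserId,
        # Target the lab text says the record points to.
        [string]$ExpectedTarget = 'manage.microsoft.com',
        # Injectable resolver (assumption) so the check can also run offline.
        [scriptblock]$Resolver = {
            param($Name)
            Resolve-DnsName -Name $Name -Type CNAME -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'CNAME' } |
                ForEach-Object { $_.NameHost }
        }
    )
    $record  = Get-EnrollmentDiscoveryName -UserId $UserId
    # Normalise resolver output: drop empty results and trailing dots.
    $targets = @(& $Resolver $record | Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('.').ToLowerInvariant() })

    if ($targets.Count -eq 0) { $status = 'Missing' }
    elseif ($targets -contains $ExpectedTarget) { $status = 'OK' }
    else { $status = 'UnexpectedTarget' }

    [pscustomobject]@{
        UserId  = $UserId
        Record  = $record
        Targets = $targets -join ', '
        Status  = $status
    }
}

# Constructed sample data standing in for public DNS (not real records).
$sampleZone = @{
    'enterpriseenrollment.contoso.com'  = 'manage.microsoft.com.'
    'enterpriseenrollment.fabrikam.com' = 'mdm.fabrikam.example.'
}
$offlineResolver = { param($Name) $sampleZone[$Name.ToLowerInvariant()] }

# Offline run over one correct, one misdirected and one missing record.
'lori@contoso.com', 'sam@fabrikam.com', 'kim@adatum.com' | ForEach-Object {
    Test-EnrollmentDiscovery -UserId $_ -Resolver $offlineResolver
}
```

Without -Resolver the function queries live DNS through Resolve-DnsName, which is how to confirm the public record exists and points where expected instead of relying on the lab's registry override.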

After we are signed in to Microsoft Intune, Windows 8.1 displays a notification about having apps and services being provided by the organization's IT admin. This notification makes the user aware that some features of their device will now be managed by the IT department. This is especially critical in BYOD scenarios, where the user owns the device. Let's agree to allow our organization to manage our device. When we have connected to the workplace, we can close PC settings.

The Allow apps and services from IT admin page is displayed.
11. On the Allow apps and services from IT admin page, review the information, select I agree, and then click Turn on. Windows 8.1 connects to the workplace.
12. Close PC settings.

Associate a Microsoft account with our device to allow Store access

As the first step, we need to associate a Microsoft account with the CORP\Lori domain account. We will do that by using the Connect to a Microsoft account on this PC wizard.

Perform the following steps on BYOD logged on as Lori Penor with the password Passw0rd:

1. Press Win + I, and then click Change PC settings.
2. Tap or click Accounts.
3. Tap or click Connect to a Microsoft account.
4. The Connect to a Microsoft account on this PC wizard starts.
5. Enter Lori's password: Passw0rd
6. Select the link Create a new account. Be sure to note your password.
7. Fill out the requested details, and then click Next.
8. On the Add security info page, enter at least a Birthdate (your user needs to be over 18), a Gender and one alternate email address, and then click Next.

9. On the Communication Preferences page, enter the characters shown and click Next.
10. On the Help us protect your info page, click the I can't do this right now link.
11. Click Next and then Switch.

Create a Microsoft Intune Trial

We now need to get you a Microsoft Intune tenant to use for testing purposes in our lab.

Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:

12. Go to the Desktop and launch Internet Explorer from the taskbar.
13. Enter http://aka.ms/tryintune into the address bar.
14. On the website, select the Try tab.
15. Select Signup for a Microsoft Intune free 30-day-trial.
16. Complete the details on the Signup screen. DO NOT use your own organization's real name in the New Domain Name field. Use a variation such as contosolab1, where Contoso is your company name.
17. Click Check availability.
18. Enter Admin in New user ID and provide a password.
19. Enter the verification code as seen on screen.
20. Click I accept and continue. Your account will now be created. Continue when prompted to do so.

21. On the Don't lose access to your account page, click the Remind me later link.

Obtain the Company Portal app from the Windows Store

Now, let's install the Company Portal app. In practice your users might install this first and it will direct them to enroll their device if they have not already done so. We can do this by searching for the app on the Start screen. When we find the Company Portal Install app entry, we select it and are taken to the Company Portal app page in the Windows Store app. Let's install the Company Portal app. It only takes a few minutes for the installation process to finish, and we are notified that the Company Portal app was successfully installed.

22. On the Start screen, type Company Portal. The list of search results is displayed.
23. In the list of search results, select Company Portal Install app.
24. The Windows Store app opens to the Company Portal app.
25. On the Company Portal app page, click Install. Company Portal app installation begins. You may be asked to provide credit card info. Do not worry, you don't need to for this lab! Click Ask me later if prompted. After a few moments, you are notified that installation is complete. Close the Windows Store app.

Now, let's run the Company Portal app. Again, we search for the app, and then select it from the list of search results.

26. On the Start screen, type Company Portal. The list of search results is displayed.
27. In the list of search results, select Company Portal.
28. The Company Portal app starts, and the Microsoft Intune sign-in page appears.

We need to sign in to Microsoft Intune, so we provide Lori Penor's Microsoft Intune credentials. The Company Portal app opens.

29. On the Microsoft Intune sign-in page, in Password, type the password for lori@xxx.onmicrosoft.com (where xxx is the domain for the Microsoft Intune subscription), and then click Sign in. The Company Portal information is displayed. Notice that the BYOD device is listed under devices. Users can see all their enrolled devices in the company portal, regardless of platform.
30. Click BYOD, and notice the available options.
31. Click back to the Company Portal app.

Install an app from the Company Portal as a user

On the Company Portal home page, we can see our deployed Skype app in the company apps section. We click Skype and are taken to a page that displays the details of our software (in this case, our Skype app). We can see that because our software (Skype) is only available through the Windows Store, we are given a link to the app in the Windows Store. We click the link, and the Windows Store app opens.

Perform the following steps on BYOD logged on as Lori with the password for her Microsoft account.

1. On the Company Portal home page, under All Apps, click Skype Wi-Fi. The details of the software we have deployed are displayed. Specifically, we can see that the software is only available in the Windows Store, and we are given a link to view the app in the Windows Store.
2. Click the View in Windows Store link. The Skype Wi-Fi Windows Store app is displayed in the Windows Store.

In the Windows Store app, we can see the Skype Wi-Fi app page. There is the Install button that we would expect for a Windows Store app. We click Install. The download and installation process behaves just as it would for any app deployed from the Windows Store.

3. In the Windows Store, on the Skype Wi-Fi app page, notice that the Skype Wi-Fi app can be installed on this device.
4. Click Install.
5. Close the Company Portal app.

We see the notification that our Skype Wi-Fi app was installed. We'll close the Windows Store app and the Company Portal app. Now, if we look on the Start screen, we can see the Skype Wi-Fi tile. As you can see, installing an app from the Microsoft Intune Company Portal is easy for users. And from an administrator's perspective, adding the software to Microsoft Intune and deploying the software are easy, as well.

6. On the Start screen, display all apps, and show the Skype Wi-Fi tile.

Now, let's look at how to scan a device for malware.

Add a web-based app to Microsoft Intune and deploy it

Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:

7. In the Microsoft Intune console, add a new application (you've already done this once; yes, this is a test).
8. In the Add Software wizard, click Next on the Before you begin page.
9. Select External link under Select how this software is made available to devices.
10. Enter the URL http://outlook.office365.com, and then click Next.
11. In Publisher enter Microsoft, in Name enter OWA, in Description enter Outlook Web App, and change the Category to Productivity.
12. Click Next and Upload and Close.
13. Now deploy the web app to your users (you've already done this once; yes, this is a test).

Explore the web-based Company Portal

The web-based company portal is available anywhere and allows a user to remotely manage their devices, including the ability to wipe devices (both fully and partially where supported), to rename them and to install software onto them. The web-based portal can also be used to enroll a new device. Here we will install our Outlook Web App link to our BYOD device as a user from another computer. We will now test the remote install that our user initiated.

Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:

14. On the taskbar, right-click the Internet Explorer icon and select Start InPrivate Browsing.
15. Enter http://portal.manage.microsoft.com in the address bar.
16. Log in using Lori's credentials: lori@xxx.onmicrosoft.com
17. Click the link Click here to select your device.
18. Select the BYOD device and click OK. We are going to be managing this device remotely using the Web portal.
19. You can now see the apps that are available to Lori on this device. Click the All Apps tile.
20. Select OWA.
21. Click Install.
22. Close the InPrivate window.

Perform the following steps on BYOD logged on as Lori with the password for her Microsoft account.

23. Go to the Start screen.
24. Click the arrow at the bottom of the screen to show all apps, scroll right to find OWA and click the OWA tile. The sign-in screen for Outlook Web Access will load. You do not need to sign in.

Remotely manage devices

Let's see how we can remotely manage devices from the Microsoft Intune administration console. We manage devices in the Groups workspace. Within the Groups workspace, we go to the All Devices device group. We can also perform several remote tasks on devices through the Microsoft Intune software that was installed when the device was enrolled.

The Run a Full Malware Scan and Run a Quick Malware Scan tasks deal with performing a full or quick malware scan on the device. We could select these options to force a malware scan on a device. As expected, a full scan takes longer and consumes more resources than a quick scan.

The Restart Computer task remotely restarts the selected device.

The Update Malware Definitions task forces the device to download the latest malware definitions for Microsoft Forefront Endpoint Protection.

The Refresh Policies task forces the device to download the latest Microsoft Intune policies (which we configured in the Policy workspace).

The Remote Lock task remotely locks the device. This is useful if a user misplaces the device and you want to give them time to find it while maintaining security.

Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:

1. In the Microsoft Intune administration console, in the navigation pane, click Groups.
2. In the Groups workspace, go to All Devices. The list of devices is displayed, including the BYOD device.
3. In the details pane, click BYOD.
4. In the details pane, click the Remote Tasks list.
Tip: The Remote tasks button is immediately above the list of devices.
5. Select Remote Lock.
6. Switch to the BYOD VM. You will see that the machine will lock even if you are actively using it!

Finally, the Refresh Inventory task forces the Microsoft Intune client software on the device to perform an inventory and discover the system resources and software on the device. For the purposes of this demonstration, we won't perform any of these actions, because they can take some time to finish. So, let's look at how to deploy an update to a device.

Deploy an update to a device

Applying policy to mobile devices is a critical management task. Microsoft Intune allows us to do this. Here we create a simple policy and enable Enterprise Mode for Internet Explorer, a way of managing LoB web app compatibility.

Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:

1. In the Microsoft Intune administration console, in the navigation pane, click Policy.
2. Select All Policies in the Policy workspace.
3. Click Add.
4. Select Mobile Device Security Policy.
5. Click Create Policy, leaving the defaults in place.
6. Select Ungrouped Users and click Add, then click OK.
7. Highlight the policy and click Edit.
8. Select the Applications section of the policy.
9. Scroll down to and enable Allow Enterprise Model menu access, and set the drop-down box to Yes.
10. Click Save Policy.

Retire a device

In some instances, we may no longer want to manage a device by using Microsoft Intune. We can stop managing devices by retiring the device. We retire devices in the Microsoft Intune administration console.

First, we find the device we want to retire in the Microsoft Intune administration console. We will find the BYOD.corp.contoso.com device that we used earlier. Next, we click Retire/Wipe to retire the device. The Retire device: BYOD dialog box is displayed. We can see that there is an option to also wipe the device. Wiping the device removes any user data from the device. We would elect to wipe a device if the device has been stolen or we want to repurpose the device for another user. For the purposes of our demonstration, we will not wipe the device. We will click Yes to retire the device.

In the Microsoft Intune administration console, we can see a notification that the device is in the process of retiring. This process will take 10-15 minutes to complete.

Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:

1. In the Microsoft Intune administration console, in the navigation pane, click Groups.
2. In the Groups workspace, go to All Devices.
3. In the details pane, click the Devices tab.
4. The list of devices is displayed, including the BYOD device.
5. In the details pane, click Retire/Wipe.
Tip: The Retire/Wipe button is immediately above the list of updates.
The Retire device: BYOD dialog box is displayed.
6. In the Retire device: BYOD dialog box, hover the mouse pointer over the Wipe the device before retiring check box while discussing it, but do not select the check box.
7. In the Retire device: BYOD dialog box, click Yes. The notification This devices in the in the process of retiring. is displayed in the information area.