EMS – the Easy Way (continued)
We left off at that part of our story with a fully fledged E3 – Office 365 tenant and an E5 Enterprise Mobility & Security subscription. We also have a custom domain connected to the tenant. Now to enforce device compliance.
The first step in this post is to show the necessary DNS entries to successfully connect all the Office 365 services to your custom domain. The next stage is to examine all the portals you will be using.
I will then walk through the steps needed to configure the Microsoft Intune console for Mobile Device Management (MDM) and finally enrol an iOS client and a Windows 10 client to the Intune tenant for MDM
DNS for Office 365 and Microsoft Intune
To successfully connect a custom domain to an Azure Active Directory and use the Office 365 applications, several Domain Naming System (DNS) records need to be created. This either requires Office 365 to manage the DNS zone for the domain or someone with the ability to update DNS themselves.
|Record||Application / Service||Purpose|
|CNAME||Office 365 Suite||Identity Platform redirection|
|TXT||Office 365 Suite||Domain ownership verification|
|CNAME||Autodiscover – Exchange Online||Exchange online record to direct outlook clients|
|MX||Exchange Online Email||This record points all email toward the Exchange online service.|
|SPF (TXT)||Exchange online||Spam prevention tool|
|SRV||Skype for Business||Required by SfB IM|
|CNAME||Skype for Business||SfB client uses this to find the SfB online service|
Other records are required for Single Sign On and other federation services (Hybrid Exchange online service)
A portal, a portal my kingdom for a portal.
The one thing that is NOT lacking in the Microsoft online services world is a portal. Well actually there is one portal that is lacking. There are so many portals in use in Microsoft Azure, Microsoft Intune, Office 365 and Enterprise Mobility & Security that what is missing is a single portal providing access to all your relevant portals by function.
So, if you are listening Microsoft!
This short section is a list of portals, their function and a screenshot to help you identify where you are and what you can do.
The Office 365 Admin Center
All top level functions and access to all other Office 365 service portals.
The Microsoft Intune Portal
The setup, configuration and management portal for Microsoft Intune
The Microsoft Azure Portal (https://portal.azure.com) For active directory management (IN PREVIEW)
A preview portal for managing all aspect of Azure Active Directory
The Microsoft Azure Classic Portal https://manage.windowsazure.com) For active directory management
Azure service manager portal for managing Azure Active Directory
Intune Portal in Azure (Preview)
Mobile Device management Preview in Azure
Intune Portal in Azure for MAM (https://portal.azure.com/#blade/Microsoft_Intune/SummaryBlade)
Mobile Application Management for iOS and Android in Azure Portal
Office 365 Product Admin Centers (Portals)
Each Office 365 service has its own Portal or Admin Center linked from the main Office 365 Admin Portal
The above is a small sample of the portals available and as with all cloud services, they will change on a regular basis. You have been warned.
Having created the tenant and the custom domain link the next stage is to add a corporate brand to the applications and sign in pages of your tenant. This is a simple process which can be carried out in a number of places. I used the Office 365 portal and uploaded a couple of graphics.
The Enterprise Mobility and Security product suite is led by the Microsoft Intune service. This service uses an Azure Active Directory (AAD) to store the users and computers in your organization that you want to be managed.
At present Intune can work in two distinct Mobile Device Management (MDM) modes. Hybrid or cloud only. The selection of this mode is made before you configure any other settings. The two modes are mutually exclusive and currently very hard to reverse if you change your mind.
The Hybrid solution uses Microsoft System Center Configuration Manager (SCCM) to manage all MDM activities. Whilst this necessarily cannot be as ‘up to date’ as a pure cloud service, the SCCM team have added a number of new features to allow fast service updates.
I do not use SCCM for my deployment and this series of posts will not consider it further.
To set the MDM authority, select the Admin menu of the Intune Portal. Then select Mobile Device Management. On this page you can configure the authority to either Intune or SCCM the screenshot below shows an tenant configured for Intune MDM.
This completes in seconds and your tenant is now ready to be configured with Compliance Policies, Configuration Policies, Device Groups and User Groups.
To make things simpler later on, before starting on the policies, you can connect your tenant to the Exchange online system. This is done by navigating from the Admin section of the Office 365 Portal, expand the Microsoft Exchange menu and Click on the Set up Exchange Connections, finally click on Set up Service to Service Connector. You require an admin credential for an Office 365 account with an Exchange Online service to make this connection. (So Office 365 Pro Plus, Office 365 Business and all Office 365 Home subscriptions are not suitable for this)
Having chosen your Mobile Device management authority, you can now continue with configuring and deploying Microsoft Intune.
Microsoft Intune has, at first glance a plethora of different types of policy to implement. To cut through the confusion, and to keep this post to the steps I actually took to implement my own deployment, I shall stick to a single compliance policy and two configuration policies, one for iOS and one for Windows 10.
The first policy to create is a compliance policy. I run a small business with a fewer than 30 devices. These devices are limited to Windows 10 desktops, laptops and phones and a few iOS devices iPhones and iPads. If your business is different you may choose a different plan.
Planning is essential to implement this solution effectively and to prevent duplicate policies or restrictions.
To create a compliance policy select the Policy icon on the left of the dashboard view .
Then click on the Compliance policies link
Finally click the Add… text at the top of the window
Which opens up the Create Policy screen. Here you can require certain properties to be present or absent on a device before it is in compliance. You can then set conditional access policies that only allow devices in compliance access to apps and data as well as monitor and remediate devices that may be out of compliance. Checkout the docs on Compliance policies here. Compliance policies are deployed to a user, so all the user’s devices must therefore comply with that policy to gain access to data and apps.
The Create policy screen contains settings such as password length and complexity, device encryption, Windows device health attestation, security settings, operating system version and whether or not the device is jailbroken.
As an example I have only one compliance policy and it is applied to all employees. It state that all devices must have a xx character password of a complex nature (security prevents me revealing any more).
Windows Devices have to be healthy. to be healthy a Windows 10 device must have code integrity, BitLocker encryption and secure boot enabled. In addition the early launch malware driver must be loaded on desktop devices. Windows devices must also be at a minimum version of Windows 10.
iOS devices cannot be jailbroken.
Configuration policies can be set on devices and / or users. These policies are specific to device types. Having clicked the Configuration policies link and Add.. at the top of the screen you see the Create a New Policy window.
Within each device type listed are a number of policy templates. The iOS choices are below
I set up a General Configuration policy for both Windows and iOS.
My policy settings cover use of a password to unlock the device and a whole raft of device settings for screenshots, camera usage and applications. it is possible to tie down the device in a very restrictive manner if you so choose.
Whereas a compliance policy monitors the device to report to conditional access as to a devices compliance, a configuration policy will actually force a device to comply with the settings laid down within the policy.
When the device is enrolled into Intune the compliance is checked and the configuration is applied (if deployed). If a configuration policy conflicts with a compliance policy, the compliance policy will always win. The most restrictive setting in a compliance policy will also take precedence.
Device and User Groups
This brings me to groupings. You can create device groups and user groups. I have set one user group up since the company is small and does not require more. I have also created a Windows Desktop PC group and iOS Devices group and two Windows 10 groups, for mobile devices. One for phones and one for surfaces.
This covers all the devices I am likely to have for a couple of years.
Having created policies, you can then choose to deploy them to users (or users and devices for configuration policies).
All these steps are simple wizard driven actions.
Two steps remain, first to enable conditional access policies for enrolled devices. I chose to enable only the Exchange Online policy, shown here.
I could also have selected Dynamics CRM, Exchange on-premises, SharePoint online and Skype for Business online.
Secondly I need to enable my client devices to register with Intune and there are a number of ways to do that. I will walk you through a Windows 10 desktop and an iOS iPad.
There are a number of ways to enrol a Windows device. If using a Windows version prior to Windows 10 you will need to download the Intune client. I chose to use the feature of Azure AD premium that allows Auto enrolment of devices into Intune when you join them to an Azure AD.
You could also use the Company Portal App or force the join through Windows 10 Settings as shown below
To connect an iOS device to Intune you need to install the company portal app and enrol the device. To be able to do this you need to prepare Intune for iOS device enrolment. This takes the form of an Apple Push Notification (APN) certificate. The process is quick, simple and free but does require an Apple ID.
The steps are From the Admin menu select iOS and Mac OS X the select Upload an APN Certificate.
Here you can download the certificate request from Intune. You then import that request to the APN website and download the certificate that is produced. The final step is to upload that certificate back to Intune.
This is acknowledged with a Green tick and ready for enrolment on the iOS and Mac OS X page.
To enrol the iPad into Intune MDM, simply download the Company Portal app from the Apple Store and sign in with your Office 365 / Intune / Azure AD credentials. If those credentials relate to a user that is enabled for a compliance policy on a device that has a configuration policy, the enrolment will also configure the device, or at least enforce the user to configure the device .
A short while after, the user and their devices appear in the Intune management portal.
Here you can see one of the users already has 8 devices under management. You can ‘drill down’ into the user and see all their devices and the state of compliance and even obtain a full inventory from each device.
Here you can see the hardware details of a Windows 10 Desktop device under management.
and how it conforms (or not) to the policies
The depth and richness of data that Intune can provide is quite staggering.
There are many many more features which I will cover in later posts. One of the most exciting and useful is Mobile Application Management without enrolment which is carried out through the Azure Portal.
Watch this space for the next exciting instalment.