Enterprise Mobility + Security
Modern management and security principles driving our Microsoft Endpoint Manager vision
In this document I want to set forth Microsoft's vision for how IT organizations will deliver, manage and secure this Modern Workplace going forward across all devices, with an emphasis on the definition of, and path to, modern management of Windows PCs, as organizations generally already have a well-managed PC solution in place (usually built on ConfigMgr).

Microsoft Intune rolls out an improved, streamlined endpoint management administration experience
Over the past several months, Microsoft conducted significant research with IT professionals to see where we could make the most impact. We took the feedback from that research and designed enhancements to the IT administrator experience for Microsoft Intune. These changes and improvements are in the process of being rolled out at https://devicemanagement.microsoft.com

Microsoft Edge on iOS and Android now supports conditional access and single sign-on
Microsoft Enterprise Mobility + Security (EMS) is excited to deliver Azure Active Directory conditional access protection for Microsoft Edge on iOS and Android. This integration expands the Microsoft Intune management capabilities as you deploy Microsoft Edge for the best browsing experience across all endpoints in the enterprise. Users get easy, secure access to Office 365 and all your web apps that use Azure Active Directory, with the same application management and security capabilities that previously required Intune Managed Browser.

Microsoft Intune customer adoption pack is now available
Microsoft Intune is designed for the modern era of corporate connectivity from any location and any device, which must not only enable great consumer-grade experiences at work but also protect against the increased risk of inadvertent and malicious threats to corporate data. Join the over 100 million customers across the world who trust Microsoft 365 Enterprise Mobility + Security (EMS) to stay connected, secure data and get things done on the go. You can view resources for each phase of roll-out below or download customer adoption resources from this Customer Adoption Pack .zip file.

Helping IT send and provision business PCs at home to work securely during COVID-19
With so many organizations shifting to remote work, our teams are helping customers daily to understand how to provision new and existing PCs at home. In this article, we want to help you ship new business PCs to employees and provision them out of the box using Windows Autopilot, without manual setup or a visit from your technical support staff.

Behind the scenes: How Microsoft and Google work together for customers on Android Enterprise
Microsoft Intune, now integrated in Microsoft Endpoint Manager, works closely with Google as part of the Android Enterprise Recommended program for Enterprise Mobility Managers (EMM). We recently had the opportunity to host Google's engineering team at Microsoft's Redmond campus. Let's pull back the curtain a bit and share with you how we work together.

Evolution of macOS management capabilities in Microsoft Intune
Back in 2015 I wrote a blog about Mac management with Intune; it has been a few years, and I feel it's time to revisit Mac management with Intune to see what has changed. You'll soon see there has been a significant amount of progress: since my first post, Intune has gained a lot of native Mac management capabilities. First let's look at macOS enrollment options with Intune.

macOS enrollment options

There are two methods to enroll macOS devices with Intune: user-driven enrollment, or the Apple Device Enrollment Program (DEP).

User-driven enrollment

For user-driven enrollment the end user signs into the web-based Company Portal at https://portal.manage.microsoft.com. If the user already has a device registered it will show on the screen; if the Mac is the first device being enrolled, the portal prompts them to add it. Once the user selects "Add this one by tapping here" they'll be prompted to download the Intune Company Portal app. After the Company Portal is downloaded and installed, open it and sign in with your corporate credentials; these are the same credentials used to sign into Office 365 (they come from Azure AD). After sign-in completes, the device begins the enrollment process. For more details on user-driven Mac enrollment, see: https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp

Apple Device Enrollment Program

The concept of Apple DEP is to associate devices with an organization and streamline the enrollment process, similar to enrolling Apple iOS devices. Enrollment follows a different process, however: an Apple enrollment token is associated with Intune, and once the token is added, an enrollment profile is created in Intune and associated with that token. During enrollment profile creation you'll be asked to select user affinity (i.e. userless or user associated).
Once user affinity is selected, you'll also choose whether users are allowed to remove the enrollment profile, via the "Locked enrollment" setting. Finally, you'll customize the Setup Assistant, which allows hiding setup screens such as Apple Pay, Siri and Registration. For more details on the Apple enrollment token process with Intune, see: https://docs.microsoft.com/en-us/intune/device-enrollment-program-enroll-macos

Conditional access

An exciting feature of Azure AD is the ability to target specific device platforms (e.g. macOS) and set a series of conditions for access by creating conditional access policies in Azure AD.

Compliance

Azure AD and Intune compliance policies also play a role in access. The compliance policy settings below define the restrictions a device must satisfy to be considered compliant:

Device Health: require System Integrity Protection, which prevents malicious apps from modifying protected files and folders.
Device Properties: specify which OS versions and builds you'll allow before the device may access corporate resources.
System Security: require a configured password and password complexity, storage encryption, the firewall, and Gatekeeper, to protect against malware.
Actions for non-compliance: take action when a device does not meet the compliance policy, by sending the user an email and/or locking the device.

Associating an Intune compliance policy with an Azure AD conditional access policy: create an Azure AD conditional access policy that requires the device to be compliant before it can access corporate resources. Note that compliance alone does nothing until a conditional access policy consumes it.

Looking at device configuration for macOS, there are a number of settings, and in my opinion those settings address many organizations' requirements for Apple Mac management:

Device features
Device restrictions
Endpoint protection: looking to protect the device further by configuring the firewall and controlling where apps may be installed from? Gatekeeper will help with those requirements.
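The compliance evaluation described in the Compliance section above (SIP, OS version range, password, storage encryption, firewall, Gatekeeper, then the scheduled actions for non-compliance), modelled as an added Python example. This is not Intune's code or the post's own; the policy property names follow the shape of the Microsoft Graph macOSCompliancePolicy resource, while the policy values, the two device inventory records and the evaluation order are constructed for this example and are assumptions.

```python
"""Added example: evaluate a constructed macOS compliance policy against a
device's reported state and work out which non-compliance actions are due.
Policy keys mirror the Microsoft Graph macOSCompliancePolicy properties;
the values and device records below are constructed, not real tenant data."""
from typing import Dict, List, Optional, Tuple

# Gatekeeper app sources from most to least restrictive; index is the rank.
GATEKEEPER_RANK = ["macAppStore", "macAppStoreAndIdentifiedDevelopers", "anywhere"]

# Constructed policy (assumed values, not a recommendation).
POLICY = {
    "displayName": "macOS baseline (example)",
    "systemIntegrityProtectionEnabled": True,
    "osMinimumVersion": "10.14.6",
    "osMaximumVersion": None,
    "passwordRequired": True,
    "passwordMinimumLength": 8,
    "storageRequireEncryption": True,
    "firewallEnabled": True,
    "gatekeeperAllowedAppSource": "macAppStoreAndIdentifiedDevelopers",
    # Actions for non-compliance: notify at once, block after a 24h grace period.
    "scheduledActionsForRule": [
        {"actionType": "notification", "gracePeriodHours": 0},
        {"actionType": "block", "gracePeriodHours": 24},
    ],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'10.14.6' -> (10, 14, 6); '10.15' is padded to (10, 15, 0)."""
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (3 - len(parts))


def version_in_range(version: str, minimum: Optional[str], maximum: Optional[str]) -> bool:
    """True when version lies inside [minimum, maximum]; None means unbounded."""
    current = parse_version(version)
    if minimum and current < parse_version(minimum):
        return False
    if maximum and current > parse_version(maximum):
        return False
    return True


def evaluate(policy: Dict, device: Dict) -> List[str]:
    """Return the policy settings the device fails; an empty list means compliant."""
    failures: List[str] = []
    if policy.get("systemIntegrityProtectionEnabled") and not device["sipEnabled"]:
        failures.append("systemIntegrityProtectionEnabled")
    if not version_in_range(device["osVersion"], policy.get("osMinimumVersion"),
                            policy.get("osMaximumVersion")):
        failures.append("osVersion")
    if policy.get("passwordRequired"):
        if not device["passwordSet"]:
            failures.append("passwordRequired")
        elif device["passwordMinLength"] < policy.get("passwordMinimumLength", 0):
            failures.append("passwordMinimumLength")
    if policy.get("storageRequireEncryption") and not device["fileVaultEnabled"]:
        failures.append("storageRequireEncryption")
    if policy.get("firewallEnabled") and not device["firewallEnabled"]:
        failures.append("firewallEnabled")
    allowed = policy.get("gatekeeperAllowedAppSource")
    if allowed and GATEKEEPER_RANK.index(device["gatekeeperSource"]) > GATEKEEPER_RANK.index(allowed):
        failures.append("gatekeeperAllowedAppSource")
    return failures


def actions_due(policy: Dict, hours_noncompliant: float) -> List[str]:
    """Scheduled actions whose grace period has elapsed, in the order they fire."""
    rules = sorted(policy["scheduledActionsForRule"], key=lambda r: r["gracePeriodHours"])
    return [r["actionType"] for r in rules if hours_noncompliant >= r["gracePeriodHours"]]


# Constructed inventory records: the kind of signals an MDM agent reports.
COMPLIANT_MAC = {
    "deviceName": "mac-01", "osVersion": "10.15", "sipEnabled": True,
    "passwordSet": True, "passwordMinLength": 12, "fileVaultEnabled": True,
    "firewallEnabled": True, "gatekeeperSource": "macAppStoreAndIdentifiedDevelopers",
}
DRIFTED_MAC = {
    "deviceName": "mac-02", "osVersion": "10.14.5", "sipEnabled": True,
    "passwordSet": True, "passwordMinLength": 12, "fileVaultEnabled": True,
    "firewallEnabled": False, "gatekeeperSource": "anywhere",
}

if __name__ == "__main__":
    for mac in (COMPLIANT_MAC, DRIFTED_MAC):
        failures = evaluate(POLICY, mac)
        if failures:
            print(f"{mac['deviceName']}: noncompliant ({', '.join(failures)}); "
                  f"actions due after 30h: {actions_due(POLICY, 30)}")
        else:
            print(f"{mac['deviceName']}: compliant")
```

Running the file reports mac-01 as compliant and mac-02 as failing on OS version, firewall and Gatekeeper; after a 30-hour non-compliance window both the notification and the block action are due, which is the point at which a conditional access policy that requires a compliant device stops issuing tokens. Versions are compared as integer tuples padded to three parts because a plain string comparison ranks 10.9 above 10.14.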
Further configure firewall settings to decide what you'll allow in and which apps are allowed and/or blocked.

Certificates: Intune supports PKCS certificates for general and S/MIME purposes. Device-based and user-based certificates are both supported via SCEP.

VPN: many VPN settings are available, including third-party VPN support. Make note of on-demand and per-app VPN. Use a proxy server? No problem.

Wi-Fi: both Basic and Enterprise Wi-Fi profiles are supported, with various authentication types.

Customize with Apple Configurator: don't see a setting in the UI? Not to worry, as you can create a custom profile using Apple Profile Manager and/or Apple Configurator and upload the payload for delivery through Intune.

App deployment

Both line-of-business and Office apps are supported right from the UI. When selecting "Line-of-business app", the macOS app must be wrapped using the app wrapping tool for Mac, which wraps the app and gives it the extension .intuneMac. The tool is available on GitHub: https://github.com/msintuneappsdk/intune-app-wrapping-tool-mac To learn more about Mac app deployment with Intune, see: https://docs.microsoft.com/en-us/intune/lob-apps-macos One of my peers, Scott Duffey (@Scottduf), has a great post on this topic: https://blogs.technet.microsoft.com/microscott/deploying-apps-to-macs-using-microsoft-intune/ Note: as of this post only .pkg files are supported; the tool does not convert .dmg files to .pkg.

Microsoft + Jamf partnership

Microsoft also has a partnership with Jamf. Jamf provides macOS management as well, and if your organization currently uses Jamf and would like the benefits of integrating Jamf with Intune, you can do this today with Jamf Pro. So what does this mean? macOS devices managed by Jamf remain managed by Jamf when Intune comes into the picture (they are only registered with Intune, not enrolled), and integrating Jamf Pro with Intune provides a path for Jamf to send signals, in the form of inventory, to Intune.
Intune uses its compliance policies to evaluate the Jamf signals and in turn reports to Azure AD whether the device is compliant or not. The Azure AD conditional access policy then kicks in and, based on how you configured it, will either block the user or challenge them to remediate before accessing company resources. For more details about Intune and Jamf integration, see: https://docs.microsoft.com/en-us/intune/conditional-access-integrate-jamf Jamf also has a whitepaper about Intune integration: https://www.jamf.com/resources/technical-papers/integrating-with-microsoft-intune-to-enforce-compliance-on-macs/

That's it for now; however, Microsoft is always releasing updates for Intune. Check back monthly with What's new in Microsoft Intune, and be sure to check which Intune features are under development by visiting: https://docs.microsoft.com/en-us/intune/in-development

Article re-posted from https://uem4all.com/2019/03/11/intune-macos-management/

Microsoft Intune expands macOS app management support
New features in macOS Catalina and the consolidation of app, device and account management under Apple Business Manager are transforming how apps are developed, verified and distributed on macOS. This article describes how Microsoft Intune is investing in macOS management capabilities to ensure that IT admins are ready to effectively manage their growing fleet of macOS devices.

Microsoft Intune supports Zebra devices with Android Enterprise OEMConfig
Microsoft Intune is delighted to announce support for specialized configuration of Zebra Technologies devices deployed with Android Enterprise (AE). Zebra Technologies is a leading manufacturer of ruggedized devices used by several industries such as retail, healthcare, manufacturing, logistics, and more.