Please enjoy this blog post authored by Mark Manoukian, IT Director, Kegler, Brown, Hill & Ritter.
In 2011, Microsoft introduced an MDM solution known as Intune. Even without knowing anything specific about it, some of us find Intune immediately attractive for the simple reason that it’s baked into our existing M365 subscriptions. Ideally, if Microsoft’s MDM solution works, then it’s one less vendor relationship and contract to manage, and we can eliminate an expense.
Of course, it’s never that easy. For starters, Intune is now known as Endpoint Manager. The name change is intended to reflect Microsoft’s aspirations to fully incorporate SCCM’s PC management functionality into this solution – i.e. Intune provides MDM, whereas Endpoint Manager provides MDM and PC management. It makes sense. But that’s not to say that Microsoft, itself, has truly adopted the name change. There are numerous places within Endpoint Manager where it remains labeled as Intune.
If you spend much time managing a Microsoft 365 subscription, you’ll discover that you have an Azure admin portal and an Office 365 admin portal that offer duplicative admin tools but aren’t always exactly in sync with each other. Endpoint Manager appears in both admin portals. Which should you use? It doesn’t seem to make much difference whether you go in through “Intune” within the Azure admin portal or Microsoft Endpoint Manager within the O365 admin portal. Either way, you land on “https://endpoint.microsoft.com”. In general, and more recently, I’ve had better luck administering many functions through the O365 admin portal, so that’s how I’m getting to Endpoint Manager.
The UI is a bit overwhelming. It looks like some policy wonk engineer decided to add everything but the kitchen sink, and delivered in an interface designed by the creators of Where’s Waldo? It only adds to the confusion that PC management functions are co-mingled with mobile device management functions. And, it doesn’t help that Microsoft feels the need to move stuff around a little too much and too frequently.
But, it’s not all that bad. Once I learned my way around the interface, created my first policies and enrolled my first device I was pretty happy. Things are working in our pilot. Unlike the admin portal, the user facing management app that is installed on the smartphone – Company Portal – seems simple. It works on iPhone and Android, and displaces the older, clumsier Android management featureset.
Setting up my first BYOD Android device within Endpoint Manager was fairly straightforward. Do the following if you want to do what I did:
- Open the Office 365 Admin portal, not the Azure Admin portal.
- From there, open Endpoint Manager. ( Choose Show All in the navigation pane that runs down the left side of the portal to see all of the admin tools. )
- Choose Devices
- Choose Android
- Choose Compliance Policies
- Create An Android Compliance Policy
- You’ll know what to do when it comes to many of the options when creating a compliance policy, but maybe not all.
- Choose Android Enterprise, not Android Device Administrator. ( Device Administrator is the legacy management mode that Google has deprecated; new enrollments should use Android Enterprise. )
- You’ll see the various options – e.g. encryption… yes, require a passcode or biometrics to unlock the device, etc., etc.… yes – that you’ll want.
- I have a pet peeve that we have to assign the OS version manually – e.g. minimum OS version is 10 and max is 11. I’d rather have a choice of current plus X versions back, as I previously enjoyed on another MDM solution. Nevertheless, this is how it works. We just need to remember that as Google and makers of Android phones release new versions of Android, we need to edit the policy.
- Assign the policy to a group, ideally a pilot group or some such. ( Please know that just because you assign it to a group doesn’t mean that it immediately applies; rather, it becomes available to anyone in that group. It only applies once they have installed Company Portal on their mobile device, logged in and accepted the permissions that Company Portal requests during enrollment. )
- On the mobile device…
- Download the Company Portal app. I believe it now shows up as “Intune Company Portal”. ( Please know that there is still a “Microsoft Intune” app. You don’t want that app. It won’t hurt anything if you do install it, just waste your time. )
- Log in. ( You must use the login of a user who is a member of the group to which the Compliance Policy was assigned, as per the assignment step above. )
- When prompted, indicate whether it is a personal or firm device.
- Company Portal will display a list of the permissions that will be granted to the MDM administrator. Take a close look. Make sure that you agree.
- Finish the install on the mobile device.
- That’s it.
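The same policy can be created and assigned without clicking through the portal. The following is an added example, not code from the original post, that reproduces the portal steps above with the Microsoft Graph PowerShell SDK: it creates an Android Enterprise (work profile) compliance policy with the encryption, passcode and OS-version settings discussed, assigns it to a pilot group, and reads it back as a check. It assumes the Microsoft.Graph module is installed, that the signed-in account holds the Intune Administrator role, and that `$pilotGroupId` is replaced with your pilot group’s object ID (the value shown is a placeholder). Property names follow the `androidWorkProfileCompliancePolicy` resource type on the beta endpoint; verify them against the current Graph documentation before relying on them, since Microsoft does move things around.

```powershell
# Added example: build the BYOD Android compliance policy from the walkthrough via Microsoft Graph.
# Assumes: Install-Module Microsoft.Graph; an account with the Intune Administrator role.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your pilot group's object ID
$graph = "https://graph.microsoft.com/beta"

# Android Enterprise (work profile) policy, not the deprecated Android Device Administrator type.
$policy = @{
    "@odata.type"                         = "#microsoft.graph.androidWorkProfileCompliancePolicy"
    displayName                           = "BYOD Android - baseline"
    description                           = "Encryption, passcode, OS floor/ceiling for the pilot group"
    storageRequireEncryption              = $true          # device storage must be encrypted
    passwordRequired                      = $true          # passcode or biometrics to unlock
    passwordRequiredType                  = "atLeastNumeric"
    passwordMinimumLength                 = 6
    passwordMinutesOfInactivityBeforeLock = 15
    securityBlockJailbrokenDevices        = $true          # rooted devices are non-compliant
    securityRequireVerifyApps             = $true          # Google Play Protect must be enabled
    osMinimumVersion                      = "10"           # edit by hand as new Android releases ship
    osMaximumVersion                      = "11"
    # Graph rejects a compliance policy with no action for non-compliance;
    # mark the device non-compliant immediately (grace period of 0 hours).
    scheduledActionsForRule = @(
        @{
            ruleName                      = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"
Write-Host "Created compliance policy $($created.id)"

# Assign to the pilot group. Assignment only makes the policy available to members;
# it is evaluated once a member enrolls a device through Company Portal.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $pilotGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Check: read the policy back and confirm the settings and the group assignment took.
$check = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($created.id)?`$expand=assignments"
$check | Select-Object displayName, storageRequireEncryption, passwordRequired, osMinimumVersion, osMaximumVersion
$check.assignments | ForEach-Object { "Assigned to group: $($_.target.groupId)" }
```

Keeping the policy in a script like this also addresses the OS-version pet peeve: when a new Android release ships, bump `osMaximumVersion` (and, when you are ready, `osMinimumVersion`) in one place and re-run a PATCH against the policy ID rather than hunting for the setting in the portal.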
The steps outlined herein go toward ensuring the device complies with basic security requirements, and no more. Note that a compliance policy by itself only marks a device compliant or non-compliant; actually blocking non-compliant devices from mail and other M365 data requires a Conditional Access policy that requires a compliant device. Endpoint Manager is certainly capable of application management and deployment, and of separating work data from personal data. But these are lessons for another day.
More information on setting up Microsoft Endpoint Manager is available any number of places. The obvious is YouTube, but don’t forget about Microsoft resources, which you might have to go looking for. Here is a shortlist of decent resources:
Intune fundamentals | Microsoft Docs
Tutorial - Walkthrough Intune in Microsoft Endpoint Manager - Microsoft Intune | Microsoft Docs
Video Hub - Microsoft Tech Community
For the latest and greatest features in Endpoint Manager, revisit the Video Hub (above), and don’t forget to check out Microsoft Ignite, which ran March 2-4. The catalog is available after the fact. Search on both Intune and Microsoft Endpoint Manager. My favorite session re: MEM for mobile was probably:
MyIgnite - Thirty minutes of reasons to stay excited about Microsoft Endpoint Manager
Check it out. See you on the e-Groups. Let me know what I got right, and what I got wrong.