Intune Setup

This document provides an overview of Intune and how it can be used for enterprise mobility management. Intune provides both mobile device management (MDM) and mobile app management (MAM) capabilities. MDM allows organizations to enroll, configure, and manage devices, while MAM allows organizations to publish, configure, and secure apps and data on devices. Intune integrates with Azure Active Directory for identity and access control and with Azure Information Protection for data protection as part of the Enterprise Mobility Suite.


Table of Contents

Introduction
What is the Azure portal?
What is Intune for Education?
Intune features in Azure
Sign up for a free trial
What's new
What's new in the app UI
What's new archive (Azure portal)
What's new archive (classic portal)
Device and app lifecycles
Device lifecycle
App lifecycle
Common scenarios
Known issues
Get support
Plan deployment
Planning guide
Determine goals and objectives
Identify scenarios
Determine requirements
Develop a rollout plan
Develop a communication plan
Develop a support plan
Design
Implement
Test and validate
Additional resources
Migration guide
Prepare Intune
Migration campaign
How to
Set up Intune
Prerequisites
Sign into Intune
Configure domains
Add users
Assign licenses
Customize Company Portal
Set the MDM authority
Enroll devices
Setup options
Set up Windows enrollment
Set up Android enrollment
Set up iOS enrollment
Set up macOS enrollment
Manage devices
Wipe device
Bypass activation lock
Factory reset device
Manage Windows Fresh Start
Locate lost iOS device
Enable iOS lost mode
Lock device
Remove company data
Reset passcode
Restart device
Logout current user
Remove user
Remote control for Android
Examine device inventory
Manage users
Get started with groups
Manage apps
Add apps
Assign apps
Monitor apps
iOS app configuration profiles
Android app configuration profiles
Use iOS app provisioning profiles
Selectively wipe apps
Work with volume-purchased apps and books
Configure the Company Portal app
Configure the Managed Browser
Configure devices
Configure device profiles
Configure device features
Configure device restrictions
Configure email settings
Configure VPN settings
Configure Wi-Fi settings
Configure Windows 10 edition upgrade settings
Windows 10 endpoint protection
Configure Windows 10 education settings
Configure iOS education settings
Configure iOS education shared devices
Configure Windows Update for Business settings
Configure certificates
Configure Windows Information Protection settings
Assign profiles
Monitor profiles
Troubleshoot profiles
Set device compliance
Prerequisites
Create Android policy
Create Android for Work policy
Create iOS policy
Create Windows policy
Create Actions for noncompliance
Monitor device compliance
Set up conditional access
Common ways to use conditional access
App-based conditional access
Install Exchange on-premises connector
Create and assign conditional access policy
Set up app-based conditional access
ADAL and Intune
Monitor conditional access compliance
Protect app and device data
Use app protection policies
Mobile Threat Defense
Network access control
Set up Windows Hello
Manage roles
Use the helpdesk operator role
Manage PCs with software agent
Compare PC management
Install the PC client
Common PC management tasks
Policies to protect Windows PCs
Add apps for Intune client PCs
Manage license agreements
Resolve policy conflicts
Educate users
Company Portal messages
MAM-enabled apps on Android
MAM-enabled apps on iOS
How to get Android apps
How to get iOS apps
How to get Windows apps
Monitor and troubleshoot
Monitor telecom expenses
Develop and customize
Configure custom device settings
Android
iOS
macOS
Windows Phone 8.1
Windows 10
Android for Work
Prepare LOB apps for MAM
App Wrapping Tool for iOS
App Wrapping Tool for Android
Sideload Windows apps
Intune App SDK
Get started with Intune App SDK
Intune App SDK for iOS
Intune App SDK for Android
Intune App SDK Cordova plugin
Intune App SDK Xamarin component
How to use Intune Graph APIs
Intune Graph API
Glossary
What is Intune?
6/19/2017 6 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

Intune is a cloud-based enterprise mobility management (EMM) service that helps enable your workforce to be
productive while keeping your corporate data protected. With Intune, you can:
Manage the mobile devices your workforce uses to access company data.
Manage the mobile apps your workforce uses.
Protect your company information by helping to control the way your workforce accesses and shares it.
Ensure devices and apps are compliant with company security requirements.
Intune integrates closely with Azure Active Directory (Azure AD) for identity and access control, and Azure
Information Protection for data protection.
Together, Office 365 and EMS enable your workforce to be productive on all of their devices while keeping your
organization's information protected. Office 365 with EMS is a complete, integrated suite for enterprise mobility
inclusive of productivity, identity, access control, management, and data protection. It gives you an effective way to
deploy and operate a mobility solution in your organization.

How does Intune work?


Intune provides mobile device management (MDM) and mobile app management (MAM). Intune's MDM and MAM
features then contribute to the EMS suite of data protection and compliance scenarios.
How you'll use the MDM/MAM features of Intune and EMS data protection depends on the business problem
you're trying to solve. For example:
You'll make strong use of MDM if you're creating a pool of single-use devices to be shared by shift workers in a
retail store.
You'll lean on MAM and data protection if you allow your workforce to use their personal devices to access
corporate data (BYOD).
If you are issuing corporate phones to information workers, you'll rely heavily on all of the technologies.

Intune mobile device management (MDM) explained


MDM works by using the protocols or APIs that are available in the mobile operating systems. It includes tasks like:
Enrolling devices into management so IT has an inventory of devices that are accessing corporate services
Configuring devices to ensure they meet company security and health standards
Providing certificates and Wi-Fi/VPN profiles to access corporate services
Reporting on and measuring device compliance to corporate standards
Removing corporate data from managed devices
Sometimes, people think that access control to corporate data is an MDM feature. We don't think of it that way
because it isn't something that the mobile operating system provides. Rather, it's something the identity provider
delivers. In our case, the identity provider is Azure Active Directory (Azure AD), Microsoft's identity and access
management system.
Intune integrates with Azure AD to enable a broad set of access control scenarios. For example, you can require a
mobile device to be compliant with corporate standards as defined in Intune before the device can access a
corporate service like Exchange. Likewise, you can lock down the corporate service to a specific set of mobile apps.
For example, you can lock down Exchange Online to only be accessed by Outlook or Outlook Mobile.

Intune mobile app management (MAM) explained


When we talk about MAM, we are talking about the set of things our solutions enable IT Pros to do with mobile
apps, such as:
Publishing mobile apps to employees
Configuring apps
Controlling how corporate data is used and shared in mobile apps
Removing corporate data from mobile apps
Updating mobile apps
Reporting on mobile app inventory
Tracking mobile app usage
We have seen the term MAM used to mean any one of those things individually or to mean specific combinations.
In particular, it's common for folks to conflate the concept of app configuration (that is, using technologies like
managed app configuration on iOS) with the concept of securing corporate data within mobile apps. That's
because some mobile apps expose settings that allow their data security features to be configured.
That, in combination with operating system features for protecting data (for example, MDM features such as
Windows Information Protection on Windows 10), gives a lot of protection to data on mobile devices.
When you use Intune with the other services in EMS, you can provide your organization mobile app security over
and above what is provided by the mobile operating system and the mobile apps themselves through app
configuration. An app that is managed with EMS has access to a broader set of mobile app and data protections
that includes:
Single sign-on
Multi-factor authentication
App conditional access - allow access if the mobile app contains corporate data (Classic console)
Isolating corporate data from personal data inside the same app (Classic console)
App protection policy (PIN, encryption, save-as, clipboard, etc.) (Classic console)
Corporate data wipe from a mobile app
Rights management support
Intune mobile app security
Providing app security is a part of MAM, and in Intune, when we talk about mobile app security, we mean:
Keeping personal information isolated from corporate IT awareness
Restricting the actions users can take with corporate information such as copy, cut/paste, save, and view
Removing corporate data from mobile apps, also known as selective wipe or corporate wipe
One way that Intune provides mobile app security is through its app protection policy feature. App protection
policy uses Azure AD identity to isolate corporate data from personal data. Data that is accessed using a corporate
credential will be given additional corporate protections.
When a user logs on to her device with her corporate credentials, her corporate identity allows her access to data
that is denied to her personal identity. As that corporate data is used, Intune, along with other EMS technologies,
controls how it is saved and shared. Those same protections are not applied to data that is accessed when the user
logs on to her device with her personal identity. In this way, IT has control of corporate data while the end user
maintains control and privacy over personal data.

EMM with and without device enrollment


Most enterprise mobility management solutions support basic mobile device and mobile app technologies. These
are usually tied to the device being enrolled in your organization's MDM solution. Intune supports these scenarios
and additionally supports many without enrollment scenarios.
Organizations differ to the extent they will adopt without enrollment scenarios. Some organizations standardize
on it. Some allow it for companion devices such as a personal tablet. Others don't support it at all. Even in this last
case, where an organization requires all employee devices to be enrolled in MDM, these organizations typically
support "without enrollment" scenarios for contractors, vendors, and for other devices that have a specific
exemption.
You can even use Intune's without-enrollment technology on enrolled devices. For example, a device enrolled in
MDM may have open-in protections provided by the mobile operating system. (Open-in protection is an iOS
feature that restricts you from opening a document from one app, like Outlook, into another app, like Word, unless
both apps are managed by the MDM provider.) In addition, IT may apply the app protection policy to EMS-
managed mobile apps to control save-as or to provide multi-factor authentication.
Whatever your organization's position on enrolled and unenrolled mobile devices and apps, Intune, as a part of
EMS, has tools that will help increase your workforce productivity while protecting your corporate data.
Common business problems that Intune helps solve
The following list of business problems links to more detailed information about the solutions we can provide. Only
the last item requires MDM enrollment as part of the solution:
Protect your on-premises email and data so that it can be accessed by mobile devices
Protect your Office 365 mail and data so that it can be safely accessed by mobile devices
Issue corporate-owned phones to your workforce
Offer a bring-your-own-device (BYOD) or personal device program to all employees
Enable your employees to securely access Office 365 from an unmanaged public kiosk
Issue limited-use shared tablets to your task workers
Next steps
Read about some of the common ways to use Intune (Classic console).
Get familiar with the product with a 30-day trial of Intune (Classic console).
Dive into the technical requirements and capabilities (Classic console) of Intune.
Introduction to Microsoft Intune in the Azure portal
6/28/2017 2 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go here.

Microsoft Intune is now in the Azure portal, meaning that the workflows and functionality you are used to are now
different. The new portal offers you new and updated functionality in the Azure portal where you can manage your
organization's mobile devices, PCs, and apps.

IMPORTANT
Don't see the new portal yet?
Existing tenants are being migrated to the new experience. A notification is shown in the Office Message Center before your
tenant migrates.
Intune accounts created before January 2017 require a one-time migration before Apple Enrollment workflows are available
in Azure. The schedule for migration has not been announced yet. If your existing account cannot access the Azure portal, we
recommend creating a trial account.
Review the list of potential blockers: https://blogs.technet.microsoft.com/intunesupport/2017/05/17/intune-migration-blockers-for-grouping-targeting/

You can find information about the new portal in this library, and it is continually updated. If you have suggestions
you'd like to see, leave feedback in the topic comments. We'd love to hear from you.
Highlights of the new experience include:
An integrated console for all your Enterprise Mobility + Security (EMS) components
An HTML-based console built on web standards
Microsoft Graph API support to automate many actions
Azure Active Directory (AD) groups to provide compatibility across all your Azure applications
Support for most modern web browsers
If you are looking for documentation for the classic Intune console, see the Intune documentation library.
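One of the highlights listed above is Microsoft Graph API support. The following is an added example, not code from this documentation or from Microsoft: it builds a server-side filtered query for noncompliant managed devices and follows @odata.nextLink paging to the end, which is the step most ad-hoc reporting scripts skip and the reason they under-report once a tenant outgrows one page. The endpoint (v1.0 deviceManagement/managedDevices; Intune's Graph surface was still in beta when this page was written), the permission name, token acquisition and the two-page sample response are assumptions or constructed data, not taken from the page.

```python
"""
List noncompliant Intune devices via Microsoft Graph, following OData paging.

Added example, not Microsoft's or the page's code. Assumptions (not on this page):
  - endpoint: GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices
    (Intune's Graph surface was still beta when this page was written)
  - a Graph bearer token has already been acquired (Azure AD app registration
    with DeviceManagementManagedDevices.Read.All); acquisition is out of scope
  - `get` is any callable url -> parsed JSON dict, so paging is testable offline
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
Getter = Callable[[str], Dict]


def managed_devices_url(compliance_state: Optional[str] = None) -> str:
    """Collection URL with a server-side $filter on complianceState when given."""
    params = {"$select": "id,deviceName,operatingSystem,complianceState,lastSyncDateTime"}
    if compliance_state:
        params["$filter"] = "complianceState eq '%s'" % compliance_state
    # keep $ , and ' literal; encode spaces as %20 rather than '+'
    query = urllib.parse.urlencode(params, safe="$',", quote_via=urllib.parse.quote)
    return "%s/deviceManagement/managedDevices?%s" % (GRAPH, query)


def http_get(url: str, token: str) -> Dict:
    """Real transport: one authenticated Graph GET. Not exercised offline."""
    req = urllib.request.Request(url, headers={
        "Authorization": "Bearer " + token,
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_pages(url: str, get: Getter) -> Iterator[Dict]:
    """Yield every object in a collection, following @odata.nextLink to the end.

    Graph returns one page per response, so reading only the first page silently
    drops devices from any report once a tenant outgrows the page size.
    """
    visited = set()
    while url:
        if url in visited:  # a misbehaving or spoofed nextLink must not loop forever
            raise RuntimeError("@odata.nextLink cycle at %s" % url)
        visited.add(url)
        page = get(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def noncompliant_devices(get: Getter) -> List[Dict]:
    """All devices whose complianceState is 'noncompliant', across every page."""
    return list(iter_pages(managed_devices_url("noncompliant"), get))


def summarize_by_os(devices: List[Dict]) -> Dict[str, int]:
    """Count devices per operatingSystem value for a quick compliance overview."""
    counts: Dict[str, int] = {}
    for dev in devices:
        os_name = dev.get("operatingSystem", "unknown")
        counts[os_name] = counts.get(os_name, 0) + 1
    return counts


def sample_pages() -> Dict[str, Dict]:
    """Constructed two-page Graph response; the skiptoken value is made up."""
    first = managed_devices_url("noncompliant")
    second = first + "&$skiptoken=page2"
    return {
        first: {"value": [
            {"id": "d1", "deviceName": "RETAIL-IPAD-01", "operatingSystem": "iOS",
             "complianceState": "noncompliant"},
            {"id": "d2", "deviceName": "LAPTOP-07", "operatingSystem": "Windows",
             "complianceState": "noncompliant"},
        ], "@odata.nextLink": second},
        second: {"value": [
            {"id": "d3", "deviceName": "ANDROID-WORK-3", "operatingSystem": "Android",
             "complianceState": "noncompliant"},
        ]},
    }


def fake_graph(pages: Dict[str, Dict]) -> Getter:
    """Offline stand-in for http_get, backed by the constructed pages."""
    return lambda url: pages[url]


if __name__ == "__main__":
    devices = noncompliant_devices(fake_graph(sample_pages()))
    print(len(devices), "noncompliant devices", summarize_by_os(devices))
    # Against a real tenant: noncompliant_devices(lambda u: http_get(u, TOKEN))
```

Swapping `fake_graph(...)` for `lambda u: http_get(u, TOKEN)` runs the same paging logic against a tenant; the cycle check on nextLink is cheap insurance against a proxy or a misbehaving endpoint handing back the same URL forever.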

Before you start


To use Intune in the Azure portal, you must have an Intune admin and tenant account. Sign up for an account if you
don't already have one.

Supported web browsers for the Azure portal


The Azure portal runs on most modern PCs, Macs, and tablets. Mobile phones are not supported. Currently, the
following browsers are supported:
Microsoft Edge (latest version)
Microsoft Internet Explorer 11
Safari (latest version, Mac only)
Chrome (latest version)
Firefox (latest version)
Check the Azure portal for the latest information about supported browsers.

What's in this library?


The documentation reflects the layout of the Intune portal to make it easier to find the information you need.

Introduction and get started


This section contains introductory information that helps you get started using Intune.
Plan and design
Information to help you plan and design your Intune environment.
Device enrollment
How to get your devices managed by Intune.
Device compliance
Define a compliance level for your devices, then report any devices that are not compliant.
Device configuration
Understand the profiles you can use to configure settings and features on devices you manage.
Devices
Get to know the devices you manage with inventory and reports.
Mobile apps
How to publish, manage, configure, and protect apps.
Conditional access
Restrict access to Exchange services depending on conditions you specify.
On-premises access
Configure access to Exchange ActiveSync, and Exchange on-premises
Users
Learn about the users of devices you manage and sort resources into groups.
Groups
Learn about how you can use Azure Active Directory groups with Intune
Intune roles
Control who can perform various Intune actions, and who those actions apply to. You can either use the built-in
roles that cover some common Intune scenarios, or you can create your own roles.
Software updates
Learn about how to configure software updates for Windows 10 devices.

What's new?
Find out what's new in Intune.
What is Intune for Education?
6/19/2017 1 min to read

Intune for Education is designed to enable your teachers and students to be productive while keeping school data
protected. Intune is a cloud-based enterprise mobility management (EMM) service that is the foundation for Intune
for Education.

Intune for Education lets you manage Windows 10 devices using the full MDM capabilities available in Intune.
Intune can also manage additional platforms, such as iOS and Android, and is designed to let you access the full set
of policies in the same console.
Intune for Education can be used by itself, or in harmony with the full device management experience available in
Intune. It can also be used alongside the rest of the tools available in Microsoft Education, which makes it easy for
you to use Intune for Education with other useful educational tools from Microsoft.

With both Intune and Intune for Education, you can:


Manage the mobile devices your workforce uses to access data.
Manage the mobile apps your users access every day.
Protect your organizational information by helping to control the way your users access and share it.
Ensure devices and apps are compliant with security requirements.
Next steps
Get familiar with the product with a 30-day trial of Intune.
Read about the quickest way to start using Intune for Education.
Dive into the technical requirements and capabilities of Intune.
Where did my Intune feature go in Azure?
6/19/2017 4 min to read

We took the opportunity to organize some tasks more logically as we moved Intune into the Azure portal. But every
improvement comes with the cost of learning the new organization. So, we created this reference guide for those of
you who are thoroughly familiar with Intune in the classic console and are wondering how to get something done
in Intune on Azure. If this article doesn't cover a feature you're trying to find, please leave a comment at the end of
the article so we can update it.

Quick reference guide


FEATURE | PATH IN CLASSIC CONSOLE | PATH IN INTUNE ON AZURE
Device Enrollment Program (DEP) | Admin > Mobile Device Management > iOS and Mac OS X > Device Enrollment Program | Device enrollment > Apple Enrollment > Enrollment Program Token
Device Enrollment Program (DEP) | Admin > Mobile Device Management > iOS and Mac OS X > Device Enrollment Program | Device enrollment > Apple Enrollment > Enrollment Program Serial Numbers
Enrollment Rules | Admin > Mobile Device Management > Enrollment Rules | Device enrollment > Enrollment Restrictions
Groups by iOS Serial Number | Groups > All Devices > Corporate Pre-enrolled devices > By iOS Serial Number | Device enrollment > Apple Enrollment > Enrollment Program Serial Numbers
Groups by iOS Serial Number | Groups > All Devices > Corporate Pre-enrolled devices > By iOS Serial Number | Device enrollment > Apple Enrollment > AC Serial Numbers
Groups by IMEI (all platforms) | Groups > All Devices > Corporate Pre-enrolled devices > By IMEI (All platforms) | Device enrollment > Corporate Device Identifiers
Corporate Device Enrollment profile | Policy > Corporate Device Enrollment | Device enrollment > Apple Enrollment > Enrollment Program Profiles
Corporate Device Enrollment profile | Policy > Corporate Device Enrollment | Device enrollment > Apple Enrollment > AC Profiles
Android for Work | Admin > Mobile Device Management > Android for Work | Device enrollment > Android for Work Enrollment
Terms and Conditions | Policy > Terms and Conditions | Device enrollment > Terms and Conditions

AC = Apple Configurator.

Where do I manage groups?


Intune on Azure uses Azure Active Directory (AD) to manage groups.

Where did enrollment rules go?


In the classic console, you could set rules governing the MDM enrollment of mobile and modern Windows and
macOS devices:

These rules applied to all users in your Intune account without exception. In the Azure portal these rules now
appear as two distinct policy types: Device Type Restrictions and Device Limit Restrictions:

The default Device Limit Restriction corresponds to the Device Enrollment Limit in the classic console:
The default Device Type Restriction corresponds to the Platform Restrictions in the classic console:

The ability to allow or block personally owned devices is now managed under the Device Type Restrictions
Platform Configurations:

New restriction capabilities will be added to the Azure Portal only.

Where did Apple DEP go?


In the classic console, you could set up Intune to integrate with Apple's Device Enrollment Program and manually
request synchronization with Apple's service:
In the Azure portal, you set up Apple Device Enrollment Program with the same steps as in Intune classic:

However, the Sync option in the classic console has been moved to the serial number management workflow, since
the results of a manual sync appear there:

Where did corporate pre-enrolled devices go?


By iOS serial number
In the classic console, you can enroll iOS devices through the Apple Device Enrollment Program (DEP) and the
Apple Configurator tool. Both methods offer device pre-enrollment by serial number and involve the assignment of
special Corporate Device Enrollment profiles. Prior to enrollment, the enrollment profile assignment can be
managed through the Corporate Pre-enrolled Device by iOS Serial Number device group:

This lists serial numbers for both Apple DEP and Configurator enrollment in a single list. To reduce profile
assignment mismatches (DEP profile to AC serial number and vice-versa), we have separated the serial numbers into
two lists in the Azure portal:
DEP serial numbers

Apple Configurator serial numbers


By IMEI (all platforms)
In the classic console, you can pre-list the IMEI numbers of devices to mark them as corporate when they enroll
in Intune:

In the Azure console, you must upload the same IMEI to the Corporate Device Identifiers list with a comma-
separated-values (CSV) file. The new portal will not support manual entry of IMEI numbers:
Intune in the Azure portal is future-proofed to support other types of identifiers beside IMEI, but currently only
allows IMEI numbers for pre-listing.
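Because the Azure portal only accepts the IMEI list as a CSV upload, it is worth validating the file before uploading it: a mistyped IMEI silently marks the wrong handset as corporate, or leaves the intended one treated as personal. The following is an added example, not Microsoft's code or part of this documentation. It assumes the header-less two-column format (IMEI, details) and the 5,000-row and 128-character limits that the Intune docs of the time described, which are not stated on this page, and it uses the Luhn check digit that every IMEI carries to catch typos; the sample IMEIs are documentation test values, not real devices.

```python
"""
Validate a list of IMEIs and write the Corporate Device Identifiers CSV for Intune.

Added example, not Microsoft's code. Assumptions (not stated on this page):
  - the upload is a two-column CSV with no header row: <IMEI>,<details>
    (the Intune docs of the time described it that way; confirm in your portal)
  - at most 5,000 rows per upload and 128 characters of details per row
  - an IMEI is 15 digits whose last digit is a Luhn (mod 10) check digit
"""
import csv
import io
import re
from typing import Iterable, List, Tuple

IMEI_RE = re.compile(r"^\d{15}$")
MAX_ROWS = 5000       # assumed portal limit per upload
MAX_DETAIL_LEN = 128  # assumed limit for the details column

Row = Tuple[str, str]


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by IMEIs.

    From the right: double every second digit, subtract 9 if that exceeds 9,
    and the sum of all digits must be divisible by 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_imei(raw: str) -> str:
    """Strip the spaces and dashes that phone UIs, labels and spreadsheets insert."""
    return re.sub(r"[\s\-]", "", raw)


def validate_imeis(entries: Iterable[Row]) -> Tuple[List[Row], List[Row]]:
    """Split (imei, details) pairs into accepted rows and (imei, reason) rejects.

    Rejects: wrong length, failed check digit (almost always a typo), duplicates,
    and over-long details. Raises if the accepted list exceeds one upload.
    """
    accepted: List[Row] = []
    rejected: List[Row] = []
    seen = set()
    for raw_imei, details in entries:
        imei = normalize_imei(raw_imei)
        if not IMEI_RE.match(imei):
            rejected.append((raw_imei, "not 15 digits"))
        elif not luhn_valid(imei):
            rejected.append((raw_imei, "check digit mismatch (typo?)"))
        elif imei in seen:
            rejected.append((raw_imei, "duplicate"))
        elif len(details) > MAX_DETAIL_LEN:
            rejected.append((raw_imei, "details longer than %d chars" % MAX_DETAIL_LEN))
        else:
            seen.add(imei)
            accepted.append((imei, details))
    if len(accepted) > MAX_ROWS:
        raise ValueError("split the list: more than %d rows per upload" % MAX_ROWS)
    return accepted, rejected


def to_csv(rows: Iterable[Row]) -> str:
    """Render accepted rows as the header-less two-column CSV the portal imports.

    csv.writer quotes a details field that itself contains a comma.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for imei, details in rows:
        writer.writerow([imei, details])
    return buf.getvalue()


# Constructed sample input; the IMEIs are documentation test values, not real devices.
SAMPLE_INPUT = [
    ("49 015420 323751 8", "Retail store 12 shared iPad"),
    ("356938035643809", "Field engineer Android for Work"),
    ("490154203237519", "typo: last digit changed"),
    ("490154203237518", "duplicate of the first row"),
    ("12345", "too short"),
]

if __name__ == "__main__":
    ok, bad = validate_imeis(SAMPLE_INPUT)
    print(to_csv(ok), end="")
    for imei, reason in bad:
        print("rejected %s: %s" % (imei, reason))
```

Feed the real device list in place of SAMPLE_INPUT, fix every rejected row at the source, then upload the printed CSV through Device enrollment > Corporate Device Identifiers.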

Where did Corporate Device Enrollment profiles go?


To enroll iOS devices through the Apple Device Enrollment Program or with the Apple Configurator tool, you must
supply a Corporate Device Enrollment profile to be assigned to the device. In the classic console, the creation and
management of these profiles was located in a single list:

This list shows profiles enabled for use with the Apple Device Enrollment Program (DEP On) and profiles only
enabled for use with the Apple Configurator tool (DEP Off).
To reduce confusion between the two profile types and potential mismatched assignments (DEP profile to
Configurator devices and vice-versa), we have separated creation and management of Enrollment Program profiles
(supporting both Apple's Device Enrollment Program and Apple School Manager) and Apple Configurator profiles:
DEP profiles
Apple Configurator profiles
Sign up for a Microsoft Intune free trial for the Azure
portal
6/29/2017 2 min to read

This article walks you through signing up for a trial of Intune standalone for the Azure portal.
1. Visit the Intune Sign up page and fill out the form to sign up for a trial subscription.
If most of your IT operations and users are in a different locale than you, you may want to select that locale
under Where's your company located?.
2. At the end of the sign-up process, you get a message with your new account information.

At this point, if you click You're ready to go, you are taken to the Office 365 Admin Center, where you can
add users to your test environment.

However, if you want to go directly into the Intune Azure portal, open a new browser window, and enter
https://portal.azure.com in the address bar. You are taken to the Azure sign-in page where you can use
the credentials you were given to sign in. Use this address whenever you want to sign into your Intune trial.
The first time you sign on to the Intune Azure portal, you may not see Intune on your Azure dashboard. To add the
Intune service to your Azure dashboard:
1. Choose More services > in the list of Azure services to the left of the dashboard, and enter Intune in the
search box.
2. Choose Intune from the list, and select the star to add the service to the list of services.
3. Then choose Intune in the list of services to open the Intune dashboard.
When you sign up for a trial, you will also receive an email message that contains your account information at the
email address that you provided during the sign-up process. This email confirms your trial is active.

Keeping the admin experiences straight


There are three portals you use when working with Intune in the Azure portal:
The Intune dashboard in Azure (portal.azure.com) where you can explore the capabilities of Intune in the Azure
portal.
The Office 365 Admin center (portal.office.com) where you can add and manage users if you are not using
Azure Active Directory for that. You can also manage other aspects of your account, including billing and
support.
The classic Intune admin console (manage.microsoft.com) where you can explore features that have not yet
been added to Azure.
Normally, you'll do your work in the Intune dashboard, shown below. This is the site where you set up and manage
your groups, policies, devices, and apps.
You can go to the classic Intune admin console from the dashboard by choosing Classic portal at the top of your
dashboard.
To return to the Intune Azure portal, enter https://portal.azure.com in your browser address bar and then choose
Intune again from the services list.

You use the Office 365 Admin center, shown below, to add and manage your users and other aspects of your
account, including billing and support.
To go from the Office 365 Admin center to the Intune dashboard, enter https://portal.azure.com in your browser
address bar. Choose Intune in the services list.
To get from Intune back to the Office 365 Admin center, enter https://portal.office.com in your browser address
bar. If you are already logged into Intune, you will be taken directly to the Office 365 Admin Center.

Next steps
Intune on Azure
Learn more about Intune in the Azure portal
Classic Intune
Evaluation scenario: Evaluate mobile device management in Microsoft Intune
Integration with other products
Learn more about using your Azure Active Directory user accounts with Intune:
Identity requirements
Directory synchronization requirements
Multi-factor authentication requirements
Learn more about using Intune with System Center Configuration Manager
What's new in Microsoft Intune
6/30/2017 18 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go here.

Learn what's new each week in Microsoft Intune. You can also find out about upcoming changes, important
notices about the service, and information about past releases.

NOTE
Many of these features will eventually be supported for hybrid deployments with Configuration Manager. For more
information about new hybrid features, check out our hybrid What's New page.

Week of June 26th, 2017


Role-based access control
New role-based administration access for Intune admins
A new conditional access admin role is being added to view, create, modify, and delete Azure AD Conditional
Access policies. Previously, only global admins and security admins had this permission. Intune admins can be
granted with this role permission so that they have access to conditional access policies.
Device enrollment
Tag corporate-owned devices with serial number
Intune now supports uploading iOS, macOS, and Android serial numbers as Corporate Device Identifiers. You
can't use serial numbers to block personal devices from enrolling at this time because serial numbers are not
verified during enrollment. Blocking personal devices by serial number will be released in the near future.
Device management
New remote actions for iOS devices
In this release, we've added two new remote device actions for iOS devices:
Logout current user - Logs out the current user of an iOS device you choose.
Remove user - Deletes a user you choose from the local cache on an iOS device.
Using these remote actions, admins are able to manage the user accounts cached on a shared iPad and also log
out the user currently logged into the device.
During enrollment, the admin determines the maximum number of user accounts that can be cached on a device.
"Remove user" allows admins to remove specific users that are cached.
"Logout current user" will log out the user that's currently logged in to the device. This action can be found at the
top of the device overview blade where device actions traditionally exist.
"Remove user" will delete a specified user from the local cache of the device. This action can be found by
navigating to "Monitor" -> "Users" -> right click on a specific user in the list. Any data that is associated with the
user account that hasn't been synced will be lost. Also, it may take up to 24 hours for the user list to reflect that the
user has been removed.
Support for shared iPads with the iOS Classroom app
In this release, we've expanded the support for managing the iOS Classroom app to include students who log into
shared iPads using their managed Apple ID.
App management
Support for offline apps from the Windows Store for Business
Offline apps you purchased from the Windows Store for Business will now be synchronized to the Intune portal.
You can then deploy these apps to device groups, or user groups. Offline apps are installed by Intune, and not by
the store.
Microsoft Teams is now part of the App-based CA list of approved apps
The Microsoft Teams app for iOS and Android is now part of the approved apps for app-based conditional access
policies for Exchange and SharePoint Online. The app can be configured through the Intune App Protection blade
in the Azure portal for all tenants currently using app-based conditional access.
Managed browser and app proxy integration
The Intune Managed Browser can now integrate with the Azure AD Application Proxy service to let users access
internal web sites even when they are working remotely. Users of the browser simply enter the site URL as they
normally would and the Managed Browser routes the request through the application proxy web gateway. For
more information, see Manage Internet access using Managed browser policies.
New app configuration settings for the Intune Managed Browser
In this release, we've added further configurations for the Intune Managed Browser app. You can now use an app
configuration policy to configure the default home page and bookmarks for the browser. This is currently for
Android devices only, but will be available soon for iOS devices. For more information, see Manage Internet access
using Managed browser policies.
Device configuration
BitLocker settings for Windows 10
You can now configure BitLocker settings for Windows 10 devices using a new Intune device profile. For example,
you can require that devices are encrypted, and also configure further settings that are applied when BitLocker is
turned on. For more information, see Endpoint protection settings for Windows 10 and later.
New settings for Windows 10 device restriction profile
In this release, we've added new settings for the Windows 10 device restriction profile, in the following categories:
Windows Defender
Cellular and connectivity
Locked screen experience
Privacy
Search
Windows Spotlight
Edge browser
For more information about Windows 10 settings, see Windows 10 and later device restriction settings.

Week of June 12, 2017


Company Portal app for Android now has a new end user experience for App Protection Policies
Based on customer feedback, we've modified the Company Portal app for Android to show an Access Company
Content button. The intent is to prevent end users from unnecessarily going through the enrollment process
when they only need to access apps that support App Protection Policies, a feature of Intune mobile application
management. You can see these changes on the what's new in app UI page.
New menu action to easily remove Company Portal
Based on user feedback, the Company Portal app for Android has added a new menu action to initiate the removal
of Company Portal from your device. This action removes the device from Intune management so that the app can
be removed from the device by the user. You can see these changes on the what's new in app UI page and in the
Android end user documentation.
Improvements to app syncing with Windows 10 Creators Update
The Company Portal app for Windows 10 will now automatically initiate a sync for app install requests for devices
with Windows 10 Creators Update (version 1703). This will reduce the issue of app installs stalling during the
"Pending Sync" state. In addition, users will be able to manually initiate a sync from within the app. You can see
these changes on the what's new in app UI page.
New guided experience for Windows 10 Company Portal
The Company Portal app for Windows 10 will include a guided Intune walkthrough experience for devices that
have not been identified or enrolled. The new experience provides step-by-step instructions that guide the user
through registering into Azure Active Directory (required for Conditional Access features) and MDM enrollment
(required for device management features). The guided experience will be accessible from the Company Portal
home page. Users can continue to use the app if they do not complete registration and enrollment, but will
experience limited functionality.
This update is only visible on devices running Windows 10 Anniversary Update (build 1607) or higher. You can
see these changes on the what's new in app UI page.

Week of June 5, 2017


Microsoft Intune and Conditional Access admin consoles are generally available
We're announcing the general availability of both the new Intune on Azure admin console and the Conditional
Access admin console. Through Intune on Azure, you can now manage all Intune MAM and MDM capabilities in
one consolidated admin experience, and leverage Azure AD grouping and targeting. Conditional access in Azure
brings rich capabilities across Azure AD and Intune together in one unified console. And from an administrative
experience, moving to the Azure platform allows you to use modern browsers.
Intune is now visible without the preview label in the Azure console at portal.azure.com.
There is no action required for existing customers at this time, unless you have received one of a series of
messages in the message center requesting that you take action so that we can migrate your groups. You may
have also received a message center notice informing you that migration is taking longer due to bugs on our side.
We are diligently continuing work to migrate any impacted customer.
Improvements to the app tiles in the Company Portal app for iOS
We updated the design of the app tiles on the homepage to reflect the branding color you set for the Company
Portal. For more information, see what's new in app UI.
Account picker now available for the Company Portal app for iOS
Users of iOS devices might see our new account picker when they sign into the Company Portal if they use their
work or school account to sign into other Microsoft apps. For more information, see what's new in app UI.

Week of May 29, 2017


Change your MDM authority without unenrolling managed devices
You can now change your MDM authority without having to contact Microsoft Support, and without having to
unenroll and reenroll your existing managed devices. In the Configuration Manager console, you can change your
MDM authority from "Set to Configuration Manager (hybrid)" to "Microsoft Intune (standalone)" or vice versa.
Improved notification for Samsung KNOX startup PINs
When end users need to set a start-up PIN on Samsung KNOX devices to become compliant with encryption, the
notification displayed to end users will bring them to the exact place in the Settings app when the notification is
tapped. Previously, the notification brought the end user to the password change screen.
Device enrollment
Apple School Manager (ASM) support with shared iPad
Intune now supports use of Apple School Manager (ASM) in place of Apple Device Enrollment Program to provide
out-of-box enrollment of iOS devices. ASM onboarding is required to use the Classroom app for Shared iPads,
and is required to enable syncing data from ASM to Azure Active Directory via Microsoft School Data Sync (SDS).
For more information, see Enable iOS device enrollment with Apple School Manager.

NOTE
Configuring Shared iPads to work with the Classroom app requires iOS Education configurations in Azure that are not yet
available. This functionality will be added soon.

Device management
Provide remote assistance to Android devices using TeamViewer
Intune can now use the TeamViewer software, purchased separately, to enable you to give remote assistance to
your users who are running Android devices. For more information, see Provide remote assistance for Intune
managed Android devices.
App management
New app protection policies conditions for MAM
You can now set a requirement for MAM without enrollment users that enforces the following policies:
Minimum application version
Minimum operating system version
Minimum Intune APP SDK version of the targeted application (iOS only)
This feature is available on both Android and iOS. Intune supports minimum version enforcement for OS platform
versions, application versions, and Intune APP SDK. On iOS, applications that have the SDK integrated can also set
a minimum version enforcement at the SDK level. The user will be unable to access the targeted application if the
minimum requirements through the app protection policy are not met at the three different levels mentioned
above. At this point, the user may either remove their account (for multi-identity applications), close the
application, or update the version of the OS or application.
You can also configure additional settings to provide a non-blocking notification that recommends an OS or
application upgrade. This notification can be closed and the application may be used as normal.
For more information, see iOS app protection policy settings and Android app protection policy settings.
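The two tiers described above (a blocking minimum and a non-blocking "recommend an upgrade" notice), as an added example that is not Intune's own code: a small Python evaluator that compares dotted version strings numerically and reports which requirements deny access and which only warrant the notification. The Requirement class, the policy keys and all sample versions are assumptions constructed for illustration.

```python
"""Added example (not Intune's own code): a model of how app protection
policy version conditions combine.  Each check has a blocking minimum
(access denied when unmet) and an optional, higher "recommend" minimum
that only raises a non-blocking upgrade notice.  The policy keys and the
Requirement class are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.3.1' into (10, 3, 1) so versions compare numerically.
    Comparing the raw strings is a classic bug: '10.0' < '9.1' as text."""
    return tuple(int(part) for part in text.strip().split("."))


def at_least(actual: str, minimum: str) -> bool:
    """True when actual >= minimum; '10.3' and '10.3.0' compare equal."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    return a + (0,) * (width - len(a)) >= m + (0,) * (width - len(m))


@dataclass
class Requirement:
    name: str
    actual: str
    block_below: Optional[str] = None      # access blocked if actual < this
    recommend_below: Optional[str] = None  # non-blocking notice if actual < this


def evaluate(requirements: List[Requirement]) -> Tuple[bool, list, list]:
    """Return (allowed, blocking_failures, recommendations).

    A requirement that fails its blocking minimum is reported once as a
    block; the recommend tier is only consulted when the block tier passes.
    """
    blocked, recommended = [], []
    for r in requirements:
        if r.block_below and not at_least(r.actual, r.block_below):
            blocked.append(f"{r.name} {r.actual} < required {r.block_below}")
        elif r.recommend_below and not at_least(r.actual, r.recommend_below):
            recommended.append(
                f"{r.name} {r.actual} < recommended {r.recommend_below}")
    return (not blocked, blocked, recommended)


def evaluate_ios_device(os_version: str, app_version: str,
                        sdk_version: str, policy: dict):
    """Apply a policy dict (constructed for this example) to one iOS
    device.  The Intune APP SDK minimum is checked here because, as the
    text above notes, that condition is iOS-only."""
    reqs = [
        Requirement("OS", os_version,
                    policy.get("min_os"), policy.get("recommend_os")),
        Requirement("App", app_version,
                    policy.get("min_app"), policy.get("recommend_app")),
        Requirement("Intune APP SDK", sdk_version, policy.get("min_sdk")),
    ]
    return evaluate(reqs)


if __name__ == "__main__":
    # Constructed sample policy and device values (assumptions).
    policy = {"min_os": "10.0", "recommend_os": "10.3",
              "min_app": "2.1.0", "min_sdk": "8.0"}
    allowed, blocked, recs = evaluate_ios_device("10.2.1", "2.1.0", "8.1", policy)
    print("allowed" if allowed else "blocked", blocked, recs)
```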
Configure app configurations for Android for Work
Some Android apps from the store support managed configuration options that let an IT admin control how an
app runs in the work profile. With Intune, you can now view the configurations supported by an app, and
configure them from the Intune portal with a configuration designer or a JSON editor. For more information, see
Use app configurations for Android for Work.
New app configuration capability for MAM without enrollment
You can now create app configuration policies through the MAM without enrollment channel. This feature is
equivalent to the app configuration policies available in the mobile device management (MDM) app configuration.
For an example of app configuration using MAM without enrollment, see Manage Internet access using Managed
browser policies with Microsoft Intune.
Configure allowed and blocked URL lists for the Managed Browser
You can now configure a list of allowed and blocked domains and URLs for the Intune Managed Browser using
app configuration settings in the Azure portal. These settings can be configured regardless of whether it is being
used on a managed or unmanaged device. For more information, see Manage Internet access using Managed
browser policies with Microsoft Intune.
App protection policy helpdesk view
IT Helpdesk users can now check user license status and the status of app protection policy apps assigned to users
in the Troubleshooting blade. For details, see Troubleshooting.
Device configuration
Control website visits on iOS devices
You can now control which websites users of iOS devices can visit using one of the following two methods:
Add permitted and blocked URLs using Apple's built-in web content filter.
Allow only specified websites to be accessed by the Safari browser. Bookmarks are created in Safari for
each site you specify.
For more information, see Web content filter settings for iOS devices.
Preconfigure device permissions for Android for Work apps
For apps deployed to Android for Work device work profiles, you can now configure the permissions state for
individual apps. By default, Android apps that require device permissions such as access to location or the device
camera will prompt users to accept or deny permissions. For example, if an app uses the device's microphone,
then the end user is prompted to grant the app permission to use the microphone. This feature allows you to
define permissions on behalf of the end user. You can configure permissions to a) automatically deny without
notifying the user, b) automatically approve without notifying the user, or c) prompt the user to accept or deny.
For more information, see Android for Work device restriction settings in Microsoft Intune.
Define app-specific PIN for Android for Work devices
Android 7.0 and above devices with a work profile managed as an Android for Work device let the administrator
define a passcode policy that only applies to apps in the work profile. Options include:
Define just a device-wide passcode policy - This is the passcode that the user must use to unlock their entire
device.
Define just a work profile passcode policy - Users will be prompted to enter a passcode whenever any
app in the work profile is opened.
Define both a device and work profile policy - IT admin has the choice to define both a device passcode policy
and a work profile passcode policy at differing strengths (for example, a four-digit PIN to unlock the device, but
a six-digit PIN to open any work app).
For more information, see Android for Work device restriction settings in Microsoft Intune.

NOTE
This is only available on Android 7.0 and above. By default, the end user can use the two separately defined PINs or they
can elect to combine the two defined PINs into the strongest of the two.

New settings for Windows 10 devices


We've added new Windows device restriction settings that control features like wireless displays, device discovery,
task switching, and SIM card error messages.
Updates to certificate configuration
When creating a SCEP certificate profile, for Subject name format, the Custom option is available for iOS,
Android, and Windows devices. Before this update, the Custom field was available for iOS devices only. For more
information, see How to create a SCEP certificate profile.
When creating a PKCS certificate profile, for Subject alternative name, the Custom Azure AD attribute is
available. The Department option is available when you select Custom Azure AD attribute. For more
information, see How to create a PKCS certificate profile.
Configure multiple apps that can run when an Android device is in kiosk mode
When an Android device is in kiosk mode, you could previously only configure one app that was allowed to run.
You can now configure multiple apps using the app ID, store URL, or by selecting an Android app you already
manage. For more information, see Kiosk mode settings.

Notices
IP addresses for Intune updated
An updated list of DNS names and IP addresses is available for firewall proxy settings.
Use Azure Active Directory for conditional access
Conditional access is available in the Azure Active Directory section of the Azure console and provides a more
powerful and flexible framework for setting policies for cloud apps like Office 365 Exchange Online and
SharePoint Online. Use the Conditional access in Azure Active Directory blade to configure policies instead of
the classic Intune console. Existing policies in the classic Intune console need to be re-created in the Azure console.
For more information, see Create Azure AD conditional access policies
Direct access to Apple enrollment scenarios
For Intune accounts created after January 2017, Intune has enabled direct access to Apple enrollment scenarios
using the Enroll Devices workload in the Azure portal. Previously, the Apple enrollment preview was only
accessible from links in the classic Intune portal. Intune accounts created before January 2017 require a one-time
migration before these features are available in Azure. The schedule for migration has not been announced yet,
but details will be made available as soon as possible. We strongly recommend creating a trial account to test out
the new experience if your existing account cannot access the Azure portal.
Administration roles being replaced in Azure portal
The existing mobile application management (MAM) administration roles (Contributor, Owner, and Read-Only)
used in the Intune classic portal (Silverlight) are being replaced with a full set of new role-based administration
controls (RBAC) in the Intune Azure portal. Once you are migrated to the Azure portal, you will need to reassign
your admins to these new administration roles. For more information about RBAC and the new roles, see
Role-based access control for Microsoft Intune.

What's coming
Changes in support for the Intune iOS Company Portal app
Coming soon, there will be a new version of the Microsoft Intune Company Portal app for iOS that will support
only devices running iOS 9.0 or later. The version of the Company Portal that supports iOS 8 will still be available
for a very short period of time. However, please note that if you also use MAM-enabled iOS apps, we support iOS
9.0 and later, so you'll want to ensure your end users update to the latest OS.
How does this affect me?
We are letting you know this in advance, even though we don't have specific dates, so you have time to plan.
Please ensure your users are updated to iOS 9+ and when the Company Portal app releases, request that your
end users update their Company Portal app.
What do I need to do to prepare for this change?
Encourage your users to update to iOS 9.0 or later to take full advantage of new Intune features. Encourage users
to install the new version of the Company Portal and take advantage of the new features it will offer.
Go to the Intune on Azure portal and view Devices > All Devices and filter by iOS version to see any current
devices with operating systems earlier than iOS 9.
Improved sign in experience across Company Portal apps for all platforms
We are announcing a change that is coming in the next few months that will improve the sign-in experience for
the Intune Company Portal apps for Android, iOS, and Windows. The new user experience will automatically
appear across all platforms for the Company Portal app when Azure AD makes this change. In addition, users can
now sign in to the Company Portal from another device with a generated, single-use code. This is especially useful
in cases when users need to sign in without credentials.
To see screenshots of the previous sign-in experience, the new sign-in experience with credentials, and the new
sign-in experience from another device, see What's new in app UI.
Plan for change: Intune is changing the Intune Partner Portal experience
We are removing the Intune Partner page from manage.microsoft.com beginning with the service update in
mid-May 2017.
If you are a partner administrator, you will no longer be able to view and take action on behalf of your customers
from the Intune Partner page, but will instead need to sign in at one of two other partner portals at Microsoft.
Both the Microsoft Partner Center and the Microsoft Office 365 Partner Admin Center will allow you to sign into
the customer accounts you manage. Moving forward as a partner, please use one of these sites to manage your
customers.
Apple to require updates for Application Transport Security
Apple has announced that they will enforce specific requirements for Application Transport Security (ATS). ATS is
used to enforce stricter security on all app communications over HTTPS. This change impacts Intune customers
using the iOS Company Portal apps.
We have made available a version of the Company Portal app for iOS through the Apple TestFlight program that
enforces the new ATS requirements. If you would like to try it so you can test your ATS compliance, email
[email protected] with your first name, last name, email address, and company name. Review
our Intune support blog for more details.
See also
Microsoft Intune Blog
Cloud Platform roadmap
What's new in the Company Portal UI
What's new in previous months
UI updates for Intune end user apps
6/29/2017

Learn what updates we've made to the UI for apps that your end users will see in this release of Microsoft Intune.
This can help you with user communications and any updating custom documentation that you've created to
support your deployment. It can also help you understand how to better troubleshoot any issues they're facing
should they call helpdesk for support using the Company Portal.

Week of June 26, 2017


Improved sign in experience across Company Portal apps for all platforms
We are announcing a change that is coming in the next few months that will improve the sign in experience for
the Intune Company Portal apps for Android, iOS, and Windows. The new user experience will automatically
appear across all platforms for the Company Portal app when Azure AD makes this change. In addition, users can
now sign in to the Company Portal from another device with a generated, single-use code. This is especially
useful in cases when users need to sign in without credentials.
Below you can see the previous sign in experience, the new sign in experience with credentials, and the new sign
in experience from another device.
Previous sign in experience
New sign in experience
New sign in experience when signing in from another device
Tap the Sign in from another device link.

Launch a browser and go to https://aka.ms/devicelogin.


Enter the code you saw in the Company Portal app. When you select Continue, you will be able to authenticate
using any method that is supported by your company, such as a smartcard.
The Company Portal app will begin signing in.

Week of June 12, 2017


Company Portal app for Android now has a new end user experience for App Protection Policies
Based on customer feedback, we've modified the Company Portal app for Android to show an Access Company
Content button. The intent is to prevent end users from unnecessarily going through the enrollment process
when they only need to access apps that support App Protection Policies, a feature of Intune mobile application
management.
The user will tap on the Access Company Content button instead of beginning to enroll the device.

The user then is taken to the Company Portal website to authorize the app for use on their device, where the
Company Portal website verifies their credentials.

The device can still be enrolled into full management by tapping on the action menu.
Improvements to app syncing with Windows 10 Creators Update
The Company Portal app for Windows 10 will now automatically initiate a sync for app install requests for
devices with Windows 10 Creators Update (version 1703). This will reduce the issue of app installs stalling
during the "Pending Sync" state. In addition, users will be able to manually initiate a sync from within the app.
New guided experience for Windows 10 Company Portal
The Company Portal app for Windows 10 will include a guided Intune walkthrough experience for devices that
have not been identified or enrolled. The new experience provides step-by-step instructions that guide the user
through registering into Azure Active Directory (required for Conditional Access features) and MDM enrollment
(required for device management features). The guided experience will be accessible from the Company Portal
home page. Users can continue to use the app if they do not complete registration and enrollment, but will
experience limited functionality.
This update is only visible on devices running Windows 10 Anniversary Update (build 1607) or higher.
New menu action to easily remove Company Portal
Based on user feedback, the Company Portal app for Android has added a new menu action to initiate the
removal of Company Portal from your device. This action removes the device from Intune management so that
the app can be removed from the device by the user.
Week of June 5, 2017
Improvements to the app tiles in the Company Portal app for iOS
We updated the design of the app tiles on the homepage to reflect the branding color you set for the Company
Portal.
Before

After
Account picker now available for the Company Portal app for iOS
If users have used their work or school account to sign in to other Microsoft apps on their iOS device, then they
may see our new account picker when signing into the Company Portal for the first time.

April 2017
New icons for the Managed Browser and the Company Portal
The Managed Browser is receiving updated icons for both the Android and iOS versions of the app. The new icon
will contain the updated Intune badge to make it more consistent with other apps in Enterprise Mobility +
Security (EM+S).
The Company Portal is also receiving updated icons for the Android, iOS, and Windows versions of the app to
improve consistency with other apps in EM+S. These icons will be gradually released across platforms from April
to late May.
Sign-in progress indicator in Android Company Portal
An update to the Android Company Portal app shows a sign-in progress indicator when the user launches or
resumes the app. The indicator progresses through new statuses, beginning with "Connecting...", then "Signing
in...", then "Checking for security requirements..." before allowing the user to access the app.

Improved app install status for the Windows 10 Company Portal app
The Windows 10 Company Portal app now provides an install progress bar on the app details page. This is
supported for modern apps on devices running the Windows 10 Anniversary Update and up.
Before

After
February 2017
New user experience for the Company Portal app for Android
Beginning in March, the Company Portal app for Android will follow material design guidelines to create a more
modern look and feel. This improved user experience includes:
Colors: tab headers can be colored according to your custom color palette.

Interface: Featured Apps and All Apps buttons have been updated in the Apps tab. The Search button is
now a floating action button.
Navigation: All Apps shows a tabbed view of Featured, All and Categories for easier navigation. Contact
IT has been streamlined for improved readability.

January 2017
Modernizing the Company Portal website
Beginning in February, the Company Portal website will support apps that are targeted to users who do not have
managed devices. The website will align with other Microsoft products and services by using a new contrasting
color scheme, dynamic illustrations, and a "hamburger menu," which will contain helpdesk contact details
and information on existing managed devices. The landing page will be rearranged to emphasize apps that are
available to users, with carousels for Featured and Recently Updated apps.

Coming soon in the UI


These are the plans for ways we will be improving the user experience by updating our user interface.
NOTE
Please note that the images below may be previews, and the announced product may differ from the presented versions.

There are no upcoming announcements to share at this time.


See also
Microsoft Intune Blog
Cloud Platform roadmap
What's new in Intune
What's new in the Microsoft Intune - previous months
6/22/2017

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go here.

April 2017
Support for managing the Apple Classroom app
You can now manage the iOS Classroom app on iPad devices. Set up the Classroom app on the teacher's iPad with
the correct class and student data, then configure student iPads registered to a class, so that you can control them
using the app. For details, see Configure iOS education settings.
Support for managed configuration options for Android apps
Android apps in the Play store that support managed configuration options can now be configured by Intune. This
feature lets IT view the list of configuration values supported by an app, and provides a guided, first-class UI to
allow them to configure those values.
New Android policy for complex PINs
You can now set a required password type of Numeric complex in an Android device profile for devices that run
Android 5.0 and above. Use this setting to prevent device users from creating a PIN that contains repeating, or
consecutive numbers, like 1111, or 1234.
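A model of the Numeric complex rule, added here as an example that is not part of Intune's or Android's code: it rejects a PIN that contains a repeating or ordered run longer than three digits, following Android's documented definition of that password quality (the three-digit limit and the run-detection approach are assumptions stated in the code).

```python
"""Added example (not Intune's or Android's code): a model of the Android
"Numeric complex" password quality that the device restriction profile
above can require.  It follows the documented definition: a PIN is
rejected when it contains a repeating (4444) or ordered (1234, 4321,
2468) sequence.  The three-digit limit below is an assumption.
"""

MAX_ALLOWED_SEQUENCE = 3  # assumption: runs longer than this are rejected


def longest_ordered_run(pin: str) -> int:
    """Return the length of the longest run of digits that differ by a
    constant step.  A step of 0 is a repeat (4444); a step of +1 or -1 is
    a consecutive sequence (1234, 4321); any other constant step (2468)
    counts as an ordered sequence too.
    """
    if len(pin) < 2:
        return len(pin)
    longest = 1
    run = 1
    prev_step = None
    for a, b in zip(pin, pin[1:]):
        step = int(b) - int(a)
        if step == prev_step:
            run += 1            # the run continues with the same step
        else:
            run = 2             # the pair (a, b) starts a new run
            prev_step = step
        longest = max(longest, run)
    return longest


def is_numeric_complex(pin: str) -> bool:
    """True when the PIN is all digits and contains no repeating or
    ordered run longer than MAX_ALLOWED_SEQUENCE digits."""
    if not pin.isdigit():
        return False
    return longest_ordered_run(pin) <= MAX_ALLOWED_SEQUENCE


def check_pins(pins):
    """Evaluate several candidate PINs; returns {pin: accepted}."""
    return {pin: is_numeric_complex(pin) for pin in pins}


if __name__ == "__main__":
    # Constructed sample PINs, including the 1111 and 1234 cases from the text.
    for pin, ok in check_pins(["1111", "1234", "4321", "2468", "1235", "1212"]).items():
        print(f"{pin}: {'accepted' if ok else 'rejected'}")
```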
Additional support for Android for Work devices
Manage password and work profile settings
This new Android for Work device restriction policy now lets you manage password and work profile
settings on Android for Work devices you manage.
Allow data sharing between work and personal profiles
This Android for Work device restriction profile now has new options to help you configure data sharing between
work and personal profiles.
Restrict copy and paste between work and personal profiles
A new custom device profile for Android for Work devices now lets you restrict whether copy and paste
actions between work and personal apps are allowed.
For more information, see Device restrictions for Android for Work.
Assign LOB apps to iOS and Android devices
You can now assign line of business (LOB) apps for iOS (.ipa files) and Android (.apk files) to users or devices.
New device policies for iOS
Apps on Home screen - Controls which apps users see on the Home screen of their iOS device. This policy
changes the layout of the Home screen, but does not deploy any apps.
Connections to AirPrint devices - Controls which AirPrint devices (network printers) that end users of
iOS device can connect to.
Connections to AirPlay devices - Controls which AirPlay devices (like Apple TV) that end users of iOS
device can connect to.
Custom lock screen message - Configures a custom message that users will see on the lock screen of
their iOS device, that replaces the default lock screen message. For more information, see Activate lost
mode on iOS devices
Restrict push notifications for iOS apps
In an Intune device restriction profile, you can now configure the following notification settings for iOS devices:
Fully turn on or off notification for a specified app.
Turn on or off, the notification in the notification center for a specified app.
Specify the alert type, either None, Banner, or Modal Alert.
Specify whether badges are allowed for this app.
Specify whether notification sounds are allowed.
Configure iOS apps to run in single app mode autonomously
You can now use an Intune device profile to configure iOS devices to run specified apps in autonomous single app
mode. When this mode is configured, and the app is run, the device is locked so that it can only run that app. An
example of this is when you configure an app that lets users take a test on the device. When the app's actions are
complete, or you remove this policy, the device returns to its normal state.
Configure trusted domains for email and web browsing on iOS devices
From an iOS device restriction profile, you can now configure the following domain settings:
Unmarked email domains - Emails that the user sends or receives which don't match the domains you
specify here will be marked as untrusted.
Managed web domains - Documents downloaded from the URLs you specify here will be considered
managed (Safari only).
Safari password auto-fill domains - Users can save passwords in Safari only from URLs matching the
patterns you specify here. To use this setting, the device must be in supervised mode and not configured for
multiple users. (iOS 9.3+)
VPP apps available in iOS Company Portal
You can now assign iOS volume-purchased (VPP) apps as Available installs to end users. End users will need an
Apple Store account to install the app.
Synchronize eBooks from Apple VPP Store
You can now synchronize books you purchased from the Apple volume-purchase program store with Intune, and
assign the books to users.
Multi-user management for Samsung KNOX Standard devices
Devices that run Samsung KNOX Standard are now supported for multi-user management by Intune. This means
that end users can sign in and out of the device with their Azure Active Directory credentials, and the device is
centrally managed whether it's in use or not. When end users sign in, they have access to apps and get any
policies applied to them. When users sign out, all app data is cleared.
Additional Windows device restriction settings
We've added support for additional Windows device restriction settings like additional Edge browser support,
device lock screen customization, start menu customizations, Windows Spotlight search set wallpaper, and proxy
setting.
Multi-user support for Windows 10 Creators Update
We've added support for multi-user management for devices that run the Windows 10 Creators Update and are
Azure Active Directory domain-joined. This means that when different standard users log into the device with their
Azure AD credentials, they will receive any apps and policies that were assigned to their user name. Users cannot
currently use the Company Portal for self-service scenarios like installing apps.
Fresh Start for Windows 10 PCs
A new Fresh Start device action for Windows 10 PCs is now available. When you issue this action, any apps that
were installed on the PC are removed, and the PC is automatically updated to the latest version of Windows. This
can be used to help remove pre-installed OEM apps that are often delivered with a new PC. You can configure if
user data is retained when this device action is issued.
Additional Windows 10 upgrade paths
You can now create an edition upgrade policy to upgrade devices to the following additional Windows 10 editions:
Windows 10 Professional
Windows 10 Professional N
Windows 10 Professional Education
Windows 10 Professional Education N
Bulk Enroll Windows 10 devices
You can now join large numbers of devices that run the Windows 10 Creators update to Azure Active Directory
and Intune with Windows Configuration Designer (WCD). To enable bulk MDM enrollment for your Azure AD
tenant, create a provisioning package that joins devices to your Azure AD tenant using Windows Configuration
Designer, and apply the package to corporate-owned devices you'd like to bulk enroll and manage. Once the
package is applied to your devices, they join Azure AD, enroll in Intune, and are ready for your Azure AD users
to log on. Azure AD users are standard users on these devices and receive assigned policies and required apps.
Self-service and Company Portal scenarios are not supported currently.
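As an added example (not Microsoft's code and not part of this page), the device-side half of that procedure in PowerShell: apply the WCD package on a corporate-owned PC, then verify that the device is Azure AD joined and has an Intune MDM enrollment before it is handed to users. The package path is a placeholder; the script assumes the Provisioning module cmdlets (Install-ProvisioningPackage, Get-ProvisioningPackage) and dsregcmd.exe are present on the device, and that an Intune enrollment is recorded under HKLM\SOFTWARE\Microsoft\Enrollments with ProviderID "MS DM Server".

```powershell
# Added example, not from the Intune docs: apply a WCD bulk-enrollment package and
# verify the resulting Azure AD join and MDM enrollment. Run elevated on the device.
# Assumptions (not stated on the page): $PackagePath is a placeholder; the Provisioning
# module cmdlets and dsregcmd.exe exist on the device; Intune enrollments are recorded
# under HKLM\SOFTWARE\Microsoft\Enrollments with ProviderID 'MS DM Server'.
param(
    [string]$PackagePath = 'C:\Provisioning\BulkEnroll.ppkg'   # placeholder path
)

function Install-BulkEnrollPackage {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Provisioning package not found: $Path"
    }
    # -QuietInstall suppresses the interactive consent dialog on the device.
    Install-ProvisioningPackage -PackagePath $Path -QuietInstall | Out-Null
    # Return the packages the device now reports as installed, for the operator's log.
    return Get-ProvisioningPackage -AllInstalledPackages
}

function Get-EnrollmentState {
    # dsregcmd /status prints "Key : Value" lines; collect them into a lookup table.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S.*?)\s*:\s*(.*?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    # Each MDM enrollment is a GUID-named subkey carrying a ProviderID; subkeys
    # without a ProviderID (bookkeeping keys) are skipped.
    $enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID }
    [pscustomobject]@{
        AzureAdJoined = ($status['AzureAdJoined'] -eq 'YES')
        TenantName    = $status['TenantName']
        MdmUrl        = $status['MdmUrl']
        MdmProviders  = @($enrollments | ForEach-Object { $_.ProviderID })
    }
}

function Test-BulkEnrollment {
    param([Parameter(Mandatory)]$State)
    $problems = @()
    if (-not $State.AzureAdJoined) {
        $problems += 'Device is not Azure AD joined; the package did not complete the join.'
    }
    if ($State.MdmProviders -notcontains 'MS DM Server') {
        $problems += 'No Intune MDM enrollment found; check that MDM auto-enrollment is scoped to these users.'
    }
    return $problems
}

# Top-level flow: install, then report the join and enrollment state.
Install-BulkEnrollPackage -Path $PackagePath | Out-Null
$state = Get-EnrollmentState
$state | Format-List
Test-BulkEnrollment -State $state | ForEach-Object { Write-Warning $_ }
```

Running the check on a sample of devices before the rollout catches the common failure where the package joins Azure AD but MDM auto-enrollment is not scoped to the device's users, which leaves the device joined but unmanaged.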
New MAM settings for PIN and managed storage locations
Two new app settings are now available to help you with mobile application management (MAM) scenarios:
Disable app PIN when device PIN is managed - Detects if a device PIN is present on the enrolled device,
and if so, bypasses the app PIN triggered by the app protection policies. This setting will allow for a
reduction in the number of times a PIN prompt is displayed to users opening a MAM-enabled application
on an enrolled device. This feature is available for both Android and iOS.
Select which storage services corporate data can be saved to - Allows you to specify the storage locations
to which corporate data may be saved. Users can save only to the selected storage services; any storage
service not listed is blocked.
List of supported storage location services:
OneDrive for Business
SharePoint Online
Local storage
Help desk troubleshooting portal
The new troubleshooting portal lets help desk operators and Intune administrators view users and their devices,
and perform tasks to resolve Intune technical problems.

March 2017
Support for iOS Lost Mode
For iOS 9.3 and later devices, Intune added support for Lost Mode. You can now lock down a device to prevent all
use and display a message and contact phone number on the device lock screen.
The end user will not be able to unlock the device until an admin disables Lost Mode. When Lost Mode is enabled,
you can use the Locate device action to display the geographical location of the device on a map in the Intune
console.
The device must be a corporate-owned iOS device, enrolled through DEP, that is in supervised mode.
For more information, see What is Microsoft Intune device management?
Improvements to Device Actions report
We've made improvements to the Device Actions report to improve performance. Additionally, you can now filter
the report by state. For example, you could filter the report to show only device actions that were completed.
Custom app categories
You can now create, edit, and assign categories for apps you add to Intune. Currently, categories can only be
specified in English. See How to add an app to Intune.
Assign LOB apps to users with unenrolled devices
You can now assign line-of-business apps from the store to users whether or not their devices are enrolled with
Intune. If the user's device is not enrolled with Intune, they must go to the Company Portal website to install it,
instead of the Company Portal app.
New compliance reports
You now have compliance reports that give you the compliance posture of devices in your company and allow you
to quickly troubleshoot compliance-related issues encountered by your users. You can view information about
Overall compliance state of devices
Compliance state for an individual setting
Compliance state for an individual policy
You can also use these reports to drill down into an individual device to view specific settings and policies that
affect that device.
Direct access to Apple enrollment scenarios
For Intune accounts created after January 2017, Intune has enabled direct access to Apple enrollment scenarios
using the Enroll Devices workload in the Azure portal. Previously, the Apple enrollment preview was only
accessible from links in the classic Intune portal. Intune accounts created before January 2017 will require a one-
time migration before these features are available in Azure. The schedule for migration has not been announced
yet, but details will be made available as soon as possible. We strongly recommend creating a trial account to test
out the new experience if your existing account cannot access the preview.

February 2017
Ability to restrict mobile device enrollment
Intune is adding new enrollment restrictions that control which mobile device platforms are allowed to enroll.
Intune separates mobile device platforms as iOS, macOS, Android, Windows and Windows Mobile.
Restricting mobile device enrollment does not restrict PC client enrollment.
For iOS and Android only, there is one additional option to block the enrollment of personally owned devices.
Intune marks all new devices as personal unless the IT admin takes action to mark them as corporate owned, as
explained in this article.
View all actions on managed devices
A new Device Actions report shows who has performed remote actions like factory reset on devices, and
additionally shows the status of that action. See What is device management?.
Non-managed devices can access assigned apps
As part of the design changes on the Company Portal website, iOS and Android users will be able to install apps
assigned to them as "available without enrollment" on their non-managed devices. Using their Intune credentials,
users will be able to log into the Company Portal website and see the list of apps assigned to them. The app
packages of the "available without enrollment" apps are made available for download via the Company Portal
website. Apps which require enrollment for installation are not affected by this change, as users will be prompted
to enroll their device if they wish to install those apps.
Custom app categories
You can now create, edit, and assign categories for apps you add to Intune. Currently, categories can only be
specified in English. See How to add an app to Intune.
Display device categories
You can now view the device category as a column in the device list. You can also edit the category from the
properties section of the device properties blade. See How to add an app to Intune.
Configure Windows Update for Business settings
Windows as a Service is the new way of providing updates for Windows 10. Starting with Windows 10, any new
Feature Updates and Quality Updates will contain the contents of all previous updates. This means that as long as
you've installed the latest update, you know that your Windows 10 devices are completely up-to-date. Unlike with
previous versions of Windows, you now must install the entire update instead of part of an update.
By using Windows Update for Business, you can simplify the update management experience so that you don't
need to approve individual updates for groups of devices. You can still manage risk in your environments by
configuring an update rollout strategy, and Windows Update will make sure that updates are installed at the right time.
Microsoft Intune provides the ability to configure update settings on devices and gives you the ability to defer
update installation. Intune doesn't store the updates, but only the update policy assignment. Devices access
Windows Update directly for the updates. Use Intune to configure and manage Windows 10 update rings. An
update ring contains a group of settings that configure when and how Windows 10 updates get installed. For
details, see Configure Windows Update for Business settings.
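An added example (not from this page or from Microsoft) of how to confirm on a managed device what an update ring actually delivered: it reads the Policy CSP Update values that an MDM-applied ring surfaces in the registry and flags settings that weaken the patch posture (updates paused, deferrals beyond the CSP maximums, automatic updates turned off, or no ring applied at all). The registry path and value names are assumed from the Policy CSP Update node; the deferral limits are parameters so they can be adjusted.

```powershell
# Added example, not from the Intune docs: inspect the Windows Update for Business
# settings an Intune update ring applied to this device and flag weak configurations.
# Assumptions (not on the page): MDM-applied Policy CSP values surface under
# HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update and carry the
# Policy CSP Update node names. Read-only; run on the managed device.

$UpdatePolicyPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

# Policy CSP BranchReadinessLevel values and what each servicing channel means.
$BranchReadinessNames = @{
    2 = 'Windows Insider Fast'; 4 = 'Windows Insider Slow'; 8 = 'Release Preview'
    16 = 'Semi-Annual Channel (Targeted)'; 32 = 'Semi-Annual Channel'
}

function Get-UpdateRingSettings {
    # Returns a hashtable of the ring's settings; a setting the ring did not set is $null.
    $props = Get-ItemProperty -Path $UpdatePolicyPath -ErrorAction SilentlyContinue
    $names = @('BranchReadinessLevel', 'DeferFeatureUpdatesPeriodInDays',
               'DeferQualityUpdatesPeriodInDays', 'PauseFeatureUpdates',
               'PauseQualityUpdates', 'AllowAutoUpdate', 'ActiveHoursStart', 'ActiveHoursEnd')
    $settings = @{}
    foreach ($n in $names) {
        $value = $null
        if ($props -and $null -ne $props.$n) { $value = $props.$n }
        $settings[$n] = $value
    }
    return $settings
}

function Test-UpdateRing {
    param(
        [hashtable]$Settings = (Get-UpdateRingSettings),
        [int]$MaxQualityDeferralDays = 30,   # Policy CSP upper bound for quality deferral
        [int]$MaxFeatureDeferralDays = 365   # Policy CSP upper bound for feature deferral
    )
    $findings = @()
    $setCount = @($Settings.Values | Where-Object { $null -ne $_ }).Count
    if ($setCount -eq 0) {
        $findings += 'No Windows Update for Business policy found: no update ring is applied to this device.'
        return $findings
    }
    if ($Settings.PauseQualityUpdates -eq 1) {
        $findings += 'Quality (security) updates are paused; the device falls behind on patches while paused.'
    }
    if ($Settings.PauseFeatureUpdates -eq 1) {
        $findings += 'Feature updates are paused.'
    }
    if ($Settings.DeferQualityUpdatesPeriodInDays -gt $MaxQualityDeferralDays) {
        $findings += "Quality deferral of $($Settings.DeferQualityUpdatesPeriodInDays) days exceeds $MaxQualityDeferralDays days."
    }
    if ($Settings.DeferFeatureUpdatesPeriodInDays -gt $MaxFeatureDeferralDays) {
        $findings += "Feature deferral of $($Settings.DeferFeatureUpdatesPeriodInDays) days exceeds $MaxFeatureDeferralDays days."
    }
    if ($Settings.AllowAutoUpdate -eq 5) {
        $findings += 'AllowAutoUpdate=5 turns automatic updates off; the device depends on manual installs.'
    }
    return $findings
}

# Top-level flow: print the ring's settings, name the servicing channel, then warn on findings.
$ring = Get-UpdateRingSettings
$ring.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
if ($null -ne $ring.BranchReadinessLevel) {
    $channel = $BranchReadinessNames[[int]$ring.BranchReadinessLevel]
    Write-Host "Servicing channel: $channel"
}
Test-UpdateRing -Settings $ring | ForEach-Object { Write-Warning $_ }
```

Because Intune stores only the policy assignment and the device fetches updates from Windows Update itself, the registry values are the authoritative record of what the ring set; a device whose values do not match the ring in the console has not checked in since the ring changed.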

January 2017
Assign line of business apps whether or not devices are enrolled
You can now assign line-of-business apps and apps from the store to users whether or not their devices are enrolled
with Intune. If the user's device is not enrolled with Intune, they must go to the Company Portal website to install it,
instead of the Company Portal app. See What is app management.
Resolve issue where iOS devices are inactive, or the admin console cannot communicate with them
When users' devices lose contact with Intune, you can give them new troubleshooting steps to help them regain
access to company resources. See Devices are inactive, or the admin console cannot communicate with them.

December 2016 (initial release)
Telecom expense management integration in Azure portal
We are now beginning to preview integration with third-party telecom expense management (TEM) services within
the Azure portal. You can use Intune to enforce limits on domestic and roaming data usage. We are beginning
these integrations with Saaswedo. To enable this feature in your trial tenant, please contact Microsoft support.
Deploy and manage apps from a store to iOS, Android, and Windows devices
Deploy and manage line of business (LOB) apps to iOS, Android, and Windows devices
Deploy and manage volume-purchased apps to iOS, and Windows devices
Deploy and manage web apps for Android, iOS, and Windows devices
iOS managed app configuration profiles
Configure app protection policies, and deploy line of business apps to devices that are not enrolled with Intune
VPN profiles, per-app VPN, Wi-Fi, email, and certificate profiles
Compliance policies
Conditional access for Azure AD
Conditional access for On-Premises Exchange
Device enrollment
Role-based access control

Deprecated features in the Azure portal
Support for row-by-row review of hardware identifiers
The Azure portal does not support row-by-row review of hardware identifiers for IMEI numbers and Apple serial
numbers. In the classic Intune console, you can import details from a comma-separated-values (.csv) file and
overwrite the existing details for individual hardware identifiers. The Azure portal features a single, streamlined
option that automatically overwrites details for all hardware identifiers or ignores new details for existing
identifiers.
How this affects you
In the Azure portal, you will not be able to decide, row by row, which International Mobile Equipment Identity
(IMEI) devices to update. The classic Intune console will continue to support this functionality.
How to get ready for this change
We are providing this information in advance so, if it affects you, you can make your support admins aware of this
change. This change will coincide with the move to the Azure portal, anticipated for the first half of 2017.
Support for default Corporate Device Enrollment profiles in Apple DEP
The Azure portal does not support the default Corporate Device Enrollment profile for Apple Device Enrollment
Program (DEP) device serial numbers. This functionality, available in the classic Intune console, is being
discontinued to prevent unintentionally assigned profiles. In the Azure portal, serial numbers synchronized from an
Apple DEP account will initially have no Corporate Device Enrollment profile assigned.
How this affects you
In the Azure portal, you will not be able to set a default profile policy across all Apple devices. The classic Intune
console will continue to support this functionality.
How to get ready for this change
We are providing this information in advance so, if it affects you, you can make your support admins aware of this
change. This will coincide with the move to the Azure portal, anticipated for the first half of 2017.
See also
See What's New in Microsoft Intune for details on recent developments.
What's new in the Intune classic console - previous months
6/19/2017

APPLIES TO: INTUNE IN THE CLASSIC PORTAL

Looking for documentation about Intune on Azure? Go here.

This page lists new features and notices previously announced on the What's new page for the Intune classic
console.

April 2017
New capabilities
MyApps available for Managed Browser
Microsoft MyApps now has better support within the Managed Browser. Managed Browser users who are not
targeted for management will be brought directly to the MyApps service, where they can access their admin-
provisioned SaaS apps. Users who are targeted for Intune management will continue to be able to access MyApps
from the built-in Managed Browser bookmark.
New icons for the Managed Browser and the Company Portal
The Managed Browser is receiving updated icons for both the Android and iOS versions of the app. The new icon
will contain the updated Intune badge to make it more consistent with other apps in Enterprise Mobility + Security
(EM+S). You can see the new icon for the Managed Browser on the what's new in Intune app UI page.
The Company Portal is also receiving updated icons for the Android, iOS, and Windows versions of the app to
improve consistency with other apps in EM+S. These icons will be gradually released across platforms from April to
late May.
Sign-in progress indicator in Android Company Portal
An update to the Android Company Portal app shows a sign-in progress indicator when the user launches or
resumes the app. The indicator progresses through new statuses, beginning with "Connecting...", then "Signing in...",
then "Checking for security requirements..." before allowing the user to access the app. You can see the new screens
for the Company Portal app for Android on the what's new in Intune app UI page.
Block apps from accessing SharePoint Online
You can now create an app-based conditional access policy to block apps, which don't have app protection policies
applied to them, from accessing SharePoint Online. In the apps-based conditional access scenario, you can specify
the apps that you want to have access to SharePoint Online using the Azure portal.
Single sign-on support from the Company Portal for iOS to Outlook for iOS
Users no longer have to sign in to the Outlook app if they are signed in to the Company Portal app for iOS on the
same device with the same account. When users launch the Outlook app, they will be able to select their account
and automatically sign in. We are also working toward adding this functionality for other Microsoft apps.
Improved status messaging in the Company Portal app for iOS
New, more specific error messages will now be displayed within the Company Portal app for iOS to provide more
accessible information about what is happening on devices. These error cases were previously included in a general
error message titled "Company Portal Temporarily Unavailable". Additionally, if a user launches the Company
Portal on iOS when they do not have an Internet connection, they will now see a persistent status bar on the
homepage saying "No Internet Connection."
Improved app install status for the Windows 10 Company Portal app
New improvements for app installs started in the Windows 10 Company Portal app include:
Faster install progress reporting for MSI packages
Faster install progress reporting for modern apps on devices running the Windows 10 Anniversary Update and
beyond
New progress bar for modern app installs on devices running the Windows 10 Anniversary Update and beyond
You can see the new progress bar on the what's new in Intune app UI page.
Bulk Enroll Windows 10 devices
You can now join large numbers of devices that run the Windows 10 Creators update to Azure Active Directory and
Intune with Windows Configuration Designer (WCD). To enable bulk MDM enrollment for your Azure AD tenant,
create a provisioning package that joins devices to your Azure AD tenant using Windows Configuration Designer,
and apply the package to corporate-owned devices you'd like to bulk enroll and manage. Once the package is
applied to your devices, they will Azure AD join, enroll in Intune, and be ready for your Azure AD users to log on.
Azure AD users are standard users on these devices and receive assigned policies and required apps. Self-service
and Company Portal scenarios are not supported at this time.
What's new in the public preview of the Intune admin experience on Azure
In early calendar year 2017 we will be migrating our full admin experience onto Azure, allowing for powerful and
integrated management of core EMS workflows on a modern service platform that's extensible using Graph APIs.
New trial tenants will start to see the public preview of the new admin experience in the Azure portal this month.
While in preview state, capabilities and parity with the existing Intune console will be delivered iteratively.
The admin experience in the Azure portal will use the already announced new grouping and targeting functionality;
when your existing tenant is migrated to the new grouping experience you will also be migrated to preview the
new admin experience on your tenant. In the meantime, if you want to test or look at any of the new functionality
until your tenant is migrated, sign up for a new Intune trial account or take a look at the new documentation.
You can find what's new in the Intune preview in Azure here.
Notices
Direct access to Apple enrollment scenarios
For Intune accounts created after January 2017, Intune has enabled direct access to Apple enrollment scenarios
using the Enroll Devices workload in the Azure Preview portal. Previously, the Apple enrollment preview was only
accessible from links in the classic Intune portal. Intune accounts created before January 2017 will require a one-
time migration before these features are available in Azure. The schedule for migration has not been announced
yet, but details will be made available as soon as possible. We strongly recommend creating a trial account to test
out the new experience if your existing account cannot access the preview.
What's coming for Appx in Intune on Azure
As part of the migration to Intune on Azure, we are making three appx changes:
1. Adding a new appx app type in the classic Intune console that can only be deployed to MDM-enrolled devices.
2. Repurposing the existing appx app type to only be targeted to PCs managed through the Intune PC agent.
3. Converting all existing appxs into MDM appxs with the migration.
How does this affect me?

This will not impact any of your existing deployments to devices that are managed through the Intune PC agent.
However, after migration, you will not be able to deploy those migrated appxs to any new devices that are
managed through the Intune PC agent that were not previously targeted.
What action do I need to take?

After migration, you will need to re-upload the appx again as a PC appx if you want to do new PC deployments. To
learn more, see Appx changes in Intune on Azure on the Intune Support team blog.
Administration roles being replaced in Azure portal
The existing mobile application management (MAM) administration roles (Contributor, Owner, and Read-Only)
used in the Intune classic portal (Silverlight) are being replaced with a full set of new role-based administration
controls (RBAC) in the Intune Azure portal. Once you are migrated to the Azure portal, you will need to re-assign
your admins to these new administration roles. For more information about RBAC and the new roles, see Role-
based access control for Microsoft Intune.
What's coming
Improved sign in experience across Company Portal apps for all platforms
We are announcing a change that is coming in the next few months that will improve the sign in experience for the
Intune Company Portal apps for Android, iOS, and Windows. The new user experience will automatically appear
across all platforms for the Company Portal app when Azure AD makes this change. In addition, users can now sign
in to the Company Portal from another device with a generated, single-use code. This is especially useful in cases
when users need to sign in without credentials.
You can find screenshots of the previous sign in experience, the new sign in experience with credentials, and the
new sign in experience from another device on the What's new in app UI page.
Plan for change: Intune is changing the Intune Partner Portal experience
We are removing the Intune Partner page from manage.microsoft.com beginning with the service update in mid-
May 2017.
If you are a partner administrator, you will no longer be able to view and take action on behalf of your customers
from the Intune Partner page, but will instead need to sign in at one of two other partner portals at Microsoft.
Both the Microsoft Partner Center and the Microsoft Office 365 Partner Admin Center will allow you to sign into the
customer accounts you manage. Moving forward as a partner, please use one of these sites to manage your
customers.
Apple to require updates for Application Transport Security
Apple has announced that they will enforce specific requirements for Application Transport Security (ATS). ATS is
used to enforce stricter security on all app communications over HTTPS. This change impacts Intune customers
using the iOS Company Portal apps.
We have made available a version of the Company Portal app for iOS through the Apple TestFlight program that
enforces the new ATS requirements. If you would like to try it so you can test your ATS compliance, email
[email protected] with your first name, last name, email address, and company name. Review
our Intune support blog for more details.

March 2017
New Capabilities
Support for Skycure
You can now control mobile device access to corporate resources using conditional access based on risk
assessment conducted by Skycure, a mobile threat defense solution that integrates with Microsoft Intune. Risk is
assessed based on telemetry collected from devices running Skycure, including:
Physical defense
Network defense
Application defense
Vulnerabilities defense
You can configure EMS conditional access policies based on Skycure risk assessment enabled through Intune
device compliance policies. You can use these policies to allow or block non-compliant devices access to corporate
resources based on detected threats. For more information, see Skycure Mobile Threat Defense connector.
New user experience for the Company Portal app for Android
The Company Portal app for Android will be updating its user interface for a more modern look and feel, and better
user experience. The notable updates are:
Colors: Company Portal tab headers are colored in IT-defined branding.
Apps: In the Apps tab, the Featured Apps and All Apps buttons are updated.
Search: In the Apps tab, the Search button is a floating action button.
Navigating Apps: All Apps view shows a tabbed view of Featured, All, and Categories for easier navigation.
Support: My Devices and Contact IT tabs are updated to improve readability.
For more details about these changes, see UI updates for Intune end user apps.
Non-managed devices can access assigned apps
As part of the design changes on the Company Portal website, iOS and Android users will be able to install apps
assigned to them as "available without enrollment" on their non-managed devices. Using their Intune credentials,
users will be able to log into the Company Portal website and see the list of apps assigned to them. The app
packages of the "available without enrollment" apps are made available for download via the Company Portal
website. Apps which require enrollment for installation are not affected by this change, as users will be prompted to
enroll their device if they wish to install those apps.
Signing Script for Windows 10 Company Portal
If you need to download and sideload the Windows 10 Company Portal app, you can now use a script to simplify
and streamline the app-signing process for your organization. To download the script and the instructions for using
it, see Microsoft Intune Signing Script for Windows 10 Company Portal on TechNet Gallery. For more details about
this announcement, see Updating your Windows 10 Company Portal app on the Intune Support Team Blog.
Notices
Support for iOS 10.3
The iOS 10.3 release started rolling out on March 27, 2017 to iOS users. All existing Intune MDM and MAM
scenarios are compatible with the latest version of Apple's OS. We anticipate all existing Intune features currently
available for managing iOS devices will continue to work as your users upgrade their devices and apps to iOS 10.3.
There are currently no known issues to share. If you run into any issues with iOS 10.3, please feel free to reach out
to the Intune support team.
Improved support for Android users based in China
Due to the absence of the Google Play Store in China, Android devices must obtain apps from Chinese
marketplaces. The Company Portal will support this workflow by redirecting Android users in China to download
the Company Portal and Outlook apps from local app stores. This will improve the user experience when
Conditional Access policies are enabled, both for Mobile Device Management and for Mobile Application
Management. The Company Portal and Outlook apps for Android are available on the following Chinese app stores:
Baidu
Xiaomi
Tencent
Huawei
Wandoujia
Best practice: make sure your Company Portal apps are up-to-date
In December 2016, we released an update that enabled enforcement for multi-factor authentication (MFA) on a
group of users when they enroll an iOS, Android, Windows 8.1+, or Windows Phone 8.1+ device. This feature
cannot work without certain baseline versions of the Company Portal app for Android (v5.0.3419.0+) and iOS
(v2.1.17+).
Microsoft is continuously improving Intune by adding new functions to both the console and the Company Portal
apps on all supported platforms. As a result, Microsoft only releases fixes for issues that we find in the current
version of the Company Portal app. We therefore recommend using the latest versions of the Company Portal
apps for the best user experience.

TIP
Have your users set their devices to automatically update apps from the appropriate app store. If you have made the Android
Company Portal app available on a network share, you can download the latest version from Microsoft Download Center.

Microsoft Teams is now enabled for MAM on iOS and Android
Microsoft has announced the general availability of Microsoft Teams. The updated Microsoft Teams apps for iOS
and Android are now enabled with Intune mobile app management (MAM) capabilities, so you can empower your
teams to work freely across devices, while ensuring that conversations and corporate data are protected at every
turn. For more details, see the Microsoft Teams announcement on the Enterprise Mobility and Security blog.

February 2017
New Capabilities
Modernizing the Company Portal website
The Company Portal website will support apps that are targeted to users who do not have managed devices. The
website will align with other Microsoft products and services by using a new contrasting color scheme, dynamic
illustrations, and a "hamburger menu."
Notices
Group migration will not require any updates to groups or policies for iOS devices
For every Intune device group pre-assigned by a Corporate Device Enrollment profile, a corresponding dynamic
device group will be created in AAD based on the Corporate Device Enrollment profile's name, during the migration
to Azure Active Directory device groups. This will ensure that as devices enroll, they will be automatically grouped
and receive the same policies and apps as the original Intune group.
Once a tenant enters the migration process for grouping and targeting, Intune will automatically create a dynamic
AAD group to correspond to an Intune group targeted by a Corporate Device Enrollment profile. If the Intune
Admin deletes the targeted Intune group, the corresponding dynamic AAD group will not be deleted. The group's
members and the dynamic query will be cleared, but the group itself will remain until the IT Admin removes it via
the AAD portal.
Similarly, if the IT Admin changes which Intune group is targeted by a Corporate Device Enrollment profile, Intune
will create a new dynamic group reflecting the new profile assignment, but will not remove the dynamic group
created for the old assignment.
Defaulting to managing Windows desktop devices through Windows settings
The default behavior for enrolling Windows 10 desktops is changing. New enrollments will follow the typical MDM
agent enrollment flow rather than through the PC agent. The Company Portal website will provide Windows 10
desktop users with enrollment instructions that guide them through the process of adding Windows 10 desktop
computers as mobile devices. This will not impact currently enrolled PCs, and your organization can still manage
Windows 10 desktops using the PC agent if you prefer.
Improving mobile app management support for selective wipe
End users will be given additional guidance on how to regain access to work or school data if that data is
automatically removed due to the "Offline interval before app data is wiped" policy.
Company Portal for iOS links open inside the app
Links inside of the Company Portal app for iOS, including those to documentation and apps, will open directly in
the Company Portal app using an in-app view of Safari. This update will ship separately from the service update in
January.
New MDM server address for Windows devices
Windows and Windows Phone users attempting to enroll a device will fail if they enter manage.microsoft.com as
the MDM server address (if prompted). The MDM server address is changing from manage.microsoft.com to
enrollment.manage.microsoft.com. Notify your users to use enrollment.manage.microsoft.com as the MDM
server address if prompted for it while enrolling a Windows or Windows Phone device. No changes are needed
to your CNAME setup. For additional information about this change, visit aka.ms/intuneenrollsvrchange.
New user experience for the Company Portal app for Android
Beginning in March, the Company Portal app for Android will follow material design guidelines to create a more
modern look and feel. This improved user experience includes:
Colors: tab headers can be colored according to your custom color palette.
Interface: Featured Apps and All Apps buttons have been updated in the Apps tab. The Search button is now a
floating action button.
Navigation: All Apps shows a tabbed view of Featured, All and Categories for easier navigation.
Service: My Devices and Contact IT tabs have improved readability.
You can find before and after images on the UI updates page.
Associate multiple management tools with the Windows Store for Business
If you are using more than one management tool to deploy Windows Store for Business apps, previously, you
could only associate one of these with the Windows Store for Business. You can now associate multiple
management tools with the store, for example, Intune and Configuration Manager. For details, see Manage apps
you purchased from the Windows Store for Business with Microsoft Intune.

What's new in the public preview of the Intune admin experience on Azure
In early calendar year 2017 we will be migrating our full admin experience onto Azure, allowing for powerful and
integrated management of core EMS workflows on a modern service platform that's extensible using Graph APIs.
New trial tenants will start to see the public preview of the new admin experience in the Azure portal this month.
While in preview state, capabilities and parity with the existing Intune console will be delivered iteratively.
The admin experience in the Azure portal will use the already announced new grouping and targeting functionality;
when your existing tenant is migrated to the new grouping experience you will also be migrated to preview the
new admin experience on your tenant. In the meantime, if you want to test or look at any of the new functionality
until your tenant is migrated, sign up for a new Intune trial account or take a look at the new documentation.
You can find what's new in the Intune preview in Azure here.

January 2017
New Capabilities
In-console reports for MAM without enrollment
New app protection reports have been added for both enrolled devices and devices that have not been enrolled.
Find out more about how you can monitor mobile app management policies with Intune here.
Android 7.1.1 support
Intune now fully supports and manages Android 7.1.1.
Resolve issue where iOS devices are inactive, or the admin console cannot communicate with them
When users' devices lose contact with Intune, you can give them new troubleshooting steps to help them regain
access to company resources. See Devices are inactive, or the admin console cannot communicate with them.
Notices
Defaulting to managing Windows desktop devices through Windows settings
The default behavior for enrolling Windows 10 desktops is changing. New enrollments will follow the typical MDM
agent enrollment flow rather than through the PC agent.
The Company Portal website will provide Windows 10 desktop users with enrollment instructions that guide them
through the process of adding Windows 10 desktop computers as mobile devices. This will not impact currently
enrolled PCs, and your organization can still manage Windows 10 desktops using the PC agent if you prefer.
Improving mobile app management support for selective wipe
End users will be given additional guidance on how to regain access to work or school data if that data is
automatically removed due to the "Offline interval before app data is wiped" policy.
Company Portal for iOS links open inside the app
Links inside of the Company Portal app for iOS, including those to documentation and apps, will open directly in
the Company Portal app using an in-app view of Safari. This update will ship separately from the service update in
January.
Modernizing the Company Portal website
Beginning in February, the Company Portal website will support apps that are targeted to users who do not have
managed devices. The website will align with other Microsoft products and services by using a new contrasting
color scheme, dynamic illustrations, and a "hamburger menu."
New documentation for app protection policies
We have updated our documentation for admins and app developers who want to enable app protection policies
(known as MAM policies) in their iOS and Android apps using the Intune App Wrapping Tool or Intune App SDK.
The following articles have been updated:
Decide how to prepare apps for mobile application management with Microsoft Intune
Prepare iOS apps for mobile application management with the Intune App Wrapping Tool
Get started with the Microsoft Intune App SDK
Intune App SDK for iOS developer guide
The following articles are new additions to the docs library:
Intune App SDK Cordova Plugin
Intune App SDK Xamarin Component
Progress bar when launching the Company Portal on iOS
The Company Portal for iOS is introducing a progress bar on the launch screen to provide the user with
information about the loading processes that occur. There will be a phased rollout of the progress bar to replace
the spinner. This means that some of your users will see the new progress bar while others will continue to see the
spinner.

December 2016
Public preview of the new Intune admin experience on Azure
In early calendar year 2017, we will be migrating our full admin experience onto Azure, allowing for powerful and
integrated management of core EMS workflows on a modern service platform that's extensible using Graph APIs. In
advance of the general availability of this portal for all Intune tenants, we're excited to announce that we will begin
rolling out a preview of this new admin experience later this month to select tenants.
The admin experience in the Azure portal will use the already announced new grouping and targeting functionality;
when your existing tenant is migrated to the new grouping experience you will also be migrated to preview the
new admin experience on your tenant. In the meantime, find out more about what we have in store for Microsoft
Intune in the Azure portal in our new documentation.
Telecom expense management integration in public preview of Azure portal
We are now beginning to preview integration with third-party telecom expense management (TEM) services within
the Azure portal. You can use Intune to enforce limits on domestic and roaming data usage. We are beginning these
integrations with Saaswedo. To enable this feature in your trial tenant, please contact Microsoft support.
New Capabilities
Multi-factor authentication across all platforms
You can now enforce multi-factor authentication (MFA) on a selected group of users when they enroll an iOS,
Android, Windows 8.1+, or Windows Phone 8.1+ device from the Azure Management Portal by configuring MFA on
the Microsoft Intune Enrollment application in Azure Active Directory.
Ability to restrict mobile device enrollment
Intune is adding new enrollment restrictions that control which mobile device platforms are allowed to enroll.
Intune separates mobile device platforms as iOS, macOS, Android, Windows and Windows Mobile.
Restricting mobile device enrollment does not restrict PC client enrollment.
For iOS only, there is one additional option to block the enrollment of personally owned devices.
Intune marks all new devices as personal unless the IT admin takes action to mark them as corporate owned, as
explained in this article.
Notices
Multi-Factor Authentication on Enrollment moving to the Azure portal
Previously, admins would go to either the Intune console or the Configuration Manager (earlier than release
October 2016) console to set MFA for Intune enrollments. With this updated feature, you will now log in to the
Microsoft Azure portal using your Intune credentials and configure MFA settings through Azure AD. Learn more
about this here.
Company Portal app for Android now available in China
We are publishing the Company Portal app for Android for download in China. Due to the absence of Google Play
Store in China, Android devices must obtain apps from Chinese app marketplaces. The Company Portal app for
Android will be available for download on the following stores:
Baidu
Huawei
Tencent
Wandoujia
Xiaomi
The Company Portal app for Android uses Google Play Services to communicate with the Microsoft Intune service.
Since Google Play Services are not yet available in China, performing any of the following tasks can take up to 8
hours to complete.

INTUNE ADMIN CONSOLE            | INTUNE COMPANY PORTAL APP FOR ANDROID       | INTUNE COMPANY PORTAL WEBSITE
Full wipe                       | Remove a remote device                      | Remove device (local and remote)
Selective wipe                  | Reset device                                | Reset device
New or updated app deployments  | Install available line-of-business apps     | Device passcode reset
Remote lock                     |                                             |
Passcode reset                  |                                             |

Deprecations
Firefox to no longer support Silverlight
Mozilla is removing support for Silverlight in version 52 of the Firefox browser, effective March 2017. As a result,
you will no longer be able to log in to the existing Intune console using Firefox versions greater than 51. We
recommend using Internet Explorer 10 or 11 to access the admin console, or a version of Firefox prior to version 52.
Intune's transition to the Azure portal will allow it to support a number of modern browsers without dependency
on Silverlight.
Removal of Exchange Online mobile inbox policies
Beginning in December, admins will no longer be able to view or configure Exchange Online (EAS) mobile mailbox
policies within the Intune console. This change will roll out to all Intune tenants over December and January. All
existing policies will stay as configured; for configuring new policies, use the Exchange Management Shell. Find out
more information here.
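Since new EAS mailbox policies must now be authored outside Intune, the following is an added example (not from the Intune docs) of creating one from the Exchange Management Shell, assigning it to a mailbox, and reading the effective settings back. It assumes an Exchange Online remote PowerShell session is already open; the policy name and user address are placeholders.

```powershell
# Added example, not part of the Intune documentation. Assumes an Exchange Online
# remote PowerShell session is already connected; names below are placeholders.

$policyName = "Contoso-Managed-Mobile"   # placeholder policy name

# Create a mobile device mailbox policy with the usual baseline: a PIN is
# required, the device locks after 5 minutes idle, wipes after 10 failed
# attempts, must support encryption, and devices that cannot enforce the
# policy (non-provisionable) are refused rather than silently exempted.
New-MobileDeviceMailboxPolicy -Name $policyName `
    -PasswordEnabled $true `
    -AllowSimplePassword $false `
    -MinPasswordLength 6 `
    -MaxInactivityTimeLock 00:05:00 `
    -MaxPasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# Assign the policy to a mailbox (placeholder user). Intune conditional access
# still decides whether the device may connect at all; this policy sets what
# the device itself must enforce once it does.
Set-CASMailbox -Identity "[email protected]" -ActiveSyncMailboxPolicy $policyName

# Read back the settings that actually apply, so the change can be verified
# against the values that were intended.
Get-MobileDeviceMailboxPolicy -Identity $policyName |
    Format-List Name, PasswordEnabled, AllowSimplePassword, MinPasswordLength,
                MaxInactivityTimeLock, MaxPasswordFailedAttempts,
                RequireDeviceEncryption, AllowNonProvisionableDevices
```

Policies created this way are not visible in the Intune console after this change, so keep the readback step as the record of what is enforced.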
Intune AV Player, Image Viewer, and PDF Viewer apps are no longer supported on Android
From mid-December 2016 on, users will no longer be able to use the Intune AV Player, Image Viewer, and PDF
Viewer apps. These apps have been replaced with the Azure Information Protection app. Find out more about the
Azure Information Protection app here.

November 2016
New capabilities
New Microsoft Intune Company Portal available for Windows 10 devices
Microsoft has released a new Microsoft Intune Company Portal app for Windows 10 devices. This app, which
leverages the new Windows 10 Universal format, will provide the user with an updated user experience within the
app and identical experiences across all Windows 10 devices, PC and Mobile alike, while still enabling all the same
functionality that they are using today.
The new app will also allow users to leverage additional platform features like single sign-on (SSO) and certificate-
based authentication on Windows 10 devices. The app will be made available as an upgrade to the existing
Windows 8.1 Company Portal and Windows Phone 8.1 Company Portal installs from the Windows Store. For more
details, go to aka.ms/intunecp_universalapp.

IMPORTANT
An Update on Intune and Android for Work While you can deploy Android for Work apps with an action of Required,
you can only deploy apps as Available if your Intune groups have been migrated to the new Azure AD groups experience.

Intune App SDK for Cordova plugin now supports MAM without enrollment
App developers can now use the Intune App SDK for Cordova plugin to enable MAM functionality without device
enrollment in their Cordova-based apps for Android and iOS. The Intune App SDK for Cordova plugin can be found
here.
Intune App SDK Xamarin component now supports MAM without enrollment
App developers can now use the Intune App SDK Xamarin component to enable MAM functionality without device
enrollment in their Xamarin-based apps for Android and iOS. The Intune App SDK Xamarin component can be
found here.
Notices
Symantec signing certificate no longer requires signed Windows Phone 8 Company Portal for upload
Uploading the Symantec signing certificate will no longer require a signed Windows Phone 8 Company Portal app.
The certificate can be uploaded independently.
Deprecations
Support for the Windows Phone 8 Company Portal
Support for Windows Phone 8 Company Portal will now be deprecated. Support for the Windows Phone 8 and
WinRT platforms was deprecated in October 2016. Support for the Windows 8 Company Portal was also
deprecated in October 2016.
See also
See What's New in Microsoft Intune for details on recent developments.
Overview of device and app lifecycles
6/19/2017 1 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

Although the needs of individual organizations might differ, there are certain common steps that all organizations
need to take on an ongoing basis, whatever their other operational needs. These can be grouped into two main
categories, which are termed lifecycles. The deployment lifecycle you follow depends on the scenario you're trying
to enable. For example, you might need only the device lifecycle or the app lifecycle, or you might need both.

For management purposes, all devices have a lifecycle. It starts when you enroll the device and extends through its
retirement. The device management lifecycle walks you through how to enroll the device, how to configure and
protect it, and then how to remove it from management.
Similarly, apps you work with have their own app lifecycle that includes steps ranging from adding an app to
Intune, all the way through to removing them when they are no longer required.
Overview of the mobile device management (MDM)
lifecycle
6/19/2017 3 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

All devices that you manage have what we call a lifecycle. Intune can help you manage this lifecycle, from
enrollment, through configuration and protection, to retiring the device when it's no longer required:

Enroll
Today's mobile device management (MDM) strategies deal with a variety of phones, tablets, and PCs (iOS, Android,
Windows, and Mac OS X). If you need to be able to manage the device, which is commonly the case for corporate-
owned devices, the first step is to set up device enrollment (Classic portal). You can also manage Windows PCs by
enrolling them with Intune (MDM) or by installing the Intune client software.

Configure
Getting your devices enrolled is just the first step. To take advantage of all that Intune offers and to ensure that
your devices are secure and compliant with company standards, you can choose from a wide range of policies.
These let you configure almost every aspect of how managed devices operate. For example, should users have a
password on devices that have company data? You can require one. Do you have corporate Wi-Fi? You can
automatically configure it. Here are the types of configuration options that are available:
Device configuration (Classic portal). These policies let you configure the features and capabilities of the
devices that you manage. For example, you could require the use of a password on Windows phones or disable
the use of the camera on iPhones.
Company resource access (Classic portal). When you let your users access their work on their personal device,
this can present you with challenges. For example, how do you ensure that all devices that need to access
company email are configured correctly? How can you ensure that users can access the company network with
a VPN connection without having to know complex settings? Intune can help to reduce this burden by
automatically configuring the devices that you manage to access common company resources.
Windows PC management policies (with the Intune client software). While enrolling Windows PCs with
Intune gives you the most device management capabilities, Intune continues to support managing Windows
PCs with the Intune client software. If you need information about some of the tasks that you can perform with
PCs, start here.

Protect
In the modern IT world, protecting devices from unauthorized access is one of the most important tasks that you'll
perform. In addition to the items in the Configure step of the device lifecycle, Intune provides these capabilities
that help protect devices you manage from unauthorized access or malicious attacks:
Multi-factor authentication. Adding an extra layer of authentication to user sign-ins can help make devices
even more secure. Many devices support multi-factor authentication that requires a second level of
authentication, such as a phone call or text message, before users can gain access.
Windows Hello for Business settings (Classic portal). Windows Hello for Business is an alternative sign-in
method that lets users use a gesture, such as a fingerprint or Windows Hello, to sign in without needing a
password.
Policies to protect Windows PCs (with the Intune client software). When you manage Windows PCs by
using the Intune client software, policies are available that let you control settings for Endpoint Protection,
software updates, and Windows Firewall on PCs that you manage.

Retire
When a device gets lost or stolen, when it needs to be replaced, or when users move to another position, it's
usually time to retire or wipe (Classic portal) the device. There are a number of ways you can do this, including
resetting the device, removing it from management, and wiping the corporate data on it.
Overview of the app lifecycle
6/19/2017 2 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

The Intune app lifecycle begins when an app is added and progresses through additional phases until you remove
the app.

Add
The first step in app deployment is to add the apps, which you want to manage and assign, to Intune. While you can
work with many different app types, the basic procedures are the same. With Intune, you can add apps for both
enrolled devices (Classic portal) and Windows PCs you manage with the Intune client software.

Deploy
After you've added the app to Intune, you can then assign it to users and devices that you manage (Classic portal).
Intune makes this process easy, and after the app is deployed, you can monitor the success (Classic portal) of the
deployment from the Intune administration console. Additionally, in some app stores, like the Apple (Classic portal)
and Windows (Classic portal) app stores, you can purchase app licenses in bulk for your company. Intune can
synchronize data with these stores so that you can deploy and track license usage for these types of apps right
from the Intune administration console.

Configure
As part of the app lifecycle, new versions of apps are regularly released. Intune provides tools to easily update apps
(Classic portal) that you have deployed to a newer version. Additionally, you can configure extra functionality for
some apps, for example:
iOS app configuration policies (Classic portal) supply settings for compatible iOS apps that are used when the
app is run. For example, an app might require specific branding settings or the name of a server to connect to.
Managed browser policies (Classic portal) help you to configure settings for the Intune managed browser,
which replaces the default device browser and lets you restrict the websites that your users can visit.

Protect
Intune gives you many ways to help protect the data in your apps. The main methods are:
Conditional access (Classic portal) controls access to email and other services based on conditions that you
specify. Conditions include device types or compliance with a device compliance policy (Classic portal) that you
deployed.
App protection policies (Classic portal) work with individual apps to help protect the company data that they
use. For example, you can restrict copying data between unmanaged apps and apps that you manage, or you
can prevent apps from running on devices that have been jailbroken or rooted.

Retire
Eventually, it's likely that apps that you deployed become outdated and need to be removed. Intune makes it easy
to retire apps from service (Classic portal).
Common ways to use Intune
6/19/2017 7 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

Before diving into implementation tasks, it's important to align your company's enterprise mobility stakeholders
around the business goals. This is important whether you're brand new to enterprise mobility or migrating from
another product.
The needs around enterprise mobility are dynamically evolving, and Microsoft's approach to addressing them is
sometimes different from other solutions in the market. The best way to align around business goals is to express
your goals in terms of the scenarios you want to enable for your employees, partners, and IT department.
Following are short introductions to the six most common scenarios that rely on Intune, accompanied with links to
more information about how to plan and deploy each of them.

NOTE
Do you want to know how Microsoft IT uses Intune to give Microsoft access to corporate resources on their mobile devices
while also keeping corporate data protected? Read this technical case study to see in detail how Microsoft IT uses Intune and
other services to manage identity, devices, and apps, and data.

IMPORTANT
In light of the recent "Trident" malware attacks on iOS devices, we want to ensure that mobile devices are up to date,
so we've published a blog post called Ensuring mobile devices are up to date using Microsoft Intune. It provides
information about the different ways that Intune can help keep your devices secure and up to date.

Protecting your on-premises email and data so it can be safely accessed by mobile devices
Most enterprise mobility strategies begin with a plan to enable secure access to email for employees with mobile
devices that connect to the Internet. Many organizations still have on-premises data and application servers, such
as Microsoft Exchange, that are hosted on their corporate network.
Intune and Microsoft Enterprise Mobility + Security (EMS) provide a uniquely integrated conditional access
solution (Classic portal) for Exchange Server, which ensures that no mobile app can access email until that device is
enrolled with Intune. You can do this all without deploying another gateway machine to the edge of your corporate
network!
Intune also supports enabling access to mobile apps that require secure access to on-premises data, such as line-
of-business app servers. This is typically done using Intune-managed certificates (Classic portal) for access control,
combined with a standard VPN gateway or proxy in the perimeter such as Microsoft Azure Active Directory
Application Proxy.
In these cases, the only way to access the corporate data is to enroll the device into management. Once the devices
are enrolled, the management system ensures that they are compliant with your policies before they can access
corporate data. Additionally, Intune's App Wrapping Tool and App SDK can help contain the accessed data within
your line of business app, so that it can't pass corporate data to consumer apps or services.

Protecting your Office 365 email and data so it can be safely accessed
by mobile devices
Protecting corporate data in Office 365 (email, documents, instant messages, contacts) could not be easier for you
or more seamless for your users.
Intune and Microsoft Enterprise Mobility + Security provide a uniquely integrated conditional access solution that
ensures no users, apps, or devices can access Office 365 data unless they meet your company's compliance
requirements (performed multi-factor authentication, enrolled with Intune, using managed app, supported OS
version, device pin, low user risk profile, etc.).
The Office mobile apps in their respective app stores are ready to go with data containment policies that you can
configure via Intune. This enables you to prevent data from being shared with apps (for example, with native email
apps) and storage locations (for example, Dropbox) that aren't managed by IT. All this functionality is built into
Office 365 and EMS. You don't have to deploy additional infrastructure to get this value.
A common Office 365 deployment practice is to require devices to enroll into management if they need to be fully
set up with corporate apps, certs, Wi-Fi, or VPN configurations, a common scenario for corporate-owned devices.
However, if the user simply needs to access corporate email and documents, which is often the case for personally
owned devices, then you can require the user to use the Office mobile apps (to which you have applied app
protection policies (Classic portal) and skip enrolling the device altogether!
Either way, the Office 365 data will be secured by policies you've defined.

Offer a bring your own device program to all employees
Bring your own device (BYOD) continues to grow in popularity among organizations as a means to reduce
hardware expenditures or increase mobile productivity choices for employees. Just about everyone has a personal
phone these days so why put another one in their pocket? The main challenge has always been to convince
employees to enroll their personal device into management, as they are fearful of what their IT department will be
able to see and do with their device.
When device enrollment is not a viable option, Intune offers an alternative BYOD approach of simply managing the
apps that contain corporate data (Classic portal). Intune protects the corporate data even if the app in question
accesses both corporate and personal data, as is the case for Office mobile apps.
As an administrator, you can require users to access Office 365 from the Office mobile apps and configure the apps
with policies that keep the data protected (such as encrypting it, protecting it with a pin, and so on). These policies
prevent data loss from unmanaged apps and storage locations--inside or outside of those apps. For example, the
policies prevent a user from copying text from a corporate email profile into a consumer email profile even if both
profiles are configured within Outlook Mobile. Similar configurations can be deployed for other services and
applications that are required by your BYOD users.

Issue corporate-owned phones to your employees
Many employees are mobile these days, making productivity on mobile devices an imperative to be competitive.
These employees need seamless access to all corporate apps and data, at any time, wherever they are. You need to
ensure that corporate data is secure and administrative costs are low.
Intune offers bulk provisioning and management solutions (Classic portal) that are integrated with the major
corporate device management platforms on the market today, including the Apple Device Enrollment Program and
the Samsung KNOX mobile security platform. Centralized authoring of device configurations with Intune helps
make provisioning of corporate devices something that can be highly automated.
Picture this: hand an employee an unopened iPhone box. The employee powers it on and is walked through a
corporate-branded setup flow where they must authenticate themselves. The iPhone is seamlessly configured with
security policies (Classic portal).
Then the employee launches the Intune Company Portal app to access the optional corporate apps that are
available to them.

Issue limited-use shared tablets to your employees
Employees are increasingly making use of mobile technologies. For example, shared tablets are now commonly
used by retail store employees. Whether they're used to process a sale or instantly check inventory, tablets help
create great customer interactions.
Simplicity of the user experience is critical in this case. For this reason, tablets are usually handed to employees in a
limited-use mode, such that a single line-of-business app is the only thing that the employee can interact with.
Intune enables you to bulk provision, secure, and centrally manage these shared iOS and Android (Classic portal)
devices that can be configured to run in this limited-use mode.

Enable your employees to securely access Office 365 from an unmanaged public kiosk
Sometimes your employees need to use devices, apps, or browsers that you can't manage, such as the public
computers at trade shows and in hotel lobbies.
Should you allow your employees to access corporate email from them? With Intune and Microsoft Enterprise
Mobility + Security, the answer can simply be no, by limiting email access to devices that are managed by your
organization (Classic portal). This ensures that your strongly authenticated employee doesn't accidentally leave
corporate data on the untrusted computer.
Known issues in Microsoft Intune
6/28/2017 4 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

Use this topic to learn about any known issues in Microsoft Intune.
If you want to report a bug that is not listed here, open a support request.
If you want to request a new feature for Intune, consider filing a report on our Uservoice site.

Migration
Groups created by Intune during migration might affect functionality of other Microsoft products
When you migrate from classic Intune to the Azure portal, you might see a new group named All Users - b0b08746-
4dbe-4a37-9adf-9e7652c0b421. This group contains all users in your Azure Active Directory, not only Intune
licensed users. This can cause issues with other Microsoft products if you expect some existing or new users
to not be a member of any groups.
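Before relying on "this user is in no groups" anywhere else, it is worth confirming what the migration-created group actually contains. The following is an added audit check (not from the Intune docs) using the AzureAD PowerShell module: it finds groups whose display name starts with the prefix the docs give, counts the user members, and compares that with the tenant's user total. The prefix search and the field names are assumptions about the module's behaviour, not something the docs state.

```powershell
# Added audit check, not part of the Intune documentation. Assumes the AzureAD
# PowerShell module is installed; Connect-AzureAD prompts for credentials.
Connect-AzureAD | Out-Null

# The docs name the group "All Users - b0b08746-4dbe-4a37-9adf-9e7652c0b421".
# Search on the prefix so the check still finds it if the suffix differs.
$groups = Get-AzureADGroup -SearchString "All Users - "

# Total directory users, used to tell whether the group really is "everyone".
$tenantUsers = (Get-AzureADUser -All $true).Count

foreach ($g in $groups) {
    # -All is required; without it only the first page of members is returned.
    $members   = Get-AzureADGroupMember -ObjectId $g.ObjectId -All $true
    $userCount = @($members | Where-Object { $_.ObjectType -eq 'User' }).Count

    [PSCustomObject]@{
        Group       = $g.DisplayName
        ObjectId    = $g.ObjectId
        MemberUsers = $userCount
        TenantUsers = $tenantUsers
        IsEveryone  = ($userCount -eq $tenantUsers)
    }
}
```

If IsEveryone is true, any product or policy that targets "users in no groups" no longer applies to anyone; review what is assigned to this group before deciding whether to keep it.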
Secondary migration required for select capabilities
Intune accounts created before January 2017 must be migrated before these capabilities can be used in the Azure
portal:
Corporate Device Enrollment profiles
Apple Device Enrollment Program
Corporate Pre-enrolled devices by iOS Serial Number group
Device Enrollment Managers
Apple Volume Purchase Program
Because these capabilities cannot be managed from both the classic Silverlight and Azure consoles, the migration:
Disables them in the classic console
Enables them in the Azure console.
If you now manage these Intune capabilities in the Azure portal, be aware of the following points:
Removes default Corporate Device Enrollment profiles in Apple DEP
The Azure Portal does not support a default Corporate Device Enrollment profile for Apple Device Enrollment
Program (DEP) devices. This functionality, available in the classic Silverlight Intune console, is discontinued to
prevent unintentional profile assignment. When DEP serial numbers sync in the Azure Portal, no Corporate Device
Enrollment profile is assigned. An enrollment profile must be assigned before using the device.
Apple DEP token restored with migration
If you deleted an Apple Device Enrollment Program token in the Intune classic (Silverlight) portal and do not upload
a new token to the Azure portal, the original token is restored in the Azure portal when you migrate. To remove this
token and prevent DEP enrollment, delete the token from the Azure portal.
Status blades for migrated policies do not work
You cannot view status information for policies that were migrated from the classic portal in the Azure portal.
However, you can continue to view reports for these policies in the Classic portal. To view status information for
migrated configuration policies, recreate them in the Azure portal.

Apps
iOS volume-purchased apps only available in default Intune tenant language
iOS volume-purchased apps are displayed, and can be assigned, only for the same country code as your Intune
account. Intune only syncs apps from the same iTunes locale as the Intune tenant account country code. For example,
if you purchase an app that is only available in the US store, but your Intune account is German, Intune will not
show that app.
Multiple copies of the same iOS volume-purchase program are uploaded
Do not click the Upload button multiple times for the same VPP token. This will result in duplicate VPP tokens
being uploaded, and apps syncing multiple times for the same VPP token.

Device configuration
You cannot save a Windows Information Protection policy for some devices
For devices not enrolled with Intune, you can only specify a primary domain in the Corporate Identity field in the
settings for a Windows Information Protection policy. If you add additional domains (using Advanced settings >
Network perimeter > Add a protected domain), you cannot save the policy. The error message you see will
soon be changed to be more accurate.
Cisco AnyConnect VPN client support
The latest release of the Cisco AnyConnect VPN client (4.0.07072) is not currently compatible with Intune. A future
Intune update will include compatibility with this VPN client version. Until then, we recommend that you do not
update your Cisco AnyConnect VPN client, and continue to use the existing version.
Using the numeric password type with macOS Sierra devices
Currently, if you select the Numeric Required password type in a device restriction profile for macOS Sierra
devices, it is enforced as Alphanumeric. If you want to use a numeric password with these devices, do not
configure this setting. This issue might be corrected in a future version of macOS.
For more information about these settings, see macOS device restriction settings in Microsoft Intune.

Compliance
Compliance policies from Intune do not show up in new console
Compliance policies you created in the classic portal are migrated, but are not displayed in the Azure portal because
of design changes in the Azure portal. Compliance policies you created in the classic Intune portal are still enforced,
but you must view and edit them in the classic Intune portal. Additionally, new compliance policies you create in the
Azure portal are not visible in the classic Intune portal.
For more information, see What is device compliance.

Administration and accounts
Global Admins (also referred to as Tenant Admins) can continue day-to-day administration tasks without a separate
Intune or Enterprise Mobility Suite (EMS) license. However, to use the service, such as to enroll their own device, a
corporate device, or use the Intune Company Portal, they need an Intune or EMS license.
How to get support for Microsoft Intune
6/27/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

Microsoft provides global technical, pre-sales, billing, and subscription support for Microsoft Intune. Support is
available both online and by phone for paid and trial subscriptions. Online technical support is available in English
and Japanese. Phone support and online billing support are available in additional languages.

IMPORTANT
For technical support with products that work with Intune but are not made by Microsoft (for example, SaaSwedo, Cisco, or
Lookout), contact the supplier of that product first. Before you open a request with Intune support, ensure you have
configured the other product correctly.

Create an online support ticket


As an IT admin, you can file a support ticket from the Azure portal by using the following steps:
1. Log on to the Azure portal (https://portal.azure.com) with your Intune admin credentials, choose the ? icon
   in the upper-right corner of the portal, and then select Help + support to go to the Azure Help + support
   page.
2. On the Azure Help + support page, select New support request.
3. On the Basics blade, for most Intune technical support issues, choose the following options:
      Issue type: Technical
      Service: Microsoft Intune
      Support plan: Technical support - included (for Intune technical issues, support is complimentary)

   IMPORTANT
   Support for Intune, and for Intune when used with Configuration Manager, is free of charge. To review details
   of the Premier Support offering, please see the Description of Services documentation, section 5.3.3 "Advisory
   Services."

   Choose Next to continue.
4. On the Problem blade, to ensure your request is addressed by the right subject matter expert for your
   problem, select the following options:
      Severity
      Problem type
      Category
   These details also let us provide Related help that might solve your problem without filing a ticket.
   To help us research and resolve your problem, enter the following information:
      Details
      Date
      Time
      Supplemental data
   Choose Next.
5. Provide Contact information for this support request. Microsoft support uses this information to contact you.
6. Choose Create to submit your support request.

IMPORTANT
If you have a billing or subscription question, you can open a case to get support through the Office Admin Center.

Additional resources
Contact assisted phone support for Microsoft Intune
Volume Licensing Service Center
Billing and subscription management support
Volume licensing
Intune deployment planning, design, and
implementation guide
6/19/2017

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

A successful Intune deployment starts with having a good plan and design. The purpose of this guide is to step you
through the process of developing a deployment plan, creating a design, onboarding Intune, and conducting a
production rollout.

What's included in this guide?


This guide includes sections that will walk you through the end-to-end process of deploying Intune. Start with
Section 1 to clarify your goals, objectives, and challenges. Then move on to Sections 2 through 7 in the order that best
meets your needs. You don't need to work through these sections sequentially; you can complete them in parallel.
Section 1: Determine deployment goals, objectives, and challenges
Section 2: Identify use case scenarios
Section 3: Determine use case requirements
Section 4: Develop a rollout plan
Section 5: Develop a rollout communication plan
Section 6: Develop a support plan
Section 7: Create an Intune design
Section 8: Intune implementation
Section 9: Testing and validation
This guide also provides additional technical information and table templates that can be used to assist you with
the Intune deployment planning, design, and implementation process.
Additional resources: Links and table templates

Assumptions
You've already evaluated Intune in a proof of concept (PoC) environment, and have decided to use it as the
mobile device management solution in your organization.
You're already familiar with Intune and its features.

Next steps
Let's get started with the first section: Determine deployment goals, objectives, and challenges.
Determine deployment goals, objectives, and
challenges
6/19/2017

Having a good deployment plan begins with first identifying your organization's deployment goals and objectives,
along with potential challenges. Let's discuss each area in more detail.

Deployment goals
Deployment goals are the long-term achievements you intend to gain by deploying Intune in your organization.
Listed below are some examples of such goals along with the description and business value for each.
Integrate with Office 365 and support the use of Office mobile apps
   Description: Provide tight integration with Office 365 and the use of Office mobile applications with
   application protection.
   Business value: Secure and improved user experience by allowing users to use apps they are
   familiar with and prefer.
Enable access to internal corporate services on mobile devices
   Description: Enable employees to be productive wherever they need to work from, and with
   whichever device is most appropriate for them. This project should look to enable mobile
   productivity and access to corporate data in a safe manner.
   Business value: Enabling employees to be agile and work from where they need allows the business
   to be more competitive and to provide a more rewarding working environment.
Provide data protection on mobile devices
   Description: When data is stored on a mobile device, it should be protected from malicious and
   accidental loss or sharing.
   Business value: Data protection is vital to ensure that we remain competitive, and that we treat our
   clients and their data with the utmost diligence.
Reduce costs
   Description: When possible, the project reduces deployment and operating costs.
   Business value: The efficient use of resources enables the business to invest in other areas, compete
   more effectively, and provide better service to clients.

Deployment objectives
Deployment objectives are the actions your organization can take to reach its Intune deployment goals. Below are
listed some examples of deployment objectives, and how each would be accomplished.
Reduce the number of device management solutions
   Implementation: Consolidate to a single mobile device management solution: Microsoft Intune for
   corporate data protection of apps and devices.
Provide secure access to Exchange and SharePoint Online
   Implementation: Apply conditional access for Exchange and SharePoint Online.
Prevent corporate data from being stored or forwarded to non-corporate services on the mobile
device
   Implementation: Apply Intune app protection policies for Microsoft Office and line-of-business apps.
Provide capability to wipe corporate data from the device
   Implementation: Enroll devices into Intune. This gives you the capability to perform a remote wipe of
   corporate data and resources when appropriate.

Deployment challenges
Deployment challenges are issues that are top of mind for an organization and that may have a negative impact on
deployment. Sometimes they are related to past issues from previous projects that you would like to avoid or new
issues related to the current deployment effort. Listed below are some examples of Intune deployment challenges
along with potential mitigations.
Support readiness and end-user experience are not included in an initial project scope. This leads to poor
end-user adoption and challenges for your support organization.
   Mitigation: Incorporate support training. Validate the end-user experience with success metrics in your
   deployment plan.
Lack of clearly defined goals and success metrics leads to intangible results. It may also shift your
organization into reactive mode when issues arise.
   Mitigation: Define your goals and success metrics early in your project scope, and use these data points
   to flesh out your other rollout phases. Make sure goals are SMART (Specific, Measurable, Attainable,
   Realistic, and Timely). Plan to measure against your goals at each phase and to ensure your rollout
   project stays on track.
You neglect to create, validate, and aggressively share a clear value proposition that resonates for your
organization. This often leads to limited adoption and a lack of return on investment (ROI).
   Mitigation: While you may be excited to jump into your project, ensure you have clearly defined your
   goals and objectives. Include these in all awareness and training activities to help ensure users
   understand why your organization selected Intune.

Next steps
Now that you have identified your deployment goals, objectives, and potential challenges, let's move to the next
section: Identify use case scenarios.
Identify mobile device management use-case
scenarios
6/19/2017

Identifying your use-case scenarios is an important part of the planning process for a successful Intune
deployment. Use-case scenarios are helpful because they let you segment your users into manageable groups by
user type or role, and the ownership of the user's device (for example, company or personal).
Let's discuss a few examples to help your organization identify Intune use-case scenarios, as well as organizational
groups, and mobile device platforms associated with each use case.

Device ownership
You can begin by referring to your organization's Intune deployment goals and objectives to help identify the main
use-case scenarios for your deployment. Within the scope of your Intune deployment plan, answer the following
questions:
Are you planning to support corporate owned devices?
Are you planning to support personally owned devices (BYOD)?
These are not either/or options. You may find you need to support both forms of device ownership to meet your
organizational goals. The sub-use-cases will help clarify where to apply the different device management policies.
User type or device role
Determine if each use-case scenario also includes sub-use-cases. For example, your organization may have
identified requirements to support a corporate use-case scenario that includes additional sub-use-cases based on
user type or device role, such as:
Information worker
Executive
Kiosk
Here are a few examples of use-case and sub-use-case scenarios:

USE CASES | SUB-USE CASES
--------- | ------------------
Corporate | Information worker
Corporate | Executives
Corporate | Kiosk
BYOD      | Information worker
BYOD      | Executives

You can download a template of the above table to enter your organization's use-case and sub-use-case scenarios.
Organizational groups for your scenarios
Now you need to identify the organizational groups that are associated with each use-case and sub-use-case
scenario. For example:

USE CASES | SUB-USE CASES      | ORGANIZATIONAL GROUPS
--------- | ------------------ | ---------------------
Corporate | Information worker | HR, Finance
Corporate | Executive          | HR, Finance
Corporate | Kiosk              | Retail
BYOD      | Information worker | Marketing, Sales
BYOD      | Executive          | Marketing, Sales

Mobile device platforms for your scenarios


The next step is to identify the mobile device platforms associated with each use-case scenario. There may be more
than one.
For example, your corporate use-case scenario may support iOS and Android Samsung KNOX device platforms.
Your BYOD policy may include support for additional mobile device platforms like Android (non-Samsung KNOX)
and Windows 10 Mobile. Building on the preceding examples, we've associated mobile device platforms with each
use-case scenario.

USE CASES | SUB-USE CASES      | GROUPS           | DEVICE PLATFORMS
--------- | ------------------ | ---------------- | ----------------
Corporate | Information worker | HR, Finance      | iOS
Corporate | Executives         | HR, Finance      | iOS
Corporate | Kiosk              | Retail           | Android
BYOD      | Information worker | Marketing, Sales | iOS
BYOD      | Executives         | Marketing, Sales | iOS

Next steps
The next section provides guidance on how to identify the Intune requirements for each use case scenario.
Determine use-case scenario requirements
6/19/2017

In this section, you determine the requirements for each organizational group within each use-case scenario. This
process helps you prepare for the other Intune deployment planning areas like architecture and design,
onboarding, and rollout. It can also help identify potential gaps and challenges related to your Intune deployment
project.
You might have different sets of requirements for each of your use-case and sub-use-case scenarios, and their
associated organizational groups and mobile device platforms. For example, your corporate use-case scenario
requirements might require devices to enroll into Intune with a more restrictive set of device settings, like a PIN of
6 characters or disabled cloud backup. Your "bring your own device" (BYOD) use-case scenario, may be less
restrictive and allow a 4-character PIN and cloud backup.
You may also have organizational groups for the corporate use-case scenario that have different sets of
requirements (for example, PIN settings, Wi-Fi or VPN profile, apps deployed). Your requirements may also be
determined by the capabilities of the mobile device platform (for example, finger print reader, email profile).
Here are a few examples of an organization's use-case requirements, showing different sets of requirements for
each use-case and sub-use-case scenario, organizational group, and mobile device platform. You can also use the
following table to enter your organization's use-case requirements:

USE CASES | SUB-USE CASES      | GROUPS           | DEVICE PLATFORMS | REQUIREMENTS
--------- | ------------------ | ---------------- | ---------------- | ---------------------------------------------
Corporate | Information worker | HR, Finance      | iOS              | Secure e-mail, device settings, profiles, apps
Corporate | Executives         | HR, Finance      | iOS              | Secure e-mail, device settings, profiles, apps
Corporate | Kiosk              | Retail           | Android          | Device settings, profiles, apps
BYOD      | Information worker | Marketing, Sales | iOS              | Secure e-mail, device settings, profiles, apps
BYOD      | Executives         | Marketing, Sales | iOS              | Secure e-mail, device settings, profiles, apps

You can download a template of the above table to enter your organization's use-case and sub-use-case
requirements.

Examples of requirements
Here are a few more examples that can be used in the "Requirements" column:
Secure e-mail
   Conditional access for Exchange Online / on-premises
   Outlook app protection policies
Device settings
   PIN setting with four or six characters
   Restrict cloud backup
Profiles
   Wi-Fi
   VPN
   Email (Windows 10 Mobile)
Apps
   Office 365 with app protection policies
   Line of business (LOB) with app protection policies

Next section
The next section provides guidance on how to develop an Intune rollout plan.
Develop a rollout plan
6/19/2017

Your rollout plan identifies the organizational groups you want to target for your Intune rollout, the rollout
timeframe for each group, and the enrollment approaches you will use.

Targeted groups and timeframes


First, review the groups that are targeted with your Intune rollout and that you identified in your use-case
scenarios.
Second, determine the time frame for each targeted group. This task typically requires a discussion between the
Intune deployment team and the targeted groups to determine the most appropriate rollout time frame for each
group. Points to cover in such a discussion include:
The group's willingness for change
The number of users and devices
Types of device platforms
Requirements
Geographic location
Business risk

Rollout phases
Organizations commonly choose to start the Intune rollout with an initial pilot, targeting a small group of users in
the IT department. The pilot can be expanded to include a broader set of IT users and may include participation
from other organizational groups.
Pilot
The first rollout phase should be a pilot. The pilot users should understand that they are the first users of a
new solution. They must be willing to provide feedback to help improve configuration, documentation, and
notifications, and to ease the way for all other users in later rollout phases. These users should not be executives or
VIPs.
The pilot is a good opportunity for you to test the challenges and refine requirements you gathered earlier.
Include your communication plan, support plan, and testing and validation to work out any problems while the
impact to users is still small.
Production rollout
After a successful pilot, you're ready to start a full production rollout, targeting the rest of your organizations
groups. Some examples of different rollout groups and phases are:
Departments
Each department can be a rollout phase. You target an entire department at a time. In this type of rollout,
users in each department tend to use the mobile device in the same way and access the same applications.
Users will likely have the same types of policies.
Geography
In this approach, you deploy to all users in a specific geography, whether it's the same continent, country,
region, or the same company's building. This type of phased deployment lets you focus on the specific location
of users. This could let you provide more of a white glove approach because the number of locations
deploying Intune at the same time is reduced. Because there are chances of different departments or use
cases being at the same location, different use cases might be deployed at the same time.
Platform
This type of deployment consists of deploying similar platforms at the same time. An example might be all
iOS devices the first month, followed by Android, followed by Windows. This type of phased deployment
helps simplify helpdesk support because helpdesk would only have to support a single platform at a time.
Here's an example of an Intune rollout plan that includes targeted groups and timelines:

ROLLOUT PHASE              | JULY                                     | AUGUST                           | SEPTEMBER           | OCTOBER
-------------------------- | ---------------------------------------- | -------------------------------- | ------------------- | ----------------------------------------------------------
Limited Pilot              | IT (50 users)                            |                                  |                     |
Expanded Pilot             | IT (200 users), IT Executives (10 users) |                                  |                     |
Production rollout phase 1 |                                          | Sales and Marketing (2000 users) |                     |
Production rollout phase 2 |                                          |                                  | Retail (1000 users) |
Production rollout phase 3 |                                          |                                  |                     | HR (50 users), Finance (40 users), Executives (30 users)

You can download a template of the above table to enter your organization's rollout phases.

Match rollout groups to enrollment approaches


Now that you have determined the targeted groups and time frames for your Intune rollout, the next step is to
choose the most appropriate Intune enrollment approach for each group. There are different enrollment
approaches you can use including:
User self-service
User assisted-enrollment
IT tech fair
User self-service
In this case, the user is responsible for enrolling their own device, usually following enrollment instructions
provided by their IT organization. This approach is most commonly used in organizations and is more scalable
than user-assisted enrollment.
User-assisted enrollment
This is known as a "white glove" approach. An IT team member helps the user through the enrollment process, in
person or with Skype. This approach is commonly used with executive staff and other groups that might need
more assistance during the enrollment process.
IT tech fair
Another option for Intune user enrollment is to have an IT technical fair. At this event, the IT group sets up an
Intune enrollment assistance booth where users could receive information on Intune enrollment, ask questions,
and receive assistance with the enrollment process. This option can be beneficial for both the IT group and users,
especially during early phases of Intune rollout.
Here's an updated example of the above Intune rollout plan that includes enrollment approaches:

ROLLOUT PHASE              | JULY          | AUGUST              | SEPTEMBER | OCTOBER
-------------------------- | ------------- | ------------------- | --------- | -----------------------
Limited Pilot              |               |                     |           |
   Self-service            | IT            |                     |           |
Expanded Pilot             |               |                     |           |
   Self-service            | IT            |                     |           |
   White glove             | IT Executives |                     |           |
Production rollout phase 1 |               | Sales, Marketing    |           |
   Self-service            |               | Sales and Marketing |           |
Production rollout phase 2 |               |                     | Retail    |
   Self-service            |               |                     | Retail    |
Production rollout phase 3 |               |                     |           | HR, Finance, Executives
   Self-service            |               |                     |           | HR, Finance
   White glove             |               |                     |           | Executives

Next section
The next section provides guidance on developing an Intune rollout communication plan.
Develop a rollout communication plan
6/22/2017

Good change management relies on clear and helpful communications about the upcoming changes. To smooth
the path of your Intune deployment, your rollout communication plan should include four areas:
What information is to be communicated
The delivery method used for the communications
Who receives the communications
The timeline for communications
Let's review each area in more detail.

What needs to be communicated?


What information to communicate depends on where you are in the Intune rollout process. You might decide to
communicate in waves to your organizational groups and users, starting with an Intune rollout kickoff, followed by
pre-enrollment, enrollment, and post-enrollment communications. Let's discuss the type of information that could
be communicated in each wave.
Kickoff wave
Broad communications that introduce the Intune project itself. It should answer questions like what is Intune, why
the organization is adopting Intune (benefits to the organization and users), and provide a high-level plan of the
deployment and rollout.
Pre-enrollment wave
Broad communications that include additional information about Intune and complementary offerings (for
example, Office, Outlook, OneDrive), user resources, and specific timelines for when organization groups and users
are scheduled to receive Intune.
Enrollment wave
Communications targeting organization groups and users that are scheduled to receive Intune. These should
inform the users that they are ready to receive Intune and provide enrollment instructions along with contact
information for getting assistance or asking questions.
Post enrollment wave
Communications targeting organization groups and users that have enrolled in Intune. These should provide
additional resources that might be helpful to the user, and collect feedback about their experience during and after
enrollment.
You may find this end-user enrollment guide helpful. You can use it as is or modify for your organization.

Communication delivery methods


There are several delivery methods you can use to communicate Intune rollout information to your targeted
organizational groups and users. The following list shows some examples and the wave you can use the method
with:
Organizational-wide in-person or Skype meetings used for kickoff wave
Email used for pre-enrollment, enrollment, and post-enrollment waves
Organization web sites used for all waves
Yammer, posters, and flyers used for kickoff and pre-enrollment waves

Communications timeline
After determining what you need to communicate and the methods you will use, determine the timeline for your
communications that includes when and who would receive the communications.
For example, the initial Intune project kickoff communications can target the entire organization or just a subset,
and take place over several weeks before the Intune rollout begins. After that, information could be communicated
in waves to organizational groups and users, aligned with their Intune rollout schedule. The following example is a
sample high-level Intune rollout communications plan:

COMMUNICATION PLAN    | JULY        | AUGUST              | SEPTEMBER   | OCTOBER
--------------------- | ----------- | ------------------- | ----------- | ---------------------------
Wave 1                | All         |                     |             |
Kickoff meeting       | First week  |                     |             |
Wave 2                | IT          | Sales and Marketing | Retail      | HR, Finance, and Executives
Pre-rollout Email 1   | First week  | First week          | First week  | First week
Wave 3                | IT          | Sales and Marketing | Retail      | HR, Finance, and Executives
Pre-rollout Email 2   | Second week | Second week         | Second week | Second week
Wave 4                | IT          | Sales and Marketing | Retail      | HR, Finance, and Executives
Enrollment email      | Third week  | Third week          | Third week  | Third week
Wave 5                | IT          | Sales and Marketing | Retail      | HR, Finance, and Executives
Post-enrollment email | Fourth week | Fourth week         | Fourth week | Fourth week

You can download a template of the above table to develop your communication plan.

Next section
The next section provides guidance on developing a support plan.
Develop a support plan
6/22/2017

Having an Intune support plan can help you identify and resolve Intune related issues more effectively. This, in
turn, improves your users' overall Intune experience. Here are some questions to consider as you develop your
Intune support plan:
Which teams will be responsible for providing Intune support?
What process will be used to provide Intune support?
How do you plan to provide Intune support training?
What are the opportunities to involve the support team early in the Intune deployment process?
Let's review each area in more detail.

Which teams are responsible for providing support


Organizations may have different tiers or levels (1-3) of support. For example, tiers 1 and 2 may be part of the
support team, and tier 3 might include members of the MDM team responsible for the deployment of Intune.
Tier 1 is normally the first level of support and typically the first tier to be contacted by the user for support
requests. If tier 1 is unable to resolve the end user's issue, they escalate it to tier 2. Tier 2 escalates it to tier 3 if
needed. In addition, Microsoft support may be considered as tier 4.
Learn more about Intune support.

What is the support process


For the initial production rollout phases, you could have all three tiers participating in a bridge or Skype call. Here's
one example of how an organization could implement its IT support or helpdesk workflow:
1. End-user contacts IT support or helpdesk tier 1 with an enrollment issue.
2. IT support or helpdesk tier 1 is unable to determine the root cause and escalates to tier 2.
3. IT support or helpdesk tier 2 investigates, but is unable to resolve the issue and escalates to tier 3, providing
additional information to assist with the investigation.
4. IT support or helpdesk tier 3 investigates further, determines the root cause, and communicates the
resolution to tier 2 and 1.
5. IT support/helpdesk tier 1 then contacts the customer and resolves their issue.
This type of approach, especially in early stages of the Intune rollout, adds many benefits, including:
Assisting in technology learning and ramp up.
Quickly identifying issues and resolution.
Improving the overall user experience.

How you plan to provide Intune support training


It's important to provide Intune technical training for your IT support or helpdesk staff so that the training is at an
appropriate level and applies to the specific support tier and their responsibilities. You could have the Intune MDM
team conduct this training to the support leads (training the trainer), then have the leads provide this training to
their support team members. This training can typically be provided in 2-3 hours, and it includes lecture and labs.
An example of an Intune support training agenda is provided below.
Intune support plan review
Intune overview
Troubleshooting common issues
Tools and resources
Q&A
The Intune documentation provides an Intune overview, detailed feature descriptions, and some troubleshooting
information. The Intune forum is a community-based resource for questions and topics not covered in the Intune
documentation.

What opportunities are there to involve the support team earlier?


Involving your IT support/helpdesk staff in early stages of Intune deployment planning and pilot efforts can
improve your Intune deployment and end-user adoption. Early involvement provides your support staff with
exposure to Intune and valuable experience from the beginning. This helps prepare your IT support/helpdesk staff
for supporting the organization's full production rollout.

Next section
The next section provides guidance on designing Intune.
Create a design
6/19/2017

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

This section of the guide should be used in parallel with the other topics in Section 2. The design is based on the
information you collect and the decisions you make when completing the previous sections of this guide. In this design
section, we focus on Intune standalone, which is a Microsoft cloud-based service.
Although there are minimal on-premises infrastructure requirements, work on a design plan to make sure you have
the right mobile device management solution that meets your goals, objectives, and requirements.
Additionally, it's common to have design changes during the implementation and testing phases; make sure to
document these changes, and the rationale behind them, as they occur. The design includes the following areas:
The current environment
Intune deployment options
Identity requirements for external dependencies
Device platform considerations
Requirements to be delivered
Let's review each of these areas in more detail.

Record your environment


The first step before you can create your design is to record your current environment. The current environment
can influence design decisions and should be documented and referenced when making other Intune design
decisions. Below are few examples of how to record the current environment:
Identity in the cloud
   Do you use DirSync or Azure Active Directory (Azure AD) Connect?
   Is your environment federated?
   Is multi-factor authentication enabled?
Email environment
   Is Exchange being used? Is it on-premises or in the cloud?
   Are you in the middle of a project to migrate Exchange to the cloud?
Current MDM solution
   Are you currently using other MDM solutions?
   What MDM solutions are you using for corporate and BYOD use case scenarios?
   What capabilities are you using (e.g. app device settings, Wi-Fi configurations, etc.)?
   What device platforms are supported?
   What groups and how many users are using the MDM solution?
Certificate solution
   Have you implemented a certificate solution?
   What type of certificates do you use?
Systems management
   How are you managing your PC and server environment?
   Is System Center Configuration Manager being used? Are you using a third-party system
   management platform?
VPN solution
   What is your VPN solution?
   Is it used for both corporate and BYOD use case scenarios?
When recording the current MDM environment, make sure to note any projects or other plans in place that could
make changes to your environment. Below is an example of a way to record the current environment to assist
when creating your Intune design:

SOLUTION AREA        | CURRENT ENVIRONMENT                                  | COMMENTS
-------------------- | ---------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------
Identity             | Azure AD, Azure AD Connect, not federated, no MFA    | Project in place to enable MFA by end of year
Email environment    | Exchange on-premises, Exchange Online                | Currently migrating from Exchange on-premises to Exchange Online. 75% of mailboxes migrated. Last 25% will be migrated before Intune pilot begins.
SharePoint           | SharePoint on-premises                               | No plans to move to SharePoint Online
Current MDM          | Exchange ActiveSync                                  |
Certificate solution | Microsoft Server 2012 R2, AD Certificate Services    | Only use PKI for web site servers
System management    | System Center Configuration Manager CB 1606          | Would like to investigate Intune hybrid solution
VPN solution         | Cisco AnyConnect                                     |
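The identity, email, and current-MDM rows of the table above can be filled in from the tenant rather than from memory. The following script is an added example and is not part of the Intune documentation or of any Microsoft tool; it uses the MSOnline module and assumes a Connect-MsolService session already exists for a Global Admin. The Exchange Online checks only run if an Exchange remote session (Get-Mailbox and Get-MobileDevice) has been imported into the same PowerShell session. Conditional-access-based MFA is not visible through these cmdlets, so the MFA count covers per-user MFA only.

```powershell
# Added example (not from the Intune documentation): collect the answers to the
# identity, email and current-MDM questions from the "Record your environment"
# list into one object that can be pasted into the design table.
# Assumes: MSOnline module loaded and Connect-MsolService already run.

$record = [ordered]@{}

# Identity: is directory synchronization (DirSync / Azure AD Connect) enabled,
# and when did it last run?
$company = Get-MsolCompanyInformation
$record['DirectorySyncEnabled'] = $company.DirectorySynchronizationEnabled
$record['LastDirSyncTime']      = $company.LastDirSyncTime

# Identity: which verified domains are federated (e.g. AD FS) and which are managed?
$verified = Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }
$record['FederatedDomains'] = ($verified | Where-Object { $_.Authentication -eq 'Federated' } |
                               Select-Object -ExpandProperty Name) -join ', '
$record['ManagedDomains']   = ($verified | Where-Object { $_.Authentication -eq 'Managed' } |
                               Select-Object -ExpandProperty Name) -join ', '

# Identity: how many users have per-user multi-factor authentication enabled or
# enforced? Wrapped in @() so a single result still has a .Count.
$users = Get-MsolUser -All
$record['TotalUsers']   = @($users).Count
$record['UsersWithMfa'] = @($users | Where-Object { $_.StrongAuthenticationRequirements.Count -gt 0 }).Count

# Email and current MDM: only possible when an Exchange Online session is loaded.
# Get-MobileDevice lists devices partnered through Exchange ActiveSync, which is
# the "Current MDM" in the example table.
if (Get-Command Get-Mailbox -ErrorAction SilentlyContinue) {
    $record['CloudMailboxes'] = @(Get-Mailbox -ResultSize Unlimited).Count
    $record['EasDevices']     = @(Get-MobileDevice -ResultSize Unlimited).Count
}
else {
    $record['CloudMailboxes'] = 'n/a (no Exchange Online session)'
    $record['EasDevices']     = 'n/a (no Exchange Online session)'
}

$environment = [pscustomobject]$record
$environment | Format-List

# Keep a dated copy alongside the design document so later design changes can
# be compared against the environment as it was when the design was written.
$environment | Export-Csv -Path ".\intune-environment-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it once before the design is written and again before the pilot begins; the two CSV files make it easy to see whether an in-flight project (such as the Exchange migration or the MFA rollout in the example table) has changed the environment the design depends on.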

Choose an Intune deployment option


Intune offers two deployment options: standalone and hybrid. Decide which one fits your business requirements.
Standalone refers to Intune service running in the cloud, hybrid refers to the integration of Intune with System
Center Configuration Manager.
Learn more about choosing between Microsoft Intune standalone and hybrid mobile device management with
System Center Configuration Manager
Intune tenant location
If your organization has a global presence, make sure to plan where your tenant resides when subscribing to the
service. The country is defined when you sign up for an Intune subscription for the first time, and maps to one of the
regions listed below:
North America
Europe, Middle East, and Africa
Asia and Pacific

IMPORTANT
It's not possible to change the country and tenant location later.

External dependencies
External dependencies are services and products that are separate from Intune, but are either a requirement of
Intune or might integrate with Intune. It's important to identify the requirements for any external dependencies and
how they are to be configured. Some examples of common external dependencies are listed below.
Identity
User and device groups
PKI
Let's explore these common external dependencies in more detail.
Identity
Identity is how we identify the users who belong to your organization and are enrolling a device. Intune requires
Azure Active Directory (Azure AD) as the user identity provider. If you already use this service, you'll be able to
leverage your existing identity already in the cloud. In addition, Azure AD Connect is the recommended tool to
synchronize your on-premises user identities with Microsoft cloud services. If your organization is already using
Office 365, it's important that Intune uses the same Azure Active Directory environment.
You can find more information regarding Intune's identity requirements below.
Learn more about identity requirements.
Learn more about directory synchronization requirements.
Learn more about multi-factor authentication requirements.
User and device groups
User and device groups determine the targets of a deployment. This includes deployment targeting for
policies, applications, and profiles. Intune (cloud-only) supports both user and device groups, so you'll need to determine
which user and device groups will be required. It's recommended that all groups are created in the on-premises
Active Directory, then synchronized to Azure Active Directory. You can find more information about user and
device group planning and creation below.
Learn more about planning your user and device groups.
Learn how to create user and device groups.
Public Key Infrastructure (PKI)
Public Key Infrastructure supplies certificates to devices or users to securely authenticate to a service. Intune
supports a Microsoft PKI infrastructure. Device and user certificates can be issued to a mobile device to satisfy
certificate-based authentication requirements. Before implementing certificates, you need to determine whether
certificates are needed, whether the network infrastructure can support certificate-based authentication, and
whether certificates are currently used in the existing environment.
If you're planning to use certificates with VPN, Wi-Fi, or e-mail profiles with Intune, you need to make sure you
have a supported PKI infrastructure in place, ready to create and deploy certificate profiles.
In addition, if SCEP certificates will be issued, you need to determine which server will host the Network Device
Enrollment Service (NDES) role, and how the communication to it will be routed.
More information about configuring certificates in Intune:
How to configure the certificate infrastructure for SCEP.
How to configure the certificate infrastructure for PFX.
How to configure Intune certificate profiles.
How to configure resource access policies.
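One concrete check worth doing while you answer the NDES questions above is to look at what the NDES server actually advertises to SCEP clients. The first request a SCEP client makes is GetCACaps, and the answer decides which digest and cipher the certificate exchange negotiates. The script below is an added example written for this guide, not Intune or NDES code: the NDES host name is a placeholder, and the GetCACaps response is constructed to resemble a typical reply (no network call is made). The capability keywords and the fallback rules follow RFC 8894.

```python
"""Check what an NDES (SCEP) server advertises before designing SCEP certificate profiles.

Added example for this guide, not Intune or NDES code.  The GetCACaps response
below is constructed to look like a typical NDES reply; no network call is made.
"""
from __future__ import annotations

from urllib.parse import urlencode

# NDES exposes SCEP at this path; the operation is passed as a query parameter
# (RFC 8894 section 4.1: GET <path>?operation=GetCACaps).
NDES_SCEP_PATH = "/certsrv/mscep/mscep.dll"

# Capability keywords from RFC 8894 section 3.5.2, strongest first.  If a CA
# advertises none of the digests the client must fall back to MD5, and if it
# advertises neither AES nor DES3 the client falls back to single DES.
DIGEST_PREFERENCE = ("SHA-512", "SHA-256", "SHA-1")
CIPHER_PREFERENCE = ("AES", "DES3")

# Constructed response; one capability per line, as the RFC requires.
SAMPLE_GETCACAPS_RESPONSE = (
    "AES\nPOSTPKIOperation\nRenewal\nSHA-1\nSHA-256\nDES3\nSCEPStandard\n"
)


def get_cacaps_url(ndes_host: str) -> str:
    """URL a SCEP client fetches first; ndes_host is a placeholder here."""
    return f"https://{ndes_host}{NDES_SCEP_PATH}?{urlencode({'operation': 'GetCACaps'})}"


def parse_cacaps(body: str) -> set[str]:
    """Return the advertised capability keywords; blank lines and whitespace are ignored."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def negotiated_digest(caps: set[str]) -> str:
    """Strongest advertised digest, or the MD5 fallback the RFC prescribes."""
    return next((d for d in DIGEST_PREFERENCE if d in caps), "MD5")


def negotiated_cipher(caps: set[str]) -> str:
    """Strongest advertised cipher, or the single-DES fallback."""
    return next((c for c in CIPHER_PREFERENCE if c in caps), "DES")


def design_findings(body: str) -> list[str]:
    """Findings to record in the PKI section of the design document."""
    caps = parse_cacaps(body)
    findings = []
    if "POSTPKIOperation" not in caps:
        findings.append("PKIOperation must use GET; long CSRs may exceed URL limits")
    if negotiated_digest(caps) not in ("SHA-256", "SHA-512"):
        findings.append(f"weak digest negotiated: {negotiated_digest(caps)}")
    if negotiated_cipher(caps) != "AES":
        findings.append(f"weak cipher negotiated: {negotiated_cipher(caps)}")
    if "Renewal" not in caps:
        findings.append("CA does not support renewal; plan for re-enrollment")
    return findings


if __name__ == "__main__":
    print(get_cacaps_url("ndes.corp.example.com"))
    print(sorted(parse_cacaps(SAMPLE_GETCACAPS_RESPONSE)))
    print(design_findings(SAMPLE_GETCACAPS_RESPONSE) or "no findings")
```

Run it against the real reply body from your NDES server (fetched with any HTTP client) in place of the constructed sample; a server that advertises only SHA-1 and DES3 is a finding to resolve before the SCEP profiles are built, since every device certificate request would be negotiated down to those algorithms.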

Device Platform Considerations


You need to take a closer look at your devices to understand how to manage them correctly.
Determine supported device platforms
Devices
Device ownership
Bulk enrollment
Let's review these areas in more detail.
Determine supported device platforms
You need to know which devices will be in the environment and verify whether Intune supports them
when creating your design. Intune supports iOS, Android, and Windows platforms.
Learn more about Intune Supported Devices.
Devices
Intune manages mobile devices to secure corporate data and allow end users to work from more locations. Intune
supports multiple device platforms, so it's recommended to document the devices and the OS platforms that will
be supported in your organization's design. This expands on the devices and platforms identified in the use case
requirements section.
It's also recommended to record the OS versions, so you can reference the list when checking device capabilities
by OS platform and version. Here's an example:

DEVICE PLATFORM | OS VERSIONS
iOS - iPhone | 9.0+
iOS - iPad | 8.0+
Android Samsung Knox Standard | 4.0+
Windows 10 tablet | 10+

Device ownership
Intune supports both corporate-owned and BYOD ownership. A device is considered corporate-owned if it is enrolled
by a device enrollment manager or through a device enrollment program. As an example, a device could be enrolled via
Apple DEP, marked as corporate, and placed in a device group that receives targeted corporate policies and apps.
Refer to Section 3: Determine use case scenario requirements for more information about corporate and BYOD
use cases.
Bulk enrollment
There are multiple enrollment options available for enrolling a device in Intune to complement the self-service
enrollment through the Company Portal. Bulk enrollment can be accomplished in different ways depending on the
platform. If bulk enrollment will be required, first determine the bulk enrollment method and incorporate it into
your design. Find more information about the different methods of bulk enrollment below.
Learn more about bulk enrollment.

Feature requirements
In these sections, we'll review the following features and capabilities that are aligned with your use case scenario
requirements:
Terms and Conditions Policies
Configuration Policies
Resource Profiles
Apps
Compliance Policy
Conditional Access
Let's review each of these areas in more detail.
Terms and Conditions policies
Terms and conditions can be used to explain policies or conditions that an end user must accept before
enrollment. Intune supports the ability to add and deploy multiple terms and conditions policies to user groups.
You need to determine if terms and conditions policies are needed and, if so, who in the organization will be
responsible for providing this content.
Learn how to create terms and conditions policies in Intune. An example of how to document the terms and
conditions policy is below.

TERMS AND CONDITIONS NAME | USE CASE | TARGETED GROUP
Corporate T&C | Corporate | Corporate users
BYOD T&C | BYOD | BYOD users

Configuration policies
Configuration policies are used to manage security settings and features on a device. When designing your
configuration policies, refer to the use case requirements section to determine the configurations required for
Intune devices. Document which settings are needed and how they should be configured, and also document which
user or device groups they will be targeted to.
You should create at least one configuration policy per platform. You can create multiple configuration policies
per platform if needed. Below is an example of designing four different configuration policies for different
platforms and use case scenarios.

POLICY NAME | DEVICE PLATFORM | SETTINGS | TARGET GROUP
Corporate - iOS | iOS | PIN is required, Length: 6, Restrict Cloud Backup | Corporate devices
Corporate - Android | Android | PIN is required, Length: 6, Restrict Cloud Backup | Corporate devices
BYOD iOS | iOS | PIN is required, Length: 4 | BYOD devices
BYOD Android | Android | PIN is required, Length: 4 | BYOD devices

Profiles
Profiles are used to help the end user connect to company data. Intune supports many types of profiles. Refer to
the use cases and requirements to determine which profiles will be configured. All device profiles are
categorized per platform type, and should be included in the design documentation.
Certificate profiles
Wi-Fi profile
VPN profile
Email profile
Let's review each type of profile in more detail.
Certificate profiles

Certificate profiles allow Intune to issue a certificate to a user or device. Intune supports the following:
Simple Certificate Enrollment Protocol (SCEP)
Trusted Root Certificate
PFX certificate
It's recommended to document which user groups need a certificate, how many certificate profiles will be needed,
and which user groups to deploy them to.

NOTE
Remember that the trusted root certificate is required for the SCEP certificate, so make sure all users targeted for the SCEP
certificate also receive a trusted root certificate. If SCEP certificates are needed, design and document what SCEP certificate
templates will be needed.

Here's an example of how you can document the certificates during the design:
TYPE | PROFILE NAME | DEVICE PLATFORM | USE CASES
Root CA | Corporate Root CA | Android, iOS, Windows Mobile | Corporate, BYOD
SCEP | User Certificate | Android, iOS, Windows Mobile | Corporate, BYOD

Wi-Fi profile

Wi-Fi profiles are used to automatically connect a mobile device to a wireless network. Intune supports deploying
Wi-Fi profiles to all supported platforms.
Learn more about how Intune supports Wi-Fi profiles.
Below is an example of a design for a Wi-Fi profile:

TYPE | PROFILE NAME | DEVICE PLATFORM | USE CASES
Wi-Fi | Asia Wi-Fi profile | Android | Corporate, BYOD, Asia region
Wi-Fi | North America Wi-Fi profile | Android, iOS, Windows 10 Mobile | Corporate, BYOD, North America region

VPN profile

VPN profiles let users securely access your network from remote locations. Intune supports VPN profiles for
native mobile VPN connections and third-party vendors.
Learn more about VPN profiles and vendors supported by Intune.
Below is an example of documenting the design of a VPN profile.

TYPE | PROFILE NAME | DEVICE PLATFORM | USE CASES
VPN | Cisco AnyConnect VPN profile | Android, iOS, Windows 10 Mobile | Corporate, BYOD, North America and Germany
VPN | Pulse Secure | Android | Corporate, BYOD, Asia region

Email profile

Email profiles allow an email client to be set up automatically with connection information and email
configuration. Intune supports email profiles on some devices.
Learn more about email profiles and what platforms are supported.
Below is an example of documenting the design of email profiles:

TYPE | PROFILE NAME | DEVICE PLATFORM | USE CASES
Email profile | iOS email profile | iOS | Corporate information worker, BYOD
Email profile | Android Knox email profile | Android Knox | BYOD

Apps
Intune supports delivering apps to users or devices in multiple ways. The type of application delivered could be
software installer apps, apps from a public app store, external links, or managed iOS apps. In addition to individual
app deployments, volume-purchased apps can be managed and deployed through the volume-purchase programs
for iOS and Windows. Below is more information about how Intune supports apps and the volume purchase
programs.
Learn more about types of apps.
Learn more about iOS Volume Purchase Program for Business (VPP).
Learn more about Windows Store for Business.
App type requirements
Since apps can be deployed to users and devices, it's recommended to decide which applications will be managed
by Intune. While gathering the list, try to answer the following questions:
Do the apps require integration with cloud services?
Will all apps be available to BYOD users?
What are the deployment options available for these apps?
Does your company need to provide access to Software as a service (SaaS) apps data for their partners?
Do the apps require internet access from users devices?
Are the apps publicly available in an app store, or are they custom Line of Business Apps?

TIP
Check out the different types of applications that Intune supports.

App protection policies


App protection policies minimize data loss by defining how the application handles corporate data. Intune
supports app protection policies for any application built to work with mobile app management. When
designing the app protection policy, you need to determine what restrictions you will place on corporate data in a
given app. It's recommended to review how app protection policies work. Below is an example of how to document
the existing applications and what protection is needed.

APPLICATION | PURPOSE | PLATFORMS | USE CASE | APP PROTECTION POLICY
Outlook mobile | Available | iOS | Corporate - Executives | Cannot be jailbroken, encrypt files
Word | Available | iOS, Android - Samsung Knox, non-Knox, Windows 10 Mobile | Corporate, BYOD | Cannot be jailbroken, encrypt files

Compliance policies
Compliance policies determine whether a device conforms to certain requirements. Intune uses compliance
policies to determine if a device is considered compliant or non-compliant. The compliance status can then be used
to restrict access to company resources. If conditional access is required, it is recommended to design a device
compliance policy. Refer to requirements and use cases to determine how many device compliance policies are
needed and which user groups are the targets. Additionally, you need to determine how long a device
can be offline without checking in before it's considered non-compliant.
Below is an example of how to design a compliance policy:
POLICY NAME | DEVICE PLATFORM | SETTINGS | TARGET GROUP
Compliance policy | iOS, Android - Samsung Knox, non-Knox, Windows 10 Mobile | PIN required, cannot be jailbroken | Corporate, BYOD

Conditional access policies


Conditional Access is used to allow only compliant devices to access company resources. Intune works with the
entire Enterprise Mobility + Security (EMS) suite to control access to company resources. You'll need to determine if
conditional access is required, and what must be secured.
Learn more about Conditional Access.
For online access, determine which platforms and user groups will be targeted by conditional access policies.
Additionally, you need to determine whether you need to install and configure the Intune service-to-service connector
for Exchange Online or the on-premises connector for Exchange on-premises.
Learn more about how to install and configure the Intune connectors:
Exchange Online
Exchange On-premises
Here's an example of how to document conditional access policies:

SERVICE | PLATFORMS FOR MODERN AUTHENTICATION | BASIC AUTHENTICATION | USE CASES
Exchange Online | iOS, Android | Block non-compliant devices on platforms supported by Intune | Corporate, BYOD
SharePoint Online | iOS, Android | | Corporate, BYOD

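The compliance and conditional access sections above describe a two-step decision: the compliance policy turns a device's reported state into compliant or non-compliant, and the conditional access policy turns that verdict into allow or block for the platforms it targets. The script below is an added example written for this guide, not Intune's own evaluation logic. The policy values follow the planning tables (PIN required, no jailbreak, the minimum OS versions from the device platform table, and an offline check-in window); the device records, the 30-day window and the fixed clock are constructed. It also makes the targeting gap visible: a non-compliant Windows 10 Mobile device is allowed through simply because the conditional access policy lists only iOS and Android.

```python
"""Model of how compliance-policy evaluation feeds a conditional access decision.

Added example for this guide, not Intune's own evaluation code.  Policy values
come from the planning tables in this guide; the device records, the 30-day
offline window and the fixed clock are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fixed "now" so the offline check-in window is deterministic.
NOW = datetime(2017, 6, 19, tzinfo=timezone.utc)


@dataclass
class CompliancePolicy:
    name: str
    platforms: set[str]                       # platforms the policy is assigned to
    pin_required: bool = True
    pin_min_length: int = 4
    block_jailbroken: bool = True
    min_os_version: dict[str, str] = field(default_factory=dict)  # platform -> "9.0"
    max_days_without_checkin: int = 30        # how long a device may stay offline


@dataclass
class Device:
    device_id: str
    platform: str                             # "iOS", "Android", "Windows 10 Mobile"
    os_version: str
    enrolled: bool
    pin_set: bool
    pin_length: int
    jailbroken: bool
    last_checkin: datetime


def version_key(version: str) -> tuple[int, ...]:
    """'10.3.2' -> (10, 3, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def compliance_failures(device: Device, policy: CompliancePolicy) -> list[str]:
    """Return the policy checks the device fails; an empty list means compliant."""
    if device.platform not in policy.platforms:
        return ["policy_not_assigned"]
    failures = []
    if policy.pin_required and not device.pin_set:
        failures.append("pin_required")
    elif policy.pin_required and device.pin_length < policy.pin_min_length:
        failures.append("pin_too_short")
    if policy.block_jailbroken and device.jailbroken:
        failures.append("jailbroken")
    minimum = policy.min_os_version.get(device.platform)
    if minimum and version_key(device.os_version) < version_key(minimum):
        failures.append("os_version_below_minimum")
    if NOW - device.last_checkin > timedelta(days=policy.max_days_without_checkin):
        failures.append("stale_checkin")
    return failures


def conditional_access(device: Device, policy: CompliancePolicy, ca_platforms: set[str]) -> str:
    """Decision for a conditional access policy that blocks non-compliant devices on
    the listed platforms.  A platform that is not targeted is never evaluated, which
    is the gap the planning table's platform column is meant to expose."""
    if device.platform not in ca_platforms:
        return "allow:platform_not_targeted"
    if not device.enrolled:
        return "block:enrollment_required"
    failures = compliance_failures(device, policy)
    return "allow" if not failures else "block:" + ",".join(failures)


# Policy and targeting taken from the design tables in this guide.
CORPORATE_BYOD_POLICY = CompliancePolicy(
    name="Compliance policy",
    platforms={"iOS", "Android", "Windows 10 Mobile"},
    pin_min_length=4,
    min_os_version={"iOS": "9.0", "Android": "4.0", "Windows 10 Mobile": "10.0"},
)
EXCHANGE_ONLINE_CA_PLATFORMS = {"iOS", "Android"}

# Constructed device records (id, platform, os, enrolled, pin_set, pin_len, jailbroken, last check-in).
SAMPLE_DEVICES = [
    Device("iphone-01", "iOS", "10.3.2", True, True, 6, False, NOW - timedelta(days=2)),
    Device("android-07", "Android", "4.4", True, False, 0, True, NOW - timedelta(days=45)),
    Device("ipad-03", "iOS", "8.4", True, True, 4, False, NOW - timedelta(days=1)),
    Device("lumia-12", "Windows 10 Mobile", "10.0", True, False, 0, False, NOW),
    Device("pixel-02", "Android", "7.1", False, True, 6, False, NOW),
]


def decisions(devices=SAMPLE_DEVICES) -> dict[str, str]:
    """Conditional access outcome per device for the Exchange Online policy."""
    return {d.device_id: conditional_access(d, CORPORATE_BYOD_POLICY, EXCHANGE_ONLINE_CA_PLATFORMS)
            for d in devices}


if __name__ == "__main__":
    for device_id, decision in decisions().items():
        print(f"{device_id:12} {decision}")
```

Two design points carry over to the real configuration: OS versions must be compared numerically (a string comparison puts "10.3.2" before "9.0"), and the offline window has to be chosen deliberately, because a device that simply stops checking in otherwise keeps whatever compliance state it last reported.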
Next Section
The next section provides guidance on the Intune implementation process.
Intune implementation
6/19/2017 5 min to read Edit Online

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

During the onboarding phase, you'll implement Intune into your production environment. The implementation
process consists of setting up and configuring Intune and its external dependencies (if required), based on the
use case requirements that were reviewed in previous sections of this guide.
The following section provides an overview of the Intune implementation process that includes requirements and
high-level tasks.

TIP
Check Additional resources for more information about the Intune implementation process.

Intune requirements
The main Intune standalone requirements are provided below:
EMS/Intune subscription
Office 365 subscription (for Office apps and MAM policy managed apps)
Apple APNs certificate (to enable iOS device platform management)
Azure AD Connect (for directory synchronization)
Intune on-premises connector for Exchange (for conditional access with Exchange on-premises, if needed)
Intune Certificate Connector (for SCEP certificate deployment, if needed)

TIP
You can find more information about Intune standalone requirements here.

Intune implementation process


Overview of implementation tasks
Here's an overview of each task when implementing Intune.
Task 1: Add Intune subscription
As identified in the previous requirements section, an EMS or Intune subscription is required. If your organization
does not have an EMS or Intune subscription, please contact Microsoft or your Microsoft Account Team regarding
your interest in purchasing Enterprise Mobility + Security (EMS) or Intune.
Learn more about how to buy Microsoft Intune.
Task 2: Add Office 365 subscription
This step is optional. As identified in the previous requirements section, an Office 365 subscription is required if
you plan to use Exchange Online and manage Office mobile apps with MAM policy. If your organization does not
have an Office 365 subscription, please contact Microsoft or your Microsoft account team regarding your interest
in purchasing Office 365.
Learn more about how to buy Office 365.
Task 3: Add users and groups in Azure AD
You may need to add users or security groups in AD or Azure AD based on your Intune deployment use case scenarios
and requirements. You should review your current users and security groups in Active Directory or Azure Active
Directory and determine if they fully meet your needs. New users and security groups are most commonly added
in Active Directory and synchronized into Azure Active Directory via Azure AD Connect.
Learn more about how to add users/groups in Intune.
Task 4: Assign Intune and Office 365 user licenses
All users that will be targeted for EMS/Intune and Office 365 rollout will need to have a license assigned to them.
EMS/Intune and Office 365 license assignment can be done in the Office 365 Admin Center Portal.
Learn more about how to assign Intune licenses.
Task 5: Set Mobile Device Management Authority to Intune
Before you can begin to set up, configure, manage and enroll devices using Intune, you must set the Device
Management Authority to Intune. Setting the Device Management Authority task is completed in the Intune Admin
Portal, Admin workspace.
Learn more about how to set the Device Management Authority.
Task 6: Enable device platforms
By default, in the Intune admin console, most device platforms are enabled, except for Apple devices (iOS and Mac).
Before iOS devices can be enrolled and managed in Intune, the device platform must be enabled. Enabling the iOS
device platform is a three-step process: download the certificate signing request from Intune, use it to create the
APNs certificate in the Apple Push Certificates Portal, and upload the APNs certificate into Intune.
Learn more about how the iOS and Mac device management setup works.
Task 7: Add and deploy terms and conditions policies
Microsoft Intune supports adding and deploying terms and conditions policies. Adding and deploying terms and
conditions policies are completed in the Intune Admin Portal, Policy workspace. Add terms and conditions policies
as appropriate and deploy to targeted groups based on your Intune deployment use cases and requirements.
Learn more about how to add and deploy terms and condition policies.
Task 8: Add and deploy configuration policies
Microsoft Intune supports adding and deploying two types of Configuration policies, General and Custom. Adding
and deploying Configuration policies are completed in the Intune Admin Portal, Policy workspace. Add the
Configuration policies as appropriate and deploy to targeted groups based on your Intune deployment use cases
and requirements.
Learn more about how to add and deploy configuration policies.
Task 9: Add and deploy resource profiles
Microsoft Intune supports Email, Wi-Fi and VPN profiles. Adding and deploying profiles are completed in the
Intune Admin Portal, Policy workspace. Add Email/Wi-Fi/VPN profiles as appropriate and deploy to targeted
groups based on your Intune deployment use cases and requirements.
Learn more about enable access to company resources with Intune.
Task 10: Add and deploy apps
Microsoft Intune supports the deployment of web, LOB and public store apps. In addition, apps that have
integrated the Intune SDK can be managed by associating them with MAM policies. Adding and deploying apps
are completed in the Intune Admin Portal, App workspace. Adding MAM policies is completed in the Intune
Admin Portal, Policy workspace. Add apps as appropriate and deploy to targeted groups based on your Intune
deployment use cases and requirements.
Learn more about add and deploy applications.
Task 11: Add and deploy compliance policies
Microsoft Intune supports Compliance policies. Adding and deploying Compliance policies are completed in the
Intune Admin Portal, Policy workspace. Add Compliance policies as appropriate and deploy to targeted groups
based on your Intune deployment use cases and requirements.
Learn more about compliance policies.
Task 12: Enable Conditional Access Policies
Microsoft Intune supports Conditional Access for Exchange Online and On-premises, SharePoint Online, Skype for
Business Online and Dynamics CRM Online. You enable Conditional Access policies in the Intune Admin Portal,
Policy workspace. Enable and configure Conditional Access as appropriate based on your Intune deployment use
cases and requirements.
Learn more about conditional access.
Task 13: Enroll devices
Intune supports iOS, macOS, Android, Windows desktop and Windows Mobile device platforms. Enroll device
platforms as appropriate, based on your Intune deployment use cases and requirements.
Learn more about how to enroll devices.

TIP
Check out this Microsoft Virtual Academy Intune session module for more information on the Intune implementation
process.

Next Section
The next section provides guidance on testing and validating your Intune deployment.
Intune testing and validation
6/19/2017

The testing phase runs during and after the implementation phase. You will need test accounts,
groups, and devices for testing all required IT (admin) and end user (use case) scenarios previously identified.
It's recommended to involve your IT support/helpdesk staff in the testing phase so that support
documentation is created, and the IT support/helpdesk staff become comfortable supporting the product. If a
component or scenario does not function as described in the use cases, make sure to document the necessary changes
and include the reason each change was made.

Before you begin


It's recommended to document the following:
Test criteria: Identifies the benchmarks to be measured against.
Design components: Each must appear in at least one test criterion.
If a design component does not appear in at least one test criterion that aligns to a requirement or scenario, consider
whether the design component is required at all. In addition, make sure to have the following items:
Accounts: The accounts used in testing should be test accounts that are licensed for EMS and Office 365 to
test all use case scenarios.
Devices: The devices used at this point should be test devices that can be wiped or reset to
factory defaults.
Integration components: All integration components (Certificate Connector, Intune service-to-service
connector for hosted Exchange, and Intune on-premises Exchange connector) should be installed and
configured if needed.
Design changes could be needed to accommodate unforeseen difficulties. All design changes should be
fully documented with the reason for each change. Here's an example to illustrate what a change could be:
You might realize that you don't meet the requirements of Network Device Enrollment Service (NDES), and you
also learn that the VPN and Wi-Fi profiles can be configured with a root CA satisfying the same requirements
without an NDES implementation.
You might experience challenges or issues that require technical guidance, or specialized troubleshooting during
the testing and validation process. It's recommended to seek assistance through the Microsoft support channels.
Learn how to get Intune support
General troubleshooting tips for Microsoft Intune.
Learn how to get support for Microsoft Intune.
Contact assisted phone support for Microsoft Intune
Functional validation testing
Functional validation consists of testing each component and configuration to determine if it is working correctly.
An example of validation testing is in the table below.

Use case validation testing


Use case validation testing should be performed to verify the scenarios are complete and functional. There are two
types of use case scenarios, IT admin and end user.
IT Admin
IT Admin validation testing should be performed to validate that Administrative action performed on a device or
user functions correctly. Below is an example of an IT admin end to end validation scenario.

End user
End user validation testing should be performed to validate that the end user experience is as expected and
presented correctly in all user communications. It is important to validate the end user experience is correct as
failure to validate can lead to lower adoption rates and higher volume of helpdesk calls.
Next Steps
Now that you have tested and validated your Intune functional and use case scenarios, you're ready for your
Intune production rollout. Refer to Additional resources for more information.
Additional resources for planning your Intune
deployment
6/19/2017

Templates
Microsoft Excel templates for the tables used in the planning guide are available for download.
Here's a list of table templates for each section.

DEPLOYMENT PLANNING | DESIGN & IMPLEMENTATION | TEST & VALIDATION
Deployment goals | Current environment | Functional validation testing
Deployment objectives | Devices | IT admin scenario validation testing
Deployment challenges | Terms & conditions | End-user scenario validation testing
Use-case scenarios | Configuration policy |
Use-case scenario requirements | Certificate profile |
Rollout plan | Wi-Fi profile |
Rollout communication plan | VPN profile |
| Email profile |
| Applications |
| Compliance policy |
| Conditional access policy |

Links
Check out these resources for additional information that may be helpful during the Intune deployment planning,
design, and implementation process.
Microsoft Intune documentation - The full set of Intune documentation.
Intune blog - Posts to help you understand how Intune fits into the larger Enterprise Mobility picture.
Microsoft Trust Center - Learn Microsoft's approach to security, privacy, compliance, and transparency in all
Microsoft cloud products and services.
Intune User Voice - Want to request a feature or vote with other customers for features? Provide feedback
on Intune through User Voice. We're listening.
Enrollment guide - A set of docs you can use as is or modify as part of your communication plan with your
end users to help them understand what it means to have their personal device enrolled in Intune.
Intune migration guide
6/19/2017

A successful migration to Intune starts with a solid plan that factors in the current mobile device management
(MDM) environment, business goals and technical requirements. Additionally, you need to identify the key
stakeholders who will support and collaborate on your migration plan.
The purpose of this guide is to step you through the various details involved in migrating from a third-party MDM
provider to Intune.

Whats included in this guide?


This guide includes two phases, both of which include tasks, strategies, and tactical guidance that will help you step
through the end to end process of migrating to Intune MDM.
Phase 1: Prepare Intune for Mobile device management
Assess your MDM migration requirements
Basic setup
Configure device and app management policies
Configure app protection policies
Special migration considerations
Phase 2: Migration campaign
Communication Plan
Drive end-user adoption with conditional access
Typical Migration Cycle
Monitoring migration
Post migration
Assumptions
You've already evaluated Intune in a proof of concept (PoC) environment, and have decided to use it as the
MDM solution in your organization.
You are already familiar with Intune and its features.

NOTE
Check out the Intune evaluation guide, if you want to get more familiar with Intune before you migrate.

Before you begin


It's important to recognize that your new Intune deployment might be different from your old MDM deployment.
Unlike traditional MDM services, Intune centers on identity-driven access control, and so does not require a
network proxy appliance to control access to corporate data from mobile devices outside the organization's
network perimeter. Microsoft offers solutions to secure data services within the cloud itself via a suite of tightly
integrated cloud services, collectively referred to as the Enterprise Mobility + Security (EMS) offering.
Review the common ways to use Intune.

Next steps
Phase 1: Prepare Intune for mobile device management
Phase 1: Prepare Intune for mobile device
management (MDM)
6/19/2017

Before diving into the details of setting up Intune, let's review the mobile device management requirements of
your organization. It might be helpful to run reports of active users in your current MDM provider to identify the
critical user groups; then you can begin addressing the questions under the Assess MDM requirements section.

Assess MDM requirements


What kinds of devices do you need to manage?
Which platforms do you need to support?
Are the devices you need to support corporate or BYOD?
What kind of connectivity is used? Wi-Fi, cellular, VPN?
What do your users need to do on managed devices?
Do you need to provision apps to your end-users?
Do you use custom line-of-business apps? Or do you only need public store apps?
Do you need to provision email accounts?
What kinds of users?
How many users will use a single device?
What Terms of Use do you need?
Make sure to involve your legal department early in this.
What localization is required?
Are the users familiar with technology and IT in general?
What is your device security policy?
Do you need device-level encryption?
Device passcode/pin code lengths?
Do you need to disable device features, or restrict certain device behaviors?
You can control a variety of platform-specific settings with device configuration profiles, for example:
Disable camera, Lock to single-app mode.
What kinds of authentication must you support?
If you need cert-based authentication, what kinds of certificates must be provisioned?
Intune can provision certificates with resource access profiles for enrolled devices.
What kind of Public Key Infrastructure (PKI) do you need to support?
Do you need to support Virtual Private Network (VPN) at the device or app level?
Intune can provision VPN configurations for third-party VPN providers.
Can temporary exceptions be made for certain requirements to avoid down time? Or must devices with access
always comply with all security requirements?

Additional information
For more detailed examples, review these case studies from different industry sectors to see how organizations
assessed their requirements for mobile device management.

Next steps
Basic Setup
Basic setup
6/19/2017

After you assess your environment, it's time to set up Intune.

External dependencies for an Intune deployment


Identity
Intune requires Azure Active Directory (AAD) as the identity and user grouping provider.
Learn more about identity requirements.
Learn more about directory synchronization requirements.
Learn more about multi-factor authentication requirements.
Learn more about planning your user and device groups.
Learn how to create user and device groups.
If your organization is already using Office 365, its important that Intune uses the same Azure Active Directory
environment.
PKI (optional)
If you're planning to use certificate-based authentication for VPN, Wi-Fi, or e-mail profiles with Intune, you'll need
to make sure that you have a supported PKI infrastructure in place, ready to create and deploy certificate profiles.
More information about configuring certificates in Intune is below.
How to configure the certificate infrastructure for SCEP.
How to configure the certificate infrastructure for PFX.

Task list for an Intune Setup


Task 1: Intune subscription
Before you can migrate to Intune, you first need an Intune subscription.
You can visit this page, which gives you instructions on how to:
Create a new Intune subscription linked to a new AAD tenant.
Link the Intune subscription by signing into an existing AAD tenant.
Task 2: Assign Intune user licenses
Learn how to assign Intune user licenses.
If you have created a new Azure Active Directory tenant, learn how to create new users or sync users from
your on-premises Active Directory (AD).
Task 3: Set your MDM authority to Intune
Intune can be managed through the Azure portal or through the Configuration Manager Current Branch console. Unless
you need to integrate Intune with a Configuration Manager Current Branch deployment, it is recommended that you
manage Intune from the Azure portal.
Set your MDM authority to Intune to enable the Intune Azure portal. Choosing a different MDM authority transfers
MDM management to an alternate Microsoft management console (Configuration Manager); these cases are uncommon.

IMPORTANT
If you are transferring your mobile device management to Intune for the first time, you should set the MDM authority to
Intune.

Learn how to set the mobile management authority.

Next step
Configure device and app management policies
Configure device compliance and app management policies
6/19/2017

The main goal when migrating to Intune is to have all devices enrolled and compliant with its policies. Device
policies help you manage not only corporate-owned single-user devices, but also personal (BYOD) devices and shared
devices such as kiosks, point-of-sale machines, tablets shared by multiple students in a classroom, and user-less
devices (iOS only).
Each device platform may offer different settings, but Intune device policies work with each platform by
providing the following mobile device management capabilities:
Limit the number of devices each user can enroll.
Manage device settings (for example, device-level encryption, password length, and camera usage).
Deliver apps, email profiles, VPN profiles, and so on.
Evaluate device-level criteria for security compliance policies.

IMPORTANT
Device management policies are not assigned directly to individual devices or users; they are assigned to groups. A
policy assigned to a user group applies to that user's devices, and a policy assigned to a device group applies to the
devices that are members of the group.

Task list for device compliance policies


Task 1: Add device groups (optional)
You can create device groups when you need to perform administrative tasks based on device identity instead of
user identity.
Device groups are useful for managing devices without dedicated users, such as kiosk devices, devices shared by
shift workers, or devices assigned to a specific location.
By configuring device groups ahead of device enrollment, you can use device categories to group devices automatically
at enrollment, so they receive their group's device policies without manual assignment. Get started with groups.
Task 2: Use resource access profiles (Wi-Fi, VPN, and email certificates)
Resource access profiles provision certificates and access configurations to enrolled devices.
As previously discussed in the Assess MDM requirements section, if you are using certificate-based authentication,
configure certificates.
Task 3: Create and deploy device configuration profiles
You need to create a device configuration profile to enforce device-level settings, for example disabling the camera
or the app store, or configuring single-app mode or the home screen.
Learn about device profiles.
Direct import of iOS configuration profiles (optional)
Apple Configurator iOS Profiles (iOS 7.1 and later): If your existing MDM solution uses Apple
Configurator profiles (.mobileconfig files), Intune can directly import them as custom configuration policies.
iOS Mobile Application Configuration policies: If your existing MDM solution uses iOS Mobile
Application Configuration policies, Intune can directly import them as long as they meet the XML format
specified by Apple for property lists.
Learn how to add a custom policy for iOS
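
Before importing an existing .mobileconfig as a custom iOS policy, it is worth checking that the file is the well-formed property list Apple specifies, and that it does not carry anything you would rather not ship to every enrolled device. The following Python is an added example, not code from this page or from Intune: it uses the standard library's plistlib, checks the four Payload* keys Apple requires on the profile and on every embedded payload, rejects a PayloadUUID reused between payloads, and warns when a payload contains a clear-text secret such as a Wi-Fi password (the "Password" key is the one the Wi-Fi payload uses; treating it as the only secret key is this example's assumption). The sample profile is constructed for the example.

```python
import plistlib
import uuid

# Keys Apple requires on the top-level profile and on every embedded payload.
REQUIRED_PAYLOAD_KEYS = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")
# Keys whose presence means the profile carries a secret in clear text. "Password" is the
# key the Wi-Fi payload uses; extend this tuple for other payload types you import (assumption).
PLAINTEXT_SECRET_KEYS = ("Password",)

# Constructed sample: a Wi-Fi profile of the kind Apple Configurator exports (not a real network).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.profile.wifi</string>
  <key>PayloadUUID</key><string>7f0c3a10-2b4e-4d2c-9a4e-1d7c2f2c1a01</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>Corp Wi-Fi</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>com.example.profile.wifi.1</string>
      <key>PayloadUUID</key><string>7f0c3a10-2b4e-4d2c-9a4e-1d7c2f2c1a02</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>SSID_STR</key><string>CorpWiFi</string>
      <key>EncryptionType</key><string>WPA</string>
      <key>Password</key><string>not-a-real-psk</string>
    </dict>
  </array>
</dict>
</plist>
"""


def _check_payload(payload, where, seen_uuids, errors, warnings):
    if not isinstance(payload, dict):
        errors.append(f"{where}: payload is not a dictionary")
        return
    for key in REQUIRED_PAYLOAD_KEYS:
        if key not in payload:
            errors.append(f"{where}: missing required key {key}")
    if "PayloadVersion" in payload and not isinstance(payload["PayloadVersion"], int):
        errors.append(f"{where}: PayloadVersion must be an integer")
    raw_uuid = payload.get("PayloadUUID")
    if raw_uuid is not None:
        try:
            canonical = str(uuid.UUID(str(raw_uuid)))
        except ValueError:
            errors.append(f"{where}: PayloadUUID {raw_uuid!r} is not a UUID")
        else:
            if canonical in seen_uuids:
                errors.append(f"{where}: PayloadUUID {canonical} is reused; every payload needs its own")
            seen_uuids.add(canonical)
    for key in PLAINTEXT_SECRET_KEYS:
        if key in payload:
            warnings.append(f"{where}: contains a plaintext {key}; anyone who can read the profile can read it")


def validate_mobileconfig(data: bytes) -> dict:
    """Parse an XML .mobileconfig and return {'errors': [...], 'warnings': [...]}.

    An empty 'errors' list means the file is a property list with the structure Apple
    specifies for configuration profiles; warnings flag content worth reviewing before import.
    """
    errors, warnings = [], []
    try:
        profile = plistlib.loads(data)
    except Exception as exc:  # plistlib raises several exception types for bad input
        return {"errors": [f"not a valid property list: {exc}"], "warnings": warnings}
    if not isinstance(profile, dict):
        return {"errors": ["top-level plist object is not a dictionary"], "warnings": warnings}
    seen = set()
    _check_payload(profile, "profile", seen, errors, warnings)
    if profile.get("PayloadType") != "Configuration":
        errors.append("profile: top-level PayloadType must be 'Configuration'")
    content = profile.get("PayloadContent")
    if not isinstance(content, list) or not content:
        errors.append("profile: PayloadContent must be a non-empty array of payloads")
    else:
        for index, payload in enumerate(content):
            _check_payload(payload, f"PayloadContent[{index}]", seen, errors, warnings)
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    result = validate_mobileconfig(SAMPLE_PROFILE)
    print("errors:", result["errors"])
    print("warnings:", result["warnings"])
```

Run it over each exported profile before uploading; a profile that passes structurally but raises the plaintext-secret warning is one to replace with a certificate-based (SCEP or PFX) profile rather than import as-is.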
Task 4: Create and deploy device compliance policies (optional)
Device compliance policies evaluate security-oriented settings and provide reporting that shows whether devices
are compliant with corporate standards. Device compliance policies evaluate security-oriented factors such as:
PIN length
Jail-broken status
OS Version
See additional resources for device compliance settings:
Learn about device compliance policies.
Learn how to create a device compliance policy.
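
As an added example (not part of this page or of Intune), here is how the three factors above are evaluated in Python over a constructed set of iOS device records. The detail worth seeing is the OS version check: versions have to be compared numerically, because comparing them as strings ranks "9.3" above "10.3.1". The exception_until field models the "temporary exceptions to avoid downtime" question from the assessment section; the rule that an exception never covers a jailbroken device is this example's own choice, not an Intune behaviour.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.3.1' -> (10, 3, 1). A component such as '0b2' keeps only its leading digits."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(actual: str, minimum: str) -> bool:
    """Numeric comparison. Comparing the strings directly ranks '9.3' above '10.3.1'."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    return a + (0,) * (width - len(a)) >= m + (0,) * (width - len(m))


@dataclass
class CompliancePolicy:
    """One policy per platform, as in Intune; the values used below are constructed."""
    min_os_version: str
    min_pin_length: int
    block_jailbroken: bool = True


@dataclass
class Device:
    name: str
    os_version: str
    pin_length: int                          # 0 means no PIN is set
    jailbroken: bool
    exception_until: Optional[date] = None   # time-boxed exception granted by the admin, if any


def evaluate(device: Device, policy: CompliancePolicy, today: date) -> Tuple[bool, List[str]]:
    """Return (compliant, reasons); reasons is empty when every check passes."""
    reasons = []
    if policy.block_jailbroken and device.jailbroken:
        reasons.append("device is jailbroken or rooted")
    if device.pin_length < policy.min_pin_length:
        reasons.append(f"PIN length {device.pin_length} is below the required {policy.min_pin_length}")
    if not version_at_least(device.os_version, policy.min_os_version):
        reasons.append(f"OS {device.os_version} is older than the required {policy.min_os_version}")
    # An exception buys time for things the user can fix (set a PIN, update the OS). This
    # example's own rule: it never covers a compromised device.
    exception_active = device.exception_until is not None and today <= device.exception_until
    if reasons and exception_active and not device.jailbroken:
        return True, [f"within exception until {device.exception_until.isoformat()}: " + "; ".join(reasons)]
    return not reasons, reasons


def compliance_report(devices: List[Device], policy: CompliancePolicy, today: date) -> dict:
    return {d.name: evaluate(d, policy, today) for d in devices}


# Constructed iOS fleet for the example.
POLICY = CompliancePolicy(min_os_version="10.3", min_pin_length=6)
FLEET = [
    Device("ipad-lab-01", "10.3.1", 6, False),
    Device("iphone-old", "9.3.5", 6, False),
    Device("iphone-jb", "10.3.1", 8, True, exception_until=date(2017, 7, 31)),
    Device("iphone-nopin", "10.3", 0, False, exception_until=date(2017, 7, 31)),
]

if __name__ == "__main__":
    for name, (ok, why) in compliance_report(FLEET, POLICY, date(2017, 7, 1)).items():
        print(f"{name}: {'compliant' if ok else 'NOT compliant'} {why}")
```

The reasons list is what you want surfaced in reporting: a bare compliant/non-compliant flag tells the help desk nothing about which setting the user has to fix.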
Task 5: Publish and deploy Apps
When using Intune MDM, you can provision apps by either requiring their automatic installation, or making them
available in the Company Portal.
Learn how to add apps.
Learn how to deploy apps.
Task 6: Enable device enrollment
Enrollment establishes management by provisioning control on the device. Learn how to get ready to enroll
corporate-owned devices and users' personal devices.

Next steps
Configure App Protection Policies (optional)
Configure app protection policies (optional)
6/19/2017

App protection policies let you encrypt app data, require a PIN when the app is accessed, block apps from running
on jailbroken or rooted devices, and apply many other protections. If a user's phone is lost or stolen, mobile app
protection policies let you selectively wipe the corporate data remotely while leaving the personal data intact.
App protection policies apply security at the app level and do not require device enrollment. They can be used
whether or not a device is enrolled in Intune, including devices enrolled with a third-party MDM provider.

App protection policies with LOB apps


You can also extend mobile app protection policies to your line-of-business (LOB) apps by using the
Microsoft Intune App SDK or the Microsoft Intune App Wrapping Tool for both the iOS and Android platforms.

How do app protection policies help during migration?


Migration requires removing devices from the old MDM provider and enrolling them in Intune. Plan for this, and
encourage your end users to leave the old MDM provider and immediately enroll in Intune.
During the migration, however, some users will delay completing the enrollment process, leaving their devices
managed by neither MDM provider.
This period leaves your organization more exposed to device theft and corporate data loss if access to corporate
resources is still allowed, or to lost user productivity if that access is blocked.
App protection policies let Intune protect corporate data during the migration, so you keep security coverage for
your corporate data even while there is no device-level management.
As you disable conditional access in the old MDM provider, users can stay productive while you onboard them
into Intune.

Task list for app protection policies


1. Create an app protection policy
2. Deploy a policy

Next steps
Special migration considerations
Special migration considerations
6/19/2017

There are special migration considerations which may be applicable depending on your existing MDM provider
environment.

Factory reset for Apple's Device Enrollment Program (DEP)


The Apple Device Enrollment Program (DEP) sets device configurations that cannot be removed by the end user. To
retain the advanced management features of DEP, the device must be returned to the out-of-box (new) state via
factory reset to enroll to Intune.
To continue using DEP to manage the devices in Intune, set up iOS device enrollment with Device Enrollment
Program.

Next steps
Phase 2: Migration campaign
Phase 2: Migration Campaign
6/19/2017

Organizations should choose the migration approach that best suits their needs and adjust implementation
tactics to their specific requirements. The remainder of this guide equips you with the tools you need to
get your users' devices enrolled in Intune.

Keys to a successful migration


These are the key lessons learned when migrating from a third-party MDM provider to Intune:
Communication is key to minimizing end-user downtime and keeping users satisfied.
Give specific and concrete migration instructions.
All managed devices must be un-enrolled from your existing MDM provider before they enroll in Intune.
Provide end users with the existing MDM provider's guidance on how to un-enroll their devices.
Use a phased approach. Start with a small group of pilot users and incrementally add more groups of users
until you reach full-scale deployment.
Monitor the Help desk load and the enrollment success of each cycle. Leave time in the schedule to evaluate the
success criteria for each group before migrating the next. Your pilot deployment should
validate the following:
Enrollment success and failure rates are within expectations.
User productivity:
Corporate resources such as VPN, Wi-Fi, email, and certificates are working.
Provisioned apps are accessible.
Data security:
Compliance reporting
Mobile app protections are enforced.
When you are satisfied with the first phase of migration, repeat the migration cycle (described below
under Typical migration cycle) for the next phase.
Repeat phased cycles until all users are migrated to Intune.
Ensure the Help desk team is ready to support end users throughout the migration campaign. Run a voluntary
migration until you can estimate the support call workload.
Don't set deadlines for enrollment until the remaining population can be handled by your Help desk.
IMPORTANT
Do not configure both Intune and your existing third party MDM solution to apply access controls to resources such as
Exchange or SharePoint Online. Additionally, devices should only be enrolled in one solution at a time.

Next steps
Communication plan
Plan communications
6/19/2017

The communication plan is a key element in an Intune migration. You can follow the same communication plan for
each phase as previously discussed under the Keys to a successful migration section.

E-mail templates
Here's an example of how you could communicate the migration to your organization:
Email #1: Explain benefits, expectations, and schedule. Take this opportunity to showcase any other new
services whose access will be granted on Intune managed devices.
Download E-mail #1 template to use in your organization.
Email #2: Announce that services are now ready for access through Intune. Tell users to enroll now. Remind
users of benefits and strategic reasons for migration.
Download E-mail #2 template to use in your organization.
Email #3: Give users a timeline before access is affected. Again, remind users of the benefits and strategic
reasons for the migration. Email timing should follow a sliding window that matches the pipelining of phases; for
example, in June send email #3 to Phase 1 users, email #2 to Phase 2 users, and email #1 to Phase 3 users.
Download E-mail #3 template to use in your organization.
After a set period, you can begin enforcing compliance through conditional access policies, making compliance a
condition for access to corporate data.
For more information, see Drive end-user adoption with conditional access.

Additional communication templates


Intune has additional template resources to promote device enrollment to end-users:
Refer to How to educate your end users about Microsoft Intune for further guidance on enrollment steps per
mobile OS platform
Download a customizable, end-user Intune enrollment template for IT administrators

Next steps
Drive end-user adoption with conditional access
Drive end-user adoption with conditional access
6/19/2017

Enabling conditional access features with Intune, such as blocking email for un-enrolled devices, can help drive
enrollment and compliance, but they are not required for a migration to be successful. Your migration adoption
goals and security requirements should define what success looks like.

Migration campaign with conditional access


Here is a typical approach to enhancing a migration campaign with conditional access:
1. Set conditional access rules to be enforced for all users, but specifically exclude the users who still need to
migrate from the old MDM provider. You can create an Azure AD user group containing all users excluded from
conditional access.
2. As users migrate, remove them from the conditional access exclusion group.
3. After the migration completes, configure all conditional access policies to block by default unless Intune allows
access.
Advantages
Provides access control for new user accounts, or user accounts that were not managed by the previous
solution.
Provides a grace period for users of the previous solution to migrate.
Minimizes loss of productivity.
Disadvantages
Users of the previous solution can access resources from unmanaged devices until conditional access is
enabled for them.
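
The three steps above can be modelled to see exactly what the listed disadvantage means in practice. The Python below is an added example, not Intune or Azure AD code: the User and Device records and the decision rule are constructed stand-ins for membership of the Azure AD exclusion group and for the enrolled/compliant state Intune reports, and the population is made up for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Device:
    enrolled_in_intune: bool
    compliant: bool          # only meaningful when enrolled_in_intune is True


@dataclass
class User:
    name: str
    in_exclusion_group: bool   # member of the Azure AD group the conditional access rule excludes


def access_allowed(user: User, device: Device, migration_complete: bool) -> bool:
    """Decision rule for the staged approach above.

    While the migration runs, members of the exclusion group bypass the rule entirely
    (step 1). Once it is complete, the group no longer matters and access requires a device
    that Intune has enrolled and evaluated as compliant (step 3, block by default).
    """
    if not migration_complete and user.in_exclusion_group:
        return True
    return device.enrolled_in_intune and device.compliant


def on_enrolled(user: User, device: Device) -> User:
    """Step 2: once the user's device is enrolled and compliant, drop the exclusion."""
    if device.enrolled_in_intune and device.compliant:
        user.in_exclusion_group = False
    return user


def unmanaged_access(population: List[Tuple[User, Device]], migration_complete: bool) -> List[str]:
    """Users who can reach corporate resources from a device Intune does not manage.

    This is the disadvantage listed above made countable: the list is non-empty exactly
    while excluded users still use devices that are not enrolled.
    """
    return [user.name for user, device in population
            if access_allowed(user, device, migration_complete) and not device.enrolled_in_intune]


if __name__ == "__main__":
    # Constructed population: alice is migrating from the old MDM, bob is a new hire.
    alice, bob = User("alice", True), User("bob", False)
    unmanaged, enrolled = Device(False, False), Device(True, True)
    print("during migration, unmanaged access:", unmanaged_access([(alice, unmanaged), (bob, unmanaged)], False))
    on_enrolled(alice, enrolled)
    print("after alice enrolls:", unmanaged_access([(alice, unmanaged), (bob, unmanaged)], False))
```

Tracking the unmanaged_access list per phase is the number to watch: it shrinks as step 2 is applied and reaches zero only when step 3 is switched on.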

TIP
This is one approach among many. You may choose a simpler process that defers all conditional access until after every
phase has been instructed to enroll, or a stricter process that enforces conditional access from the very beginning and
requires full compliance for all access.

Learn more about conditional access.

Task list for conditional access


Task 1: Decide how you are going to implement conditional access
Common ways to use conditional access.
Task 2: Set up Intune conditional access
Choose one of the following options:
Configure conditional access in Azure Active Directory
Install on-premises Exchange connector with Intune
Set up app-based conditional access policies for Exchange Online
Set up app-based conditional access policies for SharePoint Online
Block apps that do not use modern authentication (ADAL)

Next steps
Typical migration cycle
Typical migration cycle
6/19/2017

It's common for an organization to start its Intune migration with a small pilot that targets a subset of users in
the IT department. Your organization may also need to weigh factors such as each group's willingness to change,
number of users, complexity, requirements, location, and business risk when determining the migration time frame.
Here's an example of how your target groups could be scheduled:

MIGRATION TARGETED GROUPS | TIME PERIOD 1 | TIME PERIOD 2 | TIME PERIOD 3 | TIME PERIOD 4 | ...
Limited pilot: IT org (50 users) | Announce plan | Instruct to enroll | Give deadline | Enforce conditional access |
Expanded pilot: IT org (200 users) | | Announce plan | Instruct to enroll | Give deadline | Enforce conditional access
Migration phase 1: tech-savvy users (2000) | | | Announce plan | Instruct to enroll | Give deadline
Migration phase 2: Eastern US | | | | Announce plan | Instruct to enroll
All regions | | | | | Announce plan

Customer migration case study


Adatum Corporation
Check out how Adatum Corporation went through the process of migration from a third-party MDM provider
to Intune.

Monitoring migration
Microsoft Intune provides several ways that you can monitor your migration:
1. Intune user group views
2. Set of built-in reports, and
3. In-console alerts.
You should track how many users have enrolled devices after each phase so that you can:
Evaluate the effectiveness of your communication plan.
Estimate the impact of enforcing conditional access.

Post-migration
You'll need to retire the previous MDM provider and unsubscribe from the service after migrating to Intune.
Additionally, you'll need to remove any infrastructure that is no longer needed by following the MDM provider's
instructions.
Set up Intune
6/19/2017

The steps in this section set up your environment for mobile device management.
If you're currently using Microsoft System Center Configuration Manager to manage computers and servers, you
can extend Configuration Manager to manage mobile devices.

TIP
If you purchase at least 150 licenses for Intune in an eligible plan, you can use the FastTrack Center Benefit, which is a service
where Microsoft specialists work with you to get your environment ready for Intune. See FastTrack Center Benefit for
Enterprise Mobility + Security (EMS).

Checklist
STEPS
1. Prerequisites - What you need and what to know before you start
2. Sign in to Intune - Sign in to your trial subscription or create a new subscription to start managing your organization
3. Configure a custom domain name - Use your company's domain name to manage Intune by updating your DNS registration
4. Add users and synchronize AD - Connect Active Directory to synchronize users or add users to Intune
5. Assign Intune licenses - Give users permission to use Intune
6. Organize user and device groups - Use groups to organize deployments of policy, apps, and resources
7. Add apps - Enable settings and apps that can be deployed to users
8. Customize the Company Portal - Customize the Company Portal app that users see when working with Intune
9. Enable mobile device enrollment - Enable Intune management of iOS, Windows, Android, and Mac devices
Supported devices and browsers
6/19/2017

This article is for system administrators responsible for device management in the enterprise. For help installing
Intune on your phone, see Using managed devices to get work done.
Before you start setting up Microsoft Intune, review the following requirements:
Supported devices and computers
Supported web browsers for using Intune
You should also familiarize yourself with Intune network bandwidth usage (classic console).

Intune supported devices


You can manage the following devices using Intune mobile device management:
Apple
Apple iOS 8.0 and later
Mac OS X 10.9 and later
Windows
PCs running Windows 10 (Home, Pro, Education, and Enterprise versions)
Windows Phone 8.1 and later
Windows 8.1 RT
PCs running Windows 8.1
Devices running Windows 10 IoT Enterprise (x86, x64)
Devices running Windows 10 IoT Mobile Enterprise
Windows Holographic & Windows Holographic Enterprise
Customers with Enterprise Mobility + Security (EMS) can also use Azure Active Directory (AAD) to
register Windows 10 devices.
Windows 7 and later PCs, with the exception of Windows 10 Home edition, can also be managed with the
Intune software client.
Google
Google Android 4.0 and later (including Samsung KNOX Standard 4.0 and higher)*
Google Android for Work (requirements)
*The following models of the Samsung Galaxy Ace phone cannot be managed by Intune as Samsung KNOX
Standard devices: SM-G313HU, SM-G313HY, SM-G313M, SM-G313MY, and SM-G313U. These devices are
managed as standard Android devices. See the Samsung KNOX website for more information.
For a full list of devices and management methods, see Intune supported devices.
Intune cannot be used to manage Windows Server operating systems.
Windows PC software client
An Intune software client can be deployed and installed on Windows PCs as an alternate enrollment method. This
functionality is only available using the Intune classic console. You can use the Intune software client to manage
Windows 7 and later PCs with the exception of Windows 10 Home edition.

Intune supported web browsers


Different administrative tasks require that you use one of the following administrative websites.
Office 365 portal
Intune portal
The following browsers are supported for these portals:
Microsoft Edge (latest version)
Microsoft Internet Explorer 11
Safari (latest version, Mac only)
Chrome (latest version)
Firefox (latest version)
Intune classic portal
Intune classic-only features, such as the Intune PC software client and integration with Mobile Threat Defense partners,
are only available in the Intune classic portal (https://manage.microsoft.com). The classic Intune console requires
Silverlight browser support.
The following browsers, with Silverlight enabled, support the classic Intune console:
Internet Explorer 10 or later
Google Chrome (versions prior to version 42)
Mozilla Firefox with Silverlight enabled (learn more)

NOTE
Microsoft Edge and mobile browsers are not supported for the Intune classic console because they do not support Microsoft
Silverlight.

Only users with service administrator permissions or tenant administrators with the global administrator role can
sign in to this portal. To access the administration console, your account must have a license to use Intune and a
sign-in status of Allowed.
Intune network bandwidth use
6/22/2017

This guidance helps Intune admins understand the network requirements for the Intune service. You can use this
information to understand bandwidth requirements and IP address and port settings needed for proxy settings.

Average network traffic


This table lists the approximate size and frequency of common content that travels across the network for each
client.

NOTE
To ensure that computers and mobile devices receive the necessary updates and content from the Intune service, they must
be periodically connected to the Internet. The time taken to receive updates or content will vary, but as a guideline, they
should remain continuously connected to the Internet for at least 1 hour each day.

CONTENT TYPE | APPROXIMATE SIZE | FREQUENCY AND DETAILS
Intune client installation (the following items are in addition to the Intune client installation) | 125 MB; the size of the client download varies depending on the operating system of the client computer | One time
Client enrollment package | 15 MB | One time; additional downloads are possible when there are updates for this content type
Endpoint Protection agent | 65 MB | One time; additional downloads are possible when there are updates for this content type
Operations Manager agent | 11 MB | One time; additional downloads are possible when there are updates for this content type
Policy agent | 3 MB | One time; additional downloads are possible when there are updates for this content type
Remote Assistance via Microsoft Easy Assist agent | 6 MB | One time; additional downloads are possible when there are updates for this content type
Daily client operations | 6 MB | Daily; the Intune client regularly communicates with the Intune service to check for updates and policies, and to report the client's status to the service
Endpoint Protection malware definition updates | Varies; typically 40 KB to 2 MB | Daily; up to three times a day
Endpoint Protection engine update | 5 MB | Monthly
Software updates | Varies; the size depends on the updates you deploy | Monthly; typically, software updates release on the second Tuesday of each month. A newly enrolled or deployed computer can use more network bandwidth while downloading the full set of previously released updates
Service packs | Varies; the size varies for each service pack you deploy | Varies; depends on when you deploy service packs
Software distribution | Varies; the size depends on the software you deploy | Varies; depends on when you deploy software

Ways to reduce network bandwidth use


You can use one or more of the following methods to reduce network bandwidth use for Intune clients.
Use a proxy server to cache content requests
You can use a proxy server that can cache content to reduce duplicate downloads and reduce the use of network
bandwidth by clients that request content from the Internet.
A caching proxy server receives requests for content from client computers on your network, retrieves that content
from the Internet, and can then cache both HTTP responses and binary downloads. The server uses the cached
information to answer subsequent requests from Intune client computers.
The following are typical settings to use for a proxy server that caches content for Intune clients.
SETTING | RECOMMENDED VALUE | DETAILS
Cache size | 5 GB to 30 GB | The value varies based on the number of client computers in your network and the configurations you use. To prevent files from being deleted too soon, adjust the size of the cache for your environment.
Individual cache file size | 950 MB | This setting might not be available in all caching proxy servers.
Object types to cache | HTTP, HTTPS, BITS | Intune packages are CAB files retrieved by Background Intelligent Transfer Service (BITS) download over HTTP.

For information about using a proxy server to cache content, see the documentation for your proxy server solution.
Use Background Intelligent Transfer Service on computers
Intune supports using Background Intelligent Transfer Service (BITS) on a Windows computer to reduce the
network bandwidth that is used during the hours that you configure. You can configure policy for BITS on the
Network bandwidth page of the Intune Agent policy.
To learn more about BITS and Windows computers, see Background Intelligent Transfer Service in the TechNet
Library.
Use BranchCache on computers
Intune clients can use BranchCache to reduce wide area network (WAN) traffic. The following operating systems
that are supported as clients also support BranchCache:
Windows 7
Windows 8.0
Windows 8.1
Windows 10
To use BranchCache, the client computer must have BranchCache enabled, and then be configured for distributed
cache mode.
By default, BranchCache and distributed cache mode are enabled on a computer when the Intune client is installed.
However, if the client already has Group Policy that disables BranchCache, Intune does not override that policy, and
BranchCache remains disabled on that computer.
If you use BranchCache, you should communicate with other administrators in your organization who manage
Group Policy and Intune Firewall policy to ensure they do not deploy policy that disables BranchCache or Firewall
exceptions. For more about BranchCache, see BranchCache Overview.

Network communication requirements


You must allow network communication between the devices you manage (and the computers you use to administer
your Intune subscription) and the websites required for the cloud-based service.
Intune uses no on-premises infrastructure such as servers running Intune software, but there are options to use on-
premises infrastructure, including Exchange and Active Directory synchronization tools.
To manage computers that are behind firewalls and proxy servers, you must set up the firewalls and proxy servers to
allow communication with Intune. For computers behind a proxy server, be aware that:
The proxy server must support both HTTP (80) and HTTPS (443), because Intune clients use both protocols.
Intune supports unauthenticated proxy servers.
You can modify proxy server settings on individual client computers, or you can use Group Policy settings to
change the settings for all client computers that are located behind a specified proxy server.
Managed devices require configurations that let All Users access services through firewalls.
The following table lists the domains and IP addresses that the Intune client accesses:

DOMAINS IP ADDRESS

portal.manage.microsoft.com 40.86.181.86
m.manage.microsoft.com 13.82.59.78
13.74.184.100
40.68.188.2
13.75.42.6
52.230.25.184

sts.manage.microsoft.com 13.93.223.241
52.170.32.182
52.164.224.159
52.174.178.4
13.75.122.143
52.163.120.84

Manage.microsoft.com 104.40.82.191
i.manage.microsoft.com 13.82.96.212
r.manage.microsoft.com 52.169.9.87
a.manage.microsoft.com 52.174.26.23
p.manage.microsoft.com 40.83.123.72
EnterpriseEnrollment.manage.microsoft.com 13.76.177.110
EnterpriseEnrollment-s.manage.microsoft.com

portal.fei.msua01.manage.microsoft.com 13.64.196.170
m.fei.msua01.manage.microsoft.com

fei.msua01.manage.microsoft.com 40.71.34.120
portal.fei.msua01.manage.microsoft.com
m.fei.msua01.manage.microsoft.com

fei.msua02.manage.microsoft.com 13.64.198.190
portal.fei.msua02.manage.microsoft.com
m.fei.msua02.manage.microsoft.com

fei.msua04.manage.microsoft.com 13.64.188.173
portal.fei.msua04.manage.microsoft.com
m.fei.msua04.manage.microsoft.com

fei.msua04.manage.microsoft.com 40.71.32.174
portal.fei.msua04.manage.microsoft.com
m.fei.msua04.manage.microsoft.com

fei.msua05.manage.microsoft.com 13.64.197.181
portal.fei.msua05.manage.microsoft.com
m.fei.msua05.manage.microsoft.com

fei.msua05.manage.microsoft.com 40.71.38.205
portal.fei.msua05.manage.microsoft.com
m.fei.msua05.manage.microsoft.com

fei.amsua0502.manage.microsoft.com 13.64.191.182
portal.fei.amsua0502.manage.microsoft.com
m.fei.amsua0502.manage.microsoft.com

fei.amsua0502.manage.microsoft.com 40.71.37.51
portal.fei.amsua0502.manage.microsoft.com
m.fei.amsua0502.manage.microsoft.com

fei.msua06.manage.microsoft.com 40.118.250.246
portal.fei.msua06.manage.microsoft.com
m.fei.msua06.manage.microsoft.com

fei.msua06.manage.microsoft.com 13.90.142.194
portal.fei.msua06.manage.microsoft.com
m.fei.msua06.manage.microsoft.com

fei.amsua0602.manage.microsoft.com 13.64.250.226
portal.fei.amsua0602.manage.microsoft.com
m.fei.amsua0602.manage.microsoft.com

fei.amsua0602.manage.microsoft.com 13.90.151.142
portal.fei.amsua0602.manage.microsoft.com
m.fei.amsua0602.manage.microsoft.com

fei.msub01.manage.microsoft.com 52.169.155.165
portal.fei.msub01.manage.microsoft.com
m.fei.msub01.manage.microsoft.com

fei.msub01.manage.microsoft.com 52.174.188.97
portal.fei.msub01.manage.microsoft.com
m.fei.msub01.manage.microsoft.com

fei.amsub0102.manage.microsoft.com 52.178.190.24
portal.fei.amsub0102.manage.microsoft.com
m.fei.amsub0102.manage.microsoft.com

fei.amsub0102.manage.microsoft.com 52.174.16.215
portal.fei.amsub0102.manage.microsoft.com
m.fei.amsub0102.manage.microsoft.com

fei.msub02.manage.microsoft.com 40.69.69.27
portal.fei.msub02.manage.microsoft.com
m.fei.msub02.manage.microsoft.com

fei.msub02.manage.microsoft.com 52.166.196.199
portal.fei.msub02.manage.microsoft.com
m.fei.msub02.manage.microsoft.com

fei.msub03.manage.microsoft.com 40.69.71.164
portal.fei.msub03.manage.microsoft.com
m.fei.msub03.manage.microsoft.com

fei.msub03.manage.microsoft.com 52.174.182.102
portal.fei.msub03.manage.microsoft.com
m.fei.msub03.manage.microsoft.com

fei.msub05.manage.microsoft.com 40.69.78.145
portal.fei.msub05.manage.microsoft.com
m.fei.msub05.manage.microsoft.com

fei.msub05.manage.microsoft.com 52.174.192.105
portal.fei.msub05.manage.microsoft.com
m.fei.msub05.manage.microsoft.com

fei.msuc01.manage.microsoft.com 13.94.46.250
portal.fei.msuc01.manage.microsoft.com
m.fei.msuc01.manage.microsoft.com

fei.msuc01.manage.microsoft.com 52.163.119.15
portal.fei.msuc01.manage.microsoft.com
m.fei.msuc01.manage.microsoft.com

fei.msuc02.manage.microsoft.com 13.75.124.145
portal.fei.msuc02.manage.microsoft.com
m.fei.msuc02.manage.microsoft.com

fei.msuc02.manage.microsoft.com 52.163.119.5
portal.fei.msuc02.manage.microsoft.com
m.fei.msuc02.manage.microsoft.com

fei.msuc03.manage.microsoft.com 52.175.35.226
portal.fei.msuc03.manage.microsoft.com
m.fei.msuc03.manage.microsoft.com

fei.msuc03.manage.microsoft.com 52.163.119.6
portal.fei.msuc03.manage.microsoft.com
m.fei.msuc03.manage.microsoft.com

fei.msuc05.manage.microsoft.com 52.175.38.24
portal.fei.msuc05.manage.microsoft.com
m.fei.msuc05.manage.microsoft.com

fei.msuc05.manage.microsoft.com 52.163.119.3
portal.fei.msuc05.manage.microsoft.com
m.fei.msuc05.manage.microsoft.com

fef.msua01.manage.microsoft.com 138.91.243.97

fef.msua02.manage.microsoft.com 52.177.194.236

fef.msua04.manage.microsoft.com 23.96.112.28

fef.msua05.manage.microsoft.com 138.91.244.151
DOMAINS IP ADDRESS

fef.msua06.manage.microsoft.com 13.78.185.97

fef.msua07.manage.microsoft.com 52.175.208.218

fef.msub01.manage.microsoft.com 137.135.128.214

fef.msub02.manage.microsoft.com 137.135.130.29

fef.msub03.manage.microsoft.com 23.97.165.17

fef.msub05.manage.microsoft.com 23.97.166.52

fef.msuc01.manage.microsoft.com 52.230.19.86

fef.msuc02.manage.microsoft.com 23.98.66.118

fef.msuc03.manage.microsoft.com 23.101.0.100

fef.msuc05.manage.microsoft.com 52.230.16.180
Sign up or sign in to Intune
6/19/2017

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

This topic tells system administrators how they can sign up for an Intune account.
Before you can sign in or sign up for Intune, you'll need to determine whether your organization already has a
Microsoft Online Services work or school account, or if your organization has an Enterprise Agreement or
equivalent volume licensing agreement with Microsoft. A work or school account is provided when you sign a
volume licensing agreement with Microsoft or subscribe to other Microsoft cloud services such as Office 365.
If you already have a work or school account, you will be able to simply sign in with that account to add Intune to
your pre-existing subscription environment. Otherwise, you'll need to sign up to create a new account to use to
manage Intune for your organization.

WARNING
If you sign up for a new account, you cannot later use an existing work or school account to manage your subscription or
combine it with existing volume licensing agreements.

How to sign up or sign in to Intune


1. Visit the Intune Sign up page.
2. On the Sign up page, sign in or sign up to manage a new subscription of Intune.

Post sign up considerations


If you sign up for a new subscription, you'll receive an email message that contains your account information at the
email address that you provided during the sign-up process. This email confirms that your subscription is active.
After completing the sign-up process you will be directed to a page used to add users and assign them licenses
using the Office 365 admin center. If you will only have cloud-based accounts using your default onmicrosoft.com
domain name, then you can go ahead and add users and assign licenses at this point. However, if you will use your
organization's custom domain name or want to synchronize user account information from on-premises Active
Directory, then you can close that browser window and move on to step 2 of this quick start guide. You can also
learn more in About your initial onmicrosoft.com domain in Office 365.

TIP
The next time you sign in to Intune you'll automatically be directed to the Intune administration console.
Configure a custom domain name
6/19/2017

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

This topic tells administrators how they can create a DNS CNAME to simplify and customize their logon experience.
When your organization signs up for a Microsoft cloud-based service like Intune, you're given an initial domain
name hosted in Azure Active Directory (AD) that looks like the following: yourdomain.onmicrosoft.com. In this
example, yourdomain is the domain name that you chose when you signed up, and onmicrosoft.com is the
suffix assigned to the accounts you add to your subscription. When your organization owns a custom domain, you
can configure your instance of Intune to use that domain instead of the domain name provided with your
subscription.
Before you create user accounts or synchronize your on-premises Active Directory, we strongly recommend that
you decide whether to use only the .onmicrosoft.com domain or to add one or more of your custom domain
names. Configuring a custom domain before adding users can help simplify the management of user identities for
your subscription by enabling users to sign in with the credentials they use to access other domain resources.
When you subscribe to a cloud-based service from Microsoft, your instance of that service becomes a Microsoft
Azure AD tenant, which provides identity and directory services for your cloud-based service. And, because the
tasks to configure Intune to use your organization's custom domain name are the same as for other Azure AD
tenants, you can use the information and procedures found in Add your domain.

TIP
For more information about using your custom domain with a cloud-based service from Microsoft, see Conceptual overview
of custom domain names in Azure Active Directory.

You cannot rename or remove that initial domain name. However, you can add, verify or remove your own custom
domain names to use with Intune, which is helpful if you want to keep your business identity.

To add and verify your custom domain


1. Go to the Office 365 management portal and sign in to your administrator account.
2. In the navigation pane, choose Settings > Domains.
3. Choose Add domain, and type your custom domain name.
4. The Verify domain dialog box opens, giving you the values to create the TXT record at your DNS hosting
provider.
GoDaddy users: The Office 365 management portal redirects you to GoDaddy's login page. After you enter
your credentials and accept the domain change permission agreement, the TXT record is created
automatically. You can alternatively create the TXT record yourself.
Register.com users: Follow the step-by-step instructions to create the TXT record.
The steps to add and verify a custom domain can also be performed in Azure Active Directory.
You can learn more about your initial onmicrosoft.com domain in Office 365.
Add users and give administrative permission to Intune
6/23/2017

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

This topic tells administrators how they can add users to Intune and what administrative permissions are available
in the Intune service.
As an administrator, you can add users directly or synchronize users from your on-premises Active Directory. Once
added, users can enroll devices and access company resources. You can also give users additional permissions
including global administrator and service administrator permissions.

Add users to Intune


You can manually add users to your Intune subscription via the Office 365 portal or the Azure Intune portal, but
they might not automatically be assigned an Intune license. An administrator can edit user accounts to assign
Intune licenses. This can be done from either the Office 365 portal or the Intune Azure portal. For additional
guidance on using the Office 365 portal, see Add users individually or in bulk to the Office 365 portal.
Add Intune users in the Office 365 Admin Center
1. Sign in to Office 365 portal.
2. In the Office 365 menu, select Admin.
3. In the Admin center, select Add a user.
4. Specify the following user details:
First name
Last name
Display name - Displayed in Intune portal
User name - UPN name in Intune portal
Location
Contact information (optional)
Password - Auto-generate or specify
5. Assign an Intune license. Select Product licenses and choose the product license to assign the user.
6. Choose Add to create the new user.
Add Intune users in the Azure Intune portal
1. Sign in to the Azure portal and go to Monitoring + Management > Intune. You can also search resources for
Intune.
2. Select Users.
3. In the Admin center, select Add a user.
4. Specify the following user details:
Name
User name - The new name in Azure Active Directory portal
Choose OK to continue.
5. Optionally, you can specify the following:
Profile - Work information including Job title and Department
Groups - Select groups to add for the user
Directory role - Give the user administrative permissions for Intune
Select Create to add the new user to Intune.
6. Select Profile, and then choose a Usage location for the new user. Usage location is required before you can
assign the new user an Intune license. Choose Save to continue.
7. Select Licenses and then choose Assign to assign an Intune license for this user. An Intune license is required
to enroll devices or access company resources. Select Products, choose the license type, choose Select, and
then choose Assign.

Grant admin permissions


After you've added users to your Intune subscription, we recommend that you grant a few user accounts
administrative permission:
Global administrator: Use the Office 365 portal to assign this type of administrator to manage your
subscription, including billing, cloud storage, and managing the users who can use Intune.
Customized or limited administrator: Use the Office 365 or Azure Intune console to assign this type of
administrator for day-to-day tasks including device and computer management, deploying policy and apps,
and running reports.
Types of administrators
Users can be assigned one or more administrator permissions, which define the administrative scope for that user
and the tasks they can manage. Administrator permissions are common between the different Microsoft cloud
services, although some services might not support some permissions. Intune uses the following administrator
permissions:
Global administrator - (Office 365 and Intune) Accesses all administrative features in Intune. By default the
person who signs up for Intune becomes a Global admin. Global admins are the only admins who can assign
other admin roles. You can have more than one global admin in your organization. As a best practice we
recommend that only a few people in your company have this role to reduce the risk to your business.
Billing administrator - (Office 365 and Intune) Makes purchases, manages subscriptions, manages support
tickets, and monitors service health.
Password administrator - (Office 365 and Intune) Resets passwords, manages service requests, and monitors
service health. Password admins are limited to resetting passwords for users.
Service administrator - (Office 365) Opens support requests with Microsoft, and views the service dashboard
and message center. They have view only permissions except for opening support tickets and reading them.
User management administrator - (Office 365 and Intune) Resets passwords, monitors service health, adds
and deletes user accounts, and manages service requests. The user management admin can't delete a global
admin, create other admin roles, or reset passwords for billing, global, and service admins.
By default, the account you use to create your Microsoft Intune subscription is a global administrator. As a best
practice, do not use a global administrator for day-to-day management tasks. An administrator does not require an
Intune license to access the Intune administrator console. See the Azure AD tenant section in What is an Azure
AD directory? for more information.
To access the Office 365 portal, your account must have Sign-in allowed set. In the Intune portal under Profile,
set Block sign in to No to allow access. This status is different from having a license to the subscription. By
default, all user accounts are Allowed. Users without administrator permissions can use the Office 365 portal to
reset Intune passwords.
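The guidance above is to keep the Global administrator role to a few people and to keep those accounts out of day-to-day work. The following script is an added example (not part of the Intune documentation) that lists the current holders of that role with the Azure Active Directory Module for Windows PowerShell (MSOnline) cmdlets; the `$MaxExpected` threshold is an assumed policy value, and a Connect-MsolService session is required.

```powershell
# Added example (not from the Intune docs): audit who holds the Global administrator
# role and flag signs that an admin account is also used for everyday work.
# Requires the MSOnline module and an established Connect-MsolService session.
# In MSOnline the Global administrator role is named "Company Administrator".

function Get-GlobalAdminReport {
    param(
        # Assumed policy threshold; the docs only say "a few people". Adjust as needed.
        [int]$MaxExpected = 4
    )

    $role    = Get-MsolRole -RoleName "Company Administrator"
    $members = @(Get-MsolRoleMember -RoleObjectId $role.ObjectId)

    $report = foreach ($m in $members) {
        # Role members may be users or service principals; look up details for users only.
        $user = if ($m.RoleMemberType -eq "User") { Get-MsolUser -ObjectId $m.ObjectId } else { $null }

        # A global admin needs no Intune license to reach the console, so an enabled
        # INTUNE_A plan on an admin account hints that it also enrolls devices or does
        # day-to-day work, which the docs advise against.
        $intuneEnabled = if ($user) {
            [bool]($user.Licenses.ServiceStatus | Where-Object {
                $_.ServicePlan.ServiceName -eq "INTUNE_A" -and $_.ProvisioningStatus -ne "Disabled"
            })
        } else { $null }

        [pscustomobject]@{
            DisplayName        = $m.DisplayName
            Principal          = $m.EmailAddress
            MemberType         = $m.RoleMemberType
            SignInBlocked      = if ($user) { $user.BlockCredential } else { $null }
            HasIntuneLicense   = $intuneEnabled
            LastPasswordChange = if ($user) { $user.LastPasswordChangeTimestamp } else { $null }
        }
    }

    if ($members.Count -gt $MaxExpected) {
        Write-Warning ("{0} Global administrators found; policy expects at most {1}." -f $members.Count, $MaxExpected)
    }
    $report
}

Connect-MsolService
Get-GlobalAdminReport | Format-Table -AutoSize
```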

Sync Active Directory and add users to Intune


You can configure directory synchronization to import user accounts from your on-premises Active Directory to
Microsoft Azure Active Directory (Azure AD) which includes Intune users. Having your on-premises Active
Directory service connected with all of your Azure Active Directory-based services makes managing user identity
much simpler. You can also configure single sign-on features to make the authentication experience for your users
familiar and easy. By linking the same Azure AD tenant with multiple services, the user accounts that you have
previously synchronized are available to all cloud-based services.
How to sync on-premises users with Azure AD
The only tool that you need to synchronize your user accounts with Azure AD is the Azure AD Connect wizard. The
Azure AD Connect wizard provides a simplified and guided experience for connecting your on-premises identity
infrastructure to the cloud. Choose your topology and needs (single or multiple directories, password sync or
federation), and the wizard will deploy and configure all components required to get your connection up and
running, including sync services, Active Directory Federation Services (AD FS), and the Azure AD PowerShell
module.

TIP
Azure AD Connect encompasses functionality that was previously released as Dirsync and Azure AD Sync. Learn more about
directory integration. To learn about the benefits of synchronizing user accounts from your local directory to Azure AD, see
Similarities between Active Directory and Azure AD.
Assign Intune licenses to your user accounts
6/23/2017

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

Whether you manually add users or synchronize from your on-premises Active Directory, you must first assign
each user an Intune license before users can enroll their devices in Intune.

Assign an Intune license in the Office 365 Admin center


You can use the Office 365 portal to manually add cloud-based users and assign licenses to both cloud-based user
accounts and accounts synchronized from your on-premises Active Directory to Azure AD.
1. Sign in to the Office 365 portal using your tenant administrator credentials, and then choose Users >
Active Users.
2. Select the user account that you want to assign an Intune user license to, and then choose Product
licenses > Edit.
3. Toggle Intune or Enterprise Mobility + Security to On, and choose Save.
4. The user account now has the permissions needed to use the service and enroll devices into management.

NOTE
Users will appear in the Admin console only after they have enrolled a device. Also, you can select a group of users to edit at
once, either selecting to add or replace a license for all selected users.

Use School Data Sync to assign licenses to users in Intune for Education
If you are an educational organization, you can use School Data Sync (SDS) to assign Intune for Education licenses
to synced users. Just choose the Intune for Education checkbox when you're setting up your SDS profile.

When you assign an Intune for Education license, make sure that Intune A Direct license is also assigned.
See this overview of School Data Sync to learn more about SDS.

How user and device licenses affect access to services


Each user that you assign a user software license to may access and use the online services and related
software (including System Center software) to manage applications and up to 15 devices.
Each device that you assign a device software license to may access and use the online services and related
software (including System Center software) for use by any number of users.
If a device is used by more than one user, each requires a device software license or all users require a user
software license.

Use PowerShell to selectively manage EMS user licenses


Organizations that use Microsoft Enterprise Mobility + Security (formerly Enterprise Mobility Suite) might have
users who only require Azure Active Directory Premium or Intune services in the EMS package. You can assign one
or a subset of services using Azure Active Directory PowerShell cmdlets.
To selectively assign user licenses for EMS services, open PowerShell as an administrator on a computer with the
Azure Active Directory Module for Windows PowerShell installed. You can install PowerShell on a local computer
or on an ADFS server.
You must create a new license SKU definition that applies only to the desired service plans. To do this, disable the
plans you don't want to apply. For example, you might create a license SKU definition that does not assign an
Intune license. To see a list of available services, type:

(Get-MsolAccountSku | Where {$_.SkuPartNumber -eq "EMS"}).ServiceStatus

You can run the following command to exclude the Intune service plan. You can use the same method to expand to
an entire security group or you can use more granular filters.
Example 1
Create a new user on the command line and assign an EMS license without enabling the Intune portion of the
license:

Connect-MsolService

# Create the user; values with spaces must be quoted, and every parameter needs its leading hyphen.
New-MsolUser -DisplayName "Test User" -FirstName FName -LastName LName -UserPrincipalName user@<TenantName>.onmicrosoft.com -Department DName -UsageLocation US

# License options for the EMS SKU with the Intune service plan (INTUNE_A) disabled.
$CustomEMS = New-MsolLicenseOptions -AccountSkuId "<TenantName>:EMS" -DisabledPlans INTUNE_A

# Assign EMS to the user with those options applied (one command, on one line).
Set-MsolUserLicense -UserPrincipalName user@<TenantName>.onmicrosoft.com -AddLicenses <TenantName>:EMS -LicenseOptions $CustomEMS

Verify with:

(Get-MsolUser -UserPrincipalName "user@<TenantName>.onmicrosoft.com").Licenses.ServiceStatus

Example 2
Disable the Intune portion of EMS license for a user that is already assigned with a license:

Connect-MsolService

$CustomEMS = New-MsolLicenseOptions -AccountSkuId "<TenantName>:EMS" -DisabledPlans INTUNE_A


Set-MsolUserLicense -UserPrincipalName user@<TenantName>.onmicrosoft.com -LicenseOptions $CustomEMS

Verify with:

(Get-MsolUser -UserPrincipalName "user@<TenantName>.onmicrosoft.com").Licenses.ServiceStatus
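The text notes that the same method can be expanded to an entire security group. The following is an added example (not part of the Intune documentation) that applies the EMS license with INTUNE_A disabled to every user member of a group, choosing between the Example 1 and Example 2 forms of Set-MsolUserLicense per user, and then reports the resulting INTUNE_A plan status. The group name and <TenantName> are placeholders, and the MSOnline module with a Connect-MsolService session is assumed.

```powershell
# Added example (not from the Intune docs): group-scoped EMS licensing with the Intune
# plan disabled, followed by a verification pass. Assumes the MSOnline module and an
# established Connect-MsolService session. "<TenantName>" and the group name are placeholders.

function Set-EmsLicenseWithoutIntune {
    param(
        [Parameter(Mandatory)][string]$TenantName,
        [Parameter(Mandatory)][string]$GroupName,
        [switch]$ReportOnly   # Show what would change without calling Set-MsolUserLicense
    )

    $skuId   = "${TenantName}:EMS"
    $options = New-MsolLicenseOptions -AccountSkuId $skuId -DisabledPlans INTUNE_A

    # -SearchString is a prefix match, so pin the exact display name and refuse ambiguity.
    $group = @(Get-MsolGroup -SearchString $GroupName | Where-Object { $_.DisplayName -eq $GroupName })
    if ($group.Count -ne 1) { throw "Expected exactly one group named '$GroupName', found $($group.Count)." }

    # Only user objects can hold licenses; nested groups are skipped, not expanded.
    $members = @(Get-MsolGroupMember -GroupObjectId $group[0].ObjectId -All |
        Where-Object { $_.GroupMemberType -eq "User" })

    foreach ($m in $members) {
        $user = Get-MsolUser -ObjectId $m.ObjectId

        # Licensing fails without a usage location, so surface that instead of erroring mid-loop.
        if (-not $user.UsageLocation) {
            Write-Warning "$($user.UserPrincipalName): no UsageLocation set; skipping."
            continue
        }

        $hasEms = $user.Licenses.AccountSkuId -contains $skuId
        $action = if ($hasEms) { "update options on" } else { "assign" }
        if ($ReportOnly) {
            Write-Host ("Would {0} {1} for {2}" -f $action, $skuId, $user.UserPrincipalName)
            continue
        }

        if ($hasEms) {
            # Already licensed: change only the plan options (the Example 2 form).
            Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -LicenseOptions $options
        } else {
            # Not yet licensed: add the SKU with Intune disabled (the Example 1 form).
            Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -AddLicenses $skuId -LicenseOptions $options
        }
    }

    # Verification: anything other than "Disabled" for INTUNE_A means Intune is still enabled.
    foreach ($m in $members) {
        $user   = Get-MsolUser -ObjectId $m.ObjectId
        $ems    = $user.Licenses | Where-Object { $_.AccountSkuId -eq $skuId }
        $intune = $ems.ServiceStatus | Where-Object { $_.ServicePlan.ServiceName -eq "INTUNE_A" }
        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            EmsAssigned       = [bool]$ems
            IntunePlanStatus  = if ($intune) { $intune.ProvisioningStatus } else { "n/a" }
        }
    }
}

Connect-MsolService
Set-EmsLicenseWithoutIntune -TenantName "<TenantName>" -GroupName "EMS-NoIntune" -ReportOnly | Format-Table -AutoSize
```

Run once with -ReportOnly to review the planned changes, then again without it to apply them.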


Customize the Company Portal
6/19/2017

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

This topic tells administrators how they can customize the Intune Company Portal app and Company Portal
website.
The Intune Company Portal is where users access company data and can do common tasks like enrolling devices,
installing apps, and locating information for assistance from your IT department.
The Intune Company Portal provides users with access to company data and apps. The Company Portal is available
in two forms:
The Company Portal app: An application that is available on devices you manage with Intune. Learn more
about the Company Portal apps for Android, iOS , and Windows.
The Company Portal website: A website that lets end users do most of the tasks they can do from the
Company Portal app. The Intune Company Portal URL is https://portal.manage.microsoft.com. Learn more
about this website at Using the Intune Company Portal website.

TIP
When you customize the Company Portal, the configurations apply to both the Company Portal website and Company
Portal apps.

Some of the tasks that users can do in the Company Portal are:
Enroll devices
View the status of their devices
Reset their device
Reset their password
Remotely lock their device
Download software that is deployed by your organization
Contact the IT department for support

Customize Company Portal settings


Customizing the Company Portal helps provide a familiar and helpful experience for your end users. Log in to the
Microsoft Intune administrator console as a tenant or service administrator, choose Admin > Company Portal
and configure the Company Portal settings.

Company contact information and privacy statement


The company name is displayed as the Company Portal title. The contact information and details are displayed to
users in the Contact IT screen of the Company Portal. The privacy statement is displayed when a user clicks on the
privacy link.
FIELD NAME (MAX LENGTH): MORE INFORMATION

Company name (40): This name is displayed as the title of the Company Portal.

IT department contact name (40): This name is displayed on the Contact IT page.

IT department phone number (20): This contact number is displayed on the Contact IT page.

IT department email address (40): This contact address is displayed on the Contact IT page. You must enter a
valid email address.

Additional information (120): Displayed on the Contact IT page.

Company privacy statement URL (79): You can specify your own company privacy statement that appears when
users click the privacy links from the Company Portal. You must enter a valid URL in the format
https://www.contoso.com.

Support contacts
The support website is displayed to users in the Company Portal to enable them to access online support.

FIELD NAME (MAX LENGTH): MORE INFORMATION

Support website URL (150): If you have a support website that you want your users to use, specify the URL
here. The URL must be in the format https://www.contoso.com. If you don't specify a URL, nothing is displayed
for the support website on the Contact IT page in the Company Portal.

Website name (40): This name is the friendly name that is displayed for the URL to the support website. If you
specify a support website URL and no friendly name, then Go to IT website is displayed on the Contact IT page
in the Company Portal.

Company branding customization


You can customize your Company Portal with your company logo, company name, theme color and background.

FIELD NAME: MORE INFORMATION

Theme color: Select a theme color to apply to the Company Portal.

Include company logo: When you enable this option, you can upload your company logo to show in your
Company Portal. You can upload two logos: one logo that is displayed when the Company Portal background is
white, and one logo that is displayed when the Company Portal background uses your selected theme color.
Each logo must be a .png or .jpg file type, have a maximum resolution of 400 x 100 pixels, and be 750 KB or
less in size.

Choose a background for Windows 8 Company Portal app: This setting affects the background for the
Windows 8 Company Portal app only.

After you save your changes, you can use the links provided at the bottom of the Company Portal page of the
administration console to view the Company Portal website. These links cannot be changed. When a user signs in,
these links display your subscriptions in the Company Portal.
Set the mobile device management authority
6/19/2017

APPLIES TO: INTUNE ON AZURE


The mobile device management (MDM) authority setting determines how you manage your devices. As an IT
admin, you must set an MDM authority before users can enroll devices for management.
Possible configurations are:
Intune Standalone - cloud-only management, which you configure by using the Azure portal. Includes the
full set of capabilities that Intune offers. Set the MDM authority in the Intune console.
Intune Hybrid - integration of the Intune cloud solution with System Center Configuration Manager. You
configure Intune by using the Configuration Manager console. Set the MDM authority in Configuration
Manager.
Mobile Device Management for Office 365 - integration of Office 365 with the Intune cloud solution.
You configure Intune from your Office 365 Admin Center. Includes a subset of the capabilities that are
available with Intune Standalone. Set the MDM authority in Office 365 Admin Center.

IMPORTANT
In Configuration Manager version 1610 or later and Microsoft Intune version 1705, you can change the MDM authority without
having to contact Microsoft Support, and without having to unenroll and re-enroll your existing managed devices. For details,
see What to do if you choose the wrong MDM authority setting.

Set MDM authority to Intune


1. In the Azure portal, choose More Services > Monitoring + Management > Intune.

2. On the Intune blade, choose Device enrollment, and then choose Overview.
3. On the Start managing devices blade, choose Set MDM Authority to Intune. A message indicates that
you have successfully set your MDM authority to Intune.

Mobile device cleanup after MDM certificate expiration


The MDM certificate is renewed automatically when mobile devices are communicating with the Intune service. If
mobile devices are wiped, or they fail to communicate with the Intune service for some period of time, the MDM
certificate will not get renewed. The device is removed from the Azure portal 180 days after the MDM certificate
expires.
What is device enrollment?
6/20/2017

APPLIES TO: INTUNE ON AZURE


This topic describes enrollment and lists the different ways to enroll mobile devices in Intune management.
You enroll devices in Intune so that you can manage those devices. We refer to this capability in the Intune
documentation as mobile device management (MDM). When devices are enrolled in Intune, they are issued an
MDM certificate, which the devices then use to communicate with the Intune service.
The way you enroll your devices depends on the device type, ownership, and the level of management you
need. "Bring your own device" (BYOD) enrollment lets users enroll their personal phones, tablets, or PCs.
Corporate-owned device (COD) enrollment enables management scenarios like automatic enrollment, shared
devices, or pre-authorized enrollment requirements.
If you use Exchange ActiveSync, either on-premises or hosted in the cloud, you can enable simple Intune
management without enrollment (more information is coming soon). You can manage Windows PCs as mobile
devices, which is the recommended method described below.

Overview of device enrollment methods


The following tables offer an overview of Intune enrollment methods; their capabilities and requirements are
described below.
Legend
Reset required - Devices are factory reset during enrollment.
User Affinity - Associates devices with users. For more information, see User affinity.
Locked - Prevents users from unenrolling devices.
iOS enrollment methods

METHOD RESET REQUIRED USER AFFINITY LOCKED DETAILS

BYOD No Yes No More information

DEM No No No More information

DEP Yes Optional Optional More information

USB-SA Yes Optional No More information

USB-Direct No No No More information

Windows enrollment methods


METHOD RESET REQUIRED USER AFFINITY LOCKED DETAILS

BYOD No Yes No More information

DEM No No No More information

Auto-enroll No Yes No More information

Bulk enroll No No No More information

Android enrollment methods

METHOD RESET REQUIRED USER AFFINITY LOCKED DETAILS

BYOD No Yes No More information

DEM No No No More information

Android for Work No Yes No More information

BYOD
"Bring your own device" users install and run the Company Portal app to enroll their devices. This program lets
users access company resources like email.

Corporate-owned devices
The following are corporate-owned devices (COD) enrollment scenarios. iOS devices can be enrolled directly
through the tools that are provided by Apple. All device types can be enrolled by an admin or manager using the
device enrollment manager. Devices with an IMEI number can also be identified and tagged as company-owned to
enable COD scenarios.
DEM
Device enrollment manager (DEM) is a special user account that's used to enroll and manage multiple corporate-
owned devices. Managers can install the Company Portal and enroll many user-less devices. Learn more about
DEM.
DEP
Apple Device Enrollment Program (DEP) management lets you create and deploy policy over the air to iOS
devices that are purchased and managed with DEP. The device is enrolled when users turn on the device for the
first time and run iOS Setup Assistant. This method supports iOS Supervised mode, which in turn enables the
following functionality:
Locked enrollment
Kiosk mode and other advanced configurations and restrictions
Learn more about iOS DEP enrollment:
Choose how to enroll iOS devices
Enroll iOS devices using Device Enrollment Program
USB-SA
IT admins use Apple Configurator, through USB, to prepare each corporate-owned device manually for enrollment
using Setup Assistant. The IT admin creates an enrollment profile and exports it to Apple Configurator. When users
receive their devices, they are then prompted to run Setup Assistant to enroll their device. This method supports
iOS Supervised mode, which in turn enables the following features:
Locked enrollment
Kiosk mode and other advanced configurations and restrictions
Learn more about iOS Apple Configurator enrollment with Setup Assistant:
Decide how to enroll iOS devices
Enroll iOS devices with Configurator and Setup Assistant
USB-Direct
For direct enrollment, the admin must enroll each device manually by creating an enrollment policy and exporting
it to Apple Configurator. USB-connected, corporate-owned devices are enrolled directly and don't require a factory
reset. Devices are managed as user-less devices. They are not locked or supervised and cannot support conditional
access, jailbreak detection, or mobile application management.
To learn more about iOS enrollment, see:
Decide how to enroll iOS devices
Enroll iOS devices with Configurator and direct enrollment

Mobile device management with Exchange ActiveSync and Intune


Mobile devices that aren't enrolled, but that connect to Exchange ActiveSync (EAS), can be managed by Intune
using EAS MDM policy. Intune uses an Exchange Connector to communicate with EAS, either on-premises or
cloud-hosted. More information is coming soon.

Mobile device cleanup after MDM certificate expiration


The MDM certificate is renewed automatically when mobile devices are communicating with the Intune service. If
mobile devices are wiped, or they fail to communicate with the Intune service for some period of time, the MDM
certificate will not get renewed. The device is removed from the Azure portal 180 days after the MDM certificate
expires.
Ensure users accept company terms for access
6/19/2017

APPLIES TO: INTUNE ON AZURE


As an Intune admin, you can require that users accept your company's terms and conditions before they can use the
Company Portal to enroll their devices and access resources like company apps and email. Configuration of terms
and conditions is optional.
You can create multiple sets of terms and assign them to different groups, such as to support different languages.

Create terms and conditions


Complete these steps to create terms and conditions. The display name and description are for administrative use
while terms properties are displayed to users in the Company Portal.
1. In the Intune portal, choose Device enrollment, and then choose Terms and Conditions.
2. Select Create.

3. On the expanded blade, specify the following information:


Display name: The name for the terms in the Intune portal. Users don't see this name.
Description: Optional details that help you identify this set of terms in the Intune portal.
4. Select the arrow next to Define terms of use to open the Terms and Conditions blade, and then enter the
following information:
Title: The name for your terms that users see in the Company Portal above the Summary.
Summary of Terms: Text that explains what it means when users accept the terms. For example, "By
enrolling your device, you are agreeing to the terms of use set out by Contoso. Read the terms carefully
before proceeding."
Terms and Conditions: The terms and conditions that users see and must either accept or reject.
5. Select OK and then select Create.

See how terms are displayed to your users


The following example shows the Title and Summary of Terms in the admin console and Company Portal.

The following example shows the terms and conditions in the admin console and the Company Portal.
Assign terms and conditions
You can assign terms and conditions to groups of users who must accept them before using the Company Portal.
1. In the Intune portal, choose Device enrollment, and then choose Terms and Conditions.
2. In the list of terms and conditions, select the terms you want to assign, and then select Assigned Groups.

3. Click the Select Group button and in the Select Groups blade, select the groups you want to assign the terms,
and then click Select. Dynamic groups cannot be assigned Terms and Conditions.
4. In the Assigned Groups blade, click Save. The terms and conditions are now assigned to users in the selected
groups. Users will be prompted to accept the terms the next time they access the Company Portal. The terms and
conditions only need to be accepted once. Users with multiple devices don't have to accept on each device.

Monitor terms and conditions


1. In the Azure portal, choose More Services > Monitoring + Management > Intune. On the Intune blade,
choose Device enrollment, and then choose Terms and Conditions.
2. In the list of terms and conditions, select the terms you want to view acceptance for, and then select Acceptance
Statuses.

Work with multiple versions of terms and conditions


You can edit your terms and conditions and manage their versions. We recommend that you increase the version
number and require acceptance any time you make significant changes to your terms and conditions. Keep the
current version number if, for example, you are fixing typos or changing formatting.
1. In the Azure portal, choose More Services > Monitoring + Management > Intune.
2. On the Intune blade, choose Device enrollment, choose Terms and Conditions, select the terms and
conditions you want to modify, and then select Properties.
3. On the Properties blade, select Terms and Conditions and then modify the Title, Summary of Terms, and
Terms and Conditions as needed. If the changes you made make it necessary for users to reaccept the new
terms, click Require users to re-accept, and increment the version number.
4. Select OK and then select Save.
Users only have to accept updated terms and conditions once. Users with multiple devices don't have to accept
terms and conditions on each device.
Set enrollment restrictions
6/29/2017

APPLIES TO: INTUNE ON AZURE


As an Intune admin, you can determine which devices can enroll into management with Intune. Use the Intune
portal to set the following restrictions for device enrollment:
Maximum number of enrolled devices
Device platforms that can enroll:
Android
iOS
macOS
Windows
Restrict personally owned devices (iOS, Android, macOS only)

NOTE
Enrollment restrictions are not a security feature. Compromised devices can misrepresent their character. These restrictions
are a best-effort barrier for non-malicious users.

Set device type restrictions


The default enrollment restrictions apply to all users who aren't assigned higher priority enrollment restrictions.
1. In the Intune portal, choose Device enrollment, choose Enrollment restrictions.

2. Under Enrollment restrictions > Device Type Restrictions, select Default.


3. Under All Users, select Platforms. Choose Allow or Block for each platform:
Android
iOS
macOS
Windows
Click Save.
4. Under All Users, select Platform Configurations and select the following configurations:
Personally Owned - Specify whether to Allow or Block for Android, iOS, and macOS devices.

Click Save.

Set device limit restrictions


The default enrollment restrictions apply to all users who aren't assigned higher priority enrollment restrictions.
1. In the Intune portal, choose Device enrollment, choose Enrollment restrictions.
2. Choose Enrollment restrictions > Device Limit Restrictions.
3. Under All Users, select Device Limit. Specify the maximum number of enrolled devices per user.

Click Save.
Get an Apple MDM push certificate
6/19/2017

APPLIES TO: INTUNE ON AZURE


Intune enables mobile device management (MDM) of iPads, iPhones, and Mac computers and gives users access to
company email and apps. An MDM Push certificate is required for Intune to manage iOS and Mac devices. After
you add the certificate to Intune, your users can install the Company Portal app to enroll their devices. You can also
set up corporate-owned iOS device management with Apple's Device Enrollment Program or enroll devices using
Apple Configurator, for example. For more information about enrollment options, see Choose how to enroll iOS
devices.

Steps to get your certificate


In the Intune portal, choose Device enrollment > Apple Enrollment > Apple MDM Push Certificate, and then
follow the numbered steps in the Azure portal, which are shown below.
Step 1. Download the Intune certificate signing request required to create an Apple MDM push
certificate.
Select Download your CSR to download and save the .csr file locally. The .csr file is used to request a trust
relationship certificate from the Apple Push Certificates Portal.
Step 2. Create an Apple MDM push certificate.
Select Create your MDM push Certificate to go to the Apple Push Certificates Portal. Sign in with your company
Apple ID and create the push certificate by uploading the .csr file. After you choose Upload on Apple's Push
Certificates Portal, you receive a .json file. Do not use this file for the push certificate. Complete the download,
return to the Apple Push Certificates Portal page for Certificates for Third-Party Servers, and then choose Download.
Download the push certificate (.pem file), and save the file locally.

NOTE
The certificate is associated with the Apple ID used to create it. As a best practice, use a company Apple ID for management
tasks. Never use a personal Apple ID.

Step 3. Enter the Apple ID used to create your Apple MDM push certificate.
Step 4. Browse to your Apple MDM push certificate to upload.
Go to the certificate (.pem) file, choose Open, and then choose Upload. With the push certificate, Intune can enroll
and manage iOS devices by pushing policy to enrolled mobile devices.

Renew Apple MDM push certificate


The Apple MDM push certificate is valid for one year and must be renewed annually to maintain iOS and macOS
device management. If your certificate expires, enrolled Apple devices cannot be contacted.
The certificate is associated with the Apple ID used to create it. Renew the MDM push certificate with the same
Apple ID used to create it.

1. In the Intune portal, choose Device enrollment > Apple Enrollment and then select Apple MDM Push
Certificate.
2. Select Download your CSR to download and save the .csr file locally. The .csr file is used to request a trust
relationship certificate from the Apple Push Certificates Portal.
3. Find the certificate you want to renew and select Renew.
4. On the Renew Push Certificate screen, provide notes to help you identify the certificate in the future, select
Choose File to browse to the new .csr file you downloaded, and choose Upload.
5. On the Confirmation screen, select Download and save the .pem file locally.
6. In the Intune portal, select the Apple MDM push certificate browse icon, select the .pem file
downloaded from Apple, and choose Upload.
Your Apple MDM push certificate appears Active and has 365 days until expiration.
Add corporate identifiers
6/29/2017

APPLIES TO: INTUNE ON AZURE


As an IT admin, you can create and import a comma-separated value (.csv) file that lists international mobile
equipment identity (IMEI) numbers or serial numbers to identify corporate-owned devices. Serial numbers can be
declared only for iOS and Android devices. Each IMEI or serial number can have details specified in the list for
administrative purposes.
Learn how to find an Apple device serial number. Learn how to find your Android device serial number.

Add corporate identifiers


To create the list, create a two-column, comma-separated value (.csv) list without a header. Add the IMEI or serial
numbers in the left column, and the details in the right column. Only one type of ID, IMEI or serial number, can be
imported in a single .csv file. Details are limited to 128 characters and are for administrative use only. Details aren't
displayed on the device. The current limit is 500 rows per .csv file.
Upload a .csv file that has serial numbers: for serial numbers, create the same two-column, header-less list, and
limit the list to 5,000 devices or 5 MB per .csv file.

<ID #1>,<Device #1 Details>
<ID #2>,<Device #2 Details>

This .csv file when viewed in a text editor appears as:

01234567890123,device details
02234567890123,device details
IMPORTANT
Some Android devices have multiple IMEI numbers. Intune only reads one IMEI number per enrolled device. If you import an
IMEI number but it is not the IMEI inventoried by Intune, the device will be classified as a personal device instead of a
company-owned device. If you import multiple IMEI numbers for a device, uninventoried numbers will display Unknown for
enrollment status.
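As an added example (not from this page or from Microsoft), here is a small Python check that can be run on a corporate-identifier .csv before uploading it. It applies the format rules stated above (no header, two columns, one ID type per file, 128-character details, row limits) and, for IMEI files, also verifies the 15-digit Luhn check digit defined in 3GPP TS 23.003, which catches the mistyped numbers that otherwise leave a device classified as personal or showing Unknown. The check-digit and duplicate tests, the alphanumeric rule for serial numbers, and the sample identifiers are assumptions of the example, not documented Intune behaviour.

```python
import csv
import io

# Limits as this page states them: details up to 128 characters, 500 rows per
# file, 5,000 rows for a serial-number list (the 5 MB cap is not checked here).
MAX_DETAILS_LEN = 128
MAX_ROWS = {"IMEI": 500, "Serial": 5000}


def imei_check_digit_ok(imei: str) -> bool:
    """True if `imei` is 15 digits whose last digit is the Luhn check digit
    defined in 3GPP TS 23.003 (Annex B) over the first 14 digits."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    # Luhn: walk the 14 identity digits from the right, doubling every other one,
    # starting with the digit next to the check digit.
    for i, ch in enumerate(reversed(imei[:14])):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (total + int(imei[14])) % 10 == 0


def validate_identifier_csv(text: str, id_type: str) -> list:
    """Return a list of problems found in an Intune corporate-identifier .csv
    (an empty list means the file is clean). `id_type` is "IMEI" or "Serial",
    matching the identifier type you select on the Add Identifiers blade.

    Checks taken from this page: no header row, exactly two columns, one ID type
    per file, details <= 128 characters, row limit. Verifying the IMEI check
    digit and rejecting duplicates is added strictness (assumption): Intune does
    not document doing either, but a mistyped IMEI never matches the inventoried
    one, so the device silently stays classified as personal.
    """
    if id_type not in MAX_ROWS:
        raise ValueError("id_type must be 'IMEI' or 'Serial'")
    rows = [r for r in csv.reader(io.StringIO(text)) if r and any(c.strip() for c in r)]
    problems = []
    if len(rows) > MAX_ROWS[id_type]:
        problems.append(f"{len(rows)} rows exceeds the {MAX_ROWS[id_type]}-row limit for {id_type} files")
    seen = set()
    for n, row in enumerate(rows, start=1):
        if len(row) != 2:
            problems.append(f"row {n}: expected 2 columns, found {len(row)}")
            continue
        ident, details = row[0].strip(), row[1].strip()
        if n == 1 and ident.lower() in {"imei", "serial", "serial number", "id"}:
            problems.append("row 1: looks like a header row; the file must not have one")
            continue
        if id_type == "IMEI" and not imei_check_digit_ok(ident):
            problems.append(f"row {n}: {ident!r} is not a 15-digit IMEI with a valid check digit")
        if id_type == "Serial" and not ident.isalnum():
            problems.append(f"row {n}: {ident!r} is not an alphanumeric serial number")
        if len(details) > MAX_DETAILS_LEN:
            problems.append(f"row {n}: details are {len(details)} characters, limit is {MAX_DETAILS_LEN}")
        if ident in seen:
            problems.append(f"row {n}: duplicate identifier {ident!r}")
        seen.add(ident)
    return problems


# Constructed sample files (not real device identifiers). The IMEIs in the first
# file have valid check digits; the second file has a header row, a 14-digit
# value, and a bad check digit, the mistakes that most often produce devices
# that stay 'personal' or show Unknown after import.
GOOD_IMEI_CSV = (
    "490154203237518,Warehouse scanner 12\n"
    "356938035643809,Warehouse scanner 13\n"
)
BAD_IMEI_CSV = (
    "IMEI,Details\n"
    "01234567890123,device details\n"
    "490154203237519,Warehouse scanner 14\n"
)

if __name__ == "__main__":
    for name, data in (("good", GOOD_IMEI_CSV), ("bad", BAD_IMEI_CSV)):
        print(name, validate_identifier_csv(data, "IMEI") or "OK")
```

Run it against the real file before uploading; an empty result means the file matches the format Intune expects, while each reported row points at an identifier that would be imported but never match a device.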

To add a .csv list of corporate identifiers


1. In the Intune portal, choose Device enrollment > Enrollment Restrictions, choose Corporate Device
Identifiers, and then click Add.
2. In the Add Identifiers blade, specify the identifier type, IMEI or Serial. You can specify whether previously
imported numbers should Overwrite details for existing identifiers.
3. Click the folder icon and specify the path to the list you want to import. Navigate to the .csv file, and select
Add. You can click Refresh to see new device identifiers.
Once imported, these devices might or might not be enrolled, and can have a state of either Enrolled or Not
contacted. Not contacted means that the device has never communicated with the Intune service.

Delete corporate identifiers


1. In the Intune portal, choose Device enrollment > Enrollment Restrictions, choose Corporate Device
Identifiers, and choose Delete.
2. In the Delete Identifiers blade, browse to the .csv file of device IDs to delete, and then click Delete.

IMEI specifications
For detailed specifications about International Mobile Equipment Identities, see 3GPP TS 23.003.
Enroll devices using device enrollment manager
6/19/2017

APPLIES TO: INTUNE ON AZURE


Organizations can use Intune to manage large numbers of mobile devices with a single user account. The device
enrollment manager (DEM) account is a special user account that can enroll up to 1,000 devices. You add existing
users to the DEM account to give them the special DEM capabilities. Each enrolled device uses a single license. We
recommend that you use devices enrolled through this account as shared devices rather than personal ("BYOD")
devices.
Users must exist in the Azure portal to be added as device enrollment managers. For optimal security, the DEM
user should not also be an Intune admin.

NOTE
The DEM enrollment method can't be used with these other enrollment methods: Apple Configurator with Setup Assistant,
Apple Configurator with direct enrollment, Apple School Manager (ASM), or Device Enrollment Program (DEP).

Example of a device enrollment manager scenario


A restaurant wants to provide 50 point-of-sale tablets for its wait staff, and order monitors for its kitchen staff. The
employees never need to access company data or sign in as users. The Intune admin creates a device enrollment
manager account and adds a restaurant supervisor to the DEM account, in effect giving that supervisor DEM
capabilities. The supervisor can now enroll the 50 tablets by using the DEM credentials.
Only users in the Intune console can be device enrollment managers. The device enrollment manager user cannot
be an Intune admin.
The DEM user can:
Enroll up to 1000 devices in Intune.
Sign in to the Company Portal to get company apps.
Configure access to company data by deploying role-specific apps to the tablets.

Limitations of devices that are enrolled with a DEM account


Devices that are enrolled with a device enrollment manager account have the following limitations:
No per-user access. Because devices don't have an assigned user, the devices have no email or company data
access. VPN configurations, for example, could still be used to provide device apps with access to data.
No conditional access because these scenarios are per-user.
The DEM user can't unenroll DEM-enrolled devices on the device itself by using the Company Portal. The Intune
admin can do this, but the DEM user cannot.
Only the local device appears in the Company Portal app or website.
Users can't use Apple Volume Purchase Program (VPP) apps because of per-user Apple ID requirements for
app management.
(iOS only) If you use DEM to enroll iOS devices, you can't use the Apple Configurator, Apple Device Enrollment
Program (DEP), or Apple School Manager (ASM) to enroll devices.
Each device requires a device license. Learn more about user and device licenses.

NOTE
To deploy company apps to devices that are managed by the device enrollment manager, deploy the Company Portal app
as a Required Install to the device enrollment manager's user account. To improve performance, viewing the Company
Portal app on a DEM device shows only the local device. Remote management of other DEM devices can only be done from
the Intune admin console.

Add a device enrollment manager


1. In the Azure portal, choose More Services > Monitoring + Management > Intune.
2. On the Intune blade, choose Enroll devices, and then choose Device Enrollment Managers.
3. Select Add.
4. On the Add User blade, enter a user principal name for the DEM user, and select Add. The DEM user is
added to the list of DEM users.

Permissions for DEM


Global administrator or Intune Service administrator Azure AD roles are required to perform DEM enrollment tasks.
These roles are also required to see all DEM users, even though RBAC permissions for Device Enrollment Managers
are listed and available under the custom User role. A user who does not have the Global administrator or Intune
Service administrator role, but who has read permission for Device Enrollment Managers, can only see the DEM
users they created. RBAC role support for these features will be announced in the future.

Remove a device enrollment manager


Removing a device enrollment manager does not affect enrolled devices. When a device enrollment manager is
removed:
Enrolled devices are unaffected and continue to be fully managed.
The removed device enrollment manager's account credentials remain valid.
The removed device enrollment manager still cannot wipe or retire devices.
The removed device enrollment manager can only enroll devices up to the per-user limit configured by the
Intune admin.
Because the account itself stays valid, removing a DEM only lowers its enrollment limit. If the account should no
longer be able to enroll devices at all, also disable it or reset its password in Azure AD.
To remove a device enrollment manager
1. In the Azure portal, choose More Services > Monitoring + Management > Intune.
2. On the Intune blade, choose Enroll devices, and then choose Device Enrollment Managers.
3. On the Device Enrollment Managers blade, right-click the DEM user, and select Remove.

View the properties of a device enrollment manager


1. In the Intune portal, choose Device enrollment, and then choose Device Enrollment Managers.
2. On the Device Enrollment Managers blade, right-click the DEM user, and select Properties.
Map device groups
6/19/2017

APPLIES TO: INTUNE ON AZURE


Use Microsoft Intune device categories to automatically add devices to groups based on categories that you define,
in order to make it easier for you to manage those devices.
Device categories use the following workflow:
1. Create categories that users will choose from when they enroll their device
2. When end users of iOS and Android devices enroll their device, they must choose a category from the list of
categories you configured. To assign a category to a Windows device, end users must use the Company Portal
website (see After you configure device groups in this topic for more details).
3. You can then deploy policies and apps to these groups.
You can create any device categories you want, for example:
Point of sale device
Demonstration device
Sales
Accounting
Manager

How to configure device categories


Step 1 - Create device categories in the Intune blade of the Azure portal
1. In the Azure portal, choose More Services > Monitoring + Management > Intune.
2. On the Intune blade, choose Enroll devices.
3. In the Enrollment blade, choose Device Categories.
4. On the Device Categories page, choose Create to add a new category.
5. In the next blade, enter a Name for the new category, and an optional Description.
6. When you are done, click Create. You'll see the category you just created in the list of categories.
You'll use the device category name when you create Azure Active Directory security groups in step 2.
Step 2 - Create Azure Active Directory security groups
In this step, you'll create dynamic groups in the Azure portal based on the device category and device category
name.
To continue, refer to the topic Using attributes to create advanced rules in the Azure Active Directory
documentation.
Use the information in this section to create a device group with an advanced rule using the deviceCategory
attribute, for example (device.deviceCategory -eq "<category name>"), where <category name> is the name you gave
the category in step 1.
After you configure device groups, and users enroll their device, they are presented with a list of the categories you
configured. After they choose a category and finish enrollment, their device is added to the Azure Active Directory
security group that corresponds with the category they chose.
How to view the categories of devices you manage
1. In the Azure portal, choose More Services > Monitoring + Management > Intune.
2. In the Intune blade of the Azure portal, choose Devices and Groups.
3. Under Manage, click All devices.
4. In the list of devices, examine the Category column.
If the Category column isn't displayed, click Columns, choose Category from the list, and then click Apply.
To change the category of a device
1. In the Azure portal, choose More Services > Monitoring + Management > Intune.
2. On the Intune blade, choose Devices & Groups.
3. On the Devices and Groups blade, choose Manage > All devices.
4. In the list of devices, choose the device you want, then, on the device properties blade, choose Manage >
Properties.
5. On the next blade, you can change the Device category of the selected device to any of the category names
you previously configured.

After you configure device groups


When end users of iOS and Android devices enroll their device, they must choose a category from the list of
categories you configured. After they choose a category and finish enrollment, their device is added to the Azure
Active Directory security group that corresponds with the category they chose.
To assign a category to a Windows device, end users must use the Company Portal website
(portal.manage.microsoft.com) after enrolling the device. On a Windows device, access the website and go to Menu
> My Devices. Choose an enrolled device listed on the page, then select a category.
After choosing a category, the device is automatically added to the corresponding group you created. If a device is
already enrolled before you configure categories, the end user will see a notification about the device on the
Company Portal website, and will be asked to select a category the next time they access the Company Portal app
on iOS or Android.

Further information
You can edit a device category in the Azure Portal, but if you do this, you must manually update any Azure
Active Directory Security groups that reference this category.
If you delete a category, any devices that were assigned to it will subsequently display the category name
Unassigned.
Enroll Windows devices
6/22/2017

APPLIES TO: INTUNE ON AZURE


This topic helps IT administrators simplify Windows enrollment for their users. Windows devices can be enrolled
without any additional steps, but you can make enrollment easier for users.
Devices that run the Windows 10 Creators Update, and are Azure Active Directory domain-joined, are now
supported for multi-user management by Intune. This means that when different standard users log onto the
device with their Azure AD credentials, they will receive any apps and policies that were assigned to their user
name. Users cannot currently use the Company Portal for self-service scenarios like installing apps.
Two factors determine how you can simplify Windows device enrollment:
Do you use Azure Active Directory Premium?
Azure AD Premium is included with Enterprise Mobility + Security and other licensing plans.
What versions of Windows clients will enroll?
Windows 10 devices can automatically enroll by adding a work or school account. Earlier versions must enroll
using the Company Portal app.

                           AZURE AD PREMIUM        OTHER AD
Windows 10                 Automatic enrollment    User enrollment
Earlier Windows versions   User enrollment         User enrollment

Enable Windows 10 automatic enrollment


Automatic enrollment lets users enroll their Windows 10 devices in Intune when adding their work account to their
personally-owned devices or joining their corporate-owned devices to your Azure Active Directory. In the
background, the user's device registers and joins Azure Active Directory. Once registered, the device is managed
with Intune.
Prerequisites
Azure Active Directory Premium subscription (trial subscription)
Microsoft Intune subscription
Configure automatic MDM enrollment
1. Sign in to the Azure management portal (https://manage.windowsazure.com), and select Azure Active
Directory.
2. Select Mobility (MDM and MAM).

3. Select Microsoft Intune.


4. Configure MDM User scope. Specify which users' devices should be managed by Microsoft Intune. These
users' Windows 10 devices will be automatically enrolled for management with Microsoft Intune.
None
Some
All

5. Use the default values for the following URLs:


MDM Terms of use URL
MDM Discovery URL
MDM Compliance URL

IMPORTANT
If a user is a member of a group that has both automatic MDM enrollment and MAM enabled, and the user
tries to workplace join their personal device, then only MAM is enabled.

6. Select Save.
By default, two-factor authentication is not enabled for the service. However, two-factor authentication is
recommended when registering a device. Before requiring two-factor authentication for this service, you must
configure a two-factor authentication provider in Azure Active Directory and configure your user accounts for
multi-factor authentication. See Getting started with the Azure Multi-Factor Authentication Server.

Enable Windows enrollment without Azure AD Premium


You can let users enroll their devices without Azure AD Premium automatic enrollment. Once you assign licenses,
users can enroll after adding their work account to their personally-owned devices or joining their corporate-
owned devices to your Azure AD. Creating a DNS alias (CNAME record type) makes it easier for users to enroll their
devices. If you create DNS CNAME resource records, users connect and enroll in Intune without having to enter the
Intune server name.
Step 1: Create CNAME (optional)
Create CNAME DNS resource records for your company's domain. For example, if your company's website is
contoso.com, you would create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to
enterpriseenrollment-s.manage.microsoft.com.
Although creating CNAME DNS entries is optional, CNAME records make enrollment easier for users. If no
enrollment CNAME record is found, users are prompted to manually enter the MDM server name,
enrollment.manage.microsoft.com.

TYPE    HOST NAME                                 POINTS TO                                      TTL
CNAME   EnterpriseEnrollment.company_domain.com   EnterpriseEnrollment-s.manage.microsoft.com    1 hour

If you have more than one UPN suffix, you need to create one CNAME for each domain name and point each one
to EnterpriseEnrollment-s.manage.microsoft.com. For example, if users at Contoso use user@contoso.com, but
also use user@us.contoso.com and user@eu.contoso.com as their email/UPN, the Contoso DNS admin would
need to create the following CNAMEs.

TYPE    HOST NAME                              POINTS TO                                      TTL
CNAME   EnterpriseEnrollment.contoso.com       EnterpriseEnrollment-s.manage.microsoft.com    1 hour
CNAME   EnterpriseEnrollment.us.contoso.com    EnterpriseEnrollment-s.manage.microsoft.com    1 hour
CNAME   EnterpriseEnrollment.eu.contoso.com    EnterpriseEnrollment-s.manage.microsoft.com    1 hour

EnterpriseEnrollment-s.manage.microsoft.com supports a redirect to the Intune service with domain recognition
from the email's domain name.
Changes to DNS records might take up to 72 hours to propagate. You cannot verify the DNS change in Intune until
the DNS record propagates.
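As an added example, not from this page or from Microsoft, the following Python audit derives the required enrollment CNAMEs from your users' UPN suffixes and compares them with what DNS currently answers. The observed records are passed in as a constructed dictionary (in practice fill it from nslookup -type=cname or your DNS provider's zone export); the sample UPNs and zone data are made up for the example. It flags a missing record and a record that points at the manual-entry server name (enrollment.manage.microsoft.com) instead of the CNAME target, a common mix-up between the two names given above, and it ignores case and a trailing dot.

```python
# Target this page gives for every enrollment CNAME (no scheme, no trailing dot).
ENROLLMENT_TARGET = "enterpriseenrollment-s.manage.microsoft.com"


def upn_suffixes(upns):
    """Distinct, lower-cased domain parts of a list of user principal names."""
    return sorted({u.rsplit("@", 1)[1].lower() for u in upns if "@" in u})


def required_enrollment_cnames(upns):
    """One CNAME per UPN suffix: enterpriseenrollment.<suffix> -> ENROLLMENT_TARGET."""
    return {f"enterpriseenrollment.{s}": ENROLLMENT_TARGET for s in upn_suffixes(upns)}


def audit_enrollment_cnames(upns, observed):
    """Compare the required records with `observed`, a {host: cname target} mapping
    of what DNS currently answers (the caller fills it, e.g. from nslookup -type=cname).
    Returns a list of findings; an empty list means every suffix is covered correctly.
    Host names and targets are compared case-insensitively and without a trailing dot."""
    findings = []
    observed = {h.lower().rstrip("."): t.lower().rstrip(".") for h, t in observed.items()}
    for host, target in required_enrollment_cnames(upns).items():
        actual = observed.get(host)
        if actual is None:
            findings.append(f"missing: {host} CNAME {target}")
        elif actual != target:
            findings.append(f"wrong target: {host} -> {actual} (expected {target})")
    return findings


# Constructed sample data: the three Contoso UPN suffixes from this page, and a zone
# where eu.contoso.com was never added and us.contoso.com points at the manual-entry
# server name instead of the CNAME target.
SAMPLE_UPNS = ["user@contoso.com", "user2@us.contoso.com", "user3@eu.contoso.com"]
SAMPLE_ZONE = {
    "EnterpriseEnrollment.contoso.com": "EnterpriseEnrollment-s.manage.microsoft.com.",
    "EnterpriseEnrollment.us.contoso.com": "enrollment.manage.microsoft.com",
}

if __name__ == "__main__":
    for finding in audit_enrollment_cnames(SAMPLE_UPNS, SAMPLE_ZONE) or ["all enrollment CNAMEs correct"]:
        print(finding)
```

Feed it the full list of UPN suffixes in the tenant rather than a sample; a suffix that is missing here is one whose users will be prompted for the server name, and a record pointing anywhere other than the Microsoft target sends those users' enrollment traffic to a host you did not intend.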
Step 2: Verify CNAME (optional)
In the Azure portal, choose More Services > Monitoring + Management > Intune. On the Intune blade,
choose Enroll devices > Windows Enrollment. Enter the URL of the verified domain of the company website in
the Specify a verified domain name box, and then choose Test Auto-Detection.

Tell users how to enroll Windows devices


Tell your users how to enroll their Windows devices and what to expect after they're brought into management.
For end-user enrollment instructions, see Enroll your Windows device in Intune. You can also tell users What can
my IT admin see on my device.
For more information about end-user tasks, see Resources about the end-user experience with Microsoft Intune.
Bulk enrollment for Windows devices
6/22/2017

APPLIES TO: INTUNE ON AZURE


As an administrator, you can join large numbers of new Windows devices to Azure Active Directory and Intune. To
bulk enroll devices for your Azure AD tenant, you create a provisioning package with the Windows Configuration
Designer (WCD) app. Applying the provisioning package to corporate-owned devices joins the devices to your
Azure AD tenant and enrolls them for Intune management. Once the package is applied, it's ready for your Azure
AD users to log on.
Azure AD users are standard users on these devices and receive assigned Intune policies and required apps. Self-
service and Company Portal scenarios are not supported at this time.

Prerequisites for Windows devices bulk enrollment


Bulk enrollment for Window devices requires the following:
Devices running Windows 10 Creators Update or later
Windows automatic enrollment

Create a provisioning package


1. Download Windows Configuration Designer (WCD) from the Windows Store.
2. Open the Windows Configuration Designer app and select Provision desktop devices.

3. A New project window opens where you specify the following:


Name - A name for your project
Project folder - Where your project will be saved
Description - An optional description of the project

4. Enter a unique name for your devices. Names can include a serial number (%%SERIAL%%) or a random set
of characters. Optionally, you can also enter a product key if you are upgrading the edition of Windows,
configure the device for shared use, and remove pre-installed software.
5. Optionally, you can configure the Wi-Fi network devices connect to when they first start. If this isn't
configured, a wired network connection is required when the device is first started.

6. Select Enroll in Azure AD, enter a Bulk Token Expiry date, and then select Get Bulk Token.

7. Provide your Azure AD credentials to get a bulk token.


8. Click Next when Bulk Token is fetched successfully.
9. Optionally, you can Add applications and Add certificates. These apps and certificates are provisioned on
the device.
10. Optionally, you can password protect your provisioning package. Click Create. The package carries the bulk
token, which lets any device it is applied to join your Azure AD tenant until the expiry date you set in step 6, so
treat the .ppkg file as a credential: set a short expiry, use the password protection, and don't leave copies on
shared USB drives or open network folders.

Provision devices
1. Access the provisioning package in the Project folder you specified in the app.
2. Choose how you're going to apply the provisioning package to the device. A provisioning package can be
applied to a device in one of the following ways:
Place the provisioning package on a USB drive, insert the USB drive into the device you'd like to bulk
enroll, and apply it during initial setup
Place the provisioning package on a network folder, and apply it on the device you'd like to bulk
enroll after initial setup
For step-by-step instruction on applying a provisioning package, see Apply a provisioning package.
3. After you apply the package, the device will automatically restart in 1 minute.
4. When the device restarts, it connects to the Azure Active Directory and enrolls in Microsoft Intune.

Troubleshooting Windows bulk enrollment


Provisioning issues
Provisioning is intended to be used on new Windows devices. Provisioning failures might require a factory reset of
the device or device recovery from a boot image. These examples describe some reasons for provisioning failures:
A provisioning package that attempts to join an Active Directory domain or Azure Active Directory tenant that
does not create a local account could make the device unreachable if the domain-join process fails due to lack of
network connectivity.
Scripts run by the provisioning package are run in system context, and are able to make arbitrary changes to the
device file system and configurations. A malicious or bad script could put the device in a state that can only be
recovered by reimaging or factory resetting the device.
Problems with bulk enrollment and Company Portal
If a user tries to enroll a previously bulk-enrolled device using the Company Portal, they will receive a warning that
their device needs further actions, either setup or enrollment. The device is enrolled, but the enrollment is not
recognized by the Company Portal app or website.
Conditional access
Conditional access is not available for Windows devices enrolled using bulk enrollment.
Enroll Android devices
6/29/2017

APPLIES TO: INTUNE ON AZURE


As an Intune administrator, you can use Intune to manage Android devices, including Samsung Knox Standard
devices. You can also manage the work profile on Android for Work devices.
Devices that run Samsung Knox Standard are supported for multi-user management by Intune. This means that
end users can sign in and out of the device with their Azure AD credentials, and the device is centrally managed
whether it's in use or not. When end users sign in, they have access to apps and additionally get any policies
applied to them. When users sign out, all app data is cleared.

Prerequisite
You must set the MDM authority to Microsoft Intune to prepare to manage mobile devices. See Set the MDM
authority for instructions. You set this item only once, when you are first setting up Intune for mobile device
management.

Set up Android enrollment


By default, Intune allows enrollment of Android and Samsung Knox Standard devices.
To block Android devices, or to block only personally owned Android devices from enrollment, see Set device type
restrictions.
To enable device management, your users must enroll their devices by downloading the Intune Company Portal
app, which is available from Google Play, and then opening the app and following the prompts to enroll. Once
Android devices are managed, you assign compliance policies, manage apps, and more.

Enable enrollment of Android for Work devices


To enable management of the work profile on devices that support Android for Work, you must add an Android
for Work binding to Intune. To enroll devices that support Android for Work but were previously enrolled as
regular Android devices, the devices must be unenrolled and then re-enrolled.

Add Android for Work Binding for Intune


1. Set up Intune MDM
If you haven't already, prepare for mobile device management by setting the mobile device management
authority as Microsoft Intune.
2. Configure Android for Work binding
As an Intune administrator, in the Azure portal, choose More Services > Monitoring + Management >
Intune.
a. On the Intune blade, choose Device enrollment > Android for Work Enrollment, and click
Configure to open Google Play's Android for Work website. This will open in a new tab in your
browser.

b. Log in to Google
On Google's sign-in page, enter the Google account that will be associated with all Android for Work
management tasks for this tenant. This is the Google account shared among your organization's IT
admins that is used to manage and publish apps in the Play for Work console.
c. Provide organization details
Provide your company's name for the Organization name. For Enterprise mobility management
(EMM) provider, Microsoft Intune should be displayed. Agree to the Android for Work agreement,
and then click Confirm. Your request will be processed.

Specify Android for Work Enrollment Settings


Android for Work is only supported on certain Android devices. See Google's Android for Work requirements. Any
device that supports Android for Work will also support conventional Android management. Intune lets you
specify how devices that support Android for Work should be managed:
Manage all devices as Android - All Android devices, including devices that support Android for Work, will
be enrolled as conventional Android devices.
Manage supported devices as Android for Work - All devices that support Android for Work are enrolled as
Android for Work devices. Any Android device that does not support Android for Work is enrolled as a
conventional Android device.
Manage supported devices for users only in these user groups as Android for Work - Lets you target
Android for Work management to a limited set of users. Only members of the selected groups who enroll a
device that supports Android for Work are enrolled as Android for Work devices. All others are enrolled as
Android devices. This is useful during Android for Work pilots.

Tell your users how to enroll their devices to access company resources
You'll need to tell your end users to go to Google Play to download the Intune Company Portal app, and then open
the app and follow the prompts to enroll their device. The app guides users through the enrollment process,
explaining what users can expect and what IT administrators can and can't see on their devices.
You can also send them a link to online enrollment steps: Enroll your Android device in Intune.
For information about other end-user tasks, see these articles:
Resources about the end-user experience with Microsoft Intune
Using your Android device with Intune

Unbinding your Android for Work administrative account


You can turn off Android for Work enrollment and management. Clicking Unbind in the Intune administration
console removes all enrolled Android for Work devices from enrollment and removes the relationship between the
Android for Work account and Intune.
How to unbind an Android for Work account
1. Unbind Android for Work binding
As an Intune administrator, in the Azure portal, choose More Services > Monitoring + Management >
Intune. On the Intune blade, choose Device enrollment > Android for Work Enrollment, and click
Unbind.
2. Agree to delete Android for Work binding
Click Yes to delete the binding and unenroll all Android for Work devices from Intune.
Set up iOS device enrollment with Device Enrollment
Program
6/19/2017 8 min to read

APPLIES TO: INTUNE ON AZURE

This topic helps IT administrators enable iOS device enrollment for devices purchased through Apple's Device
Enrollment Program (DEP). Microsoft Intune can deploy an enrollment profile over the air that enrolls DEP devices
into management, so the administrator never has to touch each managed device. The enrollment profile contains
management settings that are applied to devices during enrollment, including Setup Assistant options.

NOTE
DEP enrollment can't be used with the device enrollment manager.

DEP Enrollment steps


1. Get an Apple DEP token and assign devices
2. Create an enrollment profile
3. Synchronize DEP-managed devices
4. Assign DEP profile to devices
5. Distribute devices to users

Get the Apple DEP token


Before you can enroll corporate-owned iOS devices with Apple's Device Enrollment Program (DEP), you need a
DEP token (.p7m) file from Apple. This token lets Intune sync information about DEP-participating devices that
your corporation owns. It also permits Intune to perform enrollment profile uploads to Apple and to assign
devices to those profiles.

NOTE
If your Intune tenant was migrated from the Intune classic console to the Azure portal and you deleted an Apple DEP token
from the Intune administration console during the migration period, the DEP token might have been restored to your
Intune account. You can delete the DEP token again from the Azure portal.

Prerequisites
Apple MDM Push certificate
Signed up for Apple's Device Enrollment Program
Step 1. Download an Intune public key certificate required to create an Apple DEP token.
1. In the Intune portal, choose Device enrollment, then choose Apple enrollment, and then choose Enrollment
Program Profile.
2. Select Download your public key to download and save the encryption key (.pem) file locally. The .pem file is
used to request a trust-relationship certificate from the Apple Device Enrollment Program portal.
Step 2. Create and download an Apple DEP token.
Select Create a DEP token via Apple Deployment Programs, and sign in with your company Apple ID. You can use
this Apple ID to renew your DEP token.
1. In Apple's Device Enrollment Program Portal, go to Device Programs > Manage Servers, and then choose
Add MDM Server.
2. Enter the MDM Server Name, and then choose Next. The server name is for your reference to identify the
mobile device management (MDM) server. It is not the name or URL of the Microsoft Intune server.
3. The Add <ServerName> dialog box opens. Choose Choose File to upload the .pem file, and then choose
Next.
4. The Add <ServerName> dialog box shows a Your Server Token link. Download the server token (.p7m) file
to your computer, and then choose Done.
5. Go to Deployment Programs > Device Enrollment Program > Manage Devices.
6. Specify how you will Choose Devices By, and then provide device information and specify details by device
Serial Number, Order Number, or Upload CSV File.
7. Choose Assign to Server and choose the <ServerName> specified for Microsoft Intune, and then choose OK.
Step 3. Enter the Apple ID used to create your Apple DEP token.
This ID can be used in the future to renew your Apple DEP token.
Step 4. Browse to your Apple DEP token to upload.
Go to the certificate (.pem) file, choose Open, and then choose Upload. With the push certificate, Intune can
enroll and manage iOS devices by pushing policy to enrolled mobile devices. Intune will automatically
synchronize with your DEP account.

Create an Apple enrollment profile


A device enrollment profile defines the settings applied to a group of devices during enrollment.
1. In the Intune portal, choose Device enrollment, and then choose Apple Enrollment.
2. Under Enrollment Program, select Enrollment Program Profiles.
3. On the Enrollment Program Profiles blade, select Create.
4. On the Create Enrollment Profile blade, enter a name and description for the profile.
5. For User Affinity choose whether devices with this profile will enroll with or without user affinity.
Enroll with user affinity - The device must be affiliated with a user during initial setup and can
then be permitted to access company data and email. Choose user affinity for DEP-managed devices
that belong to users and that need to use the company portal for services like installing apps. Note
that Multifactor authentication (MFA) doesn't work during enrollment on DEP devices with user
affinity. After enrollment, MFA works as expected on these devices. New users who are required to
change their password when they first sign in cannot be prompted during enrollment on DEP
devices. Additionally, users whose passwords have expired won't be prompted to reset their
password during DEP enrollment and must reset the password from a different device.

NOTE
DEP with user affinity requires WS-Trust 1.3 Username/Mixed endpoint to be enabled to request user token.
Learn more about WS-Trust 1.3.

Enroll without user affinity - The device is not affiliated with a user. Use this affiliation for devices
that perform tasks without accessing local user data. Apps requiring user affiliation (including the
Company Portal app used for installing line-of-business apps) won't work.
6. Select Device Management Settings, configure the following profile settings, and then select Save:
Supervised - a management mode that enables more management options and disables Activation
Lock by default. If you leave the check box blank, you have limited management capabilities.
Locked enrollment - (Requires Management Mode = Supervised) Disables iOS settings that could
allow removal of the management profile. If you leave the check box blank, it allows the
management profile to be removed from the Settings menu. This item is set during activation and
cannot be changed without a factory reset.
Allow Pairing - specifies whether iOS devices can sync with computers. If you choose Allow Apple
Configurator by certificate, you must choose a certificate under Apple Configurator
Certificates.
Apple Configurator Certificates - If you chose Allow Apple Configurator by certificate under
Allow Pairing, select an Apple Configurator Certificate to import.
7. Select Setup Assistant Settings, configure the following profile settings, and then select Save:
Department Name - Appears when users tap About Configuration during activation.
Department Phone - Appears when the user clicks the Need Help button during activation.
Setup Assistant Options - These optional settings can be set up later in the iOS Settings menu.
Passcode - Prompt for passcode during activation. Always require a passcode unless the device
will be secured or have access controlled in some other manner (that is, kiosk mode that restricts
the device to one app).
Location Services - If enabled, Setup Assistant prompts for the service during activation
Restore - If enabled, Setup Assistant prompts for iCloud backup during activation
Apple ID - If enabled, iOS will prompt users for an Apple ID when Intune attempts to install an
app without an ID. An Apple ID is required to download iOS App Store apps, including those
installed by Intune.
Terms and Conditions - If enabled, Setup Assistant prompts users to accept Apple's terms and
conditions during activation
Touch ID - If enabled, Setup Assistant prompts for this service during activation
Apple Pay - If enabled, Setup Assistant prompts for this service during activation
Zoom - If enabled, Setup Assistant prompts for this service during activation
Siri - If enabled, Setup Assistant prompts for this service during activation
Diagnostic Data - If enabled, Setup Assistant prompts for this service during activation
8. To save the profile settings, select Create on the Create Enrollment Profile blade.

Sync DEP managed devices


Now that Intune has been assigned permission to manage your DEP devices, you can synchronize Intune with the
DEP service to see your managed devices in the Intune portal.
1. In the Intune portal, choose Device enrollment, and then choose Apple Enrollment.
2. Under Manage Enrollment Program Settings, select Serial Numbers.
3. On the Apple DEP Serial Numbers blade, select Sync.
4. On the Sync blade, select Request Sync. The progress bar shows the amount of time you must wait before
requesting Sync again.
To comply with Apple's terms for acceptable DEP traffic, Intune imposes the following restrictions:
A full DEP sync can run no more than once every seven days. During a full sync, Intune refreshes every
serial number that Apple has assigned to Intune whether the serial has previously been synced or not. If
a full sync is attempted within seven days of the previous full sync, Intune only refreshes serial numbers
that are not already listed in Intune.
Any sync request is given 10 minutes to finish. During this time or until the request succeeds, the Sync
button is disabled.

NOTE
You can also assign DEP serial numbers to profiles from the Apple DEP Serial Numbers blade.

Assign a DEP profile to devices


DEP devices managed by Intune must be assigned a DEP profile before they are enrolled.
1. In the Intune portal, choose Device enrollment > Apple Enrollment, and then select Enrollment Program
Profiles.
2. From the list of Enrollment Program Profiles, select the profile you want to assign to devices and then select
Device Assignments
3. Select Assign and then select the DEP devices you want to assign this profile. You can filter to view DEP
available devices:
unassigned
any
<DEP profile name>
4. Select the devices you want to assign. The checkbox above the column will select up to 1000 listed devices,
and then click Assign. To enroll more than 1000 devices, repeat the assignment steps until all devices are
assigned a DEP profile.

Distribute devices to users


You can now distribute corporate-owned devices to users. When an iOS DEP device is turned on, it will be
enrolled for management by Intune. If the device has been activated and is in use, the profile cannot be applied
until the device is factory reset.
How users install and use the Company Portal on their devices
Devices that are configured with user affinity can install and run the Company Portal app to download apps and
manage devices. After users receive their devices, they must complete the additional steps described below to
complete the Setup Assistant and install the Company Portal app.
Enable iOS device enrollment with Apple School
Manager
6/19/2017 8 min to read

APPLIES TO: INTUNE ON AZURE

This topic helps IT administrators enable iOS device enrollment for devices purchased through the Apple School
Manager (ASM) program. Microsoft Intune can deploy an enrollment profile over the air that enrolls ASM devices
into management. The administrator never has to touch each managed device. An ASM profile contains
management settings that are applied to devices during enrollment including Setup Assistant options.
ASM Enrollment steps
1. Get an ASM token and assign devices
2. Create an enrollment profile
3. Connect School Data Sync (Optional)
4. Sync ASM-managed devices
5. Assign ASM profile to devices
6. Distribute devices to users

NOTE
ASM enrollment can't be used with Apple's Device Enrollment Program (DEP) or Intune's device enrollment manager account.

Get the Apple ASM token and assign devices


Before you can enroll corporate-owned iOS devices with Apple School Manager (ASM), you need an ASM token
(.p7m) file from Apple. This token lets Intune sync information about ASM-participating devices. It also permits
Intune to perform enrollment profile uploads to Apple and to assign devices to those profiles. While you are in the
Apple portal, you can also assign device serial numbers to manage.
Prerequisites
Apple MDM Push certificate
Signed up for Apple School Management
Step 1. Download an Intune public key certificate required to create an Apple ASM token.
1. In the Azure Intune portal, choose Device enrollment and then select Enrollment program token.
2. In the Enrollment program token blade, select Download your public key to download and save the
encryption key (.pem) file locally. The .pem file is used to request a trust-relationship certificate from the Apple
School Manager portal.
Step 2. Download an ASM token and assign devices.
Select Create a token via Apple School Manager, and sign in with your company Apple ID. You can use this
Apple ID to renew your ASM token.
1. In the Apple School Manager portal, go to MDM Servers, and then select Add MDM Server (upper right).
2. Enter the MDM Server Name. The server name is for your reference to identify the mobile device management
(MDM) server. It is not the name or URL of the Microsoft Intune server.
3. Select Upload File... in the Apple portal, browse to the .pem file, and select Save MDM Server (lower right).
4. Select Get Token and then download the server token (.p7m) file to your computer.
5. Go to Device Assignments, and Choose Device by manual entry of Serial Numbers, Order Number, or
Upload CSV File.
6. Choose the action Assign to Server, and select the MDM Server you created.
7. Specify how you will Choose Devices, and then provide device information and specify details by device Serial
Number, Order Number, or Upload CSV File.
8. Choose Assign to Server and choose the <ServerName> specified for Microsoft Intune, and then choose OK.
Step 3. Enter the Apple ID used to create your ASM token.
This ID should be used to renew your Apple ASM token and is stored for your future reference.
Step 4. Locate and upload your token.
Go to the certificate (.p7m) file, choose Open, and then choose Upload. Intune automatically syncs your ASM
devices from Apple.

Create an Apple enrollment profile


A device enrollment profile defines the settings applied to a group of devices during enrollment.
1. In the Intune portal, choose Device enrollment, and then choose Apple Enrollment.
2. Under Enrollment Program, select Enrollment Program Profiles.
3. On the Enrollment Program Profiles blade, select Create.
4. On the Create Enrollment Profile blade, enter a Name and Description for the profile that is displayed in the
Intune portal.
5. For User Affinity, choose whether devices with this profile enroll with or without user affinity.
Enroll with user affinity - The device must be affiliated with a user during initial setup and can then be
permitted to access company data and email. Choose user affinity for ASM-managed devices that users
log in to with their managed Apple ID.

NOTE
Multifactor authentication (MFA) doesn't work during enrollment on ASM devices with user affinity. After enrollment,
MFA works as expected on these devices.

Apple School Manager's Shared iPad mode requires that users enroll with user affinity.

NOTE
ASM with user affinity requires WS-Trust 1.3 Username/Mixed endpoint to be enabled to request user token. Learn
more about WS-Trust 1.3.

Enroll without user affinity - The device is not affiliated with a user. Use this affiliation for devices that
perform tasks without accessing local user data. Apps requiring user affinity (including the Company
Portal app used for installing line-of-business apps) won't work.
6. Select Device Management Settings. These items are set during activation and require a factory reset to
change. Configure the following profile settings, and then select Save:
Supervised - a management mode that enables more management options and disables Activation
Lock by default. If you leave the check box blank, you have limited management capabilities.
Locked enrollment - (Requires Management Mode = Supervised) Disables iOS settings that could
allow removal of the management profile. If you leave the check box blank, it allows the management
profile to be removed from the Settings menu.
Shared iPad - (Requires Enroll with User Affinity and Supervised mode.) Allows multiple users to
logon to enrolled iPads by using a managed Apple ID. Managed Apple IDs are created in the Apple
School Manager portal.

NOTE
If Shared iPad mode is enabled in a profile and either User Affinity or Supervised mode is then set to Off, Shared
iPad mode is disabled for the enrollment profile.

Maximum Cached Users - (Requires Shared iPad = Yes) Creates a partition on the device for each
user. The recommended value is the number of students likely to use the device over a period of time.
For example, if six students use the device regularly during the week, set this number to six.
Allow Pairing - specifies whether iOS devices can sync with computers. If you choose Allow
Apple Configurator by certificate, you must choose a certificate under Apple
Configurator Certificates.
Apple Configurator Certificates - If you chose Allow Apple Configurator by certificate
under Allow Pairing, select an Apple Configurator Certificate to import.
7. Select Setup Assistant Settings, configure the following profile settings, and then select Save:
Department Name - Appears when users tap About Configuration during activation.
Department Phone - Appears when the user clicks the Need Help button during activation.
Setup Assistant Options - If excluded from Setup Assistant options, these settings can be set later in the
iOS Settings menu.
Passcode - Prompt for passcode during activation. Always require a passcode unless the device is
secured or has access controlled in some other manner (that is, kiosk mode that restricts the
device to one app).
Location Services - If enabled, Setup Assistant prompts for the service during activation
Restore - If enabled, Setup Assistant prompts for iCloud backup during activation
Apple ID - If enabled, iOS prompts users for an Apple ID when Intune attempts to install an app
without an ID. An Apple ID is required to download iOS App Store apps, including apps installed
by Intune.
Terms and Conditions - If enabled, Setup Assistant prompts users to accept Apple's terms and
conditions during activation
Touch ID - If enabled, Setup Assistant prompts for this service during activation
Apple Pay - If enabled, Setup Assistant prompts for this service during activation
Zoom - If enabled, Setup Assistant prompts for this service during activation
Siri - If enabled, Setup Assistant prompts for this service during activation
Diagnostic Data - If enabled, Setup Assistant prompts for this service during activation
8. To save the profile settings, select Create on the Create Enrollment Profile blade.

Connect School Data Sync


(Optional) ASM supports syncing class roster data to Azure Active Directory (AD) using Microsoft School Data
Sync (SDS). Complete the following steps to use SDS to sync school data.
1. On the Enrollment Program Token blade, select either the blue information banner or Connect SDS.
2. Set Allow Microsoft School Data Sync to use this token to Allow. This setting allows Intune to
connect with SDS in Office 365.
3. To enable a connection between ASM and Azure AD, select Set up Microsoft School Data Sync. Learn more
about how to set up School Data Sync.
4. Click OK to save and continue.

Sync ASM-managed devices


Now that Intune has been assigned permission to manage your ASM devices, you can synchronize Intune with the
ASM service to see your managed devices in the Intune portal.
1. In the Intune portal, choose Device enrollment, and then choose Apple Enrollment.
2. Under Enrollment Program Devices, select Sync. The progress bar shows the amount of time you must
wait before requesting Sync again.
To comply with Apple's terms for acceptable ASM traffic, Intune imposes the following restrictions:
A full ASM sync can run no more than once every seven days. During a full sync, Intune refreshes every
serial number that Apple has assigned to Intune whether the serial has previously been synced or not. If a
full sync is attempted within seven days of the previous full sync, Intune only refreshes serial numbers
that are not already listed in Intune.
Any sync request is given 15 minutes to finish. During this time or until the request succeeds, the Sync
button is disabled.

NOTE
You can also assign ASM serial numbers to profiles from the Enrollment Program Devices blade.

Assign an ASM profile to devices


ASM devices managed by Intune must be assigned an ASM profile before they are enrolled.
1. In the Intune portal, choose Device enrollment > Apple Enrollment, and then select Enrollment Program
profiles.
2. From the list of Enrollment Program Profiles, select the profile you want to assign to devices and then select
Device Assignments
3. Select Assign and then select the ASM devices you want to assign this profile. You can filter to view ASM
available devices:
unassigned
any
<ASM profile name>
4. Select the devices you want to assign. The checkbox above the column selects up to 1000 listed devices. Click
Assign. To enroll more than 1000 devices, repeat the assignment steps until all devices are assigned an ASM
profile.

Distribute devices to users


You can now distribute corporate-owned devices to users. When an iOS ASM device is turned on, it is enrolled for
management by Intune. If the device has been activated and is in use, the profile cannot be applied until the device
is factory reset.
How users install and use the Company Portal on their devices
Devices that are configured with user affinity can install and run the Company Portal app to download apps and
manage devices. After users receive their devices, they must run Setup Assistant and install the Company Portal
app.
Enroll iOS devices with Apple Configurator
6/19/2017 9 min to read

APPLIES TO: INTUNE ON AZURE

Intune supports the enrollment of corporate-owned iOS devices using Apple Configurator running on a Mac
computer. Enrolling with Apple Configurator requires that you USB-connect each iOS device to a Mac computer to
set up corporate enrollment. You can enroll devices into Intune with Apple Configurator in two ways:
Setup Assistant enrollment - Factory resets the device, prepares it to run Setup Assistant, and installs the
company's policies for the device's new user. Most scenarios require that the policy applied to the iOS device
include user affinity to enable the Intune Company Portal app.
Direct enrollment - Does not factory-reset the device and enrolls the device with a predefined policy. This
method is for devices with no user affinity.

NOTE
This enrollment method can't be used with the device enrollment manager method.

Other methods of enrolling iOS devices are described in Choose how to enroll iOS devices in Intune.

Prerequisites
Complete the following prerequisites before setting up iOS device enrollment:
An Apple MDM push certificate
Physical access to iOS devices
Device serial numbers (see How to get an iOS serial number)
USB connection cables
Mac PC with Apple Configurator 2.0
Add Apple Configurator serial numbers

Setup Assistant enrollment


Create an Apple Configurator profile for devices
A device enrollment profile defines the settings applied to a group of devices. The following steps show how to
create a device enrollment profile for iOS devices enrolled by using Apple Configurator.
1. In the Intune portal, choose Device enrollment, and then choose Apple Enrollment.
2. Under Manage Apple Configurator Enrollment Settings, select AC Profiles.
3. On the Apple Configurator Enrollment Profiles blade, select Create.
4. On the Create Enrollment Profile blade, enter a name and description for the profile.
5. For User Affinity, choose whether devices with this profile will enroll with or without user affinity.
Enroll with user affinity - The device must be affiliated with a user during initial setup and can then be
permitted to access company data and email. User affinity should be set up for managed devices that
belong to users and that need to use the company portal for services like installing apps.
Enroll without user affinity - The device is not affiliated with a user. Use this affiliation for devices that
perform tasks without accessing local user data. Apps requiring user affiliation (including the Company
Portal app used for installing line-of-business apps) won't work.
6. Select Create to save the profile.
Add Apple Configurator serial numbers

Use these steps to add serial numbers to Intune when you want to enroll corporate-owned iOS devices by using
Apple Configurator with Setup Assistant. You can add serial numbers one at a time, or upload a comma-separated-
value (CSV) file of serial numbers. After you add serial numbers, you can assign a profile to them. The profile
contains specific management settings that you want to apply to devices.
Other methods of enrolling iOS devices are described in Choose how to enroll iOS devices in Intune.
To add Apple Configurator serial numbers to Intune
1. Create a two-column, comma-separated value (.csv) list without a header. Add the device serial number in the
left column, and the details in the right column. The current maximum for the list is 500 rows. In a text
editor, the .csv list looks something like this:
F7TLWCLBX196,device details
DLXQPCWVGHMJ,device details
2. In the Azure portal, choose Enroll devices, and then choose Apple Enrollment.
3. Under Manage Apple Configurator Enrollment Settings, select Apple Configurator Serial Numbers.
4. On the Apple Configurator Serial Numbers blade, select Add.
5. On the Add Serial Numbers blade, select a profile to apply to the serial numbers you're importing. If you are
importing a file with new details that will overwrite the existing ones, select Overwrite details for existing
identifiers to have the new details replace the existing details.
6. Navigate to the .csv file of serial numbers, and select Add.
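The following helper is an added example, not part of the Intune documentation or the product: it checks a serial-number list against the rules given above (two columns, no header, at most 500 rows) before you upload it, also flags duplicate or mistyped serials, and splits a longer list into 500-row files. The serial-number pattern and the sample rows beyond the two from the doc are assumptions constructed for the example.

```python
"""Check an Apple Configurator serial-number CSV before uploading it to Intune.

Rules implemented from the doc: two columns (serial,details), no header row,
at most 500 rows per file. Added checks: duplicate serials, implausible
serials, and splitting a long list into 500-row files.
"""
import csv
import io
import re
from typing import Dict, List, Tuple

MAX_ROWS_PER_FILE = 500  # current per-list maximum stated in the doc

# Assumption: Apple hardware serials are 11 or 12 upper-case letters/digits.
# Intune does not document a pattern; this only catches obvious typos.
SERIAL_RE = re.compile(r"^[A-Z0-9]{11,12}$")
HEADER_WORDS = {"SERIAL", "SERIALNUMBER", "SERIAL NUMBER"}

# Constructed sample input: two valid rows copied from the doc's example,
# plus a lower-case duplicate, a mistyped serial, a quoted details field,
# and a row with a missing column.
SAMPLE_CSV = """F7TLWCLBX196,device details
DLXQPCWVGHMJ,device details
f7tlwclbx196,same device typed in lower case
BADSERIAL,too short to be an Apple serial
C02XYZ123456,"Library iPad, cart 3"
ONLYONECOLUMN
"""


def validate_serial_csv(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Parse a headerless serial,details CSV.

    Returns (rows, problems): rows are (SERIAL, details) tuples that are safe
    to upload; problems are messages naming the offending line so the admin
    can fix the file before the portal rejects it.
    """
    rows: List[Tuple[str, str]] = []
    problems: List[str] = []
    seen: Dict[str, int] = {}
    for lineno, record in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not record or all(not field.strip() for field in record):
            continue  # ignore blank lines
        if len(record) != 2:
            problems.append(f"line {lineno}: expected 2 columns, found {len(record)}")
            continue
        serial, details = record[0].strip().upper(), record[1].strip()
        if lineno == 1 and serial in HEADER_WORDS:
            problems.append("line 1: header row found; the list must not have a header")
            continue
        if not SERIAL_RE.match(serial):
            problems.append(f"line {lineno}: {serial!r} does not look like an Apple serial")
            continue
        if serial in seen:
            problems.append(
                f"line {lineno}: duplicate serial {serial} (first seen on line {seen[serial]})"
            )
            continue
        seen[serial] = lineno
        rows.append((serial, details))
    if len(rows) > MAX_ROWS_PER_FILE:
        problems.append(
            f"{len(rows)} rows exceed the {MAX_ROWS_PER_FILE}-row limit; split the list"
        )
    return rows, problems


def chunk_for_upload(rows: List[Tuple[str, str]], limit: int = MAX_ROWS_PER_FILE) -> List[str]:
    """Serialize rows as one or more headerless CSV documents of at most `limit` rows.

    csv.writer quotes a details field that itself contains a comma, so the
    two-column shape the portal expects is preserved.
    """
    docs: List[str] = []
    for start in range(0, len(rows), limit):
        buf = io.StringIO()
        csv.writer(buf, lineterminator="\n").writerows(rows[start:start + limit])
        docs.append(buf.getvalue())
    return docs


if __name__ == "__main__":
    good_rows, issues = validate_serial_csv(SAMPLE_CSV)
    for issue in issues:
        print("PROBLEM:", issue)
    for index, doc in enumerate(chunk_for_upload(good_rows), start=1):
        print(f"--- upload file {index} ---")
        print(doc, end="")
```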
Assign a profile to specific serial numbers
Intune lets you assign profiles from two different places in the Azure portal. You can assign by Apple Configurator
profile or you can assign by devices.
Assign by devices
1. In the Intune portal, choose Device enrollment, and then choose Apple Enrollment.
2. On the Apple Configurator Devices blade, select the serial numbers you want to assign a profile to, and then
select Assign Profile.
3. On the Assign Profile blade, select the profile you want to assign, and then select Assign.
Assign by profiles
1. In the Intune portal, choose Device enrollment, and then choose Apple Enrollment.
2. Choose AC Profiles, and select the profile to which you want to assign serial numbers.
3. In the blade named for the profile, select Serial Numbers > Assign.
4. Select the serial numbers that you want to assign to the profile, and then select the Assign button.
Export the profile to iOS devices
After you create the profile and assign serial numbers, you have to export the profile from Intune, either as a URL
or as a file in the format described below. You then manually import it to the Apple Configurator program on a
Mac, after which the Apple Configurator program deploys it to the devices.
1. In the Intune portal, on the Apple Configurator Enrollment Profiles blade, choose the profile to export.
2. On the blade for the profile, select Export Profile.
3. Copy the profile URL. You will upload it in Apple Configurator later, with the iOS device attached, to define
the Intune profile used by iOS devices.
4. Upload this profile URL to the Apple service using Apple Configurator to define the Intune profile used by
iOS devices.
a. On a Mac computer, open Apple Configurator 2. In the menu bar, choose Apple Configurator 2, and
then choose Preferences.
b. In the preferences pane, select Servers and choose the plus symbol (+) to launch the MDM Server
wizard. Choose Next.
c. Enter the Host name or URL and enrollment URL for the MDM server under Setup Assistant
enrollment for iOS devices with Microsoft Intune. For the Enrollment URL, enter the enrollment
profile URL exported from Intune. Choose Next.
You can safely disregard a warning stating "server URL is not verified." To continue, choose Next
until the wizard is finished.
d. Connect the iOS mobile devices to the Mac computer with a USB adapter.
WARNING: The devices will be reset to factory configurations during the enrollment process. As a best
practice, reset each device and turn it on. Devices should be at the Hello screen when you start Setup
Assistant.
e. Choose Prepare. On the Prepare iOS Device pane, select Manual and then choose Next.
f. On the Enroll in MDM Server pane, select the server name you created, and then choose Next.
g. On the Supervise Devices pane, select the level of supervision, and then choose Next.
h. On the Create an Organization pane, choose the Organization or create a new organization, and then
choose Next.
i. On the Configure iOS Setup Assistant pane, choose the steps to be presented to the user, and then
choose Prepare. If prompted, authenticate to update trust settings.
j. When the iOS device finishes preparing, disconnect the USB cable.
5. Distribute devices. The devices are now ready for corporate enrollment. Turn off the devices and distribute
them to users. When users turn on their devices, Setup Assistant will start.

Direct enrollment
When you directly enroll iOS devices with Apple Configurator, you can enroll a device without acquiring the
device's serial number. You can also name the device for identification purposes before Intune captures the device
name during enrollment. The Company Portal app is not supported for directly enrolled devices. This guidance
assumes you are using Apple Configurator 2.0 on a Mac computer.
1. In the Intune portal, choose Device enrollment, Apple Enrollment, and then select AC Profiles.
2. On the Apple Configurator Enrollment Profiles blade, select Create.
3. On the Create Enrollment Profile blade, enter a name and description for the profile.
4. For User Affinity choose Enroll without user affinity to ensure that the device is not affiliated with a user.
Use this affiliation for devices that perform tasks without accessing local user data. Apps requiring user
affiliation (including the Company Portal app used for installing line-of-business apps) won't work.
5. Select Create to save the profile.
Export the profile as .mobileconfig to iOS devices
1. On the Export Profile blade, download the enrollment profile to Apple Configurator to push directly as a
management profile to a connected iOS device. This method does not do a factory reset of the device.
2. Prepare the device with Apple Configurator by using the following steps.
a. On a Mac computer, open Apple Configurator 2.0.
b. Connect the iOS device to the Mac computer with a USB cord. Close Photos, iTunes, and other apps that
open for the device when the device is detected.
c. In Apple Configurator, choose the connected iOS device, and then choose the Add button. Options that
can be added to the device appear in the drop-down list. Choose Profiles.
d. Use the file picker to select the .mobileconfig file that you exported from Intune, and then choose Add.
The profile is added to the device. If the device is Unsupervised, the installation will require acceptance
on the device.
3. Use the following steps to install the profile on the iOS device. The device must have already completed the
Setup Assistant and be ready to use. If enrollment entails app deployments, the device should have an Apple
ID set up because the app deployments will require that you have an Apple ID signed in for the App Store.
a. Unlock the iOS device.
b. In the Install profile dialog box for Management profile, choose Install.
c. Provide the Device Passcode or Apple ID, if required.
d. Accept the Warning, and choose Install.
e. Accept the Remote Warning, and choose Trust.
f. When the Profile Installed box confirms the profile as Installed, choose Done.
4. On the iOS device, open Settings and go to General > Device Management > Management Profile. Confirm
that the profile installation is listed, and check the iOS policy restrictions and installed apps. Policy
restrictions and apps might take up to 10 minutes to appear on the device.
5. Distribute devices. The iOS device is now enrolled with Intune and managed.
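Because the exported .mobileconfig is pushed straight onto a device that is already set up, with no factory reset, it is worth inspecting what the profile actually grants before adding it in Apple Configurator: which MDM server the device will check in with, whether those endpoints are HTTPS, which AccessRights the management payload requests, and whether the user can later remove the profile. The script below is an added example, not code from the Intune documentation or from Microsoft. It assumes only that the export is a standard Apple configuration profile (an XML property list); the AccessRights bit names follow Apple's MDM protocol reference and are an assumption here, and the embedded sample profile is constructed for illustration, not an Intune export.

```python
"""Inspect an enrollment .mobileconfig before pushing it with Apple Configurator.

Added example, not code from the Intune documentation or from Microsoft. It assumes the
export is a plain (unsigned) Apple configuration profile, i.e. an XML plist. The sample
profile below is constructed for illustration and is not an Intune export.
"""
import plistlib

# AccessRights bits as listed in Apple's MDM protocol reference (assumed accurate here).
ACCESS_RIGHTS = {
    1: "inspect configuration profiles",
    2: "install/remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information",
    32: "query network information",
    64: "inspect provisioning profiles",
    128: "install/remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management",
}

# Constructed sample: one MDM payload granting every right, plus a SCEP identity payload.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>example.enrollment</string>
  <key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadDisplayName</key><string>Management Profile (constructed sample)</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>example.enrollment.mdm</string>
      <key>PayloadUUID</key><string>66666666-7777-8888-9999-000000000000</string>
      <key>ServerURL</key><string>https://mdm.example.com/mdm</string>
      <key>CheckInURL</key><string>https://mdm.example.com/checkin</string>
      <key>Topic</key><string>com.apple.mgmt.External.constructed-sample</string>
      <key>AccessRights</key><integer>8191</integer>
      <key>IdentityCertificateUUID</key><string>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.scep</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>example.enrollment.scep</string>
      <key>PayloadUUID</key><string>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</string>
      <key>PayloadContent</key>
      <dict><key>URL</key><string>https://scep.example.com/scep</string></dict>
    </dict>
  </array>
</dict>
</plist>
"""


def inspect_profile(data):
    """Parse a .mobileconfig and summarise what installing it would do."""
    profile = plistlib.loads(data)
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("not a configuration profile")
    payloads = profile.get("PayloadContent", [])
    summary = {
        "name": profile.get("PayloadDisplayName"),
        "identifier": profile.get("PayloadIdentifier"),
        # If removal is not disallowed, the user can pull the profile in Settings.
        "user_removable": not profile.get("PayloadRemovalDisallowed", False),
        "payloads": [p.get("PayloadType") for p in payloads],
        "mdm": None,
        "warnings": [],
    }
    for payload in payloads:
        if payload.get("PayloadType") != "com.apple.mdm":
            continue
        rights = payload.get("AccessRights", 0)
        summary["mdm"] = {
            "server_url": payload.get("ServerURL"),
            "checkin_url": payload.get("CheckInURL"),
            "topic": payload.get("Topic"),
            "rights": [name for bit, name in ACCESS_RIGHTS.items() if rights & bit],
        }
        for url in (payload.get("ServerURL"), payload.get("CheckInURL")):
            if url and not url.startswith("https://"):
                summary["warnings"].append(f"MDM endpoint is not HTTPS: {url}")
    if summary["mdm"] is None:
        summary["warnings"].append("no com.apple.mdm payload: this profile will not enroll the device")
    return summary


if __name__ == "__main__":
    import json
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MOBILECONFIG
    print(json.dumps(inspect_profile(raw), indent=2))
```

Pass the exported file as the first argument. If the export is signed, the plist is wrapped in a CMS signature and plistlib cannot read it directly; `openssl smime -verify -inform DER -noverify -in profile.mobileconfig` prints the inner plist, which can then be fed to this script.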

How users install and use the Company Portal on their devices
Devices that are configured with user affinity can install and run the Company Portal app to download apps and
manage devices. After users receive their devices, they must complete the additional steps described below to
complete the Setup Assistant and install the Company Portal app.
Enroll macOS devices in Intune
6/29/2017

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

Intune enables you to manage macOS devices. To enable device management, your users must enroll their devices
by going to the Company Portal website, and following the prompts. Once macOS devices are under management,
you can create custom settings for macOS devices. More capabilities are coming soon.

Prerequisites
Complete the following prerequisites before setting up macOS device enrollment:
Configure domains
Set the MDM Authority
Create groups
Configure the Company Portal
Assign user licenses in the Office 365 portal
Get an Apple MDM push certificate

Set up macOS enrollment


By default, Intune already allows enrollment of macOS devices.
To block macOS devices from enrollment, see Set device type restrictions.

Tell your users how to enroll their devices to access company resources
You'll need to tell your end users to go to the Company Portal website, and follow the prompts to enroll their
devices. You can also send them a link to online enrollment steps: Enroll your macOS device in Intune.
For information about other end-user tasks, see these articles:
Resources about the end-user experience with Microsoft Intune
Using your iOS or macOS device with Intune
What is Microsoft Intune device management?
6/19/2017

APPLIES TO: INTUNE ON AZURE

The Devices workload gives you insights into the devices you manage, and lets you perform remote tasks on
those devices. To access the workload:
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
Now, you can perform the following actions. For more information, click one of the related links:
View device inventory
Perform remote device actions:
Remove company data
Factory reset
Remote lock
Reset passcode
Bypass Activation Lock
Fresh Start
Lost mode
Locate device
Restart
Remote control for Android
Choose Device Actions to see a list of device actions that have been performed on devices you manage and
the current state of those actions.
Use full or selective wipe
6/19/2017

APPLIES TO: INTUNE ON AZURE

You can wipe apps and data from Intune-managed devices that are no longer needed, are being repurposed, or
have gone missing. To do this, Intune provides selective wipe and full wipe capabilities. Users can also issue a
remote device wipe command from the Intune Company Portal app on privately owned devices enrolled in Intune.

NOTE
This topic is only about wiping devices managed by Intune mobile device management. You can also use the Azure portal to
wipe company data from apps. You can also retire computers managed with the Intune client software.

Full wipe
Full wipe restores a device to its factory default settings, removing all company and user data and settings. The
device is removed from Intune. Full wipe is useful for resetting a device before giving it to a new user, or for
instances where the device has been lost or stolen. Be careful about selecting full wipe. Data on the device
cannot be recovered.

WARNING
Windows 10 RTM devices (devices earlier than the Windows 10 version 1511) with less than 4 GB of RAM might become
inaccessible if wiped. To access a Windows 10 device that has become unresponsive, you can boot the device from a USB
drive.

To do a full wipe (factory reset) of a device:


1. On the Devices and groups blade, choose All devices.
2. Choose the name of the device you want to wipe.
3. On the blade showing the device's name, choose Factory reset, and then choose Yes to confirm the wipe.
If the device is on and connected, it takes less than 15 minutes for a wipe command to propagate across all device
types.
To delete devices in the Azure Active Directory portal
1. Browse to http://aka.ms/accessaad or choose Admin > Azure AD from https://portal.office.com.
2. Log in with your Org ID using the link on the left side of the page.
3. Create an Azure Subscription if you don't have one. This should not require a credit card or payment if you
have a paid account (choose the Register your free Azure Active Directory subscription link).
4. Select Active Directory and then select your organization.
5. Select the Users tab.
6. Select the user whose devices you want to delete.
7. Choose Devices.
8. Remove devices as appropriate, such as those that are no longer in use, or those that have inaccurate
definitions.

Selective wipe
Selective wipe removes company data, including mobile app management (MAM) data (where applicable),
settings, and email profiles from a device. Selective wipe leaves the user's personal data on the device. The device is
removed from Intune. The following tables describe what data is removed, and the effect on data that remains on
the device after a selective wipe. (The tables are organized by platform.)
iOS

Company apps and associated data installed by Intune: Apps are uninstalled and company app data is removed.
App data from Microsoft apps that use mobile app management is removed; the app itself is not removed.
Settings: Configurations that were set by Intune policy are no longer enforced, and users can change the
settings.
Wi-Fi and VPN profile settings: Removed.
Certificate profile settings: Certificates are removed and revoked.
Management Agent: The management profile is removed.
Email: Email profiles that are provisioned through Intune are removed, and cached email on the device is
deleted. If Microsoft Exchange is hosted on premises, email profiles and cached email are not removed.
Outlook: Email received by the Microsoft Outlook app for iOS is removed. Exception: If Exchange is hosted on
premises, email is not removed.
Azure Active Directory (AAD) Unjoin: AAD record is removed.
Contacts: Contacts synced directly from the app to the native address book are removed. Any contacts synced
from the native address book to another external source cannot be wiped. Currently, only the Outlook app is
supported.

Android

The table has two columns: Android, and Android Samsung Knox Standard.

Web links
    Android: Removed.
    Samsung Knox Standard: Removed.
Unmanaged Google Play apps
    Android: Apps and data remain installed.
    Samsung Knox Standard: Apps and data remain installed.
Unmanaged line of business apps
    Android: Apps and data remain installed.
    Samsung Knox Standard: Apps are uninstalled and data local to the app is removed as a result. No data
    outside the app (for example, on an SD card) is removed.
Managed Google Play apps
    Android: App data is removed. The app is not removed. Data protected by MAM encryption outside the app
    (for example, on an SD card) remains encrypted and unusable, but isn't removed.
    Samsung Knox Standard: Same as Android.
Managed line of business apps
    Android: App data is removed. The app is not removed. Data protected by MAM encryption outside the app
    (for example, on an SD card) remains encrypted and unusable, but isn't removed.
    Samsung Knox Standard: Same as Android.
Settings
    Android: Configurations that were set by Intune policy are no longer enforced, and users can change the
    settings.
    Samsung Knox Standard: Same as Android.
Wi-Fi and VPN profile settings
    Android: Removed.
    Samsung Knox Standard: Removed.
Certificate profile settings
    Android: Certificates revoked, but not removed.
    Samsung Knox Standard: Certificates removed and revoked.
Management Agent
    Android: Device Administrator privilege is revoked.
    Samsung Knox Standard: Device Administrator privilege is revoked.
Email
    Android: n/a (email profiles are not supported on Android devices).
    Samsung Knox Standard: Email profiles that are provisioned through Intune are removed, and cached email
    on the device is deleted.
Outlook
    Android: Email received by the Microsoft Outlook app for Android is removed. Exception: If Exchange is
    hosted on premises, email is not removed.
    Samsung Knox Standard: Same as Android.
Azure Active Directory (AAD) Unjoin
    Android: AAD record removed.
    Samsung Knox Standard: AAD record removed.
Contacts
    Android: Contacts synced directly from the app to the native address book are removed. Any contacts
    synced from the native address book to another external source cannot be wiped. Currently, only the
    Outlook app is supported.
    Samsung Knox Standard: Same as Android.

Android for Work


Performing selective wipe on an Android for Work device removes all data, apps, and settings in the work profile
on that device. This retires the device from management with Intune. Full wipe is not supported for Android for
Work.
Windows

The table has four columns: Windows 8.1 (MDM) and Windows RT 8.1; Windows Phone 8 and Windows Phone 8.1;
Windows RT; and Windows 10.

Company apps and associated data installed by Intune
    Windows 8.1 (MDM) and Windows RT 8.1: Files protected by EFS will have their key revoked and the user
    will not be able to open the files.
    Windows Phone 8 and Windows Phone 8.1: Will not remove company apps.
    Windows RT: Apps originally installed through the company portal are uninstalled. Company app data is
    removed.
    Windows 10: Apps are uninstalled and sideloading keys are removed.
Settings
    All four platforms: Configurations that were set by Intune policy are no longer enforced, and users can
    change the settings.
Wi-Fi and VPN profile settings
    Windows 8.1 (MDM) and Windows RT 8.1: Removed.
    Windows Phone 8 and Windows Phone 8.1: Removed.
    Windows RT: Not supported.
    Windows 10: Removed.
Certificate profile settings
    Windows 8.1 (MDM) and Windows RT 8.1: Certificates removed and revoked.
    Windows Phone 8 and Windows Phone 8.1: Certificates removed and revoked.
    Windows RT: Not supported.
    Windows 10: Certificates removed and revoked.
Email
    Windows 8.1 (MDM) and Windows RT 8.1: Removes email that is EFS enabled, which includes the Mail app for
    Windows email and attachments. Removes mail accounts that were provisioned by Intune. Exception: If
    Microsoft Exchange is hosted on premises, email accounts are not removed.
    Windows Phone 8 and Windows Phone 8.1: Not supported.
    Windows RT: Email profiles that are provisioned through Intune are removed, and cached email on the
    device is deleted.
    Windows 10: Removes email that is EFS enabled, which includes the Mail app for Windows email and
    attachments.
Azure Active Directory (AAD) Unjoin
    Windows 8.1 (MDM) and Windows RT 8.1: No.
    Windows Phone 8 and Windows Phone 8.1: No.
    Windows RT: AAD record removed.
    Windows 10: Not applicable. Windows 10 does not support selective wipe for Azure Active Directory joined
    devices.

To do a selective wipe:
1. On the Devices and groups blade, choose All devices.
2. Choose the name of the device you want to wipe.
3. On the blade showing the device's name, choose Remove company data (the button label is truncated to
Remove comp...), and then choose Yes to confirm the wipe.
If the device is on and connected, it takes less than 15 minutes for a wipe command to propagate across all device
types.
Bypass Activation Lock on supervised iOS devices
with Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

Microsoft Intune can help you manage iOS Activation Lock, a feature of the Find My iPhone app for iOS 8.0 and
later devices. Activation Lock is enabled automatically when a user opens the Find My iPhone app on a device. After
it is enabled, the user's Apple ID and password must be entered before anyone can:
Turn off Find My iPhone
Erase the device
Reactivate the device

How Activation Lock affects you


While Activation Lock helps secure iOS devices and improves the chances of recovering a lost or stolen device, this
capability can present you, as an IT admin, with a number of challenges. For example:
A user sets up Activation Lock on a device. The user then leaves the company and returns the device. Without
the user's Apple ID and password, there is no way to reactivate the device.
You need a report of all devices that have Activation Lock enabled.
You want to reassign some devices to a different department during a device refresh in your organization. You
can only reassign devices that do not have Activation Lock enabled.
To help solve these problems, Apple introduced Activation Lock bypass in iOS 7.1. This lets you remove the
Activation Lock from supervised devices without the user's Apple ID and password. Supervised devices can
generate a device-specific Activation Lock bypass code, which is stored on Apple's activation server.

TIP
Supervised mode for iOS devices lets you use Apple Configurator to lock down a device and limit functionality to specific
business purposes. Supervised mode is generally only for corporate-owned devices.

You can read more about Activation Lock on Apple's web site.

How Intune helps you manage Activation Lock


Intune can request the Activation Lock status of supervised devices that run iOS 8.0 and later. For supervised
devices only, Intune can retrieve the Activation Lock bypass code and directly issue it to the device. If the device has
been wiped, you can directly access the device by using a blank user name and the code as the password.
The business benefits of this are:
The user gets the security benefits of the Find My iPhone app.
You can enable users to do their work and know that when a device needs to be re-purposed, you can retire or
unlock it.

Before you start


Before you can bypass Activation Lock on devices, you must first enable it on them through an Intune device
restriction profile. To do this:
1. Configure an Intune device restriction profile for iOS using the information in How to configure device
restriction settings.
2. Enable the Kiosk mode setting Activation Lock.
3. Save the profile, and then assign it to the devices on which you want to manage Activation Lock bypass.

How to use Activation Lock bypass


IMPORTANT
After you bypass the Activation Lock on a device, a new Activation Lock is automatically applied if the Find My iPhone app is
opened. Because of this, you should be in physical possession of the device before you follow this procedure.

The Intune Bypass Activation Lock remote device action removes the activation lock from an iOS device without
the user's Apple ID and password. Once you bypass the activation lock, the device turns on activation lock again
when the Find My iPhone app launches. Only bypass the activation lock if you have physical access to the device.
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices and groups blade, choose All devices.
5. From the list of devices you manage, choose a supervised iOS device, and then choose the Bypass Activation
Lock device remote action.
You can examine the status of the unlock request on the details page for the device in the Manage devices
workload.
Reset Intune-managed devices to factory settings
6/19/2017

APPLIES TO: INTUNE ON AZURE

The Factory reset action returns a device to its default settings. The device will no longer be managed by Intune,
and both company and personal data are removed. You cannot undo this action.
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices and groups blade, choose All devices.
5. From the list of devices you manage, choose a device, and then choose the Factory reset device remote action.
To see the status of the action you just took, on the Devices and groups blade, choose Device Actions.
Use Fresh Start to reset Windows 10 devices with
Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

The Fresh Start device action removes any apps that were installed on a Windows 10 PC running the Creators
Update, then automatically updates the PC to the latest version of Windows. This can be used to help remove pre-
installed (OEM) apps that are often delivered with a new PC. You can configure whether user data is retained when
this device action is issued. In that case, apps and settings are removed, but the contents of the user's Home
folder are retained.
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices and groups blade, choose All devices.
5. From the list of devices you manage, choose a Windows 10 desktop device, and then choose the Fresh Start
device remote action.
To see the status of the action you just took, on the Devices and groups blade, choose Device Actions.
Locate lost or stolen iOS devices with Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

The Locate Device device action displays the location of a lost or stolen iOS device on a map. The device must be
a corporate-owned iOS device, enrolled through DEP, that is in supervised mode. Before you use this action, the
device must have been placed into lost mode.
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices and groups blade, choose All devices.
5. From the list of devices you manage, choose an iOS device, and then choose the Locate Device remote action.
6. After the device has been located, its location is displayed on the Locate device blade.

NOTE
For privacy purposes, the distance you can zoom into the map is limited.

Security and privacy information for the lost mode and locate device
actions
No device location information is sent to Intune until you turn this action on.
When you use the locate device action, the latitude and longitude coordinates of the device are sent to Intune,
and displayed in the Azure portal.
The data is stored for 24 hours, then removed. You cannot manually remove the location data.
Location data is encrypted, both while stored, and while being transmitted.
When you configure lost mode, we recommend that the message you enter to display on the lock screen
includes information that helps someone who finds the device to return it.
Activate lost mode on iOS devices
6/19/2017

APPLIES TO: INTUNE ON AZURE

The Lost mode device action helps you enable lost mode on lost or stolen iOS devices. This mode lets you specify
a message and a phone number that will be displayed on the lock screen of the device.
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices and groups blade, choose All devices.
5. From the list of devices you manage, choose an iOS device, and then choose the Lost mode remote action.
6. On the Lost mode blade, enable lost mode, enter the message that will be displayed, and optionally, a contact
phone number.
7. Click OK.
When you enable lost mode, you block all use of the device. The end user cannot access the device until you
disable lost mode. While lost mode is enabled, you can use the Locate device action to find out where the device
is. To use lost mode, the device must be a corporate-owned iOS device, enrolled through DEP, that is in supervised
mode.
To see the status of the action you just took, on the Devices and groups blade, choose Device Actions.

Remotely lock managed devices with Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

The Remote lock device action locks the selected device. The device owner must use their passcode to unlock it.
You can only remotely lock a device that has a PIN or password set.
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices and groups blade, choose All devices.
5. From the list of devices you manage, choose a device, and then choose the Remote lock device remote action.
To see the status of the action you just took, on the Devices and groups blade, choose Device Actions.
Remove company data from Intune-managed
devices
6/19/2017

APPLIES TO: INTUNE ON AZURE

The Remove company data action removes only company data from devices managed by Intune; it does not
remove personal data from the device. The device will no longer be managed by Intune and will no longer be able
to access corporate resources. This action is not supported for Windows devices that are joined to Azure Active
Directory.
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices and groups blade, choose All devices.
5. From the list of devices you manage, choose a device, and then choose the Remove company data device
remote action.
To see the status of the action you just took, on the Devices and groups blade, choose Device Actions.
Reset the passcode on Intune-managed devices
6/19/2017

APPLIES TO: INTUNE ON AZURE

The Reset passcode action generates a new passcode for the device which will be displayed on the <device
name> Overview blade.
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices and groups blade, choose All devices.
5. From the list of devices you manage, choose a device, and then choose the Reset passcode device remote
action.
To see the status of the action you just took, on the Devices and groups blade, choose Device Actions.
Remotely restart devices with Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

The Restart device action causes the device you choose to be restarted. The device owner is not automatically
notified of the restart and so might lose unsaved work.
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices and groups blade, choose All devices.
5. From the list of devices you manage, choose a device, and then choose the Restart device remote action.
To see the status of the action you just took, on the Devices and groups blade, choose Device Actions.
Log out the current user on Intune-managed iOS
devices
6/29/2017

APPLIES TO: INTUNE ON AZURE

The Logout current user action logs out the current user of an iOS device you choose.
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices and groups blade, choose All devices.
5. From the list of devices you manage, choose an iOS device, and then choose the Logout current user device
remote action.
To see the status of the action you just took, on the Devices and groups blade, choose Device Actions.
Remove a user from a shared iOS device with Intune
6/29/2017

APPLIES TO: INTUNE ON AZURE

The Remove user action deletes a user you choose from the local cache on an iOS device.
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices blade, choose All devices.
5. From the list of devices you manage, choose an iOS device.
6. On the blade for that device, choose Users.
7. From the list, right-click the user you want to remove, and then choose Remove user.
To see the status of the action you just took, on the Devices and groups blade, choose Device Actions.
Provide remote assistance for Intune managed
Android devices
6/19/2017

Intune can use the TeamViewer software, purchased separately, to enable you to give remote assistance to your
users who are running Android devices. Use the information in this topic to set things up and get started.

Before you start


Required permissions
Ensure that the Azure portal user has the following permissions assigned to them through an Intune role:
To let the admin modify the TeamViewer connector settings, grant the Update Remote Assistance
permission.
To let the admin start a new remote assistance session, grant the Request Remote Assistance permission.
A user with this permission can request a session for any user or device: Intune role assignment scopes do
not limit the devices or users for which Remote Assistance requests can be initiated.

NOTE
By enabling TeamViewer, you are allowing the TeamViewer for Intune Connector to create TeamViewer sessions, read Active
Directory data, and save the TeamViewer account access token.

Configure the Intune TeamViewer connector


Before you can provide remote assistance to Android devices, you'll need to configure the Intune TeamViewer
connector, using the following steps:
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices and groups blade, choose Setup > TeamViewer Connector.
5. On the TeamViewer Connector blade, click Enable, then view and accept the TeamViewer service license
agreement.
6. Choose Log in to TeamViewer & Authorize.
7. A web page opens to the TeamViewer site. Enter your TeamViewer license credentials, and then click Sign In.

How to remotely administer an Android device


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices blade, choose Manage > All devices.
5. Select the device that you want to remotely administer, and then, on the device properties blade, choose More
> New Remote Assistance Session.
6. After Intune connects to the TeamViewer service, you'll see some information about the Android device. Choose
Connect to start the remote session.
In the TeamViewer window, you can perform a range of remote actions on the Android device, including remote
control of the device. For full details of the actions you can perform, see the TeamViewer documentation.
When you are finished, close the TeamViewer window.

End user notifications


An end user will see a notification flag on the Company Portal app icon on their device, and also see a notification
when they open the app. They can then accept the remote assistance request.
How to view Intune device inventory
6/26/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

The Devices workload gives you insights into the devices you manage, including their hardware capabilities, and
the apps installed on them.
To view device inventory:
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Devices.
Now, choose one of the following options:
Overview - Get information about devices you've enrolled, and the operating systems each device runs.
Manage - Choose All Devices to see a list of all the devices you manage. Select one of those devices in the list
to open the <device name> Overview blade where you can select one of:
Overview - See general information about the device including its name, owner, whether it is a BYOD
device, when it checked-in, and more.

Hardware - See more detailed information about the device including its free storage space, model and
manufacturer, and more.
Discovered apps - Displays a list of all apps that Intune found installed on the device.

Device compliance - Displays the compliance state of all compliance policies that have been assigned
to the device.
Device configuration - Displays the compliance state of all device configuration policies that have been
assigned to the device.
Monitor - Choose Device Actions to see a list of device actions that have been performed on devices you
manage and their current state.
Setup > TeamViewer Connector - Lets you configure remote administration on devices using the
TeamViewer software. For details, see Provide remote assistance for Intune managed Android devices.
What is user management?
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

If you are new to Intune in the Azure portal, remember that you no longer create groups for Intune. Intune uses
Azure AD groups just like many other applications that you use.
To learn more about using groups in Azure AD, see Managing access to resources with Azure Active Directory
groups.
To manage groups in the Azure portal, search for Intune, choose Manage users, and you are taken to the Users
and groups workload where you can perform the following actions:
1. See Overview information about the users and groups you manage.
2. See details about all users you manage with Azure.
3. Create groups of users and devices.
4. Display audit activity for group actions.

Next step
Get started with groups
Get started with groups
6/19/2017 3 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

We've heard your feedback and have made changes to how you work with groups in Microsoft Intune. If you are
using Intune from the Azure portal, your Intune groups have been migrated to Azure Active Directory security
groups.
The benefit to you is that you now use the same groups experience across all of your Enterprise Mobility + Security
and Azure AD apps. Additionally, you'll be able to use PowerShell and the Graph API to extend and customize this new
functionality.
Azure AD security groups support all types of Intune deployments to both users and devices. Additionally, you can
use Azure AD dynamic groups that automatically update based on the attributes you supply. For example, you
could create a group of devices that run iOS 9. Whenever a device running iOS 9 enrolls, the device automatically
appears in the dynamic group.

What is not available?


Some of the Intune groups capabilities you previously might have used are not available in Azure AD:
The Ungrouped Users and Ungrouped Devices Intune groups are no longer available.
The option to Exclude specific members from a group does not exist in the Azure portal. You can,
however, use an Azure AD security group with advanced rules to replicate this behavior. For example, to
create an advanced rule that includes all people in your Sales department in a security group, but excludes
those with the word "Assistant" in their title, you could use this advanced rule:
(user.department -eq "Sales") -and -not (user.jobTitle -contains "Assistant").
The All Exchange ActiveSync Managed Devices group in the Intune console was not migrated to Azure AD.
You can, however, still access information about EAS-managed devices from the Azure portal.
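The two dynamic-group rules mentioned in this topic (the "devices that run iOS 9" group above, and the Sales-minus-Assistants advanced rule just quoted) can be checked against sample directory data before you commit them to a tenant. The following Python evaluator is an added example, not code from the Intune documentation or from Microsoft: it parses rules in the syntax shown on this page (-eq, -contains, -startsWith, -and, -or, -not and parentheses, a subset of the full grammar) and applies them to constructed user and device records. String comparisons are case-sensitive and a missing attribute fails every comparison; both are this evaluator's assumptions, as are the device attribute names deviceOSType and deviceOSVersion used in the second sample rule.

```python
import re
from typing import Any, Callable, Dict, List

# Supported comparison operators (a subset of the rule syntax); comparisons are case-sensitive (assumption).
_COMPARE: Dict[str, Callable[[str, str], bool]] = {
    "-eq": lambda value, literal: value == literal,
    "-contains": lambda value, literal: literal in value,
    "-startsWith": lambda value, literal: value.startswith(literal),
}

def tokenize(rule: str) -> List[str]:
    """Parentheses, quoted literals, -keywords, dotted names; any other character becomes a token the parser rejects."""
    return re.findall(r'\(|\)|"[^"]*"|-[A-Za-z]+|[A-Za-z_][\w.]*|\S', rule)

class RuleParser:
    """Recursive descent: -or binds loosest, then -and, then -not and parentheses."""
    def __init__(self, rule: str) -> None:
        self.tokens, self.pos = tokenize(rule), 0
    def peek(self) -> Any:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None
    def take(self) -> str:
        if self.pos >= len(self.tokens):
            raise ValueError("unexpected end of rule")
        self.pos += 1
        return self.tokens[self.pos - 1]
    def parse(self) -> tuple:
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return node
    def or_expr(self) -> tuple:
        node = self.and_expr()
        while self.peek() == "-or":
            self.take()
            node = ("or", node, self.and_expr())
        return node
    def and_expr(self) -> tuple:
        node = self.unary()
        while self.peek() == "-and":
            self.take()
            node = ("and", node, self.unary())
        return node
    def unary(self) -> tuple:
        if self.peek() == "-not":
            self.take()
            return ("not", self.unary())
        if self.peek() == "(":
            self.take()
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        # A comparison: <user|device>.<attribute> <operator> "<literal>"
        prop, op, literal = self.take(), self.take(), self.take()
        scope, _, name = prop.partition(".")
        if scope not in ("user", "device") or not name or op not in _COMPARE:
            raise ValueError(f"bad comparison {prop} {op}")
        if len(literal) < 2 or literal[0] != '"' or literal[-1] != '"':
            raise ValueError(f"expected a quoted literal, got {literal!r}")
        return ("cmp", name, op, literal[1:-1])

def evaluate(node: tuple, obj: Dict[str, Any]) -> bool:
    """Apply a parsed rule to one attribute dict; a missing or non-string attribute fails every comparison."""
    kind = node[0]
    if kind == "cmp":
        _, name, op, literal = node
        value = obj.get(name)
        return isinstance(value, str) and _COMPARE[op](value, literal)
    if kind == "not":
        return not evaluate(node[1], obj)
    if kind == "and":
        return evaluate(node[1], obj) and evaluate(node[2], obj)
    return evaluate(node[1], obj) or evaluate(node[2], obj)

def members(rule: str, objects: List[Dict[str, Any]]) -> List[str]:
    """Return the displayName of every object the rule admits, in input order."""
    tree = RuleParser(rule).parse()
    return [o["displayName"] for o in objects if evaluate(tree, o)]

def is_valid_rule(rule: str) -> bool:
    """True when the rule parses under this grammar, False on a syntax error."""
    try:
        RuleParser(rule).parse()
        return True
    except ValueError:
        return False

# Constructed sample directory objects; not real tenant data.
SAMPLE_USERS = [
    {"displayName": "Alice", "department": "Sales", "jobTitle": "Account Manager"},
    {"displayName": "Bob", "department": "Sales", "jobTitle": "Sales Assistant"},
    {"displayName": "Carol", "department": "Marketing", "jobTitle": "Assistant"},
    {"displayName": "Dan", "department": "Sales"},  # no jobTitle attribute at all
]
SAMPLE_DEVICES = [  # the deviceOSType and deviceOSVersion attribute names are assumed
    {"displayName": "ipad-01", "deviceOSType": "iOS", "deviceOSVersion": "9.3.5"},
    {"displayName": "ipad-02", "deviceOSType": "iOS", "deviceOSVersion": "10.3.2"},
]
SALES_RULE = '(user.department -eq "Sales") -and -not (user.jobTitle -contains "Assistant")'
IOS9_RULE = '(device.deviceOSType -eq "iOS") -and (device.deviceOSVersion -startsWith "9.")'
```

members(SALES_RULE, SAMPLE_USERS) returns ['Alice', 'Dan'] and members(IOS9_RULE, SAMPLE_DEVICES) returns ['ipad-01']. Bob is dropped by the -and -not clause and Carol never passes the department test, but Dan, who has no jobTitle at all, stays in: the comparison against a missing attribute is false, and -not turns that into true. That is the edge case to confirm against your own tenant's null handling before relying on an advanced rule to replace an Intune exclusion, since a user with an empty title is not excluded by this rule.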

How to get started?


Read the following topics to learn about Azure AD security groups and how they work:
Managing access to resources with Azure Active Directory groups.
Managing groups in Azure Active Directory.
Using attributes to create advanced rules.
Ensure that admins who need to create groups are added to the Intune Service Administrator Azure AD role.
The Azure AD Service Admin role does not have Manage Group permissions.
If your Intune groups used the Exclude specific members option, decide whether you can redesign these
groups without exclusions, or if you need advanced rules to meet business needs.

What happened to Intune groups?


When groups are migrated from the classic Intune portal to Intune in the Azure portal, the following rules are
applied:

GROUPS IN INTUNE | GROUP IN AZURE AD
Static user group | Static Azure AD security group
Dynamic user group | Static Azure AD security groups with an Azure AD security group hierarchy
Static device group | Static Azure AD security group
Dynamic device group | Dynamic Azure AD security group
A group with an include condition | Static Azure AD security group containing any static or dynamic members from the include condition in Intune
A group with an exclude condition | Not migrated
The built-in groups (All Users, Ungrouped Users, All Devices, Ungrouped devices, All Computers, All Mobile Devices, All MDM managed devices, All EAS managed devices) | Azure AD security groups

Group hierarchy
In the classic Intune console, all groups had a parent group. Groups could only contain members of their parent
group. In Azure AD, child groups can contain members not in their parent group.

Group attributes
Attributes are device properties that may be used in defining groups. This table describes how those criteria will be
migrated to Azure AD security groups.

ATTRIBUTE IN INTUNE | ATTRIBUTE IN AZURE AD
Organizational Unit (OU) attribute for device groups | OU attribute for dynamic groups
Domain name attribute for device groups | Domain Name attribute for dynamic groups
Security group as an attribute for user groups | Groups cannot be attributes in Azure AD dynamic queries. Dynamic groups can only contain user or device-specific attributes.
Manager attribute for user groups | Advanced Rule for manager attribute in dynamic groups
All users from the parent user group | Static group with that group as a member
All mobile devices from the parent device group | Static group with that group as a member
All mobile devices managed by Intune | Management Type attribute with MDM as value for dynamic group
Nested groups within static groups | Nested groups within static groups
Nested groups within dynamic groups | Dynamic group with one level of nesting

What happens to policies and apps you previously deployed?


Policies and apps continue to be deployed to groups, just like before. However, you'll now manage these groups
from the Azure portal, instead of the classic Intune console.
What is Microsoft Intune app management?
6/19/2017 3 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

As an IT admin, you are responsible for making sure that your end users have access to the apps they need to do
their work. This can be a challenge because:
There are a wide range of device platforms and app types.
You might need to manage apps on company devices and on users' own devices.
You must ensure your network and your data remain secure.
Additionally, you might want to assign and manage apps on devices that are not enrolled with Intune.
Intune offers a range of capabilities to help you get the apps you need, on the devices you want.

App management capabilities by platform

Capability | Android | iOS | Windows Phone 8.1 | Windows 10
Add and assign apps to devices and users | Yes | Yes | Yes | Yes
Assign apps to devices not enrolled with Intune | Yes | Yes | No | No
Use app configuration policies to control the startup behavior of apps | No | Yes | No | No
Use mobile app provisioning policies to renew expired apps | No | Yes | No | No
Protect company data in apps with app protection policies | Yes | Yes | No | No (1)
Remove only corporate data from an installed app (App selective wipe) | Yes | Yes | Yes | Yes
Monitor app assignments | Yes | Yes | Yes | Yes
Assign and track volume-purchased apps from an app store | No | No | No | Yes
Mandatory install of apps on devices (Required) (2) | Yes | Yes | Yes | Yes
Optional installation on devices from the Company Portal (Available install) | Yes | Yes | Yes | Yes
Install shortcut to an app on the web (web clip) | Yes | Yes | Yes | Yes
In-house (line-of-business) apps | Yes | Yes | No | No
Apps from a store | Yes | Yes | Yes | Yes
Update apps | Yes | Yes | Yes | Yes

(1) Consider using Windows Information Protection to protect apps on devices that run Windows 10.
(2) Applies to devices managed by Intune only.

How to get started


You can find most things app-related in the Mobile Apps workload that you can access as follows:
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Mobile apps.
Manage
Apps - This node is where you add, assign, and monitor most of your apps.
Add apps
Assign apps
Monitor apps
App configuration policies - App configuration policies let you supply settings that might be required when
a user runs an app.
iOS app configuration policies
Android app configuration policies
App protection policies - Lets you associate settings with an app to help protect the company data it uses.
For example, you might restrict the capabilities of an app to communicate with other apps, or require the user
to enter a PIN to access a company app.
App protection policies
App selective wipe - Remove only corporate data from a user's device you select.
App selective wipe
iOS provisioning profiles - iOS apps include a provisioning profile and code that is signed by a certificate.
When the certificate expires, the app can no longer be run. Intune gives you the tools to proactively assign a
new provisioning profile policy to devices that have apps that are nearing expiry.
iOS app provisioning profiles
Monitor
Licensed Apps - View, assign, and monitor volume-purchased apps from the app stores.
Windows Store for Business volume-purchased apps
Discovered Apps - Shows all apps that were assigned by Intune, and installed on a device.
App Install Status - Shows the status of an app assignment you created.
App protection status - Shows the status of an app protection policy for a user you select.
For details, see Monitor apps
Setup
Windows Store for Business - Set up integration to the Windows Store for Business. Afterwards, you can
synchronize purchased applications to Intune, assign them, and track your license usage.
Windows Store for Business volume-purchased apps
Company Portal branding - Customize the Company Portal to give it your company branding.
Company portal configuration
How to add an app to Microsoft Intune
6/30/2017 3 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

Before you can manage and assign apps for your users, you must add them to Intune. Intune supports a wide
range of different app types, and the options might be different for each type.
Intune lets you add and assign the following app types, on the following platforms:

Android store apps
Android line-of-business (LOB) apps
iOS store apps
iOS line-of-business (LOB) apps
Web apps
Windows Phone 8.1 store apps
Windows Phone line-of-business apps (.xap files)
Windows store apps
Windows line-of-business apps (.msi files only)

TIP
A line-of-business (or LOB) app is one that you do not install from an app store, but install from the app installation file.
For example, to install an iOS LOB app, you add the application archive file (with the extension .ipa). These are typically
apps you have written in-house.

Before you start


Consider the following points before you begin to add and assign apps.
When you add and assign an app from a store, end users must have an account with that store in order to be
able to install the app.
Some apps or items you assign might be dependent on built-in iOS apps. For example, if you assign a book
from the iOS store, then the iBooks app must be present on the device. If you have removed the iBooks
built-in app, you cannot use Intune to reinstate it.

Cloud storage space


All apps that you create by using the software installer installation type (for example, a line-of-business app) are
packaged and uploaded to Intune cloud storage. A trial subscription of Intune includes 2 gigabytes (GB) of
cloud-based storage that is used to store managed apps and updates. A full subscription includes 20 GB of storage
space.
You can purchase additional storage for Intune using your original purchase method. If you paid by invoice or
credit card, visit the Subscription Management portal. Otherwise, contact your partner or sales associate.
Requirements for cloud storage space are as follows:
All app installation files must be in the same folder.
The maximum file size for any file that you upload is 2 GB.

How to create and edit categories for apps


App categories can be used to help you sort apps to make them easier for users to find in the company portal.
You can assign one or more categories to an app, for example, Developer apps, or Communication apps.
When you add an app to Intune, you are given the option to select the category you want. Use the platform-
specific topics to add an app, and assign categories. To create and edit your own categories, use the following
procedure:
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Mobile apps.
4. In the Mobile apps workload, choose Setup > App categories.
5. On the App categories blade, a list of the current categories is shown. Choose one of the following actions:
Create a category - On the Create category blade, enter a name for the new category. Names can be
entered in one language only, and are not translated by Intune. When you are done, click Create.
Edit a category - For any category in the list, choose '...'. On the Properties blade, you can enter a
new name for the category, or delete the category.

Apps added automatically by Intune


The following apps, published by Microsoft, are built into Intune and ready for you to assign:

Name Platform

Azure Information Protection Android

Dynamics CRM for Phones Android

Dynamics CRM for Tablets Android

Excel iOS
Excel Android

Managed Browser Android

Managed Browser iOS

Microsoft Dynamics CRM on Phones iOS

Microsoft Dynamics CRM on Tablets iOS

Microsoft Power BI iOS

Microsoft Power BI Android

Microsoft SharePoint iOS

Microsoft SharePoint Android

Microsoft Teams Android

Microsoft Teams iOS

OneDrive iOS

OneDrive Android

OneNote iOS

Outlook Android

Outlook iOS

Outlook Groups Android

Outlook Groups iOS

PowerPoint iOS

Next Steps
Choose one of the following topics to find out how to add apps for each platform to Intune:
Android store apps
Android LOB apps
iOS store apps
iOS LOB apps
Web apps (for all platforms)
Windows Phone 8.1 store apps
Windows Phone LOB apps
Windows store apps
Windows LOB app
How to add Android store apps to Microsoft Intune
6/19/2017 2 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Manage apps.
4. In the Mobile apps workload, choose Manage > Apps.
5. Above the list of apps, choose Add.
6. In the Add App blade, choose App Information.
7. In the Edit App blade, configure the following information. Once you are done, click Add. Depending on the
app you have chosen, some of the values in this blade might have been automatically filled-in:
App Name - Enter the name of the app as it will be displayed in the company portal. Make sure all app
names that you use are unique. If the same app name exists twice, only one of the apps will be displayed
to users in the company portal.
App Description - Enter a description for the app. This will be displayed to users in the company portal.
Publisher - Enter the name of the publisher of the app.
App store URL - Enter the app store URL of the app you want to create.
Minimum Operating System - From the list, choose the minimum operating system version on which
the app can be installed. If you assign the app to a device with an earlier operating system, it will not be
installed.
Category (optional) - Select one or more of the built-in app categories, or a category you created. This
will make it easier for users to find the app when they browse the company portal.
Display this as a featured app in the Company Portal - Display the app prominently on the main
page of the company portal when users browse for apps.
Information URL - Optionally, enter the URL of a website that contains information about this app. The
URL will be displayed to users in the company portal.
Privacy URL - Optionally, enter the URL of a website that contains privacy information for this app. The
URL will be displayed to users in the company portal.
Developer - Optionally, enter the name of the app developer.
Owner - Optionally, enter a name for the owner of this app, for example, HR department.
Notes - Enter any notes you would like to associate with this app.
Upload Icon - Upload an icon that will be associated with the app. This is the icon that will be displayed
with the app when users browse the company portal.
8. When you are done, on the Add App blade, choose Save.
The app you have created will be displayed in the apps list where you can assign it to the groups you choose. For
help, see How to assign apps to groups.
How to add Android line-of-business (LOB) apps to
Microsoft Intune
6/19/2017 2 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

Step 1 - Specify the software setup file


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Manage apps.
4. In the Mobile apps workload, choose Manage > Apps.
5. Above the list of apps, choose Add.
6. In the Add App blade, choose Line-of-business app.

Step 2 - Configure the app package file


1. On the Add app blade, choose App package file.
2. On the App package file blade, choose the browse button, and select an Android installation file with the
extension .apk.
3. When you are finished, choose OK.

Step 3 - Configure app information


1. On the Add app blade, choose App package file.
2. On the App information blade, configure the following information. Depending on the app you have chosen,
some of the values in this blade might have been automatically filled-in:
Name - Enter the name of the app as it will be displayed in the company portal. Make sure all app names
that you use are unique. If the same app name exists twice, only one of the apps will be displayed to
users in the company portal.
Description - Enter a description for the app. This will be displayed to users in the company portal.
Publisher - Enter the name of the publisher of the app.
Minimum Operating System - From the list, choose the minimum operating system version on which
the app can be installed. If you assign the app to a device with an earlier operating system, it will not be
installed.
Category - Select one or more of the built-in app categories, or a category you created. This will make it
easier for users to find the app when they browse the company portal.
Display this as a featured app in the Company Portal - Display the app prominently on the main
page of the company portal when users browse for apps.
Information URL - Optionally, enter the URL of a website that contains information about this app. The
URL will be displayed to users in the company portal.
Privacy URL - Optionally, enter the URL of a website that contains privacy information for this app. The
URL will be displayed to users in the company portal.
Developer - Optionally, enter the name of the app developer.
Owner - Optionally, enter a name for the owner of this app, for example, HR department.
Notes - Enter any notes you would like to associate with this app.
Logo - Upload an icon that will be associated with the app. This is the icon that will be displayed with the
app when users browse the company portal.
3. When you are finished, choose OK.

Step 4 - Finish up
1. On the Add app blade, verify the information you configured is correct.
2. Choose Add, to upload the app to Intune.
The app you have created will be displayed in the apps list where you can assign it to the groups you choose. For
help, see How to assign apps to groups.
How to add iOS store apps to Microsoft Intune
6/19/2017 2 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

Before you start


You can only assign apps using this method if they are free of charge in the app store. If you want to assign paid
apps using Intune, consider using the iOS volume-purchase program.

Step 1 - Search for the app in the store


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Manage apps.
4. In the Mobile apps workload, choose Manage > Apps.
5. Above the list of apps, choose Add.
6. In the Add App blade, choose Search the App Store.
7. In the Apple App Store blade, enter the name (or part of the name) in the search box. Intune will search the
store and return a list of relevant results.
8. From the list, choose the app you want, then click OK.

Step 2 - Configure app information


1. In the Add App blade, choose App Information.
2. In the Edit App blade, configure the following information. Once you are done, click Add. Depending on the
app you have chosen, some of the values in this blade might have been automatically filled-in:
App Name - Enter the name of the app as it will be displayed in the company portal. Make sure all app names
that you use are unique. If the same app name exists twice, only one of the apps will be displayed to users in the
company portal.
App Description - Enter a description for the app. This will be displayed to users in the company portal.
Publisher - Enter the name of the publisher of the app.
App store URL - Enter the app store URL of the app you want to create.
Minimum Operating System - From the list, choose the minimum operating system version on which the app
can be installed. If you assign the app to a device with an earlier operating system, it will not be installed.
Category (optional) - Select one or more of the built-in app categories, or a category you created. This will make
it easier for users to find the app when they browse the company portal.
Display this as a featured app in the Company Portal - Display the app prominently on the main page of
the company portal when users browse for apps.
Information URL - Optionally, enter the URL of a website that contains information about this app. The URL
will be displayed to users in the company portal.
Privacy URL - Optionally, enter the URL of a website that contains privacy information for this app. The URL
will be displayed to users in the company portal.
Developer - Optionally, enter the name of the app developer.
Owner - Optionally, enter a name for the owner of this app, for example, HR department.
Notes - Enter any notes you would like to associate with this app.
Upload Icon - Upload an icon that will be associated with the app. This is the icon that will be displayed with
the app when users browse the company portal.
3. When you are done, on the Add App blade, choose Save.
The app you have created will be displayed in the apps list where you can assign it to the groups you choose. For
help, see How to assign apps to groups.
How to add iOS line-of-business (LOB) apps to
Microsoft Intune
6/19/2017 2 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

Step 1 - Specify the software setup file


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Manage apps.
4. In the Mobile apps workload, choose Manage > Apps.
5. Above the list of apps, choose Add.
6. In the Add App blade, choose Line-of-business app.

Step 2 - Configure the app package file


1. On the Add app blade, choose App package file.
2. On the App package file blade, choose the browse button, and select an iOS installation file with the extension
.ipa.
3. When you are finished, choose OK.

Step 3 - Configure app information


1. On the Add app blade, choose App package file.
2. On the App information blade, configure the following information. Depending on the app you have chosen,
some of the values in this blade might have been automatically filled-in:
Name - Enter the name of the app as it will be displayed in the company portal. Make sure all app names
that you use are unique. If the same app name exists twice, only one of the apps will be displayed to
users in the company portal.
Description - Enter a description for the app. This will be displayed to users in the company portal.
Publisher - Enter the name of the publisher of the app.
Minimum Operating System - From the list, choose the minimum operating system version on which
the app can be installed. If you assign the app to a device with an earlier operating system, it will not be
installed.
Category - Select one or more of the built-in app categories, or a category you created. This will make it
easier for users to find the app when they browse the company portal.
Display this as a featured app in the Company Portal - Display the app prominently on the main
page of the company portal when users browse for apps.
Information URL - Optionally, enter the URL of a website that contains information about this app. The
URL will be displayed to users in the company portal.
Privacy URL - Optionally, enter the URL of a website that contains privacy information for this app. The
URL will be displayed to users in the company portal.
Developer - Optionally, enter the name of the app developer.
Owner - Optionally, enter a name for the owner of this app, for example, HR department.
Notes - Enter any notes you would like to associate with this app.
Logo - Upload an icon that will be associated with the app. This is the icon that will be displayed with the
app when users browse the company portal.
3. When you are finished, choose OK.

Step 4 - Finish up
1. On the Add app blade, verify the information you configured is correct.
2. Choose Add, to upload the app to Intune.
The app you have created will be displayed in the apps list where you can assign it to the groups you choose. For
help, see How to assign apps to groups.
How to add web apps to Microsoft Intune
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Manage apps.
4. In the Mobile apps workload, choose Manage > Apps.
5. Above the list of apps, choose Add.
6. In the Add App blade, choose App Information.
7. In the Edit App blade, configure the following information. Once you are done, click Add:
App URL - Enter the URL of the web site that hosts the app you want to assign.
App Name - Enter the name of the app as it will be displayed in the company portal.
App Description - Enter a description for the app. This will be displayed to end users in the company
portal.
Publisher - Enter the name of the publisher of this app.
Category (optional) - Select one or more of the built-in app categories, or a category you created. This
will make it easier for users to find the app when they browse the company portal.
Display this as a featured app in the Company Portal - Display the app prominently on the main
page of the company portal when users browse for apps.
Require a managed browser to open this link - When you assign a link to a website or web app to
users, they will be able to open it only in the Intune managed browser. This browser must be installed on
their device.
Upload Icon - Upload an icon that will be associated with the app. This is the icon that will be displayed
with the app when users browse the company portal.
8. When you are done, on the Add App blade, choose Save.
The app you have created will be displayed in the apps list where you can assign it to the groups you choose. For
help, see How to assign apps to groups.
How to add Windows Phone 8.1 store apps to
Microsoft Intune
6/19/2017 2 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Manage apps.
4. In the Mobile apps workload, choose Manage > Apps.
5. Above the list of apps, choose Add.
6. In the Add App blade, choose App Information.
7. In the Edit App blade, configure the following information. Once you are done, click Add. Depending on the app
you have chosen, some of the values in this blade might have been automatically filled-in:
App Name - Enter the name of the app as it will be displayed in the company portal. Make sure all app
names that you use are unique. If the same app name exists twice, only one of the apps will be displayed
to users in the company portal.
App Description - Enter a description for the app. This will be displayed to users in the company portal.
Publisher - Enter the name of the publisher of the app.
App store URL - Enter the app store URL of the app you want to create.
Minimum Operating System - From the list, choose the minimum operating system version on which
the app can be installed. If you assign the app to a device with an earlier operating system, it will not be
installed.
Category (optional) - Select one or more of the built-in app categories, or a category you created. This
will make it easier for users to find the app when they browse the company portal.
Display this as a featured app in the Company Portal - Display the app prominently on the main
page of the company portal when users browse for apps.
Information URL - Optionally, enter the URL of a website that contains information about this app. The
URL will be displayed to users in the company portal.
Privacy URL - Optionally, enter the URL of a website that contains privacy information for this app. The
URL will be displayed to users in the company portal.
Developer - Optionally, enter the name of the app developer.
Owner - Optionally, enter a name for the owner of this app, for example, HR department.
Notes - Enter any notes you would like to associate with this app.
Upload Icon - Upload an icon that will be associated with the app. This is the icon that will be displayed
with the app when users browse the company portal.
8. When you are done, on the Add App blade, choose Save.
The app you have created will be displayed in the apps list where you can assign it to the groups you choose. For
help, see How to assign apps to groups.
How to add Windows Phone line-of-business (LOB) apps to Microsoft Intune
6/19/2017 2 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

Step 1 - Specify the software setup file


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Manage apps.
4. In the Mobile apps workload, choose Manage > Apps.
5. Above the list of apps, choose Add.
6. In the Add App blade, choose Line-of-business app.

Step 2 - Configure the app package file


1. On the Add app blade, choose App package file.
2. On the App package file blade, choose the browse button, and select a Windows Phone installation file with the
extension .xap.
3. When you are finished, choose OK.

Step 3 - Configure app information


1. On the Add app blade, choose App package file.
2. On the App information blade, configure the following information. Depending on the app you have chosen,
some of the values in this blade might have been automatically filled-in:
Name - Enter the name of the app as it will be displayed in the company portal. Make sure all app names
that you use are unique. If the same app name exists twice, only one of the apps will be displayed to users
in the company portal.
Description - Enter a description for the app. This will be displayed to users in the company portal.
Publisher - Enter the name of the publisher of the app.
Category - Select one or more of the built-in app categories, or a category you created. This will make it
easier for users to find the app when they browse the company portal.
Display this as a featured app in the Company Portal - Display the app prominently on the main
page of the company portal when users browse for apps.
Information URL - Optionally, enter the URL of a website that contains information about this app. The
URL will be displayed to users in the company portal.
Privacy URL - Optionally, enter the URL of a website that contains privacy information for this app. The
URL will be displayed to users in the company portal.
Developer - Optionally, enter the name of the app developer.
Owner - Optionally, enter a name for the owner of this app, for example, HR department.
Notes - Enter any notes you would like to associate with this app.
Logo - Upload an icon that will be associated with the app. This is the icon that will be displayed with the
app when users browse the company portal.
3. When you are finished, choose OK.

Step 4 - Finish up
1. On the Add app blade, verify the information you configured is correct.
2. Choose Add, to upload the app to Intune.
The app you have created will be displayed in the apps list where you can assign it to the groups you choose. For
help, see How to assign apps to groups.
How to add Windows store apps to Microsoft Intune
6/19/2017 6 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

1. Sign into the Azure portal.


2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Manage apps.
4. In the Mobile apps workload, choose Manage > Apps.
5. Above the list of apps, choose Add.
6. In the Add App blade, choose App Information.
7. In the Edit App blade, configure the following information. Once you are done, click Add. Depending on the app
you have chosen, some of the values in this blade might have been automatically filled-in:
App Name - Enter the name of the app as it will be displayed in the company portal. Make sure all app
names that you use are unique. If the same app name exists twice, only one of the apps will be displayed
to users in the company portal.
App Description - Enter a description for the app. This will be displayed to users in the company portal.
Publisher - Enter the name of the publisher of the app.
App store URL - Enter the app store URL of the app you want to create.
Minimum Operating System - From the list, choose the minimum operating system version on which
the app can be installed. If you assign the app to a device with an earlier operating system, it will not be
installed.
Category (optional) - Select one or more of the built-in app categories, or a category you created. This
will make it easier for users to find the app when they browse the company portal.
Display this as a featured app in the Company Portal - Display the app prominently on the main
page of the company portal when users browse for apps.
Information URL - Optionally, enter the URL of a website that contains information about this app. The
URL will be displayed to users in the company portal.
Privacy URL - Optionally, enter the URL of a website that contains privacy information for this app. The
URL will be displayed to users in the company portal.
Developer - Optionally, enter the name of the app developer.
Owner - Optionally, enter a name for the owner of this app, for example, HR department.
Notes - Enter any notes you would like to associate with this app.
Upload Icon - Upload an icon that will be associated with the app. This is the icon that will be displayed
with the app when users browse the company portal.
8. When you are done, on the Add App blade, choose Save.
The app you have created will be displayed in the apps list where you can assign it to the groups you choose. For
help, see How to assign apps to groups.

Manually assign Windows 10 Company Portal app


End users can install the Company Portal app from the Windows Store to manage devices and install apps. If,
however, your business needs require that you assign the Company Portal app, you can manually assign the
Windows 10 Company Portal app directly from Intune, even if you haven't integrated Intune with the Windows
Store for Business.

NOTE
This option will require assigning manual updates each time an app update is released.

1. Log in to your account in the Windows Store for Business and acquire the offline license version of the
Company Portal app.
2. Once the app has been acquired, select the app in the Inventory page.
3. Select Windows 10 all devices as the Platform, then the appropriate Architecture and download. An app
license file is not needed for this app.

4. Download all the packages under Required Frameworks. This must be done for x86, x64 and ARM
architectures resulting in a total of 9 packages as shown below.

1. Before uploading the Company Portal app to Intune, create a folder (e.g., C:\Company Portal) with the packages
structured in the following way:
a. Place the Company Portal package into C:\Company Portal. Create a Dependencies subfolder in this
location as well.
b. Place the nine dependencies packages in the Dependencies folder.
If the dependencies are not placed in this format, Intune will not be able to recognize and upload them
during the package upload, causing the upload to fail with the following error.

2. Return to Intune, then upload the Company Portal app as a new app. Assign it as a required app to the desired
set of target users.
See Deploying an appxbundle with dependencies via Microsoft Intune MDM for more information about how
Intune handles dependencies for Universal apps.
How do I update the Company Portal on my users' devices if they have already installed the older apps from the store?
If your users have already installed the Windows 8.1 or Windows Phone 8.1 Company Portal apps from the Store,
then they should be automatically updated to the new version with no action required from you or your user. If the
update does not happen, ask your users to check that they have enabled autoupdates for Store apps on their
devices.
How do I upgrade my sideloaded Windows 8.1 Company Portal app to the Windows 10 Company Portal app?
Our recommended migration path is to delete the assignment for the Windows 8.1 Company Portal app by setting
the assignment action to Uninstall. Once this is done, the Windows 10 Company Portal app can be assigned using
any of the above options.
If you sideloaded and assigned the Windows 8.1 Company Portal app without signing it with the Symantec
certificate, follow the steps in the Assign directly via Intune section above to complete the upgrade.
If you need to sideload the app and you signed and assigned the Windows 8.1 Company Portal with the Symantec
code-signing certificate, follow the steps in the section below.
How do I upgrade my signed and sideloaded Windows Phone 8.1 Company Portal app or Windows 8.1 Company Portal app to the
Windows 10 Company Portal app?
Our recommended migration path is to delete the existing assignment for the Windows Phone 8.1 Company Portal
app or the Windows 8.1 Company Portal app by setting the assignment action to Uninstall. Once this is done, the
Windows 10 Company Portal app can be assigned normally.
Otherwise, the Windows 10 Company Portal app needs to be appropriately updated and signed to ensure that the
upgrade path is respected.
If the Windows 10 Company Portal app is signed and assigned in this way, you will need to repeat this process for
each new app update when it is available in the store. The app will not automatically update when the store is
updated.
Here's how you sign and assign the app in this way:
1. Download the Microsoft Intune Windows 10 Company Portal App Signing Script from
https://aka.ms/win10cpscript. This script requires the Windows SDK for Windows 10 to be installed on the host
computer. To download the Windows SDK for Windows 10, visit https://go.microsoft.com/fwlink/?LinkId=619296.
2. Download the Windows 10 Company Portal app from the Windows Store for Business, as detailed above.
3. Run the script with the input parameters detailed in the script header to sign the Windows 10 Company Portal
app (extracted below). Dependencies do not need to be passed into the script. These are only required when the
app is being uploaded to the Intune Admin Console.

Parameter - Description
InputWin10AppxBundle - The path to where the source appxbundle file is located.
OutputWin10AppxBundle - The output path for the signed appxbundle file.
Win81Appx - The path to where the Windows 8.1 or Windows Phone 8.1 Company Portal (.APPX) file is located.
PfxFilePath - The path to the Symantec Enterprise Mobile Code Signing Certificate (.PFX) file.
PfxPassword - The password of the Symantec Enterprise Mobile Code Signing Certificate.
PublisherId - The Publisher ID of the enterprise. If absent, the 'Subject' field of the Symantec Enterprise Mobile
Code Signing Certificate is used.
SdkPath - The path to the root folder of the Windows SDK for Windows 10. This argument is optional and defaults to
${env:ProgramFiles(x86)}\Windows Kits\10

The script will output the signed version of the Windows 10 Company Portal app when it has finished running. You
can then assign the signed version of the app as an LOB app via Intune, which will upgrade the currently assigned
versions to this new app.
How to add Windows line-of-business (LOB) apps to Microsoft Intune
6/19/2017 2 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

Step 1 - Specify the software setup file


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Manage apps.
4. In the Mobile apps workload, choose Manage > Apps.
5. Above the list of apps, choose Add.
6. In the Add App blade, choose Line-of-business app.

Step 2 - Configure the app package file


1. On the Add app blade, choose App package file.
2. On the App package file blade, choose the browse button, and select a Windows installation file with the
extension .msi (other installation file types are not supported).
3. When you are finished, choose OK.

Step 3 - Configure app information


1. On the Add app blade, choose App package file.
2. On the App information blade, configure the following information. Depending on the app you have chosen,
some of the values in this blade might have been automatically filled-in:
Name - Enter the name of the app as it will be displayed in the company portal. Make sure all app names
that you use are unique. If the same app name exists twice, only one of the apps will be displayed to users
in the company portal.
Description - Enter a description for the app. This will be displayed to users in the company portal.
Publisher - Enter the name of the publisher of the app.
Category - Select one or more of the built-in app categories, or a category you created. This will make it
easier for users to find the app when they browse the company portal.
Display this as a featured app in the Company Portal - Display the app prominently on the main
page of the company portal when users browse for apps.
Information URL - Optionally, enter the URL of a website that contains information about this app. The
URL will be displayed to users in the company portal.
Privacy URL - Optionally, enter the URL of a website that contains privacy information for this app. The
URL will be displayed to users in the company portal.
Command-line arguments - Optionally, enter any command line arguments that you want to apply to
the .msi file when it runs, like /q.
Developer - Optionally, enter the name of the app developer.
Owner - Optionally, enter a name for the owner of this app, for example, HR department.
Notes - Enter any notes you would like to associate with this app.
Logo - Upload an icon that will be associated with the app. This is the icon that will be displayed with the
app when users browse the company portal.
3. When you are finished, choose OK.

Step 4 - Finish up
1. On the Add app blade, verify the information you configured is correct.
2. Choose Add, to upload the app to Intune.
The app you have created will be displayed in the apps list where you can assign it to the groups you choose. For
help, see How to assign apps to groups.
How to assign apps to Android for Work devices with Intune
6/19/2017 4 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

You assign apps to Android for Work devices in a different way than you assign them to standard Android devices.
All apps you install for Android for Work come from the Google Play for Work store. You log on to the store,
browse for the apps you want, and approve them. The app then appears in the Licensed apps node of the Intune
portal. From here, you can manage assignment of the app in the same way you would assign any other app.
Additionally, if you have created your own line of business (LOB) apps, you can assign them as follows:
Sign up for a Google Developer account that lets you publish apps to a private area in the Google Play store.
Synchronize the apps with Intune.

Before you start


Make sure you have configured Intune and Android for Work to work together in the Device enrollment workload
of the Intune portal.

Synchronize an app from the Google Play for Work store


1. Go to the Google Play for Work store. Sign in with the same account you used to configure the connection
between Intune and Android for Work.
2. Search the store for the app you want to assign using Intune.
3. On the page for the app you chose, choose Approve. In this example, you have chosen the Microsoft Excel app.

4. A window for the app opens asking you to give permissions for the app to perform various operations. Choose
Approve to continue.
5. The app is approved and displays in your IT admin console.

Publish, then synchronize, a line-of-business app from the Google Play for Work store

1. Go to the Google Play Developer Console, play.google.com/apps/publish.
2. Sign in with the same account you used to configure the connection between Intune and Android for Work. If
you are signing in for the first time, you must register, and pay a fee to become a member of the Google
Developer program.
3. In the console, choose Add new application.
4. You upload and provide information about your app in the same way as you publish any app to the Google Play
store. However, you must select the setting Only make this application available to my organization
(<organization name>):

This operation ensures that the app is only available to your organization, and is not available in the public
Google Play store. For more information about how to upload and publish Android apps, see the Google
Developer Console Help.
5. Once you have published your app, go to the Google Play for Work store. Sign in with the same account you
used to configure the connection between Intune and Android for Work.
6. In the Apps node of the store, verify you can see the app you have published. The app is automatically approved
to be synchronized with Intune.

Assign an Android for Work app


If you have approved an app from the store and don't see it in the Licensed apps node of the Mobile apps
workload, force an immediate sync as follows:
1. Sign into the Azure portal.
2. On the Intune blade, choose Mobile apps.
3. In the Mobile apps workload, choose Setup > Android for Work.
4. On the Android for Work blade, choose Sync Now.
5. The page also displays the time and status of the last sync.
When the app is displayed in the Licensed apps node of the Mobile apps workload, you can assign it just like you
would assign any other app. You can assign the app to groups of users only.
After you assign the app, it will be installed on the devices you targeted. The user of the device is not asked to
approve the installation.

Manage Android for Work app permissions


Android for Work requires you approve apps in Google's managed Play web console before syncing them to Intune
and assigning them to your users. Because Android for Work allows you to silently and automatically push these
apps to users' devices, you must accept the app's permissions on behalf of all your users. End users do not see any
app permissions when they install, so it's important that you read and understand these permissions.
When an app developer publishes a new version of the app with updated permissions, those permissions are not
automatically accepted, even if you've approved the previous permissions. Devices that run the old version of the
app can still use it. However, the app is not upgraded until the new permissions are approved. Devices without the
app installed do not install the app until you approve the app's new permissions.
How to update app permissions
Periodically visit the managed Google Play console to check for new permissions. You can configure Google Play to
send you or others an e-mail when new permissions are required for an approved app. If you assign an app and
observe it isn't installed on devices, check for new permissions with the following steps:
1. Visit http://play.google.com/work
2. Sign in with the Google account you used to publish and approve the apps.
3. Visit the Updates tab to see if any apps require an update. Any listed apps require new permissions and are not
assigned until they are applied.
Alternatively, you can configure Google Play to automatically reapprove app permissions on a per app basis.
How to assign apps to groups with Microsoft Intune
6/27/2017 3 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

Once you've added an app to Intune, you can assign it to users and devices.
Apps can be assigned to devices whether or not they are managed by Intune. Use the following table to help
you understand the various options for assigning apps to users and devices:

Assignment option | Devices enrolled with Intune | Devices not enrolled with Intune
Assign to users | Yes | Yes
Assign to devices | Yes | No
Assign wrapped apps, or apps incorporating the Intune SDK (for app protection policies) | Yes | Yes
Assign apps as Available | Yes | Yes
Assign apps as Required | Yes | No
Uninstall apps | Yes | No
End users install available apps from Company Portal app | Yes | No
End users install available apps from web-based Company Portal | Yes | Yes

NOTE
Currently, you can assign iOS and Android apps (both line of business and store-purchased) to devices that are not
enrolled with Intune.

How to assign an app


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Mobile apps.
4. In the Mobile Apps workload, choose Manage > Apps.
5. On the list of apps blade, click the app you want to assign.
6. On the <app name> - Overview blade, choose Manage > Assignments.
7. Choose Select Groups then, on the Select groups blade, choose the Azure AD groups to which you want to
assign the app.
8. For each app you choose, choose an assignment type for the app from:
Available - Users install the app from the Company Portal app or website.
Not Applicable - The app is not installed or shown in the Company Portal.
Required - The app is installed on devices in the selected groups.
Uninstall - The app is uninstalled from devices in the selected groups.
Available with or without enrollment - Assign this app to groups of users whose devices are not
enrolled with Intune.
9. Once you are done, choose Save.
The app is now assigned to the group you selected.

How conflicts between app intents are resolved


Sometimes, the same app is assigned to multiple groups, but with different intents. In these cases, use this table
to understand the resulting intent.

Group 1 intent | Group 2 intent | Resulting intent
User Required | User Available | Required and Available
User Required | User Not Available | Required
User Required | User Uninstall | Required
User Available | User Not Available | Not Available
User Available | User Uninstall | Uninstall
User Not Available | User Uninstall | Uninstall
User Required | Device Required | Both exist, gateway treats as Required
User Required | Device Uninstall | Both exist, gateway resolves Required
User Available | Device Required | Both exist, gateway resolves Required (Required and Available)
User Available | Device Uninstall | Both exist, gateway resolves Available. The app shows up in the Company Portal. If the app is already installed (as a required app with a previous intent), the app gets uninstalled. But if the user clicks Install from the Company Portal, the app gets installed and the uninstall intent is not honored.
User Not Available | Device Required | Required
User Not Available | Device Uninstall | Uninstall
User Uninstall | Device Required | Both exist, gateway resolves Required
User Uninstall | Device Uninstall | Both exist, gateway resolves Uninstall
Device Required | Device Uninstall | Required
User Required and Available | User Available | Required and Available
User Required and Available | User Uninstall | Required and Available
User Required and Available | User Not Available | Required and Available
User Required and Available | Device Required | Both exist, Required and Available
User Required and Available | Device Not Available | Required and Available
User Required and Available | Device Uninstall | Both exist, gateway resolves Required (Required and Available)
User Not Available | Device Not Available | Not Available
User Available | Device Not Available | Available
User Required | Device Not Available | Required
User Available without enrollment | User Required and Available | Required and Available
User Available without enrollment | User Required | Required
User Available without enrollment | User Not Available | Not Available
User Available without enrollment | User Available | Available
User Available without enrollment | Device Required | Required and Available without enrollment
User Available without enrollment | Device Not Available | Available without enrollment
User Available without enrollment | Device Uninstall | Uninstall and Available without enrollment. If the user didn't install the app from the Company Portal, the uninstall will be honored. If the user installs the app from the Company Portal, the install will be prioritized over the uninstall.
NOTE
For managed iOS store apps only, when you add these to Intune and assign them as Required, they are automatically
created with both Required, and Available intents.

Next steps
See How to monitor apps for information to help you monitor app assignments.
How to monitor app information and assignments with Microsoft Intune
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

Intune provides a number of ways in which you can monitor the properties of apps you manage, as well as their
assignment status.
1. In the Mobile Apps workload, choose Manage > Apps.
2. In the list of apps blade, choose the app you want to see information for. You'll then see the <app name>
Device install status blade:


Then, take one of the following actions to learn more about your apps, and their assignments.

General
Overview - Provides a basic overview of the app, and information about the status of any assignments for
that app. You can choose one of the charts to open the Device install status or User install status blades to
get more detailed information.

Manage
Properties - Lets you view and change information about the selected app. For more information about app
properties, see How to add an app to Microsoft Intune.
Assignments - Provides information about assignments for this app. For more information, see How to
assign apps to groups with Microsoft Intune.

Monitor
Device install status - Provides detailed information for each device you assigned the selected app to
including the device name, operating system, when the device last checked-in to Intune, and the status of the
app installation.
User install status - Provides detailed information for each user to whom you assigned the selected app,
including the number of installations of the app the user has on all their devices, and information about any
installation failures.
How to use Microsoft Intune app configuration policies for iOS
6/28/2017 5 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

Use app configuration policies in Microsoft Intune to supply settings that might be required when users run an iOS
app. For example, an app might require users to specify:
A custom port number.
Language settings.
Security settings.
Branding settings such as a company logo.
If users enter these settings incorrectly, this can increase the burden on your help desk and slow the adoption of
new apps.
App configuration policies can help you eliminate these problems by letting you assign these settings to users in a
policy before they run the app. The settings are then supplied automatically, and users need to take no action.
You do not assign these policies directly to users and devices. Instead, you associate a policy with an app, and then
assign the app. The policy settings will be used whenever the app checks for them (typically, the first time it is run).

TIP
This policy type is currently available only for devices running iOS 8.0 and later. It supports the following app installation
types:
Managed iOS app from the app store
App package for iOS
For more information about app installation types, see How to add an app to Microsoft Intune.

Create an app configuration policy


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Mobile apps.
4. In the Mobile apps workload, choose Manage > App Configuration Policies.
5. In the list of policies blade, choose Add.
6. On the Add Configuration Policy blade, supply a name and an optional description for the app
configuration policy.
7. Choose Associated App, then, on the Associated App blade, choose the managed app to which you want to
apply the configuration.
8. On the Add Configuration Policy blade, choose Configuration settings and then, on the Configuration
Settings blade, choose how you want to specify the XML values that make up the configuration profile from:
Enter XML data - enter or paste an XML property list that contains the app configuration settings that
you want. The format of the XML property list will vary depending on the app you are configuring.
Contact the supplier of the app for details about the exact format to use. Intune checks that the XML you
entered is in a valid format. It does not check that the XML property list will work with the app that it is
associated with. To find out more about XML property lists, see Understanding XML Property Lists in the
iOS Developer Library.
Use configuration designer - Lets you specify XML key and value pairs directly in the portal.
9. When you're done, go back to the Add Configuration Policy blade, and hit Create.
The policy will be created and appears on the policies list blade.
Then, continue to assign and monitor the app as usual.
When the assigned app is run on a device, it will run with the settings that you configured in the app configuration
policy.

TIP
If one or more app configuration policies conflict, neither policy is enforced.

Create a MAM targeted configuration policy


MAM targeted configuration allows an app to receive configuration data through the Intune App SDK. The format
and variants of this data must be defined and communicated to Intune customers by the application
owner/developer. Intune administrators can target and deploy configuration data via the Intune Azure console.
MAM targeted configuration data can be provided via the MAM Service to MAM-WE enabled applications. For
example, the Intune Managed Browser has an allowed/blocked URL list. The application configuration data is pushed
through our MAM Service directly to the app instead of through the MDM channel. MDM app configuration
policies are the native solution through MDM. The key difference with MAM targeted configuration is that the
device that the app runs on does not need to be MDM-enrolled. MAM targeted configuration is available on iOS
and Android. For iOS, the app must have incorporated Intune APP SDK for iOS (v 7.0.1) and be participating in app
config settings. The steps for creating a MAM targeted configuration policy are as follows:
1. Sign into the Azure portal.
2. Choose Intune > Mobile apps - App configuration policies.
3. On the App configuration policies blade, choose Add.
4. Enter a Name, and optional Description for the app configuration settings and choose Not enrolled with
Intune.
5. Choose Select required apps and then, on the Targeted apps blade, choose apps for the platforms you
intend.
Note: For LOB apps, select More apps. Enter the package ID for your application.
6. Choose OK to return to the Add app configuration blade.
7. Choose Define configuration. On the Configuration blade, you define key and value pairs to supply
configurations.
8. When you are done, choose OK.
9. On the Add app configuration blade, choose Create.
The new configuration is created, and displayed on the App configuration blade.
Then, continue to assign and monitor the app as usual.
When the assigned app (integrated with the Intune App SDK) runs on a device, it runs with the settings that you
configured in the MAM targeted configuration policy. The app must have integrated the supported version of the
Intune App SDK. For more information about the app development requirements for MAM targeted configuration
policies, see the iOS Intune App SDK Integration Guide.
For more information about the Graph API capabilities for MAM targeted configuration values, see Graph API
Reference MAM Targeted Config.

Information about the XML file format


Intune supports the following data types in a property list:
<integer>
<real>
<string>
<array>
<dict>
<true /> or <false />
For more information about data types, see About Property Lists in the iOS Developer Library.
Additionally, Intune supports the following token types in the property list:
{{userprincipalname}} - (Example: [email protected])
{{mail}} - (Example: [email protected])
{{partialupn}} - (Example: John)
{{accountid}} - (Example: fc0dc142-71d8-4b12-bbea-bae2a8514c81)
{{deviceid}} - (Example: b9841cd9-9843-405f-be28-b2265c59ef97)
{{userid}} - (Example: 3ec2c00f-b125-4519-acf0-302ac3761822)
{{username}} - (Example: John Doe)
{{serialnumber}} - (Example: F4KN99ZUG5V2) for iOS devices
{{serialnumberlast4digits}} - (Example: G5V2) for iOS devices
The {{ and }} characters are used by token types only and must not be used for other purposes.

Example format for an app configuration XML file


When you create an app configuration file, you can specify one or more of the following values by using this
format:
<dict>
    <key>userprincipalname</key>
    <string>{{userprincipalname}}</string>
    <key>mail</key>
    <string>{{mail}}</string>
    <key>partialupn</key>
    <string>{{partialupn}}</string>
    <key>accountid</key>
    <string>{{accountid}}</string>
    <key>deviceid</key>
    <string>{{deviceid}}</string>
    <key>userid</key>
    <string>{{userid}}</string>
    <key>username</key>
    <string>{{username}}</string>
    <key>serialnumber</key>
    <string>{{serialnumber}}</string>
    <key>serialnumberlast4digits</key>
    <string>{{serialnumberlast4digits}}</string>
    <key>udidlast4digits</key>
    <string>{{udidlast4digits}}</string>
</dict>
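Before uploading a dict like the one above, it is worth checking it against the two rules the page states: only the listed plist data types may appear, and the {{ and }} characters may wrap nothing but a supported token name. The following Python script is an added example and is not part of the Intune documentation. It wraps the bare <dict> fragment the portal accepts in a complete plist so that the standard plistlib parser can read it, then walks every value. It also accepts {{udidlast4digits}}, which the sample dict uses although the token list above omits it. The "bad" fragment is constructed for the check.

```python
"""Check an Intune iOS app configuration <dict> fragment before you upload it.

Added example, not from the Intune documentation. Enforces the two rules the
page states: only the listed plist data types may appear, and the characters
"{{" / "}}" may only wrap one of the supported token names.
"""
import plistlib
import re

# Token names listed on the page, plus udidlast4digits, which the page's own
# sample dict uses.
SUPPORTED_TOKENS = {
    "userprincipalname", "mail", "partialupn", "accountid", "deviceid",
    "userid", "username", "serialnumber", "serialnumberlast4digits",
    "udidlast4digits",
}

# plistlib maps <integer>, <real>, <string>, <array>, <dict> and <true/>/<false/>
# to these Python types. <date> and <data> are valid plist elements that Intune
# does not list as supported, so they are reported.
ALLOWED_TYPES = (int, float, str, list, dict, bool)

TOKEN_RE = re.compile(r"\{\{([^{}]*)\}\}")

# The portal takes a bare <dict>; plistlib needs the full document around it.
PLIST_WRAPPER = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<plist version="1.0">\n%s\n</plist>\n'
)


def parse_fragment(fragment: str) -> dict:
    """Wrap the fragment into a complete plist and parse it; the root must be a dict."""
    root = plistlib.loads((PLIST_WRAPPER % fragment).encode("utf-8"))
    if not isinstance(root, dict):
        raise ValueError("top-level element must be <dict>")
    return root


def _check_string(path: str, value: str, problems: list) -> None:
    # Every {{...}} must name a supported token.
    for name in TOKEN_RE.findall(value):
        if name not in SUPPORTED_TOKENS:
            problems.append("%s: unknown token {{%s}}" % (path, name))
    # Once well-formed tokens are removed, no brace pair may remain.
    leftover = TOKEN_RE.sub("", value)
    if "{{" in leftover or "}}" in leftover:
        problems.append("%s: '{{' or '}}' used outside a token" % path)


def _walk(path: str, value, problems: list) -> None:
    if isinstance(value, bool):          # bool is a subclass of int; handle it first
        return
    if isinstance(value, str):
        _check_string(path, value, problems)
    elif isinstance(value, dict):
        for key, child in value.items():
            _walk("%s/%s" % (path, key), child, problems)
    elif isinstance(value, list):
        for i, child in enumerate(value):
            _walk("%s[%d]" % (path, i), child, problems)
    elif not isinstance(value, ALLOWED_TYPES):
        problems.append("%s: unsupported plist type %s" % (path, type(value).__name__))


def validate(fragment: str) -> list:
    """Return a list of problem descriptions; an empty list means the fragment is acceptable."""
    try:
        root = parse_fragment(fragment)
    except Exception as exc:             # malformed XML or plist structure
        return ["parse error: %s" % exc]
    problems = []
    _walk("", root, problems)
    return problems


# A subset of the page's own sample dict.
GOOD_FRAGMENT = """<dict>
<key>userprincipalname</key><string>{{userprincipalname}}</string>
<key>deviceid</key><string>{{deviceid}}</string>
<key>serialnumberlast4digits</key><string>{{serialnumberlast4digits}}</string>
<key>udidlast4digits</key><string>{{udidlast4digits}}</string>
</dict>"""

# Constructed for this check: an unknown token, a stray "{{", and a <date> value.
BAD_FRAGMENT = """<dict>
<key>tenant</key><string>{{tenantid}}</string>
<key>banner</key><string>Welcome {{ to Contoso</string>
<key>issued</key><date>2017-06-19T00:00:00Z</date>
<key>flags</key><array><true/><integer>3</integer></array>
</dict>"""

if __name__ == "__main__":
    print(validate(GOOD_FRAGMENT))  # []
    for problem in validate(BAD_FRAGMENT):
        print(problem)
```

Run it against the dict you intend to paste into the Configuration blade; any line it prints is a setting the app would either receive unexpanded or that Intune would not accept.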
How to use Microsoft Intune app configuration
policies for Android for Work
6/19/2017

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

Use app configuration policies in Microsoft Intune to supply settings that an Android for Work app can read when
users run it. Not all apps support app configuration. Check with the app's developer to see whether the app was built
to support app configuration policies.
App configuration policies let you pre-configure the settings an app exposes before your users run it. Some Android
apps support managed configuration options that you can set in the Intune console with the configuration designer.
Some settings (such as those with Bundle types) cannot be configured with the configuration designer; use the JSON
editor for those values. Settings are supplied to apps automatically when the app is installed.
You do not assign these policies directly to users and devices. Instead, you associate a policy with an app, and then
assign the app. The policy settings are used when the app checks for them, typically the first time it runs.

Use configuration designer


1. In the Intune portal, choose Mobile apps. Under Manage, choose App configuration policies and then click
Add.
2. Set the following details:
Name - The name of the profile that will appear in the Intune console
Description - The description of the profile that will appear in the Intune console
Platform - Select Android
Device enrollment type - Enrolled with Intune is pre-selected for you.
3. Select Associated App to choose the app for which you want to define a configuration policy. Select from the
list of Android for Work apps that you have approved and synchronized with Intune.
4. Select Configuration settings.
5. For Configuration settings format, select Use configuration designer.
6. Choose Add. A list of available configuration settings is displayed. The list includes:
Configuration keys - Name of the setting.
Value type - The setting that can be configured, for example Boolean or String.
Description - A description of the configuration setting.
7. Select the checkboxes of settings you want to configure with this profile, and then click OK.
8. A list of your selected settings is displayed with the available Configuration value. Specify a value for each
setting, and then click OK.

Use JSON editor


1. In the Intune portal, choose Mobile apps. Under Manage, choose App configuration policies and then click
Add.
2. Set the following details:
Name - The name of the profile that will appear in the Intune console
Description - The description of the profile that will appear in the Intune console
Platform - Select Android
Device enrollment type - Enrolled with Intune is pre-selected for you.
3. Select Associated App to choose the app for which you want to define a configuration policy. Select from the
list of Android for Work apps that you have approved and synchronized with Intune.
4. Select Configuration Settings.
5. For Configuration settings format, select Enter JSON editor.
6. In the editor you can define JSON values for configuration settings. You can choose Download JSON
template to download a sample file that you can then configure.
7. When you're done, choose OK and then click Add.
The policy will be created and appears on the policies list blade.
Then, continue to assign and monitor the app as usual.
When the assigned app is run on a device, it will run with the settings that you configured in the app configuration
policy.
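Because the JSON editor is the only way to supply Bundle-typed settings, it is safer to generate and sanity-check that JSON than to hand-edit the downloaded template. The following Python example is added here and is not taken from the Intune documentation. It assumes the template follows the Google Play EMM API ManagedConfiguration resource: a kind of androidenterprise#managedConfiguration, a productId of the form app:<package>, and a managedProperty list whose entries carry a key and exactly one value field (valueBool, valueInteger, valueString, valueStringArray, valueBundle or valueBundleArray), with valueBundle nesting a further managedProperty list. The package name and setting keys are invented for illustration.

```python
"""Build and check the JSON an Intune Android for Work app configuration
policy takes in the JSON editor.

Added example, not from the Intune documentation. Assumption: the template the
portal offers follows the Google Play EMM API ManagedConfiguration resource,
where each entry of "managedProperty" has a "key" and exactly one of
valueBool, valueInteger, valueString, valueStringArray, valueBundle or
valueBundleArray. Bundle values nest another "managedProperty" list, which is
the case the configuration designer cannot express.
"""
import json

# Value field name -> Python type the field must hold.
VALUE_FIELDS = {
    "valueBool": bool, "valueInteger": int, "valueString": str,
    "valueStringArray": list, "valueBundle": dict, "valueBundleArray": list,
}


def prop(key: str, value) -> dict:
    """Turn one Python value into a managedProperty entry, picking the value field by type."""
    if isinstance(value, bool):                 # bool before int: bool is a subclass of int
        return {"key": key, "valueBool": value}
    if isinstance(value, int):
        return {"key": key, "valueInteger": value}
    if isinstance(value, str):
        return {"key": key, "valueString": value}
    if isinstance(value, dict):                 # nested bundle
        return {"key": key, "valueBundle": {"managedProperty": [prop(k, v) for k, v in value.items()]}}
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return {"key": key, "valueStringArray": value}
    if isinstance(value, list) and all(isinstance(v, dict) for v in value):   # array of bundles
        return {"key": key, "valueBundleArray": [
            {"managedProperty": [prop(k, v) for k, v in item.items()]} for item in value]}
    raise TypeError("unsupported value for %r: %r" % (key, value))


def managed_configuration(package: str, settings: dict) -> dict:
    """Assemble the document for one app; productId is the Play package prefixed with 'app:'."""
    return {
        "kind": "androidenterprise#managedConfiguration",
        "productId": "app:" + package,
        "managedProperty": [prop(k, v) for k, v in settings.items()],
    }


def _check_props(props: list, path: str, problems: list) -> None:
    seen = set()
    for entry in props:
        key = entry.get("key")
        here = "%s/%s" % (path, key)
        if key in seen:
            problems.append(here + ": duplicate key")
        seen.add(key)
        fields = [f for f in entry if f in VALUE_FIELDS]
        if len(fields) != 1:
            problems.append("%s: expected exactly one value field, found %s" % (here, fields))
            continue
        field = fields[0]
        val = entry[field]
        # bool would pass the int check, so reject it explicitly for valueInteger
        if not isinstance(val, VALUE_FIELDS[field]) or (field == "valueInteger" and isinstance(val, bool)):
            problems.append("%s: %s has the wrong type" % (here, field))
        elif field == "valueBundle":
            _check_props(val.get("managedProperty", []), here, problems)
        elif field == "valueBundleArray":
            for i, bundle in enumerate(val):
                _check_props(bundle.get("managedProperty", []), "%s[%d]" % (here, i), problems)


def validate(config: dict) -> list:
    """Return problems found in a hand-edited document; an empty list means it is consistent."""
    problems = []
    if config.get("kind") != "androidenterprise#managedConfiguration":
        problems.append("kind must be androidenterprise#managedConfiguration")
    if not str(config.get("productId", "")).startswith("app:"):
        problems.append("productId must be 'app:<package name>'")
    _check_props(config.get("managedProperty", []), "", problems)
    return problems


# Constructed settings for a hypothetical LOB app; package name and keys are illustrative.
EXAMPLE = managed_configuration("com.contoso.fieldapp", {
    "ServerUrl": "https://fieldapp.contoso.com",
    "AllowScreenshots": False,
    "SyncIntervalMinutes": 15,
    "AllowedDomains": ["contoso.com", "contoso.sharepoint.com"],
    "Proxy": {"Host": "proxy.contoso.com", "Port": 8080, "Bypass": ["localhost"]},
})


def broken_example() -> dict:
    """Copy EXAMPLE and add the two mistakes hand-editing the JSON most often produces."""
    cfg = json.loads(json.dumps(EXAMPLE))
    cfg["managedProperty"][1]["valueString"] = "false"          # second value field on AllowScreenshots
    cfg["managedProperty"].append(prop("ServerUrl", "https://other.example"))  # duplicate key
    return cfg


if __name__ == "__main__":
    print(json.dumps(EXAMPLE, indent=2))
    print(validate(EXAMPLE))          # []
    print(validate(broken_example()))
```

Paste the output of json.dumps(EXAMPLE, indent=2) into the editor; the nested Proxy bundle is exactly the kind of value the configuration designer has no control for.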

Preconfigure permissions grant state for apps


You can also preconfigure the permission grant state for apps that access Android device features. By default,
Android apps that require runtime permissions, such as access to location or the device camera, prompt the user to
accept or deny each permission. For example, if an app uses the device's microphone, the user is prompted to grant
the app permission to use the microphone.
1. In the Intune portal, choose Mobile apps. Under Manage, choose App configuration policies and then click
Add.
2. Set the following details:
Name - The name of the profile that will appear in the Intune console
Description - The description of the profile that will appear in the Intune console
Platform - Select Android
Device enrollment type - Enrolled with Intune is pre-selected for you.
3. Select Associated App to choose the app for which you want to define a configuration policy. Select from the
list of Android for Work apps that you have approved and synchronized with Intune.
4. Select Permissions and then choose Add.
5. Select from the list of available app permissions and then choose OK.
6. Select an option for each permission to grant with this policy:
Prompt - Prompt the user to accept or deny.
Auto grant - Automatically approve without notifying the user.
Auto deny - Automatically deny without notifying the user.
7. To assign the app configuration policy, select the app configuration policy, select Assignment, and then select
Select groups.
8. Select the user groups to assign, and then choose Select.
9. Choose Save to assign the policy.
Use iOS mobile provisioning profiles to prevent your
apps from expiring
6/19/2017

Introduction
Apple iOS line-of-business apps that are assigned to iPhones and iPads are built with an embedded provisioning
profile and code that is signed with a certificate. When the app runs, iOS confirms the integrity of the app and
enforces the policies defined by the provisioning profile. The following validations happen:
Installation file integrity - iOS verifies the app's code signature against the public key of the enterprise signing
certificate. If the signature does not validate, the app's content might have been altered, and iOS does not allow
the app to run.
Capabilities enforcement - iOS enforces the app's capabilities (entitlements) from the enterprise provisioning
profile (not individual developer provisioning profiles) embedded in the app installation (.ipa) file.
The enterprise signing certificate that you use to sign apps typically lasts for three years, but the provisioning
profile expires after one year. While the certificate is still valid, Intune gives you the tools to proactively assign a new
provisioning profile to devices that have apps nearing expiry. After the certificate expires, you must sign the app
again with a new certificate and embed a new provisioning profile generated for the new certificate.
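The one-year profile lifetime described above is what makes tracking expiry worthwhile. The following Python script is an added example and is not part of the Intune documentation: it pulls the property-list payload out of a .mobileprovision file's CMS (PKCS#7) wrapper without verifying the signature, reads ExpirationDate, and reports how many days remain, so you know which apps need a new profile assigned before they stop launching. The profile bytes are constructed in the script, and the team identifier, UUID and bundle identifier are placeholders.

```python
"""Find iOS provisioning profiles that are about to expire, so a replacement
can be assigned through Intune while the signing certificate is still valid.

Added example, not from the Intune documentation. A .mobileprovision file is a
CMS (PKCS#7) signed blob whose payload is an XML property list with keys such as
Name, UUID, TeamIdentifier, ExpirationDate and Entitlements. This script does
not verify the CMS signature (on macOS `security cms -D -i <file>` does); it only
locates the embedded plist and reads the dates. The sample profiles are
constructed in code, with arbitrary bytes standing in for the CMS wrapper.
"""
import plistlib
from datetime import datetime, timezone


def extract_plist(blob: bytes) -> dict:
    """Locate the XML plist inside the signed wrapper and parse it."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded property list found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def days_until_expiry(profile: dict, now: datetime) -> int:
    """Whole days from `now` (timezone-aware) to ExpirationDate; negative once expired."""
    expires = profile["ExpirationDate"]
    if expires.tzinfo is None:          # plistlib returns naive datetimes that are UTC
        expires = expires.replace(tzinfo=timezone.utc)
    return (expires - now).days


def profile_report(blob: bytes, now: datetime, warn_days: int = 30) -> dict:
    """Summarise one profile: identity, days left, and whether it needs renewing."""
    profile = extract_plist(blob)
    days = days_until_expiry(profile, now)
    if days < 0:
        status = "expired"
    elif days <= warn_days:
        status = "renew"
    else:
        status = "ok"
    return {
        "name": profile.get("Name"),
        "uuid": profile.get("UUID"),
        "team": (profile.get("TeamIdentifier") or [None])[0],
        "app_id": profile.get("Entitlements", {}).get("application-identifier"),
        "days_left": days,
        "status": status,
    }


def fake_profile(expires: datetime) -> bytes:
    """Constructed stand-in for a signed .mobileprovision: junk bytes around a real plist."""
    payload = plistlib.dumps({
        "Name": "Contoso LOB Distribution",
        "UUID": "00000000-0000-4000-8000-000000000000",   # placeholder
        "TeamIdentifier": ["ABCDE12345"],                  # placeholder
        "ExpirationDate": expires,                          # naive datetime, serialised as UTC
        "Entitlements": {"application-identifier": "ABCDE12345.com.contoso.fieldapp"},
    })
    return b"\x30\x82\x0b\x3e\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02" + payload + b"\x31\x82\x01\x00"


def demo() -> list:
    """Evaluate three constructed profiles as of 19 June 2017, the page's own date."""
    now = datetime(2017, 6, 19, tzinfo=timezone.utc)
    return [profile_report(fake_profile(d), now)
            for d in (datetime(2017, 6, 1), datetime(2017, 7, 1), datetime(2018, 6, 19))]


if __name__ == "__main__":
    for row in demo():
        print("%-8s %5d days  %s (%s)" % (row["status"], row["days_left"], row["name"], row["uuid"]))
```

To use it on real files, replace fake_profile with the bytes read from each .mobileprovision you have uploaded to Intune, and treat any "renew" row as a prompt to create and assign a new iOS provisioning profile as described in the next section.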

How to create an iOS mobile app provisioning profile


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Mobile apps.
4. In the Mobile apps workload, choose Manage > iOS provisioning profiles.
5. In the list of profiles blade, choose Create profile.
6. In the Create profile blade, configure the following values:
Name - Provide a name for this mobile provisioning profile.
Description - Optionally, provide a description for the policy.
Upload profile file - Choose Import, and then choose an Apple mobile provisioning profile file (with the
extension .mobileprovision) that you downloaded from the Apple Developer website.
7. When you are done, choose Create.

Next steps
Assign the profile to the required iOS devices. For more information, use the steps in How to assign device profiles.
How to wipe only corporate data from Intune-
managed apps
6/19/2017

When a device is lost or stolen, or if the employee leaves your company, you want to make sure company app data
is removed from the device. But you might not want to remove personal data on the device, especially if this is an
employee-owned device.
To selectively remove company app data, create a wipe request by using the steps in this topic. After the request is
finished, the next time the app runs on the device, company data is removed from the app.

IMPORTANT
Contacts synced directly from the app to the native address book are removed. Any contacts synced from the native address
book to another external source cannot be wiped. Currently, this only applies to the Microsoft Outlook app.

Create a wipe request


1. Sign in to the Azure portal.
2. Choose More Services, type Intune in the filter textbox, and select Intune. On the Intune blade, choose
Mobile apps.
3. On the Mobile Apps blade, choose App Selective Wipe.
4. Choose New wipe request. The New wipe request blade opens.

5. Choose User to open the User blade, and select the user whose app data you want to wipe.
6. Choose Device. The Device blade lists all the devices associated with the selected user in two columns: the
device name, which is a friendly name defined by the user, and the device type, which is its platform. Select the
device you want to wipe.
7. You are now back on the New wipe request blade. Choose OK to make the wipe request.
The service creates and tracks a separate wipe request for each protected app on the device, tied to the user
associated with the request.

Monitor your wipe requests


You can see a summarized report that shows the overall status of your wipe requests, including the number of
pending requests and failures. To get more details, follow these steps:
1. On the Mobile Apps - App Selective Wipe blade, you can see the list of your requests grouped by user.
Because the system creates a wipe request for each protected app running on the device, you might see
multiple requests for a user. The status indicates whether a wipe request is pending, failed, or successful.
The device name and device type are also shown, which can be helpful when reading the reports.

IMPORTANT
The user must open the app for the wipe to occur, and the wipe may take up to 30 minutes after the request was made.

Delete a wipe request


Wipes with pending status are displayed until you manually delete them. To manually delete a wipe request:
1. On the Mobile Apps - App Selective Wipe blade, open the list of wipe requests.
2. Right-click the wipe request you want to delete, and then choose Delete wipe request.

3. When you are prompted to confirm the deletion, choose Yes to confirm or No to cancel, and then click OK.
See also
What are app protection policies?
What is app management?
Manage volume-purchased apps and books with
Microsoft Intune
6/19/2017

Some app stores give you the ability to purchase multiple licenses for an app or books that you want to use in your
company. Buying licenses in bulk can help you reduce the administrative overhead of tracking multiple purchased
copies of apps and books.
Microsoft Intune helps you manage apps and books that you purchased through such a program. You can import
license information from the store, track how many licenses you have used, and ensure you don't install more
copies of the app or book than you own.

Which types of apps and books can you manage?


With Intune, you can manage apps and books that you purchased in volume from the iOS store, and manage apps
that you purchased from the Windows Store for Business. To discover how to manage licensed apps from each
store, choose one of the following topics:
Manage iOS volume-purchased apps
Manage volume-purchased apps from the Windows Store for Business
How to manage iOS eBooks
How to manage iOS apps you purchased through a
volume-purchase program with Microsoft Intune
6/27/2017

The iOS app store lets you purchase multiple licenses for an app that you want to run in your company.
Purchasing multiple copies of an app helps you reduce the administrative overhead of tracking multiple purchased
copies of apps.
Microsoft Intune helps you manage apps that you purchased through this program by:
Importing the license information from the app store
Tracking how many of the licenses you have used
Preventing you from installing more copies of the app than you own
Additionally, you can synchronize, manage, and assign books you purchased from the Apple volume-purchase
program store with Intune. Use the Books workload in the Intune portal to manage books. The procedures to
manage books are the same as you use for managing apps. You must have uploaded an Apple Volume Purchase
Program token before you start. Currently, you can only assign books as a Required install. When you assign a
book to a device, that device must have the built-in iBooks app installed. If it is not, the end user must reinstall the
app in order to read the book. You cannot currently use Intune to restore removed built-in apps.

Manage volume-purchased apps for iOS devices


Purchase multiple licenses for iOS apps through the Apple Volume Purchase Program for Business or the Apple
Volume Purchase Program for Education. This process involves setting up an Apple VPP account from the Apple
website and uploading the Apple VPP token to Intune. You can then synchronize your volume purchase
information with Intune and track your volume-purchased app use.

Before you start


Before you start, you need to get a VPP token from Apple and upload it to your Intune account. Additionally, you
should understand the following criteria:
You can associate multiple volume-purchase program tokens with your Intune account.
If you previously used a VPP token with a different product, you must generate a new one to use with Intune.
Each token is valid for one year.
By default, Intune syncs with the Apple VPP service twice a day. You can start a manual sync at any time.
After you have imported the VPP token to Intune, do not import the same token to any other device
management solution. Doing so might result in the loss of license assignment and user records.
Before you start to use iOS VPP with Intune, remove any existing VPP user accounts created with other mobile
device management (MDM) vendors. Intune does not synchronize those user accounts into Intune as a security
measure. Intune only synchronizes data from the Apple VPP service that Intune created.
Intune supports adding up to 256 VPP tokens.
If you assign a volume-purchased app for a device enrolled through a Device Enrollment Profile or Apple
Configurator, only apps that are targeted to devices work. You cannot target volume-purchased apps to users
of a DEP device, which does not have any user affinity.
A VPP token is only supported for use on one Intune account at a time. Do not reuse the same VPP token for
multiple Intune tenants.

To get and upload an Apple VPP token


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Mobile apps.
4. In the Mobile Apps workload, choose Setup > iOS VPP Tokens.
5. On the list of VPP tokens blade, click Add.
6. On the New VPP Token blade, specify the following information:
VPP token file - If you haven't already, sign up for the Volume Purchase Program for Business or the
program for Education. After you sign up, download the Apple VPP token for your account and select it
here.
Apple ID - Enter the Apple ID of the account associated with the volume-purchase program.
Type of VPP account - Choose from Business or Education.
7. When you are done, click Upload.
The token is displayed in the list of tokens blade.
You can synchronize the data held by Apple with Intune at any time by choosing Sync now.

NOTE
Microsoft Intune only syncs information for apps that are publicly available through the iTunes Store. Custom B2B apps
for iOS are not yet supported. If your scenario targets such apps, the app information is not synchronized.

To assign a volume-purchased app


1. In the Mobile Apps workload, choose Manage > Licensed Apps.
2. On the list of apps blade, choose the app you want to assign, and then choose '...' > Assign Groups.
3. On the <app name> - Groups Assigned blade, choose Manage > Groups Assigned.
4. Choose Assign Groups then, on the Select groups blade, choose the Azure AD user or device groups to which
you want to assign the app. You must choose an assignment action of Required. Additionally, assignments to
device groups are available to new tenants created after January 2017. If your tenant was created before this
date, and you do not have the option to assign VPP apps to device groups, contact Intune support.
5. Once you are done, choose Save.

NOTE
The list of apps displayed is associated with a token. If you have an app that is associated with multiple VPP tokens, you see
the same app being displayed multiple times; once for each token.

See How to monitor apps for information to help you monitor app assignments.

Further information
When you assign the app as a Required installation, each user who installs the app uses a license.
To reclaim a license, you must change the assignment action to Uninstall. The license will be reclaimed after the
app is uninstalled.
When a user with an eligible device first tries to install a VPP app, they are asked to join the Apple Volume
Purchase program. They must join before the app installation proceeds. The invitation to join the Apple Volume
Purchase program requires that the user can use the iTunes app on the iOS device. If you have set a policy to
disable the iTunes Store app, user-based licensing for VPP apps does not work. The solution is to either allow the
iTunes app by removing the policy, or use device-based licensing.
When you assign a VPP app as Available, the app content and license are assigned directly from the app store.
How to manage apps you purchased from the
Windows Store for Business with Microsoft Intune
6/29/2017

The Windows Store for Business gives you a place to find and purchase apps for your organization, individually, or
in volume. By connecting the store to Microsoft Intune, you can manage volume-purchased apps from the Intune
portal. For example:
You can synchronize the list of apps you have purchased from the store with Intune.
Apps that are synchronized appear in the Intune administration console; you can assign these apps like any
other apps.
You can track how many licenses are available, and how many are being used in the Intune administration
console.
Intune blocks assignment and installation of apps if there are an insufficient number of licenses available.

Before you start


Review the following information before you start syncing and assigning apps from the Windows Store for
Business:
Configure Intune as the mobile device management authority for your organization.
You must have signed up for an account on the Windows Store for Business.
Once you have associated a Windows Business Store account with Intune, you cannot change to a different
account in the future.
Apps purchased from the store cannot be manually added to or deleted from Intune. They can only be
synchronized with the Windows Store for Business.
Intune synchronizes both online and offline licensed apps you have purchased from the Windows Store for
Business.
Only offline apps that are free of charge can be synced to Intune.
To use this capability, devices must be joined to Active Directory Domain Services, or workplace-joined.
Enrolled devices must be using the 1511 release of Windows 10 or later.

Associate your Windows Store for Business account with Intune


Before you enable synchronization in the Intune console, you must configure your store account to use Intune as a
management tool:
1. Ensure that you sign into the Business Store using the same tenant account you use to sign into Intune.
2. In the Business Store, choose Settings > Management tools.
3. On the Management tools page, choose Add a management tool, and choose Microsoft Intune.
NOTE
You could previously only associate one management tool to assign apps with the Windows Store for Business. You can now
associate multiple management tools with the store, for example, Intune and Configuration Manager.

You can now continue, and set up synchronization in the Intune console.

Configure synchronization
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Mobile apps.
4. On the Mobile Apps blade, choose Setup > Windows Store for Business.
5. Click Enable.
6. If you haven't already done so, click the link to sign up for the Windows Store for Business and associate your
account as detailed previously.
7. From the Language drop-down list, choose the language in which apps from the Windows Store for Business
are displayed in the Intune portal. Regardless of the language in which they are displayed, they are installed in
the end user's language when available.
8. Click Sync to get the apps you've purchased from the Windows Store into Intune.

Synchronize apps
1. In the Mobile apps workload, choose Setup > Windows Store for Business.
2. Click Sync to get the apps you've purchased from the Windows Store into Intune.

Assign apps
You assign apps from the store in the same way you assign any other Intune app. For more information, see How
to assign apps to groups with Microsoft Intune. However, instead of assigning apps from the All Apps page, you
assign them from the Licensed Apps page.
Offline apps can be targeted to user groups, device groups, or groups with users and devices. Offline apps can be
installed for a specific user on a device or for all users on a device.
When you assign a Windows Store for Business app, a license is used by each user who installs the app. If you use
all of the available licenses for an assigned app, you cannot assign any more copies. Take one of the following
actions:
Uninstall the app from some devices.
Reduce the scope of the current assignment, targeting only the users you have sufficient licenses for.
Buy more copies of the app from the Windows Store for Business.
How to manage iOS eBooks you purchased through
a volume-purchase program with Microsoft Intune
6/19/2017

The Apple Volume Purchase Program (VPP) lets you purchase multiple licenses for a book that you want to
distribute to users in your company. You can distribute books from the Business, or Education stores.
Microsoft Intune helps you synchronize, manage, and assign books that you purchased through this program. You
can import license information from the store and track how many of the licenses you have used.
The procedures to manage books are similar to managing VPP apps.

Manage volume-purchased books for iOS devices


You buy multiple licenses for iOS books through the Apple Volume Purchase Program for Business or the Apple
Volume Purchase Program for Education. This process involves setting up an Apple VPP account from the Apple
website and uploading the Apple VPP token to Intune. You can then synchronize your volume purchase information
with Intune and track your volume-purchased book use.

Before you start


Before you start, get a VPP token from Apple and upload it to your Intune account. Additionally:
You can associate up to 256 VPP tokens with your Intune account.
If you previously used a VPP token with a different product, you must generate a new one to use with Intune.
Each token is valid for one year.
By default, Intune syncs with the Apple VPP service twice a day. You can start a manual sync at any time.
After you have imported the VPP token to Intune, do not import the same token to any other device
management solution. Doing so might result in the loss of license assignment and user records.
Before you start to use iOS books with Intune, remove any existing VPP user accounts created with other mobile
device management (MDM) vendors. Intune does not synchronize those user accounts into Intune as a security
measure. Intune synchronizes only data from the Apple VPP service that Intune created.
Currently, you can only assign books as a Required install. When you assign the book as a Required
installation, each user who installs the book uses a license.
When you assign a book to a device, that device must have the built-in iBooks app installed. If it is not, the end
user must reinstall the app before they can read the book. You cannot currently use Intune to restore removed
built-in apps.
You can only assign books from the Apple Volume Purchase Program site. You cannot upload, then assign
books you created in-house.
You cannot currently assign books to end-user categories in the same way as you do apps.
You cannot reclaim a license once the book is assigned.
When a user with an eligible device first tries to install a VPP book, they must join the Apple Volume Purchase
program before they can install a book. You can also assign licenses to security groups with managed Apple IDs.
If you do this, then users are not prompted for their Apple ID when a book is installed.

To get and upload an Apple VPP token


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Mobile apps.
4. In the Mobile Apps workload, choose Setup > iOS VPP Tokens.
5. On the list of VPP tokens blade, click Add.
6. On the New VPP Token blade, specify the following information:
VPP token file - Ensure you have signed up for the Volume Purchase Program for Business or the Volume
Purchase Program for Education. Then, download the Apple VPP token for your account and select it here.
Apple ID - Enter the Apple ID of the account associated with the volume-purchase program.
Type of VPP account - Choose from Business or Education.
7. When you are done, click Upload.
The token is displayed in the list of tokens blade.
You can synchronize the data held by Apple with Intune at any time by choosing Sync now.

To assign a volume-purchased book


1. In the eBooks workload, choose Manage > All eBooks.
2. On the list of books blade, choose the book you want to assign, and then choose '...' > Assign Groups.
3. On the <book name> - Groups Assigned blade, choose Manage > Groups Assigned.
4. Choose Assign Groups then, on the Select groups blade, choose the Azure AD user groups to which you want
to assign the book. Device groups are currently not supported. Choose an assignment action of Required.
5. Once you are done, choose Save.

Next steps
See How to monitor apps for information to help you monitor book assignments.
How to configure the Microsoft Intune Company
Portal app
6/19/2017

The Microsoft Intune company portal is where users access company data and can do common tasks like enrolling
devices, installing apps, and locating information for assistance from your IT department.

TIP
When you customize the Company Portal, the configurations apply to both the Company Portal website and Company
Portal apps.

Customizing the Company Portal helps provide a familiar and helpful experience for your end users. To do it, from
the Mobile apps workload, choose Setup > Company Portal Branding, then configure the required settings.

Company contact information and privacy statement


The company name is displayed as the Company Portal title. The contact information and details are displayed to
users in the Contact IT screen of the Company Portal. The privacy statement is displayed when a user clicks on the
privacy link.

FIELD NAME (MAX LENGTH): MORE INFORMATION

Company name (40): This name is displayed as the title of the Company Portal.

IT department contact name (40): This name is displayed on the Contact IT page.

IT department phone number (20): This contact number is displayed on the Contact IT page.

IT department email address (40): This contact address is displayed on the Contact IT page. You must enter a
valid email address in the format [email protected].

Additional information (120): Displayed on the Contact IT page.

Company privacy statement URL (79): You can specify your own company privacy statement that appears when
users click the privacy links from the Company Portal. You must enter a valid URL in the format
https://www.contoso.com.

Support contacts
The support website is displayed to users in the Company Portal to enable them to access online support.

FIELD NAME (MAX LENGTH): MORE INFORMATION

Support website URL (150): If you have a support website that you want your users to use, specify the URL here.
The URL must be in the format https://www.contoso.com. If you don't specify a URL, nothing is displayed for the
support website on the Contact IT page in the Company Portal.

Support website name (40): This is the friendly name displayed for the support website URL. If you specify a
support website URL and no friendly name, Go to IT website is displayed on the Contact IT page in the Company
Portal.

Company branding customization

You can customize your Company Portal with your company logo, company name, theme color and background.

Field name        | More information
Theme color       | Select a theme color to apply to the Company Portal.
Show company logo | When you enable this option, you can upload your company logo to show in your Company Portal. You can upload two logos: one logo that is displayed when the Company Portal background is white, and one logo that is displayed when the Company Portal background uses your selected theme color. Each logo must be a .png or .jpg file type and have a maximum resolution of 400 x 100 pixels and be 750 KB or less in size. You can also show the company name you entered next to the uploaded logo.

After you save your changes, you can choose Preview your settings in the Intune Web Portal to see how your
configurations will look.
Manage Internet access using Managed browser policies with Microsoft Intune
6/29/2017

APPLIES TO: INTUNE ON AZURE

The Managed Browser is a web browsing app that you can download from public app stores for use in your organization. When configured with Intune, the Managed Browser can be:
- Used to access corporate sites and SaaS apps with Single Sign-On via the MyApps service, while keeping web data protected.
- Pre-configured with a list of URLs and domains to restrict which sites the user can navigate to in the corporate context.
- Pre-configured with a homepage, and bookmarks you specify (Android only).
Because this app has integration with the Intune SDK, you can also apply app protection policies to it. These policies include controlling the use of cut, copy, and paste, preventing screen captures, and ensuring that links to content that users select open only in other managed apps. For details, see What are app protection policies? You can apply these settings to devices that are enrolled with Intune, enrolled with another device management product, or to devices that are not managed.

IMPORTANT
The Managed Browser app only retrieves and applies Intune app protection policies when another app on the device has
retrieved an app protection policy.

If users install the Managed Browser from the app store and Intune does not manage it, it can be used as a basic
web browser, with support for Single Sign-On through the Microsoft MyApps site. Users are taken directly to the
MyApps site, where they can see all of their provisioned SaaS applications. While the Managed Browser is not
managed by Intune, it cannot access data from other Intune-managed applications.
The Managed Browser does not support the Secure Sockets Layer version 3 (SSLv3) cryptographic protocol.
You can create Managed Browser policies for the following device types:
- Devices that run Android 4 and later
- Devices that run iOS 8.0 and later
The Intune Managed Browser supports opening web content from Microsoft Intune application partners.

Create a Managed Browser app configuration


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune App Protection.
3. On the Settings blade of the Intune mobile application management dashboard, choose App configuration.
4. On the App Configuration blade, choose Add Config.
5. On the Add app configuration blade, enter a Name, and optional Description for the app configuration
settings.
6. Choose Select required apps and then, on the Targeted apps blade, choose the Managed Browser for iOS,
for Android, or for both.
7. Choose OK to return to the Add app configuration blade.
8. Choose Define configuration. On the Configuration blade, you define key and value pairs to supply
configurations for the Managed Browser. Use the sections later in this topic to learn about the different key
and value pairs you can define.
9. When you are done, click OK.
10. On the Add app configuration blade, choose Create.
11. The new configuration is created, and displayed on the App configuration blade.

Assign the configuration settings you created


You assign the settings to Azure AD groups of users. If that user has the Managed Browser app installed, then the
app is managed by the settings you specified.
1. On the Settings blade of the Intune mobile application management dashboard, choose App configuration.
2. From the list of app configurations, select the one you want to assign.
3. On the next blade, choose User Groups.
4. On the User groups blade, select the Azure AD group to which you want to assign the app configuration, and
then choose OK.

How to configure Application Proxy settings for the Managed Browser


The Intune Managed Browser and Azure AD Application Proxy can be used together to support the following scenarios for users of iOS and Android devices:
- A user downloads and signs in to the Microsoft Outlook app. Intune app protection policies are automatically applied. They encrypt saved data and block the user from transferring corporate files to unmanaged apps or locations on the device. When the user then clicks a link to an intranet site in Outlook, you can specify that the link opens in the Managed Browser app, rather than another browser. The Managed Browser recognizes that this intranet site has been exposed to the user through the Application Proxy. The user is automatically routed through the Application Proxy, to authenticate with any applicable multi-factor authentication, and conditional access before reaching the intranet site. This site, which could previously not be found while the user was remote, is now accessible and the link in Outlook works as expected.
- A remote user opens the Managed Browser application and navigates to an intranet site using the internal URL. The Managed Browser recognizes that this intranet site has been exposed to the user via the Application Proxy. The user is automatically routed through the Application Proxy, to authenticate with any applicable multi-factor authentication, and conditional access before reaching the intranet site. This site, which could previously not be found while the user was remote, is now accessible.
Before you start
- Ensure that your internal applications are published through Azure AD Application Proxy.
- To configure Application Proxy and publish applications, see the setup documentation.
- You must be using minimum version 1.2.0 of the Managed Browser app.
- Users of the Managed Browser app have an Intune app protection policy assigned to the app.
Step 1: Enable automatic redirection to the Managed Browser from Outlook
Outlook must be configured with an app protection policy that enables the setting Restrict web content to display in the Managed Browser.
Step 2: Assign an app configuration policy for the Managed Browser
This procedure configures the Managed Browser app to use app proxy redirection. Using the procedure to create a Managed Browser app configuration, supply the following key and value pair:
Key
com.microsoft.intune.mam.managedbrowser.AppProxyRedirection
Value
true

How to configure the homepage for the Managed Browser (Android only)

This setting allows you to configure the homepage that users see when they start the Managed Browser or create a new tab. Using the procedure to create a Managed Browser app configuration, supply the following key and value pair:
Key
com.microsoft.intune.mam.managedbrowser.homepage
Value
Specify a valid URL. Incorrect URLs are blocked as a security measure.
Example: https://www.bing.com

How to configure bookmarks for the Managed Browser (Android only)


This setting allows you to configure a set of bookmarks that is available to users of the Managed Browser.
- These bookmarks cannot be deleted or modified by users.
- These bookmarks display at the top of the list. Any bookmarks that users create are displayed below these bookmarks.
Using the procedure to create a Managed Browser app configuration, supply the following key and value pair:
Key
com.microsoft.intune.mam.managedbrowser.bookmarks
Value
The value for this configuration is a list of bookmarks. Each bookmark consists of the bookmark title, and the bookmark URL. Separate the title, and URL with the | character.
Example: Microsoft Bing|https://www.bing.com
To configure multiple bookmarks, separate each pair with the double character, ||
Example: Bing|https://www.bing.com||Contoso|https://www.contoso.com
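
The app proxy redirection, homepage and bookmark key/value pairs from the sections above, assembled and validated in code. This is an added example and not Intune's own code: the key names are the ones documented above, while the validation rules (an absolute http or https URL; no "|" inside a bookmark title, because "|" and "||" are the separators the value relies on) and the function names are this example's assumptions.

```python
"""Assemble Managed Browser app configuration values (added example).

Not Intune's own code. The three keys are the ones documented above; the
validation rules and function names are this example's assumptions, chosen
because '|' and '||' are the separators the bookmarks value relies on.
"""
from urllib.parse import urlsplit

KEY_APP_PROXY = "com.microsoft.intune.mam.managedbrowser.AppProxyRedirection"
KEY_HOMEPAGE = "com.microsoft.intune.mam.managedbrowser.homepage"
KEY_BOOKMARKS = "com.microsoft.intune.mam.managedbrowser.bookmarks"


def valid_url(url):
    """Absolute http(s) URL with a host and no '|' (which would split the value)."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc) and "|" not in url


def is_valid_bookmark(title, url):
    """A title must be non-empty and must not contain the '|' separator."""
    return bool(title) and "|" not in title and valid_url(url)


def encode_bookmarks(bookmarks):
    """bookmarks: iterable of (title, url). Returns 'Title|URL||Title|URL'."""
    items = []
    for title, url in bookmarks:
        if not is_valid_bookmark(title, url):
            raise ValueError(f"invalid bookmark: {title!r} -> {url!r}")
        items.append(f"{title}|{url}")
    return "||".join(items)


def decode_bookmarks(value):
    """Inverse of encode_bookmarks; use it to check a value already entered."""
    if not value:
        return []
    pairs = []
    for item in value.split("||"):
        title, sep, url = item.partition("|")
        if not sep or not is_valid_bookmark(title, url):
            raise ValueError(f"malformed bookmark entry: {item!r}")
        pairs.append((title, url))
    return pairs


def build_config(homepage=None, bookmarks=(), app_proxy_redirection=False):
    """Return the key/value pairs to enter on the Configuration blade."""
    config = {}
    if app_proxy_redirection:
        config[KEY_APP_PROXY] = "true"
    if homepage is not None:
        if not valid_url(homepage):
            raise ValueError(f"homepage must be an absolute http(s) URL: {homepage!r}")
        config[KEY_HOMEPAGE] = homepage
    if bookmarks:
        config[KEY_BOOKMARKS] = encode_bookmarks(bookmarks)
    return config


if __name__ == "__main__":
    cfg = build_config(
        homepage="https://www.bing.com",
        bookmarks=[("Bing", "https://www.bing.com"), ("Contoso", "https://www.contoso.com")],
        app_proxy_redirection=True,
    )
    for key, value in cfg.items():
        print(f"{key} = {value}")
```

Running the module prints the three pairs exactly as they would be typed into the Configuration blade; decode_bookmarks is the check to run on a value copied back out of an existing configuration, since a stray "|" in a title silently shifts every following title and URL.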

How to specify allowed and blocked URLs for the Managed Browser
Using the procedure to create a Managed Browser app configuration, supply the following key and value pair:
Key
Choose from:
- Specify allowed URLs (only these URLs are allowed; no other sites can be accessed): com.microsoft.intune.mam.managedbrowser.AllowListURLs
- Specify blocked URLs (all other sites can be accessed): com.microsoft.intune.mam.managedbrowser.BlockListURLs

IMPORTANT
Do not specify both keys. If both keys are targeted to the same user, the allow key is used, as it's the most restrictive
option. Additionally, make sure not to block important pages like your company websites.

Value
The corresponding value for the key is a list of URLs. You enter all the URLs you want to allow or block as a single value, separated by a pipe | character.
Examples:
URL1|URL2|URL3
http://*.contoso.com/|https://*.bing.com/|https://expenses.contoso.com
URL format for allowed and blocked URLs
Use the following information to learn about the allowed formats and wildcards that you can use when specifying URLs in the allowed and blocked lists:
- You can use the wildcard symbol (*) according to the rules in the following permitted patterns list.
- Ensure that you prefix all URLs with http or https when entering them into the list.
- You can specify port numbers in the address. If you do not specify a port number, the values used are:
  - Port 80 for http
  - Port 443 for https
- Using wildcards for the port number is not supported. For example, http://www.contoso.com:* and http://www.contoso.com: /* are not supported.
Use the following table to learn about the permitted patterns that you can use when you specify URLs:

URL                             | Details                                          | Matches                                                                           | Does not match
http://www.contoso.com          | Matches a single page                            | www.contoso.com                                                                   | host.contoso.com, www.contoso.com/images, contoso.com/
http://contoso.com              | Matches a single page                            | contoso.com/                                                                      | host.contoso.com, www.contoso.com/images, www.contoso.com
http://www.contoso.com/*        | Matches all URLs that begin with www.contoso.com | www.contoso.com, www.contoso.com/images, www.contoso.com/videos/tvshows           | host.contoso.com, host.contoso.com/images
http://*.contoso.com/*          | Matches all subdomains under contoso.com         | developer.contoso.com/resources, news.contoso.com/images, news.contoso.com/videos | contoso.host.com
http://www.contoso.com/images   | Matches a single folder                          | www.contoso.com/images                                                            | www.contoso.com/images/dogs
http://www.contoso.com:80       | Matches a single page, by using a port number    | http://www.contoso.com:80                                                         |
https://www.contoso.com         | Matches a single, secure page                    | https://www.contoso.com                                                           | http://www.contoso.com
http://www.contoso.com/images/* | Matches a single folder and all subfolders       | www.contoso.com/images/dogs, www.contoso.com/images/cats                          | www.contoso.com/videos

The following are examples of some of the inputs that you cannot specify:
- *.com
- *.contoso/*
- www.contoso.com/*images
- www.contoso.com/*images*pigs
- www.contoso.com/page*
- IP addresses
- https://*
- http://*
- http://www.contoso.com:*
- http://www.contoso.com: /*
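
The permitted patterns, the rejected inputs and the allow/block precedence described above, implemented as a small checker for linting a list before it is entered on the Configuration blade and for seeing which entry a given URL would hit. This is an added example and not Intune's or Microsoft's code. Two points the text leaves open are this example's assumptions: an http pattern never matches an https URL (the table only states the reverse), and "*.contoso.com" covers subdomains but not the apex "contoso.com".

```python
"""Checker for Managed Browser allow/block list entries (added example).

Not Intune's or Microsoft's code. It models the permitted patterns, the
rejected inputs and the precedence stated above. Two assumptions: an http
pattern never matches an https URL (and vice versa), and '*.contoso.com'
covers subdomains only, not the apex 'contoso.com'.
"""
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
# Two or more labels, optionally preceded by "*.": rejects '*.com', '*.contoso' and '*'.
HOST_RE = re.compile(rf"^(\*\.)?(?:{LABEL}\.)+{LABEL}$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
ENTRY_RE = re.compile(r"^(https?)://([^/:]*)(?::([^/]*))?(/.*)?$", re.IGNORECASE)


class PatternError(ValueError):
    """An entry that the list format does not permit."""


def parse_pattern(entry):
    """Return (scheme, wildcard, host, port, path_prefix, recursive) or raise PatternError."""
    m = ENTRY_RE.match(entry.strip())
    if not m:
        raise PatternError(f"must start with http:// or https://: {entry!r}")
    scheme, host, port, path = m.groups()
    scheme, host = scheme.lower(), host.lower()
    wildcard = host.startswith("*.")
    bare = host[2:] if wildcard else host
    if not HOST_RE.match(host) or IPV4_RE.match(bare):   # IP addresses are not accepted
        raise PatternError(f"host not permitted: {entry!r}")
    if port is not None and not port.isdigit():           # 'host:*' and 'host: /*'
        raise PatternError(f"port must be numeric: {entry!r}")
    path = path or "/"
    recursive = path.endswith("/*")                       # '/*' only as the whole last segment
    prefix = path[:-2] if recursive else path.rstrip("/")
    if "*" in prefix:                                     # '/*images', '/page*', '/*images*pigs'
        raise PatternError(f"wildcard inside a path segment: {entry!r}")
    return scheme, wildcard, bare, int(port) if port else DEFAULT_PORTS[scheme], prefix, recursive


def split_url(url):
    """(scheme, host, effective port, path without trailing '/') of an absolute URL."""
    p = urlsplit(url.strip())
    if p.scheme not in DEFAULT_PORTS or not p.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    return p.scheme, p.hostname, p.port or DEFAULT_PORTS[p.scheme], p.path.rstrip("/")


def matches(pattern, url):
    """True when the Managed Browser would treat url as covered by pattern."""
    scheme, wildcard, host, port, prefix, recursive = parse_pattern(pattern)
    u_scheme, u_host, u_port, u_path = split_url(url)
    if (u_scheme, u_port) != (scheme, port):
        return False
    if wildcard and not u_host.endswith("." + host):
        return False
    if not wildcard and u_host != host:
        return False
    if recursive:
        return u_path == prefix or u_path.startswith(prefix + "/")
    return u_path == prefix


def navigation_allowed(url, allow_list=(), block_list=()):
    """An allow list, when present, is the only list consulted (the most restrictive
    option); otherwise a block list denies matches. *.microsoft.com is exempt."""
    if split_url(url)[1].endswith(".microsoft.com"):
        return True
    if allow_list:
        return any(matches(p, url) for p in allow_list)
    return not any(matches(p, url) for p in block_list)


def rejected_entries(entries):
    """Map each entry that cannot be put in either list to the reason."""
    out = {}
    for entry in entries:
        try:
            parse_pattern(entry)
        except PatternError as err:
            out[entry] = str(err)
    return out


def encode_list(entries):
    """Validate every entry and join them into the single '|'-separated value."""
    for entry in entries:
        parse_pattern(entry)
    return "|".join(e.strip() for e in entries)


if __name__ == "__main__":
    allow = ["http://*.contoso.com/*", "https://*.bing.com/", "https://expenses.contoso.com"]
    print(encode_list(allow))
    for u in ("http://news.contoso.com/images", "https://www.bing.com/", "https://www.example.com"):
        print(u, navigation_allowed(u, allow_list=allow))
```

The matcher deliberately compares scheme and effective port before the host, so an allow entry written for http does not silently cover the https site and vice versa; if you want both, enter both, as the "Matches a single, secure page" row implies.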

Security and privacy for the Managed Browser

- On iOS devices, websites that users visit that have an expired or untrusted certificate cannot be opened.
- The Managed Browser does not use settings that users make for the built-in browser on their devices. The Managed Browser cannot access these settings.
- If you configure the option Require simple PIN for access or Require corporate credentials for access in an app protection policy associated with the Managed Browser, and a user selects the help link on the authentication page, they can browse any Internet sites regardless of whether they were added to a block list in the policy.
- The Managed Browser can block access to sites only when they are accessed directly. It does not block access when intermediate services (such as a translation service) are used to access the site.
- To allow authentication, and access to Intune documentation, *.microsoft.com is exempt from the allow or block list settings. It is always allowed.
Turn off usage data
Microsoft automatically collects anonymous data about the performance and use of the Managed Browser to improve Microsoft products and services. Users can turn off data collection by using the Usage Data setting on their devices. You have no control over the collection of this data.
What are Microsoft Intune device profiles?
6/29/2017

APPLIES TO: INTUNE ON AZURE

Use the Microsoft Intune Device configuration workload to manage settings and features on all of the devices you manage. You mostly use this workload to create device profiles, which let you manage and control a whole range of different features and functionality on devices.
When you open this workload, you see the following options:
- Overview - This page gives you status and reports that help you monitor device configurations that you have assigned to users and devices.
- Manage Profiles - This section is where you go to create device configuration profiles. You can find a list of all the profile types you can create later in this topic.
- Setup Certificate Authority - This workflow walks you through the steps required to configure Intune certificate profiles.

Getting started
The workflow for creating device profiles is similar for all profiles. Read How to create Microsoft Intune device
configuration profiles for information. Then read on for specific information about creating settings for each
profile type.
You can manage the following capabilities on your devices:

Device features
Device features let you control features on iOS and macOS devices like AirPrint, notifications, and shared device configurations. For more information, see How to configure device feature settings.
Supports: iOS and macOS.

Device restrictions
Device restrictions let you control many settings on devices you manage across categories including security, hardware, and data sharing settings. For example, you could create a device restriction profile that prevents users of iOS devices from accessing the device camera. For more information, see How to configure device restriction settings.
Supports: Android, iOS, macOS, Windows 10, and Windows 10 Team.

Email
Email profiles let you create, assign, and monitor Exchange ActiveSync email settings on devices you manage. Email profiles help ensure consistency, reduce support calls, and let end-users access company email on their personal devices without any required setup on their part. For more information, see How to configure email settings.
Supports: Android, iOS, Windows Phone 8.1, and Windows 10.

Wi-Fi
Use Wi-Fi profiles to assign wireless network settings to users and devices in your organization. When you assign a Wi-Fi profile, your users get access to your corporate Wi-Fi without having to configure it themselves. For more information, see How to configure Wi-Fi settings.
Supports: Android, iOS, macOS, and Windows 8.1 (import only).

VPN
Virtual private networks (VPNs) give your users secure remote access to your company network. Devices use a VPN connection profile to initiate a connection with the VPN server. Assign VPN profiles to users and devices in your organization, so they can easily and securely connect to the network. For more information, see How to configure VPN settings.
Supports: Android, iOS, macOS, Windows Phone 8.1, Windows 8.1, and Windows 10.

Education
Lets you configure options for the Windows Take a Test app. When you configure these options, no other apps can run on the device until the test is complete. For more information, see How to configure education settings.

Certificates
This profile type lets you configure trusted, SCEP, and PKCS certificates that can be assigned to devices and used to authenticate Wi-Fi, VPN, and email profiles. For more information, see How to configure certificates.
Supports: Android, iOS, Windows Phone 8.1, Windows 8.1, and Windows 10.

Edition upgrade
This profile type lets you automatically upgrade devices that run some versions of Windows 10 to a newer edition. For more information, see How to configure Windows 10 edition upgrades.
Supports: Windows 10 only.

Endpoint protection
This profile type lets you configure BitLocker settings for Windows 10 devices. For more information, see Endpoint protection settings for Windows 10.
Supports: Windows 10 only.

Windows Information Protection
Windows Information Protection helps to protect against data leakage without otherwise interfering with the employee experience. It also helps to protect enterprise apps and data against accidental data leaks on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. For more information, see How to configure Windows Information Protection.
Supports: Windows 10 only.

Custom
Custom settings let you assign device settings that are not built into Intune. For example, on Android devices, you can specify OMA-URI values that configure the device. For iOS devices, you can import a configuration file you created in the Apple Configurator. For more information, see How to configure custom settings.
Supports: Android, iOS, macOS, and Windows Phone 8.1.

Next steps
Choose one of the profile types from the list to get started configuring devices.
How to create device configuration profiles in Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Configure devices.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the blade showing the list of profiles, choose Create Profile.
6. On the Create Profile blade, specify the following items:
Name - Enter a descriptive name for the new profile.
Description - Enter an optional description for the profile.
Platform - Select the platform type for the profile you want to create.
Profile type - Select the type of profile you want to create. The list of available types differs depending
on the platform you chose.
Settings - See the following topics for information about the settings for each profile type:
Device feature settings
Device restriction settings
Email settings
VPN settings
Wi-Fi settings
Windows 10 edition upgrade settings
Certificate settings
Windows Information Protection settings
Education settings
Custom settings
7. Once you are done configuring settings, on the Create Profile blade, choose Create.
The profile is created and appears on the profiles list blade. If you want to go ahead and assign this profile to
groups, see How to assign device profiles.
Next steps
For information about how to assign device profiles, see How to assign device profiles with Microsoft Intune.
How to configure device feature settings in Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

Device restrictions let you control features on iOS and macOS devices like AirPrint, notifications, and shared device
configurations.
Use the information in this topic to learn the basics about configuring device feature profiles, and then read further
topics for each platform to learn about device specifics.

Create a device profile containing device restriction settings


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the profiles blade, choose Create Profile.
6. On the Create Profile blade, enter a Name and Description for the device features profile.
7. From the Platform drop-down list, select the device platform to which you want to apply the settings.
Currently, you can choose one of the following platforms for device features:
iOS
macOS
8. From the Profile type drop-down list, choose Device features.
9. Depending on the platform you chose, the settings you can configure will be different. Go to one of the following topics for detailed settings for each platform:
AirPrint settings for iOS and macOS
AirPlay settings for iOS
Home screen layout settings for iOS
App notification settings for iOS
Shared device configuration settings for iOS
Web content filter settings for iOS
10. When you're done, go back to the Create Profile blade, and hit Create.
The profile will be created and appears on the profiles list blade. If you want to go ahead and assign this profile to
groups, see How to assign device profiles.
AirPrint settings for iOS and macOS devices
6/19/2017

APPLIES TO: INTUNE ON AZURE

Use these settings to configure iOS or macOS devices to automatically connect to AirPrint compatible printers on
your network. You'll need the IP address and resource path of your printers to proceed.

Find AirPrint printer information


Use this procedure to add AirPrint information to the AirPrint payload so that iOS device users can print to known AirPrint printers.
1. On a Mac that's connected to the same local network (subnet) as the AirPrint printers, open Terminal (from /Applications/Utilities).
2. In the Terminal, type ippfind, then press enter.
3. Make a note of any printer information the command returns, for example: ipp://myprinter.local.:631/ipp/port1. The first part of the information is the name of your printer and the last part is the resource path.
4. In the Terminal, type ping myprinter.local, then press enter.
5. Make a note of the IP address information returned by the command, for example, PING myprinter.local (10.50.25.21).
6. Finally, use the IP address and resource path in the AirPrint payload settings. An example IP address might be 10.50.25.21, and an example resource path might be /ipp/port1.
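
The procedure above, as a parser that turns the command output into the IP address and resource path the AirPrint payload needs, and writes them as CSV rows for the import described in the next section. This is an added example and not Apple's or Intune's code: the ippfind and ping lines below are constructed sample output shaped like the ones quoted in the steps, and the CSV column names are this example's assumption.

```python
"""Turn ippfind and ping output into AirPrint payload rows (added example).

Not Apple's or Intune's code. IPPFIND_OUTPUT and PING_OUTPUT are constructed
samples modelled on the output quoted in the steps above; a real run would
capture them from the commands. The CSV column names are an assumption.
"""
import csv
import io
import re
from urllib.parse import urlsplit

# Constructed sample output of `ippfind`: one printer URI per line.
IPPFIND_OUTPUT = """\
ipp://myprinter.local.:631/ipp/port1
ipp://lobby-printer.local.:631/ipp/print
"""

# Constructed sample of the first line `ping <host>` prints, keyed by host.
PING_OUTPUT = {
    "myprinter.local": "PING myprinter.local (10.50.25.21): 56 data bytes",
    "lobby-printer.local": "PING lobby-printer.local (10.50.25.22): 56 data bytes",
}

PING_IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")
CSV_FIELDS = ["ipAddress", "resourcePath"]   # assumed column names


def parse_ippfind(text):
    """Yield (hostname, resource_path) for each ipp:// URI. The trailing dot on
    the mDNS name is dropped so the name can be passed to ping."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("ipp://"):
            continue
        parts = urlsplit(line)
        yield parts.hostname.rstrip("."), parts.path


def ip_from_ping(ping_line):
    """Extract the IPv4 address ping shows in parentheses after the host name."""
    m = PING_IP_RE.search(ping_line)
    if not m:
        raise ValueError(f"no IPv4 address in: {ping_line!r}")
    return m.group(1)


def airprint_rows(ippfind_text, ping_lines):
    """Combine both outputs into the IP address / resource path pairs the payload needs."""
    return [
        {"ipAddress": ip_from_ping(ping_lines[host]), "resourcePath": path}
        for host, path in parse_ippfind(ippfind_text)
    ]


def to_csv(rows):
    """Serialise the rows as CSV text for the printer list import."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(airprint_rows(IPPFIND_OUTPUT, PING_OUTPUT)), end="")
```

The host name is looked up with its trailing dot removed because ippfind prints the fully qualified mDNS form (myprinter.local.) while the ping step in the procedure uses myprinter.local.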

Configure an AirPrint profile


1. On the Device features blade choose AirPrint.
2. On the AirPrint blade, to add an AirPrint destination, enter its IP address and resource path, and then click
Add.
3. Continue to add as many destinations as you need. When you are finished, choose OK.
You can also import a list of printers from a comma-separated values (.csv) file or export the list.
Intune AirPlay settings for iOS devices
6/19/2017

APPLIES TO: INTUNE ON AZURE

Use these settings to help connect iOS devices you manage to AirPlay compatible devices (like Apple TVs) on your
network. With this capability you can:
Configure a device and password list - Let users automatically connect to AirPlay devices that are in range.
Provision them with the name and password of AirPlay devices so that they don't need to supply it when they
connect.
Configure allowed destinations - Configure a list of AirPlay devices (by device ID). End users can only see
and connect to the devices you list (for supervised devices only).

Get started
1. On the Device features blade, choose AirPlay.
2. On the AirPlay blade, choose one or both of the following actions:

Configure a device and password list


1. On the Passwords blade, enter the Device Name and Password of an AirPlay device, for example Contoso
Apple TV.
2. After entering the device details, click Add. The device appears in the Device Name list.
3. Continue to add devices. When you are finished, choose OK.

Configure allowed destinations


1. On the Allowed destinations (supervised only) blade, enter the Device ID of an AirPlay device, for example
52:46:CD:51:83:4C.
2. After entering the device ID, click Add. The ID appears in the Device ID list.
3. Continue to add devices. When you are finished, choose OK.
You can also import devices and passwords, and allowed destinations from a comma-separated values (.csv) file.
Intune Home screen layout settings for iOS devices
6/19/2017

APPLIES TO: INTUNE ON AZURE

Use these settings to configure the layout of apps, folders, and web clips on the dock and Home screen of all iOS
devices to which you assign the policy.
iOS devices to which you assign the profile must be in supervised mode and running iOS 9.3 or later.
1. On the Device features blade choose Home Screen Layout (supervised only).
2. On the Home Screen Layout (supervised only) blade, choose whether you want to configure the Dock, or
Pages layouts.

Add items to the dock


On the Dock blade, you can add up to 6 items or folders to the dock at the bottom of the iOS screen. However, many devices support fewer items than this; for example, iPhone devices support up to 4 items. In this case, only the first four items you configured will be displayed on the device.
1. Choose Add to add an item to the dock.
2. On the Add Row blade, choose whether you want to add an App, or a Folder.
3. Using the information in the How to add an app to the list and How to add a folder to the list sections in
this topic, configure the apps and folders you want to appear in the dock.
4. Continue to add items. When you are finished, click OK on each blade until you return to the Create Profile
blade. Choose Create.

TIP
You can drag and drop items in any Home screen and pages lists to reorder them.

Example
In this example, you've configured the dock screen to show only the Safari, Mail, and Stocks apps. In the following
image, the Mail app is selected to illustrate its properties:

When you assign the policy to an iPhone, the result will be a dock that looks similar to this:
Add Home screen pages
Add the pages you want to appear on the home screen, and the apps that will appear on each page. Apps that you
add to a page are arranged from left to right, in the order they are specified in the list. If you add more apps than
can fit on a page, the apps will be moved to a subsequent page.
1. On the Pages blade, choose Add.
2. On the Add Row blade, enter a Page name. This is used for your reference in the Intune portal, and is not
displayed on the iOS device.
3. Choose Add, then choose whether you want to add an App, or a Folder to the page.
4. Using the information in the How to add an app to the list and How to add a folder to the list sections in
this topic, configure the apps and folders you want to appear on the page.
Example
In this example, you've configured a new page named Contoso. The page shows only the Find Friends, and
Settings apps. In the following image, the Settings app is selected to illustrate its properties:

When you assign the policy to an iPhone, the result will be a page that looks similar to this:

How to add an app to the list


1. Enter the App Name. This is used for your reference in the Intune portal, and is not displayed on the iOS device.
2. Enter the App Bundle ID of the app you want to display. See Bundle ID reference for built-in iOS apps later
in this topic for help.
3. Click OK, then continue to add items, up to a maximum of 6 for the device dock, and 60 for a device page.
4. When you are finished, click OK.

How to add a folder to the list


Apps that you add to a page in a folder are arranged from left to right, in the order they are specified in the list. If
you add more apps than can fit on a page, the apps will be moved to a subsequent page.
1. Enter the Folder name. This will be displayed to users on their device.
2. Choose Add to create a page in the folder. You can add up to 20 pages.
3. On the Add Row blade, enter a name for the page. This is used for your reference in the Intune portal, and is not
displayed on the iOS device.
4. Enter the App Name. This is used for your reference in the Intune portal, and is not displayed on the iOS device.
5. Enter the App Bundle ID of the app you want to display. See How to add an app to the list for help.
6. Choose Add. You can add up to 60 items.
7. When you are finished, click OK.

Bundle ID reference for built-in iOS apps


This list shows the bundle ID of some common built-in iOS apps. To find the bundle ID of other apps, contact your
software vendor.

App name     | Bundle ID
App Store    | com.apple.AppStore
Calculator   | com.apple.calculator
Calendar     | com.apple.mobilecal
Camera       | com.apple.camera
Clock        | com.apple.mobiletimer
Compass      | com.apple.compass
Contacts     | com.apple.MobileAddressBook
FaceTime     | com.apple.facetime
Find Friends | com.apple.mobileme.fmf1
Find iPhone  | com.apple.mobileme.fmip1
Game Center  | com.apple.gamecenter
GarageBand   | com.apple.mobilegarageband
Health       | com.apple.Health
iBooks       | com.apple.iBooks
iTunes Store | com.apple.MobileStore
iTunes U     | com.apple.itunesu
Keynote      | com.apple.Keynote
Mail         | com.apple.mobilemail
Maps         | com.apple.Maps
Messages     | com.apple.MobileSMS
Music        | com.apple.Music
News         | com.apple.news
Notes        | com.apple.mobilenotes
Numbers      | com.apple.Numbers
Pages        | com.apple.Pages
Photo Booth  | com.apple.Photo-Booth
Photos       | com.apple.mobileslideshow
Podcasts     | com.apple.podcasts
Reminders    | com.apple.reminders
Safari       | com.apple.mobilesafari
Settings     | com.apple.Preferences
Stocks       | com.apple.stocks
Tips         | com.apple.tips
Videos       | com.apple.videos
VoiceMemos   | com.apple.VoiceMemos
Wallet       | com.apple.Passbook
Watch        | com.apple.Bridge
Weather      | com.apple.weather
Intune app notifications settings for iOS devices
6/19/2017

APPLIES TO: INTUNE ON AZURE

Lets you configure how apps installed on a device send notifications. This setting supports supervised devices running iOS 9.3 and later.

Configure settings
1. On the Device features blade choose App Notifications (supervised only).
2. On the App Notifications blade, choose Add, and then configure the following values:
App bundle ID - Enter the App Bundle ID of the app you want to configure. See Bundle ID reference
for built-in iOS apps later in this topic for help.
App name - Enter the name of the app you want to configure. This is not displayed on the device and is
used to help you identify the app in the list.
Publisher - Enter the publisher of the app you want to configure. This is not displayed on the device and
is used to help you identify the app in the list.
Notifications - Enable or disable the app from sending notifications to the device. If you disable this
setting, the following settings are also disabled.
Show in Notification Center - Enable to allow the app to show notifications in the device
Notification Center.
Show in Lock Screen - Enable to see notifications from the app on the device lock screen.
Alert type - Select the type of notification you want when the device is unlocked from:
None - No notification is displayed.
Banner - A banner is briefly displayed showing the notification.
Modal - The notification is displayed and the user must manually dismiss it before they can continue to use the device.
Badge on app icon - Enable this to add a badge to the app icon to indicate the app sent a
notification.
Sounds - Enable to play a sound when a notification is delivered.
3. Continue to add as many apps as you need. When you are finished, choose OK.
4. Choose OK until you return to the Create Profile blade, then choose Create.

Bundle ID reference for built-in iOS apps


This list shows the bundle ID of some common built-in iOS apps. To find the bundle ID of other apps, contact your
software vendor.

| App name | Bundle ID |
| --- | --- |
| App Store | com.apple.AppStore |
| Calculator | com.apple.calculator |
| Calendar | com.apple.mobilecal |
| Camera | com.apple.camera |
| Clock | com.apple.mobiletimer |
| Compass | com.apple.compass |
| Contacts | com.apple.MobileAddressBook |
| FaceTime | com.apple.facetime |
| Find Friends | com.apple.mobileme.fmf1 |
| Find iPhone | com.apple.mobileme.fmip1 |
| Game Center | com.apple.gamecenter |
| GarageBand | com.apple.mobilegarageband |
| Health | com.apple.Health |
| iBooks | com.apple.iBooks |
| iTunes Store | com.apple.MobileStore |
| iTunes U | com.apple.itunesu |
| Keynote | com.apple.Keynote |
| Mail | com.apple.mobilemail |
| Maps | com.apple.Maps |
| Messages | com.apple.MobileSMS |
| Music | com.apple.Music |
| News | com.apple.news |
| Notes | com.apple.mobilenotes |
| Numbers | com.apple.Numbers |
| Pages | com.apple.Pages |
| Photo Booth | com.apple.Photo-Booth |
| Photos | com.apple.mobileslideshow |
| Podcasts | com.apple.podcasts |
| Reminders | com.apple.reminders |
| Safari | com.apple.mobilesafari |
| Settings | com.apple.Preferences |
| Stocks | com.apple.stocks |
| Tips | com.apple.tips |
| Videos | com.apple.videos |
| VoiceMemos | com.apple.VoiceMemos |
| Wallet | com.apple.Passbook |
| Watch | com.apple.Bridge |
| Weather | com.apple.weather |

Shared Device configuration settings to display messages on the iOS device lock screen
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE


Shared device configuration settings let you specify optional text displayed on the login window and lock screen (for example, an "If Lost, Return to" message and asset tag information).

IMPORTANT
This capability is supported on supervised devices running iOS 9.3 and later.

1. On the Device features blade choose Shared Device Configuration (supervised only).
2. On the Shared Device Configuration (supervised only) blade, configure the following:
   - Asset tag information - Enter information about the asset tag of the device. For example: Owned by Contoso Corp. The information you enter will be applied to all devices you assign this profile to.
   - Lock screen footnote - Enter a note that might help get the device returned if it's lost or stolen. For example: If found, please call 'number'.
3. When you are finished, choose OK until you return to the Create Profile blade, then choose Create.
Web content filter settings for iOS devices
6/19/2017 2 min to read

APPLIES TO: INTUNE ON AZURE


Use these settings to configure which URLs end users of web browsers on iOS devices can or cannot visit. There are two methods you can use to do this:
- Configure URLs - Use Apple's built-in web filter that looks for adult terms like profanity or sexually explicit language. This function evaluates each web page as it is loaded and attempts to identify and block unsuitable content. Additionally, you can configure URLs that will not be checked by the filter, or URLs that will always be blocked, regardless of the filter settings.
- Specific websites only (for the Safari web browser only) - These URLs are added to the Safari browser's bookmarks. The user is only allowed to visit these sites; no other sites can be accessed. Use this option only if you know the exact list of URLs that can be accessed by users. If you do not specify any URLs, then end users will not be able to access any websites except for microsoft.com, microsoft.net, and apple.com.

Get started
1. On the Device features blade choose Web Content Filter (supervised only).
2. On the Web Content Filter blade, choose the Filter type you want to configure from:
   - Not Configured - No filtering is performed.
   - Configure URLs
   - Specific websites only
3. Next, depending on the filter type you are using, follow the relevant procedure below.

Configure URLs
1. On the Web Content Filter blade, choose one of the following if required:
   - Permitted URLs - On the Permitted URLs blade, enter the URLs you want to allow (bypassing the Apple web filter), and choose enter after each.
   - Blocked URLs - On the Blocked URLs blade, enter the URLs you want to block (regardless of the Apple web filter settings), and choose enter after each.
2. When you are finished, click OK.

Specific websites only
1. On the Web Content Filter blade, for each web site you want to permit, enter the following:
   - URL - Enter the URL of the website you want to permit, for example, http://www.contoso.com.
   - Bookmark Path - Enter the path to where you want to store the bookmark, for example /Contoso/Business Apps. If you don't add a bookmark path, the bookmark will be added to the default bookmark folder on the device.
   - Title - Enter a descriptive title for the bookmark.
2. Click Add after you enter the information for each website.
3. When you are finished, click OK.

IMPORTANT
The following URLs are permitted automatically by Intune:
- www.microsoft.com
- www.microsoft.net
- www.apple.com

Finish up
Choose OK to return to the Create Profile blade, and then choose Create.
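
The following is an added example (not Microsoft's or Intune's own code) that models how the two Web Content Filter modes above decide whether a page may be loaded. Apple's built-in adult-content filter is opaque, so it is passed in as a callback; matching entries by host name, and checking Blocked URLs before Permitted URLs when a host is on both lists, are assumptions the page does not spell out.

```python
"""Model of the iOS Web Content Filter decision described in the text above.
Added example, not code from Intune or Apple; host-name matching and the
blocked-before-permitted precedence are assumptions."""
from urllib.parse import urlparse

# Permitted automatically by Intune in "Specific websites only" mode (listed on the page).
AUTO_PERMITTED = {"www.microsoft.com", "www.microsoft.net", "www.apple.com"}


def _host(url: str) -> str:
    """Normalise an entry or a requested URL to its lower-cased host name."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.netloc.lower()


class WebContentFilter:
    """One profile's Web Content Filter settings.

    filter_type is one of "Not Configured", "Configure URLs" or
    "Specific websites only" (the three choices on the blade).
    """

    def __init__(self, filter_type, permitted=(), blocked=(), specific_sites=()):
        self.filter_type = filter_type
        self.permitted = {_host(u) for u in permitted}   # bypass Apple's filter
        self.blocked = {_host(u) for u in blocked}       # always blocked
        self.specific = {_host(u) for u in specific_sites}  # Safari-only allow list

    def decide(self, url, apple_filter_flags_adult):
        """Return (allowed, reason) for a page load.

        apple_filter_flags_adult(url) -> bool stands in for Apple's
        built-in filter, which evaluates each page as it loads.
        """
        host = _host(url)
        if self.filter_type == "Not Configured":
            return True, "no filtering is performed"
        if self.filter_type == "Specific websites only":
            # Only listed sites (plus Intune's automatic entries) are reachable;
            # an empty list therefore leaves just the automatic entries.
            if host in self.specific or host in AUTO_PERMITTED:
                return True, "site is on the Specific websites list"
            return False, "site is not on the Specific websites list"
        # "Configure URLs": explicit block wins, an explicit permit skips
        # Apple's filter, everything else is left to the filter.
        if host in self.blocked:
            return False, "listed under Blocked URLs"
        if host in self.permitted:
            return True, "listed under Permitted URLs (Apple web filter bypassed)"
        if apple_filter_flags_adult(url):
            return False, "blocked by the Apple web filter"
        return True, "passed the Apple web filter"
```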
How to configure device restriction settings in Microsoft Intune
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE


Device restrictions let you control a wide range of settings and features you manage across a range of categories
including security, browser, hardware, and data sharing settings. For example, you could create a device restriction
profile that prevents users of iOS devices from accessing the device camera.
Use the information in this topic to learn the basics about configuring device restriction profiles, and then read
further topics for each platform to learn about device specifics.

Create a device profile containing device restriction settings


1. Sign in to the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Configure devices.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the profiles blade, choose Create Profile.
6. On the Create Profile blade, enter a Name and Description for the device restriction profile.
7. From the Platform drop-down list, select the device platform to which you want to apply custom settings. Currently, you can choose one of the following platforms for device restriction settings:
   - Android
   - iOS
   - macOS
   - Windows Phone 8.1
   - Windows 8.1 and later
   - Windows 10 and later
8. From the Profile type drop-down list, choose Device restrictions. If you want to create a device restrictions profile for Windows 10 Team devices like a Surface Hub, choose Device restrictions (Windows 10 Team).
9. Depending on the platform you chose, the settings you can configure will be different. Go to one of the following topics for detailed settings for each platform:
   - Android settings
   - iOS settings
   - macOS settings
   - Windows Phone 8.1 settings
   - Windows 8.1 settings
   - Windows 10 settings
   - Windows 10 Team settings
   - Android for Work settings
10. When you're done, go back to the Create Profile blade, and hit Create.
The profile will be created and appears on the profiles list blade. If you want to go ahead and assign this profile to
groups, see How to assign device profiles.

Example of device restriction settings


In this high-level example, you'll create a device restriction policy that blocks the use of the built-in camera app on
Android devices.
Android and Samsung KNOX Standard device restriction settings in Microsoft Intune
6/19/2017 6 min to read

APPLIES TO: INTUNE ON AZURE


Use these settings with an Android device restriction policy to configure devices in your organization.

General

| Setting name | Details | Android 4.0+ | Samsung KNOX Standard |
| --- | --- | --- | --- |
| Camera | Allows the use of the device camera. | Yes | Yes |
| Copy and paste | Allows copy and paste functions on the device. | No | Yes |
| Clipboard sharing between apps | Allows use of the clipboard to copy and paste between apps. | No | Yes |
| Diagnostic data submission | Stops the user from submitting diagnostic data from the device. | No | Yes |
| Factory reset | Allows the user to perform a factory reset on the device. | No | Yes |
| Geolocation | Allows the device to utilize location information (Samsung KNOX Standard only). | No | Yes |
| Power off | Allows the user to power off the device. If disabled, Number of sign-in failures before wiping device cannot be set. | No | Yes |
| Screen capture | Lets the user capture the screen contents as an image. | No | Yes |
| Voice assistant | Allows the use of voice assistant software on the device. | No | Yes |
| YouTube | Allows the use of the YouTube app on the device. | No | Yes |
| Shared devices | Configure a managed Samsung KNOX Standard device as shared. In this mode, end users can sign in and out of the device with their Azure AD credentials. The device remains managed whether it's in use or not. When end users sign in, they have access to apps and additionally get any policies applied to them. When users sign out, all app data is cleared. | No | Yes |


Password

| Setting name | Details | Android 4.0+ | Samsung KNOX Standard |
| --- | --- | --- | --- |
| Password | Require the end user to enter a password to access the device. | Yes | Yes |
| Minimum password length | Enter the minimum length of password a user must configure (between 4 and 16 characters). | Yes | Yes |
| Maximum minutes of inactivity until screen locks | Specifies the number of minutes of inactivity before the device automatically locks. | Yes | Yes |
| Number of sign-in failures before wiping device | Specifies the number of sign-in failures to allow before the device is wiped. | Yes | Yes |
| Password expiration (days) | Specifies the number of days before the device password must be changed. | Yes | Yes |
| Required password type | Specifies the required password complexity level, and whether biometric devices can be used. Choose from: Device default; Low security biometric; At least numeric; Numeric complex (repeating, or consecutive numbers like '1111' or '1234' are not allowed)¹; At least alphabetic; At least alphanumeric; At least alphanumeric with symbols. | Yes | Yes |
| Prevent reuse of previous passwords | Stops the end user from creating a password they have used before. | Yes | Yes |
| Fingerprint unlock | Allows the use of a fingerprint to unlock supported devices. | No | Yes |
| Smart Lock and other trust agents | Lets you control the Smart Lock feature on compatible Android devices (Samsung KNOX Standard 5.0 and later). This phone capability, sometimes known as a trust agent, lets you disable or bypass the device lock screen password if the device is in a trusted location. For example, this could be used when the device is connected to a specific Bluetooth device, or when it's close to an NFC tag. You can use this setting to prevent users from configuring Smart Lock. | Yes (5.0 and later) | Yes |
| Encryption | Requires that files on the device are encrypted. | Yes | Yes |

¹ Before you assign this setting to devices, update the Company Portal app to the latest version on those devices.
If you configure the Numeric complex setting, and then assign it to a device running a version of Android earlier than 5.0, the following behavior applies:
- If the Company Portal app is running a version earlier than 1704, no PIN policy is applied to the device and an error is displayed in the Intune portal.
- If the Company Portal app runs the 1704 version or later, only a simple PIN can be applied. Versions of Android earlier than 5.0 do not support this setting. No error is displayed in the Intune portal.

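
The following is an added example, not Microsoft's or Intune's own code: it models the Required password type ladder from the table above, including the Numeric complex rule, and the behavior just described for that level on Android earlier than 5.0. Level names are the profile's; their ranking and the per-level rules follow Android's password-quality order, which is an assumption rather than something this page states, and "simple PIN" is mapped to At least numeric.

```python
"""Model of the Android "Required password type" setting and its pre-5.0
behaviour. Added example, not Intune code; ranking, per-level rules and
the simple-PIN mapping are assumptions."""

# Weakest to strongest, in the order the profile lists them.
LEVELS = [
    "Device default",
    "Low security biometric",
    "At least numeric",
    "Numeric complex",
    "At least alphabetic",
    "At least alphanumeric",
    "At least alphanumeric with symbols",
]
RANK = {name: i for i, name in enumerate(LEVELS)}


def is_numeric_complex(pin: str) -> bool:
    """Digits only, and neither repeating ('1111') nor consecutive ('1234').

    Any PIN whose digits advance by a single constant step (so also '4321'
    and '2468') is rejected, which is how Android defines the rule; the
    page itself gives only the two examples.
    """
    if len(pin) < 2 or not pin.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return len(steps) > 1  # exactly one step value means a repeated or ordered run


def password_quality(password: str) -> str:
    """The strongest level a candidate password satisfies."""
    if not password:
        return "Device default"
    has_digit = any(c.isdigit() for c in password)
    has_alpha = any(c.isalpha() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    if has_digit and has_alpha and has_symbol:
        return "At least alphanumeric with symbols"
    if has_digit and has_alpha:
        return "At least alphanumeric"
    if has_alpha:
        return "At least alphabetic"
    if password.isdigit():
        return "Numeric complex" if is_numeric_complex(password) else "At least numeric"
    return "Device default"  # symbols only: no better than the default (assumption)


def meets_required_type(password: str, required: str, min_length: int = 4) -> bool:
    """True when the password is at least min_length characters (the profile
    accepts 4 to 16) and at least as strong as the required level."""
    if not 4 <= min_length <= 16:
        raise ValueError("Minimum password length must be between 4 and 16")
    if len(password) < min_length:
        return False
    return RANK[password_quality(password)] >= RANK[required]


def effective_policy(required: str, android_version: tuple, company_portal_version: int):
    """What actually reaches the device when Numeric complex is assigned to a
    device running Android earlier than 5.0, as described in the text.

    Returns (level applied on the device or None, whether the Intune portal
    shows an error).
    """
    if required == "Numeric complex" and android_version < (5, 0):
        if company_portal_version < 1704:
            return None, True            # no PIN policy applied; error in the portal
        return "At least numeric", False  # only a simple PIN applied; no error shown
    return required, False
```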
Google Play Store

| Setting name | Details | Android 4.0+ | Samsung KNOX Standard |
| --- | --- | --- | --- |
| Google Play store | Allows the user to access the Google Play store on the device. | No | Yes |

Restricted apps
In the restricted apps list, you can configure one of the following lists for both Android and Samsung KNOX Standard devices:
- A Prohibited apps list - List the apps (not managed by Intune) that users are not allowed to install and run.
- An Approved apps list - List the apps that users are allowed to install. To remain compliant, users must not install other apps. Apps that are managed by Intune are automatically allowed.
Device profiles that contain restricted app settings must be assigned to groups of users.
To configure the list, click Add, then specify a name of your choice, optionally the app publisher, and the URL to the app in the app store.
How to specify the URL to an app in the store
To specify an app URL in the compliant and noncompliant apps list, take the following steps:
1. In the Apps section of Google Play, search for the app you want to use.
2. Open the installation page for the app, and then copy the URL to the clipboard. You can now use this URL in either the compliant or noncompliant apps list.
Example: Search Google Play for Microsoft Office Mobile. Use the URL: https://play.google.com/store/apps/details?id=com.microsoft.office.officehub.
Additional options
You can also click Import to get the list from a csv file. Use the format <app url>, <app name>, <app publisher>, or click Export to create a csv file containing the contents of the restricted apps list in the same format.

Browser

| Setting name | Details | Android 4.0+ | Samsung KNOX Standard |
| --- | --- | --- | --- |
| Web browser | Specifies whether the device's default web browser can be used. | No | Yes |
| Autofill | Allows the autofill function of the web browser to be used. | No | Yes |
| Cookies | Allows the device web browser to use cookies. | No | Yes |
| JavaScript | Allows the device web browser to run JavaScript. | No | Yes |
| Pop-ups | Allows the use of the pop-up blocker in the web browser. | No | Yes |

Cloud and Storage

| Setting name | Details | Android 4.0+ | Samsung KNOX Standard |
| --- | --- | --- | --- |
| Google backup | Allows the use of Google backup. | No | Yes |
| Google account auto sync | Allows Google account settings to be automatically synchronized. | No | Yes |
| Removable storage | Allows the device to use removable storage, like an SD card. | No | Yes |
| Encryption on storage cards | Specifies whether the device storage card must be encrypted. | No | Yes |

Cellular and Connectivity

| Setting name | Details | Android 4.0+ | Samsung KNOX Standard |
| --- | --- | --- | --- |
| Data roaming | Allows data roaming when the device is on a cellular network. | No | Yes |
| SMS/MMS messaging | Allows the use of SMS and MMS messaging on the device. | No | Yes |
| Voice dialing | Enables or disables the voice dialing feature on the device. | No | Yes |
| Voice roaming | Allows voice roaming when the device is on a cellular network. | No | Yes |
| Bluetooth | Allows the use of Bluetooth on the device. | No | Yes |
| NFC | Allows operations that use near field communication on supported devices. | No | Yes |
| Wi-Fi | Allows the use of the Wi-Fi capabilities of the device. | No | Yes |
| Wi-Fi tethering | Allows the use of Wi-Fi tethering on the device. | No | Yes |

Kiosk

| Setting name | Details | Android 4.0+ | Samsung KNOX Standard |
| --- | --- | --- | --- |
| Select a managed app | Choose one of the following options to add one or more apps that can run when the device is in kiosk mode. No other apps are allowed to run on the device: Add apps by package name; Add apps by URL; Add managed apps. | No | Yes |
| Screen sleep button | Enables or disables the screen sleep wake button on the device. | No | Yes |
| Volume buttons | Enables or disables the use of the volume buttons on the device. | No | Yes |

iOS device restriction settings in Microsoft Intune
6/19/2017 15 min to read

APPLIES TO: INTUNE ON AZURE


General
Camera - Select whether the camera on the device can be used.
Diagnostic data submission - Allow or block the device from submitting diagnostic data to Apple.
FaceTime - Allow the FaceTime app to be used on the device.
Screen capture - Allow the user to capture the contents of the screen as an image.
Siri - Allow use of the Siri voice assistant on the device.
Siri while device is locked - Allow use of the Siri voice assistant on the device while it is locked.
Siri profanity filter (supervised only) - Prevents Siri from dictating, or speaking profane language.
Siri to query user-generated content from the internet (supervised only) - Allow Siri to access
websites to answer questions.
Untrusted TLS certificates - Allow untrusted Transport Layer Security certificates on the device.
Control Center access while device locked - Allow the user to access the control center app when the device
is locked.
Notifications while device locked - Allow the user to access the notifications view without unlocking the
device.
Passbook while device locked - Allow the user to access the Passbook app while the device is locked.
Today view while device locked - Allow the user to see the Today view when the device is locked.
Enterprise app trust - Lets the user select to trust apps that were not downloaded from the app store.
AirDrop (supervised only) - Allow use of the AirDrop feature to exchange content with nearby devices.
Spotlight search to return results from internet (supervised only) - Let Spotlight search connect to the
Internet to provide further results.
Word definition lookup (supervised only) - Allow the iOS feature that lets you highlight a word and look up its definition.
Predictive keyboards (supervised only) - Allow the use of predictive keyboards that suggest words the user
might want.
Auto-correction (supervised only) - Lets the device automatically correct misspelled words.
Keyboard spell-check (supervised only) - Allows the device spell checker.
Keyboard shortcuts (supervised only) - Allows use of keyboard shortcuts.
Wrist detection for paired Apple watch - When enabled, the Apple Watch won't display notifications when it
is not being worn.
Require AirPlay outgoing requests pairing password - Require a pairing password when the user uses
AirPlay to stream content to other Apple devices.
Account modification (supervised only) - When blocked, this prevents the user from modifying device-
specific settings from the iOS settings app, like creating new device accounts, and changing the user name or
password. This also applies to settings accessible from the iOS settings app like Mail, Contacts, Calendar,
Facebook, and Twitter. This does not apply to apps with account settings that are not configurable from the iOS
settings app, for example, the Microsoft Outlook app.
Apple Watch pairing (supervised only) - Allow the device to pair with an Apple Watch.
Bluetooth modification (supervised only) - Block the end user from changing Bluetooth settings on the
device.
Remote screen observation by Classroom app (supervised only) - Allow or block the Classroom app from
observing the screen on remote devices.
Enabling restrictions in the device settings (supervised only) - Allow the user to configure device
restrictions (parental controls) on the device.
Use of the erase all content and settings option on the device (supervised only) - Allow the user to use
the option of erasing all content and settings on the device.
Device name modification (supervised only) - Allow the user to change the name of the device.
Diagnostics submission settings modification (supervised only) - Allow or block the device from
submitting diagnostic data to Apple.
Host pairing to control the devices an iOS device can pair with (supervised only) - Allow host pairing to
let the administrator control which devices an iOS device can pair with.
Notification settings modification (supervised only) - Allow the user to change the device notification
settings.
Passcode modification (supervised only) - Allow the device password to be added, changed, or removed.
Wallpaper modification (supervised only) - Allow the user to change the device wallpaper.
Enterprise app trust settings modification (supervised only) - Lets the user select to trust apps that were
not downloaded from the app store.
Installing apps from App Store (supervised only) - Allow the device to access the app store and install apps.
Changes to the Find My Friends app settings (supervised only) - Allow the user to change settings for the
Find My Friends app.
iBooks store (supervised only) - Allow the user to browse and purchase books from the iBooks store.
Messages app on the device (supervised only) - Allow use of the Messages app to send and read text
messages.
Podcasts (supervised only) - Allow use of the Podcasts app.
Music service (supervised only) - Allow use of the Apple Music app.
iTunes Radio service (supervised only) - Allow use of the iTunes Radio app.
Apple News (supervised only) - Allow use of the Apple News app.
Configuration profile changes - Allow the user to install configuration profiles.

Password
Password required - Require the end user to enter a password to access the device.
Simple passwords - Allow simple passwords like 0000 and 1234.
Required password type - Specify the type of password that will be required, such as numeric only or
alphanumeric.
Number of non-alphanumeric characters in password - Specify the number of symbol characters (like # or
@) that must be included in the password.
Minimum password length - Specify the minimum number of characters in the password.
Number of sign-in failures before wiping device - Specify the number of failed login attempts before this
setting wipes the device.
Maximum minutes after screen lock before password is required¹ - Specify how long the device can remain idle before the user must re-enter their password.
Maximum minutes of inactivity until screen locks¹ - Specify the number of minutes before the device display is turned off.
Password expiration (days) - Specify the number of days before the device password must be changed.
Prevent reuse of previous passwords - Specify the number of previously used passwords that the device
remembers.
Fingerprint unlock - Allow using a fingerprint to unlock compatible devices.
¹ When you configure the settings Maximum minutes of inactivity until screen locks and Maximum minutes after screen lock before password is required, they are applied in sequence. For example, if you set the value for both settings to 5 minutes, the screen will turn off automatically after 5 minutes, and the device will be locked after an additional 5 minutes. However, if the user turns off the screen manually, the second setting is immediately applied. In the same example, after the user turns off the screen, the device will lock 5 minutes later.

App Store, Doc Viewing, Gaming


App store (supervised only) - Block access to the app store on supervised devices.
Password to access app store - Require the user to enter a password before they can visit the app store.
In-app purchases - Allow store purchases to be made from within a running app.
Automatic app downloads (supervised only) -
Explicit iTunes music, podcast, or news content (supervised only) - Allow the device to access content
rated as adult from the store.
Download content from iBook store flagged as 'Erotica' - Allow the user to download books with the
"Erotica" category.
Viewing corporate documents in unmanaged apps - Allow corporate documents to be viewed in any app.
Example: You want to prevent users from saving files from the OneDrive app to Dropbox. Configure this
setting as no. After the device receives the policy (for example, after a restart), it will no longer allow saving.
Viewing non-corporate documents in corporate apps - Allow any document to be viewed in corporate
managed apps.
Treat AirDrop as an unmanaged destination - Stops managed apps from being able to send data via AirDrop.
Adding Game Center friends (supervised only) - Allow the user to add friends in Game Center.
Game Center (supervised only) - Block or enable the use of the Game Center app.
Multiplayer gaming (supervised only) - Allow the user to play multiplayer games on the device.
Ratings region - Choose the ratings region for which you want to configure allowed downloads, then choose
the allowed ratings for Movies and TV Shows.
Apps - Choose the allowed age rating of apps that users will be able to download, or you can choose Allow All
Apps.

Restricted apps
In the restricted apps list, you can configure one of the following lists:
- A Prohibited apps list - List the apps (not managed by Intune) that users are not allowed to install and run.
- An Approved apps list - List the apps that users are allowed to install. To remain compliant, users must not install apps that are not listed. Apps that are managed by Intune are automatically allowed.
To configure the list, click Add, then specify a name of your choice, optionally the app publisher, and the URL to the app in the app store.
How to specify the URL to an app in the store
To specify an app URL in the apps list, take the following steps:
1. Using a search engine, find the app that you want to use in the iTunes App Store and open the page for the app.
2. Copy the URL of the page and use this as the URL to configure the allowed or prohibited apps list or an app that you want to run in kiosk mode.
Device profiles that contain restricted app settings must be assigned to groups of users.
Example: Search for Microsoft Word for iPad. The URL that you use will be https://itunes.apple.com/us/app/microsoft-word-for-ipad/id586447913?mt=8.

NOTE
You can also use the iTunes software to find the app and then use the Copy Link command to get the app URL.

Additional options
You can also click Import to populate the list from a csv file in the format <app url>, <app name>, <app
publisher> or click Export to create a csv file containing the contents of the restricted apps list in the same format.

Show or hide apps


In the show or hide apps list, you can configure one of the following lists (requires supervised devices running iOS 9.3 or later):
- A Hidden apps list - Specify a list of apps that will be hidden from users. Users cannot view or launch these apps.
- A Visible apps list - Specify a list of apps that users can view and launch. No other apps can be viewed or launched.
To configure the list, click Add, then specify a name of your choice, optionally the app publisher, and the URL to the app in the app store.
How to specify the URL to an app in the store
To specify an app URL in the apps list, take the following steps:
1. Using a search engine, find the app that you want to use in the iTunes App Store and open the page for the app.
2. Copy the URL of the page and use this as the URL to configure the allowed or prohibited apps list or an app that you want to run in kiosk mode.
Example: Search for Microsoft Word for iPad. The URL that you use will be https://itunes.apple.com/us/app/microsoft-word-for-ipad/id586447913?mt=8.

NOTE
You can also use the iTunes software to find the app and then use the Copy Link command to get the app URL.

Additional options
You can also click Import to populate the list from a csv file in the format <app url>, <app name>, <app
publisher> or click Export to create a csv file containing the contents of the hidden or visible apps list in the same
format.
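
The following is an added example, not part of the Intune documentation or Microsoft's code. It validates an import file in the "<app url>, <app name>, <app publisher>" format that the Import and Export options use (the Android restricted apps list, the iOS restricted apps list, and the hidden or visible apps list above), and pulls the store identifier out of each Google Play or iTunes App Store URL so a list can be checked for unrecognised links, missing names and duplicates before it is imported. The sample file is constructed; its first two URLs are the page's own examples.

```python
"""Validator and round-tripper for Intune's "<app url>, <app name>, <app publisher>"
import format. Added example, not Intune code."""
import csv
import io
from urllib.parse import parse_qs, urlparse

# Constructed sample import file: two URLs from the page plus one broken line.
SAMPLE_CSV = """\
https://play.google.com/store/apps/details?id=com.microsoft.office.officehub, Microsoft Office Mobile, Microsoft Corporation
https://itunes.apple.com/us/app/microsoft-word-for-ipad/id586447913?mt=8, Microsoft Word for iPad,
not a url, Broken Entry, Nobody
"""


def store_id(url: str):
    """('play', package name) for a Google Play app page, ('itunes', numeric
    app id) for an iTunes App Store page, or None for anything else."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return None
    host = parsed.netloc.lower()
    if host == "play.google.com" and parsed.path == "/store/apps/details":
        package = parse_qs(parsed.query).get("id", [""])[0]   # ?id=<package>
        return ("play", package) if package else None
    if host == "itunes.apple.com":
        last = parsed.path.rstrip("/").rsplit("/", 1)[-1]      # .../id586447913
        if last.startswith("id") and last[2:].isdigit():
            return ("itunes", last[2:])
    return None


def parse_app_list(text: str):
    """Parse the import format.

    Returns (entries, problems): entries is a list of dicts with url, name,
    publisher, store and id; problems lists the lines that would not import
    cleanly (unrecognised URL, missing name, duplicate app).
    """
    entries, problems, seen = [], [], set()
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for lineno, row in enumerate(reader, start=1):
        if not any(cell.strip() for cell in row):
            continue  # blank line
        cells = [cell.strip() for cell in row] + [""] * 3   # publisher is optional
        url, name, publisher = cells[:3]
        if not name:
            problems.append(f"line {lineno}: missing app name")
            continue
        ident = store_id(url)
        if ident is None:
            problems.append(f"line {lineno}: unrecognised store URL {url!r}")
            continue
        if ident in seen:
            problems.append(f"line {lineno}: duplicate entry for {ident[1]}")
            continue
        seen.add(ident)
        entries.append({"url": url, "name": name, "publisher": publisher,
                        "store": ident[0], "id": ident[1]})
    return entries, problems


def export_app_list(entries) -> str:
    """Write entries back out in the same <app url>, <app name>, <app publisher> order."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for entry in entries:
        writer.writerow([entry["url"], entry["name"], entry["publisher"]])
    return out.getvalue()
```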

Cellular
Data roaming - Allow data roaming when the device is on a cellular network.
Global background fetch while roaming - Allow the device to fetch data such as email while it is roaming on
a cellular network.
Voice dialing - Allow use of the voice dialing feature on the device.
Voice roaming - Allow voice roaming when the device is on a cellular network.
Changes to app cellular data usage settings (supervised only) - Allow the user to control which apps are
allowed to use cellular data.
Cloud and Storage
Backup to iCloud - Allow the user to back up the device to iCloud.
Document sync to iCloud (supervised only) - Allow document and key-value synchronization to your iCloud
storage space.
Photo stream syncing to iCloud - Lets users enable My Photo Stream on their device, which allows photos to sync to iCloud and be available on all the user's devices.
Encrypted backup - Require any device backups to be encrypted.
iCloud Photo Library - If set to No, disables the use of iCloud photo library which lets users store photos and
videos in the cloud. Any photos not fully downloaded from iCloud Photo Library to the device will be removed
from the device if this is set to No.
Managed apps sync to cloud - Allow apps that you manage with Intune to sync data to the user's iCloud
account.
Shared photo stream - Set to No to disable iCloud Photo Sharing on the device.
Activity continuation - Allow the user to continue work that they started on an iOS device on another iOS or
macOS device (Handoff).

Autonomous single app mode (supervised only)


Use these settings to configure iOS devices to run specified apps in autonomous single app mode. When this mode
is configured, and the app is run, the device is locked so that it can only run that app. An example of this is when
you configure an app that lets users take a test on the device. When the apps actions are complete, or you remove
this policy, the device returns to its normal state.
Settings
App name - Enter the name of the app as it will appear in the apps list on this blade.
App Bundle ID - Enter the bundle ID of the app. For help, see Bundle ID reference for built-in iOS apps in
this topic.
After you specify each app name and bundle ID, choose Add to append it to the list.
Import - Import a comma-separated values (.csv) file containing a list of app names, and their associated bundle
IDs.
Export - Export the app names, and associated bundle IDs you have configured to a comma-separated values
(.csv) file.
Bundle ID reference for built-in iOS apps
This list shows the bundle ID of some common built-in iOS apps. To find the bundle ID of other apps, contact your
software vendor.

| App name | Bundle ID |
| --- | --- |
| App Store | com.apple.AppStore |
| Calculator | com.apple.calculator |
| Calendar | com.apple.mobilecal |
| Camera | com.apple.camera |
| Clock | com.apple.mobiletimer |
| Compass | com.apple.compass |
| Contacts | com.apple.MobileAddressBook |
| FaceTime | com.apple.facetime |
| Find Friends | com.apple.mobileme.fmf1 |
| Find iPhone | com.apple.mobileme.fmip1 |
| Game Center | com.apple.gamecenter |
| GarageBand | com.apple.mobilegarageband |
| Health | com.apple.Health |
| iBooks | com.apple.iBooks |
| iTunes Store | com.apple.MobileStore |
| iTunes U | com.apple.itunesu |
| Keynote | com.apple.Keynote |
| Mail | com.apple.mobilemail |
| Maps | com.apple.Maps |
| Messages | com.apple.MobileSMS |
| Music | com.apple.Music |
| News | com.apple.news |
| Notes | com.apple.mobilenotes |
| Numbers | com.apple.Numbers |
| Pages | com.apple.Pages |
| Photo Booth | com.apple.Photo-Booth |
| Photos | com.apple.mobileslideshow |
| Podcasts | com.apple.podcasts |
| Reminders | com.apple.reminders |
| Safari | com.apple.mobilesafari |
| Settings | com.apple.Preferences |
| Stocks | com.apple.stocks |
| Tips | com.apple.tips |
| Videos | com.apple.videos |
| VoiceMemos | com.apple.VoiceMemos |
| Wallet | com.apple.Passbook |
| Watch | com.apple.Bridge |
| Weather | com.apple.weather |

Kiosk
Activation Lock - Enable Activation Lock on supervised iOS devices.
App that runs in kiosk mode - Choose Managed App to select an app you've added to Intune, or Store App
to specify the URL to an app in the store. No other apps will be allowed to run on the device. For more help, see
"How to specify URLs to app stores" later in this topic.
Assistive touch - Enable or disable the Assistive Touch accessibility setting, which helps the user perform on-
screen gestures that might be difficult for them to perform.
Invert colors - Enable or disable the Invert Colors accessibility setting, which adjusts the display to help users
with visual impairments.
Mono audio - Enable or disable the accessibility setting Mono audio.
VoiceOver - Enable or disable the accessibility setting VoiceOver, which reads aloud text on the device display.
Zoom - Enable or disable the Zoom accessibility setting, which lets the user use touch to zoom in to the device
display.
Auto lock - Enable or disable automatic locking of the device.
Ringer switch - Enable or disable the ringer (mute) switch on the device.
Screen rotation - Enable or disable changing the screen orientation when the user rotates the device.
Screen sleep button - Enable or disable the sleep/wake button on the device.
Touch - Enable or disable the touchscreen on the device.
Volume buttons - Enable or disable the use of the volume buttons on the device.
Assistive touch control - Enable or disable assistive touch adjustments, which let the user adjust the assistive
touch function.
Invert colors control - Enable or disable invert colors adjustments, which let the user adjust the invert colors
function.
Speak on selected text - Enable or disable the Speak Selection accessibility settings, which can read aloud the
text that the user selects.
VoiceOver control - Enable or disable voiceover adjustments, which let the user adjust the VoiceOver function
(for example, how fast on-screen text is read aloud).
Zoom control - Enable or disable zoom adjustments, which let the user adjust the zoom function.
NOTE
Before you can configure an iOS device for kiosk mode, you must use the Apple Configurator tool or the Apple Device
Enrollment Program to put the device into supervised mode. For more information about the Apple Configurator tool, see
your Apple documentation. If the iOS app that you specify is installed after you assign the profile, the device will not enter
kiosk mode until after it is restarted.

Safari
Safari (supervised only) - Specify whether the Safari browser can be used on the device.
Autofill - Allow the user to change autocomplete settings in the browser.
Cookies - Allow the browser to use cookies.
JavaScript - Allow JavaScript to run in the browser.
Fraud warnings - Allow fraud warnings in the browser.
Pop-ups - Enable or disable the browser pop-up blocker.

Domains
Unmarked email domains
In the Email Domain URL field, add one or more URLs to the list. When end users receive an email from a domain
other than those you configured, the email will be marked as untrusted in the iOS Mail app.
Managed web domains
In the Web Domain URL field, add one or more URLs to the list. When documents are downloaded from the
domains you specify, they will be considered managed. This setting applies only to documents downloaded using
the Safari browser.
Safari password auto fill domains
In the Domain URL field, add one or more URLs to the list. Users can only save web passwords from URLs in this
list. This setting applies only to the Safari browser, and to iOS 9.3 and later devices in supervised mode. If you don't
specify any URLs, then passwords can be saved from all web sites.
macOS device restriction settings in Microsoft Intune
6/23/2017

APPLIES TO: INTUNE ON AZURE


Use these settings to manage macOS devices in a device restriction profile.

Password
Password required - Require the end user to enter a password to access the device.
Required password type - Specify whether the password can be Numeric only, or whether it must be
Alphanumeric (contain letters and numbers). This setting is supported only on Mac OS X version 10.10.3
and later.
Number of non-alphanumeric characters in password - Specify the number of complex characters
required in the password (0 to 4).
A complex character is a symbol, like ?
Minimum password length - Enter the minimum length of password a user must configure (between 4
and 16 characters).
Simple passwords - Allow the use of simple passwords such as 0000 or 1234.
Maximum minutes after screen lock before password is required - Specify how long the computer
must be inactive before a password is required to unlock it.
Maximum minutes of inactivity until screen locks - Specify the length of time that the computer
must be idle before the screen locks.
Password expiration (days) - Specify how many days elapse before the user must change the
password (1 to 255 days).
Prevent reuse of previous passwords - Specify the number of previously used passwords that cannot
be reused (1 to 24).
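The ranges above, turned into a linter that a practitioner can run over a proposed password policy before assigning it; the same weakness checks apply to the Windows 8.1, Windows Phone 8.1 and Windows 10 password sections later on this page. This is an added example, not Intune code: the accepted ranges are the macOS ones quoted above, while the `PasswordPolicy` fields and the weakness thresholds (numeric PINs under 6 digits, an inactivity lock longer than 15 minutes, any grace period after lock) are this example's own assumptions, not Intune defaults.

```python
"""Lint an Intune device-restriction password policy before assigning it.

Added example; not Intune code. The accepted ranges are those the page
gives for the macOS profile (minimum length 4-16, complex characters 0-4,
expiration 1-255 days, password history 1-24). The weakness thresholds
(numeric PINs under 6 digits, inactivity lock over 15 minutes, any grace
period after lock) are this example's assumptions, not Intune defaults.
"""
from dataclasses import dataclass
from typing import List, Optional

# (minimum, maximum) the portal accepts for the macOS profile, per the page.
MACOS_RANGES = {
    "minimum_length": (4, 16),
    "complex_characters": (0, 4),
    "expiration_days": (1, 255),
    "history": (1, 24),
}


@dataclass
class PasswordPolicy:
    required: bool = True
    password_type: str = "alphanumeric"        # "alphanumeric" or "numeric"
    minimum_length: Optional[int] = None
    complex_characters: Optional[int] = None   # symbols such as ?
    simple_passwords_allowed: bool = False     # 0000, 1234 and the like
    inactivity_minutes: Optional[int] = None   # idle time until the screen locks
    grace_minutes: Optional[int] = None        # time after lock before a password is required
    expiration_days: Optional[int] = None
    history: Optional[int] = None              # previous passwords that cannot be reused


def lint_password_policy(p: PasswordPolicy) -> List[str]:
    """Return findings in plain English; an empty list means nothing to fix."""
    if not p.required:
        return ["Password required is off: every other password setting is ignored"]
    findings: List[str] = []
    # Values the portal will not accept.
    for name, (lo, hi) in MACOS_RANGES.items():
        value = getattr(p, name)
        if value is not None and not lo <= value <= hi:
            findings.append(f"{name}={value} is outside the accepted {lo}-{hi} range")
    # Values the portal accepts but that leave the device weakly protected (assumed thresholds).
    if p.simple_passwords_allowed:
        findings.append("Simple passwords allowed: 0000 and 1234 satisfy the policy")
    if p.minimum_length is None:
        findings.append("No minimum length set: the platform default applies, set it explicitly")
    elif p.password_type == "numeric" and p.minimum_length < 6:
        findings.append(f"Numeric-only password of {p.minimum_length} digits: "
                        f"at most {10 ** p.minimum_length:,} guesses")
    if p.inactivity_minutes is None:
        findings.append("No inactivity lock: an unattended device stays unlocked")
    elif p.inactivity_minutes > 15:
        findings.append(f"Inactivity lock of {p.inactivity_minutes} minutes is longer than 15")
    if p.grace_minutes:
        findings.append(f"{p.grace_minutes}-minute grace period: the screen can be unlocked "
                        "without a password for that long after it locks")
    return findings


# Constructed policies (not from the page): a weak one and its hardened counterpart.
WEAK = PasswordPolicy(password_type="numeric", minimum_length=4, simple_passwords_allowed=True,
                      inactivity_minutes=30, grace_minutes=5)
HARDENED = PasswordPolicy(password_type="alphanumeric", minimum_length=8, complex_characters=1,
                          inactivity_minutes=5, grace_minutes=0, expiration_days=90, history=5)

if __name__ == "__main__":
    for label, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {lint_password_policy(policy) or ['no findings']}")
```

The weak policy in the block is accepted by the portal without complaint (every value is inside its range) and still produces four findings; that is the point of linting the combination rather than each field on its own.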

Restricted apps
In the restricted apps list, you can configure one of the following lists:
A Prohibited apps list - List the apps (not managed by Intune) that users are not allowed to install and run.
An Approved apps list - List the apps that users are allowed to install. To remain compliant, users must not install
apps that are not listed. Apps that are managed by Intune are automatically allowed.
To configure the list, click Add, then specify a name of your choice, optionally the app publisher, and the bundle ID
of the app (for example com.apple.calculator).

Domains
Unmarked email domains
In the Email Domain URL field, add one or more URLs to the list. When end users receive an email from a domain
other than one you configured, the email is marked as untrusted in the Mail app.
Windows 8.1 and later device restriction settings in
Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE


General
Apply all configurations to Windows 10 - Enables settings in this policy to be applied to Windows 10
devices, in addition to Windows 8.1 devices.
Diagnostic data submission - Enables the device to submit diagnostic information to Microsoft.
Firewall - Requires that the Windows Firewall is turned on.
User Account Control - Requires the use of User Account Control (UAC) on devices.

Password
Required password type - Specifies the type of password that is required, such as alphanumeric or numeric only.
Minimum password length - Configures the minimum required length (in characters) for the password.
Number of sign-in failures before wiping device - Wipes the device if the sign-in attempts fail this number
of times.
Maximum minutes of inactivity until screen locks - Specifies the number of minutes a device must be idle
before a password is required to unlock it.
Password expiration (days) - Specifies the number of days before the device password must be changed.
Prevent reuse of previous passwords - Specifies whether the user can configure previously used passwords.
Picture password and PIN - Enables the use of a picture password and PIN. A picture password lets the user
sign in with gestures on a picture. A PIN lets users quickly sign in with a four-digit code.
Encryption - Requires that files on the device are encrypted.
To enforce encryption on devices that run Windows 8.1, you must install the December 2014 MDM client update
for Windows on each device. If you enable this setting for Windows 8.1 devices, all users of the device must
have a Microsoft account. For encryption to work, the device must meet the Microsoft InstantGo hardware
certification requirements. When you enforce encryption on a device, the recovery key is only accessible from
the user's Microsoft account, which is accessed from their OneDrive account. You cannot recover this key on
behalf of a user.

Browser
Autofill - Enables users to change autocomplete settings in the browser.
Fraud warnings - Enables or disables warnings for potentially fraudulent websites.
SmartScreen - Enables or disables the SmartScreen Filter, which warns about potentially malicious websites and
downloads.
JavaScript - Enables the browser to run scripts, such as JavaScript.
Pop-ups - Enables or disables the browser pop-up blocker.
Send do-not-track headers - Sends a do not track header to visited sites in Internet Explorer.
Plugins - Enables users to add plug-ins to Internet Explorer.
Single word entry on intranet site - Enables use of a single word to direct Internet Explorer to a web site, such
as Bing.
Auto detect of intranet site - Helps configure security for intranet sites in Internet Explorer.
Internet security level - Sets the Internet Explorer security level for Internet sites.
Intranet security level - Sets the Internet Explorer security level for intranet sites.
Trusted sites security level - Configures the security level for the trusted sites zone.
High security for restricted sites - Configures the security level for the restricted sites zone.
Enterprise mode menu access - Lets users access the Enterprise Mode menu options from Internet Explorer. If
you select this setting, you can also specify a Logging report location, which contains a URL to a report that
shows websites for which users have turned on Enterprise Mode access.
Enterprise mode site list location - Specifies the location of the list of websites that will use Enterprise Mode
when it is active.

Cellular
Data roaming - Enables data roaming when the device is on a cellular network.

Cloud and Storage
Work folders URL - Sets the URL of the work folder to allow documents to be synchronized across devices.
Access to Windows Mail app without a Microsoft account - Enables access to the Windows Mail
application without a Microsoft account.
Windows Phone 8.1 device restriction settings in
Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE


General
Apply all settings to Windows Phone 8.1 only - This is a setting you can configure in the classic Intune
portal. In the Azure portal, this setting cannot be changed. If this is set to Configured, any settings will only be
applied to Windows Phone 8.1 devices. If set to Not Configured, these settings will also apply to Windows 10
Mobile devices.
Camera - Enables or blocks the device's camera.
Copy and paste - Enables or blocks copy and paste functionality on devices.
Removable storage - Lets the device use removable storage such as SD cards.
Geolocation - Enables the device to utilize location information.
Microsoft account - Enables or blocks linking a Microsoft account to the device.
Screen capture - Lets the user capture the contents of the screen as an image file.
Diagnostic data submission - Enables the device to submit diagnostic information to Microsoft.
Custom email accounts sync - Enables the device to connect to non-Microsoft email accounts.

Password
Apply all settings to Windows Phone 8.1 only - This is a setting you can configure in the classic Intune
portal. In the Azure portal, this setting cannot be changed. If this is set to Configured, any settings will only be
applied to Windows Phone 8.1 devices. If set to Not Configured, these settings will also apply to Windows 10
Mobile devices.
Password required - Require the end user to enter a password to access the device.
Required password type - Specifies the type of password that will be required, such as alphanumeric or
numeric only.
Minimum password length - Specifies the minimum number of characters that are required in the
password.
Simple passwords - Specifies that simple passwords such as 0000 and 1234 can be used.
Number of sign-in failures before wiping device - Specifies the number of times an incorrect
password can be entered before the device is wiped.
Maximum minutes of inactivity until screen locks - Specifies the amount of time a device must
remain idle before the screen is automatically locked.
Password expiration (days) - Specifies the number of days before the device password must be
changed.
Prevent reuse of previous passwords - Specifies how many previously used passwords are
remembered.
Encryption - Requires that the data on supported mobile devices be encrypted.
App Store
Apply all settings to Windows Phone 8.1 only - This is a setting you can configure in the classic Intune
portal. In the Azure portal, this setting cannot be changed. If this is set to Configured, any settings will only be
applied to Windows Phone 8.1 devices. If set to Not Configured, these settings will also apply to Windows 10
Mobile devices.
App store - Lets users connect to the app store from the device.

Restricted apps
Apply all settings to Windows Phone 8.1 only - This is a setting you can configure in the classic Intune
portal. In the Azure portal, this setting cannot be changed. If this is set to Configured, any settings will only be
applied to Windows Phone 8.1 devices. If set to Not Configured, these settings will also apply to Windows 10
Mobile devices.
In the restricted apps list, you can configure one of the following lists:
A Blocked apps list - List the apps (not managed by Intune) that users are not allowed to install and run.
An Allowed apps list - List the apps that users are allowed to install. Apps that are managed by Intune are
automatically allowed.
To configure the list, click Add, then specify a name of your choice, optionally the app publisher, and the URL to the
app in the app store.
How to specify the URL to an app in the store
To find the URL of an app for the allowed or blocked apps list:
On the Windows Phone Store page, search for the app that you want to use.
Open the app's page and copy its URL to the clipboard. You can now use this as the URL in either the allowed or
blocked apps list.
Example: Search the store for the Skype app. The URL you use is
http://www.windowsphone.com/store/app/skype/c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51.
Additional options
You can also click Import to populate the list from a csv file in the format <app url>, <app name>, <app
publisher> or click Export to create a csv file containing the contents of the restricted apps list in the same format.
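A checker for the entries described here and in the macOS Restricted apps section earlier on this page, as an added example that is not Intune code. It validates the two keys the page uses, the reverse-DNS bundle ID for macOS entries (such as com.apple.calculator) and the Windows Phone Store URL for Windows Phone 8.1 entries, and parses the import CSV in the `<app url>, <app name>, <app publisher>` format quoted above. The bundle-ID grammar, the case-insensitive duplicate check and the sample entries are this example's own assumptions; the URL shape is the one shown in the Skype example.

```python
"""Check restricted-apps list entries before you import them into Intune.

Added example; not Intune code. It covers the two entry keys the page
describes: macOS entries keyed by bundle ID (com.apple.calculator) and
Windows Phone 8.1 entries keyed by a Windows Phone Store URL, imported
from a CSV of "<app url>, <app name>, <app publisher>". The bundle-ID
syntax rule and case-insensitive duplicate check are assumptions.
"""
import csv
import io
import re
import uuid
from typing import Iterable, List, Optional, Tuple

# Reverse-DNS bundle ID: two or more labels of ASCII letters, digits or
# hyphens joined by dots (assumed rule; Apple's own grammar is not on the page).
BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")

# Store page URL in the shape the page shows:
# http://www.windowsphone.com/store/app/<slug>/<product GUID>
STORE_URL_RE = re.compile(
    r"^https?://www\.windowsphone\.com/store/app/([^/]+)/"
    r"([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})/?$"
)


def validate_bundle_id(bundle_id: str) -> bool:
    """True if the string looks like a reverse-DNS bundle ID."""
    return BUNDLE_ID_RE.match(bundle_id.strip()) is not None


def parse_store_url(url: str) -> Optional[Tuple[str, str]]:
    """Return (slug, product GUID) for a Windows Phone Store app URL, else None."""
    m = STORE_URL_RE.match(url.strip())
    if m is None:
        return None
    return m.group(1), str(uuid.UUID(m.group(2)))  # normalises the GUID to lower case


def check_macos_list(entries: Iterable[Tuple[str, str, str]]) -> List[str]:
    """entries: (name, publisher, bundle ID) triples as typed into the portal."""
    problems: List[str] = []
    seen = set()
    for name, _publisher, bundle_id in entries:
        if not validate_bundle_id(bundle_id):
            problems.append(f"{name}: {bundle_id!r} is not a reverse-DNS bundle ID")
            continue
        key = bundle_id.strip().lower()
        if key in seen:
            problems.append(f"{name}: duplicate bundle ID {bundle_id}")
        seen.add(key)
    return problems


def check_wp81_csv(csv_text: str) -> Tuple[List[dict], List[str]]:
    """Parse the import CSV; return (accepted rows, problems). Blank lines are skipped."""
    rows: List[dict] = []
    problems: List[str] = []
    seen = set()
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not any(cell.strip() for cell in row):
            continue
        if len(row) != 3:
            problems.append(f"line {lineno}: expected 3 fields, got {len(row)}")
            continue
        url, name, publisher = (cell.strip() for cell in row)
        parsed = parse_store_url(url)
        if parsed is None:
            problems.append(f"line {lineno}: {url!r} is not a Windows Phone Store app URL")
            continue
        slug, guid = parsed
        if guid in seen:
            problems.append(f"line {lineno}: {name} duplicates product {guid}")
        seen.add(guid)
        rows.append({"url": url, "name": name, "publisher": publisher, "slug": slug, "guid": guid})
    return rows, problems


# Constructed sample input (not from the page).
SAMPLE_MACOS = [
    ("Calculator", "Apple", "com.apple.calculator"),
    ("Terminal", "Apple", "com.apple.Terminal"),
    ("Broken entry", "", "Calculator"),                      # an app name, not a bundle ID
    ("Calculator again", "Apple", "com.apple.Calculator"),  # duplicate, different case
]
SAMPLE_WP81_CSV = "\n".join([
    "http://www.windowsphone.com/store/app/skype/c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51, Skype, Microsoft Corporation",
    "http://www.windowsphone.com/store/app/skype, Skype (no product ID), Microsoft Corporation",
    "",
])

if __name__ == "__main__":
    for p in check_macos_list(SAMPLE_MACOS):
        print("macOS:", p)
    accepted, issues = check_wp81_csv(SAMPLE_WP81_CSV)
    for r in accepted:
        print("WP8.1 accepted:", r["name"], r["guid"])
    for p in issues:
        print("WP8.1:", p)
```

Keying the Windows Phone entries on the product GUID rather than the whole URL is deliberate: the slug before the GUID is cosmetic, so two lines that differ only in slug or letter case describe the same app and are reported as a duplicate rather than silently imported twice.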

Browser
Apply all settings to Windows Phone 8.1 only - This is a setting you can configure in the classic Intune
portal. In the Azure portal, this setting cannot be changed. If this is set to Configured, any settings will only be
applied to Windows Phone 8.1 devices. If set to Not Configured, these settings will also apply to Windows 10
Mobile devices.
Web browser - Enables or blocks the built-in web browser on devices.

Cellular and Connectivity
Apply all settings to Windows Phone 8.1 only - This is a setting you can configure in the classic Intune
portal. In the Azure portal, this setting cannot be changed. If this is set to Configured, any settings will only be
applied to Windows Phone 8.1 devices. If set to Not Configured, these settings will also apply to Windows 10
Mobile devices.
Wi-Fi - Enables or disables the Wi-Fi functionality of the device.
Wi-Fi tethering - Enables the use of Wi-Fi tethering on the device.
Automatically connect to Wi-Fi hotspots - Enables the device to automatically connect to free Wi-Fi hotspots
and automatically accept any terms of use.
Wi-Fi hotspot reporting - Sends information about Wi-Fi connections to help the user discover nearby
connections.
NFC - Enables or disables operations that use near field communication on devices that support it.
Bluetooth - Enables or disables the Bluetooth functionality of the device.
Windows 10 and later device restriction settings in
Microsoft Intune
6/29/2017

APPLIES TO: INTUNE ON AZURE


General
Screen capture (mobile only) - Lets the user capture the device screen as an image.
Copy and paste (mobile only) - Allow copy and paste actions between apps on the device.
Manual unenrollment - Lets the user manually delete the workplace account from the device.
Manual root certificate installation (mobile only) - Stops the user from manually installing root
certificates and intermediate CA certificates.
Diagnostic data submission - Possible values are:
None: No data is sent to Microsoft.
Basic: Limited information is sent to Microsoft.
Enhanced: Enhanced diagnostic data is sent to Microsoft.
Full: Sends the same data as Enhanced, plus additional data about the device state.
Camera - Allow or block use of the camera on the device.
OneDrive file sync - Blocks the device from synchronizing files to OneDrive.
Removable storage - Specifies whether external storage devices, like SD cards can be used with the device.
Geolocation - Specifies whether the device can use location services information.
Internet sharing - Allow the use of Internet connection sharing on the device.
Phone reset - Controls whether the user can do a factory reset on their device.
USB connection (mobile only) - Controls whether devices can access external storage devices through a USB
connection.
AntiTheft mode (mobile only) - Configure whether Windows Antitheft mode is enabled.
Action center notifications (mobile only) - Enable or disable action center notifications on the device lock
screen (Windows 10 Mobile only).
Cortana - Enable or disable the Cortana voice assistant.
Voice recording (mobile only) - Allow or block use of the device voice recorder.
Power and sleep settings modification (desktop only) - Prevents the end user from changing power and
sleep settings on the device.
Region settings modification (desktop only) - Prevents the end user from changing the region settings on
the device.
Language settings modification (desktop only) - Prevents the user from changing the language settings
on the device.
System Time modification - Prevents the end user from changing the device date and time.
Device name modification - Prevents the end user from changing the device name.
Add provisioning packages - Blocks the run time configuration agent that installs provisioning packages.
Remove provisioning packages - Blocks the run time configuration agent that removes provisioning
packages.
Device discovery - Block a device from being discovered by other devices.
Task Switcher (mobile only) - Blocks the task switcher on the device.
SIM card error dialog (mobile only) - Blocks an error message from displaying on the device if no SIM card
is detected.

Password
Password - Require the end user to enter a password to access the device.
Required password type - Specifies whether the password must be numeric only, or alphanumeric.
Minimum password length - Specifies the minimum number of characters required in the password (Windows 10 Mobile only).
Number of sign-in failures before wiping device - For devices running Windows 10: If the device
has BitLocker enabled, it's put into BitLocker recovery mode after sign-in fails the number of times that
you specified. If the device is not BitLocker enabled, then this setting doesn't apply. For devices running
Windows 10 Mobile: After sign-in fails the number of times you specify, the device is wiped.
Maximum minutes of inactivity until screen locks - Specifies the length of time a device must be
idle before the screen is locked.
Password expiration (days) - Specifies the length of time after which the device password must be
changed.
Prevent reuse of previous passwords - Specifies the number of previously used passwords that are
remembered by the device.
Require password when device returns from idle state - Specifies that the user must enter a
password to unlock the device (Windows 10 Mobile only).
Simple passwords - Lets you allow the use of simple passwords like 1111 and 1234. This setting also
allows or blocks the use of Windows picture passwords.
Encryption - Enable encryption on targeted devices (Windows 10 Mobile only).

Personalization
Desktop background picture URL (Desktop only) - Specify the URL to a picture in PNG, JPG, or JPEG
format that you want to use as the Windows desktop wallpaper. Users will not be able to change this.

Privacy
Input personalization - Don't allow the use of cloud-based speech services for Cortana, dictation, or
Windows Store apps. If you allow these services, Microsoft might collect voice data to improve the service.
Automatic acceptance of the pairing and privacy user consent prompts - Allow Windows to
automatically accept pairing and privacy consent messages when running apps.

Locked screen experience
Action center notifications (mobile only) - Lets Action Center notifications appear on the device lock
screen (Windows 10 Mobile only).
Locked screen picture URL (Desktop only) - Specify the URL to a picture in PNG, JPG, or JPEG format that
will be used as the Windows lock screen wallpaper. Users will not be able to change this.
User configurable screen timeout (mobile only) - Lets users configure the amount of time before the screen
turns off.
Cortana on locked screen (desktop only) - Don't allow the user to interact with Cortana when the device is
on the lock screen (Windows 10 desktop only).
Toast notifications on locked screen - Block alert messages from being displayed on the device lock screen.
Screen timeout (mobile only) - Specifies the time in seconds after the screen locks, when it will turn off.

App Store
App store (mobile only) - Enable or block use of the app store on Windows 10 Mobile devices.
Auto-update apps from store - Allows apps installed from the Windows Store to be automatically updated.
Trusted app installation - Allows apps signed with a trusted certificate to be sideloaded.
Developer unlock - Allow Windows developer settings, such as allowing sideloaded apps to be modified by
the end user.
Shared user app data - Allows apps to share data between different users on the same device.
Use private store only - Enable this to only allow end users to download apps from your private store.
Store originated app launch - Used to disable all apps that were pre-installed on the device, or downloaded
from the Windows Store.
Install app data on system volume - Stops apps from storing data on the system volume of the device.
Install apps on system drive - Stops apps from being installed on the system drive of the device.
Game DVR (desktop only) - Configures whether recording and broadcasting of games is allowed.

Edge Browser
Microsoft Edge browser (mobile only) - Allow the use of the Edge web browser on the device.
Address bar dropdown (desktop only) - Use this to stop Edge from displaying a list of suggestions in a
drop-down list when you type. This helps to minimize network bandwidth use between Edge and Microsoft
services.
Sync favorites between Microsoft browsers (desktop only) - Lets Windows synchronize favorites between
Internet Explorer and Edge.
SmartScreen - Enables or disables SmartScreen, which blocks fraudulent web sites.
Send do-not-track headers - Configures the Edge browser to send do not track headers to websites that
users visit.
Cookies - Lets the browser save internet cookies to the device.
JavaScript - Allows scripts, such as JavaScript, to run in the Edge browser.
Pop-ups - Blocks pop-up windows in the browser (Applies to Windows 10 desktop only).
Search suggestions - Lets your search engine suggest sites as you type search phrases.
Send intranet traffic to Internet Explorer - Lets users open intranet websites in Internet Explorer (Windows
10 desktop only).
Autofill - Allow users to change autocomplete settings in the browser (Windows 10 desktop only).
Password Manager - Enable or disable the Edge Password Manager feature.
Enterprise mode site list location - Specifies where to find the list of web sites that open in Enterprise mode.
Users cannot edit this list (Windows 10 desktop only).
Developer tools - Prevent the end user from opening the Edge developer tools.
Extensions - Allow the end user to install Edge extensions on the device.
InPrivate browsing - Prevent the end user from opening InPrivate browsing sessions.
Show first run page - Stops the introduction page from appearing the first time you run Edge.
First run URL - Specifies the URL of a page that is displayed the first time a user runs Edge (Windows
10 Mobile only).
Homepages - Add a list of sites that you want to use as home pages in the Edge browser (desktop only).
Changes to start page - Lets users change the start pages displayed when Edge is opened. Use the
Homepages setting to create the page, or list of pages, that is opened when Edge starts.
Block access to about flags - Prevent the end user from accessing the about:flags page in Edge that contains
developer and experimental settings.
Smart screen prompt override - Allow the end user to bypass SmartScreen filter warnings about potentially
malicious websites.
Smart screen prompt override for files - Allow the end user to bypass SmartScreen filter warnings about
downloading potentially malicious files.
WebRTC localhost IP address - Block the user's localhost IP address from being exposed when making
calls that use the WebRTC protocol.
Default search engine - Specify the default search engine to be used. End users can change this value at any
time.
Clear browsing data on exit - Clears history and browsing data when the user exits Edge.
Live Tile data collection - Stops Windows collecting information from the Live Tile when users pin a site to
the start menu from Edge.

Search
Safe Search (mobile only) - Control how Cortana filters adult content in search results. You can select Strict,
Moderate, or allow the end user to choose their own settings.

Cloud and Storage
Microsoft account - Lets the user associate a Microsoft account with the device.
Non-Microsoft account - Lets the user add email accounts to the device that are not associated with a
Microsoft account.
Settings synchronization for Microsoft account - Allow device and app settings that are associated with a
Microsoft account to synchronize between devices.

Cellular and Connectivity
Cellular data channel - Stop users from using data, like browsing the web, when they are connected to a
cellular network.
Data roaming - Allow roaming between networks when accessing data.
VPN over the cellular network - Controls whether the device can access VPN connections when connected
to a cellular network.
VPN roaming over the cellular network - Controls whether the device can access VPN connections when
roaming on a cellular network.
Bluetooth - Controls whether the user can enable and configure Bluetooth on the device.
Bluetooth discoverability - Lets the device be discovered by other Bluetooth-enabled devices.
Bluetooth pre-pairing - Lets you configure specific Bluetooth devices to automatically pair with a host device.
Bluetooth advertising - Lets the device receive advertisements over Bluetooth.
Device Bluetooth name - Specify the Bluetooth name for a device. If you don't specify a name, the default
radio name is used.
Connected devices service - Lets you choose whether to allow the connected devices service, which enables
discovery and connection to other Bluetooth devices.
NFC - Lets the user enable and configure Near Field Communications capabilities on the device.
Wi-Fi - Lets the user enable and configure Wi-Fi on the device (Windows 10 Mobile only).
Automatically connect to Wi-Fi hotspots - Lets the device automatically connect to free Wi-Fi hotspots and
automatically accept any terms and conditions for the connection.
Manual Wi-Fi configuration - Controls whether the user can configure their own Wi-Fi connections, or
whether they can only use connections configured by a Wi-Fi profile (Windows 10 Mobile only).
Wi-Fi scan interval - Specify how often devices scan for Wi-Fi networks. Specify a value from 1 (most
frequent) to 500 (least frequent).
Bluetooth allowed services - Specify, as hex strings, a list of allowed Bluetooth services and profiles.

Control Panel and Settings
Settings app - Block access to the Windows settings app.
System - Blocks access to the system area of the settings app.
Devices - Blocks access to the devices area of the settings app.
Network & Internet - Blocks access to the network and internet area of the settings app.
Personalization - Blocks access to the personalization area of the settings app.
Accounts - Blocks access to the accounts area of the settings app.
Time and Language - Blocks access to the time and language area of the settings app.
Ease of Access - Blocks access to the ease of access area of the settings app.
Privacy - Blocks access to the privacy area of the settings app.
Update & Security - Blocks access to the updates and security area of the settings app.

Defender
Real-time monitoring - Enables real-time scanning for malware, spyware, and other unwanted software.
Behavior monitoring - Lets Defender check for certain known patterns of suspicious activity on devices.
Network Inspection System (NIS) - NIS helps to protect devices against network-based exploits. It uses the
signatures of known vulnerabilities from the Microsoft Endpoint Protection Center to help detect and block
malicious traffic.
Scan all downloads - Controls whether Defender scans all files downloaded from the Internet.
Scan scripts loaded in Microsoft web browsers - Lets Defender scan scripts that are used in Internet
Explorer.
End user access to Defender - Controls whether the Windows Defender user interface is hidden from end
users. When this setting is changed, it takes effect the next time the end user's PC is restarted.
Signature update interval (in hours) - Specify the interval at which Defender checks for new signature files.
Monitor file and program activity - Allows Defender to monitor file and program activity on devices.
Days before deleting quarantined malware - Lets Defender continue to track resolved malware for the
number of days you specify so that you can manually check previously affected devices. If you set the number
of days to 0, malware remains in the Quarantine folder and is not automatically removed.
CPU usage limit during a scan - Lets you limit the amount of CPU that scans are allowed to use (from 1 to
100).
Scan archive files - Allows Defender to scan archived files such as Zip or Cab files.
Scan incoming mail messages - Allows Defender to scan email messages as they arrive on the device.
Scan removable drives during a full scan - Lets Defender scan removable drives like USB sticks.
Scan mapped network drives during a full scan - Lets Defender scan files on mapped network drives. If the
files on the drive are read-only, Defender cannot remove any malware found in them.
Scan files opened from network folders - Lets Defender scan files on shared network drives (for example,
files accessed from a UNC path). If the files on the drive are read-only, Defender cannot remove any malware
found in them.
Cloud protection - Allows or blocks the Microsoft Active Protection Service from receiving information about
malware activity from devices that you manage. This information is used to improve the service in the future.
Prompt users before sample submission - Controls whether potentially malicious files that might require
further analysis are automatically sent to Microsoft.
Time to perform a daily quick scan - Lets you schedule a quick scan that occurs daily at the time you select.
Type of system scan to perform - Lets you specify the level of scanning that is performed when you schedule
a system scan.
Detect potentially unwanted applications - Choose the level of protection when Windows detects
potentially unwanted applications: Block or Audit. For more information about potentially unwanted apps, see
this topic.
Actions on detected malware threats - Enable this option to specify the actions you want Defender to take
for each threat level it detects (Low, Moderate, High, and Severe). The actions you can take are Clean,
Quarantine, Remove, Allow, User defined, and Block.

Defender Exclusions
Files and folders to exclude from scans and real-time protection - Adds one or more files and folders like
C:\Path or %ProgramFiles%\Path\filename.exe to the exclusions list. These files and folders aren't included
in any real-time or scheduled scans.
File extensions to exclude from scans and real-time protection - Add one or more file extensions like jpg
or txt to the exclusions list. Any files with these extensions are not included in any real-time or scheduled scans.
Processes to exclude from scans and real-time protection - Add one or more processes of the type .exe,
.com, or .scr to the exclusions list. These processes are not included in any real-time, or scheduled scans.
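An audit of the three exclusion lists above, as an added example that is not Intune or Defender code. Anything under an excluded folder, with an excluded extension, or written by an excluded process is never scanned, which is why attackers with admin rights add exclusions and why pentesters enumerate them; this script flags the entries that give away the most (drive roots, user-writable folders, executable extensions, script hosts, and process entries given as a bare image name, which Defender matches by name wherever the binary lives). The risky-location, extension and process lists and the sample profile values are this example's own assumptions.

```python
"""Audit the three Intune Defender exclusion lists before assigning a profile.

Added example; not Intune or Defender code. Anything under an excluded
folder, with an excluded extension, or written by an excluded process is
never scanned, in real time or on schedule, which is why attackers with
admin rights add exclusions and why pentesters enumerate them. The
"risky" lists below are this example's own judgement, not a Microsoft list.
"""
from dataclasses import dataclass
from typing import Iterable, List
import ntpath

# Locations an unprivileged user, and so any malware running as that user,
# can write to (assumed list).
USER_WRITABLE = (
    "%temp%", "%tmp%", "%userprofile%", "%appdata%", "%localappdata%", "%public%",
    "c:\\users", "c:\\temp", "c:\\windows\\temp", "c:\\programdata",
)
# Extensions payloads are usually delivered in (assumed list).
PAYLOAD_EXTENSIONS = {"exe", "dll", "ps1", "psm1", "vbs", "js", "jse", "bat", "cmd",
                      "scr", "hta", "msi", "com", "jar", "wsf"}
# Script hosts and living-off-the-land binaries (assumed list).
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe", "certutil.exe"}
# Image types the page says the process setting accepts.
PROCESS_IMAGE_TYPES = {".exe", ".com", ".scr"}


@dataclass
class Finding:
    kind: str       # "path", "extension" or "process"
    item: str       # the entry as written in the profile
    severity: str   # "high" or "medium"
    reason: str


def _canon(path: str) -> str:
    """Lower-case, backslash separators, no trailing separator: enough for prefix tests."""
    return path.strip().replace("/", "\\").lower().rstrip("\\")


def audit_paths(paths: Iterable[str]) -> List[Finding]:
    out: List[Finding] = []
    for raw in paths:
        p = _canon(raw)
        if p in ("", "\\") or (len(p) == 2 and p[1] == ":"):
            out.append(Finding("path", raw, "high",
                               "drive root: folder exclusions are recursive, so nothing on the volume is scanned"))
        elif any(p == w or p.startswith(w + "\\") for w in USER_WRITABLE):
            out.append(Finding("path", raw, "high",
                               "user-writable location: unprivileged code can stage files here unscanned"))
        elif "*" in p or "?" in p:
            out.append(Finding("path", raw, "medium",
                               "wildcard: check that it cannot expand into user-writable folders"))
    return out


def audit_extensions(extensions: Iterable[str]) -> List[Finding]:
    out: List[Finding] = []
    for raw in extensions:
        ext = raw.strip().lstrip(".").lower()
        if ext in PAYLOAD_EXTENSIONS:
            out.append(Finding("extension", raw, "high",
                               "executable or script extension: excludes the file types malware ships in"))
    return out


def audit_processes(processes: Iterable[str]) -> List[Finding]:
    out: List[Finding] = []
    for raw in processes:
        entry = raw.strip().replace("/", "\\")
        image = ntpath.basename(entry).lower()
        reasons, severity = [], "medium"
        if ntpath.splitext(image)[1] not in PROCESS_IMAGE_TYPES:
            reasons.append("not an .exe, .com or .scr image")
        if image in LOLBINS:
            reasons.append("script host or LOLBin: everything it writes goes unscanned")
            severity = "high"
        if ntpath.dirname(entry) == "":
            reasons.append("bare image name: any binary renamed to this name inherits the exclusion")
        if reasons:
            out.append(Finding("process", raw, severity, "; ".join(reasons)))
    return out


def audit_exclusions(paths, extensions, processes) -> List[Finding]:
    """All findings, high severity first."""
    findings = audit_paths(paths) + audit_extensions(extensions) + audit_processes(processes)
    return sorted(findings, key=lambda f: (f.severity != "high", f.kind, f.item))


# Constructed sample profile values (not from the page).
SAMPLE_PATHS = ["C:\\", "%TEMP%", "C:\\Program Files\\LegacyApp\\db.mdb",
                "C:\\Users\\*\\Downloads", "D:\\Backups"]
SAMPLE_EXTENSIONS = ["jpg", ".PS1", "dll", "txt"]
SAMPLE_PROCESSES = ["C:\\Program Files\\Backup\\agent.exe", "powershell.exe",
                    "updater.exe", "helper.dll"]

if __name__ == "__main__":
    for f in audit_exclusions(SAMPLE_PATHS, SAMPLE_EXTENSIONS, SAMPLE_PROCESSES):
        print(f"[{f.severity:6}] {f.kind:9} {f.item!r}: {f.reason}")
```

Feed it the values from a profile exported from the portal and fix anything rated high before the profile reaches a device; an exclusion that a vendor insists on is better expressed as a fully qualified process path or a specific file than as a folder or an extension.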

Network proxy
Automatically detect proxy settings - When enabled, the device attempts to discover the path to a PAC script from the local network (WPAD). The device trusts whatever the network answers, so an attacker on the same network can serve a malicious PAC script and route traffic through a proxy they control; on untrusted networks, prefer a fixed Setup script address URL or manual proxy settings.
Use proxy script - Select this if you want to specify a path to a PAC script to configure the proxy server.
Setup script address URL - Enter the URL of a PAC script you want to use to configure the proxy server.
Use manual proxy server - Select this if you want to manually provide proxy server information.
Address - Enter the name, or IP address of the proxy server.
Port number - Enter the port number of your proxy server.
Proxy exceptions - Enter any URLs that must not use the proxy server. Use a semicolon to separate
each item.
Bypass proxy server for local address - Enable this option if you don't want to use the proxy server for
local addresses on your intranet.

Windows Spotlight
Windows Spotlight - Use this setting to block all Windows Spotlight functionality on Windows 10 devices. If
you block this setting, the following settings are not available.
Windows Spotlight on lock screen - Stop Windows Spotlight from displaying information on the
device lock screen.
Third-party suggestions in Windows Spotlight - Stop Windows Spotlight from suggesting content
that is not published by Microsoft.
Windows Tips - Lets you block pop-up tips from displaying in Windows.
Consumer Features - Lets you block consumer features like Start menu suggestions, and membership
notifications.
Windows Spotlight in action center - Block Windows Spotlight suggestions like new app or security
content from appearing in the Windows Action Center.
Windows Spotlight personalization - Stops Windows Spotlight from personalizing results based on
the usage of a device.
Windows welcome experience - Block the Windows welcome experience that shows the user
information about new, or updated features.

Display
User input from wireless display receivers - Blocks user input from wireless display receivers.
Projection to this PC - Stops other devices from discovering the PC for projection.
Require PIN for pairing - Require a PIN when connecting to a projection device.

Start
Unpin apps from task bar - Stop the user from unpinning apps from the Start menu.
Documents on Start - Hide or show the Documents folder in the Windows Start menu.
Downloads on Start - Hide or show the Downloads folder in the Windows Start menu.
File Explorer on Start - Hide or show the File Explorer app in the Windows Start menu.
HomeGroup on Start - Hide or show the HomeGroup folder in the Windows Start menu.
Music on Start - Hide or show the Music folder in the Windows Start menu.
Network on Start - Hide or show the Network folder in the Windows Start menu.
Personal folder on Start - Hide or show the Personal folder in the Windows Start menu.
Pictures on Start - Hide or show the folder for pictures in the Windows Start menu.
Settings on Start - Hide or show the Settings app in the Windows Start menu.
Videos on Start - Hide or show the folder for videos in the Windows Start menu.
Windows 10 Team device restriction settings in Microsoft Intune
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

Wake screen when someone in room - Allows the device to wake automatically when its sensor detects
someone in the room.
PIN for wireless projection - Specifies whether you must enter a PIN before you can use the wireless
projection capabilities of the device.
Miracast wireless projection - Enable this option if you want to let the Windows 10 Team device use Miracast
enabled devices to project.
Meeting information displayed on welcome screen - Enable this option to choose the information that will
be displayed on the Meetings tile of the Welcome screen. You can:
Show organizer and time only
Show organizer, time and subject (subject hidden for private meetings)
Welcome screen background image URL - Enable this setting to display a custom background on the
Welcome screen of Windows 10 Team devices from the URL you specify.
The image must be in PNG format and the URL must begin with https://.
Maintenance window for updates - Configures the window when updates can take place to the device. You
can configure the start time of the window and the duration (from 1-5 hours).
Azure Operational Insights - Azure Operational Insights, part of the Microsoft Operations Manager suite,
collects, stores, and analyzes log file data from Windows 10 Team devices.
To connect to Azure Operational Insights, you must specify a Workspace ID and a Workspace Key.
Android for Work device restriction settings in Microsoft Intune
6/19/2017 5 min to read


Work profile settings


Data sharing between work and personal profiles - Use this setting to control whether apps in the
work profile can share with apps in the personal profile. This setting controls sharing actions within
applications (for example, the Share option in the Chrome browser app) and does not apply to
copy/paste clipboard behavior. Unlike app protection policy settings, device restriction settings are
managed from the Intune portal and use the Android for Work work profile partition to isolate managed
apps. Choose from:
Default sharing restrictions - This is the default sharing behavior of the device which varies
depending on the version of Android it is running. By default, sharing from the personal profile to the
work profile is allowed. Also by default, sharing from the work profile to the personal profile is blocked.
This prevents sharing of data from the work to the personal profile. Google does not provide a way to
block sharing from the personal profile to work profile on devices running versions 6.0 and later.
Apps in work profile can handle sharing request from personal profile - Use this option to enable
the built-in Android feature that allows sharing from the personal to work profile. When enabled, a
sharing request from an app in the personal profile can share with apps in the work profile. This is the
default behavior for Android devices running versions earlier than 6.0.
Allow sharing across boundaries - Enables sharing across the work profile boundary in both
directions. When you select this setting, apps in the work profile can share data with un-badged apps in
the personal profile. Use this setting with care as this allows managed apps in the work profile to share
with apps on the unmanaged side of the device.
Work profile notifications while device locked - Controls whether apps in the work profile can display
data in notifications when the device is locked.
Default app permissions - Sets the default permission policy for all apps in the work profile. Starting with
Android 6, the user is prompted to grant certain permissions required by apps when the app is launched.
This policy setting lets you decide whether users are prompted to grant permissions for all apps in the work
profile. For example, you assign an app to the work profile that requires location access. Normally that app
prompts the user to approve or deny location access to the app. This policy lets you to decide whether all
permissions should be auto-granted without a prompt, auto-denied without a prompt, or let the end user
decide. Choose from:
Device default
Prompt
Auto grant
Auto deny
The grant state for permissions can be further defined for specific apps by defining an App Configuration
policy for an individual app (under Mobile Apps > App configuration policies).
Work profile password
Require Work Profile Password - (Android 7.0 and above with work profile enabled) Define a passcode
policy that applies just to the apps in the work profile. By default, the end user has the option to use the two
separately defined PINs or they can elect to combine the two defined PINs into the stronger of the two.
Minimum password length - Enter the minimum number of characters the user's password must contain
(from 4-16).
Maximum minutes of inactivity until screen locks - Select the amount of time before an inactive device
requires a user re-enter the work profile password to run an app in the work profile.
Number of sign-in failures before wiping device - Enter the number of times an incorrect password can be
entered before the work profile is wiped from the device.
Password expiration (days) - Enter the number of days until an end user's password must be changed (from
1-255).
Required password type - Select the type of password that must be set on the device. Choose from:
Device default
Low security biometric
Required
At least numeric
Numeric complex - (repeating, or consecutive numbers like '1111' or '1234' are not allowed)
At least alphabetic
At least alphanumeric
At least alphanumeric with symbols
Prevent reuse of previous passwords - Enter the number of new passwords that must have been used
before an old one can be reused (from 1-24).
Fingerprint unlock - Blocks an end user from using the device fingerprint scanner to unlock it.
Smart Lock and other trust agents - Lets you control the Smart Lock feature on compatible devices. This
phone capability, sometimes known as a trust agent, lets you disable or bypass the work profile password if the
device is in a trusted location (for example, when it's connected to a specific Bluetooth device, or when it's close
to an NFC tag). You can use this setting to prevent users from configuring Smart Lock.

Password
Minimum password length - Enter the minimum number of characters the user's password must contain
(from 4-14).
Maximum minutes of inactivity until screen locks - Select the amount of time before an inactive device
automatically locks.
Number of sign-in failures before wiping device - Enter the number of times an incorrect password can be
entered before all data is wiped from the device.
Password expiration (days) - Enter the number of days until an end user's password must be changed (from
1-255).
Required password type - Select the type of password that must be set on the device. Choose from:
Device default
Low security biometric
Required
At least numeric
Numeric complex - (repeating, or consecutive numbers like '1111' or '1234' are not allowed)
At least alphabetic
At least alphanumeric
At least alphanumeric with symbols
Prevent reuse of previous passwords - Enter the number of new passwords that must have been used
before an old one can be reused (from 1-24).
Fingerprint unlock - Blocks an end user from using the device fingerprint scanner to unlock it.
Smart Lock and other trust agents - Lets you control the Smart Lock feature on compatible devices. This
phone capability, sometimes known as a trust agent, lets you disable or bypass the device lock screen password
if the device is in a trusted location (for example, when it's connected to a specific Bluetooth device, or when it's
close to an NFC tag). You can use this setting to prevent users from configuring Smart Lock.
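The "Required password type" list appears above for both the work profile password and the device password. The following added example (not Intune's or Android's own code) classifies a candidate password into the strongest listed type it satisfies and checks it against a required type and minimum length; the rule that a stronger type satisfies a weaker requirement, and the constant-step sequence check, are assumptions of the example.

```python
"""Evaluate a candidate password against the 'Required password type' levels
listed for Android for Work devices and work profiles on this page.
Added example, not Intune's or Android's own code. Assumption: a password of a
stronger type satisfies a weaker requirement, as in Android's password-quality
ordering."""
import string
from typing import Optional

# Weakest to strongest, as listed on the page under "Required password type".
PASSWORD_TYPES = (
    "At least numeric",
    "Numeric complex",
    "At least alphabetic",
    "At least alphanumeric",
    "At least alphanumeric with symbols",
)
# These choices impose no character-class requirement.
NO_CLASS_REQUIREMENT = ("Device default", "Low security biometric", "Required")

DIGITS = set("0123456789")


def is_simple_sequence(digits: str) -> bool:
    """True for repeating or consecutive digit strings such as '1111' or '1234'.

    Assumption: any constant-step sequence ('4321', '2468') also counts as
    simple, which is stricter than the two examples the page gives."""
    if len(digits) < 2:
        return True
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return len(steps) == 1


def strongest_type(password: str) -> Optional[str]:
    """Return the strongest listed type the password satisfies, or None."""
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c in DIGITS for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    if password and all(c in DIGITS for c in password):
        return "At least numeric" if is_simple_sequence(password) else "Numeric complex"
    if has_letter and has_digit and has_symbol:
        return "At least alphanumeric with symbols"
    if has_letter and has_digit:
        return "At least alphanumeric"
    if has_letter:
        return "At least alphabetic"
    return None  # symbols only: none of the listed types


def meets_policy(password: str, required_type: str, min_length: int = 4) -> bool:
    """Check the password against a required type and a minimum length.

    min_length mirrors 'Minimum password length' (4-16 for the work profile,
    4-14 for the device); values outside 4-16 are rejected."""
    if not 4 <= min_length <= 16:
        raise ValueError("minimum password length must be between 4 and 16")
    if len(password) < min_length:
        return False
    if required_type in NO_CLASS_REQUIREMENT:
        return True
    if required_type not in PASSWORD_TYPES:
        raise ValueError(f"unknown password type: {required_type}")
    achieved = strongest_type(password)
    if achieved is None:
        return False
    return PASSWORD_TYPES.index(achieved) >= PASSWORD_TYPES.index(required_type)


if __name__ == "__main__":
    # Constructed sample passwords for demonstration only.
    for pw, req in (("1234", "Numeric complex"), ("1492", "Numeric complex"),
                    ("Pa55word!", "At least alphanumeric with symbols")):
        print(f"{pw!r} against {req!r}: {meets_policy(pw, req)}")
```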
How to configure email settings in Microsoft Intune
6/19/2017 4 min to read


Email profiles can be used to configure the devices you manage with the settings necessary to connect to, and
synchronize with, company email. This helps ensure that settings are standard across all of your devices, and
also helps to reduce support calls from end users who do not know the correct email settings.
The built-in mail client is supported for most platforms. Most third-party email apps are not currently supported.
You can use email profiles to configure the native email client on the following device types:
Android Samsung KNOX Standard 4.0 and later
Android for Work
iOS 8.0 and later
Windows Phone 8.1 and later
Windows 10 (desktop) and Windows 10 Mobile
Use the information in this topic to learn the basics about configuring an email profile, and then read further topics
for each platform to learn about device specifics.

Create a device profile containing email settings


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the profiles blade, choose Create Profile.
6. On the Create Profile blade, enter a Name and Description for the email profile.
7. From the Platform drop-down list, select the device platform to which you want to apply email settings.
Currently, you can choose one of the following platforms for email device settings:
Android (Samsung Android KNOX Standard only)
Android for Work
iOS
Windows Phone 8.1
Windows 10 and later
8. From the Profile type drop-down list, choose Email.
9. Depending on the platform you chose, the settings you can configure will be different. Go to one of the
following topics for detailed settings for each platform:
Android for Work and Samsung KNOX Standard settings
iOS settings
Windows Phone 8.1 settings
Windows 10 settings
10. When you're done, go back to the Create Profile blade, and hit Create.
The profile will be created and appears on the profiles list blade. If you want to go ahead and assign this profile to
groups, see How to assign device profiles.

Further information
Remove an email profile
If you want to remove an email profile from a device, edit the assignment and remove any groups of which the
device is a member. Note that you cannot remove an email profile in this way if it is the only email profile on a
device.
Securing email access
You can help secure email profiles using one of two methods:
1. Certificates - When you create the email profile, you choose a certificate profile that you have previously
created in Intune. This is known as the identity certificate, and is used to authenticate against a trusted certificate
profile (or a root certificate) to establish that the user's device is allowed to connect. The trusted certificate is
assigned to the computer that authenticates the email connection, typically, the native mail server. For more
information about how to create and use certificate profiles in Intune, see How to configure certificates with
Intune.
2. User name and password - The user authenticates to the native mail server by providing their user name and
password. The password is not contained in the email profile, so the user needs to supply this when they
connect to email.
How Intune handles existing email accounts
If the user has already configured an email account, the result of the Intune email profile assignment depends on
the device platform:
iOS: An existing, duplicate email profile is detected based on host name and email address. The duplicate email
profile blocks the assignment of an Intune profile. In this case, the Company Portal informs the user that
they are not compliant and prompts the user to remove the manually configured profile. To help prevent this
problem, instruct your users to enroll before installing an email profile, which allows Intune to set up the profile.
Windows: An existing, duplicate email profile is detected based on host name and email address. Intune
overwrites the existing email profile created by the user.
Android Samsung KNOX Standard: An existing, duplicate email profile is detected based on the email
address, and Intune overwrites it with the Intune profile. Since Android does not use host name to identify the profile,
we recommend that you not create multiple email profiles to use on the same email address on different hosts,
as these overwrite each other.
Android for Work: Intune provides two Android for Work email profiles, one for each of the Gmail and Nine
Work email apps. These apps are available in the Google Play Store, and install in the device work profile, so
they can't result in duplicate profiles. Both apps support connections to Exchange. To enable the email
connectivity, deploy one of these email apps to your users' devices, and then create and deploy the appropriate
email profile. Email apps such as Nine Work might not be free. Review the app's licensing details or contact the
app company with any questions.
Update an email profile
If you make changes to an email profile you previously assigned, end users might see a message asking them to
approve the reconfiguration of their email settings.
Email profile settings for Android devices in Microsoft Intune
6/19/2017 2 min to read


As an Intune admin, you can create and assign email settings to the following Android devices:
Android Samsung KNOX Standard
Android for Work

Android Samsung KNOX Standard email settings


Email server - The host name of your Exchange server.
Account name - The display name for the email account as it appears to users on their devices.
Username attribute from AAD - This name is the attribute in Active Directory (AD) or Azure AD used to
generate the username for this email profile. Select Primary SMTP Address, such as [email protected] or
User Principal Name, such as user1 or [email protected].
Email address attribute from AAD - How the email address for the user on each device is generated. Select
Primary SMTP Address to use the primary SMTP address to log in to Exchange or use User Principal Name
to use the full principal name as the email address.
Authentication method - Select either Username and Password or Certificates as the authentication
method used by the email profile.
If you selected Certificate, select a client SCEP or PKCS certificate profile that you previously created to
authenticate the Exchange connection.
Security settings
SSL - Use Secure Sockets Layer (SSL) communication when sending emails, receiving emails, and
communicating with the Exchange server.
S/MIME - Send outgoing email using S/MIME encryption.
If you selected Certificate, select a client SCEP or PKCS certificate profile that you previously created to
authenticate the Exchange connection.
Synchronization settings
Amount of email to synchronize - Choose the number of days of email that you want to synchronize, or
select Unlimited to synchronize all available email.
Sync schedule - Select the schedule by which devices synchronize data from the Exchange server. You can also
select As Messages arrive, which synchronizes data when it arrives, or Manual, where the user of the device
must initiate the synchronization.
Content sync settings
Content type to sync - Select the content types that you want to synchronize to devices from:
Contacts
Calendar
Tasks

Android for Work email settings


Email app - Select either Gmail or Nine Work.
Email server - The host name of your Exchange server.
Username attribute from AAD - This name is the attribute in Active Directory (AD) or Azure AD, that will be
used to generate the username for this email profile. Select Primary SMTP Address, such as
[email protected] or User Principal Name, such as user1 or [email protected].
Email address attribute from AAD - How the email address for the user on each device is generated. Select
User Principal Name to use the full principal name as the email address or User name.
Authentication method - Select either Username and Password or Certificates as the authentication
method used by the email profile.
If you selected Certificate, select a client SCEP or PKCS certificate profile that you previously created to
authenticate the Exchange connection.
SSL - Use Secure Sockets Layer (SSL) communication when sending emails, receiving emails, and
communicating with the Exchange server.
Amount of email to synchronize - Choose the number of days of email that you want to synchronize, or
select Unlimited to synchronize all available email.
Content type to sync (Nine Work only) - Select the content types that you want to synchronize to devices
from:
Contacts
Calendar
Tasks
Email profile settings for iOS devices in Microsoft Intune
6/19/2017 1 min to read

Email server - The host name of your Exchange server.
Account name - The display name for the email account as it will appear to users on their devices.
Username attribute from AAD - This is the attribute in Active Directory (AD) or Azure AD, that will be used to
generate the username for this email profile. Select Primary SMTP Address, such as [email protected] or
User Principal Name, such as user1 or [email protected].
Email address attribute from AAD - How the email address for the user on each device is generated. Select
Primary SMTP Address to use the primary SMTP address to log into Exchange or use User Principal Name to
use the full principal name as the email address.
Authentication method - Select either Username and Password or Certificates as the authentication
method used by the email profile.
If you selected Certificate, select a client SCEP or PKCS certificate profile that you previously created that
will be used to authenticate the Exchange connection.
SSL - Use Secure Sockets Layer (SSL) communication when sending emails, receiving emails, and
communicating with the Exchange server.
S/MIME - Send outgoing email using S/MIME signing.
If you selected Certificate, select a client SCEP or PKCS certificate profile that you previously created that
will be used to authenticate the Exchange connection.
Amount of email to synchronize - Choose the number of days of email that you want to synchronize, or
select Unlimited to synchronize all available email.
Allow messages to be moved to other email accounts - This allows users to move email messages between
different accounts they have configured on their device.
Allow email to be sent from third party applications - Allow the user to select this profile as the default
account for sending email, and allow third-party applications to open email in the native email app, for example,
to attach files to email.
Synchronize recently used email addresses - This feature allows users to synchronize the list of email
addresses that have been recently used on the device with the server.
Email profile settings for Windows Phone 8.1 devices in Microsoft Intune
6/19/2017 1 min to read


Apply all settings to Windows Phone 8.1 only - This is a setting you can configure in the classic Intune
portal. In the Azure portal, this setting cannot be changed. If this is set to Configured, any settings will only be
applied to Windows Phone 8.1 devices. If set to Not Configured, these settings will also apply to Windows 10
Mobile devices.
Email server - The host name of your Exchange server.
Account name - The display name for the email account as it will appear to users on their devices.
Username attribute from AAD - This is the attribute in Active Directory (AD) or Azure AD, that will be used to
generate the username for this email profile. Select Primary SMTP Address, such as [email protected] or
User Principal Name, such as user1 or [email protected].
Email address attribute from AAD - How the email address for the user on each device is generated. Select
Primary SMTP Address to use the primary SMTP address to log into Exchange or use User Principal Name to
use the full principal name as the email address.

Security settings
SSL - Use Secure Sockets Layer (SSL) communication when sending emails, receiving emails, and
communicating with the Exchange server.

Synchronization settings
Amount of email to synchronize - Choose the number of days of email that you want to synchronize, or
select Unlimited to synchronize all available email.
Sync schedule - Select the schedule by which devices will synchronize data from the Exchange server. You can
also select As Messages arrive, which synchronizes data as soon as it arrives, or Manual, where the user of the
device must initiate the synchronization.

Content sync settings


Content type to sync - Select the content types that you want to synchronize to devices from:
Contacts
Calendar
Tasks
Email profile settings for Windows 10 devices in Microsoft Intune
6/19/2017 1 min to read

Email server - The host name of your Exchange server.
Account name - The display name for the email account as it will appear to users on their devices.
Username attribute from AAD - This is the attribute in Active Directory (AD) or Azure AD, that will be used to
generate the username for this email profile. Select Primary SMTP Address, such as [email protected] or
User Principal Name, such as user1 or [email protected].
Email address attribute from AAD - How the email address for the user on each device is generated. Select
Primary SMTP Address to use the primary SMTP address to log into Exchange or use User Principal Name to
use the full principal name as the email address.

Security settings
SSL - Use Secure Sockets Layer (SSL) communication when sending emails, receiving emails, and
communicating with the Exchange server.

Synchronization settings
Amount of email to synchronize - Choose the number of days of email that you want to synchronize, or
select Unlimited to synchronize all available email.
Sync schedule - Select the schedule by which devices will synchronize data from the Exchange server. You can
also select As Messages arrive, which synchronizes data as soon as it arrives, or Manual, where the user of the
device must initiate the synchronization.

Content sync settings


Content type to sync - Select the content types that you want to synchronize to devices from:
Contacts
Calendar
Tasks
How to configure VPN settings in Microsoft Intune
6/19/2017 3 min to read


Virtual private networks (VPNs) give your users secure remote access to your company network. Devices use a
VPN connection profile to initiate a connection with the VPN server. Use VPN profiles in Microsoft Intune to
assign VPN settings to users and devices in your organization, so they can easily and securely connect to the
network.
For example, assume that you want to provision all iOS devices with the settings required to connect to a file share
on the corporate network. You create a VPN profile that contains the settings necessary to connect to the corporate
network, and then you assign this profile to all users who have iOS devices. The users will see the VPN connection
in the list of available networks and can connect with minimal effort.

VPN connection types


You can create VPN profiles using the following connection types:

Connection type                 Android / Android for Work   iOS   macOS   Windows Phone 8.1   Windows 8.1   Windows 10

Pulse Secure                    Yes                          Yes   Yes     Yes                 Yes           Yes
Cisco (IPSec)                   No                           Yes   No      No                  No            No
Citrix                          Yes (Android only)           Yes   No      No                  No            No
F5 Edge Client                  Yes                          Yes   Yes     Yes                 Yes           Yes
Dell SonicWALL Mobile Connect   Yes                          Yes   Yes     Yes                 Yes           Yes
Check Point Capsule VPN         Yes                          Yes   Yes     Yes                 Yes           Yes
Cisco AnyConnect                Yes                          Yes   Yes     No                  No            No
Automatic                       No                           No    No      No                  No            Yes
IKEv2                           No                           No    No      No                  No            Yes
L2TP                            No                           No    No      No                  No            Yes
PPTP                            No                           No    No      No                  No            Yes
Custom                          No                           Yes   Yes     No                  No            No

IMPORTANT
Before you can use VPN profiles assigned to a device, you must install the applicable VPN app for the profile. You can use
the information in the What is app management in Microsoft Intune? topic to help you assign the app by using Intune.

Learn how to create custom VPN profiles by using URI settings in Create custom VPN profiles.

Create a device profile containing VPN settings


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the profiles blade, choose Create Profile.
6. On the Create Profile blade, enter a Name and Description for the VPN profile.
7. From the Platform drop-down list, select the device platform to which you want to apply VPN settings.
Currently, you can choose one of the following platforms for VPN device settings:
Android
Android for Work
iOS
macOS
Windows Phone 8.1
Windows 8.1 and later
Windows 10 and later
8. From the Profile type drop-down list, choose VPN.
9. Depending on the platform you chose, the settings you can configure will be different. Go to one of the
following topics for detailed settings for each platform:
Android and Android for Work settings
iOS settings
macOS settings
Windows Phone 8.1 settings
Windows 8.1 settings
Windows 10 settings
10. When you're done, go back to the Create Profile blade, and hit Create.
The profile will be created and appears on the profiles list blade. If you want to go ahead and assign this profile to
groups, see How to assign device profiles.

Methods of securing VPN profiles


VPN profiles can use a number of different connection types and protocols from different manufacturers. These
connections are typically secured through one of two methods.
Certificates
When you create the VPN profile, you choose a SCEP or PKCS certificate profile that you previously created in
Intune. This is known as the identity certificate. It's used to authenticate against a trusted certificate profile (or root
certificate) that you created to establish that the user's device is allowed to connect. The trusted certificate is
assigned to the computer that authenticates the VPN connection, typically, the VPN server.
For more information about how to create and use certificate profiles in Intune, see How to configure certificates
with Microsoft Intune.
User name and password
The user authenticates to the VPN server by providing a user name and password.
VPN settings for Android devices in Microsoft Intune
6/19/2017 2 min to read


As an Intune admin, you can configure VPN settings for the following platforms:
Android
Android for Work
Depending on the settings you choose, not all values listed below are configurable.

Android VPN settings


Connection name - Enter a name for this connection. End users will see this name when they browse their device
for the list of available VPN connections.
IP address or FQDN - Provide the IP address or fully qualified domain name of the VPN server that devices will
connect to. Examples: 192.168.1.1, vpn.contoso.com.
Authentication method - Choose how devices will authenticate to the VPN server from:
Certificates - Select a SCEP or PKCS certificate profile you previously created to authenticate the
connection. For more details about certificate profiles, see How to configure certificates.
Username and password - End users must supply a user name and password to log into the VPN
server.
Connection type - Select the VPN connection type from the following list of vendors:
Check Point Capsule VPN
Cisco AnyConnect
Dell SonicWALL Mobile Connect
F5 Edge Client
Pulse Secure
Citrix
Fingerprint (Check Point Capsule VPN only) - Specify a string (for example, "Contoso Fingerprint Code")
that is used to verify that the VPN server can be trusted. A fingerprint can be sent to the client so it
knows to trust any server that presents the same fingerprint when connecting. If the device doesn't already
have the fingerprint, it prompts the user to trust the VPN server that they are connecting to while
showing the fingerprint (the user manually verifies the fingerprint and chooses trust to connect).
Enter key and value pairs for the Citrix VPN attributes (Citrix only) - Enter key and value pairs, provided by
Citrix, to configure the properties of the VPN connection.

Android for Work VPN settings


Connection name - Enter a name for this connection. End users will see this name when they browse their device
for the list of available VPN connections.
IP address or FQDN - Provide the IP address or fully qualified domain name of the VPN server that devices will
connect to. Examples: 192.168.1.1, vpn.contoso.com.
Authentication method - Choose how devices will authenticate to the VPN server from:
Certificates - Select a SCEP or PKCS certificate profile you previously created to authenticate the
connection. For more details about certificate profiles, see How to configure certificates.
Username and password - End users must supply a user name and password to log into the VPN
server.
Connection type - Select the VPN connection type from the following list of vendors:
Check Point Capsule VPN
Cisco AnyConnect
Dell SonicWALL Mobile Connect
F5 Edge Client
Pulse Secure
Split tunneling - Enable to let certain web traffic use the VPN connection while other traffic goes directly to
the internet. Disable this setting if you want all traffic to use the VPN when it is active.
VPN settings for iOS devices in Microsoft Intune
6/19/2017 3 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

Depending on the settings you choose, not all values in the list below will be configurable.

Base VPN settings


Connection name - Enter a name for this connection. End users will see this name when they browse their device
for the list of available VPN connections.
IP address or FQDN - Provide the IP address or fully qualified domain name of the VPN server that devices will
connect to. Examples: 192.168.1.1, vpn.contoso.com.
Authentication method - Choose how devices will authenticate to the VPN server from:
Certificates - Under Authentication certificate, choose a SCEP or PKCS certificate profile you
previously created to authenticate the connection. For more details about certificate profiles, see How to
configure certificates.
Username and password - End users must supply a username and password to log into the VPN server.
Connection type - Select the VPN connection type from the following list of vendors:
Check Point Capsule VPN
Cisco AnyConnect
Dell SonicWALL Mobile Connect
F5 Edge Client
Pulse Secure
Cisco (IPSec)
Citrix
Custom VPN
Split tunneling - Enable or disable this option, which lets the device decide which connection to use depending
on the traffic. For example, a user in a hotel will use the VPN connection to access work files, but use the hotel's
standard network for regular web browsing. Disable it if all traffic should go through the VPN while it is active.

Custom VPN settings


If you selected Custom VPN as the connection type, configure these further settings:
VPN identifier - This is an identifier for the VPN app you are using, and is supplied by your VPN provider.
Enter key and value pairs for the custom VPN attributes - Add or import keys and values that customize
your VPN connection. Again, these values are typically supplied by your VPN provider.

Apps (per-app VPN) settings


Per-app VPN - Enable this option to specify URLs that will enable the VPN connection when they are
visited from the Safari browser. To configure this, you must have selected Certificates as the authentication
method in the base VPN settings.
URLs that will enable the VPN connection while using the Safari browser - Choose Add to add one or
more website URLs. When these URLs are visited, the VPN connection will be enabled.
On-demand rules - This lets you configure conditional rules that control when the VPN connection is
initiated. For example, you could create a condition where the VPN connection is only used when a device is
not connected to one of your company Wi-Fi networks. Alternatively, you could create a condition where, if a
device cannot access a DNS search domain you specify, then the VPN connection is not initiated.
SSIDs or DNS search domains - Select whether this condition will use wireless network SSIDs, or DNS
search domains. Choose Add to configure one or more SSIDs or search domains.
URL string probe - Optionally, provide a URL that the rule uses as a test. If the device on which this
profile is installed is able to access this URL without redirection, the VPN connection will be initiated and
the device will connect to the target URL. The user will not see the URL string probe site. An example of a
URL string probe is the address of an auditing Web server that checks device compliance before
connecting the VPN. Another possibility is that the URL tests the ability of the VPN to connect to a site,
before connecting the device to the target URL through the VPN.
Domain action - Choose one of the following:
Connect if needed -
Never connect -
Action - Choose one of the following:
Connect -
Evaluate connection -
Ignore -
Disconnect -
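The on-demand rules above are easier to reason about when the evaluation is written down. The following is an added example, not Intune or Apple code: it models rules with the conditions this page lists (SSIDs or DNS search domains, an optional URL string probe) and an action, and evaluates them in order with the first matching rule winning, which is how Apple documents on-demand VPN rules. The SSIDs, search domains and probe URL are made up, and the offline driver injects the probe result so nothing touches the network; the live probe helper shows how "reachable without redirection" is checked against a real server.

```python
"""Evaluate VPN on-demand rules the way the iOS settings above describe them.

Added example, not Intune or Apple code. Rule shape mirrors the settings on
this page; first matching rule decides the action (Apple's documented
behaviour). SSIDs, domains and the probe URL below are made up.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Sequence
import urllib.error
import urllib.request


@dataclass(frozen=True)
class Rule:
    action: str                         # "Connect", "Disconnect", "Ignore" or "Evaluate connection"
    ssids: Sequence[str] = ()           # condition: current SSID is one of these (empty = no condition)
    dns_domains: Sequence[str] = ()     # condition: a configured search domain is one of these
    url_probe: Optional[str] = None     # condition: this URL answers directly, without redirection


@dataclass(frozen=True)
class NetworkState:
    ssid: Optional[str]                 # None when the device is not on Wi-Fi
    dns_search_domains: Sequence[str]


ProbeFn = Callable[[str], bool]


def rule_matches(rule: Rule, state: NetworkState, probe: ProbeFn) -> bool:
    """Every condition the rule specifies must hold; unspecified ones are ignored."""
    if rule.ssids and state.ssid not in rule.ssids:
        return False
    if rule.dns_domains and not any(d in rule.dns_domains for d in state.dns_search_domains):
        return False
    # The probe is only consulted once the cheaper local conditions already matched.
    if rule.url_probe is not None and not probe(rule.url_probe):
        return False
    return True


def evaluate(rules: Sequence[Rule], state: NetworkState, probe: ProbeFn,
             default: str = "Ignore") -> str:
    """Return the action of the first rule whose conditions all match."""
    for rule in rules:
        if rule_matches(rule, state, probe):
            return rule.action
    return default


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise on a 3xx instead of following it: a captive
    # portal that redirects the probe must not count as "reachable".
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_probe(url: str, timeout: float = 5.0) -> bool:
    """Live probe: True only for a direct HTTP 200. Not used by the offline demo."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status == 200
    except (urllib.error.URLError, OSError):
        return False


# Policy matching the page's example: never use the VPN on company Wi-Fi or when a
# company search domain is configured; otherwise connect only if the probe host
# (hypothetical auditing server) answers directly.
CORP_SSIDS = ("Contoso-Corp", "Contoso-Guest")
PROBE_URL = "http://vpn-probe.contoso.com/ok"
POLICY = (
    Rule(action="Disconnect", ssids=CORP_SSIDS),
    Rule(action="Disconnect", dns_domains=("corp.contoso.com",)),
    Rule(action="Connect", url_probe=PROBE_URL),
)


def decide(ssid: Optional[str], search_domains: Sequence[str], probe_ok: bool) -> str:
    """Offline driver: the probe outcome is injected instead of hitting the network."""
    state = NetworkState(ssid=ssid, dns_search_domains=tuple(search_domains))
    return evaluate(POLICY, state, probe=lambda _url: probe_ok)


if __name__ == "__main__":
    print(decide("Contoso-Corp", (), probe_ok=True))        # Disconnect
    print(decide("Hotel-WiFi", ("hotel.example",), True))   # Connect
    print(decide("Hotel-WiFi", ("hotel.example",), False))  # Ignore
```

Ordering matters: because the corporate SSID rule comes first, the probe is never even attempted on the office network, and a probe that fails (or is redirected by a captive portal) falls through to the default Ignore rather than forcing a connection.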

Proxy settings
Automatic configuration script - Use a proxy auto-configuration file to set up the proxy. Enter the URL from which
the device retrieves the configuration file (for example http://proxy.contoso.com).
Address - Enter the proxy server address (as an IP address).
Port number - Enter the port number associated with the proxy server.
VPN settings for macOS devices in Microsoft Intune
6/19/2017 1 min to read

Depending on the settings you choose, not all values in the list below will be configurable.

Base VPN settings


Connection name - Enter a name for this connection. End users will see this name when they browse their device
for the list of available VPN connections.
IP address or FQDN - Provide the IP address or fully qualified domain name of the VPN server that devices will
connect to. Examples: 192.168.1.1, vpn.contoso.com.
Authentication method - Choose how devices will authenticate to the VPN server from:
Certificates - Under Authentication certificate, choose a SCEP or PKCS certificate profile you
previously created to authenticate the connection. For more details about certificate profiles, see How to
configure certificates.
Username and password - End users must supply a username and password to log into the VPN server.
Connection type - Select the VPN connection type from the following list of vendors:
Check Point Capsule VPN
Cisco AnyConnect
Dell SonicWALL Mobile Connect
F5 Edge Client
Pulse Secure
Custom VPN
Split tunneling - Enable or disable this option, which lets the device decide which connection to use depending
on the traffic. For example, a user in a hotel will use the VPN connection to access work files, but use the hotel's
standard network for regular web browsing. Disable it if all traffic should go through the VPN while it is active.

Custom VPN settings


If you selected Custom VPN, configure these further settings:
VPN identifier - This is an identifier for the VPN app you are using, and is supplied by your VPN provider.
Enter key and value pairs for the custom VPN attributes - Add or import keys and values that customize
your VPN connection. Again, these values are typically supplied by your VPN provider.

Proxy settings
Automatic configuration script - Use a proxy auto-configuration file to set up the proxy. Enter the URL from which
the device retrieves the configuration file (for example http://proxy.contoso.com).
Address - Enter the proxy server address (as an IP address).
Port number - Enter the port number associated with the proxy server.
VPN settings for Windows 8.1 devices in Microsoft
Intune
6/19/2017 3 min to read

Depending on the settings you choose, not all values in the list below will be configurable.

Base VPN settings


Apply all settings to Windows 8.1 only - This is a setting you can configure in the classic Intune portal. In the
Azure portal, this setting cannot be changed. If this is set to Configured, any settings will only be applied to
Windows 8.1 devices. If set to Not Configured, these settings will also apply to Windows 10 devices.
Connection name - Enter a name for this connection. End users will see this name when they browse their
device for the list of available VPN connections.
Servers - Add one or more VPN servers that devices will connect to.
Add - Opens the Add Row blade where you can specify the following information:
Description - Specify a descriptive name for the server like Contoso VPN server.
IP address or FQDN - Provide the IP address or fully qualified domain name of the VPN server
that devices will connect to. Examples: 192.168.1.1, vpn.contoso.com.
Default server - Enables this server as the default server that devices will use to establish the
connection. Make sure to set only one server as the default.
Import - Browse to a file containing a comma-separated list of servers in the format description, IP
address or FQDN, Default server. Choose OK to import these into the Servers list.
Export - Exports the list of servers to a comma-separated-values (csv) file.
Connection type - Select the VPN connection type from the following list of vendors:
Check Point Capsule VPN
Dell SonicWALL Mobile Connect
F5 Edge Client
Pulse Secure
Login group or domain (Dell SonicWALL Mobile Connect only) - Specify the name of the login group or
domain that you want to connect to.
Role (Pulse Secure only) - Specify the name of the user role that has access to this connection. A user role
defines personal settings and options, and it enables or disables certain access features.
Realm (Pulse Secure only) - Specify the name of the authentication realm that you want to use. An
authentication realm is a grouping of authentication resources that the Pulse Secure connection type uses.
Custom XML - Specify any custom XML commands that configure the VPN connection.
Example for Pulse Secure:
<pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema>

Example for CheckPoint Mobile VPN:

<CheckPointVPN port="443" name="CheckPointSelfhost" sso="true" debug="3" />

Example for Dell SonicWALL Mobile Connect:

<MobileConnect><Compression>false</Compression><debugLogging>True</debugLogging><packetCapture>False</packetCapture>
</MobileConnect>

Example for F5 Edge Client:

<f5-vpn-conf><single-sign-on-credential /></f5-vpn-conf>

Refer to each manufacturer's VPN documentation for more information about how to write custom XML
commands.

Proxy settings
Automatically detect proxy settings - If your VPN server requires a proxy server for the connection, specify
whether you want devices to automatically detect the connection settings. For more information, see your
Windows Server documentation.
Automatic configuration script - Use a proxy auto-configuration file to set up the proxy. Enter the URL from which
the device retrieves the configuration file (for example http://proxy.contoso.com).
Use proxy server - Enable this option if you want to manually enter the proxy server settings.
Address - Enter the proxy server address (as an IP address).
Port number - Enter the port number associated with the proxy server.
Bypass proxy for local addresses - If your VPN server requires a proxy server for the connection, select this
option if you do not want to use the proxy server for local addresses that you specify. For more information, see
your Windows Server documentation.
VPN settings for Windows Phone 8.1 devices in
Microsoft Intune
6/19/2017 4 min to read

Depending on the settings you choose, not all values in the list below will be configurable.

Base VPN settings


Apply all settings to Windows Phone 8.1 only - This is a setting you can configure in the classic Intune
portal. In the Azure portal, this setting cannot be changed. If this is set to Configured, any settings will only be
applied to Windows Phone 8.1 devices. If set to Not Configured, these settings will also apply to Windows 10
Mobile devices.
Connection name - Enter a name for this connection. End users will see this name when they browse their
device for the list of available VPN connections.
Authentication method - Choose how devices will authenticate to the VPN server from:
Certificates - Under Authentication certificate, choose a SCEP or PKCS certificate profile you
previously created to authenticate the connection. For more details about certificate profiles, see How to
configure certificates.
Username and password - End users must supply a username and password to log into the VPN server.
Servers - Add one or more VPN servers that devices will connect to.
Add - Opens the Add Row blade where you can specify the following information:
Description - Specify a descriptive name for the server like Contoso VPN server.
IP address or FQDN - Provide the IP address or fully qualified domain name of the VPN server
that devices will connect to. Examples: 192.168.1.1, vpn.contoso.com.
Default server - Enables this server as the default server that devices will use to establish the
connection. Make sure to set only one server as the default.
Import - Browse to a file containing a comma-separated list of servers in the format description, IP
address or FQDN, Default server. Choose OK to import these into the Servers list.
Export - Exports the list of servers to a comma-separated-values (csv) file.
Bypass VPN on company Wi-Fi network - Enable this option to specify that the VPN connection will not
be used when the device is connected to the company Wi-Fi network.
Bypass VPN on home Wi-Fi network - Enable this option to specify that the VPN connection will not be
used when the device is connected to a home Wi-Fi network.
Connection type - Select the VPN connection type from the following list of vendors:
Check Point Capsule VPN
Dell SonicWALL Mobile Connect
F5 Edge Client
Pulse Secure
Login group or domain (Dell SonicWALL Mobile Connect only) - Specify the name of the login group or
domain that you want to connect to.
Role (Pulse Secure only) - Specify the name of the user role that has access to this connection. A user role
defines personal settings and options, and it enables or disables certain access features.
Realm (Pulse Secure only) - Specify the name of the authentication realm that you want to use. An
authentication realm is a grouping of authentication resources that the Pulse Secure connection type uses.
DNS suffix search list - Add one or more DNS suffixes. Each DNS suffix that you specify will be searched
when connecting to a website by using a short name. For example, specify the DNS suffixes
domain1.contoso.com and domain2.contoso.com, visit the URL http://mywebsite, and the names
http://mywebsite.domain1.contoso.com and http://mywebsite.domain2.contoso.com will be
tried.
Custom XML - Specify any custom XML commands that configure the VPN connection.
Example for Pulse Secure:

<pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema>

Example for CheckPoint Mobile VPN:

<CheckPointVPN port="443" name="CheckPointSelfhost" sso="true" debug="3" />

Example for Dell SonicWALL Mobile Connect:

<MobileConnect><Compression>false</Compression><debugLogging>True</debugLogging><packetCapture>False</packetCapture>
</MobileConnect>

Example for F5 Edge Client:

<f5-vpn-conf><single-sign-on-credential /></f5-vpn-conf>

Refer to each manufacturer's VPN documentation for more information about how to write custom XML
commands.
Split tunneling - Enable or disable this option, which lets the device decide which connection to use depending
on the traffic. For example, a user in a hotel will use the VPN connection to access work files, but use the hotel's
standard network for regular web browsing. Disable it if all traffic should go through the VPN while it is active.

Proxy settings
Automatically detect proxy settings - If your VPN server requires a proxy server for the connection, specify
whether you want devices to automatically detect the connection settings. For more information, see your
Windows Server documentation.
Automatic configuration script - Use a proxy auto-configuration file to set up the proxy. Enter the URL from which
the device retrieves the configuration file (for example http://proxy.contoso.com).
Use proxy server - Enable this option if you want to manually enter the proxy server settings.
Address - Enter the proxy server address (as an IP address).
Port number - Enter the port number associated with the proxy server.
Bypass proxy for local addresses - If your VPN server requires a proxy server for the connection, select this
option if you do not want to use the proxy server for local addresses that you specify. For more information, see
your Windows Server documentation.
VPN settings for Windows 10 devices in Microsoft
Intune
6/19/2017 3 min to read

Depending on the settings you choose, not all values in the list below will be configurable.

Base VPN settings


Connection name - Enter a name for this connection. End users will see this name when they browse their
device for the list of available VPN connections.
Servers - Add one or more VPN servers that devices will connect to.
Add - Opens the Add Row blade where you can specify the following information:
Description - Specify a descriptive name for the server like Contoso VPN server.
IP address or FQDN - Provide the IP address or fully qualified domain name of the VPN server
that devices will connect to. Examples: 192.168.1.1, vpn.contoso.com.
Default server - Enables this server as the default server that devices will use to establish the
connection. Make sure to set only one server as the default.
Import - Browse to a file containing a comma-separated list of servers in the format description, IP
address or FQDN, Default server. Choose OK to import these into the Servers list.
Export - Exports the list of servers to a comma-separated-values (csv) file.
Connection type - Select the VPN connection type from the following list of vendors:
Pulse Secure
F5 Edge Client
Dell SonicWALL Mobile Connect
Check Point Capsule VPN
Automatic
IKEv2
L2TP
PPTP
Login group or domain (Dell SonicWALL Mobile Connect only) - Specify the name of the login group or domain
that you want to connect to.
Custom XML/EAP XML - Specify any custom XML commands that configure the VPN connection.
Example for Pulse Secure:

<pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema>

Example for CheckPoint Mobile VPN:


<CheckPointVPN port="443" name="CheckPointSelfhost" sso="true" debug="3" />

Example for Dell SonicWALL Mobile Connect:

<MobileConnect><Compression>false</Compression><debugLogging>True</debugLogging><packetCapture>False</packetCapture>
</MobileConnect>

Example for F5 Edge Client:

<f5-vpn-conf><single-sign-on-credential /></f5-vpn-conf>

Refer to each manufacturer's VPN documentation for more information about how to write custom XML
commands.
Split tunneling - Enable or disable this option, which lets the device decide which connection to use depending on
the traffic. For example, a user in a hotel will use the VPN connection to access work files, but use the hotel's
standard network for regular web browsing. Disable it if all traffic should go through the VPN while it is active.
Split tunneling routes for this VPN connection - Add optional routes for third-party VPN providers. Specify
a destination prefix, and a prefix size for each.
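The Servers setting on the Windows 8.1, Windows Phone 8.1 and Windows 10 pages accepts an imported CSV of description, IP address or FQDN, Default server, and warns that only one server may be the default. The following is an added example, not Intune code, that checks such a file before it is imported: it parses the three columns, verifies each host is a syntactically valid IP address or FQDN, rejects duplicates and enforces exactly one default. The sample rows are constructed, and the assumption that the third column holds True/False is mine (the page does not state the column's literal values).

```python
"""Check a VPN server list before importing it into the Servers setting.

Added example, not Intune code. Format per the page: rows of
"description, IP address or FQDN, Default server" with exactly one default.
Assumption (mine): the default column holds True/False. Sample rows are made up.
"""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Hostname labels are 1-63 chars with no leading/trailing hyphen; require at least one dot.
_FQDN_RE = re.compile(
    r"^(?=.{1,253}\.?$)(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}\.?$",
    re.IGNORECASE,
)
_TRUE = {"true", "yes", "1"}
_FALSE = {"false", "no", "0", ""}


@dataclass(frozen=True)
class Server:
    description: str
    host: str
    default: bool


def is_ip_or_fqdn(host: str) -> bool:
    """Accept IPv4/IPv6 literals or a dotted hostname; reject anything else."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(_FQDN_RE.match(host))


def parse_server_list(text: str) -> List[Server]:
    """Parse the three-column CSV; raise ValueError on a malformed row."""
    servers = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(cell.strip() for cell in row):
            continue                                       # skip blank lines
        if len(row) != 3:
            raise ValueError(f"line {lineno}: expected 3 columns, got {len(row)}")
        description, host, default = (cell.strip() for cell in row)
        flag = default.lower()
        if flag not in _TRUE | _FALSE:
            raise ValueError(f"line {lineno}: default must be True/False, got {default!r}")
        servers.append(Server(description, host, flag in _TRUE))
    return servers


def validate(servers: List[Server]) -> List[str]:
    """Return a list of problems; an empty list means the file is safe to import."""
    problems = []
    if not servers:
        problems.append("no servers listed")
    defaults = [s for s in servers if s.default]
    if len(defaults) != 1:
        problems.append(f"expected exactly one default server, found {len(defaults)}")
    seen = set()
    for s in servers:
        if not s.description:
            problems.append(f"{s.host}: missing description")
        if not is_ip_or_fqdn(s.host):
            problems.append(f"{s.host!r}: not a valid IP address or FQDN")
        if s.host.lower() in seen:
            problems.append(f"{s.host}: listed more than once")
        seen.add(s.host.lower())
    return problems


def check_csv(text: str) -> List[str]:
    return validate(parse_server_list(text))


# Constructed samples: the first has two problems on purpose (two defaults, bad host).
SAMPLE_BAD = """\
Contoso VPN server,vpn.contoso.com,True
Contoso backup VPN,192.168.1.1,True
Lab box,vpn_lab,False
"""
SAMPLE_GOOD = """\
Contoso VPN server,vpn.contoso.com,True
Contoso backup VPN,192.168.1.1,False
"""

if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, check_csv(sample) or "OK")
```

Run it against the file you are about to import; an empty problem list is the go-ahead. The FQDN check is syntactic only, so a typo that still forms a valid name will pass and should be caught by resolving the names separately.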

Apps and Traffic Rules


Restrict VPN connection to these apps - Enable this option if you only want apps you specify to use the VPN
connection.
Associated Apps - Provide a list of apps that will automatically use the VPN connection. The type of
app will determine the app identifier. For a universal app, provide the package family name. For a desktop app,
provide the file path of the app.

IMPORTANT
We recommend that you secure all lists of apps that you compile for use in configuration of per-app VPN. If an unauthorized
user modifies your list and you import it into the per-app VPN app list, you will potentially authorize VPN access to apps that
should not have access. One way you can secure app lists is by using an access control list (ACL).

Network traffic rules for this VPN connection - Select which protocols, and which local and remote port and
address ranges, will be enabled for the VPN connection. If you do not create a network traffic rule, all protocols,
ports, and address ranges are enabled. After you create a rule, the VPN connection will use only the protocols,
ports, and address ranges that you specify in that rule.

Conditional Access
Conditional access for this VPN connection
Single sign-on (SSO) with alternate certificate
Extended key usage
Issuer hash

DNS Settings
DNS names and servers for this VPN connection - Select which DNS servers the VPN connection will use after
the connection is established. For each server, specify:
DNS Name
DNS Server
Proxy
Proxy settings
Automatically detect proxy settings - If your VPN server requires a proxy server for the connection, specify
whether you want devices to automatically detect the connection settings. For more information, see your
Windows Server documentation.
Automatic configuration script - Use a proxy auto-configuration file to set up the proxy. Enter the URL from which
the device retrieves the configuration file (for example http://proxy.contoso.com).
Use proxy server - Enable this option if you want to manually enter the proxy server settings.
Address - Enter the proxy server address (as an IP address).
Port number - Enter the port number associated with the proxy server.
Bypass proxy for local addresses - If your VPN server requires a proxy server for the connection, select this
option if you do not want to use the proxy server for local addresses that you specify. For more information, see
your Windows Server documentation.
How to configure Wi-Fi settings in Microsoft Intune
6/19/2017 2 min to read

Use Microsoft Intune Wi-Fi profiles to assign wireless network settings to users and devices in your organization.
When you assign a Wi-Fi profile, your users will have access to your corporate Wi-Fi network without having to
configure it themselves.
For example, you install a new Wi-Fi network named Contoso Wi-Fi and want to set up all iOS devices to connect
to this network. Here's the process:
1. Create a Wi-Fi profile containing the settings necessary to connect to the Contoso Wi-Fi wireless network.
2. Assign the profile to a group containing all users of iOS devices.
3. Users find the new Contoso Wi-Fi network in the list of wireless networks on their device and can easily connect
to it.
Wi-Fi profiles support the following device platforms:
Android 4 and later
Android for Work
iOS 8.0 and later
macOS (Mac OS X 10.9 and later)
For devices running Windows 8.1, Windows 10, and Windows 10 Mobile, you can import a Wi-Fi configuration
that was previously exported from another device.
Use the information in this topic to learn the basics about configuring a Wi-Fi profile, and then read further topics
for each platform to learn about device specifics.

Create a device profile containing Wi-Fi settings


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the profiles blade, choose Create Profile.
6. On the Create Profile blade, enter a Name and Description for the Wi-Fi profile.
7. From the Platform drop-down list, select the device platform to which you want to apply Wi-Fi settings.
Currently, you can choose one of the following platforms for Wi-Fi settings:
Android
Android for Work
iOS
macOS
Windows 8.1 and later (import a profile)
8. From the Profile type drop-down list, choose Wi-Fi basic or Wi-Fi enterprise.

TIP
Use Wi-Fi basic to supply basic features like the network name and the SSID. Wi-Fi enterprise lets you supply more
advanced information like the Extensible Authentication Protocol (EAP) if your Wi-Fi network uses this. Wi-Fi import
(for Windows 8.1 and Windows 10) lets you import Wi-Fi settings as an XML file that you previously exported from a
different device.

9. Depending on the platform you chose, the settings you can configure will be different. Go to one of the
following topics for detailed settings for each platform:
Android and Android for Work settings
iOS settings
macOS settings
Windows Phone 8.1 settings
10. When you're done, go back to the Create Profile blade, and hit Create.
The profile will be created and appears on the profiles list blade. If you want to go ahead and assign this profile to
groups, see How to assign device profiles.
Wi-Fi settings for Android and Android for Work
devices in Microsoft Intune
6/19/2017 2 min to read

Wi-Fi settings for basic and enterprise profiles


The following Wi-Fi settings are available for both Android and Android for Work devices:
Network name - Enter a name for this Wi-Fi connection. This is the name that users will see when they browse
the list of available connections on their device.
SSID - Short for service set identifier. This is the real name of the wireless network that devices will connect to.
However, users only see the network name you created above when they choose the connection.
Connect automatically - Makes the device connect whenever it is in the range of this network.
Hidden network - Prevents this network from being shown in the list of available networks on the device.

Wi-Fi settings for enterprise profiles only


EAP type - Choose the Extensible Authentication Protocol (EAP) type used to authenticate secured wireless
connections from:
EAP-TLS
EAP-TTLS
PEAP
Further options when you choose an EAP type

Server Trust

Certificate server names - Specify one or more common names used in the certificates issued by your trusted
certificate authority (CA). If you provide this information, the device can validate the server certificate against
these names and bypass the dynamic trust dialog that is otherwise displayed on end users' devices when they
connect to this Wi-Fi network. Use when: EAP type is EAP-TLS or EAP-TTLS.
Root certificate for server validation - Choose the trusted root certificate profile used to authenticate the
connection. Use when: EAP type is EAP-TLS, EAP-TTLS, or PEAP.
Identity privacy (outer identity) - Specify the text sent in response to an EAP identity request. This text can
be any value. During authentication, this anonymous identity is sent first, and the real identity follows inside
the secure tunnel. Use when: EAP type is PEAP.

Client Authentication

Client certificate for client authentication (Identity certificate) - Choose the SCEP or PKCS certificate
profile used to authenticate the connection. Use when: EAP type is EAP-TLS.
Authentication method - Select the authentication method for the connection. Use when: EAP type is EAP-TTLS or
PEAP. Choose from:
Certificates - Select the SCEP or PKCS certificate profile for the client certificate that is the identity
certificate presented to the server.
Username and Password - Use a password-based method instead. If you select Username and Password, also
configure:
Non-EAP method (inner identity) - Select how the connection will authenticate inside the tunnel from:
None
Unencrypted password (PAP)
Challenge Handshake Authentication Protocol (CHAP)
Microsoft CHAP (MS-CHAP)
Microsoft CHAP Version 2 (MS-CHAP v2)
The available options depend on the EAP type you selected.
Identity privacy (outer identity) - Specify the text sent in response to an EAP identity request. This text can
be any value. During authentication, this anonymous identity is sent first, and the real identity follows inside
the secure tunnel.
Wi-Fi settings for iOS devices in Microsoft Intune
6/19/2017 3 min to read

Wi-Fi settings for basic and enterprise profiles


Network name - Enter a name for this Wi-Fi connection. This is the name that users will see when they browse
the list of available connections on their device.
SSID - Short for service set identifier. This is the real name of the wireless network that devices will connect to.
However, users only see the network name you created above when they choose the connection.
Connect automatically - Makes the device connect whenever it is in the range of this network.
Hidden network - Prevents this network from being shown in the list of available networks on the device.
Proxy settings - Choose from:
None - No proxy settings will be configured.
Manual - Enter the Proxy server address (as an IP address) and its associated Port number.
Automatic - Use a proxy auto-configuration file to set up the proxy. Enter the URL from which the device
retrieves the configuration file (for example http://proxy.contoso.com).

Wi-Fi settings for basic profiles only


Security type - Select the security protocol to use to authenticate to the Wi-Fi network from:
Open (no authentication) - Only use this option if the network is unsecured.
WPA/WPA2 - Personal
WEP

Wi-Fi settings for enterprise profiles only


EAP type - Choose the Extensible Authentication Protocol (EAP) type used to authenticate secured wireless
connections from:
EAP-FAST
EAP-SIM
EAP-TLS
EAP-TTLS
LEAP
PEAP
Further options when you choose an EAP type

Protected Access Credential (PAC) Settings - Select to use protected access credentials to establish an
authenticated tunnel between the client and the authentication server. Use when: EAP type is EAP-FAST. Select
one of:
Use PAC - Use an existing PAC file if one is present.
Use and Provision PAC - Provision the PAC file to your devices.
Use and Provision PAC Anonymously - Provision the PAC file to your devices without authenticating the
server. Because the server is not verified during anonymous provisioning, a rogue access point advertising the same
SSID can hand the device its own PAC; prefer one of the authenticated options where your infrastructure supports it.

Server Trust

Certificate server names - Specify one or more common names used in the certificates issued by your trusted
certificate authority (CA). If you provide this information, the device can validate the server certificate against
these names and bypass the dynamic trust dialog that is otherwise displayed on end users' devices when they
connect to this Wi-Fi network. Use when: EAP type is EAP-TLS, EAP-TTLS, or PEAP.
Root certificate for server validation - Choose the trusted root certificate profile used to authenticate the
connection. Use when: EAP type is EAP-TLS, EAP-TTLS, or PEAP.
Identity privacy (outer identity) - Specify the text sent in response to an EAP identity request. This text can
be any value. During authentication, this anonymous identity is sent first, and the real identity follows inside
the secure tunnel. Use when: EAP type is PEAP.

Client Authentication

Client certificate for client authentication (Identity certificate) - Choose the SCEP or PKCS certificate
profile used to authenticate the connection. Use when: EAP type is EAP-TLS.
Authentication method - Select the authentication method for the connection. Use when: EAP type is EAP-TTLS or
PEAP. Choose from:
Certificates - Select the SCEP or PKCS certificate profile for the client certificate that is the identity
certificate presented to the server.
Username and Password - Use a password-based method instead. If you select Username and Password, also
configure:
Non-EAP method (inner identity) - Select how the connection will authenticate inside the tunnel from:
None
Unencrypted password (PAP)
Challenge Handshake Authentication Protocol (CHAP)
Microsoft CHAP (MS-CHAP)
Microsoft CHAP Version 2 (MS-CHAP v2)
The available options depend on the EAP type you selected.
Identity privacy (outer identity) - Specify the text sent in response to an EAP identity request. This text can
be any value. During authentication, this anonymous identity is sent first, and the real identity follows inside
the secure tunnel.
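The "Identity privacy (outer identity)" setting described for Android and iOS above exists because the first EAP exchange happens before any TLS tunnel is up, so whatever the device answers to the identity request is readable by anyone within radio range. The following is an added example, not Intune code: it builds and parses EAP-Response/Identity frames in the RFC 3748 layout (Code, Identifier, Length, Type, Type-Data) to show what a passive observer sees with and without an anonymous outer identity, and why the realm after the @ still has to be visible. The identities and realm are made up.

```python
"""Show what the 'Identity privacy (outer identity)' setting hides on the air.

Added example, not Intune code. Builds/parses EAP-Response/Identity frames
(RFC 3748 section 5.1) as seen by a sniffer before the PEAP/EAP-TTLS tunnel
exists. The identities and realm below are made up.
"""
import struct

EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
_HEADER = struct.Struct("!BBHB")   # code, identifier, length (whole frame), type


def build_identity_response(identifier: int, identity: str) -> bytes:
    """EAP-Response/Identity carrying the given NAI (user@realm) in clear text."""
    data = identity.encode("utf-8")
    length = _HEADER.size + len(data)
    return _HEADER.pack(EAP_RESPONSE, identifier, length, EAP_TYPE_IDENTITY) + data


def parse_identity_response(frame: bytes) -> dict:
    """Parse and validate an EAP-Response/Identity; raise ValueError otherwise."""
    if len(frame) < _HEADER.size:
        raise ValueError("frame shorter than EAP header")
    code, identifier, length, eap_type = _HEADER.unpack_from(frame)
    if length != len(frame):
        raise ValueError(f"length field {length} does not match {len(frame)} bytes")
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    return {"identifier": identifier, "identity": frame[_HEADER.size:].decode("utf-8")}


def realm_of(identity: str) -> str:
    """The part after '@' stays visible on purpose: RADIUS proxies route on it."""
    return identity.rsplit("@", 1)[1] if "@" in identity else ""


def observed_identity(frame: bytes) -> str:
    """What a sniffer learns from the unencrypted identity exchange."""
    return parse_identity_response(frame)["identity"]


def leaks_username(frame: bytes, real_identity: str) -> bool:
    """True if the user part of the real identity is visible on the air."""
    return observed_identity(frame).split("@", 1)[0] == real_identity.split("@", 1)[0]


# Constructed exchange: the same user, without and with identity privacy.
REAL_IDENTITY = "alice@contoso.com"
OUTER_IDENTITY = "anonymous@contoso.com"     # value configured as the outer identity

FRAME_NO_PRIVACY = build_identity_response(1, REAL_IDENTITY)
FRAME_WITH_PRIVACY = build_identity_response(1, OUTER_IDENTITY)
# With privacy on, REAL_IDENTITY is sent only as the inner identity inside the TLS tunnel.

if __name__ == "__main__":
    print(FRAME_NO_PRIVACY.hex(), "->", observed_identity(FRAME_NO_PRIVACY))
    print(FRAME_WITH_PRIVACY.hex(), "->", observed_identity(FRAME_WITH_PRIVACY))
```

The anonymous value is not a secret and any string works, as the page says; the only part that must be right is the realm, because the authentication server may route the request on it before the tunnel is established.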
Wi-Fi settings for macOS devices in Microsoft Intune
6/19/2017 3 min to read

Wi-Fi settings for basic and enterprise profiles


Network name - Enter a name for this Wi-Fi connection. This is the name that users will see when they browse
the list of available connections on their device.
SSID - Short for service set identifier. This is the real name of the wireless network that devices will connect to.
However, users only see the network name you created above when they choose the connection.
Connect automatically - Makes the device connect whenever it is in the range of this network.
Hidden network - Prevents this network from being shown in the list of available networks on the device.
Proxy settings - Choose from:
None - No proxy settings will be configured.
Manual - Enter the Proxy server address (as an IP address), and its associated Port number.
Automatic - Use a file to configure the proxy server. Enter the Proxy server URL (for example
http://proxy.contoso.com) which contains the configuration file.

Wi-Fi settings for basic profiles only


Security type - Select the security protocol to use to authenticate to the Wi-Fi network from:
Open (no authentication) - Only use this option if the network is unsecured.
WPA/WPA2 - Personal
WEP

Wi-Fi settings for enterprise profiles only


EAP type - Choose the Extensible Authentication Protocol (EAP) type used to authenticate secured wireless
connections from:
EAP-FAST
EAP-SIM
EAP-TLS
EAP-TTLS
LEAP
PEAP
Further options when you choose an EAP type

Protected Access Credential (PAC) Settings - Select to use protected access credentials to establish an
authenticated tunnel between the client and the authentication server. Select one of:
- Use PAC - An existing PAC file is used if present.
- Use and Provision PAC - Provision the PAC file to your devices.
- Use and Provision PAC Anonymously - Provision the PAC file to your devices and ensure that the PAC file is
provisioned without authenticating the server.
Use when: EAP type is EAP-FAST.

Server Trust

Certificate server names - Specify one or more common names used in the certificates issued by your trusted
certificate authority (CA). If you provide this information, you can bypass the dynamic trust dialog that is
displayed on end users' devices when they connect to this Wi-Fi network. Use when: EAP type is EAP-TLS,
EAP-TTLS, or PEAP.

Root certificate for server validation - Choose the trusted root certificate profile used to authenticate the
connection. Use when: EAP type is EAP-TLS, EAP-TTLS, or PEAP.

Identity privacy (outer identity) - Specify the text sent in response to an EAP identity request. This text can
be any value. During authentication, this anonymous identity is initially sent, and then followed by the real
identification sent in a secure tunnel. Use when: EAP type is PEAP.

Client Authentication

Client certificate for client authentication (Identity certificate) - Choose the SCEP or PKCS certificate
profile used to authenticate the connection. Use when: EAP type is EAP-TLS.

Authentication method - Select the authentication method for the connection:
- Certificates - Select the SCEP or PKCS client certificate that is the identity certificate presented to the
server.
- Username and Password - Specify a different method for authentication.
If you selected Username and Password, configure:
- Non-EAP method (inner identity) - Select how you will authenticate the connection from: None; Unencrypted
password (PAP); Challenge Handshake Authentication Protocol (CHAP); Microsoft CHAP (MS-CHAP); Microsoft CHAP
Version 2 (MS-CHAP v2). The available options depend on the EAP type you selected.
- Identity privacy (outer identity) - Specify the text sent in response to an EAP identity request. This text
can be any value. During authentication, this anonymous identity is initially sent, and then followed by the
real identification sent in a secure tunnel.
Use when: EAP type is EAP-TTLS or PEAP.
How to import Wi-Fi settings for Windows 8.1 and
later devices in Microsoft Intune
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

For devices that run Windows 8.1 or Windows 10 desktop or mobile, you can import a Wi-Fi configuration profile
that was previously exported to a file.

Export Wi-Fi settings from a Windows device


In Windows, use the netsh wlan utility to export an existing Wi-Fi profile to an XML file readable by Intune. On a
Windows computer that already has the required Wi-Fi profile installed, follow this procedure.
1. Create a local folder for the exported Wi-Fi profiles, such as c:\WiFi.
2. Open a Command Prompt as an administrator.
3. Run the command netsh wlan show profiles, and note the name of the profile you'd like to export. In this
example, the profile name is WiFiName.
4. Run this command: netsh wlan export profile name="ProfileName" folder=c:\Wifi, replacing ProfileName with the
name you noted in step 3. This creates a Wi-Fi profile file named Wi-Fi-WiFiName.xml in your target folder.

Import the Wi-Fi settings into Intune


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the profiles blade, click Create Profile.
6. On the Create Profile blade, enter a Name and Description for the Wi-Fi import profile.
7. From the Platform drop-down list, choose Windows 8.1 and later.
8. From the Profile type drop-down list, choose Wi-Fi import.
9. On the Wi-Fi Basic blade, configure the following:
Connection name - Enter the name of the Wi-Fi connection. This name will be displayed to end users
when they browse available Wi-Fi networks.
Profile XML - Click the browse button to select the XML file containing the Wi-Fi profile settings that you
want to import into Intune.
File contents - Displays the XML code for the configuration profile you selected.
10. When you're done, go back to the Create Profile blade, and hit Create.
The profile will be created and appears on the profiles list blade.
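Before importing an exported profile, it is worth checking what it actually contains. The following is an added example, not part of the Intune documentation: it parses a constructed sample in the shape netsh wlan export profile writes, flags open or WEP networks, and, for PEAP, reports the server-trust elements that correspond to the Certificate server names and Root certificate for server validation settings described in the Wi-Fi profile sections above. The namespace URIs and element names are the real Windows WLAN profile schema names; SAMPLE_PROFILE itself is constructed.

```python
# Added example (not from the Intune documentation): audit an exported Windows
# WLAN profile before importing it into Intune. SAMPLE_PROFILE is a constructed
# file in the shape "netsh wlan export profile" writes; namespace URIs and
# element names are the real ones from the Windows WLAN profile schema.
import xml.etree.ElementTree as ET

NS = {
    "p": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "ox": "http://www.microsoft.com/networking/OneX/v1",
    "eh": "http://www.microsoft.com/provisioning/EapHostConfig",
    "ec": "http://www.microsoft.com/provisioning/EapCommon",
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
}

# IANA EAP method numbers as they appear in <EapMethod><Type>.
EAP_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>WiFiName</name>
  <SSIDConfig><SSID><name>WiFiName</name></SSID><nonBroadcast>false</nonBroadcast></SSIDConfig>
  <connectionType>ESS</connectionType><connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption>
      <useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
        <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation>
              <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
              <ServerNames></ServerNames>
            </ServerValidation>
          </EapType>
        </Eap></Config>
      </EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>
"""


def _text(node, path):
    """Text of the first element at a namespaced path below node, or ''."""
    found = node.find(path, NS)
    return (found.text or "").strip() if found is not None else ""


def audit_wlan_profile(xml_text):
    """Summarise one WLAN profile and return (summary, findings).

    Each finding starts with a stable code (e.g. NO_SERVER_NAMES) and a colon.
    """
    root = ET.fromstring(xml_text)
    sec = root.find("p:MSM/p:security", NS)
    if sec is None:
        raise ValueError("not a WLAN profile: MSM/security element missing")
    summary = {
        "name": _text(root, "p:name"),
        "ssid": _text(root, "p:SSIDConfig/p:SSID/p:name"),
        "hidden": _text(root, "p:SSIDConfig/p:nonBroadcast") == "true",
        "authentication": _text(sec, "p:authEncryption/p:authentication"),
        "encryption": _text(sec, "p:authEncryption/p:encryption"),
        "eap": None,
    }
    findings = []
    if summary["authentication"].lower() == "open":
        findings.append("OPEN_NETWORK: no authentication; only acceptable on an "
                        "intentionally unsecured network")
    if summary["encryption"].upper() == "WEP":
        findings.append("WEP: obsolete encryption; prefer WPA2 or an enterprise profile")

    eap_type = _text(sec, "ox:OneX/ox:EAPConfig/eh:EapHostConfig/eh:EapMethod/ec:Type")
    if eap_type:
        summary["eap"] = EAP_TYPES.get(int(eap_type), "EAP type " + eap_type)
        # PEAP server trust (EAP-TLS keeps the same data in another namespace).
        # These elements are what the Intune "Certificate server names" and
        # "Root certificate for server validation" settings control.
        sv = root.find(".//peap:ServerValidation", NS)
        if sv is not None:
            if not _text(sv, "peap:ServerNames"):
                findings.append("NO_SERVER_NAMES: PEAP accepts any server name on "
                                "the authentication server's certificate")
            if sv.find("peap:TrustedRootCA", NS) is None:
                findings.append("NO_TRUSTED_ROOT: PEAP does not pin a trusted root CA")
            if _text(sv, "peap:DisableUserPromptForServerValidation") != "true":
                findings.append("USER_PROMPT: users will see the dynamic trust dialog "
                                "and can accept an unexpected server")
    return summary, findings


if __name__ == "__main__":
    result, issues = audit_wlan_profile(SAMPLE_PROFILE)
    print(result, *issues, sep="\n")
```

Run it against the Wi-Fi-WiFiName.xml file produced in step 4 by reading the file into audit_wlan_profile; a profile that reports NO_SERVER_NAMES or NO_TRUSTED_ROOT is one whose Intune equivalent should get the Server Trust settings filled in.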
How to configure Windows 10 edition upgrades in
Microsoft Intune
6/19/2017 2 min to read

APPLIES TO: INTUNE ON AZURE

Use the information in this topic to learn how to configure a Windows 10 edition upgrade profile. This profile lets
you automatically upgrade devices that run one of the following Windows 10 versions to a different edition:
Windows 10 Home
Windows 10 Holographic
Windows 10 Mobile
The following upgrade paths are supported:
From Windows 10 Pro to Windows 10 Enterprise
From Windows 10 Home to Windows 10 Education
From Windows 10 Mobile to Windows 10 Mobile Enterprise
From Windows 10 Holographic Pro to Windows 10 Holographic Enterprise

Before you start


Before you begin to upgrade devices to the latest version, you will need one of the following:
A product key that is valid to install the new version of Windows on all devices that you target with the policy
(for Windows 10 Desktop editions). You can use either Multiple Activation Keys (MAK) or Key Management
Server (KMS) keys.
or
A license file from Microsoft that contains the licensing information to install the new version of Windows on
all devices that you target with the policy (for Windows 10 Mobile and Windows 10 Holographic editions).
The Windows 10 devices that you target must be enrolled in Microsoft Intune. You cannot use the edition
upgrade policy with PCs that run the Intune PC client software.

Create a device profile containing edition upgrade settings


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the profiles blade, choose Create Profile.
6. On the Create Profile blade, enter a Name and Description for the edition upgrade profile.
7. From the Platform drop-down list, choose Windows 10 and later.
8. From the Profile type drop-down list, choose Edition upgrade.
9. On the Edition Upgrade blade, configure the following:
Edition to upgrade from - From the drop-down list, select the Windows 10 version that you want to
upgrade on devices.
Edition to upgrade to - From the drop-down list, select the version of Windows 10 Desktop, Windows
10 Holographic, or Windows 10 Mobile that you want to upgrade targeted devices to.
Product Key - Specify the product key that you obtained from Microsoft, which can be used to upgrade
all targeted Windows 10 Desktop devices.
After you create a policy that contains a product key, you cannot edit the product key later, because
the key is obscured for security reasons. To change the product key, you must enter the entire key
again.
License File - Choose Browse to select the license file you obtained from Microsoft that contains license
information for the Windows Holographic, or Windows 10 Mobile edition that you want to upgrade
targeted devices to.
10. When you're done, go back to the Create Profile blade, and hit Create.
The profile will be created and appears on the profiles list blade. If you want to go ahead and assign this profile to
groups, see How to assign device profiles.
Endpoint protection settings for Windows 10 and
later in Microsoft Intune
6/29/2017 5 min to read

APPLIES TO: INTUNE ON AZURE

The endpoint protection profile lets you control security features on Windows 10 devices, like BitLocker.
Use the information in this topic to learn how to create endpoint protection profiles.

Create an endpoint protection profile


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the profiles blade, choose Create Profile.
6. On the Create Profile blade, enter a Name and Description for the endpoint protection profile.
7. From the Platform drop-down list, select Windows 10 and later.
8. From the Profile type drop-down list, choose Endpoint protection.
9. On the Windows encryption blade, configure the settings you want. Use the details in this topic to help you
understand what each setting does. When you are finished, choose OK.
10. Go back to the Create Profile blade, and choose Create.
The profile is created and appears on the profiles list blade.

Endpoint protection profile settings reference


Windows Settings
Require devices to be encrypted (Desktop only) - If enabled, users are prompted to enable device
encryption. Additionally, they are asked to confirm that encryption from another provider has not been enabled.
If Windows encryption is turned on while another encryption method is active, the device might become
unstable.
Require Storage Card to be encrypted (mobile only) - Enable this setting to encrypt any removable storage
cards used by the device.
BitLocker base settings
Configure encryption methods - Enable this setting to configure encryption algorithms for operating system,
data, and removable drives.
Encryption for operating system drives - Choose the encryption method for operating system drives.
We recommend you use the XTS-AES algorithm.
Encryption for fixed data-drives - Choose the encryption method for fixed (built-in) data drives. We
recommend you use the XTS-AES algorithm.
Encryption for removable data-drives - Choose the encryption method for removable data drives. If
the removable drive is used with devices that are not running Windows 10, we recommend you use the
AES-CBC algorithm.
BitLocker OS drive settings
Require additional authentication at startup -
Block BitLocker on devices without a compatible TPM chip -
TPM startup - Configure whether the TPM chip is allowed, not allowed, or required.
TPM startup PIN - Configure whether using a startup PIN with the TPM chip is allowed, not allowed, or
required.
TPM startup key - Configure whether using a startup key with the TPM chip is allowed, not allowed, or
required.
TPM startup key and PIN - Configure whether using a startup key and PIN with the TPM chip is
allowed, not allowed, or required.
Minimum PIN Length - Enable this setting to configure a minimum length for the TPM startup PIN.
Minimum characters - Enter the number of characters required for the startup PIN, from 4 to 20.
Enable OS drive recovery - Enable this setting to control how BitLocker-protected operating system drives are
recovered when the required start-up information is not available.
Allow certificate-based data recovery agent - Enable this setting if you want data recovery agents to
be able to be used with BitLocker-protected operating system drives.
User creation of recovery password - Configure whether users are allowed, required, or not allowed
to generate a 48-digit recovery password.
User creation of recovery key - Configure whether users are allowed, required, or not allowed to
generate a 256-bit recovery key.
Hide recovery options in the BitLocker setup wizard - Enable this setting to prevent users from
seeing, or changing recovery options when they turn on BitLocker.
Save BitLocker recovery information to AD DS - Enables the storage of BitLocker recovery
information in Active Directory.
Configure storage of BitLocker recovery Information to AD DS - Configure what parts of BitLocker
recovery information are stored in Active Directory. Choose from:
Backup recovery passwords and key packages
Backup recovery passwords only
Require recovery information to be stored in AD DS before enabling BitLocker - Enable this
setting to stop users from turning on BitLocker unless the device is domain-joined, and BitLocker
recovery information is successfully stored in Active Directory.
Enable pre-boot recovery message and URL - Enable this setting to configure the message and URL that are
displayed on the pre-boot key recovery screen.
Pre-boot recovery message - Configure how the pre-boot recovery message displays to users. Choose
from:
Use default recovery message and URL
Use empty recovery message and URL
Use custom recovery message
Use custom recovery URL
BitLocker fixed data-drive settings
Deny write access to fixed data-drive not protected by BitLocker - If enabled, BitLocker protection must
be enabled on all fixed, or built-in data drives to be able to write to them.
Enable fixed drive recovery - Enable this setting to control how BitLocker-protected fixed drives are
recovered when the required start-up information is not available.
Allow data recovery agent - Enable this setting if you want data recovery agents to be used with
BitLocker-protected fixed drives.
User creation of recovery password - Configure whether users are allowed, required, or not allowed
to generate a 48-digit recovery password.
User creation of recovery key - Configure whether users are allowed, required, or not allowed to
generate a 256-bit recovery key.
Hide recovery options in the BitLocker setup wizard - Enable this setting to prevent users from
seeing, or changing recovery options when they turn on BitLocker.
Save BitLocker recovery information to AD DS - Enables the storage of BitLocker recovery
information in Active Directory.
Configure storage of BitLocker recovery Information to AD DS - Configure what parts of BitLocker
recovery information are stored in Active Directory. Choose from:
Backup recovery passwords and key packages
Backup recovery passwords only
Require recovery information to be stored in AD DS before enabling BitLocker - Enable this
setting to stop users from turning on BitLocker unless the device is domain-joined, and BitLocker
recovery information has been successfully stored in Active Directory.
BitLocker removable data-drive settings
Deny write access to removable data-drive not protected by BitLocker - Specify whether BitLocker
encryption is required for removable storage drives.
Block write access to devices configured in another organization - Specify whether removable
data drives that belong to another organization can be written to.
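An added example, not part of the Intune documentation: a format check for the 48-digit recovery password that the User creation of recovery password settings above refer to, for a help desk to run before relying on a password read back by a user or retrieved from the AD DS escrow. The group rule it checks (eight groups of six digits, each divisible by 11 and below 65536 * 11) is documented BitLocker behaviour; SAMPLE_PASSWORD is constructed.

```python
# Added example (not from the Intune documentation): structural check of a
# 48-digit BitLocker recovery password. The rule (8 groups of 6 digits, each
# divisible by 11 and below 65536 * 11) is documented BitLocker behaviour;
# SAMPLE_PASSWORD is a constructed value that satisfies it.
import re

GROUP_COUNT = 8
GROUP_LIMIT = 65536 * 11  # each group is a 16-bit value multiplied by 11
SEPARATORS = re.compile(r"[-\s]+")

SAMPLE_PASSWORD = "135795-597531-000011-720885-440000-022220-366663-000077"


def validate_recovery_password(text):
    """Return (ok, reason). Groups may be separated by '-' or whitespace."""
    groups = SEPARATORS.split(text.strip())
    if len(groups) != GROUP_COUNT:
        return False, f"expected {GROUP_COUNT} groups, got {len(groups)}"
    for index, group in enumerate(groups, start=1):
        if not re.fullmatch(r"\d{6}", group):
            return False, f"group {index} must be exactly six digits"
        value = int(group)
        if value % 11 != 0:
            # The sixth digit acts as a check digit: since 10 == -1 (mod 11),
            # a single wrong digit always breaks divisibility by 11.
            return False, f"group {index} fails its check digit"
        if value >= GROUP_LIMIT:
            return False, f"group {index} is out of range"
    return True, "format is valid"


def recovery_password_words(text):
    """Decode a valid password into the eight 16-bit values it carries."""
    ok, reason = validate_recovery_password(text)
    if not ok:
        raise ValueError(reason)
    return [int(group) // 11 for group in SEPARATORS.split(text.strip())]


if __name__ == "__main__":
    print(validate_recovery_password(SAMPLE_PASSWORD))
    print(recovery_password_words(SAMPLE_PASSWORD))
```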

Next steps
If you want to go ahead and assign this profile to groups, see How to assign device profiles.
How to configure Windows 10 education settings in
Microsoft Intune
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

Education profiles let you specify details that configure the Windows Take a Test app including account details, and
the test URL. When you configure this, the Take a Test app opens with the test you specify, and no other apps can
be run on the device until the test is complete.
Use the information in this topic to learn the basics about configuring education profiles, and then read
further topics for each platform to learn about device specifics.

Create a device profile containing education profile settings


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the profiles blade, choose Create Profile.
6. On the Create Profile blade, enter a Name and Description for the education profile.
7. From the Platform drop-down list, select Windows 10 and later.
8. From the Profile type drop-down list, choose Education profile.
9. Choose Settings > Configure, then, on the Take a Test blade, configure the following:
Account user name - Enter the user name of the account used with Take a Test. This can be a domain
account, an Azure Active Directory (AAD) account, or a local computer account.
Assessment URL - Provide the URL of the test you want users to take. For more information, see the
Take a Test documentation.
Screen monitoring - Specify whether you want to be able to monitor screen activity while users are
taking a test.
Text suggestion - Allow or block text suggestions while users are taking a test.
10. When you're done, go back to the Create Profile blade, and hit Create.
The profile will be created and appears on the profiles list blade. If you want to go ahead and assign this profile to
groups, see How to assign device profiles.
How to configure Intune settings for the iOS
Classroom app
6/29/2017 5 min to read

APPLIES TO: INTUNE ON AZURE

Introduction
Classroom is an app that helps teachers to guide learning, and control student devices in the classroom. For
example, using the app, a teacher can:
Open apps on student devices
Lock, and unlock the iPad screen
View the screen of a student iPad
Navigate students' iPads to a bookmark, or chapter in a book
Display the screen from a student iPad on an Apple TV
Use the Intune iOS Education device profile, and the information in this topic to help you set up the Classroom
app, and the devices on which you use it.

Before you start


Consider the following before you begin to configure these settings:
Both teacher and student iPads must be enrolled in Intune
Ensure that you have installed the Apple Classroom app on the teacher's device. You can either install the app
manually, or use Intune app management.
You must configure certificates to authenticate connections between teacher and student devices (see Step 2)
Teacher and student iPads must be on the same Wi-Fi network, and also have Bluetooth enabled
The Classroom app runs on supervised iPads running iOS 9.3 or later
In this release, Intune supports managing a 1:1 scenario where each student has their own dedicated iPad

Step 1 - Import your school data into Azure Active Directory


Use Microsoft's School Data Sync (SDS) to import school records from an existing Student Information System
(SIS) to Azure Active Directory (Azure AD). SDS synchronizes information from your SIS and stores it in Azure AD.
Azure AD is a Microsoft management system that helps you organize users and devices. You can then use this data
to help you manage your students and classes. Learn more about how to deploy SDS.
How to import data using SDS
You can import information into SDS by using one of the following methods:
CSV files - Manually export and compile comma-separated value (.csv) files
PowerSchool API - An SIS provider that simplifies syncing with Azure AD
Clever API - An identity management solution that syncs directly with Azure AD
OneRoster - A CSV format that you can export and convert to sync with Azure AD
Find out more
Find out more about the full experience of syncing on-premises school data to Azure AD
Find out more about Microsoft School Data Sync
Find out more about licensing in Azure Active Directory

Step 2 - Create and assign an iOS Education profile in Intune


Configure general settings
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Configure devices.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the profiles blade, choose Create Profile.
6. On the Create Profile blade, enter a Name and Description for the iOS education profile.
7. From the Platform drop-down list, choose iOS.
8. From the Profile type drop-down list, choose Education.
9. Choose Settings > Configure.
Next, you need certificates to establish a trust relationship between teacher and student iPads. Certificates are used
to seamlessly and silently authenticate connections between devices without having to enter user names and
passwords.

IMPORTANT
The teacher and student certificates you use must be issued by different certification authorities (CAs). You must create two
new subordinate CAs connected to your existing certificate infrastructure; one for teachers, and one for students.

iOS education profiles support only PFX certificates. SCEP certificates are not supported.
Certificates you create must support server authentication in addition to user authentication.
Configure teacher certificates
On the Education blade, choose Teacher certificates.
Configure teacher root certificate
Under Teacher root certificate, choose the browse button to select the teacher root certificate with the extension
.cer (DER, or Base64 encoded), or .P7B (with or without full chain).
Configure teacher PKCS#12 certificate
Under Teacher PKCS#12 certificate, configure the following values:
Subject name format - Intune automatically prefixes the certificate common name with leader, for the
teacher certificate, and member, for the student certificate.
Certification authority - An Enterprise Certification Authority (CA) that runs on an Enterprise edition of
Windows Server 2008 R2 or later. A Standalone CA is not supported.
Certification authority name - Enter the name of your certification authority.
Certificate template name - Enter the name of a certificate template that has been added to an issuing CA.
Renewal threshold (%) - Specify the percentage of the certificate lifetime that remains before the device
requests renewal of the certificate.
Certificate validity period - Specify the amount of remaining time before the certificate expires. You can
specify a value that is lower than the validity period in the specified certificate template, but not higher. For
example, if the certificate validity period in the certificate template is two years, you can specify a value of one
year but not a value of five years. The value must also be lower than the remaining validity period of the issuing
CA certificate.
When you have finished configuring certificates, choose OK.
Configure student certificates
1. On the Education blade, choose Student certificates.
2. On the Student certificates blade, from the Student device certificates type list, choose 1:1.
Configure student root certificate
Under Student root certificate, choose the browse button to select the student root certificate with the extension
.cer (DER, or Base64 encoded), or .P7B (with or without full chain).
Configure student PKCS#12 certificate
Under Student PKCS#12 certificate, configure the following values:
Subject name format - Intune automatically prefixes the certificate common name with leader, for the
teacher certificate, and member, for the student certificate.
Certification authority - An Enterprise Certification Authority (CA) that runs on an Enterprise edition of
Windows Server 2008 R2 or later. A Standalone CA is not supported.
Certification authority name - Enter the name of your certification authority.
Certificate template name - Enter the name of a certificate template that has been added to an issuing CA.
Renewal threshold (%) - Specify the percentage of the certificate lifetime that remains before the device
requests renewal of the certificate.
Certificate validity period - Specify the amount of remaining time before the certificate expires. You can
specify a value that is lower than the validity period in the specified certificate template, but not higher. For
example, if the certificate validity period in the certificate template is two years, you can specify a value of one
year but not a value of five years. The value must also be lower than the remaining validity period of the issuing
CA certificate.
When you are finished configuring certificates, choose OK.

Finish up
1. On the Education blade, choose OK.
2. On the Create Profile blade, choose Create.
The profile is created and appears on the profiles list blade.
Assign the profile to student devices in the classroom groups that were created when you synchronized your
school data with Azure AD (see How to assign device profiles).

Next steps
Now, when a teacher uses the Classroom app, they will have full control over student devices.
For more information about the Classroom app, see Classroom help, on the Apple web site.
If you want to configure shared iPad devices for students, see How to configure Intune education settings for
shared iPad devices.
How to configure Intune education settings for
shared iPad devices
6/29/2017 8 min to read

APPLIES TO: INTUNE ON AZURE

Introduction
Intune supports the iOS Classroom app that helps teachers to guide learning, and control student devices in the
classroom. In addition to the Classroom app, Apple supports the ability for student iPad devices to be configured
such that multiple students can share a single device. This document guides you to achieve this goal with Intune.
For information about configuring dedicated (1:1) iPad devices to use the Classroom app, see How to configure
Intune settings for the iOS Classroom app.

Before you start


The prerequisites to use the shared iPad capabilities are:
Set up Apple School Manager and School Data Sync (SDS).
As part of Apple School Manager setup, configure Managed Apple IDs for students. Learn more about Managed
Apple IDs.
Create an enrollment profile for the device serial numbers synced from Apple School Manager.

Step 1 - Import your school data into Azure Active Directory


Use Microsoft's School Data Sync (SDS) to import school records from an existing Student Information System
(SIS) to Azure Active Directory (Azure AD). SDS synchronizes information from your SIS and stores it in Azure AD.
Azure AD is a Microsoft management system that helps you organize users and devices. You can then use this data
to help you manage your students and classes. Learn more about how to deploy SDS.
How to import data using SDS
You can import information into SDS by using one of the following methods:
CSV files - Manually export and compile comma-separated value (.csv) files
PowerSchool API - An SIS provider that simplifies syncing with Azure AD
Clever API - An identity management solution that syncs directly with Azure AD
OneRoster - A CSV format that you can export and convert to sync with Azure AD
Find out more
Find out more about the full experience of syncing on-premises school data to Azure AD
Find out more about Microsoft School Data Sync
Find out more about licensing in Azure Active Directory

Step 2 - Create and assign an iOS Education profile in Intune


Configure general settings
1. Sign into the Azure portal.
2. Choose More Services > Other > Intune.
3. On the Intune blade, choose Configure devices.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the profiles blade, choose Create Profile.
6. On the Create Profile blade, enter a Name and Description for the iOS education profile.
7. From the Platform drop-down list, choose iOS.
8. From the Profile type drop-down list, choose Education.
9. Choose Settings > Configure.
Next, you need certificates to establish a trust relationship between teacher and student iPads. Certificates are used
to seamlessly and silently authenticate connections between devices without having to enter user names and
passwords.

IMPORTANT
The teacher and student certificates you use must be issued by different certificate authorities (CAs). You must create two
new subordinate CAs connected to your existing certificate infrastructure; one for teachers, and one for students.

iOS education profiles support only PFX certificates. SCEP certificates are not supported.
Certificates you create must support server authentication in addition to user authentication.
Configure teacher certificates
On the Education blade, choose Teacher certificates.
Configure teacher root certificate
Under Teacher root certificate, choose the browse button to select the teacher root certificate with the extension
.cer (DER, or Base64 encoded), or .P7B (with or without full chain).
Configure teacher PKCS#12 certificate
Under Teacher PKCS#12 certificate, configure the following values:
Subject name format - Intune automatically prefixes the certificate common name with leader, for the teacher
certificate, and member, for the student certificate.
Certification authority - An Enterprise Certification Authority (CA) that runs on an Enterprise edition of
Windows Server 2008 R2 or later. A Standalone CA is not supported.
Certification authority name - Enter the name of your certification authority.
Certificate template name - Enter the name of a certificate template that has been added to an issuing CA.
Renewal threshold (%) - Specify the percentage of the certificate lifetime that remains before the device
requests renewal of the certificate.
Certificate validity period - Specify the amount of remaining time before the certificate expires. You can
specify a value that is lower than the validity period in the specified certificate template, but not higher. For
example, if the certificate validity period in the certificate template is two years, you can specify a value of one
year but not a value of five years. The value must also be lower than the remaining validity period of the issuing
CA certificate.
When you have finished configuring teacher certificates, choose OK.
Configure student certificates
1. On the Education blade, choose Student certificates.
2. On the Student certificates blade, from the Student device certificates type list, choose Shared iPad.
Configure student root certificate
Under Device root certificate, choose the browse button to select the student root certificate with the extension
.cer (DER, or Base64 encoded), or .P7B (with or without full chain).
Configure device PKCS#12 certificate
Under Student PKCS#12 certificate, configure the following values:
Subject name format - Intune automatically prefixes the certificate common name with leader, for the teacher
certificate, and member, for the device certificate.
Certification authority - An Enterprise Certification Authority (CA) that runs on an Enterprise edition of
Windows Server 2008 R2 or later. A Standalone CA is not supported.
Certification authority name - Enter the name of your certification authority.
Certificate template name - Enter the name of a certificate template that has been added to an issuing CA.
Renewal threshold (%) - Specify the percentage of the certificate lifetime that remains before the device
requests renewal of the certificate.
Certificate validity period - Specify the amount of remaining time before the certificate expires. You can
specify a value that is lower than the validity period in the specified certificate template, but not higher. For
example, if the certificate validity period in the certificate template is two years, you can specify a value of one
year but not a value of five years. The value must also be lower than the remaining validity period of the issuing
CA certificate.
When you are finished configuring certificates, choose OK.
Complete Certificate Setup
1. On the Education blade, choose OK.
2. On the Create Profile blade, choose Create.
The profile is created and appears on the profiles list blade.

Step 3 - Create a device category


1. Sign into the Azure portal.
2. Choose More Services > Other > Intune.
3. On the Intune blade, choose Device enrollment.
4. On the Enrollment - Overview blade, choose Device Categories.
5. On the Enrollment - Device Categories blade, choose Create.
6. On the Create device category blade, enter a Name and Description for the category.
7. On the Create device category blade, choose Create.
The device category is created in the Enrollment Device Categories blade.

Step 4 - Create a dynamic group


1. Sign into the Azure portal.
2. Choose More Services > Other > Intune.
3. On the Intune blade, choose Groups.
4. On the Users and Groups All Groups blade, choose New Group.
5. On the Group blade, enter a Name and Description for the group.
6. From the Membership Type drop-down list, choose Dynamic Device.
7. Choose Dynamic device members to create membership rules.
8. On the Dynamic membership rules blade:
   a. Select deviceCategory from the Add devices where drop-down list.
   b. Choose Equals.
   c. Enter the device category you created in the blank text box.
9. On the Dynamic membership rules blade, choose Add query.
10. On the Group blade, choose Create.
The dynamic group is created in the Users and Groups All Groups blade.

Step 5 - Assign a device to a category (Carts)


1. Sign into the Azure portal.
2. Choose More Services > Other > Intune.
3. On the Intune blade, choose Devices.
4. On the Devices blade, choose All devices.
5. On the Devices All devices blade, choose a device.
6. On the device blade, choose Properties.
7. On the devices properties blade, enter the device category in the Device category text box.
8. On the device blade, choose Save.
The device is now associated to the device category. Repeat this process for all the devices you want to associate to
the device category you created.

Step 6 - Create classroom profiles


1. Sign into the Azure portal.
2. Choose More Services > Other > Intune.
3. On the Intune blade, choose Configure devices.
4. On the Device Configuration blade, choose Manage > Cart Profiles.
5. On the profiles blade, choose Create Profile.
6. On the Create Association blade, enter a Name and Description.
7. Choose Select Classes > Configure to associate groups to the Cart Profile.
8. Choose the classes to include to the Cart Profile then choose Select.
9. Choose Select Carts > Configure to associate groups to the Cart Profile.
10. Choose the groups to include to the Cart Profile then choose Select.
11. On the Create Association blade, choose Save to save the Cart Profile.
The profile is created and appears on the profiles list blade.

Step 7 - Assign the Cart Profile to Classes


1. Sign into the Azure portal.
2. Choose More Services > Other > Intune.
3. On the Intune blade, choose Configure devices.
4. On the Device Configuration blade, choose Monitor > Assignment status.
5. On the Assignment status blade, select the Cart Profile you created.
6. On the Cart Profile blade choose Assignments and then, under Include choose Select groups to include.
7. Select the classes you want the cart profile to target (do not select a group), then choose Select.
8. When you are finished, choose Save.
The assignment completes, and Intune deploys the Classroom profile to the targeted devices based on the
classroom assignment.

Next Steps
Now students can share devices: a student can pick up any iPad in a classroom, log in with a PIN, and have it
personalized with their content. For more information about Shared iPads, see the Apple website.
How to configure Windows Update for Business
settings with Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

Introduction
Windows as a Service is the new way of providing updates for Windows 10. Starting with Windows 10, any new
Feature Updates and Quality Updates will contain the contents of all previous updates. This means that as long as
you've installed the latest update, you know that your Windows 10 devices are completely up-to-date. Unlike with
previous versions of Windows, you now must install the entire update instead of part of an update.
By using Windows Update for Business, you can simplify the update management experience so that you don't
need to approve individual updates for groups of devices. You can still manage risk in your environments by
configuring an update rollout strategy, and Windows Update will make sure that updates are installed at the right time.
Microsoft Intune provides the ability to configure update settings on devices and gives you the ability to defer
update installation. Intune doesn't store the updates, but only the update policy assignment. Devices access
Windows Update directly for the updates. Use Intune to configure and manage Windows 10 update rings. An
update ring contains a group of settings that configure when and how Windows 10 updates get installed. For
example, you can configure the following:
Windows 10 Servicing Branch: Choose whether you want groups of devices to receive updates from the
Current Branch or from the Current Branch for Business.
Deferral Settings: Configure update deferral settings to delay update installations for groups of devices. You
will then have a staged update rollout so that you can review progress along the way.
Pausing: Postpone the installation of updates if you discover an issue at any point during the update rollout.
Maintenance window: Configure the hours in which updates can be installed.
Update type: Choose the types of updates that get installed. For example, Quality Updates, Feature Updates, or
drivers.
Installation behavior: This configures how the update gets installed. For example, does the device
automatically restart after the installation?
Peer downloading: You can specify whether to configure peer downloading. If configured, when a device has
finished downloading an update, other devices can download the update from that device. This speeds up the
download process.
After you create update rings, you assign them to groups of devices. By using update rings, you can create an
update strategy that mirrors your business needs. For more information, see Manage updates using Windows
Update for Business.

Before you start


To update Windows 10 PCs, they must be running at least Windows 10 Pro with the Windows Anniversary
update.
Windows Update supports the following Windows 10 versions:
Windows 10
Windows 10 Team (for Surface Hub devices)
Devices running Windows 10 Mobile and Windows 10 Holographic are not supported.
On Windows devices, Feedback & diagnostics > Diagnostic and usage data must be set to at least
Basic.

You can configure this setting manually, or you can use an Intune device restriction profile for Windows 10
and later. To do this, configure the setting General > Diagnostic data submission to at least Basic. For
more information about device profiles, see How to configure device restriction settings.
In the classic Intune administration console, there are four settings that control software updates behavior.
These settings are part of the general configuration policy for Windows 10 desktop and Mobile devices:
Allow automatic updates
Allow pre-release features
Scheduled Install Day
Scheduled Install Time
The classic console also has a limited number of other Windows 10 updates settings in the device
configuration profile. If you have any of these settings configured in the classic Intune administration
console when you migrate to the Azure portal, we strongly recommend that you do the following:
1. Create Windows 10 update rings in the Azure portal with the settings that you need. The Allow pre-release
features setting is not supported in the Azure portal because it is no longer applicable to the latest
Windows 10 builds. You can configure the other three settings, as well as other Windows 10 updates
settings, when you create update rings.

NOTE
Windows 10 updates settings created in the classic console are not displayed in the Azure portal after migration.
However, these settings continue to be applied. If you have migrated any of these settings and edit the migrated
policy from the Azure portal, these settings will be removed from the policy.

2. Delete the update settings in the classic console. After you migrate to the Azure portal and add the same
settings to an update ring, you must delete the settings in the classic portal to avoid any potential policy
conflicts. For example, when the same setting is configured with different values there will be a conflict and
no easy way to know because the setting configured in the classic console does not display in the Azure
portal.

How to create and assign update rings


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Software Updates.
4. On the Software Updates blade, choose Manage > Windows 10 Update Rings.
5. On the blade showing the list of update rings, choose Create.
6. On the Create Update Ring blade, supply a name and optional description for the update ring, and then
choose Settings.
7. On the Settings blade, configure the following information:
Servicing branch: Set the branch for which the device will receive Windows updates (Current Branch or
Current Branch for Business).
Microsoft updates: Choose whether to scan for app updates from Microsoft Update.
Windows drivers: Choose whether to exclude Windows Update drivers during updates.
Automatic update behavior: Choose how to manage automatic update behavior to scan, download,
and install updates. For details, see Update/AllowAutoUpdate.
Quality update deferral period (days) - Specify the number of days for which quality updates will
be deferred. You can defer receiving these Quality Updates for a period of up to 30 days from their
release.
Quality Updates are generally fixes and improvements to existing Windows functionality and are
typically published the first Tuesday of every month, though can be released at any time by
Microsoft. You can define if, and for how long, you would like to defer receiving Quality Updates
following their availability.
Feature update deferral period (days) - Specify the number of days for which Feature Updates
will be deferred. You can defer receiving these Feature Updates for a period of 180 days from their
release.
Feature Updates are generally new features for Windows. After you configure the Servicing branch
setting (CB or CBB), you can then define if, and for how long, you would like to defer receiving
Feature Updates following their availability from Microsoft on Windows Update.
For example:
If the Servicing branch is set to CB and the deferral period is 30 days: Let's say that Feature
Update X is first publicly available on Windows Update as a CB in January. The device will not
receive the update until February - 30 days later.
If the Servicing branch is set to CBB and the deferral period is 30 days: Let's say the Feature
Update X is first publicly available on Windows Update as a CB in January. Four months later, in
April, Feature Update X is released to CBB. The device will receive the Feature Update 30 days
following this CBB release and will update in May.
Delivery optimization - Choose the method for which devices will download Windows updates.
For details, see DeliveryOptimization/DODownloadMode.
8. Once you are done, click OK, and then on the Create Update Ring blade, click Create.
The new update ring is displayed in the list of update rings.
1. To assign the ring, in the list of update rings, select a ring, and then on the <ring name> tab, choose
Assignments.
2. On the next tab, choose Select groups, and then choose the groups to which you want to assign this ring.
3. Once you are done, choose Select to complete the assignment.

Update compliance reporting


You can monitor Windows 10 update rollouts by using a free solution in the Operations Management Suite (OMS)
called Update Compliance. For details, see Monitor Windows Updates with Update Compliance. When you use this
solution, you can deploy a commercial ID to any of your Intune managed Windows 10 devices for which you want
to report update compliance.
In the Intune console, you can use the OMA-URI settings of a custom policy to configure the commercial ID. For
details, see Intune policy settings for Windows 10 devices in Microsoft Intune.
The OMA-URI (case sensitive) path for configuring the commercial ID is:
./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID
For example, you can use the following values in Add or edit OMA-URI Setting:
Setting Name: Windows Analytics Commercial ID
Setting Description: Configuring commercial id for Windows Analytics solutions
Data Type: String
OMA-URI (case sensitive): ./Vendor/MSFT/DMClient/Provider/MS DM Server/CommercialID
Value: <Use the GUID shown on the Windows Telemetry tab in your OMS workspace>

How to pause updates


You can pause a device from receiving Feature Updates or Quality Updates for a period of up to 35 days from the
time you pause the updates. After the maximum days have passed, pause functionality will automatically expire
and the device will scan Windows Updates for applicable updates. Following this scan, you can pause the updates
again.
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Software Updates.
4. On the Software Updates blade, choose Manage > Windows 10 Update Rings.
5. On the blade showing the list of update rings, choose the ring you want to pause, and then choose ... > Pause
Quality or Pause Feature, depending on the type of updates you want to pause.

IMPORTANT
When you issue a pause command, devices receive this command when they next check into the service. It's possible that
before they check in, they might install a scheduled update. Additionally, if a targeted device is turned off when you issue the
pause command, when you turn it on, it might download and install scheduled updates before it checks in with Intune.
How to configure certificates in Microsoft Intune
6/19/2017

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

When you give users access to corporate resources through VPN, Wi-Fi, or email profiles, you can authenticate
these connections by using certificates. These remove the need to enter user names and passwords to
authenticate connections.
You can use Intune to assign these certificates to devices you manage. Intune supports assigning and managing
these certificate types:
Simple Certificate Enrollment Protocol (SCEP)
PKCS#12 (or PFX)
Each of these certificate types has its own prerequisites and infrastructure requirements.

General workflow
1. Ensure you have the right certificate infrastructure in place. You can use SCEP certificates, and PKCS
certificates.
2. Install a root certificate or an intermediate Certification Authority (CA) certificate on each device so that the
device recognizes the legitimacy of your CA. To do this, create and assign a trusted certificate profile.
When you assign this profile, the devices that you manage with Intune will request and receive the root
certificate. You have to create a separate profile for each platform. Trusted certificate profiles are available for
these platforms:
iOS 8.0 and later
macOS 10.9 and later
Android 4.0 and later
Android for Work
Windows 8.1 and later
Windows Phone 8.1 and later
Windows 10 and later
3. Create certificate profiles so that devices request a certificate to be used for authentication of VPN, Wi-Fi,
and email access. You can create and assign a PKCS or a SCEP certificate profile for devices running these
platforms:
iOS 8.0 and later
Android 4.0 and later
Android for Work
Windows 10 (desktop and mobile) and later
You can only use a SCEP certificate profile with these platforms:
macOS 10.9 and later
Windows Phone 8.1 and later
You must create a separate profile for each device platform. When you create the profile, associate it with the
trusted root certificate profile that you've already created.
Further considerations
If you don't have an Enterprise Certification Authority, you must create one.
If you decide, based on your device platforms, to use the Simplified Certificate Enrollment Protocol (SCEP)
profile, you'll also need to configure a Network Device Enrollment Service (NDES) server.
Whether you plan to use SCEP or PKCS profiles, you must download and configure the Microsoft Intune
Certificate Connector.

Step 1- Configure your certificate infrastructure


See one of the following topics for help configuring the infrastructure for each type of certificate profile:
Configure and manage SCEP certificates with Intune
Configure and manage PKCS certificates with Intune

Step 2 - Export your trusted root CA certificate


Export the Trusted Root Certification Authorities (CA) certificate as a .cer file from the issuing CA, or from any
device that trusts your issuing CA. Do not export the private key.
You'll import this certificate when you set up a trusted certificate profile.
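The export and the checks Step 2 calls for, as an added PowerShell example that is not part of the Intune documentation. It assumes a domain-joined machine that already trusts the root, and uses the root CA common name 'Contoso Root CA' and the output path as placeholders.

```powershell
# Added example, not from the Intune documentation: export the trusted root CA
# certificate as a DER-encoded .cer file (no private key) from a machine that
# trusts it, then verify the file before using it in a trusted certificate profile.
# Placeholders: the root CA common name 'Contoso Root CA' and the output path.
$rootCaName = 'Contoso Root CA'            # placeholder: your root CA's CN
$outFile    = 'C:\Temp\ContosoRootCA.cer'  # placeholder

# Find the root in the machine's Trusted Root store; prefer the longest-lived copy.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*CN=$rootCaName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $root) { throw "No certificate with CN '$rootCaName' in Cert:\LocalMachine\Root" }

# -Type CERT writes DER. Export-Certificate never writes a private key; only
# Export-PfxCertificate does, and that is exactly what Step 2 says not to do.
Export-Certificate -Cert $root -FilePath $outFile -Type CERT -Force | Out-Null

# Re-read the file from disk and check it is a usable trusted root.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $outFile
$bc = $exported.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }

[pscustomobject]@{
    File             = $outFile
    Thumbprint       = $exported.Thumbprint
    NoPrivateKey     = -not $exported.HasPrivateKey               # must be True
    SelfSignedRoot   = $exported.Subject -eq $exported.Issuer     # True for a root; False means you exported an issuing/sub CA
    IsCaCertificate  = [bool]($bc -and $bc.CertificateAuthority)  # Basic Constraints cA=TRUE
    NotExpired       = $exported.NotAfter -gt (Get-Date)
    MatchesStoreCopy = $exported.Thumbprint -eq $root.Thumbprint
} | Format-List
```

If SelfSignedRoot is False you have exported the issuing CA's certificate instead of the root; the trusted certificate profile in Step 3 expects the root.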

Step 3: Create trusted certificate profiles


You must create a trusted certificate profile before you can create a SCEP or PKCS certificate profile. You need a
trusted certificate profile and a SCEP or PKCS profile for each device platform. The flow for creating trusted
certificates is similar for each device platform.
To create a trusted certificate profile
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the profiles blade, choose Create Profile.
6. On the Create Profile blade, enter a Name and Description for the trusted certificate profile.
7. From the Platform drop-down list, select the device platform for this trusted certificate. Currently, you can
choose one of the following platforms for certificate settings:
Android
iOS
macOS
Windows Phone 8.1
Windows 8.1 and later
Windows 10 and later
8. From the Profile type drop-down list, choose Trusted certificate.
9. Browse to the certificate you saved in task 1, then click OK.
10. For Windows 8.1 and Windows 10 devices only, select the Destination Store for the trusted certificate from:
Computer certificate store - Root
Computer certificate store - Intermediate
User certificate store - Intermediate
11. When you're done, choose OK, go back to the Create Profile blade, and hit Create.
The profile will be created and appears on the profiles list blade.
If you want to go ahead and assign this profile to groups, see How to assign device profiles.

NOTE
Android devices will display a notice that a third party has installed a trusted certificate.

Step 4: Create SCEP or PKCS certificate profiles


See one of the following topics for help configuring and assigning each type of certificate profile:
Configure and manage SCEP certificates with Intune
Configure and manage PKCS certificates with Intune
After you create a trusted certificate profile, create SCEP or PKCS certificate profiles for each platform you want
to use. When you create a SCEP certificate profile, you must specify a trusted certificate profile for that same
platform. This links the two certificate profiles, but you still must assign each profile separately.

Next steps
See How to assign device profiles for general information about how to assign device profiles.
Configure and manage SCEP certificates with Intune
6/28/2017

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

This topic shows how to configure your infrastructure, then create and assign Simple Certificate Enrollment
Protocol (SCEP) certificate profiles with Intune.

Configure on-premises infrastructure


Active Directory domain: All servers listed in this section (except for the Web Application Proxy Server)
must be joined to your Active Directory domain.
Certification Authority (CA): An Enterprise Certification Authority (CA) that runs on an Enterprise edition
of Windows Server 2008 R2 or later. A Standalone CA is not supported. For details, see Install the
Certification Authority. If your CA runs Windows Server 2008 R2, you must install the hotfix from
KB2483564.
NDES Server: On a server that runs Windows Server 2012 R2 or later, you must set up the Network
Device Enrollment Service (NDES). Intune does not support using NDES when it runs on a server that also
runs the Enterprise CA. See Network Device Enrollment Service Guidance for instructions on how to
configure Windows Server 2012 R2 to host the Network Device Enrollment Service. The NDES server must
be domain joined to the domain that hosts the CA, and not be on the same server as the CA. More
information about deploying the NDES server in a separate forest, isolated network or internal domain can
be found in Using a Policy Module with the Network Device Enrollment Service.
Microsoft Intune Certificate Connector: Use the Intune portal to download the Certificate Connector
installer (ndesconnectorssetup.exe). Then you can run ndesconnectorssetup.exe on the computer
where you want to install the Certificate Connector.
Web Application Proxy Server (optional): Use a server that runs Windows Server 2012 R2 or later as a
Web Application Proxy (WAP) server. This configuration:
Allows devices to receive certificates using an Internet connection.
Is a security recommendation when devices connect through the Internet to receive and renew
certificates.
NOTE
The server that hosts WAP must install an update that enables support for the long URLs that are used by the
Network Device Enrollment Service. This update is included with the December 2014 update rollup, or individually
from KB3011135.
Also, the server that hosts WAP must have a SSL certificate that matches the name being published to external
clients as well as trust the SSL certificate that is used on the NDES server. These certificates enable the WAP server
to terminate the SSL connection from clients, and create a new SSL connection to the NDES server. For
information about certificates for WAP, see the Plan certificates section of Planning to Publish Applications
Using Web Application Proxy. For general information about WAP servers, see Working with Web Application
Proxy.

Network requirements
From the Internet to the perimeter network, allow port 443 from all hosts/IP addresses on the Internet to the NDES
server.
From the perimeter network to the trusted network, allow all ports and protocols needed for domain access on the
domain-joined NDES server. The NDES server needs access to the certificate servers, DNS servers, Configuration
Manager servers and domain controllers.
We recommend publishing the NDES server through a proxy, such as the Azure AD application proxy, Web Access
Proxy, or a third-party proxy.
Certificates and templates

Certificate Template - Configure this template on your issuing CA.
Client authentication certificate - Requested from your issuing CA or public CA; you install this certificate on
the NDES Server.
Server authentication certificate - Requested from your issuing CA or public CA; you install and bind this SSL
certificate in IIS on the NDES server.
Trusted Root CA certificate - You export this as a .cer file from the root CA or any device which trusts the root
CA, and assign it to devices by using the Trusted CA certificate profile. You use a single Trusted Root CA
certificate per operating system platform, and associate it with each Trusted Root Certificate profile you create.
You can use additional Trusted Root CA certificates when needed. For example, you might do this to provide a
trust to a CA that signs the server authentication certificates for your Wi-Fi access points.

Accounts

NDES service account - Specify a domain user account to use as the NDES Service account.

Configure your infrastructure


Before you can configure certificate profiles you must complete the following tasks, which require knowledge of
Windows Server 2012 R2 and Active Directory Certificate Services (ADCS):
Step 1: Create an NDES service account
Step 2: Configure certificate templates on the certification authority
Step 3: Configure prerequisites on the NDES server
Step 4: Configure NDES for use with Intune
Step 5: Enable, install, and configure the Intune Certificate Connector

NOTE
Because of a known issue, download, install, and configure the certificate connector using the following procedure: Configure
certificate infrastructure for SCEP -> Configure your infrastructure -> Task 5

Step 1 - Create an NDES service account


Create a domain user account to use as the NDES service account. You will specify this account when you
configure templates on the issuing CA before you install and configure NDES. Make sure the user has the default
rights, Logon Locally, Logon as a Service and Logon as a batch job rights. Some organizations have hardening
policies that disable those rights.
Step 2 - Configure certificate templates on the certification authority
In this task you will:
Configure a certificate template for NDES
Publish the certificate template for NDES
To configure the certification authority

1. Log on as an enterprise administrator.


2. On the issuing CA, use the Certificate Templates snap-in to create a new custom template, or copy an
existing template (like the User template) and then edit the copy, for use with NDES.

NOTE
The NDES certificate template must be based off a v2 Certificate Template (with Windows 2003 compatibility).

The template must have the following configurations:


Specify a friendly Template display name for the template.
On the Subject Name tab, select Supply in the request. (Security is enforced by the Intune policy
module for NDES).
On the Extensions tab, ensure the Description of Application Policies includes Client
Authentication.

IMPORTANT
For iOS and macOS certificate templates, on the Extensions tab, edit Key Usage and ensure Signature is
proof of origin is not selected.

On the Security tab, add the NDES service account, and give it Enroll permissions to the template.
Intune admins who will create SCEP profiles require Read rights so that they can browse to the
template when creating SCEP profiles.

NOTE
To revoke certificates the NDES service account needs Issue and Manage Certificates rights for each certificate
template used by a certificate profile.

3. Review the Validity period on the General tab of the template. By default, Intune uses the value
configured in the template. However, you have the option to configure the CA to allow the requester to
specify a different value, which you can then set from within the Intune Administrator console. If you want
to always use the value in the template, skip the remainder of this step.

IMPORTANT
iOS and macOS always use the value set in the template regardless of other configurations you make.

Here are screenshots of an example template configuration.


IMPORTANT
For Application Policies, only add the application policies required. Confirm your choices with your security admins.

To configure the CA to allow the requester to specify the validity period:


1. On the CA run the following commands:
certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
net stop certsvc
net start certsvc
2. On the issuing CA, use the Certification Authority snap-in to publish the certificate template. Select the
Certificate Templates node, click Action-> New > Certificate Template to Issue, and then select the
template you created in step 2.
3. Validate that the template published by viewing it under the Certificate Templates folder.
Step 3 - Configure prerequisites on the NDES server
In this task you will:
Add NDES to a Windows Server and configure IIS to support NDES
Add the NDES Service account to the IIS_IUSR group
Set the SPN for the NDES Service account
1. On the server that will host NDES, you must log on as an Enterprise Administrator, and then use the
Add Roles and Features Wizard to install NDES:
a. In the Wizard, select Active Directory Certificate Services to gain access to the AD CS Role
Services. Select the Network Device Enrollment Service, uncheck Certification Authority, and
then complete the wizard.

TIP
On the Installation progress page of the wizard, do not click Close. Instead, click the link for Configure
Active Directory Certificate Services on the destination server. This opens the AD CS Configuration
wizard that you use for the next task. After AD CS Configuration opens, you can close the Add Roles and
Features wizard.

b. When NDES is added to the server, the wizard also installs IIS. Ensure IIS has the following
configurations:
Web Server > Security > Request Filtering
Web Server > Application Development > ASP.NET 3.5. Installing ASP.NET 3.5 will install
.NET Framework 3.5. When installing .NET Framework 3.5, install both the core .NET
Framework 3.5 feature and HTTP Activation.
Web Server > Application Development > ASP.NET 4.5. Installing ASP.NET 4.5 will install
.NET Framework 4.5. When installing .NET Framework 4.5, install the core .NET Framework
4.5 feature, ASP.NET 4.5, and the WCF Services > HTTP Activation feature.
Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility
Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility
c. On the server, add the NDES service account as a member of the IIS_IUSR group.
2. In an elevated command prompt, run the following command to set the SPN of the NDES Service account:
setspn -s http/<DNS name of NDES Server> <Domain name>\<NDES Service account name>

For example, if your NDES Server is named Server01, your domain is Contoso.com, and the service account is
NDESService, use:
setspn -s http/Server01.contoso.com contoso\NDESService

Step 4 - Configure NDES for use with Intune


In this task you will:
Configure NDES for use with the issuing CA
Bind the server authentication (SSL) certificate in IIS
Configure Request Filtering in IIS
1. On the NDES Server, open the AD CS Configuration wizard and then make the following configurations.

TIP
If you clicked the link in the previous task, this wizard is already open. Otherwise, open Server Manager to access the
post-deployment configuration for Active Directory Certificate Services.

On the Role Services Page, select the Network Device Enrollment Service.
On the Service Account for NDES page, specify the NDES Service Account.
On the CA for NDES page, click Select, and then select the issuing CA where you configured the
certificate template.
On the Cryptography for NDES page, set the key length to meet your company requirements.
On the Confirmation page, click Configure to complete the wizard.
2. After the wizard completes, edit the following registry key on the NDES Server:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\
To edit this key, identify the certificate template's Purpose, as found on its Request Handling tab, and then
edit the corresponding entry in the registry by replacing the existing data with the name of the certificate
template (not the display name of the template) that you specified in Task 1. The following table maps the
certificate template purpose to the values in the registry:

CERTIFICATE TEMPLATE PURPOSE (ON THE REQUEST HANDLING TAB) | REGISTRY VALUE TO EDIT | VALUE SEEN IN THE INTUNE ADMIN CONSOLE FOR THE SCEP PROFILE
Signature | SignatureTemplate | Digital Signature
Encryption | EncryptionTemplate | Key Encipherment
Signature and encryption | GeneralPurposeTemplate | Key Encipherment, Digital Signature

For example, if the Purpose of your certificate template is Encryption, then edit the EncryptionTemplate
value to be the name of your certificate template.
3. The NDES server will receive very long URLs (queries), which require that you add two registry entries:

LOCATION | VALUE | TYPE | DATA
HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters | MaxFieldLength | DWORD | 65534 (decimal)
HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters | MaxRequestBytes | DWORD | 65534 (decimal)

4. In IIS Manager, choose Default Web Site -> Request Filtering -> Edit Feature Settings, and change the
Maximum URL length and Maximum query string to 65534.
5. Restart the server. Running iisreset on the server will not be sufficient to finalize these changes, because
the HTTP.sys parameters above are only read when the HTTP service starts.
6. Browse to http://FQDN/certsrv/mscep/mscep.dll. You should see the NDES enrollment page.

If you get a 503 Service unavailable, check the event viewer. It's likely that the application pool is stopped
due to a missing right for the NDES user. Those rights are described in Task 1.
To install and bind certificates on the NDES Server

1. On your NDES Server, request and install a server authentication certificate from your internal CA or
public CA. You will then bind this SSL certificate in IIS.

TIP
After you bind the SSL certificate in IIS, you will also install a client authentication certificate. This certificate can be
issued by any CA that is trusted by the NDES Server. Although it is not a best practice, you can use the same
certificate for both server and client authentication as long as the certificate has both Enhanced Key Usages (EKUs).
Review the following steps for information about these authentication certificates.

a. After you obtain the server authentication certificate, open IIS Manager, select the Default Web
Site in the Connections pane, and then click Bindings in the Actions pane.
b. Click Add, set Type to https, and then ensure the port is 443. (Only port 443 is supported for
standalone Intune.)
c. For SSL certificate, specify the server authentication certificate.

NOTE
If the NDES server uses both an external and internal name for a single network address, the server
authentication certificate must have a Subject Name with an external public server name, and a Subject
Alternative Name that includes the internal server name.

2. On your NDES Server, request and install a client authentication certificate from your internal CA, or a
public certificate authority. This can be the same certificate as the server authentication certificate if that
certificate has both capabilities.
The client authentication certificate must have the following properties:
Enhanced Key Usage - This must include Client Authentication.
Subject Name - This must be equal to the DNS name of the server where you are installing the certificate
(the NDES Server).
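The certificate checks and the HTTPS binding described above, as an added example that is not part of the Intune documentation. It assumes the NDES FQDN is ndes.contoso.com and that both certificates have already been requested and installed in the local machine Personal store; it selects each by its EKU and by the host name, warns when one certificate is being used for both roles, and verifies that the thumbprint HTTP.sys serves on 443 is the one selected.

```powershell
# Added example (not from the Intune documentation): select, check and bind the NDES certificates.
# Assumption: NDES host ndes.contoso.com; certificates already in Cert:\LocalMachine\My.
$NdesFqdn      = 'ndes.contoso.com'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-AuthCert {
    # Newest unexpired certificate with a private key, the requested EKU, and the NDES name
    # in the Subject CN or a SAN dNSName (DnsNameList covers both).
    param([string]$EkuOid, [string]$Fqdn)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $EkuOid) -and
            ($_.DnsNameList.Unicode -contains $Fqdn)
        } | Sort-Object NotAfter -Descending | Select-Object -First 1
}

$serverCert = Get-AuthCert -EkuOid $ServerAuthOid -Fqdn $NdesFqdn
$clientCert = Get-AuthCert -EkuOid $ClientAuthOid -Fqdn $NdesFqdn
if (-not $serverCert) { throw "No server authentication certificate for $NdesFqdn in LocalMachine\My" }
if (-not $clientCert) { throw "No client authentication certificate for $NdesFqdn in LocalMachine\My" }
if ($serverCert.Thumbprint -eq $clientCert.Thumbprint) {
    Write-Warning 'One certificate carries both EKUs. This works but is not the recommended split.'
}

# Bind the server certificate to the Default Web Site on 443, the only port standalone Intune supports.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '*'
}
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item -Path $sslPath -Value $serverCert | Out-Null

# Verify: HTTP.sys must now serve the thumbprint we selected, not an older certificate.
$bound = (Get-Item $sslPath).Thumbprint
if ($bound -ne $serverCert.Thumbprint) { throw "Binding serves $bound, expected $($serverCert.Thumbprint)" }
"Server certificate : $($serverCert.Subject) [$($serverCert.Thumbprint)] bound on 443"
"Client certificate : $($clientCert.Subject) [$($clientCert.Thumbprint)] (select this one in the Certificate Connector setup)"
```

If the server certificate must carry an external name in the Subject and the internal name in the SAN (the NOTE above), pass the external name to Get-AuthCert for the server certificate and the internal name for the client certificate; DnsNameList already includes SAN entries, so the same function serves both cases.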
To configure IIS request filtering

1. On the NDES Server open IIS Manager, select the Default Web Site in the Connections pane, and then
open Request Filtering.
2. Click Edit Feature Settings, and then set the following:
Maximum query string (Bytes) = 65534
Maximum URL length (Bytes) = 65534
3. Review the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Ensure the following values are set as DWORD entries:
Name: MaxFieldLength, with a decimal value of 65534
Name: MaxRequestBytes, with a decimal value of 65534
4. Reboot the NDES server. The server is now ready to support the Certificate Connector.
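The registry and IIS changes from Step 4 (items 2 to 5) and from this request filtering procedure, scripted and read back before the reboot. This is an added example and not part of the Intune documentation; the template name NDESIntune and its Purpose ("Signature and encryption") are assumptions, so in that case only GeneralPurposeTemplate changes.

```powershell
# Added example (not from the Intune documentation): NDES registry and IIS settings for Intune SCEP.
# Assumptions: template name NDESIntune (the name, not the display name), Purpose "Signature and encryption".
$TemplateName = 'NDESIntune'
$Purpose      = 'Signature and encryption'   # value shown on the template's Request Handling tab

# Template Purpose -> MSCEP registry value, as in the mapping table in Step 4.
$valueName = switch ($Purpose) {
    'Signature'                { 'SignatureTemplate' }
    'Encryption'               { 'EncryptionTemplate' }
    'Signature and encryption' { 'GeneralPurposeTemplate' }
    default                    { throw "Unknown template purpose '$Purpose'" }
}
$mscep = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
Set-ItemProperty -Path $mscep -Name $valueName -Value $TemplateName

# HTTP.sys limits for the long SCEP query strings (decimal 65534, as in the table in Step 4).
$httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
foreach ($name in 'MaxFieldLength', 'MaxRequestBytes') {
    New-ItemProperty -Path $httpParams -Name $name -PropertyType DWord -Value 65534 -Force | Out-Null
}

# IIS Request Filtering limits on Default Web Site, the same two values the IIS Manager dialog exposes.
Import-Module WebAdministration
$site   = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = 'Default Web Site' }
$filter = 'system.webServer/security/requestFiltering/requestLimits'
foreach ($prop in 'maxUrl', 'maxQueryString') {
    Set-WebConfigurationProperty @site -Filter $filter -Name $prop -Value 65534
}

# Read everything back. A wrong value here shows up later as HTTP 414 or silently failing enrollments.
$check = [ordered]@{
    $valueName      = (Get-ItemProperty $mscep).$valueName
    MaxFieldLength  = (Get-ItemProperty $httpParams).MaxFieldLength
    MaxRequestBytes = (Get-ItemProperty $httpParams).MaxRequestBytes
    maxUrl          = (Get-WebConfigurationProperty @site -Filter $filter -Name maxUrl).Value
    maxQueryString  = (Get-WebConfigurationProperty @site -Filter $filter -Name maxQueryString).Value
}
$check.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }
if ($check[$valueName] -ne $TemplateName) { throw "$valueName is not $TemplateName" }
$wrong = $check.GetEnumerator() | Where-Object { $_.Key -ne $valueName -and [int]$_.Value -ne 65534 }
if ($wrong) { throw "Unexpected value(s): $(($wrong | ForEach-Object Key) -join ', ')" }

# The HTTP.sys parameters are only read when the HTTP service starts, so iisreset is not enough.
Restart-Computer -Confirm
```

The other two MSCEP values keep their default of IPSECIntermediateOffline; if the template Purpose is changed later, the corresponding registry value has to be updated too, because NDES issues from whichever template is named in the value that matches the request's key usage.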
Step 5 - Enable, install, and configure the Intune certificate connector
In this task you will:
Enable support for NDES in Intune.
Download, install, and configure the Certificate Connector on the NDES Server.
To enable support for the certificate connector

1. Sign into the Azure portal.


2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Configure devices.
4. On the Device Configuration blade, choose Certification Authority.
5. Select Enable Certificate Connector.
To download, install and configure the certificate connector

NOTE
Because of a known issue, download, install, and configure the certificate connector using the following procedure: Configure
certificate infrastructure for SCEP -> Configure your infrastructure -> Task 5

1. Sign into the Azure portal.


2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Configure devices.
4. On the Device Configuration blade, choose Certification Authority.
5. Choose Download Certificate Connector.
6. After the download completes, run the downloaded installer (ndesconnectorssetup.exe) on a Windows
Server 2012 R2 server. The installer also installs the policy module for NDES and the CRP Web Service. (The
CRP Web Service, CertificateRegistrationSvc, runs as an application in IIS.)
NOTE
When you install NDES for standalone Intune, the CRP service automatically installs with the Certificate Connector.
When you use Intune with Configuration Manager, you install the Certificate Registration Point as a separate site
system role.

7. When prompted for the client certificate for the Certificate Connector, choose Select, and select the client
authentication certificate you installed on your NDES Server in Task 3.
After you select the client authentication certificate, you are returned to the Client Certificate for
Microsoft Intune Certificate Connector surface. Although the certificate you selected is not shown, click
Next to view the properties of that certificate. Then click Next, and then click Install.
8. After the wizard completes, but before closing the wizard, click Launch the Certificate Connector UI.

TIP
If you close the wizard before launching the Certificate Connector UI, you can reopen it by running the following
command:
<install_Path>\NDESConnectorUI\NDESConnectorUI.exe

9. In the Certificate Connector UI:


Click Sign In and enter your Intune service administrator credentials, or credentials for a tenant
administrator with the global administration permission.
If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet,
click Use proxy server and then provide the proxy server name, port, and account credentials to connect.
Select the Advanced tab, and then provide credentials for an account that has the Issue and Manage
Certificates permission on your issuing Certificate Authority, and then click Apply.
You can now close the Certificate Connector UI.
10. Open a command prompt and type services.msc, and then press Enter, right-click the Intune Connector
Service, and then click Restart.
To validate that the service is running, open a browser and enter the following URL, which should now return a 403
error instead of the NDES enrollment page you saw before the connector was installed:
http://<FQDN_of_your_NDES_server>/certsrv/mscep/mscep.dll
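The service restart and the 403 check above, scripted so that the three common outcomes are told apart. This is an added example and not part of the Intune documentation; it assumes the NDES FQDN is ndes.contoso.com and that "Intune Connector Service" is the display name shown in services.msc.

```powershell
# Added example (not from the Intune documentation): restart the connector and probe mscep.dll.
# Assumptions: NDES host ndes.contoso.com; service located by its services.msc display name.
$NdesFqdn = 'ndes.contoso.com'

$svc = Get-Service -DisplayName 'Intune Connector Service' -ErrorAction Stop
Restart-Service -InputObject $svc
$svc.WaitForStatus('Running', (New-TimeSpan -Seconds 60))
"$($svc.DisplayName): $($svc.Status)"

function Test-NdesEndpoint {
    # Returns the HTTP status code for an anonymous GET of mscep.dll.
    # 200 = NDES page (policy module not active), 403 = expected after the connector is installed,
    # 503 = application pool stopped, usually a missing right on the NDES service account.
    param([string]$Fqdn)
    try {
        $r = Invoke-WebRequest -Uri "http://$Fqdn/certsrv/mscep/mscep.dll" -UseBasicParsing
        return [int]$r.StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw   # no HTTP response at all: DNS, firewall or IIS not listening
    }
}

$code = Test-NdesEndpoint -Fqdn $NdesFqdn
switch ($code) {
    403     { "OK: mscep.dll returned 403, the Intune policy module is active" }
    200     { Write-Warning "mscep.dll still serves the NDES page (200); the policy module is not active yet" }
    503     { Write-Warning "503 from mscep.dll: check the SCEP application pool and the service account rights (Task 1)" }
    default { Write-Warning "Unexpected HTTP $code from mscep.dll" }
}
```

Run the probe from the NDES server itself first, then from a client on the path devices will use, so that a proxy or WAP problem is not mistaken for a connector problem.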

How to create a SCEP certificate profile


1. In the Azure Portal, select the Configure devices workload.
2. On the Device Configuration blade, choose Manage > Profiles.
3. On the profiles blade, choose Create Profile.
4. On the Create Profile blade, enter a Name and Description for the SCEP certificate profile.
5. From the Platform drop-down list, select the device platform for this SCEP certificate profile. Currently, you
can choose one of the following platforms:
Android
iOS
macOS
Windows Phone 8.1
Windows 8.1 and later
Windows 10 and later
6. From the Profile type drop-down list, choose SCEP certificate.
7. On the SCEP Certificate blade, configure the following settings:
Certificate validity period - If you have run the certutil -setreg Policy\EditFlags
+EDITF_ATTRIBUTEENDDATE command on the issuing CA, which allows a custom validity period, you
can specify the amount of remaining time before the certificate expires.
You can specify a value that is lower than the validity period in the specified certificate template, but not
higher. For example, if the certificate validity period in the certificate template is two years, you can
specify a value of one year but not a value of five years. The value must also be lower than the remaining
validity period of the issuing CA's certificate.
Key storage provider (KSP) (Windows Phone 8.1, Windows 8.1, Windows 10) - Specify where the key
to the certificate will be stored. Choose from one of the following values:
Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP
Enroll to Trusted Platform Module (TPM) KSP, otherwise fail
Enroll to Passport, otherwise fail (Windows 10 and later)
Enroll to Software KSP
Subject name format - From the list, select how Intune automatically creates the subject name in
the certificate request. If the certificate is for a user, you can also include the user's email address in
the subject name. Choose from:
Not configured
Common name
Common name including email
Common name as email
Custom - When you select this option, another drop-down field is displayed. You use this field to
enter a custom subject name format. The two variables supported for the custom format are
Common Name (CN) and Email (E). By using a combination of one or many of these variables
and static strings, you can create a custom subject name format, like this one:
CN={{UserName}},E={{EmailAddress}},OU=Mobile,O=Finance Group,L=Redmond,ST=Washington,C=US
In this example, you created a subject name format that, in addition to the CN and E variables,
uses strings for Organizational Unit, Organization, Location, State, and Country values. The
CertStrToName function documentation lists the supported strings.
Subject alternative name - Specify how Intune automatically creates the values for the subject
alternative name (SAN) in the certificate request. For example, if you selected a user certificate type,
you can include the user principal name (UPN) in the subject alternative name. If the client certificate
will be used to authenticate to a Network Policy Server, you must set the subject alternative name to
the UPN.
Key usage - Specify the key usage options for the certificate. You can choose one or both of the following:
Key encipherment: the certificate's public key may be used to encrypt symmetric keys, for example during key exchange.
Digital signature: the private key may be used to create digital signatures, for example to prove possession of the key during client authentication.
The options you choose must match the Purpose of the template named in the MSCEP registry value (see the mapping table in Step 4).
Key size (bits) - Select the number of bits that will be contained in the key.
Hash algorithm (Android, Windows Phone 8.1, Windows 8.1, Windows 10) - Select one of the available
hash algorithm types to use with this certificate. Select the strongest level of security that the connecting
devices support.
Root Certificate - Choose a root CA certificate profile that you have previously configured and assigned
to the user or device. This CA certificate must be the root certificate for the CA that will issue the
certificate that you are configuring in this certificate profile.
Extended key usage - Choose Add to add values for the certificate's intended purpose. In most cases,
the certificate will require Client Authentication so that the user or device can authenticate to a server.
However, you can add any other key usages as required.
Enrollment Settings
Renewal threshold (%) - Specify the percentage of the certificate lifetime that remains before
the device requests renewal of the certificate.
SCEP Server URLs - Specify one or more URLs for the NDES Servers that will issue certificates via
SCEP.
8. When you're done, go back to the Create Profile blade, and hit Create.
The profile will be created and appears on the profiles list blade.
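A way to try out a custom Subject name format before it goes into a profile: expand the two supported variables for a sample user and parse the result with .NET's X500DistinguishedName, which uses the same CertStrToName parsing the setting above refers to. This is an added example and not part of the Intune documentation; the user values are constructed sample data, and the quoting of special characters is this script's own check, since the page does not say how Intune treats a display name that contains a comma.

```powershell
# Added example (not from the Intune documentation): expand and validate a custom subject name format.
# Sample data is constructed; only {{UserName}} and {{EmailAddress}} are supported variables.
$Format = 'CN={{UserName}},E={{EmailAddress}},OU=Mobile,O=Finance Group,L=Redmond,ST=Washington,C=US'
$Users  = @(
    @{ UserName = 'jdoe';      EmailAddress = 'jdoe@contoso.com' },
    @{ UserName = 'Doe, Jane'; EmailAddress = 'jane.doe@contoso.com' }   # comma inside a value
)

function Expand-SubjectName {
    param([string]$Template, [hashtable]$Values)
    $dn = $Template
    foreach ($k in 'UserName', 'EmailAddress') {
        $v = $Values[$k]
        if ([string]::IsNullOrEmpty($v)) { throw "$k is empty; the certificate request would fail" }
        # A value containing RDN separators is quoted (embedded quotes doubled), so "Doe, Jane"
        # stays one CN instead of becoming CN=Doe plus an unknown attribute "Jane".
        if ($v -match '[,+"\\<>;=#]') { $v = '"' + ($v -replace '"', '""') + '"' }
        $dn = $dn.Replace("{{$k}}", $v)   # literal replacement, no regex
    }
    if ($dn -match '\{\{') { throw "Unknown variable left in subject format: $dn" }
    # The constructor throws on a malformed DN; this is the CertStrToName parser behind the setting.
    New-Object System.Security.Cryptography.X509Certificates.X500DistinguishedName($dn)
}

foreach ($u in $Users) {
    $subject = Expand-SubjectName -Template $Format -Values $u
    "--- $($u.UserName)"
    $subject.Format($true)        # one RDN per line; confirm the CN did not split
}
```

The second sample shows why the quoting matters: without it the parser accepts the string but produces a different name than intended, and a certificate with an unexpected extra RDN can fail matching on the NPS or VPN side rather than at issuance.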

How to assign the certificate profile


Consider the following before you assign certificate profiles to groups:
When you assign certificate profiles to groups, the certificate file from the Trusted CA certificate profile is
installed on the device. The device uses the SCEP certificate profile to create a certificate request by the device.
Certificate profiles install only on devices running the platform you use when you created the profile.
You can assign certificate profiles to user groups or to device groups.
To publish a certificate to a device quickly after the device enrolls, assign the certificate profile to a user group
rather than to a device group. If you assign to a device group, a full device registration is required before the
device receives policies.
Although you assign each profile separately, you also need to assign the Trusted Root CA and the SCEP or PKCS
profile. Otherwise, the SCEP or PKCS certificate policy will fail.
For information about how to assign profiles, see How to assign device profiles.
Configure and manage PKCS certificates with Intune
6/19/2017 11 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

This topic shows how to configure your infrastructure, then create and assign PKCS certificate profiles with Intune.
To do any certificate-based authentication in your organization, you need an Enterprise Certification Authority.
To use PKCS Certificate profiles, in addition to the Enterprise Certification Authority, you also need:
A computer that can communicate with the Certification Authority, or you can use the Certification Authority
computer itself.
The Intune Certificate Connector, which runs on the computer that can communicate with the Certification
Authority.

Important terms
Active Directory domain: All servers listed in this section (except for the Web Application Proxy Server)
must be joined to your Active Directory domain.
Certification Authority: An Enterprise Certification Authority (CA) that runs on an Enterprise edition of
Windows Server 2008 R2 or later. A Standalone CA is not supported. For instructions on how to set up a
Certification Authority, see Install the Certification Authority. If your CA runs Windows Server 2008 R2, you
must install the hotfix from KB2483564.
Computer that can communicate with Certification Authority: Alternatively, use the Certification
Authority computer itself.
Microsoft Intune Certificate Connector: From the Azure portal, you download the Certificate Connector
installer (ndesconnectorssetup.exe). Then you can run ndesconnectorssetup.exe on the computer where
you want to install the Certificate Connector. For PKCS Certificate profiles, install the Certificate Connector on
the computer that communicates with the Certification Authority.
Web Application Proxy server (optional): You can use a server that runs Windows Server 2012 R2 or
later as a Web Application Proxy (WAP) server. This configuration:
Allows devices to receive certificates using an Internet connection.
Is a security recommendation when devices connect through the Internet to receive and renew
certificates.
NOTE
The server that hosts WAP must install an update that enables support for the long URLs that are used by the
Network Device Enrollment Service (NDES). This update is included with the December 2014 update rollup, or
individually from KB3011135.
Also, the server that hosts WAP must have an SSL certificate that matches the name being published to external
clients as well as trust the SSL certificate that is used on the NDES server. These certificates enable the WAP server
to terminate the SSL connection from clients, and create a new SSL connection to the NDES server. For
information about certificates for WAP, see the Plan certificates section of Planning to Publish Applications
Using Web Application Proxy. For general information about WAP servers, see Working with Web Application
Proxy.

Certificates and templates


OBJECT | DETAILS
Certificate Template | You configure this template on your issuing CA.
Trusted Root CA certificate | You export this as a .cer file from the issuing CA or any device which trusts the
issuing CA, and assign it to devices by using the Trusted CA certificate profile. You use a single Trusted Root
CA certificate per operating system platform, and associate it with each Trusted Root Certificate profile you
create. You can use additional Trusted Root CA certificates when needed. For example, you might do this to
provide a trust to a CA that signs the server authentication certificates for your Wi-Fi access points.

Configure your infrastructure


Before you can configure certificate profiles, you must complete the following steps. These steps require
knowledge of Windows Server 2012 R2 and Active Directory Certificate Services (ADCS):
Step 1 - Configure certificate templates on the certification authority.
Step 2 - Enable, install, and configure the Intune Certificate Connector.

Step 1 - Configure certificate templates on the certification authority


To configure the certification authority
1. On the issuing CA, use the Certificate Templates snap-in to create a new custom template, or copy and edit
an existing template (like the User template), for use with PKCS.
The template must include the following:
Specify a friendly Template display name for the template.
On the Subject Name tab, select Supply in the request. (Security is enforced by the Intune policy
module for NDES).
On the Extensions tab, ensure the Description of Application Policies includes Client
Authentication.
IMPORTANT
For iOS and macOS certificate templates, on the Extensions tab, edit Key Usage and ensure that Signature
is proof of origin is not selected.

2. Review the Validity period on the General tab of the template. By default, Intune uses the value
configured in the template. However, you have the option to configure the CA to allow the requester to
specify a different value, which you can then set from within the Intune Administrator console. If you want
to always use the value in the template, skip the remainder of this step.

IMPORTANT
iOS and macOS always use the value set in the template, regardless of other configurations you make.

To configure the CA to allow the requester to specify the validity period, run the following commands on the
CA:
a. certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
b. net stop certsvc
c. net start certsvc
3. On the issuing CA, use the Certification Authority snap-in to publish the certificate template.
a. Select the Certificate Templates node, click Action-> New > Certificate Template to Issue, and then
select the template you created in step 1.
b. Validate that the template published by viewing it under the Certificate Templates folder.
4. On the CA computer, ensure that the computer that hosts the Intune Certificate Connector has enroll
permission, so that it can access the template used in creating the PKCS certificate profile. Set that
permission on the Security tab of the CA computer properties.
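The checks a practitioner would run on the issuing CA after Step 1, using certutil. This is an added example and not part of the Intune documentation; the template name IntunePKCSUser and the CA config string ca01.contoso.com\Contoso Issuing CA are assumptions.

```powershell
# Added example (not from the Intune documentation): verify the PKCS template setup on the issuing CA.
# Assumptions: template name IntunePKCSUser (not the display name); CA config "host\CA name".
$TemplateName = 'IntunePKCSUser'
$CaConfig     = 'ca01.contoso.com\Contoso Issuing CA'

# 1. Published? -CATemplates lists the templates this CA is set to issue, one "Name: Display -- access" per line.
$published = certutil -config $CaConfig -CATemplates |
    Select-String -Pattern "^$([regex]::Escape($TemplateName)):"
if (-not $published) {
    throw "Template $TemplateName is not published on $CaConfig (Certificate Template to Issue, step 3)"
}
"Published: $($published.Line.Trim())"

# 2. Template definition from AD: application policy and subject-name flags.
$dump = certutil -v -Template $TemplateName | Out-String
if ($dump -notmatch '1\.3\.6\.1\.5\.5\.7\.3\.2') {            # id-kp-clientAuth
    Write-Warning "$TemplateName has no Client Authentication application policy (Extensions tab)"
}
if ($dump -notmatch 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT') {   # Subject Name tab: Supply in the request
    Write-Warning "$TemplateName does not let the requester supply the subject name"
}
if ($dump -match 'CERT_NON_REPUDIATION_KEY_USAGE') {         # Key Usage: "Signature is proof of origin"
    Write-Warning "$TemplateName sets non-repudiation; clear it for iOS and macOS templates"
}

# 3. Can the requester set the validity period? EDITF_ATTRIBUTEENDDATE must be in Policy\EditFlags.
$editFlags = certutil -config $CaConfig -getreg Policy\EditFlags | Out-String
if ($editFlags -match 'EDITF_ATTRIBUTEENDDATE') {
    'Custom validity period: enabled (Intune "Certificate validity period" is honored; iOS and macOS excepted)'
} else {
    'Custom validity period: disabled (template value always used).'
    'To enable: certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE, then net stop certsvc && net start certsvc'
}
```

Step 4 (Enroll permission for the connector host) is set on the template's Security tab and can be confirmed in the same -v -Template dump, where the ACL is printed with the computer account listed; this script does not parse it because the exact account name depends on the host chosen for the connector.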

Step 2 - Enable, install, and configure the Intune certificate connector


In this step you will:
Enable support for the Certificate Connector
Download, install, and configure the Certificate Connector.
To enable support for the certificate connector
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Configure devices.
4. On the Device Configuration blade, choose Setup > Certificate Authority.
5. Under Step 1, choose Enable.
To download, install, and configure the certificate connector
1. On the Configure devices blade, choose Setup > Certificate Authority.
2. Choose Download the certificate connector.
3. After the download completes, run the downloaded installer (ndesconnectorssetup.exe). Run the installer
on the computer that is able to connect with the Certification Authority. Choose the PKCS (PFX) Distribution
option, and then choose Install. When the installation has completed, continue by creating a certificate
profile as described in How to configure certificate profiles.
4. When prompted for the client certificate for the Certificate Connector, choose Select, and select the client
authentication certificate you installed.
After you select the client authentication certificate, you are returned to the Client Certificate for
Microsoft Intune Certificate Connector surface. Although the certificate you selected is not shown,
choose Next to view the properties of that certificate. Then choose Next, and then Install.
5. After the wizard completes, but before closing the wizard, click Launch the Certificate Connector UI.

TIP
If you close the wizard before launching the Certificate Connector UI, you can reopen it by running the following
command:
<install_Path>\NDESConnectorUI\NDESConnectorUI.exe

6. In the Certificate Connector UI:


a. Choose Sign In and enter your Intune service administrator credentials, or credentials for a tenant
administrator with the global administration permission.
b. Select the Advanced tab, and then provide credentials for an account that has the Issue and Manage
Certificates permission on your issuing Certificate Authority.
c. Choose Apply.
You can now close the Certificate Connector UI.
7. Open a command prompt and type services.msc. Then press Enter, right-click the Intune Connector
Service, and choose Restart.
To validate that the service is running, open a browser and enter the following URL, which should return a 403
error:
http:// <FQDN_of_your_NDES_server>/certsrv/mscep/mscep.dll
How to create a PKCS certificate profile
In the Azure Portal, select the Configure devices workload.
1. On the Device configuration blade, choose Manage > Profiles.
2. On the profiles blade, click Create Profile.
3. On the Create Profile blade, enter a Name and Description for the PKCS certificate profile.
4. From the Platform drop-down list, select the device platform for this PKCS certificate from:
Android
Android for Work
iOS
Windows 10 and later
5. From the Profile type drop-down list, choose PKCS certificate.
6. On the PKCS Certificate blade, configure the following settings:
Renewal threshold (%) - Specify the percentage of the certificate lifetime that remains before the
device requests renewal of the certificate.
Certificate validity period - If you have run the certutil -setreg Policy\EditFlags
+EDITF_ATTRIBUTEENDDATE command on the issuing CA, which allows a custom validity period, you
can specify the amount of remaining time before the certificate expires.
You can specify a value that is lower than the validity period in the specified certificate template, but not
higher. For example, if the certificate validity period in the certificate template is two years, you can
specify a value of one year but not a value of five years. The value must also be lower than the remaining
validity period of the issuing CA's certificate.
Key storage provider (KSP) (Windows 10) - Specify where the key to the certificate will be stored.
Choose from one of the following values:
Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP
Enroll to Trusted Platform Module (TPM) KSP, otherwise fail
Enroll to Passport, otherwise fail (Windows 10 and later)
Enroll to Software KSP
Certification authority - An Enterprise Certification Authority (CA) that runs on an Enterprise edition of
Windows Server 2008 R2 or later. A Standalone CA is not supported. For instructions on how to set up a
Certification Authority, see Install the Certification Authority. If your CA runs Windows Server 2008 R2,
you must install the hotfix from KB2483564.
Certification authority name - Enter the name of your certification authority.
Certificate template name - Enter the name of a certificate template that the Network Device
Enrollment Service is configured to use and that has been added to an issuing CA. Make sure that the
name exactly matches one of the certificate templates that are listed in the registry of the server that is
running the Network Device Enrollment Service. Make sure that you specify the name of the certificate
template and not the display name of the certificate template. To find the names of certificate templates,
browse to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP. You
will see the certificate templates listed as the values for EncryptionTemplate,
GeneralPurposeTemplate, and SignatureTemplate. By default, the value for all three certificate
templates is IPSECIntermediateOffline, which maps to the template display name of IPSec (Offline
request).
Subject name format - From the list, select how Intune automatically creates the subject name in the
certificate request. If the certificate is for a user, you can also include the user's email address in the
subject name. Choose from:
Not configured
Common name
Common name including email
Common name as email
Subject alternative name - Specify how Intune automatically creates the values for the subject
alternative name (SAN) in the certificate request. For example, if you selected a user certificate type, you
can include the user principal name (UPN) in the subject alternative name. If the client certificate is used
to authenticate to a Network Policy Server, set the subject alternative name to the UPN. You can also
select Custom Azure AD attribute. When you select this option, another drop-down field is displayed.
From the Custom Azure AD attribute drop-down field, there is one option: Department. When you
select this option, if the department is not identified in Azure AD, the certificate is not issued. To resolve
this issue, identify the department and save the changes. At the next device checkin, the problem is
resolved and certificate is issued. ASN.1 is the notation used for this field.
Extended key usage (Android) - Choose Add to add values for the certificate's intended purpose. In
most cases, the certificate will require Client Authentication so that the user or device can authenticate
to a server. However, you can add any other key usages as required.
Root Certificate (Android) - Choose a root CA certificate profile that you have previously configured
and assigned to the user or device. This CA certificate must be the root certificate for the CA that will
issue the certificate that you are configuring in this certificate profile. This is the trusted certificate profile
that you created previously.
7. When you're done, go back to the Create Profile blade, and click Create.
The profile is created and is displayed on the profiles list blade.
How to assign the certificate profile
Consider the following before you assign certificate profiles to groups:
When you assign certificate profiles to groups, the certificate file from the Trusted CA certificate profile is
installed on the device. The device uses the PKCS certificate profile to create a certificate request by the device.
Certificate profiles install only on devices running the platform you use when you created the profile.
You can assign certificate profiles to user groups or to device groups.
To publish a certificate to a device quickly after the device enrolls, assign the certificate profile to a user group
rather than to a device group. If you assign to a device group, a full device registration is required before the
device receives policies.
Although you assign each profile separately, you also need to assign the Trusted Root CA and the PKCS profile.
Otherwise, the PKCS certificate policy will fail.
For information about how to assign profiles, see How to assign device profiles.
How to configure Windows Information Protection in
Microsoft Intune
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE


With the increase of employee-owned devices in the enterprise, there's also an increasing risk of accidental data
leaks through apps and services, like email, social media, and the public cloud, which are outside of the enterprise's
control. For example, an employee sends the latest engineering pictures from a personal email account, copies and
pastes product info into a tweet, or saves an in-progress sales report to public cloud storage.
Windows Information Protection helps to protect against this potential data leakage without otherwise
interfering with the employee experience. It also helps to protect enterprise apps and data against accidental data
leaks on enterprise-owned devices and personal devices that employees bring to work without requiring changes
to your environment or other apps.
This Intune policy manages the list of apps protected by Windows Information Protection, enterprise network
locations, protection level, and encryption settings.

NOTE
To use the Windows 10 Company Portal app with Windows Information Protection, you must add the Company Portal app
under the Windows Information Protection mode of Exempt.

Next steps
For more information, see Protect your enterprise data using Windows Information Protection.
How to assign Microsoft Intune device profiles
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE


1. Sign into the Azure portal.


2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device configuration blade, choose Manage > Profiles.
5. In the list of profiles blade, choose the profile you want to manage, and then, on the <profile name>
Reports blade, choose Manage > Assignments.
6. On the next blade, click Select groups, and then, in the Select groups blade, choose the Azure AD groups
to which you want to assign the profile. You can hold down the CTRL key to select multiple groups.
7. When you are done, on the Select groups blade, choose Select.
Next steps
See How to monitor device profiles for information to help you monitor device profile assignments.
How to monitor device profiles in Microsoft Intune
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE


You can monitor the assignment progress of Intune device profiles in two ways:
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device Configuration blade, choose Manage > Profiles.
5. In the list of profiles blade, choose the profile you want to manage, and then, either:
On the <profile name> Reports blade, choose Overview to see basic information about the profile and
its assignments.
On the <profile name> Reports blade, choose Reports to see more detailed information about the
profile and its assignments.
Troubleshooting device profiles in Microsoft Intune
6/19/2017 18 min to read

APPLIES TO: INTUNE ON AZURE


The information in this topic can be used to help you troubleshoot common issues around Intune device profiles.

How long does it take for mobile devices to get a policy or apps after
they have been assigned?
When a policy or an app is assigned, Intune immediately begins attempting to notify the device that it should check
in with the Intune service. This typically takes less than five minutes.
If a device doesn't check in to get the policy after the first notification is sent, Intune makes three more attempts. If
the device is offline (for example, it is turned off or not connected to a network), it might not receive the
notifications. In this case, the device will get the policy on its next scheduled check-in with the Intune service as
follows:
iOS and macOS: Every 6 hours.
Android: Every 8 hours.
Windows Phone: Every 8 hours.
Windows 8.1 and Windows 10 PCs enrolled as devices: Every 8 hours.
If the device has just enrolled, the check-in frequency will be more frequent, as follows:
iOS and macOS: Every 15 minutes for 6 hours, and then every 6 hours.
Android: Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then every 8 hours.
Windows Phone: Every 5 minutes for 15 minutes, then every 15 minutes for 2 hours, and then every 8 hours.
Windows PCs enrolled as devices: Every 3 minutes for 30 minutes, and then every 8 hours.
Users can also open the Company Portal app and sync the device to immediately check for the policy anytime.

What actions cause Intune to immediately send a notification to a device?
Devices check in with Intune either when they receive a notification that tells them to check in or during their
regularly scheduled check-in. When you target a device or user specifically with an action such as a wipe, lock,
passcode reset, app assignment, profile assignment (Wi-Fi, VPN, email, etc.), or policy assignment, Intune will
immediately begin trying to notify the device that it should check in with the Intune service to receive these
updates.
Other changes, such as revising the contact information in the company portal, do not cause an immediate
notification to devices.

If multiple policies are assigned to the same user or device, how do I know which settings will get applied?
When two or more policies are assigned to the same user or device, the evaluation for which setting is applied
happens at the individual setting level:
Compliance policy settings always have precedence over configuration policy settings.
The most restrictive compliance policy setting is applied if it is evaluated against the same setting in a
different compliance policy.
If a configuration policy setting conflicts with a setting in a different configuration policy, this conflict will be
displayed in the Intune console. You must manually resolve such conflicts.

What happens when app protection policies conflict with each other? Which one will be applied to the app?
Conflict values are the most restrictive settings available in an app protection policy, except for the number entry
fields (like PIN attempts before reset). The number entry fields will be set the same as the values, as if you created a
MAM policy in the console by using the recommended settings option.
Conflicts occur when two profile settings are the same. For example, you configured two MAM policies that are
identical except for the copy/paste setting. In this scenario, the copy/paste setting will be set to the most restrictive
value, but the rest of the settings will be applied as configured.
If one profile is assigned to the app and takes effect, and then a second one is assigned, the first one will take
precedence and stay applied, while the second shows in conflict. If they are both applied at the same time, meaning
that there is no preceding profile, then they will both be in conflict. Any conflicting settings will be set to the most
restrictive values.

What happens when iOS custom policies conflict?
Intune does not evaluate the payload of Apple Configuration files or a custom Open Mobile Alliance Uniform
Resource Identifier (OMA-URI) profile. It merely serves as the delivery mechanism.
When you assign a custom profile, ensure that the configured settings do not conflict with compliance,
configuration, or other custom policies. In the case of a custom profile with settings conflicts, the order in which
settings are applied is random.

What happens when a profile is deleted or no longer applicable?
When you delete a profile, or you remove a device from a group to which a profile was assigned, the profile and
settings will be removed from the device according to the following lists.
Enrolled devices
Wi-Fi, VPN, certificate, and email profiles: These profiles are removed from all supported enrolled devices.
All other profile types:
Windows and Android devices: Settings are not removed from the device.
Windows Phone 8.1 devices: The following settings are removed:
Require a password to unlock mobile devices
Allow simple passwords
Minimum password length
Required password type
Password expiration (days)
Remember password history
Number of repeated sign-in failures to allow before the device is wiped
Minutes of inactivity before password is required
Required password type minimum number of character sets
Allow camera
Require encryption on mobile device
Allow removable storage
Allow web browser
Allow application store
Allow screen capture
Allow geolocation
Allow Microsoft account
Allow copy and paste
Allow Wi-Fi tethering
Allow automatic connection to free Wi-Fi hotspots
Allow Wi-Fi hotspot reporting
Allow factory reset
Allow Bluetooth
Allow NFC
Allow Wi-Fi
iOS: All settings are removed, except:
Allow voice roaming
Allow data roaming
Allow automatic synchronization while roaming

I changed a device restriction profile, but the changes haven't taken effect
Windows Phone devices do not allow security policies set via MDM or EAS to be reduced in security once you've
set them. For example, you set the minimum password length to 8 and then try to reduce it to 4. The
more restrictive profile has already been applied to the device.
Depending on the device platform, if you want to change the profile to a less secure value you may need to reset
security policies. For example, in Windows, on the desktop, swipe in from the right to open the Charms bar and choose
Settings > Control Panel. Select the User Accounts applet. In the left-hand navigation menu, there is a Reset
Security Policies link at the bottom. Choose it and then choose the Reset Policies button. Other MDM devices,
such as Android, Windows Phone 8.1 and later, and iOS, may need to be retired and re-enrolled into the
service before you can apply a less restrictive profile.
Next steps
If this troubleshooting information didn't help you, contact Microsoft Support as described in How to get support
for Microsoft Intune.
What is device compliance in Intune?
6/19/2017 4 min to read

APPLIES TO: INTUNE ON AZURE


Device compliance policies in Intune define the rules and settings that a device must comply with in order to be
considered compliant by Intune and by EMS conditional access policies. You can also use device compliance policies
to monitor and remediate compliance issues with devices.
These rules include the following:
Use a password to access devices
Encryption
Whether the device is jail-broken or rooted
Minimum OS version required
Maximum OS version allowed
Require the device to be at or under the Mobile Threat Defense level

How should I use a device compliance policy?
Using EMS conditional access
You can use compliance policy with EMS conditional access to allow only devices that comply with one or more
device compliance policy rules to access email and other corporate resources.
Not using EMS conditional access
You can also use device compliance policies independently of EMS conditional access. When you use compliance
policies independently, the targeted devices are evaluated and reported with their compliance status. For example,
you can get a report on how many devices are not encrypted, or which devices are jail-broken or rooted. But
when you use compliance policies independently, no access restrictions to company resources are in place.
You deploy compliance policy to users. When a compliance policy is deployed to a user, the user's devices are
checked for compliance. To learn about how long it takes for mobile devices to get a policy after the policy is
deployed, see Manage settings and features on your devices.

Intune classic admin console vs. Intune on the Azure portal
If you have been using the Intune classic admin console, note the following difference to help you transition to the
new device compliance policy workflow in the Azure portal:
In the Azure portal, compliance policies are created separately for each supported platform. In the Intune
admin console, one compliance policy was common to all supported platforms.

Migration from Intune classic console to Intune on the Azure portal
Device compliance policies created in the Intune classic console will not appear in the new Intune Azure portal.
However, they'll still be targeted to users and manageable via the Intune classic console.
If you want to take advantage of the new device compliance related features in the Intune Azure portal, you'll
need to create new device compliance policies in the Intune Azure portal itself. If you assign a new device
compliance policy in the Intune Azure portal to a user who has also been assigned a device compliance
policy from the Intune classic portal, then the device compliance policies from the Intune Azure portal take
precedence over the ones created in the Intune classic console.

Next steps
Get started on device compliance policies
Get started with device compliance in Intune
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE


In this topic, you'll learn the following:
What you need before you can start creating a device compliance policy.
A quick look at what you can see and do in the Intune Azure portal.
If you're not familiar with device compliance, you may want to read this topic to learn what device compliance is,
and how you might use it in your organization.

Prerequisites
A subscription to Intune
A subscription to Azure Active Directory

Supported Platforms:
Android
iOS
Windows 8.1
Windows Phone 8.1
Windows 10

Azure portal workflow
Here is an overview of how you can create and manage device compliance in the Intune Azure portal.
Manage
You can create, edit and delete compliance policies. You will also be able to assign policies to users from here.
Setup
Compliance status validity period

Next steps
Create a compliance policy for Android
Create a compliance policy for Android for work
Create a compliance policy for iOS
Create a compliance policy for Windows
How to create a device compliance policy for
Android devices in Intune
6/19/2017 6 min to read

APPLIES TO: INTUNE ON AZURE


Device compliance policies are created for each platform from the Intune Azure portal.
To learn more about what a compliance policy is, see the What is device compliance topic.
To learn about the prerequisites that you need to address before creating a compliance policy, see the Get started
with device compliance topic.

To create a device compliance policy
1. From the Intune blade, choose Set Device compliance. Under Manage, choose All device compliance
policies, and choose Create.
2. Type a name and description, and choose the platform that you want this policy to apply to.
3. Choose Compliance requirements to specify the Security, Device health, and Device property settings.
When you are done, choose OK.

To assign user groups
To assign a compliance policy to users, choose a policy that you have configured. Existing policies can be found in
the Compliance policies blade.
1. Choose the policy and choose Assignments. This opens the blade where you can select Azure Active
Directory security groups and assign them to the policy.
2. Choose Select groups to open the blade that displays the Azure AD security groups. Here you can find the
security groups in your Azure Active Directory. You can select the user groups you want this policy to apply to
and choose Select. Choosing Select deploys the policy to users.
You have applied the policy to users. The devices used by the users who are targeted by the policy will be
evaluated for compliance.

Device health and security settings
Device must not be jailbroken or rooted: If you enable this setting, jailbroken devices will be evaluated as
noncompliant.
Require that devices prevent installation of apps from unknown sources (Android 4.0 or later): To
block devices that have Security > Unknown sources enabled on the device, enable this setting and set it to
Yes.
Important
Side-loading applications requires that the Unknown sources setting is enabled. Enforce this compliance policy
only if you are not side-loading Android apps on devices.
Require that USB debugging is disabled (Android 4.2 or later): This setting specifies whether to detect that the
USB debugging option is enabled on the device.
Require devices have enabled Scan device for security threats (Android 4.2-4.4): This setting specifies
that the Verify apps feature is enabled on the device.
Minimum Android security patch level (Android 6.0 or later): Use this setting to specify the minimum
Android patch level. Devices that are not at least at this patch level will be noncompliant. The date must be
specified in the format YYYY-MM-DD.
Require device threat protection to be enabled: Use this setting to take the risk assessment from the
Lookout MTP solution as a condition for compliance. Choose the maximum allowed threat level, which is one of
the following:
None (secured): This is the most secure. This means that the device cannot have any threats. If the
device is detected as having any level of threats, it will be evaluated as noncompliant.
Low: The device is evaluated as compliant if only low-level threats are present. Anything higher puts the
device in a noncompliant status.
Medium: The device is evaluated as compliant if the threats that are present on the device are low or
medium level. If the device is detected to have high-level threats, it is determined to be noncompliant.
High: This is the least secure. Essentially, this allows all threat levels. It may be useful if you are using
this solution only for reporting purposes.
For more details, see Enable device threat protection rule in the compliance policy.
For more details, see Enable device threat protection rule in the compliance policy.

System security settings
Password
Require a password to unlock mobile devices: Set this to Yes to require users to enter a password before
they can access their device.
Minimum password length: Specify the minimum number of digits or characters that the user's password
must have.
Password quality: This setting detects if the password requirements that you specify are set up on the device.
Enable this setting to require that users meet certain password requirements for Android devices. Choose from:
Low security biometric
Required
At least numeric
At least alphabetic
At least alphanumeric
Alphanumeric with symbols
Minutes of inactivity before password is required: Specify the idle time before the user must reenter their
password.
Password expiration (days): Select the number of days before the password expires and they must create a
new one.
Remember password history: Use this setting together with Prevent reuse of previous passwords to
restrict the user from creating previously used passwords.
Prevent reuse of previous passwords: If you selected Remember password history, specify the number of
previously used passwords that cannot be reused.
Require a password when the device returns from an idle state: Use this setting together with the
Minutes of inactivity before password is required setting. The user is prompted to enter a password to
access a device that has been inactive for the time specified in the Minutes of inactivity before password is
required setting.
Encryption
Require encryption on mobile device: Set this to Yes to require devices to be encrypted in order to connect
to resources. Devices are encrypted when you choose the setting Require a password to unlock mobile
devices.

Device property settings
Minimum OS required: When a device does not meet the minimum OS version requirement, it is reported as
noncompliant. A link with information on how to upgrade is shown. The user can choose to upgrade their
device, after which they can access company resources.
Maximum OS version allowed: When a device is using an OS version later than the one specified in the rule,
access to company resources is blocked and the user is asked to contact their IT admin. Until there is a change
in the rules to allow the OS version, this device cannot be used to access company resources.

How do non-compliant settings work with conditional access policies?
The table below describes how non-compliant settings are managed when a compliance policy is used with a
conditional access policy.

POLICY SETTING                   ANDROID 4.0 AND LATER, SAMSUNG KNOX STANDARD 4.0 AND LATER
PIN or password configuration    Quarantined
Device encryption                Quarantined
Jailbroken or rooted device      Quarantined (not a setting)
Email profile                    Not applicable
Minimum OS version               Quarantined
Maximum OS version               Quarantined
Windows health attestation       Not applicable

Remediated = The device operating system enforces compliance. (For example, the user is forced to set a PIN.)
Quarantined = The device operating system does not enforce compliance. (For example, Android devices do not
force the user to encrypt the device.) When the device is not compliant, the following actions take place:
The device is blocked if a conditional access policy applies to the user.
The company portal notifies the user about any compliance problems.
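To show how the per-setting rules described above combine into one compliance verdict, and how every Android row in the table maps to the Quarantined outcome, here is an added Python model (not Microsoft's or Intune's code). The device fields and policy values are constructed samples; the rooted, patch-level (YYYY-MM-DD), OS-version, password and Lookout threat-level checks follow the setting descriptions on this page.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Tuple

# Lookout threat levels as the page lists them, ordered from most to least secure.
THREAT_LEVELS = ("none", "low", "medium", "high")


@dataclass
class CompliancePolicy:
    """Android compliance settings from this page (None = setting not configured)."""
    block_rooted: bool = False
    block_unknown_sources: bool = False
    require_usb_debugging_disabled: bool = False
    min_patch_level: Optional[str] = None      # "YYYY-MM-DD", as the setting requires
    max_threat_level: Optional[str] = None     # one of THREAT_LEVELS
    require_password: bool = False
    min_password_length: Optional[int] = None
    require_encryption: bool = False
    min_os_version: Optional[str] = None       # e.g. "6.0"
    max_os_version: Optional[str] = None


@dataclass
class AndroidDevice:
    """Constructed sample of what a device reports at check-in (hypothetical fields)."""
    rooted: bool = False
    unknown_sources_enabled: bool = False
    usb_debugging_enabled: bool = False
    patch_level: str = "2017-06-01"
    threat_level: str = "none"
    has_password: bool = True
    password_length: int = 6
    encrypted: bool = True
    os_version: str = "7.0"


def parse_version(version: str) -> Tuple[int, ...]:
    """'7.1.2' -> (7, 1, 2); tuples compare component-wise, so 7.1.2 > 7.1 > 6.0."""
    return tuple(int(part) for part in version.split("."))


def parse_patch_level(value: str) -> date:
    """Enforce the YYYY-MM-DD format the setting requires; anything else raises ValueError."""
    return date.fromisoformat(value)


def evaluate(policy: CompliancePolicy, device: AndroidDevice) -> Dict[str, str]:
    """Return {setting: reason} for each failing setting; an empty dict means compliant."""
    failures: Dict[str, str] = {}
    # Device health and security settings
    if policy.block_rooted and device.rooted:
        failures["rooted"] = "device is jailbroken or rooted"
    if policy.block_unknown_sources and device.unknown_sources_enabled:
        failures["unknown_sources"] = "Security > Unknown sources is enabled"
    if policy.require_usb_debugging_disabled and device.usb_debugging_enabled:
        failures["usb_debugging"] = "USB debugging is enabled"
    if policy.min_patch_level is not None:
        if parse_patch_level(device.patch_level) < parse_patch_level(policy.min_patch_level):
            failures["patch_level"] = f"patch level {device.patch_level} is older than {policy.min_patch_level}"
    if policy.max_threat_level is not None:
        # An unknown level name raises ValueError rather than silently passing.
        if THREAT_LEVELS.index(device.threat_level) > THREAT_LEVELS.index(policy.max_threat_level):
            failures["threat_level"] = f"threat level {device.threat_level} exceeds {policy.max_threat_level}"
    # System security settings
    if policy.require_password and not device.has_password:
        failures["password"] = "no password set to unlock the device"
    if policy.min_password_length is not None and device.password_length < policy.min_password_length:
        failures["password_length"] = f"password is shorter than {policy.min_password_length}"
    if policy.require_encryption and not device.encrypted:
        failures["encryption"] = "device storage is not encrypted"
    # Device property settings
    if policy.min_os_version and parse_version(device.os_version) < parse_version(policy.min_os_version):
        failures["min_os"] = f"OS {device.os_version} is below minimum {policy.min_os_version}"
    if policy.max_os_version and parse_version(device.os_version) > parse_version(policy.max_os_version):
        failures["max_os"] = f"OS {device.os_version} is later than maximum {policy.max_os_version}"
    return failures


def conditional_access_outcome(failures: Dict[str, str]) -> str:
    """Every Android row in the table above is Quarantined: the OS does not enforce the
    setting, so a failing device is blocked by conditional access and the Company Portal
    reports the problems to the user."""
    return "compliant" if not failures else "quarantined"


if __name__ == "__main__":
    policy = CompliancePolicy(block_rooted=True, min_patch_level="2017-05-01",
                              max_threat_level="low", require_password=True,
                              min_password_length=6, require_encryption=True,
                              min_os_version="6.0", max_os_version="7.1")
    for dev in (AndroidDevice(),
                AndroidDevice(rooted=True, patch_level="2017-03-01",
                              threat_level="high", os_version="7.1.2")):
        result = evaluate(policy, dev)
        print(conditional_access_outcome(result), result)
```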
How to create a device compliance policy for
Android for Work devices in Intune
6/19/2017 6 min to read

APPLIES TO: INTUNE ON AZURE


Compliance policies are created for each platform. You can create a compliance policy in the Azure portal. To learn
more about what a compliance policy is, see the What is device compliance topic. To learn about the prerequisites that
you need to address before creating a compliance policy, see the Get started with device compliance topic.
The table below describes how noncompliant settings are managed when a compliance policy is used with a
conditional access policy.

POLICY SETTING                   ANDROID FOR WORK
PIN or password configuration    Quarantined
Device encryption                Quarantined
Jailbroken or rooted device      Quarantined (not a setting)
Email profile                    Not applicable
Minimum OS version               Quarantined
Maximum OS version               Quarantined
Windows health attestation       Not applicable

Remediated = The device operating system enforces compliance. (For example, the user is forced to set a PIN.)
Quarantined = The device operating system does not enforce compliance. (For example, Android devices do not
force the user to encrypt the device.) When the device is not compliant, the following actions take place:
The device is blocked if a conditional access policy applies to the user.
The company portal notifies the user about any compliance problems.

Create a compliance policy in the Azure portal
1. From the Intune blade, choose Set Device compliance. Under Manage, choose All device compliance
policies and choose Create.
2. Type a name and description, and choose the platform that you want this policy to apply to.
3. Choose Compliance requirements to specify the Security, Device health, and Device property settings.
When you are done, choose OK.
Assign user groups
To assign a compliance policy to users, choose a policy that you have configured. Existing policies can be found in
the Compliance policy blade.
1. Choose the policy you want to assign to users and choose Assignments. This opens the blade where you can
select Azure Active Directory security groups and assign them to the policy.
2. Choose Select groups to open the blade that displays the Azure AD security groups. Choosing Select deploys
the policy to users.
You have applied the policy to users. The devices used by the users who are targeted by the policy will be evaluated
for compliance.

System security settings
Password
Require a password to unlock mobile devices: Set this to Yes to require users to enter a password before
they can access their device.
Minimum password length: Specify the minimum number of digits or characters that the password must
contain.
Password quality: This setting detects if the password requirements you specify are configured on the device.
Enable this setting to require that users configure certain password requirements for Android devices. Choose
from:
Low security biometric
Required
At least numeric
At least alphabetic
At least alphanumeric
Alphanumeric with symbols
Minutes of inactivity before password is required: Specifies the idle time before the user must re-enter
their password.
Password expiration (days): Select the number of days before the user's password expires and they must
create a new one.
Remember password history: Use this setting in conjunction with Prevent reuse of previous passwords to
restrict the user from creating previously used passwords.
Prevent reuse of previous passwords: If Remember password history is selected, specify the number of
previously used passwords that cannot be re-used.
Require a password when the device returns from an idle state: Use this setting together with the
Minutes of inactivity before password is required setting. End users are prompted to enter a
password to access a device that has been inactive for the time specified in the Minutes of inactivity before
password is required setting.
Encryption
Require encryption on mobile device: You don't have to configure this setting since Android for Work
devices enforce encryption.

Device health and security settings
Device must not be jailbroken or rooted: If you enable this setting, jailbroken devices will be evaluated as
noncompliant.
Require that devices prevent installation of apps from unknown sources: You do not have to configure
this setting, as Android for Work devices always restrict installation from unknown sources.
Require that USB debugging is disabled: You do not have to configure this setting, as USB debugging is
already disabled on Android for Work devices.
Minimum Android security patch level: Use this setting to specify the minimum Android patch level. Devices
that are not at least at this patch level will be noncompliant. The date must be specified in the format
YYYY-MM-DD.
Require device threat protection to be enabled: Use this setting to take the risk assessment from the
Lookout MTP solution as a condition for compliance. Select the maximum allowed threat level, which is one of
the following:
None (secured): This is the most secure. This means that the device cannot have any threats. If the
device is detected as having any level of threats, it will be evaluated as non-compliant.
Low: The device is evaluated as compliant if only low-level threats are present. Anything higher puts the
device in a non-compliant status.
Medium: The device is evaluated as compliant if the threats that are present on the device are low or
medium level. If the device is detected to have high-level threats, it is determined to be non-compliant.
High: This is the least secure. Essentially, this allows all threat levels. It may be useful if you are using
this solution only for reporting purposes.
For more details, see Enable device threat protection rule in the compliance policy.

Device property settings
Minimum OS required: When a device does not meet the minimum OS version requirement, it is reported as
noncompliant. A link with information on how to upgrade is displayed. The end user can choose to upgrade
their device, after which they can access company resources.
Maximum OS version allowed: When a device is using an OS version later than the one specified in the rule,
access to company resources is blocked and the user is asked to contact their IT admin. Until there is a change in
the rule to allow the OS version, this device cannot be used to access company resources.
How to create a device compliance policy for iOS
devices in Intune
6/19/2017 5 min to read

APPLIES TO: INTUNE ON AZURE


Compliance policies are created for each platform. You can create a compliance policy in the Azure portal. To learn
more about what a compliance policy is, see the What is device compliance topic. To learn about the prerequisites that
you need to address before creating a compliance policy, see the Get started with device compliance topic.
The table below describes how noncompliant settings are managed when a compliance policy is used with a
conditional access policy.

POLICY SETTING                   IOS 8.0 AND LATER
PIN or password configuration    Remediated
Device encryption                Remediated (by setting PIN)
Jailbroken or rooted device      Quarantined (not a setting)
Email profile                    Quarantined
Minimum OS version               Quarantined
Maximum OS version               Quarantined
Windows health attestation       Not applicable

Remediated = The device operating system enforces compliance. (For example, the user is forced to set a PIN.)
Quarantined = The device operating system does not enforce compliance. (For example, Android devices do not
force the user to encrypt the device.) When the device is not compliant, the following actions take place:
The device is blocked if a conditional access policy applies to the user.
The company portal notifies the user about any compliance problems.

Create a compliance policy in the Azure portal
1. From the Intune blade, choose Set Device compliance. Under Manage, choose All device compliance
policies and choose Create.
2. Type a name and description, and choose the platform that you want this policy to apply to.
3. Choose Compliance requirements to specify the Security, Device health, and Device property settings.
When you are done, choose OK.
Assign user groups
To assign a compliance policy to users, choose a policy that you have configured. Existing policies can be found in
the Compliance policies blade.
1. Choose the policy you want to assign to users and choose Assignments. This opens the blade where you can
select Azure Active Directory security groups and assign them to the policy.
2. Choose Select groups to open the blade that displays the Azure AD security groups. Choosing Select deploys
the policy to users.
You have applied the policy to users. The devices used by the users who are targeted by the policy will be evaluated
for compliance.

System security settings
Password
Require a password to unlock mobile devices: Set this to Yes to require the user to enter a password
before they can access their device. iOS devices that use a password are encrypted.
Allow simple passwords: Set this to Yes to let the user create a simple password like 1234 or 1111.
Minimum password length: Specify the minimum number of digits or characters that the password must
have.
Required password type: Specify whether the user must create an Alphanumeric password or a Numeric
password.
Minimum number of character sets: If you set Required password type to Alphanumeric, use this setting
to specify the minimum number of character sets that the password must have. The four character sets are:
Lowercase letters
Uppercase letters
Symbols
Numbers
Setting a higher number will require the user to create a password that is more complex.
For iOS devices, this setting refers to the number of special characters (for example, !, #, &) that must be included
in the password.
Minutes of inactivity before password is required: Specify the idle time before the user must reenter their
password.
Password expiration (days): Select the number of days before the password expires and they must create a
new one.
Remember password history: Use this setting in conjunction with Prevent reuse of previous passwords to
restrict the user from creating previously used passwords.
Prevent reuse of previous passwords: If you selected Remember password history, specify the number of
previously used passwords that cannot be reused.
Require a password when the device returns from an idle state: Use this setting together with the
Minutes of inactivity before password is required setting. The user is prompted to enter a password to
access a device that has been inactive for the time specified in the Minutes of inactivity before password is
required setting.
Email profile
Email account must be managed by Intune: When this option is set to Yes, the device must use the email
profile deployed to the device. The device is considered noncompliant in the following situations:
The email profile is deployed to a user group other than the user group that the compliance policy
targets.
The user has already set up an email account on the device that matches the Intune email profile
deployed to the device. Intune cannot overwrite the user-provisioned profile, and therefore cannot
manage it. To ensure compliance, the user must remove the existing email settings. Then, Intune can
install the managed email profile.
Select the email profile that must be managed by Intune: If the Email account must be managed by
Intune setting is selected, choose Select to specify the Intune email profile. The email profile must be present
on the device.
For details about email profile, see Configure access to corporate email using email profiles with Microsoft Intune.

Device health settings
Device must not be jailbroken or rooted: If you enable this setting, jailbroken devices will not be compliant.

Device properties
Minimum OS required: When a device does not meet the minimum OS version requirement, it is reported as
noncompliant. A link with information on how to upgrade appears. The user can choose to upgrade their device.
After that, they can access company resources.
Maximum OS version allowed: When a device is using an OS version later than the one specified in the rule,
access to company resources is blocked and the user is asked to contact their IT admin. Until there is a change in
the rule to allow the OS version, this device cannot be used to access company resources.
How to create a device compliance policy for
Windows devices in Intune
6/19/2017 11 min to read

APPLIES TO: INTUNE ON AZURE


Compliance policies are created for each platform. You can create a compliance policy in the Azure portal. To learn
more about what a compliance policy is, see the What is device compliance topic. To learn about the prerequisites that
you need to address before creating a compliance policy, see the Get started with device compliance topic.
The table below describes how noncompliant settings are managed when a compliance policy is used with a
conditional access policy.

POLICY SETTING                   WINDOWS 8.1 AND LATER                             WINDOWS PHONE 8.1 AND LATER
PIN or password configuration    Remediated                                        Remediated
Device encryption                Not applicable                                    Remediated
Jailbroken or rooted device      Not applicable                                    Not applicable
Email profile                    Not applicable                                    Not applicable
Minimum OS version               Quarantined                                       Quarantined
Maximum OS version               Quarantined                                       Quarantined
Windows health attestation       Quarantined: Windows 10 and Windows 10 Mobile     Not applicable: Windows 8.1

Remediated = The device operating system enforces compliance. (For example, the user is forced to set a PIN.)
Quarantined = The device operating system does not enforce compliance. (For example, Android devices do not
force the user to encrypt the device.) When the device is not compliant, the following actions take place:
The device is blocked if a conditional access policy applies to the user.
The company portal notifies the user about any compliance problems.

Create a compliance policy in the Azure portal
1. From the Intune blade, choose Set Device compliance. Under Manage, choose All device compliance
policies and choose Create.
2. Type a name and description, and choose the platform that you want this policy to apply to.
3. Choose Compliance requirements to open the compliance requirements blade. You can specify the Security,
Device health, and Device property settings here. When you are done, choose OK.
Assign user groups
To assign a compliance policy to users, choose a policy that you have configured. Existing policies can be found in
the Compliance policies blade.
1. Choose the policy you want to assign to users and choose Assignments. This opens the blade where you can
select Azure Active Directory security groups and assign them to the policy.
2. Choose Select groups to open the blade that displays the Azure AD security groups. Choosing Select deploys
the policy to users.
You have applied the policy to users. The devices used by the users who are targeted by the policy will be evaluated
for compliance.

System security settings


Password
Require a password to unlock mobile devices: Set this to Yes to require users to enter a password before
they can access their device.
Allow simple passwords: Set this to Yes to let users create simple passwords such as '1234' or '1111'.
Minimum password length: Specify the minimum number of digits or characters that the user's password
must contain.
Required password type: Specify whether users must create an Alphanumeric or a Numeric password.
For devices that run Windows and are accessed with a Microsoft account, the compliance policy will fail to evaluate
correctly if the minimum password length is greater than eight characters or if the minimum number of character
sets is more than two.
Minimum number of character sets: If Required password type is set to Alphanumeric, this setting
specifies the minimum number of character sets that the password must contain. The four character sets are:
Lowercase letters
Uppercase letters
Symbols
Numbers
Setting a higher number for this setting will require users to create passwords that are more complex. For devices
that run Windows and are accessed with a Microsoft account, the compliance policy will fail to evaluate correctly if
the minimum password length is greater than eight characters or if the minimum number of character sets is more
than two.
Minutes of inactivity before password is required: Specifies the idle time before the user must re-enter
their password.
Password expiration (days): Select the number of days before the user's password expires and they must
create a new one.
Remember password history: Use this setting in conjunction with Prevent reuse of previous passwords to
restrict the user from creating previously used passwords.
Prevent reuse of previous passwords: If Remember password history is selected, specify the number of
previously used passwords that cannot be re-used.
Require a password when the device returns from an idle state: This setting should be used together with
the Minutes of inactivity before password is required setting. The end users are prompted to enter a
password to access a device that has been inactive for the time specified in the Minutes of inactivity before
password is required setting.
This setting only applies to Windows 10 Mobile devices.
Encryption
Require encryption on mobile device: Set this to Yes to require the device to be encrypted in order to
connect to resources.

Device health settings


Require devices to be reported as healthy: You can set a rule to require that Windows 10 Mobile devices
must be reported as healthy in new or existing Compliance Policies. If this setting is enabled, Windows 10
devices are evaluated via the Health Attestation Service (HAS) for the following data points:
BitLocker is enabled: When BitLocker is on, the device is able to protect data that is stored on the drive
from unauthorized access, when the system is turned off or goes to hibernation. Windows BitLocker
Drive Encryption encrypts all data stored on the Windows operating system volume. BitLocker uses the
TPM to help protect the Windows operating system and user data and helps to ensure that a computer is
not tampered with, even if it is left unattended, lost, or stolen. If the computer is equipped with a
compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the
keys cannot be accessed until the TPM has verified the state of the computer.
Code integrity is enabled: Code integrity is a feature that validates the integrity of a driver or system
file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file
is being loaded into the kernel, or whether a system file has been modified by malicious software that is
being run by a user account with administrator privileges.
Secure Boot is enabled: When Secure Boot is enabled, the system is forced to boot to a factory trusted
state. Also, when Secure Boot is enabled, the core components used to boot the machine must have
correct cryptographic signatures that are trusted by the organization that manufactured the device. The
UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking
their signature, the system will not boot.
For information on how the HAS service works, see Health Attestation CSP.

Device property settings


Minimum OS required: When a device does not meet the minimum OS version requirement, it is reported as
noncompliant. A link with information on how to upgrade is displayed. The end user can choose to upgrade
their device after which they can access company resources.
Maximum OS version allowed: When a device is using an OS version later than the one specified in the rule,
access to company resources is blocked and the user is asked to contact their IT admin. Until the rule is changed to
allow the OS version, this device cannot be used to access company resources.

System security settings


Password
Minimum password length: - Supported on Windows 8.1.
Specify the minimum number of digits or characters that the user's password must contain.
For devices that are accessed with a Microsoft Account, the compliance policy will fail to evaluate correctly if
Minimum password length is greater than 8 characters or if Minimum number of character sets is more than
two.
Required password type: - Supported on Windows RT, Windows RT 8.1, and Windows 8.1.
Specify whether users must create an Alphanumeric or a Numeric password.
Minimum number of character sets: - Supported on Windows RT, Windows RT 8.1, and Windows 8.1. If
Required password type is set to Alphanumeric, this setting specifies the minimum number of character
sets that the password must contain. The four character sets are:
Lowercase letters
Uppercase letters
Symbols
Numbers
Setting a higher number for this setting will require users to create passwords that are more complex.
For devices that are accessed with a Microsoft Account, the compliance policy will fail to evaluate correctly if
Minimum password length is greater than 8 characters or if Minimum number of character sets is more than
two.
Minutes of inactivity before password is required: - Supported on Windows RT, Windows RT 8.1, and
Windows 8.1.
Specify the idle time before the user must re-enter their password.
Password expiration (days): - Supported on Windows RT, Windows RT 8.1, and Windows 8.1.
Select the number of days before the user's password expires and they must create a new one.
Remember password history: - Supported on Windows RT, Windows RT 8.1, and Windows 8.1.
Use this setting in conjunction with Prevent reuse of previous passwords to restrict the user from creating
previously used passwords.
Prevent reuse of previous passwords: - Supported on Windows RT, Windows RT 8.1, and Windows 8.1.
If Remember password history is selected, specify the number of previously used passwords that cannot be
re-used.

Device health settings


Require devices to be reported as healthy: - Supported on Windows 10 devices. You can set a rule to
require that Windows 10 devices must be reported as healthy in new or existing Compliance Policies. If this
setting is enabled, Windows 10 devices are evaluated via the Health Attestation Service (HAS) for the following
data points:
BitLocker is enabled: When BitLocker is on, the device is able to protect data that is stored on the drive
from unauthorized access, when the system is turned off or goes to hibernation. Windows BitLocker
Drive Encryption encrypts all data stored on the Windows operating system volume. BitLocker uses the
TPM to help protect the Windows operating system and user data and helps to ensure that a computer is
not tampered with, even if it is left unattended, lost, or stolen. If the computer is equipped with a
compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the
keys cannot be accessed until the TPM has verified the state of the computer.
Code integrity is enabled: Code integrity is a feature that validates the integrity of a driver or system
file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file
is being loaded into the kernel, or whether a system file has been modified by malicious software that is
being run by a user account with administrator privileges.
Secure Boot is enabled: When Secure Boot is enabled, the system is forced to boot to a factory trusted
state. Also, when Secure Boot is enabled, the core components used to boot the machine must have
correct cryptographic signatures that are trusted by the organization that manufactured the device. The
UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking
their signature, the system will not boot.
Early-launch antimalware is enabled: Early launch anti-malware (ELAM) provides protection for the
computers in your network when they start up and before third party drivers initialize.
For information on how the HAS service works, see Health Attestation CSP.

Device property settings


Minimum OS required: - Supported on Windows 8.1 and Windows 10.
Specify the major.minor.build number here. The version number must correspond to the version returned by the
winver command.

When a device has an earlier version than the specified OS version, it is reported as noncompliant. A link with
information on how to upgrade is displayed. The end user can choose to upgrade their device, after which they can
access company resources.
Maximum OS version allowed: - Supported on Windows 8.1 and Windows 10.
When a device is using an OS version later than the one specified in the rule, access to company resources is
blocked and the user is asked to contact their IT admin. Until the rule is changed to allow the OS version, this
device cannot be used to access company resources.
To find the OS version to use for the Minimum OS required and Maximum OS version allowed settings, run
the winver command from the command prompt. The winver command returns the reported version of the OS.
Windows 8.1 PCs return a version of 3. If the OS version rule is set to Windows 8.1 for Windows, then the
device is reported as noncompliant even if the device has Windows 8.1.
For PCs running Windows 10, the version should be set as "10.0" + the OS build number returned by the winver
command.
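The following script is an added example (not from the Intune documentation or the Intune product) that pre-checks a Windows 10 PC against the rule types described above: the OS version bounds built from the winver value, and local stand-ins for the BitLocker, Secure Boot and code integrity data points of the Health Attestation Service. The thresholds are constructed sample values, the health checks approximate what HAS reports rather than speaking the HAS protocol, and the syntax assumes PowerShell 3.0 or later run from an elevated prompt.

```powershell
# Added example; it is not from the Intune documentation or the Intune product.
# It pre-checks a Windows 10 PC against the rule types described above (OS
# version bounds and the Health Attestation data points) so an admin can predict
# Intune's verdict before assigning the policy. Thresholds are constructed
# sample values; the health checks are local approximations of what the Health
# Attestation Service (HAS) reports, not the HAS protocol itself. Run elevated.

function Test-OsVersionRule {
    # Intune expects "10.0." + build (for example 10.0.15063), the value winver
    # shows. Cast to [version] before comparing: as strings, "10.0.9600" sorts
    # after "10.0.15063", so a string compare would call a Windows 8.1 build
    # newer than a Windows 10 build.
    param(
        [Parameter(Mandatory)][version]$Actual,
        [version]$Minimum,
        [version]$Maximum
    )
    if ($Minimum -and $Actual -lt $Minimum) {
        return [pscustomobject]@{
            Setting   = 'Minimum OS required'
            Compliant = $false
            Detail    = "$Actual is older than $Minimum; the user is offered an upgrade link"
        }
    }
    if ($Maximum -and $Actual -gt $Maximum) {
        return [pscustomobject]@{
            Setting   = 'Maximum OS version allowed'
            Compliant = $false
            Detail    = "$Actual is newer than $Maximum; the user must contact IT"
        }
    }
    [pscustomobject]@{ Setting = 'OS version'; Compliant = $true; Detail = "$Actual is within bounds" }
}

function Get-DeviceHealthSignals {
    # Local stand-ins for the BitLocker, Secure Boot and code integrity data
    # points. Each defaults to "not healthy" when the check cannot run.
    $bitLocker = $false
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $bitLocker = ($vol.ProtectionStatus -eq 'On')
    } catch { }      # BitLocker module missing or not elevated

    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { }        # legacy BIOS (no UEFI) or not elevated

    # Kernel code integrity is weakened when test signing or nointegritychecks
    # is set in the boot configuration; treat either as "code integrity off".
    $bcd = (& bcdedit.exe /enum '{current}' 2>$null) -join "`n"
    $codeIntegrity = -not ($bcd -match '(?im)^\s*(testsigning|nointegritychecks)\s+Yes')

    [pscustomobject]@{
        BitLockerEnabled     = $bitLocker
        SecureBootEnabled    = $secureBoot
        CodeIntegrityEnabled = $codeIntegrity
    }
}

function Get-WindowsComplianceReport {
    param(
        [version]$MinimumOsVersion = '10.0.14393',  # constructed sample threshold
        [version]$MaximumOsVersion = $null,         # $null means no upper bound
        [switch]$RequireHealthyDevice
    )
    # Win32_OperatingSystem.Version is the same major.minor.build that winver reports.
    $osVersion = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    $report = @(Test-OsVersionRule -Actual $osVersion -Minimum $MinimumOsVersion -Maximum $MaximumOsVersion)

    if ($RequireHealthyDevice) {
        $health = Get-DeviceHealthSignals
        foreach ($signal in $health.PSObject.Properties) {
            $detail = if ($signal.Value) { 'reported healthy' } else { 'device would be quarantined' }
            $report += [pscustomobject]@{
                Setting   = $signal.Name
                Compliant = [bool]$signal.Value
                Detail    = $detail
            }
        }
    }
    $report
}

# Usage: predict the verdict of a policy requiring build 14393 or later and a
# healthy device report.
Get-WindowsComplianceReport -MinimumOsVersion '10.0.14393' -RequireHealthyDevice | Format-Table -AutoSize
```

A device that fails only the Minimum OS rule shows the upgrade-link outcome, while any unhealthy signal maps to the Quarantined row of the table above.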
Monitor Intune Device compliance policies
6/19/2017 4 min to read

Compliance reports help admins to analyze the compliance posture of devices in their organization, and quickly
troubleshoot compliance related issues encountered by users inside their organization. You can view information
about the overall compliance state of devices, compliance state for an individual setting, compliance state for an
individual policy and drill down into individual devices to view specific settings and policies that affect the device.

Before you begin


Follow the steps below to find the Intune Device compliance dashboard in the Azure portal:
1. Go to the Azure Portal, and sign in with your Intune credentials.
2. Choose More services from the left menu, then type Intune in the text box filter.
3. Choose Intune > Device compliance > Overview, then the Device compliance dashboard opens.

IMPORTANT
Devices must be enrolled into Intune to receive device compliance policies.

Device compliance dashboard


In the Device compliance dashboard, you can monitor the Device compliance policy states, which provides
different reports within different tiles that give you the compliance posture of devices in your organization. You can
view the following reports:
Overall device compliance aggregate
Per-policy device compliance
Per-setting device compliance
You can also view the specific compliance policies and settings that apply to an individual device, and the final
compliance state for each of those settings on the device.
Overall device compliance aggregate report
It's a donut chart showing the aggregate compliance state for all Intune-enrolled devices. The device compliance
states are kept in two different databases, Intune and Azure Active Directory. Here are more details about the
device compliance policy states:
Compliant: The device successfully applied one or more device compliance policy settings targeted by the
admin.
Not-compliant: The device failed to apply one or more device compliance policy settings targeted by the
admin, or the user hasn't complied with the policies targeted by the admin.
In-grace period: The device was targeted by the admin with one or more device compliance policy settings,
but the user hasn't applied the policies yet, which means the device is not-compliant but is in the grace
period defined by the admin.
Learn more about Actions for non-compliant devices.
Device not synced: The device failed to report its device compliance policy status because one of the
following:
Unknown: The device is offline or failed to communicate with Intune or Azure AD for other reasons.
Error: The device failed to communicate with Intune and Azure AD, and received an error message
with the reason.

IMPORTANT
Devices that are enrolled into Intune, but not targeted by any device compliance policies will be included in this report under
the Compliant bucket.

Drill-down option
From the Device compliance dashboard, if you click the Device compliance tile, you can drill down into the
specific compliance status, user's email alias, device model, and location for each device that was targeted by
the device compliance policies.

If you need more details about a specific user, you can filter the Device compliance chart report by typing the user's
e-mail alias.
You can also click the different compliance statuses on the Device compliance chart to see more details about the
compliance policy statuses of the user's devices.

Filter
If you click the Filter button, the filter fly-out opens with the following options:
Model
Textbox accepting free search string
Platform
Android
iOS
Mac OS
Windows
Windows Phone
Status
Compliant
Not Compliant
In Grace period
Unknown
Error
When you click the Update button, the fly-out closes and the results update according to the selected filter
criteria.
Device details

Clicking a device opens the Devices blade with the device selected. This provides more details on the device
compliance policy settings applied to that device.

When you click a device policy setting itself, you can see the name of the device compliance policy from which
that setting, targeted by the admin, originated.
Per-policy device compliance report
This report provides a per-compliance-policy view and the total number of devices in each compliance state. The
Policy compliance tile is available from the Device compliance dashboard, and it shows all policies previously
created by the admin, the platforms the policy is applied to, the number of compliant devices, and the number of
non-compliant devices.

When you click the Policy compliance tile, then click one of the device compliance policies, you'll be able to
see the compliance status, user's email alias, device model, and location for each device that was targeted by
that device compliance policy.
Per-setting device compliance report
This report allows you to view, per compliance setting, the total number of devices in each compliance state. The
Settings compliance tile is available from the Device compliance dashboard, and it shows all device
compliance policy settings from all device compliance policies created by the admin, the platforms which the policy
settings were applied, and the number of non-compliant devices.

When you click the Setting compliance tile, then click one of the device compliance policy settings, you'll be
able to see the compliance status, user's email alias, device model, and location for each device that was
targeted by that device compliance policy setting.
What's conditional access?
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go here.

This topic describes Conditional access as it applies to Enterprise Mobility + Security (EMS), and follows that with
Conditional access common scenarios when using Intune.
Enterprise Mobility + Security (EMS) Conditional Access is not a standalone product; it's a solution that spans all
services and products that are part of EMS. It provides granular access control to keep your corporate data
secure, while giving users an experience that allows them to do their best work from any device and from any
location.
You can define conditions that gate access to your corporate data based on location, device, user state, and
application sensitivity.

NOTE
Conditional Access also extends its capabilities to Office 365 services.

Conditional access with Intune


Intune adds mobile device compliance and mobile application management capabilities to support the EMS
Conditional Access solution.
Ways to use conditional access with Intune:
Device-based conditional access
Conditional access for Exchange on-premises
Conditional access based on network access control
Conditional access based on device risk
Conditional access for Windows PCs
Corporate-owned
Bring your own device (BYOD)
App-based conditional access

Next steps
Common ways to use conditional access with Intune
Common ways to use conditional access with Intune
6/23/2017 5 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go here.

You need to configure Intune mobile device compliance policy and the Intune mobile application management
(MAM) capabilities to drive conditional access compliance at your organization. Let's talk about the common ways
to use conditional access with Intune.

Device-based conditional access


Intune and Azure Active Directory work together to make sure only managed and compliant devices are allowed
access to email, Office 365 services, Software as a service (SaaS) apps, and on-premises apps. Additionally, you can
set a policy in Azure Active Directory to only enable computers that are domain-joined, or mobile devices that are
enrolled in Intune to access Office 365 services.
Intune provides device compliance policy capabilities that evaluate the compliance status of the devices. The
compliance status is reported to Azure Active Directory that uses it to enforce the conditional access policy created
in Azure Active Directory when the user tries to access company resources.
With the new Azure portal, device-based conditional access policies for Exchange Online and other Office 365
products are configured through the Azure portal.
Learn more about conditional access in Azure Active Directory.
Learn more about what is Intune device compliance.
Learn more about protecting e-mail, Office 365, and other services using conditional access with Intune.
Conditional access for Exchange on-premises
Conditional access can be used to allow or block access to Exchange on-premises based on the device
compliance policies and enrollment state. When conditional access is used in combination with a device
compliance policy, only compliant devices are allowed access to Exchange on-premises.
You can configure advanced settings in conditional access for more granular control such as:
Allow or block certain platforms.
Immediately block devices that are not managed by Intune.
Any device used to access Exchange on-premises is checked for compliance when device compliance and
conditional access policies are applied.
When devices do not meet the conditions set, the end user is guided through the process of enrolling the device to
fix the issue that is making the device non-compliant.
How conditional access for Exchange on-premises works
The Intune Exchange connector pulls in all the Exchange ActiveSync (EAS) records that exist on the Exchange server
so Intune can map these EAS records to Intune device records. These records are devices enrolled in and
recognized by Intune. This process allows or blocks e-mail access.
If the EAS record is brand new and Intune is not aware of it, Intune issues a cmdlet that blocks access to e-mail.
Here are more details on how this process works:

1. User tries to access corporate e-mail, which is hosted on Exchange on-premises 2010 SP1 or later.
2. If the device is not managed by Intune, it will be blocked access to e-mail. Intune sends block notification to
the EAS client.
3. EAS receives block notification, moves the device to quarantine, and sends the quarantine e-mail with
remediation steps that contain links so the users can enroll their devices.
4. The Workplace join process happens, which is the first step to have the device managed by Intune.
5. The device gets enrolled into Intune.
6. Intune maps the EAS record to a device record, and saves the device compliance state.
7. The EAS client ID gets registered by the Azure AD Device Registration process, which creates a relationship
between the Intune device record, and the EAS client ID.
8. The Azure AD Device Registration saves the device state information.
9. If the user meets the conditional access policies, Intune issues a cmdlet through the Intune Exchange
connector that allows the mailbox to sync.
10. Exchange server sends the notification to EAS client so the user can access e-mail.
What's the Intune role?
Intune evaluates and manages the device state.
What's the Exchange server role?
The Exchange server provides the API and infrastructure to move devices to its quarantine.

IMPORTANT
Keep in mind that the user who's using the device must have a compliance profile assigned to them so that the device
can be evaluated for compliance. If no compliance policy is deployed to the user, the device is treated as compliant
and no access restrictions are applied.

Conditional access based on network access control


Intune integrates with partners like Cisco ISE, Aruba ClearPass, and Citrix NetScaler to provide access controls
based on the Intune enrollment and the device compliance state.
Users can be allowed or denied access when trying to access corporate Wi-Fi or VPN resources based on whether
the device is managed and compliant with Intune device compliance policies.
Learn more about the NAC integration with Intune.
Conditional access based on device risk
Intune partners with Mobile Threat Defense vendors that provide a security solution to detect malware, Trojans,
and other threats on mobile devices.
How the Intune and mobile threat defense integration works
When mobile devices have the mobile threat defense agent installed, the agent can send compliance state
messages back to Intune reporting if a threat has been found in the mobile device itself.
The Intune and mobile threat defense integration is a factor in conditional access decisions based on device
risk.
Learn more about Intune mobile threat defense.
Conditional access for Windows PCs
Conditional access for PCs provides capabilities similar to those available for mobile devices. Let's talk about the
ways you can use conditional access when managing PCs with Intune.
Corporate-owned
On-premises AD domain joined: This has been the most common conditional access deployment option
for organizations that are reasonably comfortable with the fact that they're already managing their PCs
through AD group policies and/or with System Center Configuration Manager.
Azure AD domain joined and Intune management: This scenario is typically geared to Choose Your
Own Device (CYOD) and roaming laptop scenarios where these devices are rarely connected to the corporate
network. The device joins Azure AD and gets enrolled in Intune, which removes any dependency on
on-premises AD and domain controllers. This can be used as a conditional access criterion when accessing
corporate resources.
AD domain joined and System Center Configuration Manager: As of the current branch, System Center
Configuration Manager provides conditional access capabilities that can evaluate specific compliance
criteria, in addition to being a domain-joined PC:
Is the PC encrypted?
Is antimalware installed? Is it up to date?
Is the device jailbroken or rooted?
Bring your own device (BYOD)
Workplace join and Intune management: Here the user can join their personal devices to access corporate
resources and services. You can use Workplace join and enroll devices into Intune to receive device-level
policies, which is another option for evaluating conditional access criteria.

App-based conditional access


Intune and Azure Active Directory work together to make sure only managed apps can access corporate e-mail or
other Office 365 services.
Learn more about app-based conditional access with Intune.

Next steps
How to configure conditional access in Azure Active Directory
How to install on-premises Exchange connector with Intune.
How to create a conditional access policy for Exchange on-premises
App-based conditional access with Intune
6/28/2017 3 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go here.

Intune app protection policies help protect your company data on devices that are enrolled into Intune. You can
also use app protection policies on employee owned devices that are not enrolled for management in Intune. In
this case, even though your company doesn't manage the device, you still need to make sure that company data
and resources are protected.
App-based conditional access and mobile application management add a security layer by making sure only
mobile apps that support Intune app protection policies can access Exchange Online and other Office 365 services.

NOTE
A managed app is an app that has app protection policies applied to it, and can be managed by Intune.

You can block the built-in mail apps on iOS and Android when you only allow the Microsoft Outlook app to access
Exchange Online. Additionally, you can block apps that don't have Intune app protection policies applied from
accessing SharePoint Online.

Prerequisites
Before you create an App-based conditional access policy, you must have:
Enterprise Mobility + Security or an Azure Active Directory premium subscription, and the users must
be licensed for EMS or Azure AD.
For more details, see the Enterprise Mobility pricing page or the Azure Active Directory pricing page.

Supported apps
Exchange Online:
Microsoft Outlook for Android and iOS.
SharePoint Online
Microsoft Word for iOS and Android
Microsoft Excel for iOS and Android
Microsoft PowerPoint for iOS and Android
Microsoft OneDrive for Business for iOS and Android
Microsoft OneNote for iOS
Microsoft Teams

NOTE
App-based conditional access also supports LOB apps, but these apps need to use Office 365 modern
authentication.
How app-based conditional access works
In this example, the admin has app protection policies applied to the Outlook app followed by a conditional access
rule that adds the Outlook app to an approved list of apps that can be used when accessing corporate e-mail.

NOTE
The flowchart structure below can be used for other managed apps.

1. The user tries to authenticate to Azure AD from the Outlook app.


2. The user gets redirected to the app store to install a broker app when trying to authenticate for the first
time. The broker app can be either the Microsoft Authenticator for iOS, or the Microsoft Company portal for
Android devices.

NOTE
In this scenario, if users try to use a native e-mail app, they'll be redirected to the app store to then install the
Outlook app.

3. The broker app gets installed on the device.


4. The broker app starts the Azure AD registration process which creates a device record in Azure AD. This is
not the same as the mobile device management (MDM) enrollment process, but this record is necessary so
the conditional access policies can be enforced on the device.
5. The broker app verifies the identity of the app. There's a security layer so the broker app can validate if the
app is authorized to be used by the user.
6. The broker app sends the App Client ID to Azure AD as part of the user authentication process to check if it's
in the policy approved list.
7. Azure AD allows the user to authenticate and use the app based on the policy approved list. If the app is not
in the policy approved list, Azure AD denies access to the app.
8. Outlook app communicates with Outlook Cloud Service to initiate communication with Exchange Online.
9. Outlook Cloud Service communicates with Azure AD to retrieve Exchange Online service access token for
the user.
10. Outlook app communicates with Exchange Online to retrieve user's corporate e-mail.
11. Corporate e-mail is delivered to the user's mailbox.

Next steps
Create an app-based conditional access policy
Block apps that do not have modern authentication
Set up the Intune on-premises Exchange Connector in Microsoft Intune Azure preview
6/19/2017 5 min to read

On-premises Exchange Server environments can use the Intune on-premises Exchange connector to manage
device access to on-premises Exchange mailboxes based on whether or not the devices are enrolled into Intune
and compliant with Intune device compliance policies. The on-premises Exchange connector is also responsible for
discovering mobile devices that connect to on-premises Exchange Servers by synchronizing the existing Exchange
Active Sync (EAS) record with Intune.

IMPORTANT
Intune only supports one on-premises Exchange Connector connection of any type per subscription.

To set up a connection that enables Microsoft Intune to communicate with the on-premises Exchange Server, you
need to follow the steps below:
1. Download the Intune on-premises Exchange Connector from the Intune portal.
2. Install and configure the Intune on-premises Exchange connector.
3. Validate the Exchange connection.

On-premises Exchange Connector requirements


The following table lists the requirements for the computer on which you install the On-premises Exchange
Connector.

REQUIREMENT                          MORE INFORMATION
Operating systems                    Intune supports the On-premises Exchange Connector on a computer that runs any
                                     edition of Windows Server 2008 SP2 64-bit, Windows Server 2008 R2, Windows
                                     Server 2012, or Windows Server 2012 R2. The Connector is not supported on any
                                     Server Core installation.
Microsoft Exchange                   On-premises Connectors require Microsoft Exchange 2010 SP1 or later or legacy
                                     Exchange Online Dedicated. To determine if your Exchange Online Dedicated
                                     environment is in the new or legacy configuration, contact your account manager.
Mobile device management authority   Set the mobile device management authority to Intune.
Hardware                             The computer on which you install the connector requires a 1.6 GHz CPU with
                                     2 GB of RAM and 10 GB of free disk space.
Active Directory synchronization     Before you can use the Connector to connect Intune to your Exchange Server, you
                                     must set up Active Directory synchronization so that your local users and
                                     security groups are synchronized with your instance of Azure Active Directory.
Additional software                  A full installation of Microsoft .NET Framework 4.5 and Windows PowerShell 2.0
                                     must be installed on the computer that hosts the connector.
Network                              The computer on which you install the connector must be in a domain that has a
                                     trust relationship to the domain that hosts your Exchange Server. The computer
                                     requires configurations to enable it to access the Intune service through
                                     firewalls and proxy servers over ports 80 and 443. Domains that are used by
                                     Intune include manage.microsoft.com, *manage.microsoft.com, and
                                     *.manage.microsoft.com.

Exchange cmdlet requirements

You must create an Active Directory user account that is used by the Intune Exchange Connector. The account must
have permission to run the following required Windows PowerShell Exchange cmdlets:
Get-ActiveSyncOrganizationSettings, Set-ActiveSyncOrganizationSettings
Get-CasMailbox, Set-CasMailbox
Get-ActiveSyncMailboxPolicy, Set-ActiveSyncMailboxPolicy, New-ActiveSyncMailboxPolicy, Remove-ActiveSyncMailboxPolicy
Get-ActiveSyncDeviceAccessRule, Set-ActiveSyncDeviceAccessRule, New-ActiveSyncDeviceAccessRule, Remove-ActiveSyncDeviceAccessRule
Get-ActiveSyncDeviceStatistics
Get-ActiveSyncDevice
Get-ExchangeServer
Get-ActiveSyncDeviceClass
Get-Recipient
Clear-ActiveSyncDevice, Remove-ActiveSyncDevice
Set-ADServerSettings
Get-Command
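As an added example that is not part of the Intune documentation, the following PowerShell script checks that the connector's service account has exactly the cmdlet access listed above before the connector is installed: it opens a remote Exchange session as that account and compares the cmdlets that Exchange RBAC exposes to it with the required list. The Client Access server FQDN and the account name are placeholders you must replace.

```powershell
# Added example (not from the Intune docs): verify that the AD service account the
# Intune Exchange Connector will use can run every required cmdlet, and nothing is
# silently missing. Exchange RBAC only exposes to a remote PowerShell session the
# cmdlets the connecting user is permitted to run, so a cmdlet absent from the
# session means the account's role assignments need adjusting.
# Placeholders (assumptions, not real values): the CAS FQDN and the account name.

$ExchangeCas   = 'cas01.corp.example.com'     # placeholder: Exchange server hosting the CAS role
$ConnectorUser = 'CORP\svc-intune-exchange'   # placeholder: the connector's AD account

# The cmdlets the connector requires, as listed in the requirements above.
$RequiredCmdlets = @(
    'Get-ActiveSyncOrganizationSettings', 'Set-ActiveSyncOrganizationSettings',
    'Get-CasMailbox', 'Set-CasMailbox',
    'Get-ActiveSyncMailboxPolicy', 'Set-ActiveSyncMailboxPolicy',
    'New-ActiveSyncMailboxPolicy', 'Remove-ActiveSyncMailboxPolicy',
    'Get-ActiveSyncDeviceAccessRule', 'Set-ActiveSyncDeviceAccessRule',
    'New-ActiveSyncDeviceAccessRule', 'Remove-ActiveSyncDeviceAccessRule',
    'Get-ActiveSyncDeviceStatistics', 'Get-ActiveSyncDevice', 'Get-ExchangeServer',
    'Get-ActiveSyncDeviceClass', 'Get-Recipient',
    'Clear-ActiveSyncDevice', 'Remove-ActiveSyncDevice',
    'Set-ADServerSettings', 'Get-Command'
)

function Test-ConnectorCmdletAccess {
    param(
        [Parameter(Mandatory)] [string]       $Server,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string[]]     $Required
    )

    # Open the Exchange remote PowerShell endpoint on the CAS as the service account.
    # The account must be enabled for remote PowerShell (Set-User -RemotePowerShellEnabled).
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "http://$Server/PowerShell/" `
        -Authentication Kerberos -Credential $Credential -ErrorAction Stop
    try {
        # Import-PSSession builds a temporary module whose exported functions are exactly
        # the cmdlets RBAC grants this account. Get-Command is part of every remote
        # endpoint and is not proxied by Import-PSSession, so it is not checked here.
        $module  = Import-PSSession -Session $session -DisableNameChecking -AllowClobber `
                       -WarningAction SilentlyContinue
        $granted = @($module.ExportedCommands.Keys)
        $missing = @($Required | Where-Object { $_ -ne 'Get-Command' -and $granted -notcontains $_ })
        [pscustomobject]@{
            Account = $Credential.UserName
            Granted = $Required.Count - $missing.Count
            Missing = $missing
        }
    }
    finally {
        Remove-PSSession -Session $session
    }
}

$cred   = Get-Credential -UserName $ConnectorUser -Message 'Password for the connector service account'
$result = Test-ConnectorCmdletAccess -Server $ExchangeCas -Credential $cred -Required $RequiredCmdlets

if ($result.Missing.Count -eq 0) {
    Write-Host "$($result.Account) can run all $($result.Granted) required cmdlets."
} else {
    Write-Warning "$($result.Account) lacks $($result.Missing.Count) required cmdlet(s):"
    $result.Missing | ForEach-Object { Write-Warning "  $_" }
}
```

Run the script from a domain-joined machine that can reach the Client Access server; any cmdlet reported as missing must be granted through the account's Exchange management roles before the connector will work.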

Download the On-premises Exchange Connector software installation package

1. On a supported Windows Server operating system for the On-premises Exchange Connector, open the
Azure portal and sign in with a user account that is an administrator in the on-premises Exchange server,
and that has a license to use Exchange Server.
2. Choose More services from the left menu, then type Intune in the text box filter.
3. Choose Intune. When the Intune Dashboard opens, choose On-premises access.
4. On the On-premises access - Exchange ActiveSync connector blade, from the Setup section, choose
Download the on-premises connector.
5. The On-premises Exchange Connector is contained in a compressed (.zip) folder that can be opened or
saved. In the File Download dialog box, choose Save to store the compressed folder in a secure location.

IMPORTANT
Do not rename or move the files that are in the on-premises Exchange Connector folder. Moving or renaming the
folder's contents will cause the Exchange Connector installation to fail.

Install and configure the Intune On-premises Exchange Connector

Perform the following steps to install the Intune On-premises Exchange Connector. The On-premises Exchange
Connector can only be installed once per Intune subscription, and only on one computer. If you try to configure an
additional On-premises Exchange Connector, the new connection will replace the original one.
1. On a supported operating system for the On-premises Connector, extract the files in
Exchange_Connector_Setup.zip to a secure location.
2. After the files are extracted, open the extracted folder and double-click Exchange_Connector_Setup.exe to
install the On-premises Exchange Connector.

IMPORTANT
If the destination folder is not a secure location, you should delete the certificate file WindowsIntune.accountcert
after you install the On-premises Connector.

3. In the Microsoft Intune Exchange Connector dialog box, select either On-premises Microsoft
Exchange Server or Hosted Microsoft Exchange Server.
For an On-premises Exchange server, provide either the server name or the fully qualified domain name of
the Exchange server that hosts the Client Access Server role.
For a hosted Exchange server, provide the Exchange server address. To find the hosted Exchange server URL:
a. Open the Outlook Web App for Office 365.
b. Choose the ? icon at the upper left, and then select About.
c. Locate the POP External Server value.
4. Choose Proxy Server to specify proxy server settings for your hosted Exchange server.
a. Select Use a proxy server when synchronizing mobile device information.
b. Enter the proxy server name and the port number to be used to access the server.
c. If it's necessary to provide user credentials to access the proxy server, select Use credentials
to connect to the proxy server. Then enter the domain\user and the password.
d. Choose OK.
5. In the User (Domain\user) and Password fields, enter the credentials that are necessary to connect
to your Exchange server.
6. Provide the necessary administrative credentials to send notifications to a user's Exchange Server
mailbox. You can configure these notifications with Conditional Access policies in Intune.
Ensure that the Autodiscover service and Exchange Web Services are configured on the Exchange
Client Access Server. For more information, see Client Access server.
7. In the Password field, provide the password for this account to enable Intune to access the Exchange
Server.
8. Choose Connect.

NOTE
It might take a few minutes for the connection to be configured.

During configuration, the Exchange Connector stores your proxy settings to enable access to the Internet. If your
proxy settings change, you will have to reconfigure the Exchange Connector to apply the updated proxy settings to
the Exchange Connector.
After the Exchange Connector sets up the connection, mobile devices that are associated with users that are
managed in Exchange Connector are automatically synchronized and added to the Exchange Connector. This
synchronization might take some time to complete.

NOTE
If you have installed the On-premises Exchange Connector, and if at some point you delete the Exchange connection, you
must uninstall the On-premises Exchange Connector from the computer onto which it was installed.

Validate the Exchange connection


After you have successfully configured the Exchange Connector, you can view the status of the connection and the
last successful synchronization attempt. To validate the Exchange Connector connection:
On the Intune Dashboard, choose On-premises access. Under Manage, select Exchange on-premises access
to verify the connection status.
You can also check the time and date of the last successful synchronization attempt.

Next steps
Create a conditional access policy for Exchange on-premises
How to create and assign a conditional access policy for Exchange on-premises and legacy Exchange Online Dedicated in Microsoft Intune
6/19/2017 5 min to read

APPLIES TO: INTUNE ON AZURE


This topic walks you through the process of configuring conditional access for Exchange on-premises based on
device compliance.
If you have an Exchange Online Dedicated environment and need to find out whether it is in the new or the legacy
configuration, please contact your account manager. To control email access to Exchange on-premises or to your
legacy Exchange Online Dedicated environment, configure conditional access to Exchange on-premises in Intune.

Before you begin

Before you can configure conditional access, verify the following:
Your Exchange version must be Exchange 2010 SP1 or later. Exchange server Client Access Server (CAS)
array is supported.
You must use the Exchange Active Sync on-premises Exchange connector, which connects Intune to
on-premises Exchange.

IMPORTANT
The on-premises Exchange connector is specific to your Intune tenant and cannot be used with any other tenant.
You should also ensure that the Exchange connector for your tenant is installed on only one machine.

The connector can be installed on any machine as long as that machine is able to communicate with the
Exchange server.
The connector supports an Exchange CAS environment. You can technically install the connector on the
Exchange CAS server directly if you wish to, but it is not recommended, as it will increase the load on the
server. When configuring the connector, you must set it up to communicate with one of the Exchange CAS
servers.
Exchange ActiveSync must be configured with certificate-based authentication or user credential entry.
When conditional access policies are configured and targeted to a user, before the user can connect to their
email, the device they use must be:
Either enrolled with Intune or a domain-joined PC.
Registered in Azure Active Directory. Additionally, the client Exchange ActiveSync ID must be
registered with Azure Active Directory.
AAD DRS will be activated automatically for Intune and Office 365 customers. Customers who have already
deployed the ADFS Device Registration Service will not see registered devices in their on-premises Active
Directory. This does not apply to Windows PCs and Windows Phone devices.
Compliant with the device compliance policies deployed to that device.
If the device does not meet conditional access settings, the user is presented with one of the following
messages when they log in:
If the device is not enrolled with Intune, or is not registered in Azure Active Directory, a message is
displayed with instructions about how to install the Company Portal app, enroll the device, and activate
email. This process also associates the device's Exchange ActiveSync ID with the device record in Azure
Active Directory.
If the device is not compliant, a message is displayed that directs the user to the Intune Company Portal
website, or the Company Portal app where they can find information about the problem and how to
remediate it.
Support for mobile devices
Windows Phone 8.1 and later
Native email app on iOS.
EAS mail clients such as Gmail on Android 4 or later.
EAS mail clients on Android for Work devices: Only the Gmail and Nine Work apps in the work profile are
supported on Android for Work devices. For conditional access to work with Android for Work, you must
deploy an email profile for the Gmail or Nine Work app, and also deploy those apps as a required install.

NOTE
Microsoft Outlook app for Android and iOS is not supported. Android for Work is currently being rolled out across Intune
tenants over the next few months.

Support for PCs


The native Mail application on Windows 8.1 and later (when enrolled with Intune)

Configure Exchange on-premises access


1. Go to the Azure portal, and sign in with your Intune credentials.
2. After you've successfully signed in, you see the Azure Dashboard.
3. Choose More services from the left menu, then type Intune in the text box filter.
4. Choose Intune, you see the Intune Dashboard.
5. Choose Conditional Access, then choose
6. The On-premises blade shows the status of the conditional access policy and the devices that are affected
by it.
7. Under Manage, choose Exchange on-premises access.
8. On the Exchange on-premises access blade, choose Yes to enable Exchange on-premises access control.

NOTE
If you have not configured the Exchange Active Sync on-premises connector, this option will be disabled. You must
first install and configure this connector before enabling conditional access for Exchange on-premises. For more
details, see Install the Intune On-premises Exchange Connector.
9. Under Assignment, choose Groups Included. Use the security user group that should have conditional
access applied to it. This would require the users to enroll their devices in Intune and be compliant with the
compliance profiles.
10. If you want to exclude certain groups of users, you can do so by choosing Groups Excluded and selecting
a user group that you want to be exempt from requiring device enrollment and compliance.
11. Under Settings, choose User notifications to modify the default email message. This message is sent to
users if their device is not compliant and they want to access Exchange on-premises. The message template
uses Markup language. You will also see the preview of how the message looks as you type.

TIP
To learn more about Markup language see this Wikipedia article.

12. On the Advanced Exchange Active Sync access settings blade, set the global default rule for access
from devices that are not managed by Intune, and for platform-level rules as described in the next two
steps.
13. For a device that is not affected by conditional access or other rules, you can choose to allow it to access
Exchange, or block it.
When you set this to allow access, all devices will be able to access Exchange on-premises immediately.
Devices that belong to the users in the Groups Included are blocked if they are subsequently evaluated
as not compliant with the compliance policies or not enrolled in Intune.
When you set this to block access, all devices will initially be blocked from accessing Exchange on-premises.
Devices that belong to users in the Groups Included will get access once the device is
enrolled in Intune and is evaluated as compliant. Android devices that do not run Samsung KNOX
Standard will always be blocked, as they do not support this setting.
14. Under Device platform exceptions, choose Add to specify the platforms. If the unmanaged device
access setting is set to blocked, devices that are enrolled and compliant will be allowed even if there is a
platform exception to block. Choose Ok to save the settings.
15. On the On-premises blade, click Save to save the conditional access policy.

Create Azure AD Conditional access policies in Intune


Beginning with the Intune 1704 release, admins can create Azure AD conditional access policies from the Intune Azure
portal, so that you don't need to switch between the Azure and Intune workloads.

IMPORTANT
You need to have an Azure AD Premium license to create Azure AD conditional access policies from the Intune Azure portal.

To create Azure AD conditional access policy


1. In the Intune Dashboard, choose Conditional access.
2. In the Conditional access dashboard, choose Conditional access in Azure Active Directory.
3. Choose New policy to create your new Azure AD conditional access policy.
See also
Conditional Access in Azure Active Directory
Set up app-based conditional access policies
6/28/2017 1 min to read

APPLIES TO: INTUNE ON AZURE


This topic provides instructions on how to set up app-based conditional access policies for apps that are part of the
list of approved apps. The list of approved apps consists of apps that were tested by Microsoft.

IMPORTANT
This topic walks through the steps to add an app-based conditional access policy using Exchange Online, but you can use the
same steps when adding other apps like SharePoint Online, Microsoft Teams, etc. from the list of approved apps.

To create an app-based conditional access policy


1. Go to the Azure portal and sign in with your credentials.
2. Choose More services, and type: "Intune".
3. Choose Intune App Protection.
4. On the Intune mobile application management blade choose All Settings.
5. On the Conditional access section, choose Exchange Online.
6. On the Allowed apps blade, choose the Allow apps that support Intune app policies option to allow
only apps that are supported by Intune app protection policies to have the ability to access Exchange Online.
When you select this option, the list of supported apps is displayed.

NOTE
All Exchange Active Sync mail clients, including the built-in mail clients on iOS and Android that connect to Exchange
Online, will be prevented from sending or receiving email. Users will instead receive a single email informing them
that they need to use the Outlook mail app.

7. To apply this policy to users, open the Restricted user groups blade, and choose Add user group. Select
one or more user groups that should get this policy.
8. You may want some users in the user group you selected in the previous step not to be affected by this
policy. In such cases, add the group of users to the exempted user groups list. From the Exchange Online
blade, choose Exempted user groups. Choose Add user group to open the list of user groups. Select the
groups you want to exempt from this policy.

To modify or delete user groups from an existing app-based CA policy


1. Open the Restricted user groups blade, then highlight the user group you want to delete.
2. Click the ellipsis to see the delete options.
3. Choose Delete to remove the user group from the list.

Next steps
Block apps that do not have modern authentication
See also
Protect app data with app protection policies
Block apps that do not use modern authentication (ADAL)
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE


App-based conditional access with app protection policies relies on applications using modern authentication, which
is an implementation of OAuth2. Most current Office mobile and desktop applications use modern authentication;
however, there are third-party apps and older Office apps that use other authentication methods like basic
authentication and forms-based authentication.
To block access to these apps, we recommend the following:
Set up ADFS claims rules to block non-modern authentication protocols. Detailed instructions are provided in
scenario 3 - block all access to O365 except browser-based applications.
For SharePoint Online, disable non-modern authentication in the SharePoint Online service using the
PowerShell cmdlet Set-SPOTenant to set the legacy authentication protocols property to false:

Set-SPOTenant -LegacyAuthProtocolsEnabled $false

IMPORTANT
App-based CA must not be used with Azure Active Directory (Azure AD) certificate based authentication. You can only have
one of these configured at a time.

See also
App-based conditional access with Intune
Monitor conditional access compliance for on-premises Exchange and Exchange Online in Intune
6/19/2017 1 min to read

Beginning with the Intune 1704 release, admins can see reporting information related to Exchange ActiveSync device
records that are synchronized with Intune through either the on-premises Exchange Connector or the Intune
service-to-service connector (Exchange Online connector). The conditional access compliance reporting provides a
summary of devices with different synchronization states:
Allow
Block
Quarantine

To monitor conditional access compliance


1. Go to the Azure portal, and sign in with your Intune credentials.
2. After you've successfully signed in, you see the Azure Dashboard.
3. Choose More services from the left menu, then type Intune in the text box filter.
4. Choose Intune, you see the Intune Dashboard.
5. Choose Conditional Access, then choose Overview.
6. Choose one of the three areas (Blocked, Quarantine or Allowed) on the chart to view your conditional
access compliance reporting.

Once you choose one of the three areas, you can see more details about devices being allowed, blocked or quarantined.
You can also drill down into specific devices to see more details. For example, the device chosen in the image below
is blocked. Intune gives you the option of removing corporate data from the conditional access compliance report
blade.

At the device details blade, you can see more information:

Overview: You can see device properties like: OS version, device model, ownership, serial number, device
manufacturer, phone number and last time the device checked in.
Properties: You can set the device ownership (Personal or Corporate).
Hardware: It provides the information you see on the Overview, and also storage details (total space and
free space), system enclosure, network details, network service, and more conditional access blocking details.
Discovered Apps: It shows all applications installed on the device. You can also export the list of installed
apps to .CSV format.
Compliance: It shows all device compliance policy details.
Device Configuration: It shows all device configuration details.
Exchange Access: Here you can learn more about the device state after applying conditional access policies.
What are app protection policies?
6/19/2017 5 min to read

APPLIES TO: INTUNE ON AZURE


Microsoft Intune app protection policies help protect your company data and prevent data loss.

How you can protect app data


Your employees use mobile devices for both personal and work tasks. While making sure your employees can be
productive, you also want to prevent data loss, intentional and unintentional. In addition, you want to have the
ability to protect company data accessed using devices even in the case where they are not managed by you.
You can use Intune app protection policies to help protect your company's data. Because Intune app protection
policies can be used independently of any mobile device management (MDM) solution, you can use them to
protect your company's data with or without enrolling devices in a device management solution. By
implementing app-level policies, you can restrict access to company resources and keep data within the
purview of your IT department.
App protection policies can be configured for apps running on devices that are:
Enrolled in Microsoft Intune: The devices in this category are typically corporate owned devices.
Enrolled in a third-party Mobile device management (MDM) solution: The devices in this category
are typically corporate owned devices.

NOTE
Mobile app management policies should not be used with third party mobile app management or secure container
solutions.

Not enrolled in any mobile device management solution: The devices in this category are typically
employee owned devices that are not managed or enrolled in Intune or other MDM solutions.

IMPORTANT
You can create mobile app management policies for Office mobile apps that connect to Office 365 services. App protection
policies are not supported for apps that connect to on-premises Exchange, Skype for Business, or SharePoint services.

The important benefits of using App protection policies are


Protecting your company data at the app level. Since mobile app management does not require device
management, you can protect company data on both managed and unmanaged devices. The management
is centered on the user identity, which removes the requirement for device management.
End user productivity is not impacted, and the policies are not applied when using the app in a personal
context. The policies are applied only in a work context, thus giving you the ability to protect company data
without touching personal data.
There are additional benefits to using MDM with App protection policies, and companies can use both App
protection policies with and without MDM at the same time. For example, an employee may use a phone issued
by the company as well as a personal tablet. In this case, the company phone is enrolled in MDM and protected by
App protection policies, and the personal device is protected by App protection policies only.
MDM makes sure that the device is protected. For example, you can require a PIN to access the device,
or you can deploy managed apps to the device. You can also deploy apps to devices through your MDM
solution, to give you more control over app management.
App protection policies make sure that the app-layer protections are in place. For example, you
can require a PIN to open an app in a work context, control whether data can be shared between apps, or prevent
company app data from being saved to a personal storage location.
Supported platforms for app protection policies
iOS 8.1 or later
Android 4 or later
Windows devices are currently not supported. However, when you enroll Windows 10 devices with Intune, you
can use Windows Information Protection, which offers similar functionality. For details, see Protect your
enterprise data using Windows Information Protection (WIP).

How app protection policies protect app data


Apps without app protection policies

When apps are used without restrictions, company and personal data can get intermingled. Company data could
end up in locations like personal storage or transferred to apps outside of your purview, resulting in data loss. The
arrows in the diagram show unrestricted data movement between apps (corporate and personal) and to storage
locations.
Data protection with app protection policies
You can use App protection policies to prevent company data from saving to the local storage of the device, and
restrict data movement to other apps that are not protected by App protection policies. App protection policy
settings include:
Data relocation policies like Prevent Save As, Restrict cut, copy, and paste.
Access policy settings like Require simple PIN for access, Block managed apps from running on
jailbroken or rooted devices.
Data protection with app protection policies on devices managed by an MDM solution

For devices enrolled in an MDM solution:

The illustration above shows the layers of protection that MDM and App protection policies offer together.
The MDM solution:
Enrolls the device
Deploys the apps to the device
Provides ongoing device compliance and management
App protection policies add value by:
Helping protect company data from leaking to consumer apps and services
Applying restrictions (save-as, clipboard, PIN, etc.) to mobile apps
Wiping company data from apps without removing those apps from the device
Data protection with app protection policies for devices without enrollment

The diagram above illustrates how the data protection policies work at the app level without MDM.
For BYOD devices not enrolled in any MDM solution, App protection policies can help protect company data at the
app level. However, there are some limitations to be aware of, like:
You cannot deploy apps to the device. The end user has to get the apps from the store.
You cannot provision certificate profiles on these devices.
You cannot provision company Wi-Fi and VPN settings on these devices.

Multi-identity
Apps that support multi-identity let you use different accounts (work and personal) to access the same apps, while
app protection policies are applied only when the apps are used in the work context.
For example, when a user starts the OneDrive app by using their work account, they can't move the files to a
personal storage location. However, when they use OneDrive with their personal account, they can copy and
move data from their personal OneDrive without restrictions.
Learn more about the apps that support MAM and multi-identity with Intune.

Next steps
How to create and deploy app protection policies with Microsoft Intune
How to create and assign app protection policies
6/19/2017 4 min to read

APPLIES TO: INTUNE ON AZURE


Before you begin


If you're looking for instructions in the Intune classic console, see how to create app protection policies.
App protection policies can be applied to apps running on devices that may or may not be managed by Intune.
For a more detailed description of how app protection policies work and the scenarios supported by Intune app
protection policies, see What is Microsoft Intune app protection policies.
If you're looking for a list of MAM supported apps, see MAM apps list.

Create an app protection policy


1. In the Mobile apps workload, choose Manage > App protection policies.
2. This opens the App protection policies blade, where you'll create new policies and edit existing policies.
Choose Add a policy.

3. Type a name for the policy, add a brief description, and select the platform type to create a policy for iOS
or Android. You can create more than one policy for each platform.
4. Choose Apps to open the Apps blade, where a list of available apps is displayed. Select one or more apps
from the list that you want to associate with the policy that you are creating. Once you have selected the
apps, choose Select at the bottom of the Apps blade to save your selection.
IMPORTANT
You must select at least one app to create a policy.

5. On the Add a policy blade, choose Configure required settings to open the policy settings blade.
There are two categories of policy settings, Data relocation and Access. Data relocation policies are
applicable to data movement in and out of the apps, while the access policies determine how the end user
accesses the apps in a work context. To get you started, the policy settings have default values. You do not
have to make any changes if the default values meet your requirements.

TIP
These policy settings are enforced only when using apps in the work context. When the end user uses the app to
do a personal task, they will not be affected by these policies.

6. Choose OK to save this configuration. You are now back in the Add a policy blade. Choose Create to
create the policy and save your settings.
When you finish creating a policy as described in the previous procedure, it is not deployed to any users. To
deploy a policy, see the following section, "Deploy a policy to users."

Deploy a policy to users


1. In the Policy blade, choose User groups, which opens the User groups blade. Choose Add user group
in the User groups blade to open the Add user group blade.

2. A list of user groups is displayed on the Add user group blade. This is a list of all the security groups in
your Azure Active Directory. Select the user groups you want this policy to apply to, and then choose
Select. Choosing Select deploys the policy to users.
You have now created a policy and deployed it to users.
Only users with Microsoft Intune licenses assigned to them are affected by the policy. Users who are in the
security group that you selected who don't have a Microsoft Intune license assigned to them are not affected.

IMPORTANT
If you are using Intune with Configuration Manager to manage your iOS and Android devices, the policy is only applied to
the users directly in the group that you selected. Members of child groups nested within the group you selected are not
affected.

End users can download the apps from the App store or Google Play. For more information, see:
What to expect when your Android app is managed by app protection policies
What to expect when your iOS app is managed by app protection policies

Change existing policies


You can edit an existing policy and apply it to the targeted users. However, when you change existing policies,
users who are already signed in to the apps won't see the changes for an 8-hour period.
To see the effect of the changes immediately, the end user will have to log out of the app and sign back in.
To change the list of apps associated with the policy
1. In the App policy blade, choose the policy you want to change. This opens a blade specific to the policy
you just selected.
2. In the policy blade, choose Targeted apps to open the list of apps.
3. Remove or add apps from the list and choose the Save icon to save your changes.
To change the list of user groups
1. In the App policy blade, choose the policy you want to change. This opens the blade specific to the policy
you selected.
2. In the policy blade, choose User groups to open the User group blade that shows the list of current user
groups who have this policy.
3. To add a new user group to the policy, choose Add user group, and select the user group. Choose Select
to deploy the policy to the group you selected.
4. To delete a user group, highlight the user group you want to remove. Then choose the ellipsis (...), and
choose Delete to remove the user group.

To change policy settings


1. In the App policy blade, choose the policy you want to change. This opens a blade specific to the policy
you just selected.
2. Choose Policy settings to open the Policy settings blade.
3. Change the settings, and choose the Save icon to save your changes.

Policy settings
To see a full list of the policy settings for iOS and Android, select one of the following:
iOS policies
Android policies

Next steps
Monitor compliance and user status
See also
What to expect when your Android app is managed by app protection policies
What to expect when your iOS app is managed by app protection policies
Android app protection policy settings
6/19/2017 7 min to read

The policy settings that are described in this topic can be configured for an app protection policy on the Settings
blade in the Azure portal. There are two categories of policy settings: data relocation settings and access settings. In
this topic, the term policy-managed apps refers to apps that are configured with app protection policies.

Data relocation settings


SETTING / HOW TO USE / DEFAULT VALUE(S)

Prevent Android backups
  How to use: Choose Yes to prevent this app from backing up work or school data to the Android Backup Service. Choose No to allow this app to back up work or school data.
  Default: Yes

Allow app to transfer data to other apps
  How to use: Specify what apps can receive data from this app:
  - Policy managed apps: Allow transfer only to other policy-managed apps.
  - All apps: Allow transfer to any app.
  - None: Do not allow data transfer to any app, including other policy-managed apps.
  There are some exempt apps and services to which Intune may allow data transfer. See Data transfer exemptions for a full list of apps and services.
  Default: All apps

Allow app to receive data from other apps
  How to use: Specify what apps can transfer data to this app:
  - Policy managed apps: Allow transfer only from other policy-managed apps.
  - All apps: Allow data transfer from any app.
  - None: Do not allow data transfer from any app, including other policy-managed apps.
  There are some exempt apps and services from which Intune may allow data transfer. See Data transfer exemptions for a full list of apps and services.
  Default: All apps

Prevent "Save As"
  How to use: Choose Yes to disable the use of the Save As option in this app. Choose No if you want to allow the use of Save As.
  Default: No

Select which storage services corporate data can be saved to
  How to use: Users are able to save to the selected services (OneDrive for Business, SharePoint and Local Storage). All other services will be blocked.
  Default: 0 selected

Restrict cut, copy and paste with other apps
  How to use: Specify when cut, copy, and paste actions can be used with this app. Choose from:
  - Blocked: Do not allow cut, copy, and paste actions between this app and any other app.
  - Policy managed apps: Allow cut, copy, and paste actions between this app and other policy-managed apps.
  - Policy managed with paste in: Allow cut or copy between this app and other policy-managed apps. Allow data from any app to be pasted into this app.
  - Any app: No restrictions for cut, copy, and paste to and from this app.
  Default: Any app

Restrict web content to display in the Managed Browser
  How to use: Choose Yes to enforce web links in the app to be opened in the Managed Browser app.
  For devices not enrolled in Intune, the web links in policy-managed apps can open only in the Managed Browser app.
  If you are using Intune to manage your devices, see Manage Internet access using managed browser policies with Microsoft Intune.
  Default: No

Encrypt app data
  How to use: Choose Yes to enable encryption of work or school data in this app. Intune uses an OpenSSL, 128-bit AES encryption scheme along with the Android Keystore system to securely encrypt app data. Data is encrypted synchronously during file I/O tasks. Content on the device storage is always encrypted.
  The encryption method is not FIPS 140-2 certified.
  Default: Yes

Disable contact sync
  How to use: Choose Yes to prevent the app from saving data to the native Contacts app on the device. If you choose No, the app can save data to the native Contacts app on the device.
  When you perform a selective wipe to remove work or school data from the app, contacts synced directly from the app to the native Contacts app are removed. Any contacts synced from the native address book to another external source cannot be wiped. Currently this applies only to the Microsoft Outlook app.
  Default: No

Disable printing
  How to use: Choose Yes to prevent the app from printing work or school data.
  Default: No

NOTE
The encryption method for the Encrypt app data setting is not FIPS 140-2 certified.

Data transfer exemptions


There are some exempt apps and platform services that Intune app protection policy may allow data transfer to
and from. For example, all Intune-enlightened apps on Android must be able to transfer data to and from the
Google Text-to-speech, so that text from your mobile device screen can be read aloud. This list is subject to change
and reflects the services and apps considered useful for secure productivity.
Full exemptions
These apps and services are fully allowed for data transfer to and from Intune-managed apps.

APP/SERVICE NAME / DESCRIPTION

com.android.phone: Native phone app
com.android.vending: Google Play Store
com.android.documentsui: Android Document Picker
com.google.android.webview: WebView, which is necessary for many apps including Outlook.
com.android.webview: WebView, which is necessary for many apps including Outlook.
com.google.android.tts: Google Text-to-speech
com.android.providers.settings: Android system settings
com.azure.authenticator: Azure Authenticator app, which is required for successful authentication in many scenarios.
com.microsoft.windowsintune.companyportal: Intune Company Portal

Conditional exemptions
These apps and services are only allowed for data transfer to and from Intune-managed apps under certain
conditions.

APP/SERVICE NAME / DESCRIPTION / EXEMPTION CONDITION

com.android.chrome (Google Chrome Browser): Chrome is used for some WebView components on Android 7.0+ and is never hidden from view. Data flow to and from the app, however, is always restricted.
com.skype.raider (Skype): The Skype app is allowed only for certain actions that result in a phone call.
com.android.providers.media (Android media content provider): The media content provider is allowed only for the ringtone selection action.
com.google.android.gms; com.google.android.gsf (Google Play Services packages): These packages are allowed for Google Cloud Messaging actions, such as push notifications.
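The following is an added worked example, not Intune's own code, showing how the "Allow app to transfer data to other apps" setting and the exemption lists above combine into a single allow/deny decision. The package names are the ones listed on this page; the evaluation order, the action labels ("phone_call", "ringtone_selection", "push_notification") and the com.example.* package names are assumptions made for the example.

```python
"""Outbound data-transfer decision for a policy-managed Android app.

Added illustration (not Intune's implementation): package names are from the
exemption tables; the ordering and the action labels are assumptions.
"""
from dataclasses import dataclass, field

# Fully exempt apps and services (from the page): always reachable, even when
# the policy value is None.
FULL_EXEMPTIONS = {
    "com.android.phone",                          # native phone app
    "com.android.vending",                        # Google Play Store
    "com.android.documentsui",                    # Android document picker
    "com.google.android.webview",                 # WebView
    "com.android.webview",                        # WebView
    "com.google.android.tts",                     # Google Text-to-speech
    "com.android.providers.settings",             # Android system settings
    "com.azure.authenticator",                    # Azure Authenticator
    "com.microsoft.windowsintune.companyportal",  # Intune Company Portal
}

# Conditionally exempt apps: reachable only for the listed action.
# The action labels are assumptions made for this example.
CONDITIONAL_EXEMPTIONS = {
    "com.skype.raider": {"phone_call"},
    "com.android.providers.media": {"ringtone_selection"},
    "com.google.android.gms": {"push_notification"},
    "com.google.android.gsf": {"push_notification"},
}

# Chrome is used for WebView components on Android 7.0+ and is never hidden,
# but data flow to and from it stays restricted.
ALWAYS_RESTRICTED = {"com.android.chrome"}


@dataclass
class TransferPolicy:
    # Value of "Allow app to transfer data to other apps":
    # "all" (the default), "policy_managed" or "none".
    outbound: str = "all"
    # Package names of the other apps targeted by the same app protection policy.
    policy_managed_apps: set = field(default_factory=set)


def transfer_allowed(policy, target_pkg, action="share"):
    """Return (allowed, reason) for data leaving a policy-managed app to target_pkg."""
    if policy.outbound == "all":
        return True, "policy allows transfer to any app"
    if policy.outbound not in ("policy_managed", "none"):
        raise ValueError(f"unknown setting value: {policy.outbound!r}")
    if policy.outbound == "policy_managed" and target_pkg in policy.policy_managed_apps:
        return True, "target is policy-managed"
    # Transfer is restricted: only an exemption can still allow it.
    if target_pkg in FULL_EXEMPTIONS:
        return True, "fully exempt app or service"
    if target_pkg in CONDITIONAL_EXEMPTIONS:
        allowed_actions = CONDITIONAL_EXEMPTIONS[target_pkg]
        if action in allowed_actions:
            return True, f"conditionally exempt for {action}"
        return False, f"exempt only for {sorted(allowed_actions)}, not {action}"
    if target_pkg in ALWAYS_RESTRICTED:
        return False, "visible in the share UI but data flow is always restricted"
    return False, f"policy value {policy.outbound!r} blocks transfer to {target_pkg}"


if __name__ == "__main__":
    strict = TransferPolicy("none")
    for pkg, action in [("com.android.phone", "share"), ("com.skype.raider", "share"),
                        ("com.skype.raider", "phone_call"), ("com.example.notes", "share")]:
        print(pkg, action, transfer_allowed(strict, pkg, action))
```

The point to take from the model is that the exemptions are not "holes" in the setting but a fixed floor beneath it: setting the value to None still leaves the phone, Play Store, WebView and Company Portal reachable, so a reviewer of the policy should read the exemption list alongside the setting.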

Access settings
SETTING / HOW TO USE / DEFAULT VALUE(S)

Require PIN for access
  How to use: Choose Yes to require a PIN to use this app. The user is prompted to set up this PIN the first time they run the app in a work or school context. Default value = Yes.
  Configure the following settings for PIN strength:
  - Number of attempts before PIN reset: Specify the number of tries the user has to successfully enter their PIN before they must reset it. Default value = 5.
  - Allow simple PIN: Choose Yes to allow users to use simple PIN sequences like 1234 or 1111. Choose No to prevent them from using simple sequences. Default value = Yes.
  - PIN length: Specify the minimum number of digits in a PIN sequence. Default value = 4.
  - Allow fingerprint instead of PIN (Android 6.0+): Choose Yes to allow the user to use fingerprint authentication instead of a PIN for app access. Default value = Yes.
  On Android devices, you can let the user prove their identity by using Android fingerprint authentication instead of a PIN. When the user tries to use this app with their work or school account, they are prompted to provide their fingerprint identity instead of entering a PIN.
  Default: Require PIN: Yes; PIN reset attempts: 5; Allow simple PIN: Yes; PIN length: 4; Allow fingerprint: Yes

Require corporate credentials for access
  How to use: Choose Yes to require the user to sign in with their work or school account instead of entering a PIN for app access. If you set this to Yes, this overrides the requirements for PIN or Touch ID.
  Default: No

Block managed apps from running on jailbroken or rooted devices
  How to use: Choose Yes to prevent this app from running on jailbroken or rooted devices. The user will continue to be able to use this app for personal tasks, but will have to use a different device to access work or school data in this app.
  Default: Yes

Recheck the access requirements after (minutes)
  How to use: Configure the following settings:
  - Timeout: This is the number of minutes before the access requirements (defined earlier in the policy) are rechecked. For example, an admin turns on PIN in the policy, a user opens a MAM app, and must enter a PIN. When using this setting, the user would not have to enter a PIN on any MAM app for another 30 minutes (default value).
  - Offline grace period: This is the number of minutes that MAM apps can run offline; specify the time (in minutes) before the access requirements for the app are rechecked. Default value = 720 minutes (12 hours). After this period expires, the app will require user authentication to AAD so the app can continue to run.
  Default: Timeout: 30; Offline: 720

Offline interval before app data is wiped (days)
  How to use: After this many days (defined by the admin) of running offline, the app itself will do a selective wipe. This selective wipe is the same wipe as the one that can be initiated by the admin in the MAM wipe workflow.
  Default: 90 days

Block screen capture and Android Assistant (Android 6.0+)
  How to use: Choose Yes to block screen capture and the Android Assistant capabilities of the device when using this app. Choosing Yes will also blur the App-switcher preview image when using this app with a work or school account.
  Default: No

Disable app PIN when device PIN is managed
  How to use: Choose Yes to disable the app PIN when a device lock is detected on an enrolled device.
  Default: No
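To make the interaction between the PIN settings and the three time intervals concrete, here is an added example (not Intune's implementation) that models them: PIN validation against the length and simple-PIN rules, the attempts-before-reset counter, and the launch-time decision driven by the timeout, the offline grace period and the offline wipe interval. The default values are the ones in the table; the decision order in access_check and the outcome labels are assumptions of this example.

```python
"""Model of the Android access settings: PIN rules and recheck intervals.

Added illustration, not Intune's code. Defaults are the page's; the order in
which access_check evaluates the intervals is an assumption.
"""
from dataclasses import dataclass

MINUTES_PER_DAY = 24 * 60


@dataclass
class AccessSettings:
    require_pin: bool = True
    pin_reset_attempts: int = 5       # attempts before the PIN must be reset
    allow_simple_pin: bool = True
    pin_length: int = 4               # minimum number of digits
    timeout_minutes: int = 30         # recheck the access requirements after (minutes)
    offline_grace_minutes: int = 720  # 12 hours offline before AAD auth is required
    offline_wipe_days: int = 90       # offline interval before app data is wiped


def is_simple_pin(pin):
    """True for repeated digits (1111) or straight runs (1234, 4321)."""
    if len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def pin_meets_policy(settings, pin):
    """Validate the PIN a user proposes when first setting it up."""
    if not pin.isdigit():
        return False, "PIN must contain digits only"
    if len(pin) < settings.pin_length:
        return False, f"PIN must have at least {settings.pin_length} digits"
    if not settings.allow_simple_pin and is_simple_pin(pin):
        return False, "simple PIN sequences are not allowed"
    return True, "ok"


def pin_attempt(settings, stored_pin, entered_pin, failed_so_far):
    """One unlock attempt; returns (outcome, failed_count).

    A real implementation would compare a salted hash rather than the PIN
    itself; plaintext is used here only to keep the example short.
    """
    if entered_pin == stored_pin:
        return "unlocked", 0
    failed = failed_so_far + 1
    if failed >= settings.pin_reset_attempts:
        return "reset_required", failed
    return "retry", failed


def access_check(settings, minutes_since_pin_check, minutes_since_service_contact):
    """Decide what the app must do on launch.

    minutes_since_pin_check: time since the access requirements were last met.
    minutes_since_service_contact: time the app has been running offline.
    """
    if minutes_since_service_contact >= settings.offline_wipe_days * MINUTES_PER_DAY:
        return "selective_wipe"      # the app wipes its own work or school data
    if minutes_since_service_contact >= settings.offline_grace_minutes:
        return "require_aad_auth"    # grace period over: must authenticate to AAD
    if settings.require_pin and minutes_since_pin_check >= settings.timeout_minutes:
        return "prompt_pin"          # timeout elapsed: PIN is rechecked
    return "allow"


if __name__ == "__main__":
    s = AccessSettings(allow_simple_pin=False)
    print(pin_meets_policy(s, "1234"))        # rejected: simple sequence
    print(pin_meets_policy(s, "2580"))        # ok
    print(access_check(AccessSettings(), 45, 100))   # prompt_pin
    print(access_check(AccessSettings(), 0, 800))    # require_aad_auth
```

The ordering matters for reasoning about risk: the offline wipe interval (days) is a last resort that only fires after the grace period (hours) has long since forced re-authentication, and the PIN timeout (minutes) sits beneath both. Tightening the timeout does nothing for a device that stays offline; for that case the grace period and wipe interval are the controls.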
iOS app protection policy settings
6/19/2017 9 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

The policy settings described in this topic can be configured for an app protection policy on the Settings blade in
the Azure portal.
There are two categories of policy settings: data relocation settings and access settings. In this topic, the term
policy-managed apps refers to apps that are configured with app protection policies.

Data relocation settings


SETTING / HOW TO USE / DEFAULT VALUE

Prevent iTunes and iCloud backups
  How to use: Choose Yes to prevent this app from backing up work or school data to iTunes and iCloud. Choose No to allow this app to back up work or school data to iTunes and iCloud.
  Default: Yes

Allow app to transfer data to other apps
  How to use: Specify what apps can receive data from this app:
  - Policy managed apps: Allow transfer only to other policy-managed apps.
  - All apps: Allow transfer to any app.
  - None: Do not allow data transfer to any app, including other policy-managed apps.
  Additionally, if you set this option to Policy managed apps or None, the iOS 9 feature that allows Spotlight Search to search data within apps will be blocked.
  There are some exempt apps and services to which Intune may allow data transfer. See Data transfer exemptions for a full list of apps and services.
  Default: All apps

Allow app to receive data from other apps
  How to use: Specify what apps can transfer data to this app:
  - Policy managed apps: Allow transfer only from other policy-managed apps.
  - All apps: Allow data transfer from any app.
  - None: Do not allow data transfer from any app, including other policy-managed apps.
  There are some exempt apps and services from which Intune may allow data transfer. See Data transfer exemptions for a full list of apps and services.
  Default: All apps

Prevent "Save As"
  How to use: Choose Yes to disable the use of the Save As option in this app. Choose No if you want to allow the use of Save As.
  Default: No

Restrict cut, copy and paste with other apps
  How to use: Specify when cut, copy, and paste actions can be used with this app. Choose from:
  - Blocked: Do not allow cut, copy, and paste actions between this app and any other app.
  - Policy managed apps: Allow cut, copy, and paste actions between this app and other policy-managed apps.
  - Policy managed with paste in: Allow cut or copy between this app and other policy-managed apps. Allow data from any app to be pasted into this app.
  - Any app: No restrictions for cut, copy, and paste to and from this app.
  Default: Any app

Restrict web content to display in the Managed Browser
  How to use: Choose Yes to enforce web links in the app to be opened in the Managed Browser app.
  For devices not enrolled in Intune, the web links in policy-managed apps can open only in the Managed Browser app.
  If you are using Intune to manage your devices, see Manage Internet access using managed browser policies with Microsoft Intune.
  Default: No

Encrypt app data
  How to use: For policy-managed apps, data is encrypted at rest using the device-level encryption scheme provided by iOS. When a PIN is required, the data is encrypted according to the settings in the app protection policy.
  Go to the official Apple documentation here to see which iOS encryption modules are FIPS 140-2 certified or pending FIPS 140-2 certification.
  Specify when work or school data in this app is encrypted. Choose from:
  - When device is locked: All app data that is associated with this policy is encrypted while the device is locked.
  - When device is locked and there are open files: All app data associated with this policy is encrypted while the device is locked, except for data in the files that are currently open in the app.
  - After device restart: All app data associated with this policy is encrypted when the device is restarted, until the device is unlocked for the first time.
  - Use device settings: App data is encrypted based on the default settings on the device.
  When you enable this setting, the user may be required to set up and use a PIN to access their device. If there is no device PIN and encryption is required, the apps will not open and the user will be prompted to set a PIN with the message "Your organization has required you to first enable a device PIN to access this app."
  Default: When device is locked

Disable contact sync
  How to use: Choose Yes to prevent the app from saving data to the native Contacts app on the device. If you choose No, the app can save data to the native Contacts app on the device.
  When you perform a selective wipe to remove work or school data from the app, contacts synced directly from the app to the native Contacts app are removed. Any contacts synced from the native address book to another external source cannot be wiped. Currently this applies only to the Microsoft Outlook app.
  Default: No

Disable printing
  How to use: Choose Yes to prevent the app from printing work or school data.
  Default: No

Select which storage services corporate data can be saved to
  How to use: Users are able to save to the selected services (OneDrive for Business, SharePoint and Local Storage). All other services will be blocked.
  Default: 0 Selected

NOTE
None of the data relocation settings controls the Apple managed open-in feature on iOS devices. To use Apple managed
open-in, see Manage data transfer between iOS apps with Microsoft Intune.

Data transfer exemptions


There are some exempt apps and platform services that Intune app protection policy may allow data transfer to
and from in certain scenarios. This list is subject to change and reflects the services and apps considered useful for
secure productivity.

APP/SERVICE NAME(S) / DESCRIPTION

tel; telprompt: Native phone app
skype: Skype
app-settings: Device settings
itms; itmss; itms-apps; itms-appss; itms-services: App Store
calshow: Native Calendar

Access settings
SETTING / HOW TO USE / DEFAULT VALUE

Require PIN for access
  How to use: Choose Yes to require a PIN to use this app. The user is prompted to set up this PIN the first time they run the app in a work or school context. Default value = Yes.
  Configure the following settings for PIN strength:
  - Number of attempts before PIN reset: Specify the number of tries the user has to successfully enter their PIN before they must reset it. Default value = 5.
  - Allow simple PIN: Choose Yes to allow users to use simple PIN sequences like 1234 or 1111. Choose No to prevent them from using simple sequences. Default value = Yes.
  - PIN length: Specify the minimum number of digits in a PIN sequence. Default value = 4.
  - Allow fingerprint instead of PIN (iOS 8.0+): Choose Yes to allow the user to use Touch ID instead of a PIN for app access. Default value = Yes.
  On iOS devices, you can let the user prove their identity by using Touch ID instead of a PIN. When the user tries to use this app with their work or school account, they are prompted to provide their fingerprint identity instead of entering a PIN. When this setting is enabled, the App-switcher preview image will be blurred while using a work or school account.
  Default: Require PIN: Yes; PIN reset attempts: 5; Allow simple PIN: Yes; PIN length: 4; Allow fingerprint: Yes

Require corporate credentials for access
  How to use: Choose Yes to require the user to sign in with their work or school account instead of entering a PIN for app access. If you set this to Yes, this overrides the requirements for PIN or Touch ID.
  Default: No

Block managed apps from running on jailbroken or rooted devices
  How to use: Choose Yes to prevent this app from running on jailbroken or rooted devices. The user will continue to be able to use this app for personal tasks, but will have to use a different device to access work or school data in this app.
  Default: Yes

Recheck the access requirements after (minutes)
  How to use: Configure the following settings:
  - Timeout: This is the number of minutes before the access requirements (defined earlier in the policy) are rechecked. For example, an admin turns on PIN in the policy, a user opens a MAM app, and must enter a PIN. When using this setting, the user would not have to enter a PIN on any MAM app for another 30 minutes (default value).
  - Offline grace period: This is the number of minutes that MAM apps can run offline; specify the time (in minutes) before the access requirements for the app are rechecked. Default value = 720 minutes (12 hours). After this period expires, the app will require user authentication to AAD so the app can continue to run.
  Default: Timeout: 30; Offline: 720

Offline interval before app data is wiped (days)
  How to use: After this many days (defined by the admin) of running offline, the app itself will do a selective wipe. This selective wipe is the same wipe as the one that can be initiated by the admin in the MAM wipe workflow.
  Default: 90 days

Disable app PIN when device PIN is managed
  How to use: Choose Yes to disable the app PIN when a device lock is detected on an enrolled device.
  Default: No

Require minimum iOS operating system
  How to use: Choose Yes to require a minimum iOS operating system to use this app. The user will be blocked from access if the iOS version on the device does not meet the requirement.
  Default: No

Require minimum iOS operating system (Warning only)
  How to use: Choose Yes to require a minimum iOS operating system to use this app. The user will see a notification if the iOS version on the device does not meet the requirement. This notification can be dismissed.
  Default: No

Require minimum app version
  How to use: Choose Yes to require a minimum app version to use the app. The user is blocked from access if the app version on the device does not meet the requirement.
  As apps often have distinct versioning schemes between them, create a policy with one minimum app version targeting one app (for example, "Outlook version policy").
  Default: No

Require minimum app version (Warning only)
  How to use: Choose Yes to recommend a minimum app version to use this app. The user sees a notification if the app version on the device does not meet the requirement. This notification can be dismissed.
  As apps often have distinct versioning schemes between them, create a policy with one minimum app version targeting one app (for example, "Outlook version policy").
  Default: No

Require minimum Intune app protection policy SDK version
  How to use: Choose Yes to require a minimum Intune app protection policy SDK version on the app to use. The user is blocked from access if the app's Intune app protection policy SDK version does not meet the requirement.
  To learn more about the Intune app protection policy SDK, see Intune App SDK overview.
  Default: No
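The five "Require minimum ..." settings share one evaluation shape: compare an installed version against a minimum, then either block or only warn. The example below is added here to show that shape, including the reason the table gives for scoping app-version rules to a single app (different apps use different versioning schemes). It is not Intune's code; the rule model, the "os"/"app"/"sdk" labels and the com.example.* bundle identifiers are assumptions made for the example.

```python
"""Evaluation of minimum OS / app / SDK version requirements (block vs warn).

Added illustration, not Intune's implementation. Rule structure and the
example bundle identifiers are assumptions.
"""
from dataclasses import dataclass


@dataclass
class MinimumVersion:
    kind: str             # "os", "app" or "sdk"
    minimum: str          # dotted version string, e.g. "10.3"
    block: bool           # True = block access, False = warning only (dismissable)
    target_app: str = "*"  # bundle id the rule applies to; "*" = every targeted app


def parse_version(text):
    """'10.3.1' -> (10, 3, 1). A non-numeric suffix such as '0-beta' counts as its digits."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(actual, minimum):
    """Numeric comparison, padded so that '10.3' equals '10.3.0' and '10.10' > '10.9'."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    return a + (0,) * (width - len(a)) >= m + (0,) * (width - len(m))


def evaluate_access(rules, bundle_id, versions):
    """Apply the rules to one app.

    versions maps a rule kind ("os", "app", "sdk") to the installed version.
    Returns ("allow" | "warn" | "block", messages); a single blocking rule
    wins over any number of warnings.
    """
    decision, messages = "allow", []
    for rule in rules:
        if rule.target_app not in ("*", bundle_id):
            continue  # a per-app version policy does not apply to other apps
        actual = versions.get(rule.kind)
        if actual is not None and version_at_least(actual, rule.minimum):
            continue
        if rule.block:
            decision = "block"
            messages.append(f"blocked: {rule.kind} {actual} is below {rule.minimum}")
        else:
            if decision == "allow":
                decision = "warn"
            messages.append(f"warning: {rule.kind} {actual} is below {rule.minimum}")
    return decision, messages


if __name__ == "__main__":
    rules = [
        MinimumVersion("os", "10.3", block=True),
        MinimumVersion("app", "2.0", block=False, target_app="com.example.mail"),
        MinimumVersion("sdk", "2.1", block=True),
    ]
    print(evaluate_access(rules, "com.example.mail", {"os": "10.3.1", "app": "1.9", "sdk": "2.1"}))
```

Note that a missing version (the app does not report one) is treated as failing the rule; silently passing in that case would turn the control into a no-op for exactly the apps an administrator knows least about.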

Add-ins for Outlook app


Outlook recently brought add-ins to Outlook for iOS, which let you integrate popular apps with the email client.
Add-ins for Outlook are available on the web, Windows, Mac, and Outlook for iOS. Since add-ins are managed via
Microsoft Exchange, users will be able to share data and messages across Outlook and unmanaged add-in
applications unless add-ins are turned off for the user in Exchange.
If you want to stop your end users from accessing and installing Outlook add-ins (this affects all Outlook clients),
make the following changes to roles in the Exchange admin center:
To prevent users from installing Office Store add-ins, remove the My Marketplace role from them.
To prevent users from side loading add-ins, remove the My Custom Apps role from them.
To prevent users from installing any add-ins, remove both the My Custom Apps and My Marketplace roles from
them.
These instructions apply to Office 365, Exchange 2016, Exchange 2013 across Outlook on the web, Windows, Mac
and mobile.
Learn more about add-ins for Outlook.
Learn more about how to specify the administrators and users who can install and manage add-ins for Outlook
app.
How to validate your app protection policy setup
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE


This topic provides information on checking for issues after you set up an app protection policy. This guidance
applies to app protection policies in the Azure portal.
Checking for symptoms
Users are unlikely to report issues since app protection is a data protection tool. If there is a problem with the app
protection configuration the user will have unrestricted access, as they would have without app protection, and
would not be aware that there is an issue. For this reason we recommend that you validate your app protection
configuration by piloting your app protection policies with a small group of users who can deliberately test the app
protection restrictions.
What to check
If testing shows that your app protection policy behavior is not as anticipated, we recommend that you check the
following:
Are the users licensed for app protection?
Are the users licensed for O365?
The status of each of the users' app protection apps. The possible statuses for the apps are Checked in and Not
checked in.
User app protection status
1. In the Azure portal choose Manage apps > Monitor > App protection user status > users.
2. Choose a user from the list or search for and choose a user, then choose Select user. At the top of the App
reporting column you will see whether the user is licensed for app protection. Below that you will see
whether the user is licensed for O365 and the app status for all of the user's devices.
What to do
Here are the actions to take based on the user status:
If the user is not licensed for app protection, assign an Intune license to the user.
If the user is not licensed for O365 obtain a license for the user.
If a user's app is listed as Not checked in, check whether you've correctly configured an app protection policy for that
app.
Ensure that these conditions are applied across all users to which you want app protection policies to apply.
See also
What is Intune app protection policy?
How to monitor app protection policies
6/19/2017 4 min to read

APPLIES TO: INTUNE ON AZURE


If you are not in the Azure portal, this topic explains how to create app protection policies in the classic Intune
console.
You can monitor the compliance status of the mobile app management (MAM) policies that you've applied to users
on the Intune app protection blade in the Azure portal. You'll be able to find information about the users affected by
the MAM policies, their compliance status, and any issues that your users might be experiencing.
There are three different places to monitor the compliance status:
Summary view
Detailed view
Reporting view

Summary view
1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Mobile apps.
4. In the Mobile apps workload, choose Monitor > App protection user status, to see the summary view:

Users: The total number of users in your company who are using the apps that are associated with the
policy.
MANAGED BY POLICY: The number of users who have used at least one of the apps in the work context.
NO POLICY: The number of users who are using the apps that are associated with the policy, but who are
not targeted by the policy. You might consider adding these users to the policy.
Flagged users: The number of users who are experiencing issues. Currently, only users with jailbroken
devices are reported under Flagged users.

Detailed view
You can get to the detailed view of the summary by choosing the User status tile (based on device OS platform),
and the Flagged users tile.
User status
You can search for a single user and check the compliance status for that user. The App reporting blade shows the
following information for a selected user:
Devices that are associated with the user account
Apps with a MAM policy on the device
Status:
Checked in: The policy was deployed to the user, and the app was used in the work context at least
once.
Not checked in: The policy was deployed to the user, but the app has not been used in the work
context since then.

NOTE
If the user you searched for does not have the MAM policy deployed to them, you'll see a message informing you that the
user is not targeted by any MAM policies.

To see the reporting for a user, follow these steps:


1. To select a user, choose the Summary tile.
2. On the App reporting blade that opens, choose Select user to search for an Azure Active Directory user.

3. Select the user from the list. You will see the details of the compliance status for that user.
Flagged users
The detailed view shows the error message, the app that was accessed when the error happened, the device OS
platform affected, and a time stamp.

Reporting view
You can find the same reports from the Detailed view, and additional reports to help you with the MAM policy
compliance status:
App protection user report: It outlines the same information you can find at the User status report under
the Detailed view section above.
App protection app report: It provides two different app protection statuses that admins can select before
generating the report. The statuses can be protected or unprotected.
User status for managed MAM activity (Protected): This report outlines the activity of each managed
MAM app, on a per-user basis.
It shows all apps targeted by MAM policies for each user, and breaks down the status of each app
as either checked in with MAM policies, or targeted with a MAM policy but never
checked in.
User status for unmanaged MAM activity (Unprotected): This report outlines the activity of MAM-
enabled apps that are currently unmanaged, on a per-user basis. This can happen for the
following reasons:
These apps are being used by a user, or are apps, that are not currently targeted by a MAM
policy.
All apps are checked in, but aren't getting any MAM policies.
Table grouping
Once the App protection user report data shows up, you can aggregate data by the following:
Validation result: The data shows up grouped by app protection status, which can be failure, warning or
success.
App name: The data shows up grouped by apps (the actual app name) with failure, warning or success.

Export app protection activities to CSV


You can export all your app protection policy activities to a single .csv file. This can be helpful to analyze all the app
protection statuses reported from the users.
Follow these steps to generate the App protection report:
1. On the Intune mobile application management blade, choose App protection report.

2. Choose Yes to save your report, then choose Save As and select the folder you want to save the report in.
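Once the report is exported, the same grouping the portal offers (by validation result and by app name) is easy to reproduce offline, which is useful when the export covers more users than the blade shows comfortably. The example below is added here and is not Intune's code; the CSV it reads is constructed for the example and its column names are an assumption, not the real report's layout.

```python
"""Grouping an exported app protection report the way the "Table grouping"
section describes: by validation result and by app name.

Added illustration, not Intune's code. SAMPLE_CSV is constructed sample data
and its column names are assumed, not the real export's layout.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export (no real tenant data).
SAMPLE_CSV = """\
User,App,Platform,Validation result,Status
alice@example.com,Outlook,iOS,success,Checked in
alice@example.com,Word,iOS,warning,Checked in
bob@example.com,Outlook,Android,failure,Checked in
bob@example.com,Word,Android,success,Not checked in
carol@example.com,Outlook,Android,failure,Not checked in
"""


def load_report(text):
    """Parse the CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def group_by(rows, column):
    """Count rows per distinct value of a column, e.g. 'Validation result'."""
    return dict(Counter(row[column] for row in rows))


def app_breakdown(rows):
    """Per app name: counts of failure / warning / success."""
    out = defaultdict(Counter)
    for row in rows:
        out[row["App"]][row["Validation result"]] += 1
    return {app: dict(counts) for app, counts in out.items()}


def users_needing_attention(rows):
    """Users with any failure, or with an app that never checked in.

    A Not checked in app is the symptom the validation topic above points to
    when the policy may not have been applied correctly.
    """
    flagged = set()
    for row in rows:
        if row["Validation result"] == "failure" or row["Status"] == "Not checked in":
            flagged.add(row["User"])
    return sorted(flagged)


if __name__ == "__main__":
    rows = load_report(SAMPLE_CSV)
    print(group_by(rows, "Validation result"))
    print(app_breakdown(rows))
    print(users_needing_attention(rows))
```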
See also
Manage data transfer between iOS apps
What to expect when your Android app is managed by app protection policies
What to expect when your iOS app is managed by app protection policies
Get ready to configure app protection policies for
Windows 10
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE


Before creating a Windows 10 app protection policy, you need to enable mobile application management
(MAM) for Windows 10 by setting up the MAM provider in Azure AD. This configuration allows you to define the
enrollment state when creating a new Windows Information Protection (WIP) policy with Intune.

NOTE
The enrollment state can be either MAM or mobile device management (MDM).

To configure the MAM provider


1. Go to the Azure portal and sign in with your Intune credentials.
2. From the left menu, choose Azure Active Directory.

3. The Azure AD blade opens; choose Mobility (MDM and MAM), then click Microsoft Intune.
4. The configure blade opens; choose Restore default MAM URLs first, then configure the following:
a. MAM user scope: You can use MAM to protect corporate data for a specific group of users that use Windows
10 devices, or for all users.
b. MAM terms of use URL: The URL of the terms of use endpoint of the MAM service. This is used to display
the terms of the MAM service to end users.
c. MAM discovery URL: This is the URL that devices query when they need to apply app protection policies.
d. MAM compliance URL:
5. Once you configure these settings, choose Save.

Next steps
Create a WIP app protection policy
Create and deploy Windows Information Protection
(WIP) app protection policy with Intune
6/19/2017 6 min to read

APPLIES TO: INTUNE ON AZURE


Beginning with Intune 1704 release, you can use app protection policies with Windows 10 in the mobile application
management (MAM) without enrollment scenario.

Before you begin


Let's talk about a few concepts before adding a WIP policy.
List of Allowed and Exempt apps
Allowed apps: These are the apps that need to adhere to this policy.
Exempt apps: These apps are exempt from this policy and can access corporate data without restrictions.
Types of apps
Recommended apps: a pre-populated list of (mostly Microsoft Office) apps that admins can easily import
into the policy.
Store apps: Admins can add any app from the Windows Store to the policy.
Windows desktop apps: Admins can add any traditional Windows desktop app to the policy (e.g. exe, dll,
etc.)

Pre-requisites
You need to configure the MAM provider before you can create a WIP app protection policy.
Learn more about how to configure your MAM provider with Intune.
Additionally, you need to have the following:
Azure AD Premium license.
Windows Creators Update

IMPORTANT
WIP does not support multi-identity, only one managed identity can exist at a time.

To add a WIP policy


After you set up Intune in your organization, you can create a WIP-specific policy through the Azure portal.
1. Go to the Intune mobile application management dashboard, choose All settings, and then choose
App policy.
2. In the App policy blade, choose Add a policy, then enter the following values:
a. Name: Type a name (required) for your new policy.
b. Description: Type an optional description.
c. Platform: Choose Windows 10 as the supported platform for your app protection policy.
d. Enrollment state: Choose Without enrollment as the enrollment state for your policy.
3. Choose Create. The policy is created and appears in the table on the App Policy blade.

To add recommended apps to your Allowed apps list


1. From the App policy blade, choose the name of your policy, then choose Allowed apps from the Add a
policy blade. The Allowed apps blade opens, showing you all apps that are already included in the list for
this app protection policy.
2. From the Allowed apps blade, choose Add apps. The Add apps blade opens, showing you all apps that are
part of this list.
3. Select each app that you want to allow to access your corporate data, and then choose OK. The Allowed apps blade is
updated, showing you all selected apps.

Add a Store app to your Allowed apps list


To add a Store app
1. From the App policy blade, choose the name of your policy, then choose Allowed apps. The Allowed apps blade
opens, showing all apps that are already included in the list for this app protection policy.
2. From the Allowed apps blade, choose Add apps.
3. On the Add apps blade, choose Store apps from the dropdown list. The blade changes to show boxes for
you to add a publisher and app name.
4. Type the name of the app and the name of its publisher, and then choose OK.

TIP
Here's an app example, where the Publisher is CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond,
S=Washington, C=US and the Product name is Microsoft.MicrosoftAppForWindows.

5. After you've entered the info into the fields, choose OK to add the app to your Allowed apps list.

NOTE
To add multiple Store apps at the same time, you can click the menu icon at the end of the app row, then continue to add
more apps. Once you're done, choose OK.

Add a Desktop app to your Allowed apps list


To add a Desktop app
1. From the App policy blade, choose the name of your policy, and then choose Allowed apps. The Allowed
apps blade opens showing you all apps that are already included in the list for this app protection policy.
2. From the Allowed apps blade, choose Add apps.
3. On the Add apps blade, choose Desktop apps from the drop-down list.
4. After you've entered the info into the fields, choose OK to add the app to your Allowed apps list.

NOTE
To add multiple Desktop apps at the same time, you can click the menu icon at the end of the app row, then continue to
add more apps. Once you're done, choose OK.

Windows Information Protection (WIP) Learning


After you add the apps you want to protect with WIP, you need to apply a protection mode by using WIP Learning.
Before you begin
Windows Information Protection (WIP) Learning is a report that allows admins to monitor their WIP unknown apps.
The unknown apps are the ones not deployed by your organization's IT department. The admin can export these
apps from the report and add them to their WIP policies to avoid productivity disruption before they enforce WIP in
Hide Overrides mode.
We recommend that you start with Silent or Allow Overrides while verifying with a small group that you have the
right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, Hide
Overrides.
What are the protection modes?
Hide Overrides:
WIP looks for inappropriate data sharing practices and stops the user from completing the action.
This can include sharing info across non-corporate-protected apps, and sharing corporate data between
other people and devices outside of your organization.
Allow Overrides:
WIP looks for inappropriate data sharing, warning users if they do something deemed potentially unsafe.
However, this mode lets the user override the policy and share the data, logging the action to your audit
log.
Silent:
WIP runs silently, logging inappropriate data sharing, without blocking anything that would've been
prompted for employee interaction while in Allow Overrides mode.
Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data,
are still stopped.
Off (not recommended):
WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives.
Be aware that your previous decryption and policy info isn't automatically reapplied if you turn WIP
protection back on.
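To make the difference between the four modes concrete, the following model runs the same two actions (a corporate-data share into an app that is not on the allowed list, and an unallowed app reading protected data) under each mode and records what an audit log would contain. This is an added illustration written for this page, not Intune or Windows code: the app identities (the product name Microsoft.Office.Word, the Contoso publisher string, the audit-record wording) are constructed, and only the Microsoft publisher string comes from the example above.

```python
"""Model of the decisions a WIP app protection policy makes under each
protection mode (Hide Overrides, Allow Overrides, Silent, Off).

Added illustration, not Intune or Windows code: the app identities,
actions and audit-record format are constructed for this example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Mode(Enum):
    HIDE_OVERRIDES = "Hide Overrides"
    ALLOW_OVERRIDES = "Allow Overrides"
    SILENT = "Silent"
    OFF = "Off"


@dataclass(frozen=True)
class App:
    """A Store app is identified by publisher plus product name, a desktop
    app by its binary name (the two 'Add apps' choices described above)."""
    name: str
    publisher: str = ""
    kind: str = "store"  # "store" or "desktop"


@dataclass
class WipPolicy:
    mode: Mode
    allowed: List[App]
    exempt: List[App] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)

    @staticmethod
    def _same(app: App, entry: App) -> bool:
        if entry.kind != app.kind:
            return False
        if entry.kind == "store":
            return (entry.publisher, entry.name) == (app.publisher, app.name)
        # Desktop apps: file names are case-insensitive on Windows.
        return entry.name.lower() == app.name.lower()

    def trusted(self, app: App) -> bool:
        """Allowed and exempt apps may both hold corporate data."""
        return any(self._same(app, e) for e in self.allowed + self.exempt)

    def share(self, source: App, target: App, user_overrides: bool = False) -> str:
        """Decide a corporate-data share from `source` into `target`.
        Returns "allowed", "blocked" or "overridden"."""
        if self.mode is Mode.OFF:
            return "allowed"  # WIP off: nothing is protected or audited
        if self.trusted(target):
            return "allowed"
        what = f"share {source.name} -> {target.name}"
        if self.mode is Mode.HIDE_OVERRIDES:
            self.audit_log.append(f"blocked {what}")
            return "blocked"
        if self.mode is Mode.ALLOW_OVERRIDES:
            if user_overrides:
                self.audit_log.append(f"user override {what}")
                return "overridden"
            self.audit_log.append(f"blocked {what}")
            return "blocked"
        # Silent: record the inappropriate share, never block or prompt.
        self.audit_log.append(f"silent {what}")
        return "allowed"

    def access_protected_data(self, app: App) -> str:
        """An unallowed app reading WIP-protected files is stopped in every
        mode except Off; Silent only removes the prompts, not enforcement."""
        if self.mode is Mode.OFF or self.trusted(app):
            return "allowed"
        self.audit_log.append(f"blocked data access by {app.name}")
        return "blocked"


MS_PUBLISHER = "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
WORD = App("Microsoft.Office.Word", MS_PUBLISHER)             # constructed product name
NOTEPAD = App("notepad.exe", kind="desktop")
PERSONAL = App("Contoso.PersonalNotes", "CN=Contoso, O=Contoso, C=US")  # constructed, not allowed


def outcomes_by_mode() -> Dict[str, Dict[str, object]]:
    """Run the same actions under each mode and return what happened."""
    result: Dict[str, Dict[str, object]] = {}
    for mode in Mode:
        policy = WipPolicy(mode, allowed=[WORD, NOTEPAD])
        result[mode.value] = {
            "share_to_unallowed": policy.share(WORD, PERSONAL, user_overrides=True),
            "share_to_desktop_allowed": policy.share(WORD, App("NOTEPAD.EXE", kind="desktop")),
            "unallowed_reads_data": policy.access_protected_data(PERSONAL),
            "audit_entries": len(policy.audit_log),
        }
    return result


if __name__ == "__main__":
    for mode, outcome in outcomes_by_mode().items():
        print(mode, outcome)
```

The model keeps the distinction the text draws: Silent lets the share through but still records it, and still stops an unallowed app from reading protected data, while Off records nothing at all.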
To add a protection mode
1. From the App policy blade, choose the name of your policy, then click Required settings from the Add
Policy blade.
2. Choose Save.
To use WIP Learning
1. Go to the Azure Dashboard.
2. Choose More services from the left menu, then type Intune in the text box filter.
3. Choose Intune. When the Intune dashboard opens, choose Mobile apps.
4. Choose WIP Learning under the Monitor section. You see the unknown apps logged by WIP Learning.

IMPORTANT
Once you have the apps showing up in the WIP Learning logging report, you can add them to your app protection policies.

To deploy your WIP app protection policy


IMPORTANT
This applies to the WIP with mobile application management (MAM) without enrollment scenario.

After you've created your WIP app protection policy, you need to deploy it to your organization using MAM.
1. On the App policy blade, choose your newly-created app protection policy, choose User groups, then
choose Add user group.
A list of user groups, made up of all the security groups in your Azure Active Directory, opens in the Add
user group blade.
2. Choose the group you want your policy to apply to, then click Select to deploy the policy.
How to manage data transfer between iOS apps
6/19/2017 4 min to read

Manage iOS apps


Protecting your company data includes making sure that file transfers are restricted to apps that are managed by
you. You can manage iOS apps in the following ways:
Prevent company data loss by configuring an app protection policy for the apps, which we will refer to as
policy-managed apps. See all the Intune-enlightened apps you can manage with app protection policy.
You can also deploy and manage apps through the MDM channel. This requires that the devices are
enrolled in the MDM solution. These can be policy-managed apps or other managed apps.
The Open in management feature for iOS devices can limit file transfers between apps that are deployed through
the MDM channel. Open in management restrictions are set in configuration settings and deployed using your
MDM solution. When the user installs the deployed app, the restrictions you set are applied.

Using app protection with iOS apps


App protection policies can be used with the iOS Open in management feature to protect company data in the
following ways:
Employee-owned devices not managed by any MDM solution: You can set the app protection policy
settings to Allow app to transfer data to only Policy Managed apps. The Open-In behavior in a Policy
Managed app will only present other Policy Managed apps as an option for sharing. If a user tries to send a
policy-protected file as an attachment from OneDrive in the native mail app, that file will be unreadable.
Devices managed by Intune: For devices enrolled in Intune, data transfer between apps with app
protection policies and other managed iOS apps deployed through Intune is allowed automatically. To allow
data transfer between apps with app protection policies, enable the Allow app to transfer data to only
managed apps setting. You can use the Open in management feature to control data transfer between
apps that are deployed through Intune.
Devices managed by a third-party MDM solution: You can restrict data transfer to only managed apps
by using the iOS Open in management feature. To make sure that apps that you deploy using your third-party
MDM solution are also associated with the app protection policies you have configured in Intune, you
must configure the user UPN setting as described in the Configure user UPN setting walkthrough. When
apps are deployed with the user UPN setting, the app protection policies are applied to the app when the
end user signs in using their work account.

IMPORTANT
The user UPN setting is only required for apps deployed to devices managed by a third-party MDM. For Intune-managed
devices, this setting is not required.

Configure user UPN setting for third-party EMM


Configuring the user UPN setting is required for devices that are managed by a third-party EMM solution. The
procedure described below is a general flow of how to configure the UPN setting and the resulting end-user
experience:
1. In the Azure portal, create and assign an app protection policy for iOS. Configure policy settings per your
company requirements and select the iOS apps that should have this policy.
2. Deploy the apps and the email profile that you want managed through your third-party MDM solution
using the generalized steps below. This experience is also covered by Example 1.
a. Deploy the app with the following app configuration settings:
key = IntuneMAMUPN, value = [email protected]
Example: [IntuneMAMUPN, [email protected]]
b. Deploy the Open in management policy using your third-party MDM provider to enrolled devices.
Example 1: Admin experience in third-party MDM console
1. Go to the admin console of your third-party MDM provider. Go to the section of the console in which you
deploy application configuration settings to enrolled iOS devices.
2. In the Application Configuration section, enter the following setting:
key = IntuneMAMUPN, value = [email protected]
The exact syntax of the key/value pair may differ based on your third-party MDM provider. The table below
shows examples of third-party MDM providers and the exact values you should enter for the key/value pair.

THIRD-PARTY MDM PROVIDER   CONFIGURATION KEY   VALUE TYPE   CONFIGURATION VALUE
VMware AirWatch            IntuneMAMUPN        String       {UserPrincipalName}
MobileIron                 IntuneMAMUPN        String       ${userUPN} or ${userEmailAddress}

Example 2: End-user experience


1. The end user installs the Microsoft Word app on the device.
2. The end user launches the managed native email app to access their email.
3. The end user tries to open a document from native mail in Microsoft Word.
4. When the Word app launches, the end user is prompted to log in using their work account. The work
account the end user enters when prompted should match the account you specified in the app configuration
settings for the Microsoft Word app.

NOTE
The end user can add other personal accounts to Word to do their personal work and not be affected by the app
protection policies when using the Word app in a personal context.

5. When the login is successful, the app protection policy settings are applied to the Word app.
6. Now the data transfer succeeds and the document is tagged with a corporate identity in the app. In addition,
the data is treated in a work context and the policy settings are applied accordingly.
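The IntuneMAMUPN key/value pair above is delivered to the app as managed app configuration, and step 4 of Example 2 hinges on the signed-in work account matching that value. The following added example (written for this page, not code from Intune or any MDM vendor) builds that configuration as an XML property list, reads the key back, performs the match, and flags the most common deployment mistake: a provider substitution token such as {UserPrincipalName} or ${userUPN} that was deployed literally instead of being expanded. The UPN user@contoso.example and the sign-in accounts are constructed values; the case-insensitive comparison is an assumption made for the illustration.

```python
"""Managed app configuration carrying IntuneMAMUPN, and the sign-in match
from Example 2.

Added illustration, not Intune or MDM-vendor code. The UPN and the
sign-in accounts used below are constructed; case-insensitive UPN matching
is an assumption of this example.
"""
import plistlib
import re

UPN_KEY = "IntuneMAMUPN"
# Sanity check only: local part, "@", dotted domain.
_UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Substitution tokens from the provider table above; if one reaches the
# device unexpanded the policy can never match the user's account.
_TEMPLATE_PREFIXES = ("{", "${")


def unresolved_template(value: str) -> bool:
    """True when the value is still a provider token, not a real UPN."""
    return value.startswith(_TEMPLATE_PREFIXES)


def build_app_config(upn: str) -> bytes:
    """Return an XML plist (the managed app configuration shape on iOS)
    with the IntuneMAMUPN key. Rejects tokens and malformed UPNs so a
    bad value fails before deployment rather than at first sign-in."""
    if unresolved_template(upn) or not _UPN_RE.match(upn):
        raise ValueError(f"not a user principal name: {upn!r}")
    return plistlib.dumps({UPN_KEY: upn}, fmt=plistlib.FMT_XML)


def read_upn(app_config: bytes) -> str:
    """Extract the configured UPN from the app configuration plist."""
    cfg = plistlib.loads(app_config)
    value = cfg.get(UPN_KEY)
    if not isinstance(value, str) or not value:
        raise ValueError(f"{UPN_KEY} missing from app configuration")
    return value


def policy_applies(app_config: bytes, signed_in_account: str) -> bool:
    """Example 2, step 4: the app protection policy applies only when the
    work account the user signs in with equals the configured UPN. Any
    other (personal) account is outside the policy's scope."""
    configured = read_upn(app_config).strip().casefold()
    return configured == signed_in_account.strip().casefold()


if __name__ == "__main__":
    config = build_app_config("user@contoso.example")   # constructed UPN
    print(config.decode())
    print("work account:", policy_applies(config, "User@Contoso.example"))
    print("personal account:", policy_applies(config, "me@example.org"))
```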
Validate user UPN setting for third-party EMM
After configuring the user UPN setting, you should validate the iOS app's ability to receive and comply with Intune
app protection policy.
For example, the Require app PIN policy setting is easy to visually test on a device. If the policy setting is set to
Yes, the end user should see a prompt to set or enter a PIN when attempting to access company data.
First, create and assign an app protection policy to the iOS app. See Validate app protection policies for more
information on how to test app protection policy.
See also
What is Intune app protection policy
Mobile Threat Defense integration with Intune
6/19/2017 1 min to read

Intune Mobile Threat Defense connectors allow you to leverage your chosen Mobile Threat Defense vendor as a
source of information for your compliance policies and conditional access rules. This allows IT administrators to
add a layer of protection to their corporate resources such as Exchange and SharePoint, specifically from
compromised mobile devices.

What problem does this solve?


Companies need to protect sensitive data from emerging threats including physical, app-based, and network-based
threats, as well as operating system vulnerabilities. Historically, companies have been proactive when protecting
PCs from attack, while mobile devices go un-monitored and unprotected. Mobile platforms have built-in protection
such as app isolation and vetted consumer app stores, but these platforms remain vulnerable to sophisticated
attacks. Today, more employees use devices for work and need access to sensitive information. Devices need to be
protected from increasingly sophisticated attacks.

How do the Intune Mobile Threat Defense connectors work?


The connector protects company resources by creating a channel of communication between Intune and your
chosen Mobile Threat Defense vendor. Intune Mobile Threat Defense partners offer intuitive, easy-to-deploy
applications for mobile devices that actively scan and analyze threat information to share with Intune, for either
reporting or enforcement purposes. For example, if a connected Mobile Threat Defense app reports to the Mobile
Threat Defense vendor that a phone on your network is currently connected to a network that is vulnerable to
man-in-the-middle attacks, this information is shared with Intune and categorized at an appropriate risk level
(low/medium/high). That level is then compared with the risk level allowances you configured in Intune to
determine whether access to the resources of your choice should be revoked while the device is compromised.

Sample scenarios
When a device is considered infected by the Mobile Threat Defense solution:
Access is granted when the device is remediated:

Mobile Threat Defense partners


Learn how to protect access to company resources based on device, network, and application risk with:
Lookout
Skycure
Lookout Mobile Threat Defense connector with Intune
6/22/2017 2 min to read

You can control mobile device access to corporate resources based on risk assessment conducted by Lookout, a
Mobile Threat Defense solution integrated with Microsoft Intune. Risk is assessed based on telemetry collected
from devices by the Lookout service including:
Operating system vulnerabilities
Malicious apps installed
Malicious network profiles
You can configure conditional access policies based on Lookout's risk assessment enabled through Intune
compliance policies. Settings let you allow or block non-compliant devices based on detected threats.

How do Intune and Lookout Mobile Threat Defense help protect company resources?
Lookout's mobile app, Lookout for Work, is installed and run on mobile devices. This app captures file system,
network stack, and device and application telemetry where available, then sends it to the Lookout cloud service to
assess the device's risk for mobile threats. You can change risk level classifications for threats in the Lookout
console to suit your requirements.
The compliance policy in Intune includes a rule for Lookout Mobile Threat Defense based on Lookout risk
assessment. When this rule is enabled, Intune evaluates device compliance with the policy that you enabled.
If the device is found non-compliant, access to resources like Exchange Online and SharePoint Online can be blocked.
Users on blocked devices receive steps to resolve the issue and regain access. Guidance is launched from the
Lookout for Work app.

Supported platforms
The following platforms are supported for Lookout when enrolled in Intune:
Android 4.1 and later
iOS 8 and later
For additional information about platform and language support, visit the Lookout website.

Prerequisites
Microsoft Intune subscription
Azure Active Directory
Lookout Mobile Endpoint Security enterprise subscription
For more information, see Lookout Mobile Endpoint Security

Sample scenarios
Here are the common scenarios when using Lookout Mobile Threat Defense with Intune.
Control access based on threats from malicious apps
When malicious apps such as malware are detected on devices, you can block devices from the following until the
threat is resolved:
Connecting to corporate e-mail
Syncing corporate files with the OneDrive for Work app
Accessing company apps
Block when malicious apps are detected:

Access granted on remediation:

Control access based on threat to network


Detect threats to your network such as man-in-the-middle attacks and protect access to WiFi networks based on
the device risk.
Block network access through WiFi:
Access granted on remediation:

Control access to SharePoint Online based on threat to network


Detect threats to your network such as Man-in-the-middle attacks, and prevent synchronization of corporate files
based on the device risk.
Block SharePoint Online when network threats are detected:

Access granted on remediation:


Next steps
Here are the main steps you must do to implement this solution:
1. Set up your Lookout integration
2. Enable Lookout Mobile Threat Defense in Intune
3. Add and assign the Lookout for Work app
4. Configure Lookout device compliance policy
Set up your Lookout Mobile Threat Defense integration with Intune
6/22/2017 5 min to read

The following steps are required to set up your Lookout Mobile Threat Defense subscription:

# STEP
1 Collect Azure AD information
2 Configure your subscription
3 Configure enrollment groups
4 Configure state sync
5 Configure error report email recipient information
6 Configure enrollment settings
7 Configure email notifications
8 Configure threat classification
9 Watching enrollment

IMPORTANT
An existing Lookout Mobile Endpoint Security tenant that is not already associated with your Azure AD tenant cannot be
used for the integration with Azure AD and Intune. Contact Lookout support to create a new Lookout Mobile Endpoint
Security tenant. Use the new tenant to onboard your Azure AD users.

Collect Azure AD information


Your Lookout Mobile Endpoint Security tenant will be associated with your Azure AD subscription to integrate
Lookout with Intune. To enable your Lookout Mobile Threat Defense service subscription, Lookout support
([email protected]) needs the following information:
Azure AD Tenant ID
Azure AD Group Object ID for full Lookout console access
Azure AD Group Object ID for restricted Lookout console access (optional)
Use the following steps to gather the information you need to give to the Lookout support team.
1. Sign in to the Azure portal and select your subscription.
2. When you choose the name of your subscription, the resulting URL includes the subscription ID. If you have
any issues finding your subscription ID, see this Microsoft support article for tips on finding your
subscription ID.
3. Find your Azure AD Group ID. The Lookout console supports two levels of access:
Full Access: The Azure AD admin can create a group for users that will have Full Access and optionally
create a group for users that will have Restricted Access. Only users in these groups will be able to log in
to the Lookout console.
Restricted Access: The users in this group will have no access to several configuration and
enrollment-related modules of the Lookout console, and have read-only access to the Security
Policy module of the Lookout console.

TIP
For more details on the permissions, read this article on the Lookout website.

NOTE
The Group Object ID is on the Properties page of the group in the Azure AD management portal.

4. Once you have gathered this information, contact Lookout support (email: [email protected]).
Lookout Support will work with your primary contact to onboard your subscription and create your Lookout
Enterprise account, using the information that you collected.

Configure your subscription


1. After Lookout support creates your Lookout Enterprise account, an email from Lookout is sent to the
primary contact for your company with a link to the login URL: https://aad.lookout.com/les?action=consent.
2. The first login to the Lookout console must be with a user account that has the Azure AD role of Global
Admin, to register your Azure AD tenant. Later sign-ins don't require this level of Azure AD privilege. A consent
page is displayed. Choose Accept to complete the registration. Once you have accepted and consented, you
are redirected to the Lookout Console.

NOTE
See troubleshooting Lookout integration for help with login problems.

3. In the Lookout Console, from the System module, choose the Connectors tab, and select Intune.
4. Go to Connectors > Connection Settings and specify the Heartbeat Frequency in minutes.

Configure enrollment groups


1. As a best practice, create an Azure AD security group in the Azure AD management portal containing a small
number of users to test Lookout integration.

NOTE
All Lookout-supported, Intune-enrolled devices that belong to users in an Azure AD enrollment group are
enrolled and eligible for activation in the Lookout MTD console.

2. In the Lookout Console, from the System module, choose the Connectors tab, and select Enrollment
Management to define a set of users whose devices should be enrolled with Lookout. Add the Azure AD
security group Display Name for enrollment.
IMPORTANT
The Display Name is case sensitive, as shown in the Properties of the security group in the Azure portal. As
shown in the image below, the Display Name of the security group is camel case while the title is all lower case. In
the Lookout console, match the Display Name case of the security group.

NOTE
The best practice is to use the default (5 minutes) for the increment of time to check for new devices. Current
limitations: Lookout cannot validate group display names, so ensure the DISPLAY NAME field in the Azure portal
exactly matches the Azure AD security group. Nested groups are not supported: Azure AD security groups
used in Lookout must contain users only. They cannot contain other groups.

3. Once a group is added, the next time a user opens the Lookout for Work app on their supported device, the
device is activated in Lookout.
4. Once you are satisfied with your results, extend enrollment to additional user groups.
Configure state sync
In the State Sync option, specify the type of data that should be sent to Intune. Both device status and threat status
are required for the Lookout Intune integration to work correctly. These settings are enabled by default.

Configure error report email recipient information


In the Error Management option, enter the email address that should receive the error reports.

Configure enrollment settings


In the System module, on the Connectors page, specify the number of days before a device is considered
disconnected. Disconnected devices are considered non-compliant and will be blocked from accessing your
company applications based on the Intune conditional access policies. You can specify values between 1 and 90
days.
Configure email notifications
If you want to receive email alerts for threats, sign in to the Lookout console with the user account that should
receive notifications. On the Preferences tab of the System module, choose the threat levels that should trigger
notifications and set them to ON. Save your changes.
If you no longer want to receive email notifications, set the notifications to OFF and save your changes.
Configure threat classification
Lookout Mobile Threat Defense classifies mobile threats of various types. The Lookout threat classifications have
default risk levels associated with them. These can be changed at any time to suit your company requirements.
IMPORTANT
Risk levels are an important aspect of Mobile Threat Defense because the Intune integration calculates device compliance
according to these risk levels at runtime. The Intune administrator sets a rule in policy to identify a device as non-compliant if
the device has an active threat with a minimum level of High, Medium, or Low. The threat classification policy in Lookout
Mobile Threat Defense directly drives the device compliance calculation in Intune.
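The connector description earlier on this page (a reported threat is categorized at low, medium or high risk and compared with the allowances configured in Intune) and the two Lookout settings above (the minimum-level compliance rule and the 1 to 90 day disconnect window) describe one calculation. The following added example models it end to end; it is written for this page and is not Intune, Lookout or Skycure code. The threat types, the default classification table, the device records, the timestamps and the verdict format are all constructed for the illustration; the disconnect-window range and the three risk levels come from the text above.

```python
"""Model of the compliance decision a Mobile Threat Defense connector feeds
into Intune: the vendor's threat classification gives every active threat a
risk level, the Intune rule names the minimum level that makes a device
non-compliant, and an agent that has not checked in within the disconnect
window also makes the device non-compliant.

Added illustration, not Intune, Lookout or Skycure code. Threat types,
device records and timestamps below are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

RISK_ORDER = {"low": 1, "medium": 2, "high": 3}

# Vendor threat classification (threat type -> default risk level). Admins
# can reclassify, which changes the compliance outcome, as the text notes.
DEFAULT_CLASSIFICATION = {
    "malicious_app": "high",
    "mitm_network": "high",
    "os_vulnerability": "medium",
    "sideloaded_app": "low",
}


def device_risk(threats: List[Dict], classification: Dict[str, str]) -> Optional[str]:
    """Highest risk among *active* threats, or None for a clean device.
    Resolved threats drop out, which is what restores access after remediation."""
    levels = [classification[t["type"]] for t in threats if t.get("active", True)]
    if not levels:
        return None
    return max(levels, key=RISK_ORDER.__getitem__)


def evaluate_compliance(device: Dict, min_level: str = "medium",
                        disconnect_days: int = 7,
                        now: Optional[datetime] = None,
                        classification: Dict[str, str] = DEFAULT_CLASSIFICATION) -> Dict:
    """Compliance verdict for one device.

    min_level: the rule "non-compliant if an active threat is at least this
    level" (Low, Medium or High). disconnect_days: the connector setting
    for how long an agent may stay silent, valid between 1 and 90 days.
    """
    if not 1 <= disconnect_days <= 90:
        raise ValueError("disconnect window must be between 1 and 90 days")
    min_level = min_level.lower()
    if min_level not in RISK_ORDER:
        raise ValueError(f"unknown risk level {min_level!r}")
    now = now or datetime.now(timezone.utc)

    reasons = []
    risk = device_risk(device["threats"], classification)
    if risk and RISK_ORDER[risk] >= RISK_ORDER[min_level]:
        reasons.append(f"active threat at {risk} risk (rule: {min_level} or above)")
    last_seen = datetime.fromisoformat(device["last_seen"])
    if now - last_seen > timedelta(days=disconnect_days):
        reasons.append(f"no agent check-in for more than {disconnect_days} days")
    return {"device": device["id"], "risk": risk,
            "compliant": not reasons, "reasons": reasons}


# Constructed sample: what a connector might report for three devices.
NOW = datetime(2017, 6, 22, 12, 0, tzinfo=timezone.utc)
DEVICES = [
    {"id": "phone-1", "last_seen": "2017-06-22T09:30:00+00:00",
     "threats": [{"type": "mitm_network", "active": True}]},
    {"id": "phone-2", "last_seen": "2017-06-22T08:00:00+00:00",
     "threats": [{"type": "sideloaded_app", "active": True}]},
    {"id": "phone-3", "last_seen": "2017-06-10T17:45:00+00:00",
     "threats": []},
]


def verdicts(min_level: str = "medium", disconnect_days: int = 7,
             classification: Dict[str, str] = DEFAULT_CLASSIFICATION) -> Dict[str, bool]:
    """Compliance flag per sample device under the given rule settings."""
    return {d["id"]: evaluate_compliance(d, min_level, disconnect_days, NOW, classification)["compliant"]
            for d in DEVICES}


if __name__ == "__main__":
    for dev in DEVICES:
        print(evaluate_compliance(dev, now=NOW))
```

Running it with the defaults shows phone-1 blocked for a high-risk network threat, phone-2 still compliant because its low-risk threat sits below the Medium rule, and phone-3 blocked purely for silence; lowering the rule to Low or reclassifying sideloaded apps as High flips phone-2, and marking phone-1's threat resolved restores its access.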

Watching enrollment
Once the setup is complete, Lookout Mobile Threat Defense starts to poll Azure AD for devices that correspond to
the specified enrollment groups. You can find information about the devices enrolled on the Devices module. The
initial status for devices is shown as pending. The device status changes once the Lookout for Work app is installed,
opened, and activated on the device. For details on how to get the Lookout for Work app pushed to the device, see
the Add Lookout for Work apps with Intune topic.

Next steps
Enable Lookout MTD connection in Intune
Skycure Mobile Threat Defense connector
6/22/2017 2 min to read

You can control mobile device access to corporate resources using conditional access based on risk assessment
conducted by Skycure, a mobile threat defense solution that integrates with Microsoft Intune. Risk is assessed
based on telemetry collected from devices running Skycure, including:
Physical defense
Network defense
Application defense
Vulnerabilities defense
You can configure conditional access policies based on Skycure risk assessment enabled through Intune device
compliance policies, which you can use to allow or block non-compliant devices from accessing corporate resources
based on detected threats.

How do Intune and Skycure help protect your company resources?


The Skycure mobile app for Android or iOS captures file system, network stack, device and application telemetry where
available, then sends it to the Skycure cloud service to assess the device's risk for mobile threats.
The Intune device compliance policy includes a rule for Skycure Mobile Threat Defense, which is based on the
Skycure risk assessment. When this rule is enabled, Intune evaluates device compliance with the policy that you
enabled.
If the device is found non-compliant, access to resources like Exchange Online and SharePoint Online is blocked.
Users on blocked devices receive guidance from the Skycure mobile app to resolve the issue and regain access to
corporate resources.
Intune supports two modes of integration with Skycure:
Basic setup, which is a read-only mode that gives Skycure visibility of devices in Intune.
Full integration, which allows Skycure to report device risk and security incident details to Intune.

Sample scenarios
Here are some common scenarios:
Control access based on threats from malicious apps
When malicious apps such as malware are detected on devices, you can block devices from the following until the threat is resolved:
Connecting to corporate e-mail
Syncing corporate files with the OneDrive for Work app
Accessing company apps
Block when malicious apps are detected:
Access granted on remediation:

Control access based on threat to network


Detect threats to your network like man-in-the-middle attacks, and protect access to Wi-Fi networks based on the device risk.
Block network access through Wi-Fi:

Access granted on remediation:


Control access to SharePoint Online based on threat to network
Detect threats to your network like man-in-the-middle attacks, and prevent synchronization of corporate files based on the
device risk.
Block SharePoint Online when network threats are detected:

Access granted on remediation:

Supported platforms
Android 4.1 and later
iOS 8 and later
Pre-requisites
Azure Active Directory Premium
Microsoft Intune subscription
Skycure Mobile Threat Defense subscription
For more information, see the Skycure website.

Next steps
Here are the steps you need to complete to integrate Intune with Skycure:
1. Configure Skycure to use Azure Active Directory Single Sign On (SSO)
2. Download Skycure iOS app configuration policy
3. Add and assign Skycure apps, Microsoft Authenticator and iOS app configuration policy
4. Set up Skycure integration with Intune
5. Enable Skycure Mobile Threat Defense in Intune
6. Create Skycure Mobile Threat Defense device compliance policy in Intune
Configure Skycure to use Azure Active Directory Single Sign On (SSO)
6/22/2017 1 min to read

Azure AD SSO is used when you integrate Intune with Skycure. Here are the main benefits:
Admins can use the same credentials without having to type them again every time they log in and out of the
Microsoft portals (Intune, Azure) and the Skycure Management console.
End users can use the same Azure AD credentials without having to type them again every time they log in and
out of the Skycure apps.
Below are the steps to integrate Skycure with Azure Active Directory Single Sign On (SSO).

To retrieve the Azure Active Directory Tenant ID


You need to retrieve the Azure AD Tenant ID.
1. Go to the Azure portal and sign in with your credentials.
2. On the Dashboard, choose Azure Active Directory.
3. When the Azure Active Directory blade opens, choose Properties.
4. Click the Copy icon under the Tenant Directory ID on the Azure Active Directory Properties blade.
5. Paste the copied Directory ID value in a text file so you can use it later. The Directory ID value will be required
later in the Skycure and Intune integration process.

Allow Skycure to communicate with Azure Active Directory


1. Enter the following URL in your browser. Instead of DIRECTORY_ID, enter your Azure Active Directory Tenant
ID previously copied to the text file.
https://login.microsoftonline.com/<DIRECTORY_ID>/oauth2/authorize?client_id=28fd67fdb1794629a8b0dad420b697c7&prompt=admin_consent&redirect_uri=https%3A%2F%2Fmc.skycure.com%2Fapi%2Fexternal%2Fmdm%2Faad_app_consent%2Fmanagement_callback&response_type=code

2. You need to log in using your Azure Active Directory credentials. Click Accept to continue.
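Because admin consent grants the application permissions for the whole tenant, it is worth confirming what the URL in step 1 actually asks for before choosing Accept: the authority is login.microsoftonline.com, the path carries your tenant GUID rather than "common", prompt is admin_consent, and redirect_uri (which must be percent-encoded, hence the %3A%2F%2F sequence above) points at the vendor's own callback host. The following added example, written for this page rather than taken from Skycure or Microsoft, assembles the URL from its parts and runs those checks; the client_id and redirect host are the ones in the URL above, and the tenant GUID used at the bottom is a constructed placeholder.

```python
"""Build the Azure AD admin-consent URL from the step above, and check one
before it is opened.

Added illustration, not Skycure's or Microsoft's code. client_id and the
redirect host are taken from the URL on this page; the tenant ID in the
usage section is a constructed placeholder.
"""
import re
from typing import List
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "login.microsoftonline.com"
SKYCURE_CLIENT_ID = "28fd67fdb1794629a8b0dad420b697c7"          # from the page
SKYCURE_REDIRECT = ("https://mc.skycure.com/api/external/mdm/"
                    "aad_app_consent/management_callback")        # from the page
_GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def admin_consent_url(tenant_id: str, client_id: str = SKYCURE_CLIENT_ID,
                      redirect_uri: str = SKYCURE_REDIRECT) -> str:
    """Assemble the URL. urlencode percent-encodes redirect_uri, which is
    why the documented URL shows https%3A%2F%2Fmc.skycure.com%2F..."""
    if not _GUID.match(tenant_id):
        raise ValueError("DIRECTORY_ID must be the tenant GUID from the Azure AD Properties blade")
    query = urlencode({
        "client_id": client_id,
        "prompt": "admin_consent",
        "redirect_uri": redirect_uri,
        "response_type": "code",
    })
    return f"https://{AUTHORITY}/{tenant_id}/oauth2/authorize?{query}"


def check_consent_url(url: str, expected_redirect_host: str = "mc.skycure.com",
                      expected_client_id: str = SKYCURE_CLIENT_ID) -> List[str]:
    """Return the problems found; an empty list means the URL has the same
    shape as the documented one."""
    parts = urlsplit(url)
    problems: List[str] = []
    if parts.scheme != "https" or parts.netloc.lower() != AUTHORITY:
        problems.append("authority is not https://login.microsoftonline.com")
    m = re.match(r"^/([^/]+)/oauth2/authorize$", parts.path)
    if not m or not _GUID.match(m.group(1)):
        problems.append("path does not carry a tenant GUID (for example 'common' instead)")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if q.get("client_id") != expected_client_id:
        problems.append("client_id is not the expected application")
    if q.get("prompt") != "admin_consent":
        problems.append("prompt is not admin_consent")
    if q.get("response_type") != "code":
        problems.append("response_type is not code")
    redirect = urlsplit(q.get("redirect_uri", ""))
    if redirect.scheme != "https" or redirect.netloc.lower() != expected_redirect_host:
        problems.append(f"redirect_uri does not point to https://{expected_redirect_host}")
    return problems


if __name__ == "__main__":
    # Constructed placeholder; replace with the Directory ID you copied.
    url = admin_consent_url("11111111-2222-3333-4444-555555555555")
    print(url)
    print(check_consent_url(url) or "consistent with the documented URL")
```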

Create an Azure AD Security group for Skycure (optional)


You might want to create a dedicated user group that contains the users running Skycure (for example, "Skycure users"). This can
be helpful when analyzing Skycure activity through the reports.
Learn more about how to create a group and add members in Azure AD.

NOTE
You can also use an existing Azure AD security group.

Configure the Azure AD account to integrate Intune with Skycure


1. From the Skycure Management Console, enter the Azure Active Directory Tenant ID previously saved in the text
file.
IMPORTANT
Skycure validates that the Azure AD Tenant ID exists by querying Azure AD. Once Skycure finds it, the admin can proceed to the
next step, which is the Basic setup.

Next steps
Download Skycure iOS app configuration policy
Download Skycure iOS app configuration policy
6/22/2017 1 min to read

Before you begin


You need to log in to the Skycure Management Console to perform the next steps.

TIP
If using Microsoft Internet Explorer 11 or Edge, you might need to open the Skycure Management console using InPrivate
mode.

To download the iOS app configuration policy


1. Go to Skycure Management Console.
2. Enter your Skycure admin credentials, then click Continue.

IMPORTANT
The Skycure admin username is an e-mail address that must be a valid user account in Azure Active Directory;
otherwise the login will fail. Skycure uses Azure Active Directory to authenticate its admin username using Single Sign
On (SSO).

3. Go to Settings > Device Management Integrations > EMM Integration Selection, choose Microsoft
Intune, then save your selection.
4. Click on the Integration setup files link and save the generated *.zip file. The .zip file contains the
skycure_configuration.plist file, which will be used to create the iOS app configuration policy in the Intune
classic console.
Next steps
Add and assign Skycure apps, Microsoft Authenticator app and the iOS configuration policy
Set up the Skycure integration with Intune
6/22/2017 2 min to read

You need to add Skycure apps into Azure AD to have Single Sign On capabilities.

Before you begin


Azure AD account used to integrate Intune and Skycure
Make sure you have the Azure AD account properly configured in the Skycure Management console, before
starting the Skycure Basic setup process.
Full integration vs. Read-only
Skycure supports two modes of integration with Intune:
Read-only integration (Basic setup): Only inventories devices from Azure Active Directory and populates
them in the Skycure console.
If the Report the health and risk of devices to Intune and Also report security incidents to Intune
boxes are not selected in the Skycure Management console, the integration is read-only and therefore
will never change a device's state (compliant or non-compliant) in Intune.
Full integration: Allows Skycure to report device risk and security incident details to Intune, which creates
bi-directional communication between the two cloud services.
How are the Skycure apps used with Azure AD and Intune?
iOS app: Allows end-users to sign in to Azure AD using an iOS app.
Android app: Allows end-users to sign in to Azure AD using an Android app.
Management app: This is the Skycure Azure AD multi-tenant app which enables service-to-service
communication with Intune.

To set up the read-only integration between Intune and Skycure


IMPORTANT
The Skycure admin credential is an e-mail address that must belong to a valid user in the Azure Active Directory, otherwise the
login will fail. Skycure uses Azure Active Directory to authenticate its admin using Single Sign On (SSO).

1. Go to Skycure Management Console.


2. Enter your Skycure admin credentials, then click Continue.
3. Go to Settings, choose Basic Setup under Intune Integration.
4. On the iOS App label, click on Add to Active Directory.
5. A login page opens. Enter your Intune credentials, then click Accept.

6. Once the app is added into Azure AD, you can see an indication that the app was successfully added into
Azure AD on the Skycure Management console.
NOTE
Repeat the same process for the Skycure Android and Management apps.

Add an Azure AD Security group into Skycure


You need to add an Azure AD security group that contains all devices running Skycure.
1. Enter and select all the security groups of devices that are running Skycure, then click on Apply changes.

Skycure syncs the devices running its Mobile Threat Defense service with the Azure AD security groups.

Set up the full integration between Intune and Skycure


1. Go to Skycure Management Console.
2. Enter your Skycure admin credentials, then click Continue.
3. Go to Settings, choose Full Integration under Intune Integration.
4. Check the following settings:
a. Report the health and risk of device to Intune
b. Also report security incidents to Intune
5. Click on Apply changes.
Next steps
Enable Skycure Mobile Threat Defense in Intune
Add and assign Mobile Threat Defense (MTD) apps
with Intune
6/23/2017

You can use Intune to add and deploy MTD apps so end-users receive notifications when a threat is identified
on their mobile devices, and receive guidance to remediate the threats.
For iOS devices, you need the Microsoft Authenticator so users can have their identities checked by Azure AD.
Additionally, you need the iOS app configuration policy which signals the MTD iOS app to use with Intune.

TIP
The Intune company portal works as the broker on Android devices so users can have their identities checked by Azure AD.

Before you begin


The following steps need to be completed in the Azure portal.
Make sure you're familiar with the process of:
Adding an app into Intune.
Adding an iOS app configuration policy into Intune.
Assigning an app with Intune.
Adding an iOS app configuration policy.

To add apps
Skycure app for Android
See the instructions for adding Android store apps to Microsoft Intune. Use this Skycure app store URL on step
7.
Skycure app for iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this Skycure app store URL on step 5
under the Configure app information section.
Microsoft Authenticator app for iOS
See the instructions for adding iOS store apps to Microsoft Intune. Use this Microsoft Authenticator app store
URL on step 5 under the Configure app information section.
Lookout for work Android app
See the instructions for adding Android store apps to Microsoft Intune. Use this Lookout for work Google app
store URL on step 7.
Lookout for Work iOS app
See the instructions for adding iOS store apps to Microsoft Intune. Use this Lookout for Work iOS app store
URL on step 5 under the Configure app information section.
Lookout for Work app outside the Apple store
You need to re-sign the Lookout for Work iOS app. Lookout distributes its Lookout for Work iOS app outside of
the iOS App Store. Before distributing the app, you must re-sign the app with your iOS Enterprise Developer
Certificate.
For detailed instructions to re-sign the Lookout for Work iOS apps, see Lookout for Work iOS app re-signing
process on the Lookout website.
Enable Azure AD authentication for Lookout for Work iOS app
Enable Azure Active Directory authentication for the iOS users by doing the following:
1. Go to the Azure portal, sign in with your credentials, then navigate to the application page.
2. Add the Lookout for Work iOS app as a native client application.
3. Replace com.lookout.enterprise.yourcompanyname with the customer bundle ID you selected
when you signed the IPA.
4. Add additional redirect URI: <companyportal://code/> followed by a URL encoded version of your
original redirect URI.
5. Add Delegated Permissions to your app.

NOTE
See configure a native client application with Azure AD for more details.

Add the Lookout for Work ipa file


Upload the re-signed .ipa file as described in the Add iOS LOB apps with Intune topic. You also need to set the
minimum OS version to iOS 8.0 or later.

To associate the MTD app with an iOS app configuration policy


For Skycure
Use the same Azure AD account previously configured in the Skycure Management console, which should
be the same account used to log in to the Intune classic console.
You need to have the Skycure integration file ready to use. This is the .zip file previously downloaded from
the Skycure Management console, which contains the file skycure_configuration.plist with the iOS app
configuration policy parameters.
See the instructions for using Microsoft Intune app configuration policies for iOS to add the Skycure iOS
app configuration policy.
On step 8, use the option Enter XML data, copy the content from the skycure_configuration.plist file
and paste its content into the configuration policy body.
You can also copy the skycure_configuration.plist content from here:

<dict>
<key>MdmType</key>
<string>Intune</string>
<key>UserEmail</key>
<string>{{userprincipalname}}</string>
</dict>
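Before pasting the plist body into the policy, it is worth checking that it parses and carries exactly the two keys above with the Intune token intact. The following is an added example for this page (not Skycure or Microsoft code): it wraps the bare <dict> fragment in the plist envelope that plistlib needs (the envelope is an assumption), validates the keys, and shows what a device would receive once Intune substitutes {{userprincipalname}} for a sample UPN (the UPN is constructed).

```python
"""Validate a Skycure iOS app configuration payload before it goes into an
Intune app configuration policy. Added example, not Skycure's or Microsoft's
code; the <plist> envelope and the expected key set are assumptions based on
the fragment shown in the text."""
import plistlib
from typing import List

# The fragment from the text, exactly as shown (constructed copy).
SAMPLE_FRAGMENT = b"""<dict>
<key>MdmType</key>
<string>Intune</string>
<key>UserEmail</key>
<string>{{userprincipalname}}</string>
</dict>"""

# Keys the text shows and the values they must carry.
REQUIRED = {"MdmType": "Intune", "UserEmail": "{{userprincipalname}}"}

UPN_TOKEN = "{{userprincipalname}}"


def wrap_fragment(fragment: bytes) -> bytes:
    """Wrap a bare <dict> fragment in a complete plist document (assumed
    envelope). A payload that already contains <plist> is passed through."""
    if b"<plist" in fragment:
        return fragment
    return (b'<?xml version="1.0" encoding="UTF-8"?>\n'
            b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
            b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
            b'<plist version="1.0">\n' + fragment + b'\n</plist>\n')


def validate_config(fragment: bytes) -> List[str]:
    """Return a list of problems; an empty list means the payload is acceptable."""
    problems = []
    try:
        data = plistlib.loads(wrap_fragment(fragment))
    except Exception as exc:  # malformed XML or non-plist content
        return [f"not a parseable plist: {exc}"]
    if not isinstance(data, dict):
        return ["top-level element must be a <dict>"]
    for key, expected in REQUIRED.items():
        if key not in data:
            problems.append(f"missing key {key}")
        elif data[key] != expected:
            problems.append(f"{key} should be {expected!r}, got {data[key]!r}")
    extra = set(data) - set(REQUIRED)
    if extra:
        problems.append(f"unexpected keys: {sorted(extra)}")
    return problems


def render_for_user(fragment: bytes, upn: str) -> dict:
    """Show the dictionary a device would receive once Intune replaces the
    UPN token with the enrolled user's principal name."""
    data = plistlib.loads(wrap_fragment(fragment))
    return {k: (upn if v == UPN_TOKEN else v) for k, v in data.items()}


if __name__ == "__main__":
    print("problems:", validate_config(SAMPLE_FRAGMENT))
    print(render_for_user(SAMPLE_FRAGMENT, "alice@contoso.example"))
```

The validator deliberately rejects unexpected keys: an extra key is the most common sign that a different partner's configuration body was pasted by mistake.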

For Lookout
Create the iOS app configuration policy as described in the using iOS app configuration policy topic.
To assign MTD apps
See the instructions for assigning apps to groups with Intune.

Next steps
Set up the Skycure integration with Intune Set up the Lookout integration with Intune
Enable Mobile Threat Defense in Intune
6/22/2017

To enable the Mobile Threat Defense (MTD) connection in Intune, you should have already configured the Intune
Connector in the MTD solution console.

To enable the MTD connector


1. Go to the Azure portal, and sign in with your Intune credentials. After you've successfully signed in, you see
the Azure Dashboard.
2. On the Azure Dashboard, choose More services from the left menu, then type Intune in the text box
filter.
3. Choose Intune; the Intune Dashboard opens.
4. On the Intune Dashboard, choose Device compliance, then choose Mobile Threat Defense under the
Setup section.
5. On the Mobile Threat Defense blade, choose Add.
6. Choose your MTD solution as the Mobile Threat Defense connector to set up from the drop-down list.

7. Enable the toggle options according to your organization's requirements.

MTD toggle options


You can decide which MTD toggle options you need to enable according to your organization's requirements.
Here are more details:
Connect Android 4.1+ devices to [MTD partner name] for Work MTD: When you enable this option, you
can have Android 4.1+ devices reporting security risk back to Intune.
Mark as non-compliant if no data is received: If Intune doesn't receive data about a device on this
platform from the MTD partner, consider the device non-compliant.
Connect iOS 8.0+ devices to [MTD partner name] for Work MTD: When you enable this option, you can
have iOS 8.0+ devices reporting security risk back to Intune.
Mark as non-compliant if no data is received: If Intune doesn't receive data about a device on this
platform from the MTD partner, consider the device non-compliant.
Block unsupported OS versions: Block if the device is running an operating system less than the
minimum supported version.
Number of days until partner is unresponsive: Number of days of inactivity before Intune considers the
partner to be unresponsive because the connection is lost. Intune ignores compliance state for
unresponsive MTD partners.

IMPORTANT
You must add and assign the MTD apps before creating the device compliance and the conditional access policy rules. This
ensures that the MTD app is ready and available for end users to install before they can get access to email or other
company resources.

TIP
You can see the Connection status and the Last synchronized time between Intune and the MTD partner from the Mobile
Threat Defense blade.

Next steps
Create Mobile Threat Defense device compliance policy with Intune
Create Mobile Threat Defense (MTD) device
compliance policy with Intune
6/22/2017

Intune with MTD helps you detect threats and assess risk on mobile devices. You can create an Intune device
compliance policy rule that assesses risk to determine if the device is compliant or not. You can then use a
conditional access policy to block access to services based on device compliance.

Before you begin


As part of the MTD setup, in the MTD partner console, you created a policy that classifies various threats as high,
medium and low. You now need to set the Mobile Threat Defense level in the Intune device compliance policy.
Prerequisites for device compliance policy with MTD:
Set up MTD integration with Intune
Enable the MTD connector in Intune

To create an MTD device compliance policy


1. Go to the Azure portal, and sign in with your Intune credentials.
2. On the Azure Dashboard, choose More services from the left menu, then type Intune in the text box filter.
3. Choose Intune; the Intune Dashboard opens.
4. On the Intune Dashboard, choose Device compliance, then choose Policies under the Manage section.
5. Choose Create policy, enter the device compliance Name, Description, select the Platform, then choose
Configure under the Settings section.
6. On the compliance policy blade, choose Device Health.
7. On the Device Health blade, choose the Mobile Threat Level from the drop-down list under the Require
the device to be at or under the Mobile threat Defense Level.
a. Secured: This is the most secure. The device cannot have any threats present and still access company
resources. If any threats are found, the device is evaluated as non-compliant.
b. Low: The device is compliant if only low level threats are present. Anything higher puts the device in a
non-compliant status.
c. Medium: The device is compliant if the threats found on the device are low or medium level. If high level
threats are detected, the device is determined as non-compliant.
d. High: This is the least secure. This allows all threat levels, and uses Skycure Mobile Threat Defense for
reporting purposes only.
8. Click OK twice, then choose Create.
IMPORTANT
If you create conditional access policies for Office 365 or other services, the device compliance evaluation is assessed and
non-compliant devices are blocked from accessing corporate resources until the threat is resolved in the device.
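How the connector toggles from the previous topic and the Mobile Threat Level chosen in step 7 combine into a verdict is easier to see in code. The following is an added example for this page, not Intune code: it models the decision as this topic and the "MTD toggle options" section describe it. The threat-level ordering, the field names, and the sample dates and reports are assumptions.

```python
"""Model of how the MTD connector toggles and the compliance policy's Mobile
Threat Level combine into a compliant / non-compliant verdict. Added example
for this page, not Intune code; level ordering, field names and samples are
assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Threat levels as the policy orders them: a device is compliant when the
# worst threat reported on it is at or below the required level. "high"
# therefore accepts everything (reporting only), as the text says.
LEVELS = {"secured": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class ConnectorSettings:
    """The per-platform toggles on the Mobile Threat Defense blade."""
    platform_enabled: bool = True          # "Connect ... devices to [partner]"
    noncompliant_if_no_data: bool = True   # "Mark as non-compliant if no data is received"
    block_unsupported_os: bool = True      # "Block unsupported OS versions"
    days_until_unresponsive: int = 7       # "Number of days until partner is unresponsive" (assumed value)


@dataclass
class ThreatReport:
    """Constructed sample of what the partner last reported for one device."""
    device_id: str
    worst_threat: str      # one of LEVELS
    reported_at: datetime


def evaluate(required_level: str, settings: ConnectorSettings, os_supported: bool,
             report: Optional[ThreatReport], partner_last_sync: datetime,
             now: datetime) -> Tuple[bool, str]:
    """Return (compliant, reason) for the MTD rule of a device compliance policy."""
    if required_level not in LEVELS:
        raise ValueError(f"unknown threat level {required_level!r}")
    if not settings.platform_enabled:
        return True, "MTD reporting not enabled for this platform; rule not applied"
    if settings.block_unsupported_os and not os_supported:
        return False, "OS version below the minimum supported by the partner"
    if now - partner_last_sync > timedelta(days=settings.days_until_unresponsive):
        # Intune ignores the compliance state of an unresponsive partner.
        return True, "partner unresponsive; MTD compliance state ignored"
    if report is None:
        if settings.noncompliant_if_no_data:
            return False, "no data received for this device from the partner"
        return True, "no data received, but 'mark as non-compliant' is off"
    if LEVELS[report.worst_threat] <= LEVELS[required_level]:
        return True, f"worst threat {report.worst_threat} is within level {required_level}"
    return False, f"worst threat {report.worst_threat} exceeds level {required_level}"


# Constructed sample inputs used by sample_verdicts() and by the demo below.
NOW = datetime(2017, 6, 22, 12, 0)
FRESH_SYNC = NOW - timedelta(hours=1)
STALE_SYNC = NOW - timedelta(days=8)
SAMPLE_LOW = ThreatReport("dev-low", "low", FRESH_SYNC)
SAMPLE_HIGH = ThreatReport("dev-high", "high", FRESH_SYNC)


def sample_verdicts() -> Dict[str, bool]:
    """Run the constructed scenarios through evaluate() and return compliance only."""
    default = ConnectorSettings()
    return {
        "secured policy, low threat": evaluate("secured", default, True, SAMPLE_LOW, FRESH_SYNC, NOW)[0],
        "low policy, low threat": evaluate("low", default, True, SAMPLE_LOW, FRESH_SYNC, NOW)[0],
        "medium policy, high threat": evaluate("medium", default, True, SAMPLE_HIGH, FRESH_SYNC, NOW)[0],
        "high policy, high threat": evaluate("high", default, True, SAMPLE_HIGH, FRESH_SYNC, NOW)[0],
        "no report, mark non-compliant on": evaluate("secured", default, True, None, FRESH_SYNC, NOW)[0],
        "no report, mark non-compliant off": evaluate(
            "secured", ConnectorSettings(noncompliant_if_no_data=False), True, None, FRESH_SYNC, NOW)[0],
        "partner stale, high threat": evaluate("secured", default, True, SAMPLE_HIGH, STALE_SYNC, NOW)[0],
        "unsupported OS": evaluate("secured", default, False, SAMPLE_LOW, FRESH_SYNC, NOW)[0],
    }


if __name__ == "__main__":
    for scenario, compliant in sample_verdicts().items():
        print(f"{scenario:40s} compliant={compliant}")
```

Note the two "no data" paths: a device with no report is a gap in the partner's coverage and is handled by the per-platform toggle, while a partner that has gone silent for longer than the configured number of days drops out of the evaluation entirely, so devices keep whatever compliance state the remaining rules give them.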

To assign an MTD device compliance policy


To assign a device compliance policy to users, choose a policy that you have previously configured. Existing
policies can be found in the Device Compliance policies blade.
1. Choose the policy you want to assign to users and choose Assignments. This opens the blade where you
can select Azure Active Directory security groups and assign them to the policy.
2. Choose Select groups to open the blade that displays the Azure AD security groups. Choosing Select
deploys the policy to users.

NOTE
You have applied the policy to users. The devices used by the users who are targeted by the policy will be evaluated
for compliance.
Network access control (NAC) integration with Intune
6/23/2017

Intune integrates with network access control partners to help organizations secure corporate data when devices
try to access on-premises resources.

How do Intune and NAC solutions help protect your organization resources?


NAC solutions are responsible for checking the device enrollment and compliance state with Intune to make access
control decisions. If the device is not enrolled or is enrolled and not compliant with Intune device compliance
policies, the device should be redirected to Intune for enrollment and/or for a device compliance check.
Example
If the device is enrolled and compliant with Intune, the NAC solution should allow the device access to corporate
resources. For example, users can be allowed or denied access when trying to access corporate Wi-Fi or VPN
resources.

NAC and conditional access


NAC works with conditional access to provide access control decisions.
See common ways to use conditional access with Intune for more details.

How the NAC integration works


Here's an overview of how the NAC integration works with Intune. The first three steps describe the
onboarding process; once the NAC solution is integrated with Intune, steps 4-9 describe the ongoing operation.

1. Register the NAC partner solution with Azure Active Directory (AAD), and grant delegated permissions to
the Intune NAC API.
2. Configure the NAC partner solution with the appropriate settings including the Intune discovery URL.
3. Configure the NAC partner solution for certificate authentication.
4. The user connects to a corporate Wi-Fi access point or makes a VPN connection request.
5. The NAC partner solution forwards the device information to Intune and asks Intune about the device's
enrollment and compliance state.
6. If the device is not compliant or not enrolled, the NAC partner solution instructs the user to enroll or fix the
device compliance.
7. The device attempts to re-verify its compliance and/or enrollment state.
8. Once the device is enrolled and compliant, the NAC partner solution gets the state from Intune.
9. The connection is successfully established, which allows the device access to corporate resources.
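The ongoing operation in steps 4-9 can be simulated to see both sides' messages and the redirect / re-verify loop. The following is an added example for this page, not code from Intune or any NAC partner; the device identifiers, the shape of Intune's answer, and the remediation callback standing in for step 7 are constructed.

```python
"""Simulation of the ongoing NAC / Intune exchange (steps 4-9). Added example
for this page, not Intune or NAC partner code; device identifiers, the lookup
shape and the remediation callback are constructed."""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the enrollment/compliance state Intune returns for
# a device identifier (step 5). A real NAC solution queries the Intune NAC API.
INTUNE_STATE: Dict[str, Dict[str, bool]] = {
    "dev-001": {"enrolled": True, "compliant": True},
    "dev-002": {"enrolled": True, "compliant": False},
}


def intune_lookup(device_id: str) -> Dict[str, bool]:
    """Intune's answer to the NAC query; an unknown device is not enrolled."""
    return dict(INTUNE_STATE.get(device_id, {"enrolled": False, "compliant": False}))


def nac_decision(state: Dict[str, bool]) -> str:
    """Access decision the NAC solution derives from Intune's answer (steps 6, 9)."""
    if not state["enrolled"]:
        return "redirect:enroll"
    if not state["compliant"]:
        return "redirect:remediate"
    return "allow"


def connection_attempt(device_id: str,
                       remediate: Optional[Callable[[str, str], None]] = None,
                       max_rounds: int = 3) -> Tuple[str, List[str]]:
    """Run the request / verify / redirect / re-verify loop.

    Returns the final NAC decision and a transcript of both sides' messages.
    `remediate` plays the user's part in step 7; without it the loop stops at
    the first redirect, which is what the user sees until they act on it."""
    transcript = [f"device {device_id} -> NAC: connection request (Wi-Fi/VPN)"]
    decision = "redirect:enroll"
    for _ in range(max_rounds):
        transcript.append(f"NAC -> Intune: enrollment and compliance state of {device_id}?")
        state = intune_lookup(device_id)
        transcript.append(f"Intune -> NAC: {state}")
        decision = nac_decision(state)
        transcript.append(f"NAC -> device: {decision}")
        if decision == "allow" or remediate is None:
            break
        action = decision.split(":", 1)[1]
        remediate(device_id, action)              # step 7: user enrolls / fixes
        transcript.append(f"device {device_id}: {action} done, re-verifying")
    return decision, transcript


def sample_remediation(device_id: str, action: str) -> None:
    """Constructed step-7 behaviour: enrolling registers the device as enrolled
    but not yet compliant; remediating then makes it compliant."""
    entry = INTUNE_STATE.setdefault(device_id, {"enrolled": False, "compliant": False})
    if action == "enroll":
        entry["enrolled"] = True
    elif action == "remediate":
        entry["compliant"] = True


if __name__ == "__main__":
    final, lines = connection_attempt("dev-003", sample_remediation)
    print("\n".join(lines))
    print("final decision:", final)
```

The unknown-device branch matters for detection: a NAC solution that treated "no record in Intune" as anything other than "not enrolled" would let unmanaged devices onto the network, so the lookup maps missing records to the most restrictive state.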

Next steps
Integrate Cisco ISE with Intune
Integrate Citrix NetScaler with Intune
Integrate HP Aruba Clear Pass with Intune
Use Windows Hello for Business
6/19/2017

APPLIES TO: INTUNE ON AZURE


Microsoft Intune integrates with Windows Hello for Business (formerly Microsoft Passport for Work), an alternative
sign-in method that uses Active Directory or an Azure Active Directory account to replace a password, smart card,
or a virtual smart card.
Hello for Business lets you use a user gesture to sign in, instead of a password. A user gesture might be a simple
PIN, biometric authentication such as Windows Hello, or an external device such as a fingerprint reader.
Intune integrates with Hello for Business in two ways:
You can use an Intune policy to control which gestures users can and cannot use to sign in.

IMPORTANT
In Windows 10 desktop and mobile versions prior to the Anniversary Update, you could set two different PINs that could be
used to authenticate to resources:
The device PIN could be used to unlock the device and connect to cloud resources.
The work PIN was used to access Azure AD resources on users' personal devices (BYOD).
In the Anniversary Update, these two PINs were merged into one single device PIN. Any Intune configuration policies you set
to control the device PIN, and additionally, any Windows Hello for Business policies you configured, now both set this new
PIN value. If you have set both policy types to control the PIN, the Windows Hello for Business policy will be applied on both
Windows 10 desktop and mobile devices. To ensure policy conflicts are resolved and that the PIN policy is applied correctly,
update your Windows Hello for Business Policy to match the settings in your configuration policy, and ask your users to sync
their devices in the Company Portal app.

Create a Windows Hello for Business policy


1. In the Azure portal, choose More Services > Monitoring + Management > Intune.
2. On the Intune blade, choose Enroll devices, and then choose Manage > Windows Hello for Business.
3. On the blade that opens, choose the Default settings.
4. On the All Users blade, click Properties and then enter a Name and optional Description for the Windows
Hello for Business settings.
5. On the All Users blade, click Settings and then choose from the following for Configure Windows Hello
for Business:
Disabled. If you don't want to use Windows Hello for Business, select this setting. All other settings on
the screen are then unavailable.
Enabled. Select this setting if you want to configure Windows Hello for Business settings.
Not configured. Select this setting if you don't want to use Intune to control Windows Hello for
Business settings. Any existing Windows Hello for Business settings on Windows 10 devices will not be
changed. All other settings on the blade are unavailable.
6. If you selected Enabled in the previous step, configure the required settings that will be applied to all
enrolled Windows 10 and Windows 10 Mobile devices.
Use a Trusted Platform Module (TPM). A TPM chip provides an additional layer of data security.
Choose one of the following values:
Required (default). Only devices with an accessible TPM can provision Windows Hello for
Business.
Preferred. Devices first attempt to use a TPM. If this is not available, they can use software
encryption.
Require minimum PIN length/Require maximum PIN length. Configures devices to use the
minimum and maximum PIN lengths that you specify to help ensure secure sign-in. The default PIN
length is 6 characters, but you can enforce a minimum length of 4 characters. The maximum PIN
length is 127 characters.
Require lowercase letters in PIN/Require uppercase letters in PIN/Require special characters
in PIN. You can enforce a stronger PIN by requiring the use of uppercase letters, lowercase letters,
and special characters in the PIN. Choose from:
Allowed. Users can use the character type in their PIN, but it is not mandatory.
Required. Users must include at least one of the character types in their PIN. For example, it's
common practice to require at least one uppercase letter and one special character.
Not allowed (default). Users must not use these character types in their PIN. (This is also the
behavior if the setting is not configured.)
Special characters include: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
PIN expiration (days). It's a good practice to specify an expiration period for a PIN, after which
users must change it. The default is 41 days.
Remember PIN history. Restricts the reuse of previously used PINs. By default, the last 5 PINs
cannot be reused.
Allow biometric authentication. Enables biometric authentication, such as facial recognition or
fingerprint, as an alternative to a PIN for Windows Hello for Business. Users must still configure a
work PIN in case biometric authentication fails. Choose from:
Yes. Windows Hello for Business allows biometric authentication.
No. Windows Hello for Business prevents biometric authentication (for all account types).
Use enhanced anti-spoofing, when available. Configures whether the anti-spoofing features of
Windows Hello are used on devices that support it (for example, detecting a photograph of a face
instead of a real face).
If this is set to Yes, Windows requires all users to use anti-spoofing for facial features when that is
supported.
Use phone sign-in. If this option is set to Yes, users can use a remote passport to serve as a portable
companion device for desktop computer authentication. The desktop computer must be Azure Active
Directory joined, and the companion device must be configured with a Windows Hello for Business
PIN.
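To see how the PIN settings above interact, here is a checker that applies them to a candidate PIN and to its change history. It is an added example for this page, not Microsoft code: the defaults mirror the values given in the text (minimum length 6, maximum 127, expiration 41 days, history 5, character classes not allowed unless configured), while the rule names, the sample dates and the treatment of characters outside the listed classes are assumptions.

```python
"""Checker for the PIN rules a Windows Hello for Business policy can set.
Added example for this page, not Microsoft code; defaults follow the text,
everything else (rule names, sample dates, handling of other characters) is
assumed."""
import string
from dataclasses import dataclass
from datetime import date
from typing import List, Sequence

# The special characters listed in the text are exactly string.punctuation.
SPECIALS = frozenset(string.punctuation)

ALLOWED, REQUIRED, NOT_ALLOWED = "allowed", "required", "not_allowed"


@dataclass
class PinPolicy:
    min_length: int = 6            # default 6; the policy may go as low as 4
    max_length: int = 127          # hard maximum from the text
    lowercase: str = NOT_ALLOWED   # "Not allowed" is also the unconfigured behaviour
    uppercase: str = NOT_ALLOWED
    special: str = NOT_ALLOWED
    expiration_days: int = 41      # default PIN expiration
    history: int = 5               # the last N PINs cannot be reused


def check_pin(pin: str, policy: PinPolicy, previous_pins: Sequence[str] = ()) -> List[str]:
    """Return the rule violations for `pin`; an empty list means it is acceptable."""
    problems = []
    if len(pin) < policy.min_length:
        problems.append(f"shorter than the minimum length {policy.min_length}")
    if len(pin) > policy.max_length:
        problems.append(f"longer than the maximum length {policy.max_length}")
    classes = (
        ("lowercase", policy.lowercase, str.islower),
        ("uppercase", policy.uppercase, str.isupper),
        ("special", policy.special, SPECIALS.__contains__),
    )
    for name, rule, predicate in classes:
        present = any(predicate(c) for c in pin)
        if rule == REQUIRED and not present:
            problems.append(f"must contain at least one {name} character")
        elif rule not in (ALLOWED, REQUIRED) and present:
            # anything other than allowed/required behaves as "not allowed"
            problems.append(f"{name} characters are not allowed")
    # Assumption: only digits, letters and the listed specials are valid PIN characters.
    if any(not (c.isdigit() or c.islower() or c.isupper() or c in SPECIALS) for c in pin):
        problems.append("contains characters outside digits, letters and the listed special characters")
    recent = previous_pins[-policy.history:] if policy.history > 0 else ()
    if pin in recent:
        problems.append(f"matches one of the last {policy.history} PINs")
    return problems


def pin_expired(last_changed: date, policy: PinPolicy, today: date) -> bool:
    """True once the PIN is older than the policy's expiration period."""
    return (today - last_changed).days > policy.expiration_days


# Constructed sample dates for the demo and the checks.
SAMPLE_LAST_CHANGED = date(2017, 5, 1)
SAMPLE_TODAY = date(2017, 6, 22)

if __name__ == "__main__":
    strong = PinPolicy(min_length=4, lowercase=ALLOWED, uppercase=REQUIRED, special=REQUIRED)
    for candidate in ("123456", "Ab1!", "ab1!"):
        print(candidate, "default:", check_pin(candidate, PinPolicy()),
              "strong:", check_pin(candidate, strong))
    print("expired:", pin_expired(SAMPLE_LAST_CHANGED, PinPolicy(), SAMPLE_TODAY))
```

Running the default policy against a PIN that contains a letter shows why the note in the text matters: with nothing configured, letters and specials are rejected, so a policy that is meant to allow them must set each class explicitly.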

Further information
For more information about Microsoft Passport, see the guide in the Windows 10 documentation.
Role-based administration control (RBAC) with
Intune
6/22/2017

RBAC helps you control who can perform various Intune tasks within your organization, and who those tasks
apply to. You can either use the built-in roles that cover some common Intune scenarios, or you can create your
own roles. A role is defined by:
Role definition: The name of a role, the resources it manages, and the permissions granted for each resource.
Members: The user groups that are granted the permissions.
Scope: The user or device groups that the members can manage.
Assignment: When the definition, members, and scope have been configured, the role is assigned.

Starting with the new Intune portal, Azure Active Directory (Azure AD) provides two Directory Roles which can be
used with Intune. These roles are granted full permission to perform all activities in Intune:
Global Administrator: Users with this role have access to all administrative features in Azure AD, as well
as services that federate to Azure AD like Exchange Online, SharePoint Online, and Skype for Business
Online. The person who signs up for the Azure AD tenant becomes a global administrator. Only global
administrators can assign other Azure AD administrator roles. There can be more than one global
administrator at your organization. Global admins can reset the password for any user and all other
administrators.
Intune Service Administrator: Users with this role have global permissions within Intune when the
service is present. Additionally, this role provides the ability to manage users, devices, and create and
manage groups.
Conditional Access Administrator: Users with this role only have permissions to view, create, modify and
delete conditional access policies.

IMPORTANT
The Intune Service Administrator role does not provide the ability to manage Azure AD's conditional access settings.

TIP
Intune also shows three Azure AD extensions: Users, Groups, and Conditional access, which are controlled using
Azure AD RBAC. Additionally, the User Account Administrator only performs Azure AD user/group activities and does
not have full permissions to perform all activities in Intune. Refer to RBAC with Azure AD for more details.

Roles created in the Intune classic console


Only Intune Service Administrator users with "Full" permissions get migrated from the Intune classic console to
Intune on Azure. You need to re-assign Intune Service Administrator users with "Read-Only" or "Helpdesk"
access into the Intune roles in the Azure portal, and remove them from the classic portal.

IMPORTANT
You might need to keep the Intune Service Administrator access in the classic console if your admins still need access to
manage PCs with Intune.

Built-in roles
The following roles are built into Intune and you can assign them to groups with no further configuration:
Help Desk Operator: Performs remote tasks on users and devices and can assign applications or policies to
users or devices.
Policy and Profile Manager: Manages compliance policy, configuration profiles, Apple enrollment and
corporate device identifiers.
Read Only Operator: Views user, device, enrollment, configuration and application information and cannot
make changes to Intune.
Application Manager: Manages mobile and managed applications, and can read device information.
To assign a built-in role
1. On the Intune roles, choose the built-in role you want to assign.
2. On the <role name> - Properties blade, choose Manage, then Assignments.
NOTE
You cannot delete or edit the built-in roles.

3. On the custom role blade, choose Assign.


4. On the Role Assignments blade, enter a Name and optional Description for the assignment, and then
choose the following:
Members - Select a group that contains the user you want to give the permissions to.
Scope - Select a group containing the users who the member above will be allowed to manage.
5. When you are done, click OK. The new assignment is displayed in the list of assignments.
Intune RBAC table
Download the Intune RBAC table to see more details on what each role can do.

Custom roles
You can create a custom role that includes any permissions required for a specific job function. For example, if an
IT department group manages applications, policies and configuration profiles, you can add all those permissions
together in one custom role.

IMPORTANT
To create, edit, or assign roles, your account must have one of the following permissions in Azure AD:
Global Administrator
Intune Service Administrator

To create a custom role


1. Sign into the Azure portal with your Intune credentials.
2. Choose More services from the left menu, then type Intune in the text box filter.
3. Choose Intune; the Intune Dashboard opens. Choose Intune roles.
4. On the Intune roles blade, choose Intune roles, choose Add custom.
5. On the Add Custom Role blade, enter a name and description for the new role, then click Permissions.
6. On the Permissions blade, choose the permissions you want to use with this role. Use the Intune RBAC
table to help you decide which permissions you want to apply.
7. When you are done, choose OK.
8. On the Add Custom Role blade, click Create. The new role is displayed in the list on the Intune roles
blade.
To assign a custom role
1. On the Intune roles, choose the custom role you want to assign.
2. On the <role name> - Properties blade, choose Manage, then Assignments. On this blade, you can also
edit or delete existing roles.
3. On the custom role blade, choose Assign.
4. On the Role Assignments blade, enter a Name and optional Description for the assignment, and then
choose the following:
Members - Select a group that contains the user you want to give the permissions to.
Scope - Select a group containing the users who the member above will be allowed to manage.
5. When you are done, click OK. The new assignment is displayed in the list of assignments.

Next steps
Use the Intune Helpdesk operator role with the troubleshooting portal

See also
Assign roles using Azure AD
Help users with the Troubleshooting portal in
Microsoft Intune
6/30/2017

APPLIES TO: INTUNE ON AZURE


The troubleshooting portal lets help desk operators and Intune administrators view user information to fix user
help requests. Organizations that include help desk operators in their staff can assign the Help desk operator to a
group of users, who can then use the Troubleshoot blade to help users.
For example, when a user contacts support with a technical issue with Intune, the help desk operator enters the
user's name. Intune displays pertinent information that can help resolve many tier-1 issues such as user status,
app installation failure, or compliance issues. Issues addressed can include:
Device not responding
Device not getting VPN or Wi-Fi settings
App installation failure

Add help desk operators


An Intune administrator can assign help desk operator permission to users in two ways:
Assign the built-in Help Desk Operator role
Create and assign a custom role

Assign help desk operator role


As an Intune admin, you can assign the Help Desk Operator role to a user group. Members of that group can use
the admin portal. Each help desk operator must have an Intune license to access the Intune portal. Learn how to
assign Intune licenses.
1. As an Intune administrator, log in to the Intune portal, and select Intune roles.
2. On the Intune roles workload, select Help Desk Operator > Assignments, and then select Assign.
3. Type an Assignment name (required), an Assignment description (optional), and then assign Members
(Groups) and Scope (Groups).
4. Members of the Help Desk Operator role can now use the troubleshooting portal.
For more information about Intune roles, see Intune roles (RBAC).

Create a custom role for troubleshooting


As an Intune admin, you can create a custom role that lets users use the troubleshooting portal with permissions
that suit your organization's needs. For more information about Intune roles, see Intune roles (RBAC).

To use the Intune console for a help-desk view, a custom help desk role should have the following permissions:
MobileApps: Read
ManagedApps: Read
ManagedDevices: Read
Organization: Read
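The four parts of a role from the RBAC topic (definition, members, scope, assignment), together with the read-only help desk permissions listed just above, can be modelled as a small authorization check. The following is an added example for this page, not Intune code; the group names, the users and the Update action are constructed, and scope is simplified to "the target user is a member of one of the assignment's scope groups".

```python
"""Model of Intune role definition / members / scope / assignment, using the
read-only help desk permission set from the text. Added example, not Intune
code; groups, users and the Update action are constructed, and scope
semantics are simplified."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set, Tuple

Permission = Tuple[str, str]   # (resource, action), e.g. ("ManagedDevices", "Read")


@dataclass(frozen=True)
class RoleDefinition:
    """Role definition: a name plus the permissions granted per resource."""
    name: str
    permissions: FrozenSet[Permission]


@dataclass(frozen=True)
class RoleAssignment:
    """Assignment: a role, the groups that receive it (members) and the
    groups whose users the members may manage (scope)."""
    name: str
    role: RoleDefinition
    members: FrozenSet[str]
    scope: FrozenSet[str]


# Constructed directory: group name -> users.
GROUPS: Dict[str, Set[str]] = {
    "HelpDesk-Tier1": {"helpdesk1@contoso.example"},
    "Sales-Users": {"sales1@contoso.example"},
    "Engineering-Users": {"eng1@contoso.example"},
}

# The permissions the text lists for a custom help desk role.
HELP_DESK_READ = RoleDefinition(
    "Help desk (read-only)",
    frozenset({("MobileApps", "Read"), ("ManagedApps", "Read"),
               ("ManagedDevices", "Read"), ("Organization", "Read")}),
)

ASSIGNMENTS = [
    RoleAssignment("Tier-1 help desk for Sales", HELP_DESK_READ,
                   members=frozenset({"HelpDesk-Tier1"}),
                   scope=frozenset({"Sales-Users"})),
]


def groups_of(user: str) -> Set[str]:
    """Groups the user belongs to in the constructed directory."""
    return {g for g, users in GROUPS.items() if user in users}


def is_authorized(actor: str, resource: str, action: str,
                  target: Optional[str], assignments: Iterable[RoleAssignment]) -> bool:
    """True if some assignment grants `actor` (resource, action) and, when a
    target user is named, places that user in the assignment's scope."""
    actor_groups = groups_of(actor)
    for assignment in assignments:
        if (resource, action) not in assignment.role.permissions:
            continue                      # role does not carry the permission
        if not actor_groups & assignment.members:
            continue                      # actor is not a member
        if target is not None and not groups_of(target) & assignment.scope:
            continue                      # target is outside the scope groups
        return True
    return False


if __name__ == "__main__":
    for who, res, act, tgt in (
        ("helpdesk1@contoso.example", "ManagedDevices", "Read", "sales1@contoso.example"),
        ("helpdesk1@contoso.example", "ManagedDevices", "Read", "eng1@contoso.example"),
        ("helpdesk1@contoso.example", "ManagedDevices", "Update", "sales1@contoso.example"),
    ):
        print(who, act, res, "on", tgt, "->", is_authorized(who, res, act, tgt, ASSIGNMENTS))
```

The second and third checks are the ones worth keeping in mind when designing roles: a help desk operator scoped to Sales gets nothing on an Engineering user even with the right permission, and a read-only role never yields a write action no matter how wide the scope is.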

Access the troubleshooting portal


Help desk staff and Intune administrators can access the troubleshooting portal in two ways:
Open http://aka.ms/intunetroubleshooting in a web browser.
In the Intune portal, go to Help and Support > Troubleshoot.

Use the troubleshooting portal


In the troubleshooting portal, you can choose Select user to view a user's information. User information can help
you understand the current state of users and their devices. The troubleshooting portal shows the following
troubleshooting details:
Tenant status
User status
Devices and device actions
Group membership
App protection status
How to educate your end users about Microsoft
Intune
6/22/2017

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

Microsoft Intune helps you enable your workforce with mobile devices while keeping your corporate data
protected. There are many steps to ensuring a successful deployment, including evaluating Intune through a free
trial.
None of these technologies will ensure that your users understand the importance of why you're managing their
devices. In fact, many of your end users may feel as though you are infringing on their privacy - especially if you
are deploying Intune as a BYOD solution.

IMPORTANT
Understanding and proactively addressing your end users' concerns about why your company needs to manage devices is
critical to a successful rollout.

Adoption is not just about getting the technology working and distributed throughout your workforce, but about
getting your end user population to embrace the secured access that Intune provides them. Users may be
intimidated by enterprise mobility because, by and large, we aren't explaining to them what they need to know
about what enterprise mobility is for, and what it can (and can't) do.

Things to consider about your end users


What level of experience do your end users have? Your end users may have a range of experience with a
variety of technology. These experiences could be both positive and negative, from memorable photos they've
taken of their children, to that time they dropped their device into the sink and lost any data that wasn't backed up.
These experiences color how they approach technology, and what perceptions they have of personal and business
uses of devices.
What does mobility management mean to me? Users may not have a full understanding of what access you
do (and do not) have to their devices and their information. Users are likely to be concerned about the potential for
IT and leadership to keep track of their every move. This can be especially worrying for less experienced users, who
may believe that all activity on their devices is private. A more experienced user may have specific fears stemming
from "big brother" spying on their devices, and may then evangelize their concerns to coworkers.
How could this inconvenience my end users? It takes time to install apps, enroll devices, and maintain
compliance. Ensuring your corporate data's security is the top priority of any Intune deployment, but requiring an
unreasonable passcode on a personal device will cause your users to resent your management of their devices.
Sending required app updates in the middle of business-critical conference calls could cause your users to become
less productive, defeating the purpose of enabling them with mobile devices.

Things you should do


Assuaging these user concerns will make your deployment smoother. Here is a list of ways to make it
easier for your end users to embrace device management.
Be resourceful. The Intune documentation has a variety of content to help your end users figure out how
to do certain tasks, like enrolling and troubleshooting their devices. Among these are articles that users are
sent to from the Company Portal, which are divided into sections about Company Portal app installation
and Intune enrollment, general tasks that users can do on their devices, and troubleshooting. This
documentation can be found in our explanations of how to use managed devices to get work done.
Be accessible. End users need to know where they can get help with their devices. Be sure that you include
IT administrator contact information when you customize the Company Portal so that your users can get
help if they need it.
Be personal. Providing instructions that aren't specific to your deployment can make end users feel like
you haven't given any thought to their experience. You can use this customizable, end user Intune
enrollment template for IT administrators to create your own enrollment instructions for your end users.
Find different ways to communicate. As with different learning styles, users have preferred ways to
consume information. For users that prefer video to documentation, we offer video versions of how to
enroll various device types and more on Channel 9. These videos are available to embed directly into your
own SharePoint site or for download of local copies - either of the video or just of the audio track.
Be aware. Your end user experience will impact your productivity, and understanding their experience will
make it easier for you to troubleshoot their problems when they come to you. Understanding how end
users get their apps can make it much easier for you to diagnose what issues they're experiencing, and can
help you fix their problems faster.
Android
Using an Android device with Intune
How your Android users get their apps
iOS
Using an iOS device with Intune
How your iOS users get their apps
Windows
Using a Windows device with Intune
How your Windows users get their apps
Be forthcoming. Clearly tell your users what you're going to manage on their devices. Tell them what kind
of data you're collecting and why you're collecting it. Inform them of how you're planning to use all asset
data. Microsoft believes that you have a right to as much information as possible about how we handle
your customer data in the cloud, and we believe that this philosophy can greatly increase your end user
satisfaction with Intune.

NOTE
Transparency, wherever possible, is fundamental to the success of your deployment.

You're trying to combine trust with well-crafted compliance policies so that end users know that even if you could
look at certain types of personal data, you don't want to, and that you could incur liability for invading their
privacy. Crafting a statement with your legal and HR departments can help with particularly difficult employees.
Help end users understand Company Portal app messages
6/22/2017 3 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

NOTE
The following information applies only on devices with Android 6.0+.

At different points in the enrollment process, end users will see two different messages that could be cause for
concern.
Allow Company Portal to make and manage phone calls?
Allow Company Portal to access photos, media, and files on your device?

Allow Company Portal to make and manage phone calls?


Where it appears
The message Allow Company Portal to make and manage phone calls? appears when users tap Enroll in the
Company Portal app while they are enrolling their device.
What it means
By accepting this prompt, users allow their device's phone and IMEI numbers to be sent to the Intune service. These
will appear on the admin console on the Hardware page.

NOTE
The Company Portal app never makes or manages phone calls! The message text is controlled by Google and cannot
be changed.

To see the Hardware page, go to Groups > All mobile devices > Devices. Select the user's device, and go to
View Properties > Hardware.
What happens if users deny access
If users deny access, they can continue to use the Company Portal app and enroll their device. However, the device
phone number and IMEI number will be blank on the Hardware page in the admin console. The second time that
users sign in to the Company Portal app after denying access, the message displays a Never ask again check box
that users can select to stop the prompt.
If users allow, but then later deny access, the message appears the next time users sign in to the Company Portal
app after enrollment.
If users later decide to allow access, they can go to Settings > Apps > Company Portal > Permissions > Phone,
and turn it on.
How to explain this to your users
Send your users to Enroll your Android device in Intune for more information.

Allow Company Portal to access your contacts?


Where it appears
The message Allow Company Portal to access your contacts? appears when users tap Enroll in the Company
Portal app while they are enrolling their device.
What it means
By accepting this prompt, users allow Intune to create their work account and manage the Azure Active Directory
identity that is registered for the user on that device.

NOTE
Microsoft never accesses your contacts! The message text is controlled by Google and cannot be changed.

What happens if users deny access


If users deny access, their device will not be enrolled in Intune and cannot be managed. The second time that users
sign in to the Company Portal app after denying access, the message displays a Never ask again check box that
users can select to stop the prompt.
If users allow, but then later deny access, the message appears the next time users sign in to the Company Portal
app after enrollment.
If users later decide to allow access, they can go to Settings > Apps > Company Portal > Permissions > Phone,
and turn it on.
How to explain this to your users
Send your users to Enroll your Android device in Intune for more information.

Allow Company Portal to access photos, media, and files on your device?

Where it appears
The message Allow Company Portal to access photos, media, and files on your device? appears when users
tap Send Data to send logs to their IT admin.
What it means
By accepting this prompt, users allow their device to write data logs to the device's SD card and enable those logs
to be moved using a USB cable.

NOTE
The Company Portal app never accesses users' photos, media, and files! The message text is controlled by Google and
cannot be changed.

What happens if users deny access


If users deny access, they can still send data logs via email, but the logs won't be copied to the device's SD card.
The second time that users sign in to the Company Portal app after denying access, the message displays a Never
ask again check box that users can select so that the message never shows again. If users allow, but then later
deny access, the message appears the next time users try to send logs. If users later decide to allow access, they can
go to Settings > Apps > Company Portal > Permissions > Storage, and then turn on the permission.
How to explain this to your users
Send your users to Send logs to your IT admin by email. You can also send them to Send logs to your IT admin by
cable if you want to let them compare the two methods.
See also
What to tell your end users about using Intune
What to expect when your Android app is managed by app protection policies
6/22/2017 3 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

This topic describes the user experience for apps with app protection policies. App protection policies are applied
only when apps are used in a work context: for example, when the user is accessing apps with a work account or
accessing files that are stored in a company OneDrive business location.

Access apps
The Company Portal app is required for all apps that are associated with app protection policies on Android
devices.
For devices that are not enrolled in Intune, the Company Portal app must be installed on the device. However, the
user does not have to launch or sign into the Company Portal app before they can use apps that are managed by
app protection policies.
The Company Portal app is a way for Intune to share data in a secure location. Therefore, the Company Portal app
is a requirement for all apps that are associated with app protection policies, even if the device is not enrolled in
Intune.

Use apps with multi-identity support


App protection polices are only applied in the work context. Therefore, the app might behave differently depending
on whether the context is work or personal.
For example, the user gets a PIN prompt when accessing work data. For the Outlook app, the user is prompted for
a PIN when they launch the app. For the OneDrive app, the user is prompted for the pin when they type in the
work account. For Microsoft Word, PowerPoint, and Excel, the user is prompted for the pin when they access
documents that are stored in the company OneDrive for Business location.

Manage user accounts on the device


Intune supports the deployment of app protection policies to one user account per device only.
Depending on the app that you're using, the second user might be blocked on the device. However, in all
cases, only the first user who gets the app protection policies is affected by the policy.
Microsoft Word, Excel, and PowerPoint don't block a second user account, but the second user
account is not affected by the app protection policies.
For OneDrive and Outlook apps, you can only use one work account. You can't add multiple work
accounts for these apps. You can however, remove a user and add a different user on the device.
If a device has existing multiple user accounts before the app protection policies are deployed, the account
that the app protection policies are deployed to first is managed by Intune app protection policies.
Read the following example scenario to get a deeper understanding of how multiple user accounts are treated.
User A works for two companies, Company X and Company Y. User A has a work account for each company,
and both use Intune to deploy app protection policies. Company X deploys app protection policies before
Company Y. The account that's associated with Company X gets the app protection policy, but not the account
that's associated with Company Y. If you want the user account that's associated with Company Y to be managed
by the app protection policies, you must remove the user account that's associated with Company X.
Add a second account
Android
If you are using an Android device, you might see a blocking message with instructions to remove the existing
account and add a new one. To remove the existing account, go to Settings > General > Application Manager >
Company Portal. Then choose Clear Data.

View media files with the Azure Information Protection app


To view company AV, PDF, and image files on Android devices, use the Azure Information Protection app
(previously known as the Rights Management sharing app).
Download this app from the Google Play store.
The following file types are supported:
Audio: AAC LC, HE-AACv1 (AAC+), HE-AACv2 (enhanced AAC+), AAC ELD (enhanced low delay AAC), AMR-NB,
AMR-WB, FLAC, MP3, MIDI, Ogg Vorbis, PCM/WAVE
Video: H.263, H.264 AVC, MPEG-4 SP, VP8
Image: .jpg, .pjpg, .png, .ppng, .bmp, .pbmp, .gif, .pgif, .jpeg, .pjpeg
Documents: PDF, PPDF
PFILE: Pfile is a generic wrapper format for protected files that encapsulates the encrypted content and the Azure
Information Protection licenses. It can be used to protect any file type.
TEXT: Text files, including XML, CSV, and so on, can be opened for viewing in the app even when they are protected.
File types: .txt, .ptxt, .csv, .pcsv, .log, .plog, .xml, .pxml.

Next steps
What to expect when your iOS app is managed by app protection policies
What to expect when your iOS app is managed by app protection policies
6/22/2017 3 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

This topic describes the user experience when using apps that have app protection policies applied. App protection
policies are applied only when apps are used in the work context; for example, when the user is accessing apps with
a work account or accessing files that are stored in a company OneDrive for Business location.

Access apps
If the device is not enrolled in Intune, the user is asked to restart the app when they first use it. A restart is
required so that app protection polices can be applied to the app.
For devices that are enrolled for management in Intune, the user sees a message that their app is now
managed.

Use apps with multi-identity support


Apps that support multi-identity let you use different accounts (work and personal) to access the same apps, while
app protection policies are applied only when the apps are used in the work context.
For example, the user gets a PIN prompt when accessing work data. For the Outlook app, the user is prompted for
a PIN when they launch the app. For the OneDrive app, the user is prompted for a pin when they type in the work
account. For Microsoft Word, PowerPoint, and Excel, the user is prompted for a pin when they access documents
that are stored in the company OneDrive for Business location.
Learn more about the apps that support MAM and multi-identity with Intune.
App protection polices are only applied in the work context. Therefore, the app might behave differently depending
on whether the context is work or personal.

Manage user accounts on the device


Intune supports the deployment of app protection policies to one user account per device only.
Depending on the app that you are using, the second user might be blocked on the device. However, in all
cases, only the first user who gets the app protection policies is affected by the policy.
Microsoft Word, Excel, and PowerPoint don't block a second user account, but the second user
account is not affected by the app protection policies.
For OneDrive and Outlook apps, you can only use one work account. You can't add multiple work
accounts for these apps. You can however, remove a user and add a different user on the device.
If a device has existing multiple user accounts before the app protection policies are deployed, the account
that the app protection policies are deployed to first is managed by Intune app protection policies.
Read the following example scenario to get a deeper understanding of how multiple user accounts are treated.
User A works for two companies, Company X and Company Y. User A has a work account for each company,
and both use Intune to deploy app protection policies. Company X deploys app protection policies before
Company Y. The account that's associated with Company X gets the app protection policy, but not the account
that's associated with Company Y. If you want the user account that's associated with Company Y to be managed
by the app protection policies, you must remove the user account that's associated with Company X.
Add a second account
If you are using an iOS device, when you try to add a second work account on that device, you might see a blocking
message. The accounts will be displayed, and then you can choose the account you want to remove.

Next steps
What to expect when your Android app is managed by app protection policies
How your Android users get their apps
6/22/2017 2 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

Use this information to understand how and where your Android end users get the apps that you distribute
through Microsoft Intune. The information can vary by device type (native Android devices or Samsung Knox
Standard devices).

Native (non-Samsung Knox Standard) Android devices


App type: Available apps
    Line-of-business (LOB) apps: Users tap install in the Company Portal. A notification appears, which users then
    tap to start the installation. After the installation is successful, the notification disappears.
    Play Store apps: Users tap the app in the Company Portal and are taken to an app page in the Play Store, where
    they can start the installation.

App type: Required apps
    Line-of-business (LOB) apps: Users are shown a notification, which they cannot dismiss, indicating that they
    need to install an app. Users tap the notification to start the installation. After the installation is successful,
    the notification disappears.
    Play Store apps: Users are shown a notification, which they cannot dismiss, indicating that they need to install
    an app. Users tap the notification and are taken to an app page in the Play Store, where they can start the
    installation. After the installation is successful, the notification disappears.

Samsung Knox Standard Android devices


App type: Available apps
    Line-of-business (LOB) apps: Users tap install in the Company Portal. The app installs without further user
    intervention.
    Play Store apps: Users tap the app in the Company Portal and are taken to an app page in the Play Store, where
    they can start the installation.

App type: Required apps
    Line-of-business (LOB) apps: The app is installed without any user intervention.
    Play Store apps: Users are shown a notification, which they cannot dismiss, indicating that they need to install
    an app. Users tap the notification and are taken to an app page in the Play Store, where they can start the
    installation. After the installation is successful, the notification disappears.

Apps can be managed or unmanaged, as described below. The process of making apps managed is the same for
all types of Android devices.
Managed apps - These are apps that can be managed through policies. They have been "wrapped" by Intune or
built with the Intune Mobile Application Management (MAM) Software Development Kit (SDK). These apps can be
managed by Intune, and application policies can be applied to them.
Unmanaged apps - These are apps that cannot be managed through policies. They have not been wrapped by
Intune or do not incorporate the Intune MAM SDK. Application policies cannot be applied to these apps.
See also
Add apps with Microsoft Intune
How your iOS users get their apps
How your Windows users get their apps
How your iOS users get their apps
6/22/2017 1 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

Use this information to understand how and where your end users get the apps that you distribute through
Microsoft Intune.
Required apps--Apps that are required by the admin and that are installed on the device with minimal user
involvement, depending on the platform.
Available apps--Apps that are provided in the Company Portal app list and that a user may optionally choose to
install.
Managed apps--Apps that can be managed through policies and that have been "wrapped" by Intune or have
been built with the Intune Mobile Application Management (MAM) Software Development Kit (SDK). These apps
can be managed by Intune, and application policies can be applied to them.
Unmanaged apps--Apps that cannot be managed through policies because they have not been wrapped by Intune
and do not incorporate the Intune MAM SDK. Application policies cannot be applied to these apps.
Apple restrictions prohibit line-of-business and managed App Store apps from being listed in the Company Portal
app. To get around this issue, the tiles in the Company Portal app for iOS point users to different views in a single
location (the Company Portal website) for all of their apps.
Enrolled users get their apps by tapping on the following tiles on the Apps screen of the Company Portal app:
All Apps points to a list of all apps in the ALL tab of the Company Portal website.
Featured Apps take users to the FEATURED tab of the Company Portal website.
Categories points to the CATEGORIES tab of the Company Portal website.
For information on how to add apps and put them in these tiles, see Add apps for enrolled devices to Intune.
See also
How your Android users get their apps
How your Windows users get their apps
How your Windows users get their apps
6/22/2017 1 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

Use this information to understand how and where your users get the apps that you distribute through Microsoft
Intune.
Required apps are apps that the administrator requires and that are installed on the device with minimal user
involvement, depending on the platform.
Available apps are apps provided in the Company Portal app list that a user might choose to install.
Managed apps are apps that can be managed through policies: they have been "wrapped" by Intune or built with
the Intune Mobile Application Management (MAM) Software Development Kit (SDK). These apps can be managed
by Intune, and application policies can be applied to them.
Unmanaged apps are apps that cannot be managed through policies because they have not been wrapped by Intune
and do not incorporate the Intune MAM SDK. Application policies cannot be applied to these apps.
See also
How your Android users get their apps
How your iOS users get their apps
Set up a telecom expense management service in Intune
6/19/2017 5 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

Intune enables you to manage telecom expenses incurred from data usage on corporate-owned mobile devices. To
enable this capability, Intune has integrated with the third-party software developer Saaswedo's Datalert telecom
expense management solution. Datalert is real-time telecom expense management software that lets you manage
telecom data usage and avoid costly and unexpected data and roaming overages for your Intune-managed devices.
Intune's integration with Datalert enables you to centrally set, monitor and enforce roaming and domestic data
usage limits by using automated alerts when the limits exceed defined thresholds. You can configure the service to
apply different actions to individuals or groups of end users, including disabling roaming, when users exceed the
threshold. Reports that provide data usage and monitoring information are available from the Datalert
management console.
The following diagram shows how Intune integrates with Datalert.

Before you can use the Datalert service with Intune, you need to configure settings in the Datalert console and in
Intune. The connection must be turned on for the Datalert service and for Intune. If the Datalert side of the
connection is enabled, but not the Intune side, Intune receives the communication, but ignores it.

Supported platforms
Samsung Knox
iOS 8.0 and later

Prerequisites
A subscription to Microsoft Intune, and access to the Azure portal.
A subscription to the Datalert telecom expense management service
List of telecom expense management providers
Intune currently integrates with the following telecom expense management providers:
Saaswedo Datalert telecom expense management service

Deploy the Intune and Datalert integrated solution


Before you start, make sure that you already have an Intune and a Datalert telecom expense management service
subscription.
Step 1: Connect the Datalert service to Microsoft Intune
1. Sign into the Datalert management console with your administrator credentials.
2. On the Datalert management console, go to the Settings tab, and then to MDM configuration.
3. Select Unblock to enable you to enter the settings on the page.
4. For Server MDM, choose Microsoft Intune.
5. For Azure AD domain, enter your Azure tenant ID, and then select the Connection button.
Selecting Connection makes the Datalert service check in with Intune to ensure that there are no pre-existing
Datalert connections with Intune. After a few seconds, a Microsoft log-in page appears, followed by
the Datalert Azure authentication.
6. On the Microsoft authentication page, select Accept. You are redirected to a Datalert thank you page,
which closes after a few seconds. Datalert validates the connection, and displays green check marks beside a
list of items that it validated. If the validation fails, you see a message in red. If this happens, contact Datalert
Support for help.
The following screenshot shows the green check marks that you can expect to see once the connection is
successful.

Step 2: Check that the telecom expense management feature is Active in Intune
After you complete Step 1 above, your connection should be automatically enabled, and a connection status of
Active should be showing in the Azure portal. These steps show you how to check for the Active status.
1. Sign in to the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device Configuration blade, choose Setup > Telecom Expense Management.
Look for the Active connection status at the top of the page.

Step 3: Deploy the Datalert app to corporate enrolled devices


To ensure that data usage from only corporate-owned lines is collected, you need to create device categories in
Intune, and then target the Datalert app to only corporate phones. Complete the steps in the following subsections.
Define device categories and device groups mapped to the categories
Depending on your organizational needs, you'll need to create at least two device categories (for example,
Corporate and Personal) and create dynamic device groups for each category. You can create more categories for
your organization, as needed.
These categories will be shown to users during enrollment. Depending on which category users choose, the
enrolled device will be moved to the corresponding device group. For steps on how to create device categories, see
Map devices to groups.

Create the Datalert app in Intune


Follow these steps to create the Datalert app in Intune for each platform. iOS is used as an example in these steps.
1. On the Intune blade of the Azure portal, choose Mobile apps.
2. On the Mobile apps blade, choose Manage > Apps.
3. Select Add to add an app.
4. Select the app type. For example, for iOS, you would select iOS Store App.
5. In Search the App Store, look for the Datalert app by typing Datalert in the search window.
6. Select the Datalert app, and select OK.

7. Complete the remaining steps to create an app for iOS.

Assign the Datalert app to the corporate device group


1. Select the iOS Datalert app that you created in the previous step.
2. On the Apps blade, go to Manage > Assignments.
3. Choose Select groups, and follow the steps to select the corporate device group.
4. Choose whether to make the app installation required or optional for the group. The following example
screenshot shows the installation as required, which means that users must install the Datalert app
after enrolling their device.

Step 4: Add corporate paid phone lines to the Datalert console


You now have configured the Intune and Datalert services to communicate with each other. You now need to add
your corporate paid phone lines to the Datalert console and define thresholds and actions for any cellular or
roaming usage violations. You can either add corporate paid phone lines to the Datalert console manually or have
the lines added automatically after the device is enrolled into Intune.
To set these items, go to the Datalert setup for Microsoft Intune page
(http://www.datalert.fr/microsoft-intune/intune-setup), and follow the steps in the setup wizard under the Settings tab.

The Datalert service is now active, and it starts monitoring data usage and disabling cellular and roaming data on
devices that exceed the configured usage limits.

Client enrollment experience


For the client enrollment experience, see the following:
Enroll your iOS device in telecom expense management
Enroll your Android device in telecom expense management

Turning off the Datalert service


If you disable the Datalert service in the Azure portal:
All of the actions that have been applied to devices, due to past violations of the usage limits, are undone.
Users are no longer blocked from data access and roaming.
Intune still receives the signals coming from the service, but ignores them.
To turn off the service
1. On the Telecom Expense Management blade in the Azure portal, select Disable.
2. Select Save.

Viewing data usage and roaming reports


At this time, data usage reporting is available only in Saaswedo's Datalert management console.
The instructions that your end users follow to install the Datalert app will be added soon.
How to configure custom device settings in Microsoft Intune
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

When to use custom settings


Custom device settings are useful when the setting you want to configure is not built into Intune or available
from other device profiles. Custom settings are configured differently for each platform. For example,
with Android and Windows devices, you can specify Open Mobile Alliance Uniform Resource Identifier (OMA-URI)
values to control features on devices. For Apple devices, you can import a file you created with the Apple
Configurator.
Use the information in this topic to learn the basics about configuring profiles with custom settings, and then read
further topics for each platform to learn about device specifics.

Create a device profile containing custom settings


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the profiles blade, choose Create Profile.
6. On the Create Profile blade, enter a Name and Description for the custom profile.
7. From the Platform drop-down list, select the device platform to which you want to apply custom settings.
Currently, you can choose one of the following platforms for custom device settings:
Android
iOS
macOS
Windows Phone 8.1
Windows 10 and later
8. From the Profile type drop-down list, choose Custom.
9. Depending on the platform you chose, the settings you can configure will be different. Go to one of the
following topics for detailed settings for each platform:
Android settings
iOS settings
macOS settings
Windows Phone 8.1 settings
Windows 10 settings
Android for Work settings
10. When you're done, go back to the Create Profile blade, and hit Create.
The profile will be created and appears on the profiles list blade. If you want to go ahead and assign this profile to
groups, see How to assign device profiles.
Custom settings for Android devices in Microsoft Intune
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE

Looking for documentation about Intune in the classic console? Go to here.

Use the Microsoft Intune Android Custom profile to assign OMA-URI settings that can be used to control features
on Android devices. These are standard settings that many mobile device manufacturers use to control device
features.
This capability is intended to allow you to assign Android settings that are not configurable with Intune policies.

Custom profile settings for Android devices


1. Use the instructions in How to configure custom device settings in Microsoft Intune to get started.
2. On the Create Profile blade, choose Settings to add one or more OMA-URI settings.
3. On the Edit Row blade, configure the following values for each setting:
Name - Enter a unique name for the OMA-URI setting to help you identify it in the list of settings.
Description - Provide a description that gives an overview of the setting and other relevant information
to help you locate it.
Data type - Select the data type in which you will specify this OMA-URI setting. Choose from String,
String (XML), Date and time, Integer, Floating point, or Boolean.
OMA-URI - Specify the OMA-URI you want to supply a setting for.
Value - Enter the value you want to associate with the OMA-URI you entered.
4. Click OK once you are done, then continue to add more settings as required.
Use a Microsoft Intune custom device profile to create a Wi-Fi profile with a pre-shared key
6/19/2017 3 min to read

APPLIES TO: INTUNE ON AZURE


Here's how to use Intune's Custom device profiles to create a Wi-Fi profile with a pre-shared key. This topic also
has an example of how to create an EAP-based Wi-Fi profile.

NOTE
You might find it easier to copy the code from a computer that connects to that network, as described below.
For Android, you also have the option of using this Android PSK Generator provided by Johnathon Biersack.
You can add multiple networks and keys by adding more OMA-URI settings.
For iOS, use Apple Configurator on a Mac station to set up the profile. Alternatively, use this iOS PSK Mobile Config
Generator provided by Johnathon Biersack.

1. To create a Wi-Fi profile with a pre-shared key for Android or Windows or an EAP-based Wi-Fi profile, when
you create a device profile choose Custom for that device platform rather than a Wi-Fi profile.
2. Provide a name and description.
3. Add a new OMA-URI setting:
a. Enter a name for this Wi-Fi network setting.
b. Enter a description of the OMA-URI setting or leave blank.
c. Data Type: Set to String.
d. OMA-URI:
For Android: ./Vendor/MSFT/WiFi/Profile/<SSID>/Settings
For Windows: ./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml

NOTE
Be sure to include the dot character at the beginning.

<SSID> is the SSID for which you're creating the policy. For example, ./Vendor/MSFT/WiFi/Profile/Hotspot-1/Settings

e. Value Field is where you paste your XML code. Here's an example. Each value should be adapted to your
network settings. See the comments section of the code for some pointers.
4. Choose OK, save, and then assign the policy.
NOTE
This policy can only be assigned to user groups.

The next time each device checks in, the policy will be applied, and a Wi-Fi profile will be created on the device. The
device will be able to connect to the network automatically.

Android or Windows Wi-Fi profile


Here's an example of the XML code for an Android or Windows Wi-Fi profile:

IMPORTANT
<protected>false</protected> must be set to false, as true could cause the device to expect an encrypted password and then
try to decrypt it, which may result in a failed connection.
<hex>53534944</hex> should be set to the hexadecimal value of <name><SSID of wifi profile></name>. Windows 10
devices may return a false 0x87D1FDE8 Remediation failed error, but will still be provisioned with the profile.

<!--
<Name of wifi profile> = Name of profile
<SSID of wifi profile> = Plain text of SSID. Does not need to be escaped, could be <name>Your Company's Network</name>
<nonBroadcast><true/false></nonBroadcast>
<Type of authentication> = Type of authentication used by the network, such as WPA2PSK.
<Type of encryption> = Type of encryption used by the network
<protected>false</protected> do not change this value, as true could cause the device to expect an encrypted password and then try to decrypt it,
which may result in a failed connection.
<password> = Password to connect to the network
<hex>53534944</hex> should be set to the hexadecimal value of <name><SSID of wifi profile></name>
-->
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name><Name of wifi profile></name>
  <SSIDConfig>
    <SSID>
      <hex>53534944</hex>
      <name><SSID of wifi profile></name>
    </SSID>
    <nonBroadcast>false</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <autoSwitch>false</autoSwitch>
  <MSM>
    <security>
      <authEncryption>
        <authentication><Type of authentication></authentication>
        <encryption><Type of encryption></encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>networkKey</keyType>
        <protected>false</protected>
        <keyMaterial>MyPassword</keyMaterial>
      </sharedKey>
      <keyIndex>0</keyIndex>
    </security>
  </MSM>
</WLANProfile>
EAP-based Wi-Fi profile
Here's an example of the XML code for an EAP-based Wi-Fi profile:

<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>testcert</name>
  <SSIDConfig>
    <SSID>
      <hex>7465737463657274</hex>
      <name>testcert</name>
    </SSID>
    <nonBroadcast>true</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <autoSwitch>false</autoSwitch>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
        <FIPSMode xmlns="http://www.microsoft.com/networking/WLAN/profile/v2">false</FIPSMode>
      </authEncryption>
      <PMKCacheMode>disabled</PMKCacheMode>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <cacheUserData>false</cacheUserData>
        <authMode>user</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
            <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>13</Type>
                <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
                  <CredentialsSource>
                    <CertificateStore>
                      <SimpleCertSelection>true</SimpleCertSelection>
                    </CertificateStore>
                  </CredentialsSource>
                  <ServerValidation>
                    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                    <ServerNames></ServerNames>
                  </ServerValidation>
                  <DifferentUsername>false</DifferentUsername>
                  <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation>
                  <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
                  <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
                    <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
                      <AllPurposeEnabled>true</AllPurposeEnabled>
                      <CAHashList Enabled="true">
                        <IssuerHash>75 f5 06 9c a4 12 0e 9b db bc a1 d9 9d d0 f0 75 fa 3b b8 78 </IssuerHash>
                      </CAHashList>
                      <EKUMapping>
                        <EKUMap>
                          <EKUName>Client Authentication</EKUName>
                          <EKUOID>1.3.6.1.5.5.7.3.2</EKUOID>
                        </EKUMap>
                      </EKUMapping>
                      <ClientAuthEKUList Enabled="true"/>
                      <AnyPurposeEKUList Enabled="false">
                        <EKUMapInList>
                          <EKUName>Client Authentication</EKUName>
                        </EKUMapInList>
                      </AnyPurposeEKUList>
                    </FilteringInfo>
                  </TLSExtensions>
                </EapType>
              </Eap>
            </Config>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
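The two profile shapes above, generated and checked in code. This is an added example, not from the Intune documentation: build_psk_profile emits the element layout of the Android/Windows sample (computing the SSID <hex> from the name), and lint_profile checks the points the IMPORTANT note makes (<hex> must match the SSID, <protected> must be false, a PSK network must not set useOneX) and, on an EAP profile, reports PerformServerValidation set to false, since such a client does not verify the authentication server's certificate. Function names and the network values are this example's own.

```python
"""Added example (not part of the Intune topic): build the WLANProfile XML that is pasted into
the WlanXml / Settings OMA-URI value and lint a profile for the pitfalls the topic calls out.
Function names are this example's own; the network values are constructed."""
import xml.etree.ElementTree as ET

WLAN_NS = "http://www.microsoft.com/networking/WLAN/profile/v1"
EAPTLS_V2_NS = "http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2"
ET.register_namespace("", WLAN_NS)  # serialise xmlns="..." as the default namespace, as in the topic


def ssid_hex(ssid: str) -> str:
    """<hex> must hold the hex encoding of the SSID bytes: "SSID" -> 53534944."""
    return ssid.encode("utf-8").hex().upper()


def _child(parent: ET.Element, tag: str, text: str = None) -> ET.Element:
    """Append a child element in the WLAN profile namespace."""
    el = ET.SubElement(parent, f"{{{WLAN_NS}}}{tag}")
    el.text = text
    return el


def build_psk_profile(name: str, ssid: str, passphrase: str, hidden: bool = False,
                      authentication: str = "WPA2PSK", encryption: str = "AES") -> str:
    """Return a pre-shared-key profile with the same element layout as the topic's example."""
    root = ET.Element(f"{{{WLAN_NS}}}WLANProfile")
    _child(root, "name", name)
    ssid_cfg = _child(root, "SSIDConfig")
    ssid_el = _child(ssid_cfg, "SSID")
    _child(ssid_el, "hex", ssid_hex(ssid))
    _child(ssid_el, "name", ssid)
    _child(ssid_cfg, "nonBroadcast", "true" if hidden else "false")
    for tag, value in (("connectionType", "ESS"), ("connectionMode", "auto"), ("autoSwitch", "false")):
        _child(root, tag, value)
    security = _child(_child(root, "MSM"), "security")
    auth_enc = _child(security, "authEncryption")
    _child(auth_enc, "authentication", authentication)
    _child(auth_enc, "encryption", encryption)
    _child(auth_enc, "useOneX", "false")  # pre-shared-key networks do not use 802.1X
    shared = _child(security, "sharedKey")
    _child(shared, "keyType", "passPhrase")  # plaintext WPA2 passphrase (the topic's sample shows networkKey)
    _child(shared, "protected", "false")  # "true" makes the device expect an encrypted key and try to decrypt it
    _child(shared, "keyMaterial", passphrase)
    _child(security, "keyIndex", "0")
    return ET.tostring(root, encoding="unicode")


def lint_profile(xml_text: str) -> list:
    """Return findings for a PSK or EAP WLANProfile; an empty list means these checks pass."""
    root = ET.fromstring(xml_text)
    ns = {"w": WLAN_NS}

    def text(path: str) -> str:
        return (root.findtext(path, namespaces=ns) or "").strip()

    findings = []
    name, hx = text("w:SSIDConfig/w:SSID/w:name"), text("w:SSIDConfig/w:SSID/w:hex")
    if hx.upper() != ssid_hex(name):
        findings.append(f"<hex> {hx} is not the hex of SSID '{name}' (expected {ssid_hex(name)})")
    auth = text("w:MSM/w:security/w:authEncryption/w:authentication")
    use_onex = text("w:MSM/w:security/w:authEncryption/w:useOneX")
    if auth.endswith("PSK"):
        if use_onex != "false":
            findings.append("a PSK network must set <useOneX>false</useOneX>")
        if text("w:MSM/w:security/w:sharedKey/w:protected") != "false":
            findings.append("<protected> must be false; true leads to a failed connection")
        if not text("w:MSM/w:security/w:sharedKey/w:keyMaterial"):
            findings.append("<keyMaterial> is empty")
    if use_onex == "true":
        psv = root.find(f".//{{{EAPTLS_V2_NS}}}PerformServerValidation")
        if psv is None or (psv.text or "").strip().lower() != "true":
            findings.append("EAP profile does not validate the authentication server certificate")
    return findings


# Constructed EAP-TLS fragment carrying the server-validation setting from the topic's example.
EAP_SAMPLE = f"""<WLANProfile xmlns="{WLAN_NS}"><name>testcert</name>
<SSIDConfig><SSID><hex>7465737463657274</hex><name>testcert</name></SSID></SSIDConfig>
<MSM><security><authEncryption><authentication>WPA2</authentication>
<encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
<OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
<PerformServerValidation xmlns="{EAPTLS_V2_NS}">false</PerformServerValidation>
</EAPConfig></OneX></security></MSM></WLANProfile>"""

if __name__ == "__main__":
    profile = build_psk_profile("Hotspot-1", "Hotspot-1", "constructed-passphrase")
    print(profile)
    print("PSK findings:", lint_profile(profile))
    print("EAP findings:", lint_profile(EAP_SAMPLE))
```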

Create the XML file from an existing Wi-Fi connection


You can also create an XML file from an existing Wi-Fi connection:
1. On a computer that is connected to or has recently connected to the wireless network, open the following
folder: C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{guid}.
It's best to use a computer that has not connected to many wireless networks, because you'll have to search
through each profile to find the right one.
2. Search through the XML files to locate the one with the right name.
3. After you have located the correct XML file, copy and paste the XML code into the Data field of the OMA-URI
settings page.
Use a Microsoft Intune custom profile to create a per-app VPN profile for Android devices
6/19/2017 2 min to read

APPLIES TO: INTUNE ON AZURE


You can create a per-app VPN profile for Android 5.0 and later devices that are managed by Intune. First, create a
VPN profile that uses the Pulse Secure connection type. Then, create a custom configuration policy that associates
the VPN profile with specific apps.
After you assign the policy to your Android device or user groups, users should start the PulseSecure VPN.
PulseSecure then allows only traffic from the specified apps to use the open VPN connection.

NOTE
Only the Pulse Secure connection type is supported for this profile.

Step 1: Create a VPN profile


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the list of profiles blade, choose Create Profile.
6. On the Create Profile blade, enter a Name and optional Description for the VPN profile.
7. From the Platform drop-down list, choose Android.
8. From the Profile type drop-down list, choose VPN.
9. Choose Settings > Configure and then configure the VPN profile as per the settings in How to configure VPN
settings and Intune VPN settings for Android devices.
Take note of the Connection Name value you specify when creating the VPN profile. This name will be needed in
the next step. For example, MyAppVpnProfile.

Step 2: Create a custom configuration policy


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device Configuration blade, choose Manage > Profiles.
5. On the profiles blade, click Create Profile.
6. On the Create Profile blade, enter a Name and Description for the custom profile.
7. From the Platform drop-down list, choose Android.
8. From the Profile type drop-down list, choose Custom.
9. Choose Settings > Configure.
10. On the Custom OMA-URI Settings blade, choose Add.
Enter a setting name.
For Data type, specify String.
For OMA-URI, specify this string: ./Vendor/MSFT/VPN/Profile/Name/PackageList, where Name is
the VPN profile name you noted in Step 1. In this example, the string would be
./Vendor/MSFT/VPN/Profile/MyAppVpnProfile/PackageList.
For Value, create a semicolon-separated list of packages to associate with the profile. For example, if you
want Excel and the Google Chrome browser to use the VPN connection, enter
com.microsoft.office.excel;com.android.chrome.

Set your app list to blacklist or whitelist (optional)


You can specify a list of apps that cannot use the VPN connection by using the BLACKLIST value. All other apps
connect through the VPN. Alternatively, you can use the WHITELIST value to specify a list of apps that can use the
VPN connection. Apps that are not on the list do not connect through the VPN.
1. On the Custom OMA-URI Settings blade, choose Add.
2. Enter a setting name.
3. For Data type, specify String.
4. For OMA-URI, use this string: ./Vendor/MSFT/VPN/Profile/Name/Mode, where Name is the VPN profile
name you noted in Step 1. In our example, the string would be
./Vendor/MSFT/VPN/Profile/MyAppVpnProfile/Mode.
5. For Value, enter BLACKLIST or WHITELIST.

Step 3: Assign both policies


Use the instructions in How to assign device profiles to assign both profiles to the required users or devices.
Use custom policies to allow and block apps for Samsung KNOX Standard devices in Microsoft Intune
6/19/2017 2 min to read

APPLIES TO: INTUNE ON AZURE


Use the procedures in this topic to create a Microsoft Intune custom policy that creates one of the following:
A list of apps that are blocked from running on the device. Apps in this list are blocked from being run, even if
they were already installed when the policy was applied.
A list of apps that users of the device are allowed to install from the Google Play store. Only the apps you list can
be installed. No other apps can be installed from the store.
These settings can only be used by devices that run Samsung KNOX Standard.

Create an allowed or blocked app list


1. Sign into the Azure portal.
2. Choose More Services > Monitoring + Management > Intune.
3. On the Intune blade, choose Device configuration.
4. On the Device Configuration blade, choose Manage > Profiles.
5. In the list of profiles blade, choose Create Profile.
6. On the Create Profile blade, enter a Name and optional Description for this device profile.
7. Choose a Platform type of Android, and a Profile type of Custom.
8. Click Settings.
9. On the Custom OMA-URI Settings blade, choose Add.
10. In the Add or Edit OMA-URI Setting dialog box, specify the following:
For a list of apps that are blocked from running on the device:
Name - Enter PreventStartPackages.
Description - Enter an optional description like 'List of apps that are blocked from running.'
Data type - From the drop-down list, choose String.
OMA-URI - Enter ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/PreventStartPackages
Value - Enter a list of the app package names you want to block. You can use ; : , or | as a delimiter. (Example:
package1;package2;)
For a list of apps that users are allowed to install from the Google Play store while excluding all other apps:
Name - Enter AllowInstallPackages.
Description - Enter an optional description like 'List of apps that users can install from Google Play.'
Data type - From the drop-down list, choose String.
OMA-URI - Enter ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/AllowInstallPackages
Value - Enter a list of the app package names you want to allow. You can use ; : , or | as a delimiter. (Example:
package1;package2;)
11. Click OK, and then, on the Create Profile blade, choose Create.

TIP
You can find the package ID of an app by browsing to the app on the Google Play store. The package ID is contained in the
URL of the app's page. For example, the package ID of the Microsoft Word app is com.microsoft.office.word.

The next time each targeted device checks in, the app settings will be applied.
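The OMA-URI rows from the per-app VPN topic and the KNOX app lists above, built and checked in code; this is an added example, not from the Intune documentation. It catches the mistakes these topics warn about (a missing leading dot, a Name placeholder left unfilled, a Mode value other than BLACKLIST or WHITELIST) and splits lists on any of the accepted ; : , | delimiters. The function names and the Android package-name pattern are this example's own assumptions.

```python
"""Added example (not from the Intune documentation): build and check the custom OMA-URI
rows used for per-app VPN and Samsung KNOX app lists. Function names, the package-name
pattern and the sample values are this example's own."""
import re
from typing import Optional

# Assumed Android application ID shape: two or more dot-separated segments, each starting with a letter.
PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")
LIST_DELIMITERS = re.compile(r"[;:,|]")  # the KNOX lists accept ; : , or | as delimiter
LIST_SETTINGS = ("PackageList", "PreventStartPackages", "AllowInstallPackages")
VPN_MODES = ("BLACKLIST", "WHITELIST")


def check_oma_uri(uri: str) -> list:
    """Problems with an OMA-URI as typed into the blade; an empty list means it looks sound."""
    problems = []
    if not uri.startswith("./"):
        problems.append("must start with the dot character, e.g. ./Vendor/MSFT/...")
    if "" in uri.split("/")[1:]:
        problems.append("empty path segment: a Name or SSID placeholder was not filled in")
    if uri != uri.strip() or " " in uri:
        problems.append("contains whitespace")
    return problems


def split_package_list(value: str) -> list:
    """Split a package list on any accepted delimiter; a trailing delimiter ('a.b;c.d;') is fine."""
    return [p.strip() for p in LIST_DELIMITERS.split(value) if p.strip()]


def invalid_packages(value: str) -> list:
    """Entries that are not well-formed Android application IDs."""
    return [p for p in split_package_list(value) if not PACKAGE_RE.match(p)]


def per_app_vpn_rows(profile_name: str, packages: list, mode: Optional[str] = None) -> list:
    """OMA-URI rows for the per-app VPN custom profile; profile_name is the Connection Name from Step 1."""
    base = f"./Vendor/MSFT/VPN/Profile/{profile_name}"
    rows = [{"Name": f"{profile_name} package list", "Data type": "String",
             "OMA-URI": f"{base}/PackageList", "Value": ";".join(packages)}]
    if mode is not None:
        rows.append({"Name": f"{profile_name} mode", "Data type": "String",
                     "OMA-URI": f"{base}/Mode", "Value": mode})
    return rows


def knox_row(setting: str, packages: list) -> dict:
    """OMA-URI row for a KNOX Standard PreventStartPackages or AllowInstallPackages list."""
    return {"Name": setting, "Data type": "String",
            "OMA-URI": f"./Vendor/MSFT/PolicyManager/My/ApplicationManagement/{setting}",
            "Value": ";".join(packages)}


def validate_rows(rows: list) -> dict:
    """Map each row name to its problems; an empty dict means every row passes."""
    report = {}
    for row in rows:
        problems = check_oma_uri(row["OMA-URI"])
        leaf = row["OMA-URI"].rsplit("/", 1)[-1]
        if leaf in LIST_SETTINGS:
            bad = invalid_packages(row["Value"])
            if bad:
                problems.append(f"invalid package name(s): {bad}")
            if not split_package_list(row["Value"]):
                problems.append("package list is empty")
        if leaf == "Mode" and row["Value"] not in VPN_MODES:
            problems.append(f"Mode must be one of {VPN_MODES}")
        if problems:
            report[row["Name"]] = problems
    return report


if __name__ == "__main__":
    rows = per_app_vpn_rows("MyAppVpnProfile", ["com.microsoft.office.excel", "com.android.chrome"], "WHITELIST")
    rows.append(knox_row("PreventStartPackages", ["com.example.game"]))  # constructed package name
    print(validate_rows(rows) or "all rows pass")
```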
Microsoft Intune custom settings for iOS devices
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE


Use the Microsoft Intune iOS custom profile to assign settings that you created by using the Apple Configurator
tool to iOS devices. This tool lets you create many settings that control the operation of these devices and export
them to a configuration profile. You can then import this configuration profile into an Intune iOS custom profile
and assign the settings to users and devices in your organization.
This capability allows you to assign iOS settings that are not configurable with other Intune profile types.
1. Use the instructions in How to configure custom device settings in Microsoft Intune to get started.
2. On the Create Profile blade, specify the following:
Custom configuration profile name - Provide a name for the policy as it will be displayed on the device, and
in Intune status.
Configuration profile file - Browse to the configuration profile that you created by using the Apple
Configurator. Ensure that the settings you export from the Apple Configurator tool are compatible with the
version of iOS on the devices to which you assign the iOS custom policy. For information about how
incompatible settings are resolved, search for Configuration Profile Reference and Mobile Device
Management Protocol Reference on the Apple Developer website.
The file you imported will be displayed in the File contents area of the blade.
Custom settings for macOS devices in Microsoft Intune
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE


Use the Microsoft Intune macOS custom profile to assign settings that you created by using the Apple
Configurator tool to macOS devices. This tool lets you create many settings that control the operation of these
devices and export them to a configuration profile. You can then import this configuration profile into an Intune
macOS custom profile and assign the settings to users and devices in your organization.
This capability allows you to assign macOS settings that are not configurable with other Intune profile types.
1. Use the instructions in How to configure custom device settings in Microsoft Intune to get started.
2. On the Create Profile blade, specify the following:
Custom configuration profile name - Provide a name for the policy as it will be displayed on the device, and
in Intune status.
Configuration profile file - Browse to the configuration profile that you created by using the Apple
Configurator. Ensure that the settings you export from the Apple Configurator tool are compatible with the
version of macOS on the devices to which you assign the macOS custom policy. For information about how
incompatible settings are resolved, search for Configuration Profile Reference and Mobile Device
Management Protocol Reference on the Apple Developer website.
The file you imported will be displayed in the File contents area of the blade.
Custom settings for Windows Phone 8.1 devices in Microsoft Intune
6/19/2017 1 min to read

APPLIES TO: INTUNE ON AZURE


Use the Microsoft Intune Windows Phone 8.1 Custom profile to assign OMA-URI settings that can be used to
control features on Windows Phone 8.1 devices. These are standard settings that many mobile device
manufacturers use to control device features.
This capability is intended to allow you to assign settings that are not configurable with other Intune policies.

Custom policy settings for Windows Phone 8.1 devices


1. Use the instructions in How to configure custom device settings in Microsoft Intune to get started.
2. On the Create Profile blade, choose Settings to add one or more OMA-URI settings.
3. On the Add Row blade, configure the following values for each setting:
Name - Enter a unique name for the OMA-URI setting to help you identify it in the list of settings.
Description - Provide a description that gives an overview of the setting and other relevant information
to help you locate it.
OMA-URI - Specify the OMA-URI you want to supply a setting for.
Data type - Select the data type in which you will specify this OMA-URI setting. Choose from String,
Date and time, Integer, Floating point, or Boolean.
Value - Enter the value you want to associate with the OMA-URI you entered.
4. Click OK once you are done, then continue to add more settings as required.
Custom device settings for Windows 10 devices in Microsoft Intune
6/19/2017 2 min to read

APPLIES TO: INTUNE ON AZURE


Use the Microsoft Intune custom profile for Windows 10 and Windows 10 Mobile to deploy OMA-URI (Open
Mobile Alliance Uniform Resource Identifier) settings that can be used to control features on devices. Windows 10
makes many CSP settings available, for example, the Policy Configuration Service Provider (Policy CSP). If you are
looking for a particular setting, remember that the Windows 10 device restriction profile contains many settings
that are built-in to Intune and do not require you to specify custom values.
1. Use the instructions in How to configure custom device settings in Microsoft Intune to get started.
2. On the Create Profile blade, choose Settings to add one or more OMA-URI settings.
3. On the Custom OMA-URI Settings blade, click Add to add a new value. You can also click Export to create a
list of all the values you configured in a comma-separated values (.csv) file.
4. For each OMA-URI setting you want to add, enter the following information. Use the list in this topic to learn
about the settings you can use:
Setting name - Enter a unique name for the OMA-URI setting to help you identify it in the list of
settings.
Setting description - Optionally, enter a description for the setting.
Data type - Choose from:
String
String (XML)
Date and time
Integer
Floating point
Boolean
OMA-URI (case sensitive) - Specify the OMA-URI you want to supply a setting for.
Value - Specify the value to associate with the OMA-URI you entered.
5. When you're done, go back to the Create Profile blade, and hit Create. The profile will be created and appears
on the profiles list blade.

Example
In the screenshot below, the setting Connectivity/AllowVPNOverCellular has been enabled. This lets a Windows
10 device open a VPN connection when on a cellular network.
How to find the policies you can configure
You'll find a complete list of all configuration service providers (CSPs) that Windows 10 supports in the
Configuration service provider reference in the Windows documentation library.
Not all settings are compatible with all Windows 10 versions. The table in the Windows topic tells you which
versions are supported for each CSP.
Additionally, Intune does not support all of the settings listed in the topic. To find out if Intune supports the setting
you want, open the topic for that setting. Each setting page shows its supported operation. To work with Intune,
the setting must support the Add or Replace operations.
Create Intune custom profile settings for Android for Work devices
6/19/2017 2 min to read

Use the Intune Android for Work custom configuration policy to assign OMA-URI settings that can be used to
control features on Android for Work devices. These are standard settings that many mobile device manufacturers
use to control device features.
This capability is intended to allow you to assign Android settings that are not configurable with Intune policies.
Intune supports a limited number of Android custom policies at present. See the examples in this topic to find out
which policies you can configure.

Create a custom profile


1. Use the instructions in How to configure custom device settings to get started.
2. On the Custom OMA-URI Settings blade, choose Add to add a new setting.
3. On the Add Row blade, configure the following:
Name - Enter a unique name for the Android for work custom settings to help you identify it in the
Intune portal.
Description - Provide a description that gives an overview of the Android custom policy and other
relevant information that helps you to locate it.
OMA-URI - Enter the OMA-URI you want to supply a setting for.
Data type - Select the data type in which you will specify this OMA-URI setting. Choose from String,
String (XML file), Date and time, Integer, Floating point, Boolean, or Base64 (file).
Value - Specify the value to associate with the OMA-URI that you specified previously. The method you
use to supply this value will vary according to the data type you selected. For example, if you chose Date
and time, you'll select the value from a date picker.
4. When you have finished, choose OK to return to the Custom OMA-URI Settings, and then add more settings,
or choose Create to create the custom profile.

Example
In this example, you'll create a custom profile that can be used to restrict whether copy and paste actions between
work and personal apps are allowed on managed Android for Work devices.
1. Use the procedure in this topic to create a custom profile for Android for Work devices using the following
values:
Name - Enter "Block copy and paste" or text of your own choosing.
Description - Enter "Blocks copy/paste between work and personal apps" or text of your own choosing.
OMA-URI - Enter ./Vendor/MSFT/WorkProfile/DisallowCrossProfileCopyPaste.
Data type - Select Boolean to indicate that the value for this OMA-URI is either True or False.
Value - Select True.
2. You should end up with a setting looking similar to this image.
3. Now, when you assign this custom profile to Android for Work devices you manage, copy and paste will be
blocked between apps in the work and personal profiles.
Prepare line of business apps for MAM
6/19/2017 3 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

You can enable your apps to use mobile application management (MAM) policies by using either the Intune App
Wrapping Tool or the Intune App SDK. Use this information to learn about these two methods and when to use
them.

Intune App Wrapping Tool


The App Wrapping Tool is used primarily for internal line-of-business (LOB) apps. The tool is a command line
application that creates a wrapper around the app, which then allows the app to be managed by an Intune MAM
policy.
You don't need the source code to use the tool, but you do need signing credentials. For more about signing
credentials, see the Intune blog. For the App Wrapping Tool documentation, see Android App Wrapping Tool and
iOS App Wrapping Tool.
The App Wrapping Tool does not support apps in the Apple App Store or Google Play Store. It also doesn't
support certain features that require developer integration (see the following feature comparison table).
For more information about the App Wrapping Tool for MAM on devices that are not enrolled in Intune, see
Protect line of business apps and data on devices not enrolled in Microsoft Intune.
Reasons to use the App Wrapping Tool:
Your app does not have built-in data protection features.
Your app is simple.
Your app is deployed internally.
You don't have access to the app's source code.
You didn't develop the app.
Your app has minimal user authentication experiences.
Supported app development platforms

APP WRAPPING TOOL | XAMARIN | CORDOVA
iOS               | Yes     | Yes
Android           | No      | Yes

Intune App SDK


The App SDK is designed mainly for customers who have apps in the Apple App Store or Google Play Store, and
want to be able to manage the apps with Intune. However, any app can take advantage of integrating the SDK,
even line-of-business apps.
To learn more about the SDK, see the Overview. To get started with the SDK, see Getting Started With the
Microsoft Intune App SDK.
Reasons to use the SDK
Your app does not have built-in data protection features.
Your app is complex and contains many experiences.
Your app is deployed on a public app store such as Google Play or Apple's App Store.
You are an app developer and have the technical background to use the SDK.
Your app has other SDK integrations.
Your app is frequently updated.
Supported app development platforms

INTUNE APP SDK | XAMARIN                                         | CORDOVA
iOS            | Yes - use the Intune App SDK Xamarin Component. | Yes - use the Intune App SDK Cordova Plugin.
Android        | Yes - use the Intune App SDK Xamarin Component. | Yes - use the Intune App SDK Cordova Plugin.

Feature comparison
This table lists the settings that you can use for the App SDK and App Wrapping Tool.

NOTE
The App Wrapping Tool can be used with Intune standalone or Intune with Configuration Manager.

FEATURE                                                             | APP SDK | APP WRAPPING TOOL
Restrict web content to display in a corporate managed browser      | X       | X
Prevent Android, iTunes or iCloud backups                           | X       | X
Allow app to transfer data to other apps                            | X       | X
Allow app to receive data from other apps                           | X       | X
Restrict cut, copy and paste with other apps                        | X       | X
Require simple PIN for access                                       | X       | X
Replace built-in app PIN with Intune PIN                            | X       |
Specify the number of attempts before PIN reset                     | X       | X
Allow fingerprint instead of PIN                                    | X       | X
Require corporate credentials for access                            | X       | X
Block managed apps from running on jailbroken or rooted devices     | X       | X
Encrypt app data                                                    | X       | X
Recheck the access requirements after a specified number of minutes | X       | X
Specify the offline grace period                                    | X       | X
Block screen capture (Android only)                                 | X       | X
Support for MAM without device enrollment                           | X       | X
Full Wipe                                                           | X       | X
Selective Wipe                                                      | X       | Note: For iOS, when the management profile is removed, the app is also removed.
Prevent Save as                                                     | X       |
Targeted Application Configuration                                  | X       |
Support for Multi-Identity                                          | X       |
Customizable Style                                                  | X       |

See also
Android app wrapping tool
iOS app wrapping tool
Use the SDK to enable apps for mobile application management
Prepare iOS apps for mobile application management with the Intune App Wrapping Tool
6/19/2017 20 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

Use the Microsoft Intune App Wrapping Tool for iOS to enable Intune app protection policies for in-house iOS
apps without changing the code of the app itself.
The tool is a macOS command-line application that creates a wrapper around an app. Once an app is processed,
you can change the app's functionality by deploying app protection policies to it.
To download the tool, see Microsoft Intune App Wrapping Tool for iOS on GitHub.

General prerequisites for the App Wrapping Tool


Before you run the App Wrapping Tool, you need to fulfill some general prerequisites:
Download the Microsoft Intune App Wrapping Tool for iOS from GitHub.
A macOS computer that runs OS X 10.8.5 or later and has the Xcode toolset version 5 or later installed.
The input iOS app must be developed and signed by your company or an independent software vendor
(ISV).
The input app file must have the extension .ipa or .app.
The input app must be compiled for iOS 8.0 or later.
The input app cannot be encrypted.
The input app cannot have extended file attributes.
The input app must have entitlements set before being processed by the Intune App Wrapping Tool.
Entitlements give the app additional permissions and capabilities beyond those typically granted. See
Setting app entitlements for instructions.

Apple Developer prerequisites for the App Wrapping Tool


To distribute wrapped apps exclusively to your organization's users, you need an account with the Apple
Developer Enterprise Program and several entities for app signing that are linked to your Apple Developer
account.
To learn more about distributing iOS apps internally to your organization's users, read the official guide to
Distributing Apple Developer Enterprise Program Apps.
You will need the following to distribute apps wrapped by Intune:
A developer account with the Apple Developer Enterprise Program.
In-house and ad-hoc distribution signing certificate with valid Team Identifier.
You will need the SHA1 hash of the signing certificate as a parameter to the Intune App Wrapping Tool.
In-house distribution provisioning profile.
Steps to create an Apple Developer Enterprise account
1. Go to the Apple Developer Enterprise Program site.
2. In the top right of the page, click Enroll.
3. Read the checklist of what you need to enroll. Click Start Your Enrollment at the bottom of the page.
4. Sign in with the Apple ID of your organization. If you don't have one, click Create Apple ID.
5. Select your Entity Type and click Continue.
6. Fill out the form with your organization's information. Click Continue. At this point, Apple contacts you to
verify that you are authorized to enroll your organization.
7. After verification, click Agree to License.
8. After agreeing to license, finish by purchasing and activating the program.
9. If you are the team agent (the person who joins the Apple Developer Enterprise Program on behalf of your
organization), build your team first by inviting team members and assigning roles. To learn how to manage
your team, read the Apple documentation on Managing Your Developer Account Team.
Steps to create an Apple signing certificate
1. Go to the Apple Developer portal.
2. In the top right of the page, click Account.
3. Sign in with your organizational Apple ID.
4. Click Certificates, IDs & Profiles.

5. Click the add (+) button in the top right corner to add an iOS certificate.


6. Choose to create an In-House and Ad Hoc certificate under Production.
NOTE
If you do not plan to distribute the app, and only want to test it internally, you can use an iOS App Development
certificate instead of a certificate for Production. If you use a development certificate, make sure the mobile
provisioning profile references the devices on which the app will be installed.

7. Click Next at the bottom of the page.
8. Read the instructions on creating a Certificate Signing Request (CSR) using the Keychain Access
application on your macOS computer.
9. Follow the instructions above to create a Certificate Signing Request. On your macOS computer, launch the
Keychain Access application.
10. On the macOS menu at the top of the screen, go to Keychain Access > Certificate Assistant > Request a
Certificate From a Certificate Authority.

11. Follow the instructions from the Apple developer site above on how to create a CSR file. Save the CSR file to
your macOS computer.
12. Return to the Apple developer site. Click Continue. Then upload the CSR file.
13. Apple generates your signing certificate. Download and save it to a memorable location on your macOS
computer.

14. Double-click the certificate file you just downloaded to add the certificate to a keychain.
15. Open Keychain Access again. Locate your certificate by searching for its name in the top right search bar.
Right-click on the item to bring up the menu and click Get Info. In the example screens, we are using a
development certificate instead of a production certificate.
16. An informational window appears. Scroll to the bottom and look under the Fingerprints label. Copy the
SHA1 string (blurred out) to use as the argument for "-c" for the App Wrapping Tool.

Steps to create an In-House Distribution Provisioning profile
1. Go back to the Apple Developer account portal and sign in with your organizational Apple ID.
2. Click Certificates, IDs & Profiles.
3. Click the + button in the top right corner to add an iOS provisioning profile.
4. Choose to create an In House provisioning profile under Distribution.
5. Click Continue. Make sure to link the previously generated signing certificate to the provisioning profile.
6. Follow the steps to download your profile (with extension .mobileprovision) to your macOS computer.
7. Save the file in a memorable location. This file will be used for the -p parameter while using the App
Wrapping Tool.

Download the App Wrapping Tool
1. Download the files for the App Wrapping Tool from GitHub to a macOS computer.
2. Double-click Microsoft Intune App Wrapping Tool for iOS.dmg. A window with the End User License
Agreement (EULA) will appear. Read the document carefully.
3. Choose Agree to accept EULA, which mounts the package to your computer.
4. Open the IntuneMAMPackager folder and save its contents to your macOS computer. You are now ready
to run the App Wrapping Tool.

Run the App Wrapping Tool
Use terminal
Open the macOS Terminal program and navigate to the folder where you saved the app wrapping tool files. The
executable tool is named IntuneMAMPackager and is located in IntuneMAMPackager/Contents/MacOS. Run the
command as follows:

./IntuneMAMPackager/Contents/MacOS/IntuneMAMPackager -i /<path of input app>/<app filename> -o /<path to output folder>/<app filename> -p /<path to provisioning profile> -c <SHA1 hash of the certificate> [-b [<output app build string>]] [-v] [-e] [-x /<array of extension provisioning profile paths>]

NOTE
Some parameters are optional as shown in the following table.

Example: The following example command runs the App Wrapping Tool on the app named MyApp.ipa. A
provisioning profile and SHA-1 hash of the signing certificate are specified and used to sign the wrapped app. The
output app (MyApp_Wrapped.ipa) is created and stored in your Desktop folder.

./IntuneMAMPackager/Contents/MacOS/IntuneMAMPackager -i ~/Desktop/MyApp.ipa -o ~/Desktop/MyApp_Wrapped.ipa -p ~/Desktop/My_Provisioning_Profile_.mobileprovision -c "12 A3 BC 45 D6 7E F8 90 1A 2B 3C DE F4 AB C5 D6 E7 89 0F AB" -v true

Command-line parameters
You can use the following command line parameters with the App Wrapping Tool:

PROPERTY   HOW TO USE IT

-i         <Path of the input native iOS application file>. The file name must end in .app or .ipa.
-o         <Path of the wrapped output application>
-p         <Path of your provisioning profile for iOS apps>
-c         <SHA1 hash of the signing certificate>
-h         Shows detailed usage information about the available command line properties for the App Wrapping Tool.
-v         (Optional) Outputs verbose messages to the console. It is recommended to use this flag to debug any errors.
-e         (Optional) Use this flag to have the App Wrapping Tool remove missing entitlements as it processes the app. See Setting app entitlements for more details.
-xe        (Optional) Prints information about the iOS extensions in the app and what entitlements are required to use them. See Setting app entitlements for more details.
-x         (Optional) <An array of paths to extension provisioning profiles>. Use this if your app needs extension provisioning profiles.
-f         (Optional) <Path to a plist file specifying arguments>. Use this flag in front of the plist file if you choose to use the plist template to specify the rest of the IntuneMAMPackager properties like -i, -o, and -p. See Use a plist to input arguments.
-b         (Optional) Use -b without an argument if you want the wrapped output app to have the same bundle version as the input app (not recommended). Use -b <custom bundle version> if you want the wrapped app to have a custom CFBundleVersion. If you choose to specify a custom CFBundleVersion, it's a good idea to increment the native app's CFBundleVersion by the least significant component, like 1.0.0 -> 1.0.1.

Use a plist to input arguments
An easy way to run the App Wrapping Tool is to put all the command arguments into a plist file. Plist is a file
format similar to XML that you can use to input your command line arguments using a form interface.
In the IntuneMAMPackager/Contents/MacOS folder, open Parameters.plist (a blank plist template) with a text editor
or Xcode. Enter your arguments for the following keys:

PLIST KEY                              DEFAULT VALUE   NOTES

Input Application Package Path         empty           Same as -i
Output Application Package Path        empty           Same as -o
Provisioning Profile Path              empty           Same as -p
SHA-1 Certificate Hash                 empty           Same as -c
Verbose Enabled                        false           Same as -v
Remove Missing Entitlements            false           Same as -e
Prevent Default Build                  false           Equivalent to using -b without arguments
Build String Override                  empty           The custom CFBundleVersion of the wrapped output app
Extension Provisioning Profile Paths   empty           An array of extension provisioning profiles for the app.

Run the IntuneMAMPackager with the plist as the sole argument:

./IntuneMAMPackager -f Parameters.plist

Post-wrapping
After the wrapping process completes, the message "The application was successfully wrapped" will be displayed.
If an error occurs, see Error messages for help.
The wrapped app is saved in the output folder you specified previously. You can upload the app to the Intune
admin console and associate it with a mobile application management policy.
IMPORTANT
When uploading a wrapped app, you can try to update an older version of the app if an older (wrapped or native) version
was already deployed to Intune. If you experience an error, upload the app as a new app and delete the older version.

You can now deploy the app to your user groups and target app protection policies to the app. The app will run on
the device using the app protection policies you specified.

Error messages and log files
Use the following information to troubleshoot issues you have with the app wrapping tool.
Error messages
If the app wrapping tool fails to finish successfully, one of the following error messages will be displayed in the
console:

ERROR MESSAGE: You must specify a valid iOS provisioning profile.
MORE INFORMATION: Your provisioning profile might not be valid. Check to make sure you have the correct permissions for devices and that your profile is correctly targeting development or distribution. Your provisioning profile might also be expired.

ERROR MESSAGE: Specify a valid input application name.
MORE INFORMATION: Make sure that the input application name you specified is correct.

ERROR MESSAGE: Specify a valid path to the output application.
MORE INFORMATION: Make sure that the path to the output application you specified exists, and is correct.

ERROR MESSAGE: Specify a valid input provisioning profile.
MORE INFORMATION: Make sure you supplied a valid provisioning profile name and extension. Your provisioning profile might be missing entitlements, or you might not have included the -p command line option.

ERROR MESSAGE: The input application you specified was not found. Specify a valid input application name and path.
MORE INFORMATION: Make sure your input app path is valid and exists. Make sure the input app exists at that location.

ERROR MESSAGE: The input provisioning profile file you specified was not found. Specify a valid input provisioning profile file.
MORE INFORMATION: Make sure that the path to the input provisioning file is valid and that the file you specified exists.

ERROR MESSAGE: The output application folder you specified was not found. Specify a valid path to the output application.
MORE INFORMATION: Make sure that the output path you specified is valid and exists.

ERROR MESSAGE: Output app does not have .ipa extension.
MORE INFORMATION: Only apps with the .app and .ipa extensions are accepted by the App Wrapping Tool. Make sure your output file has a valid extension.

ERROR MESSAGE: An invalid signing certificate was specified. Specify a valid Apple signing certificate.
MORE INFORMATION: Make sure you've downloaded the correct signing certificate from the Apple developer portal. Your certificate might be expired or might be missing a public or private key. If your Apple certificate and provisioning profile can be used to correctly sign an app within Xcode, then they are valid for the App Wrapping Tool.

ERROR MESSAGE: The input application you specified is invalid. Specify a valid application.
MORE INFORMATION: Make sure you have a valid iOS application that has been compiled as an .app or .ipa file.

ERROR MESSAGE: The input application you specified is encrypted. Specify a valid unencrypted application.
MORE INFORMATION: The App Wrapping Tool does not support encrypted apps. Provide an unencrypted app.

ERROR MESSAGE: The input application you specified is not in a Position Independent Executable (PIE) format. Specify a valid application in PIE format.
MORE INFORMATION: Position Independent Executable (PIE) apps can be loaded at a random memory address when run. This can have security benefits. For more about security benefits, see your Apple Developer documentation.

ERROR MESSAGE: The input app you specified has already been wrapped. Specify a valid unwrapped application.
MORE INFORMATION: You cannot process an app that has already been processed by the tool. If you want to process an app again, run the tool using the original version of the app.

ERROR MESSAGE: The input application you specified is not signed. Specify a valid signed application.
MORE INFORMATION: The app wrapping tool requires apps to be signed. Consult your developer documentation to learn how to sign a wrapped app.

ERROR MESSAGE: The input application you specified must be in the .ipa or .app format.
MORE INFORMATION: Only .app and .ipa extensions are accepted by the app wrapping tool. Make sure your input file has a valid extension and has been compiled as a .app or .ipa file.

ERROR MESSAGE: The input app you specified has already been wrapped and is on the latest policy template version.
MORE INFORMATION: The App Wrapping Tool will not rewrap an existing wrapped app with the latest policy template version.

ERROR MESSAGE: WARNING: You did not specify a SHA1 certificate hash. Make sure that your wrapped application is signed before deploying.
MORE INFORMATION: Ensure that you specify a valid SHA1 hash following the -c command line flag.

Log files for the App Wrapping Tool
Apps that have been wrapped by using the App Wrapping Tool generate logs that are written to the iOS client
device console. This information is useful when you are having problems with the application and need to
determine if the issue is related to the App Wrapping Tool. To retrieve this information, use the following steps:
1. Reproduce the issue by running the app.
2. Collect the console output by following Apple's instructions for Debugging Deployed iOS Apps.
3. Filter the saved logs for App Restrictions output by entering the following script into the console:

grep IntuneAppRestrictions <text file containing console output> > <required filtered log file name>

You can submit the filtered logs to Microsoft.

NOTE
In the log file, the item build version represents the build version of Xcode.

Wrapped apps will also present users the option to send logs directly from the device via email after the
app crashes. Users can send the logs to you to examine and forward to Microsoft if necessary.
Certificate, provisioning profile, and authentication requirements
The App Wrapping Tool for iOS has some requirements that must be met in order to guarantee full functionality.
REQUIREMENT: iOS provisioning profile
DETAILS: Make sure that the provisioning profile is valid before you include it. The App Wrapping Tool does not check whether the provisioning profile is expired when processing an iOS app. If an expired provisioning profile is specified, the app wrapping tool will include the expired provisioning profile, and you will not know there is a problem until the app fails to install on an iOS device.

REQUIREMENT: iOS signing certificate
DETAILS: Make sure that the signing certificate is valid before you specify it. The tool does not check whether a certificate is expired when processing iOS apps. If the hash for an expired certificate is provided, the tool will process and sign the app, but it will fail to install on devices. Make sure that the certificate provided for signing the wrapped app has a match in the provisioning profile. The tool does not validate if the provisioning profile has a match for the certificate provided for signing the wrapped application.

REQUIREMENT: Authentication
DETAILS: A device must have a PIN for encryption to work. On devices to which you have deployed a wrapped app, touching the status bar on the device will require the user to sign in again with a work or school account. The default policy in a wrapped app is authentication on re-launch. iOS handles any external notification (like a phone call) by exiting the app and then re-launching it.
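
The command-line parameters and the requirements table above share one practical gap: the packager accepts whatever -p and -c values it is given and does not check profile expiry or the form of the hash, so a mistake only shows up when the wrapped app fails to install. The following POSIX shell script is an added example, not Microsoft's code and not part of the original documentation. It checks the input and output extensions, normalizes the SHA1 fingerprint as copied from Keychain Access into the form -c expects, reads ExpirationDate from a decoded provisioning profile and refuses to assemble the packager command line if the profile has expired. It assumes the .mobileprovision file has already been decoded to XML plist text (on macOS with security cms -D -i); every path, the sample profile plist and the expired variant are constructed placeholders, and the fingerprint is the one from the example command above.

```shell
#!/bin/sh
# Pre-flight checks before running IntuneMAMPackager. Added example, not
# Microsoft's code. Assumes the .mobileprovision file has already been decoded
# to XML (macOS: security cms -D -i profile.mobileprovision > profile.plist).
# All paths and the sample plists below are constructed placeholders.

# Turn a fingerprint copied from Keychain Access ("12 A3 BC ...") into the
# 40-character hex form the -c flag expects; fail if it is not a SHA1 fingerprint.
normalize_sha1() {
    hash=$(printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F')
    case "$hash" in
        '' | *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#hash}" -eq 40 ] || return 1
    printf '%s' "$hash"
}

# The packager accepts only .app or .ipa input bundles.
has_app_extension() {
    case "$1" in
        *.ipa | *.app) return 0 ;;
        *) return 1 ;;
    esac
}

# Read the ExpirationDate of a decoded provisioning profile (XML on stdin).
profile_expiration() {
    tr -d '\n' | sed -n 's/.*<key>ExpirationDate<\/key>[^<]*<date>\([^<]*\)<\/date>.*/\1/p'
}

# Succeed only if the profile expires after the current UTC time. The packager
# does not check this itself. ISO-8601 UTC timestamps compare correctly as strings.
profile_is_valid() {
    expires=$(printf '%s' "$1" | profile_expiration)
    [ -n "$expires" ] || return 1
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    expr "$expires" \> "$now" > /dev/null
}

# Run every check and print the packager command line. The command is printed,
# not executed, so the script can be dry-run on any machine.
build_wrap_command() {
    in_app=$1 out_app=$2 profile=$3 profile_plist=$4 cert_hash=$5
    has_app_extension "$in_app" || { echo "input must be .app or .ipa: $in_app" >&2; return 1; }
    case "$out_app" in
        *.ipa) ;;
        *) echo "output must be .ipa: $out_app" >&2; return 1 ;;
    esac
    sha=$(normalize_sha1 "$cert_hash") || { echo "not a SHA1 fingerprint: $cert_hash" >&2; return 1; }
    profile_is_valid "$profile_plist" || { echo "provisioning profile is expired or has no ExpirationDate" >&2; return 1; }
    printf './IntuneMAMPackager/Contents/MacOS/IntuneMAMPackager -i "%s" -o "%s" -p "%s" -c "%s" -v\n' \
        "$in_app" "$out_app" "$profile" "$sha"
}

# Constructed sample of a decoded profile (only the key this script reads).
SAMPLE_PROFILE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Name</key>
    <string>Example In-House Profile</string>
    <key>ExpirationDate</key>
    <date>2099-01-01T00:00:00Z</date>
</dict>
</plist>'

# The same constructed profile with a date that has already passed.
EXPIRED_PROFILE_PLIST=$(printf '%s' "$SAMPLE_PROFILE_PLIST" | sed 's/2099-01-01/2017-06-19/')

# Dry run with placeholder paths; prints the command line that would be executed.
build_wrap_command "$HOME/Desktop/MyApp.ipa" "$HOME/Desktop/MyApp_Wrapped.ipa" \
    "$HOME/Desktop/My_Provisioning_Profile_.mobileprovision" "$SAMPLE_PROFILE_PLIST" \
    "12 A3 BC 45 D6 7E F8 90 1A 2B 3C DE F4 AB C5 D6 E7 89 0F AB"
```

The expiry check covers the provisioning profile only; the matching check for the signing certificate's own validity period is best done in Keychain Access, where the certificate's expiry date is shown beside the fingerprint you copy.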

Setting app entitlements
Before wrapping your app, you can grant entitlements to give the app additional permissions and capabilities that
exceed what an app can typically do. An entitlement file is used during code signing to specify special permissions
within your app (for example, access to a shared keychain). Specific app services called capabilities are enabled
within Xcode during app development. Once enabled, the capabilities are reflected in your entitlements file. For
more information about entitlements and capabilities, see Adding Capabilities in the iOS Developer Library. For a
complete list of supported capabilities, see Supported capabilities.
Supported capabilities for the App Wrapping Tool for iOS

CAPABILITY: App groups
DESCRIPTION: Use app groups to allow multiple apps to access shared containers and allow additional interprocess communication between apps. To enable app groups, open the Capabilities pane and click ON in App Groups. You can add app groups or select existing ones.
RECOMMENDED GUIDANCE: When using App Groups, use reverse DNS notation: group.com.companyName.AppGroup

CAPABILITY: Background modes
DESCRIPTION: Enabling background modes lets your iOS app continue running in the background.

CAPABILITY: Data protection
DESCRIPTION: Data protection adds a level of security to files stored on disk by your iOS app. Data protection uses the built-in encryption hardware present on specific devices to store files in an encrypted format on disk. Your app needs to be provisioned to use data protection.

CAPABILITY: In-app purchase
DESCRIPTION: In-app purchase embeds a store directly into your app by enabling you to connect to the store and securely process payments from the user. You can use in-app purchase to collect payment for enhanced functionality or for additional content usable by your app.

CAPABILITY: Keychain sharing
DESCRIPTION: Enabling keychain sharing lets your app share passwords in the keychain with other apps developed by your team.
RECOMMENDED GUIDANCE: When using keychain sharing, use reverse DNS notation: com.companyName.KeychainGroup

CAPABILITY: Personal VPN
DESCRIPTION: Enable personal VPN to allow your app to create and control a custom system VPN configuration using the Network Extension framework.

CAPABILITY: Push notifications
DESCRIPTION: Apple Push Notification service (APNs) lets an app that isn't running in the foreground notify the user that it has information for the user.
RECOMMENDED GUIDANCE: For push notifications to work, you need to use an app-specific provisioning profile. Follow the steps in the Apple developer documentation.

CAPABILITY: Wireless accessory configuration
DESCRIPTION: Enabling wireless accessory configuration adds the External Accessory framework to your project and lets your app set up MFi Wi-Fi accessories.

Steps to enable entitlements
1. Enable capabilities in your app:
a. In Xcode, go to your app's target, and click Capabilities.
b. Turn on the appropriate capabilities. For detailed information about each capability and how to determine
the correct values, see Adding Capabilities in the iOS Developer Library.
c. Note any IDs that you created during the process.
d. Build and sign your app to be wrapped.
2. Enable entitlements in your provisioning profile:
a. Sign in to the Apple Developer Member Center.
b. Create a provisioning profile for your app. For instructions, see How to Obtain the Prerequisites for the
Intune App Wrapping Tool for iOS.
c. In your provisioning profile, enable the same entitlements that you have in your app. You will need to
supply the same IDs that you specified during the development of your app.
d. Finish the provisioning profile wizard and download your file.
3. Ensure that you have satisfied all the prerequisites, and then wrap the app.
Troubleshoot common errors with entitlements
If the App Wrapping Tool for iOS shows an entitlement error, try the following troubleshooting steps.

ISSUE: Failed to parse entitlements generated from the input application.
CAUSE: The App Wrapping Tool cannot read the entitlements file that was extracted from the app. The entitlements file might be malformed.
RESOLUTION: Inspect the entitlements file for your app. The following instructions explain how to do so. When inspecting the entitlements file, check for any malformed syntax. The file should be in XML format.

ISSUE: Entitlements are missing in the provisioning profile (missing entitlements are listed). Repackage the app with a provisioning profile that has these entitlements.
CAUSE: There is a mismatch between the entitlements enabled in the provisioning profile and the capabilities enabled in the app. This mismatch also applies to the IDs associated with particular capabilities (like app groups and keychain access).
RESOLUTION: Generally, you can create a new provisioning profile that enables the same capabilities as the app. When IDs between the profile and app don't match, the App Wrapping Tool will replace the IDs if it is able to. If you still get this error after creating a new provisioning profile, you can try removing entitlements from the app by using the -e parameter (see the Remove entitlements from an app by using the -e parameter section).

Find the existing entitlements of a signed app
To review the existing entitlements of a signed app and provisioning profile:
1. Find the .ipa file and change its extension to .zip.
2. Expand the .zip file. This will produce a Payload folder containing your .app bundle.
3. Use the codesign tool to check the entitlements on the .app bundle, where YourApp.app is the actual name
of your .app bundle:

$ codesign -d --entitlements :- "Payload/YourApp.app"

4. Use the security tool to decode the app's embedded provisioning profile and check its entitlements, where
YourApp.app is the actual name of your .app bundle.

$ security cms -D -i "Payload/YourApp.app/embedded.mobileprovision"
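
To catch the mismatch described in the troubleshooting table before the packager reports it, the following POSIX shell script is an added example, not Microsoft's code and not part of the original documentation. It extracts the <key> names from the app's entitlements plist and from the Entitlements dictionary of the decoded profile, and lists every entitlement the app claims that the profile does not grant. It assumes both inputs are the XML plists produced by the codesign and security commands above; the two sample plists, the team ID ABCDE12345 and the bundle and group identifiers in them are constructed, not taken from a real app.

```shell
#!/bin/sh
# Compare a signed app's entitlements with what its provisioning profile grants.
# Added example, not Microsoft's code. Inputs are the XML plists printed by
# `codesign -d --entitlements :-` and `security cms -D -i`; the samples below
# are constructed (team ID ABCDE12345 and all identifiers are placeholders).

# Print one <key> name per line from plist XML on stdin.
plist_keys() {
    grep -o '<key>[^<]*</key>' | sed 's/<key>//; s/<\/key>//'
}

# Print only the lines of the profile's Entitlements dictionary (stdin is the
# decoded profile). Relies on the pretty-printed layout security produces.
profile_entitlements_dict() {
    awk 'index($0, "<key>Entitlements</key>") { inside = 1; next }
         inside && index($0, "</dict>") { exit }
         inside { print }'
}

# List entitlement keys present in the app but absent from the profile.
# $1 = app entitlements plist text, $2 = decoded profile plist text.
missing_entitlements() {
    app_keys=$(printf '%s\n' "$1" | plist_keys)
    profile_keys=$(printf '%s\n' "$2" | profile_entitlements_dict | plist_keys)
    for k in $app_keys; do
        printf '%s\n' "$profile_keys" | grep -qxF -- "$k" || printf '%s\n' "$k"
    done
}

# Succeed when every entitlement key in the app is granted by the profile.
entitlements_match() {
    [ -z "$(missing_entitlements "$1" "$2")" ]
}

# Constructed sample of codesign output for an app using app groups and APNs.
APP_ENTITLEMENTS='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>ABCDE12345.com.companyName.MyApp</string>
    <key>aps-environment</key>
    <string>production</string>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>group.com.companyName.AppGroup</string>
    </array>
    <key>get-task-allow</key>
    <false/>
    <key>keychain-access-groups</key>
    <array>
        <string>ABCDE12345.com.companyName.KeychainGroup</string>
    </array>
</dict>
</plist>'

# Constructed sample of a decoded profile that was generated without those capabilities.
PROFILE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Name</key>
    <string>Example In-House Profile</string>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key>
        <string>ABCDE12345.com.companyName.MyApp</string>
        <key>com.apple.developer.team-identifier</key>
        <string>ABCDE12345</string>
        <key>get-task-allow</key>
        <false/>
        <key>keychain-access-groups</key>
        <array>
            <string>ABCDE12345.*</string>
        </array>
    </dict>
    <key>ExpirationDate</key>
    <date>2099-01-01T00:00:00Z</date>
</dict>
</plist>'

missing=$(missing_entitlements "$APP_ENTITLEMENTS" "$PROFILE_PLIST")
if [ -n "$missing" ]; then
    echo "Entitlements in the app but not granted by the profile:"
    printf '  %s\n' $missing
fi
```

A non-empty list means regenerating the profile with those capabilities or, for a vendor app that ships with capabilities it does not use, running the packager with -e as the next section describes. The comparison is on key names only: a value mismatch, such as a keychain-access-groups entry outside the profile's wildcard, is not caught by this check.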

Remove entitlements from an app by using the -e parameter
This command removes any enabled capabilities in the app that are not in the entitlements file. If you remove
capabilities that are being used by the app, it can break your app. An example of where you might remove missing
capabilities is in a vendor-produced app that has all capabilities by default.

./IntuneMAMPackager/Contents/MacOS/IntuneMAMPackager -i /<path of input app>/<app filename> -o /<path to output folder>/<app filename> -p /<path to provisioning profile> -c <SHA1 hash of the certificate> -e
Security and privacy for the App Wrapping Tool
Use the following security and privacy best practices when you use the App Wrapping Tool.
The signing certificate, provisioning profile, and the line-of-business app you specify must be on the same
macOS machine that you use to run the app wrapping tool. If the files are on a UNC path, ensure that these
are accessible from the macOS machine. The path must be secured via IPsec or SMB signing.
The wrapped application imported into the admin console should be on the same computer that you run
the tool on. If the file is on a UNC path, ensure that it is accessible on the computer running the admin
console. The path must be secured via IPsec or SMB signing.
The environment where the App Wrapping Tool is downloaded from the GitHub repository needs to be
secured via IPsec or SMB signing.
The app you process must come from a trustworthy source to ensure protection against attacks.
Ensure that the output folder you specify in the App Wrapping Tool is secured, particularly if it is a remote
folder.
iOS apps that include a file upload dialog box can allow users to circumvent, cut, copy, and paste restrictions
applied to the app. For example, a user could use the file upload dialog box to upload a screenshot of the
app data.
When you monitor the documents folder on your device from within a wrapped app, you might see a folder
named .msftintuneapplauncher. If you change or delete this file, it might affect the correct functioning of
restricted apps.
See also
Decide how to prepare apps for mobile application management with Microsoft Intune
Manage settings and features on your devices with Microsoft Intune policies
Use the SDK to enable apps for mobile application management
Prepare Android apps for mobile application
management with the Intune App Wrapping Tool
6/19/2017 5 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

Use the Microsoft Intune App Wrapping Tool for Android to change the behavior of your in-house Android apps by
restricting features of the app without changing the code of the app itself.
The tool is a Windows command-line application that runs in PowerShell and creates a wrapper around your
Android app. After the app is wrapped, you can change the app's functionality by configuring mobile application
management policies in Intune.
Before running the tool, review Security considerations for running the App Wrapping Tool. To download the tool,
go to the Microsoft Intune App Wrapping Tool for Android on GitHub.

Fulfill the prerequisites for using the App Wrapping Tool
You must run the App Wrapping Tool on a Windows computer running Windows 7 or later.
Your input app must be a valid Android application package with the file extension .apk and:
It cannot be encrypted.
It must not have previously been wrapped by the Intune App Wrapping Tool.
It must be written for Android 4.0 or later.
The app must be developed by or for your company. You cannot use this tool on apps downloaded from the
Google Play Store.
To run the App Wrapping Tool, you must install the latest version of the Java Runtime Environment and
then ensure that the Java path variable has been set to C:\ProgramData\Oracle\Java\javapath in your
Windows environment variables. For more help, see the Java documentation.

NOTE
In some cases, the 32-bit version of Java may result in memory issues. It's a good idea to install the 64-bit version.

Android requires all app packages (.apk) to be signed. Use Java keytool to generate credentials needed to
sign the wrapped output app. For example, the following command uses the Java executable keytool.exe to
generate keys that can be used by the App Wrapping Tool to sign the wrapped output app.

keytool.exe -genkeypair -v -keystore mykeystorefile -alias mykeyalias -keyalg RSA -keysize 2048 -validity 50000

This example generates a key pair (a public key and associated private key of 2,048 bits) by using the RSA
algorithm. It then wraps the public key into an X.509 v3 self-signed certificate, which is stored as a single-
element certificate chain. This certificate chain and the private key are stored in a new keystore entry named
"mykeystorefile" and identified by the alias "mykeyalias." The keystore entry is valid for 50,000 days.
The command will prompt you to provide passwords for the keystore and key. Use passwords that are
secure, but make a note of them because they're needed to run the App Wrapping Tool.
For detailed documentation, read more about the Java keytool and Java KeyStore on the Oracle
documentation website.

Install the App Wrapping Tool
1. From the GitHub repository, download the installation file InstallAWT.exe for the Intune App Wrapping Tool
for Android to a Windows computer. Open the installation file.
2. Accept the license agreement, then finish the installation.
Note the folder to which you installed the tool. The default location is: C:\Program Files (x86)\Microsoft Intune
Mobile Application Management\Android\App Wrapping Tool.

Run the App Wrapping Tool
1. On the Windows computer where you installed the App Wrapping Tool, open a PowerShell window in
administrator mode.
2. From the folder where you installed the tool, import the App Wrapping Tool PowerShell module:

Import-Module .\IntuneAppWrappingTool.psm1

3. Run the tool by using the invoke-AppWrappingTool command, which has the following usage syntax:

Invoke-AppWrappingTool [-InputPath] <String> [-OutputPath] <String> -KeyStorePath <String> -KeyStorePassword <SecureString> -KeyAlias <String> -KeyPassword <SecureString> [-SigAlg <String>] [<CommonParameters>]

The following table details the properties of the invoke-AppWrappingTool command:

PROPERTY: -InputPath <String>
INFORMATION: Path of the source Android app (.apk).

PROPERTY: -OutputPath <String>
INFORMATION: Path to the output Android app. If this is the same directory path as InputPath, the packaging will fail.

PROPERTY: -KeyStorePath <String>
INFORMATION: Path to the keystore file that has the public/private key pair for signing.
EXAMPLE: By default, keystore files are stored in "C:\Program Files (x86)\Java\jreX.X.X_XX\bin."

PROPERTY: -KeyStorePassword <SecureString>
INFORMATION: Password used to decrypt the keystore. Android requires all application packages (.apk) to be signed. Use Java keytool to generate the KeyStorePassword. Read more about Java KeyStore in the Oracle documentation.

PROPERTY: -KeyAlias <String>
INFORMATION: Name of the key to be used for signing.

PROPERTY: -KeyPassword <SecureString>
INFORMATION: Password used to decrypt the private key that will be used for signing.

PROPERTY: -SigAlg <String>
INFORMATION: (Optional) The name of the signature algorithm to be used for signing. The algorithm must be compatible with the private key.
EXAMPLE: SHA256withRSA, SHA1withRSA, MD5withRSA

PROPERTY: <CommonParameters>
INFORMATION: (Optional) The command supports common PowerShell parameters like verbose and debug.

For a list of common parameters, see the Microsoft Script Center.


To see detailed usage information for the tool, enter the command:

Help Invoke-AppWrappingTool

Example:
Import the PowerShell module.

Import-Module "C:\Program Files (x86)\Microsoft Intune Mobile Application Management\Android\App Wrapping Tool\IntuneAppWrappingTool.psm1"

Run the App Wrapping Tool on the native app HelloWorld.apk.

invoke-AppWrappingTool -InputPath .\app\HelloWorld.apk -OutputPath .\app_wrapped\HelloWorld_wrapped.apk -KeyStorePath "C:\Program Files (x86)\Java\jre1.8.0_91\bin\mykeystorefile" -keyAlias mykeyalias -SigAlg SHA1withRSA -Verbose

You will then be prompted for KeyStorePassword and KeyPassword. Enter the credentials you used to create the
key store file.
The wrapped app and a log file are generated and saved in the output path you specified.

Security considerations for running the App Wrapping Tool
To prevent potential spoofing, information disclosure, and elevation of privilege attacks:
Ensure that the input line-of-business (LOB) application, output application, and Java KeyStore are on the
same Windows computer where the App Wrapping Tool is running.
Import the output application to the Intune console on the same machine where the tool is running. See
keytool for more about Java keytool.
If the output application and the tool are on a Universal Naming Convention (UNC) path and you are not
running the tool and input files on the same computer, set up the environment to be secure by using
Internet Protocol Security (IPsec) or Server Message Block (SMB) signing.
Ensure that the application is coming from a trusted source.
Secure the output directory that has the wrapped app. Consider using a user-level directory for the output.
See also
Decide how to prepare apps for mobile application management with Microsoft Intune
Use the SDK to enable apps for mobile application management
Sign line-of-business apps so they can be deployed to
Windows devices with Intune
6/19/2017 11 min to read

APPLIES TO: INTUNE

This topic applies to Intune in both the Azure portal and the classic console.

As an Intune administrator, you can deploy line-of-business (LOB) apps to Windows and Windows 10 Mobile
devices, including the Company Portal app. To deploy .appx or .xap apps to Windows 10 and Windows 10 mobile
devices, or to deploy any LOB app to Windows 8.1 or Windows Phone 8.1 devices, you must get a Symantec
Enterprise Mobile Code Signing Certificate. Only the Symantec certificate is trusted for these apps for the
respective Windows devices. You can use your own certificate authority for Windows 10 apps and "universal" apps.
This certificate is required in order to:
Sign the Company Portal app for deployment to Windows PCs, Windows 10 Mobile devices, and Windows
Phone devices
Sign company line-of-business apps so Intune can deploy them to Windows devices
The steps below will help you get the required certificate and sign the apps. You will need to register as a Microsoft
developer, and then purchase a Symantec certificate.
1. Register as a Microsoft developer
Register as a Microsoft developer using the corporate account information you used when logging in to
purchase your company account. This request will need to be authorized by a company officer before you
receive a code-signing certificate.
2. Get a company Symantec certificate
Purchase a certificate from the Symantec website using your Symantec ID. After you purchase the certificate,
the corporate approver whom you designated when you registered as a Microsoft developer will receive an
email asking for approval of the certificate request. For more information about the Symantec certificate
requirement, see the Why Windows Phone requires a Symantec certificate? Windows device enrollment
FAQ.
3. Import certificates
Once the request has been approved, you will receive an email containing instructions for importing
certificates. Follow the instructions in the email to import the certificates.
4. Verify certificates imported
To verify that the certificates have been imported correctly, go to the Certificates snap-in, right-click
Certificates, and select Find Certificates. In the Contains field, enter Symantec, and click Find Now. The
certificates you imported should appear in the results.
5. Export a signing certificate
Having verified that the certificates are present, you can export the .pfx file to sign the company portal. Select
the Symantec certificate with Intended purpose code-signing. Right-click the code-signing certificate and
select Export.

In the Certificate Export Wizard, select Yes, export the private key and then click Next. Select Personal
Information Exchange PKCS #12 (.PFX) and check Include all the certificates in the certification
path if possible. Complete the wizard. For more information, see How to Export a Certificate with the
Private Key.
6. Upload the app to Intune
Upload the signed app file and your code-signing certificate to make the app available to your end users.
a. In the Intune portal, click Administration > Windows Phone.
b. Click the Upload Signed App File and sign in with your Intune Administrator ID.
c. Add the certificate (.pfx) file that you exported to Code-signing certificate and create a password for
the certificate.
d. Complete the wizard.

Example: Download, sign, and deploy the Company Portal app for Windows devices
You can deploy the Company Portal app to Windows devices, including Windows Phone and Windows 10 Mobile
devices, with Intune instead of installing from the Windows Store. You must download the Company Portal app and
sign it with your certificate. This is only necessary if your users won't use the Company Store and you want to
deploy the Company Portal to Windows Phone 8.1 devices.
1. Download the Company Portal
To deploy the Company Portal app using Intune, you can download the Microsoft Intune Company Portal
App for Windows Phone 8.1 from the Download Center and run the self-extracting (.exe) file. This file
contains two files:
CompanyPortal.appx: The Company Portal installation app for Windows Phone 8.1.
WinPhoneCompanyPortal.ps1: A PowerShell script you can use to sign the Company Portal app file so it can be
deployed to Windows Phone 8.1 devices.
Alternatively, you can download the Windows Phone 8.1 Company Portal (offline licensed package) or the
Windows 10 Company Portal (offline licensed package) from the Windows Store for Business. The Company
Portal app will need to be acquired with an offline license and the appropriate package downloaded for
offline use. Windows 8 and Windows Phone 8 platform listings in the selection refer to their 8.1
counterparts. For details about how to do this with Intune, see Manage apps you purchased from the
Windows Store for Business.
2. Download the Windows Phone SDK. Download the Windows Phone SDK 8.0
(http://go.microsoft.com/fwlink/?LinkId=615570) and install the SDK to your computer. This SDK is needed
to generate an application enrollment token.
3. Generate an AETX file. Generate an application enrollment token (.aetx) file from the Symantec PFX file
using AETGenerator.exe, part of Windows Phone SDK 8.0. For instructions on how to create an AETX file, see
How to generate an application enrollment token for Windows Phone.
4. Download the Windows SDK for Windows 8.1. Download and install the Windows SDK for Windows 8.1
(http://go.microsoft.com/fwlink/?LinkId=613525). Note that the PowerShell script included with the
Company Portal app uses the default install location, ${env:ProgramFiles(x86)}\Windows Kits\8.1. If you install
elsewhere, you must include the location in a cmdlet parameter.
5. Code-sign the app using PowerShell. As an administrator, open Windows PowerShell on the host
computer on which the Windows SDK and the Symantec Enterprise Mobile Code Signing Certificate are installed,
navigate to the Sign-WinPhoneCompanyPortal.ps1 file and run the script.
Example 1

.\Sign-WinPhoneCompanyPortal.ps1 -InputAppx 'C:\temp\CompanyPortal.appx' -OutputAppx 'C:\temp\CompanyPortalEnterpriseSigned.appx' -PfxFilePath 'C:\signing\cert.pfx' -PfxPassword '1234' -AetxPath 'C:\signing\cert.aetx'

This example signs the CompanyPortal.appx at C:\temp\ and produces CompanyPortalEnterpriseSigned.appx. It uses
the PFX password 1234, reads the publisher ID from the PFX file, and reads the enterprise ID from the cert.aetx file.

Example 2

.\Sign-WinPhoneCompanyPortal.ps1 -InputAppx 'C:\temp\CompanyPortal.appx' -OutputAppx 'C:\temp\CompanyPortalEnterpriseSigned.appx' -PfxFilePath 'C:\signing\cert.pfx' -PfxPassword '1234' -PublisherId 'OID.0.9.2342.19200300.100.1.1=1000000001, CN="Test, Inc.", OU=Test 1' -EnterpriseId 1000000001

This example signs the CompanyPortal.appx at C:\temp\ and produces CompanyPortalEnterpriseSigned.appx. It uses
the PFX password 1234 and the publisher ID and enterprise ID specified on the command line.
Parameters:
-InputAppx: The local path to the CompanyPortal.appx file in single quotes. For example,
'C:\temp\CompanyPortal.appx'
-OutputAppx: The local path and file name for the signed Company Portal app in single quotes. For
example, 'C:\temp\CompanyPortalEnterpriseSigned.appx'
-PfxFilePath: The local path and file name for the exported PFX file of the Symantec certificate. For
example, 'C:\signing\cert.pfx'
-PfxPassword: The password used to sign the PFX file in single quotes. For example, '1234'
-AetxPath: The local path to the .aetx file, which is used for reading the enterprise ID if the
'EnterpriseId' argument is not defined. Either this argument or EnterpriseId must be provided. For
example, 'C:\signing\cert.aetx'
-PublisherId: The Publisher ID of the enterprise. If absent, the 'Subject' field of the Symantec
Enterprise Mobile Code Signing Certificate is used. For example,
'OID.0.9.2342.19200300.100.1.1=1000000001, CN="Test, Inc.", OU=Test 1'
-SdkPath: The path to the root folder of the Windows SDK for Windows 8.1. This argument is optional
and defaults to ${env:ProgramFiles(x86)}\Windows Kits\8.1.
-EnterpriseId: The enterprise ID. Either this argument or 'AetxPath' must be provided. If this argument
is not provided, the enterprise ID is read from the AETX file. For example, 1000000001
6. Deploy the Windows Phone 8.1 Company Portal (SSP.appx) app. For guidance, see How to add Windows
Phone line-of-business (LOB) apps (Classic console).

How to renew the Symantec enterprise code-signing certificate


The Symantec certificate used to deploy Windows and Windows Phone mobile apps must be renewed periodically.
1. Look for a renewal email sent from Symantec approximately 14 days prior to certificate expiration. This
email contains directions from Symantec about renewing your enterprise certificate.
For additional information about Symantec certificates, visit www.symantec.com or call 1-877-438-8776 or
1-650-426-3400.
2. Go to the website (example:
https://products.websecurity.symantec.com/orders/enrollment/microsoftCert.do) and log in with the
Symantec Publisher ID and email address associated with the certificate. Remember to use the same
machine for starting the renewal that you'll use to download the certificate.
3. Once the renewal is approved and paid for, download the certificate.
How to install the updated certificate for line-of-business (LOB) apps
1. Sign the latest version of your line-of-business app.
2. Open the Intune console and go to Admin > Mobile Device Management > Windows Phone and click
Upload Signed App.
3. Upload the newly signed Company Portal. You'll need the newly signed SSP.xap and the new .PFX file you
received from Symantec or the Application enrollment token that was created with this new .PFX file.
4. When the upload is complete, remove the old Company Portal version in the Software workspace.
5. Sign all new and any updated enterprise line-of-business apps using the new certificate. Existing applications
do not need to be resigned and redeployed.

Manually deploy Windows 10 Company Portal app


You can manually deploy the Windows 10 Company Portal app directly from Intune, even if you haven't integrated
Intune with the Windows Store for Business.

NOTE
This option will require deploying manual updates each time an app update is released.

1. Log in to your account in the Windows Store for Business and acquire the offline license version of the
Company Portal app.
2. Once the app has been acquired, select the app in the Inventory page.
3. Select Windows 10 all devices as the Platform, then the appropriate Architecture and download. An app
license file is not needed for this app.

4. Download all the packages under Required Frameworks. This must be done for x86, x64 and ARM
architectures resulting in a total of 9 packages as shown below.
5. Before uploading the Company Portal app to Intune, create a folder (e.g., C:\Company Portal) with the packages
structured in the following way:
a. Place the Company Portal package into C:\Company Portal. Create a Dependencies subfolder in this
location as well.
b. Place the nine dependencies packages in the Dependencies folder.
If the dependencies are not placed in this format, Intune will not be able to recognize and upload them
during the package upload, causing the upload to fail with the following error.

6. Return to Intune, then upload the Company Portal app as a new app. Deploy it as a required app to the desired
set of target users.
See Deploying an appxbundle with dependencies via Microsoft Intune MDM for more information about how
Intune handles dependencies for Universal apps.
How do I update the Company Portal on my users' devices if they have already installed the older apps from the store?
If your users have already installed the Windows 8.1 or Windows Phone 8.1 Company Portal apps from the Store,
then they should be automatically updated to the new version with no action required from you or your user. If the
update does not happen, ask your users to check that they have enabled autoupdates for Store apps on their
devices.
How do I upgrade my sideloaded Windows 8.1 Company Portal app to the Windows 10 Company Portal app?
Our recommended migration path is to delete the deployment for the Windows 8.1 Company Portal app by setting
the deployment action to Uninstall. Once this is done, the Windows 10 Company Portal app can be deployed
using any of the above options.
If you need to sideload the app and deployed the Windows 8.1 Company Portal without signing it with the
Symantec Certificate, follow the steps in the Deploy directly via Intune section above to complete the upgrade.
If you need to sideload the app and you signed and deployed the Windows 8.1 Company Portal with the Symantec
code-signing certificate, follow the steps in the section below.
How do I upgrade my signed and sideloaded Windows Phone 8.1 Company Portal app or Windows 8.1 Company Portal app to the
Windows 10 Company Portal app?
Our recommended migration path is to delete the existing deployment for the Windows Phone 8.1 Company Portal
app or the Windows 8.1 Company Portal app by setting the deployment action to Uninstall. Once this is done, the
Windows 10 Company Portal app can be deployed normally.
Otherwise, the Windows 10 Company Portal app needs to be appropriately updated and signed to ensure that the
upgrade path is respected.
If the Windows 10 Company Portal app is signed and deployed in this way, you will need to repeat this process for
each new app update when it is available in the store. The app will not automatically update when the store is
updated.
Here's how you sign and deploy the app in this way:
1. Download the Microsoft Intune Windows 10 Company Portal App Signing Script from
https://aka.ms/win10cpscript. This script requires the Windows SDK for Windows 10 to be installed on the host
computer. To download the Windows SDK for Windows 10, visit https://go.microsoft.com/fwlink/?LinkId=619296.
2. Download the Windows 10 Company Portal app from the Windows Store for Business, as detailed above.
3. Run the script with the input parameters detailed in the script header to sign the Windows 10 Company Portal
app (extracted below). Dependencies do not need to be passed into the script. These are only required when the
app is being uploaded to the Intune Admin Console.

Parameters:
InputWin10AppxBundle: The path to where the source appxbundle file is located.
OutputWin10AppxBundle: The output path for the signed appxbundle file.
Win81Appx: The path to where the Windows 8.1 or Windows Phone 8.1 Company Portal (.APPX) file is located.
PfxFilePath: The path to the Symantec Enterprise Mobile Code Signing Certificate (.PFX) file.
PfxPassword: The password of the Symantec Enterprise Mobile Code Signing Certificate.
PublisherId: The Publisher ID of the enterprise. If absent, the 'Subject' field of the Symantec Enterprise
Mobile Code Signing Certificate is used.
SdkPath: The path to the root folder of the Windows SDK for Windows 10. This argument is optional and
defaults to ${env:ProgramFiles(x86)}\Windows Kits\10

The script will output the signed version of the Windows 10 Company Portal app when it has finished running. You
can then deploy the signed version of the app as an LOB app via Intune, which will upgrade the currently deployed
versions to this new app.
Intune App SDK overview
6/19/2017

The Intune App SDK, available for both iOS and Android, enables your app for Intune app protection policies. It
strives to minimize the amount of code changes required from the app developer. You will find that you can
enable most of the SDK's features without changing your app's behavior. For enhanced end-user and IT
administrator experience, you can utilize our APIs to customize your app behavior for features that require your
app participation.
Once you have enabled your app for app protection policies, IT administrators can deploy these policies to protect
their corporate data within the app.

App protection features


The following are examples of Intune app protection features that can be enabled with the SDK.
Control users' ability to move corporate files
IT administrators can control where work or school data in the app can be moved. For instance, they can deploy a
policy that disables the app from backing up corporate data to the cloud.
Configure clipboard restrictions
IT administrators can configure the clipboard behavior in Intune-managed apps. For instance, they can deploy a
policy to prevent end users from cutting or copying data from the app and pasting into an unmanaged, personal
app.
Enforce encryption on saved data
IT administrators can enforce a policy that ensures that data saved to the device by the app is encrypted.
Remotely wipe corporate data
IT administrators can remotely wipe corporate data from an Intune-managed app. This feature is identity-based
and will only delete the files associated with the corporate identity of the end user. To do that, the feature requires
the app's participation. The app can specify the identity for which the wipe should occur based on user settings. In
the absence of these specified user settings from the app, the default behavior is to wipe the application directory
and notify the end user that access has been removed.
Enforce the use of a managed browser
IT administrators can force web links in the app to be opened with the Intune Managed Browser app. This ensures
that links that appear in a corporate environment are kept within the domain of Intune-managed apps.
Enforce a PIN policy
IT administrators can require the end-user to enter a PIN before accessing corporate data in the app. This ensures
that the person using the app is the same person who initially signed in with their work or school account. When
end users configure their PIN, the Intune App SDK uses Azure Active Directory to verify the credentials of end-
users against the enrolled Intune account.
Require users to sign in with work or school account for app access
IT administrators can require users to sign in with their work or school account to access the app. The Intune App
SDK uses Azure Active Directory to provide a single sign-on experience, where the credentials, once entered, are
reused for subsequent logins. We also support authentication of identity management solutions federated with
Azure Active Directory.
Check device health and compliance
IT administrators can check the health of the device and its compliance with Intune policies before end-users
access the app. On iOS, this policy checks if the device has been jailbroken. On Android, this policy checks if the
device has been rooted.
Multi-identity support
Multi-identity support is a feature of the SDK that enables coexistence of policy-managed (corporate) and
unmanaged (personal) accounts in a single app.
For example, many users configure both corporate and personal email accounts in the Office mobile apps for iOS
and Android. When a user accesses data with their corporate account, the IT administrator must be confident that
app protection policy will be applied. However, when a user is accessing a personal email account, that data should
be outside of the IT administrator's control. The Intune App SDK achieves this by targeting the app protection
policy to only the corporate identity in the app.
The multi-identity feature helps solve the data protection problem that organizations face with store apps that
support both personal and work accounts.
App protection without device enrollment

IMPORTANT
Intune app protection without device enrollment is not yet available with the Intune App SDK for Android. It is available with
the Intune App Wrapping Tools, SDK for iOS, SDK Xamarin Component, and SDK Cordova Plugin.

Many users with personal devices want to access corporate data without enrolling their personal device with a
Mobile Device Management (MDM) provider. Since MDM enrollment requires global control of the device, users
are often hesitant to give control of their personal device over to their company.
App protection without device enrollment allows the Microsoft Intune service to deploy app protection policy to an
app directly, without relying on a device management channel to deploy the policy.
Get started with the Microsoft Intune App SDK
6/19/2017

This guide will help you quickly enable your mobile app for app protection policies with Microsoft Intune. You may
find it useful to first understand the benefits of the Intune App SDK, as explained in the Intune App SDK overview.
The Intune App SDK supports similar scenarios across iOS and Android, and is intended to create a consistent
experience across the platforms for IT admins. But there are small differences in the support of certain features,
because of platform limitations.

Register your store app with Microsoft


If your app is internal to your organization and will not be publicly available:
You do not need to register your app. For internal line-of-business apps, the IT administrator will deploy the app
internally. Intune will detect that the app has been built with the SDK, and will let the IT administrator apply app
protection policy to it. You can skip to the section Enable your iOS or Android app for app protection policy.
If your app will be released to a public app store, like the Apple App Store or Google Play:
You must first register your app with Microsoft Intune and agree to the registration terms. IT administrators can
then apply app protection policy to the enlightened app, which will be listed as an Intune app partner.
Until registration has been finished and confirmed by the Microsoft Intune team, Intune administrators will not
have the option to apply app protection policy to your app's deep link. Microsoft will also add your app to its
Microsoft Intune Partners page. There, the app's icon will be displayed to show that it supports Intune app
protection policies.
To begin the registration process, fill out the Microsoft Intune App Partner Questionnaire.
We will use the email addresses listed in your questionnaire response to reach out and continue the registration
process. Additionally, we use your registration email address to contact you if we have any concerns.

NOTE
All information collected in the questionnaire and through email correspondence with the Microsoft Intune team will honor
the Microsoft Privacy Statement.

What to expect in the registration process:


1. After you have submitted the questionnaire, we will contact you via your registration email address, to
either confirm successful receipt or request additional information to finish the registration.
2. After we receive all necessary information from you, we will send you the Microsoft Intune App Partner
Agreement to sign. This agreement describes the terms that your company must accept before it becomes a
Microsoft Intune app partner.
3. You will be notified when your app is successfully registered with the Microsoft Intune service and when
your app is featured on the Microsoft Intune partners site.
4. Finally, your app's deep link will be added to the next monthly Intune Service update. For example, if the
registration information is finished in July, the deep link will be supported in mid-August.
If your app's deep link changes in the future, you will need to re-register your app.
NOTE
Please inform us if you update your app with a new version of the Intune App SDK.

Download the SDK files


The Intune App SDKs for native iOS and Android are hosted on a Microsoft GitHub account. These public
repositories have the SDK files for native iOS and Android, respectively:
Intune App SDK for iOS
Intune App SDK for Android
If your app is a Xamarin or Cordova app, please use these SDK variants:
Intune App SDK Xamarin Component
Intune App SDK Cordova Plugin
It's a good idea to sign up for a GitHub account that you can use to fork and pull from our repositories. GitHub lets
developers communicate with our product team, open issues and receive quick responses, view release notes, and
provide feedback to Microsoft. For questions on the Intune App SDK GitHub, contact
[email protected].

Enable your iOS or Android app for app protection policy


You will need one of the following developer guides to help you integrate the Intune App SDK into your app:
Intune App SDK for iOS Developer Guide: This document will walk you step-by-step through enabling
your native iOS app with the Intune App SDK.
Intune App SDK for Android Developer Guide: This document will walk you step-by-step through
enabling your native Android app with the Intune App SDK.
Intune App SDK Cordova Plugin guide: This document will help you build iOS and Android apps using
Cordova for Intune app protection policies.
Intune App SDK Xamarin Component guide: This document will help you build iOS and Android apps
using Xamarin for Intune app protection policies.

Configure Telemetry for your app


Microsoft Intune collects data on usage statistics for your app.
Intune App SDK for iOS: The SDK logs SDK telemetry data on usage events by default. This data is sent to
Microsoft Intune.
If you choose not to send SDK telemetry data to Microsoft Intune from your app, you must disable
telemetry transmission by setting the property MAMTelemetryDisabled to "YES" in the IntuneMAMSettings
dictionary.
Intune App SDK for Android: Telemetry data is not logged through the SDK.

Next steps after integration


Test your app
After you finish the necessary steps to integrate your iOS or Android app with the Intune App SDK, you will need to
ensure that all the app protection policies are enabled and functioning for the user and the IT admin. To test your
integrated app, you will need the following:
Microsoft Intune test account: To test your Intune-enlightened app against Intune app protection
features, you will need a Microsoft Intune account.
If you are an ISV enabling your iOS or Android store apps for Intune app protection policy, you will
receive a promo code after you finish the registration with Microsoft Intune, as outlined in the
registration step. The promo code will let you sign up for a Microsoft Intune trial for one year of
extended use.
If you are developing a line-of-business app that will not be shipped to the store, you are expected to
have access to Microsoft Intune through your organization. You can also sign up for a one-month
free trial in Microsoft Intune.
Intune app protection policies: To test your app against all the Intune app protection policies, you should
know what the expected behavior is for each policy setting. See the descriptions for iOS app protection
policies and Android app protection policies.
Troubleshoot: If you run into any issues while manually testing your app's user experience, check out the
Troubleshooting MAM. This article offers help for common issues, dialogs, and error messages that may be
experienced in Intune-enlightened apps.
Badge your app (optional)
After validating that Intune app protection policies work in your app, you can badge your app icon with the Intune
app protection logo.
This badge indicates to IT administrators, end-users, and potential Intune customers that your app works with
Intune app protection policies. It encourages the usage and adoption of your app by Intune customers.
The badge is a briefcase icon and can be seen in the samples below:

What you'll need to badge your app:


An image manipulation application that can read .eps files, or an Adobe application that can read .ai files.
You can find the Intune app badge assets and guidelines on the Microsoft Intune GitHub.
Microsoft Intune App SDK for iOS developer guide
6/28/2017

NOTE
You might want to first read the Get Started with Intune App SDK Guide article, which explains how to prepare for
integration on each supported platform.

The Microsoft Intune App SDK for iOS lets you incorporate Intune app protection policies (also known as APP or
MAM policies) into your native iOS app. A MAM-enabled application is one that is integrated with the Intune App
SDK. IT administrators can deploy app protection policies to your mobile app when Intune actively manages the
app.

Prerequisites
You will need a Mac OS computer that runs OS X 10.8.5 or later and has Xcode 8 or later installed.
Your app must be targeted for iOS 9 or above.
Review the Intune App SDK for iOS License Terms. Print and retain a copy of the license terms for your
records. By downloading and using the Intune App SDK for iOS, you agree to such license terms. If you do
not accept them, do not use the software.
Download the files for the Intune App SDK for iOS on GitHub.

What's in the SDK


The Intune App SDK for iOS includes a static library, resource files, API headers, a debug settings .plist file, and a
configurator tool. Mobile apps might simply include the resource files and statically link to the libraries for most
policy enforcement. Advanced Intune MAM features are enforced through APIs.
This guide covers the use of the following components of the Intune App SDK for iOS:
libIntuneMAM.a: The Intune App SDK static library. If your app does not use extensions, link this library to
your project to enable your app for Intune mobile application management.
IntuneMAM.framework: The Intune App SDK framework. Link this framework to your project to enable
your app for Intune mobile application management. Use the framework instead of the static library if your
app uses extensions, so that your project does not create multiple copies of the static library.
IntuneMAMResources.bundle: A resource bundle that has resources that the SDK relies on.
Headers: Exposes the Intune App SDK APIs. If you use an API, you will need to include the header file that
contains the API. The following header files include the API function calls required to enable the
functionality of the Intune App SDK:
IntuneMAMAsyncResult.h
IntuneMAMDataProtectionInfo.h
IntuneMAMDataProtectionManager.h
IntuneMAMFileProtectionInfo.h
IntuneMAMFileProtectionManager.h
IntuneMAMPolicyDelegate.h
IntuneMAMLogger.h

How the Intune App SDK works


The objective of the Intune App SDK for iOS is to add management capabilities to iOS applications with minimal
code changes. The fewer the code changes, the less time to market--without affecting the consistency and stability
of your mobile application.

Build the SDK into your mobile app


To enable the Intune App SDK, follow these steps:
1. Option 1 (recommended): Link IntuneMAM.framework to your project. Drag IntuneMAM.framework to the
Embedded Binaries list of the project target.

NOTE
If you use the framework, you must manually strip out the simulator architectures from the universal framework
before you submit your app to the App Store. See Submit your app to the App Store for more details.

2. Option 2: Link to the libIntuneMAM.a library. Drag the libIntuneMAM.a library to the Linked Frameworks
and Libraries list of the project target.

NOTE
If you plan to release your app to the App Store, please use the version of libIntuneMAM.a that is built for release
and not the debug version. The release version will be in the release folder. The debug version has verbose output
that helps troubleshoot problems with the Intune App SDK.

Add -force_load {PATH_TO_LIB}/libIntuneMAM.a to either of the following, replacing {PATH_TO_LIB} with the
Intune App SDK location:
The project's OTHER_LDFLAGS build configuration setting
The UI's Other Linker Flags
NOTE
To find PATH_TO_LIB , select the file libIntuneMAM.a and choose Get Info from the File menu. Copy and
paste the Where information (the path) from the General section of the Info window.

3. Add these iOS frameworks to the project:


MessageUI.framework
Security.framework
MobileCoreServices.framework
SystemConfiguration.framework
libsqlite3.tbd
libc++.tbd
ImageIO.framework
LocalAuthentication.framework
AudioToolbox.framework
4. Add the IntuneMAMResources.bundle resource bundle to the project by dragging the resource bundle under
Copy Bundle Resources within Build Phases.

5. If your mobile app defines a main nib or storyboard file in its Info.plist file, cut the Main Storyboard or
Main Nib field(s). In Info.plist, paste these fields and their corresponding values under a new dictionary
named IntuneMAMSettings with the following key names, as applicable:
MainStoryboardFile
MainStoryboardFile~ipad
MainNibFile
MainNibFile~ipad

NOTE
If your mobile app doesn't define a main nib or storyboard file in its Info.plist file, these settings are not
required.

You can view Info.plist in raw format (to see the key names) by right-clicking anywhere in the
document body and changing the view type to Show Raw Keys/Values.
6. Enable keychain sharing (if it isn't already enabled) by choosing Capabilities in each project target and
enabling the Keychain Sharing switch. Keychain sharing is required for you to proceed to the next step.
NOTE
Your provisioning profile needs to support new keychain sharing values. The keychain access groups should support
a wildcard character. You can check this by opening the .mobileprovision file in a text editor, searching for keychain-
access-groups, and ensuring that you have a wildcard. For example:

<key>keychain-access-groups</key>
<array>
<string>YOURBUNDLESEEDID.*</string>
</array>

7. After you enable keychain sharing, follow these steps to create a separate access group in which the Intune
App SDK will store its data. You can create a keychain access group by using the UI or by using the
entitlements file. If you are using the UI to create the keychain access group, make sure to follow the steps
below:
a. If your mobile app does not have any keychain access groups defined, add the app's bundle ID as the
first group.
b. Add the shared keychain group com.microsoft.intune.mam to your existing access groups. The Intune App
SDK uses this access group to store data.
c. Add com.microsoft.adalcache to your existing access groups.
d. Add com.microsoft.workplacejoin to your existing access groups.
e. If you are using the entitlements file to create the keychain access group, prepend the keychain access
group with $(AppIdentifierPrefix) in the entitlements file. For example:

$(AppIdentifierPrefix)com.microsoft.intune.mam
$(AppIdentifierPrefix)com.microsoft.adalcache

NOTE
An entitlements file is an XML file that's unique to your mobile application. It is used to specify special
permissions and capabilities in your iOS app.

8. If the app defines URL schemes in its Info.plist file, add another scheme, with a -intunemam suffix, for each
URL scheme.
9. For mobile apps developed on iOS 9+, include each protocol that your app passes to
UIApplication canOpenURL in the LSApplicationQueriesSchemes array of your app's Info.plist file. Additionally, for
each protocol listed, add a new protocol and append it with -intunemam. You must also include
http-intunemam, https-intunemam, and ms-outlook-intunemam in the array.
10. If the app has app groups defined in its entitlements, add these groups to the IntuneMAMSettings
dictionary under the AppGroupIdentifiers key as an array of strings.

Configure Azure Active Directory Authentication Library (ADAL)


The Intune App SDK uses Azure Active Directory Authentication Library for its authentication and conditional
launch scenarios. It also relies on ADAL to register the user identity with the MAM service for management without
device enrollment scenarios.
Typically, ADAL requires apps to register with Azure Active Directory (AAD) and get a unique ID (Client ID) and
other identifiers, to guarantee the security of the tokens granted to the app. Unless otherwise specified, the Intune
App SDK uses default registration values when it contacts Azure AD.
If your app already uses ADAL to authenticate users, the app must use its existing registration values and override
the Intune App SDK default values. This ensures that users are not prompted for authentication twice (once by the
Intune App SDK and once by the app).
Recommendations
It is recommended that your app links to the latest version of ADAL on its master branch. The Intune App SDK
currently uses the broker branch of ADAL to support apps that require conditional access. (These apps therefore
depend on the Microsoft Authenticator app.) But the SDK is still compatible with the master branch of ADAL. Use
the branch that is appropriate for your app.
Link to ADAL binaries
Follow the steps below to link your app to the ADAL binaries:
1. Download the Azure Active Directory Authentication Library (ADAL) for Objective-C from GitHub, then
follow the instructions on how to download ADAL using Git submodules or CocoaPods.
2. Include the ADALiOSBundle.bundle resource bundle in the project by dragging the resource bundle under
Copy Bundle Resources within Build Phases.
3. Add -force_load {PATH_TO_LIB}/libADALiOS.a to the project's OTHER_LDFLAGS build configuration setting or
Other Linker Flags in the UI. PATH_TO_LIB should be replaced with the location of the ADAL binaries.
Share the ADAL token cache with other apps signed with the same provisioning profile?
Follow the instructions below if you want to share ADAL tokens between apps signed with the same provisioning
profile:
1. If your app does not have any keychain access groups defined, add the app's bundle ID as the first group.
2. Enable ADAL single sign-on (SSO) by adding the com.microsoft.adalcache and com.microsoft.workplacejoin access
groups in the keychain entitlements.
3. If you are explicitly setting the ADAL shared cache keychain group, make sure it is set to
<app_id_prefix>.com.microsoft.adalcache. ADAL will set this for you unless you override it. If you want to specify a
custom keychain group to replace com.microsoft.adalcache, specify that in the Info.plist file under
IntuneMAMSettings, by using the key ADALCacheKeychainGroupOverride.
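A build-time check for the requirements in steps 6 to 10 above and in the three ADAL token-cache sharing steps just listed, written as an added example (it is not part of the Intune App SDK or of Microsoft's documentation). It parses the app's entitlements file and Info.plist with the standard library's plistlib and reports where they diverge from the guide: the bundle ID as the first keychain access group, the three shared groups and their $(AppIdentifierPrefix) prefix, a -intunemam twin for every declared and queried URL scheme, the three mandatory LSApplicationQueriesSchemes entries, and app groups mirrored in AppGroupIdentifiers. The two sample plists, the bundle ID com.example.mamapp and the function names are constructed for this example.

```python
"""Offline lint for the Intune App SDK keychain, URL-scheme and app-group requirements.

Added example, not SDK code. Input is the entitlements plist and Info.plist as
Xcode writes them; output is a list of findings, empty when the checks pass.
"""
import plistlib

PREFIX = "$(AppIdentifierPrefix)"          # Xcode resolves this to "TEAMID." at signing time
SUFFIX = "-intunemam"
REQUIRED_KEYCHAIN_GROUPS = ("com.microsoft.intune.mam", "com.microsoft.adalcache", "com.microsoft.workplacejoin")
REQUIRED_QUERY_SCHEMES = ("http-intunemam", "https-intunemam", "ms-outlook-intunemam")


def check_keychain_groups(entitlements, bundle_id):
    """Findings for keychain-access-groups (steps 7a-7e and ADAL SSO steps 1-2)."""
    findings = []
    groups = entitlements.get("keychain-access-groups", [])
    bare = [g[len(PREFIX):] if g.startswith(PREFIX) else g for g in groups]
    if not bare:
        findings.append("keychain-access-groups is empty; the bundle ID must be the first group")
    elif bare[0] != bundle_id:
        findings.append(f"first keychain access group is {bare[0]!r}, expected the bundle ID {bundle_id!r}")
    for required in REQUIRED_KEYCHAIN_GROUPS:
        if required not in bare:
            findings.append(f"missing keychain access group {required}")
    for group in groups:
        if not group.startswith(PREFIX):
            findings.append(f"keychain access group {group!r} lacks the {PREFIX} prefix")
    return findings


def check_url_schemes(info):
    """Findings for steps 8 and 9: -intunemam twins and the mandatory query schemes."""
    findings = []
    declared = [s for t in info.get("CFBundleURLTypes", []) for s in t.get("CFBundleURLSchemes", [])]
    for scheme in declared:
        if not scheme.endswith(SUFFIX) and scheme + SUFFIX not in declared:
            findings.append(f"URL scheme {scheme!r} has no {scheme + SUFFIX!r} twin")
    queried = info.get("LSApplicationQueriesSchemes", [])
    for scheme in queried:
        if not scheme.endswith(SUFFIX) and scheme + SUFFIX not in queried:
            findings.append(f"LSApplicationQueriesSchemes lists {scheme!r} without {scheme + SUFFIX!r}")
    for required in REQUIRED_QUERY_SCHEMES:
        if required not in queried:
            findings.append(f"LSApplicationQueriesSchemes is missing {required}")
    return findings


def check_app_groups(entitlements, info):
    """Findings for step 10: every app group must appear in IntuneMAMSettings/AppGroupIdentifiers."""
    mirrored = info.get("IntuneMAMSettings", {}).get("AppGroupIdentifiers", [])
    return [f"app group {g!r} is not listed in IntuneMAMSettings/AppGroupIdentifiers"
            for g in entitlements.get("com.apple.security.application-groups", [])
            if g not in mirrored]


def lint(entitlements_bytes, info_bytes):
    """Parse both plists and return all findings in document order."""
    entitlements = plistlib.loads(entitlements_bytes)
    info = plistlib.loads(info_bytes)
    bundle_id = info["CFBundleIdentifier"]
    return (check_keychain_groups(entitlements, bundle_id)
            + check_url_schemes(info)
            + check_app_groups(entitlements, info))


# Constructed sample entitlements: the workplacejoin group is missing.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>keychain-access-groups</key>
  <array>
    <string>$(AppIdentifierPrefix)com.example.mamapp</string>
    <string>$(AppIdentifierPrefix)com.microsoft.intune.mam</string>
    <string>$(AppIdentifierPrefix)com.microsoft.adalcache</string>
  </array>
  <key>com.apple.security.application-groups</key>
  <array><string>group.com.example.mamapp</string></array>
</dict></plist>"""

# Constructed sample Info.plist: ms-outlook-intunemam and the app group mirror are missing.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.mamapp</string>
  <key>CFBundleURLTypes</key>
  <array><dict>
    <key>CFBundleURLSchemes</key>
    <array><string>mamapp</string><string>mamapp-intunemam</string></array>
  </dict></array>
  <key>LSApplicationQueriesSchemes</key>
  <array>
    <string>ms-word</string><string>ms-word-intunemam</string>
    <string>http-intunemam</string><string>https-intunemam</string>
  </array>
  <key>IntuneMAMSettings</key>
  <dict><key>AppGroupIdentifiers</key><array/></dict>
</dict></plist>"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_ENTITLEMENTS, SAMPLE_INFO_PLIST):
        print("-", finding)
```

Run it against the real files by reading them with `open(path, "rb").read()` in place of the two samples; the app-groups check deliberately reads the entitlements rather than the provisioning profile, because the entitlements file is what ends up in the signed binary.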
Configure ADAL settings for the Intune App SDK
If your app already uses ADAL for authentication and has its own ADAL settings, you can force the Intune App SDK
to use the same settings during authentication against Azure Active Directory. This ensures that the app will not
double-prompt the user for authentication. See Configure settings for the Intune App SDK for information on
populating the following settings:
ADALClientId
ADALAuthority
ADALRedirectUri
ADALRedirectScheme
ADALCacheKeychainGroupOverride
If your app already uses ADAL, the following configurations are required:
1. In the project's Info.plist file, under the IntuneMAMSettings dictionary with the key name ADALClientId,
specify the client ID to be used for ADAL calls.
2. Also under the IntuneMAMSettings dictionary with the key name ADALAuthority, specify the Azure AD
authority.
3. Also under the IntuneMAMSettings dictionary with the key name ADALRedirectUri, specify the redirect URI
to be used for ADAL calls. You might also need to specify ADALRedirectScheme, depending on the format of
your app's redirect URI.
Additionally, you can override the Azure AD Authority URL with a tenant-specific URL at runtime. To do this, simply
set the aadAuthorityUriOverride property on the IntuneMAMPolicyManager instance.

NOTE
Setting the AAD Authority URL is required for APP without device enrollment to let the SDK reuse the ADAL refresh token
fetched by the app.

The SDK will continue to use this authority URL for policy refresh and any subsequent enrollment requests, unless
the value is cleared or changed. Therefore, it is important to clear the value when a managed user signs out of the
app and to reset the value when a new managed user signs in.
If your app does not use ADAL
If your app does not use ADAL, the Intune App SDK will provide default values for ADAL parameters and handle
authentication against Azure AD. You do not have to specify any values for the ADAL settings listed above.

App protection policy without device enrollment


Overview
Intune app protection policy without device enrollment, also known as APP-WE or MAM-WE, allows apps to be
managed by Intune without the need for the device to be enrolled in Intune mobile device management (MDM). To
support this new functionality, the app must participate by registering user accounts for management. To use the new
APIs, follow these steps:
1. Use the latest release of the Intune App SDK, which supports management of apps with or without device
enrollment.
2. Add IntuneMAMEnrollment.h to any files that will call the APIs.
Register user accounts
An app can receive app protection policy from the Intune service if the app enrolls with the APP-WE service on
behalf of a specified user account. The app is responsible for registering any newly signed-in user with the SDK.
After the new user account has been authenticated, the app should call the registerAndEnrollAccount method in
Headers/IntuneMAMEnrollment.h:
/**
 * This method will add the account to the list of registered accounts.
 * An enrollment request will immediately be started.
 * @param identity The UPN of the account to be registered with the SDK
 */
- (void)registerAndEnrollAccount:(NSString *)identity;

By calling the registerAndEnrollAccount method, the SDK will register the user account and attempt to enroll the app
on behalf of this account. If the enrollment fails for any reason, the SDK will automatically retry the enrollment 24
hours later. For debugging purposes, the app can receive notifications, via a delegate, about the results of any
enrollment requests.
After this API has been invoked, the app can continue to function as normal. If the enrollment succeeds, the SDK
will notify the user that an app restart is required. At that time, the user can immediately restart the app.
Deregister user accounts
Before a user is signed out of an app, the app should deregister the user from the SDK. This will ensure:
1. Enrollment retries will no longer happen for the user's account.
2. App protection policy will be removed.
3. If the app initiates a selective wipe (optional), any corporate data is deleted.
Before the user is signed out, the app should call the following API in Headers/IntuneMAMEnrollment.h :

/**
 * This method will remove the provided account from the list of
 * registered accounts. Once removed, if the account has enrolled
 * the application, the account will be un-enrolled.
 * @note In the case where an un-enroll is required, this method will block
 * until the Intune MAM AAD token is acquired, then return. This method must be called before
 * the user is removed from the application (so that required AAD tokens are not purged
 * before this method is called).
 * @param identity The UPN of the account to be removed.
 * @param doWipe If YES, a selective wipe is performed if the account is un-enrolled
 */
- (void)deRegisterAndUnenrollAccount:(NSString *)identity withWipe:(BOOL)doWipe;

This method must be called before the user account's Azure AD tokens are deleted. The SDK needs the user
account's AAD token(s) to make specific requests to the APP-WE service on behalf of the user.
If the app will delete the user's corporate data on its own, the doWipe flag can be set to NO. Otherwise, the app
can have the SDK initiate a selective wipe. This will result in a call to the app's selective wipe delegate.

// identity is the UPN of the account that is signing out
[[IntuneMAMEnrollmentManager instance] deRegisterAndUnenrollAccount:@"[email protected]" withWipe:YES];

Apps that do not use ADAL


Apps that do not sign in the user using ADAL can still receive app protection policy from the Intune service by
calling the API to have the SDK handle that authentication. Apps should use this technique when they have not
authenticated a user with Azure AD but still need to retrieve app protection policy to help protect data. An example
is if another authentication service is being used for app sign-in, or if the app does not support signing in at all. To
do this, the application should call the loginAndEnrollAccount method in Headers/IntuneMAMEnrollment.h:
/**
 * Creates an enrollment request which is started immediately.
 * If no token can be retrieved for the identity, the user will be prompted
 * to enter their credentials, after which enrollment will be retried.
 * @param identity The UPN of the account to be logged in and enrolled.
 */
- (void)loginAndEnrollAccount:(NSString *)identity;

By calling this method, the SDK will prompt the user for credentials if no existing token can be found. The SDK will
then try to enroll the app with the APP-WE service on behalf of the supplied user account. The method can be
called with "nil" as the identity. In that case, the SDK will enroll with the existing managed user on the device, or
prompt the user for a user name if no existing user is found.
If the enrollment fails, the app should consider calling this API again at a future time, depending on the details of
the failure. The app can receive notifications, via a delegate, about the results of any enrollment requests.
After this API has been invoked, the app can continue functioning as normal. If the enrollment succeeds, the SDK
will notify the user that an app restart is required.

Status, result, and debug notifications


The app can receive status, result, and debug notifications about the following requests to the Intune MAM service:
Enrollment requests
Policy update requests
Unenrollment requests
The notifications are presented via delegate methods in Headers/IntuneMAMEnrollmentDelegate.h:

/**
 * Called when an enrollment request operation is completed.
 * @param status status object containing debug information
 */
- (void)enrollmentRequestWithStatus:(IntuneMAMEnrollmentStatus *)status;

/**
 * Called when a MAM policy request operation is completed.
 * @param status status object containing debug information
 */
- (void)policyRequestWithStatus:(IntuneMAMEnrollmentStatus *)status;

/**
 * Called when an un-enroll request operation is completed.
 * @note When a user is un-enrolled, the user is also de-registered with the SDK
 * @param status status object containing debug information
 */
- (void)unenrollRequestWithStatus:(IntuneMAMEnrollmentStatus *)status;

These delegate methods return an IntuneMAMEnrollmentStatus object that has the following information:
The identity of the account associated with the request
A status code that indicates the result of the request
An error string with a description of the status code
An NSError object

This object is defined in IntuneMAMEnrollmentStatus.h, along with the specific status codes that can be returned.
Sample code
These are example implementations of the delegate methods:

// statusCode is cast to unsigned long, so the matching format specifier is %lu
- (void)enrollmentRequestWithStatus:(IntuneMAMEnrollmentStatus *)status
{
    NSLog(@"enrollment result for identity %@ with status code %lu", status.identity, (unsigned long)status.statusCode);
    NSLog(@"Debug Message: %@", status.errorString);
}

- (void)policyRequestWithStatus:(IntuneMAMEnrollmentStatus *)status
{
    NSLog(@"policy check-in result for identity %@ with status code %lu", status.identity, (unsigned long)status.statusCode);
    NSLog(@"Debug Message: %@", status.errorString);
}

- (void)unenrollRequestWithStatus:(IntuneMAMEnrollmentStatus *)status
{
    NSLog(@"un-enroll result for identity %@ with status code %lu", status.identity, (unsigned long)status.statusCode);
    NSLog(@"Debug Message: %@", status.errorString);
}

App restart
When an app receives app protection policies for the first time, it must restart to apply the required hooks. To
notify the app that a restart needs to happen, the SDK provides a delegate method in
Headers/IntuneMAMPolicyDelegate.h.

- (BOOL) restartApplication

The return value of this method tells the SDK if the application must handle the required restart:
If true is returned, the application must handle the restart.
If false is returned, the SDK will restart the application after this method returns. The SDK will immediately
show a dialog box that tells the user to restart the application.

Customize your app's behavior


The Intune App SDK has several APIs you can call to get information about the Intune app protection policy
deployed to the app. You can use this data to customize your app's behavior. Most app protection policy settings
are automatically enforced by the SDK and not the application. The only setting that the app should implement is
the Save-as control.
Get app protection policy
IntuneMAMPolicyManager.h
The IntuneMAMPolicyManager class exposes the Intune app protection policy deployed to the application. Notably,
it exposes APIs that are useful for enabling multi-identity.
IntuneMAMPolicy.h
The IntuneMAMPolicy class exposes the Intune app protection policy deployed to the application. Most of the policy
settings exposed in this class are enforced by the SDK, but you can always customize your app's behavior based on
how policy settings are enforced.
This class exposes some APIs needed to implement save-as controls, detailed in the next section.
Implement save-as controls
Intune lets IT admins select which storage locations a managed app can save data to. Apps can query the Intune
App SDK for allowed storage locations by using the isSaveToAllowedForLocation API, defined in
IntuneMAMPolicy.h.
Before apps can save managed data to a cloud-storage or local location, they must check with the
isSaveToAllowedForLocation API to know if the IT admin has allowed data to be saved there.
When apps use the isSaveToAllowedForLocation API, they must pass in the UPN for the storage location, if it is
available.
Supported save locations
The isSaveToAllowedForLocation API provides constants to check whether the IT admin permits data to be
saved to the following locations defined in IntuneMAMPolicy.h:
IntuneMAMSaveLocationOther
IntuneMAMSaveLocationOneDriveForBusiness
IntuneMAMSaveLocationSharePoint
IntuneMAMSaveLocationLocalDrive
Apps should use the constants in the isSaveToAllowedForLocation API to check if data can be saved to locations
considered "managed," like OneDrive for Business, or "personal." Additionally, the API should be used when the
app can't check whether a location is "managed" or "personal."
Locations known to be "personal" are represented by the IntuneMAMSaveLocationOther constant.
The IntuneMAMSaveLocationLocalDrive constant should be used when the app is saving data to any location on the
local device.

Configure settings for the Intune App SDK


You can use the IntuneMAMSettings dictionary in the application's Info.plist file to set up and configure the
Intune App SDK. If the IntuneMAMSettings dictionary is not present in your Info.plist file, you should create a
dictionary in your app's Info.plist with the field name "IntuneMAMSettings."
Under the IntuneMAMSettings dictionary, you can add key/value rows of configuration settings to configure the
SDK. The table below lists all supported settings.
Some of these settings might have been covered in previous sections, and some do not apply to all apps.

SETTING | TYPE | DEFINITION | REQUIRED?

ADALClientId
  Type: String
  Definition: The app's Azure AD client identifier.
  Required? Required if the app uses ADAL.

ADALAuthority
  Type: String
  Definition: The app's Azure AD authority in use. You should use your own environment where AAD accounts have
  been configured.
  Required? Required if the app uses ADAL. If this value is absent, an Intune default is used.

ADALRedirectUri
  Type: String
  Definition: The app's Azure AD redirect URI.
  Required? ADALRedirectUri or ADALRedirectScheme is required if the app uses ADAL.

ADALRedirectScheme
  Type: String
  Definition: The app's Azure AD redirect scheme. This can be used in place of ADALRedirectUri if the
  application's redirect URI is in the format scheme://bundle_id.
  Required? ADALRedirectUri or ADALRedirectScheme is required if the app uses ADAL.

ADALLogOverrideDisabled
  Type: Boolean
  Definition: Specifies whether the SDK will route all ADAL logs (including ADAL calls from the app, if any) to
  its own log file. Defaults to NO. Set to YES if the app will set its own ADAL log callback.
  Required? Optional.

ADALCacheKeychainGroupOverride
  Type: String
  Definition: Specifies the keychain group to use for the ADAL cache, instead of "com.microsoft.adalcache."
  Note that this doesn't have the app-id prefix. That will be prefixed to the provided string at runtime.
  Required? Optional.

AppGroupIdentifiers
  Type: Array of string
  Definition: Array of app groups from the app's entitlements com.apple.security.application-groups section.
  Required? Required if the app uses application groups.

ContainingAppBundleId
  Type: String
  Definition: Specifies the bundle ID of the extension's containing application.
  Required? Required for iOS extensions.

DebugSettingsEnabled
  Type: Boolean
  Definition: If set to YES, test policies within the Settings bundle can be applied. Applications should not be
  shipped with this setting enabled.
  Required? Optional.

MainNibFile / MainNibFile~ipad
  Type: String
  Definition: This setting should have the application's main nib file name.
  Required? Required if the application defines MainNibFile in Info.plist.

MainStoryboardFile / MainStoryboardFile~ipad
  Type: String
  Definition: This setting should have the application's main storyboard file name.
  Required? Required if the application defines UIMainStoryboardFile in Info.plist.

AutoEnrollOnLaunch
  Type: Boolean
  Definition: Specifies whether the app should attempt to automatically enroll on launch if an existing managed
  identity is detected and it has not yet done so. Defaults to NO.
  Notes: If no managed identity is found or no valid token for the identity is available in the ADAL cache, the
  enrollment attempt will silently fail without prompting for credentials, unless the app has also set
  MAMPolicyRequired to YES.
  Required? Optional.

MAMPolicyRequired
  Type: Boolean
  Definition: Specifies whether the app will be blocked from starting if the app does not have an Intune app
  protection policy. Defaults to NO.
  Notes: Apps cannot be submitted to the App Store with MAMPolicyRequired set to YES. When setting
  MAMPolicyRequired to YES, AutoEnrollOnLaunch should also be set to YES.
  Required? Optional.

MAMPolicyWarnAbsent
  Type: Boolean
  Definition: Specifies whether the app will warn the user during launch if the app does not have an Intune app
  protection policy.
  Note: Users will still be allowed to use the app without policy after dismissing the warning.
  Required? Optional.

MultiIdentity
  Type: Boolean
  Definition: Specifies whether the app is multi-identity aware.
  Required? Optional.

SplashIconFile / SplashIconFile~ipad
  Type: String
  Definition: Specifies the Intune splash (startup) icon file.
  Required? Optional.

SplashDuration
  Type: Number
  Definition: Minimum amount of time, in seconds, that the Intune startup screen will be shown at application
  launch. Defaults to 1.5.
  Required? Optional.

BackgroundColor
  Type: String
  Definition: Specifies the background color for the startup and PIN screens. Accepts a hexadecimal RGB string
  in the form of #XXXXXX, where X can range from 0-9 or A-F. The pound sign might be omitted.
  Required? Optional. Defaults to light grey.

ForegroundColor
  Type: String
  Definition: Specifies the foreground color for the startup and PIN screens, like text color. Accepts a
  hexadecimal RGB string in the form of #XXXXXX, where X can range from 0-9 or A-F. The pound sign might be
  omitted.
  Required? Optional. Defaults to black.

AccentColor
  Type: String
  Definition: Specifies the accent color for the PIN screen, like button text color and box highlight color.
  Accepts a hexadecimal RGB string in the form of #XXXXXX, where X can range from 0-9 or A-F. The pound sign
  might be omitted.
  Required? Optional. Defaults to system blue.

MAMTelemetryDisabled
  Type: Boolean
  Definition: Specifies if the SDK will not send any telemetry data to its back end.
  Required? Optional.

NOTE
If your app will be released to the App Store, MAMPolicyRequired must be set to "NO," per App Store standards.
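The type rules and cross-setting rules in the table above, together with the App Store rule in this note and the table's warning that DebugSettingsEnabled must not ship, as an added validator (example code, not part of the Intune App SDK). It takes the IntuneMAMSettings dictionary as plistlib returns it from Info.plist and reports each rule the dictionary breaks, so it can run as a pre-submission check in CI. The sample dictionary, its placeholder client ID and the function name are constructed for this example.

```python
"""Offline validator for the IntuneMAMSettings dictionary.

Added example, not SDK code. validate_settings() returns a list of findings;
an empty list means the dictionary passes every rule it knows about.
"""
import re

STRING_KEYS = {
    "ADALClientId", "ADALAuthority", "ADALRedirectUri", "ADALRedirectScheme",
    "ADALCacheKeychainGroupOverride", "ContainingAppBundleId", "MainNibFile",
    "MainNibFile~ipad", "MainStoryboardFile", "MainStoryboardFile~ipad",
    "SplashIconFile", "SplashIconFile~ipad", "BackgroundColor", "ForegroundColor", "AccentColor",
}
BOOL_KEYS = {
    "ADALLogOverrideDisabled", "DebugSettingsEnabled", "AutoEnrollOnLaunch",
    "MAMPolicyRequired", "MAMPolicyWarnAbsent", "MultiIdentity", "MAMTelemetryDisabled",
}
KNOWN_KEYS = STRING_KEYS | BOOL_KEYS | {"AppGroupIdentifiers", "SplashDuration"}
COLOR_KEYS = ("BackgroundColor", "ForegroundColor", "AccentColor")
HEX_COLOR = re.compile(r"^#?[0-9A-F]{6}$")  # table: #XXXXXX, X in 0-9 or A-F, pound sign optional


def validate_settings(settings, release_build=False):
    """Apply the table's rules; release_build adds the App Store and debug-shipping rules."""
    findings = []
    for key, value in settings.items():
        if key not in KNOWN_KEYS:
            findings.append(f"unknown IntuneMAMSettings key {key!r}")
        elif key in STRING_KEYS and not isinstance(value, str):
            findings.append(f"{key} must be a String")
        elif key in BOOL_KEYS and not isinstance(value, bool):
            findings.append(f"{key} must be a Boolean")
        elif key == "AppGroupIdentifiers" and not (
                isinstance(value, list) and all(isinstance(v, str) for v in value)):
            findings.append("AppGroupIdentifiers must be an array of strings")
        elif key == "SplashDuration" and (isinstance(value, bool) or not isinstance(value, (int, float))):
            findings.append("SplashDuration must be a Number")  # bool is an int subclass, so exclude it

    # An app that supplies its own ADAL registration must also supply the redirect.
    if "ADALClientId" in settings and not ({"ADALRedirectUri", "ADALRedirectScheme"} & settings.keys()):
        findings.append("ADALRedirectUri or ADALRedirectScheme is required if the app uses ADAL")

    for key in COLOR_KEYS:
        value = settings.get(key)
        if isinstance(value, str) and not HEX_COLOR.match(value):
            findings.append(f"{key} must be a hexadecimal RGB string of the form #XXXXXX")

    if settings.get("MAMPolicyRequired") is True:
        if release_build:
            findings.append("MAMPolicyRequired must be NO in an App Store build")
        if settings.get("AutoEnrollOnLaunch") is not True:
            findings.append("AutoEnrollOnLaunch should be YES when MAMPolicyRequired is YES")

    if release_build and settings.get("DebugSettingsEnabled") is True:
        findings.append("DebugSettingsEnabled must not be YES in a shipped build")

    override = settings.get("ADALCacheKeychainGroupOverride")
    if isinstance(override, str) and "$(AppIdentifierPrefix)" in override:
        findings.append("ADALCacheKeychainGroupOverride must not carry the app-id prefix; the SDK adds it at runtime")
    return findings


# Constructed sample: a debug-time configuration that must change before App Store submission.
SAMPLE_SETTINGS = {
    "ADALClientId": "00000000-0000-0000-0000-000000000000",  # placeholder, not a real registration
    "ADALAuthority": "https://login.microsoftonline.com/common",
    "MAMPolicyRequired": True,
    "DebugSettingsEnabled": True,
    "BackgroundColor": "#1F2A3",  # only five hex digits
    "SplashDuration": "1.5",      # a string where the table requires a Number
    "MultiIdentity": False,
}

if __name__ == "__main__":
    for finding in validate_settings(SAMPLE_SETTINGS, release_build=True):
        print("-", finding)
```

In a release pipeline, pass `plistlib.load(open("Info.plist", "rb"))["IntuneMAMSettings"]` and fail the build when the returned list is non-empty; run it with `release_build=False` on debug builds so that MAMPolicyRequired and DebugSettingsEnabled remain usable for testing.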

Enabling MAM targeted configuration for your iOS applications


MAM targeted configuration allows an app to receive configuration data through the Intune App SDK. The format
and variants of this data must be defined and communicated to Intune customers by the application
owner/developer. Intune administrators can target and deploy configuration data via the Intune Azure console. As
of the Intune App SDK for iOS (v 7.0.1), apps that are participating in MAM targeted configuration can be provided
MAM targeted configuration data via the MAM Service. The application configuration data is pushed through our
MAM Service directly to the app instead of through the MDM channel. The Intune App SDK provides a class to
access the data retrieved from these consoles. Consider the following as prerequisites:
The app needs to be MAM-WE enrolled before you access the MAM targeted config UI. For more information
about MAM-WE, see App protection policy without device enrollment in the Intune App SDK guide.
Include IntuneMAMAppConfigManager.h in your app's source file.
Call [[IntuneMAMAppConfig instance] appConfigForIdentity:] to get the App Config Object.
Call the appropriate selector on the IntuneMAMAppConfig object. For example, if your application's key is a string,
you'd want to use stringValueForKey or allStringsForKey. The IntuneMAMAppConfig.h header file describes the return
values and error conditions.
For more information about the capabilities of the Graph API with respect to the MAM targeted configuration
values, see Graph API Reference MAM Targeted Config.
For more information about how to create a MAM targeted app configuration policy in iOS, see the section on
MAM targeted app config in How to use Microsoft Intune app configuration policies for iOS.

Telemetry
By default, the Intune App SDK for iOS logs telemetry data on the following usage events. This data is sent to
Microsoft Intune.
App launch: To help Microsoft Intune learn about MAM-enabled app usage by management type (MAM
with MDM, MAM without MDM enrollment, and so on).
Enrollment calls: To help Microsoft Intune learn about success rate and other performance metrics of
enrollment calls initiated from the client side.

NOTE
If you choose not to send Intune App SDK telemetry data to Microsoft Intune from your mobile application, you must
disable Intune App SDK telemetry capture. Set the property MAMTelemetryDisabled to YES in the IntuneMAMSettings
dictionary.

Enable multi-identity (optional)


By default, the SDK applies a policy to the app as a whole. Multi-identity is a MAM feature that you can enable to
apply a policy on a per-identity level. This requires more app participation than other MAM features.
The app must inform the app SDK when it intends to change the active identity. The SDK also notifies the app
when an identity change is required. Currently, only one managed identity is supported. After the user enrolls the
device or the app, the SDK uses this identity and considers it the primary managed identity. Other users in the app
will be treated as unmanaged with unrestricted policy settings.
Note that an identity is simply defined as a string. Identities are case-insensitive. Requests to the SDK for an
identity might not return the same casing that was originally used when the identity was set.
Identity overview
An identity is simply the user name of an account (for example, [email protected]). Developers can set the
identity of the app on the following levels:
Process identity: Sets the process-wide identity and is mainly used for single identity applications. This
identity affects all tasks, files, and UI.
UI identity: Determines what policies are applied to UI tasks on the main thread, like cut/copy/paste, PIN,
authentication, and data sharing. The UI identity does not affect file tasks like encryption and backup.
Thread identity: Affects what policies are applied on the current thread. This identity affects all tasks, files,
and UI.
The app is responsible for setting the identities appropriately, whether or not the user is managed.
At any time, every thread has an effective identity for UI tasks and file tasks. This is the identity that's used to check
what policies, if any, should be applied. If the identity is "no identity" or the user is not managed, no policies will be
applied. The diagrams below show how the effective identities are determined.
Thread queues
Apps often dispatch asynchronous and synchronous tasks to thread queues. The SDK intercepts Grand Central
Dispatch (GCD) calls and associates the current thread identity with the dispatched tasks. When the tasks are
finished, the SDK temporarily changes the thread identity to the identity associated with the tasks, finishes the
tasks, then restores the original thread identity.
Because NSOperationQueue is built on top of GCD, NSOperations will run on the identity of the thread at the time the
tasks are added to NSOperationQueue. NSOperations or functions dispatched directly through GCD can also change
the current thread identity as they are running. This identity will override the identity inherited from the
dispatching thread.
File owner
The SDK tracks the identities of local file owners and applies policies accordingly. A file owner is established when
a file is created or when a file is opened in truncate mode. The owner is set to the effective file task identity of the
thread that's performing the task.
Alternatively, apps can set the file owner identity explicitly by using IntuneMAMFilePolicyManager. Apps can use
IntuneMAMFilePolicyManager to retrieve the file owner and set the UI identity before showing the file contents.

Shared data
If the app creates files that have data from both managed and unmanaged users, the app is responsible for
encrypting the managed user's data. You can encrypt data by using the protect and unprotect APIs in
IntuneMAMDataProtectionManager.

The protect method accepts an identity that can be a managed or unmanaged user. If the user is managed, the
data will be encrypted. If the user is unmanaged, a header that encodes the identity will be added to the data,
but the data will not be encrypted. You can use the protectionInfo method to retrieve the data's owner.
Share extensions
If the app has a share extension, the owner of the item being shared can be retrieved through the
protectionInfoForItemProvider method in IntuneMAMDataProtectionManager. If the shared item is a file, the SDK will handle
setting the file owner. If the shared item is data, the app is responsible for setting the file owner if this data is
persisted to a file, and for calling the setUIPolicyIdentity API before showing this data in the UI.
Turning on multi-identity
By default, apps are considered single identity. The SDK sets the process identity to the enrolled user. To enable
multi-identity support, add a Boolean setting with the name MultiIdentity and a value of YES to the
IntuneMAMSettings dictionary in the app's Info.plist file.

NOTE
When multi-identity is enabled, the process identity, UI identity, and thread identities are set to nil. The app is responsible
for setting them appropriately.

Switching identities
App-initiated identity switch:
At launch, multi-identity apps are considered to be running under an unknown, unmanaged account. The
conditional launch UI will not run, and no policies will be enforced on the app. The app is responsible for
notifying the SDK whenever the identity should be changed. Typically, this will happen whenever the app is
about to show data for a specific user account.
An example is when the user attempts to open a document, a mailbox, or a tab in a notebook. The app
needs to notify the SDK before the file, mailbox, or tab is actually opened. This is done through the
setUIPolicyIdentity API in IntuneMAMPolicyManager. This API should be called whether or not the user is
managed. If the user is managed, the SDK will perform the conditional launch checks, like jailbreak
detection, PIN, and authentication.
The result of the identity switch is returned to the app asynchronously through a completion handler. The
app should postpone opening the document, mailbox, or tab until a success result code is returned. If the
identity switch failed, the app should cancel the task.
SDK-initiated identity switch:
Sometimes, the SDK needs to ask the app to switch to a specific identity. Multi-identity apps must
implement the identitySwitchRequired method in IntuneMAMPolicyDelegate to handle this request.
When this method is called, if the app can handle the request to switch to the specified identity, it should
pass IntuneMAMAddIdentityResultSuccess into the completion handler. If it can't handle switching the identity,
the app should pass IntuneMAMAddIdentityResultFailed into the completion handler.
The app does not have to call setUIPolicyIdentity in response to this call. If the SDK needs the app to switch to
an unmanaged user account, the empty string will be passed into the identitySwitchRequired call.
Selective wipe:
When the app is selectively wiped, the SDK will call the wipeDataForAccount method in
IntuneMAMPolicyDelegate. The app is responsible for removing the specified user's account and any data
associated with it. The SDK is capable of removing all files owned by the user and will do so if the app
returns FALSE from the wipeDataForAccount call.
Note that this method is called from a background thread. The app should not return a value until all data
for the user has been removed (with the exception of files if the app returns FALSE).

Test app protection policy settings in Xcode


Before you manually test your Intune-enlightened app in production, you can use a Settings.bundle file while in
Xcode. This will let you set app protection policies for testing without requiring a connection to Intune.
Enable policy testing
Follow the steps below to enable policy testing in Xcode:
1. Make sure to be in a debug build. Add a Settings.bundle file by right-clicking the top-level folder in your
project. Choose Add > New File from the menu. Under Resources, choose the Settings Bundle template.
2. Copy the following block to the Settings.bundle/Root.plist file for the debug build:

<key>PreferenceSpecifiers</key>
<array>
<dict>
<key>Type</key>
<string>PSChildPaneSpecifier</string>
<key>Title</key>
<string>MDM Debug Settings</string>
<key>Key</key>
<string>MAMDebugSettings</string>
<key>File</key>
<string>MAMDebugSettings</string>
</dict>
</array>

3. In the IntuneMAMSettings dictionary in the app's Info.plist, add a boolean called "DebugSettingsEnabled."
Set the value of DebugSettingsEnabled to "YES."
App protection policy settings
The table below describes the app protection policy settings that you can test using MAMDebugSettings.plist. To
turn on a setting, add it in MAMDebugSettings.plist.

POLICY SETTING NAME | DESCRIPTION | POSSIBLE VALUES

AccessRecheckOfflineTimeout
  Description: The length of time in minutes the app can be offline before Intune blocks the app from launching or
  resuming if authentication is enabled.
  Possible values: Any integer greater than 0

AccessRecheckOnlineTimeout
  Description: The length of time in minutes the app can run before the user is prompted for PIN or authentication
  at launch or resume (if authentication or PIN for access is enabled).
  Possible values: Any integer greater than 0

AppSharingFromLevel
  Description: Specifies which apps this app can accept data from.
  Possible values: 0=

iOS best practices


Here are recommended best practices for developing for iOS:
The iOS file system is case-sensitive. Ensure that the case is correct for file names like libIntuneMAM.a and
IntuneMAMResources.bundle .

If Xcode has trouble finding libIntuneMAM.a , you can fix the problem by adding the path to this library into
the linker search paths.

FAQs
Are all of the APIs addressable through native Swift or the Objective-C and Swift interoperability?
The Intune App SDK APIs are in Objective-C only and do not support native Swift. Swift interoperability with
Objective-C is required.
Do all users of my application need to be registered with the APP-WE service?
No. In fact, only work or school accounts should be registered with the Intune App SDK. Apps are responsible for
determining if an account is used in a work or school context.
What about users that have already signed in to the application? Do they need to be enrolled?
The application is responsible for enrolling users after they have been successfully authenticated. The application is
also responsible for enrolling any existing accounts that might have been present before the application had
MDM-less MAM functionality.
To do this, the application should make use of the registeredAccounts: method. This method returns an NSDictionary
that has all of the accounts registered into the Intune MAM service. If any existing accounts in the application are
not in the list, the application should register and enroll those accounts via registerAndEnrollAccount: .
How often does the SDK retry enrollments?
The SDK will automatically retry all previously failed enrollments on a 24-hour interval. The SDK does this to
ensure that if a user's organization enabled MAM after the user signed in to the application, the user will
successfully enroll and receive policies.
The SDK will stop retrying when it detects that a user has successfully enrolled the application. This is because only
one user can enroll an application at a particular time. If the user is unenrolled, the retries will begin again on the
same 24-hour interval.
Why does the user need to be deregistered?
The SDK will take these actions in the background periodically:
If the application is not yet enrolled, it will try to enroll all registered accounts every 24 hours.
If the application is enrolled, the SDK will check for app protection policy updates every 8 hours.
Deregistering a user notifies the SDK that the user will no longer use the application, and the SDK can stop any of
the periodic events for that user account. It also triggers an app unenroll and selective wipe if necessary.
Should I set the doWipe flag to true in the deregister method?
This method should be called before the user is signed out of the application. If the user's data is deleted from the
application as part of the sign-out, doWipe can be set to false. But if the application does not remove the user's
data, doWipe should be set to true so that the SDK can delete the data.
Are there any other ways that an application can be un-enrolled?
Yes, the IT admin can send a selective wipe command to the application. This will deregister and unenroll the user,
and it will wipe the user's data. The SDK automatically handles this scenario and sends a notification via the
unenroll delegate method.

Submit your app to the App Store


Both the static library and framework builds of the Intune App SDK are universal binaries. This means they have
code for all device and simulator architectures. Apple will reject apps submitted to the App Store if they have
simulator code. When compiling against the static library for device-only builds, the linker will automatically strip
out the simulator code. Follow the steps below to ensure all simulator code is removed before you upload your
app to the App Store.
1. Make sure IntuneMAM.framework is on your desktop.
2. Run these commands:

lipo ~/Desktop/IntuneMAM.framework/IntuneMAM -remove i386 -remove x86_64 -output ~/Desktop/IntuneMAM.device_only

cp ~/Desktop/IntuneMAM.device_only ~/Desktop/IntuneMAM.framework/IntuneMAM

The first command strips the simulator architectures from the framework's DYLIB file. The second
command copies the device-only DYLIB file back into the framework directory.
Microsoft Intune App SDK for Android developer guide
6/19/2017

NOTE
You might want to first read the Intune App SDK overview, which covers the current features of the SDK and describes how
to prepare for integration on each supported platform.

The Microsoft Intune App SDK for Android lets you incorporate Intune app protection policies (also known as APP
or MAM policies) into your native Android app. An Intune-enlightened application is one that is integrated with the
Intune App SDK. Intune administrators can easily deploy app protection policies to your Intune-enlightened app
when Intune actively manages the app.

What's in the SDK


The Intune App SDK consists of the following files:
Microsoft.Intune.MAM.SDK.aar: The SDK components, with the exception of the Support.V4 and Support.V7
JAR files. This file can be used in place of the individual components if your build system supports AAR files.
Microsoft.Intune.MAM.SDK.Support.v4.jar: The interfaces necessary to enable MAM in apps that use the
Android v4 support library. Apps that need this support must reference the JAR file directly.
Microsoft.Intune.MAM.SDK.Support.v7.jar: The interfaces necessary to enable MAM in apps that use the
Android v7 support library. Apps that need this support must reference the JAR file directly.
proguard.txt: Contains ProGuard rules that must be applied if you build with ProGuard.
CHANGELOG.txt: Provides a record of changes made in each SDK version.
THIRDPARTYNOTICES.TXT: An attribution notice that acknowledges third-party and/or OSS code that will be
compiled into your app.
If your build system does not support AAR files, you may use the following files in place of
Microsoft.Intune.MAM.SDK.aar.
Microsoft.Intune.MAM.SDK.jar: The interfaces necessary to enable MAM and interoperability with the Intune
Company Portal app. Apps must specify it as an Android library reference.
The res directory: The resources (like strings) on which the SDK relies.
AndroidManifest.xml: Entry points and the library requirements.

Requirements
The Intune App SDK is a compiled Android project. As a result, it is largely unaffected by the version of Android that
the app uses for its minimum or target API versions. The SDK supports Android API 14 (Android 4.0+) through
Android API 25 (Android 7.1).
Company Portal app
The Intune App SDK for Android relies on the presence of the Company Portal app on the device to enable app
protection policies. The Company Portal retrieves app protection policies from the Intune service. When the app
initializes, it loads policy and code to enforce that policy from the Company Portal.
NOTE
When the Company Portal app is not on the device, an Intune-enlightened app behaves the same as a normal app that does
not support Intune app protection policies.

For app protection without device enrollment, the user is not required to enroll the device by using the Company
Portal app.

SDK Integration
Build integration
The Intune App SDK is a standard Android library with no external dependencies. Microsoft.Intune.MAM.SDK.jar
contains both the interfaces necessary for app protection policy enablement and the code necessary to
interoperate with the Microsoft Intune Company Portal app.
Microsoft.Intune.MAM.SDK.jar must be specified as an Android library reference. To do this, open your app
project in Android Studio and go to File > New > New module and select Import .JAR/.AAR Package. Select
our Android archive package Microsoft.Intune.MAM.SDK.aar.
Additionally, Microsoft.Intune.MAM.SDK.Support.v4 and Microsoft.Intune.MAM.SDK.Support.v7 contain
Intune variants of android.support.v4 and android.support.v7 respectively. They are not built into
Microsoft.Intune.MAM.SDK.aar in case an app does not want to include the support libraries. They are standard JAR
files instead of Android library projects.
ProGuard
If ProGuard (or any other shrinking/obfuscation mechanism) is used as a build step, Intune SDK classes must be
excluded. For ProGuard, this can be accomplished by including the rules from the proguard.txt file distributed with
the SDK.
The Azure Active Directory Authentication Library (ADAL) may have its own ProGuard restrictions. If your app
integrates ADAL, you must follow the ADAL documentation on these restrictions.
Entry points
The Intune App SDK requires changes to an app's source code to enable Intune app protection policies. This is done
through the replacement of the Android base classes with equivalent Intune base classes, whose names have the
prefix MAM. The SDK classes live between the Android base class and the app's own derived version of that class.
Using an activity as an example, you end up with an inheritance hierarchy that looks like: Activity > MAMActivity >
AppSpecificActivity.

For example, when AppSpecificActivity interacts with its parent (for example, calling super.onCreate() ), MAMActivity is
the super class.
Typical Android apps have a single mode and can access the system through their Context object. Apps that have
integrated the Intune App SDK, on the other hand, have dual modes. These apps continue to access the system
through the Context object. Depending on the base Activity used, the Context object will be provided by Android
or will intelligently multiplex between a restricted view of the system and the Android-provided Context .

Replace classes, methods, and activities with their MAM equivalent


Android base classes must be replaced with their respective MAM equivalents. To do so, find all instances of the
classes listed in the following table and replace them with the Intune App SDK equivalent.
ANDROID BASE CLASS INTUNE APP SDK REPLACEMENT

android.app.Activity MAMActivity

android.app.ActivityGroup MAMActivityGroup

android.app.AliasActivity MAMAliasActivity

android.app.Application MAMApplication

android.app.DialogFragment MAMDialogFragment

android.app.ExpandableListActivity MAMExpandableListActivity

android.app.Fragment MAMFragment

android.app.IntentService MAMIntentService

android.app.LauncherActivity MAMLauncherActivity

android.app.ListActivity MAMListActivity

android.app.NativeActivity MAMNativeActivity

android.app.PendingIntent MAMPendingIntent (see notes below)

android.app.Service MAMService

android.app.TabActivity MAMTabActivity

android.app.TaskStackBuilder MAMTaskStackBuilder

android.app.backup.BackupAgent MAMBackupAgent

android.app.backup.BackupAgentHelper MAMBackupAgentHelper

android.app.backup.FileBackupHelper MAMFileBackupHelper

android.app.backup.SharedPreferencesBackupHelper MAMSharedPreferencesBackupHelper

android.content.BroadcastReceiver MAMBroadcastReceiver

android.content.ContentProvider MAMContentProvider

android.os.Binder MAMBinder (Only necessary if the Binder is not generated from an Android Interface Definition Language (AIDL) interface)

android.provider.DocumentsProvider MAMDocumentsProvider

android.preference.PreferenceActivity MAMPreferenceActivity

Microsoft.Intune.MAM.SDK.Support.v4.jar:
ANDROID CLASS INTUNE APP SDK REPLACEMENT

android.support.v4.app.DialogFragment MAMDialogFragment

android.support.v4.app.FragmentActivity MAMFragmentActivity

android.support.v4.app.Fragment MAMFragment

android.support.v4.app.TaskStackBuilder MAMTaskStackBuilder

android.support.v4.content.FileProvider MAMFileProvider

Microsoft.Intune.MAM.SDK.Support.v7.jar:

ANDROID CLASS INTUNE APP SDK REPLACEMENT

android.support.v7.app.ActionBarActivity MAMActionBarActivity

Renamed Methods
After you derive from one of the MAM entry points, it's safe to use Context as you would normally -- for example,
starting Activity classes and using PackageManager .
In many cases, a method available in the Android class has been marked as final in the MAM replacement class. In
this case, the MAM replacement class provides a similarly named method (generally suffixed with MAM) that you
should override instead. For example, when deriving from MAMActivity, instead of overriding onCreate() and calling
super.onCreate(), your Activity subclass must override onMAMCreate() and call super.onMAMCreate(). The Java compiler
enforces the final restriction, so an accidental override of the original method instead of the MAM equivalent fails
at compile time.
PendingIntent
Instead of PendingIntent.get* , you must use the MAMPendingIntent.get* method. After this, you can use the resultant
PendingIntent as usual.
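As an added illustration of the two rules above (this is example code, not code from the page or from the SDK), here is an Activity that overrides the MAM-suffixed lifecycle methods and builds its PendingIntent through MAMPendingIntent. The app-side names (NotesActivity, ShareActivity, R.layout.activity_notes) are made up; the import paths and the protected visibility of onMAMCreate() and onMAMResume() are assumed from the SDK's Javadoc and should be checked against the SDK version you ship.

```java
package com.example.notes;   // hypothetical app package

import android.app.PendingIntent;
import android.content.Intent;
import android.os.Bundle;

// Assumed SDK package paths; verify against the SDK Javadoc.
import com.microsoft.intune.mam.client.app.MAMActivity;
import com.microsoft.intune.mam.client.app.MAMPendingIntent;

/**
 * Example Activity integrated with the Intune App SDK.
 * Inheritance chain: Activity > MAMActivity > NotesActivity.
 */
public class NotesActivity extends MAMActivity {

    // onCreate() is final in MAMActivity: the SDK runs its own onCreate() first (policy
    // load, PIN/conditional-launch checks) and then calls onMAMCreate(). Overriding
    // onCreate() here would be a compile error, which is what catches the mistake early.
    @Override
    protected void onMAMCreate(Bundle savedInstanceState) {
        super.onMAMCreate(savedInstanceState);
        setContentView(R.layout.activity_notes);   // hypothetical layout
    }

    // Same pattern for the other lifecycle methods: onResume() is final, so the app
    // overrides onMAMResume(). Policy (for example a newly required PIN) has already
    // been evaluated by the time this runs.
    @Override
    protected void onMAMResume() {
        super.onMAMResume();
        refreshNoteList();
    }

    /**
     * Build a PendingIntent through MAMPendingIntent rather than PendingIntent.getActivity().
     * The SDK wraps the Intent so that policy is still applied when the system fires it later,
     * for example from a notification tap after the app process has been restarted.
     */
    PendingIntent buildShareIntent(String noteId) {
        Intent intent = new Intent(this, ShareActivity.class);   // hypothetical Activity
        intent.putExtra("note_id", noteId);
        PendingIntent pi = MAMPendingIntent.getActivity(
                this, 0, intent, PendingIntent.FLAG_UPDATE_CURRENT);
        // From here on the PendingIntent is used exactly as a normal one.
        return pi;
    }

    private void refreshNoteList() {
        // app-specific UI refresh (omitted)
    }
}
```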
Manifest Replacements
Please note that it may be necessary to perform some of the above class replacements in the manifest as well as in
Java code. Of special note:
Manifest references to android.support.v4.content.FileProvider must be replaced with
com.microsoft.intune.mam.client.support.v4.content.MAMFileProvider.
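As an added example (not from the page or from the SDK), this is what the provider entry looks like after the replacement. The authority, the app package and the @xml/file_paths resource are placeholders for your own app; the meta-data name is the standard one the support-library FileProvider reads, and MAMFileProvider keeps that contract.

```xml
<!-- Before: android:name="android.support.v4.content.FileProvider" -->
<provider
    android:name="com.microsoft.intune.mam.client.support.v4.content.MAMFileProvider"
    android:authorities="com.example.notes.fileprovider"
    android:exported="false"
    android:grantUriPermissions="true">
    <!-- Same path configuration the plain FileProvider would use. -->
    <meta-data
        android:name="android.support.FILE_PROVIDER_PATHS"
        android:resource="@xml/file_paths" />
</provider>
```

Keep android:exported="false" and rely on grantUriPermissions, as with the stock FileProvider: the MAM wrapper governs whether a managed file may leave the app, but it does not turn an exported provider into a private one.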

SDK permissions
The Intune App SDK requires three Android system permissions on apps that integrate it:
android.permission.GET_ACCOUNTS (requested at runtime if required)
android.permission.MANAGE_ACCOUNTS

android.permission.USE_CREDENTIALS

The Azure Active Directory Authentication Library (ADAL) requires these permissions to perform brokered
authentication. If these permissions are not granted to the app or are revoked by the user, authentication flows that
require the broker (the Company Portal app) will be disabled.

Logging
Logging should be initialized early to get the most value out of logged data. Application.onMAMCreate() is typically the
best place to initialize logging.
To receive MAM logs in your app, create a java.util.logging.Handler and add it to the MAMLogHandlerWrapper. The
SDK will invoke publish() on the application handler for every log message.

/**
* Global log handler that enables fine grained PII filtering within MAM logs.
*
* To start using this you should build your own log handler and add it via
* MAMComponents.get(MAMLogHandlerWrapper.class).addHandler(myHandler, false);
*
* You may also remove the handler entirely via
* MAMComponents.get(MAMLogHandlerWrapper.class).removeHandler(myHandler);
*/
public interface MAMLogHandlerWrapper {
/**
* Add a handler, PII can be toggled.
*
* @param handler handler to add.
* @param wantsPII if PII is desired in the logs.
*/
void addHandler(final Handler handler, final boolean wantsPII);

/**
* Remove a handler.
*
* @param handler handler to remove.
*/
void removeHandler(final Handler handler);
}
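As an added example (not the page's or the SDK's code), an application class that forwards MAM log records to logcat with PII disabled. NotesApplication and the IntuneMAM tag are made up; the import path of MAMLogHandlerWrapper is assumed from the SDK's Javadoc, and BuildConfig.DEBUG is the flag generated by the app's own Gradle build.

```java
package com.example.notes;   // hypothetical app package

import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;

import android.util.Log;

// Assumed SDK package paths; verify against the SDK Javadoc.
import com.microsoft.intune.mam.client.app.MAMApplication;
import com.microsoft.intune.mam.client.app.MAMComponents;
import com.microsoft.intune.mam.log.MAMLogHandlerWrapper;

/** Hypothetical application class that forwards Intune MAM logs to logcat. */
public class NotesApplication extends MAMApplication {

    private static final String TAG = "IntuneMAM";

    /** Maps java.util.logging levels onto logcat priorities. */
    private static final class LogcatHandler extends Handler {
        @Override
        public void publish(LogRecord record) {
            if (!isLoggable(record)) {
                return;
            }
            int level = record.getLevel().intValue();
            String msg = record.getMessage();
            Throwable thrown = record.getThrown();
            if (level >= Level.SEVERE.intValue()) {
                Log.e(TAG, msg, thrown);
            } else if (level >= Level.WARNING.intValue()) {
                Log.w(TAG, msg, thrown);
            } else if (level >= Level.INFO.intValue()) {
                Log.i(TAG, msg);
            } else {
                Log.d(TAG, msg);
            }
        }

        @Override public void flush() { }
        @Override public void close() { }
    }

    private final Handler mamLogHandler = new LogcatHandler();

    // onCreate() is final in MAMApplication; app initialization goes in onMAMCreate().
    @Override
    public void onMAMCreate() {
        super.onMAMCreate();
        // Register as early as possible so enrollment retries and policy check-ins that
        // happen before any Activity is shown are captured.
        //
        // wantsPII controls whether identifiers such as UPNs reach publish(). Logcat is
        // readable by other debuggable apps and by anyone with adb access, so a release
        // build must pass false; only a debug build should ever ask for PII.
        boolean wantsPII = BuildConfig.DEBUG;
        MAMComponents.get(MAMLogHandlerWrapper.class).addHandler(mamLogHandler, wantsPII);
    }
}
```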

Enable features that require app participation


There are several app protection policies the SDK cannot implement on its own. The app can control its behavior to
achieve these features by using several APIs that you can find in the following AppPolicy interface.
/**
* External facing application policies.
*/
public interface AppPolicy {

/**
* Restrict where an app can save personal data.
* This function is now deprecated. Please use getIsSaveToLocationAllowed(SaveLocation, String) instead
* @return True if the app is allowed to save to personal data stores; false otherwise.
*/
@Deprecated
boolean getIsSaveToPersonalAllowed();

/**
* Check if policy prohibits saving to a content provider location.
*
* @param location
* a content URI to check
* @return True if location is not a content URI or if policy does not prohibit saving to the content location.
*/
boolean getIsSaveToLocationAllowed(Uri location);

/**
* Determines if the SaveLocation passed in can be saved to by the username associated with the cloud service.
*
* @param service
* see {@link SaveLocation}.
* @param username
* the username/email associated with the cloud service being saved to. Use null if a mapping between
* the AAD username and the cloud service username does not exist or the username is not known.
* @return true if the location can be saved to by the identity, false if otherwise.
*/
boolean getIsSaveToLocationAllowed(SaveLocation service, String username);

/**
* Whether the SDK PIN prompt is enabled for the app.
*
* @return True if the PIN is enabled. False otherwise.
*/
boolean getIsPinRequired();

/**
* Whether the Intune Managed Browser is required to open web links.
* @return True if the Managed Browser is required, false otherwise
*/
boolean getIsManagedBrowserRequired();

/**
* Check if policy allows Contact sync to local contact list.
*
* @return True if Contact sync is allowed to save to local contact list; false otherwise.
*/
boolean getIsContactSyncAllowed();

/**
* Return the policy in string format to the app.
*
* @return The string representing the policy.
*/
String toString();

}
NOTE
MAMComponents.get(AppPolicy.class) will always return a non-null App Policy, even if the device or app is not under an
Intune management policy.

Example: Determine if PIN is required for the app


If the app has its own PIN user experience, you might want to disable it if the IT administrator has configured the
SDK to prompt for an app PIN. To determine if the IT administrator has deployed the app PIN policy to this app, for
the current end user, call the following method:

MAMComponents.get(AppPolicy.class).getIsPinRequired();

Example: Determine the primary Intune user


In addition to the APIs exposed in AppPolicy, the user principal name (UPN) is also exposed by the getPrimaryUser()
API defined inside the MAMUserInfo interface. To get the UPN, call the following:

MAMUserInfo info = MAMComponents.get(MAMUserInfo.class);


if (info != null) return info.getPrimaryUser();

The full definition of the MAMUserInfo interface is below:

/**
* External facing user information.
*
*/
public interface MAMUserInfo {
/**
* Get the primary user name.
*
* @return the primary user name or null if the device is not enrolled.
*/
String getPrimaryUser();
}

Example: Determine if saving to device or cloud storage is permitted


Many apps implement features that allow the end user to save files locally or to a cloud storage service. The Intune
App SDK allows IT administrators to protect against data leakage by applying policy restrictions as they see fit in
their organization. One of the policies that IT can control is whether the end user can save to a "personal,"
unmanaged data store. This includes saving to a local location, SD card, or third-party backup services.
App participation is needed to enable the feature. If your app allows saving to personal or cloud locations
directly from the app, you must implement this feature to ensure that the IT administrator can control whether
saving to a location is allowed. The API below lets the app know whether saving to a personal store is allowed by
the current Intune administrator's policy. The app can then enforce the policy, since it is aware of personal data
store available to the end user through the app.
To determine if the policy is enforced, make the following call:

MAMComponents.get(AppPolicy.class).getIsSaveToLocationAllowed(
SaveLocation service, String username);

... where service is one of the following SaveLocations:


* SaveLocation.ONEDRIVE_FOR_BUSINESS
* SaveLocation.LOCAL
* SaveLocation.OTHER

The previous method of determining whether a user's policy allowed them to save data to various locations was
getIsSaveToPersonalAllowed() within the same AppPolicy class. This function is now deprecated and should not be
used; the following invocation is equivalent to getIsSaveToPersonalAllowed():

MAMComponents.get(AppPolicy.class).getIsSaveToLocationAllowed(SaveLocation.LOCAL, userNameInQuestion);

NOTE
Use SaveLocation.OTHER if the location in question is not listed in the SaveLocations enum.
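The three examples above (PIN, primary user, save location) come together in one gate that every save path in an app should pass through. The following is an added example, not code from the page or from the SDK: SaveGuard, its Target enum, NotesApplication-style names and R.string.save_blocked_by_policy are made up, and the SDK import paths are assumed from the Javadoc. It also shows the Uri overload for content:// destinations, which the page lists in the AppPolicy interface but does not walk through.

```java
package com.example.notes;   // hypothetical app package

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

import android.content.Context;
import android.net.Uri;
import android.widget.Toast;

// Assumed SDK package paths; verify against the SDK Javadoc.
import com.microsoft.intune.mam.client.app.MAMComponents;
import com.microsoft.intune.mam.policy.AppPolicy;
import com.microsoft.intune.mam.policy.MAMUserInfo;
import com.microsoft.intune.mam.policy.SaveLocation;

/** Gates every "save" path in the app through Intune app protection policy. */
public final class SaveGuard {

    /** Where the app is about to write. OTHER_CLOUD covers any service not in the SaveLocation enum. */
    public enum Target { LOCAL_FILE, ONEDRIVE_FOR_BUSINESS, OTHER_CLOUD }

    private SaveGuard() { }

    /**
     * True if policy allows saving to the target.
     * cloudUsername is the account signed in at the cloud service; pass null when it is unknown
     * or cannot be mapped to the AAD UPN (the SDK then treats the destination as personal).
     */
    public static boolean canSaveTo(Target target, String cloudUsername) {
        // Never null, even when the app is unmanaged; an unmanaged app simply gets "allowed".
        AppPolicy policy = MAMComponents.get(AppPolicy.class);
        switch (target) {
            case LOCAL_FILE:
                // Equivalent to the deprecated getIsSaveToPersonalAllowed(); the managed
                // user's UPN is the identity whose policy applies to on-device storage.
                return policy.getIsSaveToLocationAllowed(SaveLocation.LOCAL, managedUpn());
            case ONEDRIVE_FOR_BUSINESS:
                return policy.getIsSaveToLocationAllowed(SaveLocation.ONEDRIVE_FOR_BUSINESS, cloudUsername);
            default:
                return policy.getIsSaveToLocationAllowed(SaveLocation.OTHER, cloudUsername);
        }
    }

    /** For content:// destinations (for example the result of ACTION_CREATE_DOCUMENT) check the URI itself. */
    public static boolean canSaveTo(Uri destination) {
        // Returns true for non-content URIs, so callers still need the Target check for file paths.
        return MAMComponents.get(AppPolicy.class).getIsSaveToLocationAllowed(destination);
    }

    /** Whether the app should show its own PIN screen; false when the SDK's PIN is already in force. */
    public static boolean appPinScreenNeeded() {
        return !MAMComponents.get(AppPolicy.class).getIsPinRequired();
    }

    /** UPN of the enrolled user, or null if the app is not enrolled. */
    private static String managedUpn() {
        MAMUserInfo info = MAMComponents.get(MAMUserInfo.class);
        return info == null ? null : info.getPrimaryUser();
    }

    /** Example caller: refuse the write, rather than writing and deleting, when policy blocks it. */
    public static boolean saveNoteLocally(Context ctx, File target, byte[] contents) throws IOException {
        if (!canSaveTo(Target.LOCAL_FILE, null)) {
            Toast.makeText(ctx, R.string.save_blocked_by_policy, Toast.LENGTH_LONG).show();   // hypothetical string
            return false;
        }
        try (FileOutputStream out = new FileOutputStream(target)) {
            out.write(contents);
        }
        return true;
    }
}
```

The check is made before any bytes are written: a file that is written first and removed afterwards has already leaked through backups, file observers or a crash between the two steps.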

Register for notifications from the SDK


Overview
The Intune App SDK allows your app to control the behavior of certain policies, such as selective wipe, when they
are deployed by the IT administrator. When an IT administrator deploys such a policy, the Intune service sends
down a notification to the SDK.
Your app must register for notifications from the SDK by creating a MAMNotificationReceiver and registering it with
MAMNotificationReceiverRegistry. This is done by providing the receiver and the type of notification desired in the
onMAMCreate() method of your MAMApplication subclass (onCreate() is final there, see Renamed Methods), as the
example below illustrates:

@Override
public void onMAMCreate() {
    super.onMAMCreate();
    MAMComponents.get(MAMNotificationReceiverRegistry.class)
        .registerReceiver(
            new ToastNotificationReceiver(),
            MAMNotificationType.WIPE_USER_DATA);
}

MAMNotificationReceiver
The MAMNotificationReceiver interface simply receives notifications from the Intune service. Some notifications are
handled by the SDK directly, while others require the app's participation. An app must return either true or false
from a notification. It must always return true unless some action it tried to take as a result of the notification failed.
This failure may be reported to the Intune service. An example of a scenario to report is if the app fails to wipe
user data after the IT administrator initiates a wipe.

NOTE
It is safe to block in MAMNotificationReceiver.onReceive because its callback is not running on the UI thread.

The MAMNotificationReceiver interface as defined in the SDK is included below :


/**
* The SDK is signaling that a MAM event has occurred.
*
*/
public interface MAMNotificationReceiver {

/**
* A notification was received.
*
* @param notification
* The notification that was received.
* @return The receiver should return true if it handled the
* notification without error (or if it decided to ignore the
* notification). If the receiver tried to take some action in
* response to the notification but failed to complete that
* action it should return false.
*/
boolean onReceive(MAMNotification notification);
}

Types of notifications
The following notifications are sent to the app and some of them may require app participation:
WIPE_USER_DATA: This notification is sent in a MAMUserNotification class. When this notification is received,
the app is expected to delete all data associated with the "corporate" identity passed with the
MAMUserNotification . This notification is currently sent during APP-WE service unenrollment. The user's
primary name is typically specified during the enrollment process. If you register for this notification, your
app must ensure that all the user's data has been deleted. If you don't register for it, the default selective
wipe behavior will be performed.
WIPE_USER_AUXILIARY_DATA: Apps can register for this notification if they'd like the Intune App SDK to
perform the default selective wipe behavior, but would still like to remove some auxiliary data when the
wipe occurs.
REFRESH_POLICY: This notification is sent in a MAMUserNotification . When this notification is received, any
cached Intune policy must be invalidated and updated. This is generally handled by the SDK; however, it
should be handled by the app if the policy is used in any persistent way.
MANAGEMENT_REMOVED: This notification is sent in a MAMUserNotification and informs the app that it is
about to become unmanaged. Once unmanaged, it will no longer be able to read encrypted files, read data
encrypted with MAMDataProtectionManager, interact with the encrypted clipboard, or otherwise participate
in the managed-app ecosystem.

NOTE
An app should never register for both the WIPE_USER_DATA and WIPE_USER_AUXILIARY_DATA notifications.
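As an added example covering the registration step and the notification types above (not code from the page or the SDK), here is a receiver that owns the wipe itself, reports a failed wipe by returning false, and reacts to MANAGEMENT_REMOVED and REFRESH_POLICY. NoteStore is a made-up data layer; the SDK import paths, MAMNotification.getType() and MAMUserNotification.getUserIdentity() are assumed from the SDK's Javadoc and should be checked against the version you ship.

```java
package com.example.notes;   // hypothetical app package

import java.io.IOException;

// Assumed SDK package paths and accessors; verify against the SDK Javadoc.
import com.microsoft.intune.mam.client.app.MAMComponents;
import com.microsoft.intune.mam.client.notification.MAMNotificationReceiver;
import com.microsoft.intune.mam.client.notification.MAMNotificationReceiverRegistry;
import com.microsoft.intune.mam.policy.notification.MAMNotification;
import com.microsoft.intune.mam.policy.notification.MAMNotificationType;
import com.microsoft.intune.mam.policy.notification.MAMUserNotification;

/** Handles the Intune notifications that need app participation. */
public final class PolicyNotificationReceiver implements MAMNotificationReceiver {

    /** Hypothetical app data layer. */
    public interface NoteStore {
        void deleteAllDataFor(String upn) throws IOException;
        void closeEncryptedFiles();
        void invalidateCachedPolicy();
    }

    private final NoteStore store;

    private PolicyNotificationReceiver(NoteStore store) {
        this.store = store;
    }

    /** Call once from the MAMApplication subclass's onMAMCreate(). */
    public static void register(NoteStore store) {
        MAMNotificationReceiverRegistry registry =
                MAMComponents.get(MAMNotificationReceiverRegistry.class);
        PolicyNotificationReceiver receiver = new PolicyNotificationReceiver(store);
        // The app takes over the whole wipe, so it registers WIPE_USER_DATA and
        // deliberately NOT WIPE_USER_AUXILIARY_DATA: registering both is unsupported.
        registry.registerReceiver(receiver, MAMNotificationType.WIPE_USER_DATA);
        registry.registerReceiver(receiver, MAMNotificationType.MANAGEMENT_REMOVED);
        registry.registerReceiver(receiver, MAMNotificationType.REFRESH_POLICY);
    }

    @Override
    public boolean onReceive(MAMNotification notification) {
        // Not on the UI thread, so blocking file I/O here is acceptable.
        switch (notification.getType()) {
            case WIPE_USER_DATA: {
                // Wipe only the corporate identity named in the notification, not every account.
                String upn = ((MAMUserNotification) notification).getUserIdentity();
                try {
                    store.deleteAllDataFor(upn);
                    return true;
                } catch (IOException e) {
                    // false tells the SDK the wipe did not complete; it is reported to Intune
                    // rather than silently counted as done.
                    return false;
                }
            }
            case MANAGEMENT_REMOVED:
                // Encrypted files and the encrypted clipboard become unreadable once unmanaged;
                // finish and close anything that still depends on them.
                store.closeEncryptedFiles();
                return true;
            case REFRESH_POLICY:
                // Only needed because this app persists a copy of policy-derived state.
                store.invalidateCachedPolicy();
                return true;
            default:
                // Ignoring an unexpected type is not a failure.
                return true;
        }
    }
}
```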

Configure Azure Active Directory Authentication Library (ADAL)


First, please read the ADAL integration guidelines found in the ADAL repository on GitHub.
The SDK relies on ADAL for its authentication and conditional launch scenarios, which require apps to be
configured with Azure Active Directory. The configuration values are communicated to the SDK via
AndroidManifest metadata.
To configure your app and enable proper authentication, add the following to the app node in
AndroidManifest.xml. Some of these configurations are only required if your app uses ADAL for authentication in
general; in that case, you will need the specific values your app uses to register itself with AAD. This is done to
ensure that the end user does not get prompted for authentication twice, due to AAD recognizing two separate
registration values: one from the app and one from the SDK.

<meta-data
android:name="com.microsoft.intune.mam.aad.Authority"
android:value="https://AAD authority/" />
<meta-data
android:name="com.microsoft.intune.mam.aad.ClientID"
android:value="your-client-ID-GUID" />
<meta-data
android:name="com.microsoft.intune.mam.aad.NonBrokerRedirectURI"
android:value="your-redirect-URI" />
<meta-data
android:name="com.microsoft.intune.mam.aad.SkipBroker"
android:value="[true | false]" />

ADAL metadata
Authority is the current AAD authority in use. If present, you should use your own environment where AAD
accounts have been configured. If this value is absent, an Intune default is used.
ClientID is the AAD ClientID to be used. You should use your own app's ClientID if it is registered with
Azure AD. If this value is absent, an Intune default is used.
NonBrokerRedirectURI is the AAD redirect URI to use in broker-less cases. If none is specified, a default
value of urn:ietf:wg:oauth:2.0:oob is used. This default is suitable for most apps.
SkipBroker is used in case the ClientID has not been configured to use the broker redirect URI. The default
value is "false."
For apps that do not integrate ADAL and do not want to participate in device-wide brokered
authentication/SSO, this should be set to "true." When this value is "true," the only redirect URI that
will be used is NonBrokerRedirectURI.
For apps that do support device-wide SSO brokering, this should be "false." When the value is "false,"
the SDK will select a broker between the result of
com.microsoft.aad.adal.AuthenticationContext.getRedirectUriForBroker() and NonBrokerRedirectURI, based on the
availability of the broker on the system. In general, the broker will be available from the Company
Portal app or Azure Authenticator app.
Common ADAL configurations
The following are common ways an app can be configured with ADAL. Find your app's configuration and make
sure to set the ADAL metadata parameters (explained above) to the necessary values.
1. App does not integrate ADAL:

REQUIRED ADAL PARAMETER | VALUE
Authority | Desired environment where AAD accounts have been configured
SkipBroker | True

2. App integrates ADAL:

REQUIRED ADAL PARAMETER | VALUE
Authority | Desired environment where AAD accounts have been configured
ClientID | The app's ClientID (generated by Azure AD when the app is registered)
NonBrokerRedirectURI | A valid redirect URI for the app, or urn:ietf:wg:oauth:2.0:oob by default. Make sure to configure the value as an acceptable redirect URI for your app's ClientID.
SkipBroker | False

3. App integrates ADAL but does not support brokered authentication/device-wide SSO:

REQUIRED ADAL PARAMETER | VALUE
Authority | Desired environment where AAD accounts have been configured
ClientID | The app's ClientID (generated by Azure AD when the app is registered)
NonBrokerRedirectURI | A valid redirect URI for the app, or urn:ietf:wg:oauth:2.0:oob by default. Make sure to configure the value as an acceptable redirect URI for your app's ClientID.
SkipBroker | True

App protection policy without device enrollment


Overview
Intune app protection policy without device enrollment, also known as APP-WE or MAM-WE, allows apps to be
managed by Intune without the need for the device to be enrolled in Intune MDM. APP-WE works with or without
device enrollment. The Company Portal is still required to be installed on the device, but the user does not need to
sign into the Company Portal and enroll the device.

NOTE
All apps are required to support app protection policy without device enrollment.

Workflow
When an app creates a new user account, it should register the account for management with the Intune App SDK.
The SDK will handle the details of enrolling the app in the APP-WE service; if necessary, it will retry any enrollments
at appropriate time intervals if failures occur.
The app can also query the Intune App SDK for the status of a registered user to determine if the user should be
blocked from accessing corporate content. Multiple accounts may be registered for management, but currently
only one account can be actively enrolled with the APP-WE service at a time. This means only one account on the
app can receive app protection policy at a time.
The app is required to provide a callback to acquire the appropriate access token from the Azure Active Directory
Authentication Library (ADAL) on behalf of the SDK. It is assumed that the app already uses ADAL for user
authentication and to acquire its own access tokens.
When the app removes an account completely, it should unregister that account to indicate that the app should no
longer apply policy for that user. If the user was enrolled in the MAM service, the user will be unenrolled and the
app will be wiped.
Overview of app requirements
To implement APP-WE integration, your app must register the user account with the MAM SDK:
1. The app must implement and register an instance of the MAMServiceAuthenticationCallback interface. The
callback instance should be registered as early as possible in the app's lifecycle (typically in the
onMAMCreate() method of the application class).

2. When a user account is created and the user successfully signs in with ADAL, the app must call
registerAccountForMAM().

3. When a user account is completely removed, the app should call unregisterAccountForMAM() to remove the
account from Intune management.

NOTE
If a user signs out of the app temporarily, the app does not need to call unregisterAccountForMAM() . The call may
initiate a wipe to completely remove corporate data for the user.

MAMEnrollmentManager
All the necessary authentication and registration APIs can be found in the MAMEnrollmentManager interface. A
reference to the MAMEnrollmentManager can be obtained as follows:

MAMEnrollmentManager mgr = MAMComponents.get(MAMEnrollmentManager.class);

// make use of mgr

The MAMEnrollmentManager instance returned is guaranteed not to be null. The API methods fall into two categories:
authentication and account registration.

NOTE
MAMEnrollmentManager contains some API methods that will be deprecated soon. For clarity, only the relevant methods
and result codes are shown in the code block below.
package com.microsoft.intune.mam.policy;

public interface MAMEnrollmentManager {


public enum Result {
AUTHORIZATION_NEEDED,
NOT_LICENSED,
ENROLLMENT_SUCCEEDED,
ENROLLMENT_FAILED,
WRONG_USER,
MDM_ENROLLED,
UNENROLLMENT_SUCCEEDED,
UNENROLLMENT_FAILED,
PENDING,
COMPANY_PORTAL_REQUIRED;
}

//Authentication methods
interface MAMServiceAuthenticationCallback {
String acquireToken(String upn, String aadId, String resourceId);
}
void registerAuthenticationCallback(MAMServiceAuthenticationCallback callback);
void updateToken(String upn, String aadId, String resourceId, String token);

//Registration methods
void registerAccountForMAM(String upn, String aadId, String tenantId);
void unregisterAccountForMAM(String upn);
Result getRegisteredAccountStatus(String upn);
}

Account authentication
This section describes the authentication API methods in MAMEnrollmentManager and how to use them.

interface MAMServiceAuthenticationCallback {
String acquireToken(String upn, String aadId, String resourceId);
}
void registerAuthenticationCallback(MAMServiceAuthenticationCallback callback);
void updateToken(String upn, String aadId, String resourceId, String token);

1. The app must implement the MAMServiceAuthenticationCallback interface to allow the SDK to request an ADAL
token for the given user and resource ID. The callback instance must be provided to the
MAMEnrollmentManager by calling its registerAuthenticationCallback() method. A token may be needed very early in
the app lifecycle for enrollment retries or app protection policy refresh check-ins, so the ideal place to
register the callback is in the onMAMCreate() method of the app's MAMApplication subclass.
2. The acquireToken() method should acquire the access token for the requested resource ID for the given user.
If it can't acquire the requested token, it should return null.
3. In case the app is unable to provide a token when the SDK calls acquireToken() -- for example, if silent
authentication fails and it is an inconvenient time to show a UI -- the app can provide a token at a later time
by calling the updateToken() method. The same UPN, AAD ID, and resource ID that were requested by the
prior call to acquireToken() must be passed to updateToken(), along with the token that was finally acquired.
The app should call this method as soon as possible after returning null from the provided callback.

NOTE
The SDK will call acquireToken() periodically to get the token, so calling updateToken() is not strictly required. However,
it is recommended as it can help enrollments and app protection policy check-ins complete in a timely manner.

Account registration
This section describes the account registration API methods in MAMEnrollmentManager and how to use them.

void registerAccountForMAM(String upn, String aadId, String tenantId);
void unregisterAccountForMAM(String upn);
Result getRegisteredAccountStatus(String upn);

1. To register an account for management, the app should call registerAccountForMAM(). A user account is
identified by both its UPN and its AAD user ID. The tenant ID is also required to associate enrollment data
with the user's AAD tenant. The SDK may attempt to enroll the app for the given user in the MAM service; if
enrollment fails, it will periodically retry enrollment until the account is unregistered. The retry period will
typically be 12-24 hours. The SDK provides the status of enrollment attempts asynchronously via
notifications.
2. Because AAD authentication is required, the best time to register the user account is after the user has
signed into the app and is successfully authenticated using ADAL.
The user's AAD ID and tenant ID are returned from the ADAL authentication call as part of the
AuthenticationResult object. The tenant ID comes from the AuthenticationResult.getTenantID() method.
Information about the user is found in a sub-object of type UserInfo that comes from
AuthenticationResult.getUserInfo(), and the AAD user ID is retrieved from that object by calling
UserInfo.getUserId().
3. To unregister an account from Intune management, the app should call unregisterAccountForMAM(). If the
account has been successfully enrolled and is managed, the SDK will unenroll the account and wipe its data.
Periodic enrollment retries for the account will be stopped. The SDK provides the status of the unenrollment
request asynchronously via notifications.

Important implementation notes
Authentication
When the app calls registerAccountForMAM(), it may receive a callback on its MAMServiceAuthenticationCallback
interface shortly thereafter, on a different thread. Ideally, the app acquired its own token from ADAL prior to
registering the account to expedite the acquisition of the MAMService token. If the app returns a valid
token from the callback, enrollment will proceed and the app will get the final result via a notification.
If the app doesn't return a valid AAD token, the final result from the enrollment attempt will be
AUTHORIZATION_NEEDED. If the app receives this Result via notification, it can expedite the enrollment
process by acquiring the MAMService token and calling the updateToken() method to initiate the
enrollment process again. This is not a firm requirement, however, since the SDK retries enrollment
periodically and invokes the callback to acquire the token.
The app's registered MAMServiceAuthenticationCallback will also be called to acquire a token for periodic app
protection policy refresh check-ins. If the app is unable to provide a token when requested, it will not get a
notification, but it should attempt to acquire a token and call updateToken() at the next convenient time to
expedite the check-in process. If a token is not provided, the callback will still be called at the next check-in
attempt.

Registration
For your convenience, the registration methods are idempotent; for example, registerAccountForMAM() will
only register an account and attempt to enroll the app if the account is not already registered, and
unregisterAccountForMAM() will only unregister an account if it is currently registered. Subsequent calls are
no-ops, so there is no harm in calling these methods more than once. Additionally, correspondence between
calls to these methods and notifications of results is not guaranteed: i.e. if registerAccountForMAM() is called
for an identity that is already registered, the notification may not be sent again for that identity. It is possible
that notifications are sent that don't correspond to any calls to these methods, since the SDK may
periodically try enrollments in the background, and unenrollments may be triggered by wipe requests
received from the Intune service.
The registration methods can be called for any number of different identities, but currently only one user
account can become successfully enrolled. If multiple user accounts that are licensed for Intune and targeted
by app protection policy are registered at or near the same time, there is no guarantee on which one will win
the race.
Finally, you can query the MAMEnrollmentManager to see if a particular account is registered and to get its
current status using the getRegisteredAccountStatus() method. If the provided account is not registered, this
method will return null. If the account is registered, this method will return the account's status as one of
the members of the MAMEnrollmentManager.Result enumeration.
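As an added example (not code from the Intune SDK documentation or a Microsoft sample), the following MAMApplication subclass registers the authentication callback in onMAMCreate(), so a token can be supplied before any Activity exists, and registers the account once an interactive ADAL sign-in has completed. The package name, the AUTHORITY and CLIENT_ID values, the ADAL import paths, acquireTokenSilentSync() and getDisplayableId() are assumptions; the tenant ID getter is named as in this guide.

```java
package com.example.intunedemo;  // hypothetical package, not part of the SDK

import android.util.Log;

import com.microsoft.aad.adal.AuthenticationContext;
import com.microsoft.aad.adal.AuthenticationResult;
import com.microsoft.intune.mam.client.app.MAMApplication;
import com.microsoft.intune.mam.client.app.MAMComponents;
import com.microsoft.intune.mam.policy.MAMEnrollmentManager;
import com.microsoft.intune.mam.policy.MAMEnrollmentManager.MAMServiceAuthenticationCallback;

/**
 * Application class that (1) registers the MAM authentication callback in onMAMCreate,
 * before any Activity exists, and (2) registers the signed-in account for MAM once an
 * interactive ADAL sign-in has produced an AuthenticationResult.
 */
public class DemoApplication extends MAMApplication {
    private static final String TAG = "DemoApplication";
    // Constructed values: replace with your tenant authority and the app's AAD client ID.
    private static final String AUTHORITY = "https://login.microsoftonline.com/common";
    private static final String CLIENT_ID = "<your-aad-client-id>";

    private MAMEnrollmentManager enrollmentManager;

    @Override
    public void onMAMCreate() {
        super.onMAMCreate();
        enrollmentManager = MAMComponents.get(MAMEnrollmentManager.class);
        // The SDK may ask for a token very early (enrollment retries, policy check-ins),
        // so the callback is registered here rather than in an Activity.
        enrollmentManager.registerAuthenticationCallback(new MAMServiceAuthenticationCallback() {
            @Override
            public String acquireToken(String upn, String aadId, String resourceId) {
                // Invoked on an arbitrary background thread: only silent acquisition is tried.
                return acquireTokenSilently(aadId, resourceId);
            }
        });
    }

    /** Silent ADAL token acquisition; returns null when the SDK must wait for updateToken(). */
    private String acquireTokenSilently(String aadId, String resourceId) {
        try {
            AuthenticationContext ctx = new AuthenticationContext(this, AUTHORITY, true);
            AuthenticationResult result = ctx.acquireTokenSilentSync(resourceId, CLIENT_ID, aadId);
            return result == null ? null : result.getAccessToken();
        } catch (Exception e) {
            // No cached refresh token, network failure, etc. Returning null is allowed: the
            // SDK retries later, and the app calls updateToken() once a token is available.
            Log.w(TAG, "Silent token acquisition failed for resource " + resourceId, e);
            return null;
        }
    }

    /**
     * Call after an interactive ADAL sign-in succeeds. UPN, AAD user ID and tenant ID all
     * come from the AuthenticationResult, as described above. registerAccountForMAM() is
     * idempotent, so calling it on every sign-in is safe.
     */
    public void onUserSignedIn(AuthenticationResult result) {
        String upn = result.getUserInfo().getDisplayableId();
        String aadId = result.getUserInfo().getUserId();
        String tenantId = result.getTenantID();   // getter name as given in this guide
        enrollmentManager.registerAccountForMAM(upn, aadId, tenantId);
    }

    /**
     * Call once an interactive prompt (shown because acquireToken() had to return null, or
     * after an AUTHORIZATION_NEEDED result) has produced the token the SDK asked for. The
     * UPN, AAD ID and resource ID must match the values the SDK passed to acquireToken().
     */
    public void onTokenAcquiredInteractively(String upn, String aadId, String resourceId,
                                             String token) {
        enrollmentManager.updateToken(upn, aadId, resourceId, token);
    }

    /** Removes the account from management; if it was enrolled, its corporate data is wiped. */
    public void onUserRemovedAccount(String upn) {
        enrollmentManager.unregisterAccountForMAM(upn);
    }
}
```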

Result and status codes
When an account is first registered, it begins in the PENDING state, indicating that the initial MAM service
enrollment attempt is incomplete. After the enrollment attempt finishes, a notification will be sent with one of the
Result codes in the table below. In addition, the getRegisteredAccountStatus() method will return the account's status
so the app can always determine if access to corporate content is blocked for that user. If the enrollment attempt
fails, the account's status may change over time as the SDK retries enrollment in the background.

RESULT CODE                EXPLANATION

AUTHORIZATION_NEEDED       This result indicates that a token was not provided by the app's
                           registered MAMServiceAuthenticationCallback instance, or the
                           provided token was invalid. The app should acquire a valid token
                           and call updateToken() if possible.

NOT_LICENSED               The user is not licensed for Intune, or the attempt to contact the
                           Intune MAM service failed. The app should continue in an unmanaged
                           (normal) state and the user should not be blocked. Enrollments will
                           be retried periodically in case the user becomes licensed in the
                           future.

ENROLLMENT_SUCCEEDED       The enrollment attempt succeeded, or the user is already enrolled.
                           In the case of a successful enrollment, a policy refresh
                           notification will be sent before this notification. Access to
                           corporate data should be allowed.

ENROLLMENT_FAILED          The enrollment attempt failed. Further details can be found in the
                           device logs. The app should not allow access to corporate data in
                           this state, since it was previously determined that the user is
                           licensed for Intune.

WRONG_USER                 Only one user per device can enroll an app with the MAM service.
                           In order to enroll successfully as a different user, all enrolled
                           apps must be unenrolled first. Otherwise, this app must enroll as
                           the primary user. This check happens after the license check, so
                           the user should be blocked from accessing corporate data until the
                           app is successfully enrolled.

UNENROLLMENT_SUCCEEDED     Unenrollment was successful.

UNENROLLMENT_FAILED        The unenrollment request failed. Further details can be found in
                           the device logs.

PENDING                    The initial enrollment attempt for the user is in progress. The
                           app can block access to corporate data until the enrollment result
                           is known, but is not required to do so.

COMPANY_PORTAL_REQUIRED    The user is licensed for Intune, but the app cannot be enrolled
                           until the Company Portal app is installed on the device. The
                           Intune App SDK will attempt to block access to the app for the
                           given user and direct them to install the Company Portal app
                           (see below for details).
Company Portal requirement prompt override (optional)

If the COMPANY_PORTAL_REQUIRED Result is received, the SDK will block use of activities that use the identity for
which enrollment was requested. Instead, the SDK will cause those activities to display a prompt to download the
Company Portal. If you want to prevent this behavior in your app, activities may implement
MAMActivity.onMAMCompanyPortalRequired.

This method is called before the SDK displays its default blocking UI. If the app changes the activity identity or
unregisters the user who attempted to enroll, the SDK will not block the activity. In this situation, it is up to the app
to avoid leaking corporate data.

Notifications
A new type of MAMNotification has been added in order to inform the app that the enrollment request has
completed. The MAMEnrollmentNotification will be received through the MAMNotificationReceiver interface as described
in the Register for notifications from the SDK section.

public interface MAMEnrollmentNotification extends MAMUserNotification {
    MAMEnrollmentManager.Result getEnrollmentResult();
}

The getEnrollmentResult() method returns the result of the enrollment request. Since MAMEnrollmentNotification extends
MAMUserNotification, the identity of the user for whom the enrollment was attempted is also available. The app must
implement the MAMNotificationReceiver interface to receive these notifications, detailed in the Register for
notifications from the SDK section.
The registered user account's status may change when an enrollment notification is received, but it will not change
in some cases (e.g. if an AUTHORIZATION_NEEDED notification is received after a more informative result such as
WRONG_USER, the more informative result will be maintained as the account's status).
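An added example, not from the SDK documentation, of a MAMNotificationReceiver that turns enrollment results into a corporate-data access decision using the result-code table above. It reads the account's authoritative status from getRegisteredAccountStatus() because, as noted, a later AUTHORIZATION_NEEDED notification does not replace a more informative status. The package and the TokenRefresher hook are hypothetical; the import paths, MAMNotificationReceiverRegistry.registerReceiver(), MAMNotificationType.MAM_ENROLLMENT_RESULT and MAMUserNotification.getUserIdentity() are assumed from the Register for notifications from the SDK section and should be checked against your SDK version.

```java
package com.example.intunedemo;  // hypothetical package, not part of the SDK

import com.microsoft.intune.mam.client.app.MAMComponents;
import com.microsoft.intune.mam.client.notification.MAMNotificationReceiver;
import com.microsoft.intune.mam.client.notification.MAMNotificationReceiverRegistry;
import com.microsoft.intune.mam.policy.MAMEnrollmentManager;
import com.microsoft.intune.mam.policy.MAMEnrollmentManager.Result;
import com.microsoft.intune.mam.policy.notification.MAMEnrollmentNotification;
import com.microsoft.intune.mam.policy.notification.MAMNotification;
import com.microsoft.intune.mam.policy.notification.MAMNotificationType;

import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Receives MAMEnrollmentNotification results and records what each user may access. */
public class EnrollmentResultReceiver implements MAMNotificationReceiver {

    /** What the app may let a user do with corporate data. */
    public enum Access { MANAGED, UNMANAGED, BLOCKED }

    /** Hypothetical hook: the app shows sign-in UI, then calls updateToken() with the result. */
    public interface TokenRefresher { void requestInteractiveToken(String upn); }

    private final MAMEnrollmentManager enrollmentManager =
            MAMComponents.get(MAMEnrollmentManager.class);
    private final TokenRefresher tokenRefresher;
    // Identities are case-insensitive, so keys are normalised before lookup.
    private final Map<String, Access> accessByUser = new ConcurrentHashMap<>();

    public EnrollmentResultReceiver(TokenRefresher tokenRefresher) {
        this.tokenRefresher = tokenRefresher;
    }

    /** Register with the SDK; typically called once from MAMApplication.onMAMCreate(). */
    public void register() {
        MAMComponents.get(MAMNotificationReceiverRegistry.class)
                .registerReceiver(this, MAMNotificationType.MAM_ENROLLMENT_RESULT);
    }

    /** Queried by the UI before showing corporate content for `upn`; BLOCKED if never seen. */
    public Access accessFor(String upn) {
        Access access = accessByUser.get(upn.toLowerCase(Locale.ROOT));
        return access == null ? Access.BLOCKED : access;
    }

    @Override
    public boolean onReceive(MAMNotification notification) {
        if (notification.getType() != MAMNotificationType.MAM_ENROLLMENT_RESULT) {
            return true;
        }
        MAMEnrollmentNotification enrollment = (MAMEnrollmentNotification) notification;
        String upn = enrollment.getUserIdentity();
        if (enrollment.getEnrollmentResult() == Result.AUTHORIZATION_NEEDED) {
            // The SDK had no valid token; a subsequent updateToken() call expedites the retry.
            tokenRefresher.requestInteractiveToken(upn);
        }
        // Use the account's authoritative status, not only the delivered result: a less
        // informative AUTHORIZATION_NEEDED never replaces a status such as WRONG_USER.
        Result status = enrollmentManager.getRegisteredAccountStatus(upn);
        accessByUser.put(upn.toLowerCase(Locale.ROOT), accessForStatus(status));
        return true;
    }

    /** Maps an account status (null = not registered) to a decision per the table above. */
    static Access accessForStatus(Result status) {
        if (status == null) {
            return Access.UNMANAGED;      // never registered, or already unregistered
        }
        switch (status) {
            case ENROLLMENT_SUCCEEDED:
                return Access.MANAGED;    // policy was refreshed first; corporate data allowed
            case NOT_LICENSED:
            case UNENROLLMENT_SUCCEEDED:
                return Access.UNMANAGED;  // no Intune policy applies; the user must not be blocked
            case ENROLLMENT_FAILED:       // licensed but not enrolled: corporate data stays hidden
            case WRONG_USER:              // another user holds the device's MAM enrollment
            case COMPANY_PORTAL_REQUIRED: // the SDK blocks too, but the app must not leak on its own
            case UNENROLLMENT_FAILED:     // an unenrollment was requested but did not complete
            case PENDING:                 // blocking is optional here; this app chooses to block
            case AUTHORIZATION_NEEDED:
            default:
                return Access.BLOCKED;
        }
    }
}
```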

Protecting Backup data

As of Android Marshmallow (API 23), Android has two ways for an app to back up its data. Each option is available
to your app and requires different steps to ensure that Intune data protection is correctly implemented. You can
review the table below on corresponding actions required for correct data protection behavior. You can read more
about the backup methods in the Android API guide.
Auto Backup for Apps
Android began offering automatic full backups to Google Drive for apps on Android Marshmallow devices,
regardless of the app's target API. In your AndroidManifest.xml, if you explicitly set android:allowBackup to false, then
your app will never be queued for backups by Android and "corporate" data will stay within the app. In this case, no
further action is necessary.
However, by default the android:allowBackup attribute is set to true, even if android:allowBackup isn't specified in the
manifest file. This means all app data is automatically backed up to the user's Google Drive account, a default
behavior that poses a data leak risk. Therefore, the SDK requires the changes outlined below to ensure that data
protection is applied. It is important to follow the guidelines below to protect customer data properly if you want
your app to run on Android Marshmallow devices.
Intune allows you to utilize all the Auto Backup features available from Android, including the ability to define
custom rules in XML, but you must follow the steps below to secure your data:
1. If your app does not use its own custom BackupAgent, use the default MAMBackupAgent to allow for
automatic full backups that are Intune policy compliant. If you do this, you can ignore the
android:fullBackupOnly manifest attribute, as it's not applicable for our backup agent. Place the following in the
app manifest:

android:backupAgent="com.microsoft.intune.mam.client.app.backup.MAMDefaultBackupAgent"

2. [Optional] If you implemented an optional custom BackupAgent, you need to make sure to use
MAMBackupAgent or MAMBackupAgentHelper. See the following sections. Consider switching to using
Intune's MAMDefaultFullBackupAgent (described in step 1) which provides easy back up on Android M
and above.
3. When you decide which type of full backup your app should receive (unfiltered, filtered, or none) you'll need
to set the attribute android:fullBackupContent to true, false, or an XML resource in your app.
4. Then, you must copy whatever you put into android:fullBackupContent into a metadata tag named
com.microsoft.intune.mam.FullBackupContent in the manifest.

Example 1: If you want your app to have full backups without exclusions, set both the
android:fullBackupContent attribute and com.microsoft.intune.mam.FullBackupContent metadata tag to true:

android:fullBackupContent="true"
...
<meta-data android:name="com.microsoft.intune.mam.FullBackupContent" android:value="true" />

Example 2: If you want your app to use its custom BackupAgent and opt out of full, Intune policy compliant,
automatic backups, you must set the attribute and metadata tag to false:

android:fullBackupContent="false"
...
<meta-data android:name="com.microsoft.intune.mam.FullBackupContent" android:value="false" />

Example 3: If you want your app to have full backups according to your custom rules defined in an XML file,
please set the attribute and metadata tag to the same XML resource:

android:fullBackupContent="@xml/my_scheme"
...
<meta-data android:name="com.microsoft.intune.mam.FullBackupContent" android:resource="@xml/my_scheme" />

Key/Value Backup
The Key/Value Backup option is available on all API levels from 8 upward and uploads app data to the Android Backup
Service. The amount of data per user of your app is limited to 5MB. If you use Key/Value Backup, you must use a
BackupAgentHelper or a BackupAgent.
BackupAgentHelper
BackupAgentHelper is easier to implement than BackupAgent both in terms of native Android functionality and
Intune MAM integration. BackupAgentHelper allows the developer to register entire files and shared preferences to
a FileBackupHelper and SharedPreferencesBackupHelper (respectively) which are then added to the
BackupAgentHelper upon creation. Follow the steps below to use a BackupAgentHelper with Intune MAM:
1. To utilize multi-identity backup with a BackupAgentHelper, follow the Android guide to Extending
BackupAgentHelper.
2. Have your class extend the MAM equivalent of BackupAgentHelper, FileBackupHelper, and
SharedPreferencesBackupHelper.

ANDROID CLASS MAM EQUIVALENT

BackupAgentHelper MAMBackupAgentHelper

FileBackupHelper MAMFileBackupHelper

SharedPreferencesBackupHelper MAMSharedPreferencesBackupHelper

Following these guidelines will lead to a successful multi-identity backup and restore.
BackupAgent
A BackupAgent allows you to be much more explicit about what data is backed up. Because the developer is
responsible for most of the implementation, there are more steps required to ensure appropriate data protection from
Intune. Since most of the work is pushed onto you, the developer, Intune integration is slightly more involved.
Integrate MAM:
1. Please carefully read the Android guide for Key/Value Backup and specifically Extending BackupAgent to
ensure your BackupAgent implementation follows Android guidelines.
2. Have your class extend MAMBackupAgent .
Multi-identity Backup:
1. Before beginning your backup, check that the files or data buffers you plan to back up are indeed permitted
by the IT administrator to be backed up in multi-identity scenarios. We provide you with the
isBackupAllowed function in MAMFileProtectionManager and MAMDataProtectionManager to determine this. If the
file or data buffer is not allowed to be backed up, then you should not continue including it in your backup.
2. At some point during your backup, if you want to back up the identities for the files you checked in step 1,
you must call backupMAMFileIdentity(BackupDataOutput data, File files) with the files from which you plan to
extract data. This will automatically create new backup entities and write them to the BackupDataOutput for
you. These entities will be automatically consumed upon restore.
Multi-identity Restore:
The Data Backup guide specifies a general algorithm for restoring your application's data and provides a code
sample in the Extending BackupAgent section. In order to have a successful multi-identity restore, you must follow
the general structure provided in this code sample with special attention to the following:
1. You must utilize a while(data.readNextHeader()) loop to go through the backup entities.
2. You must call data.skipEntityData() if data.getKey() does not match the key you wrote in onBackup. Without
performing this step, your restores may not succeed.
3. Avoid returning while consuming backup entities in the while(data.readNextHeader()) construct, as the entities
we automatically write will be lost.
Here, data is the local variable name for the BackupDataInput that is passed to your app upon restore.
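An added example, not from the SDK documentation, of a MAMBackupAgent that applies the multi-identity backup and restore steps above to a single notes file: it asks the SDK whether the file's identity permits backup, writes the file identity entities with backupMAMFileIdentity(), and on restore walks every entity without returning early. The package, file name and entity key are constructed; the MAMFileProtectionManager import path, the isBackupAllowed(File) signature and backupMAMFileIdentity() being inherited from MAMBackupAgent are assumptions. The old/new state descriptors are ignored (every backup is a full rewrite).

```java
package com.example.intunedemo;  // hypothetical package, not part of the SDK

import android.app.backup.BackupDataInput;
import android.app.backup.BackupDataOutput;
import android.os.ParcelFileDescriptor;
import android.util.Log;

import com.microsoft.intune.mam.client.app.backup.MAMBackupAgent;
import com.microsoft.intune.mam.client.identity.MAMFileProtectionManager;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

/**
 * Key/Value backup agent for one notes file that respects multi-identity policy: the file
 * is backed up only when its identity allows it, and the identity travels with the backup
 * so the restored file is tagged for the same user.
 */
public class NotesBackupAgent extends MAMBackupAgent {
    private static final String TAG = "NotesBackupAgent";
    private static final String NOTES_KEY = "notes";        // entity key written in onBackup
    private static final String NOTES_FILE = "notes.dat";   // constructed file name

    private File notesFile() {
        return new File(getFilesDir(), NOTES_FILE);
    }

    @Override
    public void onBackup(ParcelFileDescriptor oldState, BackupDataOutput data,
                         ParcelFileDescriptor newState) throws IOException {
        File notes = notesFile();
        if (!notes.exists()) {
            return;
        }
        // Step 1: the IT administrator may forbid backup for this file's identity.
        if (!MAMFileProtectionManager.isBackupAllowed(notes)) {
            Log.i(TAG, "Backup of " + notes.getName() + " blocked by app protection policy");
            return;
        }
        // Step 2: let the SDK write the file's identity as extra entities (consumed on restore).
        backupMAMFileIdentity(data, notes);

        byte[] contents = readAll(notes);
        data.writeEntityHeader(NOTES_KEY, contents.length);
        data.writeEntityData(contents, contents.length);
    }

    @Override
    public void onRestore(BackupDataInput data, int appVersionCode,
                          ParcelFileDescriptor newState) throws IOException {
        // Walk every entity; returning early would drop the SDK's identity entities.
        while (data.readNextHeader()) {
            String key = data.getKey();
            int size = data.getDataSize();
            if (NOTES_KEY.equals(key)) {
                byte[] contents = new byte[size];
                data.readEntityData(contents, 0, size);
                try (OutputStream out = new FileOutputStream(notesFile())) {
                    out.write(contents);
                }
            } else {
                // Not one of ours (the SDK's identity entities included): skip, never abort.
                data.skipEntityData();
            }
        }
    }

    /** Reads the whole file; small files only, so an in-memory buffer is acceptable. */
    private static byte[] readAll(File file) throws IOException {
        try (InputStream in = new FileInputStream(file)) {
            byte[] buf = new byte[(int) file.length()];
            int off = 0;
            while (off < buf.length) {
                int n = in.read(buf, off, buf.length - off);
                if (n < 0) {
                    throw new IOException("Unexpected end of " + file);
                }
                off += n;
            }
            return buf;
        }
    }
}
```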

Multi-identity (optional)
Overview
By default, the Intune App SDK will apply policy to the app as a whole. Multi-identity is an optional Intune app
protection feature which can be enabled to allow policy to be applied on a per-identity level. This requires
significantly more app participation than other app protection features.
The app must inform the SDK when it intends to change the active identity, and the SDK will also notify the app
when an identity change is required. Once the user enrolls the device or the app, the SDK registers this identity
and considers it the primary Intune managed identity. Other users in the app will be treated as unmanaged, with
unrestricted policy settings.

NOTE
Currently, only one Intune managed identity is supported per device.

Note that an identity is simply defined as a string. Identities are case-insensitive, and requests to the SDK for an
identity may not return the same casing that was originally used when setting the identity.
Enabling Multi-identity
By default, all apps are considered to be single-identity apps. You can declare an app to be multi-identity aware by
placing the following metadata in AndroidManifest.xml.

<meta-data
android:name="com.microsoft.intune.mam.MAMMultiIdentity"
android:value="true" />

Setting the Identity

Developers can set the identity of the app user on the following levels in descending priority:
1. Thread level
2. Context (generally Activity) level
3. Process level
An identity set at the thread level supersedes an identity set at the Context level, which supersedes an identity set at
the process level. An identity set on a Context is only used in appropriate associated scenarios; File IO operations,
for example, do not have an associated Context. The following methods in MAMPolicyManager may be used to set
the identity and retrieve the identity values previously set.

public static void setUIPolicyIdentity(final Context context, final String identity, final MAMSetUIIdentityCallback mamSetUIIdentityCallback);

public static String getUIPolicyIdentity(final Context context);

public static MAMIdentitySwitchResult setProcessIdentity(final String identity);

public static String getProcessIdentity();

public static MAMIdentitySwitchResult setCurrentThreadIdentity(final String identity);

public static String getCurrentThreadIdentity();

/**
* Get the currently applicable app policy. Same as
* MAMComponents.get(AppPolicy.class). This method does
* not take the context identity into account.
*/
public static AppPolicy getPolicy();

/**
* Get the currently applicable app policy, taking the context
* identity into account.
*/
public static AppPolicy getPolicy(final Context context);

public static AppPolicy getPolicyForIdentity(final String identity);

public static boolean getIsIdentityManaged(final String identity);

NOTE
You can clear the identity of the app by setting it to null.
The empty string may be used as an identity that will never have app protection policy.

Results
All the methods used to set the identity report back result values via MAMIdentitySwitchResult. There are four values
that can be returned:

RETURN VALUE    SCENARIO

SUCCEEDED       The identity change was successful.

NOT_ALLOWED     The identity change is not allowed. This occurs if an attempt is made to switch to a
                different managed user belonging to the same organization as the enrolled user. It
                also occurs if an attempt is made to set the UI (Context) identity when a different
                identity is set on the current thread.

CANCELLED       The user cancelled the identity change, generally by pressing the back button on a
                PIN or authentication prompt.

FAILED          The identity change failed for an unspecified reason.

In the case of setting a Context identity, the result is reported asynchronously. If the Context is an Activity, the SDK
doesn't know if the identity change succeeded until after conditional launch is performed -- which may require the
user to enter a PIN or corporate credentials. The app is expected to implement a MAMSetUIIdentityCallback to receive
this result; null may be passed for this parameter if the result is not needed.

public interface MAMSetUIIdentityCallback {
    void notifyIdentityResult(MAMIdentitySwitchResult identitySwitchResult);
}

You can also set the identity of an activity directly through a method in MAMActivity instead of calling
MAMPolicyManager.setUIPolicyIdentity. Use the following method to do so:

public final void switchMAMIdentity(final String newIdentity);

You can also override a method in MAMActivity if you want the app to be notified of the result of attempts to
change the identity of that activity.

public void onSwitchMAMIdentityComplete(final MAMIdentitySwitchResult result);

NOTE
Switching the identity may require recreating the activity. In this case, the onSwitchMAMIdentityComplete callback will be
delivered to the new instance of the activity.

Implicit Identity Changes

In addition to the app's ability to set the identity, a thread or a context's identity may change based on data ingress
from another Intune-enlightened app that has app protection policy.
Examples
1. If an activity is launched from an Intent sent by another MAM app, the activity's identity will be set based on
the effective identity in the other app at the point the Intent was sent.
2. For services, the thread identity will be set similarly for the duration of an onStart or onBind call. Calls into
the Binder returned from onBind will also temporarily set the thread identity.
3. Calls into a ContentProvider will similarly set the thread identity for their duration.
In addition, user interaction with an activity may cause an implicit identity switch.
Example: A user canceling out of an authorization prompt during Resume will result in an implicit switch to an
empty identity.
The app is given an opportunity to be made aware of these changes, and, if it must, the app can forbid them.
MAMService and MAMContentProvider expose the following method that subclasses may override:

public void onMAMIdentitySwitchRequired(final String identity,
                                        final AppIdentitySwitchResultCallback callback);

In the MAMActivity class, an additional parameter is present in the method:

public void onMAMIdentitySwitchRequired(final String identity,
                                        final AppIdentitySwitchReason reason,
                                        final AppIdentitySwitchResultCallback callback);

The AppIdentitySwitchReason captures the source of the implicit switch, and can accept the values CREATE,
RESUME_CANCELLED, and NEW_INTENT. The RESUME_CANCELLED reason is used when activity resume
causes PIN, authentication, or other compliance UI to be displayed and the user attempts to cancel out of
that UI, generally through use of the back button.
The AppIdentitySwitchResultCallback is as follows:

public interface AppIdentitySwitchResultCallback {
    /**
     * @param result
     *            whether the identity switch can proceed.
     */
    void reportIdentitySwitchResult(AppIdentitySwitchResult result);
}

Where AppIdentitySwitchResult is either SUCCESS or FAILURE.

The method onMAMIdentitySwitchRequired is called for all implicit identity changes except for those made through a
Binder returned from MAMService.onMAMBind. The default implementations of onMAMIdentitySwitchRequired
immediately call:
- reportIdentitySwitchResult(FAILURE) when the reason is RESUME_CANCELLED.
- reportIdentitySwitchResult(SUCCESS) in all other cases.
It is not expected that most apps will need to block or delay an identity switch in a different manner, but if an
app needs to do so, the following points must be considered:
- If an identity switch is blocked, the result is the same as if Receive sharing settings had prohibited the
  data ingress.
- If a Service is running on the main thread, reportIdentitySwitchResult must be called synchronously or
  the UI thread will hang.
- For Activity creation, onMAMIdentitySwitchRequired will be called before onMAMCreate. If the app must
  show UI to determine whether to allow the identity switch, that UI must be shown using a different
  activity.
- In an Activity, when a switch to the empty identity is requested with the reason as
  RESUME_CANCELLED, the app must modify the resumed activity to display data consistent with that
  identity switch. If this is not possible, the app should refuse the switch, and the user will be asked
  again to comply with policy for the resuming identity (e.g. by being presented with the app PIN entry
  screen).

NOTE
A multi-identity app will always receive incoming data from both managed and unmanaged apps. It is the
responsibility of the app to treat data from managed identities in a managed manner.

If a requested identity is managed (use MAMPolicyManager.getIsIdentityManaged to check), but the app is not able
to use that account (e.g. because accounts, such as email accounts, must be set up in the app first) then the
identity switch should be refused.
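An added example, not from the SDK documentation, of a MAMActivity in a multi-identity app that switches identity explicitly when the user picks an account, handles the asynchronous result, and vets implicit switches as described above: a RESUME_CANCELLED switch to the empty identity is accepted only because the screen can be redrawn for it, and a managed identity arriving by Intent is refused unless that account is set up in the app. The package, the in-memory account set and the title text are constructed; the import paths for the MAM identity types are assumptions.

```java
package com.example.intunedemo;  // hypothetical package, not part of the SDK

import android.os.Bundle;
import android.widget.Toast;

import com.microsoft.intune.mam.client.app.MAMActivity;
import com.microsoft.intune.mam.client.identity.MAMPolicyManager;
import com.microsoft.intune.mam.policy.AppIdentitySwitchReason;
import com.microsoft.intune.mam.policy.AppIdentitySwitchResult;
import com.microsoft.intune.mam.policy.AppIdentitySwitchResultCallback;
import com.microsoft.intune.mam.policy.MAMIdentitySwitchResult;

import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Mailbox screen whose content always matches the Activity's current MAM identity. */
public class MailboxActivity extends MAMActivity {
    // Accounts the user has added in this app, lower-cased because identities are
    // case-insensitive. Constructed for the example; a real app would persist these.
    private final Set<String> configuredAccounts = new HashSet<>();
    private String shownIdentity = "";   // identity whose mailbox is currently rendered

    @Override
    protected void onMAMCreate(Bundle savedInstanceState) {
        super.onMAMCreate(savedInstanceState);
        // The SDK may already have attached an identity (e.g. from the launching Intent) and
        // may recreate the Activity on a switch, so the identity is re-read here, not cached.
        renderMailboxFor(MAMPolicyManager.getUIPolicyIdentity(this));
    }

    public void onAccountAdded(String upn) {
        configuredAccounts.add(upn.toLowerCase(Locale.ROOT));
    }

    /** Called when the user picks an account from the app's account picker. */
    public void onAccountSelected(String upn) {
        // Do not render yet: conditional launch (PIN, credentials) may run first, and the
        // result arrives asynchronously in onSwitchMAMIdentityComplete.
        switchMAMIdentity(upn);
    }

    @Override
    public void onSwitchMAMIdentityComplete(MAMIdentitySwitchResult result) {
        if (result == MAMIdentitySwitchResult.SUCCEEDED) {
            renderMailboxFor(MAMPolicyManager.getUIPolicyIdentity(this));
            return;
        }
        // NOT_ALLOWED (e.g. a second managed user of the same tenant), CANCELLED (user backed
        // out of the prompt) or FAILED: keep showing only the previous identity's data.
        Toast.makeText(this, "Could not switch account (" + result + "); staying on "
                + (shownIdentity.isEmpty() ? "personal" : shownIdentity), Toast.LENGTH_SHORT).show();
    }

    @Override
    public void onMAMIdentitySwitchRequired(String identity, AppIdentitySwitchReason reason,
                                            AppIdentitySwitchResultCallback callback) {
        if (reason == AppIdentitySwitchReason.RESUME_CANCELLED) {
            // The user cancelled compliance UI on resume and the SDK wants the empty identity.
            // This screen can show an empty personal mailbox, so accept and redraw; a screen
            // that cannot do this must report FAILURE so the user is asked to comply again.
            renderMailboxFor("");
            callback.reportIdentitySwitchResult(AppIdentitySwitchResult.SUCCESS);
            return;
        }
        // CREATE or NEW_INTENT: data is arriving from another app under `identity`. A managed
        // identity is accepted only if that account is set up here; refusing has the same
        // effect as the admin's receive-sharing setting having blocked the ingress.
        if (MAMPolicyManager.getIsIdentityManaged(identity) && !isAccountConfigured(identity)) {
            callback.reportIdentitySwitchResult(AppIdentitySwitchResult.FAILURE);
            return;
        }
        if (reason == AppIdentitySwitchReason.NEW_INTENT) {
            renderMailboxFor(identity);   // for CREATE, onMAMCreate renders after the switch
        }
        callback.reportIdentitySwitchResult(AppIdentitySwitchResult.SUCCESS);
    }

    private boolean isAccountConfigured(String identity) {
        return identity != null && configuredAccounts.contains(identity.toLowerCase(Locale.ROOT));
    }

    private void renderMailboxFor(String identity) {
        shownIdentity = identity == null ? "" : identity;
        // Constructed placeholder for the app's real view binding.
        setTitle(shownIdentity.isEmpty() ? "Personal mailbox" : "Mailbox: " + shownIdentity);
    }
}
```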

File Protection
Every file has an identity associated with it at the time of creation, based on thread and process identity. This
identity will be used for both file encryption and selective wipe. Only files whose identity is managed and has policy
requiring encryption will be encrypted. The SDK's default selective wipe functionality will only wipe files associated
with the managed identity for which a wipe has been requested. The app may query or change a file's identity
using the MAMFileProtectionManager class.

public final class MAMFileProtectionManager {

/**
* Protect a file. This will synchronously trigger whatever protection is required for the file, and will tag the file for
* future protection changes.
*
* @param identity
* Identity to set.
* @param file
* File to protect.
* @throws IOException
* If the file cannot be changed.
*/
public static void protect(final File file, final String identity) throws IOException;

/**
* Get the protection info on a file.
*
* @param file
* File or directory to get information on.
* @return File protection info, or null if there is no protection info.
* @throws IOException
* If the file cannot be read or opened.
*/
public static MAMFileProtectionInfo getProtectionInfo(final File file) throws IOException;

/**
* Get the protection info on a file.
*
* @param file
* File to get information on.
* @return File protection info, or null if there is no protection info.
* @throws IOException
* If the file cannot be read or opened.
*/
public static MAMFileProtectionInfo getProtectionInfo(final ParcelFileDescriptor file) throws IOException;
}

public interface MAMFileProtectionInfo {
    String getIdentity();
}

File identity tagging is sensitive to offline mode. The following points should be taken into account:
- If the Company Portal is not installed, files cannot be identity-tagged.
- If the Company Portal is installed, but the app does not have Intune MAM policy, files cannot be reliably
  tagged with identity.
- When file identity tagging becomes available, all previously created files are treated as personal/unmanaged
  (belonging to the empty-string identity) unless the app was previously installed as a single-identity
  managed app in which case they are treated as belonging to the enrolled user.

Directory Protection
Directories may be protected using the same protect method used to protect files. Please note that directory
protection applies recursively to all files and subdirectories contained in the directory, and to new files created
within the directory. Because directory protection is applied recursively, the protect call can take some time to
complete for very large directories. For that reason, apps applying protection to a directory that contains a large
number of files might wish to run protect asynchronously on a background thread.
Data Protection
It is not possible to tag a file as belonging to multiple identities. Apps that must store data belonging to different
users in the same file can do so manually, using the features provided by MAMDataProtectionManager. This allows the
app to encrypt data and tie it to a particular user. The encrypted data is suitable for storing to disk in a file. You can
query the data associated with the identity and the data can be unencrypted later.
Apps which make use of MAMDataProtectionManager should implement a receiver for the MANAGEMENT_REMOVED
notification. After this notification completes, buffers which were protected via this class will no longer be readable
if file encryption was enabled when the buffers were protected. An app can remediate this situation by calling
MAMDataProtectionManager.unprotect on all buffers during this notification. Note that it is also safe to call protect
during this notification if it is desired to preserve identity information -- encryption is guaranteed to be disabled
during the notification.

public final class MAMDataProtectionManager {

/**
* Protect a stream. This will return a stream containing the protected
* input.
*
* @param identity
* Identity to set.
* @param input
* Input data to protect, read sequentially. This function
* will change the position of the stream but may not have
* read the entire stream by the time it returns. The
* returned stream will wrap this one. Calls to read on the
* returned stream may cause further reads on the original
* input stream. Callers should not expect to read directly
* from the input stream after passing it to this method.
* Calling close on the returned stream will close this one.
* @return Protected input data.
* @throws IOException
* If the data could not be protected
*/
public static InputStream protect(final InputStream input, final String identity) throws IOException;

/**
* Protect a byte array. This will return protected bytes.
*
* @param identity
* Identity to set.
* @param input
* Input data to protect.
* @return Protected input data.
* @throws IOException
* If the data could not be protected
*/
public static byte[] protect(final byte[] input, final String identity) throws IOException;

/**
* Unprotect a stream. This will return a stream containing the
* unprotected input.
*
* @param input
* Protected input data, read sequentially.
* @return Unprotected input data.
* @throws IOException
* If the data could not be unprotected
*/
public static InputStream unprotect(final InputStream input) throws IOException;

/**
* Unprotect a byte array. This will return unprotected bytes.
*
* @param input
* Protected input data.
* @return Unprotected input data.
* @throws IOException
* If the data could not be unprotected
*/
public static byte[] unprotect(final byte[] input) throws IOException;

/**
* Get the protection info on a stream.
*
* @param input
* Input stream to get information on. Either this input
* stream must have been returned by a previous call to
* protect OR input.markSupported() must return true.
* Otherwise it will be impossible to get protection info
* without advancing the stream position. The stream must be
* positioned at the beginning of the protected data.
* @return Data protection info, or null if there is no protection
* info.
* @throws IOException
* If the input cannot be read.
*/
public static MAMDataProtectionInfo getProtectionInfo(final InputStream input) throws IOException;

/**
* Get the protection info on a stream.
*
* @param input
* Input bytes to get information on. These must be bytes
* returned by a previous call to protect() or a copy of
* such bytes.
* @return Data protection info, or null if there is no protection
* info.
* @throws IOException
* If the input cannot be read.
*/
public static MAMDataProtectionInfo getProtectionInfo(final byte[] input) throws IOException;
}

Content Providers
If the app provides corporate data other than a ParcelFileDescriptor through a ContentProvider, the app must
call the method isProvideContentAllowed(String) in MAMContentProvider, passing the UPN (user principal name)
of the identity that owns the content. If this method returns false, the content must not be returned to the
caller. File descriptors returned through a content provider are handled automatically based on the file
identity.
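The provider below is an added illustration of that rule; it is not code from the Intune SDK or from this guide. It assumes MAMContentProvider lives in com.microsoft.intune.mam.client.content and exposes isProvideContentAllowed(String) to subclasses, and that the provider overrides the ordinary android.content.ContentProvider methods (check the MAMContentProvider class in the SDK version you use, since some releases rename overridable methods with a MAM suffix). The URI layout, the record contents and the owner lookup are invented for the example.

```java
import android.content.ContentValues;
import android.database.Cursor;
import android.database.MatrixCursor;
import android.net.Uri;

import com.microsoft.intune.mam.client.content.MAMContentProvider;

/**
 * Example provider (added for illustration; not part of the Intune SDK). Records are
 * corporate data that is NOT handed out as a ParcelFileDescriptor, so the app itself must
 * ask the SDK whether the record's owner may share it with the calling app.
 */
public class NotesProvider extends MAMContentProvider {

    // Constructed sample data: in this example every record belongs to one owner UPN.
    private static final String OWNER_UPN = "user@contoso.com";
    private static final String BODY = "Q3 forecast (corporate)";

    @Override
    public boolean onCreate() {
        return true;
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        String owner = ownerUpnFor(uri);

        // Required by the SDK for non-file corporate content: the decision depends on the
        // owner identity's app protection policy and on which app is calling.
        if (!isProvideContentAllowed(owner)) {
            // Policy says no: return nothing rather than a partial or unlabelled result.
            return null;
        }

        MatrixCursor cursor = new MatrixCursor(new String[] {"_id", "owner", "body"});
        cursor.addRow(new Object[] {1L, owner, BODY});
        return cursor;
    }

    /** Hypothetical owner lookup; a real app would read the owner from its own storage. */
    private String ownerUpnFor(Uri uri) {
        return OWNER_UPN;
    }

    // The remaining ContentProvider methods are read-only in this sample.
    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.example.note"; }
    @Override public Uri insert(Uri uri, ContentValues values) { return null; }
    @Override public int delete(Uri uri, String selection, String[] selectionArgs) { return 0; }
    @Override public int update(Uri uri, ContentValues values, String selection,
                                String[] selectionArgs) { return 0; }
}
```

No check is made in an openFile override here on purpose: file descriptors handed out by a content provider are gated by the SDK on the identity attached to the file, so the explicit call is only needed for data that is not a file descriptor.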
Selective Wipe
If an app registers for the WIPE_USER_DATA notification, it will not receive the benefit of the SDK's default selective
wipe behavior. For multi-identity aware apps, this loss may be more significant since MAM default selective wipe
will wipe only files whose identity is targeted by a wipe.
If a multi-identity aware application wishes MAM default selective wipe to be done and wishes to perform its own
actions on wipe, it should register for WIPE_USER_AUXILIARY_DATA notifications. This notification will be sent
immediately by the SDK before it performs the MAM default selective wipe. An app should never register for both
WIPE_USER_DATA and WIPE_USER_AUXILIARY_DATA.
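The two behaviours described above for a multi-identity app (rewriting protected buffers during the notification in which encryption is guaranteed off, and doing app-specific cleanup on WIPE_USER_AUXILIARY_DATA while leaving the default selective wipe to the SDK) fit naturally into one receiver. The class below is an added example, not SDK or guide code. It assumes the SDK package names shown in the imports, that the buffer-remediation notification is MAMNotificationType.MANAGEMENT_REMOVED, that the auxiliary wipe notification is a MAMUserNotification exposing getUserIdentity(), and that MAMDataProtectionInfo exposes getIdentity(); the in-memory store is invented for the example.

```java
import com.microsoft.intune.mam.client.app.MAMComponents;
import com.microsoft.intune.mam.client.identity.MAMDataProtectionInfo;
import com.microsoft.intune.mam.client.identity.MAMDataProtectionManager;
import com.microsoft.intune.mam.client.notification.MAMNotificationReceiver;
import com.microsoft.intune.mam.client.notification.MAMNotificationReceiverRegistry;
import com.microsoft.intune.mam.policy.notification.MAMNotification;
import com.microsoft.intune.mam.policy.notification.MAMNotificationType;
import com.microsoft.intune.mam.policy.notification.MAMUserNotification;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

/**
 * Added example, not SDK code: an in-memory store of corporate buffers protected with
 * MAMDataProtectionManager, plus the notification handling a multi-identity app needs.
 */
public final class ProtectedBufferStore implements MAMNotificationReceiver {

    /** One protected buffer and the identity it was protected for. */
    private static final class Entry {
        final String identity;
        byte[] protectedBytes;
        Entry(String identity, byte[] protectedBytes) {
            this.identity = identity;
            this.protectedBytes = protectedBytes;
        }
    }

    private final List<Entry> entries = new ArrayList<>();

    /** Register once (e.g. from the app's MAMApplication subclass) so the SDK delivers both notifications. */
    public void register() {
        MAMNotificationReceiverRegistry registry =
                MAMComponents.get(MAMNotificationReceiverRegistry.class);
        // Assumption: MANAGEMENT_REMOVED is the notification during which encryption is off.
        registry.registerReceiver(this, MAMNotificationType.MANAGEMENT_REMOVED);
        // Deliberately NOT WIPE_USER_DATA: that would replace the SDK's default selective wipe.
        registry.registerReceiver(this, MAMNotificationType.WIPE_USER_AUXILIARY_DATA);
    }

    /** Protect plaintext for an identity and keep only the protected form in memory. */
    public synchronized int put(String identity, byte[] plaintext) throws IOException {
        entries.add(new Entry(identity, MAMDataProtectionManager.protect(plaintext, identity)));
        return entries.size() - 1;
    }

    /** Recover plaintext, first cross-checking the identity the SDK recorded in the buffer. */
    public synchronized byte[] get(int index) throws IOException {
        Entry e = entries.get(index);
        MAMDataProtectionInfo info = MAMDataProtectionManager.getProtectionInfo(e.protectedBytes);
        if (info != null && !e.identity.equalsIgnoreCase(info.getIdentity())) {
            throw new IOException("buffer identity does not match the stored identity");
        }
        return MAMDataProtectionManager.unprotect(e.protectedBytes);
    }

    @Override
    public synchronized boolean onReceive(MAMNotification notification) {
        try {
            switch (notification.getType()) {
                case MANAGEMENT_REMOVED:
                    // Encryption is guaranteed to be disabled here, so buffers protected while it was
                    // enabled must be rewritten now or they become unreadable afterwards. Calling
                    // protect again is allowed during this notification and keeps the identity tag.
                    for (Entry e : entries) {
                        byte[] plain = MAMDataProtectionManager.unprotect(e.protectedBytes);
                        e.protectedBytes = MAMDataProtectionManager.protect(plain, e.identity);
                    }
                    return true;
                case WIPE_USER_AUXILIARY_DATA: {
                    // Sent immediately before the SDK's default selective wipe; drop only the
                    // targeted identity's buffers and leave other identities' data alone.
                    String wiped = ((MAMUserNotification) notification).getUserIdentity();
                    for (Iterator<Entry> it = entries.iterator(); it.hasNext(); ) {
                        if (it.next().identity.equalsIgnoreCase(wiped)) {
                            it.remove();
                        }
                    }
                    return true;
                }
                default:
                    return true;
            }
        } catch (IOException ex) {
            return false; // tells the SDK the app could not complete the remediation
        }
    }
}
```

onReceive is synchronized because the SDK may deliver notifications on a thread other than the one that calls put and get; the receiver returns false on failure so the SDK knows the remediation did not complete.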

Style Customization (optional)


Views generated by the MAM SDK can be visually customized to more closely match the app in which it is
integrated. You can customize primary, secondary, and background colors, as well as the size of the app logo. This
style customization is optional and defaults will be used if no custom style is configured.
How to customize
In order to have style changes apply to the Intune MAM views, you must first create a style override XML file. This
file should be placed in the /res/xml directory of your app and you may name it whatever you like. Below is an
example of the format this file needs to follow.

<?xml version="1.0" encoding="utf-8"?>
<styleOverrides>
    <item
        name="foreground_color"
        resource="@color/red"/>
    <item
        name="accent_color"
        resource="@color/blue"/>
    <item
        name="background_color"
        resource="@color/green"/>
    <item
        name="logo_image"
        resource="@drawable/app_logo"/>
</styleOverrides>

You must reuse resources that already exist within your app. For example, you must define the color green in
the colors.xml file and reference it here; you cannot use a hex color code such as #0000ff directly. The
maximum size for the app logo is 110 dip (dp). You may use a smaller logo image, but adhering to the
maximum size will yield the best looking results. If you exceed the 110 dip limit, the image will scale down
and possibly cause blurring.
Below is the complete list of allowed style attributes, the UI elements they control, their XML attribute item names,
and the type of resource expected for each.

STYLE ATTRIBUTE  | UI ELEMENTS AFFECTED                                                                  | ATTRIBUTE ITEM NAME | EXPECTED RESOURCE TYPE
Background color | PIN screen background color; PIN box fill color                                       | background_color    | Color
Foreground color | Foreground text color; PIN box border in default state; characters (including         | foreground_color    | Color
                 | obfuscated characters) in PIN box when user enters a PIN                              |                     |
Accent color     | PIN box border when highlighted; hyperlinks                                           | accent_color        | Color
App logo         | Large icon that appears in the Intune app PIN screen                                  | logo_image          | Drawable

Limitations
File Size limitations
For large code bases that run without ProGuard, the limitations of the Dalvik executable file format become an
issue. Specifically, the following limitations may occur:
1. The 65K limit on fields.
2. The 65K limit on methods.
Policy enforcement limitations
Screen Capture: The SDK is unable to enforce a new screen capture setting value in Activities that have
already gone through Activity.onCreate. This can result in a period of time where the app has been
configured to disable screenshots but screenshots can still be taken.
Using Content Resolvers: The "transfer or receive" Intune policy may block or partially block the use of a
content resolver to access the content provider in another app. This will cause ContentResolver methods to
return null or throw a failure value (e.g. openOutputStream will throw FileNotFoundException if blocked). The app
can determine whether a failure to write data through a content resolver was caused by policy (or would be
caused by policy) by making the call:

MAMComponents.get(AppPolicy.class).getIsSaveToLocationAllowed(contentURI);

Exported services
The AndroidManifest.xml file included in the Intune App SDK contains MAMNotificationReceiverService, which
must be an exported service to allow the Company Portal to send notifications to an enlightened app. The service
checks the caller to ensure that only the Company Portal is allowed to send notifications.

Expectations of the SDK consumer


The Intune SDK maintains the contract provided by the Android API, though failure conditions may be triggered
more frequently as a result of policy enforcement. These Android best practices will reduce the likelihood of failure:
Android SDK functions that may return null have a higher likelihood of being null now. To minimize issues,
ensure that null checks are in the right places.
Features that can be checked for must be checked for through their MAM replacement APIs.
Any derived functions must call through to their super class versions.
Avoid use of any API in an ambiguous way. For example, using Activity.startActivityForResult without checking
the requestCode will cause strange behavior.

Recommended Android best practices


All library projects should share the same android:package where possible. This will not sporadically fail in
run-time; this is purely a build-time problem. Newer versions of the Intune App SDK will remove some of
the redundancy.
Use the newest Android SDK build tools.
Remove all unnecessary and unused libraries (e.g. android.support.v4)
Microsoft Intune App SDK Cordova Plugin
6/19/2017

NOTE
You may wish to first read the Get Started with Intune App SDK article, which explains how to prepare for integration on
each supported platform.

Overview
The Intune App SDK Cordova Plugin enables Intune app protection policy in iOS and Android apps built with
Cordova. The plugin allows developers to integrate Intune app and data protection features into their
Cordova-based app.
You will find that you can enable SDK features without changing your app's behavior. Once you have built the
plugin into your iOS or Android app, the Microsoft Intune administrator will be able to deploy Intune app
protection policy, which consists of a variety of data protection features. The plugin is built so that most of the
steps are automatically performed in the Cordova build process. As a result, you should be able to get your app
enabled for Intune app protection quickly. To get started, follow the steps below based on your target platform.

Supported Platforms
The plugin can be used on Windows, Mac and Linux developer machines.
The plugin works for Android apps with minSdkVersion >= 14 and targetSdkVersion <= 24
The plugin works for iOS apps targeted for iOS 9.0 and above.

Intune Mobile Application Management scenarios


Intune MDM-enrolled devices
Third-party EMM-enrolled devices
Unmanaged devices (not enrolled with any MDM)
Cordova apps built with the Intune App SDK Cordova Plugin can now receive Intune app protection policies on
both Intune mobile device management (MDM) enrolled devices and unenrolled devices.

Prerequisites
Android
The latest Microsoft Intune Company Portal app must always be installed on the device.
Java 7 at minimum must be on the path where you will execute Cordova build when using the plugin.
iOS
The latest Microsoft Intune Company Portal app must be installed on the device for MDM features. It is not
needed for Intune app protection policy without device enrollment features.
Both platforms
Version 0.8.0+ of the Azure Active Directory Authentication Libraries (ADAL) plugin for Cordova is required.
NOTE
Due to an Apache Cordova bug (filed here), apps that already have the plugin dependency will not automatically
upgrade the plugin to the requested version.

Quick start
1. Update your version of ADAL:

cordova plugin remove cordova-plugin-ms-adal
cordova plugin add cordova-plugin-ms-adal@0.8.0

2. Add the Intune App SDK for Cordova plugin:

cordova plugin add cordova-plugin-ms-intune-mam

Build the plugin into your iOS app


You'll need to complete some steps for your app to be enabled for Intune app protection policy. For convenience,
these steps are performed automatically in the Cordova build process as a pre-build hook. As a result, the
automated steps will modify your *.pbxproj , *-Info.plist , and *.entitlements files that are associated with a project
configuration. If your project doesn't contain an entitlements file, the plugin will create one automatically.
This setup only supports a single target and will perform the configuration on the first target found if there are
multiple targets. If the process fails, check that:
1. Your app's Xcode project is [name].xcodeproj where [name] is the value defined in config.xml
2. Your project uses the standard Cordova app directory structure.

Build the plugin into your Android app


1. Import this plugin with the latest Cordova tools. The plugin will be automatically invoked as an after_compile
step.
2. The plugin will create an Intune-enabled version of the built apk (Android API 14+) at the end of the build
process. The build output will contain a [Project]-intunewrapped-[Build_Configuration].apk (e.g.
helloWorld-intunewrapped-debug.apk ).

NOTE
The plugin only supports gradle builds.

Due to a Cordova bug filed here that causes certain Cordova hooks to be ignored on cordova run , to run the
wrapped app from the command line, you must do the following:

$ cordova build
$ cordova run --nobuild

Sign your Android app


The plugin automatically recognizes signing information you have provided to Cordova at the following locations:
platforms/android/debug-signing.properties
platforms/android/release-signing.properties
res/native/android/ant.properties
See the Cordova gradle signing information for more information about the expected format.
We currently don't support the ability to provide signing information in build.json or arbitrary locations provided
via parameters to Cordova build.

Debugging from Visual Studio


After launching the app for the first time you should see a dialog notifying you that the app is managed by Intune.
Hit "Don't show again" and click the debug/run button again from VS for breakpoints to be hit.

Known Limitations
Android
MultiDex support is incomplete.
App must have minSdkVersion of 14 and targetSdkVersion of 24 or below. We currently don't support apps
targeting API 25.
We cannot re-sign apps that were signed with the V2 Signature Scheme. When V2-signed apps are
wrapped by the plugin, the wrapped output .apk will be unsigned.
You can disable Cordova's default V2 signing by adding the following to your build-extras.gradle file:

android {
    signingConfigs {
        release {
            v2SigningEnabled false
        }
        debug {
            v2SigningEnabled false
        }
    }
    buildTypes {
        release {
            signingConfig signingConfigs.release
        }
        debug {
            signingConfig signingConfigs.debug
        }
    }
}

iOS
Whenever you modify the list of UTIs under the CFBundleDocumentTypes node of the Info.plist file,
you must clear the Intune UTIs in the Imported UTIs section of the same plist file
(UTImportedTypeDeclarations node) before building again. All of the Intune UTIs start with the
prefix com.microsoft.intune.mam .
If you want to remove the Intune App SDK for Cordova plugin from your Cordova project, you must also
remove the iOS platform and re-add it, in order to undo some of the Intune configuration in the .xcodeproj
and .plist files.
Microsoft Intune App SDK Xamarin Component
6/19/2017

NOTE
You may wish to first read the Get Started with Intune App SDK article, which explains how to prepare for integration on
each supported platform.

Overview
The Intune App SDK Xamarin component enables Intune app protection policy in iOS and Android apps built with
Xamarin. The component allows developers to easily build Intune app protection features into their Xamarin-
based app.
You will find that you can enable SDK features without changing your app's behavior. Once you've built the
component into your iOS or Android mobile app, the IT admin will be able to deploy policy via Microsoft Intune
Mobile Application Management (MAM) supporting a variety of data protection features.

What's supported?
Developer machines
Windows
Mobile app platforms
Android
iOS
Intune Mobile Application Management scenarios
Intune MDM-enrolled devices
Third-party EMM-enrolled devices
Unmanaged devices (not enrolled with any MDM)
Xamarin apps built with the Intune App SDK Xamarin Component can now receive Intune mobile application
management (MAM) policies on both Intune mobile device management (MDM) enrolled devices and unenrolled
devices.

Prerequisites
[Android only] The latest Microsoft Intune Company Portal app must always be installed on the device.

Get started
1. Download Xamarin-component.exe from here and extract it.
2. Read the license terms for the Microsoft Intune MAM Xamarin Component.
3. Download the Intune App SDK Xamarin Component folder from GitHub or Xamarin and extract it. Both files
downloaded from step 1 and step 3 should be at the same directory level.
4. In a command prompt run as an administrator, run Xamarin.Component.exe install <.xam file> .
5. In Visual Studio, right-click Components in your previously created Xamarin project.
6. Select Edit Components and add the Intune App SDK component you've downloaded locally to your
computer.

Enabling Intune MAM in your iOS mobile app


1. In order to initialize the Intune App SDK, call any of its APIs from the AppDelegate.cs class. For
example:

public override bool FinishedLaunching (UIApplication application, NSDictionary launchOptions)
{
    Console.WriteLine ("Is Managed: {0}", IntuneMAMPolicyManager.Instance.PrimaryUser != null);
    return true;
}

2. Now that the component is added and initialized, you can follow the general steps required for building the
App SDK into an iOS mobile app. You can find the full documentation for enabling native iOS apps in the
Intune App SDK for iOS Developer Guide.
3. Important: There are several modifications specific to Xamarin-based iOS apps. For instance, when
enabling keychain groups you must add the Intune and ADAL groups. The list below shows the groups used by
the Xamarin sample app included in the component; your own app needs the same Intune and ADAL groups in
its Keychain Access groups:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>keychain-access-groups</key>
    <array>
        <string>$(AppIdentifierPrefix)com.xamarin.microsoftintunesample</string>
        <string>$(AppIdentifierPrefix)com.xamarin.microsoftintunesample.intunemam</string>
        <string>$(AppIdentifierPrefix)com.microsoft.intune.mam</string>
        <string>$(AppIdentifierPrefix)com.microsoft.adalcache</string>
    </array>
</dict>
</plist>

You have completed the steps necessary to build the component into your Xamarin-based iOS app. If you are
utilizing Xcode for building your project, you can use the Intune App SDK Settings.bundle . This will allow you to toggle
Intune policy settings on and off as you build your project to test and debug. To take advantage of this bundle,
follow the steps in the Intune App SDK for iOS Developer Guide and read the section on debugging in Xcode.

Enabling MAM in your Android mobile app


For Xamarin-based Android apps not using a UI framework, you will need to read and follow the Intune App SDK
for Android Developer Guide. For your Xamarin-based Android app, you will need to replace classes, methods, and
activities with their MAM equivalents based on the table included in the guide. If your app doesn't define an
android.app.Application class, you will need to create one and ensure that it inherits from MAMApplication .

For Xamarin.Forms and other UI frameworks, we have provided a tool called MAM.Remapper . The tool will
accomplish the class replacement for you. However, you will need to do the following steps:
1. Add a reference to the Microsoft.Intune.MAM.Remapper.Tasks NuGet package version 0.1.0.0 or greater.
2. Add the following line to your Android csproj (0.1.X.X stands for the package version you installed):

<Import Project="$(NugetPack)\Microsoft.Intune.MAM.Remapper.Tasks.0.1.X.X\build\MonoAndroid10\Microsoft.Intune.MAM.Remapper.targets" />

3. Set the build action of the added remapping-config.json file to RemappingConfigFile. The included
remapping-config.json only works with Xamarin.Forms. For other UI frameworks, refer to the Readme included
with the Remapper NuGet package.

Test your app


You have completed the basic steps of building the component into your app. Now you can follow the steps
included in the Xamarin Android sample app. We have provided two samples, one for Xamarin.Forms and another
for Android.
How to use Azure AD to access the Intune Graph API
6/26/2017

The Microsoft Graph API now supports Microsoft Intune with specific APIs and permission roles. The Graph API
uses Azure Active Directory (Azure AD) for authentication and access control.
Access to the Intune Graph API requires:
An application ID with:
Permission to call Azure AD and Graph APIs.
Permission scopes relevant to the specific application tasks.
User credentials with:
Permission to access the Azure AD tenant associated with the application.
Role permissions required to support the application permission scopes.
The end user to grant permission to the app to perform application tasks for their Azure tenant.
This article:
Shows how to register an application with access to the Graph API and relevant permission roles.
Describes the Intune Graph API permission roles.
Provides Intune Graph API authentication examples for C# and PowerShell.
Describes how to support multiple tenants
To learn more, see:
Authorize access to web applications using OAuth 2.0 and Azure Active Directory
Getting started with Azure AD authentication
Integrating applications with Azure Active Directory
Understand OAuth 2.0

Register apps to use Graph API


To register an app to use Graph API:
1. Sign into the Azure portal using administrative credentials.
As appropriate, you may use:
The tenant admin account.
A tenant user account with the Users can register applications setting enabled.
2. From the menu, choose Azure Active Directory > App Registrations.
3. Either choose New application registration to create a new application or choose an existing application.
(If you choose an existing application, skip the next step.)
4. On the Create blade, specify the following:
a. A Name for the application (displayed when users sign in).
b. The Application type and Redirect URI values.
These vary according to your requirements. For example, if you're using an Azure AD Authentication
Library (ADAL), set Application Type to Native and Redirect URI to urn:ietf:wg:oauth:2.0:oob .

To learn more, see Authentication Scenarios for Azure AD.


5. From the application blade:
a. Note the Application ID value.
b. Choose Settings > API access > Required permissions.

6. From the Required Permissions blade, choose Add > Add API access > Select an API.

7. From the Select an API blade, choose Microsoft Graph > Select. The Enable access blade opens and lists
permission scopes available to your application.
Choose the roles required for your app by placing a checkmark to the left of the relevant names. To learn
about specific Intune permission scopes, see Intune permission scopes. To learn about other Graph API
permission scopes, see Microsoft Graph permissions reference.
For best results, choose the fewest roles needed to implement your application.
When finished, choose Select and Done to save your changes.
At this point, you may also:
Grant the selected permissions on behalf of every account in the tenant, so that individual users are not
prompted to consent. To do so, choose Grant permissions and accept the confirmation prompt. Because this
consents for all users in the tenant, grant only the scopes the app actually needs.
Without this step, when you run the application for the first time, you're prompted to grant the app
permission to perform the selected roles.

Make the app available to users outside your tenant. (This is typically only required for partners supporting
multiple tenants/organizations.)
To do so:
1. Choose Manifest from the application blade, which opens the Edit Manifest blade.

2. Change the value of the availableToOtherTenants setting to true .


3. Save your changes.

Intune permission scopes


Azure AD and the Graph API use permission scopes to control access to corporate resources.
Permission scopes (also called the OAuth scopes) control access to specific Intune entities and their properties. This
section summarizes the permission scopes for Intune Graph API features.
To learn more:
Azure AD authentication
Application permission scopes
When you grant permission to the Graph API, you can specify the following scopes to control access to Intune
features. The first column shows the name of the feature as displayed in the Azure portal and the second
column provides the permission scope name.

ENABLE ACCESS SETTING                                             | SCOPE NAME
Perform user-impacting remote actions on Microsoft Intune devices | DeviceManagementManagedDevices.PrivilegedOperations.All
Read and write Microsoft Intune devices                           | DeviceManagementManagedDevices.ReadWrite.All
Read Microsoft Intune devices                                     | DeviceManagementManagedDevices.Read.All
Read and write Microsoft Intune RBAC settings                     | DeviceManagementRBAC.ReadWrite.All
Read Microsoft Intune RBAC settings                               | DeviceManagementRBAC.Read.All
Read and write Microsoft Intune apps                              | DeviceManagementApps.ReadWrite.All
Read Microsoft Intune apps                                        | DeviceManagementApps.Read.All
Read and write Microsoft Intune Device Configuration and Policies | DeviceManagementConfiguration.ReadWrite.All
Read Microsoft Intune Device Configuration and Policies           | DeviceManagementConfiguration.Read.All
Read and write Microsoft Intune configuration                     | DeviceManagementServiceConfig.ReadWrite.All
Read Microsoft Intune configuration                               | DeviceManagementServiceConfig.Read.All

The table lists the settings as they appear in the Azure portal. The following sections describe the scopes in
alphabetical order.
At this time, all Intune permission scopes require administrator access. This means you need corresponding
credentials when running apps or scripts that access Intune Graph API resources.
DeviceManagementApps.Read.All
Enable Access setting: Read Microsoft Intune apps
Permits read access to the following entity properties and status:
Mobile Apps
Mobile App Categories
App Protection Policies
App Configurations
DeviceManagementApps.ReadWrite.All
Enable Access setting: Read and write Microsoft Intune apps
Allows the same operations as DeviceManagementApps.Read.All
Also permits changes to the following entities:
Mobile Apps
Mobile App Categories
App Protection Policies
App Configurations
DeviceManagementConfiguration.Read.All
Enable Access setting: Read Microsoft Intune device configuration and policies
Permits read access to the following entity properties and status:
Device Configuration
Device Compliance Policy
Notification Messages
DeviceManagementConfiguration.ReadWrite.All
Enable Access setting: Read and write Microsoft Intune device configuration and policies
Allows the same operations as DeviceManagementConfiguration.Read.All
Apps can also create, assign, delete, and change the following entities:
Device Configuration
Device Compliance Policy
Notification Messages
DeviceManagementManagedDevices.PrivilegedOperations.All
Enable Access setting: Perform user-impacting remote actions on Microsoft Intune devices
Permits the following remote actions on a managed device:
Retire
Wipe
Reset/Recover Passcode
Remote Lock
Enable/Disable Lost Mode
Clean PC
Reboot
Delete User from Shared Device
DeviceManagementManagedDevices.Read.All
Enable Access setting: Read Microsoft Intune devices
Permits read access to the following entity properties and status:
Managed Device
Device Category
Detected App
Remote actions
Malware information
DeviceManagementManagedDevices.ReadWrite.All
Enable Access setting: Read and write Microsoft Intune devices
Allows the same operations as DeviceManagementManagedDevices.Read.All
Apps can also create, delete, and change the following entities:
Managed Device
Device Category
The following remote actions are also allowed:
Locate devices
Bypass activation lock
Request remote assistance
DeviceManagementRBAC.Read.All
Enable Access setting: Read Microsoft Intune RBAC settings
Permits read access to the following entity properties and status:
Role Assignments
Role Definitions
Resource Operations
DeviceManagementRBAC.ReadWrite.All
Enable Access setting: Read and write Microsoft Intune RBAC settings
Allows the same operations as DeviceManagementRBAC.Read.All
Apps can also create, assign, delete, and change the following entities:
Role Assignments
Role Definitions
DeviceManagementServiceConfig.Read.All
Enable Access setting: Read Microsoft Intune configuration
Permits read access to the following entity properties and status:
Device Enrollment
Apple Push Notification Certificate
Apple Device Enrollment Program
Apple Volume Purchase Program
Exchange Connector
Terms and Conditions
Telecoms Expense Management
Cloud PKI
Branding
Mobile Threat Defense
DeviceManagementServiceConfig.ReadWrite.All
Enable Access setting: Read and write Microsoft Intune configuration
Allows the same operations as DeviceManagementServiceConfig.Read.All
Apps can also configure the following Intune features:
Device Enrollment
Apple Push Notification Certificate
Apple Device Enrollment Program
Apple Volume Purchase Program
Exchange Connector
Terms and Conditions
Telecoms Expense Management
Cloud PKI
Branding
Mobile Threat Defense
Azure AD authentication examples
This section shows how to incorporate Azure AD into your C# and PowerShell projects.
In each example, you'll need to specify an application ID that has at least the DeviceManagementManagedDevices.Read.All
permission scope (discussed earlier).
When testing either example, you may receive HTTP status 403 (Forbidden) errors similar to the following:

{
  "error": {
    "code": "Forbidden",
    "message": "Application is not authorized to perform this operation - Operation ID " +
               "(for customer support): 00000000-0000-0000-0000-000000000000 - " +
               "Activity ID: cc7fa3b3-bb25-420b-bfb2-1498e598ba43 - " +
               "Url: https://example.manage.microsoft.com/" +
               "Service/Resource/RESTendpoint?" +
               "api-version=2017-03-06 - CustomApiErrorPhrase: ",
    "innerError": {
      "request-id": "00000000-0000-0000-0000-000000000000",
      "date": "1980-01-0112:00:00"
    }
  }
}

If this happens, verify that:
You've updated the application ID to one authorized to use the Graph API and the
DeviceManagementManagedDevices.Read.All permission scope.
Your tenant credentials support administrative functions.
Your code is similar to the displayed samples.
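Before blaming the tenant or the code, it is worth checking whether the token ADAL handed back actually carries the scope: for a delegated token, Azure AD lists the granted scopes in the scp claim of the JWT. The Java class below is an added example (not from this guide or from Microsoft) that decodes the payload and looks for the scope; it does not verify the signature, which is acceptable for a local diagnostic because Graph verifies it server-side. The tokens it inspects are constructed inline with alg "none" and no signature so the check runs offline; real tokens are signed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added diagnostic, not from the page or from Microsoft: read the scopes Azure AD put into a
 * delegated access token so a missing Intune scope is caught before Graph answers 403.
 * The payload is decoded only; the signature is not checked (Graph checks it server-side).
 */
public final class GraphScopeCheck {

    // "scp" is a single space-separated string in Azure AD delegated tokens.
    private static final Pattern SCP = Pattern.compile("\"scp\"\\s*:\\s*\"([^\"]*)\"");

    /** Scopes granted in the token's scp claim (empty set if the claim is absent). */
    public static Set<String> scopesOf(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) {
            throw new IllegalArgumentException("not a JWT: expected header.payload[.signature]");
        }
        byte[] raw = Base64.getUrlDecoder().decode(parts[1]);   // padding is optional in JWTs
        Matcher m = SCP.matcher(new String(raw, StandardCharsets.UTF_8));
        Set<String> scopes = new HashSet<>();
        if (m.find()) {
            for (String s : m.group(1).trim().split("\\s+")) {
                if (!s.isEmpty()) {
                    scopes.add(s);
                }
            }
        }
        return scopes;
    }

    /** True when the token carries the literal scope name (no implied hierarchy is applied). */
    public static boolean hasScope(String jwt, String required) {
        return scopesOf(jwt).contains(required);
    }

    // Constructed sample tokens: unsigned (alg "none"), only for exercising the parser offline.
    static String sampleToken(String scp) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString(
                "{\"alg\":\"none\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = enc.encodeToString(
                ("{\"aud\":\"https://graph.microsoft.com\",\"scp\":\"" + scp + "\"}")
                        .getBytes(StandardCharsets.UTF_8));
        return header + "." + payload + ".";
    }

    public static void main(String[] args) {
        String required = "DeviceManagementManagedDevices.Read.All";
        String withScope = sampleToken("User.Read " + required);
        String withoutScope = sampleToken("User.Read");
        System.out.println("token 1 has scope: " + hasScope(withScope, required));
        System.out.println("token 2 has scope: " + hasScope(withoutScope, required));
    }
}
```

Two caveats when using this against real tokens: app-only (client credentials) tokens carry their permissions in a roles claim rather than scp, and a token can carry the scope and still be refused, because Intune also requires the signed-in user to hold an administrator role, as noted earlier in this section.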
Authenticate Azure AD in C#
This example shows how to use C# to retrieve a list of devices associated with your Intune account.
1. Start Visual Studio and then create a new Visual C# Console app (.NET Framework) project.
2. Enter a name for your project and provide other details as desired.
3. Use the Solution Explorer to add the Microsoft ADAL NuGet package to the project.
a. Right-click the Solution Explorer.
b. Choose Manage NuGet Packages > Browse.
c. Select Microsoft.IdentityModel.Clients.ActiveDirectory and then choose Install.

4. Add the following statements to the top of Program.cs:

using Microsoft.IdentityModel.Clients.ActiveDirectory;
using System.Net.Http;
using System.Threading.Tasks;

5. Add a method to create the authorization header:

private static async Task<string> GetAuthorizationHeader()
{
    string applicationId = "<Your Application ID>";
    string authority = "https://login.microsoftonline.com/common/";
    Uri redirectUri = new Uri("urn:ietf:wg:oauth:2.0:oob");
    AuthenticationContext context = new AuthenticationContext(authority);
    AuthenticationResult result = await context.AcquireTokenAsync(
        "https://graph.microsoft.com",
        applicationId, redirectUri,
        new PlatformParameters(PromptBehavior.Auto));
    return result.CreateAuthorizationHeader();
}

Remember to change the value of applicationId to match an application ID granted at least the
DeviceManagementManagedDevices.Read.All permission scope, as described earlier.
6. Add a method to retrieve the list of devices:
private static async Task<string> GetMyManagedDevices()
{
    string authHeader = await GetAuthorizationHeader();
    HttpClient graphClient = new HttpClient();
    graphClient.DefaultRequestHeaders.Add("Authorization", authHeader);
    return await graphClient.GetStringAsync(
        "https://graph.microsoft.com/beta/me/managedDevices");
}

7. Update Main to call GetMyManagedDevices:

string devices = GetMyManagedDevices().GetAwaiter().GetResult();
Console.WriteLine(devices);

8. Compile and run your program.


When you first run your program, you should receive two prompts. The first requests your credentials and the
second grants permissions for the managedDevices request.
For reference, here's the completed program:

using Microsoft.IdentityModel.Clients.ActiveDirectory;
using System;
using System.Net.Http;
using System.Threading.Tasks;

namespace IntuneGraphExample
{
    class Program
    {
        static void Main(string[] args)
        {
            string devices = GetMyManagedDevices().GetAwaiter().GetResult();
            Console.WriteLine(devices);
        }

        private static async Task<string> GetAuthorizationHeader()
        {
            string applicationId = "<Your Application ID>";
            string authority = "https://login.microsoftonline.com/common/";
            Uri redirectUri = new Uri("urn:ietf:wg:oauth:2.0:oob");
            AuthenticationContext context = new AuthenticationContext(authority);
            AuthenticationResult result = await context.AcquireTokenAsync(
                "https://graph.microsoft.com", applicationId, redirectUri,
                new PlatformParameters(PromptBehavior.Auto));
            return result.CreateAuthorizationHeader();
        }

        private static async Task<string> GetMyManagedDevices()
        {
            string authHeader = await GetAuthorizationHeader();
            HttpClient graphClient = new HttpClient();
            graphClient.DefaultRequestHeaders.Add("Authorization", authHeader);
            return await graphClient.GetStringAsync("https://graph.microsoft.com/beta/me/managedDevices");
        }
    }
}

Authenticate Azure AD (PowerShell)


The following PowerShell script uses the AzureAD PowerShell module for authentication. To learn more, see Azure
Active Directory PowerShell Version 2 and the Intune PowerShell examples.
In this example, update the value of $clientID to match a valid application ID.

function Get-AuthToken {
    [cmdletbinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        $User
    )

    # The tenant is taken from the domain part of the user's UPN
    $userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User
    $tenant = $userUpn.Host

    Write-Host "Checking for AzureAD module..."

    $AadModule = Get-Module -Name "AzureAD" -ListAvailable

    if ($AadModule -eq $null) {
        Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
        $AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
    }

    if ($AadModule -eq $null) {
        write-host
        write-host "AzureAD Powershell module not installed..." -f Red
        write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
        write-host "Script can't continue..." -f Red
        write-host
        exit
    }

    # Getting path to ActiveDirectory Assemblies
    # If the module count is greater than 1 find the latest version
    if ($AadModule.count -gt 1) {
        $Latest_Version = ($AadModule | select version | Sort-Object)[-1]
        $aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }
        $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
        $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
    }
    else {
        $adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
        $adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
    }

    [System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
    [System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null

    $clientId = "<Your Application ID>"
    $redirectUri = "urn:ietf:wg:oauth:2.0:oob"
    $resourceAppIdURI = "https://graph.microsoft.com"
    $authority = "https://login.microsoftonline.com/$tenant"

    try {
        $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
        # https://msdn.microsoft.com/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
        # Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession
        $platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"
        $userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
        $authResult = $authContext.AcquireTokenAsync($resourceAppIdURI, $clientId, $redirectUri, $platformParameters, $userId).Result

        # If the access token is valid then create the authentication header
        if ($authResult.AccessToken) {
            # Creating header for Authorization token
            $authHeader = @{
                'Content-Type'  = 'application/json'
                'Authorization' = "Bearer " + $authResult.AccessToken
                'ExpiresOn'     = $authResult.ExpiresOn
            }
            return $authHeader
        }
        else {
            Write-Host
            Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
            Write-Host
            break
        }
    }
    catch {
        write-host $_.Exception.Message -f Red
        write-host $_.Exception.ItemName -f Red
        write-host
        break
    }
}

$authToken = Get-AuthToken -User "<Your AAD Username>"

try {
    $uri = "https://graph.microsoft.com/beta/me/managedDevices"
    Write-Verbose $uri
    (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
catch {
    # Read the error body returned by Graph so the failure reason is visible, not just the status code
    $ex = $_.Exception
    $errorResponse = $ex.Response.GetResponseStream()
    $reader = New-Object System.IO.StreamReader($errorResponse)
    $reader.BaseStream.Position = 0
    $reader.DiscardBufferedData()
    $responseBody = $reader.ReadToEnd();
    Write-Host "Response content:`n$responseBody" -f Red
    Write-Error "Request to $uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
    write-host
    break
}
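
The script above shows two things worth carrying into any Graph client: its catch block reads the error body from a failed reply, and its `.Value` takes only the first page of results. As an added example that is not part of the Intune documentation or its sample scripts, the following Python performs the same GET against /me/managedDevices through a pluggable transport, raises with the HTTP status and response body on any non-200 reply, and follows @odata.nextLink so that a user with more devices than one page holds is fully enumerated. `_urllib_transport` is the real transport; `fake_transport`, its two canned pages and its error text are constructed so the example runs offline.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

GRAPH_BASE = "https://graph.microsoft.com/beta"
# A transport takes (url, headers) and returns (http_status, body_text).
Transport = Callable[[str, Dict[str, str]], Tuple[int, str]]


class GraphError(Exception):
    """A non-200 reply from Graph; keeps status and body like the script's catch block."""

    def __init__(self, url: str, status: int, body: str):
        super().__init__(f"Request to {url} failed with HTTP status {status}: {body}")
        self.status = status
        self.body = body


def _urllib_transport(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real transport: GET the URL and return (status, body) even for error replies."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        # The error body is the useful part of a 4xx/5xx; surface it instead of losing it.
        return err.code, err.read().decode("utf-8", errors="replace")


def get_managed_devices(authorization: str, transport: Transport = _urllib_transport,
                        url: str = GRAPH_BASE + "/me/managedDevices") -> List[dict]:
    """Collect every page of /me/managedDevices; raise GraphError on any non-200 reply."""
    headers = {"Authorization": authorization, "Accept": "application/json"}
    devices: List[dict] = []
    while url:
        status, body = transport(url, headers)
        if status != 200:
            raise GraphError(url, status, body)
        page = json.loads(body)
        devices.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page, which ends the loop
    return devices


def noncompliant_devices(devices: List[dict]) -> List[str]:
    """Names of devices whose complianceState is anything other than 'compliant'."""
    return [d.get("deviceName", d.get("id", "?")) for d in devices
            if d.get("complianceState") != "compliant"]


# Constructed two-page reply for offline use; field names follow the managedDevice resource.
_FAKE_PAGES = {
    GRAPH_BASE + "/me/managedDevices": (200, json.dumps({
        "value": [{"id": "dev-1", "deviceName": "LAPTOP-A", "complianceState": "compliant"}],
        "@odata.nextLink": GRAPH_BASE + "/me/managedDevices?$skiptoken=page2",
    })),
    GRAPH_BASE + "/me/managedDevices?$skiptoken=page2": (200, json.dumps({
        "value": [{"id": "dev-2", "deviceName": "PHONE-B", "complianceState": "noncompliant"}],
    })),
}


def fake_transport(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Constructed transport: 401 without a bearer token, otherwise serve the canned pages."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        return 401, json.dumps({"error": {"code": "InvalidAuthenticationToken",
                                          "message": "constructed: missing bearer token"}})
    return _FAKE_PAGES.get(url, (404, json.dumps({"error": {"code": "ResourceNotFound"}})))


if __name__ == "__main__":
    found = get_managed_devices("Bearer <constructed token>", transport=fake_transport)
    print(len(found), "devices; noncompliant:", noncompliant_devices(found))
```

To run it against a real tenant, pass the header value produced by Get-AuthToken (or CreateAuthorizationHeader in the C# sample) as `authorization` and leave `transport` at its default.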

Support multiple tenants and partners

If your organization works with client organizations that have their own Azure AD tenants, you may want to permit those clients to use your application with their respective tenants.
To do so:
1. Verify that the client account exists in the target Azure AD tenant.
2. Verify that your tenant account allows users to register applications (see User settings).
3. Establish a relationship between each tenant.
To do so, either:
a. Use the Microsoft Partner Center to define a relationship with your client and their email address.
b. Invite the user to become a guest of your tenant.
To invite the user to be a guest of your tenant:
1. Choose Add a guest user from the Quick tasks panel.
2. Enter the client's email address and (optionally) add a personalized message for the invite.
3. Choose Invite.
This sends an invite to the user.
The user needs to choose the Get Started link to accept your invitation.
When the relationship is established (or your invitation has been accepted), add the user account to the Directory
role.
Remember to add the user to other roles as needed. For example, to allow the user to manage Intune settings, they
need to be either a Global Administrator or an Intune Service administrator.
Also:
Use https://portal.office.com to assign an Intune license to your user account.
Update application code to authenticate to the client's Azure AD tenant domain, rather than your own.
For example, if your tenant domain is contosopartner.onmicrosoft.com and your client's tenant domain is northwind.onmicrosoft.com, you would update your code to authenticate to your client's tenant.
To do so in a C# application based on the earlier example, you'd change the value of the authority variable:

    string authority = "https://login.microsoftonline.com/common/";

to

    string authority = "https://login.microsoftonline.com/northwind.onmicrosoft.com/";
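
Once the authority points at a client's tenant, the access token that comes back should be checked before it is attached to the Authorization header, both in the completed C# program earlier and in the multi-tenant case just described. As an added example that is not code from the Intune documentation or its samples, the following Python decodes the token payload and confirms that the audience is https://graph.microsoft.com (the resource the samples request), that the tid claim matches the tenant the authority was chosen for, that the scope the managedDevices call needs was granted, and that the token has not expired. The tenant ID, the scope name passed as `required_scope`, and the unsigned test tokens are constructed for the example. This is a client-side sanity check of an unverified payload; signature validation is the Graph service's job, not the client's.

```python
import base64
import json
import time
from typing import List, Optional

GRAPH_RESOURCE = "https://graph.microsoft.com"
# Constructed tenant ID for the example; a real one is the GUID of the Azure AD tenant.
EXPECTED_TENANT_ID = "11111111-2222-3333-4444-555555555555"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS; the signature is not checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def check_token(token: str, expected_tid: str, required_scope: str,
                now: Optional[float] = None, skew_seconds: int = 60) -> List[str]:
    """Return the reasons the token is unsuitable for the call; empty means it looks usable."""
    now = time.time() if now is None else now
    claims = decode_jwt_claims(token)
    problems: List[str] = []
    if claims.get("aud") != GRAPH_RESOURCE:
        problems.append(f"audience is {claims.get('aud')!r}, not {GRAPH_RESOURCE}")
    if claims.get("tid") != expected_tid:
        # In a multi-tenant app this catches a token issued by the wrong tenant.
        problems.append(f"tenant {claims.get('tid')!r} does not match expected tenant {expected_tid}")
    granted = set(str(claims.get("scp", "")).split())
    if required_scope not in granted:
        problems.append(f"scope {required_scope} not granted (have: {sorted(granted)})")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("no numeric exp claim")
    elif exp <= now + skew_seconds:
        problems.append("token expired or expires within the clock-skew window")
    return problems


def authorization_header(token: str, expected_tid: str, required_scope: str,
                         now: Optional[float] = None) -> str:
    """Build the Authorization header value only when the token passes the checks."""
    problems = check_token(token, expected_tid, required_scope, now=now)
    if problems:
        raise ValueError("; ".join(problems))
    return "Bearer " + token


def make_unsigned_test_token(claims: dict) -> str:
    """Constructed, unsigned token for offline tests (alg=none, empty signature segment)."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."


if __name__ == "__main__":
    scope = "DeviceManagementManagedDevices.Read.All"
    good = make_unsigned_test_token({"aud": GRAPH_RESOURCE, "tid": EXPECTED_TENANT_ID,
                                     "scp": scope + " User.Read", "exp": 2_000_000_000})
    other_tenant = make_unsigned_test_token({"aud": GRAPH_RESOURCE, "tid": "constructed-other-tenant",
                                             "scp": scope, "exp": 2_000_000_000})
    print("good token problems:", check_token(good, EXPECTED_TENANT_ID, scope, now=1_700_000_000))
    print("wrong tenant problems:", check_token(other_tenant, EXPECTED_TENANT_ID, scope, now=1_700_000_000))
```

The `now` parameter exists so the check is deterministic in tests; in production leave it unset and the current clock is used.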


Microsoft Intune glossary
6/19/2017

APPLIES TO: INTUNE ON AZURE

A
App assignment: Lets users find, download, and install the apps they need. This was previously known as app deployment.
App configuration profile: Configures an iOS or Android app with specific settings before it runs.
App monitoring: Lets you review recent status and activity related to app assignment.
App protection data removal task: Removes app data from the user's device.
App protection policy: Ensures that users' apps are compliant with your company data protection policies.
App SDK: The Microsoft Intune App SDK lets you add functionality to your in-house written apps that enables them to be managed by Intune app protection policies.
App uninstall action: Lets you uninstall apps from users' devices.
App Wrapping Tool: A command-line application that creates a wrapper around a line-of-business app, letting it be managed by an Intune app protection policy.
Assignment action: A choice you make when you assign an app. You can choose to make the app installation mandatory (Required), optional (Available), or you can uninstall the app.
Available install: When you assign an app with this action, it is displayed in the Company Portal, and users can install it on demand.
Azure Portal: The new console for Intune.

B
BYOD: Bring your own device. Users can install the Intune Company Portal app on their device and then enroll it, gaining access to company resources like email, company apps, company data, and support.

C
Certificate profile: You use this policy type to secure access to corporate resources with certificates when you use Wi-Fi, email, or VPN profiles.
COD: Company-owned devices. These can be enrolled in numerous ways, depending upon the needs of the organization and the types of devices being managed.
Company Portal: An app or a website that provides users with access to company data and apps.
Compliance policy: Makes sure that devices comply with certain rules, like using a PIN to access the device and encryption of data stored on the device.
Compliant and noncompliant apps: Part of a device restriction profile, these settings let you define a list of apps that users can or cannot run. Intune then informs you via reports that a noncompliant app was installed or run. For some platforms, Intune can also block installation of a noncompliant app.
Conditional access: Allows access to company email, Office 365, and other services only from devices that are compliant with rules you set.
Custom policy: You use these policies when a general configuration policy does not contain a built-in setting that meets your needs. You might be able to use a custom policy to create a setting by other means, like the Apple Configurator or OMA-URI.

D
Deployment: The act of sending an app or a policy to a device or user you manage. This action is now known as assign.
Device enrollment manager: Organizations can use Intune to manage large numbers of mobile devices with a single user account. The device enrollment manager (DEM) account is a special Intune account that can enroll up to 1,000 devices.
Device profiles: These profiles let you configure a wide range of security, feature, and access settings on devices you manage.

E
Email profile: This policy can be used to set up email access settings on mobile devices, minimizing the amount of setup the end user must do.
EMS: Microsoft Enterprise Mobility + Security (formerly Enterprise Mobility Suite) keeps your company data protected while enabling your users to access the apps and content they need.
End user: Users of devices like phones and PCs that are managed using Intune.
Enroll: Microsoft Intune uses enrollment to bring devices into management and allow access to resources.

F
FastTrack: A Microsoft service for Intune users with 150 licenses in an eligible plan. Using this service, Microsoft specialists can work with you to get up and running with Intune.

G
Groups: Groups let you logically collect together users or devices. For example, you might create a group of all Windows PCs. You can then assign apps and profiles to these groups.

H
Hybrid: A configuration where you manage devices that are enrolled with Intune through the System Center Configuration Manager console.

I
Intune portal: The Azure portal you use for most Intune management operations.
Intune software client: An alternative way of managing some Windows PCs (see the Intune documentation for help deciding which management method to use).
Intune Software Publisher: A tool you use to define apps you want to deploy and upload them to your cloud storage space.
Inventory: Use to view the hardware of, and the software installed on, devices you manage.

K
Kiosk mode: Configured as part of a device restriction profile, this mode lets you lock down devices. For example, you could configure a retail device to only allow some apps to run.

M
Managed Browser: A web browsing application that you can assign in your organization by using Intune. A managed browser policy configures an allow list or a block list that restricts the websites that users of the managed browser can visit.
MDM authority: The MDM authority defines the management service that has permission to manage a set of devices. The options for the MDM authority include Intune by itself and Configuration Manager with Intune.
Mobile app configuration policy: An iOS or Android policy that is used to supply settings to compatible apps when they are run, for example, a company name or server address.
Mobile app provisioning policy: An iOS policy that helps you ensure that provisioning profiles for iOS apps you assign do not expire.
Mobile application management: Mobile application management (MAM) lets you publish, push, configure, secure, monitor, and update mobile apps for your users.
Mobile device management: Mobile device management (MDM) lets you enroll devices in Intune so that you can provision, configure, monitor, and manage those devices.

O
OMA-DM: Open Mobile Alliance Device Management. An industry standard device management protocol used by many hardware manufacturers to enable control of features of mobile devices and PCs.
OMA-URI: Open Mobile Alliance Uniform Resource Identifier. These items identify individual device settings that conform to the OMA-DM standard. The settings can be used in Intune custom profiles when there is no built-in setting to meet your needs.

P
Passcode reset: An Intune feature that lets you force the end user to reset the passcode on supported devices.

R
Remote lock: An Intune feature that lets you lock supported devices, even if you do not possess the device.
Required install: When you assign an app with this action, user intervention is not required to complete the installation. On some platforms, the end user might have to accept the installation.

S
Selective wipe: A selective wipe removes only company data, including mobile app management (MAM) data where applicable, settings, and email profiles, from a device. Selective wipe leaves the user's personal data on the device.
Sideloading: The action of installing a line-of-business app without accessing it from an app store.
Subscription: The agreement you enter that allows you to access an Intune tenant.

T
TeamViewer: A third-party application that works with Intune to provide remote assistance capabilities for Android devices that you manage with Intune.
Tenant: A single instance of the Intune service you can access with a subscription.
Terms and conditions: A policy type you assign to users that contains information users must read and accept before they can use the Company Portal to enroll and access their work.

V
Volume-purchased apps and books: Some app stores give you the ability to purchase multiple licenses for an app or book that you want to use in your company. Intune helps you manage apps and books that you purchased through such a program. You can import the license information from the app store, track how many of the licenses you have used, and prevent yourself from installing more copies of the app than you own.
VPN profile: A policy that assigns VPN settings to devices you manage, minimizing any setup required for end users.

W
Wi-Fi profile: A policy that assigns wireless network settings to devices to let users connect to your company network without needing to know or configure any settings.