Intune Starter Guide: Nick Ross - Microsoft Certified Expert Administrator

The document provides guidance on implementing Microsoft Intune for device management. It outlines a 6 phase process: 1) create groups and ensure licensing, 2) set device policies, profiles and apps, 3) configure enrollment settings, 4) enroll devices, 5) pilot test, and 6) broad deployment. The document includes steps to set compliance policies and requirements for iOS, Android and Windows devices. It aims to provide best practices for Intune policy creation and implementation.


2020

INTUNE STARTER GUIDE

Nick Ross | Microsoft Certified Expert Administrator

www.pax8.com
GUIDE DESCRIPTION

The purpose of this guide is to lay out the steps for implementing Intune. This guide
assumes you have the M365 Business Premium license. It can apply to EMS licenses,
but some features will not be covered, such as Conditional Access and Windows
Autopilot.

After you complete this guide you will have:

• Created Different Device Groups
• Configured Auto-Enrollment of Devices
• Configured Policies and Profiles for Devices
• Added Applications
• Set Up Enrollment for Apple, Windows, and Android Devices
• Enrolled a Device to Intune

**Disclaimer**

This guide is meant to provide best practices for policy creation and implementation of
Intune. It is meant to be used as a template, but the policies defined will not be the same in all
use cases. You must assess the policies and configurations you will need for your client’s
environment and make changes as needed. Pax8 is not liable for any policies you create that
do not meet the client’s standards. As a best practice, test all configurations with a pilot group
before moving to broad deployment across an entire organization.

Updated: May 2020

PRE-FLIGHT CHECKLIST

• Platforms You Want to Support
• Baseline Security Requirements
• Groups You Want to Apply Policies to
• Apps You Want to Deploy
• 3 Pilot Devices to Test

a. Determine the platforms that you will support
i. iOS/Android
ii. Mac/Windows
b. Have baseline security requirements compiled that you want to implement
i. Min/Max OS versions
ii. Password requirements
iii. Encryption enabled
c. Determine if there will be separate groups for separate security policies
i. Ex1. I have one group I want to assign iOS policies to and I have
another I want to assign Android policies to.
ii. Ex2. I have more granular security policies I want to apply to one
group over another.
iii. I encourage you to create a test group for piloting everything you
are looking to implement in your organization.
d. Assess if there are any apps beyond 365 that you want users to have
access to
e. Choose 3 pilot devices you want to enroll into Intune

TABLE OF CONTENTS
Phase 1: Groups and Licensing

• Ensure All Users Have Appropriate Licensing
• Add Necessary Groups for Policy Assignment
• Configure Device Auto-Enrollment

Phase 2: Policy and Profile Creation

• Configure Device Policies
o iOS
o Android
o Windows
• Create Device Profile

Phase 3: Add Apps

• Adding Applications
• Adding Microsoft Authenticator App

Phase 4: Configuring Enrollment

• Setting Apple Enrollment
• Setting Android Enrollment
• Setting Terms and Conditions
• Adding Company Branding

Phase 5: Enroll Devices

• Enroll Devices: Windows
• Enroll Devices: iOS and Android

Phase 6: Testing and Broad Deployment

• Pilot Testing and Remediation
• Broad Deployment

LICENSING USERS

1. Ensure all appropriate users are licensed

a. Log in to the 365 Admin Center>go to Active users

b. Select a User>click Licenses and Apps>ensure an M365 license is assigned

CREATE GROUPS

Create different groups if you want to separate out different people into different
Intune policies. These groups are typically separated with users who will either be on
different device platforms or users who need more granular policies.

a. Scroll down in the 365 Admin Portal and go to the Endpoint Manager
portal

b. Click on Groups>click New group

c. Group Type can be 365 or security. You can add whatever users you
would like for this group. This is my test group, so I am going to add my
pilot user

d. Click Create when finished

DEVICE AUTO-ENROLLMENT

Ensure Device Auto-Enrollment is turned on. Auto-enrollment allows devices that join to
Azure AD to automatically be enrolled in Intune and have policies push down to them.

a. Go to Devices>Windows>Windows Enrollment>Automatic Enrollment

b. Choose All if it is not already pre-selected. You can choose auto-enrollment for
only subsets of your users by clicking Some. Click Save when finished

CONFIGURE DEVICE COMPLIANCE POLICIES

Device Compliance Policies designate which devices are compliant and non-
compliant. When we join devices to Intune after configuring these policies, we will be
able to see why the devices are not compliant. You will want to create a device policy
for every platform you wish to support in your organization.

iOS
a. In the Endpoint Manager admin center, go to Devices>iOS/iPad>Compliance
Policies>Create

b. Select iOS/iPadOS from the dropdown and click Create

c. Give your policy a Name and Description and click Next

d. For the email section, if you set it to Require, you also need to set up an
email configuration profile for iOS to create a managed email profile on the
native mail client. It is recommended to leave this off until that profile is set up

e. Under the Device Health section for Jailbroken devices settings, select Block

f. Under Device Properties, configure minimum and maximum OS versions, if
applicable. If you do not want to define these settings, leave them blank

g. Under System Security, enter the values as follows:

h. Under Actions for noncompliance, leave the default of Mark device
noncompliant as Immediately. Be careful here if you have set up a conditional
access policy that blocks access to noncompliant devices.

i. Click Next on Scope Tags. On the Assignments tab, scope the policy to one of
the groups you created or select All users from the dropdown menu. Review and
Create

j. For the full Microsoft doc on iOS Compliance Policies, click here.

ANDROID
a. Go to Devices>Android>Compliance Policies>Create Policy

b. Select Android Enterprise and Work profile. Note that this policy is for corporately
owned devices, not BYOD. For BYOD, you would select Device Owner

c. Enter the Name, enter Description (if applicable), and choose Next

d. Skip Microsoft Defender ATP and under Device Health, configure the following:

e. Under Device Properties, configure the Minimum and Maximum OS version if
applicable. If you do not want to configure, leave blank

f. Under System Security, configure as follows:

g. Under Actions for noncompliance, leave the default of Mark device
noncompliant as Immediately. Be careful here if you have set up a conditional
access policy that blocks access to noncompliant devices

h. Click Next on Scope Tags. On the Assignments tab, scope the policy to one of
the groups you created or select All users from the dropdown menu. Review and
Create

i. For the full Microsoft doc on Android Compliance Policies, click here

WINDOWS
a. Click Devices>Windows>Compliance Policies>Create Policy

b. Select Windows 10 and later and click Create

c. Enter a Name and Description (if applicable), and click Next

d. Under Compliance Settings>Device Health, configure the following:

e. Under Device Properties, configure the Minimum and Maximum OS version if
applicable. If you do not want to configure, leave blank

f. Skip Configuration Manager Compliance. Under System Security, configure
the following:

*NOTE* We will not be configuring password settings for Windows mobile. We are
not choosing to require encryption here since we already chose to require
Bitlocker in the Device Health section.

g. Click Next. Under Actions for noncompliance, leave the default of Mark device
noncompliant as Immediately. Be careful here if you have set up a conditional
access policy that blocks access to noncompliant devices

h. Click Next on Scope Tags. On the Assignments tab, scope the policy to one of
the groups you created or select All users from the dropdown menu. Review and
Create

CREATE DEVICE PROFILE

Device profiles allow you to have uniform settings for all devices across your
organization. Examples:

• You create a Wi-Fi profile that automatically configures the Wi-Fi on devices that
are enrolled with Intune.
• Assume that you want to provision all iOS devices with the settings required to
connect to a file share on the corporate network. You create a VPN profile that
contains the settings to connect to the corporate network. Then you assign this
profile to all users who have iOS devices. The users see the VPN connection in the
list of available networks and can connect with minimal effort.
• You want to have a uniform start menu and settings for all of your Windows 10
Devices. You can create this with a Device Restriction Profile.

Here is a list of the profiles that you can create:

• Administrative templates (Windows)
• Custom
• Delivery optimization (Windows)
• Derived credential (Android Enterprise, iOS, iPadOS)
• Device features (macOS, iOS, iPadOS)
• Device firmware (Windows)
• Device restrictions
• Domain join (Windows)
• Edition upgrade and mode switch (Windows)
• Education (iOS, iPadOS)
• Email
• Endpoint protection (macOS, Windows)
• Extensions (macOS)
• Identity protection (Windows)
• Kiosk
• Microsoft Defender ATP (Windows)
• Mobility Extensions (MX) profile (Android device administrator)
• OEMConfig (Android Enterprise)
• PKCS certificate
• PKCS imported certificate
• Preference file (macOS)
• SCEP certificate
• Secure assessment (Education) (Windows)
• Shared multi-user device (Windows)
• Telecom expenses (Android device administrator, iOS, iPadOS)
• Trusted certificate
• VPN
• Wi-Fi

Since we configured a policy in the previous section to require Bitlocker, we are going
to set up a profile for Bitlocker so that users are immediately prompted to configure if
they do not have it already.

a. Go to Devices>Windows>Configuration profiles>Create profile

b. Select Windows 10 and later and Endpoint protection

c. Enter a Name, Description (if applicable), click Next

d. Under the Windows Encryption section, configure the following:

e. Click Next. Skip Scope Tags. On the Assignments tab, scope the policy to one of
the groups you created or select All users or All Users and Devices from the
dropdown menu. Review and Create

f. For the full list of encryption settings, click here

SET UP APPLE MDM PUSH CERTIFICATE

The Apple MDM Push Certificate allows us to start enrolling iOS devices. You can think of
this certificate as a shell account under which you can put all of your clients. The
certificate is associated with the Apple ID used to create it. As a best practice, use a
company Apple ID for management tasks and make sure the mailbox is monitored by
more than one person, like a distribution list. Never use a personal Apple ID.

a. In the Endpoint Manager Admin Center go to Devices>iOS/iPad>iOS/iPadOS
enrollment>Apple MDM Push certificate

b. Agree to the terms and conditions, download your CSR (save it to another
location or keep it in Downloads; the file is used to request a trust relationship
certificate from the Apple Push Certificates Portal), and click Create your MDM
push Certificate to open the Apple Center

c. Sign in with your Business Apple ID or create a new Apple account for your
business if you do not have one already (takes 5 minutes and no financial
commitment). This should be an Apple ID associated to your MSP

d. After you sign in click Create a Certificate

e. Upload your CSR file and then download the MDM Push Certificate

f. Back in Microsoft, enter your Apple ID and upload the MDM Certificate you just
downloaded

g. You will see the status as Active

SETTING UP ANDROID ENROLLMENT

Setting up Android enrollment requires that you link Intune to an existing Google Play
account. If you do not have one you can create one for the client’s business. This
needs to be unique per client. As a best practice, use a company Google Account for
management tasks and make sure the mailbox is monitored by more than one person
like a distribution list. Never use a personal Google Account.

a. In the Endpoint Manager admin center, go to Devices>Android>Android
enrollment>Managed Google Play

b. Agree to the terms and conditions and click Launch Google to connect now

c. Sign into your business Google Account. If you do not have one, create one
now. Click Get started

d. Enter your Business name and click Next

e. If you are in the EU, you can enter the contact of an EU representative. If not,
simply agree to the terms and click Confirm

f. Click Complete Registration and you will be redirected back to Microsoft

g. You will get a green check for the status. Registration is complete

ADD AN APPLICATION

Intune allows you to add applications so that when users enroll, they immediately have
access to those applications via the Microsoft Store for Business or the Company Portal app,
or the apps can be required and automatically installed without end user interaction.
The most common of these is the Office suite, which we will configure below.

a. In the Endpoint Manager admin center go to Apps>All apps>Add

b. Select Windows 10 under Office 365 Suite from the list

c. Here you can leave the default settings or white-label the name. After you are
done, click Next

d. Under Configuration settings format select Enter XML data
*Note* We are making this selection because we have M365 Business Premium
Plan. If we have a plan that comes with ProPlus (E3, E5, M365 E3, M365 E5) we
would select Configuration designer

e. Go to https://config.office.com/ and sign in with your admin credentials

f. Select your appropriate architecture and select Microsoft 365 Apps for business
from the dropdown

g. De-select any apps you do not want to deploy and choose Monthly for the
update channel and Latest for the version

h. Under Language select English or your primary language

i. Under the Licensing and activation section, turn Automatically accept the
EULA to On

j. Leave all other settings defaulted and click Export

k. Agree to the terms, name your file, and click Export

l. Open the XML file and copy the text

m. Back in the Microsoft portal, click Enter XML data, paste the text, and click Next

n. For Assignments, click Add all users under Required

o. When a user enrolls into Intune the XML file will be pushed and they will get Office
installed without any interaction
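Added example, not from the Pax8 guide: a PowerShell function that produces the Office Deployment Tool configuration the guide exports from config.office.com (Microsoft 365 Apps for business, Monthly channel, latest version, English, EULA auto-accepted), so the XML can be reviewed or regenerated per client instead of copied blindly. The XML elements are the documented ODT ones; the function name and parameters are this example's own.

```powershell
function New-OdtConfiguration {
    param(
        [ValidateSet('32', '64')] [string] $Architecture = '64',
        # 'Monthly' is the channel name the guide uses; newer ODT builds call the same channel 'Current'.
        [ValidateSet('Monthly', 'Current', 'MonthlyEnterprise', 'SemiAnnual')] [string] $Channel = 'Monthly',
        [string[]] $Languages = @('en-us'),
        # App IDs to leave out of the install, e.g. 'Groove' (legacy OneDrive for Business) or 'Lync' (Skype for Business).
        [string[]] $ExcludeApps = @()
    )
    $lines = @('<Configuration>')
    # No Version attribute on <Add> means "latest", matching the guide's choice.
    $lines += "  <Add OfficeClientEdition=`"$Architecture`" Channel=`"$Channel`">"
    # O365BusinessRetail is the product ID for Microsoft 365 Apps for business (Business Premium).
    $lines += '    <Product ID="O365BusinessRetail">'
    foreach ($lang in $Languages)  { $lines += "      <Language ID=`"$lang`" />" }
    foreach ($app in $ExcludeApps) { $lines += "      <ExcludeApp ID=`"$app`" />" }
    $lines += '    </Product>'
    $lines += '  </Add>'
    $lines += '  <Updates Enabled="TRUE" />'
    # Remove any MSI-based Office first so two editions do not end up side by side.
    $lines += '  <RemoveMSI />'
    # Level="None" plus AcceptEULA="TRUE" is what makes the Intune push silent, as step o describes.
    $lines += '  <Display Level="None" AcceptEULA="TRUE" />'
    $lines += '</Configuration>'
    $xmlText = $lines -join "`r`n"

    # Parse it back so a bad hand-edit fails here rather than on a user's device.
    $doc = [xml]$xmlText
    if ($doc.Configuration.Display.AcceptEULA -ne 'TRUE') {
        throw 'AcceptEULA must be TRUE for a no-interaction install'
    }
    return $xmlText
}

# The guide's choices: 64-bit, Monthly, latest, English, EULA accepted; legacy Groove/Lync left out.
$config = New-OdtConfiguration -Architecture '64' -Channel 'Monthly' -Languages 'en-us' -ExcludeApps 'Groove', 'Lync'
Set-Content -Path .\configuration.xml -Value $config -Encoding UTF8
$config
```

The text written to configuration.xml is what step m pastes into the Enter XML data box.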

ADDING THE MICROSOFT AUTHENTICATOR APP

The Microsoft Authenticator app is widely used for the MFA that comes with M365 Business
Premium. You can add this app in Intune so that it is immediately available for
download for your clients.

iOS

a. In the Endpoint Manager admin center go to Apps>All apps>Add

b. Under Store app>select iOS store app

c. Click Search the App Store, then search for “Microsoft Authenticator”
*NOTE* You will have to search for this text in its entirety for it to find this app

d. Select the app and click Configure under App Information. Say Yes for displaying
app in Company Portal. Leave all other settings defaulted

e. For Assignments, click Add all users under Required. Review and Create

Android

*Note* you will want to link a managed Google Play account for this client before
starting these steps. Click here to move to that section.

a. In the Endpoint Manager admin center go to Apps>All apps>Add

b. Select Managed Google Play app

c. Search for “Microsoft Authenticator” and select the app

d. Click Approve to add this app>Approve again and keep the default settings for
app permissions

e. Click Sync in the upper left corner

f. After the sync is complete the app will be listed

g. Click on the app>click Properties>click Edit under Assignments

h. Add all users under Required and click Review + save

SETTING UP TERMS AND CONDITIONS

As an Intune admin, you can require that users accept your company's terms and
conditions before enrolling their device via the Settings area or the Company
Portal app.

a. In the Endpoint Manager admin center, go to Tenant administration>Terms and
conditions>Create

b. Give a name and description

c. Define your terms

Ex. Summary of Terms

By enrolling your device, you agree to <Company X> terms and conditions.

Ex. Terms and Conditions

I acknowledge that by enrolling my device, <Company X> administrators have certain
types of control. This includes visibility into corporate app inventory, email usage, and
device risk. I further agree to keep company resources safe to the best of my ability
and inform <Company X> administrators as soon as I believe my device is lost or stolen.

d. Assign to All users>Create

ADD COMPANY BRANDING

Company branding allows you to white label the end user experience when they are
enrolling their device to Intune. This applies to both existing devices that are just now
enrolling and OOBE for new devices.

a. In the Endpoint Manager admin center, go to Tenant
administration>Customization>Edit

b. Enter Organization name and all other information you want to include. Choose
your theme and upload your logo. When done, click Review + save

c. Pax8 Example:

ENROLL DEVICES: WINDOWS

a. On the Windows 10 Device, click Start and type “Access work or school”

b. Click Connect

c. Click Join this device to Azure Active Directory

d. Sign in with the user’s Azure AD credentials

e. When prompted, click Join

f. You will get a success message when complete. If this is the first device the user is
enrolling, you will be first given Terms and Conditions to accept

g. Back in the Intune Portal, you can go to Devices>Windows>Windows devices to
see the devices enrolled and compliance status

h. You can click on Device status to see compliance status

*Note* It can take some time before the evaluation will complete. In this case, I
see the device I just joined as "Not Evaluated". We just have to wait for that to
complete.

Monitoring

I can come back in later to see that the device is still not compliant

a. Click on Device compliance

b. We can see the compliance policies are in error and can click to drill down
further. Here you can identify what part of the policy is not compliant on the
devices and take action to remediate. Here we see there is no firewall in place
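Added example, not from the Pax8 guide: a Graph PowerShell query that pulls the same per-setting failure detail the Device compliance blade shows, but for every noncompliant device at once, so the pilot group can be checked without clicking through each device. It assumes the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Authentication and Microsoft.Graph.DeviceManagement modules) and a read-only Intune permission; the function name is this example's own.

```powershell
function Get-PilotNoncompliance {
    param([switch] $Connect)
    if ($Connect) {
        # Read-only scope is enough for reporting; no write permission is requested.
        Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' | Out-Null
    }

    # Devices Intune has already evaluated and marked noncompliant. Devices still showing
    # "Not Evaluated" in the portal are not in this set yet; re-run after they sync.
    $devices = Get-MgDeviceManagementManagedDevice -All -Filter "complianceState eq 'noncompliant'"

    foreach ($d in $devices) {
        # Per-policy evaluation result for this device, including the state of each setting.
        $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($d.Id)/deviceCompliancePolicyStates"
        $policyStates = (Invoke-MgGraphRequest -Method GET -Uri $uri).value

        foreach ($policy in $policyStates) {
            # Keep only the settings that actually failed (e.g. the firewall setting in the guide's screenshot).
            $failed = @($policy.settingStates | Where-Object {
                $_.state -notin @('compliant', 'notApplicable', 'remediated')
            })
            foreach ($s in $failed) {
                [pscustomobject]@{
                    Device   = $d.DeviceName
                    Platform = $d.OperatingSystem
                    User     = $d.UserPrincipalName
                    LastSync = $d.LastSyncDateTime
                    Policy   = $policy.displayName
                    Setting  = $s.settingName
                    State    = $s.state
                }
            }
        }
    }
}

# One row per failing setting, grouped by device, for the pilot review.
Get-PilotNoncompliance -Connect | Sort-Object Device, Policy | Format-Table -AutoSize
```

An empty result right after enrollment usually means the first check-in has not completed yet, not that every device is compliant.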

ENROLL DEVICES: IOS AND ANDROID
iOS and Android device enrollment can be completed by downloading the “Intune
Company Portal” app from the Apple App store or Google Play store:

a. Users will be walked through a wizard after they enter their Azure AD credentials
which begins with the following:

b. For a detailed list of the entire user experience, you can follow this support guide
from Microsoft:

iOS

Android

PILOT TESTING AND REMEDIATION

During our pilot we want to discover:

• Common FAQs
• Whether we need to tighten or loosen our policies
• End user experience for communications to broad audience
• Common troubleshooting techniques for each platform

After this is complete, we want to create communications to our audience for
enrollment:

• Why is this service important?
• What pain points will it help them solve?
• What can end users expect?
• What are the steps to get my device enrolled?

Lastly, after we have this pushed out and a target date for deployment, we can go
back into the Device Management Admin Center and begin to add our groups to our
policies and profiles.

CONCLUSION

I hope this article provided you some targeted guidance on implementing Intune. Any
feedback to improve this guide further would be greatly appreciated and can be sent
to the following email:

[email protected]

For all other questions or additional assistance, please reach out to your CSA or our
support team:

Support (Existing Partners Only)

• Support: 1-855-884-7298 Ext. 3
• Email: [email protected]
• Hours: 24/7
