Ms-IntuneTutorial

Device Enrollment

 To use this mobile device management (MDM), the devices must first be enrolled in the Intune
service. When a device is enrolled, it is issued an MDM certificate. This certificate is used to
communicate with the Intune service.
 Enrolling IOS Devices in Intune
 Dole Europe Employee are allowed a maximum of 5 Enrollement Devices, Iphone, Ipad Tablet per user
 We are currently using DEP(Deployment Enrollement Program) To enroll all Dole IOS COD`s(Corporate-Owned Devices) Devices in Intune.
 Dole Devices Purchase Through Apple Dep will be automatically Enrolled with device serial number in Intune and devices Purchased without Dep will be Enrolled with Apple
configurator and device serial number into DEP/Intune using Macbook Pro Laptop
 Dole Devices that are purchased and automatically enrolled in DEP can be sent to Remote users. When the user turns on the device, Setup Assistant runs with preconfigured settings
and the device enrolls into Intune Device management.
 Unlike the Previous MDM Solution, Dole Europe IOS devices are no longer required to enroll their COD`s in Intune using Apple ID but allowed to use their Personal Apple ID with
COD´s
 Company Portal applications on COD´s DEP device are automatically pushed to the device by VPP( Volume Purchased Program in the Apple Device Manager:
 As part of Apple Device Enrollment Program (DEP).All COD´s are under Supvised Mode
 When a device is enrolled, it is issued an MDM certificate. This certificate is used to communicate with the Intune service.
 The MDM certificate is renewed automatically when mobile devices are communicating with the Intune service. If mobile devices are wiped, or they fail to communicate with the Intune
service for some period of time, the MDM certificate is not renewed. The device is removed from the Azure portal 180 days after the MDM certificate expires
 Dole Users with Private Devices will be allowed to Enroll devices by downloading,Install and run the Company Portal App
DOLE EU INTUNE GROUPS
Before users are enrolled in Intune the must be belong to either of the 3 groups below..

EU-OKTA-O365-INTUNE
This user AD group belongs to all Dole
Europe who are Licensed to user Msintune.
All Intune users must belong to this user
Group. We currently have 20 Ms-Intune
Licence and Plan to have more Intune
Licenses in the Future.
MDM POLICY-DOLE
EUROPE
This user group is for all Ms-Intune users
who are licensed to have and use Ms-Intune
ALL Auto Deployed Application.
Users of this group are allowed to have all
authorized apps for MS-Intune.
MDM POLICY DOLE USERS EUROPE
This user group is for all Ms-Intune users
who are licensed not to have and use Ms-
Intune Auto Deployed Application.
Users of this group are allowed to have
ONLY required apps for MS-Intune.

MDM BYOD USERS EUROPE

This Group are for Dole Europe Employees
who are using Private Devices to access Dole
Email and other Dole Company Apps and
resources.

Members of this Group will be allowed to

enroll their personal device using Company
Portal Website or download Company portal
App.Link will also be provided for online
enrollement Link
ENROLLED DEVICES USING APPLE CONFIGURATOR FOR
MS-INTUNE
This step will required IMAC or Macbook Pro laptop if the device or devices are not purchased under DEP. To
manually prepare devices for DEP follow the steps below…..

 Connect ios Device to the Macbook pro

with usb cable and verify that the device
is connect to macbook pro Laptop.
 Open Apple configurator and right click
on the Device and select Prepare or click
once on the device and click Prepare on
the taskbar.
2).Specify the Configuration Type as Manual. If you wish to add mobile devices into your Device Enrollment Program (DEP) portal, enable the Enable the Device
Enrollment Program option.

3). Add the the Ms-Intune MDM Server name (MS-INTUNE IOS) as the server name
4).Add the new server details by specifying the Server Name and Enrollment URL. Enrollment URL, which is configured in the MDM server
4). Once you've entered your Name and Host name / URL press Next and The select Apple Certificate
5).In this and the next step you will create a new organization, this will be shown on the Settings > General > About page of the iPad, this cannot be changed
without erasing the device
6).Select Generate a new supervision identity (This identity can be used to import to different macOS devices to managed your devices) and press
next
7).In the next Page sign in with Dole Apple ID or enter Dole DEP account credentials ([email protected]) to add the Device in to DEP
8). In this step you select which steps will be presented to the user in the Setup assistant on the iPad or IPhone. You can select some steps, all steps
and no steps from the drop down menu. Select which steps you want to show and press Prepare. Allow the device to be prepared for DEP and once it
is done the Device will be automatically restarted.
9.)Next step will be to logging to the DEP apple manage to https://business.apple.com/#main/assignmenthistory and verify that the device has being
assinged into DEP…See Reference Below
10).Adding and assign Devices serial Number to the MDM Server In DEP

 As Previous stated, Devices purchased by Dole Europe without DEP can be added and Managed in Intune by adding the devices serial number with Apple
Configurator in DEP.
 To add a non DEP Company Purchased in DEP for Intune, Do The following
 Logging to https://business.apple.com/ with your DEP Logging email address and Password
 Go to Deployment Programs > Device Enrollment Program > Manage Devices.
 Under Choose Devices By, specify how devices are identified

 From the Choose Action, choose Assign to Server, choose the <Server Name(MS-INTUNE IOS> specified for Microsoft Intune, and then choose OK. The Apple
portal assigns the specified devices to the Intune server for management and then displays Assignment Complete.
 In the Apple device manager portal, go to Deployment Programs > Device Enrollment Program > View Assignment History to see a list of devices and their MDM
server assignment.
11).Once the Device has being verifed and the Serial number assing to the MDM Intune server which will now have permission to manage the device,You can
logging into Ms-intune Portal to sync with Apple Dep to see your manager devices in Ms-Intune in the Azure Portal.
MANAGING MS-INTUNE DEVICES
 Sign in to MS-Intune.
 Select Devices. This view shows detailed information about the individual devices, and what you can do with them, including as follows
 Overview shows a visual snapshot of the enrolled devices, and also shows how many devices are using the different platforms, including
Android, iOS, and more.
 All devices shows a list of the enrolled Dole Europe devices we manage.
 Use the Export feature to create a .csv list of all the devices, in increments of 10,000 (Internet Explorer) or 30,000 (Microsoft Edge,
Chrome).
 Select any device to view additional details about that device, including hardware details, installed apps, its compliance policy status, and
more.
 Azure AD devices shows a list of the devices registered or joined with Azure Active Directory (Azure AD).
 Device actions includes a history of the remote actions ran on different devices, including the action, its status, who initiated the action, and
the time.
 Audit logs is a record of activities that generate a change in Intune. Audit logs provides more details.
 TeamViewer Connector is a service that allows Dole users of Intune-managed devices to get remote assistance from IT Service Desk.
( Currently not configured)
MANAGING DEVICE ACTIONS IN MS-INTUNE
1). The Retire action removes managed app data (where applicable), settings, and email profiles that were
1. Retire assigned by using Intune. The device is removed from Intune management.
2. Wipe 2). The Wipe action restores a device to its factory default settings. The user data is kept if you choose the
Retain enrollment state and user account checkbox. Otherwise, all data, apps, and settings will be
3. Remote lock removed same as retire action.

3). The Remote lock device action locks the device. To unlock the device, the device owner enters their
4. Reset passcode passcode.
5. Bypass Activation Lock (iOS only) 4).Reset Device passcode

6. Lost mode (iOS only) 5). The Intune Bypass Activation Lock remote device action removes the Activation Lock from an iOS
device without requiring the user’s Apple ID and password.
7. Locate device (iOS only) 6). The Lost mode device action helps you enable lost mode on lost or stolen iOS devices. This mode lets
you enter a message and a phone number that appears on the lock screen of the device. To use lost mode,
8. Restart (Supervised only) the device must be a corporate-owned iOS device that is in supervised mode.

9. Shutdown (Supervised only) 7). To get the location of a lost or stolen iOS device on a map, use the Locate device action. The device
must be in supervised mode. Before you use this action, be sure the device is in lost mode.
10. Synchronize device 8).Dole IOS Devices can be remotely Restarted using this Action.

11. Revoke licences 9).Dole IOS Devices can be remotely shutdown, Device must be in Supervised Mode

10). The Sync device action forces the selected device to immediately check in with Intune. When a device
12. Locate device(Supervised) checks in, it immediately receives any pending actions or policies that have been assigned to it.
13. Play Lost Mode 11). Revoke all Ms-Intune Licenses
Sound(Supervised) 12). To get the location of a lost or stolen iOS device on a map, use the Locate device action. The device
must be in supervised mode. Before you use this action, be sure the device is in lost mode.
14. Rename Device (Supervised)
13). If someone has lost their iOS 9.3 or later device, you can remotely trigger the device to play an alert
15. Logout Current User sound so the user can find it. The device must be in lost mode.

14).Renamed an Enrolled Dole Ms-Intune Managed Device.

15).The Logout current user action logs out the current user on a shared iPad device.
Removing iOS device from MS-Intune.
*When you remove iOS device from Intune, The device will no longer be able to access company resources and will no longer be managed by Intune*

*Note*Before you remove an Intune user from Azure Active Directory (Azure AD), use the Wipe or Retire actions for all devices that are associated
with that user. If you remove users that have managed devices from Azure AD, Intune can no longer wipe or retire those devices.

*Note*All Dole Europe Company Owned device are enrolled using DEP, lWhich means user cannot un manage the device even when factory reset. To
Un manage the device and remove the device from MDM Intune Server, use the following below or go to IT SharePoint site to watch Video

1. Log in Ms-Intune Admin Console Choose Devices > All devices > choose the device > Retire .
2. Sign in to the Intune in the Azure portal.
3. Go to deploy.apple.com and search the device by its serial number
4. In the Assigned to menu, choose Unassigned
5. Choose Reassign
Deleting Devices from Azure AD
*Note* You might need to delete devices from Azure AD due to communication issues or missing devices. You can use the Delete action to remove
device records from the Azure portal for devices that you know are unreachable and unlikely to communicate with Azure again. The Delete action
doesn't remove a device from Ms-Intune management.

 Sign in to Azure Active Directory in the Azure portal by using your admin credentials. You can also sign in to the Microsoft 365 admin
center. From the menu, select Admin centers > Azure AD.
 Select Azure Active Directory, and then select your organization.
 Select the Users tab.
 Select the user that's associated with the device that you want to delete.
 Select Devices.
 Remove devices as appropriate. For example, you might remove devices that are no longer in use, or devices that have inaccurate
definitions.
Apps Managment in Ms-Intune/MMA
Note* All Dole Europe Application Device management is manage solely by Apple VPP(Volume Purchase management) and deployed automatically
once the ios Device is enrolled in Ms-intune without Apple ID.Dole Europe Users has also the option to ask for any specific Applicatiion and that will
be approved by management and deployed automatically to the device.

To Purchase and deploy approved Licensed Application for Dole Employees, Pls follow this steps below…
1).Logging to Apple device manager https://business.apple.com/
2).Enter your assigned Apple manager ID and password
3).Click on Apps and books
4).Type the name of the Application
Apps Managment in Ms-Intune/MMA
 Apps Managment in Ms-Intune/MMA

Once you click on get, the Vpp Will automatically added to Dole Europe Available Apps/License in Apple device manager and also in Ms-intune and to the required groups of users

In an event that applications fail to deploy or sync to the device, Pls logging in Ms-Intune and follow the steps Below to remedy the Issue
Assign apps to groups in Microsoft Intune
Note*
After adding or odering Apps Via the Apple Device Manager/VPP, Loging to Microsoft Intune to verify that the apps are present in Intune. you can
assign the app to users and devices. It is important to note that you can assign an app to a device whether or not the device is managed by Intune.

 Sign in to Intune.
 In the Intune pane, select Client apps.
 In the Manage section of the menu, select Apps.
 In the Apps pane, select the app you want to assign.
 In the Manage section of the menu, select Assignments.
 Select Add Group to open the Add group pane that is related to the app.
 For the specific app, select an assignment type:
 Available for enrolled devices: Assign the app to groups of users who can install the app from the Company Portal app or website.
Available with or without enrollment: Assign this app to groups of users whose devices are not enrolled with Intune. Users must be assigned an Intune license, see Intune Licenses.

Required: The app is installed on devices in the selected groups. Some platforms may have additional prompts for the end user to acknowledge before app installation begins.

Uninstall: The app is uninstalled from devices in the selected groups if Intune has previously installed the application onto the device via an "Available for enrolled devices" or "Required" assignment using the same deployment. Web links cannot be removed after
deployment.

 To select the groups of users that are affected by this app assignment, select Included Groups.
 After you have selected one or more groups to include, select Select.
 In the Assign pane, select OK to complete the included groups selection.
 If you want to exclude any groups of users from being affected by this app assignment, select Exclude Groups.
 If you have chosen to exclude any groups, in Select groups, select Select.
 In the Add group pane, select OK.
 In the app Assignments pane, select Save.