Microsoft 365 Mobility and Security (MS-101)
Contents
Implement Mobile Device Management (MDM)
Configure MDM integration with Azure AD - SCCM
Set an MDM Authority
Set Device Enrollment Limit for Users
Manage Device Compliance
Plan for Device Compliance
Implement Mobile Device Management (MDM)
Configure MDM integration with Azure AD - SCCM
Implement Modern Device Services (30-35%)
Implement Mobile Device Management (MDM) • Plan for MDM • Configure MDM integration with Azure AD • Set an MDM authority • Set device enrollment limit for users
Configure MDM integration with Azure AD - SCCM: Setup MDM integration using SCCM
Configure Client Settings to direct clients to register with Azure AD:
1. Open the Configuration Manager console > Administration > Overview > Client Settings, and then edit the Default Client Settings.
2. Select Cloud Services.
3. On the Default Settings page, set Automatically register new Windows 10 domain joined devices with Azure Active Directory to Yes.
4. Select OK to save this configuration.
This setting only tells domain-joined clients to register; hybrid Azure AD join itself must already be configured in Azure AD Connect, or the clients have nothing to register with.
Enable co-management in SCCM
When you enable co-management, you will want to assign a collection as a Pilot group.
This is a group that contains a small number of clients to test your co-management configurations.
I recommend you create a suitable collection before you start the procedure, so that you can select it without leaving the wizard to do so.
NOTE: Starting in Configuration Manager version 1906, you may need multiple collections since you can assign a different Pilot group for each workload.
To enable co-management starting in Configuration Manager version 1906, follow the instructions below:
1. In the Configuration Manager console, go to the Administration workspace, expand Cloud Services, and select the Co-management node. Click
Configure co-management in the ribbon to open the Co-management Configuration Wizard.
2. On the Subscription page of the wizard, configure the following settings:
• The Azure environment to use.
• Select Sign In. Sign in to your Intune tenant, and then select Next.
3. On the Enablement page, choose the following settings:
• Automatic enrollment into Intune - Enables automatic client enrollment in Intune for existing Configuration Manager clients. This option allows you to enable co-management on a subset of clients to initially test co-management, and roll out co-management in a phased approach. If a device is unenrolled by the user, it re-enrolls on the next evaluation of the policy.
  • Pilot - Only the Configuration Manager clients that are members of the Intune Auto Enrollment collection are automatically enrolled in Intune.
  • All - Enable automatic enrollment for all Windows 10, version 1709 or later, clients.
• Intune Auto Enrollment - This collection should contain all of the clients you want to onboard into co-management. It is essentially a superset of all the other staging collections.
• Intune Auto Enrollment - This collection should contain all of the clients you want to onboard into co-management. It's essentially a superset of all the other staging collections.
NOTE: Starting in version 1806, automatic enrollment is not immediate for all clients. This behavior helps enrollment scale better for large environments. Configuration Manager randomizes enrollment based on the number of clients.
Starting in version 1906: a new co-managed device automatically enrolls to the Microsoft Intune service based on its Azure Active Directory (Azure AD) device token. It does not need to wait for a user to sign in to the device for auto-enrollment to start. This change helps to reduce the number of devices with the enrollment status Pending user sign in. To support this behavior, the device needs to be running Windows 10, version 1803 or later. If you already have devices enrolled to co-management, new devices now enroll immediately once they meet the prerequisites.
4. For internet-based devices that are already enrolled in Intune, copy and save the command line on the Enablement page. You will use this command line to install the Configuration Manager client as an app in Intune for internet-based devices.
NOTE: If you do not save this command line now, you can review the co-management configuration at any time to get this command line.
5. On the Workloads page, for each workload, choose which device group to move over for management with Intune. If you only want to enable co-management, you do not need to switch workloads now. You can switch workloads later.
• Pilot Intune - Switches the associated workload only for the devices in the pilot collections you will specify on the Staging page. Each workload can have a different pilot collection.
• Intune - Switches the associated workload for all co-managed Windows 10 devices.
6. On the Staging page, specify the pilot collection for each of the workloads that are set to Pilot Intune.
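Once the wizard has run, the first thing to check on a pilot client is whether the prerequisites from this procedure are actually in place: hybrid Azure AD join (from the client setting above), an MDM enrollment URL, and which workloads the co-management policy has really moved. The PowerShell below is an added example written for these notes, not Microsoft's code. It assumes the "Name : Value" line format of dsregcmd /status, the CoManagementFlags REG_DWORD under HKLM:\SOFTWARE\Microsoft\CCM, and the per-workload bit values as documented for co-management monitoring (1 = enabled, 2 = compliance policies, 4 = resource access, 8 = device configuration, 16 = Windows Update, 32 = Endpoint Protection, 64 = client apps, 128 = Office Click-to-Run). The status text and flag value embedded in the block are constructed so that it runs offline; the commented lines show the live calls.

```powershell
# Added example for these notes (not Microsoft's code). Assumptions are marked inline.

function ConvertFrom-DsregStatus {
    # Parse the "Name : Value" lines that dsregcmd /status prints into a hashtable.
    # Assumption: that line format; box-drawing and blank lines are skipped.
    param([Parameter(ValueFromPipeline)][string[]]$Lines)
    begin { $status = @{} }
    process {
        foreach ($line in $Lines) {
            if ($line -match '^\s*([^:|+]+?)\s*:\s*(.*?)\s*$') {
                $status[$Matches[1]] = $Matches[2]
            }
        }
    }
    end { $status }
}

function Expand-CoManagementFlags {
    # Decode the CoManagementFlags bitmask into workload names.
    # Assumption: bit values as documented for co-management monitoring
    # (1 = co-management enabled; the other bits are workloads switched to Intune).
    param([Parameter(Mandatory)][int]$Flags)
    $map = @(
        @{ Bit = 1;   Name = 'CoManagementEnabled' },
        @{ Bit = 2;   Name = 'CompliancePolicies' },
        @{ Bit = 4;   Name = 'ResourceAccessPolicies' },
        @{ Bit = 8;   Name = 'DeviceConfiguration' },
        @{ Bit = 16;  Name = 'WindowsUpdatePolicies' },
        @{ Bit = 32;  Name = 'EndpointProtection' },
        @{ Bit = 64;  Name = 'ClientApps' },
        @{ Bit = 128; Name = 'OfficeClickToRunApps' }
    )
    foreach ($entry in $map) {
        if ($Flags -band $entry.Bit) { $entry.Name }
    }
}

function Test-CoManagementState {
    # Combine both sources into one readiness object. A client must be hybrid Azure AD
    # joined (DomainJoined and AzureAdJoined both YES) and have an MDM enrollment URL
    # before the co-management policy can do anything with it.
    param([Parameter(Mandatory)][hashtable]$Status, [Parameter(Mandatory)][int]$Flags)
    $decoded = @(Expand-CoManagementFlags -Flags $Flags)
    [pscustomobject]@{
        HybridAzureAdJoined = ($Status['DomainJoined'] -eq 'YES' -and $Status['AzureAdJoined'] -eq 'YES')
        MdmEnrollmentUrl    = $Status['MdmUrl']
        CoManagementEnabled = ($decoded -contains 'CoManagementEnabled')
        IntuneWorkloads     = ($decoded | Where-Object { $_ -ne 'CoManagementEnabled' }) -join ', '
    }
}

# Constructed sample input so the block runs offline. On a real client use instead:
#   $status = dsregcmd /status | ConvertFrom-DsregStatus
#   $flags  = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\CCM' -Name CoManagementFlags).CoManagementFlags
$sampleStatusText = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
'@
$sampleStatus = $sampleStatusText -split "`r?`n"

# 73 = 1 + 8 + 64: co-management enabled, Device configuration and Client apps moved to Intune.
$sampleFlags = 73

Test-CoManagementState -Status ($sampleStatus | ConvertFrom-DsregStatus) -Flags $sampleFlags | Format-List
```

Run it against a pilot device before switching any workload: a device that shows HybridAzureAdJoined False or an empty MdmEnrollmentUrl will sit in the Pending user sign in or not-enrolled state no matter what the wizard says, and the decoded IntuneWorkloads list is the quickest way to confirm that a Pilot Intune workload really moved only for the staging collection you chose.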
Set an MDM Authority
Set an MDM authority:
What is an MDM authority? It determines which management service (and therefore which console) you administer devices from.
NOTE: Before you can enable device enrollment, you must set an MDM authority.
3 options:
a. Intune (standalone)
b. Intune Hybrid with Configuration Manager (retired as of September 2019)
c. MDM for Office 365
What about changing an MDM authority once it is set?
2 options:
a. Intune Hybrid allowed changing from Intune standalone to Configuration Manager, or vice versa
b. MDM for Office 365 allows changing from Office 365 to Intune standalone
Set Device Enrollment Limit for Users
Set device enrollment limit for users:
As an Intune administrator, you can create and manage enrollment restrictions that define what devices can enroll into management with Intune, including the:
• number of devices
• operating systems and versions
You can create multiple restrictions and apply them to different user groups.
The specific enrollment restrictions that you can create include:
• Maximum number of enrolled devices
• Device platforms that can enroll:
  Android device administrator
  Android Enterprise work profile
  iOS
  macOS
  Windows
  Windows Mobile
• Platform operating system version for iOS, Android device administrator, Android Enterprise work profile, Windows, and Windows Mobile. (Only Windows 10 versions can be used. Leave this blank if Windows 8.1 is allowed.)
• Restrict personally owned devices (iOS, Android device administrator, Android Enterprise work profile, macOS, Windows, and Windows Mobile only).
Default restrictions:
Default restrictions are automatically provided for both device type and device limit enrollment restrictions. You can change the options for the defaults. Default restrictions apply to all user and userless enrollments. You can override these defaults by creating new restrictions with higher priorities.
Create a device type restriction:
Under Versions, choose the minimum and maximum versions that you want the allowable platforms to support.
Version restrictions only apply to devices enrolled with the Company Portal. Supported version formats include:
• Android device administrator and Android Enterprise work profile support major.minor.rev.build.
• iOS supports major.minor.rev. Operating system versions do not apply to Apple devices that enroll with the Device Enrollment Program, Apple School Manager, or the Apple Configurator app.
• Windows supports major.minor.rev.build for Windows 10 only.
NOTE: Windows 10 reports only major.minor.build during enrollment, not the fourth (revision) component. A minimum such as 10.0.17134.100 therefore blocks a device that is actually running 10.0.17134.174, because the device reports 10.0.17134, which compares below the minimum. State Windows minimums at build level (10.0.17134) instead.
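Because that note is the one caveat people hit in practice, here is the comparison worked through. This PowerShell is an added example for these notes, not Intune's code; it assumes that Intune compares versions the way System.Version does (an absent component sorts below any present one) and that a Windows 10 client reports major.minor.build with the revision dropped. Test-EnrollmentVersion and the version values are constructed for illustration.

```powershell
# Added example (not Intune's code). Assumption: min/max are compared as System.Version
# values, and an absent fourth component compares as -1, below any present revision.

function Test-EnrollmentVersion {
    # Decide whether a reported OS version passes a min/max restriction.
    param(
        [Parameter(Mandatory)][version]$Reported,  # what the device sends at enrollment
        [version]$Minimum,                         # $null = no lower bound
        [version]$Maximum                          # $null = no upper bound
    )
    if ($Minimum -and $Reported -lt $Minimum) { return "BLOCKED ($Reported is below minimum $Minimum)" }
    if ($Maximum -and $Reported -gt $Maximum) { return "BLOCKED ($Reported is above maximum $Maximum)" }
    return "ALLOWED ($Reported)"
}

$actual   = [version]'10.0.17134.174'   # constructed: what the device really runs (1803, revision 174)
$reported = [version]'10.0.17134'       # what Windows 10 sends: the revision is dropped

# 1. Admin intent: "1803 at revision 100 or later". The device meets it, yet is blocked,
#    because 10.0.17134 (revision -1) sorts below 10.0.17134.100.
Test-EnrollmentVersion -Reported $reported -Minimum '10.0.17134.100'

# 2. Fix: state the floor at build level, which the device does report.
Test-EnrollmentVersion -Reported $reported -Minimum '10.0.17134'

# 3. The same truncation cuts the other way on a maximum: a revision-level ceiling admits
#    a device whose real revision is already past it, so a Windows maximum is only
#    meaningful at build level too.
Test-EnrollmentVersion -Reported $reported -Maximum '10.0.17134.100'   # what Intune sees
Test-EnrollmentVersion -Reported $actual   -Maximum '10.0.17134.100'   # what you intended
```

The practical rule that falls out of this: on Windows, write both bounds with three components, and use a compliance policy (which evaluates the full version after enrollment) rather than an enrollment restriction when you need to enforce a particular cumulative update.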
Create a device limit restriction:
Device limit restrictions do not apply for the following Windows enrollment types:
• Co-managed enrollments
• GPO enrollments
• Bulk Azure Active Directory joined enrollments
• Autopilot enrollments
• Device Enrollment Manager enrollments
Device limit restrictions are not enforced for these enrollment types because they are considered shared device scenarios. You can set hard limits for these enrollment types in Azure Active Directory.
Blocking personal Android devices:
If you block personally owned Android device administrator devices from enrollment, personally owned Android Enterprise work profile devices can still enroll.
By default, your Android Enterprise work profile devices settings are the same as your settings for your Android device administrator devices. After you change your Android Enterprise work profile or your Android device administrator settings, that's no longer the case.
If you block personal Android Enterprise work profile enrollment, only corporate-owned Android devices can enroll with Android Enterprise work profiles.
Blocking personal Windows devices:
If you block personally owned Windows devices from enrollment, Intune checks to make sure that each new Windows enrollment request has been authorized as a corporate enrollment.
Unauthorized enrollments will be blocked.
The following methods qualify as being authorized as a Windows corporate enrollment:
• The enrolling user is using a device enrollment manager account.
• The device enrolls through Windows Autopilot.
• The device is registered with Windows Autopilot and enrolls by a method other than the MDM enrollment only option from Windows Settings.
• The device’s IMEI number is listed in Device enrollment > Corporate device identifiers. (Not supported for Windows Phone 8.1.)
• The device enrolls through a bulk provisioning package.
• The device enrolls through GPO, or automatic enrollment from SCCM for co-management.
The following enrollments are marked as corporate by Intune. But since they do not give the Intune administrator per-device control, they will be blocked:
• Automatic MDM enrollment with Azure Active Directory join during Windows setup^.
• Automatic MDM enrollment with Azure Active Directory join from Windows Settings.
The following personal enrollment methods will also be blocked:
• Automatic MDM enrollment with Add Work Account from Windows Settings^.
• MDM enrollment only option from Windows Settings.
^ These will not be blocked if the device is registered with Autopilot.
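Pulling this section together: the two restriction types described above (a device limit, and a Windows device type restriction that blocks personal enrollment and sets a build-level minimum) can be created through Microsoft Graph and assigned to a pilot group instead of being clicked through in the portal, which makes them reviewable and repeatable. This PowerShell is an added example for these notes, not Microsoft's code. It assumes the Microsoft.Graph PowerShell SDK (Connect-MgGraph, Invoke-MgGraphRequest), the DeviceManagementServiceConfig.ReadWrite.All scope, the deviceEnrollmentLimitConfiguration and deviceEnrollmentPlatformRestrictionsConfiguration resource types with the property names shown, and the assign and setPriority actions on the v1.0 endpoint; the group id, display names and limit are constructed placeholders.

```powershell
# Added example (not Microsoft's code). Assumptions: Microsoft.Graph SDK installed, the Graph
# resource types and properties named below exist as shown, and a real pilot group id replaces
# the placeholder.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All'

$base         = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations'
$pilotGroupId = '00000000-0000-0000-0000-000000000000'   # constructed placeholder

function New-EnrollmentConfiguration {
    # POST one enrollment configuration and return the created object (with its id).
    param([Parameter(Mandatory)][hashtable]$Body)
    Invoke-MgGraphRequest -Method POST -Uri $base -ContentType 'application/json' `
        -Body ($Body | ConvertTo-Json -Depth 5)
}

# 1. Device limit restriction: at most 3 devices per user. Co-managed, GPO, bulk-join,
#    Autopilot and DEM enrollments ignore this limit (see above), so it only bounds
#    user-driven enrollments.
$limitConfig = New-EnrollmentConfiguration -Body @{
    '@odata.type' = '#microsoft.graph.deviceEnrollmentLimitConfiguration'
    displayName   = 'Pilot - 3 devices per user'
    description   = 'Created by script'
    limit         = 3
}

# 2. Device type restriction for Windows: corporate enrollments only (the authorized
#    methods listed above), with a build-level minimum because Windows does not report
#    the revision at enrollment.
$platformConfig = New-EnrollmentConfiguration -Body @{
    '@odata.type'      = '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration'
    displayName        = 'Pilot - corporate Windows 10 only'
    description        = 'Created by script'
    windowsRestriction = @{
        platformBlocked                 = $false
        personalDeviceEnrollmentBlocked = $true
        osMinimumVersion                = '10.0.17134'
    }
    windowsMobileRestriction = @{ platformBlocked = $true }
}

# 3. Assign both to the pilot group and place them above the defaults
#    (a lower priority number wins).
$assignment = @{
    enrollmentConfigurationAssignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $pilotGroupId } }
    )
}
$priority = 1
foreach ($cfg in @($limitConfig, $platformConfig)) {
    Invoke-MgGraphRequest -Method POST -Uri "$base/$($cfg.id)/assign" -ContentType 'application/json' `
        -Body ($assignment | ConvertTo-Json -Depth 5)
    Invoke-MgGraphRequest -Method POST -Uri "$base/$($cfg.id)/setPriority" -ContentType 'application/json' `
        -Body (@{ priority = $priority } | ConvertTo-Json)
    $priority++
}

# 4. Read back the full set, highest priority first, to confirm the defaults now sit below
#    the pilot restrictions.
(Invoke-MgGraphRequest -Method GET -Uri $base -OutputType PSObject).value |
    Sort-Object priority |
    Select-Object displayName, priority, '@odata.type'
```

Keep the read-back step: priority is what decides which restriction a user actually gets when several apply, and the default restrictions stay in place underneath whatever you create.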
Manage Device Compliance
Plan for Device Compliance
Compliance is all about ensuring that the devices accessing your environment meet a specific set of requirements.
What are the pre-requisites for compliance?
Subscriptions: compliance depends on BOTH Azure AD and Intune. Minimum: an Intune standalone subscription and Azure AD Premium P1 (P1 is what lets Conditional Access act on a device's compliance state).
Platform (OS) Support:
• Android
• Android Enterprise
• iOS
• macOS
• Windows Phone 8.1
• Windows 8.1
• Windows 10