Intune Device Management - Workshop
Uploaded by palominosempre

Intune Device Management Workshop

Workshop Objective
During this workshop we will set architecture and design options for the Mobile Device Management capability of the Modern Device Management implementation project.
Introduction
MDM Design Workshop – Content details
• Overview: Enterprise Mobility Management, Device Lifecycle, Solution Architecture, Supported Device Platforms
• Preparation: Microsoft Intune Subscription, Infrastructure, Configuration, Certificates
• Mobile Device Management: Enroll, Provision, Manage & Protect, Retire

Overview
Enterprise Mobility Management | Device Lifecycle | Solution Architecture | Supported Device Platforms
Enterprise Mobility Management with Microsoft Intune
Microsoft Intune covers three areas, serving both users and IT:
• Mobile device management
• Mobile application management
• Computer management
Help organizations enable their users to be productive on the devices they love while helping ensure corporate assets are secure.
Device Lifecycle
Enroll:
• Provide a self-service Company Portal for users to enroll devices
• Deliver custom terms and conditions at enrollment
• Bulk enroll devices using Apple Configurator or a service account
• Restrict access to Exchange email if a device is not enrolled
Provision:
• Deploy certificates, email, VPN, and Wi-Fi profiles
• Deploy device security policy settings
• Install mandatory apps
• Deploy app restriction policies
• Deploy data protection policies
Manage and Protect:
• Restrict access to corporate resources if policies are violated (e.g., jailbroken device)
• Protect corporate data by restricting actions such as copy/cut/paste/save outside of the managed app ecosystem
• Report on device and app compliance
Retire:
• Revoke access to corporate resources
• Perform selective wipe
• Audit lost and stolen devices
Solution Architecture
Microsoft Intune Standalone Configuration
Devices connect over the Internet directly to the cloud services: Intune, O365, Azure AD.

Solution Architecture
Intune Hybrid Configuration Manager
• Cloud services: Intune, O365, Azure AD
• Mobile devices reach the DMZ over the Internet; the DMZ holds the external firewall, a reverse proxy and an ADFS proxy, behind which sits the internal firewall
• Internal network, Configuration Manager: Intune Connector
• Internal network, Identity Management: AD/ADFS, Azure AD Connect
• Internal network, Exchange: Exchange 2010/2013 (On-Prem only), Exchange Connector (Optional)
• Internal network, SCEP: CA, NDES / NDES Connector (Cert Enrollment Only)
Supported Device Platforms
Overview: Devices can be directly managed by Microsoft Intune or through Exchange ActiveSync. The Modern Device Management project will use direct management to provide an increased feature set and increased access to resources.
Supported Mobile Device Platforms – direct management for mobile devices is supported for the following platforms:
• Apple iOS 10.0 and later
• Mac OS X 10.12 and later
• Google Android 4.4 and later (including Samsung KNOX Standard 4.4 and higher)*, Android Enterprise
• Windows Phone 8.1 and later
• Windows 8.1 RT
• PCs running Windows 8.1
• PCs running Windows 10 (Home, Pro, Education, and Enterprise versions)
Supported Computer Device Platforms – the following operating systems can be managed using the Microsoft Intune client:
• Windows 7 (Professional, Enterprise, Ultimate)
• Windows 8/8.1 (Pro, Enterprise)
• Windows 10 (Pro, Enterprise)
Preparation
Microsoft Intune Subscription | Infrastructure | Configuration | Certificates

Microsoft Intune Subscription
Options
Overview: Microsoft Intune can be configured in a cloud or hybrid configuration
• Hybrid configuration connects to System Center Configuration Manager (2012 R2, 1511 or higher)
• The Modern Device Management Foundation will configure Microsoft Intune as a cloud Stand-Alone configuration
Subscription Options – three subscription options:
• Intune only subscription
• Enterprise Mobility + Security E3
• Enterprise Mobility + Security E5
License Agreement – two license agreement options:
• Microsoft Online Subscription Program – recommended for organizations with fewer than 250 users
• Enterprise Agreement – recommended for organizations with more than 250 users
Infrastructure
Pre-Requisites – Intune Standalone
Infrastructure Pre-Requisites: There are no infrastructure pre-requisites for an Intune Cloud-Only configuration

Infrastructure
Pre-Requisites – Hybrid solution
Infrastructure Pre-Requisites: Supported and healthy System Center Configuration Manager environment (2012 R2 or higher, latest version is preferred)

Infrastructure
Pre-Requisites – Microsoft Recommended Practice
On-premises Pre-Requisites:
• Certificate Authority (Microsoft Enterprise Subordinate CA)
• Windows Server 2012 R2 (or newer) server(s) to host the NDES role + Microsoft Intune NDES Connector (only for Cloud only solutions) + Application Proxy
• On-premises Active Directory synchronized with Azure Active Directory
• Firewall/Proxy server modification to allow Microsoft Intune connectivity
• Configuration Manager (only for hybrid solutions) + CRP
Public Company Domain: All user accounts must have a publicly verifiable domain name that can be verified by Microsoft Intune. Microsoft Intune can support multiple domains
Public Domain UPN: Before synchronizing Active Directory user accounts, verify that user accounts have a public domain UPN
Infrastructure
Dependencies – Intune Standalone
Manage and Protect:
• No existing infrastructure necessary
• No existing Configuration Manager deployment required
• Simplified policy control
Intune web console:
• Simple web-based administration console
• Faster cadence of updates
• Always up-to-date
Device enrollment supported (mobile devices and PCs):
• Windows 10, Windows 8.1
• Windows 10 Mobile, Windows Phone 8.1
• iOS
• Android
• Mac OSX
Configuration
Company Portal
Overview: The Microsoft Intune company portal provides users access to company data and apps. Users can access the company portal by using:
• Company portal app: An application that is available on devices you manage with Intune
• Company portal website: A website that provides access from a supported web browser
Purpose: Users can use the company portal to:
• Enroll devices
• View the status of their devices
• Download software deployed by the company
• Contact the IT department for support
Customization: Customizations for the Company Portal include:
• Company name
• URL to company privacy documentation
• Color scheme for Company Portal (RGB)
• Company Logo (400 x 100 pixels)
• IT Department information
Configuration
Application Proxy – Microsoft Recommended Practice
Overview: Microsoft Intune devices will need certificates to access company resources. An application proxy provides a way for internet-connected devices to communicate securely with the corporate network to achieve this goal.
Azure AD Application Proxy (cloud-based solution):
• Enables applications such as NDES inside the private network to be accessed securely by users over the internet. Users can log into company applications on Microsoft Intune managed devices
• The Azure AD Application Proxy connector only installs on a Windows Server 2012 R2 or later operating system
Web Application Proxy + ADFS (on-premises solution):
• Requires more infrastructure and a Windows Server 2012 R2 or later OS to provide Web Application Proxy functionality
• Recommended for customers in scenarios where ADFS 2012 R2 or later is already configured
Certificates
Overview – Intune Standalone
Windows Phone: A Symantec Enterprise Mobile Code Signing Certificate is needed to:
• Support the Company Portal app for Windows Phone 8.0
• Deploy company apps to Windows Phone 8.1
You cannot use a certificate issued by your own certification authority because only the Symantec certificate is trusted by Windows Phone devices
iOS: An Apple Push Notification service certificate is required to allow Microsoft Intune to manage iOS devices

Certificates
Overview – Microsoft Recommended Practice
Overview: Certificates allow Intune to establish an accredited and encrypted IP connection as well as app-signing to help protect devices from malware
Infrastructure Certificates:
• Certificate Template – Configured on the CA to support Intune managed mobile devices
• Client authentication certificate – Installed on the NDES server
• Server authentication certificate – Installed on the NDES server*
• Trusted Root CA certificate – To export to Microsoft Intune
Windows Phone: A Symantec Enterprise Mobile Code Signing Certificate is needed to:
• Support the Company Portal app for deployment to Windows PCs, Windows 10 Mobile devices, and Windows Phone devices
• Sign company line-of-business apps so Intune can deploy them to Windows devices
You cannot use a certificate issued by your own certification authority because only the Symantec certificate is trusted by Windows Phone devices
iOS: An Apple Push Notification service certificate is required to allow Microsoft Intune to manage iOS devices
*If NDES is required, use the NDES module for implementation design
Mobile Threat Detection
Overview – Intune Standalone
Overview: Control mobile device access to corporate resources based on a risk assessment conducted by Lookout, a Mobile Threat Defense solution integrated with Microsoft Intune
Supported Platforms:
• Android 4.4 and later
• iOS 9 and later
Prerequisites:
• Microsoft Intune subscription
• Azure Active Directory
• Lookout Mobile Endpoint Security enterprise subscription
Telemetry-based risk assessment:
• Operating system vulnerabilities
• Malicious apps installed
• Malicious network profiles

Mobile Threat Detection
Overview – Intune Standalone
Flow shown on the slide (labels translated from Chinese):
• Check app threats
• Check system threats
• Threat (High, Medium, Low)
• Device management – device compliance
• Allow access, or lock; enforce MFA per user / per app
• Block access
Design Options
Overview
• Intune Subscription: Standalone or Hybrid; Office 365 and Microsoft Intune integrated tenant
• Supported Platforms: iOS, Mac OS X, Windows, Android/Samsung KNOX, Windows Phone
• Company Portal: No Customization or Customization
• Reverse Proxy: Azure AD Application Proxy or Web Application Proxy
• Certificates: Infrastructure Certificates, Device Certificates
Mobile Device Management
Enroll | Provision | Manage & Protect | Retire

You need flexibility in a complex device ecosystem
Microsoft Intune provides you options that allow you to keep your data secure across a range of scenarios that occur day-to-day. Our Intune App Management and Device Management capabilities allow you to protect corporate data with or without device management, across Company-Managed, Employee-Managed and 3rd Party-Managed devices.

In a complex device landscape, you need choices
Microsoft Intune gives you the flexibility and control to secure your data on any device – even those you don't manage: secure and remove corporate data within mobile apps on Company-Managed, Employee-Managed and 3rd Party-Managed devices.

Secure your data on any device with Intune
Intune Device Management:
• Enroll devices for management
• Provision settings, certs, profiles
• Report & measure device compliance
• Remove corporate data from devices
• Conditional Access: Restrict access to managed & compliant devices
Intune App Management:
• Publish mobile apps to users
• Configure and update apps
• Report app inventory & usage
• Conditional Access: Restrict access to apps with an app protection policy

App Management Without Enrollment
Purpose:
• Allow customers to protect data in managed apps such as Office
• Prevents copying from a managed app into Facebook, for example
• Selective wipe of managed app data
• Does not require the device to be MDM enrolled – great for customers who can't migrate from their MDM quite yet
• Users can install apps from the company portal assigned to the user even though the associated device is not enrolled into Intune
Supported Apps: https://www.microsoft.com/en-us/server-cloud/products/microsoft-intune/partners.aspx
Enroll
Overview
Enrollment paths into Microsoft Intune (the Microsoft Intune Portal is the MDM Authority; on-premises Active Directory provides authentication and is synchronized with DirSync and password hash sync):
• Company Portal / Hub (from the store) – Apple/Android
• Company Portal – Mac OS X
• Company Portal – Windows PCs (x86/64, Intel SoC)
• Workplace – Windows 8.1 & RT 8.1
• Company Portal – iOS & Android
• Work Account – Windows 10 & Mobile
• Workplace – Windows Phone 8.1
Enroll
Overview
Enrollment: The MDM enrollment process establishes a relationship between the user, the device, and the Microsoft Intune service. Using Microsoft Intune as a standalone service enables the administrator to use a single web-based administration console to manage Windows PCs, Mac OS X and the most popular mobile device platforms.
Bulk Enrollment: Bulk enrollment allows IT administrators to simplify the enrollment of a large number of devices. Supported options for bulk enrollment of Windows and iOS devices:
• Device Enrollment Manager
• Support for Apple Configurator
• Support for Apple Device Enrollment Program
• Windows Autopilot
• Samsung Knox Mobile Enrollment
Enroll
Device Enrollment Manager
IT applies policies in Microsoft Intune; a business manager enrolls devices on behalf of users and distributes them to users, for example in a restaurant, a school or a retail store.
Enroll
Apple Configurator
• IT exports the device enrollment profile from Intune
• IT imports the profile into Apple Configurator
• IT configures the iOS devices with Apple Configurator
• The iOS devices will automatically enroll on first power on by the user
Enroll
Apple Device Enrollment Program
• Register the organization with Apple
• Establish a trust link between Apple and Intune using a token issued by Apple
• Intune syncs information from Apple, then the management profile is configured in Intune
• Deploy the configuration to the user's device
Enroll
Windows Autopilot
• The hardware vendor registers the device IDs with Windows Autopilot
• The IT admin configures the Windows Autopilot profile in Intune; device sync and Autopilot profile sync keep Intune and Windows Autopilot aligned
• The vendor ships the device and delivers it direct to the employee
• The employee unboxes the device and self-deploys (self-service deploy)
Enroll
Azure AD Join for Windows 10
Azure AD Join makes it possible to connect work-owned Windows 10 devices to your company's Azure Active Directory
With Azure AD Join, you can auto enroll devices in Microsoft Intune for management:
• Intune auto-enrollment
• Enterprise-compliant services
• Single sign-on from the desktop to cloud and on-premises applications (apps in Azure, 3rd party apps & clouds, on-premises apps, Intune/MDM) with Windows 10 Azure AD Joined Devices
Provision
Overview
Device Profiles:
• Feature Settings
• Restriction Settings
• Custom Settings (OMA-URI)
• Windows 10 Edition Upgrade Settings
• Endpoint Protection
• Education Settings
• Windows Defender ATP
Resource Access Profiles:
• Email settings
• Wi-Fi settings
• VPN settings
• Certificate Settings
Applications:
• Required Applications
• Available Applications
• Device Targeted
• User Targeted
Provision
Resource Access Profiles
Overview: Microsoft Intune resource access profiles work together to help your users gain access to the files and resources they need to do their work successfully, wherever they are
Profile Type – Description – Windows 10 / Windows 10 Mobile / iOS / Android & Android Enterprise / Mac OS X:
• Wi-Fi – Deploy wireless network settings to your users – Yes (Import Wi-Fi Config Profile) / Yes (Import Wi-Fi Config Profile) / Yes / Yes / Yes
• VPN – Deploy Virtual Private Network (VPN) settings to your users – Yes / Yes / Yes / Yes / Yes
• Email – Create, deploy and monitor Exchange ActiveSync email settings – Yes / Yes / Yes / Only AE / No
Provision
Resource Access Profiles – Microsoft Recommended Practice
Overview: Microsoft Intune resource access profiles work together to help your users gain access to the files and resources they need to do their work successfully, wherever they are. A Trusted Root Certificate Profile is required to deploy certificate profiles.
Profile Type – Description – Windows 10 / Windows 10 Mobile / iOS / Android & Android Enterprise / Mac OS X:
• Certificate – Secure access to company resources – Trusted Certificate, PKCS #12 and SCEP / Trusted Certificate, PKCS #12 and SCEP / Trusted Certificate, PKCS #12 and SCEP / Trusted Certificate, PKCS #12 and SCEP / Trusted Certificate and SCEP
• Wi-Fi – Deploy wireless network settings to your users – Yes (Import Wi-Fi Config Profile) / Yes (Import Wi-Fi Config Profile) / Yes / Yes / Yes
• VPN – Deploy Virtual Private Network (VPN) settings to your users – Yes / Yes / Yes / Yes (not in KNOX container) / Yes
• Email – Create, deploy and monitor Exchange ActiveSync email settings on devices in your organization – Yes / Yes / Yes / Only AFW and KNOX / No
Provision
Certificate Profiles – Microsoft Recommended Practice
Overview: Certificate profiles work with Active Directory Certificate Services and the Network Device Enrollment Service (NDES) role to provision authentication certificates for managed devices so that users can seamlessly access company resources
Trusted Certificate Profile:
• Use this profile to deploy the Trusted Root CA certificate or intermediate CA certificate to devices
• Create a Trusted Root Certificate profile for each supported platform
SCEP & PKCS #12 Certificate Profile:
• Use this profile to deploy platform specific settings for device certificate requests
• Create a SCEP or PKCS #12 certificate profile for each platform you use, and pair it with the Trusted CA certificate profile
• To complete the task of creating a SCEP or PKCS #12 certificate profile, you must select a previously created Trusted CA certificate profile
*NDES decisions will follow in more detailed workshop
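As an added troubleshooting example (not part of the workshop deck or of any Microsoft tool), the PowerShell below, run on an enrolled Windows 10 device, checks that the two profiles described above actually delivered their certificates: the Trusted Certificate profile should have placed the CA certificate in a Root store, and the SCEP or PKCS #12 profile should have produced a client authentication certificate with a private key in the user's Personal store that chains up to that root. The root CA subject string is a placeholder that must match the issued certificate's subject exactly; the EKU OID 1.3.6.1.5.5.7.3.2 is the standard Client Authentication OID.

```powershell
# Added example, not from the deck: verify on a managed Windows 10 device that the Trusted
# Certificate profile and the SCEP/PKCS #12 certificate profile both delivered what they should.
$TrustedRootSubject = 'CN=Contoso Root CA'     # placeholder: the subject of your trusted root CA
$ClientAuthEku      = '1.3.6.1.5.5.7.3.2'       # standard Client Authentication EKU OID

function Test-TrustedRootPresent {
    # True when the root CA certificate from the Trusted Certificate profile is in a Root store
    param([string]$Subject)
    $roots = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root -ErrorAction SilentlyContinue
    return [bool]($roots | Where-Object { $_.Subject -eq $Subject })
}

function Get-DeviceClientAuthCerts {
    # Certificates in the user's Personal store that are unexpired, have a private key
    # (without one the device cannot authenticate) and carry the Client Authentication EKU
    $now = Get-Date
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.NotAfter -gt $now -and
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthEku })
    }
}

function Test-ChainsToTrustedRoot {
    # Builds the chain for a certificate and checks that its top element is the expected root;
    # a chain that ends elsewhere means the certificate came from a CA the profile did not intend
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$RootSubject
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check only; revocation is the CA's job
    if (-not $chain.Build($Cert)) { return $false }
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return ($top.Subject -eq $RootSubject)
}

$rootOk = Test-TrustedRootPresent -Subject $TrustedRootSubject
Write-Output ("Trusted root present: {0}" -f $rootOk)

$clientCerts = @(Get-DeviceClientAuthCerts)
if ($clientCerts.Count -eq 0) {
    Write-Output 'No client authentication certificate with a private key found; the SCEP/PKCS #12 profile has not applied'
} else {
    foreach ($c in $clientCerts) {
        $chainOk = Test-ChainsToTrustedRoot -Cert $c -RootSubject $TrustedRootSubject
        Write-Output ("{0}  thumbprint={1}  expires={2:yyyy-MM-dd}  chains to expected root: {3}" -f `
            $c.Subject, $c.Thumbprint, $c.NotAfter, $chainOk)
    }
}
```

A missing root with a present client certificate usually means the platform-specific Trusted Root profile was not assigned to the same group as the SCEP profile; a client certificate that builds a chain to some other root indicates the SCEP profile is pointing at an unexpected CA or NDES endpoint, which is worth raising before enabling certificate-based Wi-Fi or VPN.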
Provision
Certificate Provisioning Process – Microsoft Recommended Practice
[Diagram: an eight-step flow between the user, the IT admin, Microsoft Intune, the Microsoft Intune Connector, the Network Device Enrollment Service, the ConfigMgr Plugin, the Certificate Registration Point and Configuration Manager, running on the certificate server in the corporate network]
*NDES decisions will follow in more detailed workshop
Provision
Windows Hello for Business Profiles
Overview:
• Windows Hello for Business is an alternative sign-in method for Windows 10 devices
• Uses an Active Directory or an Azure Active Directory account to replace a password, smart card, or virtual smart card
• Windows Hello for Business allows a user to use a simple PIN, biometric authentication or an external device such as a fingerprint reader to authenticate instead of a password
Windows Hello for Business Profile:
• Create a WHfB profile including PIN settings, biometrics settings and Trusted Platform Module (TPM) requirements
• Not for domain-joined devices that run the Configuration Manager client
Certificate Profile: Intune can deploy certificates to Windows Hello for Business to authenticate users and help them to access corporate resources
Provision
Email Profile Management
Corporate email server: any email service supported by Exchange ActiveSync
Microsoft Intune deploys the email profile on enrollment:
• Configure account settings and security restrictions
• Enable certificate authentication
• Synchronize email, tasks, contacts, and calendar
• Support for iOS 8+, Samsung KNOX 4.4+, Windows 10+ and Windows Phone 8.1+
• Enable selective wipe of corporate email
Provision
VPN Profile Management
Overview:
• Support for major SSL VPN vendors and VPN standards (PPTP, L2TP, IKEv2)
• Automatic VPN connection: DNS name-based initiation support for Windows 10 and iOS; Application ID based initiation support for Windows 10
• Per-app VPN (iOS 8+): on-demand VPN connection for corporate apps only; routes only a specific app's data to the corporate VPN
Connection Type – iOS / Android & AE / Windows 10 Mobile / Windows 10 / Mac OS X:
• Cisco AnyConnect – Yes / Yes (OMA-URI, mobile only) / No / Yes (only four values appear in the source)
• Juniper Pulse – Yes / Yes / Yes / Yes / Yes
• F5 Edge Client – Yes / Yes / Yes / Yes / Yes
• Dell SonicWALL Mobile Connect – Yes / Yes / Yes / Yes / Yes
• CheckPoint Mobile VPN – Yes / Yes / Yes / Yes / Yes
Provision
Wi-Fi Profile
Overview: Use Microsoft Intune Wi-Fi profiles to deploy wireless network settings to users and devices in your organization
• Manage Wi-Fi protocol and authentication settings
• Provision Wi-Fi networks that devices can auto-connect to
• Specify the certificate to be used for the Wi-Fi connection
• Specify certificate or username/password authentication to connect to the Wi-Fi network
Supported Platforms:
• Android 4.0 and later, Android for Work
• iOS 8.0 and later
• Windows 10 (Wi-Fi config profile import policy required)
• Windows 10 Mobile (Wi-Fi config profile import policy required)
• Mac OS X 10.9 and later
Provision
Device Profiles – Device Features and Restriction Settings
Overview: Microsoft Intune uses device profiles that help configure security and functional settings for enrolled mobile devices, including:
• Hardware settings
• Password settings
• Application whitelisting
• Kiosk mode
Supported Platforms:
• Device Restriction Settings exist for iOS, Android, Windows Mobile, Windows devices and Mac OSX
• OMA-URI can be used to apply Android, Windows Mobile and Windows custom device settings
• Apple Configurator can be used to apply custom iOS device settings
Policy Conflicts – when conflicts occur due to multiple Microsoft Intune settings being applied to a device:
• Settings in a compliance policy take precedence over device restriction settings, even if the restriction settings are more secure
• If multiple compliance policies exist, the most secure of these policies will be used
Provision
Migrate Windows 10 GPOs to Intune CSPs
The Microsoft MDM Migration Analysis Tool compares GPOs to Intune CSPs:
• Collect GPOs from user and computer examples
• Use the MDM Migration Analysis Tool to find matches to Intune CSPs
• (optional) Import the matches into Intune
• Deploy the CSPs as Intune Policy; use a custom URI where needed
https://github.com/WindowsDeviceManagement/MMAT
Or use this friendly link: http://aka.ms/MMAT
Provision
Windows 10 Edition Upgrade
Overview:
• Automatically upgrade devices that run Windows 10 to a different edition
• A product key is required that is valid to install the new version of Windows on all devices that you target with the policy (for Windows 10 Desktop editions)
• MAK and KMS keys are supported
• Windows 10 devices that you target must be enrolled in Microsoft Intune
• Not supported for PCs that run the Intune PC client software
Supported Platforms:
• Windows 10 Home
• Windows 10 Pro
• Windows 10 Holographic
• Windows 10 Mobile
Supported Upgrade Paths:
• From Windows 10 Pro to Windows 10 Enterprise
• From Windows 10 Home to Windows 10 Education
• From Windows 10 Mobile to Windows 10 Mobile Enterprise
• From Windows 10 Holographic Pro to Windows 10 Holographic Enterprise
Provision
Windows 10 Endpoint Protection
Overview: Control security features on Windows 10 devices, like BitLocker
Supported BitLocker Settings:
• Windows Settings: Require devices to be encrypted (Desktop only), Require Storage Card to be encrypted (mobile only)
• BitLocker base settings: Encryption for operating system drives, fixed data-drives and removable data-drives
• Drive type specific settings for OS drives, fixed data-drives and removable data-drives
Provision
Windows Update for Business
Overview:
• Configure update settings on devices
• Defer update installations
• Intune doesn't store the updates, but only the update policy assignment
• Configure and manage Windows 10 update rings
Supported Features:
• Windows 10 Servicing Branch
• Deferral Settings
• Pausing
• Maintenance Window
• Update Type
• Installation Behavior
• Peer Downloading
Supported Platforms:
• Windows 10 Pro with the Windows Anniversary update
• Windows 10 Team (for Surface Hub devices)
• Windows 10 Mobile and Windows 10 Holographic are not supported
Provision
Windows Defender Advanced Threat Protection
Overview:
• Onboard and monitor endpoints
• Offboard and monitor endpoints
• Create a custom configuration profile to deploy supported OMA-URI settings
Supported OMA-URI Settings:
• Onboarding
• Health Status for onboarded machines
• Configuration for onboarded machines
• Offboarding
• Health Status for offboarded machines
• Configuration for offboarded machines
Supported Platforms:
• Windows 10 Enterprise
• Windows 10 Education
• Windows 10 Pro
• Windows 10 Pro Education
Provision
PowerShell scripts
Overview:
• Use the Microsoft Intune management extension to upload PowerShell scripts in Intune
• Run PowerShell scripts on MDM-managed Windows 10 devices for advanced device configuration and troubleshooting or to deploy Win32 apps
Requirements:
• Devices must be joined or registered to Azure AD
• Azure AD is configured for auto-enrollment into Intune
• The Intune management extension agent is installed when a PowerShell script or a Win32 app is deployed to a user or device security group
Supported Platforms:
• Azure AD joined, hybrid domain joined, and co-managed enrolled Windows 10 devices
• Windows 10 version 1607 or later
Manage & Protect
Compliance Policies
Overview: Compliance policies define the rules and settings that a device must comply with in order to be considered compliant by conditional access policies
Device Type – PIN/Password Configuration / Device Encryption / Jailbroken or rooted device / Email Profile:
• Windows 10 – Remediated / N/A / N/A / N/A
• Windows 10 Mobile – Remediated / Remediated / N/A / N/A
• iOS 8.0+ – Remediated / Remediated (by setting PIN) / Quarantined (not a setting) / Quarantined
• Mac OS X – Not Supported / Not Supported / Not Supported / Not Supported
• Android 4.0+ – Quarantined / Quarantined / Quarantined (not a setting) / N/A
• Samsung Knox Standard 4.0+ – Quarantined / Quarantined / Quarantined (not a setting) / N/A
Definition:
• Remediated – Compliance is enforced by the device OS
• Quarantined – Device OS does not enforce compliance. In this case the device will be blocked if the user is targeted by a conditional access policy, and the Company Portal/Web Portal will notify the user about any compliance issues
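Tying the PowerShell scripts slide to the compliance table: the following is an added troubleshooting script, not from the deck, of the kind the Intune management extension runs on an MDM-managed Windows 10 device. It reports the local state of the PIN/password setting the compliance table lists for Windows 10 and of the OS-drive BitLocker requirement from the Windows 10 Endpoint Protection slide, so a device that shows as non-compliant can be diagnosed on the device itself. The log location and the required minimum password length are assumptions; a non-zero exit code is what the management extension reports as a failed script run.

```powershell
# Added example, not from the deck: a troubleshooting script of the kind the Intune management
# extension can run on an MDM-managed Windows 10 device. It reports the local state of two
# settings that a compliance or endpoint protection policy can require and exits non-zero when
# either is not met. The log path and the required minimum password length are assumptions.
$LogPath              = Join-Path $env:ProgramData 'IntuneTroubleshoot\compliance-check.log'
$RequiredMinPwdLength = 8

function Get-OsDriveEncryptionState {
    # BitLocker protection status of the OS drive: 'On', 'Off', or 'Unknown' when the
    # BitLocker PowerShell module is not available on this edition
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        return $vol.ProtectionStatus.ToString()
    } catch {
        return 'Unknown'
    }
}

function Get-LocalMinPasswordLength {
    # Parses "Minimum password length" from `net accounts`; returns 0 when the line is absent
    $line = (net accounts) | Where-Object { $_ -match '^Minimum password length' }
    if ($line -and $line -match '(\d+)\s*$') { return [int]$Matches[1] }
    return 0
}

function Get-ComplianceIssues {
    # Compares the observed state with the required values and returns one string per issue
    param([string]$EncryptionState, [int]$MinPwdLength, [int]$RequiredMinPwdLength)
    $issues = @()
    if ($EncryptionState -ne 'On') {
        $issues += "OS drive not BitLocker protected (state: $EncryptionState)"
    }
    if ($MinPwdLength -lt $RequiredMinPwdLength) {
        $issues += "Minimum password length $MinPwdLength is below the required $RequiredMinPwdLength"
    }
    return $issues
}

New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
$issues = @(Get-ComplianceIssues -EncryptionState (Get-OsDriveEncryptionState) `
                                 -MinPwdLength (Get-LocalMinPasswordLength) `
                                 -RequiredMinPwdLength $RequiredMinPwdLength)
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
if ($issues.Count -eq 0) {
    Add-Content -Path $LogPath -Value "$stamp OK: device meets the checked settings"
    exit 0
}
Add-Content -Path $LogPath -Value "$stamp ISSUES: $($issues -join '; ')"
exit 1   # non-zero exit: the management extension reports the run as failed, which flags the device in the console
```

Because Intune treats a compliance policy as taking precedence over device restriction settings, the script only observes state and does not change it; the remediation stays with the policy, and the log line gives the helpdesk the reason a device was quarantined rather than remediated.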
Manage & Protect
Conditional Access
Overview:
• Used in conjunction with Compliance Policies to enforce settings to access a service
• Targeted at user groups and devices that are not managed with Microsoft Intune
• Conditional access policies are not deployed; they are configured once and then applied to all targeted users
• When devices do not meet the required access conditions, the user is guided through the process of enrolling the device and fixing the issue that prevents the device from being compliant
Supported Platforms – Exchange Online:
• Windows 8.1 and later (when enrolled with Intune)
• Windows 7.0 or later (when domain joined)
• Windows Phone 8.1 and later
• iOS 7.1 and later
• Android 4.0 and later, Samsung Knox Standard 4.0 and later
Supported Platforms – Exchange On-Premises:
• Windows 8 and later (when enrolled with Intune)
• Windows Phone 8 and later
• Any iOS device that uses an Exchange ActiveSync (EAS) email client
• Android 4 and later
Supported Platforms – SharePoint Online:
• Windows 8+ (Domain Joined or Intune enrolled)
• Windows Phone 8.1+
• iOS 8.0+
• Android 4.2+
Requirements:
• Exchange Online: Exchange Online subscription
• Exchange On-Premises: Exchange 2010 or later, On-premises Exchange Connector
• SharePoint Online: SharePoint Online subscription
Manage and Protect
Windows 10 (Mobile) – Configuration Service Providers
Overview:
• Mobile device OEMs can create custom configuration service providers (CSP) to manage their devices
• A configuration service provider includes an interface for creating, editing, and deleting nodes, and the nodes themselves
• Each node contains data for one registry value and can optionally support get, set, and delete operations
CSPs: BitLocker CSP, CleanPC CSP, DeveloperSetup CSP, DynamicManagement CSP, EnterpriseAppVManagement CSP, Messaging CSP, NetworkProxy CSP, NetworkQoSPolicy CSP, Office CSP, Personalization CSP
Supported Platforms:
• Windows 10 Enterprise
• Windows 10 Education
• Windows 10 Pro
• Windows 10 Pro Education
Manage and Protect
Windows 10 (Mobile) – Dynamic Management
Overview: Allows you to manage devices differently depending on location, network, or time
Core scenarios currently supported – input signals:
• Applying settings automatically based on a predefined geographic area
• Enforcing policies through time schedules
• Adjusting configurations or restricting device capabilities when the IP network changes
• Dynamic Management is configured locally on the device and works even offline
Configurable settings – actions:
• Camera: Camera/AllowCamera
• Cellular: Connectivity/AllowCellularData
• Wi-Fi: WiFi/AllowWiFi
• Cortana: Experience/AllowCortana
• Default Background/Lock Screen: DeviceLock/EnforceLockScreenAndLogonImage (Desktop only)
• First run URL: Browser/FirstRunURL (Mobile only)
Supported Platforms:
• Windows 10 Enterprise
• Windows 10 Education
• Windows 10 Pro
• Windows 10 Pro Education
Scenario: Afternoon, Studio X – upon entering the building, the camera on her phone and laptop is disabled
Retire
Overview, Full Wipe & Selective Wipe
Overview: Microsoft Intune provides selective wipe, full wipe, remote lock and passcode reset capabilities. Devices can be remotely wiped by administrators or users
Definition:
• Full Wipe – restore the device to its factory defaults. This removes all company and user data and settings. A full wipe can be performed on Windows Phone, iOS, and Android devices
• Selective Wipe – Used to remove only company data
Scenarios – Suggested Action:
• Lost Device – Remote Lock whilst looking for the device, Full wipe if the device cannot be found
• Stolen Device – Full wipe
• Retire Device – Full wipe
• Forgotten passcode – Passcode reset
• User leaving company, personal device enrolled to Intune – Selective Wipe
Retire
Selective Wipe impact across supported platforms
Company Apps/Data installed by Microsoft Intune:
• Windows 8.1+ – Files protected by EFS have their key revoked; the user is not able to open the files
• Windows Phone 8.1+ – Apps installed through the company portal are uninstalled. Company app data is removed
• Windows 10 – Apps are uninstalled. Company and sideloading keys are removed
• iOS – Apps uninstalled. Company app data removed. App data from MS apps that use mobile app management is removed. The app is not removed
• Mac OS X – Not supported
• Android – Apps and data remain installed. App data from mobile app management apps is removed. The app is not removed
• Samsung KNOX – Apps uninstalled. App data from mobile app management apps is removed. The app is not removed
Settings (all platforms): Configurations set by Intune policy are no longer enforced and users can change the settings
Wi-Fi & VPN Profiles:
• Windows 8.1+, Windows Phone 8.1+, Windows 10, iOS – Removed
• Mac OS X, Android, Samsung KNOX – Not supported

Retire
Selective Wipe impact across supported platforms (Continued)
Certificate Profiles:
• Windows 8.1+, Windows Phone 8.1+, Windows 10, iOS – Certificates removed and revoked
• Mac OS X – Not supported
• Android, Samsung KNOX – Certificates revoked, but not removed
Management Agent:
• Windows 8.1+, Windows Phone 8.1+, Windows 10 – N/A, management agent built in
• iOS – Management profile is removed
• Mac OS X – Not supported
• Android, Samsung KNOX – Device admin privilege is revoked
Email:
• Windows 8.1+ – Removes email that is EFS enabled
• Windows Phone 8.1+ – Intune provisioned email profile removed, cached data deleted
• Windows 10 – Removes email that is EFS enabled, which includes the Mail app for Windows email and attachments. Removes mail accounts that were provisioned by Intune
• iOS – Intune provisioned email profile removed, cached data deleted
• Mac OS X – Not supported
• Android – Not supported
• Samsung KNOX – Intune provisioned email profile removed, cached data deleted
Retire
Remote Lock & Passcode Reset
Overview: For use when users have misplaced or forgotten credentials to access their device
Platform – Remote Lock – Passcode Reset:
• iOS – Supported – Supported for clearing the passcode from the device. Does not create a temporary passcode
• Mac OS X – Not Supported – Not Supported
• Android & Android for Work – Supported – Supported on versions earlier than Android 7.0. Creates a temporary passcode. Not supported for AFW
• Windows 10 Mobile – Supported – Supported for Windows 10 Creators version and later mobile devices that are Azure AD joined
• Windows 10 – Not Supported – Not Supported
Design Options
• Enrolment: Microsoft Intune Account Portal, Device Enrolment Manager, Apple Configurator
• Device Profiles: Device Restrictions Profiles (Hardware settings, Password settings, Application whitelisting, Kiosk mode), Custom Profiles
• Resource Access Profiles: VPN Profiles, Wi-Fi Profiles, Email Profiles, Windows Hello for Business
Questions & Next Steps
© 2019 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
