Intune Administration Guide

Feb 8

8 min read

This guide provides a comprehensive overview of Intune administration, focusing on adding, managing, auditing, and removing devices. It offers a complete and detailed resource for IT administrators seeking to leverage Intune for enhanced device security and simplified management.

Adding Devices to Intune

Adding devices to Intune allows you to manage and secure them within your organization's network. Intune supports various device platforms, including iOS, Windows, and Android, and offers flexibility in managing devices based on ownership (personal or corporate) and management requirements (resets, affinity, lockout) [1]. You can also restrict device enrollment by platform if needed [1].

Choosing the right enrollment method is crucial for a smooth and efficient onboarding process. Consider the following methods and their suitability for different scenarios:

Manual Enrollment

Manual enrollment is ideal for individual devices or small deployments where users can set up their devices with minimal IT intervention.

  1. Prepare for Enrollment: Ensure you have an active Intune subscription, administrative rights to configure Intune, and that the devices meet the operating system requirements supported by Intune [2].

  2. Configure Intune Settings: Sign in to the Microsoft Intune admin center and set the MDM authority to Microsoft Intune. Create enrollment profiles for the different device platforms (Windows, iOS, Android) and assign them to the necessary device groups [2].

  3. Enroll the Device:

     • Windows: Go to Settings > Accounts > Access work or school, select Connect, and enter your work or school account credentials [3].

     • iOS: Navigate to Settings > General > Device Management and sign in with your work account. Install the Intune Company Portal app from the App Store and follow the on-screen instructions [2].

     • Android: Download the Intune Company Portal app from Google Play and follow the on-screen instructions to enroll [2].

Bulk Enrollment

For larger deployments, bulk enrollment methods simplify the process and reduce manual effort.

  • Windows Autopilot: This method allows you to pre-configure devices for automatic enrollment during initial setup. Upload the hardware IDs of the devices to be enrolled in the Intune admin center, configure Autopilot profiles, and assign them to the devices [2].

  • Apple Business Manager (ABM): For corporate-owned iOS devices, ABM allows you to assign devices to Intune and automatically enroll them during setup [2].

  • Android Enterprise: Configure enrollment settings for corporate-owned Android devices in the Intune admin center [2].

Device Enrollment Manager (DEM)

DEM accounts are service accounts with permissions to enroll and manage multiple corporate-owned devices. This method is useful when devices need to be enrolled and prepared before being handed out to users [4].

  1. Prerequisites: Ensure you have Global Administrator or Intune Administrator privileges [4].

  2. Add a DEM Account: Sign in to the Microsoft Endpoint Manager admin center, go to Devices > Enroll devices > Device enrollment managers, and select Add. Enter the user principal name for the DEM user and add them [4].

  3. Enroll a Device: On the Windows device, go to Settings > Accounts > Access Work or School, click Connect, and enter the DEM user credentials [4].

Hybrid Azure AD Join

This method allows you to join domain-joined computers to Azure AD and automatically enroll them in Intune [5].

  1. Configure Auto-enrollment: In the Intune admin center, go to Devices > Enroll devices > Windows enrollment > Automatic Enrollment and set the MDM user scope to All [5].

  2. Configure Hybrid Azure AD Join: Run the Azure AD Connect wizard on your AD Connect server and configure hybrid Azure AD join for your domain-joined devices [5].

Shared Management

Shared management offers a bridge between traditional and modern management by allowing you to manage Windows 10 devices simultaneously using Configuration Manager and Microsoft Intune. This is particularly useful for organizations transitioning from on-premises to cloud-based management, enabling a phased approach and leveraging the best features of both systems [1].

By carefully considering the different enrollment methods and their implications, organizations can choose the most suitable approach for their specific needs and optimize the device onboarding process.

Managing Devices in Intune

Intune provides a comprehensive set of tools and features for managing devices throughout their lifecycle. This lifecycle typically involves four phases: registration, configuration, protection, and retirement [1].

Device Management Tasks

Intune offers a range of remote actions to manage devices efficiently:

Action | Description | Supported OS
--- | --- | ---
Sync | Force a device to check for updates to compliance policies. | Android, iOS/iPadOS, macOS, Windows
Restart | Restart a device immediately or on a schedule. | Android, iOS/iPadOS, macOS, Windows
Scan | Perform quick or full scans for malware using Windows Defender. | Windows
Run Script | Execute scripts on devices. | Windows
Delete | Remove a device from Intune and remove company data. | Android, iOS/iPadOS, macOS, Windows
Change Primary User | Assign a new primary user to a device. | 
Rename | Change the device name in Intune. | Android, iOS/iPadOS, macOS, Windows
Retire | Remove company data from a device without affecting personal data. | Android, iOS/iPadOS, macOS, Windows
Wipe | Perform a factory reset on a device. | Android, iOS/iPadOS, macOS, Windows
Autopilot Reset | Return a device to a fully configured state. | Windows
Fresh Start | Remove pre-installed Win32 apps from a device. | Windows
Remote Lock | Lock a device remotely. | Android, iOS/iPadOS, macOS
Locate | Locate a lost or stolen device. | Android, iOS/iPadOS, macOS

These actions give administrators granular control over devices, enabling them to perform essential management tasks remotely without requiring physical access to the devices [6].

Policies and Profiles

Intune allows you to create and deploy policies and profiles to manage device settings and features:

  • Compliance Policies: These policies ensure devices meet security and compliance requirements. For example, you can enforce password complexity, require device encryption, or restrict access to certain applications [7].

  • Configuration Profiles: These profiles allow you to configure device settings, such as Wi-Fi, VPN, and email profiles. You can also configure device restrictions, such as disabling the camera or blocking access to certain websites [1].

  • Windows Information Protection: This feature helps protect corporate data from accidental leaks by controlling how users access and share data on their devices [1].

  • User Profiles: Intune allows you to manage different types of user profiles:

     • Local: Available only on a single computer.

     • Roaming: Can move between computers that are domain members.

     • Mandatory: A preconfigured user profile that does not store user changes between logins.

     • Temporary: Used when an error prevents the user's profile from being loaded [1].

Application Management

Intune enables you to manage applications on enrolled devices:

  • Deploy Apps: Deploy apps from public app stores or your own line-of-business apps [8].

  • Manage Updates: Push out app updates and patches [8].

  • Remove Apps: Remove unwanted or unauthorized apps [8].

Monitoring and Reporting

Intune provides tools for monitoring device usage and generating reports:

  • Device Usage Tracking: Track user activity, such as app usage and website visits [8].

  • Compliance Reporting: Generate reports on device compliance with organizational policies [8].

  • Inventory Reports: Get a full inventory of all enrolled devices [6].

By effectively utilizing these management features, organizations can ensure their devices are secure, compliant, and optimized for productivity.

Auditing Devices in Intune

Auditing devices in Intune involves tracking and monitoring events to ensure security and compliance. Regularly reviewing audit logs can help proactively identify and address potential security threats or compliance issues [9].

Audit Logs

Intune maintains audit logs that record activities that generate a change in the system, such as creating, updating, deleting, and assigning policies or profiles. These logs can be used to track user and device actions and are retained for one year [9].

To view audit logs:

  1. Sign in to the Microsoft Intune admin center.

  2. Select Tenant administration > Audit logs.

  3. Select a log from the list to see the activity details.

You can filter the audit logs by date, category (e.g., Compliance, Device, Role), and activity [9].

Exporting Audit Logs

You can export audit logs to a .csv file for further analysis or archiving [9].
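As an added example (not part of the original guide), the Python below triages an exported audit log for the two changes a defender most wants surfaced: a burst of wipe, retire or delete actions by a single actor, and deletions of compliance policies. The sample rows and their column names are constructed assumptions, not a real tenant export; map the headers onto the ones your export uses.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample shaped like an audit-log .csv export (not a real tenant
# export); the column names are assumed, so map them onto your export's headers.
SAMPLE_CSV = """ActivityDateTime,Actor,Category,Activity,ActivityResult,Resource
2025-02-08T09:00:12Z,alice@contoso.example,Device,wipeManagedDevice,Success,LAPTOP-0041
2025-02-08T09:02:40Z,alice@contoso.example,Device,wipeManagedDevice,Success,LAPTOP-0042
2025-02-08T09:03:05Z,alice@contoso.example,Device,wipeManagedDevice,Success,LAPTOP-0043
2025-02-08T09:03:50Z,alice@contoso.example,Device,wipeManagedDevice,Failure,LAPTOP-0044
2025-02-08T10:15:00Z,bob@contoso.example,Compliance,deleteDeviceCompliancePolicy,Success,Require BitLocker
2025-02-08T11:00:00Z,carol@contoso.example,Device,syncDevice,Success,LAPTOP-0050
"""
DESTRUCTIVE = ("wipe", "retire", "delete")  # actions that remove data from a device

def parse_export(text):
    rows = list(csv.DictReader(io.StringIO(text)))  # header names become keys
    for row in rows:
        row["when"] = datetime.strptime(row["ActivityDateTime"], "%Y-%m-%dT%H:%M:%SZ")
    return rows

def is_destructive(row):
    # Count failed attempts too: a failed mass wipe is still worth a call.
    act = row["Activity"].lower()
    return row["Category"] == "Device" and any(k in act for k in DESTRUCTIVE)

def destructive_bursts(rows, window=timedelta(hours=1), threshold=3):
    # {actor: peak destructive actions inside one sliding window}, only if >= threshold.
    per_actor = defaultdict(list)
    for row in rows:
        if is_destructive(row):
            per_actor[row["Actor"]].append(row["when"])
    bursts = {}
    for actor, times in per_actor.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):  # two-pointer pass over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[actor] = best
    return bursts

def policy_deletions(rows):
    # Deleting a policy silently weakens every device it was assigned to.
    return [(r["Actor"], r["Resource"]) for r in rows
            if r["Category"] != "Device" and "delete" in r["Activity"].lower()]
```

The window and threshold are tuning knobs: a helpdesk that legitimately retires a batch of returned laptops will need a higher threshold than a tenant where wipes are rare.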

Azure Monitor Integration

Intune audit logs and operational logs can be routed to Azure Monitor for advanced analytics and visualizations. This integration provides a centralized platform for monitoring and analyzing Intune activity alongside other organizational data [10].

Auditing Plug-and-Play Activity

You can enable auditing for plug-and-play detection of external devices to monitor and track any changes or additions made to your system through the connection of external devices. This can be particularly useful in security-sensitive environments where unauthorized devices pose a risk [11].

Removing Devices from Intune

Removing devices from Intune management may be necessary when devices are no longer needed, being repurposed, or lost or stolen. Choosing the appropriate removal method is crucial to ensure data security and compliance.

Retire

The Retire action removes managed app data, settings, and email profiles assigned by Intune. The device is removed from Intune management the next time it checks in. This method is suitable for devices that are no longer used for work purposes but are still functional [12].

To retire a device:

  1. Sign in to the Microsoft Intune admin center.

  2. Select Devices > All devices.

  3. Select the device you want to retire.

  4. Select Retire.

Wipe

The Wipe action restores a device to its factory default settings, removing all data and settings. This method is appropriate for devices that are being repurposed or sold, or when data security is a primary concern [12].

To wipe a device:

  1. Sign in to the Microsoft Intune admin center.

  2. Select Devices > All devices.

  3. Select the device you want to wipe.

  4. Select Wipe.

Delete

The Delete action removes a device from Intune management and deletes any company data. This method is typically used for lost or stolen devices to prevent unauthorized access to company information [12].

To delete a device:

  1. Sign in to the Microsoft Intune admin center.

  2. Select Devices > All devices.

  3. Select the device you want to delete.

  4. Select Delete.

Unenroll from Company Portal

Users can unenroll their devices from Intune through the Company Portal app or website. This removes the device from Intune management and removes access to company resources. This method is often used when employees leave the organization or no longer need access to company data on their personal devices [13].

Removing Autopilot Devices

To completely remove an Autopilot device from Intune management, you need to remove it from the Autopilot list in the Intune admin center and then delete it from Azure AD. This ensures that the device is no longer associated with your organization and cannot be automatically re-enrolled [15].

Conclusion

This guide provides a comprehensive overview of Intune administration, covering the essential aspects of adding, managing, auditing, and removing devices. By following the instructions and best practices outlined in this guide, IT administrators can effectively manage and secure their organization's devices and data within the Intune environment. Intune offers a robust platform for simplifying device management, enhancing security, and improving productivity. Proper administration and regular auditing are crucial for maximizing the benefits of Intune and ensuring a secure and compliant mobile device environment.

Works cited

1. Manage Windows devices with Intune - MSB365, accessed on February 8, 2025, https://www.msb365.blog/?p=3822

2. How to Enroll Devices in Intune: Our Step-by-Step Guide - BlueTally, accessed on February 8, 2025, https://bluetallyapp.com/blog/how-to-enroll-device-in-intune

3. Enroll Windows 10/11 devices in Intune - Microsoft Learn, accessed on February 8, 2025, https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-windows-10-device

4. Device Enrollment Manager - Enrolling a Device in Microsoft Intune, accessed on February 8, 2025, https://help.rapididentity.com/docs/device-enrollment-manager-enrolling-a-device-in-microsoft-intune

5. Setting up Windows 10 devices in Intune - Gitbit, accessed on February 8, 2025, https://www.gitbit.org/course/ms-500/learn/setting-up-windows-10-devices-in-intune-xfxu2zis9

6. Run remote actions on devices with Microsoft Intune, accessed on February 8, 2025, https://learn.microsoft.com/en-us/mem/intune/remote-actions/device-management

7. Mobile Device Management with Intune | Zero Trust Lab Guide - Microsoft Open Source, accessed on February 8, 2025, https://microsoft.github.io/ztlabguide/intmdm/

8. How to Get Started With Company Device Management in Microsoft Intune - CoreView, accessed on February 8, 2025, https://www.coreview.com/blog/how-to-get-started-with-company-device-management-in-microsoft-intune

9. Use audit logs to track and monitor events in Microsoft Intune, accessed on February 8, 2025, https://learn.microsoft.com/en-us/mem/intune/fundamentals/monitor-audit-logs

10. Intune Logs: How to Monitor and Track Events in Microsoft Intune - CoreView, accessed on February 8, 2025, https://www.coreview.com/blog/intune-logs-how-to-monitor-and-track-events-in-microsoft-intune

11. Best Guide to Apply Audit PNP Activity Policy using Intune - Anoop C Nair, accessed on February 8, 2025, https://www.anoopcnair.com/audit-pnp-activity-policy-using-intune/

12. Retire or wipe devices using Microsoft Intune, accessed on February 8, 2025, https://learn.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe

13. Remove your Windows device from Intune management | Microsoft Learn, accessed on February 8, 2025, https://learn.microsoft.com/en-us/mem/intune/user-help/unenroll-your-device-from-intune-windows

14. How To Unenroll your Mobile Device from Intune - Knowledge Portal - Access Manager, accessed on February 8, 2025, https://michmed.service-now.com/kb?id=kb_article_view&sysparm_article=KB0015940

15. Deleing a device : r/Intune - Reddit, accessed on February 8, 2025, https://www.reddit.com/r/Intune/comments/1bqyhi6/deleing_a_device/
