Intune lab for noobs – part 4 // iOS

This is the fourth part of the series of building your own Microsoft Intune lab. We will take some shortcuts and do some dirty tricks, just to get going. So please don’t use this as an implementation guide in a real environment. We will also skip a lot of fancy steps as getting a real domain name and having an on-premises AD. But if you already have those in your lab, that’s great!

In this part, we will look at iOS management and how to get going! To test this, you will need an iPhone or an iPad which we can enroll. No reset of the device will be needed.

In the second part of this guide, we configured the Apple MDM Push certificate, which means that we have the basics down for managing iOS, iPadOS and macOS. In this guide we will only look a basic configuration for iOS and iPadOS (it’s the same policies).

There are two types of profiles and policies we will create one Configuration Profile and one Compliance Policy. We will also add an app to distribute.

Configuration Profile

Like always, we are doing everything from the Microsoft Intune portal at endpoint.microsoft.com. Once you have signed in, navigate to Devices > iOS/iPadOS in the left side menu.

Select “Configuration profile” and then click “+ Create profile“.

Select “Device restrictions” as Profile type and click Create at the bottom of the page.

In this example we will create a profile which requires the user to set a PIN for the device. Give the profile a good name, I will call my profile iOS PIN Requirement since its for iOS and the profiles purpose is to require a PIN. Click Next.

Find and expand the category Password to display all available settings for PIN. Some settings will not be applicable since we will not use Apple Automated Device Enrollment.

For this lab, we will require a password (or PIN) which has six digits, we will block the use of a simple code (such as 111111 or such) and we will wipe the device after 10 failed attempts. We will also require PIN immediately when device is locked and lock the screen after 5 minutes.

Since we will not block FaceID or TouchID, this can be used to unlock the device.

When you have set these settings, click Next.

The next step is to assign this profile to our users (we will use user-targeting to have the settings follow the user). Find your user-group that we created in the second part and add that as an included group. When you have added the group, click Next.

Review your settings and click Create.

We have now successfully created a configuration which will require the user to set a PIN on their device.

Compliance Policy

Compliance policies are used to audit if user’s device is following the security messures we have required them to use. We can also notify the user if their device is not compliant.

Navigate to Device > iOS/iPadOS in the left side menu and find “Compliance policies“. Click “+ Create Policy” and then click Create.

You will need to give your policy a name, and in this policy, we will only look if PIN requirements are met. It’s a good idea to create one policy per setting category you are looking at to be able to target end-user information better.

Find and expand the System Security category to display the policy settings for the PIN. For this policy, we want to mimic the settings we set with the configuration profile to verify that the user has set up the PIN according to our requirements.

Once you have set the settings to the same values as the configuration profile, click Next.

Next step is to set what actions will happen if the device is not compliant. We will leave the default “Mark as compliant” and add “Send push notification to end user” and set the schedule to 0 days. Click Next.

We will now assign this to our user group and click Next.

Review your settings before you click Create.

We have now created a compliance policy which will audit the end-user to verify that the PIN is set correctly. If the PIN is missing or incorrect, the device will be flagged as non-compliant, and Microsoft Intune will send a push notification to the end-user’s device.

The compliance value can be used as a condition in a Conditional Access rule.

Application distribution

Of course, we need to distribute applications to our device. For this, we will once again utilize the guided scenarios in Microsoft Intune.

Click on Home in the left side menu and find the “Deploy Edge for mobile” scenario and press Start. If it’s not visible on the landing page, click on “See all >” next to the heading for guided scenarios.

Read through the initial information and click Next.

Add a prefix which will be displayed on the application configuration which will be created and click Next.

Add a Homepage shortcut URL which will be shown as the first link icon on in the Edge application, you can also leave this blank. Then press Next.

We will once again assign this to our user group before we press Next.

Review your settings before you click Create on the last page.

We have now successfully deployed the Microsoft Edge application to both Android and iOS devices.

You can review the application if you navigate to Apps > All apps, where you can see all applications which has been added to your environment. You can also filter out each platform by selection each platform in the left side menu.

The application configuration which where created as part of this guided scenario can be found under Apps > App configuration policies.

Feel free to add additional apps to your environment, easiest is to go to Apps > iOS then select “+ Add” and select “iOS Store app” as App type. Then search for the app that you which to deploy to your devices.

Search for an application you want to deploy by clicking on “Search the app store” and search for an application. When you have found your application, click Select then leave all information to default and click Next.

Applications can be setup as either required or available. Required means that it will be automatically installed, available means that the user will see the application in the Company Portal and install it from there. Since our other application is set as required, we will make this available for enrolled devices by targeting the assignment towards our user group. When you have added the group, click Next.

On the last page, review your settings before you click Create.

You have now successfully added an second app to your iOS devices.

Enroll your device!

Now it’s time to enroll your device by downloading the Company Portal from the Apple AppStore, this will require an Apple ID to download.

Once you have downloaded the application, open the app and sign in with the user we created earlier.

You will be prompted that your device is not managed and asked to enroll it.

Follow the guide through the process.

Once you have enrolled your device, you will notice that the Microsoft Edge application will be installed and that you will be asked to set a PIN code which meets the requirements set earlier in this part.

Navigate to Device > iOS/iPadOS and you will see your device listed. Click on the device to show more settings and to perform remote actions such as removing the PIN, retiring the device which will remove the enrollment or completely wipe the device which will perform a factory reset.

You will also notice that some actions are grayed out since we are not using the Apple Automate Device Enrollment program.

Ending notes…

You can add additional Configuration profiles to your device and applications. Feel free to play around a bit with it and see what you can do!

In the next part, we will setup management for Android.

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.