What is Microsoft Intune MDM?
Enrol your Windows 10 device
Do the following on the Windows 10 device that you want to set up as a Trusted Device.
- Microsoft Intune <> Microsoft Windows 10 device
Two things need to be configured for the device to be fully set up:
- Add corporate account to this device
- Connect this device to work
1. Add corporate account to this device
Search for and open "Manage your account".
Click on "Access work or school".
This is found under Settings > Accounts > Access work or school.
Under the "Access work or school" section, click on "Connect".
You will be prompted for your login details. Enter your test user's details here.
As I configured Okta to be the Identity Provider for Microsoft Office 365 via WS-Federation Single Sign-On (SSO) integration, it will prompt me for my Okta username and password. I will log in with the corresponding test user that I have in both Okta and Microsoft Azure Active Directory.
It will then register my Windows 10 device.
Once completed, it will show the confirmation "You're all ready!".
Then you will see your account listed under the "Connect" button.
2. Connect this device to work
We will need to install Microsoft Intune "Company Portal" to further set up our device for corporate use.
Go to the "Microsoft Store", search for "Company Portal" and click "Get" to install it.
Under the "Devices" section, click on "This device hasn't been set up for corporate use yet. Select this message to begin setup."
It will prompt you to "Connect this device to work", click "Next".
You will then be prompted for two values: 1) your email address, and 2) the MDM management endpoint (also called the MDM server URL or MDM discovery URL), which for Intune is https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
You will then be prompted to sign in to Microsoft Intune. As before, this sign-in goes through Okta, our identity provider, which we have configured to federate identity from Okta to Microsoft Office 365 / Microsoft Azure Active Directory.
Once we have signed in successfully, we can move to the next step.
Click "Got it".
Then we just wait for the device to connect with Microsoft Intune. We can do other things while we are waiting.
When it is done, we will get a "You're all set!" message.
If we go back to our Microsoft Endpoint Manager, we can now see our Windows 10 device managed by Microsoft Intune and Okta.
Under Devices > Windows > Windows devices
You are all set now!
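Once the device reports "You're all set!", it is worth confirming from the device itself that the registration and the MDM enrolment actually happened, and that the enrolment points at the Intune discovery endpoint we typed in rather than some other MDM server. The PowerShell below is an added example and is not part of the original post; it assumes it is run in an elevated PowerShell on the enrolled Windows 10 device, and that the enrolment records live under HKLM:\SOFTWARE\Microsoft\Enrollments with the value names ProviderID, UPN, EnrollmentState and DiscoveryServiceFullURL (as observed on Windows 10; treat these names as an assumption of the example).

```powershell
# Added verification script (not from the original post). Checks three things on this device:
#   1. Azure AD / workplace registration state, via dsregcmd
#   2. MDM enrolment records in the registry (assumed value names, see lead-in)
#   3. That every enrolment's discovery URL is the Intune endpoint from the walkthrough
# Run in an elevated PowerShell on the enrolled Windows 10 device.

$ExpectedDiscoveryUrl = 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc'

# 1. Registration state. "Add corporate account" (Azure AD registered) shows WorkplaceJoined : YES;
#    a full Azure AD join would show AzureAdJoined : YES.
Write-Host '== Registration state (dsregcmd /status) =='
dsregcmd /status |
    Where-Object { $_ -match '^\s*(AzureAdJoined|WorkplaceJoined|DomainJoined)\s*:' } |
    ForEach-Object { $_.Trim() }

# 2. MDM enrolment records. Each enrolment is a GUID-named subkey; only keys that carry a
#    ProviderID are real enrolments (other subkeys hold bookkeeping data).
Write-Host "`n== MDM enrolments =="
$enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.ProviderID) {
            [pscustomobject]@{
                EnrollmentId = $_.PSChildName
                ProviderID   = $p.ProviderID              # Intune reports 'MS DM Server'
                UPN          = $p.UPN                     # user the device was enrolled with
                State        = $p.EnrollmentState         # assumed: 1 = enrolled
                DiscoveryUrl = $p.DiscoveryServiceFullURL # endpoint typed during enrolment
            }
        }
    }

if (-not $enrollments) {
    Write-Warning 'No MDM enrolment found. The Company Portal step did not complete.'
    return
}
$enrollments | Format-Table -AutoSize

# 3. Flag any enrolment whose discovery URL is not the expected Intune endpoint.
#    A device enrolled against an unexpected MDM server can receive configuration
#    from that server, so this is the line a defender wants to see empty.
foreach ($e in $enrollments) {
    if ($e.DiscoveryUrl -and ($e.DiscoveryUrl -ne $ExpectedDiscoveryUrl)) {
        Write-Warning "Enrolment $($e.EnrollmentId) uses unexpected discovery URL: $($e.DiscoveryUrl)"
    }
}
```

If the registry key names differ on a newer Windows build, the `Get-ItemProperty` call simply returns empty fields; the dsregcmd section still tells you whether the account step (section 1) succeeded.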
Setting up enrolment for your mobile devices
If you need to manage Android and/or Apple devices with Microsoft Intune, you need to configure Microsoft Intune to connect with Google Android Enterprise and/or Apple Business Manager. That is:
- Microsoft Intune <> Google Android Enterprise
- Microsoft Intune <> Apple Business Manager
To kick this off, in Microsoft Endpoint Manager, go to the "Devices" overview and click on "Enroll devices".
Microsoft Endpoint Manager > Devices
Configure Microsoft Intune to enroll Android devices
In order to manage Android devices, we need to connect Microsoft Intune with Google Android Enterprise.
To do this, go to:
Microsoft Endpoint Manager > Devices > Enroll devices > Android enrolment
Click on "Managed Google Play".
Under "I grant Microsoft permission to send both user and device information to Google. Learn more", tick "I agree".
Then click on "Launch Google to connect now".
A browser window will pop up; click the "Get started" button.
Enter your business name and click Next.
Fill in your Data Protection Officer and EU Representative details.
Tick "I have read and agree to the Managed Google Play agreement."
You will then receive a "Set up complete" message.
You can close the window, or click on the "Complete Registration" button, which also closes the window.
If you go back to Microsoft Endpoint Manager, you will see that your Google account has now been authorised in Microsoft Intune.
It will show Status = Set up (green tick).
You will then be able to manage your Android devices from Microsoft Intune using your Google Account.
You will now have several options for managing your Android devices, depending on your preferences and on whether you are managing corporate-issued Android devices or personal Android devices.
As we are testing, let's use the "Corporate-owned, fully managed user devices" option.
Click on "Corporate-owned, fully managed user devices".
Where it says "Allow users to enrol corporate-owned user devices", click "Yes".
This gives you two ways to enrol a device, which to use depends on the Android OS and version of your device:
- an enrolment token (a random string), and
- a QR code for your Intune tenant.
Configure Microsoft Intune to enrol Apple iOS
In order to manage Apple devices, we need to connect Microsoft Intune with Apple.
Specifically, Apple will only let you manage Apple devices if you have an Apple Business Manager account.
Once you have that, follow these steps:
Microsoft Endpoint Manager > Devices > Enroll devices > Apple enrolment
Click on "Apple enrolment".
Click on "Apple MDM Push certificate".
Check the tickbox for "I agree".
Click on "Download your CSR" to download the Intune certificate signing request (CSR) to your computer.
- Create your Apple MDM push certificate using that CSR. More information on the Apple MDM push certificate is linked from this page.
An Apple MDM Push certificate is required for Intune to manage iOS/iPadOS and macOS devices. When a push certificate expires, you must renew it. When renewing, make sure to use the same Apple ID that you used when you first created the push certificate.
- Apple ID - Enter the Apple ID used to create your Apple MDM push certificate.
- Browse to your Apple MDM push certificate to upload.
- Click "Upload" when you're ready.
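Because an expired push certificate silently ends Intune's ability to manage the Apple devices, it is worth tracking the expiry date of the certificate file Apple gives you back before you upload it. The script below is an added example, not part of the original post or of Intune; it assumes the file downloaded from Apple is a single PEM-encoded certificate and that its path is as shown (a placeholder; substitute your own).

```powershell
# Added example (not from the original post). Loads the Apple MDM push certificate file that
# Apple returns for the Intune CSR and reports how long it remains valid, so renewal (with the
# same Apple ID that created it) can be scheduled before management of iOS/iPadOS/macOS stops.
# Assumptions: the file is one PEM-encoded certificate; the path below is a placeholder.

function Get-PushCertExpiry {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$WarnDays = 30   # warn when this many days or fewer remain
    )
    if (-not (Test-Path -Path $Path)) {
        throw "Certificate file not found: $Path"
    }
    # X509Certificate2 accepts a PEM-armoured certificate file on Windows.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        DaysLeft     = $daysLeft
        NeedsRenewal = ($daysLeft -le $WarnDays)
    }
}

# Placeholder path: replace with the file you downloaded from the Apple Push Certificates Portal.
$result = Get-PushCertExpiry -Path 'C:\Intune\MDM_Microsoft_Corporation_Certificate.pem' -WarnDays 30
$result | Format-List

if ($result.NeedsRenewal) {
    Write-Warning "Apple MDM push certificate expires in $($result.DaysLeft) days; renew it in Microsoft Endpoint Manager with the original Apple ID."
}
```

Run this against the same file you are about to upload, and again from a scheduled task once a month; the `NeedsRenewal` flag is the only value an alerting job needs to look at.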