Script to remind Office 365 users to enrol their device to InTune

When I have a little downtime (which isn’t often!), I like to sit around and think of cool things I can automate using PowerShell. I have a .txt file that I put all these ideas into and every now and then have a crack at solving one.

Just recently I was playing around with Office 365 and Windows InTune and this idea struck me.

With the licensing model of Office 365 being user based, people are syncing their mail to more and more devices. They’ll have Outlook on their work laptop, email syncing on their Windows Phone, and probably syncing on their Apple and/or Android tablet as well. The problem with having so many devices is IT tracking and managing their corporate data. Of course, InTune is the obvious tool to manage these devices.

Getting your users to enrol their devices into InTune is one of the main challenges. As the registration has to happen from the end user's side, I thought I'd write a script to help pester your users into registering their iPads, iPhones, Androids and Windows Phones into your InTune MDM.

The idea is for this script to be run as a scheduled task. It will connect to your o365 tenant subscription and discover all those users who have synced their device with o365 since the last scheduled task ran. It will then send that user an email reminding them to enrol their device to InTune.

The email to your users can obviously be customized, but here's a look at what I've given you by default:

[image: the default reminder email, with the Intune logo, greeting, enrolment link and a device details table]

I’ve also added a testing mode switch, so you don’t spam your o365 users while doing your dev and test.

Here’s the script.

# --- Configuration ---
$O365Username = "your@username.onmicrosoft.com" # Add your o365 admin username here
$SendEmail = $true # Change this to $false during testing. Output will be returned to the console instead
$DeviceRegistrationTimeFrame = -1000000 # Look-back window in hours. Set this to the schedule of your scheduled task (e.g. -24 for a daily task)
$InServiceMode = $true # Configure this to $true when running as a scheduled task. This stops the PSSession from unloading every time it's run

# --- Functions ---
# Defined before they are called: a script is parsed top-down, so calling Connect-O365
# before the Function block is reached fails with "not recognized as a cmdlet".

Function Connect-O365 {
    # Store the credential in the script scope so the mail step can reuse it for SMTP authentication
    $script:UserCredential = Get-Credential -UserName $O365Username -Message "Enter o365 password"
    # Legacy Exchange Online remote PowerShell endpoint (Basic auth over HTTPS)
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $script:UserCredential -Authentication Basic -AllowRedirection
    # Import the remote cmdlets into the global scope so they are still available after this function returns
    Import-Module (Import-PSSession $Session -DisableNameChecking) -Global
}

Function Disconnect-O365 ($SessionID) {
    Remove-PSSession $SessionID
}

# --- Ensure o365 session ---
# Connect only if there is no open Exchange Online session already
$ExchangeSession = Get-PSSession | Where-Object { $_.ConfigurationName -eq "Microsoft.Exchange" -and $_.State -eq "Opened" }
If (!$ExchangeSession) { Connect-O365 }
ElseIf (!$UserCredential) {
    # Session reused from an earlier run, but SMTP still needs a credential
    $UserCredential = Get-Credential -UserName $O365Username -Message "Enter o365 password"
}

# --- Get o365 data ---
Get-MobileDevice | Where-Object { $_.WhenCreated -gt (Get-Date).AddHours($DeviceRegistrationTimeFrame) } | ForEach-Object {

    $User = Get-User -Identity $_.UserDisplayName
    $AccountDisplayName = $User.DisplayName
    $AccountFirstName = $User.FirstName
    $AccountEmail = $User.WindowsEmailAddress
    $DeviceId = $_.DeviceId
    $DeviceOS = $_.DeviceOS
    $UserDisplayName = $_.UserDisplayName
    $ClientType = $_.ClientType
    $IsCompliant = $_.IsCompliant
    $IsDisabled = $_.IsDisabled
    $Name = $_.Name
    $WhenChanged = $_.WhenChanged
    $WhenCreated = $_.WhenCreated
    $Id = $_.Id
    $IsValid = $_.IsValid

    # Email authorization
    # Decided per device: overwriting $SendEmail here would silence every later user once one disabled device is seen
    $SendThisEmail = $SendEmail
    If ($IsDisabled -eq $true) { $SendThisEmail = $false }
    If ($IsValid -eq $false) { $SendThisEmail = $false }

    # Mail info
    $SMTPServer = "smtp.office365.com"
    $SMTPPort = 587
    $SMTPCredential = $UserCredential
    $EmailRecipient = $AccountEmail
    $EmailSender = $O365Username
    $EmailSubject = "$AccountFirstName, don't forget to enroll your device to InTune!"
    # Expanding here-string: $Variables are substituted, quotes need no escaping
    $Body = @"
<html>
<head>
<title>Enroll Your Device Today!</title>
<style>
body {
font-family: Verdana;
}
#HeadingTitle {
text-align: center;
font-size: large;
margin-top: 10px;
color: blue;
}
#HeadingBox {
width: 60%;
height: 70px;
position: absolute;
top: 10px;
left: 20%;
right: 20%;
vertical-align: middle;
background-color: white;
}
#BodyText {
width: 60%;
height: 60%;
position: absolute;
top: 100px;
left: 15%;
right: 20%;
vertical-align: middle;
text-align: center;
}
table.center {
margin-left: auto;
margin-right: auto;
font-size: x-small;
position: relative;
top: 30px;
color: gray;
}
</style>
</head>
<body>
<div id="BodyText">
<!-- Intune logo. Please add your company logo too. -->
<img src="https://secure.aadcdn.microsoftonline-p.com/aadbranding/1.0.1/aadlogin/Intune/logo.png"><p>
<!-- First line "Hello Name," -->
Hello $AccountFirstName, <p>
<!-- Second line "Thank you for syncing your device with Office 365!" -->
Thank you for syncing your device with Office 365! <p>
<!-- Third line "To ensure your device is fully managed and supported by the internal IT team, please ensure you enroll your device to InTune via the URL below" -->
To ensure your device is fully managed and supported by the internal IT team, please now enrol your device into InTune via the link below <p>
<!-- Fourth line: link to the manage portal -->
<a href="http://manage.microsoft.com">Manage My Device!</a><p>
<!-- Fifth line "Thanks," -->
Thanks,<p>
<!-- Sixth line "Your IT Team". Please add your IT department -->
<b>Your IT Team</b>
<!-- Device Details -->
<table class="center">
<tr>
  <td><b>Username</b></td>
  <td>$UserDisplayName </td>
</tr>
<tr>
  <td><b>Enrolled</b></td>
  <td>$WhenCreated </td>
</tr>
<tr>
  <td><b>Device OS</b></td>
  <td>$DeviceOS </td>
</tr>
<tr>
  <td><b>Device ID</b></td>
  <td>$DeviceId </td>
</tr>
</table>
</div>
</body>
</html>
"@

    # Send Email
    If ($SendThisEmail -eq $true) {
        Send-MailMessage -To $EmailRecipient -From $EmailSender -Subject $EmailSubject -UseSsl -Port $SMTPPort -SmtpServer $SMTPServer -Credential $SMTPCredential -BodyAsHtml -Body $Body
    }
    Else {
        Write-Host "----- Output to console for testing -----"
        Write-Host "----- To: $EmailRecipient -----"
        Write-Host "----- From: $EmailSender -----"
        Write-Host "----- Subject: $EmailSubject -----"
        Write-Host "----- Body: Not added to testing -----"
    }

}

# --- Close session if not in service mode ---
# Note: -eq, not = (a single = would assign $false and never run the block)
If ($InServiceMode -eq $false) {
    Get-PSSession | ForEach-Object { If ($_.ConfigurationName -eq "Microsoft.Exchange") { Disconnect-O365 $_.Id } }
}
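Two things in the script above get in the way of a genuinely unattended scheduled task: Get-Credential needs someone at a console, and a fixed look-back window in hours either mails the same user twice (window wider than the task interval) or misses devices (window narrower, or the task skipped a run). The following is an added example, not part of the original script, showing the helpers I would bolt on for scheduled-task use: a credential stored once with Export-Clixml, which protects the password with DPAPI so only the same account on the same machine can read it back, and a last-run timestamp file so the filter is exactly "since the last run". The file paths and function names are my own assumptions.

```powershell
# Added example: unattended helpers for the reminder script (not part of the original post).
# Paths are assumptions; point them at the profile of the account that runs the task.
$CredentialPath = "$env:USERPROFILE\IntuneReminder.cred.xml"
$LastRunPath    = "$env:USERPROFILE\IntuneReminder.lastrun.txt"

Function Save-ServiceCredential {
    # Run ONCE, interactively, logged on as the account the scheduled task uses.
    # Export-Clixml encrypts the SecureString with DPAPI, so the file only decrypts
    # for that user on that machine. Anyone who can run code as that account can
    # read it, so keep the account's logon rights tight.
    param([string]$UserName)
    Get-Credential -UserName $UserName -Message "Enter o365 password" |
        Export-Clixml -Path $CredentialPath
}

Function Get-ServiceCredential {
    # Used by the scheduled task in place of Get-Credential (no prompt).
    If (-not (Test-Path $CredentialPath)) {
        throw "No stored credential at $CredentialPath. Run Save-ServiceCredential first."
    }
    Import-Clixml -Path $CredentialPath
}

Function Get-LastRunTime {
    # First run: fall back to a 24-hour window rather than mailing every device ever synced.
    If (Test-Path $LastRunPath) {
        $Text = (Get-Content -Path $LastRunPath -Raw).Trim()
        [DateTime]::Parse($Text, [Globalization.CultureInfo]::InvariantCulture)
    }
    Else {
        (Get-Date).AddHours(-24)
    }
}

Function Set-LastRunTime {
    param([DateTime]$Time)
    # Round-trip ("o") format so the value parses the same whatever the regional settings.
    $Time.ToString("o") | Set-Content -Path $LastRunPath
}

Function Get-NewMobileDevices {
    # Devices synced since the previous run, plus the timestamp to record once they
    # have been processed. Capturing $Now before the query closes the gap where a
    # device created during the query would otherwise be skipped or seen twice.
    $Since = Get-LastRunTime
    $Now   = Get-Date
    $Devices = Get-MobileDevice | Where-Object { $_.WhenCreated -gt $Since -and $_.WhenCreated -le $Now }
    [PSCustomObject]@{ Since = $Since; Until = $Now; Devices = $Devices }
}

# Usage inside the scheduled-task script (replaces Get-Credential and the fixed hours window):
#   $UserCredential = Get-ServiceCredential
#   $Batch = Get-NewMobileDevices
#   $Batch.Devices | ForEach-Object { <# build and send the reminder as in the script above #> }
#   Set-LastRunTime -Time $Batch.Until   # only after the whole batch was processed successfully
```

Writing the timestamp only after the batch has been sent means a crash mid-run re-sends that batch next time rather than silently dropping it, which is the safer failure mode for a reminder.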

Matt Shadbolt