Enterprise Mobility and Security Blog


Howdy folks,

Today it’s time for another blog in our Windows 10 series!

This time we’re walking you through the steps to turn on auto-MDM enrollment with Azure Active Directory (AD) and Microsoft Intune. This is a capability we’ve just recently enabled that many of you have been asking about.

By combining login, Azure AD Join and Intune MDM enrollment in one easy step, we’ve made it drop dead simple to bring devices into a well-managed state that complies with your corporate policies.

To give you the details on how to enable this cool new set of features, I’ve asked Mahesh Unnikrishnan, the PM from my team who led much of the work to build this combined solution, to write up a blog post. You’ll find it below.

This “one step” enrollment is a unique new capability of Windows 10, one that really differentiates it from other mobile platforms. I’ve already received a lot of questions on Twitter about when it would be available and I hope you find it as exciting as we do!

And as always, we would love to receive any feedback or suggestions you have.

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity and Security Services Division

—————————-

Hi there!

I’m Mahesh Unnikrishnan, the PM responsible for integrating mobile device management (MDM) solutions such as Microsoft Intune with Azure AD. In a previous blog post, we discussed how we’re enabling automatic MDM enrollment of both corporate owned as well as personally owned Windows 10 devices. Since then, it’s been an exciting few weeks for us, culminating in last week’s launch of Windows 10. We are excited to announce that the Azure AD configuration experience to enable automatic MDM enrollment with Microsoft Intune is now generally available. In this post, we walk through how you can configure this feature in Azure AD.

Get your subscriptions

  • Microsoft Intune: If you do not have an existing subscription to Microsoft Intune, you can sign up for a trial subscription.
  • Azure AD Premium is required to configure automatic MDM enrollment with Intune. If you do not have a subscription, you can sign up for a trial subscription.

Configure automatic MDM enrollment

In the Azure management portal, navigate to the ‘Active Directory’ node and select your directory.

Click on the ‘Applications’ tab and you should see Microsoft Intune in the list of applications. Note that if you do not have an Azure AD Premium subscription or do not have a Microsoft Intune subscription you will not see Microsoft Intune in the list of applications.

Click on the arrow and you should see a page that enables you to configure Microsoft Intune.

Click the ‘Configure’ button to start configuring automatic MDM enrollment with Microsoft Intune. On the Configure tab of this page, you can see a couple of URLs for Intune:

  • MDM Enrollment URL – This URL is used to enroll Windows 10 devices for management with Microsoft Intune. This is done automatically when users join their devices to Azure AD or when they add a work account to their Windows 10 machine, if automatic MDM enrollment is enabled for them.
  • MDM Terms of Use URL – Currently this URL is empty for Microsoft Intune. The ability to configure custom terms of use for users to see as part of the enrollment process will be made available in an Intune update shipping later this year. For now, leave this URL field empty.
  • MDM Compliance URL – When a device is found to be out of compliance, Azure AD’s conditional access control engine will block access to users for applications that require compliant devices. In this scenario an access denied message will be displayed to end users. Users will also see this compliance URL on the access denied page. The compliance URL helps end users understand why their device is not compliant with policy and how they can bring it back into compliance.

You do not need to change any of these URLs. They are automatically configured for your Azure AD tenant.

On scrolling down further, you will notice a setting that lets you specify which users’ devices should be managed by Microsoft Intune. These users’ Windows 10 devices will be automatically enrolled for management with Microsoft Intune.

The simplest option is to specify that all users’ Windows 10 devices be managed by Microsoft Intune. However, you also have the flexibility to specify that only users belonging to a specific set of groups should have their devices managed by Microsoft Intune. This is useful for performing phased rollouts of the feature in your organization. You can start off with a few groups and subsequently roll out the deployment more broadly in your organization.

To roll out automatic MDM enrollment with Microsoft Intune to only a select group of users, slide the toggle to ‘Groups’.

When you click the ‘Select Groups’ button, you should see a group picker with the ability to specify groups this capability should be rolled out to.

That’s it! When you’re done, hit ‘Save’ and automatic MDM enrollment with Microsoft Intune will be enabled for both corporate owned and personally owned devices that are joined to Azure AD.
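If you want to check the saved configuration against the guidance above without clicking back through the portal, here is an added Python example (not from the original post or from the Intune/Azure AD product) that audits an exported policy: scope set to ‘All’ or to ‘Groups’ with at least one group, enrollment and compliance URLs present and HTTPS, and the Terms of Use URL left empty or HTTPS. It assumes the export uses field names modelled on the Microsoft Graph mobilityManagementPolicy resource (appliesTo, discoveryUrl, termsOfUseUrl, complianceUrl, includedGroups), which is an assumption, and the URLs in the sample are constructed placeholders, not the real Intune endpoints.

```python
"""Audit an exported Azure AD automatic-MDM-enrollment policy.

Added example, not part of the original post. Field names are modelled on the
Microsoft Graph mobilityManagementPolicy resource; that shape is an assumption.
"""
from urllib.parse import urlparse

# Constructed sample export. The URLs are placeholders, not Intune's real endpoints.
SAMPLE_POLICY = {
    "displayName": "Microsoft Intune",
    "appliesTo": "selected",          # 'none', 'all' or 'selected' (portal: Groups)
    "discoveryUrl": "https://mdm-enrollment.example.invalid/EnrollmentServer/Discovery.svc",
    "termsOfUseUrl": "",              # the post says to leave this empty for now
    "complianceUrl": "https://compliance.example.invalid/",
    "includedGroups": [
        {"id": "00000000-0000-0000-0000-000000000001", "displayName": "Pilot-Win10"},
    ],
}


def _is_https(url):
    """True when the URL has an https scheme and a host part."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def audit_mdm_policy(policy):
    """Return a list of findings; an empty list means the policy matches the post's guidance."""
    findings = []
    scope = policy.get("appliesTo", "none")
    groups = policy.get("includedGroups", [])
    # Scope: 'Groups' with no groups selected enrolls nobody, which is easy to miss.
    if scope == "none":
        findings.append("auto-enrollment is off: no users' devices will be enrolled")
    elif scope == "selected" and not groups:
        findings.append("scope is 'Groups' but no groups are selected: nobody will be enrolled")
    elif scope == "all" and groups:
        findings.append("scope is 'All' so the listed groups are ignored")
    # The enrollment (discovery) and compliance URLs must be present and HTTPS.
    for name in ("discoveryUrl", "complianceUrl"):
        url = policy.get(name, "")
        if not url:
            findings.append(f"{name} is empty")
        elif not _is_https(url):
            findings.append(f"{name} is not https: {url}")
    # Terms of Use is optional; if someone did set it, it must at least be HTTPS.
    tou = policy.get("termsOfUseUrl", "")
    if tou and not _is_https(tou):
        findings.append(f"termsOfUseUrl is set but not https: {tou}")
    return findings
```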

Please give automatic MDM enrollment a try and send us your questions and feedback. Keep watching this space to learn more about the cool features we’re building in Windows 10 and Azure AD as we continue this blog series.

As always we look forward to and welcome your feedback.

Thanks,

Mahesh Unnikrishnan

Senior Program Manager

Microsoft Identity and Security Services Division