MS-101 Microsoft 365 Mobility and Security Topic: Planning for Device Management
December 16, 2022

1. Planning for Device Management

With Microsoft 365, you might have the opportunity, depending on your plan, to leverage mobile device management or even Windows Intune to manage your mobile devices. We’re typically managing most of our devices on our internal network, either through Group Policy Objects or through System Center Configuration Manager. However, as more organizations begin to leverage that large volume of software as a service in the cloud, they begin to look to the cloud in terms of infrastructure and how they can begin to manage things in the cloud a little bit better. One of the things that happens is that we start integrating our Active Directory domain services with Azure Active Directory. Now that we’ve got that synchronization going on in that environment, Microsoft thinks that we might want to think about something known as Microsoft Modern Management.

The idea is to migrate from an on-premises environment to cloud-based services, using Azure Active Directory as the identity and access management solution for access control, and running the software-as-a-service offerings, messaging, security, and all those other workloads there. We can manage all of that in the cloud without having to worry about on-premises solutions. This is where Microsoft says that maybe one of the things we want to start thinking about is a cloud-based management solution, right? What Microsoft calls co-management is their initial step, their initial introduction to this idea of cloud-based management for your products and for your devices out there in the environment, right?

You can continue to use whatever you do on premises, right? I still have the ability to use my GPOs and my System Center Configuration Manager for all of my on-premises resources, but I can also add mobile device management for some of those environments. So I can take advantage of that cloud capability without having to give up everything that I’ve already set up and planned in my environment. Now, co-management integrates that Configuration Manager with Microsoft Intune in the cloud. So I’ve got a Windows 10 device now, and it can be managed in both locations. The nice thing about this is that doing that doesn’t have to affect how I manage my environment today. I can actually set up co-management just so that we can start testing it and working with it, and still continue to manage all of my workloads for all of my devices in my on-premises Configuration Manager.

Now, once we’re ready, we can actually start using Intune for modern management features like conditional access, so that I can make sure a device has to be enrolled in mobile device management before it’s allowed to access, for example, our Exchange organization. So we can begin enforcing policies and capabilities on those mobile devices with Intune, which has some features that our Configuration Manager did not have. Right. We want to check the devices that are accessing our data, because we want to make sure those devices are actually compliant with our policies in this mobile world. That avoids the situation where somebody says, for example, “I went into a hotel business centre and connected with a device that is not compliant,” and all of a sudden they leave us exposed in a way that we didn’t want. The idea here is that with this modern management approach, we have the ability to make sure that all of those things are current and available in our environment. And of course, we can also push out things like updates using a cloud-based update management system.

2. Prerequisites for Using Co-Management

If you’re ready to start using a management environment where you’re going to integrate your System Center Configuration Manager with Intune, there are a few things that you have to have in place. First off, my on-premises Active Directory Domain Services must be synchronized with Azure Active Directory. So I have to be running Azure AD Connect and synchronising my environment.

Now, with that said, it’s not forcing me to use any specific authentication method, so I don’t have to use ADFS, pass-through authentication, or password hash sync; any of those choices is fine, but I do have to be synchronising my on-premises directory with the Azure Active Directory environment. My on-premises System Center Configuration Manager has to be version 1710 or newer. So you must have that version running. I’m going to need Intune in the cloud to do this. Now, you can either have Intune as a standalone subscription, or you can use it as part of your EMS suite.

Right. If you have the Enterprise Mobility and Security suite, you have the ability to work with Intune as part of that. It comes with an EMS E3 or E5 plan and gives you the ability to leverage that as well. Now, the systems that you want to manage, your Windows 10 devices, need to be running version 1709 or newer in order to integrate and manage them from both locations. And finally, the device itself that I want to manage has to be joined to my on-premises Active Directory Domain Services and to Azure Active Directory. So I’m going to have to make sure that it’s joined in both locations. Otherwise, I’m not going to be able to implement the co-management functionality.
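The prerequisites above can be verified on the device itself before you try to enable co-management. The following PowerShell script is an added example written for this page, not course material or Microsoft sample code; it runs as an administrator on the Windows 10 device to be co-managed and reports hybrid join state (from dsregcmd), the Windows build, whether the Configuration Manager client is installed, and whether an Intune enrollment is present. The Configuration Manager site version (1710 or newer) is a server-side requirement and is not checked here; the ProviderID value used to recognise an Intune enrollment is an assumption based on how the registry looks on enrolled devices.

```powershell
# Added example, not from the course: a read-only co-management prerequisite check.
# Run as administrator on the Windows 10 device you intend to co-manage.

function Test-CoManagementPrereqs {
    $results = [ordered]@{}

    # 1. Joined to on-premises AD DS and to Azure AD (hybrid Azure AD join).
    #    dsregcmd /status prints lines such as "DomainJoined : YES" and "AzureAdJoined : YES".
    $dsreg = dsregcmd /status
    $results['DomainJoined']  = [bool]($dsreg -match '^\s*DomainJoined\s*:\s*YES')
    $results['AzureAdJoined'] = [bool]($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')
    $results['HybridJoined']  = $results['DomainJoined'] -and $results['AzureAdJoined']

    # 2. Windows 10 version 1709 or newer. 1709 corresponds to build 16299.
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $results['WindowsBuild']    = $build
    $results['Windows1709Plus'] = $build -ge 16299

    # 3. Configuration Manager client installed (CIM class SMS_Client in the root\ccm namespace).
    $client = Get-CimInstance -Namespace root\ccm -ClassName SMS_Client -ErrorAction SilentlyContinue
    $results['ConfigMgrClientVersion'] = if ($client) { $client.ClientVersion } else { 'not installed' }

    # 4. MDM (Intune) enrollment present. Assumption: an enrollment subkey whose
    #    ProviderID is "MS DM Server" indicates Intune.
    $enrolled = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ProviderID -eq 'MS DM Server' }
    $results['IntuneEnrolled'] = [bool]$enrolled

    # Overall verdict: hybrid joined, supported build, and ConfigMgr client present.
    $results['ReadyForCoManagement'] = $results['HybridJoined'] -and $results['Windows1709Plus'] -and ($null -ne $client)

    [pscustomobject]$results
}

Test-CoManagementPrereqs | Format-List
```

A device that shows HybridJoined as False is the most common failure: it is domain joined but the hybrid Azure AD join (driven by Azure AD Connect and the device registration policy) has not completed, so Intune auto-enrollment will never succeed for it.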

3. Enabling Co-Management

In order to enable co-management, you’re going to need an on-premises System Center Configuration Manager and a cloud-based Intune environment, and there are a few things that we have to go through. Right? So first of all, my Windows 10 devices that I want to co-manage need to be joined to Active Directory Domain Services on premises, and that directory service needs to be synced with Azure Active Directory. Right. We need the Configuration Manager client on those Windows 10 devices, and typically we’ll configure the client to automatically enrol the device into Intune.

So the device ends up enrolled in mobile device management automatically. Now, if I have devices that are already enrolled in Intune but do not have the Configuration Manager client, I can deploy the Configuration Manager client to that device as an Intune application, which installs the client. So now we have it in both locations. Right? Now, if I’ve got a brand new device that’s not enrolled in Intune and not enrolled in System Center Configuration Manager, I can use automatic enrollment to have it enrol in Intune. Because it’s enrolled in Intune, Intune can then push the Configuration Manager client out to that system, allowing us to manage it from both locations. And of course, we can also enable this right through Azure Active Directory: if a device is joined to Azure Active Directory, we can set it up for automatic enrollment.

4. Transferring Service to Intune

When you’re in a comanagement situation where you have System Center Configuration Manager on premises and you’ve connected it to Intune in the cloud, you have different services and different workloads that you can decide where you want to manage them.

As a result, we will not necessarily manage a workload in both locations. Instead, we decide, for example for our compliance policies, whether we want all the rules for what a device has to meet in order to be compliant to live in Intune. If so, we move the compliance policies workload into Intune, and now it’s managed there as opposed to in our on-premises System Center Configuration Manager. We can decide the same for our resource access policies, which cover things like certificates, VPN access, and configuring email profiles for users. Our Windows Update policies dictate where devices get their updates from, which updates are pushed out to them, and how long installation of Windows updates is deferred. All of these are decisions we have to make.

Do we want them to run in our on-premises environment, or do we want to run them up in the cloud using Intune and manage them from there? Now, in addition to that, we have endpoint protection, where we can control some of the security features for Windows 10. Again, do we want to force BitLocker on there? Where are they going to get their updates from in terms of the definition files and things like that? We can control that from either location, but we have to make a decision as to where that workload is actually going to be managed. Next are device configurations, for the various settings that we’re going to configure for our devices. If we’re going to lock things down, we can do it from Intune, or we could do it from our on-premises Configuration Manager. And if you’re running any of those Office click-to-run apps like Office Pro Plus, Visio, and things like that, that’s a workload too.

We have the ability to add these as an Intune-managed product, move that workload into the cloud, and now the app will actually show up in the Company Portal on the device. In addition to that, various client apps and PowerShell scripts that we may want to run on these devices could be run from either location, depending on where we’re going to establish that workload. Now, these are the workloads that are presently available. Microsoft is in the process of adding more workloads, so you may see more available at some point in the future.

5. What is the Microsoft Store for Business?

With Windows 10, businesses have the ability to take advantage of the Microsoft Store for Business. The Microsoft Store for Business gives us the ability to acquire apps for our organisation and then make them available to our Windows 10 devices. We have the ability to control what’s available, and we get this benefit for free. You don’t even have to have a paid subscription for Microsoft 365 or anything else to do it. Most organisations likely already have an Azure Active Directory environment, but if you don’t, when you set up a Microsoft Store for Business for your organization, it will actually create one for you. And you can scale this up or down depending on your size. So whether you have five people working for you or 5,000 people or more, it doesn’t matter. The Microsoft Store for Business is going to help you distribute applications to your end users. It’s a very familiar infrastructure. People are used to going to the various stores.

The Microsoft Store for Business is going to give them that same interface and that same feel that they’re used to working with, except it’s a private store, which means we get to decide which apps are going to be available in that store. And you must have a corporate ID to log in to the store and be able to access it. It also helps that we can buy in bulk. So if I wanted to, I could get a discount. If I need 1000 licences for something, I’m probably going to get a better price for it than if I have each person go to the Microsoft Store and purchase it independently. Right? It also gives us centralised management, so I can go in there and see which applications we have, how many licences we have available, who’s using those licences, and I can even reclaim those licences if I wanted to. So we have the ability to track those licences. We also get to decide how we want to distribute them. Some apps are distributed right through the store, and the only way to get them is for the people to go to the actual Store for Business.

With other apps, the admin has the ability to actually download the app and push it out through our internal software management solution. So you have some choices there. We can also leverage the Store for Business if we have custom line-of-business applications, which we can load into the Store for Business to make available to our employees as well. So it gives us that capability. And the other nice thing about this is that our apps will always be up to date, right? The Store for Business will automatically update the apps to the latest version. We have the ability to have the user download and install it, and once they’ve installed it, we can have automatic updating update the app whenever something changes. Now the nice part about that is that the application is packaged, and as a packaged application, it downloads the entire application package and all of its dependencies, and it’s not going to leave any legacy DLLs or anything like that around if we were to uninstall the application. So there are definitely some advantages to using the Microsoft Store for Business.

6. Configuring the Microsoft Store for Business

If you want to actually use the Microsoft Store for Business, you have to configure and set it up. Now you have to meet the following prerequisites. Number one, I know you’re shocked, right? We have to have Internet connectivity to actually use the Microsoft Store for Business. You do need to use Windows 10 devices with this. So it is a Windows 10 device environment, and you have to have the Windows Update service enabled. If it’s disabled on your system for any reason, the Store for Business will not function for you. Now, it doesn’t have to be automatic. You can have it enabled but set to manual mode. But you do have to have it enabled in order to be able to work with the store. And you also have to have an Azure Active Directory account.

Now here’s the thing: if you don’t have one when you go to the Store for Business, you can actually set up a free Azure Active Directory account before you start trying to activate the Store for Business. Now, most of us, because we have Microsoft 365, will already have the Azure Active Directory account without any problem. All you need to do is go to the URL, which is, as you can see, businessstore.microsoft.com. From there, we’re going to sign in with a Global Administrator account in that Azure Active Directory environment. The Azure Active Directory Global Administrator account is what’s going to be necessary for us to work with it, and then we accept the licence agreement. So let’s go take a look at what that looks like.

So if I were to go out here to the Store for Business, I’m just going to go ahead and sign in. I’m actually already signed in, so it should be able to grab my cached credentials and sign me into the environment. And now I’m going to click over here on the Private Store button, and you see when I click on this, it says, “Hey, check with your admin.” They need to set up your private store so you can use it. But what we have is the ability to actually activate the private store, right? So I’m going to go ahead and activate the private store. We’ll click on that. I’m going to accept the end-user licence agreement here for our organization, for the private store. And that’s all it takes to actually set up a Store for Business once it finishes building. Now we can start adding applications. We can start assigning applications to users, and we’ll look at doing so in other videos.

7. Managing Settings for the Microsoft Store for Business

Having set up a Microsoft Store for Business, as the global administrator, I now have the ability to go in there and manage some of the settings, purchase some applications, and even assign those applications out to my users. Let’s take a look at some of the options that we have here. First, we’re going to go over here to Manage, and in the Manage section, you’ll note that we have all these different areas where we can get into our managed apps and software, the subscriptions that we have, and our line-of-business apps, if we wanted to work with them. I can deal with my billing and payments if we’ve got some apps that we’re having to pay for and buy licences for, I can distribute applications in our environment, and I can manage some of the device settings as well. But I also have the ability to change permissions.

And let’s click on the permissions for a moment. Right now in the Permissions section, if I wanted to, I have the ability to go in here and actually assign other people roles in this environment. So if I click on Assign roles here, you’ll notice that I can make somebody else an admin. I could say, for example, Carlos is here; we’ll pick Carlos. I can make Carlos an admin so he can get access to all of the account settings, purchase from the store, and manage all of the items. Maybe I don’t want him to have admin access, but I can make him a purchaser so he can purchase from the Microsoft Store and manage all of the items in the environment. So there are various roles here that I can assign to him. But notice, let me click out of that for a moment. Besides assigning roles, we have line-of-business publishers, and I have the ability to invite somebody to come in and publish applications in our environment. And we have the ability to block people from becoming basic purchasers. If we don’t want them to have the right to purchase things in our environment, we can actually block them.

So if we were to go into our products and services here, you can see the apps and software, and you can see we have some of them that are already available to us because we have the Office 365 environment and I’ve activated my Store for Business with that Azure AD account. You can see that we have all of those apps already available to us in our environment. I can buy some apps if I want to. If I see up here where I can shop for my group, I’ll click on “Shop for my group” for a moment and be able to start finding various apps that we might want to work with here. Let’s just say, for example, we wanted to add some, so we’ll just do some free ones here. Assume I wanted to add Translator to my store. I’ll get the app; it’s been added to my purchase history and added to my inventory now, right? So, now that it’s in my inventory, if I go back into managing my apps, I should be able to scroll down and see the Translator app right there in the list of apps, initially shown as not yet available. It just takes a few minutes to become available, and then we can start; in this case it didn’t take long. Now I can assign some users to it, right? So I can assign the users, like, for example, Carlos.

And now when Carlos goes to the Store for Business, besides seeing all of the other apps that we have in there from the Office suite, he’ll also have the Translator app available that he can install from the Store for Business. Again, if we’re purchasing apps that actually cost money and have licences, I’ll have the ability to buy them in bulk and assign them to the users that I want to. Furthermore, if I’d assigned an app to a user and needed to reclaim that licence, I could do so. I’d be able to reclaim my licence from that user if they no longer needed the app, so that we could use it for something else without me having to go out and always buy additional licences for the product. So we get lots of ways to actually manage the assignment of our products out to our users, and who has the ability to do what in our tenant, with the Microsoft Store for Business.

8. What is Mobile Application Management?

Mobile application management is an option for giving us the ability to go out there and control applications. We can configure them, we can secure them, and we can update them on devices that we may not have management policies over, right? Sometimes you have mobile device management where I can manage the actual device, and that allows me to control things like the security on the device, the encryption on the device, whether we have to have passwords and things like that with the device. But if I want to control the actual application itself, I can go out there and use mobile application management—even on a device that we don’t manage—right?

I can configure it in Intune by using an app protection policy. So I have the ability to select an application, and in that policy, I can configure the settings that I want to have. I can apply that to Windows 10 devices, but also to Android and iOS devices. So now we can manage it across the full spectrum of all the mobile devices our users might be using in the environment. And it doesn’t require that the device be enrolled for management. The idea here is that if I wanted to have some policy on, say, how you access or utilize the content that was in Outlook, I could use mobile application management to restrict access to it. And you’ll have to accept the policy in order to be able to use it on that device. But you’re not going to have to join your device to my Intune environment for management purposes. This gives us the ability to protect that corporate data right at the application level, similar to the way we can work with Windows Information Protection.

We can apply that same type of protection for our corporate data to the Android and iOS environments out there. Now, Configuration Manager has to be connected to Intune to be able to manage those mobile apps. If I wanted to work with that, it works with both Android and iOS devices. So from Configuration Manager, if I’ve got it connected to Intune, I can use it to manage the Android and iOS devices, but not my Windows 10 devices. The management of Windows 10 mobile applications is still going to happen in Intune. So even if I have System Center Configuration Manager, I will have to manage those Windows 10 devices in Intune.

9. Configuring Mobile Application Management

If I want to take advantage of mobile application management, I need to set it up so that our clients can actually enrol in mobile application management.

Now, to do that, we actually go over to the Azure Portal. So I’m going to open up a new tab, and then here, I’m going to go to portal.azure.com. I’m already signed in, so I don’t have to worry about providing my credentials there. And now I’m going to scroll down and go to Azure Active Directory, click on that, and open up my Azure Active Directory environment. Now once the Azure Active Directory environment comes up, I’m actually going to scroll down here to the Mobility section. I’m going to work in the Mobility section here.

I’m going to click on that. It has mobile device management and mobile application management settings. I’m going to click on that, and we’re going to actually be working with Microsoft Intune. So I’ll click on Microsoft Intune, and you’ll see I have two different sections here that we can set up. We can set up the mobile device management user scope, which decides which users we want to apply mobile device management to, and they’ll need to have a licence in order to be able to do that. But I also have the ability to set the mobile application management user scope, right? So I can activate that. Assume we’re going to implement mobile application management for a subset of users. So we’ll select the Some option for that.

Now I have to let it know which users we want this to apply to, so we can select a group. I’ve chosen groups rather than individuals. So I’m going to have to come up with the groups that I want to assign the mobile application management solution to. In this case, let’s say we’ll just pick on the Finance group here and say that they’ve got an application and we need to apply it to them. Now you’ll note here that it automatically has the Mobile Application Management Discovery URL built into the environment, right? So we’ve got our wip.mam.manage.microsoft.com URL set up. If something were to happen to that URL, for example, if someone typed it incorrectly, you can restore the original URL simply by clicking on it. It will put in the appropriate URL again for that location. I have the ability to add a terms of service URL if we wanted them to have access to that, as well as a compliance URL if we wanted that to be available as well. Now that I’ve got it set up for mobile application management for the Finance group, I’m just going to go up here and save it. Now that I’ve saved that, I can start using mobile application management, and I can pick applications and enforce policies for people in the Finance group using the mobile application management environment.

10. Using Azure AD for Apps

With so many software-as-a-service applications out there today, users often have to log in multiple times to various services to gain access to them. Perhaps you’re using one service for one task; maybe you’ve got a Box environment for your users to work with files. Of course, using Office 365 or Microsoft 365 for many productivity apps is also an option.

So users find themselves logging in a lot in the environment. Wouldn’t it be nice if we could offer them single sign-on access to all of those services? And that’s where Azure Active Directory comes in. Azure Active Directory can actually be used to grant access to thousands upon thousands of software-as-a-service applications. Let’s take a look at how we might do that. If I go in here to my Azure Portal, let’s just scroll down to Azure Active Directory. In Azure Active Directory, I’m going to actually click on “Enterprise applications.” Now this tenant already has the entire Office Suite available to us. As you can see, we have a plethora of Office Suite apps at our disposal. Let me click on “Add a New Application.” Now in that new application, you’ll notice that there are over 3000 software-as-a-service applications that we can pick and choose from right here in the app catalog.

So, for the time being, let’s stick with something simple like Box, right? I’ll click on the Box application, and we can add that application to our tenant. Now, all you have to do is click the “Add” button. When I do that, it opens Box in my tenant so that I can edit it here. Let’s say, for example, that I want to give users single sign-on access. I can do that with a SAML (Security Assertion Markup Language) token, with password-based sign-on, or with linked sign-on. For the time being, let’s stick with password-based authentication, something very simple. The next thing I have to do is actually assign the application to users. So let me go in and pick. For now, we’ll just go ahead and assign this to Ethan directly. So we’ll scroll down here, grab our friend Ethan, and assign the application to Ethan. Now I can also assign Ethan’s credentials for Box, right? So I’m going to put in what his credentials would be to log into Box, and we’ll just put in “demo Cred” and some random password. This isn’t going to be a real account, but it will give you a sense of what would happen if the user was able to go into Box and log in with those credentials. So let’s go ahead and save those and assign them to Ethan. So I’ve assigned the application to Ethan now.

Now that I’ve assigned that application to him, Ethan has the ability to gain access to it in a couple of ways. First off, there is what’s called the “My Apps” panel at myapps.microsoft.com, right? And Ethan would have the ability to log in here. Now, Box hasn’t shown up yet, but that’s not surprising. Sometimes it takes a couple of minutes for the directory service to catch up with the fact that you have that here. One of the other locations you can get to it from is my Office 365 environment, where I click, as you can see, on the little app launcher button. I can see all of my apps if I want to. And if I opened up all of my apps, Box would be showing up in here as well. This is where I would be able to see my Box environment. It takes just a few minutes for it to show up. So let’s just give it a second, and then we’ll go in and take a look at that option. Now that Box has appeared in my apps panel, because I have already logged in with my credentials and my Box credentials were entered when Box was assigned to me, all I have to do is navigate to the My Apps panel and select Box.

It’s not going to ask me to log in; it’s going to attempt to log in for me. Now, the credential we used is not going to actually log us in, and you can see we’ve got an invalid credential there. But the idea here is that, with the proper credentials, the user would log right into Box, and they wouldn’t have to go through the process of putting that in. Now think about all the other software-as-a-service applications you use, and imagine your users having the ability to just log in once and have that single sign-on give them access to all of their applications. Not only Microsoft 365, but also third-party software-as-a-service applications.
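The assignment step shown in the portal (adding the gallery app, then assigning it to a user) can also be scripted, which matters once you are assigning dozens of apps rather than one. The following PowerShell is an added example for this page, not part of the course and not Microsoft sample code. It assumes the AzureAD PowerShell module is installed, that the signed-in account can manage enterprise applications, that the Box gallery app has already been added to the tenant, and that the user’s UPN is the placeholder ethan@contoso.example. Password-based SSO credentials for the user cannot be set with this module, so that part of the walkthrough still happens in the portal.

```powershell
# Added example, not from the course: assign an enterprise application to one user
# with the AzureAD module, the scripted equivalent of "Users and groups > Add user".

Import-Module AzureAD
Connect-AzureAD | Out-Null   # interactive sign-in as an account that can manage enterprise apps

function Grant-EnterpriseAppToUser {
    param(
        [Parameter(Mandatory)] [string]$AppDisplayName,      # e.g. 'Box'
        [Parameter(Mandatory)] [string]$UserPrincipalName    # placeholder: ethan@contoso.example
    )

    # The enterprise application is represented by a service principal in the tenant.
    $sp = Get-AzureADServicePrincipal -SearchString $AppDisplayName |
          Where-Object DisplayName -eq $AppDisplayName | Select-Object -First 1
    if (-not $sp) {
        throw "Enterprise app '$AppDisplayName' is not in this tenant; add it from the gallery first."
    }

    $user = Get-AzureADUser -ObjectId $UserPrincipalName

    # Assumption: use the app's first defined app role (gallery apps commonly define a
    # single "User" role); apps that define no roles take the empty GUID as the default role.
    $roleId = if ($sp.AppRoles.Count -gt 0) { $sp.AppRoles[0].Id } else { [Guid]::Empty }

    # Idempotent: if the user already has an assignment to this app, return it unchanged.
    $existing = Get-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId |
                Where-Object ResourceId -eq $sp.ObjectId
    if ($existing) { return $existing }

    New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId `
        -ResourceId $sp.ObjectId -Id $roleId
}

Grant-EnterpriseAppToUser -AppDisplayName 'Box' -UserPrincipalName 'ethan@contoso.example'
```

The idempotency check is the part worth keeping: re-running an assignment script against a user who already has the app would otherwise fail, and a script that has to be safe to re-run is also easier to audit, because the only change it can make is the one assignment it reports.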
