MS-500 Microsoft 365 Security Administration Topic: Microsoft Intune with Endpoint Manager
December 16, 2022

1. Introduction to Microsoft Intune

Let's talk about Microsoft Intune. It's a Microsoft MDM product. MDM is mobile device management, and MAM is an acronym for mobile application management. Now, Intune is all about being able to control the mobile devices that people use and utilise in your office and, of course, outside your office in order to access resources that your organisation manages.

So this gets back into the BYOD scenario. Bring your own device. Or there’s also another one, “CYOD” (choose your own device), where a company allows an employee to choose a certain type of device they purchase for them. Okay? There’s also COPE, corporately owned and personally enabled. So there are various acronyms. You’ll hear that BYOD is by far the most popular. But the situation we get into in our environments nowadays is that we live in a time where mobility doesn’t just mean laptops anymore, right? If you go back over 20 years, you’ll find that I got into the IT field when mobility was really just laptops.

So we just had to worry about people having personal data on their laptops and travelling around. Another thing we also had to be concerned about was RAS, remote access services: people dialling in and getting access to resources remotely. But now it's a whole other ballgame. Users are walking around with computers in their pockets, right? We have smartphones, we have tablets, and you even get into things like smart watches and all of that stuff. So we have to have a way to control those devices that could have potentially sensitive information on them. So the issue is that these people not only have these devices that they have purchased and want to use in our environments, but we have no control over where they take them.

We don't have any control over what they do with those devices or the networks they're on. So Intune gives us some power and gives us some control over that situation. This is going to give us some control over both on-premises devices and devices that are outside our organization. That's the one thing to understand about Intune. A lot of people think, "Well, Intune is just going to help me with smartphones and tablets." Actually, Intune can also manage devices that are on premises. So you're talking about desktop computers, laptop computers, smartphones, tablets, and all that other stuff. And it helps you centrally control those devices and centrally manage those devices. Back in Active Directory on premises, we've always had something called GPOs. GPOs are group policy objects, and they've allowed us to deploy rules and restrictions and all of that. Now, you can still use GPOs. The downside, though, of course, with controlling things using group policy objects like we did back in Active Directory is that it's only going to affect Windows machines.

What you're going to find with Intune is that it can control not just Windows machines but also your mobile operating systems, such as Android and iOS. So you have a lot more control. Also, Macintosh, I forgot about that as well. We have some control over that also. So Intune is more than just a product that controls smartphones and tablets. It can actually manage your desktop devices as well, as well as laptops and all that. So it's actually a pretty powerful product. It's a very valuable product. The other thing is, a lot of people, when they hear about Intune, think, "Well, isn't this kind of stepping on the toes of SCCM, which is System Center Configuration Manager?" Now, don't get me wrong; SCCM is an incredibly powerful product, and I'm a big fan of it. I love SCCM, I've taught SCCM, I've worked with it for years, and I absolutely think it's a fantastic product. So is Intune kind of stepping on its toes? Maybe a little bit, but here's the thing: Intune really shines when it comes to dealing with mobile devices, devices that jump around the world and are everywhere. And yes, Intune can do some of the same things as SCCM.

SCCM, however, really shines when dealing with on-premises devices. In the past, SCCM could do a little bit with mobile devices, but it was kind of limited in what you could do with them. So now, what if you could combine those two powers together? Well, guess what? You can. Intune and SCCM can work in what we call a "co-managed" environment. Co-management means that if you've got a hybrid Azure Active Directory environment, where you've linked your on-premises environment with your Azure Active Directory, you can actually utilise Intune and SCCM together. And you can have devices that are on-premises that are managed by SCCM. And then you can have devices that are more mobile-oriented being managed by Intune. If you've got Windows 10 devices, those, too, can jump back and forth. They can be in the network being managed by SCCM. They can go outside your environment and be managed by Intune. So the two can work together in a co-managed environment.

Now, I'm also going to encourage you to go out there and do a little research on this. Recently, Microsoft actually announced that when you subscribe to Intune, you get an SCCM licence as well. So you're actually getting a two-for-one deal here. Previously, you had to licence both Intune and SCCM. And Microsoft has a product called Endpoint Manager. Now that's part of all of that, and that will help manage all of it. So, really interesting stuff. Now, we're going to be sort of honing in on Intune, which is what the MS-500 course really focuses on. But you can make the two work together. Both of them can inventory products, both of them can create reports, and both of them can deploy rules and restrictions to your devices. Okay? It's just that SCCM is more powerful when it comes to on-premises devices, whereas Intune really shines when it comes to mobile devices. So they can both do some of the same things.

Now, I'll tell you that SCCM can do Windows images and send all those images out to your devices, whereas Intune cannot deploy images to your devices. However, Intune does support a feature called Autopilot, which allows you to purchase a Windows 10 computer. Let's say you go out and purchase 50 new computers from a vendor like Dell. No joke: you could plug those devices in and turn them on, and as soon as they get an Internet connection, they can talk to Intune and this thing called Autopilot, which can actually deploy settings to your machine. And of course, Intune also supports the ability to deploy client apps out to your machines and uninstall client applications on your machines.

As a result, it is extremely versatile. Let’s take a look, sort of, at the big picture. Here’s what you’ve got from Microsoft. So you’ve got the Microsoft Intune cloud here. You’ll notice from there that you can configure devices with Intune. You can protect those devices and the data. The beauty of Intune as well is that it works in conjunction with a lot of the technologies that we’ve learned in some of the previous lectures that you’ve had here. For example, you have conditional access policies. It works with and can be controlled based on compliance policies, Azure Identity Protection, and Information Protection. All these things that we’ve been learning about previously can come into play and actually complement Intune. You can also have access to and control those mobile devices more, whereas in most cases, a lot of us are still thinking in terms of just desktops and laptops. Intune gives us that ability for our hands to reach out there and gain a level of control over those mobile devices.

Now, here's the other thing. A lot of people worry. They think, "Well, if people are bringing their own devices to our office, aren't we going to have to enrol the devices in Intune?" So I'm going to say yes and no to that. Now, if you want to be able to control all the settings on somebody's device, then yes, their device must be enrolled in Intune, all right? Yes, to control all of the settings, configurations, and other features on your mobile devices, they must be enrolled in Intune. But I also want to tell you a little secret. Maybe it's not a secret. Any applications that we make available through our cloud, such as our Office apps, Word, Excel, all of that stuff, guess what? We can have application policies put on those applications.

And if somebody does not enrol their device into Intune, well, when they open one of those applications, let's say a user has Microsoft Word on their phone and they want to access some Word documents that are in our cloud environment, so they open up the Word app, it's going to ask them to authenticate with our cloud because, in order for them to get access to our cloud data, they have to authenticate. Well, when they do that, it can put application restrictions on the app while they are using that document. It's not going to affect their personal data, but it will affect their settings while they're using the application.

And I can impose conditions on them. I can put those conditional access policies that we’ve talked about in place. I can have compliance policies. I can have all of that stuff rolled back in regards to these settings that the user is trying to use with their documents. So you actually do have a level of control without the device actually being enrolled. Now again, you want complete and utter control over the device. You’re going to want the device to be enrolled. Okay, but they actually don’t have to enrol the device, and we can still get some control through those applications while the users are using the applications. So again, this is an incredibly powerful thing. It also works in conjunction with Azure Identity Protection. So we can allow them to access things with their mobile devices depending upon where they are.

Maybe we don't want them accessing sensitive information outside our organization. We can create location profiles and all of that, just like we have conditional access policies in Azure Identity Protection that can control where they are when they log on. It can monitor for atypical log-ons. So if somebody logs on here in Atlanta, Georgia, and then five minutes later somebody logs on over in China, it can monitor for that sort of thing. It can restrict the user based on that. And again, it can be combined with SCCM for co-management to give you an even more powerful system of control. So Intune is a very powerful product. It's actually a pretty easy and intuitive product if you take the time to learn it. I think you're going to find that it's not as advanced as you think. In fact, I'm going to be showing it to you. So you're definitely going to get some knowledge here and get a little bit of hands-on experience with it as well. But again, this is a very powerful product. I highly encourage you to learn it and take the time to do so. Look at some of the fancy things you can do with it and see what Microsoft is really giving you here, which is actually a very strong product.

2. Using Intune with the Endpoint Manager Portal

So I'd like for us to start out by looking at how we actually get into Endpoint Manager. Now, if you've worked with Intune in the past, you might know that Intune has gone through a lot of transitions over the years. It's had different websites and different portals. They used to have Intune in Azure, which they retired. And all that has now moved into Endpoint Manager, which Microsoft announced back towards the end of 2019. And they planned to retire the Intune portal in the Azure portal entirely in August 2020. So we're going to be focusing on the way Microsoft wants you to work with Intune these days, which is to use the Endpoint Manager portal. Now, to get into Endpoint Manager, what you're going to do is go to endpoint.microsoft.com, which is going to be your portal, and that's going to bring you right into the Endpoint Manager admin center.

All right? Now, when you get into the Endpoint Manager admin center, you're going to be in a little dashboard, and it tells you about your account status and tells you whether things are healthy. You'll notice that in my case, I've got some devices that are not compliant. We'll be looking at compliance, and at applications that didn't get installed. This is helpful because I can click on this stuff and see what might be a problem if there's something that's not compliant. I can see right here what is not compliant in my environment. So I've got a machine that's not okay. I can go back over here to my home. I can look at client apps that didn't get installed. Right here, I can click on that. It's going to show me that information. So as you can imagine, right here in your little home area, you get some pretty good information that tells you if there's been any issue of any kind.

Okay? And then further down it tries to walk me through certain things. I have a guided scenario for deploying Edge for mobile, trying out cloud management of PCs, and some featured reading materials down here. I can also click on the dashboard, and this dashboard breaks it all into a tile-based system that provides me with some reporting information as well. So I can easily see how many devices I've enrolled and whether or not there have been any issues. There is some of the same information you see on the homepage here. Okay, so very helpful. You can, if you want, click to create a new dashboard, and you can mix and match any of these items here and create your own little new dashboard if you want. So that's kind of neat too. That's something that you can kind of play around with. And when you do that, if you create a custom dashboard, you can drop this down, and you can switch between those dashboards if you want. Okay? But this is the default one that I've got right here. I can even go full-screen with it. I can clone the dashboard. I can do all that stuff if I want and alter it. So I just cloned the dashboard. If I wanted to customise the second dashboard, I could.

And as you can see now, I have three different dashboards to look at. But it's a great, you know, little way to kind of organise things and see the different things that are going on here. If you want, you can delete items from the dashboard. You can also click on "All services." This will show you all the different components that we've got available. And I can have different favourites that show up over here. So I've got them all, and then I've got my favourites. If I want to remove something from my favourites, I can; if I want to add something like Intune for Education, I can do all that good stuff. Okay, so that's what All services is going to do. Now, Devices: this is going to allow you to see anything related to your different devices, whether they be Windows, Android, iOS, iPadOS, macOS, or Windows Mobile. All that stuff will show up here. And I can see all my devices, or if I want to view them by platform, I can choose between Windows, iOS, macOS, and Android. I can see my enrolled devices. I can look at compliance policies, conditional access policies, and configuration policies, and I can manage them all. I can work with scripts, updates, and enrollment restrictions. So another thing I can do is go over here to Apps, and I have application-related things. So Intune is the MDM solution, mobile device management, but it's also a MAM solution, mobile application management. Mobile device management allows you to manage all the different device settings that are on somebody's machine or device.

And then MAM allows you to manage all of the application-related stuff. That includes being able to install, uninstall, and configure some of the different settings there. I can view all of the apps that I've got. I can view them by platform: Windows, iOS, Mac, and Android. I can set up app protection policies. That's all the stuff we'll look at. You can manage iOS app provisioning profiles and policies for Office apps. You can group policies together into policy sets. So there's a lot of stuff here, and you can do a lot of things here that involve MAM. Okay, now another thing you can get into is what's called endpoint security. And this includes being able to examine the antivirus side of things, as well as disk encryption and firewall settings on people's machines.

This is all about trying to decrease what's called the attack surface, and that's to strengthen the security on somebody's device, right? So when you look at the attack surface, that involves all the entry ways to get into somebody's device. I always use the analogy that the attack surface is kind of like your house, which maybe has a front door and a back door. Maybe it's got a side door. Maybe you've got eight windows on your home. Well, those are your attack surfaces, right? Those are the weak spots in your home. Those are the things you've got to strengthen up. All the entryways into your home would be part of your attack surface. So if you think about it from that analogy, you think about your environment, whether you're dealing with Windows devices, Apple devices, Android devices, or whatever. You want to be thinking about protecting the attack surface and reducing the attack surface of things. So that's part of the goal of this little course: to get all of that out in the open and talk about how we can do it. Okay, you have security baselines, and that gets into deploying groups of policies to people's machines to kind of lock things down.

We have some reports over here, but most of the reporting capabilities are extremely limited. They want you to use Power BI, which is a whole other thing altogether. It's a whole other course to really do all the monitoring stuff. You have to learn about Power BI. But they do provide us with some compliance reports, which is nice because we can get into them to look at the compliance of our devices. But anyway, we'll talk more about reporting later. We've got Users, which ties to your Azure AD, your Azure Active Directory; all of your users and all that will be listed here. If you want to create a new user, all you have to do is click "Create a user." Okay? For example, I can create a user called, perhaps, Intune admin. I'm going to illustrate this guy as being an admin, and I'll just say "Intune admin": first name Intune, last name Admin, and then give it a password. I can have it show the password if I want, set the password, or whatever I want. I can assign it to groups. I can assign it to roles. Roles are going to give it authority. Okay? Right now, it's just a regular user.

However, if I wanted to, I could go through here and make this user an Intune administrator. That will give it the power to manage Intune. A usage location can be specified. This is going to be where this user is based. Keep in mind that, for you to be able to assign licences and other things to an account, you do have to assign a usage location to that account. So assigning a usage location to a user is important. Okay? In my case, I'm going to choose the United States. Job title, department, you can do all that. You can then click to create the user. And you've now officially created that little user I called the Intune admin, okay? I can go on to that user, assign licences, and all that. In my little lab environment here, I've got a licence called EMS, Enterprise Mobility + Security. That is the licence that allows this user to deal with Intune and be managed by Intune. To work with Intune, you've got to have that EMS licence.

Alternatively, you could licence Intune separately. Now, for Intune to manage users, each user must have an Intune licence. Your users must have an Intune licence in order for their device to be managed. In this case, in this little environment, I'm using Enterprise Mobility + Security, which gives you all these things, but Intune itself is the one that we would care about in this case, okay? So that involves my users. I can work with Groups, where you're grouping users together into different groups, or you can also group devices together if you want. Then there's Tenant administration, which involves managing your tenant. Everyone with a Microsoft 365 subscription is a tenant because you're using Microsoft resources. And then, lastly, they give you a little troubleshooting and support area that you can go through. You can use this to troubleshoot specific issues such as assignments or devices. If you're having issues with app protection policies or enrollment failures, or users are having problems with enrollment, you can try to figure out what's wrong and then troubleshoot it. You have help and support as well. And this leads to attempting to obtain assistance from Microsoft, opening a ticket, and so on.

Another thing you can do, and we're not really getting into the Configuration Manager side of things in this course, but you can do co-management, which is where you're going to tie Endpoint Configuration Manager on premises into your Intune environment as well. And Endpoint Manager can manage all of that. That's called co-management, and it allows you to manage your Windows 10 devices and all of that. Configuration Manager used to be called SCCM, System Center Configuration Manager. And before that, in the 1990s, it used to be called SMS. The name has changed a few times. Most recently, SCCM, System Center Configuration Manager, has been renamed to Microsoft Endpoint Configuration Manager. So names have changed a little bit, but we're focused on Intune here, okay? So hopefully that gives you a good overview of some of the different blades and other things you can do. It's a really nice product, and it's really easy to use. One of the things I love about it is that it's easy to manage our devices, to deploy devices, and all that. In the older days, when it came to deploying a bunch of Windows devices and all that, we had to actually capture an image if we wanted to.

And it was kind of funny because you would buy all these computers from places like Dell or HP, and then you would end up blowing away the hard drives. Maybe the computers came with something like Windows 10 already on them. You would blow the hard drives away and then reimage them with Windows 10. And so now with Intune, I've got this thing called Autopilot, and instead of blowing the hard drive away and getting rid of Windows 10 just to reinstall Windows 10 as an image, I have the ability to go through and actually just kind of reprovision the machine as opposed to using all the older solutions of imaging. So Autopilot is a great feature that we get with Endpoint Manager. But hopefully that gives you a good idea of how to get into Endpoint Manager and start using it and manoeuvring around the different blades. These are called blades, the different blades that we have in Endpoint Manager.

3. Understanding how Device Configuration Profiles can help secure devices

I now want to spend some time going over one of the extremely powerful capabilities we have with Intune through Endpoint Manager. And what it is is this thing called "device configuration profiles." Device configuration profiles enable me to manage the various settings on people's devices, whether they run Windows, macOS, Apple iOS, or Android. I can control those settings with the help of these things called configuration profiles. So let's go and take a look at these. Now, I'm going to go ahead and open this up. I'm going to click Devices, okay? And then scroll down here. Again, I'm at endpoint.microsoft.com, in Endpoint Manager, and I scroll down. Here it is right here: Configuration profiles. So we're going to click on that, all right? And then from there, we're going to click to create one of these. And we have different options here. As can be seen, we have Android, iOS, macOS, and Windows 10 and later. I'll start with that.

Select the profile type. So I'm just going through some of the options you have here. You've got administrative templates, and these are very similar to what we have in group policies. These are going to let us control some of our different settings and options. If I click to create that, OK, give it a name, right? Go to configuration settings here. It's very similar to what we had in group policies. So, if you've ever worked with administrative templates or group policies, you'll recognise the various options available to you, as well as your control panel options. It's very similar to dealing with group policy. And it appears to have the same format, with different folder options and all that you can do. OK, so that's what administrative templates are. Let's take a look at what we have in Custom. This is kind of neat. With Custom, you can actually go out and download what are known as "custom XMLs." You can link to these custom XML files, and it will allow you to enable and disable features that maybe Microsoft has not included in Intune yet. So, for example, let's say you had a new Android phone; maybe you're using Samsung Knox technology. And there's a new feature under the Knox security features that Intune doesn't support yet. They can provide an XML file out there on the Internet that can turn this feature on or off.

You can link to that; it'll import that in, and at that point, you can turn that feature on and off using a custom profile. Delivery optimization: that's the peer-to-peer option that we talked about. Device firmware configuration interface: that lets you update people's firmware settings. Device restrictions: this is probably one of the most important ones. We'll get into that one here, coming up. Okay, device restrictions are really going to let you lock things down. Here's Domain join. I can do an edition upgrade. I can manage your email and change your email settings. I can do endpoint protection. This is going to manage your virus protection on your machine. I can do identity protection, where it's going to control who gets to log on and how they get to log on. Kiosk! That's great. If you've got a Windows computer that's a kiosk computer, you can control the different settings for that. So if you have somebody that's just walking up anonymously to a computer, you can really lock that down. Okay, you have ATP, advanced threat protection. We'll talk more about this towards the end of this course. But that gets into all the different security features.

Firewall, Windows Defender Antivirus, okay, spyware protection, and there are a lot of other little features there that it's going to involve, such as looking for email spyware and things like that. You have a network boundary. This lets me control where a person is logging on from and have different policies based on where they're logging on. These right here are certificate-related. So you've got PKCS. That's Public-Key Cryptography Standards. That's what both of these are. This will let you install a certificate on somebody's machine or device if you want. Now, if it's a desktop computer, you would use one of these two. If it was a mobile device like a phone or a tablet, you would use SCEP. That stands for Simple Certificate Enrollment Protocol, and it allows a mobile phone, tablet, or something like that to actually have a certificate imported. Okay, here's your secure assessment. They tell you this is for the education system. It's to do secure assessments in the education system. Essentially, this entails scanning a machine for vulnerabilities. You have shared multi-user device. This is when you have multiple users using the same device. This is going to allow you to set some settings there that involve which objects or items users can share among themselves, which settings can be shared between them, and which apps can be shared between them. Here's a trusted certificate.

This is going to add a digital certificate to the trusted certificate store on your computer. So if your company was using a custom certificate, then at that point you could import it, and the certificate would be trusted by that computer. You can configure people's VPN settings, just like we learned you could do with provisioning packages earlier in the course. You can actually deploy VPN settings to people's machines, and the VPN will be set up. You can also configure your Wi-Fi. So this is great. If you have a device that is randomly connecting to different offices, you can go ahead and configure the Wi-Fi settings on those devices. Okay, so here's the other thing to understand: when you click on one of these, a plethora of settings become available for you to configure. OK, once you create this profile, you're going to go in, and there are all sorts of things you can configure on somebody's device if they're being managed through Intune. Keep in mind that this is an MDM solution. So the device must be enrolled in MDM in order for these settings to apply to it. Okay, so coming up in this next little lesson, I'm going to actually go through the process. We're going to create one of these, and we're going to look at some of the options that we've got available.

4. Implementing a Device Configuration Profile with Intune

Okay? So now that we know what a device configuration profile is, I want to go through the process of actually creating one for you. So we're starting from the beginning here. We're on endpoint.microsoft.com. We're going to click Devices. We're going to go down to Configuration profiles, and we are going to create a configuration profile. We're going to select Windows 10 and later, and then we're going to go to the profile type. And probably again, one of the most important ones to sort of focus on is going to be device restrictions. I'm going to select Device restrictions, and I'm going to click Create. Right, I'm going to give this a name. I'm just going to call this Windows 10 Personalization Settings. Maybe I'm going to deploy some personalization settings.

Okay? So I'm going to click Next. All right, and here we go. Once this shows up, you're going to see there are a lot of little dropdowns here that can be configured. All sorts of things. Now, I want to encourage you guys to come in here to Endpoint Manager and just look through this. There are so many things, okay, that you could probably spend hours just going over the individual things you can do. There are lots and lots of things here, from the App Store, like being able to manage the settings on people's App Store on Windows 10, to cellular connectivity options that you can configure, okay? Cloud and storage settings. Maybe I'm going to block certain things. There are cloud printer settings that I can define if I'm going to allow cloud printing. Control panel settings, okay? I mean, heck, I could disable the Settings app if I wanted.

If I didn't want somebody personalising their Windows 10 device, maybe it's a kiosk or something, I could block that. And that's what I'm going to do, because I call these the personalization settings. I'm going to block that. Maybe block time and language settings as well. Okay? So I can configure some of the settings I want. Don't allow them to mess with updates and security. All right, remember, I wanted to block personalization. I'm going to do that through the control panel and settings. Then display settings: this does GDI scaling for apps, which includes apps that scale your resolution, affect resolution, and change general settings. There are a lot of things I can do here, such as disable cameras and Cortana, if I want. Lock screen settings, messaging settings for email and text messaging, and the Edge web browser: I can configure those settings through this. Network proxy. I can configure your password settings if I want. I can require you to have a certain size password. OK, you've got another personalization area. This would let you set the background. So, if I wanted a background, I could save it on a server share like NYC-Server1 in a wallpapers folder and name it companylogo.jpg.

Maybe I want your background to be the company logo; that’s going to be your wallpaper. Then I’ve got printer settings, privacy settings, I mean, all kinds of stuff you can do here. There are just so many things you can look at. Another one is Windows Spotlight, which displays the rotating wallpapers as you go to log on to Windows; maybe I’ll turn that off, because it does take up some bandwidth. Here is where you can configure Windows Defender Antivirus, and I’d advise you to require real-time monitoring on your antivirus. And then power settings can be managed here as well, the sleep settings and all that on your computer. So again, there’s a lot here; we could probably spend hours going over those things. So I’m going to click Next. Scope tags. I’m not going to spend a lot of time on this right now. Scope tags involve your administrators: you can tag these policies and grant specific administrators authority over them. Scope tags are more for admins than they are for users. It’s going to allow me to tag this profile so that a certain group of admins is able to manage it, if I want. Okay, so that’s about the management of profiles.

So I could specify a particular scope tag if I wanted to, right here. If I don’t, it’s going to select Default. Then I click Next, and that’s Assignments. This is how I assign this profile. So if I wanted to assign it to a particular set of users, I could add an inclusion group, and I could also add an exclusion group. Exclusion groups always override inclusion groups. Okay, so if I want, I could say all users, or I could specify the particular groups I want this attached to. Or, for now, if I don’t want to assign it to anybody, I don’t have to. So then I’ll click Next, and that’s Applicability Rules. I can also place some restrictions on where this applies: if the machine is running a specific Windows edition or a specific OS version, I can add a rule, and the profile is assigned only to devices that match. That way, it’s only going to apply to you if those conditions are met. You can add more than one rule here if you want. Then I click Next, it shows me a review page, and I click Create, which officially creates it. So at that point, it’s now officially set up.
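The same create-and-assign procedure, done from the command line instead of the portal, as an added example that is not part of the course. It uses the Microsoft Graph PowerShell SDK against the beta endpoint (applicability rules are only exposed there). The group IDs are placeholders you replace with your own, and the minimum OS build used in the applicability rule is an assumption for illustration.

```powershell
# Added example (not from the course): create a Windows 10 device restrictions
# profile, give it an OS-version applicability rule, and assign it with an
# inclusion group and an exclusion group. Assumes the Microsoft.Graph module is
# installed and the signed-in account can consent to the scope below.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$includeGroupId = "00000000-0000-0000-0000-000000000001"   # placeholder: users who should get the profile
$excludeGroupId = "00000000-0000-0000-0000-000000000002"   # placeholder: exclusion always wins over inclusion

# beta is used because deviceManagementApplicabilityRule* properties are not in v1.0
$base = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations"

$profileBody = @{
    "@odata.type"                     = "#microsoft.graph.windows10GeneralConfiguration"
    displayName                       = "Win10 - Lab lockdown"
    description                       = "Blocks personalization, time/language and update settings"
    settingsBlockPersonalizationPage  = $true    # the Settings > Personalization page
    settingsBlockTimeLanguagePage     = $true
    settingsBlockUpdateSecurityPage   = $true
    windowsSpotlightBlocked           = $true    # no Spotlight wallpapers on the lock screen
    defenderRequireRealTimeMonitoring = $true
    passwordRequired                  = $true
    passwordMinimumLength             = 12
    # Applicability rule: only devices at or above this build (assumed value) get the profile.
    deviceManagementApplicabilityRuleOsVersion = @{
        "@odata.type" = "#microsoft.graph.deviceManagementApplicabilityRuleOsVersion"
        name          = "Windows 10 1809 or later"
        minOSVersion  = "10.0.17763"
        ruleType      = "include"
    }
}

$newProfile = Invoke-MgGraphRequest -Method POST -Uri $base -Body $profileBody
Write-Host "Created profile '$($newProfile.displayName)' with id $($newProfile.id)"

# Assignments: one include group, one exclude group. For "all users" or "all devices"
# the target types are allLicensedUsersAssignmentTarget / allDevicesAssignmentTarget.
$assignBody = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget";          groupId = $includeGroupId } }
        @{ target = @{ "@odata.type" = "#microsoft.graph.exclusionGroupAssignmentTarget"; groupId = $excludeGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$($newProfile.id)/assign" -Body $assignBody

# Check: read the assignments back so the include/exclude targets are visible.
(Invoke-MgGraphRequest -Method GET -Uri "$base/$($newProfile.id)/assignments").value |
    ForEach-Object { "{0}  {1}" -f $_.target.'@odata.type', $_.target.groupId }
```

If you only need the settings and not the applicability rule, the same body (minus the `deviceManagementApplicabilityRuleOsVersion` property) works against the v1.0 endpoint.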

5. Using App Protection Policies to help protect Office 365 Apps

I now want to spend some time going over one of the extremely powerful capabilities we have with Intune through Endpoint Manager, and that is this thing called device configuration profiles. Device configuration profiles allow me to control the different settings on people’s devices, whether they’re Windows, macOS, Apple iOS, or Android. I can control those settings with the help of these configuration profiles. So let’s go and take a look at these. I’m going to open this up, click Devices, and then scroll down here.

Again, I’m in Endpoint Manager for my tenant. Scroll down, and here it is, right here: Configuration profiles. So we’re going to click on that, and from there we’re going to click Create profile. We have different platform options here: Android, iOS, macOS, and Windows 10 and later. Then you select the profile type. I’m just going through some of the options you have here. You’ve got Administrative templates, and these are very similar to what we have in group policy. They let us control many of the same settings and options. If I click to create that, give it a name, and go to Configuration settings, it’s very similar to what we had in group policy. If you’ve ever worked with administrative templates in group policy, you’ll recognise the different options you’ve got: your Control Panel settings and all that are very, very similar to dealing with group policy.

And it has a similar format in some ways, with the different folder options and all that. OK, so that’s what administrative templates are. Let’s take a look at what we have in Custom. This is kind of neat. With Custom, you can use what are known as custom OMA-URI settings, and you can bring in custom XML that a vendor publishes. That allows you to enable and disable features that Microsoft has not built into the Intune templates yet. So, for example, let’s say you had a newer Samsung Android phone using Samsung Knox, and there’s a new Knox security feature that Intune doesn’t support natively yet. Samsung can publish the setting definition out there; you bring it into a custom profile, and at that point you can turn that feature on and off. Next, Delivery Optimization: that’s the peer-to-peer update option we’ve talked about. Device Firmware Configuration Interface lets you manage firmware settings. Device restrictions are probably one of the most important ones; we’ll get into that one coming up, because device restrictions are really what lets you lock things down. Then there’s Domain join, Edition upgrade, Email (I can manage your email settings), and Endpoint protection.

Endpoint protection manages the virus protection and related security settings on your machine. I can do Identity protection, which controls how people get to log on (Windows Hello for Business settings). Kiosk! That’s great. If you’ve got a Windows computer that’s a kiosk, you can control the different settings for that, so if you have somebody walking up anonymously to that computer, you can really lock it down. You have Microsoft Defender ATP (Advanced Threat Protection, now called Microsoft Defender for Endpoint). We’ll talk more about this towards the end of this course, but that gets into all the different security features: firewall, Windows Defender Antivirus and spyware protection, and a slew of other features. You have Network boundary, which defines which network locations count as your corporate network so that policies can behave differently inside and outside it. Then these right here are all certificate-related. You’ve got PKCS certificate and PKCS imported certificate; PKCS stands for Public-Key Cryptography Standards. These let you install a certificate on somebody’s machine or device.

Then there’s SCEP, the Simple Certificate Enrollment Protocol. Both PKCS and SCEP profiles are available across the platforms; SCEP is the one you’ll most often use so that a mobile device like an iPhone or a tablet can actually have a certificate enrolled. Okay, here’s Secure assessment. They tell you this is for the education system: it locks a Windows device down so a student can take a test on it. You have Shared multi-user device. This is when you have multiple users using the same device, and it lets you set things like guest access, account management and clean-up on that device. Here’s Trusted certificate. This adds a certificate to the trusted certificate store on the computer. So if your company was using its own internal certificate authority, you could import its root certificate, and certificates it issued would then be trusted by that computer.

You can configure people’s VPN settings, just like we saw earlier in the course with provisioning packages. You can deploy VPN settings to people’s machines, and the VPN will be set up. You can also configure Wi-Fi. So this is great: if you have a device that moves between different offices, you can push the Wi-Fi settings to that device. Okay, so here’s the other thing to understand: when you click on one of these, a plethora of settings become available for you to configure. Once you create the profile, there are all sorts of things you can configure on somebody’s device if it’s being managed through Intune. Keep in mind that this is an MDM solution, so the device must be enrolled in MDM in order for these settings to apply to it. Coming up in this next lesson, I’m going to actually go through the process: we’re going to create one of these and look at some of the options we’ve got available.
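The Custom profile type described above, pushed from PowerShell and then checked, as an added example that is not part of the course. It uses the Microsoft Graph PowerShell SDK and a Windows Policy CSP path as the illustrative setting; the CSP chosen (Camera/AllowCamera) is only an example of the kind of setting a custom OMA-URI carries, and the assignment target and scope are assumptions. The status check at the end is the caveat from the text in practice: a device that is not MDM-enrolled never reports back.

```powershell
# Added example (not from the course): a Custom (OMA-URI) profile for a setting,
# assigned to all devices, followed by a per-device deployment status check.
# Assumes the Microsoft.Graph module is installed and the scope below is granted.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"
$base = "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations"

$customBody = @{
    "@odata.type" = "#microsoft.graph.windows10CustomConfiguration"
    displayName   = "Win10 - Custom OMA-URI (lab)"
    description   = "Settings not exposed in the built-in templates"
    omaSettings   = @(
        @{
            "@odata.type" = "#microsoft.graph.omaSettingInteger"
            displayName   = "Block camera"
            description   = "Policy CSP Camera/AllowCamera: 0 = camera not allowed (illustrative setting)"
            omaUri        = "./Device/Vendor/MSFT/Policy/Config/Camera/AllowCamera"
            value         = 0
        }
    )
}
$newProfile = Invoke-MgGraphRequest -Method POST -Uri $base -Body $customBody
Write-Host "Created custom profile with id $($newProfile.id)"

# The setting is device-scoped (./Device/...), so target devices rather than users.
$assignBody = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget" } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$($newProfile.id)/assign" -Body $assignBody

# Check: only MDM-enrolled devices ever appear here. A device that is Azure AD joined
# but not enrolled will simply be missing from the list, not shown as failed.
$statuses = (Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "$base/$($newProfile.id)/deviceStatuses").value
$statuses | Select-Object deviceDisplayName, userName, status, lastReportedDateTime | Format-Table
$statuses | Where-Object { $_.status -in 'error', 'conflict' } |
    ForEach-Object { Write-Warning "$($_.deviceDisplayName): $($_.status)" }
```

A `conflict` status usually means another profile (or a group policy on a hybrid-joined machine) sets the same CSP node to a different value, which is the first thing to check before assuming the custom setting itself is wrong.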
