CHAPTER 17
Managing Mobile Devices

As discussed in Chapter 16, “Integrating Intune Hybrid into Your Configuration Manager Environment,” you can integrate System Center Configuration Manager (ConfigMgr) with Microsoft Intune to provide a solution for managing mobile devices, with ConfigMgr set as the mobile device management (MDM) authority. Chapter 16 also describes the process of synchronizing user accounts from on-premises Active Directory (AD) to Azure AD.

This chapter focuses on configuring this hybrid solution to manage mobile devices. It describes the steps to enroll devices and the features available for managing the supported platforms.

NOTE: MANAGING ACCESS TO CORPORATE RESOURCES

Conditional access blocks access to corporate resources from devices that are not enrolled in ConfigMgr or that do not meet the compliance policies you define. It is implemented through compliance policies and conditional access policies. This major feature of the hybrid solution is discussed in Chapter 18, “Conditional Access in Configuration Manager.”

Table 17.1 lists the devices supported for management by ConfigMgr and Intune.

TABLE 17.1 Devices Supported for Management

Platform         Version
---------------  -----------------------------------------------------------------------------
Google Android   Version 4.0 and later (including Samsung Knox)
Apple iOS        Version 8.0 and later
Windows Phone    Version 8.0 and later
Windows          Windows RT, Windows 8.1 RT, Windows 8.1 and later (managed as mobile devices)
Mac OS X         Version 10.9 and later

Enabling Devices for Management

Each platform listed in Table 17.1 is enrolled differently. Android and iOS users download the Intune Company Portal app from Google Play and the Apple App Store, respectively. Once the app is installed, users sign in to Microsoft Intune with their Azure AD account to enroll the device. Windows devices do not require the Intune Company Portal; they enroll through the operating system’s account settings, as described later in this chapter.

Each platform has different prerequisites. For example, only iOS (and Mac OS X) devices require that you create and install an Apple Push Notification service (APNs) certificate before enrolling those devices. Further information is available in the “Enabling iOS Devices for Management” section, later in this chapter.

Various enrollment scenarios exist, including the two primary ones:

• Bring your own device (BYOD)

• Choose your own device (CYOD)

Enrolling devices is a user process with BYOD. For CYOD, an administrator or device manager can enroll devices as well.

Enabling Android Devices for Management

Android device management can be challenging, as management capabilities are not consistent across all Android devices. Samsung Knox extends the management capabilities in some Android devices. To manage Android devices, you must enable Android support in the ConfigMgr console (with an Intune subscription). There are no prerequisite tasks for Android support. To enroll an Android device, a user or an administrator must download and install the Intune Company Portal app for Android, which is available from the Google Play store. The user is prompted to log in to Intune, and the device is subsequently enrolled for management.

Enabling Android Devices in Configuration Manager

Enabling Android support in ConfigMgr is straightforward. Follow these steps:

1. In the console, navigate to Administration -> Overview -> Cloud Services -> Microsoft Intune Subscription.

2. Right-click the Microsoft Intune subscription you created in Chapter 16.

3. Select Configure Platforms -> Android.

4. Enable the check box Enable Android enrollment.

5. Click OK to finish enabling Android support.

Enrolling Android Devices

Use the Intune Company Portal for Android to enroll Android devices. You can download this portal, released in December 2013, from the Google Play Store, at https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal. The process of enrolling an Android device follows. This example uses a Samsung Galaxy tablet:

1. Open Google Play on the Android device.

2. Search for Intune Company Portal app. Download and install the app.

3. When you are presented with the list of permissions the Intune Company Portal needs, such as device and app history, identity, contacts, photos/media/files, Wi-Fi connection information, device ID, and call information, click Accept to continue (see Figure 17.1).

A screenshot shows the Intune Company Portal app with a list of features that the app needs to access such as device and app history, identity, contacts, photos/media/files, Wi-Fi connection information, and device ID and call information.

FIGURE 17.1 Intune Company Portal access required.

4. After the Company Portal completes installing, open the app.

5. Click Sign in to continue. You are redirected to an Intune login page.

6. Enter an account that has permission to enroll devices and select Sign in to sign in using the UPN you configured in Chapter 16.

7. Note on the Company Access Setup page that Device Enrollment and Device Compliance require attention. Select Begin.

8. On the Why enroll your device? page, which describes the benefits of enrolling your device, click the hyperlink for more information and then click Continue.

9. When you are presented with privacy information, listing items that an information technology (IT) administrator can and cannot see on the device, click Continue.

10. On the next page, which includes a description of what comes next, click Enroll.

11. For Android devices, you must activate the device administrator, so review the list of operations the Company Portal can perform and click Activate. Device administrator is what gives the Company Portal the privileges it needs to enforce the settings discussed later in this chapter (for example, requiring a screen lock or wiping the device); a user who later deactivates it takes those privileges away, and policy can no longer be enforced on the device.

12. Check the box to accept the Samsung Knox terms and conditions (assuming a Knox-enabled Android device). Click Confirm to continue.

13. If you are asked to configure screen unlock settings, enter a pattern, PIN, or password and then confirm your choice.

14. When you are redirected back to the Company Access Setup page, note that the green checkmarks show that Device Enrollment and Device Compliance no longer require attention. Select Continue.

15. When you are informed that the company access setup is complete, click Done. The Android device is enrolled (see Figure 17.2), and you can see apps available in the Company Portal.

An Android device is enrolled in Intune Company Portal.

FIGURE 17.2 Intune Company Portal with an Android device enrolled.

The device, highlighted in Figure 17.3, is now available for management in the ConfigMgr console. Note the automatic naming convention for Android devices: Username_Android_Enrollment_Date_Time.

A screenshot shows the Configuration Manager console.

FIGURE 17.3 Viewing an Android device in the Configuration Manager console.

TIP: TROUBLESHOOTING WITH THE HYBRID DIAGNOSTICS TOOL

Use the Configuration Manager Hybrid Diagnostics tool to troubleshoot issues with enrolling devices. Chapter 16 provides additional information.

Enabling iOS Devices for Management

The process of enabling and enrolling iOS devices is similar to the process for Android devices. First, enable iOS support in the ConfigMgr console, which requires configuring an APNs certificate. A user or an administrator can then download and install the Intune Company Portal app for iOS, which is available from the Apple App Store, and sign in to enroll the device for management.

NOTE: ENABLING MAC OS X ENROLLMENT

In ConfigMgr 2012 you managed Apple Mac OS X devices by installing the Mac client for ConfigMgr, which requires an HTTPS (PKI) site infrastructure. In ConfigMgr Current Branch you can instead manage Mac devices by enrolling them as MDM clients in the same way as iOS devices, with no HTTPS infrastructure required.

Enabling iOS support in ConfigMgr automatically enables support for Mac OS X devices enrolled in MDM.

Enabling iOS Devices in Configuration Manager

Enrolling iOS devices for management requires additional configuration. Follow these steps:

1. In the ConfigMgr console, navigate to Administration -> Overview -> Cloud Services -> Microsoft Intune Subscription.

2. Highlight the Microsoft Intune subscription.

3. Select Create APNs certificate request from the Ribbon.

4. In the Request Apple Push Notification Service Certificate Signing Request dialog box, enter the path for downloading the certificate signing request (.csr file) and click Download to create the CSR.

5. Click the Apple Push Certificate Portal hyperlink or browse to https://identity.apple.com.

6. Click Sign in and sign in to the portal, using an Apple ID. (Note that you can now create an Apple ID without adding credit card information.)

TIP: USING AN ORGANIZATION APPLE ID

The authors recommend creating an organization Apple ID for the APNs certificate. The certificate expires after 12 months and must be renewed in the Apple Push Certificates Portal with the same Apple ID that created it. A certificate created under a different Apple ID is a new certificate, not a renewal; devices enrolled against the old certificate stop receiving push notifications and must be re-enrolled.

Avoid this situation by using an organization Apple ID, rather than an individual’s personal Apple ID, for your APNs certificate, and record the Apple ID and the expiry date somewhere your team can find them.

7. Select Create a Certificate on the Get Started page.

8. Check the Accept box to accept the terms and conditions.

9. Browse to your CSR file on the Create a New Push Certificate page and click Upload.

10. Depending on the browser used for this part of the process, you may be asked to download a .json file. This file is not required and should be ignored. Cancel the download and log out of the portal.

11. Log back into the portal and your new certificate will be visible. Select Download to retrieve the MDM_Microsoft Corporation_Certificate.pem file (see Figure 17.4).

A screenshot shows the Apple Push Certificates Portal.

FIGURE 17.4 Apple Push Certificates Portal.

12. Back in the ConfigMgr console, right-click the Microsoft Intune subscription.

13. Select Configure Platforms ->iOS and Mac OS X (MDM).

14. Check the box Enable iOS and Mac OS X (MDM) enrollment. Click Browse and locate the .pem certificate file you downloaded earlier (see Figure 17.5).

15. Click Apply to enable enrollment of these devices. Click OK to finish.

The next time you open the properties page, you do not see the path to the APNs certificate; it is replaced by the text <Certificate on file>.

A screenshot shows the Microsoft Intune Subscription Properties dialog box.

FIGURE 17.5 Enabling iOS devices.
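The renewal deadline in the preceding tip is easy to miss, because nothing in the console counts down to it. As an added example (not code from this book or from Microsoft), the following Python script reads the .pem file you downloaded from the Apple Push Certificates Portal, walks the X.509 structure with a minimal DER parser from the standard library (no OpenSSL needed), and reports how many days remain. Because a real Apple certificate cannot be included here, the script also builds a constructed, unsigned sample certificate with the same layout to run against; the function names, the 30-day warning threshold, and the sample issuer and subject names are this example’s own choices.

```python
import base64
import re
from datetime import datetime, timezone


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Return the (tag, value) pairs directly inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        out.append((tag, inner))
    return out


def _parse_time(tag, value):
    """Decode an X.509 Time: UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    if tag == 0x17:
        fmt = "%y%m%d%H%M%SZ"  # %y maps 00-68 to 20xx, which is fine for any APNs certificate
    elif tag == 0x18:
        fmt = "%Y%m%d%H%M%SZ"
    else:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def pem_to_der(pem_text):
    """Extract and base64-decode the first CERTIFICATE block of a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def certificate_validity(der):
    """Return (notBefore, notAfter) as UTC datetimes from an X.509 DER certificate."""
    _, cert, _ = _read_tlv(der, 0)       # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    _, tbs, _ = _read_tlv(cert, 0)       # tbsCertificate ::= SEQUENCE { ... }
    fields = _children(tbs)
    if fields and fields[0][0] == 0xA0:  # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    validity_tag, validity = fields[3]
    if validity_tag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    not_before, not_after = _children(validity)
    return _parse_time(*not_before), _parse_time(*not_after)


def apns_renewal_status(pem_text, today=None, warn_days=30):
    """Classify the certificate as OK / RENEW_SOON / EXPIRED relative to `today` (YYYY-MM-DD; default now)."""
    now = (datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
           if today else datetime.now(timezone.utc))
    _, not_after = certificate_validity(pem_to_der(pem_text))
    days_left = (not_after - now).days
    if days_left < 0:
        state = "EXPIRED"     # enrolled iOS devices have already lost their push channel
    elif days_left <= warn_days:
        state = "RENEW_SOON"  # renew in the Apple Push Certificates Portal with the SAME Apple ID
    else:
        state = "OK"
    return state, days_left, not_after.date().isoformat()


# Constructed sample certificate (NOT a real Apple certificate): same layout, dummy key, empty signature.
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + content


def _name(common_name):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (commonName), UTF8String } } }"""
    attr = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, common_name.encode()))
    return _tlv(0x30, _tlv(0x31, attr))


def build_sample_cert_pem(not_before, not_after):
    """Build an unsigned sample certificate (dates as YYYY-MM-DD) so the parser can be exercised offline."""
    def utctime(day):
        return _tlv(0x17, datetime.strptime(day, "%Y-%m-%d").strftime("%y%m%d000000Z").encode())
    sha256_rsa = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))
    rsa_key = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + _tlv(0x05, b""))
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))                         # version v3
               + _tlv(0x02, b"\x01")                                    # serialNumber
               + sha256_rsa                                             # signature algorithm
               + _name("Apple Push Service CA (sample)")                # issuer
               + _tlv(0x30, utctime(not_before) + utctime(not_after))   # validity
               + _name("APSP:sample-push-topic")                        # subject
               + _tlv(0x30, rsa_key + _tlv(0x03, b"\x00" * 9)))        # subjectPublicKeyInfo (dummy)
    der = _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00" * 9))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


if __name__ == "__main__":
    # For a real check, replace the sample with open("MDM_Microsoft Corporation_Certificate.pem").read().
    sample = build_sample_cert_pem("2024-03-01", "2025-03-01")
    print(apns_renewal_status(sample, today="2025-02-10"))  # ('RENEW_SOON', 19, '2025-03-01')
```

Run it from a scheduled task against the .pem you keep on file, and treat RENEW_SOON as the trigger to log in to the Apple portal with the organization Apple ID; the parser deliberately stops at the validity field, so it does not verify the signature chain and is not a substitute for the trust checks iOS performs at enrollment.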

Enrolling iOS Devices

This section uses an iPhone 6 to illustrate enrolling an iOS device. The Intune Company Portal for iOS is used for device enrollment. Download the portal from the Apple App Store at https://itunes.apple.com/app/microsoft-intune-company-portal/id719171358?mt=8 and perform the following steps:

1. Search for the Intune Company Portal app in the Apple App Store and then download and install the app.

2. Launch the app and log in to Intune with your user account, using the UPN configured in Chapter 16.

3. The first steps of this wizard are the same as when enrolling an Android device. Follow the wizard through the Company Access Setup, Why enroll your device, We care about privacy, and What comes next pages. Click Enroll to enroll your device.

4. Click Install to install the Management Profile, as shown in Figure 17.6. This profile contains the Device Enrollment Challenge and is signed by IOSProfileSigning.manage.microsoft.com; iOS shows it as Verified. Check the signer name and the Verified status before installing, because a management profile hands remote control of the device to whoever issued it.

Installation of the iOS Management Profile is displayed.

FIGURE 17.6 Installing the iOS Management Profile.

5. After the enrollment certificate is installed, click Install again to install the mobile device management profile.

6. Click Trust to confirm that you trust the profile’s source. This is the step that grants remote management of the device.

7. Click Open when prompted to open the page in the Company Portal.

8. Company Access Setup requires no more attention, so click Continue and then click Done on the next page. The Intune Company Portal for iOS is installed, and the device is enrolled.

9. Select Rate App if you wish to give feedback on the setup experience.

The device is now available for management in the ConfigMgr console. The automatic naming convention for iPhones is Name_iPhone.

TIP: PREVENTING DUPLICATE DEVICE NAMES

The authors recommend renaming iOS devices before enrollment to avoid duplicate device names in the ConfigMgr console.

Enterprise enrollment of corporate iOS devices is discussed in the “Managing Company Devices” section, later in this chapter.

Enabling Windows Phone Devices for Management

Enabling support to manage Windows mobile devices in ConfigMgr is more involved than with the other platforms, and different configurations are required depending on the type of device you wish to manage. For example, for Windows Phone 8.0, you must sign the Company Portal app (ssp.xap) with a Symantec Enterprise Code Signing certificate. Enrolling Windows Phone 8.1 and Windows 10 Mobile devices is more straightforward. This book uses Windows 10 Mobile as an example.

Enabling Windows Phone Devices in Configuration Manager

To enable support for Windows Phone in the ConfigMgr console, perform the following steps:

1. Navigate to Administration -> Overview -> Cloud Services -> Microsoft Intune Subscription.

2. Right-click on the Microsoft Intune subscription.

3. Select Configure Platforms -> Windows Phone.

4. Check the box Windows Phone 8.1 and Windows 10 Mobile, as shown in Figure 17.7, and click OK.

Windows Phone devices are enabled.

FIGURE 17.7 Enabling Windows Phone devices.

Automatic Intune Enrollment

There are many more options for enrolling Windows 10 Mobile devices than with other platforms. Windows 10, Intune, and Azure are closely integrated to provide a holistic solution.

At this point, the device could be enrolled in Intune by navigating to Settings -> Accounts -> Work access and choosing Enroll in device management. However, it is more useful to integrate with Microsoft Azure during this process. Performing an Azure AD join of the device lets you take advantage of advanced Azure features such as multi-factor authentication (MFA). You can configure Azure so that automatic Intune enrollment is part of the process.

NOTE: AUTOMATIC INTUNE ENROLLMENT

Automatic Intune enrollment refers to a process in which a device enrolls with Intune automatically after it has been joined to Azure AD.

The term automatic can be confusing in this scenario as it is not a fully automatic process. User input is still required to join the device to Azure AD.

NOTE: AZURE AD PREMIUM LICENSE

An Azure AD Premium license is required for each user who will have Azure AD-joined devices automatically enrolled in Microsoft Intune. This license is included with an Enterprise Mobility + Security (EMS) license.

The process of configuring automatic Intune enrollment for Azure AD-joined devices follows:

1. Assign an EMS license to the global administrator account.

2. Log in to the Azure portal (https://manage.windowsazure.com) using the global administrator account.

3. Access the Azure Active Directory namespace.

4. Click on the Mobility (MDM and MAM) tab and select Microsoft Intune.

5. Select Configure to open the Intune properties.

6. Verify that the MDM Discovery URL, MDM Terms of Use URL, and MDM Compliance URL fields are prepopulated. You do not have to change these URLs.

7. Select the groups of users to configure automatic enrollment to Intune.

8. Save the configuration.

Enrolling Windows 10 Mobile Devices

After Intune auto-enrollment is configured, perform the following steps to join a Windows 10 Mobile device to Azure AD:

NOTE: JOINING WINDOWS 10 MOBILE TO AZURE AD

For Windows 10 Mobile, you must perform the configuration to join Azure AD during the initial setup of the device (out-of-box experience). It is not possible to do so afterward without resetting the device.

This is different with Windows 10 computers, for which you can join Azure AD in the context of the operating system.

1. Start the initial setup of a Windows 10 Mobile device. Continue through the out-of-box experience until you get to the Who owns the device? page, shown in Figure 17.8.

2. Under My work or school owns it, click Set up for work.

3. Read the information on the What happens next page and click Next to continue.

4. On the Let’s get you signed in page, sign in with your user account (UPN) and password.

5. If MFA is configured, and you are prompted to verify your identity, choose your preferred verification method and continue through the wizard. You may also be prompted to provide a work PIN if Passport for Work (now called Windows Hello for Business) is enabled on your Azure tenant.

The wizard informs you “You’re all set!” This means the device has been added to Azure AD and enrolled in Intune.

A screenshot shows Who owns this device? page. Under “I own it,” Create account and Sign in buttons are displayed. Under “My work or school owns it,” Set up for work button is displayed.

FIGURE 17.8 Joining Windows 10 Mobile to Azure AD.

The device is now available for management in the ConfigMgr console. Figure 17.9 shows the automatic naming convention for Windows Phone devices: Username_WindowsPhone_Enrollment_Date_time.

A screenshot shows Windows 10 Mobile in the Configuration Manager console.

FIGURE 17.9 Windows 10 Mobile in the Configuration Manager console.

Using Windows Computers as Mobile Devices

Beginning with Windows 8.1, Windows computers can be enrolled and managed as mobile devices in Microsoft Intune through the Open Mobile Alliance Device Management (OMA DM) channel. This chapter uses Windows 10 as an example.

The prerequisites for enrolling and managing Windows computers are the same as those for Windows 10 Mobile devices, discussed earlier in this chapter. Intune auto-enrollment is discussed in the “Automatic Intune Enrollment” section, earlier in this chapter, and Chapter 16 discusses the external DNS records that enrollment requires.

Enabling Windows Computers in Configuration Manager

Enabling enrollment of Windows computers in Configuration Manager is straightforward and requires no prerequisites beyond those already described. Follow these steps:

1. In the ConfigMgr console, navigate to Administration -> Overview -> Cloud Services -> Microsoft Intune Subscription.

2. Right-click the Microsoft Intune subscription.

3. Select Configure Platforms -> Windows.

4. Enable the check box Enable Windows enrollment, as shown in Figure 17.10.

NOTE: ENTERPRISE CODE-SIGNING CERTIFICATE

An enterprise code-signing certificate is required to deploy apps to Windows computers managed through OMA DM.

A screenshot shows the Microsoft Intune Subscription Properties dialog box. General tab is selected at the top. “Enable Windows enrollment” check box is selected.

FIGURE 17.10 Enabling Windows enrollment in the ConfigMgr console.

Enrolling Windows 10 Computers

The process of enrolling a Windows 10 computer is slightly different from that for Windows 10 Mobile. You can join the device to Azure AD during the out-of-box experience. However, you can also perform this step within the context of the OS. This is described in the following steps, using a Windows 10 v1607 computer:

1. In Windows, navigate to Start -> Settings -> Accounts -> Access work or school.

2. Under Connect to work or school, select Connect.

3. On the Set up a work or school account page, click Join this device to Azure Active Directory (see Figure 17.11).

4. Sign in with your user account (UPN) and password.

5. If MFA is configured, and you are prompted to verify your identity, choose your preferred verification method, and continue through the wizard. You may also be prompted to provide a work PIN if Passport for Work (now called Windows Hello for Business) is enabled on your Azure tenant.

A screenshot shows “Set up a work or school account” page. Under Alternate actions, “Join this device to Azure Active Directory” and “Join this device to a local Active Directory domain” are indicated. Next button at the bottom is enabled.

FIGURE 17.11 Joining a Windows 10 computer to Azure AD.

The wizard informs you that You’re all set! This means that the device is added to Azure AD and enrolled in Intune.

6. In Access work or school, verify that the computer is connected to Azure AD.

The computer is now available for management in the ConfigMgr console. Notice that Windows computers retain their system name but are enrolled as mobile devices, as displayed in Figure 17.12.

The screenshot shows Windows 10 computer as a mobile device.

FIGURE 17.12 Windows 10 computer available as a mobile device.
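Rather than trusting the Access work or school page alone, a practitioner confirms the result of steps 1 through 6 with dsregcmd /status from a command prompt on the computer, which reports both the Azure AD join state and the MDM URL that was discovered for the user. The following Python script is an added example, not code from this book or from Microsoft, that parses that output and checks the two facts this section depends on: AzureAdJoined is YES, and an HTTPS MdmUrl is present. The dsregcmd output embedded below is a constructed, abbreviated sample; the field names (AzureAdJoined, MdmUrl, MdmTouUrl, MdmComplianceUrl) are the ones dsregcmd prints, while the tenant name, tenant ID, device name and URL values are representative placeholders rather than values to compare against literally. The function names are this example’s own.

```python
import re
import subprocess

# Constructed, abbreviated sample of `dsregcmd /status` output from an Azure AD-joined,
# auto-enrolled Windows 10 computer. Field names are the ones dsregcmd prints; values are placeholders.
SAMPLE_DSREGCMD_OUTPUT = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : W10-1607-01

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Contoso
                  TenantId : 11111111-2222-3333-4444-555555555555
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
                 MdmTouUrl : https://portal.manage.microsoft.com/TermsofUse.aspx
          MdmComplianceUrl : https://portal.manage.microsoft.com/?portalAction=Compliance
"""

# One 'Key : Value' line; the key is matched lazily so the first colon ends it and URLs keep their own.
_FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$")


def parse_dsregcmd(text):
    """Turn the 'Key : Value' lines of dsregcmd /status into a dict; box-drawing and blank lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def check_enrollment(fields):
    """Return (ok, findings) for what this section expects: Azure AD joined and an MDM discovery URL present."""
    findings = []
    if fields.get("AzureAdJoined", "").upper() != "YES":
        findings.append("AzureAdJoined is not YES: the device was not joined to Azure AD")
    mdm_url = fields.get("MdmUrl", "")
    if not mdm_url:
        findings.append("MdmUrl is empty: Azure AD join succeeded but no MDM enrollment URL was discovered "
                        "(check the Mobility (MDM and MAM) user scope and the user's EMS license)")
    elif not mdm_url.lower().startswith("https://"):
        findings.append("MdmUrl is not an HTTPS URL: " + mdm_url)
    return not findings, findings


def check_live_device():
    """Run dsregcmd on the Windows 10 computer itself and evaluate the real output."""
    out = subprocess.run(["dsregcmd", "/status"], capture_output=True, text=True, check=True).stdout
    return check_enrollment(parse_dsregcmd(out))


if __name__ == "__main__":
    ok, findings = check_enrollment(parse_dsregcmd(SAMPLE_DSREGCMD_OUTPUT))
    print("OK" if ok else "\n".join(findings))  # prints OK for the sample
```

An empty MdmUrl with AzureAdJoined : YES is the signature of the case the “Automatic Intune Enrollment” note warns about: the join worked but the user was outside the group selected in step 7 of that procedure, or had no EMS license, so the device never appears in the ConfigMgr console.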

NOTE: WINDOWS 10 PROVISIONING PACKAGES

Administrators can use provisioning packages to automate the configuration of Windows 10 devices. This automation includes the steps to join the device to Azure AD.

Managing Company Devices

Mobile devices enrolled by users are categorized as personal devices by default. You can change a personal device to a company device by right-clicking the device, selecting Change Ownership, and then selecting from the dropdown shown in Figure 17.13. You can also multi-select devices and follow the same process to change the ownership of all of them at once.

In the Edit Device Ownership dialog box, “Select the ownership type for the selected devices” dropdown box is set as Personal with Company being the other option.

FIGURE 17.13 Changing ownership of a mobile device.

There are several differences in the way that ConfigMgr manages personal and company devices:

• The inventory data collected is different for personal and company devices. For example, for iOS and Android devices, all software is inventoried for company devices, while the inventory for personal devices shows managed apps only.

• You can use device ownership as a global condition when targeting a policy or an app to a group of devices.

There are a number of methods to enroll company-owned devices for MDM with Intune and ConfigMgr, discussed in the following sections. Some of these methods are dependent on the device type and how it was purchased.

Device Enrollment Program (iOS Only)

To use the Device Enrollment Program, organizations must first join the Apple Device Enrollment Program (DEP) and receive a DEP token. iOS devices must be purchased through DEP. The Intune enrollment profiles can then be uploaded to Apple and assigned to these devices.

The high-level process for enabling DEP enrollment follows:

1. In the ConfigMgr console, create a DEP token request by navigating to Administration -> Overview -> Cloud Services -> Microsoft Intune Subscription, selecting your subscription, and clicking Create DEP token request from the ribbon bar (see Figure 17.14).

A screenshot shows Microsoft Intune Subscriptions in the Configuration Manager console.

FIGURE 17.14 Creating a DEP token request.

2. Get a DEP token from Apple and add it to ConfigMgr.

3. Add a corporate device enrollment profile.

4. Assign DEP devices for management.

5. Synchronize DEP-managed devices.

See https://technet.microsoft.com/library/mt706231.aspx for further information on configuring DEP.

Apple Configurator (iOS Only)

The Apple Configurator tool is an Apple-developed solution that helps administrators deploy corporate iOS devices. It is downloaded from the Mac App Store and runs only on macOS.

The high-level process for iOS enrollment using the Apple Configurator follows:

1. Add a corporate device enrollment profile. In the ConfigMgr console, navigate to Assets and Compliance -> Overview -> All Corporate-owned devices -> iOS -> Enrollment Profiles.

2. Add iOS devices to enroll with the Setup Assistant.

3. Select devices to enroll.

4. Assign a profile.

5. Select a profile to deploy to iOS devices.

6. Prepare the device with the Apple Configurator.

See https://technet.microsoft.com/library/mt706232.aspx for full details on device enrollment with the Apple Configurator.

Device Enrollment Manager

Each user can enroll a maximum of 15 devices in the hybrid Intune/ConfigMgr solution. This default of 15 is configured in the General tab of the Intune subscription properties, and you can lower it to any number between 1 and 15.

The devices are enrolled as user specific, and you can target these devices with apps and policies based on the user. However, sometimes app deployment to specific users is not required, and you may want to quickly bulk-enroll many devices that will be shared by users. The device enrollment manager is a special Intune account with permission to enroll more than 15 devices.

Device enrollment managers cannot be Intune administrators. Assign this role as follows:

1. In the ConfigMgr console, navigate to Administration -> Overview -> Cloud Services -> Microsoft Intune Subscription.

2. Right-click the Microsoft Intune subscription and select Properties.

3. Choose the Device Enrollment Manager tab.

4. Select Add/Remove to add the managers.

NOTE: DEVICE ENROLLMENT MANAGERS

Device enrollment managers can enroll devices and log in to the Company Portal to install and uninstall apps. However, these devices cannot be workplace or Azure AD joined; therefore, they are not subject to conditional access policies.

See Chapter 18 for information regarding conditional access.

Protecting Mobile Devices

ConfigMgr provides a number of options should one of your devices be lost or stolen. It can also assist if a device no longer needs to be managed or is no longer accessible. In the console, right-click a mobile device to see available options, shown in Figure 17.15. Notice the Retire/Wipe feature.

The mobile device options are displayed.

FIGURE 17.15 Viewing mobile device options.

Click on Remote Device Actions to view further options, shown in Figure 17.16.

The options Reset Passcode, View Passcode State, Remote Lock, View Remote Lock State, and Activation Lock Bypass are listed.

FIGURE 17.16 Viewing remote device actions.

The following sections examine some of these options.

Retiring and Wiping Mobile Devices

You can retire a device if you no longer want to manage it with ConfigMgr. Right-click the device and choose Retire/Wipe. You are asked whether to wipe company content or the entire device when it is retired from ConfigMgr, as shown in Figure 17.17.

A screenshot shows Retire from Configuration Manager dialog box. Under “Are you sure that you want to retire the selected mobile device?” “Wipe company content and retire the mobile device from Configuration Manager” radio button is selected.

FIGURE 17.17 Options for retiring a device.

Select Wipe company content and retire the mobile device from Configuration Manager if you require a selective wipe. This is useful in a BYOD scenario if the user is leaving the company. In this scenario, the device is no longer managed, and corporate data is removed. Personal data is not affected by a selective wipe.

There is an additional consideration regarding retiring and wiping Windows 10 devices. Joining devices to Azure AD (discussed earlier in this chapter, in the “Enrolling Windows 10 Mobile Devices” section) is typically used for corporate devices, and for those devices the selective wipe option may be grayed out and unavailable. This is by design: a corporate device holds no personal data that needs preserving, so a full wipe is the expected action.

Workplace joining a device is an alternative method of enrolling a device and is the preferred option in a BYOD scenario. For these personal devices, both selective and full wipe options are available. (Workplace join steps for personal devices are beyond the scope of this book.)

Tables 17.2 and 17.3 list the company data removed for each platform when retiring a device and choosing selective wipe.

TABLE 17.2 Data Removed with Selective Wipe (Windows)

Content                           Windows 8.1 and Later                                    Windows Phone 8.1 and Windows 10 Mobile
--------------------------------  -------------------------------------------------------  ----------------------------------------------
Company apps and associated data  Apps are uninstalled, and sideloading keys are removed.  Apps are uninstalled. App data is removed.
                                  Data will no longer be accessible.
VPN and Wi-Fi profiles            Removed.                                                 Removed.
Certificates                      Removed and revoked.                                     Removed.
Settings                          Removed.                                                 Mostly removed (review TechNet documentation).
Email profiles                    Email and attachments are removed from Outlook and the   Removed.
                                  Mail app for Windows.

TABLE 17.3 Data Removed with Selective Wipe (iOS and Android)

Content                  iOS                                   Android                       Samsung Knox
-----------------------  ------------------------------------  ----------------------------  ------------------------------------
Company apps and         Apps are uninstalled. App data is     Apps and data remain          Apps are uninstalled.
associated data          removed.                              installed.
VPN and Wi-Fi profiles   Removed.                              Removed.                      Removed.
Certificates             Removed and revoked.                  Revoked.                      Revoked.
Settings                 Mostly removed (review TechNet        Removed.                      Removed.
                         documentation).
Management agent         Management profile is removed.        Device administrator          Device administrator
                                                               privilege is revoked.         privilege is revoked.
Email profiles           For email profiles provisioned by     N/A                           For email profiles provisioned by
                         Microsoft Intune, the email account                                 Microsoft Intune, the email account
                         and email are removed.                                              and email are removed.

Select Wipe the mobile device and retire it from Configuration Manager if a full wipe is required. This action restores the device to factory defaults; all data, applications, and settings are removed. This option is useful when a device is stolen or lost.

NOTE: PERFORMING RETIRE/WIPE

Administrators perform the Retire/Wipe operations in the ConfigMgr console. Users can also perform these operations on their own devices by using the Company Portal app.

Resetting Passcodes

Passcode Reset is one of the additional remote device actions that you can perform (refer to Figure 17.16). If a user forgets the passcode for his or her device, you can assist by removing the passcode or forcing a new temporary passcode. The behavior is platform dependent (see Table 17.4). Where the reset clears the passcode rather than setting a temporary one, the device has no lock at all until the user sets a new passcode, so perform the reset only when the user has the device in hand.

TABLE 17.4 Passcode Reset Behavior, by Platform

Platform                   Passcode Reset
-------------------------  ------------------------------------------------------------------------
iOS                        Clears the passcode from the device. Does not create a new temporary passcode.
Android                    Supported; a temporary passcode is created.
Windows Phone 8 and later  Supported.
Windows 8.1 and later      Not supported.

You can view the result of a passcode reset by selecting View Passcode State from the Remote Device Actions menu (refer to Figure 17.16).

TIP: ANDROID TEMPORARY PASSWORDS

Android temporary passwords are long and complex. You should warn your users in advance.

Remotely Locking a Device

You can lock a device remotely if it is lost. The behavior is platform dependent (see Table 17.5).

TABLE 17.5 Remote Lock Support, by Platform

Platform                   Remote Lock
-------------------------  ---------------------------------------------------------------------------------
iOS                        Supported.
Android                    Supported.
Windows Phone 8 and later  Supported.
Windows 8.1 and later      Supported if the current user of the device is the same user who enrolled the device.

You can view the state of a remote lock by selecting View Remote Lock State or by using the Remote Device Actions menu.

Accessing Activation Lock Bypass (iOS Only)

iOS Activation Lock is a feature of Find My iPhone on iOS 7 and later. It is turned on automatically when Find My iPhone is enabled on a device. When it is enabled, the user’s Apple ID and password are required for the following actions:

• Turning off Find My iPhone

• Erasing the device

• Reactivating the device

If a user sets up Activation Lock on a device and then leaves the company without turning it off, the device cannot be reactivated without the user’s Apple ID and password. Activation Lock Bypass overcomes this problem and is supported in Configuration Manager for supervised devices running iOS 7.1 or later (supervision is how corporate devices enrolled through DEP or prepared with Apple Configurator are typically set up).

To use this feature, select Activation Lock Bypass from the Remote Device Actions menu.

NOTE: ACTIVATION LOCK WARNING

Microsoft issues a strong warning related to using this feature: “After you bypass the Activation Lock on a device, it will automatically apply a new Activation Lock if the Find My iPhone app is opened. Because of this, you should be in physical possession of the device before you follow this procedure.”

Configuring Mobile Devices

Devices can be managed after they are enrolled in Intune and ConfigMgr. This includes many platform-dependent features and settings. Those options are not listed here as there are many of them, and they change at a rapid pace. You can find details at https://docs.microsoft.com/sccm/mdm/deploy-use/manage-compliance-settings.

Define the settings you require by creating configuration items and adding them to a configuration baseline. You apply the settings to mobile devices by deploying the baseline to a collection of devices. This process is discussed in the next section, “Creating Configuration Items and Baselines.”

Not every setting is supported on every platform. The available settings are grouped into categories; select the categories you need as you work through the wizard.

Creating Configuration Items and Baselines

You can create a configuration item (CI) in order to apply some configuration settings to mobile devices. Follow these steps to create a CI:

1. In the ConfigMgr console, navigate to Assets and Compliance -> Overview -> Compliance Settings.

2. Right-click Configuration Items and select Create Configuration Item.

3. In the first screen of the Create Configuration Item Wizard, enter a descriptive name and choose the device type for the CI you want. You can choose devices with or without the full ConfigMgr client. This section is concerned with devices enrolled with Intune (without the ConfigMgr client). Choose one of the following (see Figure 17.18):

• Windows 8.1 and Windows 10

• Windows Phone

• iOS and Mac OS X

• Android and Samsung Knox

A screenshot shows the Create Configuration Item Wizard dialog box.

FIGURE 17.18 Choosing a device type for the CI.

4. To see which configuration options are available for each platform, select each device type in turn and step through the wizard. This example deploys password settings to Windows 10 devices, so select Windows 8.1 and Windows 10 and click Next.

5. Specify the supported platforms for this configuration item. In this case, choose Windows 10 only and click Next to continue.

6. Select the device setting groups you wish to configure. If you select all the options, you can see that these options become available to you in the left side of the wizard, as shown in Figure 17.19. For this example, you only need the Password group, so check only the box beside Password and click Next to continue.

7. On the next page of the wizard, configure the required password settings. Continue through the wizard, configuring the settings for each group you selected, checking the box Remediate noncompliant settings on each page.

A screenshot shows the device setting groups in the Create Configuration Item Wizard dialog box.

FIGURE 17.19 Selecting the device setting groups.

8. On the Platform Applicability page, which contains a list of the settings that are not supported by all the platforms you selected, choose whether to export this list to a CSV file for review. Click Next to continue.

9. Review the Summary and click Next to create the CI.

10. Click Close to finish the wizard.

Now you need to create a configuration baseline, adding the CIs so they can be deployed to a collection of devices. Follow these steps:

1. In the ConfigMgr console, navigate to Assets and Compliance -> Overview -> Compliance Settings.

2. Right-click Configuration Baselines and select Create Configuration Baseline.

3. Enter a descriptive name. Click Add and choose Configuration Items, as shown in Figure 17.20. Choose the CIs you previously created and click Add. Click OK to add the CIs to the baseline.

A screenshot shows the Create Configuration Baseline dialog box. The Name textbox at the top is indicated as Unleashed Configuration Baseline. Below the Add dropdown box at the bottom, the options Configuration Items, Software Updates, and Configuration Baselines are listed.

FIGURE 17.20 Creating a configuration baseline.

4. Click OK to create the configuration baseline containing your configured settings.

The last step in this process is to deploy the configuration baseline to a collection of devices. Perform the following steps:

1. Right-click the configuration baseline and select Deploy.

2. Ensure that the correct baseline is selected in the Selected configuration baselines box, shown in Figure 17.21.

3. Enable the option Remediate noncompliant rules when supported. You may also choose to allow remediation outside the maintenance window. You can choose to generate an alert based on a compliance level or at a specific date and time.

4. Select the collection for the baseline deployment.

5. Choose the compliance evaluation schedule. The default interval is every seven days.

6. Click OK to deploy the configuration baseline to the members of your selected collection.

A screenshot shows the Deploy Configuration Baselines dialog box.

FIGURE 17.21 Deploying a configuration baseline.

Using Custom Configuration Items

The OMA DM standard is designed for managing mobile devices such as phones and tablets. It is a lightweight specification intended for small-footprint devices, where memory, storage space, and bandwidth may be limited. Devices that use this standard are referred to as modern devices.

OMA DM addresses settings by Open Mobile Alliance Uniform Resource Identifier (OMA-URI) values; these can be used to extend the mobile device management capabilities of Configuration Manager beyond the built-in setting groups.

Microsoft publishes the OMA-URI values that its configuration service providers (CSPs) accept. Useful examples of custom URI settings for Windows 10 are available at https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune.

NOTE: CUSTOM OMA-URI EXAMPLE

Following is an example of a custom URI value for Windows 10:

• Setting: AllowDateTime

• URI Full Path: ./Vendor/MSFT/Policy/Config/Settings/AllowDateTime

• Data Type: Integer

• Allowed Values: 0 (not allowed), 1 (allowed, the default)

You can create a CI with a custom OMA-URI. Follow these steps:

1. In the ConfigMgr console, navigate to Assets and Compliance -> Overview -> Compliance Settings -> Configuration Items.

2. Create the CI, as discussed earlier in this chapter, in the “Creating Configuration Items and Baselines” section. Ensure that you select the check box Configure additional settings that are not in the default setting groups on the Select the device setting groups to configure page. This allows you to add custom settings to the CI.

3. Click Add on the Configure additional mobile device settings page.

4. When you are presented with a list of existing settings, click Create Setting to add your own.

5. Enter your OMA-URI settings as shown in Figure 17.22 and click Apply and then OK.

NOTE: OMA-URI SETTINGS

Remember that OMA-URI settings are case sensitive.

6. Highlight the setting you just created and choose Select.

7. Enter a value on the Create Rule page, such as 0 for not allowed. Check the box Remediate noncompliant rules when supported and click OK.

A screenshot shows Create Setting dialog box with General tab indicated at top.

FIGURE 17.22 Creating a custom configuration item.

8. Click Close to close the Browse Settings page. The OMA-URI setting is now created and added to the CI wizard.

9. Complete the wizard and add the CI to a baseline to be deployed.
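The procedure above shows the console side of a custom OMA-URI setting, but it does not show what the device actually receives or how to confirm that the value landed. The following PowerShell is an added example, not code from the book or from Microsoft. The first function renders the OMA DM SyncML "Replace" command that an MDM channel issues for a custom URI (the same shape Microsoft documents for the Policy CSP) and refuses a wrongly cased vendor path, since OMA-URI paths are case sensitive. The second function reads the applied value back on the enrolled Windows 10 device; it assumes (an assumption, not stated in the chapter) that Windows records applied Policy CSP values under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Policy>.

```powershell
# Added example (not from the book): build the SyncML that a custom OMA-URI
# setting produces, and verify on a Windows 10 device that the policy landed.
# Assumption: Windows records applied Policy CSP values under
# HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Policy>.

function New-OmaUriSyncML {
    param(
        [Parameter(Mandatory)][string]$Uri,      # e.g. ./Vendor/MSFT/Policy/Config/Settings/AllowDateTime
        [Parameter(Mandatory)][string]$Value,
        [ValidateSet('int', 'chr', 'bool')][string]$Format = 'int',
        [int]$CmdId = 1
    )
    # OMA-URI paths are case sensitive; -cnotmatch makes the check case sensitive too,
    # so './vendor/msft/...' is rejected before it silently does nothing on the device.
    if ($Uri -cnotmatch '^\./(Vendor/MSFT|Device/Vendor/MSFT|User/Vendor/MSFT)/') {
        throw "Unexpected or wrongly cased OMA-URI prefix: $Uri"
    }
    # Replace is the command an MDM server sends to enforce (remediate) a value.
    @"
<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Replace>
      <CmdID>$CmdId</CmdID>
      <Item>
        <Target><LocURI>$Uri</LocURI></Target>
        <Meta><Format xmlns="syncml:metinf">$Format</Format></Meta>
        <Data>$Value</Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>
"@
}

function Test-PolicyCspValue {
    param(
        [Parameter(Mandatory)][string]$Area,     # Policy CSP area, e.g. Settings
        [Parameter(Mandatory)][string]$Policy,   # policy name, e.g. AllowDateTime
        [Parameter(Mandatory)]$Expected          # value the CI rule requires
    )
    $key  = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$Area"
    $item = Get-ItemProperty -Path $key -Name $Policy -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Policy = $Policy; Present = $false; Actual = $null; Compliant = $false }
    }
    $actual = $item.$Policy
    [pscustomobject]@{ Policy = $Policy; Present = $true; Actual = $actual; Compliant = ($actual -eq $Expected) }
}

# Usage: the chapter's AllowDateTime example with value 0 (not allowed)
New-OmaUriSyncML -Uri './Vendor/MSFT/Policy/Config/Settings/AllowDateTime' -Value 0

# Run this on the enrolled Windows 10 device after it has synced
# (Settings -> Accounts -> Access work or school -> Info -> Sync).
Test-PolicyCspValue -Area Settings -Policy AllowDateTime -Expected 0
```

If Present is false after a manual sync, the URI was most likely mistyped or wrongly cased in the CI; the device silently ignores an unknown node. If Present is true but Compliant is false, the baseline was deployed without Remediate noncompliant rules when supported, so the CI only reports and never enforces.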

About Device Policy Refresh Intervals

Intune notifies a device almost immediately when a policy or an app is deployed—typically within 5 minutes. The device then checks in with the Intune service to retrieve the policy or app. If the device does not check in after the first notification, three additional attempts are made to contact the device. If the device is offline, it may not receive these notifications and will get the policy or app on the next scheduled check-in.

The scheduled check-in intervals for the various platforms are as follows:

• iOS: Every 6 hours

• Android: Every 8 hours

• Windows Phone: Every 8 hours

• Windows Computers Enrolled as Mobile Devices: Every 24 hours

Users can also manually sync a device at any time to immediately check for policy, using the Company Portal app.

Check-in is more frequent if the device has just been enrolled:

• iOS: Every 15 minutes for 6 hours, and then every 6 hours

• Android: Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then every 8 hours

• Windows Phone: Every 5 minutes for 15 minutes, then every 15 minutes for 2 hours, and then every 8 hours

• Windows Computers Enrolled as Mobile Devices: Every 3 minutes for 30 minutes, and then every 24 hours

Inventorying Mobile Devices

A mobile device reports its discovery data record (DDR) and inventory to Intune after the enrollment process. This data is then downloaded via the service connection point (SCP) and written to the ConfigMgr database. After this initial inventory, the devices report their inventory according to the schedule defined in the client settings.

Inventory classes reported by the devices are platform specific; Figure 17.23 shows an example. Mobile devices report full inventory each time. Right-click a device in the console and select Start -> Resource Explorer to view the inventory data.

The inventory classes shown by various personal devices are shown.

FIGURE 17.23 Inventory collection from various personal devices.

As discussed earlier in this chapter, in the section “Managing Company Devices,” the app inventory reported depends on the ownership of the device, according to Table 17.6.

TABLE 17.6 App Inventory, by Platform

Platform | Personal Devices | Company Devices
Windows 8.1 and later | Enrolled (OMA DM): managed apps only | Enrolled (OMA DM): managed apps only
Windows Phone 8.1 and later | Managed apps only | Managed apps only
iOS | Managed apps only | All apps
Android | Managed apps only | All apps

Figure 17.24 shows the inventory of all the apps that are collected on a Windows 10 computer enrolled as a company device.

A screenshot shows System Center Configuration Manager - Resource Explorer window.

FIGURE 17.24 App inventory for a company device.

Numerous reports are available in the (mobile) device management category. Many reports present the data collected through inventory; see Figure 17.25 for an example. Navigate to Monitoring -> Overview -> Reports in the ConfigMgr console to view the available reports.

A screenshot shows Mobile device client information window.

FIGURE 17.25 Device management report.

Deploying Apps

Chapter 11, “Creating and Managing Applications,” and Chapter 12, “Creating and Using Deployment Types,” describe how to create and manage applications and deployment types (DTs). This section concentrates specifically on deploying apps to mobile devices. The process is the same as with other devices: Use the Create Application Wizard to create an application and use the Deploy Software Wizard to deploy it to a collection of mobile devices.

The following application types can be deployed to modern mobile devices:

• Windows app package (*.appx, *.appxbundle) (Windows 8.1 or later)

• Windows app package (in the Windows Store)

• Windows Phone app package (*.xap file) (Windows Phone 8.1)

• Windows Phone app package in the Windows Phone Store

• App package for iOS (*.ipa file)

• App package for iOS from the App Store

• App package for Android (*.apk file)

• App package for Android on Google Play

• Web application

• Windows installer through MDM (*.msi) (on-premise MDM)

In general, there are three types of apps you can deploy to mobile devices, each of which behaves differently when deployed to a device:

• Store Apps (Google Play, App Store, Windows Store): The user follows a link to the app in the store to download and install it. The user must have a store account to download the app (with the exception of a Microsoft Store for Business app).

• Line-of-Business Apps (.xap, .appx, .ipa, .apk): These are apps developed in-house, and they must be side-loaded onto the devices.

• Web Applications: These are deployment types that specify a link to a web application. The deployment type adds an icon for the web application on the user's device. The icon type varies per platform:

  • Web clip (iOS)

  • Widget (Android)

  • Shortcut (Windows)

Table 17.7 lists the app deployment scenarios.

TABLE 17.7 App Deployment Scenarios

Deployment Scenario | iOS | Android | Windows Phone 8.1 and Later | Windows 8.1 and Later
Available install (to users) | Yes | Yes | Yes | Yes
Required install of side-loaded apps (to users or devices) | User prompted to accept the installation | User prompted to accept the installation | N/A | Automatically installed
Remote uninstall of side-loaded apps (to users or devices) | Yes | User prompted to accept the uninstall | N/A | Automatically uninstalled

Leveraging Mobile Application Management (MAM)

ConfigMgr leverages Intune’s MAM capabilities to enable the deployment of MAM policies to MAM-managed apps. MAM policies allow administrators to modify the functionality of apps to conform to a security policy. You can control operations such as cut, copy, and paste by restricting data transfer only to other managed apps. You can also configure a MAM-managed app to open all web links inside the Intune Managed Browser app, as this app is a MAM-managed app.

MAM policies are supported on iOS (versions 8.1 and later) and Android (version 4 and later) only. Follow these steps to create a MAM policy and associate it with the DT of an app:

1. In the ConfigMgr console, navigate to Software Library -> Overview -> Application Management -> Application Management Policies.

2. Right-click Application Management Policies and select Create Application Management Policy.

3. Enter a name and description and click Next.

4. On the Specify the type of application management policy page, choose the required platform (iOS or Android) and policy type (General or Managed Browser). Click Next.

5. Enter your application management policy selections (see Figure 17.26 for an iOS example) and click Next.

A screenshot shows Create Application Management Policy Wizard dialog box.

FIGURE 17.26 Specifying an iOS MAM policy.

6. Review the summary and click Next to create the MAM policy.

7. Click Close to complete the wizard.

NOTE: DEPLOYING MAM POLICIES

MAM policies are not deployed to collections; they are associated with the deployment type of a MAM-managed app. You configure this in the Deploy Software Wizard.

Import a MAM-managed app into the ConfigMgr console and deploy it as normal. The Deploy Software Wizard asks you to select the MAM policy you want to associate with the MAM app DT, as shown in Figure 17.27.

A screenshot shows Deploy Software Wizard dialog box.

FIGURE 17.27 Associating a MAM policy with iOS DT.

Microsoft publishes details of MAM-capable apps in the Intune mobile application gallery at https://www.microsoft.com/cloud-platform/microsoft-intune-apps. This list of apps is increasing rapidly.

TIP: INTUNE APP WRAPPING TOOLS

You can use the Intune app wrapping tools for iOS and Android to convert your own line-of-business apps to be capable of MAM management.

Creating Mobile Device Collections

You may want to target specific device platforms with app or policy deployments. Do so by creating target collections using dynamic queries. Examples follow:

• Listing 17.1 creates a collection of Windows Phone 8.1 devices.

• Listing 17.2 creates a collection of iPhones.

• Listing 17.3 creates a collection of iPads.

• Listing 17.4 creates a collection of Android devices.

LISTING 17.1 Creating a Collection of Windows Phone 8.1 Devices


SELECT SMS_R_System.ResourceId,SMS_R_System.ResourceType,SMS_R_System.Name,
   SMS_R_System.SMSUniqueIdentifier,
   SMS_R_System.ResourceDomainORWorkgroup,
   SMS_R_System.Client
FROM SMS_R_System
   INNER JOIN SMS_G_System_DEVICE_OSINFORMATION ON
   SMS_G_System_DEVICE_OSINFORMATION.ResourceID = SMS_R_System.ResourceId
WHERE
   SMS_G_System_DEVICE_OSINFORMATION.Platform like "Windows Phone" and
   SMS_G_System_DEVICE_OSINFORMATION.Version like "8.1%"

LISTING 17.2 Creating a Collection of iPhones


SELECT SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
   SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
   SMS_R_SYSTEM.Client
FROM SMS_R_System
   INNER JOIN SMS_G_System_DEVICE_COMPUTERSYSTEM ON
   SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId
   = SMS_R_System.ResourceId
WHERE
   SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "%iphone%"

LISTING 17.3 Creating a Collection of iPads


SELECT SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,
   SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier,
   SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
FROM SMS_R_System INNER JOIN SMS_G_System_DEVICE_COMPUTERSYSTEM ON
   SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId
   = SMS_R_System.ResourceId
WHERE
   SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "%ipad%"

LISTING 17.4 Creating a Collection of Android Devices


SELECT SMS_R_System.ResourceId,SMS_R_System.ResourceType,SMS_R_System.Name,
   SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup,
   SMS_R_System.Client
FROM SMS_R_System
   INNER JOIN SMS_G_System_DEVICE_OSINFORMATION
   ON SMS_G_System_DEVICE_OSINFORMATION.ResourceID =
   SMS_R_System.ResourceId
WHERE
   SMS_G_System_DEVICE_OSINFORMATION.Platform like "Android%"
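The four listings are normally pasted into the Query Statement editor of the Create Device Collection Wizard. The following PowerShell is an added example, not code from the book, that creates the same four collections with the ConfigMgr cmdlets so the queries can be kept in source control and recreated on another site. It assumes (assumptions, not stated in the chapter) a site code of P01, a console installation on the machine that runs it (which provides the ConfigurationManager module), and the built-in All Mobile Devices collection as the limiting collection, which keeps full ConfigMgr clients from ever falling into these targets.

```powershell
# Added example, not from the book: create the collections of Listings 17.1-17.4
# with the ConfigMgr PowerShell cmdlets. Assumptions: site code P01, console
# installed locally, built-in "All Mobile Devices" as the limiting collection.

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'P01:'                                  # site code (assumption)

$limiting = 'All Mobile Devices'

# Shared SELECT/FROM clause; each collection adds the join and filter from its listing.
$select = 'SELECT SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, ' +
          'SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client ' +
          'FROM SMS_R_System '
$osJoin = 'INNER JOIN SMS_G_System_DEVICE_OSINFORMATION ON ' +
          'SMS_G_System_DEVICE_OSINFORMATION.ResourceID = SMS_R_System.ResourceId '
$csJoin = 'INNER JOIN SMS_G_System_DEVICE_COMPUTERSYSTEM ON ' +
          'SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId '

$collections = @(
    @{ Name  = 'MDM - Windows Phone 8.1'
       Query = $select + $osJoin + "WHERE SMS_G_System_DEVICE_OSINFORMATION.Platform = 'Windows Phone' " +
               "AND SMS_G_System_DEVICE_OSINFORMATION.Version LIKE '8.1%'" }
    @{ Name  = 'MDM - iPhones'
       Query = $select + $csJoin + "WHERE SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel LIKE '%iphone%'" }
    @{ Name  = 'MDM - iPads'
       Query = $select + $csJoin + "WHERE SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel LIKE '%ipad%'" }
    @{ Name  = 'MDM - Android'
       Query = $select + $osJoin + "WHERE SMS_G_System_DEVICE_OSINFORMATION.Platform LIKE 'Android%'" }
)

# Re-evaluate membership daily. Platform and DeviceModel come from inventory, which
# arrives only after enrollment, so a new device joins on the next evaluation.
$schedule = New-CMSchedule -RecurInterval Days -RecurCount 1

foreach ($c in $collections) {
    if (Get-CMDeviceCollection -Name $c.Name) {
        Write-Host "Collection '$($c.Name)' already exists, skipping"
        continue
    }
    New-CMDeviceCollection -Name $c.Name -LimitingCollectionName $limiting `
        -RefreshType Periodic -RefreshSchedule $schedule | Out-Null
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $c.Name `
        -QueryExpression $c.Query -RuleName "$($c.Name) rule"
    Write-Host "Created '$($c.Name)'"
}
```

The WQL is unchanged from the listings apart from single-quoted string literals, which ConfigMgr accepts and which avoid escaping inside the PowerShell double-quoted strings. Because the collections are limited to All Mobile Devices, a required app or baseline deployed to them cannot reach a domain-joined PC that happens to report an Android-like model string.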

Using the Company Resource Access Workspace

View company resource access in the ConfigMgr console by navigating to Assets and Compliance -> Overview -> Compliance Settings -> Company Resource Access. This area provides tools that allow users to access company resources from remote locations. Four options are available to deploy configuration profiles to mobile devices:

• Certificate profiles

• Email profiles

• VPN profiles

• Wi-Fi profiles

These options are described in the following sections.

NOTE: COMPANY RESOURCE ACCESS MANAGER

Company Resource Access Manager is a security role in ConfigMgr. This role is assigned to an administrative user to create and deploy resource profiles.

Using Certificate Profiles

Certificate profiles integrate with Active Directory Certificate Services (ADCS) and Network Device Enrollment Services (NDES) to provision certificates for authentication of mobile devices. (A full description of certificates and Certificate Services is beyond the scope of this book.)

You can deploy three certificate types:

• Trusted CA Certificates: Deploy a trusted root or intermediate CA certificate.

• Certificates Issued via Simple Certificate Enrollment Protocol: Request a certificate by using SCEP and NDES.

• Personal Information Exchange (PFX) Certificates: Deploy certificates that support user-based public key infrastructure (PKI) communication.

In the ConfigMgr console, navigate to Assets and Compliance -> Overview -> Compliance Settings -> Company Resource Access. Right-click Certificate Profiles and select Create Certificate Profile to open the dialog displayed in Figure 17.28. Select the type of profile you want to create and enter the required details to complete the wizard. Deploy the profile to a collection of users or mobile devices as normal.

Certificate profiles are supported on all device types that can be enrolled in Intune.

NOTE: SCEP CERTIFICATE PREREQUISITES

Before you can create a SCEP certificate profile, you must implement a PKI and NDES infrastructure. To deploy profiles that use SCEP, you also must install the certificate registration point on a site system and deploy the Configuration Manager Policy Module for NDES.

A screenshot shows Create Certificate Profile Wizard dialog box.

FIGURE 17.28 Types of certificate profiles.

Using Email Profiles

Email profiles allow you to enable access to corporate email with minimal user input by deploying Exchange ActiveSync settings.

In the ConfigMgr console, navigate to Assets and Compliance -> Overview -> Compliance Settings -> Company Resource Access. Right-click Email Profiles and select Create Exchange ActiveSync Profile to open the dialog displayed in Figure 17.29. Enter a name for the profile and the required details to complete the wizard. Deploy the profile to a collection of users or devices.

A screenshot shows Create Exchange ActiveSync Email Profile Wizard dialog box.

FIGURE 17.29 Configuring email profiles.

There are a number of options to specify when configuring the email profile:

• Email Address: Primary SMTP address or user principal name

• Authentication Method: Username and password, or certificate

• Synchronization Schedule: Manual, as messages arrive, or at an interval

• Content Type to Synchronize: Email, contacts, calendar, tasks, notes

Email profiles are supported on all device types that can be enrolled in Intune.

NOTE: EMAIL PROFILE DEPLOYMENT

Email profiles can only be deployed to the native mail app on a device. They cannot be deployed to the Outlook app, for example. A user could therefore end up with two email profiles if a device has already been configured manually with a profile for the same account.

Deploying VPN Profiles

To minimize the effort required for users to remotely access corporate resources, you can deploy VPN profiles to iOS, Android, Windows Phone, and Windows devices when they are enrolled into Microsoft Intune.

In the ConfigMgr console, navigate to Assets and Compliance -> Overview -> Compliance Settings -> Company Resource Access. Right-click VPN Profiles and select Create VPN Profile. Enter a name for the profile and enter the required details to complete the wizard. Deploy the profile to a collection of users or devices.

Table 17.8 lists the currently supported VPN connection types.

TABLE 17.8 Supported VPN Connection Types

Connection Type | iOS | Android | Windows 8.1 and Later | Windows Phone 8.1 and Later
Cisco AnyConnect | Yes | Yes | No | No
Pulse Secure | Yes | Yes | Yes | Yes
F5 Edge Client | Yes | Yes | Yes | Yes
Dell SonicWALL Mobile Connect | Yes | Yes | Yes | Yes
Check Point Mobile VPN | Yes | Yes | Yes | Yes
Microsoft SSL (SSTP) | No | No | Yes | No
Microsoft Automatic | No | No | Yes | No
IKEv2 | No | No | Yes | Yes
PPTP | Yes | No | Yes | No
L2TP | Yes | No | Yes | No

PPTP and L2TP appear in the table for compatibility with existing gateways. PPTP's MS-CHAPv2 authentication is cryptographically weak and should not be chosen for new deployments; prefer IKEv2 or a vendor client with certificate-based authentication where the platform supports it.

Using Wi-Fi Profiles

Wi-Fi profiles, used to deploy wireless network settings to users, are supported on all device types that can be enrolled in Intune. You can create Wi-Fi profiles to use certificates previously provisioned by certificate profiles.

In the ConfigMgr console, navigate to Assets and Compliance -> Overview -> Compliance Settings -> Company Resource Access. Right-click Wi-Fi Profiles and select Create Wi-Fi Profile. Enter a name for the profile and the required details to complete the wizard. Deploy the profile to a collection of users or devices.

Configuration Manager offers the following Wi-Fi security types:

• No authentication (open)

• WPA-Personal

• WPA2-Personal

• WPA-Enterprise

• WPA2-Enterprise

• WEP

• 802.1X

Each security type offers different encryption options, and not every type is supported on every platform. WEP and WPA (TKIP) are cryptographically broken and are listed only for compatibility with legacy networks; for corporate access, deploy WPA2-Enterprise with 802.1X certificate authentication, using certificates provisioned by a certificate profile as described above.

NOTE: PRE-SHARED KEYS

At the time this book was published, it was not possible to deploy a Wi-Fi profile with a pre-shared key using ConfigMgr, although the authors expect this feature to be available soon. You can create a custom profile by using the Apple Configurator tool and deploy it to iOS devices.

On-Premise Mobile Device Management

On-premise MDM is a new solution released with ConfigMgr Current Branch version 1511. It differs from traditional hybrid MDM (ConfigMgr integrated with Intune) in that managed devices do not have to be enrolled in Microsoft Intune. This feature supports Windows 10 devices only (mobile or desktop) and uses the on-premise ConfigMgr infrastructure and the built-in OMA DM capabilities of the device.

On-premise MDM enables you to manage mobile devices without synchronizing user accounts to Azure AD. Although devices are not managed by Intune directly, an Intune subscription and licenses are still required. The following sections describe management capabilities, advantages and disadvantages, and on-premise MDM requirements.

Management Capabilities

The following features are available for management with on-premise MDM:

• Hardware and software inventory

• The Retire/Wipe feature

• App deployment, which supports Windows Store app links, web applications, 32-bit MSI apps, and line-of-business apps (.appx)

• Configuration of devices using OMA DM policies

• Use of Windows 10 provisioning packages

Advantages and Disadvantages of On-Premise MDM

For some organizations, a huge advantage to using on-premise MDM is that all management and data is maintained on-premise. The solution is also easier to maintain, as there is no additional client to install, and all functionality is built into the operating system.

Disadvantages include limited device support (only Windows 10 desktop and Windows 10 mobile are supported at this time), and there is currently less client management functionality. However, this is a new feature and a work in progress.

On-Premise MDM Configuration

A number of prerequisites must be fulfilled before an on-premise MDM solution can be implemented with ConfigMgr. Many of these prerequisites should be familiar to those who have previously implemented a solution for managing Apple Mac devices:

• Intune Subscription and Service Connection Point: Although this is an on-premise solution, you must configure an Intune subscription and add the service connection point site system role.

• PKI with Certificate Revocation List (CRL) and CRL Distribution Point: A PKI is required with the following role services: Certification Authority (CA), CA Web Enrollment, and CA Web Service.

When Windows 10 clients communicate over HTTPS, they automatically check whether the certificate they are presented with has been revoked. They find this information in the CRL, which consists of two files (the full and delta CRL) stored in a virtual folder that must be reachable by the Windows 10 clients.

The CRL location (CRL distribution point) must be configured in the CA so that it is included in every issued certificate. A certificate whose CRL cannot be retrieved fails validation, so an unreachable distribution point breaks enrollment even when every certificate is otherwise correct.

• ConfigMgr Management Point (MP) Configured to Communicate via HTTPS: This requires a web server certificate assigned in Internet Information Services (IIS) and bound to HTTPS. The MP must be configured with a fully qualified domain name (FQDN).

• ConfigMgr Distribution Point (DP) Configured to Communicate via HTTPS: This requires a web server certificate assigned in IIS and bound to HTTPS. The DP must be configured to allow intranet and Internet connections and to allow mobile devices to connect, as shown in Figure 17.30.

• Trusted Root CA: After adding the HTTPS MP and DP, navigate to Administration -> Site Configuration -> Sites. Right-click your site and choose Properties. Select the Client Computer Communications tab and set the Trusted Root CA.

• Client Certificate: This certificate, installed on the Windows 10 clients, is issued from the client certificate template.

• Enrollment Point (EP): Add this site system role; its default configuration is sufficient.

• Enrollment Proxy Point (EPP): Add this site system role; its default configuration is sufficient. The EP and EPP roles can be installed on the same site system and can coexist with the HTTPS MP and DP.

• Certificate Profile and Enrollment Profile: Navigate to Assets and Compliance -> Compliance Settings -> Company Resource Access. Right-click Certificate Profiles to launch the Create Certificate Profile wizard. Then navigate to Administration -> Site Configuration -> Client Settings, open your client settings, and choose the Enrollment section. Select Allow users to enroll modern devices and set the modern device enrollment profile.

A screenshot shows Create Site System Server Wizard dialog box.

FIGURE 17.30 DP configured for HTTPS.
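Most on-premise MDM enrollment failures trace back to one of the certificate prerequisites above: a client certificate without the Client Authentication EKU, a CRL distribution point the client cannot reach, or an MP certificate chained to a root the client does not trust. The following PowerShell is an added example, not code from the book or from Microsoft, that checks those three conditions from a prospective Windows 10 client before you attempt enrollment. The MP name and root CA thumbprint are placeholders to replace; it assumes the client certificate from the client certificate template is already in the machine store. The /sms_mp/.sms_aut?mplist URL is a standard management point probe.

```powershell
# Added example, not from the book: verify on-premise MDM prerequisites from a
# Windows 10 client. Placeholders: $ManagementPoint, $TrustedRootThumbprint.
# Assumption: the client auth certificate is already in Cert:\LocalMachine\My.

param(
    [string]$ManagementPoint       = 'cm01.contoso.com',                          # HTTPS MP FQDN (placeholder)
    [string]$TrustedRootThumbprint = '0000000000000000000000000000000000000000'   # root CA thumbprint (placeholder)
)

function Get-ClientAuthCertificate {
    # Newest machine certificate that has a private key and the Client Authentication EKU.
    $clientAuth = '1.3.6.1.5.5.7.3.2'
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuth) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Test-CertificateChain([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Build the chain with online revocation checking: this is what fails when the
    # CRL distribution point is missing from the certificate or unreachable.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $built  = $chain.Build($Cert)
    $root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    [pscustomobject]@{
        Check  = 'ClientCertChain'
        Ok     = $built -and ($root.Thumbprint -eq $TrustedRootThumbprint)
        Detail = "subject=$($Cert.Subject); root=$($root.Thumbprint); status=$status"
    }
}

function Test-CrlDistributionPoints([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Every HTTP URL in the CRL Distribution Points extension (OID 2.5.29.31) must answer.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) {
        return [pscustomobject]@{ Check = 'CRL'; Ok = $false; Detail = 'certificate has no CDP extension' }
    }
    $urls = [regex]::Matches($ext.Format($false), 'https?://[^\s\)]+') | ForEach-Object { $_.Value }
    foreach ($u in $urls) {
        try   { $ok = (Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10).StatusCode -eq 200 }
        catch { $ok = $false }
        [pscustomobject]@{ Check = 'CRL'; Ok = $ok; Detail = $u }
    }
}

function Test-ManagementPointHttps {
    # The MP must present a server certificate this client trusts. Any HTTP status
    # (even 403 from an HTTPS MP that wants a client certificate) proves the TLS
    # handshake succeeded; a trust or name failure surfaces as an exception with no response.
    $url = "https://$ManagementPoint/sms_mp/.sms_aut?mplist"
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        [pscustomobject]@{ Check = 'MP-HTTPS'; Ok = $true; Detail = "$url -> $($r.StatusCode)" }
    } catch {
        $resp = $_.Exception.Response
        if ($resp) { [pscustomobject]@{ Check = 'MP-HTTPS'; Ok = $true;  Detail = "$url -> $([int]$resp.StatusCode)" } }
        else       { [pscustomobject]@{ Check = 'MP-HTTPS'; Ok = $false; Detail = "$url : $($_.Exception.Message)" } }
    }
}

$results = @()
$cert = Get-ClientAuthCertificate
if ($cert) {
    $results += Test-CertificateChain $cert
    $results += Test-CrlDistributionPoints $cert
} else {
    $results += [pscustomobject]@{ Check = 'ClientCert'; Ok = $false
                                   Detail = 'no client authentication certificate with a private key in LocalMachine\My' }
}
$results += Test-ManagementPointHttps
$results | Format-Table -AutoSize
```

Run it in an elevated session on the client. A RevocationStatusUnknown or OfflineRevocation status on the chain check, with a failed CRL row, points at the CRL distribution point rather than the certificate itself; a failed MP-HTTPS row with a trust error means the Trusted Root CA has not reached the client.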

On-Premise MDM Client Configuration

When the on-premise MDM prerequisites are satisfied, you are ready to enroll devices. Note that you can use provisioning packages to automate the client configuration. Follow these steps to enroll a Windows 10 client in the ConfigMgr on-premise MDM solution:

1. Import the trusted root certificate and client certificate discussed in the previous section.

2. Navigate to Settings -> Accounts -> Work access and select Connect to work or school.

3. Enter your local domain credentials. The first attempt fails, as Windows attempts to authenticate with Azure AD and is unable to do so as you are using local credentials.

4. When you are prompted to enter a server name, enter the FQDN of the enrollment point. You are then connected to the ConfigMgr enrollment point.

5. When you are prompted to authenticate, enter your local domain credentials.

The device is now connected and available in ConfigMgr, where it has been enrolled as a mobile device.

Summary

This chapter discussed managing mobile devices. It described how to enroll the various device types (Android, iOS, Windows Phone, and Windows) with Microsoft Intune so that they can be managed using the Intune/ConfigMgr hybrid solution. The enrollment process is slightly different for each platform. The chapter also discussed the difference between personal and company devices and described some ways to assist administrators with the enrollment of company-owned devices.

Protection and configuration of mobile devices are important parts of an administrator’s role. The chapter discussed features such as remote wipe, password reset, remote lock, and activation lock bypass. It demonstrated how to configure devices using configuration items and configuration baselines.

It also described the different management features offered by the hybrid solution—inventory, app deployment, certificate profiles, email profiles, VPN profiles, and Wi-Fi profiles.

Chapter 18 discusses conditional access, including how you can protect access to corporate resources by forcing users to enroll their devices.
