Skill 2.2: Configure device profiles
Administrators can implement mobile device management (MDM) functionality using Microsoft Intune or, to a more limited extent, with Basic Mobility and Security for Microsoft 365. In addition to managing settings on iOS and Android mobile devices, MDM allows you to configure policies that control settings on any Windows 10 device, such as desktop PCs and laptops.
Administrators can now manage devices from the cloud using an MDM solution such as Intune. By removing the traditional domain-based constraints that are often imposed on devices, MDM allows new management and device functionality to be used. You need to understand how devices enrolled into Azure Active Directory and Intune can be cloud-managed. Also, you need to understand how you can plan and use profiles and policies to configure devices, control user access, and set device settings to comply with company security and compliance policies.
This skill covers how to:
Plan device profiles
When planning how your organization will use MDM to manage your devices, there are several areas that you should include in your scope.
Intune uses Azure Active Directory (Azure AD) for authentication, and if you already have a local Active Directory Domain Services (AD DS) environment, you can connect the two identity services using a tool called Azure AD Connect. If you use Configuration Manager and Intune, you can manage devices by implementing a co-management solution.
The two common elements to modern management are your users and the device or devices that they use. In a traditional environment, an administrator will retain full control of a user’s computing environment, including the user’s desktop, by using Configuration Manager or Group Policy. This can be restrictive for the user, but it provides the strictest level of control for the administrator. Using Intune, a similar level of control is possible. Also, the cloud-based nature of Intune can be especially useful for devices that are beyond the management scope of Group Policy, such as in the following scenarios:
- Devices that are not domain members
- Mobile phones
- Windows 10 devices that are joined to Azure AD only
- Devices that are used entirely remotely and without access to VPN solutions
Intune provides excellent features for managing devices that connect to your corporate data, allowing you to remain compliant with your corporate security and compliance requirements. All enrolled devices can be forced to comply with the device configuration policies you have defined.
MDM refers to the management of mobile devices and can be used to manage smartphones, laptops, and PCs. The Open Mobile Alliance (OMA) developed a set of platform-independent device management protocols, OMA Device Management (OMA-DM), that define the MDM specification. Modern devices, including the MDM client built into Windows 10, support this protocol.
Microsoft Intune is an MDM solution that exposes settings and features you can enable or disable on a variety of mobile devices. Microsoft has built the MDM client into PCs running Windows 10, which allows Intune to fully manage Windows 10 as though it is a mobile device. The full list of platforms supported by Intune through device enrollment is as follows:
Apple
- Apple iOS 12.0 and later
- Apple iPadOS 13.0 and later
- macOS 10.13 and later
Google
- Android 5.0 and later, including Samsung KNOX Standard 2.4 and higher
- Android Enterprise
Microsoft
- Windows 10 (Home, S, Pro, Education, and Enterprise versions)
- Windows 10 Enterprise 2019 LTSC
- Surface Hub
- Windows 10 1709 (RS3) and later
- Windows 8.1 RT
- PCs running Windows 8.1 (Sustaining mode)
- Windows 10 Teams (Surface Hub)
- Windows Holographic for Business
- Windows 10 IoT Enterprise (x86, x64)
Because of the variety of platforms and devices, not all settings and features are available to be configured on every device platform. You should review the settings and features that you can add to a configuration profile for the different devices and different platforms that you use—or plan to use—in your organization.
Table 2-5 lists the most common device profiles; an X indicates that the profile is supported on that platform.
The number and scope of the built-in device settings that are supported by Intune continues to grow as more organizations provide feedback to Microsoft requesting additional support for new scenarios. For each new Windows 10 version, there will be new MDM functionality added to the built-in MDM client to reflect new features that ship with that version of Windows 10.
In Table 2-5, the last item relates to creating custom Open Mobile Alliance Uniform Resource Identifier (OMA-URI) profiles. Custom profiles allow you to configure device settings and features that aren’t natively built into Intune. If the MDM client on your organization’s devices exposes a setting that Intune has no built-in profile for, you can still set it on every device by addressing the setting directly with its OMA-URI in a custom profile.
TABLE 2-5 Common Intune device configuration profiles
| Profile | Description | Android | Android Enterprise | iOS | macOS | Windows 10 |
|---|---|---|---|---|---|---|
| Email | Manages Exchange ActiveSync settings on devices. | X | X | X | | X |
| Device restrictions | Prevents device usage, such as disabling the built-in camera, connecting to Bluetooth devices, or using cellular data. | X | X | X | X | X |
| WiFi | Allows you to manage wireless network settings for users and devices. In Windows 10, managing settings for users allows them to connect to corporate WiFi without having to configure the connection manually. Instead, users can import a configuration that was previously exported from another device. | X | X | X | X | X |
| Administrative Templates | Allows you to manage hundreds of settings for Microsoft Edge, OneDrive, Remote Desktop, Word, Excel, and other Microsoft Office programs for Windows 10 devices. Administrative Templates provide a simplified view of settings similar to group policy. Windows 10 Version 1703 and later. | | | | | X |
| Kiosk | Allows you to configure a device to run one or multiple apps, such as a web browser. This feature supports Windows 10, and kiosk settings are also available as device restrictions for Android, Android Enterprise, and iOS devices. | X | X | X | | X |
| VPN | Configures VPN settings for devices. This feature supports Android, Android Enterprise, iOS, macOS, Windows 8.1, and Windows 10 and later. | X | X | X | X | X |
| Education | Configures options for the Take a Test app in Windows 10. iOS uses the iOS Classroom app. | | | X | | X |
| Certificates | Allows you to configure trust and other certificates used for WiFi, VPN, and email profiles. | X | X | X | | X |
| Edition upgrade | Allows you to permit users to upgrade some versions of Windows 10. | | | | | X |
| Endpoint protection | Configures settings for BitLocker and Windows Defender. | | | | | X |
| Windows Information Protection | Allows you to configure Windows Information Protection for data loss prevention. | | | | | X |
| Custom profile | Custom settings allow administrators to assign device settings that aren’t built into Intune. These use Open Mobile Alliance Uniform Resource Identifier (OMA-URI) values for Android and Windows devices. For iOS devices, you can import a configuration file you created in the Apple Configurator or Apple Profile Manager. | X | X | X | X | X |
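The custom-profile row above and the earlier OMA-URI discussion describe the idea but not what a custom Windows 10 profile actually contains. The following is an added example, not code from the book or from Microsoft: it builds the request body that the Microsoft Graph `deviceManagement/deviceConfigurations` endpoint expects for a `windows10CustomConfiguration` profile, and checks each OMA-URI's shape before the profile is created. The Graph type names and the three CSP paths (Policy CSP `Camera/AllowCamera` and `Connectivity/AllowBluetooth`, BitLocker CSP `RequireDeviceEncryption`) are real; the profile name, display names, the `_OMA_URI` pattern and the one-scope-per-profile rule are this example's own choices.

```python
"""Build and sanity-check the request body for an Intune custom Windows 10 profile."""
import json
import re

# Real Microsoft Graph type names from the deviceManagement schema.
PROFILE_TYPE = "#microsoft.graph.windows10CustomConfiguration"
SETTING_TYPES = {
    int: "#microsoft.graph.omaSettingInteger",
    str: "#microsoft.graph.omaSettingString",
    bool: "#microsoft.graph.omaSettingBoolean",
}

# Windows MDM OMA-URIs start with a scope (Device or User) followed by the CSP
# path under Vendor/MSFT. This pattern is a constructed sanity check for the
# common Policy and BitLocker CSP shapes, not an exhaustive grammar of every CSP.
_OMA_URI = re.compile(r"^\./(Device|User)/Vendor/MSFT/[A-Za-z0-9_]+(/[A-Za-z0-9_.\-]+)+$")


def oma_uri_scope(uri: str) -> str:
    """Return 'Device' or 'User' for a well-formed OMA-URI, else raise ValueError.

    The Intune portal accepts any string in the OMA-URI field; a malformed URI is
    only reported later as a per-device error, so catch it before creating the profile.
    """
    match = _OMA_URI.match(uri)
    if not match:
        raise ValueError(f"malformed OMA-URI: {uri!r}")
    return match.group(1)


def is_valid_oma_uri(uri: str) -> bool:
    """Boolean form of oma_uri_scope for callers that do not want exceptions."""
    return _OMA_URI.match(uri) is not None


def oma_setting(display_name: str, uri: str, value) -> dict:
    """Build one omaSettings entry, choosing the Graph type from the value's type."""
    oma_uri_scope(uri)
    try:
        odata_type = SETTING_TYPES[type(value)]
    except KeyError:
        raise TypeError(f"unsupported value type for {uri}: {type(value).__name__}") from None
    return {
        "@odata.type": odata_type,
        "displayName": display_name,
        "omaUri": uri,
        "value": value,
    }


def custom_profile(display_name: str, settings: list) -> dict:
    """Assemble the body for POST /deviceManagement/deviceConfigurations.

    This example's own rule: every setting in a profile must share one scope, so a
    profile assigned to device groups cannot silently carry user-scoped settings,
    which apply in the signed-in user's context rather than to the device.
    """
    scopes = {oma_uri_scope(s["omaUri"]) for s in settings}
    if len(scopes) != 1:
        raise ValueError(f"profile must use exactly one scope, found: {sorted(scopes)}")
    return {
        "@odata.type": PROFILE_TYPE,
        "displayName": display_name,
        "omaSettings": settings,
    }


def example_profile() -> dict:
    """A constructed baseline profile using three real Policy/BitLocker CSP paths."""
    return custom_profile(
        "Example - camera, Bluetooth and BitLocker baseline",
        [
            oma_setting("Disable camera",
                        "./Device/Vendor/MSFT/Policy/Config/Camera/AllowCamera", 0),
            oma_setting("Disable Bluetooth",
                        "./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowBluetooth", 0),
            oma_setting("Require device encryption",
                        "./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption", 1),
        ],
    )


if __name__ == "__main__":
    # Print the body you would send with an authenticated Graph client.
    print(json.dumps(example_profile(), indent=2))
```

Each `omaSettings` entry carries the same four fields the portal asks for when you add a row to a custom profile (name, OMA-URI, data type, value), so the checks above apply equally to profiles created by hand. Validating the URI up front matters because a wrong path does not fail at creation time; it shows up only as a per-device error once the profile is assigned.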