
Introduction to Cloud-Based Mobile Device Management with Intune

Information in this document, including URLs and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo,
person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any
purpose, without the express written permission of Microsoft Corporation.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer
or product. Links are provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked
site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only
as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written
license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Copyright 2014 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveSync, Azure, Forefront, Internet Explorer, Silverlight, Windows, Microsoft Intune, Windows PowerShell, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Session 6 / User and device management / Page 2


Overview

Getting started
For these demonstrations, use the following virtual machines (VMs):

CM
BYOD
For more information about these VMs and their use, see the Enterprise Client IT Camp Demonstrations Delivery and Setup Guide.



Lab

Create a user account in Microsoft Intune

Talking point Action


Talking point: To begin, we'll navigate to the Microsoft Intune account management website and create a new user account. You have already established a Microsoft Intune administrator account for your company, so sign in using those credentials. To begin managing a user, we first need to establish a user account in Microsoft Intune. This account will be used to connect the user (and device) to the management services. In practice you would probably establish directory synchronization to synchronize your on-premises AD credentials to Azure AD. In this lab we create a cloud-based identity for our user.

Action: Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:
1. In Internet Explorer, go to https://account.manage.microsoft.com.
   The Microsoft Intune sign-in web page appears.
2. On the Microsoft Intune sign-in web page, type Admin@<tenant>.onmicrosoft.com (where Admin is the administrative credentials for the Microsoft Intune subscription), and then click Sign in.
   The Microsoft Intune admin portal is displayed.
3. On the Don't lose access to your account page, click the Remind me later link.

Talking point: First, let's create a new user. We do this in the Users node. Notice that a user has already been created. This is the Microsoft Intune administrator account that was created when the Microsoft Intune subscription was created.

Action:
4. In the navigation pane, under Management, click Users.
   The Users page is displayed.

Talking point: We will create a new user, Lori Penor. We can provide the typical information that we would expect for a user (first name, last name, display name, and user name). If we expand the Additional details section, we can also enter information that is similar to what we would expect for an Active Directory user (job title, department, office number, mobile phone, etc.). We don't need to add any of this additional information, so we will just proceed to the next wizard page.

Action:
5. On the actions menu, click the New link, and then click User.
   Tip: The actions menu is immediately above the list of users.
   The New User Wizard starts.
6. In the New User Wizard, on the Details page, perform the following steps, and then click Next:
   a. In First name, type Lori.
   b. In Last name, type Penor.
   c. In Display name, verify that Lori Penor has been automatically populated.
   d. In User name, type lori.
   e. Expand the Additional details section, click Next.

Talking point: On this wizard page, we select the country in which the user resides. In this case, we'll select the appropriate country, and then continue to the next wizard page. Microsoft Intune uses the country information to provide the right services to the user.

Action:
7. On the Settings page, in Set user location, select location (where location is the location of the user, such as United States or Canada), and then click Next.

Talking point: On this wizard page, we grant the user membership in Microsoft Intune user groups. Currently, we have only one user group (Microsoft Intune), so we accept that default membership and go on to the next wizard page.

Action:
8. On the Microsoft Intune user group page, click Next.

Talking point: On this wizard page, we verify that the email address listed is correct. An email message will be sent to this address that contains the new user passwords for the user that we are creating. The email address looks correct, so we click Create to create the user.

Action:
9. On the Send results in email page, verify that the email address is correct, and then click Create. You can skip this, but it might be useful to know.

Talking point: On this wizard page, we see the temporary passwords that have been created for our users. Start Microsoft Notepad, and save these passwords for later in the demonstration. The user will be asked to change their password the first time they log on to Microsoft Intune. The passwords are sent by email in case the user forgets the passwords before they log on for the first time. If users forget their password, we can reset a user password in the Microsoft Intune account portal. Now that we have saved the password, we can finish the wizard and move on to configuring the mobile device management authority in Microsoft Intune.

Action:
10. Start Notepad.
11. On the Results page, copy and paste the temporary password for Lori Penor into Notepad for use later in the lab.
12. Click Finish.



Set the mobile device management authority in Microsoft Intune

Talking point Action


Talking point: The next step in performing unified management through Microsoft Intune is to configure the mobile device management authority in Microsoft Intune. A Microsoft Intune subscription can only be managed by one mobile device management authority. The most common mobile device management authorities are Microsoft Intune itself and System Center 2012 R2 Configuration Manager. The mobile device management authority controls the management of all mobile devices, such as Windows devices, Windows Phones, iOS devices, and Android devices. First, we will log on to the Microsoft Intune administration portal by using the credentials of a Microsoft Intune administrator.

Action: Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:
1. In Internet Explorer, go to https://account.manage.microsoft.com.
   The Microsoft Intune sign-in web page appears.
2. On the Microsoft Intune sign-in web page, type IntuneAdmin@<tenant>.onmicrosoft.com (where IntuneAdmin is the administrative credentials for the Microsoft Intune subscription), and then click Sign in.
   The Microsoft Intune administration portal is displayed.

Talking point: In the Microsoft Intune administration portal, we will go to the Microsoft Intune administration console. Here, we will navigate to the Administration workspace, then click Mobile Device Management to administer the mobile device management authority for our Microsoft Intune subscription.

Action:
3. In the Microsoft Intune administration portal, click the Admin Console link.
   Tip: The Admin Console link is at the top of the Microsoft Intune administration portal between the Company Portal and Admin links.
   The Microsoft Intune administration console opens; you might be asked to sign in again.
4. In the Microsoft Intune administration console, in the navigation pane, click the Administration workspace.
5. In the Administration workspace, click Mobile Device Management.
   The Mobile Device Management page opens.

Talking point: On the Mobile Device Management page, we click the Set Mobile Device Management Authority link to configure the mobile device management authority. Because Microsoft Intune can be managed by only one authority, we need to be certain that we want to configure the authority for either Microsoft Intune or System Center 2012 R2 Configuration Manager.

Action:
6. On the Mobile Device Management page, under Tasks, click the Set Mobile Device Management Authority link.
   Tip: The Set Mobile Device Management Authority link is in the upper right corner of the page.
   The Set MDM authority dialog box appears.

Talking point: If we look at the Set MDM authority dialog box, we can see a warning that this change is permanent and cannot be changed in the future. We do in fact want to configure Microsoft Intune as the mobile device management authority, so we select the check box, and then click Yes.

Action:
7. In the Set MDM authority dialog box, select the "I understand that after the mobile device management authority is set to Microsoft Intune, it is permanent and cannot be changed" check box, and then click Yes.
   The mobile device management authority is set to Microsoft Intune.

Talking point: Now, back on the Mobile Device Management page, we can see that Microsoft Intune is now the mobile device management authority. We can also see the types of devices that Microsoft Intune can manage, including Windows devices (such as Windows 8.1 and Windows RT 8.1), Windows Phone 8, and iOS devices. We can also manage Android devices, but that management does not require any configuration, so Android devices are not shown in this list. We can also configure a connection to Microsoft Exchange Server, which enables us to do enrollment and management of devices that are connected to Exchange Server through Microsoft Exchange ActiveSync.

Talking point: For this demonstration, we just configure the management of Windows devices. Let's click the Windows Management link to start this process.

Action:
8. On the Mobile Device Management page, click the Windows Management link.
   The Set Up Mobile Device Management for Windows page is displayed.

Talking point: For Windows 8.1 devices that are not domain joined, we need to add sideloading keys and code-signing certificates. We obtain sideloading keys through Microsoft Volume Licensing. Sideloading keys are necessary for Windows 8.1 apps when you're installing them to non-domain joined Pro and Enterprise devices and Windows RT devices. Sideloading keys are not necessary for Windows Store apps that are installed by deeplinks. Deeplinking lets us provide the URL to an app in the Windows Store, and then point the user directly to the app in the Windows Store. Because the user installs the app directly from the Windows Store, sideloading keys are not required. Let's add a fictitious sideloading key by giving it a name, entering the key, and entering the total number of activations the sideloading key supports. After we've entered all that information, we click OK to return to the Set Up Mobile Device Management for Windows page.

Action:
9. On the Set Up Mobile Device Management for Windows page, under Tasks, click the Add Sideloading Key link.
   The Add Sideloading Key dialog box appears.
10. In the Add Sideloading Key dialog box, perform the following steps, and then click OK:
   a. In Name, type Contoso Sideloading Key.
   b. In Key, type 12345-12345-12345-12345-12345.
   c. In Total activations, type 5.
   The sideloading key is added to Microsoft Intune.

Talking point: Next, we need to add a code-signing certificate for any apps that are code-signed by using a certificate from a non-Microsoft public certification authority (CA) that the device trusts, for example, if our organization developed a Windows Store app, and then code-signed the app with a certificate issued by CAs within our organizations. We click the Modify Code-Signing Certificate link, and then browse for the code-signing certificate. We select the certificate, and then click Upload to upload the certificate. When we see a notification about uploading the certificate, we click Close in that notification dialog box. If we look on the Set Up Mobile Device Management for Windows page, we can see that our certificate is listed. Now, we are ready to enroll a device in Microsoft Intune.

Action:
11. On the Set Up Mobile Device Management for Windows page, under Tasks, click the Modify Code-Signing Certificate link.
   The Upload a Code-Signing Certificate dialog box appears.
12. In the Upload a Code-Signing Certificate dialog box, perform the following steps:
   a. Click Browse.
      The Open dialog box appears.
   b. In the Open dialog box, in File name, type \\DC\Source$\SampleApps\Tiles_Sample.cer.
      The Upload a Code-Signing Certificate dialog box appears.
   c. Click Upload.
13. In the Upload a Code-Signing Certificate dialog box, click Close.
14. The code-signing certificate is added to Microsoft Intune.

Add software (apps) to Microsoft Intune for deployment

Talking point Action


Talking point: In Microsoft Intune, we manage software in the Software workspace. In the navigation pane, we click the Software icon, which takes us to the Software workspace. In the Software workspace, we can see Detected Software and Managed Software.

Action: Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:
1. Go to Internet Explorer and open a new tab, type http://aka.ms/skypewifiapp into the address bar. We used a short link to save typing errors in this lab; normally you would enter the URL for an app in the Store, which can be obtained from the store.
2. Click Cancel on the dialog box if one appears.
3. The web version of the Windows Store will have loaded; copy the URL from the address bar to the clipboard.
4. In the Microsoft Intune administration console, in the navigation pane, click Software.

Talking point: In Managed Software, we administer the software that we want to deploy to our users and devices. Right now, we have no software in our list, so let's add a new app to Microsoft Intune. To add software to Microsoft Intune, we need to download, install, and start the Add Software - Microsoft Intune Software Publisher Wizard. This process only has to be done on a device the first time we add software to Microsoft Intune on a device.

Action:
5. In the Software workspace, go to Managed Software.
6. In the details pane, click Add Software.
   Tip: The Add Software button is immediately above the list of software.
   The Microsoft Intune Software Publisher starts. The Application Run - Security Warning dialog box is displayed.
7. In the Application Run - Security Warning dialog box, click Run.
   The Add Software - Microsoft Intune Software Publisher is downloaded, installed, and started.
8. If prompted to log in to Microsoft Intune, log on using IntuneAdmin@<tenant>.onmicrosoft.com (where IntuneAdmin is the administrative credentials for the Microsoft Intune subscription).

Talking point: On the first page of the wizard, there is no information to be configured, so we will continue on to the next wizard page.

Action:
9. In the Add Software - Microsoft Intune Software Publisher Wizard, on the Before you begin page, click Next.

Talking point: On this wizard page, we select the type of software installation to perform. If we look in the Select how this software is made available to device list, we can see that we can specify a software installer (like an .msi or .appx file) or an external link. We select Software installer for these types of files. Select External link for apps that are directly installed from a store (such as Windows Store, iTunes, or Google Play). For the purposes of this demonstration, we are deploying a deeplinked app, so we will select External link. Now, we need the deeplink URL. We open the file where we stored the deeplink URL earlier in the demonstration. We copy the deeplink URL, and then paste it into Specify the URL.

Action:
10. On the Software setup page, perform the following steps, and then click Next:
   a. In Select how this software is made available to device, select External link.
   b. Return to the Add Software wizard.
   c. In Specify the URL, paste the Windows Store address you copied from the address bar.

Talking point: On this wizard page, we provide information about the software we are adding. For this demonstration, we enter information about our Skype Wi-Fi Windows Store app. In Publisher, we enter Microsoft. In Name, we enter a name and point out that this is the deeplinked version (as opposed to an .msi installation). We provide additional information in Description. And finally, we select the appropriate category for our software. In this case, Collaboration & Social is the most appropriate.

Action:
11. On the Software description page, perform the following steps, and then click Next:
   a. In Publisher, type Microsoft.
   b. In Name, type Skype Wi-Fi Windows Store App (Deeplink).
   c. In Description, type Skype Windows Store app to be installed from deeplink.
   d. In Category, select Collaboration & Social.
   e. Click Next.

Talking point: On the Summary page, we review all the information the wizard has collected. All the information looks good, so we click Upload to add the software to Microsoft Intune.

Action:
12. On the Summary page, review the information collected during the wizard, and then click Upload.
   The software is added to Microsoft Intune.

Talking point: We can see that the software has successfully been added to Microsoft Intune. We close the wizard and see that our Skype Wi-Fi Windows Store app is shown in the list of managed software. Now that our app is added to Microsoft Intune, we need to deploy the app to our devices.

Action:
13. On the Upload page, review the completion status of the wizard, and then click Close.
14. In the details pane, the new software (Skype Wi-Fi) is shown in the list of managed software.

Deploy an app

Talking point Action


Talking point: Now, we will deploy our Skype Wi-Fi deeplinked Windows Store app to our user. We do this by using the Manage Deployment Wizard. We start the Manage Deployment Wizard by clicking Manage Deployment immediately above the list of software.

Action: Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:
1. In the Microsoft Intune administration console, in the navigation pane, click Software.
2. In the Software workspace, go to Managed Software.
3. In the details pane, click Skype Wi-Fi Windows Store App (Deeplink).
4. In the details pane, click Manage Deployment.
   Tip: The Manage Deployment button is immediately above the list of software.
   The Manage Deployment Wizard starts.

Talking point: On this wizard page, we select the user groups to which we want to deploy the software.

Action:
5. In the Manage Deployment Wizard, on the Select Groups page, click Ungrouped Users, click Add, and then click Next.

Talking point: On this wizard page, we select the type of deployment action that we want to perform for each user group. If we click the drop-down list in the Approval column, we can see that the options include Required Install, Do Not Install, Available Install, and Uninstall.

Required Install is used when we have software that we can force users to install. You can see that this option is greyed out, because we cannot force users to install Windows Store apps from the Windows Store: we can only make the apps available.

Do Not Install is used when we want to do all the preparation for deploying software but not actually perform the deployment at that moment. For example, we could prepare the software for deployment but wait because operating system updates are necessary and have not yet been completed.

Available Install is used when we want to make the software available to the user in the Company Portal. This option allows the user to install the software if they desire.

Uninstall is used when we want to uninstall software that has been previously deployed to users.

We can also see that we can provide a deadline in the Deadline column. The deadline is provided when we select the Required Install option in the Approval column. You can see that we can select a predefined deadline or create a custom deadline. Because we are installing a Windows Store app by deeplinking and deeplinked Windows Store apps can only be installed by using the Available Install option, we will not specify a deadline.

For the purposes of this demonstration, we select Available Install, and then click Finish to deploy our Skype Windows Store app to our user group.

Action:
6. On the Deployment Action page, in the Approval column, click the drop-down list to show the list of options.
7. Select Available Install, and then click Finish.

Talking point: If we now look at our Skype Windows Store App, we can see that the status in the Deployed column is set to Yes, which indicates that the software has been deployed.

Talking point: Now, if we want to see the list of users to which the software has been deployed, we can view the properties of the software by clicking View Properties. Then, we will look at the list of users on the Users tab. There, we can see Lori Penor in the list of users, which is what we would expect. Now, let's install the software.

Action:
9. In the details pane, click Skype Windows Store App (Deeplink).
10. In the details pane, click View Properties.
   Tip: The View Properties button is immediately above the list of software.
   The properties of the software are displayed.
11. Click the User tab.
   Tip: The User tab is immediately beneath the title of the application at the top of the details pane.
   The list of users to which the software has been deployed is displayed.

Enroll a Windows 8.1 device with Microsoft Intune and OMA-DM

Talking point Action


Talking point: Now that we've configured Microsoft Intune, let's enroll our Windows 8.1 device. To enroll their Windows 8.1 devices, users provide their email address. Windows 8.1 takes the domain portion of their email address and performs auto-discovery by looking for a DNS record named EnterpriseEnrollment. For example, if the user's email account is lori@contoso.com, then Windows 8.1 automatically looks for EnterpriseEnrollment.contoso.com (which points to manage.microsoft.com).

The problem is that in our environment, we do not have a public-facing DNS where we could add the EnterpriseEnrollment.contoso.com DNS record. Instead, we will use a workaround by making a registry modification. Again, although this works for our lab environment, we should never do this in a production environment. Instead, we should add the EnterpriseEnrollment DNS record to our public-facing DNS and verify this in Microsoft Intune.

Action: Perform the following steps on BYOD logged on as the Microsoft account that is associated with the BYOD\Lori account earlier in the process:
1. Start the Windows PowerShell integrated scripting environment (ISE) as an administrator by holding CTRL and Shift and clicking the ISE icon on the taskbar.
2. In the Windows PowerShell ISE, open the Contoso_BYOD_WindowsIntune_Override_Enrollment_UPN.ps1 script, which is stored in the C:\DemoContent folder.
3. In Windows PowerShell ISE, highlight the entire script, and then press F8 or click Run Selection on the toolbar at the top of the console.
   Tip: You can highlight the entire script by pressing Ctrl+A.
   The registry is updated.
4. Minimize the Windows PowerShell ISE.
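
The production-side check for the discovery lookup described above, as an added example that is not one of the lab's DemoContent scripts: it derives the EnterpriseEnrollment name from a user ID and confirms that its CNAME points at the host this guide names, manage.microsoft.com. The function names, the -Resolver hook and the sample zone data are assumptions made for illustration.

```powershell
# Added example; not one of the lab's DemoContent scripts.
# Assumption: the expected CNAME target is manage.microsoft.com, as stated in this guide.

function Get-EnrollmentDiscoveryName {
    param([Parameter(Mandatory)][string]$UserId)
    # Auto-discovery uses the domain portion of the user ID (text after the last '@').
    $at = $UserId.LastIndexOf('@')
    if (($at -lt 1) -or ($at -eq ($UserId.Length - 1))) {
        throw "User ID '$UserId' is not in user@domain form."
    }
    $domain = $UserId.Substring($at + 1).Trim().TrimEnd('.').ToLowerInvariant()
    "EnterpriseEnrollment.$domain"
}

function Test-EnrollmentDiscovery {
    param(
        [Parameter(Mandatory)][string]$UserId,
        [string]$ExpectedTarget = 'manage.microsoft.com',
        # Hypothetical hook: a script block that takes a DNS name and returns
        # its CNAME targets. The default queries live DNS.
        [scriptblock]$Resolver = {
            param($Name)
            Resolve-DnsName -Name $Name -Type CNAME -DnsOnly -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'CNAME' } |
                ForEach-Object { $_.NameHost }
        }
    )

    $name = Get-EnrollmentDiscoveryName -UserId $UserId

    # Normalise targets: drop empty results, trailing dots and case differences.
    $targets = @(& $Resolver $name |
        Where-Object { $_ } |
        ForEach-Object { "$_".TrimEnd('.').ToLowerInvariant() })

    if ($targets.Count -eq 0) {
        # Devices in this domain cannot auto-discover the enrollment service.
        $status = 'NoRecord'
    } elseif ($targets -contains $ExpectedTarget.ToLowerInvariant()) {
        $status = 'OK'
    } else {
        # Devices in this domain would be directed to a different enrollment host.
        $status = 'UnexpectedTarget'
    }

    [pscustomobject]@{
        UserId        = $UserId
        DiscoveryName = $name
        Targets       = ($targets -join ',')
        Status        = $status
    }
}

# Constructed sample zone data so the check can be exercised offline.
$sampleZone = @{
    'enterpriseenrollment.contoso.com'  = 'manage.microsoft.com.'
    'enterpriseenrollment.fabrikam.com' = 'enroll.example.net.'
}
$offlineResolver = { param($Name) $sampleZone[$Name.ToLowerInvariant()] }

# One correct record, one pointing elsewhere, one missing.
'lori@contoso.com', 'lori@fabrikam.com', 'lori@adatum.com' |
    ForEach-Object { Test-EnrollmentDiscovery -UserId $_ -Resolver $offlineResolver } |
    Format-Table -AutoSize

# Omit -Resolver to check the public DNS record for a real domain:
# Test-EnrollmentDiscovery -UserId 'user@yourdomain.example'
```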
Talking point: We enroll our device on the Workplace panel, in the Network panel, in PC settings.

Action:
5. In the notification area (system tray), click the network icon.
   The Networks panel is displayed.
6. On the Networks panel, select View Connection Settings.
   PC settings opens and displays the Network panel.
7. In PC settings, in the Network panel, select Workplace.
   The Workplace panel opens.

Talking point: Users only need their email account to enroll their device, so we enter our Lori Penor email address, and then click Turn on. This allows System Center 2012 R2 Configuration Manager and Microsoft Intune to manage our device.

Action:
8. In the Workplace panel, in Enter your user ID to get workplace access or turn on device management, type lori@xxx.onmicrosoft.com (where xxx is the domain for the Microsoft Intune subscription), and then click Turn on.
   Windows 8.1 locates the Microsoft Intune servers. The Microsoft Intune sign-in page is displayed.

Talking point: We need to enter the password for our Microsoft Intune account and sign in to Microsoft Intune.

Action:
9. On the Microsoft Intune sign-in page, in Password, type the password for lori@xxx.onmicrosoft.com (where xxx is the domain for the Microsoft Intune subscription), and then click Sign in. You noted this in Notepad on the CM machine previously.
10. You will be asked to update the password; provide your own password at this point and click Submit.
   The Allow apps and services from IT admin page is displayed.

Talking point: After we are signed in to Microsoft Intune, Windows 8.1 displays a notification about having apps and services being provided by the organization's IT admin. This notification makes the user aware that some features of their device will now be managed by the IT department. This is especially critical in BYOD scenarios, where the user owns the device. Let's agree to allow our organization to manage our device. When we have connected to the workplace, we can close PC settings.

Action:
11. On the Allow apps and services from IT admin page, review the information, select I agree, and then click Turn on.
   Windows 8.1 connects to the workplace.
12. Close PC settings.

Associate a Microsoft account with our device to allow Store access

Talking point Action


Talking point: As the first step, we need to associate a Microsoft account with the CORP\Lori domain account. We will do that by using the Connect to a Microsoft account on this PC wizard.

Action: Perform the following steps on BYOD logged on as Lori Penor with the password Passw0rd:
1. Press Win + I, and then click Change PC settings.
2. Tap or click Accounts.
3. Tap or click Connect to a Microsoft account.
4. The Connect to a Microsoft account on this PC wizard starts.
5. Enter Lori's password: Passw0rd
6. Select the link Create a new account; be sure to note your password.
7. Fill out the requested details, click Next.
8. On the Add security info page, enter at least a Birthdate (your user needs to be over 18) and Gender and one alternate email address, click Next.
9. On the Communication Preferences page, enter the characters shown and click Next.
10. On the Help us protect your info page, click the I can't do this right now link.
11. Click Next and then Switch.

Create a Microsoft Intune Trial

Talking point Action


Talking point: We now need to get you a Microsoft Intune tenant to use for testing purposes in our lab.

Action: Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:
12. Go to the Desktop and launch Internet Explorer from the taskbar.
13. Enter http://aka.ms/tryintune into the address bar.
14. On the website, select the Try tab.
15. Select Signup for a Microsoft Intune free 30-day-trial.
16. Complete the details on the Signup screen. DO NOT use your own organization's real name in the New Domain Name field; use a variation such as contosolab1, where Contoso is your company name.
17. Click Check availability.
18. Enter Admin in New user ID and provide a password.
19. Enter the verification code as seen on screen.
20. Click I accept and continue. Your account will now be created; continue when prompted to do so.
21. On the Don't lose access to your account page, click the Remind me later link.

Obtain the Company Portal app from the Windows Store

Talking point Action


Talking point: Now, let's install the Company Portal app. In practice your users might install this first and it will direct them to enroll their device if they have not already done so. We can do this by searching for the app on the Start screen. When we find the Company Portal Install app entry, we select it and are taken to the Company Portal app page in the Windows Store app.

Action:
22. On the Start screen, type Company Portal.
   The list of search results is displayed.
23. In the list of search results, select Company Portal Install app.
24. The Windows Store app opens to the Company Portal app.

Talking point: Let's install the Company Portal app. It only takes a few minutes for the installation process to finish, and we are notified that the Company Portal app was successfully installed.

Action:
25. On the Company Portal app page, click Install.
   Company Portal app installation begins. You may be asked to provide credit card info. Do not worry, you don't need to for this lab! Click Ask me later if prompted.
   After a few moments, you are notified that installation is complete.
   Close the Windows Store app.

Talking point: Now, let's run the Company Portal app. Again, we search for the app, and then select it from the list of search results.

Action:
26. On the Start screen, type Company Portal.
   The list of search results is displayed.
27. In the list of search results, select Company Portal.
28. The Company Portal app starts, and the Microsoft Intune sign-in page appears.

Talking point: We need to sign in to Microsoft Intune, so we provide Lori Penor's Microsoft Intune credentials. The Company Portal app opens.

Action:
29. On the Microsoft Intune sign-in page, in Password, type the password for lori@xxx.onmicrosoft.com (where xxx is the domain for the Microsoft Intune subscription), and then click Sign in.
   The Company Portal information is displayed.

Talking point: Notice that the BYOD device is listed under devices; users can see all their enrolled devices in the company portal, regardless of platform.

Action:
30. Click BYOD, notice the available options.
31. Click back to the Company Portal app.

Install an app from the Company Portal as a user

Talking point: On the Company Portal home page, we can see our deployed Skype app in the company apps section. We click Skype and are taken to a page that displays the details of our software (in this case, our Skype app).
We can see that because our software (Skype) is only available through the Windows Store, we are given a link to the app in the Windows Store. We click the link, and the Windows Store app opens.
Action:
Perform the following steps on BYOD logged on as Lori with the password for her Microsoft account.
1. On the Company Portal home page, under All Apps, click Skype Wi-Fi.
The details of the software we have deployed are displayed. Specifically, we can see that the software is only available in the Windows Store, and we are given a link to view the app in the Windows Store.
2. Click the View in Windows Store link.
The Skype Wi-Fi Windows Store app is displayed in the Windows Store.

Talking point: In the Windows Store app, we can see the Skype Wi-Fi app page. There is the Install button that we would expect for a Windows Store app. We click Install. The download and installation process behaves just as it would for any app deployed from the Windows Store.
Action:
3. In the Windows Store, on the Skype Wi-Fi app page, notice that the Skype Wi-Fi app can be installed on this device.
4. Click Install.
5. Close the Company Portal app.



Talking point: We see the notification that our Skype Wi-Fi app was installed. We'll close the Windows Store app and the Company Portal app.

Talking point: Now, if we look on the Start screen, we can see the Skype Wi-Fi tile.
Action:
6. On the Start screen, display all apps, and show the Skype Wi-Fi tile.

Talking point: As you can see, installing an app from the Microsoft Intune Company Portal is easy for users. And from an administrator's perspective, adding the software to Microsoft Intune and deploying the software are easy, as well.
Now, let's look at how to scan a device for malware.

Add a web-based app to Microsoft Intune and deploy it

Action:
Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:
7. In the Microsoft Intune console, add a new application (you've already done this once; yes, this is a test).
8. In the Add Software wizard, click Next on the Before you begin page.
9. Select External link under Select how this software is made available to devices.
10. Enter the URL http://outlook.office365.com, click Next.
11. In Publisher enter Microsoft, in Name enter OWA, in Description enter Outlook Web App, change the Category to Productivity.
12. Click Next and Upload and Close.
13. Now deploy the web app to your users (you've already done this once; yes, this is a test).



Explore the web-based Company Portal

Talking point: The web-based Company Portal is available anywhere and allows a user to remotely manage their devices, including the ability to wipe devices (both fully and partially where supported), to rename them and to install software onto them.
The web-based portal can also be used to enroll a new device.
Here we will install our Outlook Web App link to our BYOD device as a user from another computer.
Action:
Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:
14. On the taskbar, right-click the Internet Explorer icon and select Start InPrivate Browsing.
15. Enter http://portal.manage.microsoft.com in the address bar.
16. Log in using Lori's credentials (lori@xxx.onmicrosoft.com).
17. Click the link "Click here to select your device".
18. Select the BYOD device and click OK. We are going to be managing this device remotely using the Web portal.
19. You can now see the apps that are available to Lori on this device; click the All Apps tile.
20. Select OWA.
21. Click Install.
22. Close the InPrivate window.

Talking point: We will now test the remote install that our user initiated.
Action:
Perform the following steps on BYOD logged on as Lori with the password for her Microsoft account.
23. Go to the Start screen.
24. Click the arrow at the bottom of the screen to show all apps, scroll right to find OWA and click the OWA tile.
The sign-in screen for Outlook Web Access will load; you do not need to sign in.



Remotely manage devices

Talking point: Let's see how we can remotely manage devices from the Microsoft Intune administration console. We manage devices in the Groups workspace. Within the Groups workspace, we go to the All Devices device group.
Action:
Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:
1. In the Microsoft Intune administration console, in the navigation pane, click Groups.
2. In the Groups workspace, go to All Devices.
The list of devices is displayed, including the BYOD device.

Talking point: We can also perform several remote tasks on devices through the Microsoft Intune software that was installed when the device was enrolled.
The Run a Full Malware Scan and Run a Quick Malware Scan tasks deal with performing a full or quick malware scan on the device. We could select these options to force a malware scan on a device. As expected, a full scan takes longer and consumes more resources than a quick scan.
The Restart Computer task remotely restarts the selected device.
The Update Malware Definitions task forces the device to download the latest malware definitions for Microsoft Forefront Endpoint Protection.
The Refresh Policies task forces the device to download the latest Microsoft Intune policies (which we configured in the Policy workspace).
The Remote Lock task remotely locks the device. This is useful if a user misplaces the device and you want to give them time to find it while maintaining security.
Action:
3. In the details pane, click BYOD.
4. In the details pane, click the Remote Tasks list.
Tip: The Remote tasks button is immediately above the list of devices.
5. Select Remote Lock.
6. Switch to the BYOD VM; you will see that the machine will lock even if you are actively using it!



Talking point: Finally, the Refresh Inventory task forces the Microsoft Intune client software on the device to perform an inventory and discover the system resources and software on the device.
For the purposes of this demonstration, we won't perform any of these actions, because they can take some time to finish. So, let's look at how to deploy an update to a device.

Deploy an update to a device

Talking point: Applying policy to mobile devices is a critical management task. Microsoft Intune allows us to do this; here we create a simple policy and enable Enterprise Mode for Internet Explorer, a way of managing LoB web app compatibility.
Action:
Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:
1. In the Microsoft Intune administration console, in the navigation pane, click Policy.
2. Select All Policies in the Policy workspace.
3. Click Add.
4. Select Mobile Device Security Policy.
5. Click Create Policy, leaving the defaults in place.
6. Select Ungrouped Users and click Add, then click OK.
7. Highlight the policy and click Edit.
8. Select the Applications section of the policy.
9. Scroll down to and enable Allow Enterprise Mode menu access; set the drop-down box to Yes.
10. Click Save Policy.



Retire a device

Talking point: In some instances, we may want to no longer manage a device by using Microsoft Intune. We can stop managing devices by retiring the device. We retire devices in the Microsoft Intune administration console.
First, we find the device we want to retire in the Microsoft Intune administration console. We will find the BYOD.corp.contoso.com device that we used earlier.
Action:
Perform the following steps on CM logged on as CORP\Administrator with the password Passw0rd:
1. In the Microsoft Intune administration console, in the navigation pane, click Groups.
2. In the Groups workspace, go to All Devices.
3. In the details pane, click the Devices tab.
4. The list of devices is displayed, including the BYOD device.

Talking point: Next, we click Retire/Wipe to retire the device. The Retire device: BYOD dialog box is displayed. We can see that there is an option to also wipe the device. Wiping the device removes any user data from the device. We would elect to wipe a device if the device has been stolen or we want to repurpose the device for another user.
Action:
5. In the details pane, click Retire/Wipe.
Tip: The Retire/Wipe button is immediately above the list of updates.
The Retire device: BYOD dialog box is displayed.

Talking point: For the purposes of our demonstration, we will not wipe the device. We will click Yes to retire the device. In the Microsoft Intune administration console we can see a notification that the device is in the process of retiring. This process will take 10-15 minutes to complete.
Action:
6. In the Retire device: BYOD dialog box, hover the mouse pointer over the Wipe the device before retiring check box while discussing it, but do not select the check box.
7. In the Retire device: BYOD dialog box, click Yes.
The notification "This device is in the process of retiring." is displayed in the information area.
