Microsoft Intune Deploy Guide and Device Onboarding Process - NETSEC


Monday, October 21, 2024

Microsoft Intune Deploy Guide and Device Onboarding Process

Microsoft Intune, together with Microsoft Entra ID, facilitates a secure, streamlined process for registering and enrolling devices that want access to your internal resources. Once users and devices are registered within your Microsoft Entra ID (also called a tenant), then you can utilize Intune for its endpoint management capabilities. The process that enables device management for a device is called device enrollment.




A successful Microsoft Intune deployment or migration starts with planning. This guide helps you plan your move or adoption of Intune as your unified endpoint management solution.

Diagram that shows the steps to plan your migration or move to Microsoft Intune, including licensing needs.


Overview

During enrollment, Intune installs a Mobile Device Management (MDM) certificate on the enrolling device. The MDM certificate communicates with the Intune service, and enables Intune to start enforcing your organization's policies, like:
  • Enrollment policies that limit the number or type of devices someone can enroll.
  • Compliance policies that help users and devices meet your rules.
  • Configuration profiles that configure work-appropriate features and settings on devices.

Diagram that shows the device enrolls, the object is created in Microsoft Entra ID, and the MDM certificate is pushed to these devices in Microsoft Intune.

Typically, policies are deployed during enrollment. Some groups, depending on their roles in your organization, can require stricter policies than others. Many organizations start by creating a baseline of required policies for users and devices. Then, add to this baseline as needed for different groups and use cases.



Minimum recommended baseline policies, built up over the following steps:
  • Step 1 - Set up Intune subscription
  • Step 2 - Add, configure, and protect apps
  • Step 3 - Create compliance policies
  • Step 4 - Configure device features and security settings
  • Step 5 - Enroll devices

Diagram that shows getting started with Intune with step 1, which is setting up Microsoft Intune.






Step 2 - Add, configure, and protect apps

Managing applications on devices in your organization is a central part to a secure and productive enterprise ecosystem. You can use Microsoft Intune to manage the apps that your company's workforce uses. By managing apps, you help control which apps your company uses, as well as the configuration and protection of the apps. This functionality is called mobile application management (MAM). MAM in Intune is designed to protect organization data at the application level, including custom apps and store apps. App management can be used on organization-owned devices and personal devices. When it is used with personal devices, only organization-related access and data is managed. This type of app management is called MAM without enrollment, or from an end-user perspective, bring your own device (BYOD).

Diagram that shows getting started with Microsoft Intune with step 2, which is adding and protect apps using Microsoft Intune.




Step 3 - Plan for compliance policies

Next, plan for and configure device compliance settings and policies to help protect organizational data by requiring devices to meet requirements that you set.

Diagram that shows getting started with Microsoft Intune with step 3, which is creating compliance and conditional access policies.


You deploy compliance policies to groups of devices or users. When deployed to users, any device the user signs into must then meet the policy's requirements. Some common examples of compliance requirements include:

  • Requiring a minimum operating system version.
  • Use of a password or PIN that meets certain complexity and length requirements.
  • A device being at or below a threat level as determined by mobile threat defense software you use. Mobile threat defense software includes Microsoft Defender for Endpoint or one of Intune’s other supported partners.
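The three requirements above map directly onto properties of a Windows compliance policy in the Microsoft Graph API. The following added example (not code from the original post or from Microsoft) creates such a baseline policy with the Microsoft Graph PowerShell SDK and assigns it to a group. It assumes the Microsoft.Graph module is installed, that the signed-in account holds the DeviceManagementConfiguration.ReadWrite.All permission, and that the policy name, OS build number, password length and the group object id placeholder are illustrative values you replace with your own.

```powershell
# Added example (not from the original post): create a baseline Windows compliance policy
# via Microsoft Graph. Assumes the Microsoft.Graph PowerShell module is installed and the
# signed-in account holds DeviceManagementConfiguration.ReadWrite.All.
# Policy name and the threshold values are illustrative choices, not values from the post.

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$policy = @{
    "@odata.type" = "#microsoft.graph.windows10CompliancePolicy"
    displayName   = "Baseline - Windows 10/11"          # illustrative name
    description   = "Minimum OS version, PIN/password, and threat level requirements"

    # 1. Minimum operating system version (illustrative build number)
    osMinimumVersion = "10.0.19045"

    # 2. Password/PIN length and complexity
    passwordRequired                      = $true
    passwordMinimumLength                 = 8
    passwordRequiredType                  = "alphanumeric"
    passwordMinutesOfInactivityBeforeLock = 15

    # 3. Device must be at or below the threat level reported by the mobile threat
    #    defense connector (Defender for Endpoint or a partner). 'medium' allows low and medium.
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = "medium"

    # Action when a device fails a rule: mark it non-compliant immediately (no grace period)
    # so a Conditional Access policy can block access to resources.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0 }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"

"Created compliance policy '$($created.displayName)' with id $($created.id)"

# Assign the policy to a group. <GROUP-OBJECT-ID> is a placeholder for your group's object id.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = "<GROUP-OBJECT-ID>" } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"
```

A grace period of zero hours is the strict choice; raising it lets users remediate (for example, update the OS) before Conditional Access cuts them off, at the cost of a window during which a non-compliant device still has access.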



Step 4 - Configure device features and settings to secure devices and access resources

In this step, you're ready to configure a minimum or baseline set of security and device features that all devices must have.

Diagram that shows getting started with Microsoft Intune with step 4, which is configuring devices features and security settings.






Step 5 - Enroll devices in Microsoft Intune

In the final phase of deployment, devices are registered or joined in Microsoft Entra ID, enrolled in Microsoft Intune, and checked for compliance.

Diagram that shows getting started with Microsoft Intune with step 5, which is enrolling devices to be managed by Intune.


During enrollment, Microsoft Intune installs a mobile device management (MDM) certificate on the device, which enables Intune to enforce enrollment profiles, enrollment restrictions, and the policies and profiles you created earlier in this guide.

If devices are currently enrolled in another MDM provider, unenroll the devices from the existing MDM provider before enrolling them in Intune. The following table shows the devices that require a factory reset before enrolling in Intune.

Automatic Enrollment

Configure Windows devices to enroll when they join or register with Azure Active Directory.

Make enrollment in Intune easier for employees and students by enabling automatic enrollment for Windows. For more information, see Enable automatic enrollment.

  • Microsoft Entra join with automatic enrollment: This option is supported on devices that are procured by you or the device user for work use. Enrollment occurs during the out-of-box-experience, after the user signs in with their work account and joins Microsoft Entra ID or by choosing to join the device in Microsoft Entra ID when connecting a work or school account from the Settings app (as described in Windows device enrollment guide - End user tasks). This solution is for when you don't have access to the device, such as in remote work environments. When these devices enroll, their device ownership changes to corporate-owned and you get access to management features that aren't available on devices marked as personal-owned.

  • Windows Autopilot user-driven or self-deploying mode: Automatic enrollment is supported with the Windows Autopilot user-driven (for both the Microsoft Entra hybrid join and Microsoft Entra join scenarios) or self-deploying (Microsoft Entra join only) profiles and can be used for corporate-owned desktops, laptops, and kiosks. Device users get desktop access after required software and policies are installed. A Microsoft Entra ID P1 or P2 license is required. We recommend using only Microsoft Entra join, which provides the best user experience and is easier to configure. In scenarios where on-premises Active Directory is still needed, Microsoft Entra hybrid join can be used but you have to install the Intune connector for Active Directory, and your devices must be able to connect to a domain controller via either an on-premises network or VPN connection.

  • Co-management with Configuration Manager: Co-management is best for environments that already manage devices with Configuration Manager, and want to integrate Microsoft Intune workloads. Co-management is the act of moving workloads from Configuration Manager to Intune and telling the Windows client who the management authority is for that particular workload. For example, you can manage devices with compliance policies and device configuration workloads in Intune, and utilize Configuration Manager for all other features, like app deployment and security policies.

  • Enrollment using Group Policy: A Group Policy can be used to trigger the automatic enrollment of Microsoft Entra hybrid joined devices without any user interaction. The enrollment process starts in the background (via a scheduled task) after a Microsoft Entra ID-synced user signs in on the device. We recommend this method in environments where devices are Microsoft Entra hybrid joined and not managed using Configuration Manager.
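Because the Group Policy method runs in the background, the usual operational question is whether a given hybrid joined device has actually picked up the policy and completed enrollment. The following added example (not code from the original post or from Microsoft) is a read-only audit script for that: it reads the registry values the policy "Enable automatic MDM enrollment using default Azure AD credentials" sets, looks for the enrollment client's scheduled task, and reports the latest auto-enrollment event. It assumes it is run in an elevated PowerShell on the client; the function name is my own.

```powershell
# Added example (not from the original post): audit a Microsoft Entra hybrid joined device
# for Group Policy-based automatic MDM enrollment. Read-only; run as an administrator.
# Registry path and value names are the ones written by the policy
# "Enable automatic MDM enrollment using default Azure AD credentials".

function Get-MdmAutoEnrollState {
    $result = [ordered]@{}

    # 1. Policy: is auto-enrollment switched on, and with which credential type?
    $policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM"
    $policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $result.AutoEnrollMDM  = [bool]$policy.AutoEnrollMDM
    $credType = [int]$policy.UseAADCredentialType      # $null becomes 0 -> NotConfigured
    $result.CredentialType = switch ($credType) {
        1       { "UserCredential" }
        2       { "DeviceCredential" }
        default { "NotConfigured" }
    }

    # 2. Scheduled task that performs the enrollment after an Entra ID-synced user signs in
    $task = Get-ScheduledTask -TaskPath "\Microsoft\Windows\EnterpriseMgmt\" -ErrorAction SilentlyContinue |
            Where-Object { $_.TaskName -like "*automatically enrolling in MDM*" }
    $result.EnrollmentTaskPresent = [bool]$task
    if ($task) {
        $info = $task | Get-ScheduledTaskInfo
        $result.TaskLastRun    = $info.LastRunTime
        $result.TaskLastResult = ('0x{0:X8}' -f $info.LastTaskResult)   # 0x00000000 = success
    }

    # 3. Most recent auto-enrollment outcome from the enrollment client's event log
    #    (event 75 = auto MDM enroll succeeded, 76 = failed)
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
        Id      = 75, 76
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($evt) {
        $result.LastEnrollEvent = "$($evt.Id) at $($evt.TimeCreated): $($evt.Message.Split("`n")[0])"
    }

    [pscustomobject]$result
}

Get-MdmAutoEnrollState | Format-List
```

A device with AutoEnrollMDM set but no task or no event 75 usually has not yet had a synced user sign in, or cannot reach a domain controller and the Intune enrollment endpoints; the event 76 message text carries the error code to start from.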





Onboard a Windows Device into Intune



1. Settings - Access work or school

Join this device to Microsoft Entra ID.

2. Log in with your Entra ID account

Make sure this is your organization, then join.
Once done, you will get a message asking you to switch accounts.

3. Switch account to log in

Switch user.

4. Onboard account
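After the four steps above (and for any of the automatic methods in Step 5), the device should be Entra joined, hold an Intune enrollment record, and carry the MDM certificate that Step 5 describes. The following added example (not code from the original post or from Microsoft) checks all three from the device itself by parsing dsregcmd /status, reading the enrollment registry entries whose ProviderID is Intune's "MS DM Server", and looking up the certificate issued by the Intune MDM device CA. It assumes an elevated PowerShell on the Windows client; the function name and the Healthy summary field are my own.

```powershell
# Added example (not from the original post): verify from the client that onboarding produced
# a joined, enrolled device with an Intune MDM certificate. Read-only; run elevated.

function Get-IntuneDeviceState {
    # 1. Join state and MDM endpoints as reported by dsregcmd ("Key : Value" lines)
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') { $status[$Matches[1]] = $Matches[2] }
    }

    # 2. Intune enrollment record: Intune's MDM provider registers as "MS DM Server"
    $enrollment = Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Enrollments" -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.ProviderID -eq "MS DM Server" } |
        Select-Object -First 1

    # 3. The MDM certificate installed during enrollment (issued by Intune's device CA)
    $mdmCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "*Microsoft Intune MDM Device CA*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1

    [pscustomobject]@{
        AzureAdJoined   = $status['AzureAdJoined']   # YES for Entra joined
        DomainJoined    = $status['DomainJoined']    # YES together with AzureAdJoined = hybrid joined
        TenantName      = $status['TenantName']
        MdmUrl          = $status['MdmUrl']          # empty when the device is not MDM-enrolled
        EnrolledUpn     = $enrollment.UPN
        EnrollmentState = $enrollment.EnrollmentState
        MdmCertSubject  = $mdmCert.Subject
        MdmCertExpires  = $mdmCert.NotAfter
        # Summary field of my own: joined, enrolled with Intune, and certificate present
        Healthy = ($status['AzureAdJoined'] -eq 'YES') -and ($null -ne $enrollment) -and ($null -ne $mdmCert)
    }
}

Get-IntuneDeviceState | Format-List
```

A device that shows AzureAdJoined : YES but no enrollment record or certificate is registered or joined in Entra ID but not managed; Intune compliance and configuration policies will not apply to it until enrollment completes.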


