Getting Started with Mobile Device and Application Management for Cloud Solution Providers

Introduction

The Microsoft Cloud Solution Provider (CSP) program is built to provide a scalable, flexible partner program. CSP is designed to deepen customer relationships and expand business opportunities by allowing partners to:

  • Own and control billing
  • Sell combined offers and services
  • Deliver direct provisioning, management, and support

To achieve these capabilities, CSP partners need to integrate their back end systems and business processes with various Microsoft cloud services and processes. Once integration has taken place, CSP partners then have the ability to directly provision, manage, and support clients within the Microsoft Office 365, Azure, Dynamics CRM, and Enterprise Mobility Suite (EMS) product offerings.

The goal of this document is to help CSP Partners to quickly implement Microsoft Intune and Azure AD Join Services to provide a mobile device and application management solution for their clients.

This document provides guidance on how to gather the necessary information from clients to facilitate the initial setup of Microsoft Intune and Azure AD Join services for mobile device and application management. It also provides step-by-step instructions on how to configure their various features.

Scope

The scope of this document is to provide implementation guidance for the following Enterprise Mobility Suite features:

  • Configuring the Microsoft Intune service settings for mobile device and application management (MDM and MAM) via enrollment
  • Configuring Microsoft Intune service settings for MAM without device enrollment
  • Configuring Azure AD Join Service settings for Windows 10 devices

Terminology

| Term | Description |
| --- | --- |
| CSP | Cloud Solution Provider |
| AD | Active Directory |
| AAD | Azure Active Directory |
| Partner Center | Portal for CSP Partners to administer their CSP offerings: http://partnercenter.microsoft.com |
| End Customer | Organization that is managed by the CSP Partner |
| EMS | Enterprise Mobility Suite |
| MDM | Mobile device management |
| MAM | Mobile application management |
| CYOD | Choose your own device – company-owned mobile devices |
| BYOD | Bring your own device – employee-owned mobile devices |
| Intune Management Portal | Portal for administering the Microsoft Intune service: https://manage.microsoft.com |
| Office 365 Global Admin | Administrator who has access to all administrative features within the end customer's Office 365 subscription |

Before you start

This document assumes that the following conditions have been met:

  • The steps in the document "Getting Started with the Office 365 and EMS for Microsoft Cloud Solution Providers" have been completed
  • The administrator completing these steps has co-administrator access to the Azure subscription
  • The administrator completing these steps has Global Administrator access to the Azure AD tenant
  • The end customer has set the mobile device management authority to the Microsoft Intune management service. Refer to the document Set mobile device management authority and configure Microsoft Intune for information on configuring this permission
  • The end customer has set up the certificate requirements for the management of iOS devices. Refer to the document Set up iOS and Mac management with Microsoft Intune for configuring this management channel

Microsoft Intune mobile device management

Microsoft Intune mobile device management (MDM) capabilities differ across the various mobile device platforms, but all platforms support the following:

  • Certificate, email, VPN and Wi-Fi profiles. Administrators can deploy certificate profiles to mobile devices, and also deploy e-mail, VPN and Wi-Fi profiles
  • Manage corporate-owned iOS devices. Administrators can set up devices for enrollment and then distribute them to specific users, or the administrators can enroll devices so that they can be shared by multiple users
  • Conditional access. Administrators can use Intune conditional access policies to control access to on-premises Microsoft Exchange email from mobile devices, even when the device is not managed by Intune. Conditional access is also available for Exchange Online, SharePoint Online and Skype for Business
  • Password management. Password management differs across mobile device platforms, but all platforms let administrators require a password, limit the number of failed attempts, limit the minutes before the screen locks, set password expiration, and prevent previously used passwords
  • Application settings. Administrators can control browser settings, and also application settings such as whether app stores can be used on mobile devices
  • Device capabilities, cellular, and voice. Administrators can allow or deny the use of a camera, control roaming settings, and enable or disable iOS voice assistant and voice dialing features
  • Reset passcodes, lock, and selectively wipe or retire devices. Administrators can reset passcodes if end customer staff loses access to their devices, lock missing or stolen devices, or even wipe data off of missing or stolen devices

MDM capabilities supported on iOS and Android only:

  • Mobile application management (MAM). Managed mobile apps can be configured to restrict certain app operations, such as copy and paste, to help protect the end customer's organization data. Administrators can also use the managed browser to control the sites that end customer's staff are allowed to visit

For more information, refer to the document Mobile device management capabilities in Microsoft Intune to work through the Microsoft Intune capabilities and the requirements needed to meet the organization's needs.

Microsoft Intune mobile device management policies

Microsoft Intune policies are groups of settings that control the settings and features on mobile devices and computers. Administrators create policies either from the preconfigured Intune templates, which cover many of the settings and features on the end customer's mobile devices, or as custom policies when the templates do not contain the settings required, and then deploy them to Intune user or device groups.

In addition to Microsoft Intune policies, applications can also be deployed to Intune user or device groups. Refer to the document Use groups to manage users and devices with Microsoft Intune for further information.

There are three Intune policy types that can be configured to meet the end customer requirements:

  • Configuration policies. These policies allow administrators to manage the settings and features on the mobile devices enrolled with the end customer's organization
  • Compliance policies. These policies define the rules and settings that a mobile device must comply with in order to be considered compliant by conditional access policies. Administrators can also use compliance policies to monitor and remediate compliance issues with devices independently of conditional access.
  • Conditional access policies. These policies help to secure access to the end customer's Exchange on-premises, as well as their online services. This helps to ensure that only managed devices that pass administrator-defined compliance checks and rules can access these services.

There are a number of elements to the configuration and setup of the Microsoft Intune service that need to be agreed upon with the end customer.

CSP Partners can leverage the tables in the following sections, covering the different policy types to help provide guidance when identifying which policies and settings will be required to meet the end customer's mobile device and application management requirements.

Because the Microsoft Intune service and its available policies are updated frequently, these tables provide guidance only. Refer to the documents Mobile device management capabilities in Microsoft Intune and Manage settings and features on your devices with Microsoft Intune policies for the latest information.

Mobile application management (MAM) policies can be configured and applied to both:

  • Devices that are enrolled in Intune mobile device management
  • Devices that are not enrolled in Intune mobile device management

Both of these managed and unmanaged device scenarios will be covered in their own sections further below.

Configuration policies

CSP Partners can leverage the table below to help obtain the end customer's requirements and the settings needed to configure the security section of the policy General Configuration (iOS 7.1 and later) for management of iOS mobile devices. As with Intune configuration policies, some of the settings below differ from platform to platform due to the features and settings available on each.

Refer to the document Use policies to manage computers and mobile devices with Microsoft Intune for further information about the creation, configuration, and deployment of these policies.

| Configuration Policy Setting | Description | End Customer Setting |
| --- | --- | --- |
| Require a password to unlock mobile devices | Specifies whether to require users to enter a password before access is granted to information on their mobile device. | Enabled/Disabled. Yes/No |
| Required password type | Specifies whether passwords are allowed to be comprised only of numeric characters, or whether they must contain characters other than numbers. | Enabled/Disabled. Alphanumeric/Numeric |
| Number of complex characters required in password | Select the number of complex (non-alphanumeric) characters, like #, %, !, etc., that the password must contain. | Enabled/Disabled. 0 characters or more |
| Minimum password length | Specifies the minimum number of digits or characters in the password. | Enabled/Disabled. 4 characters or more |
| Allow simple passwords | Specifies whether to allow mobile devices to use simple password sequences, such as 1234 or 1111. | Enabled/Disabled. Yes/No |
| Number of repeated sign-in failures to allow before the device is wiped | Specifies the number of consecutive times an incorrect password can be entered before the mobile device is wiped of all data. | Enabled/Disabled. At least 4 password failures |
| Minutes of inactivity before password is required | Minutes of inactivity before the password is required. | Enabled/Disabled. 1 minute/5 minutes/15 minutes/1 hour |
| Password expiration (days) | Specifies the length of time after which the mobile device password must be changed. | Enabled/Disabled. Minimum 1 day; recommended 41 days |
| Remember password history | Specifies the number of previous passwords that cannot be reused by the user. | Enabled/Disabled. Yes/No. Prevent reuse of previous passwords: minimum of 1 previous password; recommendation is 5 |
| Minutes of inactivity before screen turns off | Specifies the length of time without user input after which the mobile device screen is locked. | Enabled/Disabled. 1 minute/5 minutes/15 minutes/30 minutes/1 hour |
| Allow fingerprint unlock | Allow a fingerprint to unlock a device. | Enabled/Disabled. Yes/No |

In the following example, a Microsoft Intune configuration policy is created for iOS devices, implementing the password security settings as agreed upon with the end customer.

  1. Log in to the Intune management portal with an account with Office 365 Global Administrator privileges.
  2. Select Policy.
  3. Select Configuration Policies, and select Add….
  4. Expand iOS.
  5. Select General Configuration (iOS 7.1 and later).
  6. Select Create Policy.
  7. In this example, the settings are configured as agreed upon with the end customer. When configured, click Save Policy.
  8. When prompted to deploy this policy, select Yes.
  9. Select All Users and then Add.
  10. Once All Users has been added to Selected Groups, click OK.

This completes the creation and deployment of an Intune configuration policy and setting up the password policy required for iOS devices when being enrolled into the organization's mobile device management. This policy has been deployed to All Users, but will only apply to an iOS device at enrollment time.

Compliance policies

Microsoft Intune compliance policies define the rules and settings that a device must comply with in order to be considered compliant by conditional access policies. Administrators can also use compliance policies to monitor and remediate compliance issues with devices independently of conditional access.

Compliance policies can remediate mobile device compliance for:

  • PIN and passwords
  • Encryption
  • Whether the device is jailbroken (iOS) or rooted (Android), or if the device is reporting as unhealthy by the Windows device Health Attestation Service
  • Whether email on the device is managed by an Intune policy
  • Minimum OS version required – This will depend on the end customer's company compliance policies and security requirements. It helps to prevent access from devices that might have security vulnerabilities because they are running an older OS version
  • Maximum OS version allowed – Administrators may choose not to support the latest OS version available until it has been tested, or for other reasons. Administrators can choose to block devices that have a version later than the one they have specified. The device will not be able to access company resources until the policy is changed.

If no compliance policy is deployed to a device, then any applicable conditional access policy will treat the device as compliant.

Refer to the document Manage device compliance policies for Microsoft Intune for further information on the policies and how they apply on the various mobile device platforms.
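As an added illustration (not from this guide or from Microsoft), the following Python models how the compliance rules listed above combine into a single compliant/non-compliant verdict for a device, including the note that a device with no compliance policy deployed is treated as compliant. The policy settings and device records are constructed sample data, and OS versions are compared as numeric major.minor.build tuples rather than as strings.

```python
"""Added example: evaluate a device's reported state against an Intune-style
compliance policy. Not Microsoft code; policy and device values are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Convert 'major.minor.build' into integers so ordering is numeric.
    As plain strings, '10.0.9600' would sort above '10.0.10586'."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass
class CompliancePolicy:
    """Subset of the compliance policy settings from the table in this guide."""
    require_password: bool = True
    allow_simple_passwords: bool = False
    min_password_length: int = 4
    require_encryption: bool = True
    block_jailbroken_or_rooted: bool = True
    min_os_version: Optional[str] = None   # e.g. "7.1" for iOS
    max_os_version: Optional[str] = None


@dataclass
class DeviceState:
    """What the device reports at check-in (constructed sample fields)."""
    name: str
    platform: str
    os_version: str
    has_password: bool
    password_is_simple: bool
    password_length: int
    encrypted: bool
    jailbroken_or_rooted: bool


def evaluate(device: DeviceState,
             policy: Optional[CompliancePolicy]) -> Tuple[bool, List[str]]:
    """Return (compliant, reasons). Every failing rule is reported, which is
    what an administrator needs in order to remediate the device."""
    if policy is None:
        # The guide notes that conditional access treats a device with no
        # compliance policy deployed as compliant.
        return True, ["no compliance policy deployed; treated as compliant"]

    failures: List[str] = []
    if policy.require_password:
        if not device.has_password:
            failures.append("no password set")
        else:
            if not policy.allow_simple_passwords and device.password_is_simple:
                failures.append("simple password sequence (e.g. 1234) not allowed")
            if device.password_length < policy.min_password_length:
                failures.append(
                    f"password shorter than {policy.min_password_length} characters")
    if policy.require_encryption and not device.encrypted:
        failures.append("device storage is not encrypted")
    if policy.block_jailbroken_or_rooted and device.jailbroken_or_rooted:
        failures.append("device is jailbroken or rooted")

    version = parse_version(device.os_version)
    if policy.min_os_version and version < parse_version(policy.min_os_version):
        failures.append(f"OS {device.os_version} is below minimum {policy.min_os_version}")
    if policy.max_os_version and version > parse_version(policy.max_os_version):
        failures.append(f"OS {device.os_version} is above maximum {policy.max_os_version}")
    return not failures, failures


# iOS 7.1 and later is the platform floor the guide gives for this policy type.
SAMPLE_POLICY = CompliancePolicy(min_os_version="7.1")

SAMPLE_DEVICES = [  # constructed devices, not real inventory
    DeviceState("ios-ok", "iOS", "9.3.2", True, False, 6, True, False),
    DeviceState("ios-old-jailbroken", "iOS", "7.0.4", True, True, 4, True, True),
    DeviceState("ios-unencrypted", "iOS", "8.1", True, False, 6, False, False),
]


def compliance_report(devices=SAMPLE_DEVICES, policy=SAMPLE_POLICY) -> dict:
    """Map device name -> (compliant, reasons) for a fleet."""
    return {d.name: evaluate(d, policy) for d in devices}


if __name__ == "__main__":
    for name, (ok, reasons) in compliance_report().items():
        print(f"{name}: {'compliant' if ok else 'NON-COMPLIANT'} {reasons}")
```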

CSP Partners can leverage the following table to obtain end customer requirements and the settings needed to configure the compliance policy. As with Intune configuration policies, some of the settings below differ from platform to platform due to the features and settings available on each.

| Compliance Policy Setting | Description | End Customer Setting |
| --- | --- | --- |
| Require a password to unlock mobile devices | Specifies whether to require users to enter a password before access is granted to information on their mobile device. | Yes/No |
| Allow simple passwords | Specifies whether to allow mobile devices to use simple password sequences, such as 1234 or 1111. | Yes/No |
| Minimum password length | Specifies the minimum number of digits or characters in the password. | 4 characters or more |
| Required password type | Specifies whether passwords are allowed to be comprised only of numeric characters, or whether they must contain characters other than numbers. | Password type: Alphanumeric/Numeric. Minimum number of character types: at least 1 |
| Password quality | Sets the password requirement for Android devices. | Low security biometric/Required/At least numeric/At least alphabetic/At least alphanumeric/Alphanumeric with symbols |
| Minutes of inactivity before password is required | Specifies the length of time without user input after which the mobile device screen is locked. | 1 minute/5 minutes/15 minutes/1 hour |
| Password expiration (days) | Specifies the length of time after which a mobile device password must be changed. | Minimum 1 day; recommended 41 days |
| Remember password history | Specifies whether to restrict the reuse of previous passwords. | Yes/No. Prevent reuse of previous passwords: minimum of 1 |
| Require a password to unlock an idle device | Forces the user to input a password every time the device returns from an idle state (Windows 10 Mobile only). | Yes/No |
| Require encryption on mobile device | This setting enables encryption on mobile devices. Not all devices can enforce encryption. | Yes/No |
| Email account must be managed by Intune | A device will be considered non-compliant if Intune cannot deploy an email profile because one is already set up by the end user. Email profiles are not deployed by this compliance policy (iOS 7.1 and later only). | Yes/No. Select the email profile that must be managed by Intune: the email profile deployed to iOS devices |
| Require devices to be reported as healthy | Windows 10 boot logs are remotely parsed and attested for health by the Windows Health Attestation Service (HAS). The following attributes are considered in the overall compliance state: code integrity is enabled; BitLocker encryption is enabled; Secure Boot is enabled; early launch anti-malware driver is loaded (Windows 10 desktop only). | Yes/No |
| Device must not be jailbroken or rooted | Specifies whether to detect if the device is jailbroken or rooted. | Yes/No |
| Minimum Windows version | The operating system version, defined as major.minor.build, cannot be less than this version to enroll. The version number corresponds to the version returned by the winver command. | Yes/No. Insert the version number required for this setting |
| Maximum Windows version | The operating system version, defined as major.minor.build, cannot be greater than this version to enroll. The version number corresponds to the version returned by the winver command. | Yes/No. Insert the version number required for this setting |
| Minimum Windows Phone or Windows 10 Mobile version | The operating system version, defined as major.minor.build, cannot be less than this version to enroll (Windows Phone 8.1 and later only). | Yes/No. Insert the version number required for this setting |
| Maximum Windows Phone or Windows 10 Mobile version | The operating system version, defined as major.minor.build, cannot be greater than this version to enroll (Windows Phone 8.1 and later only). | Yes/No. Insert the version number required for this setting |
| Minimum Android version | The operating system version, defined as major.minor.build, cannot be less than this version to enroll (Android 4.0 or later, or Samsung KNOX Standard 4.0 and later only). | Yes/No. Insert the version number required for this setting |
| Maximum Android version | The operating system version, defined as major.minor.build, cannot be greater than this version to enroll (Android 4.0 or later, or Samsung KNOX Standard 4.0 and later only). | Yes/No. Insert the version number required for this setting |
| Minimum iOS version | The operating system version, defined as major.minor.build, cannot be less than this version to enroll (iOS 7.1 and later only). | Yes/No. Insert the version number required for this setting |
| Maximum iOS version | The operating system version, defined as major.minor.build, cannot be greater than this version to enroll (iOS 7.1 and later only). | Yes/No. Insert the version number required for this setting |

In the following example, a compliance policy will be created for the end customer.

  • Select Policy:


  • Select Compliance Policies:

  • Select Create Policy:

  • Enter the settings as agreed upon with the end customer; the image below shows an example of these settings. Click Save Policy:

  • When prompted to deploy the policy, select Yes:

  • Select All Users to assign this policy to all Intune users, and then select Add. The compliance policy can also be deployed to a custom user or device group where different policies are required, e.g. for testing different policy configurations by the end customer's administrators, or for deploying different policies per organization department.

  • Select OK. This policy will be displayed in the compliance policy pane:

Conditional access policies

Microsoft Intune conditional access policies are configured against particular services, helping to ensure that only managed and compliant devices can access the service.

They can define rules, such as which Azure Active Directory (AAD) security user group or which Intune user or device group will be targeted, and how devices that cannot enroll with Intune will be managed.

Unlike other Intune policies, administrators do not deploy conditional access policies. Instead, these are configured within the Intune management portal once and can apply to all users or to targeted security group users, with security group members who are exempt from the policy.

When mobile devices do not meet the conditions administrators configure, the user is guided through the process of enrolling the device and fixing the issue that prevents the device from being compliant.

Conditional access policies can control access to:

  • Exchange Online
  • Exchange on-premises
  • SharePoint Online
  • Skype for Business

Each of the services listed above has different requirements for the conditional access policy configuration. Refer to the document Manage access to email and O365 services with Intune for further information.

CSP Partners can leverage the following table to obtain the end customer's requirements and the settings needed to configure the conditional access policy.

| Conditional Access Policy Setting | Description | End Customer Setting |
| --- | --- | --- |
| Outlook and other apps that use modern authentication | Specifies which platforms and requirements must be met to allow access to Exchange Online. | All platforms/specific platforms (iOS, Android, Windows 10 Mobile). Windows must meet one of the following requirements: devices must be domain joined or compliant; devices must be domain joined; devices must be compliant |
| Exchange ActiveSync apps that use basic authentication | Specifies whether to allow or block access to Exchange Online on non-compliant or non-supported devices. | Block non-compliant devices on platforms supported by Microsoft Intune/Block all other devices on platforms not supported by Microsoft Intune |
| Targeted Groups | Specifies the AD security groups to target with this policy. | All users/Selected security groups |
| Exempt Groups | Specifies the AD security groups to exempt from this policy (overrides members in the Targeted Groups list). | No exempt users/Selected security groups |
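An added illustration (not from this guide or from Microsoft) of how the four Exchange Online conditional access settings in the table above combine into an allow/block decision for one access request. It assumes that a platform not selected under "specific platforms" is simply not enforced, that exempt groups override targeted groups as the table states, and that the device's compliance state has already been determined by the compliance policy; all group names, platforms and requests are constructed.

```python
"""Added example: allow/block decision for Exchange Online conditional access.
Not Microsoft code; group names, platforms and requests are constructed."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Platforms treated here as manageable by Intune for this policy (assumption).
INTUNE_SUPPORTED = {"iOS", "Android", "Windows 10 Mobile", "Windows"}

# The three Windows requirement options from the table.
DOMAIN_JOINED_OR_COMPLIANT = "domain joined or compliant"
DOMAIN_JOINED = "domain joined"
COMPLIANT = "compliant"


@dataclass
class ExchangeOnlinePolicy:
    enabled: bool = True
    modern_auth_platforms: Optional[Set[str]] = None   # None = all platforms
    windows_requirement: str = DOMAIN_JOINED_OR_COMPLIANT
    block_noncompliant_eas: bool = True     # EAS basic auth, Intune-supported platforms
    block_unsupported_eas: bool = True      # EAS basic auth, other platforms
    targeted_groups: Optional[Set[str]] = None          # None = all users
    exempt_groups: Set[str] = field(default_factory=set)


@dataclass
class AccessRequest:
    user_groups: Set[str]
    platform: str
    client: str            # "modern_auth" (Outlook etc.) or "eas_basic"
    compliant: bool        # verdict already produced by the compliance policy
    domain_joined: bool = False


def user_in_scope(policy: ExchangeOnlinePolicy, request: AccessRequest) -> bool:
    """Exempt groups override targeted groups, as the table notes."""
    if policy.exempt_groups & request.user_groups:
        return False
    if policy.targeted_groups is None:
        return True
    return bool(policy.targeted_groups & request.user_groups)


def windows_meets_requirement(policy: ExchangeOnlinePolicy, request: AccessRequest) -> bool:
    if policy.windows_requirement == DOMAIN_JOINED_OR_COMPLIANT:
        return request.domain_joined or request.compliant
    if policy.windows_requirement == DOMAIN_JOINED:
        return request.domain_joined
    return request.compliant


def decide(policy: ExchangeOnlinePolicy, request: AccessRequest) -> Tuple[str, str]:
    """Return ("allow" | "block", reason)."""
    if not policy.enabled:
        return "allow", "conditional access policy not enabled"
    if not user_in_scope(policy, request):
        return "allow", "user exempt or not targeted by the policy"

    if request.client == "modern_auth":
        if (policy.modern_auth_platforms is not None
                and request.platform not in policy.modern_auth_platforms):
            return "allow", f"{request.platform} not selected for enforcement"
        if request.platform == "Windows":
            if windows_meets_requirement(policy, request):
                return "allow", f"Windows device meets '{policy.windows_requirement}'"
            return "block", f"Windows device must be {policy.windows_requirement}"
        if request.compliant:
            return "allow", "device enrolled and compliant"
        return "block", "device not compliant; user is guided to enrol and remediate"

    if request.client == "eas_basic":
        if request.platform in INTUNE_SUPPORTED:
            if policy.block_noncompliant_eas and not request.compliant:
                return "block", "non-compliant device on an Intune-supported platform"
            return "allow", "EAS client on a compliant or unenforced device"
        if policy.block_unsupported_eas:
            return "block", f"{request.platform} is not supported by Intune"
        return "allow", "unsupported platform permitted by policy"

    raise ValueError(f"unknown client type: {request.client}")
```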

As an example, a conditional access policy will be created to further secure access to the organization's Exchange Online service. Enabling Exchange Online conditional access is only required for reporting purposes.

The service connector creates the relationship between the Intune subscription and the Exchange Online service, allowing for both compliance and conditional access conditions to be verified on enrolled devices prior to gaining access to the Exchange Online service.

  1. Log in to the Intune management portal with an account with Office 365 Global Administrator privileges.
  2. Select Admin.
  3. Expand Mobile Device Management, then Microsoft Exchange, and select Set Up Exchange Connection.
  4. Select Set Up Service to Service Connector, and click OK when prompted.
  5. Use the signed-in Global Administrator account to configure the Service to Service Connector.
  6. Select the link Run Quick Sync and select Close when prompted. The connector synchronizes new mobile devices and mobile devices whose Exchange state has changed.
  7. Select Policy.
  8. Expand Conditional Access and select Exchange Online Policy.
  9. Tick the checkbox for Enable conditional access policy.
  10. Configure the settings as agreed upon with the end customer, and select Save.

This conditional access policy is now configured to help secure the end customer's Exchange Online service, and references the compliance policy already deployed.

Microsoft Intune application deployment

Organizations can deploy applications to all device types that are supported by Microsoft Intune. Depending on the type of application the end customer wants to deploy, the process and supported devices will differ.

Refer to the document Plan for app deployment in Microsoft Intune for further information on the types of applications that can be deployed via Microsoft Intune, and the deployment options available for each application type.

Refer to the document Deploy apps to mobile devices in Microsoft Intune for further information on how to configure, deploy and then monitor the deployed apps.

Microsoft Intune mobile application management

Mobile application management policies within the Microsoft Intune service allow administrators to modify the functionality of deployed apps to help bring them into line with the end customer's compliance and security policies. For example, administrators can restrict cut, copy, and paste operations within a managed app, or configure an app to open all web links inside a managed browser.

At the time of writing this document, these are the available iOS MAM policy settings that can be customized to meet the end customer's requirements. The options differ depending on the device type targeted.

| Section | Setting | End Customer Setting |
| --- | --- | --- |
| App Web Content | Restrict web content to display in the Intune managed browser. | Yes/No |
| Data Relocation | Prevent iTunes and iCloud backups. | Yes/No |
| Data Relocation | Allow app to transfer data to other apps. | None/Policy Managed Apps/Any App |
| Data Relocation | Allow app to receive data from other apps. | None/Policy Managed Apps/Any App |
| Data Relocation | Prevent "Save As". | Yes/No |
| Data Relocation | Restrict cut, copy, and paste with other apps. | Blocked/Policy Managed Apps/Policy Managed Apps with Paste In/Any App |
| Access | Require simple PIN for access. If Yes: number of attempts before PIN is reset. | Yes/No. Recommended 5 |
| Access | Require corporate credentials for access. | Yes/No |
| Access | Block managed apps from running on jailbroken or rooted devices. | Yes/No |
| Access | Recheck the access requirements after (minutes). | Timeout: 30 mins (default). Office grace period: 720 mins (default) |
| Additional Policies | Encrypt app data. | When device is locked/When device is locked (except open files)/After device restart/Use device settings |

In the following example, a Microsoft Intune MAM policy is created, and automatically associated with the External Link application Microsoft Word (for iOS).

Refer to the section Configure the app in the document Deploy apps to mobile devices in Microsoft Intune for instructions on how to configure and deploy this application.

  1. Log in to the Intune management portal with an account with Office 365 Global Administrator privileges.
  2. Select Policy.
  3. Select Configuration Policies and, under Add…, select End Customer iOS Configuration Policy.
  4. Expand Software.
  5. Select Mobile Application Management (iOS 7.1 and later).
  6. Select Create Policy.
  7. The MAM policy has now been created. It now needs to be associated with the software it will manage.
  8. Select Apps.
  9. Select Apps again and select Microsoft Word.
  10. From Microsoft Word, choose Select Groups.
  11. Select All Users and then Add.
  12. Select Deployment Action.
  13. The Approval has been changed to "Available Install", which advertises this application within the Microsoft Intune company portal for all users. Select Next.
  14. The MAM policy has automatically associated itself with Microsoft Word, as it has not been deployed previously. If other MAM policies are needed to meet additional requirements for the same OS, administrators can select them from the drop-down list and choose whichever policy suits the end customer's needs. Select Next.
  15. Select Next, as a VPN profile does not need to be associated with this application.
  16. Select Finish to advertise the application to all Intune users and secure it with the mobile application management policy.

Microsoft Intune mobile application management without device enrollment

The Intune MAM without enrollment feature allows organizations to protect their Office apps on iOS and Android without the need to enroll their devices in Intune MDM. This means end customers who already have an MDM vendor, or who do not wish to manage their users' devices via MDM, can still protect access to Office 365 and company data. This includes cut/copy/paste restrictions, preventing 'save-as', jailbreak detection, PIN requirements, and the ability to remotely wipe MAM-protected data.

In the following example, a Microsoft Intune MAM policy is created to manage Microsoft OneNote on iOS devices that have not been enrolled.

  1. Sign in to the Microsoft Azure portal as a co-administrator for the end customer tenant.
  2. From the menu, select Browse and then Intune.
  3. Select App policy.
  4. Select Add a policy and fill in the required fields.
  5. Click on Select required apps, and then select OneNote as the application targeted for this example policy. Administrators can also select multiple applications in the list to meet the end customer's requirements.
  6. Select Configure required settings and configure the settings as agreed upon with the end customer.
  7. Once the applications and settings have been configured, select Create.
  8. Once the policy is created, select User Groups.
  9. Select Add user group.
  10. Select the security group iOS MAM Policy Without Device Enroll… to assign this policy to members of this group, then click Select at the bottom.
  11. The policy has now been created and deployed to the members of this group.

Azure AD Join

Azure AD Join is a functionality in which a Windows 10 device can be registered in Azure Active Directory to enable centralized management of the device.

This makes it possible for users, such as employees, to connect to the enterprise cloud through Azure Active Directory. This enables simplified Windows deployments and access to organizational apps and resources from any Windows 10 device, both as Choose Your Own Device (CYOD) and Bring Your Own Device (BYOD). If the end customer has AD FS and the federated identity model in place, Azure AD Join will also enable a seamless SSO experience to the organization's cloud services without the user needing to enter another username and password.

For more information, refer to the document Active Directory Azure AD Join Overview to identify the configuration that fits the organization's needs.

At the time of writing this document, the minimum version of Windows 10 that supports the Azure AD Join feature is build 10551 or newer. Refer to the document Connect domain joined devices to Azure AD for Windows 10 experiences for this requirement.

Configure Azure AD Join

There are a number of elements of the Azure AD Join service that need to be agreed upon with the end customer to provide the best management and user experience for their organization.

The following table outlines the features and functions that need to be agreed upon with the end customer to allow the CSP Partner to proceed with the configuration of Azure AD Join.

CSP Partners can leverage this table to discuss and determine end customer settings for each of the Azure AD Join configuration options.

| Azure AD Join (Devices) Service Setting | Description | End Customer Setting |
| --- | --- | --- |
| Users may join devices to Azure AD | Defines the users and groups that are allowed to join devices to Azure AD. | All/Selected/None |
| Additional Administrators on Azure AD joined devices | With Azure AD Premium, administrators can choose which users are granted local administrator rights to the device. Azure AD Global Administrators and device owners are granted local administrator rights by default. | Selected/None |
| Users may register their devices with Azure AD | Allows users to register their devices with Azure AD (Workplace Join). Enrollment with Microsoft Intune or Mobile Device Management for Office 365 requires device registration. If administrators have configured either of these services, ALL will be selected and the button will be disabled. | All/None |
| Require Multi-Factor Authentication to join devices | Multi-Factor Authentication is recommended when adding devices to Azure AD. When set to 'Yes', users who are adding devices from the internet must first use a second method of authentication. | Yes/No |
| Maximum number of devices per user | Designates the maximum number of devices a user can have in Azure AD. If a user reaches this quota, they will not be able to add additional devices until one or more of their existing devices are removed. | 5/10/20/50/100/Unlimited |
| Users may Sync settings and Enterprise App Data (In Preview) | Users may sync settings and enterprise application data between Azure AD registered devices. With Azure AD Premium, administrators can select a subset of users and enable this feature for them. | All/Selected/None |

  1. When the above information has been gathered, sign in to the Azure Management Portal as a co-administrator for the end customer tenant.
  2. Select the Azure AD tenant for the end customer.
  3. Select the Configuration tab.
  4. Scroll down to the Devices section.
  5. Complete the configuration as per the information gathered from the end customer.
  6. Once complete, select SAVE.

This completes the configuration of Azure AD Join to meet the end customer's requirements. The customer is now able to remotely join Windows 10 devices to Azure Active Directory with the policies agreed to in the table above. To see the end user experience for AD Join, refer to Appendix B.

Appendix A - Microsoft Intune device enrollment user experience

With Microsoft Intune device enrollment, the steps differ from platform to platform. Due to the release cadence of the service and the ever-evolving steps required, please refer to the documents covered in the Microsoft Intune End User Enrollment Guide.

The guide covers privacy with respect to the information administrators are able to see from the mobile devices, how to install the Microsoft Intune company portal, the device enrollment steps for the various platforms, and what to do when the mobile device is lost or stolen.

Appendix B - Azure AD Join user experience

An example of the end customer experience using Azure AD Join functionality to link their Windows 10 device to their organization's Azure AD Tenant is provided below.

  1. The end customer (user) is logged in to their Windows 10 device using local credentials.
  2. The user opens the Windows 10 Action Center and selects the All Settings button.
  3. The user selects System.
  4. The user then selects the About tab.
  5. The user selects Join Azure AD, and receives information about what happens when joining their device to Azure AD.
  6. The user then selects Next.
  7. The user is prompted to enter their Office 365 username and password. They enter their credentials, and select Sign in.
  8. The user is prompted to confirm that the organization they are joining is the intended organization. The user clicks Join to confirm this is correct.
  9. The user is advised that the join has been successful.
  10. The Organization field in the System\About window displays that the PC is now connected to the end customer's organization.
  11. The user's device now receives the policy and associated settings configured for Azure AD Join. The device has been automatically enrolled in Intune and can now be managed via the Intune management console.

Reference links