The Microsoft Cloud Solution Provider (CSP) program is built to provide a scalable, flexible partner program. CSP is designed to deepen customer relationships and expand business opportunities by allowing partners to:
To achieve these capabilities, CSP partners need to integrate their back-end systems and business processes with various Microsoft cloud services and processes. Once integration has taken place, CSP partners can directly provision, manage, and support clients within the Microsoft Office 365, Azure, Dynamics CRM, and Enterprise Mobility Suite (EMS) product offerings.
The goal of this document is to help CSP Partners to quickly implement Microsoft Intune and Azure AD Join Services to provide a mobile device and application management solution for their clients.
This document provides guidance on how to gather the necessary information from clients to facilitate the initial setup of Microsoft Intune and Azure AD Join services for mobile device and application management. It also provides step-by-step instructions on how to configure their various features.
The scope of this document is to provide implementation guidance for the following Enterprise Mobility Suite features:
| Term | Description |
| --- | --- |
| CSP | Cloud Solution Provider |
| AD | Active Directory |
| AAD | Azure Active Directory |
| Partner Center | Portal for CSP Partners to administer their CSP offerings http://partnercenter.microsoft.com |
| End Customer | Organization that is managed by the CSP Partner |
| EMS | Enterprise Mobility Suite |
| MDM | Mobile device management |
| MAM | Mobile application management |
| CYOD | Choose your own device (company-owned mobile devices) |
| BYOD | Bring your own device (employee-owned mobile devices) |
| Intune Management Portal | Portal for administering the Microsoft Intune service https://manage.microsoft.com |
| Office 365 Global Admin | Administrator who has access to all administrative features within the end customer's Office 365 subscription |
This document assumes that the following conditions have been met:
Microsoft Intune mobile device management (MDM) capabilities differ across the various mobile device platforms, but all platforms support the following:
MDM capabilities supported on iOS and Android only:
For more information, refer to the document Mobile device management capabilities in Microsoft Intune to work through the Microsoft Intune capabilities and the requirements needed to meet the organization's needs.
Microsoft Intune policies are groups of settings that control the settings and features on mobile devices and computers. Administrators create policies either from the preconfigured Intune templates, which cover many of the settings and features on the end customer's mobile devices, or as custom policies when the templates do not contain the settings required. The policies are then deployed to Intune user or device groups.
In addition to Microsoft Intune policies, applications can also be deployed to Intune user or device groups. Refer to the document Use groups to manage users and devices with Microsoft Intune for further information.
There are three Intune policy types that can be configured to meet the end customer requirements:
There are a number of elements to the configuration and setup of the Microsoft Intune service that need to be agreed upon with the end customer.
CSP Partners can leverage the tables in the following sections, which cover the different policy types, to help identify which policies and settings will be required to meet the end customer's mobile device and application management requirements.
Because the Microsoft Intune service and its available policies are updated frequently, these tables provide guidance only. Refer to the documents Mobile device management capabilities in Microsoft Intune and Manage settings and features on your devices with Microsoft Intune policies for the latest information.
Mobile application management (MAM) policies can be configured and applied to both:
Both of these managed and unmanaged device scenarios will be covered in their own sections further below.
CSP Partners can leverage the table below to help obtain the end customer's requirements and the settings needed to configure the security section of the policy General Configuration (iOS 7.1 and later) for management of iOS mobile devices. As with Intune configuration policies, some of the settings below differ from platform to platform due to the features and settings available on each.
Refer to the document Use policies to manage computers and mobile devices with Microsoft Intune for further information about the creation, configuration, and deployment of these policies.
| Configuration Policy Setting | Description | End Customer Setting |
| --- | --- | --- |
| Require a password to unlock mobile devices | Specifies whether to require users to enter a password before access is granted to information on their mobile device. | Enabled/Disabled; Yes/No |
| Required password type | Specifies whether passwords are allowed to be comprised only of numeric characters, or whether they must contain characters other than numbers. | Enabled/Disabled; Alphanumeric/Numeric |
| Number of complex characters required in password | Select the number of complex (non-alphanumeric) characters, like #, %, !, etc., that the password must contain. | Enabled/Disabled; 0 characters or more |
| Minimum password length | Specifies the minimum number of digits or characters in the password. | Enabled/Disabled; 4 characters or more |
| Allow simple passwords | Specifies whether to allow mobile devices to use simple password sequences, such as 1234 or 1111. | Enabled/Disabled; Yes/No |
| Number of repeated sign-in failures to allow before the device is wiped | Specifies the number of consecutive times an incorrect password can be entered before the mobile device is wiped of all data. | Enabled/Disabled; at least 4 or more password failures |
| Minutes of inactivity before password is required | Minutes of inactivity before the password is required. | Enabled/Disabled; 1 minute / 5 minutes / 15 minutes / 1 hour |
| Password expiration (days) | Specifies the length of time after which the mobile device password must be changed. | Enabled/Disabled; minimum 1 day, recommended 41 days |
| Remember password history | Specifies the number of previous passwords that cannot be reused by the user. | Enabled/Disabled; Yes/No; prevent reuse of previous passwords: minimum of 1 previous password, recommendation is 5 |
| Minutes of inactivity before screen turns off | Specifies the length of time without user input after which the mobile device screen is locked. | Enabled/Disabled; 1 minute / 5 minutes / 15 minutes / 30 minutes / 1 hour |
| Allow fingerprint unlock | Allow a fingerprint to unlock a device. | Enabled/Disabled; Yes/No |
In the following example, a Microsoft Intune configuration policy is created for iOS devices, implementing the password security settings as agreed upon with the end customer.
This completes the creation and deployment of an Intune configuration policy that sets the password policy required for iOS devices enrolled into the organization's mobile device management. This policy has been deployed to All Users, but will only apply to an iOS device at enrollment time.
Microsoft Intune compliance policies define the rules and settings that a device must comply with in order to be considered compliant by conditional access policies. Administrators can also use compliance policies to monitor and remediate compliance issues with devices independently of conditional access.
Compliance policies can remediate mobile device compliance for:
If no compliance policy is deployed to a device, then any applicable conditional access policy will treat the device as compliant.
Refer to the document Manage device compliance policies for Microsoft Intune for further information on the policies and how they apply on the various mobile device platforms.
CSP Partners can leverage the following table to obtain end customer requirements and the settings needed to configure the compliance policy. As with Intune configuration policies, some of the settings below differ from platform to platform due to the features and settings available on each.
| Compliance Policy Setting | Description | End Customer Setting |
| --- | --- | --- |
| Require a password to unlock mobile devices | Specifies whether to require users to enter a password before access is granted to information on their mobile device. | Yes/No |
| Allow simple passwords | Specifies whether to allow mobile devices to use simple password sequences, such as 1234 or 1111. | Yes/No |
| Minimum password length is not configured | Specifies the minimum number of digits or characters in the password. | 4 characters or more |
| Required password type | Specifies whether passwords are allowed to be comprised only of numeric characters, or whether they must contain characters other than numbers. | Password type; minimum number of character types |
| Password quality | Sets the password requirement for Android devices. | Options: Low security biometric / Required / At least numeric / At least alphabetic / At least alphanumeric / Alphanumeric with symbols |
| Minutes of inactivity before password is required | Specifies the length of time without user input after which the mobile device screen is locked. | 1 minute / 5 minutes / 15 minutes / 1 hour |
| Password expiration (days) | Specifies the length of time after which a mobile device password must be changed. | Minimum 1 day, recommended 41 days |
| Remember password history | Specifies whether to restrict the reuse of previous passwords. | Yes/No; prevent reuse of previous passwords: minimum of 1 |
| Require a password to unlock an idle device | Forces the user to input a password every time the device returns from an idle state (Windows 10 Mobile only). | Yes/No |
| Require encryption on mobile device | This setting enables encryption on mobile devices. Not all devices can enforce encryption. | Yes/No |
| Email account must be managed by Intune | A device will be considered noncompliant if Intune cannot deploy an email profile because one is already set up by the end user. Email profiles are not deployed by this compliance policy. iOS 7.1 and later only. | Yes/No; select the email profile that must be managed by Intune |
| Require devices to be reported as healthy | Windows 10 boot logs are remotely parsed and attested for health by the Windows Health Attestation Service (HAS). The following attributes are considered in the overall compliance state: code integrity is enabled; BitLocker encryption is enabled; Secure Boot is enabled; early launch anti-malware driver is loaded (Windows 10 desktop only). | Yes/No |
| Device must not be jailbroken or rooted | Specifies whether to detect if the device is jailbroken or rooted. | Yes/No |
| Minimum Windows Version | The operating system version, defined as major.minor.build, cannot be less than this version to enroll. The version number corresponds to the version returned by the winver command. | Yes/No; insert the version number required for this setting |
| Maximum Windows Version | The operating system version, defined as major.minor.build, cannot be greater than this version to enroll. The version number corresponds to the version returned by the winver command. | Yes/No; insert the version number required for this setting |
| Minimum Windows Phone or Windows 10 Mobile Version | The operating system version, defined as major.minor.build, cannot be less than this version to enroll. Windows Phone 8.1 and later only. | Yes/No; insert the version number required for this setting |
| Maximum Windows Phone or Windows 10 Mobile Version | The operating system version, defined as major.minor.build, cannot be greater than this version to enroll. Windows Phone 8.1 and later only. | Yes/No; insert the version number required for this setting |
| Minimum Android Version | The operating system version, defined as major.minor.build, cannot be less than this version to enroll. Android 4.0 or later or Samsung KNOX Standard 4.0 and later only. | Yes/No; insert the version number required for this setting |
| Maximum Android Version | The operating system version, defined as major.minor.build, cannot be greater than this version to enroll. Android 4.0 or later or Samsung KNOX Standard 4.0 and later only. | Yes/No; insert the version number required for this setting |
| Minimum iOS Version | The operating system version, defined as major.minor.build, cannot be less than this version to enroll. iOS 7.1 and later only. | Yes/No; insert the version number required for this setting |
| Maximum iOS Version | The operating system version, defined as major.minor.build, cannot be greater than this version to enroll. iOS 7.1 and later only. | Yes/No; insert the version number required for this setting |
In the following example, a compliance policy will be created for the end customer.
Microsoft Intune conditional access policies are configured against particular services, helping to ensure that only managed and compliant devices can access the service.
They can define rules, such as which Azure Active Directory (AAD) security user group or which Intune user or device group will be targeted, and how devices that cannot enroll with Intune will be managed.
Unlike other Intune policies, administrators do not deploy conditional access policies. Instead, these are configured once within the Intune management portal and can apply to all users or to targeted security group members, with members of exempt security groups excluded from the policy.
When a mobile device does not meet the conditions administrators configure, the user is guided through the process of enrolling the device and fixing the issue that prevents the device from being compliant.
Conditional access policies can remediate mobile device compliance for:
Each of the services listed above has different requirements for the conditional access policy configuration. Refer to the document Manage access to email and O365 services with Intune for further information.
CSP Partners can leverage the following table to obtain the end customer's requirements and the settings needed to configure the conditional access policy.
| Conditional Access Policy Setting | Description | End Customer Setting |
| --- | --- | --- |
| Outlook and other apps that use modern authentication | Specifies which platforms and requirements must be met to allow access to Exchange Online. | All platforms / specific platforms; Windows must meet the following requirements: |
| Exchange ActiveSync apps that use basic authentication | Specifies whether to allow or block access to Exchange Online on noncompliant or unsupported devices. | Block noncompliant devices on platforms supported by Microsoft Intune / Block all other devices on platforms not supported by Microsoft Intune |
| Targeted Groups | Specifies the AD security groups to target with this policy. | All users / selected security groups |
| Exempt Groups | Specifies the AD security groups to exempt from this policy (overrides members in the Targeted Groups list). | No exempt users / selected security groups |
As an example, a conditional access policy will be created to further secure access to the organization's Exchange Online service. Enabling Exchange Online conditional access is only required for reporting purposes.
The service connector creates the relationship between the Intune subscription and the Exchange Online service, allowing for both compliance and conditional access conditions to be verified on enrolled devices prior to gaining access to the Exchange Online service.
This conditional access policy is now configured to help secure the end customer's Exchange Online service, and references the compliance policy already deployed.
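The following added example (not Microsoft's code, and not taken from this guide) models how the two policies described above interact: a compliance policy is evaluated against a device's reported state, producing the list of failed settings, and the Exchange Online conditional access policy then decides access from that result, honouring the rule that a device with no compliance policy deployed is treated as compliant and that exempt groups override targeted groups. The field names, the device record layout and all sample values are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


def parse_version(text: str) -> tuple:
    """Parse an OS version given as major.minor.build; missing parts count as 0."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


@dataclass
class CompliancePolicy:
    """Subset of the compliance policy settings from the table above (field names assumed)."""
    require_password: bool = True
    min_password_length: int = 4
    allow_simple_passwords: bool = False
    require_encryption: bool = True
    block_jailbroken: bool = True
    min_os_version: dict = field(default_factory=dict)  # platform -> "major.minor.build"
    max_os_version: dict = field(default_factory=dict)


def evaluate_compliance(policy: Optional[CompliancePolicy], device: dict) -> list:
    """Return the names of the settings the device fails; an empty list means compliant.
    With no compliance policy deployed, conditional access treats the device as compliant."""
    if policy is None:
        return []
    failures = []
    if policy.require_password:
        if not device["password_set"]:
            failures.append("Require a password to unlock mobile devices")
        else:
            if device["password_length"] < policy.min_password_length:
                failures.append("Minimum password length")
            if device["password_is_simple"] and not policy.allow_simple_passwords:
                failures.append("Allow simple passwords")
    if policy.require_encryption and not device["encrypted"]:
        failures.append("Require encryption on mobile device")
    if policy.block_jailbroken and device["jailbroken"]:
        failures.append("Device must not be jailbroken or rooted")
    platform, version = device["platform"], parse_version(device["os_version"])
    floor = policy.min_os_version.get(platform)
    if floor and version < parse_version(floor):
        failures.append(f"Minimum {platform} Version")
    ceiling = policy.max_os_version.get(platform)
    if ceiling and version > parse_version(ceiling):
        failures.append(f"Maximum {platform} Version")
    return failures


def exchange_online_allowed(targeted_groups: Optional[set], exempt_groups: set,
                            user_groups: set, enrolled: bool, failures: list) -> bool:
    """Conditional access decision for Exchange Online. targeted_groups=None means
    'All users'. Exempt groups override targeted groups, as the table above states;
    a user in scope must be enrolled in Intune and have no compliance failures."""
    if user_groups & exempt_groups:
        return True
    if targeted_groups is not None and not (user_groups & targeted_groups):
        return True  # policy does not apply to this user at all
    return enrolled and not failures


# Constructed sample data, not taken from any real tenant.
POLICY = CompliancePolicy(min_os_version={"iOS": "7.1"}, max_os_version={"Windows": "10.0.10586"})
GOOD_IPHONE = {"platform": "iOS", "os_version": "9.3.1", "password_set": True,
               "password_length": 6, "password_is_simple": False, "encrypted": True,
               "jailbroken": False}
OLD_IPHONE = {**GOOD_IPHONE, "os_version": "7.0.4", "password_length": 4, "password_is_simple": True}
```

Calling `evaluate_compliance(POLICY, OLD_IPHONE)` returns the two failed settings, and passing that list to `exchange_online_allowed` with the user in a targeted group denies access, while the same user in an exempt group is allowed through regardless.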
Organizations can deploy applications to all device types that are supported by Microsoft Intune. Depending on the type of application the end customer wants to deploy, the process and supported devices will differ.
Refer to the document Plan for app deployment in Microsoft Intune for further information on the types of applications that can be deployed via Microsoft Intune, and the deployment options available for each application type.
Refer to the document Deploy apps to mobile devices in Microsoft Intune for further information on how to configure, deploy and then monitor the deployed apps.
Mobile application management policies within the Microsoft Intune service allow administrators to modify the functionality of deployed apps to bring them into line with the end customer's compliance and security policies. For example, administrators can restrict cut, copy, and paste operations within a managed app, or configure an app to open all web links inside a managed browser.
At the time of writing this document, these are the available iOS MAM policies that can be customized to meet the end customer's requirements. The options differ depending on the device type targeted.
| Section | Setting | End Customer Setting |
| --- | --- | --- |
| App Web Content | Restrict web content to display in the Intune managed browser. | Yes/No |
| Data Relocation | Prevent iTunes and iCloud backups. | Yes/No |
| | Allow app to transfer data to other apps. | None / Policy Managed Apps / Any App |
| | Allow app to receive data from other apps. | None / Policy Managed Apps / Any App |
| | Prevent "Save As". | Yes/No |
| | Restrict cut, copy, and paste with other apps. | Blocked / Policy Managed Apps / Policy Managed Apps with Paste In / Any App |
| Access | Require simple PIN for access. If Yes: number of attempts before PIN is reset. | Yes/No; recommended 5 |
| | Require corporate credentials for access. | Yes/No |
| | Block managed apps from running on jailbroken or rooted devices. | Yes/No |
| | Recheck the access requirements after (minutes). | Timeout: 30 mins (default); Office grace period: 720 mins (default) |
| Additional Policies | Encrypt app data. | When device is locked / When device is locked (except open files) / After device restart / Use device settings |
In the following example, a Microsoft Intune MAM policy is created, and automatically associated with the External Link application Microsoft Word (for iOS).
Refer to the section Configure the app in the document Deploy apps to mobile devices in Microsoft Intune for instructions on how to configure and deploy this application.
The Intune MAM-without-enrollment feature allows organizations to protect their Office apps on iOS and Android without needing to enroll devices in Intune MDM. This means end customers who already have an MDM vendor, or who do not wish to manage their users' devices via MDM, can still protect access to Office 365 and company data. The protection includes cut/copy/paste restrictions, preventing "Save As", jailbreak detection, PIN requirements, and the ability to remotely wipe MAM-protected data.
In the following example, a Microsoft Intune MAM policy is created to manage Microsoft OneNote on iOS devices that have not been enrolled.
Azure AD Join is a functionality in which a Windows 10 device can be registered in Azure Active Directory to enable centralized management of the device.
This makes it possible for users, such as employees, to connect to the enterprise cloud through Azure Active Directory. This enables simplified Windows deployments and access to organizational apps and resources from any Windows 10 device, both as Choose Your Own Device (CYOD) and Bring Your Own Device (BYOD). If the end customer has AD FS and the federated identity model in place, Azure AD Join will also enable a seamless SSO experience to the organization's cloud services without the user needing to enter another username and password.
For more information, refer to the document Active Directory Azure AD Join Overview to identify the configuration that fits the organization's needs.
At the time of writing this document, the minimum version of Windows 10 that supports the Azure AD Join feature is build 10551 or newer. Refer to the document Connect domain joined devices to Azure AD for Windows 10 experiences for this requirement.
There are a number of elements to the Azure AD Join service that need to be agreed upon with the end customer to provide the best management and user experience for their organization.
The following table outlines the features and functions that need to be agreed upon with the end customer to allow the CSP Partner to proceed with the configuration of Azure AD Join.
CSP Partners can leverage this table to discuss and determine end customer settings for each of the Azure AD Join configuration options.
| Azure AD Join (Devices) Service Setting | Description | End Customer Setting |
| --- | --- | --- |
| Users may join devices to Azure AD | Defines the users and groups that are allowed to join devices to Azure AD. | All/Selected/None |
| Additional Administrators on Azure AD joined devices | With Azure AD Premium, administrators can choose which users are granted local administrator rights to the device. Azure AD Global Administrators and device owners are granted local administrator rights by default. | Selected/None |
| Users may register their devices with Azure AD | Allows users to register their devices with Azure AD (Workplace Join). Enrollment with Microsoft Intune or Mobile Device Management for Office 365 requires device registration. If administrators have configured either of these services, ALL will be selected and the button will be disabled. | All/None |
| Require Multi-Factor Authentication to join devices | Multi-Factor Authentication is recommended when adding devices to Azure AD. When set to 'Yes', users who are adding devices from the internet must first use a second method of authentication. | Yes/No |
| Maximum number of devices per user | Designates the maximum number of devices a user can have in Azure AD. If a user reaches this quota, they will not be able to add additional devices until one or more of their existing devices are removed. | 5/10/20/50/100/Unlimited |
| Users may sync settings and enterprise app data (in preview) | Users may sync settings and enterprise application data between Azure AD registered devices. With Azure AD Premium, administrators can select a subset of users and enable this feature for them. | All/Selected/None |
This completes the configuration of Azure AD Join to meet the end customer's requirements. The customer is now able to remotely join Windows 10 devices to Azure Active Directory with the policies agreed to in the table above. To see the end user experience for Azure AD Join, refer to Appendix B.
With Microsoft Intune device enrollment, the steps differ from platform to platform. Due to the release cadence of the service and the ever-evolving steps required, please refer to the documents covered in the Microsoft Intune End User Enrollment Guide.
The guide covers privacy with respect to the information administrators are able to see from the mobile devices, how to install the Microsoft Intune company portal, the device enrollment steps for the various platforms, and what to do when the mobile device is lost or stolen.
An example of the end customer experience using Azure AD Join functionality to link their Windows 10 device to their organization's Azure AD Tenant is provided below.