Part 2 – Settings config, MDM enablement, ESR and Company Branding

1. Configure user settings

In the Device Management Portal, navigate to Users – User settings.

We have a few settings here that are interesting to talk about.

The first one is the setting “Users can register applications”. When working for a client/customer, ask yourself: do we want our end users to be able to register applications in Azure AD? Mostly you want this switch on ‘No’. When applications have to be registered you can give the user the appropriate role or work with PIM. If you hover over the ‘i’ it also shows you this as a tooltip: “If this option is set to yes, then non-admin users may register custom-developed applications for use within this directory. If this option is set to no, then only users with an administrator role may register these types of applications.” So my basic advice on this one is: set it to ‘No’, and give users the role when they need to register an app.

The second interesting setting we see here: “Restrict access to Azure AD administration portal”. The “i” tooltip here says: “No lets a non-administrator use this Azure AD administration portal experience to access Azure AD resources that the user has permission to read, or manage resources they own. Yes restricts all non-administrators from accessing any Azure AD data in the administration portal, but does not restrict such access using PowerShell or another client such as Visual Studio.” So depending on what you want your end users to see in the Azure AD portal, you can choose Yes or No here.

LinkedIn account connections let your end users connect their work or school account with their LinkedIn account.

When you click on ‘Manage external collaboration settings’ another menu will pop up:

These settings depend on what you want your guest users to be able to do in your tenant. A setting to consider is ‘Guests can invite’. This is again worth a discussion, should your guests be able to invite other guests? Or do you want full control over this feature?

If we go back to our User settings, we can again click on ‘Manage user feature preview settings’ and let another menu pop up:

The setting worth talking about here is ‘Users can use preview features for registering and managing security info – enhanced’. The ‘i’ tooltip here says: “This will enable users to register and manage their security info for Multi-Factor Authentication and self-service password reset in a single experience“. You need to enable this feature to let your end users register USB security keys (FIDO2) like Yubico. Otherwise they won’t be able to register their security key in the portal.

2. Configure group settings

In the Device Management Portal, navigate to Groups – General.

Depending on your organisation’s wishes on who can make groups and add people to groups there are a few settings here. I won’t go over all of these in detail as they are self-explanatory. The one setting here that I find interesting to use sometimes is the ‘Enable an All Users group in the directory’. This makes a default All Users group in Azure AD, with guests included.

Next we navigate to Groups – Expiration.

Here you can set Group lifetime (in days) if you want to use that feature. Or add an email contact for groups without owners.

Last thing to check here is Groups – Naming policy.

There are two tabs here: Blocked words and Group naming policy.

Blocked words allows you to upload a csv file with words you don’t want to be used in group names. You can use a maximum of 5000 words. A good thing here is that you can always download your list again, make changes and then upload it again.

The other tab, Group naming policy, allows you to set up a naming convention for your Office 365 groups: you can add a prefix or a suffix here that all group names have to start or end with.

3. Configure device settings

One thing that is bothering me a little bit is that for being able to see the device settings, we still have to go to the Azure Portal, go to Azure Active Directory, click on Devices and then Device Settings.

A few settings here are worth talking about.

The first one is ‘Users may join devices to Azure AD’. It could be wise to change this setting to the group of users you want to be able to join devices to Azure AD. By default this setting is on ‘All’.

The next one is ‘Additional local administrators on Azure AD joined devices’. This setting is also worth talking about. You can also configure this with configuration profiles or a custom OMA-URI. But it’s understandable that you want a set of users to have local administrator rights on Azure AD joined devices. You can add all helpdesk users here in this setting so they can do their work when they look at an end user’s machine.

‘Require Multi-Factor Auth to join devices’ gives an extra factor of security when end users are adding devices from the Internet. It will ask them to verify their identity through MFA.
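As an added example (not part of the original guide), here is a small Python audit that checks the user settings from section 1 and the device settings from section 3 against the recommendations above. It assumes the tenant settings were exported as JSON in the shape of the Microsoft Graph authorizationPolicy and deviceRegistrationPolicy resources (for example via Get-MgPolicyAuthorizationPolicy and Get-MgPolicyDeviceRegistrationPolicy); the sample values below are constructed, not read from a real tenant.

```python
"""Audit Azure AD tenant settings against this guide's recommendations.

Input dicts follow the Microsoft Graph authorizationPolicy and
deviceRegistrationPolicy resources. SAMPLE_* values are constructed to
look like a freshly created tenant with defaults still in place.
"""
from typing import Any

SAMPLE_AUTHZ_POLICY: dict[str, Any] = {          # constructed sample
    "allowInvitesFrom": "everyone",                 # guests may invite guests
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,                # "Users can register applications" = Yes
        "allowedToCreateSecurityGroups": True,
    },
}

SAMPLE_DEVICE_POLICY: dict[str, Any] = {         # constructed sample
    "multiFactorAuthConfiguration": "notRequired",
    "azureADJoin": {
        "allowedToJoin": {
            "@odata.type": "#microsoft.graph.allDeviceRegistrationMembership"
        },
    },
}


def audit_user_settings(policy: dict[str, Any]) -> list[str]:
    """Return findings for the 'Users – User settings' recommendations."""
    findings: list[str] = []
    perms = policy.get("defaultUserRolePermissions", {})
    # Guide: set "Users can register applications" to No, grant a role when needed.
    if perms.get("allowedToCreateApps", True):
        findings.append("Users can register applications is Yes; guide recommends No")
    # "everyone" is the Graph value behind 'Guests can invite' being allowed.
    if policy.get("allowInvitesFrom") == "everyone":
        findings.append("Guests can invite other guests; decide whether you want full control")
    return findings


def audit_device_settings(policy: dict[str, Any]) -> list[str]:
    """Return findings for the 'Devices – Device settings' recommendations."""
    findings: list[str] = []
    join = policy.get("azureADJoin", {}).get("allowedToJoin", {})
    # Guide: scope 'Users may join devices to Azure AD' to a group instead of All.
    if join.get("@odata.type", "").endswith("allDeviceRegistrationMembership"):
        findings.append("Users may join devices to Azure AD is All; scope it to a group")
    # Guide: require MFA when end users join devices from the Internet.
    if policy.get("multiFactorAuthConfiguration") != "required":
        findings.append("Require Multi-Factor Auth to join devices is not enabled")
    return findings


if __name__ == "__main__":
    for f in audit_user_settings(SAMPLE_AUTHZ_POLICY) + audit_device_settings(SAMPLE_DEVICE_POLICY):
        print("FINDING:", f)
```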

4. Configure Enterprise State Roaming

Now we navigate further & click on ‘Enterprise State Roaming’ in the Devices blade:

Here you can add a group of users that you want to enable Enterprise State Roaming on.

Enterprise State Roaming means that certain settings get synchronised to the ‘Cloud’. This setting, together with ‘OneDrive Known Folder Move’, will make your end users’ lives easier when they move to another device. More on OneDrive KFM in a later guide part.

When Enterprise State Roaming is enabled in your Azure AD tenant, users that have joined their Windows 10 devices to Azure AD gain the ability to securely synchronize their user and application settings to the cloud, with separation of personal and corporate data. This reduces the time users need to set up a new device and enables a unified experience across all of that user’s devices. In addition to the personal synchronization in Windows, Enterprise State Roaming offers the following enhancements:

  • Enhanced security – by encrypting data using Azure RMS before leaving the device. Data is also encrypted when stored in the cloud.
  • Management and monitoring services – more control and visibility of users synchronising their data and on which devices.
  • Geographic location of data in the cloud – data will be stored in an Azure region based on the country of the Azure AD domain.
  • Separation of corporate and personal data – organisations are in control of their data, and there is no mixing of corporate and personal data.

5. Configure Company Branding

If you want to use Windows Autopilot in a later stage (this will of course also be covered in a later guide post), you need to have Company Branding configured.

Company Branding is nothing more than giving a personal look and feel to the login experience for your end users. They will see the company’s logo, a custom background and a custom banner for example if you configure them all. Let’s go over these settings one by one.

Navigate to the Azure Portal, open Azure Active Directory and click on ‘Company Branding’.

Click on ‘New language’.

Here you can add a sign-in page background image, a banner logo, a sign-in page text, if you want a sign-in page background color, a square logo and you also have the option to let your end users remain signed in.

If you configure this well, the login experience in the Azure AD portal will look like this (with how Company Branding is configured in my tenant, of course):

This will also affect how your Autopilot login process looks.

6. Enable MDM (Mobile Device Management)

First we’re going to configure the MDM authority.

In the Azure Portal, navigate to Intune. An orange banner will be displayed:

Click on the banner and you will be asked to choose an MDM authority. Set this to Intune MDM Authority, as we are setting up a cloud-only demo tenant. You can also set it to Configuration Manager MDM authority here and divide the workload between ConfigMgr and Intune. I won’t be covering this in this guide as I’m a strong believer that ConfigMgr or co-management is for +10.000 devices. Everything less should be done with Intune in my opinion.

Next we want to specify the user scope: which users can enrol their devices to be Intune managed.

In the Device Management Portal, navigate to Devices – Enroll devices – Automatic enrollment.

Here you can specify the MDM and MAM user scope. First thing to know is the difference between MDM and MAM.

MDM stands for Mobile Device Management. This means that the devices will be fully managed by your organisation.

MAM stands for Mobile Application Management. Here we can have control over certain applications, or the data within those applications, without having full control over the device and without enrolling it in Intune. This will of course be covered in a later guide post. MAM is useful in BYOD (Bring-Your-Own-Device) scenarios where you still want control over your corporate data.

It is recommended to set a scope here with a user group. Don’t leave the setting on All, set it on your Azure AD group with Intune licensed users.

That’s it for today’s guide post. Next week I will be covering how to install a test device in Hyper-V and enroll it in Intune MDM (MEM).

Happy testing!