Implement modern device services
- By Robert Clements and Brian Svidergol
- 6/14/2019
Chapter summary
There are three MDM solutions that you can deploy with Microsoft 365: standalone Intune, Intune with co-management, and MDM for Office 365.
Cloud-based MDM solutions can reduce on-premises server infrastructure, but network bandwidth needs to be sized appropriately.
Policy conflicts should be reviewed and addressed as part of your planning phase for implementing Intune. Tools like MMAT can be used to help identify conflicts.
Group Policy and ConfigMgr offer policies for configuring Hybrid Azure AD join and automatic MDM enrollment.
Co-management provides a bridge for supporting Microsoft Intune. Administrators can select which workloads are managed by ConfigMgr and Intune.
Setting an MDM authority is a requirement for managing devices with Intune.
The MDM authority can be changed when moving between MDM solutions.
There are pre-defined device enrollment restrictions with Microsoft Intune.
You should be familiar with the enrollment restrictions interface in Microsoft Intune, including where to create restrictions.
You should be familiar with the priority system used by enrollment restrictions and how to assign them to devices.
You should be familiar with the subscription requirements for Microsoft Intune and Azure AD, along with the supported platforms for compliance policies.
You should be familiar with the fundamentals of a compliance policy, how they are assigned to devices, and how a device is marked for compliance.
You should have some understanding of what rules a device compliance policy can check for and use cases that align with those rules.
You should be familiar with the conditional access formula and how it corresponds to the policies you create.
You should be familiar with the conditional access controls available in the Azure portal, how these controls relate to each other, and how to design policies using these controls.
You should be familiar with device-based and app-based policies, including how they are defined and what role they play in policy design.
You should be familiar with navigating the Conditional Access blade, including items like named locations and terms of use.
You should be familiar with how to create, assign, and enforce a conditional access policy to users and groups.
You should be familiar with navigating the device compliance blade, with a focus on the available compliance configuration settings and relevant use cases for changing the default values.
You should be familiar with how to create, assign and evaluate device compliance policies. Keep in mind that compliance policies are created on a per-platform basis and are used by conditional access policies when referencing compliance status.
You should be familiar with using the What If tool to evaluate new policies and troubleshoot policy assignments. Use this tool to help validate policies during your pilot phase, before assigning the policy to a larger audience.
You should be familiar with the Azure AD Sign-ins report. This includes navigating the report, entering search criteria, and interpreting the details provided.
You need to be familiar with the terminology used to describe WaaS. This includes terms such as feature updates, quality updates, and deployment rings.
You need to be familiar with servicing channels and how they operate. This includes the available channels and configuration options.
You need to be familiar with WIfB and its importance in supporting the WaaS model.
You need to be familiar with the different deployment methods and what their capabilities are. This includes traditional deployments, in-place upgrades, and modern servicing.
You need to be familiar with the Windows 10 in-place upgrade. This includes planning considerations, requirements, and solutions for deployment.
You need to be familiar with modern servicing. This includes understanding the differences between servicing and in-place upgrades, the limitations, and the various solutions that can enable modern servicing.
You need to be familiar with what upgrade readiness can provide and how it is implemented.
You need to be familiar with the upgrade readiness workflow. This includes the different blades and the information they provide.
You need to be familiar with each of the security features included with Windows 10. This includes an understanding of their capabilities and possible use cases.
You should be familiar with MSfB, how to navigate the management portal, add apps, and connect it with Intune for centralized management.
You should be familiar with app deployment prerequisites. This includes conditional requirements depending on the needs of an organization.
You should be familiar with creating and assigning apps in Intune. This includes navigating the client app blades in the Intune console.
You should be familiar with the requirements for implementing co-management. This includes versions of ConfigMgr and Windows 10, with an emphasis on certain versions.
You should be familiar with how to set up co-management in the ConfigMgr management console. This includes navigating the setup wizard, account requirements for establishing the connection, and available workload options.
You should be familiar with each of the workload options for co-management. This includes the basic capabilities and what version of ConfigMgr supports the different features.
You should have a basic understanding of Device Health and Upgrade Readiness, including their requirements and capabilities.
You should be familiar with how to enroll devices with Windows Analytics.
You should be familiar with the capabilities of device profiles and the use cases they address. This includes platform support and profile types.
You should be familiar with the device configuration blade in Intune, including how to navigate the portal for creating and assigning device profiles.
You should be familiar with the requirements for app protection policies, with an emphasis on the required subscriptions and supported platforms.
You should be familiar with navigating through the app protection policy blades, along with the extensive number of controls available for managing and securing app data.
You should be familiar with the prerequisites and setup process required to activate the MSfB for an organization.
You should be familiar with navigating the MSfB management portal. This includes searching for new apps in the Microsoft Store and adding them to an organization’s app inventory.
App collections and app visibility in the private store are managed through the MSfB portal, from the private store page.