Device Configuration Profiles PDF
Anoka-Ramsey Community College
Summary
This document provides an overview of device configuration profiles using Intune. It details how Intune helps manage device settings, improve security, and ensure compliance. The document also describes custom profiles, kiosk mode, and Microsoft Tunnel for Intune.
**Device Configuration Profiles**

Intune lets you create profiles with features and settings that can be enabled or disabled on the devices in your organization. Device configuration profiles:

- Are managed using a web-based management interface.
- Can be used to set or change device settings.
- Can be edited at any time.
- Can be set up for platforms such as Android, iOS, and Windows.
- Are assigned to Azure AD groups.
- Use configuration baselines.
- Are applied automatically, reducing the likelihood of a configuration mistake.
- Ensure compliance and consistency with device settings.
- Improve device security.
- Can function over the web.

**Custom Device Configuration Profiles**

Using a built-in device profile setting is ideal. However, if none of the built-in profile settings meets your organization's specific needs, you can create a custom device profile in the Microsoft Endpoint Management admin center. Custom device profiles apply to Android, iOS, macOS, and Windows 10 and later.

**Configuring Device Configuration Profiles**

Once a profile is created, it must be assigned to device groups or user groups. When assigning profiles, consider the following:

- Assigning the profile to a device group applies it only to those devices, and therefore to whoever uses them. In other words, the settings are applied regardless of who is logged in. This is useful for devices that do not have a dedicated user, such as a shared device in a warehouse that multiple workers use.
- Assigning the profile to a user group means that the settings follow the users to each device they log into, regardless of the device platform.

Administrators can create exclusions when deploying device profiles. If a user or device group is excluded from a profile, the exclusion always takes precedence over inclusion. For example, a profile could be applied to the AllUsers group but exclude the DomainAdmins group.
In this example, members of AllUsers would get the settings; members of DomainAdmins would not.

**Kiosk Mode**

Microsoft's kiosk mode is a configuration that allows a system to be used for a single application in a very restricted environment. This is useful when you need a device for a specific purpose and/or for public use. Some kiosk examples include:

- Self-registration at a hotel, doctor's office, or other appointment
- Museum information stations
- Self-checkout in stores or restaurants

In these cases, you want people to be able to use the device for its intended purpose, but not to access anything else on the device or reach your network resources. Kiosk mode uses the Assigned Access feature to run the application of your choice above the lock screen of the device.

**Microsoft Tunnel for Intune Overview**

With Microsoft Tunnel for Intune, users can securely access corporate resources from outside the corporate network using their mobile devices or PCs. It is specifically designed for users who work remotely and for IT administrators who need to manage on-premises resources securely. Encrypting and protecting the connection between the device and the on-premises resources ensures secure access to applications and data. Microsoft Tunnel for Intune can be used to manage access to web applications, internal websites, and file shares through a single control plane in the Intune console. Microsoft Tunnel for Intune is available on iOS and Android devices and can be deployed and managed through Microsoft Endpoint Manager.

**Device Lifecycle**

Intune can be used to manage a device's lifecycle, including updates, threat protection, and security monitoring. The process begins with enrollment and carries through device configuration, protection, and management to retirement. Intune gives administrators remote access to deploy operating systems, software, and software updates.
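The assignment rules from the Configuring Device Configuration Profiles section above (device-group targets apply regardless of who is logged in, user-group targets follow the user, and an exclusion always beats an inclusion) can be checked with a small model. This is an added example, not code from the original document or from Intune; the group and profile names other than AllUsers and DomainAdmins are made up.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Assignment:
    """One include/exclude target of a profile (constructed model, not Intune's schema)."""
    profile: str
    group: str        # Azure AD group name
    scope: str        # "device" for a device group, "user" for a user group
    exclude: bool = False


def effective_profiles(user_groups, device_groups, assignments):
    """Profiles in effect for one sign-in, given the user's and the device's group memberships.

    Rules taken from the text: a device-group target applies whenever the device is a
    member, whoever is signed in; a user-group target follows the user onto any device;
    an exclusion on either scope always wins over an inclusion of the same profile.
    """
    included, excluded = set(), set()
    for a in assignments:
        members = device_groups if a.scope == "device" else user_groups
        if a.group in members:
            (excluded if a.exclude else included).add(a.profile)
    return included - excluded


# Constructed sample: the AllUsers/DomainAdmins case from the text plus a
# device-group profile for shared warehouse scanners (made-up names).
ASSIGNMENTS = (
    Assignment("BaselineSecurity", "AllUsers", "user"),
    Assignment("BaselineSecurity", "DomainAdmins", "user", exclude=True),
    Assignment("WarehouseKiosk", "WarehouseScanners", "device"),
    Assignment("WarehouseKiosk", "LabDevices", "device", exclude=True),
)


def demo():
    cases = {
        "alice@laptop":  ({"AllUsers"}, {"CorpLaptops"}),
        "dave@laptop":   ({"AllUsers", "DomainAdmins"}, {"CorpLaptops"}),
        "alice@scanner": ({"AllUsers"}, {"WarehouseScanners"}),
        "guest@lab":     (set(), {"WarehouseScanners", "LabDevices"}),
    }
    return {k: effective_profiles(u, d, ASSIGNMENTS) for k, (u, d) in cases.items()}


if __name__ == "__main__":
    for name, profiles in demo().items():
        print(f"{name:15} -> {sorted(profiles) or '(none)'}")
```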
It can also be used to secure network access and for hardware and software inventory management.

**Enrollment Capabilities**

A device must be enrolled before Intune can manage it. Devices can be enrolled by an administrator, or users can enroll themselves through the Company Portal. The following device types can be enrolled:

- Personal PCs and tablets.
- Corporate-owned PCs and tablets used by employees at work or school.
- Windows, Android, iOS, and macOS devices.

When a device has reached the end of its lifecycle, it should be retired and wiped. When the wipe action is selected, the device is restored to factory settings. If the "Retain enrollment state and user account" checkbox is selected, user data is kept; if it is not selected, all settings, apps, and user data are wiped. The "Wipe device, and continue to wipe even if device loses power" option ensures that the reset is tried and retried until it succeeds.

When the retire action is selected, the following happens:

- Email profiles are removed.
- Managed app data is removed.
- The device is removed from Intune management.

**Monitor Devices with Intune**

Intune is a cloud-based mobile device management (MDM) tool. It can be used to manage and monitor Azure, hybrid, and on-premises devices running Windows, Android, and Linux operating systems. Once Intune is set up, you can enroll devices. Enrollment can be user-driven (through a website), performed by a device enrollment manager, or set to automatic enrollment. Enrolled devices can be monitored for performance, compliance, and security.

**Monitor Devices with Azure Monitor**

Azure Monitor can be used to monitor and manage services, applications, and devices. It uses machine learning to collect and analyze telemetry from Azure, hybrid, and on-premises devices. If abnormal patterns are identified, administrators receive an alert.
Azure Monitor can handle large amounts of collected data. Administrators can customize their dashboards, alerts, and notifications to meet organizational needs. This monitoring system works well with other Azure services as well as third-party analysis and management tools.

**Monitor Devices with Endpoint Analytics**

Azure Endpoint Analytics provides information about the health and performance of connected devices (Windows 10 and later). Administrators can use this feedback for troubleshooting, optimizing device performance, reducing technical support costs, and increasing end-user productivity.

**Updating Policies with Intune**

Using Microsoft Intune, you can update policies and deploy them in real time to devices within your organization, ensuring that all devices are configured with the latest policies and procedures. Intune automatically updates the policy version and notifies all targeted devices when an update is available. Devices typically check for updates every 8 hours, but this interval can be customized. Policies can be updated and managed for Windows, iOS/iPadOS, and Mac.

**Monitoring Updates in Intune**

You can monitor updates in Intune. Under your device listing, you will see a list of devices with pending updates. These updates can be sorted by update status, device name, or other criteria that help with update management. To deploy updates, select the deploy button in the same device listing. Updates can be deployed in real time or scheduled for a time when bandwidth is not a concern.

**Update Rings**

Intune update rings are used to deploy updates to devices running Windows 10 and later. An update ring is a group of devices configured to receive updates at a given time. Updates can be deployed in stages so that network and user performance is minimally affected. An update ring has three stages:

1. Pilot deployment phase: used to test updates and identify issues before deploying to the broader group of devices.
2. Broader deployment phase: updates are deployed to additional rings or device groups, one at a time.
3. Maintenance phase: quality updates are applied to keep devices secure and up to date.

**Application Deployment and Management with Microsoft Intune**

Microsoft Intune is a cloud-based service that allows organizations to manage and secure their devices and applications from a central location. Intune is a very flexible option for deploying a wide range of applications across different platforms. It supports the following platforms:

- Windows
- iOS
- Android
- macOS

Intune can be used for:

- App deployment
- Automation of application updates
- App security
- App retirement
- Monitoring app usage across devices
- Providing end users with self-service app deployment through:
  - The Company Portal app
  - Microsoft Store for Business
- Advanced conditional access policies

Intune allows deployment of supported applications either by user or by device.

- By user: the application is installed for a user only when the user signs in to the device.
  - Modern Line of Business apps (online or offline) can be deployed by user. Supports: Required and Available intents.
  - Win32 apps (User Mode or Dual Mode) can be deployed by user. Supports: Required and Available intents.
- By device: the applications are installed directly on the device.
  - Only Modern Line of Business apps and offline-licensed Microsoft Store for Business apps can be deployed directly to a device. Supports: Required intent.
  - Win32 apps (User Mode or Dual Mode) can be deployed by device. Supports: Required intent.
- Applications must be supported by both the device and the Intune app type.
  - Supported app types include:
    - Win32 apps
    - Offline-licensed Microsoft Store for Business apps
    - LOB apps (MSI, APPX, and MSIX)
    - Microsoft 365 Apps for enterprise
- Line of Business apps (APPX and MSIX) and Microsoft Store for Business apps installed on a device must be assigned to a device group, unless the application is installed as part of an Autopilot pre-provisioning process, in which case no device group assignment is required.

Note: If an application is assigned to both a device and a user, the resulting conflict is resolved as follows: a device assignment policy has higher priority than a user assignment policy.

**Other Tools for Application Deployment and Management**

While Intune offers many features and benefits for application deployment and management, it is not the only option. The best option for an organization depends on its size, infrastructure, and security requirements.

**App Protection Planning Steps**

The overall objective of planning application protection is to ensure that critical applications are secured against data leakage and other security threats while enabling authorized users to access them from the devices of their choice. By using app protection policies in Microsoft Intune, you can provide a consistent level of protection for your organization's applications and data, regardless of the device or network being used.

**Conditional Access Policies**

Conditional access is a critical component of modern security strategies. By using conditional access policies in Microsoft Intune, you can ensure that only authorized users access your organization's data and applications, and that they do so from secure devices and locations. App-based conditional access allows IT administrators to define access policies for specific applications rather than for the entire device.
This gives organizations more granular control over who can access specific applications and from which devices. To use app-based conditional access in Intune, an administrator must:

- Create a conditional access policy.
- Define the apps that the policy applies to.
- Define the conditions under which users can access those apps. For example:
  - An administrator might require that users can access a specific app only if their device is compliant with certain security requirements.
  - An administrator might require that users can access a specific app only from a specific location or network.

When a user attempts to access an app covered by a conditional access policy, the policy is evaluated to determine whether the user meets the specified requirements. If the user does not meet the requirements, access to the app is denied.
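The evaluation described above, with the two example conditions (device compliance and an allowed location or network) and the rule that every policy covering the requested app must be satisfied, modelled as an added example. This is not code from the original document or from Intune; policy names, app names, and address ranges are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AppPolicy:
    """App-based conditional access policy (constructed model, not Intune's schema)."""
    name: str
    apps: frozenset                  # app names this policy covers
    require_compliant: bool = False  # device must be marked compliant
    networks: tuple = ()             # allowed CIDR ranges; empty means any network


@dataclass(frozen=True)
class AccessRequest:
    user: str
    app: str
    device_compliant: bool
    client_ip: str


def evaluate(req, policies):
    """Return (allowed, reasons). Every policy covering the app must be satisfied;
    an app covered by no policy is allowed by default in this model."""
    ip = ipaddress.ip_address(req.client_ip)
    reasons = []
    for p in policies:
        if req.app not in p.apps:
            continue
        if p.require_compliant and not req.device_compliant:
            reasons.append(f"{p.name}: device not compliant")
        if p.networks and not any(ip in ipaddress.ip_network(n) for n in p.networks):
            reasons.append(f"{p.name}: {req.client_ip} not in an allowed network")
    return (not reasons, reasons)


# Constructed policies mirroring the two example conditions in the text.
POLICIES = (
    AppPolicy("RequireCompliantForMail", frozenset({"Outlook", "Teams"}), require_compliant=True),
    AppPolicy("FinanceFromCorpNetOnly", frozenset({"FinanceApp"}),
              require_compliant=True, networks=("10.20.0.0/16",)),
)


def demo():
    reqs = {
        "ok":           AccessRequest("alice", "Outlook", True, "203.0.113.7"),
        "noncompliant": AccessRequest("bob", "Outlook", False, "203.0.113.7"),
        "offsite":      AccessRequest("alice", "FinanceApp", True, "203.0.113.7"),
        "onsite":       AccessRequest("alice", "FinanceApp", True, "10.20.5.9"),
        "uncovered":    AccessRequest("bob", "Whiteboard", False, "203.0.113.7"),
    }
    return {k: evaluate(r, POLICIES) for k, r in reqs.items()}
```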