Microsoft Intune, Part 2:
Management of Apple iOS Endpoint Devices
An Introduction to Intune
Microsoft Intune was introduced back in 2011. Over time, it has proven to be a strong player in the world of device management—especially in these difficult times, when end-users are increasingly working remotely and organizations are seeing increased use of personal devices. This blog series goes through some capabilities of the product and explains how organizations can take advantage of the security features it offers. In this second installment, we discuss the specifics of managing Apple iOS devices.
The first major device to enjoy deep Intune integration wasn’t the Windows Mobile/Phone, as you might imagine, but the Apple iPhone, due in large part to its corporate footprint. Now, I know what you’re thinking. You’re holding an Android phone and you see similar devices everywhere you look. But remember, you’re probably an IT guy. The corporate world, particularly the US market, is skewed towards the Apple platform.
Intune – Where Do I Start?
Intune lets administrators control which devices may access Office 365 data and which applications on those devices may access it. In addition, Intune can enforce policies that allow only devices meeting certain configuration criteria to access the data (for example, a PIN requirement: the device must have a PIN of a minimum length, or one that contains letters), as well as restrictions on passcode reuse, much like the password policy on a domain-joined managed device.
Currently, Intune management is achieved by accessing “Endpoint Management” on the Office 365 administrators’ portal. Here, the overview displays the number of devices being managed and indicates if any are non-compliant (i.e., need some action to make them compliant with whatever corporate policies have been set).
Intune – Apple Device Requirements
For Apple devices, it’s necessary to obtain a certificate from the Apple website to apply to your Office 365 tenant so your iOS devices can establish trust between themselves and the tenant. This simple process is documented here. All you need is an Apple ID that corresponds to an email address in the tenant. We recommend you add the email address [email protected] to your existing [email protected] address. Set and secure the password. You will need to renew the certificate every year so don’t forget where you stored the credentials. This certificate is key to successfully enrolling your iOS device into the tenant and making it a managed device.
Administrators also need to create a group for users permitted to access information on enrolled devices, so go ahead and create that; you’ll need it momentarily.
Ensuring Device Compliance
The next thing to do is come up with some compliance policies. From the Devices menu, scroll down and click “Compliance Policies.” Android, iOS, and macOS policies are shown below (Windows 10 policies can also be created).
We won’t go into extensive detail about all the possible compliance policy settings, but two screens are shown below as illustrative examples.
Once these compliance policies have been configured, you can then assign the group—and by extension the users—to whom the policy applies.
Here at Anexinet, we ensure that every iOS device connected to your environment runs at least a minimum iOS version and has a minimum passcode length; we require users to change their passcodes regularly and to meet a passcode-complexity requirement; and we prevent users from reusing previous passcodes. Sound like Active Directory settings, but for devices? Far more granular settings can be configured to ensure that the devices which do connect are truly permitted to do so.
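As an added example (not code from the original post), the following PowerShell uses the Microsoft Graph PowerShell SDK to create an iOS compliance policy carrying the settings just described and to assign it to the user group created earlier. The group name, display name and minimum iOS version are placeholders, and it assumes an admin account that can consent to the Intune configuration permission.

```powershell
# Added example: create and assign an iOS compliance policy via Microsoft Graph.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "Group.Read.All"

$groupName = "Intune-iOS-Users"   # placeholder: the group created for enrolled users
$lookup = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/groups?`$filter=displayName eq '$groupName'"
if (-not $lookup.value) { throw "Group '$groupName' not found" }
$groupId = $lookup.value[0].id

$policy = @{
    "@odata.type"                         = "#microsoft.graph.iosCompliancePolicy"
    displayName                           = "iOS baseline (placeholder name)"
    description                           = "Minimum OS, passcode length/complexity, rotation and reuse"
    osMinimumVersion                      = "15.0"       # placeholder minimum iOS version
    passcodeRequired                      = $true
    passcodeMinimumLength                 = 8
    passcodeRequiredType                  = "alphanumeric"
    passcodeMinimumCharacterSetCount      = 2            # letters plus at least one other set
    passcodeBlockSimple                   = $true        # no 1234 / 1111 style passcodes
    passcodeExpirationDays                = 90           # regular passcode changes
    passcodePreviousPasscodeBlockCount    = 5            # block reuse of the last 5 passcodes
    passcodeMinutesOfInactivityBeforeLock = 5
    securityBlockJailbrokenDevices        = $true
    # Graph rejects a compliance policy that has no scheduled action rule at all,
    # so mark non-compliant devices as blocked with no grace period.
    scheduledActionsForRule = @(@{
        ruleName = "PasswordRequired"
        scheduledActionConfigurations = @(@{
            actionType = "block"; gracePeriodHours = 0
            notificationTemplateId = ""; notificationMessageCCList = @()
        })
    })
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 6) -ContentType "application/json"

# Assign the policy to the group so its members' devices are evaluated against it.
$assignment = @{ assignments = @(@{ target = @{
    "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }) }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 6) -ContentType "application/json"
Write-Host "Created policy $($created.id) and assigned it to '$groupName'"
```

Devices that fail any of these settings show as non-compliant in the Endpoint Management overview and can be blocked from corporate data until they are remediated.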
You always want to give users as many settings as possible pre-configured, so they don’t have to ask for the Wi-Fi password, email settings, VPN settings, and so on. That’s where the configuration policies for iOS come in.
As you can see in the image below, the configuration policies are displayed in the menu just below the compliance policies.
As can be seen in the image below, a range of configuration settings may be set. The Email Policy used to be the most popular, as it configured the ActiveSync settings so that the native iOS Mail, Contacts, Calendar and Notes apps were set up automatically for the user. The next most popular was setting the HQ and/or remote-office Wi-Fi details, which greatly simplifies life for users when they walk into any corporate building.
Have users download the Intune Company Portal app from the Apple App Store. This is no different from downloading any other app. Once they have the app, users can begin the enrollment process, which connects their devices to company data. Microsoft keeps an updated guide here. Anyone preparing documentation around device enrollment can either use their own screenshots or leverage Microsoft’s pre-published images.
Configuring today’s Apple devices for a Microsoft world is a straightforward, user-friendly process that “just works,” taking the burden of learning configuration settings and passwords for connecting to infrastructure and applications out of users’ hands. For administrators, Intune ensures that the devices connecting to corporate data have at least a minimum set of security settings, reducing the attack surface as much as possible.
The third part of this series will describe the deployment and configuration of mobile applications to users and devices. Again, if you have any questions about maintaining device compliance, or any other aspect of device management, please don’t hesitate to reach out to us. We’d love to help ensure your organization is safe and secure.